20179209 "Linux kernel Fundamentals and analysis" 11th Week work


Nmap with Metasploit for port scanning

1. Nmap Scanner Basic Use

1.1 Introduction

Nmap (Network Mapper) is the best-known network scanner on Linux. It has three basic functions:

    • Detect whether a group of hosts is online;
    • Scan a host's ports to discover the network services it offers;
    • Infer the operating system the host runs.
1.2 Basic commands
    • Commands for detecting active hosts in a network segment:
      • Ping scan: prints the hosts that respond, with no further testing (no port scan or OS detection). -sP is the older spelling of -sn: nmap -sP 192.168.1.0/24
      • List scan: only lists every host in the specified network and sends no probe packets to the targets (it still does reverse-DNS lookups): nmap -sL 192.168.1.0/24
      • UDP ping to discover hosts: nmap -PU 192.168.1.0/24
      • TCP SYN ping: sends a SYN to a comma-delimited list of ports (for example -PS22,23,25,80) and marks any host that answers with SYN/ACK or RST as up: nmap -PS22,23,25,80 192.168.1.0/24
    • Scan host information (ports):
      • SYN scan, the most frequently used option. Also called a half-open scan: it never completes the TCP handshake, runs quickly, and needs raw-socket (root) privileges: nmap -sS 192.168.1.1
      • TCP connect() scan, the default when a SYN scan is unavailable (for example as an unprivileged user). It completes the full handshake, so it is slower and more likely to be logged by the target service: nmap -sT 192.168.1.1
      • UDP scan: for most ports sends an empty (no payload) UDP header to each target port: nmap -sU 192.168.1.1
      • FIN scan: nmap -sF 192.168.1.1
      • Restrict any scan to specific ports with -p, which takes a comma-delimited list or ranges: nmap -p 22,23,25,80 192.168.1.234
    • Operating system or version detection:
      • Identify the service and its version behind each open port: nmap -sV 192.168.1.1
      • Operating system detection: nmap -O 192.168.1.1
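To make the difference between the half-open -sS and the full-connect -sT concrete, here is an added example (not part of the original post, and not Nmap's code) of the probe that nmap -sT performs: a connect() scan. It starts a throwaway loopback listener as a constructed target; the addresses and ports are made up for the demo.

```python
"""Added example (not part of the original post): a minimal TCP connect()
scanner, the probe that nmap -sT performs.  connect() completes the full
three-way handshake, so every open port it touches is visible to the target
application, which is why nmap prefers the half-open -sS (a SYN that is never
completed) whenever it has raw-socket privileges.  The listener and ports
below are constructed for the demo; 127.0.0.1 stands in for a real target.
"""
import errno
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral loopback port (constructed
    target).  Returns (server_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # server socket closed -> stop
                return
            conn.close()         # accept completed the handshake; hang up

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Pick a loopback port nobody is listening on (constructed 'closed' port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host, port, timeout=1.0):
    """Classify one port exactly as a connect() scan does:
       SYN/ACK -> handshake completes            -> 'open'
       RST     -> ECONNREFUSED                   -> 'closed'
       silence -> timeout (a firewall dropped it)-> 'filtered'
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports; returns {port: state}.  Each open port gets a
    fully established connection that the service can log, which is the
    noise a SYN scan avoids."""
    return {p: probe_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, open_p = start_listener()
    closed_p = free_port()
    for port, state in connect_scan("127.0.0.1", [open_p, closed_p]).items():
        print(f"{port}/tcp {state}")
    srv.close()
```

The three outcomes map onto Nmap's port states: a completed handshake is open, an immediate RST is closed, and no answer within the timeout is filtered. Only the first case leaves a trace in the target's application log.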
1.3 Practice

Scan the 192.168.245.0/24 network segment:

Choose the target machine, IP 192.168.245.131:


As the output shows, Nmap not only lists the open ports and their corresponding services but also detects the service versions and, of course, fingerprints the operating system. This illustrates how much information a single Nmap scan yields.

2. Importing Nmap Scan Results into Metasploit

There are two ways of doing this:

    • Run Kali's own Nmap, write the results to an XML file, and import that file into Metasploit. The steps are: nmap -A -oX xxx xxx.xxx.xxx.xxx, where the first xxx is the output file name; then, in msfconsole, import it with db_import xxx.

    • Alternatively, scan directly from inside Metasploit with the db_nmap command. It takes the same arguments as nmap and stores the scan results straight into the database.

You can view the target hosts stored in the database with the hosts command, and the services each target runs with the services command.
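What db_import actually consumes is the -oX XML, and what hosts and services later print are two views over it. The following is an added example (not part of the original post, and not Metasploit's importer) that parses a constructed sample of nmap -oX output into those two views. The XML is made up for the demo in Nmap's format, modelled on the Windows Server 2003 target described above; its addresses, MAC, ports and version strings are not real scan results.

```python
"""Added example (not part of the original post): parse the XML that
nmap -oX writes into the host and service records that db_import stores and
that the msfconsole hosts / services commands later print.  SAMPLE_NMAP_XML
is a constructed sample in nmap's format; every address, MAC, port and
version string in it is made up for the demo.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX scan.xml 192.168.245.131" version="7.80">
<host>
  <status state="up" reason="arp-response"/>
  <address addr="192.168.245.131" addrtype="ipv4"/>
  <address addr="00:0C:29:12:34:56" addrtype="mac" vendor="VMware"/>
  <hostnames><hostname name="win2003-target" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="135">
      <state state="open" reason="syn-ack"/>
      <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/>
    </port>
    <port protocol="tcp" portid="445">
      <state state="open" reason="syn-ack"/>
      <service name="microsoft-ds" product="Microsoft Windows 2003 or 2008 microsoft-ds" method="probed" conf="10"/>
    </port>
    <port protocol="tcp" portid="3389">
      <state state="filtered" reason="no-response"/>
      <service name="ms-wbt-server" method="table" conf="3"/>
    </port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2003 SP1 or SP2" accuracy="98"/></os>
</host>
<host>
  <status state="down" reason="no-response"/>
  <address addr="192.168.245.132" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (hosts, services): lists of dicts built from nmap -oX output."""
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for h in root.findall("host"):
        addrs = {a.get("addrtype"): a for a in h.findall("address")}
        ip_el = addrs.get("ipv4", addrs.get("ipv6"))
        if ip_el is None:
            continue                       # no layer-3 address: nothing to store
        ip = ip_el.get("addr")
        name = h.find("hostnames/hostname")
        # nmap may list several osmatch candidates; keep the most confident one
        best_os = max(h.findall("os/osmatch"),
                      key=lambda m: int(m.get("accuracy", 0)), default=None)
        hosts.append({
            "address": ip,
            "mac": addrs["mac"].get("addr") if "mac" in addrs else None,
            "name": name.get("name") if name is not None else None,
            "os_name": best_os.get("name") if best_os is not None else None,
            "state": h.find("status").get("state"),
        })
        for p in h.findall("ports/port"):
            svc = p.find("service")
            # the 'info' column is what -sV contributes: product/version/extrainfo
            info = ""
            if svc is not None:
                info = " ".join(filter(None, [svc.get("product"),
                                              svc.get("version"),
                                              svc.get("extrainfo")]))
            services.append({
                "host": ip,
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "name": svc.get("name") if svc is not None else None,
                "info": info,
            })
    return hosts, services


def open_services(services):
    """Only the ports you can actually talk to (the filtered ones stay in the
    database but are not attack surface until something changes)."""
    return [s for s in services if s["state"] == "open"]


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("hosts")
    for h in hosts:
        print(f"  {h['address']:16} {h['mac'] or '':18} {h['state']:5} {h['os_name'] or ''}")
    print("services")
    for s in open_services(services):
        print(f"  {s['host']:16} {s['port']}/{s['proto']:4} {s['name']:14} {s['info']}")
```

Note that the OS line comes from the highest-accuracy osmatch, exactly the "Windows Server 2003 SP1 or SP2" style guess the text relies on later, and that the filtered 3389/tcp entry is kept but excluded from the attack-surface list.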

3. Vulnerability Analysis

Metasploit ships exploit modules for many vulnerabilities in today's popular operating systems, and the module collection is updated as new vulnerabilities are published. Each module documents the operating system versions it applies to, so the key step is to choose the attack module appropriate for each target host. There are two ways to do this:

  • The Nmap scan above (information gathering) gives us a great deal of information about the target host. We can search online for the vulnerabilities known to affect such a host, then load the corresponding module in Metasploit and exploit it. For example, the SMB information scanned above identifies the target 192.168.245.131 as Windows Server 2003 SP1 or SP2, so we search directly for SP1/SP2 vulnerabilities:

    then exploit:

    However, it did not succeed. The first attempt crashed the target (causing downtime), and in fact it did not succeed at all. I looked into the reasons: the exploit does not cover the Chinese-language version of the operating system, and to make it work against the Chinese version of Windows Server 2003 SP2 the return-address (pointer) offsets in the exploit's source code have to be changed. I looked up a lot of information, many people said to modify this or that, I modified it as well, and still it did not succeed. From another angle this illustrates a problem: vulnerability analysis done this way has a high chance of failure.
    When looking for a module, you can also search for the target host's key information directly inside Metasploit. This is very likely to return many modules that cannot be used, so it takes some experience to know how to filter the results; with that experience the method is very effective.

  • There is another tool that is a great help in vulnerability analysis: Nessus. It is a powerful remote security scanner with strong reporting, generating security reports in HTML, XML, LaTeX and ASCII text formats and giving advice on each security issue found. The system uses a client/server model: the server performs the security checks, and the client is used to configure and manage the server. The server uses a plugin system that lets users add plugins for specific checks, allowing faster and more complex security testing. Besides plugins, Nessus provides a scripting language (NASL) in which users describe an attack type for additional security tests.
    Running load nessus in msfconsole loads the Nessus plugin into Metasploit, so that Nessus can be driven directly from Metasploit. Before using it you must connect to the Nessus server (nessus_connect):

    Because my Nessus could not download plugins, there were no scan policies in the database, so no scan could be run and there is nothing more to show. But combining Metasploit with Nessus is indeed a very powerful method: after Nessus scans for vulnerabilities, Metasploit attacks them directly, making the penetration attack mechanical and efficient.

Summary

A complete penetration test must begin with information gathering. Nmap's biggest strength is the ability to obtain host information using different scanning methods. Of course, information gathering means more than collecting the target's ports and services, but the information Nmap obtains is often the most direct and important. The purpose of collecting information is to find out which vulnerabilities exist, so integrating and analysing the information at this point is especially important; blind attacks are inefficient and demoralising. For a novice attacker, using Nessus and Metasploit together is a great help. Supplement: although the target machine I chose in the experiment runs a relatively old operating system version, all patches had been applied (except for EternalBlue), so the experiment did not break into it.
