April 19, 2016 Infiltration learning summary

Source: Internet
Author: User
Tags: snmp, kali, linux

Kali Linux port and service scan

Port scan

A port corresponds to a network service and the application program listening behind it

Vulnerabilities in that server-side program are attacked through the port

Discovery of open ports

A more specific attack surface

UDP port scan

If the target system does not send ICMP responses, the scan misjudges the port states

A full UDP scan is accurate but time-consuming

Port closed: ICMP Port Unreachable

Port open: no response packet

Understanding the packet structure of each UDP application is helpful

Same technique as the layer-3 (IP/ICMP) scan

Misjudgment (false results)

Scapy

sr1(IP(dst="1.1.1.1")/UDP(dport=53), timeout=1, verbose=1)

./udp_scan.py 1.1.1.1 100

Nmap

nmap -sU 192.168.1.104

Scans 1000 ports by default

nmap -sU 192.168.1.104 -p 53 (specify a port)

nmap -sU 192.168.1.104 -p- (all ports, 1-65535)

nmap -iL iplist.txt -sU -p 1-200
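The UDP rules above (Port Unreachable means closed, silence means open or filtered, and a host that suppresses ICMP errors gets misjudged) as a worked example. This is added code, not from the original notes or from nmap/scapy; replies are represented as plain dicts and the two host sweeps are constructed values, so it runs offline. The ICMP code-to-state mapping follows nmap's documented UDP scan rules, and the DNS payload builder illustrates the note about knowing each UDP application's packet format: a port-53 probe that carries a real query gets a UDP answer instead of silence.

```python
import struct
from collections import Counter
from typing import Optional

# ICMP type 3 codes that nmap reports as "filtered" rather than "closed":
# net/host/protocol unreachable (0, 1, 2), net/host administratively
# prohibited (9, 10) and communication administratively prohibited (13).
FILTERED_CODES = {0, 1, 2, 9, 10, 13}
PORT_UNREACHABLE = 3   # ICMP type 3, code 3


def classify_udp_probe(reply: Optional[dict]) -> str:
    """Map one probe's reply to a port state.

    reply is None (no packet came back), {"proto": "udp"} (the application
    answered) or {"proto": "icmp", "type": 3, "code": n}.
    """
    if reply is None:
        # Silence is ambiguous: an open service may simply ignore the payload,
        # or a firewall may have dropped the probe.
        return "open|filtered"
    if reply.get("proto") == "udp":
        return "open"
    if reply.get("proto") == "icmp" and reply.get("type") == 3:
        code = reply.get("code")
        if code == PORT_UNREACHABLE:
            return "closed"
        if code in FILTERED_CODES:
            return "filtered"
    return "open|filtered"  # any other reply carries no port information


def summarize(replies: dict) -> Counter:
    """Count states over a {port: reply} sweep result."""
    return Counter(classify_udp_probe(r) for r in replies.values())


def dns_query_payload(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query so a port-53 probe carries a payload the
    service will actually answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


# Constructed sweep results (not real captures) for the same four ports on two
# hosts. The second host has ICMP error generation suppressed, which is the
# misjudgment case the notes warn about: its closed ports now look
# "open|filtered" and the scan cannot tell closed from open.
NORMAL_HOST = {
    53: {"proto": "udp"},
    68: None,
    161: {"proto": "icmp", "type": 3, "code": 3},
    500: {"proto": "icmp", "type": 3, "code": 13},
}
ICMP_SILENT_HOST = {53: {"proto": "udp"}, 68: None, 161: None, 500: None}

if __name__ == "__main__":
    for label, host in (("normal", NORMAL_HOST), ("icmp-silent", ICMP_SILENT_HOST)):
        print(label, dict(summarize(host)))
    print(dns_query_payload("example.com").hex())
```

On the ICMP-silent host three of the four ports collapse into "open|filtered", which is the practical reason a full UDP sweep is slow: nmap has to retransmit and wait for every silent port before it can say anything.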

TCP port scan

Connection-oriented protocol

Three-way handshake

Stealth scan

Zombie scan (more covert than the stealth scan; no direct contact with the target)

Full-connect scan

All TCP scanning methods determine the port state from how the three-way handshake varies

Stealth scan ---- SYN

Does not establish a full connection

Application logs do not record the scan

Zombie scan

Extremely covert

Harsh implementation conditions

Can forge the source address

Choose a zombie machine: an idle system that uses an incremental IPID (not 0, not random, not absent)
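The note that a SYN scan leaves nothing in application logs is the defender's cue: the evidence lives one layer down, in firewall or netfilter logs, where every half-open SYN is visible. As an added example (not from the original notes), the following detector parses netfilter-style LOG lines and flags a source whose bare SYNs (SYN without ACK) reach many distinct ports inside a short window. The log lines are constructed for the example, and the window and threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter LOG-target lines (not a real capture). 10.0.0.5 sends
# bare SYNs to ten different ports within three seconds; 10.0.0.7 is an
# ordinary client touching two ports. One SYN/ACK from the server side is
# included to show that return traffic must be ignored.
SAMPLE_LOG = """
Apr 19 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51001 DPT=21 WINDOW=1024 SYN
Apr 19 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51002 DPT=22 WINDOW=1024 SYN
Apr 19 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51003 DPT=23 WINDOW=1024 SYN
Apr 19 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51004 DPT=25 WINDOW=1024 SYN
Apr 19 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51005 DPT=80 WINDOW=1024 SYN
Apr 19 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.20 DST=10.0.0.5 LEN=44 PROTO=TCP SPT=80 DPT=51005 WINDOW=29200 ACK SYN
Apr 19 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51006 DPT=110 WINDOW=1024 SYN
Apr 19 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51007 DPT=143 WINDOW=1024 SYN
Apr 19 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51008 DPT=443 WINDOW=1024 SYN
Apr 19 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51009 DPT=445 WINDOW=1024 SYN
Apr 19 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=51010 DPT=3389 WINDOW=1024 SYN
Apr 19 10:00:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40210 DPT=443 WINDOW=64240 SYN
Apr 19 10:00:09 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40211 DPT=80 WINDOW=64240 SYN
""".strip().splitlines()

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_netfilter_line(line):
    """Return {"ts", "src", "dpt", "flags"} for a TCP LOG line, else None.
    The syslog timestamp carries no year; strptime's default year is fine for
    comparing lines inside one window."""
    m = re.match(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (.*)$", line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    tokens = m.group(2).split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    if fields.get("PROTO") != "TCP":
        return None
    flags = {tok for tok in tokens if tok in TCP_FLAGS}
    return {"ts": ts, "src": fields["SRC"], "dpt": int(fields["DPT"]), "flags": flags}


def detect_syn_sweeps(lines, window_s=10, threshold=8):
    """Sources whose bare SYNs reached >= threshold distinct ports inside any
    window_s-second window. Returns {src: max distinct ports seen}."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_netfilter_line(line)
        if ev and "SYN" in ev["flags"] and "ACK" not in ev["flags"]:
            by_src[ev["src"]].append((ev["ts"], ev["dpt"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):       # sliding window over sorted events
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            distinct = len({p for _, p in events[lo:hi + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    print(detect_syn_sweeps(SAMPLE_LOG))
```

The same logic works on a SYN-only distinct-port count from NetFlow or a span port; the point is that the half-open handshake is invisible to the application but not to anything that sees the SYN itself.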


Stealth port scan

SYN ---- SYN/ACK ---- RST

Scapy

1. a = sr1(IP(dst="192.168.1.110")/TCP(flags="S"), timeout=1, verbose=1)

   or: a = sr1(IP(dst="192.168.1.110")/TCP(flags="S", dport=22), timeout=1, verbose=1)

2. ./syn_scan.py (run the script)

Nmap (powerful scanning tool)

nmap -sS 1.1.1.1 -p 1-100 --open

nmap -sS 1.1.1.1 -p 1-65535 --open

nmap -sS -iL iplist.txt -p 80,22,23,21

nmap -sS 1.1.1.1 -p- --open

Hping3

hping3 1.1.1.1 --scan 80 -S (send SYN packets)

hping3 1.1.1.1 --scan 80,21,25,443 -S

hping3 1.1.1.1 --scan 0-65535 -S

hping3 -c 10 -S --spoof 1.1.1.2 -p ++1 1.1.1.3 (-c 10 -S sends 10 SYN packets; --spoof 1.1.1.2 replaces the real source address 1.1.1.1 with 1.1.1.2; the target is 1.1.1.3; -p ++1 starts at port 1 and increments the port by one per packet, so the 10 packets scan ports 1-10; because the replies go to 1.1.1.2, you must log in to that machine and capture packets there to see the scan results)

Full-connect port scan (not covert; can still scan under strict filtering conditions)

Scapy

A SYN scan does not require raw packets

The kernel treats the SYN/ACK as an illegal packet and tears the connection down directly (it answers with a RST)

Full-connect scanning is difficult with scapy

a = sr1(IP(dst="192.168.1.110")/TCP(dport=22, flags="S"))

Nmap

nmap -sT 1.1.1.1 -p 80

nmap -sT 1.1.1.1 -p 80,21,25

nmap -sT 1.1.1.1 -p 80-2000

nmap -sT -iL iplist.txt -p 80

Scans the 1000 most common ports by default

Dmitry

Simple functionality but easy to use

Scans the 150 most-used ports by default

dmitry -p 192.168.1.110

dmitry -p 192.168.1.110 -o output

nc

nc -nv -w 1 -z 192.168.1.110 1-100 (-w 1 sets a 1-second timeout; -z means scan only, without sending data)

for x in $(seq 20 30); do nc -nv -w 1 -z 1.1.1.$x 80; done


Zombie scan: the idle machine need not be completely idle, as long as it has no layer-3 IP communication.

Computers older than XP meet the requirement; current operating systems do not.

Scapy ---- zombie.py

Only scapy and nmap support zombie scanning

1. i = IP()

2. t = TCP()

3. rz = (i/t) (packet sent to the zombie machine)

4. rt = (i/t) (packet sent to the target machine)

5. rz[IP].dst = "zombie machine address"

6. rz[TCP].dport = 445 (an open port on the zombie machine)

7. rz[TCP].flags = "SA" (SYN+ACK packet)

8. rt[IP].src = "zombie machine address"

9. rt[IP].dst = "target machine address"

10. rt[TCP].dport = 25 (the port on the target to be scanned covertly)

11. rt[TCP].flags = "S"

12. az1 = sr1(rz)

13. ar = sr1(rt, timeout=1)

14. az2 = sr1(rz)

15. az1 (show the packet)

16. az2 (compare the IPID: an increase of 2 means the port is open, an increase of 1 means it is closed)
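Step 16 is the whole idle scan in one comparison, and it is where practitioners get it wrong: the IPID field is 16 bits and wraps, and a zombie that is not really idle produces deltas that mean nothing. The following is added example code, not from the original notes or from scapy, that interprets the two IPID readings from steps 12 and 14 with wraparound handled, and classifies a candidate zombie's IPID sequence into roughly the categories nmap's ipidseq script reports (the category names follow nmap's output; only "incremental" is usable).

```python
IPID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide


def ipid_delta(before: int, after: int) -> int:
    """Increase of the zombie's IPID between two probes, modulo 2^16, so a
    counter that wraps from 65535 to 1 still reads as +2."""
    return (after - before) % IPID_MODULUS


def classify_idle_probe(ipid_before: int, ipid_after: int) -> str:
    """Interpret step 16: the zombie's IPID rises once for its reply to our
    SYN/ACK (az1) and once more only if the target's SYN/ACK made the zombie
    send a RST, i.e. only if the target port was open."""
    d = ipid_delta(ipid_before, ipid_after)
    if d == 2:
        return "open"
    if d == 1:
        return "closed|filtered"   # target sent RST or nothing; zombie only answered us
    if d == 0:
        return "unreliable: zombie IPID is not incrementing"
    return "unreliable: zombie was not idle (%d packets beyond its reply to us)" % (d - 1)


def ipid_sequence_class(ipids) -> str:
    """Rough equivalent of what nmap's ipidseq script reports for a candidate
    zombie from a run of observed IPIDs."""
    if len(ipids) < 2:
        return "unknown"
    if all(i == 0 for i in ipids):
        return "all zeros"
    if len(set(ipids)) == 1:
        return "constant"
    deltas = [ipid_delta(a, b) for a, b in zip(ipids, ipids[1:])]
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d == 256 for d in deltas):
        return "broken little-endian incremental"  # counter stored byte-swapped
    return "random"


if __name__ == "__main__":
    # Constructed readings, not real captures.
    print(classify_idle_probe(65535, 1))          # open, across the wrap
    print(classify_idle_probe(1000, 1001))        # closed|filtered
    print(classify_idle_probe(1000, 1047))        # unreliable: zombie was busy
    print(ipid_sequence_class([65534, 65535, 0, 1]))
```

From the defender's side the same table reads backwards: a host whose IPID is all zeros or randomized (the default on current Linux and Windows) cannot be used as a zombie, which is exactly why the notes say only XP-era machines still qualify.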

Nmap

Discover zombie machines

nmap -p 445 1.1.1.1 --script=ipidseq.nse

Scan the target

nmap <target IP> -sI <zombie IP> -Pn -p 0-100


Service scan

Identify the applications running on the ports

Identify the target operating system

Improve attack efficiency

Banner capture

Service identification (identifies the software version; its vulnerabilities allow targeted attacks)

Operating system identification (the operating system itself may also have vulnerabilities)

SNMP analysis

Firewall identification

Banner information

Software developer

Software name

Service type

Version number

Directly reveals known vulnerabilities and weaknesses

The banner is received directly once the connection is established

Alternative service identification methods

Characteristic behaviour and response fields

Different responses can be used to identify the underlying operating system

SNMP

Simple Network Management Protocol

Community strings (the authentication credential)

Information query or reconfiguration

Identify and bypass firewall filtering

Service scan ---- banner

nc

1. nc -nv 1.1.1.1 22 (22 is the port number; this reveals some information about the SSH service)

2. GET /

Python socket

The socket module provides network connection services

1. python

2. import socket

3. banner = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

4. banner.connect(("192.168.1.110", 21))

5. banner.recv(4096) (receive data; 4096 is the buffer size)

6. banner.close()

7. exit()

If the service does not send a banner, recv() never returns and the session hangs; this needs to be run through a script instead.
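The hang described above is fixed by putting a timeout on the socket, and the second half of the problem is that some services (HTTP, for example) never speak first, so the grabber has to send a request before it can receive anything. The following is added example code, not from the original notes: a banner grabber with a timeout and an optional probe, a small extractor for the software name and version fields the notes list, and a constructed stand-in service on 127.0.0.1 so the whole thing runs offline against no real target. The banner strings, service names and port choices are constructed for the example.

```python
import socket
import threading


def grab_banner(host, port, timeout=2.0, probe=None, bufsize=4096):
    """Connect and return the first bytes the service sends, or None if the
    port is unreachable or nothing arrives within `timeout` seconds. `probe`
    is sent first for services that stay silent until asked (HTTP)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)       # the fix for the hang described in the notes
    try:
        sock.connect((host, port))
        if probe:
            sock.sendall(probe)
        return sock.recv(bufsize)
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()


def banner_fields(raw):
    """Pull the pieces the notes list (software name, version) out of a banner:
    the greeting line, plus any 'Server:' header if the banner is HTTP-like."""
    text = raw.decode("ascii", errors="replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = {"greeting": lines[0] if lines else ""}
    for ln in lines[1:]:
        if ln.lower().startswith("server:"):
            fields["server"] = ln.split(":", 1)[1].strip()
    return fields


def start_test_service(banner, greets=True):
    """Constructed stand-in for a real service on 127.0.0.1 (no real target is
    contacted). greets=True mimics FTP/SSH, which speak first; greets=False
    mimics HTTP, which answers only after a request. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    if not greets:
                        conn.settimeout(5)
                        if not conn.recv(1024):   # client gave up: nothing to say
                            continue
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    ftp = start_test_service(b"220 constructed-ftpd 1.2.3 ready\r\n")
    print(banner_fields(grab_banner("127.0.0.1", ftp)))
    web = start_test_service(b"HTTP/1.0 200 OK\r\nServer: constructed-httpd/0.9\r\n\r\n", greets=False)
    print(grab_banner("127.0.0.1", web, timeout=1.0))            # None: no probe, service silent
    print(banner_fields(grab_banner("127.0.0.1", web, probe=b"GET / HTTP/1.0\r\n\r\n")))
```

The same structure is what a self-assessment script would run against an organisation's own hosts to list which services volunteer a version string; anything that shows up in `greeting` or `server` is information an exposed service is handing out for free.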

Dmitry

dmitry -p 192.168.1.110

dmitry -pb 192.168.1.110

Nmap

nmap -sT 1.1.1.1 -p- --script=banner

nmap -sT 1.1.1.1 -p 1-100 --script=banner.nse

Amap

amap -B 192.168.1.110 21

amap -B 192.168.1.110 1-65535

amap -B 192.168.1.110 1-65535 | grep on

Service scan ---- service identification

Banner grabbing has limited ability

Nmap analyzes the response characteristics to identify the service

Sends a series of complex probes

Matches the response characteristics against signatures

nc -nv 1.1.1.1 80

nmap 1.1.1.1 -p 80 -sV (often used; high accuracy)

Amap

amap 192.168.1.110 80

amap 192.168.1.110 1-100 -q (-q makes the output tidier)

amap 192.168.1.110 1-100 -qb (more information)


I wanted to learn a new vulnerability today, but there was not enough time and I only got halfway; it will have to wait until tomorrow.





This article is from the "Xiao Yu" blog, please be sure to keep this source http://791120766.blog.51cto.com/10836248/1765601
