April 19, 2016 Infiltration learning summary

Kali Linux port and service scan

Port scan

Port corresponding to network service and application end program

Vulnerability of server-side program hacked through port

Discovery of Open ports

More specific attack surface

UDP port Scan

If the target system does not respond to ICMP, it may cause a miscarriage

Full UDP scan with high accuracy and time-consuming

Port off: Port Unreachable

Port open: no Return package

Understanding each UDP application-based package structure is helpful

The same technology as the three layer

Miscalculation

Scapy

SR1 (IP (dst= "1.1.1.1")/udp (dport=53), timeout=1,verbose=1)

./udp_scan.py 1.1.1.1 100

Nmap

Nmap-su 192.168.1.104

There is a default of 1000 ports

Nmap-su 192.168.1.104-p53 (Specify port)

Nmap-su 192.168.1.104-p-(1-65535)

Nmap-il iplist.txt-su-p 1-200

TCP port Scan

Link-based protocols

Three-time handshake

Covert scan

Zombie Scan (more covert than covert scan, no direct contact with target)

Full link Scan

All TCP scanning methods are based on three handshake changes to determine the status of the port

Covert scan----SYN

Do not establish a full connection

Application log does not record scan behavior

Zombie Scan

Extreme Concealment

Harsh implementation conditions

Can Forge Source address

Choose Zombie machine, idle system, system using incremental ipid (0, random, none of these)

Covert Port Scan

Syn----syn/ack-----rst

Scapy

1.A=SR1 (IP (dst= "192.168.1.110")/tcp (flags= "S"), timeout=1,verbose=1)

OR:A=SR1 (IP (dst= "192.168.1.110")/tcp (flags= "S", dport=22), timeout=1,verbose=1)

2../syn_scan.py (Script Run command)

Nmap (powerful scanning Tool)

Nmap-ss 1.1.1.1-p1-100--open

Nmap-ss 1.1.1.1-p 1-65535--open

Nmap-ss-il iplist.txt-p 80,22,23,21

Nmap-ss 1.1.1.1-p---open

Hping3

Hping3 1.1.1.1--scan 80-s (send SYN packet)

Hping3 1.1.1.1--scan 80,21,25,443-s

Hping3 1.1.1.1--scan 0-65535-s

Hping3-c 10-s-spoof 1.1.1.2-p ++1 1.1.1.3 (-c 10-s indicates 10 SYN packets, address spoofing changes the address of 1.1.1.1 to 1.1.1.2, the target is 1.1.1.3,-p ++1 and the preceding 10 represents each port +1 Scan these 10 ports from 1-10, so you must log in to 1.1.1.2 this computer to grab the bag to see the results of the scan)

Full-Connection port scan (not concealed, can be scanned under strict filtering conditions)

Scapy

SYN Scan does not require raw packets

The kernel thinks that Syn/ack is an illegal packet, and it interrupts the connection directly.

Full-connection scanning is difficult for scapy

A=SR1 (IP (dst= "192.168.1.110")/tcp (dport=22,flags= "S"))

Namp

Nmap-st 1.1.1.1-p 80

Nmap-st 1.1.1.1-p 80,21,25

Nmap-st 1.1.1.1-p 80-2000

Nmap-st-il Iplist.txt-p 80

Default of 1000 Common ports

Dmitry

Simple function but easy to use

Default 150 most-Used ports

Dmitry-p 192.168.1.110

Dmitry-p 192.168.1.110-o Output

nc

Nc-nv-w 1-z 192.168.1.110 1-100 (definition timeout is 1 seconds,-Z means scan)

For x in $ (seq.);d o NC-NV

For x in $ (SEQ 20 30); Do nc-nv-w 1-z 1.1.1. $x 80;done

Zombie Scan: Idle machine does not have to be completely limited, as long as there is no three layer of IP communication.

XP before the computer meets the requirements, the current operating system does not work.

Scapy----zonbie.py

Only Scapy and nmap support zombie scanning

1.i=ip ()

2.T=TCP ()

3.rz= (i/t) (packets sent to the zombie machine)

4.rt= (i/t) (packets sent to the target machine)

5.rz[ip].dst= "Zombie Machine Address"

6.rz[tcp].dport=445 (Zombie machine Open port)

7.rz[tcp].flags= "SA" (Syn+ack package)

8.rt[ip].src= "Zombie Machine Address"

9.rt[ip].dst= "Target machine address"

10.RT[TCP].DPORT=25 (Destination confidential scanned port)

11.rt[tcp].flags= "S"

12.AZ1=SR1 (RZ)

13.AR=SR1 (Rt,timeout=1)

14.AZ2=SR1 (RZ)

15.AZ1 (Show package)

16.AZ2 (Compare Ipid If add 2 means open if Add 1 means not turned on)

Nmap

Discover Zombie Machines

nmap-p445 1.1.1.1--script=ipidseq.nse

Scan target

Nmap native Ip-si Zombie ip-pn-p 0-100

Service Scan

Identify the applications running on the port

Identify the target operating system

Increase attack efficiency

Banner Capture

Service identification (identification of software version, vulnerability for targeted attacks)

Operating system identification (operating system self-service may also be vulnerable)

SNMP analysis

Firewall recognition

Banner Information

Software developer

Software name

Service type

Version number

Direct discovery of known vulnerabilities and weaknesses

Direct access to banner after link creation

Alternative service Identification method

Feature behavior and Response fields

Different responses can be used to identify the underlying operating system

Snmp

Simple Network Management Protocol

Community Strings (identity authentication information)

Information query or reconfiguration

Identify and bypass firewall filtering

Service Scan----Banner

nc

1.nc-nv 1.1.1.1 22 (22 is the port number to identify some information about SSH)

2.get/

Python socket

Socket module for Network connection service

1.python

2.import socket

3.banner=socket.socket (Socket.af_inet,socket. SOCK_STREAM)

4.banner.connect (("192.168.1.110", 21))

5.BANNER.RECV (4096) (Receive data, specify data size of 4096)

6.banner.close ()

7.exit ()

Banner If no fetch is allowed, no return of the RECV function will be suspended. Need to run through a script

Dmitry

Dmitry-p 192.168.1.110

DMITRY-PB 192.168.1.110

Nmap

Nmap-st 1.1.1.1-p--script=banner

Nmap-st 1.1.1.1-p1-100--script=banner.nse

Amap

Amap-b 192.168.1.110 21

Amap-b 192.168.1.110 1-65535

Amap-b 192.168.1.110 1-65535 | grep on

Service Scanning----Service identification

Banner information grasping ability is limited

The corresponding feature analysis and recognition service of NMAP

Send a series of complex probes

According to the corresponding characteristics signature

NC-NV 1.1.1.1 80

Nmap 1.1.1.1-p 80-sv (often used, high accuracy)

Amap

AMAP 192.168.1.110 80

AMAP 192.168.1.110 1-100 (-Q) plus-Q to make information more tidy

AMAP 192.168.1.110 1-100-QB Info more

I wanted to learn a new loophole today, but it was not enough to learn half the time, only until tomorrow.

This article is from the "Xiao Yu" blog, please be sure to keep this source http://791120766.blog.51cto.com/10836248/1765601

April 19, 2016 Infiltration learning summary