Kali Linux port and service scan
Port scan
A port corresponds to a network service and the application-layer program behind it
Vulnerabilities in the server-side program are reached through its port
Discovering the open ports
gives a more specific attack surface
UDP port Scan
If the target system does not send ICMP responses, the result may be misjudged
A full UDP scan is accurate but time-consuming
Port closed: an ICMP Port Unreachable message is returned
Port open: no packet is returned
Understanding the packet structure of each UDP application helps, since an application-specific probe gets a real reply
The same technique as layer-3 (IP) discovery
Misjudgement is possible
Scapy
sr1(IP(dst="1.1.1.1")/UDP(dport=53), timeout=1, verbose=1)
./udp_scan.py 1.1.1.1 100 (run the script)
Nmap
nmap -sU 192.168.1.104
By default the 1000 most common ports are scanned
nmap -sU 192.168.1.104 -p53 (specify a port)
nmap -sU 192.168.1.104 -p- (all ports, 1-65535)
nmap -iL iplist.txt -sU -p 1-200
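The two rules above (ICMP Port Unreachable means closed, silence means open or filtered) only work if the scanner can tie each reply back to the port it probed, which is why the notes say understanding the packet structure helps. The following added example (not from the notes or any scanner) builds IPv4/ICMP/UDP packets in memory with struct, parses the quoted UDP header inside an ICMP unreachable, and classifies a port from all the replies to its retransmissions, including the "open|filtered" case the notes call a misjudgement. Addresses and payloads are constructed.

```python
"""Interpreting UDP scan replies by parsing the packets, not just counting them.

Added example (not from the notes). Packets are constructed in-memory with
struct so the logic runs offline; a real scanner would get them from a raw
socket or scapy."""
import socket
import struct

OPEN, CLOSED, FILTERED, OPEN_FILTERED = "open", "closed", "filtered", "open|filtered"
# ICMP type-3 codes that mean "something on the path refused it", not "port closed"
FILTER_CODES = {1, 2, 9, 10, 13}

def _ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left 0 because nothing here verifies it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_udp_reply(src, dst, sport, dport, payload):
    """Constructed UDP datagram, as an application would answer a probe."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return _ipv4_header(src, dst, 17, len(udp)) + udp

def build_icmp_unreachable(src, dst, probe_src, probe_dst, probe_sport, probe_dport, code=3):
    """Constructed ICMP destination unreachable; it quotes the offending IP header
    plus the first 8 bytes of its payload, i.e. the UDP header of the probe."""
    quoted = _ipv4_header(probe_src, probe_dst, 17, 8) + struct.pack("!HHHH", probe_sport, probe_dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return _ipv4_header(src, dst, 1, len(icmp)) + icmp

def parse_reply(pkt):
    """Return ('udp', sport, dport) for a UDP datagram, ('icmp', code, quoted_dport)
    for an ICMP unreachable that quotes a UDP probe, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        return ("udp", sport, dport)
    if proto == 1 and body[0] == 3:
        code = body[1]
        quoted = body[8:]
        qihl = (quoted[0] & 0x0F) * 4
        if quoted[9] != 17:
            return None                  # quotes something other than a UDP probe
        _, qdport = struct.unpack("!HH", quoted[qihl:qihl + 4])
        return ("icmp", code, qdport)
    return None

def classify_udp_port(port, replies):
    """replies: what came back for each retransmission of the probe to `port`
    (raw packet bytes, or None for a timeout)."""
    for pkt in replies:
        if pkt is None:
            continue
        parsed = parse_reply(pkt)
        if parsed is None:
            continue
        if parsed[0] == "udp" and parsed[1] == port:
            return OPEN                  # the application itself answered
        if parsed[0] == "icmp" and parsed[2] == port:
            if parsed[1] == 3:
                return CLOSED
            return FILTERED if parsed[1] in FILTER_CODES else OPEN_FILTERED
    return OPEN_FILTERED                 # silence: open, or ICMP suppressed somewhere

def demo():
    scanner, target = "192.168.1.104", "192.168.1.110"   # constructed addresses
    unreach = lambda port, code=3: build_icmp_unreachable(target, scanner, scanner, target, 40000, port, code)
    return {
        161: classify_udp_port(161, [unreach(161)]),
        53:  classify_udp_port(53, [build_udp_reply(target, scanner, 53, 40000, b"\x00\x01\x81\x80")]),
        123: classify_udp_port(123, [None, None, None]),
        69:  classify_udp_port(69, [unreach(69, code=13)]),
        500: classify_udp_port(500, [unreach(161), None]),   # a reply about another port does not count
    }
```

The port-500 case is the point of parsing the quoted header: an unreachable message that arrives while port 500 is being probed is only evidence about port 500 if the quoted destination port says so.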
TCP port Scan
Connection-oriented protocol
Three-way handshake
Covert scan
Zombie scan (more covert than the covert scan, no direct contact with the target)
Full-connection scan
All TCP scanning methods infer the state of the port from variations of the three-way handshake
Covert scan----SYN
Does not establish a full connection
Application logs do not record the scan, because no connection is ever handed to the application
Zombie Scan
Extremely concealed
Demanding preconditions
The source address seen by the target is the zombie's
Choosing a zombie: an idle system that uses an incrementing IP ID (an IP ID that is always 0 or randomized does not work)
Covert Port Scan
SYN ---- SYN/ACK ---- RST
Scapy
a = sr1(IP(dst="192.168.1.110")/TCP(flags="S"), timeout=1, verbose=1)
or: a = sr1(IP(dst="192.168.1.110")/TCP(flags="S", dport=22), timeout=1, verbose=1)
./syn_scan.py (run the script)
Nmap (powerful scanning Tool)
nmap -sS 1.1.1.1 -p 1-100 --open
nmap -sS 1.1.1.1 -p 1-65535 --open
nmap -sS -iL iplist.txt -p 80,22,23,21
nmap -sS 1.1.1.1 -p- --open
Hping3
hping3 1.1.1.1 --scan 80 -S (-S sends SYN packets)
hping3 1.1.1.1 --scan 80,21,25,443 -S
hping3 1.1.1.1 --scan 0-65535 -S
hping3 -c 10 -S --spoof 1.1.1.2 -p ++1 1.1.1.3 (-c 10 -S sends 10 SYN packets; --spoof replaces our own source address 1.1.1.1 with 1.1.1.2; the target is 1.1.1.3; -p ++1 increases the destination port by 1 for each packet, so with the preceding 10 the ports 1-10 are scanned; because the replies go to 1.1.1.2, you have to log in to that machine and capture packets there to see the results)
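The defensive consequence of "application logs do not record the scan" is that a SYN scan is only visible at packet level, for example in iptables LOG output. The following added example (not from the notes) parses lines with the field layout of iptables LOG entries and flags a source whose bare SYN packets touch many distinct ports within a short window; the log lines, addresses and the window/port thresholds are constructed for the demo.

```python
"""Spotting a SYN scan in firewall logs.

Added example, not from the notes. A SYN scan never completes the handshake,
so the application never logs it; the place to look is packet-level logging
such as iptables LOG lines. The lines below are constructed with the field
layout of iptables LOG output and made-up addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+) .*?"
    r"RES=0x[0-9a-fA-F]+ (?P<flags>[A-Z ]+?) URGP=")

def parse_log_line(line):
    """Pull timestamp, endpoints, destination port and TCP flags out of one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),   # syslog has no year; fine for deltas
        "src": m.group("src"), "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": frozenset(m.group("flags").split()),
    }

def detect_syn_scans(lines, window_s=60, min_ports=10):
    """Return {src: ports} for sources whose bare SYNs (no ACK) reached at least
    min_ports distinct destination ports inside any window_s-second window."""
    recent = defaultdict(deque)          # src -> deque of (ts, dport), oldest first
    flagged = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["flags"] != {"SYN"}:
            continue                      # SYN/ACK, ACK, RST are handshake traffic, not new probes
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dport"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            flagged.setdefault(rec["src"], set()).update(ports)
    return flagged

def _line(ts, src, dst, dport, flags):
    """Constructed iptables-style LOG line (fields abbreviated but in the real order)."""
    return (f"{ts} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=44 TOS=0x00 PREC=0x00 "
            f"TTL=52 ID=0 PROTO=TCP SPT=41234 DPT={dport} WINDOW=1024 RES=0x00 {flags} URGP=0")

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
SAMPLE_LINES = (
    # a normal client: two SYNs to web ports, then an ACK as its handshake completes
    [_line("Mar 10 12:00:00", "192.168.1.50", "192.168.1.110", 80, "SYN"),
     _line("Mar 10 12:00:00", "192.168.1.50", "192.168.1.110", 80, "ACK"),
     _line("Mar 10 12:00:03", "192.168.1.50", "192.168.1.110", 443, "SYN")]
    # a scanner: one SYN per port, twelve ports in twelve seconds
    + [_line(f"Mar 10 12:00:{10 + i:02d}", "203.0.113.7", "192.168.1.110", p, "SYN")
       for i, p in enumerate(SCAN_PORTS)]
)
```

The window is what separates a scan from a busy legitimate client: a browser opens many connections, but to one or two ports, while a port scan fans out across ports from one source in seconds.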
Full-connection port scan (not covert, but still works under strict filtering conditions)
Scapy
A SYN scan only needs raw packets, not a real connection
The kernel, which knows nothing about the raw SYN scapy sent, treats the returning SYN/ACK as an illegitimate packet and resets the connection immediately.
Full-connection scanning is therefore difficult with scapy
a = sr1(IP(dst="192.168.1.110")/TCP(dport=22, flags="S"))
Nmap
nmap -sT 1.1.1.1 -p 80
nmap -sT 1.1.1.1 -p 80,21,25
nmap -sT 1.1.1.1 -p 80-2000
nmap -sT -iL iplist.txt -p 80
By default the 1000 most common ports are scanned
Dmitry
Simple in function but easy to use
Scans the 150 most-used ports by default
dmitry -p 192.168.1.110
dmitry -p 192.168.1.110 -o output (write the results to a file)
nc
nc -nv -w 1 -z 192.168.1.110 1-100 (-w 1 sets a timeout of 1 second, -z means scan only, sending no data)
for x in $(seq ...); do nc -nv ...; done (template for scanning a range of hosts)
for x in $(seq 20 30); do nc -nv -w 1 -z 1.1.1.$x 80; done
Zombie scan: the idle machine does not have to be completely idle, as long as it has no other layer-3 IP communication (which would advance its IP ID)
Windows systems up to XP met this requirement; current operating systems do not
Scapy----zombie.py
Only scapy and nmap support zombie scanning
i = IP()
t = TCP()
rz = i/t (packet sent to the zombie machine)
rt = i/t (packet sent to the target machine)
rz[IP].dst = "zombie machine address"
rz[TCP].dport = 445 (a port that is open on the zombie)
rz[TCP].flags = "SA" (SYN+ACK packet; the zombie answers it with an RST that carries its current IP ID)
rt[IP].src = "zombie machine address"
rt[IP].dst = "target machine address"
rt[TCP].dport = 25 (the target port to be scanned)
rt[TCP].flags = "S"
az1 = sr1(rz)
ar = sr1(rt, timeout=1) (the target's reply goes to the zombie, so this times out)
az2 = sr1(rz)
az1.display() (show the packet)
az2.display() (compare the IP ID: an increase of 2 means the port is open, an increase of 1 means it is not open)
Nmap
Discover Zombie Machines
nmap -p445 1.1.1.1 --script=ipidseq.nse
Scan the target
nmap <target ip> -sI <zombie ip> -Pn -p 0-100
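What the ipidseq script above answers, and what the "+1 / +2" comparison in the scapy steps relies on, is the host's IP ID generation scheme. The following added example (not from the notes and not nmap's ipidseq code) classifies a sequence of observed IP IDs with simplified rules in the spirit of that script, handles the 16-bit wrap and the byte-swapped counter of some old Windows stacks, and reads an idle-scan delta the way the notes describe. The sequences are constructed, and INCR_MAX and BUSY_MAX are assumed thresholds, not nmap's.

```python
"""Classifying a host's IP ID generation, and reading an idle-scan IP ID delta.

Added example, not from the notes and not nmap's ipidseq code: the rules
below are a simplified version of that idea, and the thresholds are assumed.
The IP ID sequences are constructed, as if read from successive RST replies
to SYN/ACK probes."""
import struct

INCR_MAX = 10    # assumption: per-packet gaps up to this still count as "incremental"
BUSY_MAX = 1000  # assumption: larger positive gaps mean a counter shared with other traffic

def _deltas(ids, byte_swapped=False):
    """Successive differences modulo 2^16; optionally reinterpret each ID little-endian,
    which is how some old Windows stacks exposed their counter on the wire."""
    if byte_swapped:
        ids = [struct.unpack("<H", struct.pack(">H", i))[0] for i in ids]
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

def classify_ipid(ids):
    if len(ids) < 3:
        return "insufficient samples"
    if all(i == 0 for i in ids):
        return "all zeros"
    d = _deltas(ids)
    if all(x == 0 for x in d):
        return "constant"
    if all(1 <= x <= INCR_MAX for x in d):
        return "incremental"
    if all(1 <= x <= INCR_MAX for x in _deltas(ids, byte_swapped=True)):
        return "broken little-endian incremental"
    if all(1 <= x <= BUSY_MAX for x in d):
        return "positive increments"    # counting, but not idle: re-sample when the host is quiet
    return "randomized"

def usable_as_zombie(ids):
    """A host with a globally incrementing counter leaks how many packets it sent
    between two probes, which is exactly what an idle scan needs; zeros or random do not.
    From the defender's side this is the property to remove (randomized IP IDs)."""
    return classify_ipid(ids) in ("incremental", "broken little-endian incremental")

def idle_scan_verdict(ipid_before, ipid_after):
    """The notes' rule: +2 means the target answered the zombie (the zombie then sent an RST),
    +1 means it did not; anything else means the zombie was not idle and the result is void."""
    delta = (ipid_after - ipid_before) % 65536
    return {2: "open", 1: "closed or filtered"}.get(delta, "inconclusive (zombie not idle)")

SAMPLES = {   # constructed sequences
    "byte_swapped_counter": [0x0100, 0x0200, 0x0300, 0x0400],   # 1,2,3,4 read little-endian
    "incremental_wrapping": [65533, 65534, 65535, 0, 1],         # wraps at 2^16
    "modern_random": [41322, 1893, 60012, 7, 29999],
    "zeros": [0, 0, 0, 0],
    "busy": [100, 104, 107, 130, 131],
}
```

The "positive increments" class is the one that trips people up in practice: the counter is incremental, but the host is talking to someone else, so any single-port verdict would be noise.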
Service Scan
Identify the application running on each port
Identify the target operating system
Improves attack efficiency
Banner grabbing
Service identification (determines the software and its version, so that vulnerabilities can be targeted)
Operating system identification (the operating system itself may also have vulnerabilities)
SNMP analysis
Firewall identification
Banner information
Software vendor
Software name
Service type
Version number
Allows known vulnerabilities and weaknesses to be looked up directly
The banner is read directly once the connection is established
Alternative service identification methods
Characteristic behaviour and response fields
Differences in responses can also be used to identify the underlying operating system
SNMP
Simple Network Management Protocol
Community strings (serve as the authentication credential)
Used to query information or to reconfigure the device
Identify and bypass firewall filtering
Service Scan----Banner
nc
nc -nv 1.1.1.1 22 (port 22: the SSH banner reveals some information about the server)
GET / (typed after connecting, to provoke a response from services such as HTTP that do not speak first)
Python socket
The socket module provides the network connection
python
import socket
banner = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
banner.connect(("192.168.1.110", 21))
banner.recv(4096) (receive data, at most 4096 bytes)
banner.close()
exit()
If the service does not send a banner, recv() never returns and the interactive session hangs; this needs to be run from a script, where a timeout can be set
Dmitry
dmitry -p 192.168.1.110
dmitry -pb 192.168.1.110 (-b also reads the banners)
Nmap
nmap -sT 1.1.1.1 -p- --script=banner
nmap -sT 1.1.1.1 -p 1-100 --script=banner.nse
Amap
amap -B 192.168.1.110 21
amap -B 192.168.1.110 1-65535
amap -B 192.168.1.110 1-65535 | grep on
Service Scanning----Service identification
Banner grabbing alone has limited ability: many services send no banner, or a misleading one
Nmap identifies services by analysing the characteristics of their responses
It sends a series of elaborate probes
and matches the responses against characteristic signatures
nc -nv 1.1.1.1 80
nmap 1.1.1.1 -p 80 -sV (frequently used, high accuracy)
Amap
amap 192.168.1.110 80
amap 192.168.1.110 1-100 -q (-q makes the output tidier)
amap 192.168.1.110 1-100 -qb (-b adds the banner information)
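The probe-and-match idea behind nmap -sV and amap, and the timeout the Python socket notes above call for, fit in one small program. The following added example is not from the notes, nmap or amap: its signature table is a deliberately small, hand-written imitation of the idea of sending a probe and matching the response against patterns, and the services it talks to are local stand-ins on 127.0.0.1 whose banners are constructed for the demo (an SSH-style and an FTP-style greeting, an HTTP server that only answers a request, and a service that never speaks).

```python
"""Service identification by probing and signature matching, with timeouts.

Added example, not from the notes or from nmap/amap: the signature table is a
tiny hand-written imitation of the probe-and-match idea; the local listeners
and their banners are constructed for the demo."""
import re
import socket
import threading

# Each entry: (probe to send, or None for "connect and just listen"),
# followed by (pattern, service) pairs; group 1 is the software, group 2 the version.
PROBES = [
    (None, [
        (re.compile(r"^SSH-[\d.]+-(OpenSSH|dropbear)[_-]([\w.]+)"), "ssh"),
        (re.compile(r"^220[ -].*?(vsFTPd|ProFTPD|Pure-FTPd)\s*v?(\d[\w.]*)"), "ftp"),
    ]),
    (b"GET / HTTP/1.0\r\n\r\n", [
        (re.compile(r"^HTTP/1\.[01] \d{3}.*?\r\nServer:\s*([^/\r\n]+)/?([\w.]*)", re.S), "http"),
    ]),
]

def identify(host, port, timeout=1.0):
    """Try each probe on a fresh connection; return the first signature match as
    {service, software, version, probe}, or None if nothing matched or the port is closed."""
    for idx, (probe, sigs) in enumerate(PROBES):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)      # keeps recv() from blocking forever on a silent service
                if probe:
                    s.sendall(probe)
                try:
                    data = s.recv(4096)
                except socket.timeout:
                    continue               # this probe got nothing; try the next one
        except OSError:
            return None                    # connection refused or reset
        text = data.decode("latin-1")
        for pat, service in sigs:
            m = pat.search(text)
            if m:
                return {"service": service, "software": m.group(1),
                        "version": m.group(2) or None, "probe": idx}
    return None

def _serve(respond, connections=2):
    """Constructed local stand-in for a real service: accept `connections` clients on
    127.0.0.1 and let respond(conn) play the server side. Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def run():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                respond(conn)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def _banner_service(banner):
    return lambda conn: conn.sendall(banner)          # speaks first, like SSH or FTP

def _http_service(conn):
    conn.settimeout(3)                                # waits for a request, like HTTP
    try:
        req = conn.recv(1024)
    except socket.timeout:
        return
    if req.startswith(b"GET"):
        conn.sendall(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.25 (Debian)\r\nContent-Length: 0\r\n\r\n")

def demo():
    ports = {
        "ssh": _serve(_banner_service(b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n")),
        "ftp": _serve(_banner_service(b"220 (vsFTPd 3.0.3)\r\n")),
        "http": _serve(_http_service),
        "silent": _serve(lambda conn: conn.recv(64)),   # never answers anything
    }
    return {name: identify("127.0.0.1", port) for name, port in ports.items()}
```

Two things the demo shows that the banner commands alone do not: the HTTP service is only identified by the second probe, because it never speaks first, and the silent service makes identify() return None after the timeout instead of hanging, which is the failure the interactive Python session runs into.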
I wanted to learn a new vulnerability today, but didn't get through even half of it, so it will have to wait until tomorrow.
This article is from the "Xiao Yu" blog, please be sure to keep this source http://791120766.blog.51cto.com/10836248/1765601
April 19, 2016 Infiltration learning summary