Kali Linux Penetration Testing Basics (II): Vulnerability Scanning


Review of the Kali Linux Penetration Testing Basics series

Vulnerability scanning
  • Network traffic
  • Nmap
  • Hping3
  • Nessus
  • Whatweb
  • Dirbuster
  • Joomscan
  • Wpscan
Network traffic

Network traffic is the amount of data transmitted over the network.

TCP protocol

TCP is the Internet's transport-layer protocol and uses a three-way handshake to establish a connection. The active side sends a SYN connection request, waits for the peer to answer with SYN+ACK, and finally sends an ACK acknowledging the peer's SYN. Establishing connections this way prevents spurious connections from being created, and the flow-control mechanism TCP uses is a variable-size sliding-window protocol.

Connection creation

The TCP three-way handshake proceeds as follows:

(1) The client sends a SYN (seq=x) segment to the server and enters the SYN_SENT state.

(2) The server receives the SYN, responds with a SYN (seq=y) + ACK (ack=x+1) segment, and enters the SYN_RECV state.

(3) The client receives the server's SYN, responds with an ACK (ack=y+1) segment, and enters the ESTABLISHED state.

Once the three-way handshake is complete, the TCP client and server have established the connection and can begin transmitting data.

Connection termination

Establishing a connection takes three segments, while terminating one takes four; the reason is TCP's half-close.

(1) One application process calls close first; that side is said to perform the "active close". Its TCP then sends a FIN segment, indicating that it has finished sending data.

(2) The peer that receives the FIN performs the "passive close"; its TCP acknowledges the FIN.

Note: The received FIN is also passed to the receiving application process as an end-of-file marker, queued after any other data already waiting for that process, because receiving the FIN means the application has no more data to receive on that connection.

(3) Some time later, the application process that received the end-of-file calls close on its socket. This causes its TCP to send a FIN as well.

(4) The original sender's TCP (the side that performed the active close) receives this final FIN and acknowledges it.
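The four-step termination above is easiest to see with a socket pair on the loopback interface. The following is an added example written for this article, not code from the original post: the client performs the active close with shutdown(SHUT_WR), which sends its FIN; the server sees that FIN as end-of-file (recv() returns b""), can still reply on the other direction, and then closes, sending its own FIN. All names and the payload are the example's own.

```python
import socket
import threading


def half_close_exchange(payload: bytes) -> tuple:
    """Return (bytes the server received, bytes the client received after its half-close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {}

    def server():
        conn, _ = listener.accept()          # three-way handshake completes here
        with conn:
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:                 # step 2: the peer's FIN arrived -> EOF on this direction
                    break
                chunks.append(data)
            received = b"".join(chunks)
            outcome["server_got"] = received
            conn.sendall(received.upper())   # still legal: only the client->server direction is closed
        # leaving the with-block closes conn: step 3, the server sends its own FIN

    worker = threading.Thread(target=server)
    worker.start()

    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)          # step 1: active close of our send side (FIN sent)
    reply = b""
    while True:
        data = client.recv(4096)             # we can still read the other direction
        if not data:                         # server's FIN -> EOF; the kernel ACKs it (step 4)
            break
        reply += data
    client.close()
    worker.join()
    listener.close()
    return outcome["server_got"], reply


if __name__ == "__main__":
    print(half_close_exchange(b"data sent before the half-close"))
```

If you replace shutdown(SHUT_WR) with close(), the server's later sendall() can fail with a reset, which is exactly why the half-close exists: it lets one side say "I am done sending" without giving up the right to receive.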

UDP protocol

UDP stands for User Datagram Protocol. Like TCP, it processes packets on the network, but it is a connectionless protocol. In the OSI model it sits at layer four, the transport layer, directly above IP. UDP's disadvantage is that it does not group, reassemble or sequence packets: once a message is sent, the sender cannot know whether it arrived safely and completely. UDP is used by network applications that need to transfer data between computers; a large number of client/server applications, including network video conferencing systems, rely on the UDP protocol.

ICMP protocol

ICMP (Internet Control Message Protocol) is a sub-protocol of the TCP/IP family used to pass control messages between IP hosts and routers. Control messages report conditions such as an unreachable network, whether a host is available, and whether a route is available. Although these messages carry no user data, they play an important role in the delivery of user data.

The ping command uses the ICMP protocol.

Nmap

Nmap is used constantly in penetration testing, not only to determine which hosts on the target network are alive, but also to identify each host's operating system, open ports and services, and sometimes to reveal user credentials. Becoming familiar with Nmap greatly improves your penetration-testing skills.

Command structure

nmap -sS -T2 -p 1-500 192.168.1.1 -oN metscan.txt

The nmap command is followed by the scan type: the first parameter, -sS, selects a stealth (SYN) scan; the second, -T2, is the timing option that sets how fast Nmap scans; the third, -p, sets the ports to scan. The 192.168.1.1 that follows is the scan target, which can be a single IP address or a network range. After the target comes the output option, which saves the scan results to a file for the tester to analyse.

Example applications: OS identification, TCP scan, SYN scan, ACK scan, UDP scan, ...

OS identification:

nmap -O -Pn URI    (-Pn disables Nmap's host discovery and assumes every target is up)

The result shown in the original screenshot identifies the target as a Windows operating system.

TCP Scan

The most reliable port scan; it uses the full TCP three-way handshake.

TCP connect scans are typically used to gather more information about the target, but a complete TCP connection is established with the target host.

nmap -sT -Pn URI

The result shows that services such as Telnet and HTTP are open.

-sT: TCP connect scan (-s selects the scan type; T means a TCP connect scan)

SYN Scan:

Uses only the first two steps of the TCP handshake (a half-open "stealth" scan; fast, and Nmap's default scan type)

nmap -sS -Pn URI

-sS (-s selects the scan type; S means SYN)

ACK Scan:

An ACK scan determines whether a TCP port is filtered by a firewall.

nmap -sA -Pn URI

-sA (-s selects the scan type; A means ACK)

UDP Scan

DHCP, DNS, SNMP, TFTP and similar services use the UDP protocol.

A UDP scan probes the UDP ports on the target system to determine whether each port is open or filtered by a firewall.

nmap -sU URI

U means UDP; V means version information (add -sV to a UDP scan to include service version detection).

There is no -Pn parameter here (think of how UDP works: you just send the datagram, with no way of knowing whether the other side received it).

Timing templates

The timing parameter lets you specify the speed of an Nmap scan. The options are as follows:

T0 (paranoid): slow network scan, serial scan, 5 minutes between probes; very slow.

T1 (sneaky): slow network scan, serial scan, 15 seconds between probes; slow.

T2 (polite): medium-speed network scan, serial scan, 400 milliseconds between probes; slow.

T3 (normal): medium-speed network scan, parallel scan, no delay between probes; normal speed.

T4 (aggressive): fast network scan, parallel scan, no delay between probes; faster.

T5 (insane): fast network scan, parallel scan, no delay between probes; extremely fast.

Scanning ports: -p PORT

nmap -sS -p PORT URI

nmap -sS -p 80,135,3380-3389 192.168.1.1

Scans ports 80, 135 and 3380-3389; in the result only port 80 is open.

Scan IP Segment

nmap 192.168.1.1-255    # scan every IP from 192.168.1.1 to 192.168.1.255

nmap 192.168.1.1/24     # scan every IP from 192.168.1.1 to 192.168.1.255

nmap -iL IPL.txt        # scan every IP listed in IPL.txt

Output Save options

-oN   save as a plain-text file

-oX   save as an XML file

-oG   save as grepable output

-oS   script kiddie output

nmap -oN metscan.txt 192.168.154.134    # save the scan result to metscan.txt
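Saved output is only useful if it gets analysed, and the grepable (-oG) format is the one meant for scripts. The following is an added example, not code from the original article: it parses a constructed -oG sample (the ports and hosts are made up to match the -p 80,135,3380-3389 scan above) into a per-host list of ports in a chosen state, so that an analyst can ask questions such as "which hosts expose port 80" across a whole scan file.

```python
import re
from collections import OrderedDict

# Constructed sample of Nmap grepable (-oG) output; it is not a real scan result.
# Real -oG files separate the fields on a line with tabs, as here.
SAMPLE_OG = (
    "# Nmap scan initiated as: nmap -sS -p 80,135,3380-3389 -oG metscan.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http///, 135/filtered/tcp//msrpc///, "
    "3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (9)\n"
    "Host: 192.168.1.7 ()\tStatus: Up\n"
    "Host: 192.168.1.7 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.2.15/"
    "\tIgnored State: closed (10)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)

# One port entry in -oG: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/,]*)/([^/,]*)/([^/,]*)/([^/,]*)/")


def parse_grepable(text, state="open"):
    """Map each host that is up to its ports in `state`: [(port, proto, service, version), ...]."""
    hosts = OrderedDict()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment lines and the summary line
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]               # "192.168.1.1 ()" -> "192.168.1.1"
        hosts.setdefault(host, [])                     # a host that is up may have no ports in `state`
        for port, st, proto, _owner, service, _rpc, version in PORT_RE.findall(fields.get("Ports", "")):
            if st == state:
                hosts[host].append((int(port), proto, service, version))
    return hosts


def hosts_with(hosts, port):
    """Hosts from parse_grepable() that have the given port number in the collected state."""
    return [h for h, ports in hosts.items() if any(p[0] == port for p in ports)]


if __name__ == "__main__":
    for host, ports in parse_grepable(SAMPLE_OG).items():
        print(host, ports)
```

Passing state="filtered" instead of "open" turns the same parser into a quick view of which ports a firewall is silently dropping, which is the question the ACK scan above is designed to answer.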

Hping3

hping3 is a free packet generator and analyser for the TCP/IP protocol suite. hping is one of the de facto standard tools for security audits and for testing firewalls and networks. hping3 can be scripted in Tcl and implements an engine for string-based, human-readable descriptions of TCP/IP packets, among other things.

Command structure

hping3 -c 1000 -d 120 -S -w 64 -p 80 --flood --rand-source www.hdu.edu.cn

-c 1000  the number of packets to send.

-d 120  the size of each packet sent to the target machine.

-S  send only SYN packets.

-w 64  the TCP window size.

-p 80  the destination port.

--flood  send packets as fast as possible without waiting to display incoming replies; flood attack mode.

--rand-source  use random source IP addresses. You can also use -a or --spoof to hide the host.

www.hdu.edu.cn  the destination hostname or IP address of the target machine.

Example application: SYN flood attack (DoS)
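From the server's side, a SYN flood with random sources looks like many distinct addresses that each send a SYN and never complete the handshake with the final ACK. The following is an added detection example written for this article, not code from the original post or from hping3: it runs over constructed packet summaries (the addresses, times and flags are made up) and raises an alert for any one-second window in which the number of half-open sources exceeds a threshold.

```python
from collections import defaultdict

# Constructed packet summaries as a server would see them (not a real capture):
# (time_s, src_ip, dst_port, tcp_flags). Two legitimate clients complete the
# handshake (SYN, then ACK); 250 random sources only ever send SYNs, which is
# the pattern --flood --rand-source produces.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", 80, "S"), (0.01, "10.0.0.5", 80, "A"),
    (0.20, "10.0.0.9", 80, "S"), (0.21, "10.0.0.9", 80, "A"),
] + [(0.5 + i * 0.001, f"198.51.100.{i % 250 + 1}", 80, "S") for i in range(500)]


def half_open_sources(packets, dport):
    """Source IPs that sent a SYN to dport but never sent the handshake's final ACK."""
    syn_from, ack_from = set(), set()
    for _t, src, port, flags in packets:
        if port != dport:
            continue
        if flags == "S":                 # bare SYN: handshake step 1
            syn_from.add(src)
        elif "A" in flags:               # any ACK-bearing segment: the source completed step 3
            ack_from.add(src)
    return syn_from - ack_from


def detect_syn_flood(packets, dport=80, window_s=1.0, max_half_open=100):
    """Return [(window_start_s, half_open_count)] for every window above the threshold."""
    windows = defaultdict(list)
    for pkt in packets:
        windows[int(pkt[0] // window_s)].append(pkt)
    alerts = []
    for w in sorted(windows):
        count = len(half_open_sources(windows[w], dport))
        if count > max_half_open:
            alerts.append((w * window_s, count))
    return alerts


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_PACKETS))
```

Two practical notes: a legitimate client whose ACK lands in the next window is counted as half-open for one window, so the threshold should sit well above normal connection rates; and on Linux the standard mitigation for this pattern is enabling SYN cookies (net.ipv4.tcp_syncookies), which stops half-open entries from exhausting the listen backlog.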

Nessus

Nessus is currently the most widely used system vulnerability scanning and analysis software in the world. It collects security vulnerabilities automatically, can run remotely or on the host itself, scans for vulnerabilities in the services behind a wide range of open ports, and is a comprehensive vulnerability detection tool.

Kali does not ship with Nessus, so it has to be installed. Installing Nessus under Linux is rather involved, so we chose to install and use it under Windows.

The professional version of Nessus is paid, so we chose the Home version. Submit a request and Nessus will send you a Home serial number; enter it and the download starts.

After the download completes, log in to Nessus with the username and password, then add a target for vulnerability diagnosis.

Click the Start button to begin the vulnerability diagnosis.

View the vulnerability diagnosis results.

Export report: after the scan completes, you can export the diagnosis results as a report via Export. Available formats are nessus, PDF, HTML, CSV and Nessus DB.

Whatweb

WhatWeb is a website fingerprinting tool; the main question it answers is "What technology does this website use?" WhatWeb can tell you what the site is built with, including the CMS, blog system, JavaScript libraries, web server, embedded devices and so on. WhatWeb has more than 900 plugins and can identify version numbers, email addresses, accounts, web frameworks, SQL errors and more.

Simple usage: whatweb URI

For example: whatweb www.sysorem.xyz

From the returned result you can see that the web server software is Apache 2.2.15, the region is US, the contact mailbox is [email protected], HTML5 is supported, the server operating system is Red Hat Linux, the IP address is 52.91.79.239, the site uses the jQuery library, and the site runs on WordPress 4.5.3.
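A fingerprint like the one above is most useful to a defender as inventory: which component versions are exposed, and which of them are below the versions your policy allows. The following is an added example, not code from the original article or from the WhatWeb project. It assumes WhatWeb's one-line brief output has the shape "<url> [<status>] Plugin[value], Plugin[value][value], Plugin, ..." (an assumption about the format, not taken from the page), parses a constructed line whose versions mirror the result above (host, IP and address are placeholders), and compares the detected versions against a baseline that the caller supplies.

```python
import re

# Constructed sample in WhatWeb's assumed one-line brief format; not a real scan result.
SAMPLE_WHATWEB = (
    "http://www.example.com [200 OK] Apache[2.2.15], Country[UNITED STATES][US], "
    "Email[webmaster@example.com], HTML5, HTTPServer[Red Hat Linux][Apache/2.2.15 (Red Hat)], "
    "IP[192.0.2.10], JQuery, WordPress[4.5.3]"
)

# A plugin name followed by zero or more [value] groups, e.g. Country[UNITED STATES][US]
PLUGIN_RE = re.compile(r"([A-Za-z][\w.-]*)((?:\[[^\]]*\])*)")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_whatweb_line(line):
    """Return (url, http_status, {plugin: [values...]}) for one brief-format result line."""
    url, _, rest = line.partition(" ")
    status_m = re.match(r"\[(\d{3})[^\]]*\]\s*", rest)
    status = int(status_m.group(1))
    plugins = {}
    for name, values in PLUGIN_RE.findall(rest[status_m.end():]):
        plugins[name] = re.findall(r"\[([^\]]*)\]", values)   # [] for plugins without values
    return url, status, plugins


def outdated_components(plugins, baseline):
    """(plugin, version) pairs whose detected version is below baseline {plugin: (major, minor, patch)}."""
    findings = []
    for name, minimum in baseline.items():
        for value in plugins.get(name, []):
            m = VERSION_RE.search(value)
            if not m:
                continue
            ver = tuple(int(x) for x in m.group().split("."))
            ver += (0,) * (len(minimum) - len(ver))         # treat "2.4" as (2, 4, 0)
            if ver < minimum:
                findings.append((name, m.group()))
    return findings


if __name__ == "__main__":
    _, _, found = parse_whatweb_line(SAMPLE_WHATWEB)
    # Hypothetical policy baseline for the demonstration only.
    print(outdated_components(found, {"WordPress": (4, 7, 0), "Apache": (2, 4, 0)}))
```

The baseline versions are the caller's policy, not something WhatWeb knows; keeping them in one place makes the same fingerprint sweep reusable across many hosts.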

Dirbuster

DirBuster is a multithreaded Java application designed to brute-force directory and file names on web/application servers; it is mainly used to discover directories and file names.

Running from the CLI

dirbuster -H -u https://www.target.com/ -l wordlist-file

Using the GUI

dirbuster -u https://www.target.com/

For example:

Some of the directories and file names DirBuster found.

Joomscan

Features of the Joomla security scanner:

1. Exact version detection (can detect the Joomla version used by the whole site).

2. Probing for common Joomla web application firewalls.

3. Searching for known Joomla security vulnerabilities and vulnerable components.

4. Test reports in text and HTML format.

5. Immediate software update capability.

Just find a Joomla-based website, such as http://37.60.253.96/

joomscan -u http://37.60.253.96/

The scan result lists a pile of vulnerabilities and exploits (exp).

Wpscan

WPScan is a security scanner for WordPress. It can scan the WordPress version, themes, plugins and back-end users, and can brute-force a back-end user's password.

Simple commands

wpscan --url URI --enumerate p    # enumerate plugins

wpscan --url URI --enumerate u    # enumerate back-end users

Brute-force a password by username

wpscan --url URI --wordlist Dic.lst --username USER

For example, run: wpscan --url www.sysorem.xyz --enumerate u
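Both DirBuster's directory brute force (above) and WPScan's password brute force leave a very recognisable trace in the web server's access log: one source producing hundreds of 404s per minute, or one source POSTing to /wp-login.php dozens of times per minute. The following is an added detection example written for this article, not code from the original post or from either tool. It parses constructed combined-format log lines (the addresses, timestamps, paths and user-agent strings are made up) and flags both patterns; the thresholds are the example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/Nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def _constructed_log():
    """Constructed combined-format lines (not a real log)."""
    lines = []
    # 120 requests for guessed paths from one IP inside one minute, all 404: the DirBuster pattern.
    for i in range(120):
        lines.append(f'198.51.100.23 - - [10/Oct/2016:13:55:{i % 60:02d} +0000] '
                     f'"GET /guess{i}/ HTTP/1.1" 404 209 "-" "constructed-dirbuster-ua"')
    # 40 login attempts against wp-login.php from another IP inside the next minute.
    for i in range(40):
        lines.append(f'198.51.100.40 - - [10/Oct/2016:13:56:{i % 60:02d} +0000] '
                     f'"POST /wp-login.php HTTP/1.1" 200 3841 "-" "constructed-wpscan-ua"')
    # A few ordinary visits that must not trigger anything.
    for i in range(5):
        lines.append(f'203.0.113.7 - - [10/Oct/2016:13:55:{i * 10:02d} +0000] '
                     f'"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return (ip, minute_key, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    minute = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d %H:%M")
    return ip, minute, method, path, int(status)


def dir_bruteforce_alerts(entries, max_404_per_minute=50):
    """(ip, minute, count) for sources producing more 404s in one minute than the threshold."""
    c = Counter((ip, minute) for ip, minute, _m, _p, status in entries if status == 404)
    return sorted((ip, minute, n) for (ip, minute), n in c.items() if n > max_404_per_minute)


def login_bruteforce_alerts(entries, max_posts_per_minute=20, login_path="/wp-login.php"):
    """(ip, minute, count) for sources POSTing to the login page more often than the threshold."""
    c = Counter((ip, minute) for ip, minute, method, path, _s in entries
                if method == "POST" and path.split("?")[0] == login_path)
    return sorted((ip, minute, n) for (ip, minute), n in c.items() if n > max_posts_per_minute)


if __name__ == "__main__":
    parsed = [e for e in map(parse_line, SAMPLE_LOG) if e]
    print(dir_bruteforce_alerts(parsed))
    print(login_bruteforce_alerts(parsed))
```

Counting POSTs rather than HTTP status is deliberate: a failed WordPress login still returns 200 with the form re-rendered, so status codes alone do not separate failed attempts from successful ones.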

Reference documents

https://github.com/sysorem/Kali-Linux-Pentest-Basic

* Original article by SYSOREM; reprints must credit freebuf.com as the source.
