Little White Diary 13: Kali Penetration Testing Service Scan (iii) - SMTP scanning, firewall identification, load balancing identification, WAF identification

Source: Internet
Author: User

SMTP scanning

SMTP (Simple Mail Transfer Protocol) is a basic mail transfer protocol: a set of rules for sending mail from a source address to a destination, which also controls how the mail is relayed along the way. SMTP belongs to the TCP/IP protocol suite and helps each computer find the next hop when sending or relaying mail. Through the server that SMTP specifies, e-mail can be delivered to the recipient's server, the whole process taking only a few minutes. An SMTP server is a sending mail server that follows the SMTP protocol and is used to send or relay e-mail. Whereas SMB scanning looks for vulnerabilities on the machine itself, SMTP scanning can collect some of the mail accounts on the target system; it is active discovery against the target (as opposed to passive information collection). Use: social engineering.
Primary method
    root@kali:~# nc -nv 192.168.1.107 25          # connect to port 25
    (UNKNOWN) [192.168.1.107] 25 (smtp) open
    220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
    VRFY root                                     # input: try to confirm whether a root account exists
    252 2.0.0 root
Nmap. Prerequisite: a port scan has already shown that the target host has port 25 open. Scan for user accounts:
    root@kali:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
        # try to enumerate accounts; the methods argument specifies which method to use
        # (defaults to the root account; further arguments can supply a dictionary)
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 21:06 CST
    Nmap scan report for smtp.163.com (220.181.12.16)
    Host is up (0.044s latency).
    Other addresses for smtp.163.com (not scanned): 220.181.12.17 220.181.12.18 220.181.12.11 220.181.12.12 220.181.12.13 220.181.12.14 220.181.12.15
    rDNS record for 220.181.12.16: m12-16.163.com
    PORT   STATE SERVICE
    25/tcp open  smtp
    | smtp-enum-users:
    |_  Couldn't find any accounts

    Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
Scan mailbox accounts with a specified dictionary:

    smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
Scan for an open mail relay: "If relaying is open, anyone can use this mail server."
    root@kali:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 21:11 CST
    Nmap scan report for smtp.163.com (220.181.12.15)
    Host is up (0.043s latency).
    Other addresses for smtp.163.com (not scanned): 220.181.12.14 220.181.12.13 220.181.12.12 220.181.12.11 220.181.12.18 220.181.12.17 220.181.12.16
    rDNS record for 220.181.12.15: m12-15.163.com
    PORT   STATE SERVICE
    25/tcp open  smtp
    |_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

    Nmap done: 1 IP address (1 host up) scanned in 3. seconds
Note: all of the above can also be implemented as a Python script.
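As an added example (not code from the original post), the following script looks at the VRFY exchange above from the mail administrator's side: it classifies reply lines of the kind the nc and nmap sessions produce and decides whether a server lets a client tell existing accounts from non-existent ones. The reply texts are constructed and modelled on Postfix; the probe names are assumptions.

```python
"""Classify SMTP VRFY replies and decide whether a server leaks account existence.

Added example, not code from the original post.  The reply lines below are
constructed (modelled on Postfix); 'postmaster', 'root' and the random name
are assumed probe names.
"""
import re

REPLY_RE = re.compile(r"^(\d{3})[ -]")


def classify_vrfy_reply(line):
    """Map one VRFY reply line to what it tells the client (RFC 5321 reply codes)."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return "unparsed"
    code = int(m.group(1))
    if code == 250:
        return "exists"        # mailbox confirmed
    if code == 252:
        return "unverified"    # "cannot VRFY user, but will accept the message"
    if code in (550, 551, 553):
        return "unknown"       # mailbox rejected: the name does not exist
    if code in (500, 502):
        return "disabled"      # command not implemented or switched off
    return "other"


def vrfy_leaks_accounts(replies):
    """Return (leaks, categories) for a {username: reply line} mapping.

    Probe at least one name that certainly exists (postmaster must, per
    RFC 5321) and one random name that certainly does not.  A server that
    answers both identically reveals nothing; different answers let a
    scanner separate valid from invalid accounts.
    """
    categories = {user: classify_vrfy_reply(reply) for user, reply in replies.items()}
    return len(set(categories.values())) > 1, categories


# Constructed replies modelled on the Metasploitable Postfix seen in the nc session above.
LEAKY_POSTFIX = {
    "postmaster": "252 2.0.0 postmaster",
    "root":       "252 2.0.0 root",
    "qx7vz2":     "550 5.1.1 <qx7vz2>: Recipient address rejected: "
                  "User unknown in local recipient table",
}
# Same server after setting disable_vrfy_command = yes in Postfix main.cf (constructed).
HARDENED_POSTFIX = {
    "postmaster": "502 5.5.1 VRFY command is disabled",
    "root":       "502 5.5.1 VRFY command is disabled",
    "qx7vz2":     "502 5.5.1 VRFY command is disabled",
}

if __name__ == "__main__":
    for label, replies in (("leaky", LEAKY_POSTFIX), ("hardened", HARDENED_POSTFIX)):
        leaks, categories = vrfy_leaks_accounts(replies)
        print(f"{label}: leaks={leaks} {categories}")
```

The decision rule is deliberately simple: the server leaks account information whenever two probe names receive different classes of reply, whatever the individual codes are, which is exactly what smtp-enum-users and smtp-user-enum exploit. Disabling VRFY (and EXPN) on the server, as in the hardened set, removes the difference.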

Firewall identification

When the target is hidden behind a firewall, scan the ports that are open on the firewall and examine the packets that come back; from them it may be possible to tell whether a port is being filtered by the firewall. "A filtered port is not a port on the firewall itself but an ephemeral port from which an internal host originated a request." There are many kinds of devices, though, so the result carries some error. How to judge: four cases (figure: http://img.blog.csdn.net/20160912224355136?watermark/2/text/ahr0cdovl2jsb2cuy3nkbi5uzxqv/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/gravity/southeast). Python script scan:
    #!/usr/bin/python
    # Requires scapy and root privileges (raw sockets).
    from scapy.all import *
    import logging
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
    import sys

    if len(sys.argv) != 3:
        print("Usage - ./firewalk_scan.py [Target IP] [Target Port]")
        print("Example - ./firewalk_scan.py 1.1.1.1 443")
        print("Example would determine if filtering exists on port 443 of host 1.1.1.1")
        sys.exit()

    ip = sys.argv[1]
    port = int(sys.argv[2])

    # Send a bare ACK and a bare SYN to the port and keep the first reply to each
    ack_response = sr1(IP(dst=ip)/TCP(dport=port, flags="A"), timeout=1, verbose=0)
    syn_response = sr1(IP(dst=ip)/TCP(dport=port, flags="S"), timeout=1, verbose=0)

    if ack_response is None and syn_response is None:
        # neither probe was answered: stateless filtering, or the host is down
        print("Port is either unstatefully filtered or host is down")
    elif ack_response is None or syn_response is None:
        # exactly one probe was answered: a stateful device dropped the other
        print("Stateful filtering in place")      # firewall online
    elif int(syn_response[TCP].flags) == 18:      # 0x12 = SYN/ACK
        print("Port is unfiltered and open")
    elif int(syn_response[TCP].flags) == 20:      # 0x14 = RST/ACK
        print("Port is unfiltered and closed")
    else:
        print("Unable to determine if the port is filtered")

Identifying the firewall with Nmap
    root@kali:~# nmap -p22 192.168.1.141 -sA
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 23:18 CST
    Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
    Host is up (0.00021s latency).
    PORT   STATE      SERVICE
    22/tcp unfiltered ssh
    MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)

    Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
The firewall type is matched according to how the target responds to the SYN and ACK packets (-sA is Nmap's ACK scan).

Load Balancing Identification

By the geographic structure of its deployment, load balancing is divided into local load balancing and global load balancing (also called geo-load balancing). Local load balancing is load balancing across a local server farm; global load balancing is load balancing across server groups placed in different geographic locations with different network architectures. It provides an inexpensive and effective way to extend the bandwidth of network devices and servers, increase throughput, enhance network data processing capability, and improve network flexibility and availability. In short, DNS load balancing means that the same domain name resolves to different IP addresses. Categories: http://lusongsong.com/reed/158.html. Load balancing for Web services often uses Nginx or Apache (application-layer load balancing). LBD (pass a domain name directly, or an IP address):
    root@kali:~# lbd www.baidu.com

    lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                        Written by Stefan Behte (http://ge.mine.nu)
                                        Proof-of-concept! Might give false positives.

    Checking for DNS-Loadbalancing: FOUND
    www.a.shifen.com has address 14.215.177.38
    www.a.shifen.com has address 14.215.177.37

    Checking for HTTP-Loadbalancing [Server]:        # application-layer load balancing
     BFE/1.0.8.18
     NOT FOUND

    Checking for HTTP-Loadbalancing [Date]: 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, NOT FOUND

    Checking for HTTP-Loadbalancing [Diff]: FOUND
    < Last-Modified: Mon, June 02:50:17 GMT
    > Last-Modified: Mon, June 02:50:12 GMT
    < ETag: "575e1f69-115"
    > ETag: "575e1f64-115"

    www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
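As an added illustration (not lbd's code and not from the original post), the script below reproduces the reasoning behind lbd's three checks on constructed data modelled on the run above: several A records for one name (DNS), a Server header that changes between requests (HTTP[Server]), and any other header that changes between otherwise identical requests (HTTP[Diff]). Date is excluded because it changes on every request anyway, which is why lbd checks it separately.

```python
"""Detect load balancing from DNS answers and HTTP header drift.

Added example, not lbd's own code.  The address list and response headers
below are constructed; the single-origin sample uses an RFC 5737 test address.
"""

IGNORED_HEADERS = {"date"}   # expected to differ between requests


def varying_headers(responses):
    """Return {header-name: sorted values} for headers whose value is not constant.

    responses: list of dicts (header name -> value), one per request.
    A header missing from some responses counts as varying (recorded as "").
    """
    names = {name.lower() for headers in responses for name in headers}
    drift = {}
    for name in sorted(names - IGNORED_HEADERS):
        values = set()
        for headers in responses:
            lowered = {k.lower(): v for k, v in headers.items()}
            values.add(lowered.get(name, ""))
        if len(values) > 1:
            drift[name] = sorted(values)
    return drift


def lbd_verdict(a_records, responses):
    """Return (methods, drift): the lbd-style methods that flagged balancing."""
    methods = []
    if len(set(a_records)) > 1:
        methods.append("DNS")
    drift = varying_headers(responses)
    if "server" in drift:
        methods.append("HTTP[Server]")
    if any(name != "server" for name in drift):
        methods.append("HTTP[Diff]")
    return methods, drift


# Constructed sample modelled on the lbd run above (dates completed for illustration).
BAIDU_LIKE_A_RECORDS = ["14.215.177.38", "14.215.177.37"]
BAIDU_LIKE_RESPONSES = [
    {"Server": "BFE/1.0.8.18", "Date": "Mon, 12 Sep 2016 07:36:24 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:17 GMT", "ETag": '"575e1f69-115"'},
    {"Server": "BFE/1.0.8.18", "Date": "Mon, 12 Sep 2016 07:36:25 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:12 GMT", "ETag": '"575e1f64-115"'},
]
# Constructed: a single origin answering consistently; only Date moves, so nothing is flagged.
SINGLE_ORIGIN_RESPONSES = [
    {"Server": "nginx", "Date": "Mon, 12 Sep 2016 07:40:00 GMT", "ETag": '"abc-1"'},
    {"Server": "nginx", "Date": "Mon, 12 Sep 2016 07:40:01 GMT", "ETag": '"abc-1"'},
]

if __name__ == "__main__":
    methods, drift = lbd_verdict(BAIDU_LIKE_A_RECORDS, BAIDU_LIKE_RESPONSES)
    print("methods:", methods, "drifting headers:", drift)
    print(lbd_verdict(["203.0.113.10"], SINGLE_ORIGIN_RESPONSES))
```

Run against your own cluster, the drift dictionary shows exactly which headers give the back-ends away; ETag and Last-Modified values that differ between otherwise identical nodes also defeat shared caches, so synchronising file timestamps across the farm removes both the fingerprint and the cache misses.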

WAF identification

WAF (Web Application Firewall) is called "Web application firewall" in Chinese; in the internationally accepted phrasing, a WAF is a product that provides protection specifically for Web applications by enforcing a series of security policies on HTTP/HTTPS. From this definition it is clear that a WAF is a product that works at the application layer and protects Web applications through specific security policies. WAF defence in practice: http://secsky.sinaapp.com/216.html. Rule-based WAF filtering "can be bypassed"; WAFs based on machine learning combined with lexical and syntactic analysis will become mainstream and can in effect stop all SQL injection. Tool: wafw00f
    root@kali:~# wafw00f -l                # list the WAFs it can detect
    [ASCII-art banner omitted]
    WAFW00F - Web Application Firewall Detection Tool
    By Sandro Gauci && Wendel G. Henrique

    Can test for these WAFs:

    Profense
    NetContinuum
    Barracuda
    HyperGuard
    BinarySec
    Teros
    F5 Trafficshield
    F5 ASM
    Airlock
    Citrix NetScaler
    ModSecurity
    IBM Web Application Security
    IBM DataPower
    DenyAll
    dotDefender
    webApp.secure
    BIG-IP
    URLScan
    WebKnight
    SecureIIS
    Imperva
    ISA Server

    root@kali:~# wafw00f http://www.microsoft.com
    [ASCII-art banner omitted]
    WAFW00F - Web Application Firewall Detection Tool
    By Sandro Gauci && Wendel G. Henrique

    Checking http://www.microsoft.com
    Generic Detection results:
    The site http://www.microsoft.com seems to be behind a WAF
    Reason: The server returned a different response code when a string trigged the blacklist.
    Normal response code is "a", while the response code to an attack is "403"
    Number of requests: 16
Detecting a WAF with Nmap
    root@kali:~# nmap www.microsoft.com --script=http-waf-detect.nse
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 23:51 CST
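As an added example (not wafw00f's code and not from the original post), the script below reproduces the verdict logic of wafw00f's "generic detection" on constructed HTTP exchanges. Generic detection needs no product signature: it compares the status code returned to ordinary requests with the status code returned when one request carries a string a blacklist would match (in the run above, "403" on the attack request after 16 requests). The product-name check uses the names from the wafw00f -l list as plain substrings of the Server header; that matching is an assumption of this example, not wafw00f's real signature set.

```python
"""Reproduce wafw00f-style generic WAF detection on constructed HTTP exchanges.

Added example, not wafw00f's own code.  All exchanges below are constructed;
the Server header values are placeholders.
"""
from collections import Counter

# Product names taken from the wafw00f -l list above, lower-cased for matching (assumption).
KNOWN_WAF_NAMES = [
    "profense", "netcontinuum", "barracuda", "hyperguard", "binarysec", "teros",
    "trafficshield", "airlock", "netscaler", "modsecurity", "mod_security", "datapower",
    "denyall", "dotdefender", "webapp.secure", "big-ip", "urlscan", "webknight",
    "secureiis", "imperva", "isa server",
]


def baseline_status(exchanges):
    """Most frequent status code among the ordinary ('normal') requests, or None."""
    counts = Counter(e["status"] for e in exchanges if e["kind"] == "normal")
    return counts.most_common(1)[0][0] if counts else None


def generic_detection(exchanges):
    """Return a wafw00f-style verdict for a list of exchanges.

    exchanges: [{"kind": "normal" | "probe", "status": int, "headers": {...}}, ...]
    'probe' marks the request that carried a blacklist-matching string; the
    string itself plays no part in the decision.
    """
    base = baseline_status(exchanges)
    reasons = []
    # Signal 1: the probe request got a different status code than ordinary traffic.
    for e in exchanges:
        if e["kind"] == "probe" and base is not None and e["status"] != base:
            reasons.append(
                f"The server returned a different response code when a string "
                f"triggered the blacklist. Normal response code is \"{base}\", "
                f"while the response code to an attack is \"{e['status']}\"")
            break
    # Signal 2: a Server header naming a product from the wafw00f -l list.
    for e in exchanges:
        server = e["headers"].get("Server", "").lower()
        hit = next((n for n in KNOWN_WAF_NAMES if n in server), None)
        if hit:
            reasons.append(f"Server header names a known WAF product: {hit}")
            break
    return {"behind_waf": bool(reasons), "reasons": reasons, "requests": len(exchanges)}


# Constructed: 15 ordinary requests answered 200, the 16th (the probe) answered 403.
WAF_LIKE = [{"kind": "normal", "status": 200, "headers": {"Server": "ExampleHTTPd/1.0"}}] * 15 \
         + [{"kind": "probe", "status": 403, "headers": {"Server": "ExampleHTTPd/1.0"}}]
# Constructed: an unprotected origin that answers the probe like any other request.
NO_WAF = [{"kind": "normal", "status": 200, "headers": {"Server": "ExampleHTTPd/1.0"}}] * 15 \
       + [{"kind": "probe", "status": 200, "headers": {"Server": "ExampleHTTPd/1.0"}}]

if __name__ == "__main__":
    for label, sample in (("waf-like", WAF_LIKE), ("no-waf", NO_WAF)):
        print(label, generic_detection(sample))
```

Seen from the defending side, the first signal is also why a WAF that answers blocked requests with a distinctive code or page is easy to fingerprint; returning the same status and a generic body for blocked and ordinary requests removes that difference without weakening the filtering.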


Little White Diary, to be continued ...
