Port Scan analysis (I) Common network-related commands


Sender: heway (tao), board: internet_program
Subject: Port scan analysis (I): common network-related commands
Posting site: migration to the cloud (Sun Mar 19 14:47:35 2000)

Source/Author: Oliver
A port is a potential communication channel, and therefore also a potential intrusion channel. Port-scanning the target computer yields a great deal of useful information. There are many ways to scan, either by hand or with port-scanning software. When scanning by hand you need to be familiar with the various commands and analyze the output each one produces; when scanning with software, many scanners analyze the data for you. Through port scanning you can collect much useful information and detect security vulnerabilities in the system.

Below we first introduce several common network commands, then explain the principle of port scanning, and finally provide a simple scanning program.

I. Several common network-related commands

1. The ping command

ping is often used to diagnose TCP/IP networks. It sends a packet to the target computer, which sends the packet back. If the returned packet is the same as the one sent, the ping succeeded. By analyzing the returned data you can determine whether the computer is up and how long it takes for a packet to reach it and for the response to come back.

The basic format of the ping command is:

ping hostname

where hostname is the address of the target computer. ping also has many advanced options; here is an example.

C:\> ping -f hostname

This command sends a large amount of data to the target machine, keeping the target computer busy responding. On a Windows 95 computer, use the following:

C:\Windows\ping -l 65510 saddam_hussein's.computer.mil

After this, the target computer may hang or restart, because -l 65510 generates a huge packet: the request to echo the same packet back leaves the target computer unable to respond. On a Linux computer you can write a program that does the same thing.
#include <stdio.h>
#include <stdlib.h>             /* exit() */
#include <strings.h>            /* bzero(), bcopy() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>          /* inet_addr(), inet_ntoa() */
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/*
 * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
 * This is probably only Linux.
 */
#ifdef REALLY_RAW
#define FIX(x)  htons(x)
#else
#define FIX(x)  (x)
#endif

int
main(int argc, char **argv)
{
    int s;
    char buf[1500];
    struct ip *ip = (struct ip *)buf;
    struct icmp *icmp = (struct icmp *)(ip + 1);
    struct hostent *hp;
    struct sockaddr_in dst;
    int offset;
    int on = 1;

    bzero(buf, sizeof buf);

    /* raw socket; IP_HDRINCL means we supply the IP header ourselves */
    if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
        perror("socket");
        exit(1);
    }
    if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc != 2) {
        fprintf(stderr, "usage: %s hostname\n", argv[0]);
        exit(1);
    }
    if ((hp = gethostbyname(argv[1])) == NULL) {
        if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) {
            fprintf(stderr, "%s: unknown host\n", argv[1]);
            exit(1);
        }
    } else {
        bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
    }
    printf("Sending to %s\n", inet_ntoa(ip->ip_dst));

    ip->ip_v = 4;
    ip->ip_hl = sizeof *ip >> 2;        /* header length in 32-bit words */
    ip->ip_tos = 0;
    ip->ip_len = FIX(sizeof buf);
    ip->ip_id = htons(4321);
    ip->ip_off = FIX(0);
    ip->ip_ttl = 255;
    ip->ip_p = 1;                       /* IPPROTO_ICMP */
    ip->ip_sum = 0;                     /* kernel fills in */
    ip->ip_src.s_addr = 0;              /* kernel fills in */

    dst.sin_addr = ip->ip_dst;
    dst.sin_family = AF_INET;

    icmp->icmp_type = ICMP_ECHO;
    icmp->icmp_code = 0;
    icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
                /* the checksum of all 0's is easy to compute */

    /* emit fragments of 1480 payload bytes each; ip_off is in 8-byte units */
    for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
        ip->ip_off = FIX(offset >> 3);
        if (offset < 65120)
            ip->ip_off |= FIX(IP_MF);
        else
            ip->ip_len = FIX(418);      /* make total 65538 */
        if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
                   sizeof dst) < 0) {
            fprintf(stderr, "offset %d: ", offset);
            perror("sendto");
        }
        /* only the first fragment carries the ICMP header; the rest are data */
        if (offset == 0) {
            icmp->icmp_type = 0;
            icmp->icmp_code = 0;
            icmp->icmp_cksum = 0;
        }
    }
    return 0;
}
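The program above works by fragmenting an ICMP echo request so that the reassembled datagram exceeds the 65535-byte limit of IPv4; the Windows `ping -l 65510` above has the same effect, since 65510 bytes of data plus the 8-byte ICMP header and the 20-byte IP header is 65538 bytes. The check a firewall or IDS applies to catch this is simple: for every fragment, header length + fragment offset + payload length must not exceed 65535. The Python below is an added example, not code from the original post: it decodes the IPv4 header fields with `struct`, applies that check, and runs it over a constructed replica of the fragment sequence the program sends. The addresses and all function names are my own.

```python
import struct
from typing import Any, Dict, List

# Constructed placeholder addresses; they are not from the original post.
SRC_ADDR = "192.0.2.10"
DST_ADDR = "192.0.2.20"
IPV4_MAX_TOTAL_LEN = 65535           # ceiling of the 16-bit total-length field
HDR_FMT = "!BBHHHBBH4s4s"            # the fixed 20-byte IPv4 header


def build_ipv4_header(total_len: int, frag_offset: int, more_fragments: bool,
                      ident: int = 4321, proto: int = 1) -> bytes:
    """Construct a 20-byte IPv4 header as test input (checksum left at 0).

    frag_offset is given in bytes and must be a multiple of 8, because the
    wire field counts 8-byte units, exactly like ip_off >> 3 in the C code.
    """
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    ver_ihl = (4 << 4) | 5
    flags_frag = (frag_offset >> 3) | (0x2000 if more_fragments else 0)
    src = bytes(int(o) for o in SRC_ADDR.split("."))
    dst = bytes(int(o) for o in DST_ADDR.split("."))
    return struct.pack(HDR_FMT, ver_ihl, 0, total_len, ident, flags_frag,
                       255, proto, 0, src, dst)


def parse_ipv4_header(pkt: bytes) -> Dict[str, Any]:
    """Decode the header fields a reassembly check needs from a raw IPv4 packet.

    Only the header is inspected; the payload length is derived from the
    header's total-length field, as a reassembler would do.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _cksum, src, dst) = struct.unpack(HDR_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),            # More Fragments flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # back to bytes
        "payload_len": total_len - ihl,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def reassembled_size(hdr: Dict[str, Any]) -> int:
    """Size the datagram reaches once this fragment is placed:
    one IP header plus the fragment's offset plus its payload."""
    return hdr["ihl"] + hdr["frag_offset"] + hdr["payload_len"]


def is_oversized_fragment(hdr: Dict[str, Any]) -> bool:
    """The ping-of-death condition: the fragment ends past 65535 bytes."""
    return reassembled_size(hdr) > IPV4_MAX_TOTAL_LEN


def find_oversized(packets: List[bytes]) -> List[int]:
    """Return the byte offsets of every fragment that would overflow its
    datagram; an empty list means the stream passes the check."""
    return [h["frag_offset"] for h in map(parse_ipv4_header, packets)
            if is_oversized_fragment(h)]


def ping_of_death_stream() -> List[bytes]:
    """Constructed replica of the fragment sequence the C program emits:
    1500-byte fragments at 1480-byte steps with MF set, then a final
    418-byte fragment at offset 65120, for a 65538-byte datagram."""
    return [build_ipv4_header(1500, off, True) if off < 65120
            else build_ipv4_header(418, off, False)
            for off in range(0, 65536, 1480)]


if __name__ == "__main__":
    print("oversized fragments at byte offsets:",
          find_oversized(ping_of_death_stream()))
    # The largest legal datagram: 20 + 65120 + 395 = 65535 bytes, not flagged.
    print("legal maximum flagged:",
          find_oversized([build_ipv4_header(415, 65120, False)]))
```

The check is stateless, which is why it is cheap enough for an inline filter: a fragment betrays an overflow on its own, without waiting for the other pieces, because its offset and length already say where it will end.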
2. The tracert command

tracert traces the path from one computer to another, for example from your computer to the Zhejiang Information Supermarket. In a DOS window the command looks like this:

C:\Windows> tracert 202.96.102.4
Tracing route to 202.96.102.4 over a maximum of 30 hops
1 84 ms 82 ms 95 ms 202.96.101.57
2 100 ms 100 ms 95 ms 0fa1.1-rtr1-a-hz1.zj.cn.net [202.96.101.33]
3 95 ms 90 ms 100 ms 202.101.165.1
4 90 ms 90 ms 90 ms 202.107.197.98
5 95 ms 90 ms 99 ms 202.96.102.4
6 90 ms 95 ms 100 ms 202.96.102.4
Trace complete.

What does this output mean? The number on the left is the hop number, counting the computers the route passes through. A time such as "150 ms" is the round-trip time for a probe to that hop. Because each round trip takes a different amount of time, tracert shows three round-trip times per hop. A "*" means the round trip took too long and tracert gave up waiting for it. After the timing information comes the identity of the computer, first in a form that is easy for people to read (the host name) and then in numeric form (the IP address).
C:\Windows> tracert 152.163.199.56
Tracing route to dns-aol.ANS.NET [198.83.210.28] over a maximum of 30 hops:
1 124 ms 106 ms 105 ms 202.96.101.57
2 95 ms 95 ms 90 ms 0fa1.1-rtr1-a-hz1.zj.cn.net [202.96.101.33]
3 100 ms 90 ms 100 ms 202.101.165.1
4 90 ms 95 ms 202.97.18.241
5 105 ms 105 ms 100 ms 202.97.18.93
6 100 ms 99 ms 100 ms 202.97.10.37
7 135 ms 98 ms 100 ms 202.97.9.78
8 760 ms 725 ms 768 ms gip-ftworth-4-serial8-3.gip.net [204.59.178.53]
9 730 ms 750 ms 715 ms gip-ftworth-4-serial8-3.gip.net [204.59.178.53]
10 750 ms 785 ms 772 ms 144.232.11.9
11 740 ms 800 ms 735 ms sl-bb11-pen-2-0.sprintlink.NET [144.232.8.158]
12 790 ms 800 ms 735 ms sl-nap2-pen-4-0-0.sprintlink.net [144.232.5.66]
13 770 ms 800 ms 800 ms p219.t3.ans.net [192.157.69.13]
14 775 ms 820 ms 780 ms h14-1.t60-6.Reston.t3.ANS.NET [140.223.17.18]
15 780 ms 800 ms 800 ms h11-1.t60-2.Reston.t3.ANS.NET [140.223.25.34]
16 790 ms 795 ms 800 ms h14-1.t104-0.Atlanta.t3.ANS.NET [140.223.65.18]
17 * h14-1.t104-0.Atlanta.t3.ANS.NET [140.223.65.18] reports: Destination Host unreachable.
Trace complete.
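Anyone who runs tracert regularly ends up parsing this output rather than reading it by eye. The Python below is an added example, not part of the original post: it tokenizes the per-hop lines, handling "*" timeouts, hops that report fewer than three times (hop 4 above) and the "reports: Destination Host unreachable." message on the last hop, then finds the hops where latency jumps sharply (hop 8 above, where the path leaves the domestic network) and the hops reporting unreachability. The sample text is the second tracert session above; the function names are my own.

```python
from typing import Any, Dict, List, Optional

# Transcribed from the second tracert session above (not constructed).
TRACERT_OUTPUT = """\
Tracing route to dns-aol.ANS.NET [198.83.210.28] over a maximum of 30 hops:
1 124 ms 106 ms 105 ms 202.96.101.57
2 95 ms 95 ms 90 ms 0fa1.1-rtr1-a-hz1.zj.cn.net [202.96.101.33]
3 100 ms 90 ms 100 ms 202.101.165.1
4 90 ms 95 ms 202.97.18.241
5 105 ms 105 ms 100 ms 202.97.18.93
6 100 ms 99 ms 100 ms 202.97.10.37
7 135 ms 98 ms 100 ms 202.97.9.78
8 760 ms 725 ms 768 ms gip-ftworth-4-serial8-3.gip.net [204.59.178.53]
9 730 ms 750 ms 715 ms gip-ftworth-4-serial8-3.gip.net [204.59.178.53]
10 750 ms 785 ms 772 ms 144.232.11.9
11 740 ms 800 ms 735 ms sl-bb11-pen-2-0.sprintlink.NET [144.232.8.158]
12 790 ms 800 ms 735 ms sl-nap2-pen-4-0-0.sprintlink.net [144.232.5.66]
13 770 ms 800 ms 800 ms p219.t3.ans.net [192.157.69.13]
14 775 ms 820 ms 780 ms h14-1.t60-6.Reston.t3.ANS.NET [140.223.17.18]
15 780 ms 800 ms 800 ms h11-1.t60-2.Reston.t3.ANS.NET [140.223.25.34]
16 790 ms 795 ms 800 ms h14-1.t104-0.Atlanta.t3.ANS.NET [140.223.65.18]
17 * h14-1.t104-0.Atlanta.t3.ANS.NET [140.223.65.18] reports: Destination Host unreachable.
Trace complete.
"""


def _is_ipv4(token: str) -> bool:
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def parse_tracert(text: str) -> List[Dict[str, Any]]:
    """Parse tracert output into one record per hop.

    rtts holds the round-trip times in ms, with None for each '*' timeout.
    Lines that do not start with a hop number (banner, 'Trace complete.')
    are skipped.
    """
    hops = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or not toks[0].isdigit():
            continue
        rtts: List[Optional[int]] = []
        i = 1
        while i < len(toks):                    # consume the timing columns
            if toks[i] == "*":
                rtts.append(None)
                i += 1
            elif toks[i].isdigit() and i + 1 < len(toks) and toks[i + 1].lower() == "ms":
                rtts.append(int(toks[i]))
                i += 2
            else:
                break
        rest = toks[i:]
        host = ip = note = None
        if rest:
            if _is_ipv4(rest[0]):
                ip = rest[0]                    # no reverse DNS: numeric only
            else:
                host = rest[0]
            rest = rest[1:]
            if rest and rest[0].startswith("[") and rest[0].endswith("]"):
                ip = rest[0][1:-1]
                rest = rest[1:]
            if rest and rest[0] == "reports:":
                note = " ".join(rest[1:])
        hops.append({"hop": int(toks[0]), "rtts": rtts,
                     "host": host, "ip": ip, "note": note})
    return hops


def min_rtt(hop: Dict[str, Any]) -> Optional[int]:
    """Best round-trip time seen for a hop, or None if every probe timed out."""
    answered = [r for r in hop["rtts"] if r is not None]
    return min(answered) if answered else None


def latency_jumps(hops: List[Dict[str, Any]], factor: int = 3) -> List[int]:
    """Hop numbers whose best RTT is at least `factor` times the previous
    answering hop's best RTT: the point where the path leaves a fast region."""
    jumps, prev = [], None
    for hop in hops:
        cur = min_rtt(hop)
        if cur is None:
            continue
        if prev is not None and cur >= factor * prev:
            jumps.append(hop["hop"])
        prev = cur
    return jumps


def unreachable_hops(hops: List[Dict[str, Any]]) -> List[int]:
    """Hops that reported an ICMP unreachable message instead of an answer."""
    return [h["hop"] for h in hops
            if h["note"] and "unreachable" in h["note"].lower()]


HOPS = parse_tracert(TRACERT_OUTPUT)

if __name__ == "__main__":
    for h in HOPS:
        print(h["hop"], min_rtt(h), h["host"] or h["ip"], h["note"] or "")
    print("latency jumps at hops:", latency_jumps(HOPS))
    print("unreachable reported at hops:", unreachable_hops(HOPS))
```

Using the minimum rather than the average per hop is deliberate: queueing delay only ever adds to a probe's time, so the minimum is the closest estimate of the path's propagation delay and is what makes the jump at hop 8 stand out cleanly.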
3. rusers and finger

Both are Unix commands. With them you can collect information about the users on the target computer. The output of rusers looks like this:

gajake   snark.wizard.com:ttyp1  Nov 13 (remote)
root     snark.wizard.com:ttyp2  Nov 13 (remote)
robo     snark.wizard.com:ttyp3  Nov 15 0:04 01 (remote)
angel111 snark.wizard.com:ttyp4  Nov 14 23:09 (remote)
pippen   snark.wizard.com:ttyp6  Nov 14 :05 (remote)
root     snark.wizard.com:ttyp5  Nov 13 (remote)
gajake   snark.wizard.com:ttyp7  Nov 14 (remote)
dafr     snark.wizard.com:ttyp15 Nov 3 (remote)
dafr     snark.wizard.com:ttyp1  Nov 14 (remote)
dafr     snark.wizard.com:ttyp19 Nov 14 (remote)

The leftmost column is the user name of the remote login. The output also includes the last login time, the shell type used, and so on.
Using finger produces output similar to the following:

user S00 PPP ppp-122-pm1.wiza Thu Nov 14 21:29:30 - still logged in
user S15 PPP ppp-119-pm1.wiza Thu Nov 14 22:16:35 - still logged in
user S04 PPP ppp-121-pm1.wiza Fri Nov 15 00:03:22 - still logged in
user S03 PPP ppp-112-pm1.wiza Thu Nov 14 22:20:23 - still logged in
user S26 PPP ppp-124-pm1.wiza Fri Nov 15 01:26:49 - still logged in
user S25 PPP ppp-102-pm1.wiza Thu Nov 14 23:18:00 - still logged in
user S17 PPP ppp-115-pm1.wiza Thu Nov 14 07:45:00 - still logged in
user S-1 0.0.0.0 Sat Aug 10 15:50:03 - still logged in
user S23 PPP ppp-103-pm1.wiza Fri Nov 15 00:13:53 - still logged in
user S12 PPP ppp-111-pm1.wiza Wed Nov 13 16:58:12 - still logged in

This command displays user status. finger is built on the client/server model: the user sends a request through the client program to the server, and the client then interprets the returned information and presents it to the user. Usually a program called fingerd supplies the information to the client, according to how the server machine is configured. To protect this personal information, many servers do not provide this service at all, or return only irrelevant information.
4. The host command

host is a Unix command with the same function as a standard nslookup query; the only difference is that host's output is easier to understand. The host command is dangerous. The following example shows a host query:

host -l -v -t any bu.edu

This command produces a great deal of information, including much data about the operating systems, machines and network. Let's look at the basic information first:
Found 1 addresses for bu.edu
Found 1 addresses for rs0.internic.net
Found 1 addresses for software.bu.edu
Found 5 addresses for rs.internic.net
Found 1 addresses for nsegc.bu.edu
Trying 128.197.27.7
bu.edu 86400 IN SOA bu.edu hostmaster.bu.edu (
    961112121 ; serial (version)
    900       ; refresh period
    900       ; retry refresh this often
    604800    ; expiration period
    86400     ; minimum TTL
)
bu.edu 86400 IN NS software.bu.edu
bu.edu 86400 IN NS rs.internic.net
bu.edu 86400 IN NS nsegc.bu.edu
bu.edu 86400 IN A 128.197.27.7
These lines are not dangerous: they only list some machines and their DNS servers, which you could also retrieve with whois or from the domain's registration site. But look at the following lines:
bu.edu 86400 IN HINFO SUN-SPARCSTATION-10/41 Unix
ppp-77-25.bu.edu 86400 IN A 128.197.7.237
ppp-77-25.bu.edu 86400 IN HINFO PPP-HOST PPP-SW
ppp-77-26.bu.edu 86400 IN A 128.197.7.238
ppp-77-26.bu.edu 86400 IN HINFO PPP-HOST PPP-SW
odie.bu.edu 86400 IN A 128.197.10.52
odie.bu.edu 86400 IN MX 10 cs.bu.edu
odie.bu.edu 86400 IN HINFO DEC-ALPHA-3000/300LX OSF1
From this we immediately learn that odie is a DEC Alpha running the OSF/1 operating system. Let's look further:
strauss.bu.edu 86400 IN HINFO PC-PENTIUM DOS/Windows
burullus.bu.edu 86400 IN HINFO SUN-3/50 Unix (ouch)
georgetown.bu.edu 86400 IN HINFO Macintosh Mac-OS
cheezwiz.bu.edu 86400 IN HINFO SGI-INDIGO-2 Unix
pollux.bu.edu 86400 IN HINFO SUN-4/20-SPARCSTATION-SLC Unix
sfa109-pc201.bu.edu 86400 IN HINFO PC MS-DOS/Windows
uh-pc002-ct.bu.edu 86400 IN HINFO PC-CLONE MS-DOS
software.bu.edu 86400 IN HINFO SUN-SPARCSTATION-10/30 Unix
cabmac.bu.edu 86400 IN HINFO Macintosh Mac-OS
vidual.bu.edu 86400 IN HINFO SGI-INDY IRIX
kiosk-gb.bu.edu 86400 IN HINFO GATORBOX GATORWARE
clarinet.bu.edu 86400 IN HINFO VISUAL-X-19-TURBO X-SERVER
duncan.bu.edu 86400 IN HINFO DEC-ALPHA-3000/400 OSF1
milhouse.bu.edu 86400 IN HINFO VAXSTATION-II/GPX Unix
psy81-pc150.bu.edu 86400 IN HINFO PC Windows-95
buphyc.bu.edu 86400 IN HINFO VAX-4000/300 OpenVMS
As you can see, anyone can collect important information about every machine in a domain just by typing one command at the command line, and it takes only 3 seconds.
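Before allowing a zone to be transferred, an administrator can audit it for exactly the records this section shows leaking. The Python below is an added example, not code from the original post: it parses zone data in the "name TTL IN TYPE rdata" layout that host prints, skipping the multi-line SOA continuation, and reports every HINFO record together with an inventory of the operating systems they disclose. The sample records are transcribed from the output above (a subset, names lower-cased); the function names are my own. Removing the HINFO records and limiting zone transfers to the domain's own secondary servers is the usual remedy.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Zone data transcribed from the host output above (a subset of the records,
# names lower-cased), in host's "name TTL IN TYPE rdata" layout.
ZONE_DUMP = """\
bu.edu 86400 IN SOA bu.edu hostmaster.bu.edu (
        961112121 ; serial (version)
        900 ; refresh period
        900 ; retry refresh this often
        604800 ; expiration period
        86400 ; minimum TTL
        )
bu.edu 86400 IN NS software.bu.edu
bu.edu 86400 IN NS rs.internic.net
bu.edu 86400 IN A 128.197.27.7
bu.edu 86400 IN HINFO SUN-SPARCSTATION-10/41 Unix
ppp-77-25.bu.edu 86400 IN A 128.197.7.237
ppp-77-25.bu.edu 86400 IN HINFO PPP-HOST PPP-SW
odie.bu.edu 86400 IN A 128.197.10.52
odie.bu.edu 86400 IN MX 10 cs.bu.edu
odie.bu.edu 86400 IN HINFO DEC-ALPHA-3000/300LX OSF1
strauss.bu.edu 86400 IN HINFO PC-PENTIUM DOS/Windows
georgetown.bu.edu 86400 IN HINFO Macintosh Mac-OS
cheezwiz.bu.edu 86400 IN HINFO SGI-INDIGO-2 Unix
psy81-pc150.bu.edu 86400 IN HINFO PC Windows-95
buphyc.bu.edu 86400 IN HINFO VAX-4000/300 OpenVMS
"""


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: List[str]


def parse_zone_dump(text: str) -> List[Record]:
    """Parse 'name TTL IN TYPE rdata...' lines as printed by host -l -v.

    SOA continuation lines (the bracketed timer values) carry no IN class
    token in the third column and are skipped; ';' comments are dropped.
    """
    records = []
    for line in text.splitlines():
        toks = line.split(";", 1)[0].split()
        if len(toks) < 4 or toks[2].upper() != "IN" or not toks[1].isdigit():
            continue
        rdata = [t for t in toks[4:] if t != "("]       # SOA opens a bracket
        records.append(Record(toks[0].lower().rstrip("."), int(toks[1]),
                              toks[3].upper(), rdata))
    return records


def records_by_type(records: List[Record]) -> Counter:
    """Count of records per type, e.g. how many HINFO lines the zone carries."""
    return Counter(r.rtype for r in records)


def hinfo_exposure(records: List[Record]) -> Dict[str, Tuple[str, str]]:
    """Map each host with an HINFO record to the (hardware, OS) pair it
    publishes: the fields that tell an outsider what each machine runs, and
    the records to delete before a zone transfer can hand them out."""
    exposed = {}
    for r in records:
        if r.rtype == "HINFO" and len(r.rdata) >= 2:
            exposed[r.name] = (r.rdata[0], " ".join(r.rdata[1:]))
    return exposed


def os_inventory(records: List[Record]) -> Counter:
    """How many hosts advertise each operating-system string."""
    return Counter(os_name for _hw, os_name in hinfo_exposure(records).values())


def audit(records: List[Record]) -> List[str]:
    """Human-readable findings for the administrator."""
    exposed = hinfo_exposure(records)
    names = {r.name for r in records}
    findings = [f"{len(exposed)} of {len(names)} names publish HINFO"]
    for name, (hw, os_name) in sorted(exposed.items()):
        findings.append(f"  {name}: hardware={hw} os={os_name}")
    return findings


RECORDS = parse_zone_dump(ZONE_DUMP)

if __name__ == "__main__":
    print("\n".join(audit(RECORDS)))
    print("record types:", dict(records_by_type(RECORDS)))
    print("operating systems disclosed:", dict(os_inventory(RECORDS)))
```

Run against a full zone, the OS inventory doubles as a patch-planning list: every distinct operating-system string is a platform whose known vulnerabilities an outsider can look up, so the same report that shows what to remove from DNS also shows what must be kept patched.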
With the network commands above we can gather a great deal of useful information: the address of a domain's name server, the user names on a computer, which services a server is running, which software provides each service, and which operating system the computer runs.

Once the operating system and the service applications on the target computer are known, the vulnerabilities discovered in them can be used to launch an attack. If the network administrator of the target computer does not fix these vulnerabilities promptly, an intruder can easily break into the system, gain administrator privileges and leave a backdoor.

If the attacker obtains user names on the target computer, he can use password-cracking software to attempt to log on to the target computer repeatedly, and after enough attempts may get in. Having the user name is half the job; the rest is done by software alone.

--

###################################
### I am a dark cloud on the horizon ###
### Cover the sun and the moon ###
###################################

※ Source: freecity.dhs.org [from: heway]
