Service scanning goes beyond deciding whether a port is open. Many network services carry well-known high-risk vulnerabilities, so scanning for the specific service behind a port saves detours and raises the chance of a successful penetration. Once an open port is found, the service running on it is probed more deeply; this step is usually called service identification.

1. Banner grabbing (the simplest method, but also the least accurate)
Connect to the port on the server and read the banner it returns. The banner may be spoofed by the administrator. It usually names the software vendor, the software name, the service type and the version number, which map directly to known vulnerabilities; if you are not familiar with the software, looking that up takes a long time. A full TCP connection must be established to obtain the banner directly. Alternative ways to identify a service: 1) characteristic behaviour and response fields; 2) differences in responses can also be used to identify the underlying operating system.

nc
root@kali:~# nc -nv 192.168.1.107 80
(UNKNOWN) [192.168.1.107] 80 (http) open
get                                        # a request (such as GET) has to be sent here before the server answers
python (the socket module connects to a network service)

root@kali:~# python
Python 2.7.12+ (default, Sep 1, 20:27:38)
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket                                               # import the library
>>> banner = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # standard socket construction; SOCK_STREAM means a TCP connection
>>> banner.connect(("192.168.1.107", 21))                       # connect to the IP and port (21 is the FTP port, matching the vsFTPd banner)
>>> banner.recv(4096)                                           # receive the reply with recv()
'220 (vsFTPd 2.3.4)\r\n'                                        # the banner information
>>> banner.close()                                              # release the socket explicitly
>>> exit()                                                      # exit
Many systems do not send a banner at all; recv() then blocks indefinitely, so the script needs special handling for that case:
#!/usr/bin/env python3
import socket
import select
import sys

if len(sys.argv) != 4:
    print("Usage - ./banner_grab.py [target IP] [first port] [last port]")
    print("Example - ./banner_grab.py 1.1.1.1 1 100")
    print("Example will grab banners for TCP ports 1 through 100 on 1.1.1.1")
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):      # inclusive, so the last port is scanned too
    try:
        bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        bangrab.settimeout(1)            # do not hang on ports that never complete the handshake
        bangrab.connect((ip, port))
        # wait at most 1 second for data; a service that sends nothing unprompted
        # simply times out here instead of blocking recv() forever
        ready = select.select([bangrab], [], [], 1)
        if ready[0]:
            print("TCP Port " + str(port) + " - " + bangrab.recv(4096).decode(errors="replace").strip())
        bangrab.close()
    except (socket.error, OSError):
        pass
Other tools are needed afterwards to verify the result.

dmitry
root@kali:~# dmitry -pb 192.168.1.107      # -p port scan, -b grab banners
Deepmagic Information Gathering Tool
"There be some deep magic going on"

ERROR: Unable to locate Host Name for 192.168.1.107
Continuing with limited modules
HostIP:192.168.1.107
HostName:

Gathered TCP Port information for 192.168.1.107
---------------------------------

 Port       State

21/tcp      open
>> 220 (vsFTPd 2.3.4)

22/tcp      open
>> SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

23/tcp      open
>> ????  ??  #??'            # telnet option-negotiation bytes, not a text banner

25/tcp      open
>> 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

53/tcp      open

Portscan Finished: Scanned ports, 144 ports were in state closed

All scans completed, exiting
nmap

root@kali:~# nmap -sT 192.168.1.107 -p22 --script=banner.nse   # -p can also take a port range; banner.nse is the banner-grabbing script
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 22:30 CST
Nmap scan report for 192.168.1.107
Host is up (0.00062s latency).
PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds

ls | grep ***      # look up an available script by name in Nmap's script directory
amap (a tool dedicated to discovering the services behind open ports). Banner grabbing is the -B option; a port range can also be given, and grep can filter the results down to the open ports.

root@kali:~# amap -B 192.168.1.107 25
amap v5.4 (www.thc.org/thc-amap) started at 2016-09-11 22:36:05 - BANNER mode

Banner on 192.168.1.107:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n

amap v5.4 finished at 2016-09-11 22:36:05
2. Service identification

Banner grabbing is limited and not necessarily accurate. Once the application version behind a port is known, look up its vulnerabilities on the vendor's site, search for exploit code written for that version, or find vulnerabilities yourself by reverse engineering or fuzzing. nmap (based on its signature database; can be combined with other scripts): -sV   # high reliability
root@kali:~# nmap 192.168.1.107 -p1-100 -sV
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 22:40 CST
Nmap scan report for 192.168.1.107
Host is up (0.00017s latency).
Not shown: 94 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open  telnet  Linux telnetd
25/tcp open  smtp    Postfix smtpd
53/tcp open  domain  ISC BIND 9.4.2
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds
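The -sV table above is the record a defender keeps: which ports are open and what runs on them. The following script, an added example for this page and not part of Nmap, parses that PORT/STATE/SERVICE/VERSION table into structured records and compares them against an approved baseline, so that an unexpected service (here the FTP, telnet and SMTP daemons) shows up on its own. The sample report and the baseline are constructed, modelled on the output above.

```python
#!/usr/bin/env python3
"""Parse the PORT/STATE/SERVICE/VERSION table printed by `nmap -sV` and diff
the discovered services against an approved baseline.
Added example for this page, not Nmap's code; report and baseline are constructed."""

import re

# One row of the -sV table: "21/tcp open  ftp     vsftpd 2.3.4" (VERSION is optional).
ROW_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+?))?\s*$"
)

# Constructed report, modelled on the -sV output on this page; not a real capture.
SAMPLE_REPORT = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 22:40 CST
Nmap scan report for 192.168.1.107
Host is up (0.00017s latency).
Not shown: 94 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open  telnet  Linux telnetd
25/tcp open  smtp    Postfix smtpd
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)
"""

# Constructed baseline: the services this host is supposed to expose.
BASELINE = {(22, "tcp"): "ssh", (80, "tcp"): "http"}


def parse_sv_report(text):
    """Return one dict per port row; header, MAC and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "version": m.group("version") or "",   # "" when nmap printed no version
        })
    return rows


def diff_against_baseline(rows, baseline):
    """Return {'unexpected': open ports not in the baseline,
               'missing': baseline entries that were not seen open}."""
    seen = {(r["port"], r["proto"]): r for r in rows if r["state"] == "open"}
    unexpected = sorted(k for k in seen if k not in baseline)
    missing = sorted(k for k in baseline if k not in seen)
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    rows = parse_sv_report(SAMPLE_REPORT)
    for r in rows:
        print("%d/%s %-6s %-7s %s" % (r["port"], r["proto"], r["state"], r["service"], r["version"]))
    print(diff_against_baseline(rows, BASELINE))
```

The version string is kept whole rather than split, because nmap's VERSION column is free text ("Apache httpd 2.2.8 ((Ubuntu) DAV/2)") and the vendor lookup the text recommends works from the full string.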
amap (less detailed than nmap, but with advantages of its own; it can serve as a verification tool for nmap's results)

root@kali:~# amap 192.168.1.107 1-100 -qb    # -q: cleaner output (closed ports not reported); -b: print the banner
amap v5.4 (www.thc.org/thc-amap) started at 2016-09-11 22:44:17 - APPLICATION MAPPING mode

Protocol on 192.168.1.107:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Protocol on 192.168.1.107:22/tcp matches ssh-openssh - banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Protocol on 192.168.1.107:80/tcp matches http - banner:
3. Operating system identification

Identify the operating system: an operating system opens certain services by default, and old system versions carry vulnerabilities that are used for penetration and privilege escalation to obtain operating rights.

1. Initial TTL value: Windows 128 (observed values 65-128), Linux/Unix 64 (observed values 1-64), some Unix systems 255. [Router hijacking can also be detected from TTL values, and the hijack point located; keep in mind that TTL can be modified.]
#!/usr/bin/env python3
import logging
import sys
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)   # silence scapy's start-up warnings
from scapy.all import IP, ICMP, sr1

if len(sys.argv) != 2:
    print("Usage - ./ttl_os.py [IP address]")
    print("Example - ./ttl_os.py 1.1.1.1")
    print("Example will perform TTL analysis to attempt to determine whether the system is Windows or Linux/Unix")
    sys.exit()

ip = sys.argv[1]
ans = sr1(IP(dst=str(ip)) / ICMP(), timeout=1, verbose=0)   # one ICMP echo request, wait up to 1 s
if ans is None:
    print("No response was returned")
elif int(ans[IP].ttl) <= 64:        # Linux/Unix start at 64; the reply arrives at 64 minus the hop count
    print("Host is Linux/Unix")
else:                               # Windows starts at 128 (a 255-TTL Unix host also lands in this branch)
    print("Host is Windows")
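The script above only answers "Windows or Linux/Unix" and ignores the 255 case and the hop distance the text mentions. The following function, an added example for this page and not part of the original post, generalises the heuristic: it rounds an observed TTL up to the nearest initial value (64, 128 or 255, the values the text lists), derives the hop count from the difference, and, for a passive monitor such as p0f, flags a host whose successive packets disagree, which is what a modified TTL or a hijacked path looks like. The sample observations are constructed; it needs no scapy and no network.

```python
#!/usr/bin/env python3
"""Infer the likely initial TTL, OS family and hop distance from observed TTL
values. Added example for this page, not from the original post."""

# Initial TTL values as given in the text: Linux/Unix 64, Windows 128, some Unix 255.
INITIAL_TTLS = (64, 128, 255)

OS_BY_INITIAL_TTL = {
    64: "Linux/Unix",
    128: "Windows",
    255: "Unix/router (255 family)",
}


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common starting value.

    Each router on the path decrements TTL by one, so an observed 57 most
    likely started at 64 and crossed 7 hops, while 120 started at 128.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255, got %r" % (observed_ttl,))
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255  # not reached: 255 is the protocol maximum


def classify_ttl(observed_ttl):
    """Return (os_family, initial_ttl, hop_count) for one observed TTL."""
    initial = infer_initial_ttl(observed_ttl)
    return OS_BY_INITIAL_TTL[initial], initial, initial - observed_ttl


def ttl_report(samples):
    """Classify (host, observed_ttl) pairs into {host: {os, hops, consistent}}.

    Repeated samples from one host should agree. A mismatch (TTL 64 in one
    packet, 128 in the next from the same address) is marked inconsistent:
    that is the signature of a spoofed or modified TTL, or of a path that
    changed underneath the host.
    """
    report = {}
    for host, ttl in samples:
        family, _initial, hops = classify_ttl(ttl)
        entry = report.setdefault(host, {"os": family, "hops": hops, "consistent": True})
        if entry["os"] != family or entry["hops"] != hops:
            entry["consistent"] = False
    return report


if __name__ == "__main__":
    # Constructed sample observations, not real captures.
    SAMPLES = [
        ("192.0.2.10", 64),   # Linux/Unix, same LAN (0 hops)
        ("192.0.2.10", 64),
        ("192.0.2.20", 118),  # Windows, 10 hops away
        ("192.0.2.30", 250),  # 255-family device, 5 hops away
        ("192.0.2.40", 64),   # same host later seen at 128: flagged as inconsistent
        ("192.0.2.40", 128),
    ]
    for host, info in sorted(ttl_report(SAMPLES).items()):
        print(host, info)
```

The rounding rule is the same guess the one-line test in the script makes, written out so that its failure modes are explicit: a Linux host more than 64 hops away cannot occur in practice, but a 255-TTL device and a Windows host are only distinguishable once the observed value exceeds 128.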
2. nmap -O   # this option detects the host's operating system, combining it with port-based characteristics

root@kali:~# nmap -O 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 23:48 CST
Nmap scan report for dd-wrt (192.168.1.1)
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.8 - 2.6.30      # check on the vendor's site whether kernels in this range have buffer-overflow or similar vulnerabilities
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds
3. xprobe2 (dedicated to operating system identification; more detailed, but not very accurate)

root@kali:~# xprobe2 192.168.1.115

Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is 192.168.1.115
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] Modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.1.115. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.1.115. Module test failed
[-] No distance calculation. 192.168.1.115 appears to be dead or no ports known
[+] Host: 192.168.1.115 is up (Guess probability: 50%)
[+] Target: 192.168.1.115 is alive. Round-Trip Time: 0.00094 sec
[+] Selected safe Round-Trip Time value is: 0.00188 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP SP2" (Guess probability: 93%)
[+] Other guesses:
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 93%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 93%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP SP1" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 3" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 2" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 92%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
p0f: passive operating system identification based on packet analysis. It can be deployed at the network egress and detects hosts without sending anything.   # run it with no arguments for passive monitoring   # it may also reveal some certificate information

root@kali:~# p0f
--- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded signatures from 'p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.

• Can be combined with ARP spoofing to identify the operating system of every host on the network
4. Identification based on fingerprint information (more accurate)

nmap: carries a large amount of fingerprint information.

5. SNMP scanning (Simple Network Management Protocol)
# The server (agent) side listens on UDP port 161. Like DHCP, which uses UDP ports 67 and 68, SNMP is UDP-based, so there is no TCP banner to grab.

If SNMP is configured improperly it creates a vulnerability; it is the service that network administrators most easily overlook when configuring. There are two community strings: one read-only and one read-write.

SNMP is used to monitor network equipment such as switches, firewalls and servers: CPU load and other internal system information can basically all be monitored.

Community string: the login credential. Its characteristic default value is easily forgotten and left unchanged by the administrator.   # the community string can be brute-forced with a dictionary

MIB: the MIB tree

[SNMP enumeration]
onesixtyone 192.168.1.115 public

This can reveal hardware information. If little information comes back, the community string may have been changed; use the next command.

# dpkg -L onesixtyone      # lists the package's files, including its dictionary
onesixtyone -c dict.txt -i hosts -o my.log -w      # dictionary brute-force of the community string (-c dictionary, -i host list, -o log file, -w wait time between packets)
snmpwalk command

snmpwalk 192.168.1.115 -c public -v 2c
# returns far more information. -v selects the SNMP version; 2c is the widely used one   # can enumerate MIB OIDs and installed software

snmpwalk -c public -v 2c 1.1.1.1 1.3.6.1.4.1.77.1.2.25      # this OID queries the user accounts
snmpcheck -t 192.168.20.199
snmpcheck -t 192.168.20.199 -c private -v 2
snmpcheck -t 192.168.20.199 -w
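The weaknesses the SNMP section describes (a default community string such as public or private, a read-write community, and a community answered to any source address) are all visible in the agent's configuration, so an administrator can catch them before onesixtyone or snmpwalk does. The following audit script is an added example for this page, not part of the original post: it reads net-snmp's rocommunity/rwcommunity directives from an snmpd.conf and reports the weak settings, with a constructed weak configuration beside a constructed hardened one. The community string, source address and user name in the hardened text are invented placeholders.

```python
#!/usr/bin/env python3
"""Audit an snmpd.conf (net-snmp syntax) for default or guessable community
strings, writable communities and communities open to any source address.
Added example for this page; the two configuration texts are constructed."""

import re

# Well-known default community strings that dictionaries try first.
WEAK_COMMUNITIES = {"public", "private", "manager", "admin", "snmp"}

# net-snmp directive: rocommunity|rwcommunity[6] <string> [source] [OID]
COMMUNITY_RE = re.compile(
    r"^\s*(?P<kind>rocommunity|rwcommunity)6?\s+(?P<community>\S+)(?:\s+(?P<source>\S+))?"
)

WEAK_CONF = """\
# constructed weak configuration: both defaults, writable, reachable from anywhere
rocommunity public
rwcommunity private
"""

HARDENED_CONF = """\
# constructed hardened configuration (values are placeholders)
rocommunity Xq7-monitoring-2016 192.0.2.5
# no rwcommunity at all; writes only through SNMPv3 with authentication and privacy
rouser nms-poller authpriv
"""


def audit_snmpd_conf(text):
    """Return a list of (line_no, severity, message) findings for the config text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue  # comments, blank lines and non-community directives
        kind, community, source = m.group("kind"), m.group("community"), m.group("source")
        if kind == "rwcommunity":
            findings.append((no, "high",
                             "writable community '%s' (prefer an SNMPv3 rwuser with authPriv)" % community))
        if community.lower() in WEAK_COMMUNITIES:
            findings.append((no, "high", "default/guessable community string '%s'" % community))
        elif len(community) < 12:
            findings.append((no, "medium", "short community string '%s' is easy to brute-force" % community))
        # a missing source, or the keyword 'default', means any client address is accepted
        if source is None or source in ("default", "0.0.0.0/0"):
            findings.append((no, "medium",
                             "community '%s' answers any source address; restrict it to the NMS" % community))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("== %s ==" % name)
        for no, sev, msg in audit_snmpd_conf(conf) or [(0, "ok", "no findings")]:
            print("line %d [%s] %s" % (no, sev, msg))
```

The source-address check matters as much as the string itself: a long community string still travels in clear text in SNMPv1/v2c, so restricting which addresses the agent answers limits who can capture or replay it.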
6. Identify the perimeter firewall

So that it can be routed around and evaded.
Newbie Diary 11: Kali penetration testing, service scanning (banner grabbing, dmitry, the nmap signature database, operating system identification, SNMP)