Cloud Computing - Security Policy - Scanning and Packet Capture Analysis - Using NMAP to scan and obtain information about a specified host/subnet, and using tcpdump to analyze the cleartext exchanges in FTP access

3 Case 3: Scanning and Packet Capture Analysis
3.1 Problem

This case requires familiarity with the common security tools found on a Linux host, completing the following tasks:

Use NMAP scans to obtain information about a specified host/subnet
Use tcpdump to analyze the cleartext information exchanged during FTP access

3.2 Steps

Implementing this case requires the following steps.

Step 1: Use NMAP scans to obtain information about a specified host/subnet

1) Install the software

[root@svr5 ~]# yum -y install nmap
//Basic usage:
# nmap  [scan type]  [options]  <scan target ...>
//Common scan types
// -sS, TCP SYN scan (half-open)
// -sT, TCP connect scan (full-open)
// -sU, UDP scan
// -sP, ICMP (ping) scan
// -A, comprehensive analysis of the target system

2) Check which TCP services the target host has open

[root@svr5 ~]# nmap 192.168.4.100
Starting Nmap 5.51 ( http://nmap.org ) at 2018-05-17 17:55 CST
Nmap scan report for 192.168.4.100
Host is up (0.00028s latency).
Not shown: 990 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
443/tcp open  https
993/tcp open  imaps
995/tcp open  pop3s
MAC Address: 00:0C:29:74:BE:21 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds

3) Check which hosts in the 192.168.4.0/24 subnet have the FTP and SSH services open

[root@svr5 ~]# nmap -p 21-22 192.168.4.0/24
Starting Nmap 5.51 ( http://nmap.org ) at 2017-05-17 18:00 CST
Nmap scan report for 192.168.4.1
Host is up (0.000025s latency).
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
Nmap scan report for 192.168.4.7
Host is up.
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
Nmap scan report for 192.168.4.120
Host is up (0.00052s latency).
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
MAC Address: 00:0C:29:74:BE:21 (VMware)
Nmap scan report for pc110.tarena.com (192.168.4.110)
Host is up (0.00038s latency).
PORT   STATE  SERVICE
21/tcp closed ftp
22/tcp closed ssh
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 192.168.4.120
Host is up (0.00051s latency).
PORT   STATE  SERVICE
21/tcp closed ftp
22/tcp closed ssh
MAC Address: 00:0C:29:DB:84:46 (VMware)
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.88 seconds

4) Check which UDP services the target host has open

[root@svr5 ~]# nmap   -sU  svr7.tedu.cn                //-sU selects a UDP scan
53/udp   open          domain
111/udp  open          rpcbind

5) Check which hosts in the 192.168.4.0/24 subnet respond to ping

[root@svr5 ~]# nmap  -n  -sP  192.168.4.0/24
Starting Nmap 5.51 ( http://nmap.org ) at 2017-05-17 18:01 CST
Nmap scan report for 192.168.4.1
Host is up.
Nmap scan report for 192.168.4.7
Host is up.
Nmap scan report for 192.168.4.120
Host is up (0.00027s latency).
MAC Address: 00:0C:29:74:BE:21 (VMware)
Nmap scan report for 192.168.4.110
Host is up (0.00016s latency).
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 192.168.4.120
Host is up (0.00046s latency).
MAC Address: 00:0C:29:DB:84:46 (VMware)
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.57 seconds

6) Perform a full analysis of the operating system information of target hosts 192.168.4.100 and 192.168.4.5

[root@svr5 ~]# nmap -A 192.168.4.100,5
Starting Nmap 5.51 ( http://nmap.org ) at 2017-05-17 18:03 CST
Nmap scan report for 192.168.4.100                      //scan report for host mail
Host is up (0.0016s latency).
Not shown: 990 closed ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 2.2.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0            1719 Aug 17 13:33 UserB.pub
| -rw-r--r--    1 0        0             122 Aug 13 05:27 dl.txt
| drwxr-xr-x    2 14       0            4096 Aug 13 09:07 pub
| -rw-rw-r--    1 505      505           170 Aug 17 13:18 tools-1.2.3.tar.gz
|_-rw-rw-r--    1 505      505           287 Aug 17 13:22 tools-1.2.3.tar.gz.sig
22/tcp  open  ssh      OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 86:be:d6:89:c1:2d:d9:1f:57:2f:66:d1:af:a8:d3:c6 (DSA)
|_2048 16:0a:15:01:fa:bb:91:1d:cc:ab:68:17:58:f9:49:4f (RSA)
25/tcp  open  smtp     Postfix smtpd
80/tcp  open  http     Apache httpd 2.2.15 ((Red Hat))
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: 302 Found
|_Did not follow redirect to https://192.168.4.100//
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: USER CAPA UIDL TOP OK(K) RESP-CODES PIPELINING STLS SASL(PLAIN)
111/tcp open  rpcbind
MAC Address: 00:0C:29:74:BE:21 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.51%D=8/19%OT=21%CT=1%CU=34804%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM=52
OS:11ED90%P=x86_64-redhat-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O
OS:5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6
OS:=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)
Network Distance: 1 hop
Service Info: Host:  mail.tarena.com; OS: Unix
TRACEROUTE
HOP RTT     ADDRESS
1   1.55 ms 192.168.4.100
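
The scans above print one report per host, which is fine to read by eye for a handful of machines but not for a whole /24. The following POSIX shell example is added here and is not code from the original article: it reads nmap's normal output (the format printed above) and condenses it into an inventory of open ports per host, then filters for the hosts still exposing a given port such as 21/tcp. SAMPLE_SCAN is constructed text modelled on the step 3 output (with one extra host that has only SSH open), not a live scan, and the function names open_ports_by_host and hosts_exposing are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: condense nmap normal output into
# an inventory of open ports per host, the form a defender needs when checking which
# machines on a subnet expose a service such as FTP. Function names are this example's own.

# Constructed sample modelled on the article's "nmap -p 21-22 192.168.4.0/24" output;
# not a live scan. An extra host with only SSH open is included to exercise the filter.
SAMPLE_SCAN='Starting Nmap 5.51 ( http://nmap.org ) at 2017-05-17 18:00 CST
Nmap scan report for 192.168.4.1
Host is up (0.000025s latency).
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
Nmap scan report for 192.168.4.7
Host is up.
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
Nmap scan report for pc110.tarena.com (192.168.4.110)
Host is up (0.00038s latency).
PORT   STATE  SERVICE
21/tcp closed ftp
22/tcp closed ssh
Nmap scan report for 192.168.4.120
Host is up (0.00051s latency).
PORT   STATE  SERVICE
21/tcp closed ftp
22/tcp open   ssh
MAC Address: 00:0C:29:DB:84:46 (VMware)
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.88 seconds'

# open_ports_by_host: read nmap normal output on stdin and print one line per host
# that has at least one open port: "<host> <port/proto/service>,<port/proto/service>,..."
# Hosts whose ports are all closed or filtered are omitted; "filtered" is not "open".
open_ports_by_host() {
  awk '
    function emit() { if (host != "" && open != "") print host, open }
    /^Nmap scan report for / {
      emit()
      host = $5                                   # hostname or IP after "for"
      if ($6 ~ /^[(]/) host = substr($6, 2, length($6) - 2)   # prefer the IP in parentheses
      open = ""
      next
    }
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
      open = open (open == "" ? "" : ",") $1 "/" $3
      next
    }
    END { emit() }
  '
}

# hosts_exposing PORT/PROTO: from open_ports_by_host output, print only the hosts
# whose open list contains that port, e.g. hosts_exposing 21/tcp.
hosts_exposing() {
  awk -v want="$1" '
    { n = split($2, p, ",")
      for (i = 1; i <= n; i++) if (index(p[i], want "/") == 1) { print $1; break } }
  '
}

# Stand-alone run: the full inventory, then the hosts still offering cleartext FTP.
printf '%s\n' "$SAMPLE_SCAN" | open_ports_by_host
printf '%s\n' "$SAMPLE_SCAN" | open_ports_by_host | hosts_exposing 21/tcp
```

For a real run, replace the printf with `nmap -p 21-22 192.168.4.0/24 | open_ports_by_host`. `filtered` is deliberately not treated as open: it means something dropped the probe, not that the service answered. Findings such as the `ftp-anon: Anonymous FTP login allowed` line in the `-A` output above belong in the same inventory, since an FTP server that accepts anonymous logins is an exposure before any credentials are ever captured.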

     
     
Step 2: Use tcpdump to analyze the cleartext information exchanged during FTP access

1) Start capturing packets with the tcpdump command line

Run the tcpdump command line with suitable filter conditions so that only the traffic to port 21 of host 192.168.4.100 is captured, and convert it to readable ASCII text.

[root@svr5 ~]# tcpdump -A host 192.168.4.5 and tcp port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
.. ..                                            //now waiting to capture packets
//Monitoring options:
// -i, specify the network interface to monitor
// -A, convert to ASCII for easier reading
// -w, save the packet data to the specified file
// -r, read packet data from the specified file
//tcpdump filter conditions:
// Type: host, net, port, portrange
// Direction: src, dst
// Protocol: tcp, udp, ip, wlan, arp, ...
// Combining several conditions: and, or, not

2) Perform an FTP access and observe the tcpdump capture results

Referring to the earlier test procedure, access the vsftpd service on host 192.168.4.5 again from client 192.168.4.100. Then capture with tcpdump and examine the FTP connection setup closely, confirming the username and password that were collected.

[root@svr5 ~]# tcpdump  -A  -w  ftp.cap  \
> host 192.168.4.5  and  tcp  port  21                            //capture and save
[root@svr5 ~]# tcpdump  -A  -r  ftp.cap | egrep  '(USER|PASS)'    //analyze the packets
.. ..
18:47:25.964110 IP 192.168.4.100.novation > 192.168.4.100.ftp: Flags [S], seq 1201822818, win 65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
E..4..@[email protected].*..G.\b........;...............
18:47:25.964268 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [S.], seq 2284929633, ack 1201822819, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
E..4..@[email protected]...*.1BaG.\c..9.7...............
18:47:25.964436 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [.], ack 1, win 65535, length 0
E..(..@.@.. ...x...d.*..G.\c.1BbP.............
18:47:25.967592 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [P.], seq 1:21, ack 1, win 229, length 20
E..<FJ@[email protected]...*.1BbG.\cP...V...220 (vsFTPd 2.2.2)
18:47:26.117057 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [.], ack 21, win 65515, length 0
E..(..@[email protected].*..G.\c.1BvP.............
18:47:27.960530 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [P.], seq 1:14, ack 21, win 65515, length 13
E..5..@[email protected].*..G.\c.1BvP.......USER mickey
18:47:27.960544 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [.], ack 14, win 229, length 0
E..(FK@[email protected]...*.1BvG.\pP.............
18:47:27.960783 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [P.], seq 21:55, ack 14, win 229, length 34
E..JFL@[email protected]...*.1BvG.\pP...i~..331 Please specify the password.
18:47:28.085168 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [.], ack 55, win 65481, length 0
E..(..@[email protected].*..G.\p.1B.P.............
18:47:29.657364 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [P.], seq 14:27, ack 55, win 65481, length 13
E..5..@[email protected].*..G.\p.1B.P.......PASS pwd123
18:47:29.696968 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [.], ack 27, win 229, length 0
E..(FM@[email protected]...*.1B.G.\}P.............
18:47:29.702671 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [P.], seq 55:78, ack 27, win 229, length 23
E..?FN@[email protected]>...d...x...*.1B.G.\}P.......230 Login successful.
18:47:29.835258 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [.], ack 78, win 65458, length 0
E..(..@[email protected].*..G.\}.1B.P.............
18:47:31.716375 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [P.], seq 27:33, ack 78, win 65458, length 6
E.....@[email protected].*..G.\}.1B.P...    ...QUIT
18:47:31.716532 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [.], ack 33, win 229, length 0
E..(FO@[email protected]...*.1B.G.\.P....}........
18:47:31.716634 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [P.], seq 78:92, ack 33, win 229, length 14
E..6FP@[email protected]...*.1B.G.\.P.......221 Goodbye.
18:47:31.716677 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [F.], seq 92, ack 33, win 229, length 0
E..(FQ@[email protected]...*.1B.G.\.P....n........
18:47:31.717053 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [.], ack 93, win 65444, length 0
E..(..@[email protected].*..G.\..1B.P.............
18:47:31.718796 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [F.], seq 33, ack 93, win 65444, length 0
E..(..@[email protected].*..G.\..1B.P.............
18:47:31.719097 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [.], ack 34, win 229, length 0
E..(..@[email protected]...*.1B.G.\.P....m........
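
Grepping the capture for USER and PASS, as the second command does, shows the exposure; a monitoring job needs the same logic in a form that reports the login without re-exposing the secret. The following POSIX shell example is added here and is not code from the original article: it reads `tcpdump -A` text on standard input, pairs each packet header line with its payload line, and emits one event per USER command, PASS command and `230 Login successful` reply, with the password redacted. SAMPLE_CAPTURE is constructed text modelled on the capture above, not the page's bytes, and the function name ftp_cleartext_logins is this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: detect cleartext FTP logins in
# "tcpdump -A" text, reporting who logged in from where without echoing the password.
# This is what a monitoring job would run over a capture instead of reading it by eye.
# Function name and sample data are this example's own.

# Constructed sample modelled on the capture shown above: header lines as tcpdump
# prints them, each followed by its -A payload line (binary header bytes shown as dots).
SAMPLE_CAPTURE='18:47:25.967592 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [P.], seq 1:21, ack 1, win 229, length 20
E..<FJ@.@..........*.1BbG.\cP...V...220 (vsFTPd 2.2.2)
18:47:27.960530 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [P.], seq 1:14, ack 21, win 65515, length 13
E..5..@.@......x...d.*..G.\c.1BvP.......USER mickey
18:47:29.657364 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [P.], seq 14:27, ack 55, win 65481, length 13
E..5..@.@......x...d.*..G.\p.1B.P.......PASS pwd123
18:47:29.702671 IP 192.168.4.5.ftp > 192.168.4.100.novation: Flags [P.], seq 55:78, ack 27, win 229, length 23
E..?FN@.@..........*.1B.G.\}P.......230 Login successful.
18:47:31.716375 IP 192.168.4.100.novation > 192.168.4.5.ftp: Flags [P.], seq 27:33, ack 78, win 65458, length 6
E.....@.@......x...d.*..G.\}.1B.P.......QUIT'

# ftp_cleartext_logins: read "tcpdump -A" output on stdin; for every USER command,
# PASS command and "230 Login successful" reply print a one-line event carrying the
# timestamp and both endpoints. The password itself is never printed.
ftp_cleartext_logins() {
  awk '
    # Header line: "<ts> IP <src> > <dst>: Flags ..."; remember the flow for the payload.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / {
      ts = $1; src = $3; dst = $5; sub(/:$/, "", dst)
      next
    }
    # Payload line: the readable ASCII tail follows the binary header bytes.
    match($0, /USER [^ ]+/) {
      user = substr($0, RSTART + 5, RLENGTH - 5)
      print ts " USER " user " from " src " to " dst
      next
    }
    match($0, /PASS [^ ]+/) {
      print ts " PASS <redacted> from " src " to " dst
      next
    }
    index($0, "230 Login successful") {
      # The 230 reply travels server -> client, so src here is the server.
      print ts " LOGIN-OK user=" user " server=" src " client=" dst
    }
  '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | ftp_cleartext_logins
```

On a real file run `tcpdump -A -r ftp.cap | ftp_cleartext_logins`. Two points on the commands above: `-w` writes raw packets, so the `-A` in the first command has no effect; it is the `-A` on the `-r` read that produces the text this parser expects. And the finding is the lesson of the step: FTP sends USER and PASS in the clear, so anyone able to capture on the path reads them exactly as shown, and the remedy is FTPS (FTP over TLS) or SFTP over SSH rather than plain FTP.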

     
     
Reposted from blog.csdn.net/weixin_46575696/article/details/105040672