Kali Linux Penetration Testing, Service Scanning (Part 3): Firewall Identification, Load Balancer Identification and WAF Identification

1. Firewall Identification

Firewall identification:

  • Map out the firewall's filtering rules, i.e. which ports it lets through, as stealthily as possible;
  • We do not want the firewall to notice our scanning, so the aim of scanning the firewall is to send probe packets, inspect the replies and work out which ports the firewall filters;
  • Firewall devices vary widely, so the results carry some margin of error;

The firewall's filtering rules can be judged from the four cases distinguished below:

(1) Implementing firewall identification with a Python script: firewall_detect.py

#!/usr/bin/python
# Author: 橘子女侠
# Time: 2019/04/15
# Determines whether a firewall filters a given TCP port by comparing the reply to a
# bare SYN probe with the reply to a bare ACK probe (note: the original version of
# this script had a small unresolved issue).

import sys
from scapy.all import IP, TCP, sr1

if len(sys.argv) != 3:
    print("This script needs 2 args!\nExample: ./firewall_detect.py 192.168.0.0 80")
    sys.exit(1)

ip = sys.argv[1]
port = int(sys.argv[2])

# One SYN probe and one unsolicited ACK probe; with timeout=1, "no reply" comes back as None.
SYN_response = sr1(IP(dst=ip) / TCP(flags="S", dport=port), timeout=1, verbose=0)
ACK_response = sr1(IP(dst=ip) / TCP(flags="A", dport=port), timeout=1, verbose=0)

# TCP flag value of the SYN reply: 0x12 = SYN/ACK (open), 0x14 = RST/ACK (closed).
syn_flags = None
if SYN_response is not None and SYN_response.haslayer(TCP):
    syn_flags = int(SYN_response[TCP].flags)

if SYN_response is None and ACK_response is None:
    print("1. Port is filtered or host is down!")
elif syn_flags in (0x12, 0x14) and ACK_response is None:
    # SYN answered but the unsolicited ACK was dropped: a stateful firewall sits in the path.
    print("2. Port is filtered!")
elif syn_flags == 0x12:
    print("Port is unfiltered and open")
elif syn_flags == 0x14:
    print("Port is unfiltered and closed")
else:
    print("4. Port is Closed!")

The results are as follows:

root@root:~# ./firewall_detect.py 192.168.37.128 25
Port is unfiltered and open
root@root:~# ./firewall_detect.py 192.168.37.128 80
Port is unfiltered and open
root@root:~# ./firewall_detect.py 192.168.37.128 9090
Port is unfiltered and closed

(2) Nmap

root@root:~# nmap 192.168.37.128 -p25    #by default nmap sends a SYN packet, i.e. -sS
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-15 15:43 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00032s latency).

PORT   STATE SERVICE
25/tcp open  smtp
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
root@root:~# nmap -sA 192.168.37.128 -p25
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-15 15:43 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00071s latency).

PORT   STATE      SERVICE
25/tcp unfiltered smtp
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
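As an added example (not code from the original post), the decision table behind the script and the two nmap scans above, written as pure functions that can be tested offline: each probe's reply is modelled as a string of TCP flags, "ICMP" or None (constructed inputs, not live packets). It also covers two situations the original script does not separate out, an ICMP destination-unreachable reply and a rule that drops only SYNs.

```python
from typing import Optional, Tuple

# Constructed reply model for one probe: the TCP flags of the answer ("SA", "RA", "R"),
# "ICMP" for an ICMP type 3 destination-unreachable error, or None for no reply at all.
Reply = Optional[str]

def syn_scan_state(reply: Reply) -> str:
    """What nmap -sS would report for the port from a single SYN probe."""
    if reply is None or reply == "ICMP":
        return "filtered"          # dropped, or rejected by a middlebox with ICMP
    flags = set(reply)
    if flags == {"S", "A"}:
        return "open"              # SYN/ACK: a listener completed step 2 of the handshake
    if "R" in flags:
        return "closed"            # RST(/ACK): the host answered, nothing listens there
    return "filtered"              # anything else is unexpected and treated as filtered

def ack_scan_state(reply: Reply) -> str:
    """What nmap -sA would report: an ACK scan only tells filtered from unfiltered."""
    if reply is None or reply == "ICMP":
        return "filtered"
    return "unfiltered" if "R" in set(reply) else "filtered"   # any RST: the ACK got through

def classify_port(syn_reply: Reply, ack_reply: Reply) -> Tuple[str, str, str]:
    """Combine both probes into the four cases firewall_detect.py distinguishes."""
    ss, sa = syn_scan_state(syn_reply), ack_scan_state(ack_reply)
    if ss == "filtered" and sa == "filtered":
        verdict = "1. filtered or host down"
    elif sa == "filtered":
        # SYN answered but the unsolicited ACK was dropped: a stateful firewall only
        # passes packets that belong to a connection whose SYN it has already seen.
        verdict = "2. filtered (stateful firewall in the path, port %s behind it)" % ss
    elif ss in ("open", "closed"):
        verdict = "3. unfiltered and %s" % ss
    else:
        # RST to the bare ACK but silence to the SYN: a stateless rule drops SYNs only,
        # so -sS shows "filtered" while -sA shows "unfiltered" for the same port.
        verdict = "4. SYN dropped but ACK answered (SYN-only filtering rule)"
    return ss, sa, verdict

if __name__ == "__main__":
    # Replies consistent with the sample runs above, as constructed input.
    for port, syn, ack in ((25, "SA", "R"), (80, "SA", "R"), (9090, "RA", "R")):
        print(port, classify_port(syn, ack))
```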

2. Load Balancer Identification

Load balancing is built on top of the existing network structure. It provides an inexpensive, effective and transparent way to expand the bandwidth of network devices and servers, increase throughput, strengthen network data-processing capacity, and improve network flexibility and availability.

Load balancing (Load Balance) means spreading work across multiple operating units, such as web servers, FTP servers, key enterprise application servers and other mission-critical servers, which then complete the task together.

By the geographic structure of its deployment, load balancing is divided into local load balancing (Local Load Balance) and global load balancing (Global Load Balance, also called geographic load balancing). Local load balancing balances load across a local server farm; global load balancing balances load across server farms placed in different geographic locations with different network structures.

At the DNS level: one domain name resolves to multiple IP addresses (intelligent DNS, DNS round robin);

For web services, application-layer load balancing with Nginx or Apache is commonly used;

(1) lbd

root@root:~# lbd www.sina.com

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (http://ge.mine.nu)
                                    Proof-of-concept! Might give false positives.

Checking for DNS-Loadbalancing: FOUND
www.sina.com has address 221.204.241.188

Checking for HTTP-Loadbalancing [Server]: 
 nginx
 NOT FOUND

Checking for HTTP-Loadbalancing [Date]: 08:08:08, 08:08:08, 08:08:08, 08:08:09, 08:08:09, 08:08:09, 08:08:09, 08:08:09, 08:08:09, 08:08:10, 08:08:10, 08:08:10, 08:08:10, 08:08:10, 08:08:10, 08:08:10, 08:08:10, 08:08:10, 08:08:11, 08:08:11, 08:08:11, 08:08:11, 08:08:11, 08:08:11, 08:08:11, 08:08:11, 08:08:12, 08:08:12, 08:08:12, 08:08:12, 08:08:12, 08:08:12, 08:08:12, 08:08:12, 08:08:13, 08:08:13, 08:08:13, 08:08:13, 08:08:13, 08:08:13, 08:08:13, 08:08:13, 08:08:13, 08:08:14, 08:08:14, 08:08:14, 08:08:14, 08:08:14, 08:08:14, 08:08:14, NOT FOUND

Checking for HTTP-Loadbalancing [Diff]: FOUND
< Age: 114
< Via: https/1.1 cnc.jinan.ha2ts4.50 (ApacheTrafficServer/6.2.1 [cRs f ]), https/1.1 cnc.zhengzhou.ha2ts4.201 (ApacheTrafficServer/6.2.1 [cRs f ])
< X-Via-Edge: 15553156949798e568b7bf4fb9e3d6b6784d0
< X-Cache: HIT.201
< X-Via-CDN: f=edge,s=cnc.zhengzhou.ha2ts4.197.nb.sinaedge.com,c=123.139.86.142;f=Edge,s=cnc.zhengzhou.ha2ts4.201,c=61.158.251.197
> Age: 115
> Via: https/1.1 cnc.jinan.ha2ts4.50 (ApacheTrafficServer/6.2.1 [cRs f ]), https/1.1 cnc.taiyuan.ha2ts4.167 (ApacheTrafficServer/6.2.1 [cRs f ])
> X-Via-Edge: 15553156950408e568b7bbcf1ccdd4ef143a3
> X-Cache: HIT.167
> X-Via-CDN: f=edge,s=cnc.taiyuan.ha2ts4.167.nb.sinaedge.com,c=123.139.86.142;f=Edge,s=cnc.taiyuan.ha2ts4.167,c=221.204.241.167

www.sina.com does Load-balancing. Found via Methods: DNS HTTP[Diff]

root@root:~# lbd mail.163.com

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (http://ge.mine.nu)
                                    Proof-of-concept! Might give false positives.

Checking for DNS-Loadbalancing: FOUND
mail163.ntes53.netease.com has address 123.125.50.28
mail163.ntes53.netease.com has address 123.125.50.7
mail163.ntes53.netease.com has address 123.125.50.26

Checking for HTTP-Loadbalancing [Server]: 
 nginx
 NOT FOUND

Checking for HTTP-Loadbalancing [Date]: 08:08:44, 08:08:44, 08:08:44, 08:08:45, 08:08:45, 08:08:45, 08:08:45, 08:08:45, 08:08:45, 08:08:46, 08:08:46, 08:08:46, 08:08:46, 08:08:46, 08:08:46, 08:08:46, 08:08:47, 08:08:47, 08:08:47, 08:08:47, 08:08:47, 08:08:47, 08:08:47, 08:08:48, 08:08:48, 08:08:48, 08:08:48, 08:08:48, 08:08:48, 08:08:48, 08:08:49, 08:08:49, 08:08:49, 08:08:49, 08:08:49, 08:08:49, 08:08:50, 08:08:50, 08:08:50, 08:08:50, 08:08:50, 08:08:50, 08:08:50, 08:08:51, 08:08:51, 08:08:51, 08:08:51, 08:08:51, 08:08:51, 08:08:52, NOT FOUND

Checking for HTTP-Loadbalancing [Diff]: NOT FOUND

mail.163.com does Load-balancing. Found via Methods: DNS
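As an added example (not lbd's own code), the four checks lbd runs in the output above, re-implemented over constructed sample data: the A records and the HH:MM:SS Date values are passed in as lists and each response as a dict of headers, so the detection logic can be followed without network access. The sample values are constructed and only shaped like the two runs above.

```python
from typing import Dict, List

# lbd's [Date] method: one server's clock never runs backwards, so a timestamp going back means another machine.
def date_loadbalancing(timestamps: List[str]) -> bool:
    secs = [int(h) * 3600 + int(m) * 60 + int(s)
            for h, m, s in (t.split(":") for t in timestamps)]
    return any(later < earlier for earlier, later in zip(secs, secs[1:]))

# lbd's DNS method: more than one distinct A record for the name means DNS round robin.
def dns_loadbalancing(addresses: List[str]) -> bool:
    return len(set(addresses)) > 1

# lbd's [Server] method: differing Server banners across repeated requests.
def server_loadbalancing(responses: List[Dict[str, str]]) -> bool:
    return len({r.get("Server", "") for r in responses}) > 1

# lbd's [Diff] method: headers other than Date whose value differs between requests (name -> values seen).
def header_diff_loadbalancing(responses: List[Dict[str, str]]) -> Dict[str, set]:
    seen: Dict[str, set] = {}
    for resp in responses:
        for name, value in resp.items():
            if name.lower() != "date":
                seen.setdefault(name, set()).add(value)
    return {h: v for h, v in seen.items() if len(v) > 1}

def detect(addresses: List[str], timestamps: List[str],
           responses: List[Dict[str, str]]) -> List[str]:
    """Methods that found load balancing, in the order lbd reports them."""
    found = []
    if dns_loadbalancing(addresses):
        found.append("DNS")
    if server_loadbalancing(responses):
        found.append("HTTP[Server]")
    if date_loadbalancing(timestamps):
        found.append("HTTP[Date]")
    if header_diff_loadbalancing(responses):
        found.append("HTTP[Diff]")
    return found

# Constructed samples: one address but replies from two CDN edge nodes; three addresses, identical replies.
CDN_REPLIES = [{"Server": "nginx", "Date": "08:08:08", "X-Cache": "HIT.201"},
               {"Server": "nginx", "Date": "08:08:09", "X-Cache": "HIT.167"}]
DNS_REPLIES = [{"Server": "nginx", "Date": "08:08:44"},
               {"Server": "nginx", "Date": "08:08:45"}]

if __name__ == "__main__":
    print(detect(["221.204.241.188"], ["08:08:08", "08:08:09"], CDN_REPLIES))
    print(detect(["123.125.50.28", "123.125.50.7", "123.125.50.26"], ["08:08:44", "08:08:45"], DNS_REPLIES))
```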

3. WAF Identification

WAF:

WAF (Web Application Firewall). In the internationally accepted definition, a web application firewall is a product that protects web applications specifically by enforcing a series of security policies on HTTP/HTTPS traffic.

(1) WAF identification with wafw00f

root@root:~# wafw00f -l         #list the WAFs that can be detected

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Can test for these WAFs:

Profense
NetContinuum
Incapsula WAF
CloudFlare
NSFocus
Safedog
Mission Control Application Shield
USP Secure Entry Server
Cisco ACE XML Gateway
Barracuda Application Firewall
Art of Defence HyperGuard
BinarySec
Teros WAF
F5 BIG-IP LTM
F5 BIG-IP APM
F5 BIG-IP ASM
F5 FirePass
F5 Trafficshield
InfoGuard Airlock
Citrix NetScaler
Trustwave ModSecurity
IBM Web Application Security
IBM DataPower
DenyALL WAF
Applicure dotDefender
Juniper WebApp Secure
Microsoft URLScan
Aqtronix WebKnight
eEye Digital Security SecureIIS
Imperva SecureSphere
Microsoft ISA Server
root@root:~# wafw00f http://www.baidu.com

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Checking http://www.baidu.com
Generic Detection results:
The site http://www.baidu.com seems to be behind a WAF or some sort of security solution
Reason: The server returned a different response code when a string trigged the blacklist.
Normal response code is "200", while the response code to an attack is "302"
Number of requests: 12

(2) WAF identification with nmap

root@root:~# nmap www.qq.com --script=http-waf-detect.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-15 16:16 CST
Nmap scan report for www.qq.com (125.39.52.26)
Host is up (0.088s latency).
Other addresses for www.qq.com (not scanned): 2402:4e00:8030:1::7d
rDNS record for 125.39.52.26: no-data
Not shown: 997 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
843/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 60.16 seconds


Reposted from blog.csdn.net/qq_38684504/article/details/89311651