Kali Linux渗透测试之服务扫描（一）——Banner、服务识别、操作系统识别

服务扫描：

不能简单的通过端口号来识别服务，目标系统开放80端口不一定开放着http服务，要通过对目标系统进行服务扫描，来识别开放的端口后面到底是什么服务，运行什么样的应用；

1. 服务扫描——Banner（简单但不准确）

• 通过连接服务器的端口，使其返回的banner信息，可能查不到，也可能是管理员伪造的；
• 通过软件开发商，软件名称，服务类型，版本号(直接发现已知的漏洞和弱点)；
• 对于Banner信息的捕获，需要建立完整的TCP连接；
• 另类服务识别方法：1. 特征行为和响应字段； 2.  不同的响应可用于识别底层操作系统；

（1）nc

root@root:~# nc -nv 192.168.37.128 25
(UNKNOWN) [192.168.37.128] 25 (smtp) open
220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
root@root:~# nc -nv 192.168.37.128 80
(UNKNOWN) [192.168.37.128] 80 (http) open
get
HTTP/1.1 400 Bad Request
Date: Sun, 14 Apr 2019 05:32:15 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
root@root:~# python
Python 2.7.14+ (default, Mar 13 2018, 15:23:44) 
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
>>> banner.connect(("192.168.37.128",25))
>>> banner.recv(4096)
'220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n'
>>> banner.close()
>>> exit()

 （2）socket——用于连接网络服务

root@root:~# python
Python 2.7.14+ (default, Mar 13 2018, 15:23:44) 
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket       #导入socket模块
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM)  #SOCK_STREAM表示为TCP连接<
>>> banner.connect(("192.168.37.128",25))    #连接的IP地址和端口
>>> banner.recv(4096)                        #接收返回包大小
'220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n' #获取到的Banner信息
>>> banner.close()            #关闭连接
>>> exit()

在很多情况下，系统的banner信息不允许抓取，recv函数无返回将会被挂起；针对这个问题，写如下脚本进行处理：

#!/usr/bin/python 
# -*- coding: utf-8 -*-
#Author：橘子女侠
#Time：2019/04/14
#该脚本用于实现Banner信息的扫描，如果Banner信息不能获取，则pass

import socket 
import select 
import sys 
if len( sys.argv ) !=4:
	print "Usage - ./banner_grab.py [Target.IP] [First Port] [Last Port]" 		
	print "Example - ./banner_grab.py 1.1.1.1 1 100" 
	sys.exit()

ip = sys.argv[1] 
start = int(sys.argv[2]) 
end = int(sys.argv[3]) 
for port in range(start,end):
	try: 
		bangrab=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
		bangrab.connect((ip,port))
		ready=select.select([bangrab],[],[],1) #连接间隔时间1秒 
		if ready[0]: 
			print "TCP Port " + str(port) + "." +bangrab.recv(4096) 
			bangrab.close() 
	except: 
		pass

结果如下：

root@root:~# chmod +x ./banner.py
root@root:~# ./banner.py 192.168.37.128 1 200
TCP Port 25.220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready

TCP Port 110.+OK WIN-N7TAB1239LM.st13.com Winmail Mail Server POP3 ready

TCP Port 143.* OK IMAP4 ready! WIN-N7TAB1239LM.st13.com Winmail Mail Server MagicWinmail Extend IMAP 102

（3） dmitry

root@root:~# dmitry -pb 192.168.37.128
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:192.168.37.128
HostName:bogon

Gathered TCP Port information for 192.168.37.128
---------------------------------

 Port		State

25/tcp		open
>> 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready

53/tcp		open

Portscan Finished: Scanned 150 ports, 147 ports were in state closed


All scans completed, exiting

 （4）nmap

使用nmap自带的脚本（/usr/share/nmap/scripts/）

root@root:~# nmap -sT 192.168.37.128 -p 25 --script=banner.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 14:40 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00046s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_banner: 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds
root@root:~# nmap -sT 192.168.37.128 -p 1-100 --script=banner.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 14:41 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00065s latency).
Not shown: 96 closed ports
PORT   STATE SERVICE
25/tcp open  smtp
|_banner: 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
53/tcp open  domain
80/tcp open  http
88/tcp open  kerberos-sec
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.47 seconds

 （5）amap

root@root:~# amap -B 192.168.37.128 25
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:44:33 - BANNER mode

Banner on 192.168.37.128:25/tcp : 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n

amap v5.4 finished at 2019-04-14 14:44:33
root@root:~# amap -B 192.168.37.128 1-100
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:44:52 - BANNER mode

Banner on 192.168.37.128:25/tcp : 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n

amap v5.4 finished at 2019-04-14 14:45:03

2.  服务扫描——服务识别

• Banner信息抓取能力有限；
• 需要借助于另类服务和识别方法进行进一步和准确性的判断；

（1）Nmap（开放端口对应的服务和版本）

root@root:~# nmap 192.168.37.128 -p 1-100 -sV  #经常使用
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 14:47 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00036s latency).
Not shown: 96 closed ports
PORT   STATE SERVICE      VERSION
25/tcp open  smtp         Winmail smtpd
53/tcp open  domain       Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)
80/tcp open  http         Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
88/tcp open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-04-14 06:47:51Z)
MAC Address: 00:0C:29:3B:24:57 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.71 seconds

（2）Amap

• -q：显示清晰；
• -b：显示详细信息；

root@root:~# amap 192.168.37.128 1-100
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:49:24 - APPLICATION MAPPING mode

Protocol on 192.168.37.128:25/tcp matches smtp
Protocol on 192.168.37.128:80/tcp matches http
Protocol on 192.168.37.128:80/tcp matches http-apache-2
Protocol on 192.168.37.128:25/tcp matches nntp
Protocol on 192.168.37.128:88/tcp matches mysql

Unidentified ports: 192.168.37.128:1/tcp 192.168.37.128:2/tcp 192.168.37.128:3/tcp 192.168.37.128:4/tcp 192.168.37.128:5/tcp 192.168.37.128:6/tcp 192.168.37.128:7/tcp 192.168.37.128:8/tcp 192.168.37.128:9/tcp 192.168.37.128:10/tcp 192.168.37.128:11/tcp 192.168.37.128:12/tcp 192.168.37.128:13/tcp 192.168.37.128:14/tcp 192.168.37.128:15/tcp 192.168.37.128:16/tcp 192.168.37.128:17/tcp 192.168.37.128:18/tcp 192.168.37.128:19/tcp 192.168.37.128:20/tcp 192.168.37.128:21/tcp 192.168.37.128:22/tcp 192.168.37.128:23/tcp 192.168.37.128:24/tcp 192.168.37.128:26/tcp 192.168.37.128:27/tcp 192.168.37.128:28/tcp 192.168.37.128:29/tcp 192.168.37.128:30/tcp 192.168.37.128:31/tcp 192.168.37.128:32/tcp 192.168.37.128:33/tcp 192.168.37.128:34/tcp 192.168.37.128:35/tcp 192.168.37.128:36/tcp 192.168.37.128:37/tcp 192.168.37.128:38/tcp 192.168.37.128:39/tcp 192.168.37.128:40/tcp 192.168.37.128:41/tcp 192.168.37.128:42/tcp 192.168.37.128:43/tcp 192.168.37.128:44/tcp 192.168.37.128:45/tcp 192.168.37.128:46/tcp 192.168.37.128:47/tcp 192.168.37.128:48/tcp 192.168.37.128:49/tcp 192.168.37.128:50/tcp 192.168.37.128:51/tcp 192.168.37.128:52/tcp 192.168.37.128:53/tcp 192.168.37.128:54/tcp 192.168.37.128:55/tcp 192.168.37.128:56/tcp 192.168.37.128:57/tcp 192.168.37.128:58/tcp 192.168.37.128:59/tcp 192.168.37.128:60/tcp 192.168.37.128:61/tcp 192.168.37.128:62/tcp 192.168.37.128:63/tcp 192.168.37.128:64/tcp 192.168.37.128:65/tcp 192.168.37.128:66/tcp 192.168.37.128:67/tcp 192.168.37.128:68/tcp 192.168.37.128:69/tcp 192.168.37.128:70/tcp 192.168.37.128:71/tcp 192.168.37.128:72/tcp 192.168.37.128:73/tcp 192.168.37.128:74/tcp 192.168.37.128:75/tcp 192.168.37.128:76/tcp 192.168.37.128:77/tcp 192.168.37.128:78/tcp 192.168.37.128:79/tcp 192.168.37.128:81/tcp 192.168.37.128:82/tcp 192.168.37.128:83/tcp 192.168.37.128:84/tcp 192.168.37.128:85/tcp 192.168.37.128:86/tcp 192.168.37.128:87/tcp 192.168.37.128:89/tcp 192.168.37.128:90/tcp 192.168.37.128:91/tcp 192.168.37.128:92/tcp 192.168.37.128:93/tcp 192.168.37.128:94/tcp 192.168.37.128:95/tcp 192.168.37.128:96/tcp 192.168.37.128:97/tcp 192.168.37.128:98/tcp 192.168.37.128:99/tcp 192.168.37.128:100/tcp (total 97). 	[Note: the -q option suppresses this listing]

amap v5.4 finished at 2019-04-14 14:49:37
root@root:~# amap 192.168.37.128 1-100 -q
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:49:44 - APPLICATION MAPPING mode

Protocol on 192.168.37.128:25/tcp matches smtp
Protocol on 192.168.37.128:80/tcp matches http
Protocol on 192.168.37.128:80/tcp matches http-apache-2
Protocol on 192.168.37.128:88/tcp matches mysql
Protocol on 192.168.37.128:25/tcp matches nntp

amap v5.4 finished at 2019-04-14 14:49:56
root@root:~# amap 192.168.37.128 1-100 -qb
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:49:59 - APPLICATION MAPPING mode

Protocol on 192.168.37.128:25/tcp matches nntp - banner: 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n502 unimplemented\r\n
Protocol on 192.168.37.128:25/tcp matches smtp - banner: 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n502 unimplemented\r\n
Protocol on 192.168.37.128:80/tcp matches http - banner: HTTP/1.1 200 OK\r\nDate Sun, 14 Apr 2019 065001 GMT\r\nServer Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45\r\nX-Powered-By PHP/5.4.45\r\nContent-Length 11\r\nConnection close\r\nContent-Type text/html\r\n\r\nHello World
Protocol on 192.168.37.128:80/tcp matches http-apache-2 - banner: HTTP/1.1 200 OK\r\nDate Sun, 14 Apr 2019 065001 GMT\r\nServer Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45\r\nX-Powered-By PHP/5.4.45\r\nContent-Length 11\r\nConnection close\r\nContent-Type text/html\r\n\r\nHello World
Protocol on 192.168.37.128:88/tcp matches mysql - banner: 

amap v5.4 finished at 2019-04-14 14:50:11

3. 操作系统识别

• 对操作系统的识别，可以判断出目标主机的操作系统类型，操作系统版本；
• 针对不同的操作系统的版本，我们可以版本了解到系统默认会开放哪些服务；或者老版本操作系统自身的漏洞等；

（1）scapy（根据TTL值简单判断操作系统的类型）

root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> win="192.168.37.128"
>>> linux="192.168.37.143"
>>> aw=sr1(IP(dst=win)/ICMP())
Begin emission:
..*Finished to send 1 packets.

Received 3 packets, got 1 answers, remaining 0 packets
>>> aw.display()
###[ IP ]### 
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 28
  id= 1213
  flags= 
  frag= 0L
  ttl= 128
  proto= icmp
  chksum= 0x69d0
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ ICMP ]### 
     type= echo-reply
     code= 0
     chksum= 0xffff
     id= 0x0
     seq= 0x0
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

>>> al=sr1(IP(dst=linux)/ICMP())
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> al.display()
###[ IP ]### 
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 28
  id= 31514
  flags= 
  frag= 0L
  ttl= 64
  proto= icmp
  chksum= 0x3364
  src= 192.168.37.143
  dst= 192.168.37.131
  \options\
###[ ICMP ]### 
     type= echo-reply
     code= 0
     chksum= 0xffff
     id= 0x0
     seq= 0x0
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

使用脚本的方式：ttl_os.py

#!/usr/bin/python
#Author：橘子女侠
#该脚本用于通过TTL值的大小，简单的判断目标主机操作系统的类型
from scapy.all import *
import sys 
if len( sys.argv ) !=2:
	print "Usage - ./ttl_os.py [IP adress]" 
	print "Example - ./ttl_os.py 1.1.1.1" 
	sys.exit() 

ip = sys.argv[1] 
ans = sr1(IP(dst=str(ip))/ICMP(),timeout=1,verbose=0) 
if ans == None: 
	print "No response was returned" 
elif int(ans[IP].ttl)<=64: 
	print "Host is Linux/Unix" 
else: 
	print "Host is Windows"

root@root:~# vim ttl_os.py
root@root:~# chmod +x ttl_os.py 
root@root:~# ./ttl_os.py 192.168.37.128
Host is Windows
root@root:~# ./ttl_os.py 192.168.37.143
Host is Linux/Unix

（2）Nmap

• -O：识别操作系统的类型

root@root:~# nmap -O 192.168.37.128      #扫描Windows
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 18:02 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00074s latency).
Not shown: 973 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
465/tcp   open  smtps
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
993/tcp   open  imaps
995/tcp   open  pop3s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3306/tcp  open  mysql
6000/tcp  open  X11
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
49167/tcp open  unknown
MAC Address: 00:0C:29:3B:24:57 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
root@root:~# nmap -O 192.168.37.143      #扫描Linux
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 18:04 CST
Nmap scan report for bogon (192.168.37.143)
Host is up (0.0016s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:EF:E0:1D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.21 seconds

（3）Xprobe2（专门用于识别操作系统，但不是很准确）

oot@root:~# xprobe2 192.168.37.128

Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]

[+] Target is 192.168.37.128
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.37.128. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.37.128. Module test failed
[-] No distance calculation. 192.168.37.128 appears to be dead or no ports known
[+] Host: 192.168.37.128 is up (Guess probability: 50%)
[+] Target: 192.168.37.128 is alive. Round-Trip Time: 0.52607 sec
[+] Selected safe Round-Trip Time value is: 1.05214 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.37.128 Running OS:  (Guess probability: 88%)
[+] Other guesses:
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS:  (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: ��3G�U (Guess probability: 88%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
root@root:~# xprobe2 192.168.37.143

Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]

[+] Target is 192.168.37.143
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.37.143. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.37.143. Module test failed
[-] No distance calculation. 192.168.37.143 appears to be dead or no ports known
[+] Host: 192.168.37.143 is up (Guess probability: 50%)
[+] Target: 192.168.37.143 is alive. Round-Trip Time: 0.50384 sec
[+] Selected safe Round-Trip Time value is: 1.00768 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

（4） 被动操作系统识别

• 主动扫描：通过向目标系统发包，通过返回的信息，判断目标操操作系统的类型；
• 被动扫描：不主动的向目标系统发包，基于一种网络抓包，监听的工作原理来进行识别目标操作系统；

root@root:~# p0f
--- p0f 3.09b by Michal Zalewski <[email protected]> ---

[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.

.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn) ]-
|
| client   = 192.168.37.131/38136
| os       = Linux 3.11 and newer
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----

.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (mtu) ]-
|
| client   = 192.168.37.131/38136
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn+ack) ]-
|
| server   = 96.17.15.27/80
| os       = ???
| dist     = 0
| params   = none
| raw_sig  = 4:128+0:0:1460:mss*44,0:mss::0
|
`----

.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (mtu) ]-
|
| server   = 96.17.15.27/80
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (http request) ]-
|
| client   = 192.168.37.131/38136
| app      = Safari 5.1-6
| lang     = English
| params   = dishonest
| raw_sig  = 1:Host,User-Agent,Accept=[*/*],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],?Cache-Control,Pragma=[no-cache],Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
|
`----

.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (http response) ]-
|
| server   = 96.17.15.27/80
| app      = ???
| lang     = none
| params   = none
| raw_sig  = 1:Content-Type,?Content-Length,?Last-Modified,?ETag,Accept-Ranges=[bytes],Server,X-Amz-Cf-Id=[kUgYdtbDIrNX_jkcyy6MvN4hq0Cy_EscpxcYwco2FM-wif_8vyNkzA==],?Cache-Control,Date,Connection=[keep-alive]:Keep-Alive:AmazonS3
|
`----

^C[!] WARNING: User-initiated shutdown.

All done. Processed 15 packets.
root@root:~# uname -a
Linux root 4.15.0-kali2-amd64 #1 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux