We cannot identify the application running on a port from the port number alone, so we identify it through service scanning, and can then look specifically for exploit code, vulnerabilities and exploitation methods that apply to it. Besides explaining how to identify the service behind a port, this post also explains how to identify the target operating system. The services bundled with different operating systems carry vulnerabilities of their own, so we can use those weaknesses to obtain administrative control of the target system directly, or obtain a user-level foothold, escalate privileges locally from there to administrator, and continue the penetration test from that position.
How do we identify the application and the operating system version?
- Banner grabbing
- Service identification
- Operating system identification
- SNMP analysis (probes and searches using the system's internal information, so its accuracy is relatively high)
- Firewall identification (identifying the type and filtering rules of the perimeter firewall in order to bypass and evade it)
I. Service scanning: banners (low accuracy)
- Obtains the vendor, software name, service type and version number (which may directly reveal known vulnerabilities and weaknesses)
- Banner information can only be obtained after a full connection has been established; only then can the application on the port be identified more accurately.
- Banners are not especially accurate, so they have to be combined with another identification method: characteristic behaviour and response fields. Different operating systems respond differently to the same request, so the differing responses can be used to identify the underlying operating system.
- Connecting to a server port makes it return its banner; the result may be empty, or it may have been forged by the administrator.
1. nc
nc -nv 192.168.24.129 80
root@kali:~# nc -nv 192.168.247.129 80
(UNKNOWN) [192.168.247.129] 80 (http) open
get
HTTP/1.1 400 Bad Request
Date: Wed, 24 Apr 2019 14:48:54 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
2. socket: used to connect to network services
root@kali:~# python
Python 2.7.14+ (default, Mar 13 2018, 15:23:44)
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
>>> banner.connect(("192.168.247.129",80))  # establish the connection
>>> banner.recv(1024)  # receive data
''
>>> banner.close()  # close the connection
>>> exit()
Some applications do not allow their banner to be grabbed: recv() returns nothing and blocks, so the program has to handle this case. The following script deals with that problem:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This script scans for banner information; ports whose banner cannot be read are skipped.
import socket
import select  # select() monitors several file descriptors at once
import sys

if len(sys.argv) != 4:
    print("Usage - ./banner_grab.py [Target.IP] [First Port] [Last Port]")
    print("Example - ./banner_grab.py 1.1.1.1 1 100")
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):  # include the last port given on the command line
    bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # TCP connection
    try:
        bangrab.connect((ip, port))
        ready = select.select([bangrab], [], [], 1)  # wait at most 1 second for data
        if ready[0]:  # ready[0] is non-empty only when recv() will not block
            print("TCP Port " + str(port) + "." + bangrab.recv(2048).decode(errors="replace"))
    except OSError:
        pass  # closed port, refused or reset connection: move on to the next port
    finally:
        bangrab.close()  # close every connection so the scan does not pile up open sockets and degrade network and host performance
root@kali:~# chmod +x banner.py
root@kali:~# ./banner.py 192.168.247.129 1 200  # the target host has joined a domain
TCP Port 25.220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
TCP Port 110.+OK WIN-N7TAB1239LM.st13.com Winmail Mail Server POP3 ready
TCP Port 143.* OK IMAP4 ready! WIN-N7TAB1239LM.st13.com Winmail Mail Server MagicWinmail Extend IMAP 102
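The empty string that recv() returned on port 80 in the interactive session above, and the hang that banner_grab.py avoids with select(), have the same cause: an HTTP server says nothing until the client speaks, whereas SMTP, POP3 and IMAP send their greeting first. The following is an added example, not code from the original post: it grabs the banner under a socket timeout and, when the service stays silent, sends a minimal HTTP HEAD request so that the Server header can still be read. So that it runs offline it starts two throw-away servers on 127.0.0.1 with constructed banners; the hostnames, the banners and HTTP_PROBE are assumptions.

```python
import socket
import threading

# Constructed banners served by the local throw-away servers below (not real hosts).
FAKE_SMTP_BANNER = b"220 mail.example.test ESMTP ready\r\n"
FAKE_HTTP_RESPONSE = (b"HTTP/1.1 400 Bad Request\r\n"
                      b"Server: Apache/2.4.23 (Win32)\r\n"
                      b"Connection: close\r\n\r\n")

# Minimal probe used only when the service stays silent. Assumption: the silent
# service is client-first HTTP; a binary protocol would need a different probe.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def grab_banner(host, port, timeout=2.0, probe=HTTP_PROBE):
    """Return (banner_text, probed). Server-first services (SMTP, POP3, IMAP,
    SSH) volunteer a greeting; client-first ones (HTTP) answer only after a
    request. The socket timeout replaces the select() call of banner_grab.py,
    so recv() can never hang the scan."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(2048)
        except socket.timeout:
            data = None  # silent service: fall through to the probe
        if data is not None:
            # b"" here means the peer closed without saying anything
            return data.decode("utf-8", "replace").strip(), False
        s.sendall(probe)
        chunks = []
        try:
            while True:
                chunk = s.recv(2048)
                if not chunk:  # peer closed: response complete
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # peer kept the connection open; use what arrived
        return b"".join(chunks).decode("utf-8", "replace").strip(), True


def first_line(banner):
    """The first line is the part a scanner reports (status line or greeting)."""
    return banner.splitlines()[0] if banner else ""


def _serve_once(server_first, payload):
    """Start a one-shot TCP server on 127.0.0.1 that either speaks first
    (SMTP-style) or waits for a request before answering (HTTP-style).
    Returns the port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            if not server_first:
                conn.settimeout(5)
                conn.recv(1024)  # wait for the client's probe
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def demo():
    """Grab from both constructed servers; returns ((smtp_banner, probed), (http_banner, probed))."""
    smtp_port = _serve_once(True, FAKE_SMTP_BANNER)
    http_port = _serve_once(False, FAKE_HTTP_RESPONSE)
    smtp = grab_banner("127.0.0.1", smtp_port, timeout=1.0)
    http = grab_banner("127.0.0.1", http_port, timeout=1.0)
    return smtp, http


if __name__ == "__main__":
    for name, (banner, probed) in zip(("smtp", "http"), demo()):
        print(name, "probed" if probed else "volunteered", first_line(banner))
```

Run as is it prints one line per server. Against a real host the probe choice matters: a fallback probe tuned for HTTP will not coax anything out of a binary protocol, which is exactly why nmap -sV carries many probes. From the defender's side the script is a quick check that only the intended information leaves each port: the Server line returned in the HTTP case is the same line an attacker's scan reads.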
3. dmitry
- dmitry -p 192.168.247.129  # -p: scan TCP ports
- dmitry -pb 192.168.247.129  # -b: grab the banner from each port found by the scan
root@kali:~# dmitry -pb 192.168.247.129
Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:192.168.247.129
HostName:bogon
Gathered TCP Port information for 192.168.247.129
---------------------------------
Port State
80/tcp open  # no banner information obtained
Portscan Finished: Scanned 150 ports, 148 ports were in state closed
All scans completed, exiting
4. nmap
nmap ships with a large number of scripts; on the Kali test machine they can all be found under /usr/share/nmap/scripts/.
- nmap -sT -p 80 192.168.247.129 --script=banner.nse
- nmap -sT -p 1-200 192.168.247.129 --script=banner.nse
root@kali:~# nmap -sT -p 1-200 192.168.247.129 --script=banner.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 23:20 CST
Nmap scan report for bogon (192.168.247.129)
Host is up (0.0014s latency).
Not shown: 197 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
MAC Address: 00:0C:29:8F:74:74 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 15.37 seconds
5. amap
- amap -B 192.168.247.129 1-100
- amap -B 192.168.247.129 25
root@kali:~# amap -B 192.168.247.129 1-100
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-24 23:27:25 - BANNER mode
Banner on 192.168.247.129:25/tcp : 220 chengqia-852040 Microsoft ESMTP MAIL Service, Version 6.0.3790.3959 ready at Wed, 24 Apr 2019 232723 +0800 \r\n
amap v5.4 finished at 2019-04-24 23:27:25
Banner grabbing is fairly limited. To determine more completely what application is running on a port we have to rely on a tool as capable as nmap, which identifies services by analysing response characteristics; service identification is introduced next.
II. Service scanning: service identification
1. nmap (high accuracy and reliability)
nmap identifies services by analysing response characteristics:
- it sends a series of complex probes
- it matches the responses against signatures
- nc -nv 1.1.1.1 80
- nmap 1.1.1.1 -p 80 -sV  # -sV: determine the service behind the port by fingerprint matching
root@kali:~# nmap 192.168.247.129 -p 1-100 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 23:30 CST
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00015s latency).
Not shown: 98 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 6.0.3790.3959
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
MAC Address: 00:0C:29:8F:74:74 (VMware)
Service Info: Host: chengqia-852040; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.73 seconds
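To make the signature idea concrete, here is an added example that is not part of the original post and is not nmap's own probe database: a handful of hand-written signatures in the spirit of nmap-service-probes, matched against responses constructed from the banners shown earlier in this post. The port numbers follow the scans above, while the patterns, the payload on port 8099 and the Match layout are assumptions made for the example.

```python
import re
from typing import NamedTuple, Optional


class Match(NamedTuple):
    service: str
    product: str
    version: str


# Illustrative signatures written for this example: a service label plus a
# regex whose groups capture product and version. Ordered most specific
# first, as nmap does; these are not nmap's own patterns.
SIGNATURES = [
    ("smtp", re.compile(rb"^220 \S+ (Microsoft ESMTP) MAIL Service, Version ([\d.]+)")),
    ("smtp", re.compile(rb"^220 \S+ (Winmail Mail Server) ESMTP")),
    ("smtp", re.compile(rb"^220 ")),                       # any SMTP greeting, product unknown
    ("pop3", re.compile(rb"^\+OK \S+ (Winmail Mail Server) POP3")),
    ("imap", re.compile(rb"^\* OK IMAP4 ready! \S+ (Winmail Mail Server)")),
    ("ssh",  re.compile(rb"^SSH-2\.0-(OpenSSH)_([\w.]+)")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} .*?\r\nServer: (Apache)/([\d.]+)", re.S)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} ", re.S)),  # HTTP with no recognisable Server header
]


def match_signature(response: bytes) -> Optional[Match]:
    """Return the first signature that matches the start of the response, or None."""
    for service, pattern in SIGNATURES:
        m = pattern.match(response)
        if m:
            groups = [g.decode("utf-8", "replace") for g in m.groups()]
            groups += [""] * (2 - len(groups))  # pad missing product/version with ""
            return Match(service, groups[0], groups[1])
    return None


# Responses constructed from the banners printed earlier in this post (colons
# restored in the HTTP headers); the payload for port 8099 is made up.
SAMPLES = {
    25: b"220 chengqia-852040 Microsoft ESMTP MAIL Service, Version 6.0.3790.3959 ready at Wed, 24 Apr 2019 23:27:23 +0800\r\n",
    80: b"HTTP/1.1 200 OK\r\nDate: Wed, 24 Apr 2019 15:34:10 GMT\r\nServer: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45\r\nContent-Length: 11\r\n\r\nHello World",
    110: b"+OK WIN-N7TAB1239LM.st13.com Winmail Mail Server POP3 ready\r\n",
    143: b"* OK IMAP4 ready! WIN-N7TAB1239LM.st13.com Winmail Mail Server MagicWinmail Extend IMAP 102\r\n",
    8099: b"\x00\x01\x02unknown binary protocol",
}


def identify(samples):
    """Map each port to its Match (or None), like the VERSION column of nmap -sV."""
    return {port: match_signature(resp) for port, resp in samples.items()}


if __name__ == "__main__":
    for port, m in sorted(identify(SAMPLES).items()):
        label = (m.product + " " + m.version).strip() if m else ""
        print(f"{port}/tcp", m.service if m else "unknown", label)
```

nmap's real engine sends a null probe first, then protocol-specific probes, and applies thousands of patterns ordered by rarity; only the mechanism is shown here. The match is only as good as the response it sees: a server whose Server header has been trimmed lands on the generic http entry with an empty version, which is the outcome a hardening guide aims for.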
2. amap
- amap 192.168.247.129 1-100
- amap 192.168.247.129 1-100 -qb  # the default output is cluttered; -q prints the results cleanly and -b shows the banner details
root@kali:~# amap 192.168.247.129 1-100
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-24 23:31:36 - APPLICATION MAPPING mode
Protocol on 192.168.247.129:25/tcp matches smtp
Protocol on 192.168.247.129:80/tcp matches http
Protocol on 192.168.247.129:80/tcp matches http-apache-2
Unidentified ports: 192.168.247.129:1/tcp 192.168.247.129:2/tcp 192.168.247.129:3/tcp 192.168.247.129:4/tcp 192.168.247.129:5/tcp 192.168.247.129:6/tcp 192.168.247.129:7/tcp 192.168.247.129:8/tcp 192.168.247.129:9/tcp 192.168.247.129:10/tcp 192.168.247.129:11/tcp 192.168.247.129:12/tcp 192.168.247.129:13/tcp 192.168.247.129:14/tcp 192.168.247.129:15/tcp 192.168.247.129:16/tcp 192.168.247.129:17/tcp 192.168.247.129:18/tcp 192.168.247.129:19/tcp 192.168.247.129:20/tcp 192.168.247.129:21/tcp 192.168.247.129:22/tcp 192.168.247.129:23/tcp 192.168.247.129:24/tcp 192.168.247.129:26/tcp 192.168.247.129:27/tcp 192.168.247.129:28/tcp 192.168.247.129:29/tcp 192.168.247.129:30/tcp 192.168.247.129:31/tcp 192.168.247.129:32/tcp 192.168.247.129:33/tcp 192.168.247.129:34/tcp 192.168.247.129:35/tcp 192.168.247.129:36/tcp 192.168.247.129:37/tcp 192.168.247.129:38/tcp 192.168.247.129:39/tcp 192.168.247.129:40/tcp 192.168.247.129:41/tcp 192.168.247.129:42/tcp 192.168.247.129:43/tcp 192.168.247.129:44/tcp 192.168.247.129:45/tcp 192.168.247.129:46/tcp 192.168.247.129:47/tcp 192.168.247.129:48/tcp 192.168.247.129:49/tcp 192.168.247.129:50/tcp 192.168.247.129:51/tcp 192.168.247.129:52/tcp 192.168.247.129:53/tcp 192.168.247.129:54/tcp 192.168.247.129:55/tcp 192.168.247.129:56/tcp 192.168.247.129:57/tcp 192.168.247.129:58/tcp 192.168.247.129:59/tcp 192.168.247.129:60/tcp 192.168.247.129:61/tcp 192.168.247.129:62/tcp 192.168.247.129:63/tcp 192.168.247.129:64/tcp 192.168.247.129:65/tcp 192.168.247.129:66/tcp 192.168.247.129:67/tcp 192.168.247.129:68/tcp 192.168.247.129:69/tcp 192.168.247.129:70/tcp 192.168.247.129:71/tcp 192.168.247.129:72/tcp 192.168.247.129:73/tcp 192.168.247.129:74/tcp 192.168.247.129:75/tcp 192.168.247.129:76/tcp 192.168.247.129:77/tcp 192.168.247.129:78/tcp 192.168.247.129:79/tcp 192.168.247.129:81/tcp 192.168.247.129:82/tcp 192.168.247.129:83/tcp 192.168.247.129:84/tcp 192.168.247.129:85/tcp 192.168.247.129:86/tcp 192.168.247.129:87/tcp 192.168.247.129:88/tcp 
192.168.247.129:89/tcp 192.168.247.129:90/tcp 192.168.247.129:91/tcp 192.168.247.129:92/tcp 192.168.247.129:93/tcp 192.168.247.129:94/tcp 192.168.247.129:95/tcp 192.168.247.129:96/tcp 192.168.247.129:97/tcp 192.168.247.129:98/tcp 192.168.247.129:99/tcp 192.168.247.129:100/tcp (total 98). [Note: the -q option suppresses this listing]
amap v5.4 finished at 2019-04-24 23:31:42
root@kali:~# amap 192.168.247.129 1-100 -q
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-24 23:33:56 - APPLICATION MAPPING mode
Protocol on 192.168.247.129:25/tcp matches smtp
Protocol on 192.168.247.129:80/tcp matches http
Protocol on 192.168.247.129:80/tcp matches http-apache-2
amap v5.4 finished at 2019-04-24 23:34:03
root@kali:~# amap 192.168.247.129 1-100 -qb
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-24 23:34:12 - APPLICATION MAPPING mode
Protocol on 192.168.247.129:25/tcp matches smtp - banner: 220 chengqia-852040 Microsoft ESMTP MAIL Service, Version 6.0.3790.3959 ready at Wed, 24 Apr 2019 233410 +0800 \r\n500 5.3.3 Unrecognized command\r\n
Protocol on 192.168.247.129:80/tcp matches http - banner: HTTP/1.1 200 OK\r\nDate Wed, 24 Apr 2019 153410 GMT\r\nServer Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45\r\nX-Powered-By PHP/5.4.45\r\nContent-Length 11\r\nConnection close\r\nContent-Type text/html\r\n\r\nHello World
Protocol on 192.168.247.129:80/tcp matches http-apache-2 - banner: HTTP/1.1 200 OK\r\nDate Wed, 24 Apr 2019 153410 GMT\r\nServer Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45\r\nX-Powered-By PHP/5.4.45\r\nContent-Length 11\r\nConnection close\r\nContent-Type text/html\r\n\r\nHello World
amap v5.4 finished at 2019-04-24 23:34:18
III. Operating system identification
Once an operating system is installed it opens certain services or ports by default. Scanning for the OS version lets us identify vulnerabilities in those default services or ports, and exploiting one of them may get us into the target system.
1. nmap
nmap -O 192.168.247.129  # identify the operating system type
root@kali:~# nmap -O 192.168.247.129
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 23:35 CST
Nmap scan report for bogon (192.168.247.129)
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3306/tcp open mysql
8099/tcp open unknown
MAC Address: 00:0C:29:8F:74:74 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.55 seconds
2. scapy: judging the target OS type from the TTL value
Initial TTL values:
- Windows: 128 (observed values 65-128)
- Linux: 64 (observed values 1-64)
- some Unix systems: 255
root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> win="192.168.247.129"
>>> linux="192.168.247.157"
>>> aw=sr1(IP(dst=win)/ICMP())
Begin emission:
.*Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
>>> aw.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 9523
flags=
frag= 0L
ttl= 128  # Windows operating system
proto= icmp
chksum= 0xa52a
src= 192.168.247.129
dst= 192.168.247.176
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0xffff
id= 0x0
seq= 0x0
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
>>> a1=sr1(IP(dst=linux)/ICMP())
Begin emission:
.*Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
>>> a1.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 46017
flags=
frag= 0L
ttl= 64  # Linux operating system
proto= icmp
chksum= 0x5680
src= 192.168.247.157
dst= 192.168.247.176
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0xffff
id= 0x0
seq= 0x0
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Script: ttl_os.py
#!/usr/bin/env python3
# This script makes a rough guess at the target host's OS type from the size of the TTL value.
from scapy.all import IP, ICMP, sr1
import sys

if len(sys.argv) != 2:
    print("Usage: ./ttl_os.py [IP address]")
    print("Example: ./ttl_os.py 1.1.1.1")
    sys.exit()

ip = sys.argv[1]
ans = sr1(IP(dst=str(ip)) / ICMP(), timeout=1, verbose=0)  # one ICMP echo request, wait at most 1 second
if ans is None:
    print("No response was returned")
elif int(ans[IP].ttl) <= 64:
    print("Host is Linux/Unix")
else:
    print("Host is Windows")
root@kali:~# chmod +x ttl_os.py
root@kali:~# ./ttl_os.py 192.168.247.129
Host is Windows
root@kali:~# ./ttl_os.py 192.168.247.157
Host is Linux/Unix
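ttl_os.py splits on 64 only, which works on a LAN but not across routers: every hop decrements the TTL, so an observed value of 54 most likely started at 64 ten hops away, and a reply of 250 from a 255-TTL Unix host or router is reported as Windows. The following added example, not code from the original post, infers the initial TTL and hop count from the table above and compares the result with the script's rule. The OS labels are the page's own heuristic, and the sample TTL values are constructed.

```python
import sys

# Well-known initial TTLs from the table above. The labels follow the page's
# heuristic; a 255 could equally be a router, a BSD host or other network gear.
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Unix/network device"}


def infer_initial_ttl(observed):
    """Return (initial_ttl, hops, os_guess) for an observed TTL.
    Each router on the path decrements the TTL by one, so the sender's
    initial value is the smallest well-known value >= observed, and the
    difference between the two is the hop count."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed, INITIAL_TTLS[initial]
    raise AssertionError("unreachable: 255 is the largest possible TTL")


def page_rule(observed):
    """The two-way rule used by ttl_os.py above: 64 or less means Linux/Unix."""
    return "Linux/Unix" if observed <= 64 else "Windows"


def compare(observed):
    """Show where the hop-aware inference and the simple rule disagree."""
    initial, hops, guess = infer_initial_ttl(observed)
    return {"observed": observed, "initial": initial, "hops": hops,
            "guess": guess, "page_rule": page_rule(observed),
            "agree": guess == page_rule(observed)}


def probe_ttl(host, timeout=1):
    """Send one ICMP echo request with scapy (needs root) and return the reply
    TTL, or None when nothing comes back. Same call as ttl_os.py above; scapy is
    imported here so the pure functions run without it."""
    from scapy.all import IP, ICMP, sr1
    ans = sr1(IP(dst=host) / ICMP(), timeout=timeout, verbose=0)
    return None if ans is None else int(ans[IP].ttl)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        ttl = probe_ttl(sys.argv[1])
        print(compare(ttl) if ttl is not None else "No response was returned")
    else:
        # Constructed observations: a Windows host on the LAN, a Linux host ten
        # hops away, and a 255-TTL device five hops away that the simple rule mislabels.
        for ttl in (128, 54, 250):
            print(compare(ttl))
```

The inference is still a guess: a Windows host more than 64 hops away would look like Linux to both rules, and any stack can be configured with a non-default TTL. Treat the result as one signal to be confirmed by nmap -O or the p0f signatures below rather than as a verdict.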
3. xprobe2 (a dedicated OS identification tool, but not very accurate)
root@kali:~# xprobe2 192.168.247.129
Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]
[+] Target is 192.168.247.129
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.247.129. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.247.129. Module test failed
[-] No distance calculation. 192.168.247.129 appears to be dead or no ports known
[+] Host: 192.168.247.129 is up (Guess probability: 50%)
[+] Target: 192.168.247.129 is alive. Round-Trip Time: 0.52076 sec
[+] Selected safe Round-Trip Time value is: 1.04152 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.247.129 Running OS: `���UU (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.247.129 Running OS: ����UU (Guess probability: 100%)
[+] Host 192.168.247.129 Running OS: ����UU (Guess probability: 100%)
[+] Host 192.168.247.129 Running OS: ����UU (Guess probability: 100%)
[+] Host 192.168.247.129 Running OS: `���UU (Guess probability: 100%)
[+] Host 192.168.247.129 Running OS: ����UU (Guess probability: 100%)
[+] Host 192.168.247.129 Running OS: ����UU (Guess probability: 100%)
[+] Host 192.168.247.129 Running OS: ����UU (Guess probability: 100%)
[+] Host 192.168.247.129 Running OS: `���UU (Guess probability: 100%)
[+] Host 192.168.247.129 Running OS: ����UU (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
4. Passive operating system identification
- Active scanning: send packets to the target system and judge the target OS type from the information that comes back
- Passive scanning: send no packets to the target; identify the target OS by capturing and listening to network traffic
Packets sent by different operating systems are different; compare, for example, the ping packets sent by Windows and Linux.
root@kali:~# p0f  # reports not only this host but also every host that exchanges traffic with it
--- p0f 3.09b by Michal Zalewski <[email protected]> ---
[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.
.-[ 192.168.247.176/49254 -> 192.168.247.129/80 (syn) ]-  # traffic has to be triggered
|
| client = 192.168.247.176/49254
| os = Linux 3.11 and newer  # operating system of this host
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ 192.168.247.176/49254 -> 192.168.247.129/80 (mtu) ]-
|
| client = 192.168.247.176/49254
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
.-[ 192.168.247.176/49254 -> 192.168.247.129/80 (syn+ack) ]-
|
| server = 192.168.247.129/80  # port 80 of 192.168.247.129 was accessed
| os = ???
| dist = 0
| params = none
| raw_sig = 4:128+0:0:1460:mss*44,0:mss,nop,ws,nop,nop,ts,nop,nop,sok:ts1-:0
|
`----
.-[ 192.168.247.176/49254 -> 192.168.247.129/80 (mtu) ]-
|
| server = 192.168.247.129/80
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
.-[ 192.168.247.176/49254 -> 192.168.247.129/80 (http request) ]-  # HTTP request details
|
| client = 192.168.247.176/49254
| app = Firefox 10.x or newer
| lang = English
| params = none
| raw_sig = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],Connection=[keep-alive],Upgrade-Insecure-Requests=[1]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
|
`----
.-[ 192.168.247.176/49254 -> 192.168.247.129/80 (http response) ]-  # HTTP response details
|
| server = 192.168.247.129/80
| app = Apache 2.x
| lang = none
| params = none
| raw_sig = 1:Date,Server,X-Powered-By=[PHP/5.4.45],?Content-Length,Keep-Alive=[timeout=5, max=100],Connection=[Keep-Alive],Content-Type:Accept-Ranges:Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|
`----
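p0f's verdict comes from the raw_sig line: for a TCP packet it has the form ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass, and the TTL field is printed as observed+distance. The following is an added example, not p0f's code and not part of the original post; it pulls the TCP signatures out of p0f output and parses the fields so that the evidence behind "os = Linux 3.11 and newer", and the unmatched syn+ack ("os = ???"), can be inspected. The excerpt is constructed from the signatures shown above with the other lines trimmed; the coarse OS family guess reuses the initial-TTL table from the scapy section and is a heuristic of this example, not p0f's matching.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: the raw_sig values are copied from the p0f output above,
# the rest of each block is trimmed. The HTTP signature is shortened.
P0F_EXCERPT = """\
.-[ 192.168.247.176/49254 -> 192.168.247.129/80 (syn) ]-
| client   = 192.168.247.176/49254
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
`----
.-[ 192.168.247.176/49254 -> 192.168.247.129/80 (syn+ack) ]-
| server   = 192.168.247.129/80
| raw_sig  = 4:128+0:0:1460:mss*44,0:mss,nop,ws,nop,nop,ts,nop,nop,sok:ts1-:0
`----
.-[ 192.168.247.176/49254 -> 192.168.247.129/80 (http request) ]-
| raw_sig  = 1:Host,User-Agent,Accept=[text/html]:Accept-Charset:Mozilla/5.0
`----
"""


@dataclass
class TcpSig:
    ip_version: int
    observed_ttl: int
    distance: int
    ip_opt_len: int
    mss: Optional[int]       # None when p0f prints '*'
    wsize: str               # e.g. 'mss*20', a plain number, or '*'
    wscale: Optional[int]
    olayout: List[str]       # TCP option layout, the field p0f's fp entries key on
    quirks: List[str]
    pclass: str

    @property
    def initial_ttl(self) -> int:
        # p0f prints the TTL field as observed+distance (e.g. 54+10).
        return self.observed_ttl + self.distance


def _int_or_none(s: str) -> Optional[int]:
    return int(s) if s.isdigit() else None


def parse_raw_sig(raw: str) -> TcpSig:
    """Parse a p0f v3 TCP raw_sig: ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass."""
    ver, ittl, olen, mss, win, olayout, quirks, pclass = raw.split(":")
    observed, _, dist = ittl.partition("+")
    observed = observed.rstrip("-")  # tolerate the '54-' form p0f prints when the distance is unknown
    wsize, _, wscale = win.partition(",")
    return TcpSig(int(ver), int(observed), int(dist or 0), int(olen),
                  _int_or_none(mss), wsize, _int_or_none(wscale),
                  olayout.split(",") if olayout else [],
                  quirks.split(",") if quirks else [], pclass)


# Heuristic for this example only: family from the initial TTL table above.
TTL_FAMILY = {64: "Linux/Unix-like", 128: "Windows-like", 255: "Unix/network device"}


def os_family(sig: TcpSig) -> str:
    return TTL_FAMILY.get(sig.initial_ttl, "unknown")


RAW_SIG_RE = re.compile(r"raw_sig\s*=\s*(\S+)")


def tcp_sigs_from_p0f(text: str) -> List[TcpSig]:
    """Collect and parse every TCP raw_sig in p0f output. HTTP signatures carry
    their own version field ('1:...') and are skipped."""
    out = []
    for line in text.splitlines():
        m = RAW_SIG_RE.search(line)
        if m and m.group(1).split(":")[0] in ("4", "6"):
            out.append(parse_raw_sig(m.group(1)))
    return out


def summarize(text: str):
    """One (initial_ttl, family, option_layout) row per TCP signature."""
    return [(s.initial_ttl, os_family(s), ",".join(s.olayout)) for s in tcp_sigs_from_p0f(text)]


if __name__ == "__main__":
    for row in summarize(P0F_EXCERPT):
        print(row)
```

Note how the two signatures differ not only in initial TTL (64 against 128) but in option layout: mss,sok,ts,nop,ws from the Linux client against mss,nop,ws,nop,nop,ts,nop,nop,sok from the Windows 2003 server. That layout, together with the window and quirks, is what the entries in /etc/p0f/p0f.fp match on; a packet whose combination has no entry comes back as "???", as the syn+ack above did. Passive fingerprinting is just as useful for the defence: running p0f on a mirror port yields an inventory of operating systems on the segment without sending a single packet.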