2019-2020-4 20175121 Yang Bo "Network Countermeasure Technology" Exp5 Information Collection and Vulnerability Scan

Tags: information gathering, vulnerability scanning


1. Practical goals

  • Master the most basic skills in information gathering and how to use common tools

2. Basic knowledge

1. Practice content

(1) Application of various search techniques
(2) Query of DNS IP registration information
(3) Basic scanning techniques: host discovery, port scanning, OS and service version detection, checks of specific services (targeting your own host)
(4) Vulnerability scanning: run a scan, read the report, look up the description of a reported vulnerability and fix it (targeting your own host)

2. Preliminary knowledge

Nmap

  • Nmap (Network Mapper) is an open-source network scanner that originated on Linux and now runs on most platforms.
  • Nmap is a port scanner: it probes the ports of hosts on the network, determines which ports are open and which services listen on them, and infers the operating system of the host (OS fingerprinting).
  • Nmap offers stealthier scan types (for example the SYN scan, which never completes the TCP handshake) and timing templates that reduce the chance of triggering an intrusion detection system and keep the load on the target low; none of them are invisible to a modern IDS, so the scan should still be authorised.
  • It has three basic functions: detecting whether a group of hosts is online (host discovery); scanning the hosts' ports and identifying the network services behind them; and inferring the operating system the hosts run.

search engine

  • Some websites link sensitive files such as address books or order lists, and search engines index them. A query such as `site:XXX.com filetype:xls` restricts the results to spreadsheet files on that domain, so such files can be found directly.

OpenVAS

sudo su
apt-get update 
apt-get upgrade
apt-get install openvas
openvas-setup # may need to be run several times; it downloads many XML feed files
openvas-check-setup
openvasmd --user=admin --new-password=[new password]

These commands belong to the OpenVAS 9 packaging that Kali shipped at the time. Current Kali releases package the same scanner as Greenbone Vulnerability Management (GVM), where the setup and check commands are `gvm-setup` and `gvm-check-setup`.

Automation tools

  • Metasploit auxiliary modules such as brute_dirs, dir_listing and dir_scanner work by guessing: they take a wordlist and try each entry in turn. Brute force in general means exhaustive enumeration: the attacker uses a dictionary of usernames and passwords (or paths) and tries each one to see whether it works. In theory, given a large enough dictionary and no rate limiting or lockout on the target, the enumeration always succeeds eventually.
    • modules/auxiliary/scanner/discovery: arp_sweep, udp_probe, udp_sweep for host discovery
    • scanner/[service_name]/[service_name]_version: sweeps hosts and identifies the version of that service
    • scanner/[service_name]/[service_name]_login: password-guessing attacks against that service

traceroute/tracert

  • traceroute (Linux) and tracert (Windows) locate the routers between the user's computer and the target, enumerating every router on the path the packets take. tracert sends ICMP Echo Requests; Linux traceroute sends UDP probes to high ports by default (`-I` switches to ICMP, `-T` to TCP SYN, which helps when UDP or ICMP is filtered on the path).
  • Both work by manipulating the TTL field: the first probe is sent with TTL 1, the next with TTL 2, and so on. Each router decrements the TTL and, when it reaches zero, discards the packet and returns an ICMP Time Exceeded message whose source address identifies that router. The TTL at which a reply comes back therefore equals the number of routers or gateways the packet passed through.

3. Practice steps

1. Application of various search techniques

1.1 Search URL directory structure

  • dir_scanner module (auxiliary/scanner/http/dir_scanner): tries directory names from a wordlist and reports those that exist

  • dir_listing module (auxiliary/scanner/http/dir_listing): checks whether the web server has directory listing enabled

  • brute_dirs module (auxiliary/scanner/http/brute_dirs): generates short directory names and tests them one by one

1.2 Search for specific types of files

  • Search for xls files with the Sogou search engine (a `filetype:xls` query)

  • After downloading and opening a file, it contained a lot of valid personal information

1.3 Search E-Mail

  • The search_email_collector module (auxiliary/gather/search_email_collector) harvests addresses from search engine results. Google and Yahoo cannot be used normally inside the country, so set the SEARCH_GOOGLE and SEARCH_YAHOO options to false and rely on Bing.

1.4 IP routing investigation

  • Running traceroute on Kali against www.baidu.com: the trace ran to the maximum of 30 hops. A hop shown as `* * *` means none of the three probes for that TTL got a reply before the timeout, usually because that router rate-limits or does not send ICMP Time Exceeded; it does not mean the path ends there.

  • Reading the output of tracert on Windows:
    • The first column: the TTL, incremented by 1 for each router node passed
    • The second to fourth columns: the round-trip time of each of the three ICMP packets sent, in ms
    • The fifth column: the IP address of the router, preceded by its host name if one resolves; `*` means that probe's reply timed out
  • Windows also traces through at most 30 hops (i.e. 30 routers) by default
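The trace summary below is an added example, not part of the original lab report. It runs offline on a constructed traceroute output (documentation IP addresses, not a real trace to baidu.com) and turns the `* * *` hops the section describes into counts: which hops answered, which were silent, and whether the destination was reached at all. The `run_trace` function shows the live command variants and is not executed here.

```shell
#!/bin/sh
# Added example: summarise a traceroute run. The -I / -T variants in run_trace
# are the ICMP and TCP SYN probe modes of Linux traceroute, useful when a
# firewall drops the default UDP probes.

run_trace() {
    target="$1"
    traceroute -n -q 3 -w 2 "$target"        # UDP probes, 3 per hop, 2 s timeout
    traceroute -n -I "$target"               # ICMP Echo probes (like Windows tracert)
    traceroute -n -T -p 443 "$target"        # TCP SYN probes to port 443 (needs root)
}

# Constructed traceroute output (not real data); hops 2 and 4 never replied,
# hop 3 lost one of its three probes, hop 5 is the destination itself.
SAMPLE_TRACE=$(cat <<'EOF'
traceroute to www.example.com (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.196.2 (192.168.196.2)  0.412 ms  0.301 ms  0.288 ms
 2  * * *
 3  198.51.100.1 (198.51.100.1)  4.981 ms  5.102 ms  *
 4  * * *
 5  203.0.113.10 (203.0.113.10)  12.344 ms  12.100 ms  12.871 ms
EOF
)

# trace_summary: read traceroute output on stdin and print one line:
#   hops=<total> answered=<hops with at least one reply> silent=<"* * *" hops> reached=yes|no
# A hop counts as silent only when all three probes timed out.
trace_summary() {
    awk '
        NR == 1 {
            # destination address from the header line "traceroute to host (ip), ..."
            if (match($0, /\([0-9.]+\)/))
                dst = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /^ *[0-9]+ / {
            hops++
            stars = gsub(/\*/, "*")          # gsub returns the number of "*" on the line
            if (stars == 3) silent++; else answered++
            if (dst != "" && index($0, "(" dst ")")) reached = 1
        }
        END {
            printf "hops=%d answered=%d silent=%d reached=%s\n",
                   hops, answered, silent, (reached ? "yes" : "no")
        }'
}

# Usage with the constructed sample; a live run would be:
#   traceroute -n www.baidu.com | trace_summary
printf '%s\n' "$SAMPLE_TRACE" | trace_summary
```

For the sample this prints `hops=5 answered=3 silent=2 reached=yes`: the two `* * *` hops are silent routers in the middle of a path that still reaches its destination, which is the case the section's `* * *` remark refers to.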

2. Query of DNS IP registration information

2.1 Whois domain name registration information query

  • Registration is done for the registrable domain, not for every host name under it
    • baidu.com: the registered domain (the "upper" domain)
    • www.baidu.com: a subdomain (host name) under it
  • Subdomains are managed by the registrant's own name servers and are not recorded in the whois database, so the whois query has to be run against baidu.com rather than www.baidu.com

2.2 nslookup, dig domain name query

  • nslookup queries the resolver configured on the system and returns whatever that resolver holds, possibly a cached answer, so it is useful for diagnosing DNS infrastructure but its result is not necessarily the authoritative one

  • dig can be pointed at a chosen server with `@server`, so the authoritative name server of a domain can be queried directly for the exact record

  • dig has many query options; each is a keyword prefixed with `+`
    • +[no]search: use (do not use) the search list defined by the search or domain directive in resolv.conf, if any (off by default);
    • +[no]trace: trace the delegation path from the root name servers down to the queried name (off by default). With tracing on, dig performs the iterative queries itself, following the referrals from the root servers and printing the answer from each server on the path
    • +[no]identify: when +short is in effect, also show (hide) the IP address and port of the server that provided each answer;
    • +[no]stats: print query statistics such as the time taken and the size of the response (on by default)

2.3 Reverse lookup from IP to domain name

  • Pinging baidu.com from two different networks returned the same server IP each time

3. Basic scanning technology

3.1 Host discovery

  • arp_sweep: ARP scanner; sends ARP requests to enumerate the live hosts on the local network segment (only works on the local LAN, since ARP is not routed)

  • udp_sweep: sends UDP probes to common service ports and treats any reply as a live host

  • nmap -sn: host discovery only, no port scanning

3.2 Port scanning

  • Metasploit port scan modules (auxiliary/scanner/portscan/tcp and syn)

  • Nmap port scan

3.3 OS and service version detection

  • nmap -O: OS detection; determines the operating system and device type of the target host (needs root, since it uses raw packets)

  • nmap -sV: version detection; determines the specific application and version running behind each open port of the target host
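The script below is an added example covering the procedure of 3.1 to 3.3 (host discovery, port scan, OS and version detection); it is not code from the original report. `run_scan` shows the live nmap invocations against the lab host (192.168.196.133, the IP used later in this report; scanning needs root for `-sS`/`-O` and permission from the target's owner), and `open_ports` parses nmap's greppable `-oG` output into one line per open port, which is what a practitioner feeds into follow-up checks. The greppable output embedded in the script is constructed for illustration, not a real scan result.

```shell
#!/bin/sh
# Added example: nmap host discovery -> port/version/OS scan -> parse the
# greppable report. Target and sample output are constructed, not real data.

# Stage 1: host discovery only. Stage 2: SYN scan with service versions and OS
# detection. "-oG -" writes the greppable report to stdout so it can be piped.
run_scan() {
    target="$1"
    nmap -sn -oG - "$target"            # which hosts answer at all
    nmap -sS -sV -O -oG - "$target"     # open ports, versions, OS guess (root)
}

# Constructed nmap -oG output. Fields are tab-separated; the Ports field holds
# comma-separated entries of the form port/state/proto/owner/service/rpc/version/
SAMPLE=$(printf 'Host: 192.168.196.133 ()\tStatus: Up\nHost: 192.168.196.133 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/, 3306/closed/tcp//mysql///\tIgnored State: filtered (997)\n')

# open_ports: read greppable output on stdin and print
#   "<ip> <port> <proto> <service> <version>"
# for every port whose state is "open"; closed and filtered ports are dropped.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1
            sub(/^Host: /, "", ip)      # "192.168.196.133 ()"
            sub(/ .*/, "", ip)          # "192.168.196.133"
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i
                sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")  # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                    if (f[2] == "open")
                        print ip, f[1], f[3], f[5], f[7]
                }
            }
        }'
}

# count_open: number of open ports found in the constructed sample
count_open() {
    printf '%s\n' "$SAMPLE" | open_ports | wc -l | tr -d ' '
}

# Usage with the constructed sample. A live run would be:
#   run_scan 192.168.196.133 | open_ports
printf '%s\n' "$SAMPLE" | open_ports
```

On the sample this prints the ssh and http lines and drops the closed mysql port; the parsed lines can then be handed to the service-specific checks of 3.4 (for example the ssh_version module for every host that shows port 22 open).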

3.4 Viewing specific services

  • telnet service scan (auxiliary/scanner/telnet/telnet_version)

  • SSH service scan (auxiliary/scanner/ssh/ssh_version)

  • Oracle database service enumeration

  • open_proxy: open proxy detection (auxiliary/scanner/http/open_proxy)

4. Vulnerability scan

  • After installation, openvas-check-setup reported an error:

  • Following the FIX hints printed by the check, run:
openvas-check-setup
openvasmd --migrate
openvas-manage-certs -a -f
openvasmd
openvas-check-setup
  • Start the service with openvas-start. If the browser cannot be opened automatically, copy https://127.0.0.1:9392 into the browser yourself; when the self-signed certificate warning appears, choose Accept

  • Enter account and password to log in

  • Create a new task: Scans → Tasks → Task Wizard
  • Enter the IP of the host to scan: 192.168.196.133
  • Start the scan: Start Scan

  • After a few minutes, the scan is complete:

  • Then open the report of the Full and fast scan to view all findings:

  • The findings carry different severity levels

  • Open one of the high-severity (red) findings. Each finding page has a Summary and a Solution; since many checks are version-based, compare the reported version with the software actually installed before acting, as such findings can be false positives

  • Summary describes the vulnerability: `IBM Db2 is prone to a permission weakness vulnerability.`, i.e. IBM Db2 is prone to a permission weakness.
  • Solution gives the fix: `Upgrade to IBM Db2 version 9.5 Fix Pack 9 or later.`, i.e. upgrade to IBM Db2 version 9.5 Fix Pack 9 or later.

5. Experimental summary and experience

5.1 Question answer

  • (1) Which organisations are responsible for managing DNS and IP addresses?
    The top-level body is the Internet Corporation for Assigned Names and Numbers (ICANN). Through the IANA functions it coordinates the DNS root zone and allocates IP address blocks to the regional registries. ICANN was originally set up under contract to the US government; that oversight role ended in 2016.
    There are currently 5 regional Internet registries worldwide:
    • 1) ARIN, mainly responsible for North America
    • 2) RIPE NCC, mainly responsible for Europe, the Middle East and Central Asia
    • 3) APNIC, mainly responsible for the Asia-Pacific region
    • 4) LACNIC, mainly responsible for Latin America and the Caribbean
    • 5) AFRINIC, mainly responsible for Africa.

ICANN has three supporting organisations. The Address Supporting Organization (ASO) handles IP address policy; the domain-name side was originally the Domain Name Supporting Organization (DNSO), which in 2003 was split into the Generic Names Supporting Organization (GNSO) and the Country Code Names Supporting Organization (ccNSO).

  • (2) What is 3R information?

    • Registrant: the person or organisation that holds the domain
    • Registrar: the accredited company through which the domain is registered
    • Registry: the operator of the top-level domain's official database
  • (3) Evaluate the accuracy of the scan results.

    • The scan results are actually quite accurate. I feel that OpenVAS vulnerability scanning is still quite powerful. I scanned my own computer: I turned on a hotspot and scanned for an hour, and when it finished I found a lot of vulnerabilities. The good thing about this scan is that each vulnerability tells us the corresponding solution. The vulnerabilities are also very extensive and in-depth, and I could only understand the scan results with the help of Google Translate.

5.2 Experimental experience

Through this experiment I gained a certain understanding of information gathering methods on Linux. Many problems were encountered during the experiment; the main one was that the OpenVAS download was too slow, which cost a day of waiting. At the same time, the experiment was a wake-up call about protecting personal information: besides not publishing personal information on the Internet, some official websites should also strengthen the privacy protection of the user information they hold. In addition, the operating system's vulnerability check results show that the operating system should be updated in time, to prevent attackers from attacking the machine through a vulnerability and causing information leakage or more serious incidents.

Origin www.cnblogs.com/xposed/p/12741703.html