Tags: information gathering vulnerability scanning
1. Practical goals
- Master the most basic skills in information gathering and how to use common tools
2. Basic knowledge
1. Practice content
(1) Application of various search techniques
(2) Query of DNS IP registration information
(3) Basic scanning technology: host discovery, port scanning, OS and service version detection, specific service checkpoint (targeting your own host)
(4) Vulnerability scanning: run a scan, read the report, check the vulnerability descriptions, and fix the vulnerabilities (targeting your own host)
2. Preliminary knowledge
Nmap
- Nmap, also known as Network Mapper, was the first network scanning and sniffer toolkit under Linux.
- nmap is a port scanning tool: it scans the open ports of networked computers, determines which services are running on which ports, and infers which operating system the computer is running (this is also known as fingerprinting).
- Nmap uses stealth techniques to evade monitoring by intrusion detection systems and, as far as possible, avoids disturbing the normal operation of the target system.
- It has three basic functions: detecting whether a group of hosts is online; scanning host ports and sniffing the network services they provide; and inferring the operating system the hosts use.
search engine
- Some websites link to sensitive files such as address books or orders; targeted searches such as site:XXX.com filetype:xls can find them.
OpenVAS
sudo su
apt-get update
apt-get upgrade
apt-get install openvas
openvas-setup # may need to be repeated several times; many XML files have to be downloaded
openvas-check-setup
openvasmd --user=admin --new-password=[new key]
Automation tools
metasploit
- brute_dirs, dir_listing, dir_scanner and other auxiliary modules are mainly brute-force guessing tools. Brute force cracking generally means the exhaustive method: the attacker uses their own username and password dictionary and tries each entry in turn to see whether it can log in. In theory, as long as the dictionary is large enough, enumeration will eventually succeed.
- modules/auxiliary/scanner/discovery: arp_sweep, udp_probe, udp_sweep
- scanner/[service_name]/[service_name]_version: traverses hosts to determine the service version
- scanner/[service_name]/[service_name]_login: conducts password-guessing attacks
traceroute/tracert
- Uses the ICMP protocol to locate all routers between the user's computer and the target computer; it can enumerate every router on the packet's transmission path.
- The TTL value reflects the number of routers or gateways a packet has passed through: by manipulating the TTL of individual ICMP echo messages and observing the "time exceeded" reply returned when a message is discarded, each hop is revealed in turn.
3. Practice steps
1. Application of various search techniques
1.1 Search URL directory structure
- dir_scanner module
- dir_listing module
- brute_dirs module
1.2 Search for specific types of files
- Search for xls files using the Sogou search engine
- Open the file after downloading; it contains a lot of valid information
1.3 Search E-Mail
- Google cannot be used legally in the country, so the Google and Yahoo options can be set to false
1.4 IP routing investigation
- Kali: traceroute. Trace www.baidu.com: after 30 routers the output still shows * * *, which means the connection's return time has timed out
- Windows: tracert. Reading the output:
  - The first column: time to live, incremented by 1 for each router node passed
  - The second to fourth columns: the return time of the ICMP packet sent three times, in ms
  - The fifth column: the IP address of the router, with the host name if there is one; * indicates that the ICMP packet's return timed out
- Windows also shows tracking through up to 30 hops (i.e. 30 routers)
2. Query of DNS IP registration information
2.1 Whois domain name registration information query
- When registering a domain name, an upper-level domain name is usually registered: baidu.com is the first-level domain name (upper domain) and www.baidu.com is a second-level domain name (subdomain)
- A subdomain is managed by its own domain name server and may not be found in the whois database
2.2 nslookup, dig domain name query
- nslookup: can diagnose the information of the Domain Name System (DNS) infrastructure, but not necessarily accurately
- dig: can query the exact results from the authoritative DNS server
- dig has many query options; each query option is identified by a keyword with a (+) prefix:
  - +[no]search: use [do not use] the search list defined by the domain or search directive in resolv.conf (if any) (not used by default)
  - +[no]trace: toggle tracing of the delegation path for the name being queried, starting from the root name servers (not used by default). When tracing is enabled, dig resolves the name using iterative queries, following the referrals from the root servers and displaying the reply from each server used in the resolution
  - +[no]identify: when the +short option is enabled, show [do not show] the IP address and port number of the server that provided the response
  - +[no]stats: toggle the display of statistics: when the query was made, the size of the response, etc. Query statistics are displayed by default.
2.3 IP2 reverse domain name query
- Ping baidu.com from two different networks; it still resolves to the same server IP
- Enter baidu.com in the IP or domain name query
- Enter the Baidu server IP found above in the IP address query
3. Basic scanning technology
3.1 Host discovery
- arp_sweep: ARP scanner, uses ARP requests to enumerate the active hosts on the local area network
- udp_sweep: uses UDP packet probes
- nmap -sn: host discovery only, no port scanning
3.2 Port scanning
- metasploit port scan module
- Nmap port scan
3.3 OS and service version detection
- nmap -O: OS detection, detects the operating system type and device type running on the target host
- nmap -sV: version detection, determines the specific application and version information running on the open ports of the target host
3.4 Viewing specific services
- telnet service scan
- SSH service scan
- Oracle database service enumeration
- open_proxy: open proxy detection
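To make concrete what the port scan and version detection steps in 3.2 and 3.3 observe, here is an added example (not code from the report or from Nmap) of a TCP connect scan plus banner grab, run against your own host as the practice requires. It starts a constructed stand-in service on 127.0.0.1 so the scan has something to find; the banner string is made up.

```python
import socket
import threading

def tcp_connect_scan(host: str, ports, timeout: float = 0.5) -> list[int]:
    """Connect scan (what nmap -sT does): a completed handshake means open."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the connect succeeded
                open_ports.append(port)
    return open_ports

def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Read what the service announces first: the simplest form of -sV."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(128).decode(errors="replace").strip()
        except socket.timeout:
            return ""  # service is silent until the client speaks first

def start_fake_service(banner: bytes):
    """Constructed local service (assumption: a listener on an ephemeral port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed, stop serving
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port

def scan_own_host(banner: bytes = b"SSH-2.0-ConstructedExample\r\n"):
    """Scan a small window of ports around the fake service and grab banners."""
    srv, port = start_fake_service(banner)
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 2, port + 3))
        banners = {p: grab_banner("127.0.0.1", p) for p in found}
        return port, found, banners
    finally:
        srv.close()
```

On a real audit of your own host, replace the window with the port range you care about and compare the banners against what you expect that host to expose.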
4. Vulnerability scan
- After installation, run openvas-check-setup to check the setup; it reports an error:
- Follow the FIX instructions and enter the commands:
openvas-check-setup
openvasmd --migrate
openvas-manage-certs -a -f
openvasmd
openvas-check-setup
- Use openvas-start to start the service; it reports an error that the browser cannot be opened, so copy https://127.0.0.1:9392 into your browser by hand; if certificate validation is prompted, select Accept
- Enter the account and password to log in
- New task: Scans→Tasks→Task Wizard
- Enter the IP of the host to scan: 192.168.196.133
- Start scanning: Start Scans
- After a few minutes, the scan is complete
- Then choose Full and fast → Databases to view all vulnerabilities
- You can see that the vulnerabilities have different severity levels
- Choose one with a higher severity (red)
- Summary describes the vulnerability: `IBM Db2 is prone to a permission weakness vulnerability.`, meaning IBM Db2 is prone to a permission weakness.
- Solution gives the fix: `Upgrade to IBM Db2 version 9.5 Fix Pack 9 or later.`, i.e. upgrade to IBM Db2 version 9.5 Fix Pack 9 or later.
5. Experimental summary and experience
5.1 Question answer
- (1) Which organizations are responsible for the management of DNS and IP?
The top-level manager is the Internet Corporation for Assigned Names and Numbers (ICANN), and the global root servers are all managed by ICANN under authorization from the US government.
There are currently 5 regional registration agencies worldwide:
- 1) ARIN is mainly responsible for business in North America
- 2) RIPE is mainly responsible for business in Europe
- 3) APNIC is mainly responsible for business in the Asia-Pacific region
- 4) LACNIC is mainly responsible for business in Latin America
- 5) AfriNIC is mainly responsible for business in Africa.
There are three supporting organizations under ICANN, of which the Address Supporting Organization (ASO) is responsible for the management of the IP address system, and the Domain Name Supporting Organization (DNSO) is responsible for the management of the domain name system (DNS) on the Internet.
- (2) What is 3R information?
- Registrant: the registrant
- Registrar: the registrar
- Registry: the official registry
- (3) Evaluate the accuracy of the scan results.
- The scan results are actually quite accurate. I feel that OpenVAS vulnerability scanning is still relatively powerful. I scanned my computer: I turned on the hotspot and scanned for an hour, and after it completed I found a lot of vulnerabilities. The good point of this scan is that each vulnerability tells us what the corresponding solution is. The vulnerabilities are also very extensive and profound, and the scan results could only be understood through Google Translate ~
5.2 Experimental experience
Through this experiment, I have gained a certain understanding of information collection methods on the Linux operating system. Many problems were encountered during the experiment; the main one was that the download speed of OpenVAS was too slow, which resulted in a day of waiting. At the same time, the protection of personal information raised by this experiment was a wake-up call: in addition to not publishing personal information on the Internet, some official websites should also strengthen the privacy protection of user information on their sites. In addition, the operating system's vulnerability check results also indicate that the operating system should be updated in time to prevent attackers from attacking the machine through a vulnerability, resulting in information leakage or more serious accidents.