1. Practical goals

1. Practice goals

Master the most basic skills of information gathering and how to use common tools.

2. Practical requirements

Application of various search techniques
DNS IP registration information query
Basic scanning techniques: host discovery, port scanning, OS and service version detection, specific service checkpoints (targeting your own host)
Vulnerability Scanning: Scanning, reading reports, checking vulnerability descriptions, patching vulnerabilities (targeting your own host)

Second, the practical process

1. Application of various search techniques

1.1 Search engine query IP address

Through the https://www.ip138.com/ website, you can query ip related information.

Try it here using the school's website

Find the corresponding information

1.2 Search URL directory structure

The method is to use msf automated tools: such as metasploit ’s brute_dirs, dir_listing, dir_scanner and other auxiliary modules, which are mainly violent guesses.

Open msfconsole, use

use auxiliary/scanner/http/dir_scanner
set THREADS 20
set RHOSTS www.baidu.com
exploit

Obtain the website directory structure, you can find the following directories:

1.3 Search for specific types of files

Webpage input: [site: <domain name> filetype: <file type> <retrieval information>]

Scanned out the qualified files under the domain name on the Internet [site: edu.cn filetype: xls holiday] (May Day holiday is coming soon, so search for holiday information)

Open the table that needs to be retrieved, you can see the relevant information

1.4 Search E-maile

There is search_email_collector in metasploit for targeted collection.

Open msfconsole and enter the following command
use auxiliary/gather/search_email_collector
show options
set DOMAIN baidu.com
set OUTFILE 4310srq.txt
set SEARCH_GOOGLE false
set SEARCH_YAHOO false (Domestic Yahoo and Google cannot be used normally, so set to False)
run

The corresponding information is stored in the file 4310srq.txt

1.5IP routing reconnaissance

The traceroute command uses the ICMP protocol to locate all routers between the user's computer and the target computer.

The TTL value can reflect the number of routers or gateways that the data packet passes through. By manipulating the TTL value of the independent ICMP call message and observing the return information of the message being discarded, the traceroute command can traverse all routers on the data packet transmission path.

Enter in kali: traceroute www.baidu.com, you can track the process of 30 routers passed by Baidu server.

Open the cmd input in windows : tracert www.baidu.com

The first column represents the TTL "time-to-live" (increased by 1 every time a router node is passed)
The second to fourth columns indicate the "return time of ICMP packets sent three times" (a total of 3, the unit is ms)
The fifth column means "IP address of the router" (if there is a host name, it will also include the host name)
The information with an asterisk (*) indicates that the return time of the ICMP packet timed out

2. Query of DNS IP registration information

2.1 whois query

Through the whois command query, you can get domain name information, subdomain information, server location information, 3R registration information, etc.

Here I checked the URL of Baidu. Instruction: whois baidu.com

2.2nslookup, dig domain name query

Principle: nslookup can get the results of the cache stored by the DNS resolution server, but it is not necessarily accurate.

Similarly, when analyzing Baidu. Instruction: nslookup baidu.com

dig domain name query

Principle: dig can query accurate results from the official DNS server.

The instruction is: dig baidu.com

2.3IP2Location geographic location query

www.maxmind.com website can query geographic location based on IP

First, I checked the IP address of a Baidu homepage

You can also query the ip information of this machine

ip-Adress.com There you can quickly and easily determine the IP address, or learn more about domain names or host names.

What I continue to try is my own ip.

3. Basic scanning technology

3.1 PING command: ICMP query

Ping是Windows、Unix和Linux系统下的一个命令。ping也属于一个通信协议，是TCP/IP协议的一部分。利用“ping”命令可以检查网络是否连通，可以很好地帮助我们分析和判定网络故障。

我ping了百度的官网www.baidu.com

可以ping通，并且没有丢包

3.2metasploit中的模块扫描

3.2.1arp_sweep扫描

arp.sweep使用ARP请求枚举本地局域网络中的所有活跃主机。

进入msf模式中输入

use auxiliary/scanner/discovery/arp_sweep
set RHOSTS 192.168.80.1/24 //用set进行hosts主机段设置
exploit

3.2.2udp_sweep扫描

udp.sweep通过发送UDP数据包探查指定主机是否舌跃，并发现主机上的UDP服务

use auxiliary/scanner/discovery/udp_sweep
set RHOSTS 192.168.80.1/24 //用set进行hosts主机段设置
exploit

3.3nmap 扫描

在kali中输入 nmap -sS 192.168.80.1/24 指令，sS 扫描可以看到开放的端口

得到结果。

该指令还可以扫描出电脑的操作系统以及其他更详细的信息。

指令：nmap -O 192.168.80.1，查看计算机的操作系统。

扫描的得到的结果是windows xp、windows2008、windows7，无操作系统与主机配对（可能是还没有将win10录入）

指令：nmap -sV 192.168.80.1，查看计算机的更详细的网络服务信息

3.4Telnet服务扫描

Telnet先天缺乏安全性的网络服务，对于传输数据不进行加密，一般管理员大多使用SSH协议代替telnet。在渗透进入一个网络时，可以扫描一下是否有主机设备开启telnet服务。

在kali中的msf环境下输入

use auxiliary/scanner/telnet/telnet_version //进入telnet模块
show options //查看设置信息
set RHOSTS 192.168.80.1/24 //扫描主机网段
set THREADS 50 //提高查询速度
run //扫描

大部分这个服务都是关闭的

但是有少数几个是开启的

3.5SSH服务扫描

SSH（“安全外壳”）协议是用于从一个系统安全远程登录到另一个的方法。用户通过客户端 - 服务器架构格式的不安全网络使用安全通道，用于将SSH客户端与SSH服务器连接起来。一般是linux系统上最常见的远程管理服务，SSH采用了安全的加密信息传输方式。如果管理员没有限制管理员登录的ip地址或mac地址，可获取服务器口令登录服务器，对网络中开发的SSH服务主机进行扫描。
在kali中的msf环境下输入