2019-2020-2 20175334 Luo Xinrui "Network Countermeasure Technology" Exp5 Information Collection and Vulnerability Scan

1 Practice description

1.1 Practice goals

  • Master the most basic skills in information gathering and how to use common tools

1.2 Practice content

  • (1) Application of various search techniques

  • (2) Query of DNS and IP registration information

  • (3) Basic scanning techniques: host discovery, port scanning, OS and service version detection, enumeration of specific services (targeting your own host)

  • (4) Vulnerability scanning: run a scan, read the report, check the vulnerability descriptions, and repair the vulnerabilities (targeting your own host)

2 Application of various search techniques

2.1 Search URL directory structure

  • Open msfconsole and enter the following commands:
use auxiliary/scanner/http/dir_scanner
set THREADS 34
set RHOSTS www.baidu.com
exploit

  • The directory structure of the website can be obtained:

2.2 Information collection through search engines

  • Search Baidu for site:edu.cn filetype:xls 数学 (数学 = "mathematics"); many edu.cn sites hosting XLS spreadsheets about mathematics are returned

  • After downloading and opening one of them, its content is as follows:

2.3 tracert

  • In cmd, enter the command tracert www.baidu.com to trace the route to the host

  • The output lists, for each hop, the hop number, the time to reach the hop, the return time and the average over several probes, and the IP address of the hop (an asterisk indicates that the reply timed out)

3 Query of DNS IP registration information

3.1 whois

  • Enter whois baidu.com in the terminal to obtain the 3R registration information, including the registrant's name, organization and city

  • Note: when running whois, remove prefixes such as www, because usually only the higher-level domain is registered; sub-domains are managed by the domain's own name servers and may not be found in the whois database

3.2 nslookup, dig domain name query

  • The nslookup command returns the result cached by the DNS resolver it queries

  • The dig command can query the authoritative DNS server directly and obtain an accurate result

  • The dig command has many options

  • +[no]search: Use [do not use] the search list or the search list defined in the domain directive (if any) in resolv.conf. The search list is not used by default

  • +[no]trace: Toggle tracing of the delegation path for the queried name, starting from the root name servers. Tracing is off by default. When it is enabled, dig uses iterative queries to resolve the name, following the referrals from the root servers and showing the answer from each server that took part in the resolution

  • +[no]short: When +short is enabled, display [or do not display] only the IP address and port number that provide the answer

  • +[no]stats: Toggle the display of query statistics, such as the time the query took and the size of the response. Statistics are displayed by default

3.3 shodan geographic location query

  • The IP2Location website could not be opened, so Shodan was used here instead

3.4 Reverse lookup of an IP address (IP to domain name)

  • More detailed content can be found here

4 Basic scanning techniques

4.1 Host discovery

  • The ping command detects active hosts by sending ICMP echo requests

  • Metasploit modules

    • arp_sweep uses ARP requests to enumerate the active hosts on the local network; start msfconsole and enter the following commands
use auxiliary/scanner/discovery/arp_sweep   (load the arp_sweep module)
set RHOSTS 192.168.186.0/24                 (set the target hosts)
set THREADS 50                              (speed up the scan)
run                                         (execute)

    • udp_sweep detects hosts with UDP packets; start msfconsole and enter the following commands
use auxiliary/scanner/discovery/udp_sweep   (load the udp_sweep module)
set RHOSTS 192.168.186.0/24                 (set the target hosts)
set THREADS 50                              (speed up the scan)
run                                         (execute)

  • The nmap -sn command detects active hosts on a network segment (host discovery only, no port scan)

4.2 Port scanning

  • Metasploit's tcp portscan module: start msfconsole and enter the following commands
use auxiliary/scanner/portscan/tcp   (determines whether a port is open by completing a full TCP connection)
set RHOSTS 192.168.186.0/24          (set the target hosts)
set THREADS 100                      (speed up the scan)
run                                  (execute)

  • Other portscan modules are also available

    • ack: Detects ports not filtered by the firewall by means of ACK scanning

    • ftpbounce: Enumerates TCP services through an FTP bounce (using the FTP server as a relay)

    • syn: Uses the TCP SYN flag to detect open ports

    • Xmas: A stealthier scanning method; sending packets with the FIN, PSH and URG flags set can evade some filters that match on the usual TCP flags

  • nmap port scanning (-sS is a TCP SYN scan; -Pn skips host discovery and treats every target as up before scanning)
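The scan types listed above differ only in the TCP flag combination of the probe, which is also what a defender keys on. The following added example (not part of the original report) parses the flags out of raw TCP headers and reports a source that sends probe-type packets to many distinct ports; the header builder, the sample traffic and the threshold of 5 ports are constructed here for illustration.

```python
import struct
from collections import defaultdict

# The six classic TCP flag bits (low byte of the data-offset/flags word, RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(src_port, dst_port, flags):
    """Constructed 20-byte TCP header (no options, zero checksum) used as sample traffic."""
    data_offset = 5                                   # header length in 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       (data_offset << 12) | flags, 1024, 0, 0)

def parse_tcp_header(raw):
    """Return (src_port, dst_port, flags) from the first 14 bytes of a TCP header."""
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return src, dst, off_flags & 0x3F                 # mask off data offset and ECN bits

def classify_probe(flags):
    """Map a flag combination to the scan family it matches, or "normal"."""
    if flags == 0:
        return "null"                                 # no flags at all
    if flags == FIN | PSH | URG:
        return "xmas"                                 # the Xmas scan described above
    if flags == SYN:
        return "syn"                                  # first packet of a SYN/connect scan
    if flags == ACK:
        return "ack"                                  # ACK scan (also ordinary data ACKs)
    if flags == FIN:
        return "fin"
    return "normal"

def detect_scans(packets, threshold=5):
    """packets: iterable of (src_ip, raw_tcp_header). Report each source whose
    probe-type packets touched more than `threshold` distinct destination ports."""
    seen = defaultdict(lambda: defaultdict(set))     # src_ip -> kind -> {dst ports}
    for src_ip, raw in packets:
        _sport, dport, flags = parse_tcp_header(raw)
        kind = classify_probe(flags)
        if kind != "normal":
            seen[src_ip][kind].add(dport)
    return {ip: {k: len(p) for k, p in kinds.items() if len(p) > threshold}
            for ip, kinds in seen.items() if any(len(p) > threshold for p in kinds.values())}

# Constructed sample: one host Xmas-scans ten ports, a second SYN-probes three ports
# (below the threshold), and a third sends an ordinary SYN+ACK handshake reply.
SAMPLE = ([("192.168.186.200", build_tcp_header(40000 + p, p, FIN | PSH | URG)) for p in range(20, 30)]
          + [("192.168.186.201", build_tcp_header(50000, p, SYN)) for p in (22, 80, 443)]
          + [("192.168.186.1", build_tcp_header(443, 50000, SYN | ACK))])
```

Calling detect_scans(SAMPLE) reports only the Xmas-scanning host; a single ACK-only packet is indistinguishable from normal traffic, so the per-source distinct-port count is what separates a scan from a session.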

4.3 OS and service version detection

  • The nmap -O command identifies the target's operating system and returns information such as the OS and service versions of the target machine

  • The nmap -sV command shows detailed service information for the target host
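When nmap -O -sV is run with -oX, the result can be turned into a host inventory and checked for services that still send credentials in the clear. This added example (not part of the original report) does that with the standard library; the XML sample is constructed to mirror the elements nmap emits, and the cleartext-service list is an assumption for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -O -sV -oX output, reduced to the elements the parser reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX scan.xml 192.168.186.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.186.130" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
      <port protocol="tcp" portid="139"><state state="closed"/><service name="netbios-ssn"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/><osmatch name="Linux 2.6.32" accuracy="90"/></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.186.131" addrtype="ipv4"/>
  </host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: {"os": best OS guess or None, "services": [(port, proto, name, product, version)]}}
    for hosts that are up, listing only open ports."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        # -O can return several guesses; keep the one with the highest accuracy
        best = max(host.findall("os/osmatch"), key=lambda m: int(m.get("accuracy", "0")), default=None)
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")           # absent when -sV could not identify the service
            attr = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            services.append((int(port.get("portid")), port.get("protocol"),
                             attr("name"), attr("product"), attr("version")))
        inventory[ip] = {"os": best.get("name") if best is not None else None, "services": services}
    return inventory

# Services that carry credentials unencrypted by default; candidates to retire or tunnel.
CLEARTEXT = {"ftp", "telnet", "pop3", "imap", "smtp", "http"}

def flag_cleartext_services(inventory):
    """Return [(ip, port, service)] for every open service in CLEARTEXT."""
    return [(ip, port, name) for ip, h in inventory.items()
            for port, _proto, name, _prod, _ver in h["services"] if name in CLEARTEXT]
```

On the sample, flag_cleartext_services(parse_nmap_xml(SAMPLE_NMAP_XML)) returns the FTP and Telnet services on 192.168.186.130, which matches the Telnet and SSH enumeration steps in the next section.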

4.4 Enumeration of specific services

  • Telnet service scan: start msfconsole and enter the following commands
use auxiliary/scanner/telnet/telnet_version   (load the telnet_version module)
set RHOSTS 192.168.1.0/24                     (set the target hosts)
set THREADS 100                               (speed up the scan)
run                                           (execute)

  • SSH service scan: start msfconsole and enter the following commands
use auxiliary/scanner/ssh/ssh_version         (load the ssh_version module)
set RHOSTS 192.168.1.0/24                     (set the target hosts)
set THREADS 100                               (speed up the scan)
run                                           (execute)

  • Oracle database service scan (TNS listener version): start msfconsole and enter the following commands
use auxiliary/scanner/oracle/tnslsnr_version  (load the tnslsnr_version module)
set RHOSTS 192.168.1.0/24                     (set the target hosts)
set THREADS 100                               (speed up the scan)
run                                           (execute)

  • Open proxy detection with open_proxy: start msfconsole and enter the following commands
use auxiliary/scanner/http/open_proxy         (load the open_proxy module)
set RHOSTS 192.168.1.0/24                     (set the target hosts)
set THREADS 100                               (speed up the scan)
run                                           (execute)

5 Vulnerability scanning

5.1 Install OpenVAS

  • Enter the following commands to install
apt-get update         (update the package lists)
apt-get dist-upgrade   (upgrade to the latest packages)
apt-get install openvas   (install the OpenVAS tools)

5.2 Configure OpenVAS

  • Run openvas-check-setup repeatedly and fix each problem it reports; the main operations were as follows
greenbone-nvt-sync                                          (update the NVTs)
openvasmd --rebuild                                         (rebuild the database)
greenbone-scapdata-sync                                     (fetch the CERT database)
openvasmd --create-user=20175334 --role=Admin               (create a user)
openvasmd --user=20174320 --new-password=5335               (set a new password)
greenbone-scapdata-sync --refresh                           (generate the scap.db file)
openvas-scapdata-sync                                       (sync SCAP data)
openvas-certdata-sync                                       (sync CERT data)

5.3 Using OpenVAS

  • Open the browser, go to https://127.0.0.1:9392, and log in with the user name and password

  • After logging in, select Tasks in the menu bar, then click Task Wizard to create a new task; enter the IP address of the host to scan in the task box and click Start Scan

  • Under Scanner, choose Full and fast

  • Choose Buffer overflow for analysis

  • The report lists many vulnerabilities together with their severity levels. The first one was chosen for analysis (the host runs the 3CTftpSvc TFTP server, which is vulnerable to a buffer overflow)

  • Solutions are given below the description (upgrade to a newer version, disable the affected features, remove the product, or replace it with another product)

6 Experimental gains and thoughts

  • The operations in this experiment were relatively simple; the most troublesome part was downloading and configuring OpenVAS. Through the experiment we mastered many common information-gathering tools, and we learned that vulnerabilities on our own computers need to be patched promptly to prevent attacks

7 answer questions

  • (1) Which organizations are responsible for managing DNS and IP addresses?

    • The global root servers are all managed by ICANN, which is authorized by the US government and is responsible for managing the domain name root servers, DNS and IP addresses worldwide. Root name servers: the vast majority are in Europe and North America (13 worldwide, lettered A to M), and China has only mirror servers (backups). There are 5 regional Internet registries in the world: ARIN is mainly responsible for North America, RIPE for Europe, APNIC for the Asia-Pacific region, LACNIC for Latin America, and AfriNIC for Africa.

  • (2) What is 3R information?

    • Registrant, Registrar, and Registry

  • (3) Evaluate the accuracy of the scan results

    • The results of the various scanning tools are detailed and accurate, and the tools are convenient to operate and suitable for everyday use

Origin www.cnblogs.com/lxr1006/p/12761911.html