Information Gathering and Vulnerability Scanning

Lab question answers

(1) Which organizations are responsible for the management of DNS and IP addresses?

ICANN: the Internet Corporation for Assigned Names and Numbers

ICANN is a non-profit organization established to take over the management of the domain name system, the allocation of IP addresses, the assignment of protocol parameters and the management of the root server system. It is now managed by IANA and other entities contracted with the US government.
ICANN is the top-level administrator; under it there are currently 5 regional Internet registries around the world:

ARIN is mainly responsible for North America

RIPE is mainly responsible for Europe

APNIC is mainly responsible for the Asia-Pacific region

LACNIC is mainly responsible for Latin America

AfriNIC is mainly responsible for Africa.


(2) What is 3R information?

Registrant: the registrant, i.e. the person or organization that registered the domain name

Registrar: the registrar, the accredited company through which the domain name was registered

Registry: the official registry, the organization that operates the database of the top-level domain

(3) Evaluate the accuracy of the scan results.


Practice process

Information collection

1. whois query

whois (pronounced "who is", not an abbreviation) is a query and response protocol (TCP port 43) used to look up the registration information of a domain name, such as its IP addresses and its owner.

Take baidu.com as the test target:

whois baidu.com

The following results are obtained:


The raw output above is messy. For a more readable result you can search at http://whois.chinaz.com, but it is not as comprehensive as running whois yourself, because a lot of the other information is filtered out.
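As an added example (not part of the original lab report), here is a small Python script that does what the whois command does under the hood and then turns the raw output into a structured summary. The WHOIS record it parses is a constructed sample, not real output for baidu.com; whois_query, parse_whois, summarize and expires_within are names chosen here, and whois.verisign-grs.com in the demo comment is Verisign's WHOIS server for .com domains.

```python
import socket
from datetime import datetime

# Constructed sample in the style of a registry WHOIS record (not real
# output for baidu.com or any other domain).
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE-DOMAIN.COM
   Registry Domain ID: 1234567_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.example
   Registrar URL: http://www.registrar.example
   Updated Date: 2023-03-01T04:02:21Z
   Creation Date: 1999-10-11T11:05:17Z
   Registry Expiry Date: 2026-10-11T11:05:17Z
   Registrar: Example Registrar, Inc.
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Name Server: NS1.EXAMPLE-DOMAIN.COM
   Name Server: NS2.EXAMPLE-DOMAIN.COM
   DNSSEC: unsigned
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<

NOTICE: The expiration date displayed in this record is the date the registrar's
sponsorship of the domain name registration in the registry is currently set to expire.
"""

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"


def whois_query(query, server, port=43, timeout=10):
    """Raw WHOIS lookup (RFC 3912): open TCP/43, send the query plus CRLF, read to EOF."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict (keys lower-cased); repeated keys become lists."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the ">>>" footer and the legal notice block.
        if not line or line.startswith(">>>") or line.startswith("NOTICE") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def summarize(fields):
    """Pick out what matters when assessing a domain: who controls it, where it
    resolves, and which EPP locks protect it against transfer or deletion."""
    return {
        "domain": fields.get("domain name", "").lower(),
        "registrar": fields.get("registrar"),
        "registrar_whois": fields.get("registrar whois server"),
        "name_servers": sorted(ns.lower() for ns in _as_list(fields.get("name server"))),
        "locks": [s.split()[0] for s in _as_list(fields.get("domain status"))],
        "expires": fields.get("registry expiry date"),
    }


def expires_within(fields, days, now_iso):
    """True if the registry expiry date is within `days` of now_iso (same timestamp format).
    An expiring domain is a takeover risk: once it lapses, anyone can re-register it."""
    expiry = fields.get("registry expiry date")
    if not expiry:
        return None
    remaining = datetime.strptime(expiry, DATE_FMT) - datetime.strptime(now_iso, DATE_FMT)
    return remaining.days <= days


if __name__ == "__main__":
    # Offline demo on the constructed record; for a live .com lookup use
    # parse_whois(whois_query("baidu.com", "whois.verisign-grs.com")).
    record = parse_whois(SAMPLE_WHOIS)
    print(summarize(record))
    print("expires within 30 days:", expires_within(record, 30, "2026-09-20T00:00:00Z"))
```

The locks list (clientTransferProhibited and the like) and the expiry check are the items worth watching from a defensive point of view: a domain without transfer locks, or one close to expiry, is the kind of thing an attacker looks for and an owner should fix.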

2. nslookup and dig query

Use nslookup and dig to find the IP address corresponding to a domain name.


The functions of the two are similar, but I ran into a small problem while using dig: at first it always reported an error.

connection time out; no servers could be reached

Then I saw in a forum that it was a configuration problem in the /etc/resolv.conf file, and after some changes the problem was solved. /etc/resolv.conf is the DNS client configuration file; it sets the IP address and DNS domain name of the DNS server and also holds the host's domain name search order. For details, please refer to the blog post giving a brief analysis of the /etc/resolv.conf file in Linux.

Opening the file, I found that the default nameserver setting (nameserver specifies the IP of the DNS server) is 192.168.201.2, which is my own host IP. I don't know whether it can be used as the DNS server address; in any case, I can't reach a server with the default configuration. So I looked up the IP of a commonly used DNS server and saved it as shown in the figure below.
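Added example, not from the original report: what nslookup and dig do for a single query, written out in Python. build_query assembles an RFC 1035 query packet, parse_response decodes the reply including compressed names, and resolve sends the query over UDP/53 to a nameserver (8.8.8.8 here, an assumed choice; use whatever you put in /etc/resolv.conf) and rejects any reply whose transaction id does not match the query. SAMPLE_RESPONSE is a constructed reply for www.example.com, not a captured packet, and the function names are chosen here.

```python
import random
import socket
import struct

# Constructed DNS response (not a real capture): answers a query for
# www.example.com with a CNAME to web.example.com followed by an A record.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0002 0000 0000"                # id 0x1234, flags: response/RD/RA, 1 question, 2 answers
    "03777777 076578616d706c65 03636f6d 00"        # question name: www.example.com
    "0001 0001"                                    # QTYPE A, QCLASS IN
    "c00c 0005 0001 00000e10 0006 03776562 c010"   # CNAME www.example.com -> web.example.com, TTL 3600
    "c02d 0001 0001 0000003c 0004 c000020a"        # A web.example.com -> 192.0.2.10, TTL 60
)

TYPE_A, TYPE_CNAME = 1, 5


def build_query(name, qtype=TYPE_A, txid=None):
    """Build a DNS query (RFC 1035): 12-byte header + one question. The random
    transaction id is the only thing tying a UDP reply back to this query."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: standard query, RD
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a (possibly compressed) domain name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                          # guard against pointer loops in a hostile reply
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Parse the header, skip the question section, and return the answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == TYPE_CNAME:
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def resolve(name, nameserver="8.8.8.8", timeout=3.0):
    """What dig does under the hood: send the query over UDP/53, parse the reply, and
    drop anything whose transaction id does not match (a cheap anti-spoofing check)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (nameserver, 53))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return [v for _, rtype, _, v in reply["answers"] if rtype == TYPE_A]


if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))       # offline, on the constructed reply
    # print(resolve("baidu.com"))               # live lookup, needs network access
```

If resolve times out, that is the same "no servers could be reached" condition dig reports: the nameserver address is wrong or unreachable, which is exactly what a bad nameserver line in /etc/resolv.conf produces.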

Use the obtained IP address to look up its location

An IP address actually carries a lot of information; as long as you search for it you can find plenty, and its geographic location is one item.

You can check it by directly searching for the Baidu IP address. You can also use the Shodan search engine for more accurate information.

Shodan also analyzes the target IP's operating system, open ports, services and other information, which is very powerful.

3. tracert route detection

Linux terminal:

traceroute xxx.xxx.xxx.xxx

Windows cmd:

tracert xxx.xxx.xxx.xxx

A virtual machine in NAT mode cannot obtain the route with traceroute; switching to bridged mode should work, but that is too troublesome and has not been tested. Instead, tracert was run directly in the Windows cmd to obtain the route, and the collected information can be seen below.
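Added example (not the page's own code): a Python traceroute that sends UDP probes with increasing TTL and reads the ICMP Time Exceeded replies, which is how the Linux traceroute works by default. SAMPLE_TIME_EXCEEDED is a constructed packet, not a capture, and the addresses 192.168.1.1, 192.168.1.100 and 192.0.2.10 in it are placeholders. classify_hop marks RFC 1918 hops, which shows why a NAT-mode VM sees only the hypervisor's private virtual router as its first hop. Function names are chosen here.

```python
import ipaddress
import socket
import struct
import time

# Constructed ICMP "Time Exceeded" packet as a raw socket would deliver it (not a real
# capture): outer IPv4 header from router 192.168.1.1, ICMP type 11, then the first
# 28 bytes of our original UDP probe towards 192.0.2.10.
SAMPLE_TIME_EXCEEDED = bytes.fromhex(
    "4500 0038 0000 0000 4001 0000 c0a80101 c0a80164"   # outer IP: proto 1 (ICMP), src 192.168.1.1
    "0b00 0000 00000000"                                # ICMP: type 11 (time exceeded), code 0
    "4500 001c 0000 0000 0111 0000 c0a80164 c000020a"   # inner IP: TTL 1, proto 17 (UDP), dst 192.0.2.10
    "c35e 829b 0008 0000"                               # inner UDP: sport 50014, dport 33435
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_icmp_reply(packet):
    """Return (icmp_type, icmp_code, original_dst). For Time Exceeded (11) and Destination
    Unreachable (3) the router echoes our probe's IP header, so we can check that the
    reply really belongs to our traceroute and not to some unrelated traffic."""
    ihl = (packet[0] & 0x0F) * 4
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    original_dst = None
    if icmp_type in (3, 11):
        inner = packet[ihl + 8:]
        if len(inner) >= 20:
            original_dst = socket.inet_ntoa(inner[16:20])
    return icmp_type, icmp_code, original_dst


def classify_hop(addr):
    """Private (RFC 1918) hops are NAT/LAN infrastructure; in a NAT-mode VM the first hop
    is the hypervisor's virtual router, which is where the route usually stops."""
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in RFC1918) else "public"


def traceroute(dest, max_hops=30, timeout=2.0, base_port=33434):
    """UDP probes with increasing TTL, as the Linux traceroute default does. Needs root
    (or CAP_NET_RAW) for the raw ICMP socket. Returns [(ttl, hop_ip, rtt_ms, kind), ...]."""
    dest_ip = socket.gethostbyname(dest)
    hops = []
    for ttl in range(1, max_hops + 1):
        recv = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
        send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
        try:
            recv.settimeout(timeout)
            send.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            start = time.monotonic()
            send.sendto(b"", (dest_ip, base_port + ttl))   # unlikely port: final hop answers "unreachable"
            while True:
                packet, (hop_ip, _) = recv.recvfrom(1024)
                icmp_type, _code, original_dst = parse_icmp_reply(packet)
                if original_dst == dest_ip:                 # ignore ICMP that is not about our probe
                    break
            rtt = (time.monotonic() - start) * 1000
            hops.append((ttl, hop_ip, round(rtt, 1), classify_hop(hop_ip)))
            if hop_ip == dest_ip or icmp_type == 3:
                break
        except socket.timeout:
            hops.append((ttl, None, None, None))            # the "* * *" line of traceroute
        finally:
            send.close()
            recv.close()
    return hops


if __name__ == "__main__":
    print(parse_icmp_reply(SAMPLE_TIME_EXCEEDED))   # offline check on the constructed packet
    # for hop in traceroute("baidu.com"): print(hop)  # live run, needs root and network
```

A run from a NAT-mode VM typically returns one private hop and then timeouts, because the virtual router does not forward the ICMP errors from the outside back in; bridged mode puts the VM on the real LAN, which is why the text above expects it to work.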

4. Search engine query techniques

Search engines are actually very powerful, but we usually only use their most basic functions. By adding some search operators to filter the results, we can obtain a lot of the information we need.

For example, to find .doc files: filetype:doc

Pages under the .edu.cn domain: site:edu.cn

5. Using nmap to scan ports

Active host IP scan

nmap -sn 192.168.201.128/24 #Scan whether the hosts with IP 192.168.201.xxx are active

/24 means a mask length of 24 bits: the address is ANDed with the mask, so its first 24 bits (192.168.201) are kept as the network part and every address in 192.168.201.0/24 is scanned.

-sn: host discovery (ping scan) without port scanning (tested: even though the other host drops ICMP packets, its up state can still be detected; on a local Ethernet segment nmap discovers hosts with ARP requests, which a host firewall cannot drop the way it drops ICMP)

-sA: sends TCP ACK packets as the probe; can also detect whether a host is alive

The results differ between probe methods, so several host discovery methods should sometimes be combined to find the active hosts and avoid being filtered out by a firewall.

Scanning and collecting information on a specific IP

Separating IP scanning and port scanning can achieve higher efficiency and avoid redundant work on the computer.

The ports to scan are given with -p; as shown in the figure below, ports 1-10000 are scanned.

-sS: port scan | half-open scan (TCP SYN scan that does not complete the 3-way handshake)

-sV: service version detection

-O: operating system detection

-sO: IP protocol scan, which determines which protocols of the TCP/IP suite the target supports and their protocol numbers

Operating system detection may not yield results.
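Added example, not from the original page: a Python version of the two nmap steps above. network_of and hosts_in show how the /24 mask is applied, and probe_port and scan_ports do a concurrent TCP connect scan with banner grabbing. This is a full-connect scan like nmap -sT rather than the -sS half-open scan, which needs raw sockets; local_banner_listener starts a throwaway service on 127.0.0.1 with a constructed SSH-style banner so the scanner can be exercised offline. All function names are chosen here.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def network_of(ip, prefix_len):
    """What 192.168.201.128/24 means: AND the address with a mask whose first
    prefix_len bits are 1, leaving the network address (192.168.201.0)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    network = int(ipaddress.IPv4Address(ip)) & mask
    return str(ipaddress.IPv4Address(network))


def hosts_in(cidr):
    """All usable host addresses in a CIDR block (what nmap -sn would sweep)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def probe_port(host, port, timeout=0.5):
    """Full TCP connect probe of one port (like nmap -sT). Unlike the -sS half-open scan it
    completes the handshake, so the target's service will log the connection. Returns
    (port, state, banner); the banner is whatever the service sends first, if anything."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                banner = sock.recv(128).decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                banner = ""
        return port, "open", banner
    except socket.timeout:
        return port, "filtered", ""      # no SYN/ACK and no RST: something dropped the probe
    except ConnectionRefusedError:
        return port, "closed", ""        # RST came back: host is up, port closed
    except OSError:
        return port, "error", ""


def scan_ports(host, ports, workers=64):
    """Scan a list of ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p), ports))
    return {port: (state, banner) for port, state, banner in results}


def local_banner_listener(banner=b"SSH-2.0-ConstructedDemo\r\n"):
    """Throwaway TCP service on 127.0.0.1 that greets with a constructed banner, so the
    scanner can be run offline. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                   # listener closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def demo():
    """Scan the loopback listener; its port must come back 'open' with the banner."""
    port, stop = local_banner_listener()
    try:
        return port, scan_ports("127.0.0.1", [port])
    finally:
        stop()


if __name__ == "__main__":
    print(network_of("192.168.201.128", 24), len(hosts_in("192.168.201.0/24")), "hosts")
    print(demo())
    # For a lab host of your own: scan_ports("192.168.201.130", range(1, 10001)) mirrors -p 1-10000
```

The three states mirror nmap's: "closed" means a RST came back (the host is up), while "filtered" means nothing came back at all, which is the firewall case the text above warns about. Because this is a full connect, every open port you touch appears in the service's own logs, which is also what makes this kind of scan easy to detect on the defending side.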


Vulnerability scan

OpenVAS vulnerability scan

1. Configure the environment

If openvas is not on the host, install it with the following commands (you may need to change the apt source first):

apt-get update
apt-get dist-upgrade
apt-get install openvas

then run

openvas-check-setup

Repeat until no error is reported; if there is an error, follow the solution suggested under FIX.

2. Add users

Use the command

openvasmd --user=guo --new-password=xxxx #Create an account named guo with password xxxx

3. Log in to openvas

Run openvas-start to start the service; it will automatically open the browser at the home page https://127.0.0.1:9392

4. Create a new task to scan

Click Tasks under Scans, then click the position shown in the figure below and choose Task Wizard from the pop-up menu to enter the task wizard. Enter the target IP and a few options to start the scan, and view the report when it finishes.

Experimental experience

I feel that this experiment is relatively simple, but it is very important in practical applications, because if you can use these tools to collect enough information, you may have already found a way into the system without attacking it.

Using OpenVAS can also help us select the appropriate attack module in msfconsole.


Origin http://43.154.161.224:23101/article/api/json?id=325235041&siteId=291194637