20155326 Liu Meicen Exp6 Information Collection and Vulnerability Scanning

Questions to answer after the experiment

(1) Which organizations are responsible for managing DNS and IP addresses?

The global root servers are managed by ICANN, which is authorized by the US government and is responsible for managing the global domain name root servers, DNS and IP addresses.

There are five regional registries in the world: ARIN is mainly responsible for North America, RIPE for Europe, APNIC for the Asia Pacific region, LACNIC for Latin America, and AfriNIC for Africa.

(2) What is 3R information?

Registrant, Registrar, and Official Registry.

(3) Evaluate the accuracy of the scan results.

The scan results are relatively accurate. After OpenVAS finds a vulnerability, its analysis is also very comprehensive: it describes the possible impact of the vulnerability, its solution, and so on.

Practice process record

1. Information collection

Mine the target website's information through DNS and IP

(1) Whois domain name registration information query

Enter whois baidu.com in the terminal to query Baidu's 3R registration information, including the registrant's name, organization and city.

Note: when doing a whois query, remove prefixes such as www, because when a domain name is registered it is usually the upper-level domain that is registered; subdomains are managed by the registrant's own DNS servers and may not be found in the whois database.

(2) nslookup, dig domain name query

nslookup returns the result cached by the DNS resolver, which is not necessarily accurate (the following query shows the same result):

dig can query the authoritative DNS servers for exact results:

(3) IP2Location geolocation query (GeoIP2, IP2Location)

Ping Baidu's website directly to get its IP address

The query result was obtained:

(4) The information query service provided by netcraft can obtain more detailed information

More detailed information can be obtained through netcraft: you can see the DNS administrator [email protected], the hosting history, etc.

(5) IP2 reverse domain name query

(6) The shodan search engine can be used to query and obtain some registration information

(7) tracert route tracing

Using the command traceroute 220.181.57.216 under Linux to trace the route to Baidu, we can look up the geographic location of each hop by its IP address and analyze the path taken by the packets.

Because the virtual machine uses a NAT connection, the TTL-exceeded messages returned to traceroute cannot be mapped by the NAT device back to the original source IP address, source port, destination IP address, destination port and protocol, so they cannot be routed back through reverse NAT. The trace was therefore redone under Windows; the location of each hop can be looked up with an online IP query tool to analyze the path taken by the packets:

The request timeouts in the middle should be because some network devices do not respond to ping or tracert.

  • Information collection through search engines

Use the search syntax filetype:xxx NAME site:xxx.xxx to query

site: limits the search range to a specific site. If you know that a certain site contains what you are looking for, you can restrict the search to that site to improve query efficiency.
filetype: limits the search range to a specified document format. With the filetype syntax, the query term can be restricted to appear in documents of the specified format; supported formats are pdf, doc, xls, ppt, rtf and all (all of the above formats). This is quite helpful for finding documents.

Search for files of a specific type

e.g. enter filetype:xls scholarship site:edu.cn in Baidu's search bar to search for xls files on edu.cn sites that contain the keyword.

Host Probing and Port Scanning

  • netdiscover discovery

Under Linux, you can directly perform host discovery on the private network segment 192.168.. by executing the netdiscover command.

  • nmap scan

First, enter nmap -sn 192.168.223.* in the Kali terminal to scan for live hosts. It can scan a single host or a whole network segment. I scanned my Win 8 host and two VMs. For the entire network segment including the virtual machine, the following results were obtained:

My win 10 host and two VMs were found.

Enter nmap -sS IP address in the Kali terminal to scan the target host's open TCP ports; -sS means a TCP SYN scan. The XP virtual machine and the Win 8 host were scanned respectively, and the state of their TCP ports and the services they provide were found.

Enter nmap -sS -sU --top-ports 150 IP address in the Kali terminal; -sU scans UDP ports, and --top-ports 150 scans the 150 most likely open ports for TCP and UDP respectively.

Enter nmap -sV IP address in the Kali terminal to check the service versions on the target host.
The service versions of the Win 8 host and the Win XP virtual machine differ greatly, and from them the operating system and its version can be inferred.

Enter nmap -O IP address in the Kali terminal to detect the operating system of the target host.
The MAC address of the host at that IP can be seen, and the XP machine is identified as running Win XP SP2 or SP3.

For the Win 8 host, many possible versions were guessed.
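As an added example, not part of the original report: the nmap runs above (host discovery, -sS/-sU port states, -sV services, -O matches) can be saved with -oX and summarized into a host inventory. The script parses a constructed sample of that XML (placeholder IP, MAC, ports and OS match, not the experiment's real output) and lists which hosts expose a given service for follow-up review.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX format (placeholder IP, MAC, services, OS match).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.223.130" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
      <port protocol="udp" portid="137"><state state="open"/><service name="netbios-ns"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="98"/></os>
  </host>
  <host><status state="down"/><address addr="192.168.223.131" addrtype="ipv4"/></host>
</nmaprun>
"""

def summarize_hosts(xml_text):
    """Map each live host's IP to its MAC, best OS match and open (proto, port, service) list."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer the discovery probe are skipped
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the exposed surface
            svc = port.find("service")
            open_ports.append((port.get("protocol"), int(port.get("portid")),
                               svc.get("name") if svc is not None else "unknown"))
        osmatch = host.find("os/osmatch")  # only present when -O produced a match
        hosts[addrs.get("ipv4")] = {
            "mac": addrs.get("mac"),
            "os": osmatch.get("name") if osmatch is not None else None,
            "open": open_ports,
        }
    return hosts

def hosts_exposing(hosts, proto, port):
    """IPs exposing a given service (e.g. SMB on 445/tcp) for follow-up review."""
    return sorted(ip for ip, h in hosts.items()
                  if any((p, n) == (proto, port) for p, n, _ in h["open"]))
```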

Service scan and enumeration

  • SSH service scan

Open msf, list the service scanning auxiliary modules available in msf by entering the command, and see that the following modules are available, including ssh_version:

Choose to use the module, configure its parameters, and then run exploit.

  • smb service enumeration

Enter use auxiliary/scanner/smb/smb_version to use this module. After modifying the relevant configuration, the SMB version information of the target host can be found:

  • http80 service enumeration

Open msf with msfconsole, list the auxiliary enumeration modules available in msf by entering the command, enter use auxiliary/scanner/http/http_version, view the configuration parameters, configure them accordingly, and then run.

The results of the http80 service enumeration are as follows; one http80 service on the LAN was found:

OpenVAS Network Vulnerability Scan

  • Check the installation status and enable OpenVAS

Enter the command openvas-check-setup in the terminal to check the installation status.

If the prompt reports an error, follow the command given in the FIX prompt to fix it:

openvas-check-setup
openvasmd --migrate
openvas-manage-certs -a
openvas-manage-certs -a -f
openvasmd
openvas-check-setup

After the repair, it shows that the installation was successful:

  • Starting the service with openvas-start automatically opens the browser homepage https://127.0.0.1:9392:

An error occurred when opening the link here.

Click Advanced, then the option in the lower left corner, and add https://127.0.0.1:9392 as a trusted site so that it opens normally.

Select Tasks-->Task Wizard in the menu bar to create a new task, enter the IP address of the XP target machine to be scanned in the bar, and click Start Scans to confirm and start scanning.

The system's vulnerabilities can be seen here.

Open the details of the scan result and click Full and fast:

Taking the firewall as an example, click to view:

Select one of the high-severity vulnerabilities for analysis:

The summary shows that a remote attacker can bypass the firewall by setting the ECE bit in the TCP flags field. At least one firewall (IPFW) is known to have this behavior. Known vulnerable systems include all FreeBSD 3.x, 4.x, 3.5-stable, and 4.2-stable.

The solution section says to upgrade the firewall.
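An added illustration of the bug class behind that finding, not part of the report or of OpenVAS: a filter that recognizes a connection attempt only when the TCP flags are exactly SYN does not treat a SYN carrying the ECE bit (which is legitimately set during ECN negotiation, RFC 3168) as a new connection. The constructed headers below contrast that check with the correct one (SYN set, ACK clear); naive_is_new_connection and is_new_connection are names chosen here.

```python
import struct

# TCP flag bits of the header byte at offset 13: RFC 793 flags plus the
# ECE/CWR ECN bits from RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (seq, ack and checksum zeroed) for the example."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 8192, 0, 0)

def tcp_flags(header):
    return header[13]

def naive_is_new_connection(header):
    """Faulty classifier in the spirit of the reported bug: a segment counts as a
    connection attempt only when its flags equal SYN exactly, so SYN+ECE slips past."""
    return tcp_flags(header) == SYN

def is_new_connection(header):
    """Correct classifier: SYN set and ACK clear, whatever ECE/CWR/other bits accompany it."""
    f = tcp_flags(header)
    return bool(f & SYN) and not (f & ACK)

def inbound_allowed(header, classifier):
    """Policy 'drop new inbound connections, allow everything else' using the given classifier."""
    return not classifier(header)
```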

Experiment summary and experience

In this experiment, vulnerabilities that could be used to attack the scanned target machine were obtained through information collection and vulnerability scanning. After learning to use the filetype:xxx NAME site:xxx.xxx method for in-depth queries, I deeply felt the horror of big data in modern society. If this information were used by criminals, the consequences would be very serious.
