20155320 Exp6 Information Collection and Vulnerability Scanning

【Answer the questions after the experiment】

  • (1) Which organizations are responsible for managing DNS and IP addresses?

  • (2) What is 3R information?

  • (3) Evaluate the accuracy of the scan results.

【Experiment procedure】

1. Information collection

Mining information about the target website through DNS and IP

  • whois is used to query domain name registration information. Taking Sogou search as an example, enter whois sogou.com to query the 3R registration information (registrant, registrar, registry). The output is very comprehensive; almost everything comes out.

    It is best not to add a prefix such as www to a whois query: when a domain name is registered, the upper-level domain name is usually what gets registered, and subdomains are managed by the owner's own domain name server, so they may not be found in the whois database.

    The output includes information such as the registrant's name, organization, and city.

Server-related information

Registration information and administrator information

nslookup and dig queries
  • Enter dig URL or nslookup URL in the Kali terminal to view the IP address corresponding to the URL. Because it was not very clear to me what the difference between the two commands is, I checked the Internet and found the answer in a blog.

The difference between dig and nslookup is that the dig tool can query the exact authoritative answer from the official DNS server of the domain name, while nslookup only gets the non-authoritative answer stored in the cache of the DNS resolution server.

The dig command is more flexible to use; for example, you can specify in dig which DNS resolution server to use for the query, and using the dig command will also trigger the DNS resolution server to. Below is the corresponding IP found with dig sogou.com. This IP is accurate, and the results are resolved into three sections: Answer, Authority, and Additional.

Below is the corresponding IP found with nslookup sogou.com, but this result is not accurate. Setting set type=A resolves its IP address.

  • It can be seen from the above that the Answer section returned by dig is the same as what nslookup obtained, but in the Authority and Additional sections dig also gives several DNS servers for sogou.com and their corresponding IPs.
IP location (geolocation) query
  • IP2Location geolocation query (GeoIP2, IP2Location)

Ping sogou.com directly to get its IP address

  • This is the query result from MaxMind

  • Below is more detailed location information

Information query service provided by Netcraft

IP reverse domain name lookup
  • Some registration information, as well as SSL and certificate information, can be obtained through the Shodan search engine.

tracert route detection
  • Use the traceroute 111.13.94.45 command under Kali to detect the routes on the way to Sogou. We can look up these routers, or the geographic location of the machines, by IP and analyze the path the data packets take. Unfortunately, the results are all *, which is very strange.

  • After looking into it, the reason is that the virtual machine uses a NAT connection: the TTL exceeded messages returned to traceroute cannot be mapped back to the original source IP address, source port, destination IP address, destination port and protocol, so the reverse NAT translation cannot deliver the messages to the source. Therefore, re-run the detection under Windows; the location of these routers can then be looked up with an online IP query tool and the path taken by the data packets analyzed.
  • So I used the command tracert 111.13.94.45 on the Windows host.

Information collection through search engines

  • Use the search syntax filetype:xxx NAME site:xxx.xxx to query

site: limits the search scope to a specific site. If you know that what you need is on a certain site, you can limit the search to that site to improve query efficiency.

filetype: limits the search scope to the specified document format. Using the filetype syntax, the query word can be restricted to appear only in documents of that format. The supported document formats are pdf, doc, xls, ppt, rtf, and all (all of the above document formats). This is very helpful for finding documentation.
Search for a specific type of file

  • I didn't expect to find the financial aid summary tables of many universities through a precise search, and the information is still very detailed.

2. Host detection and port scanning

Active host scan

netdiscover discovery
  • Under Linux, you can directly perform host detection on the private network segment 192.168.. by running the netdiscover command.

Nmap detection
  • First, enter nmap -sn 192.168.63.* in the Kali terminal to scan for live hosts, and get the following results:

You can see my local IP; the IPs of kali2 and Win XP have been found by the scan

  • nmap -O target-IP performs operating system identification. Below, the IP address of the Win XP virtual machine that I obtained through scanning is identified as an XP system

When scanning the host, nmap reported many possible matches

  • nmap -sS IP-address scans the open TCP ports of the target host; it can discover the status of the different TCP ports and the services provided

I tried to scan the open ports of my host and of Win XP

  • Enter nmap -sV IP-address in the Kali terminal to check the service versions of the target host.

This is the result of detecting the host

This is the result of detecting the Win XP virtual machine

It can be seen that the service versions on the Win 10 host and the Win XP virtual machine are very different, and the system and system version in use can be inferred from them.
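As an added illustration, not part of the original report, the following Python shows what the nmap -sS half-open scan described above looks like from the defender's side: a burst of SYN-only segments to many distinct ports with no completed handshake. The flow-record format, the sample records and the thresholds are constructed assumptions.

```python
"""Flag SYN-scan-like behaviour in connection records (added example)."""
from collections import defaultdict


def build_sample_flows():
    """Constructed sample flow records: (timestamp, src, dst, dst_port, flags).
    The scanner rows mirror the footprint of nmap -sS: one SYN per port,
    no completing ACK, many distinct ports within a few seconds."""
    flows = []
    # Benign client: SYN followed by ACK (completed handshake) to two services.
    for port in (22, 80):
        flows.append((1000.0, "192.168.63.10", "192.168.63.20", port, "S"))
        flows.append((1000.1, "192.168.63.10", "192.168.63.20", port, "A"))
    # Scanner: SYN-only probes to 30 distinct ports within 3 seconds.
    for i, port in enumerate(range(1, 31)):
        flows.append((1005.0 + 0.1 * i, "192.168.63.5", "192.168.63.20", port, "S"))
    return flows


def detect_syn_scans(flows, window=10.0, port_threshold=15):
    """Return {src_ip: sorted probed ports} for sources that sent SYN-only
    segments to at least `port_threshold` distinct ports on one destination
    within any `window`-second span. SYNs later followed by an ACK from the
    same source to the same port count as completed handshakes and are ignored."""
    syn_only = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    completed = set()             # (src, dst, port) that saw an ACK
    for ts, src, dst, port, flags in flows:
        if flags == "S":
            syn_only[(src, dst)].append((ts, port))
        elif "A" in flags:
            completed.add((src, dst, port))
    findings = {}
    for (src, dst), events in syn_only.items():
        events = sorted(e for e in events if (src, dst, e[1]) not in completed)
        lo = 0
        for hi in range(len(events)):
            # Slide the window start forward until it spans at most `window` s.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({p for _, p in events[lo:hi + 1]}) >= port_threshold:
                findings[src] = sorted(p for _, p in events)
                break
    return findings


if __name__ == "__main__":
    for src, ports in detect_syn_scans(build_sample_flows()).items():
        print(f"{src}: SYN-only probes to {len(ports)} ports, first {ports[:5]}")
```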

3. Service scanning and enumeration

Network service scan

ssh service scan
  • Enter msf, type use auxiliary/scanner/ssh/ssh_version to use the ssh_version module, configure the parameters as required, and run it.

http 80 service enumeration
  • After entering msf, type use auxiliary/scanner/http/http_version to use the corresponding module, configure the relevant parameters as required, and run it.

It is found that there is a host on the LAN with HTTP on port 80

smb service enumeration

Type use auxiliary/scanner/smb/smb_version to use this module. After modifying the relevant configuration, you can find the SMB version information of the target host:

4. OpenVAS Network Vulnerability Scan

  • Enter openvas-check-setup in Kali to view the installation status of OpenVAS; an ERROR appeared

  • Enter the following commands as prompted to resolve the errors

openvas-check-setup
openvasmd --migrate
openvas-manage-certs -a
openvas-manage-certs -a -f
openvasmd
openvas-check-setup

  • Enter the openvas-check-setup command again; OpenVAS now reports that the installation is successful

  • Enter the openvasmd --user=admin --new-password=20155320 command to add a user account and password.

  • Type openvas-start to start OpenVAS. It automatically opens the web page https://127.0.0.1:9392, but the first time you open this page you need to click Advanced to add it as a trusted site.

  • Enter the password you just set and click Login to reach the interface listing the scanning tasks.

  • Select Tasks --> Task Wizard in the menu bar, create a new task with the wizard, enter the IP address of the XP target machine to be scanned, and click Start Scan to confirm and start scanning.

【Experiment Summary】
