2015306 Bai Jiao "Network Attack and Defense" EXP6 Information Collection and Vulnerability Scanning

1. Answers to questions

(1) Which organizations are responsible for managing DNS and IP addresses?

The top-level authority is the Internet Corporation for Assigned Names and Numbers (ICANN); all root servers worldwide are managed centrally by ICANN under authorization from the US government.
There are currently five regional registries worldwide:

   1) ARIN is mainly responsible for North America

   2) RIPE is mainly responsible for Europe

   3) APNIC is mainly responsible for the Asia-Pacific region

   4) LACNIC is mainly responsible for Latin America

   5) AfriNIC is mainly responsible for Africa.

Under ICANN there are three supporting organizations; among them the Address Supporting Organization (ASO) is responsible for managing the IP address system, and the Domain Name Supporting Organization (DNSO) is responsible for managing the Domain Name System (DNS) on the Internet.

(2) What is 3R information?

Registrant: the person or organization that registered the domain name
Registrar: the company through which the domain name was registered
Registry: the official registry that operates the top-level domain

(3) Evaluate the accuracy of the scan results

The scan results are actually quite accurate; OpenVAS vulnerability scanning feels fairly powerful. I scanned my own computer, and with the hotspot on it still took a whole hour. When it finished I found that it had detected many vulnerabilities. The nice thing about this scan is that every vulnerability comes with its corresponding fix. Vulnerabilities are also a very deep subject, and I could only understand the scan results with Google Translate~

2. Experimental experience

This experiment mainly obtained information about the target machine through information collection and vulnerability scanning. I deeply realized that in the era of Internet big data, our private information is no longer private, and using the Internet always leaves invisible traces. With countless traces, you can learn a stranger's life story with one search command, and you can see open ports and various service versions from one IP. It is extremely scary to think about, even if we do not know whether our information is being used. . . .

3. Experimental content

- Information gathering

1. Peripheral information collection

1.1 Mining the information of the target website through DNS and IP
(1) Whois domain name registration information query

[Note: prefixes such as www are removed when performing a whois query, because when a domain name is registered it is usually the upper-level domain that is registered; the sub-domain is managed by the owner's own DNS server and may not be found in the whois database.]

From the figure below, we can see that by running whois sogo.com we can find the registered city, email address, phone number, etc.



(2) nslookup, dig domain name query
  • nslookup can get the result of the cache saved by the DNS resolution server, but it is not necessarily accurate.

  • dig can query exact results from official DNS servers

Obviously, the result is the same~

(3) IP2Location: through the website IPADDRESSGUIDE, a geographic location can be looked up from an IP address.



(4) Information query service provided by netcraft

More detailed information can be obtained through the website NETCRAFT

(5) Reverse domain name lookup from IP

Reverse lookup the domain name by IP: reverse-ip-lookup

1.2 Information collection through search engines
(1) Probe the URL directory structure

Use Metasploit's brute_dirs, dir_listing, dir_scanner and other auxiliary modules, which mainly work by brute-force guessing of directory names.

use auxiliary/scanner/http/dir_scanner
set THREADS 50
set RHOSTS 192.168.44.130
show options
exploit

(2) Search for specific types of files

Some websites link sensitive documents such as address books and order lists, which can be searched for in a targeted way; for example, on Baidu: site:edu.cn teacher information filetype:xls. The following results were found:

The scary thing is that all the personal information and life history of one teacher was exposed, along with another teacher's qualification certificate number, and so on.

(3) IP route reconnaissance

traceroute www.baidu.com

2. Host detection and port scanning

2.1 Active host scan
(1) ICMP Ping command
ping www.baidu.com

(2) Modules in metasploit

For example: arp_sweep uses ARP requests to enumerate active hosts on the local LAN (i.e. an ARP scanner), while udp_sweep probes with UDP packets.

use auxiliary/scanner/discovery/arp_sweep
set RHOSTS 192.168.44.1/24
show options
exploit

2.3 Port scanning and service detection
(1) Metasploit's port scanning module

(2) Nmap scan
  • Operating system identification
The Nmap -O option

  • Nmap port scan
    -sT specifies a TCP connect() scan of the target host.

    The Nmap -sT option

In addition to this, there are many other options:

  -sU: use UDP scanning to determine the state of the target host's UDP ports.

  -sN/sF/sX: use TCP Null, FIN and Xmas stealth scans to help probe the state of the target's TCP ports.

  --scanflags <flags>: customize the flags of the TCP packets.

  -sI <zombiehost[:probeport]>: use an idle scan against the target host (requires finding a suitable zombie host).

  -sY/sZ: use SCTP INIT/COOKIE-ECHO to scan for open SCTP ports.

  -sO: use an IP protocol scan to determine which protocols the target host supports.

  -b <FTP relay host>: use an FTP bounce scan.

  • Probe detailed service information

-sV: tells Nmap to perform version detection

The Nmap -sV option
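As an added defender-side example (written for this page, not part of the lab or of any tool it uses), the following Python code spots the kind of port sweep that nmap -sT/-sS or Metasploit's scanner modules produce, by counting how many distinct destination ports a single source touches within a 60-second window of firewall connection logs. The log format, the addresses and the threshold of 5 ports are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic): "<time> <src> -> <dst>:<port> <flag>"
SAMPLE_LOG = """\
2023-05-01T10:00:00 192.168.44.1 -> 192.168.44.130:22 SYN
2023-05-01T10:00:00 192.168.44.1 -> 192.168.44.130:80 SYN
2023-05-01T10:00:01 192.168.44.1 -> 192.168.44.130:443 SYN
2023-05-01T10:00:01 192.168.44.1 -> 192.168.44.130:1521 SYN
2023-05-01T10:00:02 192.168.44.1 -> 192.168.44.130:5900 SYN
2023-05-01T10:00:02 192.168.44.1 -> 192.168.44.130:3306 SYN
2023-05-01T10:00:05 192.168.44.7 -> 192.168.44.130:80 SYN
2023-05-01T10:00:09 192.168.44.7 -> 192.168.44.130:80 SYN
2023-05-01T10:30:00 192.168.44.1 -> 192.168.44.130:8080 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def detect_port_scans(text, window=timedelta(seconds=60), min_ports=5):
    """Return {src_ip: max distinct ports hit within one `window`} for sources at/over threshold.

    A sweep (nmap -sT/-sS, udp_sweep) touches many distinct ports from one source in a short
    time, while a normal client reuses a few ports, so distinct-port fan-out is the signal.
    """
    events = defaultdict(list)
    for ts, src, _dst, port in parse_log(text):
        events[src].append((ts, port))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({p for _, p in evs[start:end + 1]}))
        if best >= min_ports:
            alerts[src] = best
    return alerts
```

The single host 192.168.44.1 hits six distinct ports within two seconds and is reported; 192.168.44.7, which only retries port 80, is not.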

3. Network service scan

(1) SSH service scan
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.44.130
show options
exploit

(2) Oracle database service enumeration
use auxiliary/scanner/oracle/tnslsnr_version
set RHOSTS 192.168.44.130
show options
exploit

- Vulnerability scan

1. Install the new version of OpenVAS

apt-get update          # update the package list

apt-get dist-upgrade    # fetch the latest packages and download and install any that have updates

apt-get install openvas # (re)install the OpenVAS tool

2. Configure the OpenVAS service

- Run the command openvas-check-setup repeatedly, and each time enter the commands suggested by the FIX prompt messages, until running openvas-check-setup again shows the interface in the figure below; that means setup succeeded.

  • Enter the command openvasmd --user=admin --new-password=20155306 to add a user account and password.
  • Type openvas-start to start OpenVAS. After a while the browser automatically opens https://127.0.0.1:9392. However, the following message appears: Your connection is not secure.

  • Click Advanced to trust the URL.

  • Enter the username and password you just set to log in.
  • Create a new task with the wizard: Scans - Tasks - Task Wizard. The following interface appears; enter the IP address of the host you want to scan: 172.20.10.8.

  • Then. . . it takes a long time. . be patient. . wait, and it finally reaches 100%

  • Pick one at random: VNC brute force attack

As you can see from the details, the script exploit attempts to authenticate to the VNC server using the password set in the password preferences.

The improvement given is: change the password to something hard to guess.

  • Let's look at another vulnerability. The general meaning is: the host is running IBM DB2, which is prone to a permissions vulnerability; this flaw is caused by the 'nodes.reg' file, which has insecure world-writable permissions.
    The detection method is described as well, and it is mentioned that the version of IBM DB2 is 9.5.


The corresponding solution is to upgrade to IBM DB2 V9.5 FP9. And the updated URL is given: http://www-01.ibm.com/support/docview.wss?rs=71&uid=swg27007053 .
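As an added example (not from the lab report or from OpenVAS), the following Python audit reproduces the check behind this finding locally: it walks a directory tree, reports every regular file whose mode grants write access to "other" (the condition OpenVAS flagged on nodes.reg), and strips that bit, the equivalent of chmod o-w. The directory layout and file names in demo() are a constructed fixture, not the real DB2 installation path.

```python
import os
import stat
import tempfile
from pathlib import Path

def world_writable_files(root):
    """Return sorted paths under `root` whose mode grants write to 'other' (o+w).

    Any local user can modify such a file, so a service that trusts it (as DB2 trusts
    nodes.reg) can be influenced by an unprivileged account; this is a cheap local audit.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                mode = p.lstat().st_mode
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode is meaningless; audit its target separately
            if mode & stat.S_IWOTH:
                hits.append(str(p))
    return sorted(hits)

def remediate(path):
    """Strip the 'other' write bit (equivalent of chmod o-w) and return the new permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IWOTH)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Constructed fixture: a fake config directory with one 0o666 'nodes.reg' and one 0o644 file."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "sqllib"
        cfg.mkdir()
        bad = cfg / "nodes.reg"
        bad.write_text("constructed sample\n")
        os.chmod(bad, 0o666)
        good = cfg / "readme.txt"
        good.write_text("constructed sample\n")
        os.chmod(good, 0o644)
        before = world_writable_files(tmp)
        new_mode = remediate(bad)
        after = world_writable_files(tmp)
        return [os.path.basename(x) for x in before], oct(new_mode), after
```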
