20155209 Lin Hongyu Exp6 Information Collection and Vulnerability Scanning

Exp6 Information Collection and Vulnerability Scanning

1. Information collection

1.1 Mining the information of the target website through DNS and IP

  • whois query
  • When doing a whois query, strip prefixes such as www: the registrant usually registers the parent domain, and subdomains are managed by that domain's own name servers, so they may not appear in the whois database at all.
  • I have been learning English recently, so I checked the website of Spark English.

  • There was very little information, so I also checked Baidu.

  • I saw a lot of registration information.

  • nslookup and dig domain name queries
  • nslookup returns whatever the configured recursive resolver has (often a cached answer), so the result is not necessarily accurate or current.

  • dig can send the query directly to the domain's authoritative DNS servers, so its results are more accurate.
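The nslookup/dig difference above comes down to what is put on the wire: a query to the local resolver asks for recursion (RD=1) and gets a possibly cached answer, while a query sent straight to an authoritative server comes back with the AA flag set. The following minimal DNS wire-format client is an added example, not code from the original report; it builds a query, parses a reply, and is exercised on a constructed reply for example.com (192.0.2.1 is a documentation address, not a real lookup result). The `query_server` helper is an assumption about how you would use it live and needs network access.

```python
import socket
import struct

# Added example (not from the original lab report): a minimal DNS wire-format
# client. It shows what nslookup and dig actually send, and the difference
# between asking a caching resolver (RD=1) and asking an authoritative server
# directly (RD=0, reply carries AA=1).

A_RECORD = 1
CLASS_IN = 1


def build_query(name, qtype=A_RECORD, txid=0x1234, recursion_desired=True):
    """Build a single-question DNS query packet (RFC 1035 section 4.1)."""
    flags = 0x0100 if recursion_desired else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def _read_name(data, offset):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    end = None
    jumped = False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, top bits 11
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Parse header flags and A-record answers from a DNS response packet."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == A_RECORD and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {
        "id": txid,
        "authoritative": bool(flags & 0x0400),        # AA: answer from the zone's own server
        "recursion_available": bool(flags & 0x0080),  # RA: the server is a recursive resolver
        "rcode": flags & 0x000F,
        "answers": answers,
    }


def query_server(server, name, recursion_desired=True, timeout=3.0):
    """Send one UDP query to `server` on port 53 and parse the reply (needs network)."""
    txid = 0x1234
    packet = build_query(name, txid=txid, recursion_desired=recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    return reply


# Constructed sample reply (not captured from a real server): it answers the
# question "example.com A" with 192.0.2.1 and has AA=1, as an authoritative
# server would.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)   # QR=1 AA=1 RD=1 RA=1
    + b"\x07example\x03com\x00" + struct.pack("!HH", A_RECORD, CLASS_IN)
    + b"\xc0\x0c"                                        # name: pointer to offset 12
    + struct.pack("!HHIH", A_RECORD, CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Live equivalent of `dig +norecurse @<ns> example.com` (placeholder server):
    # print(query_server("<authoritative-ns-ip>", "example.com", recursion_desired=False))
```

With a live server, `recursion_desired=False` against a name server from the domain's NS records is what `dig +norecurse @ns` does; if the reply has `authoritative` set to True you are reading the zone itself rather than a cache.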

  • Geographical query
  • Precise query using geoip2

  • Query using IP-ADDRESS

  • Reverse lookup from IP to domain
  • The shodan website can do a reverse lookup on an IP and show its geographical location; it showed that Spark English is hosted on an Alibaba Cloud server in Hangzhou.

1.2 Other searches

  • Search engine query
  • Search engines such as Baidu can be used to find the information we want, using operators of the form filetype:xxx and site:xxx together with a keyword. For example, restricting the site scope to edu.cn: after graduation many people want to take an on-the-job master's degree, so I searched for the keyword "on-the-job" with filetype:doc.

  • Check URL directory structure
  • Enter msf and scan with it. The auxiliary modules were used many times in the last experiment; here I try the scanning module my classmates used.
  • Using auxiliary/scanner/http/dir_scanner, I first wanted to target Spark English as before, but that was not successful, so I chose the website used in another classmate's blog.

  • Route reconnaissance using traceroute
  • As a result, I saw the route taken from my IP to the Spark English website's IP.

2. Basic scanning techniques: host discovery, port scanning, OS and service version detection, enumeration of specific services

2.1 Active host scanning

  • Use the ping command (ICMP echo request) to check whether a host is active.

2.2 Using nmap

  • nmap scans
  • Use nmap -sn (ping scan, no port scan) to discover the live hosts on the network segment.
  • Use nmap -sS (TCP SYN scan) to find the host's open TCP ports.
  • Use nmap -sU to find the host's open UDP ports.
  • Use nmap -O to fingerprint the operating system running on the host. The SYN, UDP and OS scans need raw sockets, so run them as root.
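Reading the four nmap scans above by eye does not scale past a few hosts; the usual practice is to save the scan with -oX and post-process it. The following parser is an added example, not part of the original report or of nmap itself. It turns nmap XML into a per-host inventory (live hosts only, their OS guess, and their ports) and answers a defender's question such as "which hosts on this segment expose SMB on TCP/445?". The embedded XML is a constructed sample shaped like real nmap output, not a scan the report performed.

```python
import xml.etree.ElementTree as ET

# Added example (not from the original lab report): turn `nmap -oX` output into
# a per-host inventory so -sn/-sS/-sU/-O results can be reviewed as an asset
# list rather than read by eye.

# Constructed sample output, shaped like real nmap XML but not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -O -oX - 192.168.56.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.9"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
      <port protocol="udp" portid="137"><state state="open|filtered" reason="no-response"/><service name="netbios-ns"/></port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 10" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return live hosts as {ip, os, ports: [(proto, port, state, service)]}."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # host discovery said it is down: nothing more to record
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else None
        osmatch = host.find("os/osmatch")  # best -O guess, if any
        os_guess = (osmatch.get("name"), int(osmatch.get("accuracy"))) if osmatch is not None else None
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            service = port.find("service")
            ports.append((
                port.get("protocol"),
                int(port.get("portid")),
                state,
                service.get("name") if service is not None else None,
            ))
        hosts.append({"ip": ip, "os": os_guess, "ports": ports})
    return hosts


def open_ports(host):
    """Ports reported as open; UDP 'open|filtered' is inconclusive and excluded."""
    return [(proto, port, svc) for proto, port, state, svc in host["ports"] if state == "open"]


def hosts_exposing(hosts, proto, port):
    """IPs with the given port open, e.g. every host answering on TCP/445 (SMB)."""
    return [h["ip"] for h in hosts if any(p == proto and n == port for p, n, _ in open_ports(h))]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for h in inventory:
        print(h["ip"], h["os"], open_ports(h))
    print("SMB exposed on:", hosts_exposing(inventory, "tcp", 445))
```

The `open|filtered` handling matters for -sU results: nmap reports that state when a UDP probe gets no reply, which means "unknown", not "open", so the inventory does not count it as exposure.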

2.3 SMB service enumeration

  • The auxiliary/scanner/smb/smb_version module, which identifies the target's operating system over SMB, was already used in the previous experiment.

3. Vulnerability scanning: run the scan, read the report, check the vulnerability descriptions, and patch the vulnerabilities


Origin http://43.154.161.224:23101/article/api/json?id=325406644&siteId=291194637