20155334 Exp6 Information Collection and Vulnerability Scanning
1. Answers to experimental questions
Q: Which organizations are responsible for DNS and IP address management?
A: The Internet Corporation for Assigned Names and Numbers (ICANN), which determines the assignment of domain names and IP addresses. It is responsible for coordinating the technical elements of the DNS to ensure universal resolvability, so that all Internet users can find valid addresses. It has three supporting organizations: the Address Supporting Organization (ASO) is responsible for managing the IP address system, and the Domain Name Supporting Organization (DNSO) is responsible for managing the domain name system on the Internet. ICANN is a non-profit organization established to take on the functions of domain name system management, IP address allocation, protocol parameter configuration, and root server system management.
Q: What is 3R information?
A: The 3Rs are the registrant (Registrant), the registrar (Registrar), and the official registry (Registry).
2. Experimental summary and experience
3. Practice process record
1. Information collection
- whois
You can use whois to query a website's domain name registration information. Here I use my favorite Qin Shimingyue website for testing; enter directly: whois qinsmoon.com
The query result is as follows:
- nslookup and dig domain name queries, taking qinsmoon.com as the example:
- nslookup
- dig
- nslookup
- IP2Location geolocation query
Log in to www.maxmind.com to look up the geographic location of an IP:
- You can also look up IP addresses on this website. Well, it is actually in Beihai.
- IP to domain name reverse lookup
A reverse lookup from IP to domain name can be done in the Shodan search engine. I am not particularly familiar with Shodan, but since the experiment requires it, I had to try it. The result is a bit scary:
- tracert route probing
On Windows and Kali respectively, enter: tracert <address>
- Detecting specific types of files
Some websites link to sensitive files such as address books and order forms, which can be searched for in a targeted way, for example by entering on Baidu: filetype:xls 统计表 site:edu.cn
- Use of nmap
- Exploring active hosts
On the Kali command line, enter nmap -sn 192.168.1.* to scan the entire network segment and get:
- Use nmap -O 192.168.1.100 to get information such as the target machine's operating system:
- Use the nmap -sS -Pn 192.168.1.100 command to do a TCP SYN scan, where -sS selects the TCP SYN scan and -Pn skips the ping-based host discovery before the scan (the target is treated as online):
- Use the nmap -sV -Pn 192.168.1.100 command, where -sV is used to view detailed information about the target machine's services:
- Exploring active hosts
- Network service scan
- Telnet service scan
- SSH service scan
- Oracle Database Service Enumeration
- Password guessing and sniffing
use auxiliary/scanner/ssh/ssh_login    (enter the ssh_login module)
set RHOSTS 192.168.1.0/24              (set the target IP or IP range)
set USERNAME root                      (set the administrator account of the target system)
set PASS_FILE /root/password.txt       (set the password dictionary to try)
set THREADS 200                        (raise the number of threads to speed up the scan)
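As an added example (not part of this lab report), the defender's side of the ssh_login step above: a small Python detector that reads sshd log lines and flags a source address that produces many password failures within a short window, noting whether a successful login followed the burst. The log lines, host name and addresses below are constructed for illustration.

```python
# Added example, not from the lab report: flag a source with many failed SSH logins in a short window.
import re
from collections import defaultdict
from datetime import datetime
# Constructed sshd log lines in syslog format (syslog carries no year, so 2018 is assumed).
SAMPLE_LOG = """\
Apr 22 10:01:01 host sshd[1201]: Failed password for root from 192.168.1.50 port 40001 ssh2
Apr 22 10:01:02 host sshd[1202]: Failed password for root from 192.168.1.50 port 40002 ssh2
Apr 22 10:01:02 host sshd[1203]: Failed password for invalid user admin from 192.168.1.50 port 40003 ssh2
Apr 22 10:01:03 host sshd[1204]: Failed password for root from 192.168.1.50 port 40004 ssh2
Apr 22 10:01:04 host sshd[1205]: Failed password for root from 192.168.1.50 port 40005 ssh2
Apr 22 10:01:05 host sshd[1206]: Accepted password for root from 192.168.1.50 port 40006 ssh2
Apr 22 10:05:00 host sshd[1210]: Failed password for alice from 192.168.1.20 port 50001 ssh2
Apr 22 10:30:00 host sshd[1220]: Failed password for alice from 192.168.1.20 port 50002 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")

def parse(log_text, year=2018):
    """Yield (timestamp, result, user, ip) for every sshd password-auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Map each source IP with >= threshold failures inside a window_s-second
    sliding window to (failure count, users tried, login succeeded afterwards)."""
    events = defaultdict(list)
    for ts, result, user, ip in parse(log_text):
        events[ip].append((ts, result, user))
    hits = {}
    for ip, evs in events.items():
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            j = i  # extend the window as far as it reaches from failure i
            while j + 1 < len(fails) and (fails[j + 1][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                # a success after the burst is the case to escalate first
                success = any(e[1] == "Accepted" and e[0] >= fails[j][0] for e in evs)
                hits[ip] = (j - i + 1, sorted({e[2] for e in fails[i:j + 1]}), success)
                break
    return hits

if __name__ == "__main__":
    for ip, (n, users, success) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures within 60s for {users}; success afterwards: {success}")
```

On the sample data only 192.168.1.50 is flagged (five failures in four seconds, then an accepted login), while the two spread-out failures from 192.168.1.20 stay below the threshold.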
- Telnet service scan
2. Vulnerability scanning
- Check the installation status: open OpenVAS and run openvas-check-setup; the result is an error:
Follow the FIX guidance it prints, step by step:
openvasmd --migrate
openvas-manage-certs -a
openvas-manage-certs -a -f
openvasmd
openvas-check-setup
Repair completed: