20155325 Exp6 Information Collection and Vulnerability Scanning

Practice goals

Master the most basic skills of information collection and the use of common tools.

Practical content

(1) Application of various search techniques

(2) Query of DNS IP registration information

(3) Basic scanning techniques: host discovery, port scanning, OS and service version detection, and enumeration of specific services

(4) Vulnerability Scanning: Can scan, read reports, check vulnerability descriptions, and fix vulnerabilities

Everyone can do it according to their personal interests.

Contents

Collect data

  Mining the target website's information by DNS and IP

    whois

    nslookup, dig

    IP2Location geolocation query

      www.maxmind.com

      https://www.ip-adress.com/reverse-ip-lookup

      http://tool.chinaz.com/

      https://www.exploit-db.com/google-hacking-database/

    Route reconnaissance using the traceroute command

  Information collection through search engines

    filetype:XXX site:edu.cn

  Active host scan

    ICMP ping command

    Use of nmap

  Network service scan

    Telnet service scan

    SSH service scan

    Oracle database service enumeration

    Password guessing and sniffing

    SMB service enumeration

Vulnerability scan

  openvas

Problems encountered

Answer questions after the experiment

————————————————————— Straight dividing line ————————————————————————

Collect data

Mining the information of the target website by DNS and IP

  • whois

  • nslookup, dig

  • IP2Location Geolocation query

www.maxmind.com

First I looked up my own IP

Then I checked Baidu's IP

**https://www.ip-adress.com/reverse-ip-lookup**

Baidu's result:

** https://www.shodan.io/**
The National Art Museum of China site that I had in mind returned no results; Baidu is better known, and that one I found.

** http://tool.chinaz.com/**
It also found other identifying features~

** https://www.exploit-db.com/google-hacking-database/**
This is the Google Hacking Database (GHDB), a library of ready-made search queries ("dorks") that surface exposed files, login pages and misconfigured servers through an ordinary search engine.

Route reconnaissance using the traceroute command

Information collection through search engines

filetype:XXX site:edu.cn

Active host scan

ICMP Ping Command

Use of nmap
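The scanning steps in this lab are host discovery (`nmap -sn 192.168.56.0/24`), port scanning (`nmap -sS -p- <target>`), OS and service version detection (`nmap -O -sV <target>`) and per-service enumeration with NSE (`nmap --script <script> <target>`). Saving the scan with `-oG` gives a grepable file that is easy to post-process. The following is an added example, not part of the original report: it parses a constructed `-oG` fragment (the addresses, versions and OS guess are made up for illustration) and derives the follow-up script scans for the services enumerated in the next section.

```python
# Added example (not from the original report): parse nmap's grepable (-oG)
# output and pull out the services the following lab sections enumerate.
# The scan output below is constructed, not a real result.
from dataclasses import dataclass, field

SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sS -sV -O -oG lab.gnmap 192.168.56.0/24
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4.6/, 445/open/tcp//microsoft-ds//Samba smbd 3.X - 4.X/, 1521/filtered/tcp//oracle///\tIgnored State: closed (995)\tOS: Linux 3.10 - 4.11
Host: 192.168.56.102 ()\tStatus: Down
# Nmap done -- 256 IP addresses (1 host up) scanned in 30.12 seconds
"""

# NSE scripts shipped with nmap that suit the services this lab enumerates.
ENUM_SCRIPTS = {
    "ssh": "ssh2-enum-algos,ssh-hostkey",
    "telnet": "telnet-encryption",
    "microsoft-ds": "smb-os-discovery,smb-enum-shares",
    "oracle": "oracle-tns-version",
}


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class Host:
    ip: str
    status: str = "Unknown"
    os: str = ""
    ports: list = field(default_factory=list)


def parse_gnmap(text: str) -> list:
    """Parse -oG lines: tab-separated 'Key: value' fields, where the Ports
    field is a comma list of port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' comment lines
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split(" ", 1)[0]
        host = hosts.setdefault(ip, Host(ip=ip))
        host.status = fields.get("Status", host.status)
        host.os = fields.get("OS", host.os)
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            p = entry.split("/")
            host.ports.append(Port(int(p[0]), p[2], p[1], p[4], p[6]))
    return list(hosts.values())


def open_services(hosts) -> list:
    """(ip, port, service, version) for every open port on a live host."""
    return [(h.ip, p.number, p.service, p.version)
            for h in hosts if h.status == "Up"
            for p in h.ports if p.state == "open"]


def enum_commands(hosts) -> list:
    """Suggest the follow-up nmap script scan for each open service we know."""
    cmds = []
    for ip, port, service, _ in open_services(hosts):
        if service in ENUM_SCRIPTS:
            cmds.append(f"nmap -p {port} --script {ENUM_SCRIPTS[service]} {ip}")
    return cmds


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for h in hosts:
        print(h.ip, h.status, h.os or "-")
    for cmd in enum_commands(hosts):
        print(cmd)
```

The filtered Oracle port (1521) is deliberately left out of the suggestions: a filtered state means a firewall dropped the probe, so an enumeration script against it would only time out, and the first question to answer is whether you are scanning from the right network position.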

Network service scan

Telnet service scan

SSH service scan

Oracle Database Service Enumeration

Password guessing and sniffing

The password dictionary (a .txt wordlist) has to be downloaded and placed in the path the module expects, just like the one below.

SMB service enumeration

Vulnerability Scan

Open OpenVAS

A quiet tip for everyone: for this step I followed the 5303 tutorial directly. The system can be updated, but unless you have to download and install OpenVAS again, the ending may look like this (as if back to being dominated by the fear of IDEA, Ubuntu and Git):

Create a new task, use openvas

That's right, this time I still have not let go of the National Art Museum of China website, and I chose it again. But... it also came at a cost in time.

Result:

Let's see the analysis of one of them

After a comprehensive analysis of its vulnerabilities, the following conclusions were drawn:

1. The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods used to debug web server connections.
It has been shown that servers supporting these methods are subject to a cross-site scripting attack, dubbed XST for Cross-Site Tracing, when combined with various weaknesses in browsers.
An attacker could exploit this flaw to trick a legitimate web user into handing over their credentials.
2. The remote SSH server is configured to allow weak encryption algorithms.
3. The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.
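Before fixing a scanner finding it is worth reproducing it by hand, and before closing it, re-checking it the same way. The following is an added example, not code from the original report or from OpenVAS: it builds a raw HTTP TRACE request with a marker header and classifies the reply (TRACE is enabled when the server answers 200 and echoes the marker back), and it filters an SSH server's offered MAC and cipher lists for the weak entries behind findings 2 and 3. The hostname `target.example`, the marker header, and the sample HTTP responses and algorithm lists are all constructed for illustration.

```python
# Added example (not from the original report): hand triage of the three
# OpenVAS findings above. Hostnames, ports, marker header and the sample
# responses and algorithm lists are constructed for illustration.
import socket

MARKER = "X-Xst-Probe: 20155325"   # hypothetical header we expect to see echoed

# MACs and ciphers that the scanner flags as weak: MD5-based or 96-bit
# truncated MACs, and RC4 or CBC-mode ciphers.
WEAK_SSH_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
    "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
    "hmac-sha1-96-etm@openssh.com",
}
WEAK_SSH_CIPHERS = {
    "arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
    "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
}


def build_trace_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 TRACE request carrying a marker header."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{MARKER}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def trace_is_reflected(response: bytes) -> bool:
    """True if the server answered 200 and echoed our request, i.e. TRACE is on."""
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[1].isdigit():
        return False
    return int(status_line[1]) == 200 and MARKER.encode() in body


def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Live check: send the TRACE request and classify the reply (not used in tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_is_reflected(b"".join(chunks))


def weak_ssh_algorithms(offered_macs, offered_ciphers) -> dict:
    """Return the weak entries from what the server offers, in its preference order."""
    return {
        "mac": [m for m in offered_macs if m in WEAK_SSH_MACS],
        "cipher": [c for c in offered_ciphers if c in WEAK_SSH_CIPHERS],
    }


# Constructed responses: a server with TRACE enabled echoes the request back
# as Content-Type: message/http; a fixed server rejects the method.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
    + build_trace_request("target.example")
)
FIXED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
    b"Connection: close\r\n\r\n"
)

# Constructed algorithm lists, in the shape nmap's ssh2-enum-algos script prints.
SAMPLE_MACS = ["hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-sha1-96"]
SAMPLE_CIPHERS = ["aes128-ctr", "aes256-gcm@openssh.com", "3des-cbc"]

if __name__ == "__main__":
    print("TRACE reflected (vulnerable sample):", trace_is_reflected(VULNERABLE_RESPONSE))
    print("TRACE reflected (fixed sample):", trace_is_reflected(FIXED_RESPONSE))
    print("weak SSH algorithms:", weak_ssh_algorithms(SAMPLE_MACS, SAMPLE_CIPHERS))
```

The fixes are configuration, not code: on Apache set `TraceEnable off`; on OpenSSH restrict `MACs` and `Ciphers` in `sshd_config` to SHA-2 MACs and CTR/GCM ciphers and confirm the effective values with `sshd -T`. Two caveats when reading the report: modern browsers refuse to issue TRACE from script, so the practical exposure of XST is low even though disabling the method remains the standard fix, and the SSH findings only list what the server offers, so a client that negotiates a strong algorithm is not affected until an attacker can force a downgrade.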

Problems encountered

  • Question 1:

The upper output used the IP I set, and the lower one used the URL corresponding to that IP; the two outputs differ. Both also differ from my classmates' results.

  • Solution: hmm, the network was probably not connected.
  • Solution process:
    I did not find a direct solution online, but I asked for help through this link: auxiliary/scanner/portscan/syn.
    I guessed it might be because I was on the intranet; after connecting to my phone's hotspot, you must restart before it can reach the Internet.

But my intuition kept saying this was not right, so I reconnected to the intranet and restarted, and the result was fine again. So I think the network was simply broken at that time, and it had nothing to do with whether I was on the intranet or not.

Answer questions after the experiment

(1) Which organizations are responsible for the management of DNS and IP?

ICANN: responsible for the global coordination of the Internet's unique identifier systems and their secure and stable operation, including the allocation of Internet Protocol (IP) address space, the assignment of protocol identifiers, management of the generic top-level domain (gTLD) and country-code top-level domain (ccTLD) name systems, and administration of the root server system. These services were originally provided by the Internet Assigned Numbers Authority (IANA) and several other organizations under contract to the US government.

It has three supporting organizations that assist, review and advise on Internet policy and architecture from three different perspectives. These supporting organizations help advance the development of Internet policy and encourage diversity and international participation in the technical governance of the Internet.
Each Supporting Organization appoints three directors to the ICANN Board of Directors.
The three supporting organizations are:

  1. The Address Supporting Organization (ASO), responsible for the management of the IP address system.
  2. The Domain Name Supporting Organization (DNSO), responsible for the management of the Domain Name System (DNS).
  3. The Protocol Supporting Organization (PSO), responsible for the assignment of the unique parameters used by Internet protocols, the technical standards that let computers exchange information and manage communications over the Internet.

This is ICANN's original structure. In the 2002 reform the DNSO was replaced by the Generic Names Supporting Organization (GNSO) and, in 2003, the Country Code Names Supporting Organization (ccNSO), and the PSO was dissolved. Day-to-day IP address allocation is delegated by IANA to the five Regional Internet Registries (RIRs), for example APNIC for the Asia-Pacific region, which is why a whois lookup on an IP is answered by an RIR database rather than by ICANN itself.

(2) What is 3R information?

The 3R registration information is scattered across the official registry and the databases maintained by the respective registrars, which is why a whois lookup may have to follow a referral from the registry to the registrar to get the full record.

The 3Rs are: Registrant, Registrar, Registry (the official registry operator).

(3) Evaluate the accuracy of the scan results.

Experiment summary and experience

This experiment taught me a variety of ways to collect information, and "finding you along the network cable" now seems more feasible than ever. From the "panic" about the unsafe state of the network when I first did an experiment in this course, to the strange ease now of "not worrying about having many debts", and even the drama in this experiment of "catching the National Art Museum of China" (the website will not be posted)... enough played.
