EXP6 Information Collection and Vulnerability Scanning 20154328 Changcheng

1. Experimental Questions

  • Which organizations are responsible for DNS and IP address management?

    A: The global root servers are managed by ICANN, which is authorized by the US government, and is responsible for the management of global domain name root servers, DNS and IP addresses.

    There are five regional registries in the world: ARIN is mainly responsible for North America, RIPE is mainly responsible for Europe, APNIC is mainly responsible for Asia Pacific, LACNIC is mainly responsible for Latin America, and AfriNIC is responsible for Africa.
  • What is 3R information?

Answer: Registrant, Registrar, Official Registry

  • Evaluate the accuracy of scan results

Answer: The scan results are fairly accurate. OpenVAS's vulnerability scanning works well: the analysis of each vulnerability is very comprehensive, and it also tells us what impact the vulnerability may have and how to fix it. Vulnerabilities in the system can be discovered and dealt with promptly through scanning.

2. Experiment summary and experience

  • A lot of private information can be found on the Internet. In this era of big data, we have no privacy at all. With a simple targeted search on the Internet, we can find a lot of very sensitive information, including phone numbers, identity information and so on. I was deeply frightened during the experiment.
  • In the OpenVAS experiment, it is difficult to get the configuration to succeed. I don't know why, but every time I need to configure my computer, it is hard to get it to work. The same kind of computer works easily for others, but mine always runs into problems. This is probably a metaphysical question. The check prompts that the configuration is successful, and then it runs into problems again at startup. It makes me uncomfortable; maybe the computer is targeting me.

3. Recording of the experimental process

1. Information collection

1. Peripheral Information Collection

1.1 Mining the information of the target website through DNS and IP
(1) Whois domain name registration information query
  • Enter whois 360.com in the terminal to query the 3R registration information, including the registrant's name, organization and city.



(2) nslookup, dig domain name query
  • nslookup can get the result of the cache saved by the DNS resolution server, but it is not necessarily accurate:

  • dig can query exact results from official DNS servers:

(3) IP Location location query
  • Query by IP address

(4) Information query service provided by netcraft
  • You can get more, and more detailed, information through netcraft: DNS, reverse DNS, hosting history, the Linux operating system and so on.

(5) Reverse domain name lookup by IP
  • Through the shodan search engine, you can perform reverse domain name queries:

1.2 Information collection through search engines
(1) Search for specific types of files
  • Some websites will link sensitive documents such as address books and orders, which can be searched in a targeted manner.
    For example: filetype:doc contact site:edu.cn
(2) IP route reconnaissance

  • Probe the route with tracert www.360.com under Windows:

2. Host detection and port scanning

2.1 Active host scan
(1) Modules in metasploit
  • Use ARP request to enumerate all active hosts in the local area network
  • use auxiliary/scanner/discovery/arp_sweep
  • show options

  • By sending UDP packets, detect whether the specified host is active and discover UDP services on the host
  • use auxiliary/scanner/discovery/udp_sweep
  • show options

(2) Nmap detection
  • nmap -v -A 192.168.199.1/24

  • The -A option runs an aggressive, comprehensive scan of the target hosts: host discovery, port scanning, application and version detection, operating system detection, and the default NSE scripts.

  • The -v option enables verbose output, showing details of the scan while it runs so that the user can follow the current scan status.

2.2 Operating system identification
  • nmap -O 192.168.199.243

2.3 Port scanning and service detection
(1) Nmap port scan
  • nmap -sS 192.168.199.1/24
    -sS means a TCP SYN scan of the TCP ports.

(2) Detection of detailed service information
  • nmap -sV 192.168.199.1/24

3. Service scanning and enumeration

3.1 Network service scan
(1) Telnet service scan
  • msf > use auxiliary/scanner/telnet/telnet_version

(2) SSH service scan
  • msf > use auxiliary/scanner/ssh/ssh_version
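The nmap -sS/-sV scans in 2.3 and the telnet/ssh version scans in 3.1 produce results a defender still has to review. As an added example (not part of the lab report), the following Python parses nmap's XML output (-oX), keeps only hosts that are up and ports that are open, and flags any port missing from an expected-exposure baseline or running a cleartext service such as telnet. The sample XML and the baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX format (not real output from the report).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.168.199.1/24">
<host><status state="up"/><address addr="192.168.199.243" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.9p1"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.199.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.199.7" addrtype="ipv4"/></host>
</nmaprun>"""

# Cleartext or legacy services that should be replaced (telnet -> ssh, ftp -> sftp).
CLEARTEXT_SERVICES = {"telnet", "ftp", "rsh", "rlogin"}

def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service_name}} for hosts that are up, open ports only."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if host.find("status").get("state") != "up" or addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposures
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr.get("addr")] = ports
    return result

def find_unexpected(scan, baseline):
    """Flag open ports missing from baseline {ip: {(proto, port), ...}} and any
    exposed cleartext service. Returns a list of (ip, port, service, reason)."""
    findings = []
    for ip, ports in scan.items():
        allowed = baseline.get(ip, set())
        for (proto, port), name in sorted(ports.items()):
            if (proto, port) not in allowed:
                findings.append((ip, port, name, "not in baseline"))
            if name in CLEARTEXT_SERVICES:
                findings.append((ip, port, name, "cleartext service"))
    return findings
```

Run the real scan with nmap -sS -sV -oX scan.xml against your own range, load the file, and feed it to parse_open_ports; the baseline is your documented list of intended exposures per host.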

2. OpenVAS network vulnerability scanning

1. Install the new version of OpenVAS

  • apt-get update refreshes the package list
  • apt-get dist-upgrade downloads and installs the latest versions of the installed packages
  • apt-get install openvas installs (or reinstalls) the OpenVAS tools

2. Configure the OpenVAS service

  • After installation, run openvas-check-setup repeatedly, and follow the prompts each time to proceed to the next step:

  1. openvas-mkcert generates the server certificate
  2. openvas-nvt-sync synchronizes the NVT (vulnerability test) feed
  3. openvas-mkcert-client -n -i generates the client certificate
  4. openvassd starts the scanner
  5. openvasmd --rebuild rebuilds the database
  6. openvasmd --create-user=admin --role=Admin && openvasmd --user=admin --new-password=admin creates the admin user
  7. openvas-scapdata-sync synchronizes the SCAP data
  8. openvas-certdata-sync synchronizes the CERT data
  9. openvasmd starts the manager
  10. gsad starts the Greenbone Security Assistant web interface

3. Start a vulnerability scan

  • Scan my virtual machine and host

  • The finished scan looks as follows:

  • After the scan of the WIN10 host completes, its overall severity is shown as Medium.

  • Click the vulnerability name to see the specific information of the vulnerability.

  • Or open the scan information of the target machine and click Full and fast to view the results.

  • Close openvas.
