Exp: Vulnerability Scanning and Information Collection (20154326 Yang Qian)

1. Practical goals

  Master the most basic skills of information collection and the use of common tools.

2. Practical content

 (1) Application of various search techniques

(2) Query of DNS IP registration information

(3) Basic scanning techniques: host discovery, port scanning, OS and service version detection, and enumeration of specific services

(4) Vulnerability Scanning: Can scan, read reports, check vulnerability descriptions, and fix vulnerabilities

 Everyone can do it according to their personal interests.

 

3. Report content

  3.1 Post-experiment questions

(1) Which organizations are responsible for the management of DNS and IP.

    Answer: The Internet Domain Name and Addressing Organization (ICANN) is responsible for the management of the domain name system. It set up three supporting organizations: the Address Supporting Organization (ASO) is responsible for the management of the IP address system; the Domain Name Supporting Organization (DNSO) is responsible for the administration of the domain name system (DNS) on the Internet; and the Protocol Supporting Organization (PSO) is responsible for the assignment of unique parameters involving Internet protocols.

(2) What is 3R information.

    A: The registrant (Registrant), the registrar (Registrar) and the official registry (Registry). 3R registration information is scattered across the official registry and the databases that the registrars maintain themselves: the official registry generally provides the registrar information, and the specific registration information is generally located in the registrar's database.

 3.2 Experimental summary and experience

  In the experiment, I tried various methods to obtain information about the target host: the geographical location of the IP, the registration information of the domain name, the basic information of the corresponding DNS server, whether the machine is active, the operating system version, the port opening status, the services corresponding to the ports, and the vulnerability situation of the target host. I feel it is very powerful. whois can successfully find a series of domain name information, and a lot of information can be obtained through simple analysis (although I feel that this effect is not very big). nslookup and traceroute also work well. nmap is very useful; its usage is relatively simple and its functions are relatively powerful. The various information collected is actually preparation for the subsequent attack: the more information obtained, the easier the attack. Also, I think it's good for everyone to face up to the problem and solve it together.

 3.3 Practice process record

  3.3.1 Information collection

    whois

      whois can be used to query the IP address and owner of a domain name. If I want to check the website information of Bilibili, I first use the ping command to find Bilibili's IP address.

Bilibili's IP address is 101.75.240.7.

Then use the command whois 101.75.240.7 to see its information.

You can also query directly from a website: searching for "whois domain name query" finds many websites that can be used. For the query result for the baidu.com domain, see this page: https://whois.aliyun.com/whois/domain/baidu.com?spm=5176.8076989.339865.12.MF3uYl&file=baidu.com

The content is basically the same as what was obtained under Linux!

nslookup

Nslookup (name server lookup) is a tool for querying Internet domain information or diagnosing DNS server problems.

traceroute

On Windows the equivalent command is tracert.

search engine query

1. The URL for Baidu advanced search is https://www.baidu.com/gaoji/advanced.html

For example, I restrict the search to the most recent year.

 

 

  • Site Search

    For websites that do not offer their own on-site search, Baidu can perform the on-site search for you!

But!!! Let's be honest, if it's this complicated, it's better to learn the operators and type them directly into the search bar!

  • 1. Limit the search to specific sites: site:

    Keyword + "site:(site domain name)" is equivalent to the on-site search in the advanced search above.

  • 2. Limit the search scope to a specific part of the page: the in… operators

    • 1. Limit the search to the page title: intitle:

    • 2. Limit the search to the web page URL: inurl:

  • 3. Exact match: double quotation marks and book-title marks 《》

    How to use: Wrap the keyword to be queried in double quotation marks or book-title marks.

  • 4. Remove irrelevant, or unwanted but possibly related, content

    How to use: Add a minus sign in front of the keyword to exclude.

  • 5. Use the search engine to find specific document types: filetype:

    Add filetype:(file type) after the search term. A lot of information exists on websites in Word, XLS, PowerPoint, PDF and other formats!

NMAP

  • host scan

Scan for which hosts are active on the same network segment as my Linux machine (in practice, this shows how many virtual machines I have started with the network mode set to NAT). The command is as follows:

nmap -sn 192.168.146.*

Scan the network segment where the Linux machine is located

 

You can see the 4 hosts found on the same network segment, of which 192.168.146.132 is my own machine.

port scan

Scan my Windows 10 host, whose IP address is 192.168.199.105. The command is as follows:

nmap -sS -sU -T4 192.168.199.105

Parameter analysis:

-sS: scan TCP ports using the TCP SYN (half-open) method;

-sU: scan UDP ports;

-T4: timing template level 4 (aggressive), which speeds up the scan;

The picture shows the result of the port scan, including which ports are open.

  • Service version detection

To perform service version detection on the host, the command is as follows:

nmap -sV 192.168.199.105

-O (capital letter O): detect the operating system
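The -sS/-sU/-sV/-O options above each add a piece of the picture, and nmap can write all of it to XML with -oX. The following Python script is an added example, not code from this report or from the nmap project: it parses a constructed sample of that XML (the address is the host scanned above; the ports, services and OS match are placeholder values) and compares the open ports against an allow-list, so that unexpected exposure such as 135/tcp is flagged at the scanning stage rather than only in the later vulnerability report.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (not real output from the report's scan).
# The address is the host scanned in the report; ports, services and OS match are placeholders.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -O -T4 -oX - 192.168.199.105">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.199.105" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135">
        <state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed" reason="reset"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="137">
        <state state="open|filtered" reason="no-response"/>
        <service name="netbios-ns" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows 10" accuracy="95"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of hosts that were up, each with address, per-port details and the best OS match."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # host discovery (-sn) never got an answer: nothing to report
        addr_el = host.find("address[@addrtype='ipv4']")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                # -sV fills in name/product/version; without it only the nmap-services table guess is present
                "service": service.get("name") if service is not None else None,
                "product": service.get("product") if service is not None else None,
                "version": service.get("version") if service is not None else None,
            })
        osmatch = host.find("os/osmatch")  # present only when -O was used and a match was found
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "ports": ports,
            "os": osmatch.get("name") if osmatch is not None else None,
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else None,
        })
    return hosts


def open_ports(host):
    """(proto, port) pairs nmap reported as definitely open; UDP open|filtered is deliberately excluded."""
    return [(p["proto"], p["port"]) for p in host["ports"] if p["state"] == "open"]


def unexpected_exposure(hosts, allowed):
    """Open ports that are not in the allow-list of (proto, port) pairs the host is expected to expose."""
    findings = []
    for host in hosts:
        for proto, port in open_ports(host):
            if (proto, port) not in allowed:
                findings.append((host["addr"], proto, port))
    return findings


if __name__ == "__main__":
    # Real use: nmap -sS -sU -sV -O -T4 -oX scan.xml <target>, then parse_nmap_xml(open("scan.xml").read())
    scanned = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in scanned:
        print(h["addr"], h["os"], open_ports(h))
    print("unexpected:", unexpected_exposure(scanned, allowed={("tcp", 445)}))
```

The allow-list is the defender's statement of what the host is supposed to expose; anything open outside it is worth explaining before a vulnerability scanner gets to it.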

  • dig

dig www.besti.edu.cn queries the A record of the domain name (an A (Address) record maps a host name or domain name to its IP address). The DNS server queried is the one configured on the system, that is, the one in /etc/resolv.conf.
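To make the A-record query concrete, here is an added Python example (not part of the report, and not how dig itself is implemented) that builds the same DNS question dig sends, parses the reply, and checks the transaction id before trusting it. The reply it parses is constructed inline, with 10.0.0.5 as a placeholder address rather than the real address of www.besti.edu.cn, so the round trip runs offline; resolve_a() sends the same query over UDP to a resolver address you supply.

```python
import random
import socket
import struct


def build_a_query(name, txid):
    """Wire-format DNS query for an A record: 12-byte header, QNAME as length-prefixed labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD (recursion desired), 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE 1 = A, QCLASS 1 = IN


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the caller's stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_a_response(msg, expected_txid):
    """Return [(name, ttl, ipv4)] for the A answers; reject replies that do not match our query id."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    if rcode:
        raise ValueError(f"server returned RCODE {rcode}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section (name + QTYPE + QCLASS)
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record in class IN
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query, ipv4, ttl):
    """Constructed for this example: a reply that echoes the question and adds one A record (name via pointer to offset 12)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; 1 question, 1 answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr


def resolve_a(name, server, timeout=3.0):
    """Live version: send the query over UDP/53 to a resolver (for example the one listed in /etc/resolv.conf)."""
    txid = random.randrange(0, 0x10000)
    query = build_a_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    return parse_a_response(reply, txid)


def demo():
    """Offline round trip on the constructed reply; 10.0.0.5 is a placeholder, not the real address."""
    query = build_a_query("www.besti.edu.cn", 0x1234)
    return parse_a_response(constructed_response(query, "10.0.0.5", 300), 0x1234)


if __name__ == "__main__":
    print(demo())
```

The transaction-id check is the minimum a client should do before accepting an answer; dig also prints the id (and the flags and RCODE) in its header line, so the fields parsed here are the ones you see in its output.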

 

 Vulnerability Scan

  • Check the installation status and start OpenVAS

Enter openvas-check-setup in the terminal to check the installation status.

apt-get update

apt-get upgrade

apt-get dist-upgrade

apt-get install openvas

(Only after this is the installation complete; otherwise the setup check reports an error.)

Add an admin account. Use the command openvasmd --user=admin --new-password=admin.

Start OpenVAS: openvas-start

Then the web page that opens shows a certificate security warning, with the error code SEC_ERROR_UNKNOWN_ISSUER below it (the browser does not recognise the issuer of the server's certificate). In the lower left corner there is a button that appears to be called "Add security exception"; open it, click the button in the lower right corner to confirm the security exception, and the warning is dismissed.

Click Task Wizard to create a new task and enter the scanning interface.

  • Confirm the target machine IP and start scanning

Enter the IP address of the target machine WinXPAttacker: 192.168.199.105

Start the scan and wait for the results (previous vulnerability scans are also listed here!!)

 

The second is my mobile phone's IP, which takes a long time to scan. It seems that the security level of mobile phones is higher than that of computers.

Here you can see the scan report: high-risk vulnerabilities, medium- and low-severity vulnerabilities, and so on.

Summary: Distributed Computing Environment/Remote Procedure Call (DCE/RPC) or MSRPC services running on a remote host can be enumerated by connecting to port 135 and executing the appropriate query.

Impact: An attacker can use this to gain more knowledge about the remote host.

Solution: Filter the traffic flowing to this port.

 
