Scanning and packet capture analysis

First, use an nmap scan to obtain information about a specified host or network
yum install -y nmap
nmap [scan type] [options] <scan target ...>
Common scan types:
-sS TCP SYN scan (half-open)
-sT TCP connect scan (full-open)
-sU UDP scan
-sP ICMP scan
-A comprehensive analysis of the target system
-n do not perform DNS resolution

Note: before any large-scale scan you must inform the network engineers, or you will be treated as an attacker.

Examples:
nmap -n -sP 192.168.4.0/24 ## check which IPs on the 192.168.4.0/24 network respond to ping
nmap -sT 192.168.4.100 ## scan 192.168.4.100 for open TCP ports and services
nmap -p 21-22 192.168.4.0/24 ## scan ports 21 and 22 across the 192.168.4.0/24 segment
nmap -sU 192.168.4.100 ## scan 192.168.4.100 for open UDP ports

Second, use tcpdump to capture packets
tcpdump -A host 192.168.4.5 and tcp port 21
Capture options:
-i, specify the network interface to monitor (by default, the first NIC is used)
-A, convert to ASCII, to make the output easier to read
-w, save the packet information to the specified file
-r, read packet information from the specified file
tcpdump filter conditions:
type: host, net, port, portrange
direction: src, dst
protocol: tcp, udp, ip, wlan, arp, ...
combining multiple conditions: and, or, not

Use the -w option to save the captured packets to a file
tcpdump -A -w ftp.cap host 192.168.4.5 and tcp port 21
Use the -r option to read a previously captured data file
tcpdump -A -r ftp.cap | egrep '(USER|PASS)'

Third, use tcpdump to analyze Nginx account authentication information sent in plaintext
Capture packets:
tcpdump -A host 192.168.4.5 and tcp port 80
The following data is obtained:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
... ...
Authorization: Basic dG9tOjEyMzQ1Ng==
... ...

Decode the base64 value
echo "dG9tOjEyMzQ1Ng==" | base64 -d
tom:123456
The value converts to the plaintext account and password.
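
The check above can be turned into a repeatable audit of a capture. The script below is an added example, not part of the original post: it reads tcpdump -A text, finds every Basic header, and reports the account with the password masked. The function names and the sample capture are constructed, and GNU grep, awk and base64 are assumed.

```shell
#!/bin/sh
# Added example: report HTTP Basic credentials visible in `tcpdump -A` text.
# Function names and the sample capture are constructed for illustration.

audit_basic_auth() {
    # Extract every "Authorization: Basic <base64>" header from stdin.
    grep -ioE 'Authorization:[[:space:]]*Basic[[:space:]]+[A-Za-z0-9+/]+={0,2}' |
    while IFS= read -r header; do
        # The last whitespace-separated field is the base64 token.
        token=$(printf '%s\n' "$header" | awk '{print $NF}')
        # Skip tokens that do not decode instead of aborting the audit.
        decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || continue
        case $decoded in
            *:*) ;;              # RFC 7617 form: user-id ":" password
            *) continue ;;       # decodes, but is not a user:password pair
        esac
        user=${decoded%%:*}
        pass=${decoded#*:}
        # Report the account and the password length only, never the password.
        printf 'cleartext-basic-auth user=%s password_len=%s\n' "$user" "${#pass}"
    done | sort -u               # repeated requests collapse to one finding
}

# Constructed sample of `tcpdump -A` output (client address is made up).
sample_capture() {
    cat <<'EOF'
10:15:01.000001 IP 192.168.4.254.51234 > 192.168.4.5.http: Flags [P.], length 161
GET / HTTP/1.1
Host: 192.168.4.5
Authorization: Basic dG9tOjEyMzQ1Ng==
10:15:07.000002 IP 192.168.4.254.51236 > 192.168.4.5.http: Flags [P.], length 161
GET /index.html HTTP/1.1
Authorization: Basic dG9tOjEyMzQ1Ng==
10:15:09.000003 IP 192.168.4.254.51238 > 192.168.4.5.http: Flags [P.], length 140
GET /api HTTP/1.1
Authorization: Bearer bm90LWJhc2lj
Authorization: Basic Zm9v
EOF
}

# For a saved capture: tcpdump -A -r <file> | audit_basic_auth
sample_capture | audit_basic_auth
```

Each line it prints is an account whose password crossed the network in readable form; serving that Nginx location over TLS removes the exposure.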

Origin blog.csdn.net/m0_38139137/article/details/90477908