Newbie Diary 11: Kali penetration testing, service scanning: banner grabbing, dmitry, the nmap signature database, OS identification, SNMP
Service scanning

Connect to a port on the server and use the banner it returns. Keep in mind that the banner may have been forged by the administrator. [Vendor, software name, service type and version number: these can point straight at known vulnerabilities, but if you are not already familiar with the software, looking them up takes time.] A full TCP three-way handshake must complete before a banner can be read directly. Combine this with other forms of service identification: 1. characteristic behaviour and response fields; 2. differences in responses can be used to identify the underlying system.

NC
root@kali:~# nc -nv 192.168.1.107 80
(UNKNOWN) [192.168.1.107] 80 (http) open
get        # type "get" here to make the server respond
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre> _ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_| Warning: Never expose this VM to an untrusted network! Contact: msfdev[at]metasploit.com Login with msfadmin/msfadmin to get started    # credentials are disclosed right in the page: usable directly, or as a seed for brute-forcing </pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>
Python socket (the socket module is used to connect to network services)

root@kali:~# python
Python 2.7.12+ (default, Sep 1 2016, 20:27:38)
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> import socket    # import the library
>>>
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM)    # standard socket creation; SOCK_STREAM means TCP
>>> banner.connect(("192.168.1.107",21))    # connect to IP, port
>>> banner.recv(4096)    # receive the reply with recv()
'220 (vsFTPd 2.3.4)\r\n'    # the banner
>>> banner.close()    # release the socket explicitly
>>> exit()    # quit

Many systems do not hand out a banner at all; in that case recv() blocks indefinitely, so a script needs special handling for it (a select() timeout, as in the following script).
#!/usr/bin/python
import socket
import select
import sys

if len(sys.argv) != 4:
    print("Usage - ./banner_grab.py [Target.IP] [First Port] [Last Port]")
    print("Example - ./banner_grab.py 1.1.1.1 1 100")
    print("Example will grab banners for TCP ports 1 through 100 on 1.1.1.1")
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):          # end + 1 so the last port is included
    bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bangrab.settimeout(1)                   # do not hang on filtered ports
    try:
        bangrab.connect((ip, port))
        ready = select.select([bangrab], [], [], 1)    # wait at most 1 s for the server to speak first
        if ready[0]:
            print("TCP Port " + str(port) + ": " + bangrab.recv(4096).decode("utf-8", "replace"))
    except socket.error:                    # closed or filtered port: move on
        pass
    finally:
        bangrab.close()

Results from a banner grab should later be confirmed with other tools.
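The script above still has two blind spots: it never sends anything, so client-first services such as HTTP stay silent, and telnet's binary option negotiation comes back as garbage (the same bytes dmitry and amap print for port 23 later on this page). The following is an added example, not code from the original post: a Python 3 banner grabber that sends a protocol-appropriate probe where one is needed, bounds every read with a timeout, strips telnet IAC sequences, and exercises itself against constructed local stand-in services so it runs offline. The probe table, the local server helper and the sample banners are assumptions made for the demo.

```python
import socket
import threading

# Telnet protocol constants (RFC 854): option negotiation arrives before the banner.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Client-first services need a request before they say anything (assumed table).
PROBES = {
    80:   b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n",
    8080: b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n",
}

def strip_telnet_iac(data):
    """Drop telnet negotiation (IAC <cmd> <opt> and IAC SB ... IAC SE) so the
    readable banner that follows it can be printed and matched."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:    # escaped literal 0xff
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:     # subnegotiation block
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                             # IAC DO/DONT/WILL/WONT <opt>
            i += 3
    return bytes(out)

def grab_banner(host, port, timeout=2.0, probe=None):
    """Return the decoded banner from host:port, or None if the service stayed
    silent. A probe is sent first when the port is a known client-first service."""
    if probe is None:
        probe = PROBES.get(port)
    s = socket.create_connection((host, port), timeout=timeout)
    buf = b""
    try:
        if probe:
            s.sendall(probe)
        while len(buf) < 4096:
            chunk = s.recv(4096 - len(buf))
            if not chunk:                 # peer closed the connection
                break
            buf += chunk
            if b"\n" in chunk:            # one line is enough for a banner
                break
    except socket.timeout:
        pass                              # nothing (more) arrived within the timeout
    finally:
        s.close()
    if not buf:
        return None
    return strip_telnet_iac(buf).decode("utf-8", "replace").strip()

def serve_once(banner, wait_for_request=False):
    """Constructed local stand-in for a target service, used only so the demo
    runs offline: sends `banner` (after reading a request if asked) and exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if wait_for_request:
            conn.recv(1024)
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

def demo():
    """Grab banners from three constructed services: server-first (FTP-style),
    client-first (HTTP-style) and telnet with leading option negotiation."""
    results = {}
    results["ftp"] = grab_banner("127.0.0.1", serve_once(b"220 (vsFTPd 2.3.4)\r\n"))
    http = serve_once(b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Ubuntu) DAV/2\r\n\r\n",
                      wait_for_request=True)
    results["http"] = grab_banner("127.0.0.1", http, probe=PROBES[80])
    telnet = bytes([IAC, DO, 24, IAC, WILL, 1]) + b"Ubuntu 8.04\r\nlogin: "
    results["telnet"] = grab_banner("127.0.0.1", serve_once(telnet))
    return results

if __name__ == "__main__":
    for name, banner in demo().items():
        print("%-6s %r" % (name, banner))
```

Against a real target, call grab_banner(ip, port) in a loop over the open ports found by the port scan; ports not in PROBES are treated as server-first, which is the same assumption the banner_grab.py script makes.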
Dmitry

root@kali:~# dmitry -pb 192.168.1.107    # -p: TCP port scan, -b: grab the banner from each open port
Deepmagic Information Gathering Tool
"There be some deep magic going on"

ERROR: Unable to locate Host Name for 192.168.1.107
Continuing with limited modules

HostIP:192.168.1.107
HostName:

Gathered TCP Port information for 192.168.1.107
---------------------------------
 Port        State
21/tcp       open
>> 220 (vsFTPd 2.3.4)
22/tcp       open
>> SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp       open
>> (non-printable bytes: telnet option negotiation, not a text banner)
25/tcp       open
>> 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp       open

Portscan Finished: Scanned 150 ports, 144 ports were in state closed

All scans completed, exiting

Nmap
root@kali:~# nmap -sT 192.168.1.107 -p 22 --script=banner.nse    # -p also accepts a port range; banner.nse is the banner-grabbing NSE script

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 22:30 CST
Nmap scan report for 192.168.1.107
Host is up (0.00062s latency).
PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds

ls | grep <keyword>    # run inside the NSE script directory (/usr/share/nmap/scripts on Kali) to look up a script by name
amap (a tool specifically for identifying the service behind an open port). Banner grabbing: the -B switch (banner mode) collects only the banner; a port range can be given instead of a single port, and piping through "grep on" keeps only the lines for ports that answered.

root@kali:~# amap -B 192.168.1.107 25
amap v5.4 (www.thc.org/thc-amap) started at 2016-09-11 22:36:05 - BANNER mode

Banner on 192.168.1.107:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n

amap v5.4 finished at 2016-09-11 22:36:05
2. Service identification

Banner grabbing has limited reach and is not always accurate. Once the version of the application on a port is known, go to the vendor's site for that version's vulnerabilities and look for matching exploit code, or find new vulnerabilities yourself through reverse engineering or fuzzing. Nmap (signature-database based; can be combined with NSE scripts): -sV    # high confidence

root@kali:~# nmap 192.168.1.107 -p1-100 -sV

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 22:40 CST
Nmap scan report for 192.168.1.107
Host is up (0.00017s latency).
Not shown: 94 closed ports
PORT   STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds

amap (less detailed than nmap, but with its own strengths) [useful as a second opinion to confirm nmap's results]

root@kali:~# amap 192.168.1.107 1-100 -qb    # -q: do not report closed or unidentified ports (cleaner output); -b: print the banner with each match
amap v5.4 (www.thc.org/thc-amap) started at 2016-09-11 22:44:17 - APPLICATION MAPPING mode

Protocol on 192.168.1.107:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Protocol on 192.168.1.107:22/tcp matches ssh-openssh - banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Protocol on 192.168.1.107:80/tcp matches http - banner: <html><head><title>Metasploitable2 - Linux</title></head><body>\n<pre>\n\n _ _ _ _ _ _ ____ \n _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \\ \n| '_ ` _ \\ / _ \\ __/ _` / _
Protocol on 192.168.1.107:80/tcp matches http-apache-2 - banner: HTTP/1.1 200 OK\r\nDate Sun, 11 Sep 2016 144435 GMT\r\nServer Apache/2.2.8 (Ubuntu) DAV/2\r\nX-Powered-By PHP/5.2.4-2ubuntu5.10\r\nContent-Length 891\r\nConnection close\r\nContent-Type text/html\r\n\r\n<html><head><title>Metasploitable2 - Linux</title><
Protocol on 192.168.1.107:21/tcp matches ftp - banner: 220 (vsFTPd 2.3.4)\r\n
Protocol on 192.168.1.107:23/tcp matches telnet - banner: #'
Protocol on 192.168.1.107:25/tcp matches smtp - banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
Protocol on 192.168.1.107:53/tcp matches dns - banner: \f

amap v5.4 finished at 2016-09-11 22:44:29
3. Operating system identification

Identify the operating system, because an OS opens certain services by default at boot; known vulnerabilities in older versions can then be used to get in, escalate privileges and take control.

1. Initial TTL value: Windows 128 (observed 65-128); Linux/Unix 64 (observed 1-64); some Unix systems 255. [Route hijacking: the hijack point can be located by comparing TTL values; note that the TTL can also be modified by the target.]

#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)    # silence scapy's import-time warnings
from scapy.all import *
import sys

if len(sys.argv) != 2:
    print("Usage - ./ttl_os.py [IP address]")
    print("Example - ./ttl_os.py 1.1.1.1")
    print("Example will perform TTL analysis to attempt to determine whether the system is Windows or Linux/Unix")
    sys.exit()

ip = sys.argv[1]
ans = sr1(IP(dst=str(ip))/ICMP(), timeout=1, verbose=0)    # one ICMP echo request, wait 1 s for the reply
if ans is None:
    print("No response was returned")
elif int(ans[IP].ttl) <= 64:
    print("Host is Linux/Unix")
else:
    print("Host is Windows")

2. Nmap
-O    # this switch fingerprints the host OS, combining port state with TCP/IP stack characteristics

root@kali:~# nmap -O 192.168.1.1

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 23:48 CST
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.8 - 2.6.30    # check the vendor's advisories for this kernel range (buffer overflows etc.)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds

3. Xprobe2 (a dedicated OS identification tool; more detailed output, but not very accurate)
root@kali:~# xprobe2 192.168.1.115

Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is 192.168.1.115
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.1.115. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.1.115. Module test failed
[-] No distance calculation. 192.168.1.115 appears to be dead or no ports known
[+] Host: 192.168.1.115 is up (Guess probability: 50%)
[+] Target: 192.168.1.115 is alive. Round-Trip Time: 0.00094 sec
[+] Selected safe Round-Trip Time value is: 0.00188 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP SP2" (Guess probability: 93%)
[+] Other guesses:
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 93%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 93%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP SP1" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 3" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 2" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 92%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

Passive operating system identification

Based on packet-capture analysis; deployed at the network egress it identifies systems without sending a single probe. p0f    # just run it to start passive listening; it may also surface some certificate-related information

root@kali:~# p0f
--- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from 'p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.

· Can be combined with ARP spoofing to pull the segment's traffic through the sniffer and identify every OS on the network
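The TTL rule from ttl_os.py and the TCP details p0f keys on (TTL, DF bit, window size, MSS, window scale) can be pulled from a raw packet without scapy or a live interface. The following is an added example, not code from the original post or from p0f: a small Python 3 parser for an IPv4/TCP SYN that extracts those fields and turns the observed TTL into an initial-TTL guess plus hop distance (the figure nmap -O reports as Network Distance), using the 64/128/255 table above. The sample SYN packets are constructed with the included builder (checksums left at zero); the window/MSS values in them are illustrative, not signatures, since p0f's signature file is not reproduced here.

```python
import socket
import struct

# Common initial TTLs from the table above; the guess picks the smallest one
# that is >= the observed value, so observed 57 -> Linux/Unix, 7 hops away.
INITIAL_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "some Unix / network device"))

def guess_initial_ttl(observed):
    """Return (initial_ttl, hops, family) for an observed IP TTL."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL out of range: %r" % observed)
    for initial, family in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed, family

def parse_ipv4_tcp(pkt):
    """Parse a raw IPv4 header + TCP header (no link-layer header) and return
    the fields a passive fingerprinter looks at."""
    ver_ihl, _, _, _, flags_frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    sport, dport, _, _, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    flags = off_flags & 0x01FF
    opts = tcp[20:(off_flags >> 12) * 4]
    mss = wscale = None
    i = 0
    while i < len(opts):                 # TCP options: kind [len [data]]
        kind = opts[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:    # MSS
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:  # window scale
            wscale = opts[i + 2]
        i += length
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "ttl": ttl,
        "df": bool(flags_frag & 0x4000), "window": window, "mss": mss,
        "wscale": wscale, "syn": bool(flags & 0x02) and not flags & 0x10,
    }

def fingerprint(pkt):
    """Parsed fields plus the TTL-derived OS guess and hop distance."""
    f = parse_ipv4_tcp(pkt)
    f["initial_ttl"], f["hops"], f["os_guess"] = guess_initial_ttl(f["ttl"])
    return f

def build_syn(src, dst, ttl, window, df=True, mss=1460, wscale=None):
    """Constructed IPv4/TCP SYN used as sample input (checksums left zero)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    if wscale is not None:
        opts += struct.pack("!BBB", 3, 3, wscale) + b"\x00"     # EOL pads to 4 bytes
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_off << 12) | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

if __name__ == "__main__":
    # Constructed observations: a Linux box on the LAN, a Windows host three
    # hops away, and a network device answering with TTL 255.
    for pkt in (build_syn("192.168.1.107", "192.168.1.2", ttl=64, window=5840, wscale=6),
                build_syn("10.0.3.20", "192.168.1.2", ttl=125, window=65535),
                build_syn("192.168.1.1", "192.168.1.2", ttl=255, window=4128, df=False)):
        f = fingerprint(pkt)
        print("%-14s ttl=%3d -> init %3d, %d hop(s), %s; df=%s win=%d mss=%s wscale=%s" % (
            f["src"], f["ttl"], f["initial_ttl"], f["hops"], f["os_guess"],
            f["df"], f["window"], f["mss"], f["wscale"]))
```

The TTL guess is a heuristic only: a host whose administrator changed the default TTL, or a path that rewrites it, will be misclassified, which is why p0f scores TTL together with the other fields returned here rather than on its own.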
4. Fingerprint-based identification (fairly accurate)

nmap: has a large fingerprint database.

5. SNMP scanning (Simple Network Management Protocol)

# The SNMP agent (server side) listens on UDP 161; the manager receives traps on UDP 162. Similar to DHCP, which is also UDP-based and uses 67/68: the server side takes the odd-numbered port.
If SNMP is misconfigured it becomes a vulnerability; it is the service that network administrators most often get wrong. There are two community strings: one read-only and one read-write.
SNMP is used to monitor network devices: switches, firewalls, servers, CPU load and other internal system state. Almost everything can be read through it.
community: effectively the login credential. Administrators frequently forget to change the default string.    # the community string can be brute-forced with a dictionary
MIB: the MIB tree, the hierarchy of object IDs (OIDs) that snmpwalk enumerates.

[SNMP configuration probing]

onesixtyone 192.168.1.115 public
Returns hardware/system information. When little comes back, the community string has probably been changed; use the next command.

# dpkg -L onesixtyone    ### locate the dictionary shipped with the package
onesixtyone -c dict.txt -i hosts -o my.log -w 100    # dictionary brute-force of community strings against the hosts listed in the file "hosts"

snmpwalk

snmpwalk 192.168.1.115 -c public -v 2c
# Pulls much more information. -v selects the protocol version; 2c is the most widely deployed. # Shows the MIB OIDs and, among other things, installed software
snmpwalk -c public -v 2c 1.1.1.1 1.3.6.1.4.1.77.1.2.25    # walk one specific OID
# this OID lists the user accounts

snmpcheck -t 192.168.20.199
snmpcheck -t 192.168.20.199 -c private -v 2    # specify the community string and SNMP version
snmpcheck -t 192.168.20.199 -w    # test whether the community string allows writes
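The commands above rely on one fact that is easy to miss: in SNMPv1/v2c the community string is sent in cleartext inside every request, so it can be guessed from a dictionary (onesixtyone) or simply read off a capture. The following is an added example, not code from the original post and not using any SNMP library: it encodes an SNMPv2c GetRequest for sysDescr with hand-rolled BER, decodes the GetResponse, and runs a dictionary guess against a constructed in-memory stand-in agent so that it runs offline. The agent's sysDescr reply and the wordlist are constructed for the demo; the OIDs are the ones used on this page.

```python
# SNMPv2c over hand-rolled BER: enough to build a GetRequest, decode the
# GetResponse and show where the community string sits in the packet.
SYS_DESCR = "1.3.6.1.2.1.1.1.0"    # system description, the first thing snmpwalk prints
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def _tlv(tag, body):
    """BER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def enc_int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_str(s):
    return _tlv(0x04, s.encode())

def enc_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    body = bytes([parts[0] * 40 + parts[1]])        # first two arcs share a byte
    for p in parts[2:]:                             # base-128, high bit = more follows
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)

def build_message(community, pdu_tag, request_id, varbinds):
    """Message ::= SEQUENCE { version, community, PDU }; version 1 means v2c."""
    vbl = b"".join(_tlv(0x30, enc_oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, enc_int(1) + enc_str(community) + pdu)

def get_request(community, oid, request_id=1):
    return build_message(community, GET_REQUEST, request_id, [(oid, b"\x05\x00")])  # NULL value

def get_response(community, oid, value, request_id=1):
    return build_message(community, GET_RESPONSE, request_id, [(oid, enc_str(value))])

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_message(msg):
    """Decode a request or response into a dict; varbinds are (oid, tag, raw)."""
    _, body, _ = _read_tlv(msg, 0)
    _, ver, pos = _read_tlv(body, 0)
    _, comm, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)                  # error-status
    _, _, pos = _read_tlv(pdu, pos)                  # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, vraw, _ = _read_tlv(vb, p)
        varbinds.append((dec_oid(oid), vtag, vraw))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": as_int(ver), "community": comm.decode(), "pdu": pdu_tag,
            "request_id": as_int(rid), "varbinds": varbinds}

def fake_agent(real_community, request):
    """Constructed stand-in for an agent: answers only on a matching community
    and otherwise drops the packet silently, as real agents do."""
    req = parse_message(request)
    if req["pdu"] != GET_REQUEST or req["community"] != real_community:
        return None
    oid = req["varbinds"][0][0]
    return get_response(real_community, oid, "Linux metasploitable 2.6.24-16-server", req["request_id"])

def guess_community(agent, wordlist, oid=SYS_DESCR):
    """What onesixtyone -c does: one GetRequest per candidate, first answer wins."""
    for word in wordlist:
        resp = agent(get_request(word, oid))
        if resp is not None:
            return word, parse_message(resp)["varbinds"][0][2].decode()
    return None

if __name__ == "__main__":
    print(get_request("public", SYS_DESCR).hex())    # 'public' is visible in the clear
    print(guess_community(lambda m: fake_agent("private", m), ["public", "secret", "private"]))
```

To send the same bytes to a real agent, hand get_request(...) to a UDP socket aimed at port 161 and feed whatever comes back to parse_message; a silent agent means a wrong community (or a filtered port), which is exactly the signal the brute-force loop keys on.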
6. Identifying the perimeter firewall

The goal is to bypass and evade it.