Connect to a port on the server and use the banner it returns, although the banner is often faked by the administrator. [Vendor, software name, service type and version number: with these you can go straight to the known vulnerabilities, but if you are not familiar with the software it takes a long time to look the material up.] A full TCP connection has to be established before the banner can be obtained directly. Combine it with other ways of identifying the service: 1. characteristic behaviour and response fields; 2. different responses can be used to identify the underlying system.

nc
root@kali:~# nc -nv 192.168.1.107 80
(UNKNOWN) [192.168.1.107] 80 (http) open
get                                  # something has to be sent here (the author typed "get") before the server answers
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>
 _ _ _ _ _ _ ____ _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) | | | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/ |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____| |_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started        # the account is disclosed here; it can be brute-forced
</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>
Python socket (the socket module is used to connect to network services)

root@kali:~# python
Python 2.7.12+ (default, Sep 1 2016, 20:27:38)
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket                                               # import the library
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM)     # standard way to create a socket; SOCK_STREAM means a TCP connection
>>> banner.connect(("192.168.1.107",21))                        # connect to IP, port
>>> banner.recv(4096)                                           # receive the reply with recv()
'220 (vsFTPd 2.3.4)\r\n'                                        # the banner
>>> banner.close()                                              # release the object by hand
>>> exit()                                                      # quit

Many systems do not allow banner grabbing; recv() then blocks forever, so this needs special handling (the script below waits at most one second per port):

    #!/usr/bin/env python3
    import socket
    import select
    import sys

    if len(sys.argv) != 4:
        print("Usage - ./banner_grab.py [Target.IP] [First Port] [Last Port]")
        print("Example - ./banner_grab.py 1.1.1.1 1 100")
        print("Example will grab banners for TCP ports 1 through 100 on 1.1.1.1")
        sys.exit()

    ip = sys.argv[1]
    start = int(sys.argv[2])
    end = int(sys.argv[3])

    for port in range(start, end + 1):                  # end + 1 so the last port is included
        bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        bangrab.settimeout(1)                           # do not hang on a filtered port
        try:
            bangrab.connect((ip, port))
            ready = select.select([bangrab], [], [], 1)  # wait at most 1 second for the banner
            if ready[0]:
                data = bangrab.recv(4096)
                print("TCP Port %d. %s" % (port, data.decode(errors="replace").strip()))
        except OSError:
            pass                                        # closed port, timeout or reset: move on
        finally:
            bangrab.close()
The result still has to be verified afterwards with other tools.

Dmitry
root@kali:~# dmitry -pb 192.168.1.107      # -p port scan, -b grab banners
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 192.168.1.107
Continuing with limited modules
HostIP:192.168.1.107
HostName:
Gathered TCP Port information for 192.168.1.107
---------------------------------
Port State
21/tcp open
>> 220 (vsFTPd 2.3.4)
22/tcp open
>> SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp open
>> ���� ��#��'
25/tcp open
>> 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp open
Portscan Finished: Scanned 150 ports, 144 ports were in state closed
All scans completed, exiting
Nmap
root@kali:~# nmap -sT 192.168.1.107 -p 22 --script=banner.nse     # -p can also take a port range; banner.nse is the scan script
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 22:30 CST
Nmap scan report for 192.168.1.107
Host is up (0.00062s latency).
PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds

ls | grep ***      # look up a particular script
amap (a tool specifically for discovering the service behind an open port) finding the banner:   # -B parameter; a port range can also be given; pipe through "grep on" to filter out the results for closed ports
root@kali:~# amap -B 192.168.1.107 25
amap v5.4 (www.thc.org/thc-amap) started at 2016-09-11 22:36:05 - BANNER mode
Banner on 192.168.1.107:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
amap v5.4 finished at 2016-09-11 22:36:05
2. Service identification
Banner grabbing is of limited use and not necessarily accurate. Once the version of the application on a port is known, use the version to look up its vulnerabilities on the vendor's site and search for exploit code for them, or find vulnerabilities through reverse engineering or fuzzing.

Nmap (based on a signature database; other scripts can be combined with it) -sV      # high confidence
root@kali:~# nmap 192.168.1.107 -p1-100 -sV
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 22:40 CST
Nmap scan report for 192.168.1.107
Host is up (0.00017s latency).
Not shown: 94 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open  telnet  Linux telnetd
25/tcp open  smtp    Postfix smtpd
53/tcp open  domain  ISC BIND 9.4.2
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds
amap (less detailed than nmap, but it has its own advantages) [can be used to verify nmap's result]
root@kali:~# amap 192.168.1.107 1-100 -qb      # -q cleaner output, -b show more information
amap v5.4 (www.thc.org/thc-amap) started at 2016-09-11 22:44:17 - APPLICATION MAPPING mode
Protocol on 192.168.1.107:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Protocol on 192.168.1.107:22/tcp matches ssh-openssh - banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Protocol on 192.168.1.107:80/tcp matches http - banner: <html><head><title>Metasploitable2 - Linux</title></head><body>\n<pre>\n\n _ _ _ _ _ _ ____ \n _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \\ \n| '_ ` _ \\ / _ \\ __/ _` / _
Protocol on 192.168.1.107:80/tcp matches http-apache-2 - banner: HTTP/1.1 200 OK\r\nDate Sun, 11 Sep 2016 144435 GMT\r\nServer Apache/2.2.8 (Ubuntu) DAV/2\r\nX-Powered-By PHP/5.2.4-2ubuntu5.10\r\nContent-Length 891\r\nConnection close\r\nContent-Type text/html\r\n\r\n<html><head><title>Metasploitable2 - Linux</title><
Protocol on 192.168.1.107:21/tcp matches ftp - banner: 220 (vsFTPd 2.3.4)\r\n
Protocol on 192.168.1.107:23/tcp matches telnet - banner: #'
Protocol on 192.168.1.107:25/tcp matches smtp - banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
Protocol on 192.168.1.107:53/tcp matches dns - banner: \f
amap v5.4 finished at 2016-09-11 22:44:29
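Turning banners like the ones the tools above returned into a product/version inventory, as an added example that is not code from the original notes: the sample banners are constructed after the vsftpd, OpenSSH, Postfix, Apache and telnet replies shown above, the patterns are my own, and the telnet case shows why the 23/tcp "banner" prints as garbage (it is IAC option negotiation, not text). Since a banner is self-reported and can be edited by the administrator, each result is only a hint to be cross-checked with nmap -sV.

```python
import re

# Constructed sample banners, modelled on the replies shown above (port -> raw bytes).
SAMPLE_BANNERS = {
    21: b"220 (vsFTPd 2.3.4)\r\n",
    22: b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    23: b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'",   # telnet IAC DO ... negotiation, no text
    25: b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
        b"X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n\r\n<html>",
}

# (service, pattern): group 1 is the product, group 2 the version (None when the banner hides it).
PATTERNS = [
    ("ssh",  re.compile(r"^SSH-\d\.\d-([A-Za-z]+)[_ ]([\w.]+)")),
    ("ftp",  re.compile(r"^220[ -]\(?(vsFTPd|ProFTPD|Pure-FTPd)\)? ?([\d.]+)")),
    ("smtp", re.compile(r"^220 \S+ ESMTP (Postfix|Sendmail|Exim)(?: ([\d.]+))?")),
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}.*?\r\nServer: ([A-Za-z-]+)/([\w.]+)", re.S)),
]

def identify(raw):
    """Map one raw banner to {'service', 'product', 'version'}; unknown fields are None."""
    if raw[:1] == b"\xff":   # 0xFF is the telnet IAC byte: option negotiation, not a banner
        return {"service": "telnet", "product": None, "version": None}
    text = raw.decode("ascii", errors="replace")
    for service, pattern in PATTERNS:
        m = pattern.match(text)
        if m:
            return {"service": service, "product": m.group(1), "version": m.group(2)}
    return {"service": None, "product": None, "version": None}

def inventory(banners):
    """Per-port identification; a banner is self-reported, so treat every entry as a hint."""
    return {port: identify(raw) for port, raw in banners.items()}

if __name__ == "__main__":
    for port, info in sorted(inventory(SAMPLE_BANNERS).items()):
        print(port, info)
```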
3. Operating system identification
Identify the operating system, because an operating system opens certain services by default when it starts; attack through the vulnerabilities of older systems, escalate privileges and gain control of the machine.

1. Initial TTL values: Windows 128 (65-128); Linux/Unix 64 (1-64); some Unix systems 255. [Route hijacking: the hijack point can be located through the TTL value; the TTL can also be modified.]

    #!/usr/bin/env python3
    import logging
    import sys
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)   # silence scapy's warnings before importing it
    from scapy.all import IP, ICMP, sr1

    if len(sys.argv) != 2:
        print("Usage - ./ttl_os.py [IP address]")
        print("Example - ./ttl_os.py 1.1.1.1")
        print("Example will perform TTL analysis to attempt to determine whether the system is Windows or Linux/Unix")
        sys.exit()

    ip = sys.argv[1]
    ans = sr1(IP(dst=ip) / ICMP(), timeout=1, verbose=0)   # one ICMP echo request, wait 1 second for the reply
    if ans is None:
        print("No response was returned")
    elif int(ans[IP].ttl) <= 64:                            # TTL at or below 64: started at 64 (Linux/Unix)
        print("Host is Linux/Unix")
    else:                                                   # otherwise assume it started at 128 (Windows)
        print("Host is Windows")

2. Nmap -O      # this option detects the host's operating system      # combine it with the port characteristics when judging
root@kali:~# nmap -O 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 23:48 CST
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.8 - 2.6.30      # check the vendor's site whether Linux kernels in this range have buffer overflow or other vulnerabilities
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds
3. Xprobe2 (specifically for operating system identification; more detailed, but not very accurate)
root@kali:~# xprobe2 192.168.1.115
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
[+] Target is 192.168.1.115
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.1.115. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.1.115. Module test failed
[-] No distance calculation. 192.168.1.115 appears to be dead or no ports known
[+] Host: 192.168.1.115 is up (Guess probability: 50%)
[+] Target: 192.168.1.115 is alive. Round-Trip Time: 0.00094 sec
[+] Selected safe Round-Trip Time value is: 0.00188 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP SP2" (Guess probability: 93%)
[+] Other guesses:
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 93%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 93%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP SP1" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 3" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 2" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 92%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
Passive operating system identification is based on analysing captured packets; deployed at the network egress it detects passively.
p0f      # just run it to start listening passively      # it may also reveal some certificate information
root@kali:~# p0f
--- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> ---
[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from 'p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.
· can be combined with ARP spoofing to identify the OS of the whole network
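The TTL rule from item 1 applied to passively captured packets, the way the p0f paragraph describes, as an added example that is not code from the original notes: unlike ttl_os.py above it also handles the 255 initial value, derives the hop distance as the gap to the nearest standard initial TTL, and flags a source whose hop distance changes during the capture, which is the path-change signal the remark on route hijacking refers to. The packet list is constructed.

```python
# Standard initial TTLs from item 1 above: Linux/Unix 64, Windows 128, some Unix and network gear 255.
INITIAL_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "Unix/network device"))

def classify_ttl(observed):
    """Return (os_family, initial_ttl, hops) for one observed IP TTL.
    The initial TTL is the smallest standard value >= observed; every router on the
    path decremented it once, so the gap is the hop distance to the sender."""
    if not 1 <= observed <= 255:
        raise ValueError("IP TTL must be 1..255")
    for initial, family in INITIAL_TTLS:
        if observed <= initial:
            return family, initial, initial - observed

# Constructed sample of passively captured packets: (source IP, TTL as seen on our interface).
CAPTURED = [
    ("10.0.0.5", 64), ("10.0.0.5", 64),
    ("10.0.0.9", 128), ("10.0.0.9", 125),      # same source, 3 hops further away later: path changed
    ("203.0.113.7", 243), ("10.0.0.12", 49),
]

def profile_hosts(packets):
    """Per source: inferred OS family, initial TTL and the set of hop distances seen."""
    profile = {}
    for src, ttl in packets:
        family, initial, hops = classify_ttl(ttl)
        entry = profile.setdefault(src, {"os": family, "initial_ttl": initial, "hops": set()})
        entry["hops"].add(hops)
    return profile

def path_changed(profile):
    """Sources whose hop distance varied during the capture (a route change, or a second
    host answering from a different path); worth checking before trusting the OS guess."""
    return sorted(src for src, entry in profile.items() if len(entry["hops"]) > 1)

if __name__ == "__main__":
    hosts = profile_hosts(CAPTURED)
    for src, entry in sorted(hosts.items()):
        print(src, entry["os"], "hops:", sorted(entry["hops"]))
    print("path changed:", path_changed(hosts))
```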
4. Fingerprint-based identification (identifies fairly accurately)
nmap: has a very large fingerprint database.
5. SNMP scanning (Simple Network Management Protocol)
# The client uses UDP port 161 and the server uses UDP port 161; similar to DHCP, which is also UDP-based and uses 67 and 68, with the server taking the odd number.
A badly configured SNMP creates vulnerabilities; it is the service network administrators most easily get wrong. There are two community strings, one read-only and one read-write.
SNMP is used to monitor network devices such as switches, firewalls and servers, down to internal system information like CPU; basically everything can be monitored.
community: the login credential; administrators easily forget to change its default string      # a dictionary can be used to crack the community
MIB library: the MIB tree
[SNMP configuration]
onesixtyone 192.168.1.115 public
This can reveal hardware information; when little comes back, the community string has probably been changed, so use the next command.
# dpkg -L onesixtyone      ### find the dictionary shipped with the tool
onesixtyone -c dict.txt -i hosts -o my.log -w 100      # dictionary brute-force of the community
The snmpwalk command
snmpwalk 192.168.1.115 -c public -v 2c
# finds more information; -v specifies the version, and 2c is the most widely used      # finds the MIB object IDs and the installed software
snmpwalk -c public -v 2c 1.1.1.1 1.3.6.1.4.1.77.1.2.25 #OID
# query the user accounts
snmpcheck -t 192.168.20.199
snmpcheck -t 192.168.20.199 -c private -v 2
snmpcheck -t 192.168.20.199 -w
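What actually travels over UDP/161 when snmpwalk or onesixtyone sends a v2c request, as an added example that is not part of the original notes: it BER-encodes a GetRequest for sysDescr.0, decodes a constructed GetResponse, and makes it visible that the community string sits in cleartext in every v1/v2c message, which is why changing it from the default and restricting which hosts may query the agent matter. All packets here are built locally and nothing is sent; the OIDs are the standard sysDescr.0 and the one used in the snmpwalk line above.

```python
SNMP_V2C = 1                              # version field on the wire: 0 = v1, 1 = v2c
SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # MIB-II sysDescr.0, the first object snmpwalk prints
def tlv(tag, payload):
    """BER element: tag, definite length (short form below 128, else long form), value."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def ber_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(oid):
    body = bytearray([oid[0] * 40 + oid[1]])        # the first two arcs share one byte
    for sub in oid[2:]:
        chunk = [sub & 0x7F]                        # base 128, high bit set on all but the last byte
        while sub >> 7:
            sub >>= 7
            chunk.insert(0, 0x80 | (sub & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def message(pdu_tag, community, oid, value_tlv, request_id=1):
    """Message ::= SEQUENCE { version, community OCTET STRING, PDU }; PDU tag 0xA0 = GetRequest
    (value NULL, b"\\x05\\x00"), 0xA2 = GetResponse (value filled in by the agent)."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + value_tlv))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)  # id, error-status, error-index
    return tlv(0x30, ber_int(SNMP_V2C) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos=0):                          # decode one element -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                    # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def fields(buf):                                    # every consecutive element in buf as (tag, value)
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse(packet):
    """(community, pdu_tag, request_id, oid_bytes, value_bytes); the community is plain text to any sniffer."""
    (_, _), (_, comm), (pdu_tag, pdu) = fields(read_tlv(packet)[1])
    (_, rid), _, _, (_, vbl) = fields(pdu)
    (_, oid), (_, val) = fields(fields(vbl)[0][1])     # first varbind only
    return comm.decode(), pdu_tag, int.from_bytes(rid, "big", signed=True), oid, val
```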
6. Identifying the boundary firewall
In order to bypass and evade it.