网络攻击(二)--情报搜集阶段
4.1. 概述
在情报收集阶段,你需要采用各种可能的方法来收集将要攻击的客户组织的所有信息,包括使用社交网络、 技术、目标系统踩点等等。
而作为渗透测试者,你最为重要的一项技能就是对目标系统的探查能力,包括获知它的行为模式、运行机理,以及最终可以如何被攻击。
对目标系统所搜集到的信息将帮助你准确的掌握目标系统所部署的安全控制措施。
* 第一步 * 目标系统IP地址范围* 详细的注册信息* DNS服务器位置* 电话号段* 网络、或安全管理员及其联系方式* 外部网络拓扑结构* 而后* 目标网络中活跃主机* 操作系统类型* 开放的端口* 端口后面运行的网络服务* 是否存在已公开的披露的安全漏洞* 最后(对初步选择的攻击目标服务实施更细致的信息探查)* 像用户账号* 共享资源* 网络服务类型与版本号* 服务配置信息
通过收集这些信息, 攻击者可以大致判断目标系统的安全状况, 从而寻求有效的入侵途径与方法。
扫描 查点 4.2. 踩点
踩点就是对目标组织()进行有计划、有组织的信息收集,以得到目标完整剖析图的过程
4.2.1. Web信息搜索-
Goole (谷歌黑客)_360搜索
4.2.2. DNS查询--
是一款非常强大的域名信息收集工具。
它能够通过谷歌或者字典文件猜测可能存在的域名,并对一个网段进行反向查询。它不仅可以查询网站的主机地址信息、域名服务器和邮件交换记录,还可以在域名服务器上执行axfr请求,然后通过谷歌脚本得到扩展域名信息,提取子域名并查询,最后计算C类地址并执行whois查询,执行反向查询,把地址段写入文件。
本小节将介绍使用工具检查DNS枚举。在终端执行如下所示的命令:
root@Kali-Panda:~# dnsenum --enum example.com
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Warning: can't load Net::Whois::IP module, whois queries disabled.
Warning: can't load WWW::Mechanize module, Google scraping desabled.----- example.com -----Host's addresses:
__________________example.com. 36912 IN A 93.184.216.34Name Servers:
______________a.iana-servers.net. 73 IN A 199.43.135.53
b.iana-servers.net. 73 IN A 199.43.133.53Mail (MX) Servers:
___________________Trying Zone Transfers and getting Bind Versions:
_________________________________________________Trying Zone Transfer for example.com on a.iana-servers.net ...
AXFR record query failed: NOTAUTHTrying Zone Transfer for example.com on b.iana-servers.net ...
AXFR record query failed: REFUSEDbrute force file not specified, bay.
root@Kali-Panda:~#
可以收集DNS的信息分为下述几类:
root@Kali-Panda:~# dnsenum -h
$ nslookup baidu.com
4.2.3. DNS信息获取-whois
whois(读作“Who is”,非缩写)是用来查询域名的IP以及所有者等信息的传输协议。简单说,whois就是一个用来查询域名是否已经被注册,以及注册域名的详细信息的数据库(如域名所有人、域名注册商)
itcast@itcast $ whois baidu.com
4.2.4. 路由信息
获取dns信息之后,尽可能获取目标网络的拓扑结构。 好找准攻击点
root@Kali-Panda:~# traceroute www.example.com
traceroute to www.example.com (93.184.216.34), 30 hops max, 60 byte packets1 localhost (192.168.0.1) 8.207 ms 8.908 ms 10.830 ms2 localhost (192.168.1.1) 10.732 ms 16.626 ms 16.735 ms3 * * *4 61.51.246.197 (61.51.246.197) 24.228 ms 25.782 ms 29.403 ms5 bt-230-081.bta.net.cn (202.106.230.81) 31.423 ms 219.232.11.29 (219.232.11.29) 29.724 ms 29.650 ms6 202.96.12.1 (202.96.12.1) 30.249 ms 124.65.194.25 (124.65.194.25) 9.982 ms 124.65.194.21 (124.65.194.21) 6.976 ms7 219.158.18.66 (219.158.18.66) 12.332 ms 219.158.5.146 (219.158.5.146) 10.793 ms 219.158.5.150 (219.158.5.150) 12.163 ms8 219.158.3.138 (219.158.3.138) 12.077 ms 219.158.16.82 (219.158.16.82) 20.989 ms 20.926 ms9 219.158.107.118 (219.158.107.118) 214.112 ms 214.534 ms 214.461 ms
10 219.158.33.194 (219.158.33.194) 251.167 ms 312.330 ms 312.398 ms
11 ffm-bb4-link.telia.net (62.115.142.194) 255.167 ms 251.091 ms ffm-bb3-link.telia.net (62.115.142.204) 310.773 ms
12 prs-bb3-link.telia.net (62.115.123.13) 324.318 ms prs-bb4-link.telia.net (62.115.122.138) 316.212 ms prs-bb3-link.telia.net (62.115.123.13) 315.887 ms
13 ash-bb3-link.telia.net (80.91.251.243) 247.043 ms ash-bb4-link.telia.net (62.115.122.159) 237.803 ms 238.235 ms
14 ash-b1-link.telia.net (80.91.248.157) 243.919 ms 306.199 ms 306.720 ms
15 verizon-ic-315151-ash-b1.c.telia.net (213.248.83.117) 311.853 ms 314.697 ms 249.671 ms
16 152.195.64.133 (152.195.64.133) 249.688 ms 152.195.65.133 (152.195.65.133) 325.343 ms 328.961 ms
17 93.184.216.34 (93.184.216.34) 252.255 ms 261.291 ms 253.151 ms
root@Kali-Panda:~#
4.3. 扫描
如果把踩点比喻为实施盗窃前,侦查外围环境以确定目标大楼,那扫描就是从中找出有人居住的房间,找出可供嵌入的门窗。。。。
4.3.1. 目标主机在线存活--ping
在检查主机是否在线的工具中, ping可能是最著名的工具了。
示例
root@Kali-Panda:~# ping -c 2 www.baidu.com
PING www.a.shifen.com (61.135.169.121) 56(84) bytes of data.
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=1 ttl=56 time=5.12 ms
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=2 ttl=56 time=5.81 ms--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 5.123/5.469/5.816/0.354 ms
root@Kali-Panda:~#
root@Kali-Panda:~# ping -c 3 -s 128 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 128(156) bytes of data.
136 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=2.79 ms
136 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=2.09 ms
136 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=3.56 ms--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.091/2.817/3.566/0.602 ms
root@Kali-Panda:~#
4.3.2. 目标主机在线存活-- nmap
Nmap是一个免费开放的网络扫描和嗅探工具包,也叫网络映射器( )。该工具其基本功能有三个,
测试一个网络中活跃的主机。使用方法如下所示。
root@Kali-Panda:~# nmap -sP 192.168.0.110
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-24 09:25 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.52 seconds
root@Kali-Panda:~# nmap -sP 192.168.0.106
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-24 09:26 CST
Nmap scan report for localhost (192.168.0.106)
Host is up (0.00024s latency).
MAC Address: FC:F8:AE:06:92:2B (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
root@Kali-Panda:~#
root@Kali-Panda:~# nmap -sP 192.168.0.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-24 09:27 CST
Nmap scan report for localhost (192.168.0.1)
Host is up (0.0076s latency).
MAC Address: 14:75:90:50:57:DB (Tp-link Technologies)
Nmap scan report for localhost (192.168.0.100)
Host is up (0.068s latency).
MAC Address: EC:F3:42:CF:97:F3 (Guangdong Oppo Mobile Telecommunications)
Nmap scan report for localhost (192.168.0.101)
Host is up (0.12s latency).
MAC Address: 78:A8:73:CF:66:B2 (Samsung Electronics)
Nmap scan report for localhost (192.168.0.102)
Host is up (0.12s latency).
MAC Address: 60:A4:D0:A3:47:D2 (Samsung Electronics)
Nmap scan report for localhost (192.168.0.106)
Host is up (0.00018s latency).
MAC Address: FC:F8:AE:06:92:2B (Intel Corporate)
Nmap scan report for localhost (192.168.0.107)
Host is up (0.063s latency).
MAC Address: 2C:D9:74:20:D1:09 (Unknown)
Nmap scan report for localhost (192.168.0.111)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.87 seconds
root@Kali-Panda:~#
4.3.3. 系统指纹信息 --nmap
本节通过主动方式,收集目标系统指纹信息,获取操作系统的类型
使用Nmap命令的-O选项,启用操作系统测试功能。(注意,是大写字母O,不是数字0)
执行命令如下所示:
root@Kali-Panda:~# nmap -O 192.168.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-24 11:36 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.0062s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
MAC Address: D4:F9:A1:70:6B:25 (Huawei Technologies)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.5
OS details: Linux 3.5
Network Distance: 1 hopOS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.09 seconds
root@Kali-Panda:~#
4.3.4. 系统指纹信息 -- p0f
p0f 采用被动式探测目标主机的操作系统类型
root@Kali-Panda:~# p0f -i eth0 -f /etc/p0f/p0f.fp
--- p0f 3.09b by Michal Zalewski ---[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop..-[ 192.168.1.228/33014 -> 192.168.1.170/22 (syn) ]-
|
| client = 192.168.1.228/33014
| os = Linux 3.11 and newer
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
p0f 为被动式识别工具
对一个大范围的网络或活跃的主机进行渗透测试,必须要了解这些主机上所打开的端口号。 也就是目标主机上所提供的服务。
4.3.5. 端口扫描 -- nmap
使用nmap工具查看192.168.1.1 主机上正在运行的服务。执行命令如下所示:
root@Kali-Panda:~# nmap 192.168.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-24 14:36 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.0085s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
MAC Address: D4:F9:A1:70:6B:25 (Huawei Technologies)Nmap done: 1 IP address (1 host up) scanned in 3.12 seconds
root@Kali-Panda:~#
从命令结果可以看出, 目标主机192.168.1.1 提供了ftp、ssh、、http等服务。
常用参数
扫描特定端口22
root@Kali-Panda:~# nmap -p 22 192.168.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-24 14:40 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.0059s latency).PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: D4:F9:A1:70:6B:25 (Huawei Technologies)Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
root@Kali-Panda:~#
root@Kali-Panda:~# nmap -p 1-32 192.168.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-24 14:40 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.027s latency).
Not shown: 29 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
MAC Address: D4:F9:A1:70:6B:25 (Huawei Technologies)Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds
4.3.6. 端口服务指纹识别--nmap
为了确保有一个成功的渗透测试,必须需要知道目标系统中服务的指纹信息。服务指纹信息包括服务端口、服务名和版本等。
使用Nmap工具查看192.168.41.136服务上正在运行的端口。执行命令如下所示:
root@Kali-Panda:~# nmap -sV -p 22 192.168.1.228
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-24 14:52 CST
Nmap scan report for localhost (192.168.1.228)
Host is up (0.00016s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
MAC Address: FC:F8:AE:06:92:2B (Intel Corporate)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
此处使用,一般会用-p 指定端口,效率更高。 此处获取ssh的版本信息。
4.3.7. 漏洞扫描 4.3.7.1. 介绍
国外流行的漏洞扫描工具。多用来发现系统漏洞。
是目前全世界最多人使用的系统漏洞扫描与分析软件。总共有超过75,000个机构使用 作为扫描该机构电脑系统的软件。
1998年, 的创办人 展开了一项名为 ""的计划,其计划目的是希望能为因特网社群提供一个免费、威力强大、更新频繁并简易使用的远端系统安全扫描程序。经过了数年的发展, 包括 CERT 与 SANS 等著名的网络安全相关机构皆认同此工具软件的功能与可用性。
2002年时, 与 Ron Gula, Jack 创办了一个名为 的机构。在第三版的 发布之时, 该机构收回了 的版权与程序源代码 (原本为开放源代码), 并注册成为该机构的网站。 目前此机构位于美国马里兰州的哥伦比亚。
4.3.7.2. 漏洞扫描
使用进行漏洞扫描是我们需要了解的重点。
在界面中,选择 Scan
* `Name`: 给本次扫描起个名字,(按自己心意即可, 我一般用IP,网段, 主机名)
* `Description` : 描述,根据情况编写
* `Folder` : 一种归类手段, 默认即可
* `Targets`: 重要, 192.168.0.4填写完成, 下方点击Save保存
4.3.7.3. 漏扫报告解读
以国内厂商的漏扫报告,我们一起看一下。
