2017-2018-2 20155228 "Network Attack and Defense Technology" Lab 6: Information Gathering and Vulnerability Scanning
1. Objectives and content
1.1 Objectives
Master the basic skills of information gathering and the use of common tools
1.2 Content
- Applying various search techniques
- Querying DNS and IP registration information
- Basic scanning techniques: host discovery, port scanning, OS and service version detection, enumeration of specific services
- Vulnerability scanning: running a scan, reading the report, looking up vulnerability descriptions, fixing vulnerabilities
2. Answers to basic questions
2.1 Which organizations are responsible for managing DNS and IP addresses?
DNS: The top-level domains of the Internet are registered and managed by the committee of the Internet Society responsible for domain name registration and network address allocation, which also assigns a unique IP address to every host on the Internet. There are currently three large network information centers worldwide: InterNIC in the United States, responsible for the US and other regions; RIPE-NIC in the Netherlands, responsible for Europe; and APNIC in Japan, responsible for the Asia-Pacific region.
IP: All IP addresses are allocated centrally by the international organization NIC (Network Information Center); there are currently three such network information centers worldwide. InterNIC is responsible for the US and other regions, ENIC for Europe, and APNIC for the Asia-Pacific region. In China, IP addresses are applied for through APNIC, whose headquarters are at the University of Tokyo in Japan. When applying, one must decide which class of IP address to request and then submit the request to the domestic agency.
2.2 What is 3R information?
Registry, registrar and registrant
There are three different roles that participate in the domain name registration process: The registry, registrar, and registrant. The following information breaks down each role and how they work with one another:
Registry: A domain name registry is an organization that manages top-level domain names. They create domain name extensions, set the rules for that domain name, and work with registrars to sell domain names to the public. For example, VeriSign manages the registration of .com domain names and their domain name system (DNS).
Registrar: The registrar is an accredited organization, like GoDaddy, that sells domain names to the public. Some have the ability to sell top-level domain names (TLDs) like .com, .net, and .org or country-code top-level domain names (ccTLDs) such as .us, .ca, and .eu.
Registrant: A registrant is the person or company who registers a domain name. Registrants can manage their domain name’s settings through their registrar. When changes are made to the domain, their registrar will send the information to the registry to be updated and saved in the registry’s database. When you register a domain name, you become a registrant!
2.3 Evaluate the accuracy of the scan results
The scan targets in this lab were mainly www.baidu.com and www.besti.edu.cn. After scanning with several tools, www.baidu.com yielded quite a lot of information, probably because it is a well-known site, whereas very little could be obtained for www.besti.edu.cn: some tools cannot scan .edu domains and some return nothing at all, but a few still work, such as ip-adress, which even provided detailed and accurate location information. Overall, the amount of information that can be obtained differs greatly between sites and between tools, so it is better to use several tools when scanning.
3. Summary and reflections
The main content of this lab was information gathering in preparation for later penetration work. Using a series of tools, a great deal of useful and sensitive information about both websites and hosts can be found, and the process is not complicated, which is surprising: large amounts of private information circulate on the network, and this greatly facilitates targeted attacks.
4. Lab procedure
4.1 Information gathering: external information gathering
4.1.1 Mining target website information via DNS and IP
Query domain registration information with whois
msfconsole
msf > whois besti.edu.cn
The query result is as follows (the record shown is for baidu.com):
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-07-28T02:36:28Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2026-10-11T11:05:17Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: DNS.BAIDU.COM
Name Server: NS2.BAIDU.COM
Name Server: NS3.BAIDU.COM
Name Server: NS4.BAIDU.COM
Name Server: NS7.BAIDU.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
Last update of whois database: 2018-05-06T07:55:24Z
For more information on Whois status codes, please visit https://icann.org/epp
Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-07-27T19:36:28-0700
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant Street: 3F Baidu Campus No.10, Shangdi 10th Street Haidian District
Registrant City: Beijing
Registrant State/Province: Beijing
Registrant Postal Code: 100085
Registrant Country: CN
Registrant Phone: +86.1059928888
Registrant Phone Ext:
Registrant Fax: +86.1059928888
Registrant Fax Ext:
Registrant Email: domainmaster@baidu.com
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Admin Street: 3F Baidu Campus No.10, Shangdi 10th Street Haidian District
Admin City: Beijing
Admin State/Province: Beijing
Admin Postal Code: 100085
Admin Country: CN
Admin Phone: +86.1059928888
Admin Phone Ext:
Admin Fax: +86.1059928888
Admin Fax Ext:
Admin Email: domainmaster@baidu.com
Registry Tech ID:
Tech Name: Domain Admin
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech Street: 3F Baidu Campus No.10, Shangdi 10th Street Haidian District
Tech City: Beijing
Tech State/Province: Beijing
Tech Postal Code: 100085
Tech Country: CN
Tech Phone: +86.1059928888
Tech Phone Ext:
Tech Fax: +86.1059928888
Tech Fax Ext:
Tech Email: domainmaster@baidu.com
Name Server: ns2.baidu.com
Name Server: ns3.baidu.com
Name Server: ns4.baidu.com
Name Server: dns.baidu.com
Name Server: ns7.baidu.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2018-05-06T00:51:43-0700 <<<
The lookup can also be done through the "域名Whois查询 - 站长之家" page (the ChinaZ Whois lookup service).
Domain lookups with nslookup and dig
msfconsole
nslookup
set type=A
besti.edu.cn
baidu.com
Accessing the sites by the IP addresses returned, besti.edu.cn could not be reached, but baidu.com could.
msfconsole
dig @dns.baidu.com baidu.com
The query result is as follows:
;; QUESTION SECTION:
;baidu.com. IN A

;; ANSWER SECTION:
baidu.com. 600 IN A 220.181.57.216
baidu.com. 600 IN A 123.125.115.110

;; AUTHORITY SECTION:
baidu.com. 86400 IN NS ns7.baidu.com.
baidu.com. 86400 IN NS dns.baidu.com.
baidu.com. 86400 IN NS ns3.baidu.com.
baidu.com. 86400 IN NS ns2.baidu.com.
baidu.com. 86400 IN NS ns4.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com. 86400 IN A 202.108.22.220
ns2.baidu.com. 86400 IN A 61.135.165.235
ns3.baidu.com. 86400 IN A 220.181.37.10
ns4.baidu.com. 86400 IN A 220.181.38.10
ns7.baidu.com. 86400 IN A 180.76.76.92

;; Query time: 109 msec
;; SERVER: 202.108.22.220#53(202.108.22.220)
;; WHEN: Sun May 06 16:08:49 CST 2018
;; MSG SIZE rcvd: 240
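As an added example (not part of the original lab report), the following Python parses a whois record and a dig answer like the ones shown above into structured data and cross-checks that the name servers held by the registrar match the NS records the authoritative server actually serves. A non-empty difference is the thing to investigate (stale registration data or a changed delegation). The sample texts are constructed from the output above, trimmed to the fields used.

```python
import re
# Constructed sample inputs, trimmed from the whois and dig output shown on this page.
WHOIS_TEXT = """\
Domain Name: BAIDU.COM
Registrar: MarkMonitor Inc.
Name Server: DNS.BAIDU.COM
Name Server: NS2.BAIDU.COM
Name Server: NS3.BAIDU.COM
Name Server: NS4.BAIDU.COM
Name Server: NS7.BAIDU.COM
DNSSEC: unsigned
"""
DIG_TEXT = """\
;; ANSWER SECTION:
baidu.com. 600 IN A 220.181.57.216
baidu.com. 600 IN A 123.125.115.110
;; AUTHORITY SECTION:
baidu.com. 86400 IN NS ns7.baidu.com.
baidu.com. 86400 IN NS dns.baidu.com.
baidu.com. 86400 IN NS ns3.baidu.com.
baidu.com. 86400 IN NS ns2.baidu.com.
baidu.com. 86400 IN NS ns4.baidu.com.
"""

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys such as Name Server become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z /]+?):\s*(.*)$", line)
        if m:
            record.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return record

def parse_dig(text):
    """Return {(owner, rtype): [rdata, ...]} from dig's resource record lines."""
    rrsets = {}
    for line in text.splitlines():
        if line and not line.startswith(";"):  # skip section headers and comments
            owner, _ttl, _class, rtype, rdata = line.split(None, 4)
            rrsets.setdefault((owner, rtype), []).append(rdata)
    return rrsets

def nameserver_mismatch(whois_record, rrsets, domain):
    """Name servers listed on only one side, compared case- and trailing-dot-insensitively.
    An empty set means registrar data and the live delegation agree."""
    whois_ns = {n.lower().rstrip(".") for n in whois_record.get("Name Server", [])}
    dns_ns = {n.lower().rstrip(".") for n in rrsets.get((domain + ".", "NS"), [])}
    return whois_ns ^ dns_ns
```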
Using the information query service provided by Netcraft
Enter the domain www.baidu.com and run a site query
View the site report
Netcraft provides very rich information
IP2 reverse domain lookup
Query www.baidu.com
Query besti.edu.cn
The location information from ip-adress.com matches that shown by Baidu Maps
Query www.besti.edu.cn
Query www.baidu.com
4.1.2 Information gathering via search engines
Use SiteDigger for information gathering
Download link
SiteDigger v3.0 Released 12/01/2009
User guide
Searching the site directory structure
msfconsole
use auxiliary/scanner/http/dir_scanner
set THREADS 50
set RHOSTS www.baidu.com
exploit
Searching for specific file types
site:edu.cn filetype:xls 成绩
site:edu.cn filetype:docx
Searching for e-mail addresses
msfconsole
use auxiliary/gather/search_email_collector
set DOMAIN besti.edu.cn
exploit
The error occurs because Google is not reachable within China
set SEARCH_GOOGLE false
exploit
IP route reconnaissance
tracert www.besti.edu.cn
4.2 Information gathering: host detection and port scanning
4.2.1 Active host scanning
ICMP ping command
ping www.baidu.com
Enumerating active hosts on the local LAN with ARP requests
msfconsole
use auxiliary/scanner/discovery/arp_sweep
set RHOSTS 192.168.232.132-135
set THREADS 50
run
Nmap probing
nmap 192.168.232.132
nmap -O 192.168.232.132
4.3 Information gathering: network service scanning
Telnet service scan
msfconsole
use auxiliary/scanner/telnet/telnet_version
set RHOSTS 192.168.232.132-135
run
SSH service scan
msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.232.132-135
run
Oracle database service enumeration
msfconsole
use auxiliary/scanner/oracle/tnslsnr_version
set RHOSTS 192.168.232.132-135
run
Password guessing and sniffing
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.232.132
set USERNAME Win720155228ver2
set PASS_FILE /root/password.txt
set THREADS 200
run
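From the defender's side, here is an added Python example (not part of the original report) that detects the kind of password guessing the ssh_login run above produces on the target: it parses OpenSSH auth.log lines and flags any source with at least five failed logins inside a 60-second window, recording separately whether a later successful login followed from that source. The log lines, hostname and PIDs are constructed samples; the source addresses reuse the lab's 192.168.232.0/24 range.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in OpenSSH's syslog format (not captured output).
SAMPLE_LOG = """\
May  6 16:08:49 kali sshd[1201]: Failed password for invalid user admin from 192.168.232.134 port 50212 ssh2
May  6 16:08:49 kali sshd[1202]: Failed password for root from 192.168.232.134 port 50213 ssh2
May  6 16:08:50 kali sshd[1203]: Failed password for root from 192.168.232.134 port 50214 ssh2
May  6 16:08:50 kali sshd[1204]: Failed password for root from 192.168.232.134 port 50215 ssh2
May  6 16:08:51 kali sshd[1205]: Failed password for root from 192.168.232.134 port 50216 ssh2
May  6 16:08:52 kali sshd[1206]: Accepted password for root from 192.168.232.134 port 50217 ssh2
May  6 16:20:01 kali sshd[1300]: Failed password for root from 192.168.232.1 port 40000 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line, year=2018):
    """Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_bruteforce(log_text, threshold=5, window=60):
    """Return {src: (max_failures_in_window, success_after_alert)} for sources
    that reach `threshold` failed logins within `window` seconds."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = defaultdict(list)  # per-source timestamps of recent failures
    alerts = {}
    for e in events:
        if e["result"] == "Failed":
            q = failures[e["src"]]
            q.append(e["ts"])
            while (q[-1] - q[0]).total_seconds() > window:  # slide the window
                q.pop(0)
            if len(q) >= threshold:
                prev = alerts.get(e["src"], (0, False))
                alerts[e["src"]] = (max(prev[0], len(q)), prev[1])
        elif e["src"] in alerts:  # a guess from a flagged source succeeded
            alerts[e["src"]] = (alerts[e["src"]][0], True)
    return alerts
```

The (count, True) case is the one to act on first: a flagged source that then logged in successfully.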
4.4 Vulnerability scanning: OpenVAS
Download and install OpenVAS
apt-get update
apt-get dist-upgrade
apt-get install openvas
Check the OpenVAS installation
openvas-check-setup
Error message
openvas-check-setup 2.3.7
Test completeness and readiness of OpenVAS-9
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.1.
OK: redis-server is present in version v=4.0.7.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
ERROR: redis-server is not running or not listening on socket: /tmp/redis.sock
FIX: You should start the redis-server or configure it to listen on socket: /tmp/redis.sock
ERROR: Your OpenVAS-9 installation is not yet complete!
Please follow the instructions marked with FIX above and run this
script again.
If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
redis-server doesn't listen on /tmp/redis.sock by default. Try adding the line unixsocket /tmp/redis.sock to your redis.conf and running /etc/init.d/redis-server restart?
- Locate and edit the redis.conf file
- Restart redis-server:
/etc/init.d/redis-server restart
Run openvas-check-setup again:
openvas-check-setup
The problem persists.
So in the end I just copied someone else's virtual machine to do it.
- First, enter the following command in a terminal:
openvas-start
- Next, open a browser and go to:
https://127.0.0.1:9392
If access is blocked, click Advanced and set it as a trusted site.
- Then create a new task, set the scan target to 192.168.232.132, leave the other parameters unset, and click the Create button.
- Finally, view the scan report.