    2017-2018-2 20155228 "Network Countermeasures" Lab 6: Information Gathering and Vulnerability Scanning

    1. Lab objectives and content

    1.1 Objectives

    Master the most basic information-gathering skills and learn how to use the common tools.

    1.2 Content

    • Applying various search techniques

    • Querying DNS and IP registration information

    • Basic scanning techniques: host discovery, port scanning, OS and service version detection, enumeration of specific services

    • Vulnerability scanning: run a scan, read the report, look up the vulnerability description, and patch the vulnerability


    2. Answers to the basic questions

    2.1 Which organizations are responsible for managing DNS and IP addresses?

    DNS: The top-level domains of the Internet are registered and managed by the committee of the Internet Society that is responsible for domain name registration and network address allocation; it also assigns a unique IP address to every host on the Internet. There are currently three major network information centers in the world: Inter-NIC in the United States, responsible for the US and other regions; RIPE-NIC in the Netherlands, responsible for Europe; and APNIC in Japan, responsible for the Asia-Pacific region.

    IP: All IP addresses are allocated centrally by the international organization NIC (Network Information Center); there are currently three such network information centers in the world. InterNIC is responsible for the US and other regions, ENIC for Europe, and APNIC for the Asia-Pacific region. In China, IP addresses are applied for through APNIC, whose headquarters is located at the University of Tokyo in Japan. When applying, one must decide which class of IP address to apply for and then submit the application to a domestic agency.

    2.2 What is the 3R information?

    The registry, the registrar and the registrant.

    There are three different roles that participate in the domain name registration process: the registry, registrar, and registrant. The following information breaks down each role and how they work with one another:

    Registry: A domain name registry is an organization that manages top-level domain names. They create domain name extensions, set the rules for that domain name, and work with registrars to sell domain names to the public. For example, VeriSign manages the registration of .com domain names and their domain name system (DNS).

    Registrar: The registrar is an accredited organization, like GoDaddy, that sells domain names to the public. Some have the ability to sell top-level domain names (TLDs) like .com, .net, and .org or country-code top-level domain names (ccTLDs) such as .us, .ca, and .eu.

    Registrant: A registrant is the person or company who registers a domain name. Registrants can manage their domain name's settings through their registrar. When changes are made to the domain, their registrar will send the information to the registry to be updated and saved in the registry's database. When you register a domain name, you become a registrant!

    2.3 Evaluate the accuracy of the scan results

    The sites scanned in this lab were mainly www.baidu.com and www.besti.edu.cn. After scanning with several tools, I found that quite a lot of information could be obtained about www.baidu.com, probably because it is a well-known site, whereas very little could be obtained about www.besti.edu.cn: some tools cannot scan .edu domains at all, and some simply return nothing, but there are still tools that work, such as ip-adress, which even provided detailed and accurate location information. In general, the amount of information that different tools can obtain varies greatly from one site to another, so it is better to use several tools when scanning.


    3. Summary and reflections

    The main content of this lab was information gathering in preparation for the later penetration work. With a series of tools, a great deal of useful and sensitive information can be found, both about websites and about hosts, and obtaining it is not complicated. Seen from that angle it is quite surprising: a large amount of private information circulates on the network, which makes targeted attacks much easier.


    4. Lab record

    4.1 Information gathering: external reconnaissance

    4.1.1 Mining information about the target site through DNS and IP

    Query domain registration information with whois

    msfconsole
    msf > whois besti.edu.cn

    The query result (the record shown is for baidu.com) is as follows:

    Domain Name: BAIDU.COM
    Registry Domain ID: 11181110_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.markmonitor.com
    Registrar URL: http://www.markmonitor.com
    Updated Date: 2017-07-28T02:36:28Z
    Creation Date: 1999-10-11T11:05:17Z
    Registry Expiry Date: 2026-10-11T11:05:17Z
    Registrar: MarkMonitor Inc.
    Registrar IANA ID: 292
    Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
    Registrar Abuse Contact Phone: +1.2083895740
    Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
    Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
    Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
    Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
    Name Server: DNS.BAIDU.COM
    Name Server: NS2.BAIDU.COM
    Name Server: NS3.BAIDU.COM
    Name Server: NS4.BAIDU.COM
    Name Server: NS7.BAIDU.COM
    DNSSEC: unsigned
    URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
    Last update of whois database: 2018-05-06T07:55:24Z

    For more information on Whois status codes, please visit https://icann.org/epp

    NOTICE: The expiration date displayed in this record is the date the
    registrar's sponsorship of the domain name registration in the registry is
    currently set to expire. This date does not necessarily reflect the expiration
    date of the domain name registrant's agreement with the sponsoring
    registrar. Users may consult the sponsoring registrar's Whois database to
    view the registrar's reported date of expiration for this registration.

    TERMS OF USE: You are not authorized to access or query our Whois
    database through the use of electronic processes that are high-volume and
    automated except as reasonably necessary to register domain names or
    modify existing registrations; the Data in VeriSign Global Registry
    Services' ("VeriSign") Whois database is provided by VeriSign for
    information purposes only, and to assist persons in obtaining information
    about or related to a domain name registration record. VeriSign does not
    guarantee its accuracy. By submitting a Whois query, you agree to abide
    by the following terms of use: You agree that you may use this Data only
    for lawful purposes and that under no circumstances will you use this Data
    to: (1) allow, enable, or otherwise support the transmission of mass
    unsolicited, commercial advertising or solicitations via e-mail, telephone,
    or facsimile; or (2) enable high volume, automated, electronic processes
    that apply to VeriSign (or its computer systems). The compilation,
    repackaging, dissemination or other use of this Data is expressly
    prohibited without the prior written consent of VeriSign. You agree not to
    use electronic processes that are automated and high-volume to access or
    query the Whois database except as reasonably necessary to register
    domain names or modify existing registrations. VeriSign reserves the right
    to restrict your access to the Whois database in its sole discretion to ensure
    operational stability. VeriSign may restrict or terminate your access to the
    Whois database for failure to abide by these terms of use. VeriSign
    reserves the right to modify these terms at any time.

    The Registry database contains ONLY .COM, .NET, .EDU domains and
    Registrars.
    Domain Name: baidu.com
    Registry Domain ID: 11181110_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.markmonitor.com
    Registrar URL: http://www.markmonitor.com
    Updated Date: 2017-07-27T19:36:28-0700
    Creation Date: 1999-10-11T04:05:17-0700
    Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
    Registrar: MarkMonitor, Inc.
    Registrar IANA ID: 292
    Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
    Registrar Abuse Contact Phone: +1.2083895740
    Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
    Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
    Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
    Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
    Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
    Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
    Registry Registrant ID:
    Registrant Name: Domain Admin
    Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
    Registrant Street: 3F Baidu Campus No.10, Shangdi 10th Street Haidian District
    Registrant City: Beijing
    Registrant State/Province: Beijing
    Registrant Postal Code: 100085
    Registrant Country: CN
    Registrant Phone: +86.1059928888
    Registrant Phone Ext:
    Registrant Fax: +86.1059928888
    Registrant Fax Ext:
    Registrant Email: domainmaster@baidu.com
    Registry Admin ID:
    Admin Name: Domain Admin
    Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
    Admin Street: 3F Baidu Campus No.10, Shangdi 10th Street Haidian District
    Admin City: Beijing
    Admin State/Province: Beijing
    Admin Postal Code: 100085
    Admin Country: CN
    Admin Phone: +86.1059928888
    Admin Phone Ext:
    Admin Fax: +86.1059928888
    Admin Fax Ext:
    Admin Email: domainmaster@baidu.com
    Registry Tech ID:
    Tech Name: Domain Admin
    Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
    Tech Street: 3F Baidu Campus No.10, Shangdi 10th Street Haidian District
    Tech City: Beijing
    Tech State/Province: Beijing
    Tech Postal Code: 100085
    Tech Country: CN
    Tech Phone: +86.1059928888
    Tech Phone Ext:
    Tech Fax: +86.1059928888
    Tech Fax Ext:
    Tech Email: domainmaster@baidu.com
    Name Server: ns2.baidu.com
    Name Server: ns3.baidu.com
    Name Server: ns4.baidu.com
    Name Server: dns.baidu.com
    Name Server: ns7.baidu.com
    DNSSEC: unsigned
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

    Last update of WHOIS database: 2018-05-06T00:51:43-0700 <<<

    The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for
    information purposes, and to assist persons in obtaining information about or
    related to a domain name registration record. MarkMonitor.com does not guarantee
    its accuracy. By submitting a WHOIS query, you agree that you will use this Data
    only for lawful purposes and that, under no circumstances will you use this Data to:
    (1) allow, enable, or otherwise support the transmission of mass unsolicited,
    commercial advertising or solicitations via e-mail (spam); or
    (2) enable high volume, automated, electronic processes that apply to
    MarkMonitor.com (or its systems).
    MarkMonitor.com reserves the right to modify these terms at any time.
    By submitting this query, you agree to abide by this policy.

    MarkMonitor is the Global Leader in Online Brand Protection.

    MarkMonitor Domain Management(TM)
    MarkMonitor Brand Protection(TM)
    MarkMonitor AntiPiracy(TM)
    MarkMonitor AntiFraud(TM)
    Professional and Managed Services

    Visit MarkMonitor at http://www.markmonitor.com
    Contact us at +1.8007459229
    In Europe, at +44.02032062220

    For more information on Whois status codes, please visit
    https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en

    The lookup can also be done with the domain Whois lookup at 站长之家 (Chinaz).
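The whois record above mixes repeated keys (Domain Status, Name Server) with free-text notices. The following added example, not code from the lab report, parses a record in that format into fields and then runs the checks a defender wants from the 3R data: which registrar locks are set, whether the zone is DNSSEC-signed, and how long until registry expiry. SAMPLE_WHOIS is an abridged copy of the baidu.com record on this page and QUERY_TIME is its "Last update of whois database" timestamp.

```python
"""Parse a registry WHOIS record and run registration-hygiene checks.
Added example; SAMPLE_WHOIS is abridged from the record quoted on this page."""
import re
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar: MarkMonitor Inc.
Registry Expiry Date: 2026-10-11T11:05:17Z
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: DNS.BAIDU.COM
Name Server: NS2.BAIDU.COM
DNSSEC: unsigned
For more information on Whois status codes, please visit https://icann.org/epp
"""
# "Last update of whois database" timestamp from the page, used as the reference time.
QUERY_TIME = datetime(2018, 5, 6, 7, 55, 24, tzinfo=timezone.utc)
# Only "Key: value" lines are records; free-text notices (commas, URLs) do not match.
KEY_VALUE = re.compile(r"^([A-Z][A-Za-z/ ]+?):\s*(.+)$")
CLIENT_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}

def parse_whois(text):
    """Return {key: [values]}; WHOIS keys repeat (Domain Status, Name Server)."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1)].append(m.group(2).strip())
    return dict(fields)

def check_domain(fields, now=None):
    """Registration-hygiene findings from a parsed registry record."""
    now = now or datetime.now(timezone.utc)
    statuses = {v.split()[0] for v in fields.get("Domain Status", [])}  # drop the EPP URL
    expiry = datetime.strptime(fields["Registry Expiry Date"][0], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "registrar": fields.get("Registrar", ["unknown"])[0],
        "missing_client_locks": sorted(CLIENT_LOCKS - statuses),
        "dnssec_signed": fields.get("DNSSEC", ["unsigned"])[0].lower() != "unsigned",
        "days_to_expiry": (expiry.replace(tzinfo=timezone.utc) - now).days,
        "name_servers": sorted(ns.lower() for ns in fields.get("Name Server", [])),
    }

if __name__ == "__main__":
    print(check_domain(parse_whois(SAMPLE_WHOIS), now=QUERY_TIME))
```

A missing client lock or a short time to expiry is what a domain-hijacking or expiry-takeover review looks for first.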

    Query the domain with nslookup and dig

    msfconsole
    nslookup
    set type=A
    besti.edu.cn
    baidu.com
    

    Visiting the sites by the IP addresses from the query results: besti.edu.cn could not be reached this way, but baidu.com could.

    msfconsole
    dig @dns.baidu.com baidu.com  
    

    The query result is as follows:

    ;; QUESTION SECTION:
    ;baidu.com. IN A

    ;; ANSWER SECTION:
    baidu.com. 600 IN A 220.181.57.216
    baidu.com. 600 IN A 123.125.115.110

    ;; AUTHORITY SECTION:
    baidu.com. 86400 IN NS ns7.baidu.com.
    baidu.com. 86400 IN NS dns.baidu.com.
    baidu.com. 86400 IN NS ns3.baidu.com.
    baidu.com. 86400 IN NS ns2.baidu.com.
    baidu.com. 86400 IN NS ns4.baidu.com.

    ;; ADDITIONAL SECTION:
    dns.baidu.com. 86400 IN A 202.108.22.220
    ns2.baidu.com. 86400 IN A 61.135.165.235
    ns3.baidu.com. 86400 IN A 220.181.37.10
    ns4.baidu.com. 86400 IN A 220.181.38.10
    ns7.baidu.com. 86400 IN A 180.76.76.92

    ;; Query time: 109 msec
    ;; SERVER: 202.108.22.220#53(202.108.22.220)
    ;; WHEN: Sun May 06 16:08:49 CST 2018
    ;; MSG SIZE rcvd: 240
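The dig output above is sectioned (ANSWER, AUTHORITY, ADDITIONAL). As an added example, not from the lab report, the code below parses that layout into resource records and cross-checks the delegation it shows: every NS in AUTHORITY should have glue in ADDITIONAL, and the zone's NS set should match the Name Server entries of the registry whois record. SAMPLE_DIG and WHOIS_NS are abridged copies of the page's own output.

```python
"""Parse dig's sectioned output and check the delegation it shows.
Added example; SAMPLE_DIG and WHOIS_NS are abridged from this page's output."""
from collections import defaultdict

SAMPLE_DIG = """\
;; ANSWER SECTION:
baidu.com. 600 IN A 220.181.57.216
baidu.com. 600 IN A 123.125.115.110

;; AUTHORITY SECTION:
baidu.com. 86400 IN NS ns7.baidu.com.
baidu.com. 86400 IN NS dns.baidu.com.
baidu.com. 86400 IN NS ns2.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com. 86400 IN A 202.108.22.220
ns2.baidu.com. 86400 IN A 61.135.165.235
ns7.baidu.com. 86400 IN A 180.76.76.92

;; Query time: 109 msec
"""
# Name Server entries from the registry WHOIS record on this page (abridged to match).
WHOIS_NS = {"DNS.BAIDU.COM", "NS2.BAIDU.COM", "NS7.BAIDU.COM"}

def parse_dig(text):
    """Return {section: [(owner, ttl, rtype, rdata), ...]} from dig's sectioned output."""
    records, section = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]            # e.g. "ANSWER"
        elif line and not line.startswith(";") and section:
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            records[section].append((owner, int(ttl), rtype, rdata))
    return dict(records)

def _norm(name):
    return name.rstrip(".").lower()

def check_delegation(records, whois_ns):
    """Cross-check the zone's NS set against its glue and against the registry's NS list."""
    zone_ns = {_norm(r[3]) for r in records.get("AUTHORITY", []) if r[2] == "NS"}
    glue = {_norm(r[0]) for r in records.get("ADDITIONAL", []) if r[2] == "A"}
    registry_ns = {_norm(n) for n in whois_ns}
    return {
        "a_records": sorted(r[3] for r in records.get("ANSWER", []) if r[2] == "A"),
        "ns_without_glue": sorted(zone_ns - glue),
        "ns_only_in_zone": sorted(zone_ns - registry_ns),
        "ns_only_in_registry": sorted(registry_ns - zone_ns),
    }
```

A name server present in the zone but absent from the registry record (or the reverse) is a delegation inconsistency worth following up before trusting the answers.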

    Use the lookup service provided by Netcraft

    Enter the domain www.baidu.com to look up the site

    View the site report

    As can be seen, the information provided by Netcraft is very rich

    IP-to-domain reverse lookup

    ip-adress.com

    Query www.baidu.com

    Query besti.edu.cn

    The location information provided by ip-adress.com matches the location shown on Baidu Maps

    去查网 (a Chinese lookup site)

    Query www.besti.edu.cn

    Query www.baidu.com

    4.1.2 Information gathering through search engines

    Gather information with SiteDigger

    Download link

    SiteDigger v3.0 Released 12/01/2009

    User guide

    Intelligence-gathering techniques in Kali

    Search the site's directory structure

    msfconsole
    use auxiliary/scanner/http/dir_scanner
    set THREADS 50
    set RHOSTS www.baidu.com
    exploit
    

    Search for specific file types

    site:edu.cn filetype:xls 成绩
    site:edu.cn filetype:docx
    

    Search for e-mail addresses

    msfconsole
    use auxiliary/gather/search_email_collector
    set DOMAIN besti.edu.cn
    exploit
    

    The error occurs because Google is not reachable from mainland China

    set SEARCH_GOOGLE false
    exploit
    

    IP route tracing

    tracert www.besti.edu.cn
    

    4.2 Information gathering: host discovery and port scanning

    4.2.1 Scanning for live hosts

    ICMP ping

    ping www.baidu.com
    

    Enumerate live hosts on the local LAN with ARP requests

    msfconsole
    use auxiliary/scanner/discovery/arp_sweep
    set RHOSTS 192.168.232.132-135
    set THREADS 50
    run
    

    Nmap probing

    nmap 192.168.232.132
    

    nmap -O 192.168.232.132
    

    4.3 Information gathering: network service scanning

    Telnet service scan

    msfconsole
    use auxiliary/scanner/telnet/telnet_version
    set RHOSTS 192.168.232.132-135
    run
    

    SSH service scan

    msfconsole
    use auxiliary/scanner/ssh/ssh_version
    set RHOSTS 192.168.232.132-135 
    run 
    

    Oracle database service enumeration

    msfconsole
    use auxiliary/scanner/oracle/tnslsnr_version
    set RHOSTS 192.168.232.132-135 
    run 
    

    Password guessing and sniffing

    use auxiliary/scanner/ssh/ssh_login 
    set RHOSTS 192.168.232.132
    set USERNAME Win720155228ver2
    set PASS_FILE /root/password.txt 
    set THREADS 200
    run
    

    4.4 Vulnerability scanning: OpenVAS

    Download and install OpenVAS

    apt-get update
    apt-get dist-upgrade
    apt-get install openvas
    

    Check the OpenVAS setup

    openvas-check-setup
    

    Error message

    openvas-check-setup 2.3.7
      Test completeness and readiness of OpenVAS-9
    
      Please report us any non-detected problems and
      help us to improve this check routine:
      http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
    
      Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
    
      Use the parameter --server to skip checks for client tools
      like GSD and OpenVAS-CLI.
    
    Step 1: Checking OpenVAS Scanner ... 
            OK: OpenVAS Scanner is present in version 5.1.1.
            OK: redis-server is present in version v=4.0.7.
            OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
            ERROR: redis-server is not running or not listening on socket: /tmp/redis.sock
            FIX: You should start the redis-server or configure it to listen on socket: /tmp/redis.sock
    
     ERROR: Your OpenVAS-9 installation is not yet complete!
    
    Please follow the instructions marked with FIX above and run this
    script again.
    
    If you think this result is wrong, please report your observation
    and help us to improve this check routine:
    http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
    Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
    
    

    Solution found online

    redis-server doesn't listen on /tmp/redis.sock by default. Try adding the line unixsocket /tmp/redis.sock to your redis.conf and running /etc/init.d/redis-server restart?

    1. Locate and edit the redis.conf file

    2. Restart redis-server
    /etc/init.d/redis-server restart

    Run the check again

    openvas-check-setup
    

    The problem persists

    So I just copied someone else's virtual machine to finish the lab instead.

    • First, enter the following command in a terminal
    openvas-start

    • Next, open a browser and go to
    https://127.0.0.1:9392

    If access is blocked, click Advanced and add the site as trusted.

    • Then create a new task, set the scan target to 192.168.232.132, leave the other parameters at their defaults, and click the Create button

    • Finally, view the scan report


    Original post: https://www.cnblogs.com/besti20155228/p/8999534.html