[Web Penetration] Information Gathering
2022-06-30 17:10:29
Information-gathering tools and how to use them.
Overview
1. Web information gathering (reconnaissance), also called web footprinting, means learning every aspect of the target web service; it is the preparatory step before a web penetration.
2. Web footprinting covers the operating system, server type, database type, web container, web language, domain information, site directories, and so on.
3. Web information gathering involves search engines, site scanning, domain enumeration, fingerprinting and similar work.
Search engines
Google Hacking
Operators
-keyword
Function: the results must not contain this keyword
Example: 电影 -黑客 (movies, excluding "hacker")
(screenshot: results with "-")
(screenshot: results without "-")
*keyword
Function: fuzzy search; the results must contain this keyword, with * standing for the unknown part
Example: 电影 一个叫*决定* (movies, "a man called * decides *")
"keyword"
Function: forces this keyword to appear in the results
Example: 书籍 "web安全" (books, "web security")
(screenshot: results with quotes)
(screenshot: results without quotes)
site
Function: searches page content under the given domain; useful for finding subdomains and content related to that domain
Examples
site:zhihu.com
pages related to zhihu.com
“web安全” site:zhihu.com
pages on zhihu.com related to web security
filetype
Function: searches for a given file type
Examples
"web安全" filetype:pdf
PDF files related to "web安全" (web security)
site:csdn.net filetype:pdf
PDF files on csdn.net
inurl
Function: searches pages whose URL contains a given keyword; can be used to find sites with injection points
Examples
inurl:.php?id=
pages whose URL contains "php?id"
inurl:view.php=?
pages whose URL contains "view.php="
inurl:.jsp?id=
pages whose URL contains "jsp?id"
inurl:.asp?id=
pages whose URL contains "asp?id"
inurl: /admin/login.php
pages whose URL contains "/admin/login.php"
inurl:login
login pages whose URL contains "login"
intitle
Function: searches pages whose title contains a given keyword
Examples
intitle:后台登录
pages whose title is "后台登录" (back-end login)
intitle:后台管理 filetype:php
PHP pages whose title is "后台管理" (back-end administration)
intitle:index of "keyword"
directory listings related to the keyword
intitle:index of “parent directory”
directory listings that expose a parent directory
intitle:index of “password”
directory listings related to passwords
intitle:index of “login”
directory listings with login pages
intitle:index of “admin”
directory listings with back-end administration pages
intext
Function: searches pages whose body text contains a given keyword
Examples
intext:Powered by Discuz
pages of Discuz forums
intext:powered by wordpress
blogs built with WordPress
intext:Powered by *CMS
pages built with any *CMS
intext:powered by xxx inurl:login
back-end login pages of sites built with that product
Practical queries
Sites about movies, glamour pictures and the like
inurl:php?id= intitle:美剧
inurl:php?id= intitle:美女
inurl:php?id intitle:美女图片 intext:powered by discuz
inurl:php?id intitle:美女图片 intext:Powered by *cms
Forums built with Discuz
inurl:php?id intitle:电影 intext:powered by discuz
intext:”powered by discuz! 7.2” inurl:faq.php intitle:论坛
Sites that use Struts
intitle:"Struts Problem Report"
intitle:"Struts Problem Report" intext:"development mode is enabled."
Google Hacking Database: https://www.exploit-db.com/google-hacking-database/
Shodan Hacking
About Shodan
Shodan was written by web engineer John Matherly and has been called "the scariest search engine"; it scans every internet-connected device
Besides ordinary web servers it also indexes firewalls, routers, switches, cameras, printers and any other networked device
Browser extensions are available for Chrome and Firefox
Using Shodan
Basic features
Search by IP
Syntax
8.8.8.8
1. Resolve the domain name to the target server's IP address
2. Enter the target IP into Shodan to get its hosting (IDC) and web service information
Example (screenshot)
Search by service/protocol
Telnet
telnet
telnet default password
telnet product:"Check Point Firewall-1 telnetd"
telnet product:"Check Point Firewall-1 telnetd" country:"JP"
HTTP
http
http country:"DE"
http country:"DE" product:"Apache httpd"
http product:"Apache httpd"
SSH
ssh
ssh default password
ssh default password country:"JP"
Search by keyword
Notes
Keyword search works from banner text (the device fingerprint)
Different vendors and products show different login banners
Many users have already collected and published banners that you can learn from
default password
finds devices that may still accept default credentials
"default password" country:"TH"
Cisco Devices
finds Cisco devices
cisco-ios last-modified
200 OK product:"Cisco IOS http config"
200 OK cisco
FTP anon successful
finds FTP services that allow anonymous access
Webcam
finds network cameras
netcam
Server: SQ-WEBCAM
ip webcam no cache
linux upnp avtech
IPCamera_Logo
logitec
Browser extension (addons)
Install the extension
Browse to a site
Click the Shodan icon
Read the detailed information it shows
Advanced features
Filters
Note
Advanced filter keywords are available after registering and logging in
country
filter by country
country:cn
country:us
country:jp
product
filter by product/service
product:"Microsoft IIS httpd"
product:"nginx"
product:"Apache httpd"
product:MySQL
version
filter by version
product:MySQL version:"5.1.73"
product:"Microsoft IIS httpd" version:"7.5"
hostname
filter by hostname or domain
hostname:.org
hostname:.edu
os
filter by operating system
os:"Windows Server 2008 R2"
country:jp os:"Windows Server 2008 R2"
os:"Windows 7 or 8"
os:"Linux 2.6.x"
net
filter by network range
net:110.180.13.0/24
200 ok net:110.180.13.0/24
200 ok country:JP net:110.180.13.0/24
port
filter by port
port:3389
port:445
port:80
port:500
port:4500
Combined filters
devices in Japan with port 80 open
country:jp port:"80"
country:jp port:"80" product:"Apache httpd"
country:jp port:"80" product:"Apache httpd" city:"Tokyo"
country:jp port:"80" product:"Apache httpd" city:"Tokyo" os:"Linux 3.x"
devices in Japan running Linux 2.6.x
country:jp os:"Linux 2.6.x"
country:jp os:"Linux 2.6.x" port:"80"
country:jp os:"Linux 2.6.x" port:"80" product:"Apache httpd"
devices in Japan running Windows Server
country:jp os:"Windows Server 2008 R2"
country:jp os:"Windows Server 2003" port:"445"
country:jp os:"Windows Server 2003" port:"80"
devices in Japan running Microsoft IIS
country:jp product:"Microsoft IIS httpd" version:"7.5"
Exploits
https://exploits.shodan.io/welcome
Having found a server with the Heartbleed vulnerability
look up exploit code at the link above by keyword
(or go straight to Metasploit)
Map
currently a paid feature
Reports
Expert features
API access
Notes
https://developer.shodan.io/
https://cli.shodan.io/
The API can be driven from a programming language such as Python, Ruby or Perl
and used to build your own intelligence database
Example
Install the Shodan Python package
root@kali:~# pip install shodan
Collecting shodan
Downloading shodan-1.6.9.tar.gz
Requirement already satisfied: click in /usr/lib/python2.7/dist-packages (from shodan)
Successfully built shodan click-plugins
Installing collected packages: click-plugins, shodan
Successfully installed click-plugins-1.0.3 shodan-1.6.9
Show the Shodan command-line help
root@kali:~# shodan -h
Commands:
alert Manage the network alerts for your account
convert Convert the given input data file into a...
count Returns the number of results for a search
download Download search results and save them in a...
honeyscore Check whether the IP is a honeypot or not.
host View all available information for an IP...
info Shows general information about your account
init Initialize the Shodan command-line
myip Print your external IP address
parse Extract information out of compressed JSON...
scan Scan an IP/ netblock using Shodan.
search Search the Shodan database
stats Provide summary information about a search...
stream Stream data in real-time.
Usage: shodan [OPTIONS] COMMAND [ARGS]...
Options:
-h, --help Show this message and exit.
Initialise the CLI with your API key
root@kali:~# shodan init g2z3gioSKVC0xxxNAJluqsQze3P9xxx
Successfully initialized
Show your own external IP
root@kali:~# shodan myip
xx.11.10.32
Look up an IP address
root@kali:~# shodan host 8.8.8.8
8.8.8.8
Hostnames: google-public-dns-a.google.com
City: Mountain View
Country: United States
Organization: Google
Number of open ports: 2
Ports: 53
Count the results for a service
root@kali:~# shodan count microsoft iis 6.0
572047
root@kali:~# shodan count nginx
18590461
root@kali:~# shodan count Apache httpd
24179
……
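As an added example (not from the original note and not Shodan's own tooling): the same API lookups, pointed at your own address space and turned into an exposure checklist. It assumes the record shape of Shodan's host JSON (ip_str, ports, os, one entry per service under data); the sample record is constructed, and the live lookup through the `shodan` package is optional and needs SHODAN_API_KEY.

```python
import os

# Ports the searches above single out (port:3389, port:445, telnet, FTP) and why they matter
RISKY_PORTS = {
    21: "FTP exposed (check whether anonymous login is allowed)",
    23: "Telnet exposed (cleartext logins)",
    445: "SMB exposed to the internet",
    3389: "RDP exposed to the internet",
}
# Banner fragments the keyword searches above key on
BANNER_FLAGS = ("default password", "230 anonymous", "login:")
# OS strings that are past end of life (os:"Windows Server 2003", os:"Linux 2.6.x", ...)
EOL_OS = ("Windows Server 2003", "Windows Server 2008", "Linux 2.6")


def assess_host(host: dict) -> list:
    """Return findings for one host record in the shape of Shodan's host JSON
    (ip_str, ports, os, and one entry per service under 'data')."""
    findings = []
    ip = host.get("ip_str", "?")
    for port in sorted(host.get("ports", [])):
        if port in RISKY_PORTS:
            findings.append(f"{ip}:{port} {RISKY_PORTS[port]}")
    for svc in host.get("data", []):
        port = svc.get("port")
        banner = (svc.get("data") or "").lower()
        for flag in BANNER_FLAGS:
            if flag in banner:
                findings.append(f"{ip}:{port} banner contains '{flag}'")
        if svc.get("product") and svc.get("version"):
            findings.append(f"{ip}:{port} discloses {svc['product']} {svc['version']}")
    os_name = host.get("os") or ""
    if any(eol in os_name for eol in EOL_OS):
        findings.append(f"{ip} fingerprinted as end-of-life OS: {os_name}")
    return findings


def fetch_host(ip: str) -> dict:
    """Live lookup with the official `shodan` package (pip install shodan);
    reads the API key from the SHODAN_API_KEY environment variable."""
    import shodan  # imported here so the offline part of this file runs without the package
    return shodan.Shodan(os.environ["SHODAN_API_KEY"]).host(ip)


# Constructed record (not real Shodan data); 203.0.113.7 is a documentation address.
SAMPLE_HOST = {
    "ip_str": "203.0.113.7",
    "os": "Windows Server 2008 R2",
    "ports": [23, 80, 445, 3389],
    "data": [
        {"port": 23, "transport": "tcp",
         "data": "Login: \r\nPassword: \r\n(default password admin/1234)"},
        {"port": 80, "transport": "tcp", "product": "Microsoft IIS httpd", "version": "7.5",
         "data": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"},
        {"port": 445, "transport": "tcp", "data": "SMB Status:\n  Authentication: enabled\n"},
        {"port": 3389, "transport": "tcp", "data": "Remote Desktop Protocol\n"},
    ],
}

if __name__ == "__main__":
    for finding in assess_host(SAMPLE_HOST):
        print(finding)
```

Swap SAMPLE_HOST for `fetch_host("<your public ip>")` to run the same checks on live data for an address you are responsible for.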
Practical cases
Wireless (wireless routers)
Syntax
edimax
"default password"
Example
http://106.105.104.xxx:8080/index.asp
http://106.105.109.xxx:8080/index.asp
admin/1234
Webcam
Syntax
hikvision
DNVRS-Webs
Server: SQ-WEBCAM
ip webcam no cache
linux upnp avtech
Example
https://110.170.x.y
Cisco
Syntax
200 OK cisco
cisco-ios last-modified
Example
telnet 110.170.x.y/
ZoomEye Hacking
About ZoomEye
ZoomEye (钟馗之眼) is a search engine for cyberspace
https://www.zoomeye.org/
It can be thought of as "the Chinese Shodan" and is made by Knownsec (知道创宇)
Using ZoomEye
Manual
https://www.zoomeye.org/help/manual
Filters
Host devices
ip
os
app
service
port
product
country
ver
cidr
hostname
Web devices
site
ip
title
app
header
keywords
desc
Vision
https://www.zoomeye.org/vision/
https://www.zoomeye.org/
API
https://www.zoomeye.org/api
Cases
site:zhihu.com
title:电影
wordpress
wordpress product:"Apache httpd"
wordpress product:"Apache httpd" port:443
wordpress product:"Apache httpd" port:443 country:Japan
discuz product:"Microsoft IIS httpd"
Tips
https://fofa.so/ (FOFA, another cyberspace search engine of the same kind)
Target scanning
Nmap
About
Nmap is the most powerful open-source port scanner in the security field and runs cross-platform
Kali Linux 2017 ships with Nmap 7
On Windows, Nmap 7 must be installed (with the VC2013 runtime, msvcr/msvcp)
Nmap probes IPs, ports, operating systems and application services, and supports script-based scanning
Besides the command line it can also be driven graphically through Zenmap
https://nmap.org/
http://sectools.org/
Usage
Command-line operation
Show the nmap help
nmap -help
Host discovery
nmap -sn 192.168.199.0/24
root@kali:~# nmap -sn 192.168.199.0/24
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-26 11:53 EDT
Nmap scan report for Hiwifi.lan (192.168.199.1)
Host is up (0.019s latency).
MAC Address: D4:EE:07:54:C1:9E (Hiwifi)
Nmap scan report for WIN-D8AQGLD2TT5.lan (192.168.199.116)
Host is up (0.00063s latency).
MAC Address: AC:BC:32:8B:56:DF (Apple)
Nmap scan report for DESKTOP-QEB30T2.lan (192.168.199.152)
Host is up (0.38s latency).
MAC Address: 74:E5:0B:F0:69:B8 (Intel Corporate)
Nmap scan report for owaspbwa.lan (192.168.199.174)
Host is up (0.00027s latency).
MAC Address: 00:0C:29:91:E4:7F (VMware)
Nmap scan report for kali.lan (192.168.199.247)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 3.85 seconds
Port scanning
nmap -sS -p1-1000 192.168.199.174
TCP SYN (half-open) scan over a specified port range
root@kali:~# nmap -sS -p1-1000 192.168.199.174
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-26 11:59 EDT
Nmap scan report for owaspbwa.lan (192.168.199.174)
Host is up (0.00028s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
MAC Address: 00:0C:29:91:E4:7F (VMware)
OS detection
nmap -O 192.168.199.174
root@kali:~# nmap -O 192.168.199.174
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-26 12:02 EDT
Nmap scan report for owaspbwa.lan (192.168.199.174)
Host is up (0.00051s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
5001/tcp open commplex-link
8080/tcp open http-proxy
8081/tcp open blackice-icecap
MAC Address: 00:0C:29:91:E4:7F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds
root@kali:~# nmap -O 192.168.199.116
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-26 12:03 EDT
Nmap scan report for WIN-D8AQGLD2TT5.lan (192.168.199.116)
Host is up (0.00048s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1040/tcp open netsaint
1111/tcp open lmsocialserver
5357/tcp open wsdapi
MAC Address: 00:0C:29:08:E0:7A (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.86 seconds
Version detection
nmap -sV 192.168.199.174
root@kali:~# nmap -sV 192.168.199.174
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-26 12:07 EDT
Nmap scan report for owaspbwa.lan (192.168.199.174)
Host is up (0.00031s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Courier Imapd (released 2008)
443/tcp open ssl/http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open java-rmi Java RMI
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open http Jetty 6.1.25
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.40%I=7%D=5/26%Time=592852B6%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4,"\xac\xed\0\x05");
MAC Address: 00:0C:29:91:E4:7F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.79 seconds
root@kali:~# nmap -sV 192.168.199.116
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-26 12:09 EDT
Stats: 0:00:55 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 60.00% done; ETC: 12:10 (0:00:36 remaining)
Nmap scan report for WIN-D8AQGLD2TT5.lan (192.168.199.116)
Host is up (0.00030s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1028/tcp open msrpc Microsoft Windows RPC
1040/tcp open msrpc Microsoft Windows RPC
1111/tcp open msrpc Microsoft Windows RPC
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 00:0C:29:08:E0:7A (VMware)
Service Info: Host: WIN-D8AQGLD2TT5; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.35 seconds
Comprehensive scan
nmap -A 192.168.199.174
root@kali:~# nmap -A 192.168.199.174
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-26 12:23 EDT
Nmap scan report for owaspbwa.lan (192.168.199.174)
Host is up (0.00052s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ea:83:1e:45:5a:a6:8c:43:1c:3c:e3:18:dd:fc:88:a5 (DSA)
|_ 2048 3a:94:d8:3f:e0:a2:7a:b8:c3:94:d7:5e:00:55:0c:a7 (RSA)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
|_http-title: owaspbwa OWASP Broken Web Applications
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Courier Imapd (released 2008)
|_imap-capabilities: NAMESPACE IDLE CHILDREN SORT OK THREAD=REFERENCES ACL2=UNIONA0001 QUOTA CAPABILITY IMAP4rev1 THREAD=ORDEREDSUBJECT ACL completed UIDPLUS
443/tcp open ssl/http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
|_http-title: owaspbwa OWASP Broken Web Applications
| ssl-cert: Subject: commonName=owaspbwa
| Not valid before: 2013-01-02T21:12:38
|_Not valid after: 2022-12-31T21:12:38
|_ssl-date: 2017-05-26T16:17:33+00:00; -5m50s from scanner time.
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open java-rmi Java RMI
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Site doesn't have a title.
8081/tcp open http Jetty 6.1.25
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Jetty(6.1.25)
|_http-title: Choose Your Path
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.40%I=7%D=5/26%Time=59285674%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4,"\xac\xed\0\x05");
MAC Address: 00:0C:29:91:E4:7F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -5m50s, deviation: 0s, median: -5m50s
|_nbstat: NetBIOS name: OWASPBWA, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms owaspbwa.lan (192.168.199.174)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.46 seconds
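The scan output above is easiest to act on once it is structured. The parser below is an added example, not part of the original note or of Nmap: it reads nmap's normal output and lists the items a defender should fix (TRACE enabled, SMB signing disabled, SMBv1-only, end-of-life versions). The sample is a shortened excerpt of the -A output above; which strings are worth flagging is this example's own assumption.

```python
import re

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# Script-output fragments from the -A output above that a defender should act on
SCRIPT_RULES = [
    (re.compile(r"Potentially risky methods: .*TRACE"), "HTTP TRACE enabled (cross-site tracing)"),
    (re.compile(r"message_signing: disabled"), "SMB signing disabled"),
    (re.compile(r"Server doesn't support SMBv2"), "SMBv1-only server"),
]
SERVICE_RULES = [
    (re.compile(r"^(telnet|ftp)$"), "cleartext protocol exposed"),
    (re.compile(r"OpenSSH [1-6]\."), "outdated OpenSSH"),
    (re.compile(r"Apache httpd 2\.2\."), "end-of-life Apache 2.2"),
]


def parse_nmap(text: str) -> list:
    """Parse nmap's normal output into host dicts:
    {host, ip, ports: [{port, proto, state, service, version, scripts}], host_scripts}."""
    hosts, host, port = [], None, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = {"host": m.group(1), "ip": m.group(2) or m.group(1), "ports": [], "host_scripts": []}
            hosts.append(host)
            port = None
            continue
        if host is None:
            continue
        m = PORT_LINE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                    "service": m.group(4), "version": m.group(5).strip(), "scripts": []}
            host["ports"].append(port)
        elif line.startswith("Host script results"):
            port = None  # the "|" lines that follow belong to the host, not to the last port
        elif line.startswith("|"):
            (port["scripts"] if port else host["host_scripts"]).append(line.lstrip("|_ ").strip())
    return hosts


def findings(hosts: list) -> list:
    """Return (ip, port, reason) triples; port 0 marks a host-level script result."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            out += [(h["ip"], p["port"], why) for rx, why in SERVICE_RULES
                    if rx.search(p["service"]) or rx.search(p["version"])]
            out += [(h["ip"], p["port"], why) for s in p["scripts"] for rx, why in SCRIPT_RULES if rx.search(s)]
        out += [(h["ip"], 0, why) for s in h["host_scripts"] for rx, why in SCRIPT_RULES if rx.search(s)]
    return out


# Shortened excerpt of the `nmap -A 192.168.199.174` output shown above
SAMPLE_OUTPUT = """\
Nmap scan report for owaspbwa.lan (192.168.199.174)
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30)
| http-methods:
|_  Potentially risky methods: TRACE
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
"""

if __name__ == "__main__":
    for ip, port, why in findings(parse_nmap(SAMPLE_OUTPUT)):
        print(f"{ip}:{port or '-'} {why}")
```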
Script scanning
nmap --script=default 192.168.199.174
scans with the default script set
nmap --script=auth 172.16.70.214
checks some applications for weak or default credentials
Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-15 02:26 EDT
Nmap scan report for 172.16.70.214
Host is up (0.00026s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-default-accounts:
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
|_http-default-accounts:
445/tcp open microsoft-ds
5001/tcp open commplex-link
8080/tcp open http-proxy
|_http-default-accounts:
8081/tcp open blackice-icecap
MAC Address: 00:0C:29:AD:F3:98 (VMware)
nmap --script=brute 192.168.199.174
runs simple brute-force checks
nmap --script=vuln 192.168.199.174
checks for common vulnerabilities
nmap --script=broadcast 192.168.199.174
discovers more services on the local network
nmap --script=smb-brute.nse 192.168.199.174
SMB credential scan
nmap --script=smb-check-vulns.nse --script-args=unsafe=1 192.168.199.174
SMB vulnerability scan
nmap --script=smb-vuln-conficker.nse --script-args=unsafe=1 192.168.199.174
SMB vulnerability scan (Nmap 7.4)
nmap --script=telnet-brute 192.168.199.174
brute-forces the telnet service
nmap -p3306 --script=mysql-empty-password.nse 192.168.199.174
checks MySQL for empty passwords
nmap --script=ssh-hostkey.nse 172.16.70.213
retrieves the SSH host keys
nmap --script="ssh-*" 172.16.70.213
runs every SSH script (quoted so the shell does not expand the wildcard)
nmap --script="http-*" 172.16.70.213
runs every HTTP script
nmap --script="mysql-*" 172.16.70.213
runs every MySQL script
root@kali:/usr/share/nmap/scripts# pwd
/usr/share/nmap/scripts
Graphical operation
Zenmap interface
Intense scan
Description
nmap -T4 -A -v 192.168.199.174
-T
timing template, level 1 to 5; the higher the number, the faster the scan
-A
comprehensive scan (OS detection, version detection, default scripts and traceroute)
-v
verbose output of the scan progress
Example (screenshot)
Intense scan plus UDP
Description
nmap -sS -sU -T4 -A -v 192.168.199.174
-T
timing template, level 1 to 5; the higher the number, the faster the scan
-A
comprehensive scan
-v
verbose output of the scan progress
-sS
TCP SYN (half-open) scan
-sU
UDP scan
Example (screenshot)
Intense scan, all TCP ports
Description
nmap -p 1-65535 -T4 -A -v 192.168.199.174
-T
timing template, level 1 to 5; the higher the number, the faster the scan
-A
comprehensive scan
-v
verbose output of the scan progress
-p
port range; by default the 1000 most common ports are scanned
Example (screenshot)
Intense scan, no ping
Description
nmap -T4 -A -v -Pn 192.168.199.174
-T
timing template, level 1 to 5; the higher the number, the faster the scan
-A
comprehensive scan
-v
verbose output of the scan progress
-Pn
skip the ping check, e.g. for hosts behind firewalls or other security products
Example (screenshot)
Ping scan
Description
nmap -sn 192.168.199.0/24
-sn
ping scan only, no port scan
nmap -sn -T4 -v 14.29.117.0/24
fast ping scan
Example (screenshot)
Quick scan
Description
nmap -T4 -F 192.168.199.0/24
-T
timing template, level 1 to 5; the higher the number, the faster the scan
-F
fast mode: scans only the common service ports, fewer than the default 1000
Example (screenshot)
Quick scan plus
Description
nmap -sV -T4 -O -F --version-light 192.168.199.174
-T
timing template, level 1 to 5; the higher the number, the faster the scan
-F
fast mode: scans only the common service ports, fewer than the default 1000
-sV
service and version detection
-O
operating system detection
Example (screenshot)
Quick traceroute
Description
nmap -sn --traceroute www.baidu.com
Example (screenshot)
Regular scan
Description
nmap www.baidu.com
default scan
Example (screenshot)
Slow comprehensive scan
Description
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" www.baidu.com
comprehensive scan
with explicit probe ports and script selection
Example (screenshot)
OpenVAS
About
OpenVAS (Open Vulnerability Assessment System) is a very powerful open-source vulnerability scanner, the open-source branch of Nessus
It offers comprehensive vulnerability scanning and management, supports custom scan plugins, and exports reports in HTML/PDF/XML and other formats
It is operated through a web interface, the Greenbone Security Assistant, which is simple and convenient
http://www.openvas.org/
http://www.greenbone.net/
Usage
Installing OpenVAS
Kali Linux 2017 supports the latest OpenVAS 9.0
https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/
https://www.kali.org/news/kali-linux-20171-release/
apt-get update
apt install openvas
Download the packages
root@kali:~# apt-get install openvas
If the installation fails, the package source may be the problem; switch to a Chinese mirror
1. Open the sources file
leafpad /etc/apt/sources.list
2. Add a Kali mirror and save
Kali mirrors
# USTC
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
# Aliyun
deb http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
# Tsinghua University
deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
# Zhejiang University
deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
# Neusoft University
deb http://mirrors.neusoft.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.neusoft.edu.cn/kali kali-rolling main non-free contrib
# official source
deb http://http.kali.org/kali kali-rolling main non-free contrib
deb-src http://http.kali.org/kali kali-rolling main non-free contrib
3. Update apt
apt-get update && apt-get upgrade && apt-get dist-upgrade
4. Remove the downloaded package files
apt-get clean
5. Reboot
reboot
Set up OpenVAS
root@kali:~# openvas-setup
Check the installation
root@kali:~# openvas-check-setup
openvas-check-setup 2.3.7
Test completeness and readiness of OpenVAS-9
It seems like your OpenVAS-9 installation is OK.
Start the services
root@kali:~# openvas-start
Starting OpenVas Services
Starting Greenbone Security Assistant: gsad.
Starting OpenVAS Scanner: openvassd.
Starting OpenVAS Manager: openvasmd.
Check the status
root@kali:~# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 1222/openvasmd
tcp 0 0 127.0.0.1:9391 0.0.0.0:* LISTEN 2410/openvassd: Wa
tcp 0 0 127.0.0.1:9392 0.0.0.0:* LISTEN 7128/gsad
The manager listens on 9390, the scanner on 9391 and the Greenbone Security Assistant (gsad) on 9392
Changing the default listen address and port
root@kali:~# vi /etc/default/greenbone-security-assistant
Fixing a failed service start
If OpenVAS suddenly fails to start, the database may be at fault
apt-get purge redis-server
apt-get purge openvas
apt-get install openvas
openvas-setup
Using OpenVAS
First access
https://127.0.0.1:9392
Use https, not http
Initial credentials
Username: admin
jaykingchen
Password: (printed at the end of the setup)
6f17e2fb-e5c0-438e-9e9e-44812ef150af
Interface
Creating a scan task
Advanced scan task
Viewing scan reports
Exporting scan reports
Managing scan rules
Viewing scan rules
Importing and exporting rules
Changing scan settings
Domain enumeration
About
Directory enumeration and subdomain brute-forcing of a website are commonly used in penetration testing
Beyond the ordinary content meant for regular users, enumeration and brute-forcing
can uncover hidden and more valuable sensitive directories and files, such as admin pages or robots.txt
DirBuster
About
An OWASP tool for domain and directory enumeration, written in Java and multi-threaded
It brute-forces a site's directories and files (including hidden ones) to give a better picture of the target
and to find valuable content such as password files and back-end administration addresses
Usage
Interface overview
Scan case 1
Start DirBuster
Configure DirBuster
Set the target
http://www.baidu.com
Load a wordlist
wordlist path: /usr/share/wordlists/dirbuster
Choose the thread count
default 10; after ticking "Go Faster" set it to 200
Starting path
if unset, scanning starts from the root
Run the brute force
Export the report
Scan case 2
Scan only the subdirectories and files under one directory
Leave recursion unticked so other directories are not scanned; the whole run is much faster
御剑 back-end scanner (Yujian)
About
A Chinese tool dedicated to finding back-end administration addresses
Usage
Interface overview
Scan case
Set the domain
Set the thread count and timeout
left at the defaults here
Choose the site type
if the back-end language is unknown, select all
if the site type is known, e.g. PHP, select only PHP; this is far more efficient
the site type can be determined with a vulnerability scanner
Layer subdomain miner (Layer子域名挖掘机)
About
Brute-forces subdomains of the given domain
Usage
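From the defender's side, the directory and back-end brute forcing described above shows up in the web server's access log. The detector below is an added example (not from the original note or from any of the tools above): it parses combined-format log lines, flags a client that produces many distinct 404s inside a sliding window, and flags any non-404 response on paths such as /admin or /backup. The log lines are constructed; the window size and threshold are assumed values to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
WINDOW_SECONDS = 60        # sliding window per client (assumed value)
NOT_FOUND_THRESHOLD = 8    # distinct 404 paths from one client within the window (assumed value)
# Paths that wordlists such as /usr/share/wordlists/dirbuster probe for; a non-404 means one exists
SENSITIVE_PREFIXES = ("/admin", "/backup", "/.git", "/.svn", "/phpmyadmin", "/config")


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status, _ = m.groups()
    when = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")  # timezone offset dropped
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}


def detect(lines) -> list:
    """Return alert strings: 404 bursts (directory brute force) and hits on sensitive paths."""
    alerts, reported = [], set()
    recent = defaultdict(deque)  # ip -> deque of (time, path) for 404s inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            q = recent[rec["ip"]]
            q.append((rec["time"], rec["path"]))
            while (rec["time"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
            distinct = len({p for _, p in q})
            if distinct >= NOT_FOUND_THRESHOLD and rec["ip"] not in reported:
                reported.add(rec["ip"])
                alerts.append(f"{rec['ip']}: {distinct} distinct 404 paths within {WINDOW_SECONDS}s "
                              "(directory brute force)")
        elif rec["path"].lower().startswith(SENSITIVE_PREFIXES):
            alerts.append(f"{rec['ip']}: {rec['status']} on sensitive path {rec['path']}")
    return alerts


# Constructed log lines: one normal visitor, then one client sweeping a wordlist
SAMPLE_LOG = [
    '192.0.2.10 - - [26/May/2017:11:53:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.23 - - [26/May/2017:11:53:{sec:02d} -0400] "GET /{p} HTTP/1.1" 404 289 "-" "DirBuster-1.0-RC1"'
    for sec, p in enumerate(["cgi-bin/", "images/", "test/", "old/", "bak/", "tmp/",
                             "wp-admin/", "phpinfo.php", "conf/"], start=2)
] + [
    '198.51.100.23 - - [26/May/2017:11:53:12 -0400] "GET /admin/login.php HTTP/1.1" 200 1843 "-" "DirBuster-1.0-RC1"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```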
Fingerprinting
About
Directory enumeration and subdomain brute-forcing study what a site contains, i.e. its map and architecture
Fingerprinting instead asks: what open-source system is the site built on? Which CMS? Which forum software? Which technology stack?
wordpress
discuz 3.x 7.x
php
If a serious vulnerability appears in Discuz 7.x or DedeCMS (织梦CMS), fingerprinting lets us find the affected sites and exploit it easily
WhatWeb
About
Retrieves the target site's system, container and scripting-language version information
Usage
whatweb -h
show the options
whatweb 192.168.199.174
basic scan
whatweb 192.168.199.174 -a 3 -v
verbose output
aggression level set to 3
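The banners WhatWeb reports are the same strings the Google dorks earlier in this note (intext:Powered by Discuz, intitle:index of, "Struts Problem Report") key on, so a site owner can check their own responses for them. The fingerprinter below is an added example, not WhatWeb's code or the original note's; the HTTP response it examines is constructed, and the pattern list is this example's own choice of what to look for.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Fingerprint:
    technologies: dict = field(default_factory=dict)  # product -> version ("" if unknown)
    exposures: list = field(default_factory=list)     # strings a search-engine dork could match


# "Name/version" tokens in Server and X-Powered-By headers, e.g. Apache/2.2.14, Microsoft-IIS/7.5
HEADER_TOKEN = re.compile(r"([A-Za-z][\w-]*)/(\d[\w.-]*)")
TITLE = re.compile(r"<title>\s*([^<]*?)\s*</title>", re.I | re.S)
# Body strings the Google dorks key on: (label, regex with optional version group, matching dork)
BODY_PATTERNS = [
    ("Discuz!", re.compile(r"Powered by\s*(?:<a[^>]*>)?\s*Discuz!?\s*(?:</a>)?\s*v?([\d.]*\d)?", re.I),
     'intext:"powered by discuz"'),
    ("WordPress", re.compile(r'<meta name="generator" content="WordPress\s*([\d.]*\d)?', re.I),
     'intext:"powered by wordpress"'),
    ("Struts", re.compile(r"Struts Problem Report()", re.I), 'intitle:"Struts Problem Report"'),
]
DEV_MODE = re.compile(r"development mode is enabled", re.I)


def parse_response(raw: str):
    """Split a raw HTTP response into (headers, body); header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def fingerprint(raw: str) -> Fingerprint:
    """Identify server software, versions and dork-matchable strings in one HTTP response."""
    fp = Fingerprint()
    headers, body = parse_response(raw)
    for hdr in ("server", "x-powered-by"):
        for name, version in HEADER_TOKEN.findall(headers.get(hdr, "")):
            fp.technologies.setdefault(name, version)
    for label, pattern, dork in BODY_PATTERNS:
        m = pattern.search(body)
        if m:
            fp.technologies[label] = m.group(1) or ""
            fp.exposures.append(f"{label} banner in page body (findable with {dork})")
    m = TITLE.search(body)
    if m and m.group(1).lower().startswith("index of"):
        fp.exposures.append(f'directory listing "{m.group(1)}" (findable with intitle:"index of")')
    if DEV_MODE.search(body):
        fp.exposures.append('Struts development mode enabled (findable with intext:"development mode is enabled.")')
    return fp


# Constructed response (not captured from any real site) carrying the banners this note searches for
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch mod_ssl/2.2.14\r\n"
    "X-Powered-By: PHP/5.3.2-1ubuntu4.30\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head><body><h1>Index of /backup</h1>"
    '<a href="site.sql">site.sql</a>'
    '<p>Powered by <a href="http://www.discuz.net">Discuz!</a> 7.2</p></body></html>'
)

if __name__ == "__main__":
    result = fingerprint(SAMPLE_RESPONSE)
    print("technologies:", result.technologies)
    for e in result.exposures:
        print("exposure:", e)
```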
httprint
About
httprint is a web fingerprinting tool for Windows/Mac/Linux with a graphical interface
http://www.net-square.com/httprint.html
Usage
Import the domain list and signature file
Enter the domain
Export the report
御剑 fingerprinting (Yujian)
About
A Windows web fingerprinting tool; fast, with high recognition rates for Chinese CMS and forum systems
Usage