Test 1: Network Scanning and Network Investigation

Network scanning and network reconnaissance

Affirmation: This article records the tasks assigned by the teacher. There is no illegal behavior; it is only for learning and use. The operations in the article cause no harm or loss to others, and all sensitive operations were completed in a virtual machine. I also hope that all students studying information security abide by the relevant network security laws and do not use these techniques for illegal acts!

The purpose of network scanning and network reconnaissance

Apart from choosing the target, the attacker's main work before launching a full attack is to collect as much information about the target as possible. This information mainly includes the target's operating system type and version, which services the target provides, the type and version of each service, and related social information.

The attacker generally uses seven basic steps to collect target information:

(1) Find the initial information, such as an IP address or a domain name;

(2) Find the network address range, or subnet mask;

(3) Find the live (active) hosts;

(4) Find open ports and entry points;

(5) Find out the operating system;

(6) Find out which service is running on each port;

(7) Find the possible loopholes in the target.

Introduction to common tools

  • Search engine: Google Hacking or Baidu

    ​ Google Hacking uses the power of Google search to find the information we need across the vast Internet. Lightweight searches can turn up leftover backdoors and admin entrances that were not meant to be discovered; medium-weight searches reveal user information leaks, source code leaks, unauthorized access and the like; heavyweight searches may expose downloadable mdb files, CMS instances whose install page was never locked, website configuration passwords, PHP remote file inclusion vulnerabilities and other important information.

  • WinHex

    ​ WinHex is built around a general-purpose hexadecimal editor and is aimed at computer forensics, data recovery, low-level data processing, IT security and everyday emergencies. It is used to inspect and repair data loss caused by damaged files, to undelete files, and to deal with hard disk damage, digital camera card damage and so on.

  • Nmap

    ​ Nmap is a network reconnaissance and security scanning program. System administrators and individuals can use it to scan large networks and learn which hosts are up and what services they provide. Nmap supports many scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open scan), FTP proxy (bounce attack), reverse-ident, ICMP, FIN, ACK, Xmas Tree, SYN and Null scanning. Nmap also provides advanced features such as operating system detection through TCP/IP stack fingerprinting, stealth scanning, dynamic delay and retransmission calculation, parallel scanning, detection of down hosts through parallel ping scanning, decoy scanning, evasion of port-filter detection, direct RPC scanning (no port mapper required), fragment scanning, and flexible target and port selection.
    ​ Running Nmap usually yields a list of the scanned host's ports. For well-known ports Nmap gives the service name (where possible), the port number, the state and the protocol. Each port's state is one of open, filtered or unfiltered. Open means the target host can accept connections on this port with the accept() system call. Filtered means a firewall, packet filter or other network security software covers the port and prevents Nmap from determining whether it is open. Unfiltered means the port is closed and no firewall or packet filter is interfering with Nmap's probes. Normally ports are reported as unfiltered only when most of the scanned ports are filtered.
    Depending on the options used, Nmap can also report the following characteristics of the remote host: the operating system in use, the TCP sequence predictability, the user name that runs the application bound to each port, the DNS name, whether the host address is a spoofed address, and some other things.

  • Metasploit

    ​ Metasploit is an open source vulnerability detection tool that helps security and IT professionals identify security issues, verify mitigations for vulnerabilities, and manage expert-driven security assessments to provide real security risk intelligence. Its functions include smart exploitation, code auditing, web application scanning and social engineering.


1. Use the search engine Google or Baidu to search for PDF documents about "network security" on the MIT website

Use search operators to construct the query: site:mit.edu filetype:pdf network security

2. Find out where the girl in the photo travels

By searching for the text visible in the picture, "letrentehuit",
we find a cafe in Paris, France.
Further, we look up photos of the cafe from previous years and compare them; the cafe in the picture is the same one photographed in 2015.

3. Mobile phone location positioning

Using the LAC (Location Area Code) and the CID (Cell Identity, the base-station number, a 16-bit value in the range 0 to 65535), one can look up the location of the base station the phone is connected to, and thus roughly determine the location of the phone user.

Get the LAC and CID of your mobile phone:

How to get them on Android: dial *#*#4636#*#* and check under the phone information entry of the engineering (testing) mode

How to get them on iPhone: dial *3001#12345#* to enter Field Test and view the values

Note: This method is not available on all phones

4. Encoding and decoding

Decode Z29vZCBnb29kIHN0dWR5IQ==.

From the "==" at the end, we can preliminarily conclude that it is base64 encoding.

Note: base64 is an encoding scheme, usually used to represent binary data as printable characters.

The encoded data is a string drawn from 64 characters: A-Z, a-z, 0-9, + and / (actually 65 characters, since "=" is a padding character). That is why the trailing "==" lets us preliminarily judge it to be base64.

The decoded information is: good good study!
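As an added example (not part of the original post), a hand-written decoder for the scheme just described: it makes the 64-character alphabet and the "=" padding rule explicit, decodes the string from the task, and rejects malformed input.

```python
# Added example, not from the original post: a hand-written base64 decoder that
# makes the 64-character alphabet and the "=" padding rule explicit.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
VALUE = {c: i for i, c in enumerate(ALPHABET)}   # character -> 6-bit value


def looks_like_base64(text: str) -> bool:
    """Cheap triage: alphabet only, length a multiple of 4, at most two '=' and only at the end."""
    body = text.rstrip("=")
    pad = len(text) - len(body)
    return len(text) % 4 == 0 and pad <= 2 and all(c in VALUE for c in body)


def b64decode_manual(text: str) -> bytes:
    """Decode base64: each group of 4 characters carries 24 bits = 3 bytes."""
    text = text.strip()
    if not looks_like_base64(text):
        raise ValueError("not well-formed base64")
    pad = len(text) - len(text.rstrip("="))
    out = bytearray()
    for i in range(0, len(text), 4):
        bits = 0
        for c in text[i:i + 4]:
            # '=' contributes zero bits; the bytes it stands for are dropped below
            bits = (bits << 6) | (0 if c == "=" else VALUE[c])
        out += bits.to_bytes(3, "big")
    # one '=' means the last group held 2 real bytes, two '=' mean it held only 1
    return bytes(out[:len(out) - pad])
```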

5. Address information

An Ethernet frame is captured on the intranet. The source MAC address is 98-CA-33-02-27-B5 and the destination IP address is 202.193.64.34. Answer the questions: what brand of device is the user using, and what website is being visited?

98-CA-33-02-27-B5: Apple

IP: Guilin City, Guangxi Zhuang Autonomous Region,
education network of the Institute of Electronic Industry
Since the address is in Guilin, Guangxi Zhuang Autonomous Region, could it be our own school? So we ping the official website of Guidian.
So the conclusion is that an Apple computer visited Guidian's homepage.
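An added example, not from the original post, showing how the fields used in this question are pulled out of a raw frame: the parser reads the 14-byte Ethernet header and the IPv4 header that follows, and reports the source MAC, its 3-byte OUI (the vendor prefix looked up above) and the destination IP. The sample frame is constructed here with the page's MAC and IP values; the destination MAC is a made-up gateway address.

```python
# Added example, not from the original post: parse a raw Ethernet/IPv4 frame to
# recover the fields the question asks about (source MAC, its OUI, destination IP).
import struct

ETHERTYPE_IPV4 = 0x0800


def fmt_mac(raw: bytes) -> str:
    """Render raw MAC bytes in the 98-CA-33-02-27-B5 notation used in the capture."""
    return "-".join(f"{b:02X}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Extract Ethernet header fields and, for IPv4 payloads, the IP header basics."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dst_mac": fmt_mac(dst_mac),
        "src_mac": fmt_mac(src_mac),
        "oui": fmt_mac(src_mac[:3]),   # first 3 bytes: vendor prefix for an OUI lookup
        "ethertype": ethertype,
    }
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[14:]
        if len(ip) < 20 or ip[0] >> 4 != 4:
            raise ValueError("payload is not an IPv4 header")
        ihl = (ip[0] & 0x0F) * 4              # IP header length in bytes
        info["proto"] = ip[9]                 # 6 = TCP, 17 = UDP
        info["src_ip"] = ".".join(str(b) for b in ip[12:16])
        info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
        info["payload"] = ip[ihl:]
    return info


def build_sample_frame() -> bytes:
    """Constructed frame matching the question: Apple MAC, 192.168.1.105 -> 202.193.64.34."""
    dst_mac = bytes.fromhex("001122334455")      # constructed gateway MAC
    src_mac = bytes.fromhex("98CA330227B5")      # source MAC from the question
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    # minimal 20-byte IPv4 header: TCP, TTL 64, checksum left 0 (not validated here)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, 6, 0,
                       bytes([192, 168, 1, 105]), bytes([202, 193, 64, 34]))
    return eth + ipv4
```

Mapping the OUI to a vendor name needs the IEEE OUI registry, which is not embedded here.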

Next, we visit https://whatismyipaddress.com to get MyIP information: 106.127.223.67
and then use ipconfig to query our local IP as: 192.168.1.105.
Obviously the two are not the same. Why?

The reason is that the locally queried address is the internal (private) network IP, while the website sees the external (public) IP that the router translates it to with NAT, so the two differ.

6. Nmap use

To use Nmap to scan the open ports of Metasploitable2 (the virtual machine image needs to be downloaded first), we need to be on the same network segment as the target machine, as shown in the figure:

Once on the same network segment, run nmap <target IP> to scan the open state of the target's ports.

You can see that Metasploitable2 has many open ports, and different ports correspond to different services. Here is some information I found on the Internet:

Service name: description
ftp: remote file transfer
ssh: remote connection
telnet: Telnet protocol
smtp: provides a reliable and effective email transmission protocol
domain: maps domain names to IP addresses
http: Hypertext Transfer Protocol
rpcbind: rpcbind is very similar to BIND or indeed any DNS server; when rpcgen compiles an RPC interface declaration into server and client stub code, a program number is chosen or obtained
netbios-ssn: provides the session service for connection-oriented communication
microsoft-ds: Telnet port
exec: the functions of the exec family do not return after successful execution
login: sign in
shell: a shell is an application that provides an interface through which users can access the services of the operating system kernel
rmiregistry: used for communication between different virtual machines
ingreslock: the Ingreslock backdoor program listens on port 1524, and connecting to port 1524 directly yields root privileges
nfs: lets different machines and different operating systems share each other's files over the network
ccproxy-ftp: mainly used for sharing broadband Internet access in a LAN (ADSL sharing, dedicated line, ISDN, satellite, Bluetooth and second-level proxy sharing) and proxied file transfer
mysql: database
postgresql: relational database server
vnc: remote connection (with a GUI)
X11: X11, also called the X Window System (X11 or X), is a bitmap display window system
irc: a network chat protocol
ajp13: directed packet protocol

Then we use nmap -O <target IP> to scan for operating system information:


Then we use Nmap to brute-force the login account and password of DVWA on Metasploitable2. First, we scan the destination IP on port 80 with the http-auth-finder script, nmap -p80 --script http-auth-finder <target IP>, to locate the DVWA login page.

Then use nmap -p-80 --script=http-form-brute --script-args=http-form-brute.path=/dvwa/login.php 192.168.154.133 (the IP address of Metasploitable2) to brute force, where /dvwa/login.php is the path of the login page and the trailing IP address is that of Metasploitable2 (adjust it to your actual address). The cracking process is slow, so please be patient.

EternalBlue: how the WannaCry worm exploits the vulnerability

WannaCry (also called Wanna Decryptor) is "worm-like" ransomware. A worm is a common kind of computer virus: an independent program that runs without any action by the computer user and spreads by continuously gaining partial or full control of vulnerable computers on the network. This virus propagates and replicates itself through a remotely exploitable high-risk vulnerability, and the encrypted files use strong double RSA+AES encryption, so at least for now the key cannot be cracked. The only defense is prevention: patch promptly, close ports such as 445 and 139, and install security software in time.

7. Use ZoomEye to search for a Siemens industrial control equipment


It can be seen that FTP, 80, 443 and other ports are open. An open FTP port exposes the device to buffer overflow attacks, information sniffing, the weakness of anonymous browsing, and browsing of system vulnerabilities; open ports 80 and 443 mean there may be a web interface, and vulnerabilities on the web side may also lead to attacks on the system.

8. WinHex simple data recovery and forensics

The elephant.jpg file cannot be opened; we use WinHex to repair it.

Open the file with WinHex and restore the JPG file header FF D8 FF E0; that is, change the bytes shown in the figure to FF D8, save, and the original picture opens.
Then open the smiley-face file with WinHex; at the end of the file we find the text "tom is the killer". Combined with this smiley face, isn't it creepy?
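An added example, not from the original post, that automates the two WinHex checks above: it detects a damaged JPEG start-of-image marker and patches it the way the FF D8 edit does, and it returns whatever bytes sit after the end-of-image marker, which is where the "tom is the killer" text was found. The sample bytes are constructed stand-ins, not the lab's files.

```python
# Added example, not from the original post. Minimal JPEG header/trailer forensics:
# detect a damaged Start Of Image marker, patch it as the WinHex step does, and
# expose any bytes appended after the End Of Image marker.
SOI = b"\xff\xd8"   # JPEG Start Of Image
EOI = b"\xff\xd9"   # JPEG End Of Image
APP0 = b"\xff\xe0"  # JFIF APP0 segment marker (the FF D8 FF E0 header)
APP1 = b"\xff\xe1"  # Exif APP1 segment marker


def header_status(data: bytes) -> str:
    """Classify the first bytes: 'ok', 'repairable' (only SOI damaged) or 'unknown'."""
    if len(data) < 10:
        return "unknown"
    if data[:2] == SOI:
        return "ok"
    # SOI is wrong but the segment after it still looks like JFIF/Exif,
    # so the rest of the file structure is probably intact
    if data[2:4] in (APP0, APP1) and data[6:10] in (b"JFIF", b"Exif"):
        return "repairable"
    return "unknown"


def repair_soi(data: bytes) -> bytes:
    """Rewrite bytes 0-1 to FF D8, the same edit made by hand in WinHex."""
    if header_status(data) != "repairable":
        raise ValueError("refusing to patch: header is intact or not recognisable")
    return SOI + data[2:]


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the last EOI marker (hidden text, appended files...).

    Uses the last EOI so an Exif thumbnail's own EOI is skipped; an appended
    second JPEG would need a full segment walk instead.
    """
    pos = data.rfind(EOI)
    if pos < 0:
        raise ValueError("no EOI marker found")
    return data[pos + 2:]


def build_samples() -> tuple:
    """Constructed stand-in for elephant.jpg: JFIF header, dummy body, EOI, appended text."""
    jfif_app0 = APP0 + b"\x00\x10" + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    good = SOI + jfif_app0 + b"\x00" * 32 + EOI + b"tom is the killer"
    bad = b"\x00\x00" + good[2:]   # first two bytes overwritten, as in the lab file
    return good, bad
```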

There are many programs for file recovery. I chose one called Hi Format Data Recovery Master. The operation is very simple: the data recovery completes with a single click.

Experiment summary

This experiment made me realize how powerful Internet search engines are and how many tasks they can help complete; it also covered using and searching picture information (active and passive search), going further with Nmap, and using WinHex for file modification and recovery.

These four modules give us a better understanding of network sniffing and network investigation, and lay the foundation for subsequent learning.


Origin blog.csdn.net/yghlqgt/article/details/109549984