20155232 "Network Confrontation" Exp 6 Information Collection and Vulnerability Scanning

1. Practical content

(1) Application of various search techniques

(2) Query of DNS IP registration information

(3) Basic scanning techniques: host discovery, port scanning, OS and service version detection, and enumeration of specific services

(4) Vulnerability Scanning: Can scan, read reports, check vulnerability descriptions, and fix vulnerabilities

2. Practice process record

(1) Information collection

whois

Use whois to query the DNS registrant and contact information. Enter the following directly in the Kali terminal:

whois baidu.com

The following is the query result:

Problem:

After entering the command, the error shown in the figure was displayed. After searching online for a long time, I still did not know what the problem was.

Later I switched to the Kali I had installed myself earlier.

We can see the registered company, that there are 4 servers, and basic registration details such as province, fax and telephone.

The 3R registration information can be obtained from the above figure, including the registrant's name, organization, city and other information.

The registered company can be seen, along with 5 servers and basic registration details such as province, fax and telephone.

nslookup, dig query

  • Take the blog garden (cnblogs.com) as an example and perform a dig query:

    dig cnblogs.com

  • Next, use the nslookup command to query. The difference between nslookup and dig is that nslookup returns the result cached by the DNS resolving server, which is not necessarily accurate, while dig can query precise results from the authoritative DNS servers:

  • You can use the shodan search engine to query to get some registration information:

tracert route detection

  • Under Linux, use the traceroute command to detect the routes passed through on the way to the blog garden (cnblogs.com). We can look up these routers, or the geographical location of the machines, by IP address, and analyze the route taken by the data packets.

Since the virtual machine uses a NAT connection, the TTL-exceeded messages returned to traceroute cannot be mapped by NAT to a source IP address, source port, destination IP address, destination port and protocol, so the messages cannot be routed back through reverse NAT. Therefore the route detection was repeated under Windows (tracert). The location of these routers can be queried through an online IP lookup tool, and the route taken by the data packets analyzed:

search engine query technology

  • Use the search command format filetype:xxx NAME site:xxx.xxx to query.

    site: restricts the search to a specific site. If you know that a site contains what you are looking for, you can restrict the search to that site to make the query more efficient.

    filetype: restricts the search to a specified document format. Using the filetype syntax restricts the query terms to the specified document types; supported formats are pdf, doc, xls, ppt, rtf and all (all of the above formats). It is quite helpful for finding documents.

  • We can use search engines such as Baidu to query the information we want. For example, I want to query doc documents about scholarships on a website whose site scope is edu.cn:

Some personal information is disclosed in the document.

netdiscover discovery

  • Under Linux, execute the netdiscover command to directly detect hosts on the private network segment 192.168..

nmap scan

  • Use nmap -sn to scan for active hosts:

  • Use a TCP SYN scan (nmap -sS) on the target host 192.168.128.139:

  • Scan port information using the UDP protocol (nmap -sU):

  • nmap -O: scan a specific host's operating system

  • nmap -sV: scan a specific host for service version information
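
The scans above produce a lot of output per host; from the defender's side the useful step is turning that output into an inventory and diffing it against what each host is supposed to expose. The following is an added example, not code from the report: it parses nmap's grepable output format (nmap -oG) and flags open ports that are not on a per-host allowlist. The scan text is a constructed sample with made-up hosts and versions.

```python
import re
from typing import Dict, List, Set, Tuple

PortRecord = Tuple[int, str, str, str, str]  # port, state, proto, service, version

# Constructed sample of nmap "grepable" output (nmap -sV -oG -). It is not the
# report's real scan; hosts, ports and versions are made up for the example.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Sun Apr 22 10:00:00 2018 as: nmap -sV -oG - 192.168.128.0/24
Host: 192.168.128.139 ()\tStatus: Up
Host: 192.168.128.139 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 445/open/tcp//microsoft-ds//Samba smbd 3.X/\tIgnored State: closed (997)
Host: 192.168.128.140 ()\tStatus: Up
Host: 192.168.128.140 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.18/, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
"""

HOST_LINE = re.compile(r"^Host: (\S+) \(.*?\)\t(.*)$")


def parse_gnmap(text: str) -> Dict[str, List[PortRecord]]:
    """Return {ip: [port records]}; a Ports: entry is port/state/proto/owner/service/rpc/version/."""
    hosts: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        ip, rest = m.group(1), m.group(2)
        records = hosts.setdefault(ip, [])
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue  # Status:, Ignored State:, etc.
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue  # malformed entry, skip rather than crash
                records.append((int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def unexpected_open_ports(hosts: Dict[str, List[PortRecord]],
                          allowed: Dict[str, Set[Tuple[str, int]]]) -> List[tuple]:
    """Open ports not in each host's allowlist {ip: {(proto, port), ...}}."""
    # Only "open" is a live exposure; filtered/closed ports are not reported.
    findings = []
    for ip, records in hosts.items():
        expected = allowed.get(ip, set())
        for port, state, proto, service, version in records:
            if state == "open" and (proto, port) not in expected:
                findings.append((ip, proto, port, service, version))
    return sorted(findings)
```

Run it against a real nmap -oG file by replacing SAMPLE_GNMAP with the file contents; anything reported is a port to either close or add to the allowlist deliberately.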

smb service enumeration

  • Use the msfconsole command to enter msf, then enter the command

    search _version

    to query the available enumeration auxiliary modules.

  • Enter

    use auxiliary/scanner/smb/smb_version

    to use the auxiliary module and view the parameters that need to be configured:

  • After configuring the RHOSTS parameter, use the exploit command to start scanning; the smb version information of the target host can then be found:

(2) Vulnerability Scanning

Openvas Vulnerability Scan

  • First enter the command openvas-check-setup to check the installation status; there is an error message:

  • Install openvas:

apt-get update
apt-get install openvas

  • After installation, check the installation status again and find an error:

Follow the FIX prompt and use the suggested instructions to fix it, then run

openvas-check-setup

to check whether it is normal:

openvas-check-setup
openvasmd --migrate
openvas-manage-certs -a
openvas-manage-certs -a -f
openvasmd
openvas-check-setup

Final success:

  • Use openvas-start to turn on the service; this automatically opens the browser homepage https://127.0.0.1:9392:

Problem:

An error occurred when opening the link:

Solution:

Click Advanced, click the lower-left corner, set https://127.0.0.1:9392 as a trusted site, and confirm; it can then be opened normally.

  • Create a new task and start scanning: select Tasks in the menu bar, then click Task Wizard to create a new task wizard, enter the IP address of the host to be scanned in the field, and click Start Scans to confirm and start scanning.

  • View and analyze the scan results: open the details of the scan result as shown below and click Full and fast.

  • Take the firewall finding as an example and click to view it:

  • Check one of the high-risk items:

The summary information reads:

The remote host seems vulnerable to a bug wherein a remote attacker can circumvent the firewall by setting the ECE bit within the TCP flags field. At least one firewall (ipfw) is known to exhibit this sort of behavior.

Known vulnerable systems include all FreeBSD 3.x ,4.x, 3.5-STABLE, and 4.2-STABLE.

Click to view the solution:

If you are running FreeBSD 3.X, 4.x, 3.5-STABLE, 4.2-STABLE, upgrade your firewall. If you are not running FreeBSD, contact your firewall vendor for a patch.

Details here include an overview of the vulnerability, the ports in question, the impact and consequences, workarounds and affected software and operating systems.

If you want to know the details of each vulnerability, you can go to the Microsoft Technology Center to view.

3. Answer the questions after the experiment

(1) Which organizations are responsible for the management of DNS and IP?

  • The Internet Corporation for Assigned Names and Numbers, or ICANN for short, determines the allocation of domain names and IP addresses. ICANN is a non-profit organization established to undertake the functions of domain name system management, IP address allocation, protocol parameter configuration, and root server system management.

  • ICANN is responsible for coordinating and managing the technical elements of the DNS to ensure universal resolvability so that all Internet users can find valid addresses.

  • There are three supporting organizations under ICANN, of which the Address Supporting Organization (ASO) is responsible for the management of the IP address system; the Domain Name Supporting Organization (DNSO) is responsible for the management of the Domain Name System (DNS) on the Internet.

(2) What is 3R information?

  • Registrant
  • Registrar
  • Official Registry (Registry)

3R registration information is scattered across the databases maintained by the official registry and the registrars.
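
The whois query earlier in the report and the 3R answer above describe the same data from two sides: whois returns key: value lines, and the 3R roles are simply the key prefixes. As an added example (not the report's own code, and not a real query result), the script below parses a constructed whois-style response with placeholder values, groups the fields into registry, registrar and registrant, and lists the name servers, which is the count the report reads off the whois figure.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed whois-style output; it is NOT the report's real query result and
# every value is a placeholder. The layout follows the key: value lines a
# registry typically returns for a .com domain.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.example
   Registrar: Example Registrar, Inc.
   Registrar Abuse Contact Email: abuse@registrar.example
   Registrant Organization: Example Company Ltd
   Registrant State/Province: Beijing
   Registrant Country: CN
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
   Name Server: NS3.EXAMPLE.COM
   Name Server: NS4.EXAMPLE.COM
>>> Last update of whois database: 2018-04-22T00:00:00Z <<<
"""

# A "key: value" line; keys may contain spaces and "/" (e.g. State/Province).
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(.*?)\s*$")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect every key: value line; repeated keys (Name Server) keep all values."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1)].append(m.group(2))
    return dict(fields)


def three_r(fields: Dict[str, List[str]]) -> Dict[str, Dict[str, object]]:
    """Group the fields into the 3R roles (registry, registrar, registrant) by key prefix."""
    out = {"registry": {}, "registrar": {}, "registrant": {}}
    for key, values in fields.items():
        for role in out:
            if key.lower().startswith(role):
                out[role][key] = values[0] if len(values) == 1 else values
    return out


def name_servers(fields: Dict[str, List[str]]) -> List[str]:
    """Authoritative name servers listed by the registry, lower-cased and sorted."""
    return sorted(ns.lower() for ns in fields.get("Name Server", []))
```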

4. Experimental summary and experience

This experiment mainly obtains information through information collection and vulnerability scanning, and the results are reflected in the open ports and the vulnerabilities found. If an attacker scans a network segment, it is easy to obtain port information and carry out an attack. A lot of information can be found out through an IP address, such as geographic location, registrant and contact information. It is easy to leave clues for attackers on the Internet, and your own information is also easy to steal. Therefore you need to scan your computer for vulnerabilities in a timely manner so that security vulnerabilities are found in time, security risks are resolved as soon as possible, and intrusion or virus infection is avoided.
