20155217 "Network Confrontation" Exp06 Information Collection and Vulnerability Scanning
Practical content
- Application of various search techniques
- Query of DNS IP registration information
- Basic scanning techniques: host discovery, port scanning, OS and service version detection, enumeration of specific services
- Vulnerability scanning: run a scan, read the report, look up the vulnerability descriptions, and patch the vulnerabilities
Information collection
Mining information about the target website through DNS and IP
whois query
- By querying the domain (DNS) registrant and contact information with whois, you can see the registered company, the name servers, and related information about the registrant and administrator:
nslookup query
- The specific geographic location of this IP address can then be looked up on Baidu:
dig query
- dig is used to look up IP addresses; it can query the authoritative DNS servers directly and return exact results:
Information collection through search engines
Search for a specific type of file
- Search engines such as Baidu can be used to query the information we want.
- Entering the following in Baidu's search bar (文件格式 stands for the file format, 关键字 for the keyword) finds URLs of files in that format that contain the keyword on edu.cn sites:
filetype:文件格式 关键字 site:edu.cn
IP route reconnaissance
Tracert
The command displays the route (the IP address of each hop) that the data packets pass through, and the geographic location of each of these machines can then be looked up by its IP:
Search URL directory structure: dir_scanner
- You can query the website directory structure:
Host Probing and Port Scanning
Active host scan
ICMP Ping Command
Nmap detection
- It can be seen that 4 hosts are active.
nmap -sS ip地址
Port scan: scan the open TCP ports of the target host (-sS is a TCP SYN scan):
- No open ports were found. A Baidu search later showed that the default SSH port is 22, that the service is not enabled by default after the system is installed, and that the configuration file needs to be modified:
vim /etc/ssh/sshd_config
Find the line #PasswordAuthentication yes and remove the # to uncomment it
Change PermitRootLogin without-password to PermitRootLogin yes (together these enable password logins and root login over SSH)
Then start the ssh service: /etc/init.d/ssh start
nmap -sV IP地址
Detect the service version of the target host:
nmap -O
Detect the operating system of the target host:
nmap -sS -sU --top-ports 150 IP地址
Scan the 150 TCP and UDP ports most likely to be open:
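From the defender's side, the SYN and UDP scans above leave a characteristic trace: one source sending connection attempts to many distinct ports within seconds. The following is an added example, not part of the original lab report, that parses constructed iptables-LOG-style lines (the log lines, hosts and threshold are assumptions) and flags sources that probe more than a threshold of distinct protocol/port pairs inside a time window:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables LOG lines (not from a real host): 10.0.0.5 sends SYN-only
# packets to many distinct ports within seconds (the shape of `nmap -sS`), plus a
# UDP probe; 10.0.0.7 is an ordinary client reusing one or two ports.
SAMPLE_LOG = """\
Jan 10 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=44101 DPT=21 SYN URGP=0
Jan 10 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=44101 DPT=22 SYN URGP=0
Jan 10 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=44101 DPT=23 SYN URGP=0
Jan 10 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=44101 DPT=25 SYN URGP=0
Jan 10 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=44101 DPT=80 SYN URGP=0
Jan 10 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 PROTO=UDP SPT=44101 DPT=53 LEN=40
Jan 10 10:00:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Jan 10 10:00:06 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=443 ACK URGP=0
Jan 10 10:00:09 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
                     r" .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)(?P<rest>.*)$")

def parse_events(text):
    """Yield (time, src, dst, proto, port) for TCP SYN-only packets and UDP datagrams."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m["rest"].split()
        if m["proto"] == "TCP" and ("SYN" not in flags or "ACK" in flags):
            continue  # established traffic, not a new connection attempt
        yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["dst"], m["proto"], int(m["dpt"])

def detect_port_scans(text, port_threshold=6, window_seconds=60):
    """Return {src: (distinct proto/port pairs, targets)} for sources reaching the threshold in a window."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, port in parse_events(text):
        by_src[src].append((ts, dst, proto, port))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best, targets = 0, set()
        for i, (t0, _, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_seconds]
            ports = {(e[2], e[3]) for e in window}
            if len(ports) > best:
                best, targets = len(ports), {e[1] for e in window}
        if best >= port_threshold:
            hits[src] = (best, sorted(targets))
    return hits
```

Real iptables LOG lines carry extra fields (MAC, LEN, TTL, WINDOW) between the ones matched here; the lazy `.*?` groups skip them, so the same parser works on genuine kernel log output.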
arp_sweep
Use ARP requests to enumerate active hosts on the local LAN: