20155226 "Network Confrontation" exp6 information collection and vulnerability scanning
Answer questions after the experiment
Which organizations are responsible for DNS, IP management?
At present, domain name agencies mainly include the ICANN Council and CNNIC.
The Internet Domain Name and Address Administration (ICANN) is a non-profit organization established to undertake the functions of domain name system management, IP address allocation, protocol parameter configuration, and main server system management. It is now managed by IANA and other entities and the US government. . The ICANN Board is the core authority of ICANN.
Nature of CNNIC (Chinese Domain Name International Coordination Organization): CNNIC is a non-profit management and service organization whose purpose is to serve my country's Internet users and promote the healthy and orderly development of my country's Internet.
IANA is run by ICANN (Internet Corporation for Assigned Names and Numbers), the non-profit organization responsible for coordinating IANA's area of responsibility. IANA manages DNS domain name roots and .int, .arpa domain names, and IDN (Internationalized Domain Name) resources. IANA can also query the specific information of various top-level domain names around the world. Whether it is a well-known or unknown domain name suffix, you can find its detailed information, as well as the country where the management organization is located, address information, operating company, registry website, etc.
General database site: AfriNIC Africa Region, APNIC Asia Pacific Region, ARIN North America Region, LACNIC Latin America and some Caribbean Islands, RIPE NCC Europe, Middle East and Central Asia
What is 3R information?
Registrant
Registrar
Official Registry (Registry)
Practical content
Information collection
whois domain name registration information query
- When doing whois query, you need to remove prefixes such as www, because when registering a domain name, an upper-level domain name is usually registered, and the subdomain name is managed by its own domain name server, which may not be queried in the whois database.
- You can see that there are 5 servers
- Registrant information, address, phone number, etc.
- IANA ID
nslookup domain name query
- nslookup can get the result of the cache saved by the DNS resolution server, but it is not necessarily accurate.
you
dig can query exact results from official DNS servers
When you use dig to query a DNS server for a record, the server tells dig how long the record can remain in the cache.
Use a search engine to query the corresponding specific geographic location of an IP address
- Check the school website
- Comparison with baidu
- Select a domain name to view the bound domain name
search engine query technology
- Find the doc file
nmap scan
- Scan for live hosts
The port scan, which scans the default 1000 TCP ports out of 986 closed ports, shows 14 open TCP ports.
Use the tcp syn method to scan and view the open ports of the host. This is a basic scan method, and it's called a half-open scan, because this technique allows Nmap to obtain information about the remote host without going through a full handshake. Nmap sends a SYN packet to the remote host, but it does not generate any session. Therefore no logging is generated on the target host because no session is formed. This is the advantage of SYN scanning.
- Detect the operating system of the host, and you can see that it is windows or something.
Vulnerability Scan
- First install openvas
apt-get install openvas
and then configure (it takes some time, please be patient)
openvas-setup
After the configuration is successful, check the installation
openvas-check-setup
- Use the command openvasmd --user=admin --new-password=admin to add the admin account.
Scan host (buffer overflow vulnerability)
Vulnerability information
Experiment summary and experience
Information leakage is really serious. . Feeling like naked/covering your face.