20155324 "Network Confrontation" Exp06 Information Collection and Vulnerability Scanning

Practical content
  • Application of various search techniques
  • Query of DNS IP registration information
  • Basic scanning techniques: host discovery, port scanning, OS and service version detection, enumeration of specific services
  • Vulnerability scanning: be able to run a scan, read the report, look up the vulnerability descriptions, and fix the vulnerabilities

Lab environment

Kali virtual machine, as the attack machine, IP address 172.16.2.130

Windows Server 2003 SP3 virtual machine, as the target machine, IP address 172.16.2.160

Both virtual machines' network connections are set to bridged mode.

3. Experimental steps

3.1 Passive Information Collection

(1) Whois domain name registration information query

(2) nslookup, dig domain name query

(3) IP Location location query

(5) IP2 reverse domain name lookup (IP address to domain name)

(6) dir_scanner brute-forces the directory structure of the website

(7) Search for specific types of files

(8) IP route reconnaissance

The tracert command shows the IP addresses the packets pass through; these IPs can then be looked up to learn the route or the geographic location of each machine:

Active host scan

ICMP Ping Command

ping baidu.com

Nmap detection

nmap -sn scans for live hosts:

It can be seen that 4 hosts are active.
nmap -sS <IP address> port-scans the target host for open TCP ports:

No open ports were found. A Baidu search showed that SSH listens on port 22 by default, but the service is not enabled after the system is installed; the configuration file has to be modified first.

vim /etc/ssh/sshd_config

Find the line #PasswordAuthentication yes and remove the # that comments it out.

Change PermitRootLogin without-password to: PermitRootLogin yes

Then start the ssh service: /etc/init.d/ssh start

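The two sshd_config edits above make the SSH service visible to nmap, but on a real server they are exactly the settings a defender wants flagged. The following is an added example, not code from the lab report: a small audit that models the sshd_config rules that matter here (keywords are case-insensitive, '#' starts a comment, the first occurrence of a keyword wins, an absent keyword takes the OpenSSH default) and reports risky values. The two sample files are constructed to mirror the before and after state the report describes; they were not copied from the Kali VM.

```python
import re

# Added example (not from the lab report): audit sshd_config for the two
# settings the lab changes. The sample files below are constructed, not
# copied from the Kali VM.

# OpenSSH defaults that apply when a key is absent from the file, taken from
# sshd_config(5) for the keys checked here only.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}

# Values a defender would normally flag on a reachable host.
RISKY = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
}


def parse_sshd_config(text):
    """Return the effective global settings as {lowercase_key: value}.

    Mirrors the sshd rules that matter here: '#' starts a comment, keywords are
    case-insensitive, 'Key value' and 'Key=value' are both accepted, and the
    first occurrence of a keyword wins. Parsing stops at the first Match block,
    because settings inside it are conditional rather than global.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return sorted (key, effective_value) pairs whose value is in RISKY."""
    effective = dict(DEFAULTS)
    effective.update(parse_sshd_config(text))
    return sorted(
        (key, value) for key, value in effective.items()
        if key in RISKY and value.lower() in RISKY[key]
    )


# Constructed sample: a stock config before the lab's edits ...
BEFORE = """\
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin without-password
#PasswordAuthentication yes
"""

# ... and the same file after uncommenting PasswordAuthentication and
# changing PermitRootLogin, as the report describes.
AFTER = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

Running it shows that uncommenting #PasswordAuthentication yes changed nothing by itself, because yes is already the OpenSSH default; the change that actually widened exposure was PermitRootLogin yes, which lets the root account be reached with a password rather than only with a key.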
nmap -sV <IP address> detects the service versions running on the target host:

nmap -O detects the operating system of the target host:

nmap -sS -sU --top-ports 150 <IP address>: scans the 150 TCP and UDP ports most likely to be open:

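Seen from the target rather than the attack machine, the -sS and -sU scans above leave a distinctive trace: one source sends the first packet of a connection attempt to many different ports in a short time. The following is an added example, not code from the lab report, that runs a simple detector over constructed firewall log lines written in iptables LOG style (they were not captured from the 172.16.2.x lab hosts). It counts, per source/destination/protocol, how many distinct destination ports are probed inside a sliding time window; TCP packets count only when SYN is set without ACK, which is what a half-open -sS scan sends, while the target's own SYN/ACK replies are ignored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the lab report). Constructed log lines in iptables
# LOG style: a scanner (172.16.2.130) probing a target (172.16.2.160), the
# target's SYN/ACK reply, a UDP probe, and a normal host that only ever talks
# to port 445.
SAMPLE_LOG = """\
Jan 12 09:59:58 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=28 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 12 10:00:00 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:00 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:00 target kernel: IN= OUT=eth0 SRC=172.16.2.160 DST=172.16.2.130 LEN=44 TTL=128 PROTO=TCP SPT=22 DPT=40001 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Jan 12 10:00:00 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:01 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:01 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:01 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:01 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:02 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:02 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:02 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:03 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=28 TTL=64 PROTO=UDP SPT=40002 DPT=53 LEN=8
Jan 12 10:00:03 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=28 TTL=64 PROTO=UDP SPT=40002 DPT=123 LEN=8
Jan 12 10:00:03 target kernel: IN=eth0 OUT= SRC=172.16.2.130 DST=172.16.2.160 LEN=28 TTL=64 PROTO=UDP SPT=40002 DPT=161 LEN=8
Jan 12 10:01:00 target kernel: IN=eth0 OUT= SRC=172.16.2.20 DST=172.16.2.160 LEN=52 TTL=128 PROTO=TCP SPT=50001 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 10:02:00 target kernel: IN=eth0 OUT= SRC=172.16.2.20 DST=172.16.2.160 LEN=52 TTL=128 PROTO=TCP SPT=50002 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 10:03:00 target kernel: IN=eth0 OUT= SRC=172.16.2.20 DST=172.16.2.160 LEN=52 TTL=128 PROTO=TCP SPT=50003 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return (timestamp, key=value fields, bare flag words) for one iptables LOG line, or None."""
    tokens = line.split()
    if len(tokens) < 5 or "kernel:" not in tokens:
        return None
    ts = datetime.strptime(" ".join(tokens[:3]), "%b %d %H:%M:%S")  # syslog has no year
    fields, flags = {}, set()
    for tok in tokens[tokens.index("kernel:") + 1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)  # TCP flag words such as SYN, ACK
    return ts, fields, flags


def detect_port_scans(log_text, window_seconds=5, min_ports=8):
    """Return sorted (src, dst, proto, distinct_ports) for every source that probes
    at least min_ports distinct destination ports on one host within window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (src, dst, proto) -> [(timestamp, dport)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields, flags = parsed
        proto, dpt = fields.get("PROTO"), fields.get("DPT")
        if dpt is None or proto not in ("TCP", "UDP"):
            continue  # ICMP and others carry no destination port
        if proto == "TCP" and not ("SYN" in flags and "ACK" not in flags):
            continue  # only the first packet of a TCP attempt; replies are ignored
        events[(fields["SRC"], fields["DST"], proto)].append((ts, int(dpt)))

    alerts = []
    for key, hits in events.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):  # sliding window from each event
            ports = {p for t, p in hits[i:] if t - start <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            alerts.append((*key, best))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, proto, n in detect_port_scans(SAMPLE_LOG):
        print(f"possible {proto} port scan: {src} -> {dst}, {n} distinct ports in 5s")
```

With the defaults only the TCP probe is reported; the three-port UDP probe stays under the threshold and the host that repeatedly reaches port 445 is never counted, because distinct ports rather than packets are what a port scan produces.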
Module in metasploit: arp_sweep

arp_sweep uses ARP requests to enumerate the active hosts on the local LAN:

Service scan and enumeration

Network service scan

telnet service scan

SSH service scan
Oracle Database Service Enumeration

Password guessing and sniffing

Vulnerability Scan

  • Install OpenVAS:
    Update the package list: apt-get update
    Fetch the latest packages: apt-get dist-upgrade
    Reinstall the OpenVAS tool: apt-get install openvas
  • Configure the OpenVAS service
  • After installation, run openvas-check-setup repeatedly, following the prompt to the next step each time.

  • Use OpenVAS: run openvasmd --user=admin --new-password=1234 to add an account, then run openvas-start to start OpenVAS; the browser automatically opens the home page https://127.0.0.1:9392.

  • Select Tasks in the menu bar. On that page, click Task Wizard to open the new-task wizard, enter the IP address of the host to be scanned in the field, and click Start Scan to begin scanning:

  • Scan is complete:

  • Click Full and fast:

  • Click on an entry to view the relevant information:

  • Click on a vulnerability with a very high risk level, the detailed description is as follows:

Answer questions after the experiment

(1) Which organizations are responsible for the management of DNS and IP.

  • ICANN is responsible for DNS, IP management

  • There are three supporting bodies under ICANN

Address Supporting Organization (ASO): responsible for the management of the IP address system

Domain Name Supporting Organization (DNSO): responsible for the administration of the Domain Name System (DNS)

(2) What is 3R information.

The 3R information is:

Registrant

Registrar

Official Registry (Registry)

Experimental experience

This experiment gave us a deeper and more comprehensive understanding of a series of practical tasks: host discovery, information collection, port scanning, service version detection, and vulnerability scanning.
