20155324 "Network Confrontation" Exp06 Information Collection and Vulnerability Scanning
Practical content
- Application of various search techniques
- Querying DNS and IP registration information
- Basic scanning techniques: host discovery, port scanning, OS and service version detection, enumeration of specific services
- Vulnerability scanning: run a scan, read the report, look up the vulnerability descriptions, and fix the vulnerabilities
Lab environment
- Kali virtual machine, used as the attacking machine, IP address 172.16.2.130
- Windows Server 2003 SP3 virtual machine, used as the target machine, IP address 172.16.2.160
- Both virtual machines have their network connections set to bridged mode.
3. Experimental steps
3.1 Passive information collection
(1) whois domain name registration information query
(2) nslookup and dig domain name queries
(3) IP geolocation query
(5) Reverse lookup from IP address to domain name
(6) Brute-forcing the website's directory structure with the Metasploit dir_scanner module
(7) Searching for specific file types
(8) IP route reconnaissance: tracert shows the IP address of every hop a packet passes through; each of those IPs can then be looked up to map the route or find the geographic location of the machine:
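Directory brute-forcing, as dir_scanner does it, is just "request each word from a wordlist and keep every path that does not answer 404". The following is an added example written for this page (it is not code from the lab report or from Metasploit). It starts a throwaway HTTP server on loopback with a constructed set of paths, so it runs offline; the wordlist and the site contents are constructed for illustration.

```python
"""Directory/file brute-forcing in the style of Metasploit's dir_scanner.
Added example, not from the lab report or Metasploit. It targets a
throwaway HTTP server started in this process whose paths are constructed."""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request
from typing import Dict, Iterable, Tuple

# Constructed "site": path -> (status, body). Anything else returns 404.
FAKE_SITE = {
    "/": (200, b"<html>home</html>"),
    "/admin/": (200, b"<html>admin panel</html>"),
    "/backup/": (403, b"Forbidden"),
    "/robots.txt": (200, b"User-agent: *\nDisallow: /admin/\n"),
}

# Constructed mini wordlist; real scans use thousands of entries.
DEFAULT_WORDLIST = ["admin", "backup", "images", "login", "robots.txt", "uploads", ".git"]


class FakeHandler(http.server.BaseHTTPRequestHandler):
    def do_HEAD(self):
        self._reply(send_body=False)

    def do_GET(self):
        self._reply(send_body=True)

    def _reply(self, send_body):
        status, body = FAKE_SITE.get(self.path, (404, b"Not Found"))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def log_message(self, *args):  # keep the scan output clean
        pass


def start_fake_site() -> Tuple[socketserver.TCPServer, int]:
    """Serve FAKE_SITE on an OS-assigned loopback port in a background thread."""
    httpd = socketserver.TCPServer(("127.0.0.1", 0), FakeHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


# Opener with no proxy handler so http_proxy in the environment cannot divert loopback traffic.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(base_url: str, path: str, timeout: float = 2.0) -> int:
    """Return the HTTP status for base_url + path. HEAD keeps traffic small;
    like dir_scanner we only care about the response code."""
    req = urllib.request.Request(base_url + path, method="HEAD")
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def dir_scan(base_url: str, wordlist: Iterable[str]) -> Dict[str, int]:
    """Try each word as /word and /word/ and keep anything that is not 404.
    403 is kept on purpose: a forbidden directory still proves it exists."""
    found: Dict[str, int] = {}
    for word in wordlist:
        for path in (f"/{word}", f"/{word}/"):
            status = probe(base_url, path)
            if status != 404:
                found[path] = status
    return found


if __name__ == "__main__":
    httpd, port = start_fake_site()
    base = f"http://127.0.0.1:{port}"
    for path, status in sorted(dir_scan(base, DEFAULT_WORDLIST).items()):
        print(f"{status} {base}{path}")
    httpd.shutdown()
    httpd.server_close()
```

Against the constructed site the scan reports /admin/ (200), /backup/ (403) and /robots.txt (200). Against a real target, trailing-slash handling and the 403 case are exactly where naive scanners miss directories, which is why both variants are requested.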
Active host scanning
ICMP ping:
ping baidu.com
Nmap host discovery:
nmap -sn
followed by the target network range; -sn performs host discovery only, without a port scan. Scanning the lab subnet shows that 4 hosts are active.
nmap -sS ip
Port scan by address: scan the target host's open TCP ports:
No open ports were found. Searching on Baidu showed that the default SSH port is 22 and that the SSH service is not enabled by default after installation, so the configuration file has to be edited:
vim /etc/ssh/sshd_config
Find #PasswordAuthentication yes and remove the leading # to uncomment it
Change PermitRootLogin without-password to PermitRootLogin yes
Then start the SSH service: /etc/init.d/ssh start
Note that PermitRootLogin yes together with password authentication lets root log in with a password over the network. That is acceptable only to give the scanner something to find on a lab VM; revert it (PermitRootLogin prohibit-password or no, PasswordAuthentication no) afterwards.
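The two edits above weaken sshd, and the same two keywords are what a hardening check looks at first. The following is an added example written for this page (not code from the lab report): a small sshd_config auditor that applies sshd's own parsing rules (first occurrence of a keyword wins, lines starting with # are comments, keyword=value is allowed, settings after a Match line are conditional and ignored here) and falls back to the OpenSSH defaults when a keyword is absent. The two configuration texts are constructed: one is what the lab's edits produce, the other is the hardened form.

```python
"""Audit an sshd_config for the settings the lab changed.
Added example, not from the lab report. Both config texts are constructed."""
import re
from typing import Dict, List

# Values a hardened host should carry. "prohibit-password" is the modern
# spelling of "without-password"; both mean key-only root login.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
}

# OpenSSH defaults that apply when a keyword is absent or commented out
# (sshd_config(5): PermitRootLogin prohibit-password, PasswordAuthentication yes).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map (keys lowercased).

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored. Everything after the first Match line is conditional and is
    skipped (simplification for this example)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # conditional blocks follow; the global section is over
            break
        effective.setdefault(key, value)
    return effective


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means hardened."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, ok_values in EXPECTED.items():
        value = cfg.get(key, DEFAULTS[key]).lower()
        if value not in ok_values:
            findings.append(f"{key}={value} (want one of {sorted(ok_values)})")
    return findings


LAB_CONFIG = """\
# constructed: what the lab report's two edits produce
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: the same host after the lab, key-only root access
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Running it prints two findings for the lab configuration and OK for the hardened one; a commented-out PermitRootLogin line is correctly treated as the default prohibit-password rather than as yes.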
nmap -sV IP
Detect the service versions running on the target host:
nmap -O IP
Detect the target host's operating system:
nmap -sS -sU --top-ports 150 IP
Scan the 150 most commonly open TCP and UDP ports (the option is --top-ports, with two dashes):
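To make the three nmap steps above concrete (port state, then banner-based version detection), here is an added example written for this page, not code from the lab report or from nmap. It is a TCP connect scanner (the equivalent of nmap -sT; -sS needs raw sockets to send bare SYNs) with a banner grab, which is the simplest form of what -sV does. It scans 127.0.0.1 against a throwaway listener started in the same process, so it runs offline; the banner string and the signature table are constructed.

```python
"""Minimal TCP connect scanner with banner grabbing, illustrating nmap -sT/-sV.
Added example, not from the lab report or nmap. Scans a throwaway loopback
listener; the banner and the signature table are constructed."""
import socket
import threading
from typing import Dict, Iterable, Tuple

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4 constructed-banner\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> Tuple[socket.socket, int]:
    """Listen on an OS-assigned loopback port and send `banner` to every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def pick_closed_port() -> int:
    """Bind an OS-assigned port and release it without listening, so a
    connect() to it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def scan_port(host: str, port: int, timeout: float = 0.5) -> Tuple[str, str]:
    """Return (state, banner); state is 'open', 'closed' (RST) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except OSError:  # includes timeout
        s.close()
        return "filtered", ""
    # Connected: read whatever the service volunteers (SSH, FTP, SMTP speak first).
    try:
        banner = s.recv(256).decode("ascii", errors="replace").strip()
    except OSError:
        banner = ""
    finally:
        s.close()
    return "open", banner


def scan_ports(host: str, ports: Iterable[int]) -> Dict[int, Tuple[str, str]]:
    return {p: scan_port(host, p) for p in ports}


def guess_service(banner: str) -> str:
    """Crude version detection: match the banner prefix against a tiny,
    constructed signature table (nmap -sV uses thousands of probes/matches)."""
    signatures = {"SSH-": "ssh", "220 ": "ftp-or-smtp", "HTTP/": "http"}
    for prefix, name in signatures.items():
        if banner.startswith(prefix):
            return name
    return "unknown"


if __name__ == "__main__":
    srv, open_port = start_fake_service()
    for p, (state, banner) in sorted(scan_ports("127.0.0.1", [open_port, pick_closed_port()]).items()):
        print(f"{p}/tcp {state:8s} {guess_service(banner):12s} {banner}")
    srv.close()
```

The open port reports the SSH banner and is classified as ssh; the released port is refused and reported closed. A port that answers nothing within the timeout is reported filtered, which is the state nmap shows when a firewall silently drops the probe.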
Metasploit module: arp_sweep
Uses ARP requests to enumerate active hosts on the local LAN (it only works on the attacker's own L2 segment, since ARP is not routed):
Service scanning and enumeration
- Network service scanning
- Telnet service scanning
- SSH service scanning
- Oracle database service enumeration
- Password guessing and sniffing
Vulnerability scanning
- Install OpenVAS:
  Update the package list: apt-get update
  Upgrade to the latest packages: apt-get dist-upgrade
  Install the OpenVAS tool: apt-get install openvas
- Configure the OpenVAS service: after installation, run openvas-check-setup repeatedly and follow its prompts until every check passes.
- Use OpenVAS: run openvasmd --user=admin --new-password=1234 to add an account (a weak password like this is only acceptable on an isolated lab VM), then run openvas-start to start OpenVAS; the browser opens the homepage https://127.0.0.1:9392 automatically.
- Select Tasks in the menu bar, then click Task Wizard to create a new task, enter the IP address of the host to scan, and click Start Scan to begin scanning:
- Scan complete:
- Click Full and fast:
- Click an entry to view its details:
- Click a vulnerability with a high risk level; its detailed description is as follows:
Questions after the experiment
(1) Which organizations are responsible for managing DNS and IP?
ICANN is responsible for DNS and IP address management. ICANN was set up with three supporting organizations:
- Address Supporting Organization (ASO): responsible for the IP address system
- Domain Name Supporting Organization (DNSO): responsible for the Domain Name System (DNS); this role has since passed to the GNSO and ccNSO
- Protocol Supporting Organization (PSO): responsible for Internet protocol parameters
(2) What is 3R information?
The 3R information is:
- Registrant
- Registrar
- Official registry (Registry)
Experiment reflections
This experiment gave us a deeper and more complete understanding of a series of practical tasks: host discovery, information collection, port scanning, service version detection, and vulnerability scanning.