20155323 Liu Weiliang "Network Confrontation" Exp6 Information Collection and Vulnerability Scanning
Practice goals
Master the most basic skills of information collection and the use of common tools.
Practice content
(1) Application of various search techniques
(2) Query of DNS IP registration information
(3) Basic scanning techniques: host discovery, port scanning, OS and service version detection, and enumeration of specific services
(4) Vulnerability Scanning: Can scan, read reports, check vulnerability descriptions, and fix vulnerabilities
Practice process
Information collection
- whois query
In the virtual machine, you can use the whois command to query the domain name registration information, but the www. prefix of the URL to be queried should be removed. Here I use the Baidu URL for the experiment.
Here you can see the 3R registration information.
Scrolling down, we can see a lot more information, such as the name servers and the registration dates.
The reason for removing the prefix is that when a domain name is registered, it is usually the parent domain that is registered; subdomains such as www are managed by the registrant's own DNS servers, so whois has no record for them.
- dig/nslookup query
nslookup is the default DNS lookup tool on Windows; dig is the default DNS lookup tool on Linux.
First, try querying Baidu with nslookup.
Check the obtained IP address for further queries.
You can also look it up on the SHODAN website, or query it on IP2Location.
Then use the dig command to try querying Baidu.
- tracert route detection
First, route detection to the school's educational affairs network was carried out under Windows, but after two attempts, all the requests in the middle timed out.
I tried it again under Linux and found that it still timed out. I asked my classmates and learned that since our virtual machines use NAT, the TTL exceeded message returned by traceroute cannot be mapped to the source IP address, source port, destination IP address, destination port, and protocol, so the message cannot be routed back to the host.
- search engine query
I tried searching for PDF documents about papers across the whole edu.cn site.
- host scan
The nmap -sn command scans the entire network segment for active hosts.
The nmap -sU command scans the UDP ports of the specified host.
The nmap -sS command performs a TCP SYN port scan of the specified host.
The nmap -O command detects the operating system of the specified host; here I am scanning the Win7 virtual machine.
The nmap -sV command detects the service and version information of the specified host.
- smb service enumeration
First enter the msf console and enter search smb_version to find the module.
Then enter use auxiliary/scanner/smb/smb_version to select the module.
View the options the module needs and configure them. After the configuration is complete, run exploit to perform the query.
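To connect the host scan above with the SMB enumeration step, here is an added Python example (not code from the original report) that parses nmap's grepable output (-oG -) from the two stages, the ping sweep and the port scan, and lists which live hosts expose TCP 445 and are therefore the ones to confirm with the smb_version module. The scan output, addresses and hostnames are constructed samples.

```python
from typing import Dict, List
# Constructed sample of nmap grepable output (-oG -) for the page's two steps,
# "nmap -sn <segment>" then "nmap -sS -sV <host>"; addresses and services are invented.
SWEEP_OUTPUT = """\
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.5 (xp-target)\tStatus: Up
Host: 192.168.56.7 ()\tStatus: Down
"""
PORTSCAN_OUTPUT = (
    "Host: 192.168.56.5 (xp-target)\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)\n"
)

def _fields(line: str) -> Dict[str, str]:
    """Split a -oG 'Host:' line into its tab-separated 'Key: value' fields."""
    parts = {}
    for chunk in line.split("\t"):
        key, _, value = chunk.partition(": ")
        parts[key] = value
    return parts

def live_hosts(grepable: str) -> List[str]:
    """Addresses reported Up by the ping sweep (nmap -sn)."""
    rows = [_fields(l) for l in grepable.splitlines() if l.startswith("Host:")]
    return [f["Host"].split()[0] for f in rows if f.get("Status") == "Up"]

def open_ports(grepable: str) -> Dict[str, Dict[int, str]]:
    """Map host -> {port: service} for the ports nmap reports as open."""
    result: Dict[str, Dict[int, str]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        f = _fields(line)
        ports = {}
        for entry in f["Ports"].split(", "):
            p = entry.split("/")  # port/state/protocol/owner/service/rpc-info/version
            if p[1] == "open":
                ports[int(p[0])] = p[4]
        result[f["Host"].split()[0]] = ports
    return result

def smb_candidates(grepable: str) -> List[str]:
    """Hosts exposing TCP 445: the ones to confirm next with the smb_version module."""
    return [h for h, p in open_ports(grepable).items() if 445 in p]
```

Feed the same functions the output of a real nmap run with "-oG -" to get the candidate list for the scanner module instead of reading each host off the screen.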
Vulnerability Scan
First, under Linux, enter the openvas-check-setup command to check the installation status of OpenVAS. There was an error here; it has to be repaired step by step using the commands suggested in the terminal, after which the configuration is complete.
Enter the openvas-start command to start OpenVAS. The website pops up, but it reports a problem with the connection.
Click Advanced in the lower right corner for further settings, set the website as a trusted site, and refresh to enter the web page; log in here with the default account and password.
Click Task Wizard to create a new task, enter the IP address of the XP target machine to be scanned, and click Start Scans to confirm and start scanning.
Click Full and fast ultimate to see the vulnerability information.
We can choose one entry to view the related vulnerabilities, and then view the details of a vulnerability.
Questions and answers
(1) Which organizations are responsible for the management of DNS and IP?
ICANN is responsible for global domain name root servers, DNS and IP address management.
There are five regional registries. ARIN is mainly responsible for North America, RIPE is mainly responsible for Europe, APNIC is mainly responsible for Asia Pacific, LACNIC is mainly responsible for Latin America and AfriNIC is mainly responsible for Africa.
(2) What is 3R information?
It contains information about the registrant, the registrar, and the official registry.
(3) Evaluate the accuracy of the scan results.
I'm not sure if the scan results are accurate, because I haven't been exposed to related experiments, but I think the scan results are still very complete. After all, there are a lot of options to view.
Experiment summary and experience
The difficulty of this experiment is not high, and the collection of relevant information has given me a lot of knowledge and benefited a lot. I didn't encounter any problems, and the experiment went smoothly.