Detecting port scans and weak passwords Linux server

I. Weak password detection: John the Ripper

John the Ripper can scan the system for accounts whose passwords are weak and display the results of the scan.

1. Install John the Ripper:
John the Ripper source package download address:
https://pan.baidu.com/s/117J0GZ9moOHfUr-JAuOmug
extraction code: n76p
It can also be downloaded directly from the official website:
https://www.openwall.com/john/

[root@localhost media]# tar zxf john-1.8.0.tar.gz -C /usr/src
[root@localhost media]# cd /usr/src/john-1.8.0/src/
[root@localhost src]# make clean linux-x86-64       # builds an executable named john in the run subdirectory
[root@localhost src]# ls ../run/john                # confirm the john executable has been generated
../run/john

2. Detect weak-password accounts:

On a server with John the Ripper installed, the /etc/shadow file can be checked directly; for other Linux servers, the shadow file can be copied over and passed to John. Simply run the john program in John's run directory with the shadow file to be checked as the command-line argument, and the weak password analysis begins:
Method 1: direct detection

[root@localhost src]# cp /etc/shadow /root/a.txt                      # prepare the password file to be cracked
[root@localhost src]# cd ../run
[root@localhost run]# ./john /root/a.txt           # run the brute-force crack
Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
# scan results: each cracked password is shown next to its user name
123456           (lv)                          
123456           (zhangsan)
123456           (admin)
123456           (root)
4g 0:00:00:29 100% 2/3 0.1340g/s 394.4p/s 404.0c/s 404.0C/s 123456..pepper
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[root@localhost run]# ./john --show /root/a.txt                 # the cracked passwords are also saved in a file (john.pot)
root:123456::0:99999:7:::
lv:123456:18034:0:30:7:::
zhangsan:123456:18059:0:30:7:::
admin:123456:18059:0:30:7:::

4 password hashes cracked, 0 left

Method 2: detection using a password dictionary file:
John the Ripper provides a password dictionary file, password.lst, by default, containing more than 3000 common weak passwords. If necessary, more password combinations can be added to the dictionary file, or a more complete dictionary file can be used directly:

[root@localhost run]# > john.pot                # clear the already cracked passwords so the analysis can be repeated
[root@localhost run]# ./john --wordlist=./password.lst /root/a.txt         # detect using the password dictionary
Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (lv)
123456           (zhangsan)
123456           (admin)
123456           (root)
4g 0:00:00:00 100% 4.301g/s 103.2p/s 412.9c/s 412.9C/s 123456..pepper
Use the "--show" option to display all of the cracked passwords reliably
Session completed
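As an added example (not code from the original post), the following script turns the `john --show` output shown above into the list of accounts whose passwords were cracked, so an administrator can force a password change on each of them. The sample output is constructed from the format in the post, and `chage -d 0` is the assumed remediation command.

```shell
#!/bin/sh
# Added example: parse `john --show <shadow-copy>` output into a list of
# accounts with cracked passwords and build the remediation commands.
# The sample input below is constructed from the format shown in the post.

# Lines of `john --show` output look like:
#   user:cracked_password:lastchg:min:max:warn:inactive:expire:
# The trailing summary "N password hashes cracked, M left" and blank lines
# are skipped. Prints one user name per line, sorted and unique.
cracked_accounts() {
    awk -F: '
        /password hashes cracked/ { next }   # summary line, not an account
        NF < 2 || $1 == ""        { next }   # blank or malformed line
        $2 != ""                  { print $1 }
    ' | sort -u
}

# Remediation commands are printed, not executed: `chage -d 0 user` expires
# the current password so the user must set a new one at next login
# (assumption: this is the chosen remediation).
remediation_commands() {
    cracked_accounts | awk '{ printf "chage -d 0 %s\n", $1 }'
}

# Constructed sample in the same shape as the post's `john --show` run.
SAMPLE_SHOW_OUTPUT='root:123456::0:99999:7:::
lv:123456:18034:0:30:7:::
zhangsan:123456:18059:0:30:7:::
admin:123456:18059:0:30:7:::

4 password hashes cracked, 0 left'

# Live use (the post copies /etc/shadow to /root/a.txt):
#   ./john --show /root/a.txt | remediation_commands
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | remediation_commands
```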

II. Network scanning: NMAP
NMAP is a powerful port-scanning security assessment tool. The Linux system installation disc provides an installation package, and the latest source package can also be downloaded from the official website https://nmap.org/. NMAP is designed to detect a huge number of hosts on large networks and supports ping scanning, multi-port detection, OS detection and other techniques. Scanning the internal network regularly with NMAP can identify uncontrolled application services on the network; operations and maintenance staff should shut down insecure services to reduce security risks.

1. Installation:

[root@localhost /]# yum -y install nmap

2. Scan types and example syntax:
①. Scan types:

nmap [Scan Type] [options] <scan target ...>

The scan target may be a host name, IP address or network address; multiple targets are separated by spaces. Common options are "-p" and "-n", used respectively to specify the ports to scan and to disable reverse DNS resolution (to speed up scanning). The scan type determines the detection method and directly affects the scan results.

A comparison of several common scan types is as follows:
[comparison table of common scan types: image not reproduced]

②. Syntax examples:

[root@localhost /]# nmap 127.0.0.1             # scan the local host's TCP ports
Starting Nmap 6.40 ( http://nmap.org ) at 2019-06-13 05:21 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled.
Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000050s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

[root@localhost /]# nmap -sU 127.0.0.1              # scan the local host's UDP ports
Starting Nmap 6.40 ( http://nmap.org ) at 2019-06-13 05:22 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. 
Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Not shown: 999 closed ports
PORT     STATE         SERVICE
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

In the scan results above, the STATE column indicates the port state: open means the port is open, filtered means it may be filtered by a firewall, and closed means the port is closed.

[root@localhost /]# nmap -p 21 192.168.1.0/24      # check which hosts in the 192.168.1.0 segment provide FTP service
[root@localhost /]# nmap -n -sP 192.168.1.0/24     # check which hosts in the 1.0 segment are alive (respond to ping)
[root@localhost /]# nmap -p 139,445 192.168.1.1-100    # check whether file-sharing services are enabled on IP addresses 1.1-1.100

Nmap offers many scan types and options for different scanning needs; I have only collected a small part of them here.
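As an added example (not code from the original post), the following script compares the open ports in nmap's normal output against an allowlist of services the host is expected to expose and prints the rest, which is the "uncontrolled application services" check the post recommends for regular internal scans. The sample scan output is constructed from the post's `nmap 127.0.0.1` run, and the allowlist (SSH only) is an assumption for the demo.

```shell
#!/bin/sh
# Added example: flag open ports that are not on the expected-service
# allowlist. The sample scan output is constructed from the post's run;
# ALLOWED_PORTS is an assumption (only SSH is expected here).
ALLOWED_PORTS="22/tcp"

# Read nmap's normal output on stdin and print "port service" for every
# port whose STATE is exactly "open" and which is not in ALLOWED_PORTS.
# Port-table lines look like:
#   22/tcp  open  ssh
# Banner, header and "Nmap done" lines never match the port pattern, and a
# UDP "open|filtered" state is not treated as confirmed open.
unexpected_open_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) {
            print $1, $3
        }
    '
}

# Constructed sample in the shape of the post's TCP scan output.
SAMPLE_NMAP_OUTPUT='Starting Nmap 6.40 ( http://nmap.org ) at 2019-06-13 05:21 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000050s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds'

# Live use against a host on the internal network:
#   nmap 192.168.1.10 | unexpected_open_ports
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | unexpected_open_ports
```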

Origin blog.51cto.com/14154700/2408106