Website security vulnerability test explains the sniffing port of the grab packet.

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Security issues are the most common demand across the wide network. Many people who want penetration testing services for their website want to protect it from intrusion and attack. Here, Sine has collected the packet analysis and host service sniffing used in penetration security testing, as well as application service identification such as port scanning, to comprehensively evaluate website security.

8.2.1. TCPDump

TCPDump is a packet capture and analysis tool that can intercept the complete packets transmitted on the network for analysis. It supports filtering by network layer, protocol, host, network or port, and provides logical expressions for combining filters.

8.2.1.1. Common command line options

-B  buffer size for captured traffic, in KB; if it is too small, packets may be dropped
-c  exit after capturing n packets
-C  start a new file once the current file exceeds the given size, in MB
-i  interface (NIC) to capture on
-n  do not resolve addresses to names
-r  read a saved pcap file
-s  capture snaplen bytes of each packet; 0 captures the whole packet
-q  print brief protocol information, so output lines are shorter
-W  stop writing after cnt files
-w  save traffic to a file; together with -G the file name can use strftime format, e.g. %Y_%m_%d_%H_%M_%S.pcap
-G  rotate the output file every given number of seconds
-v  verbose output; -vv and -vvv are progressively more verbose
-X  print headers and packet contents (hex and ASCII)
-Z  switch to the given user before writing files

8.2.2. Bro

Bro is an open source network traffic analysis tool that supports multiple protocols and can analyze traffic in real time or offline.

8.2.2.1. Command Line

8.2.2.2. Script

In order to extend and customize the functionality of Bro, Bro provides an event-driven scripting language.

8.2.3. Tcpflow

Tcpflow is also a packet capture tool; its distinguishing feature is that it displays the captured data as streams. When analysing data from protocols such as HTTP, tcpflow is the more convenient choice.

8.2.3.1. Common command line options

-b max_bytes  maximum bytes captured per flow
-e name       specify the scanner (parser) to use
-i interface  interface to capture on
-o outputdir  output directory
-r file       read from a file
-R file       read from a file, but only read complete files

8.2.4. Tshark

Tshark is the command-line tool of Wireshark. It can extract the data you want through command-line options, its output can be redirected to a file, and it can be driven from a higher-level language that calls the command line to do the data processing.

8.2.4.1. Input interface

-i  capture interface; defaults to the first non-loopback interface
-f  capture filter expression in libpcap syntax; it is applied while capturing, so it is not needed when analysing local files
-s  snapshot length, used to read the complete packet; because of the 65535 limit for transmission on the network, a value of 0 means a snapshot length of 65535; the default is 65535
-p  non-promiscuous mode, i.e. only traffic involving this machine
-B  buffer size; only valid on Windows; default 2M
-y  data link layer protocol to capture; if not set, defaults to the first protocol listed by -L
-D  print the list of interfaces and exit
-L  list the data link layer protocols this machine supports, for use with the -y parameter
-r  read a local file

8.2.4.2. Capture stop option

-c  capture n packets and stop; unlimited by default
-a  duration:NUM stop after NUM seconds; filesize:NUM stop after NUM KB; files:NUM stop after NUM files have been captured

8.2.4.3. Processing option

-Y  read (display) filter; replaces the -R option
-n  disable all address name resolution (all resolution is enabled by default)
-N  enable address name resolution for a given layer: m the MAC layer, n the network layer, t the transport layer, C concurrent (asynchronous) DNS lookups. If -n and -N are both given, -n is ignored; if neither is given, all address name resolution is on by default
-d  decode the specified traffic according to the given protocol, e.g. to decode TCP port 8888 as HTTP write -d tcp.port==8888,http; tshark -d . lists all supported valid selectors

8.2.4.4. Output option

-w  output file for raw data; stdout if not set
-F  output file format; the default is .pcapng, and tshark -F lists all supported output file types
-V  add detailed output
-O  show details only for the protocols given with this option
-P  print the packet summary even when the decoded result is written to a file
-S  line separator
-x  show each packet's data as a hex dump in the decoded output
-T pdml|ps|text|fields|psml  format of the decoded output; the default is text
-e  if -T fields is specified, -e selects which fields to output
-t a|ad|d|dd|r|u|ud  time format of the decoded output
-u s|hms  format for output seconds
-l  flush standard output after each packet; used together with the -z option for statistical analysis
-X  extensions: lua_script, read_format
-z  statistics options; see the documentation for details
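The -T fields / -e output is what makes tshark easy to drive from a higher-level language, as noted at the start of this section. The following Python script is an added example, not code from the original article: it builds the tshark command line from the options above (-n, -r, -Y, -T fields, -e, -E separator) and summarises the field output to flag a source that sent SYNs to many distinct ports. The constructed SAMPLE lines stand in for real tshark output so the summary runs offline; the pcap path and the port threshold are assumptions.

```python
import subprocess
from collections import Counter

# Columns requested with -e; tshark prints one packet per line, tab-separated.
FIELDS = ["ip.src", "ip.dst", "tcp.dstport", "frame.len"]
SYN_ONLY = "tcp.flags.syn==1 && tcp.flags.ack==0"  # display filter for -Y

def tshark_cmd(pcap, display_filter=SYN_ONLY):
    """-n no name resolution, -r read file, -Y display filter, -T fields/-e/-E columns."""
    cmd = ["tshark", "-n", "-r", pcap, "-Y", display_filter,
           "-T", "fields", "-E", "separator=/t"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd

def summarise(lines):
    """Count SYNs per (source, dst port) and bytes per destination; skip rows with empty columns."""
    syns, byte_count = Counter(), Counter()
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != len(FIELDS) or not all(parts):
            continue  # non-IP/TCP frame: tshark leaves those columns empty
        src, dst, dport, length = parts
        syns[(src, int(dport))] += 1
        byte_count[dst] += int(length)
    return syns, byte_count

def scan_suspects(syns, min_ports=10):
    """Sources that sent SYNs to at least min_ports distinct destination ports (assumed threshold)."""
    ports_by_src = {}
    for src, dport in syns:
        ports_by_src.setdefault(src, set()).add(dport)
    return sorted(s for s, ports in ports_by_src.items() if len(ports) >= min_ports)

def summarise_pcap(pcap):
    """Run tshark on a saved capture and summarise its field output."""
    proc = subprocess.run(tshark_cmd(pcap), capture_output=True, text=True, check=True)
    return summarise(proc.stdout.splitlines())

# Constructed sample of -T fields output (not a real capture): one host probing
# 12 ports, one normal client, one frame without IP/TCP columns.
SAMPLE = ["10.0.0.5\t10.0.0.80\t%d\t60" % p for p in range(20, 32)] + [
    "10.0.0.7\t10.0.0.80\t443\t74",
    "10.0.0.7\t10.0.0.80\t443\t74",
    "\t\t\t42",
]

if __name__ == "__main__":
    syns, byte_count = summarise(SAMPLE)
    print("SYN sources probing many ports:", scan_suspects(syns))
```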

8.2.4.5. Other options


8.3. Sniffing tool

8.3.1. Nmap

Usage: nmap [Scan Type(s)] [Options] {target specification}

8.3.1.1. Specify the target

CIDR style: 192.168.1.0/24
comma-separated: www.baidu.com,www.zhihu.com
ranges: 10.22-25.43.32
from a file: -iL
exclude unwanted hosts: --exclude, --excludefile

8.3.1.2. Host discovery

-sL  list scan: simply list the targets to scan
-sn/-sP  ping scan: disable port scan
-Pn  treat all hosts as online, skip host discovery
-sS/sT/sA/sW/sM  TCP SYN/Connect()/ACK/Window/Maimon scans
-sU  UDP scan
-sN/sF/sX  TCP Null, FIN and Xmas scans

8.3.1.3. Port scan

--scanflags  customised TCP scan flags
-P0  no ping
-PS [port list]  TCP SYN ping (needs root on Unix)
-PA [port list]  TCP ACK ping
-PU [port list]  UDP ping
-PR  ARP ping
-p  port specification
-F  fast scan
-r  do not scan ports in random order

8.3.1.4. Service and version probe

-sV  version probe
--allports  do not exclude any port from version detection
--version-intensity  set the version scan intensity
--version-light  lightweight mode (intensity level 2)
--version-all  try every probe (intensity level 9)
--version-trace  trace version scan activity
-sR  RPC scan

8.3.1.5. Operating system scan

-O  enable operating system detection
--osscan-limit  perform operating system detection only for the specified targets
--osscan-guess / --fuzzy  guess the operating system detection result

8.3.1.6. Time and performance

--min-hostgroup / --max-hostgroup  adjust the size of the parallel scan group
--min-parallelism / --max-parallelism  adjust the parallelism of probe packets
--min-rtt-timeout / --max-rtt-timeout / --initial-rtt-timeout  adjust the probe packet timeout
--host-timeout  give up on slow target hosts
--scan-delay / --max-scan-delay  adjust the interval between probe packets
-T  set the timing template

8.3.1.7. Related to evading penetration testing

--mtu  use the specified MTU
-D  covert scan using decoys
-S  source address spoofing
-e  use the specified interface
--source-port / -g  source port spoofing
--data-length  send packets padded with random data
--ttl  set the TTL
--randomize-hosts  randomise the order of target hosts
--spoof-mac  MAC address spoofing

8.3.1.8. Output
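Nmap's grepable output (-oG) is the easiest form to post-process. The following Python script is an added example, not code from the article or the nmap project: it parses -oG output and compares the open ports against an allowlist of what each host is supposed to expose, so a scan of your own hosts reports drift from the intended exposure. The ALLOWED map and the SAMPLE output are constructed; the output file name is an assumption.

```python
import re
import subprocess

# Constructed allowlist: the services each host is supposed to expose.
ALLOWED = {"10.0.0.80": {("tcp", 22), ("tcp", 443)}}

# One entry of the Ports: field: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Parse nmap -oG output into {host: [(proto, port, state, service, version)]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and Status-only lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = hosts.setdefault(host, [])
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            entries.append((proto, int(port), state, service, version))
    return hosts

def exposure_drift(hosts, allowed):
    """Open ports missing from the allowlist, and allowed ports that are not open."""
    unexpected, missing = [], []
    for host, entries in hosts.items():
        open_ports = {(proto, port) for proto, port, state, _, _ in entries if state == "open"}
        expected = allowed.get(host, set())
        unexpected += sorted((host,) + p for p in open_ports - expected)
        missing += sorted((host,) + p for p in expected - open_ports)
    return unexpected, missing

def scan_and_check(targets, allowed=ALLOWED, out="scan.gnmap"):
    """Run the version scan (-sV) with grepable output (-oG) and check it against the allowlist."""
    subprocess.run(["nmap", "-sV", "-oG", out] + list(targets), check=True)
    with open(out) as f:
        return exposure_drift(parse_grepable(f.read()), allowed)

# Constructed -oG output (not a real scan result).
SAMPLE = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 10.0.0.80 ()\tStatus: Up\n"
    "Host: 10.0.0.80 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, "
    "443/open/tcp//https//nginx 1.24/, 8888/open/tcp//http//Python http.server/, "
    "25/filtered/tcp//smtp///\tIgnored State: closed (996)\n"
    "# Nmap done\n"
)

if __name__ == "__main__":
    print(exposure_drift(parse_grepable(SAMPLE), ALLOWED))
```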

8.3.1.9. Details and debugging

-v  verbosity level
-d [level]  debug level
--packet-trace  trace packets sent and received
--iflist  list interfaces and routes

The detection and bypass methods encountered in website security penetration testing all serve one purpose: ensuring the security of the website or platform. If you want to learn more about security testing and penetration test evaluation before going live, consult a professional website security company to meet your testing needs. Domestic recommendations such as Sinesafe, Green Alliance, Kai Ming Star and Sangfor are all very good security companies.
