
Scanning and Application of Nmap in pentest box

2025-10-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Recently I have been thinking that in Web penetration testing, frontal penetration is one way of thinking, and lateral and vertical penetration is another. During a penetration test the protection of the target's main site keeps getting stricter, while the C segment or B segment of the IP address where the target sits is relatively easier to get into. This kind of penetration depends on collecting and organizing target information. The main ways to collect this information are sub-domain brute forcing and port scanning. Sub-domain brute forcing will be covered in the next article; this article mainly introduces the ideas behind port scanning and its application.

I. Port scan preparation

1. Download PentestBox

PentestBox is an integrated penetration testing platform for Windows. Its official website is https://pentestbox.org/. The latest version is 2.2. Builds with and without Metasploit can be downloaded from:

https://sourceforge.net/projects/pentestbox/files/

https://nchc.dl.sourceforge.net/project/pentestbox/PentestBox-with-Metasploit-v2.2.exe

After the download completes, extract the exe file and then use it.

2. Download the latest version of nmap and upgrade PentestBox

Currently, the latest stable version of nmap is 7.60 (https://nmap.org/dist/nmap-7.60-win32.zip). Download it, locate the nmap directory under the PentestBox installation, such as E:\PentestBox\bin\nmap, and overwrite that directory with all the files extracted from nmap-7.60-win32.zip; this upgrades the nmap bundled with PentestBox to the latest version.

3. Collate and determine the target information

Through sub-domain brute forcing, obtain the IP addresses of the current sub-domains, organize these addresses, and form the C segments of the IP addresses where the sub-domains or the domain are located, such as 192.168.1.1-254. If it is a single target, you can obtain the real IP address of the domain name by ping or a DNS lookup.

II. Scanning with Nmap

1. Nmap scanning parameters in detail

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

-iL: input a list of hosts or networks. The -iL parameter is followed by the name of an input file containing IP addresses, IP address ranges or network addresses.

-iR: choose random targets to scan; 0 means scan forever.

--exclude: exclude hosts / networks

--excludefile: exclude the hosts or networks listed in a file

Host discovery:

-sL: List Scan. A simple list scan, rarely used, which only lists the targets and does not include information such as ports.

-sn: Ping Scan. Does not scan ports; it mainly finds the list of hosts and whether they are up.

-Pn: treat all hosts as online and skip host discovery

-PS/PA/PU/PY [portlist]: TCP SYN/ACK, UDP or SCTP discovery to the given ports

-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

-PO [protocol list]: IP Protocol Ping, followed by a list of protocols

-n: never do DNS resolution; Nmap never reverse-resolves the active IP addresses it discovers.

-R: always resolve; tell Nmap to always reverse-resolve the destination IP addresses.

--system-dns: use the system DNS resolver. By default, Nmap resolves names by sending queries directly to the name servers configured on your host. To improve performance, many requests (usually dozens) are executed concurrently. Specify this option if you want to use the system's resolver instead.

--traceroute: trace the hop path to each host

Scanning techniques:

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-sS: TCP SYN scan (half-open scan). SYN scan is the default and most popular scan option. It performs very fast, scanning thousands of ports per second on a fast network without a firewall.

-sT: TCP connect() scan. A TCP connect scan leaves connection logs on the target.

-sU: UDP scan, which can be combined with a TCP scan such as SYN scan (-sS) to check both protocols in the same run. UDP scanning is slow.

-sN: Null scan, which sets no flag bits (the TCP flag header is 0)

-sF: FIN scan, which sets only the TCP FIN flag bit.

-sX: Xmas scan, which sets the FIN, PSH, and URG flag bits.

The key advantage of -sN, -sF and -sX (TCP Null, FIN, and Xmas scans) is that they can evade some stateless firewalls and packet-filtering routers. Another advantage is that these scan types are even a little stealthier than a SYN scan.

--scanflags: custom TCP scan. The --scanflags option allows you to design your own scan by specifying arbitrary TCP flag bits. The --scanflags argument can be a numeric flag value such as 9 (PSH and FIN), but using symbolic names is easier: any combination of URG, ACK, PSH, RST, SYN, and FIN.

-sI (Idle scan): this advanced scan method allows a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a side-channel attack exploits the predictable IP fragmentation ID sequence generation on a zombie host to glean information about the open ports on the target. IDS systems will report the scan as coming from the zombie machine you specify. Besides being extraordinarily stealthy (because it sends no packets from the real IP address), this scan type permits mapping out IP-based trust relationships between machines: the port list shows open ports from the perspective of the zombie host.

-sY/sZ: SCTP INIT/COOKIE-ECHO scans

-sO: IP protocol scan, which determines which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target. Protocol scan works in a similar way to UDP scan. Instead of iterating through the port field of UDP packets, it iterates through the 8-bit IP protocol field and sends IP headers. The headers are usually empty, containing no data and not even the proper header for the claimed protocol; TCP, UDP, and ICMP are the three exceptions. A proper protocol header is used for those three because some systems otherwise refuse to send them, and Nmap already has functions to create them.

-b: FTP bounce scan. An interesting feature of the FTP protocol is its support for so-called proxy FTP connections. It allows a user to connect to one FTP server and then ask that files be sent to a third-party server. This feature has been abused on many levels, so many servers have stopped supporting it. One such abuse is to make the FTP server port-scan other hosts: simply ask the FTP server to send a file, in turn, to each port of interest on the target host. The error message describes whether the port is open or closed. This is a good way to bypass firewalls, because FTP servers are often placed where they have more access to internal hosts than the Web host does. Nmap supports FTP bounce scanning with the -b option; the argument format is <username>:<password>@<server>:<port>, where <server> is the name or IP address of a vulnerable FTP server. You may be able to omit <username>:<password> if anonymous login (user: anonymous, password: -wwwuser@) is allowed on the server. The port number (and the preceding colon) can also be omitted if the default FTP port (21) is used.

Port specification and scan order:

-p: scan only the specified ports, for example -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

--exclude-ports: exclude the specified ports from the scan port range.

-F: fast mode (scan fewer ports than the default)

-r: do not randomize the port order; scan ports sequentially

--top-ports: scan the given number of the most common ports

Service and version detection:

-sV: enable service/version detection. You can use -A to turn on OS detection and version detection at the same time

--version-intensity: set version scan intensity from 0 to 9. The default is 7. Higher values are more likely to identify a service correctly but take longer.

--version-light: enable light mode, which scans faster but is slightly less likely to identify services.

--version-all: try every single probe on each port (intensity 9)

--version-trace: show detailed version scan activity for debugging

Script scan:

-sC: equivalent to --script=default

--script=: a comma-separated list of directories, script files, or script categories. The bundled nmap scripts are in the scripts directory, such as the FTP brute-force script "ftp-brute.nse".

--script-args=: provide arguments to scripts

--script-args-file=filename: provide NSE script arguments in a file

--script-trace: show all data sent and received

--script-updatedb: update the script database.

--script-help=: show help information about scripts.

OS detection:

-O: enable OS detection, or use -A to enable both OS detection and version detection

--osscan-limit: limit OS detection to promising targets

--osscan-guess: guess the OS more aggressively

Timing and performance:

Options which take a time value are in seconds, or append a unit: ms (milliseconds), s (seconds), m (minutes), h (hours)

-T: set the timing template. T0-T5 are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5). Polite mode slows the scan down to use less bandwidth and target host resources. The default is T3; aggressive mode (T4) assumes that the user is on a reasonably fast and reliable network and speeds the scan up. Insane mode assumes the user has an exceptionally fast network or is willing to sacrifice accuracy for speed.

--min-hostgroup/max-hostgroup: parallel host scan group sizes

--min-parallelism/max-parallelism: probe parallelization

--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout: adjust the probe round-trip timeouts

--max-retries: cap the number of port scan probe retransmissions

--host-timeout: give up on a target after this long

--scan-delay/--max-scan-delay: adjust the delay between probes

--min-rate: send packets no slower than the given number per second

--max-rate: send packets no faster than the given number per second

Firewall / IDS evasion and spoofing:

-f; --mtu: fragment packets into small IP fragments, optionally with the given MTU. The idea is to split the TCP header across several packets, making it harder for packet filters, intrusion detection systems and other tools to detect the scan

-D: cloak the scan with decoys

-S: spoof the source address

-e: use the specified interface

-g/--source-port: use the given source port number

--proxies: relay connections through HTTP / SOCKS4 proxies

--data: append a custom payload to sent packets

--data-string: append a custom ASCII string to sent packets

--data-length: append random data to sent packets

--ip-options: send packets with the specified IP options

--ttl: set the IP time-to-live field

--spoof-mac: spoof your MAC address

--badsum: send packets with a bogus TCP/UDP/SCTP checksum

Output:

-oN/-oX/-oS/-oG: output the scan in normal, XML, script kiddie, and grepable format respectively, to the given file name

-oA: output in the three major formats at once

-v: increase the verbosity level (use -vv or more for greater effect)

-d: increase the debugging level (use -dd or more for greater effect)

--reason: display the reason a port is in a particular state.

--open: only show open (or possibly open) ports

--packet-trace: show all packets sent and received

--iflist: print host interfaces and routes (for debugging)

--append-output: append to rather than clobber the specified output files

--resume: resume an aborted scan

--stylesheet: set the XSL stylesheet used to transform the XML output

--webxml: reference the stylesheet from Nmap.org for more portable XML.

--no-stylesheet: ignore the XSL stylesheet declared in the XML; use this option to prevent Nmap's XML output from being associated with any XSL stylesheet

Other options:

-6: enable IPv6 scanning

-A: aggressive scan mode; enables OS detection, version detection, script scanning and traceroute

--datadir: specify a custom location for Nmap data files

--send-eth/--send-ip: send using raw Ethernet frames or raw IP packets

--privileged: assume that the user is fully privileged

--unprivileged: assume that the user lacks raw socket privileges

-V: print the version number

-h: print the help summary

2. Usage examples

(1) nmap -v scanme.nmap.org

Scan all reserved TCP ports (the default set of 1000 ports) on the host scanme.nmap.org. Option -v enables verbose mode.

(2) nmap -sS -O scanme.nmap.org/24

Launch a stealth SYN scan against the 255 hosts in the "class C" network where the host scanme is located. At the same time, try to determine the operating system of each host that is up. This scan requires root privileges because of the SYN scan and OS detection.

(3) nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Perform host enumeration and a TCP scan against the first half of each of the 255 possible 8-bit subnets in the 198.116 class B address space. This checks whether the systems are running sshd, DNS, imapd, or port 4564. If any of these ports are open, version detection is used to determine which application is running.

(4) nmap -v -iR 100000 -P0 -p 80

Randomly choose 100000 hosts and scan them for Web servers (port 80). Sending probes to determine whether a host is up is a waste of time when only one port per host needs to be probed, so -P0 is used to disable host discovery.

(5) nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

Scan 4096 IP addresses for Web servers (without pinging them) and save the results in grepable and XML formats.

(6) host -l company.com | cut -d ' ' -f 4 | nmap -v -iL -

Perform a DNS zone transfer to find the hosts in company.com, then feed the IP addresses to Nmap. The command above is for GNU/Linux; other systems use different commands for zone transfers.

3. Common scans

(1) nmap -p 1-65535 -T4 -A -v 47.91.163.1-254 -oX 47.91.163.1-254.xml

Scan all ports of the IP address range 47.91.163.1-254 using the fast timing template (-T4) and output the results to 47.91.163.1-254.xml

(2) nmap -v 47.91.163.1-254

Scan the common TCP ports on the C segment

(3) nmap -O 47.91.163.1

Detect the OS version and open TCP ports of the server 47.91.163.1

(4) nmap -sn 10.0.1.161-166

Scan for live hosts

(5) nmap -e eth0 10.0.1.161 -S 10.0.1.168 -Pn

Scan 10.0.1.161 using the spoofed source address 10.0.1.168

(6) nmap --iflist

View local routes and interfaces

(7) nmap --script smb-vuln-ms17-010.nse -p 445 192.168.1.1

nmap --script=samba-vuln-cve-2012-1182 -p 139 192.168.1.3

Use the vulnerability script smb-vuln-ms17-010.nse to check host 192.168.1.1.

(8) nmap --script whois-domain.nse www.secbang.com

Get the domain registration information of secbang.com. The script works well for foreign domain names.

(9) nmap --script ftp-brute -p 21 127.0.0.1

Brute-force the FTP accounts of 127.0.0.1

(10) nmap -sV --script=http-enum 127.0.0.1

Enumerate the directories of 127.0.0.1

4. Real-world scanning

Scan the collated IP address ranges or IPs:

(1) scan a single IP address range

nmap -p 1-65535 -T4 -A -v 47.91.163.1-254 -oX 47.91.163.1-254.xml

(2) scan the IP address ranges listed in a file

nmap -p 1-65535 -T4 -A -v -iL mytarget.txt -oX mytarget.xml

III. Analysis and processing of scan results

1. View the scan files

In some cases the scan is run on a server, and after it finishes the results are downloaded locally for viewing; as shown in figure 1, the XSL stylesheet then fails to load. The usual cause is that the nmap.xsl path recorded in the XML file points at nmap's location on the scanning machine, as shown in figure 2; just set the correct file location. For example, the original nmap address is:

C:/Program Files (x86)/Nmap/nmap.xsl

The new address is:

E:\Tools\Test platform\PentestBox-with-Metasploit-v2.2\bin\nmap\nmap.xsl

Replace it in the XML file of the scan results, keeping in mind that you need to change the path separator "\" to "/".

Figure 1 Viewing the XML shows an error

Figure 2 Modify the file location

2. Analyze and process the scan results

(1) View hosts with open ports from the overview

As shown in figure 3, after opening the XML file the scan summary is displayed at the top. A result with a background colour indicates that the host has open ports, and an IP displayed in black indicates that no ports are open or that the firewall has blocked or filtered them.

Figure 3 View the scan overview

(2) Check the scan results one by one

Check the IP addresses with the light green background one by one, such as 47.91.163.219, as shown in figure 4. When you open one, you can see scan results such as the IP address and open ports, and some details are shown under each open port.

Figure 4 Check the scan results and the scan details.
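As an added example (not from the original article), the following Python script does what steps 1 and 2 above describe by hand: it parses an nmap -oX result into a list of hosts with open ports and their services, and rewrites the xml-stylesheet path so the XML still renders after being moved to another machine. The sample XML and the E:\ path are constructed assumptions, not real scan output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX layout (not real scan output). The
# xml-stylesheet href still points at nmap.xsl on the machine that ran the scan.
SAMPLE_XML = """<?xml version="1.0"?>
<?xml-stylesheet href="file:///C:/Program Files (x86)/Nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -p 1-65535 -T4 -A -v 47.91.163.1-254 -oX 47.91.163.1-254.xml">
<host><status state="up"/><address addr="47.91.163.174" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
<host><status state="up"/><address addr="47.91.163.200" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
</ports></host>
<host><status state="down"/><address addr="47.91.163.201" addrtype="ipv4"/></host>
</nmaprun>
"""


def open_ports(xml_text):
    """Map each IPv4 host with at least one open port to its [(port, proto, service)]."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        found = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the inventory
            svc = port.find("service")
            # Prefer the product name from -sV (e.g. "Apache Tomcat") over the generic name
            name = "" if svc is None else (svc.get("product") or svc.get("name") or "")
            found.append((int(port.get("portid")), port.get("protocol"), name))
        if found:
            inventory[addr.get("addr")] = sorted(found)
    return inventory


def fix_stylesheet(xml_text, new_xsl_path):
    """Point the xml-stylesheet PI at new_xsl_path, converting Windows '\\' to '/'."""
    href = "file:///" + new_xsl_path.replace("\\", "/")
    return re.sub(r'(<\?xml-stylesheet\s+href=")[^"]*(")',
                  lambda m: m.group(1) + href + m.group(2), xml_text, count=1)


if __name__ == "__main__":
    # Hypothetical new path, as in the article's PentestBox example
    fixed = fix_stylesheet(SAMPLE_XML, r"E:\Tools\Test platform\PentestBox-with-Metasploit-v2.2\bin\nmap\nmap.xsl")
    for ip, ports in open_ports(fixed).items():
        print(ip, ", ".join(f"{p}/{proto} {svc}".rstrip() for p, proto, svc in ports))
```

Hosts that are down or have only closed/filtered ports are left out of the inventory, which matches the black-font entries in the overview described above.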

(3) Test whether the scanned ports are open.

Use http://ip:port to test access and see whether the web page can be reached properly; in this case, for example, http://47.91.163.174:8080/ can be accessed and the system is running Tomcat, as shown in figure 5.

Figure 5 Access to the scan results

(4) Tips

Use the Ctrl+F shortcut in the browser to search for the keywords you want to view. All test results should be recorded to make it easier to choose penetration methods at a later stage.

3. Further penetration

By analyzing the scan results, we can directly or indirectly test the services the server exposes and their possible vulnerabilities. For example, on the Java platform we can test for Struts-series vulnerabilities, as shown in figure 6. Some targets also require brute-force cracking, tool scanning and other work until vulnerabilities are found and privileges are obtained.

Figure 6 Directly test for vulnerabilities

In further penetration we need to combine multiple areas of knowledge and research the specific problems encountered. Ideas for reference:

(1) work out the target's architecture and try to find weaknesses in the architecture.

(2) if there is a login or management interface, try weak passwords and brute-force it.

(3) use scanners such as WVS to scan the site for vulnerabilities

(4) use Burp Suite to analyze and test the site for vulnerabilities.

(5) if it is an unfamiliar system, use search engines such as Baidu to see whether vulnerabilities and exploitation methods have been published on the Internet.

(6) download the source code of the same system, build a test environment, understand the system's weaknesses, summarize and reproduce the vulnerabilities, then test the real system.

(7) dig for possible vulnerabilities in the system.

(8) use XSS to obtain the administrator's password and other information.

(9) if you have an email address, you can use msf to generate a payload or apk for a social engineering attack.

(10) if all methods fail, wait and reorganize your thinking.

Reference article:

https://nmap.org/man/zh/

http://www.nmap.com.cn/doc/manual.shtm
