-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
b24c531
commit ef943b0
Showing
4 changed files
with
225 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
# NAV | ||
|
||
- [踩点](./踩点.md) | ||
- [扫描](./扫描.md) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,194 @@ | ||
# 扫描 | ||
|
||
使用扫描来发现目标系统有哪些服务对外监听以及能直接从因特网访问 | ||
|
||
## ARP主机发现 | ||
|
||
- 使用arp-scan | ||
- arp-scan时在局域网内最合理最快的扫描工具 | ||
|
||
```shell | ||
my@my-PC:~$ sudo arp-scan 192.168.43.0/24 | ||
Interface: wlp3s0, datalink type: EN10MB (Ethernet) | ||
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) | ||
192.168.43.1 82:92:e3:d0:7f:d4 (Unknown) | ||
|
||
1 packets received by filter, 0 packets dropped by kernel | ||
Ending arp-scan 1.9: 256 hosts scanned in 2.531 seconds (101.15 hosts/sec). 1 responded | ||
``` | ||
|
||
- 使用nmap也能同样进行扫描 | ||
|
||
```shell | ||
sudo nmap -sn -PR 192.168.43.0/24 | ||
|
||
Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-09 09:00 CST | ||
Nmap scan report for 192.168.43.1 | ||
Host is up (0.0047s latency). | ||
MAC Address: 82:92:E3:D0:7F:D4 (Unknown) | ||
Nmap scan report for 192.168.43.242 | ||
Host is up. | ||
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.82 seconds | ||
``` | ||
|
||
## ICMP主机发现 | ||
|
||
>ICMP协议是一种面向无连接的协议,用于传输出错报告控制信息。它是一个非常重要的协议,它对于网络安全具有极其重要的意义 | ||
### 响应报文 | ||
|
||
![](https://upload-images.jianshu.io/upload_images/661949-c12f10903433842a.png?imageMogr2/auto-orient/strip|imageView2/2/w/1200/format/webp) | ||
|
||
- 使用ping | ||
|
||
- 使用nmap扫描 | ||
|
||
```shell | ||
my@my-PC:~$ sudo nmap -sn -PE zbq.ismy.wang | ||
|
||
Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-09 10:04 CST | ||
Nmap scan report for zbq.ismy.wang (120.79.6.172) | ||
Host is up (0.067s latency). | ||
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds | ||
``` | ||
|
||
- 使用hping | ||
|
||
```shell | ||
my@my-PC:~$ sudo nping -c 2 --icmp --icmp-type time zbq.ismy.wang | ||
|
||
Starting Nping 0.7.40 ( https://nmap.org/nping ) at 2019-12-09 10:07 CST | ||
SENT (0.0627s) ICMP [192.168.43.242 > 120.79.6.172 Timestamp request (type=13/code=0) id=52393 seq=1 orig=0 recv=0 trans=0] IP [ttl=64 id=34535 iplen=40 ] | ||
SENT (1.0630s) ICMP [192.168.43.242 > 120.79.6.172 Timestamp request (type=13/code=0) id=52393 seq=2 orig=0 recv=0 trans=0] IP [ttl=64 id=34535 iplen=40 ] | ||
|
||
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A | ||
Raw packets sent: 2 (80B) | Rcvd: 0 (0B) | Lost: 2 (100.00%) | ||
Nping done: 1 IP address pinged in 2.09 seconds | ||
``` | ||
|
||
- windows 下可以使用superScan | ||
|
||
## TCP/UDP主机发现 | ||
|
||
|
||
- 使用nmap | ||
|
||
```shell | ||
my@my-PC:~$ nmap -Pn 192.168.43.1 | ||
|
||
Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-09 10:11 CST | ||
Nmap scan report for 192.168.43.1 | ||
Host is up (0.026s latency). | ||
Not shown: 999 closed ports | ||
PORT STATE SERVICE | ||
53/tcp open domain | ||
|
||
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds | ||
|
||
``` | ||
|
||
- 只扫描开启特定端口的主机 | ||
|
||
```shell | ||
my@my-PC:~$ sudo nmap -Pn -sS -p 53 192.168.43.0/24 | ||
|
||
Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-09 10:13 CST | ||
Nmap scan report for 192.168.43.1 | ||
Host is up (0.0079s latency). | ||
PORT STATE SERVICE | ||
53/tcp open domain | ||
MAC Address: 82:92:E3:D0:7F:D4 (Unknown) | ||
|
||
Nmap scan report for 192.168.43.242 | ||
Host is up (0.000052s latency). | ||
PORT STATE SERVICE | ||
53/tcp closed domain | ||
|
||
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.36 seconds | ||
``` | ||
|
||
- 使用nping | ||
|
||
```shell | ||
my@my-PC:~$ sudo nping -c 2 --tcp -p 53 --flags syn 192.168.43.1 | ||
|
||
Starting Nping 0.7.40 ( https://nmap.org/nping ) at 2019-12-09 10:14 CST | ||
SENT (0.0368s) TCP 192.168.43.242:30555 > 192.168.43.1:53 S ttl=64 id=55281 iplen=40 seq=2174361648 win=1480 | ||
RCVD (0.2232s) TCP 192.168.43.1:53 > 192.168.43.242:30555 SA ttl=64 id=0 iplen=44 seq=2937135821 win=65535 <mss 1460> | ||
SENT (1.0373s) TCP 192.168.43.242:30555 > 192.168.43.1:53 S ttl=64 id=55281 iplen=40 seq=2174361648 win=1480 | ||
RCVD (1.2432s) TCP 192.168.43.1:53 > 192.168.43.242:30555 SA ttl=64 id=0 iplen=44 seq=2952774060 win=65535 <mss 1460> | ||
|
||
Max rtt: 205.814ms | Min rtt: 186.441ms | Avg rtt: 196.127ms | ||
Raw packets sent: 2 (80B) | Rcvd: 2 (88B) | Lost: 0 (0.00%) | ||
Nping done: 1 IP address pinged in 1.28 seconds | ||
``` | ||
|
||
### 预防 | ||
|
||
- 密切留意ping活动 | ||
- 根据需求决定放行哪些ICMP请求 | ||
|
||
## 端口扫描 | ||
|
||
>>端口扫描是指某些别有用心的人发送一组端口扫描消息,试图以此侵入某台计算机,并了解其提供的计算机网络服务类型(这些网络服务均与端口号相关) | ||
### sS (TCP SYN扫描) | ||
|
||
这种扫描也叫做半开扫描,不会建立一条tcp连接,所以很隐蔽 | ||
|
||
```shell | ||
my@my-PC:~$ sudo nmap -sS 192.168.43.1 | ||
|
||
Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-09 10:26 CST | ||
Nmap scan report for 192.168.43.1 | ||
Host is up (0.050s latency). | ||
Not shown: 999 closed ports | ||
PORT STATE SERVICE | ||
53/tcp open domain | ||
MAC Address: 82:92:E3:D0:7F:D4 (Unknown) | ||
|
||
Nmap done: 1 IP address (1 host up) scanned in 1.95 seconds | ||
``` | ||
|
||
- 添加D选项,可以假冒其他源IP发送请求,混杂在扫描请求当中 | ||
|
||
```shell | ||
my@my-PC:~$ sudo nmap -sS 192.168.43.1 -D 10.1.1.1 | ||
|
||
Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-09 10:33 CST | ||
Nmap scan report for 192.168.43.1 | ||
Host is up (0.062s latency). | ||
Not shown: 999 closed ports | ||
PORT STATE SERVICE | ||
53/tcp open domain | ||
MAC Address: 82:92:E3:D0:7F:D4 (Unknown) | ||
|
||
Nmap done: 1 IP address (1 host up) scanned in 5.55 seconds | ||
``` | ||
|
||
- FTP反弹扫描 | ||
|
||
它允许用户连接到一台FTP服务器,然后要求文件送到一台第三方服务器。 这个特性在很多层次上被滥用,所以许多服务器已经停止支持它了。其中一种就是导致FTP服务器对其它主机端口扫描。 只要请求FTP服务器轮流发送一个文件到目标主机上的所感兴趣的端口。 错误消息会描述端口是开放还是关闭的。 这是绕过防火墙的好方法 | ||
|
||
### 使用netcat扫描 | ||
|
||
```shell | ||
my@my-PC:~$ nc -v -z -w2 192.168.43.1 1-140 | ||
192.168.43.1: inverse host lookup failed: Unknown host | ||
(UNKNOWN) [192.168.43.1] 53 (domain) open | ||
``` | ||
|
||
### 预防 | ||
|
||
- 使用入侵检测系统(IDS) | ||
- 关闭不必要服务 | ||
|
||
## 操作系统检测 | ||
|
||
- 使用nmap -O 选项,探测操作系统类型 | ||
|
||
|
||
|
||
|
||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# 踩点 | ||
|
||
攻击者对某个组织进行有计划,有步骤的踩点,收集整理出一份关于该组织的安全剖析图 | ||
|
||
## 因特网踩点 | ||
|
||
- web网页 | ||
- 相关组织 | ||
- 地理信息 | ||
- 员工信息 | ||
- 近期重大事件 | ||
- 安全策略 | ||
- 搜索引擎 | ||
|
||
### whois | ||
|
||
- 通过whois,可以查询到域名拥有者信息 | ||
|
||
### DNS | ||
|
||
- 通过nslookup查询该组织的相关dns服务器信息 | ||
|
||
### 网络侦查 | ||
|
||
- traceroute可以侦查到目的主机传输路径经过的网际跳远 | ||
|