Layer 2 host discovery: advantages and disadvantages
Layer 2 host discovery means discovering hosts with a protocol of the data link layer of the OSI (ISO) model; ARP is normally used.
Advantages (hosts on a LAN communicate via ARP, using the MAC address as the identifying address):
1. Fast
2. Highly reliable
Disadvantage: cannot scan hosts that sit behind a router
Layer 2 discovery tools:
arping
netdiscover
Layer 3 discovery tools:
ping    check which layer-3 hosts on a subnet are alive
fping -g 192.168.1.1/24    layer-3 discovery of the target range (sends custom ICMP packets)
hping3 -c 2 --icmp 192.168.1.1    ping with a custom ICMP code
hping3 -c 3 -1 192.168.1.1 --icmpcode 1
Layer 4 discovery tools:
nmap 192.168.1.54
┌──(root㉿kali)-[~]
└─# nmap 192.168.1.54
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-16 12:15 EST
Nmap scan report for 192.168.1.54
Host is up (0.00028s latency).
Not shown: 988 filtered tcp ports (no-response), 10 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE
22/tcp open ssh
9090/tcp closed zeus-admin
MAC Address: 00:0C:29:84:47:4B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.28 seconds
hping3 --udp -c 3 IP
nWatch.py, some script
git clone https://github.com/Cyber-Forensic/nWatch.git
Couldn't get it to work...
=================================================
=================================================
4. Port scanning
nmap
nmap <IP address>
dmitry
dmitry -p    TCP port scan
netcat
nc -nvz <IP address> <port range>
Port classification
0-65535
TCP ports and UDP ports:
TCP and UDP are independent protocols, so their port numbers are independent of each other:
TCP has a port 235
UDP also has a port 235
Default (well-known) ports: 0-1023
Registered ports: 1024-49151
Dynamic ports: 49152-65535
nmap <IP address> --script banner -p <port number>
Single-port scan
┌──(root㉿kali)-[~]
└─# nmap -p 22 192.168.1.122 --script banner
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-17 22:53 EST
Nmap scan report for 192.168.1.122
Host is up (0.00019s latency).
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_8.7
MAC Address: 00:0C:29:42:60:34 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Multi-port scan
┌──(root㉿kali)-[~]
└─# nmap 192.168.1.222 --script banner -p 20-30
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-18 00:12 EST
Nmap scan report for 192.168.1.222
Host is up (0.00030s latency).
PORT STATE SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_8.7
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp filtered smtp
26/tcp filtered rsftp
27/tcp filtered nsw-fe
28/tcp filtered unknown
29/tcp filtered msg-icp
30/tcp filtered unknown
MAC Address: 00:0C:29:42:60:34 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
dmitry -pb <IP address>
┌──(root㉿kali)-[~]
└─# dmitry -pb 22 192.168.1.122
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 192.168.1.122
Continuing with limited modules
HostIP:192.168.1.122
HostName:
Gathered TCP Port information for 192.168.1.122
---------------------------------
Port State
22/tcp open
>> SSH-2.0-OpenSSH_8.7
Portscan Finished: Scanned 150 ports, 148 ports were in state closed
All scans completed, exiting
nc -nv 192.168.1.222 22
┌──(root㉿kali)-[~]
└─# nc -nv 192.168.1.222 20-30
(UNKNOWN) [192.168.1.222] 30 (?) : No route to host
(UNKNOWN) [192.168.1.222] 29 (?) : No route to host
(UNKNOWN) [192.168.1.222] 28 (?) : No route to host
(UNKNOWN) [192.168.1.222] 27 (?) : No route to host
(UNKNOWN) [192.168.1.222] 26 (?) : No route to host
(UNKNOWN) [192.168.1.222] 25 (smtp) : No route to host
(UNKNOWN) [192.168.1.222] 24 (?) : No route to host
(UNKNOWN) [192.168.1.222] 23 (telnet) : No route to host
(UNKNOWN) [192.168.1.222] 22 (ssh) open
SSH-2.0-OpenSSH_8.7
Invalid SSH identification string.
(UNKNOWN) [192.168.1.222] 21 (ftp) : No route to host
(UNKNOWN) [192.168.1.222] 20 (ftp-data) : No route to host
Getting service version information for a port
nmap -p <port> -sV <IP address>
View the service versions of all open ports on the target host
┌──(root㉿kali)-[~]
└─# nmap -sV 192.168.1.222
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-18 00:23 EST
Nmap scan report for 192.168.1.222
Host is up (0.00024s latency).
Not shown: 988 filtered tcp ports (no-response), 10 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.7 (protocol 2.0)
9090/tcp closed zeus-admin
MAC Address: 00:0C:29:42:60:34 (VMware)
Service detection performed.
Nmap done: 1 IP address (1 host up) scanned in 5.25 seconds
View the service version of a single port
┌──(root㉿kali)-[~]
└─# nmap -p 22 -sV 192.168.1.222
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-18 00:21 EST
Nmap scan report for 192.168.1.222
Host is up (0.00025s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.7 (protocol 2.0)
MAC Address: 00:0C:29:42:60:34 (VMware)
Service detection performed.
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
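As an added example (not from the original notes), a small Python parser for the nmap report layout shown above that pulls out host, port, state, service and version and then compares the open ports against an expected-exposure baseline; the report text and the baseline are constructed here and are not the notes' own data.

```python
import re

# Constructed sample in the layout of the nmap -sV report above (not captured output).
SAMPLE_REPORT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-18 00:23 EST
Nmap scan report for 192.168.1.222
Host is up (0.00024s latency).
Not shown: 988 filtered tcp ports (no-response), 10 filtered tcp ports (admin-prohibited)
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 8.7 (protocol 2.0)
9090/tcp closed zeus-admin
MAC Address: 00:0C:29:42:60:34 (VMware)
Service detection performed.
Nmap done: 1 IP address (1 host up) scanned in 5.25 seconds
"""

# Hypothetical exposure baseline: the ports we expect to be open on each host.
BASELINE = {"192.168.1.222": {22}}

# Matches "Nmap scan report for 10.0.0.5" and "Nmap scan report for name (10.0.0.5)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \((\S+)\)|(\S+))\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

def parse_report(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version or ""))
    return hosts

def unexpected_open_ports(hosts, baseline):
    """Open ports the baseline does not list, per host (empty dict means clean)."""
    findings = {}
    for host, ports in hosts.items():
        allowed = baseline.get(host, set())
        extra = [p for p in ports if p[2] == "open" and p[0] not in allowed]
        if extra:
            findings[host] = extra
    return findings
```

Run it over saved `nmap -oN` output to spot services that appeared since the last review.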
Getting operating system version information
See which operating system the target host is running
nmap -O 192.168.1.222
┌──(root㉿kali)-[~]
└─# nmap -O 192.168.1.222
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-18 00:27 EST
Nmap scan report for 192.168.1.222
Host is up (0.00035s latency).
Not shown: 988 filtered tcp ports (no-response), 10 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE
22/tcp open ssh
9090/tcp closed zeus-admin
MAC Address: 00:0C:29:42:60:34 (VMware)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Network Distance: 1 hop
OS detection performed.
Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds
View all information about the target host !!! Requires authorization !!!
nmap -A -v -T4 192.168.1.222
┌──(root㉿kali)-[~]
└─# nmap -A -v -T4 192.168.1.222
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-18 00:29 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:29
Completed NSE at 00:29, 0.00s elapsed
Initiating NSE at 00:29
Completed NSE at 00:29, 0.00s elapsed
Initiating NSE at 00:29
Completed NSE at 00:29, 0.00s elapsed
Initiating ARP Ping Scan at 00:29
Scanning 192.168.1.222 [1 port]
Completed ARP Ping Scan at 00:29, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:29
Completed Parallel DNS resolution of 1 host. at 00:29, 0.03s elapsed
Initiating SYN Stealth Scan at 00:29
Scanning 192.168.1.222 [1000 ports]
Discovered open port 22/tcp on 192.168.1.222
Completed SYN Stealth Scan at 00:29, 4.89s elapsed (1000 total ports)
Initiating Service scan at 00:29
Scanning 1 service on 192.168.1.222
Completed Service scan at 00:29, 0.01s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.1.222
NSE: Script scanning 192.168.1.222.
Initiating NSE at 00:29
Completed NSE at 00:29, 0.06s elapsed
Initiating NSE at 00:29
Completed NSE at 00:29, 0.00s elapsed
Initiating NSE at 00:29
Completed NSE at 00:29, 0.00s elapsed
Nmap scan report for 192.168.1.222
Host is up (0.00028s latency).
Not shown: 988 filtered tcp ports (no-response), 10 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.7 (protocol 2.0)
| ssh-hostkey:
| 256 bb:bd:8d:05:08:4c:18:2b:34:ff:ef:2a:76:2b:e7:9f (ECDSA)
|_ 256 c2:68:1a:b7:1a:97:92:81:1f:06:d3:b0:3c:c5:bc:c1 (ED25519)
9090/tcp closed zeus-admin
MAC Address: 00:0C:29:42:60:34 (VMware)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Uptime guess: 35.317 days (since Sat Nov 12 16:53:42 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms 192.168.1.222
NSE: Script Post-scanning.
Initiating NSE at 00:29
Completed NSE at 00:29, 0.00s elapsed
Initiating NSE at 00:29
Completed NSE at 00:29, 0.00s elapsed
Initiating NSE at 00:29
Completed NSE at 00:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
Raw packets sent: 2018 (90.486KB) | Rcvd: 27 (2.398KB)
nmap -script vuln -T4 192.168.1.101
=================================================
=================================================
5. Web application vulnerability scanning
Web vulnerability scanners:
1. OWASP ZAP
2. AWVS
3. AppScan
4. Nikto
5. Burp Suite
OWASP ZAP is a web application vulnerability scanner developed by the OWASP organization; it is free, open source and continuously updated.
nikto -host <IP address>    targets HTTP servers
sqlmap -u "<injection URL>"
sqlmap -u "<injection URL>" --tables    get the table names
When the admin table shows up:
sqlmap -u "<injection URL>" -T admin --columns
sqlmap -u "<injection URL>" -T admin -C "admin,password" --dump
get the corresponding data
The retrieved data are MD5 hashes.
They can be cracked; it depends on luck.
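As an added example (not from the original notes), the defender's side of the sqlmap steps above: a constructed in-memory `admin` table with `admin` and `password` columns, the string-concatenated query that lets a request value alter the SQL, and the parameterized form that does not.

```python
import hashlib
import sqlite3

# Constructed stand-in for the "admin" table the sqlmap commands above dump:
# columns admin and password, the password stored as an MD5 hex digest.
# (MD5 is kept only to mirror the notes; real password storage needs a salted,
# slow hash such as bcrypt, scrypt or Argon2.)
EXAMPLE_HASH = hashlib.md5(b"example-secret").hexdigest()

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (admin TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (?, ?)", ("admin", EXAMPLE_HASH))
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    """The bug sqlmap automates: the request value is pasted into the SQL text,
    so quotes and operators inside it become part of the query."""
    sql = "SELECT admin, password FROM admin WHERE admin = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Hardened form: the value is bound as a parameter, so the database only
    ever compares it as data and never parses it as SQL."""
    sql = "SELECT admin, password FROM admin WHERE admin = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(username):
    """Row counts returned by the two lookups for the same input."""
    conn = make_db()
    return len(lookup_vulnerable(conn, username)), len(lookup_safe(conn, username))
```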