Passive information gathering

Let's run a quick whois lookup for www.packtpub.com and go through the output. The full record is long, so only the relevant fields are kept:
  
   root@bt:~# whois www.packtpub.com	
   Domain Name: PACKTPUB.COM
   Registrar: EASYDNS TECHNOLOGIES, INC.
   Whois Server: whois.easydns.com
   Referral URL: http://www.easydns.com
   Name Server: NS1.EASYDNS.COM
   Name Server: NS2.EASYDNS.COM
   Name Server: NS3.EASYDNS.ORG
   Name Server: NS6.EASYDNS.NET
   Name Server: REMOTE1.EASYDNS.COM
   Name Server: REMOTE2.EASYDNS.COM
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 09-feb-2011
   Creation Date: 09-may-2003
   Expiration Date: 09-may-2016

The record gives the registrar, the DNS provider (all six name servers are easyDNS hosts), the registrar locks (clientTransferProhibited and clientUpdateProhibited protect the registration against an unauthorised transfer or change) and the creation, update and expiry dates. Next, a dig query for www.packtpub.com:

root@bt:~# dig www.packtpub.com
; <<>> DiG 9.7.0-P1 <<>> www.packtpub.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1583
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

;; QUESTION SECTION:
;www.packtpub.com.   	 IN    A

;; ANSWER SECTION:
www.packtpub.com.    1200    IN    CNAME    packtpub.com.
packtpub.com.   	 1200    IN    A    83.166.169.228

;; AUTHORITY SECTION:
packtpub.com.   	 1200    IN    NS    remote1.easydns.com.
packtpub.com.   	 1200    IN    NS    ns2.easydns.com.
packtpub.com.   	 1200    IN    NS    ns6.easydns.net.
packtpub.com.   	 1200    IN    NS    ns3.easydns.org.
packtpub.com.   	 1200    IN    NS    ns1.easydns.com.
packtpub.com.   	 1200    IN    NS    remote2.easydns.com.

;; ADDITIONAL SECTION:
ns3.easydns.org.    5951    IN    A    64.68.192.10


www.packtpub.com is a CNAME to the zone apex packtpub.com, which resolves to 83.166.169.228; the AUTHORITY section lists the same six easyDNS name servers as the whois record. The nslookup command is nearly as flexible as dig, but its defaults make it easier to identify the core hosts such as mail and name servers (e.g. nslookup -type=MX packtpub.com). A "Non-authoritative answer" means the reply came from the resolver's cache (here 220.226.6.104) rather than from an authoritative server:

root@bt:~# nslookup www.packtpub.com
Server:   	 220.226.6.104
Address:    220.226.6.104#53

Non-authoritative answer:
www.packtpub.com    canonical name = packtpub.com.
Name:    packtpub.com
Address: 83.166.169.228
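As an added example (not code from the original page or from the whois/dig projects), the script below parses whois and dig output of the shape shown above into a recon summary: the registrar, the name-server set and whether it agrees between whois and DNS, the CNAME/A chain, and two heuristics a practitioner usually notes (a single DNS provider, and whether the registrar lock is set). WHOIS_SAMPLE and DIG_SAMPLE are the page's own output embedded as constructed input; the live() helper, which shells out to the real tools, assumes a host with network access and whois/dig on PATH.

```python
"""Parse whois and dig output into a recon summary.

Added example, not code from the original page or from the whois/dig projects.
WHOIS_SAMPLE and DIG_SAMPLE are the page's own output embedded as constructed
input so this runs offline; the single-provider and registrar-lock checks in
summarize() are the author's own heuristics, not features of either tool.
"""
import json
import re
import subprocess

WHOIS_SAMPLE = """\
Domain Name: PACKTPUB.COM
Registrar: EASYDNS TECHNOLOGIES, INC.
Whois Server: whois.easydns.com
Name Server: NS1.EASYDNS.COM
Name Server: NS2.EASYDNS.COM
Name Server: NS3.EASYDNS.ORG
Name Server: NS6.EASYDNS.NET
Name Server: REMOTE1.EASYDNS.COM
Name Server: REMOTE2.EASYDNS.COM
Status: clientTransferProhibited
Status: clientUpdateProhibited
Creation Date: 09-may-2003
Expiration Date: 09-may-2016
"""

DIG_SAMPLE = """\
;; QUESTION SECTION:
;www.packtpub.com.      IN    A

;; ANSWER SECTION:
www.packtpub.com.    1200    IN    CNAME    packtpub.com.
packtpub.com.        1200    IN    A        83.166.169.228

;; AUTHORITY SECTION:
packtpub.com.        1200    IN    NS    remote1.easydns.com.
packtpub.com.        1200    IN    NS    ns2.easydns.com.
packtpub.com.        1200    IN    NS    ns6.easydns.net.
packtpub.com.        1200    IN    NS    ns3.easydns.org.
packtpub.com.        1200    IN    NS    ns1.easydns.com.
packtpub.com.        1200    IN    NS    remote2.easydns.com.

;; ADDITIONAL SECTION:
ns3.easydns.org.     5951    IN    A     64.68.192.10
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
WHOIS_KEYS = {"domain name", "registrar", "creation date", "updated date", "expiration date"}


def parse_whois(text):
    """Pick the registrar, name servers, status locks and dates out of a whois record."""
    info = {"name_servers": [], "status": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server":
            info["name_servers"].append(value.lower().rstrip("."))
        elif key == "status":
            info["status"].append(value.split()[0])  # some registries append a URL after the status
        elif key in WHOIS_KEYS:
            info[key.replace(" ", "_")] = value
    return info


def parse_dig(text):
    """Return every resource record from the ANSWER, AUTHORITY and ADDITIONAL sections."""
    records, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        parts = line.split()
        if len(parts) < 5 or line.startswith(";") or section in (None, "question"):
            continue
        name, ttl, _cls, rtype, *rdata = parts
        records.append({"section": section, "name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "type": rtype, "data": " ".join(rdata).rstrip(".").lower()})
    return records


def provider_label(host):
    """'ns3.easydns.org' -> 'easydns'. Naive (wrong for co.uk-style suffixes) but enough here."""
    return host.split(".")[-2]


def summarize(whois_info, records):
    answers = [r for r in records if r["section"] == "answer"]
    authority_ns = {r["data"] for r in records if r["section"] == "authority" and r["type"] == "NS"}
    whois_ns = set(whois_info["name_servers"])
    providers = {provider_label(ns) for ns in authority_ns | whois_ns}
    return {
        "ips": sorted(r["data"] for r in answers if r["type"] == "A"),
        "cname": {r["name"]: r["data"] for r in answers if r["type"] == "CNAME"},
        "ns_match": authority_ns == whois_ns,  # whois and DNS disagreeing means a stale record or a hijack
        "dns_providers": sorted(providers),
        "single_dns_provider": len(providers) == 1,
        "registrar_locked": "clientTransferProhibited" in whois_info["status"],
        "min_ttl": min(r["ttl"] for r in answers),
    }


def live(domain, host):
    """Same summary from the real tools; assumes network access and whois/dig on PATH."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return summarize(parse_whois(run("whois", domain)), parse_dig(run("dig", host)))


if __name__ == "__main__":
    print(json.dumps(summarize(parse_whois(WHOIS_SAMPLE), parse_dig(DIG_SAMPLE)), indent=2))
```

Run it as-is to see the summary for the embedded sample, or call live("packtpub.com", "www.packtpub.com") on a connected host. A mismatch between the whois name servers and the DNS AUTHORITY set is worth chasing during recon: it usually means the registration data is stale, but it is also what a DNS takeover looks like from the outside.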
=====================================================================

Port scanning with Nmap

nmap can be run straight from msfconsole, which hands the command to the system binary (the [*] exec: line). -sT is a full TCP connect scan: it completes the three-way handshake, so it needs no privileges but shows up in the target's application logs. -p1-10000 limits the scan to the first 10000 TCP ports:

msf > nmap -sT -p1-10000 192.168.56.102
[*] exec: nmap -sT -p1-10000 192.168.56.102


Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 00:03 IST
Nmap scan report for 192.168.56.102
Host is up (0.0058s latency).

Not shown: 9997 closed ports

PORT	STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:34:A8:87

A SYN (half-open) scan, -sS, sends a SYN and judges the port by the SYN/ACK or RST that comes back without ever completing the handshake; it needs raw-socket privileges and, with no -p, covers nmap's default 1000 most common ports:

msf > nmap -sS 192.168.56.102
[*] exec: nmap -sS 192.168.56.102


Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 00:17 IST
Nmap scan report for 192.168.56.102
Host is up (0.0019s latency).

Not shown: 997 closed ports

PORT	STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:34:A8:87 

UDP scan

A UDP scan (-sU, also needs raw sockets) sends an empty datagram to each port: an ICMP port-unreachable reply means closed, an application reply means open, and silence is reported as open|filtered. Most hosts rate-limit ICMP errors, so the scan is slow; restrict it to the ports you care about:

msf > nmap -sU -p9001 192.168.56.102

An ACK scan (-sA) does not find open ports; it maps firewall rules. If the target answers with an RST, the port is unfiltered (reachable); no reply or an ICMP unreachable error means filtered:

msf > nmap -sA 192.168.56.102
[*] exec: nmap -sA 192.168.56.102


Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 00:19 IST
Nmap scan report for 192.168.56.102
Host is up (0.0011s latency).

Not shown: 999 filtered ports

PORT     STATE      SERVICE
9001/tcp unfiltered tor-orport

MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)

OS detection (-O) fingerprints the target's TCP/IP stack; it is most reliable when the scan finds at least one open and one closed port:

msf > nmap -O 192.168.56.102
[*] exec: nmap -O 192.168.56.102


Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 02:25 IST
Nmap scan report for 192.168.56.102
Host is up (0.0014s latency).

MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
Device type: general purpose

Running: Microsoft Windows XP|2003

Another widely used nmap option is service version detection, -sV, which probes every open port to identify the listening software and its version. It can be combined with any of the scan types discussed so far:
msf > nmap -sT -sV 192.168.56.102
[*] exec: nmap -sV 192.168.56.102

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 02:27 IST
Nmap scan report for 192.168.56.102
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT     STATE  SERVICE       VERSION
135/tcp  open   msrpc         Microsoft Windows RPC
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows XP
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
Service Info: OS: Windows
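Scan output is only useful once it drives the next step. The following added example (not from the original page or from nmap) parses nmap's XML output (-oX) into a host/port structure, derives follow-up commands from what was exposed, and diffs a later scan against a baseline to spot newly opened ports. NMAP_XML and NMAP_XML_LATER are constructed files mirroring the host scanned above; the FOLLOW_UPS table and the end-of-life rule are the author's own workflow, not nmap features.

```python
"""Parse nmap -oX output, plan follow-up enumeration and diff against a baseline.

Added example, not part of the original page or of nmap. NMAP_XML is a
constructed -oX file matching the host scanned above; NMAP_XML_LATER is a
constructed later scan of the same host. FOLLOW_UPS and the Windows XP rule
are the author's own workflow.
"""
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.56.102" version="5.51SVN">
<host>
  <status state="up"/>
  <address addr="192.168.56.102" addrtype="ipv4"/>
  <address addr="08:00:27:34:A8:87" addrtype="mac" vendor="Cadmus Computer Systems"/>
  <ports>
    <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
    <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows XP|2003" accuracy="90"/></os>
</host>
</nmaprun>
"""

# Constructed later scan of the same host: 3389/tcp (RDP) has appeared since the baseline.
NMAP_XML_LATER = NMAP_XML.replace(
    "</ports>",
    '<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>\n  </ports>')


def parse_nmap_xml(xml_text):
    """One dict per live host: ip, MAC vendor, OS guess and its open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        if h.find("status").get("state") != "up":
            continue
        mac = h.find("address[@addrtype='mac']")
        osm = h.find("os/osmatch")
        ports = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            ports.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                          "service": svc.get("name", "") if svc is not None else "",
                          "product": svc.get("product", "") if svc is not None else ""})
        hosts.append({"ip": h.find("address[@addrtype='ipv4']").get("addr"),
                      "mac_vendor": mac.get("vendor") if mac is not None else None,
                      "os": osm.get("name") if osm is not None else None,
                      "ports": sorted(ports, key=lambda p: (p["proto"], p["port"]))})
    return hosts


# Author's mapping of exposed services to the enumeration step worth running next.
FOLLOW_UPS = {
    ("tcp", 21): "nmap -p21 --script ftp-anon {ip}",
    ("tcp", 445): "nmap -p445 --script smb-enum-users,smb-enum-shares {ip}",
    ("udp", 161): "msfconsole -q -x 'use auxiliary/scanner/snmp/snmp_enum; set RHOSTS {ip}; run'",
}


def plan_follow_ups(hosts):
    """Commands worth running next, derived from what the scan exposed."""
    plan = []
    for h in hosts:
        for p in h["ports"]:
            tmpl = FOLLOW_UPS.get((p["proto"], p["port"]))
            if tmpl:
                plan.append(tmpl.format(ip=h["ip"]))
        if h["os"] and "Windows XP" in h["os"]:
            plan.append(f"# {h['ip']}: Windows XP is out of support, treat every exposed service as high priority")
    return plan


def open_ports(hosts):
    return {h["ip"]: {(p["proto"], p["port"]) for p in h["ports"]} for h in hosts}


def diff_scans(baseline_xml, current_xml):
    """Ports that opened or closed per host since the baseline scan."""
    before, after = open_ports(parse_nmap_xml(baseline_xml)), open_ports(parse_nmap_xml(current_xml))
    report = {}
    for ip in sorted(set(before) | set(after)):
        b, a = before.get(ip, set()), after.get(ip, set())
        report[ip] = {"opened": sorted(a - b), "closed": sorted(b - a)}
    return report


if __name__ == "__main__":
    hosts = parse_nmap_xml(NMAP_XML)
    print("\n".join(plan_follow_ups(hosts)))
    print(diff_scans(NMAP_XML, NMAP_XML_LATER))
```

Feed it real files with parse_nmap_xml(open("scan.xml").read()); keeping the XML of every scan and diffing against the previous one is the cheapest way to notice a service that was not there last time.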


======================================================================

Distributed port scanning with dnmap

dnmap distributes a list of nmap commands across several client machines. On BackTrack it lives under /pentest/scanners/dnmap, so change into that directory first:

root@bt:~# cd /pentest/scanners/dnmap
root@bt:/pentest/scanners/dnmap#

Create a text file, e.g. commands.txt, with one complete nmap command per line; the server hands each line to the next free client. The two commands below split the port range of a single target (note that both include port 1024; -p1025-10000 for the second avoids scanning it twice):
	nmap -A -Pn -v -p1-1024 192.168.56.103
	nmap -A -Pn -v -p1024-10000 192.168.56.103

Start the dnmap server with that file. It listens on TCP port 46001 by default. Clients run whatever nmap command line the server hands them, as root in this setup (see the IsRoot column in the server's client table further down), so use dnmap only on a network you control:

root@bt:/pentest/scanners/dnmap# python dnmap_server.py -f ~/commands.txt
+----------------------------------------------------------------------+
| dnmap_server Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

=| MET:0:00:30.015147 | Amount of Online clients: 0 |=

Now the client, dnmap_client.py. Its options are:

root@bt:/pentest/scanners/dnmap# python dnmap_client.py -h
+----------------------------------------------------------------------+
| dnmap_server Version 0.6 
|
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |  
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

usage: dnmap_client.py <options>
options:
  -s, --server-ip   IP address of dnmap server.
  -p, --server-port   Port of dnmap server. Dnmap port defaults to 46001
  -a, --alias      Your name alias so we can give credit to you for your help. Optional
  -d, --debug      Debuging.
  -m, --max-rate      Force nmaps commands to use at most this rate. Useful to slow nmap down. Adds the --max-rate parameter.

All the client needs is the server's IP address, the port if it is not the default 46001, and an alias, e.g. client1:

root@bt:/pentest/scanners/dnmap# python dnmap_client.py -s 192.168.129.138 -a client1
+----------------------------------------------------------------------+
| dnmap_server Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

Client Started...
Nmap output files stored in 'nmap_output' directory...
Starting connection...
Client connected succesfully...
Waiting for more commands....
+ No -oA given. We add it anyway so not to lose the results. Added 
-oA 5807742
         Command Executed: nmap -A -Pn -v -p1-1024 192.168.129.138 
-oA 5807742 
         Sending output to the server...
Waiting for more commands....
+ No -oA given. We add it anyway so not to lose the results. Added 
-oA 71264162
         Command Executed: nmap -A -Pn -v -p1024-10000 
192.168.129.138 -oA 71264162
         Sending output to the server...
Waiting for more commands....
^Connection lost. Reason: Connection to the other side was lost in a non-clean fashion: Connection lost.
Trying to reconnect in 10 secs. Please wait...


Back on the server, the client connects, the commands are handed out and the results come back. The server stores them under nmap_results/, one ordinary nmap normal-output file per command, named after the random -oA prefix the client added:

+ Client ID connected: 192.168.56.102:49747 (client1)
=| MET:0:00:55.011100 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime      Version  IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         1               May 23 18:26:27 ( 0' 1")         0h 0m      0.6      True           0.0            0.0       Executing

=| MET:0:01:00.015067 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime      Version  IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         1               May 23 18:26:27 ( 0' 6")         0h 0m      0.6      True           0.0            0.0       Executing

=| MET:0:01:05.014816 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime      Version  IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         1               May 23 18:26:27 ( 0'11")         0h 0m      0.6      True           0.0            0.0       Executing

=| MET:0:01:10.010916 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1        2               May 23 18:26:43 ( 0' 0")         0h 0m          0.6     True           3.8            1.9       Executing

=| MET:0:01:20.014574 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         2               May 23 18:26:43 ( 0'10")         0h 0m          0.6     True           3.8            1.9       Executing

=| MET:0:01:30.010685 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin      Status
client1         2               May 23 18:27:00 ( 0' 4")         0h 0m          0.6     True           3.6            2.5       Online

+ Connection lost for client1 (192.168.56.102:49747).
=| MET:0:01:35.011836 | Amount of Online clients: 0 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin      Status

^Croot@bt:/pentest/scanners/dnmap# ls
dnmap_client.py  dnmap_server.py  nmap_results  README  server.pem
root@bt:/pentest/scanners/dnmap# cd nmap_results/
root@bt:/pentest/scanners/dnmap/nmap_results# ls
5807742.nmap  71264162.nmap
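The commands file above was written by hand and its two port ranges overlap. The added example below (not part of the original page or of dnmap) generates an evenly split, non-overlapping commands file for any number of targets and chunks, and merges the per-command .nmap files the server collects back into one open-port list per host. NMAP_TXT_SAMPLES are constructed fragments of nmap normal output standing in for nmap_results/*.nmap.

```python
"""Build a dnmap commands file that splits the work evenly, and merge the results.

Added example, not part of the original page or of dnmap. port_chunks()
replaces the hand-written, overlapping ranges in commands.txt; merge_results()
reads the normal-output files the server stores under nmap_results/.
NMAP_TXT_SAMPLES are constructed stand-ins for those files.
"""
import glob
import re


def port_chunks(first, last, n):
    """Split the inclusive range first..last into n contiguous chunks with no gaps or overlap."""
    total = last - first + 1
    size, extra = divmod(total, n)
    chunks, start = [], first
    for i in range(n):
        end = start + size - 1 + (1 if i < extra else 0)  # spread the remainder over the first chunks
        chunks.append((start, end))
        start = end + 1
    return chunks


def dnmap_commands(targets, first=1, last=10000, per_target=2, base="-A -Pn -v"):
    """One nmap command per (target, chunk); dnmap hands each line to the next free client."""
    return [f"nmap {base} -p{lo}-{hi} {t}"
            for t in targets for lo, hi in port_chunks(first, last, per_target)]


def write_commands(path, lines):
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


def merge_results(texts):
    """Collect open ports per host from several normal-output (.nmap) scans."""
    merged = {}
    for text in texts:
        host = None
        for line in text.splitlines():
            m = HOST_RE.match(line)
            if m:
                host = m.group(1)
                continue
            m = PORT_RE.match(line)
            if m and host:
                merged.setdefault(host, set()).add((int(m.group(1)), m.group(2), m.group(3)))
    return {h: sorted(p) for h, p in merged.items()}


def merge_result_files(directory="nmap_results"):
    """Merge every .nmap file the dnmap server has collected (assumes the default directory name)."""
    return merge_results(open(f).read() for f in glob.glob(f"{directory}/*.nmap"))


# Constructed fragments of two nmap normal-output files for the same target.
NMAP_TXT_SAMPLES = [
    """Nmap scan report for 192.168.56.103
PORT    STATE SERVICE
135/tcp open  msrpc
445/tcp open  microsoft-ds
""",
    """Nmap scan report for 192.168.56.103
PORT     STATE  SERVICE
3389/tcp open   ms-wbt-server
8080/tcp closed http-proxy
""",
]

if __name__ == "__main__":
    for line in dnmap_commands(["192.168.56.103"]):
        print(line)
    print(merge_results(NMAP_TXT_SAMPLES))
```

write_commands("commands.txt", dnmap_commands(targets, per_target=4)) produces a file the server accepts as-is; with more chunks than clients the server simply queues the extra lines.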
====================================================================================

SMB scanning

nmap's NSE scripts enumerate users and shares over SMB, either directly on 445/tcp or over NetBIOS (139/tcp, with name resolution on 137/udp, which is why the second form adds -sU). On old systems such as the Windows 2000 host below a null session is enough; newer systems need credentials, passed as --script-args smbusername=...,smbpassword=...:

nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

Two output formats are shown: the older one-line summary, and the verbose per-account listing with RIDs and account flags:

Host script results:
|  smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, test1234, TsInternetUser

Host script results:
|  smb-enum-users:
|  |  RON-WIN2K-TEST\Administrator (RID: 500)
|  |  |  Description: Built-in account for administering the computer/domain
|  |  |_ Flags:       Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\Guest (RID: 501)
|  |  |  Description: Built-in account for guest access to the computer/domain
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
|  |  |  Full name:   Internet Guest Account
|  |  |  Description: Built-in account for anonymous access to Internet Information Services
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
|  |  |  Full name:   Launch IIS Process Account
|  |  |  Description: Built-in account for Internet Information Services to start out of process applications
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\test1234 (RID: 1005)
|  |  |_ Flags:       Normal user account
|  |  RON-WIN2K-TEST\TsInternetUser (RID: 1000)
|  |  |  Full name:   TsInternetUser
|  |  |  Description: This user account is used by Terminal Services.
|_ |_ |_ Flags:       Password not required, Password does not expire, Normal user account


smb-enum-shares

nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>

The output lists every share with its type, path and the access granted to the anonymous user and to the current user:

Host script results:
|  smb-enum-shares:
|  |  ADMIN$
|  |  |  Type: STYPE_DISKTREE_HIDDEN
|  |  |  Comment: Remote Admin
|  |  |  Users: 0, Max: <unlimited>
|  |  |  Path: C:\WINNT
|  |  |  Anonymous access: <none>
|  |  |_ Current user ('administrator') access: READ/WRITE
|  |  C$
|  |  |  Type: STYPE_DISKTREE_HIDDEN
|  |  |  Comment: Default share
|  |  |  Users: 0, Max: <unlimited>
|  |  |  Path: C:\
|  |  |  Anonymous access: <none>
|  |  |_ Current user ('administrator') access: READ
|  |  IPC$
|  |  |  Type: STYPE_IPC_HIDDEN
|  |  |  Comment: Remote IPC
|  |  |  Users: 1, Max: <unlimited>
|  |  |  Path:
|  |  |  Anonymous access: READ <not a file share>
|_ |_ |_ Current user ('administrator') access: READ <not a file share>
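Reading these listings by eye does not scale across a subnet. The added example below (not from the original page or from nmap's NSE scripts) parses the smb-enum-users and smb-enum-shares output above and turns it into findings: enabled accounts flagged "Password not required", a renamed built-in Administrator (RID 500), disk shares that allow anonymous access, and an IPC$ that accepts null sessions. USERS_SAMPLE and SHARES_SAMPLE are the script output shown above, embedded so it runs offline; "Password not required" is a flag string the script prints, while "Account disabled" is assumed to be spelled the same way.

```python
"""Turn smb-enum-users / smb-enum-shares output into findings.

Added example, not part of the original page or of nmap's NSE scripts.
USERS_SAMPLE and SHARES_SAMPLE are the script output shown above, embedded so
this runs offline. "Password not required" is a flag string the script prints;
"Account disabled" is assumed to be spelled the same way. Severity rules are the author's.
"""
import re

USERS_SAMPLE = r"""
|  smb-enum-users:
|  |  RON-WIN2K-TEST\Administrator (RID: 500)
|  |  |  Description: Built-in account for administering the computer/domain
|  |  |_ Flags:       Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\Guest (RID: 501)
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
|  |  |  Full name:   Internet Guest Account
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\test1234 (RID: 1005)
|  |  |_ Flags:       Normal user account
|  |  RON-WIN2K-TEST\TsInternetUser (RID: 1000)
|_ |_ |_ Flags:       Password not required, Password does not expire, Normal user account
"""

SHARES_SAMPLE = r"""
|  smb-enum-shares:
|  |  ADMIN$
|  |  |  Type: STYPE_DISKTREE_HIDDEN
|  |  |  Path: C:\WINNT
|  |  |  Anonymous access: <none>
|  |  |_ Current user ('administrator') access: READ/WRITE
|  |  C$
|  |  |  Type: STYPE_DISKTREE_HIDDEN
|  |  |  Path: C:\
|  |  |  Anonymous access: <none>
|  |  |_ Current user ('administrator') access: READ
|  |  IPC$
|  |  |  Type: STYPE_IPC_HIDDEN
|  |  |  Path:
|  |  |  Anonymous access: READ <not a file share>
|_ |_ |_ Current user ('administrator') access: READ <not a file share>
"""

_PREFIX = re.compile(r"^[|_ ]+")  # the tree drawing NSE puts in front of every line
USER_RE = re.compile(r"^(?P<domain>[^\\:]+)\\(?P<name>\S+) \(RID: (?P<rid>\d+)\)$")


def _core(line):
    return _PREFIX.sub("", line).strip()


def parse_users(text):
    """One dict per account: domain, name, rid, flags list and any extra fields."""
    users, cur = [], None
    for line in text.splitlines():
        core = _core(line)
        m = USER_RE.match(core)
        if m:
            cur = {"domain": m["domain"], "name": m["name"], "rid": int(m["rid"]), "flags": []}
            users.append(cur)
        elif cur and ":" in core:
            key, _, val = core.partition(":")
            if key == "Flags":
                cur["flags"] = [f.strip() for f in val.split(",")]
            else:
                cur[key.strip().lower().replace(" ", "_")] = val.strip()
    return users


def parse_shares(text):
    """One dict per share: name, type, path, anonymous_access, current_user_access."""
    shares, cur = [], None
    for line in text.splitlines():
        core = _core(line)
        if not core:
            continue
        if ":" not in core:  # a bare name such as ADMIN$ starts a new share
            cur = {"name": core}
            shares.append(cur)
        elif cur:
            key, _, val = core.partition(":")
            key = "current_user_access" if key.startswith("Current user") else key.strip().lower().replace(" ", "_")
            cur[key] = val.strip()
    return shares


def findings(users, shares):
    out = []
    for u in users:
        flags = set(u["flags"])
        if u["rid"] == 500 and u["name"].lower() != "administrator":
            out.append(f"{u['domain']}\\{u['name']}: RID 500 is the built-in Administrator, renamed")
        if "Password not required" in flags and "Account disabled" not in flags:
            out.append(f"{u['domain']}\\{u['name']} (RID {u['rid']}): enabled and flagged 'Password not required'")
    for s in shares:
        anon = s.get("anonymous_access", "<none>")
        if s["name"] == "IPC$" and anon.startswith("READ"):
            out.append("IPC$: anonymous READ, null sessions allowed (unauthenticated enumeration works)")
        elif "DISKTREE" in s.get("type", "") and anon != "<none>":
            out.append(f"{s['name']} ({s.get('path', '')}): anonymous access {anon}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(parse_users(USERS_SAMPLE), parse_shares(SHARES_SAMPLE))))
```

Point it at the saved output of a subnet-wide run (nmap -oN) and the accounts that log in without a password and the shares readable by anyone fall out in one list; the RID check matters because renaming Administrator is a common "hardening" step that hides nothing from SMB enumeration.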
=========================================================================================


FTP scanning

The ftp-anon script checks whether anonymous login is allowed; --open keeps only hosts with port 21 open and -oN writes the normal output to a file. Scan only ranges you are authorised to test:

nmap -p 21 -v -oN results.txt --open --script ftp-anon 192.168.1.0/24
========================================================================================

SNMP sweeping

The auxiliary/scanner/snmp/snmp_enum module queries an SNMP agent with a given community string (COMMUNITY, default public) and dumps everything it exposes. Set RHOSTS to the target and run it; note that the community string travels in clear text and, for SNMPv1/v2c, is the only credential:

msf  auxiliary(snmp_enum) > run
[+] 172.16.194.172, Connected.
[*] System information:
Host IP                       : 172.16.194.172
Hostname                      : metasploitable
Description                   : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Contact                       : msfdev@metasploit.com
Location                      : Metasploit Lab
Uptime snmp                   : 02:35:38.71
Uptime system                 : 00:20:13.21
System date                   : 2012-7-9 18:11:11.0
[*] Network information:
IP forwarding enabled         : no
Default TTL                   : 64
TCP segments received         : 19
TCP segments sent             : 21
TCP segments retrans          : 0
Input datagrams               : 5055
Delivered datagrams           : 5050
Output datagrams              : 4527
...output trimmed...
[*] Device information:
Id                  Type                Status              Descr               
768                 Processor           unknown             GenuineIntel: Intel(R) Core(TM) i7-2860QM CPU @ 2.50GHz
1025                Network             unknown             network interface lo
1026                Network             unknown             network interface eth0
1552                Disk Storage        unknown             SCSI disk (/dev/sda)
3072                Coprocessor         unknown             Guessing that there's a floating point co-processor
[*] Processes:
Id                  Status              Name                Path                Parameters          
1                   runnable            init                /sbin/init                              
2                   runnable            kthreadd            kthreadd                                
3                   runnable            migration/0         migration/0                             
4                   runnable            ksoftirqd/0         ksoftirqd/0                             
5                   runnable            watchdog/0          watchdog/0                              
6                   runnable            events/0            events/0                                
7                   runnable            khelper             khelper                                 
41                  runnable            kblockd/0           kblockd/0                               
68                  runnable            kseriod             kseriod       
...output trimmed...
5696                runnable            su                  su                                      
5697                runnable            bash                bash                                    
5747                running             snmpd               snmpd                                   
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
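To see what snmp_enum actually puts on the wire, here is an added example (not code from the original page or from Metasploit) with a minimal SNMPv1 encoder/decoder: build_get() produces the GetRequest for sysDescr with the community string in clear text, parse_message() decodes the agent's reply, and sweep() tries a list of community strings against a list of hosts, the same idea as Metasploit's snmp_login module. snmp_get() and sweep() need network access and are only called by the user; the reply constructed under __main__ stands in for a real agent.

```python
"""Hand-rolled SNMPv1 GET and a community-string sweep.

Added example, not part of the original page or of Metasploit. tlv(),
build_message() and parse_message() are this example's own minimal BER codec
(SNMPv1 only, no error handling for malformed input). snmp_get() and sweep()
need network access and are never called on import; the reply built under
__main__ is constructed to look like a metasploitable agent's answer.
"""
import random
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def tlv(tag, body):
    """BER tag-length-value; long-form length once the body reaches 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def encode_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    ids = [int(x) for x in dotted.split(".")]
    return tlv(0x06, bytes([ids[0] * 40 + ids[1]]) + b"".join(_base128(i) for i in ids[2:]))


def build_message(pdu_tag, community, request_id, varbinds):
    """varbinds: list of (oid, encoded value TLV). Version 0 is SNMPv1; the community is plain text."""
    vbl = b"".join(tlv(0x30, encode_oid(o) + v) for o, v in varbinds)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))


def build_get(community, oid, request_id):
    return build_message(GET_REQUEST, community, request_id, [(oid, tlv(0x05, b""))])


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(map(str, ids))


def decode_value(tag, body):
    if tag == 0x04:
        return body.decode("utf-8", "replace")
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    if tag in (0x41, 0x42, 0x43):  # Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big")
    if tag == 0x05:
        return None
    return body


def parse_message(data):
    _, msg, _ = read_tlv(data, 0)
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, err, pos = read_tlv(pdu, pos)
    _, _, pos = read_tlv(pdu, pos)  # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        varbinds.append((decode_oid(oid), decode_value(vtag, val)))
    return {"version": decode_value(0x02, ver), "community": community.decode(), "pdu": pdu_tag,
            "request_id": decode_value(0x02, rid), "error_status": decode_value(0x02, err),
            "varbinds": varbinds}


def snmp_get(host, community, oid=SYS_DESCR, timeout=2.0):
    """Live query (needs network). None means no reply: wrong community or no agent at all."""
    request_id = random.randrange(1, 2**31)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, oid, request_id), (host, 161))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    msg = parse_message(data)
    if msg["request_id"] != request_id or msg["error_status"] != 0:
        return None
    return msg["varbinds"]


def sweep(hosts, communities=("public", "private")):
    """First community that gets sysDescr out of each host; a v1 agent silently drops the wrong ones."""
    hits = {}
    for host in hosts:
        for community in communities:
            vb = snmp_get(host, community)
            if vb:
                hits[host] = (community, vb[0][1])
                break
    return hits


if __name__ == "__main__":
    reply = build_message(GET_RESPONSE, "public", 1,
                          [(SYS_DESCR, tlv(0x04, b"Linux metasploitable 2.6.24-16-server"))])
    print(build_get("public", SYS_DESCR, 1).hex())
    print(parse_message(reply))
```

The hex printed for the request shows the community string as the bytes 70 75 62 6c 69 63 ("public") right after the version; anyone on the path sees it, which is why a sweep like this is both an attacker's first move and the defender's reason to change the defaults, restrict agents to known managers, or move to SNMPv3.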
==================================================================================

Vulnerability scanning with Nessus

Connect msfconsole to its database first (so that imported results land there), then load the Nessus plugin:

msf > db_connect msf3:8b826ac0@127.0.0.1:7175/msf3
msf > load nessus

[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus

Connect to the Nessus server with its own credentials; the trailing ok accepts the server's self-signed certificate:

msf > nessus_connect root:toor@localhost ok
[*] Connecting to https://127.0.0.1:8834/ as root
[*] Authenticated

Start a scan from an existing policy (policy ID 1 here), giving it a name and the target:

msf > nessus_scan_new 1 testscan 192.168.56.102
[*] Creating scan from policy number 1, called "testscan" and scanning 192.168.56.102
[*] Scan started.  uid is 9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f

msf > nessus_report_list
[+] Nessus Report List

ID                                                    Name      Status
--                                                    ----      ------
9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f  testscan  completed

Once the status is completed, import the report into the msf database, where its hosts, services and vulns become available to the other commands:

msf > nessus_report_get 9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f
[*] importing 9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f
===========================================================================

Scanning with NeXpose

The NeXpose plugin works the same way: connect to the database, load the plugin and log in to the NeXpose console (again, ok accepts the self-signed certificate):

msf > db_connect msf3:8b826ac0@127.0.0.1:7175/msf3 

msf > load nexpose

msf > nexpose_connect darklord:toor@localhost ok

[*] Connecting to NeXpose instance at 127.0.0.1:3780 with username darklord...


Let's run a quick discovery scan of the target with NeXpose. The results go straight into the msf database, so hosts shows the operating system it identified:

msf > nexpose_discover 192.168.56.102

[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses


msf > hosts -c address,os_name,os_flavor
Hosts
=====
address         os_name            os_flavor
-------         -------            ---------
192.168.56.102  Microsoft Windows     XP
A report exported from the NeXpose console as XML can be imported into the same database with db_import:

msf > db_import /root/nexposelist.xml
[*] Importing 'Nexpose XML (v2)' data
[*] Importing host 192.168.56.102
[*] Successfully imported /root/nexposelist.xml
====================================================================