Scanning target services
Scanning techniques
- Port scanning: a SYN scan is used by default
- Service identification: probe packets are sent and the service is confirmed from the returned values
- Version identification: probe packets are sent and the returned packet contents are analysed to determine the service version
Service scan: -sV
# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE          VERSION
80/tcp   open  http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp  open  msrpc            Microsoft Windows RPC
139/tcp  open  netbios-ssn      Microsoft Windows netbios-ssn
443/tcp  open  ssl/http         Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth  VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth      VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s         Microsoft SQL Server 2014 12.00.2269
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
3306/tcp open  mysql            MariaDB (unauthorized)
5555/tcp open  freeciv?
8009/tcp open  ajp13            Apache Jserv (Protocol v1.3)
8080/tcp open  http             Apache Tomcat/Coyote JSP engine 1.1
8100/tcp open  http             Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
=====NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port3000-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Wed,\x2015\x20Jun\x202022\x2002:20
SF::09\x20GMT\r\nContent-Length:\x2029\r\n\r\n
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20We
SF:d,\x2015\x20Jun\x202022\x2002:20:14\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
SF:\x20mode=block\r\nDate:\x20Wed,\x2015\x20Jun\x202022\x2002:20:40\x20GMT
SF:\r\nContent-Length:\x2029\r\n\r\nFound\.\n\n"
SF:);
===NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port5555-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,138,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20no-cache\r\
SF:nPragma:\x20no-cache\r\nExpires:\x200\r\ncharset:\x20UTF8\r\nX-Frame-Op
SF:tions:\x20DENY\r\nX-XSS-Protection:\x201;\x20mode=block\r\nX-Content-Ty
SF:pe-Options:\x20nosniff\r\nContent-Type:\x20text/html\r\n\r\n{\"STATUS\"
SF::\x20\"REDIRECT\",\x20\"RESPONSE\":\x20\"mlogin\.html\",\x20\"ExtendedR
SF:esponse\":\x20\[{\"last_notification_change_ts\"\x20:\x20\"\"}\]}")%r(G
SF:etRequest,2D,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20mlogin\.html\r\
SF:n\r\n")%r(HTTPOptions,2D,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20mlo
SF:gin\.html\r\n\r\n")%r(RTSPRequest,2D,"HTTP/1\.0\x20302\x20Found\r\nLoca
SF:tion:\x20mlogin\.html\r\n\r\n")%r(FourOhFourRequest,6E,"HTTP/1\.1\x2040
SF:4\x20Not\x20Found\r\nCache-Control:\x20max-age=3600,\x20must-revalidate
SF:\r\nExpires:\x20Thu,\x2015\x20Jun\x202023\x2002:21:07\x20GMT\r\n")%r(SI
SF:POptions,138,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20no-cache\r\nP
SF:ragma:\x20no-cache\r\nExpires:\x200\r\ncharset:\x20UTF8\r\nX-Frame-Opti
SF:ons:\x20DENY\r\nX-XSS-Protection:\x201;\x20mode=block\r\nX-Content-Type
SF:-Options:\x20nosniff\r\nContent-Type:\x20text/html\r\n\r\n{\"STATUS\":\
SF:x20\"REDIRECT\",\x20\"RESPONSE\":\x20\"mlogin\.html\",\x20\"ExtendedRes
SF:ponse\":\x20\[{\"last_notification_change_ts\"\x20:\x20\"\"}\]}");
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds
Saving the scan results as an XML file (-oX filename)
# nmap -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
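As an added example (written for these notes, not code from the original page or from nmap), the following Python script reads the XML that -oX writes and turns the -sV result into an inventory of open ports with product and version. It also lists the open ports whose service nmap only guessed from the port number or could not version (the entries shown as "name?" or "(unauthorized)" in the -sV output above); those are the ones to verify by hand and the first candidates for being closed. The embedded XML is a constructed sample in the shape of nmap's XML output (port/state/service elements and their attributes), not the nmap.xml produced by the scan above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap -oX writes (element and attribute names
# follow nmap's XML output); this is NOT the nmap.xml from the scan in the notes.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap.xml 192.168.0.106" version="7.92">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.106" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft HTTPAPI httpd" version="2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.23" tunnel="ssl" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MariaDB" extrainfo="unauthorized" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="5555">
        <state state="open" reason="syn-ack"/>
        <service name="freeciv" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed" reason="reset"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: address, port, proto, state and service fields."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            rows.append({
                "address": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state_el.get("state") if state_el is not None else None,
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "tunnel": get("tunnel"),
                # "probed": a version probe matched; "table": nmap only guessed from
                # the port number (printed as "name?" in the text output)
                "method": get("method"),
            })
    return rows


def open_services(rows):
    return [r for r in rows if r["state"] == "open"]


def needs_manual_check(rows):
    """Open ports whose service was only guessed or carries no version string."""
    return [r for r in open_services(rows)
            if r["method"] != "probed" or not r["version"]]


def inventory_lines(rows):
    """One line per open port, e.g. '443/tcp ssl/http Apache httpd 2.4.23'."""
    out = []
    for r in open_services(rows):
        svc = f"{r['tunnel']}/{r['service']}" if r["tunnel"] else r["service"]
        ver = " ".join(x for x in (r["product"], r["version"]) if x)
        out.append(f"{r['port']}/{r['proto']} {svc} {ver}".rstrip())
    return out


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    for line in inventory_lines(rows):
        print(line)
    print("verify manually:", [r["port"] for r in needs_manual_check(rows)])
```

To use it on a real scan, replace SAMPLE_NMAP_XML with the contents of nmap.xml; keeping the XML rather than the text output is what makes this kind of diffing between scans reproducible.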
Scanning web servers
Software composition of a web server (top layer to bottom):
- The application written in-house (internal)
- Programming language: PHP, JSP, ASP, ASP.NET (internal)
- Web server: IIS, Apache, Nginx, Tomcat (external)
- Operating system: Windows, Linux (external)
Scanning the directory structure with dirb
# dirb http://192.168.0.106:8080/sec/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Jun 15 10:34:09 2022
URL_BASE: http://192.168.0.106:8080/sec/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.0.106:8080/sec/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/1/
==> DIRECTORY: http://192.168.0.106:8080/sec/10/
==> DIRECTORY: http://192.168.0.106:8080/sec/13/
==> DIRECTORY: http://192.168.0.106:8080/sec/14/
==> DIRECTORY: http://192.168.0.106:8080/sec/15/
==> DIRECTORY: http://192.168.0.106:8080/sec/2/
==> DIRECTORY: http://192.168.0.106:8080/sec/20/
==> DIRECTORY: http://192.168.0.106:8080/sec/21/
==> DIRECTORY: http://192.168.0.106:8080/sec/22/
==> DIRECTORY: http://192.168.0.106:8080/sec/23/
==> DIRECTORY: http://192.168.0.106:8080/sec/24/
==> DIRECTORY: http://192.168.0.106:8080/sec/25/
==> DIRECTORY: http://192.168.0.106:8080/sec/3/
==> DIRECTORY: http://192.168.0.106:8080/sec/30/
==> DIRECTORY: http://192.168.0.106:8080/sec/32/
==> DIRECTORY: http://192.168.0.106:8080/sec/4/
==> DIRECTORY: http://192.168.0.106:8080/sec/42/
==> DIRECTORY: http://192.168.0.106:8080/sec/5/
==> DIRECTORY: http://192.168.0.106:8080/sec/7/
==> DIRECTORY: http://192.168.0.106:8080/sec/8/
==> DIRECTORY: http://192.168.0.106:8080/sec/9/
==> DIRECTORY: http://192.168.0.106:8080/sec/css/
==> DIRECTORY: http://192.168.0.106:8080/sec/upload/
+ http://192.168.0.106:8080/sec/web.xml (CODE:200|SIZE:1189)
==> DIRECTORY: http://192.168.0.106:8080/sec/WEB-INF/

---- Entering directory: http://192.168.0.106:8080/sec/1/ ----
+ http://192.168.0.106:8080/sec/1/index.htm (CODE:200|SIZE:248)
==> DIRECTORY: http://192.168.0.106:8080/sec/1/js/
==> DIRECTORY: http://192.168.0.106:8080/sec/1/jsp/

---- Entering directory: http://192.168.0.106:8080/sec/10/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/10/img/
+ http://192.168.0.106:8080/sec/10/index.html (CODE:200|SIZE:1107)
==> DIRECTORY: http://192.168.0.106:8080/sec/10/jsp/
…
---- Entering directory: http://192.168.0.106:8080/sec/1/js/ ----
---- Entering directory: http://192.168.0.106:8080/sec/1/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/10/img/ ----
---- Entering directory: http://192.168.0.106:8080/sec/10/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/13/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/15/image/ ----
---- Entering directory: http://192.168.0.106:8080/sec/20/js/ ----
---- Entering directory: http://192.168.0.106:8080/sec/20/jsp/ ----
…
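Added example, not from the original notes or from dirb: a Python parser for dirb's "+ url (CODE:..|SIZE:..)" and "==> DIRECTORY:" lines that then flags the paths a hardened deployment should not be serving. The pattern list is limited to what dirb and nmap's http-enum report on this page (WEB-INF, web.xml, upload/, the Tomcat manager, server-status/server-info, examples/); the input is a constructed excerpt in the shape of the dirb output above. The security-relevant hit in that output is web.xml answering with CODE:200: the deployment descriptor normally lives inside WEB-INF, which the servlet container refuses to serve, so a readable copy means it was placed (or copied) outside that directory.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the shape of dirb's output (not the full listing above).
SAMPLE_DIRB_OUTPUT = """\
==> DIRECTORY: http://192.168.0.106:8080/sec/css/
==> DIRECTORY: http://192.168.0.106:8080/sec/upload/
+ http://192.168.0.106:8080/sec/web.xml (CODE:200|SIZE:1189)
==> DIRECTORY: http://192.168.0.106:8080/sec/WEB-INF/
---- Entering directory: http://192.168.0.106:8080/sec/1/ ----
+ http://192.168.0.106:8080/sec/1/index.htm (CODE:200|SIZE:248)
==> DIRECTORY: http://192.168.0.106:8080/sec/1/jsp/
"""

FILE_RE = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)")
DIR_RE = re.compile(r"^==> DIRECTORY: (\S+)")

# Paths a hardened deployment should not expose. Only names that dirb or
# http-enum report in these notes are listed; extend for your own environment.
SENSITIVE_PATTERNS = {
    "/WEB-INF/": "servlet container must refuse WEB-INF (descriptors, classes)",
    "/web.xml": "deployment descriptor readable: reveals servlet mappings and auth config",
    "/upload/": "upload directory browsable: make sure it is neither listable nor executable",
    "/manager/html": "Tomcat manager reachable: restrict by source address and credentials",
    "/server-status": "Apache mod_status page exposed",
    "/server-info": "Apache mod_info page exposed",
    "/examples/": "sample applications shipped with the server should be removed",
}


def parse_dirb(text):
    """Split dirb output into found files (with status code and size) and directories."""
    files, dirs = [], []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files.append({"url": m.group(1), "code": int(m.group(2)), "size": int(m.group(3))})
            continue
        m = DIR_RE.match(line)
        if m:
            dirs.append(m.group(1))
    return files, dirs


def flag_exposures(files, dirs):
    """Return every found file or directory whose path matches a sensitive pattern."""
    findings = []
    candidates = [(f["url"], f["code"]) for f in files] + [(d, None) for d in dirs]
    for url, code in candidates:
        path = urlparse(url).path
        for pattern, why in SENSITIVE_PATTERNS.items():
            if pattern.lower() in path.lower():
                findings.append({"url": url, "code": code, "reason": why})
    return findings


if __name__ == "__main__":
    files, dirs = parse_dirb(SAMPLE_DIRB_OUTPUT)
    for f in flag_exposures(files, dirs):
        print(f["code"], f["url"], "-", f["reason"])
```

Pipe a saved dirb run into the parser (dirb -o writes the same lines to a file) and review the flagged list before the rest of the directory tree.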
Scanning the web server with whatweb
# whatweb http://192.168.0.106:8080/sec/
http://192.168.0.106:8080/sec/ [200 OK] Apache, Cookies[JSESSIONID], Country[RESERVED][ZZ], HTTPServer[Apache-Coyote/1.1], HttpOnly[JSESSIONID], IP[192.168.0.106], Java, Title[WEB 安全测试实验]
Scanning for operating-system vulnerabilities
Scanning for a specific vulnerability (one NSE script)
# nmap --script ftp-vsftpd-backdoor 192.168.0.106
[*] exec: nmap --script ftp-vsftpd-backdoor 192.168.0.106

Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:16 CST
Nmap scan report for 192.168.0.106
Host is up (0.00099s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds
Scanning for vulnerabilities by script category
Basic usage: --script vuln
NSE script directory: /usr/share/nmap/scripts
# nmap --script vuln 192.168.0.106
[*] exec: nmap --script vuln 192.168.0.106

Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
| http-enum:
|   /reportserver/: Microsoft SQL Report Service (401 Unauthorized)
|_  /reports/: Potentially interesting folder (401 Unauthorized)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_http-trace: TRACE is enabled
| http-enum:
|   /examples/: Sample scripts
|   /test.php: Test page
|   /PMA/: phpMyAdmin
|   /pma/: phpMyAdmin
|   /active/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
|   /demo/: Potentially interesting folder
|   /icons/: Potentially interesting folder w/ directory listing
|   /img/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
|   /sec/: Potentially interesting folder
|   /server-info/: Potentially interesting folder
|_  /server-status/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|     References:
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://www.securityfocus.com/bid/70574
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
|   /examples/: Sample scripts
|   /test.html: Test page
|   /manager/html/upload: Apache Tomcat (401 Unauthorized)
|   /manager/html: Apache Tomcat (401 Unauthorized)
|   /docs/: Potentially interesting folder
|_  /sec/: Potentially interesting folder
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 329.10 seconds
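As an added example (written for these notes, not part of the original page or of nmap), the following Python script turns the text that --script vuln prints into one finding per script per port: the script name, its State line, any CVE ids it mentions, and whether it ended in "ERROR: Script execution failed". That last group matters for triage: a script that crashed is not a negative result and has to be re-run with -d before the port is written off as clean. The sample input is a constructed excerpt in the shape of the output above, trimmed to three ports and to findings that appear on this page.

```python
import re

# Constructed excerpt in the shape of `nmap --script vuln` output (not the full
# scan above); the script names, states and CVE ids are the ones the notes show.
SAMPLE_VULN_OUTPUT = """\
PORT     STATE SERVICE
443/tcp  open  https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|     Modulus Length: 1024
|     References:
|_      https://weakdh.org
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
1433/tcp open  ms-sql-s
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\w+)\s+(\S+)")
# A script header is "| name:" or "|_name:" with the name directly after the bar;
# indented lines such as "|   VULNERABLE:" do not match.
SCRIPT_RE = re.compile(r"^\|[ _]([A-Za-z0-9-]+):\s*(.*)$")
STATE_RE = re.compile(r"^\|\s+State:\s*(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_vuln_output(text):
    """One dict per script result: port, script, state, cves, error."""
    findings = []
    current_port = None
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current_port = m.group(1)
            current = None
            continue
        m = SCRIPT_RE.match(line)
        if m:
            name, rest = m.groups()
            current = {"port": current_port, "script": name, "state": None,
                       "cves": [], "error": rest.startswith("ERROR:")}
            findings.append(current)
        if current is None:
            continue  # port line with no script output yet
        m = STATE_RE.match(line)
        if m:
            current["state"] = m.group(1)
        for cve in CVE_RE.findall(line):  # IDs line and reference URLs
            if cve not in current["cves"]:
                current["cves"].append(cve)
    return findings


def vulnerable(findings):
    """Findings whose State is VULNERABLE or LIKELY VULNERABLE."""
    return [f for f in findings if f["state"] and "VULNERABLE" in f["state"]]


def script_errors(findings):
    """(port, script) pairs that crashed and must be re-run with -d."""
    return [(f["port"], f["script"]) for f in findings if f["error"]]


def all_cves(findings):
    return sorted({c for f in vulnerable(findings) for c in f["cves"]})


if __name__ == "__main__":
    fs = parse_vuln_output(SAMPLE_VULN_OUTPUT)
    for f in vulnerable(fs):
        print(f["port"], f["script"], f["state"], ",".join(f["cves"]))
    print("re-run with -d:", script_errors(fs))
```

Save the scan with -oN and feed the file to parse_vuln_output; the sorted CVE list is what goes into the ticket, and the error list is what goes back into the next scan.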
Scanning with the third-party vulscan scripts
Installation
# cd /usr/share/nmap/scripts
# git clone https://github.com/scipag/vulscan.git
A new vulscan directory now appears under the scripts directory.
Updating the vulnerability databases
# cd /usr/share/nmap/scripts/vulscan/utilities/updater
# chmod +x updateFiles.sh
# ./updateFiles.sh
The update is very slow.
Usage
-sV is mandatory, because vulscan matches the detected product and version strings against its databases.
Scan against all databases
# nmap --script=vulscan/vulscan.nse -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:50 CST
Scan against a single CSV database only
# nmap --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv -sV 192.168.0.106
Dedicated vulnerability scanners
- Rapid7 Nexpose (commercial, partly free)
- Tenable Nessus (commercial, partly free)
- OpenVAS (completely free)
Scanning web applications
2017 OWASP Top 10

| No. | Name | Exploitability | Prevalence | Detectability | Technical impact |
|-----|------|----------------|------------|---------------|------------------|
| A1 | Injection | 3 | 2 | 3 | 3 |
| A2 | Broken Authentication | 3 | 2 | 2 | 3 |
| A3 | Sensitive Data Exposure | 2 | 3 | 2 | 3 |
| A4 | XML External Entities (XXE) | 2 | 2 | 3 | 3 |
| A5 | Broken Access Control | 2 | 2 | 2 | 3 |
| A6 | Security Misconfiguration | 3 | 3 | 3 | 2 |
| A7 | Cross-Site Scripting (XSS) | 3 | 3 | 3 | 2 |
| A8 | Insecure Deserialization | 1 | 2 | 2 | 3 |
| A9 | Using Components with Known Vulnerabilities | 2 | 3 | 2 | 2 |
| A10 | Insufficient Logging and Monitoring | 2 | 3 | 1 | 2 |
Using Zaproxy
# apt install zaproxy
# zaproxy
PHP code audit tool: RIPS
To scan a PHP program, download rips-0.55, place it under htdocs, and open it at http://IP/rips-0.55/
Scanning with Netcat
Checking a specific port
# nc -v 192.168.0.106 8080
192.168.0.106: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.106] 8080 (http-alt) open