1,Nmap
Nmap is the representative tool for port scanning and vulnerability assessment.
/usr/share/nmap
# nmap -v
Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-14 17:27 UTC
Common options:
-sT: TCP connect (full open) scan
-sS: TCP half-open (SYN) scan; the handshake is never completed
-sF: TCP FIN scan, probing with FIN packets
-sN: TCP NULL scan, probing with packets that have no flags set
-sX: TCP Xmas scan, probing with packets that have FIN, PSH and URG set
-sP: ping scan, checks which hosts are up
-sU: UDP port scan
-O: identify the target host's operating system
Example:
# nmap -sT -p22 121.42.27.192
# nmap -sS -p 80,8080,8081,8082,8088,9000 192.168.1.0/24 -oA file.xml
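Once a scan has been saved with -oA (or -oX), the .xml file is the easiest form to process. The following script is an added example, not part of the original post: it parses a constructed Nmap XML fragment (made-up addresses and ports), builds an inventory of open ports per host, and compares it with an allowlist so that ports nobody expected to be open stand out. The baseline dictionary and the sample XML are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (the .xml file written by -oA, or the
# output of -oX). Addresses and ports are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 22,80,3306 -oX scan.xml 192.0.2.0/30" version="7.01">
  <host>
    <status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed allowlist for the demo: which ports each host is supposed to expose.
BASELINE = {"192.0.2.1": {22, 80}, "192.0.2.2": {22}}


def parse_open_ports(xml_text):
    """Return {ip: [(port, protocol, service), ...]} for every port Nmap
    reported as open on a host that is up. Closed/filtered ports are skipped."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        inventory[ip] = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            inventory[ip].append((int(port.get("portid")), port.get("protocol"), name))
    return inventory


def unexpected_ports(inventory, baseline):
    """Compare the inventory with an allowlist {ip: {port, ...}} and return
    (ip, port, protocol, service) for open ports that are not in the allowlist,
    i.e. the ones to investigate or firewall off."""
    findings = []
    for ip, ports in inventory.items():
        allowed = baseline.get(ip, set())
        for port, proto, service in ports:
            if port not in allowed:
                findings.append((ip, port, proto, service))
    return findings


if __name__ == "__main__":
    inv = parse_open_ports(SAMPLE_XML)
    for ip, port, proto, service in unexpected_ports(inv, BASELINE):
        print(f"{ip}: {port}/{proto} ({service}) is open but not in the baseline")
```

Run it as-is to see the constructed finding (the MySQL port on the second host); for a real scan, replace SAMPLE_XML with the contents of the file written by -oA and keep BASELINE in sync with what each host is meant to expose.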
2,Nmap NSE
The Nmap Scripting Engine (NSE) makes Nmap far more powerful and flexible: besides collecting NFS, SMB and RPC information, its scripts can perform DNS lookups, whois queries, detection of backdoors installed on servers in other network ranges, vulnerability checks and many other tasks.
/usr/share/nmap/scripts is where all the scripts are stored. A script is run with nmap --script=scriptname.
# nmap --script-updatedb updates the script database.
http://nmap.org/nsedoc/lib/nmap.html
Example:
# nmap --script=default www.mrliangqi.com
Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-14 17:32 UTC
Nmap scan report for www.mrliangqi.com (121.42.27.192)
Host is up (0.063s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 1024 b8:0f:34:1b:4d:a2:88:0e:ef:ad:5d:81:5f:b1:9d:cf (DSA)
|_ 2048 84:75:c3:3b:67:a7:9e:92:c1:d4:df:a1:5d:80:c3:89 (RSA)
80/tcp open http
|_http-title: Waf\xE9\x98\xB2\xE7\x81\xAB\xE5\xA2\x99
139/tcp filtered netbios-ssn
443/tcp open https
|_http-title: Waf\xE9\x98\xB2\xE7\x81\xAB\xE5\xA2\x99
| ssl-cert: Subject: commonName=mrliangqi.com
| Not valid before: 2016-04-28T09:23:49
|_Not valid after: 2018-04-28T09:23:49
|_ssl-date: 2016-05-14T09:32:21+00:00; -8h00m05s from scanner time.
| tls-nextprotoneg:
|_ http/1.1
1720/tcp filtered h323q931
3306/tcp open mysql
| mysql-info:
| Protocol: 53
| Version: .6.29
| Thread ID: 135524
| Capabilities flags: 63487
| Some Capabilities: IgnoreSigpipes, ConnectWithDatabase, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, SupportsTransactions, Support41Auth, InteractiveClient, IgnoreSpaceBeforeParenthesis, FoundRows, LongPassword, ODBCClient, SupportsCompression, Speaks41ProtocolNew, SupportsLoadDataLocal, LongColumnFlag
| Status: Autocommit
|_ Salt: Qv!=PXJL}Q[Ux{%AXudu
3,Dmitry
DMitry is a simple command-line application, written in C, that gathers as much information as possible about a host on Linux. Its basic functions are retrieving uptime reports, TCP port scan results and simple whois lookups to obtain information about the target host.
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to the file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
-f Perform a TCP port scan on a host, showing output reporting filtered ports
-b Read in the banner received from the scanned port
-t 0-9 Set the TTL in seconds when scanning a TCP port (default 2); requires the -p flag to be passed
Example:
# dmitry -p 5 www.mrliangqi.com
4,Wafw00f (check whether an IDS/IPS is in place)
wafw00f is a Python script that detects whether a web server is protected by a WAF. Knowing this not only helps shape the testing strategy, it also makes it possible to develop advanced WAF-bypass applications.
Options:
-h, --help            show this help message and exit
-v, --verbose         enable verbosity - multiple -v options increase verbosity
-a, --findall         Find all WAFs, do not stop testing on the first one
-r, --disableredirect Do not follow redirections given by 3xx responses
-t TEST, --test=TEST  Test for one specific WAF
-l, --list            List all WAFs that we are able to detect
--xmlrpc              Switch on the XML-RPC interface instead of CUI
--xmlrpcport=XMLRPCPORT
                      Specify an alternative port to listen on, default 8001
-V, --version         Print out the version
Example:
# wafw00f www.mrliangqi.com
^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.’ \ / __////7/ /,’ \ ,’ \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,’/_n_//_/ |_n_,’ \_,’ \_,’/_/
< …’
WAFW00F – Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique
Checking http://www.mrliangqi.com
Generic Detection results:
No WAF detected by the generic detection    # when this line appears, no WAF was found; it does not seem very accurate, though
Number of requests: 14
5,UA-tester (collecting web service information)
UA-tester is a penetration-testing Python script that compares a web server's response headers across a list of user-agent strings.
Usage:
-u / --url      Complete URL
-f / --file     <Path to User Agent file>
-s / --single   provide single user-agent string
-d / --default  Select the UA String type(s) to check.
-o / --output   <Path to output file> CSV formatted output
-v / --verbose  Verbose results (recommended)
--debug         See debug messages (This isn't the switch you're looking for)
Example:
# ua-tester -d -m -u www.mrliangqi.com
More examples:
./UATester.py -u www.example.com -f ./useragentlist.txt -v
./UATester.py -u https://www.wordpress.com
./UATester.py -u http://www.defaultserver.com -v --debug
./UATester.py -u facebook.com -v -d MDBX
./UATester.py -u https://www.google.com -s "MySpecialUserAgent"
./UATester.py -u blog.c22.cc -d MC -o ./output.csv
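The idea behind UA-tester is that a server answering differently depending on the User-Agent header (mobile redirects, bot blocking, extra fingerprint headers) is worth knowing about, whether you are testing it or defending it. The script below is an added example and not UA-tester's own code: it diffs each response (status and headers) against a baseline user-agent. The user-agent list and the sample responses are constructed so the comparison runs offline; the fetch helper, which uses urllib and deliberately does not follow redirects so that a 3xx answer is observed as such, is only there for live use and is an assumption about how one would wire it in.

```python
import urllib.error
import urllib.request

# Constructed user-agent list, standing in for the file UA-tester reads with -f.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1",
    "crawler": "Googlebot/2.1 (+http://www.google.com/bot.html)",
    "empty": "",
}

# Constructed sample responses, (status, headers), as a server might return
# them for each user-agent above. They replace live traffic in this demo.
SAMPLE_RESPONSES = {
    "desktop": (200, {"Server": "nginx", "Content-Type": "text/html", "X-Powered-By": "PHP/5.6"}),
    "mobile": (302, {"Server": "nginx", "Location": "http://m.example.invalid/"}),
    "crawler": (200, {"Server": "nginx", "Content-Type": "text/html",
                      "X-Powered-By": "PHP/5.6", "X-Robots-Tag": "noindex"}),
    "empty": (403, {"Server": "nginx", "Content-Type": "text/html"}),
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 3xx is reported instead of its target."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user_agent, timeout=10):
    """Live helper (not used by the offline demo): request `url` with the given
    User-Agent and return (status, headers). 3xx/4xx/5xx arrive as HTTPError
    and are returned the same way as a 200."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def compare(responses, baseline="desktop"):
    """Diff every response against the baseline user-agent's response.
    Returns {label: {"status": (base, other) or None, "added": {...},
    "removed": [...], "changed": {name: (base, other)}}} for labels that
    differ; identical responses are left out. Header names are lower-cased."""
    base_status, base_headers = responses[baseline]
    base_headers = {k.lower(): v for k, v in base_headers.items()}
    report = {}
    for label, (status, headers) in responses.items():
        if label == baseline:
            continue
        headers = {k.lower(): v for k, v in headers.items()}
        common = headers.keys() & base_headers.keys()
        diff = {
            "status": None if status == base_status else (base_status, status),
            "added": {k: headers[k] for k in headers.keys() - base_headers.keys()},
            "removed": sorted(base_headers.keys() - headers.keys()),
            "changed": {k: (base_headers[k], headers[k]) for k in common
                        if headers[k] != base_headers[k]},
        }
        if diff["status"] or diff["added"] or diff["removed"] or diff["changed"]:
            report[label] = diff
    return report


def run_live(url, user_agents=USER_AGENTS):
    """Collect a response per user-agent from a real server and diff them."""
    return compare({label: fetch(url, ua) for label, ua in user_agents.items()})


if __name__ == "__main__":
    for label, diff in compare(SAMPLE_RESPONSES).items():
        print(f"{label}: {diff}")
```

In the constructed data the mobile string gets a redirect, the empty string is refused with 403, and the crawler string receives an extra X-Robots-Tag header; on a real site the same kind of diff is what tells you the server treats clients unequally, which is either intended policy or something to fix.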
Download the above as a PDF: kali下服务信息搜集及Wafw00f 检测IDS_IPS.pdf