SCANNING
(Interacting directly with the target to gather information)
I- Protocols: ICMP, IP, TCP, UDP
* Internet stack: Application -> Transport (TCP, UDP) -> Internet (IPv4) -> Link (Ethernet)
1. ICMP is a network-layer protocol, so a packet only needs three layers of encapsulation
You need to tell a request from a reply by the Type/Code fields
Type=0 -> Code: Echo Reply
Type=0 -> Code: Echo Request
2. IP
Use the tool wireshark-win32-1.6.0 to capture the packets exchanged
Choose Capture/Interfaces, then filter on icmp
Use nmap-4.68-setup.exe on WinXP or wireshark8 on Win7
In the capture, an icmp packet shows Type: IP (0x8000), so this is IPv4
Look at the TCP port to identify the application
One packet is at most 65536 bytes
Type of Service determines the priority class of the service
3. TCP
Sits directly below the Application layer and exists to reassemble data; it carries two fields, Sequence Number and Acknowledgement Number
The source port is dynamic, the destination port is fixed
4. UDP is a stripped-down version of TCP: no handshake and no checking, so it is less reliable, but it is still needed to offload TCP (used for video and music streaming...)
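The headers described in this section, read out of raw bytes the way Wireshark's dissectors do: an added example, not part of the original notes. The IPv4 Protocol field selects ICMP (1), TCP (6) or UDP (17); ICMP type 8 is Echo Request and type 0 is Echo Reply; the two sample packets (and the Identification value 0x555c) are constructed for the demo.

```python
import struct

# Added example (not from the original notes). Protocol numbers and ICMP type
# names are the standard values; the sample packets below are constructed.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request"}
IP_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5

def parse_ipv4(packet: bytes) -> dict:
    """Read the IPv4 header, then the ICMP/TCP/UDP fields the notes discuss."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    info = {
        "ttl": ttl, "id": ident, "frag_offset": (frag & 0x1FFF) * 8,
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }
    payload = packet[ihl:total_len]
    if proto == 1 and len(payload) >= 4:        # ICMP: Type/Code tell request from reply
        info.update(icmp_type=payload[0], icmp_code=payload[1],
                    icmp_name=ICMP_TYPES.get(payload[0], "other"))
    elif proto == 6 and len(payload) >= 14:     # TCP: ports, Seq/Ack numbers, flags
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags >> i & 1])
    elif proto == 17 and len(payload) >= 8:     # UDP: just ports and length
        sport, dport, length, _csum = struct.unpack("!HHHH", payload[:8])
        info.update(sport=sport, dport=dport, udp_len=length)
    return info

def build_ipv4(proto: int, payload: bytes, ttl: int = 128) -> bytes:
    """Constructed sample builder: 20-byte IPv4 header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x555C, 0, ttl,
                      proto, 0, bytes([192, 168, 14, 15]), bytes([192, 168, 14, 201]))
    return hdr + payload

# Constructed samples: an ICMP Echo Request (type 8, code 0) and a TCP SYN to port 21
ECHO_REQUEST = build_ipv4(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))
TCP_SYN = build_ipv4(6, struct.pack("!HHIIHHHH", 40000, 21, 1000, 0,
                                    (5 << 12) | 0x02, 8192, 0, 0))
```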
II- Scanning (customizing packets to ask questions)
1. IP Protocol:
Use Nmap to send them
nmap -sO <target> (IP/hostname, range, subnet): for example nmap -sO 192.168.14.1-10
Scanning the host 192.168.14.201 gives:
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-01 17:57 SE Asia Standard Time
Interesting protocols on 192.168.14.201:
Not shown: 253 open|filtered protocols
PROTOCOL STATE SERVICE
1 open icmp
6 open tcp
17 open udp
MAC Address: 00:24:01:ED:1C:42 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 6.657 seconds
2. UDP Port
nmap -sU 192.168.14.201
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-01 18:07 SE Asia Standard Time
Interesting ports on 192.168.14.201:
Not shown: 1482 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
4500/udp open|filtered sae-urn
MAC Address: 00:24:01:ED:1C:42 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.922 seconds
Running Wireshark gives a clearer picture, with ICMP type 3 code 3, or use Nmap with other parameters:
nmap -sU <target> -p <ports>, e.g. 123,30,40 or 1-100
For example, scanning with nmap -sU -p 123,30 192.168.14.201
Shows:
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-01 18:14 SE Asia Standard Time
Interesting ports on 192.168.14.201:
PORT STATE SERVICE
30/udp closed unknown
123/udp open|filtered ntp
MAC Address: 00:24:01:ED:1C:42 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.656 seconds
Different OSes handle UDP the same way but IP differently: if all 256 probes are met with silence, an extra ICMP packet has to be sent so that the upper layer answers
3. TCP Port
TCP ports and UDP ports belong to two independent applications, so they need not be the same
3.1. TCP Connect (three-way handshake): nmap -sT 192.168.14.201
This result takes a bit longer because of the three-way handshake
3.2. SYN Scan: nmap -sS 192.168.14.201
Faster and does not consume resources:
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-01 18:35 SE Asia Standard Time
Interesting ports on 192.168.14.201:
Not shown: 1709 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3389/tcp open ms-term-serv
MAC Address: 00:24:01:ED:1C:42 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.906 seconds
Some servers run an alerting service that fires when a port scan is detected, so a FIN has to be sent instead
3.3. FIN Scan scans ports using the FIN flag (an abnormal case of the protocol: FIN before any SYN), so a host that sees the odd flag may drop everything: nmap -sF 192.168.14.201
or, to make it quick, use nmap -sS -p 21,80 --reason 192.168.14.201
Shows:
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-01 18:52 SE Asia Standard Time
Interesting ports on 192.168.14.201:
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
80/tcp closed http reset
MAC Address: 00:24:01:ED:1C:42 (Unknown)
Next, nmap -sF -p 21,80 --reason 192.168.14.201
Shows:
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-01 18:53 SE Asia Standard Time
Interesting ports on 192.168.14.201:
PORT STATE SERVICE REASON
21/tcp open|filtered ftp no-response
80/tcp open|filtered http no-response
MAC Address: 00:24:01:ED:1C:42 (Unknown)
3.4. Null Scan
3.5. XMas Scan (P, U, A)
3.6. ACK Scan: scans with the ACK flag; everything comes back. Used to check the path through a firewall
E.g. nmap -sA 192.168.14.201
ISA does not just filter ports but filters sessions as well, so this method cannot be used against it
3.7. Idle Scan: borrow another IP to scan; on Windows the IP ID increases with each packet: nmap -sI IP1 <target>
Capturing the ICMP packet with Wireshark shows Fragment offset: 0 and Identification: 0x555c (21852)
E.g. nmap -sI 192.168.14.15 192.168.14.201
Result:
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-01 19:16 SE Asia Standard Time
Idle scan using zombie 192.168.14.15 (192.168.14.15:80); Class: Incremental
Interesting ports on 192.168.14.201:
Not shown: 1709 closed|filtered ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3389/tcp open ms-term-serv
MAC Address: 00:24:01:ED:1C:42 (Unknown)
The host whose IP is borrowed must run Windows
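From the defender's side, the scans in 3.2 to 3.6 are recognisable by their flag combinations: an added example, not part of the original notes, that names each probe by its flags and reports any source touching many distinct ports, which is what the alerting service mentioned above keys on. A lone SYN is also how every handshake starts, so the per-source port threshold, not the flag alone, separates a scan from normal traffic; the traffic records are constructed.

```python
from collections import defaultdict

# Added example (not from the original notes): flag signatures of the scan types
# in sections 3.2-3.6. Input records are constructed tuples, not a real capture.
SCAN_SIGNATURES = {
    frozenset({"SYN"}): "syn-scan-probe",        # also the first packet of a normal handshake
    frozenset({"FIN"}): "fin-scan",              # FIN without a prior SYN
    frozenset(): "null-scan",                    # no flags at all
    frozenset({"FIN", "PSH", "URG"}): "xmas-scan",
    frozenset({"ACK"}): "ack-scan",              # bare ACK, used to map firewall rules
}

def classify_probe(flags) -> str:
    """Name the scan type an unsolicited TCP segment with these flags looks like."""
    return SCAN_SIGNATURES.get(frozenset(flags), "normal")

def detect_port_scans(records, port_threshold: int = 5) -> dict:
    """records: iterable of (src_ip, dst_ip, dst_port, flags).
    Returns {src_ip: {"ports": n, "types": {...}}} for sources that sent
    scan-like probes to at least port_threshold distinct (host, port) pairs."""
    per_src = defaultdict(lambda: {"ports": set(), "types": defaultdict(int)})
    for src, dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind == "normal":          # e.g. SYN/ACK, PSH/ACK: part of a real session
            continue
        per_src[src]["ports"].add((dst, dport))
        per_src[src]["types"][kind] += 1
    return {src: {"ports": len(v["ports"]), "types": dict(v["types"])}
            for src, v in per_src.items() if len(v["ports"]) >= port_threshold}

# Constructed sample traffic: a FIN scan of six ports from .15 and one
# ordinary FTP handshake (SYN, ACK, PSH/ACK) from .30 to the same host.
SAMPLE = [("192.168.14.15", "192.168.14.201", p, {"FIN"})
          for p in (21, 22, 23, 80, 135, 445)]
SAMPLE += [("192.168.14.30", "192.168.14.201", 21, {"SYN"}),
           ("192.168.14.30", "192.168.14.201", 21, {"ACK"}),
           ("192.168.14.30", "192.168.14.201", 21, {"PSH", "ACK"})]
```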
III- Services
Scan with nmap: nmap -sO 192.168.14.19
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-13 17:48 Pacific Daylight Time
Interesting protocols on 192.168.14.19:
Not shown: 253 open|filtered protocols
PROTOCOL STATE SERVICE
1 open icmp
6 open tcp
17 open udp
MAC Address: 00:06:7B:13:B3:12 (Toplink C&C)
Nothing of note. Scan TCP with the command nmap -sT 192.168.14.19
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-13 17:59 Pacific Daylight Time
Interesting ports on 192.168.14.19:
Not shown: 989 filtered ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
366/tcp open odmr
445/tcp open microsoft-ds
587/tcp open submission
1000/tcp open cadlock
Continue scanning UDP ports with the command nmap -sS 192.168.14.19
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-13 17:50 Pacific Daylight Time
Interesting ports on 192.168.14.19:
Not shown: 1701 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
366/tcp open odmr
445/tcp open microsoft-ds
587/tcp open submission
1000/tcp open cadlock
1026/tcp open LSA-or-nterm
3000/tcp open ppp
3389/tcp open ms-term-serv
MAC Address: 00:06:7B:13:B3:12 (Toplink C&C)
Scan the first 1000 ports: nmap -sS -p 1-1000 192.168.14.19
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-13 17:51 Pacific Daylight Time
Interesting ports on 192.168.14.19:
Not shown: 989 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
366/tcp open odmr
445/tcp open microsoft-ds
587/tcp open submission
1000/tcp open cadlock
MAC Address: 00:06:7B:13:B3:12 (Toplink C&C)
A packet-filtering firewall that blocks ping blocks protocol number 1; blocking web means blocking protocol 6
To scan straight away without pinging, use the command nmap -sS -p 1-1000 192.168.14.19 -PN
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-13 17:54 Pacific Daylight Time
Interesting ports on 192.168.14.19:
Not shown: 989 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
366/tcp open odmr
445/tcp open microsoft-ds
587/tcp open submission
1000/tcp open cadlock
MAC Address: 00:06:7B:13:B3:12 (Toplink C&C)
If the administrator has changed the ports of various applications for internal use (for example changing port 80), the scanner still sees them but cannot be sure that the application is web. So what do you do?
1. Get Banner
- Use a Telnet client (note: not the Telnet application or protocol as such): use this tool to handshake with the server and fetch the web banner
Scan again with nmap -sS 192.168.14.19
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
366/tcp open odmr
445/tcp open microsoft-ds
587/tcp open submission
1000/tcp open cadlock
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3000/tcp open ppp
3389/tcp open ms-term-serv
From cmd, telnet 192.168.14.19 25 gives the banner ‘220 nhatnghe.com ESMTP MDaemon 10.0.2 UNREGISTERED; Tue, 13 Sep 2011 18:22:42 +0 700’
From cmd, telnet 192.168.14.19 80 gives nothing. Ordinary web browsing does not work.
From cmd, telnet 192.168.14.19 3030 shows the banner ‘220 Microsoft FTP Service’. Trying ftp://192.168.14.19:3030/ works.
From cmd, telnet 192.168.14.19 3389 gives nothing. Remote desktop does not work.
2. Request: you can read the nmap-services file to learn the services.
Or request by scanning only port 80: nmap -sS -sV -p 80 192.168.14.19
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-13 18:28 Pacific Daylight Time
Interesting ports on 192.168.14.19:
PORT STATE SERVICE VERSION
80/tcp open microsoft-rdp Microsoft Terminal Service
MAC Address: 00:06:7B:13:B3:12 (Toplink C&C)
Service Info: OS: Windows
You can remote in from cmd with: mstsc 192.168.14.19:80
Or request by scanning only port 3389: nmap -sS -sV -p 3389 192.168.14.19
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-13 18:31 Pacific Daylight Time
Interesting ports on 192.168.14.19:
PORT STATE SERVICE VERSION
3389/tcp open http Microsoft IIS httpd
MAC Address: 00:06:7B:13:B3:12 (Toplink C&C)
Service Info: OS: Windows
Browse the web at http://192.168.14:3389
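The point of this section is that the port number does not identify the service, which is why the -sV VERSION column matters: an added example, not part of the original notes, that parses the "PORT STATE SERVICE VERSION" table nmap prints and flags ports whose detected product disagrees with what that port normally carries (RDP on 80, IIS on 3389 above). The keyword-to-family map and the expected-port table are assumptions for illustration, and the sample lines are constructed from the outputs shown above.

```python
import re

# Added example (not from the original notes). One row of nmap -sV output:
# "<port>/<proto> <state> <service> [<version ...>]"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed for illustration: keywords in the VERSION column that identify a
# product family, and the family a port number is normally expected to carry.
PRODUCT_FAMILY = {"Terminal Service": "rdp", "IIS httpd": "http",
                  "ESMTP": "smtp", "FTP Service": "ftp"}
EXPECTED_ON_PORT = {21: "ftp", 25: "smtp", 80: "http", 443: "http", 3389: "rdp"}

def parse_sv_output(text: str) -> list:
    """Turn the port table of an nmap -sV run into a list of dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                      # header, MAC Address, Service Info lines
            continue
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": version or ""})
    return rows

def family_of(version: str):
    """Map a VERSION string to a product family, or None if unrecognised."""
    for key, fam in PRODUCT_FAMILY.items():
        if key in version:
            return fam
    return None

def find_mismatches(rows: list) -> list:
    """(port, expected_family, detected_family) for open ports whose detected
    product is not what the port number suggests; unknown ports are skipped."""
    out = []
    for r in rows:
        expected = EXPECTED_ON_PORT.get(r["port"])
        detected = family_of(r["version"])
        if r["state"] == "open" and expected and detected and expected != detected:
            out.append((r["port"], expected, detected))
    return out

# Constructed sample, assembled from the scan results quoted in this section.
SAMPLE = """PORT     STATE SERVICE       VERSION
80/tcp   open  microsoft-rdp Microsoft Terminal Service
3389/tcp open  http          Microsoft IIS httpd
25/tcp   open  smtp          MDaemon ESMTP 10.0.2
MAC Address: 00:06:7B:13:B3:12 (Toplink C&C)
"""
```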
IV- OS
1. Service: scan to find the services specific to an OS. For example IIS only runs on the Windows platform, whereas Apache runs on both Windows and Linux
Windows' TTL is 128 but Linux's differs. The clearest sign, though, is how the packets are built.
2. Protocol: nmap -O 192.168.14.19
Starting Nmap 4.68 ( http://nmap.org ) at 2011-09-13 18:42 Pacific Daylight Time
Interesting ports on 192.168.14.19:
Not shown: 1701 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
366/tcp open odmr
445/tcp open microsoft-ds
587/tcp open submission
1000/tcp open cadlock
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3000/tcp open ppp
3389/tcp open ms-term-serv
MAC Address: 00:06:7B:13:B3:12 (Toplink C&C)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
To scan another machine you have to turn off its firewall
Go to nmap.org to study further