
The Most Important Part of Penetration Testing (3): Information Gathering

石老师小跟班


OS fingerprinting

1. nmap can identify the operating system with the -O option.

    nmap -O 10.10.100.103
    # The returned data is as follows
    Starting Nmap 7.91 (  ) at 2021-02-05 22:41 CST
    Nmap scan report for 10.10.100.103
    Host is up (0.00028s latency).
    Not shown: 993 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    80/tcp   open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    1026/tcp open  LSA-or-nterm
    3306/tcp open  mysql
    MAC Address: 00:0C:29:28:F9:63 (VMware)
    Device type: general purpose
    Running: Microsoft Windows 2003
    OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
    OS details: Microsoft Windows Server 2003 SP1 or SP2
    Network Distance: 1 hop
    OS detection performed. Please report any incorrect results at  .
    Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds

There is also the tool p0f, a passive fingerprinting tool. It is not installed on the latest Kali, so you need to run sudo apt-get install p0f to install it.

    # Usage: run p0f -h to see the options
    p0f -h
    --- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

    p0f: invalid option -- 'h'
    Usage: p0f [ ...options... ] [ 'filter rule' ]

    Network interface options:

      -i iface  - listen on the specified network interface
      -r file   - read offline pcap data from a given file
      -p        - put the listening interface in promiscuous mode
      -L        - list all available interfaces

    Operating mode and output settings:

      -f file   - read fingerprint database from 'file' (/etc/p0f/p0f.fp)
      -o file   - write information to the specified log file
      -s name   - answer to API queries at a named unix socket
      -u user   - switch to the specified unprivileged account and chroot
      -d        - fork into background (requires -o or -s)

    Performance-related options:

      -S limit  - limit number of parallel API connections (20)
      -t c,h    - set connection / host cache age limits (30s,120m)
      -m c,h    - cap the number of active connections / hosts (1000,10000)

    Optional filter expressions (man tcpdump) can be specified in the command
    line to prevent p0f from looking at incidental network traffic.

    Problems? You can reach the author at <lcamtuf@coredump.cx>.

    # Listen on one interface and trigger traffic by hand (telnet, ping, a browser visit, etc.).
    # For example, p0f -i eth0 listens on eth0; visiting 10.10.100.103 shows the following.
    .-[ 10.10.100.110/52530 -> 10.10.100.103/80 (syn+ack) ]-
    |
    | server   = 10.10.100.103/80
    | os       = ???          # no server OS information was obtained here
    | dist     = 0
    | params   = none
    | raw_sig  = 4:128+0:0:1460:mss*44,0:mss,nop,ws,nop,nop,ts,nop,nop,sok:ts1-:0
    |
    `----

    .-[ 10.10.100.110/52530 -> 10.10.100.103/80 (mtu) ]-
    |
    | server   = 10.10.100.103/80
    | link     = Ethernet or modem
    | raw_mtu  = 1500
    |
    `----

    .-[ 10.10.100.110/52530 -> 10.10.100.103/80 (http request) ]-
    |
    | client   = 10.10.100.110/52530
    | app      = Firefox 10.x or newer
    | lang     = English
    | params   = none
    | raw_sig  = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml
                 ,application/xml;q=0.9,image/webp,*/*;q=0.8],
                 Accept-Language=[en-US,en;q=0.5],
                 Accept-Encoding=[gzip, deflate],Connection=[keep-alive],
                 Upgrade-Insecure-Requests=[1],?Cache-Control:Accept-Charset
                 ,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
                 Firefox/78.0
    |
    `----

    .-[ 10.10.100.110/52530 -> 10.10.100.103/80 (http response) ]-
    |
    | server   = 10.10.100.103/80
    | app      = Apache 2.x   # the application identified
    | lang     = none
    | params   = none
    | raw_sig  = 1:Date,Server,X-Powered-By=[PHP/5.4.45],Keep-Alive=[timeout=5, max=100],Connection=[Keep-Alive],Transfer-Encoding=[chunked],Content-Type:Accept-Ranges:Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
    |            # the raw signature includes the detailed version information
    `----
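As an added example (not part of the original post), here is a small Python parser for the p0f HTTP signature lines shown in the capture above; the two raw_sig strings are copied from that capture, and the field layout ver:horder:habsent:expsw follows p0f 3's fingerprint file format. It shows which product versions a purely passive observer learns from the response alone, which is why the Server and X-Powered-By values in the capture matter to the defender of that host.

```python
import re
from dataclasses import dataclass
# Constructed input: the two raw_sig strings from the p0f capture above.
REQUEST_SIG = ("1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,"
               "image/webp,*/*;q=0.8],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],"
               "Connection=[keep-alive],Upgrade-Insecure-Requests=[1],?Cache-Control:Accept-Charset,"
               "Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0")
RESPONSE_SIG = ("1:Date,Server,X-Powered-By=[PHP/5.4.45],Keep-Alive=[timeout=5, max=100],"
                "Connection=[Keep-Alive],Transfer-Encoding=[chunked],Content-Type:Accept-Ranges:"
                "Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45")

@dataclass
class HttpSig:
    version: str
    headers: list   # (name, pinned value or None, optional?) in the order observed
    absent: list    # headers p0f expected for this software but did not see
    software: str   # the "expsw" field: User-Agent or Server string

def _split_outside_brackets(s, sep=","):
    """Split on sep only at bracket depth 0; [...] values themselves contain commas."""
    parts, cur, depth = [], [], 0
    for ch in s:
        depth += (ch == "[") - (ch == "]")
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p]

def parse_http_sig(raw):
    """Parse a p0f 3.x HTTP signature laid out as ver:horder:habsent:expsw."""
    # maxsplit=3 because the software string may itself contain ':' (rv:78.0)
    ver, horder, habsent, expsw = raw.split(":", 3)
    headers = []
    for item in _split_outside_brackets(horder):
        optional = item.startswith("?")          # '?' marks an optional header
        name, _, val = item.lstrip("?").partition("=")
        headers.append((name, val[1:-1] if val else None, optional))  # strip [ ]
    return HttpSig(ver, headers, _split_outside_brackets(habsent), expsw)

_VERSION = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")
def disclosed_versions(sig):
    """Product -> version pairs an observer learns from Server / X-Powered-By."""
    pinned = [v for n, v, _ in sig.headers if v and n.lower() in ("server", "x-powered-by")]
    text = " ".join([sig.software] + pinned)
    return {m.group(1): m.group(2) for m in _VERSION.finditer(text)}
```

Running disclosed_versions on the response signature gives Apache 2.4.23, OpenSSL 1.0.2j and PHP 5.4.45, exactly the versions the capture leaks without any active probing.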
Other information-gathering tools

1. recon-ng

It is an open-source framework written in Python that looks much like msf, and it is convenient for finding subdomains. On the latest Kali it ships without any modules, so it cannot be used out of the box, as shown in the figure below.

You can see that no modules are available for use; you need to run marketplace install all to install them. After installation it looks like this.

Using a module: modules load <module name>
Searching for a module: modules search <module name>

Example: finding Baidu subdomains (a complete workflow)

    # Create a new workspace
    recon-ng -w baidu
    # Use the corresponding module; bing is chosen here, which can search

Load it with modules load <module name>; Tab completion works here.

View the options and set them.

Run run (only part of the output is captured here).

The results found are stored in hosts; show hosts displays them.

The domain names are now known, but to display IP addresses as well, you can load another module and feed it the results of the previous query as its source:

    modules load recon/hosts-hosts/resolve
    options set source query select host from hosts

(This is equivalent to querying a specified column of the hosts table and using it as the source.)

Run run to resolve the domain names.

Run show hosts to view them as well.

You can also export the results; search for the report modules with modules search report.

Usage is the same as for the other modules, so it is omitted here; only the final result is shown.

For more modules, consult the help documentation.
