Stealth Techniques and Active Reconnaissance

Stealth Techniques

Introduction

Premise

  • Active reconnaissance builds on passive OSINT (open-source intelligence) reconnaissance to gather more information about the target and find more places where security problems may exist. Because it interacts with the target far more, however, the chance of being detected is much higher.

Goal

  • Keep the target from detecting the active reconnaissance.

Techniques

  • Disguise tool signatures
  • Hide traffic among legitimate traffic
  • Change the source and type of traffic

Stealthy scanning strategies

  • Adjust the source IP stack and tool identification settings
    • User-Agent

    • Case: using the Metasploit HTTP modules

      ┌──(root💀kali)-[~/桌面]
      └─# msfconsole 
      msf6 > use auxiliary/fuzzers/http/http_form_field 
      msf6 auxiliary(fuzzers/http/http_form_field) > set UserAgent BaiduSpider
      UserAgent => BaiduSpider  
      msf6 auxiliary(fuzzers/http/http_form_field) > set RHOSTS baidu.com
      RHOSTS => baidu.com
      msf6 auxiliary(fuzzers/http/http_form_field) > run
      [*] Running module against 39.156.69.79
      
      [*] Grabbing webpage / from 39.156.69.79
      [*] Code : 200
      [-] No form found in response body
      [*] <html>
      <meta http-equiv="refresh" content="0;url=http://www.baidu.com/">
      </html>
      
      [*] Running module against 220.181.38.148
      [*] Grabbing webpage / from 220.181.38.148
      [*] Code : 200
      [-] No form found in response body
      [*] <html>
      <meta http-equiv="refresh" content="0;url=http://www.baidu.com/">
      </html>
      
      [*] Auxiliary module execution completed
      
  • Modify packet parameters

    • Nmap: change the raw packet parameters

    • Case: nmap --spoof-mac Cisco --data-length 26 -sS <target IP address> -Pn -p 80

    • --spoof-mac   MAC address
      --data-length  data length
      -sS            target IP address
      -Pn            do not perform ping probing
      -p             specify the port
      
      ┌──(root💀kali)-[~/桌面]
      └─# nmap --spoof-mac Cisco 192.168.10.131 -Pn -p 80            
      Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
      Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-22 09:14 EST
      Spoofing MAC address 00:00:0C:5D:18:B9 (Cisco Systems)
      Nmap done: 1 IP address (0 hosts up) scanned in 1.54 seconds
      
  • Use proxies / anonymity networks

    • Tor network
    • apt install tor
    • Edit /etc/proxychains.conf
      • make sure the line socks5 127.0.0.1 9050 is present
    • systemctl start tor
    • firefox www.whatismyip.com
    • proxychains firefox www.whatismyip.com
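
The User-Agent trick above (setting UserAgent to BaiduSpider in Metasploit) is also what a defender looks for. As an added defender-side example, not from the original notes, the check below flags requests whose User-Agent claims a crawler but whose source IP does not reverse-resolve into the crawler operator's domain. The log lines and the reverse-DNS table are constructed, and the crawler-domain table is an assumption to fill from each operator's published verification guidance.

```python
"""Flag requests whose User-Agent claims a search-engine crawler but whose
source IP does not reverse-resolve into the crawler operator's domain.
Added example, not from the original notes; the log lines and the reverse-DNS
table are constructed. Swap FAKE_RDNS for socket.gethostbyaddr() in real use."""
import re
from typing import Iterable, List, Optional, Tuple

# Crawler UA substrings mapped to the PTR suffixes their operators publish (assumed).
CRAWLER_RDNS = {
    "baiduspider": (".baidu.com", ".baidu.jp"),
    "googlebot": (".googlebot.com", ".google.com"),
}
# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Constructed reverse-DNS answers standing in for real PTR lookups.
FAKE_RDNS = {
    "192.0.2.15": "baiduspider-192-0-2-15.crawl.baidu.com",
    "198.51.100.77": "ec2-198-51-100-77.example.net",
}

def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup; a full check also confirms the PTR name's A record is `ip`."""
    return FAKE_RDNS.get(ip)

def claimed_crawler(ua: str) -> Optional[str]:
    return next((n for n in CRAWLER_RDNS if n in ua.lower()), None)

def find_fake_crawlers(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, claimed crawler, PTR or 'no-ptr') for every unverified claim."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        name = claimed_crawler(m["ua"]) if m else None
        if name is None:
            continue  # unparsable line or an ordinary browser UA
        ptr = reverse_lookup(m["ip"])
        if ptr is None or not ptr.lower().endswith(CRAWLER_RDNS[name]):
            hits.append((m["ip"], name, ptr or "no-ptr"))
    return hits

SAMPLE_LOG = [  # constructed; 192.0.2.15 plays a genuine Baidu crawler
    '192.0.2.15 - - [22/Feb/2021:09:14:01 -0500] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
    '198.51.100.77 - - [22/Feb/2021:09:14:02 -0500] "GET / HTTP/1.1" 200 1234 "-" "BaiduSpider"',
    '203.0.113.9 - - [22/Feb/2021:09:14:03 -0500] "GET /login HTTP/1.1" 200 512 "-" "Googlebot/2.1"',
    '203.0.113.4 - - [22/Feb/2021:09:14:04 -0500] "GET /index.html HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]
```

Only the two unverifiable claims are reported; the request whose PTR falls under baidu.com passes, and a plain browser UA is never considered.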

Active Reconnaissance

DNS reconnaissance

  • DNS information can be probed with nslookup or dig, but they are single-purpose tools that need many more manual steps, so an all-in-one tool is preferable.
    • dnsenum
      ┌──(root💀kali)-[~/桌面]
      └─# dnsenum baidu.com
      dnsenum VERSION:1.2.6
      -----   baidu.com   -----  
      ...
      
    • dnswalk

      ┌──(root💀kali)-[~/桌面]
      └─# dnswalk baidu.com.
      Checking baidu.com.
      Getting zone transfer of baidu.com. from dns.baidu.com...failed
      FAIL: Zone transfer of baidu.com. from dns.baidu.com failed: REFUSED
      Getting zone transfer of baidu.com. from ns7.baidu.com...failed
      FAIL: Zone transfer of baidu.com. from ns7.baidu.com failed: REFUSED
      Getting zone transfer of baidu.com. from ns3.baidu.com...failed
      FAIL: Zone transfer of baidu.com. from ns3.baidu.com failed: REFUSED
      Getting zone transfer of baidu.com. from ns4.baidu.com...failed
      FAIL: Zone transfer of baidu.com. from ns4.baidu.com failed: REFUSED
      Getting zone transfer of baidu.com. from ns2.baidu.com...failed
      FAIL: Zone transfer of baidu.com. from ns2.baidu.com failed: REFUSED
      BAD: All zone transfer attempts of baidu.com. failed!
      5 failures, 0 warnings, 1 errors.
      

Route mapping

Network diagnostic tools

  • Locate where a network fault lies

Route mapping as seen by a penetration tester

  • The correct path to the target
  • Control devices that may be filtering the traffic

The traceroute tool

  • On Kali Linux it sends UDP packets
  • The equivalent Windows tool, tracert, sends ICMP packets

www.iplocation.com

  • Maps an IP address to a geographic location

Load-balancer detection

Load balancing is built on top of the existing network structure. It offers a cheap, effective and transparent way to expand the bandwidth of network devices and servers, increase throughput, strengthen network data-processing capacity, and improve network flexibility and availability.

The lbd tool

┌──(root💀kali)-[~/桌面]
└─# lbd taobao.com 

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (http://ge.mine.nu)
                                    Proof-of-concept! Might give false positives.

Checking for DNS-Loadbalancing: FOUND
taobao.com has address 140.205.220.96
taobao.com has address 140.205.94.189

Checking for HTTP-Loadbalancing [Server]: 
 Tengine
 NOT FOUND

Checking for HTTP-Loadbalancing [Date]: 11:47:53, 11:47:53, 11:47:53, 11:47:53, 11:47:53, 11:47:53, 11:47:53, 11:47:54, 11:47:54, 11:47:54, 11:47:54, 11:47:54, 11:47:54, 11:47:54, 11:47:54, 11:47:55, 11:47:55, 11:47:55, 11:47:55, 11:47:55, 11:47:56, 11:47:56, 11:47:56, 11:47:56, 11:47:56, 11:47:57, 11:47:57, 11:47:57, 11:47:57, 11:47:57, 11:47:58, 11:47:58, 11:47:58, 11:47:58, 11:48:01, 11:48:01, 11:48:02, 11:48:02, 11:48:02, 11:48:02, 11:48:02, 11:48:02, 11:48:02, 11:48:02, 11:48:03, 11:48:03, 11:48:03, 11:48:03, 11:48:03, 11:48:03, NOT FOUND

Checking for HTTP-Loadbalancing [Diff]: NOT FOUND

taobao.com does Load-balancing. Found via Methods: DNS

WAF detection

Web Application Firewall (WAF), also called a website application-level intrusion prevention system.

The wafw00f tool

┌──(root💀kali)-[~/桌面]
└─# wafw00f webb-l.top

                        ~ WAFW00F : v2.1.0 ~
        The Web Application Firewall Fingerprinting Toolkit

[*] Checking https://webb-l.top
[+] The site https://webb-l.top is behind Open-Resty Lua Nginx (FLOSS) WAF.
[~] Number of requests: 2

Live host discovery

Whether a host is online

The nmap tool

┌──(root💀kali)-[~/桌面]
└─# nmap -sn 192.168.10.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-23 07:00 EST
Nmap scan report for 192.168.10.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.10.2
Host is up (0.00016s latency).
MAC Address: 00:50:56:E0:5B:71 (VMware)
Nmap scan report for 192.168.10.132
Host is up (0.00025s latency).
MAC Address: 00:0C:29:70:85:EA (VMware)
Nmap scan report for 192.168.10.254
Host is up (0.00056s latency).
MAC Address: 00:50:56:E6:57:AF (VMware)
Nmap scan report for 192.168.10.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.05 seconds

netdiscover

┌──(root💀kali)-[~/桌面]
└─# netdiscover -r 192.168.10.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.10.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.10.2    00:50:56:e0:5b:71      1      60  VMware, Inc.
 192.168.10.132  00:0c:29:70:85:ea      1      60  VMware, Inc.
 192.168.10.254  00:50:56:e6:57:af      1      60  VMware, Inc.
 # If it reports Finished but no host list is shown, the scan may simply not have completed yet.

Port scanning

netcat

-v     show verbose output
-z     specify the IP
1-100  port range to scan
┌──(root💀kali)-[~/桌面]
└─# nc -v -z 192.168.10.132 1-100 
192.168.10.132: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.10.132] 80 (http) open
(UNKNOWN) [192.168.10.132] 22 (ssh) open

nmap

┌──(root💀kali)-[~/桌面]
└─# nmap -sV 192.168.10.132    
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-23 07:17 EST
Nmap scan report for 192.168.10.132
Host is up (0.00023s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:70:85:EA (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.75 seconds

Large-scale host scanning

The masscan tool

-p         ports
--banners  broadcast
--rate     speed
┌──(root💀kali)-[~/桌面]
└─# masscan -p22,80 192.168.10.1/24 --banners --rate=10000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-02-23 12:23:30 GMT
Initiating SYN Stealth Scan
Scanning 256 hosts [2 ports/host]
Discovered open port 22/tcp on 192.168.10.132                                  
Discovered open port 80/tcp on 192.168.10.132  

ARP broadcast

┌──(root💀kali)-[~/桌面]
└─# arp-scan 192.168.10.1/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:cf:a6:9a, IPv4: 192.168.10.129
WARNING: host part of 192.168.10.1/24 is non-zero
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1    00:50:56:c0:00:08       VMware, Inc.
192.168.10.2    00:50:56:e0:5b:71       VMware, Inc.
192.168.10.132  00:0c:29:70:85:ea       VMware, Inc.
192.168.10.254  00:50:56:e6:57:af       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.014 seconds (127.11 hosts/sec). 4 responded

Ping sweep

┌──(root💀kali)-[~/桌面]
└─# fping -g 192.168.10.1/24
192.168.10.2 is alive
^C192.168.10.1 is unreachable
192.168.10.3 is unreachable
192.168.10.4 is unreachable
192.168.10.5 is unreachable
...
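
The TCP scans above leave a recognisable footprint on the target network: nc -z hits many ports on one host, while masscan -p22,80 hits the same two ports on every host of the /24. As an added defender-side example, not from the original notes, the detector below applies both counts (vertical and horizontal) to netfilter-style SYN log lines; the log lines are constructed to mimic those two runs, and the thresholds are assumed starting points to tune per site.

```python
"""Spot vertical port scans (one host, many ports) and horizontal sweeps (one
port, many hosts) in netfilter LOG lines. Added example, not from the original
notes; the SYN records are constructed to mimic the page's `nc -z ... 1-100`
and `masscan -p22,80 ... /24` runs, plus one ordinary client and one reply."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

SYN_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=TCP .*DPT=(?P<dpt>\d+) .*\bSYN\b")

def parse_syns(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """(src, dst, dport) for each pure-SYN line; SYN/ACK replies carry ACK too."""
    out = []
    for line in lines:
        m = SYN_RE.search(line)
        if m and " ACK " not in line:
            out.append((m["src"], m["dst"], int(m["dpt"])))
    return out

def detect_scans(records, port_threshold: int = 20, host_threshold: int = 16):
    """Alerts as (kind, src, dst-or-port, count); thresholds are assumed, tune per site."""
    ports_per_target: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    hosts_per_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for src, dst, dpt in records:
        ports_per_target[(src, dst)].add(dpt)
        hosts_per_port[(src, dpt)].add(dst)
    alerts = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            alerts.append(("vertical", src, dst, len(ports)))
    for (src, dpt), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append(("horizontal", src, dpt, len(hosts)))
    return sorted(alerts, key=lambda a: (a[0], a[1], str(a[2])))

def _syn(src: str, dst: str, dpt: int, flags: str = "SYN") -> str:
    """Build one constructed netfilter LOG line."""
    return (f"kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 TTL=64 ID=1 DF "
            f"PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")

SCANNER, VICTIM, CLIENT = "192.168.10.129", "192.168.10.132", "192.168.10.50"
SAMPLE_LOG = (
    [_syn(SCANNER, VICTIM, p) for p in range(1, 101)]                                  # nc -v -z 1-100
    + [_syn(SCANNER, f"192.168.10.{h}", p) for h in range(1, 255) for p in (22, 80)]   # masscan -p22,80 /24
    + [_syn(CLIENT, VICTIM, 80), _syn(CLIENT, VICTIM, 22)]                             # ordinary client
    + [_syn(VICTIM, SCANNER, 40000, flags="ACK SYN")]                                  # SYN/ACK reply, ignored
)
```

A production detector would additionally bucket the counts by time window, since these totals accumulate without bound as written.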