Disclaimer and friendly reminder
- The purpose of this post is to introduce basic penetration-testing tools and the most basic reconnaissance and attack methods, so that you have a clearer picture of them when planning a service.
- This post uses a single site, www.ptt.cc, for testing, purely as a demo; the scan results are for reference only, and the password-testing command is not actually executed.
- Do not attack services or websites on the internet.
Environment
Tools used
nmap
gobuster
hydra
- The Shodan search engine is covered as a bonus.
A) nmap
Purpose
- A powerful scanner, typically used to check open ports, service versions, and host status.
Installation
```
$ brew install nmap
# CentOS
# yum install nmap
```
Example Command
```
$ nmap -sC -sV <target site>
```
For example:
```
$ nmap -sC -sV www.ptt.cc
```
After 145 seconds it returns the following result:
```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-04 23:48 CST
Nmap scan report for www.ptt.cc (104.21.235.87)
Host is up (0.076s latency).
Other addresses for www.ptt.cc (not scanned): 2606:4700:3038::6815:eb57 2606:4700:3038::6815:eb58 104.21.235.88
Not shown: 992 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
19/tcp closed chargen
80/tcp open http Cloudflare http proxy
|_http-server-header: cloudflare
|_http-title: Did not follow redirect to https://www.ptt.cc/
135/tcp closed msrpc
139/tcp closed netbios-ssn
443/tcp open ssl/http Cloudflare http proxy
| ssl-cert: Subject: commonName=sni.cloudflaressl.com/organizationName=Cloudflare, Inc./stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:ptt.cc, DNS:sni.cloudflaressl.com, DNS:*.ptt.cc
| Not valid before: 2021-07-04T00:00:00
|_Not valid after: 2022-07-03T23:59:59
| http-title: \xE9\xA6\x96\xE9\xA0\x81 - \xE6\x89\xB9\xE8\xB8\xA2\xE8\xB8\xA2\xE5\xAF\xA6\xE6\xA5\xAD\xE5\x9D\x8A
|_Requested resource was https://www.ptt.cc/index.html
|_http-server-header: cloudflare
593/tcp closed http-rpc-epmap
8080/tcp open http Cloudflare http proxy
|_http-server-header: cloudflare
8443/tcp open ssl/http Cloudflare http proxy
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=sni.cloudflaressl.com/organizationName=Cloudflare, Inc./stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:ptt.cc, DNS:sni.cloudflaressl.com, DNS:*.ptt.cc
| Not valid before: 2021-07-04T00:00:00
|_Not valid after: 2022-07-03T23:59:59
|_http-server-header: cloudflare
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.45 seconds
```
- From this you can see which ports the host exposes, the web services and versions it provides, and details of the SSL certificate.
- Different sites or services may take different amounts of time to scan.
Command details (man page) can be found at
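The scan output above is most useful when it is turned into a check rather than read once. The following added example (not from the original post and not part of nmap) parses the normal-format `-sC -sV` output into a port inventory and flags open ports outside an allow-list and certificates that are expired or about to expire. The sample text is a trimmed copy of the output above; the allow-list, reference date and 30-day warning threshold are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: a trimmed copy of the nmap -sC -sV output shown above.
SAMPLE = """\
PORT STATE SERVICE VERSION
19/tcp closed chargen
80/tcp open http Cloudflare http proxy
|_http-server-header: cloudflare
443/tcp open ssl/http Cloudflare http proxy
| ssl-cert: Subject: commonName=sni.cloudflaressl.com/organizationName=Cloudflare, Inc.
|_Not valid after: 2022-07-03T23:59:59
8080/tcp open http Cloudflare http proxy
8443/tcp open ssl/http Cloudflare http proxy
|_Not valid after: 2022-07-03T23:59:59
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
EXPIRY_RE = re.compile(r"Not valid after:\s*(\S+)")

def parse_nmap(text):
    """One dict per port line; NSE script output ('|' lines) is attached to the preceding port."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m[1]), "proto": m[2], "state": m[3], "service": m[4],
                          "version": m[5] or "", "cert_not_after": None})
        elif line.startswith("|") and ports:
            e = EXPIRY_RE.search(line)
            if e:
                ports[-1]["cert_not_after"] = datetime.fromisoformat(e[1])
    return ports

def review(ports, expected_open, today_iso, warn_days=30):
    """Flag open ports outside the allow-list and TLS certificates that are expired or expiring soon."""
    today = datetime.fromisoformat(today_iso)
    findings = []
    for p in ports:
        if p["state"] == "open" and p["port"] not in expected_open:
            findings.append(f"unexpected open port {p['port']}/{p['proto']} ({p['service']})")
        exp = p["cert_not_after"]
        if exp is not None and exp < today:
            findings.append(f"port {p['port']}: certificate expired {exp.date()}")
        elif exp is not None and exp - today < timedelta(days=warn_days):
            findings.append(f"port {p['port']}: certificate expires {exp.date()}")
    return findings

if __name__ == "__main__":
    for finding in review(parse_nmap(SAMPLE), {80, 443}, "2022-06-15"):
        print(finding)
```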
B) gobuster
Purpose
- Brute-force guesses sub-directories (URLs) under a site
- Brute-force guesses sub-domains via DNS
Installation
```
# Github
https://github.com/OJ/gobuster
# Release
https://github.com/OJ/gobuster/releases
```
After downloading and unzipping on Mac, remember to change the permissions:
```
$ chmod a+x /path/to/unzipped/gobuster-darwin-amd64/gobuster
```
You also need to allow it to run in System Preferences:
System Preferences > Security & Privacy > Open Anyway
Because it brute-forces, it also needs a wordlist;
for example from here:
Example Command
```
# Sub-directory
$ ./gobuster dir -k -w ~/Downloads/common.txt -u https://<FQDN>
#                                                 ^^^^^ if omitted, http is used by default
# Sub-domain
$ ./gobuster dns -d <DOMAIN NAME> -w ~/Downloads/common.txt
```
```
$ ./gobuster dir -k -w ~/Downloads/common.txt -u https://www.ptt.cc
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://www.ptt.cc
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /Users/____/Downloads/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/04/04 23:51:05 Starting gobuster in directory enumeration mode
===============================================================
/bbs (Status: 302) [Size: 138] [--> https://www.ptt.cc/bbs/index.html]
/captcha (Status: 200) [Size: 2130]
/cgi-bin/ (Status: 302) [Size: 138] [--> https://www.ptt.cc/cgi-bin/index.html]
/contact (Status: 502) [Size: 150]
===============================================================
2022/04/04 23:52:11 Finished
===============================================================
```
```
$ ./gobuster dns -d ptt.cc -w ~/Downloads/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: ptt.cc
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /Users/____/Downloads/common.txt
===============================================================
2022/04/04 23:59:18 Starting gobuster in DNS enumeration mode
===============================================================
Found: A.ptt.cc
Found: B.ptt.cc
Found: C.ptt.cc
Found: D.ptt.cc
Found: E.ptt.cc
Found: Images.ptt.cc
Found: News.ptt.cc
Found: RSS.ptt.cc
Found: a.ptt.cc
Found: b.ptt.cc
Found: bbs.ptt.cc
Found: c.ptt.cc
Found: cache.ptt.cc
Found: d.ptt.cc
Found: e.ptt.cc
Found: images.ptt.cc
Found: mrtg.ptt.cc
Found: new.ptt.cc
Found: news.ptt.cc
Found: node.ptt.cc
Found: old.ptt.cc
Found: rss.ptt.cc
Found: term.ptt.cc
Found: web.ptt.cc
Found: ws.ptt.cc
Found: www.ptt.cc
===============================================================
2022/04/05 00:00:28 Finished
===============================================================
```
C) hydra
Purpose
Installation
```
# Github: https://github.com/vanhauser-thc/thc-hydra
$ brew install hydra
# CentOS
# yum install hydra
```
Likewise, since it brute-forces, it needs a wordlist (for password testing); one can be downloaded here:
https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt (over 100 MB)
Example Command
```
# Using a wordlist
$ hydra -l <login account> -P rockyou.txt https-get://<FQDN>
```
Brute-force example
```
$ hydra -l ftp -x 3:8:a ftp://localhost/
$ hydra -l ftp -x 3:8:Aa1 ftp://localhost/
$ hydra -l ftp -x 2:4:Aa1/ ftp://localhost/
# -x minimum_length:maximum_length:charset
```
In the charset, a stands for lowercase letters, A for uppercase letters and 1 for digits; any other characters given are taken literally.
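To make the -x syntax concrete, here is an added helper (not from the original post and not part of hydra) that parses a min:max:charset spec the way the note above describes and counts how many candidates the mask covers, which is the number a lockout or rate-limiting policy has to withstand. The function names are assumptions.

```python
import string

# Charset classes as the -x note above defines them; any other character is literal.
CLASSES = {"a": string.ascii_lowercase, "A": string.ascii_uppercase, "1": string.digits}

def parse_x(spec):
    """Parse 'min:max:charset' into (min_len, max_len, sorted string of distinct characters)."""
    # maxsplit=2 keeps a literal ':' inside the charset part intact
    min_s, max_s, charset_spec = spec.split(":", 2)
    chars = set()
    for ch in charset_spec:
        chars.update(CLASSES.get(ch, ch))  # expand a/A/1, keep anything else literally
    return int(min_s), int(max_s), "".join(sorted(chars))

def keyspace(spec):
    """Number of candidate passwords a full run of this -x spec would try."""
    lo, hi, chars = parse_x(spec)
    n = len(chars)
    return sum(n ** length for length in range(lo, hi + 1))

if __name__ == "__main__":
    for spec in ("3:8:a", "3:8:Aa1", "2:4:Aa1/"):
        lo, hi, chars = parse_x(spec)
        print(f"-x {spec}: {len(chars)} characters, lengths {lo}-{hi}, {keyspace(spec):,} candidates")
```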
This post does not actually guess any passwords; it only lists the basic usage commands.
Detailed documentation:
https://github.com/vanhauser-thc/thc-hydra
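The defender's view of the gobuster and hydra runs above: this added example (not from the original post, not part of either tool) runs simple detection logic over a constructed web-server access log. It flags a source that bursts 404s the way a gobuster dir run does (the default gobuster/3.1.0 User-Agent seen in the output above is flagged too) and a source that repeats 401s against one path the way an hydra https-get run does. The log lines, IP addresses, window and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed combined-format access log: 198.51.100.7 guesses paths with the default gobuster
# User-Agent, 203.0.113.9 repeats a login attempt against one path, 192.0.2.1 is normal traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Apr/2022:23:51:05 +0800] "GET /admin HTTP/1.1" 404 138 "-" "gobuster/3.1.0"
198.51.100.7 - - [04/Apr/2022:23:51:05 +0800] "GET /backup HTTP/1.1" 404 138 "-" "gobuster/3.1.0"
198.51.100.7 - - [04/Apr/2022:23:51:06 +0800] "GET /bbs HTTP/1.1" 302 138 "-" "gobuster/3.1.0"
198.51.100.7 - - [04/Apr/2022:23:51:06 +0800] "GET /config HTTP/1.1" 404 138 "-" "gobuster/3.1.0"
203.0.113.9 - - [04/Apr/2022:23:55:01 +0800] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Apr/2022:23:55:02 +0800] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Apr/2022:23:55:02 +0800] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.1 - - [04/Apr/2022:23:56:40 +0800] "GET /missing HTTP/1.1" 404 138 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def parse_log(text):
    """One dict per well-formed line: source ip, timestamp, request path, status, user agent."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
            events.append({"ip": m[1], "ts": ts, "path": m[4], "status": int(m[5]), "ua": m[6]})
    return events

def detect(events, window=timedelta(seconds=60), threshold=3):
    """Sorted (ip, kind, detail) alerts: bursts of 404s from one source (directory enumeration),
    bursts of 401s on one path from one source (password guessing), and known scanner User-Agents."""
    alerts, hits = set(), defaultdict(list)
    for e in events:
        if e["status"] == 404:
            hits[(e["ip"], "dir-bruteforce", "*")].append(e["ts"])
        elif e["status"] == 401:
            hits[(e["ip"], "password-guessing", e["path"])].append(e["ts"])
        if "gobuster" in e["ua"].lower():
            alerts.add((e["ip"], "scanner-user-agent", e["ua"]))
    for key, stamps in hits.items():
        stamps.sort()
        # sliding window: alert once `threshold` hits fall within `window`
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            alerts.add(key)
    return sorted(alerts)

if __name__ == "__main__":
    for ip, kind, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{ip}: {kind} ({detail})")
```

A single 404 from ordinary traffic stays below the threshold, which is the point of counting per source inside a time window rather than alerting on status codes alone.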
D) Shodan
Introduction
- A search engine for looking up public IPs, ports and services by criteria, for example searching for services related to port:3389.
- According to 「網管人 - 最危險搜尋引擎Shodan 連網設備無防護全曝光」 (NetAdmin: "The most dangerous search engine, Shodan: unprotected connected devices fully exposed"):
Shodan scans IP addresses all over the world; it operates by scanning and updating its database around the clock, so users can quickly obtain the most current information. Shodan searches IoT devices worldwide and collects information about them, including their IP address, the services running, system information, and so on.
For more details, see: