Nmap and Nikto scanning
2022-07-19 01:40:00 【Default user_ one hundred and fourteen thousand five hundred an】
First, start the Kali attacker VM and the Metasploitable2 target VM in local VMware.


Port scanning
Use ip addr or ifconfig to look up the target VM's IP address first.

On Kali, run nmap + IP to scan the target in the default way.
nmap's default scanning method is in fact
-sS, that is, SYN scanning. This method only performs the first two steps of the TCP three-way handshake and never completes the connection, so it is relatively stealthy and fast.
Changing the scan type and similar nmap parameters requires root privileges; the default scan does not. For convenience, I ran all the commands this time as root.

The default scan covers the 1000 most commonly used ports. It shows which of the target's ports are open and the service on each, along with other information about the target such as its MAC address; nmap will even identify the vendor of the target's hardware (from the MAC address).
Here only open ports are shown, but nmap distinguishes several other port states:
- open: the port is open and an application is accepting connections
- closed: the port is reachable, but nothing is listening on it
- filtered: the port is blocked by a firewall/IDS/IPS, so its state cannot be determined
- unfiltered: the port is reachable (not blocked), but whether it is open or closed needs further probing
- open|filtered: nmap cannot tell whether the port is open or filtered
- closed|filtered: nmap cannot tell whether the port is closed or filtered
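To make the six states concrete, here is an added example (not from the original post) that parses the port table of nmap's normal output, counts ports per state, and lists the ones whose state nmap could not settle; the sample output, host address and MAC are constructed for a lab VM and are not real scan data.

```python
import re
from collections import Counter

# Matches one port line of nmap's normal output, e.g. "3306/tcp open  mysql".
# The state field is exactly one of the six states listed above.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)

def parse_nmap_output(text):
    """Return one dict per port line (port, proto, state, service, version)."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:  # header, "Not shown" and MAC lines do not match and are skipped
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            results.append(entry)
    return results

def summarize(ports):
    """Count ports per nmap state, e.g. {'open': 4, 'filtered': 1, ...}."""
    return Counter(p["state"] for p in ports)

def needs_follow_up(ports):
    """Ports nmap could not settle: the two ambiguous states and 'unfiltered'.
    An asset owner should re-probe these with a different scan type."""
    return sorted(p["port"] for p in ports
                  if "|" in p["state"] or p["state"] == "unfiltered")

# Constructed sample in the shape of nmap -sV output for a lab VM (not real scan data).
SAMPLE = """Nmap scan report for 192.168.56.101
Not shown: 993 closed tcp ports (reset)
PORT     STATE         SERVICE      VERSION
21/tcp   open          ftp          vsftpd 3.0.3
22/tcp   open          ssh          OpenSSH 7.9p1
80/tcp   open          http         Apache httpd 2.4.38
445/tcp  filtered      microsoft-ds
3306/tcp open          mysql        MySQL 5.7.30
8009/tcp unfiltered    ajp13
161/udp  open|filtered snmp
MAC Address: 00:0C:29:AB:CD:EF (VMware)
"""

if __name__ == "__main__":
    found = parse_nmap_output(SAMPLE)
    print(dict(summarize(found)))  # {'open': 4, 'filtered': 1, 'unfiltered': 1, 'open|filtered': 1}
    print(needs_follow_up(found))  # [161, 8009]
```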
What if we only want the status of a single port? nmap has the -p parameter for specifying which port to scan; here, for example, we scan 3306, the common port for MySQL.

If we also want MySQL's version information, which is convenient for SQL injection later on, we can scan with the -sV parameter to obtain the version of this service.

Sometimes we want to see all the scanning details, which nmap hides by default; the -v or -vv parameter shows them.

If you also want to know the target's operating system and version, the -O parameter provides that.

Finally, there is the most comprehensive parameter of all, -A, commonly called the "everything" scan: it enables OS version detection, service version detection, script scanning, traceroute and so on. Of course this takes time, so we continue to scan only port 3306.

You can see that for the MySQL service alone, the scan returns a great deal of information: the protocol, the version number, the thread ID, and the capabilities flags used in the MySQL "handshake".
Once enough information has been gathered, nmap also supports some simple vulnerability probing via scripts; for this MySQL service, for example, scripts can test for weak passwords or brute-force credentials. In fact, the comprehensive -A scan has already run one MySQL script, mysql-info.

nmap also lets you control the scanning speed with -T0 through -T5, from slowest to fastest. T0 and T1 are generally used to avoid detection by an IDS (intrusion detection system); the default is T3; T4 and T5 generally sacrifice some accuracy for high-speed scanning.
Here is a speed comparison of T0 and T5... I have been waiting ten minutes for T0 and don't know how long it will take... 13 minutes; I really feel the speed of this mode... 15 minutes; thinking about the 1000-port default scan I wrote about above makes me shudder... 20 minutes; I regret making this comparison, but cancelling the task now is pointless... I need to leave the lab environment for something else, so this comparison has to be abandoned. As of now, T0 has been running for 41 minutes. Compare that with T5's speed. All in all, T0 is really, really slow.

Vulnerability scanning
nikto is a web vulnerability scanner that ships with Kali; it can identify security vulnerabilities on the target website and server.
Use the -h or -host parameter to specify the IP address or URL to scan. With only the host option, nikto runs in its normal scanning mode. The OSVDB numbers in the output denote different website vulnerabilities; their mapping to CVE vulnerability numbers can be looked up on the corresponding website.


For example, the scan results flag many sensitive directories that may leak information: a site's Readme.txt file, its ChangeLog, phpmyadmin (a database management back end), and phpinfo.php, which may be a developer's test page that displays the output of phpinfo().

nikto scans port 80 by default, but like nmap it can be pointed at other ports with the -port parameter. Our target's web service runs on port 80, so scanning another port turns up nothing.

We can also scan a specified directory, using -c followed by the directory.

You can see that the logs and sensitive configuration files have been found.
During a scan you can also display scanning details with interactive commands; for example, typing p while the scan runs shows its progress.
