OS fingerprinting

1. nmap can identify the operating system with the -O option:

nmap -O 10.10.100.103
# The returned output is as follows
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-05 22:41 CST
Nmap scan report for 10.10.100.103
Host is up (0.00028s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1026/tcp open  LSA-or-nterm
3306/tcp open  mysql
MAC Address: 00:0C:29:28:F9:63 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds
There is also the tool p0f, a passive fingerprinting tool: it only listens to traffic instead of sending probes. It is not installed on the latest Kali; run sudo apt-get install p0f to install it.
# Usage
p0f -h   shows the options (p0f rejects -h but still prints its usage)
p0f -h
--- p0f 3.09b by Michal Zalewski <[email protected]> ---
p0f: invalid option -- 'h'
Usage: p0f [ ...options... ] [ 'filter rule' ]

Network interface options:
  -i iface  - listen on the specified network interface
  -r file   - read offline pcap data from a given file
  -p        - put the listening interface in promiscuous mode
  -L        - list all available interfaces

Operating mode and output settings:
  -f file   - read fingerprint database from 'file' (/etc/p0f/p0f.fp)
  -o file   - write information to the specified log file
  -s name   - answer to API queries at a named unix socket
  -u user   - switch to the specified unprivileged account and chroot
  -d        - fork into background (requires -o or -s)

Performance-related options:
  -S limit  - limit number of parallel API connections (20)
  -t c,h    - set connection / host cache age limits (30s,120m)
  -m c,h    - cap the number of active connections / hosts (1000,10000)

Optional filter expressions (man tcpdump) can be specified in the command
line to prevent p0f from looking at incidental network traffic.

Problems? You can reach the author at <[email protected]>.

# Listen on a network interface, then generate traffic to the host by hand (telnet, ping, etc.).
# For example, p0f -i eth0 listens on the interface; visiting 10.10.100.103 in a browser shows the following.
.-[ 10.10.100.110/52530 -> 10.10.100.103/80 (syn+ack) ]-
|
| server   = 10.10.100.103/80
| os       = ???            # no server OS information was obtained here
| dist     = 0
| params   = none
| raw_sig  = 4:128+0:0:1460:mss*44,0:mss,nop,ws,nop,nop,ts,nop,nop,sok:ts1-:0
|
`----

.-[ 10.10.100.110/52530 -> 10.10.100.103/80 (mtu) ]-
|
| server   = 10.10.100.103/80
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 10.10.100.110/52530 -> 10.10.100.103/80 (http request) ]-
|
| client   = 10.10.100.110/52530
| app      = Firefox 10.x or newer
| lang     = English
| params   = none
| raw_sig  = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml ,application/xml;q=0.9,image/webp,*/*;q=0.8], Accept-Language=[en-US,en;q=0.5], Accept-Encoding=[gzip, deflate],Connection=[keep-alive], Upgrade-Insecure-Requests=[1],?Cache-Control:Accept-Charset ,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
`----

.-[ 10.10.100.110/52530 -> 10.10.100.103/80 (http response) ]-
|
| server   = 10.10.100.103/80
| app      = Apache 2.x      # the server application
| lang     = none
| params   = none
| raw_sig  = 1:Date,Server,X-Powered-By=[PHP/5.4.45],Keep-Alive=[timeout=5, max=100],Connection=[Keep-Alive],Transfer-Encoding=[chunked],Content-Type:Accept-Ranges:Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|                            # the raw signature includes detailed version information
`----
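Even when p0f prints os = ???, the raw_sig line still carries the initial TTL, MSS, window size and TCP option order. The following parser is an added example (not part of the original post and not p0f's own code) that splits the TCP raw_sig into those fields; the initial-TTL-to-OS-family table in it is a rough heuristic I am assuming for illustration, not something p0f provides.

```python
"""Parse the TCP raw_sig p0f prints for a syn/syn+ack so a defender can still read the
initial TTL, MSS, window and option layout even when p0f reports os = ???.
p0f v3 field order: ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass"""
import re
from dataclasses import dataclass

# Sample input: the syn+ack signature p0f printed for 10.10.100.103 in the capture above.
SAMPLE_RAW_SIG = "4:128+0:0:1460:mss*44,0:mss,nop,ws,nop,nop,ts,nop,nop,sok:ts1-:0"

# Heuristic table of common initial TTLs (an assumption for illustration, not a p0f feature).
INITIAL_TTL_HINTS = {64: "Linux/BSD/macOS-like", 128: "Windows-like", 255: "Cisco/Solaris-like"}

@dataclass
class TcpSig:
    ip_version: int
    ittl: int          # initial TTL as estimated by p0f
    dist: int          # hop distance p0f derived from the observed TTL
    olen: int          # IPv4 options length
    mss: int
    wsize: str         # raw window expression, e.g. "mss*44"
    scale: int         # window scaling factor
    olayout: list      # TCP option order
    quirks: list       # anomalies p0f flagged, e.g. "ts1-"
    pclass: str        # payload class

def parse_tcp_sig(raw: str) -> TcpSig:
    parts = raw.strip().split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 colon-separated fields, got {len(parts)}")
    ver, ttl, olen, mss, win, olayout, quirks, pclass = parts
    m = re.fullmatch(r"(\d+)(?:\+(\d+))?-?", ttl)   # "128+0" -> ittl 128, dist 0
    if not m:
        raise ValueError(f"malformed ittl field: {ttl!r}")
    wsize, scale = win.split(",")
    return TcpSig(int(ver), int(m.group(1)), int(m.group(2) or 0), int(olen), int(mss),
                  wsize, int(scale), olayout.split(","),
                  [q for q in quirks.split(",") if q], pclass)

def window_in_bytes(sig: TcpSig):
    """Resolve a 'mss*N' or plain integer window; None for forms not handled here."""
    m = re.fullmatch(r"mss\*(\d+)", sig.wsize)
    if m:
        return sig.mss * int(m.group(1))
    return int(sig.wsize) if sig.wsize.isdigit() else None

def ttl_hint(sig: TcpSig) -> str:
    """Rough OS-family hint from the initial TTL; corroborate with nmap -O, never rely on it alone."""
    return INITIAL_TTL_HINTS.get(sig.ittl, "unknown")
```

For the signature above this yields an initial TTL of 128 at distance 0 and a 64240-byte window (44 × 1460), which is consistent with the Windows Server 2003 result nmap -O returned.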
Other information-gathering tools

1. recon-ng. It is an open-source framework written in Python that looks much like msf, and it is convenient for looking up subdomains. On the latest Kali the modules are not installed, so it cannot be used as-is when first opened, as shown in the figure below.

As you can see, there are no modules available to use; you need to run marketplace install all to install them. After installation it looks as follows.

Using a module: modules load <module name>
Searching for a module: modules search <module name>
Example: looking up Baidu subdomains (a complete workflow)
# Create a new workspace
recon-ng -w baidu
# Use the corresponding module; here the bing one is chosen, which can search
Load it with modules load <module name>; the Tab key can be used for completion here.
View the options and set them.
Run run (only part of the output is captured here).
The results found are stored in hosts; show hosts displays them.
At this point the domain names are known, but to display IP addresses as well you can load another module and feed it the results of the previous query: modules load recon/hosts-hosts/resolve
options set source query select host from hosts (this is equivalent to selecting the specified column from hosts to use as the source)
Run run to resolve the domain names.
Running show hosts also lets you view them.
You can also export the results; search for the export modules with modules search report
It is used the same way as the other modules, so the steps are omitted here and only the final result is shown.
For more modules, see the help documentation.