MSF魔鬼訓練營 - 3.2.2 Operating System Identification


Using operating-system information for social-engineering attacks.
For example, once the vendors and models of the target's network devices and servers have been identified, an attacker can pose as a technician from the relevant vendor and contact the system administrator by phone or e-mail to win their trust.
NMAP

Example: use -PU -sn to find live hosts, -O to identify the operating system, -sV to identify service versions, and -A to gather more detailed service and OS information.
msf > nmap -PU -sn 192.168.1.0/24
[*] exec: nmap -PU -sn 192.168.1.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:00 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 192.168.1.102
Host is up (0.0016s latency).
Nmap scan report for 192.168.1.104
Host is up (0.0034s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 36.16 seconds
msf > nmap -O 192.168.1.102
[*] exec: nmap -O 192.168.1.102


Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:01 CST
Nmap scan report for 192.168.1.102
Host is up (0.0017s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
msf > nmap -O 192.168.1.104
[*] exec: nmap -O 192.168.1.104


Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:01 CST
Nmap scan report for 192.168.1.104
Host is up (0.0025s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Device type: general purpose
Running: Microsoft Windows 8.1
OS CPE: cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 8.1 Enterprise
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.02 seconds
msf > nmap -O -sV 192.168.1.104
[*] exec: nmap -O -sV 192.168.1.104

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:14 CST
Nmap scan report for 192.168.1.104
Host is up (0.0024s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.40%E=4%D=9/8%OT=135%CT=1%CU=31933%PV=Y%DS=2%DC=I%G=Y%TM=59B297F
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=101%TI=I%CI=I%TS=7)SEQ(SP=FF
OS:%GCD=1%ISR=101%CI=I%TS=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT
OS:11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000
OS:%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=40%W=2000%O=M5B4NW8NNS%CC=N%Q=)T
OS:1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6
OS:(R=Y%DF=Y%T=40%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=16
OS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 2 hops
Service Info: Host: PC-20150927TDPG; OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.63 seconds
msf > nmap -O -sV -A 192.168.1.104
[*] exec: nmap -O -sV -A 192.168.1.104


Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:18 CST
Nmap scan report for 192.168.1.104
Host is up (0.0023s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 8.1
OS CPE: cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 8.1 Enterprise
Network Distance: 2 hops
Service Info: Host: PC-20150927TDPG; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -21m41s, deviation: 0s, median: -21m41s
|_nbstat: NetBIOS name: PC-20150927TDPG, NetBIOS user: <unknown>, NetBIOS MAC: 90:2b:34:e9:9b:ea (Giga-byte Technology)
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: PC-20150927TDPG
| NetBIOS computer name: PC-20150927TDPG\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2017-09-08T20:58:16+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 1.20 ms RT-AC54U.lan (192.168.3.1)
2 1.77 ms 192.168.1.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.54 seconds
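The scans above show why the -O result should never be taken alone: the TCP/IP-stack fingerprint reports "Windows 8.1 Enterprise" for 192.168.1.104, while the application-layer smb-os-discovery script in the -A run reports "Windows 7 Ultimate 7601 Service Pack 1". The following parser reads Nmap's normal-format output, collects open ports, the -O guess and the NSE script fields per host, and flags a host whose stack fingerprint disagrees with what SMB reports. It also surfaces the smb-security-mode signing state, since "message_signing: disabled" is the finding a defender reading this output would act on. This is an added example, not code from the original post, from Nmap or from Metasploit; the function names, the HostReport structure and the abridged sample (taken from the output above with Nmap's column spacing restored) are mine.

```python
"""Parse Nmap normal-format output and reconcile the -O stack fingerprint with the
application-layer OS evidence from -sV/-A (smb-os-discovery).
Added example; not part of the original post, Nmap or Metasploit."""
import re
from dataclasses import dataclass, field

# Constructed sample: abridged from the -O scan of 192.168.1.102 and the -A scan of
# 192.168.1.104 shown above, with Nmap's real column spacing restored.
SAMPLE = """\
Nmap scan report for 192.168.1.102
Host is up (0.0017s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http-alt
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop

Nmap scan report for 192.168.1.104
Host is up (0.0023s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 8.1
OS CPE: cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 8.1 Enterprise
Network Distance: 2 hops
Service Info: Host: PC-20150927TDPG; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -21m41s, deviation: 0s, median: -21m41s
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: PC-20150927TDPG
|_  System time: 2017-09-08T20:58:16+08:00
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_HDR_RE = re.compile(r"^[\w-]+:$")   # e.g. "smb-os-discovery:" opens a script block
WIN_VER_RE = re.compile(r"Windows (Server \d+|XP|Vista|\d+(?:\.\d+)?)")


@dataclass
class HostReport:
    address: str
    ports: list = field(default_factory=list)    # (port, proto, state, service, version)
    os_guess: str = ""                            # "OS details:" line from the -O fingerprint
    os_cpe: str = ""
    scripts: dict = field(default_factory=dict)   # NSE script name -> {field: value}


def parse_nmap(text: str) -> list:
    """Split normal-format output into one HostReport per 'Nmap scan report for' block."""
    hosts, cur, script = [], None, None
    for line in text.splitlines():
        m = re.match(r"^Nmap scan report for (\S+)", line)
        if m:
            cur, script = HostReport(address=m.group(1)), None
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:
            cur.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
        elif line.startswith("OS details: "):
            cur.os_guess = line[len("OS details: "):]
        elif line.startswith("OS CPE: "):
            cur.os_cpe = line[len("OS CPE: "):]
        elif line.startswith("|"):
            # NSE output: "| name:" opens a block, "|_" marks the block's last line.
            last = line.startswith("|_")
            body = line[2:].strip() if last else line[1:].strip()
            if SCRIPT_HDR_RE.match(body):
                script = body[:-1]
                cur.scripts[script] = {}
            elif ": " in body:
                key, value = body.split(": ", 1)
                if script is None:                # single-line script such as clock-skew
                    cur.scripts[key] = {"value": value}
                else:
                    cur.scripts[script][key] = value
            if last:
                script = None
    return hosts


def windows_version(desc: str) -> str:
    """Pull the Windows version token ("7", "8.1", "Server 2012") out of free text."""
    m = WIN_VER_RE.search(desc)
    return m.group(1) if m else ""


def reconcile(host: HostReport) -> dict:
    """Compare the -O guess with the SMB-reported OS; application-layer evidence wins."""
    smb = host.scripts.get("smb-os-discovery", {})
    sec = host.scripts.get("smb-security-mode", {})
    smb_os = smb.get("OS", "")
    result = {
        "address": host.address,
        "stack_guess": host.os_guess,
        "smb_reported": smb_os,
        "agree": None,                            # None when there is no SMB evidence
        "smb_signing": sec.get("message_signing", ""),
        "open_ports": [p[0] for p in host.ports],
    }
    if host.os_guess and smb_os:
        result["agree"] = windows_version(host.os_guess) == windows_version(smb_os)
    return result


if __name__ == "__main__":
    for h in parse_nmap(SAMPLE):
        r = reconcile(h)
        verdict = {True: "consistent", False: "CONFLICT", None: "no SMB evidence"}[r["agree"]]
        print(f"{r['address']}: -O says {r['stack_guess']!r}; SMB says {r['smb_reported']!r} -> {verdict}")
        if r["smb_signing"].startswith("disabled"):
            print(f"  note: SMB message signing {r['smb_signing']}")
```

Run on the sample, the Linux host yields "no SMB evidence" and 192.168.1.104 yields a conflict, which is the right reading of the output above: the -O guess comes from TCP/IP stack quirks shared across Windows releases, while smb-os-discovery repeats the build string the host itself advertises. The same parser accepts any normal-format report saved with -oN, so an asset inventory can be reconciled against it without re-running the scan.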

 

