I am so, so, so sorry!
I am the person in charge of this topic, but I got stuck on OpenVAS for a couple of days and this post was delayed. My apologies to everyone! 🤐
The other leads and group heads have already written very clear posts, so mine records some of my own takeaways, mostly up front; I hope those who are just starting will take a look. The hands-on part is mostly code blocks, for easy reference.
Lab overview
This lab is not difficult: it covers the most basic information-gathering skills and the use of common tools. The commands are all simple; just make sure you know what you are doing rather than typing commands blindly. In the hands-on part I have explained some of the operations as best I can and added a few detailed knowledge points.
Key points
General steps for using a Metasploit module
What is Metasploit?
Metasploit is an open-source vulnerability detection tool... Metasploit is a free, downloadable framework through which one can easily obtain, develop and launch attacks against computer software vulnerabilities... It ships with hundreds of professional-grade exploit tools for known software vulnerabilities.
The official site indexed by Baidu Baike is (http://www.metasploit.cn), which does not open directly; if you change the ".cn" suffix to ".com" it redirects to (https://www.metasploit.com), which does open and contains a detailed introduction to Metasploit. Metasploit also has a Windows version you can try.
Metasploit in this lab
We can simply think of Metasploit as a toolbox that standardises the "specification" of the various tools needed for computer system and network device security: whatever we need, we use.
This lab uses Metasploit heavily; the basic steps can be summarised as:
use [module name]
set [parameter]
...
set [parameter]
show options
run/exploit
This is easy to understand: choose which tool to use, set the parameters (for example RHOST, THREADS), review the tool's parameters, and start probing (run).
With this understanding, using Metasploit in this lab becomes intuitive.
Metasploit accepts several lines pasted at once: you can prepare a few lines of commands in advance and paste them in with ctrl+shift+c and ctrl+shift+v.
More detailed Metasploit usage
https://www.fujieace.com/metasploit/
The site above documents how to use the various Metasploit modules; I tested some of them during the lab. The posts are quite practical, so try them if you are interested.
OpenVAS installation tips
What is OpenVAS?
OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated testing, authenticated testing, various high level and low level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
The scanner is accompanied by a vulnerability tests feed with a long history and daily updates. This Greenbone Community Feed includes more than 50,000 vulnerability tests.
In short, OpenVAS (Open Vulnerability Assessment System) is an open vulnerability assessment system whose core component is a server that includes a set of network vulnerability tests and can detect security problems in remote systems and applications.
Glossary
| Name | Function |
|---|---|
| gvmd | the daemon shipped with GVM10 |
| openvasmd | the name of the daemon in GVM9 and earlier |
| openvassd | GVM's scanner process; it performs the vulnerability scan and reports the results back to the management module |
| OSPd | scanners talk to each other using the OSP protocol; OSPd is the communication process |
| GOS | Greenbone Operating System, the operating system of GSM appliances; a commercial version of the GVM framework with enterprise support |
| GSM | Greenbone Security Manager, one of Greenbone's product lines, usually delivered as an appliance or a virtual machine |
| GMP | Greenbone Management Protocol; as the name says, a management protocol that gvmd and openvasmd use to communicate with other modules over XML; formerly called OMP |
| OSP | Open Scanner Protocol, the protocol used for communication between various Greenbone products |
| GVM | Greenbone Vulnerability Manager, a framework of many services; as a commercial product it is also part of GSM; formerly simply called openvas |
| GVM9 | the GVM generation 9 release, also called OpenVAS9, used in the GOS 4 series |
| GVM10 | the GVM generation 10 release, used in the GOS 5 series |
| GSE | Greenbone Source Edition, the Greenbone application stack that underpins vulnerability scanning, vulnerability management, GVM and so on, used for third-party builds; for example, a Linux distribution that ships GVM builds it on GSE |
Author of the table above: LittleT1ger, from FreeBuf.COM
URL: https://www.freebuf.com/sectool/226016.html
Official reference documentation: https://readthedocs.org/projects/gvm-tools/downloads/pdf/latest/
How to install OpenVAS?
Installing OpenVAS took me a very long time, so let me tell you my final solution first:
Reinstall Kali
I hear quite a few friends have already done this, lol
Looking back at my installation, the biggest problem was probably insufficient disk space.
If you followed Kali's recommended disk size of 20G, after a few labs the disk may already be fairly full (unless, like me, your machine has 256G and you generously gave Kali 50G, in which case ignore this =。=); installing OpenVAS at that point will very likely give you an incomplete installation.
At this point some may ask: if it cannot be installed, why does the system let the installation start at all?
If you carefully understand what each install command in the teacher's guide does, you can guess part of the answer: besides OpenVAS itself, a lot of data has to be installed; if the environment the software needs is incomplete, the software, although downloaded, will never run.
I put this up front in the hope that nobody repeats my mistakes. The following suggestions may not be entirely right, but it is good to keep them in mind.
- First check the disk with "df -lh"; it is best to leave about 2G free. My freshly installed VM took 1.1G. If something is missing during the update there will be a message, but the command-line output is long and you may not notice it.
- "apt-get update" and "apt-get dist-upgrade" are like "update the system"; never swap the order of these two with "apt-get install openvas" and the later "openvas-check-setup".
- Remember to use the VM snapshot feature (I can't be the last one to start using it, sob). If you find you have done something wrong, you can go back at any time; compared with reinstalling the system, a little disk space is a small price.
- If your installation has no problems, it will go smoothly! If you run into strange problems that you cannot even find online, I sincerely suggest turning back: you can research a bit, and solving it is better, but do not persist obstinately =。=
Lab steps
Applying various search techniques
The dir_scanner auxiliary module for web directory structure scanning provided by Metasploit
dir_scanner is an auxiliary module in Metasploit; after the parameters are set, use the exploit or run command to launch it.
Parameter settings before launching:
THREADS: the number of threads used; the larger the value the more aggressive the scan, and the smaller the value the less likely it is to be noticed
RHOSTS: the target URL or IP address (the http:// prefix and any specific path around the URL or IP)
Taking my own blog as an example, the commands are:
use auxiliary/scanner/http/dir_scanner
set rhosts https://www.cnblogs.com/PeterDon-WorkHardPlayHard/
set threads 30
exploit
Result:
msf5 auxiliary(scanner/http/dir_scanner) > exploit
[*] Detecting error code
[*] Detecting error code
[*] Detecting error code
[*] Using code '502' as not found for 101.37.113.127
[*] Using code '502' as not found for 114.55.187.58
[*] Using code '502' as not found for 114.55.205.139
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/dir_scanner) > traceroute www.cnblogs.com
[*] exec: traceroute www.cnblogs.com
The IP route tracing tool traceroute
Everyone is familiar with this one.
Command:
traceroute www.cnblogs.com
Result:
traceroute to www.cnblogs.com (114.55.205.139), 30 hops max, 60 byte packets
1 _gateway (192.168.233.2) 0.349 ms 0.271 ms 0.224 ms
2 * * *
3 * * *
4 * * *
5 * * *
Searching for specific file types
The teacher covered this in class; you can use Baidu directly, and the graphical interface lets you adjust some parameters.
Command:
site:edu.cn filetype:xls
Querying DNS and IP registration information (using www.baidu.com as the example)
whois, nslookup and dig are used in basically the same way.
whois
Enter directly in the Metasploit terminal:
whois [target site]
Through whois we can find the so-called "3R" information; I will not elaborate here.
The appendix contains the command-line result of my lookup of Baidu.
nslookup
msf5 auxiliary(scanner/http/dir_scanner) > nslookup baidu.com
[*] exec: nslookup baidu.com
Server: 192.168.233.2
Address: 192.168.233.2#53
Non-authoritative answer:
Name: baidu.com
Address: 39.156.69.79
Name: baidu.com
Address: 220.181.38.148
dig
msf5 auxiliary(scanner/http/dir_scanner) > dig baidu.com
[*] exec: dig baidu.com
; <<>> DiG 9.11.5-P1-1-Debian <<>> baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12558
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;baidu.com. IN A
;; ANSWER SECTION:
baidu.com. 5 IN A 39.156.69.79
baidu.com. 5 IN A 220.181.38.148
;; AUTHORITY SECTION:
baidu.com. 5 IN NS ns4.baidu.com.
baidu.com. 5 IN NS ns1.baidu.com.
baidu.com. 5 IN NS ns2.baidu.com.
baidu.com. 5 IN NS ns7.baidu.com.
baidu.com. 5 IN NS ns3.baidu.com.
;; ADDITIONAL SECTION:
ns2.baidu.com. 5 IN A 220.181.33.31
ns3.baidu.com. 5 IN A 112.80.248.64
ns4.baidu.com. 5 IN A 14.215.178.80
ns1.baidu.com. 5 IN A 202.108.22.220
ns7.baidu.com. 5 IN A 180.76.76.92
;; Query time: 10 msec
;; SERVER: 192.168.233.2#53(192.168.233.2)
;; WHEN: 二 4月 21 09:24:30 CST 2020
;; MSG SIZE rcvd: 229
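The dig output above is the easiest of the three to process automatically. The following is an added example (not from the original post) that parses a constructed copy of that output into records and checks that every name server listed in AUTHORITY also has glue in ADDITIONAL.

```python
# Added example (not from the original post): parse the dig output captured
# above into records and check that every NS in AUTHORITY has glue in ADDITIONAL.
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rrtype data")

# Constructed sample: the `dig baidu.com` output shown in this post, abridged.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;baidu.com. IN A
;; ANSWER SECTION:
baidu.com. 5 IN A 39.156.69.79
baidu.com. 5 IN A 220.181.38.148
;; AUTHORITY SECTION:
baidu.com. 5 IN NS ns4.baidu.com.
baidu.com. 5 IN NS ns1.baidu.com.
baidu.com. 5 IN NS ns2.baidu.com.
baidu.com. 5 IN NS ns7.baidu.com.
baidu.com. 5 IN NS ns3.baidu.com.
;; ADDITIONAL SECTION:
ns2.baidu.com. 5 IN A 220.181.33.31
ns3.baidu.com. 5 IN A 112.80.248.64
ns4.baidu.com. 5 IN A 14.215.178.80
ns1.baidu.com. 5 IN A 202.108.22.220
ns7.baidu.com. 5 IN A 180.76.76.92
;; Query time: 10 msec
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
# name  ttl  IN  type  rdata   (whitespace-separated, as dig prints it)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Return {section: [Record, ...]} for every ';; ... SECTION:' in the output."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        # ';'-prefixed lines are dig comments or the question itself
        if current is None or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, rrtype, data = m.groups()
            sections[current].append(Record(name, int(ttl), rrtype, data.strip()))
    return sections


def a_records(sections):
    """Sorted A records from the ANSWER section."""
    return sorted(r.data for r in sections.get("ANSWER", []) if r.rrtype == "A")


def name_servers(sections):
    """Sorted NS names from the AUTHORITY section."""
    return sorted(r.data for r in sections.get("AUTHORITY", []) if r.rrtype == "NS")


def missing_glue(sections):
    """NS names whose A record is absent from ADDITIONAL (resolver must look them up)."""
    glue = {r.name for r in sections.get("ADDITIONAL", []) if r.rrtype == "A"}
    return sorted(ns for ns in name_servers(sections) if ns not in glue)


if __name__ == "__main__":
    s = parse_dig(SAMPLE_DIG)
    print("A:", a_records(s))
    print("NS:", name_servers(s))
    print("missing glue:", missing_glue(s))
```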
IP-address
You can also use the IP-address website: just search for the IP found with the methods above.
Basic scanning techniques (targeting my own host)
Host discovery
When doing this part you can start another VM to make probing easier, but pay attention to the VM's network settings; you can check the network status with ip add and ping.
ping
Everyone is very familiar with this one; it can be done from Windows.
win+R
cmd
ping www.baidu.com
The ping command detects live hosts by sending ICMP packets.
nmap
Kali actually comes with nmap (I often slip and type namp, then get a command-not-found error =。=)
root@kali-2-20174306:~# nmap -sn 192.168.124.121
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-22 00:32 CST
Nmap scan report for 192.168.124.121
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
metasploit
Located under modules/auxiliary/scanner/discovery; the main ones are:
- arp_sweep
- ipv6_multicast_ping
- ipv6_neighbor
- ipv6_neighbor_router_advertisement
- udp_probe
- udp_sweep
arp_sweep obviously uses ARP to find live hosts on the local LAN. I will not repeat the general approach to Metasploit modules here; the other modules are used in basically the same way, and you can run show options first to see which parameters there are.
Commands:
use auxiliary/scanner/discovery/arp_sweep
show options
set RHOSTS 192.168.233.135/24
set THREADS 30
exploit
Result:
msf5 auxiliary(scanner/discovery/arp_sweep) > exploit
[+] 192.168.233.1 appears to be up (VMware, Inc.).
[+] 192.168.233.2 appears to be up (VMware, Inc.).
[+] 192.168.233.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Port scanning
Metasploit's auxiliary/scanner/portscan/tcp
Commands:
use auxiliary/scanner/portscan/tcp
show options
set RHOSTS 192.168.233.135/24
set THREADS 30
exploit
This produces a very long report and may take some time; here is part of it:
msf5 auxiliary(scanner/portscan/tcp) > exploit
[+] 192.168.233.1: - 192.168.233.1:7 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:9 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:13 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:19 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:17 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:135 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:139 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:443 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:445 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:902 - TCP OPEN
[+] 192.168.233.1: - 192.168.233.1:912 - TCP OPEN
...
nmap
nmap can probe for open TCP services
Command:
nmap -sS [IP]
To probe the local Windows host, you need to turn off the firewall and protection software.
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-22 00:44 CST
Nmap scan report for 192.168.43.1
Host is up (0.00011s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1688/tcp open nsjtp-data
Detailed nmap reference: https://www.cnblogs.com/LyShark/p/10637507.html
| Option | Function |
|---|---|
| -sS/sT/sA/sW/sM | TCP port scans; -sS is the TCP SYN scan (the others are the connect, ACK, window and Maimon variants) |
| -sU | UDP scan, to determine the state of the target host's UDP ports |
| -sN/sF/sX | TCP Null, FIN and Xmas stealth scans, to help probe the target's TCP port states |
| -sO | IP protocol scan, to determine which protocols the target supports |
OS and service version detection
Command:
nmap -sV [IP]
Result on my host:
msf5 > nmap -sV 192.168.43.1
[*] exec: nmap -sV 192.168.43.1
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-21 16:45 CST
Nmap scan report for 192.168.43.1
Host is up (0.00051s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
7/tcp open echo
9/tcp open discard?
13/tcp open daytime
17/tcp open qotd Windows qotd (English)
19/tcp open chargen
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/https
445/tcp open microsoft-ds?
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1688/tcp open msrpc Microsoft Windows RPC
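As an added example (not from the original post), the script below parses a constructed copy of the nmap -sV report above and groups the open ports into review buckets; the port categories are this example's own choice and not nmap output.

```python
# Added example (not from the original post): parse an `nmap -sV` report and
# sort the open ports into buckets a defender would review first.
import re

# Constructed sample: the scan of 192.168.43.1 shown in this post.
SAMPLE_NMAP = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-21 16:45 CST
Nmap scan report for 192.168.43.1
Host is up (0.00051s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
7/tcp open echo
9/tcp open discard?
13/tcp open daytime
17/tcp open qotd Windows qotd (English)
19/tcp open chargen
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/https
445/tcp open microsoft-ds?
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1688/tcp open msrpc Microsoft Windows RPC
"""

# port/proto  state  service  [version text]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Hypothetical review policy for this example: listening ports that a host
# firewall would normally keep off an untrusted network.
LEGACY_SIMPLE_TCP = {7, 9, 13, 17, 19}   # echo/discard/daytime/qotd/chargen
WINDOWS_INTERNAL = {135, 139, 445}       # RPC endpoint mapper, NetBIOS, SMB


def parse_nmap(text):
    """Return one dict per port line of a normal nmap report."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue  # banner, 'Host is up', 'Not shown', header line ...
        port, proto, state, service, version = m.groups()
        ports.append({
            "port": int(port), "proto": proto, "state": state,
            # nmap appends '?' when the service name came from its port table
            # and the version probes could not confirm it
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),
            "version": version.strip(),
        })
    return ports


def exposure_report(ports):
    """Group open TCP ports into review buckets (lists of port numbers)."""
    report = {"legacy": [], "windows_internal": [], "unversioned": [], "other": []}
    for p in ports:
        if p["state"] != "open" or p["proto"] != "tcp":
            continue
        if p["port"] in LEGACY_SIMPLE_TCP:
            report["legacy"].append(p["port"])
        elif p["port"] in WINDOWS_INTERNAL:
            report["windows_internal"].append(p["port"])
        else:
            report["other"].append(p["port"])
        # services with no confirmed version need a manual look
        if p["guessed"] or not p["version"]:
            report["unversioned"].append(p["port"])
    return report


if __name__ == "__main__":
    for bucket, plist in exposure_report(parse_nmap(SAMPLE_NMAP)).items():
        print(f"{bucket:17s} {plist}")
```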
An example analysis:
Remote Procedure Call (RPC) is a protocol used by Windows that provides inter-process communication and allows a program to run arbitrary programs on a remote machine.
NetBIOS, i.e. Network Basic Input Output System, is an application programming interface (API).
Enumerating specific services
The services here are services running on the host; the steps are basically the same.
telnet
=。= I used telnet when learning Java in my second year; the telnet on Win10 is actually a stripped-down version, and the "tel" in telnet already shows how old it is.
use auxiliary/scanner/telnet/telnet_version
set RHOSTS 192.168.43.1
set THREADS 30
run
msf5 auxiliary(scanner/telnet/telnet_version) > run
[-] 192.168.43.1:23 - A network issue has occurred: The connection was refused by the remote host (192.168.43.1:23).
[*] 192.168.43.1:23 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
SSH
SSH is short for Secure Shell... SSH is a security protocol built on the application layer. SSH is a fairly reliable protocol designed to provide security for remote login sessions and other network services.
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.43.1
set THREADS 30
run
msf5 auxiliary(scanner/ssh/ssh_version) > run
[*] 192.168.43.1:22 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Oracle database service enumeration
use auxiliary/scanner/oracle/tnslsnr_version
set RHOSTS 192.168.43.1
set THREADS 30
run
msf5 auxiliary(scanner/oracle/tnslsnr_version) > run
[*] 192.168.43.1:1521 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Open proxy detection
An open proxy is a proxy server that can be reached by any Internet user.
use auxiliary/scanner/http/open_proxy
set RHOSTS 192.168.43.1
run
msf5 auxiliary(scanner/http/open_proxy) > run
[*] Scanned 1 of 1 hosts (100% complete)
Vulnerability scanning (targeting my own host)
Installing OpenVAS
Here I remind everyone again of the suggestions above:
install early, disk size, keep the order, VM snapshots, turn back before it is too late
I suggest reading the teacher's guide: https://gitee.com/wildlinux/NetSec/blob/master/ExpGuides/0x52_漏洞掃描-OpenVAS.md
Actually, if the steps are done correctly, installing OpenVAS only costs time: you can run the setup before going to bed, and in the morning see "It seems like your OpenVAS-9 installation is OK." and happily start the lab.
The command-line output of a successful OpenVAS installation is in the appendix, so you can check at which step your error is stuck.
Here I paste the teacher's guide; the specific method is as follows:
(1) Update the package list.
# apt-get update
After running the above command, the latest package list is fetched.
(2) Fetch the latest packages.
# apt-get dist-upgrade
After running the above command, packages with updates are downloaded and installed.
(3) Reinstall the OpenVAS tool.
# apt-get install openvas
Once that is done, OpenVAS itself is basically sorted, but! it is not over yet
Run the check
openvas-check-setup
Act on the errors it reports; here is an example
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.3.
OK: redis-server is present in version v=5.0.7.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
OK: redis-server is running and listening on socket: /var/run/redis-openvas/redis-server.sock.
OK: redis-server configuration is OK and redis-server is running.
ERROR: The NVT collection is very small.
FIX: Run a synchronization script like greenbone-nvt-sync.
We can focus directly on ERROR and FIX; usually the last sentence of FIX is the solution, and here the solution is
greenbone-nvt-sync
This step may take quite a long time; I suggest running it while you sleep
Example 2:
ERROR: No users found. You need to create at least one user to log in.
It is recommended to have at least one user with role Admin.
FIX: create a user by running 'openvasmd --create-user=<name> --role=Admin && openvasmd --user=<name> --new-password=<password>'
The solution here is to create a user
openvasmd --create-user=<name> --role=Admin && openvasmd --user=<name> --new-password=<password>
The following are the "turn back now" kind of errors:
It is not that there is no solution, only that reinstalling is more direct by comparison, because when you hit these problems it means there will probably be more problems later.
ERROR: No OpenVAS Scanner (openvassd) found.
/usr/bin/openvas-check-setup: 142: cannot create /tmp/openvas-check-setup.log: Permission denied
FIX: Please install OpenVAS Scanner.
/usr/bin/openvas-check-setup: 142: cannot create /tmp/openvas-check-setup.log: Permission denied
Translation: no permission to create the file, even as root, and chmod does not help either; there is basically no solution for this error online
ERROR: redis-server is not running or not listening on socket: /var/run/redis/redis-server.sock
FIX: You should start the redis-server or configure it to listen on socket: /var/run/redis/redis-server.sock
Translation: the redis socket has a problem. Is there a solution? Yes! A very detailed one, but it is not guaranteed to work.
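Reading the ERROR/FIX pairs out of a long openvas-check-setup log by eye is exactly where things get missed, so here is an added example (not from the original post) that extracts them per step from a constructed sample assembled from the check output quoted above.

```python
# Added example (not from the original post): pull the ERROR/FIX and
# WARNING/SUGGEST pairs out of openvas-check-setup output so that the
# suggested fix for each step is listed instead of being buried in the log.
import re

# Constructed sample assembled from the check output quoted in this post.
SAMPLE_CHECK = """\
openvas-check-setup 2.3.7
Test completeness and readiness of OpenVAS-9
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.3.
OK: redis-server is present in version v=5.0.7.
ERROR: The NVT collection is very small.
FIX: Run a synchronization script like greenbone-nvt-sync.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 7.0.3.
ERROR: No users found. You need to create at least one user to log in.
It is recommended to have at least one user with role Admin.
FIX: create a user by running 'openvasmd --create-user=<name> --role=Admin && openvasmd --user=<name> --new-password=<password>'
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
"""

STEP_RE = re.compile(r"^Step (\d+): (.*?)\s*\.\.\.\s*$")
TAG_RE = re.compile(r"^(OK|ERROR|FIX|WARNING|SUGGEST|SKIP): ?(.*)$")


def parse_check_setup(text):
    """Return [{'step', 'title', 'problems': [{'level', 'message', 'fix'}]}]."""
    steps = []
    last = None  # problem currently being read, for untagged continuation lines
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append({"step": int(m.group(1)), "title": m.group(2), "problems": []})
            last = None
            continue
        m = TAG_RE.match(line)
        if not m:
            # an untagged line continues the ERROR/WARNING text until its FIX arrives
            if last is not None and not last["fix"]:
                last["message"] += " " + line.strip()
            continue
        if not steps:  # tagged line before any 'Step N:' header
            steps.append({"step": 0, "title": "preamble", "problems": []})
        tag, msg = m.groups()
        if tag in ("ERROR", "WARNING"):
            last = {"level": tag, "message": msg.strip(), "fix": ""}
            steps[-1]["problems"].append(last)
        elif tag in ("FIX", "SUGGEST") and last is not None:
            last["fix"] = msg.strip()
        else:
            last = None
    return steps


def blocking_errors(steps):
    """(step, message, fix) for every ERROR; these stop OpenVAS from working."""
    return [(s["step"], p["message"], p["fix"])
            for s in steps for p in s["problems"] if p["level"] == "ERROR"]


def suggested_commands(steps):
    """The command named by each FIX: quoted '...' text, or the word after 'like'."""
    cmds = []
    for _, _, fix in blocking_errors(steps):
        q = re.search(r"'([^']+)'", fix)
        if q:
            cmds.append(q.group(1))
            continue
        m = re.search(r"like (\S+?)\.?$", fix)
        if m:
            cmds.append(m.group(1))
    return cmds


if __name__ == "__main__":
    for step, msg, fix in blocking_errors(parse_check_setup(SAMPLE_CHECK)):
        print(f"step {step}: {msg}\n    fix: {fix}")
```

Feed it the real log with `parse_check_setup(open("/tmp/openvas-check-setup.log").read())`; the `<name>` and `<password>` in the extracted command are placeholders from the FIX text itself.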
Using OpenVAS
If you have made it this far, congratulations, the lab is nearly over
Start OpenVAS:
openvas-start
Once it has started successfully, open the home page directly: https://127.0.0.1:9392
The browser may block this page; do not panic and do not click around randomly, we can work it out.
If you have forgotten which username and password you typed earlier, go back to the command line and add another user
openvasmd --user=admin --new-password=admin
After logging in, click in this order:
- Tasks, in the Scans column under the green icon
- the small purple magic wand below Dashboard
- enter the local IP
- start the scan
- when the scan finishes, click the task, then Full and fast, to see the detailed vulnerability report.
The scan takes some time; I suggest turning off the Windows firewall and protection software, and not clicking around during the scan, which may cause errors.
Viewing vulnerabilities and follow-up
Here I looked at two vulnerabilities: one from Huawei and the FTP one that other classmates also tried; you can choose your own.
24 huawei-sa-20180425-02-buffer
Click the families in Full and fast to see the vulnerabilities of each family; below is the Huawei vulnerability family:
For 24 huawei-sa-20180425-02-buffer specifically, I checked Huawei's official site and found this advisory (https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20180425-02-buffer-cn)
It reads:
Some Huawei products have an illegal memory access vulnerability. An unauthenticated attacker would have to send malformed SCCP messages to the affected product in a specific way. Because some fields in the message are not validated, successful exploitation can cause a buffer error and abnormal behaviour of some services. (Vulnerability ID: HWPSIRT-2017-11055)
The CVE ID of this vulnerability is: CVE-2017-17314.
Huawei has released versions that fix this vulnerability.
So to resolve this vulnerability, update to the fixed version in time.
FTP
Here I looked at two vulnerabilities, both with high scores.
The first can be resolved by updating.
The second surprisingly has no solution yet
Follow-up questions
Which organisations are responsible for managing DNS and IP addresses?
The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for managing the global domain name root servers, DNS and IP addresses.
ICANN is a non-profit organisation set up to take on domain name system management, IP address allocation, protocol parameter configuration and root server system management.
It set up three supporting organisations: the Address Supporting Organization (ASO) manages the IP address system; the Domain Name Supporting Organization (DNSO) manages the Domain Name System (DNS) on the Internet; the Protocol Supporting Organization (PSO) handles the assignment of unique parameters for Internet protocols.
What is 3R information?
- Registrant
- Registrar
- Registry
This information can be viewed with the whois command
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-09T04:30:46Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2026-10-11T11:05:17Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
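The 3R fields are scattered through a whois record, and the same record also tells a defender whether the domain is locked against transfer. The script below is an added example (not from the original post) that extracts both from a constructed, abridged copy of the whois baidu.com output in the appendix.

```python
# Added example (not from the original post): pull the "3R" fields, the EPP
# lock status and the time to expiry out of a whois record.
import re
from datetime import datetime, timezone

# Constructed sample: abridged from the `whois baidu.com` output in the appendix.
SAMPLE_WHOIS = """\
Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-08T20:59:33-0700
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant Country: CN
Registrant Email: Select Request Email Form at https://domains.markmonitor.com/whois/baidu.com
Name Server: ns3.baidu.com
Name Server: ns4.baidu.com
Name Server: ns1.baidu.com
DNSSEC: unsigned
>>> Last update of WHOIS database: 2020-04-20T18:16:17-0700 <<<
"""


def parse_whois(text):
    """Key/value parse; repeated keys (Domain Status, Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(">>>"):
            continue
        key, value = line.split(":", 1)  # values may themselves contain ':'
        key, value = key.strip(), value.strip()
        if key in ("Domain Status", "Name Server"):
            fields.setdefault(key, []).append(value.split()[0])  # drop the EPP URL
        elif key not in fields:
            fields[key] = value
    return fields


def three_r(fields):
    """Registrant / Registrar / Registry, the lab's 3R summary."""
    registry_id = fields.get("Registry Domain ID", "")
    return {
        "registrant": fields.get("Registrant Organization", "(redacted)"),
        "registrar": fields.get("Registrar", ""),
        "registrar_iana_id": fields.get("Registrar IANA ID", ""),
        # the registry is not named outright; the suffix of the Registry Domain
        # ID identifies it (VRSN = VeriSign, the .com registry)
        "registry_hint": registry_id.rsplit("-", 1)[-1] if registry_id else "",
    }


def hijack_locks(fields):
    """Which of the client-side EPP locks expected on an important domain are set."""
    wanted = {"clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited"}
    have = set(fields.get("Domain Status", []))
    return {"present": sorted(wanted & have), "missing": sorted(wanted - have)}


def days_until_expiry(fields, today=None):
    """Days until the registrar's expiration date (negative once it has passed)."""
    raw = fields["Registrar Registration Expiration Date"]
    exp = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S%z")
    today = today or datetime.now(timezone.utc)
    return (exp - today).days


if __name__ == "__main__":
    f = parse_whois(SAMPLE_WHOIS)
    print(three_r(f))
    print(hijack_locks(f))
    print("days until expiry:", days_until_expiry(f))
```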
Evaluate the accuracy of the scan results.
I think they are fairly accurate; the software we use is all the latest, and the site also shows real-time vulnerability reports and similar content.
Supplementary lab content
whois baidu.com
msf5 auxiliary(scanner/http/dir_scanner) > whois baidu.com
[*] exec: whois baidu.com
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-09T04:30:46Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2026-10-11T11:05:17Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.BAIDU.COM
Name Server: NS2.BAIDU.COM
Name Server: NS3.BAIDU.COM
Name Server: NS4.BAIDU.COM
Name Server: NS7.BAIDU.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-04-21T01:16:01Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-08T20:59:33-0700
Creation Date: 1999-10-11T04:05:17-0700
Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895770
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Registrant State/Province: Beijing
Registrant Country: CN
Registrant Email: Select Request Email Form at https://domains.markmonitor.com/whois/baidu.com
Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Admin State/Province: Beijing
Admin Country: CN
Admin Email: Select Request Email Form at https://domains.markmonitor.com/whois/baidu.com
Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
Tech State/Province: Beijing
Tech Country: CN
Tech Email: Select Request Email Form at https://domains.markmonitor.com/whois/baidu.com
Name Server: ns3.baidu.com
Name Server: ns4.baidu.com
Name Server: ns7.baidu.com
Name Server: ns1.baidu.com
Name Server: ns2.baidu.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2020-04-20T18:16:17-0700 <<<
For more information on WHOIS status codes, please visit:
https://www.icann.org/resources/pages/epp-status-codes
If you wish to contact this domain’s Registrant, Administrative, or Technical
contact, and such email address is not visible above, you may do so via our web
form, pursuant to ICANN’s Temporary Specification. To verify that you are not a
robot, please enter your email address to receive a link to a page that
facilitates email communication with the relevant contact(s).
Web-based WHOIS:
https://domains.markmonitor.com/whois
If you have a legitimate interest in viewing the non-public WHOIS details, send
your request and the reasons for your request to whoisrequest@markmonitor.com
and specify the domain name in the subject line. We will review that request and
may ask for supporting documentation and explanation.
Successful OpenVAS installation
root@kali-2-20174306:~# openvas-check-setup
openvas-check-setup 2.3.7
Test completeness and readiness of OpenVAS-9
(add '--v6' or '--v7' or '--v8'
if you want to check for another OpenVAS version)
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.3.
OK: redis-server is present in version v=5.0.7.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
OK: redis-server is running and listening on socket: /var/run/redis-openvas/redis-server.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /var/lib/openvas/plugins contains 58924 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
WARNING: The initial NVT cache has not yet been generated.
SUGGEST: Start OpenVAS Scanner for the first time to generate the cache.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 7.0.3.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 184.
OK: OpenVAS Manager expects database at revision 184.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 58924 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 7.0.3.
OK: Your OpenVAS certificate infrastructure passed validation.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.4.5.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on a Unix domain socket.
WARNING: OpenVAS Manager is running and listening only on the local interface.
This means that you will not be able to access the OpenVAS Manager from the
outside using GSD or OpenVAS CLI.
SUGGEST: Ensure that OpenVAS Manager listens on all interfaces unless you want
a local service only.
OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation ...
WARNING: Your version of nmap is not fully supported: 7.70
SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
WARNING: Could not find rpm binary, LSC credential package generation for RPM and DEB based targets will not work.
SUGGEST: Install rpm.
WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
SUGGEST: Install nsis.
It seems like your OpenVAS-9 installation is OK.
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
Metasploit port scanning
Source: https://www.fujieace.com/metasploit/port-scanning-2.html
Nmap and db_nmap
Run Nmap with the options you would normally use from the command line. If we want the scan saved to our database, we omit the output flag and use db_nmap.
msf5 > db_nmap -v -sV 192.168.233.255 -oA subnet_2
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-21 08:10 CST
[*] Nmap: NSE: Loaded 43 scripts for scanning.
[*] Nmap: Initiating ARP Ping Scan at 08:10
[*] Nmap: Scanning 192.168.233.255 [1 port]
[*] Nmap: Completed ARP Ping Scan at 08:10, 0.47s elapsed (1 total hosts)
[*] Nmap: Nmap scan report for 192.168.233.255 [host down]
[*] Nmap: Read data files from: /usr/bin/../share/nmap
[*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
[*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 0.94 seconds
[*] Nmap: Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
Metasploit vulnerability scanning
By default, all scanner modules set THREADS to '1'. THREADS sets the number of concurrent threads used while scanning. Set it to a higher value to speed up scans, or lower it to reduce network traffic, but be sure to follow these guidelines:
- keep THREADS below 16 on native Win32 systems
- when running MSF under Cygwin, keep THREADS below 200
- on Unix-like operating systems, THREADS can be set to 256.
SMB login check
Scanning for access with smb_login
A common situation is having a valid username/password combination and wanting to know where you can use it. This is where the SMB Login Check scanner is very useful: it connects to a range of hosts and determines whether the username/password combination can access the target.
https://www.fujieace.com/metasploit/smb-login-check.html
VNC authentication
The VNC None Auth scanner is an auxiliary module for Metasploit.
msf5 auxiliary(scanner/smb/smb_login) > use auxiliary/scanner/vnc/vnc_none_auth
msf5 auxiliary(scanner/vnc/vnc_none_auth) > show options
Module options (auxiliary/scanner/vnc/vnc_none_auth):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 5900 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 192.168.233.255/24
RHOSTS => 192.168.233.255/24
msf5 auxiliary(scanner/vnc/vnc_none_auth) > set THREADS 50
THREADS => 50
msf5 auxiliary(scanner/vnc/vnc_none_auth) > run
[*] 192.168.233.255/24:5900 - Scanned 46 of 256 hosts (17% complete)
[*] 192.168.233.255/24:5900 - Scanned 53 of 256 hosts (20% complete)
[*] 192.168.233.255/24:5900 - Scanned 99 of 256 hosts (38% complete)
[*] 192.168.233.255/24:5900 - Scanned 103 of 256 hosts (40% complete)
[*] 192.168.233.255/24:5900 - Scanned 130 of 256 hosts (50% complete)
[*] 192.168.233.255/24:5900 - Scanned 168 of 256 hosts (65% complete)
[*] 192.168.233.255/24:5900 - Scanned 184 of 256 hosts (71% complete)
[*] 192.168.233.255/24:5900 - Scanned 206 of 256 hosts (80% complete)
[*] 192.168.233.255/24:5900 - Scanned 232 of 256 hosts (90% complete)
[*] 192.168.233.255/24:5900 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed