20160617 Information Gathering Phase
[Assignment] Using the output of the dnsenum/dnsmap/dig commands together with traceroute, draw a DMZ network map of the target system. (10 minutes)
-> Pick one small commercial site.
-> Use traceroute (or VisualRoute) to draw the DMZ network map of the target system.
-> !!!! Do this by hand. !!!!
[Note] Tools that draw a network topology
(used) SolarWinds
[Lab 3] theharvester CMD
■ theHarvester overview
theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual
hosts, open ports/ banners, and employee names from different public sources
(search engines, pgp key servers).
It is a really simple tool, but very effective for the early stages of a penetration
test, or just to know the visibility of your company on the Internet.
■ Source code download
● https://github.com/laramies/theHarvester
[Lab] Using the theharvester command
(KaliLinux)
# theharvester
*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.6 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************
Usage: theharvester options
-d: Domain to search or company name
-b: data source: google, googleCSE, bing, bingapi, pgp
linkedin, google-profiles, people123, jigsaw,
twitter, googleplus, all
-s: Start in result number X (default: 0)
-v: Verify host name via dns resolution and search for virtual hosts
-f: Save the results into an HTML and XML file
-n: Perform a DNS reverse query on all ranges discovered
-c: Perform a DNS brute force for the domain name
-t: Perform a DNS TLD expansion discovery
-e: Use this DNS server
-l: Limit the number of results to work with (bing goes from 50 to 50 results,
google 100 to 100, and pgp doesn't use this option)
-h: use SHODAN database to query discovered hosts
Examples:
theharvester -d microsoft.com -l 500 -b google
theharvester -d microsoft.com -b pgp
theharvester -d microsoft -l 200 -b linkedin
theharvester -d apple.com -b googleCSE -l 500 -s 300
[Note] Values for -b <data source>
------------------------------------------------------------------------------
-google: google search engine - www.google.com
-googleCSE: google custom search engine
-google-profiles: google search engine, specific search for Google profiles
-bing: microsoft search engine - www.bing.com
-bingapi: microsoft search engine, through the API (you need to add your Key in
the discovery/bingsearch.py file)
-pgp: pgp key server - pgp.rediris.es
-linkedin: google search engine, specific search for Linkedin users
-vhost: Bing virtual hosts search
-twitter: twitter accounts related to an specific domain (uses google search)
-googleplus: users that works in target company (uses google search)
-yahoo: Yahoo search engine
-baidu: Baidu search engine
-shodan: Shodan Computer search engine, will search for ports and banner of the
discovered hosts (http://www.shodanhq.com/)
------------------------------------------------------------------------------
# theharvester -d soldesk.com -l 500 -b google
[-] Searching in Google:
Searching 0 results...
Searching 100 results...
Searching 200 results...
Searching 300 results...
Searching 400 results...
Searching 500 results...
[+] Emails found:
------------------
test@soldesk.com
jclee@soldesk.com
webmaster@soldesk.com
designer@soldesk.com
hrd@soldesk.com
msms@soldesk.com
jdkal@soldesk.com
@sun.soldesk.com
kim10322@soldesk.com
[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
183.111.174.9:www.soldesk.com
183.111.174.9:sun.soldesk.com
183.111.174.9:w.soldesk.com
# theharvester -d soldesk.com -l 500 -b all
Full harvest..
[-] Searching in Google..
Searching 0 results...
Searching 100 results...
Searching 200 results...
Searching 300 results...
Searching 400 results...
Searching 500 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
Searching 50 results...
Searching 100 results...
Searching 150 results...
Searching 200 results...
Searching 250 results...
Searching 300 results...
Searching 350 results...
Searching 400 results...
Searching 450 results...
Searching 500 results...
[-] Searching in Exalead..
Searching 50 results...
Searching 100 results...
Searching 150 results...
Searching 200 results...
Searching 250 results...
Searching 300 results...
Searching 350 results...
Searching 400 results...
Searching 450 results...
Searching 500 results...
Searching 550 results...
[+] Emails found:
------------------
test@soldesk.com
jclee@soldesk.com
webmaster@soldesk.com
designer@soldesk.com
hrd@soldesk.com
msms@soldesk.com
jdkal@soldesk.com
@sun.soldesk.com
kim10322@soldesk.com
@soldesk.com
consultant@soldesk.com
jdkal@soldesk.com
[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
183.111.174.9:www.soldesk.com
183.111.174.9:sun.soldesk.com
183.111.174.9:w.soldesk.com
183.111.174.9:www.soldesk.com
[+] Virtual hosts:
==================
183.111.174.9 ccbandfestival.com
183.111.174.9 cool365.kr
183.111.174.9 rah.kr
183.111.174.9 www.madeul.org
183.111.174.9 psent.co.kr
183.111.174.9 xfind.co.kr
183.111.174.9 www.youthcabin.kr
183.111.174.9 www.topmc.co.kr
183.111.174.9 yechan365.com
183.111.174.9 vhost.kr
183.111.174.9 www.psent.co.kr
183.111.174.9 ww.madeul.org
183.111.174.9 torrent.cool365.kr
183.111.174.9 shinedesign.co.kr
183.111.174.9 www.apielsa.com
183.111.174.9 wwww.mlibaba.com
183.111.174.9 gstaron.cafe24.com
183.111.174.9 www.czzjyzjy.blog.china.mlibaba.com
183.111.174.9 cielonda.com
183.111.174.9 mlibaba.com
183.111.174.9 toc.vhost.kr
183.111.174.9 cctopband.com
183.111.174.9 util.cool365.kr
183.111.174.9 movie.cool365.kr
183.111.174.9 occcvrr.vhost.kr
183.111.174.9 czzjyzjy.blog.china.mlibaba.com
183.111.174.9 movie.vhost.kr
183.111.174.9 fl.yechan365.com
183.111.174.9 g8.vhost.kr
183.111.174.9 mumushop.co.kr
183.111.174.9 m.cool365.kr
183.111.174.9 s1.vhost.kr
183.111.174.9 misogirl.me
183.111.174.9 app.cool365.kr
183.111.174.9 m.mlibaba.com
183.111.174.9 file.vhost.kr
183.111.174.9 t1.vhost.kr
183.111.174.9 s5.vhost.kr
183.111.174.9 www.evitaclinic.com
183.111.174.9 www.mumushop.co.kr
183.111.174.9 down.cool365.kr
183.111.174.9 3warfan.com
183.111.174.9 k8.vhost.kr
183.111.174.9 t2.vhost.kr
183.111.174.9 jerseys---www.mlibaba.com
183.111.174.9 isearch.cool365.kr
183.111.174.9 g1.vhost.kr
183.111.174.9 click.cool365.kr
183.111.174.9 apps.vhost.kr
183.111.174.9 www.shop.xfind.co.kr
183.111.174.9 file.xfind.co.kr
183.111.174.9 www.iphone1x.com
183.111.174.9 s3.vhost.kr
183.111.174.9 s8.vhost.kr
183.111.174.9 m.xfind.co.kr
-> It takes a while (about 5 to 10 minutes, depending on the search targets).
-> Read the "Virtual hosts" list with care before using it. It comes from a Bing search for the IP, so it lists every name Bing has seen on 183.111.174.9. Names such as cool365.kr, vhost.kr or mlibaba.com are other tenants of the same shared hosting server, not soldesk.com assets, and are outside the scope of an engagement against soldesk.com. The findings that do matter here are that www/sun/w.soldesk.com all sit on one shared-hosting IP, and the harvested e-mail addresses (and the naming pattern they reveal), which are the input for later social-engineering and password-guessing risk assessment.
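Added example (not part of the course notes and not theHarvester's own code): a small shell post-processor that splits theHarvester's text output into in-scope e-mail addresses and out-of-scope co-hosted names, which is the triage step the note above describes. The output inside sample_harvest is constructed in the shape of the "-b all" run above, not a real capture; the target domain is passed as an argument.

```shell
#!/bin/bash
# Added example: post-process theHarvester text output (read on stdin) to separate
# results that belong to the target domain from shared-hosting noise.

# Constructed sample shaped like the "-b all" run (not real tool output).
sample_harvest() {
cat <<'EOF'
[+] Emails found:
------------------
test@soldesk.com
@sun.soldesk.com
jdkal@soldesk.com
jdkal@soldesk.com
[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
183.111.174.9:www.soldesk.com
183.111.174.9:sun.soldesk.com
[+] Virtual hosts:
==================
183.111.174.9 ccbandfestival.com
183.111.174.9 cool365.kr
183.111.174.9 www.soldesk.com
EOF
}

# Section-aware parser: emits "email <addr>", "host <ip> <name>" or "vhost <ip> <name>".
# Entries with an empty local part (e.g. "@sun.soldesk.com") are scraping artefacts and dropped.
parse_harvest() {
  awk '
    /^\[\+\] Emails found/   { sec = "email"; next }
    /^\[\+\] Hosts found/    { sec = "host";  next }
    /^\[\+\] Virtual hosts/  { sec = "vhost"; next }
    /^\[-\]/ || /^-+$/ || /^=+$/ || /^$/ { next }
    sec == "email" && /.+@/  { print "email", $0; next }
    sec == "host"            { split($0, a, ":"); print "host", a[1], a[2]; next }
    sec == "vhost"           { print "vhost", $1, $2; next }
  '
}

# in_scope_emails <domain>: unique addresses in the target domain.
in_scope_emails() {
  parse_harvest | awk -v d="$1" '$1 == "email" && $2 ~ ("@" d "$")' | cut -d' ' -f2 | sort -u
}

# out_of_scope_vhosts <domain>: names that share the IP but are NOT under the target
# domain, i.e. co-tenants of the shared hosting server. They stay out of the engagement.
out_of_scope_vhosts() {
  parse_harvest | awk -v d="$1" '($1 == "host" || $1 == "vhost") && $3 !~ ("(^|\\.)" d "$") { print $3 }' | sort -u
}

# Usage against a saved run:  theharvester -d soldesk.com -b all > harvest.txt
#                             in_scope_emails soldesk.com < harvest.txt
```

The section headers are the only structure theHarvester's text output has, so the parser keys on them rather than on line shape; anything outside a known section is ignored instead of being guessed at.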
Scanning (SCAN)
1. Terminology
Footprinting
● Collecting information about the attack target (technical hacking techniques, newspapers, bulletin boards, Googling, and so on)
● Footprinting covers a very wide range of techniques and sources.
Social Engineering
● Methods that rely on personal or business relationships rather than technical hacking (EX: shoulder surfing)
● Gathering information through non-technical channels
2. Scanning
Scan
● Checks whether a server offering a service is up and which services it provides
● Uses the request/response behaviour of the protocols themselves: the TCP handshake, and the error replies of UDP/ICMP
● Can reveal open ports, services offered, versions of the running daemons, the operating system version, vulnerabilities and more
● nmap, Nessus, Nexpose, OpenVAS and similar tools are typically used
ICMP scan (EX: ping, traceroute)
● ping is a utility that checks whether the network and the system are working normally
● Uses ICMP (Internet Control Message Protocol)
Service scan
● Based on the fact that a running application always has a port it listens on
● Use the telnet utility (EX: telnet 192.168.20.200 443)
3. Scanning tools
Types of scanning tools by scan scope
● System assessment tools
  - Installed on the system being assessed; diagnose its internal security weaknesses
  - Check weak passwords, patch status, tampering with important files, backdoors, installed rootkits
● Network scanning tools
  - Installed on one system on the network; assess other systems remotely
  - Collect information about the main network services, check exploitability and vulnerabilities, check for installed backdoors
● Specialised scanning tools
  - Database scanning tools
  - Firewall ruleset testing tools
  - Web server vulnerability scanners
  - Source code vulnerability scanners
Assessment order (EX: penetration test, mock assessment)
(a) System assessment tools (run a script on each server)
(b) Network scanning tools (integrated vulnerability scanner, e.g. Nessus)
(c) Specialised scanning tools (per-target vulnerability scanners: DB, WEB)
(d) Manual assessment
[Note] Comparison of domestic and foreign commercial scanning tools
● Korean products focus on system assessment tools; foreign products focus on network scanning tools
● ISS and NetRecon hold 50 to 60% of the world market
● As interest in scanning tools grows, many commercial products are being released abroad.
■ Kinds of information gathering
□ Using a search engine (EX: Googling)
  □ Checking information on the Internet (security sites) (EX: exploit-db.com)
  □ Checking information through Google searches (EX: Google hacking)
□ Using DNS servers (EX: dnsenum CMD)
□ Using social engineering techniques (EX: SET)
□ Using scanners
  □ General scanners (EX: nmap/zenmap)
  □ Vulnerability scanners (EX: Nessus/OpenVAS/Nexpose)
4. nmap (Network Mapper) CMD
nmap CMD
- Host sweep: find out whether hosts are alive
- Port scan: find out whether a host's ports are open
■ Main nmap options
Option   Description
-sT      TCP connect() scan (completes the three-way handshake)
-sS      TCP half-open (SYN) scan (never establishes the session)
-sF      TCP FIN scan (probe carries only the FIN flag)
-sN      TCP NULL scan (probe carries no flags at all)
-sX      TCP Xmas scan (probe carries the FIN, PSH and URG flags)
-sP      Host discovery by ping only, no port scan (spelled -sn in current nmap)
-sU      UDP port scan
-O       Operating system detection of the target host
-F       Fast scan (the 100 most common ports instead of the default 1000)
-sV      Service/version detection
-> Also commonly used: -A (OS detection, version detection, default scripts, traceroute), -T4 (faster timing), -v/-vv (verbosity), -oN/-oX/-oG/-oA (normal/XML/greppable/all three output files)
In Kali Linux, choose
Information Gathering > Network Scanners > Nmap
or run the nmap (zenmap) command.
(1) UDP Open Scan
● The attacker sends a UDP packet
- Port open: no reply (a few services answer an empty probe; nmap then reports open)
- Port closed: ICMP Port Unreachable (type 3, code 3) reply
-> Silence is ambiguous: a firewall that drops the probe looks exactly like an open port, so nmap reports a silent UDP port as open|filtered, not open. Targets also rate-limit ICMP errors (Linux: one per second by default), which is why a UDP scan of many ports is slow.
Port Open
Attacker            Victim
|                   |
|    UDP packet     |
|-----------------> |
|                   |
|    no reply       |
|                   |
Port Closed
Attacker            Victim
|                   |
|    UDP packet     |
|-----------------> |
|                   |
| ICMP Unreachable  |
|<----------------- |
|                   |
# nmap -sU -p 53 192.168.20.200 (kaliLinux -> linux200)
[Lab] Analyze the UDP Open Scan packets
(2) TCP Open Scan (connect scan)
● The attacker sends a TCP SYN packet
- Port open: SYN/ACK comes back and the attacker completes the handshake with ACK (then closes the connection)
- Port closed: RST/ACK comes back
-> Because the handshake completes, the service itself sees a connection and usually logs it (sshd, for example, records "Did not receive identification string" for a connection closed without a banner). -sT needs no raw sockets, so it is what nmap falls back to when it is not run as root.
Port Open
Attacker            Victim
|                   |
|       SYN         |
|-----------------> |
|     SYN/ACK       |
|<----------------- |
|       ACK         |
|-----------------> |
Port Closed
Attacker            Victim
|                   |
|       SYN         |
|-----------------> |
|                   |
|     RST/ACK       |
|<----------------- |
|                   |
# nmap -sT -p 22 192.168.20.200 (kaliLinux -> linux200)
[Lab] Analyze the TCP Open Scan packets
(3) TCP Half Open Scan (SYN scan, "Stealth Scan")
● The attacker sends a TCP SYN packet
- Port open: SYN/ACK comes back and the attacker answers with RST instead of ACK, so no session is ever established
- Port closed: RST/ACK comes back
-> Needs raw sockets (root), because otherwise the attacker's own kernel would answer the SYN/ACK; it is nmap's default scan when run as root.
Port Open
Attacker            Victim
|                   |
|       SYN         |
|-----------------> |
|     SYN/ACK       |
|<----------------- |
|       RST         |
|-----------------> |
Port Closed
Attacker            Victim
|                   |
|       SYN         |
|-----------------> |
|                   |
|     RST/ACK       |
|<----------------- |
|                   |
# nmap -sS -p 23 192.168.20.200 (kaliLinux -> linux200)
[Lab] Analyze the TCP Half Open Scan packets
[Note] What is a "Stealth Scan"?
● The handshake is never completed, so the service on the target never receives a connection and writes nothing to its own log. It is stealthy only at the application layer: a packet filter, an IDS or kernel-level logging (for example an iptables LOG rule) still records every probe.
● It does not hide where the scan comes from. SYN, FIN, NULL and Xmas probes all carry the attacker's real source address; hiding the source is what decoy (-D) and idle (-sI) scans attempt. (EX: TCP Half Open Scan, FIN Scan, Xmas Scan, NULL Scan)
(4) FIN, Xmas, NULL Scan
● FIN scan: the attacker sends a TCP packet with only the FIN flag set
  Xmas scan: the attacker sends a TCP packet with FIN/PSH/URG set
  NULL scan: the attacker sends a TCP packet with no flags set
- Port open: no reply
- Port closed: RST reply
-> This relies on the RFC 793 rule that a closed port answers an out-of-state segment with RST while an open port silently drops it. Windows, Cisco IOS and several other stacks send RST for every port regardless of state, so against them every port shows up as closed. As with UDP, silence also describes a dropped probe, so nmap reports the open case as open|filtered.
Port Open
Attacker            Victim
| FIN / NULL / Xmas |
|-----------------> |
|                   |
|     no reply      |
|                   |
Port Closed
Attacker            Victim
| FIN / NULL / Xmas |
|-----------------> |
|    RST packet     |
|<----------------- |
|                   |
FIN Scan)  # nmap -sF -p 21 192.168.20.200 (kaliLinux -> linux200)
Xmas Scan) # nmap -sX -p 21 192.168.20.200 (kaliLinux -> linux200)
NULL Scan) # nmap -sN -p 21 192.168.20.200 (kaliLinux -> linux200)
[Lab] Analyze the TCP FIN Scan packets
[Lab] Analyze the TCP NULL Scan packets
[Lab] Analyze the TCP Xmas Scan packets
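Added example for the packet-analysis labs above (my code, not the course's): given a "tcpdump -n" capture of one of the scans, it derives the port state nmap would report from the reply the target sent, or did not send, so the open, closed, filtered and open|filtered cases can be checked against what the diagrams predict. The capture in sample_capture is constructed to match the diagrams, not a real trace; 192.168.20.50 is the Kali scanner and 192.168.20.200 the target, as in the labs.

```shell
#!/bin/bash
# Added example: derive nmap's port state from a "tcpdump -n" capture of a scan.
# Usage: tcpdump -nr scan.pcap | classify_capture <sS|sT|sF|sN|sX|sU> <target_ip> <port>

# Constructed capture (not a real trace): Kali 192.168.20.50 probes linux200 192.168.20.200.
# Port 22: SYN scan, open.  Port 23: SYN scan, closed.  Port 53: UDP, closed.
# Port 21: FIN scan, no answer.  Port 80: SYN scan, no answer.
sample_capture() {
cat <<'EOF'
12:00:01.000001 IP 192.168.20.50.40001 > 192.168.20.200.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000201 IP 192.168.20.200.22 > 192.168.20.50.40001: Flags [S.], seq 2, ack 2, win 29200, length 0
12:00:01.000301 IP 192.168.20.50.40001 > 192.168.20.200.22: Flags [R], seq 2, win 0, length 0
12:00:02.000001 IP 192.168.20.50.40002 > 192.168.20.200.23: Flags [S], seq 1, win 1024, length 0
12:00:02.000201 IP 192.168.20.200.23 > 192.168.20.50.40002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:03.000001 IP 192.168.20.50.40003 > 192.168.20.200.53: [|domain]
12:00:03.000201 IP 192.168.20.200 > 192.168.20.50: ICMP 192.168.20.200 udp port 53 unreachable, length 36
12:00:04.000001 IP 192.168.20.50.40004 > 192.168.20.200.21: Flags [F], seq 1, win 1024, length 0
12:00:05.000001 IP 192.168.20.50.40005 > 192.168.20.200.80: Flags [S], seq 1, win 1024, length 0
EOF
}

# match_line <capture text> <extended regex>: true if any line of the capture matches.
match_line() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# classify_capture <scan> <target ip> <port>: prints open / closed / filtered / open|filtered.
classify_capture() {
  local scan="$1" target="$2" port="$3" cap from
  cap="$(cat)"
  from="IP ${target}\.${port} > "            # header of any reply the target sent from that port
  case "$scan" in
    sS|sT)                                    # SYN/ACK = open, RST = closed, silence = filter in the way
      if   match_line "$cap" "${from}.*Flags \[S\.\]";  then echo open
      elif match_line "$cap" "${from}.*Flags \[R\.?\]"; then echo closed
      else echo filtered; fi ;;
    sF|sN|sX)                                 # RFC 793: closed answers RST, open stays silent,
      if   match_line "$cap" "${from}.*Flags \[R\.?\]"; then echo closed
      else echo "open|filtered"; fi ;;        # so silence cannot be told apart from a dropped probe
    sU)                                       # ICMP type 3 code 3 = closed, any UDP answer = open
      if   match_line "$cap" "ICMP ${target} udp port ${port} unreachable"; then echo closed
      elif match_line "$cap" "$from";                                         then echo open
      else echo "open|filtered"; fi ;;
    *) echo "unsupported scan type: $scan" >&2; return 1 ;;
  esac
}
```

Run one scan at a time while capturing with "tcpdump -n -i eth0 host 192.168.20.200 -w scan.pcap" on Kali, then feed the capture through the function for the probed port; the three silent cases (filtered, open|filtered for FIN/NULL/Xmas, open|filtered for UDP) are the ones worth comparing with nmap's own verdict.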
[Lab] Use the Internet to summarise how nmap is used
● Run zenmap and write down the commands it generates.
● Summarise nmap usage from documents on the Internet.
(linux200) # yum -y install nmap-frontend
# xnmap &
(windows) run zenmap
(KaliLinux) # zenmap &
[Note] How to use nmap/zenmap
[Note] Distributed nmap with dnmap
What is dnmap?
--------------
dnmap is a framework to distribute nmap scans among several clients. It reads an already created file with nmap commands and sends those commands to each client connected to it.
The framework uses a client/server architecture. The server knows what to do and the clients do it. All the logic and statistics are managed in the server. Nmap output is stored on both server and client.
Usually you would want this if you have to scan a large group of hosts and you have several different internet connections (or friends that want to help you).
Topology
--------
|--------------------|
| nmap commands file |
|--------------------|
|
|
V
|--------------|
| dnmap_server |
|--------------|
|
| |--------------|
|- | dnmap_client |-> Packets to the net...
| |--------------|
|
| |--------------|
|- | dnmap_client |-> Packets to the net...
| |--------------|
|
| |--------------|
|- | dnmap_client |-> Packets to the net...
| |--------------|
.
.
Basic usage
-----------
1- Put some nmap commands on a file like commands.txt
2- Start the dnmap_server
./dnmap_server -f commands.txt
3- Start any number of clients
./dnmap_client -s <server-ip> -a <alias>
The server will start to give nmap commands to the clients and results will be stored on both sides.
dnmap_server features
---------------------
● If the server gets down, clients continue trying to connect until the server gets back online.
● If the server gets down, when you put it up again it will send commands starting from the last command given before the shutdown. You do not need to remember where it was.
● You can add new commands to the original file without having to stop the server. The server will read them automatically.
● If some client goes down, the server will remember which command it was executing and it will re-schedule it for later.
● It will store every detail of the operations in a log file.
● It shows real time statistics about the operation of each client, including:
- Number of commands executed
- Last time seen
- Uptime
- Version of the client
- If the client is being run as root or not.
- It calculates the amount of commands executed per minute
- The historic average of the amount of commands executed per minute
- The status of the client (Online, Offline, Executing or Storing)
● You can choose which port to use. Defaults to 46001
● Only the Online clients are shown in the running stats.
dnmap_client features
---------------------
● If the server gets down, it keeps connecting to it until it gets up again.
● Strips strange characters from the command sent by the server. Tries to avoid command injection vulns.
● It only executes the nmap command. It discards the binary name sent by the server and replaces it with the known and trusted nmap binary on the system.
● You can select an alias for your user.
● You can change which port the client connects to.
● If the command sent by the server does not have a -oA option, the client adds it anyway to the command, so it will always have a local copy of the output.
● If the server sends a min-rate parameter, it is stripped out.
● You can control the nmap scanning rate regardless of the parameters the server sent.
● Tells the server if you are root or not, so it can change the nmap commands accordingly.
About nmap file commands creation
---------------------------------
Nmap is a great tool and it can manage large scans quite well. It is not wise to send only one port and one host to each of your clients. You would want to send at least one host with a lot of ports to each client, or one different network to each client. If you divide the commands too much, the distributed scan will be slower than one unique computer.
Example commands in the file that are OK:
nmap -sS -p22 192.168.1.0/24 -v -n -oA 192.168.1.0
nmap -sS -p22 192.168.2.0/24 -v -n -oA 192.168.2.0
nmap -sS -p22 192.168.3.0/24 -v -n -oA 192.168.3.0
nmap -sP -p22 192.168.3.0/24 -v -n -oA 192.168.3.0.ping
nmap -sS --top-ports 100 192.168.3.3 -v -n -oA 192.168.3.3.top100
nmap -sS --top-ports 100 192.168.3.4 -v -n -oA 192.168.3.4.top100
nmap -sS --top-ports 100 192.168.3.5 -v -n -oA 192.168.3.5.top100
Example commands in the file you should avoid:
nmap -sS -p22 192.168.1.1 -v -n -oA 192.168.1.1
nmap -sS -p22 192.168.1.2 -v -n -oA 192.168.1.2
nmap -sS -p22 192.168.1.3 -v -n -oA 192.168.1.3
■ dnmap (Distributed nmap): running nmap in a distributed way
● A server/client setup: the server sends nmap commands to the clients, which receive and execute them.
● Running many scans from one machine loads it heavily; dnmap spreads that load over the clients. The nmap results are saved as log files on both the server and the client side.
● Trust runs from server to client: a client executes whatever nmap command the server it connected to hands out, and the TLS certificate is the server.pem shipped in /usr/share/dnmap, identical on every install. On a real engagement generate your own certificate and pass it with -P, and keep port 46001 reachable only from the clients you run.
[Lab] Using dnmap
Lab systems
● KaliLinux (dnmap CMD)
● linux200 (CentOS)
● win2008 (Windows 2008)
● Firewall (CentOS)
Lab environment
● In this lab the server and the client both run inside KaliLinux.
① Check that the package is installed
(KaliLinux)
[Note] Package query commands compared across distribution families
■ (Debian family: dpkg/apt) Debian + Ubuntu + Kali
# dpkg -l
# dpkg -l <PKG>
# dpkg -L <PKG>
# dpkg -S /bin/ls
# dpkg -s coreutils
■ (RedHat family: rpm/yum) RedHat + CentOS + Fedora (SUSE is rpm-based as well)
# rpm -qa
# rpm -q <PKG>
# rpm -ql <PKG>
# rpm -qf /bin/ls
# rpm -qi coreutils
# dpkg -l dnmap (# dpkg -l | grep dnmap)
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii dnmap 0.6-1kali2 all Distributed nmap framework
# dpkg -L dnmap
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/dnmap
/usr/share/doc/dnmap/README.gz
/usr/share/doc/dnmap/copyright
/usr/share/doc/dnmap/changelog.Debian.gz
/usr/share/dnmap
/usr/share/dnmap/server.pem
/usr/bin
/usr/bin/dnmap_client
/usr/bin/dnmap_server
② (on dnmap_server) Write the command file
# mkdir -p /root/bin
# cd /root/bin
# vi dnmap_command.txt
nmap -sS -p 22 192.168.10.0/24 -v -n -oA 192.168.10.0
nmap -sS -p 22 192.168.20.0/24 -v -n -oA 192.168.20.0
# man nmap
-sS    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-p     -p <port ranges>: Only scan specified ports
-v     -v: Increase verbosity level (use -vv or more for greater effect)
-n     -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
-oA    -oA <basename>: Output in the three major formats at once
③ (on dnmap_server) Start the dnmap server
# dnmap_server -h
+----------------------------------------------------------------------+
| dnmap_server Version 0.6 |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or |
| (at your option) any later version. |
| |
| Author: Garcia Sebastian, eldraco@gmail.com |
| www.mateslab.com.ar |
+----------------------------------------------------------------------+
usage: /usr/bin/dnmap_server <options>
options:
-f, --nmap-commands Nmap commands file
-p, --port TCP port where we listen for connections.
-L, --log-file Log file. Defaults to /var/log/dnmap_server.conf.
-l, --log-level Log level. Defaults to info.
-v, --verbose_level Verbose level. Give a number between 1 and 5. Defaults to 1. Level 0 means be quiet.
-t, --client-timeout How many time should we wait before marking a client Offline. We still remember its values just in case it cames back.
-s, --sort Field to sort the statical value. You can choose from: Alias, #Commands, UpTime, RunCmdXMin, AvrCmdXMin, Status
-P, --pem-file pem file to use for TLS connection. By default we use the server.pem file provided with the server in the current directory.
dnmap_server uses a '<nmap-commands-file-name>.dnmaptrace' file to know where it must continue reading the nmap commands file. If you want to start over again,
just delete the '<nmap-commands-file-name>.dnmaptrace' file
# dnmap_server -f dnmap_command.txt
+----------------------------------------------------------------------+
| dnmap_server Version 0.6 |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or |
| (at your option) any later version. |
| |
| Author: Garcia Sebastian, eldraco@gmail.com |
| www.mateslab.com.ar |
+----------------------------------------------------------------------+
=| MET:0:00:00.000514 | Amount of Online clients: 0 |=
=| MET:0:00:05.005597 | Amount of Online clients: 0 |=
..... (중략) .....
④ (on dnmap_client) Start the client
# dnmap_client -h
+----------------------------------------------------------------------+
| dnmap Client Version 0.6 |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or |
| (at your option) any later version. |
| |
| Author: Garcia Sebastian, eldraco@gmail.com |
| www.mateslab.com.ar |
+----------------------------------------------------------------------+
usage: /usr/bin/dnmap_client <options>
options:
-s, --server-ip IP address of dnmap server.
-p, --server-port Port of dnmap server. Dnmap port defaults to 46001
-a, --alias Your name alias so we can give credit to you for your help. Optional
-d, --debug Debuging.
-m, --max-rate Force nmaps commands to use at most this rate. Useful to slow nmap down. Adds the --max-rate parameter.
# dnmap_client -s 192.168.20.50
+----------------------------------------------------------------------+
| dnmap Client Version 0.6 |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or |
| (at your option) any later version. |
| |
| Author: Garcia Sebastian, eldraco@gmail.com |
| www.mateslab.com.ar |
+----------------------------------------------------------------------+
Client Started...
Nmap output files stored in 'nmap_output' directory...
Starting connection...
Client connected succesfully...
Waiting for more commands....
Command Executed: nmap -sS -p22 192.168.10.0/24 -v -n -oA 192.168.10.0
..... (중략) .....
⑤ (on dnmap_server) Check the output
● After some time the results appear in the output directories.
# cd /root/bin
# ls
nmap_output/ nmap_results/
nmap_output/   files written by dnmap_client (the client announced "Nmap output files stored in 'nmap_output' directory" above)
nmap_results/  files dnmap_server collected from its clients
-> Both directories exist here only because the server and the client run on the same Kali box.
# cd nmap_output
# ls
192.168.10.0.gnmap 192.168.10.0.xml 192.168.20.0.nmap
192.168.10.0.nmap 192.168.20.0.gnmap 192.168.20.0.xml
# cat 192.168.10.0.nmap
-> output omitted
# cat 192.168.20.0.nmap
-> output omitted
[Lab] Writing a dnmap.sh file
● Distributed nmap with plain ssh
● Structure
(dnmap server)
# vi dnmap_CMD.txt        ---------------->  (dnmap client1)
nmap ......                                  # nmap ......   -> resultA
nmap ......               ---------------->  (dnmap client2)
# ./dnmap.sh                                 # nmap ......   -> resultB
# cat result.txt          <----------------
----------------------------------------------------------------------
(이론1) ssh/scp/sftp CMD 사용법
----------------------------------------------------------------------
■ ssh CMD 사용법
# ssh <USER>@<IP> (EX) # ssh 192.168.20.200
# ssh <USER>@<IP> <CMD> (EX) # ssh 192.168.20.200 hostname
사용시스템
- linux200 (192.168.20.200)
- KaliLinux (192.168.20.50)
(KaliLinux)
# ssh 192.168.20.200
root 사용자로 로그인
# hostname
# id
# exit
# cd ~/.ssh
# cat known_hosts
# ssh user01@192.168.20.200
user01 사용자로 로그인
$ hostname
$ id
$ exit
#
# cd ~/.ssh
# > known_hosts
# ssh 192.168.20.200 hostname
yes
root 사용자의 암호 입력
# ssh user01@192.168.20.200 id
user01 사용자의 암호 입력
# ssh user01@192.168.20.200 "hostname ; id"
user01 사용자의 암호 입력
■ scp CMD 사용법
# scp file1 192.168.20.200:/tmp
# scp file1 192.168.20.200:/tmp/file2
# scp 192.168.20.200:/tmp/file2 /test
# scp -r dir1 192.168.20.200:/tmp
# cd ~/.ssh
# > known_hosts
# scp /root/bin/reverse_test.exe 192.168.20.200:/tmp
root 사용자의 암호 입력
# ssh 192.168.20.200 ls -l /tmp/reverse*
root 사용자의 암호 입력
# scp 192.168.20.200:/tmp/reverse* /test
root 사용자의 암호 입력
# ls -l /test/reverse*
# scp -r /test 192.168.20.200:/tmp
root 사용자의 암호 입력
# ls -l /test
# ssh 192.168.20.200 ls -l /tmp/test
root 사용자의 암호 입력
------------------------------------------
(Theory 2) Running commands without a password prompt (public-key authentication)
------------------------------------------
-------- hostA ------                ------- hostB -------
# ssh-keygen CMD
- id_rsa
- id_rsa.pub  -------------------->  authorized_keys
(KaliLinux)
# ssh-keygen -t rsa     (the older "ssh-keygen -t dsa" no longer works by default: OpenSSH 7.0 and later disable ssh-dss keys; use rsa or ed25519)
<ENTER>
<ENTER>   <- an empty passphrase: anyone who can read id_rsa can log in wherever the public key is installed
<ENTER>
# cd ~/.ssh
# ls
id_rsa     /* private key file: mode 600, never leaves this host */
id_rsa.pub /* public key file: the only file that is copied to the target */
# scp id_rsa.pub 192.168.20.200:/root/.ssh/authorized_keys
Enter the root password
-> This replaces any authorized_keys already on linux200 with the single Kali key. When other keys must survive, append to the file instead (ssh-copy-id does exactly that).
# ssh 192.168.20.200 ls -l /root/.ssh
-> The command runs without asking for the root password
# ssh 192.168.20.200
# hostname
# id
# exit
# scp 192.168.20.200:/etc/hosts /test
# cat /test/hosts
# cd ~/.ssh
# ls
# mv id_rsa.pub authorized_keys
-> Kali now accepts its own key as well, so ssh to 192.168.20.50 (used by the scripts in Theory 3) works without a password too
# service ssh restart
# ssh 192.168.20.50 hostname
Make sshd start at boot:
(Debian family) # update-rc.d ssh defaults
# service ssh restart
(RedHat family) # chkconfig sshd on
# service sshd restart
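Added example (mine, not part of the course notes): installing a public key the way ssh-copy-id does, that is appending to authorized_keys, skipping keys already present and setting the permissions sshd's StrictModes requires, instead of overwriting the file with scp as in the step above. install_pubkey works on a local path so the logic can be exercised without a remote host; install_remote wraps the same steps in one ssh session. The key material in the usage comments is a placeholder, not a real key.

```shell
#!/bin/bash
# Added example: add a public key to authorized_keys without clobbering existing keys.

# install_pubkey <public key file> <authorized_keys path>
# Prints "installed" or "already present".
install_pubkey() {
  local pub="$1" auth="$2" dir key
  key="$(cut -d' ' -f1,2 "$pub")"            # "<type> <base64>": the trailing comment is ignored
  [ -n "$key" ] || { echo "empty key file: $pub" >&2; return 1; }
  dir="$(dirname "$auth")"
  mkdir -p "$dir" && chmod 700 "$dir"         # sshd (StrictModes) refuses a group/world-writable ~/.ssh
  touch "$auth" && chmod 600 "$auth"
  if grep -qF -- "$key" "$auth"; then
    echo "already present"; return 0           # idempotent: running it twice adds nothing
  fi
  printf '%s\n' "$(cat "$pub")" >> "$auth"     # always terminate the line, even if the source lacks "\n"
  echo "installed"
}

# install_remote <user@host> <public key file>: same idea over a single ssh session.
# Asks for the remote password once; afterwards "ssh user@host" authenticates with the key.
install_remote() {
  ssh "$1" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$2"
}

# count_keys <authorized_keys path>: number of key lines ("<type> <base64> [comment]").
count_keys() { grep -c -E '^(ssh|ecdsa)-' "$1"; }

# Usage (placeholder key, not a real one):
#   install_pubkey ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
#   install_remote root@192.168.20.200 ~/.ssh/id_rsa.pub
```

The umask in install_remote is what gives a freshly created ~/.ssh and authorized_keys the 700/600 modes; without it sshd on linux200 ignores the file and falls back to the password prompt, which is the usual reason "passwordless" ssh keeps asking for a password.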
----------------------------------------
(Theory 3) Let's write scripts
----------------------------------------
# cmd.sh CMD
(EX) cmd.sh hostname
(KaliLinux)
# service ssh restart
# cd /root/bin
# vi cmd.sh
#!/bin/bash
# cmd.sh <command...>: run the same command on every host over ssh.
# "$@" passes the arguments exactly as given; unquoted $* re-splits and glob-expands them.
[ $# -ge 1 ] || { echo "usage: $0 <command...>" >&2; exit 1; }
echo "----------- KaliLinux -----------"
ssh 192.168.20.50 "$@"
echo
echo "----------- linux200 -----------"
ssh 192.168.20.200 "$@"
echo
# chmod 755 cmd.sh
# ./cmd.sh hostname
# ./cmd.sh cat /etc/hosts
# ./copy.sh file1 /tmp
---------------------------------
scp file1 192.168.20.50:/tmp
scp file1 192.168.20.200:/tmp
---------------------------------
# cd /root/bin
# vi copy.sh
#!/bin/bash
# copy.sh <file> <remote-dir>: copy one file to the same directory on every host
[ $# -eq 2 ] || { echo "usage: $0 <file> <remote-dir>" >&2; exit 1; }
scp "$1" 192.168.20.50:"$2"
scp "$1" 192.168.20.200:"$2"
# chmod 755 copy.sh
# ./copy.sh /etc/hosts /tmp
# ./cmd.sh ls -l /tmp/hosts*
Let's write the program.
(Program run)
# cat nmap_CMD.txt
-------------------------------------
nmap CMD 1 (scans 192.168.10.0/24): nmap -sS -p22 192.168.10.0/24 -v -n -oA 192.168.10.0
nmap CMD 2 (scans 192.168.20.0/24): nmap -sS -p22 192.168.20.0/24 -v -n -oA 192.168.20.0
-------------------------------------
# vi dnmap.sh
--------------------------------------
Write the program
--------------------------------------
# ./dnmap.sh
-> reads the nmap_CMD.txt file
-> (client 1) nmap CMD 1   /* client 1 = KaliLinux (192.168.10.0/24) */
# ssh 192.168.20.50 "nmap CMD 1"
-> (client 2) nmap CMD 2   /* client 2 = linux200 (192.168.20.0/24) */
# ssh 192.168.20.200 "nmap CMD 2"
# cd nmap_output
# ls
192.168.10.0_nmap.txt
192.168.20.0_nmap.txt
#
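Added example solution for the dnmap.sh exercise (my script, not the course's answer): it reads nmap_CMD.txt, hands line n to client (n mod number-of-clients) over ssh, makes sure every command carries -oA so that it leaves files behind (the same rule dnmap_client enforces), copies the files back and merges the greppable (.gnmap) output into result.txt. It assumes key-based ssh to each client as set up in Theory 2, nmap installed on every client, and the client list in CLIENTS; the CLIENTS and OUT values and the job-name scheme are illustrative choices, not course-defined ones. The .gnmap lines in the usage notes are constructed.

```shell
#!/bin/bash
# Added example: distributed nmap over plain ssh (solution sketch for the dnmap.sh exercise).

CLIENTS="${CLIENTS:-192.168.20.50 192.168.20.200}"   # assumed client list
OUT="${OUT:-nmap_output}"                             # assumed output directory on both sides

# assign_round_robin <command file> <client>...  ->  "client<TAB>command" per non-empty line
assign_round_robin() {
  local file="$1"; shift
  local clients=("$@") i=0 cmd
  while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    printf '%s\t%s\n' "${clients[i % ${#clients[@]}]}" "$cmd"
    i=$((i + 1))
  done < "$file"
}

# ensure_oa <command> <fallback basename>: like dnmap_client, add -oA when it is missing
ensure_oa() {
  case " $1 " in
    *" -oA "*) printf '%s\n' "$1" ;;
    *)         printf '%s -oA %s\n' "$1" "$2" ;;
  esac
}

# run_remote <client> <command with -oA>: run it inside $OUT on the client, copy the
# three output files back. The ssh key is the trust boundary: the client runs whatever we send.
run_remote() {
  local base
  base="$(printf '%s\n' "$2" | sed -n 's/.*-oA \([^ ]*\).*/\1/p')"
  ssh "$1" "mkdir -p '$OUT' && cd '$OUT' && $2" && scp -q "$1:$OUT/$base.*" "$OUT/"
}

# merge_gnmap: .gnmap text on stdin -> one "ip port state" line per scanned port
# (Host lines that only carry "Status: Up" are skipped).
merge_gnmap() {
  awk '/^Host:/ && /Ports:/ {
         ip = $2
         sub(/.*Ports: /, ""); sub(/[ \t]*Ignored State:.*/, "")
         n = split($0, ports, ", ")
         for (k = 1; k <= n; k++) { split(ports[k], f, "/"); print ip, f[1], f[2] }
       }'
}

main() {
  mkdir -p "$OUT"
  assign_round_robin nmap_CMD.txt $CLIENTS | {
    i=0
    while IFS=$'\t' read -r client cmd; do
      run_remote "$client" "$(ensure_oa "$cmd" "job$i")" &   # clients scan in parallel
      i=$((i + 1))
    done
    wait                                                      # inside the subshell that forked them
  }
  cat "$OUT"/*.gnmap | merge_gnmap | sort -u > result.txt
}

# ./dnmap.sh run   (without "run" the file only defines the functions, e.g. for sourcing)
if [ "${1:-}" = run ]; then main; fi
```

Unlike dnmap there is no long-running server: each client is just an ssh login, so a client that dies mid-scan shows up as a missing .gnmap file rather than being rescheduled, and nothing a client returns is trusted beyond the parsed "ip port state" triples.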