The first task of unit 1 is about gathering information from external servers.
The basic commands that will be used are:
- Ping
- Whois
- Nmap
A ping can be sent directly to an IP address or to a domain name. The -c option followed by a number sets how many echo requests are sent.
```
sergio@tux:~$ ping 192.168.1.1 -c 4
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.95 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.887 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.865 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.883 ms

--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.865/1.146/1.950/0.464 ms
sergio@tux:~$
```
```
sergio@tux:~$ ping www.lemaker.org -c 4
PING www.lemaker.org (120.25.215.191) 56(84) bytes of data.
64 bytes from www.lemaker.org (120.25.215.191): icmp_seq=1 ttl=44 time=331 ms
64 bytes from www.lemaker.org (120.25.215.191): icmp_seq=2 ttl=44 time=332 ms
64 bytes from www.lemaker.org (120.25.215.191): icmp_seq=3 ttl=44 time=373 ms
64 bytes from www.lemaker.org (120.25.215.191): icmp_seq=4 ttl=44 time=368 ms

--- www.lemaker.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 331.379/351.571/373.880/19.756 ms
sergio@tux:~$
```
In some cases, servers are configured not to answer ping requests at all, so a 100% packet loss does not by itself mean the host is down.
```
sergio@tux:~$ ping www.guadalinex.org -c 4
PING inv2.juntadeandalucia.es (217.12.28.33) 56(84) bytes of data.

--- inv2.juntadeandalucia.es ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3007ms
sergio@tux:~$
```
WHOIS is a protocol that lets us obtain information about the owner of a domain: contact email, postal address, registrar, name servers, etc.
Running whois followed by the domain prints that information; it can also be written straight to a file by appending >> and a file name to the command.
```
sergio@tux:~$ whois lemaker.org >> whois_lemaker.log
sergio@tux:~$
```
Contents of whois lemaker.org
```
Domain Name:LEMAKER.ORG
Domain ID: D170120242-LROR
Creation Date: 2013-11-07T08:22:43Z
Updated Date: 2015-08-19T09:49:10Z
Registry Expiry Date: 2017-11-07T08:22:43Z
Sponsoring Registrar:Chengdu West Dimension Digital Technology Co., Ltd. (R1898-LROR)
Sponsoring Registrar IANA ID: 1556
WHOIS Server:
Referral URL:
Domain Status: ok -- http://www.icann.org/epp#ok
Registrant ID:1556-75475-d-001
Registrant Name:Fu Lanhui
Registrant Organization:Shenzhen Lemaker Science Technology Co Ltd.
Registrant Street: HIT Campus of ShenZhen University Town, XiLi
Registrant City:Shenzhen
Registrant State/Province:GD
Registrant Postal Code:518055
Registrant Country:CN
Registrant Phone:+86.00100000001
Registrant Phone Ext:
Registrant Fax: +86.075526033009
Registrant Fax Ext:
Registrant Email:709983059@qq.com
Admin ID:1556-75475-a-001
Admin Name:Joe Zheng
Admin Organization:Joe Zheng
Admin Street: HIT Campus of ShenZhen University Town, XiLi
Admin City:Shenzhen
Admin State/Province:GD
Admin Postal Code:518055
Admin Country:CN
Admin Phone:+86.075536330749
Admin Phone Ext:
Admin Fax: +86.075536330749
Admin Fax Ext:
Admin Email:joe.zheng@lemaker.org
Tech ID:1556-75475-t-001
Tech Name:Fu Lanhui
Tech Organization:Shenzhen Lemaker Science Technology Co Ltd.
Tech Street: HIT Campus of ShenZhen University Town, XiLi
Tech City:Shenzhen
Tech State/Province:GD
Tech Postal Code:518055
Tech Country:CN
Tech Phone:+86.00100000001
Tech Phone Ext:
Tech Fax: +86.075526033009
Tech Fax Ext:
Tech Email:709983059@qq.com
Name Server:S1.DNSNS5.COM
Name Server:S2.DNSNS5.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.
```
The third command, Nmap, is used to scan the ports and services of a server.
Some of the interesting options are:
- -O operating system detection
- -v verbose mode
- -sV service version detection
- -A operating system and versions (aggressive scan)
- -T4 faster timing template, to speed up the scan
Operating system detection on lemaker.org
```
sergio@tux:~$ sudo nmap -O -v lemaker.org
[sudo] password for sergio:

Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-26 12:46 CEST
Initiating Ping Scan at 12:46
Scanning lemaker.org (120.25.215.191) [4 ports]
Completed Ping Scan at 12:46, 1.41s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:46
Completed Parallel DNS resolution of 1 host. at 12:46, 0.01s elapsed
Initiating SYN Stealth Scan at 12:46
Scanning lemaker.org (120.25.215.191) [1000 ports]
SYN Stealth Scan Timing: About 8.50% done; ETC: 12:52 (0:05:34 remaining)
SYN Stealth Scan Timing: About 16.50% done; ETC: 12:52 (0:05:09 remaining)
SYN Stealth Scan Timing: About 24.10% done; ETC: 12:52 (0:04:47 remaining)
SYN Stealth Scan Timing: About 32.50% done; ETC: 12:52 (0:04:11 remaining)
SYN Stealth Scan Timing: About 43.10% done; ETC: 12:51 (0:03:19 remaining)
SYN Stealth Scan Timing: About 38.60% done; ETC: 12:53 (0:04:48 remaining)
Increasing send delay for 120.25.215.191 from 0 to 5 due to max_successful_tryno increase to 4
SYN Stealth Scan Timing: About 45.18% done; ETC: 12:53 (0:04:17 remaining)
SYN Stealth Scan Timing: About 53.20% done; ETC: 12:53 (0:03:33 remaining)
SYN Stealth Scan Timing: About 59.78% done; ETC: 12:53 (0:03:03 remaining)
Discovered open port 80/tcp on 120.25.215.191
SYN Stealth Scan Timing: About 65.93% done; ETC: 12:53 (0:02:36 remaining)
Discovered open port 22/tcp on 120.25.215.191
Increasing send delay for 120.25.215.191 from 5 to 10 due to 11 out of 23 dropped probes since last increase.
SYN Stealth Scan Timing: About 84.87% done; ETC: 12:52 (0:00:59 remaining)
Completed SYN Stealth Scan at 12:52, 365.51s elapsed (1000 total ports)
Initiating OS detection (try #1) against lemaker.org (120.25.215.191)
adjust_timeouts2: packet supposedly had rtt of -56517 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -56517 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -77059 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -77059 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -99119 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -99119 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -99662 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -99662 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -89396 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -89396 microseconds. Ignoring time.
Retrying OS detection (try #2) against lemaker.org (120.25.215.191)
Nmap scan report for lemaker.org (120.25.215.191)
Host is up (0.33s latency).
Not shown: 977 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
443/tcp   closed https
20000/tcp closed dnp
20005/tcp closed btx
20031/tcp closed unknown
20222/tcp closed ipulse-ics
20828/tcp closed unknown
21571/tcp closed unknown
22939/tcp closed unknown
23502/tcp closed unknown
24444/tcp closed unknown
24800/tcp closed unknown
25734/tcp closed unknown
25735/tcp closed unknown
26214/tcp closed unknown
27000/tcp closed flexlm0
27352/tcp closed unknown
27353/tcp closed unknown
27355/tcp closed unknown
27356/tcp closed unknown
27715/tcp closed unknown
30000/tcp closed unknown
Device type: general purpose|WAP|storage-misc|media device|broadband router
Running (JUST GUESSING): Linux 2.6.X|2.4.X|3.X (94%), Linksys Linux 2.4.X (91%), HP embedded (91%), Netgear embedded (89%), Western Digital embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linksys:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.4 cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:3 cpe:/h:netgear:dg834g cpe:/o:westerndigital:wd_tv
Aggressive OS guesses: Linux 2.6.32 (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (92%), OpenWrt White Russian 0.9 (Linux 2.4.30) (91%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (91%), HP P2000 G3 NAS device (91%), Linux 3.0 (89%), Netgear DG834G WAP or Western Digital WD TV media player (89%), Linux 3.2 (88%), Linux 2.4.18 (88%), Linux 2.6.38 (88%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 379.39 seconds
           Raw packets sent: 5666 (253.036KB) | Rcvd: 315 (23.068KB)
sergio@tux:~$
```
The exact operating system version cannot be determined, but Nmap lists the possible matches with a confidence percentage for each.
Operating system and version detection.
```
sergio@tux:~$ nmap -T4 -A -v lemaker.org >> nmap_lemaker.log
sergio@tux:~$
```
Contents of nmap -T4 -A -v lemaker.org
```
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-26 13:07 CEST
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 13:07
Scanning lemaker.org (120.25.215.191) [2 ports]
Completed Ping Scan at 13:07, 3.50s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:07
Completed Parallel DNS resolution of 1 host. at 13:07, 0.00s elapsed
Initiating Connect Scan at 13:07
Scanning lemaker.org (120.25.215.191) [1000 ports]
Discovered open port 22/tcp on 120.25.215.191
Discovered open port 80/tcp on 120.25.215.191
Connect Scan Timing: About 21.40% done; ETC: 13:09 (0:01:54 remaining)
Increasing send delay for 120.25.215.191 from 0 to 5 due to 11 out of 22 dropped probes since last increase.
Connect Scan Timing: About 24.35% done; ETC: 13:11 (0:03:10 remaining)
Connect Scan Timing: About 27.30% done; ETC: 13:12 (0:04:02 remaining)
Increasing send delay for 120.25.215.191 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Connect Scan Timing: About 30.25% done; ETC: 13:13 (0:04:39 remaining)
Connect Scan Timing: About 33.20% done; ETC: 13:14 (0:05:04 remaining)
Connect Scan Timing: About 38.20% done; ETC: 13:16 (0:05:27 remaining)
Connect Scan Timing: About 53.80% done; ETC: 13:16 (0:04:26 remaining)
Connect Scan Timing: About 63.95% done; ETC: 13:16 (0:03:12 remaining)
Connect Scan Timing: About 70.85% done; ETC: 13:16 (0:02:45 remaining)
Connect Scan Timing: About 76.95% done; ETC: 13:17 (0:02:16 remaining)
Connect Scan Timing: About 82.80% done; ETC: 13:17 (0:01:45 remaining)
Connect Scan Timing: About 88.30% done; ETC: 13:17 (0:01:13 remaining)
Connect Scan Timing: About 93.70% done; ETC: 13:17 (0:00:40 remaining)
Completed Connect Scan at 13:17, 613.05s elapsed (1000 total ports)
Initiating Service scan at 13:17
Scanning 2 services on lemaker.org (120.25.215.191)
Completed Service scan at 13:17, 7.25s elapsed (2 services on 1 host)
NSE: Script scanning 120.25.215.191.
Initiating NSE at 13:17
Completed NSE at 13:18, 23.98s elapsed
Nmap scan report for lemaker.org (120.25.215.191)
Host is up (0.38s latency).
Not shown: 994 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 20:dd:d7:6f:30:57:34:c1:17:13:97:0f:c8:aa:06:a2 (DSA)
|_2048 b0:0f:aa:ce:c9:8a:95:c0:7c:1f:78:48:3d:8f:5a:e4 (RSA)
80/tcp    open   http    nginx
|_http-favicon: Unknown favicon MD5: D7A9C4E1F7BD1804B152F93603FA0055
|_http-generator: Discuz! X3.2
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
| http-robots.txt: 22 disallowed entries (15 shown)
| /api/ /data/ /source/ /install/ /template/ /config/
| /uc_client/ /uc_server/ /static/ /admin.php /search.php
|_/member.php /api.php /misc.php /connect.php
| http-title: LeMaker|The Open Source SBCs Community
|_Requested resource was http://www.lemaker.org/
443/tcp   closed https
21571/tcp closed unknown
22939/tcp closed unknown
27356/tcp closed unknown

NSE: Script Post-scanning.
Initiating NSE at 13:18
Completed NSE at 13:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 650.57 seconds
```
Service and version detection.
```
sergio@tux:~$ nmap -T4 -sV -v lemaker.org

Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-26 13:48 CEST
NSE: Loaded 23 scripts for scanning.
Initiating Ping Scan at 13:48
Scanning lemaker.org (120.25.215.191) [2 ports]
Completed Ping Scan at 13:48, 0.38s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:48
Completed Parallel DNS resolution of 1 host. at 13:48, 0.00s elapsed
Initiating Connect Scan at 13:48
Scanning lemaker.org (120.25.215.191) [1000 ports]
Discovered open port 80/tcp on 120.25.215.191
Discovered open port 3306/tcp on 120.25.215.191
Discovered open port 22/tcp on 120.25.215.191
Connect Scan Timing: About 15.30% done; ETC: 13:51 (0:02:52 remaining)
Increasing send delay for 120.25.215.191 from 0 to 5 due to 11 out of 23 dropped probes since last increase.
Connect Scan Timing: About 18.45% done; ETC: 13:53 (0:04:30 remaining)
Connect Scan Timing: About 21.55% done; ETC: 13:55 (0:05:31 remaining)
Increasing send delay for 120.25.215.191 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Connect Scan Timing: About 24.75% done; ETC: 13:56 (0:06:08 remaining)
Connect Scan Timing: About 28.15% done; ETC: 13:57 (0:06:33 remaining)
Connect Scan Timing: About 54.90% done; ETC: 13:57 (0:04:12 remaining)
Connect Scan Timing: About 63.65% done; ETC: 13:58 (0:03:43 remaining)
Connect Scan Timing: About 70.45% done; ETC: 13:59 (0:03:12 remaining)
Connect Scan Timing: About 76.35% done; ETC: 13:59 (0:02:39 remaining)
Connect Scan Timing: About 81.95% done; ETC: 13:59 (0:02:05 remaining)
Connect Scan Timing: About 90.75% done; ETC: 13:59 (0:01:02 remaining)
Completed Connect Scan at 13:58, 609.29s elapsed (1000 total ports)
Initiating Service scan at 13:58
Scanning 3 services on lemaker.org (120.25.215.191)
Completed Service scan at 13:58, 7.31s elapsed (3 services on 1 host)
NSE: Script scanning 120.25.215.191.
Nmap scan report for lemaker.org (120.25.215.191)
Host is up (0.31s latency).
Not shown: 995 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 5.3 (protocol 2.0)
80/tcp    open   http    nginx
443/tcp   closed https
3306/tcp  open   mysql   MySQL 5.6.25-log
23502/tcp closed unknown

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 617.84 seconds
sergio@tux:~$
```
Putting the different scans together, we find 3 open ports (22, 80 and 3306) running the ssh, http and mysql services, with their respective versions.
To determine whether any of the services found has known vulnerabilities, we can consult the United States National Vulnerability Database (NVD).
For the ssh service, version 5.3, 2 vulnerabilities were found (search); for nginx, 20 vulnerabilities were found (search); and for the mysql service, 0 vulnerabilities (search).
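The lookup described above (read the open ports and versions off the Nmap report, then search each product in the NVD) can be done from the saved log instead of by hand. The following Python script is an added example and is not part of the original write-up: it parses the PORT/STATE/SERVICE/VERSION table of an Nmap normal-output report into a service inventory and builds the NVD keyword-search URL for each open service. The sample report is constructed from the scan output shown in this post, with two NSE script lines included to show they are skipped; the NVD search URL format (the `query` parameter on the public search page) is an assumption of the example, not something the post states.

```python
"""Turn an Nmap normal-output report into a service inventory with NVD search links.

Added example for this post, not code from the original write-up. The sample
report is constructed from the port table the post shows for
`nmap -T4 -sV -v lemaker.org`, plus two NSE script lines from the -A scan.
"""
import re
from urllib.parse import urlencode

# Constructed sample: the banner lines Nmap prints around the port table,
# the table itself, and two NSE script lines (prefixed "|" / "|_").
SAMPLE_REPORT = """\
Nmap scan report for lemaker.org (120.25.215.191)
Host is up (0.31s latency).
Not shown: 995 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 20:dd:d7:6f:30:57:34:c1:17:13:97:0f:c8:aa:06:a2 (DSA)
|_2048 b0:0f:aa:ce:c9:8a:95:c0:7c:1f:78:48:3d:8f:5a:e4 (RSA)
80/tcp    open   http    nginx
|_http-generator: Discuz! X3.2
443/tcp   closed https
3306/tcp  open   mysql   MySQL 5.6.25-log
23502/tcp closed unknown
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
"""

# One port-table row: "<port>/<proto> <state> <service> [<version ...>]".
# Nmap's state column can also hold "open|filtered" style combinations.
PORT_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)

# Assumed base URL of the NVD web search; verify against the live site before relying on it.
NVD_SEARCH = "https://nvd.nist.gov/vuln/search/results?"


def parse_nmap_report(text):
    """Return one dict per port row. Banner lines and NSE script output are ignored,
    and 'version' is None when Nmap printed nothing in the VERSION column."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def open_services(rows):
    """Keep only ports Nmap reported as open; closed/filtered ports carry no service to check."""
    return [r for r in rows if r["state"] == "open"]


def nvd_search_url(keywords):
    """Keyword-search URL for the NVD web interface (URL form is an assumption, see above)."""
    return NVD_SEARCH + urlencode({"query": keywords})


def inventory(text):
    """Open ports with the NVD search a defender would run for each.
    A service without a version string (nginx here) is searched by product name only,
    which returns a broader, less precise set of results than a versioned product."""
    result = []
    for r in open_services(parse_nmap_report(text)):
        keywords = r["version"] or r["service"]
        result.append({
            "port": r["port"],
            "service": r["service"],
            "version": r["version"],
            "nvd": nvd_search_url(keywords),
        })
    return result


if __name__ == "__main__":
    for item in inventory(SAMPLE_REPORT):
        label = item["version"] or "(no version detected)"
        print(f"{item['port']:>5}/{item['service']:<6} {label:<30} {item['nvd']}")
```

Running the script prints one line per open port (22, 80 and 3306 for the sample) with its version string and the NVD search to follow up. The version-less nginx entry is the caveat worth noticing: without a version, the vulnerability count the post reports for nginx (20) covers every nginx release, so confirming the actual version (from the server banner or the host itself) is the step that turns that number into an answer.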