小白日记13：kali渗透测试之服务扫描（三）-SMTB扫描、防火墙识别、负载均衡识别、WAF识别

SMTP扫描

SMTP（Simple Mail Transfer Protocol）即简单邮件传输协议,它是一组用于由源地址到目的地址传送邮件的规则，由它来控制信件的中转方式。SMTP协议属于TCP/IP协议簇，它帮助每台计算机在发送或中转信件时找到下一个目的地。通过SMTP协议所指定的服务器,就可以把E-mail寄到收信人的服务器上了，整个过程只要几分钟。SMTP服务器则是遵循SMTP协议的发送邮件服务器，用来发送或中转发出的电子邮件。

SMB扫描针对机器去发现其漏洞，SMTP扫描为主动发现目标系统的邮件账号（被动信息收集也能收集到一些）。用途：社会工程学

初级方法

root@kali:~# nc -nv 192.168.1.107 25            #连接25端口
(UNKNOWN) [192.168.1.107] 25 (smtp) open
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root                                     #输入：尝试确认是否有root账号
252 2.0.0 root<strong>
</strong>

Nmap 前提：做了端口扫描知道目标主机开启25端口
扫描用户账号

root@kali:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
#尝试枚举账号     #指定使用什么方式，默认用root账号，也可加别的参数（指定字典）
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 21:06 CST
Nmap scan report for smtp.163.com (220.181.12.16)
Host is up (0.044s latency).
Other addresses for smtp.163.com (not scanned): 220.181.12.17 220.181.12.18 220.181.12.11 220.181.12.12 220.181.12.13 220.181.12.14 220.181.12.15
rDNS record for 220.181.12.16: m12-16.163.com
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-enum-users:
|_  Couldn't find any accounts

Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds

指定字典扫描邮箱账号：smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
扫描邮件开放中继：【如果开放了邮件中继，所有人都可以使用该邮件服务器】

root@kali:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 21:11 CST
Nmap scan report for smtp.163.com (220.181.12.15)
Host is up (0.043s latency).
Other addresses for smtp.163.com (not scanned): 220.181.12.14 220.181.12.13 220.181.12.12 220.181.12.11 220.181.12.18 220.181.12.17 220.181.12.16
rDNS record for 220.181.12.15: m12-15.163.com
PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap done: 1 IP address (1 host up) scanned in 3.62 seconds

注：都可以用python脚本实现

防火墙识别

尽量隐蔽的情况下，扫描出防火墙上开放的端口，通过检查回包，可能识别端口是否被防火墙过滤。【被过滤的端口，不是防火墙上的端口，而是内部主机向外发起请求的临时端口】但设备多种多样，结果存在一定误差

如何判断四种情况：/Uploads/Images/Content/201609/12/8e5bd3e5be96bcab078dc4b5eafc9b0a





python脚本扫描

#!/usr/bin/python

from scapy.all import*
import logging
logging.getLogger( "scapy.runtime" ).setLevel(logging.ERROR)
import sys

if len( sys.argv ) !=3:
print "Usage - ./Firewalk_scan.py [Target.IP] [Target Port]"
print "Example - ./Firewalk_scan.py 1.1.1.1 443"
print "Example will determine if filtering exists on port 443 of Host 1.1.1.1"
sys.exit()

ip = sys.argv[1]
port = int(sys.argv[2])

ACK_response = sr1(IP(dst=ip)/TCP(dport=port,flags="A"),timeout=1,verbose=0)
SYN_response = sr1(IP(dst=ip)/TCP(dport=port,flags="S"),timeout=1,verbose=0)

if ((ACK_response == None) or (SYN_response == None)):
print "Port is either unstatefully filtered or host is down"
<strong>elif ((ACK_response == None) or (SYN_response == None)) and not ((ACK_response == None) and (SYN_response == None)):
print "Stateful filtering in place"    #防火墙在线#此句有逻辑问题，尚未修改</strong>
elif int(SYN_response[TCP].flags) == 18:
print "Port is unfiltered and open"
elif int(SYN_response[TCP].flags) == 20:
print "Port is unfiltered and closed"
else:
print "Unable to determine if the port is filtered"<strong>
</strong>

Nmap对防火墙的识别

root@kali:~# nmap -p22 192.168.1.141 -sA

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 23:18 CST
Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.00021s latency).
PORT   STATE      SERVICE
22/tcp unfiltered ssh
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

根据其对SYN和ACK包的应答，去匹配上图类型

负载均衡识别

负载均衡从其应用的地理结构上分为本地负载均衡(Local Load Balance)和全局负载均衡(Global Load Balance，也叫地域负载均衡)，本地负载均衡是指对本地的服务器群做负载均衡，全局负载均衡是指对分别放置在不同的地理位置、有不同网络结构的服务器群间作负载均衡。它提供了一种廉价有效透明的方法扩展网络设备和服务器的带宽、增加吞吐量、加强网络数据处理能力、提高网络的灵活性和可用性。
简单来说是DNS，即同一个域名对应不同IP。
分类：http://lusongsong.com/reed/158.html
基于web的服务负载均衡经常使用Nginx、Apache应用层负载均衡

Lbd（直接加域名，或者加IP）

root@kali:~# lbd www.baidu.com

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.

<strong>Checking for DNS-Loadbalancing: FOUND
www.a.shifen.com has address 14.215.177.38
www.a.shifen.com has address 14.215.177.37

Checking for HTTP-Loadbalancing [Server]:           #应用层负载均衡
bfe/1.0.8.18
NOT FOUND</strong>

Checking for HTTP-Loadbalancing [Date]: 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, NOT FOUND

Checking for HTTP-Loadbalancing [Diff]: FOUND
< Last-Modified: Mon, 13 Jun 2016 02:50:17 GMT
> Last-Modified: Mon, 13 Jun 2016 02:50:12 GMT
< ETag: "575e1f69-115"
> ETag: "575e1f64-115"

www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]<strong>
</strong>

WAF识别

WAF（Web Application Firewall）的中文名称叫做“Web应用防火墙”，利用国际上公认的一种说法，WAF的定义是这样的：Web应用防火墙是通过执行一系列针对HTTP/HTTPS的安全策略来专门为Web应用提供保护的一款产品。通过从上面对WAF的定义中，我们可以很清晰的了解到，WAF是一种工作在应用层的、通过特定的安全策略来专门为Web应用提供安全防护的产品。

WAF攻防实战：http://secsky.sinaapp.com/216.html
基于规则WAF过滤【可绕过】，基于机器学习结合语法词法分析的WAF将成为主流，几乎可防止所有的SQL注入

wafw00f 

<strong>root@kali:~# wafw00f -l                         #列出其可检测的WAF
</strong>
^     ^
_   __  _   ____ _   __  _    _   ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
<
...'

WAFW00F - Web Application Firewall Detection Tool

By Sandro Gauci && Wendel G. Henrique

Can test for these WAFs:

Profense
NetContinuum
Barracuda
HyperGuard
BinarySec
Teros
F5 Trafficshield
F5 ASM
Airlock
Citrix NetScaler
ModSecurity
IBM Web Application Security
IBM DataPower
DenyALL
dotDefender
webApp.secure
BIG-IP
URLScan
WebKnight
SecureIIS
Imperva
ISA Server

<strong>root@kali:~# wafw00f http://www.microsoft.com</strong> 
^     ^
_   __  _   ____ _   __  _    _   ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
<
...'

WAFW00F - Web Application Firewall Detection Tool

By Sandro Gauci && Wendel G. Henrique

Checking http://www.microsoft.com Generic Detection results:
The site http://www.microsoft.com seems to be behind a WAF
Reason: The server returned a different response code when a string trigged the blacklist.
Normal response code is "400", while the response code to an attack is "403"
Number of requests: 16

nmap检测WAF

root@kali:~# nmap www.microsoft.com <strong>--script=http-waf-detect.nse</strong>

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 23:51 CST

小白日记，未完待续……