Banner information is the greeting a service sends when a client connects, and it often contains sensitive details, so grabbing banners is also part of information gathering. From a banner you can learn the software vendor, software name, service type and version number, and a version number sometimes maps to publicly known CVEs that can be used directly.
Banner grabbing depends on first establishing a connection with the target; the banner can only be read once the connection is up. If the target hides its banner or is configured to refuse such reads, nothing is obtained.
An alternative service-identification approach: by matching characteristic fields in the responses, the differences between responses can be used to identify the underlying operating system.
1. Grabbing banner information with nc
root@kali:~# nc -nv 10.0.0.52 22
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.52:22.
SSH-2.0-OpenSSH_7.4
2. Grabbing banner information with dmitry
root@kali:~# dmitry    # run dmitry with no arguments to list the common options
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
root@kali:~# dmitry -pb 10.0.0.52
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 10.0.0.52
Continuing with limited modules
HostIP:10.0.0.52
HostName:
Gathered TCP Port information for 10.0.0.52
---------------------------------
Port State
22/tcp open
>> SSH-2.0-OpenSSH_7.4
Portscan Finished: Scanned 150 ports, 148 ports were in state closed
All scans completed, exiting
3. Grabbing banner information with nmap
root@kali:~# nmap -sT 10.0.0.52 -p 22 --script=banner.nse
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-16 21:42 CST
Nmap scan report for 10.0.0.52
Host is up (0.00052s latency).
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_7.4
MAC Address: 00:0C:29:81:16:8A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
# scan a range of ports
root@kali:~# nmap -sT 10.0.0.52 -p 1-100 --script=banner.nse
# this directory holds the various scan scripts
cd /usr/share/nmap/scripts
[root@db2 ~]# yum install -y nginx
[root@db2 ~]# systemctl start nginx
[root@db2 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8937/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6960/sshd
tcp6 0 0 :::80 :::* LISTEN 8937/nginx: master
tcp6 0 0 :::22 :::* LISTEN 6960/sshd
[root@db2 ~]# nmap 10.0.0.52 -p1-100 -sV    # get detailed banner (service version) information
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-16 21:56 CST
Nmap scan report for 10.0.0.52
Host is up (0.00024s latency).
Not shown: 98 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http nginx 1.20.1
MAC Address: (omitted)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.62 seconds
4. Grabbing banner information with amap
apt-get install amap
amap -B 10.0.0.52 22
amap v5.4 (www.thc.org/thc-amap) started at 2021-11-16 21:50:53 - BANNER mode
Banner on 10.0.0.52:22/tcp : SSH-2.0-OpenSSH_7.4\r\n
amap v5.4 finished at 2021-11-16 21:50:53
root@kali:/usr/share/nmap/scripts# amap 10.0.0.52 1-100 -qb
amap v5.4 (www.thc.org/thc-amap) started at 2021-11-16 22:04:50 - APPLICATION MAPPING mode
Protocol on 10.0.0.52:80/tcp matches http - banner: HTTP/1.1 200 OK\r\nServer: nginx/1.20.1\r\nDate: Tue, 16 Nov 2021 14:04:51 GMT\r\nContent-Type: text/html\r\nContent-Length: 4833\r\nLast-Modified: Fri, 16 May 2014 15:12:48 GMT\r\nConnection: close\r\nETag: "53762af0-12e1"\r\nAccept-Ranges: bytes\r\n\r\n<!DOCTYPE H
Protocol on 10.0.0.52:80/tcp matches http-apache-2 - banner: HTTP/1.1 200 OK\r\nServer: nginx/1.20.1\r\nDate: Tue, 16 Nov 2021 14:04:51 GMT\r\nContent-Type: text/html\r\nContent-Length: 4833\r\nLast-Modified: Fri, 16 May 2014 15:12:48 GMT\r\nConnection: close\r\nETag: "53762af0-12e1"\r\nAccept-Ranges: bytes\r\n\r\n<!DOCTYPE H
Protocol on 10.0.0.52:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_7.4\r\n
Protocol on 10.0.0.52:22/tcp matches ssh-openssh - banner: SSH-2.0-OpenSSH_7.4\r\n
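Added example (not part of the original post): a small Python parser that turns the SSH identification string and the HTTP Server header captured above into service type, software name and version, and flags a banner whose version has been suppressed, the hidden-banner case the introduction mentions. The regular expressions are my own assumptions about the common token formats (OpenSSH_7.4, nginx/1.20.1 style); the hardened nginx response used for testing is constructed, the other samples are the banners captured on this page.

```python
import re
from typing import Optional

# SSH identification line (RFC 4253 section 4.2): SSH-protoversion-softwareversion [SP comments]
SSH_ID_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?:[ \t]+(.*))?$")
# Product token as seen in Server headers and the softwareversion field: name[/_-]version
# (assumed pattern; covers OpenSSH_7.4, nginx/1.20.1, Apache/2.4.41, Cisco-1.25)
PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*?)(?:[/_-](\d[\w.]*))?$")

def _split_product(token: str) -> tuple:
    m = PRODUCT_RE.match(token)
    return (m.group(1), m.group(2)) if m else (token, None)

def parse_ssh_banner(raw: str) -> Optional[dict]:
    """Identification string -> protocol version, software, version, comment."""
    m = SSH_ID_RE.match((raw.strip().splitlines() or [""])[0])
    if not m:
        return None
    proto, software, comment = m.groups()
    name, version = _split_product(software)
    return {"service": "ssh", "protocol": proto, "software": name,
            "version": version, "comment": comment, "hidden": version is None}

def parse_http_banner(raw: str) -> Optional[dict]:
    """Response head -> product/version from the Server header; hidden when suppressed."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return None
    server = None
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "server":
            server = value.strip()
            break
    token = (server or "").split()           # missing or empty Server header -> no product
    name, version = _split_product(token[0]) if token else (None, None)
    return {"service": "http", "software": name, "version": version,
            "hidden": version is None}

def parse_banner(raw: str) -> dict:
    """Dispatch on the first bytes the service sent; unrecognised banners are kept raw."""
    if raw.startswith("SSH-"):
        info = parse_ssh_banner(raw)
    elif raw.startswith("HTTP/"):
        info = parse_http_banner(raw)
    else:
        info = None
    return info or {"service": "unknown", "raw": raw.strip()}
```

Feed it the first line(s) nc or amap return and compare the result with the version nmap -sV reports; a "hidden" result is what a server with version strings suppressed looks like from the outside.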