Writing a banner identification script

Category: Security Development



In the kill chain, banner grabbing belongs to the reconnaissance / information gathering phase. A banner can only be obtained after completing the TCP three-way handshake; the service content returned afterwards carries characteristic information from which the service can be determined, so you can think of it as fingerprinting. Tools like zmap and masscan use stateless scanning that never completes the three-way handshake, which is why fast port discovery is only possible with stateless scanners, while fingerprinting tools cannot reach that speed. Each approach therefore has its advantages and drawbacks.

ZoomEye, the cyberspace asset search engine, was built on the idea that in the past you might have a vulnerability but no way to find targets. With asset search engines like ZoomEye this problem is largely solved: you only need to search a keyword and the database returns the associated assets, so once a weaponized 0day/1day/nday vulnerability appears it is easy to find where the targets are. In that sense banner fingerprinting solves the problem of being able to see the assets at all.



Fingerprint writing workflow




First, decide which services to identify. I looked at Shodan's official white paper, which lists how many services it can identify, and wrote a small script that takes a default port and looks up the corresponding service. The rule base does not contain many rules.



Code

#! /usr/bin/python3
# portsearch.py: look up the application protocol usually bound to a default port
import sys

print('''
>>微信公众号:漏洞感知
>>>QQ交流群:801830727
>>>>用法:portsearch.py 445
>>>>>说明:方便查询默认端口应用协议的小工具
>>>>>>规则数:200
''')

# Rule base: default port -> service. Keys must not carry stray whitespace
# (the original had '13 ', '119 ' and '5008 ', which silently never matched).
portdata = {
    '7':'Echo', '11':'Systat', '13':'Daytime', '15':'Netstat', '17':'Quote of the day', '19':'Character generator', '21':'FTP', '22':'SSH',
    '23':'Telnet', '25':'SMTP', '26':'SSH', '37':'rdate', '49':'TACACS+', '53':'DNS', '67':'DHCP', '69':'TFTP, BitTorrent', '70':'Gopher',
    '79':'Finger', '80':'HTTP, malware', '81':'HTTP, malware', '82':'HTTP, malware', '83':'HTTP', '84':'HTTP', '88':'Kerberos', '102':'Siemens S7',
    '104':'DICOM', '110':'POP3', '111':'Portmapper', '113':'identd', '119':'NNTP', '123':'NTP', '129':'Password generator protocol', '137':'NetBIOS',
    '143':'IMAP', '161':'SNMP', '175':'IBM Network Job Entry', '179':'BGP', '195':'TA14-353a', '311':'OS X Server Manager', '389':'LDAP,CLDAP',
    '443':'HTTPS,QUIC', '444':'TA14-353a, Dell SonicWALL', '445':'SMB', '465':'SMTPS', '500':'IKE (VPN)', '502':'Modbus', '503':'Modbus',
    '515':'Line Printer Daemon', '520':'RIP', '523':'IBM DB2', '554':'RTSP', '587':'SMTP mail submission', '623':'IPMI', '626':'OS X serialnumbered',
    '636':'LDAPS', '666':'Telnet', '771':'Realport', '789':'Redlion Crimson3', '873':'rsync', '902':'VMWare authentication', '992':'Telnet (secure)',
    '993':'IMAP with SSL', '995':'POP3 with SSL', '1010':'malware', '1023':'Telnet', '1025':'Kamstrup', '1099':'Java RMI', '1177':'malware',
    '1200':'Codesys', '1234':'udpxy', '1434':'MS-SQL monitor', '1515':'malware', '1521':'Oracle TNS', '1604':'Citrix, malware', '1723':'PPTP',
    '1741':'CiscoWorks', '1833':'MQTT', '1900':'UPnP', '1911':'Niagara Fox', '4444':'malware', '4500':'IKE NAT-T (VPN)', '4567':'Modem web interface',
    '4664':'Qasar', '4730':'Gearman', '4782':'Qasar', '4800':'Moxa Nport', '4840':'OPC UA', '4911':'Niagara Fox with SSL', '4949':'Munin',
    '5006':'MELSEC-Q', '5007':'MELSEC-Q', '5008':'NetMobility', '5009':'Apple Airport Administration', '5060':'SIP', '5094':'HART-IP', '5222':'XMPP',
    '5269':'XMPP Server-to-Server', '5353':'mDNS', '5357':'Microsoft-HTTPAPI/2.0', '5432':'PostgreSQL', '5577':'Flux LED', '5601':'Kibana',
    '5632':'PCAnywhere', '5672':'RabbitMQ', '5900':'VNC', '5901':'VNC', '5938':'TeamViewer', '5984':'CouchDB', '6000':'X11', '6001':'X11',
    '6379':'Redis', '6666':'Voldemort database, malware', '6667':'IRC', '6881':'BitTorrent DHT', '6969':'TFTP, BitTorrent',
    '7218':'Sierra wireless (Telnet)', '7474':'Neo4j database', '7548':'CWMP (HTTPS)', '7777':'Oracle', '8008':'Chromecast', '8009':'Vizio HTTPS',
    '8010':'Intelbras DVR', '8060':'Roku web interface', '8069':'OpenERP', '8087':'Riak', '8090':'Insteon HUB', '8099':'Yahoo SmartTV',
    '8112':'Deluge (HTTP)', '8126':'StatsD', '8139':'Puppet agent', '8140':'Puppet master', '8181':'GlassFish Server (HTTPS)', '8333':'Bitcoin',
    '8334':'Bitcoin node dashboard (HTTP)', '8443':'HTTPS', '8554':'RTSP', '8800':'HTTP', '8880':'Websphere SOAP', '8888':'HTTP, Andromouse',
    '8889':'SmartThings Remote Access', '9000':'Vizio HTTPS', '9001':'Tor OR', '9002':'Tor OR', '9009':'Julia', '9042':'Cassandra CQL',
    '9051':'Tor Control', '9100':'Printer Job Language', '9151':'Tor Control', '9160':'Apache Cassandra', '9191':'Sierra wireless (HTTP)',
    '9418':'Git', '9443':'Sierra wireless (HTTPS)', '9595':'LANDesk Management Agent', '9600':'OMRON', '9633':'DarkTrack RAT', '9869':'OpenNebula',
    '10001':'Automated Tank Gauge,Ubiquiti', '10243':'Microsoft-HTTPAPI/2.0', '10554':'RTSP', '11211':'Memcache',
    '12345':'malware,Sierra wireless (Telnet)', '17000':'Bose SoundTouch', '17185':'VxWorks WDBRPC', '11300':'Beanstalk',
    '13579':'Media player classic web interface', '14147':'Filezilla FTP', '16010':'Apache Hbase', '16992':'Intel AMT', '16993':'Intel AMT',
    '18245':'General Electric SRTP', '20000':'DNP3', '20547':'ProconOS', '21025':'Starbound', '21379':'Matrikon OPC', '23023':'Telnet',
    '23424':'Serviio', '25105':'Insteon Hub', '25565':'Minecraft', '27015':'Steam A2S server query, Steam RCon', '27016':'Steam A2S server query',
    '27017':'MongoDB', '28015':'Steam A2S server query', '28017':'MongoDB (HTTP)', '30313':'Gardasoft Lighting', '30718':'Lantronix Setup',
    '32400':'Plex', '37777':'Dahuva DVR', '44818':'EtherNet/IP', '47808':'Bacnet', '49152':'Supermicro (HTTP)', '49153':'WeMo Link',
    '50070':'HDFS Namenode', '51106':'Deluge (HTTP)', '53413':'Netis backdoor', '54138':'Toshiba PoS', '55443':'McAfee', '55553':'Metasploit',
    '55554':'Metasploit', '62078':'Apple iDevice', '64738':'Mumble',
}

try:
    strport = sys.argv[1]
    # .get() returns None for a port that is not in the rule base
    print('[+]请参考查询结果:', portdata.get(strport))
except IndexError:
    # no port given on the command line
    print('[*]usage: portsearch.py 445')


Next, decide which service fingerprint to write. I wanted to write a Radmin fingerprinting script. Baidu Baike describes Radmin as follows: Radmin (Remote Administrator) is an award-winning remote control software that combines remote control, outsourced service components and network monitoring in one system, providing the fastest, most robust and secure toolkit.


The Radmin server listens on port 4899 by default. First look for the fingerprint in the nmap-service-probes file in the nmap directory, searching for the keyword radmin. In the lines below, the hexadecimal escape sequence is the fingerprint, the v/3.xx that follows is the version the fingerprint identifies, and the cpe entries after that come from a project of the US NIST (National Institute of Standards and Technology) used to distinguish software supply-chain information.


match radmin m|^\x01\x00\x00\x00\x25\x09\x00\x01\x10\x08\x01\x00\x09\x08| p/Famatech Radmin/ v/2.X/ i/Windows Authentication/ o/Windows/ cpe:/a:famatech:radmin:2/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x25\x0a\x00\x01\x10\x08\x01\x00\x0a\x08| p/Famatech Radmin/ v/2.X/ i/Radmin Authentication/ o/Windows/ cpe:/a:famatech:radmin:2/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x25\x00\x00\x02\x12\x08\x02\x00\x00\x0a| p/Famatech Radmin/ v/3.X/ i/Radmin Authentication/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x25\x71\x00\x02\x12\x08\x02\x00\x71\x0a| p/Famatech Radmin/ v/3.X/ i/Windows Authentication/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x25\x08\x00\x02\x12\x08\x02\x00\x08\x0a| p/Famatech Radmin/ v/3.X/ i/Radmin Authentication/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x25\x79\x00\x02\x12\x08\x02\x00\x79\x0a| p/Famatech Radmin/ v/3.X/ i/Windows Authentication/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x25\x59\x00\x02\x12\x08\x02\x00\x59\x0a| p/Famatech Radmin/ v/3.3/ o/Windows/ cpe:/a:famatech:radmin:3.3/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x25\x04\x00\x02\x12\x08\x02\x00\x04\x0a| p/Famatech Radmin/ v/3.0/ o/Windows/ cpe:/a:famatech:radmin:3.0/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x09\x00\x00\x10\x4f\x2f\x10\x00\x00\x04\x00\x00\x00\x1c| p/Famatech Radmin/ v/3.X/ i/Source IP blocked/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/a
softmatch radmin m|^\x01\x00\x00\x00\x25.\x00..\x08.\x00..|s p/Famatech Radmin/ o/Windows/ cpe:/a:famatech:radmin/ cpe:/o:microsoft:windows/a


First, look for Radmin targets through the domestic search engines ZoomEye, FOFA and Quake.


Keyword service:"radmin": ZoomEye has not yet added a Radmin identification rule.



Keyword protocol=="radmin": FOFA has not yet added a Radmin identification rule.



Keyword service:"radmin": Quake has added a Radmin identification rule.


So as a consumer, try a variety of products, because the data sources behind each product differ to some degree.



Through Quake I found one target, 1.247.245.126:4899; on the right of the record you can see the date it was scanned. IP assets on the Internet change constantly, so the data always carries a time lag. First scan port 4899 with nmap to confirm the Radmin version.



Confirmed version: Famatech Radmin 3.X (Source IP blocked)

PORT     STATE SERVICE VERSION
4899/tcp open  radmin  Famatech Radmin 3.X (Source IP blocked)


Then locate the corresponding fingerprint:

match radmin m|^\x01\x00\x00\x00\x09\x00\x00\x10\x4f\x2f\x10\x00\x00\x04\x00\x00\x00\x1c| p/Famatech Radmin/ v/3.X/ i/Source IP blocked/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/


Establishing the request with a socket

#! /usr/bin/python3
import socket

address = ('1.247.245.126', 4899)
# socket.SOCK_DGRAM  -> UDP
# socket.SOCK_STREAM -> TCP
radmin = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
radmin.settimeout(3)
radmin.connect(address)
# the bytes of the nmap fingerprint above, sent as a bytes literal rather than an encoded str
rtspdata = b'\x01\x00\x00\x00\x09\x00\x00\x10\x4f\x2f\x10\x00\x00\x04\x00\x00\x00\x1c'
radmin.sendall(rtspdata)
# radmin.recv     -> TCP
# radmin.recvfrom -> UDP
data = radmin.recv(1024)
radmin.close()
pf = str(data)
print(data)  # returned data

Compare this with the result of the Quake request to confirm it is the Radmin service; then, by adding a feature comparison against this returned data, the Radmin service can be recognized. However, different Radmin versions answer different request packets with different responses, so several requests are needed to reach a verdict, and different services may require different request methods. That is roughly the workflow for writing a banner script.

\x01\x00\x00\x00\x09\x00\x00\x10O/\x10\x00\x00\x04\x00\x00\x00\x1c
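To turn the workflow above into a reusable check, here is an added example (not code from the original post) that parses a constructed subset of the radmin match lines quoted earlier into Python regexes, classifies a captured banner the way nmap distinguishes a hard match from a softmatch, and wraps the TCP grab in a function with a timeout. The rule subset and the test banners are constructed from this page; the names `parse_rules`, `identify` and `grab_banner` are chosen here.

```python
import re
import socket

# Constructed rule set: a subset of the radmin lines quoted above, with the
# backslashes restored as they appear in nmap-service-probes.
RADMIN_RULES = r'''
match radmin m|^\x01\x00\x00\x00\x25\x09\x00\x01\x10\x08\x01\x00\x09\x08| p/Famatech Radmin/ v/2.X/ i/Windows Authentication/ o/Windows/ cpe:/a:famatech:radmin:2/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x25\x59\x00\x02\x12\x08\x02\x00\x59\x0a| p/Famatech Radmin/ v/3.3/ o/Windows/ cpe:/a:famatech:radmin:3.3/ cpe:/o:microsoft:windows/a
match radmin m|^\x01\x00\x00\x00\x09\x00\x00\x10\x4f\x2f\x10\x00\x00\x04\x00\x00\x00\x1c| p/Famatech Radmin/ v/3.X/ i/Source IP blocked/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/a
softmatch radmin m|^\x01\x00\x00\x00\x25.\x00..\x08.\x00..|s p/Famatech Radmin/ o/Windows/ cpe:/a:famatech:radmin/ cpe:/o:microsoft:windows/a
'''

# match/softmatch <service> m|<regex>|<flags> <version fields...>
LINE_RE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m\|(.*?)\|([is]*)\s*(.*)$')
FIELD_RE = re.compile(r'(?:^|\s)([pvio])/([^/]*)/')   # p/ v/ i/ o/ version info

def parse_rules(text):
    """Turn nmap match lines into (kind, service, compiled bytes regex, info)."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, service, pat, flags, rest = m.groups()
        re_flags = (re.IGNORECASE if 'i' in flags else 0) | (re.DOTALL if 's' in flags else 0)
        # The escapes stay literal text here; re turns b'\\x01' into the byte 0x01.
        regex = re.compile(pat.encode('latin-1'), re_flags)
        rules.append((kind, service, regex, dict(FIELD_RE.findall(rest))))
    return rules

def identify(banner, rules):
    """First hard 'match' wins; a 'softmatch' only names the service; else None."""
    soft = None
    for kind, service, regex, info in rules:
        if regex.search(banner):
            if kind == 'match':
                return {'kind': kind, 'service': service, **info}
            soft = soft or {'kind': kind, 'service': service, **info}
    return soft

def grab_banner(host, port, probe=b'', timeout=3):
    """Full TCP handshake, optionally send a probe, read up to 1024 bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(1024)
```

The `s` flag on the softmatch line matters: without DOTALL the final `.` would not match the `\x0a` byte that several Radmin 3.X responses end with.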


This article was first published on the WeChat public account (漏洞感知): Writing a banner identification script
