像zoomeye 网络空间资产搜索引擎,提出的理念就是以前有漏洞找不到目标,而存在了像zoomeye这样的资产搜索引擎后......等,就很好解决了这个问题,只需要搜索关键词就能从数据库关联出资产,很好解决爆出了oday、1day、nday武器化漏洞,很好找到目标在哪里。所以说像banner指纹识别就是解决看得见的问题。
编写指纹流程
首先需要确定识别的服务,这是我看shodan的官方白皮书里面介绍的支持多少种识别服务,然后写了一个小脚本,输入默认端口找对应服务,规则库规则不多。
代码
#! /usr/bin/python3import sysprint('''_ _| | | |_ __ ___ _ __| |_ ___ ___ __ _ _ __ ___| |__| '_ / _ | '__| __/ __|/ _ / _` | '__/ __| '_| |_) | (_) | | | |___ __/ (_| | | | (__| | | || .__/ ___/|_| __|___/___|__,_|_| ___|_| |_|| ||_|微信公众号:漏洞感知>QQ交流群:801830727>>用法:portsearch.py 445>>>说明:方便查询默认端口应用协议的小工具>>>>规则数:200条''')try:strport = sys.argv[1]portdata = {'7':'Echo','11':'Systat','13 ':'Daytime','15':'Netstat','17':'Quote of the day','19':'Character generator','21':'FTP','22':'SSH','23':'Telnet','25':'SMTP','26':'SSH','37':'rdate','49':'TACACS+','53':'DNS','67':'DHCP','69':'TFTP, BitTorrent','70':'Gopher','79':'Finger','80':'HTTP, malware','81':'HTTP, malware','82':' HTTP, malware','83':'HTTP','84':'HTTP','88':'Kerberos','102':'Siemens S7','104':'DICOM','110':'POP3','111':'Portmapper','113':'identd','119 ':'NNTP','123':'NTP','129':'Password generator protocol','137':'NetBIOS','143':'IMAP','161':'SNMP','175':'IBM Network Job Entry','179':'BGP','195':'TA14-353a','311':'OS X Server Manager','389':'LDAP,CLDAP','443':'HTTPS,QUIC','444':'TA14-353a, Dell SonicWALL','445':'SMB','465':'SMTPS','500':'IKE (VPN)','502':'Modbus','503':'Modbus','515':'Line Printer Daemon','520':'RIP','523':'IBM DB2','554':'RTSP','587':'SMTP mail submission','623':'IPMI','626':'OS X serialnumbered','636':'LDAPS','666':'Telnet','771':'Realport','789':'Redlion Crimson3','873':'rsync','902':'VMWare authentication','992':'Telnet (secure)','993':'IMAP with SSL','995':'POP3 with SSL','1010':'malware','1023':'Telnet','1025':'Kamstrup','1099':'Java RMI','1177':'malware','1200':'Codesys','1234':'udpxy','1434':'MS-SQL monitor','1515':'malware','1521':'Oracle TNS','1604':'Citrix, malware','1723':'PPTP','1741':'CiscoWorks','1833':'MQTT','1900':'UPnP','1911':'Niagara Fox','4444':'malware','4500':'IKE NAT-T (VPN)','4567':'Modem web interface','4664':'Qasar','4730':'Gearman','4782':'Qasar','4800':'Moxa Nport','4840':'OPC UA','4911':'Niagara Fox with SSL','4949':'Munin','5006':'MELSEC-Q','5007':'MELSEC-Q','5008 ':'NetMobility','5009':'Apple Airport Administration','5060':'SIP','5094':'HART-IP','5222':'XMPP','5269':'XMPP Server-to-Server','5353':'mDNS','5357':'Microsoft-HTTPAPI/2.0','5432':'PostgreSQL','5577':'Flux LED','5601':'Kibana','5632':'PCAnywhere','5672':'RabbitMQ','5900':'VNC','5901':'VNC','5938':'TeamViewer','5984':'CouchDB','6000':'X11','6001':'X11','6379':'Redis','6666':'Voldemort database, malware','6667':'IRC','6881':'BitTorrent DHT','6969':'TFTP, BitTorrent','7218':'Sierra wireless (Telnet)','7474':'Neo4j database','7548':'CWMP (HTTPS)','7777':'Oracle','8008':'Chromecast','8009':'Vizio HTTPS','8010':'Intelbras DVR','8060':'Roku web interface','8069':'OpenERP','8087':'Riak','8090':'Insteon HUB','8099':'Yahoo SmartTV','8112':'Deluge (HTTP)','8126':'StatsD','8139':'Puppet agent','8140':'Puppet master','8181':'GlassFish Server (HTTPS)','8333':'Bitcoin','8334':'Bitcoin node dashboard (HTTP)','8443':'HTTPS','8554':'RTSP','8800':'HTTP','8880':'Websphere SOAP','8888':'HTTP, Andromouse','8889':'SmartThings Remote Access','9000':'Vizio HTTPS','9001':'Tor OR','9002':'Tor OR','9009':'Julia','9042':'Cassandra CQL','9051':'Tor Control','9100':'Printer Job Language','9151':'Tor Control','9160':'Apache Cassandra','9191':'Sierra wireless (HTTP)','9418':'Git','9443':'Sierra wireless (HTTPS)','9595':'LANDesk Management Agent','9600':'OMRON','9633':'DarkTrack RAT','9869':'OpenNebula','10001':'Automated Tank Gauge,Ubiquiti','10243':'Microsoft-HTTPAPI/2.0','10554':'RTSP','11211':'Memcache','12345':'malware,Sierra wireless (Telnet)','17000':'Bose SoundTouch','17185':'VxWorks WDBRPC','11300':'Beanstalk','13579':'Media player classic web interface','14147':'Filezilla FTP','16010':'Apache Hbase','16992':'Intel AMT','16993':'Intel AMT','18245':'General Electric SRTP','20000':'DNP3','20547':'ProconOS','21025':'Starbound','21379':'Matrikon OPC','23023':'Telnet','23424':'Serviio','25105':'Insteon Hub','25565':'Minecraft','27015':'Steam A2S server query, Steam RCon','27016':'Steam A2S server query','27017':'MongoDB','28015':'Steam A2S server query','28017':'MongoDB (HTTP)','30313':'Gardasoft Lighting','30718':'Lantronix Setup','32400':'Plex','37777':'Dahuva DVR','44818':'EtherNet/IP','47808':'Bacnet','49152':'Supermicro (HTTP)','49153':'WeMo Link','50070':'HDFS Namenode','51106':'Deluge (HTTP)','53413':'Netis backdoor','54138':'Toshiba PoS','55443':'McAfee','55553':'Metasploit','55554':'Metasploit','62078':'Apple iDevice','64738':'Mumble',}print('[+]请参考查询结果:',portdata.get(strport))except:print('[*]usage: portsearch.py 445')
确定想编写的服务指纹,想写个radmin的指纹识别脚本,radmin百度百科介绍:Radmin (Remote Administrator)是一款屡获殊荣的远程控制软件,它将远程控制、外包服务组件、以及网络监控结合到一个系统里,提供最快速、强健而安全的工具包。
radmin服务端默认端口是4899,先从nmap目录下nmap-service-probes文件找指纹搜索关键词radmin。下面十六进制转义字符是指纹 后面的V/3.xx是指纹版本,后面的cpe是美国nist国家技术研究院的一个项目 用来区分软件的供应链信息。
match radmin m|^x01x00x00x00x25x09x00x01x10x08x01x00x09x08| p/Famatech Radmin/ v/2.X/ i/Windows Authentication/ o/Windows/ cpe:/a:famatech:radmin:2/ cpe:/o:microsoft:windows/amatch radmin m|^x01x00x00x00x25x0ax00x01x10x08x01x00x0ax08| p/Famatech Radmin/ v/2.X/ i/Radmin Authentication/ o/Windows/ cpe:/a:famatech:radmin:2/ cpe:/o:microsoft:windows/amatch radmin m|^x01x00x00x00x25x00x00x02x12x08x02x00x00x0a| p/Famatech Radmin/ v/3.X/ i/Radmin Authentication/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/amatch radmin m|^x01x00x00x00x25x71x00x02x12x08x02x00x71x0a| p/Famatech Radmin/ v/3.X/ i/Windows Authentication/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/amatch radmin m|^x01x00x00x00x25x08x00x02x12x08x02x00x08x0a| p/Famatech Radmin/ v/3.X/ i/Radmin Authentication/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/amatch radmin m|^x01x00x00x00x25x79x00x02x12x08x02x00x79x0a| p/Famatech Radmin/ v/3.X/ i/Windows Authentication/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/amatch radmin m|^x01x00x00x00x25x59x00x02x12x08x02x00x59x0a| p/Famatech Radmin/ v/3.3/ o/Windows/ cpe:/a:famatech:radmin:3.3/ cpe:/o:microsoft:windows/amatch radmin m|^x01x00x00x00x25x04x00x02x12x08x02x00x04x0a| p/Famatech Radmin/ v/3.0/ o/Windows/ cpe:/a:famatech:radmin:3.0/ cpe:/o:microsoft:windows/amatch radmin m|^x01x00x00x00x09x00x00x10x4fx2fx10x00x00x04x00x00x00x1c| p/Famatech Radmin/ v/3.X/ i/Source IP blocked/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/asoftmatch radmin m|^x01x00x00x00x25.x00..x08.x00..|s p/Famatech Radmin/ o/Windows/ cpe:/a:famatech:radmin/ cpe:/o:microsoft:windows/a
首先通过国内的zoomeye、fofa、quake找下radmin服务目标。
关键词service:"radmin" zoomeye还没添加radmin识别规则。
关键词protocol=="radmin" fofa还没添加radmin识别规则。
关键词service:"radmin" quake添加了radmin识别规则。
所以说作为消费者多试试多样性的产品,因为每个产品背后数据源多多少少有点不同。
通过quake找到一个目标1.247.245.126:4899 可以看一下右边可以看到这条数据的扫描日期。在这个网络世界ip资产也在不断调整变化,数据也有时间差的。首先用nmap扫描一下4899端口确定一下radmin 版本。
确定版本radmin Famatech Radmin 3.X (Source IP blocked)
PORT STATE SERVICE VERSION4899/tcp open radmin Famatech Radmin 3.X (Source IP blocked)
然后找到这条指纹
match radmin m|^x01x00x00x00x09x00x00x10x4fx2fx10x00x00x04x00x00x00x1c| p/Famatech Radmin/ v/3.X/ i/Source IP blocked/ o/Windows/ cpe:/a:famatech:radmin:3/ cpe:/o:microsoft:windows/socket建立请求
#! /usr/bin/python3import socketaddress = (str('1.247.245.126'), int('4899'))#socket.SOCK_DGRAM UDP#socket.SOCK_STREAM TCPrdamin = socket.socket(socket.AF_INET,socket.SOCK_STREAM)rdamin.settimeout(3)rdamin.connect(address)rtspdata = 'x01x00x00x00x09x00x00x10x4fx2fx10x00x00x04x00x00x00x1c'rdamin.sendall(str.encode(rtspdata))data = rdamin.recv(1024)#radmin.recv TCP#radmin.recvfrom udppf = str(data)print(data) #返回数据
与quake请求结果对比确定是radmin服务,然后根据这个返回的结果添加特征对比就能判断radmin服务了,不过不同的radmin版本发送的请求包不同返回的数据包也不同,所以需要发送多个请求来判断,不同的服务可能请求方式不同,大概编写banner流程是这样的。
x01x00x00x00x09x00x00x10O/x10x00x00x04x00x00x00x1c
本文始发于微信公众号(漏洞感知):编写banner识别脚本
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论