[SDX12] Hiding dnsmasq's version number so that nmap cannot scan the version information: how it is done
Installing nmap
Fetch the vulscan vulnerability database
git clone https://github.com/scipag/vulscan scipag_vulscan
Install nmap
sudo apt-get install nmap
nmap usage
$ nmap
Nmap 7.60 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
Scanning dnsmasq for vulnerabilities
nmap -sV --script=./scipag_vulscan/vulscan.nse 192.168.1.1
Starting Nmap 7.60 ( https://nmap.org ) at 2022-11-11 10:00 CST
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 10:02 (0:00:22 remaining)
Nmap scan report for mytest.net (192.168.1.1)
Host is up (0.013s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.81
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_
As the output shows, the dnsmasq version number is displayed, so the version number is disclosed:
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.81
Capturing the exchange with Wireshark
nmap sent the following request packet:
Domain Name System (query)
    Length: 30
    Transaction ID: 0x0006
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        version.bind: type TXT, class CH
            Name: version.bind
            [Name Length: 12]
            [Label Count: 2]
            Type: TXT (Text strings) (16)
            Class: CH (0x0003)
    [Response In: 20331]
The device replied with the following packet:
Domain Name System (response)
    Length: 55
    Transaction ID: 0x0006
    Flags: 0x8580 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        version.bind: type TXT, class CH
            Name: version.bind
            [Name Length: 12]
            [Label Count: 2]
            Type: TXT (Text strings) (16)
            Class: CH (0x0003)
    Answers
        version.bind: type TXT, class CH
            Name: version.bind
            Type: TXT (Text strings) (16)
            Class: CH (0x0003)
            Time to live: 0 (0 seconds)
            Data length: 13
            TXT Length: 12
            TXT: dnsmasq-2.81
    [Request In: 20327]
    [Time: 0.003940000 seconds]
The reply packet carries the dnsmasq version number in the TXT answer for version.bind.
Problem analysis
Looking at dnsmasq-2.81/src/config.h, we find the following description:
NO_ID
   Don't report *.bind CHAOS info to clients, forward such requests upstream instead.
   Compiling with -DNO_ID removes the *.bind info structure.
   This includes: version, author, copyright, cachesize, cache insertions,
   evictions, misses & hits, auth & servers.
In dnsmasq-2.81/src/option.c the corresponding code is:
#ifndef NO_ID
  /* CHAOS-class TXT records answered locally for *.bind queries;
     version.bind is the one nmap's -sV probe reads */
  add_txt("version.bind", "dnsmasq-" VERSION, 0 );
  add_txt("authors.bind", "Simon Kelley", 0);
  add_txt("copyright.bind", COPYRIGHT, 0);
  /* cache statistics, filled in at query time from the TXT_STAT_* counters */
  add_txt("cachesize.bind", NULL, TXT_STAT_CACHESIZE);
  add_txt("insertions.bind", NULL, TXT_STAT_INSERTS);
  add_txt("evictions.bind", NULL, TXT_STAT_EVICTIONS);
  add_txt("misses.bind", NULL, TXT_STAT_MISSES);
  add_txt("hits.bind", NULL, TXT_STAT_HITS);
#ifdef HAVE_AUTH
  add_txt("auth.bind", NULL, TXT_STAT_AUTH);
#endif
  add_txt("servers.bind", NULL, TXT_STAT_SERVERS);
#endif
So defining NO_ID at compile time removes the version.bind record and with it the version disclosure.
The fix
Edit dnsmasq-2.81/Makefile and change
COPTS =
to
COPTS = -DNO_ID
After this change, rebuild dnsmasq and scan again: the version number is no longer displayed. The scan output is as follows:
$ nmap -sV --script=./scipag_vulscan/vulscan.nse 192.168.1.1
Starting Nmap 7.60 ( https://nmap.org ) at 2022-11-11 13:55 CST
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 13:56 (0:00:15 remaining)
Stats: 0:00:51 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 13:56 (0:00:17 remaining)
Nmap scan report for mytest.net (192.168.1.1)
Host is up (0.014s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain pdnsd
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_
As the output shows, the VERSION column is now empty:
PORT STATE SERVICE VERSION
53/tcp open domain pdnsd
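As an added self-check (not code from this post or from dnsmasq), the Python script below rebuilds the exact 30-byte version.bind CH TXT probe seen in the Wireshark capture, parses the reply (including the 0xc00c name-compression pointer the 55-byte answer uses), and reports what the resolver discloses; probe() sends it to your own dnsmasq so you can compare before and after the -DNO_ID rebuild. The two sample replies are constructed from the byte layout in the capture; the REFUSED reply for the NO_ID case is an assumption about what the upstream returns after dnsmasq forwards the query.

```python
import socket
import struct

TXT, CH = 16, 3  # DNS TXT record type, CHAOS class
QUESTION = b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CH)

def build_version_bind_query(txid=0x0006):
    """The 30-byte probe nmap sent in the capture: ID 0x0006, flags 0x0100, 1 question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + QUESTION

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:  # 2-byte pointer (0xc00c in the reply above)
            return off + 2
        off += 1 + msg[off]
    return off + 1

def disclosed_version(msg):
    """TXT string from a version.bind reply, or None when nothing is disclosed.
    None also covers a NO_ID build: dnsmasq forwards *.bind upstream, so the
    client usually gets REFUSED/NXDOMAIN or a reply with no answer records."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000) or (flags & 0x000F) or an == 0:
        return None
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(msg, off) + 4
    off = _skip_name(msg, off)               # answer owner name
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    if (rtype, rclass) != (TXT, CH):
        return None
    rdata = msg[off + 10:off + 10 + rdlen]   # TXT rdata is <len><chars>
    return rdata[1:1 + rdata[0]].decode("ascii", "replace")

def probe(host, port=53, timeout=2.0):
    """Send the probe to your own resolver and report what it discloses."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_bind_query(), (host, port))
        try:
            return disclosed_version(sock.recvfrom(512)[0])
        except socket.timeout:
            return None

# Constructed samples: the 55-byte reply from the capture (dnsmasq-2.81) and an
# assumed REFUSED reply (rcode 5) such as an upstream returns for a NO_ID build.
LEAKY_REPLY = (struct.pack("!HHHHHH", 0x0006, 0x8580, 1, 1, 0, 0) + QUESTION
               + b"\xc0\x0c" + struct.pack("!HHIH", TXT, CH, 0, 13) + b"\x0cdnsmasq-2.81")
REFUSED_REPLY = struct.pack("!HHHHHH", 0x0006, 0x8185, 1, 0, 0, 0) + QUESTION
```

Note that nmap still reports port 53 as open and guesses a service name (pdnsd in the scan above); NO_ID hides the version string, not the service itself.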