Install nmap

Get the vulscan vulnerability database

git clone https://github.com/scipag/vulscan scipag_vulscan

Install nmap

sudo apt-get install nmap

nmap usage

$ nmap
Nmap 7.60 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Scanning dnsmasq for vulnerabilities

nmap -sV --script=./scipag_vulscan/vulscan.nse 192.168.1.1
Starting Nmap 7.60 ( https://nmap.org ) at 2022-11-11 10:00 CST
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 10:02 (0:00:22 remaining)
Nmap scan report for mytest.net (192.168.1.1)
Host is up (0.013s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
53/tcp   open  domain  dnsmasq 2.81
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_

As you can see, the dnsmasq version number is displayed: the service leaks its version.

PORT     STATE SERVICE VERSION
53/tcp   open  domain  dnsmasq 2.81

Capturing with Wireshark

This is what nmap sent.

nmap request packet

Domain Name System (query)
    Length: 30
    Transaction ID: 0x0006
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        version.bind: type TXT, class CH
            Name: version.bind
            [Name Length: 12]
            [Label Count: 2]
            Type: TXT (Text strings) (16)
            Class: CH (0x0003)
    [Response In: 20331]

Device reply packet

Domain Name System (response)
    Length: 55
    Transaction ID: 0x0006
    Flags: 0x8580 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        version.bind: type TXT, class CH
            Name: version.bind
            [Name Length: 12]
            [Label Count: 2]
            Type: TXT (Text strings) (16)
            Class: CH (0x0003)
    Answers
        version.bind: type TXT, class CH
            Name: version.bind
            Type: TXT (Text strings) (16)
            Class: CH (0x0003)
            Time to live: 0 (0 seconds)
            Data length: 13
            TXT Length: 12
            TXT: dnsmasq-2.81
    [Request In: 20327]
    [Time: 0.003940000 seconds]

The reply packet contains the dnsmasq version string.
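The version.bind exchange above, as an added Python script that is not part of the original post: build_version_bind_query produces the same 30-byte CH TXT probe nmap sent, parse_version_bind_response extracts the version string from the 55-byte reply, and check_version_leak runs the probe against a live resolver so the same check can be repeated after the rebuild. The embedded reply bytes are constructed from the capture above; the function names and the host argument are my own.

```python
import socket
import struct
QTYPE_TXT, QCLASS_CH = 16, 3  # TXT record; CHAOS class carries the *.bind pseudo-zone

def encode_name(name):
    """Dotted name to DNS labels: 'version.bind' -> b'\\x07version\\x04bind\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_version_bind_query(txid=0x0006):
    """Header (RD set, one question) + version.bind/TXT/CH: the 30-byte probe captured above."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def skip_name(data, pos):
    """Advance past a name: a 2-byte compression pointer or labels up to the 0 terminator."""
    if data[pos] & 0xC0 == 0xC0:
        return pos + 2
    while data[pos]:
        pos += data[pos] + 1
    return pos + 1

def parse_version_bind_response(data):
    """TXT string of the first answer, or None when the reply carries no answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or an == 0:         # not a response, or nothing answered
        return None
    pos = 12
    for _ in range(qd):                       # skip the echoed question section
        pos = skip_name(data, pos) + 4        # name + QTYPE/QCLASS
    pos = skip_name(data, pos)                # answer name (dnsmasq sends the 0xc00c pointer)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != QTYPE_TXT or rclass != QCLASS_CH or rdlen == 0:
        return None
    txt_len = data[pos]                       # TXT rdata: one length byte, then the characters
    return data[pos + 1:pos + 1 + txt_len].decode(errors="replace")

def check_version_leak(host, port=53, timeout=2.0):
    """Send the probe to a live resolver (host is whatever you are testing); version or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (host, port))
        data, _ = s.recvfrom(512)
    return parse_version_bind_response(data)

SAMPLE_LEAKY_REPLY = (  # constructed: byte-for-byte the 55-byte device reply dissected above
    struct.pack("!HHHHHH", 0x0006, 0x8580, 1, 1, 0, 0)                          # response, AA/RD/RA, 1 answer
    + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)     # echoed question
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, 13) + b"\x0cdnsmasq-2.81"
)
```

Note that the dnsmasq config.h comment quoted further down says a build without the *.bind info forwards such requests upstream instead, so a non-None result from check_version_leak after the rebuild would describe the upstream resolver, not dnsmasq itself.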

Analysis

Looking at dnsmasq-2.81/src/config.h, we find the following description:

NO_ID
   Don't report *.bind CHAOS info to clients, forward such requests upstream instead,
   Compiling with -DNO_ID removes the *.bind info structure.
   This includes: version, author, copyright, cachesize, cache insertions,
   evictions, misses & hits, auth & servers.

dnsmasq-2.81/src/option.c contains the following code:

#ifndef NO_ID
  add_txt("version.bind", "dnsmasq-" VERSION, 0 );
  add_txt("authors.bind", "Simon Kelley", 0);
  add_txt("copyright.bind", COPYRIGHT, 0);
  add_txt("cachesize.bind", NULL, TXT_STAT_CACHESIZE);
  add_txt("insertions.bind", NULL, TXT_STAT_INSERTS);
  add_txt("evictions.bind", NULL, TXT_STAT_EVICTIONS);
  add_txt("misses.bind", NULL, TXT_STAT_MISSES);
  add_txt("hits.bind", NULL, TXT_STAT_HITS);
#ifdef HAVE_AUTH
  add_txt("auth.bind", NULL, TXT_STAT_AUTH);
#endif
  add_txt("servers.bind", NULL, TXT_STAT_SERVERS);
#endif

So defining NO_ID at compile time hides the version number.

The fix

Edit dnsmasq-2.81/Makefile and change

COPTS         = 

to (the flag needs the -D prefix so the compiler defines NO_ID, as config.h notes)

COPTS         = -DNO_ID

After the change, rebuild dnsmasq and test again: the version number is no longer displayed. The scan output is as follows.

$ nmap -sV --script=./scipag_vulscan/vulscan.nse 192.168.1.1
Starting Nmap 7.60 ( https://nmap.org ) at 2022-11-11 13:55 CST
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 13:56 (0:00:15 remaining)
Stats: 0:00:51 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 13:56 (0:00:17 remaining)
Nmap scan report for mytest.net (192.168.1.1)
Host is up (0.014s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
53/tcp   open  domain  pdnsd
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_

As you can see, no version number is shown in the VERSION column.

PORT     STATE SERVICE VERSION
53/tcp   open  domain  pdnsd
