MSF魔鬼训练营-3.2.2 操作系统辨识

利用操作系统视频进行社会工程学攻击。
例如在探测到目标用户所使用的网络设备、服务器设备厂家型号等信息后。可伪装成相关厂家的技术人员通过电话、邮件等方式与系统管理员取得联系得到信任。
NMAP

示例： 使用 -PU -sn 扫描存活主机 使用 -O判断系统 -sV对版本信息进行辨识 -A获取更详细的服务和操作系统信息
msf > nmap -PU -sn 192.168.1.0/24
[*] exec: nmap -PU -sn 192.168.1.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:00 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 192.168.1.102
Host is up (0.0016s latency).
Nmap scan report for 192.168.1.104
Host is up (0.0034s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 36.16 seconds
msf > nmap -O 192.168.1.102
[*] exec: nmap -O 192.168.1.102

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:01 CST
Nmap scan report for 192.168.1.102
Host is up (0.0017s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
msf > nmap -O 192.168.1.104
[*] exec: nmap -O 192.168.1.104

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:01 CST
Nmap scan report for 192.168.1.104
Host is up (0.0025s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Device type: general purpose
Running: Microsoft Windows 8.1
OS CPE: cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 8.1 Enterprise
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.02 seconds
msf > nmap -O -sV 192.168.1.104
[*] exec: nmap -O -sV 192.168.1.104

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:14 CST
Nmap scan report for 192.168.1.104
Host is up (0.0024s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.40%E=4%D=9/8%OT=135%CT=1%CU=31933%PV=Y%DS=2%DC=I%G=Y%TM=59B297F
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=101%TI=I%CI=I%TS=7)SEQ(SP=FF
OS:%GCD=1%ISR=101%CI=I%TS=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT
OS:11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000
OS:%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=40%W=2000%O=M5B4NW8NNS%CC=N%Q=)T
OS:1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6
OS:(R=Y%DF=Y%T=40%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=16
OS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 2 hops
Service Info: Host: PC-20150927TDPG; OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.63 seconds
msf > nmap -O -sV -A 192.168.1.104
[*] exec: nmap -O -sV -A 192.168.1.104

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 21:18 CST
Nmap scan report for 192.168.1.104
Host is up (0.0023s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 8.1
OS CPE: cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 8.1 Enterprise
Network Distance: 2 hops
Service Info: Host: PC-20150927TDPG; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -21m41s, deviation: 0s, median: -21m41s
|_nbstat: NetBIOS name: PC-20150927TDPG, NetBIOS user: <unknown>, NetBIOS MAC: 90:2b:34:e9:9b:ea (Giga-byte Technology)
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: PC-20150927TDPG
| NetBIOS computer name: PC-20150927TDPGx00
| Workgroup: WORKGROUPx00
|_ System time: 2017-09-08T20:58:16+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 1.20 ms RT-AC54U.lan (192.168.3.1)
2 1.77 ms 192.168.1.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.54 seconds