• [SDX12] Hiding the dnsmasq version string so that nmap cannot fingerprint the version: how it is done


    Get the vulscan vulnerability database

    git clone https://github.com/scipag/vulscan scipag_vulscan

    Install nmap

     sudo apt-get install nmap

     nmap command reference (output of running nmap with no arguments)

    $ nmap
    Nmap 7.60 ( https://nmap.org )
    Usage: nmap [Scan Type(s)] [Options] {target specification}
    TARGET SPECIFICATION:
    Can pass hostnames, IP addresses, networks, etc.
    Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
    -iL <inputfilename>: Input from list of hosts/networks
    -iR <num hosts>: Choose random targets
    --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
    --excludefile <exclude_file>: Exclude list from file
    HOST DISCOVERY:
    -sL: List Scan - simply list targets to scan
    -sn: Ping Scan - disable port scan
    -Pn: Treat all hosts as online -- skip host discovery
    -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
    -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
    -PO[protocol list]: IP Protocol Ping
    -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
    --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
    --system-dns: Use OS's DNS resolver
    --traceroute: Trace hop path to each host
    SCAN TECHNIQUES:
    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    -sU: UDP Scan
    -sN/sF/sX: TCP Null, FIN, and Xmas scans
    --scanflags <flags>: Customize TCP scan flags
    -sI <zombie host[:probeport]>: Idle scan
    -sY/sZ: SCTP INIT/COOKIE-ECHO scans
    -sO: IP protocol scan
    -b <FTP relay host>: FTP bounce scan
    PORT SPECIFICATION AND SCAN ORDER:
    -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
    --exclude-ports <port ranges>: Exclude the specified ports from scanning
    -F: Fast mode - Scan fewer ports than the default scan
    -r: Scan ports consecutively - don't randomize
    --top-ports <number>: Scan <number> most common ports
    --port-ratio <ratio>: Scan ports more common than <ratio>
    SERVICE/VERSION DETECTION:
    -sV: Probe open ports to determine service/version info
    --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
    --version-light: Limit to most likely probes (intensity 2)
    --version-all: Try every single probe (intensity 9)
    --version-trace: Show detailed version scan activity (for debugging)
    SCRIPT SCAN:
    -sC: equivalent to --script=default
    --script=<Lua scripts>: <Lua scripts> is a comma separated list of
    directories, script-files or script-categories
    --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
    --script-args-file=filename: provide NSE script args in a file
    --script-trace: Show all data sent and received
    --script-updatedb: Update the script database.
    --script-help=<Lua scripts>: Show help about scripts.
    <Lua scripts> is a comma-separated list of script-files or
    script-categories.
    OS DETECTION:
    -O: Enable OS detection
    --osscan-limit: Limit OS detection to promising targets
    --osscan-guess: Guess OS more aggressively
    TIMING AND PERFORMANCE:
    Options which take <time> are in seconds, or append 'ms' (milliseconds),
    's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
    -T<0-5>: Set timing template (higher is faster)
    --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
    --min-parallelism/max-parallelism <numprobes>: Probe parallelization
    --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
    probe round trip time.
    --max-retries <tries>: Caps number of port scan probe retransmissions.
    --host-timeout <time>: Give up on target after this long
    --scan-delay/--max-scan-delay <time>: Adjust delay between probes
    --min-rate <number>: Send packets no slower than <number> per second
    --max-rate <number>: Send packets no faster than <number> per second
    FIREWALL/IDS EVASION AND SPOOFING:
    -f; --mtu <val>: fragment packets (optionally w/given MTU)
    -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
    -S <IP_Address>: Spoof source address
    -e <iface>: Use specified interface
    -g/--source-port <portnum>: Use given port number
    --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
    --data <hex string>: Append a custom payload to sent packets
    --data-string <string>: Append a custom ASCII string to sent packets
    --data-length <num>: Append random data to sent packets
    --ip-options <options>: Send packets with specified ip options
    --ttl <val>: Set IP time-to-live field
    --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
    --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
    OUTPUT:
    -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
    and Grepable format, respectively, to the given filename.
    -oA <basename>: Output in the three major formats at once
    -v: Increase verbosity level (use -vv or more for greater effect)
    -d: Increase debugging level (use -dd or more for greater effect)
    --reason: Display the reason a port is in a particular state
    --open: Only show open (or possibly open) ports
    --packet-trace: Show all packets sent and received
    --iflist: Print host interfaces and routes (for debugging)
    --append-output: Append to rather than clobber specified output files
    --resume <filename>: Resume an aborted scan
    --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
    --webxml: Reference stylesheet from Nmap.Org for more portable XML
    --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
    MISC:
    -6: Enable IPv6 scanning
    -A: Enable OS detection, version detection, script scanning, and traceroute
    --datadir <dirname>: Specify custom Nmap data file location
    --send-eth/--send-ip: Send using raw ethernet frames or IP packets
    --privileged: Assume that the user is fully privileged
    --unprivileged: Assume the user lacks raw socket privileges
    -V: Print version number
    -h: Print this help summary page.
    EXAMPLES:
    nmap -v -A scanme.nmap.org
    nmap -v -sn 192.168.0.0/16 10.0.0.0/8
    nmap -v -iR 10000 -Pn -p 80
    SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

    Scan dnsmasq for vulnerabilities

     nmap -sV --script=./scipag_vulscan/vulscan.nse 192.168.1.1

    Starting Nmap 7.60 ( https://nmap.org ) at 2022-11-11 10:00 CST
    Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
    Service scan Timing: About 66.67% done; ETC: 10:02 (0:00:22 remaining)
    Nmap scan report for mytest.net (192.168.1.1)
    Host is up (0.013s latency).
    Not shown: 997 filtered ports
    PORT STATE SERVICE VERSION
    53/tcp open domain dnsmasq 2.81
    | vulscan: VulDB - https://vuldb.com:
    | No findings
    |
    | MITRE CVE - https://cve.mitre.org:
    | No findings
    |
    | SecurityFocus - https://www.securityfocus.com/bid/:
    | No findings
    |
    | IBM X-Force - https://exchange.xforce.ibmcloud.com:
    | No findings
    |
    | Exploit-DB - https://www.exploit-db.com:
    | No findings
    |
    | OpenVAS (Nessus) - http://www.openvas.org:
    | No findings
    |
    | SecurityTracker - https://www.securitytracker.com:
    | No findings
    |
    | OSVDB - http://www.osvdb.org:
    | No findings
    |_

    The dnsmasq version number is reported, i.e. the service discloses its version. (vulscan's "No findings" only means that the product/version string did not match its bundled offline databases; it does not mean that dnsmasq 2.81 has no known vulnerabilities.)

    PORT     STATE SERVICE VERSION
    53/tcp   open  domain  dnsmasq 2.81

    Wireshark capture

    What nmap sent

     nmap request message

    Domain Name System (query)
    Length: 30
    Transaction ID: 0x0006
    Flags: 0x0100 Standard query
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
    version.bind: type TXT, class CH
    Name: version.bind
    [Name Length: 12]
    [Label Count: 2]
    Type: TXT (Text strings) (16)
    Class: CH (0x0003)
    [Response In: 20331]

    Reply message from the device

    Domain Name System (response)
    Length: 55
    Transaction ID: 0x0006
    Flags: 0x8580 Standard query response, No error
    1... .... .... .... = Response: Message is a response
    .000 0... .... .... = Opcode: Standard query (0)
    .... .1.. .... .... = Authoritative: Server is an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... 1... .... = Recursion available: Server can do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
    version.bind: type TXT, class CH
    Name: version.bind
    [Name Length: 12]
    [Label Count: 2]
    Type: TXT (Text strings) (16)
    Class: CH (0x0003)
    Answers
    version.bind: type TXT, class CH
    Name: version.bind
    Type: TXT (Text strings) (16)
    Class: CH (0x0003)
    Time to live: 0 (0 seconds)
    Data length: 13
    TXT Length: 12
    TXT: dnsmasq-2.81
    [Request In: 20327]
    [Time: 0.003940000 seconds]

     The reply carries the dnsmasq version string in a TXT record. nmap obtained it with the classic BIND-style query for `version.bind` in the CHAOS class (type TXT, class CH); the `Length: 30` / `Length: 55` fields Wireshark shows are the two-byte DNS-over-TCP length prefix, so the probe went to 53/tcp, which matches the open port in the scan above.

    Problem analysis

    dnsmasq-2.81/src/config.h contains the following description:

    NO_ID
    Don't report *.bind CHAOS info to clients, forward such requests upstream instead. Compiling with -DNO_ID removes the *.bind info structure.
    This includes: version, author, copyright, cachesize, cache insertions,
    evictions, misses & hits, auth & servers.

    dnsmasq-2.81/src/option.c contains the following code:

    #ifndef NO_ID
      add_txt("version.bind", "dnsmasq-" VERSION, 0 );
      add_txt("authors.bind", "Simon Kelley", 0);
      add_txt("copyright.bind", COPYRIGHT, 0);
      add_txt("cachesize.bind", NULL, TXT_STAT_CACHESIZE);
      add_txt("insertions.bind", NULL, TXT_STAT_INSERTS);
      add_txt("evictions.bind", NULL, TXT_STAT_EVICTIONS);
      add_txt("misses.bind", NULL, TXT_STAT_MISSES);
      add_txt("hits.bind", NULL, TXT_STAT_HITS);
    #ifdef HAVE_AUTH
      add_txt("auth.bind", NULL, TXT_STAT_AUTH);
    #endif
      add_txt("servers.bind", NULL, TXT_STAT_SERVERS);
    #endif

     So the whole block of built-in `*.bind` CHAOS TXT records (version, authors, copyright and the cache statistics) is compiled in only when NO_ID is undefined; defining NO_ID at compile time removes them and therefore hides the version number.

    The fix

    Edit dnsmasq-2.81/Makefile and change

    COPTS         = 

    to

    COPTS         = -DNO_ID

    (The leading `-` matters: `-DNO_ID` is the compiler flag that defines the NO_ID macro, whereas a bare `DNO_ID` would be passed to the compiler as a file name and break the build. Since COPTS is an ordinary make variable, running `make COPTS=-DNO_ID` achieves the same thing without editing the Makefile.)

    After the change, rebuild dnsmasq and test again: the version information is no longer displayed. The scan output is as follows:

    $ nmap -sV --script=./scipag_vulscan/vulscan.nse 192.168.1.1
    Starting Nmap 7.60 ( https://nmap.org ) at 2022-11-11 13:55 CST
    Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
    Service scan Timing: About 66.67% done; ETC: 13:56 (0:00:15 remaining)
    Stats: 0:00:51 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
    Service scan Timing: About 66.67% done; ETC: 13:56 (0:00:17 remaining)
    Nmap scan report for mytest.net (192.168.1.1)
    Host is up (0.014s latency).
    Not shown: 997 filtered ports
    PORT STATE SERVICE VERSION
    53/tcp open domain pdnsd
    | vulscan: VulDB - https://vuldb.com:
    | No findings
    |
    | MITRE CVE - https://cve.mitre.org:
    | No findings
    |
    | SecurityFocus - https://www.securityfocus.com/bid/:
    | No findings
    |
    | IBM X-Force - https://exchange.xforce.ibmcloud.com:
    | No findings
    |
    | Exploit-DB - https://www.exploit-db.com:
    | No findings
    |
    | OpenVAS (Nessus) - http://www.openvas.org:
    | No findings
    |
    | SecurityTracker - https://www.securitytracker.com:
    | No findings
    |
    | OSVDB - http://www.osvdb.org:
    | No findings
    |_

    The VERSION column is now empty, and the SERVICE column shows `pdnsd`, which is only nmap's best guess from a fallback fingerprint now that the `version.bind` answer is gone, not an actual pdnsd instance.

    PORT     STATE SERVICE VERSION
    53/tcp   open  domain  pdnsd

    Two caveats. First, the config.h description says that with NO_ID dnsmasq forwards `*.bind` CHAOS requests upstream instead of dropping them, so if an upstream resolver answers `version.bind`, that upstream's banner can be relayed back to the client; re-check the reply after the rebuild rather than relying on the empty VERSION column alone. Second, hiding the banner only removes one fingerprinting shortcut; it does not fix any vulnerability in dnsmasq 2.81 itself, so the build still has to be kept up to date.
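The following is an added example, not code from the original post or from the dnsmasq project. It rebuilds the exact exchange from the Wireshark capture above (the 30-byte `version.bind TXT CH` query and the 55-byte reply carrying `dnsmasq-2.81`) and provides a small probe that sends that query over TCP with the two-byte length prefix, the way nmap's service probe did, so the fix can be re-checked without nmap and the "forwarded upstream" case can be spotted (an answer that is not dnsmasq's own banner). The target address 192.168.1.1 is the one used in the post; the transaction ID 6 matches the capture; everything else (function names, the TCP-only transport, the 3-second timeout) is this example's own choice.

```python
"""Probe a DNS server for the CHAOS-class version.bind TXT record.

Added example (not from the original post or from dnsmasq). Reconstructs the
query/reply seen in the capture and can send the same query over TCP.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: 'version.bind' -> 07'version' 04'bind' 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(txid: int = 6, name: str = "version.bind") -> bytes:
    """Standard query (flags 0x0100 = RD) for <name> TXT CH; 30 bytes for version.bind."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def read_name(msg: bytes, off: int):
    """Return (name, offset_after_name), following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse header and answer section; return id, flags, rcode and every TXT string found."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    txts = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:
            pos = 0
            while pos < len(rdata):           # RDATA is a sequence of <len><chars>
                n = rdata[pos]
                txts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return {"id": txid, "flags": flags, "rcode": flags & 0xF, "txt": txts}


def build_response(txid: int, txt: str, name: str = "version.bind") -> bytes:
    """Reply shaped like dnsmasq's (flags 0x8580 = QR|AA|RD|RA, TTL 0, name pointer 0xc00c)."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    data = txt.encode("ascii")
    rdata = struct.pack("!B", len(data)) + data
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def probe_tcp(host: str, port: int = 53, timeout: float = 3.0) -> list:
    """Send the version.bind query over TCP (2-byte length prefix, like nmap's probe); return TXT strings."""
    query = build_query()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        hdr = s.recv(2)
        if len(hdr) < 2:
            return []
        (length,) = struct.unpack("!H", hdr)
        buf = b""
        while len(buf) < length:
            chunk = s.recv(length - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)["txt"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    found = probe_tcp(target)
    print("version.bind TXT answer: %r" % found if found else "no version.bind TXT answer")
```

Run it against the device before and after the rebuild: before, it returns `['dnsmasq-2.81']`; after, it should return an empty list. If it returns a string that is not a dnsmasq banner, the CHAOS query was forwarded and the upstream resolver is the one answering.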

  • Original source: https://blog.csdn.net/wgl307293845/article/details/127800592