Security 2

Host 10

# echo love > love.txt  Create a file love.txt whose content is "love"
# cat love.txt
love

# gpg -c love.txt  Symmetric encryption. gpg prints the following and asks you to enter a passphrase twice to confirm; assume the passphrase is 123:

gpg: 已创建目录‘/root/.gnupg’
gpg: 新的配置文件‘/root/.gnupg/gpg.conf’已建立
gpg: 警告:在‘/root/.gnupg/gpg.conf’里的选项于此次运行期间未被使用
gpg: 钥匙环‘/root/.gnupg/pubring.gpg’已建立

# ls love.txt*  A .gpg file with the original name is generated: love.txt.gpg
love.txt love.txt.gpg

# cat love.txt  The original file love.txt still holds the unencrypted content
love

# cat love.txt.gpg  Viewing the encrypted file love.txt.gpg shows only ciphertext, which is unreadable
(binary ciphertext, not reproduced)

# gpg -d love.txt.gpg > a.txt  Decrypt love.txt.gpg on the same host and redirect the output to a.txt. Because the file was encrypted on this host a moment ago, no passphrase is asked for (gpg-agent still has it cached)
gpg: 钥匙环‘/root/.gnupg/secring.gpg’已建立
gpg: CAST5 加密过的数据
gpg: 以 1 个密码加密
gpg: 警告:报文未受到完整的保护

# cat a.txt
love

[root@10 ~]# scp /root/love.txt.gpg 192.168.4.20:/root/  Copy the encrypted file love.txt.gpg to host 20
######################################################################################
Host 20

# ls
love.txt.gpg ...

# gpg -d love.txt.gpg  Here the passphrase must be entered before the content can be read
gpg: 已创建目录‘/root/.gnupg’
gpg: 新的配置文件‘/root/.gnupg/gpg.conf’已建立
gpg: 警告:在‘/root/.gnupg/gpg.conf’里的选项于此次运行期间未被使用
gpg: 钥匙环‘/root/.gnupg/secring.gpg’已建立
gpg: 钥匙环‘/root/.gnupg/pubring.gpg’已建立
gpg: CAST5 加密过的数据
gpg: 以 1 个密码加密
love  This is the decrypted result
gpg: 警告:报文未受到完整的保护

# gpg -d love.txt.gpg > b.txt
gpg: CAST5 加密过的数据
gpg: 以 1 个密码加密
gpg: 警告:报文未受到完整的保护
[root@20 ~]# cat b.txt
love
######################################################################################

Asymmetric encryption: private key (decrypts), public key (encrypts)

userA generates a key pair
userA sends the public key to userB
userB encrypts the data with the public key and sends it to userA
userA decrypts it with the private key

######################################################################################
Generating a key pair

Host 10

# gpg --gen-key

It prints the following:
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

请选择您要使用的密钥种类:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (仅用于签名)
(4) RSA (仅用于签名)
您的选择?  Press Enter to accept the default, RSA
RSA 密钥长度应在 1024 位与 4096 位之间。
您想要用多大的密钥尺寸?(2048)  Press Enter to accept the default key size of 2048 bits
您所要求的密钥尺寸是 2048 位
请设定这把密钥的有效期限。
0 = 密钥永不过期
<n> = 密钥在 n 天后过期
<n>w = 密钥在 n 周后过期
<n>m = 密钥在 n 月后过期
<n>y = 密钥在 n 年后过期
密钥的有效期限是?(0)  Enter 0 (zero) so that the key never expires
密钥永远不会过期
以上正确吗?(y/n)y  Enter y to confirm

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

真实姓名:summer  Enter the name summer
电子邮件地址:summer@163.com  Enter the email address summer@163.com
注释:this key is for lili  Enter a comment; anything will do, here "this key is for lili"
您选定了这个用户标识:
“summer (this key is for lili) <summer@163.com>”

更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)?O  Capital O confirms without changing anything

To change a field, type the corresponding capital letter; capital O confirms as is. A dialog then pops up asking whether to set a passphrase to protect the key. This passphrase is not used to decrypt data; it has to be entered before the private key can be used at all. If you leave it empty in the dialog, gpg asks you to confirm many times, and you have to keep clicking OK before it succeeds.
######################################################################################
On success it prints the following:

您需要一个密码来保护您的私钥。

您不想要有密码――这个想法实在是遭透了!
不过,我仍然会照您想的去做。您任何时候都可以变更您的密码,仅需要
再次执行这个程序,并且使用“--edit-key”选项即可。

我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的),这会让随机数字发生器有更好的机会获得足够的熵数。
我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的),这会让随机数字发生器有更好的机会获得足够的熵数。
gpg: /root/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 密钥 2FE87B6F 被标记为绝对信任
公钥和私钥已经生成并经签名。

gpg: 正在检查信任度数据库
gpg: 需要 3 份勉强信任和 1 份完全信任,PGP 信任模型
gpg: 深度:0 有效性: 1 已签名: 0 信任度:0-,0q,0n,0m,0f,1u
pub 2048R/2FE87B6F 2018-12-08
密钥指纹 = 4C45 3A42 4255 8AF0 23DB 74F5 8176 D439 2FE8 7B6F
uid summer (this key is for lili) <summer@163.com>
sub 2048R/2E7DCBAD 2018-12-08
######################################################################################
If the text-mode prompt does not come back cleanly (key generation stalls waiting for entropy), run:
reset
mv /dev/random{,.bak}
ln -s /dev/urandom /dev/random
######################################################################################
Viewing the generated keys

# gpg --list-keys
It shows:
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/2FE87B6F 2018-12-08  The value after the slash, 2FE87B6F (the primary key ID), also identifies the key, but it is hard to remember
uid summer (this key is for lili) <summer@163.com>  The name and email address we set earlier; either one can be used to refer to the key
sub 2048R/2E7DCBAD 2018-12-08  The value after the slash, 2E7DCBAD (the subkey ID), also identifies the key, but it is hard to remember
######################################################################################
Exporting the public key (the user name, the email address, the pub ID or the sub ID can all be used to select it)

# gpg -a --export summer@163.com > mykey  Export the key by email address
Without -a the exported file is binary and unreadable when viewed.
The name summer and the email summer@163.com set earlier both refer to this key. mykey is the file the key is written to; name it anything you like, preferably something descriptive.

# gpg -a --export summer > mykey1  Export by user name
# gpg -a --export 2FE87B6F > mykey2  Export by the pub ID
# gpg -a --export 2E7DCBAD > mykey3  Export by the sub ID
######################################################################################
Whichever selector is used for the export, the contents of the key file are identical; md5sum shows this.

# md5sum mykey
6d5a1ed2d5ff2409434a12483828809e mykey

# md5sum mykey1
6d5a1ed2d5ff2409434a12483828809e mykey1

# md5sum mykey2
6d5a1ed2d5ff2409434a12483828809e mykey2

# md5sum mykey3
6d5a1ed2d5ff2409434a12483828809e mykey3

# diff mykey mykey1  Compare two key files directly; no output means the contents are identical
# diff mykey mykey2
# diff mykey mykey3
######################################################################################
# cat mykey  View the key file. It is not human-readable, but it consists only of printable keyboard characters. Without -a in the export it would be binary.

Its contents:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

(base64 key body omitted)
-----END PGP PUBLIC KEY BLOCK-----


# scp mykey 192.168.4.30:/root/  Copy the key file to /root on host 30
######################################################################################
Demonstration for reference only: without -a, the exported file is binary garbage when viewed.

# gpg --export summer@163.com > mykeytest

# cat mykeytest
(binary output, not reproduced)
######################################################################################
Host 30

# gpg --list-keys  Before the key is imported, no key information is shown.
It prints:
gpg: 已创建目录‘/root/.gnupg’
gpg: 新的配置文件‘/root/.gnupg/gpg.conf’已建立
gpg: 警告:在‘/root/.gnupg/gpg.conf’里的选项于此次运行期间未被使用
gpg: 钥匙环‘/root/.gnupg/pubring.gpg’已建立
gpg: /root/.gnupg/trustdb.gpg:建立了信任度数据库


# gpg --import /root/mykey  The key file to import; give the path the file was copied to.
It prints:
gpg: 钥匙环‘/root/.gnupg/secring.gpg’已建立
gpg: 密钥 2FE87B6F:公钥“summer (this key is for lili) <summer@163.com>”已导入
gpg: 合计被处理的数量:1
gpg: 已导入:1 (RSA: 1)


# gpg --list-key  After the import, the key information is visible.
It shows:
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/2FE87B6F 2018-12-08
uid summer (this key is for lili) <summer@163.com>
sub 2048R/2E7DCBAD 2018-12-08
######################################################################################
Host 30 encrypts data with the public key and sends it to host 10

Host 30

# echo hello > hello.txt  First create a file hello.txt whose content is hello
# cat hello.txt
hello

# gpg -e -r summer@163.com hello.txt  -e encrypts, -r selects which public key (recipient) to use
gpg: 2E7DCBAD:没有证据表明这把密钥真的属于它所声称的持有者

pub 2048R/2E7DCBAD 2018-12-08 summer (this key is for lili) <summer@163.com>
主钥指纹: 4C45 3A42 4255 8AF0 23DB 74F5 8176 D439 2FE8 7B6F
子钥指纹: BFD8 755B A790 35DE 1C87 B441 FAF4 67C0 2E7D CBAD

这把密钥并不一定属于用户标识声称的那个人。如果您真的知道自
己在做什么,您可以在下一个问题回答 yes。

无论如何还是使用这把密钥吗?(y/N)y  Enter y to confirm. The warning appears because the imported key has not been signed or trusted; comparing the primary fingerprint shown here with the one host 10 printed when the key was generated (4C45 3A42 4255 8AF0 23DB 74F5 8176 D439 2FE8 7B6F) is how you check that it is the right key

# ls hello.txt*  A .gpg file with the same name is generated
hello.txt hello.txt.gpg


# cat hello.txt.gpg  Viewing the .gpg file directly shows garbage; it must be decrypted before it can be read
(binary ciphertext, not reproduced)


# scp hello.txt.gpg 192.168.4.10:/root/  Send the encrypted file to host 10
######################################################################################
Host 10 decrypts with the private key to read the data sent by host 30

# gpg -d hello.txt.gpg > hello.txt  Decrypt hello.txt.gpg with the private key and redirect the output to hello.txt
gpg: 由 2048 位的 RSA 密钥加密,钥匙号为 2E7DCBAD、生成于 2018-12-08
“summer (this key is for lili) <summer@163.com>”

# cat hello.txt  The content of hello.txt can now be read
hello
######################################################################################
Asymmetric keys: private key (signs), public key (verifies the signature)

Before sending the file (sign) ----> before opening it (verify the signature) ----> open

Host 10

# tar -zcf log.tar /var/log
tar: 从成员名中删除开头的“/”

# ls log.tar
log.tar

# gpg -b log.tar  -b creates a detached signature. It is one-to-one: it covers only the file log.tar

# ls log.tar*  A .sig signature file with the same name is generated. The signature is one-to-one: it is valid only for log.tar and for no other file.
log.tar log.tar.sig

Send both the signed file and the signature to host 30, which holds the public key
# scp log.tar log.tar.sig 192.168.4.30:/root/
######################################################################################
Host 30

# ls
log.tar log.tar.sig ... ...

# gpg --verify log.tar.sig log.tar  Signature first, then the file. gpg verifies the signature against the imported public key; the trust warning below is the same untrusted-key notice seen during encryption, and the fingerprint printed is what you compare
It shows:
gpg: 于 2018年12月08日 星期六 11时38分53秒 CST 创建的签名,使用 RSA,钥匙号 2FE87B6F
gpg: 完好的签名,来自于“summer (this key is for lili) <summer@163.com>”
gpg: 警告:这把密钥未经受信任的签名认证!
gpg: 没有证据表明这个签名属于它所声称的持有者。
主钥指纹: 4C45 3A42 4255 8AF0 23DB 74F5 8176 D439 2FE8 7B6F

# gpg --verify log.tar log.tar.sig  With the arguments in the wrong order it fails, and the message reminds you that the .sig signature file must be given first
gpg: 找不到有效的 OpenPGP 数据。
gpg: 签名无法被验证。
请记住签名文件(.sig或.asc)
应该是在命令行中给定的第一个文件。

# gpg --verify log.tar.sig hello.txt  Trying the signature against a different file, hello.txt, fails, because the signature is valid only for log.tar
It shows:
gpg: 于 2018年12月08日 星期六 11时38分53秒 CST 创建的签名,使用 RSA,钥匙号 2FE87B6F
gpg: 已损坏的签名,来自于“summer (this key is for lili) <summer@163.com>”
######################################################################################
Host 10

# yum -y install aide
# vim /etc/aide.conf

... ...  The elided parts do not need to be changed; the lines below are shown only for understanding
3 @@define DBDIR /var/lib/aide  This defines the database directory
4 @@define LOGDIR /var/log/aide
5
6 # The location of the database to be read.
7 database=file:@@{DBDIR}/aide.db.gz  The database that --check reads. After a compromise, rename the original database to this name (dropping "new") and run a check to compare the filesystem against it.
8
9 # The location of the database to be written.
10 #database_out=sql:host:port:database:login_name:passwd:table
11 #database_out=file:aide.db.new
12 database_out=file:@@{DBDIR}/aide.db.new.gz  The database that --init writes, named with "new" in the defined directory. Copy it to a USB drive afterwards, so an intruder cannot rewrite the baseline on the host; a second --init writes to the same "new" name again
... ...


First 99G  jump to line 99
ctrl+v  enter visual block mode
hold down the down arrow  until the last line
shift+i  the cursor jumps back to line 99 (block insert)
#
Esc  every line from 99 to the end is now commented out


98 /root/ DATAONLY  Add this line, so that /root is monitored with the DATAONLY rule group
######################################################################################
# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.


# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz  After the first run, rename the database to drop "new", because --check reads aide.db.gz and the next --init will again write to the "new" name
######################################################################################
# aide --check  Nothing has changed yet, so the check passes

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!
######################################################################################
# echo "x" > /root/x.txt  Create a new file /root/x.txt

# aide --check  It detects that a file was added
It prints:
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-12-08 14:25:32

Summary:
Total number of files: 207
Added files: 1  Number of files added: 1
Removed files: 0  Number of files removed: 0
Changed files: 0  Number of files changed: 0


---------------------------------------------------
Added files:
---------------------------------------------------

added: /root/x.txt  The file /root/x.txt was added
######################################################################################
# rm -rf hello.txt  Delete a file

# aide --check  It detects that a file was deleted
It prints:
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-12-08 14:27:19

Summary:
Total number of files: 207
Added files: 1  Number of files added: 1
Removed files: 1  Number of files removed: 1
Changed files: 0  Number of files changed: 0


---------------------------------------------------
Added files:
---------------------------------------------------

added: /root/x.txt

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /root/hello.txt  The file /root/hello.txt was deleted
######################################################################################
# echo "xyz" >> mykey  Append content to a file

# aide --check  It detects that a file was changed
It prints:
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-12-08 14:28:27

Summary:
Total number of files: 207
Added files: 1  Number of files added: 1
Removed files: 1  Number of files removed: 1
Changed files: 1  Number of files changed: 1


---------------------------------------------------
Added files:
---------------------------------------------------

added: /root/x.txt  The file /root/x.txt was added

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /root/hello.txt  The file /root/hello.txt was deleted

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/mykey  The file /root/mykey was modified

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /root/mykey
Size : 1739 , 1743
SHA256 : 71WQkvY9+lSb+irnHvjI4x8FqZYaQb5e , T93nkNHtzZQiEIVtCRytLotnkZKz6ar0

Size before the change: 1739; after: 1743
Hash before the change: 71WQkvY9+lSb+irnHvjI4x8FqZYaQb5e; after: T93nkNHtzZQiEIVtCRytLotnkZKz6ar0
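The init/check cycle above, reduced to its core, as an added example (not part of the original notes and not AIDE's own code): a baseline of size and SHA-256 per file is written once, and a later snapshot is diffed against it to report added, removed and changed files with before/after values. demo() replays the page's scenario (add x.txt, delete hello.txt, append to mykey) in a temporary directory; the file contents it creates are constructed stand-ins.

```python
"""Minimal file-integrity checker modelled on aide --init / aide --check."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative path: {"size": bytes, "sha256": hex}} for regular files under root.

    Symlinks are skipped so that a link planted inside root cannot make the
    checker hash, and later report on, a file that lives outside root.
    """
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        db[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
    return db


def init_db(root, db_file):
    """Equivalent of aide --init: write the baseline database (JSON here, not gzip)."""
    db = snapshot(root)
    Path(db_file).write_text(json.dumps(db, sort_keys=True))
    return db


def check(root, db_file):
    """Equivalent of aide --check: compare the filesystem with the saved baseline."""
    old = json.loads(Path(db_file).read_text())
    new = snapshot(root)
    changed = {rel: {"before": old[rel], "after": new[rel]}
               for rel in sorted(set(old) & set(new)) if old[rel] != new[rel]}
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": changed,
    }


def format_report(result):
    """Render the comparison in a summary layout similar to AIDE's."""
    lines = [f"Added files: {len(result['added'])}",
             f"Removed files: {len(result['removed'])}",
             f"Changed files: {len(result['changed'])}"]
    lines += [f"added: {p}" for p in result["added"]]
    lines += [f"removed: {p}" for p in result["removed"]]
    for p, d in result["changed"].items():
        lines.append(f"changed: {p}")
        lines.append(f"  Size : {d['before']['size']} , {d['after']['size']}")
        lines.append(f"  SHA256 : {d['before']['sha256'][:12]}... , {d['after']['sha256'][:12]}...")
    return "\n".join(lines)


def demo():
    """Replay the page's scenario in a temporary directory and return the check result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        root.mkdir()
        (root / "hello.txt").write_text("hello\n")                                   # constructed
        (root / "mykey").write_text("-----BEGIN PGP PUBLIC KEY BLOCK-----\n")        # constructed
        db_file = Path(tmp) / "baseline.json"
        init_db(root, db_file)
        # First check right after init: nothing differs, the AIDE "Looks okay!" case.
        assert check(root, db_file) == {"added": [], "removed": [], "changed": {}}
        (root / "x.txt").write_text("x\n")          # added file
        (root / "hello.txt").unlink()               # removed file
        with open(root / "mykey", "a") as f:        # changed file: size grows by 4 bytes
            f.write("xyz\n")
        return check(root, db_file)


if __name__ == "__main__":
    print(format_report(demo()))
```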
######################################################################################
Do not monitor files that change all the time, such as /var/lib/mysql, because the report would be full of noise.

# vim /etc/aide.conf

First 99G  jump to line 99
ctrl+v  enter visual block mode
hold down the down arrow  all the way to the last line
x  deletes the leading # that was added, restoring the original: lines that were already commented stay commented, and lines that were not stay uncommented
######################################################################################
Host 30

# yum -y install nmap

# nmap -sP 192.168.4.254

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 14:48 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.4.254
Host is up (0.00011s latency).
MAC Address: 52:54:00:37:78:11 (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds
######################################################################################
# nmap -n -sP 192.168.4.254  -n skips reverse DNS resolution

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 14:48 CST
Nmap scan report for 192.168.4.254
Host is up (0.00011s latency).
MAC Address: 52:54:00:37:78:11 (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds
######################################################################################
# nmap -n -sP 192.168.4.0/24  Scans a whole subnet and returns quickly; it finds that 4.10, 4.20, 4.30 and 4.254 are up

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 14:49 CST
Nmap scan report for 192.168.4.10
Host is up (0.00053s latency).  "Host is up" means the IP above is powered on
MAC Address: 52:54:00:F1:5B:7C (QEMU Virtual NIC)
Nmap scan report for 192.168.4.20
Host is up (0.00059s latency).
MAC Address: 52:54:00:44:C6:DD (QEMU Virtual NIC)
Nmap scan report for 192.168.4.254
Host is up (0.00043s latency).
MAC Address: 52:54:00:37:78:11 (QEMU Virtual NIC)
Nmap scan report for 192.168.4.30
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.96 seconds  "4 hosts up" means four hosts are up in total

There is now a new tool that can test, within tens of minutes, whether every IPv4 address in the world is up!!!
######################################################################################
# nmap -sT 192.168.4.254  Shows which ports are open. Shut down the services you do not use: the more ports are open, the larger the attack surface.

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 15:10 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.4.254
Host is up (0.0018s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
443/tcp open https
2049/tcp open nfs
5900/tcp open vnc
MAC Address: 52:54:00:37:78:11 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
######################################################################################
# nmap -sT 192.168.4.11  If the target host is not up, nothing can be detected

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 15:11 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds
######################################################################################
[root@30 ~]# nmap -sT 192.168.4.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 15:13 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.4.10
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3260/tcp open iscsi
MAC Address: 52:54:00:F1:5B:7C (QEMU Virtual NIC)

Nmap scan report for 192.168.4.20
Host is up (0.00035s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3260/tcp open iscsi
MAC Address: 52:54:00:44:C6:DD (QEMU Virtual NIC)

Nmap scan report for 192.168.4.254
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
443/tcp open https
2049/tcp open nfs
5900/tcp open vnc
MAC Address: 52:54:00:37:78:11 (QEMU Virtual NIC)

Nmap scan report for 192.168.4.30
Host is up (0.00064s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2049/tcp open nfs

Nmap done: 256 IP addresses (4 hosts up) scanned in 2.20 seconds
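The "close what you do not use" advice above, turned into a repeatable check, as an added example (not part of the original notes and not nmap's own code): it parses nmap's normal text output and reports every open port that is not on a per-host allowlist. The embedded scan text is a constructed sample modelled on the subnet report above, and the EXPECTED_OPEN policy is an assumption for the example, not something the notes state.

```python
"""Flag open ports that fall outside each host's expected set, from nmap -sT output."""
import re

# Constructed sample, modelled on the nmap -sT 192.168.4.0/24 report on this page.
SAMPLE_SCAN = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 15:13 CST
Nmap scan report for 192.168.4.10
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3260/tcp open iscsi
MAC Address: 52:54:00:F1:5B:7C (QEMU Virtual NIC)

Nmap scan report for 192.168.4.254
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
443/tcp open https
2049/tcp open nfs
5900/tcp open vnc
MAC Address: 52:54:00:37:78:11 (QEMU Virtual NIC)

Nmap done: 256 IP addresses (2 hosts up) scanned in 2.20 seconds
"""

# Assumed policy for the lab (an assumption for this example): host 10 is an
# iSCSI target managed over ssh; 254 is the gateway that serves DNS and web.
EXPECTED_OPEN = {
    "192.168.4.10": {"22/tcp", "3260/tcp"},
    "192.168.4.254": {"22/tcp", "53/tcp", "80/tcp", "443/tcp"},
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return {host: {"port/proto": (state, service)}} from nmap's normal output."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, state, service = m.groups()
            hosts[current][port] = (state, service)
    return hosts


def unexpected_open_ports(hosts, expected):
    """Return {host: [(port, service), ...]} for open ports outside the allowlist.

    A host absent from the policy is reported with all of its open ports: an
    unknown machine answering on the segment is itself worth a look.
    """
    findings = {}
    for host, ports in hosts.items():
        allowed = expected.get(host, set())
        by_number = sorted(ports.items(), key=lambda kv: int(kv[0].split("/")[0]))
        extra = [(p, svc) for p, (state, svc) in by_number
                 if state == "open" and p not in allowed]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in unexpected_open_ports(parse_nmap(SAMPLE_SCAN), EXPECTED_OPEN).items():
        print(host, "unexpected open:", ", ".join(f"{p} ({s})" for p, s in extra))
```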
######################################################################################
# nmap -sS 192.168.4.11  Faster than -sT because it leaves out the final step of the handshake: it sends the first packet, and as soon as the target replies it already knows the port is open, so it does not complete the connection.

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 15:17 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds
[root@30 ~]# nmap -sS 192.168.4.10

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 15:17 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.4.10
Host is up (0.00066s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3260/tcp open iscsi
MAC Address: 52:54:00:F1:5B:7C (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
######################################################################################
# nmap -sU 192.168.4.10  UDP scan; very, very slow, not recommended. Pressing Enter prints the current progress, and the time estimate keeps growing

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 15:22 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 1.93% done; ETC: 15:27 (0:05:04 remaining)  1.93% done, about 5 minutes until the scan finishes
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 2.75% done; ETC: 15:27 (0:04:43 remaining)
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 2.82% done; ETC: 15:30 (0:08:02 remaining)
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 3.02% done; ETC: 15:31 (0:08:34 remaining)  3.02% done, about 8 minutes until it finishes; the estimate keeps growing
######################################################################################
# traceroute www.baidu.com  How many routers (hops) the path to Baidu passes through

It shows:
traceroute to www.baidu.com (14.215.177.38), 30 hops max, 60 byte packets
1 static-176-130-2-1.ftth.abo.bbox.fr (176.130.2.1) 0.487 ms 0.963 ms 1.079 ms
2 szlg.szmis.cn (192.168.1.1) 0.904 ms 0.875 ms 0.826 ms
3 100.64.0.1 (100.64.0.1) 85.921 ms 85.867 ms 86.795 ms
4 202.105.153.77 (202.105.153.77) 4.102 ms 4.635 ms 4.107 ms
5 202.105.158.54 (202.105.158.54) 8.422 ms 202.105.158.89 (202.105.158.89) 4.033 ms 3.971 ms
6 113.96.4.42 (113.96.4.42) 13.867 ms 113.96.4.94 (113.96.4.94) 32.431 ms 113.96.4.90 (113.96.4.90) 23.632 ms
7 * * *
8 14.29.117.234 (14.29.117.234) 23.455 ms * 14.29.117.238 (14.29.117.238) 7.270 ms
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
######################################################################################
# nmap -A 192.168.4.254  Aggressive scan: it probes each service open on that IP, fingerprints the versions and the OS, and lists what it finds

Starting Nmap 6.40 ( http://nmap.org ) at 2018-12-08 15:28 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
NSOCK ERROR [24.3540s] mksock_bind_addr(): Bind to 0.0.0.0:80 failed (IOD #22): Address already in use (98)
NSOCK ERROR [24.4220s] mksock_bind_addr(): Bind to 0.0.0.0:111 failed (IOD #28): Address already in use (98)
NSOCK ERROR [24.4440s] mksock_bind_addr(): Bind to 0.0.0.0:80 failed (IOD #39): Address already in use (98)
Nmap scan report for 192.168.4.254
Host is up (0.000071s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| dr-xr-xr-x 5 0 0 2048 Nov 14 2016 ceph
| -rw-r--r-- 1 0 0 63305912 Oct 29 01:07 lnmp_soft.tar.gz
| drwxrwxrwx 2 0 0 4096 Nov 16 18:45 mha-soft-student [NSE: writeable]
| -rw-r--r-- 1 0 0 981687 Oct 20 09:51 nginx-1.12.2.tar.gz
| drwxr-xr-x 2 0 0 4096 Aug 03 2017 pub
| dr-xr-xr-x 9 0 0 4096 Jul 11 2017 rhel7
| drwxrwxrwx 2 0 0 4096 Apr 26 2018 share [NSE: writeable]
|_-rw-r--r-- 1 0 0 89 Oct 29 03:39 virt.conf
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 37:af:35:48:2a:ed:f7:b9:c2:6b:d8:fe:fa:6c:7b:02 (RSA)
|_256 dc:95:db:de:7e:c3:7d:34:ff:41:d4:e5:bb:97:5f:e9 (ECDSA)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Apache HTTP Server Test Page powered by CentOS
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/udp nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/udp mountd
| 100021 1,3,4 34153/udp nlockmgr
| 100021 1,3,4 47786/tcp nlockmgr
| 100024 1 38802/tcp status
| 100024 1 45029/udp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Apache HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=room9pc01.tedu.cn/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2018-10-25T12:34:56+00:00
|_Not valid after: 2019-10-25T12:34:56+00:00
|_ssl-date: 2038-11-09T23:26:18+00:00; +19y336d15h57m27s from local time.
2049/tcp open nfs 3-4 (RPC #100003)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/udp nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/udp mountd
| 100021 1,3,4 34153/udp nlockmgr
| 100021 1,3,4 47786/tcp nlockmgr
| 100024 1 38802/tcp status
| 100024 1 45029/udp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
5900/tcp open vnc VNC (protocol 3.7)
| vnc-info:
| Protocol version: 3.7
| Security types:
|_ TLS
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=12/8%OT=21%CT=1%CU=37247%PV=Y%DS=0%DC=L%G=Y%TM=5C0B72B
OS:3%P=x86_64-redhat-linux-gnu)SEQ(SP=109%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=A
OS:)OPS(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5
OS:=MFFD7ST11NW7%O6=MFFD7ST11)WIN(W1=AAAA%W2=AAAA%W3=AAAA%W4=AAAA%W5=AAAA%W
OS:6=AAAA)ECN(R=Y%DF=Y%T=40%W=AAAA%O=MFFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=40%CD=S)

Network Distance: 0 hops
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.61 seconds
######################################################################################
nmap is a scanning tool
tcpdump is a packet-capture tool (plus other topics: IP address spoofing, DHCP spoofing)


# yum -y install vsftpd
# systemctl restart vsftpd

# useradd tom
# echo 12345678 | passwd --stdin tom
# echo niuben > /home/tom/nb.txt
# cat /home/tom/nb.txt
niuben
######################################################################################
Host 30

# yum -y install ftp
# ftp 192.168.4.10
Connected to 192.168.4.10 (192.168.4.10).
220 (vsFTPd 3.0.2)
Name (192.168.4.10:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls  The nb.txt file created a moment ago is listed
227 Entering Passive Mode (192,168,4,10,148,69).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 7 Dec 08 08:15 nb.txt
226 Directory send OK.

ftp> quit
221 Goodbye.
######################################################################################
Host 10, the ftp server

# tcpdump -A tcp port 21
It shows:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Nothing appears at first, until someone connects to this host's ftp
######################################################################################
Host 30 connects to the ftp on host 10

# ftp 192.168.4.10
Connected to 192.168.4.10 (192.168.4.10).
220 (vsFTPd 3.0.2)
Name (192.168.4.10:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
######################################################################################
Host 10: the capture picked up the traffic, including the user name and password host 30 used to log in to the ftp on host 10

The following shows up by itself
..................
16:36:41.659660 IP 192.168.4.30.40470 > 10.ftp: Flags [P.], seq 1:11, ack 21, win 229, options [nop,nop,TS val 20442537 ecr 25305979], length 10: FTP: USER tom
E..>.T@.@..........
....{..................
.7....#{USER tom  The user name tom that host 30 used to log in to ftp

..................
16:36:53.011800 IP 192.168.4.30.40470 > 10.ftp: Flags [P.], seq 11:26, ack 55, win 229, options [nop,nop,TS val 20453889 ecr 25308736], length 15: FTP: PASS 12345678
E..C.V@.@..........
....{..................
.8.....@PASS 12345678  The password 12345678 that host 30 used to log in to ftp
######################################################################################
Host 10: write the captured packets to the file ftp.log

# tcpdump -A tcp port 21 -w ftp.log
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Nothing appears at first, until someone connects to this host's ftp
######################################################################################
Host 30 connects to the ftp on host 10

# ftp 192.168.4.10
Connected to 192.168.4.10 (192.168.4.10).
220 (vsFTPd 3.0.2)
Name (192.168.4.10:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
######################################################################################
Host 10: filter ftp.log for the user name and password

# tcpdump -A -r ftp.log | egrep "USER|PASS"

The filtered output:
reading from file ftp.log, link-type EN10MB (Ethernet)
16:43:40.986843 IP 192.168.4.30.40476 > 10.ftp: Flags [P.], seq 1:11, ack 21, win 229, options [nop,nop,TS val 20861864 ecr 25725819], length 10: FTP: USER tom
.>S....{USER tom  The filter shows the user is tom
16:43:44.742670 IP 192.168.4.30.40476 > 10.ftp: Flags [P.], seq 11:26, ack 55, win 229, options [nop,nop,TS val 20865620 ecr 25728063], length 15: FTP: PASS 12345678
.>bT...?PASS 12345678  The filter shows the password is 12345678
######################################################################################
Host 10: install nginx and set up user authentication

Copy the package from the physical machine to host 10; the lnmp_soft.tar.gz bundle contains the nginx package
# scp '/root/桌面/我的笔记新/6Nginx/lnmp_soft.tar.gz' 192.168.4.10:/root/

Host 10

# yum -y install gcc pcre-devel openssl-devel
# useradd -s /sbin/nologin nginx
# cd lnmp_soft/
# tar -xf nginx-1.12.2.tar.gz
# cd nginx-1.12.2/
# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module
# make && make install

# vim /usr/local/nginx/conf/nginx.conf
... ...
server {
listen 80;
server_name localhost;
auth_basic "Input Password:";  Add this line
auth_basic_user_file "/usr/local/nginx/pass";  Add this line
... ...

# yum -y install httpd-tools
# htpasswd -c /usr/local/nginx/pass lily
New password:  Enter the password 123456
Re-type new password:  Enter 123456 again
Adding password for user lily

# cat /usr/local/nginx/pass
lily:$apr1$oUdFwy0x$exbXmxqpm8JrNioHgHEDK0

# ln -s /usr/local/nginx/sbin/nginx /sbin/
# nginx


# tcpdump -A host 192.168.4.10 and tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Nothing appears at first, until someone visits this host's web page, i.e. port 80
######################################################################################
Host 30

# firefox 192.168.4.10
The page asks for a user name and password; enter the user name lily and the password 123456
#####################################################################################
Host 10: the capture picked up the traffic, including the user name and password host 30 used to log in to the web page on host 10

The following shows up by itself
..................
Authorization: Basic bGlseToxMjM0NTY=  bGlseToxMjM0NTY= is the user name and password. This is effectively cleartext: base64 is an encoding, not encryption, and anyone can decode it
..................


Decoding the base64 content

# echo "bGlseToxMjM0NTY=" | base64 -d
lily:123456[root@10 ~]# printf "lily:123456" | base64  The output runs straight into the next prompt because the decoded string has no trailing newline; this does not matter.
bGlseToxMjM0NTY=

Run separately, the effect is clearer:
# echo "bGlseToxMjM0NTY=" | base64 -d
lily:123456

# printf "lily:123456" | base64
bGlseToxMjM0NTY=
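The two captures above (FTP USER/PASS in the tcpdump output, and the HTTP Basic header) show the same problem: credentials crossing the wire in the clear. As an added example (not part of the original notes), this detector scans captured text for both patterns and reports which accounts were exposed, printing only the password length so the alert itself does not leak the secret; a malformed Basic token is skipped rather than reported. The embedded capture is a constructed sample modelled on the lines shown on this page.

```python
"""Report cleartext credentials (FTP USER/PASS, HTTP Basic) found in captured text."""
import base64
import binascii
import re

# Constructed sample modelled on the tcpdump -A output and the HTTP header above.
SAMPLE_CAPTURE = """\
16:43:40.986843 IP 192.168.4.30.40476 > 10.ftp: Flags [P.], seq 1:11, ack 21, win 229, length 10: FTP: USER tom
.>S....{USER tom
16:43:44.742670 IP 192.168.4.30.40476 > 10.ftp: Flags [P.], seq 11:26, ack 55, win 229, length 15: FTP: PASS 12345678
.>bT...?PASS 12345678
GET / HTTP/1.1
Host: 192.168.4.10
Authorization: Basic bGlseToxMjM0NTY=
Authorization: Basic not*valid*base64
"""

# Match only tcpdump's decoded summary line, not the raw payload dump that follows it,
# so each command is counted once.
FTP_CMD = re.compile(r"IP (\S+) > \S+: .*FTP: (USER|PASS) (\S+)\s*$")
BASIC_AUTH = re.compile(r"Authorization:\s*Basic\s+(\S+)")


def decode_basic(token):
    """Return (user, password) from a Basic token, or None if it is not a valid credential."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def find_cleartext_credentials(capture_text):
    """Return findings as dicts: proto, src (None for HTTP), user, secret_len."""
    findings = []
    pending_user = {}  # src address -> user name seen in USER, waiting for its PASS
    for line in capture_text.splitlines():
        m = FTP_CMD.search(line)
        if m:
            src, cmd, arg = m.groups()
            if cmd == "USER":
                pending_user[src] = arg
            else:
                findings.append({"proto": "ftp", "src": src,
                                 "user": pending_user.pop(src, "?"),
                                 "secret_len": len(arg)})
            continue
        m = BASIC_AUTH.search(line)
        if m:
            decoded = decode_basic(m.group(1))
            if decoded is None:
                continue  # garbage token: nothing confirmed, nothing to report
            user, password = decoded
            findings.append({"proto": "http-basic", "src": None,
                             "user": user, "secret_len": len(password)})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURE):
        where = f" from {f['src']}" if f["src"] else ""
        print(f"ALERT {f['proto']}: account {f['user']!r} sent a "
              f"{f['secret_len']}-char password in cleartext{where}")
```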


At work use sftp, which is encrypted. In the Xshell remote tool, click the folder icon in the middle of the toolbar: the left pane shows the PC and the right pane the Linux host, and files can be dragged between them, left to right. This is the best way to transfer files between different platforms. ftp is cleartext by default. Once ssh is started, sftp starts automatically with it.
Important web pages must use https.

 

posted @ 2019-04-30 22:55  安于夏