The World of OpenWrt: Raspberry Pi 3B [Router], Shifting Stars and Turning the Dipper, Part 4.2: nmap ㄅ

The Thirty-Six Stratagems, Southern and Northern Dynasties, Tan Daoji

Deceive the Heavens to Cross the Sea

When preparations are thorough, vigilance slackens; what is seen every day arouses no suspicion. The yin lies within the yang, not outside of it. Great yang, great yin.

In the seventeenth year of the Zhenguan era, Emperor Taizong of Tang led an army of three hundred thousand on an eastern campaign. Taizong suffered from seasickness, and Xue Rengui feared that the emperor would not dare to cross the sea and would withdraw the army. So he disguised himself as a wealthy commoner, paid a visit to Taizong, and invited the emperor and his civil and military officials to be guests at his house. The rich man's house was hung all around with embroidered curtains and brocades, a splendid sight, and Taizong and his officials drank and feasted there. Before long the rooms began to sway and wine cups fell to the floor; Taizong and the others were alarmed, and when they lifted the embroidered hangings they found that they and the three hundred thousand troops were already at sea. In ancient times the emperor called himself the Son of Heaven, so the "heaven" in "deceive heaven to cross the sea" refers to the emperor, and the stratagem came to be called "Deceive the Heavens to Cross the Sea".

The art of war attends to "yin and yang": it waits and probes for "messages", and events furnish "intelligence". What is commonly seen has a high "frequency of occurrence"; because it is so ordinary it raises no suspicion and is judged to have little "information value"! If someone could build an "information theory" from this very point, would its "information bits" not be of extremely high value?

Claude Shannon

Claude Elwood Shannon (April 30, 1916 – February 26, 2001) was an American mathematician, electronic engineer and cryptographer, honoured as the founder of information theory.[1][2] Shannon took his bachelor's degree at the University of Michigan and his doctorate at the Massachusetts Institute of Technology.

In 1948, Shannon published the epoch-making paper "A Mathematical Theory of Communication", laying the foundations of modern information theory. Beyond that, Shannon is also regarded as the founder of digital computer theory and digital circuit design theory. In 1937, as a 21-year-old master's student at MIT, he proposed in his master's thesis that applying Boolean algebra to electronic circuits could construct and resolve any logical or numerical relationship; it has been called one of the most important master's theses ever written[3]. During the Second World War, Shannon made major contributions to military cryptanalysis, both code breaking and secure communication.

───

Unfortunately this "information ruler" uses many "terms" that leave one utterly baffled: transmitter, channel, receiver, noise source, entropy, expected value, probability, information content… ; the Wikipedia entry reads like an indecipherable "celestial script"??

Entropy (information theory)

In information theory, systems are modeled by a transmitter, channel, and receiver. The transmitter produces messages that are sent through the channel. The channel modifies the message in some way. The receiver attempts to infer which message was sent. In this context, entropy (more specifically, Shannon entropy) is the expected value (average) of the information contained in each message. ‘Messages’ can be modeled by any flow of information.

In a more technical sense, there are reasons (explained below) to define information as the negative of the logarithm of the probability distribution. The probability distribution of the events, coupled with the information amount of every event, forms a random variable whose expected value is the average amount of information, or entropy, generated by this distribution. Units of entropy are the shannon, nat, or hartley, depending on the base of the logarithm used to define it, though the shannon is commonly referred to as a bit.

The logarithm of the probability distribution is useful as a measure of entropy because it is additive for independent sources. For instance, the entropy of a coin toss is 1 shannon, whereas of m tosses it is m shannons. Generally, you need log2(n) bits to represent a variable that can take one of n values if n is a power of 2. If these values are equally probable, the entropy (in shannons) is equal to the number of bits. Equality between number of bits and shannons holds only while all outcomes are equally probable. If one of the events is more probable than others, observation of that event is less informative. Conversely, rarer events provide more information when observed. Since observation of less probable events occurs more rarely, the net effect is that the entropy (thought of as average information) received from non-uniformly distributed data is less than log2(n). Entropy is zero when one outcome is certain. Shannon entropy quantifies all these considerations exactly when a probability distribution of the source is known. The meaning of the events observed (the meaning of messages) does not matter in the definition of entropy. Entropy only takes into account the probability of observing a specific event, so the information it encapsulates is information about the underlying probability distribution, not the meaning of the events themselves.

Generally, entropy refers to disorder or uncertainty. Shannon entropy was introduced by Claude E. Shannon in his 1948 paper “A Mathematical Theory of Communication”.[1] Shannon entropy provides an absolute limit on the best possible average length of lossless encoding or compression of an information source. Rényi entropy generalizes Shannon entropy.

Definition

Named after Boltzmann’s Η-theorem, Shannon defined the entropy Η (Greek letter Eta) of a discrete random variable X with possible values {x1, …, xn} and probability mass function P(X) as:

\Eta(X) = \mathrm{E}[\mathrm{I}(X)] = \mathrm{E}[-\ln(\mathrm{P}(X))].

Here E is the expected value operator, and I is the information content of X.[4][5] I(X) is itself a random variable.

The entropy can explicitly be written as

\Eta(X) = \sum_{i=1}^n {\mathrm{P}(x_i)\,\mathrm{I}(x_i)} = -\sum_{i=1}^n {\mathrm{P}(x_i) \log_b \mathrm{P}(x_i)},

where b is the base of the logarithm used. Common values of b are 2, Euler’s number e, and 10, and the unit of entropy is shannon for b = 2, nat for b = e, and hartley for b = 10.[6] When b = 2, the units of entropy are also commonly referred to as bits.

In the case of P(x_i) = 0 for some i, the value of the corresponding summand 0 log_b(0) is taken to be 0, which is consistent with the limit:

\lim_{p\to0+}p\log (p) = 0.

When the distribution is continuous rather than discrete, the sum is replaced with an integral as

\Eta(X) = \int {\mathrm{P}(x)\,\mathrm{I}(x)} ~dx = -\int {\mathrm{P}(x) \log_b \mathrm{P}(x)} ~dx,

where P(x) represents a probability density function.

One may also define the conditional entropy of two events X and Y taking values x_i and y_j respectively, as

\Eta(X|Y)=\sum_{i,j}p(x_{i},y_{j})\log\frac{p(y_{j})}{p(x_{i},y_{j})}

where p(x_i, y_j) is the probability that X = x_i and Y = y_j. This quantity should be understood as the amount of randomness in the random variable X given the event Y.

─── from W!O+'s 《小伶鼬工坊演義》 (The Little Weasel Workshop Saga): Neural Networks 【學而堯曰】 Six

By analysing the "features" of the "output" responses that an "input" provokes,
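To make the definitions above concrete, here is an added Python example (not part of the quoted Wikipedia article) that computes H(X) in shannons, nats or hartleys, applies the 0·log 0 := 0 convention, and evaluates the conditional entropy H(X|Y) from the last formula; all function names are this example's own.

```python
import math
from collections import Counter
from typing import Dict, Iterable, Tuple

# The base of the logarithm selects the unit: 2 -> shannon (bit), e -> nat, 10 -> hartley.
UNIT_BASE = {"shannon": 2, "nat": math.e, "hartley": 10}


def information_content(p: float, base: float = 2) -> float:
    """I(x) = -log_b P(x): the rarer an event, the more information its observation carries."""
    if not 0 < p <= 1:
        raise ValueError("probability must lie in (0, 1]")
    return -math.log(p, base)


def entropy(probs: Iterable[float], base: float = 2) -> float:
    """H(X) = sum P(x_i) I(x_i) = -sum P(x_i) log_b P(x_i), using the 0*log(0) := 0 convention."""
    probs = list(probs)
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(p * information_content(p, base) for p in probs if p > 0)


def entropy_of_samples(samples: Iterable, base: float = 2) -> float:
    """Estimate H from observed frequencies, e.g. a sequence of events seen on a channel."""
    counts = Counter(samples)
    total = sum(counts.values())
    return entropy((c / total for c in counts.values()), base)


def conditional_entropy(joint: Dict[Tuple, float], base: float = 2) -> float:
    """H(X|Y) = sum_{i,j} p(x_i, y_j) log_b( p(y_j) / p(x_i, y_j) ), with joint keyed by (x, y)."""
    p_y: Counter = Counter()
    for (_, y), p in joint.items():
        p_y[y] += p
    return sum(p * math.log(p_y[y] / p, base) for (_, y), p in joint.items() if p > 0)


if __name__ == "__main__":
    # Uniform outcomes: a fair coin is 1 shannon, three coins 3 shannons, a certain outcome 0.
    print(entropy([0.5, 0.5]), entropy([1 / 8] * 8), entropy([1.0]))
    # A biased source (one "commonly seen" outcome) carries less than log2(n) shannons.
    print(entropy([0.9, 0.1]))
    # The same distribution in nats: shannons multiplied by ln 2.
    print(entropy([0.5, 0.5], UNIT_BASE["nat"]))
    # X fully determined by Y leaves no residual uncertainty.
    print(conditional_entropy({(0, 0): 0.5, (1, 1): 0.5}))
```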

Nmap

Nmap (Network Mapper) is a free and open-source security scanner, originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich),[2] used to discover hosts and services on a computer network, thus building a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host(s) and then analyzes the responses.

The software provides a number of features for probing computer networks, including host discovery and service and operating-system detection. These features are extensible by scripts that provide more advanced service detection,[3] vulnerability detection,[3] and other features. Nmap can adapt to network conditions including latency and congestion during a scan. The Nmap user community continues to develop and refine the tool.

Nmap started as a Linux-only utility,[4] but porting to Windows, Solaris, HP-UX, BSD variants (including macOS), AmigaOS, and IRIX have followed.[5] Linux is the most popular platform, followed closely by Windows.[6]

Features

Nmap features include:

  • Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
  • Port scanning – Enumerating the open ports on target hosts.
  • Version detection – Interrogating network services on remote devices to determine application name and version number.[7]
  • OS detection – Determining the operating system and hardware characteristics of network devices.
  • Scriptable interaction with the target – using Nmap Scripting Engine[8] (NSE) and Lua programming language.

Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.[9]

Typical uses of Nmap:

  • Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.[10]
  • Identifying open ports on a target host in preparation for auditing.[11]
  • Network inventory, network mapping, maintenance and asset management.
  • Auditing the security of a network by identifying new servers.[12]
  • Generating traffic to hosts on a network, response analysis and response time measurement.[13]
  • Finding and exploiting vulnerabilities in a network.[14]
  • DNS queries and subdomain search

………

it has earned its name as an indispensable tool for network administrators:

Nmap core functions

Host discovery

Used to determine whether a target host is alive.
Nmap offers several detection mechanisms that identify hosts more effectively; for example, it can enumerate which hosts in the target network are up, similar to the ping command.

Port scanning

Used to scan the state of the ports on a host.
Nmap classifies a port as open, closed, filtered, unfiltered, open|filtered or closed|filtered. By default, Nmap scans 1660 commonly used ports[1], which covers most basic use cases.

Version detection

Used to identify the application running on a port and its version.
Nmap can currently recognise thousands of application signatures and detect hundreds of application protocols. For an application it does not recognise, Nmap prints the application's fingerprint by default; if the user knows what the application is, they can submit the information to the community as a contribution.

OS detection

Used to identify the target host's operating system type, version number and device type.
Nmap currently ships a fingerprint database of 1500 operating systems and devices[2], and can identify device types such as general-purpose PCs, routers and switches.

Firewall/IDS evasion and spoofing

Nmap provides several mechanisms to evade blocking and inspection by firewalls and IDS, making it possible to probe the state of a target host covertly.
Basic evasion techniques include fragmentation, IP decoys, IP spoofing and MAC address spoofing.

NSE scripting engine

NSE is one of Nmap's most powerful and flexible features. It can enhance host discovery, port scanning, version detection and OS detection, and can also extend Nmap with advanced functions such as web scanning, vulnerability discovery and exploitation. Nmap uses Lua as the NSE scripting language, and the current script library already contains more than 350 scripts.

───

and is also a tool much loved by hackers.

Let us run a "scan" against the OpenWrt 3B "router":

※ zenmap

apt-get install zenmap

Who knows how much "sensitive information" is laid bare before our eyes:

root@kali:~# nmap -A -T4 5.168.168.20
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-20 09:22 UTC
Nmap scan report for 5.168.168.20
Host is up (0.00048s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd (protocol 2.0)
80/tcp open  http    LuCI Lua http config
|_http-title: Site doesn't have a title (text/html).
MAC Address: B8:27:EB:D9:D7:2F (Raspberry Pi Foundation)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=10/20%OT=22%CT=1%CU=34614%PV=N%DS=1%DC=D%G=Y%M=B827EB%
OS:TM=5BCAF44B%P=arm-unknown-linux-gnueabihf)SEQ(SP=101%GCD=1%ISR=10F%TI=Z%
OS:CI=Z%II=I%TS=7)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4
OS:ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W
OS:5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=N%Q=)T1(R=Y%DF=Y
OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.48 ms 5.168.168.20

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.15 seconds
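To turn a scan like the one above into an inventory entry for the router's hardening checklist, here is an added Python parser (not from the page or from Nmap) for the normal-output format; the sample input is the scan output shown above, and the set of services it treats as management interfaces is this example's own assumption.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the normal-format output of the scan shown above, reduced to the lines this parser reads.
SAMPLE_SCAN = """\
Nmap scan report for 5.168.168.20
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd (protocol 2.0)
80/tcp open  http    LuCI Lua http config
|_http-title: Site doesn't have a title (text/html).
MAC Address: B8:27:EB:D9:D7:2F (Raspberry Pi Foundation)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?$")
# Services that are management interfaces on a router; this set is the example's own choice.
MANAGEMENT_SERVICES = {"ssh", "http", "https", "telnet"}
Port = namedtuple("Port", "number proto state service version")


@dataclass
class HostReport:
    address: str = ""
    mac: Optional[str] = None
    vendor: Optional[str] = None
    ports: List[Port] = field(default_factory=list)


def parse_normal_output(text: str) -> HostReport:
    """Parse one host's block of Nmap normal output; NSE script lines (|_...) are skipped."""
    report = HostReport()
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report.address = m.group(1)
        elif m := MAC_RE.match(line):
            report.mac, report.vendor = m.group(1), m.group(2)
        elif m := PORT_RE.match(line):
            num, proto, state, svc, ver = m.groups()
            report.ports.append(Port(int(num), proto, state, svc, ver.strip()))
    return report


def exposed_management_services(report: HostReport) -> List[str]:
    """Open management services on the host, one line each, for the router's hardening checklist."""
    return [f"{p.number}/{p.proto} {p.service} {p.version}".strip()
            for p in report.ports if p.state == "open" and p.service in MANAGEMENT_SERVICES]
```

Each flagged line is a service to verify against the router's intended exposure, for example that Dropbear and LuCI listen only on the LAN side.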

Let us begin by listening to a story ◎

Nmap Network Scanning

Chapter 1. Getting Started with Nmap

Nmap Overview and Demonstration

Sometimes the best way to understand something is to see it in action. This section includes examples of Nmap used in (mostly) fictional yet typical circumstances. Nmap newbies should not expect to understand everything at once. This is simply a broad overview of features that are described in depth in later chapters. The “solutions” included throughout this book demonstrate many other common Nmap tasks for security auditors and network administrators.

Avatar Online

Felix dutifully arrives at work on December 15th, although he does not expect many structured tasks. The small San Francisco penetration-testing firm he works for has been quiet lately due to impending holidays. Felix spends business hours pursuing his latest hobby of building powerful Wi-Fi antennas for wireless assessments and war driving exploration. Nevertheless, Felix is hoping for more business. Hacking has been his hobby and fascination since a childhood spent learning everything he could about networking, security, Unix, and phone systems. Occasionally his curiosity took him too far, and Felix was almost swept up in the 1990 Operation Sundevil prosecutions. Fortunately Felix emerged from adolescence without a criminal record, while retaining his expert knowledge of security weaknesses. As a professional, he is able to perform the same types of network intrusions as before, but with the added benefit of contractual immunity from prosecution and even a paycheck! Rather than keeping his creative exploits secret, he can brag about them to client management when presenting his reports. So Felix was not disappointed when his boss interrupted his antenna soldering to announce that the sales department closed a pen-testing deal with the Avatar Online gaming company.

Avatar Online (AO) is a small company working to create the next generation of massive multi-player online role-playing games (MMORPGs). Their product, inspired by the Metaverse envisioned in Neil Stevenson’s Snow Crash, is fascinating but still highly confidential. After witnessing the high-profile leak of Valve Software’s upcoming game source code, AO quickly hired the security consultants. Felix’s task is to initiate an external (from outside the firewall) vulnerability assessment while his partners work on physical security, source code auditing, social engineering, and so forth. Felix is permitted to exploit any vulnerabilities found.

The first step in a vulnerability assessment is network discovery. This reconnaissance stage determines what IP address ranges the target is using, what hosts are available, what services those hosts are offering, general network topology details, and what firewall/filtering policies are in effect.

Determining the IP ranges to scan would normally be an elaborate process involving ARIN (or another geographical registry) lookups, DNS queries and zone transfer attempts, various web sleuthing techniques, and more. But in this case, Avatar Online explicitly specified what networks they want tested: the corporate network on 6.209.24.0/24 and their production/DMZ systems residing on 6.207.0.0/22. Felix checks the IP whois records anyway and confirms that these IP ranges are allocated to AO[1]. Felix subconsciously decodes the CIDR notation[2] and recognizes this as 1,280 IP addresses. No problem.

Being the careful type, Felix first starts out with what is known as an Nmap list scan (-sL option). This feature simply enumerates every IP address in the given target netblock(s) and does a reverse-DNS lookup (unless -n was specified) on each. One reason to do this first is stealth. The names of the hosts can hint at potential vulnerabilities and allow for a better understanding of the target network, all without raising alarm bells[3]. Felix is doing this for another reason—to double-check that the IP ranges are correct. The systems administrator who provided the IPs might have made a mistake, and scanning the wrong company would be a disaster. The contract signed with Avatar Online may act as a get-out-of-jail-free card for penetrating their networks, but will not help if Felix accidentally compromises another company’s server! The command he uses and an excerpt of the results are shown in Example 1.1.

………