MSF - Information gathering
Nmap scan
- db_nmap -sV 192.168.0.1/24
Auxiliary scanner modules
Host discovery
- search arp
- use auxiliary/scanner/discovery/arp_sweep
- set INTERFACE RHOSTS SHOST SMAC THREADS
- run
Port scan
- search portscan
- use auxiliary/scanner/portscan/syn
- set INTERFACE, PORTS, RHOSTS, THREADS
- run
Idle scan
- Find hosts with a predictable IPID sequence (ipidseq)
- use auxiliary/scanner/ip/ipidseq
- set rhosts 192.168.43.1/24
- run
- nmap -PN -sI 192.168.43.117
UDP scan
- use /auxiliary/scanner/discovery/udp_sweep
- ~/udp_probe
Password sniffing
- psnuffle: extracts passwords from pcap capture files, similar in function to dsniff
- Supports pop3, imap, ftp, http get
SNMP scan
- metasploitable: vi /etc/default/snmpd
- Change the listening address
- use auxiliary/scanner/snmp/snmp_login
- use auxiliary/scanner/snmp/snmp_enum
- ~enumusers
- ~enumshares
SMB version scan
- use auxiliary/scanner/smb/smb_version
Scan named pipes to determine the SMB service type (account, password)
- use auxiliary/scanner/smb/pipe_auditor
Scan DCERPC services reachable through SMB pipes
- use auxiliary/scanner/smb/pipe_dcerpc_auditor
SMB share enumeration (account, password)
- use auxiliary/scanner/smb/smb_enumshares
SMB user enumeration
- use auxiliary/scanner/smb/smb_enumusers
User SID enumeration
- use auxiliary/scanner/smb/smb_lookupsid
SSH version scan
- use auxiliary/scanner/ssh/ssh_version
SSH password brute force
- use auxiliary/scanner/ssh/ssh_login
- set userpass_file /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
- set verbose true
- run
SSH public-key login
- use auxiliary/scanner/ssh/ssh_login_pubkey
- set key_file id_rsa (a key obtained by whatever means)
- set username root
- run
Windows missing patches
Checked from an already obtained session
- use post/windows/gather/enum_patches
Check fails
- Known bug in WMI query, try migrating to another process
- Migrate to another process and try again
MSSQL port scan
- TCP 1433 or a dynamic port; if a dynamic port is used, query UDP 1434 for the TCP port number
- use auxiliary/scanner/mssql/mssql_ping
MSSQL password brute force
- use auxiliary/scanner/mssql/mssql_login
Remote code execution
- use auxiliary/admin/mssql/mssql_exec
- set cmd net user user pass /add
FTP version scan
- search ftp_version
Does FTP allow anonymous login
- search anonymous
- search ftp/anonymous
- search ftp_login
use auxiliary/scanner/[tab]
- Try many of them; practice hands-on.