MSF: Information Gathering, Discovery and Port Scanning

MSF – Information gathering

  • Nmap scan

    • db_nmap -sV 192.168.0.1/24
  • Auxiliary scan modules

    • Host discovery

      • search arp
      • use auxiliary/scanner/discovery/arp_sweep
      • set INTERFACE, RHOSTS, SHOST, SMAC, THREADS
      • run
    • Port scan

      • search portscan
      • use auxiliary/scanner/portscan/syn
      • set INTERFACE, PORTS, RHOSTS, THREADS
      • run
    • Idle scan

      • Find a suitable host with ipidseq
        • use auxiliary/scanner/ip/ipidseq
        • set rhosts 192.168.43.1/24
        • run
      • nmap -PN -sI 192.168.43.117
    • UDP scan

      • use auxiliary/scanner/discovery/udp_sweep
      • udp_probe (same path)
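The ipidseq step above works by sending a few probes and classifying how the target's IPv4 Identification field changes between replies. The classifier below is an added example, not Metasploit or nmap code: it reproduces the category names those tools print (thresholds are my reading of nmap's categories, so treat them as an assumption), and the six-value sequences are constructed samples, not captured traffic. From a defender's side, any host in your own estate that classifies as "Incremental" has a predictable IP ID and can be abused by a third party as an idle-scan relay; stacks that randomize the field show up as "Randomized".

```python
"""Classify an IPv4 Identification (IP ID) sequence the way the ipidseq
module and nmap -O report it. Added example, not Metasploit code; the
thresholds follow nmap's categories as I understand them (assumption) and
the sample sequences are constructed, not captured."""
from typing import Dict, List

# Constructed samples: six IP IDs as returned by six back-to-back probes.
SAMPLES: Dict[str, List[int]] = {
    "incremental": [0x1A2B, 0x1A2C, 0x1A2D, 0x1A2E, 0x1A2F, 0x1A30],
    "byte_swapped": [0x2B1A, 0x2C1A, 0x2D1A, 0x2E1A, 0x2F1A, 0x301A],
    "positive_increments": [100, 135, 290, 301, 560, 900],
    "randomized": [0x83F1, 0x02C9, 0xE5A0, 0x4B17, 0x9D08, 0x3C5E],
    "all_zero": [0, 0, 0, 0, 0, 0],
    "constant": [0x4242] * 6,
}


def _deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive 16-bit IDs, modulo 2**16."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int]) -> str:
    """Return the IP ID sequence class for one host."""
    if len(ids) < 3:
        raise ValueError("need at least three probe responses")
    if all(i == 0 for i in ids):
        return "All zeros"
    d = _deltas(ids)
    if all(x == 0 for x in d):
        return "Constant"
    # Some stacks emit the counter byte-swapped, so every step is a
    # multiple of 256 (a small increment in the high byte).
    if all(x % 256 == 0 and x <= 5120 for x in d):
        return "Broken little-endian incremental"
    if all(x < 10 for x in d):
        return "Incremental"
    if all(x < 1000 for x in d):
        return "Random positive increments"
    return "Randomized"


def usable_as_zombie(ids: List[int]) -> bool:
    """True when the host's IP ID is predictable enough for an idle scan,
    i.e. the property a defender wants to be absent."""
    return classify_ipid(ids) in ("Incremental", "Broken little-endian incremental")


def audit(samples: Dict[str, List[int]]) -> Dict[str, str]:
    """Classify every sampled host; the constructed SAMPLES cover each class."""
    return {name: classify_ipid(seq) for name, seq in samples.items()}


if __name__ == "__main__":
    for name, cls in audit(SAMPLES).items():
        print(f"{name:20s} {cls:35s} zombie-candidate={usable_as_zombie(SAMPLES[name])}")
```

The check is ordered deliberately: the constant and byte-swapped tests must run before the plain "Incremental" test, because a delta of 0 or 256 would otherwise be misclassified.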
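The SYN port scan described above leaves a distinctive trace on the target side: one source touching many distinct ports on one host in a short window, with most attempts unanswered or reset. The detector below is an added example written from the monitoring side, not Metasploit code; the log format (`epoch src dst dport proto state`) and the state tokens `noreply`, `rst` and `synack` are my own constructed conventions, and the traffic is generated inline rather than captured.

```python
"""Flag SYN-scan style behaviour in connection logs. Added example, not
Metasploit code; the log format, state tokens and traffic are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed conn-log line format: "<epoch> <src> <dst> <dport> <proto> <state>".
# Constructed state tokens: noreply = SYN never answered, rst = SYN answered
# by RST (closed), synack = SYN answered by SYN/ACK (open).
OPEN_PORTS = (22, 25, 53)


def build_sample_log() -> List[str]:
    """One host sweeps 40 ports on 192.168.0.1 within a second; a normal
    client talks to two services repeatedly. Both are constructed."""
    lines = []
    for i, port in enumerate(range(20, 60)):
        if port in OPEN_PORTS:
            state = "synack"
        else:
            state = "rst" if port % 2 else "noreply"
        lines.append(f"1700000000.{i:03d} 192.168.0.50 192.168.0.1 {port} tcp {state}")
    for i in range(20):
        port = 443 if i % 2 else 80
        lines.append(f"1700000010.{i:03d} 192.168.0.20 192.168.0.1 {port} tcp synack")
    return lines


def parse_line(line: str) -> Tuple[float, str, str, int, str, str]:
    ts, src, dst, dport, proto, state = line.split()
    return float(ts), src, dst, int(dport), proto, state


def detect_port_scans(lines: List[str], window: float = 5.0,
                      min_ports: int = 15) -> Dict[Tuple[str, str], dict]:
    """Return {(src, dst): summary} for pairs whose connections touch at
    least `min_ports` distinct TCP ports inside any `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, proto, state = parse_line(line)
        if proto == "tcp":
            events[(src, dst)].append((ts, dport, state))

    findings = {}
    for pair, ev in events.items():
        ev.sort()
        lo = 0
        # Sliding window over time-ordered events for this source/dest pair.
        for hi in range(len(ev)):
            while ev[hi][0] - ev[lo][0] > window:
                lo += 1
            win = ev[lo:hi + 1]
            ports = {p for _, p, _ in win}
            if len(ports) >= min_ports:
                findings[pair] = {
                    "ports": len(ports),
                    "unanswered": sum(1 for _, _, s in win if s in ("noreply", "rst")),
                    "open_seen": sorted({p for _, p, s in win if s == "synack"}),
                }
                break
    return findings


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(build_sample_log()).items():
        print(f"scan from {src} to {dst}: {info}")
```

The distinct-port count is the signal that survives THREADS and rate tuning on the scanner side; the unanswered ratio separates a sweep from a busy but legitimate client, and `open_seen` tells the responder which services the scanner actually learned about.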

  • Password sniffing

    • psnuffle: extracts passwords from a pcap capture file; functionally similar to dsniff
    • Supports POP3, IMAP, FTP and HTTP GET
  • SNMP scan

    • metasploitable: vi /etc/default/snmpd
      • change the listening address
    • use auxiliary/scanner/snmp/snmp_login
    • use auxiliary/scanner/snmp/snmp_enum
    • snmp_enumusers (same path)
    • snmp_enumshares (same path)
  • SMB version scan

    • use auxiliary/scanner/smb/smb_version
  • Scan named pipes to determine the SMB service type (account, password)

    • use auxiliary/scanner/smb/pipe_auditor
  • Scan for DCERPC services reachable over SMB pipes

    • use auxiliary/scanner/smb/pipe_dcerpc_auditor
  • SMB share enumeration (account, password)

    • use auxiliary/scanner/smb/smb_enumshares
  • SMB user enumeration

    • use auxiliary/scanner/smb/smb_enumusers
  • User SID enumeration

    • use auxiliary/scanner/smb/smb_lookupsid

  • SSH version scan

    • use auxiliary/scanner/ssh/ssh_version
  • SSH password brute force

    • use auxiliary/scanner/ssh/ssh_login
      • set userpass_file /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
      • set verbose true
      • run
  • SSH public-key login

    • use auxiliary/scanner/ssh/ssh_login_pubkey
      • set key_file id_rsa (a key obtained by whatever means)
      • set username root
      • run
  • Missing Windows patches

    • Checked from a session that has already been obtained

    • use post/windows/gather/enum_patches

    • If the check fails

      • Known bug in WMI query, try migrating to another process
      • Migrate to another process and try again
  • MSSQL port scan

    • TCP 1433 or a dynamic port; if dynamic, query UDP 1434 for the TCP port number
    • use auxiliary/scanner/mssql/mssql_ping
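The "query UDP 1434 for the TCP port" step is the SQL Server Resolution Protocol (SSRP): the SQL Browser service answers with an ASCII list of instances and the TCP port each one listens on, which is what mssql_ping reads. The parser below is an added example, not Metasploit code; the reply bytes are constructed to the MS-SQLR layout (a 0x05 byte, a 16-bit little-endian length, then `;`-separated key/value pairs with each instance record closed by `;;`), and the host and instance names are placeholders. From the defender's side this shows why an exposed UDP 1434 is an inventory leak: anyone who can reach it gets the instance names, versions and dynamic ports without credentials, so the usual mitigation is to filter the port and, where named instances are not needed, stop the Browser service or pin instances to static ports.

```python
"""Parse the SSRP SVR_RESP message that the SQL Browser service returns on
UDP 1434. Added example, not Metasploit code; the reply is constructed to
the MS-SQLR layout and the names in it are placeholders."""
from typing import Dict, List


def build_sample_response() -> bytes:
    """Constructed reply advertising a default instance on TCP 1433 and a
    named instance on a dynamic port (values are placeholders)."""
    data = (
        "ServerName;SQLHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
        "Version;15.0.2000.5;tcp;1433;;"
        "ServerName;SQLHOST01;InstanceName;SQLEXPRESS;IsClustered;No;"
        "Version;15.0.2000.5;tcp;49172;"
        "np;\\\\SQLHOST01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
    ).encode("ascii")
    # SVR_RESP: 0x05, RESP_SIZE (uint16 little-endian), RESP_DATA (ASCII)
    return b"\x05" + len(data).to_bytes(2, "little") + data


def parse_ssrp_response(payload: bytes) -> List[Dict[str, str]]:
    """Return one dict of key/value pairs per advertised instance."""
    if len(payload) < 3 or payload[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP message")
    size = int.from_bytes(payload[1:3], "little")
    if len(payload) - 3 < size:
        raise ValueError("truncated SSRP response")
    data = payload[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in data.split(";;"):
        if not record:
            continue  # trailing empty piece after the final ';;'
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError(f"odd field count in record: {record!r}")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_ports(instances: List[Dict[str, str]]) -> Dict[str, int]:
    """Map instance name to its TCP listener; instances without a 'tcp'
    entry are pipe-only and skipped."""
    return {i["InstanceName"]: int(i["tcp"]) for i in instances if "tcp" in i}


if __name__ == "__main__":
    for name, port in tcp_ports(parse_ssrp_response(build_sample_response())).items():
        print(f"{name}: tcp/{port}")
```

The length check before decoding matters because the reply arrives in a single UDP datagram and a truncated or spoofed datagram should fail closed rather than yield a half-parsed instance record.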
  • Brute-force MSSQL password

    • use auxiliary/scanner/mssql/mssql_login
  • Remote code execution

    • use auxiliary/admin/mssql/mssql_exec
    • set cmd net user user pass /add
  • FTP version scan

    • search ftp_version
  • Whether FTP allows anonymous login

    • search anonymous
    • search ftp/anonymous
    • search ftp_login
  • use auxiliary/scanner/[tab]

    • Try many of them; practice hands-on.