1. Introduction
- Use the results of information gathering to search for matching exploit modules
- Combine with an external vulnerability scanning system to batch-scan large IP address ranges
- Keep the false positive rate and the false negative rate in mind when reading results
2. VNC password brute force
- use auxiliary/scanner/vnc/vnc_login
  msf > use auxiliary/scanner/vnc/vnc_login
  msf auxiliary(scanner/vnc/vnc_login) > set BLANK_PASSWORDS true
  msf auxiliary(scanner/vnc/vnc_login) > set THREADS 20
  msf auxiliary(scanner/vnc/vnc_login) > set RHOSTS 10.10.10.142
  msf auxiliary(scanner/vnc/vnc_login) > run
3. VNC access without a password (no password configured)
- use auxiliary/scanner/vnc/vnc_none_auth
- A server that requires no authentication is reported as: supported : None, free access!
  msf > use auxiliary/scanner/vnc/vnc_none_auth
  msf auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 10.10.10.142
  msf auxiliary(scanner/vnc/vnc_none_auth) > run
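What vnc_none_auth actually inspects is the RFB security handshake: after the version exchange the server lists the security types it supports, and type 1 ("None") means a client is let in without any credential. The parser below is an added example written for these notes (it is not Metasploit code and does no network I/O): it decodes both the RFB 3.3 form (a single big-endian u32 type) and the 3.7/3.8 form (u8 count followed by the type list), and audits the result. The banner and payload bytes are constructed sample messages.

```python
"""Audit an RFB (VNC) security handshake: does the server offer security type
"None" (type 1), i.e. password-less access?  Constructed sample messages only."""
import struct

# Security types registered for RFB (names as used in the RFB specification).
SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def parse_version(banner):
    """Decode the 12-byte ProtocolVersion message, e.g. b"RFB 003.008\\n" -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version, payload):
    """Return the list of security types the server advertises for this version."""
    if version == (3, 3):
        # RFB 3.3: the server chooses one type and sends it as a big-endian u32.
        if len(payload) < 4:
            raise ValueError("truncated RFB 3.3 security message")
        (sec_type,) = struct.unpack("!I", payload[:4])
        return [sec_type]
    # RFB 3.7 and later: u8 count, then `count` u8 types.
    # A count of 0 means the server refused and a reason string follows.
    if not payload:
        raise ValueError("empty security-type message")
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("utf-8", errors="replace")
        raise ValueError("server refused connection: " + reason)
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def audit(banner, payload):
    """Summarise the handshake; no_auth is True when type 1 ("None") is offered."""
    version = parse_version(banner)
    types = parse_security_types(version, payload)
    names = [SECURITY_TYPE_NAMES.get(t, "unknown(%d)" % t) for t in types]
    return {"version": version, "types": names, "no_auth": 1 in types}


# Constructed sample handshakes (not captured from any real host).
BANNER_38 = b"RFB 003.008\n"
PAYLOAD_NONE_ONLY = b"\x01\x01"        # one type offered: None -> free access
PAYLOAD_VNCAUTH = b"\x02\x02\x13"      # two types: VNC Authentication, VeNCrypt
BANNER_33 = b"RFB 003.003\n"
PAYLOAD_33_VNCAUTH = struct.pack("!I", 2)  # 3.3 server chose VNC Authentication

if __name__ == "__main__":
    for banner, payload in ((BANNER_38, PAYLOAD_NONE_ONLY),
                            (BANNER_38, PAYLOAD_VNCAUTH),
                            (BANNER_33, PAYLOAD_33_VNCAUTH)):
        print(audit(banner, payload))
```

A server whose audit reports `no_auth: True` is the case the module prints as "free access"; the fix is to configure a VNC password (or, better, front the service with an authenticated tunnel) and to confirm the handshake no longer lists type 1.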
4. RDP remote desktop vulnerability (MS12-020)
- use auxiliary/scanner/rdp/ms12_020_check
- The check does not cause a DoS against the target
  msf > use auxiliary/scanner/rdp/ms12_020_check
  msf auxiliary(scanner/rdp/ms12_020_check) > set RHOSTS 10.10.10.140-150
  msf auxiliary(scanner/rdp/ms12_020_check) > run
- A positive result indicates the host is vulnerable
5. Device backdoors
- use auxiliary/scanner/ssh/juniper_backdoor  # Juniper firewalls
- use auxiliary/scanner/ssh/fortinet_backdoor # Fortinet firewalls
6. VMware ESXi password brute force
- use auxiliary/scanner/vmware/vmauthd_login
- use auxiliary/scanner/vmware/vmware_enum_vms
7. Powering on a virtual machine remotely via the web API
- use auxiliary/admin/vmware/poweron_vm
8. HTTP weakness scanning
- Expired certificates: use auxiliary/scanner/http/cert
  msf > use auxiliary/scanner/http/cert
  msf auxiliary(scanner/http/cert) > set RHOSTS 10.10.10.130-150
  msf auxiliary(scanner/http/cert) > set THREADS 20
  msf auxiliary(scanner/http/cert) > run
- Directory listing and file disclosure
  - use auxiliary/scanner/http/dir_listing
    msf > use auxiliary/scanner/http/dir_listing
    msf auxiliary(scanner/http/dir_listing) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/dir_listing) > set PATH dav
    msf auxiliary(scanner/http/dir_listing) > run
  - use auxiliary/scanner/http/files_dir
    msf auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/files_dir
    msf auxiliary(scanner/http/files_dir) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/files_dir) > run
- WebDAV Unicode-encoding authentication bypass
  - use auxiliary/scanner/http/dir_webdav_unicode_bypass
    msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
    msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set THREADS 20
    msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > run
- Tomcat manager login page
  - use auxiliary/scanner/http/tomcat_mgr_login
    msf > use auxiliary/scanner/http/tomcat_mgr_login
    msf auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/tomcat_mgr_login) > run
- Authentication bypass based on the HTTP method
  - use auxiliary/scanner/http/verb_auth_bypass
    msf > use auxiliary/scanner/http/verb_auth_bypass
    msf auxiliary(scanner/http/verb_auth_bypass) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/verb_auth_bypass) > run
- WordPress password brute force
  - use auxiliary/scanner/http/wordpress_login_enum
    msf > use auxiliary/scanner/http/wordpress_login_enum
    msf auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 10.10.10.151
    msf auxiliary(scanner/http/wordpress_login_enum) > run
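The verb_auth_bypass check above looks for a protected resource that answers 401 to GET but 200 to some other method. The root cause is an access control applied only to an allow-list of methods, for example an Apache `<Limit GET POST>` block, which restricts only the listed methods and leaves every other verb unprotected. The snippet below is an added example (not Metasploit's code and not a real web server) that models the vulnerable policy beside a hardened one and reports which unauthenticated requests reach the protected path. The path prefix, credential and request list are constructed for the demonstration.

```python
"""Model of method-based authentication bypass: an auth check scoped to an
allow-list of HTTP methods versus one that applies to every request.
Paths, credentials and requests below are constructed sample values."""

PROTECTED_PREFIX = "/admin/"
VALID_CREDENTIAL = ("admin", "example-only-password")  # constructed, not real


def _credentials_ok(auth):
    return auth == VALID_CREDENTIAL


def authorize_vulnerable(method, path, auth):
    """Vulnerable policy: authentication is enforced only for GET and POST,
    the pattern produced by an Apache <Limit GET POST> block.  Any other verb
    (PUT, DELETE, or an invented one) reaches the protected path unauthenticated."""
    if path.startswith(PROTECTED_PREFIX) and method in ("GET", "POST"):
        return 200 if _credentials_ok(auth) else 401
    return 200


# Methods the application actually implements; anything else is refused outright.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def authorize_hardened(method, path, auth):
    """Hardened policy: reject methods the app does not implement (405), then
    apply the credential check to the path regardless of method."""
    if method not in ALLOWED_METHODS:
        return 405
    if path.startswith(PROTECTED_PREFIX):
        return 200 if _credentials_ok(auth) else 401
    return 200


# Constructed probe set: the same protected path requested with several verbs.
REQUESTS = [
    ("GET", "/admin/", None),
    ("PUT", "/admin/", None),
    ("DELETE", "/admin/", None),
    ("FOO", "/admin/", None),          # an invented verb, as the scanner also tries
    ("GET", "/admin/", VALID_CREDENTIAL),
    ("GET", "/index.html", None),
]


def bypasses(policy):
    """Methods that reach a protected path with no credentials and still get 200."""
    return [m for m, p, a in REQUESTS
            if p.startswith(PROTECTED_PREFIX) and a is None and policy(m, p, a) == 200]


if __name__ == "__main__":
    print("vulnerable policy bypassed by:", bypasses(authorize_vulnerable))
    print("hardened policy bypassed by:  ", bypasses(authorize_hardened))
```

The hardened variant is what you want to verify after remediation: re-running the scanner should show the same status code for every verb on the protected path, with unsupported verbs refused rather than served.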
9. wmap
- WMAP web application scanner
- Developed following the way sqlmap works
- load wmap
- wmap_sites -a http://1.1.1.1
- wmap_targets -t http://1.1.1.1/mutillidae/index.php
- wmap_run -t # list all modules
- wmap_run -e # start the scan
- wmap_vulns -l # view the vulnerabilities found
- vulns
  msf > load wmap
  msf > wmap_sites -h
  msf > wmap_sites -a http://10.10.10.132
  msf > wmap_targets -t http://10.10.10.132/mutillidae/index.php
  msf > wmap_run -h
  msf > wmap_run -t
  msf > wmap_run -e
  msf > wmap_vulns -l
  msf > vulns
10. openvas
- load openvas
- Command-line mode; it needs configuration and is used frequently
  msf > load openvas
  msf > openvas_help
- Generate a report after scanning with the scanner
- Import the NBE-format scan log into msf
- db_import openvas.nbe
  msf > db_import 1.nbe
  msf > vulns
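db_import recognises the NBE file by its pipe-separated records: `timestamps|...` lines bracket the scan and each host, and `results|subnet|host|service|plugin_id|severity|description` lines carry the findings (a `results` line with only four fields records an open port, and newlines inside descriptions are escaped as a literal `\n`). The parser below is an added example written for these notes, not Metasploit's importer; it turns a constructed NBE excerpt into findings and summarises the worst severity per host, which is what you would check against `vulns` after the import. The plugin IDs and hosts in the sample are invented.

```python
"""Parse an NBE (Nessus/OpenVAS legacy export) file into findings and summarise
severity per host.  SAMPLE_NBE is a constructed excerpt with invented plugin IDs."""

SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}

SAMPLE_NBE = """\
timestamps|||scan_start|Wed Jan  1 10:00:00 2020|
timestamps||10.10.10.132|host_start|Wed Jan  1 10:00:01 2020|
results|10.10.10|10.10.10.132|ssh (22/tcp)
results|10.10.10|10.10.10.132|http (80/tcp)|900001|Security Note|Web server banner.\\nServer: Apache
results|10.10.10|10.10.10.132|http (80/tcp)|900002|Security Hole|WebDAV is enabled on the remote server.
results|10.10.10|10.10.10.142|vnc (5900/tcp)|900003|Security Warning|VNC server accepts connections without a password.
timestamps||10.10.10.132|host_end|Wed Jan  1 10:05:00 2020|
"""


def parse_nbe(text):
    """Return a list of dicts, one per `results` record; open-port records have
    plugin_id, severity and description set to None."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split("|")
        if fields[0] != "results":
            continue  # timestamps and any other record types are skipped here
        if len(fields) == 4:
            subnet, host, service = fields[1:4]
            findings.append({"host": host, "service": service, "plugin_id": None,
                             "severity": None, "description": None})
        elif len(fields) >= 7:
            subnet, host, service, plugin_id, severity = fields[1:6]
            # Descriptions may themselves contain '|', so rejoin the remainder.
            description = "|".join(fields[6:]).replace("\\n", "\n")
            if severity not in SEVERITY_RANK:
                raise ValueError("line %d: unknown severity %r" % (lineno, severity))
            findings.append({"host": host, "service": service, "plugin_id": plugin_id,
                             "severity": severity, "description": description})
        else:
            raise ValueError("line %d: malformed results record" % lineno)
    return findings


def open_ports(findings):
    """Services seen per host, from every results record."""
    ports = {}
    for f in findings:
        ports.setdefault(f["host"], set()).add(f["service"])
    return {h: sorted(s) for h, s in ports.items()}


def worst_severity_by_host(findings):
    """Highest severity reported for each host that has at least one plugin finding."""
    worst = {}
    for f in findings:
        if f["severity"] is None:
            continue
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK.get(worst.get(f["host"]), 0):
            worst[f["host"]] = f["severity"]
    return worst


if __name__ == "__main__":
    parsed = parse_nbe(SAMPLE_NBE)
    print(open_ports(parsed))
    print(worst_severity_by_host(parsed))
```

Comparing `worst_severity_by_host` with the `vulns` listing after `db_import` is a quick way to confirm nothing was dropped by the import.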
11. Running a Nessus scan directly from MSF
- load nessus
- nessus_help
- nessus_connect admin:toor@1.1.1.1
- nessus_policy_list
- nessus_scan_new
- nessus_report_list