Targeted scanning means looking in the target network for specific operating systems, services, software and configuration flaws that carry known exploitable vulnerabilities or give an easy way to a backdoor. For example, quickly sweeping the target network for hosts vulnerable to MS08-067 is a very common activity: MS08-067 is (still) a widespread vulnerability that gets you SYSTEM access quickly, which is far easier than scanning the whole network for every vulnerability and only then attacking.
1. Server Message Block (SMB) scanning
Metasploit can use its smb_version module to sweep a network and report the Windows version of every host that answers.
Load the module, list its options, set RHOSTS (a single address or a CIDR range) and start the scan:

msf > use scanner/smb/smb_version
msf  auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf  auxiliary(smb_version) > set RHOSTS 192.168.119.132
RHOSTS => 192.168.119.132
msf  auxiliary(smb_version) > run

[*] 192.168.119.132:139 is running Windows XP Service Pack 3 (language: Chinese - Traditional) (name:PC-201403241103) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  

2. Finding misconfigured Microsoft SQL Servers
A misconfigured Microsoft SQL Server (MS SQL) is often the first backdoor into a target system.
After installation, MS SQL listens by default on TCP port 1433, or on a random dynamic TCP port. When MS SQL is listening on a random TCP port, a simple query to UDP port 1434 (answered by the SQL Server Browser service) returns that TCP port number. Metasploit's mssql_ping module does exactly this. Because the answer comes from the Browser service, the module only reports something when that service is running and UDP port 1434 is reachable; if the service is stopped or a firewall drops UDP 1434, the scan finishes with no instance information even though the database server itself may be up.

msf > use scanner/mssql/mssql_ping
msf  auxiliary(mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf  auxiliary(mssql_ping) > set RHOSTS 192.168.119.132
RHOSTS => 192.168.119.132
msf  auxiliary(mssql_ping) > set THREADS 255
THREADS => 255
msf  auxiliary(mssql_ping) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  

The SQL Server version I installed is as follows:
Microsoft SQL Server Management Studio        9.00.1399.00
Microsoft Analysis Services client tools      2005.090.1399.00
Microsoft Data Access Components (MDAC)       2000.085.1132.00 (xpsp.080413-0852)
Microsoft MSXML                               2.6 3.0 5.0 6.0
Microsoft Internet Explorer                   8.0.6001.18702
Microsoft .NET Framework                      2.0.50727.42
Operating system                              5.1.2600
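To see what mssql_ping actually does on the wire, here is an added example (not code from the original post or from Metasploit) that speaks the SQL Server Resolution Protocol (MS-SQLR) directly: it sends the one-byte CLNT_UCAST_EX request (0x03) to UDP/1434 and parses the SVR_RESP answer, which is a 0x05 byte, a little-endian length, and a string of key;value pairs with each instance record closed by ";;". The sample reply embedded below is constructed for the test (the host name is borrowed from the smb_version output above; the instance names, version and dynamic port 49172 are made up), and an empty result from the live ping is the same silence the module shows when the Browser service is off or UDP/1434 is filtered.

```python
import socket
import struct

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"  # MS-SQLR request: list every instance on this host
SVR_RESP = 0x05          # first byte of the Browser service's reply

# Constructed sample reply (not captured from the page's host): two instances,
# the default one on TCP 1433 and a named one on a dynamic port.
SAMPLE_BODY = (
    b"ServerName;PC-201403241103;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;1433;np;\\\\PC-201403241103\\pipe\\sql\\query;;"
    b"ServerName;PC-201403241103;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;49172;"
    b"np;\\\\PC-201403241103\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def parse_ssrp_response(data):
    """Parse an SVR_RESP message into one dict per advertised instance.

    Layout: 0x05, a little-endian 16-bit length, then an ASCII string of
    key;value pairs in which each instance record ends with ';;'.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    size = struct.unpack_from("<H", data, 1)[0]
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # trailing empty piece after the final ';;'
        inst = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        instances.append(inst)
    return instances


def tcp_port(instance):
    """Return the instance's TCP port as an int, or None if it only listens on named pipes."""
    port = instance.get("tcp")
    return int(port) if port and port.isdigit() else None


def mssql_ping(host, timeout=2.0):
    """Ask the SQL Server Browser service on `host` which instances it has.

    Returns an empty list when nothing answers, which is exactly what you see
    when the Browser service is stopped or UDP/1434 is filtered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.119.132"
    for inst in mssql_ping(target):
        print(target, inst.get("InstanceName"), inst.get("Version"), "tcp", tcp_port(inst))
```

The "tcp" field is the value you care about: it is the port you point the TCP-side MS SQL modules (or sqlcmd) at when the instance is not on 1433, and the "Version" string tells you which service pack level you are dealing with before you try any credential guessing.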

  

3. SSH server scanning
If you come across hosts running SSH (Secure Shell) during a scan, you should identify the SSH version. SSH is a secure protocol, but that security covers only the encryption of data in transit; security vulnerabilities have been found in many SSH implementations. Do not assume you will never meet an old, unpatched machine: that kind of luck may well land in your lap. The Metasploit framework's ssh_version module identifies the SSH version running on the target server.

msf > use scanner/ssh/ssh_version
msf  auxiliary(ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf  auxiliary(ssh_version) > set RHOSTS 192.168.119.144
RHOSTS => 192.168.119.144
msf  auxiliary(ssh_version) > run

[*] 192.168.119.144:22, SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(ssh_version) > 

4. FTP scanning

FTP is a complicated application-layer protocol with little built-in security, and FTP servers are often the most convenient way into a target network.

msf  auxiliary(anonymous) > use scanner/ftp/ftp_version
msf  auxiliary(ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS   192.168.119.141      yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port
   THREADS  1                    yes       The number of concurrent threads

msf  auxiliary(ftp_version) > set RHOSTS 192.126.119.48
RHOSTS => 192.126.119.48
msf  auxiliary(ftp_version) > run

[*] 192.126.119.48:21 FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
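Both ssh_version and ftp_version do the same simple thing: connect, read the greeting the server volunteers, and print it. The added example below (my code, not from the original post or from Metasploit) does that in Python for both services and, unlike the modules, parses the banners into fields you can search on: the SSH identification string per RFC 4253 section 4.2 (protocol version, software token, comments, with the rule that lines before the one starting with "SSH-" are ignored) and the FTP 220 greeting per RFC 959, including the multi-line "220-" form. The first SSH banner and the first FTP greeting are the strings the two scans above printed; the other two samples are constructed here to exercise the preamble and multi-line cases.

```python
import re
import socket

# Constructed sample banners. The first SSH string and the first FTP greeting are
# the ones the ssh_version and ftp_version runs above printed; the others are
# made up here to exercise the preamble and multi-line cases.
SAMPLE_SSH_BANNER = "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"
SAMPLE_SSH_WITH_PREAMBLE = "Welcome to the jump host\r\nSSH-2.0-libssh-0.6.3\r\n"
SAMPLE_FTP_GREETING = "220 Microsoft FTP Service\r\n"
SAMPLE_FTP_MULTILINE = (
    "220-Authorised users only.\r\n"
    "220-All sessions are logged.\r\n"
    "220 FTP server ready\r\n"
)


def parse_ssh_banner(text):
    """Parse an SSH identification string (RFC 4253, section 4.2).

    The server may send arbitrary lines before it, so the first line starting
    with 'SSH-' is the one that counts. Returns protoversion, the raw
    softwareversion token, a product/version split of it, and the comments.
    """
    for line in text.splitlines():
        if not line.startswith("SSH-"):
            continue
        ident, _, comments = line.partition(" ")
        parts = ident.split("-", 2)  # 'SSH', protoversion, softwareversion
        if len(parts) != 3 or not parts[1] or not parts[2]:
            raise ValueError("malformed SSH identification string: %r" % line)
        m = re.match(r"([A-Za-z]+)[_-]?(.*)$", parts[2])
        product, version = (m.group(1), m.group(2)) if m else (parts[2], "")
        return {
            "protoversion": parts[1],
            "software": parts[2],
            "product": product,
            "version": version,
            "comments": comments,
        }
    raise ValueError("no SSH identification line in %r" % text)


def parse_ftp_greeting(text):
    """Parse an FTP greeting (RFC 959, section 4.2), including the multi-line form.

    A multi-line reply opens with 'ddd-' and closes with a line starting 'ddd '.
    Returns (reply code, list of text lines).
    """
    lines = text.splitlines()
    if not lines or len(lines[0]) < 4 or not lines[0][:3].isdigit():
        raise ValueError("malformed FTP reply: %r" % text)
    code = lines[0][:3]
    body = []
    for line in lines:
        if line.startswith(code) and line[3:4] in (" ", "-"):
            body.append(line[4:])
            if line[3] == " ":
                break
        else:
            body.append(line)  # continuation line without the code prefix
    return int(code), body


def grab_banner(host, port, timeout=5.0, max_bytes=4096):
    """Connect and return what the server volunteers, decoded as ASCII.

    SSH and FTP servers both speak first, so no probe is sent. Keeps reading
    while the last line is an open FTP multi-line reply ('ddd-...').
    """
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        while len(data) < max_bytes:
            try:
                chunk = sock.recv(max_bytes - len(data))
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            if data.endswith(b"\n"):
                last = data.rstrip(b"\r\n").rsplit(b"\n", 1)[-1]
                if not re.match(rb"\d{3}-", last):
                    break
    return data.decode("ascii", errors="replace")


def scan_ssh(host, port=22):
    """Equivalent of ssh_version for one host, but returning parsed fields."""
    return parse_ssh_banner(grab_banner(host, port))


def scan_ftp(host, port=21):
    """Equivalent of ftp_version for one host, but returning (code, lines)."""
    return parse_ftp_greeting(grab_banner(host, port))


if __name__ == "__main__":
    print(scan_ssh("192.168.119.144"))  # the SSH host from the ssh_version run above
    print(scan_ftp("192.126.119.48"))   # the FTP host from the ftp_version run above
```

The parsed "product" and "version" fields are what you feed into a vulnerability lookup; the raw banner is only useful to a human. Keep in mind that a banner is self-reported: the Ubuntu "2ubuntu2" comment shows the package is distribution-patched, so the upstream version number alone is not proof that a given fix is missing.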