
# MSF Service Scanning and Brute Forcing

## MSF Service Discovery

These modules are commonly used to discover common services inside the local network, such as HTTP, FTP and Telnet.

Searching for MSF modules:

```
[root@localhost ~]# msfconsole
msf5 > search scanner type:auxiliary
msf5 > search scanner/http type:auxiliary        // search all HTTP-related modules
```

Discovering HTTP services, based on `scanner/http/http_version`:

```
msf5 > use scanner/http/http_version
msf5 auxiliary(scanner/http/http_version) > show options

Module options (auxiliary/scanner/http/http_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/http/http_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/http/http_version) > set rport 80
rport => 80

msf5 auxiliary(scanner/http/http_version) > exploit
[+] 192.168.1.7:80 Apache/2.4.6 (CentOS) PHP/5.4.16 ( Powered by PHP/5.4.16, 302-login.php )
[+] 192.168.1.3:80 Apache/2.5.0 (CentOS) PHP/7.0.0 ( Powered by PHP/7.0.0, 302-admin.php )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Discovering SMB services, based on `scanner/smb/smb_version`:

```
msf5 > use scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/smb/smb_version) > set threads 10
threads => 10

msf5 auxiliary(scanner/smb/smb_version) > exploit
[+] 192.168.1.2:445       - Host is running Windows 10 China (name:lyshark) (workgroup:lyshark)
[*] 192.168.1.7:445       - Host could not be identified: Windows 6.1 (Samba 4.8.3)
[*] 192.168.1.0/24:445    - Scanned  26 of 256 hosts (10% complete)
[*] 192.168.1.0/24:445    - Caught interrupt from the console...
[*] Auxiliary module execution completed
```

Discovering FTP services, based on `scanner/ftp/ftp_version`:

```
msf5 > use scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  [email protected]  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS   192.168.1.0/24       yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port (TCP)
   THREADS  10                   yes       The number of concurrent threads

msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set threads 10
threads => 10

msf5 auxiliary(scanner/ftp/ftp_version) > exploit

[+] 192.168.1.7:21        - FTP Banner: '220 (vsFTPd 3.0.2)\x0d\x0a'
[*] 192.168.1.0/24:21     - Scanned  32 of 256 hosts (12% complete)
[*] 192.168.1.0/24:21     - Caught interrupt from the console...
[*] Auxiliary module execution completed
```

Discovering SSH services, based on `auxiliary/scanner/ssh/ssh_version`:

```
msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port (TCP)
   THREADS  10               yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ssh/ssh_version) > set threads 10
threads => 10

msf5 auxiliary(scanner/ssh/ssh_version) > exploit

[+] 192.168.1.7:22        - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.4 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.1.0/24:22     - Caught interrupt from the console...
[*] Auxiliary module execution completed
```

Discovering Telnet services, based on `auxiliary/scanner/telnet/telnet_version`:

```
msf5 > use auxiliary/scanner/telnet/telnet_version
msf5 auxiliary(scanner/telnet/telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS    192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT     23               yes       The target port (TCP)
   THREADS   10               yes       The number of concurrent threads
   TIMEOUT   30               yes       Timeout for the Telnet probe
   USERNAME                   no        The username to authenticate as

msf5 auxiliary(scanner/telnet/telnet_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/telnet/telnet_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/telnet/telnet_version) > exploit

[-] 192.168.1.1:23        - A network issue has occurred: The connection was refused by the remote host (192.168.1.1:23).
[-] 192.168.1.7:23        - A network issue has occurred: The connection was refused by the remote host (192.168.1.7:23).
[-] 192.168.1.0:23        - A network issue has occurred: The host (192.168.1.0:23) was unreachable.
[-] 192.168.1.10:23       - A network issue has occurred: The connection was refused by the remote host (192.168.1.10:23).
[-] 192.168.1.3:23        - A network issue has occurred: The connection was refused by the remote host (192.168.1.3:23).
[-] 192.168.1.5:23        - A network issue has occurred: The host (192.168.1.5:23) was unreachable.
[*] 192.168.1.0/24:23     - Caught interrupt from the console...
[*] Auxiliary module execution completed
```

Discovering MySQL services, based on `auxiliary/scanner/mysql/mysql_version`:

```
msf5 > use auxiliary/scanner/mysql/mysql_version
msf5 auxiliary(scanner/mysql/mysql_version) > show options

Module options (auxiliary/scanner/mysql/mysql_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.7      yes       The target address range or CIDR identifier
   RPORT    3306             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads

msf5 auxiliary(scanner/mysql/mysql_version) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/mysql/mysql_version) > set rport 3306
rport => 3306
msf5 auxiliary(scanner/mysql/mysql_version) > exploit

[*] 192.168.1.7:3306      - 192.168.1.7:3306 is running MySQL, but responds with an error: \x04Host '192.168.1.7' is not allowed to connect to this MariaDB server
[*] 192.168.1.7:3306      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Discovering MSSQL (SQL Server) services, based on `auxiliary/scanner/mssql/mssql_ping`:

```
msf5 > use auxiliary/scanner/mssql/mssql_ping
msf5 auxiliary(scanner/mssql/mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS               192.168.1.0/24   yes       The target address range or CIDR identifier
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              10               yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/mssql/mssql_ping) > set threads 10
threads => 10

msf5 auxiliary(scanner/mssql/mssql_ping) > run
```

Discovering Oracle services, based on `auxiliary/scanner/oracle/tnslsnr_version`:

```
msf5 > use auxiliary/scanner/oracle/tnslsnr_version
msf5 auxiliary(scanner/oracle/tnslsnr_version) > show options

Module options (auxiliary/scanner/oracle/tnslsnr_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT    1521             yes       The target port (TCP)
   THREADS  10               yes       The number of concurrent threads

msf5 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/oracle/tnslsnr_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/oracle/tnslsnr_version) > run
```

## MSF Host Discovery

MSF provides several auxiliary modules for host discovery. They live in the `modules/auxiliary/scanner/discovery/` directory and are mainly `arp_sweep`, `ipv6_multicast_ping`, `ipv6_neighbor`, `ipv6_neighbor_router_advertisement`, `udp_probe` and `udp_sweep`. The following covers usage tips for the most commonly used ones.

ARP discovery of live internal hosts, based on `scanner/discovery/arp_sweep`:

```
msf5 > use scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set threads 10
threads => 10

msf5 auxiliary(scanner/discovery/arp_sweep) > exploit

[+] 192.168.1.1 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.1 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

UDP discovery of internal hosts, based on `scanner/discovery/udp_sweep`:

```
msf5 > use scanner/discovery/udp_sweep
msf5 auxiliary(scanner/discovery/udp_sweep) > show options

Module options (auxiliary/scanner/discovery/udp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
   THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/discovery/udp_sweep) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/udp_sweep) > exploit

[*] Sending 13 probes to 192.168.1.0->192.168.1.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.1.2:137 (lyshark:<20>:U :lysahrk:<00>:U :lyshark:<00>:G :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U :__MSBROWSE__:<01>:G :a4:be:c8:fe:ac:z4)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

ACK scan for live internal hosts, based on `auxiliary/scanner/portscan/ack`:

```
msf5 > use auxiliary/scanner/portscan/ack
msf5 auxiliary(scanner/portscan/ack) > show options

Module options (auxiliary/scanner/portscan/ack):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/ack) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/ack) > set threads 10
threads => 10

msf5 auxiliary(scanner/portscan/ack) > exploit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

SYN scan for internal hosts, based on `auxiliary/scanner/portscan/syn`:

```
msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-1024           yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/syn) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/syn) > run
```

TCP scan for internal hosts, based on `auxiliary/scanner/portscan/tcp`:

```
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.1.7      yes       The target address range or CIDR identifier
   THREADS      10               yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.1.7:          - 192.168.1.7:21 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:22 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:80 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:139 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:445 - TCP OPEN
[*] 192.168.1.7:          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
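
The scanner sessions above only become useful to an asset owner once their result lines are turned into an inventory. The following added example (my code, not from the original post) parses the `[+]`/`[*]` result lines in the shape msfconsole prints them into a per-host service table, lists ports that the version scanners could not fingerprint, and flags cleartext protocols (FTP, Telnet) for remediation. The sample lines are constructed from the output shown on this page; the keyword table, service names and `PORT_NAMES` fallback are my own assumptions.

```python
import re
from collections import defaultdict

# "[+] host:port - message" as printed by MSF auxiliary scanners; http_version omits the " - "
# separator and portscan/tcp leaves the port empty. "[*]" lines carry smb/mysql fingerprints.
LINE_RE = re.compile(r"^\[[+*]\]\s+(?P<host>\d+(?:\.\d+){3}):(?P<port>\d*)\s*-?\s*(?P<body>.*\S)")
OPEN_RE = re.compile(r"^(?P<host>\d+(?:\.\d+){3}):(?P<port>\d+) - TCP OPEN$")
# Scanner wording -> service name (assumed table); anything else falls back to the port.
KEYWORDS = [("ftp banner", "ftp"), ("ssh server version", "ssh"), ("host is running", "smb"),
            ("host could not be identified", "smb"), ("is running mysql", "mysql")]
PORT_NAMES = {80: "http", 443: "https", 23: "telnet"}
CLEARTEXT = {"ftp", "telnet"}  # credentials cross the wire unencrypted

# Constructed sample modelled on the msfconsole output shown above (not a real capture).
SAMPLE_OUTPUT = """\
[+] 192.168.1.7:80 Apache/2.4.6 (CentOS) PHP/5.4.16 ( Powered by PHP/5.4.16, 302-login.php )
[*] Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.2:445       - Host is running Windows 10 China (name:lyshark) (workgroup:lyshark)
[*] 192.168.1.7:445       - Host could not be identified: Windows 6.1 (Samba 4.8.3)
[+] 192.168.1.7:21        - FTP Banner: '220 (vsFTPd 3.0.2)\\x0d\\x0a'
[+] 192.168.1.7:22        - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 )
[*] 192.168.1.7:3306      - 192.168.1.7:3306 is running MySQL, but responds with an error
[+] 192.168.1.7:          - 192.168.1.7:22 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:139 - TCP OPEN
[*] 192.168.1.7:          - Scanned 1 of 1 hosts (100% complete)
"""


def classify(port, body):
    """Name the service from the scanner's wording, falling back to the port number."""
    low = body.lower()
    return next((svc for kw, svc in KEYWORDS if kw in low), PORT_NAMES.get(port, "unknown"))


def build_inventory(text):
    """Return {host: {port: (service, detail)}} from raw scanner output."""
    inventory = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["body"].startswith(("Scanned", "Caught interrupt")):
            continue  # progress chatter, not a finding
        open_m = OPEN_RE.match(m["body"])
        if open_m:  # portscan/tcp result: record the port but never overwrite a banner
            inventory[open_m["host"]].setdefault(int(open_m["port"]), ("unidentified", "TCP OPEN"))
        else:
            port = int(m["port"])
            inventory[m["host"]][port] = (classify(port, m["body"]), m["body"])
    return dict(inventory)


def review_findings(inventory):
    """Ports no version scanner fingerprinted, plus cleartext services, for follow-up."""
    items = [(h, p, svc) for h, ports in inventory.items() for p, (svc, _) in ports.items()]
    return {"unidentified": sorted((h, p) for h, p, s in items if s == "unidentified"),
            "cleartext": sorted(t for t in items if t[2] in CLEARTEXT)}
```

Feed it `msfconsole -o` output or a `spool` file instead of `SAMPLE_OUTPUT` to build the table for a real assessment.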

## MSF Service Brute Forcing

For the services discovered, the next goal is to try to brute-force their login passwords. Whether the attempt succeeds depends on having a well-prepared (socially engineered) wordlist. Only the usage of a few service brute-force modules is shown here, and only their configuration: brute forcing takes too long, so no actual run is performed.

SSH password brute forcing:

```
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.7
set username root
set pass_file /root/pass.txt
set threads 10
exploit
```

Samba password brute forcing:

```
use auxiliary/scanner/smb/smb_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
set threads 10
exploit
```

FTP password brute forcing:

```
use scanner/ftp/ftp_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
set threads 10
exploit
```

MySQL password brute forcing:

```
search mysql
use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit
```

PostgreSQL password brute forcing:

```
use auxiliary/scanner/postgres/postgres_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit
```

Tomcat password brute forcing:

```
search tomcat

use auxiliary/scanner/http/tomcat_mgr_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit
```

Telnet password brute forcing:

```
use auxiliary/scanner/telnet/telnet_login
set rhosts 192.168.1.7
set username administrator
set pass_file /root/pass.txt
exploit
```

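On the receiving end, a password-file run such as the `ssh_login` configuration above appears in the sshd log as a burst of `Failed password` lines from one source address. The following added example (my code, not from the original post) implements the matching detection: a sliding window over sshd auth-log lines that raises an alert once five failures arrive from one source within 60 seconds, and marks the source as a probable compromise if an `Accepted` login follows the burst. The log lines, hostnames, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd lines as written to /var/log/secure or auth.log (syslog timestamp, no year).
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+(?:\.\d+){3}) port \d+ ssh2")
THRESHOLD = 5        # this many failures from one source ...
WINDOW_SECONDS = 60  # ... within this window raises an alert (assumed values)

# Constructed sample (not a real capture): a password-list run against root from .20 that
# ends in a successful login, and one ordinary mistyped password from .50.
SAMPLE_LOG = """\
Mar 18 10:21:01 web01 sshd[2231]: Failed password for root from 192.168.1.20 port 51024 ssh2
Mar 18 10:21:01 web01 sshd[2233]: Failed password for root from 192.168.1.20 port 51026 ssh2
Mar 18 10:21:02 web01 sshd[2235]: Failed password for invalid user admin from 192.168.1.20 port 51028 ssh2
Mar 18 10:21:02 web01 sshd[2237]: Failed password for root from 192.168.1.20 port 51030 ssh2
Mar 18 10:21:03 web01 sshd[2239]: Failed password for root from 192.168.1.20 port 51032 ssh2
Mar 18 10:21:05 web01 sshd[2243]: Accepted password for root from 192.168.1.20 port 51040 ssh2
Mar 18 10:25:40 web01 sshd[2300]: Failed password for alice from 192.168.1.50 port 40000 ssh2
Mar 18 10:26:10 web01 sshd[2301]: Accepted publickey for alice from 192.168.1.50 port 40001 ssh2
"""


def parse(line, year=2024):
    """Return (timestamp, result, user, src), or None for lines that are not auth events."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(text):
    """Map each offending source IP to its failure count, tried users and outcome."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    users = defaultdict(set)
    alerts = {}
    for line in text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, result, user, src = event
        window = recent[src]
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()  # forget failures older than the window
        if result == "Failed":
            window.append(ts)
            users[src].add(user)
            if len(window) >= THRESHOLD:
                alert = alerts.setdefault(src, {"failures": 0, "compromised": False})
                alert["failures"] = max(alert["failures"], len(window))
                alert["users"] = sorted(users[src])
        elif src in alerts:  # a success after a failure burst is the case that matters most
            alerts[src].update(compromised=True, account=user)
    return alerts
```

The same window logic applies to the FTP, MySQL and other login modules listed above once their services' own failed-login records are parsed into the same (timestamp, result, user, src) shape.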
Source:

https://www.cnblogs.com/LyShark/p/10565941.html

Copyright notice:

The articles and code in this blog are notes compiled while studying. Except for articles that explicitly cite references, all other articles are original works; when reposting, please add the source. Your adding the source is my motivation to keep writing!

If you maliciously repost my articles and I discover it, then the articles on your whole site will become my original works. Please respect each other!