@MoCo菜弟弟
Looking at my small salary, the meagre housing fund the company pays in, and my longing for a happy life, I want to move to a company with better pay. If I'm going to switch, I should build myself up properly; I can't keep drifting along like this. I'm giving myself a little under a year and a half to make myself more attractive, in whatever area, learning a little every day, even if it's just half an hour. Keep going, 菜弟弟.
Information gathering
Passive information gathering
whois lookup
Use the whois lookup in Kali Linux to look up testfire.net:
msf5 > whois testfire.net
Netcraft
The book says here:
Netcraft (http://search.netcraft.com/) is a web-interface tool;
with it we can discover the IP address of the server hosting a particular website.
Then, after I entered this URL,
it tells us that it found from this site that the IP address of testfire.net is 65.61.137.117, so I run whois on it.
That hurts.
Let's try another IP.
nslookup
Active information gathering
nmap port scan
-sS performs a stealthy TCP (SYN) scan.
-Pn skips the ping-based host-discovery step. On the Internet many server hosts do not respond to ping, so this is needed there; on an internal network it is generally unnecessary.
msf port scan
msf > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
Targeted scanning
Server Message Block (SMB) protocol scan
Get the operating system version
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.57.137
rhosts => 192.168.57.137
msf5 auxiliary(scanner/smb/smb_version) > run
Search for misconfigured MSSQL servers
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/mssql/mssql_ping
msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.57.130/24
rhosts => 192.168.57.130/24
msf5 auxiliary(scanner/mssql/mssql_ping) > set threads 255
threads => 255
msf5 auxiliary(scanner/mssql/mssql_ping) > run
I don't have the environment for this (I couldn't get it set up), so I won't demo it.
SSH service scan
msf5 auxiliary(scanner/mssql/mssql_ping) > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.57.130/24
rhosts => 192.168.57.130/24
msf5 auxiliary(scanner/ssh/ssh_version) > set threads 50
threads => 50
msf5 auxiliary(scanner/ssh/ssh_version) > run
FTP service scan
msf5 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.57.1/24
rhosts => 192.168.57.1/24
msf5 auxiliary(scanner/ftp/ftp_version) > set threads 200
threads => 200
msf5 auxiliary(scanner/ftp/ftp_version) > run
Scan for FTP servers that allow anonymous login
msf5 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous
msf5 auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.57.137/
rhosts => 192.168.57.137/
msf5 auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.57.137
rhosts => 192.168.57.137
msf5 auxiliary(scanner/ftp/anonymous) > run
[+] 192.168.57.137:21 - 192.168.57.137:21 - Anonymous READ (220 Microsoft FTP Service)
[*] 192.168.57.137:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ftp/anonymous) >
The scan shows that this server allows anonymous users to log in, with read and write permissions.
Simple Network Management Protocol (SNMP) scan
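As an added example (not from the original post and not Metasploit's own code), here is a small Python parser that turns `auxiliary/scanner/ftp/anonymous` output like the lines above into structured findings for triage, rating writable anonymous access higher than read-only. The first two sample lines are the page's own output; the remaining lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format printed by Metasploit scanner modules.
# The first two lines are the ftp/anonymous result shown on this page;
# the remaining lines are made up for illustration.
SAMPLE_OUTPUT = """\
[+] 192.168.57.137:21 - 192.168.57.137:21 - Anonymous READ (220 Microsoft FTP Service)
[*] 192.168.57.137:21 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.57.140:21 - 192.168.57.140:21 - Anonymous READ/WRITE (220 (vsFTPd 3.0.3))
[*] 192.168.57.141:21 - Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# "[+] host:port - message"; only '+' lines carry positive results.
LINE_RE = re.compile(
    r"^\[(?P<level>[+*\-!])\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+(?P<msg>.*)$"
)
# The module prints "Anonymous READ" or "Anonymous READ/WRITE" followed by the banner.
ANON_RE = re.compile(r"Anonymous (?P<perm>READ(?:/WRITE)?)\s+\((?P<banner>.*)\)$")
# The module repeats "host:port - " a second time before the message.
DUP_PREFIX_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+\s+-\s+")

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    permission: str   # "READ" or "READ/WRITE"
    banner: str
    severity: str     # "high" if anonymous users can write, else "medium"

def parse_findings(output: str) -> list[Finding]:
    """Extract anonymous-FTP findings from msfconsole scanner output."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "+":
            continue                      # skip status lines and non-matches
        msg = DUP_PREFIX_RE.sub("", m.group("msg"))
        a = ANON_RE.match(msg)
        if not a:
            continue
        perm = a.group("perm")
        findings.append(Finding(
            host=m.group("host"), port=int(m.group("port")),
            permission=perm, banner=a.group("banner"),
            severity="high" if "WRITE" in perm else "medium",
        ))
    return findings

if __name__ == "__main__":
    for f in parse_findings(SAMPLE_OUTPUT):
        print(f"{f.host}:{f.port} anonymous {f.permission} [{f.severity}] {f.banner}")
```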
msf5 auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/snmp/snmp_login
msf5 auxiliary(scanner/snmp/snmp_login) > set rhosts 192.168.57.130/24
rhosts => 192.168.57.130/24
msf5 auxiliary(scanner/snmp/snmp_login) > set threads 200
threads => 200
msf5 auxiliary(scanner/snmp/snmp_login) > run