Getting Started with Metasploit

Intelligence Gathering Tactics

External information gathering
  • whois: query domain registration records
  • nslookup/dig: resolve a domain name to its IP address
  • IP2Location: look up a geographic location by IP (www.cz88.net)
  • netcraft: server information lookup service
  • IP2Domain: reverse lookup of domain names hosted on an IP (www.7c.com)
Search engine collection
  • Google Hacking (GHDB, SiteDigger, Search Diggity)
  • Exploring the website's directory structure
site:sanlianchem.com.cn admin

msf > use auxiliary/scanner/http/dir_scanner 
msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS www.sanlianchem.com.cn
RHOSTS => www.sanlianchem.com.cn
msf auxiliary(dir_scanner) > exploit 

[*] Detecting error code
[*] Using code '404' as not found for 122.224.81.235
[+] Found http://122.224.81.235:80/icons/ 404 (122.224.81.235)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
  • Finding specific file types (site:XXX.com filetype:xls)
  • Searching for email addresses on a site
msf > use auxiliary/gather/search_email_collector 
msf auxiliary(search_email_collector) > set DOMAIN baidu.com
DOMAIN => baidu.com
msf auxiliary(search_email_collector) > run
  • SQL injection
site:testfire.net inurl:login

=> Then try SQL injection testing, but it usually doesn't work out.
Host discovery
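Added example, not part of the original post: the dir_scanner run above first calibrates on the 404 code and then requests many guessed paths in a short burst, and that burst of distinct not-found paths from one client is the footprint a defender can look for in web server access logs. The log lines, the threshold of 5 paths and the 60-second window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; only the fields the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("path"), int(m.group("status")))

def find_dir_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: distinct_404_paths} for clients that hit >= threshold distinct
    not-found paths within `window`; a single broken link never trips this."""
    hits = defaultdict(list)  # ip -> [(ts, path)] for 404 responses only
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 404:
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):  # sliding window over the client's 404s
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = len(distinct)
                break
    return flagged

# Constructed sample log: one scanning client (random calibration probe, then a
# wordlist) and one ordinary visitor with a single broken image link.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:01 +0000] "GET /a8f3kz2 HTTP/1.1" 404 196',
    '203.0.113.9 - - [10/Oct/2023:13:55:01 +0000] "GET /admin/ HTTP/1.1" 404 196',
    '203.0.113.9 - - [10/Oct/2023:13:55:02 +0000] "GET /backup/ HTTP/1.1" 404 196',
    '203.0.113.9 - - [10/Oct/2023:13:55:02 +0000] "GET /icons/ HTTP/1.1" 200 1234',
    '203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "GET /test/ HTTP/1.1" 404 196',
    '203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "GET /old/ HTTP/1.1" 404 196',
    '198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Oct/2023:13:56:30 +0000] "GET /missing.png HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    print(find_dir_bruteforce(SAMPLE_LOG))  # {'203.0.113.9': 5}
```

Tune threshold and window to the site's normal 404 rate; a lower THREADS setting on the scanner side spreads the probes out, so a longer window catches slower runs.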
  • auxiliary/scanner/discovery/…
  • nmap <options> <target>
nmap -sP xxx //ping scan using ICMP
nmap -PU -sn xxx //UDP ping scan, host discovery only, no port scan
nmap -O xxx //operating system detection
  • Port scanners
msf > search portscan

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner

Common network services
  • SSH password guessing
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options 

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

Web application penetration testing

  • sqlmap
alert(1);
