《Metasploit 魔鬼训练营》03 情报搜集技术

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/Kevinhanser/article/details/77879138

本文记录 Kali Linux 2017.1 学习使用 Metasploit 的详细过程
1. 外围信息搜集
2. 主机探测与端口扫描
3. 服务扫描与查点
4. 网络漏洞扫描
5. 渗透测试数据库与共享

1. testfire.net

testfire.net 是一个包含很多典型 Web 漏洞的模拟银行网站,是 IBM 为了演示 Appscan 所建立的测试网站

2. 通过 DNS 和 IP 地址挖掘目标网络信息

1. whois 域名注册信息查询
    包含域名所有者、服务商、管理员邮件地址、域名注册日期和国过期日期

msf > whois testfire.net
[*] exec: whois testfire.net
   Domain Name: TESTFIRE.NET
   Registry Domain ID: 8363973_DOMAIN_NET-VRSN
   Registrar WHOIS Server: whois.corporatedomains.com
   Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
   Updated Date: 2017-07-19T05:16:54Z
   Creation Date: 1999-07-23T13:52:32Z
   Registry Expiry Date: 2018-07-23T13:52:32Z
   Registrar: CSC Corporate Domains, Inc.
   Registrar IANA ID: 299
   Registrar Abuse Contact Email: domainabuse@cscglobal.com
   Registrar Abuse Contact Phone: 8887802723
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: ASIA3.AKAM.NET
   Name Server: EUR2.AKAM.NET
   Name Server: EUR5.AKAM.NET
   Name Server: NS1-206.AKAM.NET
   Name Server: NS1-99.AKAM.NET
   Name Server: USC2.AKAM.NET
   Name Server: USC3.AKAM.NET
   Name Server: USW2.AKAM.NET
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-08-28T07:19:35Z <<<
2. nslookup 域名解析 IP
root@attacker:~# nslookup 
> set type=A        #设置对IP地址进行解析
> testfire.net
Server:     10.10.10.2
Address:    10.10.10.2#53

Non-authoritative answer:
Name:   testfire.net
Address: 65.61.137.117
> exit

root@attacker:~# nslookup 
> set type=MX
> testfire.net
Server:     10.10.10.2
Address:    10.10.10.2#53

Non-authoritative answer:
*** Can't find testfire.net: No answer

Authoritative answers can be found from:
testfire.net
    origin = asia3.akam.net
    mail addr = hostmaster.akamai.com
    serial = 1366025603
    refresh = 43200
    retry = 7200
    expire = 604800
    minimum = 86400 
3. dig 从官方 DNS 服务器上查询到精确的权威解答
root@attacker:~# dig @ns.watson.ibm.com testfire.net
; <<>> DiG 9.10.3-P4-Debian <<>> @ns.watson.ibm.com testfire.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35209
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testfire.net.          IN  A

;; Query time: 302 msec
;; SERVER: 129.34.20.80#53(129.34.20.80)
;; WHEN: Mon Aug 28 03:32:52 EDT 2017
;; MSG SIZE  rcvd: 41
4. IP2Location  通过 IP 查询地理位置
    查询国外的 IP 地址 https://www.maxmind.com/zh/home 使用其中的 GeoIP
    查询国内的 IP 地址 www.cz88.net
5. netcraft 查询网站的子域名
    http://searchdns.netcraft.com/
    获取网站更为详细的详细 http://toolbar.netcraft.com/site_report
6. IP2Domain 反查域名
    主要查询同一 IP 的不同虚拟主机
    查询国外的 IP 地址 www.ip-address.com/reverse_ip/65.61.137.117
    查询国内的 IP 地址 http://www.7c.com/

3. 通过搜索引擎进行信息收集

1. Google Hacking 技术
查看 Google 黑客数据库 https://www.exploit-db.com/google-hacking-database/
自动化工具 Sitedigger 下载链接 https://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
           Search Diggity 下载链接 
2. 探索网站的目录结构
在 Google 中搜索 “parent directory site:testfire.net” ,结果显示 demo.testfire.net - /bank/
inc文件:网站的配置信息
bak:备份文件
sql或txt:SQL脚本

使用 msf 中的 brute_dirs、dir_listing、dir_scanner等辅助模块也可以完成
以 dir_scanner 为例:
msf > use auxiliary/scanner/http/dir_scanner 
msf auxiliary(dir_scanner) > show options

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path  to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                               yes       The target address range or CIDR identifier
   RPORT       80                                                       yes       The target port (TCP)
   SSL         false                                                    no        Negotiate SSL/TLS for outgoing connections
   THREADS     1                                                        yes       The number of concurrent threads
   VHOST                                                                no        HTTP server virtual host

msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS www.testfire.net
RHOSTS => www.testfire.net
msf auxiliary(dir_scanner) > exploit 
    [*] Detecting error code
    [*] Using code '404' as not found for 65.61.137.117
    [*] Found http://65.61.137.117:80/Admin/ 403 (65.61.137.117)
    [*] Found http://65.61.137.117:80/admin/ 403 (65.61.137.117)
    [*] Found http://65.61.137.117:80/bank/ 200 (65.61.137.117)
    [*] Found http://65.61.137.117:80/images/ 403 (65.61.137.117)
    [*] Found http://65.61.137.117:80/static/ 403 (65.61.137.117)
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
发现了隐藏目录 Admin,因为服务器返回403,表示没有权限,而不是 404 未找到文件
如果在根目录发现 rebot.txt 文件,则应该重视,表示了爬虫在抓取网页时应该遵循的规则
3. 检索天特定类型的文件
    在 Google 中搜索 :site:testfire.net filetype:xls 显示一个文档
        包含了详细的联系人信息
4. 搜索网站中的 E-mail 地址
    使用 msf 的模块: serch_email_clooector   
5. 搜索已存在 SQL 注入的页面 
    在 Google 中搜索 :site:testfire.net inurl:login 得到了后台 URL 
        在用户名输入 “ admin 'OR' 1 ”,即可登录
        在用户名输入 “ test OR 1=1-- ”,任意输入密码,也可登录

4. 主机探测与端口扫描

1. ICMP Ping 扫描
    root@attacker:~# ping -c 5 www.dvssc.com
        PING www.dvssc.com (10.10.10.129) 56(84) bytes of data.
        64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=1 ttl=64 time=0.322 ms
        64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=2 ttl=64 time=0.211 ms
        64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=3 ttl=64 time=0.247 ms
        --- www.dvssc.com ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 3055ms
        rtt min/avg/max/mdev = 0.211/0.253/0.322/0.045 ms
2. msf 的主机发现模块
路径:/module/auxiliary/scanner/discovery/
主要有以下几个:arp_sweep、empty_udp、ipv6_multicast_ping、ipv6_neighbor、ipv6_neighbor_router_advertisement、udp_probe、udp_sweep
常用的:
    arp_sweep 使用 ARP 请求美剧本地局域网中的所有活跃主机
    udp_sweep 通过发送 UDP 数据包探查制定主机是否活跃,并发现主机上的 UDP 服务 
msf > use auxiliary/scanner/discovery/arp_sweep 
msf auxiliary(arp_sweep) > show options 
Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data
msf auxiliary(arp_sweep) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run
[*] 10.10.10.1 appears to be up (VMware, Inc.).
[*] 10.10.10.2 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.129 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
3. 使用 Nmap 进行主机探测
-sn:使用 ICMP 的 Ping 扫描捕获网络中存活的主机
msf > nmap -sn 10.10.10.0/24
    [*] exec: nmap -sn 10.10.10.0/24
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:43 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.00026s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.00048s latency).
    MAC Address: 00:50:56:F1:2E:08 (VMware)
    Nmap scan report for www.dvssc.com (10.10.10.129)
    Host is up (0.00019s latency).
    MAC Address: 00:0C:29:21:A3:A6 (VMware)
    Nmap scan report for gate.dvssc.com (10.10.10.254)
    Host is up (0.000076s latency).
    MAC Address: 00:0C:29:19:70:BF (VMware)
    Nmap scan report for attacker.dvssc.com (10.10.10.128)
    Host is up.
    Nmap done: 256 IP addresses (5 hosts up) scanned in 2.07 seconds
-Pn:不使用 Ping 扫描 
-PU:通过对开放的 UDP 端口进行探测,默认会列出开放的 TCP 端口,在使用 -sn ,仅探测存活主机,不对开放的 TCP 端口进行扫描
msf > nmap -PU -sn 10.10.10.0/24
    [*] exec: nmap -PU -sn 10.10.10.0/24
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:49 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.00025s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.0013s latency).
    MAC Address: 00:50:56:F1:2E:08 (VMware)
    Nmap scan report for www.dvssc.com (10.10.10.129)
    Host is up (0.000073s latency).
    MAC Address: 00:0C:29:21:A3:A6 (VMware)
    Nmap scan report for gate.dvssc.com (10.10.10.254)
    Host is up (0.00017s latency).
    MAC Address: 00:50:56:E7:DA:ED (VMware)
    Nmap scan report for attacker.dvssc.com (10.10.10.128)
    Host is up.
    Nmap done: 256 IP addresses (5 hosts up) scanned in 2.00 seconds
4. 操作系统辨识
-O:对目标操作系统进行识别
msf > nmap -O 10.10.10.0/24
    [*] exec: nmap -O 10.10.10.0/24
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:51 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.000081s latency).
    Not shown: 987 closed ports
    PORT      STATE SERVICE
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    443/tcp   open  https
    445/tcp   open  microsoft-ds
    902/tcp   open  iss-realsecure
    912/tcp   open  apex-mesh
    6000/tcp  open  X11
    24800/tcp open  unknown
    49152/tcp open  unknown
    49153/tcp open  unknown
    49156/tcp open  unknown
    49161/tcp open  unknown
    49163/tcp open  unknown
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Device type: general purpose
    Running: Microsoft Windows Vista|7|8.1
    OS CPE: cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1
    OS details: Microsoft Windows Vista, Windows 7 SP1, or Windows 8.1 Update 1
    Network Distance: 1 hop

    Nmap scan report for 10.10.10.2
    Host is up (0.000086s latency).
    All 1000 scanned ports on 10.10.10.2 are closed
    MAC Address: 00:50:56:F1:2E:08 (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: specialized
    Running: VMware Player
    OS CPE: cpe:/a:vmware:player
    OS details: VMware Player virtual NAT device
    Network Distance: 1 hop

    Nmap scan report for www.dvssc.com (10.10.10.129)
    Host is up (0.00022s latency).
    Not shown: 991 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    139/tcp  open  netbios-ssn
    143/tcp  open  imap
    443/tcp  open  https
    445/tcp  open  microsoft-ds
    5001/tcp open  commplex-link
    8080/tcp open  http-proxy
    8081/tcp open  blackice-icecap
    MAC Address: 00:0C:29:21:A3:A6 (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.17 - 2.6.36
    Network Distance: 1 hop

    Nmap scan report for gate.dvssc.com (10.10.10.254)
    Host is up (0.00021s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    1524/tcp open  ingreslock
    2049/tcp open  nfs
    2121/tcp open  ccproxy-ftp
    3306/tcp open  mysql
    5432/tcp open  postgresql
    5900/tcp open  vnc
    6000/tcp open  X11
    6667/tcp open  irc
    8009/tcp open  ajp13
    8180/tcp open  unknown
    MAC Address: 00:50:56:E7:DA:ED (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Network Distance: 1 hop

    Nmap scan report for attacker.dvssc.com (10.10.10.128)
    Host is up (0.000057s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.8 - 4.6
    Network Distance: 0 hops

    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 256 IP addresses (5 hosts up) scanned in 7.17 seconds
5. 端口扫描与服务类型探测
    msf > search portscan
    Matching Modules
    ================

       Name                                              Disclosure Date  Rank    Description
       ----                                              ---------------  ----    -----------
       auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
       auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
       auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
       auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
       auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
       auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
       auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
       auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner

    几款扫描工具: 
        natpmp_portscan         
        ack:通过 ACK 方式对防火墙上未被屏蔽的端口进行探测
        ftpbounce :通过 ftp bounce 攻击的原理对 TCP 服务进行枚举 
        syn:使用发送 TCP SYN 标志的方式探测开放的端口  
        tcp: 通过一次完整的 TCP 连接来判断端口是否开放 
        xmas:通过发送 FIN、PSH、URG 标识,较为隐蔽 

    msf > use auxiliary/scanner/portscan/syn 
    msf auxiliary(syn) > show options 

    Module options (auxiliary/scanner/portscan/syn):

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       BATCHSIZE  256              yes       The number of hosts to scan per set
       DELAY      0                yes       The delay between connections, per thread, in milliseconds
       INTERFACE                   no        The name of the interface
       JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
       PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
       RHOSTS                      yes       The target address range or CIDR identifier
       SNAPLEN    65535            yes       The number of bytes to capture
       THREADS    1                yes       The number of concurrent threads
       TIMEOUT    500              yes       The reply read timeout in milliseconds

    msf auxiliary(syn) > set RHOSTS 10.10.10.254
    RHOSTS => 10.10.10.254
    msf auxiliary(syn) > set THREADS 20
    THREADS => 20
    msf auxiliary(syn) > run
        [*]  TCP OPEN 10.10.10.254:22
        [*]  TCP OPEN 10.10.10.254:23
        [*]  TCP OPEN 10.10.10.254:53
        [*]  TCP OPEN 10.10.10.254:513
        [*]  TCP OPEN 10.10.10.254:514
        [*]  TCP OPEN 10.10.10.254:1099
6. Nmap 的端口扫描功能
    六个状态:open、closed、filter、unfilter、open|filter、closed|filter
    扫描参数:
        -sT: TCP connect 扫描
        -sS: TCP SYN 扫描
        -sF\-sX\-sN:通过发送一些标志位以避开检测
        -sP:发送 ICMP echo 请求探测主机是否存活,原理同 Ping 
        -sU:探测开放了那些 UDP端口
        -sA:TCP ACK 扫描
        -sV:探测更详细的服务信息
    扫描选项:
    -Pn:扫描之前,不发送 ICMP echo 请求测试目标是否活跃
    -O:指纹特征扫描以获取远程主机的操作系统类型
    -F:快速扫描,只列出 nmap-services 中列出的端口
    -p <port>:制定端口或范围

    msf > nmap -sS -Pn 10.10.10.129
        [*] exec: nmap -sS -Pn 10.10.10.129
        Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:45 EDT
        Nmap scan report for www.dvssc.com (10.10.10.129)
        Host is up (0.00010s latency).
        Not shown: 991 closed ports
        PORT     STATE SERVICE
        22/tcp   open  ssh
        80/tcp   open  http
        139/tcp  open  netbios-ssn
        143/tcp  open  imap
        443/tcp  open  https
        445/tcp  open  microsoft-ds
        5001/tcp open  commplex-link
        8080/tcp open  http-proxy
        8081/tcp open  blackice-icecap
        MAC Address: 00:0C:29:21:A3:A6 (VMware)
        Nmap done: 1 IP address (1 host up) scanned in 0.20 second
7. 使用 nmap 探测更详细的服务信息
    msf > nmap -sV -Pn 10.10.10.129
        [*] exec: nmap -sV -Pn 10.10.10.129
        Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:46 EDT
        Nmap scan report for www.dvssc.com (10.10.10.129)
        Host is up (0.000099s latency).
        Not shown: 991 closed ports
        PORT     STATE SERVICE     VERSION
        22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
        80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
        139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
        143/tcp  open  imap        Courier Imapd (released 2008)
        443/tcp  open  ssl/http    Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
        445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
        5001/tcp open  java-rmi    Java RMI
        8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
        8081/tcp open  http        Jetty 6.1.25
        1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
        SF-Port5001-TCP:V=7.40%I=7%D=8/28%Time=59A4D583%P=x86_64-pc-linux-gnu%r(NU
        SF:LL,4,"\xac\xed\0\x05");
        MAC Address: 00:0C:29:21:A3:A6 (VMware)
        Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
        Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
        Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds

    msf > nmap -sV -Pn 10.10.10.130
        [*] exec: nmap -sV -Pn 10.10.10.130
        Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:07 EDT
        Nmap scan report for service.dvssc.com (10.10.10.130)
        Host is up (0.00015s latency).
        Not shown: 985 closed ports
        PORT     STATE SERVICE         VERSION
        21/tcp   open  ftp             Microsoft ftpd
        80/tcp   open  http            Microsoft IIS httpd 6.0
        135/tcp  open  msrpc           Microsoft Windows RPC
        139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
        445/tcp  open  microsoft-ds    Microsoft Windows 2003 or 2008 microsoft-ds
        777/tcp  open  multiling-http?
        1025/tcp open  msrpc           Microsoft Windows RPC
        1026/tcp open  msrpc           Microsoft Windows RPC
        1030/tcp open  msrpc           Microsoft Windows RPC
        1031/tcp open  msrpc           Microsoft Windows RPC
        1521/tcp open  oracle-tns      Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
        6002/tcp open  http            SafeNet Sentinel Protection Server httpd 7.3
        7001/tcp open  afs3-callback?
        7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
        8099/tcp open  http            Microsoft IIS httpd 6.0
        1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
        SF-Port777-TCP:V=7.40%I=7%D=8/28%Time=59A4DAC1%P=x86_64-pc-linux-gnu%r(Ker
        SF:beros,5,"\x01\0\t\xe0\x06")%r(SMBProgNeg,5,"\x01\0\t\xe0\x06")%r(Termin
        SF:alServer,A,"\x01\0\t\xe0\x06\x01\0\t\xe0\x06")%r(WMSRequest,5,"\x01\0\t
        SF:\xe0\x06");
        MAC Address: 00:0C:29:DB:51:D2 (VMware)
        Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
        Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
        Nmap done: 1 IP address (1 host up) scanned in 149.72 seconds

    msf > nmap -sV -Pn 10.10.10.254
        [*] exec: nmap -sV -Pn 10.10.10.254
        Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:09 EDT
        Nmap scan report for gate.dvssc.com (10.10.10.254)
        Host is up (0.00024s latency).
        Not shown: 977 closed ports
        PORT     STATE SERVICE     VERSION
        21/tcp   open  ftp         vsftpd 2.3.4
        22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
        23/tcp   open  telnet      Linux telnetd
        25/tcp   open  smtp        Postfix smtpd
        53/tcp   open  domain      ISC BIND 9.4.2
        80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
        111/tcp  open  rpcbind     2 (RPC #100000)
        139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
        445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
        512/tcp  open  exec        netkit-rsh rexecd
        513/tcp  open  login?
        514/tcp  open  tcpwrapped
        1099/tcp open  rmiregistry GNU Classpath grmiregistry
        1524/tcp open  ingreslock?
        2049/tcp open  nfs         2-4 (RPC #100003)
        2121/tcp open  ftp         ProFTPD 1.3.1
        3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
        5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
        5900/tcp open  vnc         VNC (protocol 3.3)
        6000/tcp open  X11         (access denied)
        6667/tcp open  irc         UnrealIRCd
        8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
        8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
        1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
        SF-Port1524-TCP:V=7.40%I=7%D=8/28%Time=59A4DAEE%P=x86_64-pc-linux-gnu%r(NU
        SF:LL,27,"\x1b\[01;31mroot@gate\x1b\[00m:\x1b\[01;34m/\x1b\[00m#\x20")%r(G
        MAC Address: 00:50:56:E7:DA:ED (VMware)
        Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
        Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
        Nmap done: 1 IP address (1 host up) scanned in 162.99 seconds

5. 探测扫描结果分析

主机 操作系统 主要的开放端口 对应服务版本
网站服务器(10.10.10.129) Linux SSH (22) OpenSSH 5.3.p1
.. .. HTTP(80) Apache httpd 2.2.14
.. .. netbios-ssn(139) Samba smbd 3.X - 4.X
.. .. imap(143) Courier Imapd (released 2008)
.. .. ssl/http(443) Apache httpd 2.2.14
.. .. 445/tcp open netbios-ssn (445) Samba smbd 3.X - 4.X
.. .. java-rmi(5001) Java RMI
.. .. ahttp(8080) Apache Tomcat/Coyote JSP engine 1.1
后台服务器(10.10.10.130) Windows ftp(21) Microsoft ftpd
.. .. http(80) Microsoft IIS httpd 6.0
.. .. msrpc(135) Microsoft Windows RPC
.. .. netbios-ssn(139) Microsoft Windows netbios-ssn
.. .. microsoft-ds (445) Microsoft Windows 2003 or 2008 microsoft-ds
.. .. msrpc (1025) Microsoft Windows RPC
.. .. msrpc (1026) Microsoft Windows RPC
.. .. msrpc (1030) Microsoft Windows RPC
.. .. msrpc (1031) Microsoft Windows RPC
.. .. oracle-tns(1521) Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
.. .. http(6002) SafeNet Sentinel Protection Server httpd 7.3
.. .. http(7002) SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
.. .. http(8099) Microsoft IIS httpd 6.0
网关服务器 10.10.10.254 ftp(21) vsftpd 2.3.4
.. .. ssh(22) OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
.. .. telnet(23) Linux telnetd
.. .. smtp(25)
.. .. domain(53) ISC BIND 9.4.2
.. .. http(80) Apache httpd 2.2.8 ((Ubuntu) DAV/2)
.. .. rpcbind(111) 2 (RPC #100000)
.. .. netbios-ssn (139) netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
.. .. netbios-ssn (445) netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
.. .. exec(512) netkit-rsh rexecd
.. .. rmiregistry(1099) GNU Classpath grmiregistry
.. .. nfs(2049) 2-4 (RPC #100003)
.. .. ftp(2121) ProFTPD 1.3.1
.. .. mysql(3306) MySQL 5.0.51a-3ubuntu5
.. .. postgresql(5432) PostgreSQL DB 8.3.0 - 8.3.7
.. .. vnc(5900) VNC (protocol 3.3)
.. .. X11(6000) (access denied)
.. .. irc(6667) UnrealIRCd
.. .. ajp13(8009) Apache Jserv (Protocol v1.3)
.. .. http(8180) Apache Tomcat/Coyote JSP engine 1.1

6. 可能的攻击路线

可能的攻击路线 攻击对象
口令猜解 10.10.10.129:SSH\Samba
10.10.10.130:SMB
10.10.10.254:FTP、SSH、Telnet、MySQL、PostreSQL
口令嗅探 10.10.10.254:FTP、Telnet
系统漏洞深入扫描 全部存活主机的开放端口
系统漏洞利用 所有开放网络服务中存在的安全漏洞
Web 应用漏洞扫描 10.10.10.129:Apache、Apache Tomcat
10.10.10.254: Apache、Apache Tomcat
Web 应用漏洞利用 10.10.10.129:Apache、Apache Tomcat
10.10.10.254:Apache、Apache Tomcat

7. 服务扫描与查点

确定开放端口后,通常会对相应端口上所运行服务的信息进行更深入的挖掘,通常称为网络查点。
msf 中的 Scanner 辅助模块中,有很多服务扫描和查点工具。常以[service_name]_version 和 [service_name]_login
    [service_name]_version:遍历网络中包含了某种服务的主机,并进一步确定服务的版本
    [service_name]_login:可对某种服务进行口令探测

msf > search name:_version
    Matching Modules
    ================
       Name                                                     Disclosure Date  Rank     Description
       ----                                                     ---------------  ----     -----------
       auxiliary/fuzzers/ssh/ssh_version_15                                      normal   SSH 1.5 Version Fuzzer
       auxiliary/fuzzers/ssh/ssh_version_2                                       normal   SSH 2.0 Version Fuzzer
       auxiliary/fuzzers/ssh/ssh_version_corrupt                                 normal   SSH Version Corruption
       auxiliary/gather/ibm_sametime_version                    2013-12-27       normal   IBM Lotus Sametime Version Enumeration
       auxiliary/scanner/db2/db2_version                                         normal   DB2 Probe Utility
       auxiliary/scanner/ftp/ftp_version                                         normal   FTP Version Scanner
       auxiliary/scanner/h323/h323_version                                       normal   H.323 Version Scanner
       auxiliary/scanner/http/coldfusion_version                                 normal   ColdFusion Version Scanner
       auxiliary/scanner/http/http_version                                       normal   HTTP Version Detection
       auxiliary/scanner/http/joomla_version                                     normal   Joomla Version Scanner
       auxiliary/scanner/http/sap_businessobjects_version_enum                   normal   SAP BusinessObjects Version Detection
       auxiliary/scanner/http/ssl_version                       2014-10-14       normal   HTTP SSL/TLS Version Detection (POODLE scanner)
       auxiliary/scanner/http/svn_scanner                                        normal   HTTP Subversion Scanner
       auxiliary/scanner/imap/imap_version                                       normal   IMAP4 Banner Grabber
       auxiliary/scanner/ipmi/ipmi_version                                       normal   IPMI Information Discovery
       auxiliary/scanner/lotus/lotus_domino_version                              normal   Lotus Domino Version
       auxiliary/scanner/mysql/mysql_version                                     normal   MySQL Server Version Enumeration
       auxiliary/scanner/oracle/tnslsnr_version                 2009-01-07       normal   Oracle TNS Listener Service Version Query
       auxiliary/scanner/pop3/pop3_version                                       normal   POP3 Banner Grabber
       auxiliary/scanner/postgres/postgres_version                               normal   PostgreSQL Version Probe
       auxiliary/scanner/printer/printer_version_info                            normal   Printer Version Information Scanner
       auxiliary/scanner/sap/sap_mgmt_con_version                                normal   SAP Management Console Version Detection
       auxiliary/scanner/scada/digi_addp_version                                 normal   Digi ADDP Information Discovery
       auxiliary/scanner/scada/digi_realport_version                             normal   Digi RealPort Serial Server Version
       auxiliary/scanner/scada/modbusdetect                     2011-11-01       normal   Modbus Version Scanner
       auxiliary/scanner/smb/smb_version                                         normal   SMB Version Detection
       auxiliary/scanner/smtp/smtp_version                                       normal   SMTP Banner Grabber
       auxiliary/scanner/snmp/aix_version                                        normal   AIX SNMP Scanner Auxiliary Module
       auxiliary/scanner/ssh/ssh_version                                         normal   SSH Version Scanner
       auxiliary/scanner/telnet/lantronix_telnet_version                         normal   Lantronix Telnet Service Banner Detection
       auxiliary/scanner/telnet/telnet_version                                   normal   Telnet Service Banner Detection
       auxiliary/scanner/vmware/vmauthd_version                                  normal   VMWare Authentication Daemon Version Scanner
       auxiliary/scanner/vxworks/wdbrpc_version                                  normal   VxWorks WDB Agent Version Scanner
       exploit/multi/svn/svnserve_date                          2004-05-19       average  Subversion Date Svnserve
       exploit/windows/browser/crystal_reports_printcontrol     2010-12-14       normal   Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
       exploit/windows/fileformat/digital_music_pad_pls         2010-09-17       normal   Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow
       exploit/windows/fileformat/orbit_download_failed_bof     2008-04-03       normal   Orbit Downloader URL Unicode Conversion Overflow
       exploit/windows/fileformat/realplayer_ver_attribute_bof  2013-12-20       normal   RealNetworks RealPlayer Version Attribute Buffer Overflow
       exploit/windows/ftp/filecopa_list_overflow               2006-07-19       average  FileCopa FTP Server Pre 18 Jul Version
       exploit/windows/scada/iconics_genbroker                  2011-03-21       good     Iconics GENESIS32 Integer Overflow Version 9.21.201.01
1. 常见的网络服务扫描
    Telnet 服务扫描
        msf > use auxiliary/scanner/telnet/telnet_version 
        msf auxiliary(telnet_version) > set RHOSTS 10.10.10.0/24
        RHOSTS => 10.10.10.0/24
        msf auxiliary(telnet_version) > set THREADS 100
        THREADS => 100
        msf auxiliary(telnet_version) > run
        [*] 10.10.10.254:23 gate.dvssc.com login:                 _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0agate.dvssc.com login:
        [*] Scanned 256 of 256 hosts (100% complete)
        [*] Auxiliary module execution completed
        结果显示:10.10.10.254 开放了 Telnet 服务 

    SSH 服务扫描
        msf > use auxiliary/scanner/ssh/ssh_version 
        msf auxiliary(ssh_version) > set RHOSTS 10.10.10.0/24
        RHOSTS => 10.10.10.0/24
        msf auxiliary(ssh_version) > set THREADS 100
        THREADS => 100
        msf auxiliary(ssh_version) > run
        [*] 10.10.10.128:22       - SSH server version: SSH-2.0-OpenSSH_7.4p1 Debian-10
        [*] 10.10.10.129:22       - SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4 ( service.version=5.3p1 openssh.comment=Debian-3ubuntu4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=10.04 service.protocol=ssh fingerprint_db=ssh.banner )
        [*] 10.10.10.254:22       - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=8.04 service.protocol=ssh fingerprint_db=ssh.banner )
        [*] Auxiliary module execution completed
        结果显示:10.10.10.254 和 10.10.10.129 开放了 SSH 服务
2. Oracle 数据库服务查点
    msf > use auxiliary/scanner/oracle/tnslsnr_version 
        msf auxiliary(tnslsnr_version) > set RHOSTS 10.10.10.0/24
        RHOSTS => 10.10.10.0/24
        msf auxiliary(tnslsnr_version) > set THREADS 50
        THREADS => 50
        msf auxiliary(tnslsnr_version) > run
        [*] Scanned  50 of 256 hosts (19% complete)
        [+] 10.10.10.130:1521 - 10.10.10.130:1521 Oracle - Version: 32-bit Windows: Version 10.2.0.1.0 - Production
        [*] Scanned 129 of 256 hosts (50% complete)
        [*] Scanned 167 of 256 hosts (65% complete)             
        [*] Scanned 184 of 256 hosts (71% complete)
        [*] Scanned 256 of 256 hosts (100% complete)
        [*] Auxiliary module execution completed
        结果显示:10.10.10.130 开放了 1521 端口(Oracle SQL)
                SQL Server 端口为 1433
                Oracle SQL 端口为 1521
3. 开放代理探测与利用
    open_proxy:方便地获取免费的 HTTP 代理服务器地址
    msf > use auxiliary/scanner/http/open_proxy 
    msf auxiliary(open_proxy) > show options
    Module options (auxiliary/scanner/http/open_proxy):
       Name           Current Setting           Required  Description
       ----           ---------------           --------  -----------
       CHECKURL       http://www.google.com     yes       The web site to test via alleged web proxy
       MULTIPORTS     false                     no        Multiple ports will be used: 80, 443, 1080, 3128, 8000, 8080, 8123
       Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS                                   yes       The target address range or CIDR identifier
       RPORT          8080                      yes       The target port (TCP)
       SSL            false                     no        Negotiate SSL/TLS for outgoing connections
       THREADS        1                         yes       The number of concurrent threads
       VALIDCODES     200,302                   yes       Valid HTTP code for a successfully request
       VALIDPATTERN   <TITLE>302 Moved</TITLE>  yes       Valid pattern match (case-sensitive into the headers and HTML body) for a successfully request
       VERIFYCONNECT  false                     no        Enable CONNECT HTTP method check
       VHOST                                    no        HTTP server virtual host
    msf auxiliary(open_proxy) > set SITE www.google.com
    SITE => www.google.com
    msf auxiliary(open_proxy) > set RHOSTS 24.25.24.1-24.25.26.254
    RHOSTS => 24.25.24.1-24.25.26.254
    msf auxiliary(open_proxy) > set MULTIPORTS true
    MULTIPORTS => true
    msf auxiliary(open_proxy) > set THREADS 100
    THREADS => 100
    msf auxiliary(open_proxy) > run
    [*] Scanned 102 of 766 hosts (13% complete) 
    [*] Scanned 397 of 766 hosts (51% complete)
    [*] Scanned 766 of 766 hosts (100% complete)
    [*] Auxiliary module execution completed
4. SSH 服务口令与嗅探
    msf > use auxiliary/scanner/ssh/ssh_login
    msf auxiliary(ssh_login) > set RHOSTS 10.10.10.254
    RHOSTS => 10.10.10.254
    msf auxiliary(ssh_login) > set USERNAME root
    USERNAME => root
    msf auxiliary(ssh_login) > set PASS_FILE /root/words.txt
    PASS_FILE => /root/words.txt
    msf auxiliary(ssh_login) > set THREADS 50
    THREADS => 50
    msf auxiliary(ssh_login) > run
    [*] SSH - Starting bruteforce
    [-] SSH - Failed: 'root:123456'
    [-] SSH - Failed: 'root:ubuntu'
    [+] SSH - Success: 'root:toor' 'uid=0(root) gid=0(root) groups=0(root) Linux gate.dvssc.com 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
    [*] Command shell session 1 opened (10.10.10.128:42501 -> 10.10.10.254:22) at 2017-08-29 01:18:09 -0400
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
5. psnuffle 口令嗅探
    msf > use auxiliary/sniffer/psnuffle 
    msf auxiliary(psnuffle) > run
    [*] Auxiliary module execution completed

    [*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
    [*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
    [*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
    msf auxiliary(psnuffle) > [*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
    [*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
    [*] Sniffing traffic.....
6. 在 Metasploit 内部使用 OpenVAS

    0. 开启 openvas 服务
        root@attacker:~# openvas-start

    1. 在 metasploit 中加载 openvas
        msf > load openvas 
        [*] Welcome to OpenVAS integration by kost and averagesecurityguy.
        [*] Successfully loaded plugin: OpenVAS

    2. 连接到 openvas ,用法:openvas_connect username password host port <ssl-confirm>    
        msf > openvas_connect admin toor 127.0.0.1 9390 ok 
        [*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
        [+] OpenVAS list of targets
        ID                                    Name                                          Hosts         Max Hosts  In Use  Comment
        --                                    ----                                          -----         ---------  ------  -------
        5e78a0e1-6569-45d9-8474-d7c83d0ea8ff  test2                                         10.10.10.254  1          0       Metasploitable
        971d579a-b65c-406c-9737-b4d946fb68b1  UUUU                                          10.10.10.254  1          1       Mwtasploitable

    3. 列出 openvas 的配置选项
        msf > openvas_config_list 
        /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
        [+] OpenVAS list of configs
        ID                                    Name
        --                                    ----
        085569ce-73ed-11df-83c3-002264764cea  empty
        2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
        698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
        708f25c4-7489-11df-8094-002264764cea  Full and very deep
        74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
        8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
        bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
        daba56c8-73ec-11df-a475-002264764cea  Full and fast

    4. 创建扫描任务,Usage: openvas_task_create <name> <comment> <config_id> <target_id>
        msf > openvas_task_create test-scan "Scan of test2 Metasploitable" daba56c8-73ec-11df-a475-002264764cea 5e78a0e1-6569-45d9-8474-d7c83d0ea8ff
        [+] OpenVAS list of tasks
        ID                                    Name                               Comment                                 Status   Progress
        --                                    ----                               -------                                 ------   --------
        1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO                               OOOOOOOOO                               Done     -1
        b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan                          Scan of test2 Metasploitable            New      -1

    5. 开始扫描任务,用法:openvas_task_start <id>
        msf > openvas_task_start b4baa75d-9d51-4393-a8fd-66a0480bda28
        [+] OpenVAS list of tasks
        ID                                    Name                               Comment                                 Status     Progress
        --                                    ----                               -------                                 ------     --------
        1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO                               OOOOOOOOO                               Done       -1
        b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan                          Scan of test2 Metasploitable            Requested  1

    6. 列出扫描任务
        msf > openvas_task_list 
        /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
        [+] OpenVAS list of tasks
        ID                                    Name                               Comment                                 Status   Progress
        --                                    ----                               -------                                 ------   --------
        1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO                               OOOOOOOOO                               Done     -1
        b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan                          Scan of test2 Metasploitable            Running  1

    7. 列出扫描任务
        msf > openvas_task_list 
        /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
        [+] OpenVAS list of tasks

        ID                                    Name                               Comment                                 Status   Progress
        --                                    ----                               -------                                 ------   --------
        1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO                               OOOOOOOOO                               Done     -1
        b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan                          Scan of test2 Metasploitable            Done     -1

    8. 扫描完成后,列出扫描报告
        msf > openvas_report_list
        ID                                    Task Name                          Start Time            Stop Time
        --                                    ---------                          ----------            ---------
        752e8852-68f4-4bff-a23c-92767a6c9bd7  test-scan                          2017-08-30T06:12:51Z  2017-08-30T06:13:06Z
        babf1f94-c1ca-4b4e-b678-a0cd355c6a72  UUOO                               2017-08-30T00:42:12Z  2017-08-30T01:06:41Z

    9. 列出报告支持的格式
        msf > openvas_format_list 
        /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
        [+] OpenVAS list of report formats
        ID                                    Name           Extension  Summary
        --                                    ----           ---------  -------
        5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
        50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
        5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
        6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
        77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
        9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
        910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
        9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
        9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
        a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
        a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
        a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
        c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
        c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
        c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.

    10. 下载扫描报告,Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
        msf > openvas_report_download 
        [*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
        msf > openvas_report_download 752e8852-68f4-4bff-a23c-92767a6c9bd7 c402cc3e-b531-11e1-9163-406186ea4fc5 /root/reports/ tast2_scan_report.pdf
        /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
        [*] Saving report to /root/reports/tast2_scan_report.pdf

7. 查找特定服务漏洞

nmap 脚本存放位置:/usr/share/nmap/scripts
root@attacker:/usr/share/nmap/scripts# nmap --script=smb-check-vulns 10.10.10.130
错误信息:NSE: failed to initialize the script engine:
    /usr/bin/../share/nmap/nse_main.lua:801: ‘smb-check-vulns.nse’ did not match a category, filename, or directory
这是由于从NMAP 6.49beta6开始,smb-check-vulns.nse脚本被取消了。
它被分为smb-vuln-conficker、?smb-vuln-cve2009-3103、smb-vuln-ms06-025、smb-vuln-ms07-029、smb-vuln-regsvc-dos、smb-vuln-ms08-067这六个脚本。
用户根据需要选择对应的脚本。如果不确定执行哪一个,可以使用smb-vuln-*.nse来指定所有的脚本文件。

root@attacker:/usr/share/nmap/scripts# nmap --script=smb-vuln-*.nes 10.10.10.130
    Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-30 08:12 EDT
    mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
    mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
    Nmap scan report for service.dvssc.com (10.10.10.130)
    Host is up (0.00022s latency).
    Not shown: 985 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    80/tcp   open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    777/tcp  open  multiling-http
    1025/tcp open  NFS-or-IIS
    1026/tcp open  LSA-or-nterm
    1027/tcp open  IIS
    1031/tcp open  iad2
    1521/tcp open  oracle
    6002/tcp open  X11:2
    7001/tcp open  afs3-callback
    7002/tcp open  afs3-prserver
    8099/tcp open  unknown
    MAC Address: 00:0C:29:DB:51:D2 (VMware)

    Host script results:
    | smb-vuln-cve2009-3103: 
    |   VULNERABLE:
    |   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2009-3103
    |           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, 
    |           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a 
    |           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE 
    |           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, 
    |           aka "SMBv2 Negotiation Vulnerability." 
    |           
    |     Disclosure date: 2009-09-08
    |     References:
    |       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
    | smb-vuln-ms08-067: 
    |   VULNERABLE:
    |   Microsoft Windows system vulnerable to remote code execution (MS08-067)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2008-4250
    |           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, 
    |           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary 
    |           code via a crafted RPC request that triggers the overflow during path canonicalization.
    |           
    |     Disclosure date: 2008-10-23
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
    |_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
    | smb-vuln-ms17-010: 
    |   VULNERABLE:
    |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2017-0143
    |     Risk factor: HIGH
    |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    |        servers (ms17-010).
    |           
    |     Disclosure date: 2017-03-14
    |     References:
    |       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
    |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds

8. 漏洞扫描结果分析

服务器 操作系统 高危漏洞 参考
后台服务器(10.10.10.130) Windows Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service CVE-2017-7269
.. .. IIS FTP Service RCE and DoS Vulnerability.” CVE-2009-3023
.. .. IIS FTP Service RCE and DoS Vulnerability CVE-2009-3023
.. .. Integer Overflow in IPP Service Vulnerability CVE-2008-1446
.. .. Integer Overflow in IPP Service Vulnerability CVE-2008-1446
.. .. IIS Authentication Memory Corruption Vulnerability. CVE-2010-1256
.. .. “IIS Authentication Memory Corruption Vulnerability CVE-2010-1256
.. .. The WebDAV extension in Microsoft Internet Information Services CVE-2009-1535
.. .. IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability CVE-2009-1535
.. .. Microsoft Internet Information Services CVE-2009-4444
.. .. Microsoft Internet Information Services CVE-2009-4444
.. .. IIS Repeated Parameter Request Denial of Service Vulnerability.” CVE-2010-1899
.. .. IIS Repeated Parameter Request Denial of Service Vulnerability.” CVE-2010-1899
.. .. Inverse Lookup Log Corruption (ILLC) CVE-2003-1582
.. .. IIS FTP Service DoS Vulnerability CVE-2009-2521
.. .. Inverse Lookup Log Corruption (ILLC) CVE-2003-1582
.. .. IIS FTP Service DoS Vulnerability CVE-2009-2521
服务器 操作系统 高危漏洞 参考
网关服务器(10.10.10.254) Linux ProFTPD Server SQL Inj ection Vulnerability CVE-2009-0542
.. .. ProFTPD Long Command Handling Security Vulnerability CVE-2008-4242
.. .. PHP< 5.2.13 Multiple Vulnerabilities CVE-2010-1128
.. .. PHP’sqlite_single_query()’ and ‘sqlite_array_query()’ Arbitrary Code Execution
.. .. PHP Multiple Information Disclosure Vulnerabilities CVE-2010-2190
.. .. Heap-based buffer overflow in’mbstring’ extension for PHP CVE-2008-5557
.. .. PHP Multiple Vulnerabilities Dec-09 CVE-2009-4018
.. .. PHP ‘_gdGetColors()’ Buffer Overflow Vulnerability CVE-2009-3546
.. .. http TRACE XSS attack CVE-2004-2320
.. .. PHP Multiple Buffer Overflow Vulnerabilities CVE-2008-3659
.. .. PHP Interruptions and Calltime Arbitrary Code Execution Vulnerability
.. .. PHP ‘SplObjectStorage’ Unserializer Arbitrary Code Execution Vulnerability CVE-2010-2225
.. .. Samba SID Parsing Remote Buffer Overflow Vulnerability CVE-2010-3069
.. .. Samba multiple vulnerabilities CVE-2009-2813
.. .. Samba’mount.cifs’ Utility Local Privilege Escalation Vulnerability CVE-2009-3297
.. .. Samba ‘SMB1Packet Chaining’ Unspecified Remote Memory Corruption Vulnerability CVE-2010-2063
服务器 操作系统 高危漏洞 参考
网站服务器(10.10.10.129) Linux Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba CVE-2013-4408
.. .. Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body CVE-2014-0230
.. .. Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests CVE-2011-3190
.. .. an attacker can reach JMX ports CVE-2016-8735
.. .. Stack-based buffer overflow in Samba CVE-2010-3069
.. .. allows remote attackers to inject a request into a session by sending this request during completion of the login form, CVE-2013-2067
.. .. apache:tomcat:6.0.24 the attacker could poison a web-cache CVE-2016-6816
.. .. Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba CVE-2011-2522
.. .. The MS-SAMR and MS-LSAD protocol implementations in Samba CVE-2016-2118
.. .. The session-persistence implementation in Apache Tomcat CVE-2016-0714
.. .. allows remote authenticated users to obtain the “take ownership” privilege via an LSA connection. CVE-2012-2111
.. .. Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, CVE-2010-2227
.. .. The default configuration of Apache Tomcat CVE-2010-4312
.. .. allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding. CVE-2014-0227

9. 渗透测试信息数据库

db_nmap:将 namp 扫描结果直接存入数据库
db_import:将扫描器的扫描结果进行导入

msf > db_status
    [*] postgresql selected, no connection
连接数据库:
    root@attacker:~# systemctl start postgresql.service 
msf > db_status
    [*] postgresql connected to msf

1. db_nmap:是 nmap 的一个封装,不同的是其将结果自动输入到数据库中
    msf > db_nmap -Pn -sV 10.10.10.0/24
        [*] Nmap: Nmap done: 256 IP addresses (6 hosts up) scanned in 411.47 seconds
2. 也可以将数据库的结果导出为一个文件,并导入到渗透测试数据库中
    msf > nmap -Pn -sV -oX dmz 10.10.10.0/24
    root@attacker:~# ll dmz 
        -rw-r--r-- 1 root root 18799 Sep  1 10:32 dmz
    msf > db_import /root/dmz
        [*] Importing 'Nmap XML' data
        [*] Import: Parsing with 'Nokogiri v1.8.0'
        [*] Importing host 10.10.10.1
        [*] Importing host 10.10.10.2
        [*] Importing host 10.10.10.129
        [*] Importing host 10.10.10.130
        [*] Importing host 10.10.10.128
        [*] Successfully imported /root/dmz

10. Openvas 与渗透测试数据库

1. 连接 openvas 
    root@attacker:~# openvas-start 
        Starting OpenVas Services
    msf > openvas_connect admin toor 127.0.0.1 9390 ok 
        [*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
        /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
        [+] OpenVAS connection successful
2. 找到想要导入的数据库
    msf > openvas_report_list
        [+] OpenVAS list of reports
        ID                                    Task Name    Start Time            Stop Time
        --                                    ---------    ----------            ---------
        07b3eba7-a110-4117-b603-7e50de27759f  Oswapbwa     2017-08-30T14:41:15Z  2017-08-31T03:02:28Z
        6a0bbe85-3eeb-49e1-8440-32988f6079c8  WIndows 2K3  2017-08-31T01:07:01Z  2017-08-31T01:47:53Z
        d7d88501-fe7d-44d3-8b70-566d49758e3a  Ubuntu-scan  2017-08-30T14:41:20Z  
        eac5169e-290e-4be1-9adf-8a401d806fb2  Ubuntu-Scan  2017-08-31T01:12:44Z  2017-08-31T03:30:24Z
3. 列出报告支持的格式    
    msf > openvas_format_list 
        [+] OpenVAS list of report formats
        ID                                    Name           Extension  Summary
        --                                    ----           ---------  -------
        5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
        50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
        5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
        6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
        77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
        9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
        910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
        9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
        9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
        a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
        a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
        a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
        c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
        c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
        c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.
4. 导入数据库(将 opwaspbwa 扫描报告的 nbe 格式导入)
    msf > openvas_report_import 07b3eba7-a110-4117-b603-7e50de27759f 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
        [*] Importing report to database.
5. 导入成功后,使用 vulns 查看导入的漏洞信息
    msf > vulns
        [*] Time: 2017-09-01 14:51:32 UTC Vuln: host=10.10.10.129 name=ICMP Timestamp Detection refs=CVE-1999-0524 

11. 共享你的渗透测试信息数据库

Metasploit中,可以使用两种方法共享渗透测试数据库
-让多台运行 Metasploit 的计算机连接到同一个网络数据库
-使用 MSF RPC服务

-让多台运行 Metasploit 的计算机连接到同一个网络数据库
1. 查看 postgres 进程的运行情况
    root@gate:~# netstat -tulnp | grep "postgres"
        tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      4907/postgres   
        tcp6       0      0 :::5432                 :::*                    LISTEN      4907/postgres  
2. 修改数据库监听地址
    root@attacker:~# vim /etc/postgresql/9.6/main/postgresql.conf
        listen_addresses = '0.0.0.0'  #59行 
        password_encryption = on    #88行 
3. pg_hba.conf是客户端认证配置文件,定义如何认证客户端
    root@attacker:~# vim /etc/postgresql/9.6/main/pg_hba.conf 
        host    all     all     0.0.0.0/24      md5     #93行
4. 重启 postgres 数据库服务
    root@attacker:~# systemctl restart postgresql.service
5. 再次查看 postgresql 服务运行是否正常
    root@attacker:~# netstat -tulnp |grep "postgres"
        tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      7564/postgres
6. 查看 msf 中 postgres 数据库的信息
    root@attacker:~# vim /usr/share/metasploit-framework/config/database.yml
        development: &pgsql
          adapter: postgresql
          database: msf
          username: msf
          password: admin
          host: localhost
          port: 5432
          pool: 200
          timeout: 5
7. 关于数据库的信息如下:
    postgres 地址:10.10.10.128
    postgres 端口:5432
    postgres 用户:msf
    postgres 口令:admin
    postgresql 数据库:msf
8. 在另一台计算机启动 msf 终端
    msf > db_disconnect 
    msf > db_status 
        [*] postgresql selected, no connection
    msf > db_connect msf:admin@10.10.10.128:5432/msf
        [*] Rebuilding the module cache in the background...
    msf > db_status 
        [*] postgresql connected to msf
9. 测试连接是否正常
    msf > hosts
        Hosts
        =====

        address       mac                name                os_name        os_flavor  os_sp  purpose  info  comments
        -------       ---                ----                -------        ---------  -----  -------  ----  --------
        10.10.10.1    00:50:56:c0:00:08                      Windows Vista                    client         
        10.10.10.2    00:50:56:f0:84:fe                      Unknown                          device         
        10.10.10.128                     attacker.dvssc.com  Unknown                          device         
        10.10.10.129  00:0c:29:19:70:bf  www.dvssc.com       Unknown                          device         
        10.10.10.130  00:0c:29:db:51:d2  service.dvssc.com   Windows XP                       client         
        10.10.10.133                                         Linux                     3.X    server         
        10.10.10.254  00:0c:29:19:70:bf  gate.dvssc.com      Linux                     2.6.X  server         

-使用 MSF RPC服务
1. 首先启动新的 msf rpc 服务,-P指定连接所需要的口令,-U指定连接所需要的用户名,-a绑定网络地址,默认127.0.0.1
    root@attacker:~# msfrpcd -P admin -U msf -a 0.0.0.0
        [[*] MSGRPC starting on 0.0.0.0:55553 (SSL):Msg...
        [*] MSGRPC backgrounding at 2017-09-06 21:38:09 -0400...
    root@attacker:~# netstat -tulnp| grep msfrpcd
        tcp        0      0 0.0.0.0:55553           0.0.0.0:*               LISTEN      1794/msfrpcd
2. 在另一台安装 msf4(版本匹配)的计算机上启动 MSF GUI(最新版是armitage)
    root@attacker:~# armitage   #会显示登录框
        Host 10.10.10.128
        Port 55553
        User msf
        Pass admin
3. 这个登录框会连接到之前新建的 msfprcd 服务上,单击 Server,之前 10.10.10.128 主机上的渗透测试数据都在这里显示出来。
        msfprcd 不仅可以共享渗透测试数据库,还可以共享所有的 msf 模块和攻击载荷
阅读更多 登录后自动展开
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页