Preliminary intelligence gathering
1. Passive
(1) whois lookup
msf6 > whois baidu.com
[*] exec: whois baidu.com
(2) Shodan search
Commonly used Shodan search filters:
asn Autonomous system number
port Port
org Organization that owns the IP address
os Operating system type
http.html Web page content
http.title Web page title
http.server Server type from the HTTP response header
http.status HTTP response status code
city City
country Country
product Software or product in use
vuln CVE vulnerability ID, e.g. vuln:CVE-2014-0723
net Search a network range, e.g. net:123.23.1.0/24
(3) nslookup
Microsoft Windows [版本 10.0.15063]
(c) 2017 Microsoft Corporation。保留所有权利。
C:\Users\28177>nslookup
默认服务器: webhosting.gz.cn
Address: 202.98.198.167
> baidu.com
服务器: webhosting.gz.cn
Address: 202.98.198.167
非权威应答:
名称: baidu.com
Addresses: 39.156.69.79
220.181.38.148
>
2. Active
(1) nmap port scan
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 > db_nmap -sV baidu.com
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 10:13 CST
[*] Nmap: Nmap scan report for baidu.com (220.181.38.148)
[*] Nmap: Host is up (0.043s latency).
[*] Nmap: Other addresses for baidu.com (not scanned): 39.156.69.79
[*] Nmap: Not shown: 998 filtered ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 80/tcp open http Apache httpd
[*] Nmap: 443/tcp open ssl/http Baidu Front End httpd 1.0.8.18
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 26.13 seconds
msf6 >
Commonly used nmap commands and parameters:
1) Identify the remote host's OS type and open ports
nmap -sS -P0 -sV -O <target>
Here <target> can be a single IP, a hostname, a domain name, or a subnet
-sS TCP SYN scan (also called half-open or stealth scan)
-P0 lets you skip the ICMP ping host discovery (spelled -Pn in current Nmap; the older -P0/-PN spellings are still accepted)
-sV enable service version detection
-O attempt to identify the remote operating system
Other options:
-A enable OS fingerprinting and version detection together
-v verbose output of scan progress.
nmap -sS -P0 -A -v <target>
2) List the hosts that have a given port open
nmap -sT -p 80 -oG - 10.0.1.* | grep open
3) Find all live hosts on the network
nmap -sP 10.0.1.*
4) Ping a range of IP addresses
nmap -sP 10.0.1.100-254
5) Find unused IP addresses on a subnet
nmap -T4 -sP 10.0.1.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp
6) Scan the LAN for the Conficker worm (the smb-check-vulns script has since been removed from Nmap; current releases split its checks into the smb-vuln-* scripts)
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 10.0.1.1-254
7) Scan the network for rogue access points
nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan 10.0.1.0/24
8) Scan a host's ports using the decoy method
sudo nmap -sS 10.0.1.10 -D 10.0.1.11
9) How many Linux and Windows devices are on the network?
nmap -F -O 10.0.1.1-254 | grep "Running:" > /tmp/os; echo "`cat /tmp/os | grep -i linux | wc -l` Linux device(s)"; echo "`cat /tmp/os | grep -i windows | wc -l` Windows device(s)"
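The one-liners in items 2) and 9) pipe Nmap's text output through grep, which is fragile: item 9 silently returns 0 if the case of the "Running:" lines does not match the grep pattern. The following Python script is an added example, not code from the original post: it parses Nmap's grepable (-oG) format into records and answers the same two questions, which hosts have a given port open and how many Linux versus Windows devices were seen. The scan data it consumes is a constructed sample in the same format, not the output of a real scan.

```python
"""Parse Nmap grepable (-oG) output into records and answer the two questions
posed by the shell one-liners above: which hosts have a port open, and how many
Linux vs Windows devices were seen."""
from collections import Counter
import re

# Constructed sample of `nmap -sT -p 80,445 -O -oG - 10.0.1.0/24` output.
# Not real scan data; hostnames and versions are invented.
SAMPLE_GREPABLE = """\
# Nmap 7.91 scan initiated Fri Jun  4 10:13:00 2021 as: nmap -sT -p 80,445 -O -oG - 10.0.1.0/24
Host: 10.0.1.1 (gw.lab)\tStatus: Up
Host: 10.0.1.1 (gw.lab)\tPorts: 80/open/tcp//http//lighttpd 1.4.53/, 445/closed/tcp//microsoft-ds///\tOS: Linux 3.2 - 4.9\tSeq Index: 1024
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.10 ()\tPorts: 80/closed/tcp//http///, 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/\tOS: Microsoft Windows 10
Host: 10.0.1.20 (web.lab)\tStatus: Up
Host: 10.0.1.20 (web.lab)\tPorts: 80/open/tcp//http//Apache httpd 2.4.41/, 445/filtered/tcp//microsoft-ds///\tOS: Linux 4.15 - 5.6
# Nmap done at Fri Jun  4 10:13:12 2021 -- 256 IP addresses (3 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)$")


def parse_port_entry(entry):
    # Grepable port entry layout: port/state/proto/owner/service/rpcinfo/version/
    fields = entry.strip().split("/")
    return {"port": int(fields[0]), "state": fields[1], "proto": fields[2],
            "service": fields[4], "version": fields[6]}


def parse_grepable(text):
    """Return {ip: {"hostname", "status", "ports", "os"}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment lines and blank lines
        fields = line.split("\t")          # -oG separates sections with tabs
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, {"hostname": name, "status": None,
                                    "ports": [], "os": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                rec["ports"] = [parse_port_entry(e) for e in value.split(", ")]
            elif key == "OS":
                rec["os"] = value
    return hosts


def hosts_with_open_port(hosts, port):
    """Same question as `nmap -p 80 -oG - ... | grep open`, but exact per port."""
    return sorted(ip for ip, rec in hosts.items()
                  if any(p["port"] == port and p["state"] == "open"
                         for p in rec["ports"]))


def count_os_families(hosts):
    """Same question as the `grep Running:` one-liner, case-insensitive."""
    counts = Counter()
    for rec in hosts.values():
        os_guess = (rec["os"] or "").lower()
        if "linux" in os_guess:
            counts["Linux"] += 1
        elif "windows" in os_guess:
            counts["Windows"] += 1
        else:
            counts["Other/Unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    print("port 80 open on:", hosts_with_open_port(inventory, 80))
    print("OS families:", count_os_families(inventory))
```

To use it on a real scan, save the output with `-oG scan.gnmap` and pass the file contents to `parse_grepable`; the records are also a convenient shape to diff against an asset inventory, which is how a defender turns a scan into a list of unexpected hosts and services.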
(2) Advanced nmap scan: TCP idle scan
msf6 > use auxiliary/scanner/ip/ipidseq
msf6 auxiliary(scanner/ip/ipidseq) > options
Module options (auxiliary/scanner/ip/ipidseq):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target host(s), range CIDR identifier, or hosts file w
ith syntax 'file:<path>'
RPORT 80 yes The target port
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 500 yes The reply read timeout in milliseconds
msf6 auxiliary(scanner/ip/ipidseq) > set rhosts baidu.com
rhosts => baidu.com
msf6 auxiliary(scanner/ip/ipidseq) > set threads 100
threads => 100
msf6 auxiliary(scanner/ip/ipidseq) > run
[*] 39.156.69.79's IPID sequence class: Randomized
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] 220.181.38.148's IPID sequence class: Randomized
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 39.156.69.79 220.181.38.148
[*] exec: nmap -PN -sI 39.156.69.79 220.181.38.148
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 10:51 CST
Idle scan zombie 39.156.69.79 (39.156.69.79) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.
QUITTING!
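The ipidseq run above reported both addresses as Randomized, and the `nmap -sI` attempt that followed (first address is the zombie, second the target) then aborted: an idle scan needs a zombie whose IP ID counter increases predictably between probes, and a randomized IP ID is exactly the defence modern kernels use against it. As an added example, not part of the original post and not Nmap's or Metasploit's code, the following Python function classifies a sampled IP ID sequence into the same classes those tools print and reports whether the host exposes a predictable counter, which is the finding a defender would want to fix. The sample sequences and the 20000 jump threshold are assumptions chosen here for illustration; Nmap's own heuristic is similar but is not reproduced exactly.

```python
"""Classify a sampled IP ID sequence into the classes that ipidseq and Nmap
report, and say whether the host exposes a predictable counter.  Simplified
re-implementation for illustration, not the tools' own code."""


def ipid_diffs(ipids):
    """Forward differences modulo 2**16 (the IP ID is a 16-bit field, so a
    counter that wraps from 65535 to 0 still counts as +1)."""
    return [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]


def classify_ipid_sequence(ipids):
    """Return the sequence class as a string."""
    if len(ipids) < 3:
        return "Unknown"                 # too few samples to judge
    if all(i == 0 for i in ipids):
        return "All zeros"               # host never sets the field
    if len(set(ipids)) == 1:
        return "Constant"
    diffs = ipid_diffs(ipids)
    # Assumption: a jump above 20000 between two closely spaced probes cannot
    # be explained by the host's own traffic, so the values are randomized.
    if any(d > 20000 for d in diffs):
        return "Randomized"
    if all(1 <= d <= 9 for d in diffs):
        return "Incremental"             # classic global counter
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "Broken little-endian incremental"   # counter stored byte-swapped
    return "Random positive increments"


def has_predictable_ipid(ipids):
    """True when a third party could read the host's traffic volume off its
    IP ID counter; such hosts should be patched, reconfigured or replaced."""
    return classify_ipid_sequence(ipids) in (
        "Incremental", "Broken little-endian incremental")


# Constructed sample sequences, not values captured from real hosts.
SAMPLES = {
    "legacy embedded device": [1001, 1002, 1003, 1004, 1005],
    "counter wrapping at 2**16": [65534, 65535, 0, 1, 2],
    "byte-swapped counter": [256, 512, 768, 1024],
    "modern kernel": [48213, 1034, 60211, 22087, 3995],
    "busy host, per-flow counter": [100, 400, 700, 1900],
    "always zero": [0, 0, 0, 0],
}

if __name__ == "__main__":
    for label, seq in SAMPLES.items():
        print(f"{label:28} {classify_ipid_sequence(seq):34} "
              f"predictable={has_predictable_ipid(seq)}")
```

Sampling the IP IDs of your own hosts (for example from a packet capture of a few replies to the same source) and feeding them to `classify_ipid_sequence` shows which devices still run a global incremental counter; those are typically old printers, embedded systems or unpatched legacy operating systems, and randomized or per-flow IP IDs on everything else are what makes the idle scan above fail.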
(3) Port scanning with Metasploit
msf6 > search portscan
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
3 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
4 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
7 auxiliary/scanner/http/wordpress_pingback_access normal No Wordpress Pingback Locator
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access
msf6 > use 6
msf6 auxiliary(scanner/portscan/syn) > options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in mill
iseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to
+/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), range CIDR identifier, or host
s file with syntax 'file:<path>'
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads (max one per host
)
TIMEOUT 500 yes The reply read timeout in milliseconds
msf6 auxiliary(scanner/portscan/syn) > set rhosts baidu.com
rhosts => baidu.com
msf6 auxiliary(scanner/portscan/syn) > set threads 100
threads => 100
msf6 auxiliary(scanner/portscan/syn) > options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in mill
iseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to
+/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS baidu.com yes The target host(s), range CIDR identifier, or host
s file with syntax 'file:<path>'
SNAPLEN 65535 yes The number of bytes to capture
THREADS 100 yes The number of concurrent threads (max one per host
)
TIMEOUT 500 yes The reply read timeout in milliseconds
msf6 auxiliary(scanner/portscan/syn) > run
[+] TCP OPEN 39.156.69.79:80
[+] TCP OPEN 220.181.38.148:80
...
3. Targeted scans
(1) SMB service
msf6 auxiliary(scanner/ip/ipidseq) > search smb_version
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/smb/smb_version normal No SMB Version Detection
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/ip/ipidseq) > use 0
msf6 auxiliary(scanner/smb/smb_version) > options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file wit
h syntax 'file:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/smb/smb_version) > set threads 100
threads => 100
msf6 auxiliary(scanner/smb/smb_version) > setg threads 100
threads => 100
msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.1/24
rhosts => 192.168.1.1/24
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.1.1/24: - Scanned 63 of 256 hosts (24% complete)
[*] 192.168.1.109:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:2d 0h 18m 54s) (guid:{91626752-019c-42b1-b617-5613472b7d6d}) (authentication domain:DOUBLE-DESK699)
[+] 192.168.1.109:445 - Host is running Windows 10 Home China (build:15063) (name:DOUBLE-DESK699) (workgroup:WORKGROUP)
[*] 192.168.1.115:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{7d1d709f-fd69-4aaf-bff4-c1ce93c37e99}) (authentication domain:DESKTOP-A6DM1DT)
[*] 192.168.1.1/24: - Scanned 106 of 256 hosts (41% complete)
[*] 192.168.1.1/24: - Scanned 107 of 256 hosts (41% complete)
[*] 192.168.1.1/24: - Scanned 107 of 256 hosts (41% complete)
[*] 192.168.1.1/24: - Scanned 161 of 256 hosts (62% complete)
[*] 192.168.1.1/24: - Scanned 205 of 256 hosts (80% complete)
[*] 192.168.1.1/24: - Scanned 206 of 256 hosts (80% complete)
[*] 192.168.1.1/24: - Scanned 206 of 256 hosts (80% complete)
[*] 192.168.1.1/24: - Scanned 254 of 256 hosts (99% complete)
[*] 192.168.1.1/24: - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) >
The results show each scanned host's operating system and installed patches.
msf6 auxiliary(scanner/smb/smb_version) > back
msf6 > hosts -u -c address,os_name,svcs,vulns,workspace
Hosts
=====
address os_name svcs vulns workspace
------- ------- ---- ----- ---------
39.156.69.79 Unknown 2 0 default
192.168.1.1 embedded 2 0 default
192.168.1.101 Unknown 1 0 default
192.168.1.102 Linux 1 0 default
192.168.1.103 0 0 default
192.168.1.105 0 0 default
192.168.1.106 Windows XP 2 0 default
192.168.1.107 0 0 default
192.168.1.108 Windows XP 4 0 default
192.168.1.109 Windows 10 4 1 default
192.168.1.110 0 0 default
192.168.1.111 0 0 default
192.168.1.112 Windows XP 1 0 default
192.168.1.113 0 0 default
192.168.1.115 Windows XP 1 3 default
220.181.38.148 Unknown 2 0 default
The `hosts` command above lists the results saved in the database.
(2) Searching for Microsoft SQL Server
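The smb_version lines above carry more than the OS name: the versions, preferred dialect and signatures fields describe how SMB is configured on each host, which is what a defender needs for hardening decisions. The following Python script is an added example, not code from the original post or from Metasploit: it parses the module's output lines (copied here from the output above, so the GUIDs and host names are the ones the scan printed) into records and flags hosts that still accept SMB1 or do not require SMB signing.

```python
"""Parse the `[*] host:445 - SMB Detected (...)` and `[+] ... Host is running`
lines printed by auxiliary/scanner/smb/smb_version and flag weak SMB settings."""
import re

# Input copied from the smb_version output above; progress lines are included
# to show that they are skipped.
SMB_LOG = """\
[*] 192.168.1.1/24: - Scanned 63 of 256 hosts (24% complete)
[*] 192.168.1.109:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:2d 0h 18m 54s) (guid:{91626752-019c-42b1-b617-5613472b7d6d}) (authentication domain:DOUBLE-DESK699)
[+] 192.168.1.109:445 - Host is running Windows 10 Home China (build:15063) (name:DOUBLE-DESK699) (workgroup:WORKGROUP)
[*] 192.168.1.115:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{7d1d709f-fd69-4aaf-bff4-c1ce93c37e99}) (authentication domain:DESKTOP-A6DM1DT)
[*] Auxiliary module execution completed
"""

# "[*] 1.2.3.4:445 - rest of line"; progress lines have "/24:" and do not match.
LINE_RE = re.compile(r"^\[[*+]\] (\d+\.\d+\.\d+\.\d+):(\d+) - (.*)$")
# "(key:value)" groups; keys may contain spaces, values may contain braces.
PAIR_RE = re.compile(r"\(([^()]*?):([^()]*)\)")


def parse_smb_log(text):
    """Return {ip: record} with the fields smb_version reports per host."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # progress and status lines
        ip, port, body = m.group(1), int(m.group(2)), m.group(3)
        rec = hosts.setdefault(ip, {"port": port})
        attrs = dict(PAIR_RE.findall(body))
        if body.startswith("SMB Detected"):
            rec["versions"] = [v.strip() for v in attrs.get("versions", "").split(",")
                               if v.strip()]
            rec["dialect"] = attrs.get("preferred dialect")
            rec["signing"] = attrs.get("signatures")
            rec["domain"] = attrs.get("authentication domain")
        elif body.startswith("Host is running"):
            # OS name is the free text before the first "(key:value)" group.
            rec["os"] = body[len("Host is running "):].split(" (")[0]
            rec["build"] = attrs.get("build")
            rec["name"] = attrs.get("name")
    return hosts


def smb_findings(hosts):
    """Return {ip: [finding, ...]} for hosts whose SMB settings need attention."""
    findings = {}
    for ip, rec in hosts.items():
        issues = []
        if "1" in rec.get("versions", []):
            issues.append("SMB1 enabled")
        if rec.get("signing") == "optional":
            issues.append("SMB signing not required")
        if issues:
            findings[ip] = issues
    return findings


if __name__ == "__main__":
    inventory = parse_smb_log(SMB_LOG)
    for ip, issues in smb_findings(inventory).items():
        rec = inventory[ip]
        print(f"{ip} ({rec.get('os', 'unknown OS')}, build {rec.get('build')}): "
              + ", ".join(issues))
```

For a real run, record the console with msfconsole's `spool` command (for example `spool /tmp/smb.log` before `run`, `spool off` after) and pass the file contents to `parse_smb_log`. Both findings map to concrete hardening steps: disable the SMB1 server component on hosts that still advertise version 1, and set "Microsoft network server: Digitally sign communications (always)" so that signing is reported as required rather than optional.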
msf6 > search mssql_ping
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/mssql/mssql_ping normal No MSSQL Ping Utility
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mssql/mssql_ping
msf6 > use 0
msf6 auxiliary(scanner/mssql/mssql_ping) > options
Module options (auxiliary/scanner/mssql/mssql_ping):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), range CIDR identifier, or ho
sts file with syntax 'file:<path>'
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 100 yes The number of concurrent threads (max one per ho
st)
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN op
tion set)
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.1.1/24
rhosts => 192.168.1.1/24
msf6 auxiliary(scanner/mssql/mssql_ping) > run
[*] 192.168.1.1/24: - Scanned 43 of 256 hosts (16% complete)
[*] 192.168.1.1/24: - Scanned 70 of 256 hosts (27% complete)
[*] 192.168.1.1/24: - Scanned 85 of 256 hosts (33% complete)
[*] 192.168.1.1/24: - Scanned 121 of 256 hosts (47% complete)
[*] 192.168.1.1/24: - Scanned 137 of 256 hosts (53% complete)
[*] 192.168.1.1/24: - Scanned 166 of 256 hosts (64% complete)
[*] 192.168.1.1/24: - Scanned 186 of 256 hosts (72% complete)
[*] 192.168.1.1/24: - Scanned 213 of 256 hosts (83% complete)
[*] 192.168.1.1/24: - Scanned 231 of 256 hosts (90% complete)
[*] 192.168.1.1/24: - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
(3) SSH service
msf6 auxiliary(scanner/mssql/mssql_ping) > search ssh_version
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/fuzzers/ssh/ssh_version_15 normal No SSH 1.5 Version Fuzzer
1 auxiliary/fuzzers/ssh/ssh_version_2 normal No SSH 2.0 Version Fuzzer
2 auxiliary/fuzzers/ssh/ssh_version_corrupt normal No SSH Version Corruption
3 auxiliary/scanner/ssh/ssh_version normal No SSH Version Scanner
Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/mssql/mssql_ping) > use 3
msf6 auxiliary(scanner/ssh/ssh_version) > options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file wit
h syntax 'file:<path>'
RPORT 22 yes The target port (TCP)
THREADS 100 yes The number of concurrent threads (max one per host)
TIMEOUT 30 yes Timeout for the SSH probe
msf6 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.1.1/24
rhosts => 192.168.1.1/24
msf6 auxiliary(scanner/ssh/ssh_version) > run
[*] 192.168.1.1/24:22 - Scanned 56 of 256 hosts (21% complete)
[*] 192.168.1.1/24:22 - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.1.1/24:22 - Scanned 105 of 256 hosts (41% complete)
[*] 192.168.1.1/24:22 - Scanned 105 of 256 hosts (41% complete)
[*] 192.168.1.1/24:22 - Scanned 150 of 256 hosts (58% complete)
[*] 192.168.1.1/24:22 - Scanned 198 of 256 hosts (77% complete)
[*] 192.168.1.1/24:22 - Scanned 200 of 256 hosts (78% complete)
[*] 192.168.1.1/24:22 - Scanned 220 of 256 hosts (85% complete)
[*] 192.168.1.1/24:22 - Scanned 252 of 256 hosts (98% complete)
[*] 192.168.1.1/24:22 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_version) >
(4) FTP service
msf6 auxiliary(scanner/ssh/ssh_version) > search ftp_version
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ftp/ftp_version normal No FTP Version Scanner
1 auxiliary/scanner/ftp/ftp_version_by_xz21 normal No ftp version scanner
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ftp/ftp_version_by_xz21
msf6 auxiliary(scanner/ssh/ssh_version) > use 0
msf6 auxiliary(scanner/ftp/ftp_version) > options
Module options (auxiliary/scanner/ftp/ftp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target host(s), range CIDR identifier, or hosts file
with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
THREADS 100 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.1.1/24
rhosts => 192.168.1.1/24
msf6 auxiliary(scanner/ftp/ftp_version) > run
[*] 192.168.1.1/24:21 - Scanned 60 of 256 hosts (23% complete)
[*] 192.168.1.1/24:21 - Scanned 105 of 256 hosts (41% complete)
[*] 192.168.1.1/24:21 - Scanned 105 of 256 hosts (41% complete)
[*] 192.168.1.1/24:21 - Scanned 105 of 256 hosts (41% complete)
[*] 192.168.1.1/24:21 - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.1.1/24:21 - Scanned 199 of 256 hosts (77% complete)
[*] 192.168.1.1/24:21 - Scanned 200 of 256 hosts (78% complete)
[*] 192.168.1.1/24:21 - Scanned 250 of 256 hosts (97% complete)
[*] 192.168.1.1/24:21 - Scanned 251 of 256 hosts (98% complete)
[*] 192.168.1.1/24:21 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
If an FTP server is found, a Metasploit module can check whether it allows anonymous login.
msf6 auxiliary(scanner/ftp/ftp_version) > search ftp/anonymous
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ftp/anonymous normal No Anonymous FTP Access Detection
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(scanner/ftp/ftp_version) > use 0
Set the module's parameters and run it.
(5) SNMP service
msf6 auxiliary(scanner/ftp/anonymous) > search snmp_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/snmp/snmp_login normal No SNMP Community Login Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/ftp/anonymous) > use 0
msf6 auxiliary(scanner/snmp/snmp_login) > options
Module options (auxiliary/scanner/snmp/snmp_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in th
e current database
DB_ALL_PASS false no Add all passwords in the current database
to the list
DB_ALL_USERS false no Add all users in the current database to t
he list
PASSWORD no The password to test
PASS_FILE /usr/share/metasploit-fr no File containing communities, one per line
amework/data/wordlists/s
nmp_default_pass.txt
RHOSTS yes The target host(s), range CIDR identifier,
or hosts file with syntax 'file:<path>'
RPORT 161 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for
a host
THREADS 100 yes The number of concurrent threads (max one
per host)
USER_AS_PASS false no Try the username as the password for all u
sers
VERBOSE true yes Whether to print output for all attempts
VERSION 1 yes The SNMP version to scan (Accepted: 1, 2c,
all)
msf6 auxiliary(scanner/snmp/snmp_login) > set rhosts 192.168.1.1/24
rhosts => 192.168.1.1/24
msf6 auxiliary(scanner/snmp/snmp_login) > run
[*] Scanned 100 of 256 hosts (39% complete)
[*] Scanned 100 of 256 hosts (39% complete)
[*] Scanned 101 of 256 hosts (39% complete)
[*] Scanned 123 of 256 hosts (48% complete)
[*] Scanned 170 of 256 hosts (66% complete)
[*] Scanned 187 of 256 hosts (73% complete)
[*] Scanned 194 of 256 hosts (75% complete)
[*] Scanned 209 of 256 hosts (81% complete)
[*] Scanned 245 of 256 hosts (95% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/snmp/snmp_login) >
Summary
This article described in detail the methods and hands-on steps for intelligence gathering in the early phase of a penetration test; it is for learning purposes only.