Practice against the Metasploitable VM
– vi /etc/default/snmpd # change the listen address to 0.0.0.0
– Linux targets
▪ use auxiliary/scanner/snmp/snmp_login # community string login check
▪ use auxiliary/scanner/snmp/snmp_enum # enumerate system information
– Windows targets
▪ use auxiliary/scanner/snmp/snmp_enumusers # enumerate users
▪ use auxiliary/scanner/snmp/snmp_enumshares # enumerate shares
SMB scanning
– SMB version scan
▪ use auxiliary/scanner/smb/smb_version
– Scan named pipes to determine the service type
▪ use auxiliary/scanner/smb/pipe_auditor
– Scan for DCERPC services reachable through SMB named pipes
▪ use auxiliary/scanner/smb/pipe_dcerpc_auditor
– SMB share enumeration
▪ use auxiliary/scanner/smb/smb_enumshares
– SMB user enumeration
▪ use auxiliary/scanner/smb/smb_enumusers
– SID enumeration
▪ use auxiliary/scanner/smb/smb_lookupsid
SSH scanning
– SSH version scan
▪ use auxiliary/scanner/ssh/ssh_version
▪ SSH protocol version 1.0 has known vulnerabilities
– SSH password brute force
▪ use auxiliary/scanner/ssh/ssh_login
▪ wordlists are located under framework/data/wordlists
▪ Medusa can also be used for brute forcing
– SSH public key login
▪ use auxiliary/scanner/ssh/ssh_login_pubkey
▪ set KEY_FILE id_rsa
MSSQL scanning
– TCP 1433, UDP 1434
▪ use auxiliary/scanner/mssql/mssql_ping
▪ discovers the dynamic port (other than 1433) that Microsoft SQL Server is listening on
– Password brute force
▪ use auxiliary/scanner/mssql/mssql_login
– Remote command execution
▪ use auxiliary/admin/mssql/mssql_exec
▪ set CMD net user user pass /ADD # add a user
FTP scanning
– FTP version scan, port 21
▪ use auxiliary/scanner/ftp/ftp_version
▪ use auxiliary/scanner/ftp/anonymous # check for anonymous login
▪ use auxiliary/scanner/ftp/ftp_login # password brute force
Vulnerability scanning
RDP remote desktop vulnerability
– This is a check-only module; it does not trigger a DoS on the target
▪ use auxiliary/scanner/rdp/ms12_020_check
▪ if the host is vulnerable, run search ms12_020
VMware ESXi password brute force
▪ use auxiliary/scanner/vmware/vmauthd_login
▪ use auxiliary/scanner/vmware/vmware_enum_vms # enumerate virtual machines
HTTP vulnerability scanning
– Expired certificates
▪ use auxiliary/scanner/http/cert
– Directory listings and exposed files
▪ use auxiliary/scanner/http/dir_listing
▪ use auxiliary/scanner/http/files_dir
– WebDAV Unicode encoding authentication bypass
▪ use auxiliary/scanner/http/dir_webdav_unicode_bypass
– Tomcat manager login page
▪ use auxiliary/scanner/http/tomcat_mgr_login
– Authentication bypass based on the HTTP method (verb)
▪ use auxiliary/scanner/http/verb_auth_bypass
– WordPress password brute force
▪ use auxiliary/scanner/http/wordpress_login_enum
▪ set URI /wordpress/wp-login.php