Metasploit from Beginner to Giving Up, Tutorial Series Part 2: Scanning and Discovery

This is the second part of the Metasploit from Beginner to Giving Up series and covers how to run nmap network scans from within Metasploit. It first describes the preparation for the exercise and the steps to start Metasploit, then explains the parameters used to call nmap against a subnet and how to read the results, and finally discusses running scans with Metasploit's built-in modules.

Step 1: Calling nmap from Metasploit

Preparation

First, connect to Kali with PuTTY (see my previous post for the details), then use the su command to switch to the root user:
$ su root
密码:
root@xw:/home/wyy#
Change to root's home directory:
root@xw:/home/wyy# cd
root@xw:~#

Starting Metasploit

root@xw:~# msfconsole


# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *




         =[ metasploit v4.16.18-dev                               ] 
+ -- --=[ 1703 exploits - 969 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops          ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >

Calling nmap to scan a subnet

msf > nmap -sn -v 192.168.68.0/24
[*] exec: nmap -sn -v 192.168.68.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-26 19:37 CST
Initiating ARP Ping Scan at 19:37
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 19:37, 2.00s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 19:37
Completed Parallel DNS resolution of 255 hosts. at 19:37, 0.03s elapsed
Nmap scan report for 192.168.68.0 [host down]
Nmap scan report for 192.168.68.1
Host is up (0.0013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.68.2
Host is up (0.00039s latency).
MAC Address: 00:50:56:ED:92:54 (VMware)
Nmap scan report for 192.168.68.3 [host down]

Nmap scan report for 192.168.68.135 [host down]
Nmap scan report for 192.168.68.136 [host down]
Nmap scan report for 192.168.68.138 [host down]
Nmap scan report for 192.168.68.139
Host is up (0.00051s latency).
MAC Address: 00:0C:29:D6:52:D9 (VMware)
Nmap scan report for 192.168.68.140 [host down]

Nmap scan report for 192.168.68.253 [host down]
Nmap scan report for 192.168.68.254
Host is up (0.00036s latency).
MAC Address: 00:50:56:E1:F3:57 (VMware)
Nmap scan report for 192.168.68.255 [host down]
Initiating Parallel DNS resolution of 1 host. at 19:37
Completed Parallel DNS resolution of 1 host. at 19:37, 0.03s elapsed
Nmap scan report for 192.168.68.137
Host is up.
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.49 seconds
           Raw packets sent: 507 (14.196KB) | Rcvd: 5 (140B)

Parameters and result explanation:

-sn: ping scan only, no port scan
-v: show verbose scan details
Reading the results:
Nmap scan report for 192.168.68.139
Host is up (0.00051s latency).   # nmap detected this host as alive, with a reply latency of 0.00051 s
MAC Address: 00:0C:29:D6:52:D9 (VMware)   # the live host's MAC address and its probable device type; here the live host is a VMware virtual machine

Step 2: Scanning with a Metasploit module

The module used here is auxiliary/scanner/portscan/syn, and the IP to scan is 192.168.68.139.
The commands are as follows:
msf > use auxiliary/scanner/portscan/syn     # load the module
msf auxiliary(syn) > show options                 # list which parameters need to be set


Module options (auxiliary/scanner/portscan/syn): # Required = yes means mandatory, no means optional


   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds


msf auxiliary(syn) > set rhosts 192.168.68.139         # set the target address
rhosts => 192.168.68.139
msf auxiliary(syn) > set threads 1000                   # set the number of threads
threads => 1000
msf auxiliary(syn) > run   # run the module


[+]  TCP OPEN 192.168.68.139:21
[+]  TCP OPEN 192.168.68.139:22
[+]  TCP OPEN 192.168.68.139:23
[+]  TCP OPEN 192.168.68.139:25
[+]  TCP OPEN 192.168.68.139:53
The scan turns out to be fairly slow. For port scanning you can use another tool, masscan, which claims to scan the entire Internet in six minutes.
GitHub link: https://github.com/robertdavidgraham/masscan
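As an added example (not code from the original post), here is a small Python parser that turns the nmap -sn -v report lines and the syn module's [+] TCP OPEN lines into structured host records, so a sweep of your own network can be compared against an asset inventory. The sample strings are constructed from the output shown above.

```python
import re
from collections import defaultdict
# Constructed samples modelled on the outputs shown above (not real scan data).
NMAP_SAMPLE = """\
Nmap scan report for 192.168.68.3 [host down]
Nmap scan report for 192.168.68.139
Host is up (0.00051s latency).
MAC Address: 00:0C:29:D6:52:D9 (VMware)
Nmap scan report for 192.168.68.137
Host is up.
"""
MSF_SAMPLE = """\
[+]  TCP OPEN 192.168.68.139:53
[+]  TCP OPEN 192.168.68.139:21
"""
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)( \[host down\])?$")
UP_RE = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")
OPEN_RE = re.compile(r"^\[\+\]\s+TCP OPEN (\S+):(\d+)$")

def parse_nmap_ping_sweep(text):
    """Map each live IP to {"latency", "mac", "vendor"}; [host down] entries are skipped."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = None if m.group(2) else m.group(1)  # None: ignore until next report
            continue
        if current is None:
            continue
        m = UP_RE.match(line)
        if m:
            # The scanning host itself prints a bare "Host is up." with no latency or MAC line.
            latency = float(m.group(1)) if m.group(1) else None
            hosts[current] = {"latency": latency, "mac": None, "vendor": None}
            continue
        m = MAC_RE.match(line)
        if m and current in hosts:
            hosts[current]["mac"], hosts[current]["vendor"] = m.group(1), m.group(2)
    return hosts

def parse_msf_syn_output(text):
    """Map each IP in the module's [+] TCP OPEN lines to its sorted open ports."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {ip: sorted(p) for ip, p in ports.items()}
```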
