Step 1: Calling nmap from Metasploit
Preparation before the experiment
First, connect to Kali with PuTTY (see my previous post for the details), then switch to the root user with the su command:
$ su root
密码:
root@xw:/home/wyy#
Change to root's home directory:
root@xw:/home/wyy# cd
root@xw:~#
Start Metasploit:
root@xw:~# msfconsole
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v4.16.18-dev                         ]
+ -- --=[ 1703 exploits - 969 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
Call nmap from the msf prompt to scan a subnet:
msf > nmap -sn -v 192.168.68.0/24
[*] exec: nmap -sn -v 192.168.68.0/24
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-26 19:37 CST
Initiating ARP Ping Scan at 19:37
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 19:37, 2.00s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 19:37
Completed Parallel DNS resolution of 255 hosts. at 19:37, 0.03s elapsed
Nmap scan report for 192.168.68.0 [host down]
Nmap scan report for 192.168.68.1
Host is up (0.0013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.68.2
Host is up (0.00039s latency).
MAC Address: 00:50:56:ED:92:54 (VMware)
Nmap scan report for 192.168.68.3 [host down]
Nmap scan report for 192.168.68.135 [host down]
Nmap scan report for 192.168.68.136 [host down]
Nmap scan report for 192.168.68.138 [host down]
Nmap scan report for 192.168.68.139
Host is up (0.00051s latency).
MAC Address: 00:0C:29:D6:52:D9 (VMware)
Nmap scan report for 192.168.68.140 [host down]
Nmap scan report for 192.168.68.253 [host down]
Nmap scan report for 192.168.68.254
Host is up (0.00036s latency).
MAC Address: 00:50:56:E1:F3:57 (VMware)
Nmap scan report for 192.168.68.255 [host down]
Initiating Parallel DNS resolution of 1 host. at 19:37
Completed Parallel DNS resolution of 1 host. at 19:37, 0.03s elapsed
Nmap scan report for 192.168.68.137
Host is up.
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.49 seconds
Raw packets sent: 507 (14.196KB) | Rcvd: 5 (140B)
Explanation of the options and the results:
-sn: host discovery (ping scan) only, no port scan
-v: verbose output
Reading the results:
Nmap scan report for 192.168.68.139
Host is up (0.00051s latency).   # the host is up; nmap measured 0.00051 s latency to it
MAC Address: 00:0C:29:D6:52:D9 (VMware)   # the MAC address of the live host and its likely vendor; here the live host is a VMware virtual machine
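The two annotated lines above are what a defender reads off such a report: which addresses answered, and what hardware they appear to be. As an added example (not part of the original post), the Python below parses the verbose -sn report into structured records and checks the live hosts against an authorized inventory, so that an unexpected machine on the segment stands out. Both the report excerpt and the inventory are constructed from the addresses shown above; the inventory deliberately omits 192.168.68.139 so that it is flagged. The entry for 192.168.68.137 ("Host is up." with no latency or MAC) is how nmap reports the scanning host itself, and the parser treats those fields as optional.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the `nmap -sn -v` report from the walkthrough above
# (same addresses and MACs as the post, trimmed to the interesting lines).
SAMPLE_REPORT = """\
Nmap scan report for 192.168.68.0 [host down]
Nmap scan report for 192.168.68.1
Host is up (0.0013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.68.2
Host is up (0.00039s latency).
MAC Address: 00:50:56:ED:92:54 (VMware)
Nmap scan report for 192.168.68.3 [host down]
Nmap scan report for 192.168.68.139
Host is up (0.00051s latency).
MAC Address: 00:0C:29:D6:52:D9 (VMware)
Nmap scan report for 192.168.68.254
Host is up (0.00036s latency).
MAC Address: 00:50:56:E1:F3:57 (VMware)
Nmap scan report for 192.168.68.137
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.49 seconds
"""

# Constructed authorized inventory: IP -> expected MAC (None when no MAC is
# known, e.g. the scanning host itself, which nmap lists without latency or MAC).
AUTHORIZED: Dict[str, Optional[str]] = {
    "192.168.68.1": "00:50:56:C0:00:08",
    "192.168.68.2": "00:50:56:ED:92:54",
    "192.168.68.254": "00:50:56:E1:F3:57",
    "192.168.68.137": None,
}

REPORT_RE = re.compile(r"^Nmap scan report for (?P<ip>\S+)(?P<down> \[host down\])?$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?: \((?P<vendor>[^)]*)\))?$")


@dataclass
class Host:
    ip: str
    up: bool = False
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None


def parse_host_discovery(text: str) -> Dict[str, Host]:
    """Turn the verbose -sn report into {ip: Host}. Lines that belong to no
    'Nmap scan report' header (banner, summary line) are ignored."""
    hosts: Dict[str, Host] = {}
    current: Optional[Host] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = Host(ip=m["ip"], up=m["down"] is None)
            hosts[current.ip] = current
            continue
        if current is None:
            continue
        m = UP_RE.match(line)
        if m:
            current.up = True
            if m["lat"] is not None:
                current.latency_s = float(m["lat"])
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m["mac"]
            current.vendor = m["vendor"]
    return hosts


def live_hosts(hosts: Dict[str, Host]) -> List[Host]:
    """Live hosts in numeric IP order (string order would sort .137 before .2)."""
    return sorted((h for h in hosts.values() if h.up),
                  key=lambda h: ipaddress.ip_address(h.ip))


def unexpected_hosts(hosts: Dict[str, Host], authorized: Dict[str, Optional[str]]) -> List[str]:
    """Live hosts that are not in the inventory, or whose MAC does not match it.
    Each finding is 'ip: reason' so it can go straight into an alert or ticket."""
    findings = []
    for h in live_hosts(hosts):
        if h.ip not in authorized:
            findings.append(f"{h.ip}: not in inventory (MAC {h.mac}, {h.vendor})")
        elif authorized[h.ip] is not None and h.mac != authorized[h.ip]:
            findings.append(f"{h.ip}: MAC {h.mac} differs from inventory {authorized[h.ip]}")
    return findings


if __name__ == "__main__":
    parsed = parse_host_discovery(SAMPLE_REPORT)
    for h in live_hosts(parsed):
        print(f"{h.ip:16} latency={h.latency_s} mac={h.mac} vendor={h.vendor}")
    for finding in unexpected_hosts(parsed, AUTHORIZED):
        print("UNEXPECTED", finding)
```

Run against the excerpt, it lists the five live hosts and reports 192.168.68.139 as not in inventory; changing a MAC in the inventory produces a second finding, which is the case that matters when an address has been taken over by a different machine.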
Step 2: Scanning with a Metasploit module
The module used here is auxiliary/scanner/portscan/syn, and the address scanned is 192.168.68.139.
The commands are as follows:
msf > use auxiliary/scanner/portscan/syn    # load the module
msf auxiliary(syn) > show options           # list the parameters that can be set

Module options (auxiliary/scanner/portscan/syn):    # Required = yes are mandatory, no are optional

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set rhosts 192.168.68.139    # set the target address
rhosts => 192.168.68.139
msf auxiliary(syn) > set threads 1000             # set the number of threads
threads => 1000
msf auxiliary(syn) > run                          # run the module
[+] TCP OPEN 192.168.68.139:21
[+] TCP OPEN 192.168.68.139:22
[+] TCP OPEN 192.168.68.139:23
[+] TCP OPEN 192.168.68.139:25
[+] TCP OPEN 192.168.68.139:53
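The syn module sends one SYN to every port in PORTS (1-10000 by default) and reports the ports that answer with SYN/ACK. Seen from the target's side, especially with THREADS raised to 1000, this is a burst of SYNs from a single source to many destination ports in a short time, which is the signature a network monitor keys on. As an added example (not from the post or from Metasploit), the Python below flags such bursts in firewall-style log lines by counting distinct destination ports per source/destination pair inside a sliding time window. The log format and the sample records are constructed: the scanner address 192.168.68.137 and target 192.168.68.139 are taken from the walkthrough, while 192.168.68.50 is a made-up ordinary client used to show that normal traffic stays below the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
# Constructed firewall-style record: "<timestamp> SYN <src>:<sport> -> <dst>:<dport>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) SYN "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def constructed_log() -> List[str]:
    """Constructed sample: the scanner from the walkthrough (192.168.68.137) sends
    one SYN to each of 40 ports on 192.168.68.139 within two seconds, while a
    constructed ordinary client (192.168.68.50) opens two services over a minute."""
    base = datetime(2017, 11, 26, 19, 40, 0)
    lines = []
    for i, port in enumerate(range(1, 41)):
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.strftime(TS_FMT)} SYN 192.168.68.137:{40000 + i} -> 192.168.68.139:{port}")
    for offset, port in ((5, 22), (50, 25)):
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.strftime(TS_FMT)} SYN 192.168.68.50:{51000 + port} -> 192.168.68.139:{port}")
    return lines


def parse_syn_events(lines: List[str]) -> List[Tuple[datetime, str, str, int]]:
    """Parse SYN records and sort them by time; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["src"], m["dst"], int(m["dport"])))
    events.sort()
    return events


def detect_port_scans(lines: List[str], window_s: float = 10.0,
                      min_ports: int = 20) -> Dict[Tuple[str, str], int]:
    """Sliding-window detector: for every (src, dst) pair keep the SYNs seen in
    the last window_s seconds and count distinct destination ports. Pairs whose
    count reaches min_ports in any window are returned with their peak count."""
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, int]]] = defaultdict(deque)
    peak: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, src, dst, dport in parse_syn_events(lines):
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        # Expire SYNs older than the window before counting; the newest entry
        # (age 0) always stays, so the loop terminates.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > peak[key]:
            peak[key] = distinct
    return {k: v for k, v in peak.items() if v >= min_ports}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(constructed_log()).items():
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports within 10 s")
```

With the defaults the scanner pair is reported with 40 distinct ports and the client pair is not; the window and threshold are the knobs to tune against real traffic, since a client that legitimately touches many ports of one server in quick succession will look the same to a counter of this kind.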
The scan is noticeably slow. For port scanning there is another tool, masscan, which claims to be able to scan the entire Internet in six minutes.
GitHub link: https://github.com/robertdavidgraham/masscan