Vulnerability scanning
Common HTTP weaknesses
Check whether the certificate has expired
msf5 > use auxiliary/scanner/http/cert
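The cert module above flags certificates that have already expired. As an added example (not part of the original notes and not Metasploit code), the following Python script performs the same check from the defender's side for an inventory of hosts, using only the standard library: it pulls the peer certificate over TLS, reads its notAfter field, and classifies it as expired, expiring soon, or ok. The host list, the 30-day warning window and the sample dates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def days_until_expiry(not_after, now=None):
    """Whole days until a certificate's notAfter value, as returned by
    ssl.SSLSocket.getpeercert() (e.g. 'Jan 31 00:00:00 2025 GMT').
    A negative result means the certificate has already expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    return (expiry - now).days

def classify(not_after, warn_days=30, now=None):
    """Map the remaining lifetime to a triage label."""
    remaining = days_until_expiry(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring-soon"
    return "ok"

def fetch_not_after(host, port=443, timeout=5.0):
    """Connect with hostname verification and return the peer cert's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    # Constructed inventory; replace with the hosts you are responsible for.
    inventory = [("example.com", 443)]
    for host, port in inventory:
        try:
            not_after = fetch_not_after(host, port)
            print(f"{host}:{port} {classify(not_after)} (notAfter={not_after})")
        except (OSError, ssl.SSLError, KeyError) as exc:
            # A handshake failure (e.g. self-signed or already-expired cert
            # rejected by the default context) is itself worth reporting.
            print(f"{host}:{port} error: {exc}")
```

Because create_default_context() verifies the chain, a certificate that is expired or untrusted surfaces as an SSLError rather than a parsed date; the script reports that case instead of silently skipping the host.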
List directories and files
Directories
msf5 > use auxiliary/scanner/http/dir_listing
File brute-forcing
msf5 auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/files_dir
msf5 auxiliary(scanner/http/files_dir) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/http/files_dir) > set threads 10
msf5 auxiliary(scanner/http/files_dir) > run
WebDAV Unicode-encoding authentication bypass
msf5 > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf5 auxiliary(scanner/http/dir_webdav_unicode_bypass) > set rhosts 192.168.172.131
msf5 auxiliary(scanner/http/dir_webdav_unicode_bypass) > set threads 10
threads => 10
msf5 auxiliary(scanner/http/dir_webdav_unicode_bypass) > run
Tomcat manager interface brute-forcing
msf5 > use auxiliary/scanner/http/tomcat_mgr_login
Authentication bypass based on the HTTP method (POST)
msf5 > use auxiliary/scanner/http/verb_auth_bypass
WordPress CMS password brute-forcing (commonly used for personal sites)
msf5 > use auxiliary/scanner/http/wordpress_login_enum
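The files_dir, tomcat_mgr_login and wordpress_login_enum modules above all leave a characteristic footprint in the web server's access log: one client producing a burst of 404s, or a burst of requests to a login endpoint. As an added example (not part of the original notes and not Metasploit code), the following Python script shows how a defender would detect that footprint in Apache/nginx combined-format logs. The log lines, client addresses, login paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Login endpoints typically targeted by the scanner modules discussed above.
# Failed logins return different status codes per application (Tomcat: 401,
# WordPress: 200 with an error page), so the rule counts attempts, not failures.
LOGIN_PATHS = ("/manager/html", "/wp-login.php", "/xmlrpc.php")

def _sample_lines():
    """Constructed sample traffic (not real data): one client probing many
    non-existent paths, one hammering wp-login.php, one normal visitor."""
    lines = []
    for i in range(25):
        lines.append(f'10.0.0.5 - - [10/Oct/2023:13:55:{i:02d} +0000] '
                     f'"GET /probe{i}/ HTTP/1.1" 404 196')
    for i in range(8):
        lines.append(f'10.0.0.9 - - [10/Oct/2023:13:56:{i:02d} +0000] '
                     f'"POST /wp-login.php HTTP/1.1" 200 2341')
    lines.append('10.0.0.7 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 5123')
    lines.append('10.0.0.7 - - [10/Oct/2023:13:57:01 +0000] "GET /missing.png HTTP/1.1" 404 196')
    return lines

SAMPLE_LOG = _sample_lines()

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def detect(lines, notfound_threshold=20, login_threshold=5):
    """Return sorted (finding, client_ip, count) tuples for clients that exceed
    the 404 threshold (directory/file brute-forcing) or the login-attempt
    threshold (credential brute-forcing)."""
    notfound = defaultdict(int)
    login_attempts = defaultdict(int)
    for rec in parse(lines):
        if rec["status"] == "404":
            notfound[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATHS):
            login_attempts[rec["ip"]] += 1
    findings = []
    for ip, n in notfound.items():
        if n >= notfound_threshold:
            findings.append(("dir_bruteforce", ip, n))
    for ip, n in login_attempts.items():
        if n >= login_threshold:
            findings.append(("login_bruteforce", ip, n))
    return sorted(findings)

if __name__ == "__main__":
    for kind, ip, count in detect(SAMPLE_LOG):
        print(f"{kind}: {ip} ({count} requests)")
```

In production the counts would be kept per time window rather than over the whole file, and the thresholds tuned against the site's normal 404 rate; the normal visitor 10.0.0.7 with a single missing image stays below both thresholds.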
WMAP web application scanner
msf5 > load wmap
# Add a site
msf5 > wmap_sites -a http://192.168.172.131
# List the added sites
msf5 > wmap_sites -l
# Add a target
msf5 > wmap_targets -t http://192.168.172.131/mutillidae/index.php
# List the added targets
msf5 > wmap_targets -l
# Show the available modules
msf5 > wmap_run -t
# Run the scan
msf5 > wmap_run -e
# List the discovered vulnerabilities
msf5 > wmap_vulns -l
Nessus
- Start
service nessusd start
A simple port-scan policy already exists.
Load the nessus plugin in msf:
msf6 > load nessus
Show help:
msf6 > nessus_help
Connect to Nessus:
msf6 > nessus_connect admin:admin@127.0.0.1:8834 ssl_verify
List the policies:
msf6 > nessus_policy_list
Create a new scan:
# nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>
msf6 > nessus_scan_new bbd4f805-3966-d464-b2d1-0079eb89d69708c3a05ec2812bcf XP XP 192.168.172.133
List the scans:
msf6 > nessus_scan_list
Launch the scan task:
msf6 > nessus_scan_launch 5