1.DNS和IP挖掘目标信息
1.1 whois域名注册信息查询
root@kali:~# whois 0xdawn.cn
1.2 nslookup与dig域名查询
root@kali:~# nslookup
> set type=A //查询A记录，将域名解析为IPv4地址
> www.0xdawn.cn
root@kali:~# dig @dns19.hichina.com 0xdawn.cn
1.3 IP to Location地理位置查询
1.4 IP to Domain反查域名
https://www.webscan.cc
https://www.ip-adress.com/reverse-ip-lookup
1.5 子域名挖掘
Sublist3r、Layer子域名挖掘机
root@kali:~/tools/Sublist3r# python sublist3r.py -v -d baidu.com
2.搜索引擎
2.1 Google Hacking
| 关键字 | 说明 |
|---|---|
Site | 指定域名 |
Inurl | URL中存在关键字的网页 |
Intext | 网页正文中的关键字 |
Filetype | 指定文件类型 |
Intitle | 网页标题中的关键字 |
link | 返回和指定url做了链接的url |
Info | 查找指定站点的一些基本信息 |
cache | 搜索Google里关于某些内容的缓存 |
2.2 探索网站目录结构
dirsearch
root@kali:~/tools/dirsearch# python3 dirsearch.py -u "http://www.0xdawn.cn" -e*
msfconsole
msf5 > use auxiliary/scanner/http/dir_scanner
msf5 auxiliary(scanner/http/dir_scanner) > set THREADS 50
THREADS => 50
msf5 auxiliary(scanner/http/dir_scanner) > set RHOSTS www.0xdawn.cn
RHOSTS => www.0xdawn.cn
msf5 auxiliary(scanner/http/dir_scanner) > exploit
2.3 检索特定类型文件
Google查找网站上的一些特定文件,如通讯录等excel文件
site:0xdawn.cn filetype:xls
2.4 搜索网站中的E-mail地址
msfconsole
msf5 > use auxiliary/gather/search_email_collector
msf5 auxiliary(gather/search_email_collector) > set DOMAIN 0xdawn.cn
DOMAIN => 0xdawn.cn
msf5 auxiliary(gather/search_email_collector) > run
3.主机探测与端口扫描
3.1 ICMP Ping命令
root@kali:~# ping -c 5 www.0xdawn.cn //有时也可用于查找真实IP
3.2 Nmap主机探测
root@kali:~# nmap -sP 192.168.0.0/24 //仅发现存活主机
3.3 Metasploit主机发现模块
msf5 > use auxiliary/scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set THREADS 50
THREADS => 50
msf5 auxiliary(scanner/discovery/arp_sweep) > run
3.4 操作系统辨识
root@kali:~# nmap -O 192.168.115.141
3.5 端口扫描与服务类型探测
metasploit中的端口扫描模块
msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.115.141
RHOSTS => 192.168.115.141
msf5 auxiliary(scanner/portscan/syn) > set THREADS 50
THREADS => 50
msf5 auxiliary(scanner/portscan/syn) > run
nmap端口扫描
root@kali:~# nmap -sS -p 0-65535 192.168.115.141
root@kali:~# nmap -sV -p 0-65535 192.168.115.141 //列出服务详细信息
4.服务扫描与查点
Metasploit的Scanner辅助模块中,有很多用于服务扫描和查点的工具
msf5 > search _version
4.1 Telnet服务扫描
msf5 > use auxiliary/scanner/telnet/telnet_version
msf5 auxiliary(scanner/telnet/telnet_version) > set RHOSTS 192.168.115.0/24
RHOSTS => 192.168.115.0/24
msf5 auxiliary(scanner/telnet/telnet_version) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/telnet/telnet_version) > run
探测结果如下:
[+] 192.168.115.140:23 - 192.168.115.140:23 TELNET
4.2 SSH服务扫描与口令猜测
msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.115.0/24
RHOSTS => 192.168.115.0/24
msf5 auxiliary(scanner/ssh/ssh_version) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/ssh/ssh_version) > run
msf5 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.115.140
RHOSTS => 192.168.115.140
msf5 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/piata_ssh_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/piata_ssh_userpass.txt
msf5 auxiliary(scanner/ssh/ssh_login) > exploit
4.3 MySQL数据库服务查点
msf5 > use auxiliary/scanner/mysql/mysql_version
msf5 auxiliary(scanner/mysql/mysql_version) > set RHOSTS 192.168.115.0/24
RHOSTS => 192.168.115.0/24
msf5 auxiliary(scanner/mysql/mysql_version) > set THREADS 50
THREADS => 50
msf5 auxiliary(scanner/mysql/mysql_version) > run
MySQL弱口令猜测
msf5 auxiliary(scanner/mysql/mysql_version) > use auxiliary/scanner/mysql/mysql_login
msf5 auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.115.140
RHOSTS => 192.168.115.140
msf5 auxiliary(scanner/mysql/mysql_login) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/mysql/mysql_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/piata_ssh_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/piata_ssh_userpass.txt
msf5 auxiliary(scanner/mysql/mysql_login) > exploit
4.4 Oracle数据库服务查点
msf5 > use auxiliary/scanner/oracle/tnslsnr_version
msf5 auxiliary(scanner/oracle/tnslsnr_version) > set RHOSTS 192.168.115.0/24
RHOSTS => 192.168.115.0/24
msf5 auxiliary(scanner/oracle/tnslsnr_version) > set THREADS 50
THREADS => 50
msf5 auxiliary(scanner/oracle/tnslsnr_version) > run
4.5 FTP服务扫描与口令猜测
msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.115.0/24
RHOSTS => 192.168.115.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set THREADS 50
THREADS => 50
msf5 auxiliary(scanner/ftp/ftp_version) > run
FTP弱口令猜测
msf5 auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/ftp_login
msf5 auxiliary(scanner/ftp/ftp_login) > set RHOSTS 192.168.115.140
RHOSTS => 192.168.115.140
msf5 auxiliary(scanner/ftp/ftp_login) > set PASS_FILE /root/password
PASS_FILE => /root/password
msf5 auxiliary(scanner/ftp/ftp_login) > set USER_FILE /root/username
USER_FILE => /root/username
msf5 auxiliary(scanner/ftp/ftp_login) > exploit
hydra爆破ftp
root@kali:~# hydra -L /root/username -P /root/password -vV 192.168.115.140 ftp
5.网络漏洞扫描
5.1 nmap常见漏洞扫描
root@kali:~# nmap --script vuln 192.168.115.140
5.2 OpenVAS
5.3 Nessus
5.4 Nmap高级漏洞扫描
nmap-vulners
需先下载脚本到nmap脚本目录
cd /usr/share/nmap/scripts
git clone https://github.com/vulnersCom/nmap-vulners.git
使用方法
root@kali:~# nmap --script=nmap-vulners -sV 192.168.115.140
vulscan
同上
cd /usr/share/nmap/scripts
git clone https://github.com/scipag/vulscan.git
使用方法
nmap --script=vulscan -sV 192.168.115.140
更新配置数据
cd vulscan/utilities/updater
chmod +x updateFiles.sh
./updateFiles.sh