Metasploit Penetration Testing Cookbook, Third Edition. Chapter 2: Information Gathering and Scanning (translation)

Chapter 2: Information Gathering and Scanning

In this chapter, we will cover the following topics:

Passive information gathering with Metasploit

Active information gathering with Metasploit

Port scanning with Nmap

Port scanning with db_nmap

ARP-based host discovery

UDP service probing

SMB scanning and enumeration

SSH version scanning

FTP scanning

SMTP enumeration

SNMP enumeration

HTTP scanning

WinRM scanning and brute forcing

Integrating with Nessus

Integrating with NeXpose

Integrating with OpenVAS

Introduction

Information gathering is one of the first and most important tasks in a penetration test. The goal is to find out as much as possible about the target: the more we know, the better our chances of a successful compromise. In this phase our main job is to collect everything we can about the target machines, such as IP addresses, running services and open ports. This information plays a crucial role throughout the engagement. To that end, this chapter covers a range of scanning techniques, including SMB scanning, SSH service scanning, FTP scanning, SNMP enumeration, HTTP scanning, and WinRM scanning and brute forcing.

There are three main ways to gather information:

1. Passive information gathering: obtaining information about the target without physically connecting to or accessing it, which means relying on third-party sources, such as whois lookups. If our target is an online web service, a whois query can give us its IP addresses, domain registration details, subdomains, server location and so on.

2. Active information gathering: establishing a logical connection with the target to obtain information. This goes a step further and deepens our understanding of the target's security posture. Port scanning is the most common active technique; it probes the target for open ports and running services.

3. Social engineering: similar to passive gathering, but it targets human error, where information leaks through printouts, phone conversations, e-mail and the like. There are many techniques and many different ways of collecting information by this route, so social engineering is a discipline of its own.

Victims of social engineering are tricked into releasing information that they do not realise will be used to attack the corporate network. For example, an employee may be fooled into revealing an employee ID number to someone pretending to be a person she trusts. The number seems worthless to the employee, which makes her more willing to give it up in the first place, but the social engineer can combine it with other collected information to find a way into the corporate network much faster.

1. Passive information gathering with Metasploit

In this chapter we will study passive and active information gathering techniques in detail. We start with the most common, and most often overlooked, passive techniques, and then focus on gathering information through port scanning. Metasploit has several built-in scanners, plus integrations with third-party tools that further extend its port scanning capabilities. We will learn to use the built-in scanners as well as some third-party scanners that work together with the Metasploit Framework. Let's get started.

準備工做

We will start from the company's domain name and gather information about the company, collect subdomains, detect honeypots, harvest e-mail addresses, and more.

How to do it

Metasploit has a number of information gathering modules. In this section we will use a few of them; you are encouraged to explore all of the gathering modules on your own.

DNS record scanning and enumeration

The DNS Record Scanner and Enumerator module gathers information about a domain from a given DNS server by performing various DNS queries, such as zone transfers, reverse lookups, SRV record enumeration and so on.

1. The module lives under auxiliary. Inside msfconsole, we load the module we want with the use command; here that is auxiliary/gather/enum_dns. After use auxiliary/gather/enum_dns, type info to see the module's details, including its authors, description and basic options.

msf5 > use auxiliary/gather/enum_dns //switch to the enum_dns module
msf5 auxiliary(gather/enum_dns) > info //show module information

       Name: DNS Record Scanner and Enumerator
     Module: auxiliary/gather/enum_dns
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>
  Nixawk

Check supported:
  No

Basic options:
  Name         Current Setting                                              Required  Description
  ----         ---------------                                              --------  -----------
  DOMAIN                                                                    yes       The target domain
  ENUM_A       true                                                         yes       Enumerate DNS A record
  ENUM_AXFR    true                                                         yes       Initiate a zone transfer against each NS record
  ENUM_BRT     false                                                        yes       Brute force subdomains and hostnames via the supplied wordlist
  ENUM_CNAME   true                                                         yes       Enumerate DNS CNAME record
  ENUM_MX      true                                                         yes       Enumerate DNS MX record
  ENUM_NS      true                                                         yes       Enumerate DNS NS record
  ENUM_RVL     false                                                        yes       Reverse lookup a range of IP addresses
  ENUM_SOA     true                                                         yes       Enumerate DNS SOA record
  ENUM_SRV     true                                                         yes       Enumerate the most common SRV records
  ENUM_TLD     false                                                        yes       Perform a TLD expansion by replacing the TLD with the IANA TLD list
  ENUM_TXT     true                                                         yes       Enumerate DNS TXT record
  IPRANGE                                                                   no        The target address range or CIDR identifier
  NS                                                                        no        Specify the nameserver to use for queries (default is system DNS)
  STOP_WLDCRD  false                                                        yes       Stops bruteforce enumeration if wildcard resolution is detected
  THREADS      1                                                            no        Threads for ENUM_BRT
  WORDLIST     /usr/share/metasploit-framework/data/wordlists/namelist.txt  no        Wordlist of subdomains

Description:
  This module can be used to gather information about a domain from a
  given DNS server by performing various DNS queries such as zone
  transfers, reverse lookups, SRV record brute forcing, and other
  techniques.

References:
  https://cvedetails.com/cve/CVE-1999-0532/
  OSVDB (492)

msf5 auxiliary(gather/enum_dns) >

2. Set the domain to query and the number of threads, then run it:

msf5 auxiliary(gather/enum_dns) > set DOMAIN packtpub.com  //the domain to query
DOMAIN => packtpub.com
msf5 auxiliary(gather/enum_dns) > set THREADS 10 //number of threads
THREADS => 10
msf5 auxiliary(gather/enum_dns) > run

[*] querying DNS NS records for packtpub.com                                                       
[+] packtpub.com NS: dns3.easydns.org.                                                             
[+] packtpub.com NS: dns4.easydns.info.                                                          
[+] packtpub.com NS: dns1.easydns.com.  
[+] packtpub.com NS: dns2.easydns.net.                
...                                                         
[*] Auxiliary module execution completed                                                                                                                 
msf5 auxiliary(gather/enum_dns) >                  

The output shows the DNS records that were retrieved.

There's more

The DNS enumeration module can also be used for active gathering: set ENUM_BRT to true and it brute-forces subdomains and hostnames from a wordlist, selected with the WORDLIST option. Note the STOP_WLDCRD option: if the domain has a wildcard record, every candidate name resolves and the brute-force results are meaningless, so this option stops the enumeration as soon as wildcard resolution is detected.
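To show why STOP_WLDCRD matters, here is an added example, written for this page rather than taken from the enum_dns module, that implements the same brute-force loop with wildcard detection. The resolver is passed in as a function so the block runs offline against a constructed zone (example.test, FAKE_ZONE and its addresses are invented for the example); pass system_resolve instead to query real DNS.

```python
"""Subdomain brute force with wildcard detection (added example, not the enum_dns module's code)."""
import secrets
import socket


def system_resolve(name):
    """Resolve a hostname with the system resolver; [] when it does not exist."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def detect_wildcard(domain, resolve, rounds=3):
    """Resolve a few random labels under the domain.

    If every one of them resolves to the same answer, the zone has a wildcard
    record and every brute-force candidate will appear to exist. Returns the
    set of wildcard addresses, or None when there is no wildcard.
    """
    answers = set()
    for _ in range(rounds):
        probe = f"{secrets.token_hex(6)}.{domain}"
        addrs = resolve(probe)
        if not addrs:
            return None                  # a random label failed: no wildcard
        answers.add(frozenset(addrs))
    return set(answers.pop()) if len(answers) == 1 else None


def brute_subdomains(domain, wordlist, resolve, stop_on_wildcard=True):
    """Equivalent of ENUM_BRT=true with WORDLIST, honouring STOP_WLDCRD semantics."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    if wildcard and stop_on_wildcard:    # STOP_WLDCRD=true: do not waste queries
        return {"wildcard": sorted(wildcard), "found": found}
    for word in wordlist:
        name = f"{word.strip()}.{domain}"
        addrs = resolve(name)
        # Keep a hit only if it exists and is not merely the wildcard answer.
        if addrs and not (wildcard and set(addrs) == wildcard):
            found[name] = sorted(addrs)
    return {"wildcard": sorted(wildcard) if wildcard else None, "found": found}


# Constructed zone for offline use; the names and addresses are invented.
FAKE_ZONE = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.25"],
    "dev.example.test": ["203.0.113.10"],
    "*.wild.example.test": ["198.51.100.7"],    # wildcard record
    "vpn.wild.example.test": ["198.51.100.9"],  # real host under the wildcard zone
}


def fake_resolve(name):
    """Offline stand-in for system_resolve that honours one level of wildcard."""
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    parent = name.split(".", 1)[1]
    return list(FAKE_ZONE.get("*." + parent, []))


if __name__ == "__main__":
    words = ["www", "mail", "ftp", "dev", "vpn", "intranet"]
    print(brute_subdomains("example.test", words, fake_resolve))
    print(brute_subdomains("wild.example.test", words, fake_resolve))
    print(brute_subdomains("wild.example.test", words, fake_resolve, stop_on_wildcard=False))
```

The wildcard check resolves a few random labels first: if they all come back with the same answer, every wordlist entry would appear to exist, so the loop either stops (STOP_WLDCRD=true) or keeps only hits whose answer differs from the wildcard address, which is how vpn.wild.example.test still surfaces in the third run.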

CorpWatch company name lookup

Gathering information about the company itself is also essential. The CorpWatch Company Name Information Search module, auxiliary/gather/corpwatch_lookup_name, retrieves the company's name, address, sector and industry. It talks to the CorpWatch API to fetch publicly available information for a given company name.

API key registration: api.corpwatch.org

Switch to the auxiliary/gather/corpwatch_lookup_name module, set the company name and the number of results to display:

msf5 > use auxiliary/gather/corpwatch_lookup_name 
msf5 auxiliary(gather/corpwatch_lookup_name) > set COMPANY_NAME Microsoft
COMPANY_NAME => Microsoft
msf5 auxiliary(gather/corpwatch_lookup_name) > set LIMIT 1
LIMIT => 1
msf5 auxiliary(gather/corpwatch_lookup_name) > run

[*] Company Information
---------------------------------
[*] CorpWatch (cw) ID): cw_4803
[*] Company Name: MICROSOFT CORP
[*] Address: ONE MICROSOFT WAY, REDMOND WA 98052-6399
[*] Sector: Business services
[*] Industry: Services-prepackaged software
[*] Auxiliary module execution completed
msf5 auxiliary(gather/corpwatch_lookup_name) > 

Tip: this site is blocked in mainland China, so a proxy must be configured to use the service.

Search engine subdomain collector

Collecting subdomains is a good way to find new targets. We can use the search engine subdomain collector module for this.

Module name: auxiliary/gather/searchengine_subdomains_collector

It uses Yahoo and Bing to collect subdomain information for a domain.

Switch to the module, set the domain to query, and run it:

msf5 > use auxiliary/gather/searchengine_subdomains_collector
msf5 auxiliary(gather/searchengine_subdomains_collector) > set TARGET packtpub.com
TARGET => packtpub.com
msf5 auxiliary(gather/searchengine_subdomains_collector) > run

[*] Searching Bing for subdomains from domain:packtpub.com
[*] Searching Yahoo for subdomains from domain:packtpub.com
[+] domain:packtpub.com subdomain: subscription.packtpub.com
[*] Searching Bing for subdomains from ip:54.171.32.62
[*] Searching Yahoo for subdomains from ip:54.171.32.62
[+] ip:54.171.32.62 subdomain: niobase.com
[+] ip:54.171.32.62 subdomain: demandpeoples.vote
[*] Searching Bing for subdomains from ip:34.240.217.226
[-] ip:34.240.217.226 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from ip:34.240.217.226
[+] ip:34.240.217.226 subdomain: www.snp.org
[+] ip:34.240.217.226 subdomain: answerthepublic.com
[*] Searching Bing for subdomains from ip:34.243.45.171
[-] ip:34.243.45.171 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from ip:34.243.45.171
[*] Searching Bing for subdomains from ip:34.248.41.77
[*] Searching Yahoo for subdomains from ip:34.248.41.77
[+] ip:34.248.41.77 subdomain: www.buzzi.space
[+] ip:34.248.41.77 subdomain: www.bookishfirst.com
[+] ip:34.248.41.77 subdomain: www.vizlib.com
[+] ip:34.248.41.77 subdomain: www.alphacodeincubate.club
[+] ip:34.248.41.77 subdomain: www.appliedmldays.org
[+] ip:34.248.41.77 subdomain: www.accessable.co.uk
[*] Searching Bing for subdomains from ip:34.254.137.88
[-] ip:34.254.137.88 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from ip:34.254.137.88

With this module we have collected some new targets. Note that the module also pivots on each discovered IP address and reports every hostname the search engines associate with it; on shared hosting those names (niobase.com, www.snp.org and the others above) belong to other tenants rather than to the target, so validate them before treating them as in scope.

We have now used a few basic modules; let's move on to some more powerful tools.

Censys search

Censys is a search engine for Internet-connected devices. It scans hosts and websites on the Internet daily with ZMap and ZGrab, continuously monitoring every server and device reachable on the Internet.

We can use the Censys Search module to query information through the Censys REST API, which can retrieve information on more than a million websites and devices.

Tip: to use the Censys Search module, register at https://censys.io to obtain an API ID and secret.

msf5 > use auxiliary/gather/censys_search
msf5 auxiliary(gather/censys_search) > set CENSYS_DORK packtpub.com //search term (the target site)
CENSYS_DORK => packtpub.com
msf5 auxiliary(gather/censys_search) > set CENSYS_SEARCHTYPE ipv4 //search type
CENSYS_SEARCHTYPE => ipv4
msf5 auxiliary(gather/censys_search) > set CENSYS_SECRET l5xZ******Z4xzVmIPZ0P //Censys API secret
CENSYS_SECRET => l5xZa0zJ*******VlCZ4xzVmIPZ0P
msf5 auxiliary(gather/censys_search) > set CENSYS_UID 24d813a********c1b3e80c9e //Censys API ID
CENSYS_UID => 24d813a******2-89c1b3e80c9e
msf5 auxiliary(gather/censys_search) > run

[+] 109.234.207.108 - 443/https,80/http
[+] 109.234.207.108 - 443/https,80/http
[+] 34.253.81.66 - 443/https,80/http
[+] 34.253.81.66 - 443/https,80/http
[+] 123.252.235.122 - 443/https
[+] 109.234.200.116 - 443/https
[+] 83.166.169.240 - 443/https,22/ssh,80/http
......
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 172.104.243.217 - 80/http
[+] 66.42.34.69 - 443/https,80/http
[+] 66.42.34.69 - 443/https,80/http
[*] Auxiliary module execution completed
msf5 auxiliary(gather/censys_search) > 

We collected a large number of IP addresses and open ports.

Shodan search engine

Shodan is a paid search engine for Internet-connected devices. It lets you search service banners and device metadata such as location, hostname and operating system.

Tip: likewise, to use the Shodan search module you must first register at the Shodan website (www.shodan.io) to obtain an API key.

msf5 > use auxiliary/gather/shodan_search 
msf5 auxiliary(gather/shodan_search) > set QUERY hostname:packtpub.com //search query for the target
QUERY => hostname:packtpub.com
msf5 auxiliary(gather/shodan_search) > set SHODAN_APIKEY SDaE*******ABKTxJ3 //Shodan API key
SHODAN_APIKEY => SDaEijF******dudxCABKTxJ3
msf5 auxiliary(gather/shodan_search) > run

[*] Total: 3 on 1 pages. Showing: 1 page(s)
[*] Collecting data, please wait...

Search Results
==============

 IP:Port             City        Country         Hostname
 -------             ----        -------         --------
 83.166.169.228:80   Nottingham  United Kingdom  packtpub.com
 83.166.169.248:443  Nottingham  United Kingdom  imap.packtpub.com
 83.166.169.248:80   Nottingham  United Kingdom  imap.packtpub.com

[*] Auxiliary module execution completed

The Shodan search module turns up more information about the target, such as IP addresses, open ports and location.

Shodan honeypot check

Checking whether a target is a honeypot saves us from wasting time on it, or from getting blocked for attacking it. The Shodan Honeyscore Client module uses Shodan to determine whether a target is a honeypot. It returns a score between 0 and 1; a score of 1 means the host is a honeypot.

msf5 > use auxiliary/gather/shodan_honeyscore 
msf5 auxiliary(gather/shodan_honeyscore) > set SHODAN_APIKEY SDa******CABKTxJ3
SHODAN_APIKEY => SDaEij*****xCABKTxJ3
msf5 auxiliary(gather/shodan_honeyscore) > set TARGET 83.166.169.248
TARGET => 83.166.169.248
msf5 auxiliary(gather/shodan_honeyscore) > run

[*] Scanning 83.166.169.248
[-] 83.166.169.248 is not a honeypot
[*] 83.166.169.248 honeyscore: 0.0/1.0
[*] Auxiliary module execution completed
msf5 auxiliary(gather/shodan_honeyscore) > 

E-mail address harvesting

Harvesting e-mail addresses is a common part of a penetration test. It reveals the target's footprint on the Internet and supplies material for later brute-force attacks and phishing campaigns.

We can use the auxiliary/gather/search_email_collector module, which uses search engines to harvest e-mail addresses related to the target.

msf5 > use auxiliary/gather/search_email_collector 
msf5 auxiliary(gather/search_email_collector) > set DOMAIN packtpub.com
DOMAIN => packtpub.com
msf5 auxiliary(gather/search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from packtpub.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from packtpub.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from packtpub.com
[*] Extracting emails from Yahoo search results...
[*] Located 3 email addresses for packtpub.com
....
[*] Auxiliary module execution completed

The output shows that the module queries Google, Bing and Yahoo for e-mail addresses associated with the target.

2. Active information gathering with Metasploit

Active information gathering is usually done by scanning. From this step onwards we establish a logical connection directly with the target.

Port scanning is an interesting information gathering process that involves a deeper probe of the target system, but because active port scanning touches the target directly, it may be detected by firewalls and intrusion detection systems.

How to do it

The Metasploit Framework provides a variety of port scanning modules that allow us to probe target systems accurately. We can list them with the search portscan command.

msf5 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   1  auxiliary/scanner/http/wordpress_pingback_access                   normal  Yes    Wordpress Pingback Locator
   2  auxiliary/scanner/natpmp/natpmp_portscan                           normal  Yes    NAT-PMP External Port Scanner
   3  auxiliary/scanner/portscan/ack                                     normal  Yes    TCP ACK Firewall Scanner
   4  auxiliary/scanner/portscan/ftpbounce                               normal  Yes    FTP Bounce Port Scanner
   5  auxiliary/scanner/portscan/syn                                     normal  Yes    TCP SYN Port Scanner
   6  auxiliary/scanner/portscan/tcp                                     normal  Yes    TCP Port Scanner
   7  auxiliary/scanner/portscan/xmas                                    normal  Yes    TCP "XMas" Port Scanner
   8  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner

TCP port scan

Let's start with the TCP port scanner module and see what information we can get about the target.

The module we will use is auxiliary/scanner/portscan/tcp.

Tip: we run this module against the network of our penetration testing lab. Comply with local laws and regulations, and do not scan Internet devices without authorisation.

msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.177.0/24 //target network
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/portscan/tcp) > set THREADS 100 //number of threads
THREADS => 100
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.177.1:        - 192.168.177.1:22 - TCP OPEN
[+] 192.168.177.1:        - 192.168.177.1:21 - TCP OPEN

Tip: scanner modules generally take RHOSTS, an address range or CIDR block covering a whole network, rather than RHOST, a single host.

When using a Metasploit module, show options lists all configurable options, and show missing lists the required options that are still unset.

msf5 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > show missing

Module options (auxiliary/scanner/portscan/tcp):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier

msf5 auxiliary(scanner/portscan/tcp) > 

TCP SYN scan

Compared with a plain TCP connect scan, a SYN scan is faster because it does not complete the TCP three-way handshake, and it can to some extent evade firewalls and intrusion detection systems.

The module is auxiliary/scanner/portscan/syn. When using it, specify the port range and the network interface; because it crafts raw packets, it must run with the privileges needed to send them (root on Linux).

msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set INTERFACE eth0 //network interface
INTERFACE => eth0
msf5 auxiliary(scanner/portscan/syn) > set PORTS 1-10000 //port range
PORTS => 1-10000
msf5 auxiliary(scanner/portscan/syn) > set THREADS 256 //number of threads
THREADS => 256
msf5 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.177.0/24 //target network
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/portscan/syn) > run

3. Port scanning: the Nmap way

Nmap is the powerful network scanner of choice for security professionals. We will look at Nmap's scanning techniques in detail, from basic to advanced.

準備工做

You can run Nmap directly from msfconsole, but if you want the results in the Metasploit database you must write an XML report with the -oX option and then import it with the db_import command.
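The XML written by -oX is just as usable outside Metasploit. The following is an added example, my own code rather than anything from the book or from db_import, that parses an Nmap XML report into host and service records shaped like the hosts and services tables in msfconsole. The embedded report is constructed for the example (it is not a real scan file, though its ports and banners copy the 192.168.177.144 results shown later in this chapter), so the block runs offline.

```python
"""Parse an Nmap -oX report into host/service records (added example, not db_import's code)."""
import xml.etree.ElementTree as ET

# Constructed Nmap XML report (not a real scan file); the ports and banners mirror
# the 192.168.177.144 results shown later in this chapter.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -oX scan.xml 192.168.177.144" version="7.70">
 <host>
  <status state="up" reason="arp-response"/>
  <address addr="192.168.177.144" addrtype="ipv4"/>
  <address addr="00:0C:29:D7:02:F6" addrtype="mac" vendor="VMware"/>
  <hostnames><hostname name="metasploitable3" type="user"/></hostnames>
  <ports>
   <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
    <service name="ftp" product="Microsoft ftpd" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="7.1" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
    <service name="http" product="Microsoft IIS httpd" version="7.5" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/></port>
   <port protocol="udp" portid="137"><state state="open" reason="udp-response"/>
    <service name="netbios-ns" method="table" conf="3"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="90"/></os>
 </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text, states=("open",)):
    """Return one dict per live <host>, keeping only ports in the given states."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        entry = {"address": None, "mac": None, "name": None, "os": None, "services": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr")
            else:
                entry["address"] = addr.get("addr")
        hostname = host.find("hostnames/hostname")
        if hostname is not None:
            entry["name"] = hostname.get("name")
        osmatch = host.find("os/osmatch")
        if osmatch is not None:
            entry["os"] = osmatch.get("name")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") not in states:
                continue
            svc = port.find("service")
            # Build the same free-text info column that Metasploit's services table shows.
            info = " ".join(
                svc.get(k) for k in ("product", "version", "extrainfo")
                if svc is not None and svc.get(k)
            )
            entry["services"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "info": info,
            })
        hosts.append(entry)
    return hosts


def services_table(hosts):
    """Flatten to (host, port, proto, name, info) rows, like msfconsole's services command."""
    return sorted(
        (h["address"], s["port"], s["proto"], s["name"], s["info"])
        for h in hosts for s in h["services"]
    )


if __name__ == "__main__":
    for row in services_table(parse_nmap_xml(SAMPLE_XML)):
        print("%-16s %5d/%s  %-11s %s" % row)
```

Filtered ports are dropped by default, which matches what --open does on the Nmap side; pass states=("open", "filtered") to keep them, for instance when you want a record of what a firewall hid.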

How to do it

1. Start msfconsole and type nmap:

msf5 > nmap
[*] exec: nmap

Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping

2. Run a TCP connect scan with the -sT option. This is the most basic scan type, and Nmap's default when it is not run with the privileges needed for raw packets; it completes the TCP three-way handshake to detect ports on the target machine.

msf5 > nmap -sT 192.168.177.144                                              
[*] exec: nmap -sT 192.168.177.144                                           
                                                                             
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:20 CST              
Nmap scan report for 192.168.177.144                                         
Host is up (0.00044s latency).                                               
Not shown: 990 filtered ports                                                
PORT      STATE SERVICE                                                      
21/tcp    open  ftp                                                          
22/tcp    open  ssh                                                          
80/tcp    open  http                                                         
4848/tcp  open  appserv-http                                                 
8022/tcp  open  oa-system                                                    
8080/tcp  open  http-proxy                                                   
8383/tcp  open  m2mservices                                                  
9200/tcp  open  wap-wsp                                                      
49153/tcp open  unknown                                                      
49154/tcp open  unknown                                                      
MAC Address: 00:0C:29:D7:02:F6 (VMware)                                      
                                                                             
Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds                  
msf5 >                                                                       

Tip: when no port range is specified, Nmap scans the 1000 most common ports by default.

3. Run a TCP SYN scan with the -sS option. A SYN scan does not complete the TCP three-way handshake, so it is also called a half-open scan, and it is considered a relatively stealthy technique.

msf5 > nmap -sS 192.168.177.144 -p 22-5000
[*] exec: nmap -sS 192.168.177.144 -p 22-5000

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:29 CST
Nmap scan report for 192.168.177.144
Host is up (0.00037s latency).
Not shown: 4975 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1617/tcp open  nimrod-agent
4848/tcp open  appserv-http
MAC Address: 00:0C:29:D7:02:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds
msf5 >

In most cases the TCP connect scan and the SYN scan give similar results; the only difference is that the SYN scan is harder for firewalls and IDSs to detect, although nearly all modern firewalls catch SYN scans. The -p option sets the port range we want to scan.

4. A UDP scan uses the -sU option to identify open UDP ports on the target. The scanner sends an empty UDP datagram (no payload) to each port and relies mainly on ICMP responses to decide whether the port is open.

msf5 > nmap -sU 192.168.177.144
[*] exec: nmap -sU 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:36 CST
Nmap scan report for 192.168.177.144
Host is up (0.00035s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 00:0C:29:D7:02:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 16.36 seconds
msf5 >

Tip: when no port range is specified, the 1000 most common UDP ports are scanned by default.

How it works

We looked at three different Nmap scan types that are very useful in penetration testing. Nmap offers many more scan types; here we focus on these three: the TCP connect scan, the stealthy SYN scan and the UDP scan. Nmap's scan options can be combined for more advanced and sophisticated scans of the target.

Scanning yields many useful results in a penetration test. The information gathered forms the basis for everything that follows, so it is strongly recommended that you understand the scan types well. Let's take a closer look at the techniques we just used.

The TCP connect scan is the most basic technique: it establishes a complete TCP connection with the target using the operating system's networking stack. The scanner sends a SYN packet; if the port is open, the target answers with SYN/ACK, and the scanner completes the three-way handshake by sending an ACK. The connection is torn down immediately afterwards. The technique has its advantages, but because the connection is fully established it is easily logged by firewalls, IDSs and the application itself.

The SYN scan is another kind of TCP scan, but it never establishes a complete connection. Rather than using the operating system's networking stack, it generates raw IP packets and watches for the responses. If the port is open, the target answers with SYN/ACK and the scanner replies with RST to abort the handshake; a closed port answers with RST straight away. Hence the name half-open scan. It is considered a stealthy technique that avoids detection by some firewalls and IDSs, and it needs raw-socket privileges to run.

The UDP scan is a connectionless technique, so there is no handshake to observe, and an open service is not obliged to answer an empty probe at all. If the port is closed, the scanner receives an ICMP port unreachable message. If nothing comes back, the scanner can only report the port as open|filtered, because a firewall silently dropping the probe produces exactly the same silence as an open service that does not respond. This is why the UDP scan above shows 999 open|filtered ports and only one confirmed open port, 137/udp, which replied to Nmap's NetBIOS probe.
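To make those three behaviours concrete, here is an added example, written for this page rather than taken from Nmap or the book, that performs a TCP connect scan and a UDP probe with plain Python sockets and classifies the outcome the way Nmap does. run_demo() starts a TCP listener and a UDP responder on loopback and picks a closed port for each protocol, so it runs offline with no privileges; the SYN scan is left out on purpose, since it needs raw sockets and root. Whether the closed UDP port reports closed or open|filtered depends on the host generating ICMP port unreachable on loopback, which Linux does.

```python
"""TCP connect and UDP probe port states with plain sockets (added example, not Nmap's code)."""
import socket
import threading


def tcp_connect_scan(host, port, timeout=1.0):
    """Like nmap -sT: let the OS complete the three-way handshake, then drop it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # SYN -> SYN/ACK -> ACK, completed by the kernel
        return "open"
    except ConnectionRefusedError:
        return "closed"                # the target answered our SYN with RST
    except socket.timeout:
        return "filtered"              # nothing came back: dropped in transit
    finally:
        s.close()                      # tear the connection down right after the handshake


def udp_probe(host, port, timeout=1.0):
    """Like nmap -sU: send an empty datagram and interpret silence or an ICMP error."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # a connected UDP socket has ICMP errors reported to it
        s.send(b"")                    # empty probe, as Nmap sends for most ports
        s.recv(1024)
        return "open"                  # a service answered the probe
    except ConnectionRefusedError:
        return "closed"                # kernel relayed ICMP port unreachable (type 3, code 3)
    except socket.timeout:
        return "open|filtered"         # silence: open but quiet, or dropped by a firewall
    finally:
        s.close()


def _free_port(kind):
    """Have the kernel pick a free port, release it, and use it as a 'closed' port."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Scan loopback services started for the demo; returns the four observed states."""
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(1)
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind(("127.0.0.1", 0))

    def udp_responder():               # a UDP service that answers probes, like NetBIOS on 137
        data, peer = udp_srv.recvfrom(1024)
        udp_srv.sendto(b"pong", peer)

    threading.Thread(target=udp_responder, daemon=True).start()
    try:
        return {
            "tcp_open": tcp_connect_scan("127.0.0.1", tcp_srv.getsockname()[1]),
            "tcp_closed": tcp_connect_scan("127.0.0.1", _free_port(socket.SOCK_STREAM)),
            "udp_open": udp_probe("127.0.0.1", udp_srv.getsockname()[1]),
            "udp_closed": udp_probe("127.0.0.1", _free_port(socket.SOCK_DGRAM)),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()


if __name__ == "__main__":
    for name, state in run_demo().items():
        print("%-10s %s" % (name, state))
```

The "filtered" branch of tcp_connect_scan never fires on loopback, because nothing drops packets there; against a real firewall that silently discards SYNs it is the branch you will see most, and it is the reason Nmap's "Not shown: 990 filtered ports" line is worth reading rather than skipping.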

There's more

Let's explore Nmap further and learn how to combine the different scan types.

Operating system and version detection

Besides port scanning, Nmap offers advanced options that help us gather more information about the target. One of the most widely used is the operating system detection option, -O, which helps identify the target's operating system.

The result of an OS detection scan looks like this:

msf5 > nmap -O 192.168.177.144
[*] exec: nmap -O 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:12 CST
Nmap scan report for 192.168.177.144
Host is up (0.00035s latency).
Not shown: 990 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
4848/tcp  open  appserv-http
8022/tcp  open  oa-system
8080/tcp  open  http-proxy
8383/tcp  open  m2mservices
9200/tcp  open  wap-wsp
49153/tcp open  unknown
49154/tcp open  unknown
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone
Running: Microsoft Windows 2008|8.1|7|Phone|Vista
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.51 seconds

As you can see, Nmap identified the target's operating system family. Note the warning, though: because it found no closed port to compare against, the fingerprint is a loose match across several Windows versions rather than a precise one, so it is worth cross-checking against service version detection and against the SMB version scanner later in this chapter.

Another widely used advanced option is service version detection for open ports, -sV. It can be combined with the scan options seen earlier.

msf5 > nmap -sV 192.168.177.144
[*] exec: nmap -sV 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:17 CST
Nmap scan report for 192.168.177.144
Host is up (0.00043s latency).
Not shown: 990 filtered ports
PORT      STATE SERVICE           VERSION
21/tcp    open  ftp               Microsoft ftpd
22/tcp    open  ssh               OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http              Microsoft IIS httpd 7.5
4848/tcp  open  ssl/appserv-http?
8022/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
8080/tcp  open  http              Sun GlassFish Open Source Edition  4.0
8383/tcp  open  ssl/http          Apache httpd
9200/tcp  open  http              Elasticsearch REST API 1.1.1 (name: Turac; Lucene 4.7)
49153/tcp open  msrpc             Microsoft Windows RPC
49154/tcp open  msrpc             Microsoft Windows RPC
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.54 seconds
msf5 >

Stealth scanning

Sometimes a scan has to be carried out discreetly. By default, firewall and IDS logs record your IP address; Nmap's -D option adds decoys to muddy the picture.

This option does not stop the firewall or IDS from logging your IP; it only adds confusion by including other IP addresses, so that the target sees the scan coming from several sources. For example, with two decoy IPs, the firewall or IDS logs show packets from three different addresses: yours and the two fake ones.

msf5 > nmap -sT 192.168.177.144 -D 192.168.177.34,192.168.177.56

In this example the addresses after -D are decoys. They appear alongside your real IP address in the target's network logs, which makes it harder for the administrator to tell which of the three sources is real. Do not add too many decoys, as that slows the scan and can affect its accuracy; a modest number of addresses is enough.

4. Port scanning: the db_nmap way

The advantage of db_nmap is that the results are stored directly in the Metasploit database, with no need for db_import.

準備工做

The db_nmap command is part of msfconsole, so you only need to start msfconsole and use it. Its arguments are the same as those of nmap on the command line.

How to do it

In Chapter 1 we covered the basic use of db_nmap, so now we will look at some of its more advanced features. The following example shows how to use some of them.

msf5 > db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 192.168.177.144 -p -

-Pn: skip host discovery

-sTV: TCP connect scan plus service version detection on open ports

-T4: timing template, speeds up the scan

--open: show only open ports

--min-parallelism: minimum number of parallel probes

--version-all: try every version probe against every port, to get the most specific service version

-p -: scan all ports (1-65535)

The output is as follows:

msf5 > db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 192.168.177.144 -p -
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:41 CST
[*] Nmap: Nmap scan report for 192.168.177.144
[*] Nmap: Host is up (0.00059s latency).
[*] Nmap: Not shown: 65516 filtered ports
[*] Nmap: Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
[*] Nmap: PORT      STATE SERVICE           VERSION
[*] Nmap: 21/tcp    open  ftp               Microsoft ftpd
[*] Nmap: 22/tcp    open  ssh               OpenSSH 7.1 (protocol 2.0)
[*] Nmap: 80/tcp    open  http              Microsoft IIS httpd 7.5
[*] Nmap: 1617/tcp  open  rmiregistry       Java RMI
[*] Nmap: 4848/tcp  open  ssl/appserv-http?
[*] Nmap: 5985/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: 8020/tcp  open  http              Apache httpd
[*] Nmap: 8022/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: 8027/tcp  open  unknown
[*] Nmap: 8080/tcp  open  http              Sun GlassFish Open Source Edition  4.0
[*] Nmap: 8282/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: 8383/tcp  open  ssl/http          Apache httpd
[*] Nmap: 8484/tcp  open  http              Jetty winstone-2.8
[*] Nmap: 8585/tcp  open  http              Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
[*] Nmap: 9200/tcp  open  http              Elasticsearch REST API 1.1.1 (name: Turac; Lucene 4.7)
[*] Nmap: 49153/tcp open  msrpc             Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc             Microsoft Windows RPC
[*] Nmap: 49207/tcp open  rmiregistry       Java RMI
[*] Nmap: 49209/tcp open  tcpwrapped
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 593.00 seconds
msf5 >

Nmap Scripting Engine

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features; it turns Nmap into a vulnerability scanner. NSE ships with more than 600 scripts in several categories, from non-intrusive checks to intrusive ones such as brute forcing, exploitation and denial of service. On Kali you can find the scripts in /usr/share/nmap/scripts, or find them with locate *.nse.

root@osboxes:~# locate *.nse
/usr/share/nmap/scripts/targets-xml.nse
/usr/share/nmap/scripts/teamspeak2-version.nse
/usr/share/nmap/scripts/telnet-brute.nse
/usr/share/nmap/scripts/telnet-encryption.nse
/usr/share/nmap/scripts/telnet-ntlm-info.nse
/usr/share/nmap/scripts/tftp-enum.nse
/usr/share/nmap/scripts/tls-alpn.nse
/usr/share/nmap/scripts/tls-nextprotoneg.nse
/usr/share/nmap/scripts/tls-ticketbleed.nse
/usr/share/nmap/scripts/tn3270-screen.nse
/usr/share/nmap/scripts/tor-consensus-checker.nse
/usr/share/nmap/scripts/traceroute-geolocation.nse
/usr/share/nmap/scripts/tso-brute.nse
/usr/share/nmap/scripts/tso-enum.nse
/usr/share/nmap/scripts/unittest.nse
/usr/share/nmap/scripts/unusual-port.nse

The usage is as follows:

nmap --script <scriptname> <host ip>

The same works with db_nmap. Let's use NSE scripts to look for HTTP/HTTPS vulnerabilities on the target:

msf5 > db_nmap --open -sTV -Pn -p 80,8020,8022,8080,8282,8383,8484,8585,9200 --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,ssl-poodle,ssl-heartbleed,http-webdav-scan,http-iis-webdav-vuln 192.168.177.144
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 14:03 CST
[*] Nmap: Nmap scan report for 192.168.177.144
[*] Nmap: Host is up (0.00052s latency).
[*] Nmap: PORT     STATE SERVICE  VERSION
[*] Nmap: 80/tcp   open  http     Microsoft IIS httpd 7.5
[*] Nmap: | http-methods:
[*] Nmap: |   Supported Methods: OPTIONS TRACE GET HEAD POST
[*] Nmap: |_  Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Microsoft-IIS/7.5
[*] Nmap: | http-vhosts:
[*] Nmap: |_127 names had status 200
[*] Nmap: 8020/tcp open  http     Apache httpd
[*] Nmap: |_http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
[*] Nmap: | http-methods:
[*] Nmap: |   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
[*] Nmap: |_  Potentially risky methods: PUT DELETE
[*] Nmap: |_http-server-header: Apache
[*] Nmap: | http-vhosts:

The output shows that some of the target's HTTP/HTTPS services allow dangerous methods such as PUT, DELETE and TRACE.
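The heart of that http-methods check is an OPTIONS request and a look at the Allow header. The following added example (my code, not the NSE script) does exactly that and flags the methods that deserve a second look; run_demo() starts a small lab HTTP server on loopback that advertises PUT and DELETE, like the Apache on port 8020 above, so the block runs offline. The RISKY set is this example's own choice of methods to flag, not the script's list.

```python
"""HTTP method probing via OPTIONS (added example, not the http-methods NSE script)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods worth flagging when a server advertises them (this list is the example's own).
RISKY = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH", "PROPFIND", "MOVE", "COPY"}


def probe_methods(host, port, path="/", timeout=3.0):
    """Send OPTIONS and parse the Allow header; returns status, methods and the risky subset."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        allow = resp.getheader("Allow") or ""
        resp.read()                    # drain the body so the connection closes cleanly
    finally:
        conn.close()
    methods = sorted({m.strip().upper() for m in allow.split(",") if m.strip()})
    return {"status": resp.status, "methods": methods, "risky": sorted(set(methods) & RISKY)}


class _LabHandler(BaseHTTPRequestHandler):
    """Constructed lab server that advertises write methods, like the Apache on 8020 above."""
    ALLOW = "GET, HEAD, POST, PUT, DELETE, OPTIONS"

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", self.ALLOW)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):      # keep the demo quiet
        pass


def run_demo():
    """Start the lab server on a free loopback port, probe it, and shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), _LabHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_methods("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    result = run_demo()
    print("Supported methods:", " ".join(result["methods"]))
    print("Potentially risky methods:", " ".join(result["risky"]) or "none")
```

Allow is only what the server claims. The NSE script also tries each method for real, because a front-end proxy can advertise methods the back end rejects or, more dangerously, omit ones it honours, so treat the OPTIONS result as a lead to verify rather than a finding.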

5. ARP-based host discovery

ARP requests can enumerate the live hosts on the local network, which gives us a simple and fast way of identifying targets.

準備工做

When the attacker and the targets are on the same LAN, an ARP scan can be used to discover hosts.

How to do it

1. Use the ARP sweep module (auxiliary/scanner/discovery/arp_sweep), set the target address range and the number of threads, and run it:

msf5 > use auxiliary/scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/discovery/arp_sweep) > run

[+] 192.168.177.1 appears to be up (VMware, Inc.).
[+] 192.168.177.2 appears to be up (VMware, Inc.).
[+] 192.168.177.144 appears to be up (VMware, Inc.).
[+] 192.168.177.254 appears to be up (VMware, Inc.).
[+] 192.168.177.2 appears to be up (VMware, Inc.).
[+] 192.168.177.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/arp_sweep) >

2. If the database is connected, the results are stored in the Metasploit database, and hosts lists the discovered hosts:

msf5 auxiliary(scanner/discovery/arp_sweep) > hosts

Hosts
=====

address          mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---                ----  -------  ---------  -----  -------  ----  --------
34.240.217.226
34.248.41.77
54.171.32.62
192.168.177.1    00:50:56:c0:00:08        Unknown                    device
192.168.177.2    00:50:56:fa:c4:65
192.168.177.139  00:0c:29:c6:a9:e5        Unknown                    device
192.168.177.142  00:0c:29:92:63:8c        Linux               2.6.X  server
192.168.177.144  00:0c:29:d7:02:f6        Unknown                    device
192.168.177.254  00:50:56:ec:3c:cf


6. UDP service identification

The UDP service sweep module lets us detect UDP services on the target systems. Because UDP is connectionless, probing it is harder than TCP; the UDP sweep module helps us find some useful information.

How to do it

Select the auxiliary/scanner/discovery/udp_sweep module, set the target range and run the scan:

msf5 > use auxiliary/scanner/discovery/udp_sweep
msf5 auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/discovery/udp_sweep) > run

[*] Sending 13 probes to 192.168.177.0->192.168.177.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.177.144:137 (METASPLOITABLE3:<20>:U :METASPLOITABLE3:<00>:U :WORKGROUP:<00>:G :00:0c:29:d7:02:f6)
[*] Discovered SNMP on 192.168.177.144:161 (Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free))
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/udp_sweep) >

7. SMB scanning and enumeration

Over the years, the SMB protocol (the network file sharing protocol used by Microsoft Windows) has proved to be one of the most attacked protocols, allowing attackers to enumerate files and users on the target and even to achieve remote code execution.

How to do it

The SMB share enumeration module, which does not require authentication, can help us collect valuable information such as share names and the operating system version.

Module name: auxiliary/scanner/smb/smb_enumshares

msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 192.168.177.144:139   - Login Failed: Unable to Negotiate with remote host
[*] 192.168.177.144:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The SMB share enumeration module is also very useful in later phases of an attack: once credentials are available, it can enumerate shares and, with ShowFiles and SpiderShares set, list their contents. In the run below the attempt on port 139 still fails to negotiate, but the attempt on port 445 succeeds and returns the administrative shares:

msf5 auxiliary(scanner/smb/smb_enumshares) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_enumshares) > set SMBPASS vagrant
SMBPASS => vagrant
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumshares) > set ShowFiles true
ShowFiles => true
msf5 auxiliary(scanner/smb/smb_enumshares) > set SpiderShares true
SpiderShares => true
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 192.168.177.144:139   - Login Failed: Unable to Negotiate with remote host
[+] 192.168.177.144:445   - ADMIN$ - (DS) Remote Admin
[+] 192.168.177.144:445   - C$ - (DS) Default share
[+] 192.168.177.144:445   - IPC$ - (I) Remote IPC
[*] 192.168.177.144:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumshares) >

Metasploit also provides several other SMB scanning modules; let us look at how they are used.

3. The SMB version detection module fingerprints the SMB service and reports the operating system version, host name and workgroup:

msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_version) > run

[+] 192.168.177.144:445   - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:METASPLOITABLE3) (workgroup:WORKGROUP )
[*] 192.168.177.144:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

4. The user enumeration module lists the accounts that exist on the target through the SAM RPC service. It needs valid credentials, supplied with SMBUSER and SMBPASS. Besides the account list, note the policy values at the end of the output: LockoutTries=0 means no account lockout threshold is configured, so the password guessing in the next step will not lock accounts out.

msf5 > use auxiliary/scanner/smb/smb_enumusers
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBPASS vagrant
SMBPASS => vagrant
msf5 auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 192.168.177.144:445   - METASPLOITABLE3 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leah_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.177.144:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) >

5. The SMB login check module tests SMB credentials. Here a single username is tried against every password in PASS_FILE; USER_FILE and USERPASS_FILE take a list of usernames or of user:password pairs instead. The Administrator marker on the successful line means the account has administrative rights on the target.

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_login) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE /root/password.lst
PASS_FILE => /root/password.lst
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.177.144:445   - 192.168.177.144:445 - Starting SMB login bruteforce
[-] 192.168.177.144:445   - 192.168.177.144:445 - Failed: '.\vagrant:admin',
[-] 192.168.177.144:445   - 192.168.177.144:445 - Failed: '.\vagrant:admin123',
[+] 192.168.177.144:445   - 192.168.177.144:445 - Success: '.\vagrant:vagrant' Administrator
[*] 192.168.177.144:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >

6. The MS17-010 (EternalBlue) detection module. It checks for the vulnerability without exploiting it, by sending a named-pipe transaction request and inspecting the SMB status code in the reply, so "likely VULNERABLE" is a fingerprint, not a confirmed exploit:

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.177.144:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.177.144:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >

7. The remaining modules live under auxiliary/scanner/smb/; type the path and press TAB to list them. They are worth working through one by one, but are not covered individually here.

msf5 > use auxiliary/scanner/smb/
use auxiliary/scanner/smb/impacket/dcomexec
use auxiliary/scanner/smb/smb1
use auxiliary/scanner/smb/smb_login
.....

8. SSH Version Scanning and Detection

SSH is a widely used remote login program. It uses strong cryptography to provide authentication and confidentiality. In this section we use the SSH version scanning module to identify the SSH version running on the target and to decide whether it is a version with known vulnerabilities, which we can then exploit.

Getting ready

Earlier scans showed TCP port 22, the default SSH port, open on the target machine. We will use the SSH version detection module to learn which SSH version the target system is running.

How to do it

1. Module name: auxiliary/scanner/ssh/ssh_version

msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/ssh/ssh_version) > run

[+] 192.168.177.144:22    - SSH server version: SSH-2.0-OpenSSH_7.1 ( service.version=7.1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.1 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.177.144:22    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_version) >

RHOSTS can also be set to a network range here to scan an entire subnet.

Once we have the version, we can search for vulnerabilities affecting it. Treat a banner match as a lead rather than proof: many distributions backport security fixes without changing the version number in the banner, and the banner itself can be edited by the administrator, so a vulnerability suggested by the version should be confirmed with a check that actually exercises the flaw.
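An added example (not from the book or from Metasploit) of what to do with the banner once you have it: parse the RFC 4253 identification string into product, version and the same CPE shape ssh_version prints, flag distribution-tagged banners where backports are likely, and compare the version against the fixed version named in an advisory. The banners and the fixed versions used in the demo are sample values; grab_ssh_banner assumes a reachable host and is not exercised offline.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments" CR LF
_IDENT = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
_OPENSSH = re.compile(r"^OpenSSH_(?P<version>\d+\.\d+)(?P<patch>p\d+)?$")
# Distribution tags seen in the comments field; their presence means backported fixes are likely
_DISTRO = re.compile(r"^(Debian|Ubuntu|FreeBSD|Raspbian)-")


@dataclass
class SshBanner:
    protocol: str
    software: str
    comments: Optional[str]
    product: Optional[str]
    version: Optional[Tuple[int, ...]]
    cpe: Optional[str]
    distro_tagged: bool


def parse_ssh_banner(line: str) -> SshBanner:
    """Split an identification string into its parts; only OpenSSH gets a product/CPE here."""
    line = line.rstrip("\r\n")
    m = _IDENT.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    software, comments = m.group("software"), m.group("comments")
    product = version = cpe = None
    o = _OPENSSH.match(software)
    if o:
        product = "OpenSSH"
        version = tuple(int(x) for x in o.group("version").split("."))
        cpe = f"cpe:/a:openbsd:openssh:{o.group('version')}"   # same CPE shape ssh_version emits
    return SshBanner(m.group("proto"), software, comments, product, version, cpe,
                     bool(comments and _DISTRO.match(comments)))


def older_than(banner: SshBanner, fixed: str) -> Optional[bool]:
    """Compare the banner version with the version an advisory names as fixed.
    None when the banner carries no version this parser understands."""
    if banner.version is None:
        return None
    return banner.version < tuple(int(x) for x in fixed.split("."))


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> SshBanner:
    """Servers send their identification string first, so one read is enough."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        line = s.makefile("rb").readline().decode("latin-1")
        s.sendall(b"SSH-2.0-banner-check\r\n")     # identify ourselves before hanging up
    return parse_ssh_banner(line)


if __name__ == "__main__":
    for sample in ("SSH-2.0-OpenSSH_7.1\r\n", "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"):
        b = parse_ssh_banner(sample)
        print(b.cpe, "distro-tagged:", b.distro_tagged, "older than 7.5:", older_than(b, "7.5"))
```

For the Debian-tagged banner the comparison still says "older than 7.5", which is exactly the case where distro_tagged should stop you from filing it as vulnerable on version alone.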

2. To try common passwords against SSH, use the SSH login module. Here USERNAME is a single account and PASS_FILE a wordlist; in this run no password matched, so no success line appears (failed attempts are only printed when VERBOSE is set to true):

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/ssh/ssh_login) > set USERNAME user
USERNAME => user
msf5 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/password.lst
PASS_FILE => /root/password.lst
msf5 auxiliary(scanner/ssh/ssh_login) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

3. If a login succeeds, the module opens a shell session on the target; sessions lists the active sessions and sessions -i <id> interacts with one. Since no login succeeded here, the list is empty:

msf5 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

No active sessions.


9. FTP Scanning

Use the FTP scanning module to run a version scan against every FTP service on the network.

Getting ready

The FTP version scanning module lets us detect which FTP server, and which version of it, is running.

How to do it

1. Use the auxiliary/scanner/ftp/ftp_version module, set the scan range and the thread count, and run the scan:

msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/ftp/ftp_version) > run

[+] 192.168.177.1:21      - FTP Banner: '220 Serv-U FTP Server v15.0 ready...\x0d\x0a'
[+] 192.168.177.144:21    - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] 192.168.177.0/24:21   - Scanned  78 of 256 hosts (30% complete)
[*] 192.168.177.0/24:21   - Scanned 123 of 256 hosts (48% complete)
[*] 192.168.177.0/24:21   - Scanned 125 of 256 hosts (48% complete)
[*] 192.168.177.0/24:21   - Scanned 129 of 256 hosts (50% complete)
[*] 192.168.177.0/24:21   - Scanned 130 of 256 hosts (50% complete)
[*] 192.168.177.0/24:21   - Scanned 255 of 256 hosts (99% complete)
[*] 192.168.177.0/24:21   - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ftp/ftp_version) >

2. As with the earlier scans, the results are saved to the database; the services command shows every service detected so far, including those recorded by previous modules, such as SSH and HTTP on the target:

msf5 auxiliary(scanner/ftp/ftp_version) > services

Services
========

host             port   proto  name              state  info
----             ----   -----  ----              -----  ----
192.168.177.1    21     tcp    ftp               open   220 Serv-U FTP Server v15.0 ready...\x0d\x0a
192.168.177.144  21     tcp    ftp               open   220 Microsoft FTP Service\x0d\x0a
192.168.177.144  22     tcp    ssh               open   SSH-2.0-OpenSSH_7.1
192.168.177.144  80     tcp    http              open   Microsoft IIS httpd 7.5

10. SMTP Enumeration

The SMTP service has two built-in commands that allow user enumeration: VRFY (confirms that a username is valid) and EXPN (shows the actual delivery addresses behind aliases and mailing lists).

Getting ready

The SMTP user enumeration module uses these SMTP commands to build a list of valid users.

How to do it

By default the SMTP enumeration module uses unix_users.txt (located in /usr/share/metasploit-framework/data/wordlists/) as its wordlist; you can also supply your own. Switch to the auxiliary/scanner/smtp/smtp_enum module, set the target and the thread count, and start:

msf5 > use auxiliary/scanner/smtp/smtp_enum
msf5 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.177.145
RHOSTS => 192.168.177.145
msf5 auxiliary(scanner/smtp/smtp_enum) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/smtp/smtp_enum) > run
[*] 192.168.177.145:25    - 192.168.177.145:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.177.145:25    - 192.168.177.145:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] 192.168.177.145:25    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smtp/smtp_enum) >

The output lists the valid SMTP users on the Metasploitable 2 target. Some mail servers answer VRFY with the same 252 reply for every name, or disable VRFY and EXPN altogether; in that case the module cannot tell real users from guesses, so check a name that cannot exist before trusting the list.
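The exchange described above, as an added example that is not part of the book or of the smtp_enum module: a VRFY-based enumerator run against a constructed in-process SMTP server that mimics Postfix's replies (252 for a local user, 550 for an unknown one). It adds the check a practitioner wants before trusting the list: a canary name that should not exist is verified first, and if the server "accepts" it too, the run is reported as unreliable. The account list, host names and reply texts are constructed.

```python
import socket
import threading
from typing import Dict, Iterable, Tuple

KNOWN_USERS = {"postmaster", "www-data", "user"}   # constructed account list for the fake server


def _read_reply(f) -> Tuple[int, str]:
    """Read one SMTP reply, joining continuation lines ('250-...'), and return (code, text)."""
    text = []
    while True:
        line = f.readline().decode("latin-1")
        if not line:
            raise ConnectionError("server closed the connection")
        line = line.rstrip("\r\n")
        text.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), "\n".join(text)


def smtp_vrfy_enum(host: str, port: int, candidates: Iterable[str],
                   helo: str = "probe.local", canary: str = "zq7x_no_such_user_3f9a",
                   timeout: float = 5.0) -> Dict[str, object]:
    """VRFY each candidate. 250/251/252 count as known (Postfix answers 252 for local users),
    550/551/553 as unknown. The canary is checked first: a server that accepts it too is not
    discriminating, and the results are reported as unreliable."""
    codes: Dict[str, int] = {}
    disabled = False
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        code, _ = _read_reply(f)
        if code != 220:
            raise RuntimeError(f"unexpected greeting: {code}")
        s.sendall(f"HELO {helo}\r\n".encode())
        _read_reply(f)
        for user in [canary, *candidates]:
            s.sendall(f"VRFY {user}\r\n".encode())
            code, _ = _read_reply(f)
            if code in (500, 502):           # VRFY not implemented or switched off
                disabled = True
                break
            codes[user] = code
        s.sendall(b"QUIT\r\n")
    accepted = {250, 251, 252}
    canary_code = codes.pop(canary, None)
    reliable = not disabled and canary_code not in accepted
    valid = [u for u, c in codes.items() if c in accepted] if reliable else []
    return {"valid": valid, "reliable": reliable, "codes": codes}


def _serve_fake_smtp(conn: socket.socket, discriminate: bool) -> None:
    """Constructed SMTP server: Postfix-like replies (252 for local users, 550 otherwise),
    or 252 for everything when discriminate is False."""
    f = conn.makefile("rb")
    conn.sendall(b"220 fake.localdomain ESMTP (constructed test server)\r\n")
    while True:
        line = f.readline().decode("latin-1")
        if not line:
            break
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "HELO":
            conn.sendall(b"250 fake.localdomain\r\n")
        elif cmd == "VRFY":
            if arg in KNOWN_USERS or not discriminate:
                conn.sendall(f"252 2.0.0 {arg}\r\n".encode())
            else:
                conn.sendall(b"550 5.1.1 User unknown in local recipient table\r\n")
        elif cmd == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")
    conn.close()


def start_fake_smtp(discriminate: bool = True) -> int:
    """Listen on an ephemeral loopback port, serve one client in a thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_one() -> None:
        conn, _ = srv.accept()
        srv.close()
        _serve_fake_smtp(conn, discriminate)

    threading.Thread(target=accept_one, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_smtp()
    print(smtp_vrfy_enum("127.0.0.1", port, ["postmaster", "nobody_here", "www-data"]))
```

Pointed at a real server, smtp_vrfy_enum("192.168.177.145", 25, names) performs the same exchange; the reliable flag is the thing to look at first, because a list of "valid" users from a server that accepts everything is worthless.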

11. SNMP Enumeration

The Simple Network Management Protocol (SNMP) is used to manage network devices: monitoring device status, interface information, throughput on network interfaces, and so on. An SNMP scanner can reveal a great deal of information about a given system. In this section we will learn how to use it.

Getting ready

Metasploit has a built-in auxiliary module dedicated to scanning SNMP devices. Before attacking SNMP we need to understand it. First, the community string (read-only or read-write) determines what information can be read from, or changed on, the device itself. The Management Information Base (MIB) interface then lets us query the device and extract information.

Tip: If the target is a Windows system with SNMP configured (typically with the default RO/RW community strings), we can extract a great deal of valuable information: system uptime, user names on the system, network configuration, running services and more.

When querying over SNMP, device information is extracted through the MIB API. Metasploit loads a default list of MIBs in its database and uses them to query devices for more information.

How to do it

1. The SNMP login module tests community strings against the target. By default it tries a wordlist of common strings such as public and private, and reports the access level (read-only or read-write) of each one that works:

msf5 > use auxiliary/scanner/snmp/snmp_login
msf5 auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.177.144,145
RHOSTS => 192.168.177.144,145
msf5 auxiliary(scanner/snmp/snmp_login) > run

[+] 192.168.177.144:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/snmp/snmp_login) >

2. The SNMP enumeration module collects information such as open ports, services, host name, user accounts and running processes:
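What "logging in" with a community string amounts to on the wire, as an added example (not from the book or from Metasploit): an SNMPv1 GetRequest for sysDescr.0, the object snmp_login shows as proof, encoded and decoded by hand in BER. The point to see is that the community string sits in the datagram as a plain OCTET STRING, readable by anyone on the path. The GetResponse parsed in the demo is constructed (build_get_response) from the description string shown above rather than captured; snmp_get assumes a reachable agent on UDP/161 and is not run offline.

```python
import socket
from typing import List, Tuple

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-2 system.sysDescr.0, what snmp_login prints as proof


def _length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def ber_int(value: int) -> bytes:
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest. The community string travels as a cleartext OCTET STRING."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + b"\x05\x00"))                 # [[oid, NULL]]
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)  # GetRequest PDU
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)        # version 0 = SNMPv1


def build_get_response(community: str, request_id: int, binds: List[Tuple[str, str]]) -> bytes:
    """GetResponse carrying OCTET STRING values; used here to construct a sample reply."""
    varbinds = tlv(0x30, b"".join(tlv(0x30, ber_oid(o) + tlv(0x04, v.encode())) for o, v in binds))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def parse_tlv(data: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, body, offset just past the element)."""
    tag, ln, off = data[off], data[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + ln], off + ln


def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_get_response(data: bytes):
    """Return (community, request_id, error_status, [(oid, value)]) from a GetResponse."""
    _, msg, _ = parse_tlv(data)
    _, _version, off = parse_tlv(msg)
    _, community, off = parse_tlv(msg, off)
    pdu_tag, pdu, _ = parse_tlv(msg, off)
    if pdu_tag != 0xA2:
        raise ValueError(f"not a GetResponse PDU: tag 0x{pdu_tag:02x}")
    _, rid, off = parse_tlv(pdu)
    _, err, off = parse_tlv(pdu, off)
    _, _idx, off = parse_tlv(pdu, off)
    _, vbl, _ = parse_tlv(pdu, off)
    binds, off = [], 0
    while off < len(vbl):
        _, vb, off = parse_tlv(vbl, off)
        _, oid_body, o2 = parse_tlv(vb)
        vtag, vbody, _ = parse_tlv(vb, o2)
        value = vbody.decode("latin-1") if vtag == 0x04 else vbody   # strings decoded, the rest left raw
        binds.append((decode_oid(oid_body), value))
    return (community.decode("latin-1"), int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), binds)


def snmp_get(host: str, community: str, oid: str = SYS_DESCR, timeout: float = 2.0):
    """One GET over UDP/161; None on timeout, which is also what a wrong community string looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, 42), (host, 161))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_get_response(data)
```

Agents silently drop requests whose community string does not match, so snmp_login's "login" is nothing more than "a GET with this string got an answer"; that is also why guessing community strings over UDP is cheap and why the strings must never be the defaults.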

msf5 > use auxiliary/scanner/snmp/snmp_enum
msf5 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/snmp/snmp_enum) > run
[+] 192.168.177.144, Connected.
[*] System information:
Host IP                       : 192.168.177.144
Hostname                      : metasploitable3
Description                   : Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free)
Contact                       : -
Location                      : -
Uptime snmp                   : 01:18:04.40
Uptime system                 : 01:16:09.69
System date                   : 2019-4-12 16:44:05.7
[*] User accounts:
["sshd"]
["Guest"]
["greedo"]
["vagrant"]
["han_solo"]
["kylo_ren"]
["boba_fett"]
["chewbacca"]
["ben_kenobi"]
.....
[*] Network information:
IP forwarding enabled         : no
Default TTL                   : 128
TCP segments received         : 70121
TCP segments sent             : 70024
TCP segments retrans          : 23
Input datagrams               : 634
Delivered datagrams           : 825
....
[*] Network interfaces:

Interface                     : [ up ] Software Loopback Interface 1
Id                            : 1
Mac Address                   : :::::
....

12. HTTP Scanning

The Hypertext Transfer Protocol (HTTP) is an application-layer protocol and the foundation of communication on the World Wide Web. It is used by countless applications, from Internet of Things (IoT) devices to mobile apps, which makes it a good place to look for vulnerabilities.

Getting ready

The HTTP SSL certificate checker module retrieves and inspects a web server's certificate.

The robots.txt content scanner module looks for a robots.txt file and analyses its contents; the paths a site asks crawlers not to index are often exactly the ones worth a closer look.

If the server allows an unauthorized PUT method, arbitrary web pages can be written into the site's directories, which can lead to execution of malicious code or to the server being filled with junk data, causing a denial of service.

The Jenkins-CI HTTP scanner module enumerates Jenkins-CI servers that do not require authentication.

How to do it

1. Check the target's HTTP SSL certificate. RPORT is set to 8383 because that is where the target's HTTPS service listens; the output gives the certificate's common name and its validity period:

msf5 > use auxiliary/scanner/http/cert
msf5 auxiliary(scanner/http/cert) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/cert) > set RPORT 8383
RPORT => 8383
msf5 auxiliary(scanner/http/cert) > run

[*] 192.168.177.144:8383  - 192.168.177.144 - 'Desktop Central' : '2010-09-08 12:24:44 UTC' - '2020-09-05 12:24:44 UTC'
[*] 192.168.177.144:8383  - Scanned 1 of 1 hosts (100% complete)

2. Check the robots.txt file:

msf5 > use auxiliary/scanner/http/robots_txt
msf5 auxiliary(scanner/http/robots_txt) > set PATH /mutillidae
PATH => /mutillidae
msf5 auxiliary(scanner/http/robots_txt) > set RHOSTS 192.168.177.145
RHOSTS => 192.168.177.145
msf5 auxiliary(scanner/http/robots_txt) > run

[*] [192.168.177.145] /mutillidae/robots.txt found
[+] Contents of Robots.txt:
User-agent: *
Disallow: ./passwords/
Disallow: ./config.inc
Disallow: ./classes/
Disallow: ./javascript/
Disallow: ./owasp-esapi-php/
Disallow: ./documentation/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/robots_txt) >

3. The HTTP writable-path PUT/DELETE file access module uploads (and can delete) content on the web server using PUT and DELETE requests. Note that the check leaves its test file on the server; run the module again with ACTION set to DELETE, or remove the file by hand, once the check is done.

msf5 > use auxiliary/scanner/http/http_put
msf5 auxiliary(scanner/http/http_put) > set PATH /uploads
PATH => /uploads
msf5 auxiliary(scanner/http/http_put) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/http_put) > set RPORT 8585
RPORT => 8585
msf5 auxiliary(scanner/http/http_put) > run

[+] File uploaded: http://192.168.177.144:8585/uploads/msf_http_put_test.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_put) >

4. The Jenkins-CI scanner module. In this run it reports no findings:
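The module above leaves msf_http_put_test.txt on the server. An added example (not from the book or the http_put module) of a writable-path check that cleans up after itself: it PUTs a uniquely named marker, confirms the server actually serves it back (a 201 alone does not prove the file is reachable), then DELETEs it and reports whether the deletion worked. The target here is a constructed in-process HTTP server with one writable directory; the /uploads and /readonly paths are sample values.

```python
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional, Tuple


def _request(method: str, url: str, data: Optional[bytes] = None, timeout: float = 5.0) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "text/plain")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_writable_path(base_url: str, path: str = "/uploads", cleanup: bool = True) -> dict:
    """PUT a uniquely named marker, confirm the server serves it back, then DELETE it.
    A PUT that is accepted but never served is reported as uploaded but not verified."""
    name = f"msf_http_put_test_{secrets.token_hex(4)}.txt"          # unique, so reruns cannot collide
    url = f"{base_url.rstrip('/')}{path}/{name}"
    marker = f"writable-path check {secrets.token_hex(8)}".encode()
    result = {"url": url, "put_status": None, "uploaded": False, "verified": False, "deleted": False}
    result["put_status"], _ = _request("PUT", url, marker)
    if result["put_status"] not in (200, 201, 204):
        return result
    result["uploaded"] = True
    status, body = _request("GET", url)
    result["verified"] = status == 200 and body == marker
    if cleanup:                                                       # do not leave test files behind
        status, _ = _request("DELETE", url)
        result["deleted"] = status in (200, 202, 204)
    return result


class _FakeWebDav(BaseHTTPRequestHandler):
    """Constructed target: /uploads/ is writable, everything else refuses PUT."""
    store: dict = {}

    def _body(self) -> bytes:
        return self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def do_PUT(self):
        body = self._body()                      # drain the body before answering
        if not self.path.startswith("/uploads/"):
            self.send_error(403)
            return
        self.store[self.path] = body
        self.send_response(201)
        self.end_headers()

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_DELETE(self):
        if self.store.pop(self.path, None) is None:
            self.send_error(404)
            return
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):                # keep the example quiet
        pass


def start_fake_server() -> str:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeWebDav)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    base = start_fake_server()
    print(check_writable_path(base, "/uploads"))
    print(check_writable_path(base, "/readonly"))
```

Against the target in the text the call would be check_writable_path("http://192.168.177.144:8585", "/uploads"); a result with uploaded true and deleted false is the case to note in the report, because then a file has been left behind that must be removed by other means.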

msf5 > use auxiliary/scanner/http/jenkins_enum
msf5 auxiliary(scanner/http/jenkins_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/jenkins_enum) > set RPORT 8484
RPORT => 8484
msf5 auxiliary(scanner/http/jenkins_enum) > set TARGETURI /
TARGETURI => /
msf5 auxiliary(scanner/http/jenkins_enum) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

13. WinRM Scanning and Brute Forcing

Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol, a firewall-friendly standard based on the Simple Object Access Protocol (SOAP) that lets hardware and operating systems from different vendors interoperate.

Getting ready

The WinRM authentication method detection module sends HTTP/HTTPS requests to the target to determine whether it runs a WinRM service and, if so, which authentication methods the service supports.

Credentials for the target can be obtained with the smb_login module. We can then use the WinRM command runner module to test whether those credentials let us run Windows commands through the WinRM service.

How to do it

1. WinRM authentication method detection. Port 5985 is the plain-HTTP listener, so the Basic method reported below means credentials would cross the network merely base64-encoded:

msf5 > use auxiliary/scanner/winrm/winrm_auth_methods
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > run

[+] 192.168.177.144:5985: Negotiate protocol supported
[+] 192.168.177.144:5985: Basic protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_auth_methods) >

2. Use the WinRM command runner module:
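The request behind the output above, as an added example (not from the book or the winrm_auth_methods module): an unauthenticated POST to /wsman, with the WWW-Authenticate challenges in the 401 reply parsed into the list of supported schemes, plus the one check worth making on the plain-HTTP port. The listener it is run against is a constructed in-process stand-in that advertises Negotiate and Basic; nothing here talks to a real Windows host.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Minimal SOAP envelope; a WinRM listener answers 401 before it looks at the body
WSMAN_PROBE = (b'<?xml version="1.0"?>'
               b'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body/></s:Envelope>')


def winrm_auth_methods(host: str, port: int = 5985, scheme: str = "http", timeout: float = 5.0) -> dict:
    """POST to /wsman without credentials and read the WWW-Authenticate challenges:
    that is how the auth-methods check learns which schemes the listener accepts."""
    result = {"winrm": False, "status": None, "server": None, "methods": []}
    req = urllib.request.Request(f"{scheme}://{host}:{port}/wsman", data=WSMAN_PROBE, method="POST")
    req.add_header("Content-Type", "application/soap+xml;charset=UTF-8")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result["status"], result["server"] = resp.status, resp.headers.get("Server")
            return result                        # answered without a challenge: not a WinRM listener
    except urllib.error.HTTPError as err:
        result["status"], result["server"] = err.code, err.headers.get("Server")
        if err.code != 401:
            return result
        challenges = err.headers.get_all("WWW-Authenticate") or []
        result["methods"] = sorted({c.split(None, 1)[0] for c in challenges})   # 'Basic realm=..' -> 'Basic'
        result["winrm"] = bool(result["methods"])
        return result


def basic_over_cleartext(result: dict, scheme: str = "http") -> bool:
    """The check worth making on port 5985: Basic over plain HTTP puts the password on the wire
    base64-encoded, readable by anyone who can sniff the segment."""
    return scheme == "http" and "Basic" in result["methods"]


class _FakeWinRmListener(BaseHTTPRequestHandler):
    """Constructed stand-in for a WinRM HTTP listener with Negotiate and Basic enabled."""
    server_version = "Microsoft-HTTPAPI/2.0"
    sys_version = ""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))   # drain the body before replying
        if self.path != "/wsman":
            self.send_error(404)
            return
        self.send_response(401)
        self.send_header("WWW-Authenticate", "Negotiate")
        self.send_header("WWW-Authenticate", 'Basic realm="WSMAN"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_fake_listener() -> int:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeWinRmListener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port


if __name__ == "__main__":
    port = start_fake_listener()
    found = winrm_auth_methods("127.0.0.1", port)
    print(found, "Basic over cleartext:", basic_over_cleartext(found))
```

The Server header (Microsoft-HTTPAPI/2.0 on a real host) is corroborating evidence rather than the test itself; the 401 with its challenges is what identifies the listener and what the module turns into the "protocol supported" lines.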

msf5 > use auxiliary/scanner/winrm/winrm_cmd
msf5 auxiliary(scanner/winrm/winrm_cmd) > set CMD hostname
CMD => hostname
msf5 auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
USERNAME => Administrator
msf5 auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD vagrant
PASSWORD => vagrant
msf5 auxiliary(scanner/winrm/winrm_cmd) > run

[+] 192.168.177.144:5985 : metasploitable3

[+] Results saved to /root/.msf4/loot/20190412172543_default_192.168.177.144_winrm.cmd_result_858044.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_cmd) >

As shown, we successfully executed a command on the target machine.

So far we have covered the basics of port scanning and learned to use Nmap, and with the help of several other tools we have extended our scanning and information-gathering technique. In the following sections we will look at several more tools that scan a target for available services and ports; they also help determine what kinds of vulnerabilities a given service or port may have.

The remaining three sections, on combining three vulnerability scanners with Metasploit, are covered in the next article.

14. Using Nessus

15. Using NeXpose

16. Using OpenVAS

Chapter 2: Information Gathering and Scanning (continued)

Notes

Original: Metasploit Penetration Testing Cookbook - Third Edition

www.packtpub.com/networking-…

Translated by Hetian Cyber Security Lab (合天網安實驗室); please credit the source when reposting.

About Hetian Cyber Security Lab

Hetian Cyber Security Lab (www.hetianlab.com): a leading Chinese online platform for hands-on cyber-security training.

Real environments and hands-on online learning of network security; lab content covers system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing and security awareness education.
