In this chapter, we will learn the following:
Passive information gathering with Metasploit
Active information gathering with Metasploit
Port scanning with Nmap
Port scanning with db_nmap
Host discovery with ARP
UDP service detection
SMB scanning and enumeration
SSH version scanning
FTP scanning
SMTP enumeration
SNMP enumeration
HTTP scanning
WinRM scanning and brute forcing
Using Metasploit with Nessus
Using Metasploit with NeXpose
Using Metasploit with OpenVAS
Information gathering is one of the first and most important tasks in a penetration test. Its goal is to find as much information about the target as possible: the more we know, the better our chances of a successful penetration. In this phase our main task is to collect everything we can about the target machine, such as its IP address, open services and open ports. This information plays a crucial role throughout the penetration test. To that end, in this chapter we will learn various scanning techniques, such as SMB scanning, SSH service scanning, FTP scanning, SNMP enumeration, HTTP scanning, and WinRM scanning and brute forcing.
There are three main ways of gathering information:
1. Passive information gathering: obtaining information about the target without physically connecting to or accessing it, which means we have to rely on other information sources, such as whois queries. Suppose our target is an online web service; a whois query can give us its IP address, domain name details, subdomains, server location and so on.
2. Active information gathering: establishing a logical connection with the target to obtain information. This gives us more information about the target and a deeper understanding of its security. Port scanning, the most commonly used active scanning technique, probes the target's open ports and services.
3. Social engineering: similar to passive information gathering, this approach targets human error, where information leaks through printouts, phone conversations, e-mail and so on. There are many techniques in this category and they gather information in different ways, so social engineering is a technical field in its own right.
Victims of social engineering are tricked into giving out information they do not realise can be used to attack the corporate network. For example, an employee might be tricked into revealing an employee ID number to someone pretending to be a person she trusts. Although the employee number seems to have no value to the employee, which makes it easier to give away in the first place, a social engineer can combine it with other collected information to find a way into the corporate network faster.
In this chapter, we will look in detail at various passive and active information gathering techniques. First, we will analyse the most commonly used, and most commonly overlooked, passive information gathering techniques; then we will focus on obtaining information through port scanning. Metasploit has several built-in scanning capabilities, as well as some integrated third-party tools that further enhance its port scanning capability. We will learn to use the built-in scanners as well as some third-party scanning tools that work together with the Metasploit framework. Let's get started.
We will start gathering information from the company's domain name: obtaining information about the company, collecting subdomains, detecting honeypots, collecting e-mail addresses, and so on.
Metasploit has quite a few information gathering modules. In this section we will learn to use some of them; you are encouraged to explore all of the information gathering modules on your own.
The DNS Record Scanner and Enumerator module can be used to gather information about a domain from a given DNS server by performing various DNS queries (such as zone transfers, reverse lookups, SRV records and so on).
1. The module lives under auxiliary. After entering msfconsole, we load the module we want with the use command; here that is auxiliary/gather/enum_dns. Enter the module with use auxiliary/gather/enum_dns, then type info to view the module's details, including its author, description and basic options.
msf5 > use auxiliary/gather/enum_dns //switch to the enum_dns module
msf5 auxiliary(gather/enum_dns) > info //show module information
Name: DNS Record Scanner and Enumerator
Module: auxiliary/gather/enum_dns
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Carlos Perez <carlos_perez@darkoperator.com>
Nixawk
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN yes The target domain
ENUM_A true yes Enumerate DNS A record
ENUM_AXFR true yes Initiate a zone transfer against each NS record
ENUM_BRT false yes Brute force subdomains and hostnames via the supplied wordlist
ENUM_CNAME true yes Enumerate DNS CNAME record
ENUM_MX true yes Enumerate DNS MX record
ENUM_NS true yes Enumerate DNS NS record
ENUM_RVL false yes Reverse lookup a range of IP addresses
ENUM_SOA true yes Enumerate DNS SOA record
ENUM_SRV true yes Enumerate the most common SRV records
ENUM_TLD false yes Perform a TLD expansion by replacing the TLD with the IANA TLD list
ENUM_TXT true yes Enumerate DNS TXT record
IPRANGE no The target address range or CIDR identifier
NS no Specify the nameserver to use for queries (default is system DNS)
STOP_WLDCRD false yes Stops bruteforce enumeration if wildcard resolution is detected
THREADS 1 no Threads for ENUM_BRT
WORDLIST /usr/share/metasploit-framework/data/wordlists/namelist.txt no Wordlist of subdomains
Description:
This module can be used to gather information about a domain from a
given DNS server by performing various DNS queries such as zone
transfers, reverse lookups, SRV record brute forcing, and other
techniques.
References:
https://cvedetails.com/cve/CVE-1999-0532/
OSVDB (492)
msf5 auxiliary(gather/enum_dns) >
2. Set the domain to query and the number of threads, then run it.
msf5 auxiliary(gather/enum_dns) > set DOMAIN packtpub.com //set the domain to query
DOMAIN => packtpub.com
msf5 auxiliary(gather/enum_dns) > set THREADS 10 //set the number of threads
THREADS => 10
msf5 auxiliary(gather/enum_dns) > run
[*] querying DNS NS records for packtpub.com
[+] packtpub.com NS: dns3.easydns.org.
[+] packtpub.com NS: dns4.easydns.info.
[+] packtpub.com NS: dns1.easydns.com.
[+] packtpub.com NS: dns2.easydns.net.
...
[*] Auxiliary module execution completed
msf5 auxiliary(gather/enum_dns) >
The DNS records obtained can be seen in the output.
The DNS scan and enumeration module can also be used for active information gathering: by setting ENUM_BRT to true, subdomains and hostnames are brute-forced from a wordlist. The WORDLIST option sets the wordlist file.
Gathering company information is also essential. We can use the CorpWatch company name lookup module, auxiliary/gather/corpwatch_lookup_name, which collects a company's name, address, sector and industry. The module connects to the CorpWatch API to retrieve publicly available information for the given company name.
API registration: api.corpwatch.org
Switch to the auxiliary/gather/corpwatch_lookup_name module, set the company name and the number of results to display.
msf5 > use auxiliary/gather/corpwatch_lookup_name
msf5 auxiliary(gather/corpwatch_lookup_name) > set COMPANY_NAME Microsoft
COMPANY_NAME => Microsoft
msf5 auxiliary(gather/corpwatch_lookup_name) > set LIMIT 1
LIMIT => 1
msf5 auxiliary(gather/corpwatch_lookup_name) > run
[*] Company Information
---------------------------------
[*] CorpWatch (cw) ID): cw_4803
[*] Company Name: MICROSOFT CORP
[*] Address: ONE MICROSOFT WAY, REDMOND WA 98052-6399
[*] Sector: Business services
[*] Industry: Services-prepackaged software
[*] Auxiliary module execution completed
msf5 auxiliary(gather/corpwatch_lookup_name) >
Tip: this website is blocked, so you need to configure a proxy to use the service.
Collecting subdomains is a good way to find new targets. We can use the search engine subdomain collector module.
Module name: auxiliary/gather/searchengine_subdomains_collector
It collects a domain's subdomains from Yahoo and Bing.
Switch to the module, set the domain to query, then run it.
msf5 > use auxiliary/gather/searchengine_subdomains_collector
msf5 auxiliary(gather/searchengine_subdomains_collector) > set TARGET packtpub.com
TARGET => packtpub.com
msf5 auxiliary(gather/searchengine_subdomains_collector) > run
[*] Searching Bing for subdomains from domain:packtpub.com
[*] Searching Yahoo for subdomains from domain:packtpub.com
[+] domain:packtpub.com subdomain: subscription.packtpub.com
[*] Searching Bing for subdomains from ip:54.171.32.62
[*] Searching Yahoo for subdomains from ip:54.171.32.62
[+] ip:54.171.32.62 subdomain: niobase.com
[+] ip:54.171.32.62 subdomain: demandpeoples.vote
[*] Searching Bing for subdomains from ip:34.240.217.226
[-] ip:34.240.217.226 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from ip:34.240.217.226
[+] ip:34.240.217.226 subdomain: www.snp.org
[+] ip:34.240.217.226 subdomain: answerthepublic.com
[*] Searching Bing for subdomains from ip:34.243.45.171
[-] ip:34.243.45.171 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from ip:34.243.45.171
[*] Searching Bing for subdomains from ip:34.248.41.77
[*] Searching Yahoo for subdomains from ip:34.248.41.77
[+] ip:34.248.41.77 subdomain: www.buzzi.space
[+] ip:34.248.41.77 subdomain: www.bookishfirst.com
[+] ip:34.248.41.77 subdomain: www.vizlib.com
[+] ip:34.248.41.77 subdomain: www.alphacodeincubate.club
[+] ip:34.248.41.77 subdomain: www.appliedmldays.org
[+] ip:34.248.41.77 subdomain: www.accessable.co.uk
[*] Searching Bing for subdomains from ip:34.254.137.88
[-] ip:34.254.137.88 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from ip:34.254.137.88
With this module we collected some new targets.
We have learned to use some basic modules; now let's learn to use some more powerful tools.
Censys is a search engine for Internet-connected devices. Censys scans hosts and websites on the Internet every day with ZMap and ZGrab, continuously monitoring all reachable servers and devices on the Internet.
We can use the Censys search module to query information through the Censys REST API, which covers more than one million websites and devices.
Tip: to use the Censys search module, you need to register at https://censys.io to obtain an API ID and secret.
msf5 > use auxiliary/gather/censys_search
msf5 auxiliary(gather/censys_search) > set CENSYS_DORK packtpub.com //set the target site
CENSYS_DORK => packtpub.com
msf5 auxiliary(gather/censys_search) > set CENSYS_SEARCHTYPE ipv4 //set the search type
CENSYS_SEARCHTYPE => ipv4
msf5 auxiliary(gather/censys_search) > set CENSYS_SECRET l5xZ******Z4xzVmIPZ0P //set the Censys secret
CENSYS_SECRET => l5xZa0zJ*******VlCZ4xzVmIPZ0P
msf5 auxiliary(gather/censys_search) > set CENSYS_UID 24d813a********c1b3e80c9e //set the API ID
CENSYS_UID => 24d813a******2-89c1b3e80c9e
msf5 auxiliary(gather/censys_search) > run
[+] 109.234.207.108 - 443/https,80/http
[+] 109.234.207.108 - 443/https,80/http
[+] 34.253.81.66 - 443/https,80/http
[+] 34.253.81.66 - 443/https,80/http
[+] 123.252.235.122 - 443/https
[+] 109.234.200.116 - 443/https
[+] 83.166.169.240 - 443/https,22/ssh,80/http
......
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 172.104.243.217 - 80/http
[+] 66.42.34.69 - 443/https,80/http
[+] 66.42.34.69 - 443/https,80/http
[*] Auxiliary module execution completed
msf5 auxiliary(gather/censys_search) >
A large number of IP addresses and open ports were collected.
Shodan is a paid search engine for Internet-connected devices. Shodan lets you search website banners and device metadata such as device location, hostname, operating system and so on.
Tip: likewise, to use the Shodan search module you first need to register on the Shodan website (www.shodan.io) to obtain an API key.
msf5 > use auxiliary/gather/shodan_search
msf5 auxiliary(gather/shodan_search) > set QUERY hostname:packtpub.com //set the target
QUERY => hostname:packtpub.com
msf5 auxiliary(gather/shodan_search) > set SHODAN_APIKEY SDaE*******ABKTxJ3 //set the Shodan API key
SHODAN_APIKEY => SDaEijF******dudxCABKTxJ3
msf5 auxiliary(gather/shodan_search) > run
[*] Total: 3 on 1 pages. Showing: 1 page(s)
[*] Collecting data, please wait...
Search Results
==============
IP:Port City Country Hostname
------- ---- ------- --------
83.166.169.228:80 Nottingham United Kingdom packtpub.com
83.166.169.248:443 Nottingham United Kingdom imap.packtpub.com
83.166.169.248:80 Nottingham United Kingdom imap.packtpub.com
[*] Auxiliary module execution completed
The Shodan search module can find more information about the target, such as IP addresses, open ports and location.
Detecting whether a target is a honeypot avoids wasting time on it, or getting blocked for trying to attack it. The Shodan Honeyscore Client module uses the Shodan search engine to check whether a target is a honeypot. The result is a score between 0 and 1; a score of 1 means the target is a honeypot.
msf5 > use auxiliary/gather/shodan_honeyscore
msf5 auxiliary(gather/shodan_honeyscore) > set SHODAN_APIKEY SDa******CABKTxJ3
SHODAN_APIKEY => SDaEij*****xCABKTxJ3
msf5 auxiliary(gather/shodan_honeyscore) > set TARGET 83.166.169.248
TARGET => 83.166.169.248
msf5 auxiliary(gather/shodan_honeyscore) > run
[*] Scanning 83.166.169.248
[-] 83.166.169.248 is not a honeypot
[*] 83.166.169.248 honeyscore: 0.0/1.0
[*] Auxiliary module execution completed
msf5 auxiliary(gather/shodan_honeyscore) >
Collecting e-mail addresses is a common part of a penetration test; it gives us a picture of the target's footprint on the Internet, which can be used for subsequent brute-force attacks and phishing campaigns.
We can use the auxiliary/gather/search_email_collector module, which uses search engines to obtain e-mail addresses related to the target.
msf5 > use auxiliary/gather/search_email_collector
msf5 auxiliary(gather/search_email_collector) > set DOMAIN packtpub.com
DOMAIN => packtpub.com
msf5 auxiliary(gather/search_email_collector) > run
[*] Harvesting emails .....
[*] Searching Google for email addresses from packtpub.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from packtpub.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from packtpub.com
[*] Extracting emails from Yahoo search results...
[*] Located 3 email addresses for packtpub.com
....
[*] Auxiliary module execution completed
From the output, you can see that the module searches Google, Bing and Yahoo for e-mail addresses related to the target.
Active information gathering is normally done by scanning; from this step on, we make a direct logical connection to the target.
Port scanning is an interesting information gathering process that involves a deeper search of the target system, but because active port scanning accesses the target system directly, it may be detected by firewalls and intrusion detection systems.
The Metasploit framework offers a variety of port scanning modules that let us probe the target system precisely. We can list them with the search portscan command.
msf5 > search portscan
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 auxiliary/scanner/http/wordpress_pingback_access normal Yes Wordpress Pingback Locator
2 auxiliary/scanner/natpmp/natpmp_portscan normal Yes NAT-PMP External Port Scanner
3 auxiliary/scanner/portscan/ack normal Yes TCP ACK Firewall Scanner
4 auxiliary/scanner/portscan/ftpbounce normal Yes FTP Bounce Port Scanner
5 auxiliary/scanner/portscan/syn normal Yes TCP SYN Port Scanner
6 auxiliary/scanner/portscan/tcp normal Yes TCP Port Scanner
7 auxiliary/scanner/portscan/xmas normal Yes TCP "XMas" Port Scanner
8 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
Let's start with the TCP port scanning module and see what information we can get about the target.
The module we will use is auxiliary/scanner/portscan/tcp
Tip: we will use this module to scan our penetration testing lab network. Observe your local laws and regulations and do not scan Internet devices directly.
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.177.0/24 //set the target network
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/portscan/tcp) > set THREADS 100 //set the number of threads
THREADS => 100
msf5 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.177.1: - 192.168.177.1:22 - TCP OPEN
[+] 192.168.177.1: - 192.168.177.1:21 - TCP OPEN
Tip: scanner modules generally use RHOSTS, which denotes a whole network range, rather than RHOST (a single host).
When using a Metasploit module, show options lists every configurable option and show missing lists the options that still have to be set.
msf5 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf5 auxiliary(scanner/portscan/tcp) > show missing
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
msf5 auxiliary(scanner/portscan/tcp) >
Compared with an ordinary TCP scan, a SYN scan is faster because it does not complete the TCP three-way handshake, and it can evade firewalls and intrusion detection systems to some extent.
The module is auxiliary/scanner/portscan/syn; it requires a port range to be specified.
msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set INTERFACE eth0 //set the network interface
INTERFACE => eth0
msf5 auxiliary(scanner/portscan/syn) > set PORTS 1-10000 //set the port range
PORTS => 1-10000
msf5 auxiliary(scanner/portscan/syn) > set THREADS 256 //set the number of threads
THREADS => 256
msf5 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.177.0/24 //set the target network
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/portscan/syn) > run
Nmap is the powerful network scanner of choice for security professionals. We will analyse Nmap's various scanning techniques in detail, from basic to advanced.
You can run Nmap directly from msfconsole, but to import the results into the Metasploit database you need to use the -oX option to write an XML report file and then import it with the db_import command.
1. Start msfconsole, then type nmap
msf5 > nmap
[*] exec: nmap
Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
2. Perform a TCP scan with the -sT option. This is the default and most basic scan type; it completes the TCP three-way handshake to detect the ports on the target machine.
msf5 > nmap -sT 192.168.177.144
[*] exec: nmap -sT 192.168.177.144
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:20 CST
Nmap scan report for 192.168.177.144
Host is up (0.00044s latency).
Not shown: 990 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
4848/tcp open appserv-http
8022/tcp open oa-system
8080/tcp open http-proxy
8383/tcp open m2mservices
9200/tcp open wap-wsp
49153/tcp open unknown
49154/tcp open unknown
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds
msf5 >
Tip: when no port range is specified, nmap scans the 1000 most common ports by default.
3. Perform a TCP SYN scan with the -sS option. A SYN scan does not complete the full TCP three-way handshake, which is why it is also called a half-open scan; SYN scanning is considered a relatively stealthy scanning technique.
msf5 > nmap -sS 192.168.177.144 -p 22-5000
[*] exec: nmap -sS 192.168.177.144 -p 22-5000
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:29 CST
Nmap scan report for 192.168.177.144
Host is up (0.00037s latency).
Not shown: 4975 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1617/tcp open nimrod-agent
4848/tcp open appserv-http
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds
msf5 >
In most cases, the TCP connect scan and the SYN scan produce similar output; the only difference is that a SYN scan is harder for firewalls and IDS to detect, although almost all modern firewalls catch SYN scans. The -p option sets the port range we want to scan.
4. A UDP scan uses the -sU option to identify open UDP ports on the target machine. A UDP scan sends an empty (no data) UDP header to the target port and judges whether the port is open solely from ICMP messages.
msf5 > nmap -sU 192.168.177.144
[*] exec: nmap -sU 192.168.177.144
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:36 CST
Nmap scan report for 192.168.177.144
Host is up (0.00035s latency).
Not shown: 999 open|filtered ports
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 16.36 seconds
msf5 >
Tip: without a port range, the 1000 most common UDP ports are scanned by default.
We have analysed three different types of nmap scan, all very useful in penetration testing. Nmap offers many different scan types; here we focused only on these three: the TCP connect scan, the stealthy SYN scan and the UDP scan. Nmap's scan options can be combined for more advanced and complex scans of the target.
Scanning can yield many useful results in a penetration test. The information gathered forms the basis for the rest of the test, so you are strongly advised to master the different scan types. Let's take a closer look at the scanning techniques we just learned.
The TCP connect scan is the most basic scanning technique; it establishes a full TCP connection with the target. It uses the operating system's networking functions to set up the connection: the scanner sends a SYN packet to the target, and if the port is open the target replies with an ACK message. The scanner then sends an ACK packet to the target and the connection is established; this is the so-called three-way handshake. The connection is terminated as soon as it is opened. This technique has its advantages, but it is easily detected by firewalls and IDS.
The SYN scan is another type of TCP scan, but it does not establish a full connection with the target. Instead of using the operating system's networking functions, it generates raw IP packets and monitors the responses. If the target port is open, the target responds with an ACK message, after which the scanner sends an RST to end the connection; hence it is also called a half-open scan. It is considered a stealthy scanning technique that can avoid detection by some firewalls and IDS.
The UDP scan is a connectionless scanning technique, so the target returns nothing to the scanner whether or not it received the packet. If the target port is closed, the scanner receives an ICMP port unreachable message; if no message arrives, the scanner assumes the port is open. Because a firewall may block the packets, this method can give wrong results: no response is generated, so the scanner reports the port as open.
Let's explore Nmap scanning further and learn how to combine different scan types.
Besides port scanning, Nmap offers some advanced options that help us obtain more information about the target. One of the most widely used is the operating system detection option, -O, which helps us identify the target computer's operating system.
The OS detection scan output is as follows:
msf5 > nmap -O 192.168.177.144
[*] exec: nmap -O 192.168.177.144
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:12 CST
Nmap scan report for 192.168.177.144
Host is up (0.00035s latency).
Not shown: 990 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
4848/tcp open appserv-http
8022/tcp open oa-system
8080/tcp open http-proxy
8383/tcp open m2mservices
9200/tcp open wap-wsp
49153/tcp open unknown
49154/tcp open unknown
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone
Running: Microsoft Windows 2008|8.1|7|Phone|Vista
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.51 seconds
As you can see, Nmap successfully identified the target machine's operating system.
Another widely used advanced option is version detection for the services on open ports, -sV. It can be combined with the previous scan options.
msf5 > nmap -sV 192.168.177.144
[*] exec: nmap -sV 192.168.177.144
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:17 CST
Nmap scan report for 192.168.177.144
Host is up (0.00043s latency).
Not shown: 990 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
80/tcp open http Microsoft IIS httpd 7.5
4848/tcp open ssl/appserv-http?
8022/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8080/tcp open http Sun GlassFish Open Source Edition 4.0
8383/tcp open ssl/http Apache httpd
9200/tcp open http Elasticsearch REST API 1.1.1 (name: Turac; Lucene 4.7)
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.54 seconds
msf5 >
Sometimes a scan has to be done stealthily. By default, firewall and IDS logs record your IP address; nmap provides the -D option to add confusion.
This option does not stop the firewall or IDS from logging your IP; it only adds confusion by mixing in other IP addresses so the target thinks several IPs are attacking. For example, if you add two decoy IPs, the firewall or IDS log will show packets coming from three different IP addresses: one is yours and the other two are the fake addresses you added.
msf5 > nmap -sT 192.168.177.144 -D 192.168.177.34,192.168.177.56
In this example, the IP addresses after -D are fake IP addresses; they appear together with the original IP address in the target machine's network log files, confusing the network administrator on the other side into thinking all three IPs are spoofed. Do not add too many fake IP addresses, however, or the scan results will suffer; use only a moderate number of addresses.
The advantage of db_nmap is that the results are stored directly in the Metasploit database, so db_import is no longer needed.
The db_nmap command is part of msfconsole, so you just start msfconsole and use it. Its arguments are the same as when running nmap on the command line.
In Chapter 1 we learned some basic usage of db_nmap, so now we will look at some of its more advanced features. In the following example you will learn how to use some of them.
msf5 > db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 192.168.177.144 -p -
-Pn: skip host discovery
-sTV: TCP connect scan with version detection of the services on open ports
-T4: set the timing template to speed up the scan
--open: show only open ports
--min-parallelism: number of probes sent in parallel
--version-all: try every probe, ensuring each probe is sent to every port, to get a more precise service version
-p -: scan all ports (1-65535)
The output is as follows:
msf5 > db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 192.168.177.144 -p -
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:41 CST
[*] Nmap: Nmap scan report for 192.168.177.144
[*] Nmap: Host is up (0.00059s latency).
[*] Nmap: Not shown: 65516 filtered ports
[*] Nmap: Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp Microsoft ftpd
[*] Nmap: 22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
[*] Nmap: 80/tcp open http Microsoft IIS httpd 7.5
[*] Nmap: 1617/tcp open rmiregistry Java RMI
[*] Nmap: 4848/tcp open ssl/appserv-http?
[*] Nmap: 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: 8020/tcp open http Apache httpd
[*] Nmap: 8022/tcp open http Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: 8027/tcp open unknown
[*] Nmap: 8080/tcp open http Sun GlassFish Open Source Edition 4.0
[*] Nmap: 8282/tcp open http Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: 8383/tcp open ssl/http Apache httpd
[*] Nmap: 8484/tcp open http Jetty winstone-2.8
[*] Nmap: 8585/tcp open http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
[*] Nmap: 9200/tcp open http Elasticsearch REST API 1.1.1 (name: Turac; Lucene 4.7)
[*] Nmap: 49153/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49154/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49207/tcp open rmiregistry Java RMI
[*] Nmap: 49209/tcp open tcpwrapped
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 593.00 seconds
msf5 >
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features; it can turn Nmap into a vulnerability scanner. NSE has more than 600 scripts in several categories, some non-intrusive and some intrusive, such as brute forcing, exploitation and denial of service. On Kali you can find these scripts in the /usr/share/nmap/scripts directory, or locate them by searching for *.nse with locate.
root@osboxes:~# locate *.nse
/usr/share/nmap/scripts/targets-xml.nse
/usr/share/nmap/scripts/teamspeak2-version.nse
/usr/share/nmap/scripts/telnet-brute.nse
/usr/share/nmap/scripts/telnet-encryption.nse
/usr/share/nmap/scripts/telnet-ntlm-info.nse
/usr/share/nmap/scripts/tftp-enum.nse
/usr/share/nmap/scripts/tls-alpn.nse
/usr/share/nmap/scripts/tls-nextprotoneg.nse
/usr/share/nmap/scripts/tls-ticketbleed.nse
/usr/share/nmap/scripts/tn3270-screen.nse
/usr/share/nmap/scripts/tor-consensus-checker.nse
/usr/share/nmap/scripts/traceroute-geolocation.nse
/usr/share/nmap/scripts/tso-brute.nse
/usr/share/nmap/scripts/tso-enum.nse
/usr/share/nmap/scripts/unittest.nse
/usr/share/nmap/scripts/unusual-port.nse
Its usage is as follows:
nmap --script <scriptname> <host ip>
The same works with db_nmap. Let's try NSE scripts to look for HTTP/HTTPS vulnerabilities on the target.
msf5 > db_nmap --open -sTV -Pn -p 80,8020,8022,8080,8282,8383,8484,8585,9200 --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,ssl-poodle,ssl-heartbleed,http-webdav-scan,http-iis-webdav-vuln 192.168.177.144
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 14:03 CST
[*] Nmap: Nmap scan report for 192.168.177.144
[*] Nmap: Host is up (0.00052s latency).
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 80/tcp open http Microsoft IIS httpd 7.5
[*] Nmap: | http-methods:
[*] Nmap: | Supported Methods: OPTIONS TRACE GET HEAD POST
[*] Nmap: |_ Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Microsoft-IIS/7.5
[*] Nmap: | http-vhosts:
[*] Nmap: |_127 names had status 200
[*] Nmap: 8020/tcp open http Apache httpd
[*] Nmap: |_http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
[*] Nmap: | http-methods:
[*] Nmap: | Supported Methods: GET HEAD POST PUT DELETE OPTIONS
[*] Nmap: |_ Potentially risky methods: PUT DELETE
[*] Nmap: |_http-server-header: Apache
[*] Nmap: | http-vhosts:
From the output we can see that the target host's HTTP/HTTPS services have some dangerous methods enabled, such as DELETE and PUT.
ARP requests can enumerate the live hosts on the local network, giving us a simple and fast way to identify targets.
When the attacker and the target machine are on the same LAN, hosts can be discovered with an ARP scan.
1. Use the ARP sweep module (auxiliary/scanner/discovery/arp_sweep): set the target address range and the number of threads, then run it.
msf5 > use auxiliary/scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.177.1 appears to be up (VMware, Inc.).
[+] 192.168.177.2 appears to be up (VMware, Inc.).
[+] 192.168.177.144 appears to be up (VMware, Inc.).
[+] 192.168.177.254 appears to be up (VMware, Inc.).
[+] 192.168.177.2 appears to be up (VMware, Inc.).
[+] 192.168.177.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/arp_sweep) >
2. If the database is running, the results are stored in the Metasploit database; use hosts to list the hosts discovered so far.
msf5 auxiliary(scanner/discovery/arp_sweep) > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
34.240.217.226
34.248.41.77
54.171.32.62
192.168.177.1 00:50:56:c0:00:08 Unknown device
192.168.177.2 00:50:56:fa:c4:65
192.168.177.139 00:0c:29:c6:a9:e5 Unknown device
192.168.177.142 00:0c:29:92:63:8c Linux 2.6.X server
192.168.177.144 00:0c:29:d7:02:f6 Unknown device
192.168.177.254 00:50:56:ec:3c:cf
The UDP service sweep module lets us detect UDP services on the target system. Because UDP is a connectionless protocol, probing it is harder than probing TCP; the UDP service detection module helps us find some useful information.
Select the auxiliary/scanner/discovery/udp_sweep module, set the target range and run the scan.
msf5 > use auxiliary/scanner/discovery/udp_sweep
msf5 auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.144/24
msf5 auxiliary(scanner/discovery/udp_sweep) > run
[*] Sending 13 probes to 192.168.177.0->192.168.177.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.177.144:137 (METASPLOITABLE3:<20>:U :METASPLOITABLE3:<00>:U :WORKGROUP:<00>:G :00:0c:29:d7:02:f6)
[*] Discovered SNMP on 192.168.177.144:161 (Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free))
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/udp_sweep) >
Over the years, the SMB protocol (the network file sharing protocol used on Microsoft Windows systems) has proven to be one of the most attacked protocols; it lets attackers enumerate the target's files and users, and even achieve remote code execution.
Using the SMB share enumeration module without authentication can help us collect some valuable information, such as share names and the operating system version.
Module name: auxiliary/scanner/smb/smb_enumshares
msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumshares) > run
[-] 192.168.177.144:139 - Login Failed: Unable to Negotiate with remote host
[*] 192.168.177.144: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The SMB share enumeration module is also very useful in the later attack phases: given credentials, it can easily enumerate shares and list their files.
msf5 auxiliary(scanner/smb/smb_enumshares) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_enumshares) > set SMBPASS vagrant
SMBPASS => vagrant
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumshares) > set ShowFiles true
ShowFiles => true
msf5 auxiliary(scanner/smb/smb_enumshares) > set SpiderShares true
SpiderShares => true
msf5 auxiliary(scanner/smb/smb_enumshares) > run
[-] 192.168.177.144:139 - Login Failed: Unable to Negotiate with remote host
[+] 192.168.177.144:445 - ADMIN$ - (DS) Remote Admin
[+] 192.168.177.144:445 - C$ - (DS) Default share
[+] 192.168.177.144:445 - IPC$ - (I) Remote IPC
[*] 192.168.177.144: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumshares) >
Metasploit provides several other SMB scanning modules; let's look at how to use them.
3. The SMB version detection module detects the SMB version.
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_version) > run
[+] 192.168.177.144:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:METASPLOITABLE3) (workgroup:WORKGROUP )
[*] 192.168.177.144:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
4. The user enumeration module lists which users exist via the SAM RPC service.
msf5 > use auxiliary/scanner/smb/smb_enumusers
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBPASS vagrant
SMBPASS => vagrant
msf5 auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumusers) > run
[+] 192.168.177.144:445 - METASPLOITABLE3 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leah_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.177.144: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) >
5. The SMB login check module tests SMB logins.
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_login) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE /root/password.lst
PASS_FILE => /root/password.lst
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.177.144:445 - 192.168.177.144:445 - Starting SMB login bruteforce
[-] 192.168.177.144:445 - 192.168.177.144:445 - Failed: '.\vagrant:admin',
[-] 192.168.177.144:445 - 192.168.177.144:445 - Failed: '.\vagrant:admin123',
[+] 192.168.177.144:445 - 192.168.177.144:445 - Success: '.\vagrant:vagrant' Administrator
[*] 192.168.177.144:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >
6. The MS17-010 (EternalBlue) vulnerability detection module
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.177.144:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.177.144:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >
7. The remaining modules are all under auxiliary/scanner/smb/; press TAB to list them. You can study them one by one; they are not covered individually here.
msf5 > use auxiliary/scanner/smb/
use auxiliary/scanner/smb/impacket/dcomexec
use auxiliary/scanner/smb/smb1
use auxiliary/scanner/smb/smb_login
.....
SSH is a widely used remote login program. It provides authentication and confidentiality using strong encryption. In this section, we will use the SSH version scanning module to determine which SSH version the target is running and whether it is a vulnerable version; if so, we can exploit it.
In the earlier scans we found that the target machine has TCP port 22 open, the default SSH port. We will use the SSH version detection module to obtain the version of SSH running on the target system.
1. Module name: auxiliary/scanner/ssh/ssh_version
msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/ssh/ssh_version) > run
[+] 192.168.177.144:22 - SSH server version: SSH-2.0-OpenSSH_7.1 ( service.version=7.1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.1 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.177.144:22 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_version) >
The RHOSTS option here can also be set to a network address to scan the whole subnet.
Once we have the version information, we can search for vulnerabilities in that version.
2. To test SSH logins with common passwords, we can use the SSH login check module.
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/ssh/ssh_login) > set USERNAME user
USERNAME => user
msf5 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/password.lst
PASS_FILE => /root/password.lst
msf5 auxiliary(scanner/ssh/ssh_login) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
3. If a login succeeds, the sessions command lists the sessions and lets you interact with the target
msf5 auxiliary(scanner/ssh/ssh_login) > sessions
Active sessions
===============
No active sessions.
Use the FTP scanning module to version-scan every FTP service on the network.
The FTP version scanning module lets us detect which FTP version is running.
1. Use the auxiliary/scanner/ftp/ftp_version module; set the scan range and the thread count, then run the scan.
msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/ftp/ftp_version) > run
[+] 192.168.177.1:21 - FTP Banner: '220 Serv-U FTP Server v15.0 ready...\x0d\x0a'
[+] 192.168.177.144:21 - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] 192.168.177.0/24:21 - Scanned 78 of 256 hosts (30% complete)
[*] 192.168.177.0/24:21 - Scanned 123 of 256 hosts (48% complete)
[*] 192.168.177.0/24:21 - Scanned 125 of 256 hosts (48% complete)
[*] 192.168.177.0/24:21 - Scanned 129 of 256 hosts (50% complete)
[*] 192.168.177.0/24:21 - Scanned 130 of 256 hosts (50% complete)
[*] 192.168.177.0/24:21 - Scanned 255 of 256 hosts (99% complete)
[*] 192.168.177.0/24:21 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ftp/ftp_version) >
2. As with the previous scans, the results are saved to the database, and the services command shows the service information detected so far.
msf5 auxiliary(scanner/ftp/ftp_version) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.177.1 21 tcp ftp open 220 Serv-U FTP Server v15.0 ready...\x0d\x0a
192.168.177.144 21 tcp ftp open 220 Microsoft FTP Service\x0d\x0a
192.168.177.144 22 tcp ssh open SSH-2.0-OpenSSH_7.1
192.168.177.144 80 tcp http open Microsoft IIS httpd 7.5
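As an added example that is not from the book or from Metasploit: a Python inventory check that parses the SSH identification string (RFC 4253 format) and the services table above into structured records, then flags SSH servers older than a baseline. MIN_OPENSSH is an assumed local policy value, and SERVICES is a constructed copy of the table shown above.

```python
import re

# RFC 4253 section 4.2: "SSH-" protoversion "-" softwareversion [SP comments]
SSH_ID = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")
OPENSSH = re.compile(r"^OpenSSH_(?P<ver>\d+(?:\.\d+)*)")
# Assumed local baseline, not a value from the page: oldest OpenSSH still accepted.
MIN_OPENSSH = (7, 4)


def parse_ssh_banner(banner):
    """Split an SSH identification string into protocol, software and version tuple."""
    m = SSH_ID.match(banner.strip())
    if not m:
        return None
    info = {"proto": m["proto"], "software": m["software"], "version": None}
    o = OPENSSH.match(m["software"])
    if o:
        info["version"] = tuple(int(x) for x in o["ver"].split("."))
    return info


def parse_services(text):
    """Parse msfconsole `services` output into (host, port, name, info) rows."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+\w+\s+(\w+)\s+\w+\s+(.*)$", line)
        if m:
            rows.append((m[1], int(m[2]), m[3], m[4].strip()))
    return rows


def find_outdated_ssh(text):
    """Return (host, port, banner) for SSH services older than MIN_OPENSSH."""
    hits = []
    for host, port, name, info in parse_services(text):
        parsed = parse_ssh_banner(info) if name == "ssh" else None
        if parsed and parsed["version"] and parsed["version"] < MIN_OPENSSH:
            hits.append((host, port, info))
    return hits


# Constructed copy of the `services` table from the scan above.
SERVICES = r"""
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.177.1 21 tcp ftp open 220 Serv-U FTP Server v15.0 ready...\x0d\x0a
192.168.177.144 21 tcp ftp open 220 Microsoft FTP Service\x0d\x0a
192.168.177.144 22 tcp ssh open SSH-2.0-OpenSSH_7.1
192.168.177.144 80 tcp http open Microsoft IIS httpd 7.5
"""
```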
The SMTP service has two built-in commands that allow user enumeration: VRFY (confirms that a user name is valid) and EXPN (shows the actual addresses behind a user, alias or mailing list). The SMTP user enumeration module issues these commands to enumerate a list of valid users.
By default the SMTP enumeration module uses unix_users.txt (located in /usr/share/metasploit-framework/data/wordlists/) as its wordlist; you can also supply your own. Switch to the auxiliary/scanner/smtp/smtp_enum module, set the target and the thread count, then start.
msf5 > use auxiliary/scanner/smtp/smtp_enum
msf5 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.177.145
RHOSTS => 192.168.177.145
msf5 auxiliary(scanner/smtp/smtp_enum) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/smtp/smtp_enum) > run
[*] 192.168.177.145:25 - 192.168.177.145:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.177.145:25 - 192.168.177.145:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] 192.168.177.145:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smtp/smtp_enum) >
The output lists the valid SMTP users on the Metasploitable 2 target.
Simple Network Management Protocol (SNMP) is a protocol for managing network devices, for example monitoring device status, interface information and per-interface throughput. An SNMP scanner can reveal a great deal of information about a given system. In this section we will learn how to use it.
Metasploit has a built-in auxiliary module dedicated to scanning SNMP devices. Before attacking it, we must understand it. First, the community strings (read-only / read-write) determine which kinds of information can be read from, or modified on, the device itself. The Management Information Base (MIB) interface lets us query the device and extract information.
Tip: If the target is a Windows system with SNMP configured (usually with RO/RW community strings), we can extract a variety of valuable information such as system uptime, user names on the system, network information and running services.
When querying over SNMP, device information is extracted through the MIB API. Metasploit loads a default list of MIBs into its database and uses them to query the device for more information.
1. The SNMP login module can log in to the target using the public community string.
msf5 > use auxiliary/scanner/snmp/snmp_login
msf5 auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.177.144,145
RHOSTS => 192.168.177.144,145
msf5 auxiliary(scanner/snmp/snmp_login) > run
[+] 192.168.177.144:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/snmp/snmp_login) >
2. The SNMP enumeration module collects information such as ports, services, host name and processes.
msf5 > use auxiliary/scanner/snmp/snmp_enum
msf5 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/snmp/snmp_enum) > run
[+] 192.168.177.144, Connected.
[*] System information:
Host IP : 192.168.177.144
Hostname : metasploitable3
Description : Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free)
Contact : -
Location : -
Uptime snmp : 01:18:04.40
Uptime system : 01:16:09.69
System date : 2019-4-12 16:44:05.7
[*] User accounts:
["sshd"]
["Guest"]
["greedo"]
["vagrant"]
["han_solo"]
["kylo_ren"]
["boba_fett"]
["chewbacca"]
["ben_kenobi"] .....
[*] Network information:
IP forwarding enabled : no
Default TTL : 128
TCP segments received : 70121
TCP segments sent : 70024
TCP segments retrans : 23
Input datagrams : 634
Delivered datagrams : 825
....
[*] Network interfaces:
Interface : [ up ] Software Loopback Interface 1
Id : 1
Mac Address : :::::
....
Hypertext Transfer Protocol (HTTP) is an application-layer protocol and the foundation of communication on the World Wide Web. It is used by a vast number of applications, from Internet of Things (IoT) devices to mobile apps, and it is also a good place to look for vulnerabilities.
The HTTP SSL certificate checker module inspects a web server's certificate.
The robots.txt content checker module looks for a robots.txt file and analyses its contents.
If the server allows the unauthorized PUT method, arbitrary web pages can be written into the site directory, leading to execution of malicious code, or the server can be filled with junk data, causing a denial of service.
The Jenkins-CI HTTP scanning module enumerates unauthorized Jenkins-CI services.
1. Check the target's HTTP SSL certificate
msf5 > use auxiliary/scanner/http/cert
msf5 auxiliary(scanner/http/cert) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/cert) > set RPORT 8383
RPORT => 8383
msf5 auxiliary(scanner/http/cert) > run
[*] 192.168.177.144:8383 - 192.168.177.144 - 'Desktop Central' : '2010-09-08 12:24:44 UTC' - '2020-09-05 12:24:44 UTC'
[*] 192.168.177.144:8383 - Scanned 1 of 1 hosts (100% complete)
2. Check the robots.txt file
msf5 > use auxiliary/scanner/http/robots_txt
msf5 auxiliary(scanner/http/robots_txt) > set PATH /mutillidae
PATH => /mutillidae
msf5 auxiliary(scanner/http/robots_txt) > set RHOSTS 192.168.177.145
RHOSTS => 192.168.177.145
msf5 auxiliary(scanner/http/robots_txt) > run
[*] [192.168.177.145] /mutillidae/robots.txt found
[+] Contents of Robots.txt:
User-agent: *
Disallow: ./passwords/
Disallow: ./config.inc
Disallow: ./classes/
Disallow: ./javascript/
Disallow: ./owasp-esapi-php/
Disallow: ./documentation/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/robots_txt) >
3. The HTTP writable path PUT/DELETE file access module can upload and delete content on the web server using PUT and DELETE requests.
msf5 > use auxiliary/scanner/http/http_put
msf5 auxiliary(scanner/http/http_put) > set PATH /uploads
PATH => /uploads
msf5 auxiliary(scanner/http/http_put) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/http_put) > set RPORT 8585
RPORT => 8585
msf5 auxiliary(scanner/http/http_put) > run
[+] File uploaded: http://192.168.177.144:8585/uploads/msf_http_put_test.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_put) >
4. Jenkins-CI scanning module
msf5 > use auxiliary/scanner/http/jenkins_enum
msf5 auxiliary(scanner/http/jenkins_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/jenkins_enum) > set RPORT 8484
RPORT => 8484
msf5 auxiliary(scanner/http/jenkins_enum) > set TARGETURI /
TARGETURI => /
msf5 auxiliary(scanner/http/jenkins_enum) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol, a SOAP-based, firewall-friendly standard protocol that lets hardware and operating systems from different vendors interoperate.
The WinRM authentication method detection module sends HTTP/HTTPS requests to the target to determine whether it runs a WinRM service and, if so, which authentication methods it supports.
The smb_login module earlier retrieved the target's login credentials. We can use the WinRM command runner module to test whether Windows commands can be run through the WinRM service.
1. WinRM authentication method detection
msf5 > use auxiliary/scanner/winrm/winrm_auth_methods
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > run
[+] 192.168.177.144:5985: Negotiate protocol supported
[+] 192.168.177.144:5985: Basic protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_auth_methods) >
2. Use the WinRM command runner module
msf5 > use auxiliary/scanner/winrm/winrm_cmd
msf5 auxiliary(scanner/winrm/winrm_cmd) > set CMD hostname
CMD => hostname
msf5 auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
USER => Administrator
msf5 auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD vagrant
PASSWORD => vagrant
msf5 auxiliary(scanner/winrm/winrm_cmd) > run
[+] 192.168.177.144:5985 : metasploitable3
[+] Results saved to /root/.msf4/loot/20190412172543_default_192.168.177.144_winrm.cmd_result_858044.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_cmd) >
As you can see, we successfully executed a command on the target.
So far we have covered the basics of port scanning and learned how to use Nmap, and with the help of several other tools we have further improved our scanning and information-gathering techniques. In the following sections we will introduce several other tools for scanning a target's available services and ports; these tools also help us determine which kinds of vulnerabilities a given service or port may have.
The remaining three sections, on combining three vulnerability scanners with Metasploit, will be covered in the next article; stay tuned:
Using Nessus with Metasploit
Using NeXpose with Metasploit
Using OpenVAS with Metasploit
Original book: Metasploit Penetration Testing Cookbook - Third Edition
This article was translated by Hetian Cyber Security Lab (合天網安實驗室); please credit the source when reposting.