Metasploit 滲透測試手冊第三版 第二章 信息收集與掃描 -續(翻譯)
第二章 信息收集和掃描-續
咱們將學習如下內容html
與Nessus結合使用linux
與NeXpose結合使用ios
與OpenVAS結合使用git
接上篇:第二章 信息收集與掃描github
1四、與Nessus結合
到目前爲止,咱們已經瞭解了端口掃描的基礎知識,以及學會了Nmap的使用。經過其餘一些工具的學習,進一步提升了掃描和信息收集的技術。在接下來的小節中,咱們將介紹其餘幾種掃描目標可用服務和端口的工具,這些工具還能夠幫助咱們肯定特定服務和端口可能存在的漏洞類型。讓咱們開始漏洞掃描之旅。shell
Nessus是使用最普遍的漏洞掃描器之一,它可用經過掃描目標發現漏洞並生成詳細的報告。Nessus是滲透測試中很是有用的工具。你可用使用它的GUI版本,也能夠在Metasploit控制檯中使用它。本書主要介紹在msfconsole中使用它。數據庫
準備工做
要使用Nessus須要先去Nessus官網註冊並取得Licenses。你可使用Nessus家庭版,此受權是免費的,它容許你掃描我的家庭網絡(小於16個IP地址)。而後下載軟件安裝包進行安裝。在Kali中須要下載.deb格式的包,而後使用dpkg -i進行安裝。api
家庭版密鑰申請地址:https://www.tenable.com/products/nessus-home瀏覽器
填寫註冊信息,完成註冊,而後會跳轉到下載頁面安全
根據本身的系統版本,下載32bit或者64bit版本
激活密鑰會發到你的郵箱裏面,請保存下來。
下載完成以後進行安裝:
root@osboxes:~# cd ~/Downloads/
root@osboxes:~/Downloads# ls
bettercap bettercap_linux_amd64_2.2.zip libpcap-1.8.1 libpcap-1.8.1.tar.gz Nessus-8.3.1-debian6_amd64.deb
root@osboxes:~/Downloads# dpkg -i Nessus-8.3.1-debian6_amd64.deb //安裝
Selecting previously unselected package nessus.
(Reading database ... 435326 files and directories currently installed.)
Preparing to unpack Nessus-8.3.1-debian6_amd64.deb ...
Unpacking nessus (8.3.1) ...
Setting up nessus (8.3.1) ...
Unpacking Nessus Scanner Core Components...
- You can start Nessus Scanner by typing /etc/init.d/nessusd start
- Then go to https://osboxes:8834/ to configure your scanner
Processing triggers for systemd (241-1) ...
root@osboxes:~/Downloads#
複製代碼
安裝完成以後,啓動Nessus服務
root@osboxes:~/Downloads# systemctl start nessusd.service
複製代碼
根據提示,使用瀏覽器打開網址https://osboxes:8834/或者https://127.0.0.1:8834進行配置
一、設置用戶名和密碼:
二、選擇Home,Professional or Manager,填寫激活密鑰進行受權激活。
三、激活完成後,Nessus還會安裝一系列組件,等待安裝完成(須要一段時間,請耐心等待)
安裝完成後,就能夠進行下一步操做了。
怎麼作
一、在msfconsole裏面載入nessus組件。
msf5 > load nessus //載入nessus組件
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: Nessus
msf5 >
複製代碼
二、輸入nessus_help命令,能夠查看可用參數和幫助信息
msf5 > nessus_help
Command Help Text
------- ---------
Generic Commands
----------------- -----------------
nessus_connect Connect to a Nessus server
nessus_logout Logout from the Nessus server
nessus_login Login into the connected Nesssus server with a different username and password
nessus_save Save credentials of the logged in user to nessus.yml
nessus_help Listing of available nessus commands
nessus_server_properties Nessus server properties such as feed type, version, plugin set and server UUID.
nessus_server_status Check the status of your Nessus Server
nessus_admin Checks if user is an admin
nessus_template_list List scan or policy templates
nessus_folder_list List all configured folders on the Nessus server
nessus_scanner_list List all the scanners configured on the Nessus server
Nessus Database Commands
複製代碼
三、鏈接到Nessus服務,使用nessus_connect NessusUser:NessusPassword@127.0.0.1命令。
msf5 > nessus_connect nessusroot:Passw0rd@127.0.0.1 //鏈接到 Nessus 服務
[*] Connecting to https://127.0.0.1:8834/ as nessusroot
[*] User nessusroot authenticated successfully.
msf5 >
複製代碼
四、使用nessus_policy_list可用列出Nessus服務上的全部掃描策略。若是沒有,須要先在WebUI界面中建立策略。
msf5 > nessus_policy_list
[-] No policies found
msf5 >
複製代碼
提示沒有策略,咱們去建立一個
咱們選擇新建一個Basic Network Scan策略
配置好相關的參數,而後點保存
回到msfconsole裏面再次執行nessus_policy_list就看看到了
msf5 > nessus_policy_list
Policy ID Name Policy UUID
--------- ---- -----------
4 PenTest01 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65
msf5 >
複製代碼
五、建立nessus掃描,使用nessus_scan_new --help查看命令幫助信息:
msf5 > nessus_scan_new --help
[*] Usage:
[*] nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>
[*] Use nessus_policy_list to list all available policies with their corresponding UUIDs
msf5 >
複製代碼
六、建立掃描
msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 Metasploitable3 Windows_Machine 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called Metasploitable3 - Windows_Machine and scanning 192.168.177.144
[*] New scan added
[-] Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/plugins/nessus.rb:979:in `cmd_nessus_scan_new'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:522:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:473:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:49:in `<main>'
msf5 >
複製代碼
這次會報錯:Error while running command nessus_scan_new: undefined method []' for nil:NilClass。這是因爲Nessus 7開始對遠程調用進行認證,從而致使Metasploit調用失敗。如今正在等待修復。
解決辦法:Nessus Plugin unable to create new scan · Issue #11117 · rapid7/metasploit-framework · GitHub github.com/rapid7/meta…
成功建立掃描:
msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 test test 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called test - test and scanning 192.168.177.144
[*] New scan added
[*] Use nessus_scan_launch 6 to launch the scan
Scan ID Scanner ID Policy ID Targets Owner
------- ---------- --------- ------- -----
6 1 5 192.168.177.144 nessusroot
msf5 >
複製代碼
七、使用nessus_scan_list可用查看掃描列表,以及它們的狀態
msf5 > nessus_scan_list
Scan ID Name Owner Started Status Folder
------- ---- ----- ------- ------ ------
6 test nessusroot empty 3
msf5 >
複製代碼
八、啓動掃描,使用nessus_scan_launch <Scan ID>啓動掃描
msf5 > nessus_scan_launch 6
[+] Scan ID 6 successfully launched. The Scan UUID is 67d8e87c-17a6-7693-0b41-666f40291e1464ae15bc02832ca3
msf5 >
複製代碼
再次查看狀態:
msf5 > nessus_scan_list
Scan ID Name Owner Started Status Folder
------- ---- ----- ------- ------ ------
6 test nessusroot running 3
msf5 >
複製代碼
九、查看掃描的詳細信息,使用nessus_scan_details <Scan ID> <info/hosts/vulnerabilities/history>
msf5 > nessus_scan_details 6 info //查看掃描狀態
Status Policy Scan Name Scan Targets Scan Start Time Scan End Time
------ ------ --------- ------------ --------------- -------------
running Basic Network Scan test 192.168.177.144 1555301230
msf5 > nessus_scan_details 6 hosts //查看主機
Host ID Hostname % of Critical Findings % of High Findings % of Medium Findings % of Low Findings
------- -------- ---------------------- ------------------ -------------------- -----------------
2 192.168.177.144 1 0 0 0
msf5 > nessus_scan_details 6 vulnerabilities //查看漏洞信息
Plugin ID Plugin Name Plugin Family Count
--------- ----------- ------------- -----
10114 ICMP Timestamp Request Remote Date Disclosure General 1
10150 Windows NetBIOS / SMB Remote Host Information Disclosure Windows 1
10287 Traceroute Information General 1
10394 Microsoft Windows SMB Log In Possible Windows 1
10736 DCE Services Enumeration Windows 8
10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
.....
msf5 > nessus_scan_details 6 history //查看掃描歷史
History ID Status Creation Date Last Modification Date
---------- ------ ------------- ----------------------
7 running 1555301230
msf5 >
複製代碼
在WebUI上也能夠看到咱們建立的掃描
十、當完成掃描後,使用nessus_db_import <Scan ID>將掃描結果導入到Metasploit中。
msf5 > nessus_scan_details 6 info
Status Policy Scan Name Scan Targets Scan Start Time Scan End Time
------ ------ --------- ------------ --------------- -------------
completed Basic Network Scan test 192.168.177.144 1555301230 1555302154
msf5 > nessus_db_import 6
[*] Exporting scan ID 6 is Nessus format...
[+] The export file ID for scan ID 6 is 2110513949
[*] Checking export status...
[*] Export status: loading
[*] Export status: ready
[*] The status of scan ID 6 export is ready
[*] Importing scan results to the database...
[*] Importing data of 192.168.177.144
[+] Done
msf5 >
複製代碼
導入進去以後,咱們就能使用hosts、services命令查看主機和目標服務的信息了。
msf5 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.177.1 Unknown device
192.168.177.144 00:0c:29:41:d2:48 METASPLOITABLE3 Windows 2008 Standard SP1 server
192.168.177.145 Unknown device
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.177.1 21 tcp ftp open 220 Serv-U FTP Server v15.0 ready...\x0d\x0a
192.168.177.144 21 tcp ftp open 220 Microsoft FTP Service\x0d\x0a
192.168.177.144 22 tcp ssh open SSH-2.0-OpenSSH_7.1
192.168.177.144 80 tcp www open Microsoft IIS httpd 7.5
192.168.177.144 135 tcp epmap open
192.168.177.144 137 udp netbios-ns open
.....
複製代碼
查看掃描結果中的漏洞信息,使用vulns指令
msf5 > vulns
Vulnerabilities
===============
Timestamp Host Name References
--------- ---- ---- ----------
2019-04-12 07:52:51 UTC 192.168.177.144 MS17-010 SMB RCE Detection CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,MSB-MS17-
010,URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html,URL-https://github.com/countercept/doublepulsar-detection-script,URL-htt
ps://technet.microsoft.com/en-us/library/security/ms17-010.aspx
2019-04-12 09:08:20 UTC 192.168.177.144 HTTP Writable Path PUT/DELETE File Access
OSVDB-397
2019-04-15 04:25:24 UTC 192.168.177.144 Elasticsearch Transport Protocol Unspecified Remote Code Execution CVE-2015-5377,NSS-105752,NSS-119499
2019-04-15 04:25:25 UTC 192.168.177.144 MySQL Server Detection NSS-10719
2019-04-15 04:25:25 UTC 192.168.177.144 Elasticsearch Detection NSS-109941
2019-04-15 04:25:25 UTC 192.168.177.144 ManageEngine Desktop Central 9 < Build 92027 Multiple Vulnerabilities CVE-2018-8722,NSS-108752
2019-04-15 04:25:25 UTC 192.168.177.144 Elasticsearch Unrestricted Access Information Disclosure NSS-101025
....
複製代碼
1五、與NeXpose結合
在本節,咱們將介紹另外一個極佳的漏洞掃描器:NeXpose。NexPose是領先的漏洞評估工具之一。NeXpose 是 Rapid7 經常使用的工具,它執行漏洞掃描並將結果導入到 Metasploit 數據庫中。NeXpose 的用法與 Nessus 相似,讓咱們快速瞭解一下如何使用 NeXpose。至於深刻探究就留給你們來完成了。
準備工做
NeXpose社區版,可申請免費試用1年:www.rapid7.com/info/nexpos…
郵箱必須是獨立的我的、學校、企業、機構等域名郵箱;第三方郵箱均無效!(如:gmail、新浪、網易、12六、騰訊等都視爲無效)。
註冊,而後下載安裝程序進行安裝。
註冊完成,而後下載安裝程序
安裝:安裝詢問過程,直接敲回車便可,而後填寫一個用戶信息,設置密碼等
root@osboxes:~# chmod +x Rapid7Setup-Linux64.bin
root@osboxes:~# ./Rapid7Setup-Linux64.bin
....
Do you want to continue?
Yes [y, Enter], No [n]
Gathering system information....
Security Console with local Scan Engine
If you do not have a console installed yet, this option is recommended. The console manages scan engines and all administrative operations.
Scan Engine only
This distributed engine can start scanning after being paired with a Security Console.
Select only the set of components you want to install:
Security Console with local Scan Engine [1, Enter]
Scan Engine only [2]
1
Where should Rapid7 Vulnerability Management be installed?
[/opt/rapid7/nexpose]
....
Select any additional installation tasks.
Initialize and start after installation?
Yes [y], No [n, Enter]
y
...
If you chose to start the Security Console as part of the installation, then it will be started upon installer completion.
Using the credentials you created during installation, log onto Nexpose at https://localhost:3780.
To start the service run: sudo systemctl start nexposeconsole.service
To start the service run: sudo systemctl start nexposeconsole.service
The Security Console is configured to automatically run at startup. See the
installation guide if you wish to modify start modes.
[Enter]
Finishing installation...
複製代碼
咱們設置的用戶名:nexpose 密碼:Faq3wANIK0 (根據本身喜愛設置)
啓動腳本,執行/opt/rapid7/nexpose/nsc/nsc.sh 或者systemctl start nexposeconsole,啓動須要一段時間,請耐心等待。
而後訪問https://localhost:3780配置,等待啓動完成,使用用戶名和密碼登陸,而後輸入咱們申請的Key激活產品
在msfconsole中載入nexpose組件,而後鏈接到nexpose服務
msf5 > load nexpose
▄▄▄ ▄▄ ▄▄▄ ▄▄▄
███ ██ ██ ▄██
██▀█ ██ ▄████▄ ████ ██▄███▄ ▄████▄ ▄▄█████▄ ▄████▄
██ ██ ██ ██▄▄▄▄██ ██ ██▀ ▀██ ██▀ ▀██ ██▄▄▄▄ ▀ ██▄▄▄▄██
██ █▄██ ██▀▀▀▀▀▀ ████ ██ ██ ██ ██ ▀▀▀▀██▄ ██▀▀▀▀▀▀
██ ███ ▀██▄▄▄▄█ ██ ██ ███▄▄██▀ ▀██▄▄██▀ █▄▄▄▄▄██ ▀██▄▄▄▄█
▀▀ ▀▀▀ ▀▀▀▀▀ ▀▀▀ ▀▀▀ ██ ▀▀▀ ▀▀▀▀ ▀▀▀▀▀▀ ▀▀▀▀▀
██
[*] Nexpose integration has been activated
[*] Successfully loaded plugin: nexpose
msf5 > nexpose_connect nexpose:Faq3wANIK0@127.0.0.1:3780
[*] Connecting to Nexpose instance at 127.0.0.1:3780 with username nexpose...
msf5 >
複製代碼
怎麼作
與NeXpose服務鏈接後,咱們就能夠掃描目標生成報告。NeXpose支持兩個掃描命令,一個是nexpose_scan,此命令會掃描目標而後導入結果到metasploit數據庫中,另一個是nexpose_discover,此命令僅發現主機和服務,不導入結果。
一、對目標進行快速掃描(執行最小服務發現掃描)
msf5 > nexpose_discover 192.168.177.144
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf5 >
複製代碼
二、查看nexpose_scan幫助
msf5 > nexpose_scan -h
Usage: nexpose_scan [options] <Target IP Ranges>
OPTIONS:
-E <opt> Exclude hosts in the specified range from the scan
-I <opt> Only scan systems with an address within the specified range
-P Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
-c <opt> Specify credentials to use against these targets (format is type:user:pass
-d Scan hosts based on the contents of the existing database
-h This help menu
-n <opt> The maximum number of IPs to scan at a time (default is 32)
-s <opt> The directory to store the raw XML files from the Nexpose instance (optional)
-t <opt> The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
-v Display diagnostic information about the scanning process
msf5 >
複製代碼
三、要掃描目標,使用nexpose_scan -t <template> <target_id>
msf5 > nexpose_scan -t full-audit 192.168.177.144
[*] Scanning 1 addresses with template full-audit in sets of 32
[*] Completed the scan of 1 addresses
msf5 >
複製代碼
四、掃描完成後,導入結果到數據庫中,使用nexpose_site_import <site_id>
msf5 > nexpose_site_import 7
[*] Generating the export data file...
[*] Downloading the export data...
[*] Importing Nexpose data...
複製代碼
1六、與OpenVAS結合
OpenVAS( Open Vulnerability Assessment System)是Nessus項目的分支。是一個免費開源的漏洞掃描和漏洞管理工具。也是當前使用最爲普遍的漏洞掃描和管理開源解決方案。
怎麼作
一、在Kali上安裝 OpenVAS
root@osboxes:~# apt install openvas -y
複製代碼
二、設置openvas,包括下載規則,建立管理員用戶和服務。
root@osboxes:~# openvas-setup //這一步會下載不少東西,請耐心等待
[>] Updating OpenVAS feeds
[*] [1/3] Updating: NVT
--2019-04-15 13:54:37-- http://dl.greenbone.net/community-nvt-feed-current.tar.bz2
Connecting to 192.168.1.91:1080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 22288483 (21M) [application/octet-stream]
....
通過漫長的等待...
[*] Opening Web UI (https://127.0.0.1:9392) in: 5... 4... 3... 2... 1...
[>] Checking for admin user
[*] Creating admin user
User created with password 'dc63c468-3780-4e3c-b30c-1597f4b91623'.
[+] Done
複製代碼
三、配置完成後,啓動openvas ,其實在上一步中已經啓動了。也能夠用下面的命令啓動
root@osboxes:~# openvas-start
複製代碼
訪問https://127.0.0.1:9392可登陸WebUI
四、在msfconsole中載入openvas組件
msf5 > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*]
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*]
[*] Successfully loaded plugin: OpenVAS
msf5 >
複製代碼
五、查看幫助信息
msf5 > help openvas
OpenVAS Commands
================
Command Description
------- -----------
openvas_config_list Quickly display list of configs
openvas_connect Connect to an OpenVAS manager using OMP
openvas_debug Enable/Disable debugging
openvas_disconnect Disconnect from OpenVAS manager
openvas_format_list Display list of available report formats
openvas_help Displays help
openvas_report_delete Delete a report specified by ID
openvas_report_download Save a report to disk
openvas_report_import Import report specified by ID into framework
openvas_report_list Display a list of available report formats
openvas_target_create Create target (name, hosts, comment)
openvas_target_delete Delete target by ID
openvas_target_list Display list of targets
openvas_task_create Create a task (name, comment, target, config)
openvas_task_delete Delete task by ID
openvas_task_list Display list of tasks
openvas_task_pause Pause task by ID
openvas_task_resume Resume task by ID
openvas_task_resume_or_start Resume task or start task by ID
openvas_task_start Start task by ID
openvas_task_stop Stop task by ID
openvas_version Display the version of the OpenVAS server
msf5 >
複製代碼
六、使用 openvas_connect <username> <password> <host> <port>鏈接到OpenVAS服務
msf5 > openvas_connect admin dc63c468-3780-4e3c-b30c-1597f4b91623 127.0.0.1 9390
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
msf5 >
複製代碼
七、添加掃描目標,使用openvas_target_create <Name> <Hosts> <Comment>指令,參數包括描述信息,目標的IP
msf5 > openvas_target_create "Metasploitable3" 192.168.177.144 "Windows Target"
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets
ID Name Hosts Max Hosts In Use Comment
-- ---- ----- --------- ------ -------
6455a780-092a-40dd-8c01-191a7612505a Metasploitable3 192.168.177.144 1 0 Windows Target
msf5 >
複製代碼
八、列出配置列表:openvas_config_list
msf5 > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs
ID Name
-- ----
085569ce-73ed-11df-83c3-002264764cea empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5 Host Discovery
698f691e-7489-11df-9d8c-002264764cea Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea Full and very deep
74db13d6-7489-11df-91b9-002264764cea Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196 Discovery
bbca7412-a950-11e3-9109-406186ea4fc5 System Discovery
daba56c8-73ec-11df-a475-002264764cea Full and fast
msf5 >
複製代碼
九、建立任務,使用以下指令
openvas_task_create <name> <Comment> <config_id> <target_id>
複製代碼
msf5 > openvas_task_create "Metasploitable3" "Windows" 698f691e-7489-11df-9d8c-002264764cea 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
fb18cf93-a94b-4c9b-aadf-9408bd9a9186 Metasploitable3 Windows New -1
msf5 >
複製代碼
十、啓動任務,使用openvas_task_start <task_id>
msf5 > openvas_task_start fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>7993d76a-43b3-48c6-ac94-ca630e20db68</report_id></start_task_response></X>msf5 >
複製代碼
十一、查看進度,使用openvas_task_list
msf5 > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeou
t.timeout instead.
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
fb18cf93-a94b-4c9b-aadf-9408bd9a9186 Metasploitable3 Windows Requested 1
msf5 >
複製代碼
十二、使用openvas_format_list 能夠查看OpenVAS支持的報告格式。
msf5 > openvas_format_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout i
nstead.
[+] OpenVAS list of report formats
ID Name Extension Summary
-- ---- --------- -------
5057e5cc-b825-11e4-9d0e-28d24461215b Anonymous XML xml Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b Verinice ITG vna Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5 CPE csv Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5 HTML html Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5 ITG csv German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5 CSV Hosts csv CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5 ARF xml Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 NBE nbe Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd Topology SVG svg Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5 TXT txt Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5 LaTeX tex LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5 XML xml Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15 Verinice ISM vna Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5 CSV Results csv CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5 PDF pdf Portable Document Format report.
msf5 >
複製代碼
1三、在WebUI一樣能夠看到咱們建立的任務狀態信息
1四、任務完成後,使用openvas_report_list 查看報告列表。
msf5 > openvas_report_list
[+] OpenVAS list of reports
ID Task Name Start Time Stop Time
-- --------- ---------- ---------
4ee7b572-a470-484c-962e-773d3a7eb7b1 Metasploitable3 2019-04-16T02:40:24Z 2019-04-16T03:07:15Z
7993d76a-43b3-48c6-ac94-ca630e20db68 Metasploitable3 2019-04-16T01:15:44Z
複製代碼
1五、使用openvas_report_import命令將報告導入到Metasploit中,僅支持NBE(legacy OpenVAS report)和XML格式導入。
msf5 > openvas_report_import 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
[*] Importing report to database.
複製代碼
可是這裏咱們使用的 Metasploit-5.0直接這麼導入會報錯,沒法導入,咱們先導出爲文件再用db_import導入就能夠了。
msf5 > openvas_report_download
[*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
msf5 > openvas_report_download 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 /tmp/ Metasploitable3
[*] Saving report to /tmp/Metasploitable3
msf5 > db_import /tmp/Metasploitable3
[*] Importing 'OpenVAS XML' data
[*] Successfully imported /tmp/Metasploitable3
msf5 >
複製代碼
1六、查看OpenVAS掃描的漏洞信息
msf5 > vulns
Vulnerabilities
===============
Timestamp Host Name References
--------- ---- ---- ----------
2019-04-16 08:15:22 UTC 192.168.177.144 ICMP Timestamp Detection CVE-1999-0524
2019-04-16 08:15:23 UTC 192.168.177.144 Microsoft Windows IIS CVE-2010-3972,BID-45542
2019-04-16 08:15:23 UTC 192.168.177.144 Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,BID-96703,BID-96704,BID-96705,BID-96706,BID-96707,BID-96709
2019-04-16 08:15:23 UTC 192.168.177.144 MS15-034 HTTP.sys Remote Code CVE-2015-1635
2019-04-16 08:15:23 UTC 192.168.177.144 Oracle Glass Fish Server CVE-2017-1000028
2019-04-16 08:15:23 UTC 192.168.177.144 SSL/TLS: Report 'Anonymous' Cipher Suites .....
複製代碼
第三章 服務端漏洞利用(預告)
在本章中,咱們將學習如下內容
一、攻擊Linux服務器
二、SQL注入攻擊
三、shell類型
四、攻擊Windows服務器
五、利用公用服務
六、MS17-010 永恆之藍 SMB遠程代碼執行Windows內核破壞
七、MS17-010 EternalRomance/EternalSynergy/EternalChampion
八、植入後門
九、拒絕服務攻擊
說明
原書:《Metasploit Penetration Testing Cookbook - Third Edition》
本文由合天網安實驗室編譯,轉載請註明來源。
關於合天網安實驗室
合天網安實驗室(www.hetianlab.com)-國內領先的實操型網絡安全在線教育平臺
真實環境,在線實操學網絡安全 ; 實驗內容涵蓋:系統安全,軟件安全,網絡安全,Web安全,移動安全,CTF,取證分析,滲透測試,網安意識教育等。
相關文章
- 1. Metasploit 滲透測試手冊第三版 第二章 信息收集與掃描(翻譯)
- 2. Metasploit 滲透測試手冊第三版 第一章 Metasploit快速入門(翻譯)
- 3. Metasploit 滲透測試手冊第三版 第三章 服務端漏洞利用(翻譯)
- 4. 二、滲透測試之信息收集
- 5. 滲透測試之信息收集(二)
- 6. 《滲透測試實戰第三版(紅隊版)》翻譯完成
- 7. 第一章---滲透測試之信息收集
- 8. Android 滲透測試學習手冊 第九章 編寫滲透測試報告
- 9. 滲透測試之信息收集
- 10. @滲透測試之信息收集
- 更多相關文章...
- • 第一個MyBatis程序 - MyBatis教程
- • 第一個Hibernate程序 - Hibernate教程
- • Spring Cloud 微服務實戰(三) - 服務註冊與發現
- • 三篇文章瞭解 TiDB 技術內幕 —— 說計算
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
