MFS 服务扫描与爆破
MSF 服务发现
常用来发现局域网内,的常见服务,比如HTTP,FTP,TELNET等.
MSF模块搜索:
[root@localhost ~]# msfconsole
msf5 > search scanner type:auxiliary
msf5 > search scanner/http type:auxiliary // 搜索所有与HTTP相关的模块
发现HTTP服务: 基于scanner/http/http_version发现HTTP服务.
msf5 > use scanner/http/http_version
msf5 auxiliary(scanner/http/http_version) > show options
Module options (auxiliary/scanner/http/http_version):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/http/http_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/http/http_version) > set rport 80
rport => 80
msf5 auxiliary(scanner/http/http_version) > exploit
[+] 192.168.1.7:80 Apache/2.4.6 (CentOS) PHP/5.4.16 ( Powered by PHP/5.4.16, 302-login.php )
[+] 192.168.1.3:80 Apache/2.5.0 (CentOS) PHP/7.0.0 ( Powered by PHP/7.0.0, 302-admin.php )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
发现SMB服务: 基于scanner/smb/smb_version发现SMB服务.
msf5 > use scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 10 yes The number of concurrent threads
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/smb/smb_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/smb/smb_version) > exploit
[+] 192.168.1.2:445 - Host is running Windows 10 China (name:lyshark) (workgroup:lyshark)
[*] 192.168.1.7:445 - Host could not be identified: Windows 6.1 (Samba 4.8.3)
[*] 192.168.1.0/24:445 - Scanned 26 of 256 hosts (10% complete)
[*] 192.168.1.0/24:445 - Caught interrupt from the console...
[*] Auxiliary module execution completed
发现FTP服务: 基于scanner/ftp/ftp_version发现FTP服务
msf5 > use scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)
THREADS 10 yes The number of concurrent threads
msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/ftp/ftp_version) > exploit
[+] 192.168.1.7:21 - FTP Banner: '220 (vsFTPd 3.0.2)\x0d\x0a'
[*] 192.168.1.0/24:21 - Scanned 32 of 256 hosts (12% complete)
[*] 192.168.1.0/24:21 - Caught interrupt from the console...
[*] Auxiliary module execution completed
发现SSH服务: 基于auxiliary/scanner/ssh/ssh_version发现SSH服务
msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 22 yes The target port (TCP)
THREADS 10 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe
msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ssh/ssh_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/ssh/ssh_version) > exploit
[+] 192.168.1.7:22 - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.4 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.1.0/24:22 - Caught interrupt from the console...
[*] Auxiliary module execution completed
发现Telnet服务: 基于auxiliary/scanner/telnet/telnet_version发现TELNET服务
msf5 > use auxiliary/scanner/telnet/telnet_version
msf5 auxiliary(scanner/telnet/telnet_version) > show options
Module options (auxiliary/scanner/telnet/telnet_version):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 23 yes The target port (TCP)
THREADS 10 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the Telnet probe
USERNAME no The username to authenticate as
msf5 auxiliary(scanner/telnet/telnet_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/telnet/telnet_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/telnet/telnet_version) > exploit
[-] 192.168.1.1:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.1:23).
[-] 192.168.1.7:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.7:23).
[-] 192.168.1.0:23 - A network issue has occurred: The host (192.168.1.0:23) was unreachable.
[-] 192.168.1.10:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.10:23).
[-] 192.168.1.3:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.3:23).
[-] 192.168.1.5:23 - A network issue has occurred: The host (192.168.1.5:23) was unreachable.
[*] 192.168.1.0/24:23 - Caught interrupt from the console...
[*] Auxiliary module execution completed
发现MySQL服务: 基于auxiliary/scanner/mysql/mysql_version发现mysql服务
msf5 > use auxiliary/scanner/mysql/mysql_version
msf5 auxiliary(scanner/mysql/mysql_version) > show options
Module options (auxiliary/scanner/mysql/mysql_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.7 yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/mysql/mysql_version) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/mysql/mysql_version) > set rport 3306
rport => 3306
msf5 auxiliary(scanner/mysql/mysql_version) > exploit
[*] 192.168.1.7:3306 - 192.168.1.7:3306 is running MySQL, but responds with an error: \x04Host '192.168.1.7' is not allowed to connect to this MariaDB server
[*] 192.168.1.7:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
发现MSSQL服务: 基于auxiliary/scanner/mssql/mssql_ping发现SQL Server服务
msf5 > use auxiliary/scanner/mssql/mssql_ping
msf5 auxiliary(scanner/mssql/mssql_ping) > show options
Module options (auxiliary/scanner/mssql/mssql_ping):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 10 yes The number of concurrent threads
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/mssql/mssql_ping) > set threads 10
threads => 10
msf5 auxiliary(scanner/mssql/mssql_ping) > run
发现Oracle服务: 基于auxiliary/scanner/oracle/tnslsnr_version发现Oracle服务
msf5 > use auxiliary/scanner/oracle/tnslsnr_version
msf5 auxiliary(scanner/oracle/tnslsnr_version) > show options
Module options (auxiliary/scanner/oracle/tnslsnr_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)
THREADS 10 yes The number of concurrent threads
msf5 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/oracle/tnslsnr_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/oracle/tnslsnr_version) > run
## MSF 主机的发现
MSF提供了一些辅助模块,可以实现主机发现,这些模块位于modules/auxiliary/scanner/discovery/目录中,主要有以下几个arp_sweep,ipv6_multicast_ping,ipv6_neighbor,ipv6_neighbor_router_advertisement,udp_probe,udp_sweep,接下来主要看常用的几个模块的使用技巧.
ARP发现内网主机: 基于scanner/discovery/arp_sweep发现内网存活主机.
msf5 > use scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > show options
Module options (auxiliary/scanner/discovery/arp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 10 yes The number of concurrent threads
TIMEOUT 5 yes The number of seconds to wait for new data
msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set threads 10
threads => 10
msf5 auxiliary(scanner/discovery/arp_sweep) > exploit
[+] 192.168.1.1 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.1 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
UDP发现内网主机: 基于scanner/discovery/udp_sweep发现内网存活主机.
msf5 > use scanner/discovery/udp_sweep
msf5 auxiliary(scanner/discovery/udp_sweep) > show options
Module options (auxiliary/scanner/discovery/udp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
THREADS 10 yes The number of concurrent threads
msf5 auxiliary(scanner/discovery/udp_sweep) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/udp_sweep) > exploit
[*] Sending 13 probes to 192.168.1.0->192.168.1.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.1.2:137 (lyshark:<20>:U :lysahrk:<00>:U :lyshark:<00>:G :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U :__MSBROWSE__:<01>:G :a4:be:c8:fe:ac:z4)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
ACK发现内网主机: 基于auxiliary/scanner/portscan/ack扫描内网存活主机.
msf5 > use auxiliary/scanner/portscan/ack
msf5 auxiliary(scanner/portscan/ack) > show options
Module options (auxiliary/scanner/portscan/ack):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 192.168.1.7 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 10 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf5 auxiliary(scanner/portscan/ack) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/ack) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/ack) > exploit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
SYN发现内网主机: 基于auxiliary/scanner/portscan/syn扫描内网存活主机.
msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-1024 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 192.168.1.7 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 10 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/syn) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/syn) > run
TCP发现内网主机: 基于auxiliary/scanner/portscan/tcp扫描内网存活主机.
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 192.168.1.7 yes The target address range or CIDR identifier
THREADS 10 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.1.7: - 192.168.1.7:21 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:22 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:80 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:139 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:445 - TCP OPEN
[*] 192.168.1.7: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
### MSF 服务爆破
对于发现的服务,下一个目标就是尝试爆破其登陆密码,爆破是否能够成功,这里需要有一个社工好了的字典,这里只是演示几个服务爆破的使用方法,这里只演示爆破的配置,爆破时间过长,不做具体实验.
SSH口令爆破:
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.7
set username root
set pass_file /root/pass.txt
set threads 10
exploit
Samba口令爆破:
use auxiliary/scanner/smb/smb_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
set threads 10
exploit
FTP口令爆破:
use scanner/ftp/ftp_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
set threads 10
exploit
MySQL口令爆破:
search mysql
use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit
Postgresql口令爆破:
use auxiliary/scanner/postgres/postgres_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit
Tomcat口令爆破:
search tomcat
use auxiliary/scanner/http/tomcat_mgr_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit
Telnet口令爆破:
use auxiliary/scanner/telnet/telnet_login
set rhosts 192.168.1.7
set username administrator
set pass_file /root/pass.txt
exploit
MFS 服务扫描与爆破的更多相关文章
- 小白日记11:kali渗透测试之服务扫描-banner、dmitry、nmap特征库、操作系统识别、SNMP
服务扫描 不能单纯的以端口辨别服务.很多网络服务是漏洞频发的高危对象,对网络上的特定服务进行扫描,往往能让我们少走弯路,增加渗透成功的几率.确定开放端口后,通常会对相应端口上所运行服务的信息进行更深入 ...
- metasploit常用服务扫描和利用模块
metasploit常用服务扫描和利用模块 SMB扫描 smb枚举auxiliary/scanner/smb/smb_enumusers 扫描命名管道auxiliary/scanner/smb/pip ...
- Kali学习笔记12:服务扫描
关于什么是服务扫描不多介绍,通俗来看: 我已经扫描到目标机器某个端口开放,接下来我需要知道开放这个端口的是什么应用 情景: 我的Kali机器IP地址:192.168.22.130 我要扫描的Metas ...
- Linux常用网络工具:批量主机服务扫描之netcat
netcat又叫做瑞士军刀,是黑客和系统管理员常用的网络工具,最初开发的目的是文件传输,后来发展出很多强大的功能,比如也可以完成批量主机服务扫描. 之前介绍了另一个更常用的批量主机服务扫描工具:nma ...
- Linux常用网络工具:批量主机服务扫描之nmap
Linux下有很多强大网络扫描工具,网络扫描工具可以分为:主机扫描.主机服务扫描.路由扫描等. 之前已经写过常用的主机扫描和路由扫描工具,nmap支持批量主机扫描和主机服务扫描. nmap的安装直接使 ...
- Oracle服务扫描工具Oscanner
Oracle服务扫描工具Oscanner Oracle是甲骨文公司推出的关系型数据库,适用于中大规模数据存储,如大型企业.电信.银行等行业.Kali Linux集成了Oracle服务扫描专向工具O ...
- 内网探测之SPN服务扫描及相关利用
在写下一个大块之前,补充一些小知识点,也没啥新东西 0x01简介 如果常规扫描服务,结果不理想,非常GG,可以考虑使用SPN进行服务扫描,这是为了借助Kerberos的正常查询行为(向域控发起LDAP ...
- 小白日记13:kali渗透测试之服务扫描(三)-SMTB扫描、防火墙识别、负载均衡识别、WAF识别
SMTP扫描 SMTP(Simple Mail Transfer Protocol)即简单邮件传输协议,它是一组用于由源地址到目的地址传送邮件的规则,由它来控制信件的中转方式.SMTP协议属于TCP/ ...
- metasploit framework(十):SSH扫描、爆破
SSH版本扫描 SSH密码爆破 设置爆破字典 run开始
随机推荐
- String和StringBuilder、StringBuffer的区别
String对象一旦创建之后该对象是不可更改的,但后两者的对象是变量,是可以更改的. String:适用于少量的字符串操作的情况 StringBuilder:适用于单线程下在字符缓冲区进行大量操作的情 ...
- 【Noip模拟 20160929】花坛迷宫
题目描述 圣玛格丽特学园的一角有一个巨大.如迷宫般的花坛.大约有一个人这么高的大型花坛,做成迷宫的形状,深受中世纪贵族的喜爱.维多利加的小屋就坐落在这迷宫花坛的深处.某一天早晨,久城同学要穿过这巨大的 ...
- Helm简介
什么是Helm 微服务和容器化给复杂应用部署与管理带来了极大的挑战.Helm是目前Kubernetes服务编排领域的唯一开源子项目,作为Kubernetes应用的一个包管理工具,可理解为Kuberne ...
- 一个free异常引发的异常
有同事反馈说自己的线程不工作,查看堆栈发现其打印如下: # # # # # # # # , info= # <signal handler called> # # # # # # # , ...
- Spring系列之Spring常用注解总结 转载
Spring系列之Spring常用注解总结 传统的Spring做法是使用.xml文件来对bean进行注入或者是配置aop.事物,这么做有两个缺点:1.如果所有的内容都配置在.xml文件中,那么.x ...
- Reboot-less node fencing in Oracle Clusterware 11g Release 2
在进行一次RAC的高可用性测试时,当private网卡的网线被拔掉之后,没有出现传说中的有一个节点被CRS强制重启,取而代之的是node2上面的ASM实例和RDBMS实例被关闭:当网线被重新插上时,n ...
- 【VBA】ExcelファイルのOpen
※変数の定義を強制する方法: 一番上に.「Option Explicit」を追加して.変数の定義が必須となる. ソース Private Sub CommandButton2_Click() //スクリ ...
- Python设计模式 - UML - 部署图(Deployment Diagram)
简介 部署图也称配置图,用来显示系统中硬件和软件的物理架构.从中可以了解到软件和硬件组件之间的物理拓扑.连接关系以及处理节点的分布情况. 部署图建模步骤 - 找出需要进行部署的各类节点,如网络硬件设备 ...
- 织梦会员 Warning: preg_replace(): The /e modifier is no longer supported, us...
http://php.net/manual/zh/reference.pcre.pattern.modifiers.php#reference.pcre.pattern.modifiers.eval ...
- SVD及其在推荐系统中的作用
本文先从几何意义上对奇异值分解SVD进行简单介绍,然后分析了特征值分解与奇异值分解的区别与联系,最后用python实现将SVD应用于推荐系统. 1.SVD详解 SVD(singular value d ...