美文网首页
0x02 主动信息收集

0x02 主动信息收集

作者: Gatociego | 来源:发表于2018-12-05 16:34 被阅读0次

    查看端口扫描模块

    search portscan
    
    Matching Modules
    ================
    
       Name                                              Disclosure Date  Rank    Description
       ----                                              ---------------  ----    -----------
       auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
       auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
       auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
       auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
       auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
       auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
       auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
       auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner
    

    tcp端口扫描

    use auxiliary/scanner/portscan/tcp                             
    msf > use auxiliary/scanner/portscan/tcp
    msf auxiliary(scanner/portscan/tcp) > show options 
    
    Module options (auxiliary/scanner/portscan/tcp):
    
       Name         Current Setting  Required  Description
       ----         ---------------  --------  -----------
       CONCURRENCY  10               yes       The number of concurrent ports to check per host
       DELAY        0                yes       The delay between connections, per thread, in milliseconds
       JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
       PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
       RHOSTS                        yes       The target address range or CIDR identifier
       THREADS      1                yes       The number of concurrent threads
       TIMEOUT      1000             yes       The socket connect timeout in milliseconds
    
    msf auxiliary(scanner/portscan/tcp) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/portscan/tcp) > set threads 100
    threads => 100
    msf auxiliary(scanner/portscan/tcp) > run
    

    tcp协议同步SYN扫描

    msf > use auxiliary/scanner/portscan/syn 
    msf auxiliary(scanner/portscan/syn) > show options 
    
    Module options (auxiliary/scanner/portscan/syn):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       BATCHSIZE  256              yes       The number of hosts to scan per set
       DELAY      0                yes       The delay between connections, per thread, in milliseconds
       INTERFACE                   no        The name of the interface
       JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
       PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
       RHOSTS                      yes       The target address range or CIDR identifier
       SNAPLEN    65535            yes       The number of bytes to capture
       THREADS    1                yes       The number of concurrent threads
       TIMEOUT    500              yes       The reply read timeout in milliseconds
    
    msf auxiliary(scanner/portscan/syn) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/portscan/syn) > set threads 10
    threads => 10
    msf auxiliary(scanner/portscan/syn) > run
    

    nmap扫描

    arp sweep

    msf > use auxiliary/scanner/discovery/arp_sweep 
    msf auxiliary(scanner/discovery/arp_sweep) > show options 
    
    Module options (auxiliary/scanner/discovery/arp_sweep):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       INTERFACE                   no        The name of the interface
       RHOSTS                      yes       The target address range or CIDR identifier
       SHOST                       no        Source IP Address
       SMAC                        no        Source MAC Address
       THREADS    1                yes       The number of concurrent threads
       TIMEOUT    5                yes       The number of seconds to wait for new data
    
    msf auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/discovery/arp_sweep) > set threads 100
    threads => 100
    msf auxiliary(scanner/discovery/arp_sweep) > run
    

    udp sweeper

    msf > use auxiliary/scanner/discovery/udp_sweep 
    msf auxiliary(scanner/discovery/udp_sweep) > show options 
    
    Module options (auxiliary/scanner/discovery/udp_sweep):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       BATCHSIZE  256              yes       The number of hosts to probe in each set
       RHOSTS                      yes       The target address range or CIDR identifier
       THREADS    10               yes       The number of concurrent threads
    
    msf auxiliary(scanner/discovery/udp_sweep) > set threads 100
    threads => 100
    msf auxiliary(scanner/discovery/udp_sweep) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/discovery/udp_sweep) > run
    

    smb共享目录枚举

    msf > use auxiliary/scanner/smb/smb_enumshares 
    msf auxiliary(scanner/smb/smb_enumshares) > show options 
    
    Module options (auxiliary/scanner/smb/smb_enumshares):
    
       Name            Current Setting  Required  Description
       ----            ---------------  --------  -----------
       LogSpider       3                no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
       MaxDepth        999              yes       Max number of subdirectories to spider
       RHOSTS                           yes       The target address range or CIDR identifier
       SMBDomain       .                no        The Windows domain to use for authentication
       SMBPass                          no        The password for the specified username
       SMBUser                          no        The username to authenticate as
       ShowFiles       false            yes       Show detailed information when spidering
       SpiderProfiles  true             no        Spider only user profiles when share = C$
       SpiderShares    false            no        Spider shares recursively
       THREADS         1                yes       The number of concurrent threads
    
    msf auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/smb/smb_enumshares) > set threads 100
    threads => 100
    msf auxiliary(scanner/smb/smb_enumshares) > run
    
    # 结果
    [*] Scanned 101 of 256 hosts (39% complete)
    [-] 192.168.10.122:139    - Login Failed: Unable to Negotiate with remote host
    [-] 192.168.10.128:139    - Login Failed: Unable to Negotiate with remote host
    [*] Scanned 105 of 256 hosts (41% complete)
    [*] 192.168.10.122:445    - Windows 2003  (Unknown)
    [+] 192.168.10.122:445    - IPC$ - (I) Remote IPC
    [+] 192.168.10.122:445    - ADMIN$ - (DS) Remote Admin
    [+] 192.168.10.122:445    - C$ - (DS) Default share
    [*] Scanned 108 of 256 hosts (42% complete)
    [*] Scanned 199 of 256 hosts (77% complete)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    

    smb版本扫描

    msf > use auxiliary/scanner/smb/smb_version 
    msf auxiliary(scanner/smb/smb_version) > show options 
    
    Module options (auxiliary/scanner/smb/smb_version):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       RHOSTS                      yes       The target address range or CIDR identifier
       SMBDomain  .                no        The Windows domain to use for authentication
       SMBPass                     no        The password for the specified username
       SMBUser                     no        The username to authenticate as
       THREADS    1                yes       The number of concurrent threads
    
    msf auxiliary(scanner/smb/smb_version) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/smb/smb_version) > set threads 100
    threads => 100
    msf auxiliary(scanner/smb/smb_version) > run
    
    # 结果
    
    [*] Scanned 101 of 256 hosts (39% complete)
    [*] Scanned 104 of 256 hosts (40% complete)
    [+] 192.168.10.122:445    - Host is running Windows 2003 (build:3790) (name:ROOT-TVI862UBEH) (workgroup:WORKGROUP )
    [+] 192.168.10.128:445    - Host is running Windows XP SP3 (language:English) (name:DH-CA8822AB9589) (workgroup:WORKGROUP )
    [*] Scanned 204 of 256 hosts (79% complete)
    [*] 192.168.10.254:445    - Host could not be identified: Unix (Samba 3.0.20-Debian)
    [*] Scanned 247 of 256 hosts (96% complete)
    [*] Scanned 248 of 256 hosts (96% complete)
    [*] Scanned 254 of 256 hosts (99% complete)
    [*] Scanned 255 of 256 hosts (99% complete)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    

    smb用户枚举

    msf > use auxiliary/scanner/smb/smb_enumusers
    msf auxiliary(scanner/smb/smb_enumusers) > show options 
    
    Module options (auxiliary/scanner/smb/smb_enumusers):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       RHOSTS                      yes       The target address range or CIDR identifier
       SMBDomain  .                no        The Windows domain to use for authentication
       SMBPass                     no        The password for the specified username
       SMBUser                     no        The username to authenticate as
       THREADS    1                yes       The number of concurrent threads
    
    msf auxiliary(scanner/smb/smb_enumusers) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/smb/smb_enumusers) > set threads 100
    threads => 100
    msf auxiliary(scanner/smb/smb_enumusers) > run
    
    # 结果
    [*] Scanned 101 of 256 hosts (39% complete)
    [*] Scanned 104 of 256 hosts (40% complete)
    [*] Scanned 203 of 256 hosts (79% complete)
    [*] Scanned 204 of 256 hosts (79% complete)
    [+] 192.168.10.254:139    - METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
    [*] Scanned 229 of 256 hosts (89% complete)
    [*] Scanned 246 of 256 hosts (96% complete)
    [*] Scanned 248 of 256 hosts (96% complete)
    [*] Scanned 249 of 256 hosts (97% complete)
    [*] Scanned 250 of 256 hosts (97% complete)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    

    smb尝试登陆

    msf > use auxiliary/scanner/smb/smb_login 
    msf auxiliary(scanner/smb/smb_login) > show options 
    
    Module options (auxiliary/scanner/smb/smb_login):
    
       Name               Current Setting  Required  Description
       ----               ---------------  --------  -----------
       ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
       BLANK_PASSWORDS    false            no        Try blank passwords for all users
       BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
       DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
       DB_ALL_PASS        false            no        Add all passwords in the current database to the list
       DB_ALL_USERS       false            no        Add all users in the current database to the list
       DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
       DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
       PASS_FILE                           no        File containing passwords, one per line
       PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
       Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
       RECORD_GUEST       false            no        Record guest-privileged random logins to the database
       RHOSTS                              yes       The target address range or CIDR identifier
       RPORT              445              yes       The SMB service port (TCP)
       SMBDomain          .                no        The Windows domain to use for authentication
       SMBPass                             no        The password for the specified username
       SMBUser                             no        The username to authenticate as
       STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
       THREADS            1                yes       The number of concurrent threads
       USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
       USER_AS_PASS       false            no        Try the username as the password for all users
       USER_FILE                           no        File containing usernames, one per line
       VERBOSE            true             yes       Whether to print output for all attempts
    
    msf auxiliary(scanner/smb/smb_login) > show missing 
    
    Module options (auxiliary/scanner/smb/smb_login):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target address range or CIDR identifier
    
    msf auxiliary(scanner/smb/smb_login) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/smb/smb_login) > set threads 100
    threads => 100
    msf auxiliary(scanner/smb/smb_login) > run
    

    smb漏洞 ms17-010

    msf > use auxiliary/scanner/smb/smb_ms17_010 
    msf auxiliary(scanner/smb/smb_ms17_010) > show options 
    
    Module options (auxiliary/scanner/smb/smb_ms17_010):
    
       Name         Current Setting                                                 Required  Description
       ----         ---------------                                                 --------  -----------
       CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
       CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
       CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
       NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
       RHOSTS                                                                       yes       The target address range or CIDR identifier
       RPORT        445                                                             yes       The SMB service port (TCP)
       SMBDomain    .                                                               no        The Windows domain to use for authentication
       SMBPass                                                                      no        The password for the specified username
       SMBUser                                                                      no        The username to authenticate as
       THREADS      1                                                               yes       The number of concurrent threads
    
    msf auxiliary(scanner/smb/smb_ms17_010) > show missing 
    
    Module options (auxiliary/scanner/smb/smb_ms17_010):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target address range or CIDR identifier
    
    msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/smb/smb_ms17_010) > set threads 100
    threads => 100
    msf auxiliary(scanner/smb/smb_ms17_010) > run
    
    # 结果
    
    [*] Scanned 101 of 256 hosts (39% complete)
    [*] Scanned 104 of 256 hosts (40% complete)
    [+] 192.168.10.122:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 x86 (32-bit)
    [+] 192.168.10.128:445    - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
    [*] Scanned 163 of 256 hosts (63% complete)
    [*] Scanned 178 of 256 hosts (69% complete)
    [-] 192.168.10.254:445    - Host does NOT appear vulnerable.
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    

    ssh版本扫描

    msf > use auxiliary/scanner/ssh/ssh_version 
    msf auxiliary(scanner/ssh/ssh_version) > show options 
    
    Module options (auxiliary/scanner/ssh/ssh_version):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOSTS                    yes       The target address range or CIDR identifier
       RPORT    22               yes       The target port (TCP)
       THREADS  1                yes       The number of concurrent threads
       TIMEOUT  30               yes       Timeout for the SSH probe
    
    msf auxiliary(scanner/ssh/ssh_version) > set threads 100
    threads => 100
    msf auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/ssh/ssh_version) > run
    
    # 结果
    *] Scanned 101 of 256 hosts (39% complete)
    [+] 192.168.10.115:22     - SSH server version: SSH-2.0-OpenSSH_7.8p1 Debian-1 ( service.version=7.8p1 openssh.comment=Debian-1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.8p1 os.vendor=Debian os.device=General os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )
    [+] 192.168.10.123:22     - SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 ( service.version=5.3p1 openssh.comment=Debian-3ubuntu7 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:5.3p1 os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=10.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:10.04 service.protocol=ssh fingerprint_db=ssh.banner )
    [*] Scanned 102 of 256 hosts (39% complete)
    [*] Scanned 156 of 256 hosts (60% complete)
    [+] 192.168.10.254:22     - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:4.7p1 os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=8.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:8.04 service.protocol=ssh fingerprint_db=ssh.banner )
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    

    ssh登陆爆破

    msf auxiliary(scanner/ssh/ssh_login) > show options 
    
    Module options (auxiliary/scanner/ssh/ssh_login):
    
       Name              Current Setting  Required  Description
       ----              ---------------  --------  -----------
       BLANK_PASSWORDS   false            no        Try blank passwords for all users
       BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
       DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
       DB_ALL_PASS       false            no        Add all passwords in the current database to the list
       DB_ALL_USERS      false            no        Add all users in the current database to the list
       PASSWORD                           no        A specific password to authenticate with
       PASS_FILE                          no        File containing passwords, one per line
       RHOSTS            192.168.10.0/24  yes       The target address range or CIDR identifier
       RPORT             22               yes       The target port
       STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
       THREADS           100              yes       The number of concurrent threads
       USERNAME                           no        A specific username to authenticate as
       USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
       USER_AS_PASS      false            no        Try the username as the password for all users
       USER_FILE                          no        File containing usernames, one per line
       VERBOSE           false            yes       Whether to print output for all attempts
    
    msf auxiliary(scanner/ssh/ssh_login) > set user_file /root/user_list.txt
    user_file => /root/user_list.txt
    msf auxiliary(scanner/ssh/ssh_login) > set pass_file /roor/pass_list.txt
    pass_file => /roor/pass_list.txt
    msf auxiliary(scanner/ssh/ssh_login) > set threads 100
    threads => 100
    msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/ssh/ssh_login) > run
    

    ftp版本扫描

    msf > use auxiliary/scanner/ftp/ftp_version 
    msf auxiliary(scanner/ftp/ftp_version) > show options 
    
    Module options (auxiliary/scanner/ftp/ftp_version):
    
       Name     Current Setting      Required  Description
       ----     ---------------      --------  -----------
       FTPPASS  mozilla@example.com  no        The password for the specified username
       FTPUSER  anonymous            no        The username to authenticate as
       RHOSTS                        yes       The target address range or CIDR identifier
       RPORT    21                   yes       The target port (TCP)
       THREADS  1                    yes       The number of concurrent threads
    
    msf auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/ftp/ftp_version) > set threads 100
    threads => 100
    msf auxiliary(scanner/ftp/ftp_version) > run
    
    # 结果
    [*] Scanned 101 of 256 hosts (39% complete)
    [+] 192.168.10.122:21     - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
    [*] Scanned 105 of 256 hosts (41% complete)
    [*] Scanned 135 of 256 hosts (52% complete)
    [*] Scanned 140 of 256 hosts (54% complete)
    [*] Scanned 184 of 256 hosts (71% complete)
    [*] Scanned 255 of 256 hosts (99% complete)
    [+] 192.168.10.254:21     - FTP Banner: '220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.10.254]\x0d\x0a'
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    

    SMTP枚举

    msf > use auxiliary/scanner/smtp/smtp_enum 
    msf auxiliary(scanner/smtp/smtp_enum) > show options 
    
    Module options (auxiliary/scanner/smtp/smtp_enum):
    
       Name       Current Setting                                                Required  Description
       ----       ---------------                                                --------  -----------
       RHOSTS                                                                    yes       The target address range or CIDR identifier
       RPORT      25                                                             yes       The target port (TCP)
       THREADS    1                                                              yes       The number of concurrent threads
       UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
       USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.
    
    msf auxiliary(scanner/smtp/smtp_enum) > set threads 100
    threads => 100
    msf auxiliary(scanner/smtp/smtp_enum) > set rhosts 192.168.10.0/24
    rhosts => 192.168.10.0/24
    msf auxiliary(scanner/smtp/smtp_enum) > run
    

    SNMP

    # snmp默认账号登陆
    use auxiliary/scanner/snmp/snmp_login
    use auxiliary/scanner/snmp/snmp_enum
    

    HTTP ssl证书扫描

    use auxiliary/scanner/http/cert
    set rhost 192.168.10.0/24
    set rport 8383
    run
    

    http robots.txt文件内容获取

    use auxiliary/scanner/http/robots_txt
    set path /mutilidae
    set rhost 192.168.10.10
    run
    

    http协议危险方法PUT/DELETE检查

    use auxiliary/scanner/http/http_put
    set path /uploads
    set rhost 192.168.10.10
    set rport 8585
    run
    

    web服务jenkins枚举

    set rhost 192.168.10.10
    set rport 8585
    set targeturi /
    run
    

    windows远程管理认证

    use auxiliary/scanner/winrm/winrm_auth_methods
    set rhost 192.168.10.10
    run
    

    windows远程管理终端

    user auxiliary/scanner/winrm/winrm_cmd
    set cmd hostname
    set rhosts 192.168.10.10
    set username administrarot
    set password 。。。
    run
    

    相关文章

      网友评论

          本文标题:0x02 主动信息收集

          本文链接:https://www.haomeiwen.com/subject/abxwcqtx.html