1.1 Metasploit Information Gathering
1.1.1 Collecting host information over TCP
1.1.1.1 Using the nmap service scan inside Metasploit
msf6 > db_nmap -A -T4 -v 192.168.10.0/24

1.1.1.2 Scanning with the arp_sweep module
msf6 > search arp_sweep

msf6 > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > show options

msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.10.0/24
RHOSTS => 192.168.10.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 30
THREADS => 30
msf6 auxiliary(scanner/discovery/arp_sweep) > run

msf6 auxiliary(scanner/discovery/arp_sweep) > hosts

PS. SHOST and SMAC can be set to forge the source IP address and MAC address used by the scan.
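Added example (not part of the original tutorial): a small Python detector for the ARP sweep behaviour shown above, run over constructed packet-summary lines. Because the note says SHOST and SMAC can be forged, it counts distinct ARP targets per time window across the whole segment instead of trusting the claimed sender; the log format, thresholds and sample capture are assumptions.

```python
WINDOW_SECONDS = 5.0      # look-back interval in seconds
TARGET_THRESHOLD = 20     # distinct ARP targets per window that count as a sweep

# Constructed sample capture (not real traffic): 30 probes in 1.5 s walking a /24,
# followed by two ordinary lookups from a real host. The sweep claims a sender
# IP/MAC that is not a real host on the segment, as SHOST/SMAC would allow.
SAMPLE = "\n".join(
    [f"{1700000000 + i * 0.05:.2f} 00:11:22:33:44:55 who-has 192.168.10.{i + 1} tell 192.168.10.250"
     for i in range(30)]
    + ["1700000009.00 aa:bb:cc:dd:ee:01 who-has 192.168.10.1 tell 192.168.10.20",
       "1700000009.40 aa:bb:cc:dd:ee:01 who-has 192.168.10.53 tell 192.168.10.20"]
)

def parse(line):
    """'<epoch> <sender_mac> who-has <target_ip> tell <sender_ip>' -> tuple (assumed format)."""
    ts, mac, _, target, _, sender = line.split()
    return float(ts), mac, target, sender

def detect_arp_sweep(text, window=WINDOW_SECONDS, threshold=TARGET_THRESHOLD):
    """Return alerts as (window_start, distinct_targets, claimed_senders).

    Grouping is by time window over the whole segment, not by sender, because
    the sender fields are attacker-controlled and may be forged.
    """
    probes = sorted(parse(l) for l in text.splitlines() if l.strip())
    alerts, start = [], 0
    for end in range(len(probes)):
        # advance the window start until the window spans at most `window` seconds
        while probes[end][0] - probes[start][0] > window:
            start += 1
        window_probes = probes[start:end + 1]
        targets = {p[2] for p in window_probes}
        if len(targets) >= threshold:
            # report the claimed identities for triage, but do not trust them
            senders = sorted({(p[1], p[3]) for p in window_probes})
            alerts.append((probes[start][0], len(targets), senders))
            start = end + 1  # do not re-alert on the rest of the same burst
    return alerts

if __name__ == "__main__":
    for when, count, who in detect_arp_sweep(SAMPLE):
        print(f"ARP sweep at {when:.2f}: {count} targets, claimed sender(s) {who}")
```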
1.1.1.3 Scanning with the portscan module
msf6 > search portscan

msf6 > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > show options

msf6 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.2.121
RHOSTS => 192.168.2.121
msf6 auxiliary(scanner/portscan/syn) > set PORTS 80
PORTS => 80
msf6 auxiliary(scanner/portscan/syn) > run
[+] TCP OPEN 192.168.2.121:80
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
1.1.1.4 Sniffing passwords with the psnuffle module*
PS. The psnuffle module sniffs passwords the way the older dsniff command did; it only supports the POP3, IMAP, FTP and HTTP GET protocols.
msf6 > search psnuffle

msf6 > use auxiliary/sniffer/psnuffle
msf6 auxiliary(sniffer/psnuffle) > info

msf6 auxiliary(sniffer/psnuffle) > set RHOSTS 192.168.1.74
RHOSTS => 192.168.1.74
msf6 auxiliary(sniffer/psnuffle) > run
1.1.2 Collecting host information over SNMP*
1.1.2.1 Scanning with the snmp_enum module
msf6 > search snmp_enum

msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > show options

msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.2.121
RHOSTS => 192.168.2.121
msf6 auxiliary(scanner/snmp/snmp_enum) > run

1.1.3 Collecting host information over SMB
1.1.3.1 Scanning with the smb_version module
PS. This module can identify the operating system version fairly accurately.
msf6 > search smb_version

msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > show options

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.120 192.168.10.156
RHOSTS => 192.168.1.120 192.168.10.156
msf6 auxiliary(scanner/smb/smb_version) > run

1.1.3.2 Scanning with the smb_enumshares module
msf6 > search smb_enumshares

msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > show options

msf6 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.10.156
RHOSTS => 192.168.10.156
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMBUser admin
SMBUser => admin
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMBPass 12356
SMBPass => 12356
msf6 auxiliary(scanner/smb/smb_enumshares) > run

Note: if SMBUser is not configured, the scan returns no information.
1.1.3.3 Scanning with the smb_lookupsid module
Note: the SID is the identifier of each user in Windows; it does not change when the user name is renamed.
msf6 > search smb_lookupsid

msf6 > use auxiliary/scanner/smb/smb_lookupsid
msf6 auxiliary(scanner/smb/smb_lookupsid) > show options

msf6 auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 192.168.10.156
RHOSTS => 192.168.10.156
msf6 auxiliary(scanner/smb/smb_lookupsid) > set SMBUser admin
SMBUser => admin
msf6 auxiliary(scanner/smb/smb_lookupsid) > set SMBPass 123456
SMBPass => 123456
msf6 auxiliary(scanner/smb/smb_lookupsid) > run

1.1.4 Collecting host information over SSH
1.1.4.1 Scanning the SSH version
msf6 > search ssh_version

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > show options

msf6 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.120
RHOSTS => 192.168.1.120
msf6 auxiliary(scanner/ssh/ssh_version) > run

1.1.5 Collecting host information over FTP
1.1.5.1 Scanning the FTP version
msf6 > search ftp_version

msf6 > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > show options

msf6 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.1.120
RHOSTS => 192.168.1.120
msf6 auxiliary(scanner/ftp/ftp_version) > run

1.1.5.2 Scanning for FTP anonymous login
msf6 > search name:anonymous type:auxiliary

msf6 > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(scanner/ftp/anonymous) > show options

msf6 auxiliary(scanner/ftp/anonymous) > set RHOSTS 192.168.1.120
RHOSTS => 192.168.1.120
msf6 auxiliary(scanner/ftp/anonymous) > run
