Lesson 23: Discovering Live Internal Hosts with MSF, Part 1


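Note: drink plenty of hot water or cooled boiled water; it helps prevent kidney stones, gout and the like. Gout can be accompanied by obesity, hypertension, diabetes, lipid metabolism disorders and other metabolic diseases.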

Attacker: 192.168.1.5 Debian

Targets: 192.168.1.2 Windows 7

192.168.1.119 Windows 2003

The MSF search command supports filtering by type:

    msf > search scanner type:auxiliary

    Matching Modules
    ================

       Name                                            Disclosure Date  Rank    Check  Description
       ----                                            ---------------  ----    -----  -----------
       auxiliary/admin/appletv/appletv_display_image                    normal  No     Apple TV Image Remote Control
       auxiliary/admin/appletv/appletv_display_video                    normal  No     Apple TV Video Remote Control
       auxiliary/admin/smb/check_dir_file                               normal  Yes    SMB Scanner Check File/Directory Utility
       auxiliary/admin/teradata/teradata_odbc_sql      2018-03-29       normal  Yes    Teradata ODBC SQL Query Module
       auxiliary/bnat/bnat_scan                                         normal  Yes    BNAT Scanner
       auxiliary/gather/citrix_published_applications                   normal  No     Citrix MetaFrame ICA Published Applications Scanner
       auxiliary/gather/enum_dns                                        normal  No     DNS Record Scanner and Enumerator
       ....
       auxiliary/scanner/winrm/winrm_cmd                                normal  Yes    WinRM Command Runner
       auxiliary/scanner/winrm/winrm_login                              normal  Yes    WinRM Login Utility
       auxiliary/scanner/winrm/winrm_wql                                normal  Yes    WinRM WQL Query Runner
       auxiliary/scanner/wproxy/att_open_proxy         2017-08-31       normal  Yes    Open WAN-to-LAN proxy on AT&T routers
       auxiliary/scanner/wsdd/wsdd_query                                normal  Yes    WS-Discovery Information Discovery
       auxiliary/scanner/x11/open_x11                                   normal  Yes    X11 No-Auth Scanner

Part 1 covers five modules under scanner that help discover live hosts on the internal network:

  • auxiliary/scanner/discovery/arp_sweep
  • auxiliary/scanner/discovery/udp_sweep
  • auxiliary/scanner/ftp/ftp_version
  • auxiliary/scanner/http/http_version
  • auxiliary/scanner/smb/smb_version

1: Discovering HTTP services with scanner/http/http_version

    msf auxiliary(scanner/http/http_version) > show options

    Module options (auxiliary/scanner/http/http_version):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
       RPORT    80               yes       The target port (TCP)
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       THREADS  20               yes       The number of concurrent threads
       VHOST                     no        HTTP server virtual host

    msf auxiliary(scanner/http/http_version) > exploit

    [+] 192.168.1.1:80
    [*] Scanned 27 of 256 hosts (10% complete)
    [*] Scanned 63 of 256 hosts (24% complete)
    [*] Scanned 82 of 256 hosts (32% complete)
    [*] Scanned 103 of 256 hosts (40% complete)
    [+] 192.168.1.119:80 Microsoft-IIS/6.0 ( Powered by ASP.NET )
    [*] Scanned 129 of 256 hosts (50% complete)
    [*] Scanned 154 of 256 hosts (60% complete)
    [*] Scanned 182 of 256 hosts (71% complete)
    [*] Scanned 205 of 256 hosts (80% complete)
    [*] Scanned 231 of 256 hosts (90% complete)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed

2: Discovering SMB services with scanner/smb/smb_version

    msf auxiliary(scanner/smb/smb_version) > show options

    Module options (auxiliary/scanner/smb/smb_version):

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
       SMBDomain  .                no        The Windows domain to use for authentication
       SMBPass                     no        The password for the specified username
       SMBUser                     no        The username to authenticate as
       THREADS    20               yes       The number of concurrent threads

    msf auxiliary(scanner/smb/smb_version) > exploit

    [+] 192.168.1.2:445 - Host is running Windows 7 Ultimate SP1 (build:7601) (name:JOHN-PC) (workgroup:WORKGROUP )
    [*] Scanned 40 of 256 hosts (15% complete)
    [*] Scanned 60 of 256 hosts (23% complete)
    [*] Scanned 79 of 256 hosts (30% complete)
    [+] 192.168.1.119:445 - Host is running Windows 2003 R2 SP2 (build:3790) (name:WIN03X64)
    [*] Scanned 103 of 256 hosts (40% complete)
    [*] Scanned 128 of 256 hosts (50% complete)
    [*] Scanned 154 of 256 hosts (60% complete)
    [*] Scanned 181 of 256 hosts (70% complete)
    [*] Scanned 206 of 256 hosts (80% complete)
    [*] Scanned 231 of 256 hosts (90% complete)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed

3: Discovering FTP services with scanner/ftp/ftp_version

    msf auxiliary(scanner/ftp/ftp_version) > show options

    Module options (auxiliary/scanner/ftp/ftp_version):

       Name     Current Setting      Required  Description
       ----     ---------------      --------  -----------
       FTPPASS  mozilla@example.com  no        The password for the specified username
       FTPUSER  anonymous            no        The username to authenticate as
       RHOSTS   192.168.1.0/24       yes       The target address range or CIDR identifier
       RPORT    21                   yes       The target port (TCP)
       THREADS  50                   yes       The number of concurrent threads

    msf auxiliary(scanner/ftp/ftp_version) > exploit

    [*] Scanned 51 of 256 hosts (19% complete)
    [*] Scanned 52 of 256 hosts (20% complete)
    [*] Scanned 100 of 256 hosts (39% complete)
    [+] 192.168.1.119:21 - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
    [*] Scanned 103 of 256 hosts (40% complete)
    [*] Scanned 133 of 256 hosts (51% complete)
    [*] Scanned 183 of 256 hosts (71% complete)
    [*] Scanned 197 of 256 hosts (76% complete)
    [*] Scanned 229 of 256 hosts (89% complete)
    [*] Scanned 231 of 256 hosts (90% complete)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed

4: Discovering live internal hosts with scanner/discovery/arp_sweep

    msf auxiliary(scanner/discovery/arp_sweep) > show options

    Module options (auxiliary/scanner/discovery/arp_sweep):

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       INTERFACE                   no        The name of the interface
       RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
       SHOST                       no        Source IP Address
       SMAC                        no        Source MAC Address
       THREADS    50               yes       The number of concurrent threads
       TIMEOUT    5                yes       The number of seconds to wait for new data

    msf auxiliary(scanner/discovery/arp_sweep) > exploit

    [+] 192.168.1.1 appears to be up (UNKNOWN).
    [+] 192.168.1.2 appears to be up (UNKNOWN).
    [+] 192.168.1.119 appears to be up (VMware, Inc.).
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
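Seen from the network, the sweep above is a single source sending ARP requests for every address in the /24 within a few seconds, which makes it straightforward to flag. The following is an added example, not part of the original lesson, that detects this pattern in tcpdump-style ARP lines; the sample lines are constructed, and the window and threshold values are assumptions to tune per network.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -tt -n arp` style (not captured from the lab above):
# 192.168.1.5 asks for 254 addresses in under a second, 192.168.1.2 behaves normally.
SAMPLE = [f"1573100000.{i:03d}000 ARP, Request who-has 192.168.1.{i} tell 192.168.1.5, length 28"
          for i in range(1, 255)]
SAMPLE += [
    "1573100001.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 46",
    "1573100002.000000 ARP, Reply 192.168.1.1 is-at 00:00:5e:00:53:01, length 46",
    "1573100030.000000 ARP, Request who-has 192.168.1.119 tell 192.168.1.2, length 46",
]

REQ = re.compile(r"^(\d+\.\d+) ARP, Request who-has (\S+) tell ([^\s,]+)")

def detect_arp_sweeps(lines, window=10.0, threshold=32):
    """Return {source_ip: peak number of distinct addresses requested inside any
    `window`-second span} for every source whose peak reaches `threshold`."""
    events = defaultdict(list)                     # source -> [(timestamp, target)]
    for line in lines:
        m = REQ.match(line)
        if m:
            events[m.group(3)].append((float(m.group(1)), m.group(2)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window, start, peak = defaultdict(int), 0, 0
        for ts, target in evs:
            in_window[target] += 1
            while ts - evs[start][0] > window:     # slide the window forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(detect_arp_sweeps(SAMPLE))
```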

5: Discovering live internal hosts with scanner/discovery/udp_sweep

    msf auxiliary(scanner/discovery/udp_sweep) > show options

    Module options (auxiliary/scanner/discovery/udp_sweep):

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       BATCHSIZE  256              yes       The number of hosts to probe in each set
       RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
       THREADS    50               yes       The number of concurrent threads

    msf auxiliary(scanner/discovery/udp_sweep) > exploit

    [*] Sending 13 probes to 192.168.1.0->192.168.1.255 (256 hosts)
    [*] Discovered DNS on 192.168.1.1:53 (ce2a850000010001000000000756455253494f4e0442494e440000100003c00c0010000300000001001a19737572656c7920796f75206d757374206265206a6f6b696e67)
    [*] Discovered NetBIOS on 192.168.1.2:137 (JOHN-PC:<00>:U :WORKGROUP:<00>:G :JOHN-PC:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U:__MSBROWSE__ <01>:G :4c:cc:6a:e3:51:27)
    [*] Discovered NetBIOS on 192.168.1.119:137 (WIN03X64:<00>:U :WIN03X64:<20>:U :WORKGROUP:<00>:G :WORKGROUP:<1e>:G :WIN03X64:<03>:U:ADMINISTRATOR:<03>:U :WIN03X64:<01>:U :00:0c:29:85:d6:7d)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
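What the DNS hit in the udp_sweep output above actually contains, as an added example that is not part of the original lesson: the hex is a complete DNS reply, and decoding it shows the probe was a CHAOS-class TXT query for VERSION.BIND and that this resolver answers with a placeholder string rather than its version. The function names are this example's own; the payload is copied from the output with the line-wrap space removed.

```python
import struct

# Payload copied from the "Discovered DNS on 192.168.1.1:53" line (wrap space removed).
DNS_HEX = ("ce2a8500000100010000000007564552"
           "53494f4e0442494e440000100003c00c0010000300000001001a19"
           "737572656c7920796f75206d757374206265206a6f6b696e67")

def read_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers.
    Returns (dotted_name, offset of the first byte after the name field)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                # 2-byte compression pointer
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                          # malformed reply: pointer loop
                raise ValueError("DNS compression loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if resume is None else resume)
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def parse_txt_response(msg):
    """Parse the header, the first question and any TXT answers of a DNS reply."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!2H", msg[off:off + 4])
    off += 4
    txt = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        i = 0
        while rtype == 16 and i < len(rdata):      # TXT = length-prefixed strings
            txt.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
    return {"qname": qname, "qtype": qtype, "qclass": qclass,
            "authoritative": bool(flags & 0x0400), "txt": txt}

if __name__ == "__main__":
    print(parse_txt_response(bytes.fromhex(DNS_HEX)))
```

The NetBIOS lines in the same output show the two Windows hosts disclosing host name, workgroup and MAC address to the same unauthenticated probe.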

Micropoor
