第二十四课:基于MSF发现内网存活主机第二季

释放双眼,带上耳机,听听看~!

注:请多喝点热水或者凉白开,可预防肾结石,通风等。 痛风可伴发肥胖症、高血压病、糖尿病、脂代谢紊乱等多种代谢性疾病。

攻击机: 192.168.1.5 Debian

靶机: 192.168.1.2 Windows 7

192.168.1.115 Windows 2003

192.168.1.119 Windows 2003

第一季主要介绍scanner下的五个模块,辅助发现内网存活主机,分别为:

  • auxiliary/scanner/discovery/arp_sweep
  • auxiliary/scanner/discovery/udp_sweep
  • auxiliary/scanner/ftp/ftp_version
  • auxiliary/scanner/http/http_version
  • auxiliary/scanner/smb/smb_version

第二季主要介绍scanner下的五个模块,辅助发现内网存活主机,分别为:

  • auxiliary/scanner/ssh/ssh_version
  • auxiliary/scanner/telnet/telnet_version
  • auxiliary/scanner/discovery/udp_probe
  • auxiliary/scanner/dns/dns_amp
  • auxiliary/scanner/mysql/mysql_version

六:基于auxiliary/scanner/ssh/ssh_version发现SSH服务

msf auxiliary(scanner/ssh/ssh_version) > show options Module options (auxiliary/scanner/ssh/ssh_version): Name Current Setting Required Description‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifierRPORT 22 yes The target port (TCP)THREADS 50 yes The number of concurrent threadsTIMEOUT 30 yes Timeout for the SSH probe msf auxiliary(scanner/ssh/ssh_version) > exploit [+] 192.168.1.5:22 ‐ SSH server version: SSH‐2.0‐OpenSSH_7.9p1 Debian‐5 ( service.version=7.9p1 openssh.comment=Debian‐5 service.vendor=OpenBSDservice.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.9p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:‐ service.protocol=ssh fingerprint_db=ssh.banner )[*] Scanned 52 of 256 hosts (20% complete)[*] Scanned 95 of 256 hosts (37% complete)[*] Scanned 100 of 256 hosts (39% complete)[*] Scanned 103 of 256 hosts (40% complete)[*] Scanned 131 of 256 hosts (51% complete)[*] Scanned 154 of 256 hosts (60% complete)[*] Scanned 180 of 256 hosts (70% complete)[*] Scanned 206 of 256 hosts (80% complete)[*] Scanned 235 of 256 hosts (91% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed
null

七:基于auxiliary/scanner/telnet/telnet_version发现TELNET服务

msf auxiliary(scanner/telnet/telnet_version) > show options Module options (auxiliary/scanner/telnet/telnet_version): Name Current Setting Required Description‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐PASSWORD no The password for the specified usernameRHOSTS 192.168.1.119 yes The target address range or CIDR identifierRPORT 23 yes The target port (TCP)THREADS 50 yes The number of concurrent threadsTIMEOUT 30 yes Timeout for the Telnet probeUSERNAME no The username to authenticate as msf auxiliary(scanner/telnet/telnet_version) > exploit [+] 192.168.1.119:23 ‐ 192.168.1.119:23 TELNET Welcome to Microsoft Telnet Service \x0a\x0a\x0dlogin:[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed
null

八:基于scanner/discovery/udp_probe发现内网存活主机

msf auxiliary(scanner/discovery/udp_probe) > show options Module options (auxiliary/scanner/discovery/udp_probe): Name Current Setting Required Description‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐CHOST no The local client addressRHOSTS 192.168.1.0/24 yes The target address range or CIDR identifierTHREADS 50 yes The number of concurrent threads msf auxiliary(scanner/discovery/udp_probe) > exploit [+] Discovered NetBIOS on 192.168.1.2:137 (JOHN‐PC:<00>:U :WORKGROUP:<00>:G :JOHN‐PC:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U:__MSBROWSE__ <01>:G :4c:cc:6a:e3:51:27)[+] Discovered DNS on 192.168.1.1:53 (de778500000100010000000007564552  53494f4e0442494e440000100003c00c0010000300000001001a19737572656c7920796f75206d757374206265206a6f6b696e67)[*] Scanned 43 of 256 hosts (16% complete)[*] Scanned 52 of 256 hosts (20% complete)[*] Scanned 89 of 256 hosts (34% complete)[+] Discovered NetBIOS on 192.168.1.119:137 (WIN03X64:<00>:U :WIN03X64:<20>:U :WORKGROUP:<00>:G :WORKGROUP:<1e>:G :WIN03X64:<03>:U:ADMINISTRA TOR:<03>:U :WIN03X64:<01>:U :00:0c:29:85:d6:7d)[*] Scanned 103 of 256 hosts (40% complete)[*] Scanned 140 of 256 hosts (54% complete)[*] Scanned 163 of 256 hosts (63% complete)[*] Scanned 184 of 256 hosts (71% complete)[*] Scanned 212 of 256 hosts (82% complete)[*] Scanned 231 of 256 hosts (90% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed
null

九:基于auxiliary/scanner/dns/dns_amp发现内网存活主机

msf auxiliary(scanner/dns/dns_amp) > show options Module options (auxiliary/scanner/dns/dns_amp): Name Current Setting Required Description‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐BATCHSIZE 256 yes The number of hosts to probe in each setDOMAINNAME isc.org yes Domain to use for the DNS requestFILTER no The filter string for capturing trafficINTERFACE no The name of the interfacePCAPFILE no The name of the PCAP capture file to processQUERYTYPE ANY yes Query type(A, NS, SOA, MX, TXT, AAAA, RRSIG, DNSKEY, ANY)RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifierRPORT 53 yes The target port (UDP)SNAPLEN 65535 yes The number of bytes to captureTHREADS 50 yes The number of concurrent threadsTIMEOUT 500 yes The number of seconds to wait for new data msf auxiliary(scanner/dns/dns_amp) > exploit [*] Sending DNS probes to 192.168.1.0‐>192.168.1.255 (256 hosts)[*] Sending 67 bytes to each host using the IN ANY isc.org request[+] 192.168.1.1:53 ‐ Response is 530 bytes [7.91x Amplification][*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed
null

十:基于auxiliary/scanner/mysql/mysql_version发现mysql服务

msf auxiliary(scanner/mysql/mysql_version) > show options Module options (auxiliary/scanner/mysql/mysql_version): Name Current Setting Required Description‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐RHOSTS 192.168.1.115 yes The target address range or CIDR identifierRPORT 3306 yes The target port (TCP)THREADS 50 yes The number of concurrent threads msf auxiliary(scanner/mysql/mysql_version) > exploit [+] 192.168.1.115:3306 ‐ 192.168.1.115:3306 is running MySQL 5.1.52‐community (protocol 10)[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed
null

Micropoor

https://www.secshi.com

人已赞赏
安全工具

第二十三课:基于MSF发现内网存活主机第一季

2019-11-7 13:17:16

安全工具

第二十五课:基于MSF发现内网存活主机第三季

2019-11-7 13:18:44

0 条回复 A文章作者 M管理员
    暂无讨论,说说你的看法吧
个人中心
购物车
优惠劵
今日签到
有新私信 私信列表
搜索