Metasploit Penetration Testing Guide (outline)
Metasploit and Nmap
1. Importing Nmap output into Metasploit
nmap -T4 -Pn -sS -A -oX <output.xml> 192.168.0.0/24    # db_import reads Nmap XML; <output.xml> is a placeholder for the file name
msf5 > db_status
db_import /home/l
hosts -c address
2. Using Nmap from within msf
db_nmap -sS -A 192.168.0.104
services -u
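As an added example (not part of the guide), a small Python parser for the Nmap XML that `db_import` ingests, producing the same host and open-service listing that `hosts -c address` and `services -u` display; the sample XML is constructed, not a real scan.

```python
"""Parse Nmap XML (the -oX format db_import reads) into the inventory that
`hosts -c address` and `services -u` show. Added example; sample XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output for two hosts in 192.168.0.0/24 (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -A -oX scan.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.104" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
      <port protocol="tcp" portid="135"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.0.105" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return one dict per <host>: address, up/down state and a list of
    (port, protocol, state, service) tuples; a down host has no ports."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:            # skip records without an IPv4 address
            continue
        ports = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            ports.append((int(port.get("portid")), port.get("protocol"),
                          port.find("state").get("state"),
                          svc.get("name") if svc is not None else None))
        hosts.append({"address": addr.get("addr"),
                      "state": host.find("status").get("state"),
                      "ports": ports})
    return hosts

def open_services(hosts):
    """Equivalent of `services -u`: open ports on hosts that are up,
    as (address, port, protocol, service) tuples."""
    return [(h["address"], p[0], p[1], p[3])
            for h in hosts if h["state"] == "up"
            for p in h["ports"] if p[2] == "open"]

if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("hosts:", [h["address"] for h in inv])        # like `hosts -c address`
    for addr, port, proto, svc in open_services(inv):   # like `services -u`
        print(f"{addr} {port}/{proto} {svc}")
```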
2. Targeted scanning
1. SMB (Server Message Block) scan
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.0.104
RHOSTS => 192.168.0.104
msf5 auxiliary(scanner/smb/smb_version) > run
2. Finding misconfigured Microsoft SQL Server instances
msf5 > use auxiliary/scanner/mssql/mssql_ping
msf5 auxiliary(scanner/mssql/mssql_ping) > show options
msf5 auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf5 auxiliary(scanner/mssql/mssql_ping) > set THREADS 255
THREADS => 255
msf5 auxiliary(scanner/mssql/mssql_ping) > run
3. SSH service scan
msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf5 auxiliary(scanner/ssh/ssh_version) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/ssh/ssh_version) > run
4. FTP scan
1. Version scan
msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > show options
msf5 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/ftp/ftp_version) > run
2. Checking whether anonymous login is allowed
msf5 > use auxiliary/scanner/ftp/anonymous
msf5 auxiliary(scanner/ftp/anonymous) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf5 auxiliary(scanner/ftp/anonymous) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/ftp/anonymous) > run
5. SNMP (Simple Network Management Protocol) scan
msf5 > use auxiliary/scanner/snmp/snmp_login
msf5 auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf5 auxiliary(scanner/snmp/snmp_login) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/snmp/snmp_login) > run
6. NetBIOS scan
msf5 > use auxiliary/scanner/netbios/nbname
msf5 auxiliary(scanner/netbios/nbname) > set RHOSTS 192.168.0.0/24 RHOSTS => 192.168.0.0/24
msf5 auxiliary(scanner/netbios/nbname) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/netbios/nbname) > run
Vulnerability scanning
Scanning with Nessus
dpkg -i Nessus-8.12.1-debian6_amd64.deb
/bin/systemctl start nessusd.service
kali:8834/
1. Importing Nessus scan results
msf5 > db_status
[*] Connected to msf. Connection type: postgresql.
msf5 > db_import /home/kali/Downloads/My_Basic_Network_ssus
msf5 > hosts -c address,svcs,vulns
vulns    # list the detailed vulnerability findings
2. Running Nessus scans from within msf
load nessus
nessus_connect nessus:nessus@localhost:8834 ok    # connect to Nessus ("ok" accepts the self-signed certificate)
nessus_policy_list      # list scan policies
nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>    # create a new scan
nessus_scan_launch <Scan ID>      # launch the scan
nessus_scan_list        # list scans
nessus_db_import <Scan ID>      # import results into the msf database
Dedicated vulnerability scanners: 1. Validating SMB logins
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > show options
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.0.100-110
RHOSTS => 192.168.0.100-110
msf5 auxiliary(scanner/smb/smb_login) > set SMBUSER administrator
SMBUSER => administrator
msf5 auxiliary(scanner/smb/smb_login) > set SMBPASS 123
SMBPASS => 123
msf5 auxiliary(scanner/smb/smb_login) > set VERBOSE false    # do not print every login attempt
VERBOSE => false
msf5 auxiliary(scanner/smb/smb_login) > run
2. Scanning for open VNC (Virtual Network Computing) servers with blank passwords
msf5 > use auxiliary/scanner/vnc/vnc_none_auth
msf5 auxiliary(scanner/vnc/vnc_none_auth) > show options
Module options (auxiliary/scanner/vnc/vnc_none_auth):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    5900             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 192.168.0.105
RHOSTS => 192.168.0.105
msf5 auxiliary(scanner/vnc/vnc_none_auth) > run