Metapsloit 端口扫描

为“端口扫描”准备Metapsloit

扫描仪和大多数其他辅助模块使用RHOSTS选项而不是RHOST。RHOSTS可以使用IP范围(192.168.1.20-192.168.1.30),CIDR范围(192.168.1.0/24),以逗号分隔的多个范围(192.168.1.0/24,192.168.3.0/24)和以行分隔的主机列表文件(文件:/tmp/hostlist.txt)。这是另一个可用于Nmap输出文件的用法。

 

默认情况下,所有扫描仪模块都将THREADS值设置为'1'。THREADS值设置并发线程的数量,同时扫描使用。将此值设置为较高的数字以加快扫描速度或降低扫描速度以减少网络流量,但一定要遵守以下准则:

原生Win32系统上的THREADS值保持在16以下

在Cygwin下运行MSF时,请将THREADS保持在200以下

在类Unix操作系统上,THREADS可以设置为256。

Metapsloit 端口扫描 渗透测试

 

内容

1、Nmap 和 db_nmap

2、端口扫描

3、SMB版本扫描

4、空闲扫描

 

一、Nmap 和 db_nmap

我们可以使用db_nmap命令针对我们的目标运行Nmap,并且我们的扫描结果将自动存储在我们的数据库中。但是,如果您还希望稍后将扫描结果导入另一个应用程序或框架,则可能需要以XML格式导出扫描结果。拥有全部三个Nmap输出(xml,grepable和normal)总是不错的。因此,我们可以使用' -oA '标志运行Nmap扫描,然后使用所需的文件名生成三个输出文件,然后发出db_import命令来填充Metasploit数据库。

 

使用通常从命令行使用的选项运行Nmap。如果我们希望我们的扫描被保存到我们的数据库中,我们将省略输出标志并使用db_nmap。下面的例子就是“db_nmap -v -sV 192.168.1.0/24”。

msf > nmap -v -sV 192.168.1.0/24 -oA subnet_1
[*] exec: nmap -v -sV 192.168.1.0/24 -oA subnet_1

Starting Nmap 5.00 ( http://nmap.org ) at 2018-05-08 19:29 MDT
NSE: Loaded 3 scripts for scanning.
Initiating ARP Ping Scan at 19:29
Scanning 101 hosts [1 port/host]
...略...
Nmap done: 256 IP addresses (16 hosts up) scanned in 499.41 seconds
Raw packets sent: 19973 (877.822KB) | Rcvd: 15125 (609.512KB)

 

二、端口扫描

除了运行Nmap之外,框架中还有许多其他端口扫描程序可供我们使用。

msf > search portscan

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  WordPress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner

 

为了比较,我们将比较我们的端口80的Nmap扫描结果和Metasploit扫描模块。首先,让我们根据Nmap确定哪些主机打开了端口80。

msf > cat subnet_1.gnmap | grep 80/open | awk '{print $2}'
[*] exec: cat subnet_1.gnmap | grep 80/open | awk '{print $2}'

192.168.1.1
192.168.1.2
192.168.1.10
192.168.1.109
192.168.1.116
192.168.1.150

 

我们之前运行的Nmap扫描是一个SYN扫描,因此我们将使用Metasploit通过eth0接口在整个子网上运行同一扫描,查找端口80。

msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set INTERFACE eth0
INTERFACE => eth0
msf auxiliary(syn) > set PORTS 80
PORTS => 80
msf auxiliary(syn) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run

[*] TCP OPEN 192.168.1.1:80
[*] TCP OPEN 192.168.1.2:80
[*] TCP OPEN 192.168.1.10:80
[*] TCP OPEN 192.168.1.109:80
[*] TCP OPEN 192.168.1.116:80
[*] TCP OPEN 192.168.1.150:80
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

 

在这里,我们将加载'tcp'扫描器,并将其用于另一个目标。和前面提到的所有插件一样,它使用RHOSTS选项。请记住,我们可以发出' hosts -R '命令以自动将此选项与数据库中找到的主机一起设置。

msf > use auxiliary/scanner/portscan/tcp
msf  auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf  auxiliary(tcp) > hosts -R

Hosts
=====

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------  ---------  -----  -------  ----  --------
172.16.194.172  00:0C:29:D1:62:80        Linux    Ubuntu            server         

RHOSTS => 172.16.194.172

msf  auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   FILTER                        no        The filter string for capturing traffic
   INTERFACE                     no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   PORTS        1-1024           yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       172.16.194.172   yes       The target address range or CIDR identifier
   SNAPLEN      65535            yes       The number of bytes to capture
   THREADS      10                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf  auxiliary(tcp) > run

[*] 172.16.194.172:25 - TCP OPEN
[*] 172.16.194.172:23 - TCP OPEN
[*] 172.16.194.172:22 - TCP OPEN
[*] 172.16.194.172:21 - TCP OPEN
[*] 172.16.194.172:53 - TCP OPEN
[*] 172.16.194.172:80 - TCP OPEN
[*] 172.16.194.172:111 - TCP OPEN
[*] 172.16.194.172:139 - TCP OPEN
[*] 172.16.194.172:445 - TCP OPEN
[*] 172.16.194.172:514 - TCP OPEN
[*] 172.16.194.172:513 - TCP OPEN
[*] 172.16.194.172:512 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(tcp) > 

我们可以看到Metasploit的内置扫描仪模块不仅能够为我们找到系统和开放端口。如果你碰巧在未安装Nmap的系统上运行Metasploit,它只是另一个优秀的工具。

 

三、SMB版本扫描

现在我们已经确定了网络上可用的主机,我们可以尝试确定它们正在运行的操作系统。这将有助于我们缩小我们的攻击范围,以针对特定系统,并阻止我们浪费时间在那些不易受到特定攻击的人身上。

 

由于我们的扫描系统中有许多端口445打开,我们将使用scanner / smb / version模块来确定在目标上运行的是哪个版本的Windows,以及哪个Samba版本在Linux主机上。

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.1.200-210
RHOSTS => 192.168.1.200-210
msf auxiliary(smb_version) > set THREADS 11
THREADS => 11
msf auxiliary(smb_version) > run

[*] 192.168.1.209:445 is running Windows 2003 R2 Service Pack 2 (language: Unknown) (name:XEN-2K3-FUZZ) (domain:WORKGROUP)
[*] 192.168.1.201:445 is running Windows XP Service Pack 3 (language: English) (name:V-XP-EXPLOIT) (domain:WORKGROUP)
[*] 192.168.1.202:445 is running Windows XP Service Pack 3 (language: English) (name:V-XP-DEBUG) (domain:WORKGROUP)
[*] Scanned 04 of 11 hosts (036% complete)
[*] Scanned 09 of 11 hosts (081% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed

 

另请注意,如果我们现在发出hosts命令,则新获取的信息将存储在Metasploit的数据库中。

msf auxiliary(smb_version) > hosts

Hosts
=====

address        mac  name  os_name            os_flavor  os_sp  purpose  info  comments
-------        ---  ----  -------            ---------  -----  -------  ----  --------
192.168.1.201             Microsoft Windows  XP         SP3    client         
192.168.1.202             Microsoft Windows  XP         SP3    client         
192.168.1.209             Microsoft Windows  2003 R2    SP2    server

 

四、空闲扫描

Nmap的IPID空闲扫描允许我们在欺骗网络上另一主机的IP地址的同时扫描目标有点隐身。为了使这种类型的扫描能够正常工作,我们需要找到网络上空闲的主机,并使用增量或破碎小端增量的IPID序列。Metasploit包含模块扫描程序/ ip / ipidseq来扫描并查找符合要求的主机。

 

在免费的在线Nmap书籍中,您可以找到有关Nmap空闲扫描的更多信息。

msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options

Module options (auxiliary/scanner/ip/ipidseq):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ipidseq) > set THREADS 50
THREADS => 50
msf auxiliary(ipidseq) > run

[*] 192.168.1.1's IPID sequence class: All zeros
[*] 192.168.1.2's IPID sequence class: Incremental!
[*] 192.168.1.10's IPID sequence class: Incremental!
[*] 192.168.1.104's IPID sequence class: Randomized
[*] 192.168.1.109's IPID sequence class: Incremental!
[*] 192.168.1.111's IPID sequence class: Incremental!
[*] 192.168.1.114's IPID sequence class: Incremental!
[*] 192.168.1.116's IPID sequence class: All zeros
[*] 192.168.1.124's IPID sequence class: Incremental!
[*] 192.168.1.123's IPID sequence class: Incremental!
[*] 192.168.1.137's IPID sequence class: All zeros
[*] 192.168.1.150's IPID sequence class: All zeros
[*] 192.168.1.151's IPID sequence class: Incremental!
[*] Auxiliary module execution completed

 

从我们的扫描结果来看,我们有一些潜在的僵尸,我们可以用它来执行空闲扫描。我们将尝试使用192.168.1.109上的僵尸来扫描主机,看看我们是否得到了早先的相同结果。

msf auxiliary(ipidseq) > nmap -Pn -sI 192.168.1.109 192.168.1.114
[*] exec: nmap -Pn -sI 192.168.1.109 192.168.1.114

Starting Nmap 5.00 ( http://nmap.org ) at 2018-05-08 05:51 MDT
Idle scan using zombie 192.168.1.109 (192.168.1.109:80); Class: Incremental
Interesting ports on 192.168.1.114:
Not shown: 996 closed|filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
MAC Address: 00:0C:29:41:F2:E8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds
    A+
发布日期:2018年05月08日 15:15:55  所属分类:Metasploit
最后更新时间:2018-05-08 16:24:29
付杰
  • ¥ 39.0元
  • 市场价:39.0元
  • ¥ 298.0元
  • 市场价:498.0元
  • ¥ 499.0元
  • 市场价:499.0元
  • ¥ 98.0元
  • 市场价:398.0元

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: