为“端口扫描”准备Metapsloit
扫描仪和大多数其他辅助模块使用RHOSTS选项而不是RHOST。RHOSTS可以使用IP范围(192.168.1.20-192.168.1.30),CIDR范围(192.168.1.0/24),以逗号分隔的多个范围(192.168.1.0/24,192.168.3.0/24)和以行分隔的主机列表文件(文件:/tmp/hostlist.txt)。这是另一个可用于Nmap输出文件的用法。
默认情况下,所有扫描仪模块都将THREADS值设置为'1'。THREADS值设置并发线程的数量,同时扫描使用。将此值设置为较高的数字以加快扫描速度或降低扫描速度以减少网络流量,但一定要遵守以下准则:
原生Win32系统上的THREADS值保持在16以下
在Cygwin下运行MSF时,请将THREADS保持在200以下
在类Unix操作系统上,THREADS可以设置为256。
内容
1、Nmap 和 db_nmap
2、端口扫描
3、SMB版本扫描
4、空闲扫描
一、Nmap 和 db_nmap
我们可以使用db_nmap命令针对我们的目标运行Nmap,并且我们的扫描结果将自动存储在我们的数据库中。但是,如果您还希望稍后将扫描结果导入另一个应用程序或框架,则可能需要以XML格式导出扫描结果。拥有全部三个Nmap输出(xml,grepable和normal)总是不错的。因此,我们可以使用' -oA '标志运行Nmap扫描,然后使用所需的文件名生成三个输出文件,然后发出db_import命令来填充Metasploit数据库。
使用通常从命令行使用的选项运行Nmap。如果我们希望我们的扫描被保存到我们的数据库中,我们将省略输出标志并使用db_nmap。下面的例子就是“db_nmap -v -sV 192.168.1.0/24”。
msf > nmap -v -sV 192.168.1.0/24 -oA subnet_1
[*] exec: nmap -v -sV 192.168.1.0/24 -oA subnet_1
Starting Nmap 5.00 ( http://nmap.org ) at 2018-05-08 19:29 MDT
NSE: Loaded 3 scripts for scanning.
Initiating ARP Ping Scan at 19:29
Scanning 101 hosts [1 port/host]
...略...
Nmap done: 256 IP addresses (16 hosts up) scanned in 499.41 seconds
Raw packets sent: 19973 (877.822KB) | Rcvd: 15125 (609.512KB)
二、端口扫描
除了运行Nmap之外,框架中还有许多其他端口扫描程序可供我们使用。
msf > search portscan
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/wordpress_pingback_access normal WordPress Pingback Locator
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner
为了比较,我们将比较我们的端口80的Nmap扫描结果和Metasploit扫描模块。首先,让我们根据Nmap确定哪些主机打开了端口80。
msf > cat subnet_1.gnmap | grep 80/open | awk '{print $2}'
[*] exec: cat subnet_1.gnmap | grep 80/open | awk '{print $2}'
192.168.1.1
192.168.1.2
192.168.1.10
192.168.1.109
192.168.1.116
192.168.1.150
我们之前运行的Nmap扫描是一个SYN扫描,因此我们将使用Metasploit通过eth0接口在整个子网上运行同一扫描,查找端口80。
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(syn) > set INTERFACE eth0
INTERFACE => eth0
msf auxiliary(syn) > set PORTS 80
PORTS => 80
msf auxiliary(syn) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run
[*] TCP OPEN 192.168.1.1:80
[*] TCP OPEN 192.168.1.2:80
[*] TCP OPEN 192.168.1.10:80
[*] TCP OPEN 192.168.1.109:80
[*] TCP OPEN 192.168.1.116:80
[*] TCP OPEN 192.168.1.150:80
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
在这里,我们将加载'tcp'扫描器,并将其用于另一个目标。和前面提到的所有插件一样,它使用RHOSTS选项。请记住,我们可以发出' hosts -R '命令以自动将此选项与数据库中找到的主机一起设置。
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf auxiliary(tcp) > hosts -R
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.194.172 00:0C:29:D1:62:80 Linux Ubuntu server
RHOSTS => 172.16.194.172
msf auxiliary(tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-1024 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 172.16.194.172 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 10 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf auxiliary(tcp) > run
[*] 172.16.194.172:25 - TCP OPEN
[*] 172.16.194.172:23 - TCP OPEN
[*] 172.16.194.172:22 - TCP OPEN
[*] 172.16.194.172:21 - TCP OPEN
[*] 172.16.194.172:53 - TCP OPEN
[*] 172.16.194.172:80 - TCP OPEN
[*] 172.16.194.172:111 - TCP OPEN
[*] 172.16.194.172:139 - TCP OPEN
[*] 172.16.194.172:445 - TCP OPEN
[*] 172.16.194.172:514 - TCP OPEN
[*] 172.16.194.172:513 - TCP OPEN
[*] 172.16.194.172:512 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
我们可以看到Metasploit的内置扫描仪模块不仅能够为我们找到系统和开放端口。如果你碰巧在未安装Nmap的系统上运行Metasploit,它只是另一个优秀的工具。
三、SMB版本扫描
现在我们已经确定了网络上可用的主机,我们可以尝试确定它们正在运行的操作系统。这将有助于我们缩小我们的攻击范围,以针对特定系统,并阻止我们浪费时间在那些不易受到特定攻击的人身上。
由于我们的扫描系统中有许多端口445打开,我们将使用scanner / smb / version模块来确定在目标上运行的是哪个版本的Windows,以及哪个Samba版本在Linux主机上。
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.1.200-210
RHOSTS => 192.168.1.200-210
msf auxiliary(smb_version) > set THREADS 11
THREADS => 11
msf auxiliary(smb_version) > run
[*] 192.168.1.209:445 is running Windows 2003 R2 Service Pack 2 (language: Unknown) (name:XEN-2K3-FUZZ) (domain:WORKGROUP)
[*] 192.168.1.201:445 is running Windows XP Service Pack 3 (language: English) (name:V-XP-EXPLOIT) (domain:WORKGROUP)
[*] 192.168.1.202:445 is running Windows XP Service Pack 3 (language: English) (name:V-XP-DEBUG) (domain:WORKGROUP)
[*] Scanned 04 of 11 hosts (036% complete)
[*] Scanned 09 of 11 hosts (081% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
另请注意,如果我们现在发出hosts命令,则新获取的信息将存储在Metasploit的数据库中。
msf auxiliary(smb_version) > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.1.201 Microsoft Windows XP SP3 client
192.168.1.202 Microsoft Windows XP SP3 client
192.168.1.209 Microsoft Windows 2003 R2 SP2 server
四、空闲扫描
Nmap的IPID空闲扫描允许我们在欺骗网络上另一主机的IP地址的同时扫描目标有点隐身。为了使这种类型的扫描能够正常工作,我们需要找到网络上空闲的主机,并使用增量或破碎小端增量的IPID序列。Metasploit包含模块扫描程序/ ip / ipidseq来扫描并查找符合要求的主机。
在免费的在线Nmap书籍中,您可以找到有关Nmap空闲扫描的更多信息。
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options
Module options (auxiliary/scanner/ip/ipidseq):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ipidseq) > set THREADS 50
THREADS => 50
msf auxiliary(ipidseq) > run
[*] 192.168.1.1's IPID sequence class: All zeros
[*] 192.168.1.2's IPID sequence class: Incremental!
[*] 192.168.1.10's IPID sequence class: Incremental!
[*] 192.168.1.104's IPID sequence class: Randomized
[*] 192.168.1.109's IPID sequence class: Incremental!
[*] 192.168.1.111's IPID sequence class: Incremental!
[*] 192.168.1.114's IPID sequence class: Incremental!
[*] 192.168.1.116's IPID sequence class: All zeros
[*] 192.168.1.124's IPID sequence class: Incremental!
[*] 192.168.1.123's IPID sequence class: Incremental!
[*] 192.168.1.137's IPID sequence class: All zeros
[*] 192.168.1.150's IPID sequence class: All zeros
[*] 192.168.1.151's IPID sequence class: Incremental!
[*] Auxiliary module execution completed
从我们的扫描结果来看,我们有一些潜在的僵尸,我们可以用它来执行空闲扫描。我们将尝试使用192.168.1.109上的僵尸来扫描主机,看看我们是否得到了早先的相同结果。
msf auxiliary(ipidseq) > nmap -Pn -sI 192.168.1.109 192.168.1.114
[*] exec: nmap -Pn -sI 192.168.1.109 192.168.1.114
Starting Nmap 5.00 ( http://nmap.org ) at 2018-05-08 05:51 MDT
Idle scan using zombie 192.168.1.109 (192.168.1.109:80); Class: Incremental
Interesting ports on 192.168.1.114:
Not shown: 996 closed|filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
MAC Address: 00:0C:29:41:F2:E8 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds