Metasploit Auxiliary Modules: SNMP Scanners

snmp_enum

The snmp_enum module performs detailed enumeration of a host or range of hosts via SNMP, similar to the standalone tools snmpenum and snmpcheck.

msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version

Although you can pass a range of hosts to this module, the output becomes very cluttered, so it is best to scan one host at a time.

msf auxiliary(snmp_enum) > set RHOSTS 192.168.1.2
RHOSTS => 192.168.1.2
msf auxiliary(snmp_enum) > run

[*] System information

Hostname                : Netgear-GSM7224
Description             : GSM7224 L2 Managed Gigabit Switch
Contact                 : dookie
Location                : Basement
Uptime snmp             : 56 days, 00:36:28.00
Uptime system           : -
System date             : -

[*] Network information

IP forwarding enabled   :  no
Default TTL             :  64
TCP segments received   :  20782
TCP segments sent       :  9973
TCP segments retrans.   :  9973
Input datagrams         :  4052407
Delivered datagrams     :  1155615
Output datagrams        :  18261

[*] Network interfaces

Interface [ up ] Unit: 1 Slot: 0 Port: 1 Gigabit - Level

	Id              : 1
	Mac address     : 00:0f:b5:fc:bd:24
	Type            : ethernet-csmacd
	Speed           : 1000 Mbps
	Mtu             : 1500
	In octets       : 3716564861
	Out octets      : 675201778
...snip...
[*] Routing information

     Destination         Next hop             Mask           Metric

         0.0.0.0      5.1.168.192          0.0.0.0                1
       1.0.0.127        1.0.0.127  255.255.255.255                0

[*] TCP connections and listening ports

   Local address       Local port   Remote address      Remote port            State

         0.0.0.0               23          0.0.0.0                0           listen
         0.0.0.0               80          0.0.0.0                0           listen
         0.0.0.0             4242          0.0.0.0                0           listen
       1.0.0.127             2222          0.0.0.0                0           listen

[*] Listening UDP ports

   Local address       Local port

         0.0.0.0                0
         0.0.0.0              161
         0.0.0.0              514

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_enum) >
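The report above is written for a human reader. An administrator who runs snmp_enum against their own devices usually wants it as data: something to store, to diff against the previous run, and to check against a policy. The following Ruby script is an added example, not code from the Metasploit Unleashed page or from the snmp_enum module itself. It parses the section names and column layout shown above (a trimmed copy of that report is embedded as the constructed sample) into a hash, and then applies a small, hypothetical policy table that flags cleartext management services (telnet, HTTP, FTP) left listening on the device.

```ruby
# Added example, not part of the Metasploit Unleashed page or the snmp_enum module:
# turn the human-readable snmp_enum report into a hash that can be stored,
# diffed against the previous run, or checked for risky listening services.

# Constructed sample: a trimmed copy of the snmp_enum report shown on the page.
SAMPLE_REPORT = <<~'REPORT'
  [*] System information

  Hostname                : Netgear-GSM7224
  Description             : GSM7224 L2 Managed Gigabit Switch
  Contact                 : dookie
  Location                : Basement
  Uptime snmp             : 56 days, 00:36:28.00

  [*] Network information

  IP forwarding enabled   :  no
  Default TTL             :  64

  [*] TCP connections and listening ports

     Local address       Local port   Remote address      Remote port            State

           0.0.0.0               23          0.0.0.0                0           listen
           0.0.0.0               80          0.0.0.0                0           listen
         1.0.0.127             2222          0.0.0.0                0           listen

  [*] Listening UDP ports

     Local address       Local port

           0.0.0.0              161
           0.0.0.0              514

  [*] Scanned 1 of 1 hosts (100% complete)
REPORT

# "key : value" lines inside the System/Network information sections.
# Split on the first colon only, so values containing colons (uptime) survive.
def add_pair(target, line)
  key, value = line.split(/\s*:\s*/, 2)
  target[key] = value if key && value
end

# Walk the report line by line, tracking which "[*] ..." section we are in.
def parse_snmp_enum(text)
  result = { system: {}, network: {}, tcp_listen: [], udp_listen: [] }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if line.start_with?('[*] ')
      section = line.sub('[*] ', '')
      next
    end
    case section
    when 'System information'
      add_pair(result[:system], line)
    when 'Network information'
      add_pair(result[:network], line)
    when 'TCP connections and listening ports'
      f = line.split               # addr, port, raddr, rport, state
      next unless f.size == 5 && f[1].match?(/\A\d+\z/)   # skips the column header
      result[:tcp_listen] << { addr: f[0], port: f[1].to_i } if f[4] == 'listen'
    when 'Listening UDP ports'
      f = line.split               # addr, port
      next unless f.size == 2 && f[1].match?(/\A\d+\z/)
      result[:udp_listen] << { addr: f[0], port: f[1].to_i }
    end
  end
  result
end

# Hypothetical policy table (an assumption of this example): TCP services that
# carry credentials in clear text and should not be reachable on a managed switch.
CLEARTEXT_MGMT = { 21 => 'ftp', 23 => 'telnet', 80 => 'http' }.freeze

def cleartext_management_services(inventory)
  inventory[:tcp_listen].map { |l| CLEARTEXT_MGMT[l[:port]] }.compact.uniq
end

if __FILE__ == $PROGRAM_NAME
  inv = parse_snmp_enum(SAMPLE_REPORT)
  puts "#{inv[:system]['Hostname']} (#{inv[:system]['Location']})"
  puts "TCP listeners: #{inv[:tcp_listen].map { |l| l[:port] }.join(', ')}"
  puts "UDP listeners: #{inv[:udp_listen].map { |l| l[:port] }.join(', ')}"
  puts "cleartext management: #{cleartext_management_services(inv).join(', ')}"
end
```

Run it against a saved msfconsole transcript (`ruby parse_enum.rb < report.txt` after swapping the sample for `STDIN.read`) and the switch above comes back with telnet and HTTP flagged; the same structure makes a run-to-run diff of listening ports a one-liner. Addresses are kept exactly as the module printed them, including the odd `1.0.0.127` form on this device, since the script makes no attempt to interpret them.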

snmp_enumshares

The snmp_enumshares module is a simple scanner that queries a range of hosts via SNMP to determine any available shares.

msf > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version <1/2c>

We configure the module by setting our RHOSTS range and THREADS value and let it run.

msf auxiliary(snmp_enumshares) > set RHOSTS 192.168.1.200-210
RHOSTS => 192.168.1.200-210
msf auxiliary(snmp_enumshares) > set THREADS 11
THREADS => 11
msf auxiliary(snmp_enumshares) > run

[+] 192.168.1.201 
	shared_docs -  (C:\Documents and Settings\Administrator\Desktop\shared_docs)
[*] Scanned 02 of 11 hosts (018% complete)
[*] Scanned 03 of 11 hosts (027% complete)
[*] Scanned 05 of 11 hosts (045% complete)
[*] Scanned 07 of 11 hosts (063% complete)
[*] Scanned 09 of 11 hosts (081% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_enumshares) >

snmp_enumusers

The snmp_enumusers module queries a range of hosts via SNMP and collects a list of the usernames on the remote systems.

msf > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version <1/2c>

As with most auxiliary modules, we set the RHOSTS and THREADS values and launch it.

msf auxiliary(snmp_enumusers) > set RHOSTS 192.168.1.200-211
RHOSTS => 192.168.1.200-211
msf auxiliary(snmp_enumusers) > set THREADS 11
THREADS => 11
msf auxiliary(snmp_enumusers) > run

[+] 192.168.1.201 Found Users: ASPNET, Administrator, Guest, HelpAssistant, SUPPORT_388945a0, victim 
[*] Scanned 02 of 12 hosts (016% complete)
[*] Scanned 05 of 12 hosts (041% complete)
[*] Scanned 06 of 12 hosts (050% complete)
[*] Scanned 07 of 12 hosts (058% complete)
[*] Scanned 08 of 12 hosts (066% complete)
[*] Scanned 09 of 12 hosts (075% complete)
[*] Scanned 11 of 12 hosts (091% complete)
[*] Scanned 12 of 12 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_enumusers) >

snmp_login

The snmp_login module is a scanner that sweeps a range of IP addresses to determine the community strings of SNMP devices.

msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > show options

Module options (auxiliary/scanner/snmp/snmp_login):

   Name              Current Setting                                                       Required  Description
   ----              ---------------                                                       --------  -----------
   BLANK_PASSWORDS   false                                                                 no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                     yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                 no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                 no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                 no        Add all users in the current database to the list
   PASSWORD                                                                                no        The password to test
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt  no        File containing communities, one per line
   RHOSTS                                                                                  yes       The target address range or CIDR identifier
   RPORT             161                                                                   yes       The target port
   STOP_ON_SUCCESS   false                                                                 yes       Stop guessing when a credential works for a host
   THREADS           1                                                                     yes       The number of concurrent threads
   USER_AS_PASS      false                                                                 no        Try the username as the password for all users
   VERBOSE           true                                                                  yes       Whether to print output for all attempts
   VERSION           1                                                                     yes       The SNMP version to scan (Accepted: 1, 2c, all)

We set our RHOSTS and THREADS values, keep the default wordlist, and let the scanner run.

msf auxiliary(snmp_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(snmp_login) > set THREADS 254
THREADS => 254
msf auxiliary(snmp_login) > run

[+] SNMP: 192.168.1.2 community string: 'public' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] SNMP: 192.168.1.199 community string: 'public' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[+] SNMP: 192.168.1.2 community string: 'private' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] SNMP: 192.168.1.199 community string: 'private' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[*] Validating scan results from 2 hosts...
[*] Host 192.168.1.199 provides READ-WRITE access with community 'internal'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'public'
[*] Host 192.168.1.2 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.2 provides READ-ONLY access with community 'public'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_login) >

Our quick SNMP sweep found the default public and private community strings on two devices on our network. This module can also be a useful tool for network administrators to identify additional devices with insecure configurations.
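When an administrator runs this sweep across a whole network, the interesting part is not the scan itself but the triage afterwards: which devices accept a well-known community string, and which of those grant write access, since a writable community lets anyone on the network change the device's configuration over SNMP. The Ruby script below is an added example, not code from the Metasploit Unleashed page or from the snmp_login module. It parses the two result line formats shown above (the `[+] SNMP: ... community string:` hits and the `[*] Host ... provides ... access` validation lines; the constructed sample embeds the output of the run above) into one finding per host and orders them by severity. The severity scale and the `UNVALIDATED` placeholder are assumptions of this example.

```ruby
# Added example, not part of the Metasploit Unleashed page or the snmp_login module:
# turn the snmp_login console output into a per-host finding list so that
# devices accepting well-known community strings can be triaged by severity.

# Constructed sample: the result lines from the snmp_login run shown on the page.
SAMPLE_LOGIN_OUTPUT = <<~'OUT'
  [+] SNMP: 192.168.1.2 community string: 'public' info: 'GSM7224 L2 Managed Gigabit Switch'
  [+] SNMP: 192.168.1.199 community string: 'public' info: 'HP ETHERNET MULTI-ENVIRONMENT'
  [+] SNMP: 192.168.1.2 community string: 'private' info: 'GSM7224 L2 Managed Gigabit Switch'
  [+] SNMP: 192.168.1.199 community string: 'private' info: 'HP ETHERNET MULTI-ENVIRONMENT'
  [*] Validating scan results from 2 hosts...
  [*] Host 192.168.1.199 provides READ-WRITE access with community 'internal'
  [*] Host 192.168.1.199 provides READ-WRITE access with community 'private'
  [*] Host 192.168.1.199 provides READ-WRITE access with community 'public'
  [*] Host 192.168.1.2 provides READ-WRITE access with community 'private'
  [*] Host 192.168.1.2 provides READ-ONLY access with community 'public'
  [*] Scanned 256 of 256 hosts (100% complete)
OUT

# The two line shapes the module prints for a successful guess and for the
# access-level validation that follows.
FOUND_RE  = /\A\[\+\] SNMP: (\S+) community string: '([^']*)' info: '([^']*)'/
ACCESS_RE = /\A\[\*\] Host (\S+) provides (READ-WRITE|READ-ONLY) access with community '([^']*)'/

# host => { info: description string the device reported,
#           communities: { community name => access level } }
def parse_snmp_login(text)
  hosts = Hash.new { |h, k| h[k] = { info: nil, communities: {} } }
  text.each_line do |raw|
    line = raw.strip
    if (m = FOUND_RE.match(line))
      hosts[m[1]][:info] = m[3]
      # Placeholder (assumption of this example) until a validation line arrives.
      hosts[m[1]][:communities][m[2]] ||= 'UNVALIDATED'
    elsif (m = ACCESS_RE.match(line))
      hosts[m[1]][:communities][m[3]] = m[2]
    end
  end
  hosts
end

SEVERITY_ORDER = %w[high medium low].freeze

# Any accepted community is a finding; write access is the most urgent
# because it lets a caller change device configuration over SNMP.
def prioritize(hosts)
  hosts.map do |ip, data|
    rw = data[:communities].select { |_, acc| acc == 'READ-WRITE' }.keys.sort
    ro = data[:communities].select { |_, acc| acc == 'READ-ONLY' }.keys.sort
    severity = if rw.any? then 'high' elsif ro.any? then 'medium' else 'low' end
    { host: ip, info: data[:info], severity: severity, read_write: rw, read_only: ro }
  end.sort_by { |f| [SEVERITY_ORDER.index(f[:severity]), f[:host]] }
end

if __FILE__ == $PROGRAM_NAME
  prioritize(parse_snmp_login(SAMPLE_LOGIN_OUTPUT)).each do |f|
    puts "#{f[:severity].upcase} #{f[:host]} (#{f[:info]}) " \
         "rw=#{f[:read_write].join(',')} ro=#{f[:read_only].join(',')}"
  end
end
```

For the run above both devices come out as high severity: the HP printer accepts three writable communities (`internal`, `private`, `public`), and the Netgear switch accepts `private` for write and `public` for read. The fix on the device side is the same in each case: replace the default communities, restrict SNMP access to the management subnet with an ACL, and move to SNMPv3 with authentication and privacy where the device supports it; re-running snmp_login afterwards and feeding the output through this script confirms that the list comes back empty.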

Published: 2018-06-20 14:36:12  Category: Metasploit
Last updated: 2018-06-20 15:10:36
付杰