Scanning services with Metasploit
Besides using Nmap to scan for services on our target network, Metasploit itself includes a wide variety of scanners for various services. These often help you determine whether a potentially vulnerable service is running on a target machine.
Contents
1. SSH service
2. FTP service
1. SSH service
The earlier scan showed TCP port 22 open on two machines. SSH is generally secure, but vulnerabilities in SSH implementations are not unheard of, and it is always worth gathering as much information as you can from your targets.
msf > services -p 22 -c name,port,proto
Services
========

host            name  port  proto
----            ----  ----  -----
172.16.194.163  ssh   22    tcp
172.16.194.172  ssh   22    tcp
We load the 'ssh_version' auxiliary scanner and use the 'set' command to set the 'RHOSTS' option (both hosts can be given in one space-separated list). From there we launch the scan simply by typing 'run':
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 172.16.194.163 172.16.194.172
RHOSTS => 172.16.194.163 172.16.194.172
msf auxiliary(ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
   Name     Current Setting                Required  Description
   ----     ---------------                --------  -----------
   RHOSTS   172.16.194.163 172.16.194.172  yes       The target address range or CIDR identifier
   RPORT    22                             yes       The target port
   THREADS  1                              yes       The number of concurrent threads
   TIMEOUT  30                             yes       Timeout for the SSH probe
msf auxiliary(ssh_version) > run
[*] 172.16.194.163:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
[*] Scanned 1 of 2 hosts (050% complete)
[*] 172.16.194.172:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
2. FTP service
A poorly configured FTP server is often the foothold needed to reach an entire network, so whenever you come across an open FTP port, usually TCP port 21, it is worth checking whether anonymous access is allowed. Because we only intend to scan one host, we leave THREADS set to 1.
msf > services -p 21 -c name,proto
Services
========

host            name  proto
----            ----  -----
172.16.194.172  ftp   tcp
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(ftp_version) > set RHOSTS 172.16.194.172
RHOSTS => 172.16.194.172
msf auxiliary(anonymous) > show options
Module options (auxiliary/scanner/ftp/anonymous):
   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS   172.16.194.172       yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port
   THREADS  1                    yes       The number of concurrent threads
msf auxiliary(anonymous) > run
[*] 172.16.194.172:21 Anonymous READ (220 (vsFTPd 2.3.4))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
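The two scanner runs above (ssh_version and the FTP anonymous check) each print one result line per host. The following Ruby script is an added example, not part of this page or of the Metasploit Framework: it folds those result lines into a host/service inventory, splits the SSH identification string the way RFC 4253 defines it, and lists the findings a defender would track (anonymous FTP, and each SSH build to check against the distribution's patched version). SAMPLE_OUTPUT is constructed from the output lines on this page.

```ruby
# Added example, not from the page: fold msfconsole scanner output into an
# inventory and raise the findings a defender would act on.
# SAMPLE_OUTPUT is constructed from the output lines shown on this page.
SAMPLE_OUTPUT = <<~OUT.lines.map(&:chomp)
  [*] 172.16.194.163:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
  [*] Scanned 1 of 2 hosts (050% complete)
  [*] 172.16.194.172:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
  [*] Scanned 2 of 2 hosts (100% complete)
  [*] Auxiliary module execution completed
  [*] 172.16.194.172:21 Anonymous READ (220 (vsFTPd 2.3.4))
  [*] Scanned 1 of 1 hosts (100% complete)
OUT

# Result line of auxiliary/scanner/ssh/ssh_version
SSH_RE = /\A\[\*\] (?<host>[\d.]+):(?<port>\d+),\s*SSH server version:\s*(?<banner>.+)\z/
# Result line of auxiliary/scanner/ftp/anonymous (the page shows READ; the
# module reports READ/WRITE when anonymous uploads are also permitted)
FTP_RE = %r{\A\[\*\] (?<host>[\d.]+):(?<port>\d+)\s+Anonymous\s+(?<access>[A-Z/]+)\s+\((?<banner>.+)\)\z}

# Split an RFC 4253 identification string:
# "SSH-protoversion-softwareversion [SP comments]"
def parse_ssh_banner(banner)
  m = banner.match(/\ASSH-(?<proto>[^-]+)-(?<software>\S+)(?:\s+(?<comments>.*))?\z/)
  return nil unless m
  { proto: m[:proto], software: m[:software], comments: m[:comments] }
end

# Turn one "[*] host:port ..." line into a record; progress lines yield nil.
def parse_result_line(line)
  if (m = line.match(SSH_RE))
    { host: m[:host], port: m[:port].to_i, service: 'ssh',
      banner: m[:banner].strip, anonymous: nil }
  elsif (m = line.match(FTP_RE))
    { host: m[:host], port: m[:port].to_i, service: 'ftp',
      banner: m[:banner].strip, anonymous: m[:access] }
  end
end

def build_inventory(lines)
  lines.map { |l| parse_result_line(l) }.compact
end

# One finding per record: anonymous FTP access, or an SSH build to verify.
def findings(inventory)
  inventory.map do |r|
    if r[:service] == 'ftp' && r[:anonymous]
      "#{r[:host]}:#{r[:port]} allows anonymous FTP #{r[:anonymous]} (#{r[:banner]})"
    elsif r[:service] == 'ssh'
      sw = parse_ssh_banner(r[:banner])
      "#{r[:host]}:#{r[:port]} runs #{sw[:software]} (#{sw[:comments]}); verify it is patched"
    end
  end.compact
end

puts findings(build_inventory(SAMPLE_OUTPUT)) if $PROGRAM_NAME == __FILE__
```

To use it on a real run, pipe the output of msfconsole (or the contents of a spool file) into build_inventory instead of SAMPLE_OUTPUT.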
In a very short time, and with very little effort, we have gathered a great deal of information about the hosts on our network, giving us a much better picture of what we are up against during a penetration test.
There are obviously far too many scanners for us to demonstrate each one here, but the Metasploit Framework is well suited to all of your scanning and identification needs. To list the available scanner modules:
msf > search auxiliary/scanner/
At the time of writing, this lists about 515 scanner modules in total.