攻击机:
192.168.1.5 Debian

靶机:
192.168.1.2 Windows 7
192.168.1.119 Windows 2003

第一季主要介绍 scanner 下的五个模块,辅助发现内网存活主机,分别为:

  • auxiliary/scanner/discovery/arp_sweep
  • auxiliary/scanner/discovery/udp_sweep
  • auxiliary/scanner/ftp/ftp_version
  • auxiliary/scanner/http/http_version
  • auxiliary/scanner/smb/smb_version

一:基于scanner/http/http_version发现HTTP服务

  3. Module options (auxiliary/scanner/http/http_version): 
  5. Name Current Setting Required Description
  6. ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
  7. Proxies no A proxy chain of format type:host:port[,type:host:port] [...]
  8. RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
  9. RPORT 80 yes The target port (TCP)
  10. SSL false no Negotiate SSL/TLS for outgoing connections
  11. THREADS 20 yes The number of concurrent threads
  12. VHOST no HTTP server virtual host 
  14. msf auxiliary(scanner/http/http_version) > exploit 
  16. [+] 192.168.1.1:80
  17. [*] Scanned 27 of 256 hosts (10% complete)
  18. [*] Scanned 82 of 256 hosts (32% complete)
  19. [*] Scanned 103 of 256 hosts (40% complete)
  20. [+] 192.168.1.119:80 MicrosoftIIS/6.0 ( Powered by ASP.NET )
  21. [*] Scanned 129 of 256 hosts (50% complete)
  22. [*] Scanned 154 of 256 hosts (60% complete)
  23. [*] Scanned 182 of 256 hosts (71% complete)
  24. [*] Scanned 205 of 256 hosts (80% complete)
  26. [*] Scanned 256 of 256 hosts (100% complete)
  27. [*] Auxiliary module execution completed

三:基于scanner/ftp/ftp_version发现FTP服务

  1. msf auxiliary(scanner/ftp/ftp_version) > show options 
  3. Module options (auxiliary/scanner/ftp/ftp_version): 
  5. Name Current Setting Required Description
  6. ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
  7. FTPPASS mozilla@example.com no The password for the specified username
  8. FTPUSER anonymous no The username to authenticate as
  9. RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
  10. RPORT 21 yes The target port (TCP)
  11. THREADS 50 yes The number of concurrent threads 
  13. msf auxiliary(scanner/ftp/ftp_version) > exploit 
  15. [*] Scanned 51 of 256 hosts (19% complete)
  16. [*] Scanned 52 of 256 hosts (20% complete)
  17. [*] Scanned 100 of 256 hosts (39% complete)
  18. [*] Scanned 103 of 256 hosts (40% complete)
  19. [*] Scanned 133 of 256 hosts (51% complete)
  20. [*] Scanned 183 of 256 hosts (71% complete)
  21. [*] Scanned 197 of 256 hosts (76% complete)
  23. [*] Scanned 231 of 256 hosts (90% complete)
  24. [*] Scanned 256 of 256 hosts (100% complete)
  25. [*] Auxiliary module execution completed

第二十三课:基于MSF发现内网存活主机第一季 - 图1

五:基于scanner/discovery/udp_sweep发现内网存活主机

  1. msf auxiliary(scanner/discovery/udp_sweep) > show options 
  3. Module options (auxiliary/scanner/discovery/udp_sweep): 
  5. Name Current Setting Required Description
  6. ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
  7. BATCHSIZE 256 yes The number of hosts to probe in each set
  8. RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
  9. THREADS 50 yes The number of concurrent threads 
  11. msf auxiliary(scanner/discovery/udp_sweep) > exploit 
  13. [*] Sending 13 probes to 192.168.1.0‐>192.168.1.255 (256 hosts)
  14. [*] Discovered DNS on 192.168.1.1:53 (ce2a8500000100010000000007564552  53494f4e0442494e440000100003c00c0010000300000001001a19737572656c7920796f7
  15. 5206d757374206265206a6f6b696e67)
  16. [*] Discovered NetBIOS on 192.168.1.2:137 (JOHNPC:<00>:U :WORKGROUP:<00>:G :JOHNPC:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U
  17. :__MSBROWSE__ <01>:G :4c:cc:6a:e3:51:27)
  18. [*] Discovered NetBIOS on 192.168.1.119:137 (WIN03X64:<00>:U :WIN03X64:<20>:U :WORKGROUP:<00>:G :WORKGROUP:<1e>:G :WIN03X64:<03>:U
  19. :ADMINISTRA TOR:<03>:U :WIN03X64:<01>:U :00:0c:29:85:d6:7d)
  20. [*] Auxiliary module execution completed