Notes on Metasploit魔鬼训练营 (Metasploit Penetration Testing Training Camp)

Metasploit魔鬼训练营

External information gathering

whois domain lookup

msf > whois testfire.net
[*] exec: whois testfire.net

Domain Name: TESTFIRE.NET
Registry Domain ID: 8363973_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2017-07-19T05:16:54Z
Creation Date: 1999-07-23T13:52:32Z
Registry Expiry Date: 2018-07-23T13:52:32Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ASIA3.AKAM.NET
Name Server: EUR2.AKAM.NET
Name Server: EUR5.AKAM.NET
Name Server: NS1-206.AKAM.NET
Name Server: NS1-99.AKAM.NET
Name Server: USC2.AKAM.NET
Name Server: USC3.AKAM.NET
Name Server: USW2.AKAM.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-10-25T00:31:59Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

nslookup domain lookup

root@bt:~# nslookup
> set type=A
> testfire.net
Server: 10.10.10.2
Address: 10.10.10.2#53

Non-authoritative answer:
Name: testfire.net
Address: 65.61.137.117

dig domain lookup

root@bt:~#  dig @ns.watson.ibm.com testfire.net

IP2Location geolocation lookup

[GeoIP service](http://www.maxmind.com)
The latitude and longitude this site returns can be plotted on Google Maps to locate the host physically.

[QQ Chunzhen (纯真) IP database](http://www.cz88.net)

Netcraft site information lookup

[netcraft](http://searchdns.netcraft.com)
Search for "testfire.net" --> click "lookup!"
For a more detailed site report: (http://toolbar.netcraft.com/site_report?url=http://www.testfire.net)

IP2Domain reverse lookup

[Reverse IP lookup ("side-site", 旁注)](http://www.ip-adress.com/reversr_ip)
One server can host many virtual hosts that answer to different domain names on the same IP address. If the target site itself is hard to break, a neighbouring site on the same IP may be weaker; compromising it (a "side-site" attack) gives a foothold on the shared server, from which the real target can be reached by pivoting.

[Chinese reverse-lookup site](http://www.7c.com)
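Name-based virtual hosting is what makes the reverse-IP trick work: one IP, several sites, selected by the Host header. The following is an added example, not code from the book: a local HTTP server hosts two constructed sites, and enumerate_vhosts() sends the same request to a single IP:port with different Host values and reports the names that return something other than the default site. The site names and bodies are made up for the demo; in practice the candidate names come from a reverse-IP lookup.

```python
"""Name-based virtual hosting: one IP, many sites, chosen by the Host header.
Added example (not from the book). A tiny local HTTP server serves two constructed
sites; enumerate_vhosts() asks the same IP:port for each candidate name and reports
the ones that answer differently from the default site."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sites; real candidate names would come from a reverse-IP lookup.
SITES = {
    "www.testfire.net": b"<h1>Altoro Mutual</h1>",
    "blog.example.test": b"<h1>Neighbour blog on the same IP</h1>",
}
DEFAULT_SITE = "www.testfire.net"  # served for any unknown Host, like Apache's first vhost


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = SITES.get(host, SITES[DEFAULT_SITE])
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(ip, port, hostname):
    """GET / from ip:port while claiming (via Host) to talk to `hostname`."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": hostname})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def enumerate_vhosts(ip, port, candidates):
    """Return the candidate names whose response differs from the default site."""
    _, baseline = fetch(ip, port, "nonexistent.invalid")  # .invalid never matches a vhost
    found = []
    for name in candidates:
        status, body = fetch(ip, port, name)
        if status == 200 and body != baseline:
            found.append(name)
    return found


if __name__ == "__main__":
    srv = start_server()
    ip, port = srv.server_address
    print(enumerate_vhosts(ip, port, ["blog.example.test", "shop.example.test"]))
    srv.shutdown()
```

The baseline request with an unmatchable Host value captures what the server returns for its default vhost; only names that produce a different body are reported, which is why the default site itself never appears in the result.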

Search engine queries

[Google Hacking Database](http://www.exploit-db.com/google-dorks)
Two tools that automate these queries:
SiteDigger: download at (http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx)
Search Diggity: download at (http://www.stachliu.com)

Searching for the site's directory structure

Search directly in Google

parent directory site:testfire.net

File types worth a closer look:
inc: site configuration, often including the database username/password
bak: backup copies left behind by text editors, which expose the source of the scripts
txt/sql: usually SQL scripts that reveal the database structure

Using the Metasploit module

msf > search dir_scanner

Matching Modules
================

   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   auxiliary/scanner/http/dir_scanner                   normal  HTTP Directory Scanner


msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS www.testfire.net
RHOSTS => www.testfire.net
msf auxiliary(dir_scanner) > exploit

Searching for specific file types

Search directly in Google

site:testfire.net filetype:xls

Searching for the site's email addresses

msf  auxiliary(dir_scanner) > use auxiliary/gather/search_email_collector
msf auxiliary(search_email_collector) > set DOMAIN altoromutual.com
DOMAIN => altoromutual.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from altoromutual.com
Harvested addresses, combined with social engineering, make phishing against the target noticeably more effective.

Searching for pages that may be SQL-injectable

Search directly in Google

site:testfire.net inurl:login
The inurl:login dork only finds login pages, which are candidate injection points; whether a field is actually injectable still has to be tested. In the book's example this site does have an injection point, because the input characters are not filtered.

IP route tracing

root@bt:~# traceroute 202.112.50.74
traceroute to 202.112.50.74 (202.112.50.74), 30 hops max, 60 byte packets
1 bogon (10.10.10.2) 0.215 ms 0.128 ms 0.143 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Host discovery and port scanning

The ping command

root@bt:~# ping -c 5 www.dvssc.com
PING www.dvssc.com (10.10.10.129) 56(84) bytes of data.
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=1 ttl=64 time=2.28 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=2 ttl=64 time=0.549 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=3 ttl=64 time=0.513 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=4 ttl=64 time=0.633 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=5 ttl=64 time=0.525 ms

--- www.dvssc.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.513/0.901/2.287/0.694 ms

Metasploit host discovery modules

arp_sweep

msf > search arp_sweep
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                   Disclosure Date  Rank    Description
   ----                                   ---------------  ----    -----------
   auxiliary/scanner/discovery/arp_sweep                   normal  ARP Sweep Local Network Discovery


msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run

[*] 10.10.10.1 appears to be up (VMware, Inc.).
[*] 10.10.10.2 appears to be up (VMware, Inc.).
[*] 10.10.10.128 appears to be up (VMware, Inc.).
[*] 10.10.10.129 appears to be up (VMware, Inc.).
[*] 10.10.10.130 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
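What arp_sweep actually puts on the wire is an Ethernet broadcast carrying an ARP who-has request per target address; the "(VMware, Inc.)" tag comes from looking up the replying MAC's OUI prefix. The block below is an added example, not the Metasploit module's code: it builds the request frame, parses an is-at reply into (ip, mac, vendor), and runs a sweep against a constructed stand-in for the lab LAN. The scanner MAC 00:0c:29:aa:bb:cc is hypothetical; the lab IPs and the two VMware OUI prefixes are taken from the output above. Sending the frames for real needs an AF_PACKET raw socket and root, which is deliberately left out.

```python
"""What arp_sweep puts on the wire, as an added example (not the module's code):
build an Ethernet/ARP who-has request per target IP and turn an is-at reply into
(ip, mac, vendor). Frames are built and parsed as bytes so it runs offline.
The scanner MAC is hypothetical; lab IPs and OUIs come from the book's output."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
SCANNER_IP, SCANNER_MAC = "10.10.10.200", "00:0c:29:aa:bb:cc"   # MAC is made up
# OUI prefixes seen in the lab output; a real tool loads the full IEEE OUI list.
OUI_VENDORS = {"00:0c:29": "VMware, Inc.", "00:50:56": "VMware, Inc."}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def arp_body(op, sender_mac, sender_ip, target_mac, target_ip):
    # htype=1 Ethernet, ptype=0x0800 IPv4, hlen=6, plen=4, op: 1 request / 2 reply
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)


def build_arp_request(src_mac, src_ip, target_ip):
    """Broadcast 'who has target_ip? tell src_ip' (target MAC still unknown)."""
    eth = BROADCAST + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    return eth + arp_body(1, src_mac, src_ip, "00:00:00:00:00:00", target_ip)


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Constructed unicast 'src_ip is at src_mac', as a live host would answer."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    return eth + arp_body(2, src_mac, src_ip, dst_mac, dst_ip)


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac, vendor) for an ARP is-at reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    sender_mac = mac_str(frame[22:28])
    sender_ip = str(ipaddress.IPv4Address(frame[28:32]))
    return sender_ip, sender_mac, OUI_VENDORS.get(sender_mac[:8], "unknown")


def sweep(targets, exchange):
    """exchange(frame) plays the network: it returns the reply frame or None."""
    alive = []
    for ip in targets:
        reply = exchange(build_arp_request(SCANNER_MAC, SCANNER_IP, ip))
        parsed = parse_arp_reply(reply) if reply else None
        if parsed:
            alive.append(parsed)
    return alive


def fake_lan(frame):
    """Constructed stand-in for the lab LAN: only 10.10.10.130 answers."""
    target_ip = str(ipaddress.IPv4Address(frame[38:42]))   # target IP field of the request
    if target_ip == "10.10.10.130":
        return build_arp_reply("00:0c:29:94:e4:0e", target_ip, SCANNER_MAC, SCANNER_IP)
    return None


if __name__ == "__main__":
    for ip, mac, vendor in sweep(["10.10.10.129", "10.10.10.130"], fake_lan):
        print(f"{ip} appears to be up ({vendor}), mac {mac}")
```

Because ARP never leaves the local broadcast domain, this technique (and the module) only finds hosts on the same layer-2 segment as the scanner; it is also why the book's arp_sweep run lists every VM on the lab network but nothing beyond it.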

udp_sweep

msf auxiliary(arp_sweep) > use auxiliary/scanner/discovery/udp_sweep
msf auxiliary(udp_sweep) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(udp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(udp_sweep) > run

[*] Sending 13 probes to 10.10.10.0->10.10.10.255 (256 hosts)
[*] Discovered NetBIOS on 10.10.10.129:137 (OWASPBWA:<00>:U :OWASPBWA:<03>:U :OWASPBWA:<20>:U :__MSBROWSE__:<01>:G :WORKGROUP:<1d>:U :WORKGROUP:<1e>:G :WORKGROUP:<00>:G :00:00:00:00:00:00)
[*] Discovered NetBIOS on 10.10.10.254:137 (METASPLOITABLE:<00>:U :METASPLOITABLE:<03>:U :METASPLOITABLE:<20>:U :WORKGROUP:<00>:G :WORKGROUP:<1e>:G :00:00:00:00:00:00)
[*] Discovered NetBIOS on 10.10.10.1:137 (LIXU-PC:<00>:U :WORKGROUP:<00>:G :LIXU-PC:<20>:U :00:50:56:c0:00:08)
[*] Discovered DNS on 10.10.10.2:53 (af67818000010001000000000756455253494f4e0442494e440000100003c00c0010000300000005000d0c646e736d6173712d322e3531)
[*] Discovered NetBIOS on 10.10.10.130:137 (ROOT-TVI862UBEH:<00>:U :ROOT-TVI862UBEH:<20>:U :WORKGROUP:<00>:G :WORKGROUP:<1e>:G :00:0c:29:94:e4:0e)
[*] Discovered DNS on 10.10.10.254:53 (BIND 9.4.2)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
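The hex blob udp_sweep printed for 10.10.10.2:53 is the raw DNS reply to a TXT query for version.bind in the CHAOS class, which is how the module learns a resolver's software version (the reply for 10.10.10.254 was already decoded to "BIND 9.4.2"). The block below is an added example, not the module's code: it builds that query and parses the reply, including DNS name compression, and is run against the exact bytes from the output above.

```python
"""How udp_sweep's DNS probe works, as an added example (not the module's code):
send a TXT query for version.bind in the CHAOS class and decode the answer.
SAMPLE_REPLY_HEX is the raw reply the book's lab printed for 10.10.10.2:53."""
import struct

SAMPLE_REPLY_HEX = ("af67818000010001000000000756455253494f4e0442494e440000100003"
                    "c00c0010000300000005000d0c646e736d6173712d322e3531")
TYPE_TXT, CLASS_CH = 16, 3


def encode_name(name):
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def build_version_query(txid=0xAF67):
    """DNS header (RD set, one question) + question 'version.bind TXT CH'."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_version_reply(msg):
    """Return (name, [txt strings]) from the first CH TXT answer, or None."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:       # must be a response with RCODE 0
        return None
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4                                   # qtype + qclass
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            texts, p = [], 0
            while p < len(rdata):                  # TXT rdata = sequence of <len><chars>
                n = rdata[p]
                texts.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
            return name.lower(), texts
    return None


if __name__ == "__main__":
    print(build_version_query().hex())
    print(parse_version_reply(bytes.fromhex(SAMPLE_REPLY_HEX)))
```

Decoding the lab bytes yields ("version.bind", ["dnsmasq-2.51"]): the lab gateway at 10.10.10.2 runs dnsmasq 2.51, which the module left undecoded. Administrators often blank this record (BIND's `version "none";`), so a missing answer is not an error.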

Nmap scanning

msf > nmap -PU -sn 10.10.10.0/24
[*] exec: nmap -PU -sn 10.10.10.0/24


Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-25 10:56 CST
Nmap scan report for bogon (10.10.10.1)
Host is up (0.00062s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (10.10.10.2)
Host is up (0.00056s latency).
MAC Address: 00:50:56:FE:22:F7 (VMware)
Nmap scan report for bogon (10.10.10.128)
Host is up (0.00082s latency).
MAC Address: 00:0C:29:46:81:2D (VMware)
Nmap scan report for bogon (10.10.10.129)
Host is up (0.00079s latency).
MAC Address: 00:0C:29:BA:5B:04 (VMware)
Nmap scan report for bogon (10.10.10.130)
Host is up (0.00066s latency).
MAC Address: 00:0C:29:94:E4:0E (VMware)
Nmap scan report for bogon (10.10.10.254)
Host is up (0.00052s latency).
MAC Address: 00:50:56:FD:FB:5C (VMware)
Nmap scan report for bogon (10.10.10.200)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 3.91 seconds

Many more nmap options are covered in my other notes.

Operating system identification

Note: the command below uses -sV (service/version detection); the OS hint comes from the Service Info line and from the Debian/Ubuntu package strings in the service banners. Nmap's dedicated OS fingerprinting is -O (or -A, which combines -sV, -O, the default scripts and traceroute).

msf > nmap -sV 10.10.10.254
[*] exec: nmap -sV 10.10.10.254


Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-25 11:08 CST
Nmap scan report for bogon (10.10.10.254)
Host is up (0.000064s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:D7:13:2A (VMware)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds

Port scanning and service detection

Port scanners in Metasploit

msf > search portscan
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner


msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 10.10.10.254
RHOSTS => 10.10.10.254
msf auxiliary(syn) > set THREADS 20
THREADS => 20

msf auxiliary(syn) > run

[*] TCP OPEN 10.10.10.254:21
[*] TCP OPEN 10.10.10.254:22
[*] TCP OPEN 10.10.10.254:23
[*] TCP OPEN 10.10.10.254:25
[*] TCP OPEN 10.10.10.254:53
[*] TCP OPEN 10.10.10.254:80
[*] TCP OPEN 10.10.10.254:139
[*] TCP OPEN 10.10.10.254:445
[*] TCP OPEN 10.10.10.254:3306
[*] TCP OPEN 10.10.10.254:3632
[*] TCP OPEN 10.10.10.254:5432
[*] TCP OPEN 10.10.10.254:8009
[*] TCP OPEN 10.10.10.254:8180
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
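The syn module is a half-open scanner: for each port it sends a single SYN, reads the reply's flags (SYN/ACK means open, RST means closed, silence means filtered) and answers an open port with a RST instead of completing the handshake, so the connection never shows up in the target's accept queue. The block below is an added example, not the module's code: it crafts the SYN with a correct pseudo-header checksum, classifies replies, and runs the scan against a constructed stand-in for 10.10.10.254 so it works offline. The lab addresses come from the output above; a real scan needs a raw socket and root.

```python
"""The half-open (SYN) scan behind portscan/syn, as an added example (not the module's
code): craft a TCP SYN with a valid pseudo-header checksum, classify the reply by its
flags, and answer an open port's SYN/ACK with a RST so the handshake never completes.
fake_target() stands in for the network so the example runs offline."""
import ipaddress
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
SCANNER, TARGET = "10.10.10.200", "10.10.10.254"   # the book's lab addresses


def checksum(data):
    """Internet checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_len))           # zero, protocol TCP, TCP length


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """20-byte TCP header, no options, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment):
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify(reply):
    """Scanner verdict from the reply's flag byte (offset 13)."""
    if reply is None:
        return "filtered"          # no answer: dropped by a firewall, or host down
    flags = reply[13]
    if flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        return "closed"
    return "unknown"


def syn_scan(src_ip, dst_ip, ports, send):
    """send(segment) plays the raw socket: it returns the reply bytes or None."""
    results = {}
    for i, port in enumerate(ports):
        sport, seq = 40000 + i, 0x1000 + i
        verdict = classify(send(build_tcp(src_ip, dst_ip, sport, port, SYN, seq=seq)))
        if verdict == "open":      # tear down before completing the handshake: half-open
            send(build_tcp(src_ip, dst_ip, sport, port, RST, seq=seq + 1))
        results[port] = verdict
    return results


def fake_target(segment):
    """Constructed stand-in for 10.10.10.254: 21/22/80 open, 9999 silently dropped."""
    if not checksum_ok(SCANNER, TARGET, segment):
        return None                 # a real stack discards segments with a bad checksum
    sport, dport = struct.unpack("!HH", segment[:4])
    seq = struct.unpack("!I", segment[4:8])[0]
    if segment[13] & RST or dport == 9999:
        return None
    if dport in (21, 22, 80):
        return build_tcp(TARGET, SCANNER, dport, sport, SYN | ACK, seq=0xBEEF, ack=seq + 1)
    return build_tcp(TARGET, SCANNER, dport, sport, RST | ACK, ack=seq + 1)


if __name__ == "__main__":
    for port, state in syn_scan(SCANNER, TARGET, [21, 22, 80, 8081, 9999], fake_target).items():
        print(f"TCP {TARGET}:{port} {state}")
```

Note that the module only prints "TCP OPEN" lines; closed and filtered ports are silently dropped from its output, whereas nmap reports "Not shown: 988 closed ports" so you can tell a closed port from a filtered one.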

Nmap port scanning

msf > nmap -sV -Pn 10.10.10.129
[*] exec: nmap -sV -Pn 10.10.10.129


Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-26 08:33 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.10.129
Host is up (0.00013s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.2.2
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp open imap Courier Imapd (released 2008)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
5001/tcp open java-rmi Java RMI
8080/tcp open http-proxy?
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5001-TCP:V=7.01%I=7%D=10/26%Time=59F12D51%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4,"\xac\xed\0\x05");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8080-TCP:V=7.01%I=7%D=10/26%Time=59F12D65%P=x86_64-pc-linux-gnu%r(S
SF:ocks5,6F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nServer:\x20Apache-Coyot
SF:e/1\.1\r\nDate:\x20Thu,\x2026\x20Oct\x202017\x2000:33:41\x20GMT\r\nConn
SF:ection:\x20close\r\n\r\n");
MAC Address: 00:0C:29:BA:5B:04 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.03 seconds

BackTrack

The AutoScan tool
Usage: see the book, p.90

Service scanning and enumeration

Modules provided by Metasploit

msf > search _version
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                                     Disclosure Date  Rank    Description
   ----                                                     ---------------  ----    -----------
   auxiliary/fuzzers/ssh/ssh_version_15                                      normal  SSH 1.5 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_2                                       normal  SSH 2.0 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_corrupt                                 normal  SSH Version Corruption
   auxiliary/gather/ibm_sametime_version                    2013-12-27       normal  IBM Lotus Sametime Version Enumeration
   auxiliary/scanner/db2/db2_version                                         normal  DB2 Probe Utility
   auxiliary/scanner/ftp/ftp_version                                         normal  FTP Version Scanner
   auxiliary/scanner/h323/h323_version                                       normal  H.323 Version Scanner
   auxiliary/scanner/http/coldfusion_version                                 normal  ColdFusion Version Scanner
   auxiliary/scanner/http/http_version                                       normal  HTTP Version Detection
   auxiliary/scanner/http/joomla_version                                     normal  Joomla Version Scanner
   auxiliary/scanner/http/sap_businessobjects_version_enum                   normal  SAP BusinessObjects Version Detection
   auxiliary/scanner/http/ssl_version                       2014-10-14       normal  HTTP SSL/TLS Version Detection (POODLE scanner)
   auxiliary/scanner/imap/imap_version                                       normal  IMAP4 Banner Grabber
   auxiliary/scanner/ipmi/ipmi_version                                       normal  IPMI Information Discovery
   auxiliary/scanner/lotus/lotus_domino_version                              normal  Lotus Domino Version
   auxiliary/scanner/mysql/mysql_version                                     normal  MySQL Server Version Enumeration
   auxiliary/scanner/oracle/tnslsnr_version                 2009-01-07       normal  Oracle TNS Listener Service Version Query
   auxiliary/scanner/pop3/pop3_version                                       normal  POP3 Banner Grabber
   auxiliary/scanner/postgres/postgres_version                               normal  PostgreSQL Version Probe
   auxiliary/scanner/printer/printer_version_info                            normal  Printer Version Information Scanner
   auxiliary/scanner/sap/sap_mgmt_con_version                                normal  SAP Management Console Version Detection
   auxiliary/scanner/scada/digi_addp_version                                 normal  Digi ADDP Information Discovery
   auxiliary/scanner/scada/digi_realport_version                             normal  Digi RealPort Serial Server Version
   auxiliary/scanner/smb/smb_version                                         normal  SMB Version Detection
   auxiliary/scanner/smtp/smtp_version                                       normal  SMTP Banner Grabber
   auxiliary/scanner/snmp/aix_version                                        normal  AIX SNMP Scanner Auxiliary Module
   auxiliary/scanner/ssh/ssh_version                                         normal  SSH Version Scanner
   auxiliary/scanner/telnet/lantronix_telnet_version                         normal  Lantronix Telnet Service Banner Detection
   auxiliary/scanner/telnet/telnet_version                                   normal  Telnet Service Banner Detection
   auxiliary/scanner/vmware/vmauthd_version                                  normal  VMWare Authentication Daemon Version Scanner
   auxiliary/scanner/vxworks/wdbrpc_version                                  normal  VxWorks WDB Agent Version Scanner

Telnet service scanning

msf > use auxiliary/scanner/telnet/telnet_version 
msf auxiliary(telnet_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(telnet_version) > set THREADS 50
THREADS => 50
msf auxiliary(telnet_version) > run

[*] Scanned 39 of 256 hosts (15% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 95 of 256 hosts (37% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 138 of 256 hosts (53% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 185 of 256 hosts (72% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 235 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

SSH service scanning

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(ssh_version) > set THREADS 100
THREADS => 100
msf auxiliary(ssh_version) > run

[*] Scanned 101 of 256 hosts (39% complete)
[*] 10.10.10.129:22 SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4 ( service.version=5.3p1 openssh.comment=Debian-3ubuntu4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=10.04 )
[*] Scanned 111 of 256 hosts (43% complete)
[*] Scanned 157 of 256 hosts (61% complete)
[*] 10.10.10.254:22 SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=8.04 )
[*] Scanned 197 of 256 hosts (76% complete)
[*] Scanned 198 of 256 hosts (77% complete)
[*] Scanned 199 of 256 hosts (77% complete)
[*] Scanned 200 of 256 hosts (78% complete)
[*] Scanned 213 of 256 hosts (83% complete)
[*] Scanned 237 of 256 hosts (92% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
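ssh_version needs no authentication because an SSH server announces itself before any key exchange, with one line of the form "SSH-protoversion-softwareversion SP comments CR LF" (RFC 4253); the module simply reads that line and splits it into the fields shown above. The block below is an added example, not the module's code: parse_banner() does the split, grab_banner() reads it over a socket, and serve_banner() is a constructed stand-in for a server. The table mapping the Debian package revision to an Ubuntu release holds only the two banners from the lab output and is an assumption for the demo, not a real fingerprint database.

```python
"""SSH banner grabbing, as an added example (not the ssh_version module's code).
A server sends "SSH-protoversion-softwareversion SP comments CR LF" (RFC 4253) before
any crypto, so one read is enough. UBUNTU_RELEASES covers only the two lab banners and
is an assumed mapping; serve_banner() is a constructed stand-in for a server."""
import re
import socket
import threading

# (OpenSSH version, package revision) -> Ubuntu release; assumed from the lab output only
UBUNTU_RELEASES = {
    ("4.7p1", "Debian-8ubuntu1"): "8.04",
    ("5.3p1", "Debian-3ubuntu4"): "10.04",
}
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_banner(raw):
    """Return a dict of banner fields, or None if no SSH identification line is present."""
    for line in raw.decode("ascii", "replace").splitlines():
        m = BANNER_RE.match(line)      # servers may send other lines first (RFC 4253 4.2)
        if not m:
            continue
        product, _, version = m.group("software").partition("_")
        info = {"protocol": m.group("proto"), "product": product,
                "version": version, "comment": m.group("comment") or ""}
        if product == "OpenSSH":
            info["os.version"] = UBUNTU_RELEASES.get((version, info["comment"]))
        return info
    return None


def serve_banner(banner):
    """Listen on a free loopback port, send `banner` to the first client, then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, timeout=5):
    """Connect, read until a complete SSH- line (or EOF), and parse it."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(data) < 4096:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
            if any(ln.startswith(b"SSH-") for ln in data.split(b"\n")[:-1]):
                break
    return parse_banner(data)


if __name__ == "__main__":
    port = serve_banner(b"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4\r\n")
    print(grab_banner("127.0.0.1", port))
```

The comment field is what makes the OS guess possible: "Debian-3ubuntu4" is the distribution's package revision, and the module maps it to an Ubuntu release exactly as the table does here. Servers can be configured to omit or change it, so treat os.version as a hint rather than proof.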

Oracle database service enumeration

msf > use auxiliary/scanner/oracle/tnslsnr_version
msf auxiliary(tnslsnr_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(tnslsnr_version) > set THREADS 100
THREADS => 100
msf auxiliary(tnslsnr_version) > run

[*] Scanned 101 of 256 hosts (39% complete)
[+] 10.10.10.130:1521 Oracle - Version: 32-bit Windows: Version 10.2.0.1.0 - Production
[*] Scanned 106 of 256 hosts (41% complete)
[*] Scanned 156 of 256 hosts (60% complete)
[*] Scanned 192 of 256 hosts (75% complete)
[*] Scanned 201 of 256 hosts (78% complete)
[*] Scanned 203 of 256 hosts (79% complete)
[*] Scanned 207 of 256 hosts (80% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 236 of 256 hosts (92% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Open proxy detection (the book's example sweeps a public range, 24.25.24.0/24; only scan ranges you are authorized to test)

msf auxiliary(tnslsnr_version) > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > set SITE www.google.com
SITE => www.google.com
msf auxiliary(open_proxy) > set RHOSTS 24.25.24.1/24
RHOSTS => 24.25.24.1/24
msf auxiliary(open_proxy) > set MULTIPORTS true
MULTIPORTS => true
msf auxiliary(open_proxy) > set VERIFY_CONNECT true
VERIFY_CONNECT => true
msf auxiliary(open_proxy) > set THREADS 100
THREADS => 100
msf auxiliary(open_proxy) > run

[*] Scanned 83 of 256 hosts (32% complete)
[*] Scanned 94 of 256 hosts (36% complete)
[*] Scanned 95 of 256 hosts (37% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 190 of 256 hosts (74% complete)
[*] Scanned 191 of 256 hosts (74% complete)
[*] Scanned 206 of 256 hosts (80% complete)
[*] Scanned 250 of 256 hosts (97% complete)
[*] Scanned 255 of 256 hosts (99% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

SSH password guessing and sniffing

msf auxiliary(open_proxy) > use auxiliary/scanner/ssh/ssh_login 
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/zidian.txt
PASS_FILE => /root/zidian.txt
msf auxiliary(ssh_login) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_login) > set RHOSTS 10.10.10.254
RHOSTS => 10.10.10.254
msf auxiliary(ssh_login) > run

[*] 10.10.10.254:22 SSH - Starting bruteforce
[-] 10.10.10.254:22 SSH - Failed: 'root:123456'
[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.254:22 SSH - Failed: 'root:'
[-] 10.10.10.254:22 SSH - Failed: 'root:toor'
[-] 10.10.10.254:22 SSH - Failed: 'root:4138848'
[+] 10.10.10.254:22 SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
# Brute force succeeded (the wordlist file is your choice). The earlier '[!] No active DB' warning means the credential is not stored anywhere; connect the database (db_status, db_connect) before the run to keep it. On success ssh_login also opens a shell session, shown below.
[*] Command shell session 1 opened (10.10.10.200:43118 -> 10.10.10.254:22) at 2017-10-26 09:17:33 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

psnuffle password sniffing

msf auxiliary(ssh_login) > use auxiliary/sniffer/psnuffle 
msf auxiliary(psnuffle) > run
[*] Auxiliary module execution completed

[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
msf auxiliary(psnuffle) > [*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....

# In a real engagement psnuffle is only useful once you already have an initial foothold that can see the target network's traffic: it passively pulls credentials out of the protocols listed above (FTP, IMAP, POP3, SMB, HTTP URLs) rather than sending anything.
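What psnuffle's FTP parser has to do is reassemble each client-to-server stream, pair a USER command with the PASS that follows it on the same connection, and use the server's reply code to tell a working credential from a guess. The block below is an added example, not the module's code (psnuffle reads live packets via pcap; this one consumes constructed (src, dst, payload) tuples standing in for captured TCP segments, including a PASS command split across two segments). The addresses reuse the lab's FTP server; the usernames and passwords are made up.

```python
"""psnuffle-style FTP credential harvesting, as an added example (not the module's
code): reassemble each client->server FTP stream, pair USER with the following PASS,
and confirm the login from the server's reply code. SAMPLE_PACKETS is a constructed
capture: (src, dst, payload) tuples standing in for TCP segments."""
from collections import defaultdict

SAMPLE_PACKETS = [
    ("10.10.10.1:51000", "10.10.10.254:21", b"USER msfadmin\r\n"),
    ("10.10.10.254:21", "10.10.10.1:51000", b"331 Please specify the password.\r\n"),
    ("10.10.10.1:51000", "10.10.10.254:21", b"PASS msf"),        # command split across
    ("10.10.10.1:51000", "10.10.10.254:21", b"admin\r\n"),       # two segments
    ("10.10.10.254:21", "10.10.10.1:51000", b"230 Login successful.\r\n"),
    ("10.10.10.1:51001", "10.10.10.254:21", b"USER root\r\nPASS toor\r\n"),
    ("10.10.10.254:21", "10.10.10.1:51001", b"530 Login incorrect.\r\n"),
]


class FtpSniffer:
    def __init__(self):
        self.buffers = defaultdict(bytes)   # per-direction stream reassembly
        self.pending = {}                   # client endpoint -> [user, password]
        self.creds = []                     # (server, user, password, verified)

    def feed(self, src, dst, payload):
        """Append a segment and process every complete CRLF-terminated line."""
        key = (src, dst)
        self.buffers[key] += payload
        while b"\r\n" in self.buffers[key]:
            line, _, rest = self.buffers[key].partition(b"\r\n")
            self.buffers[key] = rest
            self._handle_line(src, dst, line.decode("ascii", "replace"))

    def _handle_line(self, src, dst, line):
        if dst.endswith(":21"):                             # client -> server command
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                self.pending[src] = [arg, None]
            elif verb == "PASS" and src in self.pending:
                self.pending[src][1] = arg
        elif src.endswith(":21") and dst in self.pending:   # server reply to a client
            user, password = self.pending[dst]
            if password is None:
                return                                      # 331 after USER: keep waiting
            self.creds.append((src, user, password, line[:3] == "230"))
            del self.pending[dst]


def harvest(packets):
    """Run the constructed capture through the sniffer and return what it found."""
    sniffer = FtpSniffer()
    for src, dst, payload in packets:
        sniffer.feed(src, dst, payload)
    return sniffer.creds


if __name__ == "__main__":
    for server, user, password, ok in harvest(SAMPLE_PACKETS):
        print(f"{server} {user}:{password} {'valid' if ok else 'rejected'}")
```

Keying the pending state on the client endpoint is what lets the sniffer tell the two sessions apart; without the reply-code check a failed guess (root:toor, answered with 530) would be reported as a working credential.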

Network vulnerability scanning

Black-box versus white-box scanning

OpenVAS

See the book, p.100

Using GSA (Greenbone Security Assistant)

See the book, p.102

Using OpenVAS from inside Metasploit

msf > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*]
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*]
[*] Successfully loaded plugin: OpenVAS
msf > openvas_connect admin your_openvas_passwd 10.10.10.128 9390 ok
[*] Connecting to OpenVAS instance at 10.10.10.128:9390 with username admin...


# Subsequent steps: see the book, p.106

Finding vulnerabilities in specific services

Using Nmap (NSE scripts)

Note: -P0 is the old spelling of -Pn (skip host discovery). The smb-check-vulns script below belongs to the Nmap 5.x shipped on BackTrack; current Nmap releases have split it into separate smb-vuln-* scripts (for example smb-vuln-ms08-067), so on a recent Nmap the equivalent is nmap -Pn --script=smb-vuln-ms08-067 10.10.10.130.

msf > nmap -P0 --script=smb-check-vulns 10.10.10.130
[*] exec: nmap -P0 --script=smb-check-vulns 10.10.10.130


Starting Nmap 5.51SVN ( http://nmap.org ) at 2017-11-04 20:37 EDT
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00083s latency).
Not shown: 985 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
777/tcp open multiling-http
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1032/tcp open iad3
1521/tcp open oracle
6002/tcp open X11:2
7001/tcp open afs3-callback
7002/tcp open afs3-prserver
8099/tcp open unknown
MAC Address: 00:0C:29:94:E4:0E (VMware)

Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds

Analysing vulnerability results

Penetration-test information database and sharing (book p.110)

The Metasploit database

Using the PostgreSQL database in Metasploit

Nmap and the penetration-test database

OpenVAS and the penetration-test database

Sharing your own penetration-test database

Web application penetration techniques

OWASP Web Top 10

  • SQL injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Broken authentication and session management
  • Security misconfiguration
  • Insecure cryptographic storage
  • Insecure direct object references
  • Failure to restrict URL access
  • Insufficient transport layer protection
  • Unvalidated redirects and forwards

The wmap web vulnerability scanner in Metasploit

msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] === et [ ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

msf > help

wmap Commands
=============

Command Description
------- -----------
wmap_modules Manage wmap modules
wmap_nodes Manage nodes
wmap_run Test targets
wmap_sites Manage sites
wmap_targets Manage targets
wmap_vulns Display web vulns


Core Commands
=============

Command Description
------- -----------
? Help menu
advanced Displays advanced options for one or more modules
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
info Displays information about one or more modules
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
rename_job Rename a job
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers


Database Backend Commands
=========================

Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces



msf > wmap_sites -a http://202.112.50.74
[*] Site created.
msf > wmap_sites -l
Available sites
===============

   Id  Host           Vhost          Port  # Pages  # Forms
   --  ----           -----          ----  -------  -------
   0   202.112.50.74  202.112.50.74  80    0        0



msf > wmap_targets -t http://202.112.50.74
msf > wmap_run -t
[*] Testing target:
[*] Site: 202.112.50.74 (202.112.50.74)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2017-11-04 21:00:34 -0400

=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.

=[ Web Server testing ]=
============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/http_version ...
[*] Loaded auxiliary/scanner/http/open_proxy ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/robots_txt ...
[*] Loaded auxiliary/scanner/http/svn_scanner ...
[*] Loaded auxiliary/scanner/http/verb_auth_bypass ...
[*] Loaded auxiliary/scanner/http/vhost_scanner ...
[*] Loaded auxiliary/scanner/http/web_vulndb ...
[*] Loaded auxiliary/scanner/http/webdav_internal_ip ...
[*] Loaded auxiliary/scanner/http/webdav_scanner ...
[*] Loaded auxiliary/scanner/http/webdav_website_content ...

=[ File/Dir testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/backup_file ...
[*] Loaded auxiliary/scanner/http/brute_dirs ...
[*] Loaded auxiliary/scanner/http/copy_of_file ...
[*] Loaded auxiliary/scanner/http/dir_listing ...
[*] Loaded auxiliary/scanner/http/dir_scanner ...
[*] Loaded auxiliary/scanner/http/dir_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/files_dir ...
[*] Loaded auxiliary/scanner/http/ms09_020_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/replace_ext ...
[*] Loaded auxiliary/scanner/http/trace_axd ...
[*] Loaded auxiliary/scanner/http/writable ...

=[ Unique Query testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/blind_sql_query ...
[*] Loaded auxiliary/scanner/http/error_sql_injection ...

=[ Query testing ]=
============================================================

=[ General testing ]=
============================================================
[*] Analysis completed in 4.058472156524658 seconds.
[*] Done.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[*] Testing target:
[*] Site: 202.112.50.74 (202.112.50.74)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2017-11-04 21:02:27 -0400

=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.

=[ Web Server testing ]=
============================================================
Module auxiliary/admin/http/contentkeeper_fileaccess

[*] Attempting to connect to 202.112.50.74:80
Module auxiliary/admin/http/tomcat_administration
Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 202.112.50.74:80
Module auxiliary/scanner/http/frontpage_login
Module auxiliary/scanner/http/http_version
Module auxiliary/scanner/http/open_proxy
Module auxiliary/scanner/http/options
Module auxiliary/scanner/http/robots_txt
Module auxiliary/scanner/http/svn_scanner
Module auxiliary/scanner/http/verb_auth_bypass
Module auxiliary/scanner/http/vhost_scanner
[*] >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
Module auxiliary/scanner/http/web_vulndb
[*] >> Exception during launch from auxiliary/scanner/http/web_vulndb: The following options failed to validate: VULNCSV.
Module auxiliary/scanner/http/webdav_internal_ip
Module auxiliary/scanner/http/webdav_scanner
Module auxiliary/scanner/http/webdav_website_content

=[ File/Dir testing ]=
============================================================




msf > vulns
# Show what the scan has recorded so far. The list is incomplete because the wmap run above was interrupted (and vhost_scanner / web_vulndb never launched, since their DOMAIN and VULNCSV options were not set); the only entry is the weak root password that ssh_login found earlier.
[*] Time: 2017-09-04 11:55:41 UTC Vuln: host=10.10.10.254 name=auxiliary/scanner/ssh/ssh_login refs=CVE-1999-0502

Exploit modules (book p.130)

  • Modules already in Metasploit

Web application vulnerability scanning and probing

  • Various web scanners (book p.130)