0x00 前言

参考Micro8系列第二十三课:https://micro8.gitbook.io/micro8/contents-1/21-30/22-ji-yu-smb-fa-xian-nei-wang-cun-huo-zhu-ji

参考Micro8系列第二十四课:https://micro8.gitbook.io/micro8/contents-1/21-30/24-ji-yu-msf-fa-xian-nei-wang-cun-huo-zhu-ji-di-er-ji

参考Micro8系列第二十五课:https://micro8.gitbook.io/micro8/contents-1/21-30/25-ji-yu-msf-fa-xian-nei-wang-cun-huo-zhu-ji-di-san-ji

参考Micro8系列第二十六课:https://micro8.gitbook.io/micro8/contents-1/21-30/26-ji-yu-msf-fa-xian-nei-wang-cun-huo-zhu-ji-di-si-ji

参考Micro8系列第二十七课:https://micro8.gitbook.io/micro8/contents-1/21-30/27-ji-yu-msf-fa-xian-nei-wang-cun-huo-zhu-ji-di-wu-ji

参考Micro8系列第二十八课:https://micro8.gitbook.io/micro8/contents-1/21-30/28-ji-yu-msf-fa-xian-nei-wang-cun-huo-zhu-ji-di-liu-ji#er-shi-ba-ji-yu-windowsgatherenumdomain-fa-xian-yu-zhong-cun-huo-zhu-ji

0x01 search支持type类型搜索

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
msf6 > search scanner type:auxiliary

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/appletv/appletv_display_image normal No Apple TV Image Remote Control
1 auxiliary/admin/appletv/appletv_display_video normal No Apple TV Video Remote Control
2 auxiliary/admin/smb/check_dir_file normal No SMB Scanner Check File/Directory Utility
3 auxiliary/admin/teradata/teradata_odbc_sql 2018-03-29 normal No Teradata ODBC SQL Query Module
...
588 auxiliary/scanner/wproxy/att_open_proxy 2017-08-31 normal No Open WAN-to-LAN proxy on AT&T routers
589 auxiliary/scanner/wsdd/wsdd_query normal No WS-Discovery Information Discovery
590 auxiliary/scanner/x11/open_x11 normal No X11 No-Auth Scanner

0x02 auxiliary/scanner/discovery/arp_sweep

该模块是基于ARP协议来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
msf6 > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 5 yes The number of seconds to wait for new data

msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 172.17.0.0/24
RHOSTS => 172.17.0.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > exploit
SIOCSIFFLAGS: Operation not permitted

[+] 172.17.0.1 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

0x03 auxiliary/scanner/discovery/udp_sweep

该模块是基于UDP协议来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
msf auxiliary(scanner/discovery/udp_sweep) > show options 

Module options (auxiliary/scanner/discovery/udp_sweep):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/discovery/udp_sweep) > exploit

[*] Sending 13 probes to 192.168.1.0‐>192.168.1.255 (256 hosts)
[*] Discovered DNS on 192.168.1.1:53 (ce2a8500000100010000000007564552 53494f4e0442494e440000100003c00c0010000300000001001a19737572656c7920796f7
5206d757374206265206a6f6b696e67)
[*] Discovered NetBIOS on 192.168.1.2:137 (JOHN‐PC:<00>:U :WORKGROUP:<00>:G :JOHN‐PC:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U
:__MSBROWSE__ <01>:G :4c:cc:6a:e3:51:27)
[*] Discovered NetBIOS on 192.168.1.119:137 (WIN03X64:<00>:U :WIN03X64:<20>:U :WORKGROUP:<00>:G :WORKGROUP:<1e>:G :WIN03X64:<03>:U
:ADMINISTRA TOR:<03>:U :WIN03X64:<01>:U :00:0c:29:85:d6:7d)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

0x04 auxiliary/scanner/discovery/udp_probe

该模块是基于UDP协议来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
msf auxiliary(scanner/discovery/udp_probe) > show options 

Module options (auxiliary/scanner/discovery/udp_probe):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
CHOST no The local client address
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/discovery/udp_probe) > exploit

[+] Discovered NetBIOS on 192.168.1.2:137 (JOHN‐PC:<00>:U :WORKGROUP:
<00>:G :JOHN‐PC:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U
:__MSBROWSE__ <01>:G :4c:cc:6a:e3:51:27)
[+] Discovered DNS on 192.168.1.1:53 (de778500000100010000000007564552 53494f4e0442494e440000100003c00c0010000300000001001a19737572656c7920796f7
5206d757374206265206a6f6b696e67)
[*] Scanned 43 of 256 hosts (16% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 89 of 256 hosts (34% complete)
[+] Discovered NetBIOS on 192.168.1.119:137 (WIN03X64:<00>:U :WIN03X64:<20>:U :WORKGROUP:<00>:G :WORKGROUP:<1e>:G :WIN03X64:<03>:U
:ADMINISTRA TOR:<03>:U :WIN03X64:<01>:U :00:0c:29:85:d6:7d)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 140 of 256 hosts (54% complete)
[*] Scanned 163 of 256 hosts (63% complete)
[*] Scanned 184 of 256 hosts (71% complete)
[*] Scanned 212 of 256 hosts (82% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

0x05 auxiliary/scanner/dns/dns_amp

该模块是基于DNS协议来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
msf auxiliary(scanner/dns/dns_amp) > show options 

Module options (auxiliary/scanner/dns/dns_amp):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
BATCHSIZE 256 yes The number of hosts to probe in each set
DOMAINNAME isc.org yes Domain to use for the DNS request
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
QUERYTYPE ANY yes Query type(A, NS, SOA, MX, TXT, AAAA, RRSIG, DNSKEY, ANY)
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 53 yes The target port (UDP)
SNAPLEN 65535 yes The number of bytes to capture
THREADS 50 yes The number of concurrent threads
TIMEOUT 500 yes The number of seconds to wait for new data

msf auxiliary(scanner/dns/dns_amp) > exploit

[*] Sending DNS probes to 192.168.1.0‐>192.168.1.255 (256 hosts)
[*] Sending 67 bytes to each host using the IN ANY isc.org request
[+] 192.168.1.1:53 ‐ Response is 530 bytes [7.91x Amplification]
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

0x06 auxiliary/scanner/http/http_version

该模块用于探测内网的HTTP服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
msf auxiliary(scanner/http/http_version) > show options 

Module options (auxiliary/scanner/http/http_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
Proxies no A proxy chain of format type:host:port[,type:host:port] [...]
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 20 yes The number of concurrent threads
VHOST no HTTP server virtual host

msf auxiliary(scanner/http/http_version) > exploit

[+] 192.168.1.1:80
[*] Scanned 27 of 256 hosts (10% complete)
[*] Scanned 63 of 256 hosts (24% complete)
[*] Scanned 82 of 256 hosts (32% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[+] 192.168.1.119:80 Microsoft‐IIS/6.0 ( Powered by ASP.NET )
[*] Scanned 129 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 182 of 256 hosts (71% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

0x07 auxiliary/scanner/ftp/ftp_version

该模块用于探测内网的FTP服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
msf auxiliary(scanner/ftp/ftp_version) > show options 

Module options (auxiliary/scanner/ftp/ftp_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/ftp/ftp_version) > exploit

[*] Scanned 51 of 256 hosts (19% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 100 of 256 hosts (39% complete)
[+] 192.168.1.119:21 ‐ FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 133 of 256 hosts (51% complete)
[*] Scanned 183 of 256 hosts (71% complete)
[*] Scanned 197 of 256 hosts (76% complete)
[*] Scanned 229 of 256 hosts (89% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

0x08 auxiliary/scanner/smb/smb_version

该模块用于探测内网的SMB服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
msf auxiliary(scanner/smb/smb_version) > show options 

Module options (auxiliary/scanner/smb/smb_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 20 yes The number of concurrent threads

msf auxiliary(scanner/smb/smb_version) > exploit

[+] 192.168.1.2:445 ‐ Host is running Windows 7 Ultimate SP1 (build:7601) (name:JOHN‐PC) (workgroup:WORKGROUP )
[*] Scanned 40 of 256 hosts (15% complete)
[*] Scanned 60 of 256 hosts (23% complete)
[*] Scanned 79 of 256 hosts (30% complete)
[+] 192.168.1.119:445 ‐ Host is running Windows 2003 R2 SP2 (build:3790) (name:WIN03X64)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 181 of 256 hosts (70% complete)
[*] Scanned 206 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

0x09 auxiliary/scanner/ssh/ssh_version

该模块用于探测内网的SSH服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
msf auxiliary(scanner/ssh/ssh_version) > show options 

Module options (auxiliary/scanner/ssh/ssh_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 22 yes The target port (TCP)
THREADS 50 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe

msf auxiliary(scanner/ssh/ssh_version) > exploit

[+] 192.168.1.5:22 ‐ SSH server version: SSH‐2.0‐OpenSSH_7.9p1 Debian‐5 ( service.version=7.9p1 openssh.comment=Debian‐5 service.vendor=OpenBSD
service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openb
sd:openssh:7.9p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe
23=cpe:/o:debian:debian_linux:‐ service.protocol=ssh fingerprint_db=ssh.banner )
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 95 of 256 hosts (37% complete)
[*] Scanned 100 of 256 hosts (39% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 131 of 256 hosts (51% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 206 of 256 hosts (80% complete)
[*] Scanned 235 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

0x0A auxiliary/scanner/telnet/telnet_version

该模块用于探测内网的TELNET服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
msf auxiliary(scanner/telnet/telnet_version) > show options 

Module options (auxiliary/scanner/telnet/telnet_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
PASSWORD no The password for the specified username
RHOSTS 192.168.1.119 yes The target address range or CIDR identifier
RPORT 23 yes The target port (TCP)
THREADS 50 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the Telnet probe
USERNAME no The username to authenticate as

msf auxiliary(scanner/telnet/telnet_version) > exploit

[+] 192.168.1.119:23 ‐ 192.168.1.119:23 TELNET Welcome to Microsoft Telnet Service \x0a\x0a\x0dlogin:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

0x0B auxiliary/scanner/mysql/mysql_version

该模块用于探测内网的MySQL服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
msf auxiliary(scanner/mysql/mysql_version) > show options 

Module options (auxiliary/scanner/mysql/mysql_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
RHOSTS 192.168.1.115 yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/mysql/mysql_version) > exploit

[+] 192.168.1.115:3306 ‐ 192.168.1.115:3306 is running MySQL 5.1.52‐community (protocol 10)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

0x0C auxiliary/scanner/netbios/nbname

该模块是基于NetBIOS来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
msf auxiliary(scanner/netbios/nbname) > show options 

Module options (auxiliary/scanner/netbios/nbname):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 137 yes The target port (UDP)
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/netbios/nbname) > exploit

[*] Sending NetBIOS requests to 192.168.1.0‐>192.168.1.255 (256 hosts)
[+] 192.168.1.2 [JOHN‐PC] OS:Windows Names:(JOHN‐PC, WORKGROUP, __MSBROWSE__) Addresses:(192.168.1.2, 192.168.163.1, 192.168.32.1)Mac:4c:cc:6a:e3:51:27
[+] 192.168.1.115 [VM_2003X86] OS:Windows Names:(VM_2003X86,WORKGROUP) Addresses:(192.168.1.115) Mac:00:0c:29:af:ce:cc Virtual Machine:VMWare
[+] 192.168.1.119 [WIN03X64] OS:Windows User:ADMINISTRATOR Names:(WIN03X64, WORKGROUP, ADMINISTRATOR) Addresses:(192.168.1.119)Mac:00:0c:29:85:d6:7d Virtual Machine:VMWare
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

0x0D auxiliary/scanner/http/title

该模块用于探测内网的HTTP服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
msf auxiliary(scanner/http/title) > show options 

Module options (auxiliary/scanner/http/title):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
Proxies no A proxy chain of format type:host:port[,type:host:port] [...]
RHOSTS 192.168.1.115,119 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SHOW_TITLES true yes Show the titles on the console as they are grabbed
SSL false no Negotiate SSL/TLS for outgoing connections
STORE_NOTES true yes Store the captured information in notes. Use "no tes‐t http.title" to view
TARGETURI / yes The base path
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/http/title) > exploit

[*] [192.168.1.115:80] [C:200] [R:] [S:Microsoft‐IIS/6.0] 协同管理系统
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed

0x0E auxiliary/scanner/db2/db2_version

该模块用于探测内网的db2服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
msf auxiliary(scanner/http/title) > use auxiliary/scanner/db2/db2_version
msf auxiliary(scanner/db2/db2_version) > show options

Module options (auxiliary/scanner/db2/db2_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
DATABASE toolsdb yes The name of the target database
RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
RPORT 50000 yes The target port (TCP)
THREADS 50 yes The number of concurrent threads
TIMEOUT 5 yes Timeout for the DB2 probe

msf auxiliary(scanner/db2/db2_version) > exploit

0x0F auxiliary/scanner/portscan/ack

该模块是基于TCP协议的ACK报文扫描端口来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
msf auxiliary(scanner/portscan/ack) > show options 

Module options (auxiliary/scanner/portscan/ack):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/‐ DELAY) in milliseconds.
PORTS 445 yes Ports to scan (e.g. 22‐25,80,110‐900)
RHOSTS 192.168.1.115,119 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 50 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds

msf auxiliary(scanner/portscan/ack) > exploit

[*] TCP UNFILTERED 192.168.1.115:445
[*] TCP UNFILTERED 192.168.1.119:445
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed

0x10 auxiliary/scanner/portscan/tcp

该模块是基于TCP协议扫描端口来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
msf auxiliary(scanner/portscan/tcp) > show options 

Module options (auxiliary/scanner/portscan/tcp):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/‐ DELAY) in milliseconds.
PORTS 445 yes Ports to scan (e.g. 22‐25,80,110‐900)
RHOSTS 192.168.1.115,119,2 yes The target address range or CIDR identifier
THREADS 50 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds

msf auxiliary(scanner/portscan/tcp) > exploit

[+] 192.168.1.2: ‐ 192.168.1.2:445 ‐ TCP OPEN
[*] Scanned 1 of 3 hosts (33% complete)
[+] 192.168.1.119: ‐ 192.168.1.119:445 ‐ TCP OPEN
[+] 192.168.1.115: ‐ 192.168.1.115:445 ‐ TCP OPEN
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed

0x11 auxiliary/scanner/portscan/syn

该模块是基于TCP协议的SYN报文扫描端口来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
msf auxiliary(scanner/portscan/syn) > show options 

Module options (auxiliary/scanner/portscan/syn):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in millisecond s
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/‐ DELAY) in milliseconds.
PORTS 445 yes Ports to scan (e.g. 22‐25,80,110‐900)
RHOSTS 192.168.1.115 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 50 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds

msf auxiliary(scanner/portscan/syn) > exploit

[+] TCP OPEN 192.168.1.115:445

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

0x12 auxiliary/scanner/portscan/ftpbounce

该模块是基于FTP Bounce攻击来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
msf auxiliary(scanner/portscan/ftpbounce) > show options 

Module options (auxiliary/scanner/portscan/ftpbounce):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
BOUNCEHOST 192.168.1.119 yes FTP relay host
BOUNCEPORT 21 yes FTP relay port
DELAY 0 yes The delay between connections, per thread, in millisecond s
FTPPASS mozilla@example.com no The password for the specified usernam e
FTPUSER anonymous no The username to authenticate as
JITTER 0 yes The delay jitter factor (maximum value by which to +/‐ DELAY) in milliseconds.
PORTS 22‐25 yes Ports to scan (e.g. 22‐25,80,110‐900)
RHOSTS 192.168.1.119 yes The target address range or CIDR identifier
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/portscan/ftpbounce) > exploit

[+] 192.168.1.119:21 ‐ TCP OPEN 192.168.1.119:22
[+] 192.168.1.119:21 ‐ TCP OPEN 192.168.1.119:23
[+] 192.168.1.119:21 ‐ TCP OPEN 192.168.1.119:24
[+] 192.168.1.119:21 ‐ TCP OPEN 192.168.1.119:25
[*] 192.168.1.119:21 ‐ Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

0x13 auxiliary/scanner/portscan/xmas

该模块是基于TCP Xmax扫描来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
msf auxiliary(scanner/portscan/xmas) > show options 

Module options (auxiliary/scanner/portscan/xmas):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in millisecond s
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/‐ DELAY) in milliseconds.
PORTS 80 yes Ports to scan (e.g. 22‐25,80,110‐900)
RHOSTS 192.168.1.119 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 50 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds

msf auxiliary(scanner/portscan/xmas) > exploit

0x14 auxiliary/scanner/rdp/rdp_scanner

该模块是基于RDP服务扫描来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
msf auxiliary(scanner/rdp/rdp_scanner) > show options 

Module options (auxiliary/scanner/rdp/rdp_scanner):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
CredSSP true yes Whether or not to request CredSSP
EarlyUser false yes Whether to support Earlier User Authorization Result PDU
RHOSTS 192.168.1.2,115,119 yes The target address range or CIDR identifier
RPORT 3389 yes The target port (TCP)
THREADS 50 yes The number of concurrent threads
TLS true yes Wheter or not request TLS security

msf auxiliary(scanner/rdp/rdp_scanner) > exploit

[*] Scanned 1 of 3 hosts (33% complete)
[+] 192.168.1.115:3389 ‐ Identified RDP
[*] Scanned 2 of 3 hosts (66% complete)
[+] 192.168.1.119:3389 ‐ Identified RDP
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed

0x15 auxiliary/scanner/smtp/smtp_version

该模块用于探测内网的SMTP服务。

1
2
3
4
5
6
7
8
9
10
11
msf auxiliary(scanner/smtp/smtp_version) > show options 

Module options (auxiliary/scanner/smtp/smtp_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
RHOSTS 192.168.1.5 yes The target address range or CIDR identifier
RPORT 25 yes The target port (TCP)
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/smtp/smtp_version) > exploit

0x16 auxiliary/scanner/pop3/pop3_version

该模块用于探测内网的POP3服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
msf auxiliary(scanner/pop3/pop3_version) > show options 

Module options (auxiliary/scanner/pop3/pop3_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
RHOSTS 192.168.1.110‐120 yes The target address range or CIDR identifier
RPORT 110 yes The target port (TCP)
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/pop3/pop3_version) > exploit

[*] Scanned 5 of 11 hosts (45% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed

0x17 auxiliary/scanner/postgres/postgres_version

该模块用于探测内网的PostgreSQL服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
msf auxiliary(scanner/postgres/postgres_version) > show options 

Module options (auxiliary/scanner/postgres/postgres_version):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
DATABASE template1 yes The database to authenticate against
PASSWORD msf no The password for the specified username. Leave blank for a random password.
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 5432 yes The target port
THREADS 50 yes The number of concurrent threads
USERNAME msf yes The username to authenticate as
VERBOSE false no Enable verbose output

msf auxiliary(scanner/postgres/postgres_version) > exploit

[*] 127.0.0.1:5432 Postgres ‐ Version PostgreSQL 9.6.6 on x86_64‐pc‐li
nux‐gnu, compiled by gcc (Debian 4.9.2‐10) 4.9.2, 64‐bit (Post‐Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

0x18 auxiliary/scanner/ftp/anonymous

该模块是基于FTP匿名访问来发现内网存活主机。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
msf auxiliary(scanner/ftp/anonymous) > show options 

Module options (auxiliary/scanner/ftp/anonymous):

Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS 192.168.1.100‐120 yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)
THREADS 50 yes The number of concurrent threads

msf auxiliary(scanner/ftp/anonymous) > exploit

[+] 192.168.1.115:21 ‐ 192.168.1.115:21 ‐ Anonymous READ (220 Slyar Ftpserver)
[+] 192.168.1.119:21 ‐ 192.168.1.119:21 ‐ Anonymous READ (220 FTPserver)
[*] Scanned 3 of 21 hosts (14% complete)
[*] Scanned 6 of 21 hosts (28% complete)
[*] Scanned 17 of 21 hosts (80% complete)
[*] Scanned 21 of 21 hosts (100% complete)
[*] Auxiliary module execution completed

0x19 db_nmap和hosts内置命令

MSF内置强大的端口扫描工具Nmap,为了更好的区别,内置命令为:db_nmap,并且会自动存储nmap扫描结果到数据库中,方便快速查询已知存活主机,以及更快捷的进行团队协同作战,使用方法与nmap一致。也是在实战中最常用到的发现内网存活主机方式之一。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
msf exploit(multi/handler) > db_nmap ‐p 445 ‐T4 ‐sT 192.168.1.115‐120
‐‐open
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019‐02‐17 15:17 EST
[*] Nmap: Nmap scan report for 192.168.1.115
[*] Nmap: Host is up (0.0025s latency).
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 445/tcp open microsoft‐ds
[*] Nmap: MAC Address: 00:0C:29:AF:CE:CC (VMware)
[*] Nmap: Nmap scan report for 192.168.1.119
[*] Nmap: Host is up (0.0026s latency).
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 445/tcp open microsoft‐ds
[*] Nmap: MAC Address: 00:0C:29:85:D6:7D (VMware)
[*] Nmap: Nmap done: 6 IP addresses (2 hosts up) scanned in 13.35 seconds

运行db_nmap命令如果出现Database not connected错误,退出msfconsole并执行以下命令:

1
2
3
4
5
6
7
8
root@kali:/home/kali# msfdb init
[+] Starting database
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.3/lib/active_record/connection_adapters/abstract_adapter.rb:84: warning: deprecated Object#=~ is called on Integer; it always returns nil

hosts命令可以查看数据库中已发现的内网存活主机:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
msf exploit(multi/handler) > hosts 

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
‐‐‐‐‐‐‐ ‐‐‐ ‐‐‐‐ ‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐ ‐‐‐‐‐‐‐ ‐‐‐‐ ‐‐‐‐‐‐‐‐
1.34.37.188 firewall
10.0.0.2 00:24:1d:dc:3b:16
10.0.0.3 00:e0:81:bf:b9:7b
10.0.0.4 00:30:6e:ca:10:b8
10.0.0.5 9c:8e:99:c4:63:74 2013XXXXX Windows 2008 SP1 client
...
10.0.0.242 00:13:57:01:d4:71
10.0.0.243 00:13:57:01:d4:73
....
10.162.110.30 firewall
59.125.110.178 firewall
127.0.0.1 Unknown device
172.16.204.8 WIN‐6FEAACQJ691 Windows 2012 server
172.16.204.9 WIN‐6FEAACQJ691 Windows 2012 server
172.16.204.21 IDS Windows 2003 SP2 server
192.168.1.5 JOHN‐PC Windows 7 SP1 client
192.168.1.101 JOHN‐PC Windows 7 Ultimate SP1 client
192.168.1.103 LAPTOP‐9994K8RP Windows 10 client
192.168.1.115 00:0c:29:af:ce:cc VM_2003X86 Windows 2003 SP2 server
192.168.1.116 WIN‐S4H51RDJQ3M Windows 2012 server
192.168.1.119 00:0c:29:85:d6:7d WIN03X64 Windows 2003 SP2 server
192.168.1.254 Unknown device
192.168.50.30 WINDOWS‐G4MMTV8 Windows 7 SP1 client
192.168.100.2 Unknown device
192.168.100.10

同样hosts命令也支持数据库中查询与搜索,方便快速对应目标存活主机:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
msf exploit(multi/handler) > hosts ‐h
Usage: hosts [ options ] [addr1 addr2 ...]

OPTIONS:
‐a,‐‐add Add the hosts instead of searching
‐d,‐‐delete Delete the hosts instead of searching
‐c <col1,col2> Only show the given columns (see list below)
‐C <col1,col2> Only show the given columns until the next restart (see list below)
‐h,‐‐help Show this help information
‐u,‐‐up Only show hosts which are up
‐o <file> Send output to a file in csv format
‐O <column> Order rows by specified column number
‐R,‐‐rhosts Set RHOSTS from the results of the search
‐S,‐‐search Search string to filter by
‐i,‐‐info Change the info of a host
‐n,‐‐name Change the name of a host
‐m,‐‐comment Change the comment of a host
‐t,‐‐tag Add or specify a tag to a range of hosts

msf exploit(multi/handler) > hosts ‐S 192

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
‐‐‐‐‐‐‐ ‐‐‐ ‐‐‐‐ ‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐ ‐‐‐‐‐‐‐ ‐‐‐‐ ‐‐‐‐‐‐‐‐
192.168.1.5 JOHN‐PC Windows 7 SP1 client
192.168.1.101 JOHN‐PC Windows 7 Ultimate SP1 client
192.168.1.103 LAPTOP‐9994K8RP Windows 10 client
192.168.1.115 00:0c:29:af:ce:cc VM_2003X86 Windows 2003 SP2 server
192.168.1.116 WIN‐S4H51RDJQ3M Windows 2012 server
192.168.1.119 00:0c:29:85:d6:7d WIN03X64 Windows 2003 SP2 server
192.168.1.254 Unknown device
192.168.50.30 WINDOWS‐G4MMTV8 Windows 7 SP1 client
192.168.100.2 Unknown device
192.168.100.10

0x1A post/windows/gather/arp_scanner

在实战中,许多特殊环境下scanner模块、db_nmap内置命令等均不能快速符合实战渗透诉求,尤其在域中的主机存活发现,而post下的模块弥补了该诉求,以便快速了解域中存活主机。

该后渗透模块用于探测域内存活主机:

1
2
3
4
5
6
meterpreter > run windows/gather/arp_scanner RHOSTS=192.168.1.110‐120 THREADS=20

[*] Running module against VM_2003X86
[*] ARP Scanning 192.168.1.110‐120
[+] IP: 192.168.1.115 MAC 00:0c:29:af:ce:cc (VMware, Inc.)
[+] IP: 192.168.1.119 MAC 00:0c:29:85:d6:7d (VMware, Inc.)

0x1B post/windows/gather/enum_ad_computers

该后渗透模块用于探测域内存活主机:

1
meterpreter > run windows/gather/enum_ad_computers

0x1C post/windows/gather/enum_computers

该后渗透模块用于探测域内存活主机:

1
2
3
4
meterpreter > run windows/gather/enum_computers 

[*] Running module against VM_2003X86
[‐] This host is not part of a domain.

0x1D post/windows/gather/enum_domain

该后渗透模块用于探测域内存活主机:

1
meterpreter > run windows/gather/enum_domain

0x1E post/windows/gather/enum_domains

该后渗透模块用于探测域内存活主机:

1
2
3
4
meterpreter > run windows/gather/enum_domains 

[*] Enumerating DCs for WORKGROUP
[‐] No Domain Controllers found...

0x1F post/windows/gather/enum_ad_user_comments

该后渗透模块用于探测域内存活主机:

1
meterpreter > run windows/gather/enum_ad_user_comments

0x20 其他post下的模块

列举如下:

  • linux/gather/enum_network
  • linux/busybox/enum_hosts
  • windows/gather/enum_ad_users
  • windows/gather/enum_domain_tokens
  • windows/gather/enum_snmp