This post records, in detail, the process of learning to use Metasploit on Kali Linux 2017.1

  1. External information gathering
  2. Host discovery and port scanning
  3. Service scanning and enumeration
  4. Network vulnerability scanning
  5. The penetration-testing database and sharing results

###1. testfire.net###

testfire.net is a mock banking site that contains many typical web vulnerabilities; IBM set it up as a demonstration target for AppScan.

###2. Mining target network information through DNS and IP addresses###

1. whois: domain registration information, including the registrant, the registrar, the administrative contact's e-mail address, and the registration and expiry dates
msf > whois testfire.net
[*] exec: whois testfire.net
Domain Name: TESTFIRE.NET
Registry Domain ID: 8363973_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2017-07-19T05:16:54Z
Creation Date: 1999-07-23T13:52:32Z
Registry Expiry Date: 2018-07-23T13:52:32Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ASIA3.AKAM.NET
Name Server: EUR2.AKAM.NET
Name Server: EUR5.AKAM.NET
Name Server: NS1-206.AKAM.NET
Name Server: NS1-99.AKAM.NET
Name Server: USC2.AKAM.NET
Name Server: USC3.AKAM.NET
Name Server: USW2.AKAM.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-08-28T07:19:35Z <<<
The Name Server lines are the part worth keeping: they tell you which servers are authoritative for the zone, which matters for the dig query in step 3.
2. nslookup: resolve the domain name to an IP address
root@attacker:~# nslookup
> set type=A        # query A (IPv4 address) records
> testfire.net
Server:     10.10.10.2
Address:    10.10.10.2#53

Non-authoritative answer:
Name:   testfire.net
Address: 65.61.137.117
> exit
root@attacker:~# nslookup
> set type=MX
> testfire.net
Server:     10.10.10.2
Address:    10.10.10.2#53

Non-authoritative answer:
*** Can't find testfire.net: No answer

Authoritative answers can be found from:
testfire.net
    origin = asia3.akam.net
    mail addr = hostmaster.akamai.com
    serial = 1366025603
    refresh = 43200
    retry = 7200
    expire = 604800
    minimum = 86400
The zone has no MX record, so the resolver returns the SOA record instead; its origin field (asia3.akam.net) names the primary authoritative server, which agrees with the whois output.
3. dig: query an authoritative DNS server directly to get an authoritative answer
root@attacker:~# dig @ns.watson.ibm.com testfire.net

; <<>> DiG 9.10.3-P4-Debian <<>> @ns.watson.ibm.com testfire.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35209
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testfire.net.          IN  A

;; Query time: 302 msec
;; SERVER: 129.34.20.80#53(129.34.20.80)
;; WHEN: Mon Aug 28 03:32:52 EDT 2017
;; MSG SIZE  rcvd: 41
Note that this query did not actually succeed: status REFUSED with ANSWER: 0 means ns.watson.ibm.com is neither authoritative for testfire.net nor willing to recurse for us. The authoritative servers are the *.akam.net hosts listed in the whois output and named in the SOA above, so the authoritative answer has to be requested from one of those, e.g. dig @asia3.akam.net testfire.net, and a result is only authoritative when the flags line carries aa.
4. IP2Location: geolocate an IP address
   For addresses outside China: https://www.maxmind.com/zh/home (use the GeoIP lookup)
   For addresses inside China: www.cz88.net
5. netcraft: enumerate a site's subdomains at http://searchdns.netcraft.com/ and get a more detailed site report at http://toolbar.netcraft.com/site_report
6. IP2Domain reverse lookup: mainly used to find the other virtual hosts sharing the same IP address
   For addresses outside China: www.ip-address.com/reverse_ip/65.61.137.117
   For addresses inside China: http://www.7c.com/

###3. Information gathering through search engines###

1. Google Hacking
   The Google Hacking Database: https://www.exploit-db.com/google-hacking-database/
   Automated tools: SiteDigger (https://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx) and SearchDiggity
2. Exploring the site's directory structure
   Searching Google for "parent directory site:testfire.net" returns demo.testfire.net - /bank/
   File types worth looking for in directory listings:
   .inc files: site configuration
   .bak files: backups
   .sql or .txt files: SQL scripts
   The msf auxiliary modules brute_dirs, dir_listing and dir_scanner do the same job from the framework. Taking dir_scanner as the example:
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > show options

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path  to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                               yes       The target address range or CIDR identifier
   RPORT       80                                                       yes       The target port (TCP)
   SSL         false                                                    no        Negotiate SSL/TLS for outgoing connections
   THREADS     1                                                        yes       The number of concurrent threads
   VHOST                                                                no        HTTP server virtual host

msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS www.testfire.net
RHOSTS => www.testfire.net
msf auxiliary(dir_scanner) > exploit
[*] Detecting error code
[*] Using code '404' as not found for 65.61.137.117
[*] Found http://65.61.137.117:80/Admin/ 403 (65.61.137.117)
[*] Found http://65.61.137.117:80/admin/ 403 (65.61.137.117)
[*] Found http://65.61.137.117:80/bank/ 200 (65.61.137.117)
[*] Found http://65.61.137.117:80/images/ 403 (65.61.137.117)
[*] Found http://65.61.137.117:80/static/ 403 (65.61.137.117)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The hidden directory Admin was found because the server answered 403 (forbidden: the path exists but access is denied) rather than 404 (not found). The first two output lines matter too: before brute-forcing, the module requests a path that cannot exist and records which status code this server uses for "not found" (here 404); it then only reports paths that answer with something else, which is what keeps sites that return 200 for everything from flooding the results.
If a robots.txt file is present in the web root it deserves attention: it lists the paths crawlers are asked not to index, which is often exactly what the site owner did not want found.
3. Searching for specific file types: a Google search for site:testfire.net filetype:xls turned up a spreadsheet containing detailed contact information
4. Harvesting e-mail addresses for the domain with the msf module search_email_collector (auxiliary/gather/search_email_collector)
5. Finding pages with SQL injection: a Google search for site:testfire.net inurl:login gives the back-end login URL. Entering “ admin 'OR' 1 ” as the username logs in; entering “ test OR 1=1-- ” as the username with an arbitrary password also logs in.
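Why the login bypass in item 5 works, as an added example (this is not code from the original page and not testfire.net's code): the vulnerable login builds its SQL by string formatting, so a quote in the username ends the string literal and everything after it is parsed as SQL. The in-memory SQLite table and its two accounts are constructed for the demo, and the payloads used are the canonical forms of the technique (`admin'--` in the username, `' OR '1'='1` in the password) rather than the exact strings typed above. The parameterised version next to it is the fix.

```python
"""Login bypass by SQL injection, and the parameterised fix.

Added example; the users table and its two accounts are constructed
for the demo (passwords are stored in clear only to keep it short)."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "S3cret!"), ("jsmith", "demo1234")])
    return db


def login_vulnerable(db, username, password):
    """The flaw: user input is pasted into the SQL text, so a quote in the
    input ends the literal and everything after it is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """The fix: bind parameters. The driver passes the values separately
    from the statement, so a quote in the input is just a character."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The two canonical payloads. In the vulnerable query they become
#   ... WHERE username = 'admin'--' AND password = 'x'      (rest is an SQL comment)
#   ... WHERE username = 'x' AND password = '' OR '1'='1'   (OR branch is always true)
BYPASS_USERNAME = "admin'--"
BYPASS_PASSWORD = "' OR '1'='1"


def demo():
    """Run both logins against both payloads; returns who got logged in."""
    db = make_db()
    return {
        "vulnerable, comment payload": login_vulnerable(db, BYPASS_USERNAME, "x"),
        "vulnerable, OR payload": login_vulnerable(db, "x", BYPASS_PASSWORD),
        "fixed, comment payload": login_fixed(db, BYPASS_USERNAME, "x"),
        "fixed, OR payload": login_fixed(db, "x", BYPASS_PASSWORD),
        "fixed, real credentials": login_fixed(db, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    for label, user in demo().items():
        print("%-28s -> %r" % (label, user))
```

Both payloads log in as admin against the string-built query and as nobody against the bound-parameter query, while the real credentials still work; the comment payload also shows why a login that checks only the username in SQL and the password afterwards is not safe either.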
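The "Detecting error code" step that dir_scanner printed in item 2 is the part of directory brute-forcing that is easy to get wrong, so here it is as an added example (not code from the original page and not Metasploit's module). A throw-away HTTP server on 127.0.0.1 stands in for the target; SITE is a constructed layout that mirrors the testfire result above (/bank/ answers 200, the admin and static directories 403, everything else 404), and the wordlist is an assumption. The soft_404 switch shows the failure mode: a site that answers 200 for unknown paths makes the baseline 200, and real 200 directories then disappear from the results.

```python
"""Directory brute-forcing with a "not found" baseline.

Added example (not code from the original page and not Metasploit's
dir_scanner). SITE is a constructed layout; a local HTTP server plays
the target so the script runs offline."""
import http.server
import secrets
import threading
import urllib.error
import urllib.request

SITE = {"/bank/": 200, "/Admin/": 403, "/admin/": 403,
        "/images/": 403, "/static/": 403}
WORDLIST = ["Admin", "admin", "bank", "images", "static", "backup", "cgi-bin"]


class _Handler(http.server.BaseHTTPRequestHandler):
    # When soft_404 is True the site answers 200 for unknown paths,
    # the "soft 404" behaviour that defeats scanners without a baseline.
    soft_404 = False

    def do_GET(self):
        code = SITE.get(self.path, 200 if self.soft_404 else 404)
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_site(soft_404=False):
    """Start the fake target on a free port; returns (server, base_url)."""
    handler = type("Handler", (_Handler,), {"soft_404": soft_404})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def status_of(url):
    """HTTP status for a GET; 4xx/5xx arrive as HTTPError and are unwrapped."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def detect_not_found_code(base_url):
    """Request a path that cannot exist and record what the server says."""
    return status_of("%s/%s/" % (base_url, secrets.token_hex(8)))


def scan_dirs(base_url, wordlist):
    """Report every path whose status differs from the not-found baseline."""
    not_found = detect_not_found_code(base_url)
    found = {}
    for word in wordlist:
        path = "/%s/" % word
        code = status_of(base_url + path)
        if code != not_found:
            found[path] = code
    return not_found, found


if __name__ == "__main__":
    for soft in (False, True):
        srv, base = start_site(soft_404=soft)
        print("soft-404 site:" if soft else "normal site:", scan_dirs(base, WORDLIST))
        srv.shutdown()
        srv.server_close()
```

On the normal site the scan reports the five directories with their codes and drops backup and cgi-bin; on the soft-404 site the baseline becomes 200 and /bank/ vanishes from the output even though it exists, which is why a practitioner checks response length or body content as a second signal when the baseline code is 200.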

###4. Host discovery and port scanning###

1. ICMP ping scan
root@attacker:~# ping -c 5 www.dvssc.com
PING www.dvssc.com (10.10.10.129) 56(84) bytes of data.
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=1 ttl=64 time=0.322 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=2 ttl=64 time=0.211 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=3 ttl=64 time=0.247 ms

--- www.dvssc.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3055ms
rtt min/avg/max/mdev = 0.211/0.253/0.322/0.045 ms
2. msf host-discovery modules
Path: modules/auxiliary/scanner/discovery/
The main ones are arp_sweep, empty_udp, ipv6_multicast_ping, ipv6_neighbor, ipv6_neighbor_router_advertisement, udp_probe and udp_sweep
The two used most often:
arp_sweep: enumerates every live host on the local LAN with ARP requests (only works inside the local broadcast domain, since ARP is not routed, but hosts cannot filter it the way they filter ICMP)
udp_sweep: sends UDP probes to find out whether the specified hosts are up and which UDP services they run
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options
Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run
[*] 10.10.10.1 appears to be up (VMware, Inc.).
[*] 10.10.10.2 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.129 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
3. Host discovery with Nmap
-sn: host discovery only (a "ping scan"), no port scan. Against remote targets Nmap sends ICMP echo requests plus a few TCP and ICMP probes; on the local Ethernet segment, as here, it uses ARP requests instead, which is why every host is found and its MAC address printed.
msf > nmap -sn 10.10.10.0/24
[*] exec: nmap -sn 10.10.10.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:43 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00048s latency).
MAC Address: 00:50:56:F1:2E:08 (VMware)
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.00019s latency).
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.000076s latency).
MAC Address: 00:0C:29:19:70:BF (VMware)
Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.07 seconds
-Pn: skip host discovery altogether and treat every address as up
-PU: use UDP probes for host discovery. Without -sn, Nmap would go on to port-scan every host it finds; combined with -sn it stops after discovery.
msf > nmap -PU -sn 10.10.10.0/24
[*] exec: nmap -PU -sn 10.10.10.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:49 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.0013s latency).
MAC Address: 00:50:56:F1:2E:08 (VMware)
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.000073s latency).
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00017s latency).
MAC Address: 00:50:56:E7:DA:ED (VMware)
Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.00 seconds
One detail in these two sweeps is worth a second look: gate.dvssc.com answered with a different MAC address each time (00:0C:29:19:70:BF, then 00:50:56:E7:DA:ED), and 10.10.10.254 also showed up four times in the arp_sweep output above. Two interfaces are answering ARP for that address, and which one you reach will vary, so results for 10.10.10.254 in the rest of this post should be read with that in mind.
4. Operating system identification
-O: fingerprint the target operating system
msf > nmap -O 10.10.10.0/24
[*] exec: nmap -O 10.10.10.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:51 EDT
Nmap scan report for 10.10.10.1
Host is up (0.000081s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
902/tcp   open  iss-realsecure
912/tcp   open  apex-mesh
6000/tcp  open  X11
24800/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49156/tcp open  unknown
49161/tcp open  unknown
49163/tcp open  unknown
MAC Address: 00:50:56:C0:00:08 (VMware)
Device type: general purpose
Running: Microsoft Windows Vista|7|8.1
OS CPE: cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Vista, Windows 7 SP1, or Windows 8.1 Update 1
Network Distance: 1 hop

Nmap scan report for 10.10.10.2
Host is up (0.000086s latency).
All 1000 scanned ports on 10.10.10.2 are closed
MAC Address: 00:50:56:F1:2E:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running: VMware Player
OS CPE: cpe:/a:vmware:player
OS details: VMware Player virtual NAT device
Network Distance: 1 hop

Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.00022s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
5001/tcp open  commplex-link
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00021s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:50:56:E7:DA:ED (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up (0.000057s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.6
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.17 seconds
The warning on 10.10.10.2 is the important caveat for -O: the fingerprint needs at least one open and one closed port to be reliable, and a host with no open ports yields little more than a guess. The SERVICE column here comes from the nmap-services port table, not from the service itself; 5001/commplex-link and 8180/unknown are resolved properly only by the -sV scan in step 7.
5. Port scanning and service-type detection
msf > search portscan

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner

The scanners:
natpmp_portscan: scans external ports through a NAT-PMP gateway
ack: probes with ACK packets to find ports a firewall does not filter; it tells you about filtering rules, not whether a port is open
ftpbounce: enumerates TCP services on a third host by abusing the FTP bounce feature of a misconfigured FTP server
syn: sends TCP SYN segments and reports ports that answer SYN/ACK (half-open scan, no full connection)
tcp: completes a full TCP connection to decide whether a port is open
xmas: sends segments with FIN, PSH and URG set; quieter, but only meaningful against stacks that follow RFC 793 (Windows answers RST to everything)

msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set RHOSTS 10.10.10.254
RHOSTS => 10.10.10.254
msf auxiliary(syn) > set THREADS 20
THREADS => 20
msf auxiliary(syn) > run
[*]  TCP OPEN 10.10.10.254:22
[*]  TCP OPEN 10.10.10.254:23
[*]  TCP OPEN 10.10.10.254:53
[*]  TCP OPEN 10.10.10.254:513
[*]  TCP OPEN 10.10.10.254:514
[*]  TCP OPEN 10.10.10.254:1099
This run reported only six of the 23 open ports that nmap -O found on the same host in step 4, so a single pass of the syn module should not be taken as complete; cross-check it against nmap -sS on the same target.
6. Port scanning with Nmap
Six port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered
Scan types:
-sT: TCP connect scan (completes the handshake; needs no raw-socket privileges, but the connection is logged by the service)
-sS: TCP SYN scan (half-open; the default when running as root)
-sF / -sX / -sN: FIN, Xmas and Null scans, which send unusual flag combinations to slip past simple packet filters
-sP: ICMP echo ping scan, same principle as ping (the older spelling of -sn)
-sU: find open UDP ports
-sA: TCP ACK scan
-sV: probe open ports for detailed service and version information
Scan options:
-Pn: do not send ICMP echo requests to test whether the target is alive before scanning
-O: fingerprint the remote host's operating system
-F: fast scan, only the 100 most common ports from nmap-services instead of the default 1000
-p <port>: specify a port or port range
msf > nmap -sS -Pn 10.10.10.129
[*] exec: nmap -sS -Pn 10.10.10.129

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:45 EDT
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.00010s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
5001/tcp open  commplex-link
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:21:A3:A6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.20 second
7. More detailed service information with nmap -sV
msf > nmap -sV -Pn 10.10.10.129
[*] exec: nmap -sV -Pn 10.10.10.129

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:46 EDT
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.000099s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Courier Imapd (released 2008)
443/tcp  open  ssl/http    Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open  java-rmi    Java RMI
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open  http        Jetty 6.1.25
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.40%I=7%D=8/28%Time=59A4D583%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4,"\xac\xed\0\x05");
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
The four bytes in the port 5001 fingerprint, AC ED 00 05, are the Java object-serialization stream header, which is consistent with the java-rmi identification: the service talks serialized Java objects to whoever connects.
10.10.10.130 did not appear in either -sn sweep above (both reported 5 hosts up), which is why it is scanned with -Pn here; -Pn skips discovery and probes the ports regardless.
msf > nmap -sV -Pn 10.10.10.130
[*] exec: nmap -sV -Pn 10.10.10.130

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:07 EDT
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00015s latency).
Not shown: 985 closed ports
PORT     STATE SERVICE         VERSION
21/tcp   open  ftp             Microsoft ftpd
80/tcp   open  http            Microsoft IIS httpd 6.0
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds    Microsoft Windows 2003 or 2008 microsoft-ds
777/tcp  open  multiling-http?
1025/tcp open  msrpc           Microsoft Windows RPC
1026/tcp open  msrpc           Microsoft Windows RPC
1030/tcp open  msrpc           Microsoft Windows RPC
1031/tcp open  msrpc           Microsoft Windows RPC
1521/tcp open  oracle-tns      Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
6002/tcp open  http            SafeNet Sentinel Protection Server httpd 7.3
7001/tcp open  afs3-callback?
7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
8099/tcp open  http            Microsoft IIS httpd 6.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port777-TCP:V=7.40%I=7%D=8/28%Time=59A4DAC1%P=x86_64-pc-linux-gnu%r(Ker
SF:beros,5,"\x01\0\t\xe0\x06")%r(SMBProgNeg,5,"\x01\0\t\xe0\x06")%r(Termin
SF:alServer,A,"\x01\0\t\xe0\x06\x01\0\t\xe0\x06")%r(WMSRequest,5,"\x01\0\t
SF:\xe0\x06");
MAC Address: 00:0C:29:DB:51:D2 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.72 seconds
msf > nmap -sV -Pn 10.10.10.254
[*] exec: nmap -sV -Pn 10.10.10.254

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:09 EDT
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00024s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  ingreslock?
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1524-TCP:V=7.40%I=7%D=8/28%Time=59A4DAEE%P=x86_64-pc-linux-gnu%r(NU
SF:LL,27,"\x1b\[01;31mroot@gate\x1b\[00m:\x1b\[01;34m/\x1b\[00m#\x20")%r(G
MAC Address: 00:50:56:E7:DA:ED (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.99 seconds
Two things in this last scan should not be overlooked. The unrecognized-service fingerprint for port 1524 is a coloured shell prompt, root@gate:/#, sent in response to an empty probe: whatever listens there hands out a root shell to anyone who connects, without authentication. And the Service Info line names the hosts metasploitable.localdomain and irc.Metasploitable.LAN, i.e. the gateway is a Metasploitable VM.

###5. Analysis of the scan results###

| Host | OS | Main open ports | Service / version |
|------|----|-----------------|-------------------|
| Web server (10.10.10.129) | Linux | ssh (22) | OpenSSH 5.3p1 |
| | | http (80) | Apache httpd 2.2.14 |
| | | netbios-ssn (139) | Samba smbd 3.X - 4.X |
| | | imap (143) | Courier Imapd (released 2008) |
| | | ssl/http (443) | Apache httpd 2.2.14 |
| | | netbios-ssn (445) | Samba smbd 3.X - 4.X |
| | | java-rmi (5001) | Java RMI |
| | | http (8080) | Apache Tomcat/Coyote JSP engine 1.1 |
| | | http (8081) | Jetty 6.1.25 |
| Back-end server (10.10.10.130) | Windows | ftp (21) | Microsoft ftpd |
| | | http (80) | Microsoft IIS httpd 6.0 |
| | | msrpc (135) | Microsoft Windows RPC |
| | | netbios-ssn (139) | Microsoft Windows netbios-ssn |
| | | microsoft-ds (445) | Microsoft Windows 2003 or 2008 microsoft-ds |
| | | msrpc (1025) | Microsoft Windows RPC |
| | | msrpc (1026) | Microsoft Windows RPC |
| | | msrpc (1030) | Microsoft Windows RPC |
| | | msrpc (1031) | Microsoft Windows RPC |
| | | oracle-tns (1521) | Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows) |
| | | http (6002) | SafeNet Sentinel Protection Server httpd 7.3 |
| | | http (7002) | SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console) |
| | | http (8099) | Microsoft IIS httpd 6.0 |
| Gateway server (10.10.10.254) | Linux | ftp (21) | vsftpd 2.3.4 |
| | | ssh (22) | OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) |
| | | telnet (23) | Linux telnetd |
| | | smtp (25) | Postfix smtpd |
| | | domain (53) | ISC BIND 9.4.2 |
| | | http (80) | Apache httpd 2.2.8 ((Ubuntu) DAV/2) |
| | | rpcbind (111) | 2 (RPC #100000) |
| | | netbios-ssn (139) | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
| | | netbios-ssn (445) | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
| | | exec (512) | netkit-rsh rexecd |
| | | rmiregistry (1099) | GNU Classpath grmiregistry |
| | | nfs (2049) | 2-4 (RPC #100003) |
| | | ftp (2121) | ProFTPD 1.3.1 |
| | | mysql (3306) | MySQL 5.0.51a-3ubuntu5 |
| | | postgresql (5432) | PostgreSQL DB 8.3.0 - 8.3.7 |
| | | vnc (5900) | VNC (protocol 3.3) |
| | | X11 (6000) | (access denied) |
| | | irc (6667) | UnrealIRCd |
| | | ajp13 (8009) | Apache Jserv (Protocol v1.3) |
| | | http (8180) | Apache Tomcat/Coyote JSP engine 1.1 |
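The table above is what a practitioner ends up compiling by hand from the nmap -sV output in section 4. As an added example (not code from the original page), the following parses Nmap's grepable output format (-oG), which puts one host per line and lists ports as port/state/proto/owner/service/rpcinfo/version/ fields, with any slash inside a version string replaced by a pipe. SAMPLE is a constructed -oG record for two of the hosts above using the versions Nmap reported; in practice you would run nmap -sV -Pn -oG scan.gnmap 10.10.10.0/24 and pass the file's contents to parse_grepable.

```python
"""Build the host/port/service table from Nmap grepable (-oG) output.

Added example, not from the original page. SAMPLE is constructed from
the -sV results shown above; the -oG field layout is Nmap's own."""
import re

SAMPLE = """\
# Nmap 7.40 scan initiated Mon Aug 28 23:07:00 2017 as: nmap -sV -Pn -oG - 10.10.10.129 10.10.10.130
Host: 10.10.10.129 (www.dvssc.com)\tStatus: Up
Host: 10.10.10.129 (www.dvssc.com)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.14 ((Ubuntu) mod_mono|2.4.3 PHP|5.3.2-1ubuntu4.30 with Suhosin-Patch)/, 5001/open/tcp//java-rmi//Java RMI/, 8080/open/tcp//http//Apache Tomcat|Coyote JSP engine 1.1/\tIgnored State: closed (996)
Host: 10.10.10.130 (service.dvssc.com)\tStatus: Up
Host: 10.10.10.130 (service.dvssc.com)\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 80/open/tcp//http//Microsoft IIS httpd 6.0/, 777/open/tcp//multiling-http?///, 1521/open/tcp//oracle-tns//Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)/\tIgnored State: closed (996)
# Nmap done at Mon Aug 28 23:10:00 2017 -- 2 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# port/state/proto/owner/service/rpcinfo/version/ ; version never contains
# a slash because nmap writes '|' for '/' in -oG output.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: {"name", "status", "ports": [ {port, state, proto, service, version} ]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"name": name, "status": None, "ports": []})
        # Tab-separated "Key: value" fields; split each on the first ": " only,
        # because version strings may themselves contain a colon.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Status" in fields:
            entry["status"] = fields["Status"]
        for p in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = p.groups()
            entry["ports"].append({
                "port": int(port), "state": state, "proto": proto,
                "service": service, "version": version.replace("|", "/"),
            })
    return hosts


def open_ports(hosts, ip):
    return [p["port"] for p in hosts[ip]["ports"] if p["state"] == "open"]


def service_table(hosts):
    """Rows in the shape of the table above: (ip, hostname, 'service(port)', version)."""
    rows = []
    for ip, h in hosts.items():
        for p in h["ports"]:
            if p["state"] == "open":
                rows.append((ip, h["name"], "%s(%d)" % (p["service"], p["port"]), p["version"]))
    return rows


def hosts_running(hosts, service):
    """Which hosts expose a service by name, e.g. 'ssh' -> targets for ssh_login."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p["service"] == service and p["state"] == "open" for p in h["ports"]))


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE)
    for row in service_table(parsed):
        print("%-14s %-18s %-20s %s" % row)
    print("ssh targets:", hosts_running(parsed, "ssh"))
```

hosts_running is the step that turns the table into the attack-route list of the next section: the hosts it returns for "ssh", "ftp" or "mysql" are exactly the RHOSTS for the corresponding [service]_login module.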

###6. Possible attack routes###

| Possible attack route | Targets |
|-----------------------|---------|
| Password guessing | 10.10.10.129: SSH, Samba |
| | 10.10.10.130: SMB |
| | 10.10.10.254: FTP, SSH, Telnet, MySQL, PostgreSQL |
| Password sniffing | 10.10.10.254: FTP, Telnet |
| In-depth vulnerability scanning | the open ports of every live host |
| Exploitation of system vulnerabilities | security flaws in any of the exposed network services |
| Web application vulnerability scanning | 10.10.10.129: Apache, Apache Tomcat |
| | 10.10.10.254: Apache, Apache Tomcat |
| Web application exploitation | 10.10.10.129: Apache, Apache Tomcat |
| | 10.10.10.254: Apache, Apache Tomcat |

###7. Service scanning and enumeration###

Once the open ports are known, the next step is usually to dig deeper into the service running on each of them; this is generally called network enumeration.
The msf Scanner auxiliary modules include many service scanning and enumeration tools, usually named [service_name]_version and [service_name]_login:
[service_name]_version: walks the network looking for hosts that run a given service and determines its version
[service_name]_login: attempts password guessing against that service
msf > search name:_version

Matching Modules
================

   Name                                                     Disclosure Date  Rank     Description
   ----                                                     ---------------  ----     -----------
   auxiliary/fuzzers/ssh/ssh_version_15                                      normal   SSH 1.5 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_2                                       normal   SSH 2.0 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_corrupt                                 normal   SSH Version Corruption
   auxiliary/gather/ibm_sametime_version                    2013-12-27       normal   IBM Lotus Sametime Version Enumeration
   auxiliary/scanner/db2/db2_version                                         normal   DB2 Probe Utility
   auxiliary/scanner/ftp/ftp_version                                         normal   FTP Version Scanner
   auxiliary/scanner/h323/h323_version                                       normal   H.323 Version Scanner
   auxiliary/scanner/http/coldfusion_version                                 normal   ColdFusion Version Scanner
   auxiliary/scanner/http/http_version                                       normal   HTTP Version Detection
   auxiliary/scanner/http/joomla_version                                     normal   Joomla Version Scanner
   auxiliary/scanner/http/sap_businessobjects_version_enum                   normal   SAP BusinessObjects Version Detection
   auxiliary/scanner/http/ssl_version                       2014-10-14       normal   HTTP SSL/TLS Version Detection (POODLE scanner)
   auxiliary/scanner/http/svn_scanner                                        normal   HTTP Subversion Scanner
   auxiliary/scanner/imap/imap_version                                       normal   IMAP4 Banner Grabber
   auxiliary/scanner/ipmi/ipmi_version                                       normal   IPMI Information Discovery
   auxiliary/scanner/lotus/lotus_domino_version                              normal   Lotus Domino Version
   auxiliary/scanner/mysql/mysql_version                                     normal   MySQL Server Version Enumeration
   auxiliary/scanner/oracle/tnslsnr_version                 2009-01-07       normal   Oracle TNS Listener Service Version Query
   auxiliary/scanner/pop3/pop3_version                                       normal   POP3 Banner Grabber
   auxiliary/scanner/postgres/postgres_version                               normal   PostgreSQL Version Probe
   auxiliary/scanner/printer/printer_version_info                            normal   Printer Version Information Scanner
   auxiliary/scanner/sap/sap_mgmt_con_version                                normal   SAP Management Console Version Detection
   auxiliary/scanner/scada/digi_addp_version                                 normal   Digi ADDP Information Discovery
   auxiliary/scanner/scada/digi_realport_version                             normal   Digi RealPort Serial Server Version
   auxiliary/scanner/scada/modbusdetect                     2011-11-01       normal   Modbus Version Scanner
   auxiliary/scanner/smb/smb_version                                         normal   SMB Version Detection
   auxiliary/scanner/smtp/smtp_version                                       normal   SMTP Banner Grabber
   auxiliary/scanner/snmp/aix_version                                        normal   AIX SNMP Scanner Auxiliary Module
   auxiliary/scanner/ssh/ssh_version                                         normal   SSH Version Scanner
   auxiliary/scanner/telnet/lantronix_telnet_version                         normal   Lantronix Telnet Service Banner Detection
   auxiliary/scanner/telnet/telnet_version                                   normal   Telnet Service Banner Detection
   auxiliary/scanner/vmware/vmauthd_version                                  normal   VMWare Authentication Daemon Version Scanner
   auxiliary/scanner/vxworks/wdbrpc_version                                  normal   VxWorks WDB Agent Version Scanner
   exploit/multi/svn/svnserve_date                          2004-05-19       average  Subversion Date Svnserve
   exploit/windows/browser/crystal_reports_printcontrol     2010-12-14       normal   Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
   exploit/windows/fileformat/digital_music_pad_pls         2010-09-17       normal   Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow
   exploit/windows/fileformat/orbit_download_failed_bof     2008-04-03       normal   Orbit Downloader URL Unicode Conversion Overflow
   exploit/windows/fileformat/realplayer_ver_attribute_bof  2013-12-20       normal   RealNetworks RealPlayer Version Attribute Buffer Overflow
   exploit/windows/ftp/filecopa_list_overflow               2006-07-19       average  FileCopa FTP Server Pre 18 Jul Version
   exploit/windows/scada/iconics_genbroker                  2011-03-21       good     Iconics GENESIS32 Integer Overflow Version 9.21.201.01

The search matches on the string _version anywhere in the module name, which is why the exploit modules at the bottom show up; the ones relevant here are the auxiliary/scanner/*/*_version modules.
1. Scanning common network services
Telnet service scan
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(telnet_version) > set THREADS 100
THREADS => 100
msf auxiliary(telnet_version) > run
[*] 10.10.10.254:23 gate.dvssc.com login:                 _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0agate.dvssc.com login:
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Result: 10.10.10.254 runs a Telnet service. The banner it returns (with newlines shown as \x0a) is the Metasploitable login screen, and it even states the default credentials, msfadmin/msfadmin.
SSH service scan
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(ssh_version) > set THREADS 100
THREADS => 100
msf auxiliary(ssh_version) > run
[*] 10.10.10.128:22       - SSH server version: SSH-2.0-OpenSSH_7.4p1 Debian-10
[*] 10.10.10.129:22       - SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4 ( service.version=5.3p1 openssh.comment=Debian-3ubuntu4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=10.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 10.10.10.254:22       - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=8.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] Auxiliary module execution completed
Result: 10.10.10.254 and 10.10.10.129 run SSH (10.10.10.128 is the attacking machine itself). Everything in the parentheses is derived from the banner alone: the Debian package suffix maps to the distribution release (8ubuntu1 to Ubuntu 8.04, 3ubuntu4 to 10.04), so the OS version comes for free without any OS fingerprinting.
2. Oracle database enumeration
msf > use auxiliary/scanner/oracle/tnslsnr_version
msf auxiliary(tnslsnr_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(tnslsnr_version) > set THREADS 50
THREADS => 50
msf auxiliary(tnslsnr_version) > run
[*] Scanned  50 of 256 hosts (19% complete)
[+] 10.10.10.130:1521 - 10.10.10.130:1521 Oracle - Version: 32-bit Windows: Version 10.2.0.1.0 - Production
[*] Scanned 129 of 256 hosts (50% complete)
[*] Scanned 167 of 256 hosts (65% complete)
[*] Scanned 184 of 256 hosts (71% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Result: 10.10.10.130 has port 1521 open (Oracle). For reference, SQL Server listens on 1433 by default and Oracle on 1521; the module only checks RPORT, so an Oracle listener moved to another port would be missed here and has to be found through the nmap -sV results instead.
3. Detecting and using open proxies
open_proxy: a quick way to collect usable HTTP proxy servers
msf > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > show options

Module options (auxiliary/scanner/http/open_proxy):

   Name           Current Setting           Required  Description
   ----           ---------------           --------  -----------
   CHECKURL       http://www.google.com     yes       The web site to test via alleged web proxy
   MULTIPORTS     false                     no        Multiple ports will be used: 80, 443, 1080, 3128, 8000, 8080, 8123
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                   yes       The target address range or CIDR identifier
   RPORT          8080                      yes       The target port (TCP)
   SSL            false                     no        Negotiate SSL/TLS for outgoing connections
   THREADS        1                         yes       The number of concurrent threads
   VALIDCODES     200,302                   yes       Valid HTTP code for a successfully request
   VALIDPATTERN   <TITLE>302 Moved</TITLE>  yes       Valid pattern match (case-sensitive into the headers and HTML body) for a successfully request
   VERIFYCONNECT  false                     no        Enable CONNECT HTTP method check
   VHOST                                    no        HTTP server virtual host

msf auxiliary(open_proxy) > set SITE www.google.com
SITE => www.google.com
msf auxiliary(open_proxy) > set RHOSTS 24.25.24.1-24.25.26.254
RHOSTS => 24.25.24.1-24.25.26.254
msf auxiliary(open_proxy) > set MULTIPORTS true
MULTIPORTS => true
msf auxiliary(open_proxy) > set THREADS 100
THREADS => 100
msf auxiliary(open_proxy) > run
[*] Scanned 102 of 766 hosts (13% complete)
[*] Scanned 397 of 766 hosts (51% complete)
[*] Scanned 766 of 766 hosts (100% complete)
[*] Auxiliary module execution completed
Two notes on this run. SITE is not one of the module's options (the option list above has CHECKURL instead), so set SITE only creates an unused datastore entry and the check is still made against the default http://www.google.com; that happened to be what was wanted here. And 24.25.24.0/22 is a public address range, not part of the lab: scanning addresses you have no authorisation for is not something to do outside a permitted engagement, and the empty result is the only reason it is harmless here.
4. SSH password guessing

auxiliary/scanner/ssh/ssh_login tries username/password combinations against the SSH service and, on success, opens a command shell session automatically:

```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS 10.10.10.254
RHOSTS => 10.10.10.254
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/words.txt
PASS_FILE => /root/words.txt
msf auxiliary(ssh_login) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_login) > run
[*] SSH - Starting bruteforce
[-] SSH - Failed: 'root:123456'
[-] SSH - Failed: 'root:ubuntu'
[+] SSH - Success: 'root:toor' 'uid=0(root) gid=0(root) groups=0(root) Linux gate.dvssc.com 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.10.128:42501 -> 10.10.10.254:22) at 2017-08-29 01:18:09 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

root:toor works on the gateway (gate.dvssc.com) and session 1 is ready for `sessions -i 1`. THREADS is applied per host, so 50 threads against a single target means 50 concurrent SSH connections; sshd's MaxStartups limit will start dropping some of them, so a lower value is usually more reliable and quieter against one host.
5. Password sniffing with psnuffle

auxiliary/sniffer/psnuffle passively captures traffic on the local interface and extracts credentials from cleartext protocols (FTP, IMAP, POP3, SMB and HTTP URLs):

```
msf > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run
[*] Auxiliary module execution completed
[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
msf auxiliary(psnuffle) > [*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
```

The module keeps running as a background job. It only sees packets that reach the attacker's own interface; on a switched network that is traffic to and from the attacker itself unless it is combined with ARP spoofing or a mirror port.
6. Using OpenVAS from inside Metasploit

0. Start the OpenVAS services:

```
root@attacker:~# openvas-start
```

1. Load the OpenVAS plugin in Metasploit:

```
msf > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*] Successfully loaded plugin: OpenVAS
```

2. Connect to OpenVAS. Usage: openvas_connect username password host port <ssl-confirm>

```
msf > openvas_connect admin toor 127.0.0.1 9390 ok
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
[+] OpenVAS list of targets
ID                                    Name   Hosts         Max Hosts  In Use  Comment
--                                    ----   -----         ---------  ------  -------
5e78a0e1-6569-45d9-8474-d7c83d0ea8ff  test2  10.10.10.254  1          0       Metasploitable
971d579a-b65c-406c-9737-b4d946fb68b1  UUUU   10.10.10.254  1          1       Mwtasploitable
```

3. List the OpenVAS scan configs. The `Object#timeout is deprecated` line that precedes many of the outputs below is a Ruby warning from the openvas-omp gem and can be ignored:

```
msf > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs
ID                                    Name
--                                    ----
085569ce-73ed-11df-83c3-002264764cea  empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
daba56c8-73ec-11df-a475-002264764cea  Full and fast
```

4. Create a scan task. Usage: openvas_task_create <name> <comment> <config_id> <target_id>. Here the "Full and fast" config is run against the target test2:

```
msf > openvas_task_create test-scan "Scan of test2 Metasploitable" daba56c8-73ec-11df-a475-002264764cea 5e78a0e1-6569-45d9-8474-d7c83d0ea8ff
[+] OpenVAS list of tasks
ID                                    Name       Comment                       Status   Progress
--                                    ----       -------                       ------   --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO       OOOOOOOOO                     Done     -1
b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan  Scan of test2 Metasploitable  New      -1
```

5. Start the task. Usage: openvas_task_start <id>

```
msf > openvas_task_start b4baa75d-9d51-4393-a8fd-66a0480bda28
[+] OpenVAS list of tasks
ID                                    Name       Comment                       Status     Progress
--                                    ----       -------                       ------     --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO       OOOOOOOOO                     Done       -1
b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan  Scan of test2 Metasploitable  Requested  1
```

6. List the tasks to follow progress; the status moves from Requested to Running:

```
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID                                    Name       Comment                       Status   Progress
--                                    ----       -------                       ------   --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO       OOOOOOOOO                     Done     -1
b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan  Scan of test2 Metasploitable  Running  1
```

7. List the tasks again once the scan has finished (Status: Done):

```
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID                                    Name       Comment                       Status   Progress
--                                    ----       -------                       ------   --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO       OOOOOOOOO                     Done     -1
b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan  Scan of test2 Metasploitable  Done     -1
```

8. After the scan completes, list the reports:

```
msf > openvas_report_list
ID                                    Task Name  Start Time            Stop Time
--                                    ---------  ----------            ---------
752e8852-68f4-4bff-a23c-92767a6c9bd7  test-scan  2017-08-30T06:12:51Z  2017-08-30T06:13:06Z
babf1f94-c1ca-4b4e-b678-a0cd355c6a72  UUOO       2017-08-30T00:42:12Z  2017-08-30T01:06:41Z
```

test-scan finished in 15 seconds, which is far too short for a "Full and fast" scan of a live host (the UUOO task took 24 minutes); a report that quick usually means the target was not reachable from the scanner, so check the report before trusting an empty result.

9. List the supported report formats:

```
msf > openvas_format_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats
ID                                    Name           Extension  Summary
--                                    ----           ---------  -------
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.
```

10. Download a report. Usage: openvas_report_download <report_id> <format_id> <path> <report_name>. Called without arguments the command prints its usage; here the test-scan report is saved as PDF:

```
msf > openvas_report_download
[*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
msf > openvas_report_download 752e8852-68f4-4bff-a23c-92767a6c9bd7 c402cc3e-b531-11e1-9163-406186ea4fc5 /root/reports/ tast2_scan_report.pdf
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[*] Saving report to /root/reports/tast2_scan_report.pdf
```

7. Looking for vulnerabilities in specific services

Nmap's NSE scripts are stored in /usr/share/nmap/scripts.

```
root@attacker:/usr/share/nmap/scripts# nmap --script=smb-check-vulns 10.10.10.130
```

Error:

```
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:801: 'smb-check-vulns.nse' did not match a category, filename, or directory
```

The reason is that smb-check-vulns.nse was removed in Nmap 6.49beta6 and split into six separate scripts: smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067 (later releases added more; the Nmap 7.60 run below also executes smb-vuln-ms10-054, smb-vuln-ms10-061 and smb-vuln-ms17-010). Pick the script you need, or run the whole family with the wildcard smb-vuln-*. Quote the wildcard so the shell does not expand it; unquoted it only worked here because the command was typed inside the scripts directory, where the shell glob happens to expand to the right file names.

```
root@attacker:/usr/share/nmap/scripts# nmap --script="smb-vuln-*" 10.10.10.130

Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-30 08:12 EDT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00022s latency).
Not shown: 985 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
777/tcp  open  multiling-http
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1031/tcp open  iad2
1521/tcp open  oracle
6002/tcp open  X11:2
7001/tcp open  afs3-callback
7002/tcp open  afs3-prserver
8099/tcp open  unknown
MAC Address: 00:0C:29:DB:51:D2 (VMware)

Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds
```

Three SMB vulnerabilities are confirmed on 10.10.10.130: CVE-2009-3103 (SMBv2 negotiation), MS08-067 (CVE-2008-4250) and MS17-010 (CVE-2017-0143). The mass_dns warnings only mean the attacker VM has no /etc/resolv.conf, so reverse DNS was skipped; they do not affect the script results.

###8. Vulnerability scan result analysis###

High-risk findings from the OpenVAS reports, one table per host (rows the report listed twice for the same CVE are merged; where the report gave no CVE the reference is left empty):

Back-end server (10.10.10.130), Windows:

| High-risk vulnerability | Reference |
| --- | --- |
| Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service | CVE-2017-7269 |
| IIS FTP Service RCE and DoS Vulnerability | CVE-2009-3023 |
| Integer Overflow in IPP Service Vulnerability | CVE-2008-1446 |
| IIS Authentication Memory Corruption Vulnerability | CVE-2010-1256 |
| The WebDAV extension in Microsoft Internet Information Services: IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability | CVE-2009-1535 |
| Microsoft Internet Information Services | CVE-2009-4444 |
| IIS Repeated Parameter Request Denial of Service Vulnerability | CVE-2010-1899 |
| Inverse Lookup Log Corruption (ILLC) | CVE-2003-1582 |
| IIS FTP Service DoS Vulnerability | CVE-2009-2521 |

Gateway server (10.10.10.254), Linux:

| High-risk vulnerability | Reference |
| --- | --- |
| ProFTPD Server SQL Injection Vulnerability | CVE-2009-0542 |
| ProFTPD Long Command Handling Security Vulnerability | CVE-2008-4242 |
| PHP < 5.2.13 Multiple Vulnerabilities | CVE-2010-1128 |
| PHP 'sqlite_single_query()' and 'sqlite_array_query()' Arbitrary Code Execution | |
| PHP Multiple Information Disclosure Vulnerabilities | CVE-2010-2190 |
| Heap-based buffer overflow in 'mbstring' extension for PHP | CVE-2008-5557 |
| PHP Multiple Vulnerabilities Dec-09 | CVE-2009-4018 |
| PHP '_gdGetColors()' Buffer Overflow Vulnerability | CVE-2009-3546 |
| HTTP TRACE XSS attack | CVE-2004-2320 |
| PHP Multiple Buffer Overflow Vulnerabilities | CVE-2008-3659 |
| PHP Interruptions and Calltime Arbitrary Code Execution Vulnerability | |
| PHP 'SplObjectStorage' Unserializer Arbitrary Code Execution Vulnerability | CVE-2010-2225 |
| Samba SID Parsing Remote Buffer Overflow Vulnerability | CVE-2010-3069 |
| Samba multiple vulnerabilities | CVE-2009-2813 |
| Samba 'mount.cifs' Utility Local Privilege Escalation Vulnerability | CVE-2009-3297 |
| Samba 'SMB1 Packet Chaining' Unspecified Remote Memory Corruption Vulnerability | CVE-2010-2063 |

Web server (10.10.10.129), Linux:

| High-risk vulnerability | Reference |
| --- | --- |
| Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba | CVE-2013-4408 |
| Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body | CVE-2014-0230 |
| Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests | CVE-2011-3190 |
| An attacker can reach JMX ports | CVE-2016-8735 |
| Stack-based buffer overflow in Samba | CVE-2010-3069 |
| Allows remote attackers to inject a request into a session by sending this request during completion of the login form | CVE-2013-2067 |
| apache:tomcat:6.0.24: the attacker could poison a web cache | CVE-2016-6816 |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba | CVE-2011-2522 |
| The MS-SAMR and MS-LSAD protocol implementations in Samba | CVE-2016-2118 |
| The session-persistence implementation in Apache Tomcat | CVE-2016-0714 |
| Allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection | CVE-2012-2111 |
| Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header | CVE-2010-2227 |
| The default configuration of Apache Tomcat | CVE-2010-4312 |
| Allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding | CVE-2014-0227 |

###9. The penetration-testing database###

db_nmap: run nmap and write its results straight into the database
db_import: import the output files of external scanners

```
msf > db_status
[*] postgresql selected, no connection
```

Start PostgreSQL and Metasploit connects to it:

```
root@attacker:~# systemctl start postgresql.service
msf > db_status
[*] postgresql connected to msf
```

1. db_nmap is a wrapper around nmap; the only difference is that the results are stored in the database automatically:

```
msf > db_nmap -Pn -sV 10.10.10.0/24
[*] Nmap: Nmap done: 256 IP addresses (6 hosts up) scanned in 411.47 seconds
```

2. Alternatively, write the nmap results to an XML file with -oX and import that file with db_import (nmap typed at the msf prompt is passed through to the shell, so the file lands in the current directory):

```
msf > nmap -Pn -sV -oX dmz 10.10.10.0/24
root@attacker:~# ll dmz
-rw-r--r-- 1 root root 18799 Sep  1 10:32 dmz
msf > db_import /root/dmz
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.8.0'
[*] Importing host 10.10.10.1
[*] Importing host 10.10.10.2
[*] Importing host 10.10.10.129
[*] Importing host 10.10.10.130
[*] Importing host 10.10.10.128
[*] Successfully imported /root/dmz
```
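Both the smb-vuln-* run in section 7 and the db_import step above revolve around Nmap's XML output (db_import reports "Importing 'Nmap XML' data"). The following is an added example, not code from the book or from Metasploit, that parses that format offline the way db_import does: it records open ports and services for every live host and pulls the VULNERABLE / not-vulnerable verdicts out of the hostscript section. The embedded XML is a constructed, trimmed imitation of `nmap -sV --script=smb-vuln-* -oX` output for the lab hosts in this post, not a real capture, and the function names are this example's own.

```python
"""Offline parser for Nmap -oX output: open ports per live host plus the
verdicts of smb-vuln-* hostscripts. Added example for this post; not code
from the book or from Metasploit's db_import. SAMPLE_NMAP_XML below is a
constructed imitation of nmap's XML schema, not a real scan."""
import xml.etree.ElementTree as ET

# Constructed sample: structure follows nmap's XML schema, values mirror the post's lab.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV --script=smb-vuln-* -oX dmz 10.10.10.0/24" version="7.60">
 <host><status state="up"/>
  <address addr="10.10.10.130" addrtype="ipv4"/>
  <address addr="00:0C:29:DB:51:D2" addrtype="mac" vendor="VMware"/>
  <hostnames><hostname name="service.dvssc.com" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="6.0"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="1521"><state state="open"/><service name="oracle-tns" product="Oracle TNS Listener" version="10.2.0.1.0"/></port>
   <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
  </ports>
  <hostscript>
   <script id="smb-vuln-ms08-067" output="VULNERABLE: ..."><table key="CVE-2008-4250"><elem key="state">VULNERABLE</elem></table></script>
   <script id="smb-vuln-ms17-010" output="VULNERABLE: ..."><table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table></script>
   <script id="smb-vuln-ms10-054" output="false"/>
  </hostscript>
 </host>
 <host><status state="down"/><address addr="10.10.10.131" addrtype="ipv4"/></host>
 <host><status state="up"/>
  <address addr="10.10.10.254" addrtype="ipv4"/>
  <hostnames><hostname name="gate.dvssc.com" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ProFTPD" version="1.3.1"/></port>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
  </ports>
 </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname", "mac", "ports": [(port, proto, name, product)],
    "vulns": {script_id: verdict}}} for hosts reported up. Hosts reported down
    carry no ports or services and are skipped."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ip is None:
            continue
        hn = host.find("hostnames/hostname")
        entry = {"hostname": hn.get("name") if hn is not None else None,
                 "mac": mac, "ports": [], "vulns": {}}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service worth recording
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            entry["ports"].append((int(port.get("portid")), port.get("protocol"), name, product))
        for script in host.findall("hostscript/script"):
            # The NSE vulns library emits <table key="<vuln id>"><elem key="state">...</elem>;
            # scripts that found nothing only carry a short output attribute ("false", an NT status).
            states = [e.text for e in script.iter("elem") if e.get("key") == "state"]
            entry["vulns"][script.get("id")] = states[0] if states else script.get("output", "").strip()
        entry["ports"].sort()
        hosts[ip] = entry
    return hosts


def vulnerable(hosts):
    """ip -> sorted NSE script ids that reported VULNERABLE (the rows worth a CVE lookup)."""
    out = {}
    for ip, h in hosts.items():
        hits = sorted(s for s, v in h["vulns"].items() if v == "VULNERABLE")
        if hits:
            out[ip] = hits
    return out


def hosts_with_port(hosts, port, proto="tcp"):
    """Equivalent of `services -p <port>` in msfconsole: which hosts have that port open."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p == port and pr == proto for p, pr, _, _ in h["ports"]))


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, h in parsed.items():
        print(ip, h["hostname"], [f"{p}/{pr} {n} {prod}".strip() for p, pr, n, prod in h["ports"]])
    print("vulnerable:", vulnerable(parsed))
    print("port 445 open on:", hosts_with_port(parsed, 445))
```

Run it directly to print the summary. For the constructed sample, `vulnerable()` lists smb-vuln-ms08-067 and smb-vuln-ms17-010 for 10.10.10.130, matching what the NSE run in section 7 reported, while the closed 3389/tcp port and the host that was down are left out of the result, just as they add nothing to the hosts and services tables in msfconsole.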

###10. OpenVAS and the penetration-testing database###

1. Start OpenVAS and connect to it from msfconsole:

```
root@attacker:~# openvas-start
Starting OpenVas Services
msf > openvas_connect admin toor 127.0.0.1 9390 ok
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
```

2. Find the report to import (the Ubuntu-scan task d7d88501 has no stop time, so it had not finished):

```
msf > openvas_report_list
[+] OpenVAS list of reports
ID                                    Task Name    Start Time            Stop Time
--                                    ---------    ----------            ---------
07b3eba7-a110-4117-b603-7e50de27759f  Oswapbwa     2017-08-30T14:41:15Z  2017-08-31T03:02:28Z
6a0bbe85-3eeb-49e1-8440-32988f6079c8  WIndows 2K3  2017-08-31T01:07:01Z  2017-08-31T01:47:53Z
d7d88501-fe7d-44d3-8b70-566d49758e3a  Ubuntu-scan  2017-08-30T14:41:20Z
eac5169e-290e-4be1-9adf-8a401d806fb2  Ubuntu-Scan  2017-08-31T01:12:44Z  2017-08-31T03:30:24Z
```

3. List the supported report formats:

```
msf > openvas_format_list
[+] OpenVAS list of report formats
ID                                    Name           Extension  Summary
--                                    ----           ---------  -------
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.
```

4. Import the report into the database. Usage: openvas_report_import <report_id> <format_id>; here the OWASP BWA scan report is imported in NBE format, which the plugin can read:

```
msf > openvas_report_import 07b3eba7-a110-4117-b603-7e50de27759f 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
[*] Importing report to database.
```

5. After the import, vulns shows the imported findings:

```
msf > vulns
[*] Time: 2017-09-01 14:51:32 UTC Vuln: host=10.10.10.129 name=ICMP Timestamp Detection refs=CVE-1999-0524
```

###11. Sharing your penetration-testing database###

Metasploit offers two ways to share a penetration-testing database:

- let several machines running Metasploit connect to the same network-reachable database
- use the MSF RPC service

Method 1: several Metasploit instances on one network database

1. Check how the postgres process is listening:

```
root@gate:~# netstat -tulnp | grep "postgres"
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      4907/postgres
tcp6       0      0 :::5432                 :::*                    LISTEN      4907/postgres
```

2. Change the database listen address (line 59) and make sure passwords are stored hashed (line 88):

```
root@attacker:~# vim /etc/postgresql/9.6/main/postgresql.conf
listen_addresses = '0.0.0.0'
password_encryption = on
```

Listening on 0.0.0.0 exposes the database on every interface; in a real engagement bind it to the lab-network address only and firewall port 5432.

3. pg_hba.conf is the client-authentication file; it defines how each client is authenticated (line 93):

```
root@attacker:~# vim /etc/postgresql/9.6/main/pg_hba.conf
host    all     all     0.0.0.0/24      md5
```

Note that 0.0.0.0/24 only matches the addresses 0.0.0.0 to 0.0.0.255, not "any host"; a client at 10.10.10.x will be refused with "no pg_hba.conf entry". The intended entry for this lab is 10.10.10.0/24 (0.0.0.0/0 would admit every address and is not recommended).

4. Restart the PostgreSQL service:

```
root@attacker:~# systemctl restart postgresql.service
```

5. Check again that the service is listening:

```
root@attacker:~# netstat -tulnp |grep "postgres"
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      7564/postgres
```

6. Look up the database settings Metasploit uses (this file holds the password in cleartext, so keep it readable by root only and use a stronger password than the one below before exposing the database on the network):

```
root@attacker:~# vim /usr/share/metasploit-framework/config/database.yml
development: &pgsql
  adapter: postgresql
  database: msf
  username: msf
  password: admin
  host: localhost
  port: 5432
  pool: 200
  timeout: 5
```

7. The connection details are therefore:

- postgres address: 10.10.10.128
- postgres port: 5432
- postgres user: msf
- postgres password: admin
- PostgreSQL database: msf

8. On another machine, start msfconsole and connect to that database:

```
msf > db_disconnect
msf > db_status
[*] postgresql selected, no connection
msf > db_connect msf:admin@10.10.10.128:5432/msf
[*] Rebuilding the module cache in the background...
msf > db_status
[*] postgresql connected to msf
```

9. Check that the shared data is visible:

```
msf > hosts

Hosts
=====

address       mac                name                os_name        os_flavor  os_sp  purpose  info  comments
-------       ---                ----                -------        ---------  -----  -------  ----  --------
10.10.10.1    00:50:56:c0:00:08                      Windows Vista                    client
10.10.10.2    00:50:56:f0:84:fe                      Unknown                          device
10.10.10.128                     attacker.dvssc.com  Unknown                          device
10.10.10.129  00:0c:29:19:70:bf  www.dvssc.com       Unknown                          device
10.10.10.130  00:0c:29:db:51:d2  service.dvssc.com   Windows XP                       client
10.10.10.133                                         Linux                     3.X    server
10.10.10.254  00:0c:29:19:70:bf  gate.dvssc.com      Linux                     2.6.X  server
```

Method 2: the MSF RPC service

1. Start a new msfrpcd service. -P sets the password required to connect, -U the user name, -a the address to bind (default 127.0.0.1):

```
root@attacker:~# msfrpcd -P admin -U msf -a 0.0.0.0
[*] MSGRPC starting on 0.0.0.0:55553 (SSL):Msg...
[*] MSGRPC backgrounding at 2017-09-06 21:38:09 -0400...
root@attacker:~# netstat -tulnp| grep msfrpcd
tcp        0      0 0.0.0.0:55553           0.0.0.0:*               LISTEN      1794/msfrpcd
```

Anyone who can log in to msfrpcd gets full control of the framework (modules, payloads, sessions), so -a 0.0.0.0 together with a password like "admin" is acceptable only inside an isolated lab; otherwise bind to the lab address and choose a strong password.

2. On another machine with a matching Metasploit 4 installation, start the GUI client (in current Kali this is Armitage, which replaced msfgui); it shows a login dialog:

```
root@attacker:~# armitage
Host 10.10.10.128
Port 55553
User msf
Pass admin
```

3. The login dialog connects to the msfrpcd service started above. Click Server and the penetration-testing data held on 10.10.10.128 appears. msfrpcd shares not only the database but all Metasploit modules and payloads of the host it runs on.
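The pg_hba.conf edit in step 3 of the shared-database method above is the step most likely to go wrong silently, so here is an added example, not code from the book or from PostgreSQL, that parses pg_hba rules and answers the question PostgreSQL asks on every TCP connection: does the client address match a rule, and with which authentication method? The sample rules are constructed to mirror the post's edit (the `0.0.0.0/24` line) and use the database and user names from the post's database.yml; the function names are this example's own.

```python
"""Which client addresses does a pg_hba.conf rule really admit? Added example
for this post; not code from the book or from PostgreSQL. The sample rules are
constructed to mirror the post's pg_hba.conf edit and database.yml."""
import ipaddress

# Constructed: the rule from step 3 (0.0.0.0/24) plus the usual local entries.
PG_HBA_FROM_POST = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   0.0.0.0/24      md5
"""

# The fix: admit only the lab subnet, password-authenticated.
PG_HBA_FIXED = PG_HBA_FROM_POST.replace("0.0.0.0/24", "10.10.10.0/24")


def parse_pg_hba(text):
    """Parse local/host rules; the address is a CIDR or an 'ip netmask' pair of fields."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append({"type": "local", "db": f[1], "user": f[2], "net": None, "method": f[3]})
        elif f[0] in ("host", "hostssl", "hostnossl"):
            if "/" in f[3]:
                net, method = ipaddress.ip_network(f[3], strict=False), f[4]
            else:
                net, method = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5]
            rules.append({"type": f[0], "db": f[1], "user": f[2], "net": net, "method": method})
    return rules


def matching_rule(rules, client_ip, db="msf", user="msf"):
    """First rule covering (client address, database, user). PostgreSQL takes the
    first match and rejects the connection when nothing matches. Keywords other
    than 'all' (sameuser, replication, +role, @file) are not modelled here."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r["net"] is None or r["net"].version != ip.version:
            continue  # 'local' rules apply only to Unix-socket connections
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if ip in r["net"]:
            return r
    return None


def audit(rules):
    """Flag ranges that are wide open or that look like a mistyped 'any address' range."""
    findings = []
    for r in rules:
        if r["net"] is None:
            continue
        if r["method"] == "trust":
            findings.append((str(r["net"]), "trust: no password required"))
        if r["net"].prefixlen == 0:
            findings.append((str(r["net"]), "admits every address; restrict to the lab subnet"))
        elif r["net"].network_address.is_unspecified:
            # 0.0.0.0/24 and friends: covers only the reserved 0.0.0.x block, almost
            # certainly meant /0 or a real subnet such as 10.10.10.0/24
            findings.append((str(r["net"]), "covers only 0.0.0.0-based addresses; probably meant /0 or a real subnet"))
    return findings


if __name__ == "__main__":
    for label, text in (("post", PG_HBA_FROM_POST), ("fixed", PG_HBA_FIXED)):
        rules = parse_pg_hba(text)
        hit = matching_rule(rules, "10.10.10.129")
        print(label, "client 10.10.10.129 ->", hit["method"] if hit else "rejected, no pg_hba.conf entry")
        print(label, "audit:", audit(rules))
```

Against the post's rule, a second msfconsole connecting from 10.10.10.129 matches nothing and is refused with "no pg_hba.conf entry for host"; with the range changed to 10.10.10.0/24 it is admitted with md5 authentication and `audit()` no longer flags anything. The same `audit()` also catches the opposite mistake, a `0.0.0.0/0 trust` line that lets any host in without a password.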
