Kali Linux Penetration Testing 144: Metasploit Vulnerability Scanning

This article records in detail the process of learning and using Kali Linux 2018.1 for penetration testing. The tutorial followed is the course "Kali Linux Penetration Testing" from the Security Niu Classroom.

Kali Linux Penetration Testing (Yuan Fanghong) Blog Record

1. Introduction

  • Search for exploit modules based on the results of information gathering
  • Combine with an external vulnerability scanning system to scan large IP address ranges in batches
  • Be aware of the scanner's false positive (misjudgment) rate and false negative (missed judgment) rate

2. VNC password cracking

  • use auxiliary/scanner/vnc/vnc_login

    msf > use auxiliary/scanner/vnc/vnc_login
    msf auxiliary(scanner/vnc/vnc_login) > set BLANK_PASSWORDS true
    msf auxiliary(scanner/vnc/vnc_login) > set THREADS 20
    msf auxiliary(scanner/vnc/vnc_login) > set RHOSTS 10.10.10.142
    msf auxiliary(scanner/vnc/vnc_login) > run
    

3. VNC passwordless access (no password set)

  • use auxiliary/scanner/vnc/vnc_none_auth
  • If the module reports "supported: None", the server offers the None security type: anyone can connect without a password.

    msf > use auxiliary/scanner/vnc/vnc_none_auth
    msf auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 10.10.10.142
    msf auxiliary(scanner/vnc/vnc_none_auth) > run
    
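To see what vnc_none_auth is actually checking, here is an added example (not from the course and not Metasploit's own code) that performs the RFB version handshake and lists the security types a VNC server offers; the "None" type is the no-password case. The target address is the lab host used above; running it against anything else is an assumption.

```python
import socket

# Security-type numbers from the RFB protocol (versions 3.3 to 3.8).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}

def parse_security_types(msg: bytes) -> list:
    """Decode the server's security-type list from an RFB 3.7/3.8 handshake.

    Layout: one count byte followed by `count` one-byte type numbers.
    A count of 0 means the server refused us; a length-prefixed reason follows.
    """
    if not msg:
        raise ValueError("empty security-type message")
    count = msg[0]
    if count == 0:
        reason_len = int.from_bytes(msg[1:5], "big")
        reason = msg[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return [SECURITY_TYPES.get(t, f"Unknown({t})") for t in msg[1:1 + count]]

def parse_legacy_security_type(msg: bytes) -> list:
    """RFB 3.3 servers send a single 4-byte big-endian type instead of a list."""
    t = int.from_bytes(msg[:4], "big")
    return [SECURITY_TYPES.get(t, f"Unknown({t})")]

def allows_unauthenticated(types) -> bool:
    """True when the server offers the None type, i.e. no password is required."""
    return "None" in types

def probe_vnc(host: str, port: int = 5900, timeout: float = 5.0) -> list:
    """Do the version handshake and return the security types the server offers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)                      # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            raise ValueError(f"not an RFB server: {banner!r}")
        minor = int(banner[8:11])                # "RFB 003.008\n" -> 8
        if minor < 7:                            # 3.3: server picks one type
            s.sendall(b"RFB 003.003\n")
            return parse_legacy_security_type(s.recv(4))
        s.sendall(b"RFB 003.008\n" if minor >= 8 else b"RFB 003.007\n")
        return parse_security_types(s.recv(256))

if __name__ == "__main__":
    # Assumed target: the VNC host from the lab above, which you administer.
    offered = probe_vnc("10.10.10.142")
    print("security types:", offered, "| no-auth:", allows_unauthenticated(offered))
```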

4. RDP Remote Desktop Vulnerability

  • use auxiliary/scanner/rdp/ms12_020_check
  • This is a check-only module: it detects MS12-020 without triggering the denial of service that exploiting the vulnerability would cause.

    msf > use auxiliary/scanner/rdp/ms12_020_check
    msf auxiliary(scanner/rdp/ms12_020_check) > set RHOSTS 10.10.10.140-150
    msf auxiliary(scanner/rdp/ms12_020_check) > run
    

    (Screenshot: the run output indicating that the host is vulnerable.)

5. Device backdoor

  • use auxiliary/scanner/ssh/juniper_backdoor # Juniper firewall
  • use auxiliary/scanner/ssh/fortinet_backdoor # Fortinet firewall

6. VMware ESXi password cracking

  • use auxiliary/scanner/vmware/vmauthd_login
  • use auxiliary/scanner/vmware/vmware_enum_vms

7. Use the web API to remotely power on a virtual machine

  • use auxiliary/admin/vmware/poweron_vm

8. HTTP Vulnerability Scanning

  • Expired certificates: use auxiliary/scanner/http/cert

    msf > use auxiliary/scanner/http/cert
    msf auxiliary(scanner/http/cert) > set RHOSTS 10.10.10.130-150
    msf auxiliary(scanner/http/cert) > set THREADS 20
    msf auxiliary(scanner/http/cert) > run
    

  • Directory listing and file discovery

    • use auxiliary/scanner/http/dir_listing

      msf > use auxiliary/scanner/http/dir_listing
      msf auxiliary(scanner/http/dir_listing) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/dir_listing) > set PATH dav
      msf auxiliary(scanner/http/dir_listing) > run
      

    • use auxiliary/scanner/http/files_dir

      msf auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/files_dir
      msf auxiliary(scanner/http/files_dir) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/files_dir) > run
      

  • WebDAV Unicode encoding authentication bypass

    • use auxiliary/scanner/http/dir_webdav_unicode_bypass

      msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
      msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set THREADS 20
      msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > run
      
  • Tomcat Manager login page

    • use auxiliary/scanner/http/tomcat_mgr_login

      msf > use auxiliary/scanner/http/tomcat_mgr_login
      msf auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/tomcat_mgr_login) > run
      
  • Authentication bypass based on HTTP methods

    • use auxiliary/scanner/http/verb_auth_bypass

      msf > use auxiliary/scanner/http/verb_auth_bypass
      msf auxiliary(scanner/http/verb_auth_bypass) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/verb_auth_bypass) > run
      

  • WordPress password brute-forcing

    • use auxiliary/scanner/http/wordpress_login_enum

      msf > use auxiliary/scanner/http/wordpress_login_enum
      msf auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 10.10.10.151
      msf auxiliary(scanner/http/wordpress_login_enum) > run
      

9. wmap

  • WMAP web application scanner

    • Developed with reference to how sqlmap works
    • load wmap
    • wmap_sites -a http://1.1.1.1 # add a site
    • wmap_targets -t http://1.1.1.1/mutillidae/index.php # add a target URL
    • wmap_run -t # list all modules that would run
    • wmap_run -e # start scanning
    • wmap_vulns -l # list the vulnerabilities found
    • vulns # show the vulnerabilities stored in the database

      msf > load wmap
      msf > wmap_sites -h
      msf > wmap_sites -a http://10.10.10.132
      msf > wmap_targets -t http://10.10.10.132/mutillidae/index.php
      msf > wmap_run -h
      msf > wmap_run -t
      msf > wmap_run -e
      msf > wmap_vulns -l
      

      msf > vulns
      

10. openvas

  • load openvas

    • Command-line mode; it requires configuration and is commonly used

      msf > load openvas 
      msf > openvas_help
      
  • Alternatively, scan with the OpenVAS scanner itself and generate a report

    • msf can import scan logs in nbe format
    • db_import openvas.nbe

      msf > db_import 1.nbe
      msf > vulns 
      
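The nbe file that db_import reads is a plain pipe-separated text format. As an added example, not part of the course and not Metasploit's importer, here is a small parser that turns such a file into the per-host view that vulns gives after import; the sample records and plugin IDs are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed NBE sample: one pipe-separated record per line; only "results"
# records carry findings, and the plugin IDs below are made up.
SAMPLE_NBE = """\
timestamps|||scan_start|Thu Mar  1 10:00:00 2018|
results|10.10.10|10.10.10.132|www (80/tcp)|100001|Security Hole|WebDAV directory is writable
results|10.10.10|10.10.10.132|vnc (5900/tcp)|100002|Security Hole|VNC server allows unauthenticated access
results|10.10.10|10.10.10.132|ssh (22/tcp)|100003|Security Note|SSH protocol version 2 supported
results|10.10.10|10.10.10.142|ms-wbt-server (3389/tcp)|100004|Security Warning|Host may be vulnerable\\nSee MS12-020
results|10.10.10|10.10.10.142|general/tcp|100005|Security Note|OS fingerprint: Windows
timestamps|||scan_end|Thu Mar  1 10:06:00 2018|
"""

PORT_RE = re.compile(r"^(?P<svc>\S+) \((?P<port>\d+)/(?P<proto>\w+)\)$")
SEVERITY_RANK = {"Log Message": 0, "Security Note": 1,
                 "Security Warning": 2, "Security Hole": 3}

def parse_nbe(text):
    """Return one finding per 'results' record; timestamps records are skipped."""
    findings = []
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 7:
            continue
        _, _subnet, host, portspec, plugin, severity, *rest = fields
        m = PORT_RE.match(portspec)          # "www (80/tcp)" vs "general/tcp"
        findings.append({
            "host": host, "plugin": plugin, "severity": severity,
            "service": m["svc"] if m else portspec,
            "port": int(m["port"]) if m else None,
            "proto": m["proto"] if m else portspec.split("/")[-1],
            "data": "|".join(rest).replace("\\n", "\n"),  # NBE escapes newlines
        })
    return findings

def summarize(findings):
    """Per-host severity counts, a compact view of what `vulns` lists."""
    by_host = defaultdict(Counter)
    for f in findings:
        by_host[f["host"]][f["severity"]] += 1
    return by_host

def at_least(findings, severity):
    """Findings at the given severity or worse, worst first."""
    floor = SEVERITY_RANK[severity]
    hits = [f for f in findings if SEVERITY_RANK.get(f["severity"], -1) >= floor]
    return sorted(hits, key=lambda f: -SEVERITY_RANK[f["severity"]])
```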

11. Calling Nessus directly from MSF to scan

  • load nessus
  • nessus_help
  • nessus_connect admin:[email protected]
  • nessus_policy_list
  • nessus_scan_new
  • nessus_report_list
