I spent the last few days studying this tool again and took some notes.
On Kali Linux
Start msfconsole
Start the database:
service postgresql start
Check its status:
service postgresql status
msf > service postgresql start
[*] exec: service postgresql start
help shows the built-in help.
Create a workspace:
workspace -a <name>
Check inside msf whether the database is connected:
msf > db_status
[*] postgresql connected to msf
msf > workspace -a test
[*] Added workspace: test
msf >
Switch to a workspace:
workspace <name>
Delete a workspace:
workspace -d <name>
Scan a host with nmap:
msf > workspace test
[*] Workspace: test
msf > db_nmap -sS 100.78.205.58
Result:
msf > workspace test
[*] Workspace: test
msf > db_nmap -sS 100.78.205.58
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-13 16:20 CST
[*] Nmap: Nmap scan report for 100.78.205.58
[*] Nmap: Host is up (0.030s latency).
[*] Nmap: Not shown: 996 filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 5357/tcp open wsdapi
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 63.74 seconds
Export:
msf > db_export 1.xml
Import:
db_import <file>
Where does the export go?
Type pwd to see the current directory; that is where the file is written.
List the scanned hosts:
hosts
List the scan results (services):
services
Information gathering modules
whois lookups can be run directly from the console:
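As an added example (not part of the original notes), this parser turns the `[*] Nmap:` lines that db_nmap prints into the same host/service records that `hosts` and `services` later list from the database. The sample session embedded in it is constructed from the scan output above; the host-name form of the report line is assumed from nmap's usual output.

```python
import re

# Constructed sample: the db_nmap session from the notes, as msfconsole prints it.
SAMPLE_OUTPUT = """\
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-13 16:20 CST
[*] Nmap: Nmap scan report for 100.78.205.58
[*] Nmap: Host is up (0.030s latency).
[*] Nmap: Not shown: 996 filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 5357/tcp open wsdapi
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 63.74 seconds
"""

PREFIX = "[*] Nmap: "
# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
# "135/tcp open msrpc" (the service name may be missing for unknown ports)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s*(\S*)")


def parse_db_nmap(output):
    """Return {address: {"name": ..., "state": ..., "services": [...]}}."""
    hosts = {}
    current = None
    for raw in output.splitlines():
        if not raw.startswith(PREFIX):
            continue  # console chatter that is not nmap output
        line = raw[len(PREFIX):].strip()
        m = REPORT_RE.match(line)
        if m:
            current = {"name": m.group(1), "state": "unknown", "services": []}
            hosts[m.group(2)] = current
            continue
        if current is None:
            continue
        if line.startswith("Host is up"):
            current["state"] = "alive"
            continue
        m = PORT_RE.match(line)
        if m:
            current["services"].append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "name": m.group(4) or None})
    return hosts


def services_table(hosts):
    """Rows in the order the msfconsole `services` command shows them."""
    return [(addr, s["port"], s["proto"], s["name"], s["state"])
            for addr, h in sorted(hosts.items())
            for s in sorted(h["services"], key=lambda s: (s["proto"], s["port"]))]
```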
msf > whois baidu.com
[*] exec: whois baidu.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Server Name: BAIDU.COM.CN
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Server Name: BAIDU.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
IP Address: 203.36.226.2
Registrar: INSTRA CORPORATION PTY, LTD.
Whois Server: whois.instra.net
Referral URL: http://www.instra.com
Server Name: BAIDU.COM.S18.4BO.CN
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Server Name: BAIDU.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.203
Registrar: TUCOWS DOMAINS INC.
Whois Server: whois.tucows.com
Referral URL: http://www.tucowsdomains.com
Server Name: BAIDU.COM.ZZZZZZ.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
IP Address: 203.36.226.2
Registrar: INSTRA CORPORATION PTY, LTD.
Whois Server: whois.instra.net
Referral URL: http://www.instra.com
...
nslookup can be used to query DNS as well.
Add -O to nmap to detect the operating system.
Once postgresql is started, msf connects to it automatically when opened.
You can also connect manually:
db_connect postgres:toor@127.0.0.1/msf
You can also connect to MySQL, but that always has to be done manually:
db_connect root:toor@127.0.0.1/msf3
This connects to the msf3 database on the local MySQL server.
MySQL's default password is toor; db_connect creates the msf3 database automatically when connecting.
Scan a network range for live IPs
IP ID sequence scanner, similar to nmap's -sI -O options:
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options
Module options (auxiliary/scanner/ip/ipidseq):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(ipidseq) > set RHOSTS 192.168.2.0/24
RHOSTS => 192.168.2.0/24
msf auxiliary(ipidseq) > set THREADS 50
THREADS => 50
msf auxiliary(ipidseq) > run
run starts the module.
Clear an option you have set:
unset <option>
Use the portscan module to scan ports:
msf > use auxiliary/scanner/portscan/syn
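The ipidseq module reports each host's IP ID sequence class. As an added example (not from the notes or from the module's own code), this is a simplified re-implementation of the classification that nmap's -sI/-O and ipidseq perform on the IP IDs returned by consecutive probes; the exact thresholds are assumed, not copied from either tool. From a hardening viewpoint the interesting result is a predictable ("Incremental") sequence, which is what a modern OS is expected to avoid by randomizing IP IDs.

```python
from typing import List

ALL_ZEROS = "All zeros"
CONSTANT = "Constant"
INCREMENTAL = "Incremental"
BROKEN_LE = "Broken little-endian incremental"
RPI = "Random positive increments"
RANDOM = "Randomized"
UNKNOWN = "Unknown"


def classify_ipids(ipids: List[int]) -> str:
    """Classify a sequence of 16-bit IP IDs sampled from consecutive replies.

    Simplified version of nmap's sequence analysis (assumption: thresholds
    approximate the real tool, they are not byte-exact).
    """
    if len(ipids) < 2:
        return UNKNOWN
    if all(i == 0 for i in ipids):
        return ALL_ZEROS
    # Differences between consecutive samples, modulo the 16-bit field width,
    # so a counter wrapping from 65535 to 0 still counts as an increment of 1.
    diffs = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]
    if all(d == 0 for d in diffs):
        return CONSTANT
    if len(ipids) > 2 and any(d > 20000 for d in diffs):
        return RANDOM
    # Large jumps that are not byte-swapped counters: random positive increments.
    if any(d > 1000 and (d % 256 != 0 or d >= 25600) for d in diffs):
        return RPI
    # Counter stored little-endian: increments appear as multiples of 256.
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return BROKEN_LE
    if all(d < 10 for d in diffs):
        return INCREMENTAL
    return RPI


def ipid_is_predictable(ipids: List[int]) -> bool:
    """True when a third party could predict the host's next IP ID, which
    is the property a host-hardening check should flag."""
    return classify_ipids(ipids) in (INCREMENTAL, BROKEN_LE, CONSTANT)
```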
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
INTERFACE no The name of the interface
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(syn) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) >
Service-specific scans
The smb_version module:
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(smb_version) >
Server Message Block (SMB) is a network file-sharing protocol that lets applications and end users access files on a remote file server.
Find MSSQL (SQL Server) hosts:
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options
Module options (auxiliary/scanner/mssql/mssql_ping):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
msf auxiliary(mssql_ping) >
Press TAB while typing to autocomplete the name; this also tells you whether you have typed it correctly.
SSH server scan:
msf auxiliary(mssql_ping) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe
msf auxiliary(ssh_version) >
Here I went straight from one module into another.
Basically all of these only need the target hosts and the thread count set.
Telnet server scan:
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options
Module options (auxiliary/scanner/telnet/telnet_version):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
RPORT 23 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the Telnet probe
USERNAME no The username to authenticate as
msf auxiliary(telnet_version) >
FTP host scan:
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(ftp_version) >
These all work basically the same way.
Scan for FTP anonymous login:
msf auxiliary(ftp_version) > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > show options
Module options (auxiliary/scanner/ftp/anonymous):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port
THREADS 1 yes The number of concurrent threads
Once a host is found, open another terminal and run ftp <IP>; log in with username anonymous and an empty password.
Some do not even ask for a username.
Find which hosts on the LAN are alive:
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options
Module options (auxiliary/scanner/discovery/arp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target address range or CIDR identifier
Scan web directories:
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > show options
Module options (auxiliary/scanner/http/dir_scanner):
Name Current Setting Required Description
---- --------------- -------- -----------
DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt no Path of word dictionary to use
PATH / yes The path to identify files
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
Scan SNMP hosts:
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > show options
Module options (auxiliary/scanner/snmp/snmp_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no The password to test
PASS_FILE /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt no File containing communities, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 161 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USER_AS_PASS false no Try the username as the password for all users
VERBOSE true yes Whether to print output for all attempts
VERSION 1 yes The SNMP version to scan (Accepted: 1, 2c, all)
Simple Network Management Protocol (SNMP) is a set of network-management standards consisting of an application-layer protocol, a database schema, and a set of data objects. It lets network-management systems monitor whether devices attached to the network show any condition that warrants administrative attention.
Collect e-mail addresses for a domain:
msf > use auxiliary/gather/search_email_collector
DOMAIN sets the domain name.
There is no thread option.
This one uses Google.
Sniffing / packet capture:
msf > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run
Just run it.
But it only captures FTP.