Kali Linux渗透测试 144 Mestasploit 弱点扫描

本文记录 Kali Linux 2018.1 学习使用和渗透测试的详细过程,教程为安全牛课堂里的《Kali Linux 渗透测试》课程

Kali Linux渗透测试(苑房弘)博客记录

1. 简介

  • 根据信息收集结果搜索漏洞利用模块
  • 结合外部漏洞扫描系统对大量IP地址段进行批量扫描
  • 误判率、漏判率

2. VNC 密码破解

  • use auxiliary/scanner/vnc/vnc_login

    msf > use auxiliary/scanner/vnc/vnc_login
    msf auxiliary(scanner/vnc/vnc_login) > set BLANK_PASSWORDS true
    msf auxiliary(scanner/vnc/vnc_login) > set THREADS 20
    msf auxiliary(scanner/vnc/vnc_login) > set RHOSTS 10.10.10.142
    msf auxiliary(scanner/vnc/vnc_login) > run
    

3. VNC 无密码访问(未设置密码)

  • use auxiliary/scanner/vnc/vnc_none_auth
  • supported : None, free access!

    msf > use auxiliary/scanner/vnc/vnc_none_auth
    msf auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 10.10.10.142
    msf auxiliary(scanner/vnc/vnc_none_auth) > run
    

4. RDP 远程桌面漏洞

  • use auxiliary/scanner/rdp/ms12_020_check
  • 检查不会造成 DoS 攻击.

    msf > use auxiliary/scanner/rdp/ms12_020_check
    msf auxiliary(scanner/rdp/ms12_020_check) > set RHOSTS 10.10.10.140-150
    msf auxiliary(scanner/rdp/ms12_020_check) > run
    

    说明存在漏洞

5. 设备后门

  • use auxiliary/scanner/ssh/juniper_backdoor #juniper 防火墙
  • use auxiliary/scanner/ssh/fortinet_backdoor # fortinet 防火墙

6. VMware ESXi 密码爆破

  • use auxiliary/scanner/vmware/vmauthd_login
  • use auxiliary/scanner/vmware/vmware_enum_vms

7. 利用 WEB API 远程开启虚拟机

  • use auxiliary/admin/vmware/poweron_vm

8. HTTP 弱点扫描

  • 过期证书:use auxiliary/scanner/http/cert

    msf > use auxiliary/scanner/http/cert
    msf auxiliary(scanner/http/cert) > set RHOSTS 10.10.10.130-150
    msf auxiliary(scanner/http/cert) > set THREADS 20
    msf auxiliary(scanner/http/cert) > run
    

  • 显示目录及文件

    • use auxiliary/scanner/http/dir_listing

      msf > use auxiliary/scanner/http/dir_listing
      msf auxiliary(scanner/http/dir_listing) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/dir_listing) > set PATH dav
      msf auxiliary(scanner/http/dir_listing) > run
      

    • use auxiliary/scanner/http/files_dir

      msf auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/files_dir
      msf auxiliary(scanner/http/files_dir) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/files_dir) > run
      

  • WebDAV Unicode 编码身份验证绕过

    • use auxiliary/scanner/http/dir_webdav_unicode_bypass

      msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
      msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set THREADS 20
      msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > run
      
  • Tomcat 管理登录页面

    • use auxiliary/scanner/http/tomcat_mgr_login

      msf > use auxiliary/scanner/http/tomcat_mgr_login
      msf auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/tomcat_mgr_login) > run
      
  • 基于 HTTP 方法的身份验证绕过

    • use auxiliary/scanner/http/verb_auth_bypass

      msf > use auxiliary/scanner/http/verb_auth_bypass
      msf auxiliary(scanner/http/verb_auth_bypass) > set RHOSTS 10.10.10.132
      msf auxiliary(scanner/http/verb_auth_bypass) > run
      

  • Wordpress 密码爆破

    • use auxiliary/scanner/http/wordpress_login_enum

      msf > use auxiliary/scanner/http/wordpress_login_enum
      msf auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 10.10.10.151
      msf auxiliary(scanner/http/wordpress_login_enum) > run
      

9. wmap

  • WMAP WEB 应用扫描器

    • 根据 sqlmap 的工作方式开发
    • load wmap
    • wmap_sites -a http://1.1.1.1
    • wmap_targets -t http://1.1.1.1/mutillidae/index.php
    • wmap_run -t # 列出所有模块
    • wmap_run -e # 开始扫描
    • wmap_vulns -l # 查看扫描出的漏洞
    • vulns

      msf > load wmap
      msf > wmap_sites -h
      msf > wmap_sites -a http://10.10.10.132
      msf > wmap_targets -t http://10.10.10.132/mutillidae/index.php
      msf > wmap_run -h
      msf > wmap_run -t
      msf > wmap_run -e
      msf > wmap_vulns -l
      

      msf > vulns
      

10. openvas

  • load openvas

    • 命令行模式,需要配置,使用频繁

      msf > load openvas 
      msf > openvas_help
      
  • 使用扫描器扫描之后生成报告

    • msf 导入 nbe 格式扫描日志
    • db_import openvas.nbe

      msf > db_import 1.nbe
      msf > vulns 
      

11. MSF 直接调用 nessus 执行扫描

  • load nessus
  • nessus_help
  • nessus_connect admin:[email protected]
  • nessus_policy_list
  • nessus_scan_new
  • nessus_report_list

你可能感兴趣的:(kali-linux)