Kali Linux渗透测试 144 Mestasploit 弱点扫描

本文记录 Kali Linux 2018.1 学习使用和渗透测试的详细过程，教程为安全牛课堂里的《Kali Linux 渗透测试》课程

Kali Linux渗透测试（苑房弘）博客记录

1. 简介

• 根据信息收集结果搜索漏洞利用模块
• 结合外部漏洞扫描系统对大量IP地址段进行批量扫描
• 误判率、漏判率

2. VNC 密码破解

• use auxiliary/scanner/vnc/vnc_login

  msf > use auxiliary/scanner/vnc/vnc_login
  msf auxiliary(scanner/vnc/vnc_login) > set BLANK_PASSWORDS true
  msf auxiliary(scanner/vnc/vnc_login) > set THREADS 20
  msf auxiliary(scanner/vnc/vnc_login) > set RHOSTS 10.10.10.142
  msf auxiliary(scanner/vnc/vnc_login) > run
  

3. VNC 无密码访问（未设置密码）

• use auxiliary/scanner/vnc/vnc_none_auth

• supported : None, free access!

  msf > use auxiliary/scanner/vnc/vnc_none_auth
  msf auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 10.10.10.142
  msf auxiliary(scanner/vnc/vnc_none_auth) > run
  

4. RDP 远程桌面漏洞

• use auxiliary/scanner/rdp/ms12_020_check

• 检查不会造成 DoS 攻击.

  msf > use auxiliary/scanner/rdp/ms12_020_check
  msf auxiliary(scanner/rdp/ms12_020_check) > set RHOSTS 10.10.10.140-150
  msf auxiliary(scanner/rdp/ms12_020_check) > run
  

  说明存在漏洞

5. 设备后门

• use auxiliary/scanner/ssh/juniper_backdoor #juniper 防火墙
• use auxiliary/scanner/ssh/fortinet_backdoor # fortinet 防火墙

6. VMware ESXi 密码爆破

• use auxiliary/scanner/vmware/vmauthd_login
• use auxiliary/scanner/vmware/vmware_enum_vms

7. 利用 WEB API 远程开启虚拟机

• use auxiliary/admin/vmware/poweron_vm

8. HTTP 弱点扫描

• 过期证书：use auxiliary/scanner/http/cert

  msf > use auxiliary/scanner/http/cert
  msf auxiliary(scanner/http/cert) > set RHOSTS 10.10.10.130-150
  msf auxiliary(scanner/http/cert) > set THREADS 20
  msf auxiliary(scanner/http/cert) > run
  

• 显示目录及文件

  • use auxiliary/scanner/http/dir_listing

    msf > use auxiliary/scanner/http/dir_listing
    msf auxiliary(scanner/http/dir_listing) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/dir_listing) > set PATH dav
    msf auxiliary(scanner/http/dir_listing) > run
    

  • use auxiliary/scanner/http/files_dir

    msf auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/files_dir
    msf auxiliary(scanner/http/files_dir) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/files_dir) > run
    

• WebDAV Unicode 编码身份验证绕过

  • use auxiliary/scanner/http/dir_webdav_unicode_bypass

    msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
    msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set THREADS 20
    msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > run
    

• Tomcat 管理登录页面

  • use auxiliary/scanner/http/tomcat_mgr_login

    msf > use auxiliary/scanner/http/tomcat_mgr_login
    msf auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/tomcat_mgr_login) > run
    

• 基于 HTTP 方法的身份验证绕过

  • use auxiliary/scanner/http/verb_auth_bypass

    msf > use auxiliary/scanner/http/verb_auth_bypass
    msf auxiliary(scanner/http/verb_auth_bypass) > set RHOSTS 10.10.10.132
    msf auxiliary(scanner/http/verb_auth_bypass) > run
    

• Wordpress 密码爆破

  • use auxiliary/scanner/http/wordpress_login_enum

    msf > use auxiliary/scanner/http/wordpress_login_enum
    msf auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 10.10.10.151
    msf auxiliary(scanner/http/wordpress_login_enum) > run
    

9. wmap

• WMAP WEB 应用扫描器

  • 根据 sqlmap 的工作方式开发
  • load wmap
  • wmap_sites -a http://1.1.1.1
  • wmap_targets -t http://1.1.1.1/mutillidae/index.php
  • wmap_run -t # 列出所有模块
  • wmap_run -e # 开始扫描
  • wmap_vulns -l # 查看扫描出的漏洞

  • vulns

    msf > load wmap
    msf > wmap_sites -h
    msf > wmap_sites -a http://10.10.10.132
    msf > wmap_targets -t http://10.10.10.132/mutillidae/index.php
    msf > wmap_run -h
    msf > wmap_run -t
    msf > wmap_run -e
    msf > wmap_vulns -l
    

    msf > vulns
    

10. openvas

• load openvas

  • 命令行模式，需要配置，使用频繁

    msf > load openvas 
    msf > openvas_help
    

• 使用扫描器扫描之后生成报告

  • msf 导入 nbe 格式扫描日志

  • db_import openvas.nbe

    msf > db_import 1.nbe
    msf > vulns 
    

11. MSF 直接调用 nessus 执行扫描

• load nessus
• nessus_help
• nessus_connect admin:[email protected]
• nessus_policy_list
• nessus_scan_new
• nessus_report_list