These notes record in detail the process of learning to use Metasploit on Kali Linux 2017.1:
- External information gathering
- Host discovery and port scanning
- Service scanning and enumeration
- Network vulnerability scanning
- The penetration-testing database and sharing of results
###1. testfire.net###
testfire.net is a mock banking website containing many typical web vulnerabilities; IBM built it as a demonstration target for AppScan.
###2. Mining target network information from DNS and IP addresses###
1. whois: domain registration lookup
Returns the domain owner, the registrar, the administrator e-mail address, and the registration and expiry dates of the domain.
msf > whois testfire.net
[*] exec: whois testfire.net
Domain Name: TESTFIRE.NET
Registry Domain ID: 8363973_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2017-07-19T05:16:54Z
Creation Date: 1999-07-23T13:52:32Z
Registry Expiry Date: 2018-07-23T13:52:32Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ASIA3.AKAM.NET
Name Server: EUR2.AKAM.NET
Name Server: EUR5.AKAM.NET
Name Server: NS1-206.AKAM.NET
Name Server: NS1-99.AKAM.NET
Name Server: USC2.AKAM.NET
Name Server: USC3.AKAM.NET
Name Server: USW2.AKAM.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-08-28T07:19:35Z <<<
2. nslookup: resolving the domain to an IP address
root@attacker:~# nslookup
> set type=A # query A records, i.e. resolve the name to IP addresses
> testfire.net
Server: 10.10.10.2
Address: 10.10.10.2#53
Non-authoritative answer:
Name: testfire.net
Address: 65.61.137.117
> exit
root@attacker:~# nslookup
> set type=MX
> testfire.net
Server: 10.10.10.2
Address: 10.10.10.2#53
Non-authoritative answer:
*** Can't find testfire.net: No answer
Authoritative answers can be found from:
testfire.net
origin = asia3.akam.net
mail addr = hostmaster.akamai.com
serial = 1366025603
refresh = 43200
retry = 7200
expire = 604800
minimum = 86400
3. dig: querying the official DNS server directly for a precise authoritative answer
root@attacker:~# dig @ns.watson.ibm.com testfire.net
; <<>> DiG 9.10.3-P4-Debian <<>> @ns.watson.ibm.com testfire.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35209
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testfire.net. IN A
;; Query time: 302 msec
;; SERVER: 129.34.20.80#53(129.34.20.80)
;; WHEN: Mon Aug 28 03:32:52 EDT 2017
;; MSG SIZE rcvd: 41
The query was refused: ns.watson.ibm.com is not authoritative for testfire.net (the whois record above lists the akam.net name servers), so an authoritative answer has to come from one of those servers.
4. IP2Location: geolocating an IP address
For IP addresses outside China: https://www.maxmind.com/zh/home (use its GeoIP service)
For IP addresses inside China: www.cz88.net
5. Netcraft: finding a site's subdomains
http://searchdns.netcraft.com/
For a more detailed report on a site: http://toolbar.netcraft.com/site_report
6. IP2Domain: reverse lookup from IP address to domain names
Mainly used to find the different virtual hosts that share one IP address.
For IP addresses outside China: www.ip-address.com/reverse_ip/65.61.137.117
For IP addresses inside China: http://www.7c.com/
###3. Information gathering through search engines###
1. Google Hacking
Browse the Google Hacking Database: https://www.exploit-db.com/google-hacking-database/
Automated tool SiteDigger, download link: https://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
Search Diggity download link
2. Exploring a site's directory structure
Searching Google for "parent directory site:testfire.net" returns demo.testfire.net - /bank/
inc files: site configuration information
bak: backup files
sql or txt: SQL scripts
The msf auxiliary modules brute_dirs, dir_listing and dir_scanner can do the same job.
Taking dir_scanner as an example:
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > show options
Module options (auxiliary/scanner/http/dir_scanner):
Name Current Setting Required Description
---- --------------- -------- -----------
DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt no Path of word dictionary to use
PATH / yes The path to identify files
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS www.testfire.net
RHOSTS => www.testfire.net
msf auxiliary(dir_scanner) > exploit
[*] Detecting error code
[*] Using code '404' as not found for 65.61.137.117
[*] Found http://65.61.137.117:80/Admin/ 403 (65.61.137.117)
[*] Found http://65.61.137.117:80/admin/ 403 (65.61.137.117)
[*] Found http://65.61.137.117:80/bank/ 200 (65.61.137.117)
[*] Found http://65.61.137.117:80/images/ 403 (65.61.137.117)
[*] Found http://65.61.137.117:80/static/ 403 (65.61.137.117)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
A hidden directory, Admin, was found: the server answered 403 (forbidden, so the directory exists but may not be accessed) rather than 404 (file not found).
If a robots.txt file is present in the web root, it deserves attention: it states the rules that crawlers are expected to follow when fetching the site's pages.
3. Searching for files of a specific type
Searching Google for site:testfire.net filetype:xls returns one document, which contains detailed contact information.
4. Searching for e-mail addresses on the site
Use the msf module search_email_collector.
5. Searching for pages with SQL injection
Searching Google for site:testfire.net inurl:login returns the back-end login URL.
Entering "admin 'OR' 1" as the username is enough to log in.
Entering "test OR 1=1--" as the username, with an arbitrary password, also logs in.
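To show the defender's side of the dir_scanner run above, here is an added Python example (not from the original post) that runs over constructed Apache access-log lines and flags a client that requests many non-existent or forbidden paths within a short window. It also lists the paths that answered 403, because those are exactly the directories whose existence the 403-versus-404 difference gives away; the IPs, paths and timestamps in the sample are made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed Apache "combined" access-log sample (not real traffic): one ordinary
# visitor and one client walking a directory wordlist, the pattern dir_scanner leaves.
SAMPLE_LOG = """\
65.61.137.10 - - [28/Aug/2017:03:40:01 -0400] "GET /bank/login.aspx HTTP/1.1" 200 5120 "-" "-"
10.10.10.128 - - [28/Aug/2017:03:41:00 -0400] "GET /Hsi8f2kQ/ HTTP/1.1" 404 292 "-" "-"
10.10.10.128 - - [28/Aug/2017:03:41:00 -0400] "GET /Admin/ HTTP/1.1" 403 288 "-" "-"
10.10.10.128 - - [28/Aug/2017:03:41:01 -0400] "GET /admin/ HTTP/1.1" 403 288 "-" "-"
10.10.10.128 - - [28/Aug/2017:03:41:01 -0400] "GET /backup/ HTTP/1.1" 404 292 "-" "-"
10.10.10.128 - - [28/Aug/2017:03:41:01 -0400] "GET /bank/ HTTP/1.1" 200 4100 "-" "-"
10.10.10.128 - - [28/Aug/2017:03:41:02 -0400] "GET /cgi-bin/ HTTP/1.1" 404 292 "-" "-"
10.10.10.128 - - [28/Aug/2017:03:41:02 -0400] "GET /images/ HTTP/1.1" 403 288 "-" "-"
10.10.10.128 - - [28/Aug/2017:03:41:02 -0400] "GET /static/ HTTP/1.1" 403 288 "-" "-"
10.10.10.128 - - [28/Aug/2017:03:41:03 -0400] "GET /test/ HTTP/1.1" 404 292 "-" "-"
65.61.137.10 - - [28/Aug/2017:03:45:12 -0400] "GET /bank/missing.gif HTTP/1.1" 404 292 "-" "-"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+')


@dataclass
class Alert:
    ip: str
    first_seen: datetime
    distinct_paths: int         # distinct paths answered 403/404 inside the window
    forbidden_paths: List[str]  # paths answered 403: they exist, so the scanner learned something


def parse_line(line: str):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def detect_dir_bruteforce(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Flag a source that hits at least `threshold` distinct 403/404 paths within `window`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["status"] in (403, 404):
            per_ip[e["ip"]].append(e)

    alerts: List[Alert] = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            # every error response from this source within `window` of event i
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            distinct = {e["path"] for e in in_window}
            if len(distinct) >= threshold:
                forbidden = sorted({e["path"] for e in in_window if e["status"] == 403})
                alerts.append(Alert(ip, start["ts"], len(distinct), forbidden))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_dir_bruteforce(SAMPLE_LOG):
        print(f"{a.ip}: {a.distinct_paths} error probes from {a.first_seen:%H:%M:%S}, "
              f"existing-but-forbidden paths: {a.forbidden_paths}")
```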
###4. Host discovery and port scanning###
1. ICMP ping scan
root@attacker:~# ping -c 5 www.dvssc.com
PING www.dvssc.com (10.10.10.129) 56(84) bytes of data.
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=1 ttl=64 time=0.322 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=2 ttl=64 time=0.211 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=3 ttl=64 time=0.247 ms
--- www.dvssc.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3055ms
rtt min/avg/max/mdev = 0.211/0.253/0.322/0.045 ms
2. msf host discovery modules
Path: /module/auxiliary/scanner/discovery/
The main ones are arp_sweep, empty_udp, ipv6_multicast_ping, ipv6_neighbor, ipv6_neighbor_router_advertisement, udp_probe and udp_sweep.
Commonly used:
arp_sweep: uses ARP requests to enumerate all live hosts on the local LAN
udp_sweep: sends UDP packets to check whether the specified hosts are alive and to discover the UDP services they run
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options
Module options (auxiliary/scanner/discovery/arp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target address range or CIDR identifier
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads
TIMEOUT 5 yes The number of seconds to wait for new data
msf auxiliary(arp_sweep) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run
[*] 10.10.10.1 appears to be up (VMware, Inc.).
[*] 10.10.10.2 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.129 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
3. Host discovery with Nmap
-sn: ping scan (ICMP), which finds the live hosts on the network
msf > nmap -sn 10.10.10.0/24
[*] exec: nmap -sn 10.10.10.0/24
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:43 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00048s latency).
MAC Address: 00:50:56:F1:2E:08 (VMware)
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.00019s latency).
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.000076s latency).
MAC Address: 00:0C:29:19:70:BF (VMware)
Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.07 seconds
-Pn: skip the ping scan
-PU: discover hosts by probing UDP ports. By default Nmap would then list open TCP ports; combined with -sn it only discovers live hosts and does not scan TCP ports.
msf > nmap -PU -sn 10.10.10.0/24
[*] exec: nmap -PU -sn 10.10.10.0/24
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:49 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.0013s latency).
MAC Address: 00:50:56:F1:2E:08 (VMware)
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.000073s latency).
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00017s latency).
MAC Address: 00:50:56:E7:DA:ED (VMware)
Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.00 seconds
4. Operating system identification
-O: identify the target operating system
msf > nmap -O 10.10.10.0/24
[*] exec: nmap -O 10.10.10.0/24
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:51 EDT
Nmap scan report for 10.10.10.1
Host is up (0.000081s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
6000/tcp open X11
24800/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49156/tcp open unknown
49161/tcp open unknown
49163/tcp open unknown
MAC Address: 00:50:56:C0:00:08 (VMware)
Device type: general purpose
Running: Microsoft Windows Vista|7|8.1
OS CPE: cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Vista, Windows 7 SP1, or Windows 8.1 Update 1
Network Distance: 1 hop
Nmap scan report for 10.10.10.2
Host is up (0.000086s latency).
All 1000 scanned ports on 10.10.10.2 are closed
MAC Address: 00:50:56:F1:2E:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running: VMware Player
OS CPE: cpe:/a:vmware:player
OS details: VMware Player virtual NAT device
Network Distance: 1 hop
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.00022s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
5001/tcp open commplex-link
8080/tcp open http-proxy
8081/tcp open blackice-icecap
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00021s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:50:56:E7:DA:ED (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up (0.000057s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.6
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.17 seconds
5. Port scanning and service type detection
msf > search portscan
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/wordpress_pingback_access normal Wordpress Pingback Locator
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner
The scanning modules:
natpmp_portscan
ack: probes which ports are not filtered by a firewall, using ACK packets
ftpbounce: enumerates TCP services using the FTP bounce technique
syn: detects open ports by sending packets with the TCP SYN flag set
tcp: determines whether a port is open by completing a full TCP connection
xmas: sends packets with the FIN, PSH and URG flags set; relatively stealthy
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(syn) > set RHOSTS 10.10.10.254
RHOSTS => 10.10.10.254
msf auxiliary(syn) > set THREADS 20
THREADS => 20
msf auxiliary(syn) > run
[*] TCP OPEN 10.10.10.254:22
[*] TCP OPEN 10.10.10.254:23
[*] TCP OPEN 10.10.10.254:53
[*] TCP OPEN 10.10.10.254:513
[*] TCP OPEN 10.10.10.254:514
[*] TCP OPEN 10.10.10.254:1099
6. Nmap port scanning
Six port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered
Scan types:
-sT: TCP connect scan
-sS: TCP SYN scan
-sF / -sX / -sN: send particular flag combinations to evade detection
-sP: sends ICMP echo requests to check whether hosts are alive, the same principle as ping
-sU: finds which UDP ports are open
-sA: TCP ACK scan
-sV: probes for more detailed service information
Scan options:
-Pn: do not send ICMP echo requests before scanning to test whether the target is alive
-O: fingerprint the remote host to determine its operating system
-F: fast scan, only the ports listed in nmap-services
-p: specify a port or port range
msf > nmap -sS -Pn 10.10.10.129
[*] exec: nmap -sS -Pn 10.10.10.129
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:45 EDT
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.00010s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
5001/tcp open commplex-link
8080/tcp open http-proxy
8081/tcp open blackice-icecap
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.20 second
7. Probing for more detailed service information with nmap
msf > nmap -sV -Pn 10.10.10.129
[*] exec: nmap -sV -Pn 10.10.10.129
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:46 EDT
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.000099s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Courier Imapd (released 2008)
443/tcp open ssl/http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open java-rmi Java RMI
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open http Jetty 6.1.25
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.40%I=7%D=8/28%Time=59A4D583%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4,"\xac\xed\0\x05");
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
msf > nmap -sV -Pn 10.10.10.130
[*] exec: nmap -sV -Pn 10.10.10.130
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:07 EDT
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00015s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 6.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
777/tcp open multiling-http?
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1030/tcp open msrpc Microsoft Windows RPC
1031/tcp open msrpc Microsoft Windows RPC
1521/tcp open oracle-tns Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
6002/tcp open http SafeNet Sentinel Protection Server httpd 7.3
7001/tcp open afs3-callback?
7002/tcp open http SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
8099/tcp open http Microsoft IIS httpd 6.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port777-TCP:V=7.40%I=7%D=8/28%Time=59A4DAC1%P=x86_64-pc-linux-gnu%r(Ker
SF:beros,5,"\x01\0\t\xe0\x06")%r(SMBProgNeg,5,"\x01\0\t\xe0\x06")%r(Termin
SF:alServer,A,"\x01\0\t\xe0\x06\x01\0\t\xe0\x06")%r(WMSRequest,5,"\x01\0\t
SF:\xe0\x06");
MAC Address: 00:0C:29:DB:51:D2 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.72 seconds
msf > nmap -sV -Pn 10.10.10.254
[*] exec: nmap -sV -Pn 10.10.10.254
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:09 EDT
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00024s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open ingreslock?
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1524-TCP:V=7.40%I=7%D=8/28%Time=59A4DAEE%P=x86_64-pc-linux-gnu%r(NU
SF:LL,27,"\x1b\[01;31mroot@gate\x1b\[00m:\x1b\[01;34m/\x1b\[00m#\x20")%r(G
MAC Address: 00:50:56:E7:DA:ED (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.99 seconds
###5. Analysis of the scan results###
| Host | OS | Main open ports | Service version |
|---|---|---|---|
| Web server (10.10.10.129) | Linux | ssh (22) | OpenSSH 5.3p1 |
| … | … | http (80) | Apache httpd 2.2.14 |
| … | … | netbios-ssn (139) | Samba smbd 3.X - 4.X |
| … | … | imap (143) | Courier Imapd (released 2008) |
| … | … | ssl/http (443) | Apache httpd 2.2.14 |
| … | … | netbios-ssn (445) | Samba smbd 3.X - 4.X |
| … | … | java-rmi (5001) | Java RMI |
| … | … | http (8080) | Apache Tomcat/Coyote JSP engine 1.1 |
| Back-end server (10.10.10.130) | Windows | ftp (21) | Microsoft ftpd |
| … | … | http (80) | Microsoft IIS httpd 6.0 |
| … | … | msrpc (135) | Microsoft Windows RPC |
| … | … | netbios-ssn (139) | Microsoft Windows netbios-ssn |
| … | … | microsoft-ds (445) | Microsoft Windows 2003 or 2008 microsoft-ds |
| … | … | msrpc (1025) | Microsoft Windows RPC |
| … | … | msrpc (1026) | Microsoft Windows RPC |
| … | … | msrpc (1030) | Microsoft Windows RPC |
| … | … | msrpc (1031) | Microsoft Windows RPC |
| … | … | oracle-tns (1521) | Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows) |
| … | … | http (6002) | SafeNet Sentinel Protection Server httpd 7.3 |
| … | … | http (7002) | SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console) |
| … | … | http (8099) | Microsoft IIS httpd 6.0 |
| Gateway server (10.10.10.254) | Linux | ftp (21) | vsftpd 2.3.4 |
| … | … | ssh (22) | OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) |
| … | … | telnet (23) | Linux telnetd |
| … | … | smtp (25) | Postfix smtpd |
| … | … | domain (53) | ISC BIND 9.4.2 |
| … | … | http (80) | Apache httpd 2.2.8 ((Ubuntu) DAV/2) |
| … | … | rpcbind (111) | 2 (RPC #100000) |
| … | … | netbios-ssn (139) | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
| … | … | netbios-ssn (445) | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
| … | … | exec (512) | netkit-rsh rexecd |
| … | … | rmiregistry (1099) | GNU Classpath grmiregistry |
| … | … | nfs (2049) | 2-4 (RPC #100003) |
| … | … | ftp (2121) | ProFTPD 1.3.1 |
| … | … | mysql (3306) | MySQL 5.0.51a-3ubuntu5 |
| … | … | postgresql (5432) | PostgreSQL DB 8.3.0 - 8.3.7 |
| … | … | vnc (5900) | VNC (protocol 3.3) |
| … | … | X11 (6000) | (access denied) |
| … | … | irc (6667) | UnrealIRCd |
| … | … | ajp13 (8009) | Apache Jserv (Protocol v1.3) |
| … | … | http (8180) | Apache Tomcat/Coyote JSP engine 1.1 |
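The table above was compiled by hand from the nmap -sV reports in section 4.7. As an added example (not from the original post), this Python script parses that report format into a per-host service inventory and renders the same table shape; the sample input is a trimmed, constructed copy of the page's own output, and the parser handles the services nmap leaves unconfirmed (a trailing "?" on the service name, or "tcpwrapped").

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the `nmap -sV -Pn` reports shown earlier on this page.
SAMPLE_NMAP = """\
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.000099s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30)
5001/tcp open  java-rmi    Java RMI
8081/tcp open  http        Jetty 6.1.25
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00024s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
513/tcp  open  login?
514/tcp  open  tcpwrapped
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
MAC Address: 00:50:56:E7:DA:ED (VMware)
Service Info: Hosts: metasploitable.localdomain; OSs: Unix, Linux
"""

# "Nmap scan report for 10.10.10.1" or "Nmap scan report for name (10.10.10.129)"
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
# "22/tcp   open  ssh   OpenSSH 5.3p1 ..."; the VERSION column may be absent
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$")
OS_RE = re.compile(r"\bOSs?: ([^;]+)")  # "OS: Linux" or "OSs: Unix, Linux" in Service Info


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    confirmed: bool  # False when nmap appended '?' to the service name


@dataclass
class Host:
    ip: str
    hostname: Optional[str] = None
    os_hint: Optional[str] = None
    services: List[Service] = field(default_factory=list)


def parse_nmap_sv(text: str) -> Dict[str, Host]:
    """Parse plain-text `nmap -sV` output into hosts keyed by IP address."""
    hosts: Dict[str, Host] = {}
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            current = Host(ip=m.group("ip"), hostname=m.group("name"))
            hosts[current.ip] = current
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            name = m.group("service")
            current.services.append(Service(
                port=int(m.group("port")), proto=m.group("proto"), state=m.group("state"),
                name=name.rstrip("?"), version=m.group("version") or "",
                confirmed=not name.endswith("?")))
            continue
        if line.startswith("Service Info:"):
            m = OS_RE.search(line)
            if m:
                current.os_hint = m.group(1).strip()
    return hosts


def inventory_rows(hosts: Dict[str, Host]) -> List[str]:
    """Render open services as markdown rows in the shape of the summary table above."""
    rows = ["| Host | OS | Open port | Service version |", "|---|---|---|---|"]
    for host in hosts.values():
        first = True
        for svc in sorted(host.services, key=lambda s: s.port):
            if svc.state != "open":
                continue
            label = f"{svc.name}({svc.port})" + ("" if svc.confirmed else " (unconfirmed)")
            host_cell = f"{host.hostname or ''} ({host.ip})".strip() if first else "…"
            os_cell = (host.os_hint or "unknown") if first else "…"
            rows.append(f"| {host_cell} | {os_cell} | {label} | {svc.version or '-'} |")
            first = False
    return rows


def unverified_services(hosts: Dict[str, Host]) -> List[Tuple[str, int, str]]:
    """Open services nmap could not positively identify; check these by hand before
    trusting the inventory."""
    return [(h.ip, s.port, s.name) for h in hosts.values() for s in h.services
            if s.state == "open" and (not s.confirmed or s.name == "tcpwrapped")]


if __name__ == "__main__":
    inventory = parse_nmap_sv(SAMPLE_NMAP)
    print("\n".join(inventory_rows(inventory)))
    print("needs manual verification:", unverified_services(inventory))
```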
###6. Possible attack paths###
| Possible attack path | Targets |
|---|---|
| Password guessing | 10.10.10.129: SSH, Samba; 10.10.10.130: SMB; 10.10.10.254: FTP, SSH, Telnet, MySQL, PostgreSQL |
| Password sniffing | 10.10.10.254: FTP, Telnet |
| In-depth system vulnerability scanning | the open ports of all live hosts |
| System vulnerability exploitation | security vulnerabilities in any of the open network services |
| Web application vulnerability scanning | 10.10.10.129: Apache, Apache Tomcat; 10.10.10.254: Apache, Apache Tomcat |
| Web application vulnerability exploitation | 10.10.10.129: Apache, Apache Tomcat; 10.10.10.254: Apache, Apache Tomcat |
###7. Service scanning and enumeration###
Once the open ports are known, the next step is usually to dig deeper into the services running on them; this is commonly called network enumeration.
The msf Scanner auxiliary modules include many service scanning and enumeration tools, usually named [service_name]_version and [service_name]_login:
[service_name]_version: walks the network for hosts running a given service and determines the service version
[service_name]_login: performs password guessing against a given service
msf > search name:_version
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/fuzzers/ssh/ssh_version_15 normal SSH 1.5 Version Fuzzer
auxiliary/fuzzers/ssh/ssh_version_2 normal SSH 2.0 Version Fuzzer
auxiliary/fuzzers/ssh/ssh_version_corrupt normal SSH Version Corruption
auxiliary/gather/ibm_sametime_version 2013-12-27 normal IBM Lotus Sametime Version Enumeration
auxiliary/scanner/db2/db2_version normal DB2 Probe Utility
auxiliary/scanner/ftp/ftp_version normal FTP Version Scanner
auxiliary/scanner/h323/h323_version normal H.323 Version Scanner
auxiliary/scanner/http/coldfusion_version normal ColdFusion Version Scanner
auxiliary/scanner/http/http_version normal HTTP Version Detection
auxiliary/scanner/http/joomla_version normal Joomla Version Scanner
auxiliary/scanner/http/sap_businessobjects_version_enum normal SAP BusinessObjects Version Detection
auxiliary/scanner/http/ssl_version 2014-10-14 normal HTTP SSL/TLS Version Detection (POODLE scanner)
auxiliary/scanner/http/svn_scanner normal HTTP Subversion Scanner
auxiliary/scanner/imap/imap_version normal IMAP4 Banner Grabber
auxiliary/scanner/ipmi/ipmi_version normal IPMI Information Discovery
auxiliary/scanner/lotus/lotus_domino_version normal Lotus Domino Version
auxiliary/scanner/mysql/mysql_version normal MySQL Server Version Enumeration
auxiliary/scanner/oracle/tnslsnr_version 2009-01-07 normal Oracle TNS Listener Service Version Query
auxiliary/scanner/pop3/pop3_version normal POP3 Banner Grabber
auxiliary/scanner/postgres/postgres_version normal PostgreSQL Version Probe
auxiliary/scanner/printer/printer_version_info normal Printer Version Information Scanner
auxiliary/scanner/sap/sap_mgmt_con_version normal SAP Management Console Version Detection
auxiliary/scanner/scada/digi_addp_version normal Digi ADDP Information Discovery
auxiliary/scanner/scada/digi_realport_version normal Digi RealPort Serial Server Version
auxiliary/scanner/scada/modbusdetect 2011-11-01 normal Modbus Version Scanner
auxiliary/scanner/smb/smb_version normal SMB Version Detection
auxiliary/scanner/smtp/smtp_version normal SMTP Banner Grabber
auxiliary/scanner/snmp/aix_version normal AIX SNMP Scanner Auxiliary Module
auxiliary/scanner/ssh/ssh_version normal SSH Version Scanner
auxiliary/scanner/telnet/lantronix_telnet_version normal Lantronix Telnet Service Banner Detection
auxiliary/scanner/telnet/telnet_version normal Telnet Service Banner Detection
auxiliary/scanner/vmware/vmauthd_version normal VMWare Authentication Daemon Version Scanner
auxiliary/scanner/vxworks/wdbrpc_version normal VxWorks WDB Agent Version Scanner
exploit/multi/svn/svnserve_date 2004-05-19 average Subversion Date Svnserve
exploit/windows/browser/crystal_reports_printcontrol 2010-12-14 normal Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
exploit/windows/fileformat/digital_music_pad_pls 2010-09-17 normal Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow
exploit/windows/fileformat/orbit_download_failed_bof 2008-04-03 normal Orbit Downloader URL Unicode Conversion Overflow
exploit/windows/fileformat/realplayer_ver_attribute_bof 2013-12-20 normal RealNetworks RealPlayer Version Attribute Buffer Overflow
exploit/windows/ftp/filecopa_list_overflow 2006-07-19 average FileCopa FTP Server Pre 18 Jul Version
exploit/windows/scada/iconics_genbroker 2011-03-21 good Iconics GENESIS32 Integer Overflow Version 9.21.201.01
1. Common network service scans
Telnet service scan
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(telnet_version) > set THREADS 100
THREADS => 100
msf auxiliary(telnet_version) > run
[*] 10.10.10.254:23 gate.dvssc.com login: _ _ _ _ _ ____ \x0a _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a |_| \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0agate.dvssc.com login:
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Result: 10.10.10.254 has Telnet open
SSH service scan
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(ssh_version) > set THREADS 100
THREADS => 100
msf auxiliary(ssh_version) > run
[*] 10.10.10.128:22 - SSH server version: SSH-2.0-OpenSSH_7.4p1 Debian-10
[*] 10.10.10.129:22 - SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4 ( service.version=5.3p1 openssh.comment=Debian-3ubuntu4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=10.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 10.10.10.254:22 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=8.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] Auxiliary module execution completed
Result: 10.10.10.254 and 10.10.10.129 have SSH open
2. Oracle database service enumeration
msf > use auxiliary/scanner/oracle/tnslsnr_version
msf auxiliary(tnslsnr_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(tnslsnr_version) > set THREADS 50
THREADS => 50
msf auxiliary(tnslsnr_version) > run
[*] Scanned 50 of 256 hosts (19% complete)
[+] 10.10.10.130:1521 - 10.10.10.130:1521 Oracle - Version: 32-bit Windows: Version 10.2.0.1.0 - Production
[*] Scanned 129 of 256 hosts (50% complete)
[*] Scanned 167 of 256 hosts (65% complete)
[*] Scanned 184 of 256 hosts (71% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Result: 10.10.10.130 has port 1521 (Oracle SQL) open
SQL Server listens on port 1433
Oracle SQL listens on port 1521
3. Open proxy detection and use
open_proxy: a convenient way to find the addresses of free HTTP proxy servers
msf > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > show options
Module options (auxiliary/scanner/http/open_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECKURL http://www.google.com yes The web site to test via alleged web proxy
MULTIPORTS false no Multiple ports will be used: 80, 443, 1080, 3128, 8000, 8080, 8123
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VALIDCODES 200,302 yes Valid HTTP code for a successfully request
VALIDPATTERN 302 Moved yes Valid pattern match (case-sensitive into the headers and HTML body) for a successfully request
VERIFYCONNECT false no Enable CONNECT HTTP method check
VHOST no HTTP server virtual host
msf auxiliary(open_proxy) > set SITE www.google.com
SITE => www.google.com
msf auxiliary(open_proxy) > set RHOSTS 24.25.24.1-24.25.26.254
RHOSTS => 24.25.24.1-24.25.26.254
msf auxiliary(open_proxy) > set MULTIPORTS true
MULTIPORTS => true
msf auxiliary(open_proxy) > set THREADS 100
THREADS => 100
msf auxiliary(open_proxy) > run
[*] Scanned 102 of 766 hosts (13% complete)
[*] Scanned 397 of 766 hosts (51% complete)
[*] Scanned 766 of 766 hosts (100% complete)
[*] Auxiliary module execution completed
4. SSH password guessing and sniffing
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS 10.10.10.254
RHOSTS => 10.10.10.254
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/words.txt
PASS_FILE => /root/words.txt
msf auxiliary(ssh_login) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_login) > run
[*] SSH - Starting bruteforce
[-] SSH - Failed: 'root:123456'
[-] SSH - Failed: 'root:ubuntu'
[+] SSH - Success: 'root:toor' 'uid=0(root) gid=0(root) groups=0(root) Linux gate.dvssc.com 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.10.128:42501 -> 10.10.10.254:22) at 2017-08-29 01:18:09 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
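As an added example (not from the original post), this Python detection logic runs over constructed sshd auth-log lines of the kind the ssh_login run above would leave on gate.dvssc.com: it flags repeated failed passwords from one source for one account and, more importantly, a successful login that follows a run of failures, which is what a guessed password looks like from the server side. The log year is assumed because syslog timestamps omit it, and the hostnames, PIDs and ports in the sample are made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sshd auth-log sample (not a real capture): a password-guessing run that
# succeeds on the fourth try, a legitimate key-based login, and one stray failure.
SAMPLE_AUTH_LOG = """\
Aug 29 01:18:05 gate sshd[2201]: Failed password for root from 10.10.10.128 port 42490 ssh2
Aug 29 01:18:06 gate sshd[2203]: Failed password for root from 10.10.10.128 port 42493 ssh2
Aug 29 01:18:07 gate sshd[2205]: Failed password for root from 10.10.10.128 port 42497 ssh2
Aug 29 01:18:09 gate sshd[2207]: Accepted password for root from 10.10.10.128 port 42501 ssh2
Aug 29 01:20:00 gate sshd[2300]: Accepted publickey for msfadmin from 10.10.10.1 port 50000 ssh2
Aug 29 01:21:00 gate sshd[2310]: Failed password for invalid user test from 10.10.10.1 port 50010 ssh2
"""

# "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")


@dataclass
class Alert:
    kind: str       # "guessing": many failures; "compromise": success right after failures
    source: str
    user: str
    failures: int
    when: datetime


def parse_events(text: str, year: int) -> List[dict]:
    """Parse sshd login results, oldest first. The year is supplied because syslog omits it."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"),
            "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_ssh_bruteforce(text: str, year: int = 2017, threshold: int = 3,
                          success_after: int = 2,
                          window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Sliding-window detection per (source IP, account)."""
    recent: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    reported = set()
    alerts: List[Alert] = []
    for e in parse_events(text, year):
        key = (e["ip"], e["user"])
        # keep only the failures that still fall inside the window
        fails = [t for t in recent[key] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            fails.append(e["ts"])
            if len(fails) >= threshold and key not in reported:
                alerts.append(Alert("guessing", e["ip"], e["user"], len(fails), e["ts"]))
                reported.add(key)
        else:
            # a success preceded by failures from the same source is the ssh_login outcome above
            if len(fails) >= success_after:
                alerts.append(Alert("compromise", e["ip"], e["user"], len(fails), e["ts"]))
            fails = []  # the window restarts after a successful login
        recent[key] = fails
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{a.when:%b %d %H:%M:%S} {a.kind}: {a.source} -> {a.user} "
              f"after {a.failures} failed attempts")
```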
5. psnuffle password sniffing
msf > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run
[*] Auxiliary module execution completed
[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
msf auxiliary(psnuffle) > [*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
6. Using OpenVAS from inside Metasploit
0. Start the OpenVAS service
root@attacker:~# openvas-start
1. Load the OpenVAS plugin in Metasploit
msf > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*] Successfully loaded plugin: OpenVAS
2. Connect to OpenVAS. Usage: openvas_connect username password host port
msf > openvas_connect admin toor 127.0.0.1 9390 ok
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
[+] OpenVAS list of targets
ID Name Hosts Max Hosts In Use Comment
-- ---- ----- --------- ------ -------
5e78a0e1-6569-45d9-8474-d7c83d0ea8ff test2 10.10.10.254 1 0 Metasploitable
971d579a-b65c-406c-9737-b4d946fb68b1 UUUU 10.10.10.254 1 1 Mwtasploitable
3. List the OpenVAS scan configs
msf > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs
ID Name
-- ----
085569ce-73ed-11df-83c3-002264764cea empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5 Host Discovery
698f691e-7489-11df-9d8c-002264764cea Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea Full and very deep
74db13d6-7489-11df-91b9-002264764cea Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196 Discovery
bbca7412-a950-11e3-9109-406186ea4fc5 System Discovery
daba56c8-73ec-11df-a475-002264764cea Full and fast
4. Create a scan task. Usage: openvas_task_create
msf > openvas_task_create test-scan "Scan of test2 Metasploitable" daba56c8-73ec-11df-a475-002264764cea 5e78a0e1-6569-45d9-8474-d7c83d0ea8ff
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba UUOO OOOOOOOOO Done -1
b4baa75d-9d51-4393-a8fd-66a0480bda28 test-scan Scan of test2 Metasploitable New -1
5. Start the scan task. Usage: openvas_task_start
msf > openvas_task_start b4baa75d-9d51-4393-a8fd-66a0480bda28
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba UUOO OOOOOOOOO Done -1
b4baa75d-9d51-4393-a8fd-66a0480bda28 test-scan Scan of test2 Metasploitable Requested 1
6. List the scan tasks
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba UUOO OOOOOOOOO Done -1
b4baa75d-9d51-4393-a8fd-66a0480bda28 test-scan Scan of test2 Metasploitable Running 1
7. List the scan tasks again
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba UUOO OOOOOOOOO Done -1
b4baa75d-9d51-4393-a8fd-66a0480bda28 test-scan Scan of test2 Metasploitable Done -1
8. After the scan completes, list the scan reports
msf > openvas_report_list
ID Task Name Start Time Stop Time
-- --------- ---------- ---------
752e8852-68f4-4bff-a23c-92767a6c9bd7 test-scan 2017-08-30T06:12:51Z 2017-08-30T06:13:06Z
babf1f94-c1ca-4b4e-b678-a0cd355c6a72 UUOO 2017-08-30T00:42:12Z 2017-08-30T01:06:41Z
9. List the supported report formats
msf > openvas_format_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats
ID Name Extension Summary
-- ---- --------- -------
5057e5cc-b825-11e4-9d0e-28d24461215b Anonymous XML xml Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b Verinice ITG vna Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5 CPE csv Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5 HTML html Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5 ITG csv German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5 CSV Hosts csv CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5 ARF xml Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 NBE nbe Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd Topology SVG svg Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5 TXT txt Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5 LaTeX tex LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5 XML xml Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15 Verinice ISM vna Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5 CSV Results csv CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5 PDF pdf Portable Document Format report.
10. Download the scan report. Usage: openvas_report_download
msf > openvas_report_download
[*] Usage: openvas_report_download
msf > openvas_report_download 752e8852-68f4-4bff-a23c-92767a6c9bd7 c402cc3e-b531-11e1-9163-406186ea4fc5 /root/reports/ tast2_scan_report.pdf
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[*] Saving report to /root/reports/tast2_scan_report.pdf
7. Finding vulnerabilities in specific services
nmap script location: /usr/share/nmap/scripts
root@attacker:/usr/share/nmap/scripts# nmap --script=smb-check-vulns 10.10.10.130
Error message: NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:801: 'smb-check-vulns.nse' did not match a category, filename, or directory
This is because the smb-check-vulns.nse script was removed starting with Nmap 6.49beta6.
It was split into six scripts: smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067.
Pick the script that matches your needs. If you are not sure which one to run, use smb-vuln-*.nse to select all of them.
root@attacker:/usr/share/nmap/scripts# nmap --script=smb-vuln-*.nse 10.10.10.130
Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-30 08:12 EDT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00022s latency).
Not shown: 985 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
777/tcp open multiling-http
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1031/tcp open iad2
1521/tcp open oracle
6002/tcp open X11:2
7001/tcp open afs3-callback
7002/tcp open afs3-prserver
8099/tcp open unknown
MAC Address: 00:0C:29:DB:51:D2 (VMware)
Host script results:
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds
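As an added example (not from the original notes), a small Python parser for the host-script block nmap prints above: it records each smb-vuln-* script's reported state and the CVE IDs it cites, so the VULNERABLE findings can be pulled out for triage without reading the whole report. The sample block is constructed to follow the layout of the Nmap 7.60 output shown.

```python
import re

# Constructed sample of nmap's normal-output host-script block, laid out like
# the Nmap 7.60 smb-vuln-* results above (assumption: same indentation rules).
SAMPLE_OUTPUT = """\
Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|     Disclosure date: 2009-09-08
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds
"""

SCRIPT_START = re.compile(r"^\|_?\s*(smb-vuln-[\w.-]+):\s*(.*)$")
STATE_LINE = re.compile(r"^\|\s+State:\s+(\S+)")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_host_scripts(text):
    """Map each smb-vuln-* script to its reported state and the CVE IDs it
    cites. One-line results ('|_script: false') keep their literal value
    as the state; multi-line results take the 'State:' field."""
    results = {}
    current = None
    for line in text.splitlines():
        m = SCRIPT_START.match(line)
        if m:
            current = {"state": m.group(2).strip() or None, "cves": []}
            results[m.group(1)] = current
            continue
        if current is None or not line.startswith("|"):
            current = None  # left the host-script block
            continue
        s = STATE_LINE.match(line)
        if s:
            current["state"] = s.group(1)
        for cve in CVE_ID.findall(line):
            if cve not in current["cves"]:
                current["cves"].append(cve)
    return results


def vulnerable(results):
    """Names of the scripts that reported State: VULNERABLE, for triage."""
    return sorted(n for n, r in results.items() if r["state"] == "VULNERABLE")
```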
###8. Analysis of the vulnerability scan results###
Server | OS | High-risk vulnerability | Reference |
---|---|---|---|
Back-end server (10.10.10.130) | Windows | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service | CVE-2017-7269 |
… | … | IIS FTP Service RCE and DoS Vulnerability | CVE-2009-3023 |
… | … | IIS FTP Service RCE and DoS Vulnerability | CVE-2009-3023 |
… | … | Integer Overflow in IPP Service Vulnerability | CVE-2008-1446 |
… | … | Integer Overflow in IPP Service Vulnerability | CVE-2008-1446 |
… | … | IIS Authentication Memory Corruption Vulnerability | CVE-2010-1256 |
… | … | IIS Authentication Memory Corruption Vulnerability | CVE-2010-1256 |
… | … | The WebDAV extension in Microsoft Internet Information Services | CVE-2009-1535 |
… | … | IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability | CVE-2009-1535 |
… | … | Microsoft Internet Information Services | CVE-2009-4444 |
… | … | Microsoft Internet Information Services | CVE-2009-4444 |
… | … | IIS Repeated Parameter Request Denial of Service Vulnerability | CVE-2010-1899 |
… | … | IIS Repeated Parameter Request Denial of Service Vulnerability | CVE-2010-1899 |
… | … | Inverse Lookup Log Corruption (ILLC) | CVE-2003-1582 |
… | … | IIS FTP Service DoS Vulnerability | CVE-2009-2521 |
… | … | Inverse Lookup Log Corruption (ILLC) | CVE-2003-1582 |
… | … | IIS FTP Service DoS Vulnerability | CVE-2009-2521 |
Server | OS | High-risk vulnerability | Reference |
---|---|---|---|
Gateway server (10.10.10.254) | Linux | ProFTPD Server SQL Injection Vulnerability | CVE-2009-0542 |
… | … | ProFTPD Long Command Handling Security Vulnerability | CVE-2008-4242 |
… | … | PHP < 5.2.13 Multiple Vulnerabilities | CVE-2010-1128 |
… | … | PHP 'sqlite_single_query()' and 'sqlite_array_query()' Arbitrary Code Execution | |
… | … | PHP Multiple Information Disclosure Vulnerabilities | CVE-2010-2190 |
… | … | Heap-based buffer overflow in 'mbstring' extension for PHP | CVE-2008-5557 |
… | … | PHP Multiple Vulnerabilities Dec-09 | CVE-2009-4018 |
… | … | PHP '_gdGetColors()' Buffer Overflow Vulnerability | CVE-2009-3546 |
… | … | http TRACE XSS attack | CVE-2004-2320 |
… | … | PHP Multiple Buffer Overflow Vulnerabilities | CVE-2008-3659 |
… | … | PHP Interruptions and Calltime Arbitrary Code Execution Vulnerability | |
… | … | PHP 'SplObjectStorage' Unserializer Arbitrary Code Execution Vulnerability | CVE-2010-2225 |
… | … | Samba SID Parsing Remote Buffer Overflow Vulnerability | CVE-2010-3069 |
… | … | Samba multiple vulnerabilities | CVE-2009-2813 |
… | … | Samba 'mount.cifs' Utility Local Privilege Escalation Vulnerability | CVE-2009-3297 |
… | … | Samba 'SMB1 Packet Chaining' Unspecified Remote Memory Corruption Vulnerability | CVE-2010-2063 |
Server | OS | High-risk vulnerability | Reference |
---|---|---|---|
Web server (10.10.10.129) | Linux | Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba | CVE-2013-4408 |
… | … | Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body | CVE-2014-0230 |
… | … | Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests | CVE-2011-3190 |
… | … | an attacker can reach JMX ports | CVE-2016-8735 |
… | … | Stack-based buffer overflow in Samba | CVE-2010-3069 |
… | … | allows remote attackers to inject a request into a session by sending this request during completion of the login form | CVE-2013-2067 |
… | … | apache:tomcat:6.0.24 the attacker could poison a web-cache | CVE-2016-6816 |
… | … | Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba | CVE-2011-2522 |
… | … | The MS-SAMR and MS-LSAD protocol implementations in Samba | CVE-2016-2118 |
… | … | The session-persistence implementation in Apache Tomcat | CVE-2016-0714 |
… | … | allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection | CVE-2012-2111 |
… | … | Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header | CVE-2010-2227 |
… | … | The default configuration of Apache Tomcat | CVE-2010-4312 |
… | … | allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding | CVE-2014-0227 |
###9. The penetration testing database###
db_nmap: stores nmap scan results directly in the database
db_import: imports the results produced by external scanners
msf > db_status
[*] postgresql selected, no connection
Connecting to the database:
root@attacker:~# systemctl start postgresql.service
msf > db_status
[*] postgresql connected to msf
1. db_nmap is a wrapper around nmap; the difference is that it writes the results to the database automatically
msf > db_nmap -Pn -sV 10.10.10.0/24
[*] Nmap: Nmap done: 256 IP addresses (6 hosts up) scanned in 411.47 seconds
2. Alternatively, export the scan results to a file and import that file into the penetration testing database
msf > nmap -Pn -sV -oX dmz 10.10.10.0/24
root@attacker:~# ll dmz
-rw-r--r-- 1 root root 18799 Sep 1 10:32 dmz
msf > db_import /root/dmz
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.8.0'
[*] Importing host 10.10.10.1
[*] Importing host 10.10.10.2
[*] Importing host 10.10.10.129
[*] Importing host 10.10.10.130
[*] Importing host 10.10.10.128
[*] Successfully imported /root/dmz
###10. OpenVAS and the penetration testing database###
1. Connect to openvas
root@attacker:~# openvas-start
Starting OpenVas Services
msf > openvas_connect admin toor 127.0.0.1 9390 ok
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
2. Find the report you want to import
msf > openvas_report_list
[+] OpenVAS list of reports
ID Task Name Start Time Stop Time
-- --------- ---------- ---------
07b3eba7-a110-4117-b603-7e50de27759f Oswapbwa 2017-08-30T14:41:15Z 2017-08-31T03:02:28Z
6a0bbe85-3eeb-49e1-8440-32988f6079c8 WIndows 2K3 2017-08-31T01:07:01Z 2017-08-31T01:47:53Z
d7d88501-fe7d-44d3-8b70-566d49758e3a Ubuntu-scan 2017-08-30T14:41:20Z
eac5169e-290e-4be1-9adf-8a401d806fb2 Ubuntu-Scan 2017-08-31T01:12:44Z 2017-08-31T03:30:24Z
3. List the supported report formats
msf > openvas_format_list
[+] OpenVAS list of report formats
ID Name Extension Summary
-- ---- --------- -------
5057e5cc-b825-11e4-9d0e-28d24461215b Anonymous XML xml Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b Verinice ITG vna Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5 CPE csv Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5 HTML html Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5 ITG csv German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5 CSV Hosts csv CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5 ARF xml Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 NBE nbe Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd Topology SVG svg Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5 TXT txt Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5 LaTeX tex LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5 XML xml Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15 Verinice ISM vna Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5 CSV Results csv CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5 PDF pdf Portable Document Format report.
4. Import into the database (here the Oswapbwa scan report in NBE format)
msf > openvas_report_import 07b3eba7-a110-4117-b603-7e50de27759f 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
[*] Importing report to database.
5. After a successful import, use vulns to view the imported vulnerability information
msf > vulns
[*] Time: 2017-09-01 14:51:32 UTC Vuln: host=10.10.10.129 name=ICMP Timestamp Detection refs=CVE-1999-0524
###11. Sharing your penetration testing database###
In Metasploit, the penetration testing database can be shared in two ways:
- Have several computers running Metasploit connect to the same network database
- Use the MSF RPC service
- Have several computers running Metasploit connect to the same network database
1. Check whether the postgres process is running
root@gate:~# netstat -tulnp | grep "postgres"
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 4907/postgres
tcp6 0 0 :::5432 :::* LISTEN 4907/postgres
2. Change the database listen address
root@attacker:~# vim /etc/postgresql/9.6/main/postgresql.conf
listen_addresses = '0.0.0.0' # line 59
password_encryption = on # line 88
3. pg_hba.conf is the client authentication configuration file; it defines how clients are authenticated
root@attacker:~# vim /etc/postgresql/9.6/main/pg_hba.conf
host all all 0.0.0.0/24 md5 # line 93
4. Restart the postgres database service
root@attacker:~# systemctl restart postgresql.service
5. Check again that the postgresql service is running normally
root@attacker:~# netstat -tulnp |grep "postgres"
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 7564/postgres
6. Check the postgres database settings used by msf
root@attacker:~# vim /usr/share/metasploit-framework/config/database.yml
development: &pgsql
  adapter: postgresql
  database: msf
  username: msf
  password: admin
  host: localhost
  port: 5432
  pool: 200
  timeout: 5
7. The database details are therefore:
postgres address: 10.10.10.128
postgres port: 5432
postgres user: msf
postgres password: admin
postgresql database: msf
8. Start an msf console on another computer
msf > db_disconnect
msf > db_status
[*] postgresql selected, no connection
msf > db_connect msf:admin@10.10.10.128:5432/msf
[*] Rebuilding the module cache in the background...
msf > db_status
[*] postgresql connected to msf
9. Test that the connection works
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
10.10.10.1 00:50:56:c0:00:08 Windows Vista client
10.10.10.2 00:50:56:f0:84:fe Unknown device
10.10.10.128 attacker.dvssc.com Unknown device
10.10.10.129 00:0c:29:19:70:bf www.dvssc.com Unknown device
10.10.10.130 00:0c:29:db:51:d2 service.dvssc.com Windows XP client
10.10.10.133 Linux 3.X server
10.10.10.254 00:0c:29:19:70:bf gate.dvssc.com Linux 2.6.X server
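One caveat on steps 2 and 3: in pg_hba.conf the address 0.0.0.0/24 covers only 0.0.0.0 to 0.0.0.255, so a client on 10.10.10.x does not match that rule, and "all all" grants every role access to every database once the rule is widened. The fragment below is an added example (not the configuration from the notes) that narrows the listener and the pg_hba rule to the msf role, the msf database and the lab subnet used on this page.

```conf
# /etc/postgresql/9.6/main/postgresql.conf (keep only one listen_addresses line)
# As set in step 2: listen on every interface
listen_addresses = '0.0.0.0'
# Added example: loopback plus the one address the other Metasploit hosts reach
listen_addresses = 'localhost,10.10.10.128'

# /etc/postgresql/9.6/main/pg_hba.conf
# TYPE  DATABASE  USER  ADDRESS        METHOD
# As set in step 3: 0.0.0.0/24 matches only 0.0.0.0-0.0.0.255, "all all" is every role and database
host    all       all   0.0.0.0/24     md5
# Added example: only the msf role, only the msf database, only from the lab subnet
host    msf       msf   10.10.10.0/24  md5
```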
- Use the MSF RPC service
1. First start a new msf rpc service: -P sets the password required to connect, -U the username, and -a the bind address (default 127.0.0.1)
root@attacker:~# msfrpcd -P admin -U msf -a 0.0.0.0
[*] MSGRPC starting on 0.0.0.0:55553 (SSL):Msg...
[*] MSGRPC backgrounding at 2017-09-06 21:38:09 -0400...
root@attacker:~# netstat -tulnp| grep msfrpcd
tcp 0 0 0.0.0.0:55553 0.0.0.0:* LISTEN 1794/msfrpcd
2. On another computer with a matching msf4 version installed, start the MSF GUI (the current one is armitage)
root@attacker:~# armitage # a login dialog appears
Host 10.10.10.128
Port 55553
User msf
Pass admin
3. This login dialog connects to the msfrpcd service created above; click Server, and the penetration testing data from host 10.10.10.128 is displayed here.
msfrpcd shares not only the penetration testing database but also all msf modules and payloads.