Spent a few more days studying this powerful tool and took some notes.

On Kali Linux
Start msfconsole

Start the database
service postgresql start
Check its status
service postgresql status

msf > service postgresql start
[*] exec: service postgresql start

help shows the built-in help

Create a workspace
workspace -a <name>

Check in msf whether the database is connected

msf > db_status
[*] postgresql connected to msf
msf > workspace -a test
[*] Added workspace: test
msf > 

Enter a workspace

workspace <workspace name>

Delete a workspace

workspace <workspace name> -d

Scan a host with nmap

msf > workspace test
[*] Workspace: test
msf > db_nmap -sS 100.78.205.58

Result

msf > workspace test
[*] Workspace: test
msf > db_nmap -sS 100.78.205.58
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-13 16:20 CST
[*] Nmap: Nmap scan report for 100.78.205.58
[*] Nmap: Host is up (0.030s latency).
[*] Nmap: Not shown: 996 filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 5357/tcp open wsdapi
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 63.74 seconds
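db_nmap relays every nmap line with a `[*] Nmap:` prefix before storing it in the database. As an added example (not part of the original notes), here is a small Python parser that turns such a transcript into the same host/service view that `hosts` and `services` give; the embedded sample is the scan output shown above, pasted as a string.

```python
import re

# Constructed sample: the db_nmap transcript from the notes above, pasted as a string.
SAMPLE = """\
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-13 16:20 CST
[*] Nmap: Nmap scan report for 100.78.205.58
[*] Nmap: Host is up (0.030s latency).
[*] Nmap: Not shown: 996 filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 5357/tcp open wsdapi
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 63.74 seconds
"""

PREFIX = "[*] Nmap: "                      # msfconsole prepends this to every relayed nmap line
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_db_nmap(text):
    """Return {host: {"up": bool, "services": [(port, proto, state, name), ...]}}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith(PREFIX):
            continue                        # ignore lines that are not relayed nmap output
        line = raw[len(PREFIX):].strip()
        m = REPORT_RE.match(line)
        if m:                               # a new host block begins
            current = m.group(1)
            hosts[current] = {"up": False, "services": []}
        elif current is None:
            continue                        # banner lines before the first host
        elif line.startswith("Host is up"):
            hosts[current]["up"] = True
        else:
            m = PORT_RE.match(line)
            if m:                           # one "PORT STATE SERVICE" row
                port, proto, state, name = m.groups()
                hosts[current]["services"].append((int(port), proto, state, name))
    return hosts

def open_ports(hosts, host):
    """Sorted list of the ports reported open for one host."""
    return sorted(p for p, _, state, _ in hosts[host]["services"] if state == "open")

if __name__ == "__main__":
    result = parse_db_nmap(SAMPLE)
    for host, info in result.items():
        print(host, "up" if info["up"] else "down", open_ports(result, host))
```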

Export

msf > db_export 1.xml

Import
db_import <file>
Where does the export go?
Type pwd to see the current directory; the file is written there.

List the scanned hosts

hosts

List the scan results (discovered services)

db_services (in newer versions: services)

Information gathering modules

You can do whois lookups

msf > whois baidu.com
[*] exec: whois baidu.com


Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: BAIDU.COM.CN
   Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
   Whois Server: whois.dns.com.cn
   Referral URL: http://www.dns.com.cn


   Server Name: BAIDU.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
   IP Address: 203.36.226.2
   Registrar: INSTRA CORPORATION PTY, LTD.
   Whois Server: whois.instra.net
   Referral URL: http://www.instra.com


   Server Name: BAIDU.COM.S18.4BO.CN
   Registrar: XIN NET TECHNOLOGY CORPORATION
   Whois Server: whois.paycenter.com.cn
   Referral URL: http://www.xinnet.com


   Server Name: BAIDU.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
   IP Address: 69.41.185.203
   Registrar: TUCOWS DOMAINS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://www.tucowsdomains.com


   Server Name: BAIDU.COM.ZZZZZZ.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
   IP Address: 203.36.226.2
   Registrar: INSTRA CORPORATION PTY, LTD.
   Whois Server: whois.instra.net
   Referral URL: http://www.instra.com

………………….

**nslookup** can also be used to look up DNS.

Adding -O to nmap shows the operating system.

Once postgresql is started, msf connects to it automatically when opened.
You can also connect manually:
db_connect postgres:toor@127.0.0.1/msf

You can also connect to MySQL, which of course has to be done manually:
db_connect root:toor@127.0.0.1/msf3
This connects to the msf3 database on the local MySQL.
MySQL's default password is toor; db_connect creates the msf3 database automatically when it connects.

Scan for live IPs in a network range

msf > use auxiliary/scanner/ip/ipidseq
IP ID sequence scanner, similar to nmap's -sI -O options


msf > use auxiliary/scanner/ip/ipidseq 
msf auxiliary(ipidseq) > show options

Module options (auxiliary/scanner/ip/ipidseq):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds



msf auxiliary(ipidseq) > set RHOSTS 192.168.20/42
RHOSTS => 192.168.20/42
msf auxiliary(ipidseq) > set THREADS 50
THREADS => 50

msf auxiliary(ipidseq) > run
run starts the scan

Clear a setting

unset <option name>

Use the portscan module
to scan ports

msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set RHOSTS  192.168.1.1
RHOSTS => 192.168.1.1
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > 

Targeted scans

The smb_version module

msf > use auxiliary/scanner/smb/smb_version 
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_version) > 

Server Message Block (SMB) is a network file sharing protocol that lets applications and end users access file resources on a remote file server.

Find MSSQL hosts, i.e. SQL Server

msf > use auxiliary/scanner/mssql/mssql_ping 
msf auxiliary(mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf auxiliary(mssql_ping) > 

The docs say you can press TAB to auto-complete; use it to check whether a name is typed wrong, or just to complete it.

SSH server scan

msf auxiliary(mssql_ping) > use auxiliary/scanner/ssh/ssh_version 
msf auxiliary(ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf auxiliary(ssh_version) > 

Here I went directly from one module into another.

Almost all of them just require setting the target host and the number of threads.
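Because every module follows this pattern, it is worth checking which required options still have no value before typing run. This is an added Python example, not part of the original notes or of Metasploit itself: it parses a pasted `show options` table by the column ruler under the header and lists the required options that are unset; the embedded sample is the smb_version table shown above.

```python
import re

# Constructed sample: the smb_version "show options" table from the notes above.
SAMPLE = """\
Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads
"""

def column_starts(ruler):
    """Start offset of each column, taken from the '----  -----' ruler under the header."""
    return [m.start() for m in re.finditer(r"-+", ruler)]

def parse_show_options(text):
    """Parse a `show options` table into {NAME: {"setting", "required", "description"}}."""
    starts, rows = None, {}
    for line in text.splitlines():
        if starts is None:                      # everything before the ruler is a header
            if line.strip().startswith("----"):
                starts = column_starts(line)
            continue
        if not line.strip():
            continue
        # slice by column offsets, so settings and descriptions may contain spaces
        bounds = zip(starts, starts[1:] + [None])
        cells = [line[s:e].strip() for s, e in bounds]
        if len(cells) < 3 or not cells[0]:
            continue
        rows[cells[0]] = {
            "setting": cells[1],
            "required": cells[2].lower() == "yes",
            "description": cells[3] if len(cells) > 3 else "",
        }
    return rows

def missing_required(options):
    """Required options with no current value: these must be set before run."""
    return sorted(n for n, o in options.items() if o["required"] and not o["setting"])

if __name__ == "__main__":
    opts = parse_show_options(SAMPLE)
    print("set these before run:", missing_required(opts))
```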

Telnet server scan

msf > use auxiliary/scanner/telnet/telnet_version 
msf auxiliary(telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     23               yes       The target port
   THREADS   1                yes       The number of concurrent threads
   TIMEOUT   30               yes       Timeout for the Telnet probe
   USERNAME                   no        The username to authenticate as

msf auxiliary(telnet_version) > 

FTP host scan

msf > use auxiliary/scanner/ftp/ftp_version 
msf auxiliary(ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port
   THREADS  1                    yes       The number of concurrent threads

msf auxiliary(ftp_version) > 

These are all used in basically the same way.

Scan for FTP anonymous login

msf auxiliary(ftp_version) > use auxiliary/scanner/ftp/anonymous 
msf auxiliary(anonymous) > show options 

Module options (auxiliary/scanner/ftp/anonymous):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port
   THREADS  1                    yes       The number of concurrent threads

Once one is found, open another window and just run ftp <IP> to get in: user name anonymous, empty password.

Some don't even ask for a user name.

Scan for live hosts on the LAN

msf > use auxiliary/scanner/discovery/arp_sweep 
msf auxiliary(arp_sweep) > show options 

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier

Scan website directories

msf > use auxiliary/scanner/http/dir_scanner 
msf auxiliary(dir_scanner) > show options 

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path  to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                               yes       The target address range or CIDR identifier
   RPORT       80                                                       yes       The target port
   THREADS     1                                                        yes       The number of concurrent threads
   VHOST                                                                no        HTTP server virtual host

Scan SNMP hosts

msf > use auxiliary/scanner/snmp/snmp_login 
msf auxiliary(snmp_login) > show options 

Module options (auxiliary/scanner/snmp/snmp_login):

   Name              Current Setting                                                       Required  Description
   ----              ---------------                                                       --------  -----------
   BLANK_PASSWORDS   false                                                                 no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                     yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                 no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                 no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                 no        Add all users in the current database to the list
   PASSWORD                                                                                no        The password to test
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt  no        File containing communities, one per line
   RHOSTS                                                                                  yes       The target address range or CIDR identifier
   RPORT             161                                                                   yes       The target port
   STOP_ON_SUCCESS   false                                                                 yes       Stop guessing when a credential works for a host
   THREADS           1                                                                     yes       The number of concurrent threads
   USER_AS_PASS      false                                                                 no        Try the username as the password for all users
   VERBOSE           true                                                                  yes       Whether to print output for all attempts
   VERSION           1                                                                     yes       The SNMP version to scan (Accepted: 1, 2c, all)

Simple Network Management Protocol (SNMP) consists of a set of network management standards, including an application layer protocol, a database schema, and a set of resource objects. The protocol supports network management systems in monitoring devices attached to the network for any conditions that warrant administrative attention.

Search a website for e-mail addresses

msf > use auxiliary/gather/search_email_collector 

DOMAIN sets the domain name

There is no thread setting

This one uses Google~~

Sniffing / packet capture

msf > use auxiliary/sniffer/psnuffle 
msf auxiliary(psnuffle) > run

Just run it directly

But it only captures FTP
