Metasploit-Based Software Penetration Testing (Part 2)


Google Hacking

Active Information Gathering

Nmap scanning

The most basic scan

#nmap 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:09 CST
Nmap scan report for 192.168.0.106
Host is up (0.0028s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds


Discover live hosts: -sn

#nmap -sn 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:13 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds


Scanning multiple machines

Using IP1 IP2 … IPn
# nmap 192.168.0.106 192.168.0.150 192.168.0.158 192.168.0.160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.0017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.158
Host is up (0.0087s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.160
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 4 IP addresses (4 hosts up) scanned in 1.08 seconds


Using a range IP1-IP2
# nmap 192.168.0.100-160                                       
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:39 CST
Nmap scan report for 192.168.0.106
Host is up (0.00058s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.151
Host is up (0.016s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.158
Host is up (0.016s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.159
Host is up (0.012s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.150
Host is up (0.0000030s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 61 IP addresses (5 hosts up) scanned in 4.12 seconds


Using IP/24 (CIDR notation)
# nmap 192.168.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:34 CST
Nmap scan report for 192.168.0.1
Host is up (0.0086s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  upnp
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.151
Host is up (0.017s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.158
Host is up (0.021s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.159
Host is up (0.013s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.161
Host is up (0.00029s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 256 IP addresses (7 hosts up) scanned in 5.18 seconds


Scanning devices with ICMP

ICMP echo (ping-style) request/response scan: -PE
#nmap -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds


ICMP timestamp request scan: -PP
#nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:55 CST
Nmap scan report for 192.168.0.106
Host is up (0.0021s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds


ICMP address mask request scan: -PM
#nmap -PM 192.168.0.106



Scanning devices with TCP

TCP SYN ping: -PS
#nmap -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.0022s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds


TCP ACK ping: -PA
# nmap -PA 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:05 CST
Nmap scan report for 192.168.0.106
Host is up (0.00017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds


UDP ping: -PU

UDP scanning is simpler, but it is less convenient than TCP and slow.

#nmap -PU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds


Port scanning

Port categories

- Well-known ports: 0-1024

- Registered ports: 1025-49151

- Dynamic/private ports: 49152-65535


Port states

- Open: the port is open. nmap sends two SYN probes; the process listening on that port on the server answers with SYN/ACK. After receiving the server's reply nmap sends two RSTs, so no connection is ever established with the server, and the probe of that port is complete.

- Closed: the port is closed. nmap sends two SYN probes; because no process is listening on the port, the server's kernel returns RST. When nmap receives the RST it records the result as closed.

- Filtered: the port is filtered. The server silently drops the SYN packets it receives from nmap and does not answer. Since nmap sent two SYN packets and got no reply to either, it concludes that the server has a firewall dropping the SYNs.

- Unfiltered: the port is unfiltered. nmap performs a SYN scan by default; with the -sA option (TCP ACK scan) it sends two identical ACK packets in a row. Because nmap is acknowledging a packet the server never sent, the server replies with an RST. When nmap receives that RST it confirms that the server did not drop the probe. Note that this probe cannot tell whether the port is open or closed; it only confirms that the server received the probe and answered nmap with an RST.

- open|filtered: open or filtered. nmap cannot tell whether the port is open or filtered. This state is common for UDP ports; see the UDP explanation later.

- closed|filtered: closed or filtered.


Scan techniques
Host discovery only, no port scan: -sn
# nmap -sn 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:26 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds


# nmap -sn -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.00055s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds


# nmap -sn 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:30 CST
Nmap scan report for 192.168.0.1
Host is up (0.0043s latency).
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)
Nmap scan report for 192.168.0.106
Host is up (0.00036s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.151
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.158
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.159
Host is up (0.086s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.161
Host is up (0.00032s latency).
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap scan report for 192.168.0.150
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.40 seconds


SYN half-open scan: -sS

Nmap host → SYN → target

target → SYN+ACK → Nmap host

Nmap host → RST → target (connection torn down)

Returns Open, Closed, or filtered

#nmap -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:33 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds


Connect scan: -sT

Completes the full three-way handshake

Nmap host → SYN → target

target → SYN+ACK → Nmap host

Nmap host → ACK → target (connection established)

#nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.0013s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds


UDP scan: -sU

Returns Open or Open|filtered and is very slow; a filtered result may mean Open or may mean Closed.

#nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:47 CST
Stats: 0:17:39 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.44% done; ETC: 13:05 (0:00:06 remaining)
Nmap scan report for 192.168.0.106
Host is up (0.00064s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT     STATE         SERVICE
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5050/udp open|filtered mmcc
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1080.72 seconds


Scan all (named) ports: -p "*"
#nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:49 CST
Nmap scan report for 192.168.0.106
Host is up (0.0039s latency).
Not shown: 8319 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
105/tcp  open  csnet-ns
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
1536/tcp open  ampr-inter
1537/tcp open  sdsc-lm
1538/tcp open  3ds-lm
1539/tcp open  intellistor-lm
1540/tcp open  rds
1552/tcp open  pciarray
1639/tcp open  cert-initiator
2224/tcp open  efi-mg
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5040/tcp open  unknown
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds


Scan the n most frequently used ports: --top-ports n
#nmap -top-ports 10  192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:54 CST
Nmap scan report for 192.168.0.106
Host is up (0.00039s latency).
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   open   smtp
80/tcp   open   http
110/tcp  open   pop3
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds


Scan a specific port: -p port

# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.00056s latency).
PORT     STATE SERVICE
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds


OS detection

nmap OS detection is active: it sends 15 probes, and because it cannot identify the OS with certainty the result is only a guess.


Basic OS scan: -O
# nmap -O 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:05 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 13:05 (0:00:00 remaining)
Nmap scan report for 192.168.0.161
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds


Only attempt OS detection on hosts that have both open and closed ports: -O --osscan-limit
nmap -O --osscan-limit 192.168.0.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:37 CST
Nmap scan report for 192.168.0.158
Host is up (0.0068s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.98 seconds


Guess the closest matching OS for the target: -O --osscan-guess

Requires root privileges

# nmap -O --osscan-guess 192.168.0.159
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:42 CST
Nmap scan report for 192.168.0.159
Host is up (0.0092s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds


Scanning target services

Scan technique

Port scan: SYN scan is used by default

Service identification: send probe packets and confirm the service from the returned response

Version identification: send probe packets and analyse the returned data to determine the service version

Service scan: -sV
# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
443/tcp  open  ssl/http        Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s        Microsoft SQL Server 2014 12.00.2269
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
3306/tcp open  mysql           MariaDB (unauthorized)
5555/tcp open  freeciv?
8009/tcp open  ajp13           Apache Jserv (Protocol v1.3)
8080/tcp open  http            Apache Tomcat/Coyote JSP engine 1.1
8100/tcp open  http            Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds


Combined nmap scans

# nmap -Pn -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:35 CST
Nmap scan report for 192.168.0.106
Host is up (0.00014s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds


# nmap -Pn -sS -A 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:40 CST
Nmap scan report for 192.168.0.106
Host is up (0.00029s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
443/tcp  open  ssl/http        Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.0.106/dashboard/
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s        Microsoft SQL Server 2014 12.00.2269.00; RTM+
| ms-sql-ntlm-info: 
|   Target_Name: DESKTOP-9A8VFKB
|   NetBIOS_Domain_Name: DESKTOP-9A8VFKB
|   NetBIOS_Computer_Name: DESKTOP-9A8VFKB
|   DNS_Domain_Name: DESKTOP-9A8VFKB
|   DNS_Computer_Name: DESKTOP-9A8VFKB
|_  Product_Version: 10.0.17763
|_ssl-date: 2022-06-20T04:43:40+00:00; +10s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-20T02:24:59
|_Not valid after:  2052-06-20T02:24:59
2383/tcp open  ms-olap4?
3000/tcp open  ppp?


Saving scan results to an XML file and to the database

Saving scan results to an XML file
#nmap -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
#cat nmap.xml 
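The post writes nmap.xml with -oX but never shows what is inside it. The following is an added example (my own code, not from the post, nmap or Metasploit) that parses -oX output and diffs two scans so a defender sees which services have become newly exposed; the two XML documents are constructed samples in nmap's XML layout, reduced to a few hosts and ports taken from the post's scans.

```python
"""Parse nmap -oX output and report services newly exposed between two scans.

Added example (not from the original post or from nmap/Metasploit). The XML
documents below are constructed samples in nmap's -oX layout, reduced to a few
of the hosts and ports that appear in the post's scans.
"""
import xml.etree.ElementTree as ET

# Constructed baseline: an earlier scan of 192.168.0.106.
BASELINE_XML = """
<nmaprun scanner="nmap" args="nmap -oX nmap.xml 192.168.0.106" version="7.92">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.106" addrtype="ipv4"/>
    <address addr="C8:FF:28:E8:B8:AD" addrtype="mac" vendor="Liteon Technology"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/><service name="ms-sql-s"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed current scan: 21/ftp and 3306/mysql now answer on .106, a new
# host .161 has appeared with telnet exposed, and .200 is down.
CURRENT_XML = """
<nmaprun scanner="nmap" args="nmap -oX nmap.xml 192.168.0.0/24" version="7.92">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.106" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.161" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.200" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Services seen in the post's scans that should not be reachable without review
# (cleartext logins, remote shells, database listeners, file sharing).
HIGH_RISK_SERVICES = {"ftp", "telnet", "exec", "login", "shell", "rpcbind", "nfs",
                      "vnc", "mysql", "postgresql", "ms-sql-s", "microsoft-ds"}


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service}} for every open port of every host that is up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed, filtered and open|filtered are not inventory
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[ip] = open_ports
    return hosts


def diff_scans(baseline, current):
    """Open ports in `current` absent from `baseline`; a host absent from the baseline counts whole."""
    new = {}
    for ip, ports in current.items():
        added = {key: name for key, name in ports.items() if key not in baseline.get(ip, {})}
        if added:
            new[ip] = added
    return new


def risky_findings(new_ports):
    """Sorted (ip, proto, port, service) tuples for newly exposed high-risk services."""
    return sorted((ip, proto, port, name)
                  for ip, ports in new_ports.items()
                  for (proto, port), name in ports.items()
                  if name in HIGH_RISK_SERVICES)


if __name__ == "__main__":
    baseline = parse_open_ports(BASELINE_XML)
    current = parse_open_ports(CURRENT_XML)
    for ip, proto, port, name in risky_findings(diff_scans(baseline, current)):
        print(f"REVIEW {ip} {port}/{proto} {name}: newly exposed since baseline")
```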


Importing scan results into the Metasploit database

1) First write the results to an XML file

#nmap -Pn -sS -A -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-21 13:30 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.0.106 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1   0.71 ms 192.168.0.106
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.18 seconds


2) Then import the XML into the database

msf6 > db_import /home/jerry/nmap.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.13.1'
[*] Importing host 192.168.0.106
[*] Successfully imported /home/jerry/nmap.xml
msf6 > hosts -c address
Hosts
=====
address
-------
192.168.0.106
192.168.0.155


msf can also work with MySQL; in bt5r1 msf supports connecting to MySQL by default:

msf> db_driver mysql
msf> db_connect root:123456@127.0.0.1/msf3   # connect to the msf3 database on the local MySQL

The default MySQL password is 123456; db_connect creates the msf3 database automatically when it connects.


Scanning with Metasploit using the database


Overview

#/etc/init.d/postgresql start
Starting postgresql (via systemctl): postgresql.service.
# msfconsole
msf> db_connect postgres:123456@127.0.0.1/msf   # the initial credentials are postgres:toor
[*] Connected to Postgres data service: 127.0.0.1/msf 
msf> db_status
[*] Connected to msf. Connection type: postgresql.


TCP idle scan

Find an idle host and scan through it, so that the scan does not appear to be executed from the local machine.

Idle host IPID: an idle host that uses the IP frame identification (IP ID) mechanism.

msf6 > use auxiliary/scanner/ip/ipidseq
msf6 auxiliary(scanner/ip/ipidseq) > options
Module options (auxiliary/scanner/ip/ipidseq):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds
msf6 auxiliary(scanner/ip/ipidseq) > set rhost 192.168.0.0/24
rhost => 192.168.0.0/24
RHOSTS can be set in any of these forms:
set rhost 192.168.0.0/24
set rhost 192.168.0.0-199
set rhost File://path/xxx.txt
msf6 auxiliary(scanner/ip/ipidseq) > set threads 50
threads => 50
Thread counts: Windows: 1-16
Unix: 1-128
msf6 auxiliary(scanner/ip/ipidseq) > run
[*] 192.168.0.1's IPID sequence class: All zeros
[*] Scanned  82 of 256 hosts (32% complete)
[*] Scanned  83 of 256 hosts (32% complete)
[*] Scanned  98 of 256 hosts (38% complete)
[*] 192.168.0.106's IPID sequence class: Incremental!
[*] Scanned 103 of 256 hosts (40% complete)
[*] 192.168.0.161's IPID sequence class: All zeros
[*] 192.168.0.158's IPID sequence class: Incremental!
[*] 192.168.0.152's IPID sequence class: Randomized
[*] 192.168.0.151's IPID sequence class: Incremental!
[*] 192.168.0.159's IPID sequence class: All zeros
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 169 of 256 hosts (66% complete)
[*] Scanned 183 of 256 hosts (71% complete)
[*] Scanned 212 of 256 hosts (82% complete)
[*] Scanned 232 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed 
msf6 auxiliary(scanner/ip/ipidseq) >


The scan found hosts whose IPID sequence class is Incremental!

Attempt to send packets to 192.168.0.161 through 192.168.0.151


msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.151 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.151 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:18 CST
Idle scan using zombie 192.168.0.151 (192.168.0.151:80); Class: Incremental
Even though your Zombie (192.168.0.151; 192.168.0.151) appears to be vulnerable to IP ID sequence prediction (class: Incremental), our attempts have failed.  This generally means that either the Zombie uses a separate IP ID base for each host (like Solaris), or because you cannot spoof IP packets (perhaps your ISP has enabled egress filtering to prevent IP spoofing), or maybe the target network recognizes the packet source as bogus and drops them
QUITTING!


Attempt to send packets to 192.168.0.161 through 192.168.0.106

msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.106 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.106 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:20 CST
Idle scan zombie 192.168.0.106 (192.168.0.106) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.
QUITTING!


Without sending packets to the target machine from your own IP address, you can still learn the target host's open ports.
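
The ipidseq module above labels each host by how its IP ID field changes between replies, and the two nmap -sI attempts fail for reasons that depend on that behaviour. As an added example (not code from the original article, from nmap, or from Metasploit), the script below classifies constructed IP ID sample sequences into the same kinds of classes; the thresholds and class names are a simplified approximation of the nmap/Metasploit heuristic, and the host addresses and sequences are sample values. From a defender's side it shows which hosts to flag: anything classified as Incremental (or Constant, or little-endian incremental) has a predictable IP ID and should get randomized IP IDs enabled.

```python
# Constructed samples: each entry is the list of IP ID values observed in
# successive replies from one (made-up) host.
SAMPLES = {
    "192.0.2.10": [0, 0, 0, 0, 0, 0],                        # IP ID never set
    "192.0.2.11": [65533, 65534, 65535, 0, 1, 2],            # global counter, wraps at 65535
    "192.0.2.12": [256, 512, 768, 1024, 1280, 1536],         # counter sent in host byte order
    "192.0.2.13": [100, 400, 900, 1500, 2300, 2800],         # random-looking but always rising
    "192.0.2.14": [51234, 7, 40001, 23456, 61010, 3],        # properly randomized
    "192.0.2.15": [4242, 4242, 4242, 4242, 4242, 4242],      # constant value
}


def _diffs(ids):
    # Differences modulo 2^16 so that a wrap from 65535 to 0 still counts as +1
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids):
    """Return a class name for one host's observed IP ID sequence.

    Simplified heuristic constructed for this example; the real scanners use
    more samples and additional checks, but the idea is the same.
    """
    if len(ids) < 2:
        return "Unknown"
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = _diffs(ids)
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(0 < d < 6 for d in diffs):
        return "Incremental"
    # A little-endian counter read as big-endian advances in steps of 256;
    # swapping the bytes turns it back into small increments.
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if all(0 < d < 6 for d in _diffs(swapped)):
        return "Broken little-endian incremental"
    if all(0 < d < 20000 for d in diffs):
        return "Random positive increments"
    return "Randomized"


def is_predictable(cls):
    """True for classes where a third party can infer how many packets the host sent."""
    return cls in ("Incremental", "Broken little-endian incremental", "Constant")


def audit(samples):
    """Map each host to its IP ID class, for a remediation list."""
    return {host: classify_ipid_sequence(ids) for host, ids in samples.items()}


if __name__ == "__main__":
    for host, cls in audit(SAMPLES).items():
        flag = "FIX" if is_predictable(cls) else "ok "
        print(f"{flag} {host:<12} {cls}")
```

The wrap-around sample (192.0.2.11) is the edge case worth keeping: a host whose counter crosses 65535 is still fully predictable, and a classifier that compares raw values instead of modular differences would miss it. Note also that an Incremental classification is necessary but not sufficient for the scan to work, which is exactly what the first nmap -sI attempt above reports: the host may keep a separate counter per peer, or spoofed packets may be dropped by egress filtering.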


Running nmap from the MSF console

msf6 > db_connect postgres:123456@127.0.0.1/msf
msf6 > db_nmap -sS -A 192.168.0.106
msf6 > services -u   # view the scan results
Services
========
host           port  proto  name             state  info
----           ----  -----  ----             -----  ----
192.168.0.106  21    tcp    ftp              open   FileZilla ftpd 0.9.41 beta
192.168.0.106  25    tcp    smtp             open   Mercury/32 smtpd Mail server account Maiser
192.168.0.106  79    tcp    finger           open   Mercury/32 fingerd
192.168.0.106  80    tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  106   tcp    pop3pw           open   Mercury/32 poppass service
192.168.0.106  110   tcp    pop3             open   Mercury/32 pop3d
192.168.0.106  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.106  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.106  143   tcp    imap             open   Mercury/32 imapd 4.62
192.168.0.106  443   tcp    ssl/http         open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.106  445   tcp    microsoft-ds     open
192.168.0.106  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.106  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.106  1433  tcp    ms-sql-s         open   Microsoft SQL Server 2014 12.00.2269.00; RTM+
192.168.0.106  2383  tcp    ms-olap4         open
192.168.0.106  2869  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  3306  tcp    mysql            open   MariaDB unauthorized
192.168.0.106  5555  tcp    freeciv          open
192.168.0.106  8000  tcp    http-alt         open   WSGIServer/0.2 CPython/3.8.0
192.168.0.106  8009  tcp    ajp13            open   Apache Jserv Protocol v1.3
192.168.0.106  8080  tcp    http             open   Apache Tomcat/Coyote JSP engine 1.1
192.168.0.106  8100  tcp    http             open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.151  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.151  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.151  445   tcp    microsoft-ds     open
192.168.0.151  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.151  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.151  5357  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP


Port scanning with Metasploit

Searching for port scanner modules

msf6 auxiliary(scanner/ip/ipidseq) > search portscan
Matching Modules
================
   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
   3  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   4  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   7  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access
msf6 > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 auxiliary(scanner/portscan/syn) > set threads 100
threads => 100
msf6 auxiliary(scanner/portscan/syn) > run
[+]  TCP OPEN 192.168.0.155:135
[+]  TCP OPEN 192.168.0.155:139
[+]  TCP OPEN 192.168.0.155:445

It is very slow; ports 135, 139, 445, ... are reported open.
