Google Hacking
Active information gathering
nmap scanning
The most basic scan
# nmap 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:09 CST
Nmap scan report for 192.168.0.106
Host is up (0.0028s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
Scanning for live hosts: -sn
# nmap -sn 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:13 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
Scanning multiple hosts
Using IP1 IP2 … IPn
# nmap 192.168.0.106 192.168.0.150 192.168.0.158 192.168.0.160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.0017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

Nmap scan report for 192.168.0.158
Host is up (0.0087s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)

Nmap scan report for 192.168.0.160
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)

Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 4 IP addresses (4 hosts up) scanned in 1.08 seconds
Using IP1-IP2
# nmap 192.168.0.100-160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:39 CST
Nmap scan report for 192.168.0.106
Host is up (0.00058s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

Nmap scan report for 192.168.0.151
Host is up (0.016s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)

Nmap scan report for 192.168.0.158
Host is up (0.016s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)

Nmap scan report for 192.168.0.159
Host is up (0.012s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)

Nmap scan report for 192.168.0.150
Host is up (0.0000030s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 61 IP addresses (5 hosts up) scanned in 4.12 seconds
Using IP/24
# nmap 192.168.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:34 CST
Nmap scan report for 192.168.0.1
Host is up (0.0086s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  upnp
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)

Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

Nmap scan report for 192.168.0.151
Host is up (0.017s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)

Nmap scan report for 192.168.0.158
Host is up (0.021s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)

Nmap scan report for 192.168.0.159
Host is up (0.013s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)

Nmap scan report for 192.168.0.161
Host is up (0.00029s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)

Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 256 IP addresses (7 hosts up) scanned in 5.18 seconds
Host discovery with ICMP
ICMP echo (ping-style) request/response discovery: -PE
# nmap -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
ICMP timestamp request discovery: -PP
# nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:55 CST
Nmap scan report for 192.168.0.106
Host is up (0.0021s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
ICMP address mask request discovery: -PM
#nmap -PM 192.168.0.106
Host discovery with TCP
TCP SYN discovery: -PS
# nmap -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.0022s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
TCP ACK discovery: -PA
# nmap -PA 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:05 CST
Nmap scan report for 192.168.0.106
Host is up (0.00017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds
Host discovery with UDP: -PU
UDP discovery is simpler, but less convenient than TCP, and slower.
# nmap -PU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Port scanning
Port categories
- Well-known ports: 0-1024
- Registered ports: 1025-49,151
- Dynamic/private ports: 49,152-65,535
Port states
- Open: the port is open. nmap sends two SYN requests; the process listening on that port on the server answers with SYN/ACK. After receiving the server's reply nmap sends two RSTs and never establishes a connection with the server, which completes the port probe.
- Closed: the port is closed. nmap sends two SYN requests; because no process is listening on that port, the server's kernel returns RST. nmap receives the server's RST segment and records the result as closed.
- Filtered: the port is filtered. Here the server silently drops the SYN segments nmap sends and does not answer. Since nmap sent two SYN segments and got no reply to either, it concludes that the server has a firewall that drops the SYN segments.
- Unfiltered: the port is unfiltered. nmap performs a SYN scan by default; with the -sA option (TCP ACK scan) it sends two identical ACK segments in a row. Because the ACK acknowledges a segment the server never sent, the server replies with an RST; when nmap receives that RST it confirms that the server did not drop the probe. Note that this probe cannot tell whether the port is open or closed; it only confirms that the server received the probe and answered nmap with an RST.
- open|filtered: open or filtered. This state means nmap cannot tell whether the port is open or filtered. It is most common with UDP ports; see the explanation under UDP below.
- closed|filtered: closed or filtered.
Scan techniques
No port scan (host discovery only): -sn
# nmap -sn 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:26 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

# nmap -sn -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.00055s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

# nmap -sn 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:30 CST
Nmap scan report for 192.168.0.1
Host is up (0.0043s latency).
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)
Nmap scan report for 192.168.0.106
Host is up (0.00036s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.151
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.158
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.159
Host is up (0.086s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.161
Host is up (0.00032s latency).
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap scan report for 192.168.0.150
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.40 seconds
SYN half-open scan: -sS
nmap host → SYN → target
target → SYN+ACK → nmap host
nmap host → RST → target (connection torn down)
Returns Open, Closed or filtered
# nmap -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:33 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds
Connect scan: -sT
Completes the full three-way handshake
nmap host → SYN → target
target → SYN+ACK → nmap host
nmap host → ACK → target (connection established)
# nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.0013s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
UDP scan: -sU
Returns Open or Open|filtered; very slow. A filtered result may mean Open or may mean Closed.
# nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:47 CST
Stats: 0:17:39 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.44% done; ETC: 13:05 (0:00:06 remaining)
Nmap scan report for 192.168.0.106
Host is up (0.00064s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT     STATE         SERVICE
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5050/udp open|filtered mmcc
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1080.72 seconds
Scanning all ports: -p "*"
# nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:49 CST
Nmap scan report for 192.168.0.106
Host is up (0.0039s latency).
Not shown: 8319 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
105/tcp  open  csnet-ns
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
1536/tcp open  ampr-inter
1537/tcp open  sdsc-lm
1538/tcp open  3ds-lm
1539/tcp open  intellistor-lm
1540/tcp open  rds
1552/tcp open  pciarray
1639/tcp open  cert-initiator
2224/tcp open  efi-mg
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5040/tcp open  unknown
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds
Scanning the n most common ports: --top-ports n
# nmap -top-ports 10 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:54 CST
Nmap scan report for 192.168.0.106
Host is up (0.00039s latency).
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   open   smtp
80/tcp   open   http
110/tcp  open   pop3
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Scanning a specified port: -p port
# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.00056s latency).
PORT     STATE SERVICE
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
OS detection
nmap's OS detection is active: it sends 15 probes. It cannot identify the OS with certainty and only makes a guess.
Basic OS scan: -O
# nmap -O 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:05 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 13:05 (0:00:00 remaining)
Nmap scan report for 192.168.0.161
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds
Only fingerprint hosts that have both open and closed ports: -O --osscan-limit
# nmap -O --osscan-limit 192.168.0.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:37 CST
Nmap scan report for 192.168.0.158
Host is up (0.0068s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.98 seconds
Guess the OS that most closely matches the target: -O --osscan-guess
Requires root privileges
# nmap -O --osscan-guess 192.168.0.159
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:42 CST
Nmap scan report for 192.168.0.159
Host is up (0.0092s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds
Service scanning
Scan techniques
Port scan: uses SYN scanning by default
Service identification: sends probe packets and confirms the service from the values returned
Version identification: sends probe packets and analyses the returned data to determine the service version
Service scan: -sV
# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
443/tcp  open  ssl/http        Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s        Microsoft SQL Server 2014 12.00.2269
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
3306/tcp open  mysql           MariaDB (unauthorized)
5555/tcp open  freeciv?
8009/tcp open  ajp13           Apache Jserv (Protocol v1.3)
8080/tcp open  http            Apache Tomcat/Coyote JSP engine 1.1
8100/tcp open  http            Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data.
If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
…
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds
nmap combined scans
# nmap -Pn -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:35 CST
Nmap scan report for 192.168.0.106
Host is up (0.00014s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds

# nmap -Pn -sS -A 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:40 CST
Nmap scan report for 192.168.0.106
Host is up (0.00029s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
443/tcp  open  ssl/http        Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.0.106/dashboard/
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s        Microsoft SQL Server 2014 12.00.2269.00; RTM+
| ms-sql-ntlm-info:
|   Target_Name: DESKTOP-9A8VFKB
|   NetBIOS_Domain_Name: DESKTOP-9A8VFKB
|   NetBIOS_Computer_Name: DESKTOP-9A8VFKB
|   DNS_Domain_Name: DESKTOP-9A8VFKB
|   DNS_Computer_Name: DESKTOP-9A8VFKB
|_  Product_Version: 10.0.17763
|_ssl-date: 2022-06-20T04:43:40+00:00; +10s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-20T02:24:59
|_Not valid after:  2052-06-20T02:24:59
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
…
Saving scan results to an XML file and to a database
Saving scan results to an XML file
# nmap -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
# cat nmap.xml
…
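Added example (my code, not part of these notes or of nmap): a parser for the -oX output that collects the ports nmap reports as open and diffs two scans so that newly exposed services on your own hosts stand out. The two XML documents are constructed samples in nmap's XML schema (an attribute subset), modelled on the 192.168.0.106 results above rather than copied from the real nmap.xml.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample documents (nmap -oX schema, attribute subset); they are not
# the nmap.xml produced above, only modelled on the 192.168.0.106 results.
SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX nmap.xml 192.168.0.106" version="7.92">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.106" addrtype="ipv4"/>
<address addr="C8:FF:28:E8:B8:AD" addrtype="mac" vendor="Liteon Technology"/>
<ports><extraports state="closed" count="997"/>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

SCAN_AFTER = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap.xml 192.168.0.106" version="7.92">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.106" addrtype="ipv4"/>
<ports><extraports state="closed" count="995"/>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="FileZilla ftpd"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
<port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/><service name="ms-sql-s" product="Microsoft SQL Server"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

PortKey = Tuple[str, str, int]  # (ipv4 address, protocol, port number)


def parse_nmap_xml(xml_text: str) -> Dict[PortKey, Dict[str, str]]:
    """Return {(host, proto, port): {state, reason, service, product}} for every
    <port> element of every host that nmap reported as up."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML document")
    found: Dict[PortKey, Dict[str, str]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = [a.get("addr", "") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        if not addrs:
            continue  # a MAC-only entry carries no routable address to track
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            key: PortKey = (addrs[0], port.get("protocol", ""), int(port.get("portid", "0")))
            found[key] = {
                "state": state.get("state", "") if state is not None else "",
                "reason": state.get("reason", "") if state is not None else "",
                "service": service.get("name", "") if service is not None else "",
                "product": service.get("product", "") if service is not None else "",
            }
    return found


def open_ports(scan: Dict[PortKey, Dict[str, str]]) -> Set[PortKey]:
    """Only a definite 'open' counts; open|filtered (typical for UDP) is excluded."""
    return {key for key, info in scan.items() if info["state"] == "open"}


def new_exposures(before_xml: str, after_xml: str) -> List[PortKey]:
    """Ports open in the later scan that were not open in the earlier one: the
    change a defender wants to be alerted on."""
    return sorted(open_ports(parse_nmap_xml(after_xml)) - open_ports(parse_nmap_xml(before_xml)))


def no_longer_open(before_xml: str, after_xml: str) -> List[PortKey]:
    """Ports that stopped being open (closed, or now filtered by a firewall)."""
    return sorted(open_ports(parse_nmap_xml(before_xml)) - open_ports(parse_nmap_xml(after_xml)))


def report(before_xml: str, after_xml: str) -> List[str]:
    """Human-readable change list; version strings come from -sV when present."""
    after = parse_nmap_xml(after_xml)
    lines: List[str] = []
    for host, proto, port in new_exposures(before_xml, after_xml):
        info = after[(host, proto, port)]
        label = info["product"] or info["service"] or "unknown"
        lines.append(f"NEW  {host} {port}/{proto} {label}")
    for host, proto, port in no_longer_open(before_xml, after_xml):
        state = after.get((host, proto, port), {}).get("state", "not listed")
        lines.append(f"GONE {host} {port}/{proto} now {state}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SCAN_BEFORE, SCAN_AFTER)))
```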
Saving scan results to the Metasploit database
1) First write the results to an XML file
# nmap -Pn -sS -A -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-21 13:30 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.0.106 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.71 ms 192.168.0.106

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.18 seconds
2) Then import it into the database
msf6 > db_import /home/jerry/nmap.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.13.1'
[*] Importing host 192.168.0.106
[*] Successfully imported /home/jerry/nmap.xml
msf6 > hosts -c address

Hosts
=====

address
-------
192.168.0.106
192.168.0.155
msf can also work with MySQL; in BT5 R1 msf supports connecting to MySQL by default:
msf> db_driver mysql
msf> db_connect root:123456@127.0.0.1/msf3    # connect to the msf3 database on the local MySQL server
The MySQL default password is 123456; db_connect creates the msf3 database automatically when it connects.
Scanning with Metasploit's database
Overview
# /etc/init.d/postgresql start
Starting postgresql (via systemctl): postgresql.service.
# msfconsole
msf> db_connect postgres:123456@127.0.0.1/msf    (the initial credentials are postgres:toor)
[*] Connected to Postgres data service: 127.0.0.1/msf
msf> db_status
[*] Connected to msf. Connection type: postgresql.
TCP idle scan
Find an idle host and scan through it, so the scan appears not to originate from your own machine.
Idle host IPID: an idle host is identified by the IP packet identification (IP ID) field it uses.
msf6 > use auxiliary/scanner/ip/ipidseq
msf6 auxiliary(scanner/ip/ipidseq) > options

Module options (auxiliary/scanner/ip/ipidseq):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf6 auxiliary(scanner/ip/ipidseq) > set rhost 192.168.0.0/24
rhost => 192.168.0.0/24
(RHOSTS can be set as set rhost 192.168.0.0/24, set rhost 192.168.0.0-199, or set rhost File://path/xxx.txt)
msf6 auxiliary(scanner/ip/ipidseq) > set threads 50
threads => 50
(threads: Windows 1-16, Unix 1-128)
msf6 auxiliary(scanner/ip/ipidseq) > run

[*] 192.168.0.1's IPID sequence class: All zeros
[*] Scanned  82 of 256 hosts (32% complete)
[*] Scanned  83 of 256 hosts (32% complete)
[*] Scanned  98 of 256 hosts (38% complete)
[*] 192.168.0.106's IPID sequence class: Incremental!
[*] Scanned 103 of 256 hosts (40% complete)
[*] 192.168.0.161's IPID sequence class: All zeros
[*] 192.168.0.158's IPID sequence class: Incremental!
[*] 192.168.0.152's IPID sequence class: Randomized
[*] 192.168.0.151's IPID sequence class: Incremental!
[*] 192.168.0.159's IPID sequence class: All zeros
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 169 of 256 hosts (66% complete)
[*] Scanned 183 of 256 hosts (71% complete)
[*] Scanned 212 of 256 hosts (82% complete)
[*] Scanned 232 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ip/ipidseq) >
Hosts reported as Incremental! are the candidate zombies; All zeros and Randomized hosts cannot be used.
First attempt: use 192.168.0.151 as the zombie to scan 192.168.0.161.
msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.151 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.151 192.168.0.161

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:18 CST
Idle scan using zombie 192.168.0.151 (192.168.0.151:80); Class: Incremental
Even though your Zombie (192.168.0.151; 192.168.0.151) appears to be vulnerable to IP ID sequence prediction (class: Incremental), our attempts have failed. This generally means that either the Zombie uses a separate IP ID base for each host (like Solaris), or because you cannot spoof IP packets (perhaps your ISP has enabled egress filtering to prevent IP spoofing), or maybe the target network recognizes the packet source as bogus and drops them
QUITTING!
Second attempt: use 192.168.0.106 as the zombie to scan 192.168.0.161.
msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.106 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.106 192.168.0.161

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:20 CST
Idle scan zombie 192.168.0.106 (192.168.0.106) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.
QUITTING!
The point of the idle scan is that the target's open ports are learned without our own IP address ever sending the target a packet. In this lab neither candidate worked: 192.168.0.151 was classed Incremental, but nmap's self-check found that its IP ID did not move in response to the spoofed probes (a per-host IP ID counter, egress filtering of spoofed packets, or the target dropping them), and 192.168.0.106 never answered the probes to port 80 at all. A usable zombie has to be genuinely idle, keep one global incrementing IP ID counter, answer our probes on RPORT, and sit where our spoofed packets can reach both it and the target.
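The idle scan's bookkeeping, as an added example that is not part of the original notes, nmap or Metasploit: it simulates the three-packet round (probe the zombie, send the target a SYN with the zombie's address as source, probe the zombie again) and reads the result from the zombie's IP ID delta. Zombie, PerHostZombie and Target are invented stand-ins, the classify_ipid thresholds are a simplification of the ipidseq module's rules, and no packets are sent. It also reproduces the two failure modes from the nmap output above: a zombie that is not really idle, and a zombie with a separate IP ID base per peer, which silently reports every port as closed.

```python
"""Idle (zombie) scan mechanics, simulated in pure Python; no packets are sent.

Added example, not code from the original notes, nmap or Metasploit. Zombie,
PerHostZombie and Target are invented stand-ins, and the classify_ipid
thresholds are a simplification of the ipidseq module's rules.
"""


def classify_ipid(ipids):
    """Label an observed IP ID sequence the way ipidseq does (simplified)."""
    if all(i == 0 for i in ipids):
        return "All zeros"
    diffs = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(1 <= d <= 5 for d in diffs):  # small positive steps: usable zombie
        return "Incremental!"
    return "Randomized"


class Zombie:
    """Idle host with one global IP ID counter shared by every packet it sends."""

    def __init__(self, start=1000, background=0):
        self.ipid = start
        self.background = background  # packets to third parties per scan round

    def emit(self):
        """Each packet the zombie sends consumes one IP ID; return the ID used."""
        self.ipid = (self.ipid + 1) % 65536
        return self.ipid

    def other_traffic(self):
        """A zombie that is not really idle advances the counter on its own."""
        for _ in range(self.background):
            self.emit()

    def answer_unsolicited_synack(self):
        """The RST it sends to the target comes from the same counter we probe."""
        self.emit()


class PerHostZombie(Zombie):
    """Keeps a separate IP ID base per peer (the Solaris case in nmap's warning)."""

    def answer_unsolicited_synack(self):
        pass  # the RST to the target uses a counter the scanner never sees


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered = set(filtered_ports)

    def reply_to_syn(self, dport):
        """Open: SYN/ACK. Closed: RST. Filtered: dropped silently."""
        if dport in self.filtered:
            return None
        return "SYN/ACK" if dport in self.open_ports else "RST"


def probe_zombie(zombie):
    """Send the zombie an unsolicited SYN/ACK; its RST reply exposes the current IP ID."""
    return zombie.emit()


def idle_scan_port(zombie, target, port):
    """One round: probe zombie, spoofed SYN from the zombie's address, probe again."""
    id_before = probe_zombie(zombie)
    zombie.other_traffic()
    # SYN to target:port with source = zombie; the target replies to the zombie.
    target_reply = target.reply_to_syn(port)
    if target_reply == "SYN/ACK":
        # The zombie never sent a SYN, so it RSTs the SYN/ACK: one more IP ID.
        zombie.answer_unsolicited_synack()
    # An RST, or silence, draws nothing from the zombie.
    id_after = probe_zombie(zombie)
    delta = (id_after - id_before) % 65536
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"  # zombie not idle; nmap retries, then gives up as above


def idle_scan(zombie, target, ports):
    return {p: idle_scan_port(zombie, target, p) for p in ports}


if __name__ == "__main__":
    target = Target(open_ports={22, 80}, filtered_ports={445})
    print(classify_ipid([1000, 1001, 1002, 1003]))        # Incremental!
    print(idle_scan(Zombie(), target, [22, 80, 443, 445]))
    print(idle_scan(Zombie(background=3), target, [22]))   # unreliable
    print(idle_scan(PerHostZombie(), target, [22]))        # closed|filtered: wrong
```

The delta is the whole signal: 2 means the zombie sent one extra packet (an RST to the target's SYN/ACK), so the port is open; 1 means it sent nothing, which is what both a closed and a filtered port look like. Anything else means other traffic polluted the counter, which is why nmap insists the zombie be idle and probes it several times before trusting it.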
Running nmap from the MSF console
msf6 > db_connect postgres:123456@127.0.0.1/msf
msf6 > db_nmap -sS -A 192.168.0.106
msf6 > services -u        # list the open services stored from the scan

Services
========

host           port  proto  name             state  info
----           ----  -----  ----             -----  ----
192.168.0.106  21    tcp    ftp              open   FileZilla ftpd 0.9.41 beta
192.168.0.106  25    tcp    smtp             open   Mercury/32 smtpd Mail server account Maiser
192.168.0.106  79    tcp    finger           open   Mercury/32 fingerd
192.168.0.106  80    tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  106   tcp    pop3pw           open   Mercury/32 poppass service
192.168.0.106  110   tcp    pop3             open   Mercury/32 pop3d
192.168.0.106  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.106  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.106  143   tcp    imap             open   Mercury/32 imapd 4.62
192.168.0.106  443   tcp    ssl/http         open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.106  445   tcp    microsoft-ds     open
192.168.0.106  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.106  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.106  1433  tcp    ms-sql-s         open   Microsoft SQL Server 2014 12.00.2269.00; RTM+
192.168.0.106  2383  tcp    ms-olap4         open
192.168.0.106  2869  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  3306  tcp    mysql            open   MariaDB unauthorized
192.168.0.106  5555  tcp    freeciv          open
192.168.0.106  8000  tcp    http-alt         open   WSGIServer/0.2 CPython/3.8.0
192.168.0.106  8009  tcp    ajp13            open   Apache Jserv Protocol v1.3
192.168.0.106  8080  tcp    http             open   Apache Tomcat/Coyote JSP engine 1.1
192.168.0.106  8100  tcp    http             open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.151  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.151  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.151  445   tcp    microsoft-ds     open
192.168.0.151  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.151  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.151  5357  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP

db_nmap runs nmap and imports its results into the current workspace; the workspace is cumulative, which is why 192.168.0.151 still shows up although only 192.168.0.106 was scanned here. The info column is nmap's version-detection output (-A), and lines like "MariaDB unauthorized" or the VMware authentication daemons are the ones worth following up.
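What db_nmap stores, as an added example that is not the notes' or Metasploit's own import code: db_nmap saves nmap's XML (-oX) output and imports it, and the `services` table is a flattened view of that XML. The parser below builds the same host/port/proto/name/state/info rows from a constructed XML sample that mirrors three rows of the scan above (field names follow nmap's -oX format; the port-8443 closed row is made up to exercise the -u filter), and `services()` reproduces the `-u` and `-p` filters.

```python
"""Rebuild the `services` view from the nmap XML that db_nmap imports.

Added example, not code from the original notes or Metasploit. SAMPLE_NMAP_XML
is constructed to mirror a few rows of the scan above; attribute names follow
nmap's -oX output.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -A -oX - 192.168.0.106">
  <host>
    <status state="up"/>
    <address addr="192.168.0.106" addrtype="ipv4"/>
    <address addr="C8:FF:28:E8:B8:AD" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="FileZilla ftpd" version="0.9.41 beta" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.23"
                 extrainfo="(Win32) OpenSSL/1.0.2h PHP/5.6.28" tunnel="ssl" method="probed"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MariaDB" extrainfo="unauthorized" method="probed"/>
      </port>
      <port protocol="tcp" portid="8443">
        <state state="closed" reason="reset"/>
        <service name="https-alt" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per port, shaped like a row of the `services` table."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            name, info = "", ""
            if svc is not None:
                name = svc.get("name", "")
                if svc.get("tunnel"):          # nmap: tunnel="ssl" -> "ssl/http"
                    name = f"{svc.get('tunnel')}/{name}"
                # product + version + extrainfo become the `info` column
                info = " ".join(
                    svc.get(k) for k in ("product", "version", "extrainfo") if svc.get(k)
                )
            rows.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": name,
                "state": state.get("state") if state is not None else "",
                "info": info,
            })
    return rows


def services(rows, up_only=False, ports=None):
    """Filter like `services -u` (open only) and `services -p 21,3306`."""
    out = rows
    if up_only:
        out = [r for r in out if r["state"] == "open"]
    if ports:
        out = [r for r in out if r["port"] in set(ports)]
    return out


def format_table(rows):
    """Render rows in the column layout msfconsole prints."""
    header = ("host", "port", "proto", "name", "state", "info")
    widths = {h: max([len(h)] + [len(str(r[h])) for r in rows]) for h in header}
    lines = ["  ".join(h.ljust(widths[h]) for h in header)]
    lines.append("  ".join(("-" * len(h)).ljust(widths[h]) for h in header))
    lines += ["  ".join(str(r[h]).ljust(widths[h]) for h in header) for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    all_rows = parse_services(SAMPLE_NMAP_XML)
    print(format_table(services(all_rows, up_only=True)))
```

Keeping the XML (or exporting the workspace with db_export) is what makes later pivoting cheap: `services -p 1433 -u` or `hosts -S mysql` style queries only work because version detection was stored once, rather than rescanning each time a new module needs a target list.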
Port scanning with Metasploit
Searching for the available port scanners
msf6 auxiliary(scanner/ip/ipidseq) > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
   3  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   4  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   7  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator

Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access

msf6 > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 auxiliary(scanner/portscan/syn) > set threads 100
threads => 100
msf6 auxiliary(scanner/portscan/syn) > run
[+]  TCP OPEN 192.168.0.155:135
[+]  TCP OPEN 192.168.0.155:139
[+]  TCP OPEN 192.168.0.155:445
…
The SYN scanner is slow compared with nmap, but it finds 135, 139, 445, ... open. The portscan/syn module needs raw sockets (run msfconsole as root); portscan/tcp is the fallback that works without them, at the cost of completing the handshake and so being logged by the target service.
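The THREADS trade-off in plain sockets, as an added example that is not part of the original notes or of Metasploit: a multi-threaded TCP connect scanner, the unprivileged counterpart of auxiliary/scanner/portscan/tcp. It starts its own throwaway listener on 127.0.0.1 so it runs offline; the host and port range in the demo call are constructed, and the timeout and thread count are the knobs that decide how slow (and how noisy) the scan is. Use it only against hosts you are authorised to scan.

```python
"""Threaded TCP connect scan (the portscan/tcp approach) against a local listener.

Added example, not code from the original notes or Metasploit. The listener
and the scanned range are constructed so the script runs offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def check_port(host, port, timeout=0.5):
    """Full handshake (connect scan): open if connect() succeeds, closed on RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return port, "open"
        except ConnectionRefusedError:          # RST came back: closed
            return port, "closed"
        except (socket.timeout, OSError):       # no answer: filtered/dropped
            return port, "filtered"


def tcp_scan(host, ports, threads=16, timeout=0.5):
    """Scan `ports` with `threads` workers; more threads is faster but noisier."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return dict(pool.map(lambda p: check_port(host, p, timeout), ports))


def start_listener(host="127.0.0.1"):
    """Bind a throwaway server on an ephemeral port so the scan has something to find.

    Returns (server_socket, port); close the socket to stop the accept loop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()                    # accept, then drop: enough for a scan
            except OSError:
                break                           # srv was closed

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, listening = start_listener()
    # Constructed range around the listener: one open port, the rest closed or in use.
    result = tcp_scan("127.0.0.1", range(listening - 2, listening + 3), threads=8)
    for port, state in sorted(result.items()):
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

Every worker completes a real three-way handshake, so the target's service (and any host firewall log) sees a connection for each open port; that visibility is the price of not needing raw sockets. With 100 threads against a single host, as in the msf run above, the limiting factor becomes the target's own rate limiting and the per-probe timeout on filtered ports, not the scanner.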