Metasploit-Based Software Penetration Testing (Part 2)


Google Hacking

Active information gathering

nmap scanning

The most basic scan

#nmap 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:09 CST
Nmap scan report for 192.168.0.106
Host is up (0.0028s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds


Scanning for live hosts: -sn

#nmap -sn 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:13 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds


Scanning multiple machines

Using IP1 IP2 … IPn
# nmap 192.168.0.106 192.168.0.150 192.168.0.158 192.168.0.160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.0017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.158
Host is up (0.0087s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.160
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)


Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 4 IP addresses (4 hosts up) scanned in 1.08 seconds


Using IP1-IP2

# nmap 192.168.0.100-160                                       
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:39 CST
Nmap scan report for 192.168.0.106
Host is up (0.00058s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.151
Host is up (0.016s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.158
Host is up (0.016s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.159
Host is up (0.012s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.150
Host is up (0.0000030s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http


Nmap done: 61 IP addresses (5 hosts up) scanned in 4.12 seconds


Using IP/24

# nmap 192.168.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:34 CST
Nmap scan report for 192.168.0.1
Host is up (0.0086s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  upnp
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)


Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.151
Host is up (0.017s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.158
Host is up (0.021s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.159
Host is up (0.013s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)


Nmap scan report for 192.168.0.161
Host is up (0.00029s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)


Nmap scan report for 192.168.0.150
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 256 IP addresses (7 hosts up) scanned in 5.18 seconds


Scanning devices with ICMP

ICMP echo (ping-style request/response) scan: -PE
#nmap -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds


ICMP timestamp scan: -PP
#nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 11:55 CST
Nmap scan report for 192.168.0.106
Host is up (0.0021s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds


ICMP address mask scan: -PM
#nmap -PM 192.168.0.106



Scanning devices with TCP

TCP SYN ping scan: -PS
#nmap -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.0022s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds


TCP ACK ping scan: -PA
# nmap -PA 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:05 CST
Nmap scan report for 192.168.0.106
Host is up (0.00017s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds


UDP ping scan: -PU

UDP scanning is simpler, but less convenient than TCP, and slow.


#nmap -PU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds


Port scanning

Port categories

- Well-known ports: 0-1024

- Registered ports: 1025-49,151

- Dynamic/private ports: 49,152-65,535


Port states

- Open: nmap sends two SYN requests; the process listening on that port on the server answers with SYN/ACK. After receiving the reply nmap sends two RSTs and never establishes a connection, which completes the probe of that port.

- Closed: nmap sends two SYN requests; because no process is listening on the port, the kernel returns RST. When nmap receives the RST it records the result as closed.

- Filtered: the server silently drops the SYN packets from nmap and never answers. Since nmap sent two SYNs and received no reply to either, it concludes that a firewall is dropping the SYN packets.

- Unfiltered: nmap's default is a SYN scan; with the -sA option (TCP ACK scan) it sends two identical ACK packets in a row. Because the server is being acknowledged for a packet it never sent, it answers with RST; when nmap receives that RST it confirms the server did not drop the probe. Note that this probe cannot tell whether the port is open or closed; it only confirms that the server received the probe and answered nmap with RST.

- open|filtered: nmap cannot distinguish open from filtered. This state mostly appears on UDP ports; see the UDP explanation later.

- closed|filtered: closed or filtered.
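To make the decision rules above concrete, here is a small model of how nmap turns the replies it sees into these port states, covering the SYN, ACK and UDP probes the post describes (including the retry-then-give-up path that yields "filtered" and the silence that yields "open|filtered" for UDP). This is an added example, not code from the original post or from nmap itself; the reply labels and the observation list are constructed, nothing is sent on the wire, and the `summarize` helper imitates nmap's "Not shown: N closed ..." collapsing of the dominant state.

```python
"""Model of how nmap classifies a port from the replies it receives.
Added example, not code from the original post; replies are constructed
labels rather than real packets."""

from collections import Counter
from typing import Dict, List, Optional, Tuple

# Reply kinds a probe can receive (constructed labels, not wire formats)
SYN_ACK = "SYN/ACK"
RST = "RST"
ICMP_PORT_UNREACH = "ICMP type 3 code 3"    # port unreachable
ICMP_ADMIN_PROHIB = "ICMP type 3 code 13"   # administratively prohibited
UDP_DATA = "UDP payload"
NO_REPLY = None                              # probe timed out


def classify_syn(replies: List[Optional[str]]) -> str:
    """-sS: nmap sends a SYN and retries when it hears nothing (the post
    describes two SYNs); the first definite reply decides the state."""
    for r in replies:
        if r == SYN_ACK:
            return "open"        # a process is listening; nmap answers with RST
        if r == RST:
            return "closed"      # the kernel refused: nothing listens there
        if r == ICMP_ADMIN_PROHIB:
            return "filtered"    # a filter said so explicitly
    return "filtered"            # silence on every attempt


def classify_ack(replies: List[Optional[str]]) -> str:
    """-sA: an ACK for a segment the target never sent.  Any RST proves the
    packet got through (unfiltered) but says nothing about open vs closed."""
    for r in replies:
        if r == RST:
            return "unfiltered"
        if r == ICMP_ADMIN_PROHIB:
            return "filtered"
    return "filtered"


def classify_udp(replies: List[Optional[str]]) -> str:
    """-sU: silence is ambiguous, so it maps to open|filtered."""
    for r in replies:
        if r == UDP_DATA:
            return "open"
        if r == ICMP_PORT_UNREACH:
            return "closed"
        if r == ICMP_ADMIN_PROHIB:
            return "filtered"
    return "open|filtered"


CLASSIFIERS = {"syn": classify_syn, "ack": classify_ack, "udp": classify_udp}


def classify_all(observations: List[Tuple[int, str, List[Optional[str]]]]) -> Dict[Tuple[int, str], str]:
    """observations are (port, probe kind, replies per attempt); returns state per port."""
    return {(port, kind): CLASSIFIERS[kind](replies) for port, kind, replies in observations}


def summarize(states: Dict[Tuple[int, str], str]) -> Tuple[str, int, List[Tuple[int, str, str]]]:
    """Collapse the dominant state the way nmap's 'Not shown: N closed ...'
    line does, and list only the remaining ports."""
    majority, count = Counter(states.values()).most_common(1)[0]
    listed = sorted((port, kind, st) for (port, kind), st in states.items() if st != majority)
    return majority, count, listed


# Constructed observations, loosely modelled on the post's scans of 192.168.0.106
SAMPLE = [
    (21,   "syn", [SYN_ACK]),
    (22,   "syn", [RST]),
    (23,   "syn", [RST]),
    (80,   "syn", [SYN_ACK]),
    (3389, "syn", [RST]),
    (8443, "syn", [NO_REPLY, NO_REPLY]),   # dropped twice -> filtered
    (445,  "ack", [RST]),                   # reached the host -> unfiltered
    (137,  "udp", [UDP_DATA]),
    (138,  "udp", [NO_REPLY, NO_REPLY]),   # silence -> open|filtered
    (53,   "udp", [ICMP_PORT_UNREACH]),
]

if __name__ == "__main__":
    majority, count, listed = summarize(classify_all(SAMPLE))
    print(f"Not shown: {count} {majority} ports")
    for port, kind, state in listed:
        print(f"{port}/{kind}\t{state}")
```

The point of the model is the asymmetry a reader should carry into the scan outputs that follow: a SYN scan gives a definite answer only when something replies, an ACK scan can only say "a filter did or did not drop this", and a UDP scan cannot tell an open port from a dropped probe without help from the application layer.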


Scanning techniques
No port scan: -sn

# nmap -sn 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:26 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds



# nmap -sn -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:27 CST
Nmap scan report for 192.168.0.106
Host is up (0.00055s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds



# nmap -sn 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:30 CST
Nmap scan report for 192.168.0.1
Host is up (0.0043s latency).
MAC Address: F4:83:CD:A6:DE:E3 (Tp-link Technologies)
Nmap scan report for 192.168.0.106
Host is up (0.00036s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.151
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.158
Host is up (0.12s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.159
Host is up (0.086s latency).
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Nmap scan report for 192.168.0.161
Host is up (0.00032s latency).
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap scan report for 192.168.0.150
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.40 seconds


SYN half-open scan: -sS

Nmap machine → SYN → target

target → SYN+ACK → Nmap machine

Nmap machine → RST → target (connection torn down)

Returns Open, Closed, Filtered


#nmap -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:33 CST
Nmap scan report for 192.168.0.106
Host is up (0.0011s latency).
Not shown: 978 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds


Connect scan: -sT

Completes the three-way handshake

Nmap machine → SYN → target

target → SYN+ACK → Nmap machine

Nmap machine → ACK → target (connection established)


#nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:44 CST
Nmap scan report for 192.168.0.106
Host is up (0.0013s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds


UDP scan: -sU

Returns Open and Open|filtered; very slow. A port reported as filtered may be Open or may be Closed.


#nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:47 CST
Stats: 0:17:39 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.44% done; ETC: 13:05 (0:00:06 remaining)
Nmap scan report for 192.168.0.106
Host is up (0.00064s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT     STATE         SERVICE
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5050/udp open|filtered mmcc
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1080.72 seconds


Scan all ports: -p "*"

#nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:49 CST
Nmap scan report for 192.168.0.106
Host is up (0.0039s latency).
Not shown: 8319 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
79/tcp   open  finger
80/tcp   open  http
105/tcp  open  csnet-ns
106/tcp  open  pop3pw
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
1536/tcp open  ampr-inter
1537/tcp open  sdsc-lm
1538/tcp open  3ds-lm
1539/tcp open  intellistor-lm
1540/tcp open  rds
1552/tcp open  pciarray
1639/tcp open  cert-initiator
2224/tcp open  efi-mg
2383/tcp open  ms-olap4
2869/tcp open  icslap
3306/tcp open  mysql
5040/tcp open  unknown
5555/tcp open  freeciv
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds


Scan the n most common ports: --top-ports n

#nmap -top-ports 10  192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 12:54 CST
Nmap scan report for 192.168.0.106
Host is up (0.00039s latency).
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   open   smtp
80/tcp   open   http
110/tcp  open   pop3
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds


Scan a specified port: -p port


# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:02 CST
Nmap scan report for 192.168.0.106
Host is up (0.00056s latency).
PORT     STATE SERVICE
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds


OS scanning

nmap's OS scan works actively, sending 15 probes. It cannot identify the OS with certainty; it only makes an inference.


Basic OS scan: -O

# nmap -O 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:05 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 13:05 (0:00:00 remaining)
Nmap scan report for 192.168.0.161
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds


Only attempt OS detection on hosts that have both open and closed ports: -O --osscan-limit

# nmap -O --osscan-limit 192.168.0.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:37 CST
Nmap scan report for 192.168.0.158
Host is up (0.0068s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.98 seconds


Guess the closest-matching OS for the target: -O --osscan-guess

Requires root privileges


# nmap -O --osscan-guess 192.168.0.159
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 14:42 CST
Nmap scan report for 192.168.0.159
Host is up (0.0092s latency).
All 1000 scanned ports on 192.168.0.159 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 38:00:25:34:7E:7F (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds


Scanning target services

Scanning techniques

Port scan: SYN scan by default

Service identification: send probe packets and confirm the service from the values returned

Version identification: send probe packets and analyze the returned data to determine the service version

Service scan: -sV

# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
443/tcp  open  ssl/http        Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s        Microsoft SQL Server 2014 12.00.2269
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
3306/tcp open  mysql           MariaDB (unauthorized)
5555/tcp open  freeciv?
8009/tcp open  ajp13           Apache Jserv (Protocol v1.3)
8080/tcp open  http            Apache Tomcat/Coyote JSP engine 1.1
8100/tcp open  http            Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
=====NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port3000-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Wed,\x2015\x20Jun\x202022\x2002:20
SF::09\x20GMT\r\nContent-Length:\x2029\r\n\r\n
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20We
SF:d,\x2015\x20Jun\x202022\x2002:20:14\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
SF:\x20mode=block\r\nDate:\x20Wed,\x2015\x20Jun\x202022\x2002:20:40\x20GMT
SF:\r\nContent-Length:\x2029\r\n\r\n
SF:);
===NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port5555-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,138,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20no-cache\r\
SF:nPragma:\x20no-cache\r\nExpires:\x200\r\ncharset:\x20UTF8\r\nX-Frame-Op
SF:tions:\x20DENY\r\nX-XSS-Protection:\x201;\x20mode=block\r\nX-Content-Ty
SF:pe-Options:\x20nosniff\r\nContent-Type:\x20text/html\r\n\r\n{\"STATUS\"
SF::\x20\"REDIRECT\",\x20\"RESPONSE\":\x20\"mlogin\.html\",\x20\"ExtendedR
SF:esponse\":\x20\[{\"last_notification_change_ts\"\x20:\x20\"\"}\]}")%r(G
SF:etRequest,2D,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20mlogin\.html\r\
SF:n\r\n")%r(HTTPOptions,2D,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20mlo
SF:gin\.html\r\n\r\n")%r(RTSPRequest,2D,"HTTP/1\.0\x20302\x20Found\r\nLoca
SF:tion:\x20mlogin\.html\r\n\r\n")%r(FourOhFourRequest,6E,"HTTP/1\.1\x2040
SF:4\x20Not\x20Found\r\nCache-Control:\x20max-age=3600,\x20must-revalidate
SF:\r\nExpires:\x20Thu,\x2015\x20Jun\x202023\x2002:21:07\x20GMT\r\n")%r(SI
SF:POptions,138,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20no-cache\r\nP
SF:ragma:\x20no-cache\r\nExpires:\x200\r\ncharset:\x20UTF8\r\nX-Frame-Opti
SF:ons:\x20DENY\r\nX-XSS-Protection:\x201;\x20mode=block\r\nX-Content-Type
SF:-Options:\x20nosniff\r\nContent-Type:\x20text/html\r\n\r\n{\"STATUS\":\
SF:x20\"REDIRECT\",\x20\"RESPONSE\":\x20\"mlogin\.html\",\x20\"ExtendedRes
SF:ponse\":\x20\[{\"last_notification_change_ts\"\x20:\x20\"\"}\]}");
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds


Combined nmap scans


# nmap -Pn -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:35 CST
Nmap scan report for 192.168.0.106
Host is up (0.00014s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds



# nmap -Pn -sS -A 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 12:40 CST
Nmap scan report for 192.168.0.106
Host is up (0.00029s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
443/tcp  open  ssl/http        Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.0.106/dashboard/
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s        Microsoft SQL Server 2014 12.00.2269.00; RTM+
| ms-sql-ntlm-info: 
|   Target_Name: DESKTOP-9A8VFKB
|   NetBIOS_Domain_Name: DESKTOP-9A8VFKB
|   NetBIOS_Computer_Name: DESKTOP-9A8VFKB
|   DNS_Domain_Name: DESKTOP-9A8VFKB
|   DNS_Computer_Name: DESKTOP-9A8VFKB
|_  Product_Version: 10.0.17763
|_ssl-date: 2022-06-20T04:43:40+00:00; +10s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-20T02:24:59
|_Not valid after:  2052-06-20T02:24:59
2383/tcp open  ms-olap4?
3000/tcp open  ppp?


Saving scan results to an XML file and to the database

Saving scan results to an XML file

#nmap -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
#cat nmap.xml 





Saving scan results into the Metasploit database

1) First write the scan to an XML file


#nmap -Pn -sS -A -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-21 13:30 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.0.106 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1   0.71 ms 192.168.0.106
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.18 seconds


2) Then import it into the database

msf6 > db_import /home/jerry/nmap.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.13.1'
[*] Importing host 192.168.0.106
[*] Successfully imported /home/jerry/nmap.xml
msf6 > hosts -c address
Hosts
=====
address
-------
192.168.0.106
192.168.0.155
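Both the -oX output above and the db_import step parse the same nmap XML document. The following added example, which is not the post's code nor nmap's or Metasploit's, shows what that document contains and how to extract from it the inventory of open services that db_import feeds into the msf database. The XML sample is constructed by hand, modelled on the post's scan of 192.168.0.106 (the second, down host and the allow list are illustrative), and the `unexpected_exposure` check is the defender's use of such a scan: open ports that are not on the list of what should be listening.

```python
"""Parser for the XML written by nmap -oX, the format that db_import reads.
Added example, not code from the post, nmap or Metasploit; the sample
document is constructed and only modelled on the post's scan."""

import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap.xml 192.168.0.106" version="7.92">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.106" addrtype="ipv4"/>
    <address addr="C8:FF:28:E8:B8:AD" addrtype="mac" vendor="Liteon Technology"/>
    <ports>
      <extraports state="closed" count="985"/>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/>
      </port>
      <port protocol="tcp" portid="1433">
        <state state="open" reason="syn-ack"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" version="2014 12.00.2269"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MariaDB"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.107" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(text: str) -> List[Dict]:
    """Return one record per host that was up: ip, mac and its port list."""
    root = ET.fromstring(text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                       # nmap may still emit down hosts; skip them
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        ports = []
        for p in host.iter("port"):
            state = p.find("state")
            svc = p.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
        hosts.append({"ip": addrs.get("ipv4"), "mac": addrs.get("mac"), "ports": ports})
    return hosts


def open_services(text: str) -> List[Tuple[str, str, str]]:
    """Flatten to (ip, port/proto, service) for open ports only: the kind of
    inventory msf's hosts/services tables hold after db_import."""
    rows = []
    for h in parse_nmap_xml(text):
        for p in h["ports"]:
            if p["state"] == "open":
                rows.append((h["ip"], f'{p["port"]}/{p["proto"]}', p["service"]))
    return rows


def unexpected_exposure(text: str, allowlist: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Open ports not in the allow list of (ip, port/proto) pairs."""
    return [r for r in open_services(text) if (r[0], r[1]) not in allowlist]


if __name__ == "__main__":
    # Constructed allow list: only the web server on .106 is expected to listen
    for row in unexpected_exposure(SAMPLE_XML, {("192.168.0.106", "80/tcp")}):
        print("unexpected:", row)
```

Running the block against a real nmap.xml is a matter of `open("nmap.xml").read()` in place of `SAMPLE_XML`; the structure (`host` > `address`/`ports` > `port` > `state`/`service`) is the one nmap has written for years, and the `extraports` element carries the count that the text output shows as "Not shown: N closed".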


msf can also work with MySQL; in BT5 R1, msf supports connecting to MySQL by default:


msf> db_driver mysql
msf> db_connect root:123456@127.0.0.1/msf3   # connect to the msf3 database on the local MySQL

The MySQL default password is 123456; when connecting with db_connect, the msf3 database is created automatically.


Scanning with the Metasploit database


Overview


#/etc/init.d/postgresql start
Starting postgresql (via systemctl): postgresql.service.
# msfconsole
msf> db_connect postgres:123456@127.0.0.1/msf   (the initial default is postgres:toor)
[*] Connected to Postgres data service: 127.0.0.1/msf 
msf> db_status
[*] Connected to msf. Connection type: postgresql.


TCP idle scan

Find an idle host and scan through it, so that the scan appears not to originate from your own machine.

The idle host is chosen by its IPID: an idle host whose IP packet identification (IP ID) field follows a predictable sequence.


msf6 > use auxiliary/scanner/ip/ipidseq
msf6 auxiliary(scanner/ip/ipidseq) > options
Module options (auxiliary/scanner/ip/ipidseq):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
INTERFACE                   no        The name of the interface
RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT      80               yes       The target port
SNAPLEN    65535            yes       The number of bytes to capture
THREADS    1                yes       The number of concurrent threads (max one per host)
TIMEOUT    500              yes       The reply read timeout in milliseconds
msf6 auxiliary(scanner/ip/ipidseq) > set rhost 192.168.0.0/24
rhost => 192.168.0.0/24
RHOSTS can be set in any of these forms:
set rhost 192.168.0.0/24
set rhost 192.168.0.0-199
set rhost File://path/xxx.txt
msf6 auxiliary(scanner/ip/ipidseq) > set threads 50
threads => 50
Suggested THREADS values: Windows: 1-16, Unix: 1-128
msf6 auxiliary(scanner/ip/ipidseq) > run
[*] 192.168.0.1's IPID sequence class: All zeros
[*] Scanned  82 of 256 hosts (32% complete)
[*] Scanned  83 of 256 hosts (32% complete)
[*] Scanned  98 of 256 hosts (38% complete)
[*] 192.168.0.106's IPID sequence class: Incremental!
[*] Scanned 103 of 256 hosts (40% complete)
[*] 192.168.0.161's IPID sequence class: All zeros
[*] 192.168.0.158's IPID sequence class: Incremental!
[*] 192.168.0.152's IPID sequence class: Randomized
[*] 192.168.0.151's IPID sequence class: Incremental!
[*] 192.168.0.159's IPID sequence class: All zeros
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 169 of 256 hosts (66% complete)
[*] Scanned 183 of 256 hosts (71% complete)
[*] Scanned 212 of 256 hosts (82% complete)
[*] Scanned 232 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed 
msf6 auxiliary(scanner/ip/ipidseq) >


The scan found hosts whose IPID sequence class is Incremental!
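The ipidseq module classifies each host from a short series of IP ID values it observes in the host's replies; the class names in the output above (All zeros, Incremental!, Randomized) come from that classification. The following is an added example, not the module's or nmap's own code, that reproduces the classification in Python so the logic behind the labels is visible. The thresholds are my approximation of the ones nmap's get_ipid_sequence() uses (assumption), the IP ID series are constructed, and the 10.0.0.x hosts are hypothetical. From a hardening standpoint, any host that comes out as Incremental is the one to flag: a kernel that randomizes the IP ID field (the default on current Windows, Linux and BSD) turns that host into Randomized and removes the problem.

```python
IPID_MAX = 65536  # the IP Identification field is 16 bits wide


def ipid_diffs(ipids):
    """Differences between consecutive IP IDs, corrected for 16-bit wraparound."""
    return [(cur - prev) % IPID_MAX for prev, cur in zip(ipids, ipids[1:])]


def ipid_sequence_class(ipids):
    """Classify an observed IP ID series with the class names the ipidseq module prints.

    Thresholds approximate nmap's get_ipid_sequence() (assumption, not copied).
    """
    if len(ipids) < 2:
        return "Unknown"
    if all(i == 0 for i in ipids):
        return "All zeros"              # host sends IP ID 0 (e.g. Linux with DF set)
    diffs = ipid_diffs(ipids)
    if len(ipids) > 2 and any(d > 20000 for d in diffs):
        return "Randomized"             # a jump this large cannot be a counter
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(d < 10 for d in diffs):
        return "Incremental!"           # a global per-packet counter: predictable
    # A counter emitted in little-endian byte order steps by 256 when read big-endian.
    if all(d % 256 == 0 and d < 5120 for d in diffs):
        return "Broken little-endian incremental!"
    return "Random positive increments"


def predictable_ipid(seq_class):
    """True for classes an auditor should flag for remediation."""
    return seq_class in ("Incremental!", "Broken little-endian incremental!")


# Constructed sample series. The first three use addresses and classes from the scan
# output in the text; the 10.0.0.x hosts are hypothetical.
SAMPLES = {
    "192.168.0.1":   [0, 0, 0, 0, 0, 0],
    "192.168.0.106": [30811, 30812, 30813, 30814, 30815, 30816],
    "192.168.0.152": [4103, 51729, 11077, 63213, 2, 40981],
    "10.0.0.7":      [65534, 65535, 0, 1, 2, 3],        # counter wrapping past 65535
    "10.0.0.8":      [2560, 2816, 3072, 3328, 3584, 3840],
    "10.0.0.9":      [1000, 1000, 1000, 1000],
}


def classify_all(samples=SAMPLES):
    """Map each sampled host to its IPID sequence class."""
    return {ip: ipid_sequence_class(seq) for ip, seq in samples.items()}


if __name__ == "__main__":
    for ip, cls in classify_all().items():
        flag = "   <- predictable IP ID, remediate" if predictable_ipid(cls) else ""
        print(f"[*] {ip}'s IPID sequence class: {cls}{flag}")
```

The wraparound handling matters in practice: a counter sitting at 65535 rolls over to 0, and without the modulo the difference would look like a huge negative jump and be misread as Randomized.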

Try sending packets to 192.168.0.161 through 192.168.0.151



msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.151 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.151 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:18 CST
Idle scan using zombie 192.168.0.151 (192.168.0.151:80); Class: Incremental
Even though your Zombie (192.168.0.151; 192.168.0.151) appears to be vulnerable to IP ID sequence prediction (class: Incremental), our attempts have failed.  This generally means that either the Zombie uses a separate IP ID base for each host (like Solaris), or because you cannot spoof IP packets (perhaps your ISP has enabled egress filtering to prevent IP spoofing), or maybe the target network recognizes the packet source as bogus and drops them
QUITTING!


Try sending packets to 192.168.0.161 through 192.168.0.106


msf6 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.0.106 192.168.0.161
[*] exec: nmap -PN -sI 192.168.0.106 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 16:20 CST
Idle scan zombie 192.168.0.106 (192.168.0.106) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.
QUITTING!


The open ports of the target host can be obtained without sending packets to the target from your own IP address.


Running nmap from the MSF console


msf6 > db_connect postgres:123456@127.0.0.1/msf
msf6 > db_nmap -sS -A 192.168.0.106
msf6 > services -u   # view the scan results
Services
========


host           port  proto  name             state  info
----           ----  -----  ----             -----  ----
192.168.0.106  21    tcp    ftp              open   FileZilla ftpd 0.9.41 beta
192.168.0.106  25    tcp    smtp             open   Mercury/32 smtpd Mail server account Maiser
192.168.0.106  79    tcp    finger           open   Mercury/32 fingerd
192.168.0.106  80    tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  106   tcp    pop3pw           open   Mercury/32 poppass service
192.168.0.106  110   tcp    pop3             open   Mercury/32 pop3d
192.168.0.106  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.106  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.106  143   tcp    imap             open   Mercury/32 imapd 4.62
192.168.0.106  443   tcp    ssl/http         open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.106  445   tcp    microsoft-ds     open
192.168.0.106  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.106  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.106  1433  tcp    ms-sql-s         open   Microsoft SQL Server 2014 12.00.2269.00; RTM+
192.168.0.106  2383  tcp    ms-olap4         open
192.168.0.106  2869  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.0.106  3306  tcp    mysql            open   MariaDB unauthorized
192.168.0.106  5555  tcp    freeciv          open
192.168.0.106  8000  tcp    http-alt         open   WSGIServer/0.2 CPython/3.8.0
192.168.0.106  8009  tcp    ajp13            open   Apache Jserv Protocol v1.3
192.168.0.106  8080  tcp    http             open   Apache Tomcat/Coyote JSP engine 1.1
192.168.0.106  8100  tcp    http             open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
192.168.0.151  135   tcp    msrpc            open   Microsoft Windows RPC
192.168.0.151  139   tcp    netbios-ssn      open   Microsoft Windows netbios-ssn
192.168.0.151  445   tcp    microsoft-ds     open
192.168.0.151  902   tcp    ssl/vmware-auth  open   VMware Authentication Daemon 1.10 Uses VNC, SOAP
192.168.0.151  912   tcp    vmware-auth      open   VMware Authentication Daemon 1.0 Uses VNC, SOAP
192.168.0.151  5357  tcp    http             open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP


Port scanning with Metasploit

Searching for port scanner modules


msf6 auxiliary(scanner/ip/ipidseq) > search portscan
Matching Modules
================
#  Name                                              Disclosure Date  Rank    Check  Description
-  ----                                              ---------------  ----    -----  -----------
0  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
2  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
3  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
4  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
6  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
7  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access
msf6 > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > set rhost 192.168.0.106
rhost => 192.168.0.106
msf6 auxiliary(scanner/portscan/syn) > set threads 100
threads => 100
msf6 auxiliary(scanner/portscan/syn) > run
[+]  TCP OPEN 192.168.0.155:135
[+]  TCP OPEN 192.168.0.155:139
[+]  TCP OPEN 192.168.0.155:445

It is very slow; ports 135, 139, 445 ... are open
