网络空间安全之一个WH的超前沿全栈技术深入学习之路(14)h红队/白帽必经之路——如何用Metasploit 渗透测试之信息收集篇[竟然是红队,那就对自己狠一点]
网络空间安全之一个WH的超前沿全栈技术深入学习之路(14)h红队/白帽必经之路——如何用Metasploit 渗透测试之信息收集篇[竟然是红队,那就对自己狠一点]
盛透侧视攻城狮
发布于 2024-12-25 09:07:03
发布于 2024-12-25 09:07:03
代码可运行
运行总次数:0
代码可运行
Metasploit 渗透测试之信息收集
1.基于 tcp 协议收集主机信息
- 使用 Metasploit 中的 nmap 和 arp_sweep 收集主机信息
- Metasploit 中也有 NMAP 工具
msf6 > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > ARP 扫描
msf5 > use auxiliary/scanner/discovery/arp_sweep查看一下模块需要配置哪些参数
msf6 auxiliary(scanner/discovery/arp_sweep) > show options
Module options (auxiliary/scanner/discovery/arp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target host(s), see https://docs.metasploit.com/d
ocs/using-metasploit/basics/using-metasploit.html
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 5 yes The number of seconds to wait for new data
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/discovery/arp_sweep) > 
配置 RHOSTS(扫描的目标网络)即可
msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > 补充:
- SHOST 和 SMAC 是伪造源 IP 和 MAC 地址使用的。
配置线程数
RHOSTS => 192.168.1.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 30
THREADS => 30
msf6 auxiliary(scanner/discovery/arp_sweep) > run
退出一下
msf6 auxiliary(scanner/discovery/arp_sweep) > back2.使用半连接方式扫描 TCP 端口
msf6 > search portscan
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
3 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
4 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
7 auxiliary/scanner/http/wordpress_pingback_access normal No Wordpress Pingback Locator
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access 
- 紫色部分TCP 扫描相关内容,其他的是一些应用的扫描。
查看配置项
msf6 > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in millise
conds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/
- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), see https://docs.metasploit.com/d
ocs/using-metasploit/basics/using-metasploit.html
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 500 yes The reply read timeout in milliseconds
View the full module info with the info, or info -d command.
设置扫描的目标
msf6 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf6 auxiliary(scanner/portscan/syn) > 
设置端口范围使用逗号隔开
msf6 auxiliary(scanner/portscan/syn) > et RHOSTS 192.168.1.1
[-] Unknown command: et
msf6 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf6 auxiliary(scanner/portscan/syn) > set PORTS 80
PORTS => 80设置线程数
msf6 > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > et RHOSTS 192.168.1.1
[-] Unknown command: et
msf6 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf6 auxiliary(scanner/portscan/syn) > set PORTS 80
PORTS => 80
msf6 auxiliary(scanner/portscan/syn) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/syn) > set THREADS 20
THREADS => 20
msf6 auxiliary(scanner/portscan/syn) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/syn) > 
3 使用 auxiliary /sniffer 下的 psnuffle 模块进行密码嗅探
查看有哪些模块可以使用
msf6 > search psnuffle
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/sniffer/psnuffle normal No pSnuffle Packet Sniffer
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/sniffer/psnuffle查看 psnuffle 的模块作用:
msf6 > use auxiliary/sniffer/psnuffle
msf6 auxiliary(sniffer/psnuffle) > info
Name: pSnuffle Packet Sniffer
Module: auxiliary/sniffer/psnuffle
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Max Moser <mmo@remote-exploit.org>
Available actions:
Name Description
---- -----------
List List protocols
=> Sniffer Run sniffer
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PROTOCOLS all yes A comma-delimited list of protocols to sniff or "all".
SNAPLEN 65535 yes The number of bytes to capture
TIMEOUT 500 yes The number of seconds to wait for new data
Description:
This module sniffs passwords like dsniff did in the past
View the full module info with the info -d command.
msf6 auxiliary(sniffer/psnuffle) > 
补充:
- This module sniffs passwords like dsniff did in the past
- 这个 psnuffle 模块可以像以前的 dsniff 命令一样,去嗅探密码,只支持 pop3、imap、ftp、HTTP GET 协议。
msf6 auxiliary(sniffer/psnuffle) > show options
Module options (auxiliary/sniffer/psnuffle):
Name Current Setting Required Description
---- --------------- -------- -----------
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PROTOCOLS all yes A comma-delimited list of protocols to sniff or "all".
SNAPLEN 65535 yes The number of bytes to capture
TIMEOUT 500 yes The number of seconds to wait for new data
Auxiliary action:
Name Description
---- -----------
Sniffer Run sniffer
View the full module info with the info, or info -d command.
msf6 auxiliary(sniffer/psnuffle) > 
- 新建一个终端窗口登录 ftp,Metasploitable2-Linux 靶机中已经开启了 ftp 服务可以直接登录。
安装 lftp 命令
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# apt install lftp -y
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成
下列软件包是自动安装的并且现在不需要了:
cpp-13 fonts-noto-color-emoji ibverbs-providers libboost-iostreams1.74.0
libboost-thread1.74.0 libcephfs2 libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0 libibverbs1
libnsl-dev libpython3.11-dev librados2 librdmacm1 libtirpc-dev python3-lib2to3
python3.11-dev samba-ad-provision samba-dsdb-modules samba-vfs-modules
使用'apt autoremove'来卸载它(它们)。
下列【新】软件包将被安装:
lftp
升级了 0 个软件包,新安装了 1 个软件包,要卸载 0 个软件包,有 1798 个软件包未被升级。
需要下载 768 kB 的归档。
解压缩后会消耗 2,434 kB 的额外空间。
获取:1 http://http.kali.org/kali kali-rolling/main amd64 lftp amd64 4.9.2-3+b1 [768 kB]
已下载 768 kB,耗时 3秒 (269 kB/s)
正在选中未选择的软件包 lftp。
(正在读取数据库 ... 系统当前共安装有 406287 个文件和目录。)
准备解压 .../lftp_4.9.2-3+b1_amd64.deb ...
正在解压 lftp (4.9.2-3+b1) ...
正在设置 lftp (4.9.2-3+b1) ...
正在处理用于 kali-menu (2023.4.7) 的触发器 ...
正在处理用于 desktop-file-utils (0.27-1) 的触发器 ...
正在处理用于 hicolor-icon-theme (0.17-2) 的触发器 ...
正在处理用于 man-db (2.12.0-3) 的触发器 ...
lftp -u msfadmin 192.168.1.180
#密码:msfadmin连接成功后,进行下数据交互,查看 ftp 目录下的文件
lftp msfadmin@192.168.1.180:~> ls
drwxr-xr-x 6 1000 1000 4096 Apr 28 2010 vulnerable
回到 MSF 终端可以看到用户名密码信息已经被获取。
嗅探完成后记得把后台任务关闭
查看后台运行的任务
msf5 auxiliary(sniffer/psnuffle) > jobs 
kill job 的 ID,关闭 job
msf5 auxiliary(sniffer/psnuffle) > kill 0 本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2024-11-30,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
