Metasploit Devil Training Camp (《Metasploit 魔鬼训练营》) 03: Intelligence Gathering Techniques
2017-09-07 11:22
This post records, in detail, the process of learning to use Metasploit on Kali Linux 2017.1.
1. Peripheral information gathering
2. Host discovery and port scanning
3. Service scanning and enumeration
4. Network vulnerability scanning
5. Penetration testing database and sharing
1. testfire.net
testfire.net is a simulated banking website that contains many typical web vulnerabilities; IBM built it as a test site to demonstrate AppScan.
2. Mining target network information through DNS and IP addresses
1. whois: domain registration lookup. The record includes the domain owner, the registrar, the administrator's e-mail address, and the registration and expiry dates.

```
msf > whois testfire.net
[*] exec: whois testfire.net

Domain Name: TESTFIRE.NET
Registry Domain ID: 8363973_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2017-07-19T05:16:54Z
Creation Date: 1999-07-23T13:52:32Z
Registry Expiry Date: 2018-07-23T13:52:32Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ASIA3.AKAM.NET
Name Server: EUR2.AKAM.NET
Name Server: EUR5.AKAM.NET
Name Server: NS1-206.AKAM.NET
Name Server: NS1-99.AKAM.NET
Name Server: USC2.AKAM.NET
Name Server: USC3.AKAM.NET
Name Server: USW2.AKAM.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-08-28T07:19:35Z <<<
```
2. nslookup: resolve the domain name to an IP address.

```
root@attacker:~# nslookup
> set type=A        # resolve A records (IP addresses)
> testfire.net
Server:         10.10.10.2
Address:        10.10.10.2#53

Non-authoritative answer:
Name:   testfire.net
Address: 65.61.137.117
> exit
root@attacker:~# nslookup
> set type=MX
> testfire.net
Server:         10.10.10.2
Address:        10.10.10.2#53

Non-authoritative answer:
*** Can't find testfire.net: No answer

Authoritative answers can be found from:
testfire.net
        origin = asia3.akam.net
        mail addr = hostmaster.akamai.com
        serial = 1366025603
        refresh = 43200
        retry = 7200
        expire = 604800
        minimum = 86400
```
3. dig: query the official DNS server directly for a precise, authoritative answer. In this run the server refused the query (status: REFUSED, recursion not available), so no answer section came back.

```
root@attacker:~# dig @ns.watson.ibm.com testfire.net

; <<>> DiG 9.10.3-P4-Debian <<>> @ns.watson.ibm.com testfire.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35209
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testfire.net.                  IN      A

;; Query time: 302 msec
;; SERVER: 129.34.20.80#53(129.34.20.80)
;; WHEN: Mon Aug 28 03:32:52 EDT 2017
;; MSG SIZE  rcvd: 41
```
4. IP2Location: find the geographic location of an IP address. For IP addresses outside China use the GeoIP lookup at https://www.maxmind.com/zh/home ; for Chinese IP addresses use www.cz88.net .
5. Netcraft: look up a site's subdomains at http://searchdns.netcraft.com/ ; a more detailed site report is available at http://toolbar.netcraft.com/site_report .
6. IP2Domain reverse lookup: mainly used to find the different virtual hosts that share one IP address. For IP addresses outside China: www.ip-address.com/reverse_ip/65.61.137.117 ; for Chinese IP addresses: http://www.7c.com/ .
3. Information gathering through search engines
1. Google Hacking techniques. Browse the Google Hacking Database at https://www.exploit-db.com/google-hacking-database/ . Automated tools: SiteDigger (download: https://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx ) and Search Diggity (download link).
2. Exploring the site's directory structure. Searching Google for "parent directory site:testfire.net" returns demo.testfire.net - /bank/ . File types worth noting: inc files hold the site's configuration, bak files are backups, and sql or txt files are SQL scripts. The msf auxiliary modules brute_dirs, dir_listing and dir_scanner can do the same job; dir_scanner as an example:

```
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > show options

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                               yes       The target address range or CIDR identifier
   RPORT       80                                                       yes       The target port (TCP)
   SSL         false                                                    no        Negotiate SSL/TLS for outgoing connections
   THREADS     1                                                        yes       The number of concurrent threads
   VHOST                                                                no        HTTP server virtual host

msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS www.testfire.net
RHOSTS => www.testfire.net
msf auxiliary(dir_scanner) > exploit

[*] Detecting error code
[*] Using code '404' as not found for 65.61.137.117
[*] Found http://65.61.137.117:80/Admin/ 403 (65.61.137.117)
[*] Found http://65.61.137.117:80/admin/ 403 (65.61.137.117)
[*] Found http://65.61.137.117:80/bank/ 200 (65.61.137.117)
[*] Found http://65.61.137.117:80/images/ 403 (65.61.137.117)
[*] Found http://65.61.137.117:80/static/ 403 (65.61.137.117)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

A hidden directory, Admin, was found: the server answered 403 (forbidden), not 404 (file not found). If a robots.txt file exists in the web root it deserves attention, because it states the rules crawlers are expected to follow when indexing the site.
3. Searching for specific file types. Searching Google for site:testfire.net filetype:xls returns one document that contains detailed contact information.
4. Searching for e-mail addresses on the site: use the msf module search_email_collector.
5. Searching for pages with existing SQL injection. Searching Google for site:testfire.net inurl:login returns the backend login URL. Entering "admin 'OR' 1" as the username logs in; entering "test OR 1=1--" as the username with any password also logs in.
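From the defender's side, a dir_scanner run like the one above leaves a recognisable trace in the web server's access log: one client collecting 403/404 responses for many distinct paths within a few seconds. The script below is an added example (not part of the original post) that flags that pattern over constructed Apache combined-format log lines; the client IPs, the word-list paths and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-format log lines (not a real capture). 10.10.10.50 is an
# ordinary visitor with one typo; 10.10.10.128 (the post's attacker VM) walks a word
# list the way dir_scanner does, collecting 403/404 for almost every path it tries.
SCANNED = ["/Admin/", "/admin/", "/backup/", "/bank/", "/cgi-bin/", "/images/", "/inc/",
           "/old/", "/static/", "/test/", "/tmp/", "/upload/", "/webadmin/"]
STATUS = {"/Admin/": 403, "/admin/": 403, "/bank/": 200, "/images/": 403, "/static/": 403}
SAMPLE_ACCESS_LOG = [
    '10.10.10.50 - - [28/Aug/2017:21:42:58 -0400] "GET /bank/login.aspx HTTP/1.1" 200 5213 "-" "Mozilla/5.0"',
    '10.10.10.50 - - [28/Aug/2017:21:42:59 -0400] "GET /bank/logni.aspx HTTP/1.1" 404 1245 "-" "Mozilla/5.0"',
] + [
    f'10.10.10.128 - - [28/Aug/2017:21:43:{1 + i // 4:02d} -0400] "GET {p} HTTP/1.1" '
    f'{STATUS.get(p, 404)} 1245 "-" "Mozilla/4.0"'
    for i, p in enumerate(SCANNED)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) ')


def parse_line(line):
    """One combined-format line -> dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],   # ignore query strings when counting paths
        "status": int(m["status"]),
    }


def detect_dir_bruteforce(lines, window_s=60, min_errors=10, min_distinct=8):
    """Flag clients that collect >= min_errors 403/404 responses spread over
    >= min_distinct distinct paths inside any window_s-second sliding window.
    The thresholds are assumptions; tune them against your own 404 baseline."""
    recent = defaultdict(deque)      # ip -> error responses inside the current window
    alerts = {}
    for rec in (parse_line(line) for line in lines):
        if rec is None or rec["status"] not in (403, 404):
            continue
        q = recent[rec["ip"]]
        q.append(rec)
        while (rec["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()
        distinct = {r["path"] for r in q}
        if len(q) >= min_errors and len(distinct) >= min_distinct:
            a = alerts.setdefault(rec["ip"],
                                  {"first_seen": q[0]["ts"], "errors": 0, "paths": set()})
            a["errors"] = max(a["errors"], len(q))
            a["paths"] |= distinct
    return alerts


if __name__ == "__main__":
    for ip, a in detect_dir_bruteforce(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {a['errors']} 403/404 responses from {a['first_seen']:%H:%M:%S}, "
              f"{len(a['paths'])} distinct paths, e.g. {sorted(a['paths'])[:3]}")
```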
4. Host discovery and port scanning
1. ICMP ping scan

```
root@attacker:~# ping -c 5 www.dvssc.com
PING www.dvssc.com (10.10.10.129) 56(84) bytes of data.
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=1 ttl=64 time=0.322 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=2 ttl=64 time=0.211 ms
64 bytes from www.dvssc.com (10.10.10.129): icmp_seq=3 ttl=64 time=0.247 ms

--- www.dvssc.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3055ms
rtt min/avg/max/mdev = 0.211/0.253/0.322/0.045 ms
```

2. msf host discovery modules. Path: /module/auxiliary/scanner/discovery/ . The main ones are arp_sweep, empty_udp, ipv6_multicast_ping, ipv6_neighbor, ipv6_neighbor_router_advertisement, udp_probe and udp_sweep. Commonly used: arp_sweep enumerates all active hosts on the local LAN with ARP requests; udp_sweep sends UDP packets to check whether the specified hosts are alive and to discover UDP services on them.

```
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run

[*] 10.10.10.1 appears to be up (VMware, Inc.).
[*] 10.10.10.2 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.129 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

3. Host discovery with Nmap. -sn: ICMP ping scan to find the live hosts on the network.

```
msf > nmap -sn 10.10.10.0/24
[*] exec: nmap -sn 10.10.10.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:43 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00048s latency).
MAC Address: 00:50:56:F1:2E:08 (VMware)
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.00019s latency).
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.000076s latency).
MAC Address: 00:0C:29:19:70:BF (VMware)
Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.07 seconds
```

-Pn: skip the ping scan. -PU: host discovery by probing UDP ports; by default Nmap would go on to list open TCP ports, but combined with -sn it only detects live hosts and does not scan TCP ports.

```
msf > nmap -PU -sn 10.10.10.0/24
[*] exec: nmap -PU -sn 10.10.10.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:49 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.0013s latency).
MAC Address: 00:50:56:F1:2E:08 (VMware)
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.000073s latency).
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00017s latency).
MAC Address: 00:50:56:E7:DA:ED (VMware)
Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.00 seconds
```

4. Operating system identification. -O: fingerprint the target's operating system.

```
msf > nmap -O 10.10.10.0/24
[*] exec: nmap -O 10.10.10.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 21:51 EDT
Nmap scan report for 10.10.10.1
Host is up (0.000081s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
902/tcp   open  iss-realsecure
912/tcp   open  apex-mesh
6000/tcp  open  X11
24800/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49156/tcp open  unknown
49161/tcp open  unknown
49163/tcp open  unknown
MAC Address: 00:50:56:C0:00:08 (VMware)
Device type: general purpose
Running: Microsoft Windows Vista|7|8.1
OS CPE: cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Vista, Windows 7 SP1, or Windows 8.1 Update 1
Network Distance: 1 hop

Nmap scan report for 10.10.10.2
Host is up (0.000086s latency).
All 1000 scanned ports on 10.10.10.2 are closed
MAC Address: 00:50:56:F1:2E:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running: VMware Player
OS CPE: cpe:/a:vmware:player
OS details: VMware Player virtual NAT device
Network Distance: 1 hop

Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.00022s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
5001/tcp open  commplex-link
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00021s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:50:56:E7:DA:ED (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up (0.000057s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.6
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.17 seconds
```

5. Port scanning and service type detection

```
msf > search portscan

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner
```

The scanners: natpmp_portscan; ack: uses ACK packets to find ports a firewall does not filter; ftpbounce: enumerates TCP services through the FTP bounce technique; syn: sends TCP SYN packets to find open ports; tcp: decides whether a port is open by completing a full TCP connection; xmas: sends packets with the FIN, PSH and URG flags set, which is stealthier.

```
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set RHOSTS 10.10.10.254
RHOSTS => 10.10.10.254
msf auxiliary(syn) > set THREADS 20
THREADS => 20
msf auxiliary(syn) > run

[*]  TCP OPEN 10.10.10.254:22
[*]  TCP OPEN 10.10.10.254:23
[*]  TCP OPEN 10.10.10.254:53
[*]  TCP OPEN 10.10.10.254:513
[*]  TCP OPEN 10.10.10.254:514
[*]  TCP OPEN 10.10.10.254:1099
```

6. Nmap port scanning. Nmap reports six port states: open, closed, filtered, unfiltered, open|filtered and closed|filtered.
Scan types: -sT: TCP connect scan; -sS: TCP SYN scan; -sF / -sX / -sN: send unusual flag combinations to evade detection; -sP: send ICMP echo requests to check whether hosts are alive (same principle as ping); -sU: find open UDP ports; -sA: TCP ACK scan; -sV: probe for more detailed service information.
Scan options: -Pn: do not send an ICMP echo request before scanning to test whether the target is alive; -O: fingerprint the remote host's operating system type; -F: fast scan, only the ports listed in nmap-services; -p <port>: specify a port or port range.

```
msf > nmap -sS -Pn 10.10.10.129
[*] exec: nmap -sS -Pn 10.10.10.129

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:45 EDT
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.00010s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
5001/tcp open  commplex-link
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:21:A3:A6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.20 second
```

7. Using nmap to obtain more detailed service information

```
msf > nmap -sV -Pn 10.10.10.129
[*] exec: nmap -sV -Pn 10.10.10.129

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 22:46 EDT
Nmap scan report for www.dvssc.com (10.10.10.129)
Host is up (0.000099s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Courier Imapd (released 2008)
443/tcp  open  ssl/http    Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open  java-rmi    Java RMI
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open  http        Jetty 6.1.25
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.40%I=7%D=8/28%Time=59A4D583%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4,"\xac\xed\0\x05");
MAC Address: 00:0C:29:21:A3:A6 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds

msf > nmap -sV -Pn 10.10.10.130
[*] exec: nmap -sV -Pn 10.10.10.130

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:07 EDT
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00015s latency).
Not shown: 985 closed ports
PORT     STATE SERVICE         VERSION
21/tcp   open  ftp             Microsoft ftpd
80/tcp   open  http            Microsoft IIS httpd 6.0
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds    Microsoft Windows 2003 or 2008 microsoft-ds
777/tcp  open  multiling-http?
1025/tcp open  msrpc           Microsoft Windows RPC
1026/tcp open  msrpc           Microsoft Windows RPC
1030/tcp open  msrpc           Microsoft Windows RPC
1031/tcp open  msrpc           Microsoft Windows RPC
1521/tcp open  oracle-tns      Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
6002/tcp open  http            SafeNet Sentinel Protection Server httpd 7.3
7001/tcp open  afs3-callback?
7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
8099/tcp open  http            Microsoft IIS httpd 6.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port777-TCP:V=7.40%I=7%D=8/28%Time=59A4DAC1%P=x86_64-pc-linux-gnu%r(Ker
SF:beros,5,"\x01\0\t\xe0\x06")%r(SMBProgNeg,5,"\x01\0\t\xe0\x06")%r(Termin
SF:alServer,A,"\x01\0\t\xe0\x06\x01\0\t\xe0\x06")%r(WMSRequest,5,"\x01\0\t
SF:\xe0\x06");
MAC Address: 00:0C:29:DB:51:D2 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.72 seconds

msf > nmap -sV -Pn 10.10.10.254
[*] exec: nmap -sV -Pn 10.10.10.254

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:09 EDT
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00024s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  ingreslock?
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1524-TCP:V=7.40%I=7%D=8/28%Time=59A4DAEE%P=x86_64-pc-linux-gnu%r(NU
SF:LL,27,"\x1b\[01;31mroot@gate\x1b\[00m:\x1b\[01;34m/\x1b\[00m#\x20")%r(G
MAC Address: 00:50:56:E7:DA:ED (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.99 seconds
```

5. Analysis of the scan results
Host | OS | Main open ports | Service version
---|---|---|---
Web server (10.10.10.129) | Linux | ssh (22) | OpenSSH 5.3p1
.. | .. | http (80) | Apache httpd 2.2.14
.. | .. | netbios-ssn (139) | Samba smbd 3.X - 4.X
.. | .. | imap (143) | Courier Imapd (released 2008)
.. | .. | ssl/http (443) | Apache httpd 2.2.14
.. | .. | netbios-ssn (445) | Samba smbd 3.X - 4.X
.. | .. | java-rmi (5001) | Java RMI
.. | .. | http (8080) | Apache Tomcat/Coyote JSP engine 1.1
Backend server (10.10.10.130) | Windows | ftp (21) | Microsoft ftpd
.. | .. | http (80) | Microsoft IIS httpd 6.0
.. | .. | msrpc (135) | Microsoft Windows RPC
.. | .. | netbios-ssn (139) | Microsoft Windows netbios-ssn
.. | .. | microsoft-ds (445) | Microsoft Windows 2003 or 2008 microsoft-ds
.. | .. | msrpc (1025) | Microsoft Windows RPC
.. | .. | msrpc (1026) | Microsoft Windows RPC
.. | .. | msrpc (1030) | Microsoft Windows RPC
.. | .. | msrpc (1031) | Microsoft Windows RPC
.. | .. | oracle-tns (1521) | Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
.. | .. | http (6002) | SafeNet Sentinel Protection Server httpd 7.3
.. | .. | http (7002) | SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
.. | .. | http (8099) | Microsoft IIS httpd 6.0
Gateway server (10.10.10.254) | Linux | ftp (21) | vsftpd 2.3.4
.. | .. | ssh (22) | OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
.. | .. | telnet (23) | Linux telnetd
.. | .. | smtp (25) | Postfix smtpd
.. | .. | domain (53) | ISC BIND 9.4.2
.. | .. | http (80) | Apache httpd 2.2.8 ((Ubuntu) DAV/2)
.. | .. | rpcbind (111) | 2 (RPC #100000)
.. | .. | netbios-ssn (139) | Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
.. | .. | netbios-ssn (445) | Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
.. | .. | exec (512) | netkit-rsh rexecd
.. | .. | rmiregistry (1099) | GNU Classpath grmiregistry
.. | .. | nfs (2049) | 2-4 (RPC #100003)
.. | .. | ftp (2121) | ProFTPD 1.3.1
.. | .. | mysql (3306) | MySQL 5.0.51a-3ubuntu5
.. | .. | postgresql (5432) | PostgreSQL DB 8.3.0 - 8.3.7
.. | .. | vnc (5900) | VNC (protocol 3.3)
.. | .. | X11 (6000) | (access denied)
.. | .. | irc (6667) | UnrealIRCd
.. | .. | ajp13 (8009) | Apache Jserv (Protocol v1.3)
.. | .. | http (8180) | Apache Tomcat/Coyote JSP engine 1.1
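The table above was assembled by hand from the -sV output. As an added example that is not part of the original post, the script below parses Nmap's normal -sV output into the same host/port/service/version inventory and separates out the entries Nmap could not verify (a trailing ? or tcpwrapped, as seen on the gateway host), so they can be queued for manual follow-up. The input is a constructed excerpt in the format shown above, reusing the lab's hostnames and IPs.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the `nmap -sV` output shown in this post
# (lab hostnames/IPs reused; abbreviated, not a real capture).
SAMPLE_NMAP_SV = r"""Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-28 23:09 EDT
Nmap scan report for gate.dvssc.com (10.10.10.254)
Host is up (0.00024s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
23/tcp   open  telnet      Linux telnetd
513/tcp  open  login?
514/tcp  open  tcpwrapped
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1524-TCP:V=7.40%I=7%D=8/28%Time=59A4DAEE%P=x86_64-pc-linux-gnu%r(NU
SF:LL,27,"\x1b\[01;31mroot@gate\x1b\[00m:\x1b\[01;34m/\x1b\[00m#\x20");
MAC Address: 00:50:56:E7:DA:ED (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost; OSs: Unix, Linux
Nmap scan report for 10.10.10.2
Host is up (0.00015s latency).
All 1000 scanned ports on 10.10.10.2 are closed
Nmap done: 2 IP addresses (2 hosts up) scanned in 162.99 seconds
"""

HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$")


def parse_nmap_sv(text):
    """Return {ip: {'name': hostname-or-None, 'ports': [port dicts]}} in scan order."""
    hosts = OrderedDict()
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m["ip"], {"name": m["name"], "ports": []})
            continue
        m = PORT_RE.match(line) if current is not None else None
        if not m:
            continue      # banner, MAC, SF: fingerprint and summary lines are skipped
        service, version = m["service"], m["version"] or ""
        # A trailing '?' means Nmap only guessed the service from the port number;
        # 'tcpwrapped' means the handshake completed but the service said nothing.
        # Either way the version column is empty and the entry needs manual follow-up.
        verified = bool(version) and not service.endswith("?") and service != "tcpwrapped"
        current["ports"].append({
            "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
            "service": service, "version": version, "verified": verified,
        })
    return hosts


def unverified_services(hosts):
    """(ip, 'port/proto', service) for every open port whose version Nmap could not confirm."""
    return [(ip, f"{p['port']}/{p['proto']}", p["service"])
            for ip, h in hosts.items() for p in h["ports"]
            if p["state"] == "open" and not p["verified"]]


def to_markdown(hosts):
    """Render the same Host | Port | Service | Version table the post builds by hand."""
    rows = ["Host | Port | Service | Version", "---|---|---|---"]
    for ip, h in hosts.items():
        label = f"{h['name']} ({ip})" if h["name"] else ip
        if not h["ports"]:
            rows.append(f"{label} | (no open ports) | |")
        for i, p in enumerate(h["ports"]):
            rows.append(f"{label if i == 0 else '..'} | {p['port']}/{p['proto']} | "
                        f"{p['service']} | {p['version'] or '?'}")
    return "\n".join(rows)


if __name__ == "__main__":
    inventory = parse_nmap_sv(SAMPLE_NMAP_SV)
    print(to_markdown(inventory))
    print("\nNeeds manual verification:", unverified_services(inventory))
```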
6. Possible attack paths
Possible attack path | Targets
---|---
Password guessing | 10.10.10.129: SSH, Samba; 10.10.10.130: SMB; 10.10.10.254: FTP, SSH, Telnet, MySQL, PostgreSQL
Password sniffing | 10.10.10.254: FTP, Telnet
In-depth system vulnerability scanning | Open ports on all live hosts
System vulnerability exploitation | Security vulnerabilities in all open network services
Web application vulnerability scanning | 10.10.10.129: Apache, Apache Tomcat; 10.10.10.254: Apache, Apache Tomcat
Web application vulnerability exploitation | 10.10.10.129: Apache, Apache Tomcat; 10.10.10.254: Apache, Apache Tomcat
7. Service scanning and enumeration
Once the open ports are known, the next step is usually to dig deeper into the services running on them; this is commonly called network enumeration. The Scanner auxiliary modules in msf include many service scanning and enumeration tools, typically named [service_name]_version and [service_name]_login. A [service_name]_version module walks the hosts on the network that run a given service and determines the service version; a [service_name]_login module performs password probing against that service.

```
msf > search name:_version

Matching Modules
================

   Name                                                      Disclosure Date  Rank     Description
   ----                                                      ---------------  ----     -----------
   auxiliary/fuzzers/ssh/ssh_version_15                                       normal   SSH 1.5 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_2                                        normal   SSH 2.0 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_corrupt                                  normal   SSH Version Corruption
   auxiliary/gather/ibm_sametime_version                     2013-12-27       normal   IBM Lotus Sametime Version Enumeration
   auxiliary/scanner/db2/db2_version                                          normal   DB2 Probe Utility
   auxiliary/scanner/ftp/ftp_version                                          normal   FTP Version Scanner
   auxiliary/scanner/h323/h323_version                                        normal   H.323 Version Scanner
   auxiliary/scanner/http/coldfusion_version                                  normal   ColdFusion Version Scanner
   auxiliary/scanner/http/http_version                                        normal   HTTP Version Detection
   auxiliary/scanner/http/joomla_version                                      normal   Joomla Version Scanner
   auxiliary/scanner/http/sap_businessobjects_version_enum                    normal   SAP BusinessObjects Version Detection
   auxiliary/scanner/http/ssl_version                        2014-10-14       normal   HTTP SSL/TLS Version Detection (POODLE scanner)
   auxiliary/scanner/http/svn_scanner                                         normal   HTTP Subversion Scanner
   auxiliary/scanner/imap/imap_version                                        normal   IMAP4 Banner Grabber
   auxiliary/scanner/ipmi/ipmi_version                                        normal   IPMI Information Discovery
   auxiliary/scanner/lotus/lotus_domino_version                               normal   Lotus Domino Version
   auxiliary/scanner/mysql/mysql_version                                      normal   MySQL Server Version Enumeration
   auxiliary/scanner/oracle/tnslsnr_version                  2009-01-07       normal   Oracle TNS Listener Service Version Query
   auxiliary/scanner/pop3/pop3_version                                        normal   POP3 Banner Grabber
   auxiliary/scanner/postgres/postgres_version                                normal   PostgreSQL Version Probe
   auxiliary/scanner/printer/printer_version_info                             normal   Printer Version Information Scanner
   auxiliary/scanner/sap/sap_mgmt_con_version                                 normal   SAP Management Console Version Detection
   auxiliary/scanner/scada/digi_addp_version                                  normal   Digi ADDP Information Discovery
   auxiliary/scanner/scada/digi_realport_version                              normal   Digi RealPort Serial Server Version
   auxiliary/scanner/scada/modbusdetect                      2011-11-01       normal   Modbus Version Scanner
   auxiliary/scanner/smb/smb_version                                          normal   SMB Version Detection
   auxiliary/scanner/smtp/smtp_version                                        normal   SMTP Banner Grabber
   auxiliary/scanner/snmp/aix_version                                         normal   AIX SNMP Scanner Auxiliary Module
   auxiliary/scanner/ssh/ssh_version                                          normal   SSH Version Scanner
   auxiliary/scanner/telnet/lantronix_telnet_version                          normal   Lantronix Telnet Service Banner Detection
   auxiliary/scanner/telnet/telnet_version                                    normal   Telnet Service Banner Detection
   auxiliary/scanner/vmware/vmauthd_version                                   normal   VMWare Authentication Daemon Version Scanner
   auxiliary/scanner/vxworks/wdbrpc_version                                   normal   VxWorks WDB Agent Version Scanner
   exploit/multi/svn/svnserve_date                           2004-05-19       average  Subversion Date Svnserve
   exploit/windows/browser/crystal_reports_printcontrol      2010-12-14       normal   Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
   exploit/windows/fileformat/digital_music_pad_pls          2010-09-17       normal   Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow
   exploit/windows/fileformat/orbit_download_failed_bof      2008-04-03       normal   Orbit Downloader URL Unicode Conversion Overflow
   exploit/windows/fileformat/realplayer_ver_attribute_bof   2013-12-20       normal   RealNetworks RealPlayer Version Attribute Buffer Overflow
   exploit/windows/ftp/filecopa_list_overflow                2006-07-19       average  FileCopa FTP Server Pre 18 Jul Version
   exploit/windows/scada/iconics_genbroker                   2011-03-21       good     Iconics GENESIS32 Integer Overflow Version 9.21.201.01
```
1. Scanning common network services

Telnet service scan:

```
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(telnet_version) > set THREADS 100
THREADS => 100
msf auxiliary(telnet_version) > run

[*] 10.10.10.254:23 gate.dvssc.com login: _ _ _ _ _ ____ \x0a _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a |_| \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0agate.dvssc.com login:
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

Result: 10.10.10.254 exposes a Telnet service.

SSH service scan:

```
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(ssh_version) > set THREADS 100
THREADS => 100
msf auxiliary(ssh_version) > run

[*] 10.10.10.128:22 - SSH server version: SSH-2.0-OpenSSH_7.4p1 Debian-10
[*] 10.10.10.129:22 - SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4 ( service.version=5.3p1 openssh.comment=Debian-3ubuntu4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=10.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 10.10.10.254:22 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=8.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] Auxiliary module execution completed
```

Result: 10.10.10.254 and 10.10.10.129 expose SSH services.
2. Oracle database service enumeration

```
msf > use auxiliary/scanner/oracle/tnslsnr_version
msf auxiliary(tnslsnr_version) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(tnslsnr_version) > set THREADS 50
THREADS => 50
msf auxiliary(tnslsnr_version) > run

[*] Scanned  50 of 256 hosts (19% complete)
[+] 10.10.10.130:1521     - 10.10.10.130:1521 Oracle - Version: 32-bit Windows: Version 10.2.0.1.0 - Production
[*] Scanned 129 of 256 hosts (50% complete)
[*] Scanned 167 of 256 hosts (65% complete)
[*] Scanned 184 of 256 hosts (71% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

Result: 10.10.10.130 has port 1521 (Oracle) open. For reference, SQL Server listens on port 1433 and Oracle on port 1521.
3. Open proxy detection and use. open_proxy: a convenient way to collect addresses of free HTTP proxy servers.

```
msf > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > show options

Module options (auxiliary/scanner/http/open_proxy):

   Name           Current Setting           Required  Description
   ----           ---------------           --------  -----------
   CHECKURL       http://www.google.com     yes       The web site to test via alleged web proxy
   MULTIPORTS     false                     no        Multiple ports will be used: 80, 443, 1080, 3128, 8000, 8080, 8123
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                   yes       The target address range or CIDR identifier
   RPORT          8080                      yes       The target port (TCP)
   SSL            false                     no        Negotiate SSL/TLS for outgoing connections
   THREADS        1                         yes       The number of concurrent threads
   VALIDCODES     200,302                   yes       Valid HTTP code for a successfully request
   VALIDPATTERN   <TITLE>302 Moved</TITLE>  yes       Valid pattern match (case-sensitive into the headers and HTML body) for a successfully request
   VERIFYCONNECT  false                     no        Enable CONNECT HTTP method check
   VHOST                                    no        HTTP server virtual host

msf auxiliary(open_proxy) > set SITE www.google.com
SITE => www.google.com
msf auxiliary(open_proxy) > set RHOSTS 24.25.24.1-24.25.26.254
RHOSTS => 24.25.24.1-24.25.26.254
msf auxiliary(open_proxy) > set MULTIPORTS true
MULTIPORTS => true
msf auxiliary(open_proxy) > set THREADS 100
THREADS => 100
msf auxiliary(open_proxy) > run

[*] Scanned 102 of 766 hosts (13% complete)
[*] Scanned 397 of 766 hosts (51% complete)
[*] Scanned 766 of 766 hosts (100% complete)
[*] Auxiliary module execution completed
```
4. SSH service password guessing and sniffing

```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS 10.10.10.254
RHOSTS => 10.10.10.254
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/words.txt
PASS_FILE => /root/words.txt
msf auxiliary(ssh_login) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_login) > run

[*] SSH - Starting bruteforce
[-] SSH - Failed: 'root:123456'
[-] SSH - Failed: 'root:ubuntu'
[+] SSH - Success: 'root:toor' 'uid=0(root) gid=0(root) groups=0(root) Linux gate.dvssc.com 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.10.128:42501 -> 10.10.10.254:22) at 2017-08-29 01:18:09 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
5. Password sniffing with psnuffle

```
msf > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > run
[*] Auxiliary module execution completed
[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
msf auxiliary(psnuffle) >
[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
```
6. Using OpenVAS from inside Metasploit

0. Start the OpenVAS services:

```
root@attacker:~# openvas-start
```

1. Load the OpenVAS plugin in Metasploit:

```
msf > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*] Successfully loaded plugin: OpenVAS
```

2. Connect to OpenVAS. Usage: `openvas_connect username password host port <ssl-confirm>`

```
msf > openvas_connect admin toor 127.0.0.1 9390 ok
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
[+] OpenVAS list of targets
ID                                    Name   Hosts         Max Hosts  In Use  Comment
--                                    ----   -----         ---------  ------  -------
5e78a0e1-6569-45d9-8474-d7c83d0ea8ff  test2  10.10.10.254  1          0       Metasploitable
971d579a-b65c-406c-9737-b4d946fb68b1  UUUU   10.10.10.254  1          1       Mwtasploitable
```

3. List the OpenVAS scan configurations:

```
msf > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs
ID                                    Name
--                                    ----
085569ce-73ed-11df-83c3-002264764cea  empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
daba56c8-73ec-11df-a475-002264764cea  Full and fast
```

4. Create a scan task. Usage: `openvas_task_create <name> <comment> <config_id> <target_id>`

```
msf > openvas_task_create test-scan "Scan of test2 Metasploitable" daba56c8-73ec-11df-a475-002264764cea 5e78a0e1-6569-45d9-8474-d7c83d0ea8ff
[+] OpenVAS list of tasks
ID                                    Name       Comment                       Status  Progress
--                                    ----       -------                       ------  --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO       OOOOOOOOO                     Done    -1
b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan  Scan of test2 Metasploitable  New     -1
```

5. Start the scan task. Usage: `openvas_task_start <id>`

```
msf > openvas_task_start b4baa75d-9d51-4393-a8fd-66a0480bda28
[+] OpenVAS list of tasks
ID                                    Name       Comment                       Status     Progress
--                                    ----       -------                       ------     --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO       OOOOOOOOO                     Done       -1
b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan  Scan of test2 Metasploitable  Requested  1
```

6. List the scan tasks; the new task is now Running:

```
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID                                    Name       Comment                       Status   Progress
--                                    ----       -------                       ------   --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO       OOOOOOOOO                     Done     -1
b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan  Scan of test2 Metasploitable  Running  1
```

7. List the scan tasks again once the task reaches Done:

```
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID                                    Name       Comment                       Status  Progress
--                                    ----       -------                       ------  --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO       OOOOOOOOO                     Done    -1
b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan  Scan of test2 Metasploitable  Done    -1
```

8. After the scan has finished, list the scan reports:

```
msf > openvas_report_list
ID                                    Task Name  Start Time            Stop Time
--                                    ---------  ----------            ---------
752e8852-68f4-4bff-a23c-92767a6c9bd7  test-scan  2017-08-30T06:12:51Z  2017-08-30T06:13:06Z
babf1f94-c1ca-4b4e-b678-a0cd355c6a72  UUOO       2017-08-30T00:42:12Z  2017-08-30T01:06:41Z
```

9. List the report formats that are supported:

```
msf > openvas_format_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats
ID                                    Name           Extension  Summary
--                                    ----           ---------  -------
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.
```

10. Download the scan report. Usage: `openvas_report_download <report_id> <format_id> <path> <report_name>`

```
msf > openvas_report_download
[*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
msf > openvas_report_download 752e8852-68f4-4bff-a23c-92767a6c9bd7 c402cc3e-b531-11e1-9163-406186ea4fc5 /root/reports/ tast2_scan_report.pdf
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[*] Saving report to /root/reports/tast2_scan_report.pdf
```
7. Checking a specific service for vulnerabilities

The nmap scripts are stored in /usr/share/nmap/scripts.

```
root@attacker:/usr/share/nmap/scripts# nmap --script=smb-check-vulns 10.10.10.130
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:801: 'smb-check-vulns.nse' did not match a category, filename, or directory
```

This error appears because smb-check-vulns.nse was removed starting with Nmap 6.49beta6. It was split into six scripts: smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067. Pick the script that matches the check you need; if you are not sure which one applies, the pattern `smb-vuln-*.nse` selects all of them. Quote the pattern so the shell does not expand it against the files in the scripts directory; nmap resolves the wildcard itself.

```
root@attacker:/usr/share/nmap/scripts# nmap --script="smb-vuln-*.nse" 10.10.10.130

Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-30 08:12 EDT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00022s latency).
Not shown: 985 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
777/tcp  open  multiling-http
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1031/tcp open  iad2
1521/tcp open  oracle
6002/tcp open  X11:2
7001/tcp open  afs3-callback
7002/tcp open  afs3-prserver
8099/tcp open  unknown
MAC Address: 00:0C:29:DB:51:D2 (VMware)

Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds
```
8. Analysis of the vulnerability scan results

Server | OS | High-risk vulnerability | Reference |
---|---|---|---|
Back-end server (10.10.10.130) | Windows | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service | CVE-2017-7269 |
.. | .. | IIS FTP Service RCE and DoS Vulnerability | CVE-2009-3023 |
.. | .. | Integer Overflow in IPP Service Vulnerability | CVE-2008-1446 |
.. | .. | IIS Authentication Memory Corruption Vulnerability | CVE-2010-1256 |
.. | .. | The WebDAV extension in Microsoft Internet Information Services | CVE-2009-1535 |
.. | .. | IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability | CVE-2009-1535 |
.. | .. | Microsoft Internet Information Services | CVE-2009-4444 |
.. | .. | IIS Repeated Parameter Request Denial of Service Vulnerability | CVE-2010-1899 |
.. | .. | Inverse Lookup Log Corruption (ILLC) | CVE-2003-1582 |
.. | .. | IIS FTP Service DoS Vulnerability | CVE-2009-2521 |

Server | OS | High-risk vulnerability | Reference |
---|---|---|---|
Gateway server (10.10.10.254) | Linux | ProFTPD Server SQL Injection Vulnerability | CVE-2009-0542 |
.. | .. | ProFTPD Long Command Handling Security Vulnerability | CVE-2008-4242 |
.. | .. | PHP < 5.2.13 Multiple Vulnerabilities | CVE-2010-1128 |
.. | .. | PHP 'sqlite_single_query()' and 'sqlite_array_query()' Arbitrary Code Execution | |
.. | .. | PHP Multiple Information Disclosure Vulnerabilities | CVE-2010-2190 |
.. | .. | Heap-based buffer overflow in 'mbstring' extension for PHP | CVE-2008-5557 |
.. | .. | PHP Multiple Vulnerabilities Dec-09 | CVE-2009-4018 |
.. | .. | PHP '_gdGetColors()' Buffer Overflow Vulnerability | CVE-2009-3546 |
.. | .. | http TRACE XSS attack | CVE-2004-2320 |
.. | .. | PHP Multiple Buffer Overflow Vulnerabilities | CVE-2008-3659 |
.. | .. | PHP Interruptions and Calltime Arbitrary Code Execution Vulnerability | |
.. | .. | PHP 'SplObjectStorage' Unserializer Arbitrary Code Execution Vulnerability | CVE-2010-2225 |
.. | .. | Samba SID Parsing Remote Buffer Overflow Vulnerability | CVE-2010-3069 |
.. | .. | Samba multiple vulnerabilities | CVE-2009-2813 |
.. | .. | Samba 'mount.cifs' Utility Local Privilege Escalation Vulnerability | CVE-2009-3297 |
.. | .. | Samba 'SMB1 Packet Chaining' Unspecified Remote Memory Corruption Vulnerability | CVE-2010-2063 |

Server | OS | High-risk vulnerability | Reference |
---|---|---|---|
Web server (10.10.10.129) | Linux | Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba | CVE-2013-4408 |
.. | .. | Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body | CVE-2014-0230 |
.. | .. | Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests | CVE-2011-3190 |
.. | .. | an attacker can reach JMX ports | CVE-2016-8735 |
.. | .. | Stack-based buffer overflow in Samba | CVE-2010-3069 |
.. | .. | allows remote attackers to inject a request into a session by sending this request during completion of the login form | CVE-2013-2067 |
.. | .. | apache:tomcat:6.0.24 the attacker could poison a web-cache | CVE-2016-6816 |
.. | .. | Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba | CVE-2011-2522 |
.. | .. | The MS-SAMR and MS-LSAD protocol implementations in Samba | CVE-2016-2118 |
.. | .. | The session-persistence implementation in Apache Tomcat | CVE-2016-0714 |
.. | .. | allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection | CVE-2012-2111 |
.. | .. | Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header | CVE-2010-2227 |
.. | .. | The default configuration of Apache Tomcat | CVE-2010-4312 |
.. | .. | allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding | CVE-2014-0227 |
9. The penetration-testing database

db_nmap writes nmap scan results straight into the database; db_import imports result files produced by scanners.

```
msf > db_status
[*] postgresql selected, no connection
```

Connect to the database (PostgreSQL has to be running first):

```
root@attacker:~# systemctl start postgresql.service
msf > db_status
[*] postgresql connected to msf
```

1. db_nmap is a wrapper around nmap; the difference is that it stores the results in the database automatically:

```
msf > db_nmap -Pn -sV 10.10.10.0/24
[*] Nmap: Nmap done: 256 IP addresses (6 hosts up) scanned in 411.47 seconds
```

2. Alternatively, write the nmap results to an XML file and import that file into the penetration-testing database:

```
msf > nmap -Pn -sV -oX dmz 10.10.10.0/24
root@attacker:~# ll dmz
-rw-r--r-- 1 root root 18799 Sep  1 10:32 dmz
msf > db_import /root/dmz
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.8.0'
[*] Importing host 10.10.10.1
[*] Importing host 10.10.10.2
[*] Importing host 10.10.10.129
[*] Importing host 10.10.10.130
[*] Importing host 10.10.10.128
[*] Successfully imported /root/dmz
```
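The `-oX` file that db_import consumes here is the same XML that also carries the `smb-vuln-*` host-script results from section 7. The following parser is an added example (not code from the original post or from Metasploit): it pulls the up hosts, their open ports and every finding whose state is VULNERABLE out of an nmap XML document, which is what you need when the results must be triaged outside msfconsole. The XML sample is constructed by hand to mirror the `<host>`, `<ports>` and `<hostscript>/<script>/<table>` layout nmap emits; the addresses and the single finding are taken from the lab scan above, and the down host is invented.

```python
"""Parse nmap -oX output into hosts, open ports and smb-vuln-* findings.

Added example, not part of the original post or of Metasploit. The XML
below is constructed to mirror the layout nmap emits: <host>, <address>,
<ports>/<port> and the <hostscript>/<script>/<table> tree that the vulns
NSE library produces for smb-vuln-* scripts.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the lab host from section 7 plus one host that is down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV --script=smb-vuln-* -oX dmz 10.10.10.130">
  <host>
    <status state="up"/>
    <address addr="10.10.10.130" addrtype="ipv4"/>
    <address addr="00:0C:29:DB:51:D2" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="service.dvssc.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
          <elem key="risk_factor">HIGH</elem>
        </table>
      </script>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.10.10.131" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that nmap reported as up."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts nmap could not reach carry no useful data
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        hostname = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports belong in the inventory
            service = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": service.get("name") if service is not None else None,
            })
        vulns = []
        for script in host.findall("hostscript/script"):
            # The vulns library emits one <table> per finding; a script that found
            # nothing (output="false") has no table and is skipped naturally.
            for table in script.findall("table"):
                if table.findtext("elem[@key='state']") != "VULNERABLE":
                    continue
                vulns.append({
                    "script": script.get("id"),
                    "title": table.findtext("elem[@key='title']"),
                    "ids": [e.text for e in table.findall("table[@key='ids']/elem")],
                    "risk": table.findtext("elem[@key='risk_factor']"),
                })
        hosts.append({
            "address": addrs.get("ipv4"),
            "mac": addrs.get("mac"),
            "hostname": hostname.get("name") if hostname is not None else None,
            "ports": ports,
            "vulns": vulns,
        })
    return hosts


def vulnerable_hosts(hosts):
    """Map every address with at least one VULNERABLE finding to its CVE ids."""
    result = {}
    for h in hosts:
        ids = sorted({i.split(":", 1)[-1] for v in h["vulns"] for i in v["ids"]})
        if ids:
            result[h["address"]] = ids
    return result


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in parsed:
        print(h["address"], h["hostname"], [p["port"] for p in h["ports"]])
        for v in h["vulns"]:
            print("  ", v["script"], v["risk"], v["ids"])
    print(vulnerable_hosts(parsed))
```

Feed it a real `-oX` file with `parse_nmap_xml(open("dmz").read())`; the `vulnerable_hosts` summary is the list to hand to whoever owns the patching, while the per-host port inventory is what db_import stores as hosts and services.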
10. OpenVAS and the penetration-testing database

1. Connect to OpenVAS:

```
root@attacker:~# openvas-start
Starting OpenVas Services
msf > openvas_connect admin toor 127.0.0.1 9390 ok
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
```

2. Find the report you want to import:

```
msf > openvas_report_list
[+] OpenVAS list of reports
ID                                    Task Name    Start Time            Stop Time
--                                    ---------    ----------            ---------
07b3eba7-a110-4117-b603-7e50de27759f  Oswapbwa     2017-08-30T14:41:15Z  2017-08-31T03:02:28Z
6a0bbe85-3eeb-49e1-8440-32988f6079c8  WIndows 2K3  2017-08-31T01:07:01Z  2017-08-31T01:47:53Z
d7d88501-fe7d-44d3-8b70-566d49758e3a  Ubuntu-scan  2017-08-30T14:41:20Z
eac5169e-290e-4be1-9adf-8a401d806fb2  Ubuntu-Scan  2017-08-31T01:12:44Z  2017-08-31T03:30:24Z
```

3. List the report formats that are supported:

```
msf > openvas_format_list
[+] OpenVAS list of report formats
ID                                    Name           Extension  Summary
--                                    ----           ---------  -------
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.
```

4. Import the report into the database (here the Oswapbwa scan report, in NBE format):

```
msf > openvas_report_import 07b3eba7-a110-4117-b603-7e50de27759f 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
[*] Importing report to database.
```

5. Once the import has succeeded, use vulns to view the imported vulnerability information:

```
msf > vulns
[*] Time: 2017-09-01 14:51:32 UTC Vuln: host=10.10.10.129 name=ICMP Timestamp Detection refs=CVE-1999-0524
```
11. Sharing your penetration-testing database

Metasploit offers two ways to share the penetration-testing database:

- point several computers running Metasploit at the same network-accessible database
- use the MSF RPC service

Pointing several Metasploit hosts at one network database

1. Check how the postgres process is running:

```
root@gate:~# netstat -tulnp | grep "postgres"
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      4907/postgres
tcp6       0      0 :::5432                 :::*                    LISTEN      4907/postgres
```

2. Change the address the database listens on:

```
root@attacker:~# vim /etc/postgresql/9.6/main/postgresql.conf
listen_addresses = '0.0.0.0'   # line 59
password_encryption = on       # line 88
```

3. pg_hba.conf is the client-authentication file; it defines how clients are authenticated:

```
root@attacker:~# vim /etc/postgresql/9.6/main/pg_hba.conf
host    all    all    0.0.0.0/0    md5   # line 93
```

The address column is a network mask: a /24 on 0.0.0.0 would only cover 0.0.0.0 to 0.0.0.255, so a client on 10.10.10.0/24 would never match it. 0.0.0.0/0 admits any address; restricting the rule to the lab subnet (10.10.10.0/24) is the tighter choice.

4. Restart the postgres database service:

```
root@attacker:~# systemctl restart postgresql.service
```

5. Check again that the postgresql service is running normally:

```
root@attacker:~# netstat -tulnp |grep "postgres"
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      7564/postgres
```

6. Look up the postgres database settings that msf uses:

```
root@attacker:~# vim /usr/share/metasploit-framework/config/database.yml
development: &pgsql
  adapter: postgresql
  database: msf
  username: msf
  password: admin
  host: localhost
  port: 5432
  pool: 200
  timeout: 5
```

7. The database details are therefore:

- postgres address: 10.10.10.128
- postgres port: 5432
- postgres user: msf
- postgres password: admin
- postgresql database: msf

8. Start an msf console on another computer and connect it to that database:

```
msf > db_disconnect
msf > db_status
[*] postgresql selected, no connection
msf > db_connect msf:admin@10.10.10.128:5432/msf
[*] Rebuilding the module cache in the background...
msf > db_status
[*] postgresql connected to msf
```

9. Test that the connection works:

```
msf > hosts

Hosts
=====

address       mac                name                os_name        os_flavor  os_sp  purpose  info  comments
-------       ---                ----                -------        ---------  -----  -------  ----  --------
10.10.10.1    00:50:56:c0:00:08                      Windows Vista                    client
10.10.10.2    00:50:56:f0:84:fe                      Unknown                          device
10.10.10.128                     attacker.dvssc.com  Unknown                          device
10.10.10.129  00:0c:29:19:70:bf  www.dvssc.com       Unknown                          device
10.10.10.130  00:0c:29:db:51:d2  service.dvssc.com   Windows XP                       client
10.10.10.133                                         Linux          3.X               server
10.10.10.254  00:0c:29:19:70:bf  gate.dvssc.com      Linux          2.6.X             server
```

Using the MSF RPC service

1. First start a new msf RPC service. -P sets the password required to connect, -U the username, and -a the network address to bind to (default 127.0.0.1):

```
root@attacker:~# msfrpcd -P admin -U msf -a 0.0.0.0
[*] MSGRPC starting on 0.0.0.0:55553 (SSL):Msg...
[*] MSGRPC backgrounding at 2017-09-06 21:38:09 -0400...
root@attacker:~# netstat -tulnp| grep msfrpcd
tcp        0      0 0.0.0.0:55553           0.0.0.0:*               LISTEN      1794/msfrpcd
```

2. On another computer with a matching msf4 version installed, start the MSF GUI (the current one is Armitage). `armitage` shows a login dialog:

```
root@attacker:~# armitage
Host 10.10.10.128
Port 55553
User msf
Pass admin
```

3. The login dialog connects to the msfrpcd service started above. Click Server, and the penetration-testing data from the 10.10.10.128 host is displayed here. msfrpcd shares not only the penetration-testing database but all msf modules and payloads as well.
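Before exposing the shared msf database over the network, it is worth checking that pg_hba.conf actually admits the hosts that need it and nothing more. The checker below is an added example (not code from the original post, Metasploit or PostgreSQL). It parses host rules in both the CIDR and the address-plus-netmask form, resolves which rule a given client address would hit, in file order as PostgreSQL does, and flags the settings a practitioner would not want on a shared database: `trust`, cleartext `password`, a rule open to every address, and a netmask applied to 0.0.0.0 (a common mistake when "any address" is intended, since 0.0.0.0/24 covers only 0.0.0.0 to 0.0.0.255). The pg_hba.conf excerpt is constructed, and the client 10.10.10.129 is the lab web server above; hostssl and hostnossl rules are treated as plain host rules.

```python
"""Check pg_hba.conf host rules against the clients that must reach the shared msf database.

Added example, not part of the original post or of PostgreSQL/Metasploit.
The pg_hba.conf excerpt is constructed; its 0.0.0.0/24 rule is the
easy-to-make mistake when the intent is "any address".
"""
import ipaddress

SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/24     md5
"""

HOST_TYPES = ("host", "hostssl", "hostnossl")


def parse_pg_hba(text):
    """Parse the rule lines of pg_hba.conf (CIDR or address+netmask form)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append({"type": "local", "database": f[1], "user": f[2],
                          "network": None, "method": f[3]})
        elif f[0] in HOST_TYPES and len(f) >= 5:
            if "/" in f[3]:                     # CIDR form: 10.10.10.0/24
                network, method = ipaddress.ip_network(f[3], strict=False), f[4]
            else:                               # address + netmask form
                network = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
                method = f[5]
            rules.append({"type": f[0], "database": f[1], "user": f[2],
                          "network": network, "method": method})
    return rules


def matching_rule(rules, client_ip, database="msf", user="msf"):
    """First rule admitting client_ip for database/user; PostgreSQL stops at the first match.

    SSL-only versus plain rules are not distinguished here; both count as TCP rules.
    """
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r["network"] is None or r["network"].version != ip.version:
            continue
        if ip not in r["network"]:
            continue
        if r["database"] not in ("all", database) or r["user"] not in ("all", user):
            continue
        return r
    return None


def audit(rules, clients, database="msf", user="msf"):
    """Findings to resolve before the msf database is reachable from the network."""
    findings = []
    for r in rules:
        net = r["network"]
        if net is None:
            continue  # local socket rules are not reachable over the network
        if r["method"] == "trust":
            findings.append(f"{net}: 'trust' grants access with no password at all")
        elif r["method"] == "password":
            findings.append(f"{net}: 'password' sends the password in clear text; use md5 or scram-sha-256")
        if net.prefixlen == 0:
            findings.append(f"{net}: open to every address; restrict to the lab subnet")
        elif net.network_address == ipaddress.ip_address("0.0.0.0"):
            findings.append(f"{net}: a mask on 0.0.0.0 covers only {net.num_addresses} addresses "
                            f"starting at 0.0.0.0, which is almost never what was meant")
    for c in clients:
        if matching_rule(rules, c, database, user) is None:
            findings.append(f"client {c} matches no host rule and will be rejected")
    return findings


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    for finding in audit(rules, ["10.10.10.129"]):
        print("!!", finding)
    fixed = parse_pg_hba(SAMPLE_PG_HBA.replace("0.0.0.0/24", "10.10.10.0/24"))
    print("after fix:", audit(fixed, ["10.10.10.129"]))  # expect an empty list
```

Run it against the real file with `parse_pg_hba(open("/etc/postgresql/9.6/main/pg_hba.conf").read())` and the list of attacker hosts that will call `db_connect`; an empty finding list means every listed client matches an authenticated rule and no rule is wider than intended.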