渗透杂记-2013-07-21

更新时间：2022-10-02 21:04:45
metasploit常用辅助工具
最近在写教程，记录一下
root@bt:~# msfpro
[*] Starting Metasploit Console...
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
http://metasploit.pro
=[ metasploit v4.6.2-1 [core:4.6 api:1.0]
+ -- --=[ 1138 exploits - 718 auxiliary - 194 post
+ -- --=[ 309 payloads - 30 encoders - 8 nops
[*] Successfully loaded plugin: pro
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > info
Name: TCP SYN Port Scanner
Module: auxiliary/scanner/portscan/syn
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:

kris katterjohn <katterjohn@gmail.com>
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
BATCHSIZE  256              yes       The number of hosts to scan per set
INTERFACE                   no        The name of the interface
PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS                      yes       The target address range or CIDR identifier
SNAPLEN    65535            yes       The number of bytes to capture
THREADS    1                yes       The number of concurrent threads
TIMEOUT    500              yes       The reply read timeout in milliseconds
Description:
Enumerate open TCP services using a raw SYN scan.
msf auxiliary(syn) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(syn) > set THREADS 100
THREADS => 100
msf auxiliary(syn) > run
[*]  TCP OPEN 172.16.1.105:21
[*]  TCP OPEN 172.16.1.105:22
[*]  TCP OPEN 172.16.1.105:23
[*]  TCP OPEN 172.16.1.105:25
[*]  TCP OPEN 172.16.1.105:53
[*]  TCP OPEN 172.16.1.105:80
[*]  TCP OPEN 172.16.1.105:111
[*]  TCP OPEN 172.16.1.105:139
[*]  TCP OPEN 172.16.1.105:445
[*]  TCP OPEN 172.16.1.105:512
[*]  TCP OPEN 172.16.1.105:513
[*]  TCP OPEN 172.16.1.105:514
[*]  TCP OPEN 172.16.1.105:1099
[*]  TCP OPEN 172.16.1.105:1524
[*]  TCP OPEN 172.16.1.105:2049
[*]  TCP OPEN 172.16.1.105:2121
[*]  TCP OPEN 172.16.1.105:3306
[*]  TCP OPEN 172.16.1.105:3632
[*]  TCP OPEN 172.16.1.105:5432
[*]  TCP OPEN 172.16.1.105:5900
[*]  TCP OPEN 172.16.1.105:6000
[*]  TCP OPEN 172.16.1.105:6667
[*]  TCP OPEN 172.16.1.105:6697
[*]  TCP OPEN 172.16.1.105:8009
[*]  TCP OPEN 172.16.1.105:8180
[*]  TCP OPEN 172.16.1.105:8787
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(syn) > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > info
Name: SMB Version Detection
Module: auxiliary/scanner/smb/smb_version
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:

hdm <hdm@metasploit.com>
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOSTS                      yes       The target address range or CIDR identifier
SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
SMBPass                     no        The password for the specified username
SMBUser                     no        The username to authenticate as
THREADS    1                yes       The number of concurrent threads
Description:
Display version information about each system
msf auxiliary(smb_version) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(smb_version) > run
[*] 172.16.1.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_version) > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > info
Name: MSSQL Ping Utility
Module: auxiliary/scanner/mssql/mssql_ping
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:

MC <mc@metasploit.com>
Basic options:
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
PASSWORD                              no        The password for the specified username
RHOSTS                                yes       The target address range or CIDR identifier
THREADS              1                yes       The number of concurrent threads
USERNAME             sa               no        The username to authenticate as
USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)
Description:
This module simply queries the MSSQL instance for information.
msf auxiliary(mssql_ping) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(mssql_ping) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > iffo
[-] Unknown command: iffo.
msf auxiliary(ssh_version) > info
Name: SSH Version Scanner
Module: auxiliary/scanner/ssh/ssh_version
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:

Daniel van Eeden <metasploit@myname.nl>
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    22               yes       The target port
THREADS  1                yes       The number of concurrent threads
TIMEOUT  30               yes       Timeout for the SSH probe
Description:
Detect SSH Version.
References:
http://en.wikipedia.org/wiki/SecureShell
msf auxiliary(ssh_version) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(ssh_version) > run
[*] 172.16.1.105:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > info
Name: FTP Version Scanner
Module: auxiliary/scanner/ftp/ftp_version
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:

hdm <hdm@metasploit.com>
Basic options:
Name     Current Setting      Required  Description
----     ---------------      --------  -----------
FTPPASS  mozilla@example.com  no        The password for the specified username
FTPUSER  anonymous            no        The username to authenticate as
RHOSTS                        yes       The target address range or CIDR identifier
RPORT    21                   yes       The target port
THREADS  1                    yes       The number of concurrent threads
Description:
Detect FTP Version.
msf auxiliary(ftp_version) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(ftp_version) > run
[*] 172.16.1.105:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > info
Name: SNMP Community Scanner
Module: auxiliary/scanner/snmp/snmp_login
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:

hdm <hdm@metasploit.com>
Basic options:
Name              Current Setting                                                     Required  Description
----              ---------------                                                     --------  -----------
BATCHSIZE         256                                                                 yes       The number of hosts to probe in each set
BLANK_PASSWORDS   true                                                                no        Try blank passwords for all users
BRUTEFORCE_SPEED  5                                                                   yes       How fast to bruteforce, from 0 to 5
CHOST                                                                                 no        The local client address
PASSWORD                                                                              no        The password to test
PASS_FILE         /opt/metasploit/apps/pro/msf3/data/wordlists/snmp_default_pass.txt  no        File containing communities, one per line
RHOSTS                                                                                yes       The target address range or CIDR identifier
RPORT             161                                                                 yes       The target port
STOP_ON_SUCCESS   false                                                               yes       Stop guessing when a credential works for a host
THREADS           1                                                                   yes       The number of concurrent threads
USER_AS_PASS      true                                                                no        Try the username as the password for all users
VERBOSE           true                                                                yes       Whether to print output for all attempts
Description:
Scan for SNMP devices using common community names
References:
http://cvedetails.com/cve/1999-0508/
msf auxiliary(snmp_login) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(snmp_login) > run
[*] :161SNMP - [001/118] - 172.16.1.105:161 - SNMP - Trying public...
[*] :161SNMP - [002/118] - 172.16.1.105:161 - SNMP - Trying private...
[*] :161SNMP - [003/118] - 172.16.1.105:161 - SNMP - Trying 0...
[*] :161SNMP - [004/118] - 172.16.1.105:161 - SNMP - Trying 0392a0...
[*] :161SNMP - [005/118] - 172.16.1.105:161 - SNMP - Trying 1234...
[*] :161SNMP - [006/118] - 172.16.1.105:161 - SNMP - Trying 2read...
[*] :161SNMP - [007/118] - 172.16.1.105:161 - SNMP - Trying 4changes...
[*] :161SNMP - [008/118] - 172.16.1.105:161 - SNMP - Trying ANYCOM...
[*] :161SNMP - [009/118] - 172.16.1.105:161 - SNMP - Trying Admin...
[*] :161SNMP - [010/118] - 172.16.1.105:161 - SNMP - Trying C0de...
[*] :161SNMP - [011/118] - 172.16.1.105:161 - SNMP - Trying CISCO...
[*] :161SNMP - [012/118] - 172.16.1.105:161 - SNMP - Trying CR52401...
[*] :161SNMP - [013/118] - 172.16.1.105:161 - SNMP - Trying IBM...
[*] :161SNMP - [014/118] - 172.16.1.105:161 - SNMP - Trying ILMI...
[*] :161SNMP - [015/118] - 172.16.1.105:161 - SNMP - Trying Intermec...
[*] :161SNMP - [016/118] - 172.16.1.105:161 - SNMP - Trying NoGaH$@!...
[*] :161SNMP - [017/118] - 172.16.1.105:161 - SNMP - Trying OrigEquipMfr...
[*] :161SNMP - [018/118] - 172.16.1.105:161 - SNMP - Trying PRIVATE...
[*] :161SNMP - [019/118] - 172.16.1.105:161 - SNMP - Trying PUBLIC...
[*] :161SNMP - [020/118] - 172.16.1.105:161 - SNMP - Trying Private...
[*] :161SNMP - [021/118] - 172.16.1.105:161 - SNMP - Trying Public...
[*] :161SNMP - [022/118] - 172.16.1.105:161 - SNMP - Trying SECRET...
[*] :161SNMP - [023/118] - 172.16.1.105:161 - SNMP - Trying SECURITY...
[*] :161SNMP - [024/118] - 172.16.1.105:161 - SNMP - Trying SNMP...
[*] :161SNMP - [025/118] - 172.16.1.105:161 - SNMP - Trying SNMP_trap...
[*] :161SNMP - [026/118] - 172.16.1.105:161 - SNMP - Trying SUN...
[*] :161SNMP - [027/118] - 172.16.1.105:161 - SNMP - Trying SWITCH...
[*] :161SNMP - [028/118] - 172.16.1.105:161 - SNMP - Trying SYSTEM...
[*] :161SNMP - [029/118] - 172.16.1.105:161 - SNMP - Trying Secret...
[*] :161SNMP - [030/118] - 172.16.1.105:161 - SNMP - Trying Security...
[*] :161SNMP - [031/118] - 172.16.1.105:161 - SNMP - Trying Switch...
[*] :161SNMP - [032/118] - 172.16.1.105:161 - SNMP - Trying System...
[*] :161SNMP - [033/118] - 172.16.1.105:161 - SNMP - Trying TENmanUFactOryPOWER...
[*] :161SNMP - [034/118] - 172.16.1.105:161 - SNMP - Trying TEST...
[*] :161SNMP - [035/118] - 172.16.1.105:161 - SNMP - Trying access...
[*] :161SNMP - [036/118] - 172.16.1.105:161 - SNMP - Trying adm...
[*] :161SNMP - [037/118] - 172.16.1.105:161 - SNMP - Trying admin...
[*] :161SNMP - [038/118] - 172.16.1.105:161 - SNMP - Trying agent...
[*] :161SNMP - [039/118] - 172.16.1.105:161 - SNMP - Trying agent_steal...
[*] :161SNMP - [040/118] - 172.16.1.105:161 - SNMP - Trying all...
[*] :161SNMP - [041/118] - 172.16.1.105:161 - SNMP - Trying all private...
[*] :161SNMP - [042/118] - 172.16.1.105:161 - SNMP - Trying all public...
[*] :161SNMP - [043/118] - 172.16.1.105:161 - SNMP - Trying apc...
[*] :161SNMP - [044/118] - 172.16.1.105:161 - SNMP - Trying bintec...
[*] :161SNMP - [045/118] - 172.16.1.105:161 - SNMP - Trying blue...
[*] :161SNMP - [046/118] - 172.16.1.105:161 - SNMP - Trying c...
[*] :161SNMP - [047/118] - 172.16.1.105:161 - SNMP - Trying cable-d...
[*] :161SNMP - [048/118] - 172.16.1.105:161 - SNMP - Trying canon_admin...
[*] :161SNMP - [049/118] - 172.16.1.105:161 - SNMP - Trying cc...
[*] :161SNMP - [050/118] - 172.16.1.105:161 - SNMP - Trying cisco...
[*] :161SNMP - [051/118] - 172.16.1.105:161 - SNMP - Trying community...
[*] :161SNMP - [052/118] - 172.16.1.105:161 - SNMP - Trying core...
[*] :161SNMP - [053/118] - 172.16.1.105:161 - SNMP - Trying debug...
[*] :161SNMP - [054/118] - 172.16.1.105:161 - SNMP - Trying default...
[*] :161SNMP - [055/118] - 172.16.1.105:161 - SNMP - Trying dilbert...
[*] :161SNMP - [056/118] - 172.16.1.105:161 - SNMP - Trying enable...
[*] :161SNMP - [057/118] - 172.16.1.105:161 - SNMP - Trying field...
[*] :161SNMP - [058/118] - 172.16.1.105:161 - SNMP - Trying field-service...
[*] :161SNMP - [059/118] - 172.16.1.105:161 - SNMP - Trying freekevin...
[*] :161SNMP - [060/118] - 172.16.1.105:161 - SNMP - Trying fubar...
[*] :161SNMP - [061/118] - 172.16.1.105:161 - SNMP - Trying guest...
[*] :161SNMP - [062/118] - 172.16.1.105:161 - SNMP - Trying hello...
[*] :161SNMP - [063/118] - 172.16.1.105:161 - SNMP - Trying hp_admin...
[*] :161SNMP - [064/118] - 172.16.1.105:161 - SNMP - Trying ibm...
[*] :161SNMP - [065/118] - 172.16.1.105:161 - SNMP - Trying ilmi...
[*] :161SNMP - [066/118] - 172.16.1.105:161 - SNMP - Trying intermec...
[*] :161SNMP - [067/118] - 172.16.1.105:161 - SNMP - Trying internal...
[*] :161SNMP - [068/118] - 172.16.1.105:161 - SNMP - Trying l2...
[*] :161SNMP - [069/118] - 172.16.1.105:161 - SNMP - Trying l3...
[*] :161SNMP - [070/118] - 172.16.1.105:161 - SNMP - Trying manager...
[*] :161SNMP - [071/118] - 172.16.1.105:161 - SNMP - Trying mngt...
[*] :161SNMP - [072/118] - 172.16.1.105:161 - SNMP - Trying monitor...
[*] :161SNMP - [073/118] - 172.16.1.105:161 - SNMP - Trying netman...
[*] :161SNMP - [074/118] - 172.16.1.105:161 - SNMP - Trying network...
[*] :161SNMP - [075/118] - 172.16.1.105:161 - SNMP - Trying none...
[*] :161SNMP - [076/118] - 172.16.1.105:161 - SNMP - Trying openview...
[*] :161SNMP - [077/118] - 172.16.1.105:161 - SNMP - Trying pass...
[*] :161SNMP - [078/118] - 172.16.1.105:161 - SNMP - Trying password...
[*] :161SNMP - [079/118] - 172.16.1.105:161 - SNMP - Trying pr1v4t3...
[*] :161SNMP - [080/118] - 172.16.1.105:161 - SNMP - Trying proxy...
[*] :161SNMP - [081/118] - 172.16.1.105:161 - SNMP - Trying publ1c...
[*] :161SNMP - [082/118] - 172.16.1.105:161 - SNMP - Trying read...
[*] :161SNMP - [083/118] - 172.16.1.105:161 - SNMP - Trying read-only...
[*] :161SNMP - [084/118] - 172.16.1.105:161 - SNMP - Trying read-write...
[*] :161SNMP - [085/118] - 172.16.1.105:161 - SNMP - Trying readwrite...
[*] :161SNMP - [086/118] - 172.16.1.105:161 - SNMP - Trying red...
[*] :161SNMP - [087/118] - 172.16.1.105:161 - SNMP - Trying regional...
[*] :161SNMP - [088/118] - 172.16.1.105:161 - SNMP - Trying rmon...
[*] :161SNMP - [089/118] - 172.16.1.105:161 - SNMP - Trying rmon_admin...
[*] :161SNMP - [090/118] - 172.16.1.105:161 - SNMP - Trying ro...
[*] :161SNMP - [091/118] - 172.16.1.105:161 - SNMP - Trying root...
[*] :161SNMP - [092/118] - 172.16.1.105:161 - SNMP - Trying router...
[*] :161SNMP - [093/118] - 172.16.1.105:161 - SNMP - Trying rw...
[*] :161SNMP - [094/118] - 172.16.1.105:161 - SNMP - Trying rwa...
[*] :161SNMP - [095/118] - 172.16.1.105:161 - SNMP - Trying san-fran...
[*] :161SNMP - [096/118] - 172.16.1.105:161 - SNMP - Trying sanfran...
[*] :161SNMP - [097/118] - 172.16.1.105:161 - SNMP - Trying scotty...
[*] :161SNMP - [098/118] - 172.16.1.105:161 - SNMP - Trying secret...
[*] :161SNMP - [099/118] - 172.16.1.105:161 - SNMP - Trying security...
[*] :161SNMP - [100/118] - 172.16.1.105:161 - SNMP - Trying seri...
[*] :161SNMP - [101/118] - 172.16.1.105:161 - SNMP - Trying snmp...
[*] :161SNMP - [102/118] - 172.16.1.105:161 - SNMP - Trying snmpd...
[*] :161SNMP - [103/118] - 172.16.1.105:161 - SNMP - Trying snmptrap...
[*] :161SNMP - [104/118] - 172.16.1.105:161 - SNMP - Trying solaris...
[*] :161SNMP - [105/118] - 172.16.1.105:161 - SNMP - Trying sun...
[*] :161SNMP - [106/118] - 172.16.1.105:161 - SNMP - Trying superuser...
[*] :161SNMP - [107/118] - 172.16.1.105:161 - SNMP - Trying switch...
[*] :161SNMP - [108/118] - 172.16.1.105:161 - SNMP - Trying system...
[*] :161SNMP - [109/118] - 172.16.1.105:161 - SNMP - Trying tech...
[*] :161SNMP - [110/118] - 172.16.1.105:161 - SNMP - Trying test...
[*] :161SNMP - [111/118] - 172.16.1.105:161 - SNMP - Trying test2...
[*] :161SNMP - [112/118] - 172.16.1.105:161 - SNMP - Trying tiv0li...
[*] :161SNMP - [113/118] - 172.16.1.105:161 - SNMP - Trying tivoli...
[*] :161SNMP - [114/118] - 172.16.1.105:161 - SNMP - Trying trap...
[*] :161SNMP - [115/118] - 172.16.1.105:161 - SNMP - Trying world...
[*] :161SNMP - [116/118] - 172.16.1.105:161 - SNMP - Trying write...
[*] :161SNMP - [117/118] - 172.16.1.105:161 - SNMP - Trying xyzzy...
[*] :161SNMP - [118/118] - 172.16.1.105:161 - SNMP - Trying yellow...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_login) > use auxiliary/scanner/http/webdav_scanner
imsf auxiliary(webdav_scanner) > info
Name: HTTP WebDAV Scanner
Module: auxiliary/scanner/http/webdav_scanner
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:

et <et@metasploit.com>
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
PATH     /                yes       Path to use
Proxies                   no        Use a proxy chain
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    80               yes       The target port
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host
Description:
Detect webservers with WebDAV enabled
msf auxiliary(webdav_scanner) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(webdav_scanner) > run
[*] 172.16.1.105 (Apache/2.2.8 (Ubuntu) DAV/2) WebDAV disabled.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
本文转自文东会博客51CTO博客，原文链接http://blog.51cto.com/hackerwang/1253537如需转载请自行联系原作者
谢文东666
上一篇 : ：Linux之使用MogileFS分布式文件系统并使用nginx实现反向代理下一篇 : Chrome扩展入门开发
渗透杂记-2013-07-21

相关阅读

推荐文章
