注:请多喝点热水或者凉白开,可预防肾结石,通风等。
痛风可伴发肥胖症、高血压病、糖尿病、脂代谢紊乱等多种代谢性疾病。

攻击机:
192.168.1.5 Debian

靶机:
192.168.1.2 Windows 7
192.168.1.115 Windows 2003
192.168.1.119 Windows 2003

第一季主要介绍scanner下的五个模块,辅助发现内网存活主机,分别为:

  • auxiliary/scanner/discovery/arp_sweep
  • auxiliary/scanner/discovery/udp_sweep
  • auxiliary/scanner/ftp/ftp_version
  • auxiliary/scanner/http/http_version
  • auxiliary/scanner/smb/smb_version

第二季主要介绍scanner下的五个模块,辅助发现内网存活主机,分别为:

  • auxiliary/scanner/ssh/ssh_version
  • auxiliary/scanner/telnet/telnet_version
  • auxiliary/scanner/discovery/udp_probe
  • auxiliary/scanner/dns/dns_amp
  • auxiliary/scanner/mysql/mysql_version

六:基于auxiliary/scanner/ssh/ssh_version发现SSH服务

  1. msf auxiliary(scanner/ssh/ssh_version) > show options
  2. Module options (auxiliary/scanner/ssh/ssh_version):
  3. Name Current Setting Required Description
  4. ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
  5. RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
  6. RPORT 22 yes The target port (TCP)
  7. THREADS 50 yes The number of concurrent threads
  8. TIMEOUT 30 yes Timeout for the SSH probe
  9. msf auxiliary(scanner/ssh/ssh_version) > exploit
  10. [+] 192.168.1.5:22 SSH server version: SSH2.0OpenSSH_7.9p1 Debian5 ( service.version=7.9p1 openssh.comment=Debian5 service.vendor=OpenBSD
  11. service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openb
  12. sd:openssh:7.9p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe
  13. 23=cpe:/o:debian:debian_linux:‐ service.protocol=ssh fingerprint_db=ssh.banner )
  14. [*] Scanned 52 of 256 hosts (20% complete)
  15. [*] Scanned 95 of 256 hosts (37% complete)
  16. [*] Scanned 100 of 256 hosts (39% complete)
  17. [*] Scanned 103 of 256 hosts (40% complete)
  18. [*] Scanned 131 of 256 hosts (51% complete)
  19. [*] Scanned 154 of 256 hosts (60% complete)
  20. [*] Scanned 180 of 256 hosts (70% complete)
  21. [*] Scanned 206 of 256 hosts (80% complete)
  22. [*] Scanned 235 of 256 hosts (91% complete)
  23. [*] Scanned 256 of 256 hosts (100% complete)
  24. [*] Auxiliary module execution completed

第二十四课:基于MSF发现内网存活主机第二季 - 图1

七:基于auxiliary/scanner/telnet/telnet_version发现TELNET服务

  1. msf auxiliary(scanner/telnet/telnet_version) > show options
  2. Module options (auxiliary/scanner/telnet/telnet_version):
  3. Name Current Setting Required Description
  4. ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
  5. PASSWORD no The password for the specified username
  6. RHOSTS 192.168.1.119 yes The target address range or CIDR identifier
  7. RPORT 23 yes The target port (TCP)
  8. THREADS 50 yes The number of concurrent threads
  9. TIMEOUT 30 yes Timeout for the Telnet probe
  10. USERNAME no The username to authenticate as
  11. msf auxiliary(scanner/telnet/telnet_version) > exploit
  12. [+] 192.168.1.119:23 192.168.1.119:23 TELNET Welcome to Microsoft Telnet Service \x0a\x0a\x0dlogin:
  13. [*] Scanned 1 of 1 hosts (100% complete)
  14. [*] Auxiliary module execution completed

第二十四课:基于MSF发现内网存活主机第二季 - 图2

八:基于scanner/discovery/udp_probe发现内网存活主机

  1. msf auxiliary(scanner/discovery/udp_probe) > show options
  2. Module options (auxiliary/scanner/discovery/udp_probe):
  3. Name Current Setting Required Description
  4. ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
  5. CHOST no The local client address
  6. RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
  7. THREADS 50 yes The number of concurrent threads
  8. msf auxiliary(scanner/discovery/udp_probe) > exploit
  9. [+] Discovered NetBIOS on 192.168.1.2:137 (JOHNPC:<00>:U :WORKGROUP:
  10. <00>:G :JOHNPC:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U
  11. :__MSBROWSE__ <01>:G :4c:cc:6a:e3:51:27)
  12. [+] Discovered DNS on 192.168.1.1:53 (de778500000100010000000007564552 53494f4e0442494e440000100003c00c0010000300000001001a19737572656c7920796f7
  13. 5206d757374206265206a6f6b696e67)
  14. [*] Scanned 43 of 256 hosts (16% complete)
  15. [*] Scanned 52 of 256 hosts (20% complete)
  16. [*] Scanned 89 of 256 hosts (34% complete)
  17. [+] Discovered NetBIOS on 192.168.1.119:137 (WIN03X64:<00>:U :WIN03X64:<20>:U :WORKGROUP:<00>:G :WORKGROUP:<1e>:G :WIN03X64:<03>:U
  18. :ADMINISTRA TOR:<03>:U :WIN03X64:<01>:U :00:0c:29:85:d6:7d)
  19. [*] Scanned 103 of 256 hosts (40% complete)
  20. [*] Scanned 140 of 256 hosts (54% complete)
  21. [*] Scanned 163 of 256 hosts (63% complete)
  22. [*] Scanned 184 of 256 hosts (71% complete)
  23. [*] Scanned 212 of 256 hosts (82% complete)
  24. [*] Scanned 231 of 256 hosts (90% complete)
  25. [*] Scanned 256 of 256 hosts (100% complete)
  26. [*] Auxiliary module execution completed

第二十四课:基于MSF发现内网存活主机第二季 - 图3

九:基于auxiliary/scanner/dns/dns_amp发现内网存活主机

  1. msf auxiliary(scanner/dns/dns_amp) > show options
  2. Module options (auxiliary/scanner/dns/dns_amp):
  3. Name Current Setting Required Description
  4. ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
  5. BATCHSIZE 256 yes The number of hosts to probe in each set
  6. DOMAINNAME isc.org yes Domain to use for the DNS request
  7. FILTER no The filter string for capturing traffic
  8. INTERFACE no The name of the interface
  9. PCAPFILE no The name of the PCAP capture file to process
  10. QUERYTYPE ANY yes Query type(A, NS, SOA, MX, TXT, AAAA, RRSIG, DNSKEY, ANY)
  11. RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier
  12. RPORT 53 yes The target port (UDP)
  13. SNAPLEN 65535 yes The number of bytes to capture
  14. THREADS 50 yes The number of concurrent threads
  15. TIMEOUT 500 yes The number of seconds to wait for new data
  16. msf auxiliary(scanner/dns/dns_amp) > exploit
  17. [*] Sending DNS probes to 192.168.1.0‐>192.168.1.255 (256 hosts)
  18. [*] Sending 67 bytes to each host using the IN ANY isc.org request
  19. [+] 192.168.1.1:53 Response is 530 bytes [7.91x Amplification]
  20. [*] Scanned 256 of 256 hosts (100% complete)
  21. [*] Auxiliary module execution completed

第二十四课:基于MSF发现内网存活主机第二季 - 图4

十:基于auxiliary/scanner/mysql/mysql_version发现mysql服务

  1. msf auxiliary(scanner/mysql/mysql_version) > show options
  2. Module options (auxiliary/scanner/mysql/mysql_version):
  3. Name Current Setting Required Description
  4. ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
  5. RHOSTS 192.168.1.115 yes The target address range or CIDR identifier
  6. RPORT 3306 yes The target port (TCP)
  7. THREADS 50 yes The number of concurrent threads
  8. msf auxiliary(scanner/mysql/mysql_version) > exploit
  9. [+] 192.168.1.115:3306 192.168.1.115:3306 is running MySQL 5.1.52community (protocol 10)
  10. [*] Scanned 1 of 1 hosts (100% complete)
  11. [*] Auxiliary module execution completed

第二十四课:基于MSF发现内网存活主机第二季 - 图5

Micropoor