Note: drink plenty of hot water or cooled boiled water; it helps prevent kidney stones, gout and the like.
Gout can be accompanied by obesity, hypertension, diabetes, lipid metabolism disorders and other metabolic diseases.

Attacker machine:
192.168.1.102 Debian
Target machines:
192.168.1.2 Windows 7
192.168.1.115 Windows 2003
192.168.1.119 Windows 2003

Part 1 covered five modules under scanner that help discover live hosts on the internal network:

  • auxiliary/scanner/discovery/arp_sweep
  • auxiliary/scanner/discovery/udp_sweep
  • auxiliary/scanner/ftp/ftp_version
  • auxiliary/scanner/http/http_version
  • auxiliary/scanner/smb/smb_version

Part 2 covered five modules under scanner that help discover live hosts on the internal network:

  • auxiliary/scanner/ssh/ssh_version
  • auxiliary/scanner/telnet/telnet_version
  • auxiliary/scanner/discovery/udp_probe
  • auxiliary/scanner/dns/dns_amp
  • auxiliary/scanner/mysql/mysql_version

Part 3 covered five modules under scanner that help discover live hosts on the internal network:

  • auxiliary/scanner/netbios/nbname
  • auxiliary/scanner/http/title
  • auxiliary/scanner/db2/db2_version
  • auxiliary/scanner/portscan/ack
  • auxiliary/scanner/portscan/tcp

Part 4 covered five modules under scanner that help discover live hosts on the internal network:

  • auxiliary/scanner/portscan/syn
  • auxiliary/scanner/portscan/ftpbounce
  • auxiliary/scanner/portscan/xmas
  • auxiliary/scanner/rdp/rdp_scanner
  • auxiliary/scanner/smtp/smtp_version

Part 5 covers three modules under scanner, plus db_nmap, that help discover live hosts on the internal network:

  • auxiliary/scanner/pop3/pop3_version
  • auxiliary/scanner/postgres/postgres_version
  • auxiliary/scanner/ftp/anonymous
  • db_nmap

21: Discovering live internal hosts with auxiliary/scanner/pop3/pop3_version

  msf auxiliary(scanner/pop3/pop3_version) > show options
  Module options (auxiliary/scanner/pop3/pop3_version):
  Name     Current Setting    Required  Description
  ----     ---------------    --------  -----------
  RHOSTS   192.168.1.110-120  yes       The target address range or CIDR identifier
  RPORT    110                yes       The target port (TCP)
  THREADS  50                 yes       The number of concurrent threads
  msf auxiliary(scanner/pop3/pop3_version) > exploit
  [*] Scanned 5 of 11 hosts (45% complete)
  [*] Scanned 11 of 11 hosts (100% complete)
  [*] Auxiliary module execution completed

Lesson 27: Discovering live internal hosts with MSF, part 5 - Figure 1

22: Discovering live internal hosts with auxiliary/scanner/postgres/postgres_version

  msf auxiliary(scanner/postgres/postgres_version) > show options
  Module options (auxiliary/scanner/postgres/postgres_version):
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  DATABASE  template1        yes       The database to authenticate against
  PASSWORD  msf              no        The password for the specified username. Leave blank for a random password.
  RHOSTS    127.0.0.1        yes       The target address range or CIDR identifier
  RPORT     5432             yes       The target port
  THREADS   50               yes       The number of concurrent threads
  USERNAME  msf              yes       The username to authenticate as
  VERBOSE   false            no        Enable verbose output
  msf auxiliary(scanner/postgres/postgres_version) > exploit
  [*] 127.0.0.1:5432 Postgres - Version PostgreSQL 9.6.6 on x86_64-pc-linux-gnu, compiled by gcc (Debian 4.9.2-10) 4.9.2, 64-bit (Post-Auth)
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed

Lesson 27: Discovering live internal hosts with MSF, part 5 - Figure 2

23: Discovering live internal hosts with auxiliary/scanner/ftp/anonymous

  msf auxiliary(scanner/ftp/anonymous) > show options
  Module options (auxiliary/scanner/ftp/anonymous):
  Name     Current Setting      Required  Description
  ----     ---------------      --------  -----------
  FTPPASS  mozilla@example.com  no        The password for the specified username
  FTPUSER  anonymous            no        The username to authenticate as
  RHOSTS   192.168.1.100-120    yes       The target address range or CIDR identifier
  RPORT    21                   yes       The target port (TCP)
  THREADS  50                   yes       The number of concurrent threads
  msf auxiliary(scanner/ftp/anonymous) > exploit
  [+] 192.168.1.115:21 192.168.1.115:21 Anonymous READ (220 Slyar Ftpserver)
  [+] 192.168.1.119:21 192.168.1.119:21 Anonymous READ (220 FTPserver)
  [*] Scanned 3 of 21 hosts (14% complete)
  [*] Scanned 6 of 21 hosts (28% complete)
  [*] Scanned 17 of 21 hosts (80% complete)
  [*] Scanned 21 of 21 hosts (100% complete)
  [*] Auxiliary module execution completed

Lesson 27: Discovering live internal hosts with MSF, part 5 - Figure 3

24: Discovering live internal hosts with db_nmap

MSF has the powerful port scanner Nmap built in. To tell it apart from the standalone tool, the built-in command is db_nmap. It automatically stores the nmap scan results in the database, which makes it easy to quickly query the live hosts already found and to coordinate work across a team; usage is identical to nmap. It is also one of the most commonly used ways of discovering live internal hosts in practice.

Example:

  msf exploit(multi/handler) > db_nmap -p 445 -T4 -sT 192.168.1.115-120 --open
  [*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-17 15:17 EST
  [*] Nmap: Nmap scan report for 192.168.1.115
  [*] Nmap: Host is up (0.0025s latency).
  [*] Nmap: PORT    STATE SERVICE
  [*] Nmap: 445/tcp open  microsoft-ds
  [*] Nmap: MAC Address: 00:0C:29:AF:CE:CC (VMware)
  [*] Nmap: Nmap scan report for 192.168.1.119
  [*] Nmap: Host is up (0.0026s latency).
  [*] Nmap: PORT    STATE SERVICE
  [*] Nmap: 445/tcp open  microsoft-ds
  [*] Nmap: MAC Address: 00:0C:29:85:D6:7D (VMware)
  [*] Nmap: Nmap done: 6 IP addresses (2 hosts up) scanned in 13.35 seconds

Lesson 27: Discovering live internal hosts with MSF, part 5 - Figure 4

Use the hosts command to view the live internal hosts already discovered and stored in the database:

  msf exploit(multi/handler) > hosts
  Hosts
  =====
  address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
  -------  ---  ----  -------  ---------  -----  -------  ----  --------
  1.34.37.188 firewall
  10.0.0.2 00:24:1d:dc:3b:16
  10.0.0.3 00:e0:81:bf:b9:7b
  10.0.0.4 00:30:6e:ca:10:b8
  10.0.0.5 9c:8e:99:c4:63:74 2013XXXXX Windows 2008 SP1 client
  ...
  10.0.0.242 00:13:57:01:d4:71
  10.0.0.243 00:13:57:01:d4:73
  ...
  10.162.110.30 firewall
  59.125.110.178 firewall
  127.0.0.1 Unknown device
  172.16.204.8 WIN6FEAACQJ691 Windows 2012 server
  172.16.204.9 WIN6FEAACQJ691 Windows 2012 server
  172.16.204.21 IDS Windows 2003 SP2 server
  192.168.1.5 JOHNPC Windows 7 SP1 client
  192.168.1.101 JOHNPC Windows 7 Ultimate SP1 client
  192.168.1.103 LAPTOP9994K8RP Windows 10 client
  192.168.1.115 00:0c:29:af:ce:cc VM_2003X86 Windows 2003 SP2 server
  192.168.1.116 WINS4H51RDJQ3M Windows 2012 server
  192.168.1.119 00:0c:29:85:d6:7d WIN03X64 Windows 2003 SP2 server
  192.168.1.254 Unknown device
  192.168.50.30 WINDOWSG4MMTV8 Windows 7 SP1 client
  192.168.100.2 Unknown device
  192.168.100.10

The hosts command also supports querying and searching the database, which makes it easy to quickly narrow down to the target live hosts.

  msf exploit(multi/handler) > hosts -h
  Usage: hosts [ options ] [addr1 addr2 ...]
  OPTIONS:
    -a,--add          Add the hosts instead of searching
    -d,--delete       Delete the hosts instead of searching
    -c <col1,col2>    Only show the given columns (see list below)
    -C <col1,col2>    Only show the given columns until the next restart (see list below)
    -h,--help         Show this help information
    -u,--up           Only show hosts which are up
    -o <file>         Send output to a file in csv format
    -O <column>       Order rows by specified column number
    -R,--rhosts       Set RHOSTS from the results of the search
    -S,--search       Search string to filter by
    -i,--info         Change the info of a host
    -n,--name         Change the name of a host
    -m,--comment      Change the comment of a host
    -t,--tag          Add or specify a tag to a range of hosts

Lesson 27: Discovering live internal hosts with MSF, part 5 - Figure 5

  msf exploit(multi/handler) > hosts -S 192
  Hosts
  =====
  address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
  -------  ---  ----  -------  ---------  -----  -------  ----  --------
  192.168.1.5 JOHNPC Windows 7 SP1 client
  192.168.1.101 JOHNPC Windows 7 Ultimate SP1 client
  192.168.1.103 LAPTOP9994K8RP Windows 10 client
  192.168.1.115 00:0c:29:af:ce:cc VM_2003X86 Windows 2003 SP2 server
  192.168.1.116 WINS4H51RDJQ3M Windows 2012 server
  192.168.1.119 00:0c:29:85:d6:7d WIN03X64 Windows 2003 SP2 server
  192.168.1.254 Unknown device
  192.168.50.30 WINDOWSG4MMTV8 Windows 7 SP1 client
  192.168.100.2 Unknown device
  192.168.100.10

Lesson 27: Discovering live internal hosts with MSF, part 5 - Figure 6
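The point of db_nmap is that every console line becomes a database record you can search later with hosts -S. As an added example (not code from the lesson or from Metasploit), the Python script below parses console output in the db_nmap and ftp/anonymous format shown above into an address-keyed inventory and offers a substring filter comparable to hosts -S; the sample lines are constructed from the output above, and the Host class and the parse_console/search names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the db_nmap and ftp/anonymous output above
SAMPLE = """\
[*] Nmap: Nmap scan report for 192.168.1.115
[*] Nmap: Host is up (0.0025s latency).
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:AF:CE:CC (VMware)
[*] Nmap: Nmap scan report for 192.168.1.119
[*] Nmap: Host is up (0.0026s latency).
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:85:D6:7D (VMware)
[+] 192.168.1.115:21 192.168.1.115:21 Anonymous READ (220 Slyar Ftpserver)
[*] Scanned 21 of 21 hosts (100% complete)
"""

REPORT = re.compile(r"^\[\*\] Nmap: Nmap scan report for (\S+)")
PORT = re.compile(r"^\[\*\] Nmap: (\d+)/(tcp|udp)\s+open\s+(\S+)")
MAC = re.compile(r"^\[\*\] Nmap: MAC Address: ([0-9A-Fa-f:]{17})")
FINDING = re.compile(r"^\[\+\] (\d+\.\d+\.\d+\.\d+):(\d+) .*?(Anonymous \w+)")

@dataclass
class Host:
    address: str
    mac: str = ""
    services: dict = field(default_factory=dict)  # "445/tcp" -> service name
    info: list = field(default_factory=list)      # findings, like the info column

def parse_console(text):
    """Build an address-keyed inventory from msfconsole output lines."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := REPORT.match(line):           # a new Nmap host block starts
            current = hosts.setdefault(m.group(1), Host(m.group(1)))
        elif (m := PORT.match(line)) and current:
            current.services[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
        elif (m := MAC.match(line)) and current:
            current.mac = m.group(1).lower()  # the hosts table shows MACs in lowercase
        elif m := FINDING.match(line):        # scanner module hit, e.g. anonymous FTP
            h = hosts.setdefault(m.group(1), Host(m.group(1)))
            h.info.append(f"{m.group(2)}/tcp {m.group(3)}")
    return hosts

def search(hosts, needle):
    """Substring filter over address, MAC and info, similar to `hosts -S`."""
    return sorted(a for a, h in hosts.items()
                  if needle in a or needle in h.mac
                  or any(needle in i for i in h.info))
```

Lines that match no pattern (progress counters, "Host is up") are skipped, so the script can be fed a whole console log; a host that only appears in a [+] finding still gets an inventory entry, which is how the anonymous FTP exposure stays visible alongside the port data.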

Micropoor