List the port scanning modules
search portscan
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/wordpress_pingback_access normal Wordpress Pingback Locator
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner
TCP port scan
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf auxiliary(scanner/portscan/tcp) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/portscan/tcp) > set threads 100
threads => 100
msf auxiliary(scanner/portscan/tcp) > run
TCP SYN scan
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(scanner/portscan/syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(scanner/portscan/syn) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/portscan/syn) > set threads 10
threads => 10
msf auxiliary(scanner/portscan/syn) > run
nmap scan
ARP sweep
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(scanner/discovery/arp_sweep) > show options
Module options (auxiliary/scanner/discovery/arp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target address range or CIDR identifier
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads
TIMEOUT 5 yes The number of seconds to wait for new data
msf auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/discovery/arp_sweep) > set threads 100
threads => 100
msf auxiliary(scanner/discovery/arp_sweep) > run
UDP sweep
msf > use auxiliary/scanner/discovery/udp_sweep
msf auxiliary(scanner/discovery/udp_sweep) > show options
Module options (auxiliary/scanner/discovery/udp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target address range or CIDR identifier
THREADS 10 yes The number of concurrent threads
msf auxiliary(scanner/discovery/udp_sweep) > set threads 100
threads => 100
msf auxiliary(scanner/discovery/udp_sweep) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/discovery/udp_sweep) > run
SMB share enumeration
msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(scanner/smb/smb_enumshares) > show options
Module options (auxiliary/scanner/smb/smb_enumshares):
Name Current Setting Required Description
---- --------------- -------- -----------
LogSpider 3 no 0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
MaxDepth 999 yes Max number of subdirectories to spider
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
ShowFiles false yes Show detailed information when spidering
SpiderProfiles true no Spider only user profiles when share = C$
SpiderShares false no Spider shares recursively
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/smb/smb_enumshares) > set threads 100
threads => 100
msf auxiliary(scanner/smb/smb_enumshares) > run
# Results
[*] Scanned 101 of 256 hosts (39% complete)
[-] 192.168.10.122:139 - Login Failed: Unable to Negotiate with remote host
[-] 192.168.10.128:139 - Login Failed: Unable to Negotiate with remote host
[*] Scanned 105 of 256 hosts (41% complete)
[*] 192.168.10.122:445 - Windows 2003 (Unknown)
[+] 192.168.10.122:445 - IPC$ - (I) Remote IPC
[+] 192.168.10.122:445 - ADMIN$ - (DS) Remote Admin
[+] 192.168.10.122:445 - C$ - (DS) Default share
[*] Scanned 108 of 256 hosts (42% complete)
[*] Scanned 199 of 256 hosts (77% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
SMB version scan
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/smb/smb_version) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/smb/smb_version) > set threads 100
threads => 100
msf auxiliary(scanner/smb/smb_version) > run
# Results
[*] Scanned 101 of 256 hosts (39% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[+] 192.168.10.122:445 - Host is running Windows 2003 (build:3790) (name:ROOT-TVI862UBEH) (workgroup:WORKGROUP )
[+] 192.168.10.128:445 - Host is running Windows XP SP3 (language:English) (name:DH-CA8822AB9589) (workgroup:WORKGROUP )
[*] Scanned 204 of 256 hosts (79% complete)
[*] 192.168.10.254:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] Scanned 247 of 256 hosts (96% complete)
[*] Scanned 248 of 256 hosts (96% complete)
[*] Scanned 254 of 256 hosts (99% complete)
[*] Scanned 255 of 256 hosts (99% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
SMB user enumeration
msf > use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(scanner/smb/smb_enumusers) > show options
Module options (auxiliary/scanner/smb/smb_enumusers):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/smb/smb_enumusers) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/smb/smb_enumusers) > set threads 100
threads => 100
msf auxiliary(scanner/smb/smb_enumusers) > run
# Results
[*] Scanned 101 of 256 hosts (39% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 203 of 256 hosts (79% complete)
[*] Scanned 204 of 256 hosts (79% complete)
[+] 192.168.10.254:139 - METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
[*] Scanned 229 of 256 hosts (89% complete)
[*] Scanned 246 of 256 hosts (96% complete)
[*] Scanned 248 of 256 hosts (96% complete)
[*] Scanned 249 of 256 hosts (97% complete)
[*] Scanned 250 of 256 hosts (97% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
SMB login attempt
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(scanner/smb/smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(scanner/smb/smb_login) > show missing
Module options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
msf auxiliary(scanner/smb/smb_login) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/smb/smb_login) > set threads 100
threads => 100
msf auxiliary(scanner/smb/smb_login) > run
SMB vulnerability check: MS17-010
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/smb/smb_ms17_010) > show missing
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/smb/smb_ms17_010) > set threads 100
threads => 100
msf auxiliary(scanner/smb/smb_ms17_010) > run
# Results
[*] Scanned 101 of 256 hosts (39% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[+] 192.168.10.122:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 x86 (32-bit)
[+] 192.168.10.128:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[*] Scanned 163 of 256 hosts (63% complete)
[*] Scanned 178 of 256 hosts (69% complete)
[-] 192.168.10.254:445 - Host does NOT appear vulnerable.
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
SSH version scan
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(scanner/ssh/ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe
msf auxiliary(scanner/ssh/ssh_version) > set threads 100
threads => 100
msf auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/ssh/ssh_version) > run
# Results
[*] Scanned 101 of 256 hosts (39% complete)
[+] 192.168.10.115:22 - SSH server version: SSH-2.0-OpenSSH_7.8p1 Debian-1 ( service.version=7.8p1 openssh.comment=Debian-1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.8p1 os.vendor=Debian os.device=General os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )
[+] 192.168.10.123:22 - SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 ( service.version=5.3p1 openssh.comment=Debian-3ubuntu7 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:5.3p1 os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=10.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:10.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] Scanned 102 of 256 hosts (39% complete)
[*] Scanned 156 of 256 hosts (60% complete)
[+] 192.168.10.254:22 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:4.7p1 os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=8.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:8.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
SSH login brute force
msf auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS 192.168.10.0/24 yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 100 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
msf auxiliary(scanner/ssh/ssh_login) > set user_file /root/user_list.txt
user_file => /root/user_list.txt
msf auxiliary(scanner/ssh/ssh_login) > set pass_file /root/pass_list.txt
pass_file => /root/pass_list.txt
msf auxiliary(scanner/ssh/ssh_login) > set threads 100
threads => 100
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/ssh/ssh_login) > run
FTP version scan
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/ftp/ftp_version) > set threads 100
threads => 100
msf auxiliary(scanner/ftp/ftp_version) > run
# Results
[*] Scanned 101 of 256 hosts (39% complete)
[+] 192.168.10.122:21 - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] Scanned 105 of 256 hosts (41% complete)
[*] Scanned 135 of 256 hosts (52% complete)
[*] Scanned 140 of 256 hosts (54% complete)
[*] Scanned 184 of 256 hosts (71% complete)
[*] Scanned 255 of 256 hosts (99% complete)
[+] 192.168.10.254:21 - FTP Banner: '220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.10.254]\x0d\x0a'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
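The result lines printed by smb_enumshares, smb_version, smb_enumusers, smb_ms17_010, ssh_version and ftp_version above all share one shape, "[level] host:port - message". The following Ruby script is an added example, not part of the original page or of Metasploit itself: it parses that output into a per-host inventory with the findings a defender would triage first. `MIN_OPENSSH_MAJOR` is an assumed policy threshold and `SAMPLE_LOG` is constructed from result lines shown on this page.

```ruby
# Added example (not from the original page): turn msfconsole scanner output
# into a per-host inventory of services and defender-relevant findings.
# Every scanner result line has the shape "[level] host:port - message".
LINE_RE = /\A\[(?<level>[*+\-])\]\s+(?<host>\d{1,3}(?:\.\d{1,3}){3}):(?<port>\d+)\s+-\s+(?<msg>.*)\z/
MIN_OPENSSH_MAJOR = 7   # assumed policy: older OpenSSH majors are flagged

def parse_msf_scan(text)
  hosts = Hash.new { |h, k| h[k] = { services: {}, shares: [], users: [], findings: [] } }
  text.each_line do |raw|
    m = LINE_RE.match(raw.strip)
    next unless m                                     # progress lines carry no host
    h = hosts[m[:host]]
    port = m[:port].to_i
    case m[:msg]
    when /\AHost is likely VULNERABLE to MS17-010!/   # smb_ms17_010
      h[:findings] << 'MS17-010: patch SMBv1 or isolate the host'
    when /\AHost is running (.+?) \(/                 # smb_version (Windows)
      h[:services][port] = "SMB: #{$1}"
    when /\AHost could not be identified: (.+)/       # smb_version (Samba etc.)
      h[:services][port] = "SMB: #{$1}"
    when /\ASSH server version: (\S+)/                # ssh_version
      banner = $1
      h[:services][port] = "SSH: #{banner}"
      if banner =~ /OpenSSH_(\d+)\.(\d+)/ && $1.to_i < MIN_OPENSSH_MAJOR
        h[:findings] << "outdated OpenSSH #{$1}.#{$2}"
      end
    when /\AFTP Banner: '(.*)'/                       # ftp_version; drop literal \x0d\x0a
      h[:services][port] = "FTP: #{$1.sub(/\\x0d\\x0a\z/, '')}"
    when /\A\S+ \[ (.+?) \]/                          # smb_enumusers: NAME [ u1, u2 ]
      h[:users].concat($1.split(', '))
    when /\A(\S+) - \([A-Z]*\) .+/                    # smb_enumshares: NAME - (flags) comment
      h[:shares] << $1
    end
  end
  hosts
end

# Constructed sample assembled from result lines shown on this page.
SAMPLE_LOG = <<~'LOG'
  [*] Scanned 101 of 256 hosts (39% complete)
  [+] 192.168.10.122:445 - IPC$ - (I) Remote IPC
  [+] 192.168.10.122:445 - C$ - (DS) Default share
  [+] 192.168.10.122:445 - Host is running Windows 2003 (build:3790) (name:ROOT-TVI862UBEH) (workgroup:WORKGROUP )
  [*] 192.168.10.254:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
  [+] 192.168.10.254:139 - METASPLOITABLE [ games, nobody, msfadmin, root ] ( LockoutTries=0 PasswordMin=5 )
  [+] 192.168.10.122:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 x86 (32-bit)
  [-] 192.168.10.254:445 - Host does NOT appear vulnerable.
  [+] 192.168.10.254:22 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 )
  [+] 192.168.10.122:21 - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
  [*] Auxiliary module execution completed
LOG

parse_msf_scan(SAMPLE_LOG).each do |host, info|
  puts "#{host}: #{info[:services].values.join(' | ')} findings=#{info[:findings].inspect}"
end
```

Feed it a saved msfconsole transcript (for example via `spool`) to get one record per host instead of reading interleaved progress lines.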
SMTP user enumeration
msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(scanner/smtp/smtp_enum) > show options
Module options (auxiliary/scanner/smtp/smtp_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 25 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
UNIXONLY true yes Skip Microsoft bannered servers when testing unix users
USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt yes The file that contains a list of probable users accounts.
msf auxiliary(scanner/smtp/smtp_enum) > set threads 100
threads => 100
msf auxiliary(scanner/smtp/smtp_enum) > set rhosts 192.168.10.0/24
rhosts => 192.168.10.0/24
msf auxiliary(scanner/smtp/smtp_enum) > run
SNMP
# SNMP login with default community strings, then enumeration
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_enum
HTTP SSL certificate scan
use auxiliary/scanner/http/cert
set rhost 192.168.10.0/24
set rport 8383
run
HTTP robots.txt retrieval
use auxiliary/scanner/http/robots_txt
set path /mutilidae
set rhost 192.168.10.10
run
HTTP dangerous methods (PUT/DELETE) check
use auxiliary/scanner/http/http_put
set path /uploads
set rhost 192.168.10.10
set rport 8585
run
Web service: Jenkins enumeration
set rhost 192.168.10.10
set rport 8585
set targeturi /
run
Windows Remote Management (WinRM) authentication methods
use auxiliary/scanner/winrm/winrm_auth_methods
set rhost 192.168.10.10
run
Windows Remote Management (WinRM) command execution
use auxiliary/scanner/winrm/winrm_cmd
set cmd hostname
set rhosts 192.168.10.10
set username administrator
set password ...
run