PREPARING METASPLOIT FOR PORT SCANNING
Scanners and most other auxiliary modules use the "RHOSTS" option instead of "RHOST". RHOSTS can take IP ranges (192.168.1.20-192.168.1.30), CIDR ranges (192.168.1.0/24), multiple ranges separated by commas (192.168.1.0/24, 192.168.3.0/24), and a line-separated host list file (file:/tmp/hostlist.txt). This is another use for our grepable Nmap output file.
By default, all scanner modules have the "THREADS" value set to "1". The "THREADS" value sets the number of concurrent threads to use while scanning. Set this value higher to speed up your scans, or lower it to reduce network traffic, but be sure to follow these guidelines:
- Keep the THREADS value under 16 on native Win32 systems
- Keep THREADS under 200 when running MSF under Cygwin
- On Unix-like operating systems, THREADS can be set as high as 256.
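To make the four RHOSTS forms above concrete, here is an added expander (my own code, not Metasploit's Rex range walker) that turns a dashed range, a CIDR block, a comma-separated list, or a file: reference into individual addresses. The host list file it writes is a constructed sample; like Metasploit, a /24 expands to all 256 addresses, network and broadcast included.

```python
"""Expand a Metasploit-style RHOSTS specification into individual IPv4 hosts.

Added example, not Metasploit's own code. Handles the four forms the text
describes: dashed range, CIDR, comma-separated list, and file:<path>.
"""
import ipaddress
import os
import tempfile


def expand_rhosts(spec):
    """Return the list of addresses (as strings) covered by `spec`, in order."""
    hosts = []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        if item.startswith("file:"):
            # line-separated host list; each line may itself be a range or CIDR
            with open(item[len("file:"):], encoding="utf-8") as fh:
                for line in fh:
                    line = line.strip()
                    if line and not line.startswith("#"):
                        hosts.extend(expand_rhosts(line))
        elif "-" in item:
            # inclusive dashed range such as 192.168.1.20-192.168.1.30
            lo, hi = (ipaddress.IPv4Address(x.strip()) for x in item.split("-", 1))
            if hi < lo:
                raise ValueError("range end precedes start: " + item)
            hosts.extend(str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1))
        else:
            # CIDR block or single address; strict=False accepts 192.168.1.1/24 too.
            # Iterating the network yields every address, so a /24 gives 256 hosts,
            # matching the "Scanned 256 of 256 hosts" the SYN scanner reports.
            net = ipaddress.IPv4Network(item, strict=False)
            hosts.extend(str(addr) for addr in net)
    return hosts


def demo_file_spec():
    """Write a constructed host list to a temp file and expand a file: reference to it."""
    path = os.path.join(tempfile.mkdtemp(), "hostlist.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, one entry per line\n")
        fh.write("10.0.0.1\n10.0.0.4-10.0.0.5\n10.0.1.0/30\n")
    return expand_rhosts("file:" + path)


if __name__ == "__main__":
    print(expand_rhosts("192.168.1.20-192.168.1.30"))
    print(len(expand_rhosts("192.168.1.0/24, 192.168.3.0/24")))
    print(demo_file_spec())
```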
NMAP AND DB_NMAP
We can use the db_nmap command to run Nmap against our targets and have the scan results stored automatically in the database. However, if you also wish to import the scan results into another application or framework later on, you will likely want to export the results in XML format. It is always nice to have all three Nmap outputs (xml, grepable, and normal). So we can run the Nmap scan using the -oA flag followed by the desired filename to generate the three output files, then issue the db_import command to populate the Metasploit database.
Run Nmap with the options you would normally use from the command line. If you wish to save the results to the database, omit the output flag and use db_nmap. The example below would then be db_nmap -v -sV 192.168.1.0/24.
msf > nmap -v -sV 192.168.1.0/24 -oA subnet_1
[*] exec: nmap -v -sV 192.168.1.0/24 -oA subnet_1

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-13 19:29 MDT
NSE: Loaded 3 scripts for scanning.
Initiating ARP Ping Scan at 19:29
Scanning 101 hosts [1 port/host]
...
Nmap done: 256 IP addresses (16 hosts up) scanned in 499.41 seconds
           Raw packets sent: 19973 (877.822KB) | Rcvd: 15125 (609.512KB)
PORT SCANNING
In addition to running Nmap, there are a variety of other port scanners available to us within the framework.
msf > search portscan

Matching Modules
================

   Name                                      Disclosure Date  Rank    Description
   ----                                      ---------------  ----    -----------
   auxiliary/scanner/natpmp/natpmp_portscan                   normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                             normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                       normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                             normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                             normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                            normal  TCP "XMas" Port Scanner
For the sake of comparison, we will compare our Nmap scan results for port 80 with a Metasploit scanning module. First, let's determine which hosts have port 80 open according to Nmap.
msf > cat subnet_1.gnmap | grep 80/open | awk '{print $2}'
[*] exec: cat subnet_1.gnmap | grep 80/open | awk '{print $2}'

192.168.1.1
192.168.1.2
192.168.1.10
192.168.1.109
192.168.1.116
192.168.1.150
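The grep one-liner above is a substring match, so "80/open" would also match 8080/open or 180/open in a busier .gnmap file. As an added example (my own code, not from the original page), the parser below reads the tab-separated Ports: field of grepable output and compares the port number, state and protocol exactly; the .gnmap lines it runs over are a constructed sample in that format.

```python
"""Select hosts with a given open port from Nmap grepable (.gnmap) output.

Added example, not from the original page. Parsing the Ports: field avoids
the false matches a plain `grep 80/open` produces on 8080/open or 180/open.
"""
import re

# Constructed sample in .gnmap format; fields within a Host: line are tab-separated
# and each port entry reads port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = """\
# Nmap 5.00 scan initiated as: nmap -v -sV -oA subnet_1 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.2 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.5 ()\tPorts: 8080/open/tcp//http-proxy///, 180/filtered/tcp//ris///\tIgnored State: closed (998)
Host: 192.168.1.10 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (16 hosts up) scanned in 499.41 seconds
"""

PORT_ENTRY = re.compile(r"^(\d+)/(\w+)/(\w+)/")


def hosts_with_open_port(gnmap_text, port, proto="tcp"):
    """Return addresses whose Ports: field lists `port`/open/`proto`, in file order."""
    hosts = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and anything that is not a host record
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # a "Status: Up" record carries no port data
        addr = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            m = PORT_ENTRY.match(entry.strip())
            if m and int(m.group(1)) == port and m.group(2) == "open" and m.group(3) == proto:
                hosts.append(addr)
                break
    return hosts


def naive_grep(gnmap_text, port):
    """The page's grep/awk approach: a substring test, which also matches 8080/open."""
    return [line.split()[1] for line in gnmap_text.splitlines() if "%d/open" % port in line]


if __name__ == "__main__":
    print("parsed:", hosts_with_open_port(SAMPLE_GNMAP, 80))
    print("grep  :", naive_grep(SAMPLE_GNMAP, 80))
```

Running it shows the parsed list omitting 192.168.1.5, which the grep approach includes because of its 8080/open entry.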
The Nmap scan we ran earlier was a SYN scan, so we will run the same scan across the subnet looking for port 80 with Metasploit, using the eth0 interface.
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set INTERFACE eth0
INTERFACE => eth0
msf auxiliary(syn) > set PORTS 80
PORTS => 80
msf auxiliary(syn) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run

[*]  TCP OPEN 192.168.1.1:80
[*]  TCP OPEN 192.168.1.2:80
[*]  TCP OPEN 192.168.1.10:80
[*]  TCP OPEN 192.168.1.109:80
[*]  TCP OPEN 192.168.1.116:80
[*]  TCP OPEN 192.168.1.150:80
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Here we will load the "tcp" scanner and use it against another target. As with all the previously mentioned plugins, it uses the "RHOSTS" option. Remember that we can issue the hosts -R command to automatically set this option with the hosts found in the database.
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > hosts -R

Hosts
=====

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------  ---------  -----  -------  ----  --------
172.16.194.172  00:0C:29:D1:62:80        Linux    Ubuntu            server

RHOSTS => 172.16.194.172

msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   FILTER                        no        The filter string for capturing traffic
   INTERFACE                     no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   PORTS        1-1024           yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       172.16.194.172   yes       The target address range or CIDR identifier
   SNAPLEN      65535            yes       The number of bytes to capture
   THREADS      10               yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > run

[*] 172.16.194.172:25 - TCP OPEN
[*] 172.16.194.172:23 - TCP OPEN
[*] 172.16.194.172:22 - TCP OPEN
[*] 172.16.194.172:21 - TCP OPEN
[*] 172.16.194.172:53 - TCP OPEN
[*] 172.16.194.172:80 - TCP OPEN
[*] 172.16.194.172:111 - TCP OPEN
[*] 172.16.194.172:139 - TCP OPEN
[*] 172.16.194.172:445 - TCP OPEN
[*] 172.16.194.172:514 - TCP OPEN
[*] 172.16.194.172:513 - TCP OPEN
[*] 172.16.194.172:512 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
We can see that Metasploit's built-in scanner modules are more than capable of finding systems and open ports for us. They are just another excellent tool to have in your arsenal if you happen to be running Metasploit on a system without Nmap installed.
SMB VERSION SCANNING
Now that we have determined which hosts are available on the network, we can attempt to determine the operating systems they are running. This will help us narrow down our attacks to target specific systems and will stop us from wasting time on those that aren't vulnerable to a particular exploit.
Since there are many systems in our scan that have port 445 open, we will use the scanner/smb/version module to determine which version of Windows is running on a target and which Samba version is on a Linux host.
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.1.200-210
RHOSTS => 192.168.1.200-210
msf auxiliary(smb_version) > set THREADS 11
THREADS => 11
msf auxiliary(smb_version) > run

[*] 192.168.1.209:445 is running Windows 2003 R2 Service Pack 2 (language: Unknown) (name:XEN-2K3-FUZZ) (domain:WORKGROUP)
[*] 192.168.1.201:445 is running Windows XP Service Pack 3 (language: English) (name:V-XP-EXPLOIT) (domain:WORKGROUP)
[*] 192.168.1.202:445 is running Windows XP Service Pack 3 (language: English) (name:V-XP-DEBUG) (domain:WORKGROUP)
[*] Scanned 04 of 11 hosts (036% complete)
[*] Scanned 09 of 11 hosts (081% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
Also notice that if we issue the hosts command now, the newly acquired information is stored in Metasploit's database.
msf auxiliary(smb_version) > hosts

Hosts
=====

address        mac  name  os_name            os_flavor  os_sp  purpose  info  comments
-------        ---  ----  -------            ---------  -----  -------  ----  --------
192.168.1.201             Microsoft Windows  XP         SP3    client
192.168.1.202             Microsoft Windows  XP         SP3    client
192.168.1.209             Microsoft Windows  2003 R2    SP2    server
IDLE SCANNING
Nmap's IPID idle scan allows us to scan a target a little more stealthily while spoofing the IP address of another host on the network. For this type of scan to work, we need to locate a host that is idle on the network and uses an IPID sequence of either Incremental or Broken little-endian incremental. Metasploit contains the module scanner/ip/ipidseq to scan for and find hosts that fit the requirements.
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options

Module options (auxiliary/scanner/ip/ipidseq):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ipidseq) > set THREADS 50
THREADS => 50
msf auxiliary(ipidseq) > run

[*] 192.168.1.1's IPID sequence class: All zeros
[*] 192.168.1.2's IPID sequence class: Incremental!
[*] 192.168.1.10's IPID sequence class: Incremental!
[*] 192.168.1.104's IPID sequence class: Randomized
[*] 192.168.1.109's IPID sequence class: Incremental!
[*] 192.168.1.111's IPID sequence class: Incremental!
[*] 192.168.1.114's IPID sequence class: Incremental!
[*] 192.168.1.116's IPID sequence class: All zeros
[*] 192.168.1.124's IPID sequence class: Incremental!
[*] 192.168.1.123's IPID sequence class: Incremental!
[*] 192.168.1.137's IPID sequence class: All zeros
[*] 192.168.1.150's IPID sequence class: All zeros
[*] 192.168.1.151's IPID sequence class: Incremental!
[*] Auxiliary module execution completed
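The classes printed above come from looking at how the IP ID field changes between successive replies. As an added example (my own code, not the ipidseq module's), the function below classifies a list of sampled IP IDs into those classes; the wrap-around difference handling follows the way the 16-bit field behaves, while the numeric thresholds (10, 5120, 20000) and the labels not shown on this page ("Constant", "Broken little-endian incremental!", "Random positive increments") are my recollection of the Nmap/Metasploit heuristics and should be treated as assumptions. The per-host samples are constructed. From a defender's side, any host on your own network that comes back Incremental is exactly the kind of box this section goes on to use as a zombie, so a predictable IPID is a finding worth fixing (current kernels randomize or zero the field).

```python
"""Classify sampled IP ID values into ipidseq-style sequence classes.

Added example, not Metasploit's or Nmap's own code. Thresholds are an
approximation of their heuristics (assumption); the sample data is constructed.
"""


def ipid_class(ipids):
    """Return the sequence class label for a list of sampled 16-bit IP IDs."""
    if len(ipids) < 2:
        return "Unknown"
    if all(x == 0 for x in ipids):
        return "All zeros"
    if all(x == ipids[0] for x in ipids):
        return "Constant"
    # successive differences, wrapping at 2**16 the way the real field does,
    # so a counter going 65535 -> 0 still shows as a step of 1
    diffs = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]
    # a byte-swapped counter advances in multiples of 256 (broken little-endian)
    if all(d % 256 == 0 and 0 < d < 5120 for d in diffs):
        return "Broken little-endian incremental!"
    if all(d < 10 for d in diffs):
        return "Incremental!"
    if max(diffs) > 20000:
        return "Randomized"
    return "Random positive increments"


# Constructed samples: six IP IDs observed from each host (not measurements from the page).
SAMPLES = {
    "10.0.0.1": [0, 0, 0, 0, 0, 0],
    "10.0.0.2": [1200, 1201, 1202, 1203, 1204, 1205],
    "10.0.0.3": [65533, 65534, 65535, 0, 1, 2],        # increments across the wrap
    "10.0.0.4": [48213, 1042, 60011, 3, 22222, 9001],
    "10.0.0.5": [512, 768, 1024, 1280, 1536, 1792],    # steps of 256
    "10.0.0.6": [4, 4, 4, 4, 4, 4],
    "10.0.0.7": [100, 150, 600, 1300, 1900, 2400],
}


def predictable_ipid_hosts(samples_by_host):
    """Hosts whose IP ID sequence is predictable enough to flag for remediation."""
    flagged = {"Incremental!", "Broken little-endian incremental!"}
    return sorted(h for h, s in samples_by_host.items() if ipid_class(s) in flagged)


if __name__ == "__main__":
    for host, seq in SAMPLES.items():
        print("[*] %s's IPID sequence class: %s" % (host, ipid_class(seq)))
    print("hosts to remediate:", predictable_ipid_hosts(SAMPLES))
```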
Judging by the results of our scan, we have a number of potential zombies we can use to perform idle scanning. We'll try scanning a host using the zombie at 192.168.1.109 and see if we get the same results we had before.
msf auxiliary(ipidseq) > nmap -Pn -sI 192.168.1.109 192.168.1.114
[*] exec: nmap -Pn -sI 192.168.1.109 192.168.1.114

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-14 05:51 MDT
Idle scan using zombie 192.168.1.109 (192.168.1.109:80); Class: Incremental
Interesting ports on 192.168.1.114:
Not shown: 996 closed|filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:0C:29:41:F2:E8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds