Commonly used Metasploit auxiliary modules

I've been writing a tutorial recently, so I'm noting these down.
The whole session below is a scan of a single lab host, 172.16.1.105, from a Metasploit Pro 4.6 console on BackTrack. Each module is loaded with use, its options shown with info, RHOSTS set, and then run.

Start with a TCP SYN scan. The syn module crafts raw packets and captures the replies with pcap, so it has to run with root privileges (the session is root on BackTrack). THREADS is raised to 100 to speed up the 1-10000 port range.

root@bt:~# msfpro
[*] Starting Metasploit Console...
[Metasploit ASCII-art banner omitted]
       http://metasploit.pro

       =[ metasploit v4.6.2-1 [core:4.6 api:1.0]
+ -- --=[ 1138 exploits - 718 auxiliary - 194 post
+ -- --=[ 309 payloads - 30 encoders - 8 nops

[*] Successfully loaded plugin: pro
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > info

       Name: TCP SYN Port Scanner
     Module: auxiliary/scanner/portscan/syn
    Version: 0
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  kris katterjohn <[email protected]>

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  BATCHSIZE  256              yes       The number of hosts to scan per set
  INTERFACE                   no        The name of the interface
  PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
  RHOSTS                      yes       The target address range or CIDR identifier
  SNAPLEN    65535            yes       The number of bytes to capture
  THREADS    1                yes       The number of concurrent threads
  TIMEOUT    500              yes       The reply read timeout in milliseconds

Description:
  Enumerate open TCP services using a raw SYN scan.

msf auxiliary(syn) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(syn) > set THREADS 100
THREADS => 100
msf auxiliary(syn) > run
[*] TCP OPEN 172.16.1.105:21
[*] TCP OPEN 172.16.1.105:22
[*] TCP OPEN 172.16.1.105:23
[*] TCP OPEN 172.16.1.105:25
[*] TCP OPEN 172.16.1.105:53
[*] TCP OPEN 172.16.1.105:80
[*] TCP OPEN 172.16.1.105:111
[*] TCP OPEN 172.16.1.105:139
[*] TCP OPEN 172.16.1.105:445
[*] TCP OPEN 172.16.1.105:512
[*] TCP OPEN 172.16.1.105:513
[*] TCP OPEN 172.16.1.105:514
[*] TCP OPEN 172.16.1.105:1099
[*] TCP OPEN 172.16.1.105:1524
[*] TCP OPEN 172.16.1.105:2049
[*] TCP OPEN 172.16.1.105:2121
[*] TCP OPEN 172.16.1.105:3306
[*] TCP OPEN 172.16.1.105:3632
[*] TCP OPEN 172.16.1.105:5432
[*] TCP OPEN 172.16.1.105:5900
[*] TCP OPEN 172.16.1.105:6000
[*] TCP OPEN 172.16.1.105:6667
[*] TCP OPEN 172.16.1.105:6697
[*] TCP OPEN 172.16.1.105:8009
[*] TCP OPEN 172.16.1.105:8180
[*] TCP OPEN 172.16.1.105:8787
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This is a TCP-only scan: it says nothing about UDP services such as SNMP (161/udp) or the SQL Server Browser (1434/udp), which the later modules probe.

Next, fingerprint what was found. smb_version talks to 445/tcp and reports the SMB implementation and its version:

msf auxiliary(syn) > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > info

       Name: SMB Version Detection
     Module: auxiliary/scanner/smb/smb_version
    Version: 0
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <[email protected]>

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  RHOSTS                      yes       The target address range or CIDR identifier
  SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
  SMBPass                     no        The password for the specified username
  SMBUser                     no        The username to authenticate as
  THREADS    1                yes       The number of concurrent threads

Description:
  Display version information about each system

msf auxiliary(smb_version) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(smb_version) > run
[*] 172.16.1.105:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

mssql_ping queries the SQL Server Browser service on 1434/udp. No output between run and the completion line means no instance answered:

msf auxiliary(smb_version) > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > info

       Name: MSSQL Ping Utility
     Module: auxiliary/scanner/mssql/mssql_ping
    Version: 0
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC <[email protected]>

Basic options:
  Name                 Current Setting  Required  Description
  ----                 ---------------  --------  -----------
  PASSWORD                              no        The password for the specified username
  RHOSTS                                yes       The target address range or CIDR identifier
  THREADS              1                yes       The number of concurrent threads
  USERNAME             sa               no        The username to authenticate as
  USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

Description:
  This module simply queries the MSSQL instance for information.

msf auxiliary(mssql_ping) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(mssql_ping) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

ssh_version and ftp_version are plain banner grabs: they connect, read the server's greeting and print it. (The "iffo" is a typo for info that the console rejects; it is left in as typed.)

msf auxiliary(mssql_ping) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > iffo
[-] Unknown command: iffo.
msf auxiliary(ssh_version) > info

       Name: SSH Version Scanner
     Module: auxiliary/scanner/ssh/ssh_version
    Version: 0
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Daniel van Eeden <[email protected]>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    22               yes       The target port
  THREADS  1                yes       The number of concurrent threads
  TIMEOUT  30               yes       Timeout for the SSH probe

Description:
  Detect SSH Version.

References:
  http://en.wikipedia.org/wiki/SecureShell

msf auxiliary(ssh_version) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(ssh_version) > run
[*] 172.16.1.105:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > info

       Name: FTP Version Scanner
     Module: auxiliary/scanner/ftp/ftp_version
    Version: 0
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <[email protected]>

Basic options:
  Name     Current Setting      Required  Description
  ----     ---------------      --------  -----------
  FTPPASS  [email protected]   no        The password for the specified username
  FTPUSER  anonymous            no        The username to authenticate as
  RHOSTS                        yes       The target address range or CIDR identifier
  RPORT    21                   yes       The target port
  THREADS  1                    yes       The number of concurrent threads

Description:
  Detect FTP Version.

msf auxiliary(ftp_version) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(ftp_version) > run
[*] 172.16.1.105:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

snmp_login sends an SNMP GetRequest for every community string in PASS_FILE (118 entries in the bundled default list). SNMP agents do not answer a request carrying a wrong community, so a run with no hits, as here, looks exactly like a host with no SNMP agent at all; the SYN scan above cannot settle which it is, because it only covers TCP.

msf auxiliary(ftp_version) > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > info

       Name: SNMP Community Scanner
     Module: auxiliary/scanner/snmp/snmp_login
    Version: 0
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <[email protected]>

Basic options:
  Name              Current Setting                                                     Required  Description
  ----              ---------------                                                     --------  -----------
  BATCHSIZE         256                                                                 yes       The number of hosts to probe in each set
  BLANK_PASSWORDS   true                                                                no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                   yes       How fast to bruteforce, from 0 to 5
  CHOST                                                                                 no        The local client address
  PASSWORD                                                                              no        The password to test
  PASS_FILE         /opt/metasploit/apps/pro/msf3/data/wordlists/snmp_default_pass.txt  no        File containing communities, one per line
  RHOSTS                                                                                yes       The target address range or CIDR identifier
  RPORT             161                                                                 yes       The target port
  STOP_ON_SUCCESS   false                                                               yes       Stop guessing when a credential works for a host
  THREADS           1                                                                   yes       The number of concurrent threads
  USER_AS_PASS      true                                                                no        Try the username as the password for all users
  VERBOSE           true                                                                yes       Whether to print output for all attempts

Description:
  Scan for SNMP devices using common community names

References:
  http://cvedetails.com/cve/1999-0508/

msf auxiliary(snmp_login) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(snmp_login) > run
[*] :161SNMP - [001/118] - 172.16.1.105:161 - SNMP - Trying public...
[*] :161SNMP - [002/118] - 172.16.1.105:161 - SNMP - Trying private...
[*] :161SNMP - [003/118] - 172.16.1.105:161 - SNMP - Trying 0...
[*] :161SNMP - [004/118] - 172.16.1.105:161 - SNMP - Trying 0392a0...
[*] :161SNMP - [005/118] - 172.16.1.105:161 - SNMP - Trying 1234...
[*] :161SNMP - [006/118] - 172.16.1.105:161 - SNMP - Trying 2read...
[*] :161SNMP - [007/118] - 172.16.1.105:161 - SNMP - Trying 4changes...
[*] :161SNMP - [008/118] - 172.16.1.105:161 - SNMP - Trying ANYCOM...
[*] :161SNMP - [009/118] - 172.16.1.105:161 - SNMP - Trying Admin...
[*] :161SNMP - [010/118] - 172.16.1.105:161 - SNMP - Trying C0de...
[*] :161SNMP - [011/118] - 172.16.1.105:161 - SNMP - Trying CISCO...
[*] :161SNMP - [012/118] - 172.16.1.105:161 - SNMP - Trying CR52401...
[*] :161SNMP - [013/118] - 172.16.1.105:161 - SNMP - Trying IBM...
[*] :161SNMP - [014/118] - 172.16.1.105:161 - SNMP - Trying ILMI...
[*] :161SNMP - [015/118] - 172.16.1.105:161 - SNMP - Trying Intermec...
[*] :161SNMP - [016/118] - 172.16.1.105:161 - SNMP - Trying NoGaH$@!...
[*] :161SNMP - [017/118] - 172.16.1.105:161 - SNMP - Trying OrigEquipMfr...
[*] :161SNMP - [018/118] - 172.16.1.105:161 - SNMP - Trying PRIVATE...
[*] :161SNMP - [019/118] - 172.16.1.105:161 - SNMP - Trying PUBLIC...
[*] :161SNMP - [020/118] - 172.16.1.105:161 - SNMP - Trying Private...
[*] :161SNMP - [021/118] - 172.16.1.105:161 - SNMP - Trying Public...
[*] :161SNMP - [022/118] - 172.16.1.105:161 - SNMP - Trying SECRET...
[*] :161SNMP - [023/118] - 172.16.1.105:161 - SNMP - Trying SECURITY...
[*] :161SNMP - [024/118] - 172.16.1.105:161 - SNMP - Trying SNMP...
[*] :161SNMP - [025/118] - 172.16.1.105:161 - SNMP - Trying SNMP_trap...
[*] :161SNMP - [026/118] - 172.16.1.105:161 - SNMP - Trying SUN...
[*] :161SNMP - [027/118] - 172.16.1.105:161 - SNMP - Trying SWITCH...
[*] :161SNMP - [028/118] - 172.16.1.105:161 - SNMP - Trying SYSTEM...
[*] :161SNMP - [029/118] - 172.16.1.105:161 - SNMP - Trying Secret...
[*] :161SNMP - [030/118] - 172.16.1.105:161 - SNMP - Trying Security...
[*] :161SNMP - [031/118] - 172.16.1.105:161 - SNMP - Trying Switch...
[*] :161SNMP - [032/118] - 172.16.1.105:161 - SNMP - Trying System...
[*] :161SNMP - [033/118] - 172.16.1.105:161 - SNMP - Trying TENmanUFactOryPOWER...
[*] :161SNMP - [034/118] - 172.16.1.105:161 - SNMP - Trying TEST...
[*] :161SNMP - [035/118] - 172.16.1.105:161 - SNMP - Trying access...
[*] :161SNMP - [036/118] - 172.16.1.105:161 - SNMP - Trying adm...
[*] :161SNMP - [037/118] - 172.16.1.105:161 - SNMP - Trying admin...
[*] :161SNMP - [038/118] - 172.16.1.105:161 - SNMP - Trying agent...
[*] :161SNMP - [039/118] - 172.16.1.105:161 - SNMP - Trying agent_steal...
[*] :161SNMP - [040/118] - 172.16.1.105:161 - SNMP - Trying all...
[*] :161SNMP - [041/118] - 172.16.1.105:161 - SNMP - Trying all private...
[*] :161SNMP - [042/118] - 172.16.1.105:161 - SNMP - Trying all public...
[*] :161SNMP - [043/118] - 172.16.1.105:161 - SNMP - Trying apc...
[*] :161SNMP - [044/118] - 172.16.1.105:161 - SNMP - Trying bintec...
[*] :161SNMP - [045/118] - 172.16.1.105:161 - SNMP - Trying blue...
[*] :161SNMP - [046/118] - 172.16.1.105:161 - SNMP - Trying c...
[*] :161SNMP - [047/118] - 172.16.1.105:161 - SNMP - Trying cable-d...
[*] :161SNMP - [048/118] - 172.16.1.105:161 - SNMP - Trying canon_admin...
[*] :161SNMP - [049/118] - 172.16.1.105:161 - SNMP - Trying cc...
[*] :161SNMP - [050/118] - 172.16.1.105:161 - SNMP - Trying cisco...
[*] :161SNMP - [051/118] - 172.16.1.105:161 - SNMP - Trying community...
[*] :161SNMP - [052/118] - 172.16.1.105:161 - SNMP - Trying core...
[*] :161SNMP - [053/118] - 172.16.1.105:161 - SNMP - Trying debug...
[*] :161SNMP - [054/118] - 172.16.1.105:161 - SNMP - Trying default...
[*] :161SNMP - [055/118] - 172.16.1.105:161 - SNMP - Trying dilbert...
[*] :161SNMP - [056/118] - 172.16.1.105:161 - SNMP - Trying enable...
[*] :161SNMP - [057/118] - 172.16.1.105:161 - SNMP - Trying field...
[*] :161SNMP - [058/118] - 172.16.1.105:161 - SNMP - Trying field-service...
[*] :161SNMP - [059/118] - 172.16.1.105:161 - SNMP - Trying freekevin...
[*] :161SNMP - [060/118] - 172.16.1.105:161 - SNMP - Trying fubar...
[*] :161SNMP - [061/118] - 172.16.1.105:161 - SNMP - Trying guest...
[*] :161SNMP - [062/118] - 172.16.1.105:161 - SNMP - Trying hello...
[*] :161SNMP - [063/118] - 172.16.1.105:161 - SNMP - Trying hp_admin...
[*] :161SNMP - [064/118] - 172.16.1.105:161 - SNMP - Trying ibm...
[*] :161SNMP - [065/118] - 172.16.1.105:161 - SNMP - Trying ilmi...
[*] :161SNMP - [066/118] - 172.16.1.105:161 - SNMP - Trying intermec...
[*] :161SNMP - [067/118] - 172.16.1.105:161 - SNMP - Trying internal...
[*] :161SNMP - [068/118] - 172.16.1.105:161 - SNMP - Trying l2...
[*] :161SNMP - [069/118] - 172.16.1.105:161 - SNMP - Trying l3...
[*] :161SNMP - [070/118] - 172.16.1.105:161 - SNMP - Trying manager...
[*] :161SNMP - [071/118] - 172.16.1.105:161 - SNMP - Trying mngt...
[*] :161SNMP - [072/118] - 172.16.1.105:161 - SNMP - Trying monitor...
[*] :161SNMP - [073/118] - 172.16.1.105:161 - SNMP - Trying netman...
[*] :161SNMP - [074/118] - 172.16.1.105:161 - SNMP - Trying network...
[*] :161SNMP - [075/118] - 172.16.1.105:161 - SNMP - Trying none...
[*] :161SNMP - [076/118] - 172.16.1.105:161 - SNMP - Trying openview...
[*] :161SNMP - [077/118] - 172.16.1.105:161 - SNMP - Trying pass...
[*] :161SNMP - [078/118] - 172.16.1.105:161 - SNMP - Trying password...
[*] :161SNMP - [079/118] - 172.16.1.105:161 - SNMP - Trying pr1v4t3...
[*] :161SNMP - [080/118] - 172.16.1.105:161 - SNMP - Trying proxy...
[*] :161SNMP - [081/118] - 172.16.1.105:161 - SNMP - Trying publ1c...
[*] :161SNMP - [082/118] - 172.16.1.105:161 - SNMP - Trying read...
[*] :161SNMP - [083/118] - 172.16.1.105:161 - SNMP - Trying read-only...
[*] :161SNMP - [084/118] - 172.16.1.105:161 - SNMP - Trying read-write...
[*] :161SNMP - [085/118] - 172.16.1.105:161 - SNMP - Trying readwrite...
[*] :161SNMP - [086/118] - 172.16.1.105:161 - SNMP - Trying red...
[*] :161SNMP - [087/118] - 172.16.1.105:161 - SNMP - Trying regional...
[*] :161SNMP - [088/118] - 172.16.1.105:161 - SNMP - Trying rmon...
[*] :161SNMP - [089/118] - 172.16.1.105:161 - SNMP - Trying rmon_admin...
[*] :161SNMP - [090/118] - 172.16.1.105:161 - SNMP - Trying ro...
[*] :161SNMP - [091/118] - 172.16.1.105:161 - SNMP - Trying root...
[*] :161SNMP - [092/118] - 172.16.1.105:161 - SNMP - Trying router...
[*] :161SNMP - [093/118] - 172.16.1.105:161 - SNMP - Trying rw...
[*] :161SNMP - [094/118] - 172.16.1.105:161 - SNMP - Trying rwa...
[*] :161SNMP - [095/118] - 172.16.1.105:161 - SNMP - Trying san-fran...
[*] :161SNMP - [096/118] - 172.16.1.105:161 - SNMP - Trying sanfran...
[*] :161SNMP - [097/118] - 172.16.1.105:161 - SNMP - Trying scotty...
[*] :161SNMP - [098/118] - 172.16.1.105:161 - SNMP - Trying secret...
[*] :161SNMP - [099/118] - 172.16.1.105:161 - SNMP - Trying security...
[*] :161SNMP - [100/118] - 172.16.1.105:161 - SNMP - Trying seri...
[*] :161SNMP - [101/118] - 172.16.1.105:161 - SNMP - Trying snmp...
[*] :161SNMP - [102/118] - 172.16.1.105:161 - SNMP - Trying snmpd...
[*] :161SNMP - [103/118] - 172.16.1.105:161 - SNMP - Trying snmptrap...
[*] :161SNMP - [104/118] - 172.16.1.105:161 - SNMP - Trying solaris...
[*] :161SNMP - [105/118] - 172.16.1.105:161 - SNMP - Trying sun...
[*] :161SNMP - [106/118] - 172.16.1.105:161 - SNMP - Trying superuser...
[*] :161SNMP - [107/118] - 172.16.1.105:161 - SNMP - Trying switch...
[*] :161SNMP - [108/118] - 172.16.1.105:161 - SNMP - Trying system...
[*] :161SNMP - [109/118] - 172.16.1.105:161 - SNMP - Trying tech...
[*] :161SNMP - [110/118] - 172.16.1.105:161 - SNMP - Trying test...
[*] :161SNMP - [111/118] - 172.16.1.105:161 - SNMP - Trying test2...
[*] :161SNMP - [112/118] - 172.16.1.105:161 - SNMP - Trying tiv0li...
[*] :161SNMP - [113/118] - 172.16.1.105:161 - SNMP - Trying tivoli...
[*] :161SNMP - [114/118] - 172.16.1.105:161 - SNMP - Trying trap...
[*] :161SNMP - [115/118] - 172.16.1.105:161 - SNMP - Trying world...
[*] :161SNMP - [116/118] - 172.16.1.105:161 - SNMP - Trying write...
[*] :161SNMP - [117/118] - 172.16.1.105:161 - SNMP - Trying xyzzy...
[*] :161SNMP - [118/118] - 172.16.1.105:161 - SNMP - Trying yellow...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

webdav_scanner sends an HTTP OPTIONS request for PATH and looks for a DAV response header. Here Apache advertises mod_dav in its Server banner (DAV/2) but has no DAV-enabled location at /, so the module reports it disabled. Apache enables DAV per location, so it is worth re-running with other PATH values before concluding WebDAV is off.

msf auxiliary(snmp_login) > use auxiliary/scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > info

       Name: HTTP WebDAV Scanner
     Module: auxiliary/scanner/http/webdav_scanner
    Version: 0
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  et <[email protected]>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PATH     /                yes       Path to use
  Proxies                   no        Use a proxy chain
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    80               yes       The target port
  THREADS  1                yes       The number of concurrent threads
  VHOST                     no        HTTP server virtual host

Description:
  Detect webservers with WebDAV enabled

msf auxiliary(webdav_scanner) > set RHOSTS 172.16.1.105
RHOSTS => 172.16.1.105
msf auxiliary(webdav_scanner) > run
[*] 172.16.1.105 (Apache/2.2.8 (Ubuntu) DAV/2) WebDAV disabled.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
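The ssh_version and ftp_version runs above are banner grabs, and it helps to see exactly what that means without the framework in the way. The script below is an added example, not code from the original post or from Metasploit: it connects, reads the first line the service volunteers, and parses it the way those two modules do, returning nil for a closed port or a service that stays silent (a server that expects the client to speak first yields no banner). The default host 172.16.1.105 and the timeout values are assumptions for illustration.

```ruby
# Added example (not from the original post or from Metasploit): a minimal
# banner grabber reproducing what auxiliary/scanner/ssh/ssh_version and
# auxiliary/scanner/ftp/ftp_version do. Host, ports and timeouts are assumptions.
require 'socket'
require 'timeout'

# Connect, read the first line the server sends, and return it without the
# trailing CRLF. Returns nil when the port is closed/unreachable or the
# service says nothing within the timeout.
def grab_banner(host, port, timeout: 3)
  Timeout.timeout(timeout) do
    TCPSocket.open(host, port) do |sock|
      line = sock.gets("\n")
      line && line.chomp
    end
  end
rescue Timeout::Error, Errno::ECONNREFUSED, Errno::ECONNRESET,
       Errno::EHOSTUNREACH, Errno::ENETUNREACH, SocketError
  nil
end

# SSH identification string (RFC 4253, 4.2): "SSH-protoversion-softwareversion [SP comments]"
# e.g. "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1"
# => { proto: "2.0", software: "OpenSSH_4.7p1", comments: "Debian-8ubuntu1" }, or nil
def parse_ssh_banner(banner)
  m = banner.to_s.match(/\ASSH-(\d+\.\d+)-(\S+)(?:\s+(.*))?\z/)
  return nil unless m
  { proto: m[1], software: m[2], comments: m[3] }
end

# FTP greeting (RFC 959): a 220 reply line such as "220 (vsFTPd 2.3.4)"
# => { code: 220, text: "(vsFTPd 2.3.4)" }, or nil for anything that is not a 220 greeting
def parse_ftp_banner(banner)
  m = banner.to_s.match(/\A(\d{3})[ -](.*)\z/)
  return nil unless m && m[1] == '220'
  { code: m[1].to_i, text: m[2] }
end

# One per-port report, in the spirit of a scanner module's output line.
def fingerprint(host, port)
  banner = grab_banner(host, port)
  return { port: port, banner: nil } if banner.nil?
  { port: port, banner: banner, ssh: parse_ssh_banner(banner), ftp: parse_ftp_banner(banner) }
end

if __FILE__ == $PROGRAM_NAME
  host = ARGV.fetch(0, '172.16.1.105')   # assumed lab target, as in the post
  [21, 22].each { |port| puts fingerprint(host, port).inspect }
end
```

Run it as `ruby banner_grab.rb 172.16.1.105`; against the host above it should print the same OpenSSH and vsFTPd strings the modules reported. A nil banner on an open port is worth a second look with a longer timeout or a protocol-specific probe rather than being written off as "no service".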
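The snmp_login run shows 118 attempts and no verdict, which is the normal shape of an SNMPv1/v2c community guess: the agent only ever answers when the community is right. The script below is an added example, not code from the original post or from Metasploit. It builds, by hand, the SNMPv1 GetRequest for sysDescr.0 that a community scanner sends for each candidate, shows what the GetResponse a valid community earns looks like, and checks a reply by walking its BER structure and matching the request-id. The lab host 172.16.1.105 and the timeout are assumptions for illustration.

```ruby
# Added example (not from the original post or from Metasploit): the SNMPv1
# GetRequest a community scanner such as auxiliary/scanner/snmp/snmp_login
# sends per candidate community, built with hand-rolled BER so the bytes are
# visible, plus the response check. Host and timeout are assumptions.
require 'socket'
require 'timeout'

SNMP_V1      = 0
GET_REQUEST  = 0xA0   # context-specific tag [0]
GET_RESPONSE = 0xA2   # context-specific tag [2]
SYS_DESCR    = '1.3.6.1.2.1.1.1.0'

# --- minimal X.690 BER encoders, enough for SNMPv1 ---
def ber_len(n)
  return [n].pack('C') if n < 0x80
  b = [n].pack('N').bytes.drop_while(&:zero?)
  ([0x80 | b.size] + b).pack('C*')                  # long form: 0x8N then N length bytes
end
def ber_tlv(tag, body) = [tag].pack('C') + ber_len(body.bytesize) + body
def ber_int(v)
  raise ArgumentError, 'non-negative integers only' if v.negative?
  bytes = [v].pack('N').bytes.drop_while(&:zero?)
  bytes = [0] if bytes.empty?
  bytes.unshift(0) if bytes.first >= 0x80           # keep the sign bit clear
  ber_tlv(0x02, bytes.pack('C*'))
end
def ber_octets(s) = ber_tlv(0x04, s.b)
def ber_null = ber_tlv(0x05, ''.b)
def ber_seq(*parts) = ber_tlv(0x30, parts.join)
def ber_oid(dotted)
  arcs = dotted.split('.').map(&:to_i)
  body = [arcs[0] * 40 + arcs[1]].pack('C')         # first two arcs share one byte
  arcs[2..].each do |a|                             # remaining arcs: base 128, MSB = continuation
    bytes = [a & 0x7f]
    bytes.unshift((a & 0x7f) | 0x80) while (a >>= 7).positive?
    body << bytes.pack('C*')
  end
  ber_tlv(0x06, body)
end

# Message ::= SEQUENCE { version INTEGER, community OCTET STRING, PDU }
# PDU     ::= [tag] { request-id, error-status, error-index, SEQUENCE OF VarBind }
def snmp_get_request(community, oid = SYS_DESCR, request_id: 1)
  pdu = ber_tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) +
                             ber_seq(ber_seq(ber_oid(oid), ber_null)))
  ber_seq(ber_int(SNMP_V1), ber_octets(community), pdu)
end

# What an agent sends back when the community is accepted: same shape,
# GetResponse tag, and the requested OID bound to its value.
def snmp_get_response(community, oid, value, request_id: 1)
  pdu = ber_tlv(GET_RESPONSE, ber_int(request_id) + ber_int(0) + ber_int(0) +
                              ber_seq(ber_seq(ber_oid(oid), ber_octets(value))))
  ber_seq(ber_int(SNMP_V1), ber_octets(community), pdu)
end

# Read one TLV at pos: [tag, body, next_pos], or nil if the buffer is truncated.
def ber_read(buf, pos)
  tag, len = buf.getbyte(pos), buf.getbyte(pos + 1)
  return nil if tag.nil? || len.nil?
  hdr = 2
  if len >= 0x80
    n = len & 0x7f
    len = buf.byteslice(pos + 2, n).bytes.inject(0) { |acc, x| (acc << 8) | x }
    hdr += n
  end
  body = buf.byteslice(pos + hdr, len)
  return nil if body.nil? || body.bytesize < len
  [tag, body, pos + hdr + len]
end

# True only for a well-formed SNMPv1 GetResponse carrying our request-id.
def snmp_response?(data, request_id: 1)
  outer = ber_read(data.to_s.b, 0)
  return false unless outer && outer[0] == 0x30
  ver = ber_read(outer[1], 0)
  return false unless ver && ver[0] == 0x02
  comm = ber_read(outer[1], ver[2])
  return false unless comm && comm[0] == 0x04
  pdu = ber_read(outer[1], comm[2])
  return false unless pdu && pdu[0] == GET_RESPONSE
  rid = ber_read(pdu[1], 0)
  return false unless rid && rid[0] == 0x02
  rid[1].bytes.inject(0) { |acc, x| (acc << 8) | x } == request_id
end

# One probe: true = community accepted; nil = no reply, which covers a wrong
# community, a closed/filtered port and no agent at all (they look identical).
def snmp_probe(host, community, port: 161, timeout: 2, request_id: 1)
  sock = UDPSocket.new
  sock.send(snmp_get_request(community, request_id: request_id), 0, host, port)
  reply, = Timeout.timeout(timeout) { sock.recvfrom(65_535) }
  snmp_response?(reply, request_id: request_id)
rescue Timeout::Error, Errno::ECONNREFUSED
  nil
ensure
  sock&.close
end

if __FILE__ == $PROGRAM_NAME
  host = ARGV.fetch(0, '172.16.1.105')   # assumed lab target, as in the post
  %w[public private].each { |c| puts "#{c}: #{snmp_probe(host, c).inspect}" }
end
```

Because silence is the only failure signal, a scanner like snmp_login cannot distinguish "no agent" from "wrong community"; a quick udp port check for 161 before a long wordlist run, or a single probe with a deliberately wrong community against a host that is known to run SNMP, tells you which situation you are in.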