Mestasploit 弱点扫描

时间 2019-11-16

标签 mestasploit 弱点扫描繁體版

原文原文链接

1. 简介

根据信息收集结果搜索漏洞利用模块
结合外部漏洞扫描系统对大量IP地址段进行批量扫描
误判率、漏判率

2. VNC 密码破解

use auxiliary/scanner/vnc/vnc_loginphp

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(scanner/vnc/vnc_login) > set BLANK_PASSWORDS true
msf auxiliary(scanner/vnc/vnc_login) > set THREADS 20
msf auxiliary(scanner/vnc/vnc_login) > set RHOSTS 10.10.10.142
msf auxiliary(scanner/vnc/vnc_login) > run

3. VNC 无密码访问（未设置密码）

use auxiliary/scanner/vnc/vnc_none_auth

supported : None, free access!web

msf > use auxiliary/scanner/vnc/vnc_none_auth
msf auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 10.10.10.142
msf auxiliary(scanner/vnc/vnc_none_auth) > run

4. RDP 远程桌面漏洞

use auxiliary/scanner/rdp/ms12_020_check

检查不会形成 DoS 攻击.sql

msf > use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(scanner/rdp/ms12_020_check) > set RHOSTS 10.10.10.140-150
msf auxiliary(scanner/rdp/ms12_020_check) > run

说明存在漏洞api

5. 设备后门

use auxiliary/scanner/ssh/juniper_backdoor #juniper 防火墙
use auxiliary/scanner/ssh/fortinet_backdoor # fortinet 防火墙

6. VMware ESXi 密码爆破

use auxiliary/scanner/vmware/vmauthd_login
use auxiliary/scanner/vmware/vmware_enum_vms

7. 利用 WEB API 远程开启虚拟机

use auxiliary/admin/vmware/poweron_vm

8. HTTP 弱点扫描

过时证书：use auxiliary/scanner/http/certtomcat

msf > use auxiliary/scanner/http/cert
msf auxiliary(scanner/http/cert) > set RHOSTS 10.10.10.130-150
msf auxiliary(scanner/http/cert) > set THREADS 20
msf auxiliary(scanner/http/cert) > run

显示目录及文件ssh

use auxiliary/scanner/http/dir_listingwordpress

msf > use auxiliary/scanner/http/dir_listing
msf auxiliary(scanner/http/dir_listing) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/dir_listing) > set PATH dav
msf auxiliary(scanner/http/dir_listing) > run

use auxiliary/scanner/http/files_dir编码

msf auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/files_dir
msf auxiliary(scanner/http/files_dir) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/files_dir) > run

WebDAV Unicode 编码身份验证绕过命令行

use auxiliary/scanner/http/dir_webdav_unicode_bypass日志

msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set THREADS 20
msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > run

Tomcat 管理登陆页面

use auxiliary/scanner/http/tomcat_mgr_login

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/tomcat_mgr_login) > run

基于 HTTP 方法的身份验证绕过

use auxiliary/scanner/http/verb_auth_bypass

msf > use auxiliary/scanner/http/verb_auth_bypass
msf auxiliary(scanner/http/verb_auth_bypass) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/verb_auth_bypass) > run

Wordpress 密码爆破

use auxiliary/scanner/http/wordpress_login_enum

msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 10.10.10.151
msf auxiliary(scanner/http/wordpress_login_enum) > run

9. wmap

WMAP WEB 应用扫描器
- 根据 sqlmap 的工做方式开发
- load wmap
- wmap_sites -a http://1.1.1.1
- wmap_targets -t http://1.1.1.1/mutillidae/index.php
- wmap_run -t # 列出全部模块
- wmap_run -e # 开始扫描
- wmap_vulns -l # 查看扫描出的漏洞
- vulns
```
msf > load wmap
msf > wmap_sites -h
msf > wmap_sites -a http://10.10.10.132
msf > wmap_targets -t http://10.10.10.132/mutillidae/index.php
msf > wmap_run -h
msf > wmap_run -t
msf > wmap_run -e
msf > wmap_vulns -l
```
```
msf > vulns
```

10. openvas

load openvas
- 命令行模式，须要配置，使用频繁
```
msf > load openvas 
msf > openvas_help
```
使用扫描器扫描以后生成报告
- msf 导入 nbe 格式扫描日志
- db_import openvas.nbe
```
msf > db_import 1.nbe
msf > vulns
```

11. MSF 直接调用 nessus 执行扫描

load nessus
nessus_help
nessus_connect admin:toor@1.1.1.1
nessus_policy_list
nessus_scan_new
nessus_report_list