
MSF Information Gathering

2023-01-04  今日头条  IT知识一享

Nmap scan

db_nmap -sV 192.168.1.0/24

 

Auxiliary scanner modules

Ways to specify targets (rhosts):
192.168.1.20-192.168.1.30  or  192.168.1.0/24,192.168.11.0/24 (scans two subnets)
file:/root/host.txt  (put the hosts to be scanned in a text file)
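The target formats listed above, expanded so that the exact address count and any block outside the authorized scope are visible before the spec is given to a scanner module. This is an added example, not part of the original article and not Metasploit's own parser; the function names, the scope list and the one-entry-per-line file layout are assumptions.

```python
import ipaddress

def expand_targets(spec):
    """Expand one target spec into a list of ip_network blocks."""
    spec = spec.strip()
    if spec.startswith("file:"):
        # file:/path form: one entry per line, blank lines ignored (assumption)
        with open(spec[len("file:"):]) as fh:
            lines = [ln.strip() for ln in fh if ln.strip()]
        return [blk for ln in lines for blk in expand_targets(ln)]
    blocks = []
    for part in spec.replace(",", " ").split():
        if "-" in part:
            # full start-end range, as written on this page
            first, last = (ipaddress.ip_address(p) for p in part.split("-", 1))
            if last < first:
                raise ValueError(f"reversed range: {part}")
            blocks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # single address or CIDR block
            blocks.append(ipaddress.ip_network(part, strict=False))
    return blocks

def host_count(spec):
    """Number of addresses the spec covers."""
    return sum(b.num_addresses for b in expand_targets(spec))

def out_of_scope(spec, authorized):
    """Blocks of the spec that are not fully inside any authorized network."""
    scope = [ipaddress.ip_network(n) for n in authorized]
    return [str(b) for b in expand_targets(spec)
            if not any(b.version == s.version and b.subnet_of(s) for s in scope)]

if __name__ == "__main__":
    AUTHORIZED = ["192.168.1.0/24"]   # constructed scope for the demo
    for spec in ("192.168.1.20-192.168.1.30", "192.168.1.0/24,192.168.11.0/24"):
        print(spec, host_count(spec), out_of_scope(spec, AUTHORIZED))
```

With the constructed scope, the second spec is flagged because 192.168.11.0/24 differs from the authorized 192.168.1.0/24 by a single digit.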

 

use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > set interface eth0
msf6 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.168.0.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 20
msf6 auxiliary(scanner/discovery/arp_sweep) > run

 

use auxiliary/scanner/portscan/syn 
msf6 auxiliary(scanner/portscan/syn) > set rhosts 114.115.165.18
msf6 auxiliary(scanner/portscan/syn) > set threads 50
run

 

Nmap IPID Idle scan

use auxiliary/scanner/ip/ipidseq
msf6 auxiliary(scanner/ip/ipidseq) > set rhosts 192.168.0.0/24
msf6 auxiliary(scanner/ip/ipidseq) > run
nmap -PN -sI 1.1.1.2 1.1.1.3  # -sI <idle (zombie) host> <target>

 

UDP scan

use auxiliary/scanner/discovery/udp_sweep
use auxiliary/scanner/discovery/udp_probe

 

Password sniffing

use auxiliary/sniffer/psnuffle

 

SNMP scan

vi /etc/default/snmpd  # on the test machine, change the listening address to 0.0.0.0
use auxiliary/scanner/snmp/snmp_login

 

use auxiliary/scanner/snmp/snmp_enum

 

use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/snmp_enumshares

 

SMB service scan

use auxiliary/scanner/smb/smb_version

 

use auxiliary/scanner/smb/pipe_auditor

 

use auxiliary/scanner/smb/pipe_dcerpc_auditor

 

use auxiliary/scanner/smb/smb_enumshares

 

use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_lookupsid

 

SSH service scan

use auxiliary/scanner/ssh/ssh_version

 

use auxiliary/scanner/ssh/ssh_login
set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt

 

use auxiliary/scanner/ssh/ssh_login_pubkey

 

System patches

use post/windows/gather/enum_patches
# this module has to be run through a session that has already been obtained

 

sql_server

use auxiliary/scanner/mssql/mssql_ping
use auxiliary/scanner/mssql/mssql_login
use auxiliary/admin/mssql/mssql_exec
  set CMD net user user pass /ADD

 

FTP

use auxiliary/scanner/ftp/ftp_version

 

# check whether anonymous login is allowed
use auxiliary/scanner/ftp/anonymous
# password cracking
use auxiliary/scanner/ftp/ftp_login