Information Gathering and Scanning with Metasploit

2024/11/13 12:45:38

Metasploit: information gathering and scanning

In this article we will cover the following:

Passive information gathering with Metasploit

Active information gathering with Metasploit

Port scanning with Nmap

Port scanning with db_nmap

Host discovery with ARP

UDP service probing

SMB scanning and enumeration

SSH version scanning

FTP scanning

SMTP enumeration

SNMP enumeration

HTTP scanning

WinRM scanning and brute forcing

Working with Nessus

Working with NeXpose

Working with OpenVAS

# Introduction

Information gathering is one of the first and most important tasks in a penetration test. The goal is to find as much information about the target as possible: the more we know, the better our chances of a successful compromise. In this phase our main job is to collect everything we can about the target machine, such as IP addresses, running services and open ports; this information underpins every later step of the engagement. To that end, this chapter walks through a range of scanning techniques, including SMB scanning, SSH service scanning, FTP scanning, SNMP enumeration, HTTP scanning, and WinRM scanning and brute forcing.

There are three main ways to gather information:

1. Passive information gathering: obtaining information about the target without connecting to it or touching it directly, which means relying on third-party sources. A whois lookup is the classic example. If the target is a public web service, whois and related public records give us its registrar, name servers, contact details and address blocks, from which IP addresses, related domains, subdomains and hosting location can be worked out.

2. Active information gathering: establishing a logical connection to the target to obtain information. This yields more detail and a better understanding of the target's security posture. Port scanning is the most common active technique; it probes the target's open ports and services.

3. Social engineering: similar to passive gathering, but aimed at human error, where information leaks through printouts, phone conversations, e-mail and so on. There are many techniques and the information collected varies widely, so social engineering is a discipline in its own right.

Victims of social engineering are tricked into releasing information they do not realize can be used to attack the corporate network. For example, an employee might be tricked into revealing her employee ID number to someone posing as a person she trusts. The number seems worthless to her, which is exactly why she gives it up so easily, but a social engineer can combine it with other collected information to find a way into the network much faster.

# 1. Passive information gathering with Metasploit

In this chapter we look in detail at both passive and active information-gathering techniques. We start with the passive techniques, which are among the most commonly used and most easily overlooked, and then concentrate on gathering information through port scanning. Metasploit has several built-in scanners, plus integrations with third-party tools that extend its port-scanning capabilities; we will use both. Let's begin.

Starting from a company's domain name, we will collect information about the company, enumerate subdomains, check for honeypots, harvest e-mail addresses, and more.

Metasploit ships with a number of information-gathering modules. This section covers a handful of them; you are encouraged to explore the rest on your own.

# DNS record scanning and enumeration

The DNS record scanner and enumerator module collects information about a domain from a given DNS server by issuing various DNS queries (zone transfers, reverse lookups, SRV records and so on).

1. The module lives under auxiliary. In msfconsole, the use command loads the module we want, here auxiliary/gather/enum_dns. After use auxiliary/gather/enum_dns, the info command shows the module's details: author, description, basic options and so on.

msf5 > use auxiliary/gather/enum_dns //switch to the enum_dns module
msf5 auxiliary(gather/enum_dns) > info //show module information

       Name: DNS Record Scanner and Enumerator
     Module: auxiliary/gather/enum_dns
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>
  Nixawk

Check supported:
  No

Basic options:
  Name         Current Setting                                              Required  Description
  ----         ---------------                                              --------  -----------
  DOMAIN                                                                    yes       The target domain
  ENUM_A       true                                                         yes       Enumerate DNS A record
  ENUM_AXFR    true                                                         yes       Initiate a zone transfer against each NS record
  ENUM_BRT     false                                                        yes       Brute force subdomains and hostnames via the supplied wordlist
  ENUM_CNAME   true                                                         yes       Enumerate DNS CNAME record
  ENUM_MX      true                                                         yes       Enumerate DNS MX record
  ENUM_NS      true                                                         yes       Enumerate DNS NS record
  ENUM_RVL     false                                                        yes       Reverse lookup a range of IP addresses
  ENUM_SOA     true                                                         yes       Enumerate DNS SOA record
  ENUM_SRV     true                                                         yes       Enumerate the most common SRV records
  ENUM_TLD     false                                                        yes       Perform a TLD expansion by replacing the TLD with the IANA TLD list
  ENUM_TXT     true                                                         yes       Enumerate DNS TXT record
  IPRANGE                                                                   no        The target address range or CIDR identifier
  NS                                                                        no        Specify the nameserver to use for queries (default is system DNS)
  STOP_WLDCRD  false                                                        yes       Stops bruteforce enumeration if wildcard resolution is detected
  THREADS      1                                                            no        Threads for ENUM_BRT
  WORDLIST     /usr/share/metasploit-framework/data/wordlists/namelist.txt  no        Wordlist of subdomains

Description:
  This module can be used to gather information about a domain from a
  given DNS server by performing various DNS queries such as zone
  transfers, reverse lookups, SRV record brute forcing, and other
  techniques.

References:
  https://cvedetails.com/cve/CVE-1999-0532/
  OSVDB (492)

msf5 auxiliary(gather/enum_dns) >

2. Set the domain to query and the number of threads, then run it.

msf5 auxiliary(gather/enum_dns) > set DOMAIN packtpub.com  //domain to query
DOMAIN => packtpub.com
msf5 auxiliary(gather/enum_dns) > set THREADS 10 //number of threads
THREADS => 10
msf5 auxiliary(gather/enum_dns) > run

[*] querying DNS NS records for packtpub.com                                                       
[+] packtpub.com NS: dns3.easydns.org.                                                             
[+] packtpub.com NS: dns4.easydns.info.                                                          
[+] packtpub.com NS: dns1.easydns.com.  
[+] packtpub.com NS: dns2.easydns.net.                
...                                                         
[*] Auxiliary module execution completed                                                                                                                 
msf5 auxiliary(gather/enum_dns) >                  

The output lists the DNS records that were retrieved.

The module can also be used for active information gathering: setting ENUM_BRT to true brute-forces subdomains and hostnames from a wordlist, which is selected with the WORDLIST option. Brute forcing sends a query per wordlist entry to the target's name servers, so it is no longer passive. STOP_WLDCRD is worth enabling so that a wildcard DNS entry does not make every guessed name appear to exist.
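
To make the wire-level side of this concrete, here is an added example, written for this page rather than taken from the article or from the enum_dns module: a minimal DNS encoder/decoder in pure Ruby that builds the NS query the module sends and parses the answer section of a reply, including the label compression that real servers use for repeated names. The reply bytes are constructed in the code (the easydns names mirror the output above) so the example runs offline; dns_build_query, dns_parse_response and the other names are this example's own.

```ruby
# Added example (not from the article or the enum_dns module): DNS wire format
# by hand. dns_build_query builds the query enum_dns sends for an NS lookup;
# dns_parse_response walks the answer section of a reply, following the
# compression pointers (0xC0xx) that real servers use for repeated names.

RR_TYPES = { 1 => 'A', 2 => 'NS', 5 => 'CNAME', 6 => 'SOA', 15 => 'MX', 16 => 'TXT' }.freeze

# "packtpub.com" -> "\x08packtpub\x03com\x00"
def dns_encode_name(name)
  name.split('.').map { |label| [label.bytesize, label].pack('Ca*') }.join + "\x00".b
end

# Header (id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) + one question, class IN.
# Flags 0x0100 = standard query, recursion desired.
def dns_build_query(name, qtype, id: 0x1234)
  [id, 0x0100, 1, 0, 0, 0].pack('n6') + dns_encode_name(name) + [qtype, 1].pack('nn')
end

# Read a possibly compressed name at +off+; returns [name, offset after it].
def dns_read_name(buf, off)
  labels = []
  after = nil
  hops = 0
  loop do
    len = buf.getbyte(off)
    if len >= 0xC0                       # pointer: 11xxxxxx xxxxxxxx
      raise 'compression loop' if (hops += 1) > 16
      after ||= off + 2                  # the pointer ends this name on the wire
      off = ((len & 0x3F) << 8) | buf.getbyte(off + 1)
    elsif len.zero?
      after ||= off + 1
      break
    else
      labels << buf[off + 1, len]
      off += len + 1
    end
  end
  [labels.join('.'), after]
end

# Return the answer records as {name:, type:, ttl:, data:} hashes.
def dns_parse_response(buf)
  _id, flags, qdcount, ancount = buf.unpack('n4')
  raise 'not a response' if (flags & 0x8000).zero?
  raise "server returned RCODE #{flags & 0x0F}" unless (flags & 0x0F).zero?
  off = 12
  qdcount.times { _name, off = dns_read_name(buf, off); off += 4 }   # skip QTYPE/QCLASS
  ancount.times.map do
    name, off = dns_read_name(buf, off)
    type, _klass, ttl, rdlen = buf[off, 10].unpack('nnNn')
    off += 10
    data = case type
           when 1     then buf[off, 4].unpack('C4').join('.')
           when 2, 5  then dns_read_name(buf, off).first
           when 15    then "#{buf[off, 2].unpack1('n')} #{dns_read_name(buf, off + 2).first}"
           else            buf[off, rdlen].unpack1('H*')
           end
    off += rdlen
    { name: name, type: RR_TYPES.fetch(type, type.to_s), ttl: ttl, data: data }
  end
end

# Constructed reply (not a capture): two NS answers whose owner name is a
# pointer back to the question name at offset 12, as a server would send it.
def sample_ns_response
  question = dns_encode_name('packtpub.com') + [2, 1].pack('nn')
  answers = %w[dns1.easydns.com dns2.easydns.net].map do |ns|
    rdata = dns_encode_name(ns)
    "\xC0\x0C".b + [2, 1, 3600, rdata.bytesize].pack('nnNn') + rdata
  end
  [0x1234, 0x8180, 1, answers.size, 0, 0].pack('n6') + question + answers.join
end

if __FILE__ == $0
  dns_parse_response(sample_ns_response).each do |r|
    puts "#{r[:name]} #{r[:type]}: #{r[:data]} (ttl #{r[:ttl]})"
  end
end
```

The RCODE check matters for the brute-force mode: NXDOMAIN (RCODE 3) is the normal answer for a guessed name that does not exist, while a wildcard zone answers every guess with RCODE 0 and the same address, which is what STOP_WLDCRD looks for.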

# CorpWatch company name lookup

Collecting corporate information is just as necessary. The CorpWatch company name lookup module, auxiliary/gather/corpwatch_lookup_name, retrieves a company's name, address, sector and industry. It talks to the CorpWatch API to fetch the publicly available information for a given company name.

API registration: http://api.corpwatch.org

Switch to auxiliary/gather/corpwatch_lookup_name, set the company name and the number of results to display:

msf5 > use auxiliary/gather/corpwatch_lookup_name 
msf5 auxiliary(gather/corpwatch_lookup_name) > set COMPANY_NAME Microsoft
COMPANY_NAME => Microsoft
msf5 auxiliary(gather/corpwatch_lookup_name) > set LIMIT 1
LIMIT => 1
msf5 auxiliary(gather/corpwatch_lookup_name) > run

[*] Company Information
---------------------------------
[*] CorpWatch (cw) ID): cw_4803
[*] Company Name: MICROSOFT CORP
[*] Address: ONE MICROSOFT WAY, REDMOND WA 98052-6399
[*] Sector: Business services
[*] Industry: Services-prepackaged software
[*] Auxiliary module execution completed
msf5 auxiliary(gather/corpwatch_lookup_name) > 

Tip: this site is blocked in mainland China; configure a proxy if you cannot reach the service.

# Search engine subdomain collector

Collecting subdomains is a good way to find new targets, and the search engine subdomain collector module does exactly that.

Module name: auxiliary/gather/searchengine_subdomains_collector

It queries Yahoo and Bing for the subdomains of a domain.

Switch to the module, set the domain to query and run it:

msf5 > use auxiliary/gather/searchengine_subdomains_collector
msf5 auxiliary(gather/searchengine_subdomains_collector) > set TARGET packtpub.com
TARGET => packtpub.com
msf5 auxiliary(gather/searchengine_subdomains_collector) > run

[*] Searching Bing for subdomains from domain:packtpub.com
[*] Searching Yahoo for subdomains from domain:packtpub.com
[+] domain:packtpub.com subdomain: subscription.packtpub.com
[*] Searching Bing for subdomains from ip:54.171.32.62
[*] Searching Yahoo for subdomains from ip:54.171.32.62
[+] ip:54.171.32.62 subdomain: niobase.com
[+] ip:54.171.32.62 subdomain: demandpeoples.vote
[*] Searching Bing for subdomains from ip:34.240.217.226
[-] ip:34.240.217.226 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from ip:34.240.217.226
[+] ip:34.240.217.226 subdomain: www.snp.org
[+] ip:34.240.217.226 subdomain: answerthepublic.com
[*] Searching Bing for subdomains from ip:34.243.45.171
[-] ip:34.243.45.171 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from ip:34.243.45.171
[*] Searching Bing for subdomains from ip:34.248.41.77
[*] Searching Yahoo for subdomains from ip:34.248.41.77
[+] ip:34.248.41.77 subdomain: www.buzzi.space
[+] ip:34.248.41.77 subdomain: www.bookishfirst.com
[+] ip:34.248.41.77 subdomain: www.vizlib.com
[+] ip:34.248.41.77 subdomain: www.alphacodeincubate.club
[+] ip:34.248.41.77 subdomain: www.appliedmldays.org
[+] ip:34.248.41.77 subdomain: www.accessable.co.uk
[*] Searching Bing for subdomains from ip:34.254.137.88
[-] ip:34.254.137.88 - getaddrinfo: Name or service not known
[*] Searching Yahoo for subdomains from ip:34.254.137.88

The module has turned up several new targets. Note that the IP-based searches return every site hosted on the same address, so names such as www.snp.org above merely share infrastructure with packtpub.com rather than belonging to it; confirm ownership before treating them as in scope.

We have covered a few basic modules; now let's move on to some more powerful tools.

# Censys search

Censys is an Internet-wide device search engine. It scans hosts and websites on the Internet daily with ZMap and ZGrab, continuously monitoring every publicly reachable server and device.

The Censys search module queries Censys through its REST API and can retrieve information on well over a million websites and devices.

Tip: to use the Censys search module, register at https://censys.io to obtain an API ID and secret.

msf5 > use auxiliary/gather/censys_search
msf5 auxiliary(gather/censys_search) > set CENSYS_DORK packtpub.com //target site
CENSYS_DORK => packtpub.com
msf5 auxiliary(gather/censys_search) > set CENSYS_SEARCHTYPE ipv4 //search type
CENSYS_SEARCHTYPE => ipv4
msf5 auxiliary(gather/censys_search) > set CENSYS_SECRET l5xZ******Z4xzVmIPZ0P //Censys API secret
CENSYS_SECRET => l5xZa0zJ*******VlCZ4xzVmIPZ0P
msf5 auxiliary(gather/censys_search) > set CENSYS_UID 24d813a********c1b3e80c9e //Censys API ID
CENSYS_UID => 24d813a******2-89c1b3e80c9e
msf5 auxiliary(gather/censys_search) > run

[+] 109.234.207.108 - 443/https,80/http
[+] 109.234.207.108 - 443/https,80/http
[+] 34.253.81.66 - 443/https,80/http
[+] 34.253.81.66 - 443/https,80/http
[+] 123.252.235.122 - 443/https
[+] 109.234.200.116 - 443/https
[+] 83.166.169.240 - 443/https,22/ssh,80/http
......
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 67.198.37.17 - 443/https,80/http,25/smtp,53/dns
[+] 172.104.243.217 - 80/http
[+] 66.42.34.69 - 443/https,80/http
[+] 66.42.34.69 - 443/https,80/http
[*] Auxiliary module execution completed
msf5 auxiliary(gather/censys_search) > 

A large amount of IP address and port information was collected.

# Shodan search engine

Shodan is a commercial Internet device search engine. It lets you search service banners and device metadata such as location, hostname and operating system.

Tip: likewise, to use the Shodan search module, register at https://www.shodan.io to obtain an API key.

msf5 > use auxiliary/gather/shodan_search 
msf5 auxiliary(gather/shodan_search) > set QUERY hostname:packtpub.com //target query
QUERY => hostname:packtpub.com
msf5 auxiliary(gather/shodan_search) > set SHODAN_APIKEY SDaE*******ABKTxJ3 //Shodan API key
SHODAN_APIKEY => SDaEijF******dudxCABKTxJ3
msf5 auxiliary(gather/shodan_search) > run

[*] Total: 3 on 1 pages. Showing: 1 page(s)
[*] Collecting data, please wait...

Search Results
==============

 IP:Port             City        Country         Hostname
 -------             ----        -------         --------
 83.166.169.228:80   Nottingham  United Kingdom  packtpub.com
 83.166.169.248:443  Nottingham  United Kingdom  imap.packtpub.com
 83.166.169.248:80   Nottingham  United Kingdom  imap.packtpub.com

[*] Auxiliary module execution completed

The Shodan search module gives us more information about the target, such as IP addresses, open ports and location.

# Shodan honeypot check

Checking whether a target is a honeypot avoids wasting time on it, or being blocked for attacking it. The Shodan Honeyscore Client module asks Shodan to rate the target; the result is a score between 0 and 1, and the closer it is to 1, the more likely the host is a honeypot.

msf5 > use auxiliary/gather/shodan_honeyscore 
msf5 auxiliary(gather/shodan_honeyscore) > set SHODAN_APIKEY SDa******CABKTxJ3
SHODAN_APIKEY => SDaEij*****xCABKTxJ3
msf5 auxiliary(gather/shodan_honeyscore) > set TARGET 83.166.169.248
TARGET => 83.166.169.248
msf5 auxiliary(gather/shodan_honeyscore) > run

[*] Scanning 83.166.169.248
[-] 83.166.169.248 is not a honeypot
[*] 83.166.169.248 honeyscore: 0.0/1.0
[*] Auxiliary module execution completed
msf5 auxiliary(gather/shodan_honeyscore) > 

# E-mail address collection

Harvesting e-mail addresses is a routine part of a penetration test: it shows the target's footprint on the Internet and feeds later brute-force and phishing activity.

The auxiliary/gather/search_email_collector module uses search engines to find e-mail addresses associated with the target.

msf5 > use auxiliary/gather/search_email_collector 
msf5 auxiliary(gather/search_email_collector) > set DOMAIN packtpub.com
DOMAIN => packtpub.com
msf5 auxiliary(gather/search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from packtpub.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from packtpub.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from packtpub.com
[*] Extracting emails from Yahoo search results...
[*] Located 3 email addresses for packtpub.com
....
[*] Auxiliary module execution completed

As the output shows, the module searches Google, Bing and Yahoo for e-mail addresses associated with the target.

# 2. Active information gathering with Metasploit

Active information gathering is generally done through scanning. From this point on we interact with the target directly over a logical connection.

Port scanning is an interesting information-gathering process that digs deeper into the target system. Because an active port scan touches the target directly, it can be detected by firewalls and intrusion detection systems.

The Metasploit framework offers a variety of port-scanning modules that let us probe a target precisely. The search portscan command lists them:

msf5 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   1  auxiliary/scanner/http/wordpress_pingback_access                   normal  Yes    Wordpress Pingback Locator
   2  auxiliary/scanner/natpmp/natpmp_portscan                           normal  Yes    NAT-PMP External Port Scanner
   3  auxiliary/scanner/portscan/ack                                     normal  Yes    TCP ACK Firewall Scanner
   4  auxiliary/scanner/portscan/ftpbounce                               normal  Yes    FTP Bounce Port Scanner
   5  auxiliary/scanner/portscan/syn                                     normal  Yes    TCP SYN Port Scanner
   6  auxiliary/scanner/portscan/tcp                                     normal  Yes    TCP Port Scanner
   7  auxiliary/scanner/portscan/xmas                                    normal  Yes    TCP "XMas" Port Scanner
   8  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner

# TCP port scan

Let's start with the TCP port scan module and see what we can learn about the target.

The module to use is auxiliary/scanner/portscan/tcp.

Tip: we run this module against our own lab network. Observe local laws and regulations, and do not scan Internet hosts you are not authorised to test.

msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.177.0/24 //target network
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/portscan/tcp) > set THREADS 100 //number of threads
THREADS => 100
THREADS => 100
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.177.1:        - 192.168.177.1:22 - TCP OPEN
[+] 192.168.177.1:        - 192.168.177.1:21 - TCP OPEN

Tip: scanner modules take RHOSTS (a range or CIDR covering a whole network) rather than RHOST (a single host).

With any Metasploit module, show options lists every configurable option and show missing lists the required options that are still unset.

msf5 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > show missing

Module options (auxiliary/scanner/portscan/tcp):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier

msf5 auxiliary(scanner/portscan/tcp) > 
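
What the tcp module does per port, as an added example written for this page (not the module's own code): a small threaded TCP connect scanner in Ruby with the same knobs, PORTS, CONCURRENCY and TIMEOUT, that classifies each port as open, closed or filtered from how the connect attempt succeeds or fails. To stay self-contained it scans loopback: demo_scan starts a listener on one ephemeral port and picks a second port that was bound and released, so nothing listens on it. tcp_scan, probe_tcp and the other names are this example's own.

```ruby
# Added example (not from the article or Metasploit): a TCP connect scanner
# with the semantics of auxiliary/scanner/portscan/tcp. The OS completes the
# three-way handshake for us, which is why this needs no privileges and why
# the listening application may log the connection.
require 'socket'

# "22-25,80,110" -> [22, 23, 24, 25, 80, 110]
def parse_ports(spec)
  spec.split(',').flat_map do |part|
    first, last = part.split('-').map(&:to_i)
    last ? (first..last).to_a : [first]
  end.uniq.sort
end

# One probe. ECONNREFUSED means the host answered with RST (closed); a
# timeout or unreachable error means nothing came back (filtered).
def probe_tcp(host, port, timeout_ms)
  Socket.tcp(host, port, connect_timeout: timeout_ms / 1000.0) { :open }
rescue Errno::ECONNREFUSED
  :closed
rescue SystemCallError                  # ETIMEDOUT, EHOSTUNREACH, ENETUNREACH, ...
  :filtered
end

# Worker pool: +concurrency+ threads pull ports from a shared queue.
def tcp_scan(host, ports, concurrency: 10, timeout_ms: 1000)
  queue = Queue.new
  ports.each { |p| queue << p }
  queue.close                           # pop returns nil once the queue drains
  results = {}
  lock = Mutex.new
  Array.new(concurrency) do
    Thread.new do
      while (port = queue.pop)
        state = probe_tcp(host, port, timeout_ms)
        lock.synchronize { results[port] = state }
      end
    end
  end.each(&:join)
  results
end

# Self-contained run on loopback: one listening port, one port that was
# bound and released so that nothing listens on it.
def demo_scan
  listener = TCPServer.new('127.0.0.1', 0)
  open_port = listener.addr[1]
  scratch = TCPServer.new('127.0.0.1', 0)
  closed_port = scratch.addr[1]
  scratch.close
  results = tcp_scan('127.0.0.1', [open_port, closed_port], concurrency: 2, timeout_ms: 500)
  listener.close
  { open_port => results[open_port], closed_port => results[closed_port] }
end

if __FILE__ == $0
  demo_scan.each { |port, state| puts "127.0.0.1:#{port} - TCP #{state.to_s.upcase}" }
end
```

Against a real network, the filtered result is the one to watch: a port that neither accepts nor refuses within TIMEOUT is usually behind a firewall, and a large filtered count with THREADS set high can also mean the scanner is being rate-limited, so re-run the suspicious ports with a longer TIMEOUT before drawing conclusions.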

# TCP SYN scan

A SYN scan is faster than a plain TCP connect scan because it never completes the three-way handshake, and it can evade some firewalls and intrusion detection systems. Because it crafts raw packets, the module needs root privileges.

The module is auxiliary/scanner/portscan/syn; the port range must be specified.

msf5 > use auxiliary/scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set INTERFACE eth0 //network interface
INTERFACE => eth0
msf5 auxiliary(scanner/portscan/syn) > set PORTS 1-10000 //port range
PORTS => 1-10000
msf5 auxiliary(scanner/portscan/syn) > set THREADS 256 //number of threads
THREADS => 256
msf5 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.177.0/24 //target network
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/portscan/syn) > run

# 3. Port scanning with Nmap

Nmap is the network scanner of choice for security professionals. We will work through its scanning techniques from basic to advanced.

You can run Nmap directly from msfconsole. To get the results into the Metasploit database, however, write an XML report with the -oX option and import it with the db_import command.
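
What db_import reads out of that XML, as an added example written for this page (not Metasploit's importer): a parser for Nmap's -oX report, using REXML from the Ruby standard library, that extracts the address, MAC, hostname, OS match and open services per live host. The XML is a constructed sample shaped like the 192.168.177.144 results in this chapter, not a saved scan; parse_nmap_xml and xml_attr are this example's own names.

```ruby
# Added example (not from the article or Metasploit): parse an Nmap -oX
# report with the standard-library REXML parser.
require 'rexml/document'

# Constructed sample, modelled on the chapter's Metasploitable3 results.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.177.144" version="7.70">
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="192.168.177.144" addrtype="ipv4"/>
      <address addr="00:0C:29:D7:02:F6" addrtype="mac" vendor="VMware"/>
      <hostnames><hostname name="metasploitable3" type="PTR"/></hostnames>
      <ports>
        <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd"/></port>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.1"/></port>
        <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
        <port protocol="tcp" portid="8585"><state state="open"/><service name="http" product="Apache httpd" version="2.2.21"/></port>
      </ports>
      <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="95"/></os>
    </host>
    <host>
      <status state="down" reason="no-response"/>
      <address addr="192.168.177.150" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

# First matching child element's attribute, or nil when absent.
def xml_attr(parent, xpath, attr)
  el = parent.elements[xpath]
  el && el.attributes[attr]
end

# One hash per live host; only open ports become services, which is what you
# want in the database for the scanner modules used later in the chapter.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  doc.elements.each('nmaprun/host') do |host|
    next unless xml_attr(host, 'status', 'state') == 'up'
    services = []
    host.elements.each('ports/port') do |port|
      next unless xml_attr(port, 'state', 'state') == 'open'
      services << {
        port:  port.attributes['portid'].to_i,
        proto: port.attributes['protocol'],
        name:  xml_attr(port, 'service', 'name'),
        info:  [xml_attr(port, 'service', 'product'), xml_attr(port, 'service', 'version')].compact.join(' ')
      }
    end
    hosts << {
      address:  xml_attr(host, "address[@addrtype='ipv4']", 'addr'),
      mac:      xml_attr(host, "address[@addrtype='mac']", 'addr'),
      name:     xml_attr(host, 'hostnames/hostname', 'name'),
      os:       xml_attr(host, 'os/osmatch', 'name'),
      services: services
    }
  end
  hosts
end

if __FILE__ == $0
  parse_nmap_xml(SAMPLE_NMAP_XML).each do |h|
    puts "#{h[:address]} (#{h[:mac]}) #{h[:os]}"
    h[:services].each { |s| puts format('  %-5d %s %-8s %s', s[:port], s[:proto], s[:name], s[:info]) }
  end
end
```

Keeping the XML (rather than only the grepable -oG or plain output) is what makes the import lossless: the service product and version strings, the OS match and the MAC all survive, and they are exactly the fields the hosts and services tables show later.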

1. Start msfconsole and type nmap:

msf5 > nmap
[*] exec: nmap

Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping

2. TCP connect scan, option -sT. This is the most basic scan, and Nmap's default when it runs without root privileges: it completes the TCP three-way handshake with every probed port on the target.

msf5 > nmap -sT 192.168.177.144                                              
[*] exec: nmap -sT 192.168.177.144                                           
                                                                             
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:20 CST              
Nmap scan report for 192.168.177.144                                         
Host is up (0.00044s latency).                                               
Not shown: 990 filtered ports                                                
PORT      STATE SERVICE                                                      
21/tcp    open  ftp                                                          
22/tcp    open  ssh                                                          
80/tcp    open  http                                                         
4848/tcp  open  appserv-http                                                 
8022/tcp  open  oa-system                                                    
8080/tcp  open  http-proxy                                                   
8383/tcp  open  m2mservices                                                  
9200/tcp  open  wap-wsp                                                      
49153/tcp open  unknown                                                      
49154/tcp open  unknown                                                      
MAC Address: 00:0C:29:D7:02:F6 (VMware)                                      
                                                                             
Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds                  
msf5 >                                                                       

Tip: when no port range is given, Nmap scans the 1000 most common ports.

3. TCP SYN scan, option -sS. A SYN scan never completes the three-way handshake, hence the name half-open scan, and is regarded as the stealthier technique. It is Nmap's default when run as root.

msf5 > nmap -sS 192.168.177.144 -p 22-5000
[*] exec: nmap -sS 192.168.177.144 -p 22-5000

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:29 CST
Nmap scan report for 192.168.177.144
Host is up (0.00037s latency).
Not shown: 4975 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1617/tcp open  nimrod-agent
4848/tcp open  appserv-http
MAC Address: 00:0C:29:D7:02:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds
msf5 >

In most cases a TCP connect scan and a SYN scan give similar results; the difference is that the SYN scan is harder for firewalls and IDS to spot, although nearly all modern firewalls can detect SYN scans as well. The -p option sets the port range to scan.

4. UDP scan, option -sU, identifies open UDP ports. For most ports Nmap sends an empty UDP datagram (a protocol-specific payload for a few well-known ports) and judges the port state from the reply, or from the ICMP error message if one comes back.

msf5 > nmap -sU 192.168.177.144
[*] exec: nmap -sU 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 12:36 CST
Nmap scan report for 192.168.177.144
Host is up (0.00035s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 00:0C:29:D7:02:F6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 16.36 seconds
msf5 >

Tip: without a port range, Nmap scans the 1000 most common UDP ports.

We have looked at three Nmap scan types that are very useful in a penetration test. Nmap offers many more; here we concentrate on these three: TCP connect scan, SYN stealth scan and UDP scan. Nmap's options can be combined for more advanced and complex scans of a target.

Scanning delivers a lot of useful results, and the information it gathers is the foundation of the rest of the test, so it is strongly recommended that you understand the scan types well. Let's take a closer look at the techniques we just used.

The TCP connect scan is the most basic technique. It establishes a full TCP connection with the target using the operating system's networking stack: the scanner sends a SYN packet; if the port is open, the target answers with SYN/ACK; the scanner then sends an ACK and the connection is established. This is the three-way handshake. The connection is closed immediately after it opens. The technique has its advantages, but it is easily detected by firewalls and IDS, and the completed connection is usually logged by the application listening on the port.

A SYN scan is another kind of TCP scan, but it never establishes a full connection. Instead of the operating system's socket API it crafts raw IP packets and watches the responses. If the port is open the target replies with SYN/ACK and the scanner sends a RST to tear the embryonic connection down; if the port is closed the target replies with RST. This is why it is also called a half-open scan. It is considered a stealth technique and avoids detection by some firewalls and IDS.

A UDP scan is a connectionless technique: an open UDP service is under no obligation to reply, so the scanner usually gets nothing back from an open port. If the port is closed, the target returns an ICMP port-unreachable message; if nothing comes back, the scanner can only report the port as open|filtered. A firewall that silently drops the probe produces the same silence, which is why UDP results are ambiguous and a port that is merely filtered can end up reported as open.
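
As an added example for these three paragraphs (written for this page, not taken from the article or from Nmap), here is the part of a SYN scanner that sits below the socket API: building the raw TCP SYN segment with its pseudo-header checksum, and turning the reply, or the lack of one, into open/closed/filtered, plus the same decision for UDP from the ICMP type and code. Only constructed bytes are used; sending the segment would need a raw socket and root, which the example deliberately stops short of. tcp_segment, syn_scan_state, udp_scan_state and the constants are this example's own names.

```ruby
# Added example (not from the article or Nmap): a SYN segment and the
# scan-state decisions described above, on constructed bytes only.

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

# RFC 1071 Internet checksum: ones-complement sum of 16-bit words.
def inet_checksum(data)
  data = data.b
  data += "\x00".b if data.bytesize.odd?
  sum = data.unpack('n*').sum
  sum = (sum & 0xFFFF) + (sum >> 16) while sum > 0xFFFF
  (~sum) & 0xFFFF
end

def ip4_pack(addr)
  addr.split('.').map(&:to_i).pack('C4')
end

# The TCP checksum covers a pseudo-header (src, dst, zero, protocol 6,
# TCP length) followed by the segment itself.
def tcp_pseudo_header(src_ip, dst_ip, tcp_len)
  ip4_pack(src_ip) + ip4_pack(dst_ip) + [0, 6, tcp_len].pack('CCn')
end

# 20-byte TCP header, no options: data offset 5 words, checksum filled last.
def tcp_segment(src_ip, dst_ip, sport, dport, flags:, seq: 0, ack: 0, window: 1024)
  header = [sport, dport, seq, ack, 5 << 4, flags, window, 0, 0].pack('nnNNCCnnn')
  csum = inet_checksum(tcp_pseudo_header(src_ip, dst_ip, header.bytesize) + header)
  header[16, 2] = [csum].pack('n')
  header
end

# A receiver sums pseudo-header + segment (checksum included); it must be 0.
def tcp_checksum_valid?(src_ip, dst_ip, segment)
  inet_checksum(tcp_pseudo_header(src_ip, dst_ip, segment.bytesize) + segment).zero?
end

def tcp_flags(segment)
  segment.getbyte(13)
end

# Half-open scan logic: SYN/ACK -> open (the scanner then sends RST),
# RST -> closed, silence (or an ICMP unreachable) -> filtered.
def syn_scan_state(reply_flags)
  return :filtered if reply_flags.nil?
  return :open if (reply_flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)
  return :closed if (reply_flags & TCP_RST) != 0
  :filtered
end

# UDP has no handshake. A datagram back proves a listener; ICMP type 3 code 3
# proves "closed"; other unreachable codes mean a filter; silence is ambiguous.
def udp_scan_state(icmp_header = nil, payload: nil)
  return :open if payload
  return :'open|filtered' if icmp_header.nil?
  type, code = icmp_header.unpack('CC')
  return :'open|filtered' unless type == 3
  return :closed if code == 3
  [1, 2, 9, 10, 13].include?(code) ? :filtered : :'open|filtered'
end

if __FILE__ == $0
  syn = tcp_segment('192.168.177.10', '192.168.177.144', 40000, 22, flags: TCP_SYN)
  puts "SYN to :22    -> #{syn.unpack1('H*')}"
  puts "SYN/ACK back  -> #{syn_scan_state(TCP_SYN | TCP_ACK)}"
  puts "RST/ACK back  -> #{syn_scan_state(TCP_RST | TCP_ACK)}"
  puts "no UDP reply  -> #{udp_scan_state(nil)}"
end
```

Because the checksum is computed over the pseudo-header, a segment is only valid for the exact source and destination addresses it was built for; that is also why a SYN scanner that spoofs or decoys its source must recompute the checksum per decoy.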

Let's explore Nmap further and learn how to combine different scan types.

# OS and version detection

Beyond port scanning, Nmap offers advanced options that reveal more about a target. One of the most widely used is OS detection, -O, which identifies the target's operating system by fingerprinting its TCP/IP stack.

The OS detection scan produced the following:

msf5 > nmap -O 192.168.177.144
[*] exec: nmap -O 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:12 CST
Nmap scan report for 192.168.177.144
Host is up (0.00035s latency).
Not shown: 990 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
4848/tcp  open  appserv-http
8022/tcp  open  oa-system
8080/tcp  open  http-proxy
8383/tcp  open  m2mservices
9200/tcp  open  wap-wsp
49153/tcp open  unknown
49154/tcp open  unknown
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone
Running: Microsoft Windows 2008|8.1|7|Phone|Vista
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.51 seconds

As you can see, Nmap identified the target's operating system family. Note the warning: with no closed port in the scanned range the fingerprint is less reliable, which is why the match spans several Windows releases.

Another widely used advanced option is service version detection, -sV, which can be combined with the scan options above:

msf5 > nmap -sV 192.168.177.144
[*] exec: nmap -sV 192.168.177.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:17 CST
Nmap scan report for 192.168.177.144
Host is up (0.00043s latency).
Not shown: 990 filtered ports
PORT      STATE SERVICE           VERSION
21/tcp    open  ftp               Microsoft ftpd
22/tcp    open  ssh               OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http              Microsoft IIS httpd 7.5
4848/tcp  open  ssl/appserv-http?
8022/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
8080/tcp  open  http              Sun GlassFish Open Source Edition  4.0
8383/tcp  open  ssl/http          Apache httpd
9200/tcp  open  http              Elasticsearch REST API 1.1.1 (name: Turac; Lucene 4.7)
49153/tcp open  msrpc             Microsoft Windows RPC
49154/tcp open  msrpc             Microsoft Windows RPC
MAC Address: 00:0C:29:D7:02:F6 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.54 seconds
msf5 >

# Decoy scanning

Sometimes a scan has to be less conspicuous. Firewall and IDS logs record the source IP of every probe, and Nmap's -D option adds confusion.

This option does not stop the firewall or IDS from logging your IP; it only muddies the picture by adding other IP addresses, making it look as if several hosts are attacking. With two decoy IPs, for example, the firewall or IDS log shows packets from three different addresses: yours and the two decoys you added.

msf5 > nmap -sT 192.168.177.144 -D 192.168.177.34,192.168.177.56

Here the addresses after -D are decoys. They appear alongside your real address in the target's network logs, which confuses the defenders because they cannot tell which of the three senders is real. Do not add too many decoys, though, or the scan results suffer; a handful of addresses is enough. Note that decoys only work with raw-packet scans such as -sS: a connect scan (-sT) goes through the operating system's socket stack and cannot forge its source address, so the command above should use -sS for the decoys to take effect.

# 4. Port scanning with db_nmap

The advantage of db_nmap is that results are stored directly in the Metasploit database, with no need for db_import.

db_nmap is part of msfconsole, so just start msfconsole and use it. Its arguments are the same as the standalone nmap command line.

Chapter 1 covered the basics of db_nmap, so here we look at some of its more advanced features. The following example shows several of them in use:

msf5 > db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 192.168.177.144 -p -

-Pn: skip host discovery

-sTV: TCP connect scan with service version detection (-sT plus -sV)

-T4: timing template; speeds up the scan

--open: show only open ports

--min-parallelism: minimum number of probes sent in parallel

--version-all: try every probe against every port for the most specific version information

-p -: scan all ports (1-65535)

The output is as follows:

msf5 > db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 192.168.177.144 -p -
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 13:41 CST
[*] Nmap: Nmap scan report for 192.168.177.144
[*] Nmap: Host is up (0.00059s latency).
[*] Nmap: Not shown: 65516 filtered ports
[*] Nmap: Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
[*] Nmap: PORT      STATE SERVICE           VERSION
[*] Nmap: 21/tcp    open  ftp               Microsoft ftpd
[*] Nmap: 22/tcp    open  ssh               OpenSSH 7.1 (protocol 2.0)
[*] Nmap: 80/tcp    open  http              Microsoft IIS httpd 7.5
[*] Nmap: 1617/tcp  open  rmiregistry       Java RMI
[*] Nmap: 4848/tcp  open  ssl/appserv-http?
[*] Nmap: 5985/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: 8020/tcp  open  http              Apache httpd
[*] Nmap: 8022/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: 8027/tcp  open  unknown
[*] Nmap: 8080/tcp  open  http              Sun GlassFish Open Source Edition  4.0
[*] Nmap: 8282/tcp  open  http              Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: 8383/tcp  open  ssl/http          Apache httpd
[*] Nmap: 8484/tcp  open  http              Jetty winstone-2.8
[*] Nmap: 8585/tcp  open  http              Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
[*] Nmap: 9200/tcp  open  http              Elasticsearch REST API 1.1.1 (name: Turac; Lucene 4.7)
[*] Nmap: 49153/tcp open  msrpc             Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc             Microsoft Windows RPC
[*] Nmap: 49207/tcp open  rmiregistry       Java RMI
[*] Nmap: 49209/tcp open  tcpwrapped
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 593.00 seconds
msf5 >

# Nmap Scripting Engine

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features and turns Nmap into a vulnerability scanner. NSE ships with more than 600 scripts, grouped into categories ranging from non-intrusive to intrusive, such as brute forcing, exploitation and denial of service. On Kali they live in /usr/share/nmap/scripts; locate *.nse finds them as well.

root@osboxes:~# locate *.nse
/usr/share/nmap/scripts/targets-xml.nse
/usr/share/nmap/scripts/teamspeak2-version.nse
/usr/share/nmap/scripts/telnet-brute.nse
/usr/share/nmap/scripts/telnet-encryption.nse
/usr/share/nmap/scripts/telnet-ntlm-info.nse
/usr/share/nmap/scripts/tftp-enum.nse
/usr/share/nmap/scripts/tls-alpn.nse
/usr/share/nmap/scripts/tls-nextprotoneg.nse
/usr/share/nmap/scripts/tls-ticketbleed.nse
/usr/share/nmap/scripts/tn3270-screen.nse
/usr/share/nmap/scripts/tor-consensus-checker.nse
/usr/share/nmap/scripts/traceroute-geolocation.nse
/usr/share/nmap/scripts/tso-brute.nse
/usr/share/nmap/scripts/tso-enum.nse
/usr/share/nmap/scripts/unittest.nse
/usr/share/nmap/scripts/unusual-port.nse

The usage is:

nmap --script <scriptname> <host ip>

The same works with db_nmap. Let's use NSE scripts to look for HTTP/HTTPS weaknesses on the target:

msf5 > db_nmap --open -sTV -Pn -p 80,8020,8022,8080,8282,8383,8484,8585,9200 --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,ssl-poodle,ssl-heartbleed,http-webdav-scan,http-iis-webdav-vuln 192.168.177.144
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-12 14:03 CST                           
[*] Nmap: Nmap scan report for 192.168.177.144
[*] Nmap: Host is up (0.00052s latency).  
[*] Nmap: PORT     STATE SERVICE  VERSION  
[*] Nmap: 80/tcp   open  http     Microsoft IIS httpd 7.5 
[*] Nmap: | http-methods:   
[*] Nmap: |   Supported Methods: OPTIONS TRACE GET HEAD POST
[*] Nmap: |_  Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Microsoft-IIS/7.5
[*] Nmap: | http-vhosts:
[*] Nmap: |_127 names had status 200
[*] Nmap: 8020/tcp open  http     Apache httpd
[*] Nmap: |_http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
[*] Nmap: | http-methods:
[*] Nmap: |   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
[*] Nmap: |_  Potentially risky methods: PUT DELETE
[*] Nmap: |_http-server-header: Apache
[*] Nmap: | http-vhosts:

The output shows that the target's HTTP services allow some dangerous methods: TRACE on IIS (port 80) and PUT and DELETE on Apache (port 8020). The http-vhosts result on port 80, where all 127 guessed names returned 200, means the server answers every Host header the same way, so it is not evidence of 127 real virtual hosts.
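
The check that http-methods performs, reduced to its essentials as an added example (written for this page, not Nmap's script): send OPTIONS, read the Allow header, and intersect it with a list of methods worth flagging. The response is a constructed sample modelled on the Apache answer above rather than a capture, and the risky-method list is this example's own (Nmap flagged TRACE, PUT and DELETE above; the WebDAV verbs are added here because the same scan ran http-webdav-scan).

```ruby
# Added example (not from the article or Nmap): the http-methods check by
# hand. Parse an HTTP OPTIONS response, read Allow, flag risky methods.

# Nmap flagged TRACE, PUT and DELETE above; the WebDAV verbs are added here
# because they also allow writing to or rearranging the document tree.
RISKY_HTTP_METHODS = %w[PUT DELETE TRACE CONNECT PROPFIND PROPPATCH MKCOL COPY MOVE].freeze

# Constructed sample (not a capture), modelled on the Apache result above.
SAMPLE_OPTIONS_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Date: Fri, 12 Apr 2019 06:03:11 GMT',
  'Server: Apache',
  'Allow: GET,HEAD,POST,PUT,DELETE,OPTIONS',
  'Content-Length: 0',
  '', ''
].join("\r\n")

# The request a scanner sends; Host is mandatory in HTTP/1.1.
def options_request(host, path = '/')
  "OPTIONS #{path} HTTP/1.1\r\nHost: #{host}\r\nConnection: close\r\n\r\n"
end

# Split status line and headers. Header names are case-insensitive, so they
# are normalised to lower case; repeated headers are folded with commas.
def parse_http_response(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  status_line, *header_lines = head.split("\r\n")
  status = status_line.split(' ', 3)[1].to_i
  headers = {}
  header_lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    key = name.strip.downcase
    headers[key] = [headers[key], value.strip].compact.join(', ')
  end
  [status, headers]
end

# Methods the server claims to accept, upper-cased and de-duplicated.
def http_allowed_methods(raw)
  status, headers = parse_http_response(raw)
  return [] unless status == 200 && headers['allow']
  headers['allow'].split(',').map { |m| m.strip.upcase }.reject(&:empty?).uniq
end

def http_risky_methods(raw)
  http_allowed_methods(raw) & RISKY_HTTP_METHODS
end

def http_server_header(raw)
  parse_http_response(raw).last['server']
end

if __FILE__ == $0
  puts "Supported Methods: #{http_allowed_methods(SAMPLE_OPTIONS_RESPONSE).join(' ')}"
  puts "Potentially risky methods: #{http_risky_methods(SAMPLE_OPTIONS_RESPONSE).join(' ')}"
  puts "Server: #{http_server_header(SAMPLE_OPTIONS_RESPONSE)}"
end
```

Allow is only the server's claim: a listed PUT may still be rejected by authentication or by the handler for that path, which is why the scan above also ran http-method-tamper. Treat the intersection as a lead to verify with a harmless request (for example a PUT of a small file under a test directory, agreed with the client), not as a finding in itself.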

# 5. ARP-based host discovery

ARP requests enumerate the live hosts on the local network and give us a simple, fast way to identify targets.

When the attacker and the target are on the same LAN, an ARP scan discovers hosts reliably, because a host must answer ARP to communicate at all, even if it ignores ICMP pings.

1. Use the ARP sweep module (auxiliary/scanner/discovery/arp_sweep), set the target range and the number of threads, then run it.

msf5 > use auxiliary/scanner/discovery/arp_sweep
msf5 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/discovery/arp_sweep) > run

[+] 192.168.177.1 appears to be up (VMware, Inc.).
[+] 192.168.177.2 appears to be up (VMware, Inc.).
[+] 192.168.177.144 appears to be up (VMware, Inc.).
[+] 192.168.177.254 appears to be up (VMware, Inc.).
[+] 192.168.177.2 appears to be up (VMware, Inc.).
[+] 192.168.177.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/arp_sweep) >

2. If the database is connected, the results are stored in it, and the hosts command lists the hosts discovered so far. The listing also contains the public addresses (34.x and 54.x) found earlier by the subdomain collector, since every module writes to the same workspace.

msf5 auxiliary(scanner/discovery/arp_sweep) > hosts

Hosts
=====

address          mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---                ----  -------  ---------  -----  -------  ----  --------
34.240.217.226
34.248.41.77
54.171.32.62
192.168.177.1    00:50:56:c0:00:08        Unknown                    device
192.168.177.2    00:50:56:fa:c4:65
192.168.177.139  00:0c:29:c6:a9:e5        Unknown                    device
192.168.177.142  00:0c:29:92:63:8c        Linux               2.6.X  server
192.168.177.144  00:0c:29:d7:02:f6        Unknown                    device
192.168.177.254  00:50:56:ec:3c:cf
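
What arp_sweep puts on the wire, as an added example written for this page (not the module's code): the 42-byte Ethernet/ARP request sent for every address in RHOSTS, the parser for the replies, and the reduction to the "appears to be up (mac)" table above. Frames are built and parsed in memory; sending them would need a packet socket and root. arp_frame, arp_sweep_requests and the other names are this example's own, and the Metasploitable3 MAC is the one from the scan output above.

```ruby
# Added example (not from the article or Metasploit): Ethernet/ARP frames as
# arp_sweep sends and receives them. Raw sockets are not touched here.
require 'ipaddr'

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = 'ff:ff:ff:ff:ff:ff'
ZERO_MAC = '00:00:00:00:00:00'

def mac_pack(mac)
  mac.split(':').map { |h| h.to_i(16) }.pack('C6')
end

def mac_unpack(bytes)
  bytes.unpack('C6').map { |b| format('%02x', b) }.join(':')
end

def ip4_pack(ip)
  ip.split('.').map(&:to_i).pack('C4')
end

# Ethernet II header (14 bytes) + ARP body (28 bytes). A request goes to the
# broadcast MAC with the target MAC zeroed; a reply is unicast.
def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip)
  dst = op == ARP_REQUEST ? BROADCAST_MAC : target_mac
  eth = mac_pack(dst) + mac_pack(sender_mac) + [ETH_P_ARP].pack('n')
  arp = [1, 0x0800, 6, 4, op].pack('nnCCn') +     # HTYPE Ethernet, PTYPE IPv4
        mac_pack(sender_mac) + ip4_pack(sender_ip) +
        mac_pack(target_mac) + ip4_pack(target_ip)
  eth + arp
end

# Decode a frame; nil unless it carries ARP.
def parse_arp(frame)
  return nil unless frame.bytesize >= 42 && frame[12, 2].unpack1('n') == ETH_P_ARP
  {
    op:         frame[20, 2].unpack1('n'),
    sender_mac: mac_unpack(frame[22, 6]),
    sender_ip:  frame[28, 4].unpack('C4').join('.'),
    target_mac: mac_unpack(frame[32, 6]),
    target_ip:  frame[38, 4].unpack('C4').join('.')
  }
end

# One request per address in the range, which is what the module does for RHOSTS.
def arp_sweep_requests(my_mac, my_ip, cidr)
  IPAddr.new(cidr).to_range.map do |ip|
    arp_frame(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, ip.to_s)
  end
end

# Reduce captured frames to {ip => mac} for every host that answered.
def arp_sweep_results(frames)
  frames.map { |f| parse_arp(f) }.compact
        .select { |a| a[:op] == ARP_REPLY }
        .map { |a| [a[:sender_ip], a[:sender_mac]] }.to_h
end

if __FILE__ == $0
  # Constructed reply from the Metasploitable3 host seen in the scan above.
  reply = arp_frame(ARP_REPLY, '00:0c:29:d7:02:f6', '192.168.177.144', '00:0c:29:aa:bb:cc', '192.168.177.10')
  arp_sweep_results([reply]).each { |ip, mac| puts "#{ip} appears to be up (#{mac})" }
end
```

Keying the result table on the sender IP is also why the module printed 192.168.177.2 and 192.168.177.254 twice above: each host replied more than once, and a real sweep should de-duplicate the way the hash here does.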

# 6. UDP service identification

The UDP service sweep module lets us detect UDP services on the target. UDP is connectionless, so probing it is harder than TCP, but the module sends application-specific probes (NetBIOS, SNMP and others) and reports every service that answers, which can reveal useful information.

Select auxiliary/scanner/discovery/udp_sweep, set the target range and run the scan:

msf5 > use auxiliary/scanner/discovery/udp_sweep
msf5 auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/discovery/udp_sweep) > run

[*] Sending 13 probes to 192.168.177.0->192.168.177.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.177.144:137 (METASPLOITABLE3:<20>:U :METASPLOITABLE3:<00>:U :WORKGROUP:<00>:G :00:0c:29:d7:02:f6)
[*] Discovered SNMP on 192.168.177.144:161 (Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free))
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/udp_sweep) >
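
One of the 13 probes udp_sweep sends is a NetBIOS name-status (NBSTAT) query to UDP/137, which is where the METASPLOITABLE3:<20>:U line above comes from. As an added example written for this page (not Metasploit's code), here is that 50-byte query and a parser for the reply, producing the same name:<suffix>:U|G list and MAC the module prints. The reply bytes are constructed to match the scan output; nbstat_query, parse_nbstat_reply and sample_nbstat_reply are this example's own names.

```ruby
# Added example (not from the article or Metasploit): the NetBIOS Name
# Service status probe behind udp_sweep's "Discovered NetBIOS" line.
NBNS_NBSTAT = 0x21

# First-level encoding: the 16-byte name is split into nibbles, each
# written as a letter 'A'..'P', giving a 32-character label.
def nbns_encode_name(name)
  padded = name.ljust(16, "\x00")
  label = padded.each_byte.map { |b| ((b >> 4) + 0x41).chr + ((b & 0x0F) + 0x41).chr }.join
  [label.bytesize, label].pack('Ca*') + "\x00".b
end

# DNS-style header + question for the wildcard name "*", type NBSTAT, class IN.
def nbstat_query(txid = 0x1337)
  [txid, 0x0000, 1, 0, 0, 0].pack('n6') + nbns_encode_name('*') + [NBNS_NBSTAT, 1].pack('nn')
end

# Returns [names, mac]; names look like "METASPLOITABLE3:<20>:U".
def parse_nbstat_reply(buf)
  _txid, flags, _qd, an = buf.unpack('n4')
  return nil unless (flags & 0x8000) != 0 && an >= 1   # must be a response
  off = 12
  len = buf.getbyte(off)
  off += len >= 0xC0 ? 2 : len + 2                     # pointer, or label + terminator
  type, _klass, _ttl, _rdlen = buf[off, 10].unpack('nnNn')
  return nil unless type == NBNS_NBSTAT
  off += 10
  count = buf.getbyte(off)
  off += 1
  names = Array.new(count) do
    raw, nflags = buf[off, 18].unpack('a16n')
    off += 18
    suffix = raw.getbyte(15)                             # 16th byte is the service suffix
    group = (nflags & 0x8000) != 0                       # bit 15: group name
    format('%s:<%02x>:%s', raw[0, 15].rstrip, suffix, group ? 'G' : 'U')
  end
  mac = buf[off, 6].unpack('C6').map { |b| format('%02x', b) }.join(':')
  [names, mac]
end

# Constructed reply (not a capture) matching the scan output above.
def sample_nbstat_reply
  entries = [['METASPLOITABLE3', 0x20, 0x0400],
             ['METASPLOITABLE3', 0x00, 0x0400],
             ['WORKGROUP',       0x00, 0x8400]]
  rdata = [entries.size].pack('C')
  entries.each { |name, suffix, nflags| rdata << name.ljust(15) << suffix.chr << [nflags].pack('n') }
  rdata << [0x00, 0x0c, 0x29, 0xd7, 0x02, 0xf6].pack('C6') << ("\x00" * 40)   # MAC + statistics
  [0x1337, 0x8400, 0, 1, 0, 0].pack('n6') + nbns_encode_name('*') +
    [NBNS_NBSTAT, 1, 0, rdata.bytesize].pack('nnNn') + rdata
end

if __FILE__ == $0
  names, mac = parse_nbstat_reply(sample_nbstat_reply)
  puts "Discovered NetBIOS: #{names.join(' :')} :#{mac}"
end
```

The suffix is the useful part for targeting: <20> means the file server service is running, <00> the workstation service, and a group name (G) with suffix <00> is the workgroup or domain the host belongs to, which feeds directly into the SMB enumeration in the next section.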

# 7. SMB scanning and enumeration

Over the years SMB, the network file-sharing protocol used by Microsoft Windows, has proved to be one of the most frequently attacked protocols: it lets an attacker enumerate files and users and, through implementation flaws, has repeatedly led to remote code execution.

The SMB share enumeration module can be run without credentials and may collect valuable information such as share names and the operating system version. On this host the unauthenticated attempt produces no shares, only a negotiation failure on port 139.

Module name: auxiliary/scanner/smb/smb_enumshares

msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 192.168.177.144:139   - Login Failed: Unable to Negotiate with remote host
[*] 192.168.177.144:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The SMB share enumeration module is also very useful in later attack phases: given credentials, it can easily enumerate shares and file listings.

msf5 auxiliary(scanner/smb/smb_enumshares) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_enumshares) > set SMBPASS vagrant
SMBPASS => vagrant
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumshares) > set ShowFiles true
ShowFiles => true
msf5 auxiliary(scanner/smb/smb_enumshares) > set SpiderShares true
SpiderShares => true
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[-] 192.168.177.144:139   - Login Failed: Unable to Negotiate with remote host
[+] 192.168.177.144:445   - ADMIN$ - (DS) Remote Admin
[+] 192.168.177.144:445   - C$ - (DS) Default share
[+] 192.168.177.144:445   - IPC$ - (I) Remote IPC
[*] 192.168.177.144:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumshares) >

Metasploit provides several other SMB scanning modules; let's look at how they are used.

3. The SMB version detection module detects the SMB version

msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_version) > run

[+] 192.168.177.144:445   - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:METASPLOITABLE3) (workgroup:WORKGROUP )
[*] 192.168.177.144:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

4. The user enumeration module lists which users exist via the SAM RPC service

msf5 > use auxiliary/scanner/smb/smb_enumusers
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_enumusers) > set SMBPASS vagrant
SMBPASS => vagrant
msf5 auxiliary(scanner/smb/smb_enumusers) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 192.168.177.144:445   - METASPLOITABLE3 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leah_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )
[*] 192.168.177.144:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) >

5. The SMB login check module tests SMB logins

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_login) > set SMBUSER vagrant
SMBUSER => vagrant
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE /root/password.lst
PASS_FILE => /root/password.lst
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.177.144:445   - 192.168.177.144:445 - Starting SMB login bruteforce
[-] 192.168.177.144:445   - 192.168.177.144:445 - Failed: '.\vagrant:admin',
[-] 192.168.177.144:445   - 192.168.177.144:445 - Failed: '.\vagrant:admin123',
[+] 192.168.177.144:445   - 192.168.177.144:445 - Success: '.\vagrant:vagrant' Administrator
[*] 192.168.177.144:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >

6. The MS17-010 (EternalBlue) vulnerability detection module

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.177.144:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.177.144:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >

7. The remaining modules all live under auxiliary/scanner/smb/; press TAB to list them. You can study them one by one; they are not covered individually here.

msf5 > use auxiliary/scanner/smb/
use auxiliary/scanner/smb/impacket/dcomexec      
use auxiliary/scanner/smb/smb1                   
use auxiliary/scanner/smb/smb_login
.....         

# 8. SSH Version Scanning and Detection

SSH is a widely used remote login program. It uses strong cryptography to provide authentication and confidentiality. In this section we use the SSH version scanner module to determine which SSH version the target runs and whether that version is vulnerable; if it is, we can exploit it.

In the earlier scans we found TCP port 22, the default SSH port, open on the target machine. We use the SSH version probe module to get the version of SSH running on the target system.

1. Module name: auxiliary/scanner/ssh/ssh_version

msf5 > use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/ssh/ssh_version) > run

[+] 192.168.177.144:22    - SSH server version: SSH-2.0-OpenSSH_7.1 ( service.version=7.1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.1 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.177.144:22    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_version) >

Of course, the RHOSTS option can also be set to a network range to scan an entire subnet.

Once we have the version information, we can search for vulnerabilities affecting that version.

2. To test common passwords against SSH, use the SSH login check module

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/ssh/ssh_login) > set USERNAME user
USERNAME => user
msf5 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/password.lst
PASS_FILE => /root/password.lst
msf5 auxiliary(scanner/ssh/ssh_login) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

3. If a login succeeds, use sessions to list the sessions and interact with the target

msf5 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

No active sessions.

# 9. FTP Scanning

The FTP version scanner module lets us detect the FTP version running on every FTP service in the network.

1. Use the auxiliary/scanner/ftp/ftp_version module, set the scan range and the thread count, then run the scan.

msf5 > use auxiliary/scanner/ftp/ftp_version
msf5 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.177.0/24
RHOSTS => 192.168.177.0/24
msf5 auxiliary(scanner/ftp/ftp_version) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/ftp/ftp_version) > run

[+] 192.168.177.1:21      - FTP Banner: '220 Serv-U FTP Server v15.0 ready...\x0d\x0a'
[+] 192.168.177.144:21    - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] 192.168.177.0/24:21   - Scanned  78 of 256 hosts (30% complete)
[*] 192.168.177.0/24:21   - Scanned 123 of 256 hosts (48% complete)
[*] 192.168.177.0/24:21   - Scanned 125 of 256 hosts (48% complete)
[*] 192.168.177.0/24:21   - Scanned 129 of 256 hosts (50% complete)
[*] 192.168.177.0/24:21   - Scanned 130 of 256 hosts (50% complete)
[*] 192.168.177.0/24:21   - Scanned 255 of 256 hosts (99% complete)
[*] 192.168.177.0/24:21   - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ftp/ftp_version) >

2. As with the earlier scans, the results are saved to the database; use the services command to view the services detected so far.

msf5 auxiliary(scanner/ftp/ftp_version) > services
Services
========
host             port   proto  name              state  info
----             ----   -----  ----              -----  ----
192.168.177.1    21     tcp    ftp               open   220 Serv-U FTP Server v15.0 ready...\x0d\x0a
192.168.177.144  21     tcp    ftp               open   220 Microsoft FTP Service\x0d\x0a
192.168.177.144  22     tcp    ssh               open   SSH-2.0-OpenSSH_7.1
192.168.177.144  80     tcp    http              open   Microsoft IIS httpd 7.5
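The SSH section above says that once a version is known we can search for vulnerabilities in it; the added Python example below (not part of the original page or of Metasploit) parses the services table above and maps its banners to CPE 2.3 URI identifiers, the form ssh_version reports as service.cpe23. The banner rule table is an assumption of this example: the OpenSSH entry is the one ssh_version printed, the Serv-U and IIS entries are illustrative and should be checked against the NVD CPE dictionary before use.

```python
import re

# Constructed sample: the `services` table printed by msfconsole above, pasted as text.
SAMPLE_SERVICES = r"""
Services
========

host             port   proto  name              state  info
----             ----   -----  ----              -----  ----
192.168.177.1    21     tcp    ftp               open   220 Serv-U FTP Server v15.0 ready...\x0d\x0a
192.168.177.144  21     tcp    ftp               open   220 Microsoft FTP Service\x0d\x0a
192.168.177.144  22     tcp    ssh               open   SSH-2.0-OpenSSH_7.1
192.168.177.144  80     tcp    http              open   Microsoft IIS httpd 7.5
192.168.177.144  135    tcp    epmap             open
"""

# Banner -> CPE 2.3 URI rules. Assumed for this example: the OpenSSH rule matches the
# cpe23 value ssh_version printed above; the Serv-U and IIS names are illustrative and
# must be verified against the NVD CPE dictionary before you rely on them.
BANNER_RULES = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(?P<v>[\d.]+)"), "cpe:/a:openbsd:openssh:{v}"),
    (re.compile(r"^220 Serv-U FTP Server v(?P<v>[\d.]+)"), "cpe:/a:solarwinds:serv-u:{v}"),
    (re.compile(r"^Microsoft IIS httpd (?P<v>[\d.]+)"), "cpe:/a:microsoft:iis:{v}"),
    # The Microsoft FTP banner discloses no version, so only the product can be named.
    (re.compile(r"^220 Microsoft FTP Service"), "cpe:/a:microsoft:iis"),
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_services(text):
    """Parse the fixed-width `services` table into dicts; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)            # info may contain spaces: split at most 5 times
        if len(parts) < 5 or not IPV4.match(parts[0]):
            continue
        host, port, proto, name, state = parts[:5]
        info = parts[5] if len(parts) == 6 else ""
        info = re.sub(r"(\\x0d|\\x0a)+$", "", info).strip()   # drop the escaped CRLF msf prints
        rows.append({"host": host, "port": int(port), "proto": proto,
                     "name": name, "state": state, "info": info})
    return rows


def banner_to_cpe(info):
    """Return the CPE for a banner, or None when no rule matches."""
    for pattern, template in BANNER_RULES:
        m = pattern.search(info)
        if m:
            return template.format(**m.groupdict())
    return None


def inventory(text):
    """Open services from the table, each with a CPE attached where the banner allows it."""
    result = []
    for row in parse_services(text):
        if row["state"] != "open":
            continue
        row["cpe"] = banner_to_cpe(row["info"])
        result.append(row)
    return result


if __name__ == "__main__":
    for entry in inventory(SAMPLE_SERVICES):
        print(f'{entry["host"]}:{entry["port"]}/{entry["proto"]}  {entry["cpe"] or "(no CPE from banner)"}')
```

The resulting CPE strings are what you feed to a CVE lookup (NVD search, a CPE-to-CVE tool) or compare against your asset inventory; a service with no CPE needs a version probe before it can be matched.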

# 10. SMTP Enumeration

The SMTP service has two built-in commands that allow user enumeration: VRFY (confirms that a username is valid) and EXPN (shows the actual address of a user, an alias or a mailing list).

The SMTP user enumeration module uses these SMTP commands to enumerate a list of valid users.

By default, the SMTP enumeration module uses unix_users.txt (located in /usr/share/metasploit-framework/data/wordlists/) as its wordlist; you can also specify your own wordlist file. Switch to the auxiliary/scanner/smtp/smtp_enum module, set the target and the thread count, then start it.

msf5 > use auxiliary/scanner/smtp/smtp_enum                                                        
msf5 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.177.145                               
RHOSTS => 192.168.177.145                         
msf5 auxiliary(scanner/smtp/smtp_enum) > set THREADS 256  
THREADS => 256                                      
msf5 auxiliary(scanner/smtp/smtp_enum) > run        
[*] 192.168.177.145:25    - 192.168.177.145:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)                                             
[+] 192.168.177.145:25    - 192.168.177.145:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data   
[*] 192.168.177.145:25    - Scanned 1 of 1 hosts (100% complete)       
[*] Auxiliary module execution completed             
msf5 auxiliary(scanner/smtp/smtp_enum) >  

The output lists the valid SMTP users on the Metasploitable 2 target.

# 11. SNMP Enumeration

The Simple Network Management Protocol (SNMP) is used to manage network devices, for example to monitor device status, interface details and the throughput of network interfaces. An SNMP scanner can uncover a great deal of information about a given system. In this section we learn how to use it.

Metasploit has a built-in auxiliary module dedicated to scanning SNMP devices. Before attacking, you need to understand how it works. First, the community strings (read-only/read-write) determine what kind of information can be read from, or modified on, the device itself. The Management Information Base (MIB) interface then lets us query the device and extract that information.

Tip: if the target is a Windows system with SNMP configured (usually with RO/RW community strings), we can extract all sorts of valuable information: system uptime, the user names on the system, its network configuration, the running services, and more.

When querying over SNMP, device information is extracted through the MIB API. Metasploit loads a default list of MIBs into its database and uses them to query the device for further information.

1. The SNMP login module logs in to the target system using the public community string.

msf5 > use auxiliary/scanner/snmp/snmp_login
msf5 auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.177.144,145
RHOSTS => 192.168.177.144,145
msf5 auxiliary(scanner/snmp/snmp_login) > run

[+] 192.168.177.144:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/snmp/snmp_login) >

2. The SNMP enumeration module gathers information such as ports, services, hostname and processes.

msf5 > use auxiliary/scanner/snmp/snmp_enum
msf5 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/snmp/snmp_enum) > run
[+] 192.168.177.144, Connected.
[*] System information:
Host IP                       : 192.168.177.144
Hostname                      : metasploitable3
Description                   : Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free)
Contact                       : -
Location                      : -
Uptime snmp                   : 01:18:04.40
Uptime system                 : 01:16:09.69
System date                   : 2019-4-12 16:44:05.7
[*] User accounts:
["sshd"]
["Guest"]
["greedo"]
["vagrant"]
["han_solo"]
["kylo_ren"]
["boba_fett"]
["chewbacca"]
["ben_kenobi"]
.....
[*] Network information:
IP forwarding enabled         : no
Default TTL                   : 128
TCP segments received         : 70121
TCP segments sent             : 70024
TCP segments retrans          : 23
Input datagrams               : 634
Delivered datagrams           : 825
....
[*] Network interfaces:

Interface                     : [ up ] Software Loopback Interface 1
Id                            : 1
Mac Address                   : :::::
....
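What snmp_login and snmp_enum do on the wire, as an added Python example (not Metasploit code): an SNMPv1 GetRequest for sysDescr.0 encoded by hand in BER, and the GetResponse decoded back into the text the module printed above as Proof. The reply used offline is constructed here with the sysDescr string from the output above; `snmp_get` is a hypothetical helper that sends the same request over UDP/161, which is what you would point at one of your own devices to confirm it no longer answers the default community string.

```python
import socket

# sysDescr.0, the object snmp_login printed above as "Proof"
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"
# sysDescr text from the scan output above, used to construct the offline reply
SAMPLE_SYS_DESCR = ("Hardware: Intel64 Family 6 Model 94 Stepping 3 AT/AT COMPATIBLE - "
                    "Software: Windows Version 6.1 (Build 7601 Multiprocessor Free)")


def _ber_len(n):
    # definite-form length: short form below 128, long form (0x8N + N octets) above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _encode_int(value):
    # INTEGER in minimal two's complement; only non-negative values are needed here
    if value == 0:
        return _tlv(0x02, b"\x00")
    size = (value.bit_length() + 8) // 8          # one spare bit keeps the sign clear
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version(0), community, GetRequest-PDU [0] }"""
    varbind = _tlv(0x30, encode_oid(oid) + b"\x05\x00")      # { OID, NULL }
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                                  # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_get_response(packet):
    """Return (community, error_status, {oid: value}) from a GetResponse message."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != 0xA2:                                      # GetResponse-PDU is [2]
        raise ValueError("unexpected PDU tag 0x%02x" % pdu_tag)
    _, _rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    values, pos = {}, 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid_raw, inner = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, inner)
        # OCTET STRING values are returned as text, any other type as raw bytes
        values[decode_oid(oid_raw)] = val.decode("utf-8", "replace") if vtag == 0x04 else val
    return community.decode(), int.from_bytes(err, "big", signed=True), values


def build_get_response(community, oid, text, request_id=1):
    """Constructed agent reply (PDU tag [2]) so the decoder can be exercised offline."""
    varbind = _tlv(0x30, encode_oid(oid) + _tlv(0x04, text.encode()))
    pdu = _tlv(0xA2, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(0) + _tlv(0x04, community.encode()) + pdu)


def snmp_get(host, community="public", oid=SYS_DESCR_OID, timeout=2.0):
    """Hypothetical helper: one GetRequest to UDP/161; None if the agent does not answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid), (host, 161))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_get_response(data)
```

A device that has had the default community removed returns nothing (SNMPv1 agents silently drop requests with an unknown community), so `snmp_get` returning None is the outcome you want to see from your own hardening.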

# 12. HTTP Scanning

The Hypertext Transfer Protocol (HTTP) is an application-layer protocol and the foundation of communication on the World Wide Web. It is used by countless applications, from Internet of Things (IoT) devices to mobile apps, which also makes it a good place to look for vulnerabilities.

The HTTP SSL certificate checker module inspects the web server's certificate.

The robots.txt content scanner module looks for a robots.txt file and analyzes its contents.

If the server accepts unauthorized PUT requests, arbitrary web pages can be written into the site directory, which can lead to execution of malicious code or to the server being filled with junk data, causing a denial of service.

The Jenkins-CI HTTP scanner module enumerates unauthenticated Jenkins-CI services.

1. Check the target's HTTP SSL certificate

msf5 > use auxiliary/scanner/http/cert
msf5 auxiliary(scanner/http/cert) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/cert) > set RPORT 8383
RPORT => 8383
msf5 auxiliary(scanner/http/cert) > run

[*] 192.168.177.144:8383  - 192.168.177.144 - 'Desktop Central' : '2010-09-08 12:24:44 UTC' - '2020-09-05 12:24:44 UTC'
[*] 192.168.177.144:8383  - Scanned 1 of 1 hosts (100% complete)

2. Check the robots.txt file

msf5 > use auxiliary/scanner/http/robots_txt
msf5 auxiliary(scanner/http/robots_txt) > set PATH /mutillidae
PATH => /mutillidae
msf5 auxiliary(scanner/http/robots_txt) > set RHOSTS 192.168.177.145
RHOSTS => 192.168.177.145
msf5 auxiliary(scanner/http/robots_txt) > run

[*] [192.168.177.145] /mutillidae/robots.txt found
[+] Contents of Robots.txt:
User-agent: *
Disallow: ./passwords/
Disallow: ./config.inc
Disallow: ./classes/
Disallow: ./javascript/
Disallow: ./owasp-esapi-php/
Disallow: ./documentation/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/robots_txt) >

3. The HTTP Writable Path PUT/DELETE File Access module uploads and deletes content on the web server using PUT and DELETE requests.

msf5 > use auxiliary/scanner/http/http_put
msf5 auxiliary(scanner/http/http_put) > set PATH /uploads
PATH => /uploads
msf5 auxiliary(scanner/http/http_put) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/http_put) > set RPORT 8585
RPORT => 8585
msf5 auxiliary(scanner/http/http_put) > run

[+] File uploaded: http://192.168.177.144:8585/uploads/msf_http_put_test.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_put) >

4. The Jenkins-CI scanner module

msf5 > use auxiliary/scanner/http/jenkins_enum
msf5 auxiliary(scanner/http/jenkins_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/http/jenkins_enum) > set RPORT 8484
RPORT => 8484
msf5 auxiliary(scanner/http/jenkins_enum) > set TARGETURI /
TARGETURI => /
msf5 auxiliary(scanner/http/jenkins_enum) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

# 13. WinRM Scanning and Brute Forcing

Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol, a standard SOAP-based, firewall-friendly protocol that lets hardware and operating systems from different vendors interoperate.

The WinRM authentication method detection module sends HTTP/HTTPS requests to the target to determine whether it is a WinRM service and, if so, which authentication methods it supports.

The smb_login module can recover the target's login credentials. We can then use the WinRM command runner module to test whether Windows commands can be run through the WinRM service with them.

1. WinRM authentication method detection

msf5 > use auxiliary/scanner/winrm/winrm_auth_methods
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > run

[+] 192.168.177.144:5985: Negotiate protocol supported
[+] 192.168.177.144:5985: Basic protocol supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_auth_methods) >

2. Using the WinRM command runner module

msf5 > use auxiliary/scanner/winrm/winrm_cmd
msf5 auxiliary(scanner/winrm/winrm_cmd) > set CMD hostname
CMD => hostname
msf5 auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
USER => Administrator
msf5 auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD vagrant
PASSWORD => vagrant
msf5 auxiliary(scanner/winrm/winrm_cmd) > run

[+] 192.168.177.144:5985 : metasploitable3

[+] Results saved to /root/.msf4/loot/20190412172543_default_192.168.177.144_winrm.cmd_result_858044.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_cmd) >

As the output shows, we successfully executed a command on the target machine.

# 14. Using Nessus with Metasploit

So far we have covered the basics of port scanning and learned how to use Nmap, and by studying several other tools we have improved our scanning and information-gathering skills further. Next we introduce a few more tools for scanning the services and ports available on a target; these tools also help us determine what kinds of vulnerabilities a particular service or port may have.

Nessus is one of the most widely used vulnerability scanners: it discovers vulnerabilities by scanning a target and generates detailed reports, which makes it a very useful tool in penetration testing. You can use its GUI, or use it from within the Metasploit console. This book focuses on using it from msfconsole.

To use Nessus you first need to register on the Nessus website and obtain a license. You can use Nessus Home; this license is free and allows you to scan a personal home network (fewer than 16 IP addresses). Then download the installer package and install it. On Kali, download the .deb package and install it with dpkg -i.

Home license registration page: https://www.tenable.com/products/nessus-home

Fill in the registration details and complete the registration; you are then redirected to the download page.

Download the 32-bit or 64-bit build according to your system.

The activation key is sent to your mailbox; keep it safe.

Once the download finishes, install it:

root@osboxes:~# cd ~/Downloads/
root@osboxes:~/Downloads# ls
bettercap  bettercap_linux_amd64_2.2.zip  libpcap-1.8.1  libpcap-1.8.1.tar.gz  Nessus-8.3.1-debian6_amd64.deb
root@osboxes:~/Downloads# dpkg -i Nessus-8.3.1-debian6_amd64.deb //install
Selecting previously unselected package nessus.
(Reading database ... 435326 files and directories currently installed.)
Preparing to unpack Nessus-8.3.1-debian6_amd64.deb ...
Unpacking nessus (8.3.1) ...
Setting up nessus (8.3.1) ...
Unpacking Nessus Scanner Core Components...

 - You can start Nessus Scanner by typing /etc/init.d/nessusd start
 - Then go to https://osboxes:8834/ to configure your scanner

Processing triggers for systemd (241-1) ...
root@osboxes:~/Downloads#

After installation, start the Nessus service

root@osboxes:~/Downloads# systemctl start nessusd.service

As the installer suggests, open https://osboxes:8834/ or https://127.0.0.1:8834 in a browser to configure it

1. Set a username and password:

2. Choose Home, Professional or Manager, and enter the activation key to activate the license.

3. After activation, Nessus installs a series of components; wait for this to finish (it takes a while, so be patient)

Once that completes, we can move on to the next step.

1. Load the nessus plugin in msfconsole.

msf5 > load nessus //load the nessus plugin
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: Nessus
msf5 >

2. Enter the nessus_help command to see the available commands and their help text

msf5 > nessus_help

Command                     Help Text
-------                     ---------
Generic Commands
-----------------           -----------------
nessus_connect              Connect to a Nessus server
nessus_logout               Logout from the Nessus server
nessus_login                Login into the connected Nesssus server with a different username and password
nessus_save                 Save credentials of the logged in user to nessus.yml
nessus_help                 Listing of available nessus commands
nessus_server_properties    Nessus server properties such as feed type, version, plugin set and server UUID.
nessus_server_status        Check the status of your Nessus Server
nessus_admin                Checks if user is an admin
nessus_template_list        List scan or policy templates
nessus_folder_list          List all configured folders on the Nessus server
nessus_scanner_list         List all the scanners configured on the Nessus server
Nessus Database Commands

3. Connect to the Nessus server with the nessus_connect NessusUser:NessusPassword@127.0.0.1 command.

msf5 > nessus_connect nessusroot:Passw0rd@127.0.0.1 //connect to the Nessus server
[*] Connecting to https://127.0.0.1:8834/ as nessusroot
[*] User nessusroot authenticated successfully.
msf5 >

4. Use nessus_policy_list to list all scan policies on the Nessus server. If there are none, create a policy in the web UI first.

msf5 > nessus_policy_list
[-] No policies found
msf5 >

It reports that there are no policies, so let's create one

We create a new Basic Network Scan policy

Configure the relevant parameters and click Save

Back in msfconsole, run nessus_policy_list again and the policy now shows up

msf5 > nessus_policy_list
Policy ID  Name       Policy UUID
---------  ----       -----------
4          PenTest01  731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65

msf5 >

5. To create a Nessus scan, first check the command help with nessus_scan_new --help:

msf5 > nessus_scan_new --help                                                             
[*] Usage:                                                                                
[*] nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>                  
[*] Use nessus_policy_list to list all available policies with their corresponding UUIDs  
msf5 >                                                                                    

6. Create the scan

msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 Metasploitable3 Windows_Machine 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called Metasploitable3 - Windows_Machine and scanning 192.168.177.144
[*] New scan added
[-] Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass

Call stack:
/usr/share/metasploit-framework/plugins/nessus.rb:979:in `cmd_nessus_scan_new'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:522:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:473:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:49:in `<main>'
msf5 >

This run fails with: Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass. This is because, starting with Nessus 7, remote API calls are authenticated, which causes the Metasploit call to fail. A fix is currently pending.

Workaround: Nessus Plugin unable to create new scan · Issue #11117 · rapid7/metasploit-framework · GitHub https://github.com/rapid7/metasploit-framework/issues/11117

With that applied, the scan is created successfully:

msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 test test 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called test - test and scanning 192.168.177.144
[*] New scan added
[*] Use nessus_scan_launch 6 to launch the scan
Scan ID  Scanner ID  Policy ID  Targets          Owner
-------  ----------  ---------  -------          -----
6        1           5          192.168.177.144  nessusroot

msf5 >

7. Use nessus_scan_list to view the list of scans and their status

msf5 > nessus_scan_list                             
Scan ID  Name  Owner       Started  Status  Folder  
-------  ----  -----       -------  ------  ------  
6        test  nessusroot           empty   3       
                                                    
msf5 >                                              

8. Launch the scan with nessus_scan_launch <Scan ID>

msf5 > nessus_scan_launch 6
[+] Scan ID 6 successfully launched. The Scan UUID is 67d8e87c-17a6-7693-0b41-666f40291e1464ae15bc02832ca3
msf5 >

Check the status again:

msf5 > nessus_scan_list
Scan ID  Name  Owner       Started  Status   Folder
-------  ----  -----       -------  ------   ------
6        test  nessusroot           running  3

msf5 >

9. View the scan details with nessus_scan_details <Scan ID> <info/hosts/vulnerabilities/history>

msf5 > nessus_scan_details 6 info  //view scan status
Status   Policy              Scan Name  Scan Targets     Scan Start Time  Scan End Time
------   ------              ---------  ------------     ---------------  -------------
running  Basic Network Scan  test       192.168.177.144  1555301230

msf5 > nessus_scan_details 6 hosts //view hosts
Host ID  Hostname         % of Critical Findings  % of High Findings  % of Medium Findings  % of Low Findings
-------  --------         ----------------------  ------------------  --------------------  -----------------
2        192.168.177.144  1                       0                   0                     0

msf5 > nessus_scan_details 6 vulnerabilities //view vulnerability information
Plugin ID  Plugin Name                                               Plugin Family  Count
---------  -----------                                               -------------  -----
10114      ICMP Timestamp Request Remote Date Disclosure             General        1
10150      Windows NetBIOS / SMB Remote Host Information Disclosure  Windows        1
10287      Traceroute Information                                    General        1
10394      Microsoft Windows SMB Log In Possible                     Windows        1
10736      DCE Services Enumeration                                  Windows        8
10785      Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
.....
msf5 > nessus_scan_details 6 history //view scan history
History ID  Status   Creation Date  Last Modification Date
----------  ------   -------------  ----------------------
7           running  1555301230

msf5 >

The scan we created is also visible in the web UI

10. When the scan has completed, use nessus_db_import <Scan ID> to import the results into Metasploit.

msf5 > nessus_scan_details 6 info
Status     Policy              Scan Name  Scan Targets     Scan Start Time  Scan End Time
------     ------              ---------  ------------     ---------------  -------------
completed  Basic Network Scan  test       192.168.177.144  1555301230       1555302154

msf5 > nessus_db_import 6
[*] Exporting scan ID 6 is Nessus format...
[+] The export file ID for scan ID 6 is 2110513949
[*] Checking export status...
[*] Export status: loading
[*] Export status: ready
[*] The status of scan ID 6 export is ready
[*] Importing scan results to the database...
[*] Importing data of 192.168.177.144
[+] Done
msf5 >

After the import, we can use the hosts and services commands to view the host and service information.

msf5 > hosts
Hosts
=====
address          mac                name             os_name       os_flavor  os_sp  purpose  info  comments
-------          ---                ----             -------       ---------  -----  -------  ----  --------
192.168.177.1                                        Unknown                         device
192.168.177.144  00:0c:29:41:d2:48  METASPLOITABLE3  Windows 2008  Standard   SP1    server
192.168.177.145                                      Unknown                         device
msf5 > services
Services
========
host             port   proto  name              state  info
----             ----   -----  ----              -----  ----
192.168.177.1    21     tcp    ftp               open   220 Serv-U FTP Server v15.0 ready...\x0d\x0a
192.168.177.144  21     tcp    ftp               open   220 Microsoft FTP Service\x0d\x0a
192.168.177.144  22     tcp    ssh               open   SSH-2.0-OpenSSH_7.1
192.168.177.144  80     tcp    www               open   Microsoft IIS httpd 7.5
192.168.177.144  135    tcp    epmap             open
192.168.177.144  137    udp    netbios-ns        open
.....

To view the vulnerabilities found by the scan, use the vulns command

msf5 > vulns
Vulnerabilities
===============
Timestamp                Host             Name                                                                   References
---------                ----             ----                                                                   ----------
2019-04-12 07:52:51 UTC  192.168.177.144  MS17-010 SMB RCE Detection                                             CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,MSB-MS17-010,URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html,URL-https://github.com/countercept/doublepulsar-detection-script,URL-https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
2019-04-12 09:08:20 UTC  192.168.177.144  HTTP Writable Path PUT/DELETE File Access                              OSVDB-397
2019-04-15 04:25:24 UTC  192.168.177.144  Elasticsearch Transport Protocol Unspecified Remote Code Execution     CVE-2015-5377,NSS-105752,NSS-119499
2019-04-15 04:25:25 UTC  192.168.177.144  MySQL Server Detection                                                 NSS-10719
2019-04-15 04:25:25 UTC  192.168.177.144  Elasticsearch Detection                                                NSS-109941
2019-04-15 04:25:25 UTC  192.168.177.144  ManageEngine Desktop Central 9 < Build 92027 Multiple Vulnerabilities  CVE-2018-8722,NSS-108752
2019-04-15 04:25:25 UTC  192.168.177.144  Elasticsearch Unrestricted Access Information Disclosure               NSS-101025
....

# 15. Using NeXpose with Metasploit

In this section we introduce another excellent vulnerability scanner, NeXpose, one of the leading vulnerability assessment tools. NeXpose is Rapid7's widely used scanner: it performs vulnerability scans and imports the results into the Metasploit database. NeXpose is used much like Nessus, so let's take a quick look at how to use it and leave the deeper exploration to you.

NeXpose Community Edition, with a free one-year trial available on request: https://www.rapid7.com/info/nexpose-community/

The email address must be on a personal, school, company or organization domain of its own; third-party mailboxes are not accepted (for example Gmail, Sina, NetEase, 126 and Tencent are all treated as invalid).

Register, then download the installer and install it.

Installation: press Enter at each installer prompt, then fill in the user details and set a password

root@osboxes:~# chmod +x Rapid7Setup-Linux64.bin
root@osboxes:~# ./Rapid7Setup-Linux64.bin
....
Do you want to continue?
Yes [y, Enter], No [n]
Gathering system information....
Security Console with local Scan Engine
If you do not have a console installed yet, this option is recommended. The console manages scan engines and all administrative operations.
Scan Engine only
This distributed engine can start scanning after being paired with a Security Console.
Select only the set of components you want to install:
Security Console with local Scan Engine [1, Enter]
Scan Engine only [2]
1
Where should Rapid7 Vulnerability Management be installed?
[/opt/rapid7/nexpose]
....
Select any additional installation tasks.
Initialize and start after installation?
Yes [y], No [n, Enter]
y
...
If you chose to start the Security Console as part of the installation, then it will be started upon installer completion.
Using the credentials you created during installation, log onto Nexpose at https://localhost:3780.

To start the service run: sudo systemctl start nexposeconsole.service
The Security Console is configured to automatically run at startup. See the
installation guide if you wish to modify start modes.

[Enter]

Finishing installation...

The user name we set is nexpose and the password is Faq3wANIK0 (choose your own).

Start the console with /opt/rapid7/nexpose/nsc/nsc.sh or systemctl start nexposeconsole; startup takes a while, so be patient.

Then open https://localhost:3780 to finish configuration: wait for startup to complete, log in with the user name and password, and enter the license key you applied for to activate the product.

Load the nexpose plugin in msfconsole and connect to the NeXpose service:

msf5 > load nexpose                                                        
                                                                           
 ▄▄▄   ▄▄            ▄▄▄  ▄▄▄                                              
 ███   ██             ██ ▄██                                               
 ██▀█  ██   ▄████▄     ████    ██▄███▄    ▄████▄   ▄▄█████▄   ▄████▄       
 ██ ██ ██  ██▄▄▄▄██     ██     ██▀  ▀██  ██▀  ▀██  ██▄▄▄▄ ▀  ██▄▄▄▄██      
 ██  █▄██  ██▀▀▀▀▀▀    ████    ██    ██  ██    ██   ▀▀▀▀██▄  ██▀▀▀▀▀▀      
 ██   ███  ▀██▄▄▄▄█   ██  ██   ███▄▄██▀  ▀██▄▄██▀  █▄▄▄▄▄██  ▀██▄▄▄▄█      
 ▀▀   ▀▀▀    ▀▀▀▀▀   ▀▀▀  ▀▀▀  ██ ▀▀▀      ▀▀▀▀     ▀▀▀▀▀▀     ▀▀▀▀▀       
                               ██                                          
                                                                           
[*] Nexpose integration has been activated                                 
[*] Successfully loaded plugin: nexpose                                    
msf5 > nexpose_connect nexpose:Faq3wANIK0@127.0.0.1:3780
[*] Connecting to Nexpose instance at 127.0.0.1:3780 with username nexpose...
msf5 >

Once connected to NeXpose we can scan targets and generate reports. NeXpose supports two scan commands: nexpose_scan, which scans the target and imports the results into the Metasploit database, and nexpose_discover, which only discovers hosts and services and does not import results.

1. Run a quick scan of the target (performs only minimal host and service discovery):

msf5 > nexpose_discover 192.168.177.144
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf5 >

2. View the nexpose_scan help:

msf5 > nexpose_scan -h
Usage: nexpose_scan [options] <Target IP Ranges>

OPTIONS:

    -E <opt>  Exclude hosts in the specified range from the scan
    -I <opt>  Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -c <opt>  Specify credentials to use against these targets (format is type:user:pass
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the Nexpose instance (optional)
    -t <opt>  The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process

msf5 >

3. To scan the target, use nexpose_scan -t <template> <target IP ranges>:

msf5 > nexpose_scan -t full-audit 192.168.177.144
[*] Scanning 1 addresses with template full-audit in sets of 32
[*] Completed the scan of 1 addresses
msf5 >

4. After the scan completes, import the results into the database with nexpose_site_import <site_id>:

msf5 > nexpose_site_import 7
[*] Generating the export data file...
[*] Downloading the export data...
[*] Importing Nexpose data...

# 16. Integrating with OpenVAS

OpenVAS (Open Vulnerability Assessment System) is a fork of the Nessus project. It is a free, open-source vulnerability scanning and vulnerability management tool, and currently the most widely used open-source solution for vulnerability scanning and management.

1. Install OpenVAS on Kali:

root@osboxes:~# apt install openvas -y

2. Set up OpenVAS: this downloads the feeds and creates the admin user and the services.

root@osboxes:~# openvas-setup //this step downloads a lot of data, so be patient

[>] Updating OpenVAS feeds
[*] [1/3] Updating: NVT
--2019-04-15 13:54:37--  http://dl.greenbone.net/community-nvt-feed-current.tar.bz2
Connecting to 192.168.1.91:1080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 22288483 (21M) [application/octet-stream]
....    
After a long wait...
[*] Opening Web UI (https://127.0.0.1:9392) in: 5... 4... 3... 2... 1...

[>] Checking for admin user
[*] Creating admin user
User created with password 'dc63c468-3780-4e3c-b30c-1597f4b91623'.

[+] Done

3. Once setup completes, start OpenVAS. In fact the previous step already started it; it can also be started with the following command:

root@osboxes:~# openvas-start

The WebUI can be reached at https://127.0.0.1:9392.

4. Load the openvas plugin in msfconsole:

msf5 > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*]
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*]
[*] Successfully loaded plugin: OpenVAS
msf5 >

5. View the help:

msf5 > help openvas

OpenVAS Commands
================

    Command                       Description
    -------                       -----------
    openvas_config_list           Quickly display list of configs
    openvas_connect               Connect to an OpenVAS manager using OMP
    openvas_debug                 Enable/Disable debugging
    openvas_disconnect            Disconnect from OpenVAS manager
    openvas_format_list           Display list of available report formats
    openvas_help                  Displays help
    openvas_report_delete         Delete a report specified by ID
    openvas_report_download       Save a report to disk
    openvas_report_import         Import report specified by ID into framework
    openvas_report_list           Display a list of available report formats
    openvas_target_create         Create target (name, hosts, comment)
    openvas_target_delete         Delete target by ID
    openvas_target_list           Display list of targets
    openvas_task_create           Create a task (name, comment, target, config)
    openvas_task_delete           Delete task by ID
    openvas_task_list             Display list of tasks
    openvas_task_pause            Pause task by ID
    openvas_task_resume           Resume task by ID
    openvas_task_resume_or_start  Resume task or start task by ID
    openvas_task_start            Start task by ID
    openvas_task_stop             Stop task by ID
    openvas_version               Display the version of the OpenVAS server


msf5 >

6. Connect to the OpenVAS service with openvas_connect <username> <password> <host> <port>:

msf5 > openvas_connect admin dc63c468-3780-4e3c-b30c-1597f4b91623 127.0.0.1 9390
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
msf5 >

7. Add a scan target with openvas_target_create <Name> <Hosts> <Comment>; the arguments are a name, the target IP(s) and a comment:

msf5 > openvas_target_create "Metasploitable3" 192.168.177.144 "Windows Target"
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets

ID                                    Name             Hosts            Max Hosts  In Use  Comment
--                                    ----             -----            ---------  ------  -------
6455a780-092a-40dd-8c01-191a7612505a  Metasploitable3  192.168.177.144  1          0       Windows Target


msf5 >

8. List the scan configs with openvas_config_list:

msf5 > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs

ID                                    Name
--                                    ----
085569ce-73ed-11df-83c3-002264764cea  empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
daba56c8-73ec-11df-a475-002264764cea  Full and fast


msf5 >

9. Create a task with openvas_task_create <name> <Comment> <config_id> <target_id>:

msf5 > openvas_task_create  "Metasploitable3" "Windows" 698f691e-7489-11df-9d8c-002264764cea 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name             Comment  Status  Progress
--                                    ----             -------  ------  --------
fb18cf93-a94b-4c9b-aadf-9408bd9a9186  Metasploitable3  Windows  New     -1


msf5 >

10. Start the task with openvas_task_start <task_id>:

msf5 > openvas_task_start fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>7993d76a-43b3-48c6-ac94-ca630e20db68</report_id></start_task_response></X>msf5 >

11. Check progress with openvas_task_list:

msf5 > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID                                    Name             Comment  Status     Progress
--                                    ----             -------  ------     --------
fb18cf93-a94b-4c9b-aadf-9408bd9a9186  Metasploitable3  Windows  Requested  1
msf5 >

12. Use openvas_format_list to see the report formats OpenVAS supports:

msf5 > openvas_format_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats
ID                                    Name           Extension  Summary
--                                    ----           ---------  -------
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.
msf5 >

13. The status of the task we created can also be seen in the WebUI.

14. When the task finishes, list the reports with openvas_report_list:

msf5 > openvas_report_list
[+] OpenVAS list of reports

ID                                    Task Name        Start Time            Stop Time
--                                    ---------        ----------            ---------
4ee7b572-a470-484c-962e-773d3a7eb7b1  Metasploitable3  2019-04-16T02:40:24Z  2019-04-16T03:07:15Z
7993d76a-43b3-48c6-ac94-ca630e20db68  Metasploitable3  2019-04-16T01:15:44Z

15. Import the report into Metasploit with openvas_report_import; only the NBE (legacy OpenVAS report) and XML formats can be imported:

msf5 > openvas_report_import 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
[*] Importing report to database.

With the Metasploit 5.0 used here, however, importing directly like this fails with an error, so we first download the report to a file and then import it with db_import:

msf5 > openvas_report_download
[*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
msf5 > openvas_report_download 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 /tmp/ Metasploitable3
[*] Saving report to /tmp/Metasploitable3
msf5 > db_import /tmp/Metasploitable3
[*] Importing 'OpenVAS XML' data
[*] Successfully imported /tmp/Metasploitable3
msf5 >

16. View the vulnerabilities found by the OpenVAS scan:

msf5 > vulns

Vulnerabilities
===============

Timestamp                Host             Name                                                                    References
---------                ----             ----                                                                    ----------
2019-04-16 08:15:22 UTC  192.168.177.144  ICMP Timestamp Detection    CVE-1999-0524
2019-04-16 08:15:23 UTC  192.168.177.144  Microsoft Windows IIS   CVE-2010-3972,BID-45542
2019-04-16 08:15:23 UTC  192.168.177.144  Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)  CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,BID-96703,BID-96704,BID-96705,BID-96706,BID-96707,BID-96709
2019-04-16 08:15:23 UTC  192.168.177.144  MS15-034 HTTP.sys Remote Code  CVE-2015-1635
2019-04-16 08:15:23 UTC  192.168.177.144  Oracle Glass Fish Server CVE-2017-1000028
2019-04-16 08:15:23 UTC  192.168.177.144  SSL/TLS: Report 'Anonymous' Cipher Suites                 .....
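As an added example that is not part of the original post and is not Metasploit or OpenVAS code, the following Ruby script shows what db_import does with a downloaded OpenVAS XML report: it parses the report, collects each result's host, NVT name and CVE/BID references into the same three columns that `vulns` prints, and lets a defender filter the findings by CVE prefix or by CVSS severity for triage. The report embedded in the script is constructed for this example; it follows a simplified form of the OpenVAS 9 result layout (host/port/nvt/threat/severity, with the NOCVE and NOBID placeholders), which is an assumption rather than a copy of a real report, the NVT OIDs are placeholders, and the CVE and BID values are the ones shown in the vulns output above.

```ruby
# Added example (not from the original post, nor Metasploit/OpenVAS code):
# parse an OpenVAS XML report such as the one saved with openvas_report_download
# and rebuild the columns that `vulns` prints after db_import.
require 'rexml/document'

# Constructed sample report: placeholder OIDs, simplified OpenVAS 9 result
# layout (assumed), CVE/BID values taken from the page's own vulns table.
SAMPLE_REPORT = <<~XML
  <report id="4ee7b572-a470-484c-962e-773d3a7eb7b1">
    <report>
      <results>
        <result id="r1">
          <host>192.168.177.144</host>
          <port>general/icmp</port>
          <nvt oid="1.3.6.1.4.1.25623.1.0.1">
            <name>ICMP Timestamp Detection</name>
            <cve>CVE-1999-0524</cve>
            <bid>NOBID</bid>
          </nvt>
          <threat>Low</threat>
          <severity>2.1</severity>
        </result>
        <result id="r2">
          <host>192.168.177.144</host>
          <port>445/tcp</port>
          <nvt oid="1.3.6.1.4.1.25623.1.0.2">
            <name>Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)</name>
            <cve>CVE-2017-0143, CVE-2017-0144, CVE-2017-0145</cve>
            <bid>96703, 96704</bid>
          </nvt>
          <threat>High</threat>
          <severity>9.3</severity>
        </result>
        <result id="r3">
          <host>192.168.177.144</host>
          <port>443/tcp</port>
          <nvt oid="1.3.6.1.4.1.25623.1.0.3">
            <name>SSL/TLS: Report 'Anonymous' Cipher Suites</name>
            <cve>NOCVE</cve>
            <bid>NOBID</bid>
          </nvt>
          <threat>Medium</threat>
          <severity>5.0</severity>
        </result>
      </results>
    </report>
  </report>
XML

Finding = Struct.new(:host, :port, :name, :threat, :severity, :refs)

# <cve>/<bid> hold a comma-separated list, or the placeholders NOCVE / NOBID
# when the NVT carries no reference of that kind.
def split_refs(element)
  return [] if element.nil? || element.text.nil?
  text = element.text.strip
  return [] if text.empty? || %w[NOCVE NOBID].include?(text)
  text.split(',').map(&:strip)
end

# Walk report/report/results/result and turn each result into a Finding.
def parse_openvas_report(xml)
  doc = REXML::Document.new(xml)
  findings = []
  doc.elements.each('report/report/results/result') do |result|
    nvt  = result.elements['nvt']
    refs = split_refs(nvt.elements['cve']) +
           split_refs(nvt.elements['bid']).map { |b| "BID-#{b}" }
    findings << Finding.new(
      result.elements['host'].text.strip,
      result.elements['port'].text.strip,
      nvt.elements['name'].text.strip,
      result.elements['threat'].text.strip,
      result.elements['severity'].text.to_f,
      refs
    )
  end
  findings
end

# The same three columns as `vulns`: host, name, comma-joined references.
def vulns_rows(findings)
  findings.map { |f| [f.host, f.name, f.refs.join(',')] }
end

# Triage helpers: findings that reference a CVE with the given prefix, and
# findings whose CVSS severity is at or above a threshold.
def findings_with_cve(findings, prefix)
  findings.select { |f| f.refs.any? { |r| r.start_with?(prefix) } }
end

def findings_at_least(findings, min_severity)
  findings.select { |f| f.severity >= min_severity }
end

if __FILE__ == $PROGRAM_NAME
  all = parse_openvas_report(SAMPLE_REPORT)
  vulns_rows(all).each { |host, name, refs| puts format('%-16s %-70s %s', host, name, refs) }
  puts "Severity >= 7.0: #{findings_at_least(all, 7.0).map(&:name).inspect}"
end
```

Only the Ruby standard library (REXML) is used, so the script runs offline against the embedded sample; point it at a real downloaded report by reading the file into the string passed to parse_openvas_report. Splitting the references into separate CVE-/BID- entries is what makes the host-by-CVE filter cheap, which is the query a defender most often needs when matching scanner output against an advisory.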

# Notes

This article was compiled by the author; please credit the source when reposting.

Originally published at: http://www.coloradmin.cn/o/2150126.html
