Port scanning

ack: probes ports that a firewall does not block, using ACK scanning.

ftpbounce: enumerates TCP services using the FTP bounce attack principle. Newer FTP server software defends well against FTP bounce, but this technique still works against the FTP services on some old Solaris and FreeBSD systems.

syn: detects open ports by sending packets with the TCP SYN flag set.

tcp: determines whether a port is open by completing a full TCP connection. This is the most accurate scan type, but also the slowest.

xmas: a stealthier scan that sends packets with the FIN, PSH and URG flags set, which can slip past some advanced TCP flag detectors.

auxiliary/scanner/portscan/tcp //TCP port scan
auxiliary/scanner/portscan/ack //ACK firewall scan
auxiliary/scanner/portscan/ftpbounce //FTP bounce port scan
auxiliary/scanner/portscan/syn //SYN port scan
auxiliary/scanner/portscan/xmas //TCP XMAS port scan

auxiliary/scanner/portscan/tcp //TCP port scan


msf5 auxiliary(scanner/portscan/tcp) > show options 

Module options (auxiliary/scanner/portscan/tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 192.168.119.139 yes The target address range or CIDR identifier
THREADS 100 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds

Scan finished! 192.168.119.139 has the following ports open:


msf5 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.119.139: - 192.168.119.139:80 - TCP OPEN
[+] 192.168.119.139: - 192.168.119.139:135 - TCP OPEN
[+] 192.168.119.139: - 192.168.119.139:139 - TCP OPEN
[+] 192.168.119.139: - 192.168.119.139:445 - TCP OPEN
[+] 192.168.119.139: - 192.168.119.139:5357 - TCP OPEN
[*] 192.168.119.139: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

auxiliary/scanner/portscan/ack //ACK firewall scan


The ACK scan sends its probe packets in fragments so that it can get past some firewall devices, but not the Windows firewall! The built-in Windows firewall blocks every inbound connection!

This works here only because the Windows 7 virtual machine has its firewall turned off; if it were on, the firewall would block the connections!

In testing, with the Windows firewall enabled, the ACK scan finds nothing!
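The scan types listed at the top of the post differ only in the TCP flags they set, and the ACK/firewall observation above is really a statement about which reply each probe gets. The following added example (my own code, not part of the post or of Metasploit) makes that concrete from the defender's side: it decodes tcpdump-style flag letters, names the scan type a bare probe matches, states the reply an RFC 793 stack gives for each probe (with the Windows and filtered-by-firewall cases), and then runs that classifier over a few constructed tcpdump-like lines to pick out a source that is sweeping ports. The capture lines, the source addresses and the `min_ports` threshold are all made up for the example.

```python
import re

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# tcpdump's one-letter flag notation; '.' stands for ACK.
_TCPDUMP_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG}


def flags_from_tcpdump(letters: str) -> int:
    """Convert a tcpdump 'Flags [...]' body such as 'S', '.', 'S.' or 'FPU' to flag bits."""
    bits = 0
    for ch in letters:
        bits |= _TCPDUMP_LETTERS[ch]
    return bits


def classify_probe(flags: int) -> str:
    """Name the scan type from the post that a bare probe with exactly these flags matches."""
    if flags == SYN:
        return "syn"
    if flags == ACK:
        return "ack"
    if flags == (FIN | PSH | URG):
        return "xmas"
    return "other"  # ordinary traffic (SYN/ACK, PSH/ACK, ...) or a probe type not in the post


def expected_reply(scan: str, port_open: bool, filtered: bool) -> str:
    """Reply an RFC 793 stack sends to each probe type.

    `filtered` models a stateful firewall that drops unsolicited packets, which is
    how the Windows firewall behaves: no reply at all, so the ACK scan sees nothing.
    """
    if filtered:
        return "none"
    if scan == "syn":
        return "syn-ack" if port_open else "rst"
    if scan == "ack":
        return "rst"  # same for open and closed ports: ACK only tells filtered from unfiltered
    if scan == "xmas":
        # RFC 793: open ports stay silent, closed ports answer RST.
        # Windows answers RST in both cases, so XMAS cannot tell them apart there.
        return "none" if port_open else "rst"
    raise ValueError(f"unknown scan type {scan!r}")


# Constructed tcpdump-style lines (not a real capture) aimed at the post's target address.
# 10.0.0.5 sends bare SYN, XMAS and ACK probes to several ports; 10.0.0.9 does a normal handshake.
SAMPLE_LINES = """\
12:00:01.000 IP 10.0.0.5.40001 > 192.168.119.139.80: Flags [S], seq 1, win 1024, length 0
12:00:01.001 IP 10.0.0.5.40002 > 192.168.119.139.135: Flags [S], seq 1, win 1024, length 0
12:00:01.002 IP 10.0.0.5.40003 > 192.168.119.139.445: Flags [FPU], seq 1, win 1024, length 0
12:00:01.003 IP 10.0.0.5.40004 > 192.168.119.139.5357: Flags [.], ack 1, win 1024, length 0
12:00:02.000 IP 10.0.0.9.51000 > 192.168.119.139.80: Flags [S], seq 1, win 65535, length 0
12:00:02.050 IP 192.168.119.139.80 > 10.0.0.9.51000: Flags [S.], seq 5, ack 2, win 8192, length 0
"""

_LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def probes_per_source(capture: str, target: str) -> dict:
    """Collect the distinct (port, scan type) bare probes each source sent to `target`."""
    seen: dict = {}
    for line in capture.splitlines():
        m = _LINE_RE.search(line)
        if not m or m["dst"] != target:
            continue
        kind = classify_probe(flags_from_tcpdump(m["flags"]))
        if kind == "other":
            continue  # handshake replies and established traffic are not probes
        seen.setdefault(m["src"], set()).add((int(m["dport"]), kind))
    return {src: sorted(probes) for src, probes in seen.items()}


def suspected_scanners(summary: dict, min_ports: int = 3) -> list:
    """Sources that hit at least `min_ports` distinct ports with bare scan probes."""
    return sorted(
        src for src, probes in summary.items()
        if len({port for port, _ in probes}) >= min_ports
    )


if __name__ == "__main__":
    summary = probes_per_source(SAMPLE_LINES, "192.168.119.139")
    for src, probes in summary.items():
        print(src, probes)
    print("suspected scanners:", suspected_scanners(summary))
```

The `expected_reply` table is the point to remember when reading the ACK result in the post: an ACK probe is answered with RST by any unfiltered port, open or closed, so it never says which ports are open, only which ones a firewall lets through. Once the Windows firewall drops unsolicited inbound packets, every probe type falls into the `filtered` branch and the scan reports nothing.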


The remaining port scanners are used the same way as the example above; only the scan mode differs!

Version scanning

use auxiliary/scanner/smb/smb_version //detect the target's operating system information


msf5 auxiliary(scanner/smb/smb_version) > run

[+] 192.168.119.139:445 - Host is running Windows 7 Ultimate SP1 (build:7601) (name:LIUWX-PC) (workgroup:WORKGROUP )
[*] 192.168.119.139:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As you can see, the operating system is Windows 7, the hostname is LIUWX-PC, and it is not domain-joined!

Other

MS-17-010 //EternalBlue

msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_ms17_010 
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.119.139
rhosts => 192.168.119.139
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS 192.168.119.139 yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads


[+] 192.168.119.139:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Host is likely VULNERABLE to MS17-010!

This means the EternalBlue vulnerability is present!
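Three of the console sessions in this post (the TCP port scan, `smb_version` and `smb_ms17_010`) produce one-line results that are easy to read for a single host but tedious to act on across a range. The following added example (my own code, not from the post or from Metasploit) parses exactly those output line formats into a per-host record and turns the records into a remediation list, so that a "likely VULNERABLE to MS17-010" line becomes a patch item rather than an exploitation step. The sample text is the post's own output lines pasted together; `EXPECTED_PORTS` is a constructed baseline of what the host is supposed to expose, and the remediation wording is mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Line formats exactly as the three modules print them in the post.
_OPEN_RE = re.compile(r"^\[\+\] (?P<host>[\d.]+): - [\d.]+:(?P<port>\d+) - TCP OPEN$")
_OS_RE = re.compile(r"^\[\+\] (?P<host>[\d.]+):\d+ - Host is running (?P<os>.+)$")
_MS17_RE = re.compile(r"^\[\+\] (?P<host>[\d.]+):\d+\s+- Host is likely VULNERABLE to MS17-010!")
_NAME_RE = re.compile(r"\(name:([^)]+)\)")
_WORKGROUP_RE = re.compile(r"\(workgroup:([^)]+)\)")


@dataclass
class HostFindings:
    open_ports: Set[int] = field(default_factory=set)
    os_banner: Optional[str] = None
    hostname: Optional[str] = None
    workgroup: Optional[str] = None
    ms17_010: Optional[str] = None  # "likely vulnerable" when the check fires, else None


def parse_msf_output(text: str) -> Dict[str, HostFindings]:
    """Fold scanner output lines into one HostFindings record per host."""
    findings: Dict[str, HostFindings] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _OPEN_RE.match(line)
        if m:
            findings.setdefault(m["host"], HostFindings()).open_ports.add(int(m["port"]))
            continue
        m = _OS_RE.match(line)
        if m:
            rec = findings.setdefault(m["host"], HostFindings())
            rec.os_banner = m["os"].strip()
            name = _NAME_RE.search(rec.os_banner)
            group = _WORKGROUP_RE.search(rec.os_banner)
            rec.hostname = name.group(1).strip() if name else None
            rec.workgroup = group.group(1).strip() if group else None
            continue
        m = _MS17_RE.match(line)
        if m:
            findings.setdefault(m["host"], HostFindings()).ms17_010 = "likely vulnerable"
    return findings


# Constructed baseline (assumption): the only service this host is expected to expose.
EXPECTED_PORTS = {80}


def triage(findings: Dict[str, HostFindings]) -> List[Tuple[str, str]]:
    """Turn parsed results into remediation items, most severe first per host."""
    items: List[Tuple[str, str]] = []
    for host, rec in sorted(findings.items()):
        if rec.ms17_010 == "likely vulnerable":
            items.append((host, "install the MS17-010 update and disable SMBv1"))
        elif 445 in rec.open_ports:
            items.append((host, "SMB exposed; confirm MS17-010 patch level"))
        unexpected = sorted(rec.open_ports - EXPECTED_PORTS)
        if unexpected:
            ports = ",".join(str(p) for p in unexpected)
            items.append((host, "close or firewall unexpected ports " + ports))
    return items


# The post's own output lines, concatenated (only the [+] lines carry findings).
SAMPLE_OUTPUT = """\
[+] 192.168.119.139: - 192.168.119.139:80 - TCP OPEN
[+] 192.168.119.139: - 192.168.119.139:135 - TCP OPEN
[+] 192.168.119.139: - 192.168.119.139:139 - TCP OPEN
[+] 192.168.119.139: - 192.168.119.139:445 - TCP OPEN
[+] 192.168.119.139: - 192.168.119.139:5357 - TCP OPEN
[*] 192.168.119.139: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[+] 192.168.119.139:445 - Host is running Windows 7 Ultimate SP1 (build:7601) (name:LIUWX-PC) (workgroup:WORKGROUP )
[+] 192.168.119.139:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
"""

if __name__ == "__main__":
    for host, action in triage(parse_msf_output(SAMPLE_OUTPUT)):
        print(host, "->", action)
```

The parser keys only on the `[+]` result lines, so the `[*]` progress lines and the `show options` tables can be pasted in unchanged. The `workgroup:` field is what backs the post's remark that the host is not domain-joined: a domain member reports its domain there instead.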

If it is present, it can be exploited:


As you can see, the Win7 virtual machine has blue-screened!


Tips

I first created a text file ips.txt under /root containing the IPs I want to scan:


The usual way to set RHOSTS is:

set rhosts 192.168.119.139

Since we just created ips.txt, we can set it like this instead:

set rhosts file:/root/ips.txt
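A target file is convenient precisely because every line in it gets scanned, which is also why it deserves a check before it is handed to `set rhosts file:`. The following added example (my own code, not from the post or from Metasploit) reads a file in the post's one-target-per-line format, rejects lines that are not an address or CIDR block, reports entries that fall outside an authorised network, and returns the cleaned list to write back. The file contents, the authorised `/24` and the assumption that a CIDR block is acceptable on a line of the RHOSTS file are all mine.

```python
import ipaddress
from typing import List, Tuple

# Constructed contents of a scope file like the post's /root/ips.txt (addresses made up).
SCOPE_FILE = """\
# hosts authorised for this assessment
192.168.119.139
192.168.119.16/28
10.0.0.5

8.8.8.8
"""

# Constructed authorisation boundary (assumption): only the lab /24 may be scanned.
AUTHORISED = [ipaddress.ip_network("192.168.119.0/24")]


def parse_scope(text: str) -> List[Tuple[int, str, object]]:
    """Read one target per line; blank lines and '#' comments are skipped.

    Single addresses and CIDR blocks are accepted. Anything else raises with its
    line number, so a typo cannot silently widen (or silently drop) a target.
    """
    targets: List[Tuple[int, str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # a bare IP becomes a /32
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not an IP or CIDR block") from exc
        targets.append((lineno, entry, net))
    return targets


def out_of_scope(targets, authorised) -> List[Tuple[int, str]]:
    """Entries that are not fully contained in one of the authorised networks."""
    bad: List[Tuple[int, str]] = []
    for lineno, entry, net in targets:
        covered = any(net.version == a.version and net.subnet_of(a) for a in authorised)
        if not covered:
            bad.append((lineno, entry))
    return bad


def in_scope_lines(text: str, authorised) -> List[str]:
    """The lines that are safe to write back as the RHOSTS file: authorised entries only."""
    targets = parse_scope(text)
    rejected = {lineno for lineno, _ in out_of_scope(targets, authorised)}
    return [entry for lineno, entry, _ in targets if lineno not in rejected]


if __name__ == "__main__":
    for lineno, entry in out_of_scope(parse_scope(SCOPE_FILE), AUTHORISED):
        print(f"line {lineno}: {entry} is outside the authorised range")
    print("cleaned scope:", in_scope_lines(SCOPE_FILE, AUTHORISED))
```

`subnet_of` is only defined between networks of the same IP version, hence the `version` comparison before calling it; without it a stray IPv6 entry would raise instead of being reported as out of scope.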


This is very convenient!

That is all for the auxiliary modules!