- Search for exploit modules based on the results of information gathering
- Combine with an external vulnerability scanner to batch-scan large IP address ranges
- There will always be false positives and false negatives; use MSF auxiliary modules to verify each finding
Attacker machine: Kali
Target machine: Metasploitable2
```
# VNC password brute force
msf > use auxiliary/scanner/vnc/vnc_login
# VNC unauthenticated access (no password set)
use auxiliary/scanner/vnc/vnc_none_auth
# RDP remote desktop vulnerability (MS12-020)
use auxiliary/scanner/rdp/ms12_020_check              # check only, does not cause a DoS
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids  # this one DOES cause a DoS
# Device backdoors
use auxiliary/scanner/ssh/juniper_backdoor
use auxiliary/scanner/ssh/fortinet_backdoor
# VMware
use auxiliary/scanner/vmware/vmauthd_login
# wordlist: /usr/share/metasploit-framework/data/wordlists/vmworks_common_20.txt (custom wordlist file)
# After obtaining credentials, enumerate all virtual machines
use auxiliary/scanner/vmware/vmware_enum_vms
# Power on a virtual machine remotely via the web API
msf > use auxiliary/admin/vmware/poweron_vm
# HTTP weakness scanning
# Expired certificate
use auxiliary/scanner/http/cert
# Directory and file listing
use auxiliary/scanner/http/dir_listing
# WebDAV Unicode-encoding authentication bypass
use auxiliary/scanner/http/dir_webdav_unicode_bypass
# Tomcat manager login page
use auxiliary/scanner/http/tomcat_mgr_login
# HTTP-method-based authentication bypass
use auxiliary/scanner/http/verb_auth_bypass
# WordPress password brute force
use auxiliary/scanner/http/wordpress_login_enum
```
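The bullets above describe the workflow this page is about: an external scanner flags many hosts, and MSF re-checks each one with a non-destructive module. The script below is an added example (not part of the original notes): it turns a findings list into a Metasploit resource script that runs the matching check module per host, so each hit can be confirmed or rejected in one batch. The CSV format, the finding labels, and the `/tmp/msf_verify.log` spool path are assumptions; the module mapping uses only modules listed above, deliberately choosing `ms12_020_check` rather than the DoS module. msfconsole itself is not executed by the script.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Converts external-scanner findings
# into a Metasploit resource (.rc) script that verifies each finding with the
# matching auxiliary module. Only safe/check modules from the notes are mapped.

# Constructed sample input (not real scan data): host,port,finding-label
FINDINGS_CSV='192.168.1.120,5900,vnc-no-auth
192.168.1.121,3389,ms12-020
192.168.1.122,8180,tomcat-manager
192.168.1.123,22,unknown-finding'

# Map an (assumed) finding label to a verification module. Prints nothing if unmapped.
module_for() {
  case "$1" in
    vnc-no-auth)    echo "auxiliary/scanner/vnc/vnc_none_auth" ;;
    ms12-020)       echo "auxiliary/scanner/rdp/ms12_020_check" ;;   # check only, never the DoS module
    tomcat-manager) echo "auxiliary/scanner/http/tomcat_mgr_login" ;; # credential check, not an exploit
    *)              echo "" ;;
  esac
}

# Read CSV on stdin, write an msfconsole resource script on stdout.
# Findings with no verification module are left in as comments so they are not silently lost.
gen_rc() {
  echo "spool /tmp/msf_verify.log"   # assumed log path; keeps module output for later review
  while IFS=, read -r host port finding; do
    [ -n "$host" ] || continue
    mod=$(module_for "$finding")
    if [ -z "$mod" ]; then
      echo "# skipped $host:$port ($finding): no verification module"
      continue
    fi
    echo "use $mod"
    echo "set RHOSTS $host"
    echo "set RPORT $port"
    echo "run"
  done
  echo "spool off"
  echo "exit"
}

# Usage (not run here):
#   printf '%s\n' "$FINDINGS_CSV" | gen_rc > verify.rc
#   msfconsole -q -r verify.rc
```

The point of routing every finding through its own check module is that the external scanner's verdict is treated as a hypothesis, not a result; the spooled log is what you compare back against the scanner report to count the false positives and negatives.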
WMAP web application scanner
```
load wmap
wmap_sites -h
wmap_sites -a http://192.168.1.120
wmap_targets -t http://192.168.1.120/mutillidae/index.php
wmap_run -h
wmap_run -t    # list all modules that will be run
wmap_run -e    # start the scan
wmap_vulns -l  # view the vulnerabilities found by the scan
vulns          # findings are also stored in the MSF database
```
Running Nessus scans directly from MSF
```
load nessus
nessus_help
nessus_connect admin:toor@192.168.1.120   # credentials and host are this lab's example values
nessus_policy_list
nessus_scan_new                           # takes a policy UUID, scan name, description and targets
nessus_report_list
```
