
Targeted Scanning

Targeted scanning means looking for specific operating systems, services, software and configuration flaws in the target network that are known to be exploitable or that give an easy way in. For example, quickly sweeping the target network for hosts vulnerable to MS08-067 is a very common activity, because MS08-067 is (still) a widespread vulnerability that gets you SYSTEM-level access quickly; that is far easier than scanning the whole network for every vulnerability before attacking.

1. Server Message Block (SMB) scanning
Metasploit can use its smb_version module to sweep a network and determine the Windows version running on each host.
Load the module, list its options, set RHOSTS, and start the scan:

msf > use scanner/smb/smb_version
msf  auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf  auxiliary(smb_version) > set RHOSTS 192.168.119.132
RHOSTS => 192.168.119.132
msf  auxiliary(smb_version) > run
[*] 192.168.119.132:139 is running Windows XP Service Pack 3 (language: Chinese - Traditional) (name:PC-201403241103) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

2. Finding misconfigured Microsoft SQL Servers
A misconfigured Microsoft SQL Server (MS SQL) is often the first backdoor into a target system.
After installation, MS SQL listens by default on TCP port 1433, or on a random dynamic TCP port. When MS SQL is listening on a random TCP port, a simple query to UDP port 1434 is enough to obtain that TCP port number. Metasploit has a module, mssql_ping, that does exactly this.

msf > use scanner/mssql/mssql_ping
msf  auxiliary(mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf  auxiliary(mssql_ping) > set RHOSTS 192.168.119.132
RHOSTS => 192.168.119.132
msf  auxiliary(mssql_ping) > set THREADS 255
THREADS => 255
msf  auxiliary(mssql_ping) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The SQL Server version I have installed is as follows:

Microsoft SQL Server Management Studio          9.00.1399.00
Microsoft Analysis Services Client Tools        2005.090.1399.00
Microsoft Data Access Components (MDAC)         2000.085.1132.00 (xpsp.080413-0852)
Microsoft MSXML                                 2.6 3.0 5.0 6.0
Microsoft Internet Explorer                     8.0.6001.18702
Microsoft .NET Framework                        2.0.50727.42
Operating System                                5.1.2600

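As an added illustration (not code from the original post or from Metasploit), the following Python parses the SQL Server Browser reply that mssql_ping reads from UDP port 1434 and pulls out each instance's TCP port, so an asset inventory can spot instances that a plain TCP/1433 scan would miss. The sample datagram is constructed; the hostname and version come from this post's own output, while the second instance and its port 49157 are invented for the example.

```python
import struct
from typing import Dict, List

# Constructed sample SVR_RESP, the kind of datagram the SQL Server Browser service
# returns on UDP/1434 (not captured from the post's host): a 0x05 marker, a
# two-byte little-endian length, then "key;value;" pairs, one instance per ";;".
SAMPLE_BODY = (
    b"ServerName;PC-201403241103;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;9.00.1399.00;tcp;1433;;"
    b"ServerName;PC-201403241103;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.1399.00;tcp;49157;;"   # dynamic port, invented for the example
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def parse_ssrp_response(datagram: bytes) -> List[Dict[str, str]]:
    """Parse an SSRP SVR_RESP datagram into one dict per advertised instance."""
    if len(datagram) < 3 or datagram[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    if len(datagram) < 3 + size:
        raise ValueError("truncated SSRP response")
    body = datagram[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue  # the trailing terminator leaves an empty record
        fields = record.split(";")
        # fields alternate key/value; a dangling odd element is dropped
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances


def tcp_listeners(instances: List[Dict[str, str]]) -> Dict[str, int]:
    """Map instance name -> TCP port for instances that advertise a TCP endpoint."""
    return {i["InstanceName"]: int(i["tcp"]) for i in instances if "tcp" in i}


def dynamic_port_instances(instances: List[Dict[str, str]]) -> List[str]:
    """Instances not on the default port 1433, i.e. the ones a TCP/1433-only scan misses."""
    return [name for name, port in tcp_listeners(instances).items() if port != 1433]


if __name__ == "__main__":
    found = parse_ssrp_response(SAMPLE_RESPONSE)
    print(tcp_listeners(found))           # {'MSSQLSERVER': 1433, 'SQLEXPRESS': 49157}
    print(dynamic_port_instances(found))  # ['SQLEXPRESS']
```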
3. SSH server scanning
If during the scan you come across hosts running SSH (Secure Shell), you should identify the SSH version. SSH is a secure protocol, but that security covers only the encryption of data in transit; many SSH implementations have had security vulnerabilities discovered in them. Don't assume you will never run into an old, unpatched machine; that kind of luck may well land on you. The Metasploit Framework's ssh_version module can be used to identify the SSH version running on the target server.

msf > use scanner/ssh/ssh_version
msf  auxiliary(ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf  auxiliary(ssh_version) > set RHOSTS 192.168.119.144
RHOSTS => 192.168.119.144
msf  auxiliary(ssh_version) > run
[*] 192.168.119.144:22, SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(ssh_version) > 

4. FTP scanning

FTP is a complex application-layer protocol that lacks security, and FTP servers are often the most convenient way into a target network.

msf  auxiliary(anonymous) > use scanner/ftp/ftp_version
msf  auxiliary(ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS   192.168.119.141      yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port
   THREADS  1                    yes       The number of concurrent threads

msf  auxiliary(ftp_version) > set RHOSTS 192.126.119.48
RHOSTS => 192.126.119.48
msf  auxiliary(ftp_version) > run
[*] 192.126.119.48:21 FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed