3.1.被动信息搜集
whois查询
Netcraft
nslookup
>set type=mx
>testfire.net
Google Hacking
3.2 主动信息搜集
使用nmap进行端口扫描
-sS 隐秘的TCP扫描 ,以确定某个TCP端口是否开放
-Pn 不使用ping命令,默认所有主机都存活。适用于外网,内网不用
-A 深入的服务枚举和旗标获取
在msf中使用数据库
将nmap结果导入metasploit
/home/output# nmap -Pn -Ss -A -oX Subnet1.xml 192.168.1.0/24
db_import /home/output/Subnet1.xml
Hosts -c address
TCP空闲扫描
msf> use auxiliary/scanner/ip/ipidseq
Show options
set RHOSTS => ip
Set THREADS 50
run
Nmap -Pn -sI 192.168.1.131 132.168.1.201
在msf中运行nmap
db_nmap -sS -A 192.168.1.201
Services -u
使用msf进行端口扫描
msf> search portscan
Use auxiliary/scanner/portscan/syn
set RHOSTS
set THREADS 50
run
3 .3针对性扫描
331. 服务器消息块协议扫描
use auxiliary/scanner/smb/smb_version
show options
set RHOSTS
run
332.搜索配置不当的mssql
use auxiliary/scanner/mssql/mssql_ping
show options
set RHOSTS
set THREADS 255
run
333. SSH服务器扫描
use auxiliary/scanner/ssh/ssh_version
set RHOSTS
set THREADS 50
run
334.FTP扫描
use auxiliary/scanner/ftp/ftp_version
set RHOSTS
set THREADS 255
run
335.简单网管协议snmp扫描
msf auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.1.111
RHOSTS => 192.168.1.111
msf auxiliary(scanner/snmp/snmp_login) > set THREADS 50
THREADS => 50
msf auxiliary(scanner/snmp/snmp_login) > run
原文:https://www.cnblogs.com/ly584521/p/10688278.html