Internal network host discovery
After gaining a foothold on a target, especially when the target sits in an internal network rather than a cloud environment, internal network penetration usually follows. The key to internal penetration is information gathering: the more information collected, the higher the chance of success and the more options open up. An indispensable part of internal information gathering is discovering live hosts on the internal network; the more live hosts there are, the more targets there are to work with and the more possibilities.
Discovering live internal hosts via NetBIOS
nmap scan
msf scan
nbtscan scan (recommended)
- Windows
- Linux
Discovering live internal hosts via SNMP
nmap scan
msf scan
Discovering live internal hosts via ICMP
nmap scan
cmd scan
PowerShell scan
powershell.exe -exec bypass -Command "Import-Module ./Invoke-TSPingSweep.ps1; Invoke-TSPingSweep -StartAddress 192.168.1.1 -EndAddress 192.168.1.254 -ResolveHost -ScanPort -Port 445,135"
The Invoke-TSPingSweep.ps1 script, attached:
function Invoke-TSPingSweep {
<#
.SYNOPSIS
    Scan IP-Addresses, Ports and HostNames
.DESCRIPTION
    Scan for IP-Addresses, HostNames and open Ports in your Network.
.PARAMETER StartAddress
    StartAddress Range
.PARAMETER EndAddress
    EndAddress Range
.PARAMETER ResolveHost
    Resolve HostName
.PARAMETER ScanPort
    Perform a PortScan
.PARAMETER Ports
    Ports That should be scanned, default values are: 21,22,23,53,69,71,80,98,110,139,111,
    389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,
    5801,5900,5555,5901
.PARAMETER TimeOut
    Time (in MilliSeconds) before TimeOut, Default set to 100
.EXAMPLE
    Invoke-TSPingSweep -StartAddress 192.168.0.1 -EndAddress 192.168.0.254
.EXAMPLE
    Invoke-TSPingSweep -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost
.EXAMPLE
    Invoke-TSPingSweep -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort
.EXAMPLE
    Invoke-TSPingSweep -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort -TimeOut 500
.EXAMPLE
    Invoke-TSPingSweep -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort -Port 80
.LINK
    http://www.truesec.com
.NOTES
    Goude 2012, TrueSec
#>
    Param(
        [parameter(Mandatory = $true, Position = 0)]
        [ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
        [string]$StartAddress,
        [parameter(Mandatory = $true, Position = 1)]
        [ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
        [string]$EndAddress,
        [switch]$ResolveHost,
        [switch]$ScanPort,
        [int[]]$Ports = @(21,22,23,53,69,71,80,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,5801,5900,5555,5901),
        [int]$TimeOut = 100
    )
    Begin {
        $ping = New-Object System.Net.NetworkInformation.Ping
    }
    Process {
        # Each octet of the range is iterated independently, so the sweep covers every
        # combination of octet values between the start and end addresses.
        foreach($a in ($StartAddress.Split(".")[0]..$EndAddress.Split(".")[0])) {
            foreach($b in ($StartAddress.Split(".")[1]..$EndAddress.Split(".")[1])) {
                foreach($c in ($StartAddress.Split(".")[2]..$EndAddress.Split(".")[2])) {
                    foreach($d in ($StartAddress.Split(".")[3]..$EndAddress.Split(".")[3])) {
                        write-progress -activity PingSweep -status "$a.$b.$c.$d" -percentcomplete (($d/($EndAddress.Split(".")[3])) * 100)
                        # One ICMP echo request per address; only hosts that answer are processed further.
                        $pingStatus = $ping.Send("$a.$b.$c.$d",$TimeOut)
                        if($pingStatus.Status -eq "Success") {
                            if($ResolveHost) {
                                write-progress -activity ResolveHost -status "$a.$b.$c.$d" -percentcomplete (($d/($EndAddress.Split(".")[3])) * 100) -Id 1
                                # Start the reverse lookup asynchronously; the result is collected after the port scan.
                                $getHostEntry = [Net.DNS]::BeginGetHostEntry($pingStatus.Address, $null, $null)
                            }
                            if($ScanPort) {
                                $openPorts = @()
                                for($i = 1; $i -le $Ports.Count; $i++) {
                                    $port = $Ports[($i-1)]
                                    write-progress -activity PortScan -status "$a.$b.$c.$d" -percentcomplete (($i/($Ports.Count)) * 100) -Id 2
                                    $client = New-Object System.Net.Sockets.TcpClient
                                    # Asynchronous connect; the socket is considered open if it is connected
                                    # immediately or after waiting one TimeOut interval.
                                    $beginConnect = $client.BeginConnect($pingStatus.Address,$port,$null,$null)
                                    if($client.Connected) {
                                        $openPorts += $port
                                    } else {
                                        # Wait
                                        Start-Sleep -Milliseconds $TimeOut
                                        if($client.Connected) {
                                            $openPorts += $port
                                        }
                                    }
                                    $client.Close()
                                }
                            }
                            if($ResolveHost) {
                                $hostName = ([Net.DNS]::EndGetHostEntry([IAsyncResult]$getHostEntry)).HostName
                            }
                            # Return Object
                            New-Object PSObject -Property @{
                                IPAddress = "$a.$b.$c.$d";
                                HostName = $hostName;
                                Ports = $openPorts
                            } | Select-Object IPAddress, HostName, Ports
                        }
                    }
                }
            }
        }
    }
    End {
    }
}
Discovering live internal hosts via SMB
msf scan
cme scan
nmap scan
Using cmd
Requires telnet to be available in cmd
Using PowerShell
1..5 | % { $a = $_; 445 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"} 2>$null}
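A defender-side complement to the ICMP sweep script and the TcpClient one-liner above, added here and not part of the original notes: it parses constructed flow-log lines (the key=value log format, addresses and thresholds are assumptions) and flags a source that sends echo requests to many distinct hosts or probes TCP 445/135 on several hosts, which is exactly the traffic pattern those two techniques produce.

```python
import re
from collections import defaultdict

# Ports the sweep on this page probes once a host answers ping: 445 and 135 in the
# Invoke-TSPingSweep command, 445 in the TcpClient one-liner.
RECON_PORTS = {445, 135}

# Assumed key=value flow-log format (not from the page); adapt LINE_RE to your own logs.
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?"
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def detect_sweeps(lines, icmp_min_targets=8, tcp_min_hosts=3):
    """Map each suspicious source IP to what it did: echo requests fanned out to at least
    icmp_min_targets distinct hosts, and/or RECON_PORTS probed on at least tcp_min_hosts."""
    icmp_targets = defaultdict(set)   # src -> hosts it pinged
    probed_hosts = defaultdict(set)   # src -> hosts it hit on 445/135
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "icmp" and rec["type"] == "8":          # echo request
            icmp_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "tcp" and rec["dport"] and int(rec["dport"]) in RECON_PORTS:
            probed_hosts[rec["src"]].add(rec["dst"])
    findings = {}
    for src in set(icmp_targets) | set(probed_hosts):
        hit = {}
        if len(icmp_targets[src]) >= icmp_min_targets:
            hit["icmp_sweep_targets"] = len(icmp_targets[src])
        if len(probed_hosts[src]) >= tcp_min_hosts:
            hit["smb_rpc_probed_hosts"] = len(probed_hosts[src])
        if hit:
            findings[src] = hit
    return findings

# Constructed sample: 10.0.5.23 pings .1-.10, then probes 445/135 on the three that answered;
# 10.0.5.40 is an ordinary client opening one SMB session and sending one ping.
SAMPLE_LOG = [f"2024-05-01T10:00:01Z proto=icmp src=10.0.5.23 dst=10.0.5.{i} type=8" for i in range(1, 11)]
SAMPLE_LOG += [f"2024-05-01T10:00:02Z proto=tcp src=10.0.5.23 dst=10.0.5.{i} dport={p} flags=S"
               for i in (2, 4, 7) for p in (445, 135)]
SAMPLE_LOG += ["2024-05-01T10:00:05Z proto=tcp src=10.0.5.40 dst=10.0.5.2 dport=445 flags=S",
               "2024-05-01T10:00:06Z proto=icmp src=10.0.5.40 dst=10.0.5.1 type=8"]

if __name__ == "__main__":
    for src, hit in detect_sweeps(SAMPLE_LOG).items():
        print(src, hit)
```

The thresholds are deliberately low for the sample; on a real network tune them against a baseline so that monitoring systems and file servers do not trip the rule.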
Discovering live hosts with MSF
Discovering HTTP services with auxiliary/scanner/http/http_version
use auxiliary/scanner/http/http_version
set RHOSTS 192.168.1.0/24
set RPORT 80
set THREADS 20
exploit
Discovering SMB services with auxiliary/scanner/smb/smb_version
Discovering FTP services with auxiliary/scanner/ftp/ftp_version
Discovering SSH services with auxiliary/scanner/ssh/ssh_version
Discovering telnet services with auxiliary/scanner/telnet/telnet_version
Discovering MySQL services with auxiliary/scanner/mysql/mysql_version
Determines whether a host is alive by finding a MySQL service
Discovering DB2 services with auxiliary/scanner/db2/db2_version
Determines whether a host is alive by finding a DB2 service
Discovering live internal hosts with auxiliary/scanner/discovery/arp_sweep
Discovering live internal hosts with auxiliary/scanner/discovery/udp_sweep
Discovering live internal hosts with scanner/discovery/udp_probe
Discovering live internal hosts with auxiliary/scanner/dns/dns_amp
Discovering live internal hosts with auxiliary/scanner/netbios/nbname
Determines whether a host is alive by scanning NetBIOS
Discovering live internal hosts with auxiliary/scanner/http/title
Determines whether a host is alive by scanning website titles
Discovering live internal hosts with auxiliary/scanner/portscan/ack
Determines whether a host is alive by scanning specified ports; multiple ports can be selected
Discovering live internal hosts with auxiliary/scanner/portscan/tcp
Determines whether a host is alive by scanning specified ports; multiple ports can be selected
Discovering live internal hosts with auxiliary/scanner/portscan/syn
Determines whether a host is alive by scanning specified ports; multiple ports can be selected
Discovering live internal hosts with auxiliary/scanner/portscan/ftpbounce
use auxiliary/scanner/portscan/ftpbounce
set RHOSTS 192.168.1.0/24
set PORTS 22,80,137,139,3389
set THREADS 20
exploit
Discovering live internal hosts with auxiliary/scanner/portscan/xmas
use auxiliary/scanner/portscan/xmas
set RHOSTS 192.168.1.0/24
set PORTS 22,25,80,110-900
set THREADS 20
exploit
Discovering live internal hosts with auxiliary/scanner/rdp/rdp_scanner
Discovering live internal hosts with auxiliary/scanner/smtp/smtp_version
Discovering live internal hosts with auxiliary/scanner/pop3/pop3_version
Discovering live internal hosts with auxiliary/scanner/postgres/postgres_version
Discovering live internal hosts with auxiliary/scanner/ftp/anonymous
Discovering live internal hosts with db_nmap
db_nmap is really just nmap under another name; its command syntax is identical to nmap, but it apparently needs a database connection.
Viewing the live internal hosts already discovered in the database
Discovering live internal hosts with post/windows/gather/arp_scanner
Discovering live domain hosts with post/windows/gather/enum_computers
Discovering live domain hosts with post/windows/gather/enum_domain
This mainly determines whether the host is in a Windows domain and what the domain name is
Discovering live domain hosts with post/windows/gather/enum_ad_user_comments
Other post modules
- post/linux/gather/enum_network
- post/linux/busybox/enum_hosts
- post/windows/gather/enum_ad_users
- post/windows/gather/enum_domain_tokens
- post/windows/gather/enum_snmp
- search enum_ad