The DB in Metasploit

    In a penetration test, maintaining host/service/vulnerability information by hand creates an enormous amount of work.

    In Metasploit this work is already very well encapsulated: every time an internal module is run, its results are stored in the DB automatically, and a few simple commands are enough to view them conveniently.

    DB operations in Metasploit

    msf > help database
    
    Database Backend Commands
    =========================
    
        Command        Description
        -------        -----------
        creds          List all credentials in the database
        db_connect     Connect to an existing database
        db_disconnect  Disconnect from the current database instance
        db_export      Export a file containing the contents of the database
        db_import      Import a scan result file (filetype will be auto-detected)
        db_nmap        Executes nmap and records the output automatically
        db_status      Show the current database status
        hosts          List all hosts in the database
        loot           List all loot in the database
        notes          List all notes in the database
        services       List all services in the database
        vulns          List all vulnerabilities in the database
        workspace      Switch between database workspaces
    msf auxiliary(ssh_version) > show options

    Module options (auxiliary/scanner/ssh/ssh_version):

       Name     Current Setting                        Required  Description
       ----     ---------------                        --------  -----------
       RHOSTS   file:/root/DailyPentest/IPSrc/example  yes       The target address range or CIDR identifier
       RPORT    22                                     yes       The target port
       THREADS  1                                      yes       The number of concurrent threads
       TIMEOUT  30                                     yes       Timeout for the SSH probe

    msf auxiliary(ssh_version) > set RHOSTS file:/root/DailyPentest/IPSrc/aa
    RHOSTS => file:/root/DailyPentest/IPSrc/aa
    msf auxiliary(ssh_version) > run

    [*] 124.127.106.5:22, SSH server version: SSH-1.99-OpenSSH_5.8p2
    [*] Scanned 1 of 9 hosts (011% complete)
    [*] 124.127.106.3:22, SSH server version: SSH-1.99-OpenSSH_3.9p1
    [*] Scanned 2 of 9 hosts (022% complete)
    [*] Scanned 3 of 9 hosts (033% complete)
    [*] Scanned 4 of 9 hosts (044% complete)
    [*] Scanned 5 of 9 hosts (055% complete)
    [*] Scanned 6 of 9 hosts (066% complete)
    [*] Scanned 7 of 9 hosts (077% complete)
    [*] 167.124.236.145:22, SSH server version: SSH-2.0-ArrayOS
    [*] Scanned 8 of 9 hosts (088% complete)
    [-] 167.124.236.184:22, SSH server version detection failed!
    [*] Scanned 9 of 9 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(ssh_version) > services

    Services
    ========

    host             port  proto  name          state  info
    ----             ----  -----  ----          -----  ----
    167.124.236.145  22    tcp    ssh           open   SSH-2.0-ArrayOS
    167.124.236.243  22    tcp    ssh           open   SSH-2.0-ArrayOS
    124.127.106.3    22    tcp    ssh           open   SSH-1.99-OpenSSH_3.9p1
    124.127.106.5    22    tcp    ssh           open   SSH-1.99-OpenSSH_5.8p2
    192.168.0.104    135   tcp    msrpc         open   
    192.168.0.104    554   tcp    rtsp          open   
    192.168.0.104    445   tcp    microsoft-ds  open   Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:WIN-R2OU7BR820S) (domain:WORKGROUP)
    192.168.0.104    139   tcp    netbios-ssn   open   
    192.168.0.105    21    tcp    ftp           open   220 (vsFTPd 2.0.6)x0dx0a
    192.168.0.105    22    tcp    ssh           open   SSH-2.0-OpenSSH_4.7p1 Debian-8
    192.168.0.105    631   tcp    ipp           open   

    msf auxiliary(ssh_version) > services -p 22

    Services
    ========

    host             port  proto  name  state  info
    ----             ----  -----  ----  -----  ----
    167.124.236.145  22    tcp    ssh   open   SSH-2.0-ArrayOS
    167.124.236.243  22    tcp    ssh   open   SSH-2.0-ArrayOS
    124.127.106.3    22    tcp    ssh   open   SSH-1.99-OpenSSH_3.9p1
    124.127.106.5    22    tcp    ssh   open   SSH-1.99-OpenSSH_5.8p2
    192.168.0.105    22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8



     db_nmap can be used in place of nmap, since its results are imported directly into the DB and can then be viewed extremely conveniently with commands.

    msf > services -R 192.168.0.105
    
    Services
    ========
    
    host           port  proto  name  state  info
    ----           ----  -----  ----  -----  ----
    192.168.0.105  21    tcp    ftp   open   220 (vsFTPd 2.0.6)x0dx0a
    192.168.0.105  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8
    192.168.0.105  631   tcp    ipp   open   
    
    RHOSTS => 192.168.0.105
    
    msf > services -p 21
    
    Services
    ========
    
    host           port  proto  name  state  info
    ----           ----  -----  ----  -----  ----
    192.168.0.105  21    tcp    ftp   open   220 (vsFTPd 2.0.6)x0dx0a
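Outside msfconsole the same "services" listing often has to be processed in a script. The Python below is an added example (not part of the original post and not Metasploit code): it parses the table exactly as msfconsole prints it, using rows copied from the listing above, and reproduces what "services -p 22" and "services -R" select, plus a check for services recorded without a banner.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a "services" listing as msfconsole prints it
# (rows taken from the listing earlier on this page).
SERVICES_OUTPUT = """\
Services
========

host             port  proto  name          state  info
----             ----  -----  ----          -----  ----
124.127.106.3    22    tcp    ssh           open   SSH-1.99-OpenSSH_3.9p1
124.127.106.5    22    tcp    ssh           open   SSH-1.99-OpenSSH_5.8p2
192.168.0.104    135   tcp    msrpc         open   
192.168.0.104    445   tcp    microsoft-ds  open   Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:WIN-R2OU7BR820S) (domain:WORKGROUP)
192.168.0.105    21    tcp    ftp           open   220 (vsFTPd 2.0.6)x0dx0a
192.168.0.105    22    tcp    ssh           open   SSH-2.0-OpenSSH_4.7p1 Debian-8
192.168.0.105    631   tcp    ipp           open   
"""

@dataclass
class Service:
    host: str
    port: int
    proto: str
    name: str
    state: str
    info: str

def parse_services(text: str) -> List[Service]:
    """Parse a msfconsole 'services' table. Column starts are taken from the
    dashed underline row, so the free-text info column may contain spaces."""
    lines = text.splitlines()
    idx = next((i for i, l in enumerate(lines)
                if re.fullmatch(r"-+(?:\s+-+)+\s*", l)), None)
    if idx is None:
        raise ValueError("no column underline row found")
    starts = [m.start() for m in re.finditer(r"-+", lines[idx])]
    rows = []
    for line in lines[idx + 1:]:
        if not line.strip():
            continue
        host, port, proto, name, state = (
            line[a:b].strip() for a, b in zip(starts, starts[1:]))
        info = line[starts[-1]:].strip()  # last column runs to end of line
        rows.append(Service(host, int(port), proto, name, state, info))
    return rows

def services_on_port(rows: List[Service], port: int) -> List[Service]:
    """Equivalent of 'services -p <port>'."""
    return [r for r in rows if r.port == port]

def rhosts(rows: List[Service]) -> List[str]:
    """Unique hosts in listing order: what 'services -R' places into RHOSTS."""
    return list(dict.fromkeys(r.host for r in rows))

def missing_banners(rows: List[Service]):
    """Services stored with no version info (e.g. the SSH probe failed)."""
    return [(r.host, r.port) for r in rows if not r.info]
```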
    Original article: https://www.cnblogs.com/vigarbuaa/p/3506356.html