msf auxiliary(scanner/telnet/telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS    192.168.1.119    yes       The target address range or CIDR identifier
   RPORT     23               yes       The target port (TCP)
   THREADS   50               yes       The number of concurrent threads
   TIMEOUT   30               yes       Timeout for the Telnet probe
   USERNAME                   no        The username to authenticate as

msf auxiliary(scanner/telnet/telnet_version) > exploit

[+] 192.168.1.119:23 - 192.168.1.119:23 TELNET Welcome to Microsoft Telnet Service \x0a\x0a\x0dlogin:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
8: Discovering live internal-network hosts with scanner/discovery/udp_probe
msf auxiliary(scanner/discovery/udp_probe) > show options

Module options (auxiliary/scanner/discovery/udp_probe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   RHOSTS   192.168.1.0/24   yes       The target address range or CIDR identifier
   THREADS  50               yes       The number of concurrent threads

msf auxiliary(scanner/discovery/udp_probe) > exploit

[+] Discovered NetBIOS on 192.168.1.2:137 (JOHN-PC:<00>:U :WORKGROUP:<00>:G :JOHN-PC:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U :__MSBROWSE__:<01>:G :4c:cc:6a:e3:51:27)
[+] Discovered DNS on 192.168.1.1:53 (de778500000100010000000007564552 53494f4e0442494e440000100003c00c0010000300000001001a19737572656c7920796f75206d757374206265206a6f6b696e67)
[*] Scanned 43 of 256 hosts (16% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 89 of 256 hosts (34% complete)
[+] Discovered NetBIOS on 192.168.1.119:137 (WIN03X64:<00>:U :WIN03X64:<20>:U :WORKGROUP:<00>:G :WORKGROUP:<1e>:G :WIN03X64:<03>:U :ADMINISTRATOR:<03>:U :WIN03X64:<01>:U :00:0c:29:85:d6:7d)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 140 of 256 hosts (54% complete)
[*] Scanned 163 of 256 hosts (63% complete)
[*] Scanned 184 of 256 hosts (71% complete)
[*] Scanned 212 of 256 hosts (82% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
9: Discovering live internal-network hosts with auxiliary/scanner/dns/dns_amp
msf auxiliary(scanner/dns/dns_amp) > show options

Module options (auxiliary/scanner/dns/dns_amp):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BATCHSIZE   256              yes       The number of hosts to probe in each set
   DOMAINNAME  isc.org          yes       Domain to use for the DNS request
   FILTER                       no        The filter string for capturing traffic
   INTERFACE                    no        The name of the interface
   PCAPFILE                     no        The name of the PCAP capture file to process
   QUERYTYPE   ANY              yes       Query type (A, NS, SOA, MX, TXT, AAAA, RRSIG, DNSKEY, ANY)
   RHOSTS      192.168.1.0/24   yes       The target address range or CIDR identifier
   RPORT       53               yes       The target port (UDP)
   SNAPLEN     65535            yes       The number of bytes to capture
   THREADS     50               yes       The number of concurrent threads
   TIMEOUT     500              yes       The number of seconds to wait for new data

msf auxiliary(scanner/dns/dns_amp) > exploit

[*] Sending DNS probes to 192.168.1.0->192.168.1.255 (256 hosts)
[*] Sending 67 bytes to each host using the IN ANY isc.org request
[+] 192.168.1.1:53 - Response is 530 bytes [7.91x Amplification]
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
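The two DNS results above are easier to judge once decoded. The hex blob udp_probe prints for 192.168.1.1 is a raw DNS reply, and the "7.91x" figure dns_amp prints is simply response size over probe size. The following script is an added example, not code from the page or from Metasploit: it parses that reply (the hex is transcribed from the udp_probe output above) and reproduces the amplification ratio from the 67-byte probe and 530-byte answer reported by dns_amp, so a defender can see what the resolver actually disclosed and how strongly it amplifies.

```python
import struct

# DNS reply printed by udp_probe for 192.168.1.1:53 (transcribed from the
# scan output above; the whitespace inside the blob has been removed).
UDP_PROBE_DNS_HEX = (
    "de778500000100010000000007564552"
    "53494f4e0442494e440000100003c00c"
    "0010000300000001001a19737572656c"
    "7920796f75206d757374206265206a6f"
    "6b696e67"
)


def read_name(msg, off):
    """Read a DNS name at msg[off], following a compression pointer if present.
    Returns (dotted name, offset just past the name as stored at off)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def decode_udp_probe_dns(hex_payload):
    """Decode the single-question, single-answer reply udp_probe elicited."""
    msg = bytes.fromhex(hex_payload)
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    aname, off = read_name(msg, off)
    atype, aclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    txt = rdata[1:1 + rdata[0]].decode("ascii")  # TXT rdata: <len><chars>
    return {"id": txid, "authoritative": bool(flags & 0x0400),
            "qname": qname, "qtype": qtype, "qclass": qclass,
            "answer_name": aname, "answer_type": atype, "ttl": ttl, "txt": txt}


def amplification_factor(request_bytes, response_bytes):
    """Ratio dns_amp reports: response size / probe size (530 / 67 -> 7.91)."""
    return round(response_bytes / request_bytes, 2)
```

The decoded query is VERSION.BIND in class CH (3), type TXT (16), and the server answered with a configured decoy string rather than its real version, which is the recommended hardening for that query.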