# 第二十八课:基于MSF发现内网存活主机第六季 **注:**请多喝点热水或者凉白开,可预防**肾结石,通风**等。如有肾囊肿,请定期检查肾囊肿的大小变化。 **攻击机:**\ 192.168.1.102 Debian **靶机:**\ 192.168.1.2 Windows 7\ 192.168.1.115 Windows 2003\ 192.168.1.119 Windows 2003 **第一季主要介绍scanner下的五个模块,辅助发现内网存活主机,分别为:** * auxiliary/scanner/discovery/arp\_sweep * auxiliary/scanner/discovery/udp\_sweep * auxiliary/scanner/ftp/ftp\_version * auxiliary/scanner/http/http\_version * auxiliary/scanner/smb/smb\_version **第二季主要介绍scanner下的五个模块,辅助发现内网存活主机,分别为:** * auxiliary/scanner/ssh/ssh\_version * auxiliary/scanner/telnet/telnet\_version * auxiliary/scanner/discovery/udp\_probe * auxiliary/scanner/dns/dns\_amp * auxiliary/scanner/mysql/mysql\_version **第三季主要介绍scanner下的五个模块,辅助发现内网存活主机,分别为:** * auxiliary/scanner/netbios/nbname * auxiliary/scanner/http/title * auxiliary/scanner/db2/db2\_version * auxiliary/scanner/portscan/ack * auxiliary/scanner/portscan/tcp **第四季主要介绍scanner下的五个模块,辅助发现内网存活主机,分别为:** * auxiliary/scanner/portscan/syn * auxiliary/scanner/portscan/ftpbounce * auxiliary/scanner/portscan/xmas * auxiliary/scanner/rdp/rdp\_scanner * auxiliary/scanner/smtp/smtp\_version **第五季主要介绍scanner下的三个模块,以及db\_nmap辅助发现内网存活主机,分别为:** * auxiliary/scanner/pop3/pop3\_version * auxiliary/scanner/postgres/postgres\_version * auxiliary/scanner/ftp/anonymous * db\_nmap **第六季主要介绍post下的六个模块,辅助发现内网存活主机,分别为:** * windows/gather/arp\_scanner * windows/gather/enum\_ad\_computers * windows/gather/enum\_computers * windows/gather/enum\_domain * windows/gather/enum\_domains * windows/gather/enum\_ad\_user\_comments 在实战过程中,许多特殊环境下scanner,db\_nmap不能快速符合实战渗透诉求,尤其在域中的主机存活发现,而post下的模块,弥补了该诉求,以便快速了解域中存活主机。 ## 二十五:基于windows/gather/arp\_scanner发现内网存活主机 ```bash meterpreter > run windows/gather/arp_scanner RHOSTS=192.168.1.110‐120 THREADS=20 [*] Running module against VM_2003X86 [*] ARP Scanning 192.168.1.110‐120 [+] IP: 192.168.1.115 MAC 00:0c:29:af:ce:cc (VMware, Inc.) [+] IP: 192.168.1.119 MAC 00:0c:29:85:d6:7d (VMware, Inc.) ``` ![](/files/-LZJx4baQpSEPyS6HtkB) ## 二十六:基于windows/gather/enum\_ad\_computers发现域中存活主机 ```bash meterpreter > run windows/gather/enum_ad_computers ``` ![](/files/-LZJx4bdyz4Pf57RIaJE) ## 二十七:基于windows/gather/enum\_computers发现域中存活主机 ```bash meterpreter > run windows/gather/enum_computers [*] Running module against VM_2003X86 [‐] This host is not part of a domain. ``` ![](/files/-LZJx4bfHdUX22DgKqsa) ## 二十八:基于windows/gather/enum\_domain发现域中存活主机 ```bash meterpreter > run windows/gather/enum_domain ``` ![](/files/-LZJx4bjBeEPDAxKdgAM) ## 二十九:基于windows/gather/enum\_domains 发现域中存活主机 ```bash meterpreter > run windows/gather/enum_domains [*] Enumerating DCs for WORKGROUP [‐] No Domain Controllers found... ``` ![](/files/-LZJx4bljws-N6X-fztf) ## 三十:基于windows/gather/enum\_ad\_user\_comments发现域中存活主机 ```bash meterpreter > run windows/gather/enum_ad_user_comments ``` ![](/files/-LZJx4bon54HCX8oE5VJ) **POST下相关模块如:(列举)不一一介绍** * linux/gather/enum\_network * linux/busybox/enum\_hosts * windows/gather/enum\_ad\_users * windows/gather/enum\_domain\_tokens * windows/gather/enum\_snmp 至此,MSF发现内网存活主机主要模块介绍与使用完毕。 > Micropoor --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://micro8.gitbook.io/micro8/contents-1/21-30/28-ji-yu-msf-fa-xian-nei-wang-cun-huo-zhu-ji-di-liu-ji.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.