> For the complete documentation index, see [llms.txt](https://micro8.gitbook.io/micro8/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://micro8.gitbook.io/micro8/contents-1/21-30/28-ji-yu-msf-fa-xian-nei-wang-cun-huo-zhu-ji-di-liu-ji.md).

# 第二十八课：基于MSF发现内网存活主机第六季

**注：**&#x8BF7;多喝点热水或者凉白开，可预防**肾结石，通风**等。如有肾囊肿，请定期检查肾囊肿的大小变化。

**攻击机：**\
192.168.1.102 Debian

**靶机：**\
192.168.1.2 Windows 7\
192.168.1.115 Windows 2003\
192.168.1.119 Windows 2003

**第一季主要介绍scanner下的五个模块，辅助发现内网存活主机，分别为：**

* auxiliary/scanner/discovery/arp\_sweep&#x20;
* auxiliary/scanner/discovery/udp\_sweep
* auxiliary/scanner/ftp/ftp\_version&#x20;
* auxiliary/scanner/http/http\_version
* auxiliary/scanner/smb/smb\_version

**第二季主要介绍scanner下的五个模块，辅助发现内网存活主机，分别为：**

* auxiliary/scanner/ssh/ssh\_version&#x20;
* auxiliary/scanner/telnet/telnet\_version
* auxiliary/scanner/discovery/udp\_probe&#x20;
* auxiliary/scanner/dns/dns\_amp
* auxiliary/scanner/mysql/mysql\_version

**第三季主要介绍scanner下的五个模块，辅助发现内网存活主机，分别为：**

* auxiliary/scanner/netbios/nbname&#x20;
* auxiliary/scanner/http/title
* auxiliary/scanner/db2/db2\_version&#x20;
* auxiliary/scanner/portscan/ack
* auxiliary/scanner/portscan/tcp

**第四季主要介绍scanner下的五个模块，辅助发现内网存活主机，分别为：**

* auxiliary/scanner/portscan/syn&#x20;
* auxiliary/scanner/portscan/ftpbounce
* auxiliary/scanner/portscan/xmas&#x20;
* auxiliary/scanner/rdp/rdp\_scanner
* auxiliary/scanner/smtp/smtp\_version

**第五季主要介绍scanner下的三个模块，以及db\_nmap辅助发现内网存活主机，分别为：**

* auxiliary/scanner/pop3/pop3\_version
* auxiliary/scanner/postgres/postgres\_version&#x20;
* auxiliary/scanner/ftp/anonymous
* db\_nmap

**第六季主要介绍post下的六个模块，辅助发现内网存活主机，分别为：**

* windows/gather/arp\_scanner&#x20;
* windows/gather/enum\_ad\_computers
* windows/gather/enum\_computers&#x20;
* windows/gather/enum\_domain
* windows/gather/enum\_domains&#x20;
* windows/gather/enum\_ad\_user\_comments

在实战过程中，许多特殊环境下scanner，db\_nmap不能快速符合实战渗透诉求，尤其在域中的主机存活发现，而post下的模块，弥补了该诉求，以便快速了解域中存活主机。

## 二十五：基于windows/gather/arp\_scanner发现内网存活主机

```bash
meterpreter > run windows/gather/arp_scanner RHOSTS=192.168.1.110‐120 THREADS=20

[*] Running module against VM_2003X86
[*] ARP Scanning 192.168.1.110‐120
[+] IP: 192.168.1.115 MAC 00:0c:29:af:ce:cc (VMware, Inc.)
[+] IP: 192.168.1.119 MAC 00:0c:29:85:d6:7d (VMware, Inc.)
```

![](/files/-LZJx4baQpSEPyS6HtkB)

## 二十六：基于windows/gather/enum\_ad\_computers发现域中存活主机

```bash
meterpreter > run windows/gather/enum_ad_computers
```

![](/files/-LZJx4bdyz4Pf57RIaJE)

## 二十七：基于windows/gather/enum\_computers发现域中存活主机

```bash
meterpreter > run windows/gather/enum_computers 

[*] Running module against VM_2003X86
[‐] This host is not part of a domain.
```

![](/files/-LZJx4bfHdUX22DgKqsa)

## 二十八：基于windows/gather/enum\_domain发现域中存活主机

```bash
meterpreter > run windows/gather/enum_domain
```

![](/files/-LZJx4bjBeEPDAxKdgAM)

## 二十九：基于windows/gather/enum\_domains 发现域中存活主机

```bash
meterpreter > run windows/gather/enum_domains 

[*] Enumerating DCs for WORKGROUP
[‐] No Domain Controllers found...
```

![](/files/-LZJx4bljws-N6X-fztf)

## 三十：基于windows/gather/enum\_ad\_user\_comments发现域中存活主机

```bash
meterpreter > run windows/gather/enum_ad_user_comments
```

![](/files/-LZJx4bon54HCX8oE5VJ)

**POST下相关模块如：（列举）不一一介绍**

* linux/gather/enum\_network
* linux/busybox/enum\_hosts
* windows/gather/enum\_ad\_users
* windows/gather/enum\_domain\_tokens
* windows/gather/enum\_snmp

至此，MSF发现内网存活主机主要模块介绍与使用完毕。

> Micropoor
