Step1:啟動postsql數據庫
root@kali:~# service postgresql start
Step2:初始化msf數據庫
root@kali:~# msfdb init
[i] Database already started
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
Step3:進入msf控制台
root@kali:~# msfconsole
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM MMMMMMMMMM
MMMN$ vMMMM
MMMNl MMMMM MMMMM JMMMM
MMMNl MMMMMMMN NMMMMMMM JMMMM
MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMNM MMMMMMM MMMMM jMMMM
MMMNI WMMMM MMMMMMM MMMM# JMMMM
MMMMR ?MMNM MMMMM .dMMMM
MMMMNm `?MMM MMMM` dMMMMM
MMMMMMN ?MM MM? NMMMMMN
MMMMMMMMNe JMMMMMNMMM
MMMMMMMMMMNm, eMMMMMNMMNMM
MMMMNNMNMMMMMNx MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
https://metasploit.com
=[ metasploit v5.0.71-dev ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 >
Step4:進行主機掃描
msf5 > db_nmap -sV 192.168.1.2
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-30 05:18 EST
[*] Nmap: Nmap scan report for 192.168.1.2
[*] Nmap: Host is up (0.00024s latency).
[*] Nmap: All 1000 scanned ports on 192.168.1.2 are filtered
[*] Nmap: MAC Address: 98:3B:8F:18:C9:8C (Intel Corporate)
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 22.60 seconds
Step5:進行smb掃描測試
use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) >
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.2
RHOSTS => 192.168.1.2
msf5 auxiliary(scanner/smb/smb_version) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/smb/smb_version) > run
use auxiliary/scanner/smb/smb_version(smb版本掃描)
use auxiliary/scanner/smb/pipe_auditor(掃描命名管道,判斷smb服務類型,帳號,密碼)
use auxiliary/scanner/smb/pipe_dcerpc_auditor(掃描通過smb管道可以訪問的RCERPC服務)
use auxiliary/scanner/smb/smb_enumshares(smb共享枚舉---帳號,密碼)
use auxiliary/scanner/smb/smb_enumusers(smb用戶枚舉----帳號密碼)
use auxiliary/scanner/smb/smb_lookupsid(sid枚舉--帳號,密碼)
use auxiliary/scanner/ssh/ssh_version(ssh版本掃描)
use auxiliary/scanner/ssh/ssh_login (ssh密碼爆破)
use auxiliary/scanner/ssh/ssh_login_pubkey(ssh公鑰登錄---set KEY_FILE id_rsa set USERNAME root)
use post/windows/gather/enum_patches(基於已經獲取了session進行檢測windows缺少的補丁)
use auxiliary/scanner/mssql/mssql_ping(mssql端口掃描)
use auxiliary/scanner/mssql/mssql_login(爆破mssql密碼)
use auxiliary/admin/mssql/mssql_exec(遠程執行代碼--set CMD net user user pass /ADD)
use auxiliary/scanner/ftp/ftp_version(FTP版本掃描)
use auxiliary/scanner/ftp/anonymous(FTP匿名登錄)
use auxiliary/scanner/ftp/ftp_login(FTP暴力破解)
use auxiliary/scanner/vnc/vnc_login(vnc密碼破解)
use auxiliary/scanner/vnc/vnc_none_auth(vnc無密碼訪問---supported:None, free access!)
use auxiliary/scanner/rdp/ms12_020_check(RDP遠程桌面漏洞---檢查會不會造成DoS攻擊)
use auxiliary/scanner/ssh/juniper_backdoor(設備后門)
use auxiliary/scanner/ssh/fortinet_backdoor(設備后門)
use auxiliary/scanner/vmware/vmauthd_login(VMWare ESXi密碼破解)
use auxiliary/scanner/vmware/vmware_enum_vms(VMWare ESXi密碼破解)
use auxiliary/admin/vmware/poweron_vm(利用web api遠程開啟虛擬機)
HTTP 弱點掃描
use auxiliary/scanner/http/cert(過期證書掃描)
use auxiliary/scanner/http/dir_listing(顯示目錄及文件)
use auxiliary/scanner/http/files_dir顯示目錄及文件)
use auxiliary/scanner/http/dir_webdav_unicode_bypass(WebDAV Unicode 編碼身份驗證繞過)
use auxiliary/scanner/http/tomcat_mgr_login(Tomcat 管理登錄頁面)
use auxiliary/scanner/http/verb_auth_bypass(基於HTTP方法的身份驗證繞過)
use auxiliary/scanner/http/wordpress_login_enum(Wordpress 密碼爆破--- set URI /wordpress/wp-login.php
mysql相關
use auxiliary/scanner/mysql/mysql_login
auxiliary/admin/http/manageengine_pmp_privesc
auxiliary/scanner/mysql/mysql_version
auxiliary/server/capture/mysql
post/multi/manage/dbvis_add_db_admin