
0x01 发现内网存活主机

1.1 基于ARP发现内网主机

nmap

nmap -sn -PR 10.253.6.0/24

powershell

C:\Users\Patrilic\Desktop>powershell -exec bypass -Command "Import-Module ./Invoke-ARPScan.ps1;Invoke-ARPScan -CIDR 192.168.121.1/24"

b535427cfa8bff645f941c761de208ee

Invoke-ARPScan 是 Empire 中的模块

arp-scan.exe

C:\Users\Patrilic\Desktop>arp-scan.exe -t 192.168.121.0/24

1f8e2f46692be0db78c4aa872061312c

arp-ping.exe

C:\Users\Patrilic\Desktop>arp-ping.exe 192.168.121.1

017bf04412ca847df46101caadf1c928

Empire

netdiscover

netdiscover -r 192.168.3.0/24 -i eth0

f40948147bbe5919da12d82a559b56d9

meterpreter

meterpreter > getsystem
meterpreter > run post/windows/gather/arp_scanner RHOSTS=10.253.6.1/24

6189badfb2a72fed6459edba892064ba

Cain等

1.2 基于icmp发现主机

cmd

C:\Users\Patrilic\Desktop>for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.121.%I | findstr "TTL="

96cb8bb61bf9e88c2a3a7bda7547807d

nmap

nmap -sn -PE 192.168.3.0/24

89c3bc440d2446f15121c4bcce576ca9

powershell

powershell.exe -exec bypass -Command "Import-Module C:\Invoke-TSPingSweep.ps1;Invoke-TSPingSweep -StartAddress 192.168.3.1 -EndAddress 192.168.3.254 -ResolveHost -ScanPort -Port 21,22,23,25,53,80,81,82,83,84,85,86,87,88,89,110,111,143,389,443,445,873,1025,1433,1521,2601,3306,3389,3690,5432,5900,7001,8000,8080,8081,8082,8083,8084,8085,8086,8087,8089,9090,10000"

cf17177493ff1f7678825dca8a46b76c

bash

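# Sweep the 10.131.36.0/24 range with one ICMP echo request per address and
# print the addresses that answered.
#
# Fixes relative to the original loop: the address is quoted, the success test
# is written as `if ping ...` instead of inspecting `$?` afterwards, and the
# report goes through printf so the value is never parsed as an echo option.
# Any host that filters ICMP echo is reported as down by this method.
for ip in 10.131.36.{1..254}; do
  # Single probe per host; output and errors are discarded, only the status matters.
  if ping -c 1 "$ip" &>/dev/null; then
    printf '%s is alive ....\n' "$ip"
  fi
done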

573f9b41753a8eb36b56b062c2aa1fab

1.3 基于netbios协议发现主机

cmd

nbtstat -n

ae9d6dd415b464302a342a0e9b30c5c4

nbtscan

nbtscan-1.0.35.exe -m 192.168.121.0/24

6a39cc10cd8c0f7b2a96d570c03d811a

nmap

nmap -sU --script nbstat.nse -p137 192.168.1.0/24 -T4

b7d36bfa324e4c6fecc134c750ec6f82

1.4 基于smb协议发现主机

nmap

nmap -sU -sS --script smb-enum-shares.nse -p445 192.168.1.119/24

856a0cc32348f1b49cb80a4a98303498

cmd

for /l %a in(1,1,254) do start /min /low telnet 192.168.1.%a 445

powershell


445|%{echo((new-object Net.Sockets.TcpClient).Connect("10.253.6",$_)) "$_ is open"} 2>$null
1..5|%{$a=$_;445|%{echo((new-object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"} 2>$null}
118..119|%{$a=$_;write-host "------";write-host "192.168.1.$a"; 80,445 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"} 2>$null}

1.5 基于snmp发现主机

nmap

nmap -sU --script snmp-brute 192.168.1.0/24 -T4

54f953ba0bf35bbe34623e0138e3f017

perl

https://github.com/dheiland-r7/snmp
7f535a08c8897275f57fb979975b1b8c

1.6 基于udp发现主机

nmap

nmap -sU -T5 -sV --max-retries 1 192.168.1.100 -p 500

unicornscan

unicornscan -mU 192.168.1.100

1.7 基于SqlDataSourceEnumerator

PowerShell -Command "[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()"

db8c4d18ffad131d9641044e575fc820

1.8 基于msf发现主机

http服务

auxiliary/scanner/http/http_version
auxiliary/scanner/http/title

smb服务

auxiliary/scanner/smb/smb_version

ftp服务

auxiliary/scanner/ftp/ftp_version
auxiliary/scanner/ftp/anonymous

arp服务

auxiliary/scanner/discovery/arp_sweep

udp服务

auxiliary/scanner/discovery/udp_sweep
auxiliary/scanner/discovery/udp_probe

ssh服务

auxiliary/scanner/ssh/ssh_version

telnet服务

auxiliary/scanner/telnet/telnet_version

dns服务

auxiliary/scanner/dns/dns_amp

mysql服务

auxiliary/scanner/mysql/mysql_version

netbios服务

auxiliary/scanner/netbios/nbname

db2服务

auxiliary/scanner/db2/db2_version

端口发现

auxiliary/scanner/portscan/ack
auxiliary/scanner/portscan/tcp
auxiliary/scanner/portscan/syn
auxiliary/scanner/portscan/syn
auxiliary/scanner/portscan/ftpbounce
auxiliary/scanner/portscan/xmas

rdp服务

auxiliary/scanner/rdp/rdp_scanner

smtp服务

auxiliary/scanner/smtp/smtp_version

pop3服务

auxiliary/scanner/pop3/pop3_version

postgres服务

auxiliary/scanner/postgres/postgres_version

调用nmap

db_nmap

post组件

windows/gather/arp_scanner 
windows/gather/enum_ad_computers
windows/gather/enum_computers
windows/gather/enum_domain
windows/gather/enum_domains
windows/gather/enum_ad_user_comments
linux/gather/enum_network
linux/busybox/enum_hosts
windows/gather/enum_ad_users
windows/gather/enum_domain_tokens
windows/gather/enum_snmp