The DB in Metasploit
Published: 2021-09-08 01:45:05  Views: 42  Category: Technical articles


In a penetration testing engagement, maintaining host, service and vulnerability information by hand creates an enormous amount of work.

In Metasploit this part of the job is already well encapsulated: the results of every task run by an internal module are stored in the DB automatically, and simple commands are enough to inspect them.

DB operations in Metasploit

msf > help database

Database Backend Commands
=========================

    Command        Description
    -------        -----------
    creds          List all credentials in the database
    db_connect     Connect to an existing database
    db_disconnect  Disconnect from the current database instance
    db_export      Export a file containing the contents of the database
    db_import      Import a scan result file (filetype will be auto-detected)
    db_nmap        Executes nmap and records the output automatically
    db_status      Show the current database status
    hosts          List all hosts in the database
    loot           List all loot in the database
    notes          List all notes in the database
    services       List all services in the database
    vulns          List all vulnerabilities in the database
    workspace      Switch between database workspaces

msf auxiliary(ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting                        Required  Description
   ----     ---------------                        --------  -----------
   RHOSTS   file:/root/DailyPentest/IPSrc/example  yes       The target address range or CIDR identifier
   RPORT    22                                     yes       The target port
   THREADS  1                                      yes       The number of concurrent threads
   TIMEOUT  30                                     yes       Timeout for the SSH probe

msf auxiliary(ssh_version) > set RHOSTS file:/root/DailyPentest/IPSrc/aa
RHOSTS => file:/root/DailyPentest/IPSrc/aa
msf auxiliary(ssh_version) > run

[*] 124.127.106.5:22, SSH server version: SSH-1.99-OpenSSH_5.8p2
[*] Scanned 1 of 9 hosts (011% complete)
[*] 124.127.106.3:22, SSH server version: SSH-1.99-OpenSSH_3.9p1
[*] Scanned 2 of 9 hosts (022% complete)
[*] Scanned 3 of 9 hosts (033% complete)
[*] Scanned 4 of 9 hosts (044% complete)
[*] Scanned 5 of 9 hosts (055% complete)
[*] Scanned 6 of 9 hosts (066% complete)
[*] Scanned 7 of 9 hosts (077% complete)
[*] 167.124.236.145:22, SSH server version: SSH-2.0-ArrayOS
[*] Scanned 8 of 9 hosts (088% complete)
[-] 167.124.236.184:22, SSH server version detection failed!
[*] Scanned 9 of 9 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(ssh_version) > services

Services
========

host             port  proto  name          state  info
----             ----  -----  ----          -----  ----
167.124.236.145  22    tcp    ssh           open   SSH-2.0-ArrayOS
167.124.236.243  22    tcp    ssh           open   SSH-2.0-ArrayOS
124.127.106.3    22    tcp    ssh           open   SSH-1.99-OpenSSH_3.9p1
124.127.106.5    22    tcp    ssh           open   SSH-1.99-OpenSSH_5.8p2
192.168.0.104    135   tcp    msrpc         open
192.168.0.104    554   tcp    rtsp          open
192.168.0.104    445   tcp    microsoft-ds  open   Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:WIN-R2OU7BR820S) (domain:WORKGROUP)
192.168.0.104    139   tcp    netbios-ssn   open
192.168.0.105    21    tcp    ftp           open   220 (vsFTPd 2.0.6)\x0d\x0a
192.168.0.105    22    tcp    ssh           open   SSH-2.0-OpenSSH_4.7p1 Debian-8
192.168.0.105    631   tcp    ipp           open

msf auxiliary(ssh_version) > services -p 22

Services
========

host             port  proto  name  state  info
----             ----  -----  ----  -----  ----
167.124.236.145  22    tcp    ssh   open   SSH-2.0-ArrayOS
167.124.236.243  22    tcp    ssh   open   SSH-2.0-ArrayOS
124.127.106.3    22    tcp    ssh   open   SSH-1.99-OpenSSH_3.9p1
124.127.106.5    22    tcp    ssh   open   SSH-1.99-OpenSSH_5.8p2
192.168.0.105    22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8

db_nmap can be used in place of nmap, because its results are imported straight into the DB, where they can be inspected very conveniently with commands.

msf > services -R 192.168.0.105

Services
========

host           port  proto  name  state  info
----           ----  -----  ----  -----  ----
192.168.0.105  21    tcp    ftp   open   220 (vsFTPd 2.0.6)\x0d\x0a
192.168.0.105  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8
192.168.0.105  631   tcp    ipp   open

RHOSTS => 192.168.0.105

msf > services -p 21

Services
========

host           port  proto  name  state  info
----           ----  -----  ----  -----  ----
192.168.0.105  21    tcp    ftp   open   220 (vsFTPd 2.0.6)\x0d\x0a
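The mechanism behind db_nmap and db_import is a scan-result parser feeding an inventory table that `services -p` and `services -R` then query. The following Python script is an added example of that idea in miniature; it is not code from the page or from the Metasploit project. It parses a constructed Nmap XML fragment (invented hosts in the 192.0.2.0/24 documentation range, not the hosts shown above) into an in-memory SQLite table and offers `services()` and `rhosts()` helpers that mimic the two msfconsole commands; all function and table names are assumptions made for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed Nmap XML fragment (not real scan output): the hosts, ports and
# banners below are invented for this example.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.0.6"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.8p2"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="closed"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Minimal stand-in for the msf 'services' table (hypothetical schema).
SCHEMA = """
CREATE TABLE IF NOT EXISTS services (
    host  TEXT NOT NULL,
    port  INTEGER NOT NULL,
    proto TEXT NOT NULL,
    name  TEXT,
    state TEXT,
    info  TEXT,
    PRIMARY KEY (host, port, proto)
);
"""


def open_db(path=":memory:"):
    """Open (or create) the inventory database and ensure the schema exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def import_nmap_xml(conn, xml_text):
    """Parse Nmap XML and upsert one row per (host, port, proto); returns rows imported."""
    root = ET.fromstring(xml_text)
    count = 0
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name") if svc is not None else None
            # Build a banner-like info string from product/version when present.
            info = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            conn.execute(
                "INSERT OR REPLACE INTO services VALUES (?, ?, ?, ?, ?, ?)",
                (ip, int(port.get("portid")), port.get("protocol"), name, state, info),
            )
            count += 1
    conn.commit()
    return count


def services(conn, port=None, state="open"):
    """Like msf 'services [-p PORT]': rows in the given state, optionally for one port."""
    sql = "SELECT host, port, proto, name, state, info FROM services WHERE state = ?"
    params = [state]
    if port is not None:
        sql += " AND port = ?"
        params.append(port)
    sql += " ORDER BY host, port"
    return conn.execute(sql, params).fetchall()


def rhosts(conn, port=None):
    """Like 'services -R': distinct matching hosts joined into an RHOSTS-style value."""
    hosts = sorted({row[0] for row in services(conn, port)})
    return " ".join(hosts)


if __name__ == "__main__":
    db = open_db()
    print(f"imported {import_nmap_xml(db, NMAP_XML)} service rows")
    for row in services(db, port=22):
        print(row)
    print("RHOSTS =>", rhosts(db, port=22))
```

Only open ports are returned by default, which is why the closed 445/tcp row never reaches the RHOSTS value; passing `state="closed"` shows it, matching the way the msf table keeps state as a queryable column rather than dropping non-open results.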


Reposted from: https://blog.csdn.net/weixin_34310369/article/details/85600598
