[Translation] Metasploit's Built-in Port Scanners
Posted: 2019-2-15 19:41
How to use Metasploit's built-in port scanners to find open ports.
The first step against any system is to determine which ports are open. The most useful port-scanning tool is Nmap, but there are situations where a different tool fits better; scanning directly from inside Metasploit, for instance, is convenient when the rest of the engagement is already happening in the framework. Here we will walk through the three scan types it offers: TCP, SYN and XMAS.
Port scanning is the process of probing a range of ports to determine their state, usually open or closed. A host has 65,536 port numbers (0 to 65535), of which the first 1,024 are the well-known ports reserved for standard services. A service may listen on TCP, on UDP, or on both.
The first scan type covered here is the TCP scan, also called TCP connect. It uses the operating system's connect() system call to open a connection, just as a web browser or any other networked application would. For an open port the scan completes the full three-way handshake and then closes the connection. This is very reliable, but noisy: the service accepts a real connection, so the scanner's IP address ends up in its logs.
The second type is the SYN scan. It is Nmap's default and is generally considered the most popular scan type. Unlike a connect scan, a SYN scan builds raw packets instead of going through the socket API: it sends a SYN, classifies the port from the SYN/ACK or RST that comes back, and never completes the handshake. The upside is that it is relatively stealthy (many services never log a half-open connection) and it has a chance of slipping past simple firewalls; the cost is that crafting and capturing raw packets requires privileged (root) access, so there are more constraints on where it can run.
The third is the XMAS scan, which sets the FIN, PSH and URG flags, said to light the packet up like a Christmas tree (hence the name). Under RFC 793 a closed port answers such a packet with a RST while an open port ignores it, so silence means either open or filtered. XMAS scans are stealthier still than SYN scans, though modern intrusion detection systems can still spot them. Be aware that some TCP/IP stacks, Windows among them, reply with a RST to every XMAS probe regardless of port state, so every port then looks closed; the scan is worth a try when other methods fail, but it is not a substitute for them.

 

Option 1: TCP Scan
Before running any scan, the first thing to do is launch Metasploit by typing msfconsole in a terminal. It prints a random banner, the version information and the number of currently loaded modules.
msfconsole

(ASCII art banner omitted)

       =[ metasploit v4.17.8-dev                          ]
+ -- --=[ 1803 exploits - 1027 auxiliary - 311 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >
The scanners are auxiliary modules in Metasploit; to locate the port scanners, type search portscan at the prompt.
msf > search portscan
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner
The search returns several results, including the three port scanners we will look at. Starting with the simple TCP scan, type use auxiliary/scanner/portscan/tcp to load the module, then options to view the module's settings:
msf auxiliary(scanner/portscan/tcp) > options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
Here we can see each option's current setting and description. Unlike many exploit modules, this scanner accepts a range of target addresses (or a CIDR block) in RHOSTS, not just a single IP. Since we have only one target machine, one address is enough.
The thread count can be raised to make the scan run faster. On Unix-like systems it is recommended to keep this value under 256, and on native Win32 under 16. To be safe, set it to 8 and leave all other options at their defaults.
msf auxiliary(scanner/portscan/tcp) > set rhosts 172.16.1.102
rhosts => 172.16.1.102
msf auxiliary(scanner/portscan/tcp) > set threads 8
threads => 8
Now we are ready to start the scan. In Metasploit, run and exploit do exactly the same thing, so either works; run is simply the more fitting name here, since we are scanning rather than exploiting.
msf auxiliary(scanner/portscan/tcp) > run

[+] 172.16.1.102: - 172.16.1.102:21 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:23 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:22 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:25 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:53 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:80 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:111 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:139 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:445 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:513 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:514 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:512 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:1099 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:1524 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:2049 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:2121 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:3306 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:3632 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:5432 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:5900 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:6000 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:6667 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:6697 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:8009 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:8180 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:8787 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The TCP scan runs quickly, and once it finishes we can see that the target has a large number of open ports.
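As an added example (not from the original article and not Metasploit's own source), here is a small Ruby connect scanner that does what auxiliary/scanner/portscan/tcp does under the hood and honours the same PORTS, CONCURRENCY, DELAY and JITTER semantics listed in the options table above. The function names (parse_ports, probe_delay_ms, port_open?, tcp_scan, demo_local_scan) are this example's own, and the demo probes a loopback listener on an ephemeral port instead of 172.16.1.102 so that it runs offline:

```ruby
require 'socket'

# Expand a Metasploit-style PORTS spec such as "22-25,80,110-900" into a
# sorted list of unique port numbers; anything outside 1..65535 is dropped.
def parse_ports(spec)
  spec.split(',').flat_map do |part|
    part = part.strip
    next [] if part.empty?
    first, last = part.split('-', 2).map(&:to_i)
    last ? (first..last).to_a : [first]
  end.uniq.select { |p| p.between?(1, 65_535) }.sort
end

# Pause between probes as the module's DELAY/JITTER options describe:
# DELAY milliseconds, widened or narrowed at random by up to JITTER milliseconds.
def probe_delay_ms(delay_ms, jitter_ms)
  return 0 if delay_ms <= 0 && jitter_ms <= 0
  [delay_ms + rand(-jitter_ms..jitter_ms), 0].max
end

# One TCP connect probe: the OS performs a full three-way handshake through
# the socket API and we tear the connection down immediately. The service
# sees a real connection, which is why this scan is reliable but noisy.
def port_open?(host, port, timeout: 1.0)
  Socket.tcp(host, port, connect_timeout: timeout) { nil }
  true
rescue SystemCallError, SocketError, IOError
  false # refused, unreachable, timed out or unresolvable: not open
end

# Connect scan with the module's CONCURRENCY semantics: a pool of worker
# threads pulls ports off a shared queue. Returns the sorted open ports.
def tcp_scan(host, ports, concurrency: 10, delay_ms: 0, jitter_ms: 0, timeout: 1.0)
  queue = Queue.new
  ports.each { |p| queue << p }
  queue.close # once drained, pop returns nil and the workers exit
  open_ports = Queue.new

  workers = Array.new([concurrency, 1].max) do
    Thread.new do
      while (port = queue.pop)
        open_ports << port if port_open?(host, port, timeout: timeout)
        pause = probe_delay_ms(delay_ms, jitter_ms)
        sleep(pause / 1000.0) if pause.positive?
      end
    end
  end
  workers.each(&:join)

  Array.new(open_ports.size) { open_ports.pop }.sort
end

# Offline demo (an assumption of this example, not the page's target): a
# loopback listener on an ephemeral port stands in for 172.16.1.102, and a
# second ephemeral port that is opened and immediately closed stands in for
# a closed port.
def demo_local_scan
  listener = TCPServer.new('127.0.0.1', 0)
  open_port = listener.addr[1]
  placeholder = TCPServer.new('127.0.0.1', 0)
  closed_port = placeholder.addr[1]
  placeholder.close
  found = tcp_scan('127.0.0.1', parse_ports("#{open_port},#{closed_port}"), concurrency: 2)
  { open_port: open_port, closed_port: closed_port, found: found }
ensure
  listener&.close
end

if $PROGRAM_NAME == __FILE__
  r = demo_local_scan
  puts "listening on #{r[:open_port]}, closed #{r[:closed_port]}; scan found #{r[:found].inspect}"
end
```

Run it with ruby and you get back only the listening port. Every probe completes a real handshake, so a service with connection logging on the far end records the scanner's address for each open port it finds, which is the noise the article warns about.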

 

Option 2: SYN Scan
Next, the SYN scan. Type back to return to the main prompt, then use auxiliary/scanner/portscan/syn to load the module. Again, type options to view this module's current settings:
msf auxiliary(scanner/portscan/syn) > options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds
There are a few different options here compared to the TCP scan, but for the most part they are very similar, including the target address range and the thread count. The new ones (INTERFACE, SNAPLEN, TIMEOUT) exist because this module sends and captures raw packets rather than using the socket API, which also means msfconsole has to be running as root for it to work.

When running several scans (or exploits) against the same target, there is no need to set each option again for every module: setg sets the option globally, so it carries over when you switch modules.
msf auxiliary(scanner/portscan/syn) > setg rhosts 172.16.1.102
rhosts => 172.16.1.102
msf auxiliary(scanner/portscan/syn) > setg threads 8
threads => 8

 

Type run to start the scan.
msf auxiliary(scanner/portscan/syn) > run

[+] TCP OPEN 172.16.1.102:21
[+] TCP OPEN 172.16.1.102:22
[+] TCP OPEN 172.16.1.102:23
[+] TCP OPEN 172.16.1.102:25
[+] TCP OPEN 172.16.1.102:53
[+] TCP OPEN 172.16.1.102:80
[+] TCP OPEN 172.16.1.102:111
[+] TCP OPEN 172.16.1.102:139
[+] TCP OPEN 172.16.1.102:445
[+] TCP OPEN 172.16.1.102:512
[+] TCP OPEN 172.16.1.102:513
[+] TCP OPEN 172.16.1.102:514
[+] TCP OPEN 172.16.1.102:1099
[+] TCP OPEN 172.16.1.102:1524
[+] TCP OPEN 172.16.1.102:2049
[+] TCP OPEN 172.16.1.102:2121
[+] TCP OPEN 172.16.1.102:3306
[+] TCP OPEN 172.16.1.102:3632
[+] TCP OPEN 172.16.1.102:5432
[+] TCP OPEN 172.16.1.102:5900
[+] TCP OPEN 172.16.1.102:6000
[+] TCP OPEN 172.16.1.102:6667
[+] TCP OPEN 172.16.1.102:6697
[+] TCP OPEN 172.16.1.102:8009
[+] TCP OPEN 172.16.1.102:8180
[+] TCP OPEN 172.16.1.102:8787
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The SYN scan takes a bit longer to complete than the TCP scan, but once it finishes we get essentially the same results as before.

 

Option 3: XMAS Scan
The third scan is the XMAS scan. Again, type back to leave the current module and use auxiliary/scanner/portscan/xmas to load the new one. Since we set the remote host and thread count globally earlier, those values should already be filled in when we view the options:
msf auxiliary(scanner/portscan/xmas) > options

Module options (auxiliary/scanner/portscan/xmas):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     172.16.1.102     yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    8                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds
The remaining options are nearly identical to the SYN scan's and can be left at their defaults; feel free to experiment with other settings to see how timing and accuracy change. Run the scan:
msf auxiliary(scanner/portscan/xmas) > run

[*] TCP OPEN|FILTERED 172.16.1.102:21
[*] TCP OPEN|FILTERED 172.16.1.102:22
[*] TCP OPEN|FILTERED 172.16.1.102:23
[*] TCP OPEN|FILTERED 172.16.1.102:25
[*] TCP OPEN|FILTERED 172.16.1.102:53
[*] TCP OPEN|FILTERED 172.16.1.102:80
[*] TCP OPEN|FILTERED 172.16.1.102:111
[*] TCP OPEN|FILTERED 172.16.1.102:139
[*] TCP OPEN|FILTERED 172.16.1.102:445
[*] TCP OPEN|FILTERED 172.16.1.102:512
[*] TCP OPEN|FILTERED 172.16.1.102:513
[*] TCP OPEN|FILTERED 172.16.1.102:514
[*] TCP OPEN|FILTERED 172.16.1.102:1099
[*] TCP OPEN|FILTERED 172.16.1.102:1524
[*] TCP OPEN|FILTERED 172.16.1.102:2049
[*] TCP OPEN|FILTERED 172.16.1.102:2121
[*] TCP OPEN|FILTERED 172.16.1.102:3306
[*] TCP OPEN|FILTERED 172.16.1.102:3632
[*] TCP OPEN|FILTERED 172.16.1.102:5432
[*] TCP OPEN|FILTERED 172.16.1.102:5900
[*] TCP OPEN|FILTERED 172.16.1.102:6000
[*] TCP OPEN|FILTERED 172.16.1.102:6667
[*] TCP OPEN|FILTERED 172.16.1.102:6697
[*] TCP OPEN|FILTERED 172.16.1.102:8009
[*] TCP OPEN|FILTERED 172.16.1.102:8180
[*] TCP OPEN|FILTERED 172.16.1.102:8787
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Again we get results similar to the other scans, but the state is now reported as OPEN|FILTERED rather than OPEN: an XMAS probe that gets no reply may have hit an open port or a filter that silently dropped it, and only a RST lets the scanner call a port closed. Since a given target (or set of targets) can answer the three probe types differently, it is worth running more than one scan type and comparing the results.
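Acting on that advice means comparing the three transcripts, and the modules print their results in two different line formats. The following Ruby script is an added example, not part of the original article or of Metasploit: it parses the tcp, syn and xmas output lines in the formats shown above, merges them per host:port and labels each port by how far the scans agree. The sample lines embedded in it are constructed (a few copied from the transcripts above plus two ports, 8080 and 443, invented to exercise the disagreement cases), and the function names are this example's own:

```ruby
# Output line formats of the three scanners, as they appear in the transcripts above.
SCAN_LINE_FORMATS = [
  # auxiliary/scanner/portscan/tcp:   [+] 172.16.1.102: - 172.16.1.102:21 - TCP OPEN
  /\A\[[+*]\]\s+\S+\s+-\s+(?<host>\d{1,3}(?:\.\d{1,3}){3}):(?<port>\d+)\s+-\s+TCP\s+(?<state>[A-Z|]+)\s*\z/,
  # auxiliary/scanner/portscan/syn:   [+] TCP OPEN 172.16.1.102:21
  # auxiliary/scanner/portscan/xmas:  [*] TCP OPEN|FILTERED 172.16.1.102:21
  /\A\[[+*]\]\s+TCP\s+(?<state>[A-Z|]+)\s+(?<host>\d{1,3}(?:\.\d{1,3}){3}):(?<port>\d+)\s*\z/
].freeze

# Parse one console line into { host:, port:, state: }, or nil for status
# lines such as "[*] Scanned 1 of 1 hosts (100% complete)".
def parse_scan_line(line)
  SCAN_LINE_FORMATS.each do |re|
    m = re.match(line)
    return { host: m[:host], port: m[:port].to_i, state: m[:state] } if m
  end
  nil
end

# Merge the lines of each scan into one table: "host:port" => { scan => state }.
def merge_scans(output_by_scan)
  table = Hash.new { |h, k| h[k] = {} }
  output_by_scan.each do |scan, lines|
    lines.each do |line|
      next unless (r = parse_scan_line(line))
      table["#{r[:host]}:#{r[:port]}"][scan] = r[:state]
    end
  end
  table
end

# Turn the combined evidence into a verdict per port:
#   a handshake-based scan (tcp or syn) reporting OPEN confirms the port;
#   if another scan type did not list it, the host treated that probe
#   differently and the port deserves a second look;
#   OPEN|FILTERED from xmas alone means no reply, which an open port and a
#   filter that silently drops the probe produce alike.
def classify(merged, scans: %w[tcp syn xmas])
  merged.transform_values do |states|
    confirmed = %w[tcp syn].any? { |s| states[s] == 'OPEN' }
    missing = scans.reject { |s| states.key?(s) }
    if confirmed && missing.empty?
      'open'
    elsif confirmed
      "open (not seen by #{missing.join(', ')}; recheck)"
    elsif states['xmas'] == 'OPEN|FILTERED'
      'open|filtered (xmas only; no reply, may be a filter)'
    else
      "unresolved (#{states.map { |s, st| "#{s}=#{st}" }.join(', ')})"
    end
  end
end

# Constructed sample output: a few lines in the format of the transcripts
# above, plus two ports invented for this example to show disagreement.
SAMPLE_OUTPUT = {
  'tcp' => [
    '[+] 172.16.1.102: - 172.16.1.102:21 - TCP OPEN',
    '[+] 172.16.1.102: - 172.16.1.102:22 - TCP OPEN',
    '[+] 172.16.1.102: - 172.16.1.102:80 - TCP OPEN',
    '[*] Scanned 1 of 1 hosts (100% complete)'
  ],
  'syn' => [
    '[+] TCP OPEN 172.16.1.102:21',
    '[+] TCP OPEN 172.16.1.102:22',
    '[+] TCP OPEN 172.16.1.102:80',
    '[+] TCP OPEN 172.16.1.102:8080' # constructed: reported by the SYN scan only
  ],
  'xmas' => [
    '[*] TCP OPEN|FILTERED 172.16.1.102:21',
    '[*] TCP OPEN|FILTERED 172.16.1.102:22',
    '[*] TCP OPEN|FILTERED 172.16.1.102:443' # constructed: reported by the XMAS scan only
  ]
}.freeze

# Sort by host, then numeric port, so the report reads like the scanner output.
def report(verdicts)
  verdicts.sort_by { |key, _| host, port = key.split(':'); [host, port.to_i] }
          .map { |key, verdict| format('%-20s %s', key, verdict) }
end

if $PROGRAM_NAME == __FILE__
  puts report(classify(merge_scans(SAMPLE_OUTPUT)))
end
```

In practice you would capture each module's console output to a file (spool in msfconsole does this) and feed the three files in as the hash values. Ports that a connect or SYN scan confirmed but the XMAS scan never listed are the ones to look at first: the host answered the XMAS probe with a RST, which is the behaviour of stacks that treat every XMAS packet as aimed at a closed port.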

 

Finding Open Ports Made Easy
In this guide we covered three port scans, TCP, SYN and XMAS, run from Metasploit's interactive console. These scanners are quick and dirty, but they get the job of finding open ports done with relatively little effort, and they show that Metasploit includes many features that make a white-hat hacker's everyday work easier.

