Targeted Scanning

Published: 2023/12/19

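Targeted scanning means looking in the target network for specific operating systems, services, software and configuration flaws that have known exploitable vulnerabilities or that make it easy to obtain a backdoor. For example, quickly scanning a target network for hosts with the MS08-067 vulnerability is a very common activity, because MS08-067 is (still) a widespread vulnerability that quickly gives you System-level access, which is much easier than scanning the whole network for every vulnerability and attacking afterwards.
1. Server Message Block (SMB) protocol scanning
Metasploit can use its smb_version module to sweep a network and obtain the Windows version of each host.
Load the module, list its options, set the RHOSTS option, then start the scan: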

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 192.168.119.132
RHOSTS => 192.168.119.132
msf auxiliary(smb_version) > run

[*] 192.168.119.132:139 is running Windows XP Service Pack 3 (language: Chinese - Traditional) (name:PC-201403241103) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  

2. Searching for misconfigured Microsoft SQL Server
A misconfigured Microsoft SQL Server (MS SQL) is often the first backdoor into the target system.
After installation, MS SQL listens by default on TCP port 1433 or uses a random dynamic TCP port. If MS SQL is listening on a random TCP port, a simple query to UDP port 1434 is enough to obtain that port number. Metasploit has a module, mssql_ping, that does this:

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf auxiliary(mssql_ping) > set RHOSTS 192.168.119.132
RHOSTS => 192.168.119.132
msf auxiliary(mssql_ping) > set THREADS 255
THREADS => 255
msf auxiliary(mssql_ping) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  

The SQL Server version I installed is as follows:
Microsoft SQL Server Management Studio 9.00.1399.00
Microsoft Analysis Services Client Tools 2005.090.1399.00
Microsoft Data Access Components (MDAC) 2000.085.1132.00 (xpsp.080413-0852)
Microsoft MSXML 2.6 3.0 5.0 6.0
Microsoft Internet Explorer 8.0.6001.18702
Microsoft .NET Framework 2.0.50727.42
Operating System 5.1.2600
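What the UDP 1434 reply contains, and why it gives away a dynamic port: this added example (not from the original post) parses a SQL Server Browser reply and lists instances whose TCP port is only discoverable through that service, which is what an administrator would check before disabling the Browser or filtering UDP 1434. The reply bytes are constructed; the host name, instance names, version and ports are assumptions.

```python
import struct

SVR_RESP = 0x05  # first byte of a SQL Server Browser (UDP 1434) reply


def build_sample():
    # Constructed sample reply: host, instances, version and ports are made up.
    body = (b"ServerName;DBHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
            b"Version;9.00.1399.06;tcp;1433;;"
            b"ServerName;DBHOST01;InstanceName;REPORTING;IsClustered;No;"
            b"Version;9.00.1399.06;tcp;49731;"
            b"np;\\\\DBHOST01\\pipe\\MSSQL$REPORTING\\sql\\query;;")
    # Layout: 1-byte type, 2-byte little-endian length, then the text body.
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


def parse_browser_reply(data):
    """Parse a Browser reply into one dict per advertised instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not a SQL Server Browser reply")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated reply")
    instances = []
    # Each instance is a ';'-separated key/value run terminated by ';;'.
    for chunk in body.decode("ascii", "replace").split(";;"):
        fields = chunk.strip(";").split(";")
        if len(fields) < 2:
            continue
        info = dict(zip(fields[0::2], fields[1::2]))
        if "tcp" in info:
            info["tcp"] = int(info["tcp"])
        instances.append(info)
    return instances


def exposed_dynamic_ports(instances, default_port=1433):
    """Instances on a non-default TCP port that the Browser reply discloses."""
    return [(i["InstanceName"], i["tcp"]) for i in instances
            if i.get("tcp") not in (None, default_port)]
```
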

  

3. SSH server scanning
If you come across hosts running SSH (Secure Shell) during a scan, you should identify the SSH version. SSH is a secure protocol, but "secure" here refers only to the encryption of data in transit; vulnerabilities have been found in many SSH implementations. Don't assume you will never run into an old machine with no patches installed; that kind of luck may well come your way. You can use the Metasploit framework's ssh_version module to identify the SSH version running on the target server.

msf > use scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf auxiliary(ssh_version) > set RHOSTS 192.168.119.144
RHOSTS => 192.168.119.144
msf auxiliary(ssh_version) > run

[*] 192.168.119.144:22, SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) >
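Turning ssh_version output into a patch-level inventory: this added example (not from the original post) splits each reported banner according to the RFC 4253 identification-string layout and checks it against a baseline. The baseline value, the verdict wording and the 192.0.2.x sample lines are assumptions made for illustration.

```python
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Result-line layout printed by ssh_version in the session above.
SCAN_RE = re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+),? SSH server version: (?P<banner>.+)$")
BASELINE = (8, 0)  # hypothetical minimum OpenSSH release allowed by local policy

# First line is from the session above; the 192.0.2.x lines are constructed.
SAMPLE = [
    "[*] 192.168.119.144:22, SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2",
    "[*] 192.0.2.7:22, SSH server version: SSH-1.99-OpenSSH_3.9p1",
    "[*] 192.0.2.8:2222, SSH server version: SSH-2.0-dropbear_2019.78",
    "[*] 192.0.2.9:22, SSH server version: SSH-2.0-OpenSSH_9.6",
    "[*] Scanned 4 of 4 hosts (100% complete)",
]


def parse_ident(banner):
    """Split an identification string; add a comparable OpenSSH version tuple."""
    m = IDENT_RE.match(banner.strip())
    if not m:
        return None
    info = m.groupdict()
    v = re.match(r"OpenSSH_(\d+(?:\.\d+)*)", info["software"])
    info["openssh"] = tuple(int(x) for x in v.group(1).split(".")) if v else None
    return info


def audit(lines, min_openssh=BASELINE):
    """Return (host, port, verdict) for every SSH result line in scanner output."""
    findings = []
    for line in lines:
        m = SCAN_RE.match(line)
        if not m:
            continue  # progress and status lines
        info = parse_ident(m["banner"])
        if info is None:
            verdict = "unparseable banner"
        elif info["proto"] != "2.0":  # 1.99 means the server still accepts protocol 1
            verdict = "legacy protocol " + info["proto"]
        elif info["openssh"] is None:
            verdict = "non-OpenSSH: " + info["software"]
        elif info["openssh"] < min_openssh:
            verdict = "below baseline: " + info["software"]
        else:
            verdict = "ok"
        findings.append((m["host"], int(m["port"]), verdict))
    return findings
```

A banner only reports what the server claims to be; distributions backport fixes without changing the upstream version number, so a "below baseline" verdict is a prompt to check the package level, not proof of a missing patch.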

4. FTP scanning

FTP is a complex application-layer protocol that lacks security, and FTP servers are often the most convenient way into a target network.

msf auxiliary(anonymous) > use scanner/ftp/ftp_version
msf auxiliary(ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS   192.168.119.141      yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port
   THREADS  1                    yes       The number of concurrent threads

msf auxiliary(ftp_version) > set RHOSTS 192.126.119.48
RHOSTS => 192.126.119.48
msf auxiliary(ftp_version) > run

[*] 192.126.119.48:21 FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  

Reposted from: https://www.cnblogs.com/evilxr/p/3840891.html
