发现内网存活主机方法-简单整理

1
2

# -sU
nmap -sU -T5 -sV --max-retries 1 192.168.1.100 -p 500

1
2
3
4

use auxiliary/scanner/discovery/udp_probe

# 或这个模块
use auxiliary/scanner/discovery/udp_sweep

1

unicornscan -mU 192.168.1.100

1

nmap -sn -PR 192.168.1.1/24

1
2

use auxiliary/scanner/discovery/arp_sweep
...

1

netdiscover -r 192.168.1.0/24 -i wlan0

1
2
3

apt-get install arp-scan

arp-scan --interface=wlan0 --localnet

1

powershell.exe -exec bypass -Command "Import-Module .\arpscan.ps1;Invoke-ARPScan -CIDR 192.168.1.0/24"

1

arp-scan.exe -t 192.168.1.1/24

1

arp-ping.exe 192.168.1.100

1
2

# nbstat.nse
nmap -sU --script nbstat.nse -p137 192.168.1.0/24 -T4

1

use auxiliary/scanner/netbios/nbname

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

### Windows
nbtscan-1.0.35.exe -m 192.168.1.0/24

nbtscan -n    # 推荐


### Linux （推荐）
tar -zxvf ./nbtscan-source-1.0.35.tgz     # (其他版本自己寻找)
make
nbtscan -r 192.168.1.0/24
nbtscan -v -s: 192.168.1.0/24

1

nmap -sU --script snmp-brute 192.168.1.0/24 -T4

1

use auxiliary/scanner/snmp/snmp_enum

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

use auxiliary/scanner/snmp/aix_version
use auxiliary/scanner/snmp/snmp_enumuse auxiliary/scanner/snmp/arris_dg950
use auxiliary/scanner/snmp/snmp_enum_hp_laserjet
use auxiliary/scanner/snmp/brocade_enumhash
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/cambium_snmp_loot
use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/cisco_config_tftp
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/cisco_upload_file
use auxiliary/scanner/snmp/snmp_set
use auxiliary/scanner/snmp/netopia_enum
use auxiliary/scanner/snmp/ubee_ddw3611
use auxiliary/scanner/snmp/sbg6580_enum
use auxiliary/scanner/snmp/xerox_workcentre_enumusers

1
2
3
4
5
6
7

wget http://www.cpan.org/modules/by-module/NetAddr/NetAddr-IP-4.078.tar.gz
tar xvzf ./NetAddr-IP-4.078.tar.gz
cd NetAddr-IP-4.078/
perl Makefile.PL
make
make install
./snmpbw.pl

1
2
3

nmap ‐sP ‐PI 192.168.1.0/24 ‐T4

nmap ‐sn ‐PE ‐T4 192.168.1.0/24

1

for /L %P in (1,1,254) DO @ping ‐w 1 ‐n 1 192.168.1.%P | findstr "TTL="

1
2
3
4
5
6
7
8

# powershell脚本  ./Invoke‐TSPingSweep.ps1
powershell.exe ‐exec bypass ‐Command "Import‐Module ./Invoke‐TSPingSwe
ep.ps1; Invoke‐TSPingSweep ‐StartAddress 192.168.1.1 ‐EndAddress 192.168.1.2
54 ‐ResolveHost ‐ScanPort ‐Port 445,135"


# 或
tcping.exe ‐n 1 192.168.1.0 80

1

# 模块 scanner/smb/smb_version

1

cme smb 192.168.1.0/24

1

nmap ‐sU ‐sS ‐‐script smb‐enum‐shares.nse ‐p 445 192.168.119

1

for /l %a in (1,1,254) do start /min /low telnet 192.168.1.%a 445

1
2
3
4
5
6
7
8
9

## 一句话扫描:
#单IP:
445 | %{ echo ((new‐object Net.Sockets.TcpClient).Connect("192.168.1.119",$_)) "$_ is open"} 2>$null

#多ip:
1..5 | % { $a = $_; 445 | % {echo ((new‐objectNet.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"}2>$null}

#多port,多IP:
118..119 | % { $a = $_; write‐host "‐‐‐‐‐‐"; write‐host "192.168.1.$a"; 80,445 | % {echo ((new‐object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"} 2>$null}

1

search scanner type:auxiliary

1
2
3
4
5

auxiliary/scanner/discovery/arp_sweep    # 发现内网存活主机
auxiliary/scanner/discovery/udp_sweep    # 发现内网存活主机
auxiliary/scanner/ftp/ftp_version      # 发现FTP服务
auxiliary/scanner/http/http_version    # 发现HTTP服务
auxiliary/scanner/smb/smb_version      # 发现SMB服务

1
2
3
4
5

auxiliary/scanner/ssh/ssh_version        # 发现SSH服务
auxiliary/scanner/telnet/telnet_version    # 发现TELNET服务
auxiliary/scanner/discovery/udp_probe    # 发现内网存活主机
auxiliary/scanner/dns/dns_amp            # 发现内网存活主机
auxiliary/scanner/mysql/mysql_version    # 发现mysql服务

1
2
3
4
5

auxiliary/scanner/netbios/nbname    # 发现内网存活主机
auxiliary/scanner/http/title        # 发现内网存活主机
auxiliary/scanner/db2/db2_version    # 发现db2服务
auxiliary/scanner/portscan/ack    # 发现内网存活主机
auxiliary/scanner/portscan/tcp    # 发现内网存活主机

1
2
3
4
5

auxiliary/scanner/portscan/syn    # 发现内网存活主机
auxiliary/scanner/portscan/ftpbounce    # 发现内网存活主机
auxiliary/scanner/portscan/xmas        # 发现内网存活主机
auxiliary/scanner/rdp/rdp_scanner        # 发现内网存活主机
auxiliary/scanner/smtp/smtp_version        # 发现内网存活主机

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

auxiliary/scanner/pop3/pop3_version        # 发现内网存活主机
auxiliary/scanner/postgres/postgres_version    # 发现内网存活主机
auxiliary/scanner/ftp/anonymous            # 发现内网存活主机

db_nmap            # 发现内网存活主机(MSF内置强大的端口扫描工具Nmap,为了更好的区别,内置命令为:db_nmap, 使用方法与nmap一致)
#如：
db_nmap ‐p 445 ‐T4 ‐sT 192.168.1.115‐120 ‐‐open
hosts        # 查看数据库中已发现的内网存活主机
hosts ‐h     # hosts命令也支持数据库中查询与搜索,方便快速对应目标存活主机
hosts ‐S 192    # 搜索关键字

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

‐a,‐‐add Add the hosts instead of searching
‐d,‐‐delete Delete the hosts instead of searching
‐c <col1,col2> Only show the given columns (see list below)
‐C <col1,col2> Only show the given columns until the next restart (se
e list below)
‐h,‐‐help Show this help information
‐u,‐‐up Only show hosts which are up
‐o <file> Send output to a file in csv format
‐O <column> Order rows by specified column number
‐R,‐‐rhosts Set RHOSTS from the results of the search
‐S,‐‐search Search string to filter by
‐i,‐‐info Change the info of a host
‐n,‐‐name Change the name of a host
‐m,‐‐comment Change the comment of a host
‐t,‐‐tag Add or specify a tag to a range of hosts

1
2
3
4
5
6

windows/gather/arp_scanner
windows/gather/enum_ad_computers
windows/gather/enum_computers
windows/gather/enum_domain
windows/gather/enum_domains
windows/gather/enum_ad_user_comments

1

meterpreter > run windows/gather/arp_scanner RHOSTS=192.168.1.110‐120 THREADS=20

1

meterpreter > run windows/gather/enum_ad_computers

1

meterpreter > run windows/gather/enum_computers

1

meterpreter > run windows/gather/enum_domain

1

meterpreter > run windows/gather/enum_domains

1

meterpreter > run windows/gather/enum_ad_user_comments

1
2
3
4
5

linux/gather/enum_network
linux/busybox/enum_hosts
windows/gather/enum_ad_users
windows/gather/enum_domain_tokens
windows/gather/enum_snmp