1. Cisco tools
2. SNMP tools
3. HTTP tools
4. SMB tools
5. Comprehensive vulnerability discovery tool: Nessus
Cisco Auditing Tool
A small security auditing tool that scans Cisco routers for common weaknesses, such as default passwords, SNMP community strings and some old IOS bugs.
=>./CAT -h 192.168.1.1 -w lists/community -a lists/passwords -i (I couldn't test this out, I have no Cisco router; port 23 wasn't open)
ciscos (quickly finds routers still using the default password 'cisco')
=>./ciscos 192.168.1 3 -t 4 -C 10 (the 3 means the third octet is given, so the last one runs to 255: Scanning: 192.168.1.*)
ADMsnmp
Brute-forces the SNMP community string using a predefined wordlist (mine is a TP-Link and it wasn't guessed)
root@bt:/pentest/enumeration/snmp/admsnmp# ./ADMsnmp 192.168.1.100 -wordfile snmp.passwd
ADMsnmp vbeta 0.1 (c) The ADM crew
ftp://ADM.isp.at/ADM/
greets: !ADM, el8.org, ansia
>>>>>>>>>>> get req name=router id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=cisco id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=public id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=private id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=admin id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=proxy id = 17 >>>>>>>>>>>
>>>>>>>>>>> get req name=write id = 20 >>>>>>>>>>>
>>>>>>>>>>> get req name=access id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=root id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=enable id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=all private id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name=private id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=test id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=guest id = 41 >>>>>>>>>>>
>>>>>>>>>>> get req name=password id = 44 >>>>>>>>>>>
<!ADM!> snmp check on 192.168.1.100 <!ADM!>
admsnmp
Once the community string has been obtained, it goes a step further and retrieves useful information.
HTTP tools
Burp Suite (a powerful web application security tool; it can scan, analyse and attack web applications using both manual and automated techniques)
==>root@bt:/pentest/web/burpsuite# java -jar burpsuite_v1.4.01.jar (a proxy that intercepts plaintext HTTP data, which can then be modified, probed and sent)
grendel.sh (grendel-scan)
An automated web application security assessment tool; it scans for, detects and attacks common web application weaknesses and generates a report of the scan results.
If the site allows directory listing, it lists every directory, which is very dangerous.
nikto2
An advanced web server security scanner; it scans for and checks security weaknesses caused by improper server configuration.
==>./nikto.pl -h www.i201314.net -C -p 80 -T 3478b -t 3 -D \ V -o aa.html -F htm
w3af
A feature-rich web application attack and audit framework; it helps detect and attack web vulnerabilities.
wafw00f
Used to test whether there is an HTTP-level firewall at the application layer.
The test result seems to show that there is a firewall.
root@bt:/pentest/web/waffit# ./wafw00f.py http://www.finderbao.com
^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'
WAFW00F - Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique
Checking http://www.finderbao.com
Generic Detection results:
The site http://www.finderbao.com seems to be behind a WAF
Reason: The server header is different when an attack is detected.
The server header for a normal response is "Microsoft-IIS/7.0", while the server header a response to an attack is "Microsoft-HTTPAPI/2.0.",
Number of requests: 10
SMB tools
As long as you have an ordinary user account, you can get the administrator's password.
root@bt:/pentest/python/impacket-examples# ./samrdump.py a:a@192.168.1.104 445/SMB
Retrieving endpoint list from 192.168.1.104
Trying protocol 445/SMB...
Found domain(s):
. CAPTURE-D4015CD
. Builtin
Looking up users in domain CAPTURE-D4015CD
Found user: a, uid = 1004
Found user: Administrator, uid = 500
Found user: Guest, uid = 501
Found user: RubberDuck, uid = 1003
Found user: SUPPORT_388945a0, uid = 1001
a (1004)/Enabled: true
a (1004)/Last Logon: Mon, 09 Jul 2012 13:46:05
a (1004)/Last Logoff:
Traceback (most recent call last):
File "./samrdump.py", line 182, in <module>
dumper.dump(address)
File "./samrdump.py", line 82, in dump
print base + '/Last Logoff:', user.get_logoff_time()
File "/usr/lib/pymodules/python2.6/impacket/dcerpc/samr.py", line 130, in get_logoff_time
return display_time(self._logoff_time_high, self._logoff_time_low)
File "/usr/lib/pymodules/python2.6/impacket/dcerpc/samr.py", line 33, in display_time
r = (strftime("%a, %d %b %Y %H:%M:%S",gmtime(d)), minutes_utc/60)[0]
ValueError: timestamp out of range for platform time_t
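The Last Logoff traceback above is a conversion problem, not a SAMR problem: samrdump.py hands a Windows FILETIME (two 32-bit halves) to time.gmtime(), and an account that has never logged off carries a sentinel value that does not fit the platform's time_t. The following is an added example (Python, not impacket's own code and not from the original post) of the same conversion with the "never" sentinels handled; the sample timestamp and the 0 / 0x7FFFFFFFFFFFFFFF sentinel values are constructed here.

```python
# Added example: FILETIME -> readable UTC string, with the edge case that made
# samrdump.py die on "Last Logoff" handled explicitly. Not impacket's code.
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# SAMR delivers it as two 32-bit halves, which is what display_time() received.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF          # value Windows uses for "never"
UNIX_TO_FILETIME_SECONDS = 11644473600       # 1601-01-01 -> 1970-01-01


def filetime_to_str(high: int, low: int) -> str:
    """Render a FILETIME as 'Mon, 09 Jul 2012 13:46:05', or 'never'.

    A logoff that never happened is stored as 0 or FILETIME_NEVER. Both lie
    far outside a 32-bit time_t, which is what time.gmtime() rejected above.
    """
    ticks = (high << 32) | low
    if ticks in (0, FILETIME_NEVER):
        return "never"
    try:
        when = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:                    # past datetime.max (year 9999)
        return "never"
    return when.strftime("%a, %d %b %Y %H:%M:%S")


def unix_to_filetime(unix_seconds: int) -> tuple:
    """Inverse helper for building sample values: Unix seconds -> (high, low)."""
    ticks = (unix_seconds + UNIX_TO_FILETIME_SECONDS) * 10_000_000
    return ticks >> 32, ticks & 0xFFFFFFFF


def format_user(name: str, uid: int, logon: tuple, logoff: tuple) -> list:
    """Produce the two samrdump-style time lines without raising on 'never'."""
    base = f"{name} ({uid})"
    return [
        f"{base}/Last Logon: {filetime_to_str(*logon)}",
        f"{base}/Last Logoff: {filetime_to_str(*logoff)}",
    ]


if __name__ == "__main__":
    # Constructed values: the logon time printed above for user "a", and the
    # "never" sentinel for a logoff that has not happened.
    logon = unix_to_filetime(1341841565)     # Mon, 09 Jul 2012 13:46:05 UTC
    logoff = (FILETIME_NEVER >> 32, FILETIME_NEVER & 0xFFFFFFFF)
    print("\n".join(format_user("a", 1004, logon, logoff)))
```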
Comprehensive vulnerability discovery
nessus