3.1.被动信息搜集
whois查询
Netcraft

nslookup
>set type=mx
>testfire.net

Google Hacking

3.2 主动信息搜集
使用nmap进行端口扫描
-sS 隐秘的TCP扫描 ，以确定某个TCP端口是否开放
-Pn 不使用ping命令，默认所有主机都存活。适用于外网，内网不用
-A 深入的服务枚举和旗标获取

在msf中使用数据库
将nmap结果导入metasploit
/home/output# nmap -Pn -Ss -A -oX Subnet1.xml 192.168.1.0/24
db_import /home/output/Subnet1.xml

Hosts -c address

TCP空闲扫描

msf> use auxiliary/scanner/ip/ipidseq
Show options
set RHOSTS => ip
Set THREADS 50
run

Nmap -Pn -sI 192.168.1.131 132.168.1.201

在msf中运行nmap
db_nmap -sS -A 192.168.1.201

Services -u

使用msf进行端口扫描
msf> search portscan
Use auxiliary/scanner/portscan/syn
set RHOSTS
set THREADS 50
run
3 .3针对性扫描
331. 服务器消息块协议扫描
use auxiliary/scanner/smb/smb_version
show options
set RHOSTS
run
332.搜索配置不当的mssql

use auxiliary/scanner/mssql/mssql_ping
show options
set RHOSTS
set THREADS 255
run
333. SSH服务器扫描
use auxiliary/scanner/ssh/ssh_version
set RHOSTS
set THREADS 50
run
334.FTP扫描

use auxiliary/scanner/ftp/ftp_version
set RHOSTS
set THREADS 255
run
335.简单网管协议snmp扫描

msf auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.1.111
RHOSTS => 192.168.1.111
msf auxiliary(scanner/snmp/snmp_login) > set THREADS 50
THREADS => 50
msf auxiliary(scanner/snmp/snmp_login) > run