This article records the detailed process of learning and using Kali Linux 2018.1 for penetration testing. The tutorial followed is the course "Kali Linux Penetration Testing" from Security Niu Classroom.
1. Introduction
- Search for exploit modules based on the results of information gathering
- Combine with an external vulnerability scanner to scan large IP address ranges in batches
- Pay attention to the false-positive rate and the false-negative rate of the scanner
2. VNC password cracking
- use auxiliary/scanner/vnc/vnc_login
msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(scanner/vnc/vnc_login) > set BLANK_PASSWORDS true
msf auxiliary(scanner/vnc/vnc_login) > set THREADS 20
msf auxiliary(scanner/vnc/vnc_login) > set RHOSTS 10.10.10.142
msf auxiliary(scanner/vnc/vnc_login) > run
3. VNC passwordless access (no password set)
- use auxiliary/scanner/vnc/vnc_none_auth
If the server advertises the security type None, it can be accessed without any password.
msf > use auxiliary/scanner/vnc/vnc_none_auth
msf auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 10.10.10.142
msf auxiliary(scanner/vnc/vnc_none_auth) > run
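What both VNC modules above act on is the security-type list a VNC server sends right after the protocol version. The following audit helper, added here as an example and not part of the course, parses that server handshake offline and flags servers that offer the security type None. The handshake bytes and the host names are constructed, not captured from a real host.

```python
"""Audit helper for exposed VNC: parse the server half of an RFB handshake and
report which security types it advertises.  Added example, not course material;
the handshake bytes below are constructed, not captured from a real host."""
import struct

# Security-type codes from the RFB protocol (RFC 6143 and common extensions).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}

# Constructed server handshakes: 12-byte version string, then the type list.
OPEN_SERVER = b"RFB 003.008\n" + bytes([2, 1, 2])          # offers None and VNC auth
LOCKED_SERVER = b"RFB 003.008\n" + bytes([1, 2])           # VNC auth only
LEGACY_SERVER = b"RFB 003.003\n" + struct.pack("!I", 1)    # RFB 3.3, single type: None


def parse_rfb_security(data: bytes) -> dict:
    """Return the protocol version and the security types a server offers."""
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB handshake")
    version = data[:12].decode("ascii").strip()
    major, minor = int(version[4:7]), int(version[8:11])
    rest = data[12:]
    if not rest:
        raise ValueError("handshake truncated before the security-type list")
    if (major, minor) < (3, 7):
        # RFB 3.3: the server dictates one 32-bit security type.
        (sec_type,) = struct.unpack("!I", rest[:4])
        types = [sec_type]
    else:
        # RFB 3.7+: a one-byte count followed by that many one-byte types.
        count = rest[0]
        if count == 0:
            raise ValueError("server refused the connection")
        types = list(rest[1:1 + count])
    return {"version": version, "types": types,
            "names": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]}


def allows_unauthenticated(data: bytes) -> bool:
    """True when security type 1 (None) is offered, i.e. no password is needed."""
    return 1 in parse_rfb_security(data)["types"]


if __name__ == "__main__":
    for name, hs in [("open", OPEN_SERVER), ("locked", LOCKED_SERVER), ("legacy", LEGACY_SERVER)]:
        info = parse_rfb_security(hs)
        print(f"{name}: {info['version']} offers {info['names']}; "
              f"unauthenticated={'yes' if allows_unauthenticated(hs) else 'no'}")
```

For an inventory of your own hosts, feed the first bytes read from each VNC port into parse_rfb_security and treat any result containing None as a finding to fix (require VNC authentication or, better, put the service behind SSH/TLS).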
4. RDP Remote Desktop Vulnerability
- use auxiliary/scanner/rdp/ms12_020_check
The check module only probes the service; it does not trigger the denial of service.
msf > use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(scanner/rdp/ms12_020_check) > set RHOSTS 10.10.10.140-150
msf auxiliary(scanner/rdp/ms12_020_check) > run
A host reported as vulnerable in the output is missing the MS12-020 patch.
5. Device backdoor
- use auxiliary/scanner/ssh/juniper_backdoor # Juniper firewall
- use auxiliary/scanner/ssh/fortinet_backdoor # Fortinet firewall
6. VMware ESXi password cracking
- use auxiliary/scanner/vmware/vmauthd_login
- use auxiliary/scanner/vmware/vmware_enum_vms
7. Use WEB API to remotely start the virtual machine
- use auxiliary/admin/vmware/poweron_vm
8. HTTP Vulnerability Scanning
Expired certificates
- use auxiliary/scanner/http/cert
msf > use auxiliary/scanner/http/cert
msf auxiliary(scanner/http/cert) > set RHOSTS 10.10.10.130-150
msf auxiliary(scanner/http/cert) > set THREADS 20
msf auxiliary(scanner/http/cert) > run
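The condition this module reports, a certificate past its notAfter date, is something a defender can check on their own endpoints on a schedule. The following check is an added example, not course material; it classifies a certificate dictionary in the shape returned by Python's ssl.SSLSocket.getpeercert(). The two certificate dictionaries and the reference time are constructed; the host names are placeholders.

```python
"""Certificate-expiry check for your own HTTPS endpoints, the condition that
scanner/http/cert reports.  Added example, not course material.  The
dictionaries below are constructed to mirror ssl.SSLSocket.getpeercert()."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed certificates (placeholder names) and a constructed reference time.
EXPIRING_CERT = {"subject": ((("commonName", "www.example.test"),),),
                 "notAfter": "Jan  5 09:34:43 2019 GMT"}
EXPIRED_CERT = {"subject": ((("commonName", "old.example.test"),),),
                "notAfter": "Mar  1 00:00:00 2018 GMT"}
CHECK_TIME = datetime(2018, 12, 20, tzinfo=timezone.utc)


def cert_status(cert: dict, now: datetime, warn_days: int = 30) -> dict:
    """Classify a getpeercert()-style dict as 'expired', 'expiring' or 'ok'.
    'notAfter' uses OpenSSL's text form, e.g. 'Jan  5 09:34:43 2019 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    days_left = (expires - now).days
    # subject is a tuple of RDNs, each itself a tuple of (key, value) pairs
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    if days_left < 0:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"common_name": subject.get("commonName", "?"),
            "expires": expires.isoformat(), "days_left": days_left, "status": status}


def fetch_cert_status(host: str, port: int = 443, timeout: float = 5.0,
                      warn_days: int = 30) -> dict:
    """Live variant (network required; not exercised offline).  An already
    expired certificate never reaches getpeercert(): verification fails first
    with verify_code 10 (X509_V_ERR_CERT_HAS_EXPIRED), so report that path
    from the exception instead of silently disabling verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return cert_status(tls.getpeercert(), datetime.now(timezone.utc), warn_days)
    except ssl.SSLCertVerificationError as err:
        status = "expired" if err.verify_code == 10 else "untrusted"
        return {"common_name": host, "expires": None, "days_left": None,
                "status": status, "reason": err.verify_message}


if __name__ == "__main__":
    for cert in (EXPIRING_CERT, EXPIRED_CERT):
        print(cert_status(cert, CHECK_TIME))
```

Run fetch_cert_status against each of your own TLS endpoints from a cron job and alert on anything other than "ok"; the 30-day warning window is an assumption you can tune.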
Exposed directory listings and files
- use auxiliary/scanner/http/dir_listing
msf > use auxiliary/scanner/http/dir_listing
msf auxiliary(scanner/http/dir_listing) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/dir_listing) > set PATH dav
msf auxiliary(scanner/http/dir_listing) > run
- use auxiliary/scanner/http/files_dir
msf auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/files_dir
msf auxiliary(scanner/http/files_dir) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/files_dir) > run
WebDAV Unicode encoding authentication bypass
- use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > set THREADS 20
msf auxiliary(scanner/http/dir_webdav_unicode_bypass) > run
Tomcat manager login page
- use auxiliary/scanner/http/tomcat_mgr_login
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/tomcat_mgr_login) > run
Authentication bypass based on HTTP methods
- use auxiliary/scanner/http/verb_auth_bypass
msf > use auxiliary/scanner/http/verb_auth_bypass
msf auxiliary(scanner/http/verb_auth_bypass) > set RHOSTS 10.10.10.132
msf auxiliary(scanner/http/verb_auth_bypass) > run
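The misconfiguration this module looks for is usually an access control that only covers the HTTP methods it lists. In Apache httpd, for instance, auth directives placed inside <Limit GET POST> apply to GET and POST only, so any other verb reaches the resource unauthenticated. The following config audit is an added example, not course material: it scans an httpd configuration text for <Limit> blocks that wrap auth directives and shows the weak block beside the corrected form. Both configuration snippets are constructed.

```python
"""Config audit for the verb-tampering weakness probed by
scanner/http/verb_auth_bypass.  Added example, not course material.  In Apache
httpd, access controls inside <Limit GET POST> apply only to the listed methods;
any other verb reaches the resource without authentication.  Both configs below
are constructed."""
import re

# Directives that grant or restrict access; none of them belongs inside <Limit>.
AUTH_DIRECTIVES = ("AuthType", "AuthName", "AuthUserFile", "Require",
                   "Order", "Deny", "Allow")

# Weak: authentication is only enforced for GET and POST.
WEAK_CONF = """\
<Directory "/var/www/html/admin">
    <Limit GET POST>
        AuthType Basic
        AuthName "Admin"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Limit>
</Directory>
"""

# Fixed: authentication applies to every method, and unexpected verbs are denied.
FIXED_CONF = """\
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</Directory>
"""

# Matches <Limit ...> ... </Limit>; the \s+ keeps it from matching <LimitExcept>.
LIMIT_BLOCK = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.IGNORECASE | re.DOTALL)


def find_verb_limited_auth(conf: str) -> list:
    """Return one finding per <Limit> block that wraps an auth/access directive."""
    findings = []
    for m in LIMIT_BLOCK.finditer(conf):
        methods, body = m.group(1).split(), m.group(2)
        wrapped = [d for d in AUTH_DIRECTIVES
                   if re.search(rf"^\s*{d}\b", body, re.MULTILINE)]
        if wrapped:
            line = conf.count("\n", 0, m.start()) + 1
            findings.append({
                "line": line,
                "methods": methods,
                "directives": wrapped,
                "advice": "move these directives outside <Limit>, or use <LimitExcept>",
            })
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, find_verb_limited_auth(conf))
```

The same idea applies to other servers (web.xml security-constraint elements listing http-method, IIS handler mappings with a verb list): an allow-list of methods around an access rule is a finding, and the fix is to enforce the rule for all methods and deny the verbs you do not serve.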
WordPress login brute force
- use auxiliary/scanner/http/wordpress_login_enum
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 10.10.10.151
msf auxiliary(scanner/http/wordpress_login_enum) > run
9. wmap
WMAP WEB APPLICATION SCANNER
- Developed according to how sqlmap works
- load wmap
- wmap_sites -a http://1.1.1.1
- wmap_targets -t http://1.1.1.1/mutillidae/index.php
- wmap_run -t # list all modules
- wmap_run -e # start scanning
- wmap_vulns -l # View scanned vulnerabilities
- vulns # list the vulnerabilities recorded in the database
msf > load wmap
msf > wmap_sites -h
msf > wmap_sites -a http://10.10.10.132
msf > wmap_targets -t http://10.10.10.132/mutillidae/index.php
msf > wmap_run -h
msf > wmap_run -t
msf > wmap_run -e
msf > wmap_vulns -l
msf > vulns
10. openvas
- load openvas
Command-line mode; it needs to be configured before use and is used frequently.
msf > load openvas
msf > openvas_help
After scanning with the scanner, export the report
- import the nbe-format scan log into msf
db_import openvas.nbe
msf > db_import 1.nbe
msf > vulns
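The .nbe file that db_import reads is a plain pipe-delimited text export, so it can also be triaged outside msf, for example to rank findings for a remediation ticket. The following parser is an added example, not course material; it assumes the layout results|subnet|host|port|plugin_id|severity|description with the severity labels Security Hole, Security Warning, Security Note and Log Message. The sample export, including its plugin ids and descriptions, is constructed and not output from a real scan.

```python
"""Triage helper for the NBE export (Nessus/OpenVAS legacy format) that
db_import reads.  Added example, not course material.  Assumes the layout
results|subnet|host|port|plugin_id|severity|description; the sample export
below, including plugin ids and descriptions, is constructed."""
from collections import Counter, defaultdict

# Higher rank = more urgent.  Labels as written by the scanners' NBE exporter.
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2,
                 "Security Note": 1, "Log Message": 0}

# Constructed sample export; hosts are the lab addresses used in this article.
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Jan 01 10:00:00 2018|
timestamps||10.10.10.132|host_start|Mon Jan 01 10:00:01 2018|
results|10.10.10|10.10.10.132|www (80/tcp)|90001|Security Note|HTTP server banner observed.
results|10.10.10|10.10.10.132|www (80/tcp)|90002|Security Hole|WebDAV accepts unauthenticated uploads.
results|10.10.10|10.10.10.132|vnc (5900/tcp)|90003|Security Hole|VNC server allows access without a password.
results|10.10.10|10.10.10.140|msrdp (3389/tcp)|90004|Security Warning|Remote Desktop service missing a security update.
timestamps||10.10.10.132|host_end|Mon Jan 01 10:05:00 2018|
"""


def parse_nbe(text: str) -> list:
    """Return one dict per 'results' record; timestamps and junk lines are skipped."""
    findings = []
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 7:
            continue
        _, subnet, host, port, plugin, severity, *desc = fields
        findings.append({"host": host, "port": port, "plugin": plugin,
                         "severity": severity,
                         # the description may itself contain '|'; keep it whole
                         "description": "|".join(desc).strip()})
    return findings


def summarize(findings: list, min_rank: int = 2):
    """Per-host severity counts plus the findings at or above min_rank,
    most severe first (Warning and Hole by default)."""
    by_host = defaultdict(Counter)
    for f in findings:
        by_host[f["host"]][f["severity"]] += 1
    actionable = sorted(
        (f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= min_rank),
        key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"], f["port"]),
    )
    return by_host, actionable


if __name__ == "__main__":
    hosts, todo = summarize(parse_nbe(SAMPLE_NBE))
    for host, counts in sorted(hosts.items()):
        print(host, dict(counts))
    for f in todo:
        print(f"[{f['severity']}] {f['host']} {f['port']}: {f['description']}")
```

Used alongside db_import, this gives a quick independent count to compare against what msf's vulns command shows, which helps catch records the importer dropped.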
11. Calling Nessus directly from MSF to scan
- load nessus
- nessus_help
- nessus_connect admin:[email protected]
- nessus_policy_list
- nessus_scan_new
- nessus_report_list