This post documents, in detail, how I learned and used Kali Linux 2018.1 for penetration testing; the material follows the "Kali Linux Penetration Testing" course from 安全牛课堂. This part covers recon-ng.
1. Introduction
2. Basic usage
3. Using modules
1. Introduction
- Overview
  - Web information-gathering framework
  - Command syntax is consistent with msf (Metasploit)
  - Developed in Python
- How it is used
  - Modules
  - Database
  - Reports
- Global options
  - USER-AGENT
  - Proxy
  - Workspace
  - Snapshot
- Commands
  - Show schema
  - Help
  - Query the database
    - `select * from hosts where host like '%baidu.com%' order by ip_address`
- DBS queries
  - Baidu
  - Bing
  - Yahoo
  - Brute force
- Usage
  - Resolve IP addresses (query the database)
  - Contacts
  - Reports
  - API
2. Basic usage
- help

```
[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add             Adds records to the database
back            Exits the current context
delete          Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads specified module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
reload          Reloads all modules
resource        Executes commands from a resource file
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
unset           Unsets module options
use             Loads specified module
workspaces      Manages workspaces
```
- Adding API keys

```
[recon-ng][default] > keys add
keys add <name> <value>
```

![screenshot](https://img-blog.csdnimg.cn/20190413164336934.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0tldmluaGFuc2Vy,size_16,color_FFFFFF,t_70)

```
[recon-ng][default] > keys add shodan_api LvjCo1SPybDDVs8NSxvm8KZv98ii883d
[recon-ng][sina] > keys list

  +-----------------------------------------------------+
  |       Name       |              Value               |
  +-----------------------------------------------------+
  | bing_api         |                                  |
  | builtwith_api    |                                  |
  | censysio_id      |                                  |
  | censysio_secret  |                                  |
  | flickr_api       |                                  |
  | fullcontact_api  |                                  |
  | github_api       |                                  |
  | google_api       |                                  |
  | google_cse       |                                  |
  | hashes_api       |                                  |
  | instagram_api    |                                  |
  | instagram_secret |                                  |
  | ipinfodb_api     |                                  |
  | jigsaw_api       |                                  |
  | jigsaw_password  |                                  |
  | jigsaw_username  |                                  |
  | linkedin_api     |                                  |
  | linkedin_secret  |                                  |
  | pwnedlist_api    |                                  |
  | pwnedlist_iv     |                                  |
  | pwnedlist_secret |                                  |
  | shodan_api       | LvjCo1SPybDDVs8NSxvm8KZv98ii883d |
  | twitter_api      |                                  |
  | twitter_secret   |                                  |
  +-----------------------------------------------------+
```

- Starting with a workspace, checking the working directory and the global options

```
root@kali:~# recon-ng -w sina
[recon-ng][sina] > help
[recon-ng][sina] > workspaces list
[recon-ng][sina] > shell pwd
[*] Command: pwd
/usr/share/recon-ng
[recon-ng][sina] > show options

  Name        Current Value  Required  Description
  ----------  -------------  --------  -----------
  NAMESERVER  8.8.8.8        yes       nameserver for DNS interrogation
  PROXY                      no        proxy server (address:port)
  THREADS     10             yes       number of threads (where applicable)
  TIMEOUT     10             yes       socket timeout (seconds)
  USER-AGENT  Recon-ng/v4    yes       user-agent string
  VERBOSITY   1              yes       verbosity level (0 = minimal, 1 = verbose, 2 = debug)

[recon-ng][sina] > set PROXY 127.0.0.1:8087
```
3. Using modules
- Searching for modules

```
[recon-ng][sina] > search google
[*] Searching for 'google'...

  Recon
  -----
    recon/domains-hosts/google_site_api
    recon/domains-hosts/google_site_web
```
- Loading a module

```
[recon-ng][sina] > use recon/domains-hosts/google_site_web
[recon-ng][sina][google_site_web] >
```
- Viewing the module options

```
[recon-ng][sina][google_site_web] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)
```
- Showing module information

```
[recon-ng][sina][google_site_web] > show info

      Name: Google Hostname Enumerator
      Path: modules/recon/domains-hosts/google_site_web.py
    Author: Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from Google.com by using the 'site' search operator. Updates the 'hosts' table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs
```
- Setting the target site

```
[recon-ng][sina][google_site_web] > set SOURCE sina.com
SOURCE => sina.com
[recon-ng][sina][google_site_web] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  sina.com       yes       source of input (see 'show info' for details)
```
- Running the module

```
[recon-ng][sina][google_site_web] > run
```
- Querying the database records (the `query` command passes the SQL straight to the workspace database; use straight single quotes around the pattern)

```
query select * from hosts where host like '%baidu.com%' order by ip_address
query select * from hosts where host like '%www%'
```
- Brute-forcing hostnames

```
[recon-ng][sina] > use recon/domains-hosts/brute_hosts
[recon-ng][sina][brute_hosts] > show options

  Name      Current Value                           Required  Description
  --------  --------------------------------------  --------  -----------
  SOURCE    default                                 yes       source of input (see 'show info' for details)
  WORDLIST  /usr/share/recon-ng/data/hostnames.txt  yes       path to hostname wordlist

[recon-ng][sina][brute_hosts] > set SOURCE sina.com
SOURCE => sina.com
[recon-ng][sina][brute_hosts] > run
```
- Querying the records (the brute_hosts module only discovers names; the ip_address column stays empty until the resolve module is run)

```
[recon-ng][sina][brute_hosts] > query select * from hosts where host like '%sina.com.cn%'

  +------------------------------------------------------------------------------------------------+
  | host                      | ip_address | region | country | latitude | longitude | module      |
  +------------------------------------------------------------------------------------------------+
  | blog.sina.com.cn          |            |        |         |          |           | brute_hosts |
  | blogx.sina.com.cn         |            |        |         |          |           | brute_hosts |
  | theone.sina.com.cn        |            |        |         |          |           | brute_hosts |
  | gd.sina.com.cn            |            |        |         |          |           | brute_hosts |
  | imap.sina.com.cn          |            |        |         |          |           | brute_hosts |
  | mail.sina.com.cn          |            |        |         |          |           | brute_hosts |
  | common7.dpool.sina.com.cn |            |        |         |          |           | brute_hosts |
  | music.dpool.sina.com.cn   |            |        |         |          |           | brute_hosts |
  | common6.dpool.sina.com.cn |            |        |         |          |           | brute_hosts |
  | pop3.sina.com.cn          |            |        |         |          |           | brute_hosts |
  | smtp.sina.com.cn          |            |        |         |          |           | brute_hosts |
  | xcz.sina.com.cn           |            |        |         |          |           | brute_hosts |
  | ara.sina.com.cn           |            |        |         |          |           | brute_hosts |
  | wap.sina.com.cn           |            |        |         |          |           | brute_hosts |
  | us.sina.com.cn            |            |        |         |          |           | brute_hosts |
  +------------------------------------------------------------------------------------------------+

[*] 15 rows returned
```
- Resolving the queried hostnames to IP addresses (SOURCE accepts a `query <sql>` that must return exactly one column, here the host names)

```
[recon-ng][sina][brute_hosts] > search resolv
[*] Searching for 'resolv'...

  Recon
  -----
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/netblocks-hosts/reverse_resolve

[recon-ng][sina][brute_hosts] > use recon/hosts-hosts/resolve
[recon-ng][sina][resolve] > set SOURCE query select host from hosts where host like '%sina.com.cn%'
[recon-ng][sina][resolve] > run
[recon-ng][sina][resolve] > show hosts
```
- Generating a report (SANITIZE defaults to True, which masks sensitive data such as credentials in the report)

```
[recon-ng][sina][resolve] > search reporting
[*] Searching for 'reporting'...

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

[recon-ng][sina][resolve] > use reporting/html
[recon-ng][sina][html] > show options

  Name      Current Value                                 Required  Description
  --------  --------------------------------------------  --------  -----------
  CREATOR                                                 yes       creator name for the report footer
  CUSTOMER                                                yes       customer name for the report header
  FILENAME  /root/.recon-ng/workspaces/sina/results.html  yes       path and filename for report output
  SANITIZE  True                                          yes       mask sensitive data in the report

[recon-ng][sina][html] > set CREATOR AAAA
CREATOR => AAAA
[recon-ng][sina][html] > set CUSTOMER BBBB
CUSTOMER => BBBB
[recon-ng][sina][html] > run
[*] Report generated at '/root/.recon-ng/workspaces/sina/results.html'.
```
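The whole workflow above (brute-force the hostnames, resolve them, report) as one recon-ng resource file, so it can be replayed against a workspace, for example to re-check your own organisation's externally visible hostnames after every DNS change. This is an example added here, not code from the course or from the recon-ng project; it assumes that recon-ng 4.x accepts `-r <file>` to execute a resource file at start-up, that the file holds one console command per line with no comments or blank lines, and that CREATOR and CUSTOMER are placeholders to replace.

```text
use recon/domains-hosts/brute_hosts
set SOURCE sina.com
run
use recon/hosts-hosts/resolve
set SOURCE query select host from hosts where host like '%sina.com.cn%'
run
query select host, module from hosts where ip_address is null
use reporting/html
set CREATOR AAAA
set CUSTOMER BBBB
run
exit
```

Launch it with `recon-ng -w sina -r sina.rc` (the file name is arbitrary); the `query` line between the two modules lists names that brute_hosts produced but resolve could not map to an address, which is worth looking at before trusting the report.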