扫描工具
uniscan
-h help // 显示帮助信息
-u <url> example: https://www.example.com/ //后接域名
-f <file> list of url's //url列表
-b Uniscan go to background //调到后台运行
-q Enable Directory checks //启用目录检查
-w Enable File checks //启用文件检查
-e Enable robots.txt and sitemap.xml check //启用robots.txt和sitemap.xml检查
-d Enable Dynamic checks //启用动态检查
-s Enable Static checks //启用静态检查
-r Enable Stress checks //启用压力检查
-i <dork> Bing search //Bing搜索
-o <dork> Google search //google搜索
-g Web fingerprint //Web指纹
-j Server fingerprint //服务器指纹
dirsearch
-u URL, --url=URL URL target。
-L URLLIST, --url-list=URLLIST。
目标URL列表
-e EXTENSIONS, --extensions=EXTENSIONS。
扩展名列表用逗号隔开(例如:php,asp)
-E, --extensions-list
使用预定义的通用扩展列表
词典设置。
-w WORDLIST,--wordlist=WORDLIST。
-l, -小写
-f, --Force-extensions(强制扩展)
强制扩展每个词表条目(比如在
DirBuster)
一般设置。
-s DELAY, --delay=DELAY。
请求之间的延迟(浮点数)
-r,--递归式
-R RECURSIVE_LEVEL_MAX, --递归级别-max=RECURSIVE_LEVEL_MAX。
最大递归级别(子目录)(默认:1 [仅适用于
rootdir + 1 dir])
--压制-空,--压制-空。
--扫描-子目录=SCANSUBDIRS, --扫描-子目录=SCANSUBDIRS。
扫描给定的-u|--url的子目录(以-u|--url分隔)。
逗号)
--exclud-subdir=EXCLUDESUBDIRS, --exclud-subdirs=EXCLUDESUBDIRS。
在递归过程中排除以下子目录。
扫描
-t THREADSCOUNT, --threads=THREADSCOUNT。
线程数
-x EXCLUDESTATUSCODES,--exclud-status=EXCLUDESTATUSCODES。
排除状态代码,用逗号隔开(例如。301,
500)
--exclud-texts=EXCLUDETEXTS。
以文本排除答复,用逗号隔开。
(例如:"找不到"、"错误")
--exclud-regexps=EXCLUDEREGEXPS。
通过regexps排除响应,用逗号隔开。
(例如:"Not foun[a-z]{1}", "^Error$")
-c COOKIE, --cookie=COOKIE。
--ua=USERAGENT,--user-agent=USERAGENT。
-F, --follow-redirects.
-H HEADERS, --header=HEADERS。
要添加的头信息(例如:--header "Referer:
example.com" --header "User-Agent: IE"
--随机代理,--随机用户代理。
连接设置:
--timeout=TIMEOUT 连接超时。
--ip=IP 将名称解析为IP地址。
--proxy=HTTPPROXY, --http-proxy=HTTPPROXY。
Http代理(例如:localhost:8080)
--http-method=HTTPMETHOD
使用的方法,默认。GET,也可以是: HEAD;POST
--max-retries=MAXRRETIES
-b, --request by hostname(按主机名请求)
默认情况下,dirsearch会以IP为单位进行请求以提高速度。
这就强制按主机名请求
输出报告:
--simple-report=SIMPLEOUTPUTFILE。
只找到路径
-纯文本-报告=PLAINTEXTOUTPUTFILE。
找到状态码的路径
--json-report=JSONOUTPUTFILE。
sql注入工具
sqlmap
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
暴力破解工具
fcrackzip
-b 指定为暴力破解
-D 指定字典来暴力破解
-c 指定字符集,字符集 格式只能为 -c 'aA1!:'
a 表示小写字母[a-z]
A 表示大写字母[A-Z]
1 表示阿拉伯数字[0-9]
! 感叹号表示特殊字符[!:$%&/()=?{[]}+*~#]
: 表示包含冒号之后的字符(不能为二进制的空字符),例如 a1:$% 表示 字符集包含小写字母、数字、$字符和%百分号
-l 指定密码长度,如:-l 1-5
-u 只显示破解出来的密码,其他错误的密码不显示出
fcrackzip -D -p passwd passwd.zip
-D 使用一个字典
-p 初始化password字符串
fcrackzip -b -l 6-6 -c 1 -p 000000 passwd.zip
-b 暴力破解
-l 6-6 限制密码长度为6
-c 1 限制密码是数字
-p 000000 初始化破解起点
fcrackzip -b -l 3-3 -c 1 -v flag.zip
-b 暴力破解
-l 3-3 限制密码长度为3
-c 1 限制密码是数字
-v 显示每一步
rarcrack
rarcrack 文件名 -threads 线程数 -type 文件类型
取证工具
volatility
基本用法
volatility -f [image] --profile=[profile] [plugin]
volatility -f [文件名] imageinfo ----判断系统
查看用户名密码信息
volatility -f 1.vmem --profile=Win7SP1x64 hashdump
查看进程
volatility -f 1.vmem --profile=Win7SP1x64 pslist
查看服务
volatility -f 1.vmem --profile=Win7SP1x64 svcscan
查看网络连接
volatility -f 1.vmem --profile=Win7SP1x64 netscan
查看命令行操作
volatility -f 1.vmem --profile=Win7SP1x64 cmdscan
查看文件
volatility -f 1.vmem --profile=Win7SP1x64 filescan
查看文件内容
volatility -f 1.vmem --profile=Win7SP1x64 dumpfiles -Q 0xxxxxxxx -D ./
查看当前展示的notepad内容
volatility -f 1.vmem --profile=Win7SP1x64 notepad
提取进程
volatility -f 1.vmem --profile=Win7SP1x64 memdump -p xxx --dump-dir=./
屏幕截图
volatility -f 1.vmem --profile=Win7SP1x64 screenshot --dump-dir=./
查看注册表配置单元
volatility -f 1.vmem --profile=Win7SP1x64 hivelist
查看注册表键名/键值
volatility -f 1.vmem --profile=Win7SP1x64 hivedump -o 0xfffff8a001032410
volatility -f 1.vmem --profile=Win7SP1x64 printkey -K "xxxxxxx"
查看运行程序相关的记录,比如最后一次更新时间,运行过的次数等。
volatility -f 1.vmem --profile=Win7SP1x64 userassist
最大程序提取信息
volatility -f 1.vmem --profile=Win7SP1x64 timeliner
LSB隐写神器 zsteg
zsteg 文件名
图片隐写工具 binwalk
Binwalk v2.1.2b
Craig Heffner, http://www.binwalk.org
Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
Disassembly Scan Options:
-Y, --disasm Identify the CPU architecture of a file using the capstone disassembler
-T, --minsn=<int> Minimum number of consecutive instructions to be considered valid (default: 500)
-k, --continue Don't stop at the first match
Signature Scan Options:
-B, --signature Scan target file(s) for common file signatures
-R, --raw=<str> Scan target file(s) for the specified sequence of bytes
-A, --opcodes Scan target file(s) for common executable opcode signatures
-m, --magic=<file> Specify a custom magic file to use
-b, --dumb Disable smart signature keywords
-I, --invalid Show results marked as invalid
-x, --exclude=<str> Exclude results that match <str>
-y, --include=<str> Only show results that match <str>
Extraction Options:
-e, --extract Automatically extract known file types
-D, --dd=<type:ext:cmd> Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-M, --matryoshka Recursively scan extracted files
-d, --depth=<int> Limit matryoshka recursion depth (default: 8 levels deep)
-C, --directory=<str> Extract files/folders to a custom directory (default: current working directory)
-j, --size=<int> Limit the size of each extracted file
-n, --count=<int> Limit the number of extracted files
-r, --rm Delete carved files after extraction
-z, --carve Carve data from files, but don't execute extraction utilities
Entropy Analysis Options:
-E, --entropy Calculate file entropy
-F, --fast Use faster, but less detailed, entropy analysis
-J, --save Save plot as a PNG
-Q, --nlegend Omit the legend from the entropy plot graph
-N, --nplot Do not generate an entropy plot graph
-H, --high=<float> Set the rising edge entropy trigger threshold (default: 0.95)
-L, --low=<float> Set the falling edge entropy trigger threshold (default: 0.85)
Raw Compression Options:
-X, --deflate Scan for raw deflate compression streams
-Z, --lzma Scan for raw LZMA compression streams
-P, --partial Perform a superficial, but faster, scan
-S, --stop Stop after the first result
Binary Diffing Options:
-W, --hexdump Perform a hexdump / diff of a file or files
-G, --green Only show lines containing bytes that are the same among all files
-i, --red Only show lines containing bytes that are different among all files
-U, --blue Only show lines containing bytes that are different among some files
-w, --terse Diff all files, but only display a hex dump of the first file
General Options:
-l, --length=<int> Number of bytes to scan
-o, --offset=<int> Start scan at this file offset
-O, --base=<int> Add a base address to all printed offsets
-K, --block=<int> Set file block size
-g, --swap=<int> Reverse every n bytes before scanning
-f, --log=<file> Log results to file
-c, --csv Log results to file in CSV format
-t, --term Format output to fit the terminal window
-q, --quiet Suppress output to stdout
-v, --verbose Enable verbose output
-h, --help Show help output
-a, --finclude=<str> Only scan files whose names match this regex
-p, --fexclude=<str> Do not scan files whose names match this regex
-s, --status=<int> Enable the status server on the specified port