Kali Penetration Testing Tutorial Notes

2018/04/01 posted in  Kali Penetration Testing
  1. A freshly installed Metasploitable2 system needs /var/www/mutillidae/config.inc edited so that $dbname is set to owasp10; otherwise any simulated penetration test against Mutillidae will fail.

    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = '';
    $dbname = 'owasp10'; # the original value was metasploitable
  2. During forensic collection, nc can be used to pass information to the forensic machine without modifying the target host. First, listen on a port on the forensic machine.

    # forensic machine (10.1.1.12)
    nc -l -p 3000  # listen on port 3000
    # target machine
    ls -al | nc -nv 10.1.1.12 3000 # pipe the output of ls -al straight to the forensic machine
    ps aux | nc -nv 10.1.1.12 3000 -q 1 # -q 1 makes nc exit by itself 1 second after the command's output ends
  3. Transferring files with nc

    # receive a file sent back from the target machine
    nc -l -p 3000 > a.txt # forensic machine: listen on the port and write whatever arrives to a.txt
    nc -nv 10.1.1.12 3000 -q 1 < a.txt # target machine: redirect a.txt into nc to send it to the forensic machine
    # send a file to the target machine
    nc -q 1 -lp 3000 < a.txt # forensic machine: serve a.txt to whoever connects
    nc -nv 10.1.1.12 3000 > a.txt # target machine: connect and save the stream as a.txt
  4. Transferring directories with nc

    Transferring a directory is really just packing it into a tar archive first and then transferring that archive as a file.

    tar -cvf - music | nc -lp 3000 -q 1 # sending side (10.1.1.12): write the tar stream into nc
    nc -nv 10.1.1.12 3000 | tar -xvf - # receiving side: unpack the stream as it arrives
    
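    The same listener/sender pattern as items 2 to 4, as an added Python example that is not part of the original notes: one side plays `nc -l -p PORT > file` on the forensic machine, the other plays `tar -cf - DIR | nc HOST PORT -q 1` on the target, and both sides hash the stream so the collected archive can be verified before it is unpacked (nc itself gives you no such check). Everything runs on 127.0.0.1; the directory name `music`, the file contents and the port are constructed for the demo and assumed, not taken from the notes.

```python
"""Added example (not from the original notes): an nc-style evidence channel on
loopback, plus the integrity check a forensic workflow needs.
All hosts, ports, directory names and file contents are constructed for the demo.
"""
import hashlib
import io
import os
import socket
import tarfile
import tempfile
import threading


def receive_to_file(listener: socket.socket, out_path: str) -> str:
    """Accept one connection, stream everything to out_path, return SHA-256 hex.

    Mirrors `nc -l -p PORT > out_path`; hashing as the bytes arrive gives a
    digest of exactly what was written, before anyone touches the file.
    """
    conn, _peer = listener.accept()
    digest = hashlib.sha256()
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:            # sender closed its side, as nc -q does after EOF
                break
            digest.update(chunk)
            out.write(chunk)
    return digest.hexdigest()


def send_directory(host: str, port: int, directory: str) -> str:
    """Tar `directory` straight into the socket, like `tar -cf - DIR | nc HOST PORT`.

    Returns the SHA-256 of the bytes actually sent, so the two sides can compare.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(directory, arcname=os.path.basename(directory))
    payload = buf.getvalue()
    with socket.create_connection((host, port)) as sock:
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)   # signal EOF so the receiver's read loop ends
    return hashlib.sha256(payload).hexdigest()


def demo() -> dict:
    """Run both sides on 127.0.0.1; return both digests and the archive's member list."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "music")               # constructed sample directory
    os.makedirs(src)
    with open(os.path.join(src, "track1.txt"), "w") as f:
        f.write("sample evidence file\n")

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                 # ephemeral port stands in for 3000
    listener.listen(1)
    port = listener.getsockname()[1]
    evidence = os.path.join(work, "evidence.tar")

    result = {}

    def receiver():
        result["received_sha256"] = receive_to_file(listener, evidence)

    t = threading.Thread(target=receiver)
    t.start()
    result["sent_sha256"] = send_directory("127.0.0.1", port, src)
    t.join()
    listener.close()

    # Only look inside the archive once both digests agree; a plain
    # `nc ... | tar -xvf -` unpacks whatever arrived, verified or not.
    if result["sent_sha256"] != result["received_sha256"]:
        raise RuntimeError("evidence archive digest mismatch")
    with tarfile.open(evidence) as tar:
        result["members"] = sorted(tar.getnames())
    return result


if __name__ == "__main__":
    print(demo())
```

    Record the sender-side digest separately from the evidence file (for example in the case notes) so that the received copy can be re-verified later; the digest is what makes the nc transfer defensible, not the transfer itself.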
  5. Encrypted file transfer works the same way: encrypt the file with an encryption command first, and decrypt it on the receiving machine after it arrives.

  6. Using nslookup

    # basic usage
    root@kali:~# nslookup
    > www.sina.com
    Server: 192.168.31.1
    Address: 192.168.31.1#53
    Non-authoritative answer:
    www.sina.com canonical name = us.sina.com.cn.
    us.sina.com.cn canonical name = spool.grid.sinaedge.com.
    Name: spool.grid.sinaedge.com
    Address: 202.102.94.124
    # query only A records (there is also the AAAA record, which holds the IPv6 address)
    > set type=a
    > sina.com
    Server: 192.168.31.1
    Address: 192.168.31.1#53
    Non-authoritative answer:
    Name: sina.com
    Address: 66.102.251.33
    # query the mail MX records
    > set type=mx
    > sina.com
    Server: 192.168.31.1
    Address: 192.168.31.1#53
    Non-authoritative answer:
    sina.com mail exchanger = 5 freemx1.sinamail.sina.com.cn.
    sina.com mail exchanger = 10 freemx3.sinamail.sina.com.cn.
    sina.com mail exchanger = 10 freemx2.sinamail.sina.com.cn.
    Authoritative answers can be found from:
    # reverse lookup
    > set type=ptr
    > 106.14.114.55
    Server: 114.114.114.114
    Address: 114.114.114.114#53
    ** server can't find 55.114.14.106.in-addr.arpa: NXDOMAIN

    Reverse resolution has to be provided by the ISP, but ISPs in China generally do not expose it, so to test reverse resolution use a foreign DNS server and the IP of a foreign site.

    > set type=ptr
    > set type=any
    > google.com
    Server: 8.8.8.8
    Address: 8.8.8.8#53
    Non-authoritative answer:
    Name: google.com
    Address: 216.58.200.238
    Name: google.com
    Address: 2404:6800:4008:802::200e
    google.com nameserver = ns3.google.com.
    google.com text = "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
    google.com mail exchanger = 30 alt2.aspmx.l.google.com.
    google.com nameserver = ns2.google.com.
    google.com text = "v=spf1 include:_spf.google.com ~all"
    google.com mail exchanger = 50 alt4.aspmx.l.google.com.
    google.com rdata_257 = 0 issue "pki.goog"
    google.com mail exchanger = 10 aspmx.l.google.com.
    google.com mail exchanger = 20 alt1.aspmx.l.google.com.
    google.com
    origin = ns1.google.com
    mail addr = dns-admin.google.com
    serial = 191277663
    refresh = 900
    retry = 900
    expire = 1800
    minimum = 60
    google.com mail exchanger = 40 alt3.aspmx.l.google.com.
    google.com nameserver = ns4.google.com.
    google.com nameserver = ns1.google.com.
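
    Two parts of the nslookup session above are worth scripting, so here is an added Python example (not from the original notes): `reverse_name()` builds the PTR query name that nslookup derived for 106.14.114.55 (visible in its NXDOMAIN message as 55.114.14.106.in-addr.arpa) and generalises the same rule to IPv6 under ip6.arpa, and `parse_mx()` turns the `mail exchanger = PRIORITY HOST` lines into a priority-sorted list. The sample MX text is the sina.com output copied from above; no network access is needed.

```python
"""Added example (not from the original notes): helpers for the nslookup output
above. SAMPLE_MX is the sina.com MX output copied from the session; nothing is
queried over the network.
"""
import ipaddress
import re

SAMPLE_MX = """\
sina.com mail exchanger = 5 freemx1.sinamail.sina.com.cn.
sina.com mail exchanger = 10 freemx3.sinamail.sina.com.cn.
sina.com mail exchanger = 10 freemx2.sinamail.sina.com.cn.
"""

# "<owner> mail exchanger = <priority> <host>" as printed by nslookup
_MX_LINE = re.compile(r"^(\S+)\s+mail exchanger\s*=\s*(\d+)\s+(\S+)\s*$")


def reverse_name(ip: str) -> str:
    """Return the PTR query name for an IPv4 or IPv6 address.

    IPv4: the four octets in reverse order under in-addr.arpa.
    IPv6: all 32 hex nibbles of the fully expanded address, reversed, under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)           # raises ValueError on a malformed address
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def parse_mx(text: str) -> list[tuple[int, str]]:
    """Parse nslookup MX output into (priority, host) pairs, lowest priority first.

    Lines that are not MX records (Server:, Address:, ...) are ignored, so the
    whole nslookup transcript can be passed in.
    """
    records = []
    for line in text.splitlines():
        m = _MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3).rstrip(".")))
    return sorted(records)


def self_check() -> bool:
    """Cross-check reverse_name() against the standard library's reverse_pointer."""
    samples = ["106.14.114.55", "2404:6800:4008:802::200e"]
    return all(reverse_name(s) == ipaddress.ip_address(s).reverse_pointer for s in samples)


if __name__ == "__main__":
    print(reverse_name("106.14.114.55"))
    print(reverse_name("2404:6800:4008:802::200e"))
    print(parse_mx(SAMPLE_MX))
    print("self-check:", self_check())
```

    The lowest MX priority value is the preferred mail exchanger, which is why the sorted list puts freemx1 first; equal priorities (the two 10s) are tried in no particular order, so the parser simply sorts them by name.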