Kali is a collection of network security auditing tools recognised throughout the security and penetration-testing industry worldwide, and is widely used for security testing and auditing of devices, systems and networks. The number and power of the testing tools it contains make it suitable for almost any kind of security work. For the security problems that networks and systems produce or currently have, such as finding system weaknesses, security vulnerabilities and technical defects, it is fully up to the task.

2025.02, Guangdong, Dongguan, Sanyapo, Huawei Employee Training Centre

Penetration testing overview

Penetration testing

Penetration generally refers to network penetration. Network penetration is a common attack method and also a comprehensive, advanced attack technique: a roundabout, incremental way of attacking network hosts or groups of network servers, which enters the network step by step through long-term, planned penetration and finally gains complete control of the whole network. The whole process includes active analysis of the system's weaknesses, technical defects or vulnerabilities. Penetration testing differs from other assessment methods. Ordinary assessment methods start from known information resources or other assessed objects and try to discover all related security problems. Penetration testing starts from known exploitable security vulnerabilities and tries to discover whether the corresponding information resources exist. Penetration testing pays more attention to the severity of security vulnerabilities.

Common tool categories

  1. Network penetration testing tools
  2. Web application penetration testing tools
  3. Database penetration testing tools
  4. Automated penetration testing tools

Common tools

  1. Nmap
  2. Metasploit
  3. Wireshark
  4. Burp Suite
  5. SQLmap
  6. Aircrack-ng

Penetration testing execution standard

  1. Pre-engagement interaction
    1. Define the scope, objectives, constraints and contract details of the penetration test
    2. Obtain the client's written engagement and authorisation
  2. Intelligence gathering
  3. Threat modelling
  4. Vulnerability analysis
  5. Exploitation
  6. Post-exploitation
    1. Maintaining access
    2. Internal network penetration
  7. Reporting
    1. Executive summary
    2. Test background and results

Installing Kali

Configuration

```bash
# Switch to root
sudo su -
# Switch the apt sources to a local mirror
sed -i "s@http://http.kali.org/kali@https://mirrors.tuna.tsinghua.edu.cn/kali@g" /etc/apt/sources.list
# Update the system
apt update
apt upgrade -y
apt autoremove -y
# Install basic tools
apt install -y curl wget net-tools git vim
# Start the SSH service
apt install -y openssh-server
systemctl enable --now sshd.service
# Use chrony to manage time
apt install -y chrony
systemctl enable chrony --now
# Use Beijing time
timedatectl set-timezone Asia/Shanghai
# Use the 24-hour clock
echo 'LC_TIME=en_US.UTF-8' >> /etc/default/locale
echo 'LC_ALL=en_US.UTF-8' >> /etc/default/locale

# Make vim the default editor: choose option 3, vim.basic
update-alternatives --config editor
# Configure a static IP address on the NetworkManager connection profile
nmcli c m Wired\ connection\ 1 ipv4.method man ipv4.addr 192.168.24.83/24 ipv4.dns 192.168.24.2 ipv4.gateway 192.168.24.2
# The modified profile only takes effect once the connection is brought up again
nmcli c up Wired\ connection\ 1
```

Information gathering

Information gathering is the first step of a network attack, the most critical phase and the one that takes the longest. For particularly difficult targets, information gathering may continue throughout the different phases of the penetration test.

Main contents of information gathering

  1. Network parameters
  2. Ports
  3. Web page information
  4. Domain name information
  5. Directory information
  6. Any other information that can be obtained

General-purpose tools

Network scanner nmap

  1. Detect whether a host is online
  2. Scan a host's ports and identify the network services it offers
  3. Infer the operating system the host runs
```
# Show version information
$ nmap --version
Nmap version 7.95 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.4.7 openssl-3.4.0 libssh2-1.11.1 libz-1.3.1 libpcre2-10.44 libpcap-1.10.5 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
# Scan for live hosts on the LAN
$ nmap -sn 192.168.24.1-255
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-27 17:37 CST
Nmap scan report for 192.168.24.1
Host is up (0.00038s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.24.2
Host is up (0.00025s latency).
MAC Address: 00:50:56:E9:06:E0 (VMware)
Nmap scan report for 192.168.24.82
Host is up (0.00030s latency).
MAC Address: 00:0C:29:B2:5B:3E (VMware)
Nmap scan report for 192.168.24.99
Host is up (0.00020s latency).
MAC Address: 00:50:56:FC:C9:BF (VMware)
Nmap scan report for 192.168.24.83
Host is up.
Nmap done: 255 IP addresses (5 hosts up) scanned in 2.21 seconds
# Detect the host's operating system
$ nmap -O 192.168.24.82
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-27 17:38 CST
Nmap scan report for 192.168.24.82
Host is up (0.0010s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
9090/tcp open zeus-admin
MAC Address: 00:0C:29:B2:5B:3E (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds
# Detailed probe of the host (OS, service versions, default scripts, traceroute)
$ nmap -A 192.168.24.82
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-27 17:40 CST
Nmap scan report for 192.168.24.82
Host is up (0.00070s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6 (protocol 2.0)
| ssh-hostkey:
| 256 e8:51:03:73:4a:95:61:5d:1c:80:a0:8d:ef:2f:b0:f4 (ECDSA)
|_ 256 48:f6:b9:9f:60:2b:bc:aa:db:18:58:3b:79:13:d0:b8 (ED25519)
9090/tcp open ssl/http Cockpit web service
| ssl-cert: Subject: commonName=docker/organizationName=4d291dc545804923939908878491bfe1
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2025-02-21T12:54:30
|_Not valid after: 2026-03-23T12:54:30
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| X-Frame-Options: sameorigin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
|_ font-weight: 300;
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Loading...
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:B2:5B:3E (VMware)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.70 ms 192.168.24.82

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.91 seconds
# Trace the route to a host
$ nmap --traceroute www.sujx.net
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-27 17:46 CST
Nmap scan report for www.sujx.net (39.101.1.251)
Host is up (0.0033s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.10 ms 192.168.24.2
2 0.12 ms 39.101.1.251

Nmap done: 1 IP address (1 host up) scanned in 53.96 seconds
# Scan a specific port
$ nmap -p 443 www.sujx.net
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-27 18:26 CST
Nmap scan report for www.sujx.net (39.101.1.251)
Host is up (0.0039s latency).

PORT STATE SERVICE
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
```
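
As an added example (not from these notes and not part of nmap), the Python script below turns nmap's normal output into a per-host inventory of open ports and flags any port that is not on an allowlist, which is how a defender reviews a scan like the ones above. The sample text is a constructed excerpt modelled on the scans shown.

```python
"""Turn nmap normal output into a per-host inventory and flag unexpected open ports.
Added example: not from the original notes and not part of nmap."""
import re

# Constructed sample, trimmed from the -O and --traceroute scans shown on the page.
SAMPLE = """\
Nmap scan report for 192.168.24.82
Host is up (0.0010s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
9090/tcp open  zeus-admin
MAC Address: 00:0C:29:B2:5B:3E (VMware)
OS details: Linux 4.15 - 5.19
Nmap scan report for www.sujx.net (39.101.1.251)
Host is up (0.0033s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 2 IP addresses (2 hosts up) scanned in 55.71 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
OS_RE = re.compile(r"^OS details: (.+)$")


def parse_nmap(text):
    """Return {target: {"ip": str, "os": str|None, "ports": [(port, proto, state, service)]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:  # a new "Nmap scan report for" line starts a new host block
            name, ip = m.group(1), m.group(2) or m.group(1)
            current = hosts.setdefault(name, {"ip": ip, "os": None, "ports": []})
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            current["ports"].append((int(port), proto, state, service))
            continue
        m = OS_RE.match(line)
        if m:
            current["os"] = m.group(1)
    return hosts


def unexpected_services(hosts, allowlist):
    """Open ports not in allowlist {target: {port, ...}}: the items a defender reviews first."""
    findings = []
    for name, info in hosts.items():
        allowed = allowlist.get(name, set())
        for port, proto, state, service in info["ports"]:
            if state == "open" and port not in allowed:
                findings.append((name, port, service))
    return findings


if __name__ == "__main__":
    inv = parse_nmap(SAMPLE)
    print(unexpected_services(inv, {"192.168.24.82": {22}, "www.sujx.net": {22, 80, 443}}))
```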

Specialised tools

DNS enumeration

dnsenum
```
# Enumerate a domain, using cctv as the example
$ dnsenum --enum cctv.com
dnsenum VERSION:1.3.1

----- cctv.com -----


Host's addresses:
__________________

cctv.com. 5 IN A 39.107.241.57


Name Servers:
______________

ns6.cctv.com. 5 IN A 118.178.171.142
ns5.cctv.com. 5 IN A 182.92.20.91
ns1.cctv.com. 5 IN A 203.93.27.6
ns4.cctv.com. 5 IN A 219.141.244.3


Mail (MX) Servers:
___________________

smtp1.cctv.com. 5 IN A 101.129.1.156
```

fierce
```
# Collect subdomains
$ fierce --domain cctv.com
NS: ns6.cctv.com. ns5.cctv.com. ns1.cctv.com. ns4.cctv.com.
SOA: ns1.cctv.com. (203.93.27.6)
Zone: failure
Wildcard: failure
Found: ad.cctv.com. (42.81.144.96)
Found: ads.cctv.com. (59.151.104.246)
Found: ai.cctv.com. (115.238.237.13)
Found: app.cctv.com. (106.63.19.14)
Found: apps.cctv.com. (202.108.8.53)
```

Other tools

Host liveness check with fping
```
$ fping -s -g 172.16.10.1 172.16.10.254
172.16.10.100 is alive
172.16.10.102 is alive
172.16.10.103 is alive
172.16.10.119 is alive
172.16.10.109 is alive
172.16.10.105 is alive
ICMP Host Unreachable from 172.16.10.119 for ICMP Echo sent to 172.16.10.1
ICMP Host Unreachable from 172.16.10.119 for ICMP Echo sent to 172.16.10.1
ICMP Host Unreachable from 172.16.10.119 for ICMP Echo sent to 172.16.10.1
ICMP Host Unreachable from 172.16.10.119 for ICMP Echo sent to 172.16.10.1
ICMP Host Unreachable from 172.16.10.119 for ICMP Echo sent to 172.16.10.4
172.16.10.254 is alive

254 targets
9 alive
245 unreachable
0 unknown addresses

983 timeouts (waiting for response)
992 ICMP Echos sent
12 ICMP Echo Replies received
972 other ICMP received

0.028 ms (min round trip time)
267 ms (avg round trip time)
1124 ms (max round trip time)
9.890 sec (elapsed real time)
```

ARP-based host discovery with netdiscover
```
$ sudo netdiscover -r 172.16.10.1/24
[sudo] password for sujx:
Currently scanning: Finished! | Screen View: Unique Hosts

13 Captured ARP Req/Rep packets, from 10 hosts. Total size: 780
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
172.16.10.101 88:f2:bd:95:e4:e7 2 120 GD Midea Air-Conditioning Equipment Co.
172.16.10.101 b4:6d:c2:cc:a5:37 1 60 SHENZHEN BILIAN ELECTRONIC CO.,LTD
172.16.10.100 f4:84:8d:6b:22:d4 1 60 TP-LINK TECHNOLOGIES CO.,LTD.
172.16.10.115 d4:e9:8a:07:a8:1e 1 60 Intel Corporate
172.16.10.106 22:fe:d8:33:c2:39 1 60 Unknown vendor
172.16.10.102 88:f2:bd:91:e6:07 2 120 GD Midea Air-Conditioning Equipment Co.
172.16.10.103 b4:6d:c2:cc:a5:37 1 60 SHENZHEN BILIAN ELECTRONIC CO.,LTD
172.16.10.109 be:eb:9f:53:26:59 2 120 Unknown vendor
172.16.10.105 46:cd:5c:5a:04:66 1 60 Unknown vendor
172.16.10.254 ec:60:73:89:a3:df 1 60 TP-LINK TECHNOLOGIES CO.,LTD.
```
Load balancing detector lbd
```
$ lbd baidu.com

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
# Check for DNS load balancing
Checking for DNS-Loadbalancing: FOUND
baidu.com has address 110.242.68.66
baidu.com has address 39.156.66.10
# Check the HTTP Server header
Checking for HTTP-Loadbalancing [Server]:
Apache
NOT FOUND
# Check for HTTP load balancing via the Date header of repeated responses
Checking for HTTP-Loadbalancing [Date]: 14:19:21, 14:19:21, 14:19:21, 14:19:21, 14:19:21, 14:19:22, 14:19:22, 14:19:22, 14:19:22, 14:19:22, 14:19:22, 14:19:22, 14:19:22, 14:19:23, 14:19:23, 14:19:23, 14:19:23, 14:19:23, 14:19:23, 14:19:23, 14:19:23, 14:19:24, 14:19:24, 14:19:24, 14:19:24, 14:19:24, 14:19:24, 14:19:24, 14:19:24, 14:19:25, 14:19:25, 14:19:25, 14:19:25, 14:19:25, 14:19:25, 14:19:25, 14:19:25, 14:19:26, 14:19:26, 14:19:26, 14:19:26, 14:19:26, 14:19:26, 14:19:26, 14:19:27, 14:19:27, 14:19:27, 14:19:27, 14:19:27, 14:19:28, NOT FOUND
# Load balancing found through differing response headers
Checking for HTTP-Loadbalancing [Diff]: FOUND
< Expires: Fri, 28 Feb 2025 14:19:28 GMT
> Expires: Fri, 28 Feb 2025 14:19:29 GMT
# Confirmed: load balancing is in use, detected via DNS and HTTP
baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
```

SMTP mail analysis tool swaks
```
$ swaks --to sujx@live.cn
=== Trying apc.olc.protection.outlook.com:25...
=== Connected to apc.olc.protection.outlook.com.
<- 220 DB1PEPF000509FB.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 27 Feb 2025 14:23:42 +0000 [08DD54AD81BEBF2F]
-> EHLO kali
<- 250-DB1PEPF000509FB.mail.protection.outlook.com Hello [36.106.89.29]
<- 250-SIZE 49283072
<- 250-PIPELINING
<- 250-DSN
<- 250-ENHANCEDSTATUSCODES
<- 250-STARTTLS
<- 250-8BITMIME
<- 250-BINARYMIME
<- 250-CHUNKING
<- 250 SMTPUTF8
-> MAIL FROM:<sujx@kali>
<- 250 2.1.0 Sender OK
-> RCPT TO:<sujx@live.cn>
<- 250 2.1.5 Recipient OK
-> DATA
<- 354 Start mail input; end with <CRLF>.<CRLF>
-> Date: Thu, 27 Feb 2025 22:23:41 +0800
-> To: sujx@live.cn
-> From: sujx@kali
-> Subject: test Thu, 27 Feb 2025 22:23:41 +0800
-> Message-Id: <20250227222341.007900@kali>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
->
-> This is a test mailing
->
->
-> .
<- 250 2.6.0 <20250227222341.007900@kali> [InternalId=205690278778921, Hostname=ME4P282MB0742.AUSP282.PROD.OUTLOOK.COM] 7085 bytes in 0.322, 21.455 KB/sec Queued mail for delivery -> 250 2.1.5
-> QUIT
<- 221 2.0.0 Service closing transmission channel
=== Connection closed with remote host.
# Then check the sujx@live.cn mailbox to see whether the test mail arrived
```
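
Note what the transcript above shows: the server advertised STARTTLS in its EHLO reply, but the client never issued it, so the message was submitted in cleartext. As an added example (not from these notes and not part of swaks), the Python script below parses a swaks-style transcript and reports exactly that condition; the transcript it uses is a constructed, shortened copy of the exchange above.

```python
"""Audit a swaks-style SMTP transcript: was STARTTLS offered, and was it used before MAIL FROM?
Added example: not from the original notes and not part of swaks."""

# Constructed transcript, shortened from the exchange above: "<- " is the server, "-> " the client.
TRANSCRIPT = """\
<- 220 DB1PEPF000509FB.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready
-> EHLO kali
<- 250-DB1PEPF000509FB.mail.protection.outlook.com Hello [36.106.89.29]
<- 250-SIZE 49283072
<- 250-PIPELINING
<- 250-STARTTLS
<- 250-8BITMIME
<- 250 SMTPUTF8
-> MAIL FROM:<sujx@kali>
<- 250 2.1.0 Sender OK
-> RCPT TO:<sujx@live.cn>
<- 250 2.1.5 Recipient OK
-> DATA
<- 354 Start mail input; end with <CRLF>.<CRLF>
-> QUIT
<- 221 2.0.0 Service closing transmission channel
"""


def parse_transcript(text):
    """Split the transcript into (side, payload) turns; swaks' '===' status lines are dropped."""
    turns = []
    for line in text.splitlines():
        if line.startswith("<- "):
            turns.append(("server", line[3:]))
        elif line.startswith("-> "):
            turns.append(("client", line[3:]))
    return turns


def ehlo_capabilities(turns):
    """Keywords from the multi-line 250 reply to EHLO (the first 250 line is only a greeting)."""
    caps, in_ehlo, greeting = set(), False, True
    for side, payload in turns:
        if side == "client" and payload.upper().startswith("EHLO"):
            in_ehlo, greeting = True, True
        elif in_ehlo and side == "server" and payload.startswith("250"):
            if not greeting:
                caps.add(payload[4:].split(" ", 1)[0].upper())
            greeting = False
            if payload[3] == " ":  # "250 " (space, not dash) is the last line of the reply
                in_ehlo = False
    return caps


def audit_tls(turns):
    """Flag a cleartext submission: MAIL issued with no STARTTLS, or STARTTLS only after MAIL."""
    caps = ehlo_capabilities(turns)
    cmds = [p.upper().split(" ", 1)[0] for side, p in turns if side == "client"]
    tls_idx = cmds.index("STARTTLS") if "STARTTLS" in cmds else None
    mail_idx = cmds.index("MAIL") if "MAIL" in cmds else None
    return {
        "starttls_offered": "STARTTLS" in caps,
        "starttls_used": tls_idx is not None,
        "cleartext_submission": mail_idx is not None and (tls_idx is None or tls_idx > mail_idx),
    }


if __name__ == "__main__":
    print(audit_tls(parse_transcript(TRANSCRIPT)))
```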
SSL analysis tools

whois lookup
```
$ dmitry -w sujx.net
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:39.101.1.251
HostName:sujx.net

Gathered Inic-whois information for sujx.net
---------------------------------
Domain Name: SUJX.NET
Registry Domain ID: 1555647537_DOMAIN_NET-VRSN
Registrar WHOIS Server: grs-whois.hichina.com
Registrar URL: http://www.net.cn
Updated Date: 2024-10-24T02:21:32Z
Creation Date: 2009-05-14T12:09:43Z
Registry Expiry Date: 2025-05-14T12:09:43Z
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
```

Sniffing and spoofing

Basic concepts

Sniffing means using a sniffing tool to capture the packets flowing across a network, usually called packet capture. By reading the relevant fields in a packet one obtains the source and destination IP addresses, the source MAC and the next-hop MAC address, the packet size, the TCP details, the application protocol and so on.

Network spoofing is the act of impersonating another device or user to win the other party's trust and thereby gain unauthorised access or steal data. Common types of spoofing include IP spoofing, e-mail spoofing, ARP spoofing, DHCP spoofing, DNS spoofing and switch spanning-tree spoofing.

Packet capture with Wireshark

The login process of a desktop application, captured with Wireshark

Packet capture with tcpdump

```
# Capture all traffic on the eth0 interface with tcpdump and save it to the file zb
$ sudo tcpdump -v -i eth0 -w zb
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
53 packets captured
56 packets received by filter
0 packets dropped by kernel
# Read the zb file and filter for traffic on port 22
$ tcpdump -n port 22 -r zb
reading from file zb, link-type EN10MB (Ethernet), snapshot length 262144
23:24:58.177743 IP 172.16.10.119.22 > 172.16.10.115.1917: Flags [P.], seq 506114419:506114543, ack 395347968, win 547, length 124
23:24:58.220877 IP 172.16.10.115.1917 > 172.16.10.119.22: Flags [.], ack 124, win 4100, length 0
23:24:59.178943 IP 172.16.10.119.22 > 172.16.10.115.1917: Flags [P.], seq 124:168, ack 1, win 547, length 44
23:24:59.220038 IP 172.16.10.115.1917 > 172.16.10.119.22: Flags [.], ack 168, win 4100, length 0
# Read the zb file and filter for traffic whose source IP is 172.16.10.115
$ tcpdump -n src 172.16.10.115 -r zb
reading from file zb, link-type EN10MB (Ethernet), snapshot length 262144
23:24:58.220877 IP 172.16.10.115.1917 > 172.16.10.119.22: Flags [.], ack 506114543, win 4100, length 0
23:24:59.220038 IP 172.16.10.115.1917 > 172.16.10.119.22: Flags [.], ack 45, win 4100, length 0
23:25:00.234550 IP 172.16.10.115.1917 > 172.16.10.119.22: Flags [.], ack 89, win 4106, length 0
23:25:02.223568 ARP, Request who-has 172.16.10.119 tell 172.16.10.115, length 46
23:25:02.224130 IP 172.16.10.115.1917 > 172.16.10.119.22: Flags [.], ack 133, win 4106, length 0
# Read the zb file and filter for all TCP packets
$ tcpdump -n tcp -r zb
reading from file zb, link-type EN10MB (Ethernet), snapshot length 262144
23:24:58.177743 IP 172.16.10.119.22 > 172.16.10.115.1917: Flags [P.], seq 506114419:506114543, ack 395347968, win 547, length 124
23:24:58.220877 IP 172.16.10.115.1917 > 172.16.10.119.22: Flags [.], ack 124, win 4100, length 0
23:24:59.178943 IP 172.16.10.119.22 > 172.16.10.115.1917: Flags [P.], seq 124:168, ack 1, win 547, length 44
23:24:59.220038 IP 172.16.10.115.1917 > 172.16.10.119.22: Flags [.], ack 168, win 4100, length 0
```

ARP spoofing

```
# Redefine the MAC address of the gateway 172.16.10.254 as seen by 172.16.10.100, and keep broadcasting it
$ arp -a
? (172.16.10.100) at f4:84:8d:6b:22:d4 [ether] on eth0
_gateway (172.16.10.254) at ec:60:73:89:a3:df [ether] on eth0

$ sudo arpspoof -i eth0 -t 172.16.10.100 172.16.10.254
[sudo] password for sujx:
0:c:29:10:e2:13 f4:84:8d:6b:22:d4 0806 42: arp reply 172.16.10.254 is-at 0:c:29:10:e2:13
0:c:29:10:e2:13 f4:84:8d:6b:22:d4 0806 42: arp reply 172.16.10.254 is-at 0:c:29:10:e2:13
0:c:29:10:e2:13 f4:84:8d:6b:22:d4 0806 42: arp reply 172.16.10.254 is-at 0:c:29:10:e2:13
0:c:29:10:e2:13 f4:84:8d:6b:22:d4 0806 42: arp reply 172.16.10.254 is-at 0:c:29:10:e2:13
0:c:29:10:e2:13 f4:84:8d:6b:22:d4 0806 42: arp reply 172.16.10.254 is-at 0:c:29:10:e2:13
0:c:29:10:e2:13 f4:84:8d:6b:22:d4 0806 42: arp reply 172.16.10.254 is-at 0:c:29:10:e2:13
```
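
From the defender's side the replies above are detectable: the gateway's IP suddenly claims a MAC address that differs from the one in the ARP table. As an added example (not from these notes and not part of arpspoof or tcpdump), the Python script below checks ARP replies in the format of `tcpdump -n arp` against the `arp -a` baseline shown above; the capture lines are constructed, with the spoofed reply mirroring the arpspoof output.

```python
"""Detect ARP cache poisoning from tcpdump-style ARP reply lines.
Added example: not from the original notes and not part of arpspoof or tcpdump."""
import re

# Baseline taken from the `arp -a` output above: one host and the gateway.
BASELINE = {
    "172.16.10.100": "f4:84:8d:6b:22:d4",
    "172.16.10.254": "ec:60:73:89:a3:df",
}

# Constructed capture in `tcpdump -n arp` format: a benign exchange, then the spoofed gateway replies.
CAPTURE = """\
23:25:02.223568 ARP, Request who-has 172.16.10.119 tell 172.16.10.115, length 46
23:25:02.224001 ARP, Reply 172.16.10.119 is-at 00:0c:29:aa:bb:cc, length 46
23:25:03.100000 ARP, Reply 172.16.10.254 is-at ec:60:73:89:a3:df, length 46
23:25:04.500000 ARP, Reply 172.16.10.254 is-at 00:0c:29:10:e2:13, length 46
23:25:05.500000 ARP, Reply 172.16.10.254 is-at 00:0c:29:10:e2:13, length 46
"""

REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9a-fA-F:]+)")


def normalize_mac(mac):
    """Zero-pad each octet so arpspoof's '0:c:29:10:e2:13' equals tcpdump's '00:0c:29:10:e2:13'."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def find_poisoning(capture, baseline):
    """Return one alert per ARP reply whose sender MAC contradicts the baseline or an earlier reply."""
    seen = {ip: normalize_mac(mac) for ip, mac in baseline.items()}
    alerts = []
    for line in capture.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue  # requests and non-ARP lines carry no is-at claim
        ts, ip, mac = m.group(1), m.group(2), normalize_mac(m.group(3))
        known = seen.get(ip)
        if known is None:
            seen[ip] = mac  # first claim for an unknown host: learn it
        elif known != mac:
            alerts.append({"time": ts, "ip": ip, "expected": known, "claimed": mac})
    return alerts


if __name__ == "__main__":
    for alert in find_poisoning(CAPTURE, BASELINE):
        print(alert)
```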

Vulnerability scanning

What is a vulnerability

A vulnerability is a defect in the concrete implementation of hardware, software or a protocol, or in a system's security policy, that allows an attacker to access resources, perform administrative operations or even damage the system without legitimate authorisation. The causes are as follows:

  1. Software design
  2. Programming quality
  3. Technological development
  4. Human factors

How vulnerability scanning works

Vulnerability scanning works by remotely detecting which protocols a target host uses and which ports it has open, recording the target's replies, and matching the collected information against the scanner's vulnerability database; when the conditions match, the vulnerability is considered present. Common vulnerability scanning techniques include:

  1. Application-based detection
  2. Host-based detection
  3. Target-based detection
  4. Network-based detection

The main vulnerability statistics and sharing platforms today are the China National Vulnerability Database (CNVD), the US National Vulnerability Database (NVD) and the CVE database maintained by MITRE.

Vulnerability scanning tools

NMAP
```
$ sudo nmap -sV --script=vulners www.dssf007.com
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-27 23:40 CST
Nmap scan report for www.dssf007.com (39.97.111.87)
Host is up (0.028s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http OpenResty web app server
|_http-server-header: openresty
443/tcp open ssl/http OpenResty web app server
|_http-server-header: openresty

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.53 seconds
```
nikto
```
$ nikto -h www.dssf007.com
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 39.97.111.87
+ Target Hostname: www.dssf007.com
+ Target Port: 80
+ Start Time: 2025-02-27 23:42:02 (GMT8)
---------------------------------------------------------------------------
+ Server: openresty
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /SCZPxMUi.pt: Cookie website_user_user_new created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /SCZPxMUi.pt: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /SCZPxMUi.pt: Cookie 1697588 created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Entry '/self_define/TJStyle.php' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 6 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Multiple index files found: /default.htm, /index.htm, /index.php, /index.shtml.
+ /vchat/msg.txt: VChat allows user information to be retrieved. See: https://www.securityfocus.com/bid/7186/info
+ /webcart-lite/config/import.txt: This may allow attackers to read credit card data. Reconfigure to make this file not accessible via the web. See: https://packetstormsecurity.com/files/32406/xmas.txt.html
+ /webcart-lite/orders/import.txt: This may allow attackers to read credit card data. Reconfigure to make this file not accessible via the web. See: https://packetstormsecurity.com/files/32406/xmas.txt.html
+ /webcart/config/clients.txt: This may allow attackers to read credit card data. Reconfigure to make this file not accessible via the web. See: https://packetstormsecurity.com/files/32406/xmas.txt.html
+ /webcart/orders/import.txt: This may allow attackers to read credit card data. Reconfigure to make this file not accessible via the web. See: https://packetstormsecurity.com/files/32406/xmas.txt.html
```

Vulnerability exploitation

Password attacks

Simple password attacks against network services

Common attack modes

  1. Pure dictionary attack
  2. Hybrid attack
  3. Pure brute-force attack

Hydra

Password cracking with a password dictionary

```
# Crack the username and password of the HTTPS site at 192.168.1.124 using a username list and a password list
$ hydra -V -L /home/kali/user.txt -P /home/kali/passwd.txt -e s -f 192.168.1.124 https-head
```

Medusa

Attempts to gain access to remote authentication services by parallel brute-force login

Cracking common passwords

Cracking hashed passwords

Cracking Windows system passwords

mimikatz
Offline cracking of the SAM file

Cracking Linux system passwords

```
# Add a test user named test
$ sudo useradd test
# Set the test user's password to test
$ sudo passwd test
New password:
Retype new password:
passwd: password updated successfully
# Export the shadow file as hash text, then delete every entry except the target user's
$ sudo cat /etc/shadow > hash.txt
$ vim hash.txt
# Run the crack
$ john --format=crypt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
test (test) # the test user's password, test, has been recovered
1g 0:00:00:00 DONE 1/3 (2025-02-28 17:12) 4.000g/s 384.0p/s 384.0c/s 384.0C/s test..t999995
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

Generating password dictionaries

A password dictionary is also called a wordlist. Kali's wordlists can be obtained in three ways:

  1. Shipped with the system under "/usr/share/wordlists"
  2. Downloaded from the internet
  3. Generated by hand

Generation tools

  1. Crunch
  2. Cewl
  3. Cupp

Wireless network penetration

Wireless LANs are based on the IEEE 802.11 family of standards, which defines the physical layer and MAC layer specifications. There are 21 standards in total, including 802.11a/b/g/n/ac/ax.

Wireless security technologies

  1. WPA/WPA2
  2. WPA-PSK/WPA2-PSK
  3. WPA3

Wireless networks and sniffing

Using Aircrack-ng

Attack modes

  1. Conflict mode
  2. Fake client mode
  3. Interactive mode
  4. Injection mode
  5. Chop attack mode
  6. Fragmentation attack mode

Cracking principles

  1. Brute force based on the handshake. The handshake consists of the packets exchanged between a client and the wireless device during connection and authentication
  2. Online brute force

Wireless phishing attacks

Wireless phishing means luring users into connecting to a forged phishing wireless access point and, through various phishing pages, inducing them to enter the wireless password of the genuine access point, thereby obtaining that access point's password; it is also called AP phishing, hotspot finder or honeypot AP.

Fluxion

Fluxion is a security auditing and social-engineering research tool that retrieves WPA/WPA2 keys from a target access point mainly through social-engineering attacks. The tool's workflow:

  1. Capture the handshake by monitoring, then create a fake open Wi-Fi with exactly the same name as the target
  2. Launch a continuous attack that forces all clients connected to the hotspot offline
  3. When reconnecting, clients see an open network with the original Wi-Fi name
  4. After connecting, a page opens that asks, in the operator's name, for the Wi-Fi password to be entered again
  5. Submitted passwords are checked against the captured handshake until the real password is entered
  6. The fake Wi-Fi is shut down and the clients reconnect to the real wireless network