
Showing posts from 2017

Google Search Console

1. Use Google's search capability to check whether any of your site's data has been leaked: https://www.google.com/webmasters/tools/removals?hl=cn&pli=1
2. Remove outdated content from Google: https://www.google.com/webmasters/tools/removals?hl=zh-TW

wpscan notes

This is wpscan, a scanner aimed at WordPress.

_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

Examples :

-Further help ...
ruby ./wpscan.rb --help

-Do 'non-intrusive' checks ...
ruby ./wpscan.rb --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordl

joomscan notes

CMS (Content Management System) notes: shared use, modification and version planning. This is also most commonly used with WordPress. Detecting vulnerabilities this way... that is joomscan.

Command: joomscan -u http://www.xxxx.com.tw

Description:

joomscan

 ..|''||   '|| '||'  '|'  |     .|'''.|  '||''|.
.|'    ||   '|. '|.  .'  |||    ||..  '   ||   ||
||      ||   ||  ||  |  |  ||    ''|||.   ||...|'
'|.     ||    ||| |||  .''''|.  .     '||  ||
 ''|...|'      |   |  .|.  .||. |'....|'  .||.

=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================

Vulnerability Entries: 611
Last update: February 2, 2012

Usage: ./joomscan.pl -u <strin

skipfish notes

Used to detect website vulnerabilities; it does not use the common vulnerability-detection approach.

sudo apt autoremove
sudo apt-get install skipfish

Example: skipfish -o /usr/bin/temp/ https://tw.yahoo.com

https://code.google.com/p/skipfish/

sudo skipfish -h

skipfish web application scanner - version 2.10b
Usage: skipfish [ options ... ] -W wordlist -o output_dir start_url [ start_url2 ... ]

Authentication and access options:

  -A user:pass      - use specified HTTP authentication credentials
  -F host=IP        - pretend that 'host' resolves to 'IP'
  -C name=val       - append a custom cookie to all requests
  -H name=val       - append a custom HTTP header to all requests
  -b (i|f|p)        - use headers consistent with MSIE / Firefox / iPhone
  -N                - do not accept any new cookies
  --auth-form url   - form authentication URL
  --auth-user user  - form authentication user
  --auth-pass pass  - form authentication password
  --auth-verify-url -  URL for in-session dete

nikto notes

This is used against a website (HTTP) to check for hundreds of vulnerabilities or CGI problems. Because updates are slow and the -update command does not work, it is recommended to download the new version from the official site.

Description:

root@kali-shan:~# nikto
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: No host specified

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to

Easy-Creds: creating a fake AP

Sometimes you need a new AP... to act as a fake AP and collect the data of every connection that comes in.

1. First go to https://github.com/brav0hax/easy-creds and download easy-creds-master.zip
2. Run:
   unzip easy-creds-master.zip
   cd easy-creds-master
   ./installer.sh  >>> choose 1 (install on the system)
3. ./easy-creds.sh
   1.  FakeAP Attack Static
   2.  FakeAP Attack EvilTwin
   3.  Karmetasploit Attack
   4.  FreeRadius Attack
   5.  DoS AP Options
   6.  Previous Menu
   Choice: 1  (create a fake AP)
4. Then it runs...

 ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
||e |||a |||s |||y |||- |||c |||r |||e |||d |||s ||
||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|

Version 3.8-dev - Garden of New Jersey

At any time, ctrl+c to cancel and return to the main menu

Would you like to include a sidejacking attack? [y/N]: y

Network Interfaces:
Interface connected to the internet (ex. eth0):
Interface connected to the internet (ex. eth0): eth0

PHY     Interface       Driver          Chipset
phy0    wlan0           rtl8187         Realtek Semiconductor Corp. RTL8187

Wireless interface name (ex. wlan0):

fimap notes

This is a command that collects URL (IP) information and attacks; it scans and attacks based on LFI/RFI (Local File Inclusion / Remote File Inclusion) characteristics.

Reference: https://www.youtube.com/watch?v=ODMHucZNQ9k

============================

Look at the help:

fimap -h

fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

Usage: ./fimap.py [options]

## Operating Modes:
  -s , --single                 Mode to scan a single URL for FI errors.
                                Needs URL (-u). This mode is the default.
  -m , --mass                   Mode for mass scanning. Will check every URL
                                from a given list (-l) for FI errors.
  -g , --google                 Mode to use Google to aquire URLs.
                                Needs a query (-q) as google search query.
  -B , --bing                   Use bing to get URLs.
                                Needs a query (-q) as bing search query.
                                Also needs a Bing APIKey (--bingkey)

Using dirbuster

This is used to check a website's entire directory tree; it also organizes the information and stores it in a specified file.

In the terminal, type: dirbuster

nbtscan notes

****** nbtscan (query devices in the LAN that use the SMB protocol) ******

Finds NetBIOS device information in the LAN by scanning IP addresses.

———————
Scan all devices in 192.168.8.***
Command: sudo nbtscan -r 192.168.8.0/24

———————
Scan all devices in 192.168.8.*** with MAC address 00:00:00:00:00:00 (configurable)
Command: sudo nbtscan -r 192.168.8.0/24 |grep "00:00:00:00:00:00"

———————
Used to check basic information about Windows machines on the network, for example: computer name, user, IP, MAC address, services.

nbtscan -h

"Human-readable service names" (-h) option cannot be used without verbose (-v) option.
Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
        -v              verbose output. Print all names received
                        from each host
        -d              dump packets. Print whole packet contents.
        -e              Format output in /etc/hosts format.
        -l              Format output in lmhosts format.
                        Cannot be used with -v, -s or -h options.
        -t timeout      wait timeout milliseconds for response.
                        Default 1000.
        -b bandwidth    Output throttling. Slow down output
                        so that it uses no more that bandwidth bps.
                        Use

amap notes

This scans the target IP's ports and looks up the likely service for each response in its own appdefs.resp.

Description:

amap v5.4 (c) 2011 by van Hauser <vh@thc.org> www.thc.org/thc-amap

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

Modes:
  -A         Map applications: send triggers and analyse responses (default)
  -B         Just grab banners, do not send triggers
  -P         No banner or application stuff - be a (full connect) port scanner
Options:
  -1         Only send triggers to a port until 1st identification. Speeeeed!
  -6         Use IPv6 instead of IPv4
  -b         Print ascii banner of responses
  -i FILE    Nmap machine readable outputfile to read ports from
  -u         Ports specified on commandline are UDP (default is TCP)
  -R         Do NOT identify RPC service
  -H         Do NOT send application triggers marked as potentially harmful
  -U         Do NOT dump unrecognised responses (better

onesixtyone: viewing SNMP information

Used to view information from SNMP devices (public/private community strings).

onesixtyone 0.3.2 [options] <host> <community>
  -c <communityfile> file with community names to try
  -i <inputfile>     file with target hosts
  -o <outputfile>    output log
  -d                 debug mode, use twice for more information
  -w n               wait n milliseconds (1/1000 of a second) between sending packets (default 10)
  -q                 quiet mode, do not print log to stdout, use with -l

examples: ./s -c dict.txt 192.168.4.1 public
          ./s -c dict.txt -i hosts -o my.log -w 100

unicornscan notes

For information gathering and network analysis.

Example: a UDP network scan of IP 192.168.8.200 on all ports:
unicornscan -m U -Iv 192.168.8.200:1-65535

It must be installed first:
apt-get install unicornscan

Look at the help:
unicornscan -h

unicornscan (version 0.4.7)
usage: unicornscan [options `b:B:cd:De:EFG:hHi:Ij:l:L:m:M:o:p:P:q:Qr:R:s:St:T:u:Uw:W:vVzZ:' ] X.X.X.X/YY:S-E
        -b, --broken-crc        *set broken crc sums on [T]ransport layer, [N]etwork layer, or both[TN]
        -B, --source-port       *set source port? or whatever the scan module expects as a number
        -c, --proc-duplicates   process duplicate replies
        -d, --delay-type        *set delay type (numeric value, valid options are `1:tsc 2:gtod 3:sleep')
        -D, --no-defpayload     no default Payload, only probe known protocols
        -e, --enable-module     *enable modules listed as arguments (output and report currently)
        -E, --proc-errors       for processing `non-open' responses (icmp errors, tcp rsts...)
        -F, --try-frags
        -G, --payload-group     *payload group (numeric) for tcp/udp type payload selection (default all)

metagoofil usage notes

This uses Google to search a specified domain for all files of the specified formats (for example doc, pdf) and checks whether they contain account or password related data.

Kali no longer ships this tool; first run: apt-get install metagoofil

-d  domain or IP to search
-t  file types to search for, for example: pdf, doc, ...
-l  maximum number of search results (default minimum 200)
-n  number of files to download
-o  directory to store the downloaded files
-f  output results file

Using Wireshark (with a known AP key) to view decrypted packets

If you know the AP key, you can capture packets with Wireshark (WEP, WPA) and, once they are decrypted, read the original packet contents.

So how do you find out the AP key??? That is the interesting part... ask, look it up, crack it, impersonate the AP, or set up your own, haha.

First put the wireless card into monitor mode:
airmon-ng start wlan0
and select the mon interface.

Edit > Preferences > IEEE 802.11 > Edit, then select the encryption type. The key entered here is hexadecimal; if the password is 123456789 it is treated as characters (not a number), so it is 31:32:33:34:35:36:37:38:39.

Then go back to Wireshark and you can read the decrypted original packets.

Using wafw00f

This is used to check whether there is a firewall and to show information about it; it is of course not very precise.

Command:

    WAFW00F - Web Application Firewall Detection Tool
    By Sandro Gauci && Wendel G. Henrique

Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/

Options:
  -h, --help            show this help message and exit
  -v, --verbose         enable verbosity - multiple -v options increase
                        verbosity
  -a, --findall         Find all WAFs, do not stop testing on the first one
  -r, --disableredirect
                        Do not follow redirections given by 3xx responses
  -t TEST, --test=TEST  Test for one specific WAF
  -l, --list            List all WAFs that we are able to detect
  --xmlrpc              Switch on the XML-RPC interface instead of CUI
  --xmlrpcport=XMLRPCPORT
                        Specify an alternative port to listen on, default 8001
  -V, --version         Print out the version

Reference video: https://www.youtube.com/watch?v=Yj0TxWLjhX4

fierce (information gathering) (viewing DNS-related data)

This looks up DNS-related information for a domain.

Commands:
sudo fierce -h
sudo fierce -domain <domain>