Kali Linux Penetration Testing (Yuan Fanghong): w3af
Source: Internet  Editor: 程序博客网  Time: 2024/06/10 16:35
This article records in detail the process of learning to use Kali Linux 2017.1 for penetration testing; it follows the "Kali Linux Penetration Testing" course from the 安全牛 (Aqniu) classroom.
1. Introduction to using w3af
2. w3af: authentication
3. Intercepting proxy
4. output plugins
5. exploit
1. Introduction to using w3af
1. plugin

audit: these plugins send specially crafted POC data to the injection points found by the crawl plugins, to confirm whether a vulnerability really exists.
infrastructure: these plugins identify information about the target system, such as the installed WAF, the operating system and the HTTP daemon.
grep: these plugins analyze the HTTP requests and responses sent by the other plugins and identify vulnerabilities in them.
evasion: modify the HTTP requests generated by other plugins in order to bypass simple intrusion-detection rules.
mangle: allow requests and responses to be modified based on regular expressions.
auth: authentication plugins that log the scanner in to the target application (the generic and detailed plugins listed below).
bruteforce: perform brute-force logins during the crawl phase.
output: these plugins save the data produced by the other plugins to text, xml or html files. Debug information is also sent to the output plugins and can be saved and analyzed. If both the text_file and xml_file output plugins are enabled, both will record every vulnerability found by the audit plugins.
crawl: obtain new URLs by crawling the site. If the user enables several crawl plugins, a loop results: plugin A finds a new URL on its first run and w3af sends it to plugin B; if plugin B finds a new URL it is sent back to plugin A. This continues until every plugin has run and no more new information can be found.
attack: if an audit plugin finds a vulnerability, the attack plugins exploit it, usually returning a shell on the remote server or, in the case of SQL injection, retrieving data from the database.
2. Installing and configuring w3af on Kali 2.0

1. Installation
```
cd ~
apt-get update
apt-get install -y python-pip w3af
pip install --upgrade pip
git clone https://github.com/andresriancho/w3af.git
cd w3af
./w3af_console        (or ./w3af_gui)
apt-get build-dep python-lxml
. /tmp/w3af_dependency_install.sh
```
2. Upgrading
```
git pull
```
3. Installing w3af on Kali Linux 2017.1: http://blog.csdn.net/ycl146/article/details/75041527
3. Quick-starting w3af

1. Create a desktop shortcut (copy an existing launcher or create a w3af.desktop file by hand)
```
root@attacker:~# cp /usr/share/applications/kali-aircrack-ng.desktop /root/Desktop/
root@attacker:~# cd Desktop/
root@attacker:~/Desktop# vim kali-aircrack-ng.desktop
```
Contents of the file (a .desktop file only accepts `#` comments on their own line, so the notes go above each key rather than after the value):
```
[Desktop Entry]
Name=w3af
# character encoding
Encoding=UTF-8
# command to execute
Exec=sh -c "/usr/local/src/w3af_gui"
# icon path
Icon=/usr/local/src/w3af/core/ui/gui/data/w3af_logo.png
# whether to show a terminal window on launch; try true to see the difference
Terminal=false
Type=Application
# menu category
Categories=03-webapp-analysis;
StartupNotify=false
NoDisplay=true
```
```
root@attacker:~/Desktop# chmod +x kali-aircrack-ng.desktop        # make it executable
root@attacker:~/Desktop# mv kali-aircrack-ng.desktop w3af.desktop  # rename it
```
2. Create command-line quick launchers (command aliases)
```
root@attacker:~# vim .bashrc
alias w3afconsole='sh -c "/usr/local/src/w3af_console"'
alias w3afgui='sh -c "/usr/local/src/w3af_gui"'
root@attacker:~# source .bashrc        # reload the configuration file
root@attacker:~# w3af
w3af>>>
```
4. w3af_console command quick reference
```
help                            # show the available commands
plugins                         # enter the plugins submenu
    help                        # show the available commands
    list audit                  # list all plugins in the audit category
    audit sqli xss              # select the audit plugins to use
http-settings / misc-settings   # global configuration
    help                        # show the available commands
    view                        # view the configurable parameters
    set                         # set a parameter
    back                        # return to the previous level
profiles
    save_as <name> self-contained   # save as a fully self-contained profile, so that dictionaries
                                    # and other referenced files are not missing when the profile
                                    # is exchanged with someone else
    save_as test self-contained
target
    set target http://1.1.1.1/
start
script files: script/*.w3af
```
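The quick reference above can also be run as a batch: w3af_console accepts a script file with `-s`, and every line of that file is one console command exactly as it would be typed at the w3af>>> prompt. The following shell script is an added example, not code from the original post or from the w3af project. It writes such a script from the commands shown on this page; the text_file output plugin and its output_file option are assumed from the output-plugin description in section 1, and the target URL and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a w3af script from the
# console commands on this page, for non-interactive runs via `w3af_console -s`.
# Assumptions: w3af_console is on PATH (adjust if it lives under
# /usr/local/src/w3af/); the text_file output plugin option name output_file is
# assumed; TARGET_URL and REPORT below are constructed placeholders.

# write_w3af_script OUTFILE TARGET_URL REPORT_FILE
# Each line is one w3af>>> command; `back` climbs out of a submenu.
write_w3af_script() {
    cat > "$1" <<EOF
plugins
audit sqli xss lfi
grep all
crawl web_spider
output text_file
output config text_file
set output_file $3
back
back
http-settings
set rand_user_agent True
set max_requests_per_second 20
back
target
set target $2
back
start
exit
EOF
}

# count_enabled_audit SCRIPTFILE
# Sanity check before handing the script to the scanner: how many audit
# plugins does the script enable? (0 if no audit line is present)
count_enabled_audit() {
    awk '$1 == "audit" { print NF - 1; found = 1 } END { if (!found) print 0 }' "$1"
}

script_path="${W3AF_SCRIPT:-/tmp/quick_scan.w3af}"
write_w3af_script "$script_path" "${TARGET_URL:-http://10.10.10.5/}" "${REPORT:-/tmp/w3af_report.txt}"
echo "w3af script written to $script_path ($(count_enabled_audit "$script_path") audit plugins enabled)"
echo "run it with: w3af_console -s $script_path"
```

The script is written but not executed by the block itself; once w3af is installed, `w3af_console -s /tmp/quick_scan.w3af` replays it. max_requests_per_second is set so that a scripted scan cannot hammer the target unattended, and the value is visible in the http-settings view shown later on this page.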
5. Command-line operation
```
root@attacker:~# w3afconsole
w3af>>> help
|---------------|-----------------------------------------------------------------------------------
| start         | Start the scan.
| plugins       | Enable and configure plugins.
| exploit       | Exploit the vulnerability.
| profiles      | List and use scan profiles.
| cleanup       | Cleanup before starting a new scan.
|---------------|-----------------------------------------------------------------------------------
| help          | Display help. Issuing: help [command] , prints more specific help about "command"
| version       | Show w3af version information.
| keys          | Display key shortcuts.
|---------------|-----------------------------------------------------------------------------------
| http-settings | Configure the HTTP settings of the framework.
| misc-settings | Configure w3af misc settings.
| target        | Configure the target URL.
|---------------|-----------------------------------------------------------------------------------
| back          | Go to the previous menu.
| exit          | Exit w3af.
|---------------|-----------------------------------------------------------------------------------
| kb            | Browse the vulnerabilities stored in the Knowledge Base
|---------------|-----------------------------------------------------------------------------------
w3af>>> plugins
w3af/plugins>>> help
|----------------|--------------------------------------------------
| list           | List available plugins.
|----------------|--------------------------------------------------
| back           | Go to the previous menu.
| exit           | Exit w3af.
|----------------|--------------------------------------------------
| evasion        | View, configure and enable evasion plugins
| auth           | View, configure and enable auth plugins
| grep           | View, configure and enable grep plugins
| audit          | View, configure and enable audit plugins
| bruteforce     | View, configure and enable bruteforce plugins
| output         | View, configure and enable output plugins
| crawl          | View, configure and enable crawl plugins
| infrastructure | View, configure and enable infrastructure plugins
| mangle         | View, configure and enable mangle plugins
|----------------|--------------------------------------------------
w3af/plugins>>> list auth
|----------------------|---------|------|------------------------------------
| Plugin name          | Status  | Conf | Description
|----------------------|---------|------|------------------------------------
| detailed             |         | Yes  | Detailed authentication plugin.
| generic              |         | Yes  | Generic authentication plugin.
|----------------------|---------|------|------------------------------------
w3af/plugins>>> list audit
|----------------------|---------|------|-----------------------------------------------------------------------------
| Plugin name          | Status  | Conf | Description
|----------------------|---------|------|-----------------------------------------------------------------------------
| blind_sqli           |         | Yes  | Identify blind SQL injection vulnerabilities.
| buffer_overflow      |         |      | Find buffer overflow vulnerabilities.
| cors_origin          |         | Yes  | Inspect if application checks that the value of the "Origin" HTTP header is consistent
|                      |         |      | with the value of the remote IP address/Host of the sender of the incoming HTTP request.
| csrf                 |         |      | Identify Cross-Site Request Forgery vulnerabilities.
| dav                  |         |      | Verify if the WebDAV module is properly configured.
| eval                 |         | Yes  | Find insecure eval() usage.
| file_upload          |         | Yes  | Uploads a file and then searches for the file inside all known directories.
| format_string        |         |      | Find format string vulnerabilities.
| frontpage            |         |      | Tries to upload a file using frontpage extensions (author.dll).
| generic              |         | Yes  | Find all kind of bugs without using a fixed error database.
| global_redirect      |         |      | Find scripts that redirect the browser to any site.
| htaccess_methods     |         |      | Find misconfigurations in Apache's "<LIMIT>" configuration.
| ldapi                |         |      | Find LDAP injection bugs.
| lfi                  |         |      | Find local file inclusion vulnerabilities.
| memcachei            |         |      | No description available for this plugin.
| mx_injection         |         |      | Find MX injection vulnerabilities.
| os_commanding        |         |      | Find OS Commanding vulnerabilities.
| phishing_vector      |         |      | Find phishing vectors.
| preg_replace         |         |      | Find unsafe usage of PHPs preg_replace.
| redos                |         |      | Find ReDoS vulnerabilities.
| response_splitting   |         |      | Find response splitting vulnerabilities.
| rfd                  |         |      | Identify reflected file download vulnerabilities.
| rfi                  |         | Yes  | Find remote file inclusion vulnerabilities.
| rosetta_flash        |         |      | Find Rosetta Flash vulnerabilities in JSONP endpoints
| shell_shock          |         |      | Find shell shock vulnerabilities.
| sqli                 |         |      | Find SQL injection bugs.
| ssi                  |         |      | Find server side inclusion vulnerabilities.
| ssl_certificate      |         | Yes  | Check the SSL certificate validity (if https is being used).
| un_ssl               |         |      | Find out if secure content can also be fetched using http.
| websocket_hijacking  |         |      | Detect Cross-Site WebSocket hijacking vulnerabilities.
| xpath                |         |      | Find XPATH injection vulnerabilities.
| xss                  |         | Yes  | Identify cross site scripting vulnerabilities.
| xst                  |         |      | Find Cross Site Tracing vulnerabilities.
|----------------------|---------|------|-----------------------------------------------------------------------------
w3af/plugins>>> audit xss sqli lfi        (enable three plugin modules)
w3af/plugins>>> list audit                (the status of those plugin modules is now Enabled)
|----------------------|---------|------|-----------------------------------------------------------------------------
| Plugin name          | Status  | Conf | Description
|----------------------|---------|------|-----------------------------------------------------------------------------
| blind_sqli           |         | Yes  | Identify blind SQL injection vulnerabilities.
| buffer_overflow      |         |      | Find buffer overflow vulnerabilities.
| cors_origin          |         | Yes  | Inspect if application checks that the value of the "Origin" HTTP header is consistent
|                      |         |      | with the value of the remote IP address/Host of the sender of the incoming HTTP request.
| csrf                 |         |      | Identify Cross-Site Request Forgery vulnerabilities.
| dav                  |         |      | Verify if the WebDAV module is properly configured.
| eval                 |         | Yes  | Find insecure eval() usage.
| file_upload          |         | Yes  | Uploads a file and then searches for the file inside all known directories.
| format_string        |         |      | Find format string vulnerabilities.
| frontpage            |         |      | Tries to upload a file using frontpage extensions (author.dll).
| generic              |         | Yes  | Find all kind of bugs without using a fixed error database.
| global_redirect      |         |      | Find scripts that redirect the browser to any site.
| htaccess_methods     |         |      | Find misconfigurations in Apache's "<LIMIT>" configuration.
| ldapi                |         |      | Find LDAP injection bugs.
| lfi                  | Enabled |      | Find local file inclusion vulnerabilities.
| memcachei            |         |      | No description available for this plugin.
| mx_injection         |         |      | Find MX injection vulnerabilities.
| os_commanding        |         |      | Find OS Commanding vulnerabilities.
| phishing_vector      |         |      | Find phishing vectors.
| preg_replace         |         |      | Find unsafe usage of PHPs preg_replace.
| redos                |         |      | Find ReDoS vulnerabilities.
| response_splitting   |         |      | Find response splitting vulnerabilities.
| rfd                  |         |      | Identify reflected file download vulnerabilities.
| rfi                  |         | Yes  | Find remote file inclusion vulnerabilities.
| rosetta_flash        |         |      | Find Rosetta Flash vulnerabilities in JSONP endpoints
| shell_shock          |         |      | Find shell shock vulnerabilities.
| sqli                 | Enabled |      | Find SQL injection bugs.
| ssi                  |         |      | Find server side inclusion vulnerabilities.
| ssl_certificate      |         | Yes  | Check the SSL certificate validity (if https is being used).
| un_ssl               |         |      | Find out if secure content can also be fetched using http.
| websocket_hijacking  |         |      | Detect Cross-Site WebSocket hijacking vulnerabilities.
| xpath                |         |      | Find XPATH injection vulnerabilities.
| xss                  | Enabled | Yes  | Identify cross site scripting vulnerabilities.
| xst                  |         |      | Find Cross Site Tracing vulnerabilities.
|----------------------|---------|------|-----------------------------------------------------------------------------
w3af/plugins>>> audit all                 (enable all audit plugin modules)
w3af/plugins>>> list audit
|----------------------|---------|------|-----------------------------------------------------------------------------
| Plugin name          | Status  | Conf | Description
|----------------------|---------|------|-----------------------------------------------------------------------------
| blind_sqli           | Enabled | Yes  | Identify blind SQL injection vulnerabilities.
| buffer_overflow      | Enabled |      | Find buffer overflow vulnerabilities.
| cors_origin          | Enabled | Yes  | Inspect if application checks that the value of the "Origin" HTTP header is consistent
|                      |         |      | with the value of the remote IP address/Host of the sender of the incoming HTTP request.
| csrf                 | Enabled |      | Identify Cross-Site Request Forgery vulnerabilities.
| dav                  | Enabled |      | Verify if the WebDAV module is properly configured.
| eval                 | Enabled | Yes  | Find insecure eval() usage.
| file_upload          | Enabled | Yes  | Uploads a file and then searches for the file inside all known directories.
| format_string        | Enabled |      | Find format string vulnerabilities.
| frontpage            | Enabled |      | Tries to upload a file using frontpage extensions (author.dll).
| generic              | Enabled | Yes  | Find all kind of bugs without using a fixed error database.
| global_redirect      | Enabled |      | Find scripts that redirect the browser to any site.
| htaccess_methods     | Enabled |      | Find misconfigurations in Apache's "<LIMIT>" configuration.
| ldapi                | Enabled |      | Find LDAP injection bugs.
| lfi                  | Enabled |      | Find local file inclusion vulnerabilities.
| memcachei            | Enabled |      | No description available for this plugin.
| mx_injection         | Enabled |      | Find MX injection vulnerabilities.
| os_commanding        | Enabled |      | Find OS Commanding vulnerabilities.
| phishing_vector      | Enabled |      | Find phishing vectors.
| preg_replace         | Enabled |      | Find unsafe usage of PHPs preg_replace.
| redos                | Enabled |      | Find ReDoS vulnerabilities.
| response_splitting   | Enabled |      | Find response splitting vulnerabilities.
| rfd                  | Enabled |      | Identify reflected file download vulnerabilities.
| rfi                  | Enabled | Yes  | Find remote file inclusion vulnerabilities.
| rosetta_flash        | Enabled |      | Find Rosetta Flash vulnerabilities in JSONP endpoints
| shell_shock          | Enabled |      | Find shell shock vulnerabilities.
| sqli                 | Enabled |      | Find SQL injection bugs.
| ssi                  | Enabled |      | Find server side inclusion vulnerabilities.
| ssl_certificate      | Enabled | Yes  | Check the SSL certificate validity (if https is being used).
| un_ssl               | Enabled |      | Find out if secure content can also be fetched using http.
| websocket_hijacking  | Enabled |      | Detect Cross-Site WebSocket hijacking vulnerabilities.
| xpath                | Enabled |      | Find XPATH injection vulnerabilities.
| xss                  | Enabled | Yes  | Identify cross site scripting vulnerabilities.
| xst                  | Enabled |      | Find Cross Site Tracing vulnerabilities.
|----------------------|---------|------|-----------------------------------------------------------------------------
w3af/plugins>>> grep all
w3af/plugins>>> crawl web_spider
w3af/plugins>>> list crawl
|------------------------------|---------|------|-----------------------------------------------------------------------------
| Plugin name                  | Status  | Conf | Description
|------------------------------|---------|------|-----------------------------------------------------------------------------
| archive_dot_org              |         | Yes  | Search archive.org to find new pages in the target site.
| bing_spider                  |         | Yes  | Search Bing to get a list of new URLs
| content_negotiation          |         | Yes  | Use content negotiation to find new resources.
| digit_sum                    |         | Yes  | Take an URL with a number (index2.asp) and try to find related
|                              |         |      | files (index1.asp, index3.asp).
| dir_file_bruter              |         | Yes  | Finds Web server directories and files by bruteforcing.
| dot_listing                  |         |      | Search for .listing files and extracts new filenames from it.
| dwsync_xml                   |         |      | Search Dream Waver Sync file (dwsync.xml) and extract referenced files.
| find_backdoors               |         |      | Find web backdoors and web shells.
| find_captchas                |         |      | Identify captcha images on web pages.
| find_dvcs                    |         |      | Search Git, Mercurial (HG), Bazaar (BZR), Subversion (SVN) and CVS repositories
|                              |         |      | and checks for files containing
| genexus_xml                  |         |      | Analyze the execute.xml and DeveloperMenu.xml files and find new URLs
| ghdb                         |         | Yes  | Search Google for vulnerabilities in the target site.
| google_spider                |         | Yes  | Search google using google API to get new URLs
| import_results               |         | Yes  | Import HTTP requests found by output.export_requests and Burp
| oracle_discovery             |         |      | Find Oracle applications on the remote web server.
| phishtank                    |         |      | Search the phishtank.com database to determine if your server is (or was) being
|                              |         |      | used in phishing scams.
| phpinfo                      |         |      | Search PHP Info file and if it finds it will determine the version of PHP.
| pykto                        |         | Yes  | A nikto port to python.
| ria_enumerator               |         | Yes  | Fingerprint Rich Internet Apps - Google Gears Manifest files, Silverlight and
|                              |         |      | Flash.
| robots_txt                   |         |      | Analyze the robots.txt file and find new URLs
| sitemap_xml                  |         |      | Analyze the sitemap.xml file and find new URLs
| spider_man                   |         | Yes  | SpiderMan is a local proxy that will collect new URLs.
| url_fuzzer                   |         | Yes  | Try to find backups, and other related files.
| urllist_txt                  |         |      | Analyze the urllist.txt file and find new URLs
| user_dir                     |         |      | Identify user directories like "http://test/~user/" and infer the remote OS.
| web_diff                     |         | Yes  | Compare a local directory with a remote URL path.
| web_spider                   | Enabled | Yes  | Crawl the web application.
| wordnet                      |         | Yes  | Use the wordnet lexical database to find new URLs.
| wordpress_enumerate_users    |         |      | Finds users in a WordPress installation.
| wordpress_fingerprint        |         |      | Finds the version of a WordPress installation.
| wordpress_fullpathdisclosure |         |      | Try to find the path where the WordPress is installed
| wsdl_finder                  |         |      | Find web service definitions files.
|------------------------------|---------|------|-----------------------------------------------------------------------------
w3af/plugins>>> back                      (after choosing the plugins, return to the top-level menu)
```
```
w3af>>> help
[output identical to the top-level menu shown above]
w3af>>> profiles                          (predefined scan profiles)
w3af/profiles>>> list                     (show the currently available scan profiles)
|-----------------------|--------------------------------------------------------------------------------------------------------
| Profile               | Description
|-----------------------|--------------------------------------------------------------------------------------------------------
| bruteforce            | Bruteforce form or basic authentication access controls using default credentials. To run this profile,
|                       | set the target URL to the resource where the access control is, and then click on Start.
| audit_high_risk       | Perform a scan to only identify the vulnerabilities with higher risk, like SQL Injection, OS Commanding,
|                       | Insecure File Uploads, etc.
| full_audit            | This profile performs a full audit of the target website, using only the web_spider plugin for crawling.
| OWASP_TOP10           | The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on
|                       | improving the security of application software. OWASP searched for and published the ten most common
|                       | security flaws. This profile search for this top 10 security flaws. For more information about the
|                       | security flaws: http://www.owasp.org/index.php/OWASP_Top_Ten_Project .
| fast_scan             | Perform a fast scan of the target site, using only a few discovery plugins and the fastest audit
|                       | plugins.
| empty_profile         | This is an empty profile that you can use to start a new configuration from.
| web_infrastructure    | Use all the available techniques in w3af to fingerprint the remote Web infrastructure.
| full_audit_spider_man | Perform a manual discovery using the spider_man plugin, and afterwards scan the site for any known
|                       | vulnerabilities.
| sitemap               | Use different online techniques to create a fast sitemap of the target web application. This plugin will
|                       | only work if you've got Internet access and the target web application is being spidered by Yahoo!
|-----------------------|--------------------------------------------------------------------------------------------------------
w3af/profiles>>> help
|----------|----------------------------------------------
| use      | Use a profile.
| list     | List available profiles.
| save_as  | Save the current configuration to a profile.
|----------|----------------------------------------------
| back     | Go to the previous menu.
| exit     | Exit w3af.
|----------|----------------------------------------------
```
w3af/profiles>>> save_as (first select the plugins, i.e. grep, crawl and so on, then save the configuration with save_as under profiles). For example:
```
w3af/profiles>>> save_as test01
Parameter missing, please see the help:

Save the current configuration to a profile.

Syntax: save_as PROFILE_NAME
Example: save_as fast_scan
Example: save_as fast_scan self-contained

Please note that the save_as command will overwrite existing profiles with the same name.

When the "self-contained" flag is set the profile will bundle all files referenced by the plugin
configurations. This is useful for sharing custom profiles between different workstations.
Disabled by default.
w3af/profiles>>> use fast_scan
The plugins configured by the scan profile have been enabled, and their options configured.
Please set the target URL(s) and start the scan.
w3af/profiles>>> back
```
```
w3af>>> help
[output identical to the top-level menu shown above]
w3af>>> http-settings                     (HTTP configuration options for the scan)
w3af/config:http-settings>>> help
|------|----------------------------------------------
| view | List the available options and their values.
| set  | Set a parameter value.
| save | Save the configured settings.
|------|----------------------------------------------
| back | Go to the previous menu.
| exit | Exit w3af.
|------|----------------------------------------------
w3af/config:http-settings>>> view
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| Setting                 | Value    | Modified | Description
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| url_parameter           |          |          | URL parameter (http://host.tld/path;<parameter>)
| timeout                 | 0        |          | HTTP connection timeout
| headers_file            |          |          | HTTP headers filename which contains additional headers to be added in each
|                         |          |          | request
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| cookie_jar_file         |          |          | Cookie Jar file holding HTTP cookies
| ignore_session_cookies  | False    |          | Ignore session cookies
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| ntlm_auth_url           |          |          | NTLM authentication domain (target domain name)
| ntlm_auth_user          |          |          | NTLM authentication username
| ntlm_auth_passwd        |          |          | NTLM authentication password
| ntlm_auth_domain        |          |          | NTLM authentication domain (windows domain name)
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| rand_user_agent         | False    |          | Use random User-Agent header
| max_file_size           | 400000   |          | Maximum file size
| max_http_retries        | 2        |          | Maximum number of HTTP request retries
| user_agent              | w3af.org |          | User Agent header
| max_requests_per_second | 0        |          | Maximum HTTP requests per second
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| string_match_404        |          |          | Tag HTTP response as 404 if the string is found in it's body
| always_404              |          |          | Comma separated list of URLs which will always be detected as 404 pages
| never_404               |          |          | Comma separated list of URLs which will never be detected as 404 pages
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| proxy_port              | 8080     |          | Proxy TCP port
| proxy_address           |          |          | Proxy IP address
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| basic_auth_user         |          |          | Basic authentication username
| basic_auth_passwd       |          |          | Basic authentication password
| basic_auth_domain       |          |          | Basic authentication domain
|-------------------------|----------|----------|-----------------------------------------------------------------------------
w3af/config:http-settings>>> set rand_user_agent True        (enable a random User-Agent)
w3af/config:http-settings>>> view
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| Setting                 | Value    | Modified | Description
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| url_parameter           |          |          | URL parameter (http://host.tld/path;<parameter>)
| timeout                 | 0        |          | HTTP connection timeout
| headers_file            |          |          | HTTP headers filename which contains additional headers to be added in each
|                         |          |          | request
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| cookie_jar_file         |          |          | Cookie Jar file holding HTTP cookies
| ignore_session_cookies  | False    |          | Ignore session cookies
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| ntlm_auth_url           |          |          | NTLM authentication domain (target domain name)
| ntlm_auth_user          |          |          | NTLM authentication username
| ntlm_auth_passwd        |          |          | NTLM authentication password
| ntlm_auth_domain        |          |          | NTLM authentication domain (windows domain name)
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| rand_user_agent         | True     | Yes      | Use random User-Agent header
| max_file_size           | 400000   |          | Maximum file size
| max_http_retries        | 2        |          | Maximum number of HTTP request retries
| user_agent              | w3af.org |          | User Agent header
| max_requests_per_second | 0        |          | Maximum HTTP requests per second
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| string_match_404        |          |          | Tag HTTP response as 404 if the string is found in it's body
| always_404              |          |          | Comma separated list of URLs which will always be detected as 404 pages
| never_404               |          |          | Comma separated list of URLs which will never be detected as 404 pages
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| proxy_port              | 8080     |          | Proxy TCP port
| proxy_address           |          |          | Proxy IP address
|-------------------------|----------|----------|-----------------------------------------------------------------------------
| basic_auth_user         |          |          | Basic authentication username
| basic_auth_passwd       |          |          | Basic authentication password
| basic_auth_domain       |          |          | Basic authentication domain
|-------------------------|----------|----------|-----------------------------------------------------------------------------
w3af/config:http-settings>>> back
The configuration has been saved.
```
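Two of the settings above matter just as much on the defending side: the default User-Agent is w3af.org, and rand_user_agent replaces it with random browser strings, so a User-Agent rule on its own misses a scan configured the way this section configures it. The following shell function is an added example, not code from the original post: it runs a User-Agent check and a per-second request-rate check over access-log lines in the combined log format. The log lines, source addresses and the rate threshold are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): flag likely scanner sources in a
# web server access log using two signals from the http-settings shown above.
# 1. User-Agent contains "w3af" (the default user_agent value is w3af.org).
# 2. Request rate: more than THRESHOLD requests from one address within one
#    second, which still shows up when rand_user_agent randomises the UA.
# SAMPLE_LOG is constructed combined-format data, not real traffic.

SAMPLE_LOG='10.10.10.200 - - [10/Jun/2024:16:35:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "w3af.org"
10.10.10.200 - - [10/Jun/2024:16:35:01 +0000] "GET /login.php?id=1 HTTP/1.1" 200 220 "-" "w3af.org"
10.10.10.77 - - [10/Jun/2024:16:35:02 +0000] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.10.90 - - [10/Jun/2024:16:35:03 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.10.10.90 - - [10/Jun/2024:16:35:03 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh)"
10.10.10.90 - - [10/Jun/2024:16:35:03 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512 "-" "Opera/9.80"
10.10.10.90 - - [10/Jun/2024:16:35:03 +0000] "GET /index.php?id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Ubuntu)"
10.10.10.77 - - [10/Jun/2024:16:35:04 +0000] "GET /contact.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"'

# flag_scanner_sources THRESHOLD   (reads log lines on stdin)
# Prints "<ip> user-agent" when the UA names w3af, and "<ip> rate" when a
# source exceeds THRESHOLD requests in a single second (and was not already
# flagged by its User-Agent).
flag_scanner_sources() {
    awk -v thr="$1" '
    {
        ip  = $1
        sec = $4                       # "[10/Jun/2024:16:35:01": one-second resolution
        n   = split($0, q, "\"")       # split on double quotes; the UA is the
        ua  = q[n - 1]                 # last quoted field (q[n] is the empty tail)
        if (tolower(ua) ~ /w3af/) by_ua[ip] = 1
        rate[ip, sec]++
        if (rate[ip, sec] > thr) by_rate[ip] = 1
    }
    END {
        for (ip in by_ua) print ip, "user-agent"
        for (ip in by_rate) if (!(ip in by_ua)) print ip, "rate"
    }'
}

printf '%s\n' "$SAMPLE_LOG" | flag_scanner_sources 3 | sort
```

With a threshold of 3 the run reports 10.10.10.200 by its User-Agent and 10.10.10.90 by rate alone, while 10.10.10.77, two ordinary requests in different seconds, is not reported. The rate signal is the one worth tuning per site; w3af's own max_requests_per_second, shown as 0 (unlimited) above, is exactly what an operator would lower to stay below such a threshold, so a real rule should combine it with path-based signals rather than rely on it alone.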
```
w3af>>> help
[output identical to the top-level menu shown above]
w3af>>> misc-settings                     (miscellaneous settings)
w3af/config:misc-settings>>> view
|-------------------------|-----------------------|----------|-----------------------------------------------------------------------
| Setting                 | Value                 | Modified | Description
|-------------------------|-----------------------|----------|-----------------------------------------------------------------------
| msf_location            | /opt/metasploit3/bin/ |          | Full path of Metasploit framework binary directory
|                         |                       |          | (/opt/metasploit3/bin/ in most linux installs)
|-------------------------|-----------------------|----------|-----------------------------------------------------------------------
| interface               | ppp0                  |          | Local interface name to use when sniffing, doing reverse
|                         |                       |          | connections, etc.
| local_ip_address        | 10.10.10.128          |          | Local IP address to use when doing reverse connections
|-------------------------|-----------------------|----------|-----------------------------------------------------------------------
| max_discovery_time      | 120                   |          | Maximum crawl time (minutes)
| stop_on_first_exception | False                 |          | Stop scan after first unhandled exception
|-------------------------|-----------------------|----------|-----------------------------------------------------------------------
| form_id_action          | exclude               |          | Define the form_id_list filter behaviour
| non_targets             |                       |          | A comma separated list of URLs that w3af should ignore
| form_id_list            | []                    |          | Filter forms to scan using form IDs
|-------------------------|-----------------------|----------|-----------------------------------------------------------------------
| fuzz_url_filenames      | False                 |          | Indicates if w3af plugins will send fuzzed file names in order to
|                         |                       |          | find vulnerabilities
| fuzz_url_parts          | False                 |          | Indicates if w3af plugins will send fuzzed URL parts in order to
|                         |                       |          | find vulnerabilities
| fuzzable_headers        |                       |          | A list with all fuzzable header names
| fuzzed_files_extension  | gif                   |          | Indicates the extension to use when fuzzing file content
| form_fuzzing_mode       | tmb                   |          | Indicates what HTML form combo values w3af plugins will use: all,
|                         |                       |          | tb, tmb, t, b
| fuzz_form_files         | True                  |          | Indicates if w3af plugins will send payloads in the content of
|                         |                       |          | multipart/post form files.
| fuzz_cookies            | False                 |          | Indicates if w3af plugins will use cookies as a fuzzable parameter
|-------------------------|-----------------------|----------|-----------------------------------------------------------------------
w3af/config:misc-settings>>> help
|------|----------------------------------------------
| view | List the available options and their values.
| set  | Set a parameter value.
| save | Save the configured settings.
|------|----------------------------------------------
| back | Go to the previous menu.
| exit | Exit w3af.
|------|----------------------------------------------
w3af/config:misc-settings>>> back
The configuration has been saved.
```
Next, set the target (the target submenu offers the same view/set/save/back/exit commands as misc-settings):

```
w3af>>> target
w3af/config:target>>> set target http://10.10.10.129
w3af/config:target>>> view
|-----------------------------------------------------------------------------------------------------------------------------------|
| Setting          | Value               | Modified | Description                                                                    |
|-----------------------------------------------------------------------------------------------------------------------------------|
| target_framework | unknown             |          | Target programming framework (unknown/php/asp/asp.net/java/jsp/cfm/ruby/perl)  |
| target           | http://10.10.10.129 | Yes      | A comma separated list of URLs                                                 |
| target_os        | unknown             |          | Target operating system (unknown/unix/windows)                                 |
|-----------------------------------------------------------------------------------------------------------------------------------|
w3af/config:target>>> back
The configuration has been saved.
```

With the configuration done, it can be saved as a profile:

```
w3af>>> profiles
w3af/profiles>>> save_as test01
Profile saved.
w3af/profiles>>> back
```
Once configured, start the scan:

```
w3af>>> start
```
6. Script files

The w3af source tree ships ready-made console scripts under scripts/; each is a list of console commands that can be replayed with the -s option:

```
root@attacker:~# cd /usr/local/src/
root@attacker:/usr/local/src# ls
circle.yml  libjavascriptcoregtk-1.0-0_2.4.11-3_amd64.deb  python-support_1.0.15_all.deb    scripts  w3af_api      w3afgui
doc         libwebkitgtk-1.0-0_2.4.11-3_amd64.deb          python-webkit_1.1.8-3_amd64.deb  tools    w3afconsole   w3af_gui
extras      profiles                                       README.md                        w3af     w3af_console  wXf-master
root@attacker:/usr/local/src# cd scripts/
root@attacker:/usr/local/src/scripts# ls
allowed_methods.w3af           file_upload_shell.w3af            profile-fast_scan.w3af
all.w3af                       frontpage_version.w3af            remote_file_include_local_ws.w3af
auth_detailed.w3af             header_fuzzing.w3af               remote_file_include_proxy.w3af
bing_spider.w3af               html_output.w3af                  remote_file_include_shell.w3af
blind_sqli_detection.w3af      list_all_plugins.w3af             remote_file_include_shell-xss.w3af
cookie_fuzzing.w3af            local_file_include-payload.w3af   remote_file_include_w3af_site.w3af
cross_domain.w3af              local_file_include.w3af           spider_man.w3af
csrf.w3af                      login_brute_form_GET.w3af         sqli.w3af
dav_shell.w3af                 login_brute_password_only.w3af    sqlmap_exploit_int.w3af
detect_transparent_proxy.w3af  mangle_request.w3af               targets_from_file.w3af
digit_sum.w3af                 mangle_response.w3af              web_spider-ignore_regex.w3af
eval_shell.w3af                os_commanding-lnx-vdaemon.w3af    web_spider-only_forward.w3af
eval.w3af                      os_commanding-lnx-w3afAgent.w3af  web_spider.w3af
exploit_all.w3af               os_commanding_shell.w3af          xss_simple.w3af
exploit_fast.w3af              os_commanding.w3af                xss_stored.w3af
filename_xss.w3af              php_sca-payload.w3af
root@attacker:/usr/local/src/scripts# cat sqli.w3af
# This is a demo of the attack plugin sql_shell
plugins
output console,text_file
output config text_file
set output_file output-w3af.txt
set verbose True
back
output config console
set verbose False
back
audit sqli
crawl web_spider
crawl config web_spider
set only_forward True
back
grep path_disclosure
back
target
set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres
back
start
bug-report
details 0
back
exit
```
```
root@attacker:/usr/local/src# ./w3afconsole -s ./scripts/sqli.w3af
w3af>>> plugins
w3af/plugins>>> output console,text_file
w3af/plugins>>> output config text_file
w3af/plugins/output/config:text_file>>> set output_file output-w3af.txt
w3af/plugins/output/config:text_file>>> set verbose True
w3af/plugins/output/config:text_file>>> back
The configuration has been saved.
w3af/plugins>>> output config console
w3af/plugins/output/config:console>>> set verbose False
w3af/plugins/output/config:console>>> back
The configuration has been saved.
w3af/plugins>>> audit sqli
w3af/plugins>>> crawl web_spider
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>> set only_forward True
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
w3af/plugins>>> grep path_disclosure
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://moth/w3af/audit/sql_injection/select/sql_injection_string.php?name=andres
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
```
2. w3af authentication
1. HTTP Basic

1. On Windows Server 2003, install the IIS service. Right-click the default website --> Properties --> uncheck anonymous access and tick Basic authentication --> restart the site. Basic authentication's "encryption" is plaintext transmission (the credentials are only Base64-encoded). Set a system account and password from cmd:

```
C:\Documents and Settings\Administrator>net user
\\JOHN-QVW644XAJC 的用户帐户
-----------------------------------------------------------------------------
Administrator            Guest                    IUSR_JOHN-QVW644XAJC
IWAM_JOHN-QVW644XAJC     SUPPORT_388945a0
命令成功完成。

C:\Documents and Settings\Administrator>net user administrator *
请键入用户的密码: jlcssadmin
请再键入一次密码以便确认: jlcssadmin
命令成功完成。
```

2. Capture the login with wireshark, find the packet starting with "GET / HTTP/1.1", right-click Follow TCP stream, and the stream shows the header `Authorization: Basic YWRtaW5pc3RyYXRvcjpqbGNzc2FkbWlu`.

3. w3af has a built-in decoder: Tools --> Encode/Decode --> paste the value in the lower pane --> choose Base64 decode, which yields the username and password administrator:jlcssadmin. The same can be done with the tool that ships with Kali:

```
root@attacker:~# echo -n "administrator:jlcssadmin" | base64
YWRtaW5pc3RyYXRvcjpqbGNzc2FkbWlu    # same value as in the capture
```

4. Configure w3af (GUI): configuration --> http config --> basic http authentication --> enter the username/password and URL --> select plugins and enter the target --> start the scan --> the packet capture shows the login is accepted and the scan proceeds.
2. NTLM

1. On Windows Server 2003, install the IIS service. Right-click the default website --> Properties --> uncheck anonymous access and tick Integrated Windows authentication --> restart the site.

2. How Integrated Windows authentication works: a random number (the challenge) is issued first and is then encrypted; once the ciphertext is received and decrypted, the random number is compared to check that it matches.

3. Capture the login with wireshark, find the packet starting with "200 OK", right-click Follow TCP stream, and the stream shows the authentication exchange, including `Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==`.

4. Configure w3af (GUI): configuration --> http config --> NTLM authentication --> enter the username/password and URL --> select plugins and enter the target --> start the scan --> the packet capture shows the login is accepted and the scan proceeds. In the capture, find the packet starting with "GET / HTTP/1.1", right-click Follow TCP stream, and the server's challenge shows the authentication scheme: `WWW-Authenticate: NTLM`.
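To see what the two captured Authorization headers from the Basic and NTLM sections actually expose, here is an added Python example (not part of the course material or of w3af) that decodes them offline: the Basic header falls straight out as user:password, and the Negotiate header is parsed as an NTLM Type 1 (NEGOTIATE) message per MS-NLMP, including the client OS version field Windows clients send in it.

```python
import base64
import struct

# Constructed from the two Authorization headers captured above
# (the Basic one from the IIS login, the Negotiate one from the NTLM login).
CAPTURED_BASIC = "Authorization: Basic YWRtaW5pc3RyYXRvcjpqbGNzc2FkbWlu"
CAPTURED_NTLM = ("Authorization: Negotiate "
                 "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==")

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_FLAG_NAMES = {  # subset of NTLMSSP NegotiateFlags, MS-NLMP 2.2.2.5
    0x00000001: "UNICODE",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x02000000: "VERSION",
    0x20000000: "128",
    0x40000000: "KEY_EXCH",
    0x80000000: "56",
}


def parse_authorization(header_line):
    """Decode one captured 'Authorization:' line and report what it exposes."""
    scheme, _, token = header_line.split(":", 1)[1].strip().partition(" ")
    raw = base64.b64decode(token)
    if scheme == "Basic":
        # Base64 is an encoding, not encryption: the credentials are plaintext on the wire.
        user, _, password = raw.decode("utf-8").partition(":")
        return {"scheme": "Basic", "user": user, "password": password}
    if scheme in ("Negotiate", "NTLM") and raw.startswith(NTLM_SIGNATURE):
        # MS-NLMP message header: Signature(8) | MessageType(4, little-endian)
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"scheme": scheme, "ntlm_message_type": msg_type}
        if msg_type == 1:  # NEGOTIATE_MESSAGE: NegotiateFlags at 12, Version at 32
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = flags
            info["flag_names"] = [n for b, n in NTLM_FLAG_NAMES.items() if flags & b]
            if flags & 0x02000000 and len(raw) >= 40:
                # Version: Major(1) Minor(1) Build(2) Reserved(3) NTLMRevisionCurrent(1)
                major, minor, build, _, rev = struct.unpack_from("<BBH3sB", raw, 32)
                info["client_os"] = (major, minor, build)
                info["ntlm_revision"] = rev
        return info
    return {"scheme": scheme, "decoded": raw}


if __name__ == "__main__":
    for line in (CAPTURED_BASIC, CAPTURED_NTLM):
        print(parse_authorization(line))
```

The Type 1 message carries no credentials, but its Version field identifies the client's Windows build, which is why NTLM captures are still worth reviewing.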
3. Form

1. Open DVWA on metasploitable.

2. Open w3af, enable the sqli plugin under audit and the detailed plugin under auth, and configure detailed as follows:
- username: the login name, admin
- password: the password, password
- username_field: the field name found in the page source, Username
- password_field: the field name found in the page source, Password
- auth_url: the URL of the page that takes the username and password, http://10.10.10.254/dvwa/login.php
- check_url: http://10.10.10.254/dvwa/index.php
- check_string: a string on the page that only appears after a successful login
- data_format: %u=%U&%p=%P&Login=Login
- follow_redirects: follow the redirect to the index.php page: tick it
Under crawl, enable web_spider and tick only_forward so that only subdirectories of the target are scanned. Set the target to http://10.10.10.254/dvwa and start the scan.
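The same form-login scan can be driven from a console script instead of the GUI. The script below is an added example in the format of the scripts/*.w3af files shown in section 1, not one of the scripts shipped with w3af; it assumes the auth plugin is configured with `auth config detailed` followed by `set`, by analogy with the `crawl config web_spider` lines above, and CHECK_STRING_FROM_LOGGED_IN_PAGE is a placeholder to replace with real text from the logged-in DVWA page.

```text
# Added example: scripted version of the DVWA form-login scan configured in the GUI above
plugins
output console
audit sqli
auth detailed
auth config detailed
set username admin
set password password
set username_field Username
set password_field Password
set auth_url http://10.10.10.254/dvwa/login.php
set check_url http://10.10.10.254/dvwa/index.php
set check_string CHECK_STRING_FROM_LOGGED_IN_PAGE
set data_format %u=%U&%p=%P&Login=Login
set follow_redirects True
back
crawl web_spider
crawl config web_spider
set only_forward True
back
back
target
set target http://10.10.10.254/dvwa
back
start
```

Run it with `./w3af_console -s <file>`, the same way sqli.w3af is run in section 1.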
4. Cookie (for two-factor authentication, anti-CSRF tokens)

In Firefox, install the firebug extension, press F12 to open it, and export the cookies to the /root directory. In w3af's configuration, open the Cookies tab and read its help to learn the cookie file format w3af accepts. Edit the cookie file into that format:

```
# Netscape HTTP Cookie File
10.10.10.254    FALSE    /        FALSE    173151000100    PHPSESSID    8beaf5a6a968863112673b9965f747cr
10.10.10.254    FALSE    /dvwa/   FALSE    173151000100    security     high
# fields (tab-separated): domain | whether all hosts in the domain may read this cookie | path | whether a secure connection is required | expiry time | name | value
```

In the Cookies tab of w3af's configuration, enter the path /root/cookies.txt; if the format is correct it saves successfully. Enable the sqli and xss plugins under audit, and web_spider under crawl with only_forward ticked. Target: http://10.10.10.254/dvwa/
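Since w3af rejects a cookie file that does not match the Netscape layout, it helps to validate it before pointing the Cookies option at it. The added Python example below (not part of the course or of w3af) parses a cookies.txt constructed from the two DVWA cookies above, rejects malformed lines with the field that is wrong, and builds the Cookie header a client would send to a given URL using domain, path and secure matching.

```python
from urllib.parse import urlsplit

# Constructed sample in the Netscape cookies.txt layout shown above, using the page's two
# DVWA cookies. Fields are tab-separated: domain, include-subdomains, path, secure, expiry, name, value.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    "10.10.10.254\tFALSE\t/\tFALSE\t173151000100\tPHPSESSID\t8beaf5a6a968863112673b9965f747cr\n"
    "10.10.10.254\tFALSE\t/dvwa/\tFALSE\t173151000100\tsecurity\thigh\n"
)
FIELDS = ("domain", "include_subdomains", "path", "secure", "expires", "name", "value")


def parse_netscape_cookies(text):
    """Parse cookies.txt, rejecting lines that the Netscape layout does not allow."""
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # header line and comments
        parts = line.split("\t")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 tab-separated fields, got {len(parts)}")
        c = dict(zip(FIELDS, parts))
        for flag in ("include_subdomains", "secure"):
            if c[flag] not in ("TRUE", "FALSE"):
                raise ValueError(f"line {lineno}: {flag} must be TRUE or FALSE")
            c[flag] = c[flag] == "TRUE"
        if not c["expires"].isdigit():
            raise ValueError(f"line {lineno}: expiry must be a Unix timestamp")
        c["expires"] = int(c["expires"])
        cookies.append(c)
    return cookies


def cookie_header_for(cookies, url):
    """Build the Cookie header a client would send to url (RFC 6265 domain/path/secure matching)."""
    u = urlsplit(url)
    host, path = u.hostname, u.path or "/"
    matching = []
    for c in cookies:
        dom = c["domain"].lstrip(".")
        host_ok = host == dom or (c["include_subdomains"] and host.endswith("." + dom))
        path_ok = path == c["path"] or path.startswith(c["path"].rstrip("/") + "/")
        scheme_ok = not c["secure"] or u.scheme == "https"
        if host_ok and path_ok and scheme_ok:
            matching.append(c)
    matching.sort(key=lambda c: len(c["path"]), reverse=True)  # most specific path first
    return "; ".join(f"{c['name']}={c['value']}" for c in matching)
```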
3. Intercepting proxy
1. Setting up the proxy

1. Open the w3af proxy page and leave it waiting.
2. In Firefox on Kali, install the Auto Proxy mod extension, set the default proxy (Your Freedom) and log in to dvwa.
3. Check w3af-proxy: the history now holds records, including the cookie. Save everything except the first two lines to a text file (the first two lines change with every request):

```
root@attacker:~# vim proxy
Accept-language: en-US,en;q=0.5
Accept-encoding: gzip, deflate
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: 10.10.10.254
Referer: http://10.10.10.254/dvwa/login.php
Cookie: security=low; PHPSESSID=232da8c448936de48edef865be14b4ef
Content-type: application/x-www-form-urlencoded
```

4. configuration --> HTTP config --> General --> set the headers file path to the file just created, /root/proxy
5. w3af will use the cookie from this headers file when scanning the target
6. Enable the csrf and sqli plugins under audit and web_spider under crawl
7. Set the target to 10.10.10.254/dvwa/ and start the scan
2. In w3af-proxy, the history holds the recorded requests; from this page the target site can be tested manually for injection.
3. The proxy can also be set up with the spider_man plugin under crawl, where the port can be chosen manually. Set the browser's default proxy to spider_man (create one if it does not exist), with the same values as configured in w3af. The log contains the link to visit to end this plugin.
4. output plugins
1. Enable the export_requests plugin and set its output path and file name; the import_requests plugin under crawl can then reuse that file as input.
5. exploit
1. After the scan completes, the result view lists the vulnerabilities found, and the exploit view can then be used to exploit one of them and obtain a webshell.