Kali Usage Tips and Tricks
Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering.
Download Kali: https://www.kali.org/downloads/
1. Use Proxychains and Tor to Visit Internet
1.1 Configure Proxychains
root@Kali:~# vi /etc/proxychains.conf
You can choose between dynamic_chain, strict_chain or random_chain; dynamic_chain is the preferred mode.
# proxychains.conf  VER 3.1
#
#        HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)
You can also append your own list of known proxy servers at the end of the proxychains.conf file.
# ProxyList format
#       type  host  port [user pass]
#       (values separated by 'tab' or 'blank')
#
#
#        Examples:
#
#            socks5  192.168.67.78  1080  lamer  secret
#            http    192.168.89.3   8080  justu  hidden
#            socks4  192.168.1.49   1080
#            http    192.168.39.93  8080
#
#
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
socks5 98.26.2.3 1893
socks5 76.22.86.10 1658
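The config header above states two rules that are easy to get wrong by hand: only one chain mode should be uncommented (otherwise the last one silently wins), and every ProxyList entry must be `type host port [user pass]` with a supported type and a valid port. As an added example, not part of the original notes or of the proxychains project, here is a small POSIX shell checker for those rules; the function names and the constructed sample config (with two deliberate mistakes) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check a proxychains.conf
# before routing tools through it. Function names and the sample config are
# constructed for this example.

# Lines that activate a chain mode (leading whitespace allowed, not commented).
chain_mode_lines() {
    grep -E '^[[:space:]]*(dynamic_chain|strict_chain|random_chain)[[:space:]]*$' "$1"
}

# Number of active chain-mode directives; the header says it should be 1.
chain_mode_count() {
    chain_mode_lines "$1" | wc -l | tr -d ' '
}

# The mode proxychains will actually use: the last uncommented one.
active_chain_mode() {
    chain_mode_lines "$1" | tail -n 1 | tr -d '[:space:]'
}

# Print malformed ProxyList entries as "line: text". A valid entry is
# "type host port [user pass]" with type in http/socks4/socks5 and port 1-65535.
bad_proxy_entries() {
    awk '
        /^\[ProxyList\]/ { inlist = 1; next }
        !inlist { next }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            type_ok  = ($1 == "http" || $1 == "socks4" || $1 == "socks5")
            port_ok  = ($3 ~ /^[0-9]+$/ && $3 + 0 >= 1 && $3 + 0 <= 65535)
            arity_ok = (NF == 3 || NF == 5)
            if (!(type_ok && port_ok && arity_ok)) print NR ": " $0
        }' "$1"
}

# Overall verdict: returns 0 when the file is usable, 1 otherwise.
check_proxychains_conf() {
    conf=$1
    n=$(chain_mode_count "$conf")
    [ "$n" -eq 1 ] || { echo "expected exactly one chain mode, found $n" >&2; return 1; }
    bad=$(bad_proxy_entries "$conf")
    [ -z "$bad" ] || { printf 'malformed ProxyList entries:\n%s\n' "$bad" >&2; return 1; }
    echo "ok: mode=$(active_chain_mode "$conf")"
}

# Constructed sample config (not the page's /etc/proxychains.conf) with two
# deliberate mistakes: an out-of-range port and an unsupported proxy type.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample
dynamic_chain
#strict_chain
#random_chain
proxy_dns
[ProxyList]
# defaults set to "tor"
socks4 127.0.0.1 9050
socks5 192.0.2.10 1080 user pass
http 192.0.2.11 99999
ftp 192.0.2.12 21
EOF
    echo "$f"
}

# Stand-alone use: sh check_proxychains.sh /etc/proxychains.conf
if [ -n "${1:-}" ]; then
    check_proxychains_conf "$1"
fi
```

Run it against the real file before a `proxychains` session; a wrong or duplicated chain mode is the usual reason traffic does not go where you expect.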
1.2 Install Tor
You will need to add a correct version source to the /etc/apt/sources.list file, otherwise the installation will fail.
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" > /etc/apt/sources.list && apt-get update && apt-get install tor -y && apt autoremove -y
1.3 Use Proxychains to access Internet
You can run an nmap scan through Proxychains, which forces the scan to go through one of the proxies in your list, by typing the following command into a terminal:
proxychains nmap scanme.nmap.org
You can also test Proxychains with Firefox:
proxychains firefox www.duckduckgo.com
proxychains curl icanhazip.com
Using proxychains to start msfconsole:
root@kali:~# proxychains msfconsole
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| 0.0.0.0
|S-chain|-<>-127.0.0.1:9050-<--timeout
|DNS-response|: 0.0.0.0 is not exist
[MSF ASCII-art banner omitted]
Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
-- type 'go_pro' to launch it now.

       =[ metasploit v4.7.0-2013082802 [core:4.7 api:1.0]
+ -- --=[ 1161 exploits - 641 auxiliary - 180 post
+ -- --=[ 310 payloads - 30 encoders - 8 nops

msf >
2. Discover alive machines in target network
root@kali:~# fping -g -r 0 -s 192.168.2.0/24 | grep alive
192.168.2.1 is alive
192.168.2.2 is alive
192.168.2.4 is alive
192.168.2.31 is alive
192.168.2.50 is alive
192.168.2.200 is alive

     254 targets
       6 alive
     248 unreachable
       0 unknown addresses

     248 timeouts (waiting for response)
     254 ICMP Echos sent
       6 ICMP Echo Replies received
       0 other ICMP received

 4.49 ms (min round trip time)
 4.92 ms (avg round trip time)
 5.14 ms (max round trip time)
 3.288 sec (elapsed real time)
3. Use Nmap to scan targets
3.1 Scan a single target address
nmap 192.168.0.100
3.2 Scan multiple target addresses
nmap 192.168.0.100 192.168.0.105
3.3 Scan a range of target addresses
nmap 192.168.0.100-110
3.4 Scan the subnet the target address belongs to
nmap 192.168.0.0/24
3.5 Scan all target addresses listed in the host list targets.txt
nmap -iL d:/targets.txt
3.6 Scan all target addresses except one
nmap 192.168.0.0/24 --exclude 192.168.109.105
3.7 Scan all target addresses except those listed in a file
nmap 192.168.0.0/24 --excludefile d:/targets.txt
3.8 Scan ports 21, 22, 23 and 80 of a target address
nmap 192.168.0.100 -p 21,22,23,80
3.9 Trace the route to a target address
nmap --traceroute 192.168.0.105
3.10 Check which hosts are online in the target's /24 (class C) range
nmap -sP 192.168.0.0/24
3.11 OS fingerprinting of a target address
nmap -O 192.168.0.105
3.12 Detect the versions of services offered by a target address
nmap -sV 192.168.0.105
3.13 Probe the firewall state
In practice, a FIN scan can be used to probe the state of a firewall. A FIN scan tells whether a port is closed: an RST reply means the port is closed, otherwise the port is in the open or filtered state.
nmap -sF -T4 192.168.0.105
3.14 Authentication scan: use --script=auth to check for weak application credentials on the target host or its subnet
nmap --script=auth 192.168.0.105
3.15 Brute-force attack: nmap has brute-force capability and can guess simple passwords for databases, SMB, SNMP and so on
nmap --script=brute 192.168.0.105
3.16 Scan for common vulnerabilities: nmap has vulnerability-scanning scripts that check whether the target host or subnet is affected by common vulnerabilities
nmap --script=vuln 192.168.0.105
3.17 Application service scan: nmap ships scan scripts for many common application services, such as VNC, MySQL, Telnet and Rsync; VNC is used as the example here
nmap --script=realvnc-auth-bypass 192.168.0.105
3.18 Discover more enabled services in the local network:
nmap -n -p 445 --script=broadcast 192.168.0.105
3.19 whois lookup: use third-party databases or resources to query information about the target address, for example a whois lookup
nmap --script external baidu.com
root@kali:~# nmap -T4 -O 192.168.2.31 192.168.2.200

Starting Nmap 7.60 ( https://nmap.org ) at 2019-01-19 21:35 EST
Nmap scan report for 192.168.2.31
Host is up (0.31s latency).
Not shown: 990 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
514/tcp   filtered shell
3389/tcp  open     ms-wbt-server
5357/tcp  open     wsdapi
7070/tcp  open     realserver
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
Device type: general purpose
Running: Microsoft Windows XP|7|2012
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012

Nmap scan report for 192.168.2.200
Host is up (0.12s latency).
Not shown: 995 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
139/tcp open     netbios-ssn
443/tcp open     https
445/tcp open     microsoft-ds
514/tcp filtered shell
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (97%), Linux 4.4 (97%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 136.89 seconds
root@kali:~#
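Output like the scan above is more useful once it is reduced to a per-host list of open ports, so that services a defender tracks (SMB on 445, RDP on 3389) stand out across many hosts. The following POSIX shell functions are an added example, not part of the original notes or of Nmap; they parse Nmap's normal output format (the same layout as the scan above, or a file saved with -oN), and the function names and the constructed sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes: turn nmap's normal output into
# "host port/proto service" rows and flag ports a defender wants to track.
# Function names and the sample output are constructed for this example.

# Emit one row per open port: "<host> <port/proto> <service>".
# The host is taken from the last word of the "Nmap scan report for" line,
# which is the IP (possibly in parentheses when a hostname resolved).
nmap_open_ports() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
        /^[0-9]+\/(tcp|udp)[[:space:]]+open[[:space:]]/ { print host, $1, $3 }
    ' "$@"
}

# Keep only rows whose port number is in a comma-separated watch list,
# e.g. "445,3389" for SMB and RDP exposure. Reads rows on stdin.
flag_watched_ports() {
    awk -v watch="$1" '
        BEGIN { n = split(watch, w, ","); for (i = 1; i <= n; i++) seen[w[i]] = 1 }
        { split($2, pp, "/"); if (pp[1] in seen) print }
    '
}

# Constructed nmap output in the same format as the scan above (not a real scan).
sample_nmap_output() {
    cat <<'EOF'
Starting Nmap 7.60 ( https://nmap.org ) at 2019-01-19 21:35 EST
Nmap scan report for 192.168.2.31
Host is up (0.31s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
445/tcp  open     microsoft-ds
514/tcp  filtered shell
3389/tcp open     ms-wbt-server
Nmap scan report for 192.168.2.200
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.00 seconds
EOF
}

# Stand-alone use: nmap -oN scan.txt <targets> ; sh nmap_summary.sh scan.txt
if [ -n "${1:-}" ]; then
    nmap_open_ports "$1" | flag_watched_ports "445,3389"
fi
```

Filtered ports (such as 514/tcp above) are deliberately left out, since the row list is meant to answer "what is actually reachable"; drop the `open[[:space:]]` part of the pattern if you want them too.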
4. MSF - Metasploit
4.1 Basic Usage and Steps
- search smb
- use exploit/windows/smb/ms08_067_netapi
- show options
- set RHOST 192.168.230.145
- set target 41
- exploit
4.2 YouTube - Kali Metasploit Exploit FTP Service on VSFTPD:
4.3 YouTube - Kali Metasploit Exploit Samba Service:
4.4 wpscan to attack WordPress
Use wpscan to run a simple scan of a WordPress site
root@localhost:~# wpscan -u 10.94.200.81
Enumerate WordPress users and vulnerable plugins
root@localhost:~# wpscan -u 10.94.200.81 -e u vp
Use wordlist to brute force WordPress account
root@localhost:~# wpscan -u 10.94.200.81 -e u --wordlist /usr/share/wordlists/metasploit/common-roots.txt
4.5 Exploit Windows 7 or Windows 2008 Servers
YouTube video: Using EternalBlue Vulnerability to Exploit Windows 2008 Server
5. SGPT
Shell GPT (SGPT) is a command-line tool that integrates with OpenAI’s GPT-4 models to enable natural language processing (NLP) from your Linux shell. It’s designed to simplify repetitive tasks, generate scripts, and assist with coding, all from within the terminal environment. SGPT is a powerful tool that brings the capabilities of OpenAI’s GPT models directly into the Linux command line.
SGPT itself is free to install and use, but you will need an OpenAI API key, which may come with costs depending on your usage tier. SGPT requires an active internet connection as it relies on OpenAI’s cloud-based API to function.
- Python Version: Python 3.6 or later
- OpenAI API Key: You will need an API key from OpenAI to access GPT models.
5.1 Install SGPT
Step 1: Install Python
SGPT requires Python to run. Most Linux distributions come with Python pre-installed, but if not, you can install it using:
sudo apt install python3
Step 2: Install pip (Python Package Installer)
You’ll need pip to install SGPT. Install it using the following command:
sudo apt install python3-pip
Step 3: Install SGPT
Now that Python and pip are installed, you can install SGPT using pip:
pip install shell-gpt
Step 4: Verify Installation
Once the installation is complete, verify that SGPT has been installed correctly by running:
sgpt --version
This should return the installed version of SGPT, confirming that it’s ready for use.
5.2 Setting up OpenAI API Key
Step 1: Get the OpenAI API Key
- Go to the OpenAI API website.
- Sign up or log in to your account.
- Navigate to the API section and generate a new API key.
Step 2: Set API Key in Environment Variables
Once you have your API key, set it as an environment variable to allow SGPT to use it:
export OPENAI_API_KEY="your-api-key-here"
Alternatively, you can add this line to your ~/.bashrc or ~/.bash_profile to persist the key across sessions:
echo 'export OPENAI_API_KEY="your-api-key-here"' >> ~/.bashrc
source ~/.bashrc
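Two things about the `echo ... >> ~/.bashrc` step deserve attention: the key typed on the command line is recorded in the shell history, and ~/.bashrc is usually readable by every local user. As an added example (not part of the original notes or of the shell-gpt project), the POSIX shell functions below store the key in a dedicated file that only the owner can read, take the key from stdin rather than the command line, and verify the file's mode before it is trusted. The function names and the file path ~/.config/shell_gpt/openai.env used in the usage note are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes: keep the OpenAI key in a
# dedicated mode-0600 file instead of ~/.bashrc, reading it from stdin so it
# never appears in the command line or in shell history.
# Function names are constructed for this example.

# Write 'export OPENAI_API_KEY="..."' to the file named in $1, key from stdin.
save_api_key() {
    keyfile=$1
    IFS= read -r key || return 1
    [ -n "$key" ] || { echo "empty key, nothing written" >&2; return 1; }
    # umask in a subshell so the file is created 0600 and the caller's umask is untouched
    ( umask 077; printf 'export OPENAI_API_KEY="%s"\n' "$key" > "$keyfile" )
    chmod 600 "$keyfile"
}

# Returns 0 if the key file is non-empty and readable/writable by the owner only.
key_file_ok() {
    [ -s "$1" ] || return 1
    perms=$(ls -l "$1" | cut -c1-10)   # first 10 columns are the mode bits
    [ "$perms" = "-rw-------" ]
}

# Source the key file and print only the key's length (never the key itself).
load_api_key() {
    . "$1"
    printf '%s' "${#OPENAI_API_KEY}"
}

# Demo with a constructed placeholder key (not a real credential).
demo() {
    f=$(mktemp)
    printf '%s\n' "sk-placeholder-not-a-real-key" | save_api_key "$f"
    key_file_ok "$f" && echo "key file $f ok, key length $(load_api_key "$f")"
    rm -f "$f"
}

# Stand-alone use: sh keyfile.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

In practice you would run `save_api_key ~/.config/shell_gpt/openai.env` (an assumed path) and paste the key at the prompt, then put `. ~/.config/shell_gpt/openai.env` in ~/.bashrc instead of the key itself; `key_file_ok` is cheap enough to call from the same ~/.bashrc line so a file whose permissions have drifted is refused rather than sourced.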
Config File
SGPT creates a configuration file at ~/.config/shell_gpt/config.yaml where you can adjust default behaviour like:
- Default model: Choose between GPT models.
- Temperature: Control randomness in responses.
You can edit the configuration by running:
nano ~/.config/shell_gpt/config.yaml
5.3 Example Prompts
sgpt "Explain how HTTP works."
sgpt "Write a bash script to back up /home/user/documents to /backup."
sgpt "Explain this Python code: def factorial(n): return 1 if n == 0 else n * factorial(n-1)"
sgpt "Create a bash script to back up /var/log to /backup/log every night."
sgpt "Write a cron job script to run a database backup at midnight every day."