For example, the National Telecommunications and Information Administration (NTIA) requires all .us domains to publish their contact information.
kali@kali:~$ whois zoom.us
Maltego
Maltego allows hackers and security researchers to discover
connections between pieces of publicly available information on the
internet. These sources include forum posts, web pages, and
records from the whois database.
Maltego refers to programs like whois as transforms. By applying
a transform to a piece of data, a hacker can discover related
information. Some of Maltego’s transforms identify related
infrastructure such as DNS servers and web servers, whereas other
transforms search public forums to find usernames or email
addresses.
Select Maltego CE (the free edition) in Kali.
The website https://haveibeenpwned.com/ keeps track of these
leaks and stores a list of email addresses associated with leaked
passwords. Check the website directly to see if one of your
passwords has been leaked, or search the database in Maltego by
installing the haveibeenpwned transform and running it on the email
address you discovered.
Leaked Credential Databases (there is a magnet link; see the description in the book)
The rtorrent utility supports magnet links. Below is how to download from a magnet link on Kali:
kali@kali:~$ sudo apt-get install rtorrent
kali@kali:~$ rtorrent <magnet link goes here>
Scanning the Entire Internet
Two tools: Masscan and Shodan
Masscan is an internet-scale scanner that scans for open TCP and UDP ports.
The machine running Masscan must have a 10Gbps
Ethernet adapter and the PF_RING ZC driver installed.
Using an Exclusion List
For this reason, several groups have compiled lists of IP addresses that you should not scan, called exclusion lists. You can find such an exclusion list at https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf.
look something like this:
Performing a Masscan Scan
Now let’s use Masscan to execute a quick scan of our virtual
network. Open your preferred text editor and add the following:
rate = 100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 192.168.1.0-192.168.1.255
excludefile = exclude.txt
Save the file as scan.conf.
Open a terminal on your Kali Linux virtual machine and run the
scan by executing the following command:
kali@kali:~$ sudo masscan -c scan.conf
As the scan runs, you should see the following status screen:
kali@kali:~$ sudo masscan 192.168.1.0/24 -p443 --banners --heartbleed --source-ip 192.168.1.200
This scan inspects the banner (--banners) for the OpenSSL version
numbers associated with the Heartbleed (--heartbleed) vulnerability.
Simultaneously establishing multiple TCP connections can cause
conflicts between Masscan's TCP/IP stack and that of the operating
system, so we label outgoing packets with a new source IP address (--source-ip) not used by other machines on the network to avoid conflicts.
You’ll need to follow extra steps if you decide to run this scan
outside of your virtual test environment, especially if you’re running
the scan over Wi-Fi. In particular, you’ll need to prevent your
operating system from interfering by blocking the port that Masscan
uses with a firewall. On Linux, the iptables program allows editing of
firewall rules. Run the following command to create a new rule:
kali@kali:~$ iptables -A INPUT -p tcp --dport 3000 -j DROP
This rule drops (-j DROP) all incoming (-A INPUT) packets
associated with the TCP protocol (-p tcp) on port 3000 (--dport 3000).
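The scan.conf above writes results to scan.xml with output-status = all, so closed ports land in the file next to open ones. The following added example (not code from the book) parses a constructed sample in Masscan's XML layout, merges the one-port-per-host records into an inventory of open ports per IP, and flags any port not on an assumed per-host allowlist, which is how a defender turns a scan into an exposure check:

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of Masscan's XML output (output-format = xml) for the
# scan.conf above. With output-status = all, closed ports are reported too,
# so a summary must filter on state="open". Banners appear only with --banners.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1600000000" version="1.0-BETA" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1600000001"><address addr="192.168.1.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssl" banner="TLS/1.1 cipher:0xc014"/></port></ports></host>
<host endtime="1600000001"><address addr="192.168.1.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1600000002"><address addr="192.168.1.20" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="closed" reason="rst-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1600000002"><address addr="192.168.1.20" addrtype="ipv4"/><ports><port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<runstats><finished time="1600000003" timestr="..." elapsed="3" /><hosts up="2" down="0" total="2" /></runstats>
</nmaprun>
"""

def parse_masscan_xml(xml_text):
    """Return {ip: {(proto, port): banner_or_None}} for open ports only.
    Masscan emits one <host> element per observed port, so the same IP
    appears many times and the records must be merged."""
    open_ports = defaultdict(dict)
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed/filtered records from output-status = all
            key = (port.get("protocol"), int(port.get("portid")))
            service = port.find("service")
            banner = service.get("banner") if service is not None else None
            # keep a banner already seen if a later record for the port lacks one
            if banner or key not in open_ports[addr]:
                open_ports[addr][key] = banner
    return dict(open_ports)

def unexpected_exposure(results, allowed):
    """Open ports per host that are not in the allowlist {ip: {port, ...}}.
    A host missing from the allowlist has every open port flagged."""
    flagged = {}
    for ip, ports in results.items():
        extra = sorted(p for (_, p) in ports if p not in allowed.get(ip, set()))
        if extra:
            flagged[ip] = extra
    return flagged
```

Replace SAMPLE_XML with the contents of scan.xml and the allowlist with the services each lab host is meant to expose; anything flagged is an open port that the scan found and nobody planned for.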
Shodan
Shodan searches for active IP addresses.
You can find a list of Shodan filters at https://github.com/JavierOlmedo/shodan-filters/
The following search query returns Linux servers in Charlottesville, Virginia, that run Apache and support HTTPS:
os:linux city:Charlottesville apache 2.4.46 https
Vulnerability Databases
Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers
This database is synced with the Common Vulnerabilities and Exposures (CVE) database maintained by Mitre.
You can search these databases from the Kali Linux command line by running the following:
searchsploit <keywords>
View the exploitation script by using the -p flag followed by the unique number that identifies the exploit.
kali@kali:~$ searchsploit -p 29316
Exploit: Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner
URL: https://www.exploit-db.com/exploits/29316
Path: /usr/share/exploitdb/exploits/php/remote/29316.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Vulnerability Scanners
Nessus
OpenVAS
Nexpose
Summary of web vulnerability scanning tools on Kali: OpenVAS, nessus, acunetix, w3af, etc. (lm19770429's column, CSDN blog, "kali vulnerability scanning tools")
The Nessus Home scanner is free, but it is limited to 16 IP addresses.
kali@kali:~/Downloads$ sudo dpkg -i Nessus-<version number>-debian6_amd64.deb
kali@kali:~/Downloads$ sudo systemctl enable nessusd
kali@kali:~/Downloads$ sudo systemctl start nessusd
You can access Nessus through your browser.