
Kali in a virtual machine, no installation required (隽永东方 shows you how to set up Kali with VirtualBox)


Recently, Alibaba Cloud Security Center detected malicious attacks on the Internet that exploit a Memcached service vulnerability. If a customer leaves the UDP protocol open by default without any access control, a running Memcached service can be abused by attackers, consuming outbound bandwidth or CPU resources.

On top of that, on the day 360 went public through a reverse merger its stock fell. Everyone has surely heard of 360's predecessor: yes, the original "rogue software", the 3721 Internet keyword tool. So 360's origins are not exactly glorious, and there has long been a saying that security companies create viruses themselves and then sell the removal tools, winning the trust of a large following. Whether that is true we cannot know; we mention it purely as an aside.

We have also long paid close attention to website security, especially WordPress security, and have previously written a series of articles on it: server-level protection, installing an SSL certificate, hiding the admin login path, and so on. Once these measures are in place they do block the great majority of vulnerabilities. That said, there is no absolutely secure website in this world; anything placed on the Internet for public access will have vulnerabilities. Only by learning some attack and vulnerability-discovery methods ourselves can we defend against attacks in a targeted, effective way and head off trouble before it happens.

Today we will play with the famous hacker's toolkit, Kali Linux; most people who follow security news have heard of or used it:

Kali Linux is a Debian-based Linux distribution designed as an operating system for digital forensics. It is maintained and funded by Offensive Security Ltd. It was first completed by Mati Aharoni and Devon Kearns of Offensive Security by rewriting BackTrack, their earlier forensics-oriented Linux distribution.

Kali Linux comes preinstalled with many penetration-testing programs, including nmap, Wireshark, John the Ripper and Aircrack-ng. Users can run Kali Linux from a hard disk, a live CD or a live USB. Kali Linux offers both 32-bit and 64-bit images for the x86 instruction set, as well as ARM-based images for the Raspberry Pi and Samsung's ARM Chromebook.

From this brief Baidu Baike summary you can see how capable the tool is; for novice-level "hackers" like us, learning the necessary skills through professional tools like this is very convenient.

Kali Linux is a Debian-based Linux distribution, so anyone who has used Ubuntu will find it familiar: the command line is almost the same. Of course, as a standalone Linux distribution, installing it takes some effort. Installing it directly on a separate computer would certainly work, but buying a dedicated machine just to learn this system is clearly wasteful, so we install it in a virtual machine, using VirtualBox here.

Downloading VirtualBox is easy; the official version is available at the following link:

http://www.virtualbox.org/wiki/Downloads

Installation is very simple and is not repeated here. The next step is to download the VirtualBox version of Kali Linux:

http://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-hyperv-image-download/

On Mac OS we recommend the Flox download tool for fetching the torrent file; it is very fast.

Once downloaded, open the image file directly with VirtualBox:

After it boots successfully it looks like this:

The interface is very clean and fully graphical, although most tools still run on the command line when launched, so you need some basic Linux command-line knowledge.

The default account and password after installation are root / toor; the password can be changed to anything else.

Here we focus on WordPress security. Kali Linux ships with the wpscan tool developed by Sucuri, which can detect the vulnerabilities of any website and gives detailed remediation advice:

        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - http://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_

We pick an arbitrary running WordPress site to see how powerful the tool is, for example a well-known WordPress site such as the cPanel Blog, http://blog.cpanel.com/, as the target. The results are as follows:

root@kali:~# wpscan --url blog.cpanel.com
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - http://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] The remote host tried to redirect to: http://blog.cpanel.com/
[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]Y
[+] URL: http://blog.cpanel.com/
[+] Started: Mon Mar 12 04:29:09 2018

[+] robots.txt available under: 'http://blog.cpanel.com/robots.txt'
[+] Interesting entry from robots.txt: http://blog.cpanel.com/xmlrpc.php
[+] Interesting header: LINK: <http://blog.cpanel.com/wp-json/>; rel="http://api.w.org/"
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-CONTENT-TYPE-OPTIONS: nosniff
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-XSS-PROTECTION: 1; mode=block

[i] WordPress version can not be detected

[+] WordPress theme in use: cpBlog15 - v3.3.4

[+] Name: cpBlog15 - v3.3.4
 | Location: http://blog.cpanel.com/wp-content/themes/cpBlog15/
 | Style URL: http://blog.cpanel.com/wp-content/themes/cpBlog15/style.css
 | Theme Name: cPBlog15
 | Theme URI: http://blog.cpanel.com/
 | Description: A versatile HTML5 responsive WordPress framework based on Bootstrap.
 | Author: cPanel Madmen
 | Author URI: http://lduong.com/

[+] Enumerating plugins from passive detection ...
 | 5 plugins found:

[+] Name: add-to-any - v1.7.23
 | Last updated: 2018-02-16T04:44:00.000Z
 | Location: http://blog.cpanel.com/wp-content/plugins/add-to-any/
 | Readme: http://blog.cpanel.com/wp-content/plugins/add-to-any/README.txt
[!] The version is out of date, the latest version is 1.7.25

[+] Name: disqus-comment-system
 | Latest version: 3.0.15
 | Last updated: 2018-03-02T22:23:00.000Z
 | Location: http://blog.cpanel.com/wp-content/plugins/disqus-comment-system/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Disqus <= 2.75 - Remote Code Execution (RCE)
    Reference: http://wpvulndb.com/vulnerabilities/6357
    Reference: http://blog.sucuri.net/2014/06/anatomy-of-a-remote-code-execution-bug-on-disqus.html
[i] Fixed in: 2.76

[!] Title: Disqus Comment System <= 2.68 - Reflected Cross-Site Scripting (XSS)
    Reference: http://wpvulndb.com/vulnerabilities/6358
    Reference: http://blog.dewhurstsecurity.com/2011/12/11/wordpress-plugin-disqus-comment-system-xss.html
[i] Fixed in: 2.69

[!] Title: Disqus Blog Comments <= 2.77 - Blind SQL Injection
    Reference: http://wpvulndb.com/vulnerabilities/6359
    Reference: http://www.exploit-db.com/exploits/20913/
[i] Fixed in: 2.7.8

[!] Title: Disqus <= 2.77 - Cross-Site Request Forgery (CSRF)
    Reference: http://wpvulndb.com/vulnerabilities/7537
    Reference: http://vexatioustendencies.com/csrf-in-disqus-wordpress-plugin-v2-77/
    Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5346
[i] Fixed in: 2.79

[!] Title: Disqus <= 2.75 - Cross-Site Scripting (XSS) & CSRF
    Reference: http://wpvulndb.com/vulnerabilities/7538
    Reference: http://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin/
    Reference: http://gist.github.com/nikcub/cb5dc7a5464276c8424a
    Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5345
    Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5347
[i] Fixed in: 2.76

[+] Name: stop-user-enumeration
 | Latest version: 1.3.15
 | Last updated: 2018-01-23T09:50:00.000Z
 | Location: http://blog.cpanel.com/wp-content/plugins/stop-user-enumeration/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Stop User Enumeration 1.2.4 - POST Request Protection Bypass
    Reference: http://wpvulndb.com/vulnerabilities/7125
    Reference: http://packetstormsecurity.com/files/125035/
    Reference: http://seclists.org/fulldisclosure/2014/Feb/3
    Reference: http://secunia.com/advisories/56643/
[i] Fixed in: 1.2.5

[!] Title: Stop User Enumeration <= 1.3.3 - username Enumeration Bypass
    Reference: http://wpvulndb.com/vulnerabilities/8436
    Reference: http://wordpress.org/plugins/stop-user-enumeration/changelog/
    Reference: http://plugins.trac.wordpress.org/changeset/1390935/stop-user-enumeration
[i] Fixed in: 1.3.4

[!] Title: Stop User Enumeration <= 1.3.4 - Username Enumeration Bypasses
    Reference: http://wpvulndb.com/vulnerabilities/8712
    Reference: http://seclists.org/fulldisclosure/2017/Jan/10
    Reference: http://security.dxw.com/advisories/stop-user-enumeration-does-not-stop-user-enumeration/
[i] Fixed in: 1.3.5

[!] Title: Stop User Enumeration 1.3.5-1.3.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
    Reference: http://wpvulndb.com/vulnerabilities/8723
    Reference: http://plugins.trac.wordpress.org/changeset/1575129/stop-user-enumeration
[i] Fixed in: 1.3.8

[!] Title: Stop User Enumeration <= 1.3.8 - REST API Bypass
    Reference: http://wpvulndb.com/vulnerabilities/8874
    Reference: http://security.dxw.com/advisories/stop-user-enumeration-rest-api/
    Reference: http://seclists.org/fulldisclosure/2017/Jul/67
[i] Fixed in: 1.3.9

[+] Name: wp-jquery-lightbox
 | Latest version: 1.4.8
 | Last updated: 2016-03-15T16:02:00.000Z
 | Location: http://blog.cpanel.com/wp-content/plugins/wp-jquery-lightbox/

[+] Name: wp-pagenavi
 | Latest version: 2.92
 | Last updated: 2017-06-30T08:12:00.000Z
 | Location: http://blog.cpanel.com/wp-content/plugins/wp-pagenavi/

[+] Finished: Mon Mar 12 04:40:58 2018
[+] Requests Done: 396
[+] Memory used: 145.371 MB
[+] Elapsed time: 00:11:48

From the scan results above we can see a great deal of technical information about the site. If I wanted to attack it, with the help of a few other tools I believe it would be easy to gain control of it. Of course, we are the good guys and will not do anything illegal; the purpose of using these tools is not to do harm but to improve network security.
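For the site owner, the useful part of a report like the one above is not the banner but the answer to "which of my plugins must I update, and which ones could WPScan not even version?" The following Python script is an added example (not part of the original post and not WPScan's own code): it parses the 2.9.x text format shown above into plugin records and triages them. The excerpt it runs on is constructed from that format with the host replaced by the placeholder blog.example; the field names, the "update"/"verify"/"vulnerable"/"ok" labels and the version-comparison rule are my own assumptions.

```python
"""Parse WPScan 2.9.x text output and turn it into an update list.

Added example, not WPScan's own code. SAMPLE_REPORT is a constructed excerpt
in the report format shown on the page; blog.example is a placeholder host.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Component:
    section: str                    # "theme" or "plugins" (which report section it came from)
    name: str
    version: Optional[str] = None   # version WPScan fingerprinted, None if it could not
    latest: Optional[str] = None    # latest version in WPScan's database
    location: Optional[str] = None
    out_of_date: bool = False
    vulns: list = field(default_factory=list)   # dicts with title, fixed_in, refs


NAME_RE = re.compile(r"^\[\+\] Name: (\S+)(?: - v(\S+))?$")
OUTDATED_RE = re.compile(r"^\[!\] The version is out of date, the latest version is (\S+)$")


def parse_wpscan(text: str) -> list:
    """Walk the report line by line; every '[+] Name:' line opens a new component."""
    components, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+] WordPress theme in use"):
            section = "theme"
        elif line.startswith("[+] Enumerating plugins"):
            section = "plugins"
        m = NAME_RE.match(line)
        if m:
            current = Component(section or "unknown", m.group(1), m.group(2))
            components.append(current)
            continue
        if current is None:
            continue
        m_out = OUTDATED_RE.match(line)
        if line.startswith("| Latest version:"):
            current.latest = line.split(":", 1)[1].strip()
        elif line.startswith("| Location:"):
            current.location = line.split(":", 1)[1].strip()
        elif m_out:
            current.out_of_date, current.latest = True, m_out.group(1)
        elif line.startswith("[!] Title:"):
            current.vulns.append({"title": line[len("[!] Title:"):].strip(),
                                  "fixed_in": None, "refs": []})
        elif line.startswith("Reference:") and current.vulns:
            current.vulns[-1]["refs"].append(line.split(":", 1)[1].strip())
        elif line.startswith("[i] Fixed in:") and current.vulns:
            current.vulns[-1]["fixed_in"] = line.split(":", 1)[1].strip()
    return components


def version_key(v: str) -> tuple:
    """Numeric tuple for ordering versions: '2.7.8' -> (2, 7, 8)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def triage(components: list) -> dict:
    """Map each plugin name to an (action, detail) pair for the site owner."""
    actions = {}
    for c in components:
        if c.section != "plugins":
            continue
        if c.version is None:
            # WPScan printed every known issue; the owner must check the installed
            # version against the highest "Fixed in" (or the latest release if no issues).
            fixed = [v["fixed_in"] for v in c.vulns if v["fixed_in"]]
            actions[c.name] = ("verify", max(fixed, key=version_key) if fixed else c.latest)
            continue
        affecting = [v["title"] for v in c.vulns
                     if v["fixed_in"] and version_key(v["fixed_in"]) > version_key(c.version)]
        if affecting:
            actions[c.name] = ("vulnerable", affecting)
        elif c.out_of_date:
            actions[c.name] = ("update", c.latest)
        else:
            actions[c.name] = ("ok", c.version)
    return actions


SAMPLE_REPORT = """\
[+] WordPress theme in use: cpBlog15 - v3.3.4

[+] Name: cpBlog15 - v3.3.4
 | Location: http://blog.example/wp-content/themes/cpBlog15/

[+] Enumerating plugins from passive detection ...
 | 3 plugins found:

[+] Name: add-to-any - v1.7.23
 | Location: http://blog.example/wp-content/plugins/add-to-any/
[!] The version is out of date, the latest version is 1.7.25

[+] Name: disqus-comment-system
 | Latest version: 3.0.15
 | Location: http://blog.example/wp-content/plugins/disqus-comment-system/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Disqus <= 2.75 - Remote Code Execution (RCE)
    Reference: http://wpvulndb.com/vulnerabilities/6357
[i] Fixed in: 2.76

[!] Title: Disqus <= 2.77 - Cross-Site Request Forgery (CSRF)
    Reference: http://wpvulndb.com/vulnerabilities/7537
[i] Fixed in: 2.79

[+] Name: wp-pagenavi
 | Latest version: 2.92
 | Location: http://blog.example/wp-content/plugins/wp-pagenavi/
"""

if __name__ == "__main__":
    for name, (action, detail) in triage(parse_wpscan(SAMPLE_REPORT)).items():
        print(f"{name:25s} {action:10s} {detail}")
```

Run it against a saved report (wpscan's --log option above writes one) by replacing SAMPLE_REPORT with the file contents. The "verify" action is the important one: WPScan only lists every known issue when it cannot read the version, so those plugins need a look at the dashboard, not an assumption that they are fine.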

Here is the usage for the latest version of WPScan:

root@kali:~# wpscan -h
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - http://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

Help :

Some values are settable in a config file, see the example.conf.json

--update                             Update the database to the latest version.
--url       | -u <target url>        The WordPress URL/domain to scan.
--force     | -f                     Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)]         Enumeration.
  option :
    u        usernames from id 1 to 10
    u[10-20] usernames from id 10 to 20 (you must write [] chars)
    p        plugins
    vp       only vulnerable plugins
    ap       all plugins (can take a long time)
    tt       timthumbs
    t        themes
    vt       only vulnerable themes
    at       all themes (can take a long time)
  Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
  If no option is supplied, the default is "vt,tt,u,vp"

--exclude-content-based "<regexp or string>"
                                     Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
                                     You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
--config-file  | -c <config file>    Use the specified config file, see the example.conf.json.
--user-agent   | -a <User-Agent>     Use the specified User-Agent.
--cookie <string>                    String to read cookies from.
--random-agent | -r                  Use a random User-Agent.
--follow-redirection                 If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--batch                              Never ask for user input, use the default behaviour.
--no-color                           Do not use colors in the output.
--log [filename]                     Creates a log.txt file with WPScan's output if no filename is supplied. Otherwise the filename is used for logging.
--no-banner                          Prevents the WPScan banner from being displayed.
--disable-accept-header              Prevents WPScan sending the Accept HTTP header.
--disable-referer                    Prevents setting the Referer header.
--disable-tls-checks                 Disables SSL/TLS certificate verification.
--wp-content-dir <wp content dir>    WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specify it.
                                     Subdirectories are allowed.
--wp-plugins-dir <wp plugins dir>    Same thing than --wp-content-dir but for the plugins directory.
                                     If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy <[protocol://]host:port>     Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
                                     If no protocol is given (format host:port), HTTP will be used.
--proxy-auth <username:password>     Supply the proxy login credentials.
--basic-auth <username:password>     Set the HTTP Basic authentication.
--wordlist | -w <wordlist>           Supply a wordlist for the password brute forcer.
--username | -U <username>           Only brute force the supplied username.
--usernames <path-to-file>           Only brute force the usernames from the file.
--cache-dir <cache-directory>        Set the cache directory.
--cache-ttl <cache-ttl>              Typhoeus cache TTL.
--request-timeout <request-timeout>  Request Timeout.
--connect-timeout <connect-timeout>  Connect Timeout.
--threads | -t <number of threads>   The number of threads to use when multi-threading requests.
--max-threads <max-threads>          Maximum Threads.
--throttle <milliseconds>            Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
--help | -h                          This help screen.
--verbose | -v                       Verbose output.
--version                            Output the current version and exit.

Examples :

-Further help ...
ruby /wpscan.rb --help

-Do 'non-intrusive' checks ...
ruby /wpscan.rb --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...
ruby /wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordlist password brute force on the 'admin' username only ...
ruby /wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

-Enumerate installed plugins ...
ruby /wpscan.rb --url www.example.com --enumerate p

-Enumerate installed themes ...
ruby /wpscan.rb --url www.example.com --enumerate t

-Enumerate users ...
ruby /wpscan.rb --url www.example.com --enumerate u

-Enumerate installed timthumbs ...
ruby /wpscan.rb --url www.example.com --enumerate tt

-Use a HTTP proxy ...
ruby /wpscan.rb --url www.example.com --proxy 127.0.0.1:8118

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
ruby /wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000

-Use custom content directory ...
ruby /wpscan.rb -u www.example.com --wp-content-dir custom-content

-Use custom plugins directory ...
ruby /wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins

-Update the DB ...
ruby /wpscan.rb --update

-Debug output ...
ruby /wpscan.rb --url www.example.com --debug-output 2>debug.log

See README for further information.

Going a step further, WPScan can also run brute-force attacks against WordPress:

1. First run a command for a simple initial probe:

wpscan --url 192.*.*.*

This lists the WordPress-related information, the vulnerabilities present and the corresponding CVE information;

2. Attack WordPress and list the existing usernames:

Base command:

wpscan --url [wordpress url] --wordlist [path to wordlist] --username [username to brute force // a specific username, or empty] --threads [number of threads to use // number of attack threads]

Run the following command (multiple enumeration options are comma-separated, as the help above shows):

wpscan -u 192.*.*.* -e u,vp

By exploiting the existing vulnerabilities we obtain the user table information of the WordPress database and find that there is one user, admin;

3. Brute force with a dictionary:

One thing to note for this step: the dictionary was prepared in advance and placed in the current directory, so the command below reads the txt file from the current directory;

The command is:

wpscan --url 192.*.*.* -e u --wordlist /root/abcwordlist.txt
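The three steps above are the attacker's view. On the server the same activity leaves a recognisable trace in the web server's access log: a burst of POSTs to wp-login.php from one address, a sweep of ?author=N requests (one of the author-id techniques behind username enumeration, the same weakness the stop-user-enumeration findings above are about), and, unless --random-agent is used, the tool's own User-Agent. The following Python script is an added example (not from the page and not from WPScan) that flags these per client IP. The log lines are constructed in Apache combined format; the thresholds, tag names and the User-Agent substring are assumptions to tune for your own site.

```python
"""Flag WordPress login brute force and author-id enumeration in Apache access logs.

Added example, not part of the original page. SAMPLE_LOG is constructed;
thresholds and tag names are illustrative defaults, not WordPress or WPScan values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def max_in_window(times, window):
    """Largest number of events inside any sliding window of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def detect(lines, login_threshold=10, window=timedelta(minutes=5), enum_threshold=5):
    """Return {ip: [tags]} for clients whose activity looks like a WordPress scan."""
    logins = defaultdict(list)   # ip -> timestamps of POST /wp-login.php
    authors = defaultdict(set)   # ip -> distinct author ids requested via ?author=N
    scanner_ua = set()           # ips whose User-Agent names the scanner (weak signal)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            logins[rec["ip"]].append(rec["ts"])
        m = re.search(r"[?&]author=(\d+)", rec["path"])
        if m:
            authors[rec["ip"]].add(m.group(1))
        if "wpscan" in rec["ua"].lower():
            scanner_ua.add(rec["ip"])
    findings = defaultdict(set)
    for ip, ts in logins.items():
        if max_in_window(ts, window) >= login_threshold:
            findings[ip].add("login-bruteforce")
    for ip, ids in authors.items():
        if len(ids) >= enum_threshold:
            findings[ip].add("author-enumeration")
    for ip in scanner_ua:
        findings[ip].add("scanner-user-agent")
    return {ip: sorted(tags) for ip, tags in findings.items()}


# --- constructed sample log (documentation addresses, not real clients) ---
def _entry(ip, when, method, path, status, ua="Mozilla/5.0"):
    return f'{ip} - - [{when.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


_T0 = datetime(2018, 3, 12, 4, 29, 9, tzinfo=timezone.utc)
SCANNER_UA = "WPScan v2.9.3 (http://wpscan.org)"   # default UA; --random-agent replaces it
SAMPLE_LOG = (
    # author-id sweep, ids 1..6, one request per second
    [_entry("203.0.113.7", _T0 + timedelta(seconds=i), "GET", f"/?author={i + 1}", 301, SCANNER_UA)
     for i in range(6)]
    # 12 login attempts in about half a minute
    + [_entry("203.0.113.7", _T0 + timedelta(seconds=10 + 3 * i), "POST", "/wp-login.php", 200, SCANNER_UA)
       for i in range(12)]
    # a human who mistyped a password once and then logged in
    + [_entry("198.51.100.2", _T0 + timedelta(minutes=2), "POST", "/wp-login.php", 200),
       _entry("198.51.100.2", _T0 + timedelta(minutes=2, seconds=20), "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, tags in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

Feed it real lines with detect(open("/var/log/apache2/access.log")). Two options from the help above limit what this catches: --random-agent removes the User-Agent signal, and --throttle can keep the request rate under a naive threshold, so treat the rate-based tags as the primary ones and back them with per-account lockouts rather than relying on log review alone.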

In summary, WPScan is just one very introductory tool among the 300-plus hacking tools bundled with Kali Linux. If you are interested, you can dig deeper into the other tools in this toolkit. As always: hacking tools are like kitchen knives, good people cook with them and bad people kill with them. Tools are neither good nor bad; people are. Learning good tools to improve network security, why not?