Python滲透測試編程技術(shù)：方法與實踐（第2版）

目錄

第1章 概述·············································1
1.1 網(wǎng)絡(luò)安全滲透測試······················1
1.2 開展網(wǎng)絡(luò)安全滲透測試················3
1.2.1 前期與客戶的交流··································4
1.2.2 收集情報······························································5
1.2.3 威脅建模······························································5
1.2.4 漏洞分析······························································6
1.2.5 漏洞利用······························································6
1.2.6 后滲透攻擊·························································································6
1.2.7 報告··································································································7
1.3 網(wǎng)絡(luò)安全滲透測試需要掌握的技能·················································7
1.4 小結(jié)········································8

第2章 Kali Linux 2使用基礎(chǔ)··············9
2.1 簡介········································9
2.2 安裝Kali Linux 2······················10
2.2.1 在VMware虛擬機(jī)中安裝Kali Linux 2···············10
2.2.2 在樹莓派中安裝Kali Linux 2···12
2.3 Kali Linux 2的常用操作·············15
2.3.1 文件系統(tǒng)····························17
2.3.2 常用命令····························19
2.3.3 對Kali Linux 2的網(wǎng)絡(luò)進(jìn)行配置·················21
2.3.4 在Kali Linux 2中安裝第三方應(yīng)用程序·················25
2.3.5 對Kali Linux 2網(wǎng)絡(luò)進(jìn)行SSH遠(yuǎn)程控制····················25
2.3.6 Kali Linux 2的更新操作········29
2.4 VMware的高級操作··················29
2.4.1 在VMware中安裝其他操作系統(tǒng)···············29
2.4.2 VMware中的網(wǎng)絡(luò)連接··········30
2.4.3 VMware中的快照與克隆功能···················32
2.5 小結(jié)······································33

第3章 Python語言基礎(chǔ)部分·············34
3.1 Python語言基礎(chǔ)·······················35
3.2 在Kali Linux 2系統(tǒng)中安裝Python編程環(huán)境 ································ 35
3.3 編寫第一個 Python程序 ············· 43
3.4 選擇結(jié)構(gòu) ································ 44
3.5 循環(huán)結(jié)構(gòu) ································ 45
3.6 數(shù)字和字符串 ·························· 47
3.7 列表、元組和字典 ···················· 49
3.7.1 列表 ·································· 49
3.7.2 元組 ·································· 50
3.7.3 字典 ·································· 50
3.8 函數(shù)與模塊 ····························· 51
3.9 文件處理 ································ 53
3.10 小結(jié) ····································· 54

第 4章 安全滲透測試的常見模塊·······55
4.1 Socket模塊文件 ······················· 55
4.1.1 簡介 ·································· 56
4.1.2 基本用法 ···························· 57
4.2 python-nmap模塊文件 ················ 60
4.2.1 簡介 ·································· 61
4.2.2 基本用法 ···························· 62
4.3 Scapy模塊文件 ························ 66
4.3.1 簡介 ·································· 66
4.3.2 基本用法 ···························· 67
4.4 小結(jié) ······································ 76

第 5章 信息收集···································77
5.1 信息收集基礎(chǔ) ·························· 78
5.2 主機(jī)狀態(tài)掃描 ·························· 79
5.2.1 基于 ARP的活躍主機(jī)發(fā)現(xiàn)技術(shù) ·································· 80
5.2.2 基于 ICMP的活躍主機(jī)發(fā)現(xiàn)技術(shù) ·································· 85
5.2.3 基于 TCP的活躍主機(jī)發(fā)現(xiàn)技術(shù) ·································· 90
5.2.4 基于 UDP的活躍主機(jī)發(fā)現(xiàn)技術(shù) ·································· 93
5.3 端口掃描 ································ 94
5.3.1 基于 TCP全開的端口掃描技術(shù) ·································· 95
5.3.2 基于 TCP半開的端口掃描技術(shù) ·································· 98
5.4 服務(wù)掃描 ·······························101
5.5 操作系統(tǒng)掃描 ·························105
5.6 小結(jié) ·····································108

第 6章 對漏洞進(jìn)行滲透（基礎(chǔ)部分）······························110
6.1 測試軟件的溢出漏洞 ················ 110
6.2 計算軟件溢出的偏移地址 ·········· 114
6.3 查找JMP ESP指令··················· 117
6.4 編寫滲透程序 ·························120
6.5 壞字符的確定 ·························123
6.6 使用Metasploit生成 shellcode ·····126
6.7 小結(jié)·····································130

第 7章 對漏洞進(jìn)行滲透（高級部分） ······························131
7.1 SEH溢出簡介 ·························132
7.2 編寫基于 SEH溢出滲透模塊的要點······································134
7.2.1 計算到 catch位置的偏移量····135
7.2.2 查找 POP/POP/RET地址·······141
7.3 編寫滲透模塊 ·························142
7.4 小結(jié) ·····································145

第8章 網(wǎng)絡(luò)嗅探與欺騙 ··············· 146
8.1 網(wǎng)絡(luò)數(shù)據(jù)嗅探 ·························147
8.1.1 編寫一個網(wǎng)絡(luò)嗅探工具 ·········147
8.1.2 調(diào)用 Wireshark 查看數(shù)據(jù)包 ······························150
8.2 ARP的原理與缺陷 ···················152
8.3 ARP欺騙的原理 ······················153
8.4 中間人欺騙 ····························156
8.5 小結(jié) ·····································164

第9章 拒絕服務(wù)攻擊 ·················· 165
9.1 數(shù)據(jù)鏈路層的拒絕服務(wù)攻擊 ·······166
9.2 網(wǎng)絡(luò)層的拒絕服務(wù)攻擊 ·············169
9.3 傳輸層的拒絕服務(wù)攻擊 ·············171
9.4 基于應(yīng)用層的拒絕服務(wù)攻擊 ·······173
9.5 小結(jié) ·····································179

第10章 身份認(rèn)證攻擊 ················ 181
10.1 簡單網(wǎng)絡(luò)服務(wù)認(rèn)證的攻擊 ·········182
10.2 編寫破解密碼字典 ··················183
10.3 FTP暴力破解模塊 ··················187
10.4 SSH暴力破解模塊 ··················191
10.5 Web暴力破解模塊 ··················194
10.6 使用BurpSuite對網(wǎng)絡(luò)認(rèn)證服務(wù)的攻擊 ····································201
10.6.1 基于表單的暴力破解 ··········202
10.6.2 繞過驗證碼（客戶端） ·········212
10.6.3 繞過驗證碼（服務(wù)器端） ······214
10.7 小結(jié) ····································215

第11章 編寫遠(yuǎn)程控制工具 ·········· 216
11.1 遠(yuǎn)程控制工具簡介 ··················216
11.2 遠(yuǎn)程控制程序的服務(wù)器端和客戶端 ·································217
11.2.1 執(zhí)行系統(tǒng)命令（subprocess模塊） ···············217
11.2.2 遠(yuǎn)程控制的服務(wù)器端與客戶端（socket模塊實現(xiàn)） ···············221
11.3 將 Python 腳本轉(zhuǎn)換為exe 文件 ·······························224
11.4 小結(jié) ····································226

第12章 無線網(wǎng)絡(luò)滲透（基礎(chǔ)部分） ···················· 227
12.1 無線網(wǎng)絡(luò)基礎(chǔ) ························228
12.2 Kali Linux 2 中的無線功能 ········229
12.2.1 無線網(wǎng)絡(luò)嗅探的硬件需求和軟件設(shè)置 ·························229
12.2.2 無線網(wǎng)絡(luò)滲透使用的庫文件 ····························231
12.3 AP掃描器 ····························231
12.4 無線網(wǎng)絡(luò)數(shù)據(jù)嗅探器 ···············233
12.5 無線網(wǎng)絡(luò)的客戶端掃描器 ·········234
12.6 掃描隱藏的 SSID ····················235
12.7 繞過目標(biāo)的 MAC 過濾機(jī)制 ······236
12.8 捕獲加密的數(shù)據(jù)包 ··················238
12.8.1 捕獲 WEP 數(shù)據(jù)包 ··············238
12.8.2 捕獲 WPA 類型數(shù)據(jù)包 ········239
12.9 小結(jié) ····································240

第13章 無線網(wǎng)絡(luò)滲透（高級部分） ···················· 241
13.1 模擬無線客戶端的連接過程 ······241
13.2 模擬 AP 的連接行為················245
13.3 編寫 Deauth 攻擊程序 ··············247
13.4 無線網(wǎng)絡(luò)入侵檢測 ··················248
13.5 小結(jié) ····································248

第14章 對 Web 應(yīng)用進(jìn)行滲透測試 ······················ 249
14.1 滲透測試所需模塊 ··················251
14.1.1 requests 庫的使用 ··············252
14.1.2 其他常用模塊文件 ·············253
14.2 處理 HTTP 頭部 ·····················254
14.3 處理 Cookie ··························254
14.4 捕獲 HTTP 基本認(rèn)證數(shù)據(jù)包 ·································256
14.5 編寫 Web 服務(wù)器掃描程序 ········257
14.6 暴力掃描出目標(biāo)服務(wù)器上的所有頁面 ······························259
14.7 驗證碼安全 ···························260
14.8 小結(jié) ····································266

第15章 生成滲透測試報告 ·········· 267
15.1 滲透測試報告的相關(guān)理論 ·········268
15.1.1 目的 ·······························268
15.1.2 內(nèi)容摘要 ·························268
15.1.3 包含的范圍 ······················268
15.1.4 安全地交付滲透測試報告 ····269
15.1.5 滲透測試報告應(yīng)包含的內(nèi)容 ································269
15.2 處理 XML 文件 ······················269
15.3 生成 Excel 格式的滲透報告·······271
15.4 小結(jié) ····································278

第16章 Python 取證相關(guān)模塊 ······ 279
16.1 MD5值的計算 ·······················279
16.1.1 MD5的相關(guān)知識 ···············279
16.1.2 在Python中計算MD5 ········280
16.1.3 為文件計算MD5 ···············280
16.2 對IP地址進(jìn)行地理定位 ···········281
16.3 時間取證 ······························282
16.4 注冊表取證 ···························283
16.5 圖像取證 ······························284
16.6 小結(jié) ····································285