Basic environment
Download link
https://www.kali.org/get-kali/#kali-virtual-machines
Logging in as root
The official Kali Linux virtual machine ships with a default account, kali/kali, but no usable root account.
- Log in as kali/kali first, then run the following command to set the root password.
- After the root password has been set, switch user or reboot, and log in as root with the password you just set.
Setting the timezone
```shell
dpkg-reconfigure tzdata
```
In the dialog that appears, select Asia -> Shanghai.
Installing fonts
- Create a folder named my_fonts under /usr/share/fonts.
- Copy the TTF font files into /usr/share/fonts/my_fonts.
Viewing and switching the shell
```shell
# Kali currently defaults to zsh; here we switch to bash
# switch to bash
chsh -s /bin/bash
# switch to zsh
chsh -s /bin/zsh
```
Note: takes effect after a reboot.
Disabling screen blanking and suspend
File transfer
Kali Linux supports dragging files directly into the virtual machine, but cached copies of the files are kept in the directory below.
```
/root/.cache/vmware/drag_and_drop
```
Using the SSH service to transfer files is recommended; the following steps enable it.
- Edit the SSH configuration
```shell
vim /etc/ssh/sshd_config
# set the following two options
PermitRootLogin yes
PasswordAuthentication yes
```
- Restart the SSH service
```shell
sudo service ssh restart
```
- Check the SSH status
- Start SSH
```shell
/etc/init.d/ssh start
# or
systemctl start ssh
```
- Start SSH automatically at boot
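As an added example (not part of the original post), the POSIX shell script below reports which PermitRootLogin and PasswordAuthentication values sshd will actually use from a config file. sshd keeps the first occurrence of a keyword, so a line appended at the bottom of sshd_config does not override an earlier one, which is a common reason the edit above appears not to take effect. The sample config is constructed here and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. sshd uses the FIRST occurrence of
# a keyword; directives inside a "Match" block are conditional and are skipped.

# Print the effective global value of KEY in FILE (empty when it is not set).
sshd_effective() {
    file="$1"; key="$2"
    awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # comments and blank lines
        tolower($1) == "match" { exit }                 # stop at the first Match block
        tolower($1) == key { print $2; exit }           # first occurrence wins
    ' "$file"
}

# Return 0 when root can log in with a password, i.e. both settings permit it.
root_password_login_allowed() {
    prl="$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')"
    pa="$(sshd_effective "$1" PasswordAuthentication | tr 'A-Z' 'a-z')"
    [ -z "$pa" ] && pa=yes                    # sshd default
    [ -z "$prl" ] && prl=prohibit-password    # sshd default (OpenSSH 7.0+)
    [ "$prl" = yes ] && [ "$pa" = yes ]
}

# Constructed sample: the two lines from the guide were appended at the end,
# but the earlier "PermitRootLogin prohibit-password" line still wins.
cfg="$(mktemp)"
cat > "$cfg" <<'EOF'
# sample sshd_config (constructed)
Port 22
PermitRootLogin prohibit-password
#PasswordAuthentication no
PermitRootLogin yes
PasswordAuthentication yes
EOF

if root_password_login_allowed "$cfg"; then
    echo "root password login: ALLOWED"
else
    echo "root password login: not allowed (PermitRootLogin=$(sshd_effective "$cfg" PermitRootLogin))"
fi
```

Run it against the real file with `sshd_effective /etc/ssh/sshd_config PermitRootLogin` to confirm the edit landed where sshd reads it.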
Boot error
If Kali shows the error above at boot, run the following command and reboot.
```shell
echo "blacklist i2c_piix4" >> /etc/modprobe.d/blacklist.conf
```
Useful libraries
```shell
# Frida
pip install frida
pip install frida-tools
pip install objection
# Pwntools
pip install -i https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple pwntools
apt install binutils-*
# compiling 32-bit programs
apt install gcc-multilib g++-multilib
```
Useful tools
ProxyChains
```shell
apt install proxychains
gedit /etc/proxychains.conf
# find [ProxyList], remove the original socks4 line, then add
socks5 <IP> <port>
```
pyenv
Python version manager.
- Set up the build environment.
https://github.com/pyenv/pyenv/wiki#suggested-build-environment
```shell
sudo apt-get update; sudo apt-get install make build-essential libssl-dev zlib1g-dev \
libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm \
libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev
```
- Install pyenv.
https://github.com/pyenv/pyenv#basic-github-checkout
```shell
proxychains git clone https://github.com/yyuu/pyenv.git ~/.pyenv
# zsh
echo 'export PYENV_ROOT="$HOME/.pyenv"' >>~/.zshrc
echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >>~/.zshrc
echo -e 'if command -v pyenv 1>/dev/null 2>&1; then\n eval "$(pyenv init --path)"\nfi'>>~/.zshrc
# bash
echo 'export PYENV_ROOT="$HOME/.pyenv"' >>~/.bashrc
echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >>~/.bashrc
echo -e 'if command -v pyenv 1>/dev/null 2>&1; then\n eval "$(pyenv init --path)"\nfi'>>~/.bashrc
```
- Install a Python version.
```shell
# without a proxy
pyenv install 3.8.0
# with a proxy
PYTHON_CONFIGURE_OPTS="--disable-ipv6" proxychains pyenv install 3.8.0
```
- Common commands:
```shell
# list the Python versions available for installation
pyenv install --list
# install a specific version
pyenv install <version>
# set the Python version for the current directory
pyenv local <version>
# set the global Python version
pyenv global <version>
# list the Python versions installed on the system
pyenv versions
# show the Python version in use in the current directory
pyenv version
```
htop
An enhanced version of top: shows, in real time, the active processes and those with the highest resource usage.
jnettop
Shows the system's network load in real time.
tree
Directory tree listing tool; very handy for finding files by name after unpacking an APK.
Essential tools
AndroidStudio
- Download AndroidStudio
https://developer.android.google.cn/studio
- Unpack and run.
Change into the android-studio/bin directory and run studio.sh there to start AndroidStudio.
- Create a desktop launcher.
```shell
# create the desktop launcher
vim /usr/share/applications/android-studio.desktop
# add the following content
[Desktop Entry]
Name=AndroidStudio
Encoding=UTF-8
Exec=sh -c "/software/android-studio/bin/studio.sh"
Icon=/software/android-studio/bin/studio.png
StartupNotify=false
Terminal=false
Type=Application
```
After this, the AndroidStudio launcher appears in the application menu; right-click it to add it to the desktop. Other applications work the same way.
- Add the adb tool to PATH.
With a default installation, adb lives in /root/Android/Sdk/platform-tools
```shell
echo "export PATH=$PATH:/root/Android/Sdk/platform-tools" >> ~/.zshrc
source ~/.zshrc
```
VSCode
https://code.visualstudio.com/
Fix for VSCode refusing to start when launched as root:
```shell
# change the launcher's Command to
/usr/share/code/code --no-sandbox --user-data-dir=/root/.vscode-root %F
gedit ~/.zshrc
alias code='/usr/share/code/code --no-sandbox --user-data-dir=/root/.vscode-root'
source ~/.zshrc
```
VSCode settings:
```json
{
"editor.fontFamily": "monaco,'微软雅黑'",
"editor.fontSize": 20,
"terminal.integrated.cursorStyle": "line",
"terminal.integrated.cwd": "${fileDirname}",
"terminal.integrated.fontSize": 18,
"terminal.integrated.fontFamily": "monaco",
"extensions.autoCheckUpdates": false,
"update.showReleaseNotes": false,
"update.mode": "none"
}
```
GDB
```shell
apt install gdb-multiarch
```
Pwndbg
```shell
pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple
proxychains git clone https://github.com/pwndbg/pwndbg /root/luoPwn/pwndbg
cd /root/luoPwn/pwndbg
./setup.sh
```
tmux
Lets you create, access and control multiple terminals on a single screen.
```shell
apt install tmux
# move the cursor with the mouse
vim ~/.tmux.conf
set -g mouse on
```
Common shortcuts:
```
# split into left and right panes
Ctrl + b %
# split into top and bottom panes
Ctrl + b "
# move the cursor to another pane
# <arrow key> is the arrow key pointing towards the target pane; to move to the pane below, press the down arrow
Ctrl+b <arrow key>
# rename the window
Ctrl + b ,
# close the current pane
Ctrl + b x
```
Session operations:
```shell
# create a new session
tmux new -s [session name]
# detach from the session
tmux detach
# list all sessions
tmux ls
# reattach to a session
tmux attach -t [session name]
# rename a session
tmux rename-session -t [old session name] [new session name]
# kill a session
tmux kill-session -t [session name]
# kill all sessions
tmux kill-server
```
Pwndbg + tmux
- Download the plugin into the given directory
```shell
proxychains git clone https://github.com/XiaLuoHun/splitmind ~/.splitmind
```
- Edit the gdb configuration as follows (the Python block needs the indentation shown; the if/elif/else bodies were flattened on the page):
```
gedit ~/.gdbinit
# .gdbinit
# adjust this path to where pwndbg was cloned (this guide used /root/luoPwn/pwndbg)
source ~/.pwndbg/gdbinit.py
source ~/.splitmind/gdbinit.py
set context-clear-screen off
set debug-events off
python
sections = "regs"
#mode = input("source/disasm/mixed mode:?(s/d/m)") or "d"
mode = "d"
import splitmind
spliter = splitmind.Mind()
spliter.select("main").right(display="regs", size="50%")
gdb.execute("set context-stack-lines 10")
legend_on = "code"
if mode == "d":
    legend_on = "disasm"
    sections += " disasm"
    spliter.select("main").above(display="disasm", size="70%", banner="none")
    gdb.execute("set context-code-lines 30")
elif mode == "s":
    sections += " code"
    spliter.select("main").above(display="code", size="70%", banner="none")
    gdb.execute("set context-source-code-lines 30")
else:
    sections += " disasm code"
    spliter.select("main").above(display="code", size="70%")
    spliter.select("code").below(display="disasm", size="40%")
    gdb.execute("set context-code-lines 8")
    gdb.execute("set context-source-code-lines 20")
sections += " args stack backtrace expressions"
spliter.show("legend", on=legend_on)
spliter.show("stack", on="regs")
spliter.show("backtrace", on="regs")
spliter.show("args", on="regs")
spliter.show("expressions", on="args")
gdb.execute("set context-sections \"%s\"" % sections)
gdb.execute("set show-retaddr-reg on")
spliter.build()
end
```
- Start tmux, then run gdb and attach to the process
Hyperpwn
- Set up Hyper
```shell
# hyper 3.1.0
proxychains wget https://github.com/vercel/Hyper/releases/download/v3.1.0-canary.4/Hyper-3.1.0-canary.4.AppImage -P /root/luoPwn/hyper
cd /root/luoPwn/hyper
chmod 777 ./Hyper-3.1.0-canary.4.AppImage
gedit ~/.zshrc
alias hyper='/root/luoPwn/hyper/Hyper-3.1.0-canary.4.AppImage --no-sandbox'
source ~/.zshrc
# hyper 3.4.1
proxychains wget https://github.com/vercel/hyper/releases/download/v3.4.1/hyper_3.4.1_amd64.deb
dpkg -i ./hyper_3.4.1_amd64.deb
gedit ~/.zshrc
alias hyper='/opt/Hyper/hyper --no-sandbox'
source ~/.zshrc
```
- Quit Hyper and install the plugins
```shell
cd /root/luoPwn/hyper
apt install nodejs npm
proxychains npm install hyperinator
proxychains npm install hyperpwn
```
- Install pwndbg
```shell
pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple
proxychains git clone https://github.com/pwndbg/pwndbg /root/luoPwn/pwndbg
cd /root/luoPwn/pwndbg
./setup.sh
```
- Edit the Hyper configuration file (~/.hyper.js)
```javascript
plugins: ["hyperinator","hyperpwn"]
```
- Start Hyper and update the plugins
Click Plugins -> Update, then View -> Reload.
- Restart Hyper and run gdb-multiarch; when the interface below appears, the setup succeeded
Related keys:
- Step into: F7
- Step over: F8
- Previous debug state: Ctrl+Shift+PageUp
- Next debug state: Ctrl+Shift+PageDown