Kali Linux Quick Start
Kali Linux is a penetration-testing Linux distribution published by Offensive Security that ships with hundreds of preinstalled security tools. This section covers system configuration, network setup and a quick reference for the common toolchain.
1. System configuration
1.1 Switching to a faster mirror (mainland China)
# Back up the official sources list
cp /etc/apt/sources.list /etc/apt/sources.list.bak
# Replace it with the USTC mirror
echo 'deb https://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib' > /etc/apt/sources.list
apt update && apt upgrade -y
1.2 Remote login over SSH
# Start the SSH service and enable it at boot
systemctl start ssh
systemctl enable ssh
# Allow root login over SSH (the default is prohibit-password, which only permits
# key-based root login; keep that value if you do not need password login as root)
sed -i 's/#PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
systemctl restart sshd
1.3 VPN access (WireGuard)
# Install WireGuard
apt install -y wireguard
# Generate a key pair (umask 077 keeps the private key file readable only by root)
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
# Configure /etc/wireguard/wg0.conf (the server's public key belongs in a [Peer] section)
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = <vpn-server>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
# Bring the tunnel up and check its state
wg-quick up wg0
wg show
2. Network configuration
2.1 Static IP (NAT mode)
cat > /etc/network/interfaces.d/eth0 << 'EOF'
auto eth0
iface eth0 inet static
address 192.168.56.101
netmask 255.255.255.0
gateway 192.168.56.1
dns-nameservers 8.8.8.8 114.114.114.114
EOF
systemctl restart networking
2.2 Port forwarding (building a jump host)
# Enable IP forwarding (this setting does not survive a reboot; set
# net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it persistent)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Port forwarding: traffic to local port 8080 → target port 80
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80
iptables -t nat -A POSTROUTING -j MASQUERADE
3. Toolchain quick reference
| Tool | Purpose | Example command |
|---|---|---|
| nmap | Port/vulnerability scanning | nmap -sV -sC target |
| burpsuite | Web proxy/penetration testing | burpsuite & |
| sqlmap | SQL injection detection | sqlmap -u "url" --batch |
| nikto | Web server scanning | nikto -h target |
| hydra | Brute-force login | hydra -l admin -P pass.txt ssh://target |
| john | Password hash cracking | john --wordlist=rockyou.txt hash.txt |
| metasploit | Exploitation framework | msfconsole |
| wireshark | Packet capture and analysis | wireshark & |
| aircrack-ng | Wi-Fi password cracking | aircrack-ng -w wordlist.txt capture.cap |
4. Vulnerability discovery toolchain
4.1 Asset discovery → port scanning → vulnerability detection
# ① Asset discovery (masscan, fast full-port sweep)
masscan -p1-65535 10.0.0.0/24 --rate=10000 -oJ masscan.json
# ② Port fingerprinting (nmap service identification)
nmap -sV -p22,80,443,3306,8080 10.0.0.1 -oN nmap_scan.txt
# ③ Vulnerability detection (nmap NSE scripts)
nmap --script=vuln -sV 10.0.0.1 -p- -oN vuln_scan.txt
# ④ Web path scanning (gobuster)
gobuster dir -u http://10.0.0.1 -w /usr/share/wordlists/dirb/common.txt
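Steps ① and ② above are usually glued together by hand: the port list that masscan found is retyped into nmap's -p argument. The script below, an added example and not part of the original page, reads masscan's -oJ output and builds one nmap -sV command per host from the open ports it actually reported. The embedded sample JSON is constructed; the trailing `{finished: 1}` line mimics older masscan releases, whose -oJ output is not valid JSON, so the parser falls back to reading each host record line on its own.

```python
import json
import re
from collections import defaultdict

# Constructed sample of masscan -oJ output (not a real scan). The bare
# `{finished: 1}` record makes the document invalid JSON, as older masscan does.
SAMPLE_MASSCAN_JSON = """[
{   "ip": "10.0.0.1",   "timestamp": "1700000000", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "10.0.0.1",   "timestamp": "1700000001", "ports": [ {"port": 8080, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "10.0.0.7",   "timestamp": "1700000002", "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{finished: 1}
]
"""


def parse_masscan(text):
    """Return {ip: sorted list of open TCP ports} from masscan -oJ output."""
    try:
        records = json.loads(text)
    except json.JSONDecodeError:
        # Fallback for invalid output: masscan writes one host record per line,
        # so pull out every line-level object that carries an "ip" key.
        records = [json.loads(m.group(0)) for m in re.finditer(r'\{\s*"ip".*\}', text)]
    hosts = defaultdict(set)
    for rec in records:
        for p in rec.get("ports", []):
            if p.get("status") == "open" and p.get("proto") == "tcp":
                hosts[rec["ip"]].add(int(p["port"]))
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def nmap_commands(hosts, outdir="."):
    """Build one nmap service-scan command per host, limited to the ports masscan saw."""
    cmds = []
    for ip, ports in sorted(hosts.items()):
        ports_arg = ",".join(str(p) for p in ports)
        outfile = f"{outdir}/nmap_{ip.replace('.', '_')}.txt"
        cmds.append(f"nmap -sV -sC -p{ports_arg} {ip} -oN {outfile}")
    return cmds


if __name__ == "__main__":
    # Replace SAMPLE_MASSCAN_JSON with open("masscan.json").read() for a real run.
    for cmd in nmap_commands(parse_masscan(SAMPLE_MASSCAN_JSON)):
        print(cmd)
```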
4.2 Sensitive information gathering
# GitHub sensitive data leaks (gitGraber: -k takes a keywords file, -q the search query)
python3 gitGraber.py -k keywords.txt -q "example.com"
# Subdomain enumeration (sublist3r)
sublist3r -d example.com -o subdomains.txt
# Backup file scanning (dirb)
dirb http://target.com /usr/share/dirb/wordlists/common.txt -o dirb_result.txt
5. Next steps
- Nmap vulnerability scanning: port scanning and NSE scripts in depth
- Burp Suite in practice: the core tool for web penetration testing
- DVWA lab deployment: practising common web vulnerabilities