Izixhobo zewebhu, okanye uqala phi njengepentester?

Qhubeka Thetha ngezixhobo eziluncedo kwi pentesters. Kwinqaku elitsha siza kujonga izixhobo zokuhlalutya ukhuseleko lwezicelo zewebhu.

Umlingane wethu BeLove Sele ndiyenzile into enje ukuhlanganiswa malunga neminyaka esixhenxe eyadlulayo. Kuyathakazelisa ukubona ukuba zeziphi izixhobo eziye zagcina kwaye zomeleza izikhundla zabo, kwaye zeziphi eziye zaphelelwa ngasemva kwaye ngoku azifane zisetyenziswe.


Qaphela ukuba oku kuquka iBurp Suite, kodwa kuya kubakho upapasho olwahlukileyo malunga nayo kunye neeplagi zayo eziluncedo.

Iziqulatho:

• qokelela
• Altdns
• iaquatone
• IMassDNS
• nsec3maphu
• I-Acunetix
• Uphando
• wfuzz
• phuf
• gobuster
• Arjun
• IkhonkcoFinder
• JSParser
• sqlmap
• NoSQLMap
• oxml_xxe
• tplmap
• CeWL
• I-Weakpass
• AEM_hacker
• JoomScan
• WPScan

qokelela

qokelela -Isixhobo sokuHamba sokukhangela kunye nokubala ii-subdomains ze-DNS kunye nokwenza imephu yenethiwekhi yangaphandle. I-Amass yiprojekthi ye-OWASP eyilelwe ukubonisa ukuba injani na imibutho kwi-Intanethi kumntu wangaphandle. I-Amass ifumana amagama e-subdomain ngeendlela ezahlukeneyo; isixhobo sisebenzisa ukuphinda kuphindwe ukubalwa kwe-subdomain kunye nokukhangela kwemithombo evulekileyo.

Ukufumana iisegmenti zenethiwekhi ezidityanisiweyo kunye neenombolo zenkqubo ezizimeleyo, i-Amass isebenzisa iidilesi ze-IP ezifunyenwe ngexesha lokusebenza. Lonke ulwazi olufunyenweyo lusetyenziselwa ukwakha imephu yenethiwekhi.

Iinkonzo:

• Ubuchule bokuqokelela ulwazi bubandakanya:
  * I-DNS - ukukhangela kwesichazi-magama se-subdomains, i-bruteforce subdomains, ukukhangela ngobuchule usebenzisa iinguqu ezisekelwe kwi-subdomains efunyenweyo, ukubuyisela umva imibuzo ye-DNS kunye nokukhangela iiseva ze-DNS apho kunokwenzeka ukwenza isicelo sokudlulisa indawo (AXFR);

  * Ukukhangela umthombo ovulekileyo - Buza, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo;

  * Khangela ugcino lwedatha yesatifikethi se-TLS - Censys, CertDB, CertSpotter, Crtsh, Entrust;

  * Ukusebenzisa ii-APIs zenjini yokukhangela-BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan;

  * Khangela oovimba bewebhu kwi-Intanethi: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback;

• Ukudityaniswa noMaltego;
• Ibonelela ngowona msebenzi ugqibeleleyo wokukhangela i-DNS subdomains.

Umgcini:

• Qaphela nge-amass.netdomains - iya kuzama ukuqhagamshelana nedilesi nganye ye-IP kwisiseko esichongiweyo kwaye ifumane amagama e-domain ukusuka kwi-reverse DNS lookups kunye nezatifikethi ze-TLS. Le yindlela "yomgangatho ophezulu", inokutyhila imisebenzi yakho yobuntlola kumbutho ophantsi kophando.
• Ukusetyenziswa kwememori ephezulu, kunokutya ukuya kwi-2 GB ye-RAM kwizicwangciso ezahlukeneyo, ezingayi kukuvumela ukuba usebenzise esi sixhobo efini kwi-VDS encinci.

Altdns

Altdns -Isixhobo sePython sokuqulunqa izichazi-magama zokubala ii-subdomains ze-DNS. Ikuvumela ukuba uvelise iindidi ezininzi zesubdomains usebenzisa utshintsho kunye noguqulo. Kule nto, amagama ahlala efunyenwe kwii-subdomains asetyenziswa (umzekelo: uvavanyo, i-dev, i-staging), zonke iinguqu kunye neemvume zisetyenziswa kwii-subdomains ezaziwayo, ezinokungeniswa kwi-Altdns input. Imveliso luluhlu lweenguquko zesubdomains ezinokubakho, kwaye olu luhlu lungasetyenziselwa kamva iDNS brute force.

Iinkonzo:

• Isebenza kakuhle kunye neeseti ezinkulu zedatha.

iaquatone

iaquatone -Ibikade yaziwa ngcono njengenye isixhobo sokukhangela i-subdomains, kodwa umbhali uye wayishiya le nto ethanda iAmass ekhankanywe ngasentla. Ngoku i-aquatone iphinde yabhalwa kwi-Go kwaye ilungele ngakumbi ukujongwa kwakhona kwiiwebhusayithi. Ukwenza oku, i-aquatone idlula kwiindawo ezichaziweyo kwaye ikhangele iiwebhusayithi kwiichweba ezahlukeneyo, emva koko iqokelela lonke ulwazi malunga nesayithi kwaye ithatha umfanekiso weskrini. Ilungele ukuphinda uqwalaselwe ngokukhawuleza kwewebhusayithi, emva koko unokukhetha iithagethi eziphambili zokuhlaselwa.

Iinkonzo:

• Imveliso yenza iqela leefayile kunye neefolda ezilungele ukuzisebenzisa xa usebenza ngakumbi nezinye izixhobo:
  * Ingxelo ye-HTML enezithombe zesikrini eziqokelelweyo kunye nezihloko zeempendulo ezihlanganiswe ngokufana;

  * Ifayile enazo zonke ii-URL apho iiwebhusayithi zifunyenwe;

  * Ifayile enamanani kunye nedatha yephepha;

  * Ifolda eneefayile eziqulethe iiheda zempendulo ezivela kwiithagethi ezifunyenweyo;

  * Ifolda eneefayile eziqulethe umzimba wempendulo kwiithagethi ezifunyenweyo;

  * Imifanekiso-skrini yeewebhusayithi ezifunyenweyo;

• Ixhasa ukusebenza ngeengxelo ze-XML ezivela kwi-Nmap kunye ne-Masscan;
• Isebenzisa iChrome/Chromium engenantloko ukwenza umfanekiso weskrini.

Umgcini:

• Inokutsala ingqalelo yeenkqubo zokubona ukungena, ngoko ke ifuna uqwalaselo.

Umfanekiso weskrini uthathwe kwenye yeenguqulelo ezindala ze-aquatone (v0.5.0), apho uphando lwe-DNS subdomain luphunyeziwe. Iinguqulelo ezindala zinokufumaneka apha iphepha lokukhupha.

IMassDNS

IMassDNS sesinye isixhobo sokufumana i-DNS subdomains. Umahluko wayo ophambili kukuba yenza imibuzo ye-DNS ngokuthe ngqo kwizisombululi ezininzi ezahlukeneyo ze-DNS kwaye ikwenza oko ngesantya esiphezulu.

Iinkonzo:

• Ngokukhawuleza - ekwazi ukusombulula amagama angaphezu kwamawaka angama-350 ngomzuzwana.

Umgcini:

• I-MassDNS inokubangela umthwalo obalulekileyo kwizisombululi ze-DNS ezisetyenziswayo, ezinokukhokelela ekuvinjweni kwezo seva okanye izikhalazo kwi-ISP yakho. Ukongeza, iya kubeka umthwalo omkhulu kwiiseva ze-DNS zenkampani, ukuba banazo kwaye ukuba banoxanduva lwemimandla ozama ukuyicombulula.
• Uluhlu lwabasombululi luphelelwe lixesha, kodwa ukuba ukhetha izisombululi zeDNS ezaphukileyo kwaye wongeze ezintsha ezaziwayo, yonke into iya kulunga.

Umfanekiso weskrini we-aquatone v0.5.0

nsec3maphu

nsec3maphu sisixhobo sePython sokufumana uluhlu olupheleleyo lwemimandla ekhuselweyo ye-DNSSEC.

Iinkonzo:

• Ngokukhawuleza ufumanisa iinginginya kwiindawo ze-DNS ezinenani elincinci lemibuzo ukuba inkxaso ye-DNSSEC yenziwe kwindawo;
• Ibandakanya iplagin kaJohn iRipper enokusetyenziswa ukuqhekeza isiphumo se-NSEC3 hashes.

Umgcini:

• Iimpazamo ezininzi ze-DNS aziphathwa ngokuchanekileyo;
• Akukho lungelelwaniso oluzenzekelayo lokusetyenzwa kweerekhodi ze-NSEC - kufuneka wahlule isithuba samagama ngesandla;
• Ukusetyenziswa kwememori ephezulu.

I-Acunetix

I-Acunetix -Iskena somngcipheko wewebhu esenza inkqubo yokujonga ukhuseleko lwezicelo zewebhu. Ivavanya usetyenziso lweenaliti ze-SQL, i-XSS, i-XXE, i-SSRF kunye nezinye izinto ezininzi ezibuthathaka kwiwebhu. Nangona kunjalo, njengaso nasiphi na esinye iskena, ubuthathaka bewebhu obahlukeneyo abuyithathi indawo yepentester, kuba ayinakufumana amatyathanga antsonkothileyo okuba sesichengeni okanye ubuthathaka kwingqiqo. Kodwa igubungela ubuthathaka obuninzi obahlukeneyo, kubandakanya ii-CVE ezahlukeneyo, anokuthi i-pentester ilibale ngayo, ngoko ke ikulungele kakhulu ukukukhulula kwiitshekhi zesiqhelo.

Iinkonzo:

• Inqanaba eliphantsi lezinto ezintle zobuxoki;
• Iziphumo zinokuthunyelwa njengeengxelo;
• Yenza inani elikhulu lokuhlola ubuthathaka obahlukeneyo;
• Ukuskena okunxuseneyo kweenginginya ezininzi.

Umgcini:

• Ayikho i-algorithm yokunciphisa (i-Acunetix iya kuqwalasela amaphepha afanayo ekusebenzeni ukuba ahluke, ekubeni akhokelela kwii-URL ezahlukeneyo), kodwa abaphuhlisi basebenza kuyo;
• Ifuna ukufakwa kwi-server yewebhu eyahlukileyo, eyenza nzima iinkqubo zokuvavanya umxhasi kunye noqhagamshelo lwe-VPN kunye nokusebenzisa iskena kwicandelo elizimeleyo lomnatha womxhasi wendawo;
• Inkonzo ephantsi kophando ingenza ingxolo, umzekelo, ngokuthumela ii-vectors ezininzi zokuhlaselwa kwifom yoqhagamshelwano kwisayithi, ngaloo ndlela inzima kakhulu iinkqubo zoshishino;
• Lubunikazi kwaye, ngokufanelekileyo, ayisosisombululo sasimahla.

Uphando

Uphando -Isixhobo sePython sokunyanzeliswa kwezalathisi kunye neefayile kwiiwebhusayithi.

Iinkonzo:

• Uyakwazi ukwahlula amaphepha okwenene "ama-200 KULUNGILE" ukusuka kumaphepha "200 OK", kodwa ngombhalo "iphepha alifumanekanga";
• Iza nesichazi-magama esiluncedo esinolungelelwano olulungileyo phakathi kobukhulu kunye nempumelelo yokukhangela. Iqulethe iindlela ezisemgangathweni eziqhelekileyo kwiiCMS ezininzi kunye nezitaki zeteknoloji;
• Ifomathi yaso yesichazi-magama, ekuvumela ukuba ufezekise ukusebenza kakuhle kunye nokuguquguquka ekubaleni iifayile kunye nabalawuli;
• Imveliso efanelekileyo - umbhalo ocacileyo, JSON;
• Inokwenza i-throttling - ikhefu phakathi kwezicelo, into ebalulekileyo kuyo nayiphi na inkonzo ebuthathaka.

Umgcini:

• Izandiso kufuneka zigqithiswe njengentambo, engafanelekanga ukuba ufuna ukudlula ezininzi izandiso kanye;
• Ukuze usebenzise isichazi-magama sakho, kuya kufuneka ukuba siguqulwe kancinane kwifomathi yeDirsearch yesichazi-magama ukuze usebenze kakhulu.

wfuzz

wfuzz -Python web application fuzzer. Mhlawumbi ungomnye wabadlali bewebhu abadumileyo. Umgaqo ulula: i-wfuzz ikuvumela ukuba ufake isigaba nayiphi na indawo kwisicelo se-HTTP, esenza ukuba kube lula ukulinganisa i-GET / POST parameters, ii-headers ze-HTTP, kuquka i-Cookie kunye nezinye ii-header zokuqinisekisa. Kwangaxeshanye, kukwasebenziseka kumandla akhohlakeleyo alula abalawuli kunye neefayile, apho udinga isichazi-magama esilungileyo. Ikwanayo nenkqubo yokucoca eguquguqukayo, apho unokucoca iimpendulo ezivela kwiwebhusayithi ngokweeparamitha ezahlukeneyo, ezikuvumela ukuba ufezekise iziphumo ezisebenzayo.

Iinkonzo:

• I-Multifunctional - isakhiwo semodyuli, indibano ithatha imizuzu embalwa;
• Uhluzo olululo kunye nomatshini wokudibanisa;
• Unokwenza isigaba nayiphi na indlela ye-HTTP, kunye nayo nayiphi na indawo kwisicelo se-HTTP.

Umgcini:

• Phantsi kophuhliso.

phuf

phuf - i-web fuzzer kwi-Go, eyenziwe "kumfanekiso kunye nokufana" kwe-wfuzz, ikuvumela ukuba utyumze iifayile, abalawuli, iindlela ze-URL, amagama kunye namaxabiso e-GET / POST parameters, iiheader ze-HTTP, kuquka ne-Host header yamandla akhohlakeleyo. yenginginya ebonakalayo. I-wfuzz iyahluka kumzalwana wayo ngesantya esiphezulu kunye nezinye iimpawu ezintsha, umzekelo, ixhasa iifomathi zeDirsearch izichazi-magama.

Iinkonzo:

• Izihluzi ziyafana nezihluzo ze-wfuzz, zikuvumela ukuba uqwalasele ngokuguquguqukayo amandla akhohlakeleyo;
• Ikuvumela ukuba udibanise amaxabiso eheader ye-HTTP, idatha yesicelo se-POST kunye neendawo ezahlukeneyo ze-URL, kuquka amagama kunye namaxabiso e-GET parameters;
• Ungakhankanya nayiphi na indlela ye-HTTP.

Umgcini:

• Phantsi kophuhliso.

gobuster

gobuster - isixhobo sokuGosa uqwalaselo, sineendlela ezimbini zokusebenza. Eyokuqala isetyenziselwa ukutyumza iifayile kunye nabalawuli kwiwebhusayithi, eyesibini isetyenziselwa ukunyanzelisa i-DNS subdomains. Isixhobo asikuxhasi ekuqaleni ukubhaliswa kwakhona kweefayili kunye nabalawuli, oko, ngokuqinisekileyo, konga ixesha, kodwa kwelinye icala, i-brute force yesiphelo esitsha ngasinye kwiwebhusayithi kufuneka iqaliswe ngokwahlukileyo.

Iinkonzo:

• Isantya esiphezulu sokusebenza kokubini kukhangelo lwamandla akhohlakeleyo kwi-DNS subdomains kunye namandla akhohlakeleyo efayile kunye nabalawuli.

Umgcini:

• Uguqulelo lwangoku aluxhasi ukusetwa kwezihloko zeHTTP;
• Ngokungagqibekanga, kuphela ezinye iikhowudi zesimo se-HTTP (200,204,301,302,307) zithathwa njengezisebenzayo.

Arjun

Arjun -isixhobo samandla akhohlakeleyo eeparamitha zeHTTP ezifihliweyo kwi-GET/POST iparamitha, kunye nakwi-JSON. Isichazi-magama esakhelwe ngaphakathi sinamagama angama-25, athi uAjrun ayijonge kwimizuzwana engama-980. Iqhinga kukuba i-Ajrun ayijongi iparamitha nganye ngokwahlukileyo, kodwa ijonga iiparamitha eziyi-30 ngexesha kwaye ibone ukuba impendulo itshintshile. Ukuba impendulo itshintshile, yahlula ezi parameters eziyi-1000 zibe ngamacandelo amabini kwaye ijonga ukuba yeyiphi kwezi ndawo ezichaphazela impendulo. Ngaloo ndlela, usebenzisa uphendlo olulula lokubini, iparameter okanye iiparamitha ezininzi ezifihliweyo zifunyenwe eziphembelele impendulo kwaye, ngoko, zinokuba khona.

Iinkonzo:

• Isantya esiphezulu ngenxa yokukhangela kokubini;
• Inkxaso ye-GET / POST iiparamitha, kunye neeparameters ngendlela ye-JSON;

Iplagin yeBurp Suite isebenza kumgaqo ofanayo - param-mgodini, ekwalungile kakhulu ekufumaneni iiparamitha zeHTTP ezifihliweyo. Siza kukuxelela ngakumbi malunga nayo kwinqaku elizayo malunga neBurp kunye neeplagi zayo.

IkhonkcoFinder

IkhonkcoFinder -Iskripthi sePython sokukhangela amakhonkco kwiifayile zeJavaScript. Iluncedo ekufumaneni iindawo ezifihliweyo okanye ezilityelweyo/ii-URL kwisicelo sewebhu.

Iinkonzo:

• Ukukhawuleza;
• Kukho iplagin ekhethekileyo yeChrome esekwe kwi-LinkFinder.

.

Umgcini:

• Isiphelo sokugqibela esingathandekiyo;
• Ayihlalutyi iJavaScript ekuhambeni kwexesha;
• Ingqiqo elula yokukhangela amakhonkco - ukuba iJavaScript ibonakaliswe ngandlela ithile, okanye amakhonkco alahlekile ekuqaleni kwaye enziwe ngamandla, ngoko ayizukwazi ukufumana nantoni na.

JSParser

JSParser siscript sePython esisebenzisayo Inkqantosi и JSBeautifier Ukwahlulahlula ii-URL ezizalanayo kwiifayile zeJavaScript. Iluncedo kakhulu ekuboneni izicelo ze-AJAX kunye nokuqulunqa uluhlu lweendlela ze-API isicelo esidibana nazo. Isebenza ngokufanelekileyo ngokubambisana ne-LinkFinder.

Iinkonzo:

• Ukwahlulahlula ngokukhawuleza kweefayile zeJavaScript.

sqlmap

sqlmap mhlawumbi sesinye sezona zixhobo zidumileyo zokuhlalutya izicelo zewebhu. I-Sqlmap yenza ngokuzenzekelayo ukukhangela kunye nokusebenza kweenaliti ze-SQL, isebenza ngeelwimi ezininzi ze-SQL, kwaye inenani elikhulu leendlela ezahlukeneyo kwi-arsenal yayo, ukusuka kwiingcaphuno ezithe ngqo ukuya kwii-vectors ezinzima ze-SQL ezisekelwe kwixesha. Ukongeza, ineendlela ezininzi zokuxhaphaza ngakumbi kwii-DBMS ezahlukeneyo, ngoko ayiloncedo nje ngokuba sisikena seenaliti zeSQL, kodwa nanjengesixhobo esinamandla sokuxhaphaza esele ifunyenwe iinaliti zeSQL.

Iinkonzo:

• Inani elikhulu leendlela ezahlukeneyo zobuchule kunye neevektha;
• Inani eliphantsi leempembelelo zobuxoki;
• Ukhetho oluninzi lokulungisa kakuhle, ubuchule obahlukeneyo, ugcino lwedatha ekujoliswe kuyo, izikripthi eziphazamisayo zokudlula i-WAF;
• Ukukwazi ukwenza imveliso yokulahla;
• Izakhono ezininzi zokusebenza ezahlukeneyo, umzekelo, kwezinye iindawo zolwazi - ukulayisha ngokuzenzekelayo / ukukhulula iifayile, ukufumana amandla okuphumeza imiyalelo (RCE) kunye nabanye;
• Inkxaso yoqhagamshelwano oluthe ngqo kwisiseko sedatha usebenzisa idatha efunyenwe ngexesha lokuhlaselwa;
• Ungangenisa ifayile yokubhaliweyo eneziphumo ze Burp njengegalelo - akukho mfuneko yokuqamba ngesandla zonke iimpawu zomgca womyalelo.

Umgcini:

• Kunzima ukwenza, umzekelo, ukubhala ezinye iitshekhi zakho ngenxa yokunqaba kwamaxwebhu oku;
• Ngaphandle kwezicwangciso ezifanelekileyo, yenza isethi engaphelelanga yeetshekhi, ezinokulahlekisa.

NoSQLMap

NoSQLMap -Isixhobo sePython sokwenza ngokuzenzekelayo ukukhangela kunye nokusetyenziswa kweenaliti zeNoSQL. Kukulungele ukusebenzisa kungekuphela kwi-database ye-NoSQL, kodwa ngokuthe ngqo xa uphicotha izicelo zewebhu ezisebenzisa i-NoSQL.

Iinkonzo:

• Njenge-sqlmap, ayifumani kuphela ubuthathaka obunokwenzeka, kodwa iphinda ijonge ukuba nokwenzeka kokuxhatshazwa kwayo kwi-MongoDB kunye ne-CouchDB.

Umgcini:

• Ayixhasi i-NoSQL yeRedis, iCassandra, uphuhliso luyaqhubeka kweli cala.

oxml_xxe

oxml_xxe - isixhobo sokuzinzisa i-XXE XML isetyenziswa kwiintlobo ezahlukeneyo zeefayile ezisebenzisa ifomathi ye-XML ngenye indlela.

Iinkonzo:

• Ixhasa iifomati ezininzi eziqhelekileyo ezinje ngeDOCX, ODT, SVG, XML.

Umgcini:

• Inkxaso ye-PDF, i-JPEG, i-GIF ayiphunyezwanga ngokupheleleyo;
• Yenza ifayile enye kuphela. Ukusombulula le ngxaki ungasebenzisa isixhobo docem, enokudala inani elikhulu leefayile zokuhlawula kwiindawo ezahlukeneyo.

Ezi zinto zingentla zenza umsebenzi omhle wokuvavanya i-XXE xa ulayisha amaxwebhu aqulethe i-XML. Kodwa kwakhona khumbula ukuba abaphathi befomathi ye-XML banokufumaneka kwezinye iimeko ezininzi, umzekelo, i-XML ingasetyenziswa njengefomati yedatha endaweni ye-JSON.

Ke ngoko, sicebisa ukuba ubeke ingqalelo kolu vimba ulandelayo, oqulethe inani elikhulu leentlawulo ezahlukeneyo: PayloadsAllTheThings.

tplmap

tplmap -Isixhobo sePython sokuchonga ngokuzenzekelayo kunye nokuxhaphaza ubuthathaka beSiteyiphu seSiteyiphu seSidekethi; inesetingi kunye neeflegi ezifanayo ne-sqlmap. Isebenzisa iindlela ezininzi ezahlukeneyo zobuchule kunye neevektha, kubandakanya inaliti eyimfama, kwaye inobuchule bokwenza ikhowudi kunye nokulayisha / ukulayisha iifayile ezingafunekiyo. Ukongeza, uneendlela zakhe ze-arsenal kwiinjini zeetemplate ezahlukeneyo kunye neendlela ezithile zokukhangela i-eval () -njenge-injection yekhowudi ePython, Ruby, PHP, JavaScript. Ukuba iphumelele, ivula i-console esebenzayo.

Iinkonzo:

• Inani elikhulu leendlela ezahlukeneyo zobuchule kunye neevektha;
• Ixhasa iinjini ezininzi ezinikezela ngetemplate;
• Uninzi lweendlela zokusebenza.

CeWL

CeWL - i-generator yesichazi-magama kwi-Ruby, eyenzelwe ukukhupha amagama akhethekileyo kwiwebhusayithi echaziweyo, ilandela izixhumanisi kwisayithi ukuya kubunzulu obuchaziweyo. Isichazi-magama esihlanganisiweyo samagama awodwa singasetyenziswa kamva ukucinezela amagama agqithisiweyo kwiinkonzo okanye kunyanzeliswe ngenkohlakalo iifayile kunye nabalawuli kwiwebhusayithi enye, okanye ukuhlasela i-hashes enesiphumo usebenzisa i-hashcat okanye i-John the Ripper. Iluncedo xa uqulunqa uluhlu "olujoliswe kuko" lwamagama ayimfihlo anokubakho.

Iinkonzo:

• Kulula ukuyisebenzisa.

Umgcini:

• Kufuneka uqaphele ngobunzulu bokukhangela ukuze ungabambi i-domain eyongezelelweyo.

I-Weakpass

I-Weakpass -inkonzo equlathe izichazi-magama ezininzi ezinamagama ayimfihlo awodwa. Iluncedo kakhulu kwimisebenzi eyahlukeneyo enxulumene nokuqhekeka kwegama lokugqitha, ukusukela kumandla akhohlakeleyo e-intanethi kwiinkonzo ekujoliswe kuzo, ukuya kwi-off-line brute force ye-hashes efunyenweyo kusetyenziswa. ihashcat okanye John The Ripper. Iqulethe malunga ne-8 yeebhiliyoni zeephasiwedi ukusuka kwi-4 ukuya kwi-25 yoonobumba ubude.

Iinkonzo:

• Iqulathe zombini izichazi-magama ezikhethekileyo kunye nezichazi-magama ezinamagama ayimfihlo aqhelekileyo - ungakhetha isichazi-magama esikhethekileyo kwiimfuno zakho;
• Izichazi-magama zihlaziywa kwaye zandiswa ngeephasiwedi ezintsha;
• Izichazi-magama zihlelwa ngokobuchule. Ungakhetha ukhetho lwazo zombini amandla akhohlakeleyo e-intanethi kunye nokhetho oluneenkcukacha lwamagama agqithisiweyo ukusuka kwisichazi-magama esinamandla ngokuvuza kwamva nje;
• Kukho isixhobo sokubala esibonisa ixesha elithathwayo ukukrazula amagama ayimfihlo kwisixhobo sakho.

Singathanda ukubandakanya izixhobo zokutshekishwa kweCMS kwiqela elahlukileyo: WPScan, JoomScan kunye ne-AEM hacker.

AEM_hacker

AEM hacker sisixhobo sokuchonga ubuthathaka kwi-Adobe Experience Manager (AEM) izicelo.

Iinkonzo:

• Inokuchonga izicelo ze-AEM kuluhlu lwee-URL ezingeniswe kwigalelo layo;
• Iqulethe imibhalo yokufumana i-RCE ngokulayisha iqokobhe le-JSP okanye ngokuxhaphaza i-SSRF.

JoomScan

JoomScan -Isixhobo sePerl sokuzenzekelayo ukuchongwa kobuthathaka xa uhambisa iJoomla CMS.

Iinkonzo:

• Iyakwazi ukufumana iziphene zoqwalaselo kunye neengxaki ngezicwangciso zolawulo;
• Udwelisa iinguqulelo zeJoomla kunye nobuthathaka obunxulumeneyo, ngokufanayo kumacandelo ngamanye;
• Iqulathe ngaphezulu kwe-1000 yezenzo zeJoomla;
• Isiphumo seengxelo zokugqibela kwisicatshulwa kunye neefomathi zeHTML.

WPScan

WPScan - isixhobo sokuskena iisayithi ze-WordPress, sinobuthathaka kwi-arsenal yayo zombini kwi-injini ye-WordPress ngokwayo kunye nezinye iiplagi.

Iinkonzo:

• Iyakwazi ukudwelisa kungekuphela nje iiplagi ze-WordPress ezingakhuselekanga kunye nemixholo, kodwa nokufumana uluhlu lwabasebenzisi kunye neefayile zeTimThumb;
• Unokwenza uhlaselo lwamandla akhohlakeleyo kwiindawo ze-WordPress.

Umgcini:

• Ngaphandle kwezicwangciso ezifanelekileyo, yenza isethi engaphelelanga yeetshekhi, ezinokulahlekisa.

Ngokubanzi, abantu abahlukeneyo bakhetha izixhobo ezahlukeneyo zomsebenzi: zonke zilungile ngendlela yazo, kwaye oko umntu akuthandayo kunokungahambelani nomnye kwaphela. Ukuba ucinga ukuba asiyihoyanga into eluncedo, bhala ngayo kumagqabantshintshi!

umthombo: www.habr.com