20179214 2017-2018 2 "Network Attack and Defense Practice" Week 7 Learning Summary

Video learning

Retrieval and Exploitation of Vulnerabilities

The exploit toolkit includes the following.

  • Exploit Database
  1. searchsploit
    Searches for information about vulnerabilities by keyword.
  2. ikat automatically opens different exploits and waits for the target to visit.
  3. termineter aims to assess the security of smart meters.
  4. pattern create
    Used when a buffer overflow occurs; for example, pattern create 1000 a outputs 1000 a.

    Metasploit basics of exploitation

    Metasploit is often used in penetration testing. The software includes many tools that together form a complete attack framework.
  5. Starting the service
    Before using Metasploit, start the PostgreSQL database and then the Metasploit service; only then can the msf database be used fully to query exploits and records.
    Use the command service postgresql start
  6. Path introduction
    The msf path is /usr/share/metasploit-framework; listing it shows all the files below.
  7. Directory layout
    auxiliary: auxiliary modules
    encoders: encoders for the msfencode tool; list them with msfencode -l
    exploits: attack modules
    payloads: attack payloads, that is, the code executed after an attack succeeds
    post: post-exploitation modules, the attack code usable after a meterpreter shell has been obtained
  8. Tools
    msfpayload: generates a payload or shellcode. Search with msfpayload -l | grep "windows"; the -o option lists the parameters a payload requires.
    msfencode: the encoder in msf, originally used to bypass AV (antivirus software) and now commonly used to encode the output of msfpayload so that exploits avoid bad characters.
    msfconsole: opens the Metasploit console. Enter msfconsole to open msf.



Introduction to Meterpreter for exploitation

Meterpreter is an extension module of the Metasploit framework. It is used as the attack payload after an overflow succeeds: the payload returns a control channel to us, and using it as the payload yields a meterpreter shell on the target system.
As a post-exploitation module, Meterpreter comes in many types, and its commands consist of core commands and extension-library commands, which greatly enriches the available attack methods. It has many useful functions, such as adding a user, hiding things, opening a shell, obtaining user passwords, uploading and downloading files to and from the remote host, running cmd.exe, capturing the screen, taking remote control, capturing keystrokes, clearing applications, displaying the remote host's system information, and displaying the remote host's network interfaces and IP addresses.

  1. Common commands:
  • background: put the current session in the background
  • load/use: load a module
  • interact: switch to a channel
  • migrate: migrate to another process
  • run: execute an existing module. One thing to note here: pressing Tab twice after typing run lists all available scripts.
  2. Attack steps:
  • Generate a Meterpreter backdoor
  • Open MSF, start listening, and select exploit/multi/handler
  • Execute door.exe on the target machine
  • View the executable commands with the help command
  • Common command usage, including system information, taking screenshots, grabbing hashes, etc.
  • Directory browsing
  • Keystroke monitoring
  • Extension tools: enter help after load/use to see the instructions for the module's commands
  • Mimikatz extension tool: grab local passwords in plaintext

    Metasploit post-exploitation penetration testing

    After the pivot host has obtained certain privileges, it is necessary to actively extend those privileges to the intranet hosts, obtain the specified target information, and probe for system vulnerabilities. With the Meterpreter backdoor that msf has already obtained, this series of operations becomes easier.
  1. View the current network cards and network segments (using ifconfig). Three network cards are visible: one is the local card, one is a card we can reach, and the third has an internal-network IP that cannot be reached directly (try ping below).
  2. Add a routing table entry with run autoroute -s 10.0.0.1 so that msf modules can attack or scan across network segments; the autoroute script adds it quickly.
  3. Open a socks proxy: create one with the auxiliary/server/socks4a module; it can be used by a browser, sqlmap or nmap, so intranet computers can be reached through the proxy.
  4. Switch freely between sessions with background and session -i.
  5. Type run to see the many commands that can be executed in meterpreter.
  6. The post-exploitation modules can be seen with run post/
  7. Gather intranet information with run arp_scanner -r 10.0.0.1/24
  8. Files can also be uploaded, ports forwarded and follow-up tests performed; for example, upload lcx.exe c:\ transfers the file to the root of the C drive.

    Exploiting BeEF

    Study notes

    Windows operating system security attack and defense

    An overview of the basic framework of the Windows operating system

  1. The development and current situation of the Windows operating system
  2. The basic structure of the operating system
    It is divided into the operating system kernel, which runs in the processor's privileged mode, and user-space code, which runs in the processor's unprivileged mode.
    The basic modules include the following:

  • Windows executive
  • Windows kernel
  • device drivers
  • hardware abstraction layer
  • kernel-mode implementation of the Windows windowing and GUI interface
  • system support processes
  • environment subsystem service processes
  • service processes
  • user application software
  • core subsystem DLLs
  • Windows process and thread management mechanism
  • memory management mechanism
  • file management mechanism
  • registry management mechanism
  • Windows network mechanism

    Security architecture and mechanisms of the Windows operating system

  1. Security design goals of the Windows security architecture
    Adopt a consistent, robust, object-based security model, and support the secure sharing of all types of system resources (processes, memory, devices, files and the network) among multiple users on one machine, meeting the security needs of business users.
    A basic object security model is implemented based on the reference monitor model.
    Its core is the SRM (Security Reference Monitor) located in the kernel and the LSASS security service located in user mode.
  2. Windows authentication mechanism
    A security principal is an entity that requests access to system resources; there are three kinds: users, user groups and computers. Windows user passwords are encrypted and stored in the SAM or in Active Directory (AD). Local account password information is hashed with an irreversible 128-bit random-key hash and stored in the SAM file.
    The Winlogon process, the GINA graphical logon window and the LSASS service cooperate to complete local authentication.
  3. Windows authorization and access control mechanism
    Based on the reference monitor model and implemented by the SRM module in the kernel and the LSASS service in user mode.
    An object's security descriptor consists of the following main attributes:
  • Owner SID
  • Group SID
  • DACL, the discretionary access control list
  • SACL, the system audit access control list
  4. Windows security audit mechanism
    The system audit policy is defined by the system administrator in the local security policy and determines which events the system records.
  5. Other Windows security mechanisms
    Windows Security Center, which integrates the firewall, automatic patch updates and virus protection
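To make the security descriptor structure listed above concrete, here is an added Python example (not from the course notes or the textbook they summarise) that parses the SDDL string form of a descriptor into its owner SID, group SID, DACL and SACL, and then audits the DACL for allow-ACEs that hand write-class rights to broad groups such as Everyone. The sample descriptor, the partial SID-abbreviation table and the set of "broad" trustees and "write-class" rights are constructed assumptions for this illustration.

```python
"""Parse a Windows security descriptor given in SDDL string form and audit its DACL.

Added illustration; the sample descriptor and the partial tables below are
constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Subset of the well-known SID abbreviations SDDL allows (assumed, not exhaustive).
WELL_KNOWN_SIDS = {
    "BA": "Builtin Administrators",
    "SY": "Local System",
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "BU": "Builtin Users",
    "CO": "Creator Owner",
}

# Audit policy for this example (assumed): broad trustees and write-class rights.
BROAD_TRUSTEES = {"WD", "AU", "BU"}
WRITE_RIGHTS = {"FA", "GA", "GW", "WD", "WO", "SD", "WP"}

ACE_RE = re.compile(r"\(([^)]*)\)")                    # one parenthesised ACE
COMPONENT_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")  # O: G: D: S: parts


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, "AU" audit
    flags: str      # inheritance / audit flags, e.g. "CI", "OI", "SA", "FA"
    rights: str     # two-letter right codes run together, or a hex mask
    trustee: str    # SID abbreviation or a full "S-1-..." SID


@dataclass
class SecurityDescriptor:
    owner: str = ""
    group: str = ""
    dacl_flags: str = ""
    dacl: list = field(default_factory=list)
    sacl_flags: str = ""
    sacl: list = field(default_factory=list)


def _parse_acl(text):
    """An ACL is optional control flags (e.g. "PAI") followed by parenthesised ACEs."""
    first = text.find("(")
    flags = text if first < 0 else text[:first]
    aces = []
    for body in ACE_RE.findall(text):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(parts[0], parts[1], parts[2], parts[5]))
    return flags, aces


def parse_sddl(sddl):
    """Split the descriptor into its O:, G:, D: and S: components and parse each."""
    sd = SecurityDescriptor()
    for m in COMPONENT_RE.finditer(sddl):
        key, value = m.group(1), m.group(2)
        if key == "O":
            sd.owner = value
        elif key == "G":
            sd.group = value
        elif key == "D":
            sd.dacl_flags, sd.dacl = _parse_acl(value)
        else:
            sd.sacl_flags, sd.sacl = _parse_acl(value)
    return sd


def split_rights(rights):
    """Rights are either a hex mask ("0x1f01ff") or concatenated two-letter codes."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def risky_aces(sd):
    """Allow-ACEs in the DACL granting write-class rights to a broad trustee.

    Simplification: deny ACEs placed earlier in the DACL are not considered.
    """
    return [
        ace for ace in sd.dacl
        if ace.ace_type == "A"
        and ace.trustee in BROAD_TRUSTEES
        and set(split_rights(ace.rights)) & WRITE_RIGHTS
    ]


# Constructed sample: owner Administrators, group SYSTEM, a protected auto-inherited
# DACL that also gives Everyone generic write, and a SACL auditing failed full access.
SAMPLE_SDDL = "O:BAG:SYD:PAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;GW;;;WD)S:(AU;FA;FA;;;WD)"

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("owner:", WELL_KNOWN_SIDS.get(sd.owner, sd.owner), "group:", WELL_KNOWN_SIDS.get(sd.group, sd.group))
    for ace in sd.dacl:
        print("DACL", ace.ace_type, ace.rights, WELL_KNOWN_SIDS.get(ace.trustee, ace.trustee))
    for ace in sd.sacl:
        print("SACL", ace.ace_type, ace.flags, ace.rights, WELL_KNOWN_SIDS.get(ace.trustee, ace.trustee))
    for ace in risky_aces(sd):
        print("RISK: write-class rights", ace.rights, "granted to", WELL_KNOWN_SIDS.get(ace.trustee, ace.trustee))
```

The split between owner, group, DACL and SACL mirrors the four attributes in the list above; the SACL ACE is the piece the audit mechanism in item 4 consumes, while the DACL ACEs are what the SRM evaluates on access.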

    Windows remote security attack and defense technology

  • Remote password guessing and cracking attacks
  • Attacking Windows network services
  • Attacking Windows clients and users

    Security vulnerability lifecycle of Windows systems

  • Windows security vulnerability discovery, exploitation and patching process
  • Public security vulnerability repositories
  • Penetration testing attack process against a specific target
  • Penetration testing with the Metasploit software

    Windows remote password guessing and cracking attacks

  • Remote password guessing
  • Eavesdropping on and cracking remote password exchange traffic
  • Countermeasures against remote password guessing and cracking

    Windows network service remote penetration attacks

  • Notable vulnerabilities and attacks against NetBIOS network services
  • Notable vulnerabilities and attacks against SMB network services
  • Notable vulnerabilities and attacks against MSRPC network services
  • Remote penetration attacks against Microsoft network services on Windows systems
  • Remote penetration attacks against third-party network services on Windows systems
  • Countermeasures against remote penetration attacks on network services

    Windows local security attack and defense technology

  1. Windows local privilege escalation
    The ultimate privilege is the Administrator or Local System account. The attack technique of attempting to gain a privileged account from restricted user rights is known as privilege escalation.
  2. Windows sensitive information theft
    Windows password ciphertext extraction techniques
    Windows password cracking techniques
    Theft of users' sensitive data
    Countermeasures against local sensitive information theft
  3. Windows track covering
    Turning off auditing
    Clearing event logs
    Countermeasures against track covering
  4. Windows remote control and backdoor programs
    Command-line remote control tools
    Graphical remote control tools
    Countermeasures against backdoor programs
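As a defensive complement to the track-covering items above (turning off auditing, clearing event logs), here is an added Python example that is not part of the course notes: it runs simple detection logic over Windows event records and flags the events that those two actions leave behind, escalating when the same account changes the audit policy on the same host shortly before a log is cleared. The event IDs are the standard Windows ones (4719 for a system audit policy change, 1102 for the Security log being cleared, 104 for another event log being cleared); the event records, host names, account names and the 30-minute window are constructed for the example.

```python
"""Detect audit-tampering and log-clearing events in Windows event records.

Added illustration; the records below are constructed, the event IDs are the
standard Windows ones.
"""
from datetime import datetime, timedelta

# Events that covering-tracks activity leaves behind: ID -> (channel, label).
TAMPER_EVENTS = {
    4719: ("Security", "system audit policy changed"),
    1102: ("Security", "Security event log cleared"),
    104: ("System", "event log file cleared"),
}

# Constructed sample records, as a collector might forward them from two hosts.
SAMPLE_EVENTS = [
    {"ts": "2018-04-20 09:58:10", "EventID": 4624, "Channel": "Security", "Computer": "WS01", "Subject": "CORP\\alice"},
    {"ts": "2018-04-20 10:00:02", "EventID": 4719, "Channel": "Security", "Computer": "WS01", "Subject": "CORP\\alice"},
    {"ts": "2018-04-20 10:05:41", "EventID": 1102, "Channel": "Security", "Computer": "WS01", "Subject": "CORP\\alice"},
    {"ts": "2018-04-20 11:00:00", "EventID": 104, "Channel": "System", "Computer": "SRV02", "Subject": "CORP\\bob"},
    {"ts": "2018-04-20 12:30:00", "EventID": 1102, "Channel": "Security", "Computer": "WS01", "Subject": "CORP\\alice"},
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_log_tampering(events, window=timedelta(minutes=30)):
    """Return one finding per tampering event, in time order.

    A log-clearing event is rated "high" when the same account changed the
    audit policy on the same host within `window` before it, else "medium".
    """
    findings = []
    policy_changes = []  # (time, computer, subject) of 4719 events seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev["EventID"]
        if eid not in TAMPER_EVENTS:
            continue
        channel, label = TAMPER_EVENTS[eid]
        if ev["Channel"] != channel:
            continue  # the same numeric ID in another channel means something else
        t = parse_ts(ev["ts"])
        severity = "medium"
        if eid == 4719:
            policy_changes.append((t, ev["Computer"], ev["Subject"]))
        else:
            preceded = any(
                c == ev["Computer"] and s == ev["Subject"]
                and timedelta(0) <= t - pt <= window
                for pt, c, s in policy_changes
            )
            if preceded:
                severity = "high"
                label += " shortly after an audit policy change by the same account"
        findings.append({
            "time": ev["ts"], "computer": ev["Computer"], "subject": ev["Subject"],
            "event_id": eid, "finding": label, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in detect_log_tampering(SAMPLE_EVENTS):
        print(f"{f['time']} {f['computer']:5} {f['subject']:11} {f['event_id']:5} "
              f"{f['severity']:6} {f['finding']}")
```

The point of the correlation is that a clearing event on its own is noisy (administrators do clear logs), whereas an audit-policy change followed within minutes by a cleared Security log from the same account matches the two items listed under track covering; forwarding events to a collector before they can be cleared is what makes this detection possible at all.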
