Week 7 Cybersecurity Homework

learning materials

Kali Video Learning

Vulnerability detection and exploitation tools
1. searchsploit: vulnerability retrieval tool

2. pattern_create
This command can be used when debugging a buffer overflow; for example, pattern_create 1000 outputs a 1000-character pattern.
3. ikat
Network vulnerability scanning tool that can open a port on an IP address; once a vulnerable host reaches it through this port, it will be attacked.
4. Metasploit
Metasploit is often used in penetration testing. It actually contains many tools, which together form a complete attack framework. When starting the service, you need to start the postgresql database and the metasploit service first; only then can you fully use the msf database to query exploits and records.
service postgresql start
service metasploit start
If you don't want to start the services manually on every boot, you can configure them to start with the system:
update-rc.d postgresql enable
update-rc.d metasploit enable

path: the path of msf in kali is /usr/share/metasploit-framework

auxiliary: auxiliary modules
encoders: encoders for the msfencode tool; list them with msfencode -l
exploits: attack modules
payloads: the attack payloads, that is, the code executed after the attack succeeds
post: post-exploitation modules, attack code that can be used after obtaining a meterpreter shell
5. Meterpreter
Meterpreter is an extension module in the metasploit framework. It is used as an attack payload after a successful overflow: the payload returns a control channel to us, so using it as the payload yields a meterpreter shell on the target system.
As a post-exploitation module, meterpreter comes in many types, and its commands are composed of core commands and extension library commands, which greatly enriches the attack methods. It has many useful functions, such as adding a user, hiding things, opening a shell, getting user passwords, uploading and downloading files on the remote host, running cmd.exe, capturing the screen, getting remote control, capturing keystrokes, clearing applications, displaying the remote host's system information, and displaying the remote host's network interfaces, IP addresses and other information.
Common commands:
background: put the current session in the background
load/use: load a module
interact: switch into a channel
migrate: migrate the process
run: execute an existing module; it can also list all existing scripts
Next, I will implant a backdoor on the target host and then monitor it. Since I can't copy it, I put this backdoor on my own host.
Expanding permissions on network hosts, obtaining specific target information, and exploring system vulnerabilities can all be made easier with the help of the meterpreter backdoor that MSF has obtained.
First check the current network card and network segment information; the segment is not reachable, so you need to add a route: run autoroute -s <intranet IP address>, which is the most commonly used method in metasploit. After adding it, the routing table is associated with the session, and you can use the modules in msf to scan or attack across network segments; there are many ways to do this. Then, by using the auxiliary/server/socks4a module, a socks proxy is created that browsers, sqlmap, Nmap, etc. can use. You can see the post-penetration modules by running post/. run arp_scanner -r <network segment address> lets you view intranet addresses; you can also view other hosts on the intranet, upload files, and perform further tests after port forwarding.
7. Beef
XSS vulnerabilities often need the support of a strong framework, such as the XSS platforms on the Internet. Under kali, Beef is a tool that is not inferior to such an XSS platform. Beef is the abbreviation of Browser Exploitation Framework, a browser-side penetration testing tool. Enter beef-xss
to open the Beef interface. You can open a demo website, which shows a lot of information about the hooked browser. The hook lasts until the test page is closed; during this period the browser is effectively controlled, and attack commands can be sent to carry out an XSS attack. Beef also has a proxy function.
Beef does not load metasploit by default. If you want to use metasploit's rich attack modules, you need to do some configuration.
First, set the metasploit line in /usr/share/beef-xss/config.yaml to true. Also make sure the IP and other information are set correctly (use the IP of your own machine) and modify the custom path. After configuration, open msfconsole, run the command load msgrpc ServerHost=<host IP> Pass=<password>, and then execute ./beef -x. Restart Beef and you will find that the metasploit attack modules have been loaded.

learning materials

Basic Framework of Windows Operating System

1. The basic structure of Windows is divided into the operating system kernel, running in the processor's privileged mode, and user programs, running in the processor's unprivileged mode, namely kernel mode and user mode.

2. Kernel mode: Windows executive, Windows kernel, device drivers, hardware abstraction layer, windowing and graphics interface.

3. User mode: system support processes, environment subsystem service processes, service processes, user applications, core subsystem DLLs.

4. Core mechanisms: process and thread management, memory management, file management, registry management, network management.

5. Network management mechanism: network card hardware driver (physical layer), NDIS library and miniport drivers (link layer), TDI transport layer / network protocol drivers (network and transport layers), network APIs and TDI clients (session and presentation layers), network applications and service processes (application layer).

Security Architecture and Mechanisms

1. Reference monitor model: every access from a subject to an object is mediated by the reference monitor, which authorizes access according to the security access control policy and records all accesses to produce audit logs.

2. Core components: SRM security reference monitor (in the kernel), LSASS security service (user mode), winlogon/netlogon, and Eventlog

3. Identity authentication mechanism:

Security principals: user, user group, computer

Authentication: local authentication (winlogon process, GINA graphical login window and LSASS service), network authentication (NTLM, Lanman, kerberos)

4. Authorization and access control mechanism:

Objects: files, directories, registry keys, kernel objects, synchronization objects, private objects, pipes, memory, communication interfaces.

Security descriptor composition: Owner SID, Group SID, DACL (discretionary access control list), SACL (system access control list, used for auditing).

5. Security Audit Mechanism

6. Other security mechanisms: Security Center (firewall, automatic patch updates, virus protection), IPsec loading and verification mechanism, EFS (Encrypting File System), Windows file protection mechanism, privacy protection and the browser security protection mechanism provided by the bundled IE browser.
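The reference monitor model (item 1) and the security descriptor attributes (item 4) describe how the SRM decides an access request: it walks the object's DACL in order, a matching deny entry refuses the request, matching allow entries accumulate the requested rights, and the SACL decides whether the outcome is written to the audit log. The following is an added, simplified model of that check written for these notes; it is not Windows code, and the access-right bits, SIDs and ACE layout are constructed assumptions (real Windows masks and the owner's implicit rights are omitted).

```python
# Added example: a simplified model of the Windows access check (DACL walk)
# and the audit decision made from the SACL. Masks, SIDs and ACE layout are
# constructed assumptions, not the real Windows structures.
from dataclasses import dataclass, field
from typing import Optional

# Constructed access-right bits (real Windows access masks are different)
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass
class ACE:
    kind: str   # "allow" or "deny"
    sid: str    # trustee SID this entry applies to
    mask: int   # rights granted or denied by this entry


@dataclass
class SecurityDescriptor:
    owner_sid: str
    group_sid: str
    # Ordered ACEs; canonical order puts deny entries before allow entries.
    # None models a NULL DACL (no protection at all), [] an empty DACL.
    dacl: Optional[list] = field(default_factory=list)
    # Audit entries: (sid, mask, audit_success, audit_failure)
    sacl: list = field(default_factory=list)


@dataclass
class Token:
    user_sid: str
    group_sids: set


def access_check(token: Token, sd: SecurityDescriptor, desired: int):
    """Walk the DACL in order: the first ACE deciding a still-requested bit wins.
    Returns (granted, reason)."""
    if sd.dacl is None:
        return True, "NULL DACL grants everyone full access"
    subject_sids = {token.user_sid} | token.group_sids
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in subject_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE for {ace.sid}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "all requested rights granted"
    # An empty DACL, or no matching allow entries, denies the request.
    return False, "no ACE granted the remaining rights"


def audit_record(token: Token, sd: SecurityDescriptor, desired: int, granted: bool):
    """Return an audit line if a SACL entry matches the subject and the outcome."""
    subject_sids = {token.user_sid} | token.group_sids
    for sid, mask, on_success, on_failure in sd.sacl:
        if sid in subject_sids and mask & desired and (on_success if granted else on_failure):
            outcome = "SUCCESS" if granted else "FAILURE"
            return f"AUDIT {outcome}: subject={token.user_sid} owner={sd.owner_sid} mask=0x{desired:x}"
    return None


def check_and_audit(token: Token, sd: SecurityDescriptor, desired: int):
    """The monitor's two duties in one call: decide, then record."""
    granted, reason = access_check(token, sd, desired)
    return granted, reason, audit_record(token, sd, desired, granted)


# Constructed sample: BUILTIN\Administrators owns the object, BUILTIN\Users may
# read/write/execute, but one specific user is explicitly denied WRITE, and
# failed write attempts by Users are audited.
ADMINS = "S-1-5-32-544"                  # well-known BUILTIN\Administrators SID
USERS = "S-1-5-32-545"                   # well-known BUILTIN\Users SID
ALICE = "S-1-5-21-1000-2000-3000-1001"   # constructed user SID
BOB = "S-1-5-21-1000-2000-3000-1002"     # constructed user SID, not in Users

SAMPLE_SD = SecurityDescriptor(
    owner_sid=ADMINS,
    group_sid=USERS,
    dacl=[ACE("deny", ALICE, WRITE), ACE("allow", USERS, READ | WRITE | EXECUTE)],
    sacl=[(USERS, WRITE, False, True)],
)
ALICE_TOKEN = Token(ALICE, {USERS})
BOB_TOKEN = Token(BOB, set())

if __name__ == "__main__":
    for who, tok, want in [("alice", ALICE_TOKEN, READ), ("alice", ALICE_TOKEN, WRITE),
                           ("alice", ALICE_TOKEN, READ | WRITE), ("bob", BOB_TOKEN, READ)]:
        print(who, hex(want), check_and_audit(tok, SAMPLE_SD, want))
```

Note the ordering rule: because the deny entry for ALICE precedes the allow entry for Users, her request for READ | WRITE is refused outright even though Users would have granted it, and the SACL turns that refusal into an audit record; a user who matches no entry at all is also refused, since an empty or exhausted DACL denies.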

Remote security attack and defense technology

1. Including remote password guessing attack, windows network service attack, windows client and user attack.

2. Life cycle:

Windows Security Vulnerability Discovery, Exploitation and Patching Process

Security vulnerability public disclosure repositories: CVE, NVD, SecurityFocus, OSVDB

Target-specific penetration testing attack process: vulnerability scanning testing, finding penetration code for discovered vulnerabilities, conducting penetration testing

Penetration testing with metasploit software: user interface (CLI, Console, web, GUI)

3. Remote password guessing attack:

Remote password guessing: SMB protocol (tcp445, tcp139); others include the WMI service, TS remote desktop terminal service, MySQL database service, SharePoint. Tools include: Legion, enum, smbgrind, NTScan, XScan, Streamer.

Eavesdropping on and cracking remote password exchanges: weaknesses of the NTLM, Lanman, NTLMv2 and Kerberos network authentication protocols.

Prevention of remote password guessing: turn off unnecessary vulnerable network services, configure host firewalls to restrict certain port services, have network firewalls restrict access to these services, disable the outdated and flawed Lanman and NTLM, and specify a strong password policy.

4. Remote penetration attacks on network services: well-known vulnerabilities and attacks on NetBIOS, SMB and MSRPC services, remote penetration attacks on Microsoft network services on Windows systems, and remote penetration attacks on third-party services on Windows systems.

Preventive measures: The most basic thing is to try to avoid and eliminate the security vulnerabilities of the service software that these penetration attacks rely on.

Local security attack and defense technology

1. Local privilege escalation attack: exploiting security flaws and vulnerabilities in the operating system kernel and in programs started by privileged users, because server and desktop systems are often not patched immediately.

2. Sensitive information theft:
Windows system password ciphertext extraction techniques (copying the password ciphertext file, rdisk tool backup, pwdumpx extracting the password ciphertext from the SAM file or Active Directory)

Windows system password cracking technology (L0phtCrack, John the Ripper, Cain)

User sensitive data theft: find, findstr, grep, meterpreter

Prevention of local sensitive information theft: choose high-strength passwords, use more secure password encryption algorithms, and configure policies securely.

Windows trace elimination

1. Eliminating traces: turning off the audit function and clearing the event log.

Preventive measures: set up system auditing and network service auditing in advance, and store log records on non-erasable CD-ROM.
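The preventive measures for remote password guessing (item 3 under remote attack and defense) and for trace elimination (item 1 above) both come down to auditing being switched on and then watched. The following is an added detection example written for these notes, not a tool from the page: it parses constructed, simplified logon-audit records (the line format is an assumption, not a real evtx export) and flags a burst of failed logons from one source, a later successful logon from that same source, and the events that indicate the audit trail itself is being tampered with. The event IDs 4624, 4625, 4719 and 1102 are the real Windows Security log IDs for successful logon, failed logon, audit policy change and audit log cleared.

```python
# Added example: detect remote password guessing and audit-trail tampering
# in simplified Windows Security log records. The line format and sample
# records are constructed for this example; the event IDs are the real ones.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not a real evtx export): six failed logons from
# 10.0.0.9 inside 30 seconds, then a success from the same source, one
# unrelated failure, an audit policy change and a cleared audit log.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z EventID=4625 Source=10.0.0.9 Account=administrator
2024-03-01T08:00:05Z EventID=4625 Source=10.0.0.9 Account=administrator
2024-03-01T08:00:09Z EventID=4625 Source=10.0.0.9 Account=administrator
2024-03-01T08:00:13Z EventID=4625 Source=10.0.0.9 Account=administrator
2024-03-01T08:00:17Z EventID=4625 Source=10.0.0.9 Account=administrator
2024-03-01T08:00:21Z EventID=4625 Source=10.0.0.9 Account=administrator
2024-03-01T08:00:40Z EventID=4624 Source=10.0.0.9 Account=administrator
2024-03-01T08:05:00Z EventID=4625 Source=10.0.0.12 Account=bob
2024-03-01T08:06:00Z EventID=4719 Source=- Account=SYSTEM
2024-03-01T08:06:30Z EventID=1102 Source=- Account=administrator
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) Source=(\S+) Account=(\S+)$")

LOGON_FAILED, LOGON_SUCCESS = 4625, 4624
TAMPERING = {1102: "audit log cleared", 4719: "system audit policy changed"}


def parse(log_text: str):
    """Turn the constructed text records into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(m.group(2)),
            "source": m.group(3),
            "account": m.group(4),
        })
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Flag any source with >= threshold failed logons inside a sliding window.
    A later successful logon from a flagged source is recorded too, since it
    suggests the guessing worked and the account should be treated as compromised."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev["source"]
        if ev["id"] == LOGON_FAILED:
            q = recent[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(src, {"failures": 0, "success_after": False})
                entry["failures"] = len(q)
        elif ev["id"] == LOGON_SUCCESS and src in flagged:
            flagged[src]["success_after"] = True
    return flagged


def detect_log_tampering(events):
    """Return (timestamp, event id, account, description) for audit-trail tampering events."""
    return [(ev["time"].isoformat(), ev["id"], ev["account"], TAMPERING[ev["id"]])
            for ev in events if ev["id"] in TAMPERING]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("password guessing:", detect_password_guessing(evs))
    for alert in detect_log_tampering(evs):
        print("tampering:", alert)
```

Forwarding the records to a collector that the monitored host cannot write back to is what makes the 1102 alert useful: on the host itself, clearing the log also removes everything before it, so the copy that survives must live elsewhere, which is the point of the CD-ROM advice above.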

2. Remote control and backdoor program:

Remote control: command-line remote control tools (Netcat, psexec, meterpreter), graphical remote control tools (VNC, RemoteAdmin, PCAnywhere)

Backdoor programs: foreign (BO, BO2K), domestic (Glacier, Grey Pigeon, Guangzhou Foreign Girls, PCshare, Disk Drive, Robot Dog, etc.)

Preventive measures: backdoor detection software, antivirus software, RootkitRevealer, IceSword.
