1. Penetration testing simulates the attack means and methods of malicious hackers in order to evaluate the security of a network system. Vulnerability assessment emphasizes checking systems and services for every security issue; penetration testing mainly executes attacks to verify that the vulnerabilities found in the system really exist.
Traditional penetration testing methods can seriously affect industrial control system (ICS) infrastructure, so it should be noted that appropriate methods must be used there.
Industrial equipment testing: collecting industrial equipment assets, exploiting and analysing vulnerabilities, verification testing of robustness, and multi-dimensional, multi-layered security testing.
Industrial control system (ICS) is a generic term for several types of control, monitoring and data collection systems, including distributed control systems (DCS), SCADA systems, other control services and production applications. Industrial equipment testing services mainly examine the core elements of the control system and its networking.
2. SCADA systems:
Highly distributed data acquisition and control systems, used for water distribution systems, petroleum engineering, the electric power grid and similar systems.
SCADA risk analysis: the large number of PLCs (programmable logic controllers), RTUs (remote terminal units), IEDs (intelligent electronic devices) and other components are mostly foreign-made devices; their operating systems, controls and other components are not under the operator's own control, so they may contain security vulnerabilities that allow malicious damage or theft of terminal service data.
3. Common industrial control system vulnerabilities:
SQL injection, weak passwords, operating system vulnerabilities, and misconfigured operation and maintenance services.
4. Java deserialization vulnerability
Converting application data (an object) into another format that can be stored or transmitted is called serialization; reading that data sequence back into an object is called deserialization. The vulnerability arises when the data being deserialized comes from an untrusted source, because the attacker then controls which objects are reconstructed.
5. Industrial security risk assessment
Selection and management of security software (protection, authentication): check whether anti-virus software used on core equipment was verified and tested in an offline environment before deployment.
6. Common protocol: Modbus
The Modbus protocol defines a simple protocol data unit (PDU) that is independent of the underlying communication layer. Mapping the Modbus protocol onto a particular bus or network can introduce additional fields in the application data unit (ADU), for example addressing and error-check fields. Nothing in either unit carries authentication.
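Added example (not from the original notes): Modbus/TCP frames built and parsed in Python to make the PDU/ADU split concrete. The function codes 0x03 and 0x06 and the MBAP layout come from the Modbus application protocol specification; the sample response frames, register values and all names are constructed for this example.

```python
import struct

# Added example (not from the original notes): build and parse Modbus/TCP frames
# to show the PDU/ADU split the text describes. Function codes 0x03 and 0x06 and
# the MBAP header layout are from the Modbus spec; everything else is constructed.

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
EXCEPTION_FLAG = 0x80        # response function code with bit 7 set = exception


def build_pdu(function_code: int, data: bytes) -> bytes:
    """PDU = 1-byte function code + data. Note what is absent: no address,
    no checksum, no credential; the transport mapping adds the first two,
    nothing adds the third."""
    if not 0 < function_code < EXCEPTION_FLAG:
        raise ValueError("function code must be 1..127")
    return bytes([function_code]) + data


def build_tcp_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Modbus/TCP ADU = MBAP header + PDU. MBAP fields: transaction id (2 bytes),
    protocol id (2 bytes, always 0), length (2 bytes, = 1 + len(pdu)), unit id (1 byte)."""
    mbap = struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id)
    return mbap + pdu


def read_holding_registers_request(transaction_id, unit_id, start_addr, quantity):
    if not 1 <= quantity <= 125:
        raise ValueError("quantity must be 1..125")
    data = struct.pack(">HH", start_addr, quantity)
    return build_tcp_adu(transaction_id, unit_id, build_pdu(READ_HOLDING_REGISTERS, data))


def write_single_register_request(transaction_id, unit_id, addr, value):
    """Anyone who can reach TCP/502 can send this; the frame carries no credential."""
    data = struct.pack(">HH", addr, value)
    return build_tcp_adu(transaction_id, unit_id, build_pdu(WRITE_SINGLE_REGISTER, data))


def parse_tcp_adu(frame: bytes) -> dict:
    """Parse an ADU received from the server side. Validates the MBAP header
    before trusting the PDU and distinguishes exception responses."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("unexpected protocol id %d" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    pdu = frame[7:]
    fc = pdu[0]
    out = {"transaction_id": tid, "unit_id": uid,
           "function_code": fc & 0x7F, "exception": None, "registers": None}
    if fc & EXCEPTION_FLAG:
        out["exception"] = pdu[1] if len(pdu) > 1 else None
        return out
    if fc == READ_HOLDING_REGISTERS:
        byte_count = pdu[1]
        if byte_count != len(pdu) - 2 or byte_count % 2:
            raise ValueError("byte count %d inconsistent with PDU" % byte_count)
        out["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:]))
    return out


if __name__ == "__main__":
    print(read_holding_registers_request(1, 1, 0, 2).hex())
    # Constructed response: unit 1 returns two registers holding 10 and 20.
    print(parse_tcp_adu(bytes.fromhex("000100000007010304000a0014")))
    # Constructed exception response: 0x83 = 0x03 | 0x80, exception code 2.
    print(parse_tcp_adu(bytes.fromhex("000100000003018302")))
```

The write request is included deliberately: it is the same shape as the read request, and the absence of any authentication field is what makes reachable Modbus endpoints a risk during the testing described above.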
7. Cookies and request headers
HTTP_REFERER is part of the request header: when the browser sends a request it generally carries a Referer telling the server which page the link came from, and the server can derive some information from it.
HTTP_USER_AGENT is used to detect the browser version, the operating system and similar user characteristics and preferences.
REMOTE_ADDR corresponds to the user's IP address. Unlike the two headers above it comes from the TCP connection rather than from the client, although it may be the address of a proxy or CDN node.
8. The first things to do when given a site
Collect whois and IP address registration information of the site; other sites on the same server and on the same C segment; server operating system version, program version, database version, container type, subdomains, firewall, maintainer information, e-mail addresses, etc.
MySQL: note the version. Below 5.0 there is no information_schema system table, so table and column names cannot be listed and can only be found by brute force. Below 5.0 is multi-user single-operation; 5.0 and above is multi-user multi-operation.
Registration e-mail and phone number of the target site: use social engineering and leaked credential databases to see whether a password has been disclosed, then try the disclosed password on the back-end login. Search the site with the e-mail as a keyword, and use search engines to find other related information the administrator has set, to generate a password dictionary. Observe the sites the administrator often visits to get more information about him.
Determine the CMS of the target site; the corresponding publicly disclosed vulnerabilities can then be found, and if it is open source the source code can be downloaded for audit.
Even when the CMS is mature and relatively secure, directory scanning during penetration is still worthwhile: note compressed archives, sensitive files such as the txt file in which the webmaster describes the site (robots.txt), and backup directories, which may also hold other sites.
Common web servers: IIS, Apache, Tomcat, Nginx, Lighttpd.
Writing a one-word shell directly to the target through a MySQL injection point with a tool requires root privileges (in MySQL terms the FILE privilege) and the absolute path of the website.
Known parsing vulnerabilities of container versions:
IIS 6.0: a file named xx.asp;.jpg is executed as ASP, because everything after the semicolon is ignored and "xx.asp" is taken as the file name; likewise any file under a directory named xx.asp (/xx.asp/xx.jpg) is executed as ASP.
IIS 7.0/7.5: with Fast-CGI enabled by default, appending /1.php to the URL of a normal picture makes the picture be parsed as PHP.
Nginx below 0.8.37: the same method as IIS 7.0/7.5; with Fast-CGI turned off this is unavailable, but a null byte can be used instead: xxx.jpg%00.php.
Apache: for test.php.x1.x2.x3, Apache judges the extension from right to left, skipping suffixes it does not recognise until it reaches .php, so the file runs as PHP.
A quick way to tell the operating system: Linux paths are case-sensitive, Windows paths are not.
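Added example (not from the original notes): a server-side upload filename check that refuses exactly the names the parser quirks listed above turn into executable scripts, then chooses the stored name itself. The extension allowlist, the function names and the sample filenames are assumptions for this example.

```python
import re
import secrets

# Added example (not from the original notes): reject filenames that the
# IIS 6 / IIS 7 / Nginx / Apache parsing quirks would execute, then let the
# server pick the name on disk. ALLOWED_EXT is an assumed policy.

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}


def check_upload_name(name: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename."""
    # Null-byte truncation (xxx.jpg%00.php on old Nginx/PHP): reject the raw
    # NUL and its still-encoded form.
    if "\x00" in name or "%00" in name:
        return False, "null byte"
    # IIS 6 treats 'xx.asp;.jpg' as xx.asp and '/xx.asp/anything' as ASP, and a
    # slash is also what the IIS 7 / Nginx 'pic.jpg/1.php' trick needs.
    if re.search(r"[\\/;]", name):
        return False, "path separator or semicolon"
    parts = name.split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False, "missing or empty name/extension"
    # Apache reads extensions right to left and skips ones it does not know, so
    # test.php.x1.x2.x3 runs as PHP: every extension must be allowlisted, not
    # just the last. Compare lowercase because Windows/IIS match
    # case-insensitively (shell.PHP).
    bad = [p for p in parts[1:] if p.lower() not in ALLOWED_EXT]
    if bad:
        return False, "disallowed extension: " + bad[0]
    return True, "ok"


def stored_name(name: str) -> str:
    """Server-chosen name on disk: random stem plus the validated extension,
    so no part of the client's name reaches the filesystem."""
    ok, reason = check_upload_name(name)
    if not ok:
        raise ValueError(reason)
    return secrets.token_hex(8) + "." + name.rsplit(".", 1)[1].lower()


if __name__ == "__main__":
    # Constructed sample names, one per quirk in the notes.
    for n in ["photo.JPG", "xx.asp;.jpg", "xxx.jpg\x00.php",
              "test.php.x1.x2.x3", "shell.PHP", "pic.jpg/1.php"]:
        print(repr(n), check_upload_name(n))
    print(stored_name("photo.JPG"))
```

This only closes the filename side; the upload directory should additionally have script execution disabled on the web server, since a front-end-only type check, as the notes point out, is no protection at all.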
If the site only has port 80 open, the database port (e.g. 3306) was either changed and not scanned, or is not open externally, or the site and the database are deployed on separate hosts.
Why 3389 cannot be reached although it is open: the port was changed, it is blocked by protection software, or the host is inside an internal network and port forwarding is needed.
Ways around single quotes being escaped: use hex encoding, wide-character (multi-byte) encoding, or another bypass.
To find a disclosed vulnerability quickly, look at the version shown in the news or editor interface and search for the corresponding vulnerability.
After getting a webshell, write a .htaccess file in the root directory containing <FilesMatch "xxx.jpg"> SetHandler application/x-httpd-php </FilesMatch>, so that .jpg files are parsed as PHP.
Safedog tracks variables and therefore detects a one-word Trojan, but with enough variation of the code it can still be bypassed.
An Access database with an .asp suffix comes out as garbage when scanned; download it directly with Thunder and change the extension to .mdb.
When escalating privileges, choose a readable and writable directory without spaces, because most exploits take the path as a parameter and a space breaks it.
After uploading a big shell, if the browser shows garbled characters, change the browser's encoding.
Restrictions on upload file types: some sites only check the allowed types on the front end, so adding the wanted type to the list is enough to break through.
If the target site prohibits registration and the login prompt tells you whether the username exists, brute-force the username first and then the password. Everywhere the site interacts with the database is likely to have an injection.
If a download function is found on the target site, e.g. http://www.kddf/down/down.php?file=/1.txt, enter file=index.php to download the site's own source file, then keep looking inside it for the configuration file that reveals the database address and details of other sites.
In the back end, when changing the administrator's password the password is shown as *; inspect the element and change the input type from password to text and it is displayed in plain text.
If an unprotected target site lets you upload images but accessing an uploaded script returns 403, the web server may be configured not to execute scripts in the upload directory; try changing the suffix.
Inspect element: when the page is intercepted by the site's protection software and not displayed, press F12 to view the page source.
In SQL injection through the URL, a space is URL-encoded, so write + instead of a space.
Methods to get a webshell once you have an injection point:
With write permission, construct a union query and use INTO OUTFILE to redirect the output of the query into a file on the file system, writing the webshell.
sqlmap --os-shell uses the same principle and obtains such a shell more efficiently.
Construct a union query to read the webmaster's account and password, log in to the back end, then upload a shell or use other methods such as modifying the request packet.
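Added example (not from the original notes): the union-query step above run against a constructed in-memory SQLite database, beside the parameterised query that stops it, plus a builder for the MySQL INTO OUTFILE payload that uses the hex encoding the notes mention. Table and column names, the password hash and the file path are assumptions; SQLite has no INTO OUTFILE, so that payload is only built, not executed.

```python
import sqlite3

# Added example (not from the original notes). Schema, rows and the hash value
# are constructed; the MySQL payload is built but cannot run on SQLite.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'Plant opening'), (2, 'Maintenance window');
        CREATE TABLE admin(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def get_news_vulnerable(conn, news_id: str):
    """Untrusted input concatenated into the query: this is the injection point."""
    sql = "SELECT id, title FROM news WHERE id = " + news_id
    return conn.execute(sql).fetchall()


def get_news_safe(conn, news_id: str):
    """Same query with a type check and a bound parameter; the input is never SQL."""
    try:
        nid = int(news_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (nid,)).fetchall()


# The union must return the same number of columns as the original SELECT (two).
UNION_PAYLOAD = "0 UNION SELECT username, password_hash FROM admin"


def mysql_outfile_payload(webshell: str, abs_path: str) -> str:
    """MySQL-only payload for the INTO OUTFILE method in the notes. The shell body
    is hex-encoded as 0x... so the query needs no quotes around it, which is the
    hex bypass for escaped quotes the notes mention. On the server it still needs
    the FILE privilege and the site's absolute path."""
    return "0 UNION SELECT 0x%s, NULL INTO OUTFILE '%s'" % (webshell.encode().hex(), abs_path)


if __name__ == "__main__":
    db = make_db()
    print(get_news_vulnerable(db, "1"))
    print(get_news_vulnerable(db, UNION_PAYLOAD))   # leaks the admin row
    print(get_news_safe(db, UNION_PAYLOAD))         # []
    print(mysql_outfile_payload("<?php echo 1; ?>", "/var/www/html/s.php"))
```

The safe version shows the fix the notes imply but do not state: parameters bind the value after parsing, so no encoding trick on the client side can turn it back into SQL.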
Differences between CSRF, XSS and XXE:
XSS is cross-site scripting: data submitted by a user can contain code that is executed in other users' browsers, to steal information or carry out other attacks. Fixes: escape special characters, set HttpOnly so JavaScript cannot read the cookie value, validate input, and make sure the web page and the browser use the same character encoding.
CSRF (cross-site request forgery): XSS is only one of many means by which a CSRF is launched; the attack works because a key operation is performed without the user confirming it. Fixes: identify the pages that need CSRF protection and embed a token, require the password to be entered again, and check the Referer.
XXE is XML external entity injection: XML can request local or remote content through external entities, similar to remote file inclusion, which leads to security problems such as reading sensitive files. Fix: disable resolution of external entities when parsing XML and be strict about what is parsed.
CSRF is initiated from the client, forging a request to the server; SSRF is initiated by the server. A replay attack intercepts a packet and replays it to pass authentication.
SSRF: server-side request forgery, the request is initiated by the server.
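Added example (not from the original notes) covering the Referer header from section 7 and the CSRF and XSS fixes above: a per-session token with constant-time comparison, a Referer check that compares the parsed origin rather than a string prefix, and the HttpOnly cookie attribute. Plain dicts stand in for the session, request headers and form fields; SITE_ORIGIN and all names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example (not from the original notes): CSRF token + Referer check and
# an HttpOnly session cookie, as plain functions over dicts. SITE_ORIGIN and
# the field names are assumed.

SITE_ORIGIN = "https://www.example.com"


def issue_csrf_token(session: dict) -> str:
    """Generate a token, store it server-side in the session, return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def referer_allowed(headers: dict) -> bool:
    """Secondary check from the notes: the Referer's scheme and host must equal our
    origin. Comparing the parsed origin, not a string prefix, means
    https://www.example.com.evil.net does not pass. A missing Referer fails closed
    here; some deployments relax that because proxies strip the header."""
    ref = headers.get("Referer")
    if not ref:
        return False
    p = urlsplit(ref)
    return "%s://%s" % (p.scheme, p.netloc) == SITE_ORIGIN


def check_state_changing_request(session: dict, headers: dict, form: dict) -> tuple[bool, str]:
    """Run before any action that changes state (password change, transfer, delete)."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes so the token cannot be guessed byte by byte
    # and non-ASCII input cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing csrf token"
    if not referer_allowed(headers):
        return False, "referer mismatch"
    return True, "ok"


def session_cookie_header(value: str) -> str:
    """Set-Cookie value for the session: HttpOnly keeps JavaScript (and so XSS) from
    reading it, Secure keeps it off plain HTTP, SameSite=Lax makes the browser drop
    it from most cross-site POSTs."""
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % value


if __name__ == "__main__":
    sess = {}
    tok = issue_csrf_token(sess)
    good = {"Referer": SITE_ORIGIN + "/account"}
    print(check_state_changing_request(sess, good, {"csrf_token": tok}))
    print(check_state_changing_request(sess, {"Referer": "https://evil.example/poc.html"}, {"csrf_token": tok}))
    print(check_state_changing_request(sess, good, {}))
    print(session_cookie_header("abc123"))
```

The token is the primary control and the Referer check the secondary one, in that order, because Referer is client-supplied and sometimes absent, whereas the token only ever exists in the legitimate page and the server's session.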
Three common business logic vulnerabilities and their fixes:
Password recovery: the recovery code can be brute-forced, a universal recovery voucher exists, the verification step can be skipped, or the voucher can be obtained by intercepting the packet.
Authentication: the most common problems are session fixation and cookie forgery; as long as the session and cookie are known, the user's identity information can be forged.
Verification codes: the code can be brute-forced, is checked in JavaScript on the client, or can be bypassed by changing the packet.
9. One-word Trojan used for implanting a webshell
The common one-word Trojan is <% execute request("a") %>, but in this form it is easily detected and hard to get past protection software.
10. Preparing for interviews
How would you penetration test a site?
Fingerprinting and information gathering: collect the server's IP address, operating system type and version, open ports and the services on them, WAF, other sites on the same host, CMS, CDN, certificates, DNS records, etc.
Collect subdomains and phone numbers; sites on the same server can be penetrated when this is authorized.