I. Foreword
First of all: authorization matters. Authorization! Authorization! Authorization! Get written authorization before you touch anything.
A cautionary news item: a man attacked a government website "in order to influence life in his hometown" ( http://www.chinapeace.gov.cn/chinapeace/c53715/2019-08/20/content_12281927.shtml )
I had read plenty of penetration-testing articles before, but for various practical reasons I had never (dared to) do a real engagement.
Recently, by chance and with nothing else on my plate, I was handed a penetration-testing project.
So I am writing down what I learned recently, together with some small insights and tips. For reasons of confidentiality,
this article contains no sensitive information from the engagement.
II. How to elegantly "pose" as a veteran on your first pentest
Like me, a beginner is no master. Learning and accumulating experience matter most, but once you have started you should not slack off too much.
The operations below will not make you a master, but they will keep the whole process "busy".
There are plenty of very detailed hands-on pentest tutorials online; this article only outlines the steps I actually took on an intranet pentest of company xx, for comparison.
So this section is mainly aimed at readers who have only just been exposed to security, or who have never actually done a pentest.
Experts, go easy on me; if anything is wrong, criticism is welcome...
III. What do you need?
The following tools can be used:
Nessus
AWVS
AppScan
Burp Suite
sqlmap
GitHub and the Google search box
Hydra
Your own collection of CVE exploits
Tools for the various middleware vulnerabilities
Of course, the more tools you have ready, the better.
Some useful dictionaries
Weak passwords are a timeless problem. A company may have eliminated weak passwords on its admin backends, but with so many employees, some of them have probably never changed their original weak passwords...
Some devices, or the company itself, may still be on default passwords... so a good password dictionary is especially critical.
Running it with Hydra against brute-forceable services, or other useful points, often yields a good harvest.
Several ways to obtain or generate a dictionary:
Many good dictionaries are collected on GitHub, for example:
https://github.com/rootphantomer/Blasting_dictionary
You can find more on GitHub yourself.
You may also need to generate some special, customised dictionaries:
online generator one
online generator two
You can also try the following Python script:
pydictor (download and user guide)
Dictionaries provided by somd5:
https://www.somd5.com/download/dict/
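As an added example (not from the original article, and not one of the generators listed above), the following POSIX shell script shows the kind of targeted dictionary those generators produce: it mangles a few base words with case variants, years and suffixes, then merges in common keyboard walks. The base words "acme admin", the years and the suffixes are made up; substitute the target company's name, products and the current year.

```shell
#!/bin/sh
# Added example (not from the original article): build a small targeted
# password dictionary for hydra -P. The base words, years and suffixes
# passed in below are illustrative placeholders.

# gen_dict "word1 word2" "year1 year2" "suffix1 suffix2"
# Emits every combination of case variant + optional year + optional
# suffix, deduplicated while preserving order.
gen_dict() {
  words=$1 years=$2 suffixes=$3
  for w in $words; do
    upper=$(printf '%s' "$w" | tr '[:lower:]' '[:upper:]')
    cap=$(printf '%s' "$w" | cut -c1 | tr '[:lower:]' '[:upper:]')$(printf '%s' "$w" | cut -c2-)
    for v in "$w" "$cap" "$upper"; do
      for y in "" $years; do
        for s in "" $suffixes; do
          printf '%s%s%s\n' "$v" "$y" "$s"
        done
      done
    done
  done | awk '!seen[$0]++'
}

# keyboard_walks: adjacent-key patterns like the qwe123 the article mentions
keyboard_walks() {
  printf '%s\n' qwe123 qwer1234 1qaz2wsx 1q2w3e4r zaq12wsx qazwsx 123qwe
}

# build_dict: targeted combinations followed by keyboard walks, deduplicated
build_dict() {
  { gen_dict "$1" "$2" "$3"; keyboard_walks; } | awk '!seen[$0]++'
}

# Usage: write the list to a file and pass it to hydra with -P
out=${TMPDIR:-/tmp}/custom_pass.txt
build_dict "acme admin" "2018 2019" "! @ 123" > "$out"
wc -l < "$out"
```

With two base words, three case variants, three year options (none, 2018, 2019) and four suffix options (none, !, @, 123) the script emits 72 targeted candidates plus 7 keyboard walks. Keep such a list short and specific; a few hundred well-chosen candidates run in minutes against a lockout-protected login, where a generic 100,000-line list never finishes.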
You may need to learn to configure an IP address
If you have to plug into the network under test, they will usually require you to configure an IP manually; if you turn up on site not knowing how, you will be as embarrassed as I was...
Right-click:
Right-click your current network connection and select Properties:
Fill in the IP address they provided:
IV. How a novice opens a penetration test
In the spirit of slacking a little while staying reasonable: even if it is your first pentest and you do not know exactly what to do, the process should not look like you are doing nothing...
The operations below rely on off-the-shelf tools, so it is essential that all the security devices in between (firewalls and the like) have been configured to let your traffic through; with that done, even a novice with modest skills can make rational use of them.
Many experts have said the essence of pentesting is information gathering; the steps and tools have been covered in detail in many dedicated articles on Xianzhi (先知):
Information gathering
(https://xz.aliyun.com/search?keyword=%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86)
Companies that hire you for a pentest will usually give you some assets (IP ranges, device types and so on),
but generally that is not enough.
So completing the following steps can help you gather more information, to some extent...
Throw everything into the scanners
First, throw all the asset IPs into Nessus.
Nessus' own scan includes a port scan, but if it is too slow for you, run nmap as well...
nmap -p 1-65535 -T4 -A -v <IP>
If nmap is also too slow... masscan:
masscan <IP> -p0-65535 --rate 1000000
(A rate of 1,000,000 packets per second is far too aggressive for a shared intranet and will knock over devices or trip alarms; start around 1,000 to 10,000 and raise it only if the network tolerates it.)
Web ports that come out of the scan, such as 80, 8080 and 443 (check which ones you actually have), go into AWVS for further scanning and analysis.
Ports for ftp, ssh, mysql and so on can be thrown into Hydra for brute-forcing:
1. Cracking SSH:
hydra -l <username> -P <password dictionary> -t <threads> -e ns -vV <ip> ssh
hydra -l <username> -P <password dictionary> -t <threads> -o save.log -vV <ip> ssh
2. Cracking FTP:
hydra -l <username> -P <password dictionary> -t <threads> -vV <ip> ftp   (default 16 threads)
hydra -l <username> -P <password dictionary> -e ns -vV <ip> ftp
3. Cracking a web login that submits via GET:
hydra -l <username> -P <password dictionary> -t <threads> -e ns -vV <ip> http-get /admin/
hydra -l <username> -P <password dictionary> -t <threads> -vV -e ns -f <ip> http-get /admin/index.php
4. Cracking a web login that submits via POST:
hydra -l <username> -P <password dictionary> -s 80 <ip> http-post-form "/admin/login.php:username=^USER^&password=^PASS^&submit=login:sorry password"
hydra -t 3 -l admin -P pass.txt -o out.txt -f 10.36.16.18 http-post-form "/login.php:id=^USER^&passwd=^PASS^:<title>wrong username or password</title>"
(Parameters: -t 3 runs 3 threads; -l admin sets the username; -P pass.txt is the dictionary; -o out.txt saves the results; -f stops as soon as one valid credential is found; 10.36.16.18 is the target IP; http-post-form means the login form is submitted by POST. The module argument has three colon-separated fields: the path, the POST body with ^USER^ and ^PASS^ substituted, and the string that appears in the response when the login fails, here the <title> text; it may be prefixed with F=, or replaced by S=<string> to match a successful login instead.)
5. Cracking HTTPS:
hydra -l muts -P pass.txt 10.36.16.18 https-get /index.php
6. Cracking RDP:
hydra -l administrator -P pass.txt -V <ip> rdp
(Option reminder: -l takes one username and -L a username file; lowercase -p is a single password and uppercase -P a dictionary; -e ns additionally tries the empty password (n) and the username as the password (s).)
If port 445 is open, try MS17-010: throw it at the corresponding msf auxiliary verification module.
If 3389 is open, try the recently disclosed CVE-2019-0708 (in practice a lot of patching has been done); msf also has a scanner for it.
You can also use 360's vulnerability scanning tool, or search GitHub for other PoCs to verify with.
CVE-2019-0708: Windows RDP remote vulnerability detection tool download ( https://cert.360.cn/warning/detail?id=1caed77a5620fc7da993fea91c237ed5 )
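The "which port goes to which tool" routine above is easy to script. As an added example (not from the original article), the following POSIX shell script reads nmap's grepable output (-oG) and prints a per-port to-do list using the tools the article names: hydra for ftp/ssh/mysql/rdp, the msf scanners for 445 and 3389, showmount for NFS, AWVS plus dirsearch for web ports. The two hosts are constructed sample data, and users.txt / pass.txt are placeholder wordlist names. It extends the text slightly by also routing 2049 (NFS) and 6379 (Redis), which the article discusses later.

```shell
#!/bin/sh
# Added example (not from the original article): turn an nmap -oG scan
# into a per-port to-do list of the tools discussed above.
# sample_gnmap() is constructed data; users.txt / pass.txt are placeholders.

# sample_gnmap: constructed nmap -oG output for two fake intranet hosts
sample_gnmap() {
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 2049/open/tcp//nfs///\tIgnored State: closed (996)\n'
  printf 'Host: 10.0.0.6 ()\tPorts: 21/open/tcp//ftp///, 3306/open/tcp//mysql///, 3389/open/tcp//ms-wbt-server///, 6379/open/tcp//redis///, 8080/open/tcp//http-proxy///\n'
}

# plan_from_gnmap [FILE]: reads -oG lines (file or stdin) and prints
# "<host> <port> <next step>" for every open TCP port.
# -oG port entries look like port/state/proto/owner/service/rpcinfo/version/
plan_from_gnmap() {
  awk -F'\t' '
  /^Host:/ {
    host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
    ports = ""
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
    n = split(ports, list, /, /)
    for (j = 1; j <= n; j++) {
      split(list[j], f, "/")
      port = f[1]; state = f[2]; proto = f[3]; svc = f[5]
      if (state != "open" || proto != "tcp") continue
      scheme = (port == "443" || port == "8443" || svc ~ /^https/) ? "https" : "http"
      if (port == "21")
        step = "hydra -L users.txt -P pass.txt -t 4 -e ns -vV " host " ftp"
      else if (port == "22")
        step = "hydra -L users.txt -P pass.txt -t 4 -e ns -vV " host " ssh"
      else if (port == "3306")
        step = "hydra -L users.txt -P pass.txt -t 4 -e ns -vV " host " mysql"
      else if (port == "445")
        step = "msf auxiliary/scanner/smb/smb_ms17_010 (verify before any exploit attempt)"
      else if (port == "3389")
        step = "msf auxiliary/scanner/rdp/cve_2019_0708_bluekeep, then hydra -L users.txt -P pass.txt -V " host " rdp"
      else if (port == "2049")
        step = "showmount -e " host
      else if (port == "6379")
        step = "redis-cli -h " host " -p " port " info server (unauthenticated access check)"
      else if (svc ~ /^http/ || port == "80" || port == "443" || port == "8080" || port == "8443")
        step = "AWVS + dirsearch -u " scheme "://" host ":" port "/"
      else
        step = "manual review: " svc
      print host, port, step
    }
  }' "$@"
}

# Usage: plan_from_gnmap scan.gnmap   (or pipe -oG output into it)
sample_gnmap | plan_from_gnmap
```

Only ports reported as open/tcp are listed, so a filtered or closed port never generates a brute-force command; unknown services fall through to "manual review" rather than being silently dropped.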
While the various scans are running, you can carry out conventional attacks on a website: first brute-force directories (dirsearch or Yujian (御剑) will do),
then get familiar with each function point of the site and test each function for the corresponding vulnerabilities... capturing packets with Burp Suite where necessary and going through them one by one...
PS: When you start on a website you usually end up fighting the login box. Run a few weak-password dictionaries through Burp Suite, then test the login box further for SQL injection.
Also, if there is a registration page or a forgot-password page, try brute-forcing the verification code (4-digit codes are worth a try), SMS bombing, arbitrary account registration and so on.
Then remember to look at the URL: if it carries a parameter like ?returnurl=xxx.com, try an open redirect (URL jump).
(If a project has no login box, or the site will not even load, and you cannot proceed with testing, register a pair of test accounts yourself, or ask the client for them...)
While you are busy with the operations above you are not really slacking;
a script kiddie should at least look like a script kiddie.
Make good use of search to assist verification
After a period of waiting, Nessus and AWVS will have more or less finished scanning...
At that point, if you have not accumulated much experience yet, look up the scan results and use what you find (Baidu, Google, GitHub and so on...) to assist verification.
If a CVE is reported, search for it inside msf; if it is not there, look on GitHub for an exploit that can be used directly, or check whether an expert on one of the major forums has already covered it...
Then reproduce it manually. Along the way you may hit all sorts of odd reasons why the reproduction fails; these too can usually be resolved through good use of search.
The major forums really do have many very strong instructors; almost every vulnerability you encounter has already been analysed by a master somewhere.
Learning from their experience to complete your task is a real multiplier...
V. Discussing the interesting things encountered
Hindsight: I still had far too little accumulated knowledge...
NFS security risks
This was my first encounter with it. At first I thought nothing of it; after poking around I found I could see almost all of the shared data (orz...)
Nessus was what flagged the hole.
I later found a very detailed article that reproduces the vulnerability:
Penetration testing NFS ( https://www.freebuf.com/articles/network/159468.html )
It is simply two steps:
showmount -e <IP>
and mount the export locally:
mkdir <directory to create>
mount -t nfs <ip>:/<exported directory> /<directory you just created> -o nolock
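As an added example (not from the original article or the FreeBuf write-up), the following POSIX shell script turns showmount -e output into mount commands, tags exports that are open to everyone, and mounts read-only with soft timeouts so that a dead or hostile server cannot hang your shell and you cannot accidentally modify client data. The export list is constructed sample data and /mnt/nfs is an arbitrary local mount root.

```shell
#!/bin/sh
# Added example (not from the original article): plan read-only NFS mounts
# from "showmount -e" output. sample_showmount() is constructed data.

sample_showmount() {
  printf 'Export list for 10.0.0.5:\n'
  printf '/data              *\n'
  printf '/backup            10.0.0.0/24\n'
  printf '/home/dev          (everyone)\n'
}

# nfs_mount_plan HOST: reads showmount -e output on stdin and prints, per
# export, a WORLD/RESTRICTED tag, then mkdir and mount commands.
#   ro      never write to the client's data
#   nolock  skip the lock daemon (the article's -o nolock)
#   soft,timeo=30  fail instead of hanging if the server goes away
nfs_mount_plan() {
  host=$1
  awk -v host="$host" '
  /^Export list/ { next }
  NF >= 2 {
    export = $1; clients = $2
    for (i = 3; i <= NF; i++) clients = clients " " $i
    tag = (clients == "*" || clients == "(everyone)") ? "WORLD" : "RESTRICTED"
    dir = "/mnt/nfs/" host export
    printf "%s %s %s\n", tag, export, clients
    printf "mkdir -p %s\n", dir
    printf "mount -t nfs -o ro,nolock,soft,timeo=30 %s:%s %s\n", host, export, dir
  }'
}

# Usage: showmount -e 10.0.0.5 | nfs_mount_plan 10.0.0.5
sample_showmount | nfs_mount_plan 10.0.0.5
```

A RESTRICTED export such as /backup limited to 10.0.0.0/24 is still worth trying from inside that range; the tag only tells you which exports any host on the network can read.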
This can really yield a lot of data.
No screenshots...
Weak passwords, oh weak passwords
Really, so many weak passwords!
A tip:
The way to confirm a username while brute-forcing is to look at the response...
For example, if the username exists but the password is wrong, the site shows "username and password do not match", but if the username does not exist it shows "username does not exist".
Use the response to find valid usernames, then brute-force those usernames' passwords with a targeted dictionary.
If there is no such echo, test further through the forgot-password and similar flows: if the username is valid, it proceeds to the next step, such as sending an SMS verification code;
if it is not, it does not.
Generally, weak passwords show up in the following places:
login boxes with no limit on the number of failed logins;
login boxes without a CAPTCHA, or whose CAPTCHA can be bypassed (for example, one checked only on the front end).
After testing and some statistics, weak passwords fall roughly into the following situations:
a test account and password left in a JavaScript comment;
various login screens with various back-end test accounts, through which sensitive data is visible (which may be why the test account works in the first place);
the admin backends have had all their weak passwords changed, but elsewhere, such as office systems, employees never changed theirs, so after brute-forcing you can log in to employee accounts;
the system was developed externally and the external developers
set a weak test-account password, and something was lost in the handover, so the company does not even know the account exists;
many devices, such as firewalls inside the network, are still on the factory default password;
people are lazy and do not want a long password, but feel 11111 is too obvious, so they use a keyboard pattern such as qwe123, and a dictionary runs through a whole bunch of accounts.
MS17-010 verified, but no session came back
Before this I had only seen EternalBlue in online articles, where the reproduction is usually msf one-shotting a whole C class...
So when I actually met this vulnerability, the verification module (use auxiliary/scanner/smb/smb_ms17_010) reported success, but the exploit module never returned a session.
So I went to t00ls for help and posted [[seeking advice]] asking about using ms17-010 inside an intranet ( https://www.t00ls.net/thread-52382-1-1.html )
The following answer helped me a great deal...
"On 03, use Eternal Romance, not EternalBlue, which is useless there. Please use the original tools, not msf."
Then I learned about the history of EternalBlue and the original NSA toolkit.
One expert's online reproduction is really very detailed (orz):
Reproducing EternalBlue, Eternal Romance and Eternal Champion ( http://note.cfyqy.com/posts/caffa366.html )
Unfortunately, because time was short, I did not manage to exploit it in the end; with limited time a vulnerability often gets only one pass.
Is there really no SQL injection?
I feel strongly about this one. When learning SQL injection I knew exactly where the injection points are: CRUD, anywhere that interacts with the database may be injectable.
But in real practice my mind was full of the login box's username and password, and in pursuit of speed I developed the bad habit of testing only the obvious parameters.
So for a long time I dug up no SQL injection at all.
Finally, because of the nature of the site, the registration and forgot-password pages had to take a phone number (screenshots are inconvenient...), and an inconspicuous parameter inside a POST request turned out to be SQL-injectable...
The lesson: do not be lazy during the process.
Every GET and POST parameter that might interact with the database: test it by hand if you can, and run it through sqlmap if you cannot.
Be careful, and test every place.
sqlmap eventually dumped usable usernames and passwords...
Another small realisation: X-Forwarded-For (XFF) header injection really does exist; the testing process itself is about turning the impossible into the possible.
I had always thought XFF injection was only talked about as a way past the gpc filter, and that it required a perfect coincidence.
But in an office system under test, the developers needed to record which IP each user logged in from, and they took that IP from the XFF header.
So it is not surprising that this turned into a vulnerability.
My first encounter with a truly textbook flaw...
First, I got into the site with a weak password (manual laugh).
Then, while testing for other vulnerabilities, I suddenly noticed that the cookie carried the username and password, transmitted essentially in the clear.
The first thought, of course, was XSS; if XSS could steal that cookie it would be a very serious problem...
An afternoon spent looking for XSS,
and finally a reflected XSS in one parameter, with no HttpOnly set on the cookie, so the stolen cookie yielded the base64-encoded (not encrypted) username and password.
Redis unauthorized access
Redis with an improper configuration allows unauthorized access and can be abused by attackers.
A now-popular way of attacking unauthorized Redis: under certain conditions, if Redis runs as root, you can write your SSH public key into root's authorized_keys file and then log in to the victim server directly over SSH.
It can lead to the server being taken over and to data being deleted, leaked or encrypted for ransom, seriously harming normal business services.
Some Redis servers bind 0.0.0.0:6379 with no authentication enabled (this was the default configuration of old Redis versions; since Redis 3.2, protected-mode refuses remote clients when no bind address and no password are configured, so the exposed instances you meet today have usually had that switched off or bound explicitly).
I really did find that many companies have this; my advice to friends who have not come across it is to add it to their checklist...
There is a very detailed article on FreeBuf...
Redis unauthorized access in detail ( https://www.freebuf.com/column/158065.html )
One shot and you are root...
No screenshots, since all of it is sensitive data.
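The conditions behind the attack chain above (network-exposed bind, no password, protected mode off, CONFIG available so that dir and dbfilename can be redirected to /root/.ssh/authorized_keys) are all visible in redis.conf. As an added example (not from the original article or the FreeBuf write-up), the following POSIX shell script audits a redis.conf for exactly those settings, run against a constructed weak configuration and a constructed hardened one. The passphrase in the hardened file is a placeholder; whether the daemon runs as root is not in the config file and must be checked separately (for example with ps).

```shell
#!/bin/sh
# Added example (not from the original article): audit a redis.conf for the
# settings behind the unauthorized-access -> authorized_keys chain.
# Both configuration files below are constructed; the passphrase is a placeholder.

# active_lines FILE: configuration lines with comments and blanks stripped
active_lines() {
  grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# audit_redis_conf FILE: prints one finding per line; prints nothing if clean
audit_redis_conf() {
  conf=$1
  act=$(active_lines "$conf")
  if ! printf '%s\n' "$act" | grep -Eq '^[[:space:]]*bind[[:space:]]'; then
    echo "no bind directive: listens on every interface"
  elif printf '%s\n' "$act" | grep -Eq '^[[:space:]]*bind[[:space:]].*(0\.0\.0\.0|\*)'; then
    echo "bind 0.0.0.0: reachable from the whole network"
  fi
  if ! printf '%s\n' "$act" | grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]'; then
    echo "no requirepass: anyone who can reach the port has full access"
  fi
  if printf '%s\n' "$act" | grep -Eq '^[[:space:]]*protected-mode[[:space:]]+no'; then
    echo "protected-mode no: the 3.2+ safety net is switched off"
  fi
  if ! printf '%s\n' "$act" | grep -Eq '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]'; then
    echo "CONFIG not renamed: dir/dbfilename can be pointed at /root/.ssh/authorized_keys"
  fi
}

# Constructed weak configuration (the situation the article describes)
weak=${TMPDIR:-/tmp}/redis-weak.conf
cat > "$weak" <<'EOF'
bind 0.0.0.0
port 6379
protected-mode no
# requirepass foobared
dir /var/lib/redis
EOF

# Constructed hardened configuration
hard=${TMPDIR:-/tmp}/redis-hard.conf
cat > "$hard" <<'EOF'
bind 127.0.0.1
port 6379
protected-mode yes
requirepass replace-with-a-long-random-passphrase
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
EOF

echo "--- weak ---";     audit_redis_conf "$weak"
echo "--- hardened ---"; audit_redis_conf "$hard"
```

The weak file produces four findings and the hardened file none. Renaming CONFIG to an empty string disables it entirely, which breaks the authorized_keys trick even if the password is later leaked; if an application genuinely needs CONFIG, rename it to a long random string instead.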
Various middleware vulnerabilities
The various middleware vulnerabilities are covered in very detailed articles on the forums; you can check for them yourself.
A small observation:
Many companies run really very old versions, almost unpatched...
Although the IIS and Nginx parsing vulnerabilities sometimes cannot be exploited (finding an upload point is genuinely hard)...
if you see an older JBoss or WebLogic version, there are a lot of tools you can use.
Here are some useful tools:
Java deserialization integration tool
[Technology share] A Java RMI deserialization vulnerability detection tool ( https://www.freebuf.com/sectool/92011.html )
(https://www.anquanke.com/post/id/85681)
WeblogicScan (https://github.com/dr0op/WeblogicScan)
VI. In closing
In penetration testing, tools, experience and flexible thinking are all very important (although they are not the same thing)...
Sometimes, after getting a shell, people reflexively pop a reverse shell, run whoami, find their privileges are insufficient, check the system information and then try every kind of privilege escalation.
In fact these operations are sometimes not necessary; the ultimate goal may simply be to obtain certain information or data.
So judge from the actual situation whether escalation is needed; that is a good way to improve efficiency.
In addition, a cat ~/.bash_history can sometimes bring you some surprises.
Finally, a summary of knowledge from the intranet penetration roadmap of the strongest expert in history, with a few additions of my own.
Shared with you:
Summary of frequently used intranet penetration commands
This article is for research and discussion only; use for illegal purposes is strictly prohibited, and anyone doing so bears all the consequences.