I. Description

Books such as Metasploit Penetration Testing Devil Boot Camp cover the penetration testing process quite thoroughly, but even after reading them many times I still feel lost: given a host to penetrate, I still do not know exactly how to go about it. There are two main problems.

The first is that when penetrating an operating system, the critical step from vulnerability analysis to exploitation is hard to cross. According to the book, vulnerability analysis relies only on OpenVAS and similar vulnerability scanners, and exploitation relies only on Metasploit's search, yet Metasploit has exploit modules for only a fraction of the vulnerabilities such scanners report.

The second is that when it comes to penetrating web systems, the book, like many others, only describes classes of vulnerabilities; it is not at all clear where in a web system I should test for which vulnerabilities.

This article first affirms and summarizes the steps of current mainstream penetration testing, second expands the path from vulnerability analysis to exploitation when penetrating an operating system, and third proposes a "function → corresponding detection point" trigger-based approach to penetrating web systems.

II. Penetration of the operating system (service version vulnerability detection)

Operating system vulnerabilities are generally discovered by experts through code audit or reverse engineering, which requires a deep knowledge base. For ordinary penetration it is enough to use known vulnerabilities; there is neither a need nor a requirement to dig up new ones. The key step in finding operating system vulnerabilities is to determine the software behind each port and its version, then use software name + software version to look up vulnerabilities, and even EXPs (exploits), in the various vulnerability databases. Call this "service version vulnerability detection".
2.1 Obtaining the software listening on the port and its version number

For example, suppose we detect that port 8080 is served by Tomcat, version 8.5.14.

2.2 Search existing vulnerability databases for the vulnerability list of the software and version

2.2.1 Search the CVE database for the vulnerability list of the software and version

CVE-2017-12617 is an example of a Tomcat 8.5.14 vulnerability.

2.3 Viewing CVE information

2.3.1 Viewing CVE information in CVEDetails

2.3.2 Viewing CVE information in MITRE

2.4 Searching for an EXP using the CVE

2.4.1 Scroll to the References section of the CVEDetails or MITRE entry above; the reference area of CVE-XXX may contain EXP links.

The Exploit-DB link and the corresponding Metasploit module for CVE-2017-12617 are already visible above.

2.4.2 Follow the Twitter/YouTube/Google search links directly from the CVEDetails page above

2.4.3 Search the Metasploit database for an EXP (the database may need to be updated in msfconsole first)

2.4.4 Search Exploit-DB for an EXP (without a way past the firewall the site's CAPTCHA usually cannot be loaded, so use searchsploit in Kali instead)

2.4.5 Searching for an EXP on GitHub

2.4.6 OpenVAS and other system vulnerability scanners
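As an added illustration of steps 2.1 to 2.4 (example code, not from the original post), the script below parses an Nmap-style service line, compares the reported version numerically against a small vulnerability index, and returns the CVEs whose affected range covers it. The index rows, the scan lines and the CVE-0000-PLACEHOLDER entry are constructed for the example; the 8.5.0 to 8.5.22 range for CVE-2017-12617 follows the public advisory, and a real tool would load the index from an NVD/CVE feed.

```python
import re

# Constructed sample vulnerability index for this example. A real tool would
# query an NVD/CVE feed; the CVE-2017-12617 row is the CVE used in the post,
# with the affected 8.5 branch range (8.5.0 to 8.5.22) taken from the public
# advisory. CVE-0000-PLACEHOLDER is a made-up entry used to show a non-match.
SAMPLE_INDEX = [
    {"cve": "CVE-2017-12617", "product": "tomcat", "min": "8.5.0", "max": "8.5.22"},
    {"cve": "CVE-0000-PLACEHOLDER", "product": "openssh", "min": "1.0", "max": "6.9"},
]

# Matches Nmap-style service lines such as "8080/tcp open  http  Apache Tomcat 8.5.14".
BANNER_RE = re.compile(
    r"^(?P<port>\d+)/tcp\s+open\s+\S+\s+(?P<product>.+?)[ /](?P<version>\d+(?:\.\d+)+)"
)

def parse_version(v: str) -> tuple:
    """Turn '8.5.14' into (8, 5, 14) so comparison is numeric, not lexical
    ('8.5.9' < '8.5.14' as versions, but not as strings). Suffixes such as
    'M1' or 'p1' are dropped, which is good enough for a first triage pass."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high, padding shorter tuples with zeros
    so that '8.5' is treated as '8.5.0'."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    n = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(lo) <= pad(v) <= pad(hi)

def match_banner(line: str, index=SAMPLE_INDEX):
    """Map one service line to the CVEs whose product and version range cover it.
    Returns None when the line carries no parsable product/version."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    product, version = m["product"].lower(), m["version"]
    cves = sorted({e["cve"] for e in index
                   if e["product"] in product and in_range(version, e["min"], e["max"])})
    return {"port": int(m["port"]), "product": m["product"], "version": version, "cves": cves}

if __name__ == "__main__":
    # Constructed scan output matching the post's example of Tomcat 8.5.14 on port 8080.
    for line in ["8080/tcp open  http  Apache Tomcat 8.5.14",
                 "22/tcp   open  ssh   OpenSSH 7.4"]:
        print(match_banner(line))
```

The numeric comparison is the point: as plain strings "8.5.9" sorts after "8.5.14", which would silently produce wrong matches.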
III. Penetration of web systems (function-triggered detection)

Web systems can also be attacked through existing vulnerabilities, such as CMS vulnerabilities (e.g. ECShop), plugin vulnerabilities (e.g. WordPress plugins), framework vulnerabilities (e.g. Struts deserialization) and middleware vulnerabilities (e.g. WebLogic deserialization). Once you have confirmed which CMS, plugins, framework and middleware the web system uses, these vulnerabilities can be looked up in the vulnerability databases exactly as for operating system vulnerabilities. Web penetration, however, is more about digging up the system's own vulnerabilities.

I like to divide web vulnerabilities into business logic vulnerabilities and technical vulnerabilities. Business logic vulnerabilities are specific to each system's own implementation and have no uniform signature, so general-purpose scanners cannot find them. Technical vulnerabilities arise from consistent implementations or shared third-party components, so they have relatively uniform signatures and can be found by general-purpose scanners.

Many tutorials explain every kind of vulnerability very clearly, but when it comes to actual penetration there is always one of two feelings: given a kind of vulnerability, you do not know where to look for it; given a location, you do not know what vulnerabilities might exist there. Combining this with my own experience, I think a table of "function → corresponding detection points" can be built. From then on, when penetrating a web system, as soon as I see a certain function I test its corresponding detection points. Call this "function-triggered detection".
3.1 Information gathering (the purpose of information gathering is to narrow down the range of applicable techniques)

Real IP of the site: webmaster tools, nslookup, dig, www.cz88.net, traceroute
Operating system: TTL value, index.php case test, response to a non-existent page
Website language: suffix of index and other pages, response headers
Web server: response to non-existent pages, response headers, WhatWeb
Database: injection error messages, telnet to the database port
Host ports: Nmap, arp_sweep, portscan
Subdomain enumeration: subdomain.chaxun.la
CMS: "Powered by" footer, search `site:<target> "CMS"`; then search Baidu for "XXX CMS vulnerability"
Attack surface enumeration: crawlers such as AWVS to discover pages; Yujian (御剑), dirb and similar brute-force tools to discover hidden pages; if the application speaks a standard protocol, consult the protocol specification to find hidden interfaces or hidden parameters
3.2 Business logic vulnerability detection (every function can be attacked)

| Phase | Function | Corresponding detection point |
|---|---|---|
| Identity authentication | User registration | Whether the same user can be registered repeatedly |
| Identity authentication | Password change | Whether the password-change logic is flawed |
| Identity authentication | Password reset | Whether the password-reset logic is flawed |
| Identity authentication | SMS verification code | SMS bombing (unlimited sending) |
| Identity authentication | SMS verification code | Whether the SMS verification code can be brute-forced |
| Identity authentication | Image verification code | Whether the CAPTCHA can be reused |
| Identity authentication | Login | Whether the login logic is flawed |
| Identity authentication | User credential storage | Whether login credentials are kept in localStorage or sessionStorage |
| Session management | Login | Whether the session ID generation mechanism is abnormal |
| Session management | Login | Whether there is an automatic timeout logout |
| Session management | Logout | Whether the session ID is invalidated after logout |
| Access control | Viewing user information | Whether other users' pages can be accessed (horizontal privilege escalation) |
| Access control | Administrator interface | Whether admin pages can be accessed without permission (vertical privilege escalation) |
| Access control | Administrator interface | Whether the server responds when an ordinary user sends the admin request directly |
| Business logic | Purchase | Whether the backend re-checks a modified price |
| Business logic | Multi-step function | Whether some of the steps can be skipped |
| Business logic | Request rate limit | How the server enforces the limit and whether it can be bypassed |
| Business logic | Friend lookup | Whether the friends query returns friends' passwords or other sensitive data |
3.3 Technical vulnerability detection

| Function | Corresponding detection point | Basic test string | Related tools |
|---|---|---|---|
| Reading data from the database | Whether SQL injection exists | `and '1'='1` | sqlmap |
| User input is echoed on the front-end page | Whether XSS exists | | AWVS etc. |
| The function uses a request/response pattern | Whether CSRF exists | | AWVS etc. |
| File upload | Whether file type and size are restricted | | |
| File download | Whether directory traversal exists | `../etc/passwd` | |
| File browsing | Whether directory traversal exists | `../etc/passwd` | |
| Calling system commands | Whether command injection exists | `; cat /etc/passwd` | |
| Redirect | Whether a redirect target can be injected (open redirect) | | |
| Parameters | Whether an overlong parameter causes an overflow | `01234567890123456789` | |
| Parameters | Whether special characters in parameters cause program errors | | |
| Parameters | Whether missing parameters cause program errors | | |
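As an added defender-side example (not from the original post), the Python below runs the probe strings from the table above as detection rules over web access-log lines: tautology injection (`and '1'='1`), `../` traversal, `; cat` command injection and overlong parameters, URL-decoding twice so encoded and double-encoded variants are caught. The log lines are constructed, and the regular expressions and the 256-byte length threshold are the example's own choices.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined-format access line: we only need the client IP and the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Each rule mirrors one basic test string from the technical vulnerability table.
RULES = {
    "sqli_tautology": re.compile(r"\b(?:and|or)\b\s*'?\w*'?\s*=\s*'?\w", re.I),        # and '1'='1
    "path_traversal": re.compile(r"\.\.[/\\]"),                                         # ../etc/passwd
    "command_injection": re.compile(r"[;|&`]\s*(?:cat|ls|id|whoami|wget|curl)\b", re.I),  # ; cat /etc/passwd
}
MAX_PARAM_LEN = 256  # example threshold: longer values are treated as overflow probes

def decode(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded probes (..%252F) are seen."""
    value = value.replace("+", " ")
    for _ in range(rounds):
        value = unquote(value)
    return value

def inspect_line(line: str):
    """Return (ip, rule, parameter) triples for every suspicious query parameter."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for pair in urlsplit(m["target"]).query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode(raw)
        if len(value) > MAX_PARAM_LEN:
            findings.append((m["ip"], "overlong_parameter", name))
        for rule, pattern in RULES.items():
            if pattern.search(value):
                findings.append((m["ip"], rule, name))
    return findings

def inspect_log(lines):
    return [f for line in lines for f in inspect_line(line)]

# Constructed sample log lines (not real traffic): one benign request, five probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /download?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=1%20and%20%271%27%3D%271 HTTP/1.1" 200 2048',
    '10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "GET /ping?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=' + "A" * 300 + ' HTTP/1.1" 500 0',
]
```

Decoding before matching is what catches the third line; a rule applied to the raw URL would miss `%252F`.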
IV. Other types of penetration

4.1 Client attacks

Principle: exploit a parsing error (overflow) in client software so that the EXP embedded in a file is executed.

The browser_autopwn module builds a web page that automatically launches overflow attacks against the visiting browser.

The ms10_087 module generates a malformed file and waits for the target to open it.

adobe_cooltype_sing generates a malformed PDF targeting Adobe Reader.

4.2 Social engineering

Use msfvenom to generate Trojans carrying a payload for each platform.

Use SEToolkit to build phishing websites or e-mails carrying malformed files.

UltraISO + Hacksaw to build a Trojan boot disk.

Search registration-information sites with a target's name, phone number or e-mail address.

4.5 Wireless security

Aircrack-ng: cracking Wi-Fi passwords.

airmon-ng: impersonate an AP and use Karma to set up the impersonation service.

4.6 Post-exploitation

So-called post-exploitation is the work done after obtaining a shell on the host: privilege escalation, clearing logs, adding a more stable backdoor, intranet penetration, and so on.

Meterpreter can be understood as the counterpart of Windows CMD or a Linux shell.

Logs: C:\Windows\System32\winevt\Logs, /var/log