2017-2018-2 20179209 "Network Attack and Defense" Week 7 Homework

Learning materials

The basic framework of the Windows operating system

The basic modules of the Windows operating system:

  • Windows executive
  • Windows kernel
  • Device drivers
  • Hardware abstraction layer (HAL)
  • Windows windowing and GUI kernel implementation code
  • System support processes
  • Environment subsystem service processes
  • Service processes
  • User applications
  • Core subsystem DLLs

Process thread management mechanism

Windows treats a process as a container for the runtime of an executable program, including:

  • A private virtual memory space descriptor
  • A list of handles to system resource objects
  • A security access token carrying the permissions of the user account that runs it (it also records the process ID and parent process ID)
  • At least one thread of execution, which is the body that executes the process's instructions

The thread control block (TCB) holds the context information for program execution:

  • CPU processor state and register contents
  • Both a kernel-mode stack and a user-mode stack
  • Thread local storage and the thread ID
  • At the same time, a thread shares the virtual address space, resource list and security access token of the process that owns it

PE file framework:

  • DOS header
  • PE header
  • Section table
  • Code sections
  • Data sections
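To make the PE layout above concrete, here is a small added example (not from the original notes) that walks a PE image in exactly that order: DOS header, PE signature, COFF file header, then the section table. The input is a constructed, headers-only image built inline; the struct layouts are the standard ones from the PE specification, and the W+X check is a defender's sanity check added for illustration.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000   # section Characteristics bits

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF file header -> section table."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]    # DOS header field: offset of PE header
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size                    # section table follows the optional header
    sections = []
    for i in range(nsect):
        off = sect_off + i * 40                            # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
    return {"machine": machine, "characteristics": chars, "sections": sections}

def wx_sections(info: dict) -> list:
    """Names of sections marked both writable and executable, a layout a reviewer should question."""
    wx = SCN_MEM_EXECUTE | SCN_MEM_WRITE
    return [s["name"] for s in info["sections"] if s["flags"] & wx == wx]

def build_sample_pe() -> bytes:
    """Constructed minimal PE image (headers only, not a real executable) used as sample input."""
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B)                         # optional header shortened to the PE32 magic
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, len(opt), 0x0022)

    def hdr(name, vaddr, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x100, vaddr, 0x200, rawptr, 0, 0, 0, 0, flags)

    return (dos + b"PE\0\0" + coff + opt
            + hdr(b".text", 0x1000, 0x400, 0x60000020)     # code: read + execute
            + hdr(b".data", 0x2000, 0x600, 0xC0000040)     # initialized data: read + write
            + hdr(b".rwx", 0x3000, 0x800, 0xE0000020))     # code: read + write + execute

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print([s["name"] for s in info["sections"]], "W+X:", wx_sections(info))
```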

Windows Network Mechanism

The device driver of the network card corresponds to the OSI physical layer; the NDIS library and miniport drivers correspond to the OSI data link layer; the TDI transport layer (network protocol drivers) corresponds to the OSI network and transport layers; the network API DLLs and TDI clients correspond to the OSI session and presentation layers; network application programs and service processes correspond to the OSI application layer.

Security Architecture and Mechanism of Windows Operating System

Security Architecture

Windows is based on the classic reference monitor security model, whose core is the SRM (Security Reference Monitor) located in the kernel. Together with the user-mode LSASS security service and services such as Winlogon/Netlogon and Eventlog, it implements authentication of security principals, access control over all resource objects, and security auditing of accesses.

  • Authentication
  • Authorization and access control
  • Security audit
  • Windows Security Center

Security principals

  • User
  • User group
  • Computer

Each principal is identified by a security identifier, the SID.
The SAM is located at %systemroot%\system32\config\sam, and a copy is stored in the registry under HKEY_LOCAL_MACHINE\SAM.
The authorization and access control mechanism of Windows is based on the reference monitor model and is implemented by the SRM module in the kernel and the LSASS service in user mode. The SRM mediates every access by a security principal (subject) to an object resource and authorizes the operation according to the configured access control list.
The main attributes of the object security descriptor (SD) consist of:

  • Owner SID
  • Group SID
  • DACL discretionary access control list
  • SACL System Audit Access Control List
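The following added example (not from the original notes) models the security descriptor fields just listed and the SRM access check that walks the DACL: a simplified, ordered evaluation of allow/deny ACEs against the SIDs in an access token. The account SIDs and access-mask subset are constructed for the example; the two well-known SIDs are real.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed subset of the Windows access mask, enough to show the DACL walk
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
EVERYONE, ADMINISTRATORS = "S-1-1-0", "S-1-5-32-544"   # well-known SIDs

@dataclass
class Ace:
    kind: str   # "allow", "deny" (DACL) or "audit" (SACL)
    sid: str    # SID the ACE applies to (user or group)
    mask: int   # access rights granted, denied or audited

@dataclass
class SecurityDescriptor:
    owner_sid: str
    group_sid: str
    dacl: Optional[List[Ace]]                      # None = no DACL at all: everyone gets full access
    sacl: List[Ace] = field(default_factory=list)  # audit ACEs; not consulted by access_check

def access_check(sd: SecurityDescriptor, token_sids: Set[str], desired: int) -> bool:
    """Simplified SRM-style DACL evaluation. token_sids is the user SID plus group SIDs from the
    access token. ACEs are walked in order: a deny ACE covering any still-ungranted requested bit
    fails the check; allow ACEs accumulate bits until every requested bit is granted.
    Owner-implicit rights (READ_CONTROL, WRITE_DAC) are omitted for brevity."""
    if sd.dacl is None:
        return True                      # no DACL: full access (an empty DACL grants nothing)
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & desired & ~granted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired

# Constructed sample: an object owned by Alice; Bob is explicitly denied WRITE even though he
# is an Administrator, and Everyone is allowed READ. The account SIDs are made up.
ALICE, BOB = "S-1-5-21-1000-1001", "S-1-5-21-1000-1002"
SAMPLE_SD = SecurityDescriptor(
    owner_sid=ALICE, group_sid=EVERYONE,
    dacl=[Ace("deny", BOB, WRITE),                           # canonical order: explicit denies first
          Ace("allow", EVERYONE, READ),
          Ace("allow", ADMINISTRATORS, READ | WRITE | EXECUTE)],
    sacl=[Ace("audit", EVERYONE, WRITE)])                    # would log write attempts if enforced
BOB_TOKEN = {BOB, EVERYONE, ADMINISTRATORS}                  # SIDs carried by Bob's access token
ALICE_TOKEN = {ALICE, EVERYONE}
```

Because the deny ACE precedes the Administrators allow ACE, `access_check(SAMPLE_SD, BOB_TOKEN, WRITE)` is False while read-and-execute is still granted to Bob through Everyone plus Administrators.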

Windows Remote Security Attack and Defense Technology

Classification of remote attack techniques

  • Remote password guessing and cracking attacks
  • Attack Windows Network Services
  • Attack Windows clients and users

Windows system security vulnerability life cycle:

  • Vulnerability discovery and disclosure
  • Penetration Testing and Exploitation Attacks
  • Bug fix

Microsoft Patch Day - Second Tuesday of every month.

Well-known Vulnerability Repository:

  • CVE
  • NVD
  • SecurityFocus
  • OSVDB

Penetration testing attack process for a specific target

  • Vulnerability Scanning Test
  • Find exploit code for discovered vulnerabilities
  • Conduct penetration testing

Metasploit adopts an extensible architecture of a development framework plus modular components; the MSF library, written in Ruby, is the core of the whole software.

Remote password guessing

The most common remote password guessing tools include:

  • Legion
  • enum
  • SMBGrind
  • NTScan
  • XScan
  • Streamer (by Xiaorong Software)

Automated Terminal Services Password Guessing Tool:

  • TSGrinder
  • Brutik
  • FastRDP Brute
  • DUBrute

sqlbf and Auto-SQL perform password guessing against MSSQL on ports 1433 and 1434.
THC's Hydra and Brutus support password guessing against services such as SharePoint that run over HTTP and HTTPS.

Windows network authentication uses three protocols: LanMan, NTLM and Kerberos.

Cain & Abel is currently the most comprehensive password cracking tool, known as the "Black Realm God Soldier".

Remote password guessing precautions

  • Close unnecessary network services that are exposed to remote password guessing attacks wherever possible (the SMB service on port 139/145, the WMI service on port 135, the TS terminal service on port 3389, the MSSQL service on port 1433)
  • Configure the host firewall to restrict access to the above ports
  • Use network firewalls to restrict access to these services
  • Disable the obsolete and intrinsically flawed LanMan and NTLM authentication
  • Use strong passwords
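The precautions above reduce exposure; the other half of the defence is noticing guessing while it happens. This added example (not from the original notes) runs a sliding-window detector over a few constructed, simplified failed-logon records in the style of Security log Event ID 4625, flagging sources that hammer one account (guessing) or walk through many accounts (spraying). The record layout and the SMB/Terminal Services logon-type mapping are assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of simplified Security-log records: timestamp, event id (4625 = failed logon,
# 4624 = success), target account, source IP, logon type (3 = network/SMB, 10 = Terminal Services).
SAMPLE_LOG = """\
2018-04-10T09:00:01 4625 administrator 10.0.0.7 3
2018-04-10T09:00:02 4625 administrator 10.0.0.7 3
2018-04-10T09:00:03 4625 administrator 10.0.0.7 3
2018-04-10T09:00:04 4625 administrator 10.0.0.7 3
2018-04-10T09:00:05 4625 administrator 10.0.0.7 3
2018-04-10T09:01:00 4625 alice 10.0.0.9 3
2018-04-10T09:05:00 4625 alice 10.0.0.9 3
2018-04-10T09:12:00 4624 alice 10.0.0.9 3
2018-04-10T09:20:00 4625 alice 10.0.0.5 10
2018-04-10T09:20:05 4625 bob 10.0.0.5 10
2018-04-10T09:20:10 4625 carol 10.0.0.5 10
2018-04-10T09:20:15 4625 dave 10.0.0.5 10
2018-04-10T09:20:20 4625 erin 10.0.0.5 10
"""

def parse_log(text: str) -> list:
    """Turn the whitespace-separated sample records into dicts."""
    events = []
    for line in text.splitlines():
        ts, eid, account, src, ltype = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "account": account, "source": src, "logon_type": int(ltype)})
    return events

def detect_guessing(events: list, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Flag source IPs with >= threshold failed logons in any sliding window; many accounts => spraying."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["source"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        start, peak = 0, 0
        for end, e in enumerate(evs):                  # two-pointer sliding window
            while e["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            accounts = sorted({e["account"] for e in evs})
            alerts[src] = {"peak_failures": peak, "accounts": accounts,
                           "logon_types": sorted({e["logon_type"] for e in evs}),
                           "pattern": "password spraying" if len(accounts) >= 3 else "password guessing"}
    return alerts
```

Running `detect_guessing(parse_log(SAMPLE_LOG))` flags 10.0.0.7 (five failures on one account over SMB) and 10.0.0.5 (five accounts over Terminal Services) but not 10.0.0.9, whose two failures are minutes apart.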

Network service remote penetration attack prevention measures

  • Minimize security vulnerabilities at their source, in software design and development
  • Update and apply software security patches as quickly as possible
  • Defend against "zero days"
  • Security checklists
  • Intrusion detection and prevention mechanisms

Windows local security attack and defense technology

The main privilege escalation methods on Windows systems are DLL injection (GetAdmin) and exploiting security vulnerabilities in local programs.
The main ways to obtain the password ciphertext (password hashes) locally include:

  • Copying the password ciphertext file from the file system after booting into another operating system
  • Creating a copy from the SAM backup file
  • Extracting the password ciphertext directly from the SAM file or Active Directory with the pwdumpX series of tools

LSA Secrets, located under the HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets subkey, contain a lot of sensitive information about logon passwords. Tools such as Lsadump2 (which uses the same DLL injection technique as pwdump2), Cachedump, and LSASecretsDump (with integrated password cracking) can help attackers read these passwords.
L0phtCrack is a classic Windows password cracking program that integrates dictionary, brute-force, combination and rainbow-table cracking techniques. It supports the following password ciphertext formats:

  • Local registry
  • Original SAM file
  • SAM backup file
  • Password ciphertext captured by network sniffing
  • L0phtCrack's own format
  • pwdumpX series output

John the Ripper is mainly used to crack the passwords of UNIX/Linux systems and also supports Windows password cracking, but its limitation is that it can only crack passwords hashed with the LanMan protocol and does not support cracking NTLM hashes.

Covering tracks on Windows

  • Turn off auditing
    The auditpol program in the Windows Resource Kit can turn off the audit function.
  • Clear the event logs
    Use the Event Viewer to open, read, and clear logs. Metasploit's irb shell scripts can also clear logs, as can elsave.

Meterpreter's design goals include:

  • Stealth
  • Powerful
  • Flexible and extensible

Video learning

Metasploit exploitation basics

Metasploit is often used in penetration testing. The software actually includes many tools, which together form a complete attack platform. Individually they may not be the best tool for every aspect of penetration testing, but combining them in one framework makes it powerful.

Module introduction:

  • auxiliary: auxiliary modules
  • encoders: encoders used by the msfencode tool
  • exploits: attack modules
  • payloads: the attack payloads, that is, the code executed after an attack succeeds
  • post: post-exploitation modules, attack code that can be used after a Meterpreter shell has been obtained

Basic commands:

  • msfpayload: used to generate payloads or shellcode.
  • msfencode: the encoder; it was originally used to encode payloads to evade antivirus, and is now commonly used together with msfpayload to avoid the bad characters of an exploit.
  • msfconsole: opens the Metasploit console.

Introduction to Meterpreter for Vulnerability Exploitation

Meterpreter is an extension module of the Metasploit framework that is used as the attack payload after a successful overflow. Once the overflow attack succeeds, the payload returns a control channel to us; using it as the payload gives us a Meterpreter shell connection to the target system.
As a post-exploitation module, Meterpreter has many variants, and its commands consist of core commands and extension library commands, which greatly enriches the available attack methods. It has many useful functions, such as adding a user, hiding things, opening a shell, obtaining user passwords, uploading and downloading files on the remote host, running cmd.exe, capturing the screen, obtaining remote control, capturing keystrokes, clearing applications, displaying the remote host's system information, and displaying the remote machine's network interfaces and IP addresses.
Common commands:

  • background: put the current session in the background
  • load/use: load a module
  • interact: switch into a channel
  • migrate: migrate to another process
  • run: execute an existing module
  • resource: execute an existing RC script

Metasploit post-penetration testing

Once a foothold host has been obtained with a certain level of privilege, the next step is to actively extend access to hosts on the intranet, obtain information about the specified targets, and look for vulnerabilities in their systems. With the Meterpreter backdoor that MSF has already obtained, this series of operations becomes much easier.

BeEF exploitation

The BeEF browser exploitation framework often needs strong framework support for XSS vulnerabilities, such as the XSS platforms found on the Internet. Under Kali, BeEF is a tool that is in no way inferior to such XSS platforms; it focuses on browser-side penetration testing.


