2017-2018-2 20179216 "Network Attack and Defense and Practice" Week 8 Summary

Textbook Content Summary


An overview of the basic framework of the Linux operating system

  • The development and status quo of the Linux operating system
    On the basis of a unified kernel code base, the Linux open source community has developed a large number of distributions tailored to the needs of different user groups. Popular ones include Ubuntu, Debian, Fedora, CentOS, RHEL, openSUSE and Slackware. Being open source and free of charge is the main reason Linux has become one of the most widely followed operating systems.

  • Advantages of Linux
    (1) Cross-platform hardware support (most of the Linux kernel is written in C and follows the portable UNIX standard application programming interfaces)
    (2) Rich software support
    (3) Multi-user, multi-tasking (several users can work on the system concurrently)
    (4) Reliable security (using Linux's built-in firewall, intrusion detection and authentication tools, and patching vulnerabilities promptly, greatly improves the security of a Linux system)
    (5) Good stability (the kernel source is designed and optimized for standard 32-bit and 64-bit CPUs, which helps ensure system stability)
    (6) Complete networking support

  • Linux system structure
    (1) Linux process and thread management mechanism
    (2) Linux memory management mechanism
    (3) Linux file system management mechanism
    (4) Linux device control mechanism
    (5) Linux network mechanism
    (6) Linux system call mechanism

Second, Linux operating system security mechanism

  • The core security mechanisms of the Linux operating system include: identity authentication, authorization and access control, and security auditing

    • Linux authentication mechanism
      (1) Linux user
      (2) Linux user group
      (3) Linux local login user authentication mechanism
      (4) Linux remote login user authentication mechanism
      (5) Linux unified authentication middleware-PAM

    • Linux authorization and access control mechanism
      (1) File owner
      (2) File access permissions
      (3) Special execution permissions of files (SUID/SGID)
      (4) Deficiencies and improvements of the Linux access control mechanism

    • Security Audit Mechanism

Three, Linux system remote attack and defense technology

  • Main Methods of Invading Linux System on Remote Network
    • Linux remote password guessing attacks
      (1) Brutus: known as one of the fastest and most flexible remote password guessing tools
      (2) THC Hydra: a very fast network authentication password guessing tool
      (3) Cain and Abel: a Windows password recovery tool that also supports SSH under Linux and remote password guessing against various network application services

    • Linux network service remote penetration attack
      (1) Remote penetration attack of Linux network service
      (2) Implementation of network protocol stack in Linux kernel
      (3) Network service in LAMP Web website construction solution
      (4) FTP, Samba and other file sharing services
      (5) Email sending and receiving services
      (6) Other network services
      (7) Security solutions for remote penetration attacks on network services

    • Attack Linux client programs and users
    • Attacking Linux routers and listeners
    • Metasploit

  • Security precautions against remote penetration attacks on network services
    (1) Disable all unnecessary network services
    (2) Try to choose more secure network protocols and service software, and deploy them using best security practices
    (3) Update network service versions in a timely manner
    (4) Use xinetd and firewall to add network access control mechanism for Linux network services
    (5) Establish intrusion detection and emergency response planning process

Four, Linux system local security attack and defense technology

  • Linux local privilege escalation
    (1) Linux user password cracking
    (2) Privilege escalation using sudo flaws
    (3) Privilege escalation using user-mode SUID program vulnerabilities
    (4) Local buffer overflow attacks against SUID programs
    (5) Symbolic link attacks against SUID programs
    (6) Race condition attacks against SUID programs
    (7) Shared library attacks against SUID programs
    (8) Exploiting kernel-space code vulnerabilities for privilege escalation
    (9) Exploiting system misconfiguration for local privilege escalation
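The local privilege escalation vectors listed above share a common precondition: a setuid binary, a sudo rule or a library path that the attacker can reach or influence. The following enumeration script is an added example, not from the textbook, of how a pentester (or a defender doing a self-audit) checks a host for that surface. The directory arguments and the files it is run against are whatever you pass in; on a real host run it against `/`.

```shell
#!/bin/sh
# Added example (not from the course notes): enumerate the local privilege
# escalation surface of a Linux host. Pass one or more directory roots.

# List setuid or setgid regular files under the given roots.
# -perm -4000 = setuid bit set, -perm -2000 = setgid bit set.
# -xdev keeps find on one filesystem so /proc and network mounts are skipped.
find_suid() {
  find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# Setuid files that are writable by others: an attacker can overwrite the
# binary itself, the simplest form of the SUID attacks listed above.
find_writable_suid() {
  find "$@" -xdev -type f -perm -4000 -perm -0002 2>/dev/null | LC_ALL=C sort
}

# Sudo rules the current user may run without a password.
# "sudo -n" never prompts, so this is safe to run non-interactively.
sudo_nopasswd() {
  sudo -n -l 2>/dev/null | grep -E 'NOPASSWD' || true
}

# Files controlling the dynamic loader's search path. If any of these are
# writable, a shared library attack against SUID programs becomes possible.
loader_config_writable() {
  for f in /etc/ld.so.preload /etc/ld.so.conf; do
    [ -w "$f" ] && echo "writable: $f"
  done
  return 0
}

# Run everything when executed directly (not when sourced by a test).
if [ "${0##*/}" = "suid_audit.sh" ]; then
  echo "== setuid/setgid files";       find_suid "${1:-/}"
  echo "== other-writable setuid";     find_writable_suid "${1:-/}"
  echo "== passwordless sudo";         sudo_nopasswd
  echo "== writable loader config";    loader_config_writable
fi
```

Save it as `suid_audit.sh` and run `sh suid_audit.sh /` as the low-privilege user you are assessing. Anything reported by the second or fourth check is a direct escalation path; the first list is the starting point for the buffer overflow, symlink and race condition vectors above, and is worth diffing against a known-good baseline.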

  • Covering tracks on Linux systems
  • System remote control backdoor program

kali video (31-35) learning


SET exploited by Kali

The Social Engineering Toolkit (SET) is an open-source, Python-driven social engineering penetration testing tool that provides a very rich library of attack vectors. It is usually used in conjunction with Metasploit.

  • Enter: setoolkit, open the SET suite
    menu options:
    1 is social engineering attack
    2 is Fast-Track penetration test
    3 is 3rd party module

  • Enter 1 and press Enter; there are 11 modules.
  1. Spear-phishing attack
  2. Website attack
  3. Infectious media attack
  4. Create payload and listener
  5. Mass mailer attack
  6. Arduino-based attack
  7. SMS spoofing attack
  8. Wireless access point attack
  9. QR code attack
  10. PowerShell attack
  11. Third-party modules
  • Option 1: Spear-phishing attack

  • The payload can be paired with different file-format exploits.

  • Option 2: Website attack framework. When the victim visits the generated page and the triggering condition is present on their system, a backdoor is implanted. For example, the Java Applet Attack method requires the target to have a Java runtime environment. For the exercise you can either build a page from a template or clone an existing website.

  • The cloned website can be served under the real domain name by combining it with sniffing and spoofing on the local network (DNS spoofing, see below).

  • Option 3: Infectious media attack

  • Option 4: Create a payload and listener, similar to the payloads provided by Metasploit

  • Option 7: SMS spoofing attack, sending fake SMS messages to others while disguising the sender

KaliSecurity - Sniffing spoofing and man-in-the-middle attacks

The man-in-the-middle attack routine under Linux is the same as elsewhere. This section covers ARP spoofing, DNS spoofing, sniffing and session hijacking.

1. Enable IP forwarding on Kali
   echo 1 > /proc/sys/net/ipv4/ip_forward
   cat /proc/sys/net/ipv4/ip_forward   (should now print 1)

2. Set up sslstrip
   To hijack SSL sessions, HTTPS links are downgraded to HTTP. First redirect the victim's port 80 traffic to the port sslstrip will listen on:
   iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8081
   Then start sslstrip on that port: sslstrip -l 8081
   Caveat: sslstrip only works against sites that a browser will still load over plain HTTP; HSTS (in particular preloaded HSTS) defeats it for most modern sites.

3. Preparing ettercap
   ettercap is a toolkit for man-in-the-middle attacks, as well known as the dsniff suite. It supports plug-ins and filter scripts, and displays captured accounts and passwords directly without manual extraction. Before the first man-in-the-middle operation, configure ettercap under Kali. The configuration file is /etc/ettercap/etter.conf: set both ec_uid and ec_gid to 0, and remove the comment sign ("#") from the iptables redir_command lines so that ettercap can install the port redirection itself. Then open the graphical interface with ettercap -G and select the default eth0 as the sniffing interface.

4. Using ettercap
   In ettercap choose Sniff > Unified sniffing and select the interface, then Hosts > Scan for hosts and, after the scan, Hosts > Hosts list to pick the targets.

5. Dsniff suite introduction
   The dsniff suite consists mainly of arpspoof and dsniff; the former performs ARP spoofing, the latter sniffing. The attack proceeds as follows.
   Perform ARP spoofing:
   arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host
   (interface is the network card, -c the spoofing mode (usually both), -t the victim, host the gateway.)
   Sniff:
   dsniff [-cdmn] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]
   -c  perform half-duplex TCP stream reassembly, needed for correct sniffing when arpspoof is used
   -d  enable debugging output
   -f  load triggers from a services file (in /etc/services format), i.e. the services whose passwords are sniffed
   -i  use the specified network interface
   -m  use the dsniff.magic file to try to determine the protocol automatically from the signatures it defines
   -n  do not perform host lookups
   -p  process a previously saved pcap file instead of a live interface
   -r  read sniffed sessions from a previously saved session file
   -s  sniff at most the first snaplen bytes of each TCP connection; the default 1024 bytes is usually enough to contain the username and password
   -t  load a comma-separated set of triggers in the form port/proto=service
   -w  write sniffed sessions to savefile
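From the defender's side, the ARP spoofing performed by arpspoof or ettercap shows up as a change of the MAC address recorded for the gateway, and as one MAC (the attacker's) claiming several IP addresses. The script below is an added example, not part of the course notes, that compares two snapshots of the neighbour table in the format printed by `ip -4 neigh`. The two snapshots, the addresses and the interface name are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the course notes): detect ARP spoofing from two
# snapshots of "ip -4 neigh" output. The snapshots below are constructed.

# Snapshot taken before the attack (constructed sample data).
BEFORE='192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.102 dev wlan0 lladdr 00:11:22:33:44:66 STALE
192.168.1.50 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE'

# Snapshot taken while 192.168.1.50 poisons the gateway entry (constructed).
AFTER='192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.102 dev wlan0 lladdr 00:11:22:33:44:66 STALE
192.168.1.50 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE'

# Reduce an "ip neigh" dump to sorted "ip mac" pairs.
# Fields: 1=ip 2="dev" 3=iface 4="lladdr" 5=mac 6=state
neigh_pairs() {
  printf '%s\n' "$1" | awk '$4 == "lladdr" { print $1, $5 }' | LC_ALL=C sort
}

# Print "ip old_mac -> new_mac" for every IP whose MAC differs between the
# two snapshots. A changed gateway MAC is the classic arpspoof symptom.
arp_changes() {
  neigh_pairs "$1" | while read -r ip mac; do
    new=$(printf '%s\n' "$2" | awk -v ip="$ip" '$1 == ip && $4 == "lladdr" { print $5 }')
    if [ -n "$new" ] && [ "$new" != "$mac" ]; then
      echo "$ip $mac -> $new"
    fi
  done
  return 0
}

# Print "mac: ip ip ..." for every MAC that appears under more than one IP.
# Legitimate hosts rarely share a MAC; an attacker spoofing the gateway does.
duplicate_macs() {
  neigh_pairs "$1" | awk '
    { count[$2]++; ips[$2] = ips[$2] " " $1 }
    END { for (m in count) if (count[m] > 1) print m ":" ips[m] }' | LC_ALL=C sort
}

# Stand-alone run: compare the two constructed snapshots. On a real host
# replace them with "$(ip -4 neigh)" taken at two points in time.
if [ "${0##*/}" = "arp_watch.sh" ]; then
  echo "== MAC changes";   arp_changes "$BEFORE" "$AFTER"
  echo "== shared MACs";   duplicate_macs "$AFTER"
fi
```

Run as `sh arp_watch.sh`; with the constructed data it reports the gateway's MAC changing to the one owned by 192.168.1.50, and that MAC appearing under two IPs. Static ARP entries for the gateway (`ip neigh replace ... nud permanent`) or dynamic ARP inspection on the switch are the corresponding preventive controls.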
6. Session hijacking
   Cookies are used here as the example. Start ARP spoofing: arpspoof -i wlan0 -t 192.168.1.1 192.168.1.102
   (This poisons only the gateway's view of 192.168.1.102; to see both directions of the conversation run a second arpspoof with the two addresses swapped.)
   Capture the traffic: tcpdump -i wlan0 -w test.cap
   Wait a while for the target to log in to a website, then process the capture: ferret -r test.cap
   If the capture is sound and IP forwarding is confirmed on, ferret writes the extracted sessions to hamster.txt. Next run hamster; it asks you to set the browser proxy to http://127.0.0.1:1234. Then open http://hamster in the browser, select the target and a likely authenticated URL, click the link, and the hijacked session loads.
7. Image interception
   With driftnet we can see the images the victim views while browsing. Start ARP spoofing with arpspoof as before, then run driftnet on the same interface: driftnet -i wlan0
   A small window pops up; when the target visits a site containing images, they appear in that window.
8. DNS spoofing
   Using dnsspoof from the dsniff suite, or ettercap's dns_spoof plugin, we can spoof the victim's DNS answers. Before starting, write a hosts file and save it somewhere convenient. Its format is the same as the system's hosts file: each line lists the address you want to answer with, followed by the domain you want to hijack (the address is usually a server controlled by the attacker that serves a browser exploit or Java applet attack to gain access to the victim's machine). Example hosts file that points Baidu at this machine:
   127.0.0.1 www.baidu.com
   Save it as /root/hosts, then start dnsspoof: dnsspoof -i wlan0 -f /root/hosts
   Have the victim visit Baidu and observe the effect.
9. URL monitoring
   The urlsnarf tool in the dsniff suite parses HTTP traffic on TCP ports 80, 3128 and 8080 and dumps every sniffed HTTP request in Common Log Format (CLF). This is the format used by many web servers such as IIS and Apache, so the results can be analysed afterwards with ordinary log analysis tools.
   Usage: urlsnarf [-n] [-i interface | -p pcapfile] [[-v] pattern [expression]]
10. Download monitoring
   The filesnarf tool in the dsniff suite sniffs NFS traffic and saves selected files to the local current working directory.
   Usage: filesnarf [-i interface | -p pcapfile] [[-v] pattern [expression]]

KaliSecurity - Permission Maintenance Backdoor

Permission maintenance covers three subclasses: the tunnel toolset, web backdoors and system backdoors. System backdoors and web backdoors are collectively called backdoors: malicious programs left behind after a penetration test to make re-entry into the system easy.
1. Weevely
Weevely is a webshell tool written in Python that integrates webshell generation and connection (intended for security teaching and learning only; illegal use is prohibited). It can be regarded as the Linux counterpart of the Caidao ("China Chopper") webshell manager, limited to PHP; some modules are not available on Windows targets.

2. WeBaCoo (Web Backdoor Cookie)
WeBaCoo is a small, covert PHP backdoor script kit that provides a terminal connection to a remote web server and executes PHP code there. It is covert because the shell command is base64 encoded and hidden in the request's Cookie header, and the command output is returned in HTTP response headers rather than in the page body.
Connecting with WeBaCoo: webacoo -t -u http://192.168.75.132/2.php
Inside the WeBaCoo terminal, a command prefixed with ":" is executed locally; otherwise it is executed through the webshell.
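Because WeBaCoo hides the command in a cookie, a defender looking only at URLs and POST bodies sees nothing. The script below is an added example, not from the course notes or from WeBaCoo itself, of the check a blue team would add: for every cookie in a set of web access records, test whether the value is valid base64 that decodes to printable text (a command), which ordinary session identifiers never do. The record lines are constructed, and the `cm` cookie name is an assumption about how such an agent lays out its cookie; the decoder does not depend on it.

```shell
#!/bin/sh
# Added example (not from the course notes): surface base64-encoded commands
# hidden in Cookie headers, the channel WeBaCoo-style backdoors use.
# Requires GNU coreutils base64 (present on Kali).

# Constructed access records: "<client> <path> <Cookie header value>".
# Line 1 and 3 carry base64 commands; line 2 is ordinary browsing traffic.
LOG='10.0.0.5 /2.php cm=dW5hbWUgLWE=; cn=X-Result; cp=--
10.0.0.7 /index.php PHPSESSID=9a8b7c6d5e4f; lang=en
10.0.0.9 /2.php cm=Y2F0IC9ldGMvcGFzc3dk; cn=X-Result; cp=--'

# True if the string is well-formed base64 (alphabet and padding, length % 4 == 0).
looks_like_base64() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
  [ $(( ${#1} % 4 )) -eq 0 ]
}

# Read records on stdin; print "client cookie_name decoded_value" for every
# cookie whose value decodes to non-empty printable ASCII.
decode_cookie_commands() {
  while read -r client path cookies; do
    printf '%s\n' "$cookies" | tr ';' '\n' | while read -r pair; do
      name=${pair%%=*}
      value=${pair#*=}
      [ -n "$name" ] && [ -n "$value" ] || continue
      looks_like_base64 "$value" || continue
      decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || continue
      [ -n "$decoded" ] || continue
      # Session tokens that happen to be valid base64 decode to binary junk;
      # a command channel decodes to printable text. Drop anything non-printable.
      printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:]]' && continue
      printf '%s %s %s\n' "$client" "$name" "$decoded"
    done
  done
  return 0
}

# Stand-alone run over the constructed records. On a real server feed it
# lines built from the access log plus the logged Cookie header.
if [ "${0##*/}" = "cookie_cmds.sh" ]; then
  printf '%s\n' "$LOG" | decode_cookie_commands
fi
```

With the constructed records the script reports `uname -a` from 10.0.0.5 and `cat /etc/passwd` from 10.0.0.9 and stays silent on the PHPSESSID line. The same decoding applied to response headers would expose the returned command output, since WeBaCoo carries it there.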

3. Cymothoa system backdoor
Cymothoa injects shellcode into a running process, so it needs a target PID; -s selects the shellcode, -y the port to open. Example: cymothoa -p 10500 -s 0 -y 2333 injects a bind shell into process 10500 listening on port 2333. If it succeeds, connecting to port 2333 returns a shell.

4. Intersect

  • List available modules

  • Create script

  • Execute the backdoor: run the generated script on the target, e.g. 1.py -b, to start a bind shell backdoor. If a remote host and port were set when creating the script, it can run as a reverse shell instead. Connecting to the backdoor port then returns a shell.

Tunnel for Kali Privilege Maintenance


Permission maintenance covers three subclasses: the tunnel toolset, web backdoors and system backdoors. The tunnel toolset contains a series of tools for establishing communication tunnels and proxies:

  • CryptCat: everyone is familiar with Netcat, known as the Swiss Army Knife of network tools, but the connections it establishes are not encrypted, so cryptcat was created as an encrypted variant. dbd and sbd serve the same purpose.
  • DNS2TCP: a DNS tunnel, which, as the name says, carries data inside the DNS query process. In public places such as hotels there is usually a Wi-Fi signal, but the first website you visit pops up a window asking for a username and password, and only after logging in can you continue browsing (normally implemented as a transparent HTTP proxy). Sometimes, however, the DNS server handed out is valid and answers queries, and a DNS tunnel can then be used to reach the Internet for free: the principle is that the LAN's DNS server forwards our data to a specific server controlled by us. Many tools implement DNS tunnels, for example OzymanDNS, tcp-over-dns, Heyoka, iodine and dns2tcp.
  • Iodine: another DNS tunnel implementation.
  • Miredo: a network tool mainly used for IPv6 Teredo tunnelling on BSD and Linux. It lets hosts on networks without native IPv6 reach IPv6; the kernel needs IPv6 and TUN support.
  • Proxychains: a tool frequently used in intranet penetration testing. For example, use Meterpreter to start a SOCKS4a proxy, add that proxy to the /etc/proxychains.conf configuration file, and other tools such as sqlmap and nmap can then scan the intranet through it, e.g. proxychains nmap 10.0.0.1/24
  • Proxytunnel: connects to a remote server through a standard HTTPS proxy, i.e. a proxy that implements bridging, specifically for carrying SSH over HTTP(S). Proxytunnel can be used to create a communication channel through an HTTP(S) proxy (using the HTTP CONNECT method), as a ProxyCommand client driver for OpenSSH to run SSH connections over an HTTP(S) proxy, and as a standalone application that connects to remote servers.
  • Ptunnel: tunnels TCP connections inside ICMP packets.
  • Pwnat: tunnels traffic over UDP between hosts behind NAT, without port forwarding.
  • sslh: an SSL/SSH port multiplexer that accepts HTTPS, SSH and OpenVPN connections on the same port. This makes it possible to reach an SSH or OpenVPN server through port 443 while still serving HTTPS on that port; sslh is a good case study of port multiplexing.

Kali reverse engineering tool

Reverse engineering is deducing the specific implementation of something from the finished product. For example, if someone else's exe program produces a beautiful animation effect, you can work out how the effect is implemented through disassembly, decompilation and dynamic tracing; that activity is reverse engineering. It is not only decompilation: it also means recovering the design and documenting it, and the purpose of reverse software engineering is to make the software maintainable.

1. Edb-Debugger
EDB (Evan's Debugger) is a binary debugger built on Qt4 whose interface is modelled on OllyDbg. Its functionality can be extended through a plug-in system. Currently only Linux is supported.

2. OllyDbg
The classic Ring 3 debugger, a dynamic debugging tool that combines ideas from IDA and SoftICE. Under Kali, OllyDbg runs through Wine.

3. jad
4. Radare2
5. REC Studio (recstudio)
6. Apktool
7. Clang, Clang++
8. d2j-dex2jar
9. Flasm
