Detailed method flow of app security penetration testing

2025-01-15 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

More and more website and mobile app owners pay attention to security penetration testing services. Before launch, the platform must undergo a comprehensive pre-release penetration test to find security vulnerabilities and bugs. Many customers come to us for penetration testing and may not know much about the specific process, so below we show the specific penetration testing method and process.

Penetration test

I. Penetration process

Information collection, vulnerability verification / exploitation, privilege escalation and persistence, log cleanup.

Information collection

Generally, port scanning and vulnerability scanning are run first to obtain exploitable vulnerabilities. Make full use of search engines as well.

Port scan

If authorized, use port scanning tools such as nmap or masscan, or write Python scripts, to obtain the open ports and the server's banner information directly.

Vulnerability scanning

Scan the target directly with vulnerability scanners such as Polar Bear scanner, Nessus or AWVS; the live hosts and their vulnerabilities can be seen directly.

II. Vulnerability exploitation

If port scanning only turns up open ports, obtain the banner information, look up the corresponding CVE in a vulnerability library (seebug, ExploitDB), and then verify whether the vulnerability exists. A security check generally tries to find as many vulnerabilities as possible and to evaluate and fix their risks; an intrusion only focuses on vulnerabilities that can be exploited directly, such as high-risk remote code execution and sensitive information disclosure. For vulnerability verification, find the POC or EXP for the CVE number, check the code on ExploitDB or seebug, or search GitHub for related verification or exploitation tools.

2.1 Web applications

Look directly for vulnerabilities such as injection, file upload, code execution, file inclusion and cross-site scripting. AWVS can generally be used to scan for common vulnerabilities directly.

2.1.2 Web middleware

(1) Tomcat

Tomcat is a sub-project of the Apache Jakarta software organization. Tomcat is a JSP/Servlet container, a standard implementation of the JSP and Servlet specifications developed on the basis of Sun's JSWDK (Java Server Web Development Kit). With Tomcat you can use the latest JSP and Servlet specifications.

Port: 8080. Attack methods: default passwords and weak passwords. Tomcat 5 has two roles by default, tomcat and role1, and the default password for both accounts, tomcat and role1, is tomcat. Weak passwords generally exist in versions below 5. Remote code execution by deploying a WAR backdoor file through the management console.
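As an added defender's check, not part of the original article, the following Python script audits a Tomcat tomcat-users.xml for the default accounts named above (tomcat and role1 with password tomcat) and for weak passwords on accounts that hold manager roles. The XML sample is constructed for the example; the common-password list and the 12-character minimum are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml for this example (not from any real deployment).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-gui"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="ops" password="Welcome1" roles="manager-gui"/>
  <user username="deploy" password="S3cure!Long#Passphrase" roles="manager-script"/>
</tomcat-users>
"""

# Default Tomcat accounts named in the text above.
DEFAULT_CREDENTIALS = {("tomcat", "tomcat"), ("role1", "tomcat")}
# Assumed policy for this example: a short list of common passwords and a minimum length.
COMMON_PASSWORDS = {"tomcat", "admin", "password", "123456", "role1"}
MIN_PASSWORD_LENGTH = 12
# Roles that grant access to the manager / host-manager web applications.
PRIVILEGED_PREFIXES = ("manager-", "admin-")


def _local_name(tag):
    """Strip the XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (severity, username, reason) findings for a tomcat-users.xml document."""
    findings = []
    for element in ET.fromstring(xml_text).iter():
        if _local_name(element.tag) != "user":
            continue
        username = element.get("username") or element.get("name") or ""
        password = element.get("password", "")
        roles = {r.strip() for r in element.get("roles", "").split(",") if r.strip()}
        privileged = any(r.startswith(PRIVILEGED_PREFIXES) for r in roles)

        if (username, password) in DEFAULT_CREDENTIALS:
            findings.append(("CRITICAL", username, "default Tomcat credential"))
        elif password.lower() in COMMON_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
            # A weak password matters most where it unlocks WAR deployment.
            findings.append(("HIGH" if privileged else "MEDIUM", username, "weak password"))

        if "manager-gui" in roles:
            findings.append(("INFO", username, "can deploy WAR files through the manager GUI"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'CRITICAL': 2, 'HIGH': 1, 'INFO': 2}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{severity:8} {user:10} {reason}")
```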

(2) Jboss

JBoss is a J2EE application server running EJB. It is an open source project that follows the latest J2EE specification. Since the start of the JBoss project it has evolved from an EJB container into a J2EE-based Web operating system, embodying the latest technology in the J2EE specification.

Port: 8080. Attack methods: weak password on the management console, WAR backdoor deployment, deserialization remote code execution. Reference:

(3) WebLogic

WebLogic is an application server produced by Oracle (USA); specifically, it is middleware based on the Java EE architecture. WebLogic is a Java application server for developing, integrating, deploying and managing large-scale distributed Web applications, network applications and database applications. It brings the dynamic features of Java and the security of the Java Enterprise standard to the development, integration, deployment and management of large-scale network applications.

Port: 7001/7002. Attack methods: weak passwords (the WebLogic management console is commonly found with weblogic/Oracle@123), WAR backdoor deployment, SSRF, deserialization vulnerabilities.

(4) WebSphere

IBM WebSphere is a typical set of e-commerce application development tools and runtime environment.

Ports: default 9080; the first application gets 9080, the second 9081; console 9090. Attack methods: console login. Many intranet WebSphere consoles have a weak or default password; admin/admin and websphere/websphere can be used to log in. After logging in to the console, a WAR package can be deployed to obtain a webshell. Deserialization; arbitrary file disclosure.

(5) Glassfish

2.1.3 Web framework

(1) Struts2

Struts2 is an elegant, extensible framework for creating enterprise-ready Java Web applications. Vulnerabilities appear so often that every major one floods the vulnerability platforms.

Exploitable vulnerabilities:

S2-046 CVE-2017-5638 Struts 2.3.5-2.3.31, Struts 2.5-2.5.10
S2-045 CVE-2017-5638 Struts 2.3.5-2.3.31, Struts 2.5-2.5.10
S2-037 CVE-2016-4438 Struts 2.3.20-2.3.28.1
S2-032 CVE-2016-3081 Struts 2.3.18-2.3.28
S2-020 CVE-2014-0094 Struts 2.0.0-2.3.16
S2-019 CVE-2013-4316 Struts 2.0.0-2.3.15.1
S2-016 CVE-2013-2251 Struts 2.0.0-2.3.15
S2-013 CVE-2013-1966 Struts 2.0.0-2.3.14
S2-009 CVE-2011-3923 Struts 2.0.0-2.3.1.1
S2-005 CVE-2010-1870 Struts 2.0.0-2.1.8.1
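As an added defender's check, not from the original article, the following Python script matches an installed Struts version against the affected ranges listed above. Version strings have to be compared numerically rather than as text ("2.3.5" sorts after "2.3.31" lexicographically), so they are parsed into integer tuples; the host inventory in the script is constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    sid: str       # Struts security bulletin id
    cve: str
    ranges: tuple  # inclusive (low, high) version ranges


# Affected ranges exactly as listed in the text above.
ADVISORIES = (
    Advisory("S2-046", "CVE-2017-5638", (("2.3.5", "2.3.31"), ("2.5", "2.5.10"))),
    Advisory("S2-045", "CVE-2017-5638", (("2.3.5", "2.3.31"), ("2.5", "2.5.10"))),
    Advisory("S2-037", "CVE-2016-4438", (("2.3.20", "2.3.28.1"),)),
    Advisory("S2-032", "CVE-2016-3081", (("2.3.18", "2.3.28"),)),
    Advisory("S2-020", "CVE-2014-0094", (("2.0.0", "2.3.16"),)),
    Advisory("S2-019", "CVE-2013-4316", (("2.0.0", "2.3.15.1"),)),
    Advisory("S2-016", "CVE-2013-2251", (("2.0.0", "2.3.15"),)),
    Advisory("S2-013", "CVE-2013-1966", (("2.0.0", "2.3.14"),)),
    Advisory("S2-009", "CVE-2011-3923", (("2.0.0", "2.3.1.1"),)),
    Advisory("S2-005", "CVE-2010-1870", (("2.0.0", "2.1.8.1"),)),
)


def parse_version(version):
    """'2.3.28.1' -> (2, 3, 28, 1). A qualifier such as '-SNAPSHOT' is dropped."""
    return tuple(int(part) for part in version.split("-", 1)[0].split("."))


def in_range(version, low, high):
    """Inclusive numeric comparison. Tuples are padded with zeros so that a bound written
    as '2.5' covers '2.5.0', and '2.3.31.1' is treated as newer than the bound '2.3.31'."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) <= pad(hi)


def affected_advisories(version):
    """All advisories whose affected ranges contain the given Struts version."""
    return [a for a in ADVISORIES if any(in_range(version, lo, hi) for lo, hi in a.ranges)]


def assess_inventory(inventory):
    """inventory: {host: struts_version} -> {host: [bulletin ids]} for exposed hosts only."""
    report = {}
    for host, version in inventory.items():
        hits = affected_advisories(version)
        if hits:
            report[host] = [a.sid for a in hits]
    return report


if __name__ == "__main__":
    # Constructed inventory for this example.
    inventory = {"app01": "2.3.31", "app02": "2.3.32", "app03": "2.5.10.1", "legacy": "2.3.15"}
    for host, ids in assess_inventory(inventory).items():
        print(host, ", ".join(ids))
```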

(2) Spring framework

Spring Framework is an open source Java/Java EE full-stack application framework, released under the Apache License 2.0, with a ported version for the .NET platform. Spring Framework provides a simple way of developing that avoids the large number of property files and helper classes that can clutter the underlying code.

Exploitable vulnerabilities: CVE-2010-1622, CVE-2018-1274, CVE-2018-1270, CVE-2018-1273 (deserialization, directory traversal).

2.1.4 Web server

IIS (Windows WWW server), port 80. Attack methods: if WebDAV is enabled, files can be PUT directly to the server; short file name enumeration; remote code execution; parsing vulnerability.

Apache, port 80. Attack methods: parsing vulnerability; directory traversal.

Nginx, port 80. Attack methods: parsing vulnerability; directory traversal; CVE-2016-1247 (requires operating rights on the host: an attacker can replace the log file with a symlink to any file and thereby escalate to root on the server).

Lighttpd, port 80. Attack method: directory traversal.

2.2 Common operation and maintenance systems

Penetration testing operation and maintenance

Generally there are tools for automatic deployment and operations monitoring. Vulnerabilities can be found via search engines, GitHub, ExploitDB and the security announcements on the official website. The common problem in intranet applications is weak passwords: if one administrator logs on to several systems, the accounts and passwords of those systems are basically the same.

2.2.1 Gitlab

GitLab is an open source application developed using Ruby on Rails to implement a self-hosted project repository that can access public or private projects through the Web interface.

Exploitable vulnerabilities: arbitrary file read, user token disclosure, command execution.

2.2.2 Jenkins

Jenkins is a cross-platform continuous integration and delivery application that facilitates the continuous and stable delivery of new software versions and improves your productivity. This development operations tool also makes it easier for developers to integrate changes to the project and use a large number of testing and deployment techniques.

Exploitable vulnerabilities: remote code execution, deserialization, unauthorized access to the login entry.

2.2.3 Puppet

Puppet Enterprise specializes in managing infrastructure as code (IaC): the system is built, managed and configured automatically with code rather than manual scripting. Because it is code, the whole process is easy to repeat. Puppet makes version control, automated testing and continuous delivery easier, and lets you respond more quickly to problems or errors.

Exploitable vulnerabilities (few public POCs): deserialization, remote command execution.

2.2.4 Ansible

Ansible is a configuration management tool for client-oriented software deployment and configuration, supporting Unix, Linux and Windows. It uses JSON and YAML rather than code and requires no agent on the nodes. It can be used on internal systems, through OpenStack, or on Amazon EC2.

Exploitable vulnerabilities: remote code execution.

2.2.5 Nagios

Nagios is an open source computer system and network monitoring tool that can effectively monitor the host status of Windows, Linux and Unix systems, network devices such as switches and routers, printers and so on. When a system or service becomes abnormal it sends an email or SMS alert so that operations staff are notified as soon as possible, and sends a recovery notification once the status is restored.

Exploitable vulnerabilities: code execution, SQLi.

2.2.6 Zabbix

Zabbix is a powerful open source distributed monitoring system, which can display the data provided by SNMP, JMX and Zabbix Agent through WEB GUI.

Exploitable vulnerabilities (see ExploitDB): remote code execution, SQLi, shell command injection, authentication bypass, default account and password (admin/zabbix, or guest with an empty password).

2.2.7 Cacti

Cacti is a set of graphical analysis tools for network traffic monitoring based on PHP,MySQL,SNMP and RRDTool.

Exploitable vulnerabilities: arbitrary code execution, SQLi, default login password admin/admin.

2.2.8 Splunk

Splunk Enterprise can monitor and analyze machine data from any source to provide operational intelligence to optimize your IT, security, and business performance. With intuitive analysis capabilities, machine learning, packaged applications, and open API, Splunk Enterprise is a flexible platform that extends from key use cases to an enterprise-wide analysis backbone.

Exploitable vulnerabilities: information disclosure, command injection, server-side request forgery; see ExploitDB.

2.3 Common Web applications

There are also common mail and CMS applications; find the corresponding vulnerabilities with search engines and exploit the known ones.

2.3.1 Mail system

Some organizations use Tencent Enterprise Mail or Alibaba Enterprise Mail, where exploitable vulnerabilities are hard to find. The others are mail systems that can be deployed independently, the mail applications commonly used by government and enterprises:

CoreMail, 35 Internet mail, TurboMail, Exchange, IBM Lotus

2.3.2 CMS application

2.4 Database / caching / message services

2.4.1 MySQL database

Default port: 3306. Attack methods: authentication vulnerability CVE-2012-2122; denial of service; phpMyAdmin universal password bypass (username 'localhost'@'@", any password); privilege escalation.

2.4.2 MSSQL database

Default ports: 1433 (database service), 1434 (monitor service). Attack methods: weak password; abuse of system users; injection.

2.4.3 Oracle database

Default ports: 1521 (database), 1158 (Oracle EMCTL), 8080 (Oracle XDB database), 8080 (Oracle XDB FTP service). Attack methods: weak password; injection; vulnerability exploitation.

2.4.4 PostgreSQL database

PostgreSQL is a very complete free-software object-relational database management system, arguably the most advanced and powerful free DBMS in the world; msf in Kali also uses this database. As for attack techniques, most attacks against PostgreSQL are still SQL injection, so injection is the constant topic of databases.

Default port: 5432. Attack methods: weak password (postgres/postgres); buffer overflow CVE-2014-2669.

2.4.5 MongoDB database

MongoDB is a NoSQL database; the attack methods are similar to other databases.

Default port: 27017. Attack methods: weak password; unauthorized access (attack code is available on GitHub).

2.4.6 Redis database

Redis is an open source, network-capable, memory-based, persistent key-value log database written in C. It has been very popular in the past two years and a lot of problems have been exposed, especially the unauthorized access exposed some time ago.

Attack methods: weak password; unauthorized access combined with SSH key writing for privilege escalation.

2.4.7 Sybase database

Default ports: service port 5000; listener port 4100; backup port 4200. Attack methods: weak password; command injection (see reference).

2.4.8 DB2 database

Default port: 5000. Attack methods: security restriction bypass, after which unauthorized operations can be performed (CVE-2015-1922).

2.5 Common Services / protocols

2.5.1 FTP Service

FTP service: there are two cases of FTP service. The first uses system software, such as FTP file sharing in IIS or the default service software on Linux; the second is configured through third-party software, such as Serv-U and some simple FTP servers found on the Internet. Default ports: 20 (data), 21 (control), 69 (TFTP, trivial file transfer protocol).

Attack methods: there are many tools for FTP; OWASP's Bruter and the ftp modules in msf are recommended here. Anonymous access: username anonymous, password empty or any mailbox address. Sniffing: FTP transmits in plaintext (but sniffing is limited to the LAN and requires spoofing or monitoring the gateway). Backdoors (vsftp); remote overflow; bounce attack.

2.5.2 NFS Services

NFS (Network File System) is one of the file systems supported by FreeBSD; it allows computers on a network to share resources over TCP/IP. With NFS, a local NFS client can read and write files located on a remote NFS server transparently, as if accessing local files. Today NFS can protect exported folders from abuse, but NFS services on legacy systems can still be exploited by attackers if they are misconfigured.

Attack method: unauthorized access.

2.5.3 Samba Services

Samba is free software that implements the SMB/CIFS protocol on Linux and Unix systems; it consists of server and client programs. SMB is a communication protocol for sharing files and printers in a local area network, providing file and printer sharing between different computers on the LAN.

Attack methods: remote code execution; weak password; unauthorized access (public shares).

2.5.4 SSH Services

SSH is a protocol, usually implemented with the OpenSSH software. SSH stands for Secure Shell and was developed by the IETF's Network Working Group. It is a security protocol operating at the application and transport layers and is currently a reliable protocol designed to provide security for remote login sessions and other network services. Using SSH effectively prevents information leakage during remote management.

Port: 22. Attack methods: backdoor vulnerabilities; the 28-backspace vulnerability; OpenSSL vulnerabilities.

2.5.5 Telnet Service

Telnet is a member of the TCP/IP protocol family and the standard protocol and main way of providing remote login over the Internet. It gives users the ability to work on a remote host from their local computer: the user runs the telnet program locally and connects to the server; commands entered in the telnet program run on the server as if typed at the server's console, so the server can be controlled locally.

Default port: 21. Attack method: sniffing.

2.5.6 Windows remote connection

Default port: 3389. Attack methods: sticky keys backdoor (press Shift five times); MS12-020 against port 3389.

2.5.7 VNC Services

VNC (Virtual Network Computing) is a display screen sharing and remote operation software using RFB protocol. Through the network, this software can send the actions of keyboard and mouse and real-time display screen.

Default port: 5900 + display number (5901, 5902, ...). Attack methods: weak password; authentication bypass; denial of service (CVE-2015-5239); privilege escalation (CVE-2013-6886).

2.5.8 SMTP protocol

SMTP: mail protocol. The service is enabled by default on Linux and can be used to send phishing emails.

Default ports: 25 (SMTP), 465 (SMTPS). Attack methods: weak password; unauthorized access.

2.5.9 POP3 protocol

Default ports: 109 (POP2), 110 (POP3), 995 (POP3S). Attack methods: weak password; unauthorized access.

2.5.10 DNS Service

Default port: 53. Attack method: zone transfer vulnerability.

2.5.11 IMAP protocol

Default ports: 143, 993 (IMAPS). Attack methods: weak password; improper configuration.

2.5.12 SNMP protocol

Default port: 161. Attack method: weak password.

2.5.13 DHCP Service

Default ports: 67/68, 546 (DHCP failover hot backup). Attack method: DHCP hijacking.

2.6 Cloud environment

2.6.1 VMware

With VMware vCloud, virtual infrastructure resources within an existing data center can be pooled and delivered as catalog-based services. Together with VMware vSphere, the best platform for cloud computing infrastructure, VMware vCloud Director gives customers the ability to build a secure private cloud, changing the way IT departments deliver and manage infrastructure services and how users access and consume them. In general, an organization has many independently installed private clouds in the form of ESXi or independently deployed virtualization systems.

Ports: many. Vulnerabilities: virtual machine escape; CVE-2017-5638. Reference:

2.6.2 OpenStack

OpenStack is infrastructure as a service (IaaS) software that allows anyone to create and provide cloud computing services on their own. In addition, OpenStack is also used to create a "private cloud" (Private Cloud) within a firewall, providing resources to be shared among departments within an organization or enterprise.

Vulnerabilities exist, but public POCs basically do not; refer to secure configuration practices when checking. Permission bypass; information disclosure; code execution. Reference:

2.6.3 Docker

Docker is an open source software project that automates application deployment inside software containers, providing an additional layer of abstraction and an automated management mechanism for operating-system-level virtualization on Linux. Docker uses resource isolation features of the Linux kernel, such as cgroups and kernel namespaces, to create independent containers that run under a single Linux instance, avoiding the overhead of booting a virtual machine. Kernel namespace support completely isolates an application's view of its environment, including the process tree, network, user IDs and mounted file systems, while cgroups provide resource isolation for CPU, memory, block I/O and network. Starting from version 0.9, Docker includes the libcontainer library to use the kernel's virtualization facilities directly, in addition to the abstract interfaces provided through libvirt, LXC and systemd-nspawn.

Security issues (few vulnerabilities have public POCs; security checks are also based on best practices and official security recommendations):

CVE-2015-3630 (1.6.0) Docker Libcontainer security bypass vulnerability
CVE-2015-3627 (1.6.1) Libcontainer and Docker Engine permission and access control vulnerability
CVE-2015-3630 (1.6.1) Docker Engine security bypass vulnerability
CVE-2014-9358 (1.3.3) Docker directory traversal vulnerability
CVE-2014-9357 (1.3.2) Docker permission and access control vulnerability
CVE-2014-6408 (1.3.1) Docker permission and access control vulnerability
CVE-2014-5277 (1.3.0) Docker and docker-py code injection vulnerability

Kernel exploits: containers are kernel-based virtualization; the host and all containers on it share one kernel. If the operation of one container crashes the kernel, every container on the machine is affected.

Denial of service: all containers share kernel resources. If one container monopolizes a resource (memory, CPU, the various IDs), other containers may fail for lack of resources, resulting in a DoS.

Container breakouts: Linux namespaces are one of the cores of containers, allowing a process to be PID 1 inside the container while having a different PID outside (for example 1234). If the PID 1 process breaks out of the namespace limits, it gains root on the host.

Poisoned images: mainly concerns the security of the image itself; not much to say.

2.7 Big data

2.7.1 Elasticsearch

Elasticsearch is a distributed search and analysis engine, which can be used for full-text retrieval, structured retrieval and analysis, and can combine the three. Elasticsearch is based on Lucene and is now one of the most widely used open source search engines. Wikipedia, Stack Overflow, GitHub and so on are all based on Elasticsearch to build their search engines.

Default ports: 9200, 9300. Attack methods: unauthorized access; remote command execution; file traversal; webshell implantation in older versions.

2.7.2 hadoop

Hadoop is an open source framework for writing and running distributed applications that process large-scale data. It is designed for offline, large-scale data analysis and is not suited to online transaction processing that randomly reads and writes a few records. Hadoop = HDFS (file system, data storage) + MapReduce (data processing). Hadoop's data source can be of any form; compared with relational databases it performs better and is more flexible with semi-structured and unstructured data, since every data form is eventually transformed into key/value pairs, the basic data unit. MapReduce replaces SQL: SQL is a query language, whereas MapReduce uses scripts and code; for those used to SQL on relational databases, Hadoop offers the open source tool Hive. Hadoop is a distributed computing solution.

2.7.3 Hive

Hive is a data warehouse product in the Hadoop family. The most important feature of Hive is that it provides SQL-like syntax and encapsulates the underlying MapReduce process, so that business personnel with SQL foundation can also directly use Hadoop to operate big data.

2.7.4 Sqoop

The Apache Sqoop (SQL-to-Hadoop) project aims to facilitate efficient big data communication between RDBMS and Hadoop. With the help of Sqoop, users can easily import the data of relational database into the systems related to Hadoop (such as HBase and Hive); at the same time, they can also extract the data from Hadoop system and export it to relational database. In addition to these main functions, Sqoop also provides some useful gadgets such as viewing database tables.

2.7.5 HBase

HBase is based on HDFS and provides a highly reliable, high-performance, column-oriented, scalable database system with real-time read and write. It sits between NoSQL and RDBMS: data can only be retrieved through row keys and row key ranges, and only single-row transactions are supported (complex operations such as multi-table joins can be realized with the help of Hive). It is mainly used to store loosely structured, unstructured and semi-structured data. Like Hadoop, HBase relies mainly on scaling out, increasing computing and storage capacity by adding cheap commodity servers.

2.7.6 Spark

Spark is a general parallel computing framework similar to Hadoop MapReduce, open-sourced by UC Berkeley AMP Lab. Distributed computing in Spark, based on the MapReduce algorithm, has the advantages of Hadoop MapReduce, but unlike MapReduce the intermediate output and results of a job can be kept in memory, so there is no need to read and write HDFS. Reference:

III. Privilege escalation and persistence

3.1 Privilege escalation

SecWiki summary:

3.2 Establish backdoor / port forwarding

Port forwarding and proxy tools

LCX: port forwarding software on Windows.
Sockscap: mainly for port forwarding and proxy forwarding on the Windows platform.
Proxifier: cross-platform port forwarding and proxy tool for Windows, Linux and macOS; a sharp tool for proxy forwarding.
Rsocks: port forwarding and proxy tool for *nix platforms, easy to use together with proxychains.
Proxychains: the veteran SOCKS proxy tool on *nix, usually shipped with the system; whoever has used it knows.
SSH proxy: port proxying and forwarding through SSH, generally included in *nix systems.
Netcat, socat, hping: in many cases can do port forwarding and data proxy forwarding.
Metasploit: there are many proxy and port forwarding modules among Metasploit's post-exploitation modules.

Getting the port forwarding tool (encrypted and compressed) onto the transit server: download directly if it can reach the Internet; load it through the mstsc drive mapping; transfer it through a portal server; upload it through remote control software.

3.3 Transfer files

3.3.1 File packaging

About packaging

Package with RAR: compress all .doc files modified after 2013-01-01 under d:\data\ into 100 MB volumes with the password Pass (-x excludes the given pattern):

rar.exe a -r -v100m -pPass new.rar -ta20130101000000 -n*.doc -x*.exe d:\data\

Package with 7z: encrypt and compress all files under d:\data with the password Pass, split into 100 MB volumes:

7z.exe a c:\xx.7z -pPass -mhe d:\data -v100m

On Linux, tar cannot add a password by itself, so it is used together with openssl:

tar -zcvf - pma | openssl des3 -salt -k password | dd of=pma.des3

Decompress the encrypted file with tar:

dd if=pma.des3 | openssl des3 -d -k password | tar zxf -

3.3.2 File transfer ideas

Use port forwarding to transfer data directly; set up FTP or HTTP; upload to the cloud and then download.

3.4 Make a backdoor / Trojan program

Generally use msfvenom from Metasploit.

SET can also generate backdoor programs, and you can also pay attention to the latest vulnerabilities in Office and PDF.

IV. Log cleaning

You need to know the following before doing log cleanup:

It is difficult to completely delete the traces of an attack or intrusion, and the absence of logs is itself an indicator of intrusion.
Deleting or cleaning the local logs of the compromised system does not mean the traces are gone; records are still kept on network devices, security devices and centralized logging systems.
The retained backdoor itself contains information about the attacker.
The proxies or jump hosts used may themselves be compromised in reverse.
Check whether any administrator is logged in before operating.
Delete the uploaded tools, using disk overwriting to delete them.

Windows log types

Web logs: IIS, Apache and other web server logs. Operation logs: 3389 login list, recently accessed files, IE and other browser history, file access logs. Login logs: system and application logs, security logs. Restore the state before and after the attack and try to keep it consistent.

Linux operation logs

Linux command history: unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null. Deletion of sshd login records. Modification of ~/.ssh/known_hosts records. Modify file timestamps with touch -r original_file target_file. Delete temporarily used files, especially in the tmp directory. Tools such as logtamper5.

Penetration testing tools

1. Some principles for tool-based penetration of the intranet

Use your own tools; there is no need to collect too many, enough is enough. Write suitable tools according to the actual situation. Tools whose safety cannot be guaranteed are run in a virtual machine (many are bundled with Trojans). For security checks, try to use open source tools on GitHub.

Tool introduction: personal habit is to use the tools built into Kali; for specific POCs, search GitHub first.

Penetration precautions: check the intranet monitoring and defense systems carefully; use ARP tools and large-area scanning tools with care; use idle machines in the target network as packaging hosts; use high-traffic intranet machines as transfer hosts, such as WSUS servers or video conferencing systems; use temporary machines for packaging and data transfer rather than the controlled machines; WMI scripts or wmic can be used for remote operations; prohibit the use of psexec.exe; avoid user working hours when packaging; control the package size.
