2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The weather has turned cold, but the penetration testing industry is hotter than the weather, which shows that attention to website security across the national Internet keeps growing. As a professional website security company, Sine Security wants to explain the details of penetration testing knowledge to you, because that knowledge plays a particularly large role in improving the security of a website or app. Only in this way can websites and apps develop over the long term and stably.
5.2. Persistence-Windows
5.2.1. Hide Files
Create system hidden files: attrib +s +a +r +h filename, or attrib +s +h filename
Create hidden files using NTFS ADS (Alternate Data Streams)
Create hidden files using Windows reserved device names: aux, prn, con, nul, com1, com3, com4, com6, com7, com8, lpt1, lpt2, lpt3, lpt4, lpt5, lpt6, lpt7, lpt8, lpt9
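The three hiding techniques above each leave something an auditor can enumerate. The following script is an added defender-side example (not from the original article) that lists, under an assumed root directory, files carrying the System+Hidden attribute pair, non-default NTFS alternate data streams, and names that collide with reserved device names (generalised to all com1-9 and lpt1-9).

```powershell
# Added example: audit a directory tree for the file-hiding techniques above.
# $Root is an assumed starting point; C:\Windows\Temp is used because the
# article lists it as a user-writable location.
$Root = 'C:\Windows\Temp'

$all = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

# 1. Files with both the System and Hidden attributes ("attrib +s +h").
#    Explorer hides these even when "show hidden files" is enabled.
$sysHidden = $all | Where-Object {
    -not $_.PSIsContainer -and
    ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
    ($_.Attributes -band [IO.FileAttributes]::System)
}

# 2. NTFS alternate data streams other than the default :$DATA stream.
#    Get-Item -Stream * enumerates every stream attached to a file.
$ads = $all | Where-Object { -not $_.PSIsContainer } |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' }

# 3. Names that match reserved device names (with or without an extension);
#    ordinary tools cannot open or delete such entries.
$reserved = '^(aux|prn|con|nul|com[1-9]|lpt[1-9])(\..*)?$'
$devNames = $all | Where-Object { $_.Name -match $reserved }

Write-Host "System+Hidden files under $Root"
$sysHidden | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

Write-Host "Alternate data streams under $Root"
$ads | Select-Object FileName, Stream, Length | Format-Table -AutoSize

Write-Host "Reserved device names under $Root"
$devNames | Select-Object FullName | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that ACL-protected subdirectories are not silently skipped.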
5.2.2. UAC
5.2.2.1. Brief introduction
UAC (User Account Control) is a security mechanism of Windows: when a sensitive operation is about to take place, it pops up a prompt that explicitly asks for elevated system permissions.
When a user logs in to Windows, the user is granted an access token. The token contains security identifier (SID) information, which determines the user's permissions.
5.2.2.2. Operations that trigger UAC
Starting an application with administrator privileges
Modifying the system
Modifying UAC settings
Modifying files or directories the user has no permission for (%SystemRoot%, %ProgramFiles%, etc.)
Modifying ACLs (access control lists)
Installing drivers
Adding and deleting accounts, modifying account types, activating the guest account
5.2.3. Privilege escalation
There are multiple ways to escalate privileges, including exploiting binary vulnerabilities, logic vulnerabilities and other techniques. Escalation through a binary vulnerability means executing code by exploiting a flaw in code that runs in kernel mode, such as a UAF in the kernel or in a driver, or a similar vulnerability, in order to gain higher privileges.
Logic vulnerabilities mainly take advantage of flawed logic in the system, for example a folder that users can write to but whose contents are later started with administrator privileges.
5.2.3.1. Exploiting arbitrary file writes
The main sensitive locations that users can write to in Windows are as follows:
The user's own files and directories, including AppData and Temp
C:\ : by default users can create folders and write to subdirectories
C:\ProgramData : by default users can create folders and write files in subdirectories
C:\Windows\Temp : by default users can create folders and write files
The specific ACL information can be viewed with AccessChk or with PowerShell's Get-Acl cmdlet.
Write permission on these folders and their subdirectories can be used to drop DLLs that some program may load; when the DLL is loaded and executed, the loader's privileges are obtained.
5.2.3.2. MOF
MOF (Managed Object Format) is a Windows file format; the system file c:/windows/system32/wbem/mof/nullevt.mof monitors process creation and termination every five seconds.
When you have permission to upload files but do not have a shell, a customized mof file can be uploaded to the appropriate location, and the mof will be executed after a certain period of time.
It is common to put a vbs script containing a command that adds an administrator user into the mof; once it has executed, a new administrator account exists.
5.2.3.3. Sethc
Sethc.exe is the sticky keys handler that Windows calls after the user presses Shift five times. When you can write files but do not have permission to execute them, a backdoor can be left by replacing sethc.exe; pressing Shift five times on the password entry screen then yields the privileges.
5.2.3.4. Credential theft
Windows local password hash export tools: mimikatz, wce, gsecdump, copypwd, Pwdump
Windows local password cracking tools: L0phtCrack, SAMInside, Ophcrack (rainbow table cracking)
Grabbing local hashes and plaintext
Grabbing plaintext on Win8 and Win2012
Exporting ntds.dit and reading it: QuarkPwDump; vssown.vbs + libesedb + NtdsXtract; ntdsdump; analysis with PowerShell (DSInternals)
Using a hash: net use \\%computername% /u hash+%username%
Password reset attempts
5.2.3.5. Other
Group policy preferences vulnerability
DLL hijacking
Replacing a system tool to implement a backdoor
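Both the Sethc section and the "replacing a system tool" item above rely on a system binary being swapped for another executable. The script below is an added defender-side check (not from the original article) that verifies, for sethc.exe and any other path placed in the assumed $targets list, that the file still carries a valid Microsoft signature and that its version resource's OriginalFilename matches the name it sits under, which a renamed copy of another program does not.

```powershell
# Added example: detect a replaced system binary. $targets is an assumed
# list; only sethc.exe is named in the article, extend it as needed.
$targets = @("$env:SystemRoot\System32\sethc.exe")

$results = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Present = $false }
        continue
    }
    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path

    # A binary copied over sethc.exe keeps its own version resource, so the
    # OriginalFilename it reports no longer matches the file name on disk.
    $origName = $item.VersionInfo.OriginalFilename
    $nameOk   = [bool]$origName -and ($origName.Trim() -ieq $item.Name)

    # OS files are catalog-signed; PowerShell 5.1+ reports them as Valid with
    # SignatureType Catalog. Anything else from a non-Microsoft signer needs a look.
    $sigOk = ($sig.Status -eq 'Valid') -and
             ($sig.SignerCertificate.Subject -match 'CN=Microsoft')

    [pscustomobject]@{
        Path             = $path
        Present          = $true
        OriginalFilename = $origName
        NameMatches      = $nameOk
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        SignatureOk      = $sigOk
        SHA256           = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        LastWriteTime    = $item.LastWriteTime
    }
}

$results | Format-List
# Any entry with NameMatches or SignatureOk equal to False is a candidate
# replaced binary; compare its SHA256 against a known-good copy of the same build.
```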
5.3. Information gathering-Linux
5.3.1. Get kernel, operating system and device information
Version information (all): uname -a
Kernel version: uname -r
System hostname: uname -n
Linux kernel architecture: uname -m
Kernel and build information: cat /proc/version
CPU information: cat /proc/cpuinfo
Release information: cat /etc/*-release ; cat /etc/issue
Hostname: hostname
File systems: df -a
5.3.2. Users and groups
List all users: cat /etc/passwd
List all groups: cat /etc/group
List all users' password hashes (root): cat /etc/shadow
Query basic user information: finger
Currently logged-in users: users ; who -a
Logged-in user information: w
Last logins: last
Last login information of all users in the system: lastlog
5.3.3. User and permission information
Current user: whoami
Current user information: id
Who can use sudo to become root (root): cat /etc/sudoers
List the commands the current user can and cannot run with sudo: sudo -l
5.3.4. Environment information
Print system environment information: env ; set
Path information from the environment variables: echo $PATH
Print command history: history
Display the current path: pwd
Display the default system profile: cat /etc/profile
Display available shells: cat /etc/shells
5.3.5. Service information
View process information: ps aux
List services managed by inetd: cat /etc/inetd.conf
List services managed by xinetd: cat /etc/xinetd.conf
NFS server configuration: cat /etc/exports
5.3.6. Jobs and tasks
Show scheduled jobs for the specified user (root): crontab -l -u %user%
Scheduled tasks: ls -la /etc/cron*
5.3.7. Network, routing, and Communication
List network interface information: /sbin/ifconfig -a
List network interface configuration: cat /etc/network/interfaces
View the system ARP table: arp -a
Print routing information: route
View DNS configuration: cat /etc/resolv.conf
Print local open ports: netstat -an
List iptables rules: iptables -L
View the port-to-service mapping: cat /etc/services
These are some of the knowledge points you need in penetration testing; based on them you can analyze and gather information by yourself. If you need a security penetration test, you can contact a professional website security company to handle it. Domestic recommendations such as Sinesafe, Green League and Kai Ming Star are all quite good. A penetration testing service must have formal authorization to test; testing without it is illegal!