Installation and testing of Yulong HIDS

2025-03-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Yulong HIDS is an open-source host intrusion detection system by YSRC. Project address: https://github.com/ysrc/yulong-hids

0x00, preparation for installation

1. Server: 192.168.89.180 (4GB memory). It needs mongodb and elasticsearch installed; then download Yulong's compiled package, upload it to /home, run web, initialize it, and finally run server. Afterwards check that all of the following ports are listening: 9200, 9300, 443, 443, 27017, 33433. (Suggestion: configure a yum source on the server, install wget and unzip, and install ntpdate if the system time is wrong.)

2. Client 192.168.89.185

Once the server is configured, the client only needs to follow the agent installation process to install it.

0x01, deploy mongodb

1. Install mongodb and start it

# mkdir /var/lib/mongodb/ && mkdir /var/log/mongodb && wget https://sec.ly.com/mirror/mongodb-linux-x86_64-3.6.3.tgz && tar -xvzf mongodb-linux-x86_64-3.6.3.tgz && mongodb-linux-x86_64-3.6.3/bin/mongod --dbpath /var/lib/mongodb/ --logpath /var/log/mongodb.log --fork --bind_ip 192.168.89.180

# yum install -y mongodb-org

Check to see if port number 27017 is enabled.

# ss -antpl
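The same listening-port check recurs after each component is started (27017 for mongodb, 9200 and 9300 for elasticsearch, 80 and 443 for web, 33433 for server). As an added example that is not part of the original post or of the Yulong project, the following Python script parses `ss -antpl` output, reports which expected ports are not listening yet, and flags expected ports that are bound to a wildcard address rather than the server's own IP (none of mongodb, elasticsearch 5.6 or the Yulong services authenticate clients by default, so the bind address is the main exposure control). The port-to-role mapping and the sample ss output are constructed for this example.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Ports the walkthrough expects once every component is running.
# Constructed mapping for this example: port -> role.
EXPECTED_PORTS = {
    27017: "mongod",
    9200: "elasticsearch HTTP",
    9300: "elasticsearch transport",
    80: "yulong web (http)",
    443: "yulong web (https)",
    33433: "yulong server",
}

# Addresses that mean "listen on every interface".
WILDCARD_ADDRS = {"*", "0.0.0.0", "::", "[::]"}

# Constructed sample of `ss -antpl` output: mongodb and elasticsearch are up,
# web and server have not been started yet, and 9300 is bound to all interfaces.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:22                             *:*                   users:(("sshd",pid=902,fd=3))
LISTEN     0      128    192.168.89.180:27017             *:*                   users:(("mongod",pid=1311,fd=11))
LISTEN     0      128    192.168.89.180:9200              *:*                   users:(("java",pid=1502,fd=213))
LISTEN     0      128    *:9300                           *:*                   users:(("java",pid=1502,fd=201))
ESTAB      0      0      192.168.89.180:22                192.168.89.1:50122    users:(("sshd",pid=1208,fd=3))
"""

_PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(ss_output: str) -> Dict[int, Tuple[str, str]]:
    """Map each LISTEN port to (local address, process name) from `ss -antpl` text."""
    listeners: Dict[int, Tuple[str, str]] = {}
    for line in ss_output.splitlines():
        fields = line.split()
        # skip the header row and anything that is not a listening socket
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        match = _PROCESS_RE.search(line)
        listeners[int(port)] = (addr, match.group(1) if match else "?")
    return listeners


def check_ports(ss_output: str, expected=EXPECTED_PORTS) -> Tuple[List[int], List[int]]:
    """Return (missing expected ports, expected ports bound to a wildcard address)."""
    listeners = parse_listeners(ss_output)
    missing = sorted(p for p in expected if p not in listeners)
    wildcard = sorted(p for p in expected if p in listeners and listeners[p][0] in WILDCARD_ADDRS)
    return missing, wildcard


def report(ss_output: str) -> str:
    """Human-readable summary used when running the script on a live host."""
    missing, wildcard = check_ports(ss_output)
    lines = [f"missing: {p} ({EXPECTED_PORTS[p]})" for p in missing]
    lines += [f"bound to all interfaces: {p} ({EXPECTED_PORTS[p]})" for p in wildcard]
    return "\n".join(lines) if lines else "all expected ports are listening on a specific address"


if __name__ == "__main__":
    # On the server itself, run the real command (root is needed for process names);
    # anywhere else, fall back to the constructed sample.
    try:
        output = subprocess.run(["ss", "-antpl"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT
    print(report(output))
```

Run it as root on the server after each of the start steps below; a port that stays in the "missing" list after the documented wait time is the first thing to look at in the component's log.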

0x02, deploy es

Install jre:

# wget https://sec.ly.com/mirror/jre-8u161-linux-x64.rpm && yum -y localinstall jre-8u161-linux-x64.rpm

Because downloading the es package with wget is slow on Linux systems, it is recommended to download the file separately and upload it to the /home directory:

# cd /home

# tar xf elasticsearch-5.6.8.tar.gz -C /opt

Or download and install it from the official site:

# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.6.8.tar.gz && tar -zxvf elasticsearch-5.6.8.tar.gz -C /opt

Elasticsearch refuses to run as root. Create a new non-root user; the last argument is the password you choose yourself.

# groupadd elasticsearch && useradd elasticsearch -g elasticsearch -p 123qwe..

(Note that useradd -p expects an already-hashed password, so the string above is not usable for logging in as that user; this does not matter here because root switches to the account with su below.)

Change the owner and group of the folder and everything inside it to elasticsearch:elasticsearch:

# chown -R elasticsearch:elasticsearch /opt/elasticsearch-5.6.8

On centos7 systems, be sure to edit /opt/elasticsearch-5.6.8/config/elasticsearch.yml and set the following:

network.host: 192.168.89.180

discovery.type: single-node

bootstrap.system_call_filter: false

Start the service

# su - elasticsearch -c '/opt/elasticsearch-5.6.8/bin/elasticsearch -d'

Check whether ports 9200 and 9300 are listening. If memory is small, wait a little longer (startup takes about 2 minutes with 2GB of memory, about 1 minute with 4GB).

ss -antpl

Confirm with a curl request that ES has started successfully:

curl -XGET -s "http://localhost:9200/_cluster/health?pretty"

curl -XGET -s "http://127.0.0.1:9200/_cluster/health?pretty"

curl -XGET -s "http://192.168.89.180:9200/_cluster/health?pretty"

(With network.host set to 192.168.89.180 as above, elasticsearch binds only that address, so the first two requests are refused and the third one is the meaningful check.)

0x03, upload Yulong's compiled package to /home and decompress it to /home/yulong-hids

# chmod 755 server web/web

# vi /root/yulong-hids/web/conf/app.conf

Change the password for logging in to the web management interface. The password is stored as its MD5 hash (32-character hex):

md5(123qwe..) = 6c2084f62b844a511cb9e72597e4ffe4

(An unsalted MD5 of a short password is recovered quickly from the config file or a database dump, so use a long random password for anything beyond a test deployment.)

Continue to modify the configuration file after setting the password

Whether to enable two-factor verification. It is used together with the Google Authenticator app and mainly gates sensitive operations behind an extra check.

Two-factor verification is not enabled here because this is a test deployment.

Change the mongodb and es addresses to the addresses where they were installed.

Start web:

cd web/

./web

Or start it in the background:

nohup ./web &

ss -antpl

Check whether ports 80 and 443 are open.

0x04, Web installation wizard, step 1

After the installation is complete, access the installation server's address over https.

Click initialize to initialize the database.

Step 2

Initialize the rules. You can write them yourself or use the default rules; the defaults are in rules.json in the release package, and you can simply copy the contents of rules.json.

Copy the highlighted part (screenshot in the original post):

Step 3

The third step is to upload the file packages, each of which contains three files: agent, daemon and data. The corresponding archives can be found in the release. It is best to upload all three system versions, otherwise you will not be able to add hosts of the missing system versions later.

The packages can be generated with /build/build.py on the corresponding system.

Step 4

Check the prompts in the edit box and fill in the corresponding contents.

Click the "generate Certificate" button. If web is running on linux, the certificate should be generated directly; if not, download the private key file, generate the certificate with the command given in the prompt, and paste the certificate contents into the edit box.

0x05, start server

./server -db 192.168.89.180:27017 -es 192.168.89.180:9200

Or start it in the background:

nohup ./server -db 192.168.89.180:27017 -es 192.168.89.180:9200 &

ss -antpl

Check whether port 33433 is open.

0x06, agent installation

# The automatically generated installation commands can be viewed when adding a host in the host list (libpcap is required on linux; winpcap is required on Windows).

# The address of web is http://192.168.89.180, and the ip following netloc is the ip of web.

Summary of installation commands:

Linux-64: wget -O /tmp/daemon http://192.168.89.180:80/json/download?type=daemon\&system=linux\&platform=64\&action=download;chmod +x /tmp/daemon;/tmp/daemon -install -netloc 192.168.89.180

Windows-64: cd %SystemDrive% & certutil -urlcache -split -f http://192.168.89.180:80/json/download?type=daemon^&system=windows^&platform=64^&action=download daemon.exe & daemon.exe -install -netloc 192.168.89.180

Windows-32: cd %SystemDrive% & certutil -urlcache -split -f http://192.168.89.180:80/json/download?type=daemon^&system=windows^&platform=32^&action=download daemon.exe & daemon.exe -install -netloc 192.168.89.180

Windows-32-powershell: [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; (New-Object System.Net.WebClient).DownloadFile("https://192.168.89.180/json/download?type=daemon&system=windows&platform=32&action=download","C:\daemon.exe"); C:\daemon.exe -install -netloc 192.168.89.180

Windows-64-powershell: [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; (New-Object System.Net.WebClient).DownloadFile("https://192.168.89.180/json/download?type=daemon&system=windows&platform=64&action=download","C:\daemon.exe"); C:\daemon.exe -install -netloc 192.168.89.180
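The generated commands above fetch the daemon over plaintext http on port 80, and the PowerShell variants disable certificate validation (`ServerCertificateValidationCallback={$true}`), so on anything other than an isolated test network the binary that gets installed as root or SYSTEM is whatever the network path delivers. As an added example that is not part of the original post or the Yulong project, the following Python script fetches the same download URL over https while validating the server certificate against an operator-supplied trust anchor and refuses to write the file unless its SHA-256 matches a digest recorded from the release package. It assumes that the Yulong web serves the download on 443 (as the PowerShell commands do), that `ca_file` holds the web server's certificate or issuing CA and that this certificate names the address used (an IP SAN when connecting by IP), and that the operator computed `expected_sha256` from the release daemon beforehand; the hypothetical file paths in the usage line are placeholders.

```python
import hashlib
import hmac
import ssl
import urllib.request

# Query string used by the wizard-generated commands on the page.
DOWNLOAD_PATH = "/json/download?type=daemon&system={system}&platform={platform}&action=download"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the downloaded bytes against a digest recorded from the release package."""
    # constant-time comparison; the digest is public, but this keeps the habit consistent
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def fetch_daemon(web_host: str, system: str, platform: str,
                 ca_file: str, expected_sha256: str, dest: str) -> int:
    """Download the daemon over https, trusting only ca_file, and keep it only if the digest matches.

    ca_file: certificate (or issuing CA) of the Yulong web server (assumption for this example).
    expected_sha256: hex digest the operator computed from the release daemon (assumption).
    Returns the number of bytes written.
    """
    url = f"https://{web_host}" + DOWNLOAD_PATH.format(system=system, platform=platform)
    # Unlike ServerCertificateValidationCallback={$true}, this context still validates the
    # certificate chain and hostname, just against the operator-supplied trust anchor.
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(url, context=context, timeout=30) as resp:
        data = resp.read()
    if not digest_matches(data, expected_sha256):
        raise ValueError("daemon digest mismatch; not writing " + dest)
    with open(dest, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    import sys
    # usage (placeholder paths): python fetch_daemon.py 192.168.89.180 linux 64 /path/to/web-ca.pem <sha256> /tmp/daemon
    host, system, platform, ca, digest, dest = sys.argv[1:7]
    written = fetch_daemon(host, system, platform, ca, digest, dest)
    print(f"wrote {written} bytes to {dest}")
```

After the download, the `chmod +x` and `-install -netloc` steps from the generated Linux command apply unchanged; the only difference is that the bytes being installed have been tied to a known certificate and a known digest.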

The client has come online:

Tested a webshell executing system commands: the system detected it successfully.

Tested a reverse meterpreter/reverse_tcp connection: the system detected that successfully as well.


© 2024 shulou.com SLNews company. All rights reserved.
