Fuzzing interactive applications with afl+preeny
Xianzhi community submission
Notes on DynELF
Frida trial notes
Tool trials
Remote SSH and file transfer with iterm2+sshpass
On countering LD_PRELOAD
threat hunting
wireshark,scapy
Tool trials
STL monitoring
Domain Fronting
Tool trials
unsortbin attack
unsortbin attack
heap off by one
house of force and unlink
fastbin attack
Simple UAF exploitation
Linux system programming
Linux system programming
kernel pwn
kernel pwn
kernel pwn
kernel pwn
kernel pwn
kernel pwn
Vulnerability reproduction
fuzz
Kernel fuzzing
kernel pwn
Privilege escalation via modprobe_path
kernel pwn
kernel pwn
afl-fuzz AddressSanitizer
Simple macro virus extraction techniques
Simple algorithm reversing
Kernel debugging
Learning security with ATT&CK: privilege-escalation
Learning security with ATT&CK: lateral-movement
Learning security with ATT&CK: exfiltration
Learning security with ATT&CK: discovery
On Windows, use net user, net group and net localgroup (the Net tool set) or dsquery. System owner/user discovery: the red team wants to see the primary users and the currently logged-in users, and usually uses Credential Dumping to retrieve user names.
On Linux, use /etc/passwd to list users.
cat /etc/passwd
Reproduced successfully
cat /etc/sudoers
Reproduced successfully
grep 'x:0:' /etc/passwd
Reproduced successfully
lsof -u $username
Reproduced successfully
lastlog
Reproduced successfully
groups
id
Reproduced successfully
net user
net user /domain
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup
Reproduced successfully on Win10
net user
net user /domain
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-aduser -filter *
get-localgroup
net localgroup
Reproduced successfully on Win10
query user
Reproduced successfully on Win10
net time \\#{computer_name}
For example
net time \\localhost
or
w32tm /tz
or, in PowerShell
Get-Date
The red team can use the following to list applications:
compile an exe from the source below and then inspect the running processes.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} T1010.cs
#{output_file_name}
Works quite well
Reproduced successfully on Win10
find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
Will try this on my laptop later
where.exe /R C:\Users\ Bookmarks
Reproduced successfully on Win10
where /R C:\Users\ Bookmarks
Reproduced successfully on Win10
On domain trust relationships: within a single domain, member servers can easily assign resources to domain users based on the user accounts in Active Directory. But a single domain's scope is limited, and some enterprises use multiple domains, so how do we assign resources across domains in a multi-domain environment? In other words, how do we give domain A's resources to domain B's users? Generally there are two options. One is mirror accounts: create a user account with exactly the same user name and password in both domain A and domain B; once the resource in domain B is assigned to that account, the mirror account in domain A can access the resource in domain B.
The red team collects domain trust relationships in order to move laterally; enumeration is done by calling the DSEnumerateDomainTrusts() Win32 API.
dsquery * -filter "(objectClass=trustedDomain)" -attr *
The specified domain does not exist; should be reproducible
Use nltest to discover trusted domains; this technique has been used by the Trickbot malware family.
nltest /domain_trusts
Reproduced successfully on Win10
Get-NetDomainTrust
Get-NetForestTrust
Get-ADDomain
Get-ADGroupMember Administrators -Recursive
Not reproduced successfully
The red team can enumerate files and directories to gather information, usually with the tree and dir commands or the Windows API; on Linux, use ls, find and locate.
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
tree /F >> %temp%\download
Reproduced successfully on Win10
Run in PowerShell
ls -recurse
get-childitem -recurse
gci -recurse
Reproduced successfully on Win10
ls -a > allcontents.txt
ls -la /Library/Preferences/ > detailedprefsinfo.txt
file */* *>> ../files.txt
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh
Reproduced successfully
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab > /tmp/loot.txt
find . -type f -iname *.pdf > /tmp/loot.txt
find . -type f -name ".*"
Reproduced successfully
On Linux
for port in {1..65535};
do
echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done
Reproduced successfully
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
Reproduced successfully
On Windows, file sharing usually uses the SMB protocol. net view \\remotesystem can be used to query whether a remote machine has shares enabled, and net share lists the shares enabled locally; the red team can use this for further lateral movement.
df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}
Reproduced successfully
net view \\#{computer_name}
For example
net view localhost
Reproduced successfully on Win10
Nothing much to say here; it is just capturing traffic.
The red team obtains the enterprise network's password policy to reduce the brute-force search space. On Windows, use net accounts and net accounts /domain; on Linux, use chage -l and cat /etc/pam.d/common-password.
cat /etc/pam.d/common-password
Should work
cat /etc/security/pwquality.conf
Reproduced successfully
cat /etc/pam.d/system-auth
cat /etc/security/pwquality.conf
Reproduced successfully
cat /etc/login.defs
Reproduced successfully
net accounts
Reproduced successfully on Win10
net accounts /domain
Reproduced successfully on Win10
The red team looks up local or remote groups to find out about permissions. On Windows, use net group /domain and net localgroup; on Linux, use groups and ldapsearch.
dscacheutil -q group
dscl . -list /Groups
groups
Reproduced successfully
net localgroup
net group /domain
Reproduced successfully
Run in PowerShell
get-localgroup
get-ADPrincipalGroupMembership #{user} | select name
Reproduced successfully on Win10
net group /domai 'Domain Admins'
net groups 'Account Operators' /doma
net groups 'Exchange Organization Management' /doma
net group 'BUILTIN\Backup Operators' /doma
Not reproduced successfully
On Linux
ps >> #{output_file}
ps aux >> #{output_file}
Reproduced successfully
On Windows
tasklist
Reproduced successfully on Win10
net view /domain
net view
Reproduced successfully on Win10
net group "Domain Computers" /domain
Should work
nltest.exe /dclist:#{target_domain}
Should work
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
Reproduced successfully on Win10
arp -a
Reproduced successfully on Win10
arp -a | grep -v '^?'
Reproduced successfully
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
Reproduced successfully
Run in PowerShell
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
Reproduced successfully on Win10
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
Reproduced successfully on Win10
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Reproduced successfully on Win10
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
Reproduced successfully on Win10
systemsetup
system_profiler
ls -al /Applications
Not reproduced successfully
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt
Reproduced successfully
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
Reproduced successfully
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
Reproduced successfully
hostname
Reproduced successfully on Win10 and Linux
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
Reproduced successfully on Win10
ipconfig /all
netsh interface show
arp -a
nbtstat -n
net config
Reproduced successfully on Win10
netsh advfirewall firewall show rule name=all
Reproduced successfully on Win10
arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig
Reproduced successfully
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
Reproduced successfully on Win10
This checks the firewall's egress filtering rules; run in PowerShell
1..1024 | % {$test= new-object system.Net.Sockets.TcpClient; $wait = $test.beginConnect("allports.exposed",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "
or
21,22,23,25,80,443,1337 | % {$test= new-object system.Net.Sockets.TcpClient; $wait =$test.beginConnect("allports.exposed",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "
or
80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646,5000,5631,631,49153,8081,2049,88,79,5800,106,2121,1110,49155,6000,513,990,5357,427,49156,543,544,5101,144,7,389,8009,3128,444,9999,5009,7070,5190,3000,5432,3986,13,1029,9,6646,49157,1028,873,1755,2717,4899,9100,119,37,1000,3001,5001,82,10010,1030,9090,2107,1024,2103,6004,1801,19,8031,1041,255,3703,17,808,3689,1031,1071,5901,9102,9000,2105,636,1038,2601,7000 | % {$test= new-object system.Net.Sockets.TcpClient; $wait =$test.beginConnect("allports.exposed",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "
Reproduced successfully on Win10
This is just viewing the network state
netstat
net use
net sessions
Reproduced successfully on Win10
Get-NetTCPConnection
Reproduced successfully on Win10
netstat
who -a
Reproduced successfully
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
Reproduced successfully on Win10
users
w
who
Reproduced successfully
The red team looks through the contents of browser bookmarks to find more information.
find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
Some ways to find local users
cat /etc/passwd
View sudoers
sudo cat /etc/sudoers
Enumerate users and groups
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
The red team can check the password policy before subsequent brute-force work.
pwpolicy getaccountpolicies
for port in {1..65535};
do
echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
Some group queries
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
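The commands reproduced in this post are exactly what a defender wants to see in process-creation telemetry. As an added example (not part of the original post), the script below classifies command lines into the discovery categories the post covers (account, domain trust, system, network, process, share, password policy) and alerts only when one host/user pair runs several categories inside a short window, since a single `ipconfig /all` or `tasklist` is everyday admin activity. The pipe-separated log format and the log lines themselves are constructed for the example; the command patterns come from the post.

```python
"""Added example: flag bursts of ATT&CK Discovery commands in process-creation logs.

Not part of the original post. The log format (timestamp|host|user|command line)
is a constructed simplification; the command patterns are the ones the post
reproduces on Win10 and Linux.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex list per discovery category, matching commands listed in the post.
DISCOVERY_PATTERNS = {
    "account": [r"\bnet\s+user\b", r"\bnet\s+(local)?group\b", r"\bget-localuser\b",
                r"\bget-aduser\b", r"\bquery\s+user\b", r"\bqwinsta\b", r"\bquser\b",
                r"\bwhoami\b", r"\bcmdkey(\.exe)?\s+/list\b", r"\bwmic\s+useraccount\b",
                r"cat\s+/etc/passwd"],
    "domain_trust": [r"\bnltest(\.exe)?\s+/domain_trusts\b", r"\bnltest(\.exe)?\s+/dclist\b",
                     r"\bdsquery\b.*trustedDomain", r"\bget-net(domain|forest)trust\b"],
    "system": [r"\bsysteminfo\b", r"\breg\s+query\b.*\\(Uninstall|Cryptography)\b",
               r"\bhostname\b", r"\buname\s+-a\b"],
    "network": [r"\bipconfig\s+/all\b", r"\barp\s+-a\b", r"\bnetsh\s+advfirewall\b",
                r"\bnbtstat\s+-n\b", r"\bnetstat\b", r"\bGet-NetTCPConnection\b"],
    "process": [r"\btasklist\b", r"\bps\s+aux\b"],
    "share": [r"\bnet\s+view\b", r"\bnet\s+share\b", r"\bshowmount\b"],
    "password_policy": [r"\bnet\s+accounts\b", r"/etc/pam\.d/", r"/etc/login\.defs\b",
                        r"\bchage\s+-l\b"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in DISCOVERY_PATTERNS.items()}

# Constructed sample telemetry (not real data): one noisy burst on WS01,
# plus benign single commands on other hosts.
SAMPLE_LOG = [
    "2024-05-01T09:58:00|BUILD01|svc_build|tasklist",
    "2024-05-01T10:00:00|WS01|bob|cmd.exe /C whoami",
    "2024-05-01T10:00:12|WS01|bob|net user /domain",
    "2024-05-01T10:00:40|WS01|bob|nltest /domain_trusts",
    "2024-05-01T10:01:05|WS01|bob|systeminfo",
    "2024-05-01T10:01:30|WS01|bob|ipconfig /all",
    "2024-05-01T10:01:55|WS01|bob|tasklist",
    "2024-05-01T10:03:00|WS02|alice|ipconfig /all",
    "2024-05-01T10:20:00|WS02|alice|notepad.exe C:\\notes.txt",
    "2024-05-01T11:00:00|LNX01|root|cat /etc/passwd",
    "2024-05-01T11:00:30|LNX01|root|uname -a",
]


def classify(cmdline):
    """Return the discovery category of a command line, or None if it is not one."""
    for cat, regs in COMPILED.items():
        if any(r.search(cmdline) for r in regs):
            return cat
    return None


def parse_line(line):
    """Split 'timestamp|host|user|command'; the command may itself contain pipes."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def detect_bursts(lines, window=timedelta(minutes=5), min_categories=3):
    """Return (host, user, sorted categories, window start) for every host/user
    pair that ran commands from at least min_categories discovery categories
    inside one sliding window. One alert per pair, at the earliest window."""
    events = defaultdict(list)
    for line in lines:
        ts, host, user, cmd = parse_line(line)
        cat = classify(cmd)
        if cat:
            events[(host, user)].append((ts, cat))
    alerts = []
    for (host, user), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            cats = {c for t, c in evs[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts.append((host, user, sorted(cats), start))
                break
    return alerts


if __name__ == "__main__":
    for host, user, cats, start in detect_bursts(SAMPLE_LOG):
        print(f"{start.isoformat()} {host}\\{user}: discovery burst {cats}")
```

The single-command hosts (BUILD01, WS02) and the Linux host that only touched two categories produce nothing; only WS01/bob, who walked through account, trust, system, network and process discovery in under two minutes, is reported. Tune `window` and `min_categories` against your own baseline of admin activity before deploying this logic.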
Learning security with ATT&CK: command-and-control
Learning security with ATT&CK: persistence
Learning security with ATT&CK: initial access
Learning security with ATT&CK: execution
Learning security with ATT&CK: defense-evasion
Learning security with ATT&CK: credential-access
Learning security with ATT&CK: collection
Malware analysis
Introductory notes on Windows core programming
Accessing a Linux VM in NAT network mode over ssh
BCTF2017 babyuse writeup
Setting up a qemu environment on Ubuntu 18.04
httpd RCE
lctf2018 easy_heap writeup
BCTF2016 bcloud writeup
0ctf2017 babyheap writeup
plaidctf plaiddb writeup
Heap tutorial: unlink and mmap
0ctf2015 freenote writeup
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/linux-kernel-rop-ropping-your-way-to-part-1/
Seccomp and Ptrace
Heap tutorial: fastbin attack
HITBCTF2017 1000levels writeup
SystemTap installation tutorial
DNSTracer stack overflow vulnerability
american fuzzy lop usage notes
wget arbitrary file upload vulnerability
wget skip_short_body stack overflow vulnerability
tcpdump sliplink_print stack overflow vulnerability reproduction
pwnable login writeup
DefCampCTF2016 SMS writeup
BCTF2017 100levels writeup
360ichunqiu2017 smallest writeup
pwnable login writeup
Alictf2016 vss writeup
prectf2015 xpl writeup
LCTF2016 pwn100 writeup
LCTF2016 pwn100 writeup
Summary of C as used in pwn
grehackctf2017 beerfighter writeup
Read chapters 1-27 closely and skim the rest; read it through once first, then use it as a reference.
ROP on 64-bit systems
sploitfun tutorial series 3.2: Heap overflow using Malloc Maleficarum
ASLR, NX, PIE, StackGuard, RELRO, etc.
Issue roundup
Heap vulnerabilities: unlink
64-bit pwn
How to add debug symbols to libc
CVE-2015-0235 vulnerability reproduction
XDCTF2015 pwn200 writeup
return to Dynamic Resolver
LCTF2016 pwn200 writeup
BackdoorCTF2017 Fun-Signals writeup
sploitfun tutorial series 1.3: heap-based Off-By-One vulnerability
HCTF2016 brop writeup
NJCTF2017 pingme writeup
Translated article; the original is at https://uaf.io/exploitation/misc/2016/04/02/Finding-Functions.html
sploitfun tutorial series 2.3.3: GOT overwrite and GOT dereference
sploitfun tutorial series 3.1: heap overflow via unlink
sploitfun tutorial series 2.3.1: return_to_plt
sploitfun tutorial series 2.1: return-to-libc
sploitfun tutorial series 2.2: chained return-to-libc
sploitfun tutorial series 2.3.2: brute_force
Why debugging in gdb and running the program directly give different results
sploitfun tutorial series 1.2: integer overflow
sploitfun tutorial series 1.3: stack-based Off-By-One vulnerability
sploitfun tutorial series 1.1: classic stack overflow
Full code: https://github.com/snappyJack/mitmdump_monitor/blob/master/mitmdump_monitor.py
Frog CMS 0.9.5 has a file upload Vulnerability in /admin/?/plugin/file_manager/save
PECSM-TEAM 2.2.2 has a file upload vulnerability
demo