先知社区投稿

先知社区投稿

先知社区投稿

先知社区投稿

先知社区投稿

先知社区投稿

先知社区投稿

关于DynELF的总结

Frida试用总结

工具试用

iterm2+sshpass实现远程ssh与文件传输

关于LD_PRELOAD对抗

threat hunting

wireshark,scapy

工具试用

STL监控

Domain Fronting

工具试用

unsortbin attack

unsortbin attack

heap off by one

house of force and unlink

fastbin attack

UAF的简单利用

linux系统编程

linux系统编程

kernel pwn

kernel pwn

kernel pwn

kernel pwn

kernel pwn

kernel pwn

漏洞复现

fuzz

内核Fuzz

kernel pwn

利用modprobe_path方法提权

kernel pwn

kernel pwn

alf-fuzz AddressSanitizer

简宏病毒提取姿势

简单的算法逆向

内核调试

跟着ATT&CK学安全之privilege-escalation

跟着ATT&CK学安全之lateral-movement

跟着ATT&CK学安全之exfiltration

layout: post title: 跟着ATT&CK学安全之discovery excerpt: “跟着ATT&CK学安全之discovery” categories: [ATT&CK] comments: true

T1087 - Account Discovery

对于windows,可使用net user,net group,net localgroup.使用Net工具集或者dsquery.提供所有者/用户的发现:红队想查看主要的用户,当前登陆的用户,通常红队使用Credential Dumping来检索用户名称

对于linux ,使用/etc/passwd来查看用户

测试1 linux上枚举所有账户

cat /etc/passwd

成功复现

测试2 查看sudoer权限账户

cat /etc/sudoers

成功复现

测试3 View accounts with UID 0

grep 'x:0:' /etc/passwd

成功复现

测试4 List opened files by user

lsof -u $username

成功复现

测试5 Show if a user account has ever logger in remotely

lastlog

成功复现

测试6 Enumerate users and groups

groups
id

成功复现

测试7 Enumerate all accounts

net user
net user /domain
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup

win10成功复现

测试8 Enumerate all accounts via PowerShell

net user
net user /domain
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-aduser -filter *
get-localgroup
net localgroup

win10成功复现

测试9 Enumerate logged on users

query user

win10成功复现

T1124 - System Time Discovery

net time \\#{computer_name}

例如

net time \\localhost

或者

w32tm /tz

或者在powershell中

Get-Date

T1010 - Application Window Discovery

红队可以使用如下进行应用程序列表的查看

测试1 List Process Main Windows - C# .NET

使用源码编译一个exe然后查看运行的process

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} T1010.cs
#{output_file_name}

还挺好用的

win10成功复现

T1217 - Browser Bookmark Discovery

测试1 List Mozilla Firefox Bookmark Database Files on Linux

find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;

回去用我的笔记本试一下

测试2 List Google Chrome Bookmarks on Windows with powershell

where.exe /R C:\Users\ Bookmarks

win10成功复现

测试3 List Google Chrome Bookmarks on Windows with command prompt

where /R C:\Users\ Bookmarks

win10成功复现

T1482 - Domain Trust Discovery

关于域信任关系：在同一个域内,成员服务器根据Active Directory中的用户账号,可以很容易地把资源分配给域内的用户.但一个域的作用范围毕竟有限,有些企业会用到多个域,那么在多域环境下,我们该如何进行资源的跨域分配呢？也就是说,我们该如何把A域的资源分配给B域的用户呢？一般来说,我们有两种选择,一种是使用镜像账户.也就是说,我们可以在A域和B域内各自创建一个用户名和口令都完全相同的用户账户,然后在B域把资源分配给这个账户后,A域内的镜像账户就可以访问B域内的资源了

红队通过收集域信任关系从而进行横向移动.通过调用DSEnumerateDomainTrusts() Win32 API,来进行枚举

测试1 Windows - Discover domain trusts with dsquery

dsquery * -filter "(objectClass=trustedDomain)" -attr *

制定的域不存在，应该可以复现

测试2 Windows - Discover domain trusts with nltest

使用nltest发现信任的域名,这个技术曾被Trickbot病毒家族使用

nltest /domain_trusts

win10成功复现

测试3 Powershell enumerate domains and forests

Get-NetDomainTrust
Get-NetForestTrust
Get-ADDomain
Get-ADGroupMember Administrators -Recursive

没有复现成功

T1083 - File and Directory Discovery

红队可以枚举文件和目录进行信息收集,通常用tree和dir命令,或者使用window的api,对于linux,使用lsfind和locate来收集

测试1 File and Directory Discovery

dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
tree /F >> %temp%\download

win10成功复现

测试2 File and Directory Discovery

在powershell中运行

ls -recurse
get-childitem -recurse
gci -recurse

win10成功复现

测试3 Nix File and Diectory Discovery

ls -a > allcontents.txt
ls -la /Library/Preferences/ > detailedprefsinfo.txt
file */* *>> ../files.txt
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh

成功复现

测试4 Nix File and Directory Discovery

cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab > /tmp/loot.txt
find . -type f -iname *.pdf > /tmp/loot.txt
find . -type f -name ".*"

成功复现

T1046 - Network Service Scanning

测试1 Port Scan

在linux中

for port in {1..65535};
do
  echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done

成功复现

测试2 Port Scan Nmap

nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

成功复现

T1135 - Network Share Discovery

对于windows,通常使用SMB协议进行文件分享,net view \remotesystem可以用来查询远程及其是否开启了远程共享.也可以使用net share.查看本地开启的共享服务,红队可以根据这个进行更进一步的横向移动

测试1 Network Share Discovery

df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}

成功复现

测试2 Network Share Discovery command prompt

net view \\#{computer_name}
例如
net view localhost

win10成功复现

T1040 - Network Sniffing

这个没什么说的,就是抓流量

T1201 - Password Policy Discovery

红队根据获取企业网络中的密码规则,从而减小爆破的量.对于windows,可以使用net accounts和net accounts /domain,对于linux,使用chage -l和cat /etc/pam.d/common-password

测试1 Examine password complexity policy - Ubuntu

cat /etc/pam.d/common-password

应该可以

测试2 Examine password complexity policy - CentOS/RHEL 7.x

cat /etc/security/pwquality.conf

成功复现

测试3 Examine password complexity policy - CentOS/RHEL 6.x

cat /etc/pam.d/system-auth
cat /etc/security/pwquality.conf

成功复现

测试4 Examine password expiration policy - All Linux

cat /etc/login.defs

成功复现

测试5 Examine local password policy - Windows

net accounts

win10成功复现

测试6 Examine domain password policy - Windows

net accounts /domain

win10成功复现

T1069 - Permission Groups Discovery

红队通过查找本地或者远程的组来获取权限,对于windows,使用net group /domain和net localgroup来查看,对于linux,使用groups和ldapsearch

测试1 Permission Groups Discovery

dscacheutil -q group
dscl . -list /Groups
groups

成功复现

测试2 Basic Permission Groups Discovery Windows

net localgroup
net group /domain

成功复现

测试3 Permission Groups Discovery PowerShell

在powershell中运行

get-localgroup
get-ADPrincipalGroupMembership #{user} | select name

win10成功复现

测试4 Elevated group enumeration using net group

net group /domai 'Domain Admins'
net groups 'Account Operators' /doma
net groups 'Exchange Organization Management' /doma
net group 'BUILTIN\Backup Operators' /doma

没有成功复现

T1057 - Process Discovery

测试1 Process Discovery - ps

linux中

ps >> #{output_file}
ps aux >> #{output_file}

成功复现

测试2 Process Discovery - tasklist

windows中

tasklist

win10成功复现

T1018 - Remote System Discovery

测试1 Remote System Discovery - net

net view /domain
net view

win10成功复现

测试2 Remote System Discovery - net group Domain Computers

net group "Domain Computers" /domain

应该可以

测试3 Remote System Discovery - nltest

nltest.exe /dclist:#{target_domain}

应该可以

测试4 Remote System Discovery - ping sweep

for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i

win10成功复现

测试5 Remote System Discovery - arp

arp -a

win10成功复现

测试6 Remote System Discovery - arp nix

arp -a | grep -v '^?'

成功复现

测试7 Remote System Discovery - sweep

for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

成功复现

测试8 Remote System Discovery - nslookup

powershell中运行

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}

win10成功复现

T1518 - Software Discovery

测试1 Find and Display Internet Explorer Browser Version

reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion

win10成功复现

测试2 Applications Installed

Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize

win10成功复现

T1082 - System Information Discovery

测试1 System Information Discovery

systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

win10成功复现

测试2 System Information Discovery

systemsetup
system_profiler
ls -al /Applications

没有成功复现

测试3 List OS Information

uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt

成功复现

测试4 Linux VM Check via Hardware

cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"

成功复现

测试5 Linux VM Check via Kernel Modules

sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"

成功复现

测试6 Hostname Discovery (Windows and linux)

hostname

win10和linux成功复现

测试7 Windows MachineGUID Discovery

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

win10成功复现

T1016 - System Network Configuration Discovery

测试1 System Network Configuration Discovery

ipconfig /all
netsh interface show
arp -a
nbtstat -n
net config

win10成功复现

测试2 List Windows Firewall Rules

netsh advfirewall firewall show rule name=all

win10成功复现

测试3 System Network Configuration Discovery

arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig

成功复现

测试4 System Network Configuration Discovery (Trickbot Style)

ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts

win10成功复现

测试5 List Open Egress Ports

就是查看防火墙的出口过滤规则,在powershell中运行

1..1024 | % {$test= new-object system.Net.Sockets.TcpClient; $wait = $test.beginConnect("allports.exposed",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "

或者

21,22,23,25,80,443,1337 | % {$test= new-object system.Net.Sockets.TcpClient; $wait =$test.beginConnect("allports.exposed",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "

或者

80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646,5000,5631,631,49153,8081,2049,88,79,5800,106,2121,1110,49155,6000,513,990,5357,427,49156,543,544,5101,144,7,389,8009,3128,444,9999,5009,7070,5190,3000,5432,3986,13,1029,9,6646,49157,1028,873,1755,2717,4899,9100,119,37,1000,3001,5001,82,10010,1030,9090,2107,1024,2103,6004,1801,19,8031,1041,255,3703,17,808,3689,1031,1071,5901,9102,9000,2105,636,1038,2601,7000 | % {$test= new-object system.Net.Sockets.TcpClient; $wait =$test.beginConnect("allports.exposed",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "

win10成功复现

T1049 - System Network Connections Discovery

这个就是网络状态的查看

测试1 System Network Connections Discovery

netstat
net use
net sessions

win10成功复现

测试2 System Network Connections Discovery with PowerShell

Get-NetTCPConnection

win10成功复现

测试3 System Network Connections Discovery Linux & MacOS

netstat
who -a

成功复现

T1033 - System Owner/User Discovery

测试1 System Owner/User Discovery

cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe" /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt

win10成功复现

测试2 System Owner/User Discovery

users
w
who

成功复现

macos

T1217 - Browser Bookmark Discovery

红队根据查找浏览器书签栏的内容，查找更多内容

Demo1 查找firefox书签栏的内容

find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

Demo2 查找chrome书签栏的内容

find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

T1087.001 - Local Account

一些查找本地用户的方法

cat /etc/passwd

查看suder

sudo cat /etc/sudoers

枚举用户名和用户组

dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user

T1201 - Password Policy Discovery

红队可以根据查看密码策略做后续的爆破工作

pwpolicy getaccountpolicies

T1046 - Network Service Scanning

通过tcp连接来判断tcp连接

for port in {1..65535};
do
  echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done

使用一些工具来判断端口开放情况

nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

T1069.001 - Local Groups

一些用户组的查询

if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;

跟着ATT&CK学安全之command-and-control

跟着ATT&CK学安全之persistence

跟着ATT&CK学安全之initial access

跟着ATT&CK学安全之execution

跟着ATT&CK学安全之defense-evasion

跟着ATT&CK学安全之credential-access

跟着ATT&CK学安全之collection

恶意程序分析

Windows核心编程入门笔记

通过ssh访问NAT网络模式下的Linux虚拟机

BCTF2017 babyuse writeup

ubuntu 18.04中的qemu环境搭建

httpd RCE

lctf2018 easy_heap writeup

BCTF2016 bcloud writeup

0ctf2017 babyheap writeup

plaidctf plaiddb writeup

heap教程之unlink和mmap

0ctf2015 freenote writeup

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/linux-kernel-rop-ropping-your-way-to-part-1/

Seccomp and Ptrace

heap教程之fastbin attack

HITBCTF2017 1000levels wirteup

SystemTap安装教程

DNSTracer 栈溢出漏洞

american fuzzy lop工具使用记录

wget 任意文件上传漏洞

wget skip_short_body 栈溢出漏洞

tcpdump sliplink_print 栈溢出漏洞复现

pwnable login wirteup

DefCampCTF2016 SMS wirteup

BCTF2017 100levels wirteup

360ichunqiu2017 smallest wirteup

pwnable login wirteup

Alictf2016 vss wirteup

prectf2015 xpl wirteup

LCTF2016 pwn100 wirteup

LCTF2016 pwn100 wirteup

pwn中使用的C语言总结

grehackctf2017 beerfighter writeup

精读1-27,粗读剩下的.先通读，再用作工具书

64位系统下的ROP

sploitfun系列教程之3.2 Heap overflow using Malloc Maleficarum

ASLR NX PIE StackGuard RELRO等

问题汇总

heap漏洞之unlink

64位的pwn

给libc添加debug symbol的操作方法

CVE-2015-0235漏洞复现

XDCTF2015 pwn200 wirteup

return to Dynamic Resolver

LCTF2016 pwn200 wirteup

BackdoorCTF2017 Fun-Signals writeup

sploitfun系列教程之1.3基于堆的Off-By-One漏洞

HCTF2016 brop wirteup

NJCTF2017 pingme wirteup

翻译文，原文来自https://uaf.io/exploitation/misc/2016/04/02/Finding-Functions.html

sploitfun系列教程之2.3.3 GOT overwrite 和GOT dereference

sploitfun系列教程之3.1 堆溢出之unlink

sploitfun系列教程之2.3.1 return_to_plt

sploitfun系列教程之2.1 return-to-libc

sploitfun系列教程之2.2 chained return-to-libc

sploitfun系列教程之2.3.2 brute_force

为什么gdb调试和直接运行程序会有不同的结果

sploitfun系列教程之1.2整数溢出

sploitfun系列教程之1.3基于栈的Off-By-One漏洞

sploitfun系列教程之1.1经典的栈溢出

完整代码地址： https://github.com/snappyJack/mitmdump_monitor/blob/master/mitmdump_monitor.py

Frog CMS 0.9.5 has a file upload Vulnerability in /admin/?/plugin/file_manager/save

PECSM-TEAM 2.2.2 has a file upload vulnerability

demo