How to block ping on Linux

The file-modification method

This method requires root privileges.
Disable: 'echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all'
Restore: 'echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all'
The change takes effect immediately but does not survive a reboot; to make it persistent, also set net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf.

The iptables method

Disable: 'iptables -I INPUT -i eth0 -p icmp -s 0/0 -d 0/0 -j DROP'
Restore: 'iptables -I INPUT -i eth0 -p icmp -s 0/0 -d 0/0 -j ACCEPT'
Note that the restore command inserts an ACCEPT rule in front of the DROP rule rather than removing it; 'iptables -D INPUT -i eth0 -p icmp -s 0/0 -d 0/0 -j DROP' deletes the DROP rule instead. Also, '-p icmp' matches every ICMP type, not only echo requests, so this rule also drops messages such as destination-unreachable and fragmentation-needed; add '--icmp-type echo-request' to block only ping.

A first look at Nmap

A few words up front

I have been working at 信通 for a bit over a month now and have gradually settled into the rhythm of the job. This was my first time back in Nanjing from a business trip to Jilin; I had planned to rest for a short while, but my colleagues were swamped (State Grid was preparing a surprise inspection), so... I ended up working Saturday and Sunday as well. As before, the work itself is simple; the troublesome part is tracking down people and devices, and management's requirements can change at any moment. Today, for example, I was suddenly asked to compile the IPs of every live host in the system.

Whoa, how am I supposed to find that many IPs...
Then I remembered a handy tool I had used a little before: Nmap.

A small detour

I originally assumed Nmap wasn't available on OS X, so I moved over to my Kali Linux environment to do it. Damn! In the end I found a quick way to install it online.

Specifically, just 'brew install nmap' - -!

Today's hands-on task

It's really very simple: finding the number and IP addresses of live hosts on the internal network takes a single command.
'nmap -sP 192.168.1.0/24' is the example (it scans a whole /24 subnet for live hosts; -sP is the ping-scan option, which newer Nmap versions call -sn).
Going a bit further, nmap can also write its output to a file: just append the parameter -oX filename.xml
Note: that is the letter o, not the digit 0.

Further reading

Nmap

Metasploit01

Before using Metasploit

Use the following command to start the PostgreSQL service:
'service postgresql start'

Starting Metasploit

Use 'msfconsole' to start the program.
Metasploit is located at
/usr/share/metasploit-framework/msfconsole

Getting help in Metasploit

'msfconsole -h'

Searching for vulnerability modules by name

'search name:mysql'
msf > search name:mysql

Matching Modules
================

Name                                               Disclosure Date  Rank       Description
----                                               ---------------  ----       -----------
auxiliary/admin/mysql/mysql_enum                                    normal     MySQL Enumeration Module
auxiliary/admin/mysql/mysql_sql                                     normal     MySQL SQL Generic Query
auxiliary/analyze/jtr_mysql_fast                                    normal     John the Ripper MySQL Password Cracker (Fast Mode)
auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal     MySQL Authentication Bypass Password Dump
auxiliary/scanner/mysql/mysql_file_enum                             normal     MYSQL File/Directory Enumerator
auxiliary/scanner/mysql/mysql_hashdump                              normal     MYSQL Password Hashdump
auxiliary/scanner/mysql/mysql_login                                 normal     MySQL Login Utility
auxiliary/scanner/mysql/mysql_schemadump                            normal     MYSQL Schema Dump
auxiliary/scanner/mysql/mysql_version                               normal     MySQL Server Version Enumeration
auxiliary/server/capture/mysql                                      normal     Authentication Capture: MySQL
exploit/linux/mysql/mysql_yassl_getname            2010-01-25       good       MySQL yaSSL CertDecoder::GetName Buffer Overflow
exploit/linux/mysql/mysql_yassl_hello              2008-01-04       good       MySQL yaSSL SSL Hello Message Buffer Overflow
exploit/windows/mysql/mysql_mof                    2012-12-01       excellent  Oracle MySQL for Microsoft Windows MOF Execution
exploit/windows/mysql/mysql_payload                2009-01-16       excellent  Oracle MySQL for Microsoft Windows Payload Execution
exploit/windows/mysql/mysql_start_up               2012-12-01       excellent  Oracle MySQL for Microsoft Windows FILE Privilege Abuse
exploit/windows/mysql/mysql_yassl_hello            2008-01-04       average    MySQL yaSSL SSL Hello Message Buffer Overflow
exploit/windows/mysql/scrutinizer_upload_exec      2012-07-27       excellent  Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential

Searching for vulnerability modules by platform

'search platform:mysql'
msf > search platform:mysql

Matching Modules
================

Name                                               Disclosure Date  Rank       Description
----                                               ---------------  ----       -----------
exploit/linux/mysql/mysql_yassl_getname            2010-01-25       good       MySQL yaSSL CertDecoder::GetName Buffer Overflow
exploit/linux/mysql/mysql_yassl_hello              2008-01-04       good       MySQL yaSSL SSL Hello Message Buffer Overflow
exploit/multi/http/manage_engine_dc_pmp_sqli       2014-06-08       excellent  ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
exploit/windows/mysql/mysql_mof                    2012-12-01       excellent  Oracle MySQL for Microsoft Windows MOF Execution
exploit/windows/mysql/mysql_start_up               2012-12-01       excellent  Oracle MySQL for Microsoft Windows FILE Privilege Abuse
exploit/windows/mysql/mysql_yassl_hello            2008-01-04       average    MySQL yaSSL SSL Hello Message Buffer Overflow

Search by type

'search type:post'

Search by author

'search author:dookie'

Capturing images on the local network

Lab setup

Attacker: VMware Fusion -- Kali Linux virtual machine
Victim: this host, running OS X El Capitan

Attack prerequisites

Kali Linux must be on the same subnet as OS X; please Google the virtual-machine network settings yourself.

Tools required

1. arpspoof
2. driftnet

Steps

1. Get the necessary IP addresses
On Kali Linux, use the ifconfig command to see the local IP and the gateway address (ifconfig shows the local IP; route -n lists the gateway)
The OS X address

2. Run arpspoof -i eth0 -t 192.168.1.1 192.168.1.111
To explain: eth0 is the Kali Linux local network interface, 192.168.1.1 is my gateway address, and 192.168.1.111 is the OS X (victim) address

3. driftnet -i eth0 captures the victim's images
Once this command runs, a window pops up; if the victim is browsing images at that moment, the window shows those images. So if a girl is on the same LAN as you and she happens to be browsing her private photo album, then heh heh heh... I won't spell out what heh heh heh means, zzz

Summary

This experiment is worth trying yourself; the underlying principle is quite simple, plain ARP spoofing, but it works well zz...
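The trace ARP spoofing leaves behind is a cache entry that points an IP address (here the gateway's or the victim's) at the attacker's MAC. As an added example that is not part of the original post, the Python script below checks a host's neighbour table for exactly that: it assumes Linux 'ip neigh show' output and a gateway MAC recorded earlier on a clean network, parses a constructed sample table, and reports both a gateway MAC that differs from the baseline and a MAC that answers for more than one IP.

```python
# Added example (not from the original post). Assumes Linux `ip neigh show` output format.
import re
from collections import defaultdict

# Matches "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"; entries without lladdr (FAILED/INCOMPLETE) do not match.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_neigh(text):
    """Return {ip: mac} (MACs lower-cased) from `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_arp_anomalies(table, gateway_ip, gateway_mac_baseline):
    """Return a list of findings; an empty list means nothing looked poisoned."""
    findings = []
    current = table.get(gateway_ip)
    if current is not None and current != gateway_mac_baseline.lower():
        findings.append(f"gateway {gateway_ip} MAC changed: {gateway_mac_baseline.lower()} -> {current}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # A legitimately multi-homed box can trip this too, so treat it as a signal to verify, not proof.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings

# Constructed sample: a neighbour table in which the gateway entry has been poisoned.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.150 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.99 dev eth0  FAILED
"""
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC_BASELINE = "de:ad:be:ef:00:01"  # constructed: recorded earlier on a known-clean network

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_neigh(SAMPLE_NEIGH), GATEWAY_IP, GATEWAY_MAC_BASELINE):
        print("ALERT:", finding)
```

On a live host, feed it the real output of 'ip neigh show' in place of the constructed sample; the baseline MAC must come from a snapshot taken when the network was known to be clean.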

More info: Weibo

Penetration testing process

The phases

Pre-Engagement Interaction
1. Penetration-test scope, objectives, constraints and the service contract
2. Collect client requirements, prepare the test plan, define the test scope, define the business objectives

Information Gathering
1. Public-information queries
2. Google Hacking
3. Social engineering
4. Network footprinting
5. Scanning and probing
6. Passive sniffing
7. Service enumeration

Threat Modeling
1. Intelligence analysis, attack paths

Vulnerability Analysis
1. Combine vulnerability-scan results with service-enumeration information and hunt for vulnerabilities in key services

Exploitation
1. Exploit the target's vulnerabilities, break into the system, obtain access control

Post Exploitation
1. Based on the target's business operations, identify the most valuable information and assets

Reporting
1. Deliver the penetration-test report to the client