Penetration test classification:
Black box testing (external testing): Designed to simulate an infiltration attack by an attacker who knows nothing about the client organization. Advantages: can simulate a real attack process more realistically; Disadvantages: time-consuming and laborious, penetration testers need to have higher technical capabilities.
White box testing (internal testing): A penetration attack conducted when the penetration tester has all the knowledge of the client organization. Advantages: No need to locate and collect intelligence, it can eliminate some possible security problems earlier, and it costs less than a black box; Disadvantages: Can not effectively test the emergency response procedures of the customer organization, and cannot judge their The efficiency of the security protection plan for detecting specific attacks.
Gray box testing: a combination of white + black testing can provide a more in-depth and comprehensive security review of the target system.
Penetration testing method system:
Open Source Manual of Security Testing Methodology (OSSTMM)
NIST SP 800-42 Cyber Security Testing Guide
OWASP Top Ten Web Application Security Threat Projects (OWASP Top Ten)
Web Security Threat Classification Standard (WASC-TC)
PTES penetration test implementation standard
Links in the penetration testing process:
Early interaction stage: This stage usually involves activities such as collecting customer requirements, preparing test plans, defining test scope and boundaries, defining business objectives, project management and planning.
Intelligence gathering stage: In this stage, the penetration testing team can use various information sources and gathering techniques to try to obtain more information about the target organization’s network topology, system configuration, and security defense measures.
Threat modeling stage: clarify the information and intelligence obtained from the intelligence gathering stage and determine the most feasible (not necessarily successful) attack channel.
Vulnerability analysis stage: consider how to obtain access control rights to the target system. According to the obtained vulnerability scanning results, service checkpoint information, etc., penetration testers search for available penetration code resources to find out the attack points that can be used for penetration attacks, and verify them in the experimental environment.
Penetration attack stage: Use the found system security loopholes to actually invade the system and gain access control rights.
Post-penetration attack stage: the link that best reflects the creativity and technical capabilities of the penetration testing team. The penetration testing team needs to independently design the attack target, identify the key infrastructure, and find the most valuable information and assets of the client organization and try to secure protection according to the different characteristics of the target organization’s business operation model, asset protection form and security defense plan. The ultimate goal is to reach the attack vector that can have the most important business impact on the client organization.
Reporting stage: Provide a penetration test report to the client organization. The report includes the key intelligence information obtained by the penetration test team in all stages, system security vulnerabilities detected and unearthed, the process of successful penetration attacks, and the attack paths that cause business consequences , And at the same time, from the perspective of the defender, help customers analyze the weak links and existing problems in the security defense system, as well as repair and upgrade technical solutions.
Security vulnerability life cycle:
Research and mining of security vulnerabilities (0day)
Exploit development and testing
Security vulnerabilities and exploit codes are circulating in closed teams
Security vulnerabilities and exploit code began to spread
Malicious programs appeared and began to spread
Exploit/malicious programs spread on a large scale and harm the Internet
Exploit/attack tools/malicious programs are gradually disappearing
Ways of security vulnerabilities:
Full public disclosure: regardless of the manufacturer directly and completely disclose the technical details of the vulnerability
Public disclosure of the person in charge: notify the manufacturer first, and provide a reasonable period of time for patch development and testing
Entering the underground economic chain: security breach trading, black production
Small-scale utilization until passive disclosure: Firstly, use it in a small-scale area until the impact expands and the malicious code is widely used.
Security vulnerability public resource library:
Six Metasploit modules:
Auxiliary module (Aux)
Post penetration attack module (Post)
Attack load module (Payloads)
Null instruction module (Nops)
Encoder module (Encoders)
It is mainly used to support the information gathering link and help penetration testers to obtain rich intelligence information of the target system before conducting penetration attacks. Including the scanning and checking of various network services, building false services to collect login passwords, password guessing and cracking, sensitive information sniffing, detecting sensitive information leakage, Fuzz testing vulnerability mining, implementing network protocol deception and other modules.
Penetration attack module:
It is the core functional component of the Metasploit framework. It is a code component that uses discovered security vulnerabilities or configuration weaknesses to attack remote target systems to implant and run attack payloads to gain access to remote target systems. According to the location of the exploited security vulnerabilities, it can be divided into active penetration attacks and passive penetration attacks.
Active penetration attack: by connecting to the network service of the target system, injecting some specially constructed network request content containing “evil” attack data, triggering security vulnerabilities, and causing the remote service process to execute the attack payload contained in the “evil” data to obtain The control session of the target system. (PS: similar to diaosi actively chasing the goddess)
Passive penetration attacks: use security vulnerabilities in the client software to construct “evil” web pages, emails, or document files, and set up servers that contain such malicious content, send email attachments, and distribute them in combination with social engineering attacks. Trick the target user to open, combine network deception and hijacking techniques, etc., and wait for the user on the target system to access these evil content, thereby triggering a security vulnerability in the client software, and giving a shell response to control the target system.
Attack load module
A piece of embedded code that prompts the target system to run after a successful penetration attack is usually used to open a control session connection on the target system for the penetration attacker. The attack load module is divided into three types: independent (Singles) attack load, transmitter (Stager) load, and transmission body (Stage) load.
Independent attack payload: It can be directly and independently implanted into the target system for execution. Ex: window/shellbindtcp is the attack payload that binds the shell control session to the specified TCP port.
Transmitter load & transmission body load: The target system has restrictions on the size of the attack load and operating conditions. It is necessary to implant the compact and short transmitter load first, and then run the transmitter load to further download the transmission body load and execute it. The payload of the transport body that is further downloaded and executed by the transport payload is not limited by the size and security defense mechanism.
Ext: window/shell/bind tcp bind tcp is the transmitter payload, and shell is the transport body payload
Empty instruction module
No instruction (NOP): No operation or irrelevant operation that will not cause any substantial impact on the running state of the program. When an infiltration attack constructs the evil data buffer, it may encounter problems such as randomization of the memory address and deviation of the return address calculation, which may cause Shellcode execution to fail. The solution is to add an empty command area before the shellcode to be executed. When the shellcode is executed after the penetration attack is triggered, there is a larger safe landing area. The empty command module can add an empty command area to the attack payload to improve the attack. Reliability.
Ensure that no “bad characters” will appear in the attack payload. “Bad characters” will cause the specially constructed evil data buffer to be unable to be completely input into the vulnerable software routines as expected. After the penetration attack triggers the vulnerability, the attack payload cannot be executed correctly.
The attack payload is treated with “anti-kill”, and different forms of encoding are used to avoid signatures that can be identified by security detection and defense mechanisms in the payload.
Post-penetration attack module
After an infiltration attack obtains remote control of the target system, various post-infiltration attacks are performed in the controlled system, such as obtaining sensitive information, further expansion, and real-time springboard attacks.
msfconsole use (personally feel this is the most commonly used)
Start msf terminal: msfconsole
View msf help: help [COMMAND]
Search the penetration attack module of the specified service: search samba
Use penetration attack module: use multi/samba/usermap_script
Show attack payload: show payloads
Select the attack payload: set payload cmd/unix/bind_netcat
Display attack payload configuration items: show options
Set the target address: set RHOST xxx.xxx.xxx.xxx
Execution attack: exploit
To sum up
This chapter mainly introduces some theoretical knowledge related to penetration testing and the basic structure and use of metasploit. As for the installation of metasploit, should you use kali directly now?