# CSE450 Notes

###### tags: `NSYSU`

[TOC]

## Penetration testing

### Three models

- White box model
- Black box model
- Gray box model

### Process

1. Ground rules
   Establish the ground rules of the engagement (what is in scope and what is authorized).
2. Passive scanning
   Gather as much information about the target as possible while maintaining zero contact between the penetration tester and the target.
3. Active scanning and enumeration
   Probe the target's public exposure with scanning tools.
4. Fingerprinting
   Perform a thorough probe of the target systems to identify the operating system type and patch level, applications and their patch levels, open ports, running services and user accounts.
5. Selecting target systems
   Identify the most useful target(s).
6. Exploiting the uncovered vulnerabilities
   Execute the appropriate attack tools against the suspected exposures.
7. Escalating privilege
   Escalate the security context so the ethical hacker has more control.
8. Documenting and reporting
   Document everything found, how it was found, the tools that were used, the vulnerabilities that were exploited, the timeline of activities and successes, and so on.

## Stealthy scan

### Definition

* The session handshake is never completed.
* That keeps it out of some log files: application-level logging normally happens only once the connection is established, so a half-open probe never reaches the service. Packet-level logging (firewall, IDS) still sees the SYN.

### Operation

* Port open

```sequence
A->B: SYN to port 80
B->A: SYN/ACK
A->B: RST
```

* Port closed

```sequence
A->B: SYN to port 80
B->A: RST
```

## ARP cache poisoning

### Reason

ARP has no authentication: a host always trusts that a reply came from the right device. Because of this design flaw it has no way to verify that an ARP reply was sent by the device that really owns the IP address.

### Method

The attacker sends a spoofed ARP reply to any computer on the network to make it believe that a certain IP address is associated with a certain MAC address (the attacker's), thereby poisoning the ARP cache that maps IP addresses to MAC addresses.

### Man-in-the-Middle (MITM) attacks

1. Enable IP forwarding first; otherwise the intercepted traffic is dropped and the victims simply lose connectivity instead of being relayed.
```bash
echo 1 > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
```

```sequence
Victim1->Attacker: frames for Victim2 (poisoned cache)
Attacker->Victim1: forwarded frames from Victim2
Attacker->Victim2: forwarded frames from Victim1
Victim2->Attacker: frames for Victim1 (poisoned cache)
```

### Usage

One-way (only the target's cache is poisoned):

`arpspoof -i eth0 -t <target IP address> <host IP address>`

Two-way (both caches are poisoned, needed to see both directions of the traffic):

`arpspoof -i eth0 -t <target IP address> -r <host IP address>`

## tcpdump

### Flags

| Flag | Meaning |
|---|---|
| `-A` | Print frame payload in ASCII |
| `-c <count>` | Exit after capturing count packets |
| `-D` | List available interfaces |
| `-e` | Print link-level headers |
| `-F <file>` | Use file as the filter expression |
| `-G <n>` | Rotate the dump file every n seconds |
| `-i <iface>` | Specify the capture interface |
| `-K` | Don't verify IP, TCP and UDP checksums |
| `-L` | List data link types for the interface |
| `-n` | Don't convert addresses to names |
| `-p` | Don't put the interface into promiscuous mode |
| `-q` | Quiet output: print less protocol information |
| `-r <file>` | Read packets from file |
| `-s <len>` | Capture up to len bytes per packet (snaplen) |
| `-S` | Print absolute TCP sequence numbers |
| `-t` | Don't print timestamps |
| `-v[v[v]]` | Print more verbose output |
| `-w <file>` | Write captured packets to file |
| `-x` | Print frame payload in hex |
| `-X` | Print frame payload in hex and ASCII |
| `-y <type>` | Specify the data link type |
| `-Z <user>` | Drop privileges from root to user |

### Modifiers

| Modifier | Meaning |
|---|---|
| `!` or `not` | negation |
| `&&` or `and` | conjunction |
| `\|\|` or `or` | alternation |

## Wireshark display filter

### Operators

| Operator | Meaning |
|---|---|
| `eq` or `==` | equal |
| `ne` or `!=` | not equal |
| `gt` or `>` | greater than |
| `lt` or `<` | less than |
| `ge` or `>=` | greater than or equal |
| `le` or `<=` | less than or equal |

### Logic

| Operator | Meaning |
|---|---|
| `and` or `&&` | Logical AND |
| `or` or `\|\|` | Logical OR |
| `xor` or `^^` | Logical XOR |
| `not` or `!` | Logical NOT |
| `[n]` `[…]` | Substring operator |

## Difference between display and capture filters

* Display filter:
  + Display filters are used to change the view of a capture file.
  + They take advantage of the full dissection of all packets.
  + This makes it possible to do very complex and advanced filtering when analyzing a network trace file.
* Capture filter:
  + A capture filter is used to select which packets should be saved to disk while capturing.
  + For capture filters Wireshark uses the BPF syntax.
  + BPF is a filter that runs in the kernel and can therefore sustain high capture rates, because packets that fail the filter never have to be copied from kernel space to user space.
  + The things that can be filtered on are predefined and limited (compared to display filters), since no full dissection has been done on the packets yet.

## Metasploit framework

### Start

`msfconsole`

### Libraries

1. REX
   Handles almost all core functions such as setting up sockets, connections, formatting, and all other raw functions.
2. MSF CORE
   Provides the basic API and the actual core that describes the framework.
3. MSF BASE
   Provides a friendly API for modules.

### Module list

1. Payloads
   Used to carry out operations after exploitation, such as connecting to or from the target system, or performing a specific task such as installing a service.
2. Auxiliary
   Special tasks such as information gathering, database fingerprinting, scanning the network for a particular service, and enumeration.
3. Encoders
   These encode payloads and attack vectors, for example to avoid bad characters or simple signature matching by antivirus or firewalls. Encoding is not encryption, and modern antivirus is rarely fooled by it alone.
4. NOPs
   NOP sleds pad the payload so that a slightly inaccurate landing address still slides into the shellcode, which makes payloads more stable.
5. Exploits
   The actual code that triggers the vulnerability to take advantage of a vulnerable system.

### Options

| Option | Meaning |
|---|---|
| `LHOST` | Local host: our Kali system |
| `RHOST` | Remote host: our target system (recent Metasploit versions call it `RHOSTS` and accept ranges) |
| `LPORT` | Port we want to use on our Kali system |
| `RPORT` | Port we want to attack on the target |

### Setting exploit options

`set <variable name> <value>`

## nmap & zenmap

### Flags

- `-A` Aggressive scan: enables OS detection, version detection, script scanning and traceroute.
  Usage: `nmap -A <target IP>`
- `-b <FTP relay host>` FTP bounce scan. The FTP bounce attack is an insidious method of laundering connections through an FTP server by abusing its support for "proxy" FTP connections (the PORT command).
  FTP bounce attacks "can be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, try to hop firewalls, and generally be annoying and hard to track down at the same time." Moreover, port scans bounced off the FTP server hide the scanner's identity or, better yet, bypass access control mechanisms when the FTP server sits inside the firewall.
- `-D <decoy1,decoy2,...>` Decoy scan: the target also sees probes that appear to come from the decoy addresses, so the real scanner is hidden among them and the target's logs fill with superfluous sources.
  Usage: `nmap -sS <target IP address> -D <decoy address>`
  Note: decoy addresses should be hosts that are up; otherwise the target's SYN/ACKs to the decoys go unanswered and the scan may SYN-flood the target into a denial of service.
- `-F` Fast scan: scan only the 100 most common ports instead of the default 1000.
- `-f` Fragment the packets: the TCP header is split across several small IP fragments, which makes it harder for packet filters and intrusion detection systems (IDS) to recognize the scan unless they reassemble fragments.
- `-iL <listfile>` Scan the targets listed in a file.
  Usage: `nmap -iL <listfile>`
- `-O` Enable OS detection.
- `-oN <file>` Save the output to a separate file in normal, human-readable format (`-oX`, `-oG` and `-oA` give XML, grepable and all three formats).
- `-p <ports>` Scan the specified ports.
  Usage:
  + `[port]` individual port number
  + ranges (e.g. `1-1023`)
  + `[name]` service name
  + `U:[UDP ports]`, `T:[TCP ports]`
  + `-p-` scans all 65535 ports (the notes also list `"*"`, which must be quoted so the shell does not expand it)
- `--top-ports <number>` Scan the most common ports.
- `-PE/-PP/-PM` ICMP echo, timestamp and netmask request discovery probes.
- `-PR` ARP (IPv4) / Neighbor Discovery (IPv6) ping; nmap uses this by default on a local Ethernet segment.
- `-Pn` No ping. Useful when scanning hosts protected by a firewall that blocks ping probes: skip the default discovery check and perform a complete port scan on the target.
- `-sS` TCP SYN scan. SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms, as nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed and filtered states.
  This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you were going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) indicates a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response; this can be due to an extremely rare TCP feature known as a simultaneous open or split-handshake connection.
- `-sn` No port scan (host discovery only).
- `-T<0-5>` Timing template:

| Template | Name |
|---|---|
| `T0` | Paranoid |
| `T1` | Sneaky |
| `T2` | Polite |
| `T3` | Normal (default) |
| `T4` | Aggressive |
| `T5` | Insane |

  Usage: `nmap -T<0-5> <target IP>`

### Usage

- ACK scan (unit 4 p. 11): `nmap -sA <target IP address>`
- FTP bounce scan: `nmap -b <FTP relay host> <target IP address>`
- FIN scan (unit 4 p. 11): `nmap -sF <target IP address>`
- NULL scan (unit 4 p. 9): `nmap -sN <target IP address>`
- TCP ACK scan
  + Definition: used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered. It never reports open or closed.
  + Unfiltered: open and closed ports both return a RST packet (the port is reachable by the ACK probe, but open vs. closed stays undetermined).
  + Filtered: ports that don't respond, or that send certain ICMP error messages back.
  + `nmap -sA <target IP address>`
- TCP connect scan
  + Definition: nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the `connect` system call, so the full three-way handshake completes and the service does see (and may log) the connection.
  + `nmap -sT <target IP address>`
  + Open state:
    ![](https://i.imgur.com/iJgxQ9N.png)
- TCP SYN port scan
  + `nmap -sS <target IP address>`
  + Open state:
    ![SYN](https://i.imgur.com/fA4WzOt.png)
  + Closed state:
    ![](https://i.imgur.com/y75z3Y5.png)
  + Filtered port:
    ![](https://i.imgur.com/SdiqJzC.png)
- UDP scan (unit 4 p. 13): `nmap -sU <target IP address>`
- XMAS scan (unit 4 p. 10): `nmap -sX <target IP address>`

## Netcat utility

### Flags

| Flag | Meaning |
|---|---|
| `-e <program>` | Execute a program or process and connect its stdin/stdout to the socket. Many netcat builds (the OpenBSD variant among them) leave this option out; Ncat provides it as `-e`/`--exec`. |
| `-L` | (Windows netcat only) Restart Netcat with the same command line when the connection is terminated, so you can connect over and over to the same Netcat process. |
| `-l` | Listen mode |
| `-p <port>` | Local port number |
| `-u` | Use UDP |

### Usage

`nc -l -p 4455 -e cmd.exe`

This is a bind shell: anyone who connects to port 4455 on the Windows host gets a `cmd.exe` prompt, with no authentication.

## Vulnerability scanning: OpenVAS

### Definition

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
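The half-open probe from the "Stealthy scan" section and the `-sS` / `-sA` classification rules above, worked through in code. This is an added example, not code from the original notes or from nmap: `SimTarget` is a constructed in-memory stand-in for a compliant TCP stack (open port answers SYN with SYN/ACK, closed port answers everything with RST, a filtered port drops the probe or returns an ICMP type 3 error), so nothing is sent on the wire. The port states and the retry count are made up for the demonstration.

```python
"""Half-open (SYN) and ACK probes against an in-memory TCP stack.

Added example, not from the original notes or from nmap. SimTarget is a
constructed stand-in for a compliant TCP stack; no packets touch the wire.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# TCP flag bits as they appear in the header's flags byte
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# ICMP destination-unreachable (type 3) codes that nmap reports as "filtered"
FILTERED_UNREACH_CODES = {0, 1, 2, 3, 9, 10, 13}
RETRIES = 2  # retransmissions before a silent port is called filtered (assumed value)


@dataclass
class Reply:
    proto: str            # "tcp" or "icmp"
    flags: int = 0        # TCP flags when proto == "tcp"
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass
class SimTarget:
    """Constructed target. ports maps port -> 'open' | 'closed' | 'filtered' | 'icmp-admin'."""
    ports: Dict[int, str]
    received: List[Tuple[int, int]] = field(default_factory=list)  # (port, flags) seen

    def deliver(self, port: int, flags: int) -> Optional[Reply]:
        self.received.append((port, flags))
        state = self.ports.get(port, "closed")
        if state == "filtered":           # firewall drops the probe silently
            return None
        if state == "icmp-admin":         # firewall answers "administratively prohibited"
            return Reply("icmp", icmp_type=3, icmp_code=13)
        if state == "closed":             # closed port: RFC 793 answers everything with RST
            return Reply("tcp", flags=RST | ACK)
        # open port (listening socket)
        if flags & RST:                   # our teardown; nothing comes back
            return None
        if flags & SYN and not flags & ACK:
            return Reply("tcp", flags=SYN | ACK)   # second step of the handshake
        return Reply("tcp", flags=RST)    # stray ACK for a connection that does not exist


def syn_scan_port(target: SimTarget, port: int) -> Tuple[str, List[int]]:
    """nmap -sS logic: send SYN, classify the answer, tear down with RST.

    Returns (state, flags_we_sent). The handshake is never completed: we never
    send the final ACK, so accept() never returns on the target's service.
    """
    sent: List[int] = []
    for _ in range(RETRIES + 1):
        sent.append(SYN)
        reply = target.deliver(port, SYN)
        if reply is None:
            continue                                  # silence: retransmit
        if reply.proto == "icmp":
            if reply.icmp_type == 3 and reply.icmp_code in FILTERED_UNREACH_CODES:
                return "filtered", sent
            continue
        if reply.flags & RST:
            return "closed", sent
        if reply.flags & SYN:                         # SYN/ACK, or bare SYN (simultaneous open)
            sent.append(RST)
            target.deliver(port, RST)                 # abort the half-open connection
            return "open", sent
    return "filtered", sent                           # no answer after all retransmissions


def ack_scan_port(target: SimTarget, port: int) -> str:
    """nmap -sA logic: an ACK probe only reveals whether a filter is in the way."""
    for _ in range(RETRIES + 1):
        reply = target.deliver(port, ACK)
        if reply is None:
            continue
        if reply.proto == "tcp" and reply.flags & RST:
            return "unfiltered"                       # reachable, but open vs closed unknown
        if (reply.proto == "icmp" and reply.icmp_type == 3
                and reply.icmp_code in FILTERED_UNREACH_CODES):
            return "filtered"
    return "filtered"


if __name__ == "__main__":
    box = SimTarget({22: "open", 80: "closed", 443: "filtered", 8080: "icmp-admin"})
    for p in sorted(box.ports):
        print(p, syn_scan_port(box, p)[0], ack_scan_port(box, p))
```

The point to check in `target.received` after a SYN scan is that no probe ever carried the ACK flag: the open port got exactly `SYN` then `RST`, which is why a service that logs at `accept()` never sees it, while an ACK scan of the same port only ever yields `unfiltered`/`filtered`.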
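The defender's side of the "ARP cache poisoning" section: a detector for the flip-flops that `arpspoof` causes. This is an added example, not code from the original notes or from dsniff. The Ethernet/ARP frames are built in memory with made-up addresses (`10.0.0.1` as gateway, `10.0.0.10` as victim, `de:ad:be:ef:00:01` as the attacker's MAC); a real deployment would feed `observe()` from a raw socket or a pcap reader instead of `build_arp_reply()`.

```python
"""Spot ARP cache poisoning from the ARP replies seen on a segment.

Added example, not from the original notes or from dsniff/arpspoof. Frames
are constructed in memory with made-up addresses.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def _mac(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def _ip(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II + ARP reply: the unsolicited "sender_ip is at sender_mac" arpspoof sends."""
    eth = struct.pack("!6s6sH", _mac(target_mac), _mac(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      _mac(sender_mac), _ip(sender_ip), _mac(target_mac), _ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)


class ArpWatch:
    """Learn IP -> MAC bindings from replies and flag the changes poisoning causes."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}                        # ip -> MAC first learned
        self.hijacked: Dict[str, Set[str]] = defaultdict(set)  # MAC -> IPs it took over
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        """Feed one frame; return an alert string when a known IP changes MAC."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, mac, ip = parsed
        known = self.table.setdefault(ip, mac)   # first binding wins, like a victim's cache
        if known == mac:
            return None
        self.hijacked[mac].add(ip)
        alert = f"flip-flop: {ip} was {known}, now claimed by {mac}"
        self.alerts.append(alert)
        return alert

    def mitm_suspects(self) -> List[str]:
        """MACs that took over two or more IPs: the two-way arpspoof -r pattern."""
        return sorted(mac for mac, ips in self.hijacked.items() if len(ips) >= 2)


if __name__ == "__main__":
    gw, victim, attacker = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:10", "de:ad:be:ef:00:01"
    watch = ArpWatch()
    for frame in (
        build_arp_reply(gw, "10.0.0.1", victim, "10.0.0.10"),       # legitimate
        build_arp_reply(victim, "10.0.0.10", gw, "10.0.0.1"),       # legitimate
        build_arp_reply(attacker, "10.0.0.1", victim, "10.0.0.10"), # spoof: "gateway is me"
        build_arp_reply(attacker, "10.0.0.10", gw, "10.0.0.1"),     # spoof: "victim is me"
    ):
        print(watch.observe(frame))
    print("MITM suspects:", watch.mitm_suspects())
```

A single flip-flop is not proof of an attack (DHCP can legitimately hand an address to a new NIC), which is why the stronger signal is `mitm_suspects()`: one MAC that has hijacked both ends of a conversation is exactly what the two-way `arpspoof -r` invocation above produces, and on a real segment the same MAC will also be seen forwarding traffic for both IPs.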