Академический Документы
Профессиональный Документы
Культура Документы
Capítulo 14
14.1. Objetivos
● Exploração de serviços que não são executados como root ou tem seu
privilégio “dropado”
14.5. Laboratório
14.5.1. Desafio 1
1. Através do PHP Shell, existente em uma das máquinas da rede de teste,
descobrir qual a versão do kernel da máquina alvo.
14.5.2. Desafio 2
1. A outra tarefa, é explorar o arquivo com SUID root que se encontra em uma
das máquinas da rede de teste.
2. Crie um trojan local no sistema que permitirá com que o atacante obtenha
privilégios de root após executar um interpretador de comando.
14.6. Contramedidas
Capítulo 20
Apagando Rastros
20.1. Objetivos
Não há necessidade desse tipo de ação por parte de um pentester, caso queira
deixar as evidências de exploração para posterior análise por parte da equipe de Ti
da empresa contratante. No entanto, caso tenha como objetivo testar, também, a
capacidade da equipe de perícia forense em investigar um caso de invasão, é
interessante implementar os passos estudados nesse capítulo.
● Logs de IDS
● Logs de Firewall
➢ Qualquer arquivo que tenha sido copiado para o sistema, mesmo que
posteriormente seja apagado, deixa rastros que podem ser recuperados
com ferramentas específicas.
Capítulo 20 Apagando Rastros - 264
● Logs de comandos
● Logs de sessão
20.4. Técnicas
● Sobreescrita de dados
● Encriptação de dados
20.5. Ferramentas
● Wipe
● Scrub
● Steghide
20.6. Contramedidas
Invasão
21.1. Objetivo
21.2. Desafio 1
Esse desafio pretende simular a aplicação WEB de uma empresa real, que
tenha contratado você para realizar um teste de invasão em seu sistema, entregando
um relatório final, completo, com todos os passos do processo.
21.3. Desafio 2
Nesse desafio final, na rede alvo, que pertence à empresa que lhe contratou
para realizar o teste de invasão, você precisa encontrar um arquivo chamado
you_got_the_flag.txt.
Nesse arquivo, encontra-se o hash MD5 de um outro arquivo, que pode estar
em qualquer outra máquina da rede. Se tal arquivo for encontrado (verificando seu
hash), você precisa descobrir qual a senha que está nesse arquivo (ele cópia de um
shadow).
Após descobrir a senha, é necessário que acesse uma das outras máquinas,
descobrindo a qual usuário a senha descoberta pertence.
Happy hacking!
Capítulo 21 Desafios: Testes de Invasão - 269
ANEXOS
Capítulo 21 Desafios: Testes de Invasão - 270
Primeiro anexo
Opções do Nmap
Can pass hostnames, IP addresses, networks, etc. -sS: TCP SYN Scan
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; -sT: Connect Scan
10.0.0-255.1-254 -sA: ACK Scan
-sW: Windows Scan
-iL <inputfilename>: -sM: Maimon scan
Input from list of hosts/networks -sN: TCP Null, scan
-iR <num hosts>:
-sF: FIN Scan
Choose random targets
--exclude <host1[,host2][,host3],...>: -sX: Xmas Scan
Exclude hosts/networks --scanflags <flags>: Customize TCP scan flags
--excludefile <exclude_file>: -sI <zombie host[:probeport]>: Idlescan
Exclude list from file -sO: IP protocol scan
-b <ftp relay host>: FTP bounce scan
HOST DISCOVERY
PORT SPECIFICATION AND SCAN ORDER
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - determining if host is online -p <port ranges>: Only scan specified ports
-P0: Treat all hosts as online -- skip host discovery -F: Fast - Scan only ports listed in nmap-services file)
-PS[portlist]: TCP SYN discovery to given ports -r: Scan ports consecutively - don't randomize
-PA[portlist]: TCP ACK discovery to given ports
-PU[portlist]: UDP discovery to given ports
-PE: ICMP echo request discovery probes SERVICE/VERSION DETECTION
-PP: timestamp request discovery probes
-sV: Probe open ports determine service/version info
-PM: netmask request discovery probes
--version-intensity <level>:
-n/-R: Never/Always resolve DNS -default sometimes
--dns-servers <serv1[,serv2],...>: Set from 0 (light) to 9 (try all probes)
--version-light:
Specify custom DNS servers
--system-dns: Limit to most likely probes (intensity 2)
Use OS's DNS resolver --version-all: Try every single probe (intensity 9)
--version-trace:
Show detailed version scan activity (for debugging)
Capítulo 21 Desafios: Testes de Invasão - 271
OS DETECTION once
-v: Increase verbosity level (use twice for more effect)
-O: Enable OS detection -d[level]: Set or increase debugging level (Up to 9)
--osscan-limit: --packet-trace:
Limit OS detection to promising targets Show all packets sent and received
--osscan-guess: --iflist:
Guess OS more aggressively Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format
output file
TIMING AND PERFORMANCE --append-output:
Append to rather than clobber specified output files
Options which take <time> are in milliseconds, unless you
--resume <filename>: Resume an aborted scan
append 's' (seconds), 'm' (minutes), or 'h' (hours) to the
--stylesheet <path/URL>:
value (e.g. 30m).
-T[0-5]: Set timing template (higher is faster) XSL stylesheet to transform XML output to HTML
--webxml:
--min-hostgroup/max-hostgroup <size>:
Reference stylesheet from Insecure.Org
Parallel host scan group sizes
for more portable XML
--min-parallelism/max-parallelism <time>:
--no-stylesheet: Prevent associating of XSL
Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial- stylesheet w/XML output
rtt-timeout <time>:
Specifies probe round trip time.
MISC
--max-retries <tries>:
Caps number of port scan probe retransmissions. -6: Enable IPv6 scanning
--host-timeout <time>:
-A: Enables OS detection and Version detection
Give up on target after this long
--datadir <dirname>:
--scan-delay/--max-scan-delay <time>:
Specify custom Nmap data file location
Adjust delay between probes
--send-eth/--send-ip:
Send using raw ethernet frames or IP packets
--privileged:
FIREWALL/IDS EVASION AND SPOOFING
Assume that the user is fully privileged
-f; --mtu <val>: -V: Print version number
fragment packets (optionally w/given MTU) -h: Print this help summary page.
-D <decoy1,decoy2[,ME],...>:
Cloak a scan with decoys
-S <IP_Address>: EXAMPLES
Spoof source address
Simple
-e <iface>:
nmap -v -A scanme.nmap.org
Use specified interface nmap -v -sP 192.168.0.0/16 10.0.0.0/8
-g/--source-port <portnum>: nmap -v -iR 10000 -P0 -p 80
Use given port number nmap -v –sS scanme.nmap.org > file.txt
--data-length <num>:
Append random data to sent packets Popular / Published syntax
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac add/prefix/vendor name>: NMAP -vv -A -sS -O -p- -P0 -oX target.xml
Spoof your MAC address www.xxx.yyy.zzz
--badsum:
Send packets with a bogus TCP/UDP checksum nmap -vv -sS -P0 –p- -n --min_hostgroup 100
--max_retries 3
--max_rtt_timeout 1250 --min_parallelism
OUTPUT 100 -oA <output_file> <net_block>
-oN <file>: Output scan in normal format nmap -vv -p <open_port_list> -sT -A -P0 -n
-oX <file>: Output scan in XML format --min_hostgroup 100
-oS <file>: Output scan in s|<rIpt kIddi3 format --max_rtt_timeout 1250 --min_parallelism
100 -oA <output_file> -iL
-oG <file>: Output scan in Grepable format
liveIPList
-oA <basename>: Output in the three major formats at
Capítulo 21 Desafios: Testes de Invasão - 272
Segundo Anexo
Opções do NetCat
Fundamentals
File Transfer
Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running
verbosely (-v on Linux, - vv on Windows), not resolving names (-n), without sending any data (-z), and waiting no more
Capítulo 21 Desafios: Testes de Invasão - 273
Grab the banner of any TCP service running on an IP Address from Linux:
$ echo "" | nc –v –n –w1 [TargetIPaddr] [start_port]-[end_port]
Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running
verbosely (-v), not resolving names (-n), and waiting no more than 1 second for a connection to occur (-w1). Then
send a blank string to the open port and print out any banner received in response
Backdoor Shells
Create a shell on local port [LocalPort] that can then be accessed using a fundamental Netcat client
Create a reverse shell that will attempt to connect to [YourIPaddr] on local port [port]. This shell can then be captured
using a fundamental nc listener
Listener-to-Client Relay:
$ nc –l –p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe
Create a relay that sends packets from the local port [LocalPort] to a Netcat client connected to
[TargetIPaddr] on port [port]
Listener-to-Listener Relay:
$ nc –l –p [LocalPort_1] 0<backpipe | nc –l –p [LocalPort_2] | tee backpipe
Create a relay that sends packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]
Client-to-Client Relay:
$ nc [PreviousHopIPaddr] [port] 0<backpipe | nc [NextHopIPaddr] [port2] | tee backpipe
Create a relay that sends packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat client
connected to [NextHopIPaddr] on port [port2]
Listener-to-Client Relay:
C:\> echo nc [TargetIPaddr] [port] > relay.bat
C:\> nc –l –p [LocalPort] –e relay.bat
Create a relay that sends packets from the local port [LocalPort] to a Netcat Client connected to [TargetIPaddr] on port
[port]
Listener-to-Listener Relay:
C:\> echo nc –l –p [LocalPort_2] > relay.bat
C:\> nc –l –p [LocalPort_1] –e relay.bat
Create a relay that will send packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]
Client-to-Client Relay:
C:\> echo nc [NextHopIPaddr] [port2] > relay.bat
C:\> nc [PreviousHopIPaddr] [port] –e relay.bat
Create a relay that will send packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat Client
connected to [NextHopIPaddr] on port [port2]
The [TargetIPaddr] is simply the other side’s IP address or domain name. It is required in client mode of course
(because we have to tell the client where to connect), and is optional in listen mode.
-L: Listen harder (supported only on Windows version of Netcat). This option makes Netcat a persistent listener which
starts listening again after a client disconnects
-p: Local port (In listen mode, this is port listened on. In client mode, this is source port for all packets sent)
-e: Program to execute after connection occurs, connecting STDIN and STDOUT to the program
-n: Don’t perform DNS lookups on names of machines on the other side
-z: Zero-I/O mode (Don’t send any data, just emit a packet without payload)
-wN: Timeout for connects, waits for N seconds after closure of STDIN. A Netcat client or listener with this option will
wait for N seconds to make a connection. If the connection doesn’t happen in that time, Netcat stops running.
-v: Be verbose, printing out messages on Standard Error, such as when a connection occurs