Red vs. Blue: Blue Team Field Manual (BTFM) (Repost)

This article was published on RoarTalk (嘶吼); do not repost without permission. http://www.4hou.com/technology/10173.html
Best reading experience: https://stackedit.io/viewer#!url=https://raw.github.com/Zer0d0y/BTFM/master/README.md

Preface

  The idea of red-vs-blue confrontation goes back to the oldest surviving Chinese military treatise, Sun Tzu's The Art of War. The chapter "Attack by Stratagem" says: "Know the enemy and know yourself, and in a hundred battles you will never be in peril." In other words, if you thoroughly understand the situation of both sides, you will not lose however many battles you fight. Information security now shares a similar consensus: "Without knowing attack, how can you know defense?" Attack and defense is itself a continuous process, and in any concrete engagement the side that understands its opponent better holds the initiative.

  The main purpose of red-vs-blue exercises is to raise the organization's security maturity and its ability to detect and respond to attacks.

  Red Teams attack, and Blue Teams defend, but the primary goal is shared between them: improve the security posture of the organization.

0. ) Preparation

1 ) Organization chart
2 ) Network-wide topology diagram
3 ) Logical structure diagram of each system
4 ) Call relationships between systems
5 ) Data flow relationships
6 ) Core asset inventory
7 ) Incident response plan
8 ) Business continuity plan
9 ) Disaster recovery plan

1. ) Basic Security Assessment

1.1 ) Port scanning and vulnerability detection

Host discovery (ping probe):
# nmap -sn -PE <IP or range>

Port scan:
# nmap --open <IP or range>

Service version detection:
# nmap -sV <IP or range>

Scan several ports:
# nmap -p 80,443 <IP or range>

UDP port scan:
# nmap -sU -p 53 <IP or range>

TCP/UDP port scan (-Pn skips host discovery):
# nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <IP or range>

Nessus vulnerability scan:
# nessus -q -x -T html <server IP> <server port> <admin user> <password> <targets.txt> <report.html>

OpenVAS vulnerability scan:
# apt -y install pcregrep
# wget https://goo.gl/TYbLwE
# chmod +x openvas-automate.sh && ./openvas-automate.sh <target IP>

1.2 ) Windows

1.2.1 Network discovery

Basic network discovery
C:\> net view /all
C:\> net view \\<hostname>

Ping sweep (the find string must match the "Reply" text of the system locale)
C:\> for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "Reply" >> output.txt

1.2.2 DHCP

Enable DHCP server logging:
C:\> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1
Default log file path:
%windir%\System32\Dhcp

1.2.3 DNS

Enable DNS server logging:
C:\> DNSCmd <DNS server> /config /logLevel 0x8100F331
# Set the log file path:
C:\> DNSCmd <DNS server> /config /LogFilePath C:\dns.log
# Set the maximum log file size:
C:\> DNSCmd <DNS server> /config /logfilemaxsize 0xffffffff

1.2.4 Hashes

File Checksum Integrity Verifier (FCIV):
Ref: http://support2.microsoft.com/kb/841290
# Hash a single file:
C:\> fciv.exe <file>
# Hash every file on drive C: and save the result to a file:
C:\> fciv.exe c:\ -r -sha1 -xml result.xml
# List all stored hashes:
C:\> fciv.exe -list -sha1 -xml result.xml
certutil and PowerShell methods
C:\> certutil -hashfile <file> SHA1
PS C:\> Get-FileHash <file> | Format-List
PS C:\> Get-FileHash -Algorithm MD5 <file>

1.2.5 NetBIOS

nbtstat scan
C:\> nbtstat -A <target IP>
NetBIOS cache
C:\> nbtstat -c
Batch scan
C:\> for /L %I in (1,1,254) do nbtstat -An 192.168.1.%I

1.2.6 Microsoft Baseline Security Analyzer (MBSA)

Scan a single IP
C:\> mbsacli.exe /target <IP> /n os+iis+sql+password
Scan an IP range
C:\> mbsacli.exe /r <IP range> /n os+iis+sql+password

1.3 ) Linux

1.3.1 Network discovery

List open SMB shares
# smbclient -L <target host>

Ping sweep

# for ip in $(seq 1 254); do ping -c1 -w2 192.168.1.$ip >/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

1.3.2 DHCP

DHCP log queries
RHEL/CentOS
# cat /var/lib/dhcpd/dhcpd.leases
Debian/Ubuntu
# grep -Ei 'dhcp' /var/log/syslog.1

1.3.3 DNS

DNS log queries
# rndc querylog && tail -f /var/log/messages | grep named

1.3.4 Hashes

Hash every regular file under /sbin
# find /sbin -type f -exec md5sum {} \; >> md5sums.txt
# md5deep -rs /sbin > md5sums.txt

1.3.5 NetBIOS

nbtscan scan
# nbtscan <target IP or range>
Example: nbtscan 192.168.1.2-100

2. ) Hardening

2.1 ) Windows

2.1.1 Disable / stop services
C:\> sc query
C:\> sc config "<service name>" start= disabled
C:\> sc stop "<service name>"
C:\> wmic service where name="<service name>" call ChangeStartmode Disabled

2.1.2 Firewall management
# List all rules:
C:\> netsh advfirewall firewall show rule name=all
# Enable or disable the firewall:
C:\> netsh advfirewall set currentprofile state on
C:\> netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
C:\> netsh advfirewall set publicprofile state on
C:\> netsh advfirewall set privateprofile state on
C:\> netsh advfirewall set domainprofile state on
C:\> netsh advfirewall set allprofiles state on
C:\> netsh advfirewall set allprofiles state off
# Configuration examples:

netsh advfirewall firewall add rule name="Open TCP 80" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Open TCP 443" dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="Block TCP 445" dir=in action=block protocol=TCP localport=445
netsh advfirewall firewall add rule name="Allow MyApp" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes

2.1.3 Flush the DNS cache and the NetBIOS cache
C:\> ipconfig /flushdns
C:\> nbtstat -R

2.1.4 Application control
# AppLocker configuration

# Import the AppLocker module
PS C:\> Import-Module AppLocker
# Show AppLocker file information for every exe under System32
PS C:\> Get-AppLockerFileInformation -Directory C:\Windows\System32\ -Recurse -FileType Exe
# Add an allow rule covering every exe under System32
PS C:\> Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix System32

2.1.5 IPsec
# 1.) Create a local IPsec security policy using a pre-shared key, applied to all connections and protocols

C:\> netsh ipsec static add filter filterlist=MyIPsecFilter srcaddr=Any dstaddr=Any protocol=ANY
C:\> netsh ipsec static add filteraction name=MyIPsecAction action=negotiate
C:\> netsh ipsec static add policy name=MyIPsecPolicy assign=yes
C:\> netsh ipsec static add rule name=MyIPsecRule policy=MyIPsecPolicy filterlist=MyIPsecFilter filteraction=MyIPsecAction conntype=all activate=yes psk=<password>

# 2.) Create an IPsec policy that permits outbound access to TCP ports 80 and 443

C:\> netsh ipsec static add filteraction name=Allow action=permit
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=80
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=443
C:\> netsh ipsec static add rule name=WebAllow policy=MyIPsecPolicy filterlist=WebFilter filteraction=Allow conntype=all activate=yes psk=<password>

# 3.) Show and unassign a local IPsec security policy

C:\> netsh ipsec static show policy name=MyIPsecPolicy
C:\> netsh ipsec static set policy name=MyIPsecPolicy assign=no

# Create the matching firewall connection-security rule, any source to any destination

C:\> netsh advfirewall consec add rule name="IPSEC" endpoint1=any endpoint2=any action=requireinrequireout qmsecmethods=default

# Create the matching outbound firewall rule: all outbound traffic must be authenticated with the pre-shared key

C:\> netsh advfirewall firewall add rule name="IPSEC_Out" dir=out action=allow enable=yes profile=any localip=any remoteip=any protocol=any interfacetype=any security=authenticate

2.1.6 Other security policies
# Disable Remote Desktop connections

C:\> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 1

# Send NTLMv2 responses only (against "EternalBlue" attacks)

C:\> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel /t REG_DWORD /d 5 /f

# Disable IPv6

C:\> reg add HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f

# Disable Sticky Keys

C:\> reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f

# Disable administrative shares (servers / workstations)

C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareServer /t REG_DWORD /d 0
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareWks /t REG_DWORD /d 0

# Disable the Registry Editor and the CMD command prompt

C:\> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\> reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

# Enable UAC

C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

# Enable firewall logging

C:\> netsh firewall set logging droppedpackets = enable
C:\> netsh firewall set logging connections = enable

2.2 ) Linux

2.2.1 Service management
# Check service status

service --status-all
ps -ef OR ps aux
initctl list
systemctl list-unit-files

# Start, stop and disable services

# For SysV/Upstart services:
/etc/init.d/apache2 start | stop | status
service apache2 start | stop | status
update-rc.d apache2 disable
# For systemd services:
systemctl start | stop | status ntp.service
systemctl disable sshd.service

2.2.2 Firewall management
# Common iptables operations:

iptables-save > firewall_rules.bak # export the current rules
iptables -vnL --line-numbers # list all rules
iptables -S # same as above
iptables -P INPUT DROP # default policy: drop all inbound connections
iptables -A INPUT -s 10.10.10.10 -j DROP # block a single IP
iptables -A INPUT -s 10.10.10.0/24 -j DROP # block a subnet
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP # block one IP from the local SSH service
iptables -A INPUT -p tcp --dport ssh -j DROP # block all access to the local SSH service
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # enable logging
iptables -F # flush the currently loaded rules

2.2.3 DNS cache
# Unix/Linux has no system-level DNS cache (unless a caching resolver such as nscd, dnsmasq or systemd-resolved is installed)

2.2.4 Configuring IPsec
# Set up an IPsec channel between two servers

# 1.) Add firewall rules allowing the IPsec protocols
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# Install racoon
apt -y install racoon
# 2.) Edit the configuration file /etc/ipsec-tools.conf
flush;
spdflush;
spdadd <host A IP> <host B IP> any -P out ipsec esp/transport//require;
spdadd <host B IP> <host A IP> any -P in ipsec esp/transport//require;
# 3.) Edit the configuration file /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm aes_256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy off;
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm aes_256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

# 4.) Add the pre-shared key (psk.txt is keyed by the peer's address; "123" is the example key, use a long random secret in practice)
On host A: echo <host B IP> 123 >> /etc/racoon/psk.txt
On host B: echo <host A IP> 123 >> /etc/racoon/psk.txt
# 5.) Restart the service, then check negotiation and the configured policies
service setkey restart
setkey -D
setkey -DP

3. ) Detection (Visibility)

3.1 ) Network security monitoring

3.1.1 Packet capture and analysis

1.) TCPDUMP
tcpdump -tttt -n -vv # print timestamps, disable name resolution, verbose output
tcpdump -nn -c 1000 | awk '{print $3}' | cut -d. -f1-4 | sort -n | uniq -c | sort -nr # capture 1000 packets and find the top talkers
tcpdump -w target.pcap -i any dst targetIP and port 80 # capture on all interfaces packets to targetIP port 80 and write them to target.pcap
tcpdump 'host 10.0.0.1 && host 10.0.0.2' # capture traffic between two hosts
tcpdump 'not net 10.10 && not host 192.168.1.2' # capture traffic that is neither on net 10.10 nor to/from host 192.168.1.2
tcpdump 'host 10.10.10.10 && (10.10.10.20 or 10.10.10.30)' # capture traffic between host A and host B or C
tcpdump -n -s0 -C 100 -w 001.pcap # rotate: start a new file once the current one exceeds 100 MB
tcpdump -w - | ssh ServerIP -p 50005 "cat - > /tmp/remotecapture.pcap" # save the capture over SSH to /tmp/remotecapture.pcap on a remote server
tcpdump -n -A -s0 port http or port ftp or port smtp or port imap or port pop3 | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass|user' --color=auto --line-buffered -B20 # catch credentials sent in clear text
tcpdump -s 1500 -A '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)' # look for self-signed certificates (the filter matches TLS ClientHello records)
2.) TSHARK
tshark -nr 001.pcap -Y "ssl.handshake.ciphersuites" -Vx | grep "ServerName:" | sort | uniq -c | sort -r # extract the Server Name field from TLS handshakes
tshark -D # list available interfaces
tshark -i eth0 -i eth1 # listen on several interfaces
tshark -nn -w 001.pcap # disable name resolution and save to a file
tshark arp or icmp # capture ARP or ICMP
tshark "host <host A> && host <host B>" # capture traffic between two hosts
tshark -r 001.pcap # read a capture file
tshark -n -e ip.src -e ip.dst -T fields -E separator=, -2 -R ip -r 001.pcap # extract source/destination IP addresses
tshark -n -e ip.src -e dns.qry.name -E separator=';' -T fields port 53 # extract the source IP and the queried name of DNS queries
tshark -2 -R http.request -T fields -E separator=';' -e http.host -e http.request.uri -r 001.pcap # extract the Host header and request URI of HTTP requests
tshark -n -c 150 | awk '{print $4}' | sort -n | uniq -c | sort -nr # top talkers
tshark -q -z io,phs -r 001.pcap # protocol hierarchy statistics
tshark -n -c 100 -e ip.src -Y "dns.flags.response eq 1" -T fields port 53 # extract the DNS server addresses from DNS responses
tshark -n -e http.request.uri -Y http.request -T fields | grep exe # extract HTTP requests that download exe files
3.) SNORT
snort -T -c /etc/snort/snort.conf # test the configuration file
snort -dv -r 001.log # read a capture
snort -dvr 001.log icmp # extract ICMP packets
snort -K ascii -l 001 # log in ASCII format
snort -q -A console -i eth0 -c /etc/snort/snort.conf # print Snort events to the console
echo 'log tcp 192.168.1.0/24 any -> 192.168.1.95 22 ( msg: "ssh access" ; sid:1618008; )' > 001.rule && snort -T -c 001.rule # test a rule
mkdir logs && snort -vd -c 001.rule -r 001.pcap -A console -l logs # run the rule
4.) Bro NSM
Install the packages and download sample captures
apt -y install bro bro-aux
pip install bro-pkg
bro-pkg install bro/hosom/file-extraction
wget https://www.malware-traffic-analysis.net/2018/01/12/2018-01-12-NanoCore-RAT-traffic.pcap.zip
wget https://www.bro.org/static/exchange-2013/faf-exercise.pcap
bro -r 2018-01-12-NanoCore-RAT-traffic.pcap # read the pcap and create the log files
bro -r faf-exercise.pcap /root/.bro-pkg/scratch/file-extraction/scripts/plugins/extract-pe.bro && ls -lhct ./extract_files/ # extract exe files
bro -r faf-exercise.pcap /usr/share/bro/policy/frameworks/files/extract-all-files.bro # extract files of all types
bro -C -r faf-exercise.pcap && cat ssl.log | bro-cut server_name subject issuer # extract server_name, subject and issuer from certificates
cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state # source IP, source port, destination IP, destination port, protocol, connection state
cat dns.log | bro-cut query | sort -u # DNS query names
cat http.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p host uri referrer # source IP, source port, destination IP, destination port, host, uri, referrer
cat http.log | bro-cut user_agent | sort -u # user_agent field
5.) EDITCAP
editcap -F pcap -c 1000 original.pcap out_split.pcap # split into files of 1000 packets
editcap -F pcap -i 3600 original.pcap out_split.pcap # split into files of one hour
6.) MERGECAP
mergecap -w merged_cap.pcap cap1.pcap cap2.pcap cap3.pcap # merge several files
7.) PacketTotal
https://www.packettotal.com/app/analysis?id=c8c11b792272ac19a49299a3687466be&name=files
8.) NetworkMiner
http://netres.ec/?b=173588E

3.2 ) Honeypots
3.2.1 Windows

1.) Port honeypot
# Principle: listen on a port; once a client completes the TCP three-way handshake, write an access log entry and add a firewall rule blocking that IP
PS C:\> certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Pwdrkeg/honeyport/master/honeyport.ps1
PS C:\> .\honeyport.ps1 -Ports 4444,22,21,23 -WhiteList 192.168.10.1,192.168.10.2 -Block $true -Verbose
PS C:\> Get-EventLog HoneyPort # view the log entries
PS C:\> Stop-Job -Name HoneyPort # stop the job
PS C:\> Remove-Job -Name HoneyPort # remove the job

3.2.2 Linux

1.) Port honeypot
# Same principle as above
wget https://raw.githubusercontent.com/gchetrick/honeyports/master/honeyports-0.5.py
python honeyports-0.5.py -p 1234 -h 192.168.1.100 -D
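As an added example (not the honeyport.ps1 or honeyports-0.5.py scripts linked above), the following Python implements the principle stated in 3.2.1: listen on decoy ports, log every completed TCP handshake, and block the source unless it is whitelisted. The iptables rule, the dry_run switch and the whitelist/blocked bookkeeping are my own assumptions; on Windows the block command would be a netsh advfirewall rule instead.

```python
"""Minimal TCP honeyport: log every completed handshake on decoy ports and
block the connecting source unless it is whitelisted.  Added example code,
not the honeyport.ps1 / honeyports-0.5.py scripts referenced in the manual."""
import socket
import subprocess
import threading
import time
from dataclasses import dataclass, field


@dataclass
class HoneyPort:
    ports: list                                   # decoy ports; nothing legitimate listens here
    whitelist: set = field(default_factory=set)   # scanners / admin hosts that are never blocked
    dry_run: bool = True                          # True: only log; False: really call iptables
    events: list = field(default_factory=list)    # (timestamp, src_ip, local_port) per touch
    blocked: set = field(default_factory=set)     # sources already blocked (block only once)

    def should_block(self, src_ip: str) -> bool:
        """Whitelisted sources are never blocked; other sources only once."""
        return src_ip not in self.whitelist and src_ip not in self.blocked

    @staticmethod
    def block_command(src_ip: str) -> list:
        """Firewall rule dropping all further traffic from src_ip.
        Assumption: Linux host with iptables (see 2.2.2)."""
        return ["iptables", "-I", "INPUT", "-s", src_ip, "-j", "DROP"]

    def handle(self, src_ip: str, local_port: int) -> bool:
        """Record the touch and decide whether to block.  Returns True if blocked."""
        self.events.append((time.time(), src_ip, local_port))
        if not self.should_block(src_ip):
            return False
        self.blocked.add(src_ip)
        if not self.dry_run:
            subprocess.run(self.block_command(src_ip), check=False)
        return True

    def listener(self, port: int, bind_addr: str = "0.0.0.0") -> socket.socket:
        """Open one decoy port (port 0 lets the kernel pick, handy for tests)."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((bind_addr, port))
        sock.listen(5)
        return sock

    def serve_once(self, sock: socket.socket) -> bool:
        """Accept one connection (the 3-way handshake has already completed,
        so the source is a real, non-spoofed endpoint), close it and process it."""
        conn, (src_ip, _) = sock.accept()
        conn.close()
        return self.handle(src_ip, sock.getsockname()[1])

    def run(self, bind_addr: str = "0.0.0.0") -> None:
        """Serve all decoy ports forever, one thread per port, printing each touch."""
        def loop(port: int) -> None:
            sock = self.listener(port, bind_addr)
            while True:
                blocked = self.serve_once(sock)
                ts, ip, p = self.events[-1]
                stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))
                print(f"{stamp} {ip} -> tcp/{p} {'BLOCKED' if blocked else 'logged'}")
        threads = [threading.Thread(target=loop, args=(p,), daemon=True) for p in self.ports]
        for t in threads:
            t.start()
        for t in threads:
            t.join()


def connect(host: str, port: int) -> socket.socket:
    """Helper for tests: complete a handshake with a decoy port, return the client socket."""
    return socket.create_connection((host, port), timeout=2)


if __name__ == "__main__":
    # Same decoy ports and whitelist as the honeyport.ps1 invocation above, log-only mode.
    HoneyPort(ports=[4444, 22, 21, 23], whitelist={"192.168.10.1", "192.168.10.2"}).run()
```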

3.3 ) (Passive) DNS resolution monitoring

apt -y install dnstop
dnstop -l 3 eth0
dnstop -l 3 001.pcap > out.txt

3.4 ) Log auditing

1.) WINDOWS
# Increase the event log sizes before auditing
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Application /v MaxSize /t REG_DWORD /d 0x19000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Security /v MaxSize /t REG_DWORD /d 0x64000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000
# Show the configuration of the Security event log
C:\> wevtutil gl Security
# Check the audit policy
C:\> auditpol /get /category:*
# Enable success and failure auditing for every category
C:\> auditpol /set /category:* /success:enable /failure:enable
# Summary of the configured event logs
PS C:\> Get-EventLog -List
# The 5 most recent Application log entries
PS C:\> Get-EventLog -Newest 5 -LogName Application | Format-List
# All entries with Event ID 4672
PS C:\> Get-EventLog Security | ? { $_.EventID -eq 4672 }
# Logon and logoff events
PS C:\> Get-EventLog Security 4625,4634,4647,4624,4625,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964 -After ((Get-Date).AddDays(-1))
# DPAPI activity, process termination, RPC events
PS C:\> Get-EventLog Security 4692,4693,4694,4695,4689,5712 -After ((Get-Date).AddDays(-1))
# File share, file system, SAM, registry and certificate events
PS C:\> Get-EventLog Security 4671,4691,4698,4699,4700,4701,4702,5148,5149,5888,5889,5890,4657,5039,4659,4660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,5140,5142,5143,5144,5168,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5140,5150,5151,5154,5155,5156,5157,5158,5159 -After ((Get-Date).AddDays(-1))
# Details of the Event ID 4672 entries
PS C:\> Get-EventLog Security | ? { $_.EventID -eq 4672 } | Format-List
2.) LINUX
# Authentication logs
tail /var/log/auth.log
grep -i "fail" /var/log/auth.log
tail /var/log/secure
grep -i "fail" /var/log/secure
# samba, cron and sudo logs
grep -i samba /var/log/syslog
grep -i samba /var/log/messages
grep -i cron /var/log/syslog
grep -i sudo /var/log/auth.log
grep -i sudo /var/log/secure
# Apache 404 errors
grep 404 apache.log | grep -v -E "favicon.ico|robots.txt"
# Watch for new files, refreshing every 5 minutes
watch -n 300 -d ls -lR /web_root
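The `grep -i "fail"` lines above show where failed logins are; the following added example (constructed log lines, not part of the manual) takes the Linux authentication log one step further and groups sshd failures per source, flags sources over a threshold, and flags the pattern a responder cares most about: a successful login from a source that had just been failing. The thresholds and the sample lines are my own assumptions.

```python
"""Failed-login triage over sshd lines from /var/log/auth.log (Debian) or
/var/log/secure (RHEL).  Added example with constructed sample lines."""
import re
from collections import defaultdict

# Constructed sample in the syslog format sshd writes; not a real capture.
SAMPLE_AUTH_LOG = """\
Jan 22 10:15:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Jan 22 10:15:03 web1 sshd[4023]: Failed password for root from 203.0.113.5 port 50212 ssh2
Jan 22 10:15:04 web1 sshd[4025]: Failed password for root from 203.0.113.5 port 50213 ssh2
Jan 22 10:15:06 web1 sshd[4027]: Failed password for invalid user oracle from 203.0.113.5 port 50214 ssh2
Jan 22 10:15:09 web1 sshd[4029]: Accepted password for deploy from 203.0.113.5 port 50215 ssh2
Jan 22 10:16:40 web1 sshd[4044]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Jan 22 10:16:45 web1 sshd[4046]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
Jan 22 10:20:00 web1 CRON[4100]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2"
# "Accepted publickey for alice from 198.51.100.7 port 41001 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_line(line: str):
    """Return a dict (ts, result, method, user, src) for sshd auth events,
    None for anything else in the file (cron, sudo, session messages)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failures_by_source(lines) -> dict:
    """Source IP -> number of failed logins: the grep -i fail count, per source."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev["result"] == "Failed":
            counts[ev["src"]] += 1
    return dict(counts)


def suspicious_sources(lines, threshold: int = 3, success_after: int = 2) -> dict:
    """Flag a source once it reaches `threshold` failures (password guessing), and
    escalate it when a login is Accepted after at least `success_after` failures
    (guessing that worked, or a valid account used from the guessing host).
    Lines are processed in file order, so the escalation sees earlier failures."""
    failures = defaultdict(int)
    flagged = {}
    for line in lines:
        ev = parse_auth_line(line)
        if not ev:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            if failures[src] >= threshold:
                flagged.setdefault(src, "brute-force")
        elif failures[src] >= success_after:
            flagged[src] = f"success-after-{failures[src]}-failures as {ev['user']}"
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("failures per source:", failures_by_source(lines))
    for src, reason in suspicious_sources(lines).items():
        print(f"{src}: {reason}")
```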

4. ) Response (Forensics)

4.1 ) Live triage (collecting information from the running system)

4.1.1 Windows

1.) System information
C:\> echo %DATE% %TIME%
C:\> hostname
C:\> systeminfo
C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
C:\> wmic csproduct get name
C:\> wmic bios get serialnumber
C:\> wmic computersystem list brief
C:\> psinfo -accepteula -s -h -d
2.) User information
C:\> whoami
C:\> net users
C:\> net localgroup administrators
C:\> net group administrators
C:\> wmic rdtoggle list
C:\> wmic useraccount list
C:\> wmic group list
C:\> wmic netlogin get name,lastlogon,badpasswordcount
C:\> wmic netclient list brief
C:\> doskey /history > history.txt
3.) Network information
C:\> netstat -e
C:\> netstat -naob
C:\> netstat -nr
C:\> netstat -vb
C:\> nbtstat -s
C:\> route print
C:\> arp -a
C:\> ipconfig /displaydns
C:\> netsh winhttp show proxy
C:\> ipconfig /allcompartments /all
C:\> netsh wlan show interfaces
C:\> netsh wlan show all
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings"
C:\> type %SYSTEMROOT%\system32\drivers\etc\hosts
C:\> wmic nicconfig get description,IPaddress,MACaddress
C:\> wmic netuse get name,username,connectiontype,localname
4.) Service information
C:\> at
C:\> tasklist
C:\> tasklist /svc
C:\> tasklist /SVC /fi "imagename eq svchost.exe"
C:\> schtasks
C:\> net start
C:\> sc query
C:\> wmic service list brief | findstr "Running"
C:\> wmic service list config
C:\> wmic process list brief
C:\> wmic process list status
C:\> wmic process list memory
C:\> wmic job list brief
PS C:\> Get-Service | Where-Object { $_.Status -eq "running" }
5.) Policy, patch and environment-variable information
C:\> set
C:\> gpresult /r
C:\> gpresult /z > output.txt
C:\> gpresult /H report.html /F
C:\> wmic qfe
6.) Autostart information
C:\> wmic startup list full
C:\> wmic ntdomain list brief
6.1) Check the startup folders
C:\> dir "%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
C:\> dir "%userprofile%\Start Menu\Programs\Startup"
C:\> dir "%ProgramFiles%\Startup\"
C:\> dir "C:\Windows\Start Menu\Programs\startup"
C:\> dir "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
C:\> type C:\Windows\winstart.bat
C:\> type %windir%\wininit.ini
C:\> type %windir%\win.ini
C:\> type C:\Autoexec.bat
6.2) Use Autoruns
C:\> autorunsc -accepteula -m
6.3) Autostart registry locations
HKEY_CLASSES_ROOT:
C:\> reg query HKCR\Comfile\Shell\Open\Command
C:\> reg query HKCR\Batfile\Shell\Open\Command
C:\> reg query HKCR\htafile\Shell\Open\Command
C:\> reg query HKCR\Exefile\Shell\Open\Command
C:\> reg query HKCR\Exefiles\Shell\Open\Command
C:\> reg query HKCR\piffile\shell\open\command
HKEY_CURRENT_USER:
C:\> reg query "HKCU\Control Panel\Desktop"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Load"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Scripts"
C:\> reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f run
C:\> reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f load
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
C:\> re g query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit" /v LastKey
C:\> reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
C:\> reg query "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
HKEY_LOCAL_MACHINE:
C:\> reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders"
C:\> reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\Userinit"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\shellServiceObjectDelayLoad"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f Appinit_DLLs
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Shell
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Userinit
C:\> reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts"
C:\> reg query "HKLM\SOFTWARE\Classes\batfile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Classes\comfile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command"
C:\> reg query "HKLM\SOFTWARE\Classes\piffile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
C:\> reg query "HKLM\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs"
7.) Export the event logs
C:\> wevtutil epl Security C:\bak\Security-logs.evtx
C:\> wevtutil epl System C:\bak\System-logs.evtx
C:\> wevtutil epl Application C:\bak\Application-logs.evtx
8.) File, directory and share information
C:\> net use \\<target IP>
C:\> net share
C:\> net session
C:\> wmic volume list brief
C:\> wmic logicaldisk get description,filesystem,name,size
C:\> wmic share get name,path
# Find files of several types, or one specific file
C:\> dir /A /S /T:A *.exe *.dll *.bat *.PS1 *.zip
C:\> dir /A /S /T:A evil.exe
# Find files created after 2017/1/1
C:\> forfiles /p C:\ /M *.exe /S /D +2017/1/1 /C "cmd /c echo @fdate @ftime @path"
C:\> for %G in (.exe, .dll, .bat, .ps) do forfiles -p "C:" -m *%G -s -d +2017/1/1 -c "cmd /c echo @fdate @ftime @path"
# Find files larger than 20 MB
C:\> forfiles /S /M * /C "cmd /c if @fsize GEQ 2097152 echo @path @fsize"
# Find files hidden in Alternate Data Streams
C:\> streams -s <file or directory>
# Check digital signatures and scan with VirusTotal
C:\> sigcheck -e -u -vr -s C:\
C:\> listdlls.exe -u
# Scan for viruses
C:\> "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
C:\> "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan

4.2 ) Live triage (collecting information from the running system)

4.2.1 Linux

1.) System information
uname -a
uptime
timedatectl
mount
2.) User information

lastlog
last
faillog -a
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers
# Find users with UID 0
awk -F: '($3 == "0") {print}' /etc/passwd
egrep ':0+' /etc/passwd
cat /root/.ssh/authorized_keys
lsof -u root
cat /root/.bash_history
3.) Network information
# Network interfaces
ifconfig OR ip a l
# Listening ports
netstat -tupnl
# Network connections
netstat -tupnla
netstat -tupnlax
# Routing table
route OR netstat -r OR ip r l
# ARP table
arp -ne
# Processes with open network sockets
lsof -i
4.) Service information
# List all processes
ps aux OR ps -ef
# Loaded kernel modules
lsmod
# Open files
lsof
lsof -c sshd
lsof -p <PID>
lsof -nPi | cut -f1 -d" " | uniq | tail -n +2
# Watch logs
less +F /var/log/messages
tail -F /var/log/messages
journalctl -u ssh.service -f
# List all services
chkconfig --list
systemctl list-units
5.) Policy, patch and environment-variable information
# Check the files under pam.d
cat /etc/pam.d/common*
# Autostart information: scheduled tasks
crontab -l
crontab -u root -l
cat /etc/crontab
ls /etc/cron*
6.) Command history
cat /root/.*history
7.) File, directory and share information
df -ah
ls -lhcta /etc/init.d/
stat -x filename
file filename
# Files with special attributes (immutable)
lsattr -R / | grep "\-i-"
# World-writable directories
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
# Files created after a given point in time
find / -newermt 2018-01-22
# Print every attribute of the files
find /labs -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
# File metadata
stat <file>
8.) Quick baseline check
wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/1_x/unix-privesc-check && chmod +x unix-privesc-check && ./unix-privesc-check > output.txt
9.) Rootkit detection
chkrootkit
rkhunter --update && rkhunter --check
tiger && less /var/log/tiger/security.report.*
lynis && lynis audit system && more /var/log/lynis.log
10.) Fastir Collector Linux: collects artefacts including kernel version, kernel modules, NICs, OS version, hostname, logins, network connections, SSH known_hosts, log files, process data, autostart entries and more
wget https://raw.githubusercontent.com/SekoiaLab/Fastir_Collector_Linux/master/fastIR_collector_linux.py
python fastIR_collector_linux.py --debug --output_dir output
11.) Sysdig and Sysdig Falco behaviour monitoring
# Watch the directories the root user changes into
sysdig -p"%evt.arg.path" "evt.type=chdir and user.name=root"
# Watch sshd activity
sysdig -A -c echo_fds fd.name=/dev/ptmx and proc.name=sshd
# All commands executed by the login shell with id 5459
sysdig -r trace.scap.gz -c spy_users proc.loginshellid=5459
# Install and start Falco
curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
sudo apt update
apt -y install falco
modprobe sysdig-probe
service falco start
falco

4.3 ) Malware sample analysis

# Static analysis
# Mount the Sysinternals tool share
\\live.sysinternals.com\tools
# Check digital signatures
C:\> sigcheck.exe -u -e C:\malware
C:\> sigcheck.exe -vt malware.exe
# View the PE file in hex and ASCII
hexdump -C -n 500 malware.exe
od -x malware.exe
xxd malware.exe
strings -a malware.exe | more
# Memory image analysis (Volatility)
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 malfind -D /output
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 malfind -p <PID> -D /output
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 pslist
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 pstree
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 dlllist
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 dlldump -D /output
# Hash analysis
curl -v --request POST --url 'https://www.virustotal.com/vtapi/v2/file/report' -d 'apikey=<VT API KEY>' -d 'resource=<sample hash>'
curl -v -F 'file=@malware.exe' -F 'apikey=<VT API KEY>' https://www.virustotal.com/vtapi/v2/file/scan
whois -h hash.cymru.com <sample hash>
# Acquire disk and memory images
# WINDOWS
C:\> psexec.exe \\<IP> -u <DOMAIN>\administrator -p 123 -c mdd_1.3.exe -o C:\memory.dmp
C:\> dc3dd.exe if=\\.\c: of=d:\diskimage.dd hash=md5 log=d:\output.log
# LINUX
dd if=/dev/fmem of=/tmp/mem_dump.dd
# Using LiME
wget https://github.com/504ensicslabs/LiME/archive/master.zip
unzip master.zip
cd LiME-master/src
make
cp lime-*.ko /media/USB/
insmod lime-3.13.0-79-generic.ko "path=/media/USB/mem_dump.lime format=raw"
# Copy a process's executable out of memory
cp /proc/<PID>/exe /output
# Create a process core dump
gcore <PID>
strings -a core.* | more
dd if=/dev/sda of=/root/sda.dd
dd if=/dev/sda | ssh root@RemoteIP "dd of=/root/sda.dd"
# Send and receive an image over netcat
bzip2 -c /dev/sda | nc 8.8.8.8 53
nc -p 53 -l | bzip2 -d | dd of=/root/sda.dd

5. ) Tips & Tricks

5.1 ) Tips

5.1.1 Windows

# Pipe command output to the clipboard, then redirect the clipboard contents to a file
C:\> some_command.exe | clip
PS C:\> Get-Clipboard > clip.txt
# Check whether a registry path exists
PS C:\> Test-Path "HKCU:\Software\Microsoft\123"
# Reliable file copy
robocopy c:\src \\<target computer>\dst /E
# Check whether a directory contains files with the ps1 or vbs extension
PS C:\> Test-Path C:\Scripts\Archive\* -Include *.ps1, *.vbs
# Concatenate several files
C:\> type 1.txt 2.txt > output.txt
# Multiple desktops (Sysinternals Desktops)
C:\> "%ProgramFiles%\Internet Explorer\iexplore.exe" https://live.sysinternals.com/desktops.exe
# Run a command on a remote computer
C:\> psexec.exe \\<remote computer> -u admin -p 123 -c c:\123.exe
PS C:\> Invoke-Command -ComputerName <remote computer> -ScriptBlock { ls }
# Compare two files
PS C:\> Compare-Object -ReferenceObject (Get-Content 1.log) -DifferenceObject (Get-Content 2.log)
# Base conversion and decoding
C:\> set /a 0xff
PS C:\> 0xff
C:\> certutil -decode <base64-encoded file> output.file
# Decode XOR, searching for the keyword http
C:\> xorsearch.exe -i -s input.file http

5.1.2 Linux

# Capture packets on a remote server over SSH
ssh root@8.8.8.8 tcpdump -i any -U -s 0 -w - 'not port 22'

5.2 ) Snort
# Snort rule to detect Meterpreter

# Snort rules by Didier Stevens (http://DidierStevens.com)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit Meterpreter"; flow:to_server,established; content:"RECV"; http_client_body; depth:4; fast_pattern; isdataat:!0,relative; urilen:23<>24,norm; content:"POST"; pcre:"/^\/[a-z0-9]{4,5}_[a-z0-9]{16}\/$/Ui"; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module/; sid:1618008; rev:1;)
https://didierstevens.com/files/software/snort-rules-V0_0_1.zip
# Snort rules to detect PsExec
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|p|00|s|00|e|00|x|00|e|00|c|00|s|00|v|00|c"; nocase; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:24008; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool SMBv2"; flow:to_server,established; content:"|FE|SMB"; depth:8; nocase; content:"|05 00|"; within:2; distance:8; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:30281; rev:1;)
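To show what the content/offset/depth/distance/within/nocase modifiers in the two PsExec rules actually test, here is an added Python re-implementation of their matching logic run over hand-built SMB1 and SMB2 payloads. This is not Snort code; the payloads are constructed, and the SMB1 service-name pattern is taken as the UTF-16LE "\PSEXESVC" string (the name PsExec installs, as the SMBv2 rule spells it), so check it against the rule text you actually deploy.

```python
"""How the PsExec Snort rules above match, as plain Python: a tiny re-implementation
of the content / offset / depth / distance / within / nocase modifiers, run over
constructed SMB1 and SMB2 payloads.  Added example; not Snort's code."""


def find(payload: bytes, pattern: bytes, start: int = 0, window=None, nocase=False) -> int:
    """Search for pattern inside payload[start : start+window] (to the end when window
    is None); return the index just past the match, or -1.  offset/depth on an absolute
    content and distance/within on a relative one both reduce to this (start, window)."""
    hay = payload if window is None else payload[:start + window]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    i = hay.find(pattern, start)
    return -1 if i < 0 else i + len(pattern)


# Service name PsExec installs, in UTF-16LE as the rules spell it out byte by byte.
# Assumption: the SMB1 pattern is "\PSEXESVC" (nocase); the rule's trailing 'c' carries
# no 00 byte, so the final NUL is dropped here as well.
SMB1_SVC = "\\PSEXESVC".encode("utf-16-le")[:-1]
SMB2_SVC = "PSEXESVC".encode("utf-16-le")


def psexec_smb1(payload: bytes) -> bool:
    """sid:24008 -- content |FF|SMB|A2| with offset:4 depth:5, then the service name, nocase.
    offset:4 skips the 4-byte NetBIOS session header; depth:5 means the 5-byte
    magic+command (A2 = NT_CREATE_ANDX) must sit exactly there."""
    if find(payload, b"\xffSMB\xa2", start=4, window=5) < 0:
        return False
    # the second content has no distance/within, so Snort searches it from byte 0
    return find(payload, SMB1_SVC, nocase=True) >= 0


def psexec_smb2(payload: bytes) -> bool:
    """sid:30281 -- content |FE|SMB depth:8 nocase; content |05 00| distance:8 within:2;
    then the service name.  distance:8 from the end of the magic (byte 4) lands on
    byte 12, the SMB2 Command field, and 0x0005 is SMB2 CREATE."""
    end = find(payload, b"\xfeSMB", start=0, window=8, nocase=True)
    if end < 0:
        return False
    if find(payload, b"\x05\x00", start=end + 8, window=2) < 0:
        return False
    return find(payload, SMB2_SVC) >= 0          # case-sensitive: no nocase on this content


def match_rules(payload: bytes) -> list:
    """Which of the two rules fire on this payload (empty list = nothing to alert on)."""
    hits = []
    if psexec_smb1(payload):
        hits.append("sid:24008 psexec SMBv1")
    if psexec_smb2(payload):
        hits.append("sid:30281 psexec SMBv2")
    return hits


# Constructed payloads (NetBIOS session header + SMB header + filename); not real traffic.
SMB1_PSEXEC = (b"\x00\x00\x00\x70"              # NBSS session message, length
               + b"\xffSMB\xa2"                 # SMB1 magic, command NT_CREATE_ANDX
               + b"\x00" * 27                   # remainder of the 32-byte SMB1 header
               + b"\x18" + b"\x00" * 23         # word count + parameter block filler
               + "\\psexesvc".encode("utf-16-le") + b"\x00\x00")   # lower case: nocase must still hit
SMB1_BENIGN = (b"\x00\x00\x00\x60" + b"\xffSMB\x2f" + b"\x00" * 27  # WriteAndX, not a create
               + "\\share\\report.txt".encode("utf-16-le"))
SMB2_HDR = b"\xfeSMB" + b"\x40\x00" + b"\x00\x00" + b"\x00\x00\x00\x00"  # magic, StructureSize 64, CreditCharge, Status
SMB2_PSEXEC = SMB2_HDR + b"\x05\x00" + b"\x00" * 50 + SMB2_SVC           # Command CREATE, header filler, name
SMB2_TREE_CONNECT = SMB2_HDR + b"\x03\x00" + b"\x00" * 50 + SMB2_SVC     # Command TREE_CONNECT: must not fire


if __name__ == "__main__":
    for name, p in [("SMB1_PSEXEC", SMB1_PSEXEC), ("SMB1_BENIGN", SMB1_BENIGN),
                    ("SMB2_PSEXEC", SMB2_PSEXEC), ("SMB2_TREE_CONNECT", SMB2_TREE_CONNECT)]:
        print(f"{name}: {match_rules(p) or 'no alert'}")
```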

5.3 ) Bro NSM
# Detect lateral movement

wget https://raw.githubusercontent.com/richiercyrus/Bro-Scripts/master/detect-mal-smb-files.bro
bro -r faf-exercise.pcap detect-mal-smb-files.bro
less notice.log
# Detect ransomware
wget https://raw.githubusercontent.com/fox-it/bro-scripts/master/smb-ransomware/smb-ransomware.bro
bro -r faf-exercise.pcap smb-ransomware.bro

5.4 ) DoS/DDoS detection
# Detecting SYN flood, ICMP flood and UDP flood

tshark -r 001.pcap -q -z io,phs
tshark -c 1000 -q -z io,phs
tcpdump -tnr <capture.pcap> | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail
tcpdump -qnn "tcp[tcpflags] & (tcp-syn) != 0"
netstat -s
tcpdump -nn not arp and not icmp and not udp
netstat -n | awk '{print $6}' | sort | uniq -c | sort -nr | head
# Application layer
tshark -c 10000 -T fields -e http.host | sort | uniq -c | sort -r | head -n 10
tshark -r capture6 -T fields -e http.request.full_uri | sort | uniq -c | sort -r | head -n 10
tcpdump -n 'tcp[32:4] = 0x47455420' | cut -f 7- -d":"
# Find HTTP payloads carrying GIF, ZIP, JPEG, PDF or PNG content
tshark -Y 'http contains "\xff\xd8" || http contains "GIF89a" || http contains "\x50\x4B\x03\x04" || http contains "%PDF" || http contains "\x89\x50\x4E\x47"'
# Extract the User-Agent and Referer fields
tcpdump -c 1000 -Ann | grep -Ei 'user-agent' | sort | uniq -c | sort -nr | head -10
tcpdump -i en0 -A -s 500 | grep -i refer
# Layer-2 attacks
tcpdump 'arp or icmp'
tcpdump -tnr 001.pcap arp | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail
tshark -r 001.pcap -q -z io,phs | grep arp.duplicate-address-detected

5.5 ) Blue team arsenal

5.5.1) Kali, penetration-testing distribution
https://www.kali.org
5.5.2) SIFT, SANS forensics toolkit
http://sift.readthedocs.org/
5.5.3) REMnux, reverse-engineering and malware analysis distribution
https://remnux.org
5.5.4) OpenVAS
http://www.openvas.org
5.5.5) Security Onion, intrusion detection, network security monitoring and log analysis distribution
https://securityonion.net
5.5.6) OSSEC, open-source host intrusion detection system
http://ossec.github.io

Document maintenance

Project: https://github.com/Zer0d0y/BTFM. Experienced contributors are welcome to help maintain it!
