The idea of red/blue confrontation goes back to The Art of War, the oldest surviving Chinese military treatise. The chapter "Attack by Stratagem" says: "Know the enemy and know yourself, and in a hundred battles you will never be in peril," meaning that if you understand both your own situation and the adversary's thoroughly, you will not lose however many battles you fight. Information security has a matching consensus: "Without knowing the attack, how can you know the defense?" Attack and defense is a continuous contest, and in any given engagement the side that understands the other better holds the initiative. The main purpose of red/blue exercises is to raise an organization's security maturity and its ability to detect and respond to attacks. Red Teams attack, and Blue Teams defend, but the primary goal is shared between them: improve the security posture of the organization.
Documents the blue team should have on hand before an engagement:
1) Organization chart
2) Network topology of the whole estate
3) Logical architecture diagram of each system
4) Call relationships between systems
5) Data-flow relationships
6) Inventory of core assets
7) Incident response plan
8) Business continuity plan
9) Disaster recovery plan
# nmap -sn -PE <ip-or-range> # ICMP echo ping sweep, no port scan
# nmap --open <ip-or-range> # show only ports that are open
# nmap -sV <ip-or-range> # service and version detection
# nmap -p 80,443 <ip-or-range>
# nmap -sU -p 53 <ip-or-range> # UDP scan of port 53
# nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <ip-or-range> # mixed UDP/TCP port list, skip host discovery
# nessus -q -x -T html <server-ip> <server-port> <admin-user> <password> <targets.txt> <report.html>
# apt -y install pcregrep
# wget https://goo.gl/TYbLwE
# chmod +x openvas-automate.sh && ./openvas-automate.sh <target-ip>
Basic network discovery:
# C:\> net view /all
# C:\> net view \\<hostname>
Ping sweep:
# C:\> for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "Reply" >> output.txt
(the string after find must match the localized ping output, e.g. "Reply" on English Windows)
Enable DHCP server logging:
# C:\> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1
Default log directory:
C:\> %windir%\System32\Dhcp
Enable DNS server logging:
# C:\> DNSCmd <dns-server> /config /logLevel 0x8100F331
# Set the log file path:
C:\> DNSCmd <dns-server> /config /LogFilePath C:\dns.log
# Set the maximum log file size:
C:\> DNSCmd <dns-server> /config /logfilemaxsize 0xffffffff
File Checksum Integrity Verifier (FCIV):
Ref: http://support2.microsoft.com/kb/841290
# Single file:
C:\> fciv.exe <file>
# Hash every file on C: recursively and save the result to an XML database:
C:\> fciv.exe c:\ -r -sha1 -xml results.xml
# List all hashes stored in the database:
C:\> fciv.exe -list -sha1 -xml results.xml
# certutil & PowerShell (FCIV only does MD5/SHA-1, neither of which is collision-resistant; prefer SHA256 on current Windows)
# certutil -hashfile <file> SHA1 (SHA256 is accepted too)
# PS C:\> Get-FileHash <file> | Format-List
# PS C:\> Get-FileHash -Algorithm MD5 <file>
nbtstat scan
# C:\> nbtstat -A <target-ip>
NetBIOS name cache
# C:\> nbtstat -c
Batch scan
# C:\> for /L %I in (1,1,254) do nbtstat -An 192.168.1.%I
Scan a single IP with MBSA (no longer maintained by Microsoft, still useful on legacy hosts)
# C:\> mbsacli.exe /target <ip> /n os+iis+sql+password
Scan an IP range
# C:\> mbsacli.exe /r <ip-range> /n os+iis+sql+password
List open SMB shares
# smbclient -L <target-host>
Ping sweep
# for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip > /dev/null 2>&1 && echo "192.168.1.$ip UP" || : ; done
DHCP logs
RHEL/CentOS
# cat /var/lib/dhcpd/dhcpd.leases
Debian/Ubuntu
# grep -Ei 'dhcp' /var/log/syslog.1
DNS logs
# rndc querylog && tail -f /var/log/messages | grep named
Hash every executable under a directory
# find /sbin -type f -exec md5sum {} \; >> md5sums.txt
# md5deep -rs /sbin > md5sums.txt
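The baseline-and-compare workflow behind fciv -xml on Windows and md5deep -rs on Linux, written out as an added Python example (this is not code from the original page or from either tool). It hashes a tree with SHA-256 rather than MD5/SHA-1, keeps the baseline as JSON so it can be stored off-host, and classifies every later difference as added, removed or modified. The directory contents built in demo() are constructed for the illustration:

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example, not from the original page: hash baseline of a directory tree
# plus a diff against a later scan, the same job as "fciv -r -xml" / "md5deep -rs".


def hash_file(path: Path, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream the file through the digest so large binaries never sit in RAM."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path, algo: str = "sha256") -> dict:
    """Return {relative_path: digest} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():   # a symlink would hash its target
                baseline[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Classify every path as added, removed or modified between two scans."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake /sbin, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho ps\n")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        stored = json.dumps(hash_tree(root))      # what you would keep off the host

        # Attacker-style changes: trojaned binary, dropped tool, deleted config
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho ps | grep -v evil\n")
        (root / "bin" / "netcat").write_bytes(b"\x7fELF")
        (root / "sshd_config").unlink()

        return diff_baselines(json.loads(stored), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline from known-good media and store the JSON off the host; a baseline that lives on the compromised box can be edited by the same attacker who replaced the binaries.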
NetBIOS scan
# nbtscan <target-ip-or-range>
Example: nbtscan 192.168.1.2-100
# C:\> sc query
# C:\> sc config "<service>" start= disabled
# C:\> sc stop "<service>"
# C:\> wmic service where name="<service>" call ChangeStartmode Disabled
# List all firewall rules:
# C:\> netsh advfirewall firewall show rule name=all
# Enable or disable the firewall:
C:\> netsh advfirewall set currentprofile state on
C:\> netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
C:\> netsh advfirewall set publicprofile state on
C:\> netsh advfirewall set privateprofile state on
C:\> netsh advfirewall set domainprofile state on
C:\> netsh advfirewall set allprofiles state on
C:\> netsh advfirewall set allprofiles state off
# Rule examples:
netsh advfirewall firewall add rule name="Allow TCP 80 in" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Allow TCP 443 in" dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="Block TCP 445 in" dir=in action=block protocol=TCP localport=445
netsh advfirewall firewall add rule name="Allow MyApp" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
# Flush the DNS resolver cache and reload the NetBIOS name cache:
# C:\> ipconfig /flushdns
# C:\> nbtstat -R
# AppLocker configuration
# Import the AppLocker module
PS C:\> Import-Module AppLocker
# Show AppLocker file information for every exe under system32
PS C:\> Get-AppLockerFileInformation -Directory C:\Windows\System32 -Recurse -FileType Exe
# Build an allow policy for every exe under system32 (publisher rule where the file is signed, hash rule otherwise)
PS C:\> Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix System32
# New-AppLockerPolicy only emits the policy XML; apply it with Set-AppLockerPolicy, and run it in audit mode first so a missing rule does not lock out a production host
# Create a local IPsec policy that uses a pre-shared key and applies to all connections and protocols
C:\> netsh ipsec static add filter filterlist=MyIPsecFilter srcaddr=Any dstaddr=Any protocol=ANY
C:\> netsh ipsec static add filteraction name=MyIPsecAction action=negotiate
C:\> netsh ipsec static add policy name=MyIPsecPolicy assign=yes
C:\> netsh ipsec static add rule name=MyIPsecRule policy=MyIPsecPolicy filterlist=MyIPsecFilter filteraction=MyIPsecAction conntype=all activate=yes psk=<pre-shared-key>
# Add a rule to the same policy that permits outbound TCP 80 and 443 without IPsec
C:\> netsh ipsec static add filteraction name=Allow action=permit
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=80
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=443
C:\> netsh ipsec static add rule name=WebAllow policy=MyIPsecPolicy filterlist=WebFilter filteraction=Allow conntype=all activate=yes psk=<pre-shared-key>
# Show and unassign a local IPsec policy
C:\> netsh ipsec static show policy name=MyIPsecPolicy
C:\> netsh ipsec static set policy name=MyIPsecPolicy assign=no
# Windows Firewall with Advanced Security: a connection security rule requiring IPsec in both directions for any endpoint pair
C:\> netsh advfirewall consec add rule name="IPSEC" endpoint1=any endpoint2=any action=requireinrequireout qmsecmethods=default
# Matching firewall rule: allow outbound traffic only when the connection is IPsec-authenticated
C:\> netsh advfirewall firewall add rule name="IPSEC_Out" dir=out action=allow enable=yes profile=any localip=any remoteip=any protocol=any interfacetype=any security=authenticate
# Disable Remote Desktop connections
C:\> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 1
# Send NTLMv2 responses only and refuse LM/NTLMv1 (hardens against credential cracking and relay; it does not address MS17-010 "EternalBlue", which needs the SMBv1 patch or SMBv1 disabled)
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel /t REG_DWORD /d 5 /f
# Disable IPv6
C:\> reg add HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f
# Disable Sticky Keys (the sethc.exe hotkey is a classic pre-logon backdoor vector)
C:\> reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
# Disable administrative shares (Servers / Workstations)
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareServer /t REG_DWORD /d 0
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareWks /t REG_DWORD /d 0
# Disable the Registry Editor and the CMD prompt for the current user
C:\> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\> reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
# Enable UAC
C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
# Enable firewall logging (legacy "netsh firewall" context; on current Windows use "netsh advfirewall set allprofiles logging ...")
C:\> netsh firewall set logging droppedpackets = enable
C:\> netsh firewall set logging connections = enable
# Service status
service --status-all
ps -ef OR ps aux
initctl list
systemctl list-unit-files
# Start, stop and disable services
# SysV/Upstart services:
/etc/init.d/apache2 start | stop | status
service apache2 start | stop | status
update-rc.d apache2 disable
# systemd services:
systemctl start | stop | status ntp.service
systemctl disable sshd.service
# Common iptables operations:
iptables-save > firewall_rules.bak # export the current rules
iptables -vnL --line-numbers # list all rules with their numbers
iptables -S # same, in iptables-save syntax
iptables -P INPUT DROP # default policy: drop all inbound (add ACCEPT rules for ESTABLISHED,RELATED and your management access first if you are on SSH)
iptables -A INPUT -s 10.10.10.10 -j DROP # block a single IP
iptables -A INPUT -s 10.10.10.0/24 -j DROP # block a subnet
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP # block one IP from the local SSH service
iptables -A INPUT -p tcp --dport ssh -j DROP # block all access to the local SSH service
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # rate-limited logging, inserted at position 5 of INPUT
iptables -F # flush all loaded rules (the default policy stays, so with -P INPUT DROP this locks you out)
# Unix/Linux has no system-wide DNS cache by default; if nscd, dnsmasq or systemd-resolved is installed, flush that service instead
# Build an IPsec channel between two servers (transport-mode ESP with racoon / ipsec-tools)
1.) Add firewall rules allowing the IPsec protocols
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
2.) Install racoon
apt -y install racoon
3.) Edit /etc/ipsec-tools.conf (the security policy database):
flush;
spdflush;
spdadd <host-A-ip> <host-B-ip> any -P out ipsec
esp/transport//require;
spdadd <host-B-ip> <host-A-ip> any -P in ipsec
esp/transport//require;
4.) Edit /etc/racoon/racoon.conf:
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
exchange_mode main,aggressive;
proposal {
encryption_algorithm aes_256;
hash_algorithm sha256;
authentication_method pre_shared_key;
dh_group modp1024;
}
generate_policy off;
}
sainfo anonymous {
pfs_group 2;
encryption_algorithm aes_256;
authentication_algorithm hmac_sha256;
compression_algorithm deflate;
}
Caveat: aggressive mode with a PSK hands an offline-crackable hash of the key to anyone who can initiate, and modp1024 (DH group 2) is below current guidance; for anything beyond a lab, keep exchange_mode main only, use dh_group modp2048 with pfs_group 14, and use a long random PSK instead of "123".
5.) Add the pre-shared key (racoon refuses a world-readable key file, so chmod 600 /etc/racoon/psk.txt)
Host A: echo "<host-B-ip> 123" >> /etc/racoon/psk.txt
Host B: echo "<host-A-ip> 123" >> /etc/racoon/psk.txt
6.) Restart the service, then check the negotiated SAs and the installed policies
service setkey restart
setkey -D
setkey -DP
1.) TCPDUMP
tcpdump -tttt -n -vv # full timestamps, no name resolution, verbose
tcpdump -nn -c 1000 | awk '{print $3}' | cut -d. -f1-4 | sort -n | uniq -c | sort -nr # capture 1000 packets and list the top talkers by source IP
tcpdump -w target.pcap -i any dst targetIP and port 80 # capture packets to targetIP port 80 on all interfaces and write them to target.pcap
tcpdump host 10.0.0.1 and host 10.0.0.2 # traffic between two hosts
tcpdump not net 10.10 and not host 192.168.1.2 # everything except the 10.10/16 network and host 192.168.1.2
tcpdump 'host 10.10.10.10 and (10.10.10.20 or 10.10.10.30)' # traffic between host A and host B or C (quote the filter so the shell does not interpret the parentheses)
tcpdump -n -s0 -C 100 -w 001.pcap # rotate: start a new file every 100 MB
tcpdump -w - | ssh ServerIP -p 50005 "cat - > /tmp/remotecapture.pcap" # stream the capture to /tmp/remotecapture.pcap on a remote server
tcpdump -n -A -s0 port http or port ftp or port smtp or port imap or port pop3 | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|Passwd=|password=|pass:|user:|username:|password:|login:|pass|user' --color=auto --line-buffered -B20 # grab cleartext credentials
tcpdump -s 1500 -A '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)' # match TLS ClientHello records (record type 0x16, handshake type 0x01), i.e. the start of every TLS session; the SNI and offered cipher suites are in the -A output
2.) TSHARK
tshark -nr 001.pcap -Y "ssl.handshake.ciphersuites" -Vx | grep "Server Name:" | sort | uniq -c | sort -r # extract the TLS Server Name (SNI) from each ClientHello
tshark -D # list interfaces
tshark -i eth0 -i eth1 # capture on several interfaces
tshark -nn -w 001.pcap # no name resolution, write to file
tshark arp or icmp # capture ARP or ICMP only
tshark "host <host-A> && host <host-B>" # traffic between two hosts
tshark -r 001.pcap # analyse a saved capture
tshark -n -e ip.src -e ip.dst -T fields -E separator=, -2 -R ip -r 001.pcap # extract source/destination IP pairs
tshark -n -e ip.src -e dns.qry.name -E separator=';' -T fields port 53 # source IP and queried name of each DNS query
tshark -2 -R http.request -T fields -E separator=';' -e http.host -e http.request.uri -r 001.pcap # Host header and URI of each HTTP request
tshark -n -c 150 | awk '{print $3}' | sort -n | uniq -c | sort -nr # top talkers ($3 is the source column of tshark's default output, $5 the destination)
tshark -q -z io,phs -r 001.pcap # protocol hierarchy statistics
tshark -n -c 100 -e ip.src -Y "dns.flags.response eq 1" -T fields port 53 # addresses of the DNS servers that sent responses
tshark -n -e http.request.uri -Y http.request -T fields | grep exe # HTTP requests fetching .exe files
3.) SNORT
snort -T -c /etc/snort/snort.conf # test the configuration
snort -dv -r 001.log # read and decode a capture
snort -dvr 001.log icmp # only ICMP packets from the capture
snort -K ascii -l 001 # log packets in ASCII format to directory 001
snort -q -A console -i eth0 -c /etc/snort/snort.conf # run live and print events to the console
echo 'log tcp 192.168.1.0/24 any -> 192.168.1.95 22 ( msg:"ssh access"; sid:1618008; )' > 001.rule && snort -T -c 001.rule # write a rule and test it
mkdir logs && snort -vd -c 001.rule -r 001.pcap -A console -l logs # run the rule against a capture
4.) Bro NSM (now Zeek)
apt -y install bro bro-aux
pip install bro-pkg
bro-pkg install bro/hosom/file-extraction
wget https://www.malware-traffic-analysis.net/2018/01/12/2018-01-12-NanoCore-RAT-traffic.pcap.zip
wget https://www.bro.org/static/exchange-2013/faf-exercise.pcap
bro -r 2018-01-12-NanoCore-RAT-traffic.pcap # read the pcap and generate the log files (conn.log, dns.log, http.log, ssl.log, ...)
bro -r faf-exercise.pcap /root/.bro-pkg/scratch/file-extraction/scripts/plugins/extract-pe.bro && ls -lhct ./extract_files/ # extract PE (exe) files
bro -r faf-exercise.pcap /usr/share/bro/policy/frameworks/files/extract-all-files.bro # extract files of every type
bro -C -r faf-exercise.pcap && cat ssl.log | bro-cut server_name subject issuer # server_name, subject and issuer of each TLS session (-C ignores bad checksums)
cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state # source IP/port, destination IP/port, protocol and connection state
cat dns.log | bro-cut query | sort -u # unique DNS query names
cat http.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p host uri referrer # source/destination, Host, URI and Referer of each HTTP request
cat http.log | bro-cut user_agent | sort -u # unique User-Agent strings
5.) EDITCAP
editcap -F pcap -c 1000 original.pcap out_split.pcap # split into files of 1000 packets each
editcap -F pcap -i 3600 original.pcap out_split.pcap # split into one-hour files (-i is the interval; -t would shift timestamps instead)
6.) MERGECAP
mergecap -w merged_cap.pcap cap1.pcap cap2.pcap cap3.pcap # merge several captures
7.) PacketTotal
https://www.packettotal.com/app/analysis?id=c8c11b792272ac19a49299a3687466be&name=files
8.) NetworkMiner
http://netres.ec/?b=173588E
1.) Port honeypot (honeyport), Windows
# Principle: listen on ports that nothing legitimate uses; once a client completes a TCP connection, log it and add a firewall rule blocking that IP
PS C:\> certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Pwdrkeg/honeyport/master/honeyport.ps1
PS C:\> .\honeyport.ps1 -Ports 4444,22,21,23 -WhiteList 192.168.10.1,192.168.10.2 -Block $true -Verbose
PS C:\> Get-EventLog HoneyPort # view the log
PS C:\> Stop-Job -Name HoneyPort # stop the job
PS C:\> Remove-Job -Name HoneyPort # remove the job
1.) Port honeypot, Linux
# Same principle as above
wget https://raw.githubusercontent.com/gchetrick/honeyports/master/honeyports-0.5.py
python honeyports-0.5.py -p 1234 -h 192.168.1.100 -D
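A minimal honeyport of the kind the two scripts above implement, added here as a Python example (it is not the honeyport.ps1 or honeyports-0.5.py code). Every completed TCP connection to a decoy port is logged, whitelisted peers are ignored, and any other peer is turned into an iptables or netsh block rule; the rule is only generated unless apply_block=True. The loopback scenario in demo() is constructed for the illustration:

```python
import socket
import subprocess
import sys
import threading
import time
from datetime import datetime, timezone

# Added example, not from the original page: a honeyport that logs every
# completed connect to a decoy port and blocks the peer (dry run by default).


class HoneyPort:
    """Listen on decoy ports; log every completed TCP connect and block the peer."""

    def __init__(self, ports, whitelist=(), bind="0.0.0.0", apply_block=False):
        self.ports = list(ports)
        self.whitelist = set(whitelist)
        self.bind = bind
        self.apply_block = apply_block      # False = only generate the rule
        self.hits = []                      # {time, src, port, action}
        self.blocked = set()
        self.bound_ports = []
        self._stop = threading.Event()
        self._lock = threading.Lock()
        self._workers = []

    @staticmethod
    def block_rule(ip, platform=None):
        """The firewall command that would drop further packets from ip on this host."""
        platform = platform or sys.platform
        if platform.startswith("win"):
            return ('netsh advfirewall firewall add rule name="honeyport_%s" '
                    'dir=in action=block remoteip=%s' % (ip, ip))
        return "iptables -I INPUT -s %s -j DROP" % ip

    def _serve(self, srv, port):
        while not self._stop.is_set():
            try:
                conn, (src, _sport) = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()                    # never answer: the completed handshake is the signal
            with self._lock:
                action = "whitelisted" if src in self.whitelist else "block"
                if action == "block" and src not in self.blocked:
                    self.blocked.add(src)
                    if self.apply_block:    # needs root/Administrator
                        subprocess.run(self.block_rule(src), shell=True, check=False)
                self.hits.append({"time": datetime.now(timezone.utc).isoformat(),
                                  "src": src, "port": port, "action": action})

    def start(self):
        for port in self.ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.bind, port))
            srv.listen(16)
            srv.settimeout(0.2)             # lets the accept loop notice stop()
            bound = srv.getsockname()[1]
            self.bound_ports.append(bound)
            t = threading.Thread(target=self._serve, args=(srv, bound), daemon=True)
            t.start()
            self._workers.append((t, srv))
        return self

    def wait_for_hits(self, n, timeout=5.0):
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.hits) >= n:
                    return True
            time.sleep(0.02)
        return False

    def stop(self):
        self._stop.set()
        for t, srv in self._workers:
            t.join(timeout=2)
            srv.close()


def demo():
    """Constructed loopback scenario: the same peer seen once as unknown, once whitelisted."""
    out = {}
    for label, wl in (("unknown_peer", ()), ("whitelisted_peer", ("127.0.0.1",))):
        hp = HoneyPort(ports=[0], whitelist=wl, bind="127.0.0.1").start()  # port 0: OS picks
        socket.create_connection(("127.0.0.1", hp.bound_ports[0])).close()
        hp.wait_for_hits(1)
        hp.stop()
        out[label] = {"hits": len(hp.hits), "action": hp.hits[0]["action"] if hp.hits else None,
                      "blocked": sorted(hp.blocked)}
    return out


if __name__ == "__main__":
    print(demo())
```

In production you would start it as HoneyPort([4444, 22, 21, 23], whitelist=[...], apply_block=True).start() under root or an Administrator shell and let it run; keep the management and scanner addresses in the whitelist, since a single stray port scan from a vulnerability scanner would otherwise block it.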
2.) (PASSIVE) DNS resolution monitoring
apt -y install dnstop
dnstop -l 3 eth0 # live, showing three label levels of each queried name
dnstop -l 3 001.pcap > out.txt # the same over a saved capture
# Increase the event log sizes for auditing (MaxSize is in KB: 0x19000 = 100 MB, 0x64000 = 400 MB)
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Application /v MaxSize /t REG_DWORD /d 0x19000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Security /v MaxSize /t REG_DWORD /d 0x64000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000
# Show the configuration of the Security event log
C:\> wevtutil gl Security
# Check the audit policy
auditpol /get /category:*
# Enable success and failure auditing for every category
C:\> auditpol /set /category:* /success:enable /failure:enable
# Summary of the configured event logs
PS C:\> Get-EventLog -List
# Last 5 Application log entries
PS C:\> Get-EventLog -Newest 5 -LogName Application | Format-List
# All entries with Event ID 4672 (special privileges assigned to a new logon)
PS C:\> Get-EventLog Security | ? { $_.EventID -eq 4672 }
# Logon and logoff events from the last 24 hours (Get-EventLog reads the classic logs only; use Get-WinEvent -FilterHashtable for the newer channels)
PS C:\> Get-EventLog Security 4624,4625,4634,4647,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964 -After ((Get-Date).AddDays(-1))
# DPAPI activity, process termination, RPC events
PS C:\> Get-EventLog Security 4692,4693,4694,4695,4689,5712 -After ((Get-Date).AddDays(-1))
# File share, file system, SAM, registry and certificate events
PS C:\> Get-EventLog Security 4671,4691,4698,4699,4700,4701,4702,5148,5149,5888,5889,5890,4657,5039,4659,4660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5150,5151,5154,5155,5156,5157,5158,5159 -After ((Get-Date).AddDays(-1))
# Full details of every Event ID 4672 entry
PS C:\> Get-EventLog Security | ? { $_.EventID -eq 4672 } | Format-List
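What a blue team does with the 4624/4625 records these queries return, as an added Python example (not code from the original page): a per-source sliding-window check for brute force (many failures), password spraying (many distinct accounts) and a success that follows either. The event records are constructed in-line, and the field names used here (time, id, account, src, logon_type) belong to this example, not to the Windows event schema; in practice you would fill them from an export made with Get-WinEvent or wevtutil:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original page: brute-force / password-spray
# detection over Security log 4625 (failure) and 4624 (success) records.


def ev(ts, event_id, account, src, logon_type=3):
    """Build one simplified logon record (field names are this example's own)."""
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "account": account, "src": src, "logon_type": logon_type}


# Constructed sample: a brute force that eventually succeeds, a spray across
# four accounts, one benign success and one isolated typo.
SAMPLE_EVENTS = (
    [ev("2018-01-12T03:00:%02d" % (i * 10), 4625, "administrator", "10.0.0.7") for i in range(6)]
    + [ev("2018-01-12T03:01:30", 4624, "administrator", "10.0.0.7", logon_type=10)]
    + [ev("2018-01-12T03:10:%02d" % (i * 15), 4625, user, "10.0.0.8")
       for i, user in enumerate(["alice", "bob", "carol", "dave"])]
    + [ev("2018-01-12T02:50:00", 4624, "svc_backup", "10.0.0.5"),
       ev("2018-01-12T03:20:00", 4625, "erin", "10.0.0.9")]
)


def detect_logon_abuse(events, fail_threshold=5, spray_accounts=3, window=timedelta(minutes=5)):
    """Per source, find a burst of 4625s inside `window` and say whether a 4624 followed it."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["time"] - first["time"] <= window]
            accounts = sorted({e["account"] for e in burst})
            kinds = []
            if len(burst) >= fail_threshold:
                kinds.append("brute_force")        # many failures from one source
            if len(accounts) >= spray_accounts:
                kinds.append("password_spray")     # many accounts from one source
            if not kinds:
                continue
            # Any success from the same source after the burst began is the part to act on
            success = next((e for e in evs if e["id"] == 4624 and e["time"] >= first["time"]), None)
            if success:
                kinds.append("success_after_failures")
            alerts.append({"src": src, "start": first["time"].isoformat(), "failures": len(burst),
                           "accounts": accounts, "kinds": kinds,
                           "compromised": success["account"] if success else None})
            break   # one alert per source; the first burst is enough to page someone
    return alerts


if __name__ == "__main__":
    for a in detect_logon_abuse(SAMPLE_EVENTS):
        print(a)
```

The thresholds are deliberately parameters: a domain with an account-lockout policy at 10 attempts wants fail_threshold below that, and a spray detector keyed on distinct accounts catches the low-and-slow pattern that a per-account lockout counter never sees.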
# Authentication logs
tail /var/log/auth.log
grep -i "fail" /var/log/auth.log
tail /var/log/secure
grep -i "fail" /var/log/secure
# samba, cron and sudo logs
grep -i samba /var/log/syslog
grep -i samba /var/log/messages
grep -i cron /var/log/syslog
grep -i sudo /var/log/auth.log
grep -i sudo /var/log/secure
# Apache 404 errors, minus the favicon/robots noise
grep 404 apache.log | grep -v -E "favicon.ico|robots.txt"
# Watch for new files, refreshing every 5 minutes
watch -n 300 -d ls -lR /web_root
1.) System information
C:\> echo %DATE% %TIME%
C:\> hostname
C:\> systeminfo
C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
C:\> wmic csproduct get name
C:\> wmic bios get serialnumber
C:\> wmic computersystem list brief
C:\> psinfo -accepteula -s -h -d
2.) User information
C:\> whoami
C:\> net users
C:\> net localgroup administrators
C:\> net group administrators
C:\> wmic rdtoggle list
C:\> wmic useraccount list
C:\> wmic group list
C:\> wmic netlogin get name,lastlogon,badpasswordcount
C:\> wmic netclient list brief
C:\> doskey /history > history.txt
3.) Network information
C:\> netstat -e
C:\> netstat -naob
C:\> netstat -nr
C:\> netstat -vb
C:\> nbtstat -s
C:\> route print
C:\> arp -a
C:\> ipconfig /displaydns
C:\> netsh winhttp show proxy
C:\> ipconfig /allcompartments /all
C:\> netsh wlan show interfaces
C:\> netsh wlan show all
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings"
C:\> type %SYSTEMROOT%\system32\drivers\etc\hosts
C:\> wmic nicconfig get descriptions,IPaddress,MACaddress
C:\> wmic netuse get name,username,connectiontype,localname
4.) Services and processes
C:\> at
C:\> tasklist
C:\> tasklist /svc
C:\> tasklist /SVC /fi "imagename eq svchost.exe"
C:\> schtasks
C:\> net start
C:\> sc query
C:\> wmic service list brief | findstr "Running"
C:\> wmic service list config
C:\> wmic process list brief
C:\> wmic process list status
C:\> wmic process list memory
C:\> wmic job list brief
PS C:\> Get-Service | Where-Object { $_.Status -eq "Running" }
5.) Policy, patch and environment information
C:\> set
C:\> gpresult /r
C:\> gpresult /z > output.txt
C:\> gpresult /H report.html /F
C:\> wmic qfe
6.) Autostart information
C:\> wmic startup list full
C:\> wmic ntdomain list brief
6.1) Check the startup folders
C:\> dir "%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
C:\> dir "%userprofile%\Start Menu\Programs\Startup"
C:\> dir "%ProgramFiles%\Startup"
C:\> dir "C:\Windows\Start Menu\Programs\startup"
C:\> dir "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
C:\> type C:\Windows\winstart.bat
C:\> type %windir%\wininit.ini
C:\> type %windir%\win.ini
C:\> type C:\Autoexec.bat
6.2) Using autoruns
C:\> autorunsc -accepteula -m
6.3) Autostart registry locations
HKEY_CLASSES_ROOT (file-type handlers; a hijacked open command runs every time that file type is launched):
C:\> reg query HKCR\Comfile\Shell\Open\Command
C:\> reg query HKCR\Batfile\Shell\Open\Command
C:\> reg query HKCR\htafile\Shell\Open\Command
C:\> reg query HKCR\Exefile\Shell\Open\Command
C:\> reg query HKCR\piffile\shell\open\command
HKEY_CURRENT_USER:
C:\> reg query "HKCU\Control Panel\Desktop"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Load"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Scripts"
C:\> reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f run
C:\> reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f load
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit" /v LastKey
C:\> reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
C:\> reg query "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
HKEY_LOCAL_MACHINE:
C:\> reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders"
C:\> reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\Userinit"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f Appinit_DLLs
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Shell
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Userinit
C:\> reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts"
C:\> reg query "HKLM\SOFTWARE\Classes\batfile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Classes\comfile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command"
C:\> reg query "HKLM\SOFTWARE\Classes\piffile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
C:\> reg query "HKLM\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs"
7.) Export the event logs
C:\> wevtutil epl Security C:\bak\Security-logs.evtx
C:\> wevtutil epl System C:\bak\System-logs.evtx
C:\> wevtutil epl Application C:\bak\Application-logs.evtx
8.) File, directory and share information
C:\> net use \\<target-ip>
C:\> net share
C:\> net session
C:\> wmic volume list brief
C:\> wmic logicaldisk get description,filesystem,name,size
C:\> wmic share get name,path
# Find files of several types, or one specific file
C:\> dir /A /S /T:A *.exe *.dll *.bat *.PS1 *.zip
C:\> dir /A /S /T:A evil.exe
# Find files created after 2017-01-01
C:\> forfiles /p C:\ /M *.exe /S /D +2017/1/1 /C "cmd /c echo @fdate @ftime @path"
C:\> for %G in (.exe, .dll, .bat, .ps1) do forfiles -p "C:\" -m *%G -s -d +2017/1/1 -c "cmd /c echo @fdate @ftime @path"
# Find files larger than 2 MB (@fsize is in bytes; 2097152 = 2 MB)
forfiles /S /M * /C "cmd /c if @fsize GEQ 2097152 echo @path @fsize"
# Look for data hidden in Alternate Data Streams
C:\> streams -s <file-or-directory>
# Check digital signatures and submit hashes to VirusTotal
C:\> sigcheck -e -u -vr -s C:\
C:\> listdlls.exe -u
# Virus scan with Windows Defender
C:\> "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
C:\> "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan
1.) System information
uname -a
uptime
timedatectl
mount
2.) User information
w
lastlog
last
faillog -a
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers
# Accounts with UID 0
awk -F: '($3 == "0") {print}' /etc/passwd
egrep ':0+' /etc/passwd
cat /root/.ssh/authorized_keys
lsof -u root
cat /root/.bash_history
3.) Network information
# Interfaces
ifconfig OR ip a l
# Listening ports
netstat -tupnl
# Connections
netstat -tupnla
netstat -tupnlax
# Routes
route OR netstat -r OR ip r l
# ARP table
arp -ne
# Processes holding network sockets
lsof -i
4.) Services and processes
# All processes
ps aux OR ps -ef
# Loaded kernel modules
lsmod
# Open files
lsof
lsof -c sshd
lsof -p PID
lsof -nPi | cut -f1 -d" " | uniq | tail -n +2
# Follow logs
less +F /var/log/messages
tail -F /var/log/messages
journalctl -u ssh.service -f
# All services
chkconfig --list
systemctl list-units
5.) Policy, patch and environment information
# PAM configuration
cat /etc/pam.d/common*
# Autostart: scheduled tasks
crontab -l
crontab -u root -l
cat /etc/crontab
ls /etc/cron.*
6.) Command history
cat /root/.*history
7.) File, directory and share information
df -ah
ls -lhcta /etc/init.d/
stat -x <file> (BSD/macOS; on Linux plain stat <file>)
file <file>
# Files with the immutable attribute set
lsattr -R / | grep -- "-i-"
# World-writable directories without the sticky bit
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
# Files modified after a given date
find / -newermt 2018-01-22
# Print every attribute of each file
find /labs -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
# File metadata
stat <file>
8.) Quick baseline check
wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/1_x/unix-privesc-check && ./unix-privesc-check > output.txt
9.) Rootkit detection
chkrootkit
rkhunter --update && rkhunter --check
tiger && less /var/log/tiger/security.report.*
lynis audit system && less /var/log/lynis.log
10.) FastIR Collector Linux collects artefacts: kernel version, kernel modules, network interfaces, OS version, hostname, logins, network connections, SSH known_hosts, log files, process data, autostart entries and more
wget https://raw.githubusercontent.com/SekoiaLab/Fastir_Collector_Linux/master/fastIR_collector_linux.py
python fastIR_collector_linux.py --debug --output_dir output
11.) Sysdig and Sysdig Falco behaviour monitoring
# Directories root has changed into
sysdig -p"%evt.arg.path" "evt.type=chdir and user.name=root"
# Watch sshd activity (everything that passes through its pseudo-terminals)
sysdig -A -c echo_fds fd.name=/dev/ptmx and proc.name=sshd
# Every command run in the login shell with id 5459, from a saved trace
sysdig -r trace.scap.gz -c spy_users proc.loginshellid=5459
# Install and start falco
curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
sudo apt update
apt -y install falco
modprobe sysdig-probe
service falco start
falco
# Static analysis
# Mount the Sysinternals tool share
\\live.sysinternals.com\tools
# Check digital signatures
C:\> sigcheck.exe -u -e C:\malware
C:\> sigcheck.exe -vt malware.exe
# View a PE file in hex and ASCII
hexdump -C -n 500 malware.exe
od -x malware.exe
xxd malware.exe
strings -a malware.exe | more
# Memory image analysis (Volatility 2; the profile must match the imaged OS, here Windows 7 SP1 x64)
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 malfind -D /output
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 malfind -p PID -D /output
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 pslist
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 pstree
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 dlllist
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 dlldump -D /output
# Hash lookups (query by hash first; uploading a sample shares it with every VirusTotal subscriber)
curl -v --request POST --url 'https://www.virustotal.com/vtapi/v2/file/report' -d apikey=<VT-API-KEY> -d 'resource=<sample-hash>'
curl -v -F 'file=@malware.exe' -F apikey=<VT-API-KEY> https://www.virustotal.com/vtapi/v2/file/scan
whois -h hash.cymru.com <sample-hash>
# Acquire disk and memory images
# WINDOWS
C:\> psexec.exe \\<ip> -u <DOMAIN>\administrator -p 123 -c mdd_1.3.exe -o C:\memory.dmp
C:\> dc3dd.exe if=\\.\c: of=d:\diskimage.dd hash=md5 log=d:\output.log
# LINUX
dd if=/dev/fmem of=/tmp/mem_dump.dd # requires the fmem kernel module
# Using LiME
wget https://github.com/504ensicslabs/LiME/archive/master.zip
unzip master.zip
cd LiME-master/src
make
cp lime-*.ko /media/USB/
insmod lime-3.13.0-79-generic.ko "path=/media/USB/mem_dump.lime format=raw"
# Copy a running process's executable out of /proc (works even if the file on disk has been deleted)
cp /proc/<pid>/exe /output
# Create a process core dump
gcore <pid>
strings -a core.* | more
dd if=/dev/sda of=/root/sda.dd
dd if=/dev/sda | ssh root@RemoteIP "dd of=/root/sda.dd"
# Send and receive an image with netcat
bzip2 -c /dev/sda | nc 8.8.8.8 53
nc -l -p 53 | bzip2 -d | dd of=/root/sda.dd
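A verified acquisition in the style of dc3dd's hash= and log= options, added here as a Python example (not the page's or dc3dd's code): hash the source while copying it block by block, fsync the image, re-hash the output in an independent pass and append a log line. demo() uses a constructed 2 MiB file as the "device"; on a real system src would be /dev/sda or a block device opened read-only:

```python
import hashlib
import os
import tempfile

# Added example, not from the original page: streaming copy with source hash,
# fsync, and an independent re-hash of the image (dc3dd hash=... log=... style).


def acquire(src, dst, log, algo="sha256", block_size=1 << 20):
    """Copy src to dst in blocks, hashing on the way, then verify dst and log the result."""
    src_hash = hashlib.new(algo)
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(block_size), b""):
            src_hash.update(block)          # hash exactly what was read, before writing
            fout.write(block)
            copied += len(block)
        fout.flush()
        os.fsync(fout.fileno())             # the image must really be on disk before we trust it
    dst_hash = hashlib.new(algo)
    with open(dst, "rb") as fin:            # second, independent pass over the output
        for block in iter(lambda: fin.read(block_size), b""):
            dst_hash.update(block)
    result = {"bytes": copied, "algo": algo,
              "source": src_hash.hexdigest(), "image": dst_hash.hexdigest()}
    result["verified"] = result["source"] == result["image"]
    with open(log, "a") as f:               # chain-of-custody record, one line per acquisition
        f.write("%s -> %s bytes=%d %s=%s verified=%s\n"
                % (src, dst, copied, algo, result["source"], result["verified"]))
    return result


def demo():
    """Constructed 'device': 2 MiB of patterned bytes plus an odd tail so the last block is short."""
    data = bytes(range(256)) * 8192 + b"trailing-sector"
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sda")
        dst = os.path.join(tmp, "sda.dd")
        log = os.path.join(tmp, "acquisition.log")
        with open(src, "wb") as f:
            f.write(data)
        r = acquire(src, dst, log)
        r["expected"] = hashlib.sha256(data).hexdigest()   # what the evidence label should say
        with open(log) as f:
            r["log_lines"] = len(f.readlines())
        return r


if __name__ == "__main__":
    print(demo())
```

The second pass is the point: hashing only the bytes you read proves what the source looked like, not that the image file holds them, and a write error or a full target disk is exactly the failure you want to catch before the original drive is wiped or returned.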
# Pipe command output to the clipboard, then redirect the clipboard to a file
C:\> some_command.exe | clip
PS C:\> Get-Clipboard > clip.txt
# Check whether a registry path exists
PS C:\> Test-Path "HKCU:\Software\Microsoft\123"
# Robust file copy
robocopy c:\src \\<target-computer>\dst /E
# Check whether a directory contains .ps1 or .vbs files
PS C:\> Test-Path C:\Scripts\Archive\* -Include *.ps1, *.vbs
# Concatenate files
C:\> type 1.txt 2.txt > output.txt
# Multiple desktops (Sysinternals Desktops)
C:\> "%ProgramFiles%\Internet Explorer\iexplore.exe" https://live.sysinternals.com/desktops.exe
# Run a command on a remote computer
C:\> psexec.exe \\<remote-computer> -u admin -p 123 -c c:\123.exe
PS C:\> Invoke-Command -ComputerName <remote-computer> { ls }
# Compare two files
PS C:\> Compare-Object (Get-Content 1.log) -DifferenceObject (Get-Content 2.log)
# Base conversion and decoding
C:\> set /a 0xff
PS C:\> 0xff
C:\> certutil -decode <base64-file> output.file
# Brute-force single-byte XOR decoding, searching for the keyword "http"
C:\> xorsearch.exe -i -s input.file http
1.) SNORT
# Capture on a remote server over ssh, streaming the pcap to stdout and excluding the ssh session itself
ssh root@8.8.8.8 tcpdump -i any -U -s 0 -w - 'not port 22'
# Snort rule detecting Meterpreter reverse_http
# Snort rules by Didier Stevens (http://DidierStevens.com)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit Meterpreter"; flow:to_server,established; content:"RECV"; http_client_body; depth:4; fast_pattern; isdataat:!0,relative; urilen:23<>24,norm; content:"POST"; pcre:"/^\/[a-z0-9]{4,5}_[a-z0-9]{16}\/$/Ui"; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module/; sid:1618008; rev:1;)
https://didierstevens.com/files/software/snort-rules-V0_0_1.zip
# Snort rules detecting PsExec (the service name PSEXESVC in UTF-16LE over SMBv1 and SMBv2)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|p|00|s|00|e|00|x|00|e|00|c|00|s|00|v|00|c"; nocase; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:24008; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool SMBv2"; flow:to_server,established; content:"|FE|SMB"; depth:8; nocase; content:"|05 00|"; within:2; distance:8; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:30281; rev:1;)
2.) Bro NSM
# Detect lateral movement
wget https://raw.githubusercontent.com/richiercyrus/Bro-Scripts/master/detect-mal-smb-files.bro
bro -r faf-exercise.pcap detect-mal-smb-files.bro
less notice.log
# Detect ransomware
wget https://raw.githubusercontent.com/fox-it/bro-scripts/master/smb-ransomware/smb-ransomware.bro
bro -r faf-exercise.pcap smb-ransomware.bro
3.) Detecting DoS/DDoS
# Attack types: SYN flood, ICMP flood, UDP flood
tshark -r 001.pcap -q -z io,phs
tshark -c 1000 -q -z io,phs
tcpdump -tnr 001.pcap | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail # source addresses by packet count
tcpdump -qnn "tcp[tcpflags] & (tcp-syn) != 0" # SYN packets only
netstat -s
tcpdump -nn not arp and not icmp and not udp
netstat -n | awk '{print $6}' | sort | uniq -c | sort -nr | head # connection states; a pile of SYN_RECV is the SYN-flood signature
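The top-talker and SYN-flood checks above expressed as code, added here as a Python example (not code from the original page): a parser for tcpdump -n output (with or without a -tt epoch timestamp) plus the two counts, run over constructed sample lines. It also serves the awk/sort/uniq top-talker pipelines in the tcpdump and tshark sections. IPv4 only, because the parser relies on tcpdump's addr.port notation:

```python
import re
from collections import Counter

# Added example, not from the original page: parse "tcpdump -n" text and
# compute top talkers and SYN-flood suspects from it.

LINE_RE = re.compile(
    r"^(?:\d+\.\d+\s+)?IP\s+(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):"
    r"(?:\s+Flags\s+\[(?P<flags>[^\]]*)\])?"
)


def parse(line):
    """Return {src, sport, dst, dport, flags} for an IPv4 tcpdump line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _, sport = m.group("src").rpartition(".")   # tcpdump prints addr.port
    dst, _, dport = m.group("dst").rpartition(".")
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": m.group("flags")}                  # None for non-TCP lines


def top_talkers(lines, n=5):
    """Most frequent source addresses, like the awk | sort | uniq -c pipelines."""
    counts = Counter(p["src"] for p in map(parse, lines) if p)
    return counts.most_common(n)


def syn_flood_sources(lines, min_syn=50, max_ack_ratio=0.1):
    """Sources sending many bare SYNs that (almost) never go on to ACK anything."""
    syn, ack = Counter(), Counter()
    for p in map(parse, lines):
        if not p or p["flags"] is None:
            continue                          # UDP, ICMP or an unparsed line
        if p["flags"] == "S":
            syn[p["src"]] += 1                # SYN without ACK: a new connection attempt
        elif "." in p["flags"]:
            ack[p["src"]] += 1                # tcpdump prints the ACK flag as "."
    suspects = []
    for src, count in syn.most_common():
        if count >= min_syn and ack[src] / count <= max_ack_ratio:
            suspects.append({"src": src, "syn": count, "ack": ack[src]})
    return suspects


def make_sample_lines():
    """Constructed capture text: a 60-packet SYN flood, one honest client, one DNS query, one ARP."""
    lines = ["IP 203.0.113.9.%d > 192.168.1.10.80: Flags [S], seq %d, win 1024, length 0"
             % (40000 + i, i) for i in range(60)]
    lines += [
        "IP 10.0.0.5.51000 > 192.168.1.10.80: Flags [S], seq 100, win 64240, length 0",
        "IP 192.168.1.10.80 > 10.0.0.5.51000: Flags [S.], seq 200, ack 101, win 65160, length 0",
        "IP 10.0.0.5.51000 > 192.168.1.10.80: Flags [.], ack 201, win 502, length 0",
        "IP 10.0.0.5.51000 > 192.168.1.10.80: Flags [P.], seq 101:180, ack 201, win 502, length 79: HTTP: GET / HTTP/1.1",
        "IP 10.0.0.5.33333 > 192.168.1.1.53: 4242+ A? example.com. (29)",
        "ARP, Request who-has 192.168.1.10 tell 192.168.1.1, length 28",
    ]
    return lines


if __name__ == "__main__":
    sample = make_sample_lines()
    print("top talkers:", top_talkers(sample, 3))
    print("SYN flood suspects:", syn_flood_sources(sample))
```

Against a real dump, feed it `tcpdump -tnr 001.pcap` output line by line; the ACK ratio is what separates a flood from a busy legitimate client, which also sends many SYNs but completes its handshakes.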
# Application layer
tshark -c 10000 -T fields -e http.host | sort | uniq -c | sort -r | head -n 10 # most requested Host headers
tshark -r capture6 -T fields -e http.request.full_uri | sort | uniq -c | sort -r | head -n 10 # most requested URIs
tcpdump -n 'tcp[32:4] = 0x47455420' | cut -f 7- -d":" # "GET " at TCP offset 32, i.e. the payload start when the TCP header carries 12 bytes of options (timestamps); adjust for other header lengths
# HTTP packets carrying JPEG, GIF, ZIP, PDF or PNG content, matched on the file magic bytes
tshark -Y 'http contains ff:d8 || http contains "GIF89a" || http contains 50:4b:03:04 || http contains "%PDF" || http contains 89:50:4e:47'
# Extract the User-Agent and Referer headers
tcpdump -c 1000 -Ann | grep -Ei 'user-agent' | sort | uniq -c | sort -nr | head -1
tcpdump -i en0 -A -s 500 | grep -i refer
# Layer-2 attacks
tcpdump 'arp or icmp'
tcpdump -tnr 001.pcap arp | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail # ARP senders by packet count
tshark -r 001.pcap -q -z io,phs | grep arp.duplicate-address-detected # duplicate-address warnings point at ARP spoofing
1.) KALI, penetration-testing distribution
https://www.kali.org
2.) SIFT, the SANS forensics toolkit
http://sift.readthedocs.org/
3.) REMNUX, reverse-engineering and malware-analysis distribution
https://remnux.org
4.) OPENVAS
http://www.openvas.org
5.) Security Onion, intrusion detection, network security monitoring and log analysis distribution
https://securityonion.net
6.) OSSEC, open-source host intrusion detection system
http://ossec.github.io
References:
https://www.4hou.com/technology/10173.html
https://github.com/fu4ck/btfm