0x01 Introduction
The idea of red-versus-blue exercises can be traced back to the earliest surviving Chinese military treatise, Sun Tzu's The Art of War. The chapter on attack by stratagem says: "Know the enemy and know yourself, and in a hundred battles you will never be in peril," meaning that if you understand both your own situation and your opponent's thoroughly, you will not lose however many battles you fight. The information security field shares a similar consensus: "without knowing attack, how can you know defence." Attack and defence is a continuous contest, and in any concrete engagement the side that understands its opponent better holds the initiative. The main goal of red/blue exercises is to raise the organization's security maturity and its ability to detect and respond to attacks. Red Teams attack, and Blue Teams defend, but the primary goal is shared between them: improve the security posture of the organization.
0x02 Preparation
1) Organization chart
2) Network-wide topology diagram
3) Logical architecture diagram of each system
4) Call relationships between systems
5) Data-flow relationships
6) Inventory of core assets
7) Incident response plan
8) Business continuity plan
9) Disaster recovery plan
0x03 Basic Security Assessment
1. Port scanning and vulnerability detection
1.1 Host discovery (ping sweep)
# nmap -sn -PE <IP address or range>
1.2 Port scan
# nmap --open <IP address or range>
1.3 Service version detection
# nmap -sV <IP address or range>
1.4 Scan several ports
# nmap -p 80,443 <IP address or range>
1.5 UDP scan
# nmap -sU -p 53 <IP address or range>
1.6 TCP/UDP scan (-Pn skips host discovery)
# nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <IP address or range>
1.7 Nessus scan
# nessus -q -x -T html <server IP> <server port> <admin account> <password> <targets.txt> <report.html>
1.8 OpenVAS scan
# apt -y install pcregrep
# wget https://goo.gl/TYbLwE
# chmod +x openvas-automate.sh && ./openvas-automate.sh <target IP>
2. Windows
2.1 Network discovery
Basic network discovery:
# C:\> net view /all
# C:\> net view \\<hostname>
Ping sweep:
# C:\> for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "回复" >> output.txt
# "回复" is the reply marker printed by ping on a Chinese-locale system; on an English system match "Reply" instead
2.2 DHCP
Enable DHCP server logging:
# C:\> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1
Default log directory:
C:\> %windir%\System32\Dhcp
2.3 DNS
Enable DNS server logging:
# C:\> DNSCmd <DNS server name> /config /logLevel 0x8100F331
# Set the log file path:
C:\> DNSCmd <DNS server name> /config /LogFilePath C:\dns.log
# Set the maximum log file size:
C:\> DNSCmd <DNS server name> /config /logfilemaxsize 0xffffffff
2.4 Hashes
File Checksum Integrity Verifier (FCIV):
Ref: http://support2.microsoft.com/kb/841290
# Single file:
C:\> fciv.exe <filename>
# Hash every file on the C: drive and save the results to a file:
C:\> fciv.exe c:\ -r -sha1 -xml results.xml
# List all stored hashes:
C:\> fciv.exe -list -sha1 -xml results.xml
# certutil & PowerShell
# certutil -hashfile <filename> SHA1
# PS C:\> Get-FileHash <filename> | Format-List
# PS C:\> Get-FileHash -Algorithm MD5 <filename>
2.5 NetBIOS
nbtstat scan
# C:\> nbtstat -A <target IP>
NetBIOS cache
# C:\> nbtstat -c
Sweep a range
# C:\> for /L %I in (1,1,254) do nbtstat -An 192.168.1.%I
2.6 Microsoft Baseline Security Analyzer (MBSA)
Scan a single IP
# C:\> mbsacli.exe /target <IP address> /n os+iis+sql+password
Scan an IP range
# C:\> mbsacli.exe /r <IP range> /n os+iis+sql+password
3. Linux
3.1 Network discovery
List open SMB shares
# smbclient -L <target hostname>
Ping sweep
# for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip > /dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
3.2 DHCP
DHCP logs
RHEL/CentOS
# cat /var/lib/dhcpd/dhcpd.leases
Debian/Ubuntu
# grep -Ei 'dhcp' /var/log/syslog.1
3.3 DNS
DNS logs
# rndc querylog && tail -f /var/log/messages | grep named
3.4 Hashes
Hash every executable under a directory
# find /sbin -type f -exec md5sum {} \; >> md5sums.txt
# md5deep -rs /sbin > md5sums.txt
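Added example, not part of the original post: the baseline-and-compare check that the fciv.exe -xml (section 2.4) and md5deep -rs (section 3.4) commands set up, carried through in Python so the result is an explicit list of added, removed and modified binaries rather than two listings to compare by eye. The sample "sbin" directory and its files are constructed in a temporary directory.

```python
"""Hash baseline for a directory tree and a diff against a later snapshot.
Added example; not code from the original post or from fciv/md5deep."""
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Hex digest of one file, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            baseline[os.path.relpath(full, root)] = hash_file(full, algorithm)
    return baseline


def write_sums(baseline, out_path):
    """Write 'digest  path' lines in the md5sum/sha256sum format, so the
    coreutils tools (e.g. sha256sum -c) can verify the same file later."""
    with open(out_path, "w") as fh:
        for rel in sorted(baseline):
            fh.write(f"{baseline[rel]}  {rel}\n")


def read_sums(path):
    """Parse a sums file back into {path: digest}; blank lines are ignored."""
    result = {}
    with open(path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line.strip():
                continue
            digest, _sep, rel = line.partition("  ")
            result[rel] = digest
    return result


def diff_baseline(old, new):
    """Compare two {path: digest} maps. Any non-empty list deserves a look:
    a modified system binary with no package update behind it is a red flag."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a fake sbin, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.makedirs(sbin)
        for name, body in (("ifconfig", b"orig1"), ("sshd", b"orig2"), ("ip", b"orig3")):
            with open(os.path.join(sbin, name), "wb") as fh:
                fh.write(body)
        sums = os.path.join(root, "sha256sums.txt")
        write_sums(build_baseline(sbin), sums)
        # Simulated tampering after the baseline was taken:
        with open(os.path.join(sbin, "ifconfig"), "wb") as fh:
            fh.write(b"trojaned")          # replaced binary
        with open(os.path.join(sbin, "evil"), "wb") as fh:
            fh.write(b"new")               # dropped file
        os.remove(os.path.join(sbin, "ip"))  # deleted binary
        return diff_baseline(read_sums(sums), build_baseline(sbin))


if __name__ == "__main__":
    print(demo())
```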
3.5 NetBIOS
nbtscan
# nbtscan <target IP or range>
Example: nbtscan 192.168.1.2-100
4. Hardening
4.1 Windows
4.1.1 Disable/stop services
# C:\> sc query
# C:\> sc config "<service name>" start= disabled
# C:\> sc stop "<service name>"
# C:\> wmic service where name="<service name>" call ChangeStartmode Disabled
4.1.2 Firewall management
# List all rules:
# C:\> netsh advfirewall firewall show rule name=all
# Enable or disable the firewall:
C:\> netsh advfirewall set currentprofile state on
C:\> netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
C:\> netsh advfirewall set publicprofile state on
C:\> netsh advfirewall set privateprofile state on
C:\> netsh advfirewall set domainprofile state on
C:\> netsh advfirewall set allprofiles state on
C:\> netsh advfirewall set allprofiles state off
# Rule examples:
netsh advfirewall firewall add rule name="开放TCP:80端口" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="开放TCP:443端口" dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="屏蔽TCP:445端口" dir=in action=block protocol=TCP localport=445
netsh advfirewall firewall add rule name="允许MyApp" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
4.1.3 Flush the DNS and NetBIOS caches
# C:\> ipconfig /flushdns
# C:\> nbtstat -R
4.1.4 Application control
# AppLocker configuration
# Import the AppLocker module
PS C:\> Import-Module AppLocker
# Show AppLocker file information for every exe under System32
PS C:\> Get-AppLockerFileInformation -Directory C:\Windows\System32 -Recurse -FileType Exe
# Add an allow rule covering every exe under System32
PS C:\> Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix System32
4.1.5 IPsec
# Create a local IPsec policy using a pre-shared key and apply it to all connections and protocols
C:\> netsh ipsec static add filter filterlist=MyIPsecFilter srcaddr=Any dstaddr=Any protocol=ANY
C:\> netsh ipsec static add filteraction name=MyIPsecAction action=negotiate
C:\> netsh ipsec static add policy name=MyIPsecPolicy assign=yes
C:\> netsh ipsec static add rule name=MyIPsecRule policy=MyIPsecPolicy filterlist=MyIPsecFilter filteraction=MyIPsecAction conntype=all activate=yes psk=<password>
# Add an IPsec policy that permits outbound TCP 80 and 443
C:\> netsh ipsec static add filteraction name=Allow action=permit
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=80
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=443
C:\> netsh ipsec static add rule name=WebAllow policy=MyIPsecPolicy filterlist=WebFilter filteraction=Allow conntype=all activate=yes psk=<password>
# Show and unassign a local IPsec policy
C:\> netsh ipsec static show policy name=MyIPsecPolicy
C:\> netsh ipsec static set policy name=MyIPsecPolicy assign=no
# Add the matching connection-security rule in the firewall, any source to any destination
C:\> netsh advfirewall consec add rule name="IPSEC" endpoint1=any endpoint2=any action=requireinrequireout qmsecmethods=default
# Add the matching firewall rule: every outbound connection must be authenticated (pre-shared key)
C:\> netsh advfirewall firewall add rule name="IPSEC_Out" dir=out action=allow enable=yes profile=any localip=any remoteip=any protocol=any interfacetype=any security=authenticate
4.1.6 Other security policies
# Disable Remote Desktop connections
C:\> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 1
# Send NTLMv2 responses only (listed here against "EternalBlue" attacks)
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel /t REG_DWORD /d 5 /f
# Disable IPv6
C:\> reg add HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f
# Disable Sticky Keys
C:\> reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
# Disable administrative shares (servers / workstations)
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareServer /t REG_DWORD /d 0
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareWks /t REG_DWORD /d 0
# Disable the Registry Editor and the command prompt
C:\> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\> reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
# Enable UAC
C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
# Enable firewall logging
C:\> netsh firewall set logging droppedpackets = enable
C:\> netsh firewall set logging connections = enable
4.2 Linux
4.2.1 Service management
# Check service status
service --status-all
ps -ef OR ps aux
initctl list
systemctl list-unit-files
# Start, stop and disable services
# For Upstart services:
/etc/init.d/apache2 start | stop | status
service apache2 start | stop | status
update-rc.d apache2 disable
# For systemd services:
systemctl start | stop | status ntp.service
systemctl disable sshd.service
4.2.2 Firewall management
# Common iptables operations:
iptables-save > firewall_rules.bak # export the current rules
iptables -vnL --line-numbers # list all rules
iptables -S # same as above
iptables -P INPUT DROP # default policy: drop all inbound connections
iptables -A INPUT -s 10.10.10.10 -j DROP # block a single IP
iptables -A INPUT -s 10.10.10.0/24 -j DROP # block a subnet
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP # block one IP from reaching the local SSH service
iptables -A INPUT -p tcp --dport ssh -j DROP # block all access to the local SSH service
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # enable logging
iptables -F # flush all loaded rules
4.2.3 DNS cache
# Unix/Linux has no system-level DNS cache
4.2.4 IPsec configuration
# Set up an IPsec tunnel between two servers
1.) Add firewall rules allowing the IPsec protocols
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
2.) Install racoon
apt -y install racoon
3.) Edit the configuration file /etc/ipsec-tools.conf
flush;
spdflush;
spdadd <host A IP> <host B IP> any -P out ipsec
    esp/transport//require;
spdadd <host B IP> <host A IP> any -P in ipsec
    esp/transport//require;
4.) Edit the configuration file /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm aes_256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy off;
}
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm aes_256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
5.) Add the pre-shared key
Host A: echo <host B IP> 123 >> /etc/racoon/psk.txt
Host B: echo <host A IP> 123 >> /etc/racoon/psk.txt
6.) Restart the service, then check negotiation and the configured policy
service setkey restart
setkey -D
setkey -DP
5. Detection (visibility)
5.1 Network security monitoring
5.1.1 Packet capture and analysis
1.) tcpdump
tcpdump -tttt -n -vv # print timestamps, no name resolution, verbose output
tcpdump -nn -c 1000 | awk '{print $3}' | cut -d. -f1-4 | sort -n | uniq -c | sort -nr # capture 1000 packets and list the top talkers
tcpdump -w target.pcap -i any dst targetIP and port 80 # on all interfaces, capture packets to targetIP port 80 and write them to target.pcap
tcpdump host 10.0.0.1 && host 10.0.0.2 # traffic between two hosts
tcpdump not net 10.10 && not host 192.168.1.2 # traffic that involves neither the 10.10 network nor host 192.168.1.2
tcpdump host 10.10.10.10 && (10.10.10.20 or 10.10.10.30) # traffic between host A and host B or C
tcpdump -n -s0 -C 100 -w 001.pcap # rotate: start a new file once the current one exceeds 100 MB
tcpdump -w - | ssh ServerIP -p 50005 "cat - > /tmp/remotecapture.pcap" # stream the capture to /tmp/remotecapture.pcap on a remote server
tcpdump -n -A -s0 port http or port ftp or port smtp or port imap or port pop3 | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|Passwd=|password=|pass:|user:|username:|password:|login:|pass|user' --color=auto --line-buffered -B20 # spot credentials sent in cleartext
tcpdump -s 1500 -A '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)' # look for self-signed certificates
2.) tshark
tshark -nr 001.pcap -Y "ssl.handshake.ciphersuites" -Vx | grep "ServerName:" | sort | uniq -c | sort -r # extract the TLS Server Name field
tshark -D # list all interfaces
tshark -i eth0 -i eth1 # capture on several interfaces
tshark -nn -w 001.pcap # disable name resolution and write to a file
tshark arp or icmp # capture ARP or ICMP
tshark "host <host A> && host <host B>" # traffic between two hosts
tshark -r 001.pcap # analyse a saved capture
tshark -n -e ip.src -e ip.dst -T fields -E separator=, -2 -R ip -r 001.pcap # extract source and destination IP addresses
tshark -n -e ip.src -e dns.qry.name -E separator=';' -T fields port 53 # extract the source IP and queried name of DNS queries
tshark -2 -R http.request -T fields -E separator=';' -e http.host -e http.request.uri -r 001.pcap # extract the Host header and request URI from HTTP requests
tshark -n -c 150 | awk '{print $4}' | sort -n | uniq -c | sort -nr # top talkers
tshark -q -z io,phs -r 001.pcap # protocol hierarchy statistics
tshark -n -c 100 -e ip.src -Y "dns.flags.response eq 1" -T fields port 53 # extract the addresses of responding DNS servers
tshark -n -e http.request.uri -Y http.request -T fields | grep exe # requests that fetch exe files over HTTP
3.) Snort
snort -T -c /etc/snort/snort.conf # test the configuration file
snort -dv -r 001.log # analyse a capture
snort -dvr 001.log icmp # ICMP packets only
snort -K ascii -l 001 # capture and log in ASCII format
snort -q -A console -i eth0 -c /etc/snort/snort.conf # print alerts to the console
echo 'log tcp 192.168.1.0/24 any -> 192.168.1.95 22 ( msg: "ssh access" ; sid:1618008; )' > 001.rule && snort -T -c 001.rule # test a rule
mkdir logs && snort -vd -c 001.rule -r 001.pcap -A console -l logs # run the rule
4.) Bro NSM
apt -y install bro bro-aux
pip install bro-pkg
bro-pkg install bro/hosom/file-extraction
wget https://www.malware-traffic-analysis.net/2018/01/12/2018-01-12-NanoCore-RAT-traffic.pcap.zip
wget https://www.bro.org/static/exchange-2013/faf-exercise.pcap
bro -r 2018-01-12-NanoCore-RAT-traffic.pcap # read the pcap and generate the log files
bro -r faf-exercise.pcap /root/.bro-pkg/scratch/file-extraction/scripts/plugins/extract-pe.bro && ls -lhct ./extract_files/ # extract exe files
bro -r faf-exercise.pcap /usr/share/bro/policy/frameworks/files/extract-all-files.bro # extract files of every type
bro -C -r faf-exercise.pcap && cat ssl.log | bro-cut server_name , subject , issuer # extract server_name, subject and issuer from certificates
cat conn.log | bro-cut id.orig_h , id.orig_p , id.resp_h , id.resp_p , proto , conn_state # source IP and port, destination IP and port, protocol, connection state
cat dns.log | bro-cut query | sort -u # DNS query names
cat http.log | bro-cut id.orig_h , id.orig_p , id.resp_h , id.resp_p , host , uri , referrer # source IP and port, destination IP and port, host, uri, referrer
cat http.log | bro-cut user_agent | sort -u # user_agent field
5.) editcap
editcap -F pcap -c 1000 original.pcap out_split.pcap # split every 1000 packets
editcap -F pcap -i 3600 original.pcap out_split.pcap # split into one-hour files
6.) mergecap
mergecap -w merged_cap.pcap cap1.pcap cap2.pcap cap3.pcap # merge several files
7.) PacketTotal
https://www.packettotal.com/app/analysis?id=c8c11b792272ac19a49299a3687466be&name=files
8.) NetworkMiner
http://netres.ec/?b=173588E
5.2 Honeypots
5.2.1 Windows
1.) Port honeypot
# Principle: listen on a few ports; when a client completes a TCP connection, log it and add a firewall rule blocking that IP
PS C:\> certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Pwdrkeg/honeyport/master/honeyport.ps1
PS C:\> .\honeyport.ps1 -Ports 4444,22,21,23 -WhiteList 192.168.10.1,192.168.10.2 -Block $true -Verbose
PS C:\> Get-EventLog HoneyPort # view the log entries
PS C:\> Stop-Job -Name HoneyPort # stop the job
PS C:\> Remove-Job -Name HoneyPort # remove the job
5.2.2 Linux
1.) Port honeypot
# Same principle as above
wget https://raw.githubusercontent.com/gchetrick/honeyports/master/honeyports-0.5.py
python honeyports-0.5.py -p 1234 -h 192.168.1.100 -D
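Added example, not the honeyport.ps1 or honeyports-0.5.py scripts referenced above: a minimal port honeypot in Python implementing the principle stated for both the Windows and Linux variants. Where the page's scripts add a firewall rule, this version calls a caller-supplied block_callback, so the logic can be exercised on any host; the demo whitelists 127.0.0.1 on one listener and not on the other.

```python
"""Port honeypot: log every completed TCP connection on a port nothing
legitimate should use, and hand non-whitelisted sources to a block hook.
Added example; not the scripts from the original post."""
import ipaddress
import logging
import socket
import threading
import time

log = logging.getLogger("honeyport")


def in_whitelist(src_ip, whitelist):
    """True if src_ip lies inside any whitelisted address or network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(w, strict=False) for w in whitelist)


class HoneyPort:
    def __init__(self, whitelist=(), block_callback=None):
        self.whitelist = tuple(whitelist)
        self.block_callback = block_callback   # e.g. a function adding a firewall rule
        self.events = []                       # (time, src_ip, src_port, local_port, action)
        self._lock = threading.Lock()
        self._running = False

    def handle(self, src_ip, src_port, local_port):
        """Classify one completed connection, record it, return the action."""
        if in_whitelist(src_ip, self.whitelist):
            action = "whitelisted"
        else:
            action = "blocked"
            if self.block_callback:
                self.block_callback(src_ip)
        with self._lock:
            self.events.append((time.time(), src_ip, src_port, local_port, action))
        log.warning("honeyport %d hit from %s:%d -> %s", local_port, src_ip, src_port, action)
        return action

    def start(self, port, bind="0.0.0.0"):
        """Bind one listener and accept in a background thread. Returns the
        bound port, which matters when port=0 asks the kernel for a free one."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(5)
        srv.settimeout(0.5)   # lets the accept loop notice stop()
        self._running = True
        threading.Thread(target=self._accept_loop, args=(srv,), daemon=True).start()
        return srv.getsockname()[1]

    def _accept_loop(self, srv):
        local_port = srv.getsockname()[1]
        while self._running:
            try:
                conn, (src_ip, src_port) = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()   # the handshake completed; nothing else is wanted from the client
            self.handle(src_ip, src_port, local_port)
        srv.close()

    def stop(self):
        self._running = False


def demo():
    """Constructed run on loopback: two listeners, 127.0.0.1 whitelisted on
    the first only. Returns the two actions and the list of blocked IPs."""
    blocked = []
    hp_trusted = HoneyPort(whitelist=["127.0.0.1"], block_callback=blocked.append)
    hp_strict = HoneyPort(whitelist=["10.0.0.0/8"], block_callback=blocked.append)
    port1 = hp_trusted.start(0, bind="127.0.0.1")
    port2 = hp_strict.start(0, bind="127.0.0.1")
    socket.create_connection(("127.0.0.1", port1)).close()
    socket.create_connection(("127.0.0.1", port2)).close()
    deadline = time.time() + 5
    while len(hp_trusted.events) + len(hp_strict.events) < 2 and time.time() < deadline:
        time.sleep(0.05)
    hp_trusted.stop()
    hp_strict.stop()
    return hp_trusted.events[0][4], hp_strict.events[0][4], blocked


if __name__ == "__main__":
    print(demo())
```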
2.) Passive DNS monitoring
apt -y install dnstop
dnstop -l 3 eth0
dnstop -l 3 001.pcap > out.txt
5.3 Log auditing
5.3.1 Windows
# Increase the event log sizes before auditing
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Application /v MaxSize /t REG_DWORD /d 0x19000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Security /v MaxSize /t REG_DWORD /d 0x64000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000
# Show the configuration of the Security event log
C:\> wevtutil gl Security
# Check the audit policy
auditpol /get /category:*
# Enable success and failure auditing for every category
C:\> auditpol /set /category:* /success:enable /failure:enable
# Summary of the configured event logs
PS C:\> Get-EventLog -List
# The 5 most recent Application log entries
PS C:\> Get-EventLog -Newest 5 -LogName Application | Format-List
# All entries with Event ID 4672
PS C:\> Get-EventLog Security | ? { $_.EventID -eq 4672 }
# Logon and logoff events
PS C:\> Get-EventLog Security 4625,4634,4647,4624,4625,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964 -After ((Get-Date).AddDays(-1))
# DPAPI activity, process termination, RPC events
PS C:\> Get-EventLog Security 4692,4693,4694,4695,4689,5712 -After ((Get-Date).AddDays(-1))
# File share, file system, SAM, registry and certificate events
PS C:\> Get-EventLog Security 4671,4691,4698,4699,4700,4701,4702,5148,5149,5888,5889,5890,4657,5039,4659,4660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,5140,5142,5143,5144,5168,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5140,5150,5151,5154,5155,5156,5157,5158,5159 -After ((Get-Date).AddDays(-1))
# Details of every Event ID 4672 entry
Get-EventLog Security | ? { $_.EventID -eq 4672 } | Format-List
5.3.2 Linux
# Authentication logs
tail /var/log/auth.log
grep -i "fail" /var/log/auth.log
tail /var/log/secure
grep -i "fail" /var/log/secure
# samba, cron and sudo logs
grep -i samba /var/log/syslog
grep -i samba /var/log/messages
grep -i cron /var/log/syslog
grep -i sudo /var/log/auth.log
grep -i sudo /var/log/secure
# Apache 404 errors
grep 404 apache.log | grep -v -E "favicon.ico|robots.txt"
# Watch for new files, refreshing every 5 minutes
watch -n 300 -d ls -lR /web_root
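Added example, not from the original post: the grep -i "fail" and sudo checks above turned into detection logic that runs over auth.log lines and reports what an analyst would otherwise pick out by hand: sources guessing passwords, a successful logon that follows a burst of failures from the same IP, and denied sudo attempts. The sample log is constructed; the regexes assume the standard OpenSSH and sudo syslog message formats.

```python
"""auth.log triage: brute-force sources, success-after-failures, sudo denials.
Added example; the sample lines are constructed, not a real host's log."""
import re
from collections import Counter, defaultdict

SAMPLE_AUTH_LOG = """\
Jan 22 10:01:02 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
Jan 22 10:01:04 web1 sshd[2303]: Failed password for root from 203.0.113.9 port 51530 ssh2
Jan 22 10:01:05 web1 sshd[2305]: Failed password for root from 203.0.113.9 port 51531 ssh2
Jan 22 10:01:07 web1 sshd[2307]: Failed password for invalid user test from 203.0.113.9 port 51540 ssh2
Jan 22 10:01:09 web1 sshd[2309]: Failed password for root from 203.0.113.9 port 51544 ssh2
Jan 22 10:01:30 web1 sshd[2311]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2: RSA SHA256:abcd
Jan 22 10:02:00 web1 sshd[2313]: Failed password for deploy from 198.51.100.7 port 40120 ssh2
Jan 22 10:02:41 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jan 22 10:03:15 web1 sudo:   deploy : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 22 10:03:50 web1 sshd[2320]: Accepted password for root from 203.0.113.9 port 51600 ssh2
"""

# OpenSSH "Failed password for [invalid user] <user> from <ip> port <n>"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# OpenSSH "Accepted <method> for <user> from <ip> port <n>"
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
# sudo "<user> : [user NOT in sudoers ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(\S+) : (user NOT in sudoers ; )?TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")


def analyze(log_text, threshold=4):
    """Walk the log in order and return a findings dict. A source crosses the
    brute-force threshold at `threshold` failed passwords; an Accepted line
    from a source already over the threshold is reported as success_after_burst."""
    failures = Counter()
    failed_users = defaultdict(set)
    success_after_burst = []
    sudo_denied = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            failed_users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if failures[ip] >= threshold:
                success_after_burst.append((ip, user, method, failures[ip]))
            continue
        m = SUDO_RE.search(line)
        if m and m.group(2):          # group 2 only matches the "NOT in sudoers" form
            sudo_denied.append((m.group(1), m.group(4)))
    return {
        "failures": dict(failures),
        "brute_force_sources": sorted(ip for ip, n in failures.items() if n >= threshold),
        "usernames_tried": {ip: sorted(users) for ip, users in failed_users.items()},
        "success_after_burst": success_after_burst,
        "sudo_denied": sudo_denied,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```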
5.4 Response (forensics)
5.4.1 Windows
1.) System information
C:\> echo %DATE% %TIME%
C:\> hostname
C:\> systeminfo
C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
C:\> wmic csproduct get name
C:\> wmic bios get serialnumber
C:\> wmic computersystem list brief
C:\> psinfo -accepteula -s -h -d
2.) User information
C:\> whoami
C:\> net users
C:\> net localgroup administrators
C:\> net group administrators
C:\> wmic rdtoggle list
C:\> wmic useraccount list
C:\> wmic group list
C:\> wmic netlogin get name,lastlogon,badpasswordcount
C:\> wmic netclient list brief
C:\> doskey /history > history.txt
3.) Network information
C:\> netstat -e
C:\> netstat -naob
C:\> netstat -nr
C:\> netstat -vb
C:\> nbtstat -s
C:\> route print
C:\> arp -a
C:\> ipconfig /displaydns
C:\> netsh winhttp show proxy
C:\> ipconfig /allcompartments /all
C:\> netsh wlan show interfaces
C:\> netsh wlan show all
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings"
C:\> type %SYSTEMROOT%\system32\drivers\etc\hosts
C:\> wmic nicconfig get description,IPaddress,MACaddress
C:\> wmic netuse get name,username,connectiontype,localname
4.) Services and processes
C:\> at
C:\> tasklist
C:\> tasklist /svc
C:\> tasklist /SVC /fi "imagename eq svchost.exe"
C:\> schtasks
C:\> net start
C:\> sc query
C:\> wmic service list brief | findstr "Running"
C:\> wmic service list config
C:\> wmic process list brief
C:\> wmic process list status
C:\> wmic process list memory
C:\> wmic job list brief
PS C:\> Get-Service | Where-Object { $_.Status -eq "running" }
5.) Policy, patch and environment information
C:\> set
C:\> gpresult /r
C:\> gpresult /z > output.txt
C:\> gpresult /H report.html /F
C:\> wmic qfe
6.) Autostart information
C:\> wmic startup list full
C:\> wmic ntdomain list brief
6.1) Check the startup folders
C:\> dir "%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
C:\> dir "%userprofile%\Start Menu\Programs\Startup"
C:\> dir "%ProgramFiles%\Startup"
C:\> dir "C:\Windows\Start Menu\Programs\startup"
C:\> dir "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
C:\> type C:\Windows\winstart.bat
C:\> type %windir%\wininit.ini
C:\> type %windir%\win.ini
C:\> type C:\Autoexec.bat
6.2) Use autoruns
C:\> autorunsc -accepteula -m
6.3) Autostart registry locations
HKEY_CLASSES_ROOT:
C:\> reg query HKCR\Comfile\Shell\Open\Command
C:\> reg query HKCR\Batfile\Shell\Open\Command
C:\> reg query HKCR\htafile\Shell\Open\Command
C:\> reg query HKCR\Exefile\Shell\Open\Command
C:\> reg query HKCR\Exefiles\Shell\Open\Command
C:\> reg query HKCR\piffile\shell\open\command
HKEY_CURRENT_USER:
C:\> reg query "HKCU\Control Panel\Desktop"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Load"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Scripts"
C:\> reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f run
C:\> reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f load
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit" /v LastKey
C:\> reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
C:\> reg query "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
HKEY_LOCAL_MACHINE:
C:\> reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders"
C:\> reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\Userinit"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f Appinit_DLLs
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Shell
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Userinit
C:\> reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts"
C:\> reg query "HKLM\SOFTWARE\Classes\batfile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Classes\comfile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command"
C:\> reg query "HKLM\SOFTWARE\Classes\piffile\shell\open\command"
C:\> reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
C:\> reg query "HKLM\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs"
7.) Export the event logs
C:\> wevtutil epl Security C:\bak\Security-logs.evtx
C:\> wevtutil epl System C:\bak\System-logs.evtx
C:\> wevtutil epl Application C:\bak\Application-logs.evtx
8.) Files, directories and shares
C:\> net use \\<target IP>
C:\> net share
C:\> net session
C:\> wmic volume list brief
C:\> wmic logicaldisk get description,filesystem,name,size
C:\> wmic share get name,path
# Find files of several types, or one particular file
C:\> dir /A /S /T:A *.exe *.dll *.bat *.PS1 *.zip
C:\> dir /A /S /T:A evil.exe
# Find files created after 2017/1/1
C:\> forfiles /p C:\ /M *.exe /S /D +2017/1/1 /C "cmd /c echo @fdate @ftime @path"
C:\> for %G in (.exe, .dll, .bat, .ps) do forfiles -p "C:\" -m *%G -s -d +2017/1/1 -c "cmd /c echo @fdate @ftime @path"
# Find files larger than 20 MB (the threshold below, 2097152 bytes, is 2 MB; 20 MB is 20971520)
forfiles /S /M * /C "cmd /c if @fsize GEQ 2097152 echo @path @fsize"
# Look for files hidden in Alternate Data Streams
C:\> streams -s <file or directory>
# Check digital signatures and scan with VirusTotal
C:\> sigcheck -e -u -vr -s C:\
C:\> listdlls.exe -u
# Scan for malware
C:\> "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
C:\> "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan
5.4.2 Linux
1.) System information
uname -a
uptime
timedatectl
mount
2.) User information
w
lastlog
last
faillog -a
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers
# Find accounts with UID 0
awk -F: '($3 == "0") {print}' /etc/passwd
egrep ':0+' /etc/passwd
cat /root/.ssh/authorized_keys
lsof -u root
cat /root/.bash_history
3.) Network information
# Network interfaces
ifconfig OR ip a l
# Listening ports
netstat -tupnl
# Network connections
netstat -tupnla
netstat -tupnlax
# Routing table
route OR netstat -r OR ip r l
# ARP table
arp -ne
# Processes behind network sockets
lsof -i
4.) Services and processes
# List all processes
ps aux OR ps -ef
# Loaded kernel modules
lsmod
# Open files
lsof
lsof -c sshd
lsof -p <PID>
lsof -nPi | cut -f1 -d" " | uniq | tail -n +2
# Watch the logs
less +F /var/log/messages
tail -F /var/log/messages
journalctl -u ssh.service -f
# List all services
chkconfig --list
systemctl list-units
5.) Policy, patch and environment information
# Check the PAM configuration files
cat /etc/pam.d/common*
# Autostart information: scheduled tasks
crontab -l
crontab -u root -l
cat /etc/crontab
ls /etc/cron.*
6.) Command history
cat /root/.*history
7.) Files, directories and shares
df -ah
ls -lhcta /etc/init.d/
stat -x <filename>
file <filename>
# Files with special attributes (immutable)
lsattr -R / | grep "-i-"
# World-writable directories
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
# Files created after a given date
find / -newermt 2018-01-22
# Print every attribute of the files
find /labs -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
# File metadata
stat <filename>
8.) Quick baseline check
wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/1_x/unix-privesc-check && ./unix-privesc-check > output.txt
9.) Rootkit detection
chkrootkit
rkhunter --update && rkhunter --check
tiger && less /var/log/tiger/security.report.*
lynis audit system && more /var/log/lynis.log
10.) FastIR Collector Linux: collects artefacts including kernel version, kernel modules, network interfaces, OS version, hostname, logins, network connections, SSH known_hosts, log files, process data and autostart entries
wget https://raw.githubusercontent.com/SekoiaLab/Fastir_Collector_Linux/master/fastIR_collector_linux.py
python fastIR_collector_linux.py --debug --output_dir output
11.) Sysdig and Sysdig Falco behaviour monitoring
# Directories the root user changed into
sysdig -p"%evt.arg.path" "evt.type=chdir and user.name=root"
# Observe sshd activity
sysdig -A -c echo_fds fd.name=/dev/ptmx and proc.name=sshd
# Every command run by the login shell with id 5459
sysdig -r trace.scap.gz -c spy_users proc.loginshellid=5459
# Install and start Falco
curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
sudo apt update
apt -y install falco
modprobe sysdig-probe
service falco start
falco
5.4.3 Malware sample analysis
# Static analysis
# Mount the Sysinternals tools share
\\live.sysinternals.com\tools
# Check digital signatures
C:\> sigcheck.exe -u -e C:\malware
C:\> sigcheck.exe -vt malware.exe
# View the PE file in hex and ASCII
hexdump -C -n 500 malware.exe
od -x malware.exe
xxd malware.exe
strings -a malware.exe | more
# Memory image analysis
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 malfind -D /output
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 malfind -p <PID> -D /output
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 pslist
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 pstree
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 dlllist
python vol.py -f malware_memory_dump.raw --profile=Win7SP1x64 dlldump -D /output
# Hash lookups
curl -v --request POST --url 'https://www.virustotal.com/vtapi/v2/file/report' -d apikey=<VT API KEY> -d 'resource=<sample hash>'
curl -v -F 'file=@malware.exe' -F apikey=<VT API KEY> https://www.virustotal.com/vtapi/v2/file/scan
whois -h hash.cymru.com <sample hash>
# Acquiring disk and memory images
# Windows
C:\> psexec.exe \\<IP> -u
C:\> dc3dd.exe if=\\.\c: of=d:\diskimage.dd hash=md5 log=d:\output.log
# Linux
dd if=/dev/fmem of=/tmp/mem_dump.dd
# Using LiME
wget https://github.com/504ensicslabs/LiME/archive/master.zip
unzip master.zip
cd LiME-master/src
make
cp lime-*.ko /media/USB/
insmod lime-3.13.0-79-generic.ko "path=/media/USB/mem_dump.lime format=raw"
# Copy a PE file out of memory
cp /proc/<PID>/exe /output
# Create a process core dump
gcore <PID>
strings -a gcore.* | more
dd if=/dev/sda of=/root/sda.dd
dd if=/dev/sda | ssh root@RemoteIP "dd of=/root/sda.dd"
# Send and receive an image with netcat
bzip2 -c /dev/sda | nc 8.8.8.8 53
nc -p 53 -l | bzip2 -d | dd of=/root/sda.dd
6. Useful tricks and tools
6.1 Tricks
6.1.1 Windows
# Pipe a command's output to the clipboard, then redirect the clipboard contents to a file
C:\> some_command.exe | clip
PS C:\> Get-Clipboard > clip.txt
# Check whether a registry path exists
PS C:\> Test-Path "HKCU:\Software\Microsoft\123"
# Robust file copy
robocopy c:\src \\<target computer>\dst /E
# Check whether a directory contains .ps1 or .vbs files
PS C:\> Test-Path C:\Scripts\Archive\* -Include *.ps1,*.vbs
# Concatenate several files
C:\> type 1.txt 2.txt > output.txt
# Multiple desktops (Sysinternals Desktops)
C:\> "%ProgramFiles%\Internet Explorer\iexplore.exe" https://live.sysinternals.com/desktops.exe
# Run a command on a remote computer
C:\> psexec.exe \\<remote computer> -u admin -p 123 /c c:\123.exe
PS C:\> Invoke-Command -ComputerName <remote computer> { ls }
# Compare two files
PS C:\> Compare-Object (Get-Content 1.log) -DifferenceObject (Get-Content 2.log)
# Base conversion and decoding
C:\> set /a 0xff
PS C:\> 0xff
C:\> certutil -decode <base64-encoded file> output.file
# Decode XOR, searching for the keyword "http"
C:\> xorsearch.exe -i -s input.file http
6.1.2 Linux
1.) Snort
# Capture on a remote server over ssh
ssh root@8.8.8.8 tcpdump -i any -U -s 0 -w - 'not port 22'
# Snort rule for detecting Meterpreter
# Snort rules by Didier Stevens (http://DidierStevens.com)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit Meterpreter"; flow:to_server,established; content:"RECV"; http_client_body; depth:4; fast_pattern; isdataat:!0,relative; urilen:23<>24,norm; content:"POST"; pcre:"/^\/[a-z0-9]{4,5}_[a-z0-9]{16}\//Ui"; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module/; sid:1618008; rev:1;)
https://didierstevens.com/files/software/snort-rules-V0_0_1.zip
# Snort rules for detecting PsExec
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|p|00|s|00|e|00|x|00|e|00|c|00|s|00|v|00|c"; nocase; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:24008; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool SMBv2"; flow:to_server,established; content:"|FE|SMB"; depth:8; nocase; content:"|05 00|"; within:2; distance:8; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:30281; rev:1;)
2.) Bro NSM
# Detect lateral movement
wget https://raw.githubusercontent.com/richiercyrus/Bro-Scripts/master/detect-mal-smb-files.bro
bro -r faf-exercise.pcap detect-mal-smb-files.bro
less notice.log
# Detect ransomware
wget https://raw.githubusercontent.com/fox-it/bro-scripts/master/smb-ransomware/smb-ransomware.bro
bro -r faf-exercise.pcap smb-ransomware.bro
3.) Detecting DoS/DDoS
# Attack types: SYN flood, ICMP flood, UDP flood
tshark -r 001.pcap -q -z io,phs
tshark -c 1000 -q -z io,phs
tcpdump -tnr $ | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail
tcpdump -qnn "tcp[tcpflags] & (tcp-syn) != 0"
netstat -s
tcpdump -nn not arp and not icmp and not udp
netstat -n | awk '{print $6}' | sort | uniq -c | sort -nr | head
# Application layer
tshark -c 10000 -T fields -e http.host | sort | uniq -c | sort -r | head -n 10
tshark -r capture6 -T fields -e http.request.full_uri | sort | uniq -c | sort -r | head -n 10
tcpdump -n 'tcp[32:4] = 0x47455420' | cut -f 7- -d":"
# Find HTTP packets carrying GIF, ZIP, JPEG, PDF or PNG content
tshark -Y 'http contains "ff:d8" || http contains "GIF89a" || http contains "\x50\x4B\x03\x04" || http contains "\xff\xd8" || http contains "%PDF" || http contains "\x89\x50\x4E\x47"'
# Extract the User-Agent and Referer fields
tcpdump -c 1000 -Ann | grep -Ei 'user-agent' | sort | uniq -c | sort -nr | head -1
tcpdump -i en0 -A -s 500 | grep -i refer
# Layer 2 attacks
tcpdump 'arp or icmp'
tcpdump -tnr 001.pcap arp | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail
tshark -r 001.pcap -q -z io,phs | grep arp.duplicate-address-detected
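Added example, not from the original post: the top-talker awk pipelines (section 5.1.1 and the DoS section above) and the tcp-syn filter carried through in Python over constructed tcpdump -nn output, so the SYN-flood judgement a person makes by eye (a source sending many bare SYNs and almost never completing a handshake) becomes an explicit test. Only IPv4 lines are parsed; the sample lines and thresholds are constructed.

```python
"""Top talkers and SYN-flood suspects from tcpdump -nn text output.
Added example; the capture lines below are constructed, not a real trace."""
import re

# Matches "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" with or without a
# leading timestamp, i.e. both "tcpdump -nn" and "tcpdump -tnn" output.
TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def constructed_capture():
    """One normal HTTP handshake plus request from 198.51.100.7, and 30 bare
    SYNs from 203.0.113.77 that never get followed up."""
    lines = [
        "10:00:00.000001 IP 198.51.100.7.40112 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0",
        "10:00:00.000050 IP 192.0.2.10.80 > 198.51.100.7.40112: Flags [S.], seq 2, ack 2, win 65160, length 0",
        "10:00:00.000090 IP 198.51.100.7.40112 > 192.0.2.10.80: Flags [.], ack 1, win 502, length 0",
        "10:00:00.000200 IP 198.51.100.7.40112 > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 502, length 79",
    ]
    for i in range(30):
        lines.append(
            f"10:00:01.{i:06d} IP 203.0.113.77.{50000 + i} > 192.0.2.10.80: "
            f"Flags [S], seq {i}, win 1024, length 0"
        )
    return lines


def packet_stats(lines):
    """Per source IP: total packets, bare-SYN packets ('S' only, no ACK bit),
    and everything else (a later ACK/PSH means the handshake completed)."""
    stats = {}
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue  # non-TCP or non-IPv4 line
        src, flags = m.group(1), m.group(5)
        s = stats.setdefault(src, {"packets": 0, "syn_only": 0, "other": 0})
        s["packets"] += 1
        if flags == "S":
            s["syn_only"] += 1
        else:
            s["other"] += 1
    return stats


def top_talkers(lines, n=10):
    """[(ip, packets)] sorted by packet count, ties broken by address."""
    stats = packet_stats(lines)
    ranked = sorted(((ip, s["packets"]) for ip, s in stats.items()), key=lambda t: (-t[1], t[0]))
    return ranked[:n]


def syn_flood_suspects(lines, min_syns=20, max_other_ratio=0.05):
    """Sources with at least min_syns bare SYNs whose non-SYN share of traffic
    is at most max_other_ratio: lots of half-open attempts, no real sessions."""
    suspects = []
    for ip, s in packet_stats(lines).items():
        if s["syn_only"] >= min_syns and s["other"] / s["packets"] <= max_other_ratio:
            suspects.append((ip, s["syn_only"]))
    return sorted(suspects, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    capture = constructed_capture()
    print("top talkers:", top_talkers(capture, 5))
    print("SYN flood suspects:", syn_flood_suspects(capture))
```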
6.2 Arsenal
1.) Kali, penetration testing distribution
https://www.kali.org
2.) SIFT, the SANS forensics toolkit
http://sift.readthedocs.org/
3.) REMnux, distribution for reverse engineering and malware analysis
https://remnux.org
4.) OpenVAS
http://www.openvas.org
5.) Security Onion, distribution for intrusion detection, network security monitoring and log analysis
https://securityonion.net
6.) OSSEC, open-source host intrusion detection system
http://ossec.github.io
0x04 References
https://www.4hou.com/technology/10173.html
https://github.com/fu4ck/btfm0daybank