
Summary of 2022 blue team HW elementary interview questions

2022-06-24 07:14:00 zkzq


Author: garry, a Zhangkong Security (掌控安全) student

Companies interviewed: Deep Blue, 360, Changting (Chaitin), Sangfor (the questions were nearly identical, so I merged them into one summary)

Position interviewed for: junior blue team

Interviewer's questions:

Fundamental vulnerabilities

SQL injection

Principle (informal): user input is spliced into the SQL statement and is then executed as code.

Cause: the data entered by the user is neither validated nor processed (precompiled).

Defense: precompiled statements (they prevent SQL injection, but do not neutralise the wildcard characters % and _).

Blacklist: escape, filter, replace or delete special characters.
Whitelist: restrict user input (regular-expression restrictions).
Canonical encoding and character set (mismatched encodings can lead to wide-byte injection).
Parameterized queries (principle): the contents of a parameter are never treated as part of the SQL statement; the statement is compiled first and then run with the parameters.
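An added example (not from the original post) showing the three points above in working code: the spliced query, the parameterized query, and the gap the defense line mentions, where a bound value still carries the LIKE wildcards % and _ unless they are escaped. It uses an in-memory SQLite table that is constructed here for the demonstration.

```python
import sqlite3

# Constructed in-memory table for the demonstration (not from the original post).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "user"), ("bob", "user"),
                     ("a_d", "admin"), ("admin", "admin")])
    return con

def find_unsafe(con, name):
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # input changes the statement's structure (the injection principle above).
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]

def find_safe(con, name):
    # Parameterized / precompiled: the statement is compiled first and the value
    # is bound afterwards, so the value can never become SQL code.
    return [row[0] for row in con.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

def like_prefix_naive(con, prefix):
    # Bound correctly, but % and _ are still LIKE wildcards inside the bound
    # value: this is exactly the gap the defense line above warns about.
    return [row[0] for row in con.execute(
        "SELECT name FROM users WHERE name LIKE ?", (prefix + "%",))]

def escape_like(text, esc="\\"):
    # Escape the escape character first, then the two wildcard characters.
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def like_prefix_safe(con, prefix):
    # Binding plus wildcard escaping: the user's text is matched literally.
    return [row[0] for row in con.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        (escape_like(prefix) + "%",))]
```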

Classification:

  • Header injection: UA (User-Agent), Referer, Cookie
  • UNION query injection
  • Error-based injection. Functions used: updatexml()
      rand(): produces a random number between 0 and 1; rand(0) also produces a number between 0 and 1, but with a fixed seed, so repeated runs give the same results
      floor(): rounds down; floor(rand()*2) randomly produces the two numbers 0 and 1
      group by: groups rows
      count(): counts rows
      concat(): concatenates strings
  • Boolean-based blind injection
  • Stacked queries: 1;select...
  • Time-based blind injection. Functions used:
      if(condition,A,B) -- returns A if the condition holds, otherwise B (what statement can be used instead of if?)
      sleep(num) -- delay of num seconds
      left(m,n) -- take the leftmost n characters of string m
      substr(m,1,1) -- take the substring of m starting at position 1 with length 1
      ascii(m) -- return the ASCII code of character m
      length(m) -- return the length of string m
      count(column_name) -- return the number of values in the specified column
  • Wide-byte injection:

PHP uses UTF-8 encoding while the database uses GBK encoding.

PHP defense function: magic_quotes_gpc()

Cause: PHP sends the request to MySQL after one round of GBK encoding, and the data PHP receives is processed by magic quotes. Because GBK is a double-byte encoding, the %df byte we submit combines with the escaping backslash to form a new Chinese character; the database then processes it as GBK, and the single quote escapes.

Principle: the database uses a wide character set, and the web layer does not take this into account. 0xDF27 is two characters at the web layer; PHP escapes the 0x27, turning 0xDF27 into 0xDF5C27.

Frequently asked:

What to do if something is filtered

 (1) Keywords filtered:                  bypass with case variation, double writing, or URL encoding
 (2) Special characters or spaces filtered:   bypass with URL encoding
 (4) Comments filtered:                  bypass by closing the quote yourself, or with logical operators
 (5) Single quotes filtered:             bypass with wide bytes (requires PHP to use GBK encoding)
 (6) Plaintext data filtered:            bypass by sending encrypted data with Burp Suite

Substitutes for spaces: /**/, %0a, %0b, %a0

How to write a shell: writing a shell via logs:

Prerequisites: root privileges, GPC off, and a known file path
 Log path: var/log/mysqld.sql
select 'one-line webshell' into outfile 'path'
select 'one-line webshell' into dumpfile 'path'

If you obtain SQL privileges, how do you get system privileges?

MySQL UDF privilege escalation: using the high privileges of root, create a udf.dll dynamic link library containing a function that can call cmd; after exporting udf.dll, cmd commands can be entered directly in the command box.

Limiting conditions:
1- Secure mode is not enabled on the MySQL database (confirm that secure_file_priv='' is empty)
2- The known database account has insert and delete privileges on the MySQL database, ideally root with the highest privileges.
3- The shell has write permission to the database installation directory.

  • MOF privilege escalation: basically only succeeds in a Windows Server 2003 environment.

Principle: the mof files in the C:/Windows/system32/wbem/mof/ directory are executed by the system every few seconds, and because part of a MOF file is VBS script, that VBS script can be used to call CMD and execute system commands.
If MySQL has permission to operate on the mof directory, arbitrary commands can be executed.

Difference between MySQL 5.0 and above versus below 5.0:

Below 5.0 there is no system table (information_schema), so table names can only be brute-forced.

Why a site with a MySQL database only has port 80 open:

1. The database port was changed and was not scanned.
2. The web server and the database server are separated.
3. Port 3306 is not open to the public.

XSS cross-site scripting

Principle: by splicing in malicious HTML code, a JS statement is made to execute, attacking the user's browser.
Types:

  • Reflected: the attack code is in the URL and is output in the HTTP response
  • Stored: the user-supplied data is stored on the server
  • DOM-based: XSS formed by modifying DOM nodes

Difference between reflected and DOM: DOM-XSS is JavaScript handling the output, while reflected XSS is handled by the back-end program.

XSS bypasses:

1. Case variation
2. JS pseudo-protocol
3. Omitting semicolons
4. Flash
5. New HTML5 tags
6. Fuzz testing
7. Double-tag bypass

Fixes and defenses
1. HTML-entity-encode the output and filter JavaScript event handlers
2. Set HttpOnly on important cookies to prevent the client from reading them through document.cookie; this HTTP header is set by the server.
3. Use CSP to defend against XSS

Frequently asked:

  - Conditions for an XSS worm: pages where users interact with each other can give rise to an XSS worm; stored XSS is not strictly required.
  - How to keep long-term control once you have a shell: add a piece of JS to the back-end login page that records the login account and password and checks whether login succeeded; if it did, record the account and password in a file at an obscure path, or send them directly to a file on your own website. Insert the XSS script in a file that can only be accessed after login.

CSRF cross-site request forgery / client-side request forgery

Principle: when a user visits a malicious website, the JS loaded on the malicious site runs; the attacker can then use the victim's identity to send requests to a normal website the victim is already logged into, in order to tamper with information, modify configuration and so on.

Cause: the cookie has not expired; the user's information is not verified further; a user without security awareness visited a malicious site.

Exploitation: the victim must complete two steps in order: log in to trusted website A, creating a cookie locally, and then visit dangerous website B without logging out of A.

Defense: add a token or a captcha; use POST as much as possible and limit GET.

SSRF server-side request forgery

Principle: use a service that can initiate network requests as a springboard to attack other internal services.

Commonly found in:

1. Places where outbound network requests can be made
2. Places that request remote server resources
3. Database built-in functions
4. Mail systems
5. Document processing
6. Online processing tools

Protocols:

file: when there is echo, the file protocol can read arbitrary content
dict: leaks version information of installed software, probes ports, operates intranet Redis services, etc.
gopher: gopher supports issuing GET and POST requests: first capture a GET or POST request packet, then rebuild it into a request that conforms to the gopher protocol. gopher is one of the most powerful protocols for SSRF exploitation (commonly called the "universal" protocol). It can be used for a reverse shell.
http/s: detect live intranet hosts

PHP functions that trigger SSRF vulnerabilities

file_get_contents: writes a file as a string; when the url is an intranet file, the file's contents are read out first and then written, causing a file read.

fsockopen(hostname, port, errno variable, errstr variable, timeout)

curl_exec(): executes a curl session

Bypasses

Using @: http://example@127.0.0.1. For example, http://www.baidu.com@10.10.10.10 makes the same request as http://10.10.10.10

Adding a port number: http://127.0.0.1:8080

Using a short URL: http://dwz.cn/11SMa

Converting the IP address to hexadecimal

DNS resolution: http://127.0.0.1.xip.io/ ; xip.io is a domain that can point to any IP

Exploitation: use pseudo-protocols to probe intranet information

Specific exploitation methods

View files with the file protocol, probe ports with the dict protocol, and use the gopher protocol, which supports GET and POST requests and is very effective against intranet ftp, redis, telnet and Memcache. Use the gopher protocol to access redis for a reverse shell.

Defense: do not follow redirects; disable unnecessary protocols; blacklist intranet IPs.

Additional: differences between XSS, CSRF and SSRF:

XSS vs. CSRF

XSS: cross-site scripting; exploits trusted users of the site to steal cookies
CSRF: cross-site request forgery; requests a trusted website by impersonating a trusted user

CSRF vs. SSRF

CSRF (cross-site / client-side request forgery) => the browser secretly sends requests because of JS
SSRF (server-side request forgery) => the server secretly sends requests because of the parameters you pass
C or S => C is the client, S is the server

File upload

Principle (formal): because the programmer's control over the user file-upload component is insufficient or has handling defects, users can upload executable dynamic script files to the server beyond their own permissions, and through such a script file gain the ability to execute server-side commands.

Server parsing vulnerabilities

Apache:

   Bypassing program checks: when Apache encounters an unknown extension, it parses from right to left until it reaches an extension it knows; if it knows none of them, it exposes the file's source code.
   When a file is uploaded, the program checks whether the file name ends in PHP, ASP, ASPX, ASA, CER or another script extension and refuses the upload if so. Constructing an extension like 1.php.rar bypasses the program check, and combined with the parsing vulnerability yields a webshell.

IIS

When a folder is created with a name in the format *.asa, .asp or .cer, any file with any extension in that directory is parsed by IIS as an ASP file.

When the file is named *.asp;1.jpg, IIS executes it as an ASP script.

Nginx

Principle: this is actually a PHP CGI parsing vulnerability. The PHP configuration file has a key option, cgi.fix_pathinfo, which is generally enabled by default, so when the requested file does not exist PHP recursively parses forward, which creates the parsing vulnerability.
An attacker can upload a trojan file and then append xxx.php (any name will do) to the URL to obtain a webshell on the site. For example, visiting http://www.xxx.com/1.jpg/1.php causes 1.jpg to be parsed as a PHP script; 1.php does not exist.

Bypass methods

 1. Blacklist
      a. Incomplete suffix list: .php5, .phtml, etc.
      b. .htaccess
      c. Case variation
      d. Add a space before the file suffix in the packet
      e. Add a dot after the suffix
      f. Append ::$DATA
      g. No loop validation; approaches like x.php.. can be used
 2. Whitelist: %00 truncation, image webshell, race condition

Defense

  1. Back-end validation: use server-side validation
  2. Suffix validation: whitelist-based, with blacklist filtering
  3. MIME validation: based on the declared upload type (hard to rely on)
  4. Content checks: file header, integrity checks
  5. Built-in function filtering
  6. WAF protection software: BT Panel (宝塔), Yundun, etc.
    Isolate uploaded files from the web service
    Whitelist filtering, limit the upload file types
    Set the file upload path to non-executable permissions
    Check the file upload path
    Built-in function checks
    Custom function checks
    Image re-rendering
    Rename uploaded files
    Compress the file contents and regenerate them
    Check the file contents
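An added example (not from the original post) of a whitelist upload check that covers the defense list above and is tested against the blacklist-bypass list: extension case, trailing space or dot, ::$DATA, %00, double extensions such as 1.php.rar, .htaccess, a file-header check, a crude content check for image webshells, and a server-generated stored name. The ALLOWED table and all file names are constructed here.

```python
import os
import secrets

# Allowed extensions and the file signature each must start with (whitelist).
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

def validate_upload(filename, content):
    """Return (accepted, reason, stored_name). Whitelist only: every trick from
    the blacklist-bypass list above is rejected before the extension is trusted,
    and the stored name is generated server-side so the uploader never controls it."""
    name = os.path.basename(filename.replace("\\", "/"))    # drop any directory part
    if "\x00" in name or "%00" in name.lower():              # %00 / null-byte truncation
        return False, "null byte in name", None
    if "::$DATA" in name.upper():                            # NTFS alternate data stream
        return False, "NTFS stream suffix", None
    if name != name.strip(" ."):                             # "shell.php ", "x.php..", ".htaccess"
        return False, "leading/trailing space or dot", None
    if name.count(".") != 1:                                 # 1.php.rar, Apache right-to-left parsing
        return False, "exactly one extension required", None
    base, ext = name.split(".")
    ext = ext.lower()                                        # shell.PhP
    if not base or ext not in ALLOWED:
        return False, f"extension {ext!r} not whitelisted", None
    if not content.startswith(ALLOWED[ext]):                 # header check: content must match type
        return False, "content does not match extension", None
    low = content.lower()
    if b"<?php" in low or b"<?=" in low or b"<script" in low:   # crude image-webshell check;
        return False, "script inside image", None                # re-rendering the image is stronger
    stored = f"{secrets.token_hex(8)}.{ext}"                 # rename: no attacker-chosen name
    return True, "ok", stored
```

Pair it with the other items on the list (a non-executable upload directory and a separate host for uploaded files): a whitelist check stops the file-name tricks, not a misconfigured web server.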

File inclusion

Principle: programmers do not strictly filter the included files during development, so an attacker can construct an image trojan file of their own that is executed as PHP.

Common include functions:

include(): only a warning is generated when the included file cannot be found, and the script continues to run.
include_once(): only a warning is generated when the included file cannot be found, and the script continues to run. If the file's code has already been included it is not included again, i.e. it is called only once.
require(): a fatal error occurs when the included file cannot be found, and the script stops.
require_once(): a fatal error occurs when the included file cannot be found, and the script stops. If the file's code has already been included it is not included again, i.e. it is called only once.

PHP wrappers:

file://    access the local file system
http://    access HTTP(S) URLs
ftp://     access FTP(S) URLs
php://     access individual I/O streams
zlib://    compression streams
data://    data (RFC 2397)
glob://    find file paths matching a pattern
phar://    PHP archives
ssh2://    Secure Shell 2
rar://     RAR
ogg://     audio streams
expect://  process interactive streams

Exploitation:
Directory traversal using ../
Upload a file via a parsing vulnerability, bypass the WAF and obtain a webshell
Read PHP source code via PHP wrappers

Defense
Use open_basedir in PHP to restrict access to a specified directory area
Filter dots (.) and slashes (/ \) to prevent directory traversal
Disable remote file inclusion on the server
Avoid dynamic inclusion as far as possible; the pages to be included can be fixed

Harm: sensitive information disclosure (arbitrary file read); PHP pseudo-protocols, reading source code through file inclusion, command execution; combined with an image webshell to obtain a webshell

PHP serialization and deserialization

Principle: (a controllable variable is passed to unserialize, injecting a serialized object into the operation and achieving code execution). The serialized string supplied by the user is not checked, which lets an attacker control the deserialization process and leads to code execution, SQL injection, directory traversal and other uncontrollable consequences. During deserialization some magic methods are invoked automatically, so deserializing may trigger magic methods in the object.

Serialization function: serialize(): converts an object into a string

Deserialization function: unserialize(): converts a string into an object

Magic methods (the file contains an exploitable class, and the class has magic methods)

__wakeup()      // triggered when unserialize is used
__sleep()       // triggered when serialize is used
__construct()   // triggered when an object is created
__destruct()    // triggered when an object is destroyed
__call()        // triggered when an inaccessible method is called in an object context
__callStatic()  // triggered when an inaccessible method is called in a static context
__get()         // used to read data from inaccessible properties
__set()         // used to write data to inaccessible properties
__isset()       // triggered when isset() or empty() is called on an inaccessible property
__unset()       // triggered when unset() is used on an inaccessible property
__toString()    // triggered when a class is used as a string
__invoke()      // triggered when a script tries to call an object as a function

Key point for bypassing __wakeup: when the declared number of member properties is greater than the actual number, __wakeup can be bypassed

Traffic analysis (PCAP files)

 1. Large numbers of 404 requests: directory scanning
 2. Large numbers of select *** from: SQL injection
 3. One IP requesting many ports in a row, or many IPs hitting the same few ports: port scanning
 4. Account/password brute forcing: ip.addr==219.239.105.18 and http.request.uri matches "edit|upload|modify"
 5. China Chopper connection packets, POST requests: ip.addr==219.239.105.18 and http.request.method==POST
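An added example (not from the original post) that turns the first, second and fourth rules of thumb above into a small detector run over a constructed web access log: per-IP 404 counts for directory scanning, "select ... from"-style patterns for SQL injection, and repeated POSTs to login/edit/upload/modify URIs for brute forcing. Port scanning (rule 3) is not visible in an HTTP access log, so it is left out; the thresholds and sample lines are assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

def _line(ip, method, uri, status):
    # Constructed combined-log-style line (sample data, not from the original post).
    return f'{ip} - - [24/Jun/2022:07:14:00 +0800] "{method} {uri} HTTP/1.1" {status} 512'

SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "GET", p, 404) for p in
     ("/admin/", "/backup/", "/.git/", "/phpmyadmin/", "/test.php", "/www.zip")]
    + [_line("10.0.0.7", "POST", "/login.php", 200)] * 6
    + [_line("10.0.0.9", "GET", "/item.php?id=1%20union%20select%201,2,3%20from%20users", 200)]
    + [_line("10.0.0.8", "GET", "/index.php", 200), _line("10.0.0.8", "GET", "/missing", 404)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# "select ... from", UNION SELECT, and the time/error-based helpers named earlier
SQLI_RE = re.compile(r"\bselect\b.+?\bfrom\b|\bunion\s+select\b|\bsleep\s*\(|\bupdatexml\s*\(", re.I)
AUTH_RE = re.compile(r"login|edit|upload|modify", re.I)

def parse(log_text):
    """Yield (ip, method, decoded_uri, status) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, uri, status = m.groups()
            yield ip, method, unquote_plus(uri), int(status)   # decode %20 etc. before matching

def analyse(log_text, scan_404=5, brute_posts=5):
    """Map IP -> sorted list of findings using the rules of thumb above."""
    not_found, posts, findings = Counter(), Counter(), defaultdict(set)
    for ip, method, uri, status in parse(log_text):
        if status == 404:
            not_found[ip] += 1
        if SQLI_RE.search(uri):
            findings[ip].add("sqli")
        if method == "POST" and AUTH_RE.search(uri):
            posts[ip] += 1
    for ip, n in not_found.items():
        if n >= scan_404:
            findings[ip].add("dirscan")
    for ip, n in posts.items():
        if n >= brute_posts:
            findings[ip].add("bruteforce")
    return {ip: sorted(tags) for ip, tags in findings.items()}
```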

High-risk ports

 21 FTP: can be brute-forced; FTP anonymous login, anonymous/anonymous
 22 SSH
 23 telnet
 80 web
 81 web
 139/445 IPC, network shares (MS17-010)
 1433 mssql
 1521 oracle
 3306 mysql
 3389 rdp
 6379 redis: Redis unauthorized access; with no password anyone can get in, which can lead to information leakage, a reverse shell, or writing an ssh public key to the server and connecting directly with the private key
 7001/7002 weblogic, various vulnerabilities
 8080 Tomcat: PUT upload of a webshell (JSP is filtered, but 1.jsp%00 can be used); deploying a war package from the management back end; Ghostcat command execution
 8888
 50050 Cobalt Strike default port

Log4j deserialization

The core principle: during normal log processing the two adjacent characters ${ are detected, and once a string matching the expression structure is found a substitution mechanism is triggered: the expression is replaced with the result of evaluating it rather than with the expression itself, so an attacker can construct a conforming expression for the system to execute.
Cause and characteristics of the vulnerability: when a log is printed, if the log content contains the keyword ${, the content inside the keyword is treated as a variable, which the attacker can replace with an arbitrary attack command that is then executed.

Security tools

nmap

 1. -Pn: disable ping scanning. Before scanning a host, nmap sends an ICMP packet to detect whether the remote host is alive; if the other side replies, nmap considers the scan worthwhile and starts scanning, and if no packet comes back the scan is not performed. If the target host is configured to block ping, the scan returns no results unless -Pn is added.
 2. -sP: makes nmap use ping to detect whether the target host is alive. If the target machine can be pinged it tells us "host is up". Not absolutely accurate, because the target may have blocked ping.
 3. -sS: half-open scan. In the TCP three-way handshake, the client sends a SYN packet to the server; if the server port is open the server returns SYN+ACK; in the third step the client verifies the server's ACK and, if correct, sends an ACK packet to complete the TCP connection. This scan only performs the first step (the client) and lets the server perform the second; the third step is never done. The advantage is that it can avoid being logged.
 4. -sT: full TCP three-way-handshake scan.
 5. -PR: uses the ARP protocol to scan hosts in the LAN; this is faster and the results are more accurate.
 6. -O: detects the operating system of the target host.
 7. -p: a computer has 65535 ports; for a full port scan write -p 1-65535
 8. -T4: the default is 3.
 9. -P0: used to probe host liveness when ping is blocked.

sqlmap parameters for obtaining a webshell

sqlmap's --os-shell parameter obtains a shell
Essence: it writes two php files, one that lets us execute commands and one that lets us upload files.
Three conditions for this to work:
(1) the website must run with root privileges
(2) the attacker needs to know the absolute path of the website
(3) GPC is off, i.e. PHP's automatic escaping is off

Penetration testing ideas

goby, a scanning tool

Common port scans can be customized as needed
It can scan not only IPs but also domain names

When scanning, you can also add POCs for the vulnerabilities you want to test for

The brute-force dictionary can be customized
Finally, reports can be imported and exported
Penetration testing process: if I give you a website, what is your penetration testing approach? / Given a site to test, what do you think you should do first?

Search engines

Information gathering

   a. Server information (real IP, system type, version, open ports, WAF, etc.)
   b. Website fingerprinting (including CMS, CDN, certificates, etc.), DNS records
   c. whois information: full name, ICP filing, mailbox, phone (look the mailbox up in a social-engineering database and prepare for social engineering)
   e. Subdomain collection, sibling sites on the same server, the C segment (same /24), etc.
   f. Google hacking targeted searches: PDF files, middleware versions, weak-password scanning, etc.
   g. Scan the site's directory structure, brute-force the admin panel, website banner, test files, leaked sensitive files such as backups
   h. Transfer protocols, common vulnerabilities, exploits, GitHub source code, etc.

Vulnerability mining

   a. Browse the website: look at its size, functions, characteristics, etc.
   b. Ports, weak passwords, directory scanning, vulnerability detection on the responding ports, e.g. rsync, Heartbleed, mysql, ftp, ssh weak passwords, etc.
   c. XSS, SQL injection, upload, command injection, CSRF, cookie security checks, sensitive information, data in transit, brute force, arbitrary file upload, broken access control, unauthorized access, directory traversal, file inclusion, replay attacks (SMS bombing), server vulnerability detection, and finally vulnerability scanners, etc.

Vulnerability scanning

   Start detecting vulnerabilities such as XSS, XSRF, SQL injection, code execution, command execution, broken access control, directory read, arbitrary file read, download, file inclusion, remote command execution, weak passwords, upload, editor vulnerabilities, brute force, etc.

Exploitation

Use tools such as msf and nc to get a shell or other privileges

Privilege escalation

   a. MySQL privilege escalation, UDF, MOF, Serv-U, Oracle
   b. Windows overflow privilege escalation
   c. Linux Dirty COW, kernel vulnerability privilege escalation

Log cleaning

Summary report and remediation plan

FOFA syntax

  Query CMS management systems: app="cms"
  domain=   search for sites whose root domain is xx. Example: domain="baidu.com"
  host=     search by host name in the URL; note that host is used as the name. Example: host=".edu.cn"
  port=     find assets on a given port (e.g. 443). Example: port=3389
  protocol= search by protocol type (valid when port scanning is enabled). Example: protocol=ssh
  cert=     search for assets whose certificate (https, imaps, etc.) contains the domain name. Example: cert=baidu.com
  banner=   search for assets whose protocol banner contains the text. Example: banner=users && protocol=ftp
  type=     search assets of all protocols; supports the two types subdomain and service. Example: type=service
  server=   search server / middleware names. Example: server=apache
  Advanced syntax is joined with the pipe characters '||' and '&&', e.g.:
  body="backstage"&&domain="xxx.com"   query the admin panel of the specified domain
  header="Hikvision"                    find cameras

Google syntax

  intext      find pages with the keyword in the body
  intitle     find pages with the keyword in the title
  allintitle  like intitle, but multiple words can be specified
  inurl       returns pages with the keyword in the URL
  allinurl    like inurl, but multiple words can be specified // all keywords must appear
  site        specify the site to search
  filetype    specify the file type to find
  cache       show the cached version of the page

Shodan, Quake

ZoomEye (钟馗之眼): focuses on web containers and fingerprint search.

  Fingerprint search, e.g.: php app:dedecms ver:5.7.
  app: component name, e.g. app:apache.
  ver: component version, e.g. ver:2.0.
  os: operating system, e.g. os:windows.
  service: service name, e.g. service:vpn.
  cidr: network segment, e.g. cidr:192.168.1.1/24.
  device: device name, e.g. device:router.
  keyword: keyword query, e.g. keyword:technology.
  Try weak passwords, e.g.: php app:phpmyadmin.
  Search for camera devices: 1. DVRDVS-Webs, 2. JAWS, etc.

Wireshark simple filter rules

 Filter by IP: source IP: ip.src==1.1.1.1; destination IP: ip.dst==1.1.1.1
 Filter by port: port 80: tcp.port==80; source port: tcp.srcport==80; destination port: tcp.dstport==80
 Protocol filter: just enter the protocol name, e.g. http
 Method filter: filter GET/POST packets: http.request.method=="GET" or http.request.method=="POST"

Traffic characteristics of China Chopper, AntSword and Behinder

China Chopper characteristics

The instructions sent to the Chopper webshell are base64-encoded; two key payload parameters are z1 and z2, and this name is variable

AntSword characteristics

The default User-Agent request header is antsword xxx, but it can be changed in the /modules/request.js file, so the UA can be bypassed. The most obvious traffic characteristic is the code @ini_set("display_errors","0"); which is present in essentially all of the PHP-type webshell client code used for WebShell connections.
After AntSword obfuscation/encryption there is another obvious feature: parameter names are mostly of the form "_0x...=" (the underscore can be replaced), so a parameter name starting with _0x is also likely to be malicious traffic

Behinder shows no obvious features in the packet, but it can be seen that it is a POST request

1. The Accept header carries application/xhtml+xml, application/xml, application/signed-exchange, a weak feature (the browser version in the UA header is very old)

2. Characteristic analysis: Content-Type: application/octet-stream is a strong feature. Looking it up, octet-stream means only binary files can be submitted, and only one; if a Word document is submitted only one file can be submitted, the back end can receive only one parameter, and it can only be a stream (or byte array); it is rarely used

Behinder 2 characteristics:

The default value of the Accept field is very special and is the same at every stage. Behinder has more than ten built-in User-Agents and randomly selects one for each shell connection, but they are all older, so this is easy to detect; the UA header can, however, be modified in Burp. Content-Length: 16 is a characteristic of Behinder 2's connection

Behinder 3 characteristics:

Behinder 3 removed dynamic key acquisition. Many WAFs and other devices analyse traffic based on Behinder 2's characteristics, so version 3 removed dynamic key acquisition;

For PHP no feature is found in the packet, but it can be seen that it is a POST request. 1) The Accept header application/xhtml+xml, application/xml, application/signed-exchange is a weak feature. 2) The UA is a weak feature; it can be modified through Burp. Behinder 3.0 has 16 built-in User-Agents, all relatively old.

Few people use it in practice, so this can also serve as a WAF rule. JSP packet-capture characteristics: Content-Type: application/octet-stream is a strong feature (the same octet-stream analysis as above applies: a single binary body, one parameter received as a stream or byte array); rarely used.
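An added example (not from the original post) that encodes the characteristics listed above as a classifier for one HTTP request: base64 values in Chopper-style z1/z2 parameters, the AntSword User-Agent, its @ini_set("display_errors","0") line and _0x... parameter names, and Behinder's application/octet-stream body, signed-exchange Accept header and Content-Length: 16. The tag names are my own and the sample requests in the test are constructed.

```python
import re
from urllib.parse import parse_qs

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
ANTSWORD_MARK = '@ini_set("display_errors","0")'

def classify_webshell_request(method, headers, body):
    """Return sorted feature tags for one HTTP request, using only the traffic
    characteristics listed above. headers: dict, body: str (form-encoded or raw).
    A tag is a hint for the analyst, not proof: the weak features need the strong
    ones (octet-stream, ini_set line, z-params) before raising an alert."""
    if method.upper() != "POST":          # all three clients use POST
        return []
    h = {k.lower(): v for k, v in headers.items()}
    tags = set()
    form = parse_qs(body, keep_blank_values=True)
    values = [v for vals in form.values() for v in vals]

    # China Chopper: base64 instruction in z1/z2-style parameters
    z_params = [k for k in form if re.fullmatch(r"z\d+", k)]
    if z_params and all(B64_RE.fullmatch(form[k][0]) for k in z_params):
        tags.add("chopper-z-params")

    # AntSword: default UA, tell-tale ini_set line, _0x... obfuscated names
    if "antsword" in h.get("user-agent", "").lower():
        tags.add("antsword-ua")
    if any(ANTSWORD_MARK in v.replace(" ", "") for v in values):
        tags.add("antsword-ini-set")
    if any(re.fullmatch(r"_0x[0-9a-f]+", k, re.I) for k in form):
        tags.add("antsword-obfuscated-param")

    # Behinder: octet-stream body, odd Accept header, fixed 16-byte handshake (v2)
    if h.get("content-type", "").startswith("application/octet-stream"):
        tags.add("behinder-octet-stream")
    if "application/signed-exchange" in h.get("accept", ""):
        tags.add("behinder-accept")
    if h.get("content-length", "").strip() == "16":
        tags.add("behinder2-length-16")
    return sorted(tags)
```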

Emergency response

How to deal with the emergency when the website is suspended

  1. obtain evidence , logon server , Backup , Check the server sensitive directory , Check the poison ( Search for backdoor files - Pay attention to the time of the file ,  user , Suffix and other attributes ), Call logs ( System , Middleware log ,WAF Log etc. );
  2. Handle , Restore backup ( Snapshot rollback last ), Determine the intrusion method ( Vulnerability detection and repair ) 
  3. Tracing to the source , Check the invasion IP, Invasion tactics ( Network attack events ) And so on  
  4. Record , file -------- The prevention of - Event detection - Inhibition - Eradicate - recovery - track - Record the response to common vulnerabilities and other   Safety emergency events 

Specific process of intrusion troubleshooting

1、 Check system account security
Check whether the server has a weak password , Whether the remote management port is public
Check whether the server has a suspicious account :cmd Input lusrmgr.msc command
Check whether there is a hidden account on the server 、 Clone accounts
Combined with the log , View administrator login time , Whether the user name is abnormal

2、 Check for abnormal ports 、 process
Check the port connection , Whether there is a remote connection 、 Suspicious connection :
a、netstat -ano View current network connections , Locate suspicious ESTABLISHED
b、 according to netstat Located pid, Re pass tasklist Command to locate the process tasklist | findstr “PID”

3、 Check the startup 、 Planning tasks 、 service
win+r: Input msconfig, View abnormal startup items
win+r: Input regedit, Open the registry , Check boot entry

4、 Check system information
win+r: Input systeminfo Check system information

5、 Log analysis
win+r: Input eventvwr.msc, Open the event viewer
Export application log , Security log , system log , utilize log parser analysis
How to judge whether a threat intelligence is wrong

Analyze traffic packets , It can be used wireshark, Analyze whether traffic is a normal business operation
How to judge yourself to be getshell 了 : use D Shield killing

webshell:
check web journal , Analyze attack traffic
sweep webshell
Check the website directory , View recently changed files
shell:
View unknown port , Unknown process
Check malicious traffic , Lock down the infection process
If there is safety equipment, it depends on the safety equipment
If a server is invaded , How would you respond to an emergency ?》》》 Check logs , Search service , Check the progress , Check whether there is any suspicious login , New account

What should you do if the intranet raises an alarm? (This may be asked in different ways.)

First, the state of the specific machine: since an alarm was raised, the specific vulnerability type is known, so apply the corresponding patch. Taking Linux as the main case (they usually ask about Linux): check the /var/log/secure system log for failed logins, and check the Linux command history (.bash_history under the home directory) for the commands that were executed. Scan with a webshell or shell scanning tool, and check the tmp directory for Trojans that the scanner misses, so that everything is removed completely. Then go to the full-traffic analysis machine and check whether the attacker passed through other machines. Once you have the attacker's IP, look up the host type on an online service such as 360 or ThreatBook (微步) to see whether it is a puppet (compromised) machine, a VPS jump box, or a domestic personal virtual machine. If it is a personal virtual machine, you can check via whois whether a domain name was bound to it recently, or find the registrant's mailbox. With the mailbox you can reverse-look-up the QQ number, then use social-engineering lookups to find the phone number, check on well-known sites which websites that phone number is registered on, and log in to those sites by credential stuffing (撞库); that way you can get the attacker's ID card, school and address.
(The idea is emergency response -> hardening -> tracing to the source)

After an attack, how do you check whether log files and Trojan files were deleted?
Use lsof to recover the deleted files (a process that still holds a deleted file open keeps its contents reachable), then check the logs, the services, the processes, and whether new accounts were created.
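The recovery trick behind that lsof answer, as an added example that is not part of the original post: on Linux, every descriptor a process holds is visible as a symlink under /proc/<pid>/fd, and a deleted target is marked "(deleted)", which is exactly what `lsof +L1` lists. The helper below enumerates those descriptors and copies the still-reachable bytes back out; the process list, the sample "secure.log" line and the temporary directory are all constructed here.

```python
"""Added example (not part of the original post): find files that were deleted
while a process still holds them open, and copy their contents back, which is
what the lsof recovery trick relies on. Linux-only (reads /proc); the
"secure.log" line below is constructed."""
import os
import tempfile

DELETED_SUFFIX = " (deleted)"
# Constructed sample log line, the kind of evidence an attacker deletes.
SAMPLE_LINE = "Jun 23 10:15:40 host sshd[1234]: Failed password for root from 203.0.113.9 port 51022 ssh2\n"


def deleted_open_files(pids=None, proc_root="/proc"):
    """Map pid -> [(fd, original_path)] for descriptors whose target was unlinked.
    This is the information `lsof +L1` shows: a log or dropper deleted while a
    process still has it open leaves exactly this trace."""
    hits = {}
    if pids is None:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    for pid in map(str, pids):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:            # process gone, or not ours and we are not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.endswith(DELETED_SUFFIX):
                hits.setdefault(pid, []).append((int(fd), target[: -len(DELETED_SUFFIX)]))
    return hits


def recover(pid, fd, dest, proc_root="/proc"):
    """Copy the still-reachable bytes of /proc/<pid>/fd/<fd> to dest; returns the byte count."""
    src_path = os.path.join(proc_root, str(pid), "fd", str(fd))
    with open(src_path, "rb") as src, open(dest, "wb") as out:
        data = src.read()
        out.write(data)
    return len(data)


def demo():
    """Constructed scenario: this process holds a 'log' open, the file is deleted
    from disk, and we pull its contents back from /proc."""
    path = os.path.join(tempfile.mkdtemp(prefix="ir_"), "secure.log")
    real = os.path.realpath(path)      # /proc reports the resolved path
    with open(path, "w") as f:
        f.write(SAMPLE_LINE)
    holder = open(path, "rb")          # simulates the daemon that still has the file open
    os.unlink(path)
    me = str(os.getpid())
    fds = [fd for fd, p in deleted_open_files(pids=[me]).get(me, []) if p == real]
    recovered = recover(me, fds[0], path + ".recovered") if fds else 0
    holder.close()
    return {"found": bool(fds), "recovered_bytes": recovered}


if __name__ == "__main__":
    print(demo())
```

Run it without `pids` to sweep every process you can read; as root that covers the daemons an attacker typically targets (sshd, web servers, syslog). Copy the recovered file somewhere off the compromised disk before the holding process exits, because once the last descriptor closes the data is really gone.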

An alarm appears on the security equipment; how do you judge whether it is a false positive or a real attack?

Analyze the alarm data and see whether it is an operation by internal staff or a real attack.
How do you analyze whether the traffic is a false positive?

Analyze the traffic packets (for example with Wireshark) and check whether the traffic is a normal business operation.
While a service is running, how do you find the webshell's location from the logs? After a shell has been obtained, how do you handle the emergency, and how do you quickly locate the shell?

Start from the logs and the traffic files. To locate it, first check the sensitive directories (/tmp, /usr/sbin, /etc/ssh) for newly created and modified files, and look for files with special permissions such as 777. For traffic, analyze the UA and the payload. For example, a China Chopper (菜刀) JSP Trojan: the first parameter is a-q, which does not change, the second is the encoding, and the third is the payload. Once the shell is found in the logs, do correlation analysis around that point in time and you can reconstruct the attack technique.
To locate it quickly, just look at the processes and memory: those with a long run time and high resource usage.
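The two checks just described, as an added example that is not from the original post: the log side flags script files that are driven almost exclusively by POST requests from one or two client IPs (a webshell is operated by its owner's client, a real page is browsed by many users with GETs), and records the first-seen timestamp to pivot on; the disk side walks the web root for files modified inside the incident window or carrying world-writable (777-style) permissions. The log lines, the web root and the cutoff timestamp are constructed, and the log format assumed is the Nginx/Apache "combined" format.

```python
"""Added example (not part of the original post): hunt for webshell candidates
in a web access log and on disk. The log lines and the demo web root below are
constructed; the log format assumed is the Nginx/Apache "combined" format."""
import os
import re
import stat
import tempfile
from collections import defaultdict

# Regex for the assumed combined log format (client ip, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: normal browsing plus a burst of POSTs from one IP to a file in an upload dir.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2022:10:01:02 +0800] "GET /index.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.6 - - [23/Jun/2022:10:01:05 +0800] "GET /login.jsp HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Jun/2022:10:02:11 +0800] "POST /login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jun/2022:10:15:40 +0800] "POST /upload/img/1.jsp HTTP/1.1" 200 78 "-" "Java/1.8.0_201"
203.0.113.9 - - [23/Jun/2022:10:15:41 +0800] "POST /upload/img/1.jsp HTTP/1.1" 200 1532 "-" "Java/1.8.0_201"
203.0.113.9 - - [23/Jun/2022:10:15:45 +0800] "POST /upload/img/1.jsp HTTP/1.1" 200 960 "-" "Java/1.8.0_201"
10.0.0.7 - - [23/Jun/2022:10:20:00 +0800] "GET /static/app.js HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
"""

SCRIPT_EXT = (".jsp", ".jspx", ".php", ".asp", ".aspx")


def parse_log(text):
    """Yield one dict per parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def webshell_candidates(text, max_ips=2, min_post_ratio=0.8):
    """Script paths that are (almost) only POSTed to by very few client IPs.
    Returns path -> stats; first_seen is the timestamp to pivot on when
    reconstructing the intrusion."""
    stats = defaultdict(lambda: {"first_seen": None, "ips": set(), "posts": 0, "total": 0})
    for rec in parse_log(text):
        if not rec["path"].lower().endswith(SCRIPT_EXT):
            continue
        s = stats[rec["path"]]
        s["total"] += 1
        s["ips"].add(rec["ip"])
        s["posts"] += rec["method"] == "POST"
        s["first_seen"] = s["first_seen"] or rec["time"]
    return {p: s for p, s in stats.items()
            if s["posts"] / s["total"] >= min_post_ratio and len(s["ips"]) <= max_ips}


def suspicious_files(root, since):
    """Regular files under root modified after `since` (epoch seconds) or that are
    world-writable (the 777-style permissions the text says to look for).
    Returns relative path -> {"recent": bool, "world_writable": bool}."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            recent = st.st_mtime > since
            ww = bool(st.st_mode & stat.S_IWOTH)
            if recent or ww:
                hits[os.path.relpath(full, root)] = {"recent": recent, "world_writable": ww}
    return hits


def build_demo_webroot():
    """Construct a throwaway web root: an old legitimate page, a freshly dropped
    upload/img/1.jsp, and an old config file that someone chmod 777'd.
    Returns (root, cutoff) where cutoff is the start of the incident window."""
    old_ts = 1_600_000_000      # constructed: Sep 2020
    cutoff = 1_650_000_000      # constructed: Apr 2022
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "upload", "img"))
    for rel, content, ts, mode in [
        ("index.jsp", "legit page", old_ts, 0o644),
        (os.path.join("upload", "img", "1.jsp"), "suspect", None, 0o644),
        ("conf.txt", "x", old_ts, 0o777),
    ]:
        full = os.path.join(root, rel)
        with open(full, "w") as f:
            f.write(content)
        if ts is not None:
            os.utime(full, (ts, ts))
        os.chmod(full, mode)
    return root, cutoff
```

The POST-ratio and few-IPs thresholds are starting points: tune them against a day of your own logs first, because a legitimate API endpoint called by one batch job looks the same on these two signals and needs to be whitelisted by path. The first_seen value of a flagged path is the time window to correlate with upload requests, new files on disk and process starts.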
The equipment raises an SQL injection alarm; you can see the attack time, the attacking IP and the payload. How do you judge whether it is a false positive or an attack? If it is a real attack, how do you judge whether it succeeded, and what do you do if it did?

First look at the IP. If the IP is inside the company, check whether internal staff performed the related operation; if it is not a business operation by company staff, it is an attack.
Then analyze the payload: work out what the payload does and whether the security equipment can filter and intercept it. If it really can bypass the equipment, the attack should be treated as successful.
If it succeeded, report it immediately, start emergency response, handle it accordingly, add filtering rules, and change whatever can be changed in the database, such as the administrator account and password.
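The triage order in that answer (source IP, then payload, then whether the device intercepted it, then evidence of success) written out as code, as an added example that is not part of the original post. The alert records, the internal address ranges, the baseline response sizes and the `known_internal_activity` flag (standing in for the phone call to the internal team) are constructed assumptions; the injection markers include the error-based and time-based functions the page lists earlier.

```python
"""Added example (not part of the original post): triage an SQL-injection alarm.
Alerts, internal ranges, baseline sizes and the known_internal_activity flag
are constructed assumptions."""
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumed internal address space of the company.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Injection markers, including the functions the page lists for error- and time-based injection.
SQLI_MARKERS = re.compile(
    r"(union\s+select|updatexml\s*\(|extractvalue\s*\(|sleep\s*\(|\bor\s+1\s*=\s*1\b|;\s*select)", re.I)
# Database error strings in a response mean the injected SQL actually reached the database.
DB_ERROR = re.compile(r"(XPATH syntax error|You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE)", re.I)

ESCALATE = "escalate: emergency response, add filtering rule, rotate DB/admin credentials"
NEXT_STEP = {
    "false_positive_internal": "close alarm, record the business operation",
    "false_positive_no_sqli": "close alarm, tune the rule",
    "blocked": "record attacker IP, consider blacklisting, no incident",
    "likely_success_error_based": ESCALATE,
    "likely_success_time_based": ESCALATE,
    "likely_success_data_returned": ESCALATE,
    "attempted_unconfirmed": "check DB logs / full traffic for the same IP and time window",
}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(alert, baseline_sizes):
    """Return a verdict string for one alarm. `alert` carries src_ip, url, the raw
    (URL-encoded) payload, HTTP status, resp_size, and optionally waf_action,
    response_snippet, resp_time_ms and known_internal_activity. `baseline_sizes`
    is the normal response size per URL, used to spot a UNION returning extra rows."""
    payload = unquote_plus(alert["payload"])
    # 1. Internal source and the owner confirms a legitimate operation -> false positive.
    if is_internal(alert["src_ip"]) and alert.get("known_internal_activity"):
        return "false_positive_internal"
    # 2. Does the decoded payload actually contain SQL?
    if not SQLI_MARKERS.search(payload):
        return "false_positive_no_sqli"
    # 3. Did the security equipment intercept it?
    if alert.get("waf_action") == "block" or alert["status"] in (403, 406):
        return "blocked"
    # 4. Evidence of success: DB error leaked, oversized response, or the sleep() delay showed up.
    if DB_ERROR.search(alert.get("response_snippet", "")):
        return "likely_success_error_based"
    base = baseline_sizes.get(alert["url"])
    if alert["status"] == 200 and base and alert["resp_size"] > base * 1.5:
        return "likely_success_data_returned"
    if alert["status"] == 200 and alert.get("resp_time_ms", 0) >= 5000 and re.search(r"sleep\s*\(", payload, re.I):
        return "likely_success_time_based"
    return "attempted_unconfirmed"


SAMPLE_ALERTS = [  # constructed
    {"src_ip": "10.0.1.20", "url": "/report.php", "payload": "q=select+1+union+select+2", "status": 200,
     "resp_size": 4000, "known_internal_activity": True},            # internal tester, confirmed
    {"src_ip": "203.0.113.9", "url": "/item.php", "payload": "id=1%27+union+select+1%2C2%2C3--+",
     "status": 403, "resp_size": 0, "waf_action": "block"},            # WAF stopped it
    {"src_ip": "203.0.113.9", "url": "/item.php",
     "payload": "id=1%27+and+updatexml(1%2Cconcat(0x7e%2Cversion())%2C1)--+",
     "status": 200, "resp_size": 1200, "response_snippet": "XPATH syntax error: '~8.0.2'"},  # error leaked
    {"src_ip": "198.51.100.4", "url": "/item.php", "payload": "id=1+and+sleep(5)", "status": 200,
     "resp_size": 5120, "resp_time_ms": 5200},                          # delay observed
    {"src_ip": "198.51.100.4", "url": "/item.php", "payload": "id=5", "status": 200, "resp_size": 5120},
]
BASELINE = {"/item.php": 5120, "/report.php": 4000}  # constructed normal response sizes


def run_samples():
    """Verdict per sample alert, in order."""
    return [(a["src_ip"], triage(a, BASELINE)) for a in SAMPLE_ALERTS]


if __name__ == "__main__":
    for ip, verdict in run_samples():
        print(ip, verdict, "->", NEXT_STEP[verdict])
```

Response size, error strings and latency are the three things a network-side alert can actually show you; when none of them is conclusive the verdict stays "attempted_unconfirmed" and the honest next step is the database's own query log for that IP and time window, not a guess.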

Security device deployment

WAF

I enabled a WAF for my server using CNAME access: add the domain name of the website to be protected in the console, then modify the DNS resolution settings so that traffic resolves to the WAF.

ufw (Uncomplicated FireWall, a simple firewall)

  Check the firewall status (default inactive) # ufw status
  Firewall version # ufw version
  Enable the ufw firewall # ufw enable
  Disable the ufw firewall # ufw disable
  Deny all incoming access by default # ufw default deny
  Allow port 22/TCP # ufw allow 22/tcp
  Allow port 53 (tcp/udp) # ufw allow 53
  Deny access to port 3306 # ufw deny 3306
  Delete a rule that was added # ufw delete allow 22
  Allow this IP to access all local ports # ufw allow from 192.168.1.100
  Delete the rule above # ufw delete allow from 192.168.1.100
  List the rules with line numbers # ufw status numbered
  Delete the third rule # ufw delete 3
  Disable ufw # ufw disable
  Deny access to port 8888 # ufw deny 8888
  Allow TCP requests from 192.168.0.1 to port 22 # ufw allow proto tcp from 192.168.0.1 to any port 22

Honeypot: a target machine full of vulnerabilities that attracts hackers to attack the honeypot system, so that information about the hackers can be collected.

Questions to ask:

 - You just said you know something about honeypots; can you tell me what you know about honeypots? Have you actually participated in deploying a honeypot?
 Answer: ThreatBook (微步) HFish honeypot
 - If you were asked to deploy a honeypot, which ports would you open, and why? // Which ports on enterprise hosts do you think are at risk? // What do you think enterprises should pay attention to?
 Port 21: FTP file transfer protocol port, used to capture hackers' FTP brute-forcing behavior
 Port 22: SSH port, connecting to the SSH service of a Linux host, used to capture hackers' SSH brute-forcing behavior
 Port 23: Telnet service, a command execution service, used to detect hackers brute-forcing telnet
 Port 80/443: web service ports, used to capture the characteristics of hackers' web attack behavior
 Port 1521: Oracle database port, captures hackers' Oracle brute-forcing and UDF command execution behavior
 Port 3306: MySQL port, used to capture hackers' MySQL database brute-forcing and UDF command execution behavior
 Port 3389: Windows remote desktop port, used to capture hackers' brute-forcing behavior
 ··········· (the following may be mentioned or not) ···········
 Port 6379: Redis port, captures hackers' Redis unauthorized access attacks: hackers use redis to write SSH keys, write webshells, write scheduled tasks, and so on
 Port 445: SMB service port; captures hackers' EternalBlue attacks and SMB account brute-forcing (in plain terms, brute-forcing Windows accounts and passwords)
 Port 1433: Microsoft SQL Server port, used to capture hackers brute-forcing port 1433, and to see how hackers use SQL Server components such as xp_cmdshell and sp_cmdshell and stored procedures
 Ports 135/139: capture hackers' RPC and share attacks (when the honeypot is deployed in the intranet)
 For example, on port 8080 deploy a fake VPN page to attract hacker attacks

Intranet penetration

Intranet penetration process:

After getting a foothold (jump host), first probe for live hosts in the intranet; use the net user /domain command to check whether the jump host is in a domain; detect live hosts, escalate privileges, extract hashes, move laterally, locate the DC, check whether there is a vulnerability that directly yields domain admin, escalate after gaining control of the DC, then make a golden ticket to maintain access, and finally clean the logs and erase the footprints.

Information gathering

Host information collection

 1. Network configuration: ipconfig /all
 2. Operating system: systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"   (Chinese-locale Windows)
 3. Software information: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"   (English-locale Windows)
 4. Service (antivirus) information: wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState,pathToSignedProductExe
 5. User list: net user
 6. Local administrator information: net localgroup administrators
 7. Port information: netstat -ano
 8. Patch information: wmic qfe get Caption,Description,HotFixID,InstalledOn
 9. Check the firewall: netsh firewall show config

Domain information collection

  Whether there is a domain: use the ipconfig /all command to view the gateway IP address and the DNS server IP address, and determine whether the current host is in a domain. Use the reverse-resolution query command nslookup to resolve the domain name to an IP address, and compare the resolved IP with the DNS server address to determine whether the domain controller and the DNS server are on the same machine.
  Logon domain information: net config workstation
  ICMP probe of the intranet: for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.174.%I | findstr "TTL="
  ARP probe of the intranet
  Port information collection
  Query domain information: net view /domain
  Query domain hosts: net view /domain:XXX
  Query domain groups: net group /domain
  Find domain controllers: nslookup -type=SRV _ldap._tcp ; net time /domain ; net group "Domain Controllers" /domain
  Query domain user information: net user /domain
  Query domain administrators: net group "Domain Admins" /domain
  Query domain SID information: whoami /all

When the intranet environment has no direct outbound access

1. Use a webshell to set up a socket (socks) proxy into the intranet
2. Forward connection
3. SSH tunnel
4. Different protocols have different ways out, e.g. DNS corresponds to dnscat2, TCP corresponds to
5. Test whether a specific protocol or port can reach the outside

Interview difficulty: easy

Interview impressions and advice: the blue team questions are not difficult; there is more on emergency response, but you can also read more material online.


Copyright notice
This article was written by [zkzq]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/175/202206240051075443.html
