Red vs. Blue: The Blue Team Handbook

0x01 Preface

The idea of red-versus-blue confrontation can be traced back to the oldest surviving Chinese military treatise, Sunzi's The Art of War. The chapter "Attack by Stratagem" says: "Know yourself and know your enemy, and in a hundred battles you will never be in peril", meaning that if you understand both your own side and the adversary thoroughly, you will not lose no matter how many battles you fight. Information security today shares a similar consensus: "If you do not know attack, how can you know defense?" Attack and defense are a continuous process, and in any concrete engagement the side that knows more about its opponent holds the initiative. The main purpose of red-blue exercises is to raise the company's security maturity and its ability to detect and respond to attacks. Red Teams attack, and Blue Teams defend, but the primary goal is shared between them: improve the security posture of the organization.

 

0x02 Preparation

1) Organization chart

2) Network-wide topology diagram

3) Logical architecture diagram of each system

4) Call relationships between systems

5) Data-flow relationships

6) Inventory of core assets

7) Incident response plan

8) Business continuity plan

9) Disaster recovery plan

0x03 Basic Security Assessment

1. Port scanning and vulnerability detection

1.1 Host discovery (ping probe)

# nmap -sn -PE <IP address or range>

1.2 Port scanning

# nmap --open <IP address or range>   (report only open ports)

1.3 Service version detection

# nmap -sV <IP address or range>

1.4 Scanning multiple ports

# nmap -p 80,443 <IP address or range>

1.5 UDP scan

# nmap -sU -p 53 <IP address or range>

1.6 TCP/UDP scan (-Pn skips host discovery)

# nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <IP address or range>

1.7 Nessus scan

# nessus -q -x -T html <server IP> <server port> <admin user> <password> <targets.txt> <report.html>

1.8 OpenVAS scan

# apt -y install pcregrep

# wget https://goo.gl/TYbLwe   (inspect the downloaded script before executing it; the shortened link hides where it really comes from)

# chmod +x openvas-automate.sh && ./openvas-automate.sh <target IP>

2. Windows

2.1 Network discovery

Basic network discovery:

# C:> net view /all

# C:> net view <hostname>

Ping sweep:

# C:> for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "回复" >> output.txt

("回复" matches the reply line printed by a Chinese-locale ping; on an English-locale system use find "Reply" instead. Inside a .bat file the loop variable is written %%I rather than %I.)

2.2 DHCP

Enable DHCP server logging:

# C:> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1

Default log directory:

C:> %windir%\System32\Dhcp

2.3 DNS

Enable DNS server logging:

# C:> DNSCmd <DNS server name> /config /logLevel 0x8100F331

# Set the log file path:

C:> DNSCmd <DNS server name> /config /LogFilePath C:\dns.log

# Set the maximum log file size:

C:> DNSCmd <DNS server name> /config /logfilemaxsize 0xffffffff

2.4 Hashes

File Checksum Integrity Verifier (FCIV):

Ref: http://support2.microsoft.com/kb/841290

# Single file:

C:> fciv.exe <filename>

# Hash every file on drive C: and save the results to a file:

C:> fciv.exe c:\ -r -sha1 -xml results.xml

# List all hashes stored in the results file:

C:> fciv.exe -list -sha1 -xml results.xml

# certutil & PowerShell

# certutil -hashfile <filename> SHA1

# PS C:> Get-FileHash <filename> | Format-List

# PS C:> Get-FileHash -Algorithm MD5 <filename>

(Get-FileHash defaults to SHA256; prefer it over MD5 or SHA-1 when the goal is detecting deliberate tampering rather than accidental corruption, since collisions can be forged for both older algorithms.)

2.5 NetBIOS

nbtstat scan

# C:> nbtstat -A <target IP>

NetBIOS cache

# C:> nbtstat -c

Batch scan

# C:> for /L %I in (1,1,254) do nbtstat -A 192.168.1.%I

2.6 Microsoft Baseline Security Analyzer (MBSA)

Scan a single IP

# C:> mbsacli.exe /target <IP address> /n os+iis+sql+password

Scan an IP range

# C:> mbsacli.exe /r <IP range> /n os+iis+sql+password

3. Linux

3.1 Network discovery

List open SMB shares

# smbclient -L <target host>

Ping sweep

# for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip >/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || :; done

3.2 DHCP

DHCP logs

RHEL/CentOS

# cat /var/lib/dhcpd/dhcpd.leases

Debian/Ubuntu

# grep -Ei 'dhcp' /var/log/syslog.1

3.3 DNS

DNS logs

# rndc querylog && tail -f /var/log/messages | grep named

3.4 Hashes

Hash every executable file under a directory

# find /sbin -type f -exec md5sum {} \; >> md5sums.txt

# md5deep -rs /sbin > md5sums.txt
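The fciv and md5deep commands in 2.4 and 3.4 only produce a list of hashes; spotting a replaced or planted binary means comparing that list against a baseline taken while the system was known-good. The following added example (not code from the handbook) does the baseline-and-diff step in Python; the directory and baseline file names it takes are assumptions:

```python
# Added example (not from the original handbook): take a SHA-256 baseline of a
# directory tree and diff a later scan against it, the workflow the fciv and
# md5deep commands above feed. SHA-256 is used instead of MD5/SHA-1 because an
# attacker can forge collisions for those; file names below are assumptions.
import hashlib
import json
import os
import sys


def hash_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Map every regular file under root: relative path -> sha256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not content
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def diff_baseline(old, new):
    """What a planted, removed or replaced binary shows up as."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    # usage: integrity.py <directory> <baseline.json>
    # the first run writes the baseline, later runs report the differences
    root, store = sys.argv[1], sys.argv[2]
    current = scan_tree(root)
    if os.path.exists(store):
        with open(store) as f:
            print(json.dumps(diff_baseline(json.load(f), current), indent=1))
    else:
        with open(store, "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
```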

3.5 NetBIOS

nbtscan scan

# nbtscan <target IP or range>

Example: nbtscan 192.168.1.2-100

 

4. Hardening

4.1 Windows

4.1.1 Disabling/stopping services

# C:> sc query

# C:> sc config "<service name>" start= disabled

# C:> sc stop "<service name>"

# C:> wmic service where name="<service name>" call ChangeStartmode Disabled

4.1.2 Firewall management

# List all rules:

# C:> netsh advfirewall firewall show rule name=all

# Enable or disable the firewall

C:> netsh advfirewall set currentprofile state on

C:> netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound

C:> netsh advfirewall set publicprofile state on

C:> netsh advfirewall set privateprofile state on

C:> netsh advfirewall set domainprofile state on

C:> netsh advfirewall set allprofiles state on

# Configuration examples

netsh advfirewall firewall add rule name="开放TCP:80端口" dir=in action=allow protocol=TCP localport=80

netsh advfirewall firewall add rule name="开放TCP:443端口" dir=in action=allow protocol=TCP localport=443

netsh advfirewall firewall add rule name="屏蔽TCP:445端口" dir=in action=block protocol=TCP localport=445

netsh advfirewall firewall add rule name="允许MyApp" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes

4.1.3 Flushing the DNS and NetBIOS caches

# C:> ipconfig /flushdns

# C:> nbtstat -R

4.1.4 Application control

# AppLocker configuration

# Import the AppLocker module

PS C:> Import-Module AppLocker

# Show AppLocker file information for every exe under System32

PS C:> Get-AppLockerFileInformation -Directory C:\Windows\System32 -Recurse -FileType Exe

# Build an allow rule set covering every exe under System32 (review the returned policy, then apply it with Set-AppLockerPolicy)

PS C:> Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix System32

4.1.5 IPsec

# Create a local IPsec policy authenticated with a pre-shared key and apply it to all connections and protocols.

C:> netsh ipsec static add filter filterlist=MyIPsecFilter srcaddr=Any dstaddr=Any protocol=ANY

C:> netsh ipsec static add filteraction name=MyIPsecAction action=negotiate

C:> netsh ipsec static add policy name=MyIPsecPolicy assign=yes

C:> netsh ipsec static add rule name=MyIPsecRule policy=MyIPsecPolicy filterlist=MyIPsecFilter filteraction=MyIPsecAction conntype=all activate=yes psk=<pre-shared key>

# Create an IPsec policy that permits outbound TCP 80 and 443 to the Internet

C:> netsh ipsec static add filteraction name=Allow action=permit

C:> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=80

C:> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=443

C:> netsh ipsec static add rule name=WebAllow policy=MyIPsecPolicy filterlist=WebFilter filteraction=Allow conntype=all activate=yes psk=<pre-shared key>

# Show and unassign an IPsec local policy

C:> netsh ipsec static show policy name=MyIPsecPolicy

C:> netsh ipsec static set policy name=MyIPsecPolicy assign=no

# Create the matching connection-security (IPsec) firewall rule, any source to any destination

C:> netsh advfirewall consec add rule name="IPSEC" endpoint1=any endpoint2=any action=requireinrequireout qmsecmethods=default

# Create the matching firewall rule: every outbound connection must be IPsec-authenticated (with the pre-shared key configured above)

C:> netsh advfirewall firewall add rule name="IPSEC_Out" dir=out action=allow enable=yes profile=any localip=any remoteip=any protocol=any interfacetype=any security=authenticate

4.1.6 Other security policies

# Disable Remote Desktop

C:> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 1

# Send NTLMv2 responses only (the handbook lists this against the "EternalBlue" attack; note that EternalBlue exploits SMBv1, so disabling SMBv1 is the direct mitigation, while this setting stops the host from sending the weaker LM/NTLMv1 responses)

C:> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel /t REG_DWORD /d 5 /f

# Disable IPv6

C:> reg add HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f

# Disable Sticky Keys

C:> reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f

# Disable administrative shares (servers/workstations)

C:> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareServer /t REG_DWORD /d 0

C:> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareWks /t REG_DWORD /d 0

# Disable the Registry Editor and the command prompt

C:> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:> reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

# Enable UAC

C:> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

# Enable firewall logging (the netsh firewall context is deprecated; current Windows versions expose the same logging settings under netsh advfirewall)

C:> netsh firewall set logging droppedpackets = enable

C:> netsh firewall set logging connections = enable

 

4.2 Linux

4.2.1 Service management

# Check service status

service --status-all

ps -ef OR ps aux

initctl list

systemctl list-unit-files

# Start, stop and disable services

# For SysV init / Upstart services:

/etc/init.d/apache2 start | stop | status

service apache2 start | stop | status

update-rc.d apache2 disable

# For systemd services

systemctl start | stop | status ntp.service

systemctl disable sshd.service

4.2.2 Firewall management

# Common iptables operations:

iptables-save > firewall_rules.bak # export the current rules

iptables -vnL --line-numbers # list all rules

iptables -S # same as above

iptables -P INPUT DROP # default policy: drop everything not explicitly allowed (add your ACCEPT rules, including one for established connections, before setting this over a remote SSH session, or you lock yourself out)

iptables -A INPUT -s 10.10.10.10 -j DROP # block a single IP

iptables -A INPUT -s 10.10.10.0/24 -j DROP # block a subnet

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP # block one IP from the local SSH service

iptables -A INPUT -p tcp --dport ssh -j DROP # block all access to the local SSH service

iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # enable logging

iptables -F # flush all loaded rules

4.2.3 DNS cache

# Unix/Linux has no system-level DNS cache by default (unless a caching resolver such as nscd, dnsmasq or systemd-resolved is running, in which case that service's own cache is what has to be flushed)

4.2.4 Configuring IPsec

# Establish an IPsec-protected channel between two servers (ESP in transport mode)

1.) Add firewall rules allowing the IPsec protocols

iptables -A INPUT -p esp -j ACCEPT

iptables -A INPUT -p ah -j ACCEPT

iptables -A INPUT -p udp --dport 500 -j ACCEPT

iptables -A INPUT -p udp --dport 4500 -j ACCEPT

2.) Install Racoon

apt -y install racoon

3.) Edit the configuration file /etc/ipsec-tools.conf

flush;
spdflush;

spdadd <host A IP> <host B IP> any -P out ipsec
    esp/transport//require;

spdadd <host B IP> <host A IP> any -P in ipsec
    esp/transport//require;

4.) Edit the configuration file /etc/racoon/racoon.conf (aggressive mode with a pre-shared key exposes the identity and allows the key to be attacked offline, and modp1024 is considered weak; where both peers support it, keep main mode only and use a stronger DH group)

log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote anonymous {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm aes_256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy off;
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm aes_256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

5.) Add the pre-shared key (one line per peer: peer identifier, then the key; 123 is the handbook's sample value, use a long random secret in practice and keep psk.txt readable only by root, or racoon refuses to load it)

Host A: echo "<host B IP> 123" >> /etc/racoon/psk.txt

Host B: echo "<host A IP> 123" >> /etc/racoon/psk.txt

6.) Restart the service, then check the negotiated SAs and the configured policies

service setkey restart

setkey -D

setkey -DP

5. Detection (visibility)

5.1 Network security monitoring

5.1.1 Packet capture and analysis

1.) TCPDUMP

3.) SNORT

snort -T -c /etc/snort/snort.conf # test the configuration file

snort -dv -r 001.log # analyze a capture file

snort -dvr 001.log icmp # show only ICMP packets

snort -K ascii -l 001 # capture, logging in ASCII format

snort -q -A console -i eth0 -c /etc/snort/snort.conf # print Snort events to the console

echo 'log tcp 192.168.1.0/24 any -> 192.168.1.95 22 ( msg: "ssh access"; sid:1618008; )' > 001.rule && snort -T -c 001.rule # test a rule

mkdir logs && snort -vd -c 001.rule -r 001.pcap -A console -l logs # run the rule against a capture

4.) Bro NSM

apt -y install bro bro-aux

pip install bro-pkg

bro-pkg install bro/hosom/file-extraction

wget https://www.malware-traffic-analysis.net/2018/01/12/2018-01-12-NanoCore-RAT-traffic.pcap.zip

wget https://www.bro.org/static/exchange-2013/faf-exercise.pcap

bro -r 2018-01-12-NanoCore-RAT-traffic.pcap # read the pcap and generate the log files

bro -r faf-exercise.pcap /root/.bro-pkg/scratch/file-extraction/scripts/plugins/extract-pe.bro && ls -lhct ./extract_files/ # extract PE (exe) files

bro -r faf-exercise.pcap /usr/share/bro/policy/frameworks/files/extract-all-files.bro # extract files of all types

bro -C -r faf-exercise.pcap && cat ssl.log | bro-cut server_name subject issuer # server_name, subject and issuer fields from the certificates

cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state # source IP, source port, destination IP, destination port, protocol, connection state

cat dns.log | bro-cut query | sort -u # DNS query names

cat http.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p host uri referrer # source IP, source port, destination IP, destination port, host, uri, referrer

cat http.log | bro-cut user_agent | sort -u # user_agent field
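The bro-cut pipelines above work on Zeek/Bro's tab-separated log format, where a #fields header names the columns and "-" marks an unset field. As an added example (not code from the handbook or from the Zeek project), this Python reader parses that format on a constructed conn.log and reproduces the column selection and the sort -u step:

```python
# Added example (not part of the handbook or of Zeek/Bro itself): a minimal
# reader for Zeek/Bro tab-separated logs that does what the bro-cut pipelines
# above do, select named columns and optionally unique-sort them. The log text
# below is constructed sample data, not output from a real capture.

SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1515750000.1\tC1\t10.0.0.5\t49152\t203.0.113.9\t443\ttcp\tssl\tSF
1515750001.2\tC2\t10.0.0.5\t49153\t203.0.113.9\t443\ttcp\t-\tS0
1515750002.3\tC3\t10.0.0.7\t5353\t224.0.0.251\t5353\tudp\tdns\tS0
#close\t2018-01-12-10-00-00
"""


def parse_zeek_log(text):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            continue  # #separator, #types, #close etc. carry no data
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch in row: %r" % line)
        yield dict(zip(fields, values))


def cut(text, *columns, unique=False):
    """bro-cut equivalent: pick columns; unique=True mimics '| sort -u'."""
    rows = [tuple(row[c] for c in columns) for row in parse_zeek_log(text)]
    return sorted(set(rows)) if unique else rows


if __name__ == "__main__":
    # same selection as: cat conn.log | bro-cut id.orig_h id.resp_h id.resp_p conn_state
    for row in cut(SAMPLE_CONN_LOG, "id.orig_h", "id.resp_h", "id.resp_p", "conn_state"):
        print("\t".join(row))
```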

5.) EDITCAP

editcap -F pcap -c 1000 original.pcap out_split.pcap # split into files of 1000 packets each

editcap -F pcap -i 3600 original.pcap out_split.pcap # split into one-hour files (-t would shift timestamps, not split)

6.) MERGECAP

mergecap -w merged_cap.pcap cap1.pcap cap2.pcap cap3.pcap # merge several capture files

7.) PacketTotal

https://www.packettotal.com/app/analysis?id=c8c11b792272ac19a49299a3687466be&name=files

8.) NetworkMiner

http://netres.ec/=173588E

5.2 Honeypots

5.2.1 Windows

1.) Port honeypot

# Principle: listen on a few unused ports; once a client completes a TCP connection, log the access and add a firewall rule blocking that source IP (whitelist your own scanners and monitoring hosts first, or they get blocked too)

PS C:> certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Pwdrkeg/honeyport/master/honeyport.ps1

PS C:> .\honeyport.ps1 -Ports 4444,22,21,23 -WhiteList 192.168.10.1,192.168.10.2 -Block $true -Verbose

PS C:> Get-EventLog HoneyPort # view the log

PS C:> Stop-Job -Name HoneyPort # stop the job

PS C:> Remove-Job -Name HoneyPort # remove the job

5.2.2 Linux

1.) Port honeypot

# Same principle as above

wget https://raw.githubusercontent.com/gchetrick/honeyports/master/honeyports-0.5.py

python honeyports-0.5.py -p 1234 -h 192.168.1.100 -D
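As an added example of the honeyport principle described above for both the Windows and the Linux variant (not the honeyport.ps1 or honeyports-0.5.py script the handbook links), the following Python listener logs every completed connection, honours a whitelist, and builds the iptables or netsh block rule; the platform names, rule wording and dry-run behaviour are assumptions:

```python
# Added example (not the honeyport.ps1 / honeyports-0.5.py scripts referenced
# above): a minimal port honeypot that logs every completed TCP connection and
# builds the firewall rule that would block the source. Rules are only returned
# and logged here (dry run); wiring them to iptables or netsh is left to the
# operator, and the whitelist semantics follow the -WhiteList option above.
import logging
import socket

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")


def block_command(ip, platform="linux"):
    """Firewall rule text for an offending IP, for the tools the handbook uses."""
    if platform == "windows":
        return ('netsh advfirewall firewall add rule name="HoneyPort %s" '
                'dir=in action=block remoteip=%s' % (ip, ip))
    return "iptables -I INPUT -s %s -j DROP" % ip


def decide(peer_ip, whitelist):
    """Whitelisted hosts (your own scanners, monitoring) are logged, never blocked."""
    return "allow" if peer_ip in whitelist else "block"


class HoneyPort:
    def __init__(self, port, whitelist=(), host="0.0.0.0", platform="linux"):
        self.whitelist = set(whitelist)
        self.platform = platform
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # actual port when port=0
        self.actions = []  # audit trail of (peer_ip, action, command)

    def handle_one(self):
        """Accept one connection, log it, decide, and close it at once."""
        conn, (peer_ip, peer_port) = self.sock.accept()
        conn.close()  # nothing is served: the connect itself is the signal
        action = decide(peer_ip, self.whitelist)
        cmd = block_command(peer_ip, self.platform) if action == "block" else ""
        logging.info("honeyport %d hit from %s:%d -> %s %s",
                     self.port, peer_ip, peer_port, action, cmd)
        self.actions.append((peer_ip, action, cmd))
        return action

    def serve_forever(self):
        while True:
            self.handle_one()
```

Run it as HoneyPort(4444, whitelist={"192.168.10.1"}).serve_forever() on a port nothing legitimate uses; any hit from a non-whitelisted address is a scan or lateral movement worth an alert before the block rule is applied.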

2.) (Passive) monitoring of DNS resolution

apt -y install dnstop

dnstop -l 3 eth0

dnstop -l 3 001.pcap > out.txt

 

5.3 Log auditing

5.3.1 Windows

# Increase the event log sizes so that audit data is retained

C:> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Application /v MaxSize /t REG_DWORD /d 0x19000

C:> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Security /v MaxSize /t REG_DWORD /d 0x64000

C:> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000

# Show the configuration of the Security event log

C:> wevtutil gl Security

# Check the audit policy

auditpol /get /category:*

# Enable success and failure auditing for every category

C:> auditpol /set /category:* /success:enable /failure:enable

# Summary of the configured event logs

PS C:> Get-EventLog -List

# The 5 newest Application log entries

PS C:> Get-EventLog -Newest 5 -LogName Application | Format-List

# All events with Event ID 4672

PS C:> Get-EventLog Security | Where-Object { $_.EventID -eq 4672 }

# Logon and logoff events

PS C:> Get-EventLog Security -InstanceId 4625,4634,4647,4624,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964 -After ((Get-Date).AddDays(-1))

# DPAPI activity, process termination, RPC events

PS C:> Get-EventLog Security -InstanceId 4692,4693,4694,4695,4689,5712 -After ((Get-Date).AddDays(-1))

# File share, file system, SAM, registry and certificate events

PS C:> Get-EventLog Security -InstanceId 4671,4691,4698,4699,4700,4701,4702,5148,5149,5888,5889,5890,4657,5039,4659,4660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5150,5151,5154,5155,5156,5157,5158,5159 -After ((Get-Date).AddDays(-1))

# Show details of Event ID 4672

PS C:> Get-EventLog Security | Where-Object { $_.EventID -eq 4672 } | Format-List
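The queries above only retrieve the logon events; turning them into an alert needs a rule over the sequence. The following added example (not code from the handbook) runs such a rule over constructed records shaped like the 4624/4625 events listed above: a burst of failures from one source followed by a success. The record layout, thresholds and sample values are assumptions:

```python
# Added example (not from the original handbook): detection logic over the
# logon event IDs the Get-EventLog queries above pull, run on constructed sample
# records instead of a live Security log. It flags a source that produced a
# burst of 4625 (failed logon) events and then a 4624 (successful logon) within
# the window, the brute-force/spray-then-success pattern. Thresholds and the
# record layout are assumptions; an exported Security log would be mapped to it.
from collections import defaultdict

# constructed records: (timestamp in seconds, event id, source ip, account)
SAMPLE_EVENTS = [
    (1000, 4625, "10.0.0.9", "alice"),
    (1010, 4625, "10.0.0.9", "bob"),
    (1020, 4625, "10.0.0.9", "carol"),
    (1030, 4625, "10.0.0.9", "dave"),
    (1045, 4624, "10.0.0.9", "dave"),
    (1100, 4625, "10.0.0.20", "erin"),
    (1200, 4624, "10.0.0.20", "erin"),
    (1300, 4672, "-", "SYSTEM"),  # special privileges assigned, not a logon
]


def failed_then_success(events, min_failures=4, window=300):
    """Return {source_ip: (failure_count, account)} for each source whose 4624
    success came after at least min_failures 4625s inside window seconds."""
    failures = defaultdict(list)  # source ip -> timestamps of its 4625 events
    hits = {}
    for ts, event_id, src, account in sorted(events):
        if event_id == 4625:
            failures[src].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= min_failures:
                hits[src] = (len(recent), account)
            failures[src] = []  # a success resets the counter for that source
    return hits


def accounts_tried(events, src):
    """Distinct accounts a source failed against: many accounts with few tries
    each is a password spray, one account with many tries is brute force."""
    return sorted({acct for _, eid, s, acct in events if eid == 4625 and s == src})


if __name__ == "__main__":
    for src, (n, acct) in failed_then_success(SAMPLE_EVENTS).items():
        print("%s: %d failures then success as %s (accounts tried: %s)"
              % (src, n, acct, ", ".join(accounts_tried(SAMPLE_EVENTS, src))))
```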

5.3.2 Linux

# Authentication logs

tail /var/log/auth.log

grep -i "fail" /var/log/auth.log

tail /var/log/secure

grep -i "fail" /var/log/secure

# Samba, cron and sudo logs

grep -i samba /var/log/syslog

grep -i samba /var/log/messages

grep -i cron /var/log/syslog

grep -i sudo /var/log/auth.log

grep -i sudo /var/log/secure

# Apache 404 errors (the spaces around 404 match the status field only, not a 404 inside a URL or byte count)

grep " 404 " apache.log | grep -v -E "favicon.ico|robots.txt"

# Watch for new files, refreshing every 5 minutes

watch -n 300 -d ls -lR /web_root

5.4 Response (forensics)

5.4.1 Windows

1.) System information

C:> echo %DATE% %TIME%

C:> hostname

C:> systeminfo

C:> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

C:> wmic csproduct get name

C:> wmic bios get serialnumber

C:> wmic computersystem list brief

C:> psinfo -accepteula -s -h -d

2.) User information

C:> whoami

C:> net users

C:> net localgroup administrators

C:> net group administrators

C:> wmic rdtoggle list

C:> wmic useraccount list

C:> wmic group list

C:> wmic netlogin get name,lastlogon,badpasswordcount

C:> wmic netclient list brief

C:> doskey /history > history.txt

3.) Network information

C:> netstat -e

C:> netstat -naob

C:> netstat -nr

C:> netstat -vb

C:> nbtstat -s

C:> route print

C:> arp -a

C:> ipconfig /displaydns

C:> netsh winhttp show proxy

C:> ipconfig /allcompartments /all

C:> netsh wlan show interfaces

C:> netsh wlan show all

C:> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v WinHttpSettings

C:> type %SYSTEMROOT%\system32\drivers\etc\hosts

C:> wmic nicconfig get description,IPaddress,MACaddress

C:> wmic netuse get name,username,connectiontype,localname

4.) Service information

C:> at

C:> tasklist

C:> tasklist /svc

C:> tasklist /SVC /fi "imagename eq svchost.exe"

C:> schtasks

C:> net start

C:> sc query

C:> wmic service list brief | findstr "Running"

C:> wmic service list config

C:> wmic process list brief

C:> wmic process list status

C:> wmic process list memory

C:> wmic job list brief

PS C:> Get-Service | Where-

Source: zhangge3663
