HTB Arctic [ATT&CK model] writeup series 7

Contents

0x00 Target machine overview

0x01 ATT&CK

What is ATT&CK used for?

Cyber Threat Actors

The ATT&CK model

Definition of TTP

0x02 PRE-ATT&CK

1. Priority Definition

2. Target Selection

3. Information Gathering

T1254    Conduct active scanning

4. Weakness Identification

T1287    Analyze data collected

T1291    Research relevant vulnerabilities/CVEs

5. Other parts of PRE-ATT&CK

0x03 ATT&CK

1. Initial Access

T1190    Exploit Public-Facing Application

2. Execution

T1173    Dynamic Data Exchange

T1059    Command-Line Interface

3. Persistence

4. Privilege Escalation

T1055    Process Injection (ms16-075)

T1055    Process Injection (ms16-014)

T1053    Scheduled Task (ms10-092)

5. Defense Evasion

6. Other parts of ATT&CK


0x00 Target machine overview

I decided to start with some Windows boxes and verify each stage of the process against ATT&CK.

0x01 ATT&CK

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a model that describes, from the attacker's point of view, the techniques used at each stage of an attack.

When MITRE defined ATT&CK, it defined several key objects:

  • Tactics
  • Techniques
  • Groups
  • Software

What is ATT&CK used for?

The official answer is:

  • Detection
  • Assessment and Engineering
  • Threat Intelligence
  • Adversary Emulation (APT emulation)

Cyber Threat Actors

Cyber threat actors are the source of attack activity in cyberspace. They differ in goals and motivation, and their capabilities fall into clearly distinct tiers. Judged by motivation, attack capability and the resources they control, cyber threat actors are divided into seven tiers:

  • Amateur hackers
  • Underground (black-market) groups
  • Cybercrime gangs or hacker groups
  • Cyber-terrorist organizations
  • State/regional actors of ordinary capability
  • State/regional actors of advanced capability
  • State/regional actors of exceptional capability

The ATT&CK model

The ATT&CK model currently has three parts: PRE-ATT&CK, the ATT&CK Matrix for Enterprise (covering Linux, macOS and Windows) and the ATT&CK Matrix for Mobile (covering iOS and Android). PRE-ATT&CK covers the first two stages of the kill chain (reconnaissance and weaponization); the ATT&CK Matrix for Enterprise covers the remaining five (delivery, exploitation, installation, command and control, actions on objectives); the ATT&CK Matrix for Mobile targets mobile platforms.

The tactics in PRE-ATT&CK are: priority definition, target selection, information gathering, weakness identification, offensive exploit development platforms, establish and maintain infrastructure, persona development, build capabilities, test capabilities and stage capabilities.

The tactics in the ATT&CK Matrix for Enterprise are: initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration and impact.

Definition of TTP

TTP describes adversary behavior. A tactic is the highest-level description of that behavior; a technique gives a more detailed description of the behavior within the context of a tactic; a procedure is a lower-level, still more detailed description within the context of a technique.

  • Tactic: the adversary's technical goal (e.g., lateral movement)
  • Technique: how that goal is achieved (e.g., PsExec)
  • Procedure: the concrete implementation of the technique (e.g., the steps of using PsExec for lateral movement)

0x02 PRE-ATT&CK

1. Priority Definition

Windows targets first, from easy to hard.

2. Target Selection

Target machine: Arctic

3. Information Gathering

Techniques

T1254    Conduct active scanning

Port scan results:

root@kali:~# nmap -T5 -A -v 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-04 09:46 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:46
Completed NSE at 09:46, 0.00s elapsed
Initiating NSE at 09:46
Completed NSE at 09:46, 0.00s elapsed
Initiating NSE at 09:46
Completed NSE at 09:46, 0.00s elapsed
Initiating Ping Scan at 09:46
Scanning 10.10.10.11 [4 ports]
Completed Ping Scan at 09:46, 0.64s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:46
Completed Parallel DNS resolution of 1 host. at 09:46, 0.31s elapsed
Initiating SYN Stealth Scan at 09:46
Scanning 10.10.10.11 [1000 ports]
Discovered open port 135/tcp on 10.10.10.11
Discovered open port 49154/tcp on 10.10.10.11
Discovered open port 8500/tcp on 10.10.10.11
Warning: 10.10.10.11 giving up on port because retransmission cap hit (2).
Increasing send delay for 10.10.10.11 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
SYN Stealth Scan Timing: About 48.10% done; ETC: 09:47 (0:00:33 remaining)
SYN Stealth Scan Timing: About 54.03% done; ETC: 09:48 (0:00:52 remaining)
SYN Stealth Scan Timing: About 64.80% done; ETC: 09:49 (0:01:02 remaining)
SYN Stealth Scan Timing: About 77.33% done; ETC: 09:50 (0:00:52 remaining)
SYN Stealth Scan Timing: About 86.20% done; ETC: 09:50 (0:00:37 remaining)
Completed SYN Stealth Scan at 09:51, 303.37s elapsed (1000 total ports)
Initiating Service scan at 09:51
Scanning 3 services on 10.10.10.11
Service scan Timing: About 66.67% done; ETC: 09:53 (0:00:35 remaining)
Completed Service scan at 09:53, 157.28s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.11
Retrying OS detection (try #2) against 10.10.10.11
Initiating Traceroute at 09:54
Completed Traceroute at 09:54, 0.44s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:54
Completed Parallel DNS resolution of 2 hosts. at 09:54, 2.29s elapsed
NSE: Script scanning 10.10.10.11.
Initiating NSE at 09:54
Completed NSE at 09:54, 4.25s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 1.38s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Nmap scan report for 10.10.10.11
Host is up (0.39s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|8.1|7|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (90%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.007 days (since Tue Feb  4 09:44:37 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   440.44 ms 10.10.14.1
2   440.52 ms 10.10.10.11

NSE: Script Post-scanning.
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 481.43 seconds
           Raw packets sent: 3267 (148.528KB) | Rcvd: 215 (11.216KB)

4. Weakness Identification

Techniques

T1287    Analyze data collected

Inspecting port 8500 reveals ColdFusion.

The ColdFusion version is confirmed as 8.
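
As an added example (not code from the original post), a small Python parser for the PORT/STATE/SERVICE/VERSION table in the Nmap output above: it pulls out the open ports and flags the ones nmap could only guess at (the trailing "?" on fmtp) or could not version, which is exactly the set an analyst inspects by hand in the T1287 step, as was done here with port 8500. The sample text is constructed from the scan lines shown on this page; the function and record names are my own.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the report section of the Nmap normal-format output
# shown above for 10.10.10.11, copied line for line.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.11
Host is up (0.39s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
"""

# One table row: "<port>/<proto>  <state>  <service>  [<version banner>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$")


class PortRecord(NamedTuple):
    port: int
    proto: str
    state: str
    service: str        # service name with nmap's trailing '?' (a guess) removed
    version: str        # empty when nmap produced no version banner
    needs_review: bool  # guessed service or missing version: inspect by hand


def parse_nmap_ports(text: str) -> List[PortRecord]:
    """Parse the PORT/STATE/SERVICE/VERSION table of nmap's normal output."""
    records = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:  # header, banner and summary lines do not match the row shape
            continue
        service = m.group("service")
        version = (m.group("version") or "").strip()
        guessed = service.endswith("?")
        records.append(PortRecord(
            port=int(m.group("port")), proto=m.group("proto"),
            state=m.group("state"), service=service.rstrip("?"),
            version=version, needs_review=guessed or not version))
    return records


def review_queue(records: List[PortRecord]) -> List[int]:
    """Open ports nmap could not fingerprint; on Arctic that is [8500] (ColdFusion 8)."""
    return [r.port for r in records if r.state == "open" and r.needs_review]
```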

T1291    Research relevant vulnerabilities/CVEs

Search the exploit database for ColdFusion-related entries:

root@kali:~# searchsploit coldfusion
---------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                        |  Path
                                                                                                                                                                      | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                                                                                                   | exploits/cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                                                                                                                | exploits/multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                                                                                                                   | exploits/multiple/remote/16985.rb
Adobe ColdFusion 2018 - Arbitrary File Upload                                                                                                                         | exploits/multiple/webapps/45979.txt
Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting                                                                                                     | exploits/cfm/webapps/29567.txt
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities                                                                                                    | exploits/cfm/webapps/36172.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass                                                                                                             | exploits/windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)                                                                                                | exploits/multiple/remote/30210.rb
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                                                                                                       | exploits/multiple/webapps/40346.py
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)                                                                                             | exploits/multiple/remote/24946.rb
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting                                          