A write-up of my own thoughts on and understanding of security testing; these are personal views.
Overall approach
- I roughly divide things into the system and the application
- The application provides services to the outside; the system supports the application's operation
- Security problems should cover two kinds: data insecurity (leakage of sensitive data) and service insecurity (the service can no longer be provided)
- A rough classification of common security problems:
  - Remote code execution: at worst a reverse shell running with root privileges; one level down, SQL injection against MySQL that exports sensitive data, or certain applications being made to operate on system data, etc.
  - Application or system crashes and overflow errors: internal error messages are thrown back to the caller
  - Local code execution: XSS attacks, leading to leakage of user data, etc.
  - Incomplete security policy: missing encryption or authentication, passwordless root login, CSRF attacks
- Practice first on deliberately vulnerable target machines; only afterwards try the test server
- Where the business logic itself involves high-risk operations, raise it as early as possible
Security testing
Permission review
Audit and supervise the permissions of internal staff so that sensitive data cannot be accessed at will
Account management
Strictly manage sensitive resources such as operations accounts and shared passwords, to reduce exposure to social engineering
External attacks
Penetration attacks
Attack the target machine: scan its OS version and look up the matching known vulnerabilities; scan the open ports and the services behind them and do the same
Tools
Nmap
nmap is a security scanner used to discover hosts and services on a computer network. To map the network, Nmap sends specially crafted packets to the target host and analyzes the packets that come back. Nmap is a powerful tool for enumerating and testing networks.
It is best run as root; otherwise some functions are unavailable.
nmap is also a good tool for network discovery.
- Scan an IP and its ports (some output removed)
nmap -vv .***.***.
Starting Nmap 7.60 ( https://nmap.org ) at 2020-07-16 11:38 CST
Initiating ARP Ping Scan at 11:38
Scanning ***.***.***.*** [1 port]
Completed ARP Ping Scan at 11:38, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:38
Completed Parallel DNS resolution of 1 host. at 11:38, 0.03s elapsed
Initiating SYN Stealth Scan at 11:38
Scanning ***.***.***.*** [1000 ports]
Discovered open port 21/tcp on ***.***.***.***
Discovered open port 22/tcp on ***.***.***.***
Discovered open port 8080/tcp on ***.***.***.***
Completed SYN Stealth Scan at 11:38, 17.96s elapsed (1000 total ports)
Nmap scan report for ***.***.***.***
Host is up, received arp-response (0.00014s latency).
Scanned at 2020-07-16 11:38:28 CST for 18s
Not shown: 993 filtered ports
Reason: 968 no-responses and 25 host-prohibiteds
PORT STATE SERVICE REASON
20/tcp closed ftp-data reset ttl 63
21/tcp open ftp syn-ack ttl 63
22/tcp open ssh syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
MAC Address: 00:0C:29:BE:62:7C (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 18.36 seconds
Raw packets sent: 2969 (130.620KB) | Rcvd: 41 (2.540KB)
In most cases this only tells you which ports the server has open and is of little further use.
- Version detection: service versions and OS version
sudo nmap -sV -O .***.***.
-sV detects service versions, -O detects the operating system
Starting Nmap 7.60 ( https://nmap.org ) at 2020-07-16 14:00 CST
Nmap scan report for ***.***.***.***
Host is up (0.00017s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
8080/tcp open http Apache Tomcat 8.5.54
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
---------
MAC Address: -------
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.39 seconds
Now the service on each port and its version are visible, along with the OS version; known vulnerabilities can be looked up by version number (to be confirmed)
- Run some NSE scripts
nmap --script ftp-anon <target>
Official script index: https://nmap.org/nsedoc/ (<target> above stands for the host being scanned)
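As an added example (not code from the original post), here is a small Python parser for the port table in nmap's normal output, run over the -sV -O output above as sample input. It compares the open ports nmap found against the ports the service owner expects to be exposed, and collects the version strings that the post says are the starting point for looking up known vulnerabilities. The expected-port map {22: "ssh"} is an assumption chosen for illustration; on a real host the baseline comes from the service's deployment record.

```python
import re
from dataclasses import dataclass

# Sample input: the service/version scan output from the post above, with the
# same redactions (***.***.***.***). Used here as constructed test data.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2020-07-16 14:00 CST
Nmap scan report for ***.***.***.***
Host is up (0.00017s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
8080/tcp open http Apache Tomcat 8.5.54
Device type: general purpose
Running: Linux 3.X|4.X
OS details: Linux 3.10 - 4.8
"""

# One row of nmap's port table: "<port>/<proto> <state> <service> [<version...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # empty when nmap printed no version


def parse_nmap(text):
    """Parse the port table of nmap's normal output into Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, (version or "").strip()))
    return services


def os_details(text):
    """Return nmap's 'OS details:' guess, or None if -O produced none."""
    for line in text.splitlines():
        if line.startswith("OS details:"):
            return line.split(":", 1)[1].strip()
    return None


def audit_exposure(text, expected_open):
    """Compare what the scan found open against what the owner expects.

    expected_open maps port -> service name, e.g. {22: "ssh"} (assumed baseline).
    Returns (unexpected_open_ports, expected_but_closed_ports, version_by_port).
    """
    found = {s.port: s for s in parse_nmap(text) if s.state == "open"}
    unexpected = sorted(p for p in found if p not in expected_open)
    missing = sorted(p for p in expected_open if p not in found)
    versions = {p: s.version for p, s in found.items()}
    return unexpected, missing, versions


if __name__ == "__main__":
    unexpected, missing, versions = audit_exposure(SAMPLE_NMAP_OUTPUT, {22: "ssh"})
    print("OS guess:", os_details(SAMPLE_NMAP_OUTPUT))
    for port in unexpected:
        print(f"unexpected open port {port}: {versions[port]}")
    for port in missing:
        print(f"expected port {port} is not open")
```

Against the sample, ports 21 (vsftpd 3.0.2) and 8080 (Apache Tomcat 8.5.54) are reported as unexpected; each of those version strings is what you would take to the vulnerability databases listed later in the post.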
chen@***:~$ sudo nmap -p 22 --script ssh-brute ***.***.***.***
Starting Nmap 7.60 ( https://nmap.org ) at 2020-07-16 14:19 CST
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: administrator:administrator
NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin
NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin
NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin
NSE: [ssh-brute] Trying username/password pair: guest:guest
NSE: [ssh-brute] Trying username/password pair: user:user
NSE: [ssh-brute] Trying username/password pair: web:web
NSE: [ssh-brute] Trying username/password pair: test:test
NSE: [ssh-brute] Trying username/password pair: root:
NSE: [ssh-brute] Trying username/password pair: admin:
NSE: [ssh-brute] Trying username/password pair: administrator:
NSE: [ssh-brute] Trying username/password pair: webadmin:
NSE: [ssh-brute] Trying username/password pair: sysadmin:
NSE: [ssh-brute] Trying username/password pair: netadmin:
NSE: [ssh-brute] Trying username/password pair: guest:
NSE: [ssh-brute] Trying username/password pair: user:
NSE: [ssh-brute] Trying username/password pair: web:
NSE: [ssh-brute] Trying username/password pair: test:
NSE: [ssh-brute] Trying username/password pair: root:123456
NSE: [ssh-brute] Trying username/password pair: admin:123456
NSE: [ssh-brute] Trying username/password pair: administrator:123456
NSE: [ssh-brute] Trying username/password pair: webadmin:123456
NSE: [ssh-brute] Trying username/password pair: sysadmin:123456
NSE: [ssh-brute] Trying username/password pair: netadmin:123456
NSE: [ssh-brute] Trying username/password pair: guest:123456
NSE: [ssh-brute] Trying username/password pair: user:123456
NSE: [ssh-brute] Trying username/password pair: web:123456
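The defender's counterpart of the ssh-brute run above is to notice it in the authentication log. The following Python detector is an added example, not code from the post: it reads sshd lines in syslog format, counts password failures per source address inside a sliding window, records which usernames were tried, and raises a second, higher-priority alert if the same source then logs in successfully. The log lines, the threshold of 5 failures in 60 seconds, and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in traditional syslog format (not from the post).
# 198.51.100.23 and 192.0.2.7 are RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG = """\
Jul 16 14:19:01 target sshd[2101]: Failed password for root from 198.51.100.23 port 40110 ssh2
Jul 16 14:19:01 target sshd[2102]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Jul 16 14:19:02 target sshd[2103]: Failed password for invalid user administrator from 198.51.100.23 port 40114 ssh2
Jul 16 14:19:02 target sshd[2104]: Failed password for invalid user webadmin from 198.51.100.23 port 40116 ssh2
Jul 16 14:19:03 target sshd[2105]: Failed password for invalid user sysadmin from 198.51.100.23 port 40118 ssh2
Jul 16 14:19:03 target sshd[2106]: Failed password for invalid user guest from 198.51.100.23 port 40120 ssh2
Jul 16 14:19:05 target sshd[2107]: Accepted password for root from 198.51.100.23 port 40122 ssh2
Jul 16 14:19:20 target sshd[2108]: Accepted password for chen from 192.0.2.7 port 51822 ssh2
Jul 16 14:21:00 target sshd[2109]: Failed password for chen from 192.0.2.7 port 51830 ssh2
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2"
)

WINDOW_SECONDS = 60  # assumed tuning values for the example
THRESHOLD = 5


def parse_auth_log(text):
    """Return (timestamp, outcome, user, source_ip) tuples for sshd auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        # syslog lines carry no year; a 1900 default is fine for relative timing
        events.append((datetime.strptime(ts, "%b %d %H:%M:%S"), outcome, user, ip))
    return events


def detect_bruteforce(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """One 'bruteforce' alert per source whose failures in `window` seconds reach
    `threshold`, and a 'success_after_bruteforce' alert each time such a source
    then authenticates successfully (a guessed password, not just noise)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    users_tried = defaultdict(set)
    alerted = set()
    alerts = []
    # stable sort on time keeps log order for lines with the same second
    for when, outcome, user, ip in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        while q and (when - q[0]).total_seconds() > window:
            q.popleft()
        if outcome == "Failed":
            q.append(when)
            users_tried[ip].add(user)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "failures": len(q),
                               "users": sorted(users_tried[ip])})
        elif outcome == "Accepted" and len(q) >= threshold:
            alerts.append({"type": "success_after_bruteforce", "ip": ip, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The single failed login from 192.0.2.7 never reaches the threshold and stays silent; the run from 198.51.100.23 trips the brute-force alert on its fifth failure, and the later successful root login from the same address produces the second alert, which is the one that needs an immediate response. The same counters are what a rate limiter such as fail2ban acts on; combined with the account-permission advice later in the post (no direct root login), the successful-login case cannot arise at all.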
Nessus
Nessus is billed as "the world's most popular vulnerability scanner, used by more than 75,000 organizations worldwide". Although the scanner can be downloaded free of charge, keeping it updated with all the latest threat information from Tenable Network Security costs a direct subscription fee of $1,200 per year. Nessus is available for Linux, FreeBSD, Solaris, Mac OS X and Windows.
Metasploit
Metasploit is a free, downloadable framework through which one can easily obtain, develop and launch attacks against software vulnerabilities. It ships with hundreds of professional-grade exploit modules for known software vulnerabilities. As a vulnerability scanner its built-in tooling is somewhat weaker than Nessus, but it can import the results of other scanners, Nessus included.
Metasploit thoughtfully comes with a companion target machine full of vulnerabilities, convenient for practice and for building confidence
https://github.com/rapid7/metasploitable3
OWASP ZAP
Better than nothing: the OWASP ZAP attack proxy is one of the most popular free security tools in the world. ZAP helps you find security vulnerabilities in web applications automatically while you develop and test them. It is also an excellent tool for experienced penetration testers doing manual security testing.
OWASP is regarded as the authoritative reference in the field of web application security
Vulnerability databases
- CVE: http://cve.mitre.org/
- China National Vulnerability Database of Information Security (CNNVD): http://www.cnnvd.org.cn/
Simple countermeasures
Firewall
Enable iptables or a similar host firewall
- Deny access to all ports by default (one policy per chain)
# when working over SSH, add the ACCEPT rules below first; setting the policies first cuts the session
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
- Open a specified port, here 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# with OUTPUT defaulting to DROP, the host's own outbound traffic (DNS lookups, package updates) needs rules of its own
Account permissions
Evaluate the environment the service runs in; anything easily reachable from outside should have strict access control
- Avoid using root directly
- Set a password for root, or disable the account
Application injection risks
Front-end and back-end code should ideally go through a code-review assessment for:
- SQL injection
- XSS attacks
- CSRF attacks
- Other shell script execution
For web application security, refer to OWASP
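For the code-review items listed above, here is an added example (not code from the original post) showing the vulnerable and hardened form of each in Python: SQL built by string formatting beside a parameterized query against an in-memory SQLite table, reflected HTML output with and without escaping, and a constant-time CSRF token check. The table rows and the inputs are constructed for the example; the function names are ours.

```python
import html
import secrets
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not data from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
    ])
    return conn


def find_user_vulnerable(conn, name):
    # BAD: the input is pasted into the SQL text, so a quote inside `name`
    # ends the literal and the rest becomes SQL syntax.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # GOOD: the value travels as a bound parameter; whatever it contains, it is
    # compared as data and can never change the shape of the query.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(name):
    # BAD: reflected input lands in the page unescaped, so markup in `name` runs.
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    # GOOD: escape at the output boundary; markup in `name` is shown as text.
    return f"<p>Hello, {html.escape(name)}</p>"


def issue_csrf_token():
    """Per-session random token to store server-side and embed in the form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted):
    """Reject a state-changing POST unless the submitted token matches the session's.
    compare_digest keeps the comparison time independent of where the mismatch is."""
    if not session_token or not submitted:
        return False
    return secrets.compare_digest(session_token, submitted)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable query returned", len(find_user_vulnerable(db, probe)), "rows")
    print("parameterized query returned", len(find_user_safe(db, probe)), "rows")
    print(render_greeting_safe("<b>chen</b>"))
```

The review rule that falls out of this is mechanical: any query text assembled with f-strings, `%` or `+` from request data is a finding, as is any template or response that writes request data without escaping, and any state-changing handler that does not check a token tied to the session.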