Preface
The idea of red team versus blue team can be traced back to China's oldest surviving military treatise, The Art of War. The chapter "Attack by Stratagem" contains the line "Know the enemy and know yourself, and in a hundred battles you will never be in peril", meaning that if you understand both your own side and the enemy's thoroughly, you will not lose no matter how many battles you fight. In information security there is now a broad consensus: "without knowing how to attack, how can you know how to defend?" Offense and defense are a continuous contest, and in any concrete engagement the side that knows more about its opponent holds the upper hand. The main purpose of red/blue exercises is to raise an organization's security maturity and its ability to detect and respond to attacks.
Preparation
1) Organization chart
2) Network-wide topology diagram
3) Logical architecture diagram of each system
4) Call relationships between systems
5) Data-flow relationships
6) Inventory of core assets
7) Incident response plan
8) Business continuity plan
9) Disaster recovery plan
Basic Security Assessment
1. Port Scanning and Vulnerability Detection
1.1 Host discovery (ping probe)
# nmap -sn -PE <ip-or-range>
1.2 Port scan
# nmap --open <ip-or-range>
1.3 Service version detection
# nmap -sV <ip-or-range>
1.4 Scan specific ports
# nmap -p 80,443 <ip-or-range>
1.5 UDP scan
# nmap -sU -p 53 <ip-or-range>
1.6 Combined TCP/UDP scan (-Pn skips host discovery)
# nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <ip-or-range>
1.7 Nessus scan
# nessus -q -x -T html <server-ip> <server-port> <admin-account> <password> <targets.txt> <report.html>
1.8 OpenVAS scan
# apt -y install pcregrep
# wget https://goo.gl/TYbLwE
# chmod +x openvas-automate.sh && ./openvas-automate.sh <target-ip>
WINDOWS
2.1 Network discovery
Basic network discovery:
C:\> net view /all
C:\> net view \\<hostname>
Ping sweep:
# find "回复" matches the ping output of Chinese Windows; on an English system use find "Reply"
C:\> for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "回复" >> output.txt
2.2 DHCP
Enable DHCP server logging:
C:\> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1
Default log directory:
%windir%\System32\Dhcp
2.3 DNS
Enable DNS server logging:
C:\> DNSCmd <dns-server> /config /logLevel 0x8100F331
# Set the log file path:
C:\> DNSCmd <dns-server> /config /LogFilePath C:\dns.log
# Set the maximum log file size:
C:\> DNSCmd <dns-server> /config /logfilemaxsize 0xffffffff
2.4 Hashes
File Checksum Integrity Verifier (FCIV):
Ref: http://support2.microsoft.com/kb/841290
# Single file:
C:\> fciv.exe <filename>
# Hash every file on the C: drive and save the results to a file:
C:\> fciv.exe c:\ -r -sha1 -xml results.xml
# List all stored hashes:
C:\> fciv.exe -list -sha1 -xml results.xml
# certutil and PowerShell
C:\> certutil -hashfile <filename> SHA1
PS C:\> Get-FileHash <filename> | Format-List
PS C:\> Get-FileHash -Algorithm MD5 <filename>
2.5 NetBIOS
nbtstat scan
C:\> nbtstat -A <target-ip>
NetBIOS name cache
C:\> nbtstat -c
Batch scan
C:\> for /L %I in (1,1,254) do nbtstat -An 192.168.1.%I
2.6 Microsoft Baseline Security Analyzer (MBSA)
Scan a single IP
C:\> mbsacli.exe /target <ip> /n os+iis+sql+password
Scan an IP range
C:\> mbsacli.exe /r <ip-range> /n os+iis+sql+password
LINUX
3.1 Network discovery
List open SMB shares
# smbclient -L <target-host>
Ping sweep
# for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip > /dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
3.2 DHCP
DHCP logs
RHEL/CentOS
# cat /var/lib/dhcpd/dhcpd.leases
Debian/Ubuntu
# grep -Ei 'dhcp' /var/log/syslog.1
3.3 DNS
DNS query logging
# rndc querylog && tail -f /var/log/messages | grep named
3.4 Hashes
Compute hashes of all files under a directory
# find /sbin -type f -exec md5sum {} \; >> md5sums.txt
# md5deep -rs /sbin > md5sums.txt
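The two commands above only produce a list of hashes. The defensive value (on Windows with FCIV as much as on Linux with md5deep) comes from keeping that list as a baseline and diffing a fresh run against it, which is what the following Python script does. It is an added example, not part of the original cheat sheet: it walks a directory, records a SHA-256 per regular file, and reports files that were added, removed or modified relative to a saved baseline. The directory layout and file contents in demo() are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Return the hex digest of a file, read in chunks so large binaries fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Hash every regular file under root; keys are paths relative to root with / separators."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files, like `find -type f`
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algorithm)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Diff two hash maps: sorted added/removed/modified paths plus a count of unchanged files."""
    old_paths, new_paths = set(baseline), set(current)
    common = old_paths & new_paths
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "unchanged": sum(1 for p in common if baseline[p] == current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a fake sbin directory, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        _write(root, "sbin/ifconfig", b"original binary A")
        _write(root, "sbin/ip", b"original binary B")
        _write(root, "sbin/ss", b"original binary C")
        baseline_file = os.path.join(root, "baseline.json")  # kept outside the hashed tree
        save_baseline(build_baseline(sbin), baseline_file)

        _write(root, "sbin/ip", b"tampered binary B")      # modified in place
        os.remove(os.path.join(sbin, "ss"))                 # removed
        _write(root, "sbin/evil", b"new unexpected file")   # added
        return compare(load_baseline(baseline_file), build_baseline(sbin))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline file belongs on read-only or off-host storage; a baseline an intruder can rewrite proves nothing.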
3.5 NetBIOS
nbtscan scan
# nbtscan <target-ip-or-range>
Example: nbtscan 192.168.1.2-100
Security Hardening
4.1 WINDOWS
4.1.1 Disable/stop services
C:\> sc query
C:\> sc config "<service-name>" start= disabled
C:\> sc stop "<service-name>"
C:\> wmic service where name="<service-name>" call ChangeStartmode Disabled
4.1.2 Firewall management
# List all rules:
C:\> netsh advfirewall firewall show rule name=all
# Enable or disable the firewall:
C:\> netsh advfirewall set currentprofile state on
C:\> netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
C:\> netsh advfirewall set publicprofile state on
C:\> netsh advfirewall set privateprofile state on
C:\> netsh advfirewall set domainprofile state on
C:\> netsh advfirewall set allprofiles state on
C:\> netsh advfirewall set allprofiles state off
# Rule examples:
C:\> netsh advfirewall firewall add rule name="Allow TCP 80" dir=in action=allow protocol=TCP localport=80
C:\> netsh advfirewall firewall add rule name="Allow TCP 443" dir=in action=allow protocol=TCP localport=443
C:\> netsh advfirewall firewall add rule name="Block TCP 445" dir=in action=block protocol=TCP localport=445
C:\> netsh advfirewall firewall add rule name="Allow MyApp" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
4.1.3 Flush the DNS cache and the NetBIOS cache
C:\> ipconfig /flushdns
C:\> nbtstat -R
4.1.4 Application control
# AppLocker configuration
# Import the AppLocker module
PS C:\> Import-Module AppLocker
# Show AppLocker file information for all .exe files under System32
PS C:\> Get-AppLockerFileInformation -Directory C:\Windows\System32 -Recurse -FileType Exe
# Create an allow policy covering all .exe files under System32
PS C:\> Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix System32
4.1.5 IPsec
# Create a local IPsec policy using a pre-shared key and apply it to all connections and protocols
C:\> netsh ipsec static add filter filterlist=MyIPsecFilter srcaddr=Any dstaddr=Any protocol=ANY
C:\> netsh ipsec static add filteraction name=MyIPsecAction action=negotiate
C:\> netsh ipsec static add policy name=MyIPsecPolicy assign=yes
C:\> netsh ipsec static add rule name=MyIPsecRule policy=MyIPsecPolicy filterlist=MyIPsecFilter filteraction=MyIPsecAction conntype=all activate=yes psk=<psk>
# Create an IPsec rule permitting outbound TCP 80 and 443 to external networks
C:\> netsh ipsec static add filteraction name=Allow action=permit
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=80
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=443
C:\> netsh ipsec static add rule name=WebAllow policy=MyIPsecPolicy filterlist=WebFilter filteraction=Allow conntype=all activate=yes psk=<psk>
# Show and unassign a local IPsec policy
C:\> netsh ipsec static show policy name=MyIPsecPolicy
C:\> netsh ipsec static set policy name=MyIPsecPolicy assign=no
# Create the matching connection security rule in the firewall, any source to any destination
C:\> netsh advfirewall consec add rule name="IPSEC" endpoint1=any endpoint2=any action=requireinrequireout qmsecmethods=default
# Create the matching outbound firewall rule: every outbound connection must authenticate with the pre-shared key
C:\> netsh advfirewall firewall add rule name="IPSEC_Out" dir=out action=allow enable=yes profile=any localip=any remoteip=any protocol=any interfacetype=any security=authenticate
4.1.6 Other security policies
# Disable Remote Desktop connections
C:\> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 1
# Send NTLMv2 responses only (against "EternalBlue" attacks)
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel /t REG_DWORD /d 5 /f
# Disable IPv6
C:\> reg add HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f
# Disable Sticky Keys
C:\> reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
# Disable administrative shares (servers / workstations)
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareServer /t REG_DWORD /d 0
C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareWks /t REG_DWORD /d 0
# Disable the registry editor and the command prompt for the current user
C:\> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\> reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
# Enable UAC
C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
# Enable firewall logging
C:\> netsh firewall set logging droppedpackets = enable
C:\> netsh firewall set logging connections = enable
4.2 LINUX
4.2.1 Service management
# Check service status
service --status-all
ps -ef   OR   ps aux
initctl list
systemctl list-unit-files
# Start, stop and disable services
# For Upstart services:
/etc/init.d/apache2 start | stop | status
service apache2 start | stop | status
update-rc.d apache2 disable
# For systemd services:
systemctl start | stop | status ntp.service
systemctl disable sshd.service
4.2.2 Firewall management
# Common iptables operations:
iptables-save > firewall_rules.bak   # export the current rules
iptables -vnL --line-numbers   # list all rules
iptables -S   # same, in iptables-save syntax
iptables -P INPUT DROP   # default policy: drop all inbound connections
iptables -A INPUT -s 10.10.10.10 -j DROP   # block a single IP
iptables -A INPUT -s 10.10.10.0/24 -j DROP   # block a subnet
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP   # block one IP from reaching the local SSH service
iptables -A INPUT -p tcp --dport ssh -j DROP   # block all access to the local SSH service
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7   # enable logging
iptables -F   # flush all loaded rules
4.2.3 DNS cache
# Unix/Linux systems have no system-level DNS cache
4.2.4 Configuring IPsec
# Establish an IPsec tunnel between two servers
1.) Add firewall rules allowing the IPsec protocols
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
2.) Install Racoon
apt -y install racoon
3.) Security policy database, loaded by setkey (/etc/ipsec-tools.conf)
flush;
spdflush;
spdadd <host-A-ip> <host-B-ip> any -P out ipsec
esp/transport//require;
spdadd <host-B-ip> <host-A-ip> any -P in ipsec
esp/transport//require;
4.) Racoon configuration (/etc/racoon/racoon.conf)
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm aes_256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy off;
}
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm aes_256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
5.) Add the pre-shared key
Host A: echo <host-B> 123 >> /etc/racoon/psk.txt
Host B: echo <host-A> 123 >> /etc/racoon/psk.txt
6.) Restart the service, then check the negotiation and the installed policies
service setkey restart
setkey -D
setkey -DP
Detection (Visibility)
5.1 Network security monitoring
5.1.1 Packet capture and analysis
1.) TCPDUMP
tcpdump -tttt -n -vv   # print full timestamps, no name resolution, verbose output
tcpdump -nn -c 1000 | awk '{print $3}' | cut -d. -f1-4 | sort -n | uniq -c | sort -nr   # capture 1000 packets and find the top talkers
tcpdump -w target.pcap -i any dst <target-ip> and port 80   # capture packets to <target-ip> port 80 on all interfaces and write them to target.pcap
tcpdump 'host 10.0.0.1 && host 10.0.0.2'   # traffic between two hosts
tcpdump 'not net 10.10 && not host 192.168.1.2'   # traffic excluding the 10.10 network and the host 192.168.1.2
tcpdump 'host 10.10.10.10 && (10.10.10.20 or 10.10.10.30)'   # traffic between host A and either host B or host C
tcpdump -n -s0 -C 100 -w 001.pcap   # rotate: start a new file once the current one exceeds 100 MB
tcpdump -w - | ssh <server-ip> -p 50005 "cat - > /tmp/remotecapture.pcap"   # save the capture to /tmp/remotecapture.pcap on a remote server
tcpdump -n -A -s0 port http or port ftp or port smtp or port imap or port pop3 | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|Passwd=|password=|pass:|user:|username:|password:|login:|pass|user' --color=auto --line-buffered -B20   # spot cleartext passwords on the wire
tcpdump -s 1500 -A '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'   # look for self-signed certificates (the filter matches TLS ClientHello records)
2.) TSHARK
tshark -nr 001.pcap -Y "ssl.handshake.ciphersuites" -Vx | grep "ServerName:" | sort | uniq -c | sort -r   # extract the Server Name field from TLS handshakes
tshark -D   # list all interfaces
tshark -i eth0 -i eth1   # capture on multiple interfaces
tshark -nn -w 001.pcap   # disable name resolution and write to a file
tshark arp or icmp   # capture ARP or ICMP
tshark "host <host-A> && host <host-B>"   # traffic between two hosts
tshark -r 001.pcap   # analyze a saved capture
tshark -n -e ip.src -e ip.dst -T fields -E separator=, -2 -R ip -r 001.pcap   # extract source/destination IP addresses
tshark -n -e ip.src -e dns.qry.name -E separator=';' -T fields port 53   # extract the source IP and queried name of DNS queries
tshark -2 -R http.request -T fields -E separator=';' -e http.host -e http.request.uri -r 001.pcap   # extract the Host header and request URI of HTTP requests
tshark -n -c 150 | awk '{print $4}' | sort -n | uniq -c | sort -nr   # top talkers
tshark -q -z io,phs -r 001.pcap   # protocol hierarchy statistics
tshark -n -c 100 -e ip.src -Y "dns.flags.response eq 1" -T fields port 53   # extract the addresses of responding DNS servers
tshark -n -e http.request.uri -Y http.request -T fields | grep exe   # extract HTTP requests that download .exe files
3.) SNORT
snort -T -c /etc/snort/snort.conf   # test the configuration file
snort -dv -r 001.log   # analyze a capture file
snort -dvr 001.log icmp   # read only the ICMP packets
snort -K ascii -l 001   # capture and log in ASCII format
snort -q -A console -i eth0 -c /etc/snort/snort.conf   # print Snort events to the console
echo 'log tcp 192.168.1.0/24 any -> 192.168.1.95 22 ( msg: "ssh access" ; sid:1618008; )' > 001.rule && snort -T -c 001.rule   # test a rule
mkdir logs && snort -vd -c 001.rule -r 001.pcap -A console -l logs   # run the rule against a capture
4.) Bro NSM
apt -y install bro bro-aux
pip install bro-pkg
bro-pkg install bro/hosom/file-extraction
wget https://www.malware-traffic-analysis.net/2018/01/12/2018-01-12-NanoCore-RAT-traffic.pcap.zip
wget https://www.bro.org/static/exchange-2013/faf-exercise.pcap
bro -r 2018-01-12-NanoCore-RAT-traffic.pcap   # read a pcap and generate the Bro log files
bro -r faf-exercise.pcap /root/.bro-pkg/scratch/file-extraction/scripts/plugins/extract-pe.bro && ls -lhct ./extract_files/   # extract .exe files
bro -r faf-exercise.pcap /usr/share/bro/policy/frameworks/files/extract-all-files.bro   # extract files of all types
bro -C -r faf-exercise.pcap && cat ssl.log | bro-cut server_name , subject , issuer   # extract the server_name, subject and issuer fields from certificates
cat conn.log | bro-cut id.orig_h , id.orig_p , id.resp_h , id.resp_p , proto , conn_state   # source IP/port, destination IP/port, protocol, connection state
cat dns.log | bro-cut query | sort -u   # extract DNS query names
cat http.log | bro-cut id.orig_h , id.orig_p , id.resp_h , id.resp_p , host , uri , referrer   # source IP/port, destination IP/port, host, uri, referrer
cat http.log | bro-cut user_agent | sort -u   # extract the user_agent field
5.) EDITCAP
editcap -F pcap -c 1000 original.pcap out_split.pcap   # split into files of 1000 packets
editcap -F pcap -t+3600 original.pcap out_split.pcap   # split into one-hour files
6.) MERGECAP
mergecap -w merged_cap.pcap cap1.pcap cap2.pcap cap3.pcap   # merge multiple captures
7.) PacketTotal
https://www.packettotal.com/app/analysisd=c8c11b792272ac19a49299a3687466be&name=files
8.) NetworkMiner
http://netres.ec/=173588E
5.2 Honeypot Techniques
5.2.1 WINDOWS
1.) Honeyport
# Principle: listen on a few ports; when a client completes a TCP connection, log the access and add a firewall rule blocking that IP
PS C:\> certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Pwdrkeg/honeyport/master/honeyport.ps1
PS C:\> .\honeyport.ps1 -Ports 4444,22,21,23 -WhiteList 192.168.10.1,192.168.10.2 -Block $true -Verbose
PS C:\> Get-EventLog HoneyPort   # view the log entries
PS C:\> Stop-Job -Name HoneyPort   # stop the job
PS C:\> Remove-Job -Name HoneyPort   # remove the job
5.2.2 LINUX
1.) Honeyport
# Same principle as above
wget https://raw.githubusercontent.com/gchetrick/honeyports/master/honeyports-0.5.py
python honeyports-0.5.py -p 1234 -h 192.168.1.100 -D
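The principle stated for both the Windows and the Linux honeyport (accept a TCP connection on a port nothing legitimate uses, log the peer, block it unless whitelisted) is small enough to show end to end. The Python listener below is an added example, not the honeyport.ps1 or honeyports-0.5.py scripts the cheat sheet downloads. It records each hit and builds the block rule that the hardening sections of this page use (iptables -A INPUT -s <ip> -j DROP, or a netsh advfirewall rule with action=block) without executing it, so it can be run anywhere without touching a firewall; run_demo() connects to the listener once from localhost, and the whitelist addresses are constructed.

```python
import platform
import socket
import threading
import time
from datetime import datetime, timezone


def block_command(ip, system=None):
    """Build (but do not run) the firewall rule that would block ip on this OS."""
    system = system or platform.system()
    if system == "Windows":
        return ["netsh", "advfirewall", "firewall", "add", "rule",
                f"name=HoneyPort block {ip}", "dir=in", "action=block", f"remoteip={ip}"]
    return ["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"]


class HoneyPort:
    """Listen on a port nothing legitimate uses; every completed TCP connection is suspicious."""

    def __init__(self, port=0, whitelist=(), block=True, host="127.0.0.1"):
        self.whitelist = set(whitelist)
        self.block = block
        self.events = []                # one dict per connection, oldest first
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0 lets the OS pick a free port (handy for tests)
        self._sock.listen(5)
        self._sock.settimeout(0.2)      # so the accept loop notices stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def handle(self, src_ip, src_port):
        """Decide what to do with a connecting peer and record the decision."""
        if src_ip in self.whitelist:
            action = "whitelisted"
        elif self.block:
            action = "blocked"
        else:
            action = "logged"
        event = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src_ip": src_ip, "src_port": src_port, "honeyport": self.port, "action": action,
            "firewall_cmd": block_command(src_ip) if action == "blocked" else None,
        }
        with self._lock:
            self.events.append(event)
        return event

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:             # socket closed by stop()
                break
            conn.close()                # never talk to the peer; the connect itself is the signal
            self.handle(src_ip, src_port)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        if self._thread.is_alive():
            self._thread.join(timeout=2)
        self._sock.close()


def run_demo(whitelist=("192.168.10.1", "192.168.10.2")):
    """Start a honeyport on a free port, touch it once from localhost, return the recorded events."""
    hp = HoneyPort(port=0, whitelist=whitelist, block=True).start()
    try:
        with socket.create_connection(("127.0.0.1", hp.port), timeout=2):
            pass
        deadline = time.time() + 5
        while not hp.events and time.time() < deadline:
            time.sleep(0.05)
    finally:
        hp.stop()
    return hp.events


if __name__ == "__main__":
    for ev in run_demo():
        print(ev)
```

To turn this into a live honeyport, pass the list returned by block_command() to subprocess.run() from handle(), and keep the management addresses in the whitelist so a scan from your own hosts cannot lock you out.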
2.) Passive DNS monitoring
apt -y install dnstop
dnstop -l 3 eth0
dnstop -l 3 001.pcap > out.txt
5.3 Log Auditing
5.3.1 WINDOWS
# Increase the event log sizes for auditing
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Application /v MaxSize /t REG_DWORD /d 0x19000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\Security /v MaxSize /t REG_DWORD /d 0x64000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000
# Show the configuration of the Security event log and the audit policy
C:\> wevtutil gl Security
C:\> auditpol /get /category:*
C:\> auditpol /set /category:* /success:enable /failure:enable
# Summary of the configured event logs
PS C:\> Get-EventLog -List
# The 5 most recent Application log entries
PS C:\> Get-EventLog -Newest 5 -LogName Application | Format-List
# All entries with Event ID 4672
PS C:\> Get-EventLog Security | Where-Object { $_.EventID -eq 4672 }
# Logon and logoff events
PS C:\> Get-EventLog Security 4625,4634,4647,4624,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964 -After ((Get-Date).AddDays(-1))
# DPAPI activity, process termination, RPC events
PS C:\> Get-EventLog Security 4692,4693,4694,4695,4689,5712 -After ((Get-Date).AddDays(-1))
# File share, file system, SAM, registry and certification services events
PS C:\> Get-EventLog Security 4671,4691,4698,4699,4700,4701,4702,5148,5149,5888,5889,5890,4657,5039,4659,4660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5150,5151,5154,5155,5156,5157,5158,5159 -After ((Get-Date).AddDays(-1))
# Details of the Event ID 4672 entries
PS C:\> Get-EventLog Security | Where-Object { $_.EventID -eq 4672 } | Format-List
5.3.2 LINUX
# Authentication logs
tail /var/log/auth.log
grep -i "fail" /var/log/auth.log
tail /var/log/secure
grep -i "fail" /var/log/secure
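Grepping for "fail" shows the raw lines; what an analyst wants from them is the number of failed logins per source address and whether one of those sources later succeeded. The Python below is an added example (not part of the original cheat sheet) that parses sshd entries in the /var/log/auth.log format and applies that logic. The log lines embedded in it are constructed and use documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in syslog/auth.log format: a password-guessing run from 203.0.113.7 that
# eventually succeeds as root, one typo by alice, an unrelated sudo line, and a key login by bob.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:05 web01 sshd[2233]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:08 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:15:10 web01 sshd[2237]: Failed password for root from 203.0.113.7 port 51248 ssh2
Mar  3 10:15:12 web01 sshd[2239]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:15:15 web01 sshd[2241]: Accepted password for root from 203.0.113.7 port 51252 ssh2
Mar  3 10:20:44 web01 sshd[2301]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:20:49 web01 sshd[2301]: Accepted password for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:21:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl status sshd
Mar  3 10:25:30 web01 sshd[2350]: Accepted publickey for bob from 198.51.100.20 port 52100 ssh2: ED25519 SHA256:constructedfingerprint
"""

# OpenSSH logs both outcomes with the same shape; "invalid user" is inserted for unknown accounts.
SSH_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_ssh_events(lines):
    """Return one dict per sshd authentication line, in log order; other lines are ignored."""
    events = []
    for line in lines:
        m = SSH_AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def failed_logins_by_ip(lines):
    """Counter of failed authentications per source address (what `grep -i fail | sort | uniq -c` approximates)."""
    return Counter(ev["ip"] for ev in parse_ssh_events(lines) if ev["result"] == "Failed")


def brute_force_sources(lines, threshold=5):
    """Source addresses with at least `threshold` failures."""
    return sorted(ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)


def successes_after_failures(lines, threshold=5):
    """Successful logins from an address that had already failed `threshold` or more times.

    This is the event worth paging on: a guess that worked rather than a guess that was stopped."""
    failures = defaultdict(int)
    hits = []
    for ev in parse_ssh_events(lines):          # strictly in log order
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            hits.append({"time": ev["ts"], "ip": ev["ip"], "user": ev["user"],
                         "method": ev["method"], "prior_failures": failures[ev["ip"]]})
    return hits


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("failed logins per IP:", dict(failed_logins_by_ip(lines)))
    print("brute-force sources:", brute_force_sources(lines))
    print("successes after failures:", successes_after_failures(lines))
```

On RHEL/CentOS the same parser works on /var/log/secure, since the sshd message format is the same; only the file path differs.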
# Samba, cron and sudo logs
grep -i samba /var/log/syslog
grep -i samba /var/log/messages
grep -i cron /var/log/syslog
grep -i sudo /var/log/auth.log
grep -i sudo /var/log/secure
# Apache 404 errors
grep 404 apache.log | grep -v -E "favicon.ico|robots.txt"
# Watch for new files, refreshing every 5 minutes
watch -n 300 -d ls -lR /web_root
5.4 Response (Forensics)
5.4.1 WINDOWS
1.) System information
C:\> echo %DATE% %TIME%
C:\> hostname
C:\> systeminfo
C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
C:\> wmic csproduct get name
C:\> wmic bios get serialnumber
C:\> wmic computersystem list brief
C:\> psinfo -accepteula -s -h -d
2.) User information
C:\> whoami
C:\> net users
C:\> net localgroup administrators
C:\> net group administrators
C:\> wmic rdtoggle list
C:\> wmic useraccount list
C:\> wmic group list
C:\> wmic netlogin get name,lastlogon,badpasswordcount
C:\> wmic netclient list brief
C:\> doskey /history > history.txt
3.) Network information
C:\> netstat -e
C:\> netstat -naob
C:\> netstat -nr
C:\> netstat -vb
C:\> nbtstat -s
C:\> route print
C:\> arp -a
C:\> ipconfig /displaydns
C:\> netsh winhttp show proxy
C:\> ipconfig /allcompartments /all
C:\> netsh wlan show interfaces
C:\> netsh wlan show all
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings"
C:\> type %SYSTEMROOT%\system32\drivers\etc\hosts
C:\> wmic nicconfig get description,IPaddress,MACaddress
C:\> wmic netuse get name,username,connectiontype,localname
4.) Service and process information
C:\> at
C:\> tasklist
C:\> tasklist /svc
C:\> tasklist /SVC /fi "imagename eq svchost.exe"
C:\> schtasks
C:\> net start
C:\> sc query
C:\> wmic service list brief | findstr "Running"
C:\> wmic service list config
C:\> wmic process list brief
C:\> wmic process list status
C:\> wmic process list memory
C:\> wmic job list brief
PS C:\> Get-Service | Where-Object { $_.Status -eq "Running" }
5.) Policy, patch and environment-variable information
C:\> set
C:\> gpresult /r
C:\> gpresult /z > output.txt
C:\> gpresult /H report.html /F
C:\> wmic qfe
6.) Autostart information
C:\> wmic startup list full
C:\> wmic ntdomain list brief