Penetration Testing: Choosing the Right (Linux) Tool Stack to Fix Your Broken IT Security

Date: 2022-11-17 14:59:36

Got IT infrastructure? Do you know how secure it is? The answer will probably hurt, but this is the kind of bad news you’re better off getting sooner rather than later.

The only reasonably sure way to find out what’s going on with your servers is to apply a solid round of penetration testing. Your ultimate goal is to uncover any dangerous vulnerabilities so you can lock them down.

By “dangerous vulnerability” I mean obvious things like unprotected open ports and unpatched software. But I also mean the existence of freely available intelligence about your organization that’s probably just floating around the internet, waiting to be collected and turned against you.

Pen testing is made up of three very different parts, each with its own unique tools and protocols.

Passive information gathering, where testers scour the public internet looking for subtle hints or carelessly revealed private data that can be used against the organization.

Active information gathering, where the organization’s networks and servers are scanned for potential vulnerabilities.

Identifying exploits that could possibly be run against the organization’s infrastructure.

Let’s look at those one at a time.

Passive Information Gathering (OSINT)

Say your company has around 50 employees and a handful of outside contractors, each of whom is most likely active on both professional and personal social networks. And say you’ve got the usual range of corporate and product websites and social media accounts (like LinkedIn).

Now pause for a moment and try to imagine that you’re a hacker who’s searching for exploitable information about your company which he can use to launch an attack. Assuming he’ll stick exclusively to the public internet and not break any laws, how much do you think he’ll find?

Not too much? After all, no one is stupid enough to post passwords and account information to the internet, right?

Perhaps. But you won’t believe how easy it can be to use what is there to figure out all the passwords and administration information that hackers will need to get what they’re after. Don’t believe me? Do some passive information gathering yourself.

Among the fantastic/frightening information gathering tools available to help you (which also include Maltego and Shodan) there’s a great Linux-based open source package named Recon-ng — about which I created a video course on Pluralsight.

You start by providing Recon-ng with some information about your company and choosing the particular scans that interest you. All the hard work will then be done by tools they call modules. Each of the 90+ available modules is a script that reads data from the Recon-ng database and launches a scanning operation against some remote data resource.

Based on your choices, Recon-ng will intelligently comb through vast volumes of DNS, social media, and search engine results, plus information-rich position postings for new developers and hints to internal email addresses relating to your target. When it’s done, the software will prepare a report that’s guaranteed to scare the daylights out of you.

With this information, all a hacker would have to do is sift through the data and set the launch date for your attack. With this information, all you will have to do is tighten up your defences and speak with your team about being a lot more careful when communicating online.

That OSINT acronym I used above? It stands for Open Source Intelligence. Stuff anyone can get.

Active Information Gathering (Vulnerability Assessment)

Besides all the things you thoughtlessly leave lying around across the internet, there’s probably a lot more that a hacker can learn about your infrastructure from the infrastructure itself. If your servers are on a network, it’s because, to some degree, you want them exposed to network users. But that might also expose things you’d rather keep quiet, including the fact that you might be running software that’s buggy and open for exploits.

The good news is that government and industry players — like the US government’s NIST and their National Vulnerability Database — have been actively tracking software vulnerabilities for decades now and they make their information freely available. The bad news is that their databases contain hundreds of thousands of those vulnerabilities and it makes for really dull reading.

You’d like to be able to quickly and regularly scan your network and the devices attached to it to make sure there’s nothing that needs patching, but it’s just not humanly possible to do it manually. So forget humans. You’re going to need software.

Vulnerability scanners are software tools that automatically scan your network and servers for unpatched software, open ports, misconfigured services, and potential exploit vectors (like SQL injection or cross-site scripting). Generally, the software will handle the vulnerability data and search for any matches with what you’ve got running. It’s your job to define the target, set the scan types you want run, read the reports that come out the other end, and — most important of all — fix whatever’s broken.

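As an added example (not code from the article or from any of the scanners it names), here is the core matching step the paragraph above describes: NVD-style advisory records with affected version ranges compared against an inventory of what is actually running, so the output is a patch list rather than a database to read. Every CVE id, product name and version in it is a constructed placeholder.

```python
"""Added example, not from the article: the matching step a vulnerability scanner
performs, comparing NVD-style advisories (affected version ranges) against an
inventory of what is running. All ids, products and versions are constructed."""
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10), so ranges compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    cve: str                  # placeholder identifier, not a real CVE
    product: str
    start_incl: str           # first affected version (inclusive)
    end_excl: Optional[str]   # first fixed version (exclusive); None = no fix yet
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.start_incl):
            return False
        return self.end_excl is None or v < parse_version(self.end_excl)

# Constructed advisory feed: the data the scanner downloads and keeps current.
ADVISORIES = [
    Advisory("CVE-0000-0001", "webserver", "2.4.0", "2.4.50", "HIGH"),
    Advisory("CVE-0000-0002", "webserver", "2.4.0", "2.4.51", "CRITICAL"),
    Advisory("CVE-0000-0003", "dbengine", "10.0", None, "MEDIUM"),
    Advisory("CVE-0000-0004", "sshd", "8.0", "8.5", "HIGH"),
]

# Constructed inventory, host -> {product: version}, as an agent or banner scan reports it.
INVENTORY = {
    "web01": {"webserver": "2.4.50", "sshd": "8.9"},
    "db01": {"dbengine": "10.3", "sshd": "8.2"},
}

def assess(inventory: dict) -> list:
    """Return (host, product, version, cve, severity) for every unpatched match."""
    findings = []
    for host, packages in inventory.items():
        for product, version in packages.items():
            for adv in ADVISORIES:
                if adv.product == product and adv.affects(version):
                    findings.append((host, product, version, adv.cve, adv.severity))
    return findings

if __name__ == "__main__":
    for f in assess(INVENTORY): print("%s: %s %s is affected by %s (%s), patch it" % f)
```

Note that web01's webserver 2.4.50 is reported for the second advisory only: it sits exactly at the first advisory's fix version, which is why the range boundaries must be compared numerically and with the right inclusivity.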
Commercial scanning packages with free tiers include Nessus, Nexpose, and Burp Suite. OpenVAS is a mature, fully open source tool that can handle just about anything you throw at it. And, most conveniently, it just so happens that my Pluralsight collection also includes a video guide to using OpenVAS.

An outstanding platform for running all kinds of scans and testing is the Kali Linux distribution. Kali, which itself is highly secure by default, comes with dozens of networking and security software packages pre-configured. OpenVAS, while easily installed to Kali, was left out of the default profile due to its size.

It’s common to run Kali within a virtual environment like VirtualBox rather than having it take up a whole physical machine. That way you can safely isolate your testing from your regular compute activities…not to mention save yourself significant time and money.

Exploit (Penetration) Testing

Here (after obtaining explicit authorization from the organization’s management) is where your pen testers try to actually penetrate your defences to see how far in they can get. Testers will make use of tools like the Metasploit Framework (often also run from Kali Linux), which executes live exploits against target infrastructure. My bad luck: I don’t have a course on Metasploit, but other Pluralsight authors sure do.

The immediate goal is to leverage any of the network or operating system exploits discovered during the earlier stages of the scanning process. But the ultimate idea, of course, is to shut down the security flaws your pen tester uncovers. All the testing in the world won’t do you an ounce of good if you don’t use it to improve.

Besides the purely technical hacking tools you’ll use, the exploitation phase of pen testing can also incorporate some good old social engineering. That’s where (when authorized) you can use emails, phone calls, and personal contact to try to fool employees into giving up sensitive information.

It’s a lot of work and requires a great deal of training and preparation to do it well. But if you’re responsible for your company’s IT resources, you can’t leave pen testing for later.

So what’s your next step? If you’re a do-it-yourself type then by all means, carefully work through some online resources or courseware and dive right in. Otherwise, find a professional you can trust and see what they recommend.

Good luck!

Don’t think I’m just some kind of one-dimensional geek. Besides my Pluralsight courses, I also write books and courses on Linux and AWS, and even a hybrid course called Linux in Motion that’s made up of more than two hours of videos and some 40% of the content of my Linux in Action book. Ok. So I suppose I am some kind of one-dimensional geek.

Translated from: /news/penetration-testing-choosing-the-right-linux-tool-stack-to-fix-your-broken-it-security/
