Linux penetration testing
Got IT infrastructure? Do you know how secure it is? The answer will probably hurt, but this is the kind of bad news you’re better off getting sooner rather than later.
The only reasonably sure way to find out what’s going on with your servers is to apply a solid round of penetration testing. Your ultimate goal is to uncover any dangerous vulnerabilities so you can lock them down.
By “dangerous vulnerability” I mean obvious things like unprotected open ports and unpatched software. But I also mean the existence of freely available intelligence about your organization that’s probably just floating around the internet, waiting to be collected and turned against you.
Pen testing is made up of three very different parts, each with its own unique tools and protocols.
Passive information gathering, where testers scour the public internet looking for subtle hints or carelessly revealed private data that can be used against the organization.
Active information gathering, where the organization’s networks and servers are scanned for potential vulnerabilities.
Identifying exploits that could possibly be run against the organization’s infrastructure.
Let’s look at those one at a time.
Passive Information Gathering (OSINT)
Say your company has around 50 employees and a handful of outside contractors, each of whom is most likely active on both professional and personal social networks. And say you’ve got the usual range of corporate and product websites and social media accounts (like LinkedIn).
Now pause for a moment and try to imagine that you’re a hacker who’s searching for exploitable information about your company which he can use to launch an attack. Assuming he’ll stick exclusively to the public internet and not break any laws, how much do you think he’ll find?
Not too much? After all, no one is stupid enough to post passwords and account information to the internet, right?
Perhaps. But you won’t believe how easy it can be to use what is there to figure out all the passwords and administration information that hackers will need to get what they’re after. Don’t believe me? Do some passive information gathering yourself.
Among the fantastic/frightening information gathering tools available to help you (which also include Maltego and Shodan) there’s a great Linux-based open source package named Recon-ng, about which I created a video course on Pluralsight.
You start by providing Recon-ng with some information about your company and choosing the particular scans that interest you. All the hard work will then be done by tools they call modules. Each of the 90+ available modules is a script that reads data from the Recon-ng database and launches a scanning operation against some remote data resource.
Based on your choices, Recon-ng will intelligently comb through vast volumes of DNS, social media, and search engine results, plus information-rich position postings for new developers and hints to internal email addresses relating to your target. When it’s done, the software will prepare a report that’s guaranteed to scare the daylights out of you.
With this information, all a hacker would have to do is sift through the data and set the launch date for your attack. With this information, all you will have to do is tighten up your defences and speak with your team about being a lot more careful when communicating online.
That OSINT acronym I used above? It stands for Open Source Intelligence. Stuff anyone can get.
Active information gathering (vulnerability assessment)
Besides all the things you thoughtlessly leave lying around across the internet, there’s probably a lot more that a hacker can learn about your infrastructure from the infrastructure itself. If your servers are on a network, it’s because, to some degree, you want them exposed to network users. But that might also expose things you’d rather keep quiet, including the fact that you might be running software that’s buggy and open for exploits.
The good news is that government and industry players, like the US government’s NIST and their National Vulnerability Database, have been actively tracking software vulnerabilities for decades now and they make their information freely available. The bad news is that their databases contain hundreds of thousands of those vulnerabilities and it makes for really dull reading.
You’d like to be able to quickly and regularly scan your network and the devices attached to it to make sure there’s nothing that needs patching, but it’s just not humanly possible to do it manually. So forget humans. You’re going to need software.
Vulnerability scanners are software tools that automatically scan your network and servers for unpatched software, open ports, misconfigured services, and potential exploit vectors (like SQL injection or cross-site scripting). Generally, the software will handle the vulnerability data and search for any matches with what you’ve got running. It’s your job to define the target, set the scan types you want run, read the reports that come out the other end, and, most important of all, fix whatever’s broken.
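The core of that "search for any matches" step is an affected-version-range comparison between an inventory of what is installed and a vulnerability database. The script below is an added illustration, not code from the original article or from any scanner it names; the inventory lines and the vulnerability records are constructed sample data with placeholder ids, not real NVD entries.

```python
import re

# Constructed sample inventory, in the "name version" shape of
# `dpkg-query -W -f='${Package} ${Version}\n'` output (not real scan output).
INVENTORY = """\
openssh-server 8.2p1
nginx 1.18.0
sudo 1.8.31
bash 5.0"""

# Constructed vulnerability records in the spirit of NVD affected-range data.
# The ids are placeholders, not real CVE numbers.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "sudo", "from": "1.8.2", "fixed": "1.9.5"},
    {"id": "EXAMPLE-0002", "product": "nginx", "from": "1.0", "fixed": "1.16.1"},
    {"id": "EXAMPLE-0003", "product": "openssh-server", "from": "7.0", "fixed": "8.5"},
]

def version_key(v):
    """Turn '8.2p1' into a tuple that compares segment by segment.
    A plain string comparison would wrongly rank '1.8.31' below '1.8.2'."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in parts)

def parse_inventory(text):
    """Map package name -> version from 'name version' lines."""
    inv = {}
    for line in text.splitlines():
        name, _, ver = line.strip().partition(" ")
        if name and ver:
            inv[name] = ver
    return inv

def find_unpatched(inventory, vuln_db):
    """Return (package, version, record id) for every installed version that
    falls inside a record's affected range: from <= version < fixed."""
    hits = []
    for pkg, ver in inventory.items():
        key = version_key(ver)
        for rec in vuln_db:
            if rec["product"] != pkg:
                continue
            if version_key(rec["from"]) <= key < version_key(rec["fixed"]):
                hits.append((pkg, ver, rec["id"]))
    return sorted(hits)

if __name__ == "__main__":
    for pkg, ver, rec_id in find_unpatched(parse_inventory(INVENTORY), VULN_DB):
        print(f"{pkg} {ver}: needs patching ({rec_id})")
```

A real scanner adds product-name normalisation (CPE matching), distribution backport tracking and network fingerprinting on top of this, but the range check is the same.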
Commercial scanning packages with free tiers include Nessus, Nexpose, and Burp Suite. OpenVAS is a mature, fully open source tool that can handle just about anything you throw at it. And, most conveniently, it just so happens that my Pluralsight collection also includes a video guide to using OpenVAS.
An outstanding platform for running all kinds of scans and testing is the Kali Linux distribution. Kali, which itself is highly secure by default, comes with dozens of networking and security software packages pre-configured. OpenVAS, while easily installed to Kali, was left out of the default profile due to its size.
It’s common to run Kali within a virtual environment like VirtualBox rather than having it take up a whole physical machine. That way you can safely isolate your testing from your regular compute activities…not to mention save yourself significant time and money.
Exploit (penetration) testing
Here (after obtaining explicit authorization from the organization’s management) is where your pen testers try to actually penetrate your defences to see how far in they can get. Testers will make use of tools like the Metasploit Framework (often also run from Kali Linux), which executes live exploits against target infrastructure. My bad luck: I don’t have a course on Metasploit, but other Pluralsight authors sure do.
The immediate goal is to leverage any of the network or operating system exploits discovered during the earlier stages of the scanning process. But the ultimate idea, of course, is to shut down the security flaws your pen tester uncovers. All the testing in the world won’t do you an ounce of good if you don’t use it to improve.
Besides the purely technical hacking tools you’ll use, the exploitation phase of pen testing can also incorporate some good old social engineering. That’s where (when authorized) you can use emails, phone calls, and personal contact to try to fool employees into giving up sensitive information.
It’s a lot of work and requires a great deal of training and preparation to do it well. But if you’re responsible for your company’s IT resources, you can’t leave pen testing for later.
So what’s your next step? If you’re a do-it-yourself type then by all means, carefully work through some online resources or courseware and dive right in. Otherwise, find a professional you can trust and see what they recommend.
Good luck!
Don’t think I’m just some kind of one-dimensional geek. Besides my Pluralsight courses, I also write books and courses on Linux and AWS and even a hybrid course called Linux in Motion that’s made up of more than two hours of videos and some 40% of the content of my Linux in Action book. Ok. So I suppose I am some kind of one-dimensional geek.
Translated from: https://www.freecodecamp.org/news/penetration-testing-choosing-the-right-linux-tool-stack-to-fix-your-broken-it-security/