第一章 应急响应-Linux日志分析
|
79
|
0
|
CP,penetration test

622 字
|
12 分钟

第一章 应急响应-Linux日志分析

image-20240614191517670

基础信息搜集

hgbe02@pwn:~/temp$ ssh root@69.230.247.36
The authenticity of host '69.230.247.36 (69.230.247.36)' can't be established.
ED25519 key fingerprint is SHA256:YaKYCubzBNoPqUFqbT3FPvAWs34syoDa/ex4NYogZqw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '69.230.247.36' (ED25519) to the list of known hosts.
root@69.230.247.36's password:
Linux ip-10-0-10-1 4.19.0-25-cloud-amd64 #1 SMP Debian 4.19.289-1 (2023-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug  1 07:50:37 2023 from 192.168.200.2
root@ip-10-0-10-1:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@ip-10-0-10-1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:58:04:2c:a8:90 brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.1/16 brd 10.0.255.255 scope global dynamic eth0
       valid_lft 3541sec preferred_lft 3541sec
    inet6 fe80::58:4ff:fe2c:a890/64 scope link
       valid_lft forever preferred_lft forever

有多少IP在爆破主机ssh的root帐号

有多少IP在爆破主机ssh的root帐号,如果有多个使用","分割

root@ip-10-0-10-1:~# cd /var/log
root@ip-10-0-10-1:/var/log# ls -la
total 2476
drwxr-xr-x  6 root root   4096 Jun 14 11:55 .
drwxr-xr-x 11 root root   4096 Nov 18  2022 ..
-rw-r--r--  1 root root      0 Jun 14 11:55 alternatives.log
-rw-r--r--  1 root root  31451 Aug  1  2023 alternatives.log.1
drwx------  3 root root   4096 Aug  1  2023 amazon
drwxr-xr-x  2 root root   4096 Jun 14 11:55 apt
-rw-r-----  1 root adm     393 Jun 14 11:55 auth.log
-rw-r-----  1 root adm   17873 Jun 14 11:55 auth.log.1
-rw-r--r--  1 root root    600 Aug  1  2023 aws114_ssm_agent_installation.log
-rw-r--r--  1 root root 453632 Nov 18  2022 bootstrap.log
-rw-rw----  1 root utmp      0 Jun 14 11:55 btmp
-rw-rw----  1 root utmp  18432 Aug  1  2023 btmp.1
-rw-r--r--  1 root adm  508488 Jun 14 11:55 cloud-init.log
-rw-r-----  1 root adm   44420 Jun 14 11:55 cloud-init-output.log
-rw-r-----  1 root adm    5181 Jun 14 11:56 daemon.log
-rw-r-----  1 root adm  144189 Jun 14 11:55 daemon.log.1
-rw-r-----  1 root adm       0 Jun 14 11:55 debug
-rw-r-----  1 root adm   43411 Jun 14 11:55 debug.1
-rw-r--r--  1 root root      0 Jun 14 11:55 dpkg.log
-rw-r--r--  1 root root 211484 Aug  1  2023 dpkg.log.1
-rw-r--r--  1 root root  32064 Aug  1  2023 faillog
-rw-r-----  1 root adm       0 Jun 14 11:55 kern.log
-rw-r-----  1 root adm  241683 Jun 14 11:55 kern.log.1
-rw-rw-r--  1 root utmp 292584 Jun 14 11:55 lastlog
-rw-r-----  1 root adm     991 Jun 14 11:55 messages
-rw-r-----  1 root adm  223852 Jun 14 11:55 messages.1
drwxr-xr-x  2 ntp  ntp    4096 Mar 21  2019 ntpstats
drwx------  2 root root   4096 Nov 26  2022 private
-rw-r-----  1 root adm    6326 Jun 14 11:56 syslog
-rw-r-----  1 root adm  412413 Jun 14 11:55 syslog.1
-rw-r-----  1 root adm     837 Jun 14 11:55 user.log
-rw-r-----  1 root adm   24221 Aug  1  2023 user.log.1
-rw-rw-r--  1 root utmp  21504 Jun 14 11:55 wtmp
root@ip-10-0-10-1:/var/log# cat auth.log
Jun 14 11:55:54 ip-10-0-10-1 sshd[603]: Accepted password for root from 218.201.30.74 port 4614 ssh2
Jun 14 11:55:54 ip-10-0-10-1 sshd[603]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 14 11:55:54 ip-10-0-10-1 systemd-logind[428]: New session 1 of user root.
Jun 14 11:55:54 ip-10-0-10-1 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
root@ip-10-0-10-1:/var/log# head -n 20 auth.log.1

Aug  1 07:40:47 linux-rz sshd[7461]: Invalid user test1 from 192.168.200.35 port 33874
Aug  1 07:40:48 linux-rz sshd[7461]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:40:48 linux-rz sshd[7461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:40:52 linux-rz sshd[7461]: Connection closed by invalid user test1 192.168.200.35 port 33874 [preauth]
Aug  1 07:40:58 linux-rz sshd[7465]: Invalid user test2 from 192.168.200.35 port 51640
Aug  1 07:41:01 linux-rz sshd[7465]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:41:01 linux-rz sshd[7465]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35
Aug  1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug  1 07:41:07 linux-rz sshd[7465]: Connection closed by invalid user test2 192.168.200.35 port 51640 [preauth]
Aug  1 07:41:09 linux-rz sshd[7468]: Invalid user test3 from 192.168.200.35 port 48168
Aug  1 07:41:11 linux-rz sshd[7468]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:41:11 linux-rz sshd[7468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35
Aug  1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug  1 07:41:19 linux-rz sshd[7468]: Connection closed by invalid user test3 192.168.200.35 port 48168 [preauth]
Aug  1 07:42:30 linux-rz sshd[7471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.32  user=root
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:42:33 linux-rz sshd[7471]: Connection closed by authenticating user root 192.168.200.32 port 51888 [preauth]
Aug  1 07:42:49 linux-rz sshd[7288]: Received disconnect from 192.168.200.2 port 54682:11: disconnected by user

第一个短的文件,一看就是我本地登陆的记录,所以看/var/log/auth.log.1

root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | sort | uniq -c
      4 192.168.200.2
      1 192.168.200.31
      1 192.168.200.32

故flag为:

flag{192.168.200.2,192.168.200.31,192.168.200.32}

ssh爆破成功登陆的IP是多少

ssh爆破成功登陆的IP是多少,如果有多个使用","分割

root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Accepted password for root" | awk '{print $11}' | sort | uniq -c
      2 192.168.200.2

故flag为:

flag{192.168.200.2}

爆破用户名字典是什么?

爆破用户名字典是什么?如果有多个使用","分割

root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep "Failed password for"
Binary file (standard input) matches
root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password for"
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug  1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug  1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2
Aug  1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2
Aug  1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2
Aug  1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2
Aug  1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug  1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2
Aug  1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2
Aug  1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2
Aug  1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user  from 192.168.200.2 port 37545 ssh2
Aug  1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user  from 192.168.200.2 port 39111 ssh2
Aug  1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user  from 192.168.200.2 port 35173 ssh2
Aug  1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user  from 192.168.200.2 port 45807 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2
root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password for" | awk '{print $9 $11}'  | sort | uniq -c | sort -
nr
      5 invaliduser
      5 invalidhello
      5 invalidfrom
      4 root192.168.200.2
      1 root192.168.200.32
      1 root192.168.200.31
      1 invalidtest3
      1 invalidtest2
      1 invalidtest1

故flag为:

flag{user,hello,root,test3,test2,test1}

官方使用perl进行了解答,很优雅:

root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password" | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'| uniq -c | sort -nr
      5  invalid user user
      5  invalid user hello
      5  invalid user
      4  root
      1  root
      1  root
      1  invalid user test3
      1  invalid user test2
      1  invalid user test1
  • perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}': 这一部分使用 Perl 脚本。-e 选项表示在命令行中提供脚本代码。Perl 脚本的作用是遍历每一行,然后使用正则表达式 /for(.*?) from/ 捕获括号中的内容,即登录失败的用户名。捕获的内容由 $1 引用,然后通过 print "$1\n"; 打印出来,每个用户名占一行。
  • sort -nr: 该部分使用 sort -nr 命令对计数结果进行排序,其中 -n 表示按数字顺序排序,-r 表示逆序(从高到低)排序。

登陆成功的IP共爆破了多少次

root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | sort -n | uniq -c
      4 192.168.200.2
      1 192.168.200.31
      1 192.168.200.32

192.168.200.2登录成功了,爆破了四次。故flag为:

flag{4}

黑客登陆主机后新建了一个后门用户,用户名是多少

root@ip-10-0-10-1:/var/log# cat auth.log.1 |grep -a "/bin"
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
Aug  1 08:18:27 ip-172-31-37-190 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/touch /var/log/aws114_ssm_agent_installation.log
root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "/bin/" | grep "sh"
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash

或者使用:

root@ip-10-0-10-1:/var/log# cat /var/log/auth.log.1 | grep -a "new user"
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash

发现确实添加了用户test2

root@ip-10-0-10-1:/var/log# cat /etc/passwd | grep -v "nologin" | grep "sh"
root:x:0:0:root:/root:/bin/bash
test2:x:1000:1000::/home/test2:/bin/sh
debian:x:1001:1001:Debian:/home/debian:/bin/bash
root@ip-10-0-10-1:/var/log# ls -la /home
total 12
drwxr-xr-x  3 root   root   4096 Aug  1  2023 .
drwxr-xr-x 18 root   root   4096 Jun 14 11:55 ..
drwxr-xr-x  3 debian debian 4096 Aug  1  2023 debian
root@ip-10-0-10-1:/# cat /etc/shadow
root:$6$V5ItX87cUllL5G4h$yATBAGCLFnkAoW4erj4cBGT9mXg3kdqkItr8xX.64LJwsq48qDeukrTkOwoTE6TSYnaTDfSRvpWiq/BIMmhom/:19570:0:99999:7:::
daemon:*:19314:0:99999:7:::
bin:*:19314:0:99999:7:::
sys:*:19314:0:99999:7:::
sync:*:19314:0:99999:7:::
games:*:19314:0:99999:7:::
man:*:19314:0:99999:7:::
lp:*:19314:0:99999:7:::
mail:*:19314:0:99999:7:::
news:*:19314:0:99999:7:::
uucp:*:19314:0:99999:7:::
proxy:*:19314:0:99999:7:::
www-data:*:19314:0:99999:7:::
backup:*:19314:0:99999:7:::
list:*:19314:0:99999:7:::
irc:*:19314:0:99999:7:::
gnats:*:19314:0:99999:7:::
nobody:*:19314:0:99999:7:::
_apt:*:19314:0:99999:7:::
systemd-timesync:*:19314:0:99999:7:::
systemd-network:*:19314:0:99999:7:::
systemd-resolve:*:19314:0:99999:7:::
messagebus:*:19314:0:99999:7:::
unscd:*:19314:0:99999:7:::
ntp:*:19314:0:99999:7:::
sshd:*:19314:0:99999:7:::
systemd-coredump:!!:19322::::::
test2:$6$oIpMwQHVAWKNjsi1$kMV6ZNSOTZfqnNSxqMkl9tLj/1Y5KOJMZBzCu.qQgFxezvXrn..gHkt8lieFTDVCUI0PhVASNpZvKCJwsN3gH1:19570:0:99999:7:::
debian:!:19570:0:99999:7:::

所以flag为:

flag{test2}
暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																					

							
							
						

										
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇 

                    

                    
			        推荐文章
		            

		            

							
hmv[-_-]lookup

							
							

							
hmv[-_-]UnbakedPie

							
							

							
hmv[-_-]Pickle

							
							

							
hmv[-_-]Random

							
							

							
Vulnyx(°ー°〃)Psymin

							
							

							
hmv[-_-]HackingToys