A few years of security learning experience

Posted by millikan at 2020-02-27

I'm a young rookie who has been in this business for about 11 years. Listening to my seniors, they often say that WAF started to appear slowly about 10 years ago. To me as a newcomer at that time, WAF was quite something, and it really did block me. On the road of learning penetration testing, in order to learn it properly, I chose PHP, and as a relatively early generation I collected resources (e.g. via eMule) to watch all kinds of videos.

After graduation, the work I did stayed on the edge of security, and I have watched this circle develop into what it is today: from attacks on back-end programmers 12 years ago, to later attacks on browsers (front-end programmers), to mobile attacks (web packet capture and reverse analysis), and now web fuzzing and automated penetration testing. Security has many subdivisions, but they are also rather miscellaneous. Not that much to say, yet not that little either.

When I think back to the original wooyun, the strange dog once said that if you read every article on wooyun you would at least be a junior penetration tester. That idea is right. Although wooyun has been closed, Maury made the wooyun data public a few months ago. If you want to read it, read as much as you can; at the very least it won't hurt you.

In terms of WAF, the summaries on wooyun, such as mayikissyou's cookbook, the four-level WAF attack and defense research on bypassing WAF, c4rt1y's upload bypass of WAF, the leisurely bypass, and Antian Technology's analysis of the advantages and disadvantages of hardware WAF, software WAF and cloud WAF, explain the ideas and characteristics of WAF bypass quite simply. The main idea is to follow the path the traffic takes and test whether each stage can be exploited.

Web penetration often runs into CDN. The first thing is to get past the CDN's protection: historical registration information, website error messages, whole-network scanning information collection with zamp, second-level domain queries, and so on. In general, a server is only mounted on someone else's CDN rather than having every domain name resolved to the CDN, so the real IP can be found through other domain names. Beyond that, we can probe the IP's ports directly, probe the site, or search sibling sites on the same host, the C-class subnet, or even multi-level domain names, and test with public vulnerabilities, logic vulnerabilities, XXE, SSRF, unauthorized access to services, command execution vulnerabilities, etc. We can set up some common port services and build the test environment ourselves, or use Docker, or learn the exploits of CMSes. By now, a lot of experts have realized this with tools that automate the implementation, collection, scanning and testing of results.

On the intranet side, after taking down a server we have a foothold on the boundary, and from there we enter the intranet, where all kinds of operations come into play. In general, ICMP and DNS traffic is not blocked, so to a large extent we can work slowly through these protocols. Understand and master the common intranet commands and how to use them, quickly identify the key servers, draw the topology of the intranet from your own analysis, and master most of the ideas of information collection. In this area, I think the article summarized by lostwolf is very good. Collect all kinds of account information on the intranet, then attack via MS14-068, NBNS and other protocols, which can be combined with phishing and AV evasion. The rest is waiting time and luck. Then there is how to keep the server, such as stealing hashes and clearing the attack logs.

As for code audit, I remember ln publishing a code audit syllabus (unfortunately it disappeared later), and Seay also wrote a book. I can also recommend T00ls, 90sec, or the PHP code audit material from wooyun's 1000-point section from before wooyun. Following ln's syllabus, we can find some open-source and old versions to audit. I remember Yu Dashen's notes on studying other people's code audits; in fact we can do the same. For code audit and PHP there are many types of vulnerabilities to a certain extent, so it is also a systematic way to understand some of the content. You can also look at a copy of DVWA; the oldest version had a document written by chrysanthemum, and later someone posted on freebuf a grammar bypass for the latest version, 1.09. In addition, safe3 also has three sets of code audit material for ASP, PHP and JSP. If you want to do JSP, you don't need to read those; the others should be good for newcomers. As for Java, I haven't touched it much, but before wooyun closed there was a Java series on drops, and some people share this material now. However, there are too few open-source Java CMSes, and the frameworks are hard to mine. As for Python, all I know is command execution, such as eval, PyYAML, __init__, etc.

As for mobile, web penetration can be done there too. So far, Android and iOS developers have not paid much attention to security. The other side is binary analysis. There are two books about it that cover all aspects, though the introduction is relatively shallow; with practice the basics can be achieved, but the depth depends on how long you have been at it. In addition, Kanxue (see snow), Reverse the Future, Piaoyun Pavilion, 52 crack, the zero-day forum and love-to-crack are all good. Piaoyun Pavilion holds a 5.4 every year: learn PC, Android, iOS, AV evasion, and the videos are shared as well.

About wireless, in other words, it should be a matter of equipment. There should be plenty of videos online by now. I think it is still a matter of tools: an external wireless card, GSM spoofing, and even satellites on the large scale should be a matter of protocols. I'm not an expert, I only use tools. As far as I can tell, the biggest distance between us is learning all kinds of tools and whose tools are smarter; if you want to go further, it is deepening your programming and your understanding of protocol principles.

For firmware analysis, from a certain point of view you can learn all kinds of assembly instructions. Here is an extra point: I remember all kinds of big names saying that if you want to learn the low level, you should start with x86, and then you will find the other assembly languages later on; in fact the difference is not that big. Then, if you find it hard to read, I can recommend some material: for example the Beifeng network C++ disassembly foundation, the uncover disassembly video tutorial, the Programming Magic Cube C++ reverse foundation tutorial, Tulip's 2013 assembly and plug-in course, the Dishui third session, and so on. Supporting books include C++ disassembly and reverse analysis technology, the key technology of encryption and decryption, the core principles of reverse engineering, 0day2 and Hacker Disassembling Uncovered. The later ones, 0day2 and Hacker Disassembling Uncovered, are the deeper part of analyzing assembly code. There are also a lot of PWN resources online, which I won't list one by one; searching for ctfs on GitHub should turn up a large number. Later on, routers and smart home devices are basically similar, just based on different assembly languages, MIPS and so on. It's basically the same.

As for AV evasion, I explained using PowerShell for evasion on the intranet; we can use different compilers to compile or run, and we can learn from evi1cg's 2016 material. In addition, the technique should not be out of date. Most of the content of "hacker AV evasion attack and defense" is similar to "the code of immortality". Or search Baidu for "the series of tutorials on script AV evasion for a while" to see whether they are consistent with the explanations in the books. In addition, I recommend hacksky's signature-code resurrection and his AV evasion course for diners.

In terms of operation and maintenance: building all kinds of environments, and the updates to all kinds of cloud products and automation in the past two years, show that operation and maintenance is also constantly moving toward automation, cloud and so on. There don't seem to be many recommended books in the CentOS 7 series at present, although it is the future mainstream: Brother Bird's three books, CentOS 7 system management and operation and maintenance practice, Docker advanced and practice, the Huawei Docker practice group, and the design of automated operation and maintenance software in practice. For videos, "Aming learns Linux, third session" and "Old Boy architect, eleventh session".

There is too much information about programming. I suggest reading plus watching videos. For books, I recommend the Cookbook series; translate them into Chinese and work out what they say. There are too many videos, but as long as you persevere, you should eventually succeed; I also watched a lot of tutorials. Whatever aspect you want to learn, I suggest you read the book while watching the video. You will find that reading is faster than watching the video, and then slowly you can abandon the video.

Finally, I will briefly elaborate my personal point of view. For a set of videos, I'll take the longest one, the third session of Dishui, which is about 110 hours and looks like three experimental projects. If you are willing, do the calculation and estimate your own time: if you watch for 2 hours a day, you should be able to finish in 55 days, and then practise for 4 hours. Because sometimes you will run into obstacles in the video or in the book, it seems like a lot of time consumption. But if you are in the IT industry, you will find that this is your future, laying the foundation stone for most of the technology; the technology of the future keeps changing, and if you go the same way, you can't leave it alone. In fact, of those 110 hours, a lot of the time is bullshit. I remember that during Yan Shiba's internal training, MySQL (basic use) had less than 8 hours of video in total, while in the open class MySQL (basic use) had 40 hours in total. In addition, for example, there may be a bug in a certain knowledge point that does not appear in the video or the book; I have run into this too many times. You can throw the keyword into Baidu or Google; someone may have written a blog about it early on, so you can work faster by following other people's notes directly. Isn't that better? There are many learning ideas, and many people should be good at using all of them. Another example is penetration testing. I think it is basically teamwork now: for example, one person takes the site, another takes the source code audit, and then more vulnerabilities are found. An intranet that you can only stand in, in today's world, is more and more difficult. It still needs redoubled effort, such as learning programming. At the beginning, the smiling God taught me, but I didn't listen, and now I deeply regret falling behind.

Finally, this is my summary of my past. Maybe when I have time, I will slowly write the things I have learned into documents and publish them. Because I think these are other people's things and not my original work, I don't want to write notes on this from too broad an angle, because I feel that practice makes perfect. The difference between me and a novice, and it's nothing to be proud of, is that I can quickly find and then solve problems, while the novice has to keep searching for information. Long-winded, off key, with big and small problems; no wonder my Chinese was always below 60 points. But I hope it can help novices to some extent: keep your feet on the ground and move forward, or you will have only yourself to regret, not others.