渗透过程中,我们可能用普通账号进到了系统,在提权或者进一步信息收集的过程中,我们会获得一些日志文件,根据这些日志文件我们需要进一步的分析。
下面是kali官方给的日志文件,根据这个日志,讲述一下信息收集的方法:
wget http://www.offensive-security.com/pwk-files/access_log.txt.gz
1. 目录权限升级和解压
2. 查看具体内容
root@Fkali:/tmp/test# more access_log.txt
201.21.152.44 - - [25/Apr/2013:14:05:35 -0700] "GET /favicon.ico HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31" "random-site.com"
70.194.129.34 - - [25/Apr/2013:14:10:48 -0700] "GET /include/jquery.jshowoff.min.js HTTP/1.1" 200 2553 "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "www.random-site.com"
70.194.129.34 - - [25/Apr/2013:14:10:48 -0700] "GET /include/main.css HTTP/1.1" 304 - "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "www.random-site.com"
70.194.129.34 - - [25/Apr/2013:14:10:49 -0700] "GET /images/menu/2ny.png HTTP/1.1" 200 2732 "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "www.random-site.com"
70.194.129.34 - - [25/Apr/2013:14:10:58 -0700] "GET /chicago/ HTTP/1.1" 200 7451 "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"
70.194.129.34 - - [25/Apr/2013:14:10:58 -0700] "GET /include/jquery.js HTTP/1.1" 304 - "http://random-site.com/chicago/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"
70.194.129.34 - - [25/Apr/2013:14:10:59 -0700] "GET /images/header.png HTTP/1.1" 200 13610 "http://random-site.com/chicago/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"
70.194.129.34 - - [25/Apr/2013:14:11:00 -0700] "GET /favicon.ico HTTP/1.1" 404 89 "http://random-site.com/chicago/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"
88.112.192.2 - - [25/Apr/2013:14:11:13 -0700] "GET / HTTP/1.1" 200 4135 "http://startuplife.fi/you-know-you-are-in-san-francisco-when-your-favorite-spare-time-activities-include-eating-or-drinking/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/jquery.jshowoff.min.js HTTP/1.1" 200 6227 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/jquery.js HTTP/1.1" 200 25139 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/jshowoff.css HTTP/1.1" 200 1045 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/main.css HTTP/1.1" 200 2638 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
88.112.192.2 - - [25/Apr/2013:14:11:20 -0700] "GET /include/jquery.js HTTP/1.1" 200 25139 "http://random-site.com/san_francisco/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "random-site.com"
88.112.192.2 - - [25/Apr/2013:14:11:22 -0700] "GET /san_francisco/images/mainimages.jpg HTTP/1.1" 200 60342 "http://random-site.com/san_francisco/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "random-site.com"
88.112.192.2 - - [25/Apr/2013:14:11:23 -0700] "GET /favicon.ico HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "random-site.com"
208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
可以看到这边完全是一个web的请求信息。
3. 过滤IP地址信息
root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1
4.过滤IP地址并去重复
root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1 |sort -u
201.21.152.44
208.115.113.91
208.54.80.244
208.68.234.99
70.194.129.34
72.133.47.242
88.112.192.2
98.238.13.253
99.127.177.95
5. 去重后统计IP地址的访问次数
/tmp/test# cat access_log.txt | cut -d " " -f 1 |sort| uniq -c :
1 201.21.152.44
59 208.115.113.91
22 208.54.80.244
1038 208.68.234.99
8 70.194.129.34
8 72.133.47.242
8 88.112.192.2
8 98.238.13.253
21 99.127.177.95
/tmp/test# cat access_log.txt | cut -d " " -f 1 |sort| uniq -c | sort -run :
1038 208.68.234.99
59 208.115.113.91
22 208.54.80.244
21 99.127.177.95
8 70.194.129.34
1 201.21.152.44
cat access_log.txt | grep 208.68.234.99
8. 通过上面的结果,可以看出多次请求/admin这个接口,对这个接口进行统计查看
cat access_log.txt | grep 208.68.234.99 | grep "/admin" | sort -u
9. 从上面的分析可以看到,这个ip地址对/admin地址进行了爆破等相关操作,而且从结果可以看出,爆破应该已经成功了。
上面是针对日志文件分析的思路,这边也感谢yuan老师的讲解
版权声明:本文为CSDN博主「一杯咖啡的时间」的原创文章
原文链接:https://blog.csdn.net/m0_37268841/article/details/124417252
黑白之道发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!
如侵权请私聊我们删文
END
多一个点在看多一条小鱼干
原文始发于微信公众号(黑白之道):渗透过程中日志信息分析示例!
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论