渗透过程中日志信息分析示例!

admin 2024年9月28日13:32:19评论2 views字数 5846阅读19分29秒阅读模式

渗透过程中日志信息分析示例!

渗透过程中,我们可能用普通账号进到了系统,在提权或者进一步信息收集的过程中,我们会获得一些日志文件,根据这些日志文件我们需要进一步的分析。

下面是kali官方给的日志文件,根据这个日志,讲述一下信息收集的方法:

wget http://www.offensive-security.com/pwk-files/access_log.txt.gz
渗透过程中日志信息分析示例!
渗透过程中日志信息分析示例!

1. 目录权限升级和解压

渗透过程中日志信息分析示例!

2. 查看具体内容

root@Fkali:/tmp/test# more  access_log.txt 201.21.152.44 - - [25/Apr/2013:14:05:35 -0700] "GET /favicon.ico HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31" "random-site.com"70.194.129.34 - - [25/Apr/2013:14:10:48 -0700] "GET /include/jquery.jshowoff.min.js HTTP/1.1" 200 2553 "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "www.random-site.com"70.194.129.34 - - [25/Apr/2013:14:10:48 -0700] "GET /include/main.css HTTP/1.1" 304 - "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "www.random-site.com"70.194.129.34 - - [25/Apr/2013:14:10:49 -0700] "GET /images/menu/2ny.png HTTP/1.1" 200 2732 "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "www.random-site.com"70.194.129.34 - - [25/Apr/2013:14:10:58 -0700] "GET /chicago/ HTTP/1.1" 200 7451 "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"70.194.129.34 - - [25/Apr/2013:14:10:58 -0700] "GET /include/jquery.js HTTP/1.1" 304 - "http://random-site.com/chicago/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"70.194.129.34 - - [25/Apr/2013:14:10:59 -0700] "GET /images/header.png HTTP/1.1" 200 13610 "http://random-site.com/chicago/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"70.194.129.34 - - [25/Apr/2013:14:11:00 -0700] "GET /favicon.ico HTTP/1.1" 404 89 "http://random-site.com/chicago/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"88.112.192.2 - - [25/Apr/2013:14:11:13 -0700] "GET / HTTP/1.1" 200 4135 "http://startuplife.fi/you-know-you-are-in-san-francisco-when-your-favorite-spare-time-activities-include-eating-or-drinking/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/jquery.jshowoff.min.js HTTP/1.1" 200 6227 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/jquery.js HTTP/1.1" 200 25139 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/jshowoff.css HTTP/1.1" 200 1045 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/main.css HTTP/1.1" 200 2638 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"88.112.192.2 - - [25/Apr/2013:14:11:20 -0700] "GET /include/jquery.js HTTP/1.1" 200 25139 "http://random-site.com/san_francisco/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "random-site.com"88.112.192.2 - - [25/Apr/2013:14:11:22 -0700] "GET /san_francisco/images/mainimages.jpg HTTP/1.1" 200 60342 "http://random-site.com/san_francisco/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "random-site.com"88.112.192.2 - - [25/Apr/2013:14:11:23 -0700] "GET /favicon.ico HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "random-site.com"208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"

可以看到这边完全是一个web的请求信息。

3. 过滤IP地址信息

root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1

4.过滤IP地址并去重复

root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1 |sort -u201.21.152.44208.115.113.91208.54.80.244208.68.234.9970.194.129.3472.133.47.24288.112.192.298.238.13.25399.127.177.95

 5. 去重后统计IP地址的访问次数

root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1 |sort| uniq -c      1 201.21.152.44     59 208.115.113.91     22 208.54.80.244   1038 208.68.234.99      8 70.194.129.34      8 72.133.47.242      8 88.112.192.2      8 98.238.13.253     21 99.127.177.95
6.对于去重IP地址访问次数排序
root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1 |sort| uniq -c | sort -run   1038 208.68.234.99     59 208.115.113.91     22 208.54.80.244     21 99.127.177.95      8 70.194.129.34      1 201.21.152.44
7. 查看第一个1000多次请求的ip地址对应log
cat access_log.txt | grep 208.68.234.99
渗透过程中日志信息分析示例!

8. 通过上面的结果,可以看出多次请求/admin这个接口,对这个接口进行统计查看

cat access_log.txt | grep 208.68.234.99 | grep "/admin" | sort -u
渗透过程中日志信息分析示例!

9. 从上面的分析可以看到,这个ip地址对/admin地址进行了爆破等相关操作,而且从结果可以看出,爆破应该已经成功了。

上面是针对日志文件分析的思路,这边也感谢yuan老师的讲解

版权声明:本文为CSDN博主「一杯咖啡的时间」的原创文章原文链接:https://blog.csdn.net/m0_37268841/article/details/124417252

黑白之道发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!

如侵权请私聊我们删文

END

渗透过程中日志信息分析示例!

多一个点在看渗透过程中日志信息分析示例!多一条小鱼干

原文始发于微信公众号(黑白之道):渗透过程中日志信息分析示例!

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年9月28日13:32:19
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   渗透过程中日志信息分析示例!https://cn-sec.com/archives/1984591.html

发表评论

匿名网友 填写信息