设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 渗透过程中日志信息分析示例!!!
返回列表 发新帖
查看: 753|回复: 0

渗透过程中日志信息分析示例!!!

[复制链接]
adopi

179

主题

179

帖子

630

积分

高级会员

Rank: 4

积分
630
发表于 2023-8-24 18:59:30 | 显示全部楼层 |阅读模式
渗透过程中日志信息分析示例!!!
渗透过程中,我们可能用普通账号进到了系统,在提权或者进一步信息收集的过程中,我们会获得一些日志文件,根据这些日志文件我们需要进一步的分析。



下面是kali官方给的日志文件,根据这个日志,讲述一下信息收集的方法:

  1. wget http://www.offensive-security.com/pwk-files/access_log.txt.gz
复制代码





1. 目录权限升级和解压



2. 查看具体内容

  1. root@Fkali:/tmp/test# more  access_log.txt
  2. 201.21.152.44 - - [25/Apr/2013:14:05:35 -0700] "GET /favicon.ico HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31" "random-site.com"
  3. 70.194.129.34 - - [25/Apr/2013:14:10:48 -0700] "GET /include/jquery.jshowoff.min.js HTTP/1.1" 200 2553 "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "www.random-site.com"
  4. 70.194.129.34 - - [25/Apr/2013:14:10:48 -0700] "GET /include/main.css HTTP/1.1" 304 - "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "www.random-site.com"
  5. 70.194.129.34 - - [25/Apr/2013:14:10:49 -0700] "GET /images/menu/2ny.png HTTP/1.1" 200 2732 "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "www.random-site.com"
  6. 70.194.129.34 - - [25/Apr/2013:14:10:58 -0700] "GET /chicago/ HTTP/1.1" 200 7451 "http://www.random-site.com/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"
  7. 70.194.129.34 - - [25/Apr/2013:14:10:58 -0700] "GET /include/jquery.js HTTP/1.1" 304 - "http://random-site.com/chicago/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"
  8. 70.194.129.34 - - [25/Apr/2013:14:10:59 -0700] "GET /images/header.png HTTP/1.1" 200 13610 "http://random-site.com/chicago/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"
  9. 70.194.129.34 - - [25/Apr/2013:14:11:00 -0700] "GET /favicon.ico HTTP/1.1" 404 89 "http://random-site.com/chicago/" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SCH-I535 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "random-site.com"
  10. 88.112.192.2 - - [25/Apr/2013:14:11:13 -0700] "GET / HTTP/1.1" 200 4135 "http://startuplife.fi/you-know-you-are-in-san-francisco-when-your-favorite-spare-time-activities-include-eating-or-drinking/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
  11. 88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/jquery.jshowoff.min.js HTTP/1.1" 200 6227 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
  12. 88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/jquery.js HTTP/1.1" 200 25139 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
  13. 88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/jshowoff.css HTTP/1.1" 200 1045 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
  14. 88.112.192.2 - - [25/Apr/2013:14:11:14 -0700] "GET /include/main.css HTTP/1.1" 200 2638 "http://www.random-site.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "www.random-site.com"
  15. 88.112.192.2 - - [25/Apr/2013:14:11:20 -0700] "GET /include/jquery.js HTTP/1.1" 200 25139 "http://random-site.com/san_francisco/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "random-site.com"
  16. 88.112.192.2 - - [25/Apr/2013:14:11:22 -0700] "GET /san_francisco/images/mainimages.jpg HTTP/1.1" 200 60342 "http://random-site.com/san_francisco/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "random-site.com"
  17. 88.112.192.2 - - [25/Apr/2013:14:11:23 -0700] "GET /favicon.ico HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31" "random-site.com"
  18. 208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
  19. 208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
  20. 208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
  21. 208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
  22. 208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
  23. 208.68.234.99 - - [22/Apr/2013:07:51:20 -0500] "GET //admin HTTP/1.1" 401 742 "-" "Teh Forest Lobster"
复制代码



可以看到这边完全是一个web的请求信息。



3. 过滤IP地址信息

  1. root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1
复制代码


4.过滤IP地址并去重复

  1. root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1 |sort -u
  2. 201.21.152.44
  3. 208.115.113.91
  4. 208.54.80.244
  5. 208.68.234.99
  6. 70.194.129.34
  7. 72.133.47.242
  8. 88.112.192.2
  9. 98.238.13.253
  10. 99.127.177.95
复制代码




5. 去重后统计IP地址的访问次数

  1. root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1 |sort| uniq -c
  2.       1 201.21.152.44
  3.      59 208.115.113.91
  4.      22 208.54.80.244
  5.    1038 208.68.234.99
  6.       8 70.194.129.34
  7.       8 72.133.47.242
  8.       8 88.112.192.2
  9.       8 98.238.13.253
  10.      21 99.127.177.95
复制代码


6.对于去重IP地址访问次数排序:
  1. root@Fkali:/tmp/test# cat access_log.txt | cut -d " " -f 1 |sort| uniq -c | sort -run

  3.            1038 208.68.234.99
  4.              59 208.115.113.91
  5.              22 208.54.80.244
  6.              21 99.127.177.95
  7.               8 70.194.129.34
  8.               1 201.21.152.44
复制代码


7. 查看第一个1000多次请求的ip地址对应log
  1. cat access_log.txt | grep 208.68.234.99
复制代码



8. 通过上面的结果,可以看出多次请求/admin这个接口,对这个接口进行统计查看

  1. cat access_log.txt | grep 208.68.234.99 | grep "/admin" | sort -u
复制代码




9. 从上面的分析可以看到,这个ip地址对/admin地址进行了爆破等相关操作,而且从结果可以看出,爆破应该已经成功了。


上面是针对日志文件分析的思路,这边也感谢yuan老师的讲解


  1. 版权声明:本文为CSDN博主「一杯咖啡的时间」的原创文章
  2. 原文链接:https://blog.csdn.net/m0_37268841/article/details/124417252
复制代码




本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-28 11:48 , Processed in 0.015043 second(s), 19 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表