渗透测试入门实战

本书中文简体字版由 Wiley Publishing, Inc. 授权清华大学出版社出版。未经出版者书面许可，不得以任何
方式复制或抄袭本书内容。
本书封面贴有 Wiley 公司防伪标签，无标签者不得销售。
版权所有，侵权必究。侵权举报电话： 010-62782989 13701121933
图书在版编目(CIP)数据
渗透测试入门实战 / (美)肖恩•飞利浦•奥瑞雅诺(Sean-Philip Oriyano) 著；李博，杜静，李海莉 译.
—北京：清华大学出版社， 2018
( 安全技术经典译丛 )
书名原文 : Penetration Testing Essentials
ISBN 978-7-302-48693-0
Ⅰ. ①渗… Ⅱ. ①肖… ②李… ③杜… ④李… Ⅲ. ①计算机网络—安全技术 Ⅳ. ①TP393.08
中国版本图书馆 CIP 数据核字(2017)第 270947 号
责任编辑： 王 军　于　平
封面设计： 牛艳敏 周晓亮
版式设计： 孔祥峰
责任校对： 曹　阳
责任印制： 杨　艳 杨 艳
出版发行： 清华大学出版社
网　　址： http://www.tup.com.cn， http://www.wqbook.com
地　　址： 北京清华大学学研大厦 A 座 邮　　编： 100084
社 总 机： 010-62770175 邮　　购： 010-62786544
投稿与读者服务： 010-62776969， c-service@tup.tsinghua.edu.cn
质　量　反　馈： 010-62772015， zhiliang@tup.tsinghua.edu.cn
印 刷 者： 北京富博印刷有限公司
装 订 者： 北京市密云县京文制本装订厂
经　　销： 全国新华书店
开　　本： 185mm×260mm 印　　张： 18 字　　数： 404 千字
版　　次： 2018 年 1 月第 1 版 印　　次： 2018 年 1 月第 1 次印刷
印　　数： 1~3000
定　　价： 59.80 元
—————————————————————————————————————————
产品编号： 074947-01
随着计算机网络技术的飞速发展并深入到经济和社会的方方面面，盗用身份、窃取信
息和钱财，甚至进行网络恐怖攻击等种种网络犯罪也随之粉墨登场、愈演愈烈，从而催生
了日益强烈的安全防护需求，而渗透测试正是查找、分析、展现潜在的安全问题并帮助制
定策略以降低安全风险的最佳手段之一。
渗透测试，又称“白帽黑客”测试，是出于增强安全性的目的，在得到授权的前提
下，通过利用与恶意攻击者相同的思路、技术、策略和手段，对给定组织机构的安全问题
进行检测和评估的过程。通过渗透测试，能够由“知彼”做到“知己”，发现使用传统检
测方法无法发现的攻击路径、攻击方法和技术弱点，从而在安全问题被攻击者利用之前，
对其未雨绸缪地进行修复。
本书作者Sean-Philip Oriyano是一位专注于安全领域25年的资深专家，同时还是一名
美军准尉，指挥一支专门从事网络安全训练、开发和策略制定的网络战分队，经验十分丰
富。本书是一本关于渗透测试的入门书籍，适用于具有一定计算机技术基础、希望更深入
学习渗透测试、在网络安全领域有所建树的读者。本书首先从攻击者的视角，介绍了渗透
测试的基本概念和方法论，以及情报收集、漏洞扫描、密码破解、维持访问、对抗防御措
施、无线网络与移动设备攻击、社会工程攻击等种种渗透测试手段；然后从防御方的角度
阐述了如何加固主机和网络的防护；最后给出了如何规划职业发展，建立渗透测试实验
室，进一步锻炼渗透测试技能的指南。书中介绍深入浅出，提供了丰富的操作实例和章后
思考题，便于读者实践和提高。
本书主要内容由李博、杜静、李海莉翻译，参与本书翻译的还有程若思、韩哲、秦
富童、庞训龙、孔德强、黄赪东、刘宇、袁学军、岁赛等。为了完美地翻译本书，做到
“信、达、雅”，译者们在翻译过程中查阅、参考了大量的中英文资料。当然，限于水平
和精力有限，翻译中的错误和不当之处在所难免，我们非常希望得到读者的积极反馈以利
于更正和改进。
感谢本书的作者们，于字里行间感受到你们的职业精神和专业素养总是那么令人愉
悦；感谢清华大学出版社给予我们从事本书翻译工作和学习的机会；感谢清华大学出版社
的编辑们，他们为本书的翻译、校对投入了巨大的热情并付出了很多心血，没有他们的帮
助和鼓励，本书不可能顺利付梓。
最后，希望读者通过阅读本书能够早日掌握渗透测试的技术精髓，成为一名“行黑客
手段，显白帽风范”的安全高手！
译 者
本书献给我的父母，他们赋予我成长过程中尤为宝贵的核心价值观。虽然父亲已经离
开了我们，但我仍然能时时处处感受到他的影响，事实上，我有时会感觉自己自豪地开怀
大笑的样子和从前的他完全一样。我的母亲仍在人世(愿她健康长寿)，我要感谢她支持和
推动我钻研科学技术，并赋予我对科幻、冷笑话的热爱以及对正确行事的追求。我爱你们
两人，这本书首先献给你们。
我也想把这本书献给军队的战友，是他们慷慨地给予我就读候补军官学校(Officer
Candidate School， OCS)的机会，尽管我并不成熟并且以自我为中心。虽然学校里经历的
磨难当时令我难以忍受，但它帮助我的生活走上正轨，并认识到自己的能力。它也帮助我
意识到重要的并不是自己，而是那些生活受自己影响的人。我希望阅读这本书的读者都能
思考这些问题。 K上校、 A中校、 M上尉、 D上尉、 J上尉和A上尉，我永远感谢你们对我
耐心、真诚、直接、坦率的评价。 我希望我已经成为一名令你们自豪的准尉。这本书也
是献给你们的。
我最后还要将这本书献给我的团队，你们展示了化腐朽为神奇的能力。在过去的一年
里，你们一直不断地给我惊喜。你们让我光鲜亮丽，但我不能自居功劳。我没有承担那些
繁重的工作，是你们承担的；我缺乏即兴发挥的能力和创造力，是你们提供的。 E上士、
L上士、 S上士和N准尉，请继续出类拔萃，赢得荣誉。我还要感谢我的指挥官L中校，他
信赖我的能力，给予我完成这一切的支持。
重复一次，需要感谢的人太多，我真心希望没有漏掉任何人。
首先，感谢Jim Minatel给予我创作这本书的机会，我期待今后的其他机会。
接下来，我要感谢Kim Wimpsett。你无疑是我没有因语言和辞不达意的段落显得愚蠢
的主要原因。我不知道如何表达你在团队中的价值，我希望未来我的每一个项目都有
你加入。
然后，我希望向美国军队的所有人致以谢意，不论你们是谁。虽然可能你们不一定所
有人都能安全回家(当然我真诚地希望都能)，任何人都永远不会被遗忘。而当我穿上制服
时，不仅是为了工作，也是为了纪念你们的牺牲。
Sean-Philip Oriyano是一位资深安全专业人士和企业家。在过去的25年中，他将时间
分别投入到安全研究、咨询和提供IT以及网络安全领域的培训。此外，他还是一位在数字
和印刷媒体出版方面均有多年经验的畅销书作家。在过去十年中， Sean出版了几本书，并
通过参与电视和广播节目进一步扩大了他的影响力。到目前为止， Sean已经参加了十几个
电视节目和广播节目，讨论不同的网络安全主题和技术。在摄像机前， Sean因其平易近人
的风度而著称，并因深入浅出地解释复杂话题的能力广受好评。
除了从事自己的商业活动，他还是一名准尉，指挥一支专门从事网络安全训练、开发
和战略的分队。此外，作为一名准尉，他被公认为是其领域的主题专家，经常在需要时被
要求提供专业知识、培训和指导。
在不工作时， Sean是一位狂热的障碍赛跑运动员，已经完成了多项赛事，其中包括一
项世界冠军锦标赛，四次斯巴达三项大满贯。他还喜欢旅游、健身、 MMA格斗、玩游戏
“银河战士”和“塞尔达传说”。
安全是当今世界受到高度重视的主题之一。由于人们越来越依赖不同形式的技术、随
身数字产品以及许多其他类型的系统和设备，对这些设备和系统实际安全性究竟如何的关
注与日俱增。为了应对诸如身份盗用、信息窃取、服务中断、黑客运动甚至恐怖主义等网
络犯罪的增加，许多公共和私人组织面临着必须在自己成为网络犯罪的受害者以及发生诉
讼之前对这些潜在安全性问题进行测试、评估和修复的挑战。正是为了应对过去、现在和
未来的此类情况，许多组织正在仓促实施或寻求各种安全解决方案。
因此，渗透测试者应运而生，他们背后代表的是查找、分析、呈现和推荐策略以降低
安全事件引起的潜在风险的最佳和最有效手段之一。渗透测试者是那些利用他们对技术及
其漏洞和优势的深刻理解，应客户的要求抢在对组织不怀好意者之前定位和评估安全问题
的人。
本书的目标受众包括那些已经拥有一定技术背景并希望进入渗透测试领域的人。与许
多涵盖渗透测试主题的其他书籍不同，本书力图以简单易懂的方式介绍该主题。本书的目
标是帮助读者更好地了解渗透测试过程，并通过学习各种渗透测试基础理论和实践练习获
得经验和知识。
在完成本书之后，你应该能对成为渗透测试者的意义以及成功所需的技能、工具和
通用知识有一个更好的了解。在完成本书并且练习了所学内容后，就掌握了寻求更先进技
术、测试方法和技能所需的工具。
要充分利用本书的价值，需要有一些便利条件。在开始之前，你应该有一台至少具有
8GB RAM的能够运行最新版本微软Windows或Kali Linux的计算机。此外，你应该有能够
使用的虚拟化软件，如Oracle的VirtualBox或VMware的产品；选择使用何种虚拟化软件取
决于个人喜好和经济能力。
在你阅读本书的过程中，将向你介绍用于完成任务的基于硬件和软件的工具。在章节
和习题中，将给出所选工具的下载链接或通过其他方式获取的方法。 本书涵盖了广泛的渗透测试入门主题。下面列出了各章及其关注重点的简介。
第1章“渗透测试简介”　该章重点介绍渗透测试的一般原理，以及成功所需的技能
和知识。
第2章“操作系统与网络简介”　对操作系统及其所连接网络的结构有着扎实了解是
渗透测试者所必需的。该章探讨两者的基本原理，以奠定学习的基础。
第3章“密码学简介”　如果没有加密技术，很多用于防止无意泄露信息的手段将无
法正常工作。另外，如果不了解密码学，满足各种法律法规的要求将非常困难。该章介绍
密码学功能和机制以及如何应用的基础知识。
第4章“渗透测试方法学综述”　为了可靠地获得最完整和最有效的结果，渗透测试
有一套必须遵循的流程和方法。在该章中，将介绍最流行的执行渗透测试的方法。
第5章“情报收集”　渗透测试过程的第一步是收集有关目标的信息。在该章中，将
探讨收集信息的各种手段，以及如何将它们集成到整个渗透过程中。
第6章“扫描和枚举”　一旦收集到关于目标的足够的情报，即可开始探测并找出可
以提取哪些信息。该章包括如何获取用户名、组、安全策略等信息。
第7章“实施漏洞扫描”　想采取一种不同的方法了解目标？ 那么，可以使用手动或
自动漏洞扫描的过程，定位环境中的弱点，以供以后利用。
第8章“破解密码”　由于密码是许多环境和应用程序的第一线防御，因此必须在获
取这些有价值信息的过程中投入一定时间。在枚举中已经获得了用户名，所以可以专注于
收集这些用户名的密码。
第9章“使用后门和恶意软件保持访问权”　通过调查、探索、突破，现在你已进入
系统。但是，在获得访问权并建立这个滩头阵地后，如何才能保住它？该章要探讨的正是
相关内容。
第10章“报告”　记住，你是在根据合同为客户工作，目标是查找问题并报告你的发
现。在该章中，将介绍报告的一般格式和谋篇布局。
第11章“应对安防和检测系统”　当然并非所有的系统都是门户大开，等待渗透的。
事实上，许多系统中会有几层不同形式的防御，严阵以待。在这种情况下，入侵检测和预
防系统是渗透测试者的死敌，而在该章中将学习如何应对它们。
第12章“隐藏踪迹与规避检测”　在犯罪现场留下线索极易导致被抓住和挫败。在该
章中，将学习如何在事后进行清理，以使除了最坚定的人都无法发现你。
第13章“探测和攻击无线网络”　无线网络普遍存在，因此几乎在任何你所探索的环
境中都需要应对它。如果这些环境中包括移动设备，就必然会遇到此类网络，然后即可将
之作为目标。
第14章“移动设备安全”　无论你如何看待移动设备，移动设备都不会就此停下发展 的脚步，而是不断推出新的形式、功能、外形，并且已成为我们日常生活中的一部分。由
于它们已被整合到商业环境中，并且商业和个人使用之间的界限已经模糊，因此你必须学
习如何应对移动设备。
第15章“进行社会工程攻击”　在每个系统中都有一个最弱的环节，在许多情况下，
最弱的环节是人类。作为一名渗透测试人员，可以利用你的伶牙俐齿、心理学和巧妙的措
辞，将谈话引向那些能够提供有用信息的话题。
第16章“加固主机系统”　有着各种可用于迟滞或阻止攻击的对策。最外层防线之一
是经常锁定或者加固系统，以减少其被破坏的机会。
第17章“加固你的网络”　与加固主机一样，具有可用于迟滞或阻止对网络的攻击的
对策。删除非必要协议，应用防火墙和其他机制可以迟滞并挫败攻击者。
第18章“规划职业成功之路”　在该章中，将自己视为一名毕业生。现在你正在寻求
未来在渗透测试领域的发展。该章将提供下一步应如何继续培养技能的指南。
第19章“建立一个渗透测试实验室” 一名好的渗透测试者需要在实践中练习所拥有
的装备。在该章中，我们将探讨如何建立一个可用于实践和实验的基础实验室。
第1章　渗透测试简介········································································1
1.1　渗透测试的定义············································································1
1.1.1　渗透测试者的工作内容···································································· 2
1.1.2　识别对手······················································································ 2
1.2　保护机密性、完整性与可用性··························································3
1.3　黑客进化史漫谈············································································4
1.3.1 Internet的角色 ··············································································· 5
1.3.2　黑客名人堂(或耻辱柱)····································································· 6
1.3.3　法律如何分类黑客行为···································································· 7
1.4　本章小结·····················································································9
1.5　习题························································································· 10
第2章　操作系统与网络简介····························································· 11
2.1　常见操作系统对比······································································· 11
2.1.1　微软Windows ·············································································· 12
2.1.2 Mac OS······················································································ 13
2.1.3 Linux ························································································ 14
2.1.4 Unix·························································································· 15
2.2　网络概念初探············································································· 16
2.2.1 OSI模型····················································································· 17
2.2.2 TCP/IP 协议族 ············································································· 19
2.2.3 IP地址······················································································· 20
2.2.4 IP地址的格式·············································································· 22
2.2.5　网络设备···················································································· 25
2.3　本章小结··················································································· 27
2.4　习题························································································· 27
第3章　密码学简介········································································· 29
3.1　认识密码学的4个目标 ·································································· 29 3.2　加密的历史················································································ 30
3.3　密码学常用语············································································· 31
3.4　比较对称和非对称加密技术··························································· 32
3.4.1　对称加密技术·············································································· 32
3.4.2　非对称(公钥)加密技术··································································· 34
3.5　通过哈希算法变换数据································································· 36
3.6　一种混合系统：使用数字签名························································ 37
3.7　使用PKI···················································································· 38
3.7.1　认证证书···················································································· 39
3.7.2　构建公钥基础设施(PKI)结构··························································· 40
3.8　本章小结··················································································· 40
3.9　习题························································································· 40
第4章　渗透测试方法学综述····························································· 43
4.1　确定工作的目标和范围································································· 43
4.2　选择要执行的测试类型································································· 45
4.3　通过签订合同获取许可································································· 46
4.3.1　收集情报···················································································· 47
4.3.2　扫描与枚举················································································· 48
4.3.3　渗透目标···················································································· 49
4.3.4　维持访问···················································································· 50
4.3.5　隐藏痕迹···················································································· 50
4.3.6　记录测试结果·············································································· 50
4.3.7　了解EC-Council流程 ····································································· 51
4.4　依法测试··················································································· 52
4.5　本章小结··················································································· 53
4.6　习题························································································· 54
第5章　情报收集············································································ 55
5.1　情报收集简介············································································· 55
5.1.1　信息分类···················································································· 56
5.1.2　收集方法分类·············································································· 56
5.2　检查公司网站············································································· 57
5.2.1　离线查看网站·············································································· 58
5.2.2　寻找子域···················································································· 59
5.3　找到不复存在的网站···································································· 60 5.4　用搜索引擎收集信息···································································· 60
5.4.1　利用谷歌进行黑客活动·································································· 61
5.4.2　获取搜索引擎告警········································································ 61
5.5　使用搜人网站定位员工································································· 62
5.6　发现位置信息············································································· 63
5.7　应用社交网络············································································· 64
5.8　通过金融服务查找信息································································· 67
5.9　调查职位招聘公告栏···································································· 67
5.10　搜索电子邮件 ··········································································· 68
5.11　提取技术信息 ··········································································· 68
5.12　本章小结 ················································································· 69
5.13　习题 ······················································································· 69
第6章　扫描和枚举········································································· 71
6.1　扫描简介··················································································· 71
6.2　检查存活系统············································································· 72
6.3　执行端口扫描 ············································································ 76
6.3.1　全开扫描(端口扫描)······································································ 78
6.3.2　隐蔽扫描(半开扫描)······································································ 79
6.3.3　圣诞树扫描················································································· 80
6.3.4 FIN扫描····················································································· 80
6.3.5 NULL扫描·················································································· 81
6.3.6 ACK扫描 ··················································································· 81
6.3.7　分段扫描···················································································· 82
6.3.8 UDP扫描···················································································· 84
6.4　识别操作系统············································································· 84
6.5　漏洞扫描··················································································· 86
6.6　使用代理服务器(即保持低调)························································· 87
6.7　进行枚举··················································································· 88
6.7.1　有价值的端口·············································································· 88
6.7.2　利用电子邮件ID ·········································································· 89
6.7.3 SMTP枚举·················································································· 89
6.7.4　常被利用的服务··········································································· 91
6.7.5 NetBIOS ···················································································· 91
6.7.6　空会话······················································································· 93
6.8　本章小结··················································································· 93 6.9　习题························································································· 94
第7章　实施漏洞扫描······································································ 95
7.1　漏洞扫描简介············································································· 95
7.2　认识漏洞扫描的局限···································································· 96
7.3　漏洞扫描流程概述······································································· 97
7.3.1　对现有设备进行定期评估······························································· 97
7.3.2 评估新的系统············································································· 98
7.3.3 理解扫描目标············································································· 98
7.3.4 缓解风险··················································································· 98
7.4 可执行的扫描类型 ······································································ 99
7.5　本章小结··················································································100
7.6　习题························································································100
第8章　破解密码·········································································· 101
8.1 识别强密码···············································································101
8.2　选择一种密码破解技术································································102
8.3　实施被动在线攻击······································································103
8.3.1　网络嗅探和数据包分析································································· 103
8.3.2　中间人攻击················································································ 104
8.4　实施主动在线攻击······································································104
8.4.1　密码猜测··················································································· 104
8.4.2 　恶意软件·················································································· 105
8.5　实施离线攻击············································································105
8.6　使用非技术性方法······································································107
8.6.1　默认密码··················································································· 107
8.6.2　猜测························································································· 108
8.6.3 使用闪存驱动器窃取密码······························································ 108
8.7　提升权限··················································································109
8.8　本章小结··················································································110
8.9　习题························································································111
第9章　使用后门和恶意软件保持访问权·············································113
9.1 决定如何攻击···········································································113
9.2 使用PsTools安装后门 ·································································114 9.3 使用LAN Turtle开启一个shell·······················································115
9.4 识别各种恶意软件·····································································116
9.5 启动病毒·················································································117
9.5.1　病毒的生命周期·········································································· 117
9.5.2　病毒的类型················································································ 119
9.6　启动蠕虫··················································································121
9.7　启动间谍软件············································································122
9.8　植入木马··················································································123
9.8.1　使用netcat工作 ··········································································· 124
9.8.2　与netcat通信 ·············································································· 126
9.8.3　使用netcat发送文件 ····································································· 126
9.9　安装rootkit················································································127
9.10 本章小结 ···············································································127
9.11 习题 ·····················································································128
第10章　报告 ·············································································· 129
10.1　报告测试参数 ··········································································129
10.2　收集信息 ················································································130
10.3　突出重要信息 ··········································································131
10.4　添加支持文档 ··········································································134
10.5　实施质量保证 ··········································································135
10.6　本章小结 ················································································136
10.7　习题 ······················································································136
第11章　应对安防和检测系统 ························································· 137
11.1　检测入侵 ················································································137
11.1.1　基于网络的入侵检测································································· 137
11.1.2　网络检测引擎的分类································································· 139
11.1.3　基于主机的入侵检测································································· 140
11.1.4　入侵防御系统·········································································· 140
11.2　识别入侵痕迹 ··········································································141
11.2.1　主机系统入侵·········································································· 141
11.2.2　统一威胁管理·········································································· 142
11.2.3　网络入侵的指标······································································· 142
11.2.4　入侵的模糊迹象······································································· 143 11.3　规避IDS ·················································································143
11.3.1　以IDS为目标··········································································· 144
11.3.2　混淆······················································································ 144
11.3.3　利用隐蔽通道·········································································· 145
11.3.4　“狼来了” ············································································· 145
11.3.5　通过加密进行规避···································································· 146
11.4　攻破防火墙 ·············································································146
11.4.1　防火墙配置············································································· 147
11.4.2　防火墙的类型·········································································· 148
11.4.3　了解目标················································································ 148
11.4.4　防火墙上“蹈火” ···································································· 149
11.5　使用蜜罐：披着羊皮的狼 ···························································151
11.5.1　检测蜜罐················································································ 152
11.5.2　蜜罐的问题············································································· 152
11.6　本章小结 ················································································153
11.7　习题 ······················································································153
第12章　隐藏踪迹与规避检测 ························································· 155
12.1　认识规避动机 ··········································································155
12.2　清除日志文件 ··········································································156
12.2.1　禁用Windows中的日志记录过程 ·················································· 157
12.2.2　删除日志文件中的事件······························································ 158
12.2.3　清除Linux计算机上的事件日志 ··················································· 160
12.2.4　擦除命令历史·········································································· 160
12.3　隐藏文件 ················································································161
12.3.1　使用备用数据流(NTFS)隐藏文件 ················································· 161
12.3.2　用隐写术隐藏文件···································································· 163
12.4　规避防病毒软件检测 ·································································166
12.5　通过后门规避防御 ····································································168
12.6　使用rootkit进行规避 ··································································169
12.7　本章小结 ················································································170
12.8　习题 ······················································································170
第13章　探测和攻击无线网络 ························································· 171
13.1　无线网络简介 ··········································································171 13.1.1　认识无线网络标准···································································· 172
13.1.2　比较5GHz和2.4GHz无线网络 ······················································ 173
13.1.3　识别无线网络的组件································································· 174
13.1.4 Wi-Fi认证模式········································································· 177
13.2　攻破无线加密技术 ····································································178
13.2.1　破解WEP ··············································································· 178
13.2.2　从WEP转换到WPA··································································· 179
13.2.3　破解WPA和WPA2 ···································································· 180
13.2.4　了解无线部署选项···································································· 181
13.2.5　防护WEP和WPA攻击································································ 183
13.3　进行Wardriving 攻击··································································183
13.4　进行其他类型的攻击 ·································································185
13.5　选择攻击无线网络的工具 ···························································186
13.5.1　选择实用程序·········································································· 187
13.5.2　选择合适的无线网卡································································· 187
13.6　破解蓝牙 ················································································189
13.6.1　蓝牙攻击的类型······································································· 190
13.6.2　关于蓝牙的注意事项································································· 191
13.7　物联网黑客技术 ·······································································192
13.8　本章小结 ················································································192
13.9　习题 ······················································································193
第14章　移动设备安全 ·································································· 195
14.1　认识当今的移动设备 ·································································195
14.1.1　移动操作系统的版本和类型························································ 196
14.1.2　移动设备面临的威胁································································· 197
14.1.3　移动安全的目标······································································· 197
14.2　使用Android操作系统 ································································199
14.2.1 Android系统的root操作······························································ 200
14.2.2　在沙箱中操作·········································································· 200
14.2.3　搭建定制的Android系统····························································· 202
14.3　使用苹果iOS ···········································································203
14.4　查找移动设备中的安全漏洞 ························································204
14.4.1　破解移动密码·········································································· 204
14.4.2　寻找不受保护的网络································································· 205
14.5　有关自带设备 ··········································································205 14.6　选择测试移动设备的工具 ···························································206
14.7　本章小结 ················································································207
14.8　习题 ······················································································207
第15章　进行社会工程攻击 ···························································· 209
15.1　社会工程导论 ··········································································209
15.2　利用人性 ················································································210
15.3　像社会工程攻击者那样行动 ························································211
15.4　选择特定的受害者 ····································································212
15.5　利用社交网络 ··········································································213
15.6　实现更安全的社交网络 ······························································213
15.7　本章小结 ················································································214
15.8　习题 ······················································································215
第16章　加固主机系统 ·································································· 217
16.1　加固简介 ················································································217
16.2　防御三原则 ·············································································218
16.2.1　采取纵深防御的方法································································· 218
16.2.2　贯彻隐式拒绝原则···································································· 219
16.2.3　贯彻最小权限原则···································································· 220
16.3　建立安全基线 ··········································································221
16.4　使用组策略进行加固 ·································································222
16.5　桌面系统安全加固 ····································································223
16.5.1　管理补丁················································································ 224
16.5.2　增强密码················································································ 227
16.5.3 　谨慎安装软件········································································· 228
16.5.4　使用防病毒软件包···································································· 229
16.6　备份系统 ················································································229
16.7　本章小结 ················································································230
16.8　习题 ·····················································································231
第17章　加固你的网络 ·································································· 233
17.1　网络加固简介 ··········································································233
17.2　入侵检测系统 ··········································································234
17.2.1 IDS原理综述··········································································· 234 17.2.2 HIDS的组件············································································ 235
17.2.3 IDS的局限性··········································································· 235
17.2.4　调查事件················································································ 236
17.3　防火墙 ···················································································236
17.3.1　防火墙的原理·········································································· 237
17.3.2　防火墙的局限性······································································· 238
17.3.3　实现防火墙············································································· 239
17.3.4　制定防火墙策略······································································· 240
17.3.5　网络连接策略·········································································· 240
17.4　物理安全控制项 ·······································································241
17.5　本章小结 ················································································242
17.6　习题 ······················································································242
第18章　规划职业成功之路 ···························································· 243
18.1　选择职业发展路线 ····································································243
18.2　建立资料库 ·············································································245
18.3　练习写作技术文章 ····································································246
18.4　展示你的技能 ··········································································246
18.5　本章小结 ················································································247
18.6　习题 ······················································································247
第19章　建立一个渗透测试实验室 ··················································· 249
19.1　决定建立实验室 ·······································································249
19.2　考虑虚拟化 ·············································································250
19.2.1　虚拟化的优点·········································································· 251
19.2.2　虚拟化的缺点·········································································· 252
19.3　开始行动，以及所需资源 ··························································252
19.4　安装软件 ················································································253
19.5　本章小结 ················································································254
19.6　习题 ······················································································255
附录　习题答案············································································ 257 你已决定成为一名渗透测试者(通常被称为pentester)，但还不知如何入手？本书将帮
助你了解成为渗透测试者的意义，以及这一角色需要具备的技术和担负的道义责任。你将
获得在渗透和实践安全领域取得成功所必备的技能。
具体而言，你将接触到多种正在用于黑客攻防第一线的方法；同时，还将接触到可用
于渗透测试中以获取信息或建立用于发起更高级攻击的支撑点的种种技术。
另外，了解攻击者的动机有助于掌握攻击范围甚至知晓攻击细节。事实上，需要站在
攻击者的角度以理解他们发起攻击的原因，继而利用这种经验来测试客户的网络。
本章将学习：
渗透测试的定义及渗透测试者的工作内容
为何要保护机密性、完整性和可用性
回顾黑客和渗透测试的历史
　渗透测试的定义
在当今世界中，由于各类组织不得不更为认真地审视其安全态势及改善方法，渗透测
试者变得更为重要。诸如零售巨头塔吉特(Target)百货以及娱乐巨头索尼(Sony)公司遭受的
攻击等一些重大安全事件，引发了人们对于训练有素、技能丰富，能够了解系统弱点并能
予以定位的安全专家的需求的关注。通过采取一套综合了技术、行政和物理手段的程序，
许多组织机构已经学会抵御他们系统中的漏洞。
技术手段包含运用虚拟专用网(Virtual Private Network， VPN)、加密协议、入侵
检测系统(Intrusion Detection System， IDS)、入侵防御系统(Intrusion Prevention
System， IPS)、访问控制列表(Access Control List， ACL)、生物识别技术、智能卡
技术以及其他有助于提高安全性的装置。
行政手段包含运用政策、规程以及其他在过去的十年间应用和加强的规则。
物理手段包含运用诸如电缆锁、设备锁、报警系统和其他类似设备。
作为一名渗透测试者，必须为测试包含上述一种或多种技术的各类环境以及几乎数不
胜数的其他情况做好准备。那么，渗透测试者到底承担了什么角色？ 渗透测试者通常由组织机构以内部员工或外部实体(例如按职位或按项目的承包商)的
形式雇佣。不管采取何种雇佣形式，渗透测试者都要开展渗透测试：利用与恶意攻击者相
同的技术、策略和手段，对给定组织结构的安全性进行调查、评估和测试。渗透测试者与
恶意攻击者的主要不同在于目的以及是否获得所评估系统的所有者的法律许可。此外，渗
透测试者不得向除客户指定人员之外的任何人透露测试结果。为保证双方权益，雇用者通
常会与渗透测试者签署一份保密协议(Nondisclosure Agreement， NDA)。这么做既可以保
护公司的财产，又可允许渗透测试者访问内部资源。最终，渗透测试者根据合同为公司服
务，而合同规定了哪些行为是违规的以及在测试结束时渗透测试者需要提交哪些内容。合
同的所有细节取决于组织机构的具体需求。
其他一些术语也常用于称呼渗透测试者：渗透测试人员、道德黑客和白帽黑客。所有
这些术语都是正确的，它们描述的是同一类人员(尽管在某些场合有的人可能会就这些明
显的近义词展开争论)。通常情况下，最常用的是渗透测试者。不过国际电子商务顾问局
(EC-Council)在它自己的证书“道德黑客认证(Certified Ethical Hacker)”中使用的是“道德
黑客”这一称呼。
在某些场合，“什么人才算是黑客”一直是一个热议
话题。几年来，笔者曾就“黑客”这一术语是褒是贬参与过
许多有趣的讨论。许多黑客坏事做尽、百无一益，电影、电
视、书籍及其他媒体上也往往正是这样描写他们的。然而，
黑客也发生了进化，这一术语不再只指那些从事犯罪的人。
事实上，许多黑客已经表明，尽管他们具备犯罪和毁灭的能
力，但他们更有兴趣的是与客户和他人交流以帮助他们提高
安全性或进行相应研究。
在现实世界中，可以对黑客分门别类，以区分他们的技能和意图。
脚本小子　　此类黑客只获得了有限的训练或完全未经训练，只知道如何使用基本的
工具或技术。他们甚至可能完全不理解自己正在做什么。
白帽黑客　此类黑客按照攻击团队的方式思考，但为好人服务。一般认为他们的特征
是，有着一套通常被视为道德规范的“不造成任何损害”的原则。这个群体也被称为渗透
测试者。
灰帽黑客　此类黑客游走在黑白两道之间，现已决定改弦更张，弃恶从善。但即使已
改过自新，仍不能完全信任他们。另外，在现代安全界，这类人员也会发现并利用漏洞，
而后将结果提供给供应商，可能免费，也可能换取某种形式的报酬。
为保险起见，不想造
成困扰的专业人士应避免
使用“黑客”一词，以免
引起客户可能的恐慌。
“渗透测试者”这一术语
应是首选。 黑帽黑客 此类黑客是违反法律的恶徒。他们的行动可能有一定的计划，也可能毫
无规律可言。在大多数情况下，黑帽黑客的做法和彻头彻尾的犯罪行为之间并没有太大
区别。
网络恐怖分子 网络恐怖分子是一种新形式的攻击者，他们试图摧毁目标而不考虑隐
藏身份。本质上他们是为证明某个观点，而并不担心被捕或入狱。
　保护机密性、完整性与可用性
任何有安全意识的组织都在努力维护CIA安全三要素，即机密性(confidentiality)、完
整性(integrity)和可用性(availability)这三个核心原则。以下列表描述了其核心概念。在履
行渗透测试任务和职责时应牢记这些概念。
机密性 这是指对信息的保护，使其免遭非授权者获取。用于保护机密性的控制措施
是权限和加密。
完整性 这是指将信息保持为一种可保留其原始意图的格式，即接收者打开的数据与
创建者意图创建的数据相同。
可用性 这是指保证信息和资源对需要它们者可用。简而言之，无论信息或资源多么
安全，如果不能在需要时就绪并且可用，它们将毫无用处。
在进行系统安全性评估和规划时， CIA准则即使不是最重要的保障目标，也是最重要
的目标之一。在瞄准一个系统后，攻击者便会尝试破坏或扰乱这些目标。 CIA安全三要素
的相辅相成关系如图1.1所示 。

为何CIA安全三要素如此重要？考虑一下，如果投资公司或国防承包商遭受了被某个
恶意团体泄密的事件，会产生怎样的后果？结果将是灾难性的，更不用提它可能会使组织
面临严重的民事甚至刑事风险。作为一个渗透测试者，要做的就是努力在客户的环境中发 现破坏CIA准则的漏洞并搞清楚其机理，而另一种分析该问题的角度是使用一种本书称为
反CIA准则(见图1.2)的工具。

不当泄露 这是指由于疏忽、事故或恶意，导致信息或资源向外泄露或得以访问。简
而言之，如果不是有权访问对象的人，那么永远不应访问到它。
未授权修改 它是完整性的对立面，是指未经授权或其他形式的信息修改。这种修改
可能是由于错误、意外访问或者主观恶意造成的。
中断(亦称损失) 这是指失去对信息或资源的访问，而本不应该这样。本质上，当需
要时而不在其处的信息就是无用的。虽然信息或其他资源不可能100％可用，但某些组织
花费时间和金钱来获得99.999％的正常运行时间，这相当于平均每年只有约6分钟的停机
时间。
　黑客进化史漫谈
渗透测试者的角色常常成为IT安全行业中易被误解的职位之一。为了了解这个角色，
首先需要回顾一下渗透测试者的前身(即黑客)的进化史。
“黑客”一词已有很长历史，其源头可以追溯到五十余年前(20世纪60年代)的那些技
术狂人。这些人和今天的黑客不一样，他们只不过是对新技术有好奇心和热情，并花时间
探索早期系统内在机理和局限性的人。早期，这些黑客会寻找目标系统，并尝试通过发掘
系统的新功能或发现对当时技术而言未公开或未知的秘密来挑战极限。虽然技术已经取得
了长足的进步，但这些早期黑客的理念却一直得以延续。
黑客一词在技术行业中具有双重意义，它既可以描述软件程序员，也可以描述那些未
经许可侵入计算机和网络的人。前者的含义更为正面，而后者则带有贬义。凡涉及计算机 或其他相关技术时，必使用黑客一词的新闻媒体使其含义更加混乱。基本上，新闻媒体、
电影和电视节目会把任何改变技术或具有高水平知识的人称为黑客。
回顾这些早期的技术爱好者时，可以发现他们有一个共同的特点，那就是对新技术
的好奇心和对学习新事物的渴望。最初的黑客们的好奇心是由院校或企业中的大型机激
发的。而随着时间的推移，个人电脑(PC)引起了他们的注意，因为它是一项全新的、光芒
四射的技术，有待探索、解析和利用。事实上，早期PC机(的普及)使得相比之前的短暂年
代，能够有更多的人继承技术爱好者和黑客的衣钵。 20世纪90年代， Internet使得黑客能够
比以往任何时候都更加容易地广泛传播他们的活动，这对他们形成了不可抗拒的诱惑。现
在，在2016年之后的今天，我们比以前任何时候都有更多(被入侵)的可能。 Wi-Fi、蓝牙、
平板电脑和智能手机以及其他许多技术的爆炸式增长进一步增加了混乱，以及可被黑客入
侵攻击的设备的数量。随着技术的发展，黑客也在进步，他们不断增强的技术能力和创造
力导致攻击也在不断进化。
由于消费类产品并不像注重产品功能那么重视安全，因此攻击也变得更加容易。说到
底，通常发布新产品(如平板电脑、 PC或其他产品)的制造商往往侧重于产品的功能，而不
关注产品是否安全。尽管近几年来这种趋势可能有所改变，一些供应商比过去更加注重产
品安全，但别高兴得太早，许多产品在默认情况下仍然存在漏洞。
Internet向公众开放后不久，黑客更加多产，也更加危险。起初在Internet上进行的许
多攻击都是恶作剧式的，如篡改网页或类似的行为。虽然最初Internet上的这些攻击本质上
可能是恶作剧，但后来的攻击恶劣程度要严重得多。
事实上， 2000年以来，发生的攻击事件越来越复杂，攻击性越来越强，公开化程度也
越来越高。一个例子是2014年8月苹果公司云数据服务iCloud的大规模数据泄露，导致数
百位名人的各种亲密照片被公之于众。遗憾的是，苹果公司的客户条款使得客户并不能追
究其数据泄露和其他问题的责任。迄今为止，该攻击事件已导致多起因照片被盗而提起的
诉讼，同时也给苹果公司带来了大量负面公众影响。由于数据泄露而被盗的照片现在可在
Internet上随意找到，并且以野火燎原之势传播，这给照片上的人带来了极大的困扰。
恶意黑客造成损害的另一个例子是发生在2014年9月的塔吉特公司数据泄露事件。该
事件造成约5600万个信用卡账户泄露。这一数据外泄事件距上一次广为人知的塔吉特公司
数据泄露事件还不到一年时间，而上次事件导致4000万客户账户的泄露。
最后一个例子来自美国政府于2016年3月提供的信息。据透露，截至2015年3月的18
个月期间，已经报告了对奥巴马医改网站316个不同严重程度的网络安全事件。数以百万
计的美国人使用该网站搜索和获取医疗保健信息，除了12个州和华盛顿特区外的所有地区
都使用它。虽然对这些事件的全面分析表明尚未泄露任何个人信息，如社保账号或家庭住
址，但它确实表明该网站可能被视为窃取此类信息的有效目标。令人有些担忧的是，事实 上(该网站)现在还存在着许多其他严重的安全问题，如未打补丁的系统和集成度不佳的系
统等(容易被黑客利用)。
所有这些攻击都是正在发生的并且对公众造成伤害的恶意攻击的例子。
许多因素促成了黑客和网络犯罪的增加，其中Internet上可用的海量数据以及新技术
和数码产品的扩散是两大首要原因。 自2000年以来，越来越多的便携式设备出现在市场
上，且功能和性能均稳步增长。 智能手机、平板电脑以及可穿戴计算和类似产品已经变
得高度开放，易于联网，可让人们轻松共享信息。 此外，请注意可连接Internet设备的巨
大数量，例如智能手机、平板电脑和其他随身携带的数码产品数量。 上述所有例子都引
起了犯罪分子的关注，其中许多人有着窃取金钱、数据和其他资源的动机。
许多发生在过去十几年中的攻击已不再由以往那类好奇黑客发动，而是其他群体。涉
及其中的群体包括那些有政治动机的团体、激进组织和罪犯。虽然很多网络攻击仍然由好
奇者或恶作剧人士发动，但是这些更具恶意动机的攻击往往更易被曝光并产生极大影响。
许多黑客和罪犯选择隐藏在假名之后，在很多案件中，他们一直逍遥法外，但这并不
意味着没有一些知名的黑客人物和事件。下面是一些历史上著名的黑客：
1988年，康奈尔大学的学生Robert T. Morris, Jr.制作了被认为是首个Internet蠕虫的
病毒。由于对蠕虫设计的疏忽，该病毒进行了极快的无差别复制，导致广泛的速
度下降，影响了整个Internet。
1994年， Kevin Lee Poulsen使用假名“黑暗但丁(Dark Dante)”接管了位于洛杉矶
的KIIS-FM广播电台的所有电话线路，以确保他成为第102位来电者，赢得一辆保
时捷944 S2跑车。 Poulsen在出狱后由于成为第一个被禁止使用Internet的人而声名
鹊起(尽管该禁令只是一个有期处罚)。该事件的一个花絮是， Poulsen现在是美国
《连线》杂志的编辑。
1999年， David L. Smith制造了“梅利莎(Melissa)”病毒，该病毒设计为通过发送
电子邮件入侵用户地址簿，而后删除受感染系统上的文件。
2001年， Jan de Wit制造了以网坛美女库尔尼科娃(Anna Kournikova)命名的病毒，
该病毒设计为读取用户Outlook软件(微软办公套件之一，主要用来收发邮件)通讯
录的所有条目，并将自身发送到通讯录的每个邮箱中。
2002年， Gary McKinnon接入了美国军用网络，并删除了其中的关键文件，包括有
关武器和其他系统的信息。
2004年， Adam Botbyl和两位朋友共谋，窃取了劳氏(Loweʼs)工具连锁店的信用卡
信息。
2005年， Cameron Lacroix入侵了大名鼎鼎的帕丽斯 • 希尔顿(Paris Hilton)的电话，
并参与对律商联讯(LexisNexis，世界知名法律服务提供商)网站的攻击，该网站是 一个在线公共记录聚合器，最终导致数千条个人信息记录泄露。
2009年，俄罗斯年轻的黑客Kristina Vladimirovna Svechinskaya参与了几起诈骗美
国和英国一些大型银行的事件。她使用特洛伊木马进行攻击，在美国银行(Bank of
America)开设了数千个银行账户，通过这些银行账户，她总共可诈骗30亿美元。
该事件中一个有趣的花絮是， Svechinskaya女士因为她的美貌而被评为世界上最性
感黑客。提到这一点，是要说明一个事实，即那种生活在地下室的社交困难或一
副书呆子相的黑客形象已一去不复返了。在本案中，这位黑客不仅技能熟练和危
险，而且并不符合对于黑客外貌的那种刻板印象。
2010年至今，黑客组织“匿名者(Anonymous)”攻击了多个目标，包括地方政府网
络和新闻机构等。直到今天，该组织依然活跃并进行了数次高调的攻击。他们曾
将唐纳德 • 特朗普(Donald Trump)和他的2016年总统竞选活动列为攻击目标。
尽管许多攻击与实施这些攻击的黑客使得新闻在某种程度上形成了一些定式或形式，
但还有许多并非如此。事实上，许多高价值、复杂和危险的攻击经常发生，但从未被报
道，更糟的是有的甚至未被发现。在被发现的攻击中，只有少数黑客会受审，锒铛入狱的
更是少之又少。但是，无论是否被抓住，黑客攻击始终是一种犯罪行为，在一个不断发展
的法律体系中将会被起诉。
在过去二十年中，与黑客有关的犯罪行为发生了巨大的变化，下文列出了网络犯罪的
一些宽泛分类：
盗用身份信息
这是指窃取身份信息，从而使得某人可以冒用另一方身份达到非法目的。通常，这种
类型的活动是为了获得经济利益而进行的，例如开立信用卡或银行账户；或者在极端情况
下进行其他犯罪，例如获得租赁资产或其他服务。
盗用服务
这包括未经正式或口头许可使用电话、 Internet或其他类似的服务。属于此类别犯罪行
为的例子一般是窃取密码和利用系统漏洞的行为。有趣的是，在某些情况下，仅仅是窃取
密码等的行为就足以构成犯罪。在某些州，与朋友和家人分享Netflix(著名在线影视服务)
等服务账户可能被视为盗用服务而被起诉。
网络入侵或未经授权访问
这是最古老和常见的攻击类型之一。以这种类型的攻击为先导的其他攻击(例如身份
信息盗用、盗用服务以及其他无数种可能性)并非闻所未闻。在理论上，任何一次未经授
权的网络访问都足以被认为是网络入侵，这包括使用Wi-Fi网络或甚至未经许可登录一个 来宾账户。
发布和/或传播非法材料
在过去十年中，这是一个难以解决和处理的问题。被认定为非法分发的材料包括受版
权保护的材料、盗版软件和儿童色情内容等。相关技术(如加密、文件共享服务和保持匿
名等方式)的易于获得使得这些活动屡禁不止。
欺诈
这是一种使用非法信息或非法访问来欺骗另外一方或多方的行为，目的往往是获取经
济利益或造成损害。
侵占
这是一种金融诈骗形式，涉及盗用或挪用资金，是违反重要职位信用的结果。通过使
用现代技术，这项任务变得更加容易。
垃圾收集
这是最古老、最简单的方法，即获取和收集已丢弃或留在不安全或无保护容器中的材
料。丢弃的数据往往可以拼接到一起，重建敏感信息。虽然翻找垃圾本身并不违法，但翻
找私有物业的垃圾却构成犯罪，可以以入侵犯罪或其他相关罪名起诉。
编写恶意代码
这是指病毒、蠕虫、间谍软件、广告软件、 rootkit或其他类型的恶意软件。基本上而
言，这类犯罪包含一类故意编写用以造成破坏或中断的软件。
未经授权销毁或更改信息
这包括在未获取适当权限的情况下修改、销毁或篡改信息。
拒绝服务(DoS)和分布式拒绝服务(DDoS)攻击
这两种攻击方式都是使系统资源超负荷，以致无法向合法用户提供所需的服务。虽然
目标相同，但DoS和DDoS两个术语实际上描述了两种不同形式的攻击。 DoS攻击是小规模
的一对一的攻击；而DDoS攻击规模更大，其中成千上万的系统攻击同一目标。
网络跟踪
这是在此列举的犯罪行为中相对较新的一种。这种犯罪的攻击者使用在线资源或其他
手段来收集个人相关信息，并使用它来跟踪该人；同时在某些情况下，试图在现实生活中
接触目标。虽然一些州(如加利福尼亚)已经制定了针对网络骚扰犯罪行为的法律，但这类
立法远不普遍。在许多情况下，由于骚扰者在实施犯罪期间穿越了州界，哪个州或管辖范
围可以起诉成为一个问题。 网络欺凌
这种行为与网络跟踪非常类似，区别是在该行为中，个人使用社交媒体和其他技术等
手段来骚扰受害者。虽然此类行为可能看起来不算什么大事，但据称它已导致一些人因被
欺凌而自杀。
网络恐怖主义
遗憾的是，当今世界的一个现实是，敌对方已经意识到，传统武器无法给予他们像发
动网络空间战那样的力量。与被派往目标国家相比，通过网络空间从事恐怖主义行为所冒
的真实风险是微不足道的。
为了帮助了解网络犯罪的本质，首先要了解犯罪行为必有的三个核心要件，它们分
别是：
实现目标或目的的手段或能力，这本质上意味着具备完成工作所需的技能和能力。
动机，即追求既定目标的原因。
机会，即给定时间内落实威胁所需的空缺或弱点。
正如将在本书中探讨的，这些攻击类型中的许多种类开始时非常简单，但迅速发展出
越来越多先进的形式。攻击者迅速地升级了攻击方法并采用更为先进的战略，使得攻击比
以往更加有效。由于他们已经知道如何骚扰和激怒公众，通过将现代这种“互联”的生活
方式作为目标，他们也对当今世界带来了更大的破坏。
随着智能手机和社交网络等新技术更加融入日常生活，本书提到的攻击只会不断增
长。通过这些设备和技术收集、跟踪和处理的信息量大得惊人。据某些信息源估计，每隔
三分钟就会从大多数人身上收集有关定位、应用程序使用、网页浏览和其他数据的信息。
有着如此之大信息量的收集，很容易想象出可能发生的信息滥用场景。
过去十多年来，大量攻击的背后都由贪欲驱使。黑客们已经意识到，他们的技能现在
不仅仅可以满足好奇，也可以用来获得经济利益。常见的例子之一是在这段时间内出现的
恶意软件。恶意软件不仅可以感染系统，而且在许多情况下也可以为其制作者带来收益。
例如，恶意软件可以将用户的浏览器重定向到指定网站，目的是让用户点击或浏览广告。
　本章小结
本章介绍了渗透测试者是通过使用与恶意黑客相同的技术来调查、评估和测试给定组
织安全性的人。他们的“对手”是脚本小子、白帽黑客、灰帽黑客、黑帽黑客和网络恐怖
分子。渗透测试的工作是试图破坏客户的机密性、完整性和可用性。
此外，还介绍了黑客和渗透测试的演化过程，包括Internet在其中扮演的角色和历史上
的著名黑客。 　习题
1. 一家公司可以使用哪三种类型的安全控制措施来防御黑客？
2. 黑客与渗透测试者之间主要有何区别？
3. 渗透测试者都有何别称？
4. 在讨论信息安全时， CIA三要素代表什么？
5. 列举一些网络犯罪的类别。

购买地址：

https://item.jd.com/12286400.html