种植树木 美化环境
下面内容节选小密圈部分资源
AI 与红队实践的结合开启了网络安全评估、漏洞发现、漏洞利用和后漏洞利用技术的新时代。AI 极大地增强了红队演习中使用的攻击工具的能力。BurpGPT 就是其中的一个例子,它是一款功能强大的工具,旨在提高使用 Burp Suite 进行应用程序安全测试的精度和效率。它使用高级语言处理和易于使用的界面。该工具利用大型语言模型 (LLM),使用户能够执行复杂的任务,例如评估加密完整性和检测零日漏洞。可以实现的范围取决于所提供提示的质量,允许测试人员使用 AI Copilot 进行 Web 流量分析和 Web 应用程序评估。BurpGPT 可以从 burpgpt.app 下载。
一方面,传统的漏洞扫描工具虽然能够很好地识别已知的安全漏洞,但其运行受限于预定义的规则和签名,通常会遗漏复杂的应用程序逻辑漏洞和新颖的攻击模式。这些工具擅长发现常见漏洞,但经常产生大量误报,并且难以处理情境感知安全问题。
另一方面,人工智能工具可以通过引入智能、情境感知的分析功能彻底改变应用程序安全测试。这些先进的工具利用人工智能模型来理解应用程序行为、适应新的攻击模式,甚至建议潜在的漏洞利用路径——这些功能远远超出了传统扫描器的功能。自然语言处理 (NLP) 的集成使您可以更直观地与这些工具交互,而它们的学习和发展能力使它们擅长识别零日漏洞和复杂攻击。
使用人工智能,你现在可以
以前所未有的速度和规模自动进行漏洞扫描。
生成复杂的网络钓鱼电子邮件,使其与合法通信越来越难以区分。
开发可以逃避传统检测方法的自适应有效载荷。
执行智能网络映射和目标优先级排序。
这些人工智能驱动的工具使红队能够更有效地模拟高级持续性威胁 (APT),从而对组织的安全态势提供更现实的评估。
创建人工智能驱动的攻击性安全工具
有许多由人工智能驱动的进攻性安全工具可以帮助红队自动化并分析此类工具的结果。让我们仔细看看示例 8-1 。示例 8-1中的脚本是一个由人工智能驱动的开源情报 (OSINT) 分析工具,我(Omar)创建它来对给定域进行侦察。该脚本使用工具certspy。Certspy是我创建的另一个工具,用于使用证书透明度日志枚举子域和主机(甚至组织中的内部主机)。示例 8-1中的代码可在https://github.com/santosomar/certspy_ai处访问。可以使用pip3 install certspy安装certspy工具,可从https://github.com/santosomar/certspy获取源代码核心。
示例 8-1中的脚本使用 LangChain、OpenAI 模型和各种库来执行从certspy检索证书信息、DNS 解析和 WHOIS 查找等任务。它还加载环境变量并初始化 OpenAI 聊天模型。它对certspy检索到的主机名执行 DNS 解析,并检索每个 IP 的 WHOIS 信息。
AI 使用 GPT 模型来分析收集到的信息,并深入了解域的安全态势、潜在的敏感主机和其他侦察步骤。
例 8-1 人工智能驱动的开源情报的简单示例
# ai_recon.py__author__ = "Omar Santos"__version__ = "0.1.0"__license__ = "BSD 3-Clause"__description__ = "AI-powered OSINT Analysis of hosts based on certificatetransparency logs"__usage__ = "python3 ai_recon.py secretcorp.org"# Import the necessary librariesfrom certspy import certspyfrom dotenv import load_dotenvfrom langchain.prompts import ChatPromptTemplatefrom langchain_openai import ChatOpenAIimport osimport argparseimport socketfrom ipwhois import IPWhoisimport dns.resolverdef load_environment():load_dotenv()return ChatOpenAI(model="gpt-4o-mini")def create_prompt_template(domain):template = f"""You are an expert security researcher and OSINT investigatorspecializing in analyzing domain information for {domain}.Given the following information about SSL/TLS certificates associated with{domain}, provide an analysis:Domain: {domain}Certificate Information:{{cert_info}}Please analyze this information and provide insights on:1. The security posture of the domain2. Any potential sensitive hosts3. Additional reconnaissance steps that could be taken based on this information4. Any other relevant observationsYour analysis:"""return ChatPromptTemplate.from_template(template)def get_certificate_info(domain):try:api = certspy.certspy()results = api.search(domain)if results:formatted_results = api.format_results(results, common_name_only=True)return formatted_resultsreturn Noneexcept Exception as e:print(f"Error retrieving certificate info: {e}")return Nonedef resolve_dns(hostname):try:return socket.gethostbyname(hostname)except socket.gaierror:return Nonedef get_whois_info(ip):try:obj = IPWhois(ip)results = obj.lookup_rdap(depth=1)org = results.get('network', {}).get('name')cidr = results.get('network', {}).get('cidr')return org, cidrexcept Exception:return None, Nonedef analyze_hostnames(cert_info):additional_info = []for hostname in cert_info:ip = resolve_dns(hostname)if ip:org, cidr = get_whois_info(ip)additional_info.append(f"Hostname: {hostname}nIP:{ip}nOrganization: {org}nCIDR: {cidr}n")return "n".join(additional_info)def analyze_domain(model, prompt_template, domain, cert_info):prompt = prompt_template.invoke({"cert_info": cert_info})return model.invoke(prompt)def parse_arguments():parser = argparse.ArgumentParser(description="AI-powered OSINT Analysis ofhosts based on certificate transparency logs")parser.add_argument("domain", help="The domain to analyze")return parser.parse_args()def main():args = parse_arguments()domain = args.domainprint(f"-----OSINT Analysis of Domain {domain}-----")model = load_environment()prompt_template = create_prompt_template(domain)cert_info = get_certificate_info(domain)if cert_info:print("n----- Raw Certificate Information -----")print("Hostnames:")for hostname in cert_info:print(f" {hostname}")print("n----- DNS Resolution and WHOIS Information -----")additional_info = []for hostname in cert_info:print(f"nHostname: {hostname}")ip = resolve_dns(hostname)if ip:print(f"IP: {ip}")org, cidr = get_whois_info(ip)print(f"Organization: {org}")print(f"CIDR: {cidr}")additional_info.append(f"Hostname: {hostname}nIP:{ip}nOrganization: {org}nCIDR: {cidr}n")else:print("DNS resolution failed")full_info = "n".join(cert_info) + "nnAdditional Information:n" + "n".join(additional_info)print("n----- AI Analysis -----")result = analyze_domain(model, prompt_template, domain, full_info)print(result.content)else:print(f"No certificate information found for {domain}")if __name__ == "__main__":main()
示例 8-1中的脚本旨在从命令行运行,以域名作为参数。它提供对域的全面 OSINT 分析,将技术数据与 AI 生成的见解相结合,以协助安全研究人员和 OSINT 调查员。
示例 8-2显示了针对域secretcorp.org运行脚本时的输出(以 markdown 格式)。
示例 8-2 ai_recon.py 的 AI 驱动输出
-----OSINT Analysis of Domain secretcorp.org-----### Analysis of SSL/TLS Certificates for secretcorp.org#### 1. Security Posture of the DomainThe domain secretcorp.org has multiple subdomains that are linked to differentIP addresses and organizations.- Organization: The majority of the subdomains (backdoor, mail, internal,secretcorp, app1, vpn, finance-app, cloud) are associated with 'US-GITHUB-20170413', suggesting a centralized control and potentially sharedresources. The presence of a subdomain named 'backdoor' is particularlyconcerning as it may imply a weak or intentionally lax security posture, whichcould facilitate unauthorized access or exploitation.- IP Addresses: The IP addresses associated with the subdomains fall within twodifferent CIDR blocks (185.199.108.0/22 and 198.49.23.0/24). The latter isassociated with Squarespace, which indicates that some services may be hosted on athird-party platform. This could introduce vulnerabilities if the hosting providerhas security issues.- SSL/TLS Certificates: The use of SSL/TLS is indicative of an attempt to securecommunications for these subdomains. However, the effectiveness of this securitylayer largely depends on proper certificate management, including ensuring thatcertificates are valid, up-to-date, and not using deprecated cryptographicalgorithms.#### 2. Potential Sensitive HostsThe following subdomains stand out as potentially sensitive:- backdoor.secretcorp.org: The name itself suggests that it may be a point of entryfor unauthorized access or a hidden service. This warrants immediate investigation.- mail.secretcorp.org: This subdomain likely handles email communications, makingit a target for phishing or data breaches.- internal.secretcorp.org: This suggests an internal network resource which shouldnot be exposed publicly. If exposed, this could be a significant security risk.- finance-app.secretcorp.org: This implies a financial application which could bea target for attackers looking to steal sensitive information or exploit financialtransactions.#### 3. Additional Reconnaissance StepsBased on the information provided, the following additional reconnaissance stepscould be taken.- DNS Enumeration: Use DNS enumeration tools to uncover other potential subdomainsassociated with secretcorp.org that may not be publicly listed.- Port Scanning: Conduct port scans on the IP addresses associated with thesensitive subdomains to identify open ports and services running on them.- Web Application Testing: Perform web application security testing, includingvulnerability scanning and penetration testing, particularly on sensitivesubdomains like 'finance-app' and 'mail'.- Social Engineering: Investigate any social engineering possibilities, such asresearching employees or public-facing personnel who may inadvertently exposesensitive information.- Threat Intelligence: Utilize threat intelligence platforms to check if any of thedomains or IPs have been reported in security incidents or breaches.#### 4. Other Relevant Observations- Concentration of IPs: Most of the subdomains share the same IP address(185.199.109.153), which could indicate that they are hosted on the same serveror service. If this server is compromised, multiple services could be affected.- Lack of Diversity in Hosting: The reliance on a single organization (US-GITHUB-20170413) for most of the subdomains may introduce a single point offailure in terms of security. If this organization's security is compromised, itcould impact all services under their control.- Potential for Misconfiguration: Given the presence of a subdomain named'backdoor', there may be misconfigurations in the domain's security posture thatneed to be addressed immediately to prevent exploitation.- Monitoring and Alerting: It would be prudent for secretcorp.org to implementmonitoring and alerting for unusual traffic patterns, especially targetingsensitive subdomains.### ConclusionThe analysis of the SSL/TLS certificates associated with secretcorp.org revealsa domain with potentially sensitive subdomains that could be at risk. Immediateattention should be given to the 'backdoor' subdomain, along with enhancedsecurity measures for email and internal resources. Further reconnaissanceand security testing are recommended to assess vulnerabilities and improve theoverall security posture of the domain.
LangChain、提示模板、LangSmith、LangGraph 和 LlamaIndex
LangChain、LangSmith、LangGraph 和 LlamaIndex 都是功能强大的工具和框架,旨在利用大型语言模型增强应用程序的开发和部署。这些工具在 AI 驱动应用程序生态系统中各有其独特用途。
朗链
LangChain 是一个开源框架,可简化由 LLM 驱动的应用程序的创建。它提供了一套全面的工具和组件,使开发人员能够构建、自定义和部署可以与语言模型和外部数据源交互的应用程序。LangChain 的核心功能包括与语言模型交互以管理输入和提取输出。它允许通过查询和多个提示、任务和其他组件的链来转换和检索数据,以构建复杂的 AI 驱动应用程序。它用于通过决定解决问题的最佳步骤来协调行动。它还提供短期和长期记忆功能来记住用户交互。
提示模板和系统提示
示例 8-1中的脚本创建了一个提示模板,其中包含对 LLM 非常规范的说明。示例 8-3中也显示了该提示模板。
例 8-3 提示模板示例
You are an expert security researcher and OSINT investigator specializing inanalyzing domain information for {domain}.Given the following information about SSL/TLS certificates associated with{domain}, provide an analysis:Domain: {domain}Certificate Information:{{cert_info}}Please analyze this information and provide insights on:1. The security posture of the domain2. Any potential sensitive hosts3. Additional reconnaissance steps that could be taken based on this information4. Any other relevant observations
LangChain 中的提示模板是可重复使用的结构,允许开发人员生成带有动态内容占位符的提示。这些模板有助于为 AI 模型创建一致且精确的查询。LangChain 提供from_template()和PromptTemplate()等函数来创建这些模板,然后可以使用特定输入格式化这些模板以生成所需的输出。
系统提示充当指导 AI 模型解释和响应用户输入的框架。它们通过建立 AI 运行的特定参数,为 AI 交互奠定基础,发挥着至关重要的作用。它们通过定义 AI 的目标、角色和上下文来实现这一点,这有助于定制响应,使其更符合语境且更具吸引力。
系统提示在指导 AI 模型行为方面非常有用。它们可以帮助开发人员和研究人员利用 AI 模型的功能,引导它们生成不仅准确而且符合语境的输出。通过结合特定角色的指导方针、语气指示和创造力限制,系统提示使 AI 模型能够表现出更自然、更连贯的响应,模仿类似人类的交互。
此外,系统提示还能提高自然语言处理系统的整体性能和效率。它们可以帮助 AI 模型处理复杂的查询、处理歧义并生成准确且相关的响应。许多人已将系统提示用于聊天机器人、虚拟助手和内容生成等应用程序。
制作系统提示的最佳实践包括提供详细的背景信息、指定所需的格式以及设定明确的目标,以提高 AI 响应的质量和相关性。有效的提示设计可以确保 AI 输出符合用户的需求和期望,从而获得更精确的答案、减少错误并增强用户体验。
现在让我们看另一个示例。示例 8-4包含一个脚本,用于对给定主机或 IP 地址执行 AI 驱动的 SSL/TLS 分析。它结合了 Nmap SSL 密码扫描结果和 AI 驱动的分析,以提供有关主机 SSL/TLS 配置的全面见解。
该脚本读取由 ai_recon_md.py 创建的 results.md 文件并从文件中提取主机名。它在指定的主机或 IP 地址上执行 Nmap SSL 密码扫描。然后将扫描结果发送到 AI 模型进行分析。
AI 生成的见解被保存到包含最终输出的文件中。
示例 8-4 在给定主机上进行 AI 驱动的 SSL/TLS 分析的示例
# ai_scan.py__author__ = "Omar Santos"__version__ = "0.1.0"__license__ = "BSD 3-Clause"__description__ = "AI-powered SSL/TLS analysis of hosts"__usage__ = "python3 ai_scan.py"# Import the necessary librariesimport reimport subprocessimport jsonimport osfrom openai import OpenAIimport nmapfrom dotenv import load_dotenv# Load environment variables from .env fileload_dotenv()def extract_hostnames_and_ips(file_path):"""Extracts the hostnames and IPs from the results.md file.Args:file_path (str): The path to the results.md file.Returns:list: A list of tuples containing the hostname and IP."""with open(file_path, 'r') as file:content = file.read()pattern = r'### Hostname: ([w.-]+)n- IP: ([d.]+)'matches = re.findall(pattern, content)return matchesdef run_nmap_scan(ip):"""Runs an Nmap scan on the specified IP address.Args:ip (str): The IP address to scan.Returns:str: The scan results."""nm = nmap.PortScanner()nm.scan(ip, '443', arguments='--script ssl-enum-ciphers')# Convert the scan results to a stringscan_results = json.dumps(nm[ip], indent=2)return scan_resultsdef analyze_with_ai(scan_results):"""Analyzes the Nmap SSL cipher scan results using AI.Args:scan_results (str): The scan results to analyze.Returns:str: The analysis results."""client = OpenAI(api_key=os.getenv("OPENAI_API_KEY"))prompt = f"""Analyze the following Nmap SSL cipher scan results and provideinsights on the security posture, potential vulnerabilities, and recommendationsfor improvement:{scan_results}Please structure your analysis as follows:1. Overall Security Posture2. Identified Vulnerabilities3. Recommendations for Improvement"""response = client.chat.completions.create(model="gpt-4o-mini",messages=[{"role": "system", "content": "You are a cybersecurity expertspecializing in SSL/TLS analysis."},{"role": "user", "content": prompt}])return response.choices[0].message.contentdef save_results(hostname, ip, analysis):"""Saves the analysis results to cipher_scan_results.md file.Args:hostname (str): The hostname of the scanned target.ip (str): The IP address of the scanned target.analysis (str): The AI-generated analysis of the scan results."""with open('cipher_scan_results.md', 'a') as f:f.write(f"# Analysis for {hostname} ({ip})nn")f.write(analysis)f.write("nn" + "="*50 + "nn")def main():"""Main function to execute the script."""hostnames_and_ips = extract_hostnames_and_ips('results.md')# Clear the contents of cipher_scan_results.md at the startopen('cipher_scan_results.md', 'w').close()for hostname, ip in hostnames_and_ips:print(f"Scanning {hostname} ({ip})...")scan_results = run_nmap_scan(ip)print(f"Analyzing results for {hostname}...")analysis = analyze_with_ai(scan_results)save_results(hostname, ip, analysis)print(f"Analysis for {hostname} ({ip}) saved to cipher_scan_results.md")print("="*50 + "n")if __name__ == "__main__":main()
AI 模型的推理和分析结果保存在名为 cipher_scan_results.md 的文件中。示例 8-5显示了该文件的摘录。
例 8-5 扫描和 AI 分析结果摘录
# Analysis for internal.secretcorp.org (185.199.110.153)### Analysis of SSL/TLS Cipher Scan Results#### 1. Overall Security PostureThe SSL/TLS cipher scan results indicate that the host at IP address185.199.110.153 is utilizing a strong set of cipher suites for both TLSv1.2 andTLSv1.3 protocols, receiving an overall rating of A for cipher strength. Thisrating suggests that the server is configured to offer modern cryptographic optionsthat resist common attacks, which is critical for ensuring confidentiality andintegrity in communications. The use of strong ephemeral keys (ECDHE) for keyexchange indicates a good practice towards maintaining forward secrecy.#### 2. Identified Vulnerabilities- Protocol Versions Not Present: While the server supports both TLSv1.2 andTLSv1.3, older protocols such as TLSv1.0 and TLSv1.1 are not mentioned in theresults. If they were configured but simply not listed, their use could lead tovulnerabilities, especially since they are considered insecure and deprecated.- Cipher Suites: Although the listed cipher suites are strong, there are still somethat could be improved upon:- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAboth use CBC mode which can be vulnerable to certain attack vectors, such aspadding oracle attacks.- Lack of Forward Secrecy: The inclusion of some RSA-based cipher suites means thatwhile they might still be secure, they do not provide forward secrecy as robustlyas ECDHE-based suites.#### 3. Recommendations for Improvement- Enable Strict TLS Configuration: Ensure that only TLSv1.2 and TLSv1.3 aresupported, completely disabling TLSv1.0 and TLSv1.1. Use settings that explicitlyreject weak protocols to enhance security.- Review Cipher Suite Usage: Consider removing weaker CBC-based cipher suites,switching entirely to authenticated encryption with associated data (AEAD)-basedalgorithms. This could involve focusing on using only the following ciphers:- 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'- 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'- 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305'This helps to maximize both security and performance.- Regularly Update Server Configurations: Maintain regular reviews of your TLSconfigurations and update cipher suites as necessary to comply with emergingsecurity best practices.- Perform Regular Vulnerability Scans: Continually conduct SSL/TLS scans andmaintain vigilance for any vulnerabilities that may arise due to new threat vectorsor weakened ciphers.- Consider HSTS: If not already implemented, consider enabling HTTP Strict TransportSecurity (HSTS) to prevent downgrade attacks and ensure secure communications.In summary, while the security posture of the TLS implementation is strong, thereare opportunities to enhance security by tightening protocol support and continuallyupdating cipher suite selections. Implementing the recommendations will help furthersecure communications and mitigate risks.<output omitted for brevity>
在示例 8-5中,您可以看到 AI 模型如何根据示例 8-4中的脚本中使用的提示模板提供详细的建议和分析。
朗史密斯
LangSmith 是一个专为构建生产级 LLM 应用程序而设计的平台。它专注于监控、评估和优化语言模型应用程序。LangSmith 特别适合从原型设计过渡到生产,为调试和评估提供强大的支持。
图 8-1展示了 LangSmith 的功能示例。它展示了如何在 LangSmith 环境中使用系统提示模板与 LLM 进行交互。
您可以从https://smith.langchain.com/hub/dsfsdkjhfsd/red_team_expert获取图 8-1所示的提示模板。您也可以通过编程方式使用此模板,如示例 8-6所示。
示例 8-6 以编程方式使用 LangSmith 中的提示模板
from langchain import hubprompt = hub.pull("dsfsdkjhfsd/red_team_expert")
了解红队的检索增强生成 (RAG)
RAG 技术正在彻底改变红队处理信息收集、利用、后利用和报告的方式。但什么是 RAG?检索增强生成是一种 AI/ML 技术,它有助于利用来自文档集合的外部知识增强生成式 AI 模型的功能。RAG 充当 AI 框架,旨在通过将模型附加到外部知识库来提高语言模型 (LLM 或 SLM) 生成的响应质量,从而丰富模型的固有数据表示。
图 8-2说明了以下元素:
文档矢量化
矢量数据库存储
用户查询处理
语义搜索和文档检索
文档排序
法学硕士 (LLM) 或语言文学硕士 (SLM) 的背景准备
响应生成以及后处理和细化
在实际的红队行动中,RAG 可以以多种强大的方式发挥作用。例如,在初始侦察阶段,RAG 系统可以自动处理和分析目标组织的公开文档、社交媒体存在和技术文档,以识别潜在的攻击媒介。该系统可以将这些信息与已知的漏洞数据库和攻击技术相关联,从而提供针对具体情况的利用建议。
另一个实际应用涉及使用 RAG 来分析收集的凭证或泄露的数据转储;该系统可以快速识别可能对社会工程或凭证喷洒攻击有用的模式、潜在密码策略和命名约定。
RAG 还可以通过分析目标环境规范并建议定制的恶意软件变体或利用最有可能成功同时逃避检测的组合来协助有效载荷生成。
向量嵌入
在图 8-2中,与安全相关的文档(有效载荷、OSINT/侦察和漏洞数据)被转换为向量表示,称为嵌入。此过程捕获高维空间中文本的语义含义。可以使用许多技术。以下是几个示例:
传统方法包括词频-逆文档频率 (TF-IDF) 和主成分分析 (PCA)。TF-IDF 用于评估文档中单词相对于文档集合 (语料库) 的重要性。它通常用于文本挖掘和信息检索,以改善文本数据的表示。PCA 是一种降维技术,用于减少数据集中的特征数量,同时尽可能多地保留方差 (信息)。它简化了数据集并有助于可视化和降噪。
基于神经网络的嵌入模型,如 Word2Vec 和 FastText。Word2Vec 是学习词嵌入的首批成功方法之一。它将单词表示为连续向量空间中的密集向量,其中具有相似含义的单词彼此接近。Word2Vec 使用浅层神经网络模型来学习词嵌入。在训练过程中,网络会调整词向量,以便出现在相似上下文中的单词由相似的向量表示。FastText 由 Facebook 人工智能研究 (FAIR) 团队开发,是 Word2Vec 的扩展,它将子词信息合并到嵌入中。
现代嵌入模型,例如 OpenAI 的嵌入以及https://huggingface.co/spaces/mteb/leaderboard上的海量文本嵌入基准 (MTEB) 中列出的许多模型。Word2Vec 和 FastText 是静态的、与上下文无关的嵌入。它们更快、更简单,但在处理上下文方面不太灵活。OpenAI 的嵌入和 Hugging Face 中的几个嵌入提供了由高级转换器模型生成的与上下文相关的嵌入。它们比刚才提到的其他嵌入更强大、更灵活,适合复杂任务和细致入微的语言理解。
推荐站内搜索:最好用的开发软件、免费开源系统、渗透测试工具云盘下载、最新渗透测试资料、最新黑客工具下载……
还没有评论,来说两句吧...