Chapter 2 - cyber threats and attacks
2022-06-12 07:34:00 [bugmaker.]
- Security threats in the network

From the perspective of information flow: interruption, interception, fabrication, modification.
From the source of the threat: internal vs. external threats, natural vs. man-made threats.
From the behaviour of the attacker: active vs. passive threats.
From the perspective of motivation: intentional vs. accidental threats.

- Common security attack methods
(1) Exploiting the system's own security vulnerabilities;
(2) Trojan horse programs: disguised as a utility or game to entice the user to download and open them; once the user unwittingly runs the program, a backdoor is installed in the system;
(3) Web spoofing: enticing users to visit a tampered web page;
(4) E-mail attacks (mail bombs, e-mail spoofing);
(5) Network sniffing (capturing sensitive information transmitted in plaintext);
(6) Springboard (relay) attacks: attacking through one or more previously compromised intermediate hosts so that the attacker's real origin stays hidden;
(7) Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks;
(8) Stealing passwords to enter the system (network sniffing, brute force).

- Causes of software vulnerabilities
Technology: the complexity of software (incomplete requirements, design flaws, tight development schedules, errors in the development tools themselves).
Personnel: human error.
Cost: software security requires investment whose benefits are only indirect.
Configuration and management: administrators are inert and lack security awareness (default configurations, administrator negligence, temporarily opened ports, trust relationships).

- Common steps of a system intrusion

- Course of an attack: footprinting (information gathering) -> targeting (analysing the target) -> intrusion (the attack itself) -> keeping a way back in (making re-entry easy) -> erasing traces (cleaning up).
- General phases of an attack: pre-attack -> attack -> post-attack.
Pre-attack: the goal is to collect information on which to base the attack. Contents: obtain domain names and IP address allocation; obtain the network topology and operating systems; obtain open ports and services; obtain application-level information; track newly published vulnerabilities.
Attack: the goal is to gain some level of privilege on the system. Contents: obtain remote access; enter the remote system; escalate local privileges; extend privileges further; carry out the substantive operations.
Post-attack: the goal is to remove traces and keep privileged access for the long term. Contents: implant a backdoor or Trojan; delete logs; patch the obvious vulnerabilities (so that nobody else gets in the same way); penetrate and expand further.
- Attack types by phase: pre-attack, attack, post-attack. Other attack types: denial-of-service attacks, sniffer attacks, malicious web attacks, social-engineering attacks.
Pre-attack: port scanning, vulnerability scanning, operating system identification, network topology analysis.
Attack: buffer overflow attacks, script vulnerability attacks, password attacks, misconfiguration and weak-configuration attacks, network spoofing and hijacking attacks.
Post-attack: backdoors and Trojans, trace erasure.

- Pre-attack overview
Ping sweep: find live hosts. Port scan: find open services (ports). OS fingerprinting: identify the operating system. Resource and user information scanning.

- Network scanners
Introduction: programs that automatically detect security vulnerabilities (loopholes) in remote or local systems.
Main functions (steps / working principle):
a. Scan the target host to determine whether it is up (on / off);
b. Identify the state of the target host's ports (listening / closed);
c. Identify the type and version of the target's operating system and service programs;
d. Analyse the system for vulnerabilities against a database of known vulnerabilities;
e. Generate a scan report.
Scanning techniques:
(1) Traditional host scanning: determines whether hosts on the target network are reachable. Common means: ICMP Echo scanning, ICMP Sweep scanning, Broadcast ICMP scanning, Non-Echo ICMP scanning (timestamp and address-mask requests).
(2) Advanced scanning: firewalls and filtering devices often defeat the traditional probes. These techniques exploit ICMP's role of carrying error messages between networks: abnormal IP headers, invalid values in IP header fields, incorrect fragmentation, probing internal routers with over-long packets, reverse mapping probes.
(3) Port scanning: send packets to a port and observe whether, and how, it responds, in order to discover the host's open ports; different ports correspond to different network services. Three main categories: open scanning (TCP Connect scanning, which completes the three-way handshake and is therefore logged by the service), half-open scanning (TCP SYN scanning, which resets the connection after the SYN/ACK), stealth scanning (TCP FIN scanning, fragmented scanning).

- Operating system identification: vulnerabilities are tied to a specific operating system and version. Main techniques: active protocol-stack fingerprinting sends specially crafted IP packets to the target host and infers the OS type and version from differences in the responses (common probes: ACK and SYN packets, which can go to open or closed ports, and UDP packets to closed ports). Passive protocol-stack fingerprinting only listens to network traffic to infer the OS type; it is less reliable than active fingerprinting.
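The open-scan category above, as an added example that is not part of the original notes: a TCP Connect scan against a constructed local service, classifying each port as open (handshake completed), closed (the SYN was answered with RST, seen by the client as ECONNREFUSED) or filtered (no answer). The target service records every accepted connection, which shows why this kind of scan is "open": the service sees, and can log, each probe. The listener on 127.0.0.1 and the port list are the example's own assumptions.

```python
import errno
import socket
import threading
import time
from contextlib import closing


class TargetService:
    """Constructed target: a TCP service on 127.0.0.1 at an ephemeral port, so the scan
    runs offline. It records every accepted connection: a connect scan completes the
    three-way handshake, so the service (and hence its logs) sees each probe."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self.seen = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return
            self.seen.append(peer)
            conn.close()

    def close(self):
        self.sock.close()


def classify(err):
    """Map the connect() result to the port states a scanner reports."""
    if err == 0:
        return "open"            # SYN -> SYN/ACK -> ACK: handshake completed
    if err == errno.ECONNREFUSED:
        return "closed"          # SYN answered with RST
    return "filtered"            # no answer (timeout) or ICMP unreachable: something drops the probes


def connect_scan(host, ports, timeout=0.5):
    """TCP Connect scan: one full connection attempt per port."""
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                err = s.connect_ex((host, port))
            except socket.timeout:
                err = errno.ETIMEDOUT
            results[port] = classify(err)
    return results


def unused_port():
    """Pick a port nobody listens on (bind to 0, read the number, release it)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed port; return their states and how many probes the
    service observed (>= 1 proves the open scan reached the application)."""
    target = TargetService()
    closed = unused_port()
    results = connect_scan("127.0.0.1", [target.port, closed])
    deadline = time.time() + 2
    while not target.seen and time.time() < deadline:
        time.sleep(0.02)
    target.close()
    return results[target.port], results[closed], len(target.seen)


if __name__ == "__main__":
    print(demo())
```

A SYN (half-open) scan would reach the same verdicts from the SYN/ACK or RST alone, without ever completing the handshake, so the service's accept() would never fire; that is the whole difference between the two categories, and it is why half-open scanning needs raw sockets and privileges while a connect scan does not.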
- Vulnerability scanning: judges the likely vulnerabilities from the applications and services the target host exposes. Significance: network security assessment; a basis for hardening the network; and, for attackers, a way to find the weak points through which important data can be obtained. Common methods: matching against a vulnerability database, simulating hacker attack techniques, vulnerability scanning tools.
- Network sniffing (monitoring): observing network traffic, state, data and other information and analysing the packets to extract valuable information. Sniffing is a double-edged sword: it is a management tool (observing and analysing packets in real time to locate network faults) and also the information-gathering tool most commonly used by attackers.
Information that can be eavesdropped: passwords, account names, confidential data, traffic patterns.
Principle of sniffing on a shared network: the network card works at the data link layer, where data is transmitted in frames whose header carries the destination and source MAC addresses.
(1) Normal mode: the card only accepts frames whose destination MAC address is its own (or broadcast) and passes those to the operating system.
(2) Promiscuous mode: the card passes every frame it sees to the operating system.
Principle of sniffing on a switched network:
(1) Normal mode: the switch forwards frames according to their destination MAC address, so only broadcast frames can be observed;
(2) Sniffing: make frames that would not normally reach this host arrive locally (ARP spoofing and similar techniques).

- Sniffer network environments
Shared network:
(1) Hosts are connected through a hub.
(2) Broadcast: every frame sent onto the network is delivered to every host.
Switched network:
(1) Hosts are connected through a switch.
(2) The switch builds a "MAC address -> port" mapping table.
(3) When forwarding a frame it sends it only to the specific port that owns the destination MAC.

- ARP working process: when sending an IP packet, first decide whether the destination is on the same network segment;
(1) Same segment: a. check the ARP cache for a <destination IP, MAC> entry; if present, send directly. b. If absent, broadcast an ARP Request ("whoever has this destination IP, report your MAC"). c. The host owning the destination IP receives the Request, answers with an ARP Reply (containing its own MAC) and updates its own ARP table by adding or refreshing the sender's <IP, MAC> entry. d. The sender receives the Reply, learns the target MAC, sends the packet and adds the ARP entry; otherwise the send fails (destination host not found).
(2) Different segment: send to the gateway, which likewise requires resolving the gateway's MAC.
ARP dynamic refresh: every host that receives an ARP Reply updates its own ARP cache.

- Problems with the ARP protocol. Broadcast requests: a Request is broadcast and every receiver adds an ARP entry for the sender, so a forged Request carrying a false <sender IP, MAC> pollutes everyone's ARP cache. Unicast replies: ARP is stateless, hosts answer without being asked and accept replies they never asked for, so an unsolicited ARP Reply is taken as a valid message. Example, ARP spoofing: an attacker forges ARP Reply messages to impersonate other hosts.
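Both ARP problems just listed, as an added example that is not part of the original notes: Ethernet+ARP frames are built and parsed with struct, a naive cache learns bindings from every Request and Reply exactly as the protocol does, and a monitor flags the two symptoms a defender can actually see, a Reply that was never requested and a binding that changes MAC. The addresses, MACs and the frame sequence are constructed for the example.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Constructed Ethernet+ARP frame. Requests go to the broadcast MAC, Replies are unicast.
    eth_src lets a frame carry a different Ethernet source than the ARP sender field."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = ETH_HDR.pack(mac_bytes(dst), mac_bytes(eth_src or sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    _, src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """One host's view: a naive ARP cache (learns from everything, as the protocol does)
    plus the checks a spoofing detector would add on top of it."""

    def __init__(self, my_ip):
        self.my_ip = my_ip
        self.pending = set()   # destination IPs this host has sent a Request for
        self.cache = {}        # IP -> MAC, updated by every Request and Reply seen
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST and a["spa"] == self.my_ip:
            self.pending.add(a["tpa"])           # we asked: a Reply for this IP is expected
            return
        if a["op"] == ARP_REPLY and a["spa"] not in self.pending:
            self.alerts.append(f"unsolicited reply for {a['spa']} from {a['sha']}")
        if a["sha"] != a["eth_src"]:
            self.alerts.append(f"ethernet source {a['eth_src']} != ARP sender {a['sha']}")
        old = self.cache.get(a["spa"])
        if old is not None and old != a["sha"]:
            self.alerts.append(f"binding for {a['spa']} changed {old} -> {a['sha']}")
        self.cache[a["spa"]] = a["sha"]          # cache pollution: accepted regardless of the alerts
        self.pending.discard(a["spa"])


def scenario():
    """Constructed sequence: the victim resolves its gateway legitimately, then an attacker
    sends a forged broadcast Request and a forged unicast Reply, both claiming the gateway's IP."""
    victim, gateway, attacker = "192.168.1.10", "192.168.1.1", "192.168.1.66"
    vmac, gmac, amac = "02:00:00:00:00:10", "02:00:00:00:00:01", "02:00:00:00:00:66"
    mon = ArpMonitor(victim)
    mon.observe(build_arp(ARP_REQUEST, vmac, victim, "00:00:00:00:00:00", gateway))
    mon.observe(build_arp(ARP_REPLY, gmac, gateway, vmac, victim))
    legit = mon.cache[gateway]
    mon.observe(build_arp(ARP_REQUEST, amac, gateway, "00:00:00:00:00:00", "192.168.1.77"))
    mon.observe(build_arp(ARP_REPLY, amac, gateway, vmac, victim))
    return legit, mon.cache[gateway], mon.alerts


if __name__ == "__main__":
    print(scenario())
```

After the two forged frames the naive cache maps the gateway's IP to the attacker's MAC, so the victim's outbound traffic now goes to the attacker (the switched-network sniffing case above). The detector's alerts are exactly the signals tools such as arpwatch rely on; static ARP entries for the gateway remove the problem at the cost of manual management.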
- IP spoofing: the attacker masquerades as another host when communicating with a third host, in order to hide its own IP and avoid being traced, to abuse services that use the IP address as the basis of authorization, or to get through a firewall. It exploits a defect of the IP protocol: trusted services are founded only on verification of the network address, and IP addresses are easy to forge. Forms of IP spoofing: one-way spoofing, which ignores the returned packets; two-way spoofing, which needs to see the returned packets; and more advanced forms such as TCP session (reply) hijacking. Countermeasures: host protection, so that your own IP address cannot be used for spoofing; network protection, anti-spoofing filters on routers (packets arriving from outside with inside source addresses are dropped, and so are packets leaving with non-local source addresses); protection against source-routing attacks, by forbidding source-routed packets on routers.
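The router-side countermeasures just listed, as an added example that is not part of the original notes: an anti-spoofing filter in the style of BCP 38 that drops inside-sourced packets arriving on the outside interface, non-local-sourced packets leaving on the inside interface, packets from martian (unroutable) ranges, and any packet carrying a source-route option. The site prefix 203.0.113.0/24, the interface names and the packet list are the example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed site layout (constructed): the prefix routed to this site and the router's
# two interfaces, "outside" towards the Internet and "inside" towards the site.
INSIDE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class Packet:
    iface: str                    # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    source_routed: bool = False   # IP loose/strict source-route option present


def is_inside(addr):
    return any(addr in net for net in INSIDE_PREFIXES)


def filter_packet(pkt):
    """Return 'accept' or a 'drop: <reason>' verdict for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.source_routed:
        return "drop: source-routed packet"
    if pkt.iface == "outside":
        if is_inside(src):
            return "drop: ingress spoof (inside source arriving from outside)"
        if any(src in net for net in MARTIANS):
            return "drop: martian source"
    elif pkt.iface == "inside":
        if not is_inside(src):
            return "drop: egress spoof (non-local source leaving the site)"
    return "accept"


def run(packets):
    return [filter_packet(p) for p in packets]


# Constructed traffic, one packet per case the filter is meant to handle.
SAMPLE = [
    Packet("outside", "198.51.100.7", "203.0.113.10"),                      # ordinary Internet client
    Packet("outside", "203.0.113.25", "203.0.113.10"),                      # claims to be one of ours
    Packet("outside", "10.0.0.5", "203.0.113.10"),                          # private source from the Internet
    Packet("outside", "198.51.100.7", "203.0.113.10", source_routed=True),  # source-routing attack
    Packet("inside", "203.0.113.25", "198.51.100.7"),                       # our host going out
    Packet("inside", "192.0.2.9", "198.51.100.7"),                          # inside host forging a foreign source
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(pkt.iface, pkt.src, "->", pkt.dst, ":", verdict)
```

The egress rule is the one the DDoS discussion below calls the most effective defence: an attacker behind a router that enforces it cannot emit SYN-flood or reflection traffic with forged sources in the first place.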
- Denial of service (DoS)
An attack on availability: by some means the target system or network is prevented from providing its normal service.
Purposes: disrupt the organisation's normal operation; bring down a server so that the attacker can impersonate it; force a server to restart so that an implanted Trojan gets started.
Forms of DoS:
(1) Resource exhaustion;
(2) Configuration modification;
(3) Exploiting system defects;
(4) Physical destruction.
Nature of denial-of-service attacks: (1) a contest of resources, consuming the victim's resources; (2) simple DoS attacks use the attacker's own single machine; (3) reflection attacks use the resources of reflector servers; (4) distributed denial-of-service attacks control puppet hosts (a botnet) and use their resources. (SYN Flood: SYN requests sent with forged source addresses, so the resulting half-open connections are never completed.)
Typical DoS attacks: Land, Ping of Death, Teardrop, SYN Flood, Smurf.
Defending against DoS: (1) Network: configure routers and firewalls properly; use an intrusion detection system to detect abnormal behaviour. (2) System: upgrade the kernel and apply the necessary patches, especially against simple DoS attacks; shut down unnecessary services and network components; where quota functions exist, set the quotas correctly; monitor the system's operation so that it does not fall below the baseline; detect changes in system configuration. (3) Ensure physical security. (4) Establish backup and recovery mechanisms.

- DDoS (distributed denial of service): by planting agents, many computers with security vulnerabilities are combined into an attack platform; the attacker communicates with the agents through a master (handler) program and manipulates the puppet hosts to launch DoS attacks against one or more targets, multiplying the power of the attack. Two stages: recruitment, capturing the agent hosts; coordinated attack, attacking the target. Concrete steps: probe-scan a large number of hosts for ones that can be broken into; break into a vulnerable host and gain control; install the client process or daemon used for the attack; issue commands to the client processes and manipulate the agents for a coordinated attack. Defence: the most effective measure is forbidding IP spoofing at the network egress, but operators have little incentive to deploy it; beyond that, every party must do its own part and coordinate (defence in depth).
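The SYN Flood case above, as an added example that is not part of the original notes: the detection logic an intrusion detection system would run over connection events. Each SYN opens a half-open entry that is closed by the ACK that completes the handshake (or a RST); a destination with many half-open entries from many distinct sources inside the window is flagged. The event list is constructed (30 legitimate clients per server, then 400 SYNs with spoofed sources against one server); the thresholds are the example's own assumptions.

```python
import random
from collections import defaultdict


def build_sample(seed=7):
    """Constructed events (time, src, dst, flags) with S=SYN, SA=SYN/ACK, A=ACK, R=RST.
    Server A gets 30 legitimate handshakes and then a SYN flood from spoofed sources;
    server B gets only legitimate traffic."""
    rng = random.Random(seed)
    events, t = [], 0.0
    for server in ("203.0.113.5:80", "203.0.113.6:80"):
        for i in range(30):
            client = f"192.0.2.{i + 1}"
            events += [(t, client, server, "S"), (t + 0.01, server, client, "SA"),
                       (t + 0.02, client, server, "A")]
            t += 0.1
    for _ in range(400):
        # spoofed source: the SYN/ACK goes to a host that never asked, so no ACK ever arrives
        src = f"{rng.randint(1, 223)}.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        events += [(t, src, "203.0.113.5:80", "S"), (t + 0.01, "203.0.113.5:80", src, "SA")]
        t += 0.01
    return events, t


def half_open_by_dst(events, now, window=10.0):
    """Per destination: half-open connections younger than `window`, and their distinct sources."""
    pending = {}                               # (src, dst) -> time of the SYN
    for t, src, dst, flags in sorted(events):
        key = (src, dst)
        if flags == "S":                       # client SYN: handshake begins
            pending[key] = t
        elif flags in ("A", "R"):              # completed (ACK) or aborted (RST)
            pending.pop(key, None)
    stats = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (src, dst), t in pending.items():
        if now - t <= window:
            stats[dst]["half_open"] += 1
            stats[dst]["sources"].add(src)
    return stats


def detect_syn_flood(events, now, threshold=50, window=10.0):
    """True for each destination whose backlog looks flooded: many half-open entries,
    spread over many sources (a single slow client would not trip the second test)."""
    stats = half_open_by_dst(events, now, window)
    targets = {dst for _, _, dst, flags in events if flags == "S"}
    return {dst: stats[dst]["half_open"] >= threshold
                 and len(stats[dst]["sources"]) >= threshold // 2
            for dst in targets}


if __name__ == "__main__":
    ev, now = build_sample()
    for dst, s in half_open_by_dst(ev, now).items():
        print(dst, s["half_open"], "half-open from", len(s["sources"]), "sources")
    print(detect_syn_flood(ev, now))
```

Counting half-open entries is also what the kernel's backlog does, which is why the "quota" advice above matters: a full backlog is the resource being exhausted, and SYN cookies or a shorter SYN-RECV timeout are the system-side quotas that bound it.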
- Buffer overflow vulnerability: the program does not check whether the length of the input data exceeds the length of the buffer, assuming by default that it fits, and so the vulnerability exists.
Buffer overflow attack: exploiting a buffer overflow vulnerability by writing more data into the buffer than its length, so that the overflow (1) corrupts the program's stack and (2) diverts the program to execute other instructions.
Why buffer overflow attacks are dangerous: a. on UNIX they yield an interactive shell; b. on Windows they allow arbitrary code to be uploaded and executed; c. discovering an overflow vulnerability requires high skill and background knowledge, but d. once someone has written the overflow code it is very simple to use; e. compared with other attack types, buffer overflow attacks need few prerequisites, are highly destructive and highly technical; f. they pass straight through firewalls, because the exploit travels inside legitimate application traffic.
Attack steps: attack code placement (code injection: place suitable attack code, the shellcode, in some vulnerable storage structure such as a buffer) and control-flow hijacking (rewrite the program's execution path so that it jumps to the attack code); code implantation and control transfer can also be achieved in a single step.
Attack code placement: implantation, writing the attack code into a buffer; or reusing code that already exists in the program.
Control-flow transfer methods: overwriting the activation record (the saved return address in the stack frame); overwriting a function pointer; overwriting a longjmp buffer.
Preventing buffer overflow attacks: prevent the overflow itself (bounds checking); allow the overflow but stop it from changing control flow (e.g. stack canaries); allow control flow to change but forbid execution of the injected code (e.g. a non-executable stack).

- Classification of malicious code. Virus: can replicate itself, but needs user intervention to be triggered. Worm: can replicate itself and executes without user intervention. Trojan horse (e.g. Glacier, "Internet penetration", Grey Pigeon): appears to have a normal function but actually hides many other functions. Backdoor: a program or method that bypasses security controls to gain access to a program or system. Rootkit: hides itself and specified files, processes and network connections on the host it is installed on, giving the attacker continued access.
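The activation-record overwrite and the first two defence classes from the buffer overflow section above, as an added example that is not part of the original notes. It is a model of one x86 stack frame in a bytearray (a 16-byte local buffer, then the saved frame pointer and saved return address), not real memory: an unchecked strcpy-style copy spills the attacker's input over the saved return address, a bounds-checked copy refuses the input, and a canary placed between buffer and control data catches the overwrite in the function epilogue. The addresses and canary value are hypothetical.

```python
import struct

WORD = struct.Struct("<I")   # 32-bit little-endian words, as on x86


class Frame:
    """Model of one stack frame: char buf[16], optional canary, saved frame pointer,
    saved return address, laid out contiguously so a write past buf spills upward."""

    BUF = 16

    def __init__(self, ret_addr, canary=None):
        self.canary = canary
        self.canary_off = self.BUF
        self.fp_off = self.BUF + (4 if canary is not None else 0)
        self.ret_off = self.fp_off + 4
        self.mem = bytearray(self.ret_off + 4)
        if canary is not None:
            WORD.pack_into(self.mem, self.canary_off, canary)
        WORD.pack_into(self.mem, self.fp_off, 0xBFFFF000)   # saved frame pointer (arbitrary)
        WORD.pack_into(self.mem, self.ret_off, ret_addr)

    def return_address(self):
        return WORD.unpack_from(self.mem, self.ret_off)[0]

    def unsafe_copy(self, data):
        """strcpy()-style copy: writes every input byte, never checks the buffer size."""
        n = min(len(data), len(self.mem))   # the model ends at the frame; a real overflow keeps going
        self.mem[:n] = data[:n]

    def safe_copy(self, data):
        """Bounds-checked copy: the 'prevent the overflow' class of defence."""
        if len(data) > self.BUF:
            raise ValueError("input longer than buffer")
        self.mem[:len(data)] = data

    def function_return(self):
        """Epilogue: with a canary present, verify it before trusting the saved return
        address (the 'allow the overflow but block the control-flow change' defence)."""
        if self.canary is not None and WORD.unpack_from(self.mem, self.canary_off)[0] != self.canary:
            raise RuntimeError("stack smashing detected")
        return self.return_address()


def craft_payload(frame, target):
    """Attacker's input: filler (a NOP sled standing in for shellcode) up to the saved
    return address, then the address the function should 'return' to."""
    return b"\x90" * frame.ret_off + WORD.pack(target)


def demo():
    legit_ret, evil = 0x08048456, 0xBFFFF3A0   # hypothetical: real caller vs. attacker's target
    payload = craft_payload(Frame(legit_ret), evil)

    f1 = Frame(legit_ret)                      # vulnerable: the return address is hijacked
    f1.unsafe_copy(payload)
    hijacked = f1.function_return()

    f2 = Frame(legit_ret)                      # defence 1: bounds checking refuses the input
    try:
        f2.safe_copy(payload)
        bounds_stopped = False
    except ValueError:
        bounds_stopped = True

    f3 = Frame(legit_ret, canary=0x0A2B3C4D)   # defence 2: overflow happens, canary catches it
    f3.unsafe_copy(craft_payload(f3, evil))
    try:
        f3.function_return()
        canary_stopped = False
    except RuntimeError:
        canary_stopped = True
    return hijacked, f2.return_address(), bounds_stopped, canary_stopped


if __name__ == "__main__":
    print([hex(v) if isinstance(v, int) else v for v in demo()])
```

The third defence class, a non-executable stack, is not visible in this model: there the hijacked return would still happen but the jump into the NOP sled would fault, which is why modern exploitation moved to reusing existing code (the "use existing code" placement method above).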
- Trojan horse (also called a Trojan virus): a specific program (the Trojan) used to control another computer.
There are usually two programs: the controlling end (client, the attacker) and the controlled end (server, the victim).
Trojan concealment: (1) storage location and file name; (2) communication mode; (3) process hiding.
Storage location and file name: the file name resembles a system file name and the file is placed where the system files live.
Communication modes: (1) basic: TCP, the server side listens and the client connects; (2) reverse connection: the client has a fixed IP or publishes its IP through a third party (such as a public mailbox or a personal home page), opens a port and listens, waiting for the server to connect; the server side periodically obtains the client's IP and connects out to it, which passes firewalls that only block inbound connections; (3) UDP, in forward (server listens, client connects) and reverse (client listens, server connects) variants; (4) code injection; (5) communication over ICMP.
Process hiding: (1) confusing process names; (2) implementing the Trojan as a driver or at kernel level; (3) making the Trojan process hard to find and, once found, impossible or not permitted to delete.
Start-up methods: the Start menu, auto-start entries, bundling with another program, modifying file associations.

- Code injection
Whether the connection is forward or reverse, a server and client establishing a connection trips the firewall's alarm, so code injection is used instead: the server injects itself into the address space of a process that is legitimately allowed to talk to the outside network, runs there as a new thread or simply modifies the host process, and intercepts the host process's network system calls.

- Similarities and differences between backdoors and Trojans
Same: both hide in the user's system, send information out, hold a certain level of privilege, and make it convenient for a remote computer to control this machine.
Different: a Trojan is relatively independent, complete and powerful; a backdoor does not exist on its own, is small and has a single function.

- Prevention of Trojans and backdoors
Technical means: run real-time monitors such as firewalls and antivirus software; scan your own ports; review active network connections.
Security awareness: do not open e-mails and software of unknown origin; patch vulnerabilities and close suspicious ports promptly; use as few shared folders as possible; keep the system and the virus database updated.

- Honeypot technology: a deception tool that simulates a normal system in order to lure attackers into attacking it and collect information about the attack. Significance: learn about and study attacks, improve defensive capability, draw the attacker's fire and delay attacks on the real systems. Functional components: system simulation, data collection, connection control.
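The three honeypot components just named, as an added example that is not part of the original notes: a low-interaction TCP honeypot on a localhost ephemeral port that presents a fake SMTP banner (system simulation), records every peer and the first bytes it sends (data collection), and refuses a source after a fixed number of sessions (connection control, in this example's simplified reading of that component). The banner text, the per-source cap and the probing client are the example's own assumptions.

```python
import socket
import threading
import time
from collections import Counter


class Honeypot:
    """Low-interaction TCP honeypot: fake banner, session records, per-source cap."""

    def __init__(self, banner=b"220 mail.example.test ESMTP ready\r\n", max_per_source=2):
        self.banner = banner
        self.max_per_source = max_per_source
        self.records = []
        self.per_source = Counter()
        self.lock = threading.Lock()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # ephemeral localhost port: runs offline
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (ip, port) = self.sock.accept()
            except OSError:
                return                            # listener closed
            threading.Thread(target=self._handle, args=(conn, ip, port), daemon=True).start()

    def _handle(self, conn, ip, port):
        with conn:
            with self.lock:
                self.per_source[ip] += 1
                count = self.per_source[ip]
            if count > self.max_per_source:       # connection control
                with self.lock:
                    self.records.append({"peer": f"{ip}:{port}", "action": "refused"})
                return
            conn.sendall(self.banner)             # system simulation
            conn.settimeout(1.0)
            try:
                data = conn.recv(4096)
            except socket.timeout:
                data = b""
            with self.lock:                       # data collection
                self.records.append({"peer": f"{ip}:{port}", "action": "session",
                                     "data": data, "time": time.time()})

    def close(self):
        self.sock.close()


def probe(port, payload):
    """Constructed attacker/scanner: connect, read the banner, send one command."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(1024)
        if banner:
            c.sendall(payload)
        return banner


def demo():
    """Three probes from one source against a cap of two: the third is refused."""
    hp = Honeypot(max_per_source=2)
    banners = [probe(hp.port, b"EHLO scanner\r\n") for _ in range(3)]
    deadline = time.time() + 3
    while len(hp.records) < 3 and time.time() < deadline:
        time.sleep(0.02)
    hp.close()
    actions = Counter(r["action"] for r in hp.records)
    captured = [r["data"] for r in hp.records if r["action"] == "session"]
    return banners, actions, captured


if __name__ == "__main__":
    print(demo())
```

Nothing here is reachable by legitimate users, so every record is attacker activity by definition; that is what makes honeypot data so much cleaner than IDS alerts, and why the connection-control component matters: a honeypot that lets sessions run freely can be turned into the attacker's springboard against real hosts.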