20199328 2019-2020-2 "Network Attack and Defense Practice" Week 8 Assignment


1. Practice content

Linux system structure

Linux process and thread management mechanism

The Linux kernel uses preemptive multi-user multitasking: many processes are active concurrently, and the kernel's process-management module schedules them onto the CPU and allocates hardware resources among them.

Linux memory management mechanism

The Linux memory management module (MM) gives each process its own virtual address space, so that multiple processes can safely share physical memory.

Linux file system management mechanism

The Linux kernel uses a virtual file system (VFS) layer, which lets it support dozens of different logical file system types behind one interface.

Linux device control mechanism

Device handling is abstracted: hardware devices are exposed as special files (under /dev) and are accessed with the same open/read/write interface as regular files.

Linux network mechanism

The network module in the Linux kernel implements the common network protocol standards and provides support for a wide range of network hardware.

Linux system call mechanism

Linux system calls are implemented through a software interrupt (trap) into the kernel: historically int 0x80 on x86, and the dedicated sysenter/syscall instructions on modern kernels.

Linux operating system security mechanism

The core security mechanism of the Linux operating system consists of three main parts: identity authentication, authorization and access control, and security audit.

Linux identity authentication mechanism

  • Linux users (user information is stored in /etc/passwd; the hashed passwords are stored in /etc/shadow, which only root can read): ① the root user, with the highest privileges, can access any file and run any command on the system; ② ordinary users, created by the administrator, normally have full control only over their own home directory and have limited execution privileges; ③ system users, which cannot log in interactively but are required for running system services.
  • Linux user groups (group information is stored in /etc/group, and group password hashes in /etc/gshadow): a group is a collection of user accounts that share the same characteristics.
  • Linux local login authentication: the init process starts getty on several virtual consoles (tty1, tty2, etc.), which display the login prompt. When the user types a user name, getty executes the login program, which performs the authentication; after success, login forks the user's shell as a child process and the user works in that shell.
  • Linux remote login authentication: Linux systems generally use the SSH service for remote login and network access. SSH provides two user authentication methods: the first is password-based authentication; the second is authentication based on asymmetric (public/private) key pairs.
  • Linux unified authentication middleware PAM: PAM separates the services a system provides from the authentication methods those services use, through a dynamic link library and a set of unified APIs. The administrator can therefore configure different authentication methods for different services as needed without changing the service programs, and new authentication methods can easily be added to the system.
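The /etc/passwd and /etc/shadow layout described above is what an attacker or defender audits first: extra UID 0 accounts, empty password fields, password hashes left in the world-readable passwd file, and weak hash algorithms. The following Python script is an added example written for this page (not from the original assignment or any course material); the two files it parses are constructed samples, and the finding strings are my own naming.

```python
import re

# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host).
# Field layout: passwd = name:pw:uid:gid:gecos:home:shell
#               shadow = name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
legacy:$6$abc$def:1002:1002::/home/legacy:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdef:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
sshd:*:18900:0:99999:7:::
alice:$1$abcdefgh$0123456789abcdef:18900:0:99999:7:::
backup:$6$othersalt$fedcba9876543210:18900:0:99999:7:::
guest::18900:0:99999:7:::
legacy:!$6$abc$def:18900:0:99999:7:::
"""

PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchange", "min", "max", "warn", "inactive", "expire", "reserved")

# crypt(3) hash prefixes; md5crypt and the 13-character DES form are considered weak today
HASH_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
WEAK_ALGORITHMS = {"md5crypt", "descrypt"}


def parse_colon_file(text, fields):
    """Parse a colon-separated account file into {name: {field: value}}."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        parts += [""] * (len(fields) - len(parts))      # tolerate short lines
        rows[parts[0]] = dict(zip(fields, parts[:len(fields)]))
    return rows


def hash_algorithm(field):
    """Classify the password field of a shadow entry."""
    if field == "":
        return "empty"                                 # login with no password at all
    if field.startswith(("!", "*")):
        return "locked"                                # account cannot authenticate by password
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                              # traditional 13-character DES crypt
    return "unknown"


def audit_accounts(passwd_text, shadow_text):
    """Return sorted (user, finding) pairs for the conditions an auditor checks first."""
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
    findings = []
    for name, p in passwd.items():
        if p["uid"] == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if p["pw"] not in ("x", "", "*", "!"):
            findings.append((name, "password hash stored in world-readable /etc/passwd"))
        s = shadow.get(name)
        if s is None:
            if p["pw"] == "x":                         # passwd says "look in shadow", but nothing is there
                findings.append((name, "no /etc/shadow entry"))
            continue
        algo = hash_algorithm(s["hash"])
        if algo == "empty":
            findings.append((name, "empty password field"))
        elif algo in WEAK_ALGORITHMS:
            findings.append((name, "weak hash algorithm " + algo))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

On a real host, replace the two sample strings with the contents of /etc/passwd and /etc/shadow (the latter needs root); locked system accounts such as daemon and sshd produce no findings, which is the expected state for the "system users" described above.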

Linux authorization and access control mechanism

  • File owner: the file's owner uid and owning-group gid record which user and which group own the file.
  • File access permissions: set by the 10 flag bits attached to each file: one file-type bit followed by read, write and execute bits for the owner, the group and all other users (e.g. -rwxr-x---).
  • Special execution permissions: SUID and SGID are the common ones. A program with the SUID bit set runs with the privileges of the file owner rather than those of the user who launched it; a program with the SGID bit set runs with the privileges of the file's owning group.

Linux security audit mechanism

Implemented through three main log subsystems: the connection-time logs (utmp, wtmp, lastlog), the process accounting logs, and the error/event logs written by syslog.

Linux system remote attack and defense technology

Linux remote password guessing attack

The attacker guesses user name and password pairs remotely over a network login protocol, and uses a successful guess to log in to the Linux system and obtain local access.

Implementation of Network Protocol Stack in Linux Kernel

CVE-2010-4161: this vulnerability exists in RHEL systems with a kernel version before v2.6.37. An attacker can send a specially crafted UDP packet directly to a UDP port that the target has open; the system crashes, producing a denial of service against the target.

FTP, Samba and other file sharing services

These services are common on key Linux systems that hold an organization's core data assets, such as web servers and internal file servers, and have therefore become attack channels that hackers and penetration testers targeting these systems will almost always try.

The FTP (File Transfer Protocol) service is one of the oldest network services on the Internet and is used for file exchange and sharing. An FTP server generally uses TCP ports 21 and 20: port 21 carries the control commands, while port 20 is used for the data connection (in active mode).

The Samba service software builds an interoperability bridge between UNIX-like systems and Windows by implementing the SMB/CIFS protocol, so that the two kinds of operating systems on an organization's internal network can share files and printers and access each other's resources easily.

Email sending and receiving service

The Sendmail service has long been the most popular e-mail sending and receiving service on UNIX-like systems including Linux, and it is also one of the most controversial and historically insecure well-known network services.

Security precautions against remote penetration attacks on network services

  • Disable all unnecessary network services
  • Try to choose safer network protocols and service software, and deploy using best security practices
  • Update the network service version in time
  • Add network access control for Linux network services using xinetd and a firewall
  • Establish an intrusion detection and emergency response plan and process

Linux local privilege escalation

The easiest way to escalate privileges is to crack the root user's password and then run su or sudo to become root.

The second way is to discover and exploit security vulnerabilities in the su or sudo programs themselves.

Currently the most popular approach is to attack arbitrary-code-execution vulnerabilities in root-privileged programs directly, so that the exploited program opens a shell with root privileges for the attacker. This is divided into attacking user-mode SUID programs and attacking the Linux kernel code itself.

The last local privilege escalation technique takes advantage of misconfigurations in the system: the attacker searches the system for globally writable sensitive files and directories and exploits them.
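The SUID/SGID bits described in the access-control section and the globally writable files and directories mentioned here are what an attacker enumerates with find / -perm -4000, find / -perm -2000 and find / -perm -0002. The Python walker below does the same with os.lstat; it is an added example for this page, not part of the original write-up. It builds its own throwaway directory tree with deliberately bad permissions (the file names under it are made up for the demo) and reports what an attacker looking for an escalation path would notice: SUID/SGID executables, world-writable files, and world-writable directories that lack the sticky bit.

```python
import os
import shutil
import stat
import tempfile


def risk_flags(st):
    """Return the reasons an entry is worth a second look, derived from its mode bits."""
    m = st.st_mode
    reasons = []
    if m & stat.S_ISUID:
        reasons.append("suid")            # runs as the file owner (find / -perm -4000)
    if m & stat.S_ISGID and not stat.S_ISDIR(m):
        reasons.append("sgid")            # runs as the file group; on a directory SGID only means group inheritance
    if m & stat.S_IWOTH:
        # A world-writable directory is acceptable only with the sticky bit (like /tmp);
        # a world-writable file can be edited by any local user.
        if not (stat.S_ISDIR(m) and m & stat.S_ISVTX):
            reasons.append("world-writable")
    return reasons


def find_risky(root):
    """Walk root without following symlinks; collect (path, reasons) for flagged entries."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                  # vanished or unreadable: skip it, as find would
            if stat.S_ISLNK(st.st_mode):
                continue                  # a symlink's own mode bits are meaningless
            reasons = risk_flags(st)
            if reasons:
                found.append((path, reasons))
    return sorted(found)


def _write(path, mode, content="#!/bin/sh\necho hello\n"):
    with open(path, "w") as f:
        f.write(content)
    os.chmod(path, mode)                  # chmod is not subject to the umask


def build_demo_tree():
    """Create a constructed directory tree with a few deliberately bad permissions."""
    root = tempfile.mkdtemp(prefix="permdemo_")
    for d in ("bin", "etc", "tmp", "spool"):
        os.mkdir(os.path.join(root, d))
    _write(os.path.join(root, "bin", "suid_tool"), 0o4755)            # like /usr/bin/passwd
    _write(os.path.join(root, "bin", "sgid_tool"), 0o2755)
    _write(os.path.join(root, "bin", "normal"), 0o755)
    _write(os.path.join(root, "etc", "app.conf"), 0o666, "debug=1\n")  # anyone can edit it
    os.chmod(os.path.join(root, "tmp"), 0o1777)                        # sticky bit: fine
    os.chmod(os.path.join(root, "spool"), 0o777)                       # no sticky bit: not fine
    return root


def demo():
    """Build the tree, scan it, clean up, and return {relative path: reasons}."""
    root = build_demo_tree()
    try:
        return {os.path.relpath(p, root): r for p, r in find_risky(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```

Pointing find_risky at / (as root, so that every directory is readable) gives the same list a find-based sweep would, and the sticky-bit rule keeps /tmp and /var/tmp out of the results.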

Covering tracks on a Linux system

View the /etc/syslog.conf configuration file (/etc/rsyslog.conf on newer systems) to learn which kinds of audit events the system currently records and where the logs are stored.

In the /var/log directory, attackers typically need to modify log files such as messages, auth, secure, wtmp and xferlog.

The attacker also needs to clean up the command history of the shell. Many shells on Linux record the commands that have been run (bash keeps them in ~/.bash_history) so that they can be recalled and re-executed.

Linux system remote control backdoor program

The most common Linux backdoor provides remote command-line shell access: a tool such as Netcat runs on the system, opens a listening TCP port and, when a connection arrives, attaches a Linux shell to it so that the client can interact with the system.

2. Practice process

Hands-on Practice: Using Metasploit for Linux remote penetration attacks

Use the Metasploit penetration-testing software to attack the Samba usermap_script vulnerability on the Linux target and obtain host access to it. The practical steps are as follows:
① Start Metasploit; any of msfconsole, msfgui or msfweb can be used according to personal preference;
② use the exploit module exploit/multi/samba/usermap_script;
③ select a remote shell as the PAYLOAD (either a bind or a reverse connection can be used);
④ set the remaining exploit parameters (RHOST, LHOST, TARGET, etc.);
⑤ run the exploit;
⑥ check whether the remote shell was obtained correctly, and check what privileges it has.

Open Metasploit in Kali: enter msfconsole and press Enter to get its console, then search for Samba vulnerabilities first; the search results are as follows. Among them is the exploit module for this vulnerability.
We target the usermap_script security vulnerability:

usermap_script:

  • CVE-2007-2447, command execution through the Samba username map script
  • Affects Samba versions 3.0.20 to 3.0.25rc3
  • Present only when the non-default username map script configuration option is used
  • By supplying a user name containing shell metacharacters, the attacker can execute arbitrary commands
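The essence of the usermap_script flaw is a command built by string concatenation and handed to the shell: smbd substituted the client-supplied user name into the command line of the configured username map script, so a user name carrying backticks or a semicolon was executed. The Python stand-in below reproduces that pattern next to two hardened versions. It is an added illustration written for this page, not Samba's code and not the Metasploit module; it uses /bin/echo in place of a real map script (a real smb.conf would name a path such as /etc/samba/scripts/mapusers.sh, a hypothetical path here) so that the injected command's output is visible.

```python
import re
import subprocess

# Stand-in for the administrator's "username map script" (hypothetical; a real
# deployment would point at a script path). Plain echo makes the injection visible.
MAP_SCRIPT = "/bin/echo"


def map_user_vulnerable(username):
    """Vulnerable pattern: the client-supplied user name is concatenated into a
    command string that /bin/sh parses, so metacharacters in it are interpreted."""
    cmd = f"{MAP_SCRIPT} {username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def map_user_argv(username):
    """Hardened: the script receives the user name as one argv element and no shell
    ever parses it, so backticks, ';' and '|' are just bytes in the name."""
    return subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True).stdout


# Characters a map script should never see in a user name (my own list).
SHELL_META = re.compile(r"[`$;|&<>(){}\[\]\\'\"\n\r]")


def is_safe_username(username):
    """Defense in depth on top of argv passing: reject names with shell metacharacters."""
    return 0 < len(username) <= 256 and SHELL_META.search(username) is None


def map_user_hardened(username):
    if not is_safe_username(username):
        raise ValueError("username contains shell metacharacters")
    return map_user_argv(username)


# A user name of the kind the bullet above describes: the backticks are the payload.
INJECTED_USERNAME = "/=`echo INJECTED`"

if __name__ == "__main__":
    print("vulnerable:", repr(map_user_vulnerable(INJECTED_USERNAME)))   # '/=INJECTED\n'
    print("argv      :", repr(map_user_argv(INJECTED_USERNAME)))         # the name, unchanged
    try:
        map_user_hardened(INJECTED_USERNAME)
    except ValueError as err:
        print("hardened  :", err)
```

The first function is the whole bug: with the vulnerable form, the text between the backticks runs as a command on the server, which is exactly what the exploit module relies on; with argv passing the same user name is delivered to the script as data, and the validator turns the attempt into a logged rejection instead.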

Command: use multi/samba/usermap_script

Enter show payloads to list the payloads compatible with this exploit module. Run set payload cmd/unix/bind_netcat to choose bind_netcat, i.e. after a successful exploit, netcat on the target binds a shell to a listening port. Then run show options to see which parameters still need to be set.

After setting the target address (RHOST), run exploit to start the attack.

After the attack, check whether it succeeded and check the privileges obtained (for example with id).

Practical work

Attack and defense confrontation practice: the attacker uses the Metasploit penetration software to launch a network attack against a Linux Metasploitable target, while the defender uses tcpdump, Wireshark or Snort on Metasploitable to capture the attack traffic and analyze which security vulnerability the attacker exploited, then downloads the security patch from the official site to repair the system. The two parties cooperate to write an attack and defense process report.

  • Attacker: use Metasploit, select vulnerabilities found on the Metasploitable target to conduct penetration attacks, gain remote control, and try to obtain further root privileges.
  • Defender: use tcpdump/Wireshark/Snort to monitor and capture the network attack packets, and use Wireshark/Snort to analyze the attack process: the attacker's IP address, target IP and port, attack start time, the vulnerability exploited, the shellcode used, and the commands executed locally after success.

Experimental environment: Same as practice one
Attacker: Same as practice one
Defender:

  • After capturing the packets with Wireshark, check the first packet, which is an ARP request packet. Looking further down, the attack machine Kali (192.168.200.2) initiates a TCP connection request to the target machine (192.168.200.125), which should be the moment the attack formally starts; the source port is 41737 and the destination port is 139.

  • Shellcode used

  • Command executed locally after successful attack
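For the defender's side, the items listed above (attacker IP, target IP and port, the moment the attack started, and follow-up connections after a successful exploit) can be pulled out of a text capture mechanically rather than by scrolling through Wireshark. The script below is an added example, not taken from the assignment; it parses tcpdump -nn style lines. The lines it uses are constructed to match the addresses in the report (192.168.200.2 attacking 192.168.200.125 on TCP 139), and the later connection to port 4444 is an assumed bind-shell port for the scenario, not something the report shows.

```python
import re

# Constructed tcpdump -nn output for the scenario in the report (not a real capture):
# ARP, then the attacker's handshake with Samba on 139, a data segment, and an
# assumed later connection to a bind shell on 4444.
SAMPLE_TCPDUMP = """\
14:02:11.100001 ARP, Request who-has 192.168.200.125 tell 192.168.200.2, length 28
14:02:11.100402 ARP, Reply 192.168.200.125 is-at 00:0c:29:aa:bb:cc, length 28
14:02:11.100900 IP 192.168.200.2.41737 > 192.168.200.125.139: Flags [S], seq 1000, win 29200, length 0
14:02:11.101300 IP 192.168.200.125.139 > 192.168.200.2.41737: Flags [S.], seq 5000, ack 1001, win 5840, length 0
14:02:11.101500 IP 192.168.200.2.41737 > 192.168.200.125.139: Flags [.], ack 5001, win 29200, length 0
14:02:11.150000 IP 192.168.200.2.41737 > 192.168.200.125.139: Flags [P.], seq 1001:1073, ack 5001, win 29200, length 72
14:02:12.300000 IP 192.168.200.2.40211 > 192.168.200.125.4444: Flags [S], seq 2000, win 29200, length 0
14:02:12.300500 IP 192.168.200.125.4444 > 192.168.200.2.40211: Flags [S.], seq 7000, ack 2001, win 5840, length 0
"""

# One tcpdump TCP line: timestamp, src.port > dst.port, then the flag field.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Service ports worth treating as the exploited service in this exercise.
SERVICE_PORTS = {139: "netbios-ssn (Samba)", 445: "microsoft-ds (Samba)"}


def parse_tcp_lines(text):
    """Yield dicts for the TCP lines; ARP and other non-matching lines are ignored."""
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def connection_attempts(text, target_ip):
    """Pure SYNs (Flags [S]) toward the target: each one is a new connection attempt."""
    return [p for p in parse_tcp_lines(text) if p["dst"] == target_ip and p["flags"] == "S"]


def summarize_attack(text, target_ip):
    """Identify the first SYN to a service port (the attack start) and any later
    connections from the same source to other ports (e.g. a bind shell opened by
    the payload). Timestamps are compared as strings, which is valid within one day."""
    attempts = connection_attempts(text, target_ip)
    first = next((p for p in attempts if p["dport"] in SERVICE_PORTS), None)
    if first is None:
        return None
    followup = [(p["ts"], p["dport"]) for p in attempts
                if p["src"] == first["src"] and p["ts"] > first["ts"]
                and p["dport"] not in SERVICE_PORTS]
    return {
        "attacker": first["src"], "sport": first["sport"],
        "target": target_ip, "dport": first["dport"],
        "service": SERVICE_PORTS[first["dport"]],
        "start": first["ts"], "followup": followup,
    }


if __name__ == "__main__":
    print(summarize_attack(SAMPLE_TCPDUMP, "192.168.200.125"))
```

Feed it the output of tcpdump -nn -tt or a text export of the Wireshark capture; a follow-up connection to a port that was not open before the exploit is the quickest sign that a bind-shell payload succeeded, and its timestamp bounds when the attacker's local commands started.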



3. Problems encountered in learning and solutions

  • Problem 1: Nessus could not log in during the update
  • Solution to problem 1: just wait.

4. Practice summary

Understand each question and wait for the teacher to ask questions. . .

Origin www.cnblogs.com/llj76720197/p/12728068.html