Information Security Final Review

1. Mitnick's Christmas attack

1. Attack background

In the Unix world, trust can be easily given. Assuming that the user has an account on both machine A and machine B, in order to minimize the trouble between the two, a full-duplex trust relationship can be established between them. In A's home directory, create a .rhosts file:, echo "hostB 用户名" > .rhostsdo the same operation in B's home directory. Now, the user can use any r* command to operate another server, these commands will only verify the address.

On Christmas Day 1994, Kevin Mitnick attacked Shimomura's machine, using two main techniques: IP source address spoofing and TCP sequence number prediction

• IP source address spoofing : the ip protocol is not secure, its source address can be modified at will, and with other operations, it can pretend to be other hosts to communicate with the destination host

• TCP sequence number prediction : Each TCP message will carry a sequence number, which is used to confirm the message segment during the data transmission process, and the sequence number is required to complete the connection during the three-way handshake. The TCP sequence number is generated by the network protocol stack. By sending SYN packets multiple times, the sequence number in the received SYN+ACK packet can be used to predict the sequence number generation rule of the other party (has been fixed, and now the initial sequence number generation is random ), this operation must be performed when the host of the other party is not active, otherwise other TCP connections will disrupt this rule, which is why the Christmas attack is chosen.

2. Attack process

This attack mainly involved four objects:

• apollo: The attacker invaded this host first to hide his whereabouts
• target: target Shimura Mian’s machine, the ultimate goal is to access files on this machine
• x-terminal: A trusted connection has been established with the target (it can no longer pretend to be connected to the target)
• server: trust each other with x-terminal through .rhosts

First, let's go through the attack ideas:

Apollo needs to gain access to the target. At this time, x-terminal already has a trusted connection to the target, and the attacker's purpose is to hijack this connection. To hijack this connection, you need to control the x-terminal first. How to control the x-terminal? Need to be trusted by it, how to be trusted by it? Need to modify the .rhosts file, how to modify the .rhosts file remotely? It needs to establish a TCP connection with the identity of the machine it trusts, and transmit commands in the TCP connection, so in the end it is necessary to pretend to be a server to establish a connection with the x-terminal

Start the attack:

1. apollo uses SYN flooding to fill the "half-open" connection queue of port 513 on the server to achieve the purpose of blocking, so that it will no longer respond to any new connection requests
2. apollo sends a string of SYN requests to x-terminal to predict the law of x-terminal generating the initial serial number
3. Apollo pretends to be the server to initiate a connection to the x-terminal, although it cannot receive the SYN-ACK (it is sent to the server, but the server will not respond or send a rejection packet due to blocking), but the sequence number is predicted, and you can continue to reply ACK. establish connection
4. Send a command to the x-terminal as the server, modify the rhosts file to make it trust any source
5. apollo connects to the x-terminal, implants the kernel module, and hijacks the connection with the target
6. Successfully access the target, then send an RST to the server to release the blocked connection

3. Question thinking

1. Why is the ip transmission protocol unreliable?

• The ip protocol is connectionless, it is delivered with best effort, and only the header is verified
• The source address and other information can be arbitrarily set by the sender

2. Describe the TCP three-way handshake in detail

• A --> SYN（seq） --> B
• B --> SYN + ACK（ack=seq+1，seq） --> A
• A --> ACK（ack=seq+1） --> B

3. What is the role of port?

• Multiplexing/demultiplexing

4. When are SYN/ACK/RST used respectively?

• SYN: request to establish a connection
• ACK: confirm connection
• RST: Reset the wrong connection for some reason, and it can also be used to reject illegal data and requests

5. What is the port number of the trusted server that performs SYN flooding to achieve DoS? Why choose this port? Can I switch to another port?

• 513, because you want to pretend to be this port to establish a connection with x-terminal to send remote commands, you can also change to other privileged ports <1024

6. After successfully adding the backdoor, why does the attacker send RST to release the TCP connection in the trusted server?

• Clean the crime scene

Two, network commands

1. Route (can add -n to display ip directly without resolving the name)

• default default route, when the destination network segment of a data packet is not in the routing record, the data packet will be sent to the default route
• link-local is the link local address, which is used when the device communicates in the local network. It is mainly used when the DHCP server fails or DHCP timeouts. It is used to communicate with devices in the network segment or broadcast domain without passing through the router. Forward, so Gateway is 0.0.0.0
• The routing record of the directly connected network segment. When the data packet is sent to the directly connected network segment, the data packet is not forwarded by the route, so the gateway is 0.0.0.0
• Flag explanation
  • U: Effective
  • G: Connecting route, without this mark, it means that it is directly connected to the destination address
  • H: specific host, not network segment

2. Ping: send icmp packet to test reachability

3. Traceroute (route tracking)

• First, it sends an IP packet with a TTL field of 1 to the destination host. The first router that processes this packet reduces the TTL value by 1, then discards the datagram, and sends an ICMP packet ("Timeout") to the source host. "Information, this message contains the IP address of the router, so you get the address of the first router), then traceroute sends a datagram with a TTL of 2 to get the IP address of the second router, and this process continues until The datagram arrives at the destination host

4. nslookup: domain name query

5、whois

• A query and response protocol, widely used to query databases that store Internet resources, such as domain names, IP address blocks, or autonomous systems

6、netstat

• Display statistical data related to IP, TCP, UDP and ICMP protocols, generally used to check the network connection of each port of the machine
• -t only displays TCP related, -l displays the socket in the listening state, -n does not display the name but the real ip, -p displays the process pid

Three, ARP protocol security

ARP protocol

ARP is used to obtain the MAC address of the target machine through the target machine ip

The arp request is encapsulated in a data link layer message:

When sending an arp request, the destination address of the Ethernet header is all 1s, which means broadcast, and the destination mac of the arp message part is all 0s, because the mac address of the destination host is not yet known, and it is about to be inquired through the Ethernet broadcast

There is a kind of ARP package called Gratuition ARP (gratuitous ARP or gratuitous ARP), which has the following functions:

• Tell other computers their IP address and MAC address
• Detect IP address conflicts. After a host sends a gratuitous ARP request message, if it receives an ARP response message, it means that a host using this IP address already exists in the network
• Update the ARP cache table of other hosts

1. What is the purpose of introducing ARP cache

Each host maintains an ARP cache table in which the mapping of <ip, mac> is stored. Each entry in the table has a validity period, and it is stateless, that is, as long as it receives new ARP information, the ARP cache table will be updated

When sending out packets, you can directly obtain the mapping relationship between the destination IP and the destination MAC through the ARP cache, instead of using the ARP protocol to obtain the mapping relationship

2. What are the attack methods and effects of ARP cache poisoning?

Send an ARP response message to the target host. The effect is to update the ARP cache of the target machine. When the target machine sends a data packet to the specified ip, the packet will be sent to the machine we specified

Four, IP protocol security

Attacks against IP fragmentation

• DOS attack: the attacker constructs two fragments, one fragment has an offset of 0, and the second fragment has an offset of 64800. Because the IP fragments arrive out of order, the receiver will wait for other fragments while serving other fragments. Allocate space, which means that a data packet will use 64K of space, and this space will continue to be reserved for 15-225 seconds
• TearDrop: The attacker constructs two shards, the second shard is completely contained in the first shard, that is, the offset of the second shard is greater than the offset of the first shard, and the offset +The total length of fragment 2 is less than the position of the last byte of the first fragment. The condition for this attack to succeed is that the receiving host handles overlapping fragments by ignoring the overlapping part of the second fragment, calculating end2-end1, and copying the content of this part to form a complete message. Then when offset2> offset1 and end2 <end1, end2-end1 will be calculated with an unsigned integer to get a very large number, which will squeeze the available memory

1. Why do we need IP fragmentation?

An IP message can reach up to 65535 bytes, but the network hardware limits the frame size, and Ethernet is limited to 1500 bytes

2. How to reorganize IP fragments?

There are id field and offset and flag fields in IP fragmentation. The same id indicates that they belong to the same IP packet, offset indicates the offset of a fragment in the original IP packet, and flag indicates whether there is fragmentation or more fragments. Waiting for the flag

3. The packet filtering firewall prevents external connections by filtering SYN packets. How can an attacker bypass this filtering rule?

• Micro-fragment attacks can be used, because when the firewall filters packets, only the filtering rules are applied to the initial fragments. STD 5, RFC 791 stipulates that each Internet module can forward the smallest datagram of 68B, and no further fragmentation is allowed. The IP header The length can be as long as 60B, so that the first fragment only contains 8B content. In the case of TCP, this is enough to contain the source and destination port numbers, but it will force the TCP flag field to enter the second fragment, thus making SYN Packet bypass filtering rules

• Overlapping fragment attack, that is, the first fragment flag SYN=0, ACK=1 and long enough, then it can pass the filter smoothly, the second fragment overlaps with the first fragment, and the overlapped part contains the flag bit as SYN= 1. If the host uses the latter to cover the previous algorithm, it will be successfully bypassed at this time

Five, ICMP protocol security

ICMP is an Internet Message Control Protocol, mainly because the IP protocol may have errors in the process of message sending. For example, if the target is unreachable, TTL expired, etc., the sender needs to be notified of the cause of the error

There are many different ICMP messages, each of which has its own format, but all ICMP messages have three common fields: type, code, checksum. Different types of icmp messages are distinguished by type and code :

Some common icmp messages:

• type=8, code=0: echo request, that is, ping request
• type=0, code=0: will send a response, that is, a ping response
• type=5: change route (redirect), code=0 (change to specific network route), code=1 (change to specific host route)
• type=4, code=0: source point suppression, in order to add a certain degree of flow control and congestion control to the ip protocol

Among them, the redirect message with type=5 is used by the router to notify the host of changes in the network topology. In the following cases, the router will send a redirect message to the host:

In the above case, the IP address of the host is 10.0.0.100, and the default gateway in the routing table of the host is 10.0.0.1, and now the host 100 wants to send data packets to network X. According to its default gateway, 100 sends the data to G1. G1 checks its routing table and finds that to reach network X, it needs to go through G2. G1 forwards the data packet to G2. At the same time, it finds that the source address 10.0.0.100 of the data packet is on the same network segment as G2. Host sends a redirect message, telling it to send it directly to G2 next time it will be faster

The host always assumes that the information of the router is more authoritative, and the router is always right, so it will update its routing table, but both the icmp packet and the ip packet encapsulating it can be forged, which presents a security problem

1. What is a Smurf attack? How to prevent it?

A distributed denial of service attack that pretends to be the IP of the target machine and broadcasts ICMP echo request messages to the network. Then the target machine will receive a large number of ICMP echo reply messages, which makes the victim busy processing ping packets and cannot work normally

The attack can be prevented in the following ways:

• Configure each host and route not to respond to ICMP requests or broadcasts
• Configure routing not to forward data packets directed to broadcast addresses (by default before 1999)

2. What is an ICMP redirect attack? How to prevent it?

In the same local area network, the attacker A fakes the gateway B of the target machine, and sends redirection packets to the target machine, so that the target machine's packets are redirected to the designated host, so that it can achieve the purpose of not being able to access the Internet or hijacking the traffic.

Can not allow redirection to prevent such attacks

Six, TCP protocol security

1. What is a SYN flooding attack? What is the effect? How to prevent it?

The host maintains a TCP half-open connection queue with a limited size. Once full, the host will discard other TCP connection packets

Then the essence of the SYN flooding attack is to use a large number of fake IPs to send SYN packets to the target machine, making the other party's connection queue full, making the target machine unable to process new TCP connections.

Prevention: Set tcp_syncookie=1 (this is also the system default value). In the TCP three-way handshake process, the host does not allocate memory space for the connection before the ACK message arrives, but uses the sequence number to identify the three-way handshake

2. What is the principle of port scanning?

Use nmap to scan the target address. It will first try to connect to some ports one by one. If the port responds and the connection can be established, then nmap can determine that the port is open

3. What is the difference between nmap -sT and nmap -sS?

nmap -sT <ip> # connect扫描, 发送SYN报文，若对方回复SYN+ACK，则会回复ACK建立连接
nmap -sS <ip> # 半开扫描，发送SYN报文，若对方回复SYN+ACK，则会回复RST中断连接, 需要sudo权限

4. What is the principle of nmap -sA scanning?

Send an ACK message to the target machine, if the port is filtered, there will be no response, otherwise, no matter whether the port is open or closed, it will return an RST message, which can detect whether the port is filtered

With nmap -sF scanning (sending FIN packets, the port will be open or filtered, there will be no response, and the port will be closed, it will receive RST), and the port status can be accurately known

5. What is the principle of nmap -idle scanning?

Check the port status of the target machine through the zombie host. The zombie needs to satisfy that it will not send out messages by itself during the attack, and it is best to have a trust relationship with the target machine

• The attacker sends a SYN|ACK packet to zombie, gets the RST packet and obtains the IP ID
• The attacker fakes the zombie to send a SYN message to the target machine. If the port of the target machine is open, it will send a SYN|ACK message to the zombie, otherwise it will send an RST message.
• The attacker sends a SYN|ACK packet to zombie, gets the RST packet and obtains the IP ID
• Compare the two IP IDs. If the interval is 1, it means that the port of the target is not open; if the interval is 2, it means that the port of the target is open. If the distance is larger, it means that zombie is not a good zombie host

Seven, firewall

The firewall is placed between the internal network and the external network, the only place where the internal network communicates with the external network

1. What kinds of firewalls are there?

• Packet filtering firewall

  Also known as a stateless firewall, a static firewall. The data flow is controlled by ACL rules. The five core elements are: source IP, destination IP, source port, destination port, and protocol . In a session, these five elements will not change, so it is also called a static firewall.

  **Advantages: **Simple implementation and fast processing speed

  **Disadvantages: **It is difficult to handle fragmentation, does not support complex protocols, and cannot prevent malicious attacks at the application layer (because it cannot detect application layer data)

• Application-level gateway proxy firewall

  The client does not establish a real connection with the server, but the client accesses the server by accessing the proxy server. When communicating, the data packets must pass the detection of the proxy server.

  **Advantages: **The control of data rises to the application layer

  **Disadvantages: **Each service needs to implement a specific security proxy service

• Stateful firewall

  The data packets in the session are not independent, but are connected before and after. In the same session, the quintuple will not change, but various state identifiers, fragments, etc. can be changed

  For example: the TCP three-way handshake process, if an ACK message is suddenly received, then the message needs to be discarded

2. What is the role of NAT?

Network address translation makes an entire organization appear on the Internet as a public IP address. Because the IPv4 address is not enough, NAT is generated, that is, when the host in the internal network wants to access the Internet, the source address will be converted into the public network ip through the NAT router to access.

3. Forward proxy and reverse proxy

• Forward proxy

  Forward proxy proxy client, the main function can be kxsw and the like.

• Reverse proxy

  Reverse proxy proxy server, mainly to prevent the direct exposure of the server's ip address, and at the same time, it can also implement request filtering on the reverse proxy, which plays a great role in the field of intranet security.

4. Analysis of the role of iptables statements

iptables/netfilter is a built-in firewall in Linux. It filters packets through some tables and rule chains. Each table has a different number of rule chains. When packets come in, they pass through a certain chain on each table in order:

We can specify rules for each chain. Common parameters are:

Basic chain management:

• -L, --list [chain]: List rules;

• -F, --flush [chain]: Flush the rules on the specified rule chain;

• -P, --policy [chain] target Make the policy of the linked list (ACCEPT|DROP|REJECT)

Basic rule management:

• -A, --append chain rule-specification: Append the new rule to the end of the specified chain;
• -D, --delete chain rulenum: delete the rule according to the rule number;
• -D, --delete chain rule-specification: delete the rule according to the rule itself;

# 使用 -t 指定表，默认为 filter 表
# 指定 INPUT 链丢弃所有包
$ sudo iptables -P INPUT DROP

# 在 INPUT 链上添加规则，源端口为80的tcp报文可以进来 
$ sudo iptables -A INPUT -p tcp --sport 80 -j ACCEPT

Eight, rootkit

Security model under unix

• Dacian

  Discretionary access control, that is, the file owner can determine the access rights of the file

• MAC

  Mandatory access control, an optional module built on top of the DAC, the MAC will be verified if the DAC is verified and the system supports it

User management mechanism

• Real UID: the currently logged in uid

• Effective UID: which user ID is the current process running under

• Saved UID: A copy of the effective user ID, related to SUID permissions

• SUID permission: If a file has SUID permission, then if a user has execute permission on it, then it will be executed with root permission when executed

• setuid(uid)Detailed

  ruid:Real and uid euid:effective uid suid:saveduid

  • When the user has super user privileges, setuid(uid)the three uids of the process can be set touid
  • Otherwise, only when the id is ruid or suid, the id is effective for euid
  • If the above conditions are not met, an error will be reported

• seteuid(uid)

  seteuid(uid)The only request euidis set touid

• For example:

  In terms of user logged into the system and open the shell, and then open a file in the shell, this file has the s-bit (setuid), then the time ruidfor the user is uid, euidshould the file owner ruid

1. What is a rootkit?

The root in Rootkit comes from unix. The system administrator account on the Unix host is the root account. This account has minimal security restrictions, fully controls the host and has administrator rights, which is called "root" the host. However, being able to temporarily control the host is not enough, because the administrator can take certain security measures, such as patching. Therefore, the role of Rootkit is "a set of tools that can maintain root privileges." Its purpose is to hide itself and malicious programs, to achieve the purpose of long-term existence on the destination host and collecting information.

2. What are the benefits of LKM?

• Definition: LKM is a loadable kernel module used by the Linux kernel to extend its functions
• Advantages: dynamic loading, no need to implement the entire kernel. Based on this feature, LKM is often used as a special device driver

3. Please describe the process of system call hijacking

• System call procedure

  1. The application code calls the system call function xyz, which is a library function that wraps system calls
  2. The library function xyz is responsible for preparing the parameters (system call number) passed to the kernel, and triggering the soft interrupt to switch to the kernel mode
  3. The system call enters the kernel mode through the soft interrupt 80, and finds the interrupt handler corresponding to 80 in the IDT (Mid Descriptor Table), that is, the system call processing function
  4. The system call processing function uses the incoming system call number to call the system call service routine.

  So in the above procedure, linux kernel space stores a table called the system call table (system_call_table), the table stores the address of the system call number corresponding to the system call service routine

• Hijacking process

  According to the above process, how to hijack the system call is very clear. What we need to do is to modify the system call table so that the system call service routine corresponding to the target system call number becomes a function written by ourselves.

  1. Find the first address of the system call table (SCT)
  2. Modify the address of the target system to call the service routine in the SCT (write protection needs to be turned off when modifying, and write protection needs to be restored after writing)

  How to find SCT address?

  • In the old version of the Linux kernel, SCT is directly exported, that is, SCT symbols are stored in the symbol table, so that the kernel program can be used directly.
  • After the kernel version 2.6, SCT is no longer derived directly, so another look SCT is by /boot/System.maplookup
  • However, in later versions, System.mapthere is no more. At this time, you can /proc/kallsymsquery through it. All the linux kernel symbols are saved in this file.

4. Why can Unix do everything as a file?

The virtual file system (VFS) is the key to such a feature. It is a software layer in the Linux kernel that provides a file system interface for user-space programs. At the same time, it also provides an abstract function in the kernel that allows different file systems to coexist.

In order to be able to support various actual file systems, VFS defines the basic and conceptual interfaces and data structures supported by all file systems; at the same time, the actual file system also provides the abstract interfaces and data structures expected by VFS, and combines its own files such as files. Concepts such as, directory are consistent with the definition of VFS in form. In other words, if an actual file system wants to be supported by Linux, it must provide an interface that conforms to the VFS standard in order to work with VFS

Therefore, the meaning of VFS is as follows:

1. Upward, provide a standard file operation interface for the application layer
2. Next, provide a standard interface for the file system, so that the file system of other operating systems can be easily ported to Linux
3. Inside the VFS, through a series of efficient management mechanisms, such as inode cache, dentry cache, and file system pre-reading technologies, the underlying file system can achieve high performance without indulging in complex kernel operations.
4. In addition, VFS abstracts some complex operations into the VFS as much as possible, making the implementation of the underlying file system easier

Nine, buffer overflow

1. What is a buffer

Because computer programs frequently need to manipulate a piece of data read in from various sources such as files and networks, the program often needs to allocate a limited amount of memory space in order to store the data in it. This memory space becomes a buffer. Buffer overflow means that the data written to or read from the buffer exceeds the range that the buffer can contain.

Buffer overflow includes various types, such as stack overflow, heap overflow, and so on. The type of our main concern is stack buffer overflow.

2. What is the return address

When calling another function in one function, when the called function ends, it needs to return to the original function, and then execute the next instruction of the calling statement, then the address of the next instruction is the return address of the called function

3. What is the function of the call instruction in assembly language?

The jump is realized by modifying the instruction pointer register eip, which is used to realize the subroutine. Specifically, when calling call:

• Push the current eip (note that the address of the next instruction to be executed is stored in eip) onto the stack
• Jump to the address specified after call for execution

In conjunction with it, there is also a ret instruction, which is used to return in the subroutine. When calling:

• Pop out of the stack, assign to eip, return to the original program to continue execution

4. Please describe the change of the stack frame in the process address space when the function call occurs

First, push the parameters of the function call on the stack, then push the eip (return address) on the stack, and ebp (the bottom of the stack) on the stack. Next, update the value of ebp to the value of esp (stack alignment), reduce esp by a specific value (related to the internal application space of the calling function), and obtain a certain stack space for the calling function.

5. How to prevent buffer overflow attacks

String storage grows from a low address to a high address, so the main idea of ​​a buffer overflow attack is to put the shellcode (code that generates the shell, and execute it to get a shell) somewhere in the memory, and then overflow through the buffer Override the return address of the function to point to the shellcode, the prevention methods are as follows:

• Stack canary protection: Get a random value from the gs (32-bit) or fs (64-bit) segment at the entry of the function. If the attacker uses a stack overflow to modify this value, causing the value to be inconsistent with the stored value, the function will Throw an exception and exit the program
• Prevent the stack from running
• Randomize the stack start address