2017-2018-2 20179317 Week 8 assignment for "Network Attack and Defense Technology"

Part 1: Building a Network Attack and Defense Environment

Using virtual machine images and VMware Workstation, a personal network attack and defense lab environment was deployed and its connectivity tested, as shown in the figures below.

Attacker IP address

Target IP address

Configure the honeywall

The attacker pings the target machine

The target machine pings the attacker

Gateway monitoring while the attacker pings the target: the ICMP ping packets are observed on the honeynet gateway and pass through both its external and internal network interfaces.

Gateway monitoring while the target pings the attacker: the ICMP ping packets are observed on the honeynet gateway and again pass through both the external and internal network interfaces.

Problems encountered while configuring the gateway and how they were solved

From a failed honeywall installation to a successful one

I got this error and later found a solution:


The cause of this problem was that the quick installation method had been selected, so many packages, including the graphical interface, were never installed.

When the installation reaches the step shown below, one would normally choose the second option, but on closer inspection it says the installation will use Easy Install, so that option cannot be used.

The third option should be selected instead, as shown in the image below:

Then select the corresponding options step by step according to the document; at the following step, select Other for both options.

The remaining choices (LSI Logic, SCSI, and so on) must follow the document exactly; then proceed with the following steps.

Click the Customize Hardware button, as shown below, select the New CD/DVD entry, choose the honeywall ISO file under Use ISO image file on the right, and click OK.

Then click Finish and power on the VM to install. Once the installation completes, the graphical interface appears; switch to root with su - and the honeywall configuration interface opens automatically.

Part II: Summary of the content of the textbook

Linux basic framework

1. Advantages of Linux: cross-platform hardware support, rich software support, multi-user and multi-tasking, reliable security, good stability, complete networking functionality.
2. System structure: the kernel, GNU runtime libraries and tools, a command-line shell, a graphical interface (the X Window System with its desktop environments), and many applications.
3. Functional modules: process and thread management, memory management, file system management, device control (character devices, block devices and network devices), networking, and the system call mechanism (implemented via software interrupts).

Linux security mechanisms

1. Authentication mechanism: users (the root user, ordinary users, system users) and user groups (sets of user accounts with the same characteristics). Local login authentication: the DES algorithm (early), MD5, Blowfish; SHA-256 and SHA-512 (current); the salt length was extended to 12 characters. Remote login authentication: SSH provides two user authentication methods (password-based authentication and asymmetric-key-based authentication). Unified authentication middleware, PAM: four management interfaces (authentication management, account management, password management, session management).
2. Authorization and access control: the system security model uses the file owner, the file access permissions (R, W, X) and a few special permission bits (SUID and SGID) for authorization and access control. Shortcoming and improvement: permissions cannot be finely subdivided; the POSIX ACLs for Linux kernel patch addresses this.
3. Security audit mechanism: the logging subsystem (connect-time logs, process accounting logs, error logs); the audit daemon; audit log analysis tools such as OSSEC and Snare.
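The authorization model above (owner/group/other rwx bits plus the SUID and SGID special bits) is easiest to understand by classifying concrete mode values. The following is an added example, not code from the textbook or from the original post: it labels entries the way a local-privilege-escalation search would (SUID/SGID programs, world-writable files, world-writable directories without the sticky bit). The sample entries are constructed, and the `walk_tree` helper is an assumption about how the same classifier would be fed from a real filesystem.

```python
"""Classify Unix permission bits: owner/group/other rwx plus SUID, SGID and sticky.

Added example (not from the textbook or the original post). SAMPLE_ENTRIES is
constructed; walk_tree() is an assumed helper for scanning a real tree and only
sees what the calling user is allowed to stat.
"""
import os
import stat

# Constructed sample: (path, mode) pairs shaped like os.stat().st_mode values.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),        # legitimate SUID root binary
    ("/usr/bin/wall", stat.S_IFREG | stat.S_ISGID | 0o755),          # SGID binary
    ("/tmp", stat.S_IFDIR | stat.S_ISVTX | 0o777),                   # world-writable but sticky: fine
    ("/opt/app/run.sh", stat.S_IFREG | 0o777),                       # world-writable script
    ("/etc/cron.d", stat.S_IFDIR | 0o777),                           # world-writable dir, no sticky bit
    ("/usr/local/bin/backup", stat.S_IFREG | stat.S_ISUID | 0o777),  # SUID and world-writable
    ("/etc/shadow", stat.S_IFREG | 0o640),                           # normal restricted file
]


def describe_mode(mode: int) -> str:
    """Render a mode the way `ls -l` does, e.g. -rwsr-xr-x (SUID shown as 's')."""
    return stat.filemode(mode)


def classify(path: str, mode: int) -> list:
    """Return the findings for one entry: special bits set and risky combinations."""
    findings = []
    if mode & stat.S_ISUID:
        findings.append("suid")
    if mode & stat.S_ISGID:
        findings.append("sgid")
    if mode & stat.S_IWOTH:
        # A world-writable directory without the sticky bit lets any user rename or
        # delete other users' files in it; a world-writable file can be edited by
        # anyone, which is exactly what a local attacker searches for.
        if stat.S_ISDIR(mode) and not (mode & stat.S_ISVTX):
            findings.append("world-writable-dir-no-sticky")
        elif not stat.S_ISDIR(mode):
            findings.append("world-writable-file")
    if "suid" in findings and "world-writable-file" in findings:
        # Anyone can replace the program body and it still runs as the owner.
        findings.append("CRITICAL: SUID binary is world-writable")
    return findings


def audit(entries) -> dict:
    """Map path -> findings for every entry that has at least one finding."""
    report = {}
    for path, mode in entries:
        found = classify(path, mode)
        if found:
            report[path] = found
    return report


def walk_tree(root: str):
    """Assumed helper: yield (path, mode) for a real directory tree, skipping
    symlinks so a link into another filesystem is not reported with the target's mode."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if not stat.S_ISLNK(st.st_mode):
                yield p, st.st_mode


if __name__ == "__main__":
    modes = dict(SAMPLE_ENTRIES)
    for path, findings in audit(SAMPLE_ENTRIES).items():
        print(f"{describe_mode(modes[path])} {path}: {', '.join(findings)}")
```

Note that the sticky /tmp entry produces no finding while the non-sticky /etc/cron.d does; the combination of SUID with world-writable is the one an attacker can turn directly into a root shell, so it is reported separately. Running `audit(walk_tree("/"))` as an unprivileged user gives the same view an attacker doing the textbook's "search for world-writable sensitive files" step would get.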

Linux remote attack and defense technology

1. Four approaches: guessing attacks against the user passwords involved in the authentication of the various Linux network services; discovering a security vulnerability in a network service the Linux system is listening on; technical and social-engineering means such as web trojans, fraudulent emails and Trojan horse programs; and, when the Linux system acts as a router connecting several networks or runs a sniffer with the interface in promiscuous mode, attacks with specially crafted packets through which the attacker gains access.
2. Remote password guessing attacks: SSH, Telnet, FTP, HTTP. Tools: Brutus (remote password guessing tool), THC Hydra (network authentication password guessing tool), Cain and Abel. Defenses: use strong passwords; for security-sensitive servers, apply strict password management policies and measures; run vulnerable services on non-standard ports; password-guessing defense software (DenyHosts, BlockHosts, etc.) and the iptables firewall.
3. Remote penetration of network services: the most important attack channel for system penetration is the exploitation of security vulnerabilities in listening network services.
4. Vulnerability information databases: CVE, Bugtraq, SecurityFocus, OSVDB.
5. Remote penetration attacks against Linux network services.
6. Vulnerabilities in the kernel's network protocol stack implementation.
7. Network services in the LAMP web stack: Apache for HTTP/HTTPS; MySQL for back-end data storage; PHP for the application.
8. File sharing services such as FTP (TCP 20/TCP 21) and Samba (TCP 445): FTP servers include ProFTPD and vsftpd.
9. Email services: Sendmail.
10. Other services: OpenSSH, OpenSSL, NFS, etc.
11. Defenses: strong passwords, disable unnecessary services, choose secure network protocols and service software, update service versions promptly, use xinetd and the firewall to add network access control to Linux services, and establish intrusion detection and incident response plans and procedures.
12. Attacking Linux client programs and users: attacks on client programs on the Linux platform (the Firefox web browser, the Thunderbird email client); attacks on Linux users (deception scenarios built in email and instant messaging, leakage of service configuration information). Defenses: automatic software update mechanisms and improving one's own resistance to deception.
13. Attacking routers and sniffers: attacks on routers and firewalls (ip_forward=1; in the net subsystem, route.c handles routing lookups and packet forwarding and netfilter configures the firewall); attacks on sniffers and intrusion detectors (libpcap, tcpdump, Wireshark, Snort). Defenses: be aware of the security and availability of network and security devices, think from the attacker's perspective, and master penetration testing tools.
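Item 2 names DenyHosts and BlockHosts as defenses against remote password guessing; what such tools actually do is count failed logins per source address in the authentication log and add a firewall rule once a threshold is crossed. The following is an added example of that detection logic, not code from the textbook or the original post. The log lines are constructed in the syslog format sshd writes to /var/log/auth.log on Debian/Ubuntu, and the threshold, window and `block_commands` output format are this example's own assumptions.

```python
"""Detect remote password guessing against sshd from auth.log lines and decide
which source addresses to block, in the spirit of DenyHosts/BlockHosts.

Added example (not from the textbook or the original post). SAMPLE_LOG is
constructed; THRESHOLD and WINDOW_SECONDS are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed: 203.0.113.7 tries several accounts within seconds (guessing attack);
# 198.51.100.23 is a legitimate user with one failure followed by a key login.
SAMPLE_LOG = """\
Apr 21 10:15:01 target sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50312 ssh2
Apr 21 10:15:02 target sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 50314 ssh2
Apr 21 10:15:03 target sshd[2205]: Failed password for root from 203.0.113.7 port 50316 ssh2
Apr 21 10:15:04 target sshd[2207]: Failed password for root from 203.0.113.7 port 50318 ssh2
Apr 21 10:15:05 target sshd[2209]: Failed password for root from 203.0.113.7 port 50320 ssh2
Apr 21 10:15:06 target sshd[2211]: Failed password for root from 203.0.113.7 port 50322 ssh2
Apr 21 10:16:40 target sshd[2230]: Failed password for alice from 198.51.100.23 port 41002 ssh2
Apr 21 10:16:48 target sshd[2230]: Accepted publickey for alice from 198.51.100.23 port 41002 ssh2: ED25519 SHA256:abc
Apr 21 10:40:00 target sshd[2301]: Failed password for root from 203.0.113.7 port 50400 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 5        # this many failures ...
WINDOW_SECONDS = 60  # ... inside this sliding window triggers a block


def parse_failures(log_text: str, year: int = 2018):
    """Yield (timestamp, ip, user) for each failed-password line.
    Syslog timestamps carry no year, so one is supplied."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_brute_forcers(log_text: str, threshold=THRESHOLD, window=WINDOW_SECONDS) -> dict:
    """Return {ip: {"failures": n, "users": [...]}} for every source that produced
    at least `threshold` failures within some `window`-second span."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        per_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):
            # Slide `start` forward until events[start..end] fit in the window.
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(events),
                               "users": sorted({u for _, u in events})}
                break
    return flagged


def block_commands(flagged: dict) -> list:
    """Render the iptables rules a DenyHosts-style daemon would apply (assumed format)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
    for cmd in block_commands(hits):
        print(cmd)
```

The sliding window is what separates an attack from a user mistyping a password: the legitimate user's single failure never reaches the threshold, while the guessing source is flagged after its fifth failure in a minute even though a seventh attempt arrives much later. In a real deployment the rule set needs an allow-list for management addresses, since an attacker can spoof nothing in TCP but can trivially provoke a block of a shared NAT address.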

Linux local security attack and defense technology

1. Local privilege escalation: crack the root password and then escalate with su or sudo; discover and exploit security vulnerabilities in su or sudo; exploit privilege escalation vulnerabilities in user-space SUID programs; exploit privilege escalation vulnerabilities in Linux kernel code; search the system for world-writable sensitive files and directories and exploit them.
2. Password cracking: the record format of the shadow file is login name, password, last change time, minimum interval, maximum interval, warning time, inactivity time, expiry time. Tool: John the Ripper. Methods: dictionary attack, brute force.
3. The prerequisite for cracking Linux passwords is obtaining the /etc/shadow file. Privilege escalation through flaws in sudo. Privilege escalation through vulnerabilities in user-space SUID programs: local buffer overflow attacks against SUID programs (Ettercap), symbolic link attacks against SUID programs (ncpfs, ncpmount), race condition attacks against SUID programs (Exim), shared library attacks against SUID programs. Privilege escalation through kernel-space code vulnerabilities. Defenses: configure SUID privileged programs sensibly, watch for security vulnerabilities in kernel code, configure the system securely, and apply security enhancement modules such as SELinux to raise the level of intrusion protection.
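The shadow record format in item 2, together with the hash algorithms listed under the authentication mechanism earlier (DES, MD5, Blowfish, SHA-256, SHA-512), is what a password audit or John the Ripper's preparation step reads. The following is an added example, not code from the textbook or the original post: it parses shadow records, names the crypt(3) scheme from the `$id$` prefix, extracts the salt, and flags empty passwords, weak legacy hashes and expired passwords. The sample records are constructed and their hash strings are only shaped like real crypt output; which algorithms count as "weak" is this example's own choice.

```python
"""Parse /etc/shadow records and flag what a password audit cares about: hash
algorithm and salt, locked or empty passwords, and password-ageing fields.

Added example (not from the textbook or the original post). SAMPLE_SHADOW is
constructed; the hashes are not hashes of any real password.
"""
from datetime import date, timedelta

# $id$ prefixes used by crypt(3); a field with no '$' is classic 13-character
# DES crypt (2-character salt + 11 characters), the early scheme in the textbook.
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK = {"descrypt", "md5crypt"}   # assumption: what this audit treats as weak

# Constructed sample shadow file: 9 colon-separated fields per line
# (the textbook's 8 fields plus the reserved flag field at the end).
SAMPLE_SHADOW = """\
root:$6$saltsalt$Q4cP3b7m9x1y2z3w4v5u6t7s8r9q0p1o2n3m4l5k6j7i8h9g0f1e2d3c4b5a6z7y8x9w0v1u2:17600:0:99999:7:::
legacy:$1$abcdefgh$ijklmnopqrstuvwxyz0123456:16000:0:99999:7:::
old:ab1Cd2Ef3Gh4I:15000:0:99999:7:::
svc:*:17600:0:99999:7:::
deploy:!$6$zzzzzzzz$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead:17600:0:99999:7:::
guest::17600:0:99999:7:::
alice:$6$saltsalt$Q4cP3b7m9x1y2z3w4v5u6t7s8r9q0p1o2n3m4l5k6j7i8h9g0f1e2d3c4b5a6z7y8x9w0v1u2:17200:0:90:7:::
"""

EPOCH = date(1970, 1, 1)   # shadow dates are days since the Unix epoch
FIELD_NAMES = ["login", "password", "last_change", "min_days", "max_days",
               "warn_days", "inactive_days", "expire", "reserved"]


def hash_algorithm(field: str) -> str:
    """Name the crypt scheme of a password field, or its status if it is not a hash."""
    if field == "":
        return "empty"      # login without any password at all
    if field.startswith("!") or field.startswith("*"):
        return "locked"     # password login disabled for this account
    if field.startswith("$"):
        ident = field.split("$")[1]
        return HASH_IDS.get(ident, f"unknown(${ident}$)")
    return "descrypt"


def salt_of(field: str) -> str:
    """Return the salt: the 2 leading chars for DES crypt, the 3rd '$' field otherwise."""
    if field.startswith("$"):
        return field.split("$")[2]
    return field[:2]


def parse_shadow(text: str) -> list:
    """Turn shadow lines into dicts keyed by the textbook's field names."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(FIELD_NAMES):
            raise ValueError(f"malformed shadow line: {line!r}")
        records.append(dict(zip(FIELD_NAMES, fields)))
    return records


def audit_shadow(text: str, today: date = date(2018, 4, 21)) -> dict:
    """Return {login: [issues]} for accounts worth a second look.
    `today` is a parameter so the ageing check is reproducible."""
    issues = {}
    for r in parse_shadow(text):
        found = []
        alg = hash_algorithm(r["password"])
        if alg == "empty":
            found.append("empty password")
        elif alg in WEAK:
            found.append(f"weak hash ({alg})")
        elif alg.startswith("unknown"):
            found.append(alg)
        if alg not in ("empty", "locked") and r["last_change"].isdigit() and r["max_days"].isdigit():
            changed = EPOCH + timedelta(days=int(r["last_change"]))
            if changed + timedelta(days=int(r["max_days"])) < today:
                found.append("password expired")
        if found:
            issues[r["login"]] = found
    return issues


if __name__ == "__main__":
    for login, problems in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{login}: {'; '.join(problems)}")
```

Reading the file requires root (mode 0640, group shadow), which is exactly why obtaining /etc/shadow is listed as the prerequisite for cracking: the algorithm identifier and salt are in plain text, and the cost of a dictionary attack is set only by the scheme (a DES or MD5 hash falls far faster than SHA-512 or yescrypt with the same wordlist).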

Covering tracks after a Linux intrusion

1. Modify the current activity logs, clear the login logs (the WZAP tool), and clear one's own command history in the shell.
2. Backdoor programs: trojanized system programs (which always accept logins from the accounts the attacker configured), command-line backdoor tools, graphical backdoor tools (VNC).
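The login logs that WZAP-style cleaners target are binary files of fixed-size utmp records (wtmp holds the login/logout history that `last` prints). A cleaner that zeroes the attacker's record, or drops it, leaves traces a forensic pass can look for: all-zero records, and logout records with no matching login. The following is an added example of that check, not code from the textbook or the original post. It assumes glibc's struct utmp layout on x86_64 (384-byte records with 32-bit time fields) and builds a small wtmp file in memory, so the sample data is constructed.

```python
"""Spot wiped login records in a Linux wtmp file: all-zero records and
DEAD_PROCESS (logout) entries whose USER_PROCESS (login) entry is missing.

Added example (not from the textbook or the original post). Record layout is
glibc's struct utmp on x86_64; SAMPLE_WTMP is constructed in memory.
"""
import struct

# struct utmp (x86_64 glibc), little-endian with explicit padding:
#   short ut_type; 2 pad bytes; int ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination; short e_exit;
#   int ut_session; int tv_sec; int tv_usec; int ut_addr_v6[4]; char reserved[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def make_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Build one record (used only to construct the sample; not a forensic step)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed wtmp: a reboot, a normal alice session, then an intruder session on
# pts/1 whose login record has been zeroed out while its logout record remains.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "5.4.0", 1524300000),
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1524300600),
    make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1524301200),
    b"\x00" * UTMP_SIZE,   # the intruder's USER_PROCESS record, zeroed by a log cleaner
    make_record(DEAD_PROCESS, 1337, "pts/1", "", "", 1524302500),
])


def parse_wtmp(data: bytes) -> list:
    """Return one dict per record; all-zero records are marked wiped."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated wtmp: size is not a multiple of the record size")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        index = off // UTMP_SIZE
        if chunk == b"\x00" * UTMP_SIZE:
            records.append({"index": index, "wiped": True})
            continue
        f = struct.unpack(UTMP_FMT, chunk)
        records.append({
            "index": index, "wiped": False, "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\x00").decode(errors="replace"),
            "user": f[4].rstrip(b"\x00").decode(errors="replace"),
            "host": f[5].rstrip(b"\x00").decode(errors="replace"),
            "time": f[9],
        })
    return records


def find_anomalies(records: list) -> dict:
    """Zeroed records, logouts without a login, and logins never closed."""
    wiped = [r["index"] for r in records if r["wiped"]]
    open_sessions, orphan_logouts = {}, []
    for r in records:
        if r["wiped"]:
            continue
        key = (r["line"], r["pid"])
        if r["type"] == USER_PROCESS:
            open_sessions[key] = r
        elif r["type"] == DEAD_PROCESS and open_sessions.pop(key, None) is None:
            orphan_logouts.append(key)
    return {
        "wiped_records": wiped,
        "orphan_logouts": orphan_logouts,
        "unclosed_logins": sorted(f"{r['user']}@{r['host']}" for r in open_sessions.values()),
    }


if __name__ == "__main__":
    print(find_anomalies(parse_wtmp(SAMPLE_WTMP)))
```

An unclosed login is also what a still-active session looks like, so that list is a lead rather than proof; a zeroed record or an orphaned logout, on the other hand, is not something a correctly running login process produces. The same parser applies to /var/run/utmp (current sessions) and to btmp (failed logins), which share the record format.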

Video learning summary

In the video learning we covered five Kali videos. The first introduces the SET toolkit for exploitation, including eleven different social-engineering penetration tests, used together with Metasploit; the second covers sniffing, spoofing and man-in-the-middle attacks through the MITM tool Ettercap; the third covers backdoor tools for maintaining access, in three categories (the tunnel toolset, web backdoors and system backdoors), and introduces seven web and system backdoor tools; the fourth covers twelve tunnelling tools for maintaining access; and the last introduces ten reverse-engineering tools.

Video Learning Practice

Man-in-the-middle attack test

The goal is to capture credentials and other traffic with ettercap. An Ubuntu virtual machine (IP 192.168.200.64) is used as the target.

First enable port forwarding in kali with the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then set up sslstrip to hijack the SSL session by stripping HTTPS links from intercepted HTTP traffic (this only works against sites that do not enforce HSTS):

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8081
sslstrip -l 8081

The iptables rule redirects the target's port-80 traffic to port 8081, where sslstrip listens.

Before using ettercap, adjust its configuration file (/etc/ettercap/etter.conf): set ec_uid and ec_gid to 0 in the [privs] section, and uncomment the iptables redir_command_on/redir_command_off lines so that ettercap can redirect traffic.

Open the ettercap tool:
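Ettercap's man-in-the-middle mode used in this exercise is ARP poisoning (`-M arp`), which works by making the victim's ARP cache map the gateway's IP to the attacker's MAC. The following is an added example of how the same test can be verified from the target side, not code from the textbook or the original post: it compares a baseline `ip neigh show` snapshot with a later one and flags any IP whose MAC changed and any MAC that now answers for more than one IP. The snapshots are constructed; the gateway address 192.168.200.1 and the attacker MAC are assumptions, and only the victim's subnet comes from the post.

```python
"""Detect ARP-cache poisoning from the victim's neighbour table: compare a baseline
`ip neigh show` snapshot with a later one.

Added example (not from the textbook or the original post). Snapshots are
constructed; the gateway IP and the MAC addresses are assumptions.
"""
import re

NEIGH_RE = re.compile(r"^(?P<ip>[\d.]+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) ")

# Constructed: before the attack the gateway entry carries its own MAC.
BASELINE = """\
192.168.200.1 dev eth0 lladdr 00:50:56:e1:4a:10 REACHABLE
192.168.200.2 dev eth0 lladdr 00:0c:29:3b:77:c4 STALE
192.168.200.10 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
"""
# Constructed: after `ettercap -M arp` the gateway entry carries the attacker's MAC
# (192.168.200.2), so the same MAC now answers for two IPs.
AFTER_ATTACK = """\
192.168.200.1 dev eth0 lladdr 00:0c:29:3b:77:c4 REACHABLE
192.168.200.2 dev eth0 lladdr 00:0c:29:3b:77:c4 REACHABLE
192.168.200.10 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
"""


def parse_neigh(text: str) -> dict:
    """Map ip -> mac from `ip neigh show` output; FAILED/INCOMPLETE lines have no
    lladdr and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def find_spoofing(baseline: dict, current: dict, gateway: str) -> list:
    """Alerts for MAC changes (critical if it is the gateway) and for one MAC
    claiming several IPs, the two signatures of ARP poisoning."""
    alerts = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old and old != mac:
            severity = "CRITICAL" if ip == gateway else "WARNING"
            alerts.append(f"{severity}: {ip} moved from {old} to {mac}")
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"WARNING: {mac} claims {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in find_spoofing(parse_neigh(BASELINE), parse_neigh(AFTER_ATTACK), "192.168.200.1"):
        print(alert)
```

A MAC legitimately changes when a router is replaced, so the first check needs a trusted baseline; the duplicate-MAC check needs none and is the quickest thing to run on the Ubuntu target while ettercap is active. The durable defense is a static ARP entry for the gateway (`ip neigh replace ... nud permanent`) or dynamic ARP inspection on the switch.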



