2017-2018-2 20179213 "Network Attack and Defense Technology" Week 8 Homework

Learning materials

Overview of the basic framework of the Linux operating system

Many distributions have been developed: Ubuntu, Debian, Fedora, CentOS, RHEL, openSUSE, Slackware and others.

Advantages:

  • Open source and free
  • Cross-platform hardware support
  • Rich software support
  • Multi-user, multi-tasking
  • Solid security
  • Good stability
  • Comprehensive networking support

Linux system structure:

  • Linux process and thread management mechanism
  • Linux memory management mechanism
  • Linux file system management mechanism
  • Linux device control mechanism
  • Linux network mechanism
  • Linux system call mechanism

Linux operating system security mechanism

The core security mechanisms of the Linux operating system fall into three parts: identity authentication, authorization and access control, and security auditing.

  • Linux authentication:
    • Linux users (the root user, ordinary users, system users)
    • Linux user groups (a collection of user accounts with the same characteristics)
    • Local login authentication (console)
    • Remote login authentication (SSH service)
    • Unified authentication middleware for Linux: PAM (Pluggable Authentication Modules)
  • Linux authorization and access control:
    • File owner (chown command)
    • File access permissions (read, write, execute; chmod command)
    • Special permission bits on files (SUID, SGID, sticky bit)
    • Insufficiency and improvement of the Linux access control mechanism: discretionary access control alone cannot confine a process that has obtained root, which is what mandatory access control frameworks such as SELinux and AppArmor add
  • Linux security auditing, implemented mainly through three logging subsystems:
    • Connection time logs (utmp, wtmp, lastlog)
    • Process accounting logs (pacct)
    • Error logging (syslog)

Linux system remote attack and defense technology

Linux remote password guessing attacks

  • Password guessing against services such as SSH, Telnet, FTP and HTTP is among the most common ways Internet-facing systems are compromised.
  • Automated remote password guessing tools (Brutus, THC Hydra, Cain & Abel)
  • Best defense: strong passwords that are hard to guess. For SSH in particular, key-based authentication with password logins disabled removes the guessing surface entirely, and lockout or rate limiting of failed attempts slows down what remains.
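
The failed-login records that password guessing leaves behind are the defender's side of this attack, and they land in the connection time and syslog audit trails described above. The following script is an added example, not from the course materials or from any of the tools named on this page: it parses sshd entries in syslog format, counts failures per source address, records which usernames were tried, and flags any source that eventually gets an "Accepted" after crossing the failure threshold. The log lines are constructed for the example and use documentation address ranges.

```python
import re
import sys
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sshd entries in syslog format (not taken from a real host);
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Apr 21 10:02:13 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 21 10:02:15 host sshd[1234]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Apr 21 10:02:17 host sshd[1235]: Failed password for root from 203.0.113.7 port 51238 ssh2
Apr 21 10:02:19 host sshd[1236]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 21 10:02:21 host sshd[1237]: Failed password for root from 203.0.113.7 port 51242 ssh2
Apr 21 10:02:24 host sshd[1238]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Apr 21 10:03:00 host sshd[1240]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Apr 21 10:03:05 host sshd[1241]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2: ED25519 SHA256:constructed
Apr 21 10:04:00 host sshd[1242]: Connection closed by authenticating user bob 192.0.2.9 port 3000 [preauth]
"""

# Matches the outcome line sshd writes for each authentication attempt.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

@dataclass
class SourceStats:
    failures: int = 0
    accepted: int = 0
    users: set = field(default_factory=set)                      # usernames seen in failed attempts
    accepted_after_failures: list = field(default_factory=list)  # (user, method) pairs

def analyze_auth_log(text, threshold=5):
    """Per source IP: failure count, usernames tried, and any login that
    succeeded after the source had already crossed `threshold` failures."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication outcome line
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s.failures += 1
            s.users.add(m["user"])
        else:
            s.accepted += 1
            if s.failures >= threshold:
                # A success right after a guessing run is the event to act on.
                s.accepted_after_failures.append((m["user"], m["method"]))
    return dict(stats)

def suspicious_sources(text, threshold=5):
    """Source IPs that crossed the failure threshold or logged in after doing so."""
    return sorted(ip for ip, s in analyze_auth_log(text, threshold).items()
                  if s.failures >= threshold or s.accepted_after_failures)

if __name__ == "__main__":
    # Usage: python3 ssh_guess.py /var/log/auth.log   (defaults to the sample above)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    flagged = set(suspicious_sources(text))
    for ip, s in sorted(analyze_auth_log(text).items()):
        print(f"{ip:15} failures={s.failures:3} users={sorted(s.users)} "
              f"accepted={s.accepted} after_guessing={s.accepted_after_failures} "
              f"{'SUSPICIOUS' if ip in flagged else 'ok'}")
```

On the sample, 203.0.113.7 is reported with five failures across three usernames followed by a password login as root, while 198.51.100.5 (one typo, then a key-based login) stays below the threshold. The threshold and the time window are the knobs to tune for a real host; this version ignores time entirely, so a slow distributed guess would need a per-user view as well.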

Remote penetration attacks on Linux network services
The most important attack channel is the exploitation of security vulnerabilities in listening network services.

  • Remote penetration attacks on Linux network services
  • Implementation of the network protocol stack in the Linux kernel
  • Web services in the LAMP web site stack
  • FTP, Samba and other file sharing services
  • Email sending and receiving services
  • Other network services

Security precautions:

  • Disable all unnecessary network services
  • Prefer more secure network protocols and service software, and deploy them following best security practices
  • Update network service software promptly
  • Use xinetd and the firewall to add network access control to Linux network services
  • Establish an intrusion detection and incident response process

Attacking Linux client programs and users
Security precautions:

  • Update commonly used network client software promptly
  • The user's own security awareness, experience and judgement

Attacking Linux routers and network monitors

  • Attacks on Linux routers and firewalls
  • Attacks on sniffers and intrusion detectors (the libpcap packet capture library, the tcpdump command-line program, the Wireshark network monitoring and protocol analysis software, the Snort intrusion detection system)

Linux system local security attack and defense technology

1. Linux local privilege escalation

  • Linux user password cracking
  • Privilege escalation exploiting sudo flaws
  • Privilege escalation exploiting vulnerabilities in user-space SUID programs
  • Local buffer overflow attacks against SUID programs
  • Symbolic link attacks against SUID programs
  • Race condition attacks against SUID programs
  • Shared library attacks against SUID programs
  • Privilege escalation exploiting kernel-space code vulnerabilities
  • Exploiting system misconfiguration for local privilege escalation
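
Both the access control notes earlier on this page (file owner, permission bits, SUID/SGID) and the SUID and misconfiguration items in the list above come down to one question: which inodes carry dangerous mode bits. The script below is an added example, not course material or a Kali tool. It classifies st_mode values into the conditions that matter for local privilege escalation (setuid/setgid binaries, world-writable files, setuid files writable by their group, and world-writable directories without the sticky bit, which is the precondition for the symlink and race attacks listed above) and walks a directory tree reporting them. The command-line usage and the output format are choices made for the example.

```python
import os
import stat
import sys

def describe_mode(mode):
    """Classify one inode's st_mode (as returned by os.lstat) into the
    permission conditions relevant to local privilege escalation. Only
    regular files and directories are classified; symlinks, sockets and
    device nodes return an empty list."""
    findings = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.append("setuid")
        if mode & stat.S_ISGID:
            findings.append("setgid")
        if mode & stat.S_IWOTH:
            # Anyone can replace the contents; together with setuid this is
            # a root shell for whoever writes to it first.
            findings.append("world-writable file")
        elif (mode & stat.S_ISUID) and (mode & stat.S_IWGRP):
            findings.append("setuid file writable by group")
    elif stat.S_ISDIR(mode):
        # A world-writable directory without the sticky bit lets any local
        # user rename or unlink files other users placed there. SUID programs
        # that create temporary files in such a directory are exposed to the
        # symbolic link and race condition attacks listed above.
        if (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
            findings.append("world-writable dir without sticky bit")
    return findings

def audit_tree(root):
    """Walk `root` and return {path: [findings]} for every inode that
    describe_mode() flags. lstat is used so symlinks are not followed."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to classify
            findings = describe_mode(st.st_mode)
            if findings:
                results[path] = findings
    return results

if __name__ == "__main__":
    # Usage: python3 audit_perms.py /usr/bin /tmp   (defaults to /usr/bin)
    for root in sys.argv[1:] or ["/usr/bin"]:
        for path, findings in sorted(audit_tree(root).items()):
            bits = oct(os.lstat(path).st_mode & 0o7777)
            print(f"{bits} {path}: {', '.join(findings)}")
```

Run against /usr/bin this lists the legitimate setuid binaries (passwd, sudo, su and so on) that a local attacker enumerates first; anything setuid that is not in the distribution's package list, or is writable by anyone but root, is the misconfiguration the last bullet above refers to. Run against /tmp and /var/tmp it confirms the sticky bit is present.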

2. Eliminating traces on the Linux system
Clean up the log records on the system to erase the traces of the intrusion. For the defender this is the argument for forwarding logs to a separate host: records that have already left the compromised machine cannot be erased from it.

3. Linux system remote control backdoor programs
The types of remote control backdoors implanted on Linux systems include trojanized system programs, command-line backdoor tools and graphical backdoor tools.

Video Learning (31-35)

Kali: Social Engineering Toolkit (SET)

The Social Engineering Toolkit (SET) is an open-source, Python-driven social engineering penetration testing tool. It provides a very rich library of attack vectors and is usually used together with Metasploit.
  • Type setoolkit to open the SET suite
  • Menu option 1 is Social-Engineering Attacks; enter 1 and press Enter to see the corresponding modules
    1) Spear-Phishing Attack Vectors: sends phishing emails carrying malware; the payload can be chosen to match different vulnerabilities.
    2) Website Attack Vectors: SET starts a web server; if the target visits the page and the trigger condition for a vulnerability is met, a backdoor is implanted. For example, the Java Applet Attack method requires the target to have a Java runtime environment. For the page itself you can choose a built-in template or clone a website.
    3) Infectious Media Generator: the exploit is launched with the help of Autorun.inf to return a shell, and can also be combined with a Metasploit backdoor.
    4) Create a Payload and Listener: generates a payload and starts the matching listener.
    5) Mass Mailer Attack: supports importing a list and sending mail to everyone on it.
    6) Arduino-Based Attack Vector
    7) Wireless Access Point Attack Vector: creates a virtual wireless AP through which the traffic of every device that connects can be captured.
    8) QRCode Generator Attack Vector: encodes a malicious URL in a QR code so that the victim who scans it automatically visits the page and is attacked.
    9) Powershell Attack Vectors: attack modules for Windows Vista and later.
    10) SMS Spoofing Attack Vector: sends SMS messages with a spoofed source.
    11) Third Party Modules

Kali: sniffing, spoofing and man-in-the-middle attacks

Man-in-the-middle attacks under Linux all follow the same pattern; this part covers ARP spoofing, DNS spoofing, sniffing, and session hijacking (cookies).
  • ettercap is a suite of tools for man-in-the-middle attacks, as well known as the dsniff suite. It supports plugins and filter scripts and displays captured account names and passwords directly, without manual extraction from the data. Before the first man-in-the-middle operation, configure ettercap under Kali (its configuration file is /etc/ettercap/etter.conf).
  • The dsniff suite consists mainly of arpspoof and dsniff: the former performs the ARP spoofing, the latter does the sniffing.
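
ARP spoofing as performed by arpspoof or ettercap is nothing more than unsolicited ARP replies that claim the gateway's IP address with the attacker's MAC. The code below is an added example and is not part of the course video or of either tool: it builds such a reply byte for byte with struct, parses frames back into their fields, and implements a minimal arpwatch-style detector that alerts when the MAC bound to an IP changes or when the Ethernet source address differs from the ARP sender field. All MAC and IP addresses are constructed for the example.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying the ARP reply 'sender_ip is-at sender_mac',
    addressed to target. arpspoof sends exactly this kind of unsolicited
    reply with the attacker's MAC as sender_mac and the gateway's IP as sender_ip."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not a
    well-formed IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "oper": oper,
            "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}

class ArpWatch:
    """Minimal arpwatch: remember which MAC last claimed each IP and alert
    when a reply changes that binding or is internally inconsistent."""
    def __init__(self):
        self.table = {}  # ip -> mac last seen claiming it

    def observe(self, frame):
        """Returns a list of alert strings for an ARP reply (empty if it is
        consistent with what was seen before), or None for non-reply frames."""
        pkt = parse_arp(frame)
        if pkt is None or pkt["oper"] != ARP_REPLY:
            return None
        alerts = []
        if pkt["eth_src"] != pkt["sha"]:
            alerts.append(f"frame from {pkt['eth_src']} carries ARP sender {pkt['sha']}")
        known = self.table.get(pkt["spa"])
        if known is not None and known != pkt["sha"]:
            alerts.append(f"{pkt['spa']} moved from {known} to {pkt['sha']}")
        # Record the new claim; a later reply from the real owner will then
        # be reported as a flip-flop, which is itself a spoofing indicator.
        self.table[pkt["spa"]] = pkt["sha"]
        return alerts

if __name__ == "__main__":
    # Constructed addresses: gateway 192.168.1.1, victim 192.168.1.10, attacker bb:...:02
    watch = ArpWatch()
    legit = build_arp_reply("aa:aa:aa:aa:aa:01", "192.168.1.1", "cc:cc:cc:cc:cc:0a", "192.168.1.10")
    spoof = build_arp_reply("bb:bb:bb:bb:bb:02", "192.168.1.1", "cc:cc:cc:cc:cc:0a", "192.168.1.10")
    for frame in (legit, spoof, legit):
        print(parse_arp(frame)["sha"], watch.observe(frame))
```

Feeding real frames in only needs a raw socket (AF_PACKET on Linux) or a pcap reader in place of the constructed frames; the detector logic is the same, and the flip-flop between the gateway's real MAC and the attacker's is the signature arpwatch reports during an arpspoof run.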

Kali: persistence backdoors

Persistence covers three subcategories: the Tunnel toolset, web backdoors and system backdoors. System backdoors and web backdoors are collectively called backdoors: malicious programs left behind after a penetration test so that the system can conveniently be entered again.
  • Weevely is a webshell tool written in Python, which can be regarded as the Linux replacement for the China Chopper (中国菜刀) webshell manager (limited to PHP).
  • WeBaCoo (Web Backdoor Cookie) script-kit is a small, covert PHP backdoor that provides a terminal-like connection to a remote web server and executes PHP code. WeBaCoo transmits command results in HTTP response headers, and the shell commands are base64-encoded and hidden in the Cookie header.
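
The channel WeBaCoo is described as using (commands base64-encoded in a cookie, results carried in response headers) is also what a defender looks for in web server logs or a proxy capture. The script below is an added example, not WeBaCoo's code or its real protocol: the cookie name cm, the X-Result header and the sample request and response are assumptions constructed for the example. It strictly base64-decodes cookie values and selected response headers and flags decoded text that looks like a shell command.

```python
import base64
import binascii
import re

# Constructed request/response pair modelled on the WeBaCoo description above.
# The cookie name "cm", the header name "X-Result" and the framing are
# assumptions made for this example, not WeBaCoo's actual wire format.
SAMPLE_REQUEST = (
    "GET /images/logo.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: PHPSESSID=8f3c2a1b9d; cm=Y2F0IC9ldGMvcGFzc3dkOyBpZA==\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "X-Result: cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaA==\r\n"
    "\r\n"
)

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
CMD_RE = re.compile(r"\b(cat|ls|id|whoami|uname|wget|curl|nc|bash|sh|perl|python)\b")
SHELL_META = (";", "|", "&&", "`", "$(")

def header_values(raw_message, name):
    """All values of header `name` (case-insensitive) in a raw HTTP message."""
    values = []
    head = raw_message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def decode_b64_text(value):
    """Strictly decode a base64 string to printable ASCII text, else None.
    Strictness matters: most cookie values are hex or random tokens and
    must not be mistaken for encoded commands."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None

def command_hints(text):
    """Shell command names, metacharacters and system paths present in text."""
    hints = CMD_RE.findall(text) + [m for m in SHELL_META if m in text]
    if "/etc/" in text or "/bin/" in text:
        hints.append("system path")
    return hints

def suspicious_cookies(raw_request):
    """Cookies whose value base64-decodes to something that looks like a
    shell command. Returns a list of (cookie_name, decoded_text, hints)."""
    hits = []
    for cookie_header in header_values(raw_request, "Cookie"):
        for pair in cookie_header.split(";"):
            name, _, value = pair.strip().partition("=")
            decoded = decode_b64_text(value)
            if decoded is None:
                continue
            hints = command_hints(decoded)
            if hints:
                hits.append((name, decoded, hints))
    return hits

def decoded_headers(raw_response, names=("X-Result", "Set-Cookie")):
    """Base64-decodable values of the given response headers: the return
    channel a cookie backdoor uses for command output."""
    out = {}
    for name in names:
        for value in header_values(raw_response, name):
            decoded = decode_b64_text(value)
            if decoded is not None:
                out[name] = decoded
    return out

if __name__ == "__main__":
    print(suspicious_cookies(SAMPLE_REQUEST))
    print(decoded_headers(SAMPLE_RESPONSE))
```

This is a triage heuristic, not a signature: plenty of legitimate applications put base64 in cookies, so the decoded text is what an analyst should read, and a PHP file under an images directory that answers with custom headers is the supporting evidence. Real WeBaCoo traffic uses its own cookie and header names, so the names here would have to be replaced, or the check run over every cookie as this code already does.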

Kali: persistence tunnels

The Tunnel toolset, the third persistence subcategory, contains a series of tools for creating communication tunnels and proxies.
  • Miredo
    Miredo is a network tool mainly used for IPv6 Teredo tunnelling on BSD and Linux. It gives hosts whose network connection does not support IPv6 access to IPv6 by tunnelling it over IPv4 UDP. The kernel needs IPv6 and TUN tunnel support.

  • Proxytunnel
    Proxytunnel connects to remote servers through a standard HTTPS proxy, bridging the connection; it is used in particular to carry SSH through HTTP(S) proxies.

  • ptunnel
    Establishes tunnelled communication with the help of ICMP packets (TCP connections carried inside ICMP echo requests and replies).

  • pwnat
    Lets hosts behind NAT communicate with each other over UDP without port forwarding.

  • socat
    Forwards data between endpoints of different protocols (TCP, UDP, UNIX sockets, TLS and more).

  • sslh
    An SSL/SSH port multiplexer. sslh can accept HTTPS, SSH and OpenVPN connections on the same port, which makes it possible to reach an SSH server or OpenVPN service through port 443 while also providing an HTTPS service on that port. sslh is a good case to study for port multiplexing.

Kali reverse engineering tools

Reverse engineering means working back from an existing artifact and its observed behaviour to the concrete way it was implemented. For example, if someone else's exe program produces an attractive animation effect and you work out, through disassembly, decompilation and dynamic tracing, how that effect is implemented, that is reverse engineering. It is not only decompiling: the design is derived and documented as well, and the purpose of reverse software engineering is to make the software maintainable.
  • edb-debugger
    A graphical binary debugging tool built on Qt4, intended as a Linux counterpart to OllyDbg; its functions can be extended through a plugin system.
  • Radare2
    radare2 is an open-source reverse engineering platform that can disassemble, debug, analyze and manipulate binaries.
  • REC Studio (recstudio): a decompiler
  • Apktool
    Apktool is a third-party APK reverse-engineering tool that can decompile and recompile APKs, and can install the framework-res resource package required for decompiling system APKs.
  • JavaSnoop is a Java application security testing tool that lets you intercept and tamper with the data of, and hack, Java applications running on your computer. Without source code, testing the security of a Java client is unpredictable at best and impractical at worst.
