2017-2018-2 20179202 "Network Attack and Defense Technology" Ninth Week Work

Stress testing

Kali's stress testing tools fall into four categories: VoIP stress testing, web stress testing, network stress testing and wireless stress testing.

VoIP stress test

This category includes iaxflood and inviteflood.

WEB stress testing tool

THC-SSL-DOS differs from traditional DDoS tools in that it does not rely on bandwidth: a single computer is enough to carry out the attack. Command: thc-ssl-dos -l 500 <target IP> 443 --accept

Network stress testing tool

dhcpig is a stress test that exhausts the DHCP address pool. A DHCP server automatically assigns IP addresses to computers that newly join the intranet; dhcpig uses Scapy to forge a large number of MAC addresses, obtains a lease from the DHCP server for each of them, and so uses up every address the server can hand out. Computers that join the network afterwards can no longer obtain an IP address and therefore cannot reach the Internet.

The macof tool performs MAC flooding attacks. A switch's MAC address table has limited space; once it is filled with forged MAC addresses the switch reports an error and enters an abnormal state in which it forwards received frames to all ports as broadcasts, so that the traffic can be captured with a packet-capture tool.
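Both dhcpig and macof leave the same footprint on the defender's side: a burst of never-before-seen MAC addresses in a short time. As an added example that is not part of the original notes, the detector below reads DHCP server log lines (dnsmasq-dhcp syslog style is an assumption; the sample lines are constructed, not captured) and raises one alert when more than a threshold of distinct client MACs send DHCPDISCOVER within a sliding window, and another when the server reports that its pool is empty.

```python
import re
from datetime import datetime

# Constructed sample in dnsmasq-dhcp syslog style (not a real capture):
# two normal clients, then 40 DISCOVERs from forged MACs within one minute,
# ending with the server reporting that its pool is exhausted.
NORMAL = [
    "Apr 20 10:00:01 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 52:54:00:aa:00:01",
    "Apr 20 10:00:01 gw dnsmasq-dhcp[812]: DHCPOFFER(eth0) 192.168.1.50 52:54:00:aa:00:01",
    "Apr 20 10:05:30 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 52:54:00:aa:00:02",
]
FLOOD = [f"Apr 20 10:30:{i:02d} gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 00:16:3e:{i:02x}:{i:02x}:{i:02x}"
         for i in range(40)]
EXHAUSTED = "Apr 20 10:30:45 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 00:16:3e:ff:ff:ff no address available"
SAMPLE_LOG = "\n".join(NORMAL + FLOOD + [EXHAUSTED])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPDISCOVER\((?P<iface>\w+)\) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?P<rest>.*)$")

def parse_discovers(log_text):
    """Yield (timestamp, interface, mac, pool_exhausted) for each DHCPDISCOVER line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["iface"], m["mac"].lower(), "no address available" in m["rest"]

def detect_starvation(log_text, window_s=60, max_macs=20):
    """Alert once per interface when more than max_macs distinct client MACs
    send DISCOVER within window_s seconds ("mac churn"), and once when the
    server reports an empty pool. Returns [(iface, reason, distinct_macs)]."""
    alerts, fired, recent = [], set(), {}
    for ts, iface, mac, exhausted in parse_discovers(log_text):
        hist = recent.setdefault(iface, [])
        hist.append((ts, mac))
        # keep only the requests inside the sliding window ending at this line
        hist[:] = [(t, m) for t, m in hist if (ts - t).total_seconds() <= window_s]
        distinct = len({m for _, m in hist})
        for reason, hit in (("mac churn", distinct > max_macs), ("pool exhausted", exhausted)):
            if hit and (iface, reason) not in fired:
                fired.add((iface, reason))
                alerts.append((iface, reason, distinct))
    return alerts

if __name__ == "__main__":
    for iface, reason, n in detect_starvation(SAMPLE_LOG):
        print(f"{iface}: {reason} ({n} distinct MACs in the last minute)")
```

The same distinct-source-count logic applied to frames per switch port is what port-security limits enforce against macof.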

Siege simulates concurrent access to a web site by a configured number of users, records the response time of every request made by each user, and repeats the run at a given concurrency level.

T50 is a powerful packet injection tool for Unix systems that can inject packets of many protocols; it is the only such tool that supports the GRE encapsulation protocol.

Data forensics tools

PDF Forensics Tools

peepdf is a PDF file analysis tool written in Python that can detect malicious PDF files.

Anti-Digital Forensics

chkrootkit is a tool for finding and detecting rootkit backdoors on Linux systems.

Memory Forensics Tool

Volatility is an open source memory forensics framework for Windows, Linux, Mac and Android. From a captured memory image it can determine which programs were running on the system at the time of capture and recover other system data.

For details, see the use of Volatility, a memory forensics tool under Linux.

Forensic carving tools

binwalk is a firmware analysis tool designed to assist researchers in firmware analysis, extraction and reverse engineering.

Forensic Hash Verification Toolset

Mainly used for hash verification, for example hashing a downloaded file, computing its MD5 value and comparing it with the MD5 value published on the official website to determine whether the file has been tampered with (for instance, had a backdoor implanted).

  • md5deep can compute hashes of files in batch and compare them against a list of known hash values
  • rahash2 can quickly hash, encrypt or decrypt whole files, selected blocks, strings and so on
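The download-verification procedure above, as an added example that is not part of the original notes and not md5deep's own code: it parses a vendor hash list in the md5deep output layout (one `<hash>  <filename>` pair per line, two-space separator, which is assumed here), hashes each listed file in chunks and reports clean, mismatched and missing files. The scenario data is constructed in a temporary directory; MD5 is used to match the text, but the `algo` parameter accepts `sha256` where the publisher provides it.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="md5", chunk=1 << 16):
    """Hash a file in chunks so large downloads do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_hash_list(text):
    """Parse md5deep-style lines ('<hash>  <filename>', two-space separator)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, name = line.partition("  ")
            expected[name.strip()] = digest.lower()
    return expected

def verify(directory, hash_list_text, algo="md5"):
    """Compare every listed file against its published digest.
    Returns {filename: 'ok' | 'MISMATCH' | 'missing'}."""
    result = {}
    for name, digest in parse_hash_list(hash_list_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        else:
            result[name] = "ok" if file_digest(path, algo) == digest else "MISMATCH"
    return result

def demo():
    """Constructed scenario: a clean file, a file with bytes appended after
    the list was published, and a listed file that is absent."""
    release, plugin = b"tool v1.0 release build\n", b"plugin v1.0\n"
    hash_list = "\n".join([
        "# md5deep -r output published by the vendor (constructed)",
        f"{hashlib.md5(release).hexdigest()}  tool.bin",
        f"{hashlib.md5(plugin).hexdigest()}  plugin.bin",
        f"{hashlib.md5(b'docs').hexdigest()}  README",
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "tool.bin"), "wb") as f:
            f.write(release)
        with open(os.path.join(d, "plugin.bin"), "wb") as f:
            f.write(plugin + b"<appended bytes>")  # modified after the list was made
        return verify(d, hash_list)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```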

Digital Forensics Suite

Autopsy is a digital forensics platform with a browser-based interface, reached on local port 9999.

DFF is a digital forensics assistant with a flexible module system covering a range of functions, including recovering files lost through errors or crashes and examining and analysing evidence. DFF provides a robust architecture and a collection of useful modules.

Forensic Image Toolset

Mainly used for forensic analysis of disk image files, for example the mmstat and mmls commands.

Reporting Tools and System Services

1. Dradis is a standalone web application that opens automatically in the browser at https://127.0.0.1:3004. Set a password, then log in with any user name to enter the Dradis framework.

2. Media capture tools include CutyCapt (saves web page content as an image) and recordMyDesktop (screen recording).

3. Evidence management: Maltego

4. MagicTree helps penetration testers merge and query data, run external commands (for example calling nmap directly and importing the scan results straight into the tree) and generate reports; all data is stored in a tree structure.

5. TrueCrypt: free and open source encryption software that supports Windows, OS X, Linux and other operating systems.

6. The system services directory mainly makes it convenient to start or stop services promptly; typing service <service name> start or service <service name> stop at the command line achieves the same effect.

Textbook notes

1. Malicious code security attack and defense

1. Definition and classification of malicious code: computer virus, worm, malicious mobile code, backdoor, Trojan horse, bot, rootkit, and combined (fused) malicious code.

2. Rootkit: user-mode rootkits and kernel-mode rootkits. Kernel-mode rootkits include Linux kernel-mode rootkits and Windows kernel-mode rootkits.

3. Malicious code analysis method:

  • Overview of malicious code analysis techniques: static analysis and dynamic analysis
  • Malicious code analysis environments: an analysis environment for malicious code hobbyists, a virtualization-based malicious code analysis environment, an automated malicious code analysis environment for research
  • Malicious code static analysis techniques: anti-virus scanning, file format identification, string extraction and analysis, binary structure analysis, disassembly, decompilation, code structure and logic analysis, packer identification, unpacking
  • Malicious code dynamic analysis techniques: snapshot-comparison methods and tools, system dynamic behaviour monitoring (file behaviour monitors, process behaviour monitors, registry monitors, local network stack behaviour monitors), network protocol stack monitoring, sandbox technology, dynamic debugging

2. Buffer overflow and Shellcode

1. The three elements of the software security dilemma are complexity, extensibility and connectivity. Technically, software security vulnerabilities are classified into memory safety violations, input validation, race conditions, and privilege confusion and escalation.

2. Basic concept of buffer overflow: a type of memory safety violation in computer programs. When a program writes data into a buffer beyond the buffer's capacity, the excess data overwrites legitimate data in the adjacent memory, which can alter the program's execution flow and compromise the integrity of the system.

3. Buffer overflows are classified by where they occur in the process memory space: stack overflow, heap overflow and kernel overflow.

4. Defences against buffer overflow attacks generally fall into three groups: techniques that try to prevent the overflow itself, techniques that allow the overflow but prevent it from changing the program's execution flow, and techniques that prevent the injected attack code from being executed.

