2018-5-6 Ninth week homework


9.1 Malicious code basics

Malicious code is a set of instructions that causes a computer to execute actions of the attacker's choosing in order to achieve a malicious goal. Malicious code can be classified into computer viruses, worms, malicious mobile code, Trojans, backdoors, bots, rootkits, etc.
A computer virus is self-replicating code that infects by embedding itself in other programs, and usually requires human intervention to spread. The basic characteristics of computer viruses are: infectious, latent, triggerable, destructive and derivative. Its potential infection targets fall into three categories: executable files, boot sectors, and data files that support macro instructions. The transmission channels of computer viruses include mobile devices, e-mail and downloads, shared directories, etc.
A network worm is malicious code that spreads autonomously through the network. By definition, a worm is code that can replicate itself and propagate over the network, usually without human intervention. Precisely because of this defining characteristic of rapid, active propagation, worms can paralyze and damage the entire Internet, which is why they are also called "the plague of the Internet era". Basic feature: self-propagation through the network.
Backdoors and Trojans are two technical forms of malicious code that are often confused. A backdoor is a program that allows an attacker to bypass the system's conventional security control mechanisms and provides an access channel according to the attacker's own intentions. Trojan is short for Trojan horse, and refers to a class of programs that appear to have a useful or benign purpose but actually conceal hidden malicious functionality.

9.2 Malicious code analysis methods

Code analysis, or program analysis, is the process of using certain rules, methods and tools to analyze computer programs as required in order to derive program structure, data flow and program behavior. Program analysis techniques have important applications in program understanding, program testing, program optimization and program refactoring. Malicious code analysis uses a series of program analysis techniques and methods to identify the key program structure and behavior characteristics of malicious code. The analysis of both malicious and benign code can be based on general code analysis techniques, including dynamic analysis and static analysis, to reverse engineer the code and determine its function. A fully controlled, easy-to-build and recoverable analysis environment is a must for malicious code analysis practice.
In the malicious code analysis network segment, the system has four main types of automated malicious code analysis components: the static analysis machine, the dynamic analysis machine, the network analysis machine and the comprehensive analysis machine.
Static analysis: static analysis methods give a general understanding of the characteristics and purpose of malicious code and can even identify its individual components; dynamic analysis, by contrast, actually runs the code in a controlled experimental environment, and observing the code running in a real system lets us understand its behavior more quickly. The main technical means of static analysis of malicious code include anti-virus software scanning, file format identification, string extraction analysis, binary structure analysis, disassembly, decompilation, code structure and logic analysis, and packing identification and unpacking. The most direct way to analyze malicious code is to scan the sample with off-the-shelf anti-virus software to determine whether the software recognizes the sample, and if so the identified type, family, variant and other information. When faced with an unknown malicious code sample file, the first step is to identify its file format. On Windows platforms, binary executables (EXE and DLL) are organized in the PE file format, while on Linux the executable file format is ELF. The extracted strings may contain the following information: the malicious code instance name, help text or command line options, user session information, backdoor passwords, related URLs and e-mail addresses, and the names of included library files and function calls. The command-line tool for string extraction on UNIX-like platforms is strings; the strip tool, by contrast, deletes all non-executable marker information from a binary.
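As an added example (not code from the original post), the following Python script performs the first two static analysis steps described above on a constructed sample: it identifies the file format from the magic bytes (PE or ELF) and extracts printable strings the way the strings tool does, then sorts them into the categories the text lists (URLs, e-mail addresses, library names). The sample bytes are constructed for the demonstration, not a real malware file.

```python
import re

MIN_LEN = 4  # same default minimum run length as the Unix `strings` tool


def identify_format(data: bytes) -> str:
    """Identify an executable's container format from its magic bytes."""
    if data[:2] == b"MZ":
        return "PE"       # Windows EXE/DLL: PE files start with the MZ header
    if data[:4] == b"\x7fELF":
        return "ELF"      # Linux executables
    return "unknown"


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return runs of at least min_len printable ASCII bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


URL_RE = re.compile(r"https?://[^\s\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DLL_RE = re.compile(r"\b\w+\.dll\b", re.IGNORECASE)


def triage(data: bytes) -> dict:
    """Group the extracted strings into the indicator categories the text lists."""
    result = {"format": identify_format(data),
              "urls": [], "emails": [], "dlls": [], "other": []}
    for s in extract_strings(data):
        if URL_RE.search(s):
            result["urls"].append(s)
        elif EMAIL_RE.search(s):
            result["emails"].append(s)
        elif DLL_RE.search(s):
            result["dlls"].append(s)
        else:
            result["other"].append(s)
    return result


# Constructed sample: a fake MZ header followed by NUL-separated embedded strings.
# "ab" is shorter than MIN_LEN and is dropped, as `strings` would drop it.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"http://example.invalid/update\x00" + b"KERNEL32.dll\x00"
          + b"ab\x00" + b"user@example.invalid\x00" + b"--port\x00")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```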
Dynamic analysis: the main technical means of malicious code dynamic analysis include snapshot comparison, system dynamic behavior monitoring, network protocol stack monitoring, sandboxes, dynamic debugging, etc. Snapshot comparison is the easiest way to monitor the dynamic running behavior of malicious code. Tools and software for snapshot comparison include RegSnap, Perfect Uninstall, etc.
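As an added example (not code from the original post, and not the RegSnap tool itself), here is the snapshot comparison technique described above implemented for a directory tree: a snapshot maps every file to its SHA-256 digest, and comparing the snapshot taken before a sample runs with the one taken afterwards reveals which files were added, removed or modified. The demo uses a scratch directory and simulates the sample's changes by hand; it covers files only, not the registry.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            snap[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def compare(before: dict, after: dict) -> dict:
    """Diff two snapshots: files added, files removed, and files whose content changed."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a scratch directory, simulate the changes a
    sample might make while running (constructed, not real malware), then diff."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "config.ini").write_text("autostart=0\n")
        Path(root, "readme.txt").write_text("hello\n")
        before = snapshot(root)
        # simulated behaviour of the sample under observation
        Path(root, "config.ini").write_text("autostart=1\n")       # modified
        Path(root, "readme.txt").unlink()                           # removed
        Path(root, "svc").mkdir()
        Path(root, "svc", "dropped.bin").write_bytes(b"\x00\x01")  # added
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```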


Kali Stress Testing Tool
Stress testing measures the maximum service level a system can provide by identifying the system's bottlenecks or the points at which its performance becomes unacceptable. In layman's terms, stress testing finds out at what load an application's performance becomes unacceptable.
The stress testing tools under Kali include VoIP stress testing, Web stress testing, network stress testing and wireless stress testing.
1. VoIP stress testing tools, including iaxflood and inviteflood
2. Web stress testing tool: THC-SSL-DOS
With the THC-SSL-DOS attack tool, anyone can take websites that provide SSL secure connections offline. This attack method is called an SSL denial of service attack (SSL-DOS). The German hacker group THC released THC-SSL-DOS, which exploits known weaknesses in SSL to quickly consume server resources. Unlike traditional DDoS tools it requires no bandwidth: a single computer is enough to carry out the attack. The weakness lies in the protocol's renegotiation process, which is used for authentication between the browser and the server.
3. Network stress testing tool dhcpig: a stress test that exhausts the DHCP resource pool
4. ipv6 attack toolkit
5. Inundator: IDS/IPS/WAF stress testing tool
6. Macof: can perform flood attacks
7. A Web evaluation tool designed for Web development: it evaluates an application's ability to withstand load by having multiple users access a Web site concurrently according to the configuration, records the response time of every request of each user, and repeats this for a configured number of concurrent accesses.
8. T50 stress test
T50 is powerful and has a unique packet injection tool; it supports *nix systems, can perform multi-protocol packet injection, and currently supports 15 protocols.
9. Wireless stress testing
Including MDK3 and Reaver
(37) Digital forensics tools
Digital forensics technology applies computer investigation and analysis techniques to identifying and acquiring potential, legally valid electronic evidence. Like the tools above, these tools are aimed at hackers and intrusions, and their purpose is to ensure network security.
1. PDF forensics tools
pdf-parser and peepdf
peepdf is a PDF file analysis tool written in Python that can detect malicious PDF files. Its design goal is to provide security researchers with all the components that may be needed in PDF analysis.
2. Anti-digital forensics chkrootkit
Finds rootkit backdoors on Linux systems. A powerful tool for judging whether a rootkit has been implanted in a system.
3. Memory forensics tool
Volatility is an open-source memory forensics analysis tool for Windows, Linux, Mac and Android. It is written in Python, operates from the command line, and supports various operating systems.
4. Forensic analysis tool binwalk
Binwalk is a firmware analysis tool designed to assist researchers in firmware analysis, extraction and reverse engineering. It is simple to use, fully scriptable, and easily extensible with custom signatures, extraction rules and plugin modules. More importantly, binwalk has a very powerful function: extracting files (or content) hidden inside other files, such as archives. It can also analyze file formats.
Analyze an archive: binwalk *.zip
binwalk -e *.zip extracts all the files into a newly generated directory _zip.zip.extracted; binwalk can also be used as a file format analysis tool.
5. Forensic hash verification tool set
md5deep is a cross-platform toolset that can compute and compare message digests such as MD5, SHA-1, SHA-256, Tiger and Whirlpool.
6. Forensic image tool set
Forensic tools for image files, such as the mmstat and mmls commands.
7. Digital forensics suite
Digital forensics tools: autopsy and DFF. DFF (Digital Forensics Framework) is a simple but powerful aid for digital forensics work; it has a flexible module system with multiple functions, including recovering files lost through errors or crashes, and researching and analyzing evidence. DFF provides a powerful architecture and a list of useful modules.
Anti-digital forensics: chkrootkit
(38) Kali reporting tools and system services
A complete penetration test should end with a summary report. Correspondingly, Kali Linux has prepared a reporting tool set for security engineers.
System services
1. Dradis
Dradis is an information sharing framework (collaboration platform) used to improve the efficiency of security testing. Dradis provides a centralized repository of information to record what we have done so far and what we plan to do next. It offers browser-based online note taking.
2. Keepnote is a streamlined notebook software with the following features:
Rich text format: color fonts, built-in pictures, hyperlinks, and can save complete content such as web page pictures and texts.
The content is organized hierarchically in a tree-like manner, categorized into categories, and clear at a glance.
Full-text search
Integrated screenshots
File attachments
Integrated backup and restore
Spell check (via gtkspell)
Auto-save
Built-in backup and restore (zip file archive)
3. Media capture tool CutyCapt
A tool, introduced earlier, that captures web page content as an image and saves it.
4. Recordmydesktop
screen recording tool
5. Evidence management
Maltego Casefile
6. MagicTree is a tool for penetration testers that helps with data merging, querying, external command execution (such as calling nmap directly) and report generation. All data is stored in a tree structure, which is very convenient.
7. TrueCrypt is free and open source encryption software that supports Windows, Mac OS, Linux and other operating systems.
8. System service introduction
BeEF: corresponding to the startup and shutdown of XSS testing framework BeEF;
Dradis: corresponding to the startup and shutdown of the note sharing service Dradis;
HTTP: corresponding to the startup and shutdown of Kali's native Web service;
Metasploit: corresponding to the startup and shutdown of the Metasploit service;
Mysql: corresponding to the startup and shutdown of the MySQL service;
Openvas: corresponding to the startup and shutdown of the OpenVAS service;
SSH: corresponding to the startup and shutdown of the SSH service (it is best not to enable remote connections).
