20179301 "Network Attack and Defense Practice" Week 9 Homework

a. Textbook learning: Chapters 9 and 10

1. Chapter 9 Learning

1.1 Basic knowledge of malicious code

Malicious code definition:

Malicious code (Unwanted Code) refers to code that serves no useful purpose but brings danger. The safest definition is to treat all unneeded code as malicious. Unwanted code has a broader meaning than malicious code and covers all software that may conflict with an organization's security policy. The types of malicious code can be divided into: computer viruses, worms, malicious mobile code, backdoors, Trojans, botnets, and rootkits (kernel suites).

Computer viruses:

A computer virus is a program, a piece of executable code. Like a biological virus, a computer virus has a unique ability to replicate. Computer viruses can spread quickly and are often difficult to eradicate. They can attach themselves to many types of files, and when files are copied or transferred from one user to another they spread along with them. Beyond the ability to replicate, some computer viruses share another characteristic: an infected program can carry a virus vector. Even when such a vector appears to be nothing more than words and images, it may also have corrupted files, reformatted your hard drive, or caused other kinds of disaster. A virus that does not reside in an infected program can still cause trouble by taking up storage space and reducing the overall performance of your computer.

The basic characteristics of computer viruses: infectious, latent, triggerable, destructive, derivative.

Network Worms:

Worms are a common type of computer virus. They reproduce and spread by means of the network, travelling over network connections and e-mail. The name dates from the DOS era: when the virus triggered, a worm-like shape would appear on the screen, devouring the letters on the screen and reshaping them.

The structure of a network worm can be divided into: warhead, propagation engine, target selection algorithm and scanning engine, and payload.

Backdoors and Trojans:

Backdoors generally refer to program methods that bypass security controls to gain access to a program or system. During the development phase of software, programmers often create backdoors within the software so that flaws in the program design can be corrected. However, if these backdoors become known to others, or are not removed before the software is released, they become a security risk that hackers can easily exploit as a vulnerability. Backdoor programs, also known as Trojan horses, are used to lurk in computers to collect information or to facilitate the hacker's entry. The biggest difference between backdoor programs and computer viruses is that backdoor programs do not necessarily replicate themselves, that is, they do not necessarily "infect" other computers. A backdoor is a method of logging into a system that not only bypasses the system's existing security settings but also defeats the various enhanced security settings on the system.

Bots and Botnets:

A botnet is a one-to-many controllable network formed between the controller and the infected hosts when an attacker infects a large number of hosts with a bot program (bot) through one or more means of propagation. Attackers spread bots in various ways to infect a large number of hosts on the Internet, and the infected hosts receive the attacker's instructions through a control channel, forming the botnet. The name "botnet" (zombie network) is used to make the character of this harm vivid: many computers are, without their owners' knowledge, driven and directed by others, like the zombies of ancient Chinese legend, and have become tools in other people's hands.

1.2 Malicious code analysis method

The technical methods of malicious code analysis mainly include static analysis and dynamic analysis. Static analysis methods include anti-virus software scanning, binary structure analysis, disassembly and decompilation, and code structure and logic analysis; dynamic analysis methods include system dynamic behavior monitoring, network protocol stack monitoring, sandboxing, and dynamic debugging.

Malicious code static analysis techniques include: anti-virus software scanning, file format recognition, string extraction and analysis, binary structure analysis, disassembly, decompilation, code structure and logic analysis, packer identification and code unpacking.

Malicious code dynamic analysis techniques include: snapshot comparison, system dynamic behavior monitoring, network protocol stack monitoring, sandboxing, and dynamic debugging.

2. Chapter 10 Learning

2.1 The concept of buffer overflow

A buffer overflow occurs when the computer fills a buffer with more data than the buffer itself can hold, so that the overflowed data overwrites the legitimate data next to it. Ideally the program checks the data length and does not allow the input to exceed the buffer length, but most programs assume that the data length always matches the allocated storage space, which creates the potential for a buffer overflow. The buffer used by the operating system is also called the "stack". Between operations, instructions are temporarily stored on the "stack", and the "stack" can also suffer a buffer overflow.

2.2 Stack Overflow and Shellcode on Linux Platform

Stack overflow attack techniques on the Linux platform can be divided into three modes according to how the attack data is constructed: NSR, RNS and RS.

2.3 Defense Techniques for Buffer Overflow Attacks

The methods of dealing with buffer overflow can be divided into defense techniques that try to prevent the overflow, defense techniques that allow the overflow but do not allow the program's execution flow to be changed, and defense techniques that prevent the attack code from executing.
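As an added illustration of the overflow described in 2.1 and of the first defense class above (a length check before copying), the following C program is not from the textbook: it models a buffer with a legitimate variable stored right behind it, and the frame layout, the neighbor value and the function names are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model (not the textbook's code): a flat byte array stands in for
 * a stack frame, with an 8-byte input buffer immediately followed by a
 * legitimate 4-byte variable. All writes stay inside the array, so the
 * demonstration is well-defined C rather than real undefined behaviour. */
#define BUF_LEN   8                  /* declared size of the input buffer    */
#define FRAME_LEN 64                 /* model memory; keep inputs shorter    */
static unsigned char frame[FRAME_LEN];
static const uint32_t LEGIT = 0x11111111u;   /* constructed neighbor value  */

static void reset_frame(void) {      /* empty buffer, neighbor at BUF_LEN    */
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_LEN, &LEGIT, sizeof LEGIT);
}
static uint32_t neighbor(void) {     /* read the neighbor back, byte-exact   */
    uint32_t v;
    memcpy(&v, frame + BUF_LEN, sizeof v);
    return v;
}

/* The defense: input must fit together with its terminating NUL. */
int input_fits(const char *input) { return strlen(input) < BUF_LEN; }

/* Unchecked copy: assumes the data always matches the allocated space, so a
 * long input runs past BUF_LEN and overwrites the legitimate neighbor. */
uint32_t fill_unchecked(const char *input) {
    reset_frame();
    memcpy(frame, input, strlen(input) + 1);
    return neighbor();
}

/* Checked copy: the length test runs first, so the neighbor is never touched. */
uint32_t fill_checked(const char *input) {
    reset_frame();
    if (input_fits(input))
        memcpy(frame, input, strlen(input) + 1);
    return neighbor();
}

int main(void) {
    const char *ok  = "hello";              /* 5 chars + NUL: fits           */
    const char *big = "AAAAAAAABBBBCCCC";   /* 16 chars: bytes 8..11 are 'B' */
    printf("unchecked/short: %08x\n", (unsigned)fill_unchecked(ok));
    printf("unchecked/long : %08x\n", (unsigned)fill_unchecked(big));  /* 42424242 */
    printf("checked/long   : %08x fits=%d\n", (unsigned)fill_checked(big), input_fits(big));
    return 0;
}
```

With the long input the unchecked copy turns the neighbor into 0x42424242 (four 'B' bytes), while the checked copy leaves it at 0x11111111 because the input was rejected before any byte was written.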

b. Kali video learning

1. KaliSecurity - Stress Testing Tools

Stress testing determines the maximum service level a system can provide by identifying its bottlenecks or the points at which its performance becomes unacceptable. In layman's terms, stress testing discovers under what conditions an application's performance becomes unacceptable.

1. VoIP stress testing tools
These include iaxflood and inviteflood.

2. Web stress test
With the THC-SSL-DOS attack tool, anyone can knock offline a website that offers SSL secure connections. This attack method is called an SSL denial of service attack. The German hacker group "The Hacker's Choice" released THC SSL DOS, which exploits known weaknesses in SSL to consume server resources quickly. Unlike traditional DDoS tools, it does not require much bandwidth, only a single computer carrying out the attack.
The weakness lies in the protocol's renegotiation process; renegotiation is used for authentication between the browser and the server.

3. dhcpig
A stress test that exhausts the DHCP resource pool.

4. IPv6 attack toolkit

5. Inundator
An IDS/IPS/WAF and firewall stress testing tool that exhausts the target's authentication resources.

6. Macof
Can perform flooding attacks.

7. Siege
A stress testing and evaluation tool designed for web developers to evaluate how well an application withstands load. According to its configuration it can simulate many users accessing a web site concurrently, records the response time of every request made by each user, and repeats the run with a given number of concurrent accesses. Data analysis is performed while the test is running.

8. T50 Stress Test
T50 Sukhoi PAK FA Mixed Packet Injector is a powerful stress test tool with a distinctive packet injection capability. T50 supports packet injection for multiple protocols on Unix systems, currently 15 protocols.

9. Wireless stress testing
mdk3 and reaver

2. Digital forensics tools

Digital forensics technology applies computer investigation and analysis techniques to identifying and acquiring potential, legally admissible electronic evidence. Like the tools above, these are all aimed at hackers and intrusions, all for the purpose of safeguarding network security.

1. PDF forensics tool

peepdf is a PDF file analysis tool written in Python that can detect malicious PDF files. Its design goal is to give security researchers all the components that may be needed in PDF analysis in one place, without having to use three or four different tools to accomplish a single task.

2. Anti-digital forensics chkrootkit

A tool for finding and detecting rootkit backdoors on Linux systems. Running this command checks whether the system has been backdoored.

3. Memory forensics tools

An open source memory forensics analysis tool for Windows, Linux, Mac and Android, written in Python and operated from the command line; it supports a variety of operating systems.

4. Forensic segmentation tool binwalk

binwalk is a firmware analysis tool designed to assist researchers in analysing, extracting and reverse engineering firmware. It is easy to use, fully scriptable, and can be extended through custom signatures, extraction rules and plugin modules. More importantly, one of its most powerful functions is extracting hidden files embedded within a file and analysing the file format.

5. Forensic Hash Verification Toolset

md5deep is a set of cross-platform programs that compute and compare message digests such as MD5, SHA-1, SHA-256, Tiger and Whirlpool.

6. Forensic image toolset

Forensics tools for disk image files, such as the mmstat and mmls commands.

7. Digital Forensics Suite

dff is a simple and powerful aid for digital forensics work. It has a flexible module system with a variety of functions, including recovery of files lost to errors or crashes and research and analysis of evidence; dff provides a powerful architecture and a number of useful modules.
autopsy provides a browser-based console.

3. KaliSecurity - Reporting Tools and System Services

A complete penetration test always ends with a well-presented report as its summary. Kali also provides a related set of reporting tools.

1. Dradis
An information sharing framework for improving the efficiency of security assessments. It provides a centralized information repository for recording the work done so far and the next steps.

2. Keepnote

A very streamlined note-taking application with the following features:

Rich text formatting: colored fonts, embedded pictures, hyperlinks (i.e. complete content such as graphics and text that can save an entire web page)
Tree-like hierarchical organization of content into categories, visible at a glance
Full-text search
Integrated screenshots: after taking a screenshot you can insert it directly into the notebook
File attachments
Integrated backup and restore
Spell check
Auto save
Built-in backup and restore (zip file archive)
Save the content of a web page as a picture

4. Recordmydesktop
Screen recording tool, used to record the desktop.

5. Maltego Casefile

6. MagicTree
A tool for penetration testers that helps you easily and directly merge data, run queries, execute external commands, and generate reports. All data is stored in a tree structure, which is very convenient.

7. Truecrypt
A free and open source encryption program that supports Windows Vista/7/XP, Mac OS X, Linux and other operating systems.

8. Introduction to system services

BeEF: start and stop the XSS testing framework BeEF
Dradis: start and stop the notebook sharing service
HTTP: start and stop Kali's local web service
Metasploit: start and stop the Metasploit service
MySQL: start and stop the MySQL service
openvas: start and stop the OpenVAS scanner service
SSH: start and stop the SSH service
