Fundamentals of Network Attack and Defense (Review)

15671020:


Chapter 1 Overview of Software and System Security

Network security : refers to the protection of the hardware and software of the network information system and the data in the system from accidental or malicious damage, change, or leakage, so that the system can operate continuously, reliably, and normally, and the service will not be interrupted.

  • Narrow interpretation : security of information processing and transmission
  • Broad interpretation : the hardware and software of the network system and the information in the system are protected

Network Security Type:

  • System security : focus on ensuring the security of information processing and transmission systems
  • Cybersecurity : The security of information systems on the Internet, including user password identification, user access authority control, data access authority and mode control, security audit, tracking, computer virus prevention and control, data encryption, etc.
  • Information dissemination security : focuses on preventing and controlling the consequences of the dissemination of illegal and harmful information.
  • Information content security : focuses on protecting the confidentiality, authenticity and integrity of information.

The main body of network security:

  • Data security : software and hardware protection measures to prevent unauthorized disclosure, transfer, modification and destruction of data, etc.
  • Communication security : Communication protection measures, requiring confidentiality security, transmission security, radiation security and other measures in communication

The core of network attack and defense:

  • Attack : Exploitation
  • Defense : Bugfixes

The security vulnerability of the information system itself : the vulnerability of the operating system, the vulnerability of the computer system, and the vulnerability of the network communication protocol

Security threats faced by information systems : information leakage, integrity damage, denial of service, unauthorized access

Major methods of threatening information systems : impersonation, bypassing control, breach of information integrity, breach of system availability, replay, interception and radiation detection, trapdoors, Trojan horses, repudiation

Classification of cyber attacks:

  • According to the type of attack : active attack, passive attack
  • According to the attack location : remote attack, local attack, pseudo remote attack

Chapter 2 Scanning and Defense Technology

2.1 Overview of Scanning Technology

Scanner : A program that automatically detects security weaknesses on remote or local hosts. It is both an effective tool for system administrators to secure their systems and an important means for network intruders to collect information, so it is a double-edged sword.

Main functions of Network Scanner:

  • Scan the target host to identify its working status (on/off)
  • Identify the state of the target host port (listening/closed)
  • Identify the type and version of the target host operating system
  • Identify the type and version of the target host service program
  • Analyze the vulnerability (vulnerability) of the target host and target network
  • Generate scan result report

Three stages of scanning:

  • Stage 1 : Discover the target host or network (Ping scan)
  • Stage 2 : After discovering the target, collect further information about it: the operating system, the running services and their versions. If the target is a network, the network topology, its routing devices and information about each host can be discovered further (OS scanning, firewall penetration scanning, port scanning)
  • Stage 3 : Judge, or further test, whether security vulnerabilities exist in the system based on the collected information (vulnerability scanning)

Scanning tool or command:

  • Host detection: ping
  • Port detection: nmap
  • Vulnerability Detection: Nessus

2.2 Common Scanning Techniques

  • Common network commands:

    1. ping command

      The ping command verifies connectivity with a remote or local computer by sending ICMP echo request messages to it and monitoring the echo replies that come back.

    2. Traceroute

      Traces the path between two machines, displaying information about every node in between. This tool can be used to determine the location of a host .
      The traceroute command is intended for use in network testing, assessment, and management . It should be used primarily for manual fault isolation.

    3. x-firewalk

      Can view routing information

    4. net use

      Many Windows network commands start with net. Many network management functions can be realized by using the commands beginning with net.
      net use is used to connect the computer to shared resources, or to cut off the connection between the computer and shared resources. When this command is used without options, it will list the connections of the computer.

  • host scan technology

    1. ICMP Echo scan
    2. ICMP Sweep scanning
    3. Broadcast ICMP scan
    4. Non-Echo ICMP scan
  • port scanning technology

    0-1023: Well-known ports, provided for use by specific services
    1024-49151: Registered ports, recorded and tracked by IANA
    49152-65535: Dynamic or dedicated ports, provided for dedicated applications

    1. Full scan

      The scanning host attempts to establish a normal connection (a complete three-way handshake) to a port on the target host.

    2. Half scan

      [Figure caption; image not preserved] TCP Connect port scan: the exchange when server and client fail to establish a connection (target port closed)

    3. secret scan

      • TCP FIN scanning
        A closed port will return an RST, and an open port will not reply
      • SYN | ACK scanning
        A closed port will return an RST, and an open port will not reply
      • ACK scan
        Method 1: If the TTL value of the returned RST packet is less than or equal to 64, the port is open, otherwise the port is closed.
        Method 2: If the WINDOW value of the returned RST packet is non-zero, the port is open, otherwise the port is closed.
    4. authentication scan

    5. FTP proxy scan

      The scanning host first establishes a control connection to an FTP server that supports proxying, then uses the PORT command to tell the FTP server the IP address and port number of the target machine to be scanned: the IP address is the destination of the proxied transfer and the port number is the passive port required for the transfer. It then sends the LIST command, whereupon the FTP server tries to open a data connection to the specified port of the target host.

  • Remote host OS fingerprinting

    1. Active Protocol Stack Fingerprinting

      • FIN detection
      • ISN sampling detection
      • Don't Fragment bit detection
      • TCP initial window size detection
      • ACK value detection
      • ICMP Error Message Suppression
      • ICMP Error Message Echo Integrity
      • TOS service type
      • fragment processing
    2. Passive Protocol Stack Fingerprinting

      • TTL value: the time-to-live the operating system sets on outbound packets
      • Window size: the TCP window size set by the operating system; this window size is an option included when sending FIN packets.
      • DF: You can check whether the operating system has set the no-fragmentation bit.
      • TOS: Whether the operating system has set the type of service.
  • vulnerability scan

    Two methods:

    • Vulnerability-database feature matching : After port scanning has revealed the ports opened by the target host and the network services on those ports, this information is matched against the vulnerability database provided by the network vulnerability scanning system to check whether any vulnerabilities meet the matching conditions.
    • Simulated attack : By imitating a hacker's attack means, an attack module is written and used to scan the target host system for exploitable security vulnerabilities, for example by testing for weak passwords. If the simulated attack succeeds, the target host system has a security vulnerability.

2.3 Scanning tools

https://zhcn.tenable.com/products/nessus
https://www.openvas.org/
https://nmap.org

  • SATAN
  • Nmap
    host scan, port scan, remote host OS identification
  • Nessus
    host scan, port scan, remote host OS identification, vulnerability scan
  • OpenVAS
    host scan, port scan, remote host OS identification, vulnerability scan
  • X-scan
    host scan, port scan, remote host OS identification, vulnerability scan

2.4 Defense against scanning

Protection against active scanning:

  1. Reduce open ports and do a good job of system protection
  2. Real-time monitoring and scanning, timely alarm
  3. Disguise as a well-known port to feed the scanner false information (information deception)

Protection against passive scanning:

information deception

Some specific methods:

  1. Listen on an uncommon port
  2. Capture packets in promiscuous mode and further analyze and judge
  3. Honeypot system
  4. Intrusion Detection System
  5. firewall
  6. audit
  7. Modify Banner

Some specific tools:

ProtectX: anti-hacking tool
Winetd and DTK: honeypot
Snort: lightweight network intrusion detection system
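
Added example (not from the original notes) for the "real-time monitoring and alarm" and "capture packets and analyse" items above: a small Python detector that reads connection records and flags a source that touches many ports on one host (vertical scan) or one port on many hosts (sweep) within a sliding window, labelling the probe type from the TCP flags named in 2.2. The traffic records, thresholds and flag-to-scan mapping are constructed for the example.

```python
"""Port-sweep / host-sweep detector over connection records (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0   # sliding window per source address
PORT_THRESHOLD = 15     # distinct ports on one target host -> vertical scan
HOST_THRESHOLD = 10     # distinct target hosts on one port -> horizontal sweep

# Flags of the first packet of a probe, mapped to the scan types named in 2.2.
# Constructed mapping for this example; real IDS rules are more elaborate.
SCAN_TYPE_BY_FLAGS = {
    "S": "SYN (full or half-open) scan",
    "F": "FIN scan",
    "SA": "SYN|ACK scan",
    "A": "ACK scan",
}


def build_sample_events():
    """Constructed sample traffic (not a real capture).
    Each record: (time_seconds, src_ip, dst_ip, dst_port, tcp_flags)."""
    events = [
        (0.0, "10.0.0.5", "10.0.0.20", 80, "S"),    # ordinary client
        (4.0, "10.0.0.5", "10.0.0.20", 443, "S"),
    ]
    # vertical scan: FIN probes against 20 ports of one host within 2 seconds
    for i in range(20):
        events.append((5.0 + i * 0.1, "10.0.0.66", "10.0.0.20", 1 + i, "F"))
    # horizontal sweep: SYN probes to port 445 on 12 different hosts
    for i in range(12):
        events.append((30.0 + i * 0.2, "10.0.0.77", f"10.0.1.{i + 1}", 445, "S"))
    return sorted(events)


def detect_scans(events, window=WINDOW_SECONDS,
                 port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return {src_ip: alert_dict} for sources that look like scanners.

    `events` must be sorted by time. For every source a deque keeps the probes
    seen within the last `window` seconds; probes are evicted from the front
    once they fall out of the window, then the distinct-port / distinct-host
    counts are recomputed. A source is reported once, at the first threshold hit.
    """
    recent = defaultdict(deque)   # src -> deque of (t, dst, dport, flags)
    alerts = {}
    for t, src, dst, dport, flags in events:
        q = recent[src]
        q.append((t, dst, dport, flags))
        while q and t - q[0][0] > window:
            q.popleft()
        if src in alerts:
            continue
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for _, d, p, _ in q:
            ports_per_host[d].add(p)
            hosts_per_port[p].add(d)
        for d, ports in ports_per_host.items():
            if src not in alerts and len(ports) >= port_threshold:
                alerts[src] = {"kind": "vertical", "target": d,
                               "count": len(ports), "flags": flags,
                               "scan": SCAN_TYPE_BY_FLAGS.get(flags, "unknown"),
                               "first_seen": q[0][0], "alert_time": t}
        for p, hosts in hosts_per_port.items():
            if src not in alerts and len(hosts) >= host_threshold:
                alerts[src] = {"kind": "horizontal", "target": f"port {p}",
                               "count": len(hosts), "flags": flags,
                               "scan": SCAN_TYPE_BY_FLAGS.get(flags, "unknown"),
                               "first_seen": q[0][0], "alert_time": t}
    return alerts


if __name__ == "__main__":
    for src, a in detect_scans(build_sample_events()).items():
        print(f"ALERT {src}: {a['kind']} {a['scan']} -> {a['target']} "
              f"({a['count']} distinct in window, first seen t={a['first_seen']})")
```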

Chapter 3 Network Monitoring and Defense Technology

3.1 Overview of network monitoring

Network monitoring technology is also called network sniffing (Network Sniffing); as the name implies, it is a technique for capturing another party's communication messages or content without that party being aware of it.

  • Four working modes of network card:

    • Broadcast mode : The network card in this mode can receive broadcast information in the network.
    • Multicast mode : The network card in this mode can receive multicast data.
    • Direct mode : In this mode, only the network card matching the destination MAC address can receive the data frame.
    • Promiscuous mode : In this mode, the network card can accept all received data frames, regardless of the destination MAC address.
  • Classification of network listeners:

    • Software sniffer : cheap and easy to use; the disadvantages are that its functions are often limited, it may not be able to capture all data transmitted on the network (such as fragments), and its efficiency is easily limited
    • Hardware sniffer : a protocol analyzer; its advantages are exactly what the software sniffer lacks (high processing speed), but it is expensive.
  • The main working mechanism of Sniffer software:

    • driver support
    • Packet Capture Filtering Mechanism

3.2 Monitoring technology

  • Shared LAN : A LAN built on a hub or a single shared bus, which uses carrier sense multiple access (CSMA) for transmission control.

    A shared LAN delivers data by broadcasting: because the hub cannot interpret frames, it does not know which port a frame received on one port should be forwarded to, so it sends the frame to every port except the source port. In this way, every host on the network receives these frames.

    Under normal circumstances the network card works in broadcast mode and direct mode , and a network interface (network card) should only respond to these two types of data frame:

    • A data frame whose destination matches its own MAC address (the destination address is the MAC address of a single host).
    • A broadcast frame sent to all machines (destination address FF:FF:FF:FF:FF:FF).
  • Monitoring of shared LAN: In a shared LAN, the hub will broadcast all data. At this time, if a host in the LAN sets the network card to promiscuous mode, it can receive all the data in the LAN.

  • Classification of packet filtering:

    Information filtering includes the following types: site filtering, protocol filtering, service filtering, and general filtering .

    According to the filtering time, it can be divided into two filtering methods: pre-capture filtering and post-capture filtering .

  • Related development libraries:

    • Unix system: libpcap
    • windows system: winpcap
  • Switched LAN : Switched Ethernet is a LAN built with switches or other non-broadcast switching devices. These devices decide which switch port a frame should be sent to based on the destination MAC address in the received frame. Because frame transmission between ports is isolated, a node need not worry that a frame it sends will be delivered to a non-destination node.

  • Monitoring of switched LAN:

    • Overflow attack (MAC flooding) :
      A working switch must maintain a table mapping MAC addresses to ports, but the memory holding this table is limited. If the switch is flooded with a large number of frames carrying forged MAC addresses, the table overflows; the switch then falls back to hub-like broadcasting and sends packets to all ports, after which monitoring is very easy.
    • ARP spoofing :
      Each computer maintains an IP-MAC correspondence table recording which MAC address belongs to which IP address; the table is continuously updated from ARP request and response packets. By spoofing ARP and altering the entries in this table, the attacker becomes a "man in the middle" between the victim and the switch, so that all packets in the switched LAN flow through the attacker's network card and can be analysed just as in a shared LAN.
  • Network monitoring tools:

    • Tcpdump/Windump
    • Nope
    • Ethereal/Wireshark
    • Sniffer Pro
    • NetXray

3.3 Defense against monitoring

  • General strategy:

    1. Secure network topology:
    • Network segmentation : divide the network into several small networks, where the hub of each segment connects to a switch (Switch); a packet can then only be intercepted by a network monitor inside its own segment, so the rest of the network (hosts not in the same segment) is protected. Three kinds of network device cannot be crossed by a sniffer: switches, routers, and bridges . We can segment the network by using these devices flexibly.
    • Divide VLANs : isolate unnecessary data transmission. Generally 20 workstations per group is a reasonable number. Network segmentation is only suitable for small and medium networks, and it requires expensive hardware.
    2. Data encryption technology:
    • Data channel encryption : SSH, VPN
    • Data content encryption : PGP
    3. Detection of possible network monitoring:
    • Ping with a wrong physical address: a machine running a listener will still respond.
    • Send a large number of packets with non-existent physical addresses onto the network: a listener must analyse and process all of them, which consumes a lot of CPU and degrades its performance; judge by comparing the machine's performance before and after. This method is harder to apply.
  • Anti-monitoring under shared network:

    1. Network and host response time test : The principle is that a network card in non-promiscuous mode provides a certain amount of hardware-level filtering, i.e. packets whose destination address is not local (except broadcast addresses) are discarded by the card. In this case a sudden increase in traffic whose destination address is not local has little impact on the operating system. A machine in promiscuous mode lacks this low-level filtering, so the same surge has a more obvious impact on it (the effect differs by operating system, kernel and user). The implementation uses ICMP ECHO requests and replies to compute a baseline and average response time for the machine under test.
    2. ARP detection : In promiscuous mode the network card does not block packets whose destination address is not its own; it accepts them as if they were addressed to it and passes them up to the system kernel, which then replies with a message. Based on this mechanism, we can send forged ARP request messages to each node on the network. A network card in promiscuous mode will not block them, so any node that responds has its network card in promiscuous mode and may be running a sniffer program.
  • Anti-monitoring under the switched network:

    1. Do not base the network security trust relationship on a single IP or MAC. The ideal relationship should be based on the IP-MAC correspondence.
    2. Use the static ARP or IP-MAC correspondence table instead of the dynamic ARP or IP-MAC correspondence table, prohibit automatic update, and use manual update.
    3. Regularly check ARP requests, and use ARP monitoring tools such as ARPWatch to monitor and detect ARP spoofing.
    4. Develop a good security management strategy to enhance user security awareness.
  • Prevent ARP spoofing:

    1. ARP packet detection measures
    2. ARP gateway filtering protection measures
    3. Rate Limiting Measures for ARP Packets

Chapter 4 Password Cracking and Defense Technology

4.1 History and current status of passwords

The role of passwords : provide the system with a mechanism to uniquely identify individuals, and only give individuals access to the information they need, so as to protect sensitive information and personal privacy.

4.2 Password cracking method

  • Password cracking method:

    1. Crack by hand

    Steps:
    (1) Generate a list of possible passwords
    (2) Sort the passwords from most likely to least likely
    (3) Manually enter each password in turn
    (4) If the system allows access, succeed
    (5) If not, retry with the next password
    (6) Be careful not to exceed the allowed number of attempts

    2. Automatic cracking
      As long as you get a copy of the encrypted passwords, you can crack them offline. This method takes a lot of work, because access to the system is required to obtain the copy of the encrypted passwords.

    Steps:
    (1) Find an available user ID
    (2) Find the encryption algorithm used
    (3) Obtain the encrypted passwords
    (4) Create a list of possible passwords
    (5) Encrypt each word
    (6) Check whether the results match any user ID's encrypted password
    (7) Repeat the above process until all passwords are found

    3. Other methods
    • network sniffing
    • keylogger
  • Dictionary attack : a dictionary is a common password list file summarized according to people's habit of setting their own account passwords

  • Brute force attack : also known as brute force cracking, try all combinations of letters, numbers, and special characters

  • Combination attack : Combination attack is an attack method based on using dictionary words and concatenating several letters and numbers behind the word.

  • Other Attacks : Social Engineering, Snooping, Trash Search, Password Worms, Trojan Horses, Network Listening, Replay

4.3 Typical password cracking tools

  • Password cracker: A password cracker usually consists of a candidate password generator, a password encryption module, and a password comparison module.
  • Candidate Password Generator: The Candidate Password Generator is used to generate words that are considered possible passwords.
  • Dictionary generation script: cupp tool
  • The password file for the operating system:
    • unix:/etc/passwd
    • windows: SAM: %systemroot%\system32\config\sam
  • Password Cracking Tool:
    • unix: Crack, John the Ripper, XIT, Slurpie
    • windows: L0phtcrack, Cain&Abel, NTSweep, NTCrack, PWDump2, RainbowCrack

4.4 Comprehensive application of password attack

  • Local password attack:

    • Windows system password attack:
    1. Extract the SAM file for cracking
    2. Replace the current SAM file with the backup SAM file
    3. Modify software with password
    4. Replace screen saver
    • Unix system password attack: reverse comparison method
  • Remote password attack:

    1. Establishes a network connection to the target network service.
    2. Select a user list file and a dictionary file.
    3. In the user list file and a dictionary file, select a group of users and passwords, and send the user names and passwords to the target network service port according to the network service protocol
    4. Detect the information returned by the remote service to determine whether the password attempt was successful

4.5 Defense against password attacks

  • Strong passwords: Based on current technology, the characteristics of strong passwords are as follows:

    • Change every 45 days
    • Password must contain at least 10 characters
    • Must contain letters, numbers, special symbols
    • Letters, numbers, special symbols must be mixed, not added at the end
    • cannot contain dictionary words
    • The previous five passwords cannot be reused
    • After a certain number of login failures, the password will be blocked for a period of time
  • To protect passwords from unauthorized disclosure, modification and deletion , passwords cannot be stored in the system in plain text. If a text file containing all passwords is stored in the system, it is easy for someone to read and obtain everyone's password .

  • encryption

  • One-Time Password Technology:


  • Biometric passwords
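
Added example (not from the original notes) that turns the policy items above into code: a checker for the length, character-mix, "not appended at the end", dictionary-word and password-history rules, a 45-day rotation check, a lockout counter for failed logins, and salted PBKDF2 storage so the password file never holds plaintext. The word list, iteration count, lockout numbers and record format are this example's own assumptions.

```python
"""Password policy checks and salted storage (added example, constructed data)."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 10
ROTATION_DAYS = 45
HISTORY_SIZE = 5
PBKDF2_ITERATIONS = 600_000            # work factor; raise as hardware gets faster
SPECIALS = set(string.punctuation)
# Constructed mini word list for the 'no dictionary words' rule; a real
# deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "admin", "dragon", "letmein"}


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the plaintext.
    Record format is this example's own: 'pbkdf2$<iterations>$<salt>$<digest>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_policy(password, previous_records=(), dictionary=DICTIONARY):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIALS for c in password)
    if not (has_alpha and has_digit and has_special):
        problems.append("must contain letters, digits and special symbols")
    # 'mixed, not added at the end': strip the trailing run of digits/symbols and
    # require at least one digit or symbol to remain inside the word part
    core = password.rstrip(string.digits + string.punctuation)
    if core and not any(c.isdigit() or c in SPECIALS for c in core):
        problems.append("digits/symbols only appended at the end")
    lowered = password.lower()
    if any(word in lowered for word in dictionary if len(word) >= 4):
        problems.append("contains a dictionary word")
    # previous_records: stored records, oldest first; only the last five count
    if any(verify_password(password, r) for r in previous_records[-HISTORY_SIZE:]):
        problems.append(f"matches one of the previous {HISTORY_SIZE} passwords")
    return problems


def needs_rotation(last_changed, now):
    """True when the password is older than ROTATION_DAYS (datetimes or ISO strings)."""
    if isinstance(last_changed, str):
        last_changed = datetime.fromisoformat(last_changed)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return now - last_changed > timedelta(days=ROTATION_DAYS)


class LoginThrottle:
    """Block logins for `lock_seconds` after `max_failures` consecutive failures."""

    def __init__(self, max_failures=5, lock_seconds=900.0):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}             # user -> (consecutive failures, time of last)

    def allowed(self, user, now):
        count, last = self.failures.get(user, (0, 0.0))
        return count < self.max_failures or now - last >= self.lock_seconds

    def record(self, user, success, now):
        """Call after each attempt; a success clears the failure counter."""
        if success:
            self.failures.pop(user, None)
        else:
            count, _ = self.failures.get(user, (0, 0.0))
            self.failures[user] = (count + 1, now)


if __name__ == "__main__":
    for candidate in ("Summer2024!", "tR4v!l-Moon9x"):
        print(candidate, "->", check_policy(candidate) or "OK")
    stored = hash_password("tR4v!l-Moon9x")
    print(stored[:32] + "...", verify_password("tR4v!l-Moon9x", stored))
```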

Chapter 5 Deception Attack and Defense Technology

5.1 Overview

Authentication : Authentication is an authentication process used by computers on the network to identify each other. After the authentication process, a mutual trust relationship will be established between computers that are allowed to communicate with each other.

Trust : Trust and authentication have an inverse relationship, that is, if there is a high degree of trust between computers, strict authentication will not be required for communication. Conversely, if there is no good trust relationship between computers, strict authentication will be performed.

Deception : Deception is essentially an attack method that impersonates an identity and defrauds trust through authentication. The attacker disguises himself as a trusted party to communicate with the victim based on the flaws in the authentication mechanism, and finally grabs information or launches further attacks.

5.2 IP spoofing and defense technology

IP spoofing: An attacker can use the IP address of another host and pretend to be from that host to gain access to information he is not authorized to access. This type of attack is called IP spoofing.

Basic IP spoofing methods:

  • Simple IP address change : The attacker changes the IP address of a computer to the address of another host to pretend to be other machines. The fatal flaw of a simple IP address change is that the attacker cannot receive the returned information flow.
  • Source routing attack : Ensure that data packets will always go through a predetermined path, and the attacker's machine is in this path.

Loose source routing : The sender specifies a list of IP addresses the data flow must pass through, but the packet may also pass through addresses that are not in the list.
Strict source routing : The sender specifies the exact addresses the IP packet must pass through. If the exact path is not followed, the packet is discarded and an ICMP message is returned.

  • Use the trust relationship of the Unix system : In the Unix world, a special trust relationship can be established between accounts on different hosts to facilitate access between machines. This is often used for system administration of large numbers of machines. The trust relationship here is based on IP address authentication, rather than asking for usernames and passwords. That is, anyone from a trusted IP address will be recognized.

rlogin: remote login
rsh: remote shell
rcp: remote copy
To make A trust B: on A, run echo "B usernameB" > ~/.rhosts; host B can then use the r* remote commands to log in directly to host A without hindrance

Advanced application of IP spoofing:

  • Session hijacking : The process of taking over an existing dynamic session. In other words, the attacker can replace the original legitimate user through session hijacking, and at the same time be able to monitor and grasp the session content. At this point, the attacker can record the victim's reply and respond to it in the following time to launch further deception and attacks. Session hijacking combines sniffing and spoofing techniques. The key to session hijacking is predicting the correct sequence number .
  • The SEQ of the second packet (B->A) = the ACK of the first packet (A->B);
  • The ACK of the second packet (B->A) = the SEQ of the first packet (A->B) + the transmission data length (number of bytes) of the first packet (A->B).
  • Session hijacking process:
  1. Find the target
  2. Confirm a dynamic session
  3. Guess the sequence number
  4. Take the client host offline
  5. Take over the session
  • Harm of session hijacking: As far as its realization principle is concerned, any host using the Internet for communication may be subject to this attack.

The reason for the great harm: It does not depend on the operating system; it can be used to carry out active attacks, and the possibility of entering the system can be obtained through the attack behavior.

  • Tools for TCP session hijacking: Juggernaut, Hunt
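
Added example (not from the original notes) applying the SEQ/ACK relation above from the defender's side: a Python check that walks a captured TCP session, computes the SEQ and ACK each next segment should carry, and reports a segment that does not fit, which is the kind of inconsistency an IDS uses to spot injected or hijacking segments. It generalises the relation slightly by counting the SYN and FIN flags as one sequence number each; the session and host names are constructed.

```python
"""Sequence/acknowledgement consistency check for a TCP session (added example)."""
from collections import namedtuple

# One captured segment; flags is a string of TCP flag letters (S, A, P, F, R).
Seg = namedtuple("Seg", "src dst seq ack length flags")


def consumed(seg):
    """Sequence space a segment uses: its payload, plus one for SYN and one for FIN."""
    return seg.length + ("S" in seg.flags) + ("F" in seg.flags)


def expected_reply(seg):
    """(seq, ack) the peer's next segment should carry, per the notes:
    SEQ(B->A) = ACK(A->B) and ACK(B->A) = SEQ(A->B) + length(A->B)."""
    return seg.ack, seg.seq + consumed(seg)


def audit_session(segments):
    """Walk a session and report segments whose SEQ or ACK breaks the relation.

    next_seq[host] is the sequence number that host should send next. Each
    segment's SEQ is checked against it and its ACK against the peer's next_seq;
    only consistent segments advance the state, so a single injected segment does
    not make every later legitimate segment look wrong as well. Retransmissions
    and out-of-order delivery are not modelled.
    Returns a list of (index, source host, description)."""
    next_seq = {}
    findings = []
    for i, s in enumerate(segments):
        problems = []
        if s.src in next_seq and s.seq != next_seq[s.src]:
            problems.append(f"seq {s.seq}, expected {next_seq[s.src]}")
        if "A" in s.flags and s.dst in next_seq and s.ack != next_seq[s.dst]:
            problems.append(f"ack {s.ack}, expected {next_seq[s.dst]}")
        if problems:
            findings.append((i, s.src, "; ".join(problems)))
            continue
        next_seq[s.src] = s.seq + consumed(s)
    return findings


def build_sample_session():
    """Constructed session between hosts A and B with one injected segment (index 5)."""
    return [
        Seg("A", "B", 1000, 0, 0, "S"),        # three-way handshake
        Seg("B", "A", 5000, 1001, 0, "SA"),
        Seg("A", "B", 1001, 5001, 0, "A"),
        Seg("A", "B", 1001, 5001, 20, "PA"),   # A sends 20 bytes
        Seg("B", "A", 5001, 1021, 10, "PA"),   # B answers with 10 bytes
        Seg("A", "B", 1500, 5011, 5, "PA"),    # forged: seq does not fit the session
        Seg("A", "B", 1021, 5011, 8, "PA"),    # A's real next segment
        Seg("B", "A", 5011, 1029, 0, "A"),
    ]


if __name__ == "__main__":
    for index, host, why in audit_session(build_sample_session()):
        print(f"segment {index} from {host} is inconsistent: {why}")
```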

Defense against IP spoofing attacks:

  • Protection against address change spoofing:

Method 1: Restrict users from modifying network configuration
Method 2: Ingress filtering
Method 3: Egress filtering

  • Prevent source routing spoofing: set the router to prohibit the use of source routing
  • Prevent trust relationship deception:

Method 1: Do not use the trust relationship
Method 2: Restrict who has the trust relationship
Method 3: Do not allow the use of the trust relationship through the external network
Method 4: For UNIX systems, do not use the vulnerable r command, use a secure method, such as SSH or VPN to replace the r command.

  • Protection against session hijacking attacks:

Method 1: Encryption
Method 2: Use a secure protocol
Method 3: Limit protection

5.3 ARP deception and defense technology

ARP spoofing: The mechanism by which a host maintains its ARP cache table is imperfect. When the host receives an ARP reply packet, it does not verify whether it ever sent the corresponding ARP request; it directly replaces the entry in its ARP cache with the IP-MAC mapping carried in the reply.

The harm of ARP spoofing:

  1. As a result, other users on the same network segment cannot access the Internet normally (frequent network disconnection or slow network speed)
  2. Using ARP spoofing can sniff all data packets in the switched LAN, thereby obtaining sensitive information.
  3. ARP spoofing attacks can tamper with information, for example, by adding advertisements to all web pages you visit.
  4. Using ARP spoofing attacks can control any host in the LAN and play the role of "network management", for example, to prevent a host from accessing the Internet.

ARP cheat tool: Arp cheat and sniffer V2.1

Detection and defense of ARP spoofing:

  • How to detect ARP spoofing attack in LAN:
  1. Frequent network disconnection
  2. Internet speed suddenly slows down
  3. Use the ARP -a command to find that the MAC address of the gateway is different from the real gateway MAC address
  4. Use sniffer software to find a large number of ARP reply packets in the LAN
  • How to discover hosts that are under ARP attack
  1. If you know the correct gateway MAC address, the gateway MAC listed by the ARP -a command is different from the correct MAC address, that is the MAC of the attacking host
  2. Use the Sniffer software to capture packets and find a large number of ARP reply packets sent with the IP address of the gateway. The MAC specified in the packets is the MAC address of the attacking host.
  • Defense against ARP spoofing attacks:
  1. MAC address binding, so that the IP address of each computer in the network corresponds to the hardware address one by one, and cannot be changed.
  2. Use the static ARP cache and update the records in the cache manually to make ARP spoofing impossible.
  3. Use the ARP server to find its own ARP conversion table through the server to respond to the ARP broadcast of other machines. Make sure this ARP server is not hacked.
  4. Use ARP spoofing protection software, such as an ARP firewall
  5. Timely discover hosts that are performing ARP spoofing and isolate them
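
Added example (not code from the original notes) covering the ARP-monitoring advice in 3.3 (ARPWatch-style monitoring, static IP-MAC tables) and the detection list above: a Python monitor that consumes ARP reply records, alerts when a statically bound IP such as the gateway is claimed by another MAC, alerts on a flood of replies for one IP, and lists the MACs to isolate. Addresses, bindings, thresholds and the reply stream are constructed.

```python
"""ARPWatch-style ARP reply monitor (added example; constructed input)."""
from collections import defaultdict, deque

GATEWAY_IP = "192.168.1.1"
# Static IP-MAC bindings maintained by hand, as the notes recommend.
# Values are constructed for this example.
STATIC_BINDINGS = {GATEWAY_IP: "aa:bb:cc:00:00:01"}
BURST_WINDOW = 5.0      # seconds
BURST_THRESHOLD = 20    # replies for one IP inside the window -> flood alert


def build_sample_replies():
    """Constructed ARP reply records (time, sender_ip, sender_mac); not a capture."""
    replies = [
        (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # the real gateway
        (1.0, "192.168.1.50", "aa:bb:cc:00:00:50"),
        (2.0, "192.168.1.51", "aa:bb:cc:00:00:51"),
        (3.0, "192.168.1.50", "aa:bb:cc:00:00:50"),
    ]
    # a host starts claiming the gateway IP with its own MAC, 25 times in 2.5 s
    for i in range(25):
        replies.append((10.0 + i * 0.1, GATEWAY_IP, "de:ad:be:ef:00:99"))
    return replies


class ArpMonitor:
    """Keeps an IP->MAC table and raises alerts on two patterns from the notes:
    (1) an IP answering from a MAC other than the one on record, which for a
        statically bound IP such as the gateway is a direct sign of spoofing;
    (2) a burst of ARP replies for the same IP, the 'large number of ARP reply
        packets' symptom."""

    def __init__(self, static_bindings, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
        self.table = dict(static_bindings)     # ip -> mac on record
        self.static = set(static_bindings)     # IPs that must never be relearned
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)       # ip -> timestamps of recent replies
        self.reported = set()                  # (kind, ip, mac) already alerted
        self.alerts = []

    def _alert(self, t, kind, ip, mac, detail):
        key = (kind, ip, mac)
        if key not in self.reported:           # report each finding once
            self.reported.add(key)
            self.alerts.append({"time": t, "kind": kind, "ip": ip,
                                "mac": mac, "detail": detail})

    def observe(self, t, ip, mac):
        """Feed one ARP reply (sender IP, sender MAC) seen at time t."""
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                    # first sighting: learn it
        elif known != mac:
            if ip in self.static:
                self._alert(t, "static-binding violation", ip, mac,
                            f"{ip} is bound to {known}")
            else:
                self._alert(t, "mac changed", ip, mac, f"was {known}")
                self.table[ip] = mac                # dynamic entry: follow it
        q = self.recent[ip]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self._alert(t, "reply flood", ip, mac,
                        f"{len(q)} replies within {self.window}s")

    def suspect_macs(self):
        """MACs that claimed a statically bound IP: the hosts to isolate."""
        return {a["mac"] for a in self.alerts
                if a["kind"] == "static-binding violation"}


def run_monitor(replies, static_bindings=STATIC_BINDINGS):
    """Replay a list of reply records through a fresh monitor and return it."""
    mon = ArpMonitor(static_bindings)
    for t, ip, mac in replies:
        mon.observe(t, ip, mac)
    return mon


if __name__ == "__main__":
    mon = run_monitor(build_sample_replies())
    for a in mon.alerts:
        print(f"[{a['time']:5.1f}] {a['kind']}: {a['ip']} from {a['mac']} ({a['detail']})")
    print("isolate:", sorted(mon.suspect_macs()))
```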

5.4 E-mail deception and defense technology

basic method:

  • Utilize similar email addresses
  • Direct use of fake e-mail addresses: SMTP is based on the assumption that people's identities are what they claim to be, without verifying the identity of the sender. This allows people to freely construct the sender address to send mail.
  • Remotely log in to the SMTP port to send mail: The attacker first finds the IP address of the mail server, or runs a port scanner to determine which machines are mail servers with port 25 open. Having found a machine with port 25 open and a mail server running, the attacker enters the following command: telnet <IP address> 25. Once connected, the attacker enters:
MAIL FROM: <spoofed sender address>
RCPT TO: <victim's recipient address>
DATA
<message content>

Defenses against email spoofing:

  1. Mail recipients : As mail recipients, users should configure their mail clients so that the sender's full e-mail address is always displayed rather than just an alias. The full address can give some indication that something unusual has happened.
  2. Email sender : As an email sender, you must protect the email client to prevent others from modifying the settings of the client.
  3. Mail server : The mail server provider should adopt an SMTP authentication mechanism.
  4. PGP Encryption : PGP (Pretty Good Privacy) is a program that allows your e-mail to have a confidential function. With this you can encrypt your email, once encrypted, the email looks like a bunch of meaningless gibberish. PGP provides such strong protection that even the most advanced decoding analysis techniques cannot decipher encrypted text.

5.5 DNS spoofing and defense technology

DNS spoofing: A deceptive behaviour in which an attacker impersonates a domain name server and answers queries with the attacker's own IP address. As a result, when surfing the web the user sees only the attacker's homepage instead of the homepage of the site they wanted. This is the basic principle of DNS spoofing.

One of the key conditions for an intruder to achieve DNS spoofing is to cache a forged resolution record in the local Cache of the DNS server.

Attack method:

  1. The attacker can control the local domain name server
  2. Attackers cannot control any DNS servers

DNS spoofing has two main limitations:

  1. An attacker cannot replace an existing record in the cache
  2. DNS server has a cache refresh time issue

Defense against DNS spoofing:

  1. hosts file binding
  2. Implement secure methods of encryption and authentication

5.6 Web deception and defense technology

Web spoofing: a type of electronic message deception in which an attacker creates an entire convincing web world that is in reality a false copy. The fake Web looks very real, with the same pages and links, but the attacker controls this false site, so that all network communication between the victim's browser and the Web is intercepted by the attacker.

Phishing: Hackers use e-mail or imitate the pages of online banking, online shopping and other online transactions to create fake web pages, so that users can disclose their relevant account information (account number) without knowing it. , password), once these hackers get the user's account information, the consequences can be imagined.

Ways to prevent web spoofing:

  1. Configure your web browser to always display the destination URL, and get used to checking it
  2. Use anti-phishing software.
  3. Disable JavaScript, ActiveX, or any other scripting language that executes locally.
  4. Make sure the application identifies and tracks users appropriately: whether you use a cookie or a session ID, make sure it is as long and random as possible.
  5. Cultivate users' habit of paying attention to the URL shown in the browser address bar; build user security awareness and provide security education for developers.

Chapter 6 Denial of Service Attack and Defense Technology

6.1 Overview of denial of service attacks

Denial of service: a simple destructive attack. It usually uses a weakness in a transport protocol, a vulnerability in the system, or a vulnerability in a service to launch a large-scale attack on the target system, sending massive amounts of data beyond the target's processing capacity to consume available system resources and bandwidth, or causing a program buffer overflow error, so that the target cannot process normal requests from legitimate users and cannot provide normal service, eventually paralysing the network service or even crashing the system.

DoS attack types:

By the implementation idea behind the attack:

  • Abuse of legitimate service requests
  • Create high traffic useless data
  • Exploiting Transport Protocol Flaws
  • Exploiting the vulnerability of the service program

Classification by exploit method:

  • Specific resource consumption class
  • Brute force attack

By how the attack packet sending rate changes:

  • fixed rate
  • variable rate

By the possible impact of the attack:

  • System or program crash class
  • service downgrade class

According to the protocol layer of the attack object:

  • DDoS attack on the network transport layer
  • Application layer DDoS attack

6.2 Typical denial of service attack techniques

  • Ping of Death : The maximum size of an IP packet is 64KB (65536B). If an ICMP packet whose actual size exceeds this limit is sent, then when the operating system copies the received packet into its buffer a buffer overflow occurs because the packet is longer than 64KB, which leads to the collapse of the TCP/IP protocol stack and causes the host to restart or crash.
  • Teardrop : The intruder forges fragmented packets containing overlapping offset information and sends them to the target host. When the destination host receives such fragments and reassembles them in the protocol stack, the malformed fragments cause reassembly errors. These errors not only corrupt the reassembled data but also cause memory errors in the protocol's reassembly algorithm, leading to the collapse of the protocol stack.
  • IP spoofing DoS attack : The attacker forges a large number of IP addresses and sends RST packets to the target, so that the server stops serving legitimate users, thereby achieving a denial of service against the victim server.
  • UDP flood : It mainly exploits services that the host replies to automatically (such as the chargen and echo services over UDP).
  • SYN flood : During the three-way handshake of a TCP connection, if a client sends a SYN to the server and then suddenly crashes or goes offline, the server never receives the client's ACK after sending its SYN/ACK. In this case the server will generally retry and, after waiting for a period of time, discard the unfinished connection. The length of this wait is called the SYN Timeout, and it is generally on the order of minutes.
  • Land attack : Send a special SYN packet to the target host whose source address and destination address are both the target host's own address. When the target host receives such a connection request, it sends a SYN/ACK packet to itself, which results in the target host sending an ACK back to itself and creating a connection. A large number of such packets cause the target host to establish many invalid connections, consuming system resources in large quantities.
  • Smurf attack : Uses IP spoofing and ICMP echo reply packets to congest the target host's network and achieve denial of service.
  • Fraggle attack : Similar to the Smurf attack, except that Fraggle uses UDP reply messages instead of ICMP.
  • Email bomb : A traditional email bomb simply sends a large number of emails to the victim's mailbox. The intruder's goal is to fill the mailbox with spam so that normal emails are rejected by the server for lack of space. If the user's mailbox space is not limited, the email bomb may even affect the normal operation of the server.
  • Malformed message attack : A targeted attack method that exploits security loopholes in the target host or in specific services.
  • Slashdot effect : overloading a web server or other type of server with a large amount of network traffic, usually aimed at a particular page or link.
  • WinNuke attack
  • CC attack : Simulate many users accessing the dynamic pages of the target website through proxy servers or a large number of "broilers" (zombie hosts), generating a large number of back-end database queries, consuming the target's CPU resources, and causing denial of service.
  • Reflection amplification attack : Reflection means that the attacker does not attack the target's IP directly, but sends constructed request packets to a multicast address, forging the victim's IP address as the source address of the packets. Amplification means that the reflecting devices send replies several times larger than the request back to the attacked party.

DoS common tools: Dictator, NetBot_Ataker, Synbomb, UDP Flooder

6.3 Distributed denial of service attack

Distributed denial of service : refers to the use of client/server technology to combine multiple computers as an attack platform to launch DoS attacks on one or more targets, thereby multiplying the power of denial of service attacks.

The composition of the software for the distributed denial of service attack:

  • Client : also known as the attack console, it is the host that initiates the attack
  • Server : also known as the attack server, it accepts the control commands sent by the client
  • Daemon : also known as the attacker or attack agent; it communicates with the attack target directly (such as SYN flooding) or indirectly (such as reflective DDoS)

The intruder first compromises multiple unrelated hosts and installs daemons and server programs on them. The intruder then sends an attack command to the server software through the client software, and after receiving the command the server directs the daemons to launch the attack on the target host.

Tools for DDoS : TFN2K, Trinoo, Stacheldraht, Trinity, Shaft, Mstream, LOIC

6.4 Defense against denial of service attacks

  • Effective and perfect design
  • bandwidth limit
  • Install patches to the system in time
  • Run as few services as possible
  • Only allow necessary communication
  • Block hostile IP addresses

6.5 Defense against distributed denial-of-service attacks

  • Monitoring of distributed denial of service attacks:
    • A large number of DNS PTR query requests
    • Traffic exceeding the limit observed when the network works normally
    • Oversized ICMP and UDP packets
    • TCP and UDP packets that are not part of normal connection traffic
    • Data packets whose contents contain only alphanumeric characters (for example, no spaces, punctuation, or control characters)
  • Defense against distributed denial of service attacks:
    • Optimize network and routing structures
    • Protect network and host system security
    • Install an intrusion detection system
    • Cooperate with the ISP
    • Use scanning tools
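As an added example from the defender's side (not part of the original notes), the C program below turns several indicators from 6.2 and 6.5 into screening rules and runs them over constructed packet records: a Land packet (source equals destination), an ICMP fragment that would reassemble beyond the IPv4 maximum length (Ping of Death), oversized ICMP/UDP datagrams, and payloads made only of alphanumeric characters. The struct pkt record, the 1500-byte oversize threshold and the sample addresses are assumptions of the example, not a real packet parser.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified packet record (an assumption of this example):
 * only the fields the screening rules need, not a real IPv4 header parser. */
struct pkt {
    uint32_t src, dst;        /* IPv4 addresses as host-order integers */
    uint8_t  proto;           /* 1 = ICMP, 6 = TCP, 17 = UDP */
    uint16_t frag_off;        /* fragment offset, in 8-byte units */
    uint16_t ip_len;          /* total length of this datagram or fragment */
    const uint8_t *payload;   /* transport payload bytes */
    size_t   payload_len;
};

/* One bit per indicator; a packet may match several at once. */
enum {
    F_LAND     = 1,  /* source == destination (Land attack, 6.2) */
    F_POD      = 2,  /* fragment reassembles past the IP maximum (Ping of Death, 6.2) */
    F_OVERSIZE = 4,  /* oversized ICMP or UDP packet (6.5 monitoring list) */
    F_ALNUM    = 8,  /* alphanumeric-only payload, as flood tools often send (6.5) */
};

/* Constructed thresholds: 1500 is the usual Ethernet MTU; 65535 is the
 * IPv4 maximum total length that a reassembled datagram may not exceed. */
#define OVERSIZE_BYTES 1500u
#define IP_MAX_LEN     65535u

static int alnum_only(const uint8_t *p, size_t n) {
    if (n == 0) return 0;   /* empty payloads (a bare SYN) are not suspicious here */
    for (size_t i = 0; i < n; i++)
        if (!isalnum(p[i])) return 0;
    return 1;
}

/* Apply the screening rules; returns the OR of matching F_* flags (0 = clean). */
int screen_packet(const struct pkt *p) {
    int flags = 0;
    if (p->src == p->dst)
        flags |= F_LAND;
    /* the offset is in 8-byte units, so this fragment ends at offset*8 + len */
    if (p->proto == 1 && (uint32_t)p->frag_off * 8u + p->ip_len > IP_MAX_LEN)
        flags |= F_POD;
    if ((p->proto == 1 || p->proto == 17) && p->ip_len > OVERSIZE_BYTES)
        flags |= F_OVERSIZE;
    if (alnum_only(p->payload, p->payload_len))
        flags |= F_ALNUM;
    return flags;
}

/* Constructed sample traffic; 10.0.0.5 (0x0A000005) is the monitored host. */
static const uint8_t flood_bytes[] = "AAAAAAAAAAAAAAAA";   /* 16 letters */
static const uint8_t http_bytes[]  = "GET / HTTP/1.0\r\n"; /* 16 bytes, has spaces */

int main(void) {
    struct pkt land = { 0x0A000005, 0x0A000005, 6, 0, 40, NULL, 0 };
    struct pkt pod  = { 0x0A000099, 0x0A000005, 1, 8189, 1500, flood_bytes, 16 };
    struct pkt web  = { 0x0A000077, 0x0A000005, 6, 0, 76, http_bytes, 16 };
    printf("land: %d\npod: %d\nweb: %d\n",
           screen_packet(&land), screen_packet(&pod), screen_packet(&web));
    return 0;
}
```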

Chapter 7 Buffer overflow attack and defense technology

7.1 Overview of Buffer Overflows

Buffer : A contiguous block of computer memory holding instances of the same data type; a continuous region allocated in memory while the program runs, used to store data of various types, including character arrays.

Buffer overflow : Writing more data into a fixed-length buffer than its pre-allocated length causes the data to overflow the buffer and overwrite the memory around it. Attackers carefully construct the data they fill in so as to change the original flow of the program, make it execute special code, and finally gain control.

The main reason for buffer overflow vulnerabilities is : C/C++ support arrays and pointers for accessing memory, but perform no security check on access boundaries, so a large number of buffer overflow problems occur.

7.2 Principle of buffer overflow

  • stack overflow

    The stack frame when the function Func is called (from high to low memory addresses):

    (memory high address)
    actual parameters passed to Func
    return address after Func exits
    saved EBP of the function that called Func
    local variables of Func
    (memory low address)

  • heap overflow

  • BSS overflow : The .bss segment stores uninitialized global and static variables; its allocation is relatively simple, variables are stored consecutively, and no space is reserved between them. The two character arrays defined by static char buf1[16], buf2[16]; are located in the BSS segment. If you first write 16 characters 'A' into buf2 and then write 24 characters 'B' into buf1, then because the variables are stored consecutively, the overflow of the static character array buf1 overwrites the value of the adjacent character array buf2. Taking advantage of this, an attacker can change the program's original execution flow by rewriting a pointer or function pointer in the BSS, so that the pointer jumps to a specific memory address and executes a chosen operation.

  • Format string overflow : This kind of overflow exploits a security problem in the programming language itself. It comes from the format-string argument handling of the *printf() family of functions (printf, fprintf, sprintf, etc.).
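As an added example (not code from the original notes), the C program below reproduces the BSS scenario above in well-defined C: 16 'A' bytes into buf2, then 24 'B' bytes into buf1 through an unbounded write, so 8 bytes spill into buf2, beside a bounded write that rejects the oversized request and leaves buf2 intact. The single 32-byte region that holds buf1 and buf2 is an assumption of the example, used so that adjacency is guaranteed rather than left to the linker.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the page's layout (an assumption of this example):
 * one 32-byte static region, buf1 in the first 16 bytes and buf2 in the
 * next 16, so adjacency is guaranteed and a write that crosses from buf1
 * into buf2 stays well defined. Two separate static arrays, as on the page,
 * are only adjacent if the linker happens to place them so. */
#define BUF_SIZE 16
static unsigned char bss_region[2 * BUF_SIZE];             /* lives in .bss */
static unsigned char *const buf1 = bss_region;             /* written second */
static unsigned char *const buf2 = bss_region + BUF_SIZE;  /* written first  */

/* Unbounded write, as the page describes: n copies of c into dst, no limit. */
static void fill_unbounded(unsigned char *dst, unsigned char c, size_t n) {
    memset(dst, c, n);
}

/* Hardened write: refuses any request larger than the buffer's capacity.
 * Returns 0 on success and -1 when the request is rejected. */
int fill_bounded(unsigned char *dst, size_t cap, unsigned char c, size_t n) {
    if (n > cap)
        return -1;
    memset(dst, c, n);
    return 0;
}

/* Number of bytes of buf2 that no longer hold the 'A' written there. */
size_t buf2_clobbered_bytes(void) {
    size_t n = 0;
    for (size_t i = 0; i < BUF_SIZE; i++)
        if (buf2[i] != 'A')
            n++;
    return n;
}

/* The page's scenario: 16 'A' into buf2, then 24 'B' into buf1. The extra
 * 8 bytes run past the end of buf1 into buf2. Returns the clobbered count. */
size_t overflow_scenario(void) {
    memset(bss_region, 0, sizeof bss_region);
    fill_unbounded(buf2, 'A', 16);
    fill_unbounded(buf1, 'B', 24);
    return buf2_clobbered_bytes();            /* 8 */
}

/* Same scenario with the bounded write: the 24-byte request into a 16-byte
 * buffer is rejected, so buf2 keeps all of its 'A' bytes. */
size_t hardened_scenario(void) {
    memset(bss_region, 0, sizeof bss_region);
    fill_bounded(buf2, BUF_SIZE, 'A', 16);
    if (fill_bounded(buf1, BUF_SIZE, 'B', 24) != 0)
        fputs("write of 24 bytes into buf1 rejected\n", stderr);
    return buf2_clobbered_bytes();            /* 0 */
}

int main(void) {
    printf("unbounded write clobbered %zu bytes of buf2\n", overflow_scenario());
    printf("bounded write clobbered %zu bytes of buf2\n", hardened_scenario());
    return 0;
}
```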

7.3 The process of buffer overflow

To implement a buffer overflow attack, an attacker must complete two tasks:

  1. arrange the appropriate code in the address space of the program;
  2. by properly initializing registers and memory, make the program jump to the arranged address space for execution. The control data overwritten to achieve this jump is typically one of:
    • Function pointers
    • Activation records (function stack frames)
    • Longjmp buffers (long jump buffers)

7.4 Code implantation technology

The implanted code is generally composed of three elements arranged according to a certain structure and construction type: shellcode, return address, and filling (padding) data.

  • shellcode : It is the core component of the implant code, and it is a self-contained binary code that can complete special tasks.

  • Return address : the entry address of the shellcode. If an attacker wants the target program to change its original execution flow and execute shellcode instead, he must try to cover a certain jump instruction with the entry address of the shellcode.

  • Filling data : Since the attacker cannot accurately determine the entry address of the shellcode, in order to improve the hit rate of the shellcode, a certain amount of filling data is often arranged in front of the shellcode.

The construction type of implanted code: NSR mode, RNS mode, AR mode

7.5 Example: ida overflow vulnerability attack

7.6 Defense against buffer overflows

  • Source-level protection methods:
    • Avoid related bugs in the source code
    • Search for overflow bugs in the source code
    • Array bounds checking compiler
  • Runtime protection methods:
    • Insert object code for array bounds checking
    • Sanity check of the return pointer
  • Block attack code execution:
    • Non-executable buffer technology : By setting the attribute of the buffer address space as non-executable, the attack code cannot be executed, thereby avoiding attacks. This technology is called non-executable buffer technology.
  • Enhanced system protection:
    • Protect system information
    • Turn off unneeded services
    • Principle of least privilege
    • Use the system's stack patch
    • Check system vulnerabilities and apply security patches for software in time

Chapter 8 Web Attack and Defense Technology

8.1 Overview of Web Security

Web security:

  • Web server security:
    • Attacks using web server vulnerabilities: IIS buffer overflow exploits, directory traversal exploits, etc.
    • Attacks using security holes in the web pages themselves: SQL injection, cross-site scripting
  • Web client security
  • Security of Web communication channels: Like other Internet applications, Web channels also face the threat of network sniffing (Sniffer) and denial of service attacks (Denial of Service) aimed at congesting channels and consuming resources.

8.2 Web server fingerprinting

Web server fingerprinting : Applied to a Web server, this means remotely probing the HTTP application's installation and configuration information so as to learn the remote Web server's configuration, and then launching targeted attacks based on the particular Web server version.

Banner information : Obtain the web server version, welcome message or other prompt information to find content that may be useful for an attack.

Obscuring web server Banner information :

  • Customize the HTTP response header information
  • Add plugins

8.3 Web page theft and defense

Web page theft: Through detailed analysis of the source code of each web page, find the key flaws and vulnerabilities that may exist in the code, comments or design, so as to determine the entry point of the attack.

Two methods of web page theft:

  • Manual page-by-page scanning
  • Automatic scanning

Defense method:

  • Improve the quality of web page code
  • Monitor the access log for rapidly growing GET requests
  • Set up the garbage.cgi script on the Web site
  • Always pay attention to the attack content of new web scanning scripts emerging on the network

8.4 Cross-site scripting attack and defense

XSS: Attackers create malicious scripts, deliver them to ordinary users' clients through the web server, and have them executed in the users' browsers.

Classification: reflected, stored, DOM-based

Harm: XSS attacks can collect user information, and attackers usually insert JavaScript, VBScript, ActiveX or Flash into vulnerable programs to deceive users. Once successful, they can steal user accounts, modify user settings, steal/pollute cookies, make false advertisements, view host information, etc.

XSS attack steps:

  1. Find an XSS vulnerability
  2. Inject malicious code
  3. Trick users into accessing it

Defense method: input is escaped; output is filtered

8.5 SQL injection attack and defense

SQL injection process:

  1. Look for links that may have SQL injection vulnerabilities
  2. Test the site for SQL injection vulnerabilities
  3. Guess the administrator account table
  4. Guess the fields in the admin table
  5. Guess the length of usernames and passwords
  6. guess username
  7. guess password

Prevention method:

  • Programmers improve their own technical level and follow fixed development standards
  • Check the legality of the data before submitting it to the server for processing
  • Encapsulate client submission information
  • Replace or delete sensitive characters, strings
  • Error messages are not returned to the user
  • Unconventional encryption of data sensitive information to prevent information leakage
  • Enhanced database checks
  • Do not build SQL queries with string concatenation, but use SQL variables, because variables are not executable scripts
  • Use SQL Injection Prevention System
  • Use preventive tools for rigorous security testing before web application deployment, such as Pangolin
  • The defense system filters the keywords submitted to web pages (including GET and POST methods and cookies). Once illegal keywords are found (such as ', ;, and, exec, select, insert, etc.), it reports illegal access and stores the IP address in the server's blacklist database so that the IP can no longer access the website.

8.6 Google Hacking

  • Search syntax:
    • intext: use a certain string in the text content of the web page as the search condition
    • allintext: used in the same way as intext
    • intitle: similar to intext, but searches for the string in the title of the web page
    • allintitle: similar to intitle
    • cache: search Google's cache for certain content
    • define: search for the definition of a word
    • filetype: search for files of the specified type
    • info: find some basic information about the specified site
    • inurl: search for the specified string in the URL
    • allinurl: similar to inurl, multiple strings can be specified
    • link: find pages that link to the specified website
    • site: find URLs belonging to the specified website
    • related: find pages similar to the specified website
    • ext: search for files with various suffixes
    • inanchor: usage inanchor:keyword; the results must contain a link whose anchor text contains this keyword
    • phonebook: phonebook lookup for US street addresses and phone numbers
  • Operators:

    + : include a word that Google would otherwise ignore in the query
    - : exclude a certain word
    ~ : synonyms of a word
    . : a single-character wildcard
    * : a wildcard that can stand for multiple letters
    "": exact query

  • Prevention of Google Hacking:
    1. Disable directory listing
    2. Set the NOSNIPPET of the page appropriately
    3. Set the site's robots.txt appropriately
    4. Stop bots from collecting information
    5. Trick bots
    6. Self-test

8.7 Web page verification code

The main idea of the verification code (CAPTCHA) technology : process the font and background of the verification code so that the information submission process can only be completed with human participation.

The functions of the verification code mainly include : preventing brute force cracking, preventing malicious flooding, preventing automatic submission, etc.

8.8 Defense against Web attacks

  • Server security configuration:
    • Security configuration of the host system
    • Security configuration of the Web server
  • Security measures for web browsers:
    • Frequently patch and upgrade the operating system
    • Use a browser with a low vulnerability count, such as Firefox
    • Update the browser frequently
    • Don't open untrustworthy websites out of curiosity

Origin blog.csdn.net/Dajian1040556534/article/details/131361799