"Red Team Covert Tunnel Detection" of "Battle Elephant Attack and Defense Exercise Collection"

Attackers who are already hiding inside a network widely use a similar trick: concealing data in files and session traffic that look innocuous. This style of communication is called a "covert tunnel".

The following uses a scenario from a real attack-and-defense drill to show how a covert tunnel is built by the attacker and how it is detected by the defender.

# 1 DNS resolution and DNS tunnel

DNS resolution is the service that maps a registered domain name to the IP address of the server hosting it, so that users can reach a website by name instead of by IP address.

A DNS tunnel carries the data to be transferred directly inside DNS packets, typically encoded into the labels of the query name on the way out and into the records of the response on the way back. Most security devices allow DNS traffic through by default and inspect it only lightly, so attackers abuse this gap to smuggle data and build a very covert command-and-control channel.

# 2 DNS Tunnel Scenario

The red team delegates a domain to its C&C server and runs a DNS tunnel server on that host. Because the domain is delegated to it, every query for a subdomain under that domain sent from inside the target network (after recursion through the local resolvers) eventually arrives at the tunnel server, which parses the query name and recovers the data. When a command must be sent back to the compromised host, it is encrypted, encoded and placed in the DNS response; the implant on that host parses the response content and recovers the command. At that point two-way communication over the covert tunnel is established.

Such two-way covert tunnels usually require a malicious program on the target host, which then communicates with the C&C server either actively (beaconing out) or passively. Common tools include Cobalt Strike (its DNS beacon), dnscat2 and iodine.

The figure shows the malicious traffic generated after a DNS covert tunnel tool was installed and run on an intranet host.


To reduce the false-positive risk of signature-based detection, Elephant uses machine learning: drawing on the true positive and negative samples accumulated by the vulnerability box and the Elephant platform during offensive and defensive drills, it collects and selects the effective features and builds a set of covert-channel detection models for ICMP, DNS and other protocols.

Taking the DNS covert tunnel attack above as an example, Xiangshou's DNS covert tunnel model mines features from DNS tunnel traffic and runs statistical analysis on each field of the DNS protocol, using characteristics such as request and response frequency, average message length and domain name characteristics. Combined with Xiangshou's static covert tunnel signatures, the model raises the detection accuracy for covert tunnels.
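As an added example (not code from the article or from Xiangshou), the block below puts the two halves of the story side by side: a minimal encoder/decoder that packs data into query names under an attacker-delegated zone, as in the scenario above, and a detector that computes the kinds of per-zone statistics the text lists (query rate, mean name length, subdomain entropy, unique-subdomain ratio, share of payload-carrying record types) over a constructed resolver log. The zone `c2-tunnel.example`, the client addresses, the log format and every threshold are hypothetical; a production detector would use the Public Suffix List for the base domain and tune thresholds on real traffic.

```python
"""Added example (not from the article or from Xiangshou): a minimal DNS tunnel
encoder/decoder next to a feature-based detector over a constructed query log.
All hosts, zones and thresholds are hypothetical."""
import base64
import hashlib
import math
from collections import defaultdict

ZONE = "c2-tunnel.example"  # hypothetical attacker-delegated zone

def tunnel_qname(payload: bytes, seq: int, zone: str = ZONE) -> str:
    """Pack a chunk of data into a query name the way iodine/dnscat2-style tunnels do:
    base32 (DNS names are case-insensitive, so base64 would be corrupted), a
    sequence label, then the attacker's zone. Labels are capped at 63 bytes."""
    enc = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [enc[i:i + 63] for i in range(0, len(enc), 63)]
    name = ".".join([f"s{seq}", *labels, zone])
    assert len(name) <= 253, "qname too long for one DNS message"
    return name

def decode_tunnel_qname(qname: str, zone: str = ZONE) -> tuple[int, bytes]:
    """What the tunnel server does on receipt: strip the zone, read the sequence
    label, re-join the data labels and base32-decode them."""
    seq_label, *labels = qname[: -len(zone) - 1].split(".")
    enc = "".join(labels).upper()
    enc += "=" * (-len(enc) % 8)           # restore padding dropped on the wire
    return int(seq_label[1:]), base64.b32decode(enc)

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def base_domain(qname: str) -> str:
    # Last two labels; a real detector should use the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])

# Constructed resolver log: (seconds, client, qname, qtype). Benign rows are
# hand-written; tunnel rows are generated with tunnel_qname() from fake "secret" bytes.
BENIGN = [
    (0.0, "10.0.0.5", "www.example.com", "A"),
    (0.4, "10.0.0.5", "mail.example.com", "MX"),
    (1.2, "10.0.0.7", "cdn.static-assets.net", "A"),
    (2.0, "10.0.0.5", "login.example.com", "AAAA"),
    (3.5, "10.0.0.9", "updates.vendor.org", "A"),
]
SECRET = b"".join(hashlib.sha256(b"chunk%d" % i).digest()[:30] for i in range(10))
TUNNEL = [
    (i * 0.1, "10.0.0.12", tunnel_qname(SECRET[i * 30:(i + 1) * 30], i), "TXT")
    for i in range(10)
]
DATA_TYPES = {"TXT", "NULL"}  # record types that carry bulk payload in responses

def score_groups(queries, min_queries=5):
    """Group queries by (client, base domain) and compute the kinds of statistics
    the text lists: query rate, mean qname length, subdomain entropy, unique-subdomain
    ratio and share of data-carrying record types. A group is flagged when at least
    three of five hypothetical thresholds are exceeded and it has enough queries."""
    groups = defaultdict(list)
    for ts, client, qname, qtype in queries:
        groups[(client, base_domain(qname))].append((ts, qname, qtype))
    results = {}
    for (client, zone), rows in groups.items():
        ts = [r[0] for r in rows]
        span = max(ts) - min(ts)
        subs = [q[: -len(zone) - 1] if q != zone else "" for _, q, _ in rows]
        f = {
            "n": len(rows),
            "rate": len(rows) / span if span > 0 else float(len(rows)),
            "mean_len": sum(len(q) for _, q, _ in rows) / len(rows),
            "entropy": sum(shannon_entropy(s) for s in subs) / len(rows),
            "unique_ratio": len(set(subs)) / len(rows),
            "data_type_ratio": sum(t in DATA_TYPES for _, _, t in rows) / len(rows),
        }
        hits = sum([f["rate"] > 2, f["mean_len"] > 50, f["entropy"] > 3.5,
                    f["unique_ratio"] > 0.9, f["data_type_ratio"] > 0.5])
        f["flagged"] = f["n"] >= min_queries and hits >= 3
        results[(client, zone)] = f
    return results

if __name__ == "__main__":
    for key, f in score_groups(BENIGN + TUNNEL).items():
        print(key, {k: round(v, 2) if isinstance(v, float) else v for k, v in f.items()})
    # The tunnel server's view of one query: sequence number and recovered bytes.
    print(decode_tunnel_qname(TUNNEL[3][2])[1] == SECRET[90:120])
```

Running it prints one feature row per (client, zone) pair; only the `10.0.0.12` / `c2-tunnel.example` group trips the rate, length, entropy, uniqueness and record-type checks at once, while the benign groups, whose names are short dictionary words queried a few times over several seconds, trip at most one. The `min_queries` guard matters in practice: a single long or high-entropy name (CDN hashes, DKIM selectors, anti-virus lookups) is normal, and it is the sustained stream of unique names under one zone that distinguishes a tunnel.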

Practice has shown that Xiangshou can effectively detect covert communication carried out with tunnel tools, adding a "machine emergency-response expert" to the enterprise's protection process.

//Next issue preview//

The next issue of Excalibur will bring you

Password Security, from the Attack and Defense Drill Series

What risks threaten password security?

How to detect and manage large numbers of weak passwords?

How to make good use of a password encryptor?

How to keep passwords safe?

More to come in the next issue.


Finally

Here is a quick way to learn network security, "perhaps" the most complete learning path:
1. Theoretical knowledge of network security (2 days)
①Understand the industry background and prospects, and decide on a direction.
②Learn the laws and regulations related to network security.
③The concepts of network security operations.
④Introduction to the classified protection scheme (MLPS): its regulations, procedures and standards. (Very important)

2. Penetration testing basics (one week)
①Penetration testing process, classification and standards
②Information gathering: active/passive reconnaissance, Nmap, Google hacking
③Vulnerability scanning and exploitation: principles, exploitation methods, tools (MSF), evading IDS and anti-virus
④Host attack and defense exercises: MS17-010, MS08-067, MS10-046, MS12-020, etc.

3. Operating system basics (one week)
①Common Windows functions and commands
②Common Kali Linux functions and commands
③Operating system security (intrusion investigation and system hardening basics)

4. Computer networking foundations (one week)
①Networking fundamentals, protocols and architecture
②Principles of network communication, the OSI model, the packet forwarding process
③Analysis of common protocols (HTTP, TCP/IP, ARP, etc.)
④Network attack techniques and network defense techniques
⑤Web vulnerability principles and defenses: active/passive attacks, DDoS attacks, reproducing CVE vulnerabilities

5. Basic database operations (2 days)
①Database fundamentals
②SQL fundamentals
③Database security hardening

6. Web penetration (1 week)
①Introduction to HTML, CSS and JavaScript
②OWASP Top 10
③Web vulnerability scanners
④Web penetration tools: Nmap, Burp Suite, SQLMap and others (China Chopper, vulnerability scanners, etc.)


Congratulations: with this much learned, you can basically take a job related to network security, such as penetration testing, web penetration, security services or security analysis; if you master the security modules well, you can also work as a security engineer. The salary range is 6k-15k.

That is about a month of study, and by then you have become a "script kiddie". Do you still want to go further?


Origin blog.csdn.net/Android062005/article/details/131851344