Information security technology - (6) Network and system attack technology

1. Network and system attack process

1.1 Typical attack process


1.2 Definition of network and system investigation

  • Network and system investigation refers to the attacker gathering and evaluating information about the target network and its weaknesses; it is an indispensable first step of an attack.
  • The targets mainly include technical information such as the network topology, host addresses, open server ports and service program versions, as well as non-technical information such as administrator names, hobbies and email addresses.

1.3 Main methods of network and system investigation


1.3.1 Network scanning

1. Definition

  • Network scanning is a network-based technique for remotely discovering services and system vulnerabilities.
  • Scanning can be divided into host-based scanning and network-based scanning.
  • There are two techniques for vulnerability scanning: the vulnerability-matching method and the plug-in based approach.

2. System vulnerability scanning and analysis software

Nessus is the most widely used system vulnerability scanning and analysis software in the world; in total, more than 75,000 organizations use Nessus to scan their computer systems.

  • Nessus is a powerful yet easy-to-use remote security scanner that is free and is updated extremely quickly.
  • Nessus uses plug-in based technology.
  • Its working principle is to simulate attacks through plug-ins, performing offensive vulnerability scans against the target host system.
  • It was developed to help system administrators find the weaknesses of their hosts so they can correct or protect them before an intruder exploits them.
  • In the new version, the operating system platforms supported by Nessus include Linux, FreeBSD, Solaris, Mac OS X and Windows.

1.3.2 Direct access

  • The PING command is used to check whether the network is reachable and how fast the connection is.
  • Its principle is simple: every computer on the network has a unique IP address. If you send a packet to the target IP address, the other side returns a packet of the same size. From the returned packet you can confirm that the target host exists and make an initial guess at its operating system.

1.3.3 Network topology detection

1. Network topology definition

  • Network topology refers to the physical layout of the devices interconnected by transmission media. If two networks have the same connection structure, we say their topologies are the same, even though their physical wiring and the distances between nodes may differ.

2. Network topology detection

  • For attackers, mastering the topology of the target network, knowing the device types in it, and pinning down the physical location of each target device all help guide the intrusion. It is like a military operation: a commander with an accurate map of the battlefield can deploy troops precisely and concentrate on the key strongholds.

1.3.4 Utilizing network protocols

  • Network layer protocol attacks mainly include IP source address spoofing, ARP spoofing and ICMP route redirection attacks.
  • IP source address spoofing
    simply means that the attacker forges IP packets with a false source address and sends them, in order to hide the perpetrator's identity and impersonate another computer.
  • ARP spoofing
    ARP spoofing is also called ARP poisoning. The attacker sends forged ARP messages on a wired Ethernet or wireless network so that a specific IP address is mapped to a MAC address of the attacker's choosing.
  • ICMP route redirection attack
    refers to a technique in which the attacker pretends to be a router and sends false ICMP redirect messages, causing the victim host to choose the route specified by the attacker, which then allows sniffing or impersonation.
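The ARP spoofing described above leaves a detectable trace: one IP address suddenly answered by a different MAC, or one MAC answering for several IPs. The detector below is an added example, not code from the original article; the ARP replies it runs over are constructed, and `find_arp_conflicts` is a hypothetical name.

```python
from collections import defaultdict

# Constructed sample of ARP replies (time, sender IP, sender MAC) as a passive LAN
# monitor would record them. 10.0.0.1 is the gateway; at t=3.0 a second MAC
# claims it, and then the same MAC also claims 10.0.0.7 (a classic poisoning pattern).
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (1.5, "10.0.0.7", "aa:bb:cc:00:00:07"),
    (2.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (3.0, "10.0.0.1", "DE:AD:BE:EF:00:99"),
    (3.2, "10.0.0.7", "de:ad:be:ef:00:99"),
]


def find_arp_conflicts(replies, trusted=None):
    """Flag an IP whose MAC binding changes and a MAC that claims several IPs.

    trusted: optional static {ip: mac} map (e.g. the known gateway); a reply that
    contradicts it is reported even if it is the first reply seen for that IP.
    Note: a router or a host with IP aliases legitimately answers for several IPs,
    so the second alert type needs a whitelist in practice.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.setdefault(ip, mac)   # first sighting becomes the baseline
        if known != mac:
            alerts.append({"time": ts, "type": "ip_mac_changed", "ip": ip,
                           "expected": known, "seen": mac})
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                               "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in find_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(alert)
```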

1.3.5 Exploiting system weaknesses

  • Scan the target host's open ports to find out whether any exploitable vulnerability types are present.
  • On Linux-like systems, the best way to detect vulnerabilities on a given host port is the Nessus vulnerability scanner;
  • Under Windows, in addition to Nessus, you can also use X-Scan, SuperScan and other software.

1.3.6 Password attack

1. Enumerate passwords

  • Brute-force cracking. Brute-force cracking has historically been a common password attack: hackers use a massive password dictionary to exhaustively try user passwords. As security awareness has grown, login systems usually limit the number of failed logins, so this attack method is now far less effective.

2. Dictionary generation

  • A dictionary is a file containing many passwords generated according to specific combinations of characters, digits and so on. Common web-account passwords include admin, test, guest, administrator, 666666 and 123456. Administrators usually choose passwords that are easy to remember, which makes accounts and passwords vulnerable to brute-force cracking.

3. Password interception and deception

  • Network sniffing. Password sniffing usually uses a host to monitor the network and capture traffic from which passwords are extracted. Today sensitive information such as passwords is mostly encrypted, so this method is also limited. But for web applications, which make up a large share of traffic, hackers sniff unencrypted HTTP communications to obtain the site's cookie (a piece of data the server sends to the browser after the browser accesses the server) and can then impersonate the user's identity without knowing the password at all.

4. Non-technical means

  • Social engineering. Hackers crack passwords through social engineering, exploiting psychological weaknesses such as instinctive reactions, curiosity, trust and greed to trick the victim into giving up a password. For example, someone may pose as the email administrator, send an "email upgrade" notice, lead you to a phishing website and steal your email password. This type of attack is now relatively common: a well-known domestic network security company was once hit by such an attack, and a large number of employee passwords were stolen.

2. Network and system security vulnerabilities

2.1 Security Vulnerabilities

  • A security vulnerability is an unintentionally unprotected entry point into a restricted computer, component, application, or other online resource. Vulnerabilities are flaws in hardware, software or usage policies that expose computers to viruses and hacker attacks.

2.2 Common security vulnerabilities


2.2.1 Injection vulnerability

  • Injection vulnerabilities are caused by loose filtering of input characters, and can expose the administrator's account, password and other related information.
  • SQL injection is one of the most serious of all vulnerability types. It mainly involves forging client requests that carry SQL commands to the server as part of an illegitimate request, ultimately tricking the server into executing malicious SQL.
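The injection described above, shown as the vulnerable login query next to its parameterised fix. This is an added example, not code from the original article; the schema, the rows and the `login_*` function names are constructed, and passwords are stored in plaintext only to keep the query short (a real system stores a salted hash).

```python
import sqlite3


def make_db():
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "s3cr3t-admin-pw", "administrator"),
        ("guest", "guest", "user"),
    ])
    return conn


def login_vulnerable(conn, name, password):
    """String-concatenated query: user input becomes part of the SQL text, so a
    quote character in the input ends the string literal and the rest is parsed
    as SQL. Returns the role on success, None otherwise."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterised query: the values travel separately from the SQL text, so
    the same input is compared as data and never changes the query's structure."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None
```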

2.2.2 Buffer overflow

1. Buffer overflow

  • Computer programs generally use some memory, either internally or to store user input; such memory is generally called a buffer.
  • A buffer overflow occurs when the program writes more data into a buffer than the buffer can hold, so the overflowing data overwrites adjacent legitimate data.

2. Buffer overflow attack

  • A buffer overflow attack deliberately writes past the bounds of a specific buffer so that the data spills into adjacent memory and corrupts the stack.
  • Under Linux, buffer overflow attacks can be developed with the help of decompilation tools.

2.2.3 Sensitive data leakage

  • Sensitive information leakage refers to vulnerabilities in which data that should not be accessible from outside, including user information, employee information and internal company information, is exposed without authorization through websites, interfaces, external storage and similar channels.

2.2.4 Authentication and session management attacks

  • Authentication or session-related functions in the application are implemented incorrectly, allowing attackers to compromise passwords or session tokens, or to exploit other flaws in order to impersonate a user.

2.2.5 Denial of service attack (DoS)

1. Definition

  • A denial of service (DoS) attack occurs when an attacker sends a large number of service or operation requests, making it difficult for the service program to operate normally.
  • DDoS stands for distributed denial of service attack. It refers to an attacker controlling multiple hosts to launch a DoS attack on the same host or network at the same time.

2. DDoS manifestations

There are two main forms of DDoS. One is the traffic attack, aimed at network bandwidth: a large number of attack packets saturate the bandwidth, so legitimate packets are drowned out by the bogus traffic and cannot reach the host. The other is the resource exhaustion attack, aimed at the server host itself: a large number of attack packets exhaust the host's memory or keep its CPU cores and applications fully occupied, so it can no longer provide network services.

3. Attack identification

Ping test: if ping times out or packet loss is severe, the host may be under attack. If a server on the same switch also cannot be reached, it can basically be determined to be a traffic attack.

3. Network and system investigation

4. Main principles of network and system attacks


Origin blog.csdn.net/m0_63853448/article/details/127030139