Network attack technology (more exciting than playing chicken and getting MVP)

1. Overview of cyber attacks

1. Targets of cyber attacks:

The targets of network attacks are mainly systems and data, and their security correspondingly involves two aspects: system security and data security.

  • Characteristics of system attacks: The attacks occur at the network layer, destroying the availability of the system and causing the system to fail to work properly. It may leave obvious traces of attack, and users will find that the system cannot work.
  • Characteristics of data-based attacks: They occur at the application layer of the network and are information-oriented. The main purpose is to tamper with and steal information without leaving any obvious traces.

2. Means of network attacks:
At present, there are many means of attacking the network, and new means are emerging in an endless stream. Network attacks can be divided into the following two categories.

  • One type is active attack. This kind of attack obtains relevant information of the attack target in various ways, finds system vulnerabilities, and after intruding into the system, it will selectively destroy the validity and integrity of the information, such as mail bombs.
  • The other type is passive attack, which intercepts, steals, and deciphers to obtain important confidential information without affecting the normal operation of the network, including eavesdropping and communication traffic analysis, such as scanners.

The main means used in current network attacks are:

  • Exploiting vulnerabilities in current network systems and various network software, such as imperfections in the TCP/IP protocol itself and various defects in operating systems; improper firewall settings; electronic fraud; denial of service (including DDoS); network viruses; use of hacking tool software; taking advantage of users' weak security awareness, such as setting passwords improperly or placing password files directly in the system, etc.

3. Levels of cyber attacks:
Cyber attacks use different methods and cause different degrees of harm. They are generally divided into 7 levels:

  1. Simple denial of service.
  2. A local user has obtained unauthorized read permissions.
  3. A local user has obtained unauthorized write permissions.
  4. Remote users obtain unauthorized account information.
  5. The remote user gains read permissions to the privileged file.
  6. The remote user gains write permission to a privileged file.
  7. The remote user has system administrator rights.

Among these seven levels, the degree of harm increases as the level number increases.

4. Classification of network attacks:

1. Blocking attacks

  • Blocking attacks attempt to forcibly occupy channel resources, network connection resources, and storage space resources, causing the server to crash or become exhausted and unable to provide external services. Denial of Service (DoS) is a typical blocking attack. It is a type of attack in which one or more people use certain tools of the Internet protocol suite to deny legitimate users access to target systems (such as servers) and information.
  • Common methods include TCP SYN flood attacks, Land attacks, Smurf attacks, email bombs, etc. The consequences of a DoS attack: causing the target system to crash; putting ports into a suspended state; displaying garbled information on the computer screen, changing file names, and deleting key program files; distorting the system's resource status and reducing the system's processing speed.

2. Detection attacks

  • Information detection attacks mainly collect various security-related information about the target system to support the next stage of intrusion. They mainly include scanning techniques, architecture probing, system information service collection, etc. More advanced traceless information detection techniques are currently being developed.
  • Network security scanning technology: An important technology in network security defense. Its principle is to use simulated attacks to check the known security vulnerabilities that may exist on the target one by one. It can be used to enhance the security of local networks and can also be used by network attackers to conduct network attacks.

3. Control attacks

  • A control attack is a type of attack that attempts to gain control of a target machine. The three most common types are password attacks, Trojan horses, and buffer overflow attacks. Password interception and cracking are still the most effective means of password attack, and further development is toward more powerful password cracking programs; Trojan technology currently focuses on newer hiding techniques and covert channel techniques; buffer overflow is a commonly used attack technique: in the early days, buffer overflow flaws in system software were exploited to carry out attacks, and now the deliberate creation of buffer overflows is itself being studied.

4. Deception attacks

  • Spoofing attacks include IP spoofing and fake message attacks. The former defrauds sensitive information by pretending to be a legitimate network host, while the latter mainly carries out deception by configuring or setting some false information; it mainly includes ARP cache poisoning, DNS cache poisoning, fake emails, etc.

5. Vulnerability attacks

  • Vulnerability: there is some form of security flaw in system hardware or software. The direct consequence of such a flaw is to allow unauthorized users to gain access or to escalate their access rights without authorization. Corresponding attacks are carried out against the various vulnerabilities in the network system discovered by the scanner. As new vulnerabilities are discovered, the attack methods are constantly updated, making them difficult to prevent. It is also relatively simple to find security vulnerabilities for a certain platform or of a certain type: many sites on the Internet, whether public or secret, provide archiving and indexing of vulnerabilities.

6. Destructive attacks

  • Destruction attacks refer to a type of attack that damages various data and software of the target machine, including computer viruses, logic bombs and other attack methods. The main difference between logic bombs and computer viruses: logic bombs have no infection ability and will not automatically spread to other software. Since most of the systems used in our country are imported from abroad, we should remain vigilant to whether there are logic bombs in them. For computer systems in confidential departments, you should mainly use self-developed software.

2. Information search technology

Before attackers attack specific network resources, they need to understand the environment they are going to attack, which requires collecting and summarizing various information related to the target system, including the number, type, and operating system of the machines. The purpose of inspection and scanning is to collect this information.

  • Use various scanning tools to conduct large-scale scans of intrusion targets to obtain system information and running service information;
  • Use third-party resources to collect information on the target, such as common search engines; use various query methods to obtain some information related to the invaded target, such as social engineering.
  • Social engineering is usually a trick that exploits the public's lack of precautions to make victims fall into a trap. This technique usually uses conversation, deception, impersonation, or spoken words to obtain sensitive information from legitimate users.

Attackers generally use 7 basic steps to collect target information. Each step has available tools, and attackers use them to obtain the information needed to attack the target.

  1. Find initial information.
  2. Find the network's address range.
  3. Find the active machine.
  4. Find open ports and entry points.
  5. Figure out the operating system.
  6. Find out what service is running on each port.
  7. Draw a network diagram.

The main methods of information collection are as follows:

  1. Hidden address: The attacker first looks for other people's computers that can be used as a "puppet machine" to hide their real IP address and other location information.
  2. Locking the target: There are many hosts on the network, and the attacker's next job is to find and identify the target host.
  3. Understand the target's network structure: After determining the target to attack, the attacker will try to understand the structure of the network it sits in, including gateway routing, firewalls, intrusion detection systems (IDS), etc. The simplest way is to use the tracert command to trace the route; one can also send some data packets and see whether they pass, in order to guess the firewall's filtering rules, etc.
  4. Collect system information: After understanding the network structure, the attacker will conduct a comprehensive analysis of the host to find its operating system type, the services it provides, and its security vulnerabilities or weaknesses. Using some scanner tools, the attacker can easily obtain the operating system and version running on the target host, the account information in the system, the version and service type of server programs such as WWW, FTP, Telnet, SMTP, etc., the port opening status, and other information. The main methods include port scanning, service analysis, protocol analysis, user password detection, etc.

Network inspection:
Site inspection means gaining a multi-faceted understanding of the target to be attacked through various channels, including any available clues, but the information must be verified as accurate in order to determine the time and location of the attack. Common methods of inspection include the following.

  1. Query of domain names and their registration authorities.
  2. Understanding of the nature of the company.
  3. Analyze the homepage.
  4. Collection of email addresses.
  5. Target IP address range query.

The tools and software for information collection include the following:

  1. Ping, fping, ping sweep.
  2. ARP detection.
  3. Finger.
  4. Whois.
  5. DNS/nslookup.
  6. Search engines (Google, Baidu).
  7. Telnet.

The easiest way to get a network IP address is to ping the domain name. When pinging a domain name, the first thing the program does is try to resolve the hostname into an IP address and output it to the screen. The attacker obtains the address of the network and can use this network as the initial point.

Network scanning overview:

  • Scanning technology is a major type of information gathering attack. The purpose of network scanning is to use various tools to find vulnerabilities in the host IP address or address range of the attack target determined by the site. The scan takes the form of a simulated attack to check each known security vulnerability that may exist on the target. The target can be workstations, servers, switches, routers, database applications, etc. Provide thorough and reliable analysis reports to scanners or administrators based on scan results.

Scanning is divided into two strategies:

Passive strategy:

  • It is host-based, checking inappropriate settings, fragile passwords, and other objects that conflict with security rules in the system. The active strategy is network-based: it simulates attacks on the system by executing some script files and records the system's response to discover vulnerabilities. Passive scanning does not cause damage to the system.

Active scanning simulates attacks on the system and may cause damage to the system:
Active scanning can generally be divided into the following types.

  1. Active host detection.
  2. ICMP query.
  3. Network PING scan.
  4. Port scan.
  5. Identifies UDP and TCP services.
  6. Specify vulnerability scans.
  7. Comprehensive scan.

Scanning methods can also be divided into two categories: slow scanning and out-of-order scanning.

Network monitoring:

  • Network monitoring refers to a method of intercepting the data flow communicated on other people's networks and illegally extracting important information from it. Network monitoring is a working mode of the host. In this mode, the host can receive all the information transmitted on the same physical channel of its network segment, regardless of the sender and receiver of the information, so the data is highly exposed to an attacker. Data may be monitored at either end. If the communication between the two hosts is not encrypted, information including account numbers can be easily intercepted using only network monitoring tools. Although the user accounts and passwords obtained by network monitoring have certain limitations, the listener can often obtain the accounts and passwords of all users on the network.
  • The purpose of network monitoring is to intercept the content of communication, and the method of monitoring is to analyze the protocol. This is achieved by exploiting some loopholes in existing network protocols without directly performing any operations or damaging the integrity of the victim host system. Network eavesdropping only operates on the data stream sent by the victim host, does not exchange information with the host, and does not affect the normal communication of the victim host.

3. Network intrusion

1. Social engineering attacks

  1. Call and request password
  2. Forged E-mail

2. Password attack

  • Password authentication is a means of identity authentication. The authentication process can be a user-to-host process, or it can be a computer sending a request to another computer over the network. Password-based authentication is a more common form.
  • Attackers often start their attack by deciphering the user's password. As long as the attacker can guess or determine the user's password, he can gain access to the machine or network and access any resources that the user can access. This is extremely dangerous if this user has domain administrator or root user rights.
  • Password attacks are hackers’ favorite method of invading networks. By obtaining the password of the system administrator or other special users, hackers gain management rights of the system, steal system information, files on the disk, and even destroy the system. The premise of this method is that you must first obtain the account of a legitimate user on the host, and then decipher the legitimate user's password.

Password attack methods:

  1. The first is to illegally obtain user passwords through network monitoring. This method has certain limitations, but is extremely harmful. Listeners often use interception methods, which is also an effective way to obtain user accounts and passwords.
  2. The second is to use some specialized software to forcibly crack the user's password after knowing the user's account (such as the front part of the email @). This method is not restricted by the network segment, but the attacker must have enough patience and time.
  3. The third type is to take advantage of the system administrator's mistakes: obtain the passwd file that stores user information and the shadow file that stores the DES-encrypted passwords.

Password attack techniques:

1. Brute force attack

  • From a technical perspective, the key to password protection is to increase the time cost for attackers to decipher passwords. For a fixed-length password, given a long enough time, all possible values can always be enumerated. If you have a fast enough computer that can try all combinations of letters, numbers, special characters, etc., you will eventually be able to crack every password. This type of attack is called a brute force attack.

2. Dictionary attack

  • A dictionary attack stores some common passwords with a high probability of use in a dictionary file and tries them one by one, using a method similar to a brute force attack. Generally, attackers have their own password dictionaries, which include commonly used words, phrases, numbers and their combinations, etc., and they constantly enrich their own dictionaries during the attack process. Attackers also often exchange their dictionaries. Using a 10,000-word dictionary can generally guess 70% of the passwords in a system. The most effective way to deal with dictionary attacks is to set an appropriate password. It is strongly recommended not to use your own name or simple words as your password. At present, many application systems test the strength of the password entered by the user; if a weak password is entered, the system will warn the user.

3. Combination attack

  • Dictionary attacks can only discover passwords that exist in the dictionary, but they are very fast. A brute force attack can discover all passwords, but takes a long time. Since many administrators require users to use both letters and numbers, the user's solution is often to add a few digits after the password, such as changing the password ericgolf to ericgolf55. Some people think that attackers then need to use brute force attacks. In fact, they can use combination attacks, that is, taking dictionary words and concatenating arbitrary letters or numbers at the end. This attack sits between the dictionary attack and the brute force attack, and its effect is significant.

4. Attacks on password storage

  • Usually, for the purpose of verification, the system will store the password in the system in plain text or cipher text. For attackers, if they can remotely control or operate the target host locally, they can obtain the plain text of these passwords through some technical means. This is an attack on password storage. Different systems store passwords in different locations. In addition, when the authentication program is running, the password or the ciphertext of the password will be loaded into memory. Therefore, password attacks include attacks on cached passwords, attacks on password files, and password attacks on other storage locations.
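As an added example (not code from the original article), the check below implements the kind of password strength test the text says many application systems perform: it flags dictionary words, dictionary words with a short appended tail (the combination attack's ericgolf55 pattern), and passwords whose brute-force search space is small enough to enumerate. The word list, the 4-character tail limit and the 40-bit threshold are constructed assumptions for the demo.

```python
import math
import re

# Constructed mini word list standing in for an attacker's dictionary; the article names no
# specific dictionary file, so this list is an assumption for the demo.
DICTIONARY = {"password", "ericgolf", "golf", "eric", "letmein", "qwerty", "dragon", "admin"}

# Longest tail a combination attack is assumed to append (the article's example appends "55").
MAX_TAIL = 4


def brute_force_bits(password: str) -> float:
    """Size of the brute-force search space, in bits, for a password of this length
    drawn from the character classes it actually uses."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return len(password) * math.log2(charset) if charset else 0.0


def classify_password(password: str, dictionary=DICTIONARY, min_bits: float = 40.0):
    """Return (verdict, reason). Verdicts mirror the attack classes in the article:
    'dictionary' (word in the list), 'combination' (word plus a short tail),
    'brute-force' (search space small enough to enumerate), or 'ok'."""
    lowered = password.lower()
    if lowered in dictionary:
        return "dictionary", "password is a dictionary word"
    # Combination attack: a dictionary word with a few letters/digits appended.
    for cut in range(len(lowered) - 1, 0, -1):
        head, tail = lowered[:cut], lowered[cut:]
        if head in dictionary and len(tail) <= MAX_TAIL and tail.isalnum():
            return "combination", f"dictionary word '{head}' plus tail '{tail}'"
    bits = brute_force_bits(password)
    if bits < min_bits:
        return "brute-force", f"only {bits:.1f} bits of search space"
    return "ok", f"{bits:.1f} bits of search space"


if __name__ == "__main__":
    for pw in ("ericgolf", "ericgolf55", "Zx7!", "T9#kLm2pQ@v1Rs"):
        print(pw, "->", classify_password(pw))
```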

Tools for cracking passwords:

  1. L0phtcrack
  2. NT Sweep
  3. NTCrack
  4. PWDump2
  5. Crack
  6. John the Ripper
  7. XIT
  8. Slurpee

3. Vulnerability attack:

Basic concepts of vulnerabilities:

  • A vulnerability is a flaw in hardware, software, or policy that allows an attacker to gain unauthorized access to a system. Under normal circumstances, a 99.99% error-free program will rarely have problems, and the use of those 0.01% errors will lead to 100% failure.

Type of vulnerability:

  1. Management vulnerabilities. If two servers use the same user/password, after server A is invaded, server B will not be spared either.
  2. Software vulnerabilities. Many programs will cause buffer overflow as long as they receive some exceptions or overly long data and parameters.
  3. Structural vulnerabilities. For example, because of unreasonable settings of switches and hubs on an important network segment, hackers can monitor the data of network communication flows. Another example is that security products such as firewalls are deployed unreasonably, so the relevant security mechanisms cannot function, lulling technical management personnel into a false sense of security and leading to hacker intrusion incidents.
  4. Trust vulnerabilities. For example, if the system trusts a certain external partner's machine too much, once the partner's machine is hacked, the security of the system will be seriously threatened.

Published vulnerabilities:

The 20 most dangerous security vulnerabilities published so far fall into three types:

  1. 7 vulnerabilities affecting all systems (G1~G7);
  2. 6 vulnerabilities affecting Windows systems (W1~W6);
  3. 7 vulnerabilities affecting UNIX systems (U1~U7).

4. Spoofing attack:

  1. IP spoofing
  2. IP source routing spoofing
  3. Email spoofing
  4. Web spoofing
  5. DNS spoofing

5. Denial of service attack:

Basic concept:
DoS is the abbreviation of Denial of Service and should not be confused with Microsoft's DOS operating system. A DoS attack is a network attack behaviour that uses reasonable service requests to occupy too many service resources, thereby preventing legitimate users from receiving service responses.

  • A single DoS attack generally adopts a one-to-one approach. When the attack target's performance indicators are low, such as a slow CPU, small memory or small network bandwidth, its effect is obvious. With the development of computer and network technology, computer processing capabilities have rapidly increased, memory has grown greatly, and gigabit-level networks have emerged, which makes DoS attacks more difficult. For example, if the attacker's attack software can send 4,000 attack packets per second, but the user's host and network bandwidth can handle 10,000 attack packets per second, the attack will have no effect.
  • At this point, distributed denial of service attacks (DDoS) came into being. If the processing power of computers and networks has increased by 10 times and using one attack machine is no longer effective, what if the attacker uses 10 attack machines to attack at the same time? What about 100? DDoS uses more "puppet machines" to launch an attack, attacking its victims on a larger scale than ever before. The distributed denial of service attack (DDoS) is an attack method based on traditional DoS attacks: DDoS uses multiple computers to launch distributed DoS attacks on one or more targets simultaneously.
  • A DDoS attack consists of three parts: client program (hacker host), control point (master), agent program (zombie), or attack point (daemon), as shown in Figure 5-15.

Some common phenomena when being attacked by DoS are as follows:

  1. There are a large number of waiting TCP connections on the attacked host.
  2. The network is flooded with a large number of useless data packets with false source addresses.
  3. Create high traffic of useless data, causing network congestion, making the victim host unable to communicate with the outside world normally.
  4. Taking advantage of defects in the services or transmission protocols provided by the victim host, it repeatedly issues specific service requests at a high speed, making it impossible for the victim host to process all normal requests in a timely manner.
  5. In severe cases, the system may crash.

TCP - SYN denial of service attack:
TCP SYN denial of service attack exploits the inherent vulnerabilities of the TCP/IP protocol, and the connection-oriented TCP three-way handshake is its basis.

Using this process, some malicious attackers can carry out so-called TCP SYN denial of service attacks, as shown in Figure 5-17.

  1. The attacker sends a TCP SYN message to the target computer.
  2. After receiving this message, the target computer establishes a TCP connection control structure (TCB), responds with an ACK, and waits for a response from the initiator.
  3. The initiator does not respond with an ACK message to the target computer, which causes the target computer to remain in a waiting state.

It can be seen that if the target computer receives the TCP SYN message but does not receive the third ACK response from the initiator, it will wait forever (the third handshake cannot be completed). In this case, the server will generally retry (send SYN+ACK to the client again) and wait for a period of time before discarding the unfinished connection. The length of this period is called the SYN Timeout. Generally speaking, this time is on the order of minutes (generally 0.5~2 minutes).

It is not a big problem for one user's exception to cause a server thread to wait for 1 minute. However, if a malicious attacker simulates this situation in large numbers, the server will consume a great deal of resources maintaining a very large half-open connection list, tens of thousands of half-open connections, which will exhaust the resources of the target computer and leave it unable to respond to normal TCP connection requests.

The main defense measures against SYN denial of service attacks include:

  • One type is filtering gateway protection through firewalls, routers, etc.
  • The other type is to strengthen the TCP/IP protocol stack defense.

The main technologies for gateway protection include SYN-cookie technology, monitoring-based source address status, and shortening the SYN Timeout. SYN-cookie technology implements a stateless handshake and avoids the resource consumption of a SYN flood. Monitoring-based source address status technology monitors the status of each IP address connected to the server and proactively takes measures to avoid the impact of SYN flood attacks.
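As an added example (not the article's or any real TCP stack's code), here is a toy Python model of the SYN-cookie defence described above: the server encodes the connection 4-tuple, a time counter and the MSS into its initial sequence number instead of allocating a connection control block, and validates the returned ACK statelessly, so spoofed SYNs that never complete cost it no memory. The secret key, the MSS table, the 10.0.0.x/192.168.x.y addresses and the counter that stands in for the SYN Timeout clock are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# Server secret keying the cookie hash; a constructed value for this demo (real stacks rotate it).
SECRET = b"constructed-demo-secret"
# MSS values encodable in the cookie's 3-bit MSS index (an assumed table for the demo).
MSS_TABLE = (536, 1300, 1440, 1460)


def _hash24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the connection 4-tuple and the full time counter."""
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, counter):
    """Server ISN for the SYN+ACK: 5 bits counter | 3 bits MSS index | 24 bits hash.
    Nothing is stored on the server, so a flood of SYNs costs no memory."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _hash24(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, counter, max_age=4):
    """Validate cookie = (ack number - 1) from the third handshake message.
    Returns the negotiated MSS if the cookie is genuine and recent, else None."""
    cookie &= 0xFFFFFFFF
    age = (counter - (cookie >> 27)) & 0x1F      # counter slots elapsed since minting
    if age > max_age:
        return None                              # stale: treated like an expired SYN Timeout
    minted = counter - age
    if (cookie & 0xFFFFFF) != _hash24(src_ip, src_port, dst_ip, dst_port, minted):
        return None                              # forged, or replayed for a different 4-tuple
    mss_idx = (cookie >> 24) & 0x7
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None


class Listener:
    """Toy listening socket: keeps a half-open table (classic) or answers with SYN cookies."""

    def __init__(self, ip, port, use_cookies):
        self.ip, self.port, self.use_cookies = ip, port, use_cookies
        self.half_open = {}      # (src_ip, src_port) -> ISN: the per-SYN state a flood exhausts
        self.established = set()
        self.counter = 0         # advanced by the caller as time passes

    def on_syn(self, src_ip, src_port, mss=1460):
        """Handle a SYN; return the ISN the server puts in its SYN+ACK."""
        if self.use_cookies:
            return make_cookie(src_ip, src_port, self.ip, self.port, mss, self.counter)
        isn = len(self.half_open) + 1
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack_number):
        """Handle the third handshake message; return True if the connection is established."""
        key = (src_ip, src_port)
        if self.use_cookies:
            if check_cookie(ack_number - 1, src_ip, src_port, self.ip, self.port, self.counter) is None:
                return False
        else:
            if self.half_open.get(key) != ack_number - 1:
                return False
            del self.half_open[key]
        self.established.add(key)
        return True


def flood_and_connect(use_cookies, spoofed_syns=10000):
    """Fire spoofed SYNs that never complete, then one genuine handshake and one forged ACK.
    Returns (half-open entries held after the flood, genuine client connected, forged ACK accepted)."""
    srv = Listener(b"\x0a\x00\x00\x01", 80, use_cookies)           # constructed server 10.0.0.1
    for i in range(spoofed_syns):
        src = struct.pack("!I", 0xC0A80000 + i)                    # constructed spoofed 192.168.x.y
        srv.on_syn(src, 40000 + (i % 20000))
    backlog = len(srv.half_open)
    client = (b"\x0a\x00\x00\x02", 51515)                          # constructed client 10.0.0.2
    isn = srv.on_syn(*client)
    genuine = srv.on_ack(*client, isn + 1)
    forged = srv.on_ack(b"\x0a\x00\x00\x03", 51516, 0x12345678)   # guessed ACK with no prior SYN
    return backlog, genuine, forged


if __name__ == "__main__":
    print("classic half-open table:", flood_and_connect(False))
    print("SYN cookies:            ", flood_and_connect(True))
```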

ICMP flood, UDP flood:

  • Under normal circumstances, in order to diagnose the network, some diagnostic programs such as Ping will send an ICMP echo request message (ICMP ECHO). After receiving the ICMP ECHO, the receiving computer will respond with an ICMP ECHO Reply message. This process requires CPU processing, and in some cases may consume a large amount of resources, such as when processing fragments. Thus, if an attacker sends a large number of ICMP ECHO messages to the target computer (generating an ICMP flood), the target computer will be busy processing these ECHO messages and will be unable to continue processing other network data messages. This is also a denial of service attack (DoS).
  • The principle of UDP flooding is similar to ICMP flooding. The attacker sends a large number of UDP messages to the target computer, causing the target computer to be busy processing these UDP messages and unable to continue processing normal messages.

Smurf attack:
Smurf is a DoS attack with amplification effect and is very harmful. This form of attack takes advantage of the directed broadcast feature in TCP/IP.

  • People usually use ICMP ECHO request packets to diagnose the network. When a computer receives such a message, it will respond with an ICMP ECHO Reply to the source address of the message. Under normal circumstances, the computer does not check the source address of the ECHO request. Therefore, if a malicious attacker sets the source address of the ECHO to a broadcast address, the computer will use the broadcast address as the destination when replying with the ICMP ECHO Reply, so all computers on the local network must process these broadcast messages. If the attacker sends enough ECHO request messages, the generated ICMP ECHO Reply broadcast messages may flood the entire network. This is called a Smurf attack.
  • In addition to setting the source address of the ECHO message as a broadcast address, the attacker may also set the source address as a subnet broadcast address, so that the computer on the subnet may be affected. In order to prevent becoming an accomplice of DoS, it is best to turn off the broadcast address feature of the external router or firewall; filter out ICMP messages on the firewall, or disable Ping on the server, and only open the Ping service when necessary.

Teardrop attack:

  • The attack exploits the trust that the TCP/IP stack places in the information contained in the headers of IP fragments. Each IP fragment carries information indicating which part of the original packet it contains. Some TCP/IP implementations (including Windows NT before Service Pack 4) will crash when receiving forged fragments containing overlapping offsets. Large IP packets need to be fragmented for transmission in order to meet the MTU (Maximum Transmission Unit) requirements of the link layer. For example, a 4500-byte IP packet needs to be divided into 3 IP packets when transmitted on a link with an MTU of 1500.
  • There is an offset field and a more-fragments flag (MF) in the IP header. If the MF flag is set to 1, it indicates that this IP packet is a fragment of a larger IP packet. The offset field indicates the position of this fragment within the entire IP packet.
  • For example, if a 4500-byte IP packet is fragmented (MTU is 1500), the values of the offset fields in the three fragments are 0, 1500, and 3000. With this information, the receiving end can successfully reassemble the IP packet. If an attacker breaks this normal situation and sets the offset field to an incorrect value, overlaps or gaps may occur, which may cause the target operating system to crash. For example, setting the above offsets to 0, 1300, 3000 is the so-called teardrop attack.
  • The best way to defend against teardrop attacks is to upgrade the service pack software, such as downloading operating system patches or upgrading the operating system; reorganizing the packets without forwarding them when setting up the firewall can also prevent this attack.
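As an added example (not from the original article), the following Python performs the check a reassembling firewall makes before forwarding a fragmented datagram: it rejects a fragment set with the overlap or gaps a teardrop packet produces, and only reassembles a consistent set. Offsets and lengths are in bytes as the article expresses them (the real IP header field counts 8-byte units), and the sample fragments are constructed from the article's 4500-byte, three-fragment example.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's data within the original datagram
    data: bytes   # fragment payload
    more: bool    # MF flag: True on every fragment except the last

    @property
    def end(self):
        return self.offset + len(self.data)


def check_fragments(fragments, total_length):
    """Validate a complete fragment set before reassembly, as a reassembling firewall would.
    Returns (True, 'ok') or (False, reason)."""
    if not fragments:
        return False, "no fragments"
    frags = sorted(fragments, key=lambda f: f.offset)   # fragments may arrive out of order
    expected = 0                                         # next byte offset we expect to see
    for i, f in enumerate(frags):
        if f.offset < expected:
            return False, f"overlap: fragment at offset {f.offset} overlaps data ending at {expected}"
        if f.offset > expected:
            return False, f"gap: {f.offset - expected} bytes missing before offset {f.offset}"
        is_last = i == len(frags) - 1
        if f.more == is_last:                            # MF must be set on all but the last
            return False, f"MF flag wrong on fragment at offset {f.offset}"
        expected = f.end
    if expected != total_length:
        return False, f"length mismatch: got {expected}, expected {total_length}"
    return True, "ok"


def reassemble(fragments, total_length):
    """Rebuild the datagram; raises ValueError instead of copying inconsistent fragments."""
    ok, reason = check_fragments(fragments, total_length)
    if not ok:
        raise ValueError(reason)
    buf = bytearray(total_length)
    for f in fragments:
        buf[f.offset:f.end] = f.data
    return bytes(buf)


def page_example(second_offset):
    """The article's 4500-byte datagram split into three 1500-byte fragments, with the middle
    fragment at the given offset (1500 is the correct value, 1300 is the teardrop case)."""
    frags = [Fragment(0, b"A" * 1500, True),
             Fragment(second_offset, b"B" * 1500, True),
             Fragment(3000, b"C" * 1500, False)]
    return check_fragments(frags, 4500)


if __name__ == "__main__":
    print("offsets 0/1500/3000:", page_example(1500))
    print("offsets 0/1300/3000:", page_example(1300))
```
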

4. Network backdoor and network stealth consolidation technology

Simply put, a backdoor is a covert channel through which an attacker can re-enter a network or system without being discovered. The simplest method is to open a port that is monitored by a port listening agent. There are many softwares that can do this.

It is quite easy to establish a backdoor when you have obtained the storage rights of the system. However, when you have not fully obtained the access rights to the system, you can usually achieve this by using a Trojan horse. A Trojan horse is a program that can reside in the other party's system.

Trojan horses generally consist of two parts:

  • A server side called a Trojan horse that resides on the other party's server.
  • The remote program that can connect to the Trojan server is called a client.

The function of the Trojan is to control the server through the client, and then control the other party's host. On the surface, Trojan horse programs do not cause any damage, but in fact they hide functions that can control the user's entire computer system, open backdoors, and other functions that endanger system security.

Set up proxy springboard:

  • When invading other hosts locally, your IP will be exposed to the other party. By setting a certain host as a proxy and then invading other hosts through this host, the IP address of the proxy will be left behind, thus effectively protecting your own security.

The basic structure of the secondary agent is shown in Figure 5-18.

Clear log:

After successfully gaining access and completing their intended goal, the attacker has one last job to complete: hiding the traces of the attack. This includes re-entering the system and hiding all evidence of having been there. To achieve this goal, there are four aspects of work to be done.

1. Log files

  • Most systems use log files to detect who has entered the system and how long they stayed. Depending on the levels set in the log files, you can also discover what they did and which files they operated on. Before using log files for monitoring, you must first do two things: first, you must turn on the logging function of the system; second, read the contents of the log files in detail. Many administrators do not turn on the function option of recording log files, and even if they are turned on, they do not read it regularly. Therefore, even if the hacker does not hide his traces, there is a high chance that he will not be discovered.
  • Experienced attackers will not take this risk, they will clear all log files. This can be done in two ways. The simplest one is to log into the system and delete all log files. When a large number of log files suddenly become very small, the system will automatically notify the system administrator because there is a trigger at the end of each log file. The second method is that the attacker can "heal" the log file, first obtain the log file, and then delete the part related to the attack record. The difficulty of the work varies depending on the system being attacked, because Windows NT systems and UNIX systems process log files differently.

2. File information

  • In order to gain access to the system and create a backdoor, attackers usually have to modify certain system files. When they do this, some information about the file, such as its modification time and length, changes, which can also be used to determine whether the system has been attacked.
  • For attackers, it is critical to restore the system to its previous state after entering it and implanting the backdoor program. Therefore every modified file should be restored to, or made to look like, its original state. The file's modification date can be handled easily: enter the system, change the system clock to the time when the file was first modified, and then re-save the file; because the system does not know that the current date is wrong, the file appears to have been modified during the first installation and will not arouse suspicion. Afterwards, change the wrong date back to the correct one.
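The two points above suggest the defender's counter: a baseline of sizes, timestamps and content hashes, since resetting the clock fools a modification-time check but not a hash, and a log that lost most of its bytes stands out against its recorded size. The following is an added example (not code from the original article); the file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (size, mtime_ns, sha256) for every regular file under root."""
    table = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            table[str(path.relative_to(root))] = (st.st_size, st.st_mtime_ns, digest)
    return table


def compare(before, after):
    """Return sorted (path, finding) pairs for files whose state looks tampered with."""
    findings = [(p, "new file") for p in after if p not in before]
    for path, (size0, mtime0, hash0) in before.items():
        if path not in after:
            findings.append((path, "deleted"))
        elif after[path][0] < size0 // 2:
            # A log that lost most of its bytes is consistent with deleted records.
            findings.append((path, "shrank from %d to %d bytes" % (size0, after[path][0])))
        elif after[path][2] != hash0 and after[path][1] == mtime0:
            # Content differs but mtime matches the baseline: the clock-reset trick beats mtime checks, not hashes.
            findings.append((path, "content changed, mtime restored"))
    return sorted(findings)


def demo():
    # Constructed scenario: truncate a log, edit a binary, then put its mtime back.
    root = tempfile.mkdtemp()
    try:
        log, binary = Path(root, "auth.log"), Path(root, "sshd")
        log.write_text("login ok\n" * 100)
        binary.write_bytes(b"\x7fELF original")
        before = snapshot(root)
        old = binary.stat().st_mtime_ns
        log.write_text("login ok\n")               # most records removed
        binary.write_bytes(b"\x7fELF patched")     # backdoored content
        os.utime(binary, ns=(old, old))            # timestamp set back
        return compare(before, snapshot(root))
    finally:
        shutil.rmtree(root)
```

The baseline must of course be stored somewhere the attacker cannot rewrite, otherwise it can be regenerated after the modification.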

3. Additional information

  • In many cases, hackers must upload or install additional files in order to gain access to the system. These files, used to hide traces or to launch new attacks on other sites, take up a certain amount of disk space. System administrators can check the free disk space to determine whether an attack has occurred.

Attackers who want to hide the additional files they upload can use the following methods.

  • Set the hidden attribute on a file: all file systems allow the file owner to mark a file as hidden. When a file is hidden, a user who simply runs the directory listing command will not see it.
  • Rename files: in most systems there is a system directory where many important files are stored. The attacker can give his own file a name similar to those files, so the chance of the administrator noticing it is very small. This suits situations where there are relatively few files to hide.
  • Create hidden directories or shared devices: if a hard disk is large, many partitions can be created. Normally, system administrators only check the main system partition, so a partition created by an attacker is likely to escape inspection. This suits the case where a large number of files must be hidden.
  • Tools that alter the reported disk space: if the administrator uses a tool to check the system's remaining space, he will notice the missing space. If the attacker can upload a Trojan in place of that tool, it can deceive the administrator about how much space is left.
  • Use steganography tools: steganography (information hiding) tools allow attackers to hide their data inside another file. Hackers therefore use such tools to hide their important files inside important system files.
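The first two methods above (hidden attribute, lookalike names) can be swept for mechanically: flag hidden or whitespace-padded names, and compare every other name against the set an administrator expects, reporting those that differ from an expected name by a single character. This is an added example, not code from the original article; `KNOWN_NAMES` is a constructed stand-in for a real manifest (for instance the package manager's file list), and the hidden-file check uses the UNIX leading-dot convention rather than the Windows hidden attribute.

```python
import os
import shutil
import tempfile

# Constructed allow-list standing in for the names an administrator expects in a
# system directory; a real deployment would take it from the package manager.
KNOWN_NAMES = {"sshd", "cron", "rsyslogd", "systemd"}


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sweep(directory, known=KNOWN_NAMES):
    """Return (name, reason) pairs for entries that deserve a closer look."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if name.startswith(".") or name != name.strip():
            # On UNIX the "hidden attribute" is just a leading dot; padding spaces
            # make a name look identical to a legitimate one in a listing.
            findings.append((name, "hidden or whitespace-padded name"))
        elif name not in known:
            near = sorted(k for k in known if edit_distance(name, k) == 1)
            reason = "looks like %s" % near[0] if near else "not in the expected file set"
            findings.append((name, reason))
    return findings


def demo():
    # Constructed directory: two expected daemons, a dot-hidden copy, a one-character
    # lookalike and an unrelated archive.
    root = tempfile.mkdtemp()
    try:
        for name in ["sshd", "cron", ".sshd", "cr0n", "extra.tar"]:
            open(os.path.join(root, name), "w").close()
        return sweep(root)
    finally:
        shutil.rmtree(root)
```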

4. Network communication traffic

  • When hackers attack a system, in most cases they do so over the network. This also means that attackers must clean up the traces they leave on the network. Since network systems run IDS (intrusion detection systems), any suspicious network communication will be flagged. Deleting records on an IDS is very difficult because it monitors in real time.
  • With the widespread use of network intrusion detection systems and firewalls, attackers must pay attention to how to hide their traces on the network. If attackers can hide their attacks, or make them less conspicuous by disguising them as legitimate network communication, they may evade capture. Tools that can be used for this include Loki, Reverse wwwshell and CovertTCP. The first two disguise the traces left by the attacker as legitimate communication on the network, and the third evades the administrator's detection by hiding these traces inside the data packets themselves.
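Disguising traffic as legitimate communication is detectable when the disguise is imperfect: Loki, for instance, carries its data in ICMP echo packets, and stock ping payloads have a recognisable shape (Linux fills the data after its timestamp with the bytes 0x10..0x37, Windows with "abcdefgh...") that smuggled data does not. The following is an added example, not code from the article or any of the tools named; the packets are constructed in `demo()`, and the `min_run` threshold is an assumption, not a standard.

```python
import struct


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; verifies to 0 over a packet that carries it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return ~total & 0xFFFF


def build_echo(ident, seq, payload, reply=False):
    """Constructed ICMP echo request/reply (no IP header); used only to make sample input."""
    typ = 0 if reply else 8
    csum = icmp_checksum(struct.pack("!BBHHH", typ, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload


def longest_increment_run(data):
    """Length of the longest run in which each byte equals the previous byte plus one."""
    best = run = min(len(data), 1)
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == (prev + 1) & 0xFF else 1
        best = max(best, run)
    return best


def classify_echo(packet, min_run=16):
    """Verdict for one ICMP packet. Stock ping payloads contain a long incrementing
    run; data smuggled in the payload does not. min_run is an assumed threshold."""
    if len(packet) < 8:
        return "malformed"
    if packet[0] not in (0, 8):
        return "not-echo"
    if icmp_checksum(packet) != 0:
        return "bad-checksum"
    return "expected" if longest_increment_run(packet[8:]) >= min_run else "suspicious"


def demo():
    # Constructed samples: a Linux-style ping payload (16 timestamp bytes, then
    # 0x10..0x37) and an echo request whose payload carries text instead.
    normal = bytes(16) + bytes(range(0x10, 0x38))
    covert = b"covert channel sample, chunk 03 of 09"
    return [classify_echo(build_echo(0x1234, 1, normal)),
            classify_echo(build_echo(0x1234, 2, covert)),
            classify_echo(build_echo(0x1234, 3, normal, reply=True))]
```

A tunnel that copies the stock pattern exactly would pass this check, so in practice it is paired with volume and timing baselines (a host that suddenly sends thousands of echo requests is itself a signal).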

Origin blog.csdn.net/text2207/article/details/133297210