现充|junyu33

Network A/D Notes

The content is excerpted from the instructor's PPT. Apart from correcting obvious factual errors (such as changing /etc/password to /etc/passwd), it does not represent personal opinions.

Network Attack Techniques

(Key Points) Criteria and Categories of Attack Classification

Criteria: Mutual exclusivity, comprehensiveness, non-ambiguity, repeatability, acceptability, and practicality.

Categories: From the attacker's perspective, attacks can be classified into physical (local) attacks, active attacks, passive attacks, and man-in-the-middle attacks.

(Key Points) Attack Steps and Methods, Detailed Understanding of Each Step

Attack Steps:

Physical Attacks and Social Engineering

Definition of Physical Attack: A method of attack that bypasses physical security protection systems through various technical means to gain access to protected facilities or equipment resources, thereby obtaining or destroying protected information stored in the physical media of information systems.

Definition of Social Engineering: The art and science of exploiting human folly to manipulate individuals into performing desired actions or divulging confidential information.

Information Gathering Techniques

Definition, Content, Classification, and Necessity of Open Source Intelligence (OSINT) Gathering

Information Gathering: Refers to all reconnaissance activities conducted by hackers before or during an attack to carry out attacks more effectively.

Content: Domain names and IP addresses, security measures, internal network structure, domain organization, user emails, OS types, open ports, system architecture, sensitive files and directories, application types, etc.

Necessity:

Classification:

(Key Points) Types of Network Scanning (Host, Port, System Type Scanning) and Principles

Scanning Types:

Purpose, Principles, Components, and Methods of Vulnerability Scanning

Vulnerability detection involves inspecting critical computer information systems to identify weaknesses that could be exploited by hackers. This technology generally employs two strategies: passive and active.

The main methods of vulnerability detection include: direct testing, inference, and credentialed testing.

Network Topology Discovery (Topology Detection, Network Device Identification, Geolocation of Network Entity IPs)

Topology Detection: traceroute, SNMP

Device Identification: shodan, zoomeye, FTP, SSH, telnet, HTTP

IP Geolocation: Query-based Geolocation, Network Measurement-based Geolocation

Password Attacks

Definition and Function of Passwords (Operating System Passwords)

A password is a code or phrase typically composed of letters, numbers, or symbols, used to identify and verify the identity of an individual or system. Its main functions include: identity authentication, security assurance, privacy protection, data encryption, and access control.

Attack Methods Against Password Strength

Dictionary, Brute Force, Combination, Credential Stuffing, Rainbow Table

Storage Methods

Linux:

Windows:

Transmission Methods

Methods to Prevent Password Attacks

Software Vulnerabilities

Definition of Vulnerability

Refers to errors, flaws, and oversights in the design or implementation of information system hardware, software, operating systems, network protocols, databases, etc., that can be exploited by attackers.

In simpler terms, a vulnerability is a weakness in a system that can be taken advantage of by an attack.

Common Vulnerability Types

Common vulnerability types:

(Key Points) Principles of Stack Overflow Vulnerability Exploitation (Memory Distribution, Memory Changes During Exploitation, Push/Pop Operations, and Stack Overflow Principles)

The content of the PPT is difficult to summarize concisely. Using GPT-4, a brief summary is provided as follows:

A stack overflow occurs when data exceeds the memory space allocated for the stack. In memory, the stack is responsible for storing local variables and function call information. When too much data is pushed onto the stack (adding data), exceeding its boundaries, adjacent memory regions can be overwritten. This overflow can be exploited to tamper with the stack's control information (such as the return address), leading to the execution of unintended code.

For detailed steps, refer to this article. Reading up to the section on shellcode is sufficient.

(Key Points) Principles of Overflow Vulnerability Exploitation (Basic Process, Key Techniques: Overflow Point Location, Overwriting Execution Control Addresses, Overwriting Exception Handling Structures, Determining Jump Addresses, Shellcode Location and Jumping)

Basic Process: Where to inject the "overflow" data? How long should the data be to overwrite the return address? What content should be used to overwrite the return address? What kind of attack code should be executed?

Definition, Purpose, Steps for Writing, Considerations, and General Methods for Writing Shellcode

Definition: Shellcode is a piece of machine code that can perform specific functions and be executed directly by a computer. It is typically represented in hexadecimal form.

Purpose: Establishing reverse connections, uploading (or downloading) and executing Trojan horses or viruses, among other tasks.

Steps for Writing: Typically written in assembly language.

Considerations: Ensure proper exit, handle null bytes, and load DLLs.

General Methods for Writing Shellcode: List the function addresses corresponding to each version of the Windows operating system and use different addresses for different OS versions. The steps for dynamically locating function addresses (i.e., using GetProcAddress and LoadLibrary functions to dynamically obtain the addresses of other functions) are as follows:

Principles of Environment Variable Attacks, Set-UID Concepts, and Attack Case Analysis

Principle: The hidden use of environment variables is dangerous. Since users can set environment variables, they become part of the attack surface for Set-UID programs.

Set-UID Concept: Allows users to temporarily run a program with the (elevated) permissions of the program's owner.

Case Analysis:

Web Application Attacks

Fundamentals of Web Applications (Architecture, Basic Content)

Web servers (web pages, databases), Web clients, HTTP protocol

(Key Points) XSS Attack (Definition, Same-Origin Policy, Risks, Code Vulnerability Analysis and Exploitation Methods, Types, Preventive Measures)

Definition: XSS attacks occur due to insufficient filtering of user input by web applications, allowing attackers to input specific data that is interpreted as JavaScript scripts or HTML code.

Same-Origin Policy: This policy means that cookies set by webpage A cannot be accessed by webpage B unless the two webpages are "same-origin." "Same-origin" refers to "three samenesses" (same protocol, same domain, same port).

Risks: Phishing, extraction of client-side information, DDoS attacks, privilege escalation, worm propagation, etc.

Types: Reflected (non-persistent, parameter-based, appended to URLs), Stored (persistent, comments, databases), DOM-based XSS (JavaScript-based, does not require server interaction), etc.

Preventive Measures: HttpOnly, secure coding practices

SQL Injection Attack (Definition, Types, Injection Steps, Privilege Escalation Methods, Definition of Database Exposure, Prevention Measures)

Definition: Submitting carefully crafted SQL query statements to a website, causing it to return critical data information.

Attack Types: Character-based, Numeric, Error-based, Blind SQL Injection

Injection Steps: Discover injection points, identify database type, guess table names, guess field names, extract content, access the admin page to upload malicious files.

Privilege Escalation Methods: For example, cracking pcAnywhere .cif files, exploiting Serv-U for privilege escalation (local overflow, VBS scripts).

Definition of Database Exposure: Using technical means or program vulnerabilities to obtain the database address and illegally download data to a local machine.

Prevention Measures: Escape special characters, input validation and filtering, parameterized queries.
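The difference between building the SQL text from input and using a parameterized query, as an added example that is not from the instructor's PPT. The `users` table, its rows and the input strings are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concat(db, name):
    """Vulnerable: the input is pasted into the SQL text and parsed as SQL."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_param(db, name):
    """Hardened: the input is bound as a value and is never parsed as SQL."""
    query = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

# Constructed character-based input: closes the quote and appends a tautology.
CRAFTED = "nobody' OR '1'='1"
# Constructed legitimate input that contains a quote character.
QUOTED_NAME = "o'brien"

if __name__ == "__main__":
    db = make_db()
    print("concat, crafted:", lookup_concat(db, CRAFTED))
    print("param,  crafted:", lookup_param(db, CRAFTED))
    print("param,  quoted: ", lookup_param(db, QUOTED_NAME))
    try:
        lookup_concat(db, QUOTED_NAME)
    except sqlite3.OperationalError as err:
        print("concat, quoted:  query breaks:", err)
```

The concatenated query also fails on the harmless name with an apostrophe, which is a quick sign that input is reaching the SQL parser.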

HTTP Session Attacks and Defense (Session ID Prediction, Session ID Theft, Session ID Control, CSRF Attacks, Preventive Measures)

To prevent session ID prediction attacks, it is recommended to use built-in session management mechanisms provided by programming languages, such as those in PHP and Java.

To counter session ID theft attacks, different preventive measures should be taken based on the specific methods used for theft. For instance, session ID theft attacks carried out via XSS can be mitigated by using the HttpOnly attribute.

To defend against session fixation attacks, it is advisable to avoid session-adopting web environments whenever possible or implement safeguards against session adoption methods.

To prevent session persistence attacks, the primary defense is to ensure that session IDs are not valid for extended periods. This can be achieved through measures such as forced session destruction or changing the session ID after user login.
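The four session defenses above combined in one small session store, as an added example that is not from the instructor's PPT. The class name, the cookie name `sid` and the 900-second lifetime are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

class SessionStore:
    """Server-side session table; IDs are only ever created by the server."""
    def __init__(self, max_age=900):
        self.max_age = max_age   # lifetime in seconds (assumed value)
        self.sessions = {}       # session ID -> {"user": ..., "created": ...}

    def start(self, user=None, now=None):
        sid = secrets.token_urlsafe(32)   # from the OS CSPRNG, not predictable
        created = time.time() if now is None else now
        self.sessions[sid] = {"user": user, "created": created}
        return sid

    def get(self, sid, now=None):
        """Return the session, or None if the ID is unknown or expired."""
        now = time.time() if now is None else now
        session = self.sessions.get(sid)
        if session is None:
            return None                   # client-supplied IDs are never adopted
        if now - session["created"] > self.max_age:
            del self.sessions[sid]        # forced destruction after max_age
            return None
        return session

    def login(self, old_sid, user, now=None):
        """Destroy the pre-login session and issue a fresh ID for the user."""
        self.sessions.pop(old_sid, None)
        return self.start(user=user, now=now)

def cookie_header(sid):
    """Build the Set-Cookie value with HttpOnly so scripts cannot read the ID."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()
```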

To defend against CSRF attacks, the following measures can be taken:

Fake Message Attacks

(Key Points) Principles and Attack Strategies of Packet Sniffing and Spoofing (TCP Communication Code and Process, IP Spoofing Attacks and Prevention)

Packet sniffing can be implemented with raw sockets (create a raw socket, capture all types of packets, enable promiscuous mode, wait for packets), or with the pcap API and Scapy.

When certain critical information in a packet is forged, it is referred to as packet spoofing. Packet spoofing involves two main steps: constructing the packet (filling in the ICMP header and IP header) and sending the packet out.

(Key Points) What is the TCP Protocol, How the TCP Protocol Works, Principles and Steps of SYN Flooding Attacks, Principles and Steps of TCP Reset Attacks, Principles and Steps of TCP Session Hijacking Attacks

The Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite, operating at the transport layer on top of the IP layer. It provides host-to-host communication services for applications. There are two transport layer protocols: TCP (connection-oriented, reliable) and UDP (connectionless, unreliable, lower overhead).

How the TCP Protocol Works: SYN, SYN-ACK, ACK

Principle of SYN Flooding Attack: The attack fills the queue that stores half-open connections so that there is no space left to store TCBs for any new half-open connections, which essentially prevents the server from accepting any new SYN packets.

Steps to Implement SYN Flooding: Continuously send a large number of SYN packets to the server. This consumes space in the queue by inserting TCB records without completing the third step of the handshake.

Principle of TCP Reset Attack: The goal is to disconnect the TCP connection between A and B. A forged RST packet must have the correct source IP address, source port, destination address, destination port, and sequence number (within the receiver's window).

Steps of TCP Reset Attack: Use Wireshark on the attacker's machine to sniff traffic and retrieve the target port, source port number, and sequence number.
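A receiver-side model of the RST check described above, as an added example that is not from the instructor's PPT. It goes beyond the notes by also showing the stricter RFC 5961 rule (exact sequence match, otherwise a challenge ACK); the addresses, ports and window size are constructed.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

class Connection:
    """Receiver-side state of one established connection (constructed values)."""
    def __init__(self, local, remote, rcv_nxt, rcv_wnd):
        self.local = local      # (ip, port) of this host
        self.remote = remote    # (ip, port) of the peer
        self.rcv_nxt = rcv_nxt  # next sequence number the receiver expects
        self.rcv_wnd = rcv_wnd  # receive window size in bytes

def in_window(conn, seq):
    """True if seq is in [rcv_nxt, rcv_nxt + rcv_wnd), allowing for wraparound."""
    return (seq - conn.rcv_nxt) % MOD < conn.rcv_wnd

def handle_rst(conn, src, dst, seq, strict=True):
    """Decide what the receiver does with an RST: drop, challenge_ack or reset."""
    if (src, dst) != (conn.remote, conn.local):
        return "drop"            # addresses or ports do not match this connection
    if not in_window(conn, seq):
        return "drop"            # sequence number outside the receive window
    if strict and seq != conn.rcv_nxt:
        return "challenge_ack"   # RFC 5961: in window but not exact, ask the peer
    return "reset"               # connection is torn down

def resetting_seq_values(conn, strict=True):
    """How many of the 2**32 sequence numbers would tear the connection down."""
    return 1 if strict else conn.rcv_wnd

if __name__ == "__main__":
    server, client = ("10.0.0.2", 23), ("10.0.0.1", 40000)
    conn = Connection(server, client, rcv_nxt=MOD - 100, rcv_wnd=1000)
    for seq in (MOD - 100, 50, 2000):
        print(seq, handle_rst(conn, client, server, seq, strict=False),
              handle_rst(conn, client, server, seq, strict=True))
```

The strict rule only raises the cost of guessing from off the path; a party that can sniff the connection sees the exact sequence number.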

Principle of TCP Session Hijacking Attack: The goal is to inject data into an established connection. A forged TCP packet must be set up with the same parameters as in a reset attack.

Steps of TCP Session Hijacking Attack: Same as the TCP reset attack.

(Key Points) DNS Attacks (Domain Name Structure, Query Process, Types and Principles of DNS Attacks (Local DNS Cache Poisoning Attack, Remote DNS Cache Poisoning Attack, Malicious DNS Server Response Spoofing Attack), Prevention Measures)

Domain Name Structure: Root domain, top-level domain, authoritative domain, etc.

Query Process: Iterative query and recursive query

Types and Principles of DNS Attacks:

Prevention Measures: DNSSEC provides authentication and integrity checks for DNS data. All answers from DNSSEC-protected zones are digitally signed. By verifying the digital signature, DNS resolvers can ensure the authenticity of the information. DNS cache poisoning will be defeated by this mechanism, as any forged data will be detected and fail the signature verification. (Strong machine translation tone)

Meltdown and Spectre Attacks

CPU Cache Principles

Caches rely on the principle of locality: computer programs tend to repeatedly access the same data and instruction sets within a short period of time. Since cache access is faster than memory access, using a cache can significantly improve the average execution performance of programs.

(Key Point) Principle of Side-Channel Attacks

However, if the CPU attempts to access data that is not present in the cache, a time delay will occur, as the target data must be reloaded from memory into the cache. Measuring this time delay may allow an attacker to determine the occurrence and frequency of cache misses.

(Key Points) Meltdown Attack Concept

Meltdown attacks exploit the out-of-order execution feature of modern processors to bypass memory isolation. Although certain memory addresses should not be accessible, they are cached due to out-of-order execution. When the program accesses these addresses again, the access time is significantly reduced. This timing difference can be used to infer the original values stored in those memory addresses.

(Key Points) Spectre Attack Concept

The core idea of the Spectre attack is similar to that of the Meltdown attack, except that it leverages the branch prediction feature of modern processors.

Traceability Technology

Overview of Traceability and Attribution

Objective: To identify the attacker's identity, the location of the attack point, and the attack path, among other information.

Based on the depth of traceability, it can be categorized into:

Typical scenarios: Within a domain, cross-domain.

Challenges in Traceability

The challenges include:

Typical Techniques for Traceability and Source Tracking

Common techniques include:

The development trends include: