Network Security ------ network attack classification

Source: Internet
Author: User
I. Read attacks
Read attacks include every attack whose aim is to retrieve information from the victim. The attacker scans ports and vulnerabilities within the organization's IP address range and finally extracts information from the vulnerable hosts.

1. Reconnaissance (recon) attacks

Reconnaissance attacks are designed to give the attacker more information about the victim. They can use active or passive methods. In almost all cases a successful reconnaissance attack greatly increases the chance that later attacks succeed, because the attacker now knows more about the victim.
Data gathering: This is the first step of every network attack. The attacker combines various network utilities with Internet search-engine queries to collect information. Commonly used utilities are whois, nslookup, finger, traceroute, ping and Google. With them the attacker can learn the IP addresses of key systems, the address ranges assigned to the victim, and the victim's Internet service provider.
Probing and scanning: Also known as port scanning or vulnerability scanning. The attacker uses the data gathered above to learn about the target network; normally a port scan is performed first and a vulnerability scan second. With a tool such as Nmap, the attacker can learn every reachable public IP address on the target network, a guess of the operating system running on each reachable system, the services running on each IP address, the type of firewall in front of them, and whether the network is protected by a firewall at all. Note to self: write an article about Nmap usage when time permits.
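Port scans are noisy, and the noise is what a defender looks for. The following is an added example, not code from the original article: it reads a constructed sample of firewall connection-log lines (the log format, the addresses and the thresholds are all assumptions) and flags any source that sent SYNs to many distinct ports of one host inside a short time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection-log lines (not from the page); format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <tcp_flags>"
SAMPLE_LOG = """\
2024-01-10T10:00:00 203.0.113.7 -> 192.0.2.10:22 S
2024-01-10T10:00:00 203.0.113.7 -> 192.0.2.10:23 S
2024-01-10T10:00:01 203.0.113.7 -> 192.0.2.10:25 S
2024-01-10T10:00:01 203.0.113.7 -> 192.0.2.10:80 S
2024-01-10T10:00:01 203.0.113.7 -> 192.0.2.10:110 S
2024-01-10T10:00:02 203.0.113.7 -> 192.0.2.10:143 S
2024-01-10T10:00:02 203.0.113.7 -> 192.0.2.10:443 S
2024-01-10T10:00:02 203.0.113.7 -> 192.0.2.10:445 S
2024-01-10T10:00:03 203.0.113.7 -> 192.0.2.10:3306 S
2024-01-10T10:00:03 203.0.113.7 -> 192.0.2.10:3389 S
2024-01-10T10:00:05 198.51.100.4 -> 192.0.2.10:443 S
2024-01-10T10:00:06 198.51.100.4 -> 192.0.2.10:443 S
2024-01-10T10:00:07 198.51.100.9 -> 192.0.2.11:80 S
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, flags)."""
    ts, src, _arrow, dst, flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), flags

def detect_port_scans(log_text, window=timedelta(seconds=10), min_ports=8):
    """Return {src_ip: (dst_ip, sorted distinct ports)} for every source that
    sent SYNs to at least `min_ports` distinct ports of one destination
    within `window`. Both thresholds are assumptions to tune per environment."""
    probes = defaultdict(list)  # (src_ip, dst_ip) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port, flags = parse_line(line)
        if flags == "S":  # only bare connection attempts (SYN) count as probes
            probes[(src, dst_ip)].append((ts, port))

    alerts = {}
    for (src, dst_ip), events in probes.items():
        events.sort()
        # slide a time window over the probes; alert on the first window that
        # contains enough distinct destination ports
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts[src] = (dst_ip, sorted(ports))
                break
    return alerts

if __name__ == "__main__":
    for src, (dst, ports) in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

The same sliding-window count applied per destination address rather than per port catches a horizontal sweep of one port across many hosts; the thresholds are the part that needs tuning against legitimate traffic such as monitoring systems.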
2. Sniffing attacks
When an attacker captures packets from the wire, or packets that pass through the attacker's own system, this is a sniffing attack. Its purpose is to read the captured information so that the attacker learns about the target system. For this to succeed, the intercepted protocol data must be sent in plaintext rather than encrypted; it then yields authentication information, network-management information and confidential transactions. Commonly used tools such as Ethereal and Wireshark are not attacker-only tools; they are also excellent troubleshooting tools, and most network engineers use them to diagnose all kinds of network problems. In UNIX environments tcpdump is commonly used.
3. Direct access attacks

Direct access covers all attacks in which the attacker tries to reach network resources directly. For example, once an attacker finds a way through the firewall, the attacker can directly reach and log on to the systems the firewall was protecting, and from there launch an unlimited number of further attacks, the most common being manipulation. Although direct access attacks are almost always launched at Layer 7, unless the attack is very specialized it can be blocked at a lower layer. For example, a correctly configured firewall can block access to the Telnet daemon on a server that also provides web services, because ordinary users have no reason to use Telnet, so the firewall can drop the request at Layer 4. If the attack targets a service that the application itself exposes at Layer 7, the responsibility for blocking it falls on application-aware systems, for example an IDS or the application's own security configuration.

II. Manipulation attacks
Any attack whose main means of success relies on manipulating data at some layer of the OSI model is called a manipulation attack. They mainly include network manipulation and application manipulation.

1. Network manipulation attacks
The most common form is IP fragmentation: the attacker deliberately fragments traffic in an attempt to bypass network-based (IDS or firewall) or application-based security controls. Fragroute is a tool used to launch IP fragmentation attacks. Besides IP fragmentation, the attacker can also perform source-routing attacks, using the source-route option to choose the path packets take through the network. Source routing has almost no legitimate use and is disabled by default on most routers. Attackers can also use the IP, TCP and UDP protocols themselves to launch attacks. In addition to manipulating the IP and transport layers, attackers can modify link-layer information to perform VLAN hopping and other local-network attacks.
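The reason fragmentation defeats a naive inspection device is that the device sees pieces while the end host sees the reassembled datagram, and overlapping fragments let the two disagree. The following is an added example, not code from the article or from Fragroute: a minimal reassembler that, unlike a naive one, records every byte range written by more than one fragment, which is the signal an IDS raises on. Fragment offsets are given in bytes here (real IP fragment offsets are in 8-octet units), and the two fragment sets are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int      # byte offset of this fragment in the original datagram
    more: bool       # More Fragments flag (False on the last fragment)
    payload: bytes

def reassemble(fragments):
    """Reassemble a fragment set. Returns (datagram, overlaps), where overlaps
    lists (first_offset, byte_count) for every fragment that rewrote bytes
    already covered by an earlier fragment (last writer wins, which is only
    one of several reassembly policies used by real operating systems).
    Raises ValueError if the set does not cover the whole datagram."""
    frags = sorted(fragments, key=lambda f: f.offset)
    buf = bytearray()        # reassembled bytes
    covered = bytearray()    # 1 where a byte has already been written
    overlaps = []
    total_len = None
    for f in frags:
        end = f.offset + len(f.payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
            covered.extend(b"\x00" * (end - len(covered)))
        already = [i for i in range(f.offset, end) if covered[i]]
        if already:
            overlaps.append((already[0], len(already)))
        buf[f.offset:end] = f.payload
        covered[f.offset:end] = b"\x01" * len(f.payload)
        if not f.more:
            total_len = end
    if total_len is None or len(buf) != total_len or not all(covered[:total_len]):
        raise ValueError("incomplete fragment set")
    return bytes(buf), overlaps

# Constructed sample: a normally fragmented request
CLEAN_SET = [
    Fragment(0, True, b"GET /ind"),
    Fragment(8, True, b"ex.html "),
    Fragment(16, False, b"HTTP/1.0"),
]

# Constructed sample: the second fragment re-covers the last two bytes of the
# first one; the content agrees here, but the overlap itself is the anomaly
OVERLAP_SET = [
    Fragment(0, True, b"GET /ind"),
    Fragment(6, True, b"ndex.html "),
    Fragment(16, False, b"HTTP/1.0"),
]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN_SET), ("overlap", OVERLAP_SET)):
        data, overlaps = reassemble(frags)
        print(name, data, "overlaps:", overlaps or "none")
```

A sensor that drops or alerts on any overlap, rather than trying to guess which host policy the target uses, sidesteps the ambiguity that the evasion relies on.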
2. Application manipulation attacks
These are attacks executed at the application layer, exploiting flaws in an application's design or implementation. The best known application manipulation attack is the buffer overflow; other examples are web application attacks and insecure Common Gateway Interface (CGI) scripts. Buffer overflow: this is one manifestation of an application vulnerability. A buffer overflow occurs when the application's developers do not perform sufficient bounds checking on the memory the application uses. For example, a typical program may expect to receive 50 bytes of input from the user at a given memory location. If the user sends 400 bytes, a correct application discards the extra 350 bytes; but if the application contains a coding error, those 350 bytes overwrite other parts of memory, and code can then be executed with the privileges of the original application. If the vulnerable application runs as root, a successful buffer overflow usually gives the attacker root privileges. It is almost impossible to block all such attacks with network security technology: because most stateful firewalls inspect traffic at Layer 4 and allow traffic on port 80 through, an attacker can launch a web buffer overflow remotely and succeed. Web application attacks: these take many forms, such as cross-site scripting and insecure CGI. In cross-site scripting, malicious content is embedded in a URL that the victim clicks; if a user clicks such a link, the user's information may be leaked unintentionally. Preventing users from becoming victims of cross-site scripting relies on teaching them to recognize malicious URLs. Note: cross-site scripting relies on obfuscation, and some web browsers have the status bar (at the bottom of the browser, where the URL details are shown) turned off.
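Teaching users to recognize a deceptive link means teaching them which part of a URL decides where the browser actually connects. The following is an added example, not code from the article: it extracts the real host from a URL with the standard library and applies the checks a link-scanning proxy or mail gateway might run. The trusted domain and all sample links are constructed from documentation names.

```python
import ipaddress
from urllib.parse import urlsplit

def url_host_facts(url):
    """Extract the facts about a link that decide where it really goes."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    facts = {
        "scheme": parts.scheme,
        "real_host": host,
        # "https://www.bank.example@203.0.113.5/" shows the bank name first,
        # but that text is the userinfo part; the browser connects to the
        # host after the "@"
        "has_userinfo": parts.username is not None,
        "is_ip_literal": False,
        # internationalized lookalike names appear as xn-- labels once encoded
        "is_punycode": any(label.startswith("xn--") for label in host.split(".")),
    }
    try:
        ipaddress.ip_address(host)
        facts["is_ip_literal"] = True
    except ValueError:
        pass
    return facts

def is_trusted_link(url, trusted_domains):
    """True only if the URL is HTTPS, has no deceptive components, and the
    real host is one of (or a subdomain of) the trusted domains."""
    f = url_host_facts(url)
    if f["scheme"] != "https" or f["has_userinfo"] or f["is_ip_literal"] or f["is_punycode"]:
        return False
    host = f["real_host"]
    return any(host == d or host.endswith("." + d) for d in trusted_domains)

# Constructed samples: link -> whether it should pass for the trusted domain
TRUSTED = ["bank.example"]
SAMPLE_LINKS = {
    "https://www.bank.example/login": True,
    "http://www.bank.example/login": False,               # cleartext, can be intercepted
    "https://www.bank.example@203.0.113.5/login": False,  # real host is the IP after "@"
    "https://www.bank.example.evil.example/login": False, # trusted name is only a prefix
    "https://xn--bnk-9ma.example/login": False,           # encoded lookalike label
}

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(is_trusted_link(link, TRUSTED), url_host_facts(link)["real_host"], link)
```

The suffix check deliberately compares whole labels (`host == d` or `host.endswith("." + d)`), so that a registered name merely containing the trusted name, such as `notbank.example`, does not pass.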
When the status bar is off, the user never sees the real address of the site about to be visited before clicking the link. Likewise, attackers can use DNS to mislead the user: if the attacker can make the client see a DNS name that resolves to the attacker's IP address, the client believes it is connected to a legitimate site when it is actually connected to the attacker's machine. Because the actual IP address is never displayed in the browser, the client may be unaware of the attack; ordinary web users never notice such differences even when the browser shows them quite clearly. Earlier attackers exploited insecure CGI. Every time a form is filled in on a website or an address is entered, some form of CGI script is used. Note to self: write about web attacks when time permits.

III. Spoofing attacks
When an attacker makes a user or a device believe that information comes from a source that did not actually send it, this is a spoofing attack. Spoofing attacks can be launched at almost any point in network communication that is weak or unauthenticated. Common forms are MAC spoofing, IP spoofing, transport spoofing, identity spoofing and rogue devices.
1. MAC spoofing
This is a very straightforward attack: the attacking system changes its MAC address to that of a trusted system. In an Ethernet environment, the CAM table on the switch tracks which port, VLAN and MAC address belong together. When the attacker changes its MAC address to that of another system connected to the switch, the CAM table is updated, since the switch assumes the machine has simply moved from one port to another, and all traffic destined for that MAC address is now sent to the attacker. This attack is very effective against systems that only receive data and do not actively send it; a syslog server is a good example. CAM (content addressable memory) holds the mapping between MAC addresses and ports (Layer 2 interfaces). An Ethernet switch learns the address of each device on the network by reading the source MAC address of each frame and recording it together with the switch port the frame arrived on; it then adds this information to its forwarding database (the MAC address table), which is stored in CAM.
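The switch behaviour described above is also what makes the attack visible: a MAC address that was learned on one port reappears on another. The following is an added example, not code from the article or from any switch vendor: a toy CAM table that learns source MACs exactly as described, logs every port move (the "MAC flapping" event a monitoring system would alert on), and optionally pins a MAC to one port in the manner of port security, so that a frame claiming that MAC elsewhere is rejected instead of learned. The MAC addresses and frame sequence are constructed.

```python
from collections import namedtuple

MacMove = namedtuple("MacMove", "mac old_port new_port")

class CamTable:
    """Toy model of a switch's MAC learning table for a single VLAN, with two
    additions a defender cares about: it records every MAC that moves port,
    and it can pin chosen MACs to one port (port-security style)."""

    def __init__(self, pinned=None):
        self.table = {}               # mac -> port
        self.moves = []               # MacMove records, in arrival order
        self.pinned = pinned or {}    # mac -> the only port it may appear on

    def learn(self, port, src_mac):
        """Process the source MAC of a frame that arrived on `port`.
        Returns 'learned', 'moved' or 'violation'."""
        if src_mac in self.pinned and self.pinned[src_mac] != port:
            return "violation"        # pinned MAC on the wrong port: table untouched
        old = self.table.get(src_mac)
        self.table[src_mac] = port    # plain learning, as any switch does
        if old is not None and old != port:
            self.moves.append(MacMove(src_mac, old, port))
            return "moved"
        return "learned"

    def lookup(self, mac):
        """Port that frames destined for `mac` would now be forwarded to."""
        return self.table.get(mac)

# Constructed addresses from the documentation MAC range
SYSLOG_MAC = "00:00:5e:00:53:01"   # a passive syslog server on port 1
CLIENT_MAC = "00:00:5e:00:53:02"

# Constructed frame sequence: (ingress port, source MAC)
FRAMES = [
    (1, SYSLOG_MAC),
    (2, CLIENT_MAC),
    (7, SYSLOG_MAC),   # same MAC suddenly on port 7: a move, or a spoof?
]

def run(frames, pinned=None):
    """Feed frames through a fresh table; return the table and per-frame results."""
    cam = CamTable(pinned)
    results = [cam.learn(port, mac) for port, mac in frames]
    return cam, results

if __name__ == "__main__":
    cam, results = run(FRAMES)
    print(results, "syslog traffic now goes to port", cam.lookup(SYSLOG_MAC))
    cam, results = run(FRAMES, pinned={SYSLOG_MAC: 1})
    print(results, "syslog traffic still goes to port", cam.lookup(SYSLOG_MAC))
```

Without pinning, the third frame silently redirects all syslog traffic to port 7, which is exactly the outcome the text describes; the `moves` list is the evidence. With the server's MAC pinned to its port, the same frame is reported as a violation and the forwarding entry is unchanged.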
2. IP spoofing
An attacker only needs access to the system's raw packet driver to send packets with an arbitrary IP header. Encryption can only act as a protection mechanism in systems that require encrypted communication in order to reach the IP layer at all. For example, a financial application that communicates over IPsec does not accept raw IP connections from any host, whether legitimate or forged. The same encryption principle also applies to transport spoofing.
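Besides the end-to-end protection the text describes, the network itself can reject packets whose source address cannot legitimately have arrived on the interface they came in on; this ingress filtering is not mentioned in the article and is added here as an example. The code is not from the article: it models a small router with two internal interfaces and one Internet-facing interface, and decides for each packet whether its source address is plausible for its ingress interface. The topology and the address ranges are constructed from documentation prefixes.

```python
import ipaddress

# Constructed topology: source prefixes that may legitimately enter the
# router on each internal interface
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "dmz0": [ipaddress.ip_network("198.51.100.0/25")],
}

# Source ranges that must never arrive from the Internet-facing side
BOGON_PREFIXES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

def accept_source(ingress_if, src_ip, prefixes=INTERFACE_PREFIXES, bogons=BOGON_PREFIXES):
    """Anti-spoofing decision for a packet with source `src_ip` arriving on
    `ingress_if`. Internal interfaces accept only their own prefixes; the
    Internet-facing interface ("wan0" in this model) rejects any source that
    belongs to an internal prefix or to a bogon range. Unknown interfaces
    fail closed."""
    src = ipaddress.ip_address(src_ip)
    if ingress_if in prefixes:
        return any(src in net for net in prefixes[ingress_if])
    if ingress_if == "wan0":
        internal = [net for nets in prefixes.values() for net in nets]
        return not any(src in net for net in internal + bogons)
    return False

if __name__ == "__main__":
    # constructed packets: (ingress interface, source address)
    for iface, src in [("lan0", "192.0.2.55"), ("lan0", "198.51.100.9"),
                       ("wan0", "192.0.2.55"), ("wan0", "10.1.1.1"),
                       ("wan0", "203.0.113.9")]:
        verdict = "accept" if accept_source(iface, src) else "drop"
        print(f"{iface:5} src={src:15} {verdict}")
```

A packet on `lan0` claiming a DMZ address, or a packet from the Internet claiming an internal address, is dropped before any application sees it; what the filter cannot do is tell a forged address within the correct prefix from a real one, which is where the IPsec-style end-to-end protection in the text takes over.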

3. Transport spoofing
Transport spoofing means spoofing carried out successfully at the transport layer.
UDP spoofing: because of its simple header structure, UDP is easy to spoof. Management applications such as Simple Network Management Protocol (SNMP), syslog and Trivial File Transfer Protocol (TFTP) all use UDP as their transport mechanism, which makes them one of the weakest links in system security.
TCP spoofing: TCP is more secure because it is connection-oriented. The 32-bit sequence number is specific to the connection and chosen pseudo-randomly by the operating system, so the sequence number of a connection is difficult to predict. Attackers instead try to impersonate a trusted client by inserting themselves into the session between a real client and server after authentication has taken place. When the attacker cannot see the packets exchanged between client and server, such an attack is very hard to carry out; when it is launched from a position on the path between client and server, it is extremely destructive.
Identity spoofing: identity spoofing takes many forms, including password cracking, brute-force logon attempts, and theft or forgery of digital certificates. Authentication mechanisms, from least to most secure, include:
1) plaintext user name and password (Telnet)
2) pre-shared key (WEP)
3) encrypted user name and password (SSH)
4) one-time password (OTP)
5) public key encryption system (PGP, IPsec)
John the Ripper and LC4 are both password cracking tools. A password cracking attack essentially guesses a password, encrypts (hashes) the guess, and compares the result with the encrypted password stored on the victim's server. Most passwords are stored as a strong one-way hash, which cannot be reversed; therefore the easiest way to steal a password is a so-called dictionary attack against the stored hashes.
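How much a dictionary attack costs depends entirely on how the server stores the hash. The following is an added example, not code from the article: it contrasts an unsalted single-round hash, under which one precomputed dictionary matches every account that shares a password, with a salted, iterated PBKDF2 record and a constant-time verification. The function and record names are this example's own choices, not any library's scheme.

```python
import hashlib
import hmac
import os

def legacy_hash(password):
    """Unsalted single-round hash: the same password always yields the same
    digest, so one precomputed dictionary of digests matches every account
    that uses that password, and equal digests reveal shared passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password, iterations=200_000):
    """Store a password as random salt + PBKDF2-HMAC-SHA256 digest. The salt
    makes each stored digest unique, so a dictionary must be recomputed per
    account; the iteration count makes each guess cost the attacker the same
    work it costs the server to verify a logon."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}

def verify(record, candidate):
    """Recompute the digest for a logon attempt and compare in constant time,
    so that response timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])

def same_password_detectable(password):
    """Two accounts with the same password: are their stored values equal?
    Returns (under legacy scheme, under salted scheme)."""
    legacy_equal = legacy_hash(password) == legacy_hash(password)
    salted_equal = make_record(password)["digest"] == make_record(password)["digest"]
    return legacy_equal, salted_equal

if __name__ == "__main__":
    # constructed sample credential
    record = make_record("correct horse battery")
    print("legacy digests equal, salted digests equal:",
          same_password_detectable("correct horse battery"))
    print("right password:", verify(record, "correct horse battery"))
    print("wrong password:", verify(record, "correct horse batter"))
```

With the salted scheme, a dictionary attack of the kind the text describes has to be repeated from scratch for every account, at 200,000 hash computations per guess; with the legacy scheme it is a single table lookup.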
4. Rogue devices
The discussion so far has been at the software level. Attackers can also use rogue devices: a rogue device is added to the network so that it obtains a valid identity, for example through DHCP. Once on the network, the device tries to determine the IP addressing scheme, locate an HTTP proxy server, and then build a tunnel back to the attacker, which lets a remote attacker operate as a local user. Rogue devices can be used to launch devastating attacks, but to carry them out the attacker needs physical access to the target network.
