Quick start to learn hacker attack and defense

Source: Internet
Author: User

I. Network Attack basics-Understanding network protocols

Network Protocols refer to the rules established for data exchange in the computer network, a collection of Standard Goods agreements. Common network protocols includeTCP/IP, ARP, and ICMPEtc!

1. Standard network connection interface-TCP/IP protocol

TCP/IP protocol. The entire process is Transmission Control Protocol/Internet Protocol. As we all know, TCP/IP must be set after computers access the internet. Therefore, TCP/IP is the most basic protocol on the Internet and the basis of the Internet.

TCP/IP protocol defines how computers access the Internet and how data is transmitted between them.

TCP/IP includes two-layer protocol, TCP protocol and IP protocol. The TPC protocol is responsible for mobile phone information or splitting files into the smallest data packets. The sending end sends these packets to the TCP layer of the receiving end through the network. The TCP layer of the receiving end restores the packets to the original file, while the underlying IP Protocol processes the address of each packet, this allows the gateway computer on the network to identify the IP address of the data packet and select the route so that the data packets can reach the destination correctly.

2. ARP spoofing attack: ARP Protocol

ARP is the Address Resolution Protocol. It can obtain the corresponding physical address (MAC address) through a persistent IP address ). In a TCP/IP network environment, each host is assigned a 32bit IP address (such as 220.248.138.116), which is a logical address used to identify the host in the network, if you want to create packets (data units exchanged and transmitted between hosts in the network) to the host at the destination, you must know the physical address of the host at the destination, in this case, you can use ARP to convert the IP address of the target host to a physical address.

Simply put, ARP is the process of converting the IP address of the target host into the corresponding MAC address before the host sends a message. Speaking of ARP, ARP spoofing is essential.

3. Flood attack knowledge-ICMP protocol

ICMP (Internet Control Packet Protocol) is a word protocol in the TCP/IP protocol family used to transmit control messages between IP hosts and routers. Control messages include network communication, host existence, and route availability. Although these control messages do not transmit user data, they play an important role in transferring user data.

ICMP provides consistent and easy-to-understand error report information in the network. It returns the error message sent to the host that sends the data. The only function of ICMP is to report the problem rather than solve the problem. The task of solving the problem is completed by the sender!

This feature makes it very easy to attack routers and hosts on the network. For example, for ping of death attacks, the operating system requires that the maximum size of ICMP data packets should not exceed 64 kB before patches are released to limit the size of ICMP data packets, therefore, Ping of death initiates an attack on the host according to this rule. The attack principle is: if the size of the ICMP data packet exceeds 64 KB, the host encounters a memory allocation error, causing the TCP/IP stack to crash, leading to host crash.

Tip: flood attacks are a common attack technology used by hackers. They are characterized by simple implementation and powerful capabilities, and are mostly defensive. The most common flood attack is Mac flooding. Mac flood refers to the attacker entering the LAN and sending the fake source MAC address and target MAC address data to the Ethernet, the counterfeit source MAC address and target MAC address are filled with the MAC address table of the switch, causing the switch to fail to transmit data correctly.

2. The two necessary ports for hackers-IP addresses and ports

To attack other computers, a hacker must determine the IP address of the target host and scan the open port of the target host. Therefore, the IP address and open port of the target host are very important information for hackers and necessary information for hackers to intrude into the target host.

Port 21 (ftp-File Transfer Protocol) port 79 (finger-view the running status of the machine)

Port 23 (telnet-remote login protocol) port 80 (http-Hypertext Transfer Protocol)

Port 53 (DNS ---- Domain Name Server) port 110 (POP ---- Post Office Protocol)

Port 3389 (remote login) port 139 (NetBIOS service, ---- Sharing Service)

The port distribution can be dividedRecognized port, registered port, and dynamic/private port.

Recognized port: Also known as common port. These ports include ports 0-, which are closely bound to specific services. Generally, the communication between these ports clearly indicates the protocol of a certain service. Such ports cannot be redefined as the target.

Registered ports: including ports 1024-48 151, which are loosely bound to some services. That is to say, many services are bound to these ports, which are also used for many other purposes. Most of these ports do not have clearly defined service objects. Different programs can be defined as needed. These ports define some remote control software and trojan programs. Therefore, it is necessary to protect and kill these ports.

Dynamic/private ports: including port 49152-65535. Theoretically, common services should not be allocated to these ports. But in fact, some special programs, especially some trojan programs, like using these ports very much, because these ports are easy to hide without notice.

3. Understanding System Processes

A process is an execution activity of a program on a computer. When a user runs a program, a process is started. The process can be divided into system processes and user processes, all the processes used to complete various functions of the operating system are system processes. They are all operating systems themselves. User processes are all processes started by users.

1. Basic Processes and definitions in Windows 7

Audiodg.exe Windows Audio Device Manager can end, but once the audio file is opened, it will be reloaded

Csrss.exe Microsoft Client/Server Runtime subsystem, which is used to manage Windows Graphics related tasks

Dwm.exe desktop window manager, which can be terminated (twice required). The aero effect cannot be displayed after it is finished, and tasks cannot be created.

Services.exe this process is mainly used to manage start and stop services. Colleagues process services that run when the computer is started and shut down.

Lsass.exe is a system process used for local security authorization. Shut down the process. The system will shut down the firewall and restart it in 1 minute.

Svchost.exe the process contains many system services used to hold the DLL file. The number of services started in the system cannot be reached, generally 4-5.

Lsm.exe local Session Manager Service, shut down the process, the system will restart in 1 minute

The assumer.exe background processing program can be technical, but the taskbar and desktop icons will be updated in hours.

Spoolsv.exe background processing program Subsystem Application, manage all printing work

System Windows page memory management process

The system ldle Process System Virtual route displays the CPU space occupation rate. Because it is a virtual route, there is no Suffix of .exe.

Taskhost.exe Task Manager

Wininit.exe starts the initialization process in windows and starts. Service. exe lsass. EXE lsm.exe

In addition to these basic processes, there are also some attachment system processes in Windows 7. To close the system processes of some attachments, you only need to close the corresponding services in the "service" window.

This article from the "Blacksmith O & M network" blog, please be sure to keep this source http://blacksmith.blog.51cto.com/7087635/1602325

Quick start to learn hacker attack and defense

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.