3. Network service penetration attacks

3.1 Memory attack and defense techniques

3.1.1 Buffer overflow vulnerability mechanism
A buffer overflow is abnormal program behaviour caused by a missing check on the boundary of a buffer. Buffer overflows are divided into stack overflows and heap overflows according to where in memory the overflowed buffer lies.

3.1.2 Stack overflow exploitation principle
A stack overflow occurs when data written to the stack is longer than the space allocated for it on the stack.
① Overwriting the function return address
When a program calls a function, the return address, the function's call parameters and its local variables are all stored on the stack, which gives an attacker the opportunity to overflow a stack buffer and modify the function's return address. Because the address of a stack variable changes every time the program runs, the return address is usually overwritten with the address of a jump-register instruction that serves as a springboard, so that execution lands on the shellcode in the stack. The most common choice is the address of a JMP ESP instruction: the program executes it and jumps back into the stack to run the data placed after the overflowed buffer.
② Overwriting the exception handling structure
Because exceptions may occur while a program runs, an exception handling mechanism is needed; Windows provides SEH (Structured Exception Handling) for this. The exception handling structures are stored on the stack as a linked list, and the operating system searches the list from head to tail for a function that handles the exception; if none is found, the last function in the list, the system's default exception handler, takes over. Overwriting the exception handling structure means overwriting an exception handler function pointer on the stack with a chosen address and then triggering an exception so that the tampered function pointer is loaded.
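The mechanism in 3.1.2, a copy that never compares its length against the buffer and therefore clobbers whatever lies next to the buffer, as an added C example (not code from the book). The struct `frame`, the `GUARD_VALUE` standing in for a saved return address and the 20-byte input are all constructed for the demonstration; copying into a struct rather than a real local array makes the spill land deterministically on the neighbouring field instead of depending on the compiler's stack layout.

```c
/* Added example, not from the book: a fixed-size buffer next to a value the
 * function trusts later, showing what an unchecked copy does to the neighbour
 * and what a bounds check prevents. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define GUARD_VALUE 0xCAFEBABEu  /* stands in for a saved return address */

/* Mirrors a stack frame: the buffer lies directly below the slot the
 * function will later trust, as a local array lies below the return address. */
struct frame {
    char buf[BUF_SIZE];
    uint32_t saved_ret;
};

/* Constructed input: 20 bytes of 'A', four more than the buffer holds. */
static const unsigned char SAMPLE_INPUT[] = "AAAAAAAAAAAAAAAAAAAA";
#define SAMPLE_LEN 20

/* Vulnerable copy: len is never compared with BUF_SIZE. The bytes are copied
 * into the frame object one by one so the spill lands deterministically on
 * saved_ret instead of depending on the compiler's real stack layout.
 * Returns the value saved_ret holds after the copy. */
uint32_t unchecked_copy(const unsigned char *src, size_t len)
{
    struct frame f;
    unsigned char *dst = (unsigned char *)&f;
    f.saved_ret = GUARD_VALUE;
    if (len > sizeof f)
        len = sizeof f;            /* keep the demo inside the object */
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];           /* no check against BUF_SIZE */
    return f.saved_ret;
}

/* Hardened copy: rejects input that does not fit. Returns 0 on success,
 * -1 if rejected; *saved_out reports saved_ret either way. */
int checked_copy(const unsigned char *src, size_t len, uint32_t *saved_out)
{
    struct frame f;
    f.saved_ret = GUARD_VALUE;
    if (len > BUF_SIZE) {
        *saved_out = f.saved_ret;
        return -1;
    }
    memcpy(f.buf, src, len);
    *saved_out = f.saved_ret;
    return 0;
}

int main(void)
{
    uint32_t saved;
    uint32_t after = unchecked_copy(SAMPLE_INPUT, SAMPLE_LEN);
    int status = checked_copy(SAMPLE_INPUT, SAMPLE_LEN, &saved);
    printf("unchecked, 20 bytes: saved_ret = 0x%08x\n", after);
    printf("checked,   20 bytes: status %d, saved_ret = 0x%08x\n", status, saved);
    return 0;
}
```

With the 20-byte input the unchecked copy leaves `saved_ret` equal to 0x41414141 (four 'A' bytes), which is what a program would then treat as its return address; the checked copy refuses the input and the guard survives.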
3.1.3 Heap overflow exploitation principle
The heap is memory that a program allocates dynamically while it runs; its location is not fixed and the concrete implementation is fairly complicated, so this is only a brief introduction to the heap buffer overflow caused by the most common operation, freeing a heap block. A free heap block contains two pointers, pointing to the previous and next free blocks respectively. Heap blocks within the same heap are usually contiguous in memory, so if data written to a block exceeds the block's size, the overflowing data overwrites the free block adjacent to it and the two pointers it contains are overwritten. This is the opportunity an attacker uses to exploit a heap overflow.

3.1.4 Limitations on exploiting buffer overflows
The size of the buffer space, the form the input must take and bad characters all need to be considered.

3.2 Network service penetration attack surface

3.2.1 Network service penetration attacks on Windows systems
1. NetBIOS network service
NetBIOS is implemented with the NBT protocol, comprising the NetBIOS name service on UDP port 137, the NetBIOS datagram service on UDP port 138 and the session service on UDP port 139. Penetration attacks through NetBIOS are rare, and Metasploit has no modules for it.
2. SMB service
The penetration modules for SMB in Metasploit are located in exploit/windows/smb, but only a handful of them target SMB itself; most are for MSRPC carried over the SMB channel.
3. MSRPC network service
MSRPC is Windows' own network service with the largest attack surface. Penetration modules of this type exist in the Metasploit framework in exploit/windows/smb and exploit/windows/dcerpc.
4. RDP remote desktop service
Runs on port 3389 by default.

3.2.2 Penetration attacks on Microsoft network services on Windows operating systems
Common services such as IIS, MSSQL, the Exchange mail service, the MSDTC service, the DNS domain name service and the WINS service may contain serious security vulnerabilities and become an attacker's target.
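The free-block mechanism described in 3.1.3 above, as an added C example (not code from the book): a toy doubly linked free list whose chunks sit back to back, an unchecked write into the allocated chunk that spills onto the next chunk's two list pointers, and the pointer-integrity check that modern allocators perform before unlinking, which refuses the corrupted chunk. The `arena`, `head`, `decoy` and the constructed input are all invented for the demonstration; `decoy` merely stands in for whatever location an overwritten pointer might name.

```c
/* Added example, not from the book: a toy doubly linked free list that shows
 * how an overflow out of an in-use heap block lands on the fd/bk pointers of
 * the adjacent free block, and how a pointer-integrity check before unlinking
 * catches the corruption. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_DATA 16

struct chunk {
    struct chunk *fd;               /* next free chunk */
    struct chunk *bk;               /* previous free chunk */
    unsigned char data[CHUNK_DATA]; /* user data */
};

static struct chunk arena[3];  /* three back-to-back chunks, like a real heap */
static struct chunk head;      /* sentinel of the free list */
static struct chunk decoy;     /* stands in for any location a corrupted pointer names */

static void reset(void)
{
    memset(arena, 0, sizeof arena);
    memset(&decoy, 0, sizeof decoy);
    /* arena[0] is allocated; arena[1] and arena[2] are free:
     * head <-> arena[1] <-> arena[2] <-> head */
    head.fd = &arena[1];     head.bk = &arena[2];
    arena[1].fd = &arena[2]; arena[1].bk = &head;
    arena[2].fd = &head;     arena[2].bk = &arena[1];
}

/* The classic unlink step: two pointer writes that trust fd and bk blindly. */
static void naive_unlink(struct chunk *p)
{
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
}

/* Hardened unlink: only proceed if both neighbours still point back at p.
 * Returns 0 on success, -1 when the list has been tampered with. */
static int safe_unlink(struct chunk *p)
{
    if (p->fd->bk != p || p->bk->fd != p)
        return -1;
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    return 0;
}

/* Unchecked copy into arena[0]'s data: bytes past CHUNK_DATA spill into
 * arena[1]'s header, the adjacent-free-block overwrite the text describes. */
static void unchecked_write_chunk0(const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)arena + offsetof(struct chunk, data);
    size_t room = sizeof arena - offsetof(struct chunk, data);
    if (len > room)
        len = room;  /* keep the demo inside the arena object */
    memcpy(dst, src, len);
}

/* Constructed input: fills the data area, then carries two copies of
 * decoy's address, which land on arena[1].fd and arena[1].bk. */
static size_t build_overflowing_input(unsigned char *out)
{
    struct chunk *target = &decoy;
    memset(out, 'A', CHUNK_DATA);
    memcpy(out + CHUNK_DATA, &target, sizeof target);
    memcpy(out + CHUNK_DATA + sizeof target, &target, sizeof target);
    return CHUNK_DATA + 2 * sizeof target;
}

/* Runs one scenario. overflow: 1 = overflowing input, 0 = input that fits.
 * hardened: 1 = safe_unlink, 0 = naive_unlink.
 * Returns 0 if arena[1] was unlinked, -1 if the hardened check refused. */
int run_scenario(int overflow, int hardened)
{
    unsigned char input[CHUNK_DATA + 2 * sizeof(struct chunk *)];
    size_t len;
    reset();
    if (overflow) {
        len = build_overflowing_input(input);
    } else {
        memset(input, 'A', CHUNK_DATA);
        len = CHUNK_DATA;
    }
    unchecked_write_chunk0(input, len);
    if (hardened)
        return safe_unlink(&arena[1]);
    naive_unlink(&arena[1]);
    return 0;
}

/* 1 if the last scenario's unlink wrote through the corrupted pointers into decoy. */
int decoy_was_written(void)
{
    return decoy.fd == &decoy;
}

int main(void)
{
    int r1 = run_scenario(0, 1);
    printf("in-bounds write, hardened unlink: %d\n", r1);
    int r2 = run_scenario(1, 0);
    int hit = decoy_was_written();
    printf("overflow, naive unlink: %d (decoy written: %d)\n", r2, hit);
    int r3 = run_scenario(1, 1);
    printf("overflow, hardened unlink: %d (corruption detected)\n", r3);
    return 0;
}
```

The naive unlink turns the two overwritten pointers into two writes to memory the allocator never intended to touch; the hardened version notices that the supposed neighbours do not point back at the chunk and refuses, which is the same kind of consistency check real allocators now perform on free-list pointers.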
3.2.3 Penetration attacks on third-party network services on Windows operating systems
Common ones include Apache, IBM WebSphere, Tomcat, Oracle, MySQL, Serv-U and FileZilla. An attacker scans the default ports of these services to detect which common third-party services are in use.

3.2.4 Penetration attacks on industrial control system services
Industrial control systems are systems used in industry to control production equipment, including SCADA systems, DCS and other device controllers. Metasploit has many penetration modules for such software in the exploit/windows/scada directory.

3.2.5 Differences between Linux and Windows
① Process memory space layout
On Windows the first byte of a stack memory address is 0x00, a NULL byte, which usually has to be treated as a bad character; on Linux stack addresses contain no NULL byte, so input truncation caused by bad characters does not have to be considered.
② Handling of discarded stack memory while a program runs
Windows writes random data into discarded stack memory; Linux does nothing.
③ System function calls are implemented differently
Windows completes a system call through a chain of API and kernel handler calls, whereas Linux invokes system functions through the "int 80" interrupt, so shellcode implementation differs considerably.
④ Different dynamic link library mechanisms
Linux introduces the GOT and PLT tables and uses various relocation entries to achieve position-independent code, for better sharing.

3.2.6 Linux system service penetration attacks
The principle is basically the same as for Windows, but attacks on Linux have some characteristics of their own: because the source code is open, white-box testing is possible; because there are many distributions, the same vulnerability has to be adjusted for different system environments; and Linux security depends more on the user.
Metasploit Penetration Testing Devil's Training Camp, Chapter 5: Network Service Penetration Attacks