Review:
In the previous chapter, the protagonist Carl used a variety of attack methods to the good Luck Company's network information system attack, through the MAC address deception to obtain a connection with the company's internal network, through password cracking, remote access to the company's internal server, through the buffer overflow vulnerability into the operating system and have the highest authority, The key is that Karl is targeting the company's credit card information in three ways, including file upload vulnerabilities for Web applications, SQL injection attacks, and methods to circumvent legitimate applications, to bulk export large amounts of sensitive information in the database.
There are various methods of attack, some of which have been used in the above attacks, some have changed with the attack object, but they are also regular. In general, the attack is carried out step by part, which can be divided into several parts: reconnaissance----------------------------
1. Reconnaissance
650) this.width=650; "Src=" http://www.dbsec.cn/a/shujukuanquan/shujukufanghushouduan/shujukuyunxi/2011/0822/ Images/gjsl2_1.jpg "width=" 499 "height=" 363 "alt=" Gjsl2_1.jpg "/>
Many security attacks begin with a reconnaissance of the target, which is generally not technically significant, and in the previous attack, what Carl started to do would fall into this category.
Social engineering is often a kind of use of human vulnerability, greed and other psychological manifestations of attacks, is impossible to guard against, it is characterized by ordinary telephone conversations to induce victims to reveal passwords and other sensitive information.
Scouring garbage is also a noteworthy means of detection, it refers to the office supplies abandoned from a unit to search for sensitive information process, so many important units have a special abandoned office supplies destruction processing mechanism.
Attackers can find application technology information, employee contact information through the Web site of the unit, and search engines like Google will automatically ingest this information, and through the search engine can easily detect some sensitive information.
At the same time, WHOIS, DNS servers, and some of the Internet's reconnaissance tools can be downloaded, and through the website can see what development technology to complete, these technologies have been published loopholes can be found on the Internet.
2 , Scan
650) this.width=650; "Src=" http://www.dbsec.cn/a/shujukuanquan/shujukufanghushouduan/shujukuyunxi/2011/0822/ Images/gjsl2_2.jpg "width=" 557 "height=" 403 "alt=" Gjsl2_2.jpg "/>
Before an attack is carried out, the information that is detected is often not enough, and more information about the target can be further mastered by scanning, so the scan has a certain technical content.
Wireless access scanning is mainly to obtain the wireless access point of the target network and determine the SSID (wireless access point name), NetStumbler is the active scanning tool, it actively detects the wireless network, most of the wireless access point will respond to its request. Wellenreiter is a passive wireless access scanning tool that detects wireless local area networks (WLANs) by sniffing the frequency of wireless communications.
Port scanning is the process of determining which ports in the target network are listening for service requests. The port scanner can determine the inventory of all running services in the system by talking to the various ports in the target system.
Taking the database server Port discovery technology as an example, the bottleneck of realizing the automatic discovery Technology of database server is the Port Automatic identification technology, for the common database service port, such as 1433 is SQL server,1521 is oracle,3306 is MySQL, This type of port can be quickly identified by the knowledge base, but it is more difficult for service recognition to modify the default port.
Gets the port information that the specified database is running through "proactive", that is, polling a range of ports, sending it a connection request that conforms to a specific database protocol, and, in the event of a conforming response, the port that the specified database service listens on.
As an example of Oracle's TNS protocol (server-to-client communication protocol), a connection request is sent to a port that, if it is the listening port of an Oracle server, will inevitably return a reject message and redirect message. As soon as one of the above two messages is received, the port is the listening port for the Oracle service.
There are other software, such as Nmap software found that TCP port 80 is open to the Web server, UDP 53 port is open DNS server, while discovering packet filtering firewall, with the Nessus software to scan and analyze system vulnerabilities, to find the presence of security vulnerabilities or no security patching services can be exploited.
3 , get access
650) this.width=650; "Src=" http://www.dbsec.cn/a/shujukuanquan/shujukufanghushouduan/shujukuyunxi/2011/0822/ Images/gjsl2_3.jpg "alt=" Gjsl2_3.jpg "/>
Using the information gathered during the reconnaissance and scanning phases, an attacker could exploit the operating system, application, database, or network to gain access to the system.
Metasploit is an open source security vulnerability detection tool that identifies security issues, validates vulnerabilities, provides real security risk intelligence, and is an integrated buffer overflow attack tool commonly used by attackers. The buffer overflow referred to here refers to when the data of the source buffer is copied to a buffer less than its own number of bits, beyond the bit boundary of the target buffer, and the database does not have a boundary judgment on the data being deposited, resulting in the target buffer being full. Target buffer memory changes control flow, capture operating system, prohibit access and many other results.
Password attacks are also one of the most common attacks that attackers launch into the system, and common password attacks include dictionary attacks, brute force attacks, or mixed attacks. The database may also be password attacks, such as: The hacker by collecting the internet has leaked user and password information, generate the corresponding dictionary table, bulk attempt to log on to other sites, many users in different sites using the same user and password, so hackers can get user a site account to try to log on to the B site.
Now b/S Architecture application system widespread popularity and popularity has become an important target of attackers, common attack methods such as SQL injection, and so on, by inserting SQL commands into the Web Form, page request query string, eventually to deceive the server to execute a malicious SQL command. Leverage existing applications to inject (malicious) SQL commands into the background database engine execution to gain unauthorized access to the application backend database.
Sniffing, IP address spoofing and session hijacking are common means of cyber attacks. It is the attacker who forges the source IP address of the information he sends, impersonating the other sender of the message, and spoofing the recipient of the information. Session hijacking is a comprehensive use of sniffer and IP address deception, the legitimate user has established a legitimate session for the appropriation, thereby obtaining access to the system.
For Oracle database, with the development of database intrusion, the attack on database is not only against the database itself, but extends to the various components of the database, TNS session hijacking is one of them, simply said that if TNS has a vulnerability can be directly to Oracle intrusion.
Denial-of-service (DoS) attacks are associated with the process of acquiring access, which does not directly gain access to the system, but destroys the normal access that the system provides to legitimate users, thereby indirectly achieving the purpose. The basic approach to Dos attacks is to make system services stop working or drain system resources, either locally or remotely.
4 , maintain access
650) this.width=650; "Src=" http://www.dbsec.cn/a/shujukuanquan/shujukufanghushouduan/shujukuyunxi/2011/0822/ Images/gjsl2_4.jpg "alt=" Gjsl2_4.jpg "/>
It is not easy to hack into a system, and once successful, attackers will always take all possible steps to open the door to the next attack, which is the goal of maintaining access, and the Trojan Horse and backdoor are the main weapons to achieve that goal.
Trojan Horse is such a kind of program, it looks very useful on the surface, until very attractive, secretly but hidden malicious function. The backdoor allows attackers to evade normal security controls and thus gain access to the system.
Software has application software and operating system, operating system has a user state and the core state of the points, according to the software can be divided into the application layer, the system layer, the core layer three levels, and the corresponding level, Trojan back door can be divided into application layer, user state, kernel state three types.
Application-level Trojan backdoor is a standalone application that can run on the target machine, allowing attackers to access and control the target machine. Such programs can be used by attackers to access arbitrary files on the target machine, observe user behavior, record keyboard input, and perform other operations.
User Configuration is a Trojan backdoor that is implanted into the operating system's user-state program.
The kernel is the backdoor of the Trojan that is implanted into the operating system kernel. To prevent kernel-state attacks, the operating system should be patched in a timely manner, enable host-based IPs, the first time to prevent attackers to gain access to the system, while detecting the user state and the kernel state caused by system anomalies.
5 , cover up the trail
650) this.width=650; "Src=" http://www.dbsec.cn/a/shujukuanquan/shujukufanghushouduan/shujukuyunxi/2011/0822/ Images/gjsl2_5.jpg "alt=" Gjsl2_5.jpg "/>
In order to successfully implement a security attack, to achieve the target, but also to go unpunished, attackers often try to hide their
The attack behavior. In particular, after installing a Trojan backdoor, an attacker would always destroy or modify the system logging information associated with his or her behavior. For example, an attacker would typically modify a log record that reflects his attack behavior, failed login attempts, use of special accounts, execution of security-sensitive commands, and so on.
In Windows systems, you can use the Winzapper tool to delete information that logs specific security events. There are many tools in the UNIX system that can be used to modify logging information.
Although the database itself has audit logs, many users, including the database vendors themselves, also recommend that due to performance impact, do not open audit records, and even if the audit log is turned on, it may be deleted by the database administrator. Therefore, the Independent database audit device records the operation of all databases becomes necessary, but also can encrypt the audit log files to prevent malicious tampering.
6 , summary of this chapter
In this chapter we describe the process of the security attack: reconnaissance, scanning, access, maintenance access and cover-up traces of the technology used in the five steps, through a simple and understandable introduction, so that everyone from the network, host, operating system, database attack technology has a comprehensive and preliminary understanding, A brief introduction to the database-related attack techniques is also presented. Since Anwarking has a certain research and accumulation in the field of database security, the next chapter starts to give full play to our advantages, focusing on the principle of database attack into in-depth analysis.
This article is from the Database security blog, so be sure to keep this source http://schina.blog.51cto.com/9734953/1682298
"Serial" View database security from the instance of security Attack (ii) Analysis of security attack methods