Reading notes: "Hacking Exposed" (5/8)

Source: Internet
Author: User
Tags: time zones, administrator password, strong password, RSA SecurID

Part 3: Infrastructure attacks

Put the wireless card into monitor ("listening") mode to identify which wireless networks are active. Aircrack-ng, a wireless network monitoring toolkit, can capture raw 802.11 frames; it is particularly good at capturing WEP initialization vectors, which are what is needed to crack the WEP key.

Chapter 7: Remote connectivity and VoIP attacks

1. A modem attached to a critical device and reachable over the public switched telephone network (PSTN) is a backdoor into the system.

2. A dial-up intrusion proceeds like any other kind of intrusion: footprinting, scanning, enumeration, and vulnerability exploitation.
Common tools: ToneLoc and THC-Scan, WarVOX (an open-source, VoIP-based war dialer), PhoneSweep.

7.1 Preparing to dial

1. The first step of a dial-up intrusion is identifying the phone numbers to load into the war dialer. This usually starts with a phone directory, or with a call to the local phone company.

2. Two valuable pieces of information that staff in the communications department can hand to an attacker:

(1) Which exchanges are likely to be valid, giving a starting point for dialing such as 555-555-5555
(2) Calling the company's front desk, or collecting more dialing information from the local telephone company.

3. Countermeasures against information leakage

(1) Avoid unnecessary disclosure of information
(2) Establish close cooperation with the telecom provider
(3) Maintain a valid list of authorized personnel
(4) Require a pre-arranged password for any query about the account.

7.2 War dialing

7.2.1 Hardware

1. Carefully work out the arithmetic of using multiple modems (how many lines are needed for the numbers to be dialed).

2. Two factors that make a dialing job considerably harder:
(1) Targets spread across multiple time zones
(2) Users whose dialing is subject to multiple control restrictions

7.2.2 Legal Issues

War dialing may only be used for legitimate, authorized security audits and directory management.

7.2.3 Marginal cost

When submitting an outline of the war-dialing plan to the business, explain this marginal cost to management.

7.2.4 Software

1. Ease of installation and ease of use need to be considered.

WarVOX is the most challenging to install and has many program bugs, but the accuracy of its footprinting, its call recording, its choice of alternative VoIP providers, and its potential for rapid future development make it a very worthwhile contender.

TeleSweep's advantages are its distributed dialing capability and the flexibility of dialing across multiple time zones, but its registration and licensing are the biggest obstacle, and its price is prohibitive for most users.

2. WarVOX
An attacker normally scans a direct inward dial (DID) block to identify lines before carrier detection.
Remember to set the environment variables in the shell's user profile so that they are available in subsequent logins.

During the analysis phase, WarVOX creates a unique fingerprint for each captured audio sample and keeps it in the database; the command-line tools it provides are used to export, verify, and compare the captured audio.

3. TeleSweep
TeleSweep requires a corporate or university e-mail account for registration; registration through any of the free mail providers is not allowed.

Its most powerful feature is the ability to control multiple war dialers from a secure management server through a single interface, including scheduled scans and multiple modems, which give higher detection accuracy.

It is controlled through objects: for username and password guessing, an object must first be acquired, and the guessing then reuses that object.

At the bottom of the screen, the status of each number is updated in real time, showing its progress and what the system has identified.

When dialing is complete, the total number of calls, the average duration of each call, the total count of numbers, and the breakdown by line type are displayed in the upper part of the screen.

4. PhoneSweep
The most notable features of PhoneSweep are its simple graphical interface, automated scheduling, carrier penetration attempts, multi-modem concurrency, and polished reporting.

It can be configured to stop automatically when it is not needed or outside the defined control window, and to restart in the next permitted period, until all numbers have been scanned or tested for penetrable modems.

If the target responds in a customized way, PhoneSweep may fail to identify it.

PhoneSweep can programmatically launch dictionary attacks against identified modems, and can export call results in different formats.

5. Carrier exploitation techniques
Carriers are not the only interesting information that a war-dial scan can find.
The most detailed site on banner and carrier exploitation techniques is M4phr1k's Wall of Voodoo site, which focuses on the war-dialing community.

7.3 Brute-force scripting: the home-grown way

1. Low-hanging fruit
Whatever list of usernames and passwords you use or consult, it is critical not to spend more time than needed to try all the default IDs and passwords.

2. Single authentication, unlimited attempts
One of the most common tools is ProComm Plus with its ASPECT scripting language.

The hardest part of creating a script is feeding the password or other dictionary variable into the script; the source script file can be generated with QBasic for DOS. The ability to generate log files is an important feature when running brute-force scripts.

3. Single authentication, limited attempts
ATH0 is the typical Hayes modem hang-up command; add code to handle the callback after the specified number of attempts fails and the modem disconnects.

4. Dual authentication, unlimited attempts
5. Dual authentication, limited attempts

7.4 Attacking the PBX

The approach used to attack a PBX is similar to that of a typical dial-up attack.

1. Octel voice network login
In Octel PBXs the system administrator password must be numeric. The dial-in account and the system administrator account may be different, but for ease of use and management administrators often set the two to the same account.

2. Williams/Northern Telecom PBX
This user number is generally a first-level user and requires a four-digit access code.

3. Meridian Links
The management interface uses a regular, restricted shell application to manage the PBX.

4. Rolm PhoneMail
Default account IDs and passwords of the Rolm PhoneMail system:

SysAdmin, password: sysadmin
Tech, password: tech
poll, password: tech

5. PBXs protected by RSA SecurID
The mechanism protecting them may not be breakable: it uses a challenge-response system that requires a token.

Countermeasures against PBX attacks
Keep modems switched on for as short a time as possible, deploy multiple authentication methods, such as two-way authentication where possible, and lock out failed attempts.

7.5 Attacking voice mail

1. Brute-forcing voice mail
Common tools: Voicemail Box Hacker 3.0, VrACK 0.51
Voicemail Box Hacker only allows testing voice mail systems that use one fixed numeric password length, and the version we used cannot be extended.
VrACK is difficult to script; a trusted ASPECT script was used instead to implement the voice mail intrusion.
About voice mail passwords: almost all voice mailbox passwords consist only of the digits 0-9. The drawback of this process is that it is an intrusive attack: you must listen in throughout before the script issues its brute-force commands.

Countermeasures against brute-forcing voice mailboxes
Configure a high security level on the voice mail system you use. Connect the voice mail system to logging, and detect unusual, recurring attempt activity.

2. Attacking direct inward system access (DISA)
Direct inward system access is a remote access service provided by a PBX that allows company employees to make long-distance or international calls at a lower price.
A misconfigured DISA system can give unrestricted access, causing significant financial losses to the company.

The sign of a successful DISA intrusion is that you hear a dial tone.

Countermeasures against DISA attacks
(1) If you need DISA, work with the PBX vendor to ensure that DISA is configured with strong passwords and that the default authorizations are removed.
(2) Use an authentication PIN of at least six digits, lock the account after more than six attempts, and review the call detail records often.
(3) Work with the PBX vendor to prevent special codes from leaking through voice mail prompts, directory services, and extension dialing.
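The voice mail and DISA countermeasures above (a PIN of at least six digits, a lockout after more than six failed attempts, and reviewing logs or call detail records for recurring failed attempts) are small enough to model end to end. The following is an added example, not code from the book or from this blog: the extension numbers, PINs and CDR lines are constructed for the example, and the CDR format is an assumption.

```python
"""Added example (not the book's or the blog's code): a minimal model of the
DISA/voice-mail countermeasures in the notes above: a PIN policy of at least
six digits, a lockout after more than six failed attempts, and a review of
call detail records (CDRs) for recurring failures. Extension numbers, PINs and
the CDR lines are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

MIN_PIN_DIGITS = 6          # "at least six-digit authentication PIN"
MAX_FAILED_ATTEMPTS = 6     # lock after more than six attempts


def pin_is_acceptable(pin: str) -> bool:
    """Policy check: ASCII digits only, long enough, and not a trivial pattern."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < MIN_PIN_DIGITS:
        return False
    if len(set(pin)) == 1:                      # 000000, 777777, ...
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                     # 123456, 654321, ...
        return False
    return True


@dataclass
class DisaGuard:
    """Tracks failed attempts per extension and locks the extension."""
    pins: Dict[str, str]                                   # extension -> PIN
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    locked: Set[str] = field(default_factory=set)

    def attempt(self, ext: str, pin: str) -> str:
        """Returns 'ok', 'denied' or 'locked' for one dial-in attempt."""
        if ext in self.locked:
            return "locked"
        if self.pins.get(ext) == pin:
            self.failures[ext] = 0
            return "ok"
        self.failures[ext] += 1
        if self.failures[ext] > MAX_FAILED_ATTEMPTS:
            self.locked.add(ext)
            return "locked"
        return "denied"


def recurring_failures(cdr_text: str, threshold: int = MAX_FAILED_ATTEMPTS) -> Dict[str, int]:
    """Review CDR lines; return extensions with more than `threshold` failed PIN attempts."""
    counts: Dict[str, int] = defaultdict(int)
    for line in cdr_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])   # skip date and time
        if fields.get("result") == "FAIL":
            counts[fields["ext"]] += 1
    return {ext: n for ext, n in counts.items() if n > threshold}


def demo_lockout() -> List[str]:
    """Seven bad PINs against one extension, then the correct PIN: the last two are locked out."""
    guard = DisaGuard(pins={"2001": "492817"})
    results = [guard.attempt("2001", "000000") for _ in range(7)]
    results.append(guard.attempt("2001", "492817"))
    return results


# Constructed sample CDR: extension 2001 is being guessed, 2002 had a single typo.
SAMPLE_CDR = """\
2024-03-02 01:02:11 ext=2001 result=FAIL
2024-03-02 01:02:19 ext=2001 result=FAIL
2024-03-02 01:02:27 ext=2001 result=FAIL
2024-03-02 01:02:35 ext=2001 result=FAIL
2024-03-02 01:02:43 ext=2001 result=FAIL
2024-03-02 01:02:51 ext=2001 result=FAIL
2024-03-02 01:02:59 ext=2001 result=FAIL
2024-03-02 08:15:02 ext=2002 result=FAIL
2024-03-02 08:15:20 ext=2002 result=OK
"""

if __name__ == "__main__":
    print(demo_lockout())                    # six 'denied', then 'locked' twice
    print(recurring_failures(SAMPLE_CDR))    # {'2001': 7}
```

Note that the lockout is keyed on the extension, not on the calling number, because the PSTN caller ID is not something the PBX can trust; the CDR review is the part a human still has to read, which is why the notes say to look at the call detail records often.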

7.6 Attacking virtual private networks (VPN)

A VPN uses encryption and the Internet to create "tunnels" for private data. Its main advantages are security, low cost, and convenience. IPSec and the Layer 2 Tunneling Protocol (L2TP) are the two best-known VPN "standards"; they supersede the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F).

7.6.1 Basics of IPSec VPNs

1. VPNs come in two types: site-to-site and client-to-site. Every VPN is a private tunnel, built over a less trusted third-party network, that connects two networks.

Site-to-site VPN: the gateway forwards the traffic to the remote site through a secure tunnel; no interaction from the clients is required.
Client-to-site VPN: the client can be a thick client, such as the Cisco VPN client, or a web browser.

2. Authentication and tunnel establishment in IPSec VPNs
IPSec uses the Internet Key Exchange (IKE) protocol for authentication, key setup, and tunnel establishment. IKE has two phases:

(1) IKE Phase 1: its main purpose is to authenticate each party and to establish a secure channel for IKE Phase 2.
(2) Main mode: through three independent two-way handshakes, main mode achieves mutual authentication.
(3) Aggressive mode: only three messages are used, and no secure channel protects the authentication messages, so it is susceptible to eavesdropping attacks.

3. Using Google to attack VPNs
Search: filetype:pcf
The PCF extension is typically used for the profile settings of the Cisco VPN client. All PCF files stored in the target domain can be found with a single search.
Passwords stored in a PCF file can also be used for password replay attacks.

Countermeasures against using Google to attack VPNs
(1) User awareness
(2) An organization can run an annual check of its own site for sensitive information, using the "site:" operator to target the search, and Google Alerts.

4. Probing the IPSec VPN server
Tool: ike-scan
This tool runs on all kinds of operating systems and can be used for IPSec VPN identification and gateway footprinting. ike-scan tells us that the host listens for IPSec VPN connections, identifies which IKE Phase 1 modes it supports, and indicates the hardware used by the remote server.

Tool: IKEProber
It can be used to create arbitrary IKE initiator packets, which is very useful for finding error conditions and identifying the behaviour of the VPN device.

Countermeasures against probing of IPSec VPNs
Access control lists can be used to restrict access to VPN gateways that provide site-to-site connections, but this approach is not feasible for deployed client-to-site VPNs.

6. Attacks on IKE aggressive mode
Tool: IKECrack
This tool brute-forces IPSec/IKE authentication. You first need to determine whether the target server supports aggressive mode.
Tool: IKEProber
An attacker uses a VPN client together with Cain to eavesdrop and make mock connection attempts at the same time.

Countermeasures against attacks on IKE aggressive mode
(1) The best defence against IKE aggressive mode attacks is to stop using it.
(2) Use a token-based authentication mechanism.
(3) Rather than only patching the existing problem, change the key: if the key has been changed before the attacker breaks in, a cracked key no longer lets the attacker connect to the VPN.
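Countermeasure (1) above is only as good as your ability to notice that aggressive mode is still in use. Whether a Phase 1 exchange is main mode or aggressive mode is visible in the clear-text ISAKMP header of every IKEv1 datagram on UDP/500 (exchange type 2 versus 4, per RFC 2408), so a monitoring point in front of the gateway can flag it. The following is an added example, not code from the book, this blog, or any of the tools named above; the packets in CAPTURE are constructed headers with no payloads, and the source addresses are made up.

```python
"""Added example (not the book's or the blog's code): parse ISAKMP/IKEv1 headers
seen on UDP/500 and flag Phase 1 exchanges that use aggressive mode (exchange
type 4), the mode the notes above recommend turning off. The header layout and
exchange-type values are those of RFC 2408; the packets in CAPTURE are
constructed headers only, with no payloads, built for this example.
"""
import struct
from typing import Dict, List, Tuple

# ISAKMP header: I-cookie(8) R-cookie(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) length(4) = 28 bytes, big-endian.
HEADER = struct.Struct(">8s8sBBBBII")

EXCHANGE_TYPES = {
    0: "NONE",
    1: "BASE",
    2: "IDENTITY_PROTECTION",   # IKEv1 main mode
    3: "AUTHENTICATION_ONLY",
    4: "AGGRESSIVE",
    5: "INFORMATIONAL",
}
XCHG_MAIN, XCHG_AGGRESSIVE = 2, 4


def parse_isakmp_header(pkt: bytes) -> Dict[str, object]:
    """Decode the fixed ISAKMP header at the start of a UDP/500 datagram."""
    if len(pkt) < HEADER.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    icookie, rcookie, next_payload, version, xchg, flags, msg_id, length = HEADER.unpack_from(pkt)
    return {
        "initiator_spi": icookie.hex(),
        "responder_spi": rcookie.hex(),
        "next_payload": next_payload,
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange_type": xchg,
        "exchange": EXCHANGE_TYPES.get(xchg, "UNKNOWN"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
        # First Phase 1 message: responder cookie still zero, message ID zero.
        "phase1_first_message": rcookie == bytes(8) and msg_id == 0,
    }


def build_header(exchange_type: int, initiator_spi: bytes = b"\x11" * 8) -> bytes:
    """Constructed header-only IKEv1 message (version 1.0, SA as next payload)."""
    return HEADER.pack(initiator_spi, bytes(8), 1, 0x10, exchange_type, 0, 0, HEADER.size)


def find_aggressive_mode(capture: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (source, initiator SPI) for every aggressive-mode Phase 1 opener."""
    hits = []
    for src, pkt in capture:
        hdr = parse_isakmp_header(pkt)
        if hdr["exchange_type"] == XCHG_AGGRESSIVE and hdr["phase1_first_message"]:
            hits.append((src, hdr["initiator_spi"]))
    return hits


# Constructed capture: one aggressive-mode opener, one main-mode opener, one informational.
CAPTURE = [
    ("192.0.2.10", build_header(XCHG_AGGRESSIVE)),
    ("192.0.2.11", build_header(XCHG_MAIN, initiator_spi=b"\x22" * 8)),
    ("192.0.2.12", build_header(5, initiator_spi=b"\x33" * 8)),
]

if __name__ == "__main__":
    for src, spi in find_aggressive_mode(CAPTURE):
        print(f"aggressive-mode IKE Phase 1 from {src} (initiator SPI {spi})")
```

The same check can run both ways: an aggressive-mode opener arriving at your gateway shows someone is trying that mode, and one leaving your own clients shows a client profile still configured for it.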

7.6.2 Attacking Citrix VPN solutions

1. Citrix software provides access to remote desktops and applications and can be integrated with a Windows environment through Active Directory.

Common types of Citrix deployment:

(1) A complete remote desktop, typically Windows
(2) Commercial off-the-shelf applications
(3) Custom applications

2. Help systems
Two types of help are available in a Citrix environment: help for the Windows operating system and help for specific applications.

3. Microsoft Office
Microsoft Office provides a number of ways to spawn a shell:
(1) The Help system
(2) Printing
(3) Hyperlinks
(4) Save
(5) VBA macros

4. Internet browser
Removing the address bar is a good layered-defence habit, but it does not completely eliminate the risk: the Ctrl+N shortcut can still be used to spawn a new instance.

5. Microsoft games and Calculator
Ways to spawn a shell:
(1) Windows Help
(2) Calculator's "About Calculator"

6. Printing
Ways to open the Print dialog box:
(1) Press Ctrl+P
(2) Press Ctrl+Shift+F12
(3) Right-click and select "Print"

7. Hyperlinks
File:///c:/windows/system32/cmd.exe

8. Internet access
An attacker could create a page on the Internet with a hyperlink pointing at the user's local command prompt, or host cmd.exe or explorer.exe on an Internet site under his control.
Another alternative is to use a file-hosting site to host both programs.
If the system's Group Policy blocks the command-line shell, another possible route is to use the host to obtain a higher-privileged shell.
Tool: iKAT
It pulls out all the stops. It was designed mainly for attacking kiosks, but it can also help "jailbreak" Citrix VPN environments that do not whitelist Internet access.

9. EULA/text editor
Attackers may use the following ways to get to a shell:

Through the Help system
By printing
By clicking a hyperlink
By saving

10. Countermeasures against Citrix attacks
The following guidelines help when deciding whether someone needs access to the Citrix environment:

Can you determine the number of users?
Can you get to know them by name?
If they covertly used a shell on your network, could you still trust them?

7.7 Attacking Voice over IP

1. VoIP describes voice carried over an IP network.

2. At present there are two common open signaling protocols; SIP is the one most commonly used to manage call setup, modification, and teardown.

The other is more easily integrated with the public switched telephone network.

SIP is an Internet Engineering Task Force (IETF) protocol that is not limited to voice traffic; it runs on TCP/UDP port 5060 and uses a set of methods and response codes to set up and tear down sessions.

The Real-time Transport Protocol (RTP) carries the encoded voice traffic, and its companion Real-time Control Protocol (RTCP) provides call statistics and control information for RTP streams; it is mainly used to monitor data delivery and adjust quality-of-service parameters.

3. One of the main differences between a VoIP deployment and a traditional voice network built around a PBX is that the RTP stream does not need to cross any voice infrastructure: it is exchanged directly between the endpoints, that is, RTP runs phone to phone.

4. Attacking VoIP
Network QoS is the key factor determining the quality of a VoIP system.
(1) SIP scanning
When a SIP proxy or other SIP device is targeted, this discovery process is called SIP scanning.

Common tools: SiVuS
This tool supports Windows and Linux and has a graphical user interface. Also used is a command-line SIP toolkit written in Python, whose svmap.py tool is a SIP scanner.

Preventive measures against SIP scanning
The VoIP network must be isolated from the user access segment to prevent direct attacks on SIP systems.

5. Plundering TFTP for VoIP treasures
TFTP is the perfect example of security through obscurity: to download a specific file, all you need to know is its file name.

Countermeasures against plundering TFTP
Implement access restrictions at the network layer.
Configure the TFTP server so that it only accepts connections from known static IP addresses.
Centralized controls that achieve the same purpose:
(1) Disable access to the settings menu on the device
(2) Disable the web server on the IP phone
(3) Use signed configuration files to prevent configuration tampering

6. Enumerating VoIP users
The 4-6 digit extension is often used as one half of the authentication credential, the other half being a 4-6 digit PIN. VoIP extensions can be identified easily by observing the server's responses, since SIP is a human-readable request/response protocol.

7. Automated user enumeration
Tool: SIPVicious
The svwar.py tool supports the OPTIONS, REGISTER, and INVITE user enumeration techniques and can also probe user-defined extension ranges or dictionary files.

Countermeasures against VoIP enumeration
Separate the VoIP segment from the user network segment, or deploy an IDS/IPS system where IT policy is enforced.

8. "Interception" attacks
The attack first requires an understanding of the signaling protocols (SIP, Skinny, and UNIStim) as well as the RTP media stream.
Common tools: vomit, VoIP Hopper, etc.

Countermeasures against "interception" attacks
Firewalls can and should be deployed to protect the core of the VoIP infrastructure;
make sure that IP phones are only allowed to download signed configuration and firmware, and that they use TLS to authenticate the server.

9. Denial-of-service attacks
A signaling flood can be created by sending a large number of bogus calls, overwhelming a phone with a large amount of useless traffic.
The INVITEFLOOD tool requires hack_library and is used for denial-of-service attacks. It simply overwhelms the target with SIP INVITE requests.

Countermeasures against SIP INVITE floods
The first item on the security checklist should be to make sure that the voice VLAN and the data VLAN are separated at the network segment level.
Authenticate and encrypt all SIP traffic, and deploy an IDS/IPS system to detect and block attacks.
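Two of the countermeasures above (IDS/IPS against user enumeration in section 7, and against INVITE floods in section 9) come down to the same kind of logic over the SIP proxy's log: because SIP is a human-readable request/response protocol, an enumeration sweep shows up as one source addressing many distinct users and sorting them by the 401/404 it gets back, and a flood shows up as an INVITE rate no phone would produce. The following is an added example, not code from the book or this blog: the log line format, the addresses, the thresholds and the sample traffic are all constructed for the example.

```python
"""Added example (not the book's or the blog's code): detection logic for two
SIP abuse patterns from the notes above, run over constructed SIP proxy log
lines: user enumeration (one source probing many distinct users and sorting
extensions by the 401/404 responses it gets back) and an INVITE flood (far
more INVITEs per second from one source than any phone would place). The log
format, addresses and thresholds are assumptions made for this example.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f"


def fmt_line(ts: datetime, src: str, method: str, user: str, code: int) -> str:
    return f"{ts.strftime(TS_FMT)} src={src} method={method} user={user} code={code}"


def parse_sip_log(text: str) -> List[dict]:
    """One dict per line: ts, src, method, user, code."""
    events = []
    for line in text.splitlines():
        ts_str, *kvs = line.split()
        ev = dict(kv.split("=", 1) for kv in kvs)
        ev["ts"] = datetime.strptime(ts_str, TS_FMT)
        ev["code"] = int(ev["code"])
        events.append(ev)
    return events


def detect_enumeration(events: List[dict], min_users: int = 10) -> Dict[str, dict]:
    """Sources that addressed at least `min_users` distinct users, with their response mix."""
    users = defaultdict(set)
    codes = defaultdict(Counter)
    for ev in events: 
        users[ev["src"]].add(ev["user"])
        codes[ev["src"]][ev["code"]] += 1
    return {src: {"distinct_users": len(u), "codes": dict(codes[src])}
            for src, u in users.items() if len(u) >= min_users}


def detect_invite_flood(events: List[dict], window: timedelta = timedelta(seconds=1),
                        threshold: int = 20) -> Dict[str, int]:
    """Peak INVITE count per source inside any `window`; sources above `threshold` are flagged."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] != "INVITE":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q[0] < ev["ts"] - window:      # drop INVITEs older than the window
            q.popleft()
        peak[ev["src"]] = max(peak[ev["src"]], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


def build_sample_log() -> str:
    """Constructed log: one normal registration, an enumeration sweep, an INVITE flood."""
    t0 = datetime(2024, 3, 2, 10, 0, 0)
    lines = [fmt_line(t0, "10.0.5.21", "REGISTER", "1001", 200)]
    # 198.51.100.7 walks extensions 1000-1029; only 1001 and 1002 exist (401), the rest 404.
    for i in range(30):
        user = str(1000 + i)
        code = 401 if user in ("1001", "1002") else 404
        lines.append(fmt_line(t0 + timedelta(seconds=i), "198.51.100.7", "REGISTER", user, code))
    # 203.0.113.9 sends 120 INVITEs 20 ms apart (2.4 s in total).
    for i in range(120):
        lines.append(fmt_line(t0 + timedelta(milliseconds=20 * i), "203.0.113.9", "INVITE", "1001", 100))
    return "\n".join(lines)


SAMPLE_EVENTS = parse_sip_log(build_sample_log())

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_EVENTS))    # 198.51.100.7: 30 users, {401: 2, 404: 28}
    print(detect_invite_flood(SAMPLE_EVENTS))   # {'203.0.113.9': 51}
```

The response mix is the telling part of the enumeration report: a proxy that answers 401 for existing extensions and 404 for unknown ones is handing out the user list, which is why the countermeasure is isolation plus IDS rather than relying on the proxy's own behaviour.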

Chapter 8: Wireless attacks

Today's wireless networks are defined by the IEEE 802.11 standard, also known by the abbreviation Wi-Fi (Wireless Fidelity).

Modern war-driving scanning systems are used to carry out the most up-to-date attack methods.

8.1 Background

The Institute of Electrical and Electronics Engineers (IEEE) publishes the 802.11 standard, which specifies WLANs.

8.1.1 Frequencies and channels

1. The general wireless band in use is the industrial, scientific and medical (ISM) band.

2. 802.11 can operate in the ISM band at 2.4 GHz or 5 GHz, and an 802.11n device can define which bands it runs in.

3. In the 5 GHz band, all channels are non-overlapping.

8.1.2 Session establishment

Two main types of wireless networks:

Infrastructure network
An access point is required to bridge the communication between clients and servers across the wireless and wired networks.
Ad hoc network
Runs in peer-to-peer mode without an access point.

8.1.3 Security mechanisms

1. The basic security mechanisms are the same ones that can be used on wired networks.

2. Basic mechanisms

MAC filtering
"Hidden" wireless networks
Responding to broadcast probe requests

3. Authentication
The purpose of authentication is not only to establish the identity of the client but also to generate a key for the session encryption process. Both authentication and encryption take place at layer 2 of the OSI model, before the user obtains an IP address.

Wi-Fi Protected Access, or WPA. WPA indicates that the device is certified to support at least the Temporal Key Integrity Protocol (TKIP); WPA2 indicates that the certified device must support both TKIP and the Advanced Encryption Standard (AES).

Two types of WPA:

WPA Pre-Shared Key (WPA-PSK)
WPA Enterprise

4. Encryption
Three available wireless encryption options:

Wired Equivalent Privacy (WEP)
Temporal Key Integrity Protocol (TKIP)
Advanced Encryption Standard (AES)

8.2 Equipment

8.2.1 Wireless cards

1. Chipset
Needed to gain more control over the wireless card.

2. Band support
It is important to select a wireless card that supports both 2.4 GHz and 5 GHz.

3. Antenna support

4. Interface
The interface of the wireless card determines how flexibly it can be installed.

8.2.2 Operating system

1. Stick with BackTrack, run from a LiveCD, to launch all attacks.

8.2.3 Other items

1. Antennas
By directivity, antennas are divided into:

Directional antennas: only suitable for communicating with fixed locations
Multi-directional antennas: the receiving range is usually slightly smaller than that of other antennas of the same power
Omni-directional antennas: transmit and receive signals in any direction, providing the widest reception angle

2. GPS

3. Access points (AP)
Common products: OpenWrt or DD-WRT, which can turn an access point into a complete attack device.

8.3 Discovery and monitoring

In 802.11 the source and destination addresses of data frames are never encrypted.

8.3.1 Discovering wireless networks

1. Active discovery
It was more commonly used in earlier wireless hacking attacks.

Countermeasures against active discovery
Disable this option when configuring the access point.

2. Passive discovery
A passive discovery tool lists the BSSIDs found in the access point's beacons and marks an SSID it cannot see as unknown.

Discovery tools: Kismet, airodump-ng

Protecting against passive discovery
The risk can only be mitigated: shield exterior windows and walls against wireless signal leakage,
and reduce the output power of the access point so that the wireless signal covers only a limited area.

8.3.2 Eavesdropping on wireless traffic

Thwarting wireless eavesdropping
Implement encryption at the 802.11 layer and use higher-layer encryption as well to raise the level of protection.

8.4 Denial-of-service attacks

Deauthentication attacks
Spoof a "deauthentication" frame from the client to the access point, and in turn spoof a "deauthentication" frame from the access point to the client.

Defending against deauthentication attacks
Build a custom client whose wireless card driver, on receiving a deauthentication frame, disconnects and quickly reconnects to a different access point in the company.
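Since 802.11 management frames, including deauthentication frames, carry their addresses in the clear, the attack above is also easy to see from a monitoring card: a burst of deauthentication frames for one BSSID, typically addressed to the broadcast MAC, in a window of a couple of seconds. The following is an added example of that wireless-IDS check, not code from the book or this blog; the frame header layout and subtype values are those of IEEE 802.11, while the frames in CAPTURE, the MAC addresses, the timings and the thresholds are constructed for the example.

```python
"""Added example (not the book's or the blog's code): a wireless IDS-style check
for the deauthentication attack described above. It decodes 802.11 management
frame headers (frame control, addresses, and the reason code of
deauthentication/disassociation frames) and flags a BSSID that is the subject
of a burst of deauthentication frames, especially frames addressed to the
broadcast MAC. The frames in CAPTURE are constructed for this example; the
header layout and subtype values are those of IEEE 802.11.
"""
import struct
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

MGMT_HDR = struct.Struct("<BBH6s6s6sH")  # FC0, FC1, duration, addr1, addr2, addr3, seq-ctl
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x08, 0x0A, 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_mgmt_frame(frame: bytes) -> Optional[dict]:
    """Decode a management frame header; return None for control/data frames."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc0, fc1, duration, a1, a2, a3, seq = MGMT_HDR.unpack_from(frame)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4      # FC0 = subtype(4) | type(2) | version(2)
    if ftype != 0:
        return None
    info = {"subtype": subtype, "dst": _mac_str(a1), "src": _mac_str(a2),
            "bssid": _mac_str(a3), "seq": seq >> 4}
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= MGMT_HDR.size + 2:
        info["reason"] = struct.unpack_from("<H", frame, MGMT_HDR.size)[0]
    return info


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, seq: int = 0,
                     reason: Optional[int] = None) -> bytes:
    """Constructed management frame: header plus an optional 2-byte reason code."""
    hdr = MGMT_HDR.pack(subtype << 4, 0, 0, _mac_bytes(dst), _mac_bytes(src), _mac_bytes(bssid), seq << 4)
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")


def detect_deauth_flood(capture: List[Tuple[float, bytes]], window_s: float = 2.0,
                        threshold: int = 10) -> Dict[str, dict]:
    """Per BSSID: peak deauth/disassoc count inside `window_s`; report those above `threshold`."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    broadcast: Dict[str, int] = defaultdict(int)
    reasons: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for t, frame in sorted(capture, key=lambda x: x[0]):
        info = parse_mgmt_frame(frame)
        if info is None or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        bssid = info["bssid"]
        q = recent[bssid]
        q.append(t)
        while q[0] < t - window_s:               # drop frames older than the window
            q.popleft()
        peak[bssid] = max(peak[bssid], len(q))
        broadcast[bssid] += 1 if info["dst"] == BROADCAST else 0
        reasons[bssid][info.get("reason", -1)] += 1
    return {b: {"peak": n, "broadcast": broadcast[b], "reasons": dict(reasons[b])}
            for b, n in peak.items() if n > threshold}


AP = "00:11:22:33:44:55"          # constructed
CLIENT = "66:77:88:99:aa:bb"      # constructed
# Constructed capture: 40 broadcast deauths (reason 7) "from" the AP within 2 s,
# one beacon, and one ordinary deauth from a client that is leaving (reason 3).
CAPTURE: List[Tuple[float, bytes]] = [(0.1, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP))]
CAPTURE += [(i * 0.05, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, seq=i, reason=7))
            for i in range(40)]
CAPTURE.append((5.0, build_mgmt_frame(SUBTYPE_DEAUTH, AP, CLIENT, AP, seq=3, reason=3)))

if __name__ == "__main__":
    print(detect_deauth_flood(CAPTURE))    # {AP: {'peak': 40, 'broadcast': 40, 'reasons': {7: 40, 3: 1}}}
```

A single deauthentication with a "station is leaving" reason is normal; forty of them to the broadcast address in two seconds, all with the same reason code, is not something an access point does on its own, which is what the broadcast count and reason histogram in the report are for.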

8.5 Cryptographic attacks

1. WEP
Cracking WEP relies on collecting large amounts of data (initialization vectors or specific types of data frames).

2. ARP replay attack using fake authentication
An ARP replay attack finds the network's WEP key within five minutes.
Fake authentication attack: the ARP request sent to the access point must come from a valid wireless client, so the attack first establishes this virtual connection.

A fake authentication attack establishes a connection to the access point but never sends real data.

Countermeasures against WEP attacks
(1) Disable it
(2) Rely on encryption at higher network protocol layers

8.6 Authentication attacks

The target of an authentication attack is the process in which the user presents identity credentials and the user's identity is then inferred from them.

8.6.1 WPA pre-shared key

1. Obtaining the four-way handshake
Either wait passively and eavesdrop on a handshake, or use a deauthentication attack to kick a legitimate client off the wireless network and eavesdrop on the four-way handshake when the client reconnects.

2. Brute-force cracking
You can use:

aircrack-ng
Rainbow tables
GPU cracking

3. WPA-PSK risk control
The security of WPA-PSK depends on the complexity of the chosen pre-shared key and on the integrity of the user's network protection.
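The statement that WPA-PSK security depends on the complexity of the pre-shared key can be put in numbers. WPA/WPA2-PSK derives the pairwise master key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits) per IEEE 802.11i, so each guess against a captured handshake costs a fixed 4096 HMAC rounds, the SSID salts the derivation (which is why rainbow tables, as listed above, have to be built per SSID), and the only variable the defender controls is the size of the passphrase space. The following is an added example, not code from the book or this blog; the guess rates and passphrase shapes are assumptions chosen for illustration.

```python
"""Added example (not the book's or the blog's code): what "the security of
WPA-PSK depends on the complexity of the pre-shared key" means in numbers.
WPA/WPA2-PSK derives the pairwise master key as
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
(IEEE 802.11i), so every guess costs a fixed 4096 HMAC rounds, the SSID acts as
a salt (rainbow tables are per-SSID), and the only variable left is the size
of the passphrase space. The guess rates used below are assumptions.
"""
import hashlib
import math


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols from `charset_size`."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of that shape at a given PMK rate."""
    return charset_size ** length / guesses_per_second


def compare_passphrase_shapes(guesses_per_second: float) -> dict:
    """Exhaustion time in years for a few common shapes (assumed charsets)."""
    year = 365 * 24 * 3600
    shapes = {
        "8 lowercase letters": (26, 8),
        "8 mixed letters+digits": (62, 8),
        "12 mixed letters+digits": (62, 12),
        "20 printable ASCII": (95, 20),
    }
    return {name: seconds_to_exhaust(n, k, guesses_per_second) / year
            for name, (n, k) in shapes.items()}


if __name__ == "__main__":
    # IEEE 802.11i reference vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: a different PMK, so a table built for one SSID
    # is useless against another.
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "ieee"))
    # Assumed 100k PMK derivations per second, a GPU-class rate for illustration.
    for name, years in compare_passphrase_shapes(100_000).items():
        print(f"{name:28s} {years:12.3g} years")
```

The point of the comparison table is the one the notes make: the handshake capture and the derivation are the attacker's fixed costs, and a passphrase drawn from a large enough space is the only thing that makes the remaining search impractical.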

8.6.2 WPA Enterprise

1. Identifying the EAP type
A good way to identify the EAP type the client is using is to observe the communication between the client and the access point during the initial EAP handshake.

2. LEAP
The Lightweight Extensible Authentication Protocol (LEAP) sends its MS-CHAPv2 challenges and responses across the wireless network, where they can be captured.

3. Protecting against LEAP
Use EAP-TTLS or PEAP on the network instead.

4. EAP-TTLS and PEAP
EAP-TTLS and PEAP are the two most commonly used EAP types. What they have in common:

Both establish an unauthenticated TLS tunnel between the wireless client and the RADIUS server on the wired side. The TLS tunnel is established so that the client can send its identity credentials through an insecure inner authentication protocol.
The attacker's goal is to obtain the data inside this tunnel and the inner authentication protocol.

5. Protecting EAP-TTLS and PEAP
A simple check box and an input field provide the protective settings:
Validate all server certificates on wireless clients that use EAP-TTLS or PEAP.
Force the client to ignore any RADIUS server that is not explicitly allowed by ticking the check box and setting the common name expected on the certificate.

Chapter 9: Hardware attacks

9.1 Physical access: getting in the door

1. Bump keys
A bump key can help an attacker open almost any lock of the same type with one common key. It exploits Newtonian physics: a standard key lines up the lock pins so that the user can turn the key.

Countermeasures against bump keys
Side pins provide multiple layers of protection.
Multiple-lock devices, video surveillance, security guards, and alarms can also be used to defend against physical attacks.

2. Cloning access cards
Two common types of card: magnetic stripe cards and RFID cards

Attacking magnetic stripe cards
Brute-forcing the data on the card is a quick way to break into a system or bypass access control.

Attacking RFID cards
Common methods:
(1) Use pre-assembled card reader devices and kits with the corresponding cloning devices.
(2) Use Proxmark3 hardware
(3) Use general-purpose software-defined radio hardware.

Countermeasures against cloned cards
Use a fully encrypted challenge-response algorithm to protect against cloning, replay, and other attacks.

9.2 Hacking devices

1. Bypassing ATA password security
ATA security is a common corporate measure that protects stolen notebooks from being accessed illegally. The ATA security mechanism requires the user to enter a password before the BIOS reads the hard drive.

The simplest approach is to hot-plug the hard disk into a system on which the ATA security feature is disabled.

Countermeasures against ATA hacking
Do not rely on the ATA password to protect the drive or to keep its contents from being accessed.
Use full-disk encryption to protect all content on the drive, or the content of a sensitive partition.

2. USB U3 hacking
One of the easiest ways to break into a system is to use a USB flash drive that complies with the U3 standard.

Hackers can use the tools provided by the manufacturer to write malicious programs to the U3 partition, so that the malicious program runs with the rights of the currently logged-on user.

The most common attack is to read the login password hashes from the local Windows password hash file or to install a Trojan for remote control.

Countermeasures against U3 attacks
(1) Disable the system's Autorun function as discussed at http://support.microsoft.com/kb/953252
(2) Hold down the SHIFT key before inserting the USB device, which prevents Autorun from running the default program.

9.3 Dangers of default configurations

9.3.1 Using the factory default settings

A standard Metasploit module allows easy intrusion into an Eee PC notebook in its factory configuration.

9.3.2 Risks of standard passwords

Non-embedded routers: the same default password is used for every device in the product line.

An attacker could use cross-site request forgery to log on to the router and modify its configuration so that users are routed to malicious DNS and other servers.

9.3.3 Dangers of Bluetooth devices

Hacking tool: Ubertooth

9.4 Reverse engineering attacks on hardware

9.4.1 Obtaining the device's circuit diagram

1. Removing the physical protection

2. Identifying the IC chips
Using a search engine to identify the IC chips is the first step in understanding an embedded system. The components include:

Microcontrollers
EEPROMs
FPGAs

9.4.2 Sniffing data on the bus

Data on the bus can easily be intercepted, replayed, and subjected to "man-in-the-middle" attacks. The only exception is a content digital rights management system such as HDMI-HDCP.

9.4.3 Sniffing data on the wireless interface

The first step in attacking a wireless interface is to identify the device's FCC ID. The ID consists of a three-character applicant (grantee) code and a variable-length product number.

Symbol decoding is an efficient decoding method: it extracts the underlying bitstream from the wireless channel in the same way that data is parsed from a physical bus.

9.4.4 Reverse engineering the firmware

Studying the firmware file yields a lot of information about the device: default passwords, management ports, or debug interfaces. The most convenient way is to use a hex editor.

Other common tools: IDA Pro, the Unix strings command
Other attack directions: look for backdoor code written for testing purposes before development was complete, typically in physical interface sections, specially structured debug interfaces, diagnostic and serial ports, and some unused program code.

9.4.5 ICE tools

In-circuit emulation can help us test the internal circuitry of the hardware in a static or dynamic environment.
Common tools: the MPLAB toolkit for the common PIC microcontroller series, AVR JTAGICE
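The `strings` step just described is the same one a vendor can run on its own image before shipping, to catch the default passwords, debug switches, serial consoles and leftover test shells the paragraph above says attackers go looking for. The following is an added example, not code from the book or this blog: it reimplements the printable-run extraction that `strings` performs and adds a keyword pass on top. CONSTRUCTED_FIRMWARE is a fake image built for the example (non-printable filler with a few embedded strings), and the keyword patterns are an assumed starting list, not an exhaustive one.

```python
"""Added example (not the book's or the blog's code): the `strings` step from
the firmware section above, with a keyword pass on top, so a firmware image
can be audited for leftover default credentials, debug switches, serial
consoles and network shells before it ships. CONSTRUCTED_FIRMWARE is a fake
image built for this example (non-printable filler with a few embedded
strings); the keyword patterns are assumptions, not an exhaustive list.
"""
import re
from typing import Dict, List, Tuple

# (tag, pattern) applied to each extracted string; tags are reported in this order.
PATTERNS = [
    ("credential",   re.compile(r"passw|admin:|root:|secret|api[_-]?key", re.I)),
    ("remote-shell", re.compile(r"telnetd|dropbear|sshd|/bin/sh", re.I)),
    ("serial-port",  re.compile(r"/dev/tty|uart|console=", re.I)),
    ("debug",        re.compile(r"debug|diag|factory[_ ]?test|backdoor", re.I)),
]


def extract_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """(offset, text) for every run of at least `min_len` printable ASCII bytes,
    which is what `strings -n <min_len>` prints."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def audit_firmware_strings(blob: bytes) -> List[Dict[str, object]]:
    """Extracted strings that match at least one pattern, with their offsets and tags."""
    findings = []
    for offset, text in extract_strings(blob):
        tags = [tag for tag, rx in PATTERNS if rx.search(text)]
        if tags:
            findings.append({"offset": offset, "text": text, "tags": tags})
    return findings


FILLER = bytes([0x00, 0x01, 0x02, 0xFF, 0xFE, 0x80]) * 20     # 120 bytes, nothing printable
# Constructed fake image: two harmless strings and four that an audit should flag.
CONSTRUCTED_FIRMWARE = (
    FILLER + b"Copyright (c) ExampleVendor 2024\x00"
    + FILLER + b"lib/libc.so.0\x00"
    + FILLER + b"admin:admin\x00"
    + FILLER + b"/dev/ttyS0\x00"
    + FILLER + b"telnetd -l /bin/sh\x00"
    + FILLER + b"DEBUG_SHELL_ENABLED\x00"
    + FILLER
)

if __name__ == "__main__":
    for f in audit_firmware_strings(CONSTRUCTED_FIRMWARE):
        print(f"0x{f['offset']:06x}  {', '.join(f['tags']):14s} {f['text']}")
```

On a real image the interesting part is usually the offset: a credential string sitting next to a `/dev/tty` string points at the serial console login the notes mention, and the hex editor or IDA Pro is the next stop.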

Summary

This week I read chapters 7, 8 and 9 of "Hacking Exposed", which are mainly about infrastructure attacks: the attack methods and prevention measures for telephone and VoIP attacks, wireless attacks, and hardware attacks respectively. Through this part of the reading I have gained a general understanding of the means and methods of attacking infrastructure; I can say that the knowledge in this part was completely unfamiliar to me.
The book introduces a lot of attack methods, but since this kind of attack also needs hardware and other facilities, there is no way to carry out some of the book's attack methods in a short time. This book can be used as a tool and a manual, and re-reading it at any time will bring a different understanding. For all of the reading of the latter part of the book, I can only understand the relevant theoretical knowledge for now; the practical part will be practiced step by step, in depth, in my future information security learning.

