Reading notes: "Hacking Exposed" (6/8)

Source: Internet
Author: User
Tags: root access, ssh, server

Chapter 11: Attacking Mobile Devices
11.1 Attacking Android

1. The Open Handset Alliance (OHA) is mainly responsible for the development of Android. Android is positioned as "the first complete, open and free mobile platform".

2. The biggest security problem Android faces is fragmentation.

3. Another important feature of Android lies at its core: the Linux kernel.

4. Penetration-testing programs that interact with the underlying operating system: nmap and tcpdump.

  • The Native Development Kit (NDK) allows developers to build libraries from native code.
  • This enables third-party vendors to provide applications that need access to the underlying operating system.

11.1.1 Android Basics

1. Features of the Android architecture:

  • An ARM cross-compiled Linux kernel provides the bridge between the hardware and the rest of the system components.
  • One of the most important and characteristic components is the Dalvik virtual machine: each application runs in its own Dalvik VM instance.
  • The next architectural layer is the application framework, a set of software components that help developers create Android apps, including support for building user interfaces and for services that run in the background.

2. SQLite is the SQL database engine; most applications use SQLite for persistent storage on the device, often without any corresponding security measure to protect the confidentiality of that data.

3. At the system and kernel level, Android provides an application sandbox that uses Linux user-based protection to identify and isolate application resources.

System security practices provided:

  • Full system encryption
  • The system partition is mounted read-only by default

Android provides a number of security mechanisms that make memory-corruption vulnerabilities harder to exploit:

  • Address space layout randomization (ASLR)
  • NX bits mark certain memory regions non-executable, which prevents code execution in protected areas such as the stack and heap
  • A permission model that controls access to protected APIs for sensitive or private data and features
  • All applications must be signed with a certificate; in practice this is a certificate held by the application developer
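The ASLR and NX entries above are properties that can be verified on a native binary rather than taken on trust. The following Python script is an added example (not code from the book or from these notes): it parses the ELF64 header and program headers of a file, such as a native library shipped inside an APK, and reports whether the binary is position-independent (ET_DYN, which is what lets ASLR relocate it) and whether its PT_GNU_STACK entry marks the stack non-executable. The constants are the standard ELF values; build_elf64 is a helper that constructs synthetic, non-loadable ELF images purely so the parser can be exercised offline.

```python
import struct
import sys

# Standard ELF constants (System V ABI values as used by Linux/Android loaders)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X = 0x1
EM_AARCH64 = 0xB7
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte little-endian ELF64 header
PHDR = struct.Struct("<IIQQQQQQ")           # 56-byte ELF64 program header


def elf_mitigations(data):
    """Report PIE and NX status of a little-endian ELF64 image supplied as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    # With no PT_GNU_STACK entry the loader falls back to an executable stack.
    stack_present, stack_exec = False, True
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            stack_present = True
            stack_exec = bool(p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,              # ET_DYN executables get relocated by ASLR
        "nx": stack_present and not stack_exec,
        "gnu_stack_present": stack_present,
    }


def build_elf64(e_type, stack_flags=None):
    """Constructed, non-loadable ELF64 image used only to exercise the parser."""
    phdrs = [(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, e_type, EM_AARCH64, 1, 0x401000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            print(elf_mitigations(f.read()))
    else:
        # Constructed images: a hardened build (PIE, RW stack) and a legacy build
        print("hardened:", elf_mitigations(build_elf64(ET_DYN, 6)))
        print("legacy  :", elf_mitigations(build_elf64(ET_EXEC)))
```

Run it with the path of an unpacked lib/*.so to see the two flags for a real library; without arguments it reports on the two constructed images.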

4. Useful Android tools:

Android Emulator

  • Lets users customize, develop and test Android applications on a single computer.
  • Limitations: cannot make real phone calls or send real text messages, and does not support key device features (Bluetooth, camera/video input).

Android Debug Bridge (ADB)

  • Provides communication with the emulator or a physical device.

Dalvik Debug Monitor Server (DDMS)

  • DDMS is a debugging tool that connects through ADB.
  • It can forward ports, capture the device screen, read log output via logcat, and send simulated location data, SMS messages and phone calls to the device/emulator.
  • It also provides memory-management information such as threads and heaps.

Other tools

  • The Android logging system, or logcat, lets you collect and view system debug information.
  • sqlite3 lets you view the SQLite databases created by Android apps.

11.1.2 Attacking your Android

1. Rooting (jailbreaking): exploiting a vulnerability in the installed system so that the user gains administrator (root) privileges.

Root privileges can also be obtained by flashing a custom system image that grants root by default.

2. Common rooting tools:

  • SuperOneClick
  • Z4Root
  • GingerBreak

3. Useful apps on rooted Android devices

Superuser

  • Controls which programs may execute commands on your device with root privileges.

ROM Manager

  • Installs a custom ROM to get the latest version of Android.

Market Enabler

  • Temporarily changes the SIM issuer code so that a fake location and carrier network can be used.

ConnectBot

  • Executes shell commands remotely.

Screenshot

  • Simply shaking the device captures the screen.

ES File Manager

  • Can decompress and create encrypted ZIP files, access your PC over Wi-Fi, and works as an SMB/FTP client and Bluetooth file-transfer tool.

SetCPU

  • Overclocks or underclocks the processor under specific configuration profiles.

4. Native apps on Android

Built using a cross-compiler: cross-compilation runs a compiler on one platform to produce executable code for another platform.

5. Installing useful native binaries on a rooted Android device

Some precompiled binaries can be downloaded directly from the web.

BusyBox

  • A UNIX toolkit providing commands such as tar, dd and wget. A tool is invoked by passing its name as an argument to busybox.

tcpdump

  • Captures and displays packets transmitted over the network; it can be used as a sniffer to capture traffic and store it in a pcap file.

Nmap

  • Sends packets to reachable devices and analyses the responses to identify specific details about them.

Ncat

  • A versatile tool for reading and writing data across the network from the command line and establishing a variety of remote network connections.

6. Trojan horse programs

They use the same icon or name as the original application to deceive the user. The malicious code is hidden inside a legitimate application and executes together with the legitimate program.

7. The two most important parts of an APK file

  • Manifest (global configuration): a binary-encoded XML file.
  • classes.dex: the compiled code, a Dalvik executable.

Application components

  • Broadcast receivers
  • Services

11.1.3 Attacking other Androids

Common remote Android attacks

1. Remote shell via WebKit

    • The attack is essentially a hand-crafted HTML file which, when fetched from a web server with the default Android web browser, returns a remote shell to port 222 on the IP address 10.0.2.2.

Countermeasures against WebKit floating-point vulnerability:

    • Get the latest version of Android for your device
    • Install anti-virus software on your device

2. Getting root access on Android: RageAgainstTheCage (RATC)

    • Common tools: Exploid, RageAgainstTheCage

Countermeasures against RATC Vulnerability:

    • Get the latest version of Android for your device
    • Install anti-virus software on your device

3. Data theft vulnerability

    • Another attack that can be performed remotely is data theft, in which a malicious site steals data and files stored on the SD card and on the device.

Countermeasures against data theft vulnerabilities:

    • Get the latest version of Android for your device
    • Install antivirus software on your device
    • Temporarily turn off JavaScript in the default Android web browser
    • Use a third-party browser such as Firefox or Opera
    • Unmount the /sdcard partition to protect the stored data so that it is not available when the device is attacked

4. Remote shell with zero permissions

Another way to attack Android devices is to circumvent Android's security feature: the permission-based security model.

Performing a specific behaviour without holding the corresponding permission:

    • REBOOT
      Rebooting is a special privilege: it has the "system or signature" protection level, which is granted only to applications installed in the /system/app partition.
    • RECEIVE_BOOT_COMPLETED
      Must be used with a receiver that listens for the BOOT_COMPLETED intent.
      The way to bypass this permission: do not declare it in the manifest file; as long as the receiver is defined, the application's start-up code runs automatically.
    • INTERNET: by using the default browser, data can be sent to a remote server without holding the permission.
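The manifest is where the permission requests and boot receivers described above are declared, so one way to act on the "investigate the application" countermeasure is to audit it before installing. The Python script below is an added example, not code from the book: it reads an AndroidManifest.xml that has already been decoded to plain XML (the copy inside an APK is binary XML, which tools such as apktool convert), lists the requested permissions, finds receivers registered for BOOT_COMPLETED, and flags a REBOOT request and any boot receiver that lacks the matching RECEIVE_BOOT_COMPLETED declaration. SAMPLE_MANIFEST and its package name are constructed input for the self-test.

```python
import json
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # ElementTree spells android:name this way
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
REBOOT_PERM = "android.permission.REBOOT"

# Constructed manifest for the self-test (already decoded from binary XML to text).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REBOOT"/>
  <application android:label="Constructed Sample">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".OtherReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BATTERY_LOW"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Summarise permission requests and boot-time receivers, with review findings."""
    root = ET.fromstring(xml_text)
    perms = sorted({el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)})

    # A receiver "listens for" an intent when one of its intent-filters names that action.
    boot_receivers = []
    for recv in root.iter("receiver"):
        actions = {a.get(NAME) for a in recv.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(recv.get(NAME))

    findings = []
    if REBOOT_PERM in perms:
        findings.append("requests REBOOT, a signature/system-level permission "
                        "normally granted only to /system/app packages")
    if boot_receivers and BOOT_PERM not in perms:
        findings.append("receiver(s) %s listen for BOOT_COMPLETED without declaring "
                        "RECEIVE_BOOT_COMPLETED" % ", ".join(boot_receivers))
    elif boot_receivers:
        findings.append("starts at boot via receiver(s) %s" % ", ".join(boot_receivers))

    return {"package": root.get("package"), "permissions": perms,
            "boot_receivers": boot_receivers, "findings": findings}


def audit_file(path):
    """Audit a decoded AndroidManifest.xml on disk."""
    with open(path, encoding="utf-8") as f:
        return audit_manifest(f.read())


if __name__ == "__main__":
    report = audit_file(sys.argv[1]) if len(sys.argv) == 2 else audit_manifest(SAMPLE_MANIFEST)
    print(json.dumps(report, indent=2))
```

The output is a review aid, not a verdict: a boot receiver or a REBOOT request is legitimate for some system packages, so each finding is something to explain before installing, which is exactly the "investigate the application" step.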

Countermeasures against zero-permission attacks:

    • Investigate the applications to be installed and their developers, read their reviews and gauge user awareness, and try to identify suspicious applications.

5. Capability leak attacks

Capability leaks: another way to bypass the permission-based security model is to exploit permissions leaked by other applications.
Types of capability leaks:

    • Explicit
    • Implicit

Countermeasures against capability leaks:

    • Investigate the applications to be installed and their developers, read their reviews and user comments, and try to identify suspicious applications.

6. Malware from URLs. Countermeasures against malware from URLs:

    • Open Settings | Applications and deselect the "Unknown sources" option.

7. Skype data exposure

Another way to attack Android is to exploit vulnerabilities in applications installed on the device.

Countermeasures against Skype data exposure:

    • Keep the application updated
    • Also remove applications you no longer use

8. Carrier IQ software

An Android logging application designed to monitor specific activities on a device and collect diagnostic information to help carriers or manufacturers address issues such as dropped calls.

Countermeasures against Carrier IQ software:

    • Check whether Carrier IQ is installed on your Android device.

9. HTC Logger

A manufacturer application pre-installed on handsets; logcat can be used to obtain sensitive information such as text messages and keystrokes from it.

Preventive measures against HTC Logger:

    • Get the patch automatically over the air, or via Settings | System updates | HTC Software Updates | Check now to start the patch download manually.
    • If you have root access to your device, you can manually remove the HTC Logger application at /system/app/htcloggers.apk.

10. Cracking the Google Wallet PIN

Mobile payment systems use near-field communication (NFC), which enables electronic transactions with a mobile device and a user-defined PIN.

Countermeasures for the Google Wallet PIN:

    • Do not be careless about your phone's security.
    • Use the standard Android lock-screen mechanism.
    • If you use your phone for electronic payments, do not root the phone.
    • Install antivirus software on your device to protect it from attacks on vulnerabilities.

11.1.4 Android as a portable hacking platform

Hacking tools:

  • Network sniffers
  • Network Spoofer
  • Connect Cat
  • Nmap for Android

11.1.5 Protect your Android

Security checklist for your Android system:

  • Make sure your device is physically secure
  • Lock the device
  • Avoid installing unsolicited applications or applications from unknown developers
  • Install security software
  • Enable full internal-storage encryption
  • Keep updating to the latest version of Android

11.2 iOS

The closed nature of the iPhone is a catalyst for its platform security.

11.2.1 Know your iPhone

The underlying operating system originates from the Mach kernel developed at Carnegie Mellon University.

iOS evolved from the NeXTSTEP/Mac OS X family and is more or less a cut-down version of Mac OS X: its kernel is still Mach/BSD-based with a similar programming model, and its application programming model remains based on Objective-C and relies heavily on the class libraries provided by Apple.

11.2.2 How secure is iOS?

Applications installed on the device must be signed by Apple before they can execute, but that does not make iOS fully secure.

11.2.3 Jailbreaking: Vent your rage!

1. Jailbreaking can be described as gaining full control of an iOS-based device.

  • The jailbroken phone may also lose some functionality.
  • Code signature verification is turned off.

Advantages:

  • You have complete control over a device and can manipulate it to maximize its potential.

Disadvantages:

  • Exposed to multiple types of attack vector, which could result in your device being compromised.

2. Two ways to jailbreak

  • Boot-process-based jailbreak
  • Remote jailbreak

11.2.4 Hacking other iPhones: Vent your rage!

1. Gaining access to iOS remotely over the network is difficult.

  • The available attack methods depend on some combination of client-side exploits, LAN access, or physical access to the device. The viability of a LAN- or physical-access-based attack depends on the target.
  • The practical option left to the attacker usually comes down to a client-side attack.
  • After gaining control of an application, the next step is to break out of the sandbox by exploiting a kernel-level vulnerability.

2. Common attacks

1. JailbreakMe 3.0 vulnerabilities

    • One is a PDF-handling programming error
      It allows arbitrary code execution; the attack vector is a specially crafted Type 1 font embedded in the PDF file, which triggers that code when loaded.
    • One is a kernel programming error
      An invalid type-conversion bug affecting IOMobileFramebuffer, which allows arbitrary code to be executed with system privileges.
    • Countermeasures against the JailbreakMe 3.0 vulnerabilities
      Keeping your operating system and software patched is the best defence. Note that (1) a jailbreak only keeps working if the iOS vulnerabilities it relies on remain unpatched, and (2) once the system is jailbroken you can no longer apply Apple's official updates to fix the bugs Apple has found.

2. Ikee attack: the first worm detected attacking iOS

How the attack is launched:

    • Remote network attacks against vulnerable network services
    • Client-side attacks using application vulnerabilities
    • Local network attacks
    • Physical attacks with access to the target device

Countermeasures against the Ikee attack:

    • Don't jailbreak your iPhone
    • Immediately after installing SSH on a jailbroken device, change the default credentials, and make sure you only connect to trusted networks
    • Utilities such as SBSettings can be installed
    • Make sure the device is updated to the latest jailbreakable version of iOS, and install bug patches from the jailbreak community promptly

3. FOCUS 11 man-in-the-middle attack

The intrusion combines several exploitation techniques:

    • The JBME3.0 client-side vulnerability
    • An attack exploiting weak SSH credential verification
    • LAN attack techniques

Countermeasures against Focus 11 man-in-the-middle attack

    • Update your device and keep it up to date
    • Configure your iOS device to "Ask before joining the network"
    • Do not connect to unknown wireless networks
    • Evaluate the value of stored data on your device

4. Malicious applications: Handy Light and InstaStock

    • Handy Light: a flashlight application
      Tapping the flashlight colours in a specific order makes the phone open a SOCKS proxy server.
    • InstaStock: real-time stock-quote tracking software

Countermeasures against malware in the App Store:

    • Applications from reputable vendors are almost always safe and can be installed without problems
    • Users who store highly sensitive data should install only the applications they really need
    • Keep the firmware at the latest version

5. Vulnerable applications: built-in iOS applications and third-party applications

In any case, an application vulnerability is considered one of the key factors for unauthorized access to iOS-based devices.

Countermeasures against vulnerable applications:

    • Make sure your device is updated to the latest version of iOS, and keep apps updated to their latest versions

6. Steps with physical access to obtain sensitive passwords stored on an iPhone

    • Take control of the phone using a boot-based jailbreak
    • Then install an SSH server; once access over SSH is obtained, upload a script that uses the gained privileges to run code which exports the passwords in the device's keychain.

Countermeasures against physical-access attacks:

    • Ensure all sensitive data on the device is encrypted
    • Devices that store sensitive information must use a passcode at least six digits long and require it at all times
    • Install software that can remotely track the device's location or remotely wipe sensitive data.
Chapter 12: Countermeasures Cookbook
12.1 General Strategy

General strategy: the general principles behind the mix of countermeasures:

  • Move (delete) assets
  • Separation of duties
  • Authentication, authorization and auditing (3A)
  • Layering
  • Adaptive enhancement
  • Orderly failure
  • Policy and training
  • Simple, inexpensive and easy to use

Example scenarios:

  • Desktop scenario
  • Server scenario
  • Network scenario
  • Web application and database scenario
  • Mobile scenario

12.1.1 Moving (deleting) assets

The best way to avoid conflict is to not be there when the conflict occurs.

12.1.2 Separation of duties

The premise is to separate each operational aspect of the countermeasure. Ways to achieve this:

Prevention, detection and response

  • Prevention: endpoint hardening
  • Detection: network intrusion detection
  • Response: execution of the incident-response process

People, processes and technology

  • Another way is to vary the nature of the countermeasure itself
  • For example, periodically check the firewall logs for anomalies

Checks and balances

  • Prevents collusion
  • Provides checks and balances

12.1.3 Authentication, authorization and auditing (3A)

"3 A" is another key foundation of the countermeasure design.

12.1.4 Layering

Layering is often referred to as defence in depth or compensating controls.

Compensating controls are placed at each level of the IT stack:

  • Physical
  • Network
  • Host
  • Application
  • Logic

12.1.5 Adaptive enhancement

This countermeasure approach is closely related to layering.

  • A web application firewall becomes a temporary adaptive mechanism to mitigate the threat of a vulnerability.
  • Additional authentication factors are used as environmental conditions change.

12.1.6 Orderly failure

  • Good response/recovery strategies
  • Testing of technology, people and processes
  • Plan which functions will not reset automatically after a failure.

12.1.7 Policy and training

Training should always be treated as a key factor when planning countermeasures.

12.1.8 Simple, inexpensive and easy to use

"Keep it simple, stupid" applies to any design work, and it applies to the design of countermeasures too.

12.2 Example Scenarios
12.2.1 Desktop Scenario

1. Equip the desktop with thorough preventive measures and detection controls:

  • Anti-malware for endpoints
  • Configuration management
  • Log shipping
  • Host-based intrusion prevention system
  • Tripwire file-system integrity monitor
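Of the controls listed above, the file-system integrity monitor is the one most easily shown in code. The Python script below is an added example (it is not Tripwire and not code from the book): it takes a baseline of SHA-256 hash, permission bits and size for every file under a directory, persists the baseline as JSON, and on a later run reports which files were added, removed or modified. demo() builds a constructed directory tree in a temporary folder, tampers with it the way an intruder's changes would look, and returns the report; the file names and contents in it are constructed.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: [sha256, permission_bits, size]} for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = [sha256_file(full), st.st_mode & 0o7777, st.st_size]
    return snap


def save_baseline(snap, path):
    """Persist a snapshot; store the baseline outside the monitored tree."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify each path as added, removed or modified (hash, mode or size changed)."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, report the differences."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "tree")            # the monitored directory
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")   # constructed content
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")

        baseline_file = os.path.join(work, "baseline.json")   # outside the tree
        save_baseline(snapshot(root), baseline_file)

        # Simulated changes: an account appended, a file deleted, a new file dropped in.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("eve:x:1001:1001::/home/eve:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "etc", "cron.new"), "w") as f:
            f.write("0 * * * * /usr/bin/true\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use the baseline is taken right after a clean build and kept somewhere the monitored host cannot rewrite, since an intruder who can edit the baseline can hide every change the monitor would otherwise report.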

2. Network-based anomaly detection is also a very important idea.
Deploying forensic agents on endpoints can capture information about intrusion events.

12.2.2 Server Scenario

Control of system administrative rights

  • Protecting system administrator accounts requires a higher bar, with "3A" being the most common countermeasure.

Minimal attack surface

  • Reducing the number of castle gates is an effective way to stop intruders.
  • How to reduce the attack surface on this popular platform:
    (1) Use the Windows Firewall to restrict access to services
    (2) Disable unnecessary services

Enhanced maintenance measures

  • A robust and fast security-patching process is a very effective countermeasure.
  • Windows vulnerability patching guidance: test and patch vulnerabilities promptly;
    test and implement a temporary workaround before the patch is released;
    enable logging and monitoring.
  • Patching the vulnerability quickly is the best choice for eliminating it.

Proactive monitoring, backups and contingency plans

  • Monitor known vulnerable systems and develop contingency plans for the case that a system is compromised.

12.2.3 Network Scenario

The best defence is to stop the attack before it reaches its target.

Network-level controls: a layer-3 firewall has no visibility into higher-layer traffic. Several ways to solve this problem:

  • Deploy a finer-grained firewall that gives visibility and control at higher network layers
  • Separate riskier systems from networks containing sensitive information by placing them in different network segments.

12.2.4 Web application and database scenario

How to protect against web attacks, by layering the implementation:

  • Existing off-the-shelf (OTS) components
  • Custom-developed application code

12.2.5 Mobile Scenario

One of the first things to consider is moving (or deleting) the data.

12.3 Summary

1. Chapters 10, 11 and 12 of this book, covering applications, mobile devices and the countermeasures cookbook, give a detailed introduction and analysis of common attack methods, currently popular attack techniques and the corresponding countermeasures. SQL injection is a very interesting part, but because this week's reading volume was relatively large, I only read the book's contents and have not yet started the actual practice.

2. By now the whole book has been read, which completes my reading plan. When I first drew up the plan I did not consider that this is a professional reference book and ignored the practice part, so the actual hands-on work feels rushed. For the later chapters, putting things into practice seems quite difficult: for example, I wanted to scan for active hosts, scanned the 192.168.1.0/24 segment, but found no active hosts. It is not that there are really no active hosts in the segment; rather, the computers now have firewalls and IDS enabled, so for a newly-introduced layman like me the actual operation is a little difficult.

3. Although I have finished reading this book, I think it will take some time to tidy up, so I plan to spend the next two weeks reviewing the contents of the book and carrying out the operations I can achieve, and then proceed with the reading plan. Of course, the weekly results will be presented as reading notes.
