20199116 2019-2020-2 "Network Attack and Defense Practice" Week 8 Assignment

Foreword

  • Which course does this assignment belong to: "Network Attack and Defense Practice"
  • What are the requirements for this assignment: <Job requirements>
  • My goal in this course: to master network attack and defense knowledge; this week, study Chapter 8, Linux operating system security attack and defense
  • Which specific aspect of this assignment helped me achieve my goal: learning Linux commands and the use of virtual machines; learning attack and defense knowledge lays the foundation for future research
  • Homework: as follows
  • Other references: see the end of the text

1. Practice content

1.1 Overview of the basic framework of the Linux operating system

1.1.1 Development and status of Linux operating system

  • Advantages of the Linux operating system
    (1) Free and open source code
    (2) Cross-platform hardware support
    (3) Rich software support
    (4) Multi-user, multi-tasking
    (5) Reliable security
    (6) Good stability
    (7) Complete networking functionality

1.1.2 Linux system structure

  • Linux process and thread management mechanism: adopts a preemptive multi-user, multi-process model

  • Linux memory management mechanism

    • Allows multiple processes to share physical memory regions
    • The memory management module provides services such as memory allocation, memory reclamation, demand paging and page swapping.

  • Linux file system management mechanism: the Linux kernel uses a virtual file system (VFS) layer, which can support dozens of different logical file system types

  • Linux device control mechanism

    • The software in the Linux kernel that handles or manages hardware controllers is called a device driver; it is essentially a shared library of privileged, memory-resident, low-level hardware control routines.
  • Linux network mechanism

    • The Linux kernel's network interface can be divided into the network protocol stack and the network drivers
    • The network protocol stack is responsible for implementing every supported network transmission protocol; its structure is as follows: (figure omitted)

  • Linux system call mechanism
    • Linux provides a system call interface that lets applications access hardware devices and other system resources through this layer
    • Linux system calls are implemented by means of software interrupts

1.2 Linux operating system security mechanism

1.2.1 Linux identity authentication mechanism

Linux is a multi-user, multi-tasking operating system

  • Linux users

    • Root user: has the highest authority in the system and can access any file and command in the operating system
    • Ordinary users: can only operate on the contents of their own directories
    • System users: cannot log in to the system but are indispensable; they are used to start network services, such as daemon and apache, and for anonymous access, such as nobody and ftp.
  • Linux user groups

    • A collection of user accounts with the same characteristics, used to simplify rights management for the entire system.
    • Linux user group information is saved in the /etc/gshadow file, and `id -a` shows the groups the current user belongs to.
    • The `groupadd` command adds a user group; `usermod -G group_name user_name` adds a user to a specific group
  • Linux local login user authentication mechanism:

    • User authentication refers to the process of a user logging in at the console
    • Basic process: the init process starts getty, which creates several virtual consoles; each console runs the login process to perform authentication; after authentication passes, login forks a child process running the corresponding user's shell, and the login is complete.
    • The login process uses the crypt() function to verify the password the user entered: the function combines a salt value with the user's password and hashes them to obtain the encrypted password, which is compared with the stored value.
  • Linux remote login authentication mechanism

    • Linux systems generally use the SSH service for remote user login and access
    • SSH provides two methods: the first is a password-based authentication mechanism; the second is an asymmetric-key (public-key) based authentication mechanism.
    • In addition, many network services on Linux implement their own identity authentication mechanisms, such as MD5 hashes, LANMAN/NTLM hash algorithms and so on.
  • Linux unified identity authentication middleware: PAM

    • The core of PAM is a library (libpam) and a collection of PAM modules, which are dynamic link library (.so) files located in /lib/security/, together with the per-module configuration files located in the /etc/pam.d/ directory. PAM provides four module interfaces for authentication tasks.

    • The four management interfaces supported by PAM:
      (1) Authentication management: accept the user name and password, authenticate the user's password, set user secret information
      (2) Account management: check whether the specified account is allowed to log in to the system, and check whether the account has expired
      (3) Password management: used to modify user passwords
      (4) Session management: provide session management and auditing; the session takes effect after the user is successfully authenticated

1.2.2 Linux authorization and access control mechanism

Linux supports different file system formats through the VFS virtual file system mentioned above

  • File owner: the file owner is identified by the owner's uid and gid, which are set automatically when the user creates the file.
  • File access permissions: file access permissions are expressed by 10 flag characters. The first character indicates the file type; characters 2 to 10 form three groups of 3 characters, and the three characters in each group indicate read, write and execute permission respectively. The three groups represent the owner, the owning group, and all other users.
  • Special execution permissions: the common special permission bits are SUID and SGID. SUID lets an executable file run with the identity of the file's owner instead of the user who runs it. The SGID bit is similar to the SUID bit, except that it operates on the group.
  • Inadequacies and improvements: users can only be divided into three categories, owner, owner's group, and other users, when assigning permissions. Fine-grained access permissions are insufficient, and full ACL (access control list) settings are not supported.
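To make the 10-character permission layout concrete, the following added example (my own, not code from the original post) decodes a mode string as shown by `ls -l` into the file type, the owner / group / other triplets, and the SUID or SGID special bits described above. It is pure POSIX shell and needs no root; the sample mode string is constructed and resembles a typical SUID program such as passwd.

```shell
#!/bin/sh
# Added example: decode an `ls -l` mode string such as "-rwsr-xr-x".
# Character 1 = file type, 2-4 = owner, 5-7 = group, 8-10 = others.

# File type from the first character.
mode_type() {
    case "$1" in
        -*) echo "regular file" ;;
        d*) echo "directory" ;;
        l*) echo "symbolic link" ;;
        c*) echo "character device" ;;
        b*) echo "block device" ;;
        p*) echo "named pipe" ;;
        s*) echo "socket" ;;
        *)  echo "unknown" ;;
    esac
}

# One rwx triplet: $1 = mode string, $2 = owner|group|other.
mode_triplet() {
    case "$2" in
        owner) printf '%s\n' "$1" | cut -c2-4 ;;
        group) printf '%s\n' "$1" | cut -c5-7 ;;
        other) printf '%s\n' "$1" | cut -c8-10 ;;
    esac
}

# Special bits: 's'/'S' in the owner execute slot (char 4) means SUID,
# in the group execute slot (char 7) means SGID. Lower-case 's' means the
# execute bit is also set; upper-case 'S' means the special bit without execute.
mode_special() {
    owner_x=$(printf '%s\n' "$1" | cut -c4)
    group_x=$(printf '%s\n' "$1" | cut -c7)
    flags=""
    case "$owner_x" in s|S) flags="${flags}SUID " ;; esac
    case "$group_x" in s|S) flags="${flags}SGID " ;; esac
    [ -n "$flags" ] && echo "${flags% }" || echo "none"
}

# One-line summary of a mode string; fails on malformed input.
decode_mode() {
    m="$1"
    if [ "${#m}" -ne 10 ]; then
        echo "error: expected a 10-character mode string" >&2
        return 1
    fi
    printf '%s owner=%s group=%s other=%s special=%s\n' \
        "$(mode_type "$m")" \
        "$(mode_triplet "$m" owner)" \
        "$(mode_triplet "$m" group)" \
        "$(mode_triplet "$m" other)" \
        "$(mode_special "$m")"
}

# Constructed sample: the mode of a typical SUID program such as /usr/bin/passwd.
decode_mode '-rwsr-xr-x'
```

Run it with `sh decode_mode.sh`, or source it and call `decode_mode` on the first column of any `ls -l` line. The `special=` field is the one worth watching during an audit: an `s` in the owner slot of a file owned by root is exactly the SUID case the text describes.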

1.2.3 Linux security audit mechanism

  • Three log subsystems
    • Connection time log: lets system administrators track who logged in to the system and when
    • Process statistics log: writes one record per process, in order to provide command usage statistics for basic services in the system
    • Error log

1.3 Remote attack and defense technology of Linux system

1.3.1 Linux remote password guessing attack

  • Linux systems mainly support remote control through the telnet, rlogin, rsh and SSH protocols, all of which authenticate the identity of remote users.
  • Attackers use the aforementioned services to sniff user account names, or use default built-in account names, for password guessing.
  • Password guessing is usually aimed at accounts with weak passwords.
  • In addition to SSH, other network services that use the system's accounts and authentication mechanism, such as HTTP/HTTPS and FTP, can also be targeted for guessing.
  • Common password-guessing tools include Brutus, THC Hydra, Cain and Abel, and others.
  • Defences against remote password guessing
    • Ensure that each user has their own valid account and password, instead of sharing the root privileged account
    • Privileged accounts should not be allowed to log in remotely, only locally
    • Passwords must be at least 8 characters long and include letters, numbers and punctuation marks
    • Record repeated authentication failures and disconnect after multiple invalid logins
    • Do not use the same password on all systems you log in to
    • Do not write down your password
    • Use an identity authentication mechanism based on public-key certificates
    • Change the default port of the network service
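The defence "record repeated authentication failures" above, and the connection time log from section 1.2.3, are both implemented by reading the sshd entries in the system log. The following added example (my own detection logic, not from the original post) counts failed password attempts per source address, flags any source at or above a threshold, and lists successful logins. The log lines are constructed for the example and use documentation-only addresses; real entries live in /var/log/auth.log or /var/log/secure, or under `journalctl -u ssh`.

```shell
#!/bin/sh
# Added example: brute-force detection over sshd log lines with awk.
# SAMPLE_LOG is constructed for the example, not taken from a real host.

SAMPLE_LOG=$(cat <<'EOF'
Apr 18 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 18 10:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Apr 18 10:01:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr 18 10:01:12 host sshd[1204]: Failed password for root from 203.0.113.7 port 51031 ssh2
Apr 18 10:01:20 host sshd[1205]: Failed password for root from 203.0.113.7 port 51040 ssh2
Apr 18 10:02:00 host sshd[1210]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Apr 18 10:02:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
Apr 18 10:03:00 host sshd[1212]: Accepted password for bob from 192.0.2.9 port 33000 ssh2
EOF
)

# Print "count ip" for every source that produced a "Failed password" line,
# highest count first. $1 = log text.
failed_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print only the sources at or above the threshold. $1 = log text, $2 = threshold (default 5).
flag_brute_force() {
    thr="${2:-5}"
    failed_by_source "$1" | awk -v t="$thr" '$1 >= t { print $2 }'
}

# Successful logins: the "who logged in and when" view of the connection time log.
# Prints "date time user source" for each Accepted line.
accepted_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "for")  { user = $(i+1) }
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1) }
            print $1, $2, $3, user, ip
        }'
}

echo "failed attempts per source:"; failed_by_source "$SAMPLE_LOG"
echo "sources at or above threshold 5:"; flag_brute_force "$SAMPLE_LOG" 5
echo "successful logins:"; accepted_logins "$SAMPLE_LOG"
```

On a real host, feed the functions with `failed_by_source "$(grep sshd /var/log/auth.log)"`. The threshold is the same knob that tools such as fail2ban or the PAM lockout modules expose; the difference is that they act on it (blocking the source or locking the account), whereas this script only reports.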

1.3.2 Network service remote penetration attack

  • Attacks on the network protocol stack in the Linux kernel
  • Attacks on network services in LAMP web sites
  • FTP, Samba and other file sharing services
    • FTP services generally listen on TCP ports 20 and 21, of which port 21 is used for control commands and port 20 for data transfer
    • Samba is a network service that connects Linux and other UNIX-like operating systems to Microsoft Windows systems using the SMB/CIFS network protocol; it listens on TCP port 445
  • Email sending and receiving services
  • Attacks on other network services
  • Security precautions against remote penetration attacks on network services
    • Disable unnecessary network services
    • Choose safer network protocols and service software wherever possible
    • Update network service software promptly
    • Use xinetd (the network daemon service program) and firewalls to add network access control for Linux network services
    • Establish an intrusion detection and emergency response planning process

1.3.3 Attacking Linux client programs and users

  • Attacks on client programs on the Linux platform
  • Attacks on Linux system users
    • Obtain information about the system administrator and combine it with social engineering
    • Compromise software distribution sites and trojanize the software they provide; the trojanized version introduces a backdoor at runtime, allowing unauthorized users to remotely obtain root privileges on the system
  • Security precautions against client and user attacks
    • Learn about social engineering and improve the ability to recognise fraud
    • Update software promptly
    • Download software only through official channels and verify its MD5 checksum

1.3.4 Attacking routers and listeners

  • Attacks on Linux routers and firewalls
  • Attacks on listeners and intrusion detectors running on Linux, such as the libpcap packet capture library, the tcpdump command-line program, the Wireshark software, the Snort intrusion detection system, etc.
  • Preventive measures against router and listener attacks
    • Network administrators should strengthen security awareness and follow vendors' security threat reports
    • Upgrade firmware promptly
    • Understand attackers' penetration methods and conduct penetration tests

1.4 Linux system local security attack and defense technology

1.4.1 Elevation of local Linux privileges

  • Common methods of local privilege escalation:
    (1) Crack the root user's password, then run the su or sudo command to escalate privileges
      • Obtain the password hash recorded in the /etc/shadow configuration file, then brute-force the plaintext against the known hash to crack the password.
    (2) Discover and exploit security vulnerabilities in the su or sudo programs
      • Bypass the authentication mechanism in some way, or use a path misconfiguration that lets an attacker create a file and have it executed.
    (3) Exploit user-mode SUID privilege-escalation vulnerabilities and Linux kernel privilege-escalation vulnerabilities
      • Exploitation of user-mode SUID programs mainly includes program vulnerabilities, local buffer overflow attacks, symbolic-link attacks, race-condition attacks, shared-library attacks, etc.
    (4) Finally, search the system for globally writable sensitive files and directories that can be abused
  • Preventive measures against local privilege escalation
    • Assess the risk when installing software
    • Upgrade and maintain the server promptly
    • Configure the system securely and set strong passwords
    • Apply SELinux and other security enhancement modules
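Methods (3) and (4) above both depend on files an administrator can enumerate in advance: SUID/SGID executables and world-writable files. The following added example (my own audit script, not from the original post) lists both classes under a directory with `find`, so they can be reviewed and tightened as part of "configure the system securely". It builds a small constructed tree in a temporary directory to demonstrate itself; for a real audit run `audit_report /` as root.

```shell
#!/bin/sh
# Added example: defender-side audit of the two file classes named above.
# Uses find(1) only, so it runs unprivileged on any directory you own.

# Regular files with the SUID (4000) or SGID (2000) bit set under $1,
# staying on one filesystem (-xdev) so /proc and network mounts are skipped.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Regular files writable by everyone (other-write bit, 0002) under $1.
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Print both lists with headings.
audit_report() {
    dir="$1"
    echo "== SUID/SGID files under $dir =="
    find_setid "$dir"
    echo "== world-writable files under $dir =="
    find_world_writable "$dir"
}

# Constructed demo tree (not real system files): one SUID program,
# one world-writable config file, one ordinary file that must not be reported.
demo_tree() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$d/suid_prog"
    chmod 4755 "$d/suid_prog"            # SUID bit, like /usr/bin/passwd
    printf 'x\n' > "$d/loose.conf"
    chmod 0666 "$d/loose.conf"           # world-writable
    printf 'y\n' > "$d/normal.txt"
    chmod 0644 "$d/normal.txt"           # ordinary permissions
    echo "$d"
}

# With no argument, audit the demo tree and clean it up; otherwise audit $1.
if [ "$#" -eq 0 ]; then
    t=$(demo_tree)
    audit_report "$t"
    rm -rf "$t"
else
    audit_report "$1"
fi
```

Compare the SUID list against the package manager's expected set (for example `dpkg -S` or `rpm -qf` on each path) and remove the bit from anything unexplained with `chmod u-s`; world-writable files in system directories are almost always a misconfiguration and should lose the other-write bit with `chmod o-w`.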

1.4.2 Covering tracks on a Linux system

  • After attacking a Linux system, attackers usually do not want to leave intrusion records for the system administrator, so they often clean up the system's log directory to erase traces of their actions.
  • Text log files are cleaned with text editors such as vi and emacs; the binary wtmp login records are cleaned with special tools such as wzap
  • The attacker also needs to clear the history of commands entered in the shell, since many Linux shells record previously run commands so that they can be recalled and re-executed.

1.4.3 Linux system remote control backdoor program

  • The main types are:
    • Trojanized system programs: the attacker replaces an original system program (such as remote login and control software) with a version that has backdoor functionality.
    • Command-line backdoor tools: provide remote command-line shell access; typically a tool such as Netcat is run on the system, opens a listening TCP port, and returns a Linux shell to the client once a connection request arrives.
    • Graphical backdoor tools: the most commonly used is the free graphical remote control software VNC.

2. Practice

Use Metasploit for a Linux remote penetration attack
1) Use Metasploit as penetration testing software to attack the Samba usermap_script security vulnerability on a Linux target machine and obtain host access to the Linux target. The practical steps are as follows:
2) Use the exploit/multi/samba/usermap_script penetration attack module
3) Select a remote shell as the attack PAYLOAD
4) Set the attack parameters
5) Perform the attack
6) Check whether a working remote shell was obtained
Attack machine: Kali (192.168.200.6); target machine: Metasploitable (192.168.200.125)
First, start the penetration software with the msfconsole command, select the penetration attack module with use exploit/multi/samba/usermap_script, and then run show options

Source: www.cnblogs.com/xiongjia/p/12728794.html