
Thursday, 10 November 2011

Formal description of various attacks on the Internet (Part 2)

Cold Road

█ "Ten years of weaknesses in attack and defence": buffer overflow *attacks*

Almost anyone who has been online for a while has heard of buffer overflows, because it really is a well-known and very dangerous kind of vulnerability, one that exists widely regardless of system or program. Security holes of the buffer overflow type are the most common, and the ones most used by hackers. So whether you are a hacker, an administrator or an ordinary net user, it is worth knowing something about buffer overflows.



► Buffer overflow concepts and principles

A buffer is a place in memory where data is stored. A buffer overflow happens when a program tries to put data at some location in the machine's memory and there is not enough room for it. A deliberate overflow has intent behind it: the attacker writes a string longer than the buffer and feeds it into the buffer. Stuffing an over-long string into a buffer of limited size can have two outcomes. One is that the over-long string overwrites adjacent memory cells, causing the program to fail and, in serious cases, the system to crash; the other is that the flaw can be exploited to execute arbitrary instructions, even to obtain root privileges on the system. Most buffer overflows are caused by programs that do not carefully check user-supplied input parameters.

A buffer is a contiguous block of machine memory during program execution; it holds data of a given type, and problems arise with dynamically allocated variables. Most of the time, to avoid using too much memory, a program with dynamically allocated variables decides how much memory to give them only at run time. Following this line of thought, if over-long data is placed into a dynamically allocated buffer, it overflows. A buffer overflow exploit uses the overflowed data to put assembly-language code into the machine's memory, usually somewhere that yields root privileges, which is not a good thing. A single buffer overflow on its own, however eye-catching, is not where the biggest problem lies. But if the overflow reaches an area from which commands can be run with root privileges, then once those commands run, the machine has effectively been handed over.



► Ways of attacking buffer overflow vulnerabilities

A buffer overflow vulnerability can let anyone with hacker skills gain control of a machine, even the highest privileges. Typically a buffer overflow is used against a root program, and most attacks get a root shell by executing code along the lines of "exec(sh)". To reach that goal the hacker usually has to accomplish two tasks: place suitable code in the program's address space, and, by suitably initializing registers and memory, make the program jump to that prepared address and execute it.



● Placing suitable code in the program's address space:

Placing suitable code in the program's address space is often relatively simple, but it also depends on luck. If the code the attack needs already exists in the targeted program, then it is enough to pass that code some parameters and make the program jump to it. The attack code wants to execute "exec('/bin/sh')", while the code in the libc library executes "exec(arg)", where "arg" is a pointer argument to a string; as long as the incoming pointer argument is changed to point at "/bin/sh" and the program then jumps to the corresponding instruction sequence in libc, that is enough. Of course, this possibility is often small, in which case a so-called "implant" approach has to be used. When a string is fed to the program under attack, the program puts the string into a buffer, and the data in that string is a sequence of instructions that can run on the target's hardware platform. The buffer can be anywhere: the stack (automatic variables), the heap (dynamically allocated), the static data area (initialized or uninitialized data), and so on. It is not even necessary to overflow any buffer for this purpose; finding enough room to place the attack code is sufficient.



● Ways of transferring control to the attack code:

All of these methods seek to change the program's execution flow so that it jumps to the attack code. The most basic is to overflow a buffer that is unchecked or has some other flaw, which disrupts the program's normal order of execution. By overflowing a buffer, nearby program space can be rewritten so that the system's identity check is skipped outright. In principle the program space targeted by the overflow can be anywhere, but since different locations are addressed differently, this gives rise to several transfer methods.

1. Function Pointers

In a program, "void (* foo) ()" declares a function pointer variable "foo" with return type "void". Function pointers can sit in any address space; the attack only needs to find an overflowable buffer adjacent to a function pointer somewhere and use the overflow to change the function pointer. When the program then calls the function through the pointer, the attacker's flow of control takes effect. You can try this out with the superprobe program under Linux.

2. Activation Records

When a function call occurs, an activation record is left on the stack; it contains the address to return to when the function ends. Overflowing these automatic variables changes the program's return address so that it points at the attack code. When the function call ends, the program jumps to the pre-arranged address rather than the original one. This kind of overflow is also fairly common. When you use a vulnerability scanner (SATAN under Unix, or Retina under NT), it pays to watch for the words "stack smashing attack". Heh.

3. Longjmp buffers

The C language includes a simple checkpoint/recovery mechanism called "setjmp/longjmp": a checkpoint is set with "setjmp(buffer)" and restored with "longjmp(buffer)". If the attack can get into the buffer's space, then "longjmp(buffer)" in effect jumps to the attack code. Like function pointers, longjmp buffers can point anywhere, so finding an overflowable buffer is the first thing to do.



● Combining code implantation with flow control

The common class of buffer overflow attack combines code implantation and activation records in one string. The attack targets an overflowable automatic variable and passes the program a very large string that both implants the code and, by overflowing the buffer, changes the activation record (this works because C conventionally allocates only small buffers for user input and parameters). Implanting the code and overflowing the buffer need not happen in one step: the code can be placed in one buffer (without overflowing it at that point), and the program's pointer redirected by overflowing another buffer. This method is generally used when the overflowable buffer cannot hold all of the code. If you want to use code that is already resident rather than implanting it from outside, the code usually has to be supplied as a parameter first. A section of code in libc (those familiar with C will know that almost all C programs link against it) executes "exec(something)", where something is the parameter; one buffer overflow changes the program's parameters, and another makes the program pointer point at that particular code section in libc.

Readers interested in buffer overflows should look up the many hacker attacks caused by the IIS 4.0 buffer overflow vulnerability that eEye's Retina discovered. You can find material about them at http://www.safefan.com (the 傲气雄鹰 Network Security Group); network administrators in particular should be familiar with them.

The insecurity caused by programming errors deserves attention too, since buffer overflows show that insecurity in its starkest form.



█ Guarding against buffer overflows

Since buffer overflow vulnerabilities were first discovered and exploited, they have been the greatest hidden danger in network security. Many security people have studied these flaws carefully, yet completely preventing buffer overflows still seems beyond reach, for human and other reasons. This article gives a simple description of several current methods of protecting against buffer overflow vulnerabilities.

► Writing code correctly

Nobody writing code sets out to make mistakes, but the smallest error can have serious consequences (C strings are mostly terminated by a 0 byte, which is often a very unsafe example). So writing code correctly is critical.

The most primitive way to avoid errors while writing is to use grep to find calls to library functions in the source code that easily lead to vulnerabilities, such as calls to sprintf and strcpy, neither of which checks the length of its input. Some code uses replacement functions for sprintf and strcpy to prevent this, but problems still occur. Because these errors are so well hidden, the bug-finding tool fault injection appeared. Fault injection can deliberately generate buffer overflows at any time in order to find security holes in the code. One can only say that fault injection and similar tools make buffer overflow vulnerabilities a little rarer when writing code; eliminating them completely is unrealistic, because such tools really cannot find every buffer overflow. Repeatedly checking the code for flaws while writing it makes the program more complete and secure.

► Non-executable buffers

In older versions of UNIX, the address space of a program's data segment was not executable, so code a hacker implanted via a buffer could not run. But today's UNIX and Windows systems, for reasons of performance, functionality and convenience, mostly place executable code into the data segment dynamically, and for compatibility it is not possible to make the data segment of every program non-executable. It is possible, however, to make only the stack segment non-executable, which largely preserves program compatibility. UNIX, Linux, Windows and Solaris have all released patches for this.

► Checking array bounds

With array bounds checking, no buffer overflow occurs at all, so as long as arrays are guaranteed not to overflow, buffer overflow attacks remain wishful thinking. To implement array bounds checking, every read and write to an array should be checked, which guarantees that array operations stay within the correct range. Checking arrays is a headache, so some optimization techniques are used to reduce the burden. Available checkers include the Compaq C compiler developed specifically for the Alpha CPU, Jones & Kelly's array bounds checking for C, Purify's memory access checking, and so on.

All buffer overflow vulnerabilities are to the "credit" of the C language. If only type-safe operations were allowed to execute, there would be no forced operations on variables. Java and ML are considered type-safe languages, but the Java virtual machine that Java runs on is a C program, so the way to attack the JVM is to overflow a buffer in the JVM itself.

► Program pointer integrity checking

Program pointer integrity checking detects a change to a program pointer before the pointer is dereferenced; then even if someone has changed the program's pointer, the system has already detected the change and the pointer cannot be exploited. But program pointer integrity checking cannot solve every buffer overflow problem: if someone uses some other kind of buffer overflow, pointer integrity checking cannot detect it. Then again, program pointer integrity checking has a big advantage in performance, and good compatibility.
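As an added example (not code from the original article), here is a C sketch of two of the defences described in this section: a bounded copy that refuses input that would not fit, as a replacement for strcpy, and a program pointer integrity check in the spirit of the previous paragraph, where the pointer is stored alongside a keyed copy and compared before every indirect call. The key value and the corruption in demo_tamper_detected are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounded replacement for strcpy: copies src into dst only if it fits,
 * terminator included. Returns 0 on success, -1 (dst left empty) otherwise. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Measure src without ever scanning past dst_size bytes, so an
     * unterminated or huge src cannot hurt the check below. */
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n >= dst_size) {          /* no room for the trailing '\0' */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n bytes plus the terminator */
    return 0;
}

/* Program pointer integrity check: the pointer is stored twice, the second
 * copy keyed with a secret value. Before every indirect call the two copies
 * are compared; an overflow that rewrote only the raw pointer is caught. */
typedef int (*handler_fn)(int);

struct guarded_fn {
    uintptr_t value;   /* the function pointer as an integer */
    uintptr_t check;   /* value XOR key, set when the pointer is stored */
};

static uintptr_t g_key;  /* constructed constant in this demo; a real
                          * system would draw it from a secure RNG at start */

void guard_init(uintptr_t key) { g_key = key; }

void guard_set(struct guarded_fn *g, handler_fn fn)
{
    g->value = (uintptr_t)fn;
    g->check = g->value ^ g_key;
}

/* Calls the guarded handler with arg and stores its result in *out.
 * Returns 1 if the pointer was intact, 0 (nothing called) if tampered. */
int guard_call(const struct guarded_fn *g, int arg, int *out)
{
    if ((g->value ^ g_key) != g->check)
        return 0;
    handler_fn fn = (handler_fn)g->value;
    *out = fn(arg);
    return 1;
}

static int double_it(int x) { return 2 * x; }

/* Demo: a legitimate call succeeds, then a simulated overwrite of the stored
 * pointer (what a nearby overflow would do) is refused. Returns 1 if both
 * behaved as expected. */
int demo_tamper_detected(void)
{
    struct guarded_fn g;
    int out = 0;

    guard_init((uintptr_t)0x5a5aa5a5);
    guard_set(&g, double_it);
    if (!guard_call(&g, 21, &out) || out != 42)
        return 0;

    g.value ^= (uintptr_t)0x1000;   /* constructed corruption of the pointer */
    return guard_call(&g, 21, &out) == 0;
}
```

An attacker who overwrites both fields and knows the key defeats this check, which matches the text's point that pointer integrity checking does not cover every overflow.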

Network sniffing attack techniques

When information is being transmitted over a network, a tool can be used to put the network interface into listening mode, so that the information travelling over the network is intercepted or captured and then used for attacks. Network sniffing can be carried out at any position in the network. Hackers generally use sniffing to capture user passwords. For instance, once someone has taken over a host and wants to extend the gains to the whole LAN that host sits on, sniffing is often the shortcut they choose. I often see beginners on various security forums who think that once they have taken a host, getting into its internal network should be simple. Not so: getting from one host into the other machines on its internal network is no easy matter, because besides obtaining their passwords you also need the absolute path of their shares, and of course you must have write permission at the end of that path. At that point, running a sniffer on the host that is already under control pays off handsomely. It is, however, a tiresome business that requires patience and adaptability.

█ How network sniffing works

Ethernet (a popular LAN technology invented by Xerox; it consists of a single cable to which all computers are attached, and each computer needs a piece of hardware called an interface board to connect to it) works by sending every packet to all of the hosts connected together. The header contains the correct address of the host that should receive the packet, and only the host whose address matches the packet's destination address receives it; but when a host is in listening mode, it can receive the packet whatever the destination physical address is. In many LANs, a dozen or even hundreds of hosts are connected through one cable and one hub. From the point of view of the upper protocol layers or the user, when two hosts on the same network communicate, the source host sends a packet bearing the destination host's address directly to the destination host, and when a host on the network communicates with a host outside, the source host sends a packet bearing the destination host's IP address to the gateway. But such a packet cannot be sent directly from the upper layers of the protocol stack; it must be handed from the IP layer of TCP/IP to the network interface, that is, the data link layer. The network interface does not recognise IP addresses. At the network interface, the packet carrying the IP address from the IP layer has an Ethernet frame header added to it.
The frame header contains two fields that only the network interface can recognise: the physical addresses of the source and destination hosts. This is a 48-bit address, and the 48-bit address corresponds to the IP address; in other words, each IP address corresponds to one physical address. A host acting as a gateway, since it connects several networks, has several IP addresses, one on each network, and frames sent outside the network carry the gateway's physical address.

An Ethernet frame with the physical address filled in is sent out from the network interface, the network card, onto the physical line. If the LAN is built from thick or thin coax, the digital signal transmitted on the cable reaches every host on the line. When a hub is used, the transmitted signal reaches the hub and the hub repeats it to every line attached to it, so the digital signal on the physical line reaches every host connected to the hub. When the signal reaches a host's network interface, the interface normally checks the frame it reads in: if the physical address carried in the frame is its own, or is the broadcast address, it hands the frame to the IP layer software. This process is carried out for every frame that reaches the interface. But when the host is in listening mode, every frame is handed to the upper-layer protocol software.

When the hosts attached to the same cable or hub are logically divided into several subnets, a host in listening mode can still receive packets sent to hosts that are not on its own subnet (ones using a different mask, IP address and gateway); all information transmitted on the same physical channel can be received.

On UNIX systems, a user with superuser privileges who wants to put the host under their control into listening mode only needs to send an I/O control command to the interface (network interface), and the host is set to listening mode. On Windows 9x, whether or not the user has privileges, this can be achieved simply by running a sniffing tool.

While sniffing, a great deal of information (including a lot of junk) usually has to be saved, and the collected information then needs extensive sorting, which makes the sniffing machine respond very slowly to other users' requests. The sniffer also consumes a lot of processor time while running; if the contents of packets are analysed in detail at that moment, many packets cannot be received in time and are missed. So sniffers often store the captured packets in a file for later analysis. Analysing captured packets is a headache, because network packets are very complex. Between two hosts continuously sending and receiving packets, the captured results inevitably include packets from other hosts' interactions. For a sniffer, merely collecting the packets of one TCP session together is quite hard, and if you also expect it to extract user details, you need extensive protocol-aware analysis of the packets. With so many protocols on the Internet, a sniffer that handled them all would be very large indeed.

The protocols used on today's networks were designed quite early, and many protocol implementations rest on a very friendly footing of full mutual trust between the communicating parties. In an ordinary network environment, user information, including passwords, is transmitted over the net in the clear, so sniffing the network to obtain user information is not hard; with a basic grasp of TCP/IP you can easily capture the information you want. Some time ago the Chinese-American China-babble proposed extending network sniffing from the LAN to the WAN, but the idea was quickly rejected. If it were possible, I think networks would descend into chaos. In fact, some user information can already be sniffed and intercepted on WANs; it just is not very noticeable yet, and across the whole Internet it is even more negligible.

Below are some well-known sniffers for various systems that you can try for yourself.

Windows9x/NT NetXRay http://semxa.kstar.com/hacking/netxray.zip

DEC Unix/Linux Tcpdump http://semxa.kstar.com/hacking/management.zip

Solaris Nfswatch http://semxa.kstar.com/hacking/nfswatch.zip

SunOS Etherfind http://semxa.kstar.com/hacking/etherfind012.zip



█ Methods of detecting network sniffing

Network sniffing was described above. It was designed for system administrators to manage the network and monitor network status and data flow, but because it can intercept network data, it is also one of the usual tricks of hackers.

Network sniffing is generally detected by the following methods:

► Honestly, network sniffing is very hard to discover. While a host running a sniffer is listening, it only passively receives the information transmitted on the Ethernet; it does not exchange information with other hosts, nor can it modify the packets transmitted on the network. That explains why detecting sniffing is rather troublesome.

Normally you can detect it with ps -ef or ps -aux, but most people who run a sniffer modify the ps command to keep it from being caught by ps -ef. Modifying ps takes only a few lines of shell to filter out the sniffer's name. Anyone who can get a sniffer running is certainly not a newbie who does not know this, unless he is lazy.

As mentioned above, a host's responses generally slow down while a sniffer is running, so some people have proposed judging whether a host is sniffing by its response rate. If that were the criterion, I think the world really would be in chaos; who knows how many sniffers you would "find" running in any given period. Heh.

If you suspect that a machine on the network is running a sniffer (on what grounds? that is up to you), you can ping it with the correct IP address and a wrong physical address; a running sniffer will respond. This is because a normal machine does not receive ping packets addressed to the wrong physical address, whereas a machine that is listening does, and if its IP stack does not cross-check the address it will reply. This method does not work on many systems, though, because it depends on the system's IP stack.
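The link-layer filtering described under "How network sniffing works" and the wrong-MAC ping check just above, as an added example that is not part of the original article: a small C model of the two decisions a receiving host makes, fed a constructed ICMP echo-request frame. The MAC and IP values are made up for the demonstration, and the model assumes an IP stack that does not cross-check the frame's destination MAC, which is the case the text says the trick relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAC_LEN   6
#define ETH_HLEN  14               /* dst MAC, src MAC, ethertype */
#define IP_HLEN   20               /* minimal IPv4 header, no options */
#define ICMP_HLEN 8
#define ETHERTYPE_IPV4 0x0800

static const uint8_t BROADCAST_MAC[MAC_LEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

/* Link layer: a normal interface keeps a frame only if the destination MAC
 * is its own or the broadcast address; in listening (promiscuous) mode it
 * keeps everything. */
int nic_accepts(const uint8_t *frame, size_t len,
                const uint8_t own_mac[MAC_LEN], int promiscuous)
{
    if (len < ETH_HLEN)
        return 0;
    if (promiscuous)
        return 1;
    return memcmp(frame, own_mac, MAC_LEN) == 0 ||
           memcmp(frame, BROADCAST_MAC, MAC_LEN) == 0;
}

/* IP layer: answers an ICMP echo request only if the destination IP is ours.
 * It never looks at the MAC header again (no reverse check). */
int ip_layer_replies_to_echo(const uint8_t *frame, size_t len, uint32_t own_ip)
{
    if (len < ETH_HLEN + IP_HLEN + ICMP_HLEN)
        return 0;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return 0;
    const uint8_t *ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4 || ip[9] != 1)          /* version 4, protocol ICMP */
        return 0;
    uint32_t dst_ip = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) |
                      ((uint32_t)ip[18] << 8)  |  (uint32_t)ip[19];
    const uint8_t *icmp = ip + IP_HLEN;
    return dst_ip == own_ip && icmp[0] == 8;      /* type 8 = echo request */
}

/* Whole-host decision: a reply goes out only if both layers accept. */
int host_replies(const uint8_t *frame, size_t len,
                 const uint8_t own_mac[MAC_LEN], uint32_t own_ip, int promiscuous)
{
    return nic_accepts(frame, len, own_mac, promiscuous) &&
           ip_layer_replies_to_echo(frame, len, own_ip);
}

/* Builds a constructed echo-request frame (checksums left zero: the model
 * above does not verify them). Returns the frame length. */
size_t build_echo_frame(uint8_t *out, const uint8_t dst_mac[MAC_LEN],
                        const uint8_t src_mac[MAC_LEN], uint32_t dst_ip, uint32_t src_ip)
{
    size_t len = ETH_HLEN + IP_HLEN + ICMP_HLEN;
    memset(out, 0, len);
    memcpy(out, dst_mac, MAC_LEN);
    memcpy(out + MAC_LEN, src_mac, MAC_LEN);
    out[12] = (uint8_t)(ETHERTYPE_IPV4 >> 8);
    out[13] = (uint8_t)(ETHERTYPE_IPV4 & 0xff);
    uint8_t *ip = out + ETH_HLEN;
    ip[0] = 0x45;                                  /* IPv4, 20-byte header */
    ip[2] = (uint8_t)((IP_HLEN + ICMP_HLEN) >> 8); /* total length */
    ip[3] = (uint8_t)((IP_HLEN + ICMP_HLEN) & 0xff);
    ip[8] = 64;                                    /* TTL */
    ip[9] = 1;                                     /* protocol ICMP */
    ip[12] = (uint8_t)(src_ip >> 24); ip[13] = (uint8_t)(src_ip >> 16);
    ip[14] = (uint8_t)(src_ip >> 8);  ip[15] = (uint8_t)src_ip;
    ip[16] = (uint8_t)(dst_ip >> 24); ip[17] = (uint8_t)(dst_ip >> 16);
    ip[18] = (uint8_t)(dst_ip >> 8);  ip[19] = (uint8_t)dst_ip;
    ip[IP_HLEN] = 8;                               /* ICMP echo request */
    return len;
}

/* The detection check from the text: probe with the right IP but a bogus
 * MAC. A normal host stays silent; a listening host answers. */
int wrong_mac_probe_answered(const uint8_t own_mac[MAC_LEN], uint32_t own_ip,
                             int promiscuous)
{
    static const uint8_t bogus_mac[MAC_LEN]  = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
    static const uint8_t prober_mac[MAC_LEN] = {0x00, 0x0c, 0x29, 0x11, 0x22, 0x33};
    uint8_t frame[ETH_HLEN + IP_HLEN + ICMP_HLEN];
    size_t len = build_echo_frame(frame, bogus_mac, prober_mac,
                                  own_ip, 0xC0A80101u /* 192.168.1.1 */);
    return host_replies(frame, len, own_mac, own_ip, promiscuous);
}
```

A stack that does re-check the destination MAC before answering would return 0 in both cases, which is the limitation the text notes.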

Another method is to send the network a large number of packets addressed to non-existent physical addresses; a sniffer usually processes these packets, which degrades the machine's performance, and you can use the icmp echo delay to judge and compare. You can also search for the programs running on every host in the network, but the difficulty of that is obvious: it is not only a lot of work, it also cannot check the processes on all hosts at the same time. Still, an administrator has good reason to do it, namely to determine whether a process was started from the administrator's own machine.

On Unix, the ps -aun or ps -augx command produces a list of all processes, including the owner of each process and the processor time and memory it uses, printed as a standard table on STDOUT. If a process is running, it will appear in that list. But many hackers, when running a sniffer, will quite brazenly replace ps or other running programs with Trojan Horse versions, since they are entirely able to do so. If that is the case, the above approach produces nothing. Even so, it is of some use. On Unix and Windows NT it is easy to get a list of current processes; on DOS and Windows 9x it seems hard to do, though I have not tested it specifically, so I do not know.

There is another way, which relies on having enough luck. The sniffers hackers use are mostly free ones obtained from the net rather than professional ones, so an administrator can also detect them by searching for sniffer programs. On Unix one can write a small search tool for this; otherwise it would be exhausting. Heh.

There is a tool called Ifstatus that runs under Unix and can identify whether a network interface is in debug mode or in listening mode. If a network interface is running in such a mode, it is quite likely under attack by a sniffer. Ifstatus normally produces no output; it prints output only when it detects that a network interface is in listening mode. Administrators can configure the system's cron to run Ifstatus periodically; with a decent cron, the output it produces can be mailed to whoever runs the cron job. To do this, add a line with the parameters "**** /usr/local/etc/ifstatus" to the crontab. If that does not work, you can also use a script in the crontab: "00 **** /usr/local/etc/run-ifstatus".

Defending against sniffing depends on which aspect you mean. Sniffing is normally a concern mainly for user password information (no hacker is bored enough to sniff the chat between two machines; that would be a waste of time). So encrypting user information and password information is entirely necessary, to prevent them being sniffed while transmitted in the clear. On modern networks the SSH protocol (a protocol providing confidential communication in application environments) has long been in use. SSH uses port 22; it rules out the possibility of information communicated over an insecure channel being sniffed, uses the RSA algorithm, and after the authorization process finishes, all transmissions are encrypted with IDEA. But SSH is not completely secure either; at least that much we can now boldly say.

█ The famous Sniffer tool

Sniffer is famous because it does many things well: it can capture (even listen to and see) all the information transmitted on the network. A Sniffer can be hardware or software, used mainly to receive information transmitted on the network. Networks can run under a variety of protocols, including Ethernet, TCP/IP, ZPX and so on, or a combined system of several protocols.

Sniffer is a very dangerous thing: it can capture passwords, information that was supposed to be secret or on private channels, credit card numbers, financial data, e-mail and so on. It can even be used to attack neighbouring networks.

Sniffer can be used on any platform, and its use nowadays cannot be detected, which is enough to make it the most serious challenge to network security.

For Sniffer, some "enthusiasts" have also written a plugin called TOD killer that can completely cut off TCP connections. In short, Sniffer deserves attention; otherwise security can never be at its best.

If you just want it for research, you can find a Sniffer tool that I have localised into Chinese here: http://semxa.kstar.com/hacking/sniffer260.zip
