Saturday, 12 November 2011

Hacking: a stratagem within a stratagem

松涛 Greenfield

Hacker intrusion techniques include: (1) crossing the sea by deceiving the heavens, (2) looting a burning house, (3) creating something from nothing, (4) advancing secretly by an unknown path, (5) hiding a knife behind a smile, (6) taking the opportunity to pilfer a goat, (7) borrowing a corpse to resurrect the soul, (8) luring the tiger out of the mountain, (9) tossing out a brick to get a jade gem, (10) catching fish in troubled waters, (11) befriending a distant state while attacking a neighbour, (12) replacing the beams with rotten timbers, and (13) turning the guest into the host. Hackers often chain these stratagems together; they are hard to guard against, and one cannot be too careful.

1. Crossing the sea by deceiving the heavens: data-driven attacks

A data-driven attack occurs when a seemingly harmless special program is sent or copied to a network host and executed there, launching the attack. For example, a data-driven attack can cause a host to modify files related to network security, making it easier for the hacker to break into that system the next time.

2. Looting a burning house: illegal use of system files

The directory of executable files on a UNIX system, such as /bin/who, is readable by all users. Some users can obtain the version number from the executable and, combined with published material, learn what vulnerabilities the system has; the version of Sendmail, for example, can be found out simply through a Telnet session. Forbidding access to executables cannot prevent hackers from attacking them, but it at least makes such attacks harder. Other weaknesses arise from configuration files, access control files and default initialization files. The best-known example: the software used to install SunOS Version 4 created a /rhosts file which allowed anyone on the local network (or the Internet), from anywhere, to obtain superuser privileges on that host. Of course, this file was originally set up so that installation could proceed conveniently over the network without superuser permission and checks. Even the wise slip up now and then; flaws in operating system design open back doors for hackers, and the series of specific attacks against WIN95/WIN NT are good examples.

3. Creating something from nothing: forged information attacks

By sending forged routing information, the attacker constructs a false path between the source host and the destination host, so that packets destined for the target all pass through the attacker's own host. This supplies the attacker with sensitive information and useful passwords.

4. Advancing secretly by an unknown path: attacks on weaknesses in the IP protocol

The IP source route option allows an IP packet to choose its own path to the destination host. Suppose an attacker wants to connect to a host A behind a firewall that is otherwise unreachable. He only needs to set the IP source route option in the outgoing request, so that the packet's destination address points to the firewall while the final address is host A. When the packet arrives at the firewall it is allowed through, because it is addressed to the firewall rather than to host A. The firewall's IP layer processes the packet, the source route is advanced, and the packet is sent on to the internal network; in this way the packet reaches the supposedly unreachable host A.

5. Hiding a knife behind a smile: remote manipulation

Default login shells (shell scripts), configuration files and client files are another problem area; they provide a simple way to configure a program's execution environment. This sometimes gives rise to remote manipulation attacks: an executable is started on the victim host which displays a fake login screen. After the user enters login information (user name, password, etc.) into this disguised screen, the program sends the entered information to the attacker's host, then closes the screen with a "system failure" message asking the user to log in again. Only then does the real login screen appear. Until we have a more robust next generation of operating systems, attacks of this kind will continue to occur. One important role of a firewall is to prevent unauthorized users from logging into hosts on the protected network; for example, packet filtering can forbid external hosts from logging into internal hosts via Telnet.

6. Taking the opportunity to pilfer a goat: exploiting system administrators' mistakes

One of the most important factors in network security is people! Countless historical facts show that a fortress is most easily breached from within. Human errors, such as misconfiguration of a WWW server or ordinary users being given expanded permissions, give hackers an opening. Hackers often exploit system administrators' mistakes to gather information for an attack, using commands such as finger, netstat, arp, mail and grep, along with various hacking tools.

7. Borrowing a corpse to resurrect the soul: replay attacks

Capture specific IP packets, tamper with their data, and then resend them one by one to deceive the receiving host.

8. Luring the tiger out of the mountain: feinting east while striking west

Attacks using ICMP messages are relatively difficult, but hackers sometimes carry them out. Redirect messages can change the routing table: a router uses them to advise a host to take another, better path. An attacker can use redirect messages to divert a connection to an unreliable host or path, or to have all packets forwarded through an unreliable host. The countermeasure is to filter all ICMP redirect messages; some routing software can be configured to do this. Simply discarding every redirect is not advisable, however: hosts and routers often rely on them, for example when a router fails.

9. Tossing out a brick to get a jade gem: attacks on the weakness of the source route option

Force packets to reach the destination host via a specific path. Such packets can be used to breach firewalls and spoof hosts. An external attacker can send a source-routed packet bearing an internal host's address. The server will trust the packet and send its reply back to the attacker, because that is what the IP source route option requires. The best defence against this attack is to configure the router to discard packets arriving from the external network that claim to come from internal hosts.
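The three IP-layer defences named in sections 4, 8 and 9 (refuse source-routed packets, filter ICMP redirects, and drop packets that arrive on the outside interface while claiming an internal source address) can all be checked from the IPv4 header alone. The following is an added example written for this page, not code from the original article: a small IPv4 header parser plus a policy check run over packets constructed inline. The internal prefix 10.0.0.0/8 and the documentation addresses are assumptions for the demonstration.

```python
import ipaddress
import struct

# IPv4 option numbers from RFC 791: Loose and Strict Source and Record Route.
OPT_LSRR = 131
OPT_SSRR = 137
PROTO_ICMP = 1
ICMP_REDIRECT = 5          # ICMP message type "Redirect" (RFC 792)

# Hypothetical internal address range of the protected network (assumption).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header and collect the option kinds that follow it."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    kinds = []
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        kinds.append(kind)
        i += opts[i + 1]
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "options": kinds,
            "payload": packet[ihl:]}


def inspect(packet: bytes, from_external: bool) -> list:
    """Border policy from sections 4, 8 and 9; returns the findings for one packet."""
    hdr = parse_ipv4(packet)
    findings = []
    if OPT_LSRR in hdr["options"] or OPT_SSRR in hdr["options"]:
        findings.append("source-routed")             # sections 4 and 9: drop at the border
    if from_external and hdr["src"] in INTERNAL_NET:
        findings.append("spoofed-internal-source")   # section 9: ingress filtering
    if hdr["proto"] == PROTO_ICMP and hdr["payload"][:1] == bytes([ICMP_REDIRECT]):
        findings.append("icmp-redirect")             # section 8: filter redirects
    return findings


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Constructed sample packets for the demonstration; the checksum is left at zero."""
    options += b"\x00" * (-len(options) % 4)        # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                         0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def lsrr_option(*hops: str) -> bytes:
    """LSRR option: kind, length, pointer (minimum 4 = first address), then the route data."""
    data = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([OPT_LSRR, 3 + len(data), 4]) + data


def icmp_redirect(gateway: str) -> bytes:
    """ICMP Redirect header (type 5, code 1 = redirect for host) naming a gateway; constructed."""
    return bytes([ICMP_REDIRECT, 1, 0, 0]) + ipaddress.ip_address(gateway).packed


if __name__ == "__main__":
    samples = [
        ("source-routed request to the firewall",
         build_ipv4("203.0.113.7", "192.0.2.1", 6, options=lsrr_option("10.0.0.5")), True),
        ("internal address arriving from outside",
         build_ipv4("10.0.0.9", "192.0.2.1", 6), True),
        ("redirect from an outside gateway",
         build_ipv4("198.51.100.1", "10.0.0.9", PROTO_ICMP, payload=icmp_redirect("198.51.100.2")), True),
        ("ordinary TCP segment", build_ipv4("198.51.100.1", "10.0.0.9", 6), True),
    ]
    for label, pkt, ext in samples:
        print(f"{label}: {inspect(pkt, ext) or 'accept'}")
```

The parser walks the options field rather than matching fixed byte offsets, because source route options may be preceded by NOP padding; the spoofed-source check is only meaningful when the capturing interface is known, so the caller passes that in.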

10. Catching fish in troubled waters: Ethernet broadcast attacks

Set the Ethernet interface to promiscuous mode and capture every packet on the local segment for one's own use.

11. Befriending a distant state while attacking a neighbour: island-hopping attacks

Many sites on the Internet run the UNIX operating system. Hackers will try to log in to one UNIX host, gain system privileges through vulnerabilities in that operating system, and then use it as a base from which to access other hosts; this is called island-hopping.
Hackers often hop several times before reaching the destination host. For example, a hacker in the United States might, before entering the FBI's network, first log in to a host in Asia, from there log in to a host in Canada, then hop to Europe, and finally launch the attack on the FBI from a host in France. Even if the attacked network discovers where the attack came from, administrators find it very difficult to trace the chain back, all the more so because a hacker who has obtained system privileges on a host can delete the system logs on the way out and cut the "vine". Anyone who can log in to a UNIX system can relatively easily become superuser, which makes UNIX a focus for hackers and security experts alike.

12. Replacing the beams with rotten timbers: stealing TCP connections

Network interconnection protocols also have many vulnerable points. These protocols were originally created to make the exchange of information more convenient, so their designers gave little or no thought to security. Analysing the security of protocols has become the attacker's most potent move.
In almost all UNIX implementations of the protocol suite there is a long-known flaw that makes it possible to steal a TCP connection. When a TCP connection is being established, the server confirms the client's request with a reply containing an initial sequence number. This sequence number has no special requirement other than being unique. After the client receives the reply it acknowledges it once more, and the connection is established. The TCP specification requires the sequence number to be advanced 250,000 times per second. In practice, however, most UNIX systems change it far less often than that, and the next number is often predictable. It is precisely this ability to predict the server's initial sequence number that allows the attack to succeed. The only way to prevent this attack is to make the generation of initial sequence numbers more random. The safest solution is to generate the initial sequence number with a cryptographic algorithm; the additional CPU load is negligible at today's hardware speeds.
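The remedy the paragraph ends with (a cryptographically generated initial sequence number) is exactly what RFC 6528 standardised: ISN = M(t) + F(local address, local port, remote address, remote port, secret), where M(t) is the 4-microsecond clock the text mentions and F is a keyed hash. The following is an added example, not code from the original article, that puts the predictable fixed-increment scheme beside the RFC 6528 construction and includes a small audit helper a defender can run over ISNs observed from their own stack. The increment of 64,000 and the HMAC-SHA256 choice for F are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import List, Optional

# Per-boot secret; in a real stack it is generated at boot and never leaves the kernel.
SECRET_KEY = secrets.token_bytes(32)
CLOCK_HZ = 250_000   # one tick every 4 microseconds, the rate the text cites from the TCP spec
MASK32 = 0xFFFFFFFF


def naive_isn(previous: int, step: int = 64_000) -> int:
    """The weak scheme the text describes: a fixed increment per new connection (step is assumed)."""
    return (previous + step) & MASK32


def secure_isn(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
               now: Optional[float] = None) -> int:
    """RFC 6528 construction: ISN = M(t) + F(4-tuple, secret).

    M(t) is the 4-microsecond clock; F is a keyed hash, here HMAC-SHA256 truncated to 32 bits.
    The clock term keeps ISNs for one 4-tuple moving forward; the hash term makes the offset
    between different connections unknowable without the secret.
    """
    t = time.monotonic() if now is None else now
    m = int(t * CLOCK_HZ) & MASK32
    tuple_bytes = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hmac.new(SECRET_KEY, tuple_bytes, hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


def deltas_are_constant(samples: List[int]) -> bool:
    """Audit helper: True when consecutive ISNs differ by the same amount, i.e. the next is trivially predictable."""
    steps = {(b - a) & MASK32 for a, b in zip(samples, samples[1:])}
    return len(steps) == 1


if __name__ == "__main__":
    weak = [naive_isn(0)]
    for _ in range(4):
        weak.append(naive_isn(weak[-1]))
    print("fixed-increment ISNs:", weak, "predictable:", deltas_are_constant(weak))

    # Five connections from different client ports, all opened at the same instant (constructed).
    strong = [secure_isn("192.0.2.10", 80, "198.51.100.5", 40000 + i, now=1.0) for i in range(5)]
    print("hashed ISNs:", [hex(v) for v in strong], "predictable:", deltas_are_constant(strong))
```

Note that the hashed scheme still advances by exactly the clock term between two connections on the same 4-tuple, which is what protects a new connection from stale segments of the old one; only the per-tuple offset is secret.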

13. Turning the guest into the host: seizing control of the system

Under UNIX too many files can be owned only by the superuser and very few by a particular class of users, which forces administrators to carry out all sorts of operations as root; this practice is not very safe. The primary target of hacker attacks is root, and the object most often attacked is the superuser's password. Strictly speaking, user passwords under UNIX are not encrypted: the password serves only as the key with which the DES algorithm encrypts a fixed string. Many password-cracking tools now exist that use the speed of the CPU to search exhaustively for passwords. Once such an attack succeeds, the hacker becomes emperor of the UNIX system. Separating powers within the system therefore makes it much safer: if, for example, a mail system administrator is designated, that administrator can manage the mail system perfectly well without superuser privileges.
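Sections 2 and 13 together describe three things an administrator should look for on a UNIX host: trust files that admit anyone (the installer-created /rhosts of section 2), extra accounts that are really root, and password fields still protected by DES-based crypt(3), the scheme the cracking tools of section 13 feed on. The following is an added audit example written for this page, not code from the original article; the passwd, shadow and rhosts contents are constructed samples, and the hash prefixes it recognises ($y$, $6$, $5$, $2, $1$) are the standard crypt identifiers, with the 13-character alphabet test standing for traditional DES output.

```python
import re

# Constructed sample files; none of these accounts, hashes or hosts are real.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
mailadm:x:1001:1001:mail administrator:/var/mail:/bin/sh
alice:x:1002:1002:alice:/home/alice:/bin/sh
"""
SHADOW_SAMPLE = """\
root:$6$c0nstructed$placeholderhash:19000:0:99999:7:::
toor:xyEdvIeLDfS3o:19000:0:99999:7:::
mailadm::19000:0:99999:7:::
alice:$y$j9T$c0nstructed$placeholderhash:19000:0:99999:7:::
"""
RHOSTS_SAMPLE = """\
+ +
trusted.example.com alice
"""

# Traditional crypt(3) output: 2-character salt plus 11 characters from the same alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> str:
    """Name the password scheme from the shadow field's prefix."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in (("$y$", "yescrypt"), ("$6$", "sha512crypt"),
                         ("$5$", "sha256crypt"), ("$2", "bcrypt"), ("$1$", "md5crypt")):
        if field.startswith(prefix):
            return name
    if DES_CRYPT.match(field):
        return "des-crypt"
    return "unknown"


def extra_uid0_accounts(passwd_text: str) -> list:
    """Section 13: every account other than root with UID 0 is a second superuser."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def weak_password_fields(shadow_text: str) -> dict:
    """Section 13: DES-based crypt and empty password fields, keyed by account name."""
    weak = {}
    for line in shadow_text.splitlines():
        name, _, rest = line.partition(":")
        scheme = classify_hash(rest.split(":")[0])
        if scheme in ("empty", "des-crypt"):
            weak[name] = scheme
    return weak


def rhosts_wildcards(rhosts_text: str) -> list:
    """Section 2: a '+' in the host or user column trusts everyone, like the installer-created file."""
    hits = []
    for line in rhosts_text.splitlines():
        parts = line.split()
        if parts and (parts[0] == "+" or (len(parts) > 1 and parts[1] == "+")):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    print("extra UID 0 accounts:", extra_uid0_accounts(PASSWD_SAMPLE))
    print("weak password fields:", weak_password_fields(SHADOW_SAMPLE))
    print("rhosts wildcard entries:", rhosts_wildcards(RHOSTS_SAMPLE))
```

On a real host the three functions would be fed the contents of /etc/passwd, /etc/shadow and any .rhosts or hosts.equiv files; the findings map directly onto the page's remedies of giving delegated administrators their own non-root accounts and replacing DES-based password fields with a modern scheme.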

Moreover, after breaking into a system, attackers often apply the stratagem of the cicada shedding its skin: they delete the system's running logs so that the administrator does not discover them and they can return later. Hence the saying that in the art of war, stratagem comes first: a network attacker will try every possible means and use all manner of schemes against the target system. This is what the Thirty-Six Stratagems call a chain of stratagems.
