Remote attack

xiaoxiao, 2021-03-06

⒈ What is a remote attack?

A remote attack is an attack whose target is a computer the attacker does not yet control; put another way, it is an attack against any computer other than the attacker's own, whether that computer sits on the same subnet as the attacker or a thousand miles away. The most precise definition of the term "remote computer" is this: a remote computer is any machine, other than the one you are currently working on, that can be reached through some protocol over the Internet or any other network medium.

⒉ The first steps

The first steps of a remote attack do not require close contact with the target (or, if the intruder is wise, they do not). After identifying the target and its type, the intruder's first task is to determine who and what he is actually up against. Gathering this information need not disturb the target at all (assuming the target has no firewall; most networks have none, and that has been the case for a long time). Some of this information can be obtained with the following techniques:

Run a Host query. With this command the intruder can obtain all the information stored in the target's domain name server. How much the query returns depends mainly on the size and structure of the network.

Run a WHOIS query. This identifies the technical contacts. Such information is often considered worthless, but in fact it is not: because technical contacts usually take part in the day-to-day administration of the target network, their e-mail addresses have some value. (Host and WHOIS queries together also help you judge whether the target is a real system, a page hosted at some other site, a virtual domain served by another provider, and so on.)

Run some USENET and Web queries. Much of the inquiry work should be done before the intruder ever touches the target. One part of it is to search for the technical contacts' names (using a forced, case-sensitive, exact-match query). Such queries reveal which systems the system and technical administrators use frequently. You can also search for their addresses in the archives of all the available security mailing lists.

"What should you do? First, try to collect information about the target. Many network services are useful for this purpose; finger, showmount and rpcinfo are good starting points. But don't stop there: you can also use DNS, WHOIS, Sendmail (SMTP), FTP, UUCP and whatever other services are available."

Collecting information about the system administrator is the most important part. The system administrator's job is to maintain the security of the site, and when administrators run into problems, many of them do not hesitate to post those problems to USENET or to mailing lists in search of answers. Once you have found the administrator's address (and some of his posts) for a given period, you can get a thorough picture of his network, his security outlook and his personality, because administrators who write such mail usually describe their organization, the topology of their network and the problems they face.

Note: Attacking a Windows NT network is quite different. You have to keep track of the root account (or system administrator account) on each machine, because NT has no equivalent of the su command for performing tasks that only root can do. Moreover, the NT administrator account differs greatly from the UNIX root account: since the account is not used directly, the administrator's ID can be any string.

Suppose you learn that the ID is Walrus. Suppose further that a Host query has given you information on 150 computers, including each one's name: for example mail.victim.net, news.victim.net, shell.victim.net, cgi.victim.net and so on (although they may carry "themed" names that hide their role from outsiders, such as sabertooth.victim.net or bengal.victim.net). The intruder should try the administrator's address on each machine, for example walrus@shell.victim.net, walrus@sabertooth.victim.net and so on. In other words, besides trying the administrator's address on every computer in the network, try all the common names on every computer. Perhaps you will find the computer Walrus prefers to use, the one from which his mail is sent.

Note that if the target is a service provider (or otherwise allows users to log in legitimately), more information can be obtained by watching where the system administrator logs in from. This information can usually be gathered from outside with the finger and rusers commands. In other words, you have to keep accounts on a number of commercial networks (networks other than the target's), and if the administrator's most recent login came from Netcom, you track him to the Netcom account and see what turns up.

⒊ About finger queries

Finger queries can easily expose your activity. To avoid the traces a finger query leaves, most intruders use finger gateways. A finger gateway is a web page, typically containing a single input field, that points to a CGI program on a remote server; that remote server then performs the finger query. One example of such a finger gateway is http://www.hgp.med.umich.edu/cgi-bin/finger. Through the gateway, the intruder hides his source address.

⒋ Operating systems

By now you have probably used various methods (including those mentioned above and others) to identify the types of operating system used on the target network. In any case, once you have determined that the operating systems and architectures on the target network are diverse, the next piece of research can begin. First make a table listing each machine and its operating system type (this table is a great help for further research), then study each platform and find its vulnerabilities. Knowing the operating system, you can look up the relevant security bulletins at: http://info.arc.com/sec_bull/sec_bullsearch.html

⒌ Testing

In fact, only the most dedicated intruders bother with the testing part of an attack; most do not want to, because it costs something. I recommend, however, that intruders not skip this step. In it you first build an environment identical to the target's. Once that environment exists, you can run a series of attacks against it. Two things are worth noting in the process:

■ what these attacks look like from the attacker's side;
■ what these attacks look like from the target's side, that is, what the target's log files record.

By doing so the intruder learns roughly what an attack on a target with almost no protective measures looks like (no protective measures here means that nothing beyond the traditional daemons is running on the target). That gives the intruder a reference point: if the real attack behaves differently from the experiment, there must be a reason. A machine (or, more precisely, a machine with a clearly identical configuration) should respond the same way to the same attack. If it does not, whoever runs the target machine has put a contingency plan in place, and the intruder should proceed with care. By examining the logs on the attacked machine, the intruder also learns what the "traces" left by the attack look like. This matters to intruders: a heterogeneous system has several different logging processes, and the intruder should at least know what these logs are, in other words, every file that stores such traces (on the same configuration). This information is critical and has one practical purpose: it tells the intruder what to delete to remove evidence of the intrusion. The only way to find these files is to test and inspect the logs in your own environment.

⒍ Various tools

Concerning vulnerabilities and other important features, you have collected a variety of tools that are actually used; these are most likely scanning tools. You should assess every device on the target network. Based on your analysis of the operating systems (and the other points I have mentioned in this chapter), evaluate your tools to determine which vulnerabilities and areas they do not cover. Where one tool covers a particular device and another does not, it is best to use both together. Whether they can conveniently be used together depends on whether they can easily be attached to a scanning tool such as SATAN or SAFEsuite as external modules. This test is extremely valuable, because in most cases adding external modules and getting them to work properly is not so simple. To obtain exact results from these tools, it is best to experiment on a machine (it can even differ from the target machine), because we want to know whether two or more separate modules will cause the scanning tool to abort or fail unexpectedly. Remember that the actual scanning attack can only be carried out once; if it is interrupted midway, you will not get a second chance. So, depending on what you want from the target, pick suitable tools. In some cases this is easy: for example, you may already know that someone on the target system is running X Window System applications over the network, in which case searching for xhost vulnerabilities will yield something. Remember that using a scanning tool is a brute-force approach. It is like rushing up to a house in broad daylight and trying to break every door and window. As long as the administrator of the system follows security topics even moderately, your behaviour will be exposed to him.
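Read from the defender's side, sections 5 and 6 make one point: scanning and reconnaissance leave traces in the target's logs, and they are noisy. The added example below (not part of the original chapter) scans constructed tcp_wrappers-style syslog lines for a single source querying several of the services the chapter names (finger, rpcinfo, showmount, rusers, ftp) across several hosts within a short window, and flags off-hours activity. The daemon names, the log format, the thresholds and the sample lines are assumptions made for the example.

```python
"""Flag reconnaissance bursts in syslog-style connection logs (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a tcp_wrappers/inetd-like format; not real data.
SAMPLE_LOG = """\
Mar  6 02:14:01 shell in.fingerd[4101]: connect from 203.0.113.7
Mar  6 02:14:02 shell rpcbind: connect from 203.0.113.7 to dump()
Mar  6 02:14:03 shell mountd[210]: refused mount request from 203.0.113.7
Mar  6 02:14:05 mail in.fingerd[4107]: connect from 203.0.113.7
Mar  6 02:14:06 mail in.ftpd[4110]: connect from 203.0.113.7
Mar  6 09:30:11 shell in.fingerd[5210]: connect from 192.0.2.44
Mar  6 11:02:40 mail in.ftpd[5301]: connect from 192.0.2.44
"""

# Daemon name (assumed) -> the query the chapter names that it answers.
RECON_SERVICES = {"in.fingerd": "finger", "rpcbind": "rpcinfo",
                  "mountd": "showmount", "in.rusersd": "rusers", "in.ftpd": "ftp"}

LOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([\w.]+)(?:\[\d+\])?: "
                    r".*?(\d+\.\d+\.\d+\.\d+)")

def parse_line(line):
    """Return (timestamp, host, service, source_ip) for a recon-relevant line, else None."""
    m = LOG_RE.match(line)
    if not m or m.group(3) not in RECON_SERVICES:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m.group(2), RECON_SERVICES[m.group(3)], m.group(4)

def find_recon(log_text, window_s=120, min_services=3, night_hour=6):
    """One alert per source that touches >= min_services distinct services within window_s."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev[3]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _, _) in enumerate(events):
            win = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            services = {e[2] for e in win}
            if len(services) >= min_services:
                alerts[src] = {"services": sorted(services),
                               "hosts": sorted({e[1] for e in win}),
                               "start": t0, "off_hours": t0.hour < night_hour}
                break  # report the first qualifying window only
    return alerts

if __name__ == "__main__":
    for src, info in find_recon(SAMPLE_LOG).items():
        print(src, info)
```

A real deployment would feed this the tcpd, inetd and portmap logs the chapter says an intruder studies in a test environment; the point is that the same traces are available to the defender first.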

⒎ Forming an attack strategy

The days of roaming the Internet and attacking this or that server at random have basically passed. Many years ago, as long as the system suffered no damage, breaking a system's security was regarded as a minor offence. Today the situation is very different: the value of data has become the focus of attention. So a modern intruder has no reason to attack without purpose; on the contrary, it is wise to begin an intrusion only with a specific plan. Your attack strategy depends mainly on what you want to do. Suppose your goal is basically to defeat a system's security measures. If that is your plan, you need to plan how to accomplish it. The longer a scan takes (and the more machines it involves), the more likely it is to be discovered, and the more scan data you will have to sift through, while the attacks based on that data take time as well. I have already mentioned that the shorter the scanning attack, the better. Something should therefore be obvious (or at least reasonable): once the collected data tells you that part of the network lies behind a router, switch, bridge or other device, you should exclude it from the scan. After all, the benefit those systems can bring you may be minimal. Suppose you obtain root on a system in that segment: what would you gain? Can you easily pass through the router, bridge or switch? I'm afraid not! Sniffing can only yield information about other computers on the same network segment, and spoofing is only effective against machines in that segment. Since what you want is root on a given (or the largest available) network segment, scanning a smaller, more secure network is pointless.

Note: Of course, if those machines happen (for whatever reason) to be unprotected, you should attack them by every possible means (unless they are truly worthless). For example, a web server is usually placed outside the network firewall, or made the only machine reachable from the outside. Unless the purpose is to break into that web server (and some of the administrators of such web servers), do not bother with it. These machines are the typical victims: the system administrator has already anticipated that the machine will fall to a remote attack, so there is almost no data on its disk beyond the home page. In any case, once you have settled on the scanning parameters, you can begin.

⒏ About the timing of scans

On this question there is no exact answer. If you really want to scan, I would rather do it late at night in the target's time zone. After the scan is over, you can begin analysing the data. First, consider whether the information obtained this way is reliable (reliability is determined, to some extent, by scanning experiments in a similar environment). Then analyse the data; the data produced by different scanners differ as well. The documentation in SATAN can help greatly: its descriptions of vulnerabilities are short but direct and instructive. Once you have found a vulnerability, you should refine the information by searching BugTraq and the other available resources. The main point is that nothing can turn a novice into an experienced system administrator or intruder overnight. That is a hard fact. To really understand the essence of an attack and what should be taken from it, you may have to spend weeks studying source code, vulnerabilities, a particular operating system and other material. There is no way around this. Experience in attacks cannot be substituted, and neither can patience. If you lack either, forget about attacking. This is an important point. Whether it is someone like Kevin Mitnick (the intruder) or someone like Wietse Venema (the hacker), there is little difference between them: their work and results have always been the focus of news magazines and online forums, and they are famous in the field of computer security (in some cases far beyond it). Their results, good or bad, come from hard work, study, talent, thought, imagination and self-education. For the same reason, a firewall cannot save a system administrator who cannot use it skilfully; likewise, SATAN cannot help a novice intruder attack a protected remote target.

Summary

Remote attacks are becoming more common. As discussed in the previous chapters, the use of scanning tools has been mastered by ordinary users. Likewise, the large increase in searchable security vulnerability indexes has greatly improved the ability to identify possible security problems. Some people think that the free sharing of this information is the reason the Internet is in such a poor security state. In fact, this view is wrong. On the contrary, system administrators should make use of this publicly available information: they should carry out the process described here against their own networks, from a technical standpoint. This is not expensive and costs no money. The specific methods of attacking particular operating systems are beyond the scope of this book, mainly because there would be too much to write. Furthermore, a well-planned and dangerous remote attack is not the work of an impatient hacker; only someone with a deep understanding of systems can carry it out. Such people are very calm and have a deep knowledge of TCP/IP (although the way they learned it may not be official). For that very reason, intruders should be ashamed to take this terrible path. One wonders why such talented people would go down this road.

Please cite the original address when reposting: https://www.9cbs.com/read-75396.html
