What follows is a detailed walk-through of each step in an attacker's attack process.
Hiding the location. The attacker first hides their location in order to protect themselves. Every host on the Internet has its own network address, and under the TCP/IP protocol, if no protective measures are taken, it is easy to find out where a host is, such as its IP address and domain name. Therefore, the first step experienced hackers take is to try to hide their network location, including their network domain and IP address, which makes it difficult for investigators to find the real source of the attack. Attackers usually use the following techniques to hide their real IP addresses or domain names:
Using a compromised host as a stepping stone, for example a Windows machine running WinGate or another improperly configured proxy; using telephone relay techniques to hide themselves, such as connecting through an ISP's telephone relay service; stealing someone else's account to get online, dialing in to a host by telephone and then reaching the Internet through that host; using free proxy gateways; forging IP addresses; forging user accounts.
Network probing and data collection. Before launching an attack, the attacker usually needs to choose a target and collect information about the target system. They may decide on the target from the start and then gather information about it, or they may first gather a lot of information about hosts that are online and then pick the final target according to how strong each system's security is.
Information is the attacker's best tool. It may be the ultimate goal of the attack (such as top-secret documents or economic information); it may be the attacker's passport into the system (such as user passwords and authentication tickets); or it may be the prelude to gaining access, such as the target system's hardware and software platform, the services and applications it provides, and how well they are secured. The information attackers are mainly interested in includes:
Operating system information; open service ports; default system accounts and passwords; mail account names; IP address allocation; domain name information; network equipment types; network communication protocols; application server software types.
To get a full picture of the target system, attackers often turn to software tools such as nmap, Nessus and SATAN. While collecting target information, the attacker also takes care to stay hidden, so as not to attract the attention of the target's system administrator.
Vulnerability mining. The existence of vulnerabilities in a system is the root of all the security threats the system faces. External attacks mainly exploit flaws in the network services the system provides; internal misuse exploits the fragility of internal services and their configuration; denial-of-service attacks mainly exploit weaknesses in resource allocation, occupying limited resources for a long time without releasing them so that other users cannot get the service they are entitled to, or exploit weaknesses in service processing to make the service collapse. An important step in an attack is to dig out as many weaknesses of the system as possible and to work out attack methods that match the specific vulnerabilities. Commonly used vulnerability mining techniques and methods are:
Vulnerabilities in system or application service software. Depending on the services a system provides, attackers use different methods to gain access. If the attacker finds that the system provides UUCP service, they can gain access by exploiting a UUCP security vulnerability; if the system also provides other remote network services, such as mail, WWW, anonymous FTP or TFTP, the attacker can exploit weaknesses in those remote services to gain access.
Fragility of trust relationships between machines. Attackers look for trusted hosts, which may be machines used by administrators or servers that are considered very secure. For example, a CGI vulnerability can be used to read files such as /etc/hosts.allow, which gives a general picture of the trust relationships between hosts; the next step is to find out which of these trusted hosts are vulnerable.
Looking for vulnerable network members. Trying to find vulnerable members of the network is often effective for attackers, and it is for this reason that fortresses are most easily breached from the inside: users with weak security awareness choose weak passwords, which let the attacker take direct remote control of the host.
Security policy configuration vulnerabilities. The host's network services are configured incorrectly, and vulnerable network services are left open.
Communication protocol vulnerabilities. Vulnerabilities can be found by analysing the protocols the target network uses, such as TCP/IP.
Vulnerabilities in the network's business systems. By learning the business processes of the target network, the attacker can look for loopholes; for example, a WWW service that allows files uploaded by ordinary users to be executed.
Gaining control rights. An ordinary account gives only limited access to the target system, and the attacker needs more rights to achieve some goals. So after getting an ordinary account, attackers often try to obtain higher privileges, such as the right to manage accounts on the system. The usual ways of obtaining system administration rights are:
Obtaining the system administrator's password, for example by a password attack aimed specifically at the root user; exploiting flaws in system administration, such as wrong file permissions, wrong system configuration, or buffer overflows in certain SUID programs; getting the system administrator to run a Trojan horse, such as a tampered login program.
As an intruder, the attacker is always afraid of being discovered, so the first thing a smart attacker does after entering the system is hide their tracks. Attackers usually use the following techniques:
Connection hiding, such as impersonating other users, modifying the LOGNAME environment variable, modifying the utmp log file, and using IP spoofing; process hiding, such as using redirection to reduce the amount of information ps reports, or replacing the ps program with a Trojan horse; tampering with the audit information in log files; changing the system time, which confuses the log file data and with it the system administrator.
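As an added example (not from the original article), here is a small defender-side check for two of the tricks just listed: logins that the authentication log accepted but that no longer appear in the utmp listing, and log timestamps that run backwards after the system clock has been changed. The log format, users, hosts and addresses are constructed sample data.

```python
import re
from datetime import datetime

# Constructed sample data (not from a real host): a "who"-style listing from utmp
# and the sshd lines from the authentication log.
UTMP_LISTING = """\
alice    pts/0   2024-03-01 09:02 (10.0.0.5)
bob      pts/1   2024-03-01 09:40 (10.0.0.7)
"""

AUTH_LOG = """\
2024-03-01 09:02:11 sshd[2101]: Accepted password for alice from 10.0.0.5 port 50122
2024-03-01 09:40:03 sshd[2190]: Accepted password for bob from 10.0.0.7 port 50410
2024-03-01 10:15:27 sshd[2255]: Accepted publickey for carol from 203.0.113.9 port 51002
2024-03-01 09:58:00 sshd[2260]: Accepted password for dave from 203.0.113.9 port 51100
"""

AUTH_RE = re.compile(r"^(\S+ \S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def parse_auth(log):
    """Return (timestamp, user, source) for each accepted login, in file order."""
    sessions = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            sessions.append((ts, m.group(2), m.group(3)))
    return sessions

def parse_utmp(listing):
    """Return the set of (user, source) pairs still recorded in utmp."""
    pairs = set()
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            pairs.add((fields[0], fields[4].strip("()")))
    return pairs

def missing_from_utmp(auth_log, utmp_listing):
    """Accepted logins with no utmp entry. A normal logout also removes the entry,
    so confirm against wtmp ("last") before treating a hit as a scrubbed record."""
    present = parse_utmp(utmp_listing)
    return sorted({(u, s) for _, u, s in parse_auth(auth_log) if (u, s) not in present})

def timestamp_regressions(auth_log):
    """Indices of lines stamped earlier than the previous line: a log only moves forward."""
    stamps = [ts for ts, _, _ in parse_auth(auth_log)]
    return [i for i in range(1, len(stamps)) if stamps[i] < stamps[i - 1]]
```

On the sample data the check reports carol and dave as logins with no utmp record and flags the fourth log line, whose timestamp steps back in time.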
Different attackers have different purposes, which may be gaining access to confidential files, destroying the integrity of system data, or taking control of the whole system (that is, system administration rights), among others. In general they can be summarised as follows:
Downloading sensitive information; attacking other trusted hosts and networks; paralysing the network; modifying or deleting important data.
Opening a back door. A successful intrusion usually costs the attacker a lot of time and effort, so a calculating attacker will plant some back doors in the system before leaving it, to make the next intrusion easier. Attackers usually consider the following methods when designing back doors:
Relaxing permissions; reopening unsafe services such as REXD and TFTP; modifying system configuration, such as the system startup files and network service configuration files; replacing the system's own * * * library files; installing all kinds of Trojans and modifying the system source code; installing a sniffer.
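As an added example (not part of the original article), a defender-side audit that looks for two of the back doors just described: unsafe services such as tftp and rexd re-enabled in an inetd.conf-style file, and setuid-root binaries that have appeared since a known-good baseline. The configuration lines, baseline and file listing are constructed sample data.

```python
# Constructed sample data (not from a real host): an inetd.conf-style file,
# a known-good SUID baseline, and a current "find / -perm -4000"-style listing.
INETD_CONF = """\
# service  socket  proto  wait  user  program       args
ftp      stream  tcp   nowait root  /usr/sbin/tcpd in.ftpd -l
#tftp    dgram   udp   wait   root  /usr/sbin/tcpd in.tftpd /tftpboot
tftp     dgram   udp   wait   root  /usr/sbin/tcpd in.tftpd /
rexd     stream  tcp   nowait root  /usr/sbin/rpc.rexd rpc.rexd
telnet   stream  tcp   nowait root  /usr/sbin/tcpd in.telnetd
"""

# Services the article names as ones an attacker may reopen, plus plaintext login.
UNSAFE_SERVICES = {"rexd", "tftp", "telnet"}

SUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo"}

# "ls -l"-style mode, owner and path for every setuid file found now.
SUID_LISTING = """\
-rwsr-xr-x root /usr/bin/passwd
-rwsr-xr-x root /usr/bin/su
-rwsr-xr-x root /usr/bin/sudo
-rwsr-xr-x root /usr/bin/ps
-rwsr-sr-x root /tmp/.x/sh
"""

def enabled_unsafe_services(conf):
    """Active (uncommented) inetd entries for unsafe services: (name, command)."""
    hits = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out, so the service is disabled
        fields = line.split()
        if len(fields) >= 6 and fields[0] in UNSAFE_SERVICES:
            hits.append((fields[0], " ".join(fields[5:])))
    return hits

def suid_drift(listing, baseline):
    """Setuid-root files absent from the baseline; a hit in a temp or hidden
    directory, or a normally non-SUID tool such as ps, deserves immediate review."""
    drift = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        mode, owner, path = fields
        setuid = mode[3] in "sS"  # the owner-execute slot carries the setuid bit
        if setuid and owner == "root" and path not in baseline:
            drift.append(path)
    return drift
```

The commented-out tftp line is correctly ignored, while the live tftp entry serving "/" rather than /tftpboot, the rexd entry and telnet are all reported.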