Attack

First of all, it should be noted that there are two sources of intruders. One is an attack carried out by insiders who use their job positions and existing permissions to obtain permissions they should not have. The other is external intrusion, which includes remote intrusion and intrusion through access to a network node. This section focuses on remote attacks.

Conducting a network attack is a very systematic task. Its main workflow is: gathering intelligence, remote attack, remote login, obtaining the privileges of an ordinary user, obtaining superuser privileges, leaving backdoors, and clearing logs. The main techniques involved include target analysis, file acquisition, password cracking and log clearing, which are described below.

1. Determine the purpose of the attack

Before an attacker carries out a complete attack, he must first determine what the attack is intended to achieve, that is, what consequences it will cause for the other party. There are two common types of attack goals: destruction and intrusion. A destructive attack damages the target so that it cannot work properly, but does not let the attacker control the target system at will; the main means of achieving it is the denial-of-service attack. The other common type is intrusion, in which the attacker obtains certain permissions on the target in order to control it. This type of attack is more common and more threatening than the destructive kind, because once an attacker obtains administrator privileges on the target, he can do whatever he wants on the server, including carrying out destructive attacks. Intrusion attacks are generally carried out by exploiting vulnerabilities in the server's operating system, application software, or network protocols. There is, of course, another cause: password leakage, where the attacker obtains a server user's password by guessing or exhaustive search and can then access the server like a legitimate administrator.

2. Information Collection

In addition to determining the purpose of the attack, the most important task before an attack is to gather as much information as possible about the target. This information mainly includes the type and version of the target's operating system, which services the target provides, the type and version of each server program, and related social information.

To attack a machine, you must first determine which operating system it runs, because the system vulnerabilities of different operating systems differ greatly, so the attack methods are completely different, and even different versions of the same operating system do not share the same vulnerabilities. Determining a server's operating system is generally a matter of experience, and some services on a server reveal information about its operating system. For example, when we connect to a machine via TELNET and it displays

UNIX(r) System V Release 4.0

login:

experience suggests that the operating system running on this machine is SunOS 5.5 or 5.5.1. However, determining the operating system type this way is unreliable, because some administrators deliberately change the banner to create a false impression and confuse attackers.

There are also less efficient methods, such as querying the host's DNS records (not very reliable) to see the machine and operating system type declared when the domain name was registered, using social engineering, or reading the public SNMP community that some hosts leave open.

Another relatively accurate approach is to use the TCP/IP stack of the network operating system as a kind of "fingerprint" to determine the true identity of the system, because different operating systems implement the details of the underlying network protocols slightly differently. The operating system type can be determined by sending specially crafted packets to the target and examining the packets that come back. For example, a FIN packet (or any packet without the ACK or SYN flag) is sent to an open port on the target host and the response is observed: many systems, such as Windows, BSDI, Cisco, HP-UX and IRIX, return a RESET. Or a SYN packet is sent whose TCP header carries an undefined TCP flag: the response packet from Linux keeps this undefined flag, while other systems close the connection after receiving the SYN+BOGUS packet. Or the initial sequence number (ISN) pattern is matched against a template for a specific operating system, which can classify many systems, such as the fixed 64K increments of older Unix systems and the random increments of some newer Unix systems. There is also the TCP window size contained in the returned packet, a technique that can identify each operating system by its initial window size. Many tools implement this technology; the better known ones are nmap, checkos, queso, etc.

It is also important to know which services the target provides, as well as the type and version of each service daemon, because known vulnerabilities generally apply to a specific service. The services meant here are those on the well-known ports we usually mention, for example TELNET on port 23, FTP on port 21, WWW on port 80 or 8080; this is only the common case, and site administrators can change the port number of a service as they wish. The software that provides the same service on different servers can also differ; we call such software a daemon. For example, FTP service can be provided by many different daemons, such as wu-ftpd, proftpd, ncftpd, etc. Determining the type and version of the daemon also helps hackers exploit system vulnerabilities to compromise websites.

In addition, the information to be obtained about the system includes social information that has nothing to do with the computer itself, such as the name and size of the company the website belongs to, the habits of the network administrator, telephone numbers, etc. This information does not appear to be related to attacking a website, but in fact many hackers use it to compromise one. For example, some administrators use their own phone number as the system password, so having the phone number is equivalent to holding administrator authority. Information collection can be done manually or with tools; a tool that automates it is called a scanner. The advantage of collecting information with a scanner is that it is fast and can scan multiple targets at once.

The attack implementation stage

1. Get permissions

Once enough information has been gathered, the attacker is ready to proceed with the attack. For a destructive attack, it is enough to launch it with tools. For an intrusion attack, it is usually necessary to use the collected information to find a vulnerability in the system, and then exploit that vulnerability to obtain certain permissions. Sometimes the permissions of an ordinary user are enough to achieve a goal such as modifying the homepage, but as a complete attack it is necessary to obtain the highest authority of the system, not only to achieve a particular goal but, more importantly, to prove the attacker's ability, which is also what hackers pursue.

Vulnerabilities that attackers can exploit include not only security flaws in the design of system software, but also weaknesses caused by improper configuration. Not long ago, the homepage of Apache, the most popular web server on the Internet, was hacked: the "Powered by Apache" image (the feather) on its main page was changed to a "Powered by Microsoft BackOffice" image, and the attacker exploited the administrator's improper configuration of the web server's database to obtain the highest privilege.

Of course, most successful attacks exploit vulnerabilities in the system software itself. The main cause of software vulnerabilities is the lack of security awareness of the programmers who write the software: when an attacker makes an abnormal call to the software, a buffer overflow or unauthorized access to a file results. Of these, buffer overflows are the most commonly used; according to statistics, more than 80% of successful attacks exploit them to obtain illegitimate permissions. Buffer overflows are explained in detail in a dedicated section at the end.

Whether you are a hacker or a network administrator, you need to be aware of as many system vulnerabilities as possible. Hackers need them to complete their attacks, and administrators need to set up different defenses for different vulnerabilities. For the most up-to-date vulnerability information, you can visit websites such as Rootshell, Packetstorm, SecurityFocus, etc.

2. Expansion of Authority

There are two types of system vulnerabilities: remote and local. A remote vulnerability is one that a hacker can exploit directly on another machine to attack it and obtain certain permissions. This type of vulnerability is quite threatening, and hacker attacks generally start with a remote vulnerability. However, a remote vulnerability does not necessarily yield the highest privilege; often it only gives the permissions of an ordinary user, with which the hacker frequently cannot do what he wants. At this point it is necessary to combine it with local vulnerabilities to expand the permissions obtained, often up to the administrator permissions of the system.

Only after obtaining the highest administrator privileges can you do things such as network sniffing, cleaning traces, etc. To complete the expansion of permissions, you can not only use the permissions already obtained to run programs that exploit local vulnerabilities on the system, but also plant deceptive programs such as Trojans to capture the administrator's password; these are placed locally to obtain the highest permission and cannot be used remotely. For example, if a hacker has obtained an ordinary user's account and login privileges on a machine, he can place a fake su program on it. Once the fake su is in place, when a legitimate user logs in, runs su and enters the password, the root password is recorded, and the next time the hacker logs in he can use su to become root.

Aftermath of the attack

1. Introduction to the logging system

If an attacker leaves the system immediately after completing the attack without doing any cleanup, his whereabouts will quickly be discovered by the system administrator, because all network operating systems generally provide a logging function that records the actions that occur on the system. Therefore, for the sake of their own concealment, hackers generally erase the traces they leave in the logs. To understand how hackers erase their traces, you must first understand how the logging of common operating systems is structured and how it works. Unix log files are usually located in the following places, with slight variations depending on the operating system:

/usr/adm - early versions of Unix.

/var/adm - newer versions use this location.

Some versions of Solaris, Linux, BSD and FreeBSD use this location.

/etc - most Unix versions put utmp here, and some also put wtmp here; it is also where syslog.conf is located.

The following files may be found in any of these directories, depending on the system:

acct or pacct - a record of the commands run by each user.

access_log - mainly used on servers running the NCSA HTTP server; this log records which sites have connected to your server.

aculog - a record of modem dial-outs.

lastlog - a record of each user's most recent login and its origin, and sometimes the last unsuccessful login attempt.

loginlog - records abnormal login attempts.

messages - records output to the system console; additional entries are generated by syslog.

security - records attempts to enter restricted areas using the UUCP system.

sulog - records uses of the su command.

utmp - a record of all users currently logged into the system; this file changes as users enter and leave the system.

utmpx - an extension of utmp.

wtmp - records user login and logout events.

syslog - the most important log files, produced by the syslogd daemon.

2. Hide tracks

After the attacker obtains the highest administrator privilege on the system, he can modify files on the system at will (this applies to ordinary Unix systems), including the log files, so a hacker who wants to hide his tracks will modify the logs. The easiest way is of course to delete the log files, but although this prevents the system administrator from tracing the intruder by IP address, it also tells the administrator unequivocally that the system has been compromised. So the most common approach is to change only the parts of the log files that relate to the intruder. The details of the method vary between operating systems, and there are many programs on the network with this function, such as zap, wipe, etc. Their main method is to clear a given user's entries from log files such as utmp, wtmp, lastlog and pacct, so that when the logs are viewed with commands such as w, who and last, that user's information does not appear.
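The utmp/wtmp files listed above are fixed-size binary records, and the cleaners just described blank a user's record in place rather than removing it. The following is an added example, not code from the original article, that reads a wtmp image and reports the traces such cleaning leaves: all-NUL records in an append-only file, EMPTY-typed records, and timestamps that run backwards. It assumes the glibc record layout on x86-64 Linux (384 bytes); the sample data is constructed inline.

```python
import struct

# One glibc utmp/wtmp record on x86-64 Linux (384 bytes; layout assumed here):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used only to construct the sample data below."""
    pad = lambda s, n: s.encode().ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, pad(line, 32), pad("ts/0", 4),
                       pad(user, 32), pad(host, 256), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_records(data):
    """Split a wtmp image into dicts, one per fixed-size record."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        recs.append({"type": f[0], "pid": f[1], "tv_sec": f[9],
                     "line": f[2].rstrip(b"\0").decode(errors="replace"),
                     "user": f[4].rstrip(b"\0").decode(errors="replace")})
    return recs

def audit_wtmp(data):
    """wtmp is append-only, so an all-NUL record (what zap-style cleaners leave
    when they blank a user's entry in place), an EMPTY-typed record, or a
    timestamp that runs backwards should never occur.  Report their indices."""
    findings = {"zeroed": [], "empty_type": [], "time_regress": []}
    last = 0
    for i, rec in enumerate(parse_records(data)):
        if data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE] == b"\0" * UTMP_SIZE:
            findings["zeroed"].append(i)
            continue
        if rec["type"] == EMPTY:
            findings["empty_type"].append(i)
        if rec["tv_sec"] < last:
            findings["time_regress"].append(i)
        last = max(last, rec["tv_sec"])
    findings["trailing_bytes"] = len(data) % UTMP_SIZE  # truncated file?
    return findings

# Constructed sample: alice logs in, bob logs in, alice logs out.  TAMPERED has
# bob's entry blanked in place, the way a log cleaner would do it.
CLEAN = (make_record(USER_PROCESS, 1234, "pts/0", "alice", "10.0.0.5", 1700000000)
         + make_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.9", 1700000100)
         + make_record(DEAD_PROCESS, 1234, "pts/0", "", "", 1700000500))
TAMPERED = CLEAN[:UTMP_SIZE] + b"\0" * UTMP_SIZE + CLEAN[2 * UTMP_SIZE:]
```

On a live system, read /var/log/wtmp (or the path your Unix uses) into `data` and call `audit_wtmp`; note that utmp, unlike wtmp, may legitimately contain EMPTY slots, so the EMPTY check is only meaningful for wtmp.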

Administrators who want to prevent the logging system from being modified by hackers should take certain measures, such as using a printer to record network log information in real time. But this has a downside: once hackers know what you are doing, they will keep writing useless information to the logs, causing the printer to print continuously until it runs out of paper. A better way to avoid log modification is therefore to send all log files to a more secure host, i.e. to use a loghost. Even this does not completely eliminate the possibility of the logs being modified, because a hacker who can attack the host is likely to be able to attack the loghost as well.

It is not enough just to change the logs, because even the most careful cover-up has a flaw; even if you think you have changed all the logs, you will still leave some clues. For example, some backdoors may be discovered by administrators after they are run. Therefore, skilled hackers go further and hide their tracks by replacing some system programs. Such hacking programs used to replace normal system programs are called rootkits, and they can be found on some hacking websites; the more common one is Linux Rootkit, which has now reached version 5.0. It can replace a series of important system programs such as ls, ps, netstat, inetd, etc. When ls is replaced, specified files can be hidden, so that the administrator cannot see them when using the ls command, thereby achieving the purpose of hiding the intruder.
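A replaced ls of the kind described above filters its own output, so it disagrees with a directory read performed by a different program. The following cross-view check is an added example, not code from the original article or from any rootkit: it compares what this process sees through os.scandir with what the system's ls binary prints. It assumes a POSIX system with an ls in PATH; a kernel-level rootkit that hooks readdir itself would fool both views, and file names containing newlines would be misread.

```python
import os
import shutil
import subprocess
import tempfile

def hidden_entries(raw_names, visible_names):
    """Names present in the raw directory read but missing from the listing a
    user sees.  A trojaned ls that drops its owner's files leaves this gap."""
    return set(raw_names) - set(visible_names)

def check_directory(path):
    """Cross-view check: os.scandir (readdir from this process) versus the
    output of the ls binary for the same directory.  Returns the names that
    only the raw read showed; an empty set means the two views agree."""
    raw = {entry.name for entry in os.scandir(path)}
    out = subprocess.run(["ls", "-1a", "--", path], capture_output=True,
                         text=True, check=True).stdout
    # ls -a also prints the . and .. pseudo-entries, which scandir omits.
    visible = {n for n in out.split("\n") if n and n not in (".", "..")}
    return hidden_entries(raw, visible)

def demo_on_tempdir():
    """Run the check on a scratch directory with constructed file names.
    Returns None when no ls binary is available, otherwise the hidden set."""
    if shutil.which("ls") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", ".hidden_dotfile", "bin"):
            open(os.path.join(d, name), "w").close()
        return check_directory(d)
```

Run it against directories an intruder would favour for hiding tools (for example /dev, /tmp, /usr/lib); anything reported is a file the installed ls refuses to show and deserves a look with a known-good binary from read-only media.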