• 软件测试技术
  • 软件测试博客
  • 软件测试视频
  • 开源软件测试技术
  • 软件测试论坛
  • 软件测试沙龙
  • 软件测试资料下载
  • 软件测试杂志
  • 软件测试人才招聘
    暂时没有公告

字号: | 推荐给好友 上一篇 | 下一篇

security+ 学习

发布: 2007-5-25 12:09 | 作者: 未知 | 来源: Blog.ChinaUnix.net | 查看: 34次 | 进入软件测试论坛讨论

领测软件测试网

contains most about tcp/ip hijacking

encryptionsystem in which the sender and receiver of a message share a single, common key that is used to encrypt and decrypt the message. Contrast this with public key cryptology, which utilizes two keys - a public key to encrypt messages and a private key to decrypt them.

Symmetric-key systems are simpler and faster, but their main drawback is that the two parties must somehow exchange the key in a secure way. Public-key encryption avoids this problem because the public key can be distributed in a non-secure way, and the private key is never transmitted.

Symmetric-key cryptography is sometimes called secret-key cryptography. The most popular symmetric-key system is the Data encryption standard DES.

复习一下private address: 169.254.x.x,k 什么破题,出个169.253, 太狡诈了。

Class A: 10.0.0.0 - 10.255.255.255Class B: 172.16.0.0 - 172.31.255.255Class C: 192.168.0.0 - 192.168.255.25

Split tunneling:

The process of allowing a remote vpn user to access a public 网络, most commonly the internet, at the same time that the user is allowed to access resources on the vpn. This method of network access enables the user to access 远端 devices, such as a 网络打印机, at the same time as accessing the public network.

An advantage of using split tunneling is that it alleviates bottleneck and conserves 带宽 as internet traffic does not have to pass through the VPN 服务器. A disadvantage of this method is that it essentially renders the VPN vulnerable to attack as it is accessible through the public, non-secure network.

Tcp/ip hijacking,这个讲的非常清楚。

 

TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.

A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine.

If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.

A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack".

A common component of such an attack is to execute a denial-of-service (DoS) attack against one end-point to stop it from responding. This attack can be either against the machine to force it to crash, or against the network connection to force heavy packet loss.

man in the middle

kkkkkkkk,这里应该有个图的,气死我了。

#Attacker is the system used by the attacker for the hijack.

#Victim is the system used by the victim for Telnet client connections to the target system.

#Target is the target system that the intruder wants to compromise. It is where the telnetd daemon is running.

A simple diagram of the network shows the Attacker and Victim hosts are on the same network (which can be Ethernet switched and the attack will still work), while the target system can be anywhere. (Actually, either victim or target can be on the same network as attacker: it doesn't matter.)

For the attack to succeed, the victim must use Telnet, rlogin, ftp, or any other non-encrypted TCP/IP utility. Use of SecurID card, or other token-based two-factor authentication is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session.

The attack scenario can be as simple as:

1 Attacker: Spends some time determining the IP addresses of target and victim systems. Determining trust relationships can be easily done with utilities like SATAN, finger, systat, rwho or running who, ps, or last from previously stolen (or wide open "guest" style) accounts.

2 Attacker: Runs hunt as root on attacking host. Waits for hunt to indicate a session has been detected.

3 Attacker: Starts ARP relay daemon, prepares RST daemon entry for use later, sets option to enable host name resolution (for convenience).

4 Victim: Logs in to target using Telnet. Runs pine to read/compose email.

5 Attacker: Sees new connection; lists active connections to see if this one is potentially "interesting." If it is, attacker can either watch the session (packet sniffing) or hijack the session. Decides to hijack.

6 Victim: Sees strange new prompt. Tries pressing RETURN and doesn't know what to think. Tries web browser and notices that it still works fine (not a network problem). Not sure what to think.

7 Attacker: Finds this is a user session and decides to give it back (resynchronizes TCP/IP stream).

8 Victim: Sees prompt for keystroke, follows request, gets session back. Puzzled, decides to log in to root account to take a closer look.

9 Attacker: Turns on RST daemon to prevent new connections, waits to hijack root session.

10 Victim: Runs ssu to get SecurID protected root shell.

11 Attacker: Completes hijack after seeing root login.

12 Victim: Sees strange prompt. Tries pressing RETURN again. Same result as before. Tries web browser again. Same thing. Tries getting a new Telnet session. Fails. Tries ftp. Fails.

13 Attacker: Sets up backdoor, disables command history, resets session, turns off RST daemon.

14 Victim: Finally gets a new session. Original session is now gone. Assumes network outage or Windows TCP/IP stack corruption. Reboots system and everything is back to "normal".

15 Attacker: Waits for admin's sessions to all disappear (gone home for the night), then logs in using new backdoor. Installs rootkit (more backdoors, sniffer), cleans log files.

The development model is based on a packet engine (hunt.c) which runs in its own thread and captures packets from the network. The packet engine collects information of TCP connections/starting/termination, sequence numbers and MAC addresses. It collects the MAC addresses and sequence numbers from the server point of view and separate MAC addresses and sequence numbers from the client point of view. So it is prepared for hijacking. This information (seq. num., MAC, etc.) is available to modules so they don't have to analyze and collect it.

Modules can register functions with the packet engine, which are then invoked when new packets are received. A module function determines if the module is interested in a packet or not and can place the packet in a module specific list of packets. A module function can also send some packet to the network if it is desirable to do it very fast. The module (usually in some other thread so it needs to be scheduled to be run) then gets packets from the list and analyzes them. In this way, you can easily develop modules, which perform various activities. Refer to the appendix section for learning the features offered by hunt.

 

refrence : from http://www.ouah.org/mitmbrief.htm

http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm

延伸阅读

文章来源于领测软件测试网 https://www.ltesting.net/


关于领测软件测试网 | 领测软件测试网合作伙伴 | 广告服务 | 投稿指南 | 联系我们 | 网站地图 | 友情链接
版权所有(C) 2003-2010 TestAge(领测软件测试网)|领测国际科技(北京)有限公司|软件测试工程师培训网 All Rights Reserved
北京市海淀区中关村南大街9号北京理工科技大厦1402室 京ICP备2023014753号-2
技术支持和业务联系:info@testage.com.cn 电话:010-51297073

软件测试 | 领测国际ISTQBISTQB官网TMMiTMMi认证国际软件测试工程师认证领测软件测试网