Graphic explanation: hacking demonstrations (vulnerability warning, Black Bar Security Net)

Author: 佚名 (anonymous)
Source: www.myhack58.com (MYHACK58:6220069980)
Date: 2006-06-25
First, a simple "hacker" intrusion: TCP/IP sequence number prediction

TCP/IP sequence number prediction is the simplest "hacker" intrusion and also one of the biggest threats to system security. On a network, every computer has a unique IP address, and the target computer's IP address together with a unique sequence number is placed in every packet it transmits. In a TCP connection, the receiver accepts only packets that carry the correct IP address and the correct sequence number. Many security devices, such as routers, allow transmissions only from computers with certain IP addresses. A TCP/IP sequence number prediction intrusion exploits the way the network assigns addresses and exchanges packets in order to gain access to the network. In general, a "hacker" carries out a sequence number prediction attack in two steps:

First, obtain the server's IP address. The hacker usually does this by sniffing packets on the network, testing sequence numbers in turn, or connecting to the node with a web browser and reading the node's IP address in the status bar. Because the hacker knows that the other computers on the network have IP addresses close to the server's public IP address, he tries to simulate an IP number that lets him pass through the router and access the system as a network user. For example, if the system's IP address is 192.0.0.15, the hacker knows that up to 256 computers can be connected to a class C network and guesses the remaining values that can appear in the last byte of the address. The last byte of the IP address identifies the host on the network, while the two most significant bits of the high-order byte are set to indicate that the network is a class C network. Figure 1 shows how a hacker predicts the IP numbers of a class C network.

Figure 1: The "hacker" uses the server's IP address to guess the other network addresses

Second, after trying IP addresses on the network, the hacker starts monitoring the sequence numbers of the packets being transmitted. The hacker then tries to guess the next sequence number the server will generate and inserts himself between the server and the user. Because the hacker has the server's IP address, he can generate packets with the correct IP address and sequence number and so intercept the user's transmissions. Figure 2 shows how the hacker mimics the IP address and the packet sequence number to fool the server into trusting him as a legitimate network user.

Figure 2: The hacker simulates TCP/IP communication to fool the server

Once the hacker has gained system access through sequence number prediction, he can access any information the communicating system sends to the server, including key documents, login names, confidential data, or any other information transmitted over the Internet. Typically, a hacker uses sequence number prediction as preparation for an actual intrusion into the server, or as a base from which to intrude into related servers on the network.

Technique: defending against sequence number prediction intrusions

On your system, the simplest and most effective defence against a sequence number prediction intrusion is to make sure that your router, your firewall and every server on your system have full audit trail protection. With the audit trail function, you will be able to notice a "hacker" attempting to reach a server through the router and firewall. Your audit trail system can display entries of the following form, which of course depends on your operating system:

access denied. The IP address unknown

As the hacker repeatedly cycles through the possible sequence numbers, access denied entries appear one after another. Using the facilities available on your operating system, you can make the audit system trigger an automatic alarm once a certain number of access denied entries have been recorded in the event log.
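The alarm described above can be automated with a short script over the audit trail. The following Python script is an added example, not code from the original article; it assumes a constructed log format in which each denial line carries a timestamp and a src= field (real routers and firewalls use their own formats, so the regular expression and the threshold are assumptions to adapt).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit-trail excerpt (not from a real device). The format,
# including the src= field, is an assumption; adapt LINE_RE to your own logs.
SAMPLE_AUDIT_LOG = """\
2006-06-25 00:00:01 fw1 access denied. The IP address unknown src=198.51.100.23 dst=10.1.1.20
2006-06-25 00:00:03 fw1 access denied. The IP address unknown src=198.51.100.23 dst=10.1.1.20
2006-06-25 00:00:05 fw1 access denied. The IP address unknown src=198.51.100.23 dst=10.1.1.20
2006-06-25 00:00:08 fw1 access denied. The IP address unknown src=198.51.100.23 dst=10.1.1.20
2006-06-25 00:00:10 fw1 access denied. The IP address unknown src=203.0.113.7 dst=10.1.1.20
2006-06-25 00:00:11 fw1 access accepted src=10.1.1.5 dst=10.1.1.20
2006-06-25 00:00:12 fw1 access denied. The IP address unknown src=198.51.100.23 dst=10.1.1.20
2006-06-25 00:00:20 fw1 access denied. The IP address unknown src=198.51.100.23 dst=10.1.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ "
    r"access denied\. The IP address unknown .*?src=(?P<src>\S+)"
)


def parse_denials(text):
    """Yield (timestamp, source address) for every access-denied entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("src")


def alarms(text, threshold=5, window_seconds=60):
    """Return (source, timestamp) for each source that produced `threshold`
    denials within `window_seconds`. A sliding window per source means a slow
    trickle of unrelated denials never fires, while a burst of guesses does.
    The window is cleared after an alarm so one burst raises one alarm."""
    recent = defaultdict(deque)
    fired = []
    for ts, src in parse_denials(text):
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        q.append(ts)
        if len(q) >= threshold:
            fired.append((src, ts.strftime("%Y-%m-%d %H:%M:%S")))
            q.clear()
    return fired


if __name__ == "__main__":
    for src, when in alarms(SAMPLE_AUDIT_LOG):
        print(f"ALARM: {src} reached the denial threshold at {when}")
```

On the constructed sample, the source 198.51.100.23 reaches five denials within the window at 00:00:12 and raises one alarm; the single denial from 203.0.113.7 and the accepted entry are ignored. Counting per source rather than globally is what keeps a few legitimate mistyped addresses from drowning out a real guessing run.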

Second, the TCP protocol hijacking intrusion

Perhaps the biggest threat to servers connected to the Internet is the TCP hijacking intrusion, whose main function, as we know, is sniffing. Although the sequence number prediction intrusion and TCP hijacking have many similarities, the difference with TCP hijacking is that the hacker forces the network to accept his IP address as that of a trusted site in order to gain access, rather than continually guessing IP addresses until the correct one is found. The basic idea of TCP hijacking is that the hacker takes control of a computer connected to the target network, then takes it offline so that the network server mistakenly believes the hacker is the actual client. Figure 3 shows how a hacker carries out a TCP hijacking intrusion.

Figure 3: The hacker disconnects and impersonates the actual client to carry out a TCP hijacking intrusion

After successfully hijacking a trusted computer, the hacker replaces the IP address in every packet sent to the target machine with his own IP address and imitates its sequence numbers. Security experts call this sequence number disguise "IP spoofing": the hacker uses IP spoofing to simulate the trusted system's IP address on his own machine, and once he is impersonating the target computer he uses a clever method of sequence number imitation to become the server's communication target.

After carrying out a TCP hijacking intrusion it is easier for the hacker to carry out an IP spoofing intrusion, and TCP hijacking also lets the hacker get past one-time password challenge-response systems, such as shared password systems, and then compromise hosts with higher security. Getting through the password system also lets a hacker pass through one operating system rather than attacking his own system.

Finally, the TCP hijacking intrusion is more dangerous than IP spoofing, because after a successful TCP hijacking the hacker generally has greater access capability than after a successful IP spoofing intrusion. The hacker has greater access because he is intercepting an ongoing transaction, rather than simulating a computer to initiate a transaction.

Third, the sniffing intrusion

Passive intrusions using a sniffer occur frequently on the Internet, and such a passive sniffing intrusion is the first step a hacker takes before an actual hijacking or IP spoofing intrusion. To start a sniffer intrusion, the hacker needs the user's IP address and the legitimate user's password, and registers with the user's information on a distributed network. Once on the network, the hacker sniffs the transmitted packets and tries to get as much information as possible from the network.

Figure 4: How the hacker carries out a sniffing intrusion

To prevent sniffer intrusions on a distributed network, system administrators generally use one-time password systems or ticket authentication schemes such as Kerberos. For example, some one-time password systems give the user the password for the next login each time he logs out. Although one-time password systems and Kerberos schemes make it harder for a hacker to sniff passwords on an unsecured network, if the data stream itself is neither encrypted nor signed it still faces the risk of an actual intrusion. Figure 4 shows how a hacker carries out a passive sniffer intrusion.

The following describes an actual TCP intrusion in which the hacker redirects the TCP stream to his own machine. By redirecting the TCP stream, the hacker can get past the protection provided by a one-time password system or a ticket authentication system, so any TCP connection becomes very fragile to anyone on the connection path who has a TCP packet sniffer and a TCP packet generator. Later you will see that a TCP packet passes through many systems before it reaches the destination system; in other words, as long as the hacker has a well-placed sniffer and generator, he can access any packet, including the packets you upload to the Internet.

Later in this chapter we describe some schemes you can use to detect an actual intrusion and some methods you can use to defend against it. Hackers can use the simplest methods in this chapter to intrude into host systems on the Internet, and an active desynchronization attack requires no more resources than a passive sniffing intrusion.

Fourth, the active desynchronization intrusion

A TCP connection requires synchronized packet exchange; in fact, if for some reason a packet's sequence number is not the one the receiver expects, the receiver discards it and waits for the packet with the correct sequence number. Hackers can exploit TCP's requirement for sequence numbers to intercept connections.

The following describes the desynchronization intrusion. To attack a system, the hacker either tricks or forces both parties to abort the TCP connection and enter a desynchronized state, so that the two systems can no longer exchange any data. The hacker then uses a third-party host, in other words another computer connected to the physical medium that carries the TCP packets, to intercept the actual data packets and to create replacement packets acceptable to the two computers that were originally connected. The third party generates data that mimics the packets the connected systems should have exchanged.

1. Post-desynchronization hijacking intrusion

Assume for the moment that the hacker can eavesdrop on any packet exchanged between the two systems forming the TCP connection, and that after intercepting the packets the hacker can forge any IP packet he wants to replace the original. The forged packets let the hacker impersonate the client or the server, or even impersonate both the client and the server at once. If the hacker can make these assumptions a reality, then he can in effect redirect the messages transmitted between the client and the server, i.e. from the client to the hacker and from the server to the hacker.

Later in this part you will learn some techniques a hacker can use to desynchronize a TCP connection. For now, assume that the hacker has already desynchronized the TCP connection, and that the client sends a packet whose header contains the following fields:

SEG_SEQ = CLT_SEQ
SEG_ACK = CLT_ACK

In the first header field, SEG_SEQ = CLT_SEQ, the packet's sequence number is the next sequence number in the client's series (SEG stands for the data segment); in the second, SEG_ACK = CLT_ACK, the packet's acknowledgment value is set to the client's next acknowledgment value. Because the hacker has desynchronized the TCP connection, the client's packet sequence number CLT_SEQ is not equal to the sequence number the server expects, so the server does not accept the data and discards the packet; the hacker copies the packet the server discarded, as shown in Figure 5.

Figure 5: The hacker copies the packet the server discards

Shortly after the server discards the packet, the hacker sends the same packet the client sent, changing only the SEG_SEQ and SEG_ACK values and the packet's checksum, so that the header fields become:

SEG_SEQ = SVR_ACK
SEG_ACK = SVR_SEQ

Because the sequence number in the header, SEG_SEQ, is now equal to the correct value SVR_ACK, the server accepts the header fields, accepts the packet and processes the data. Meanwhile the original client keeps transmitting packets, numbered on the basis of the packets it has already sent but the server has discarded.

If you define the variable CLT_TO_SVR_OFFSET as SVR_ACK minus CLT_SEQ, i.e. the difference between the sequence number the server expects and the client's actual sequence number, and SVR_TO_CLT_OFFSET as CLT_ACK minus SVR_SEQ, then the hacker must rewrite every TCP packet the client sends to the server so that its SEG_SEQ and SEG_ACK take the following values, as shown in Figure 6:

Figure 6: Intercepting a legitimate connection

SEG_SEQ = SEG_SEQ + CLT_TO_SVR_OFFSET
SEG_ACK = SEG_ACK - SVR_TO_CLT_OFFSET

Because all transmissions pass through the hacker, he can add any data to the transport stream or delete any data from it. For example, if the connection is a remote login using Telnet, the hacker can add any command on the user's behalf; the Unix command echo jamsa.com generates a list of all the hosts on the network connected to the jamsa.com server, and Figure 7 shows an example of the hacker issuing that command.

Figure 7: The hacker adds a command to a packet in transit

When the server receives the packet, it responds to both the data the hacker requested and the data the client requested. Before the server's response reaches the client, the hacker can discard or remove the server's response to his command, so the user does not notice anything, as shown in Figure 8.

Figure 8: The hacker removes the information he requested from the server's packets

The following section describes the TCP ACK storm, which occurs while the hacker keeps up his disguise during a post-desynchronization hijacking intrusion.

2. TCP ACK storm

The post-desynchronization hijacking intrusion described in the previous section has a basic drawback: it generates a large number of TCP ACK packets, which network experts call a TCP ACK storm. When a host, whether client or server, receives an unacceptable packet, it sends an acknowledgment carrying the sequence number it expects, to confirm that it could not receive the packet. In the active TCP intrusion described above, the first TCP ACK packet contains the server's sequence number; the client, which never sent the request that changed the packet, does not accept this acknowledgment packet. So the client generates its own acknowledgment packet, which in turn forces the server to generate another acknowledgment packet, and the cycle repeats; in theory every transmitted data packet produces an endless loop, as shown in Figure 9.

Figure 9: The storm cycle generated by the intrusion

Because acknowledgment packets carry no data, if the receiver loses one, the sender of the ACK does not retransmit it. In other words, if a machine in the ACK storm loop drops a packet, the cycle ends. Fortunately, as you learned earlier, TCP runs over IP, an unreliable network layer with a non-zero packet loss rate, so the cycle ends quickly. Moreover, the more packets the network drops, the shorter the ACK storm lasts. In addition, the ACK cycle is self-regulating: in other words, the more loops the hacker generates, the more traffic flows between the client and the server, which in turn increases congestion. Congestion drops packets, and that ends more of the cycles.

A loop is created each time the client or the server sends data on the TCP connection. If neither the client nor the server sends data, the TCP connection produces no loop. If the client and the server send data and the hacker does not acknowledge it, the sender retransmits the data; after each retransmission the TCP connection creates another storm, and finally both sides give up the connection, because neither the client nor the server is sending ACK packets. If the hacker acknowledges the transmitted data, the TCP connection produces only one storm. In practice, because of the network load, the hacker often misses data packets and so acknowledges only the first retransmission, meaning that every transmission by the hacker during the intrusion generates at least one ACK storm.
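To see why the storm is self-limiting, as the two paragraphs above argue, the following Python model is an added example and not code from the article. Two minimal endpoints apply the TCP rule that a segment with an unexpected sequence number is answered with a pure ACK carrying the receiver's own SND.NXT and RCV.NXT, and a link drops every n-th segment. The sequence numbers are constructed; the model ignores windows, retransmission timers and checksums.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    ack: int
    payload: bytes = b""


@dataclass
class Endpoint:
    """Minimal TCP endpoint state: SND.NXT / RCV.NXT only (constructed model)."""
    name: str
    snd_nxt: int
    rcv_nxt: int
    received: bytes = b""
    acks_sent: int = 0

    def send(self, payload):
        seg = Segment(self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt += len(payload)
        return seg

    def receive(self, seg):
        """Return the segment sent in reply, or None if nothing needs to be sent."""
        if seg.seq == self.rcv_nxt:
            # In-sequence segment: accept the data; ACK only if data arrived.
            self.rcv_nxt += len(seg.payload)
            self.received += seg.payload
            if not seg.payload:
                return None
            self.acks_sent += 1
            return Segment(self.snd_nxt, self.rcv_nxt)
        # Unacceptable segment (wrong sequence number): reply with a pure ACK
        # stating our SND.NXT/RCV.NXT, as RFC 793 requires. This is the step
        # that feeds the ACK storm when the other side is also out of sync.
        self.acks_sent += 1
        return Segment(self.snd_nxt, self.rcv_nxt)


def run(a, b, first, max_segments=50, drop_every=0):
    """Bounce segments between a and b until one side has nothing to send,
    a segment is lost on the link, or max_segments is reached.
    Returns the number of segments put on the link."""
    sender, receiver, seg, sent = a, b, first, 0
    while seg is not None and sent < max_segments:
        sent += 1
        if drop_every and sent % drop_every == 0:
            return sent  # a lost pure ACK is never retransmitted: the loop ends
        seg = receiver.receive(seg)
        sender, receiver = receiver, sender
    return sent


def scenario(desynchronized, drop_every=0, max_segments=50):
    """The client types one byte. In the synchronized case both sides agree on
    sequence numbers; in the desynchronized case the server's view of the
    client (rcv_nxt) and its own seq have moved on (constructed values)."""
    client = Endpoint("client", snd_nxt=1003, rcv_nxt=5014)
    if desynchronized:
        server = Endpoint("server", snd_nxt=5230, rcv_nxt=1150)
    else:
        server = Endpoint("server", snd_nxt=5014, rcv_nxt=1003)
    segments = run(client, server, client.send(b"l"), max_segments, drop_every)
    return {"segments": segments, "server_received": server.received,
            "acks": client.acks_sent + server.acks_sent}


if __name__ == "__main__":
    print("synchronized:", scenario(False))
    print("desynchronized, no loss:", scenario(True))
    print("desynchronized, 1-in-10 loss:", scenario(True, drop_every=10))
```

In the synchronized case one data byte costs two segments and one ACK. In the desynchronized case the server never accepts the byte, each side keeps answering the other's unacceptable segment with a pure ACK until the cap is reached, and a single dropped segment ends the exchange at once, which is exactly the self-regulating behaviour described above.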


3. Early desynchronization intrusion

Earlier you learned about the post-desynchronization TCP hijacking intrusion, which takes place after the connection between the client and the server has been established. Unlike that intrusion, the early desynchronization intrusion breaks the connection between the client and the server while it is being established, not after it has been established or completed. The early desynchronization intrusion breaks the connection on the server side; after breaking it, the hacker creates a new connection with a different sequence number. The intrusion works as follows.

(1) In phase 2 of connection establishment, the hacker eavesdrops on the SYN/ACK packet the server sends to the client, as shown in Figure 10.

Figure 10: The server sends an ACK packet to the client

(2) When the hacker detects the SYN/ACK packet, he sends the server an RST (reset) packet, followed by a SYN packet with the same parameters as the server's SYN/ACK packet. However, the hacker's request carries a different sequence number. You can regard this as the intruder's acknowledgment packet (ATK_ACK_0), as shown in Figure 11.

Figure 11: The hacker sends two packets to the server

(3) When the server receives the RST packet it closes the first connection, and when it receives the SYN packet it opens a new connection on the same port, but with a different sequence number; the server then sends a SYN/ACK packet back to the original user.

(4) The hacker intercepts the SYN/ACK packet and sends the server his own ACK packet, whereupon the server switches into the synchronized, established state, as shown in Figure 12.

Figure 12: The hacker intercepts the packet and establishes synchronization

When the client receives the first SYN/ACK packet from the server, it switches into the ESTABLISHED state. The hacker's success depends on choosing the correct value for CLT_TO_SVR_OFFSET; choosing the wrong value makes both the client's packets and the hacker's packets unacceptable, which may produce unexpected results, including termination of the connection.

4. Null data desynchronization intrusion

In the previous section you saw how a hacker can intercept a TCP connection in its early stages to carry out an early desynchronization intrusion. To desynchronize a TCP connection, a hacker can also carry out a null data desynchronization intrusion. Null data is data that does not affect the server in any way and does not change the TCP acknowledgment number; the hacker carries out a null data intrusion by sending large amounts of null data to the server and the client at the same time.

The data the hacker sends is not visible to the client. Instead, the null data forces the TCP session between the two computers into the desynchronized state, because the sheer quantity of null data interferes with each computer's ability to maintain the TCP connection.

5. Telnet session intrusion

The previous sections described the various intrusions a hacker can carry out on an existing or newly started TCP connection. However, the hacker can also intervene in almost any network communication. For example, a hacker can use the following interception scheme on a TELNET session:

(1) Before the intrusion, the hacker usually first observes the transmissions on the network without intervening.

(2) At the appropriate time, the hacker sends the server a large quantity of null data. To intercept a TELNET session, the hacker sends an extended sequence of IAC NOP IAC NOP bytes, ATK_SVR_OFFSET bytes in total. The TELNET protocol defines the NOP command as a "no operation", in other words, do nothing and ignore this pair of bytes. Because of this no-operation, the server's TELNET daemon interprets each pair as empty and removes it from the data stream. However, receiving this extended stream of null data disrupts the work of the ongoing TELNET session; at this step the server has received the following:

SVR_ACK = CLT_SEQ+ATK_SVR_OFFSET

(3) Having received the hacker's data, the server now has a desynchronized TELNET connection.

(4) To force the client into the desynchronized state as well, the hacker carries out the same steps against the client, as shown in Figure 13.

Figure 13: How the hacker sends null data to the client and the server

(5) To complete the TELNET session intrusion, the hacker carries out the steps described in the previous sections until he has become the TELNET session's connection broker, as shown in Figure 14.

Figure 14

The hacker can use the five steps described above to intercept a TELNET session only if the session can transmit null data bytes. Even so, it is still difficult for the hacker to choose the right moment to send the null data. If the timing is wrong, the intrusion is very likely to destroy the Telnet session, or to interfere with the session without giving the hacker control of it. When you take part in a TELNET session, unexpected results indicate that a hacker is intercepting the session.

6. More on the ACK storm

In a TCP connection, almost every packet that has the ACK flag set and carries no data is acknowledging a packet that was not received. On any network, and especially in INTERNET communications, large numbers of such transfers occur, and during the various intrusions described above many more occur. The number of these transfers depends on the network load and produces a storm on the hacked host; a server log can contain 300 or more such empty packets. In particular, during an actual intrusion each transmitted data packet may generate 10 to 30 empty ACK packets.

7. Detection and its side effects

You can use the various defects of the ACK intrusion to detect it. This section describes three detection methods, but remember that there are other methods as well.

Detecting the desynchronized state. By examining TCP packets you can observe the sequence numbers on both sides of the connection, and from the sequence numbers you can determine whether the connection is in the desynchronized state. However, this works only if you can assume that the hacker does not change the sequence numbers while you are reading the packets; this is generally a safe assumption.

ACK storm detection: statistics of TCP traffic on some local Ethernets show that before an intrusion the proportion of TELNET packets carrying no data is one third, and during an intrusion it is 1/300 of all packets.

Packet percentage count: you can monitor the state of the connection by counting packet percentages. Comparing the packet percentages during an intrusion with the percentages for ordinary data packets can alert you to a desynchronization intrusion. Table 1 shows the number of data packets and ACK packets per minute on an ordinary connection.

Table 1: Packets and ACK packets transmitted per minute on an ordinary connection

Packet type         Local Ethernet   Transmission
Total TCP           80-100           1400
Total ACK           25-75            500
Total Telnet        10-20            1400
Total Telnet ACK    5-10             45

These are the numbers of TCP packets and ACK packets on a local Ethernet. On a conventional connection the percentage of TELNET ACK packets is generally stable at about 45%, because a Telnet session is interactive: the server must respond to and acknowledge every letter the user types. This is in fact the reason the Telnet packet count is stable. In a TELNET session, to limit the effect of packet loss, each packet usually contains only one letter or one line of text, so the amount of data exchanged is small. The TELNET data stream to a remote Ethernet is the same. Because of its high data load, the receiving host may lose some packets.

In contrast, during a hacker's intrusion the ratio of real data packets to ACK packets changes. Table 2 shows the packet counts during an intrusion.

Table 2: ACK packet counts during an intrusion

Packet type         Local connection
Total Telnet        80-400
Total Telnet ACK    75-400

In Table 2, a local connection is a communication session with a host only a few IP hops from the client. The round trip delay (RTD) of the session is about 3 milliseconds; for example, the session may span a client and a host separated by four local area servers. As you can see, the change in the packet counts during an intrusion is very apparent. Even where the change is relatively minor, the ACK count and the total packet count are almost the same, meaning that the traffic consists of acknowledgment packets and hardly contains any data packets.
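The three checks of this section, sequence number consistency between the two sides, the share of no-data ACK packets, and the packet ratio of Tables 1 and 2, can be run over a packet trace. The following Python script is an added example and not code from the article; the two traces are constructed, with relative sequence numbers modelled on the notation used above (CLT_SEQ, SVR_ACK), and the 0.8 threshold is an assumption to tune against your own baseline.

```python
from collections import namedtuple

# One record per TCP segment seen on the wire (constructed, not a real capture).
Packet = namedtuple("Packet", "src dst flags seq ack payload_len")


def pkt(src, dst, flags, seq, ack, n=0):
    return Packet(src, dst, flags, seq, ack, n)


# Healthy interactive Telnet exchange: the client types characters, the server
# echoes them, and the client acknowledges the echo (relative sequence numbers).
NORMAL_TRACE = [
    pkt("client", "server", "PA", 1000, 5000, 1),
    pkt("server", "client", "PA", 5000, 1001, 1),
    pkt("client", "server", "A", 1001, 5001),
    pkt("client", "server", "PA", 1001, 5001, 1),
    pkt("server", "client", "PA", 5001, 1002, 1),
    pkt("client", "server", "A", 1002, 5002),
    pkt("client", "server", "PA", 1002, 5002, 1),
    pkt("server", "client", "PA", 5002, 1003, 12),
    pkt("client", "server", "A", 1003, 5014),
]

# Desynchronized connection: the server now expects client byte 1150 and is
# itself at 5230, but the real client is still at 1004/5014. Every segment is
# rejected and answered with a pure ACK, so the two sides loop (ACK storm).
STORM_TRACE = [pkt("client", "server", "PA", 1003, 5014, 1)]
for _ in range(5):
    STORM_TRACE.append(pkt("server", "client", "A", 5230, 1150))
    STORM_TRACE.append(pkt("client", "server", "A", 1004, 5014))


def ack_only_fraction(packets):
    """Share of segments that carry only an ACK: no payload, no SYN/FIN/RST."""
    if not packets:
        return 0.0
    pure = sum(1 for p in packets
               if "A" in p.flags and p.payload_len == 0
               and not any(f in p.flags for f in "SFR"))
    return pure / len(packets)


def sequence_offsets(packets):
    """Per direction, the peer's latest ACK minus the sender's latest SND.NXT.
    Zero or negative just means data in flight; a positive value means the
    peer acknowledges bytes the sender never sent, the CLT_TO_SVR_OFFSET
    signature of a desynchronized connection."""
    next_seq, latest_ack = {}, {}
    for p in packets:
        d = (p.src, p.dst)
        next_seq[d] = p.seq + p.payload_len + ("S" in p.flags) + ("F" in p.flags)
        if "A" in p.flags:
            latest_ack[d] = p.ack
    return {(a, b): latest_ack[(b, a)] - nxt
            for (a, b), nxt in next_seq.items() if (b, a) in latest_ack}


def classify(packets, ack_threshold=0.8):
    """Return the list of findings for a trace; an empty list means nothing suspicious."""
    findings = []
    if ack_only_fraction(packets) > ack_threshold:
        findings.append("ack_storm")
    for (src, dst), off in sorted(sequence_offsets(packets).items()):
        if off > 0:
            findings.append(f"desync:{src}->{dst}:offset={off}")
    return findings


if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("storm", STORM_TRACE)):
        print(name, round(ack_only_fraction(trace), 3), classify(trace))
```

On the healthy trace one third of the segments are pure ACKs, matching the one-third figure quoted above, and both offsets are zero. On the storm trace more than 90% of segments are pure ACKs and the server acknowledges 146 bytes beyond what the client has sent, which is the desynchronized state the first check looks for; only a positive offset is reported, because a negative one is indistinguishable from unacknowledged data still in flight.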


Fifth, another sniffing intrusion: the spoofing intrusion

You have learned the basics of the actual sniffing intrusion, including some of its components. This section describes the spoofing intrusion in detail. The hacker uses the client's IP address as the source address and sends the server a SYN packet to initiate the call. The address the hacker sends MUST be that of a trusted host. The server acknowledges the SYN packet with a SYN/ACK packet, which contains the following line:

SEG_SEQ = SVR_SEQ_O

The hacker can then acknowledge the server's SYN/ACK packet with his own packet. The hacker's packet contains his guess of the value of the sequence number SVR_SEQ_O. If the guess succeeds, the hacker does not have to sniff the client's packets, because he can predict SVR_SEQ_O and acknowledge it.

1. The two major drawbacks of the spoofing intrusion

(1) The client the hacker impersonates receives the SYN/ACK packet from the server and sends back an RST (reset) packet, because from the client's point of view the call does not exist. The hacker may be able to prevent the client from generating the reset packet by carrying out the intrusion when the client is not on the network, or by overflowing the client's TCP queue so that the client loses the packets the server sends to it.

(2) The hacker cannot obtain data from the server, but he can send enough data to harm the host.

2. Differences between the spoofing intrusion and the post-desynchronization hijacking intrusion

The spoofing intrusion differs from the post-desynchronization hijacking intrusion you learned about earlier in four ways:

(1) The post-desynchronization hijacking intrusion lets the hacker carry out and control the connection's authentication stage, whereas the spoofing intrusion relies on the trusted-host identification scheme.

(2) The post-desynchronization hijacking intrusion gives the hacker great access to the TCP stream. In other words, the hacker can both send and receive data, whereas the spoofing intrusion can only send data.

(3) The post-desynchronization hijacking intrusion uses an Ethernet sniffer to predict or obtain SVR_SEQ_O.

(4) The hacker can use the post-desynchronization hijacking intrusion to attack any type of host. Because the spoofing intrusion relies on the UNIX trusted-host model, it can only be used against UNIX hosts.

However, if the client is offline or cannot receive the RST reset packet, the hacker can use the spoofing intrusion to establish a full TCP connection to the server. The hacker then sends data on the client's behalf. Of course, the hacker must get past the authentication obstacle; if the system uses trusted-host authentication, the hacker will have full access to the host's services.

Although a system analyst can easily confirm a post-desynchronization hijacking intrusion when the hacker attacks a LAN, on remote, low-bandwidth, low-latency networks the post-desynchronization hijacking intrusion is very effective. And, as you know, the hacker can carry out the post-desynchronization hijacking intrusion with the same resources as the passive sniffing intrusion, which often occurs on the INTERNET. The advantage of both intrusions, from the hacker's point of view, is that users do not notice them. Being invisible to users is very important: as intrusions into INTERNET hosts become more and more frequent and network security becomes a concern, secrecy of action becomes an important factor in hacking.