What attack methods do hackers use?

(1) Common methods used by hackers

1. Network scanning - conducting extensive searches on the Internet to find weaknesses in specific computers or software.

2. Network sniffing program - secretly viewing data packets passing through the Internet to capture passwords or entire contents. By installing a listener program to monitor the network data flow, the attacker obtains the user names and passwords that users enter when connecting to the network system.

3. Denial of service - By repeatedly sending too many information requests to a website's equipment, hackers can effectively clog the system on the site, preventing the completion of the intended network services (such as e-mail system or online functionality), known as a "denial of service" problem.

4. Deceive users - forging email addresses or Web page addresses to obtain passwords, credit card numbers, etc. from users. Spoofing is the process of tricking a target system into believing that information is coming from, or being sent to, a party it trusts. Spoofing can occur at the IP layer and above (address resolution spoofing, IP source address spoofing, email spoofing, etc.). A host's IP address is assumed to be valid and is trusted by TCP and UDP services, so by using IP source routing an attacker's host can be disguised as a trusted host or client.

5. Trojan horse - a program that is invisible to the user and contains instructions that can exploit known weaknesses in some software.

6. Backdoor - to prevent the original entry point from being detected, the attacker leaves several hidden paths to facilitate re-entry.

7. Malicious applets - tiny programs that modify files on the hard drive, send false emails or steal passwords.

8. War dialer - can automatically dial thousands of phone numbers to find a path in through a modem connection. A logic bomb is an instruction in a computer program that triggers a malicious operation.

9. Buffer overflow - sending too much data to the computer memory buffer to destroy the computer control system or gain control of the computer.

10. Password deciphering - using software to guess passwords. A common approach is to crack the encrypted form of the password by monitoring the password packets on the communication channel.

11. Social engineering - talking to company employees to extract valuable information.

12. Dumpster diving - carefully going through the company's trash to find information that can help get into the company's computers.

(2) Hacking methods:

1. Hide the location of the hacker

Typical hackers will use the following techniques to hide their real IP addresses:

Use a compromised host as a springboard;

Use the WinGate software on a Windows computer as a springboard; use an improperly configured proxy as a springboard.

More sophisticated hackers use call redirection techniques to hide themselves. Their common methods include: using the private transfer service of the 800 number to connect to the ISP, and then stealing other people's accounts to access the Internet; connecting to a host through the phone, and then accessing the Internet through the host.

Using this "triple jump" method on the telephone network to enter the Internet is particularly difficult to track. In theory, hackers could come from anywhere in the world. If a hacker uses an 800 number to dial up the Internet, he doesn't have to worry about Internet access charges.

2. Network detection and data collection

Hackers use the following methods to learn the host names located on the internal and external networks.

Use the ls command of the nslookup program;

Find other hosts by visiting the company homepage;

Read the documentation on the FTP server;

Connect to the mail server and send an EXPN request;

Finger user names on external hosts.

Before looking for vulnerabilities, hackers will try to collect enough information to outline the layout of the entire network. Using the information obtained from the above operations, hackers can easily list all hosts and guess the relationship between them.

3. Find trusted hosts

Hackers always look for trusted hosts.

These hosts may be machines used by administrators, or servers that are considered secure.

As a first step, the hacker checks the NFS exports of all hosts running nfsd or mountd. Often some key directories of these hosts (such as /usr/bin, /etc and /home) can be mounted by the trusted host.
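A defender can audit the same exposure first. The following added example (not part of the original article) parses text in /etc/exports format and flags the key directories named above when they are exported to any host or read-write; the sample export lines and the finding wording are constructed for illustration.

```python
KEY_DIRS = ("/usr/bin", "/etc", "/home")  # the key directories named in the text

# Constructed sample in /etc/exports format (not taken from a real host).
SAMPLE_EXPORTS = """\
# constructed example
/home        *(rw,no_root_squash)
/usr/bin     192.0.2.10(ro) build.example.com(rw)
/srv/pub     *(ro)
/etc         (rw)
/var/backup  192.0.2.0/24(ro,root_squash)
"""

def parse_exports(text):
    """Yield (path, client, options) for every client entry on every line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for entry in clients:
            host, _, opts = entry.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            # An entry such as "(rw)" has no host part: it applies to any client.
            yield path, host or "*", options

def audit(text):
    """Return (path, client, reason) findings for risky exports."""
    findings = []
    for path, host, options in parse_exports(text):
        key = any(path == d or path.startswith(d + "/") for d in KEY_DIRS)
        if key and host == "*":
            findings.append((path, host, "key directory exported to any host"))
        if key and "rw" in options:
            findings.append((path, host, "key directory exported read-write"))
        if "no_root_squash" in options:
            findings.append((path, host, "remote root is not squashed"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding, sep="  ")
```

The check only treats a bare `*` or an empty host as "any host"; wildcard patterns and netgroups need their own review.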

The Finger daemon can also be used to find trusted hosts and users, because users often log in from a specific host.

Hackers also check for other kinds of trust relationships. For example, a hacker can exploit CGI vulnerabilities, read the /etc/hosts.allow file, etc.

After analyzing the results of the above checks, the hacker has a general understanding of the trust relationships between hosts. The next step is to detect which of these trusted hosts have vulnerabilities and can be remotely invaded.

4. Find vulnerable network members

When a hacker obtains the list of internal and external hosts in the company, he can use some Linux scanner programs to find vulnerabilities in these hosts. Hackers generally look for Linux hosts with fast network speeds to run these scanners.

All these scanners perform the following checks:

TCP port scan;

RPC service list;

NFS export list;

Share list (such as Samba, NetBIOS);

Default account check;

Detection of defective versions of Sendmail, IMAP, POP3, RPC status and RPC mountd.

After conducting these scans, hackers will have a good idea of which hosts are vulnerable.

If the router is compatible with the SNMP protocol, experienced hackers will also try aggressive SNMP scanners, or use "brute force" programs to guess the public and private community strings of these devices.
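The TCP port scan at the head of that list leaves a recognisable trace: one source touching many different ports on one target in a short time. The following added example (not part of the original article) detects that pattern; the log format, addresses, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed tuning value
THRESHOLD = 15                  # distinct ports per source/target pair (assumed)

def sample_log():
    """Constructed records: 'ISO-time src dst dport action'."""
    base = datetime(2024, 1, 1, 3, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(i)} 203.0.113.5 192.0.2.20 {20 + i} DENY" for i in range(30)]
    lines += [f"{stamp(10 * i)} 198.51.100.7 192.0.2.20 443 ALLOW" for i in range(30)]
    lines += [f"{stamp(5 * i)} 198.51.100.9 192.0.2.20 {p} ALLOW"
              for i, p in enumerate((22, 80, 443))]
    return lines

def parse(line):
    ts, src, dst, dport, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def detect_port_scans(lines):
    """Return {(src, dst): most distinct ports seen inside any WINDOW}
    for every pair that reaches THRESHOLD."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse(line)
        events[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            best = max(best, len({port for _, port in evs[start:end + 1]}))
        if best >= THRESHOLD:
            alerts[pair] = best
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(sample_log()).items():
        print(f"possible port scan: {src} -> {dst}, {ports} ports within {WINDOW}")
```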

5. Exploiting vulnerabilities

Now, hackers have found all trusted external hosts and have also found all possible vulnerabilities in external hosts. The next step is to start hacking into the host.

The hacker will choose a trusted external host to try. Once successfully penetrated, the hacker will start from here and try to enter the company's internal network. However, the success of this method depends on the filtering strategy between the company's internal host and the external host. When attacking an external host, a hacker usually runs a program and uses a vulnerable daemon running on the external host to steal control. Vulnerable daemons include vulnerable versions of Sendmail, IMAP, and POP3, as well as RPC services such as statd, mountd, pcnfsd, etc. Sometimes, those attacking programs must be compiled on the same platform as the host being attacked.

6. Gain control

Hackers will do two things after using the daemon vulnerability to enter the system: clear records and leave a backdoor.

He will install some backdoor programs so that he can re-enter the system without being noticed in the future. Most backdoor programs are pre-compiled, and you only need to find a way to modify the time and permissions before they can be used. Even the size of the new file is the same as the original file. Hackers generally use rcp to transfer these files so as not to leave FTP records.

Once they confirm that they are safe, the hackers begin to invade the company's entire intranet.

7. Steal network resources and privileges

After the hacker finds the attack target, he will continue the next attack. The steps are as follows:

(1) Download sensitive information

If the hacker's purpose is to download sensitive information from an organization's internal FTP or WWW server, he can easily obtain this information by using an external host that has been compromised.

(2) Attack other trusted hosts and networks

Most hackers only want to detect hosts on the internal network and gain control. Only those "ambitious" hackers will, in order to control the entire network, install Trojan horses and backdoors and clear records.

Hackers who wish to download data from critical servers are often not satisfied with just one way of gaining access to critical servers. They will go to great lengths to find hosts trusted by key servers and arrange several backup channels.

(3) Install sniffers

On the intranet, the most effective way for hackers to quickly obtain a large number of accounts (including user names and passwords) is to use the "sniffer" program.

Hackers will use the methods mentioned in the above sections to gain control of the system and leave a backdoor for re-intrusion to ensure that the sniffer can be executed.

(4) Paralyze the network

If a hacker has invaded the server running key applications such as databases and network operating systems, it is easy to paralyze the network for a period of time.

If a hacker has entered the company's intranet, he can exploit the weaknesses of many routers to restart or even shut down the router. If they can find the vulnerabilities in the most critical routers, they can completely paralyze the company's network for a period of time.