How to carry out network attacks on the intranet?

1. Regarding the IP Spoofing attack, if the source IP of the packet is constructed by itself, how should this packet be sent out of the gateway? Because the source IP may not be in the gateway subnet.

The main network foundation is not very solid. The routing of IP packets on the network only uses the destination IP to query the routing table, and then decide which interface direction to continue to drive. Many routers do not look at the source IP at all, and attackers who forge the source IP will not expect the returned message to return the same way, which is impossible. It is impossible to think about it. As this type of attack has become more widespread, routers from some manufacturers have added a security feature. Before doing routing and forwarding, first check whether the source IP is legal. This is usually the easiest to check on the Internet ingress router. After all, the user's IP is assigned by himself, and it is clear that he is not legal. This security feature is called "IP Unicast Reverse Path Check" and it needs to be pointed out that not all routers support RPC.

2. Regarding message interception, if A sends a message to B, and then the hacker wants to intercept it, what should I do? Because the hacker and A and B may not be in the same subnet, it is also difficult for him to control the operator's router.

Attackers often start from both ends of the communication, client, wireless network, wireless router, domain name resolution hijacking, server side.

3. Are ACL, firewall and NAT all on one device? Are ACL and firewall equivalent?

Generally speaking, the firewall simultaneously serves these three functions. The basic job of the firewall is ACL. ACL is like a fishing net, filtering only trusted small fish (IP packets) to the internal network, and rejecting unknown fish from the outside. Usually a session, except the first message is processed by CPU software, all subsequent messages are processed by hardware chip, so the forwarding performance of hardware firewall is several orders of magnitude faster than pure broken software firewall. In general, firewalls are mainly used for three or four layers of filtering, but also for seven layers of inspection and filtering, but mainly concentrated on three or four layers. The focus on doing a seven-layer firewall is called WAF (Web Application Firewall). The firewall's way of thinking about protecting the network is like a stern old father who locked his loved daughter in his boudoir while standing at the door guarding him. If the boyfriend who loves the girl comes to let go, if there are not strangers, drive away with a stick. This kind of pedantic protection method is effective in certain historical periods. But then there were more and more smart people. Since they can't get in through the door, can't they climb in through the window? Or mix it in a box! The old father opened the door, and his daughter was bullied by a stranger. . .

Afterwards, the old father realized that the best way to protect his loved daughter was to teach her daughter how to walk the world. Her daughter could resist any invasion from foreign enemies. The daughter here refers to the server and host on the network, and the iron needs to be hard. It is the safest way to upgrade the server to the safest version and leave no security holes.

4. Now that computers are basically in the intranet, how do hackers generally cross the firewall to control users' computers? Is the virus first in the user's computer?

Often, some ports of the host are open by default, such as port 139/445, and even these ports can be directly accessed from the Internet, and the programs that serve these ports have bugs. The cyber attacker has thoroughly studied these BUGs in the laboratory, and used scripts to simulate the "attack message" and the target server processed it. The attacker can then send RPC commands to force the target server to download the attacker's software and install it to obtain files System read and write permissions, use RSA public key to encrypt files, and then save. This is the ransomware virus that broke out in the past few years. Only the RSA private key of the attacker can open these encrypted files. These viruses, once local operations are completed, will use the same method to attack other hosts in the broadcast domain, and even try to attack hosts in the entire LAN. As long as the SMB 445 port is open and has a bug, it can be completely compromised soon. Is it useful for firewall to isolate port 445? it works! But in case the virus has already entered the LAN through other methods, such as file download, email attachment, U disk, and the isolation port is too late, upgrading software to fix bugs is a once and for all method!

5. Is there any practical use of quantum cryptography now?

Quantum cryptography is in its infancy, and in response to quantum decryption encryption algorithms have emerged, quantum computing will only make the Internet more secure, not the other way around!

6. What organizations does CA have, what are the public and private keys, and where are they placed?

You are going to meet with Tony Ma to discuss business. After meeting, Tony takes out a business card and introduces himself to you that he is Tony. Do you believe it or not? Believe it or not, it is blind. In order to overcome this trust problem, a third-party guarantor was introduced. Fortunately, you and Tony both know and trust Jack Ma. When I met, Jack introduced you on the spot, this is the famous Comrade Tony Ma, I hope you have a happy cooperation! At this time, you must no longer have any doubts about Tony's true identity, unless Jack is a liar! The "third party guarantor" in the above is the CA (Certificate Authority) to prove the true identity of the server in https communication! The world is very big, there are more and more occasions where Jack is needed to provide trust guarantees. Jack ca n’t do it anyway, so Jack has developed N-offline, which also has a nice name RA (Registration Authority), by These offline to provide customers with guarantee services! If Jack is a top-level guarantor, or a root-level guarantor (Root CA), or a first-level guarantor. Then Jack's downline is a second-level guarantor, or a second-level certificate authority.

• Level 1 Guarantor (Root CA)

Have your own private key and public key, use your own private key to sign your own public key, and generate a self-signed certificate. Where to put this self-signed certificate? Negotiate with major operating systems around the world to install the self-signed certificate into the operating system in advance. What about the private key? Lock in the safe!

• Second Level Guarantor (RA)

Before the private key of the first-level guarantor is locked into the safe, it is necessary to sign N offline public keys, namely the second-level certificate, and the second-level certificate is placed on the company website. The private key of the second-level guarantor is stored on a highly secure host, protected by N firewalls.

• Client certificate

The large knowledge sharing platform knows "zhihu.com", in order to let the second-level guarantor provide identity guarantee for itself, it does this: knowing that it has generated its own private key and public key, and then its own public key and domain name Key information such as ".com" is uploaded to the RA. After the RA is approved, the key information such as the public key and the domain name "zhihu.com" known to be uploaded is signed with its own private key. After the signature, it becomes a client certificate. Then, if you know, you can hold this certificate to prove yourself. Usually, you need to download the public key certificate of RA. When we communicate with zhihu.com on https, we know that we will throw two certificates to us at once:

• Knowing public key certificates

• RA's public key certificate

Do n’t forget, we still have an implied public key certificate, where is it? In the operating system, it is the self-signed certificate of the first-level CA. The three certificates are:

o Knowing public key certificate

o RA's public key certificate

o CA's self-signed certificate

With these three certificates, our browser started to verify them one by one. The process is as follows: Use the RA public key of certificate 2 to try to decrypt the signature of certificate 1. If the decryption is successful, continue to verify the next step, otherwise the verification fails. Using the CA public key of certificate 3, try to decrypt the signature of certificate 2 and decrypt it successfully. The verification ends, otherwise the verification fails. After successful verification, it will continue to communicate with the server, otherwise it will pop up a message warning box "Invalid Certificate"! There is another case, certificate 2 is a self-signed certificate, but can not find a guarantee for certificate 2 in the operating system CA, then this is a typical man-in-the-middle attack, and the browser will also prompt that there is a problem with certificate verification.

7. When using the hash function for message digest, how to ensure that both parties in communication use the same hash function? For example, if the sender uses MD5 and the receiver uses SHA256, the generated message digest may be different.

The so-called agreement is the meaning of a certain field negotiated in advance. For example, the "SYN" status bit in the TCP three-way handshake is just a binary bit. TCP defines in advance, how many bits deviate from the packet header is the "SYN" status bit, the receiver only needs to check the value of how many bits deviate from this binary bit, you can know whether SYN is 0 or 1, right? In the same way, whether it is digital signature or HMAC, it will tell the other party in the message, what Hash function I am using and what is the length. The receiver only needs to calculate in the same way according to the prior agreement.

The above is the news sharing from the PASSHOT. I hope it can be inspired you. If you think today' s content is not too bad, you are welcome to share it with other friends. There are more latest Linux dumps, CCNA 200-301 dumps and CCNP Written dumps waiting for you.