bakabtw/Cool-Y.github.io
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9cce0d65f9
Cool-Y.github.io/index.html

1421 lines
72 KiB
HTML
Raw Normal View History

Site updated: 2019-03-17 18:53:16
2019-03-17 10:53:20 +00:00
<!DOCTYPE html>
<html class="theme-next muse use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">
<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
<link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">
<link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
<meta name="keywords" content="Hexo, NexT">
<meta property="og:type" content="website">
<meta property="og:title" content="混元霹雳手">
<meta property="og:url" content="https://cool-y.github.io/index.html">
<meta property="og:site_name" content="混元霹雳手">
<meta property="og:locale" content="zh-Hans">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="混元霹雳手">
<script type="text/javascript" id="hexo.configurations">
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
scheme: 'Muse',
version: '5.1.4',
sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
</script>
<link rel="canonical" href="https://cool-y.github.io/">
<title>混元霹雳手</title>
</head>
<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
<div class="container sidebar-position-left
page-home">
<div class="headband"></div>
<header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-wrapper">
<div class="site-meta ">
<div class="custom-logo-site-title">
<a href="/" class="brand" rel="start">
<span class="logo-line-before"><i></i></span>
<span class="site-title">混元霹雳手</span>
<span class="logo-line-after"><i></i></span>
</a>
</div>
<p class="site-subtitle"></p>
</div>
<div class="site-nav-toggle">
<button>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
</button>
</div>
</div>
<nav class="site-nav">
<ul id="menu" class="menu">
<li class="menu-item menu-item-home">
<a href="/" rel="section">
<i class="menu-item-icon fa fa-fw fa-home"></i> <br>
首页
</a>
</li>
Site updated: 2019-03-17 18:58:19
2019-03-17 10:58:24 +00:00
<li class="menu-item menu-item-about">
<a href="/about" rel="section">
<i class="menu-item-icon fa fa-fw fa-question-circle"></i> <br>
关于
</a>
</li>
Site updated: 2019-03-17 18:53:16
2019-03-17 10:53:20 +00:00
<li class="menu-item menu-item-tags">
<a href="/tags" rel="section">
<i class="menu-item-icon fa fa-fw fa-question-circle"></i> <br>
标签
</a>
</li>
<li class="menu-item menu-item-categories">
<a href="/categories" rel="section">
<i class="menu-item-icon fa fa-fw fa-question-circle"></i> <br>
分类
</a>
</li>
<li class="menu-item menu-item-archives">
<a href="/archives/" rel="section">
<i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
归档
</a>
</li>
</ul>
</nav>
</div>
</header>
<main id="main" class="main">
<div class="main-inner">
<div class="content-wrap">
<div id="content" class="content">
<section id="posts" class="posts-expand">
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
<div class="post-block">
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/03/16/qq数据库的加密解密/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="name" content="Cool-Y">
<meta itemprop="description" content>
<meta itemprop="image" content="/images/avatar.gif">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="混元霹雳手">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">
<a class="post-title-link" href="/2019/03/16/qq数据库的加密解密/" itemprop="url">qq数据库的加密与解密</a></h1>
<div class="post-meta">
<span class="post-time">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-03-16T18:35:27+08:00">
2019-03-16
</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h1 id="qq数据库采用简单加密——异或加密"><a href="#qq数据库采用简单加密——异或加密" class="headerlink" title="qq数据库采用简单加密——异或加密"></a>qq数据库采用简单加密——异或加密</h1><h2 id="数据获取:"><a href="#数据获取:" class="headerlink" title="数据获取:"></a>数据获取:</h2><p>DENGTA_META.xml—IMEI:867179032952446<br>databases/2685371834.db——数据库文件</p>
<h2 id="解密方式:"><a href="#解密方式:" class="headerlink" title="解密方式:"></a>解密方式:</h2><p>明文msg_t 密文msg_Data keyIMEI<br>msg_t = msg_Data[i]^IMEI[i%15]</p>
<p>实验:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">import sqlite3</span><br><span class="line"></span><br><span class="line">IMEI = &apos;867179032952446&apos;</span><br><span class="line">conn = sqlite3.connect(&apos;2685371834.db&apos;)</span><br><span class="line">c = conn.cursor()</span><br><span class="line"></span><br><span class="line">def _decrypt(foo):</span><br><span class="line"> substr = &apos;&apos;</span><br><span class="line"> #print(len(foo))</span><br><span class="line"> for i in range(0,len(foo)):</span><br><span class="line"> substr += chr(ord(foo[i]) ^ ord(IMEI[i%15]))</span><br><span class="line"> return substr</span><br><span class="line"></span><br><span class="line">#rem = c.execute(&quot;SELECT uin, remark, name FROM Friends&quot;)</span><br><span class="line">Msg = c.execute(&quot;SELECT msgData, senderuin, time FROM mr_friend_0FC9764CD248C8100C82A089152FB98B_New&quot;)</span><br><span class="line"></span><br><span class="line">for msg in Msg:</span><br><span class="line"> uid = _decrypt(msg[1])</span><br><span class="line"> print(&quot;\n&quot;+uid+&quot;:&quot;)</span><br><span class="line"> try:</span><br><span class="line"> msgData = _decrypt(msg[0]).decode(&apos;utf-8&apos;)</span><br><span class="line"> print(msgData)</span><br><span class="line"> except:</span><br><span class="line"> pass</span><br></pre></td></tr></table></figure></p>
<h2 id="结果"><a href="#结果" class="headerlink" title="结果"></a>结果</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1552728077/qq.png" alt></p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</div>
</article>
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
<div class="post-block">
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/03/16/BIBA访问控制模型实现(python)/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="name" content="Cool-Y">
<meta itemprop="description" content>
<meta itemprop="image" content="/images/avatar.gif">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="混元霹雳手">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">
<a class="post-title-link" href="/2019/03/16/BIBA访问控制模型实现(python)/" itemprop="url">利用python实现BIBA模型</a></h1>
<div class="post-meta">
<span class="post-time">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-03-16T15:35:27+08:00">
2019-03-16
</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h1 id="基于python语言的BIBA模型图形界面实现"><a href="#基于python语言的BIBA模型图形界面实现" class="headerlink" title="基于python语言的BIBA模型图形界面实现"></a>基于python语言的BIBA模型图形界面实现</h1><h2 id="一、实验目的:"><a href="#一、实验目的:" class="headerlink" title="一、实验目的:"></a>一、实验目的:</h2><ol>
<li><strong>查阅资料了解biba安全模型的相关知识</strong></li>
<li><strong>通过编程实现基于biba模型的完整性访问控制进一步掌握biba模型的规则</strong></li>
<li><strong>使用python语言实现熟练pyqt的图形界面设计方法</strong></li>
</ol>
<hr>
<h2 id="二、实验环境:"><a href="#二、实验环境:" class="headerlink" title="二、实验环境:"></a>二、实验环境:</h2><ul>
<li>操作系统Windows10</li>
<li>工具版本python3.7pyqt5</li>
</ul>
<hr>
<h2 id="三、实验原理:"><a href="#三、实验原理:" class="headerlink" title="三、实验原理:"></a>三、实验原理:</h2><h4 id="1-什么是安全模型"><a href="#1-什么是安全模型" class="headerlink" title="1. 什么是安全模型"></a>1. 什么是安全模型</h4><ul>
<li>系统的元素 <blockquote>
<p>具有行为能力的主体<br>不具有行为能力的客体</p>
</blockquote>
</li>
<li>系统的操作行为<blockquote>
<p>可以执行的命令:读、写、执行</p>
</blockquote>
</li>
<li>对系统行为的约束方式<blockquote>
<p>对行为的控制策略</p>
</blockquote>
</li>
<li>模型从抽象层次规定了系统行为和约束行为的方式</li>
<li>模型往往用状态来表示<blockquote>
<p>系统行为所依赖的环境<br>行为对系统产生的效果</p>
</blockquote>
<h4 id="2-biba完整性模型"><a href="#2-biba完整性模型" class="headerlink" title="2. biba完整性模型"></a>2. biba完整性模型</h4><ul>
<li>完整性威胁问题<blockquote>
<p>完整性的威胁就是一个子系统在初始时刻认为不正常的修改行为;<br>来源:内部&amp;外部;<br>类型:直接&amp;间接</p>
</blockquote>
</li>
</ul>
</li>
</ul>
<table>
<thead>
<tr>
<th>外部的直接</th>
<th>外部的间接</th>
<th>内部的直接</th>
<th>内部的间接</th>
</tr>
</thead>
<tbody>
<tr>
<td>外部系统恶意地篡改另一个系统的数据或程序</td>
<td>一个外部系统插入恶意的子程序</td>
<td>修改自己的代码</td>
<td>修改自己的指针</td>
</tr>
</tbody>
</table>
<ul>
<li>biba模型的完整性定义<blockquote>
<p>完整性级别高的实体对完整性低的实体具有完全的支配性,反之如果一个实体对另一个实体具有完全的控制权,说明前者完整性级别更高,这里的实体既可以是主体也可以是客体。<br>完整性级别和可信度有密切的关系,完整级别越高,意味着可信度越高。</p>
</blockquote>
</li>
<li>biba模型的规则 </li>
</ul>
<ul>
<li style="list-style: none"><input type="checkbox"> 对于写和执行操作,有如下规则:<blockquote>
<p><strong>写规则控制</strong><br>当且仅当主体S的完整性级别大于或等于客体O的完整性级别时主体S可以写客体O,一般称之为<strong>上写</strong><br><strong>执行操作控制</strong><br>当且仅当主体S2的完整性级别高于或等于S1,主体S1可以执行主体S2。 </p>
</blockquote>
</li>
<li style="list-style: none"><input type="checkbox"> 关于读操作,有不同的控制策略:<blockquote>
<p><strong>低水标模型</strong><br>任意主体可以读任意完整性级别的客体,但是如果主体读完整性级别比自己低的客体时,主体的完整性级别将为客体完整性级别,否则,主体的完整性级别保持不变。<br><strong>环模型</strong><br>不管完整性级别如何,任何主体都可以读任何客体<br><strong>严格完整性模型</strong><br>这个模型对读操作是根据主客体的完整性级别严格控制的,即只有完整性级别低或相等的主体才可以读完整性级别高的客体,称为<strong>下读</strong></p>
</blockquote>
</li>
</ul>
<p><strong>一般都是指毕巴严格完整性模型,总结来说是上写、下读</strong></p>
<hr>
<h2 id="四、实验内容:"><a href="#四、实验内容:" class="headerlink" title="四、实验内容:"></a>四、实验内容:</h2><h3 id="1-用户登录实现"><a href="#1-用户登录实现" class="headerlink" title="1. 用户登录实现"></a>1. 用户登录实现</h3><p><strong>核对用户输入的账户密码与存储的是否匹配</strong></p>
<p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/login.PNG" alt="login"></p>
<ul>
<li>从用户输入框获取账户和密码</li>
<li>检查输入信息是否合法(为空)</li>
<li>从password.txt中获取并保存在列表listFromLine中</li>
<li>检查输入的账户是否存在</li>
<li>若存在,检查对应的密码是否正确</li>
<li><p>若正确,判断是管理员还是普通用户,并跳转相应的界面</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">checkPass</span><span class="params">(self)</span>:</span></span><br><span class="line"> nameIn = self.lineEdit.text()</span><br><span class="line"> passwdIn = self.lineEdit_2.text()</span><br><span class="line"> md5 = hashlib.md5()</span><br><span class="line"> md5.update(passwdIn.encode(<span class="string">"utf-8"</span>))</span><br><span class="line"> passwdIn = md5.hexdigest()</span><br><span class="line"> <span class="keyword">if</span> (nameIn == <span class="string">''</span>) <span class="keyword">or</span> (passwdIn == <span class="string">''</span>):</span><br><span class="line"> QMessageBox.warning(self,</span><br><span class="line"> <span class="string">"警告"</span>,</span><br><span class="line"> <span class="string">"账号和密码不能为空"</span>,</span><br><span class="line"> QMessageBox.Yes)</span><br><span class="line"> self.lineEdit.setFocus()</span><br><span class="line"> print(nameIn, passwdIn)</span><br><span class="line"> fr = open(<span class="string">'./etc/passwd.txt'</span>)</span><br><span class="line"> arrayofLines = fr.readlines()</span><br><span class="line"> numberofLines = len(arrayofLines)</span><br><span class="line"> <span class="keyword">for</span> line <span class="keyword">in</span> arrayofLines:</span><br><span class="line"> line = line.strip()</span><br><span class="line"> listFromLine = line.split(<span class="string">':'</span>)</span><br><span class="line"> name = listFromLine[<span class="number">0</span>]</span><br><span class="line"> <span class="keyword">if</span> name == nameIn:</span><br><span class="line"> numberofLines = <span class="number">-1</span></span><br><span class="line"> passwd = listFromLine[<span class="number">1</span>]</span><br><span class="line"> <span class="keyword">if</span> passwd == passwdIn:</span><br><span class="line"> group = listFromLine[<span class="number">2</span>]</span><br><span class="line"> print(<span class="string">"\n登录成功!\n"</span>)</span><br><span class="line"> <span class="keyword">if</span> name == <span class="string">'root'</span>:</span><br><span class="line"> print(<span class="string">'root登录'</span>)</span><br><span class="line"> rootUI.show()</span><br><span class="line">
</li>
</ul>
<hr>
<h3 id="2-管理员功能实现"><a href="#2-管理员功能实现" class="headerlink" title="2. 管理员功能实现"></a>2. 管理员功能实现</h3><p><strong>管理员可以对用户进行增、删、查的操作</strong></p>
<p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/rootUI.PNG" alt="login"></p>
<h4 id="增加用户的实现"><a href="#增加用户的实现" class="headerlink" title="增加用户的实现"></a>增加用户的实现</h4><blockquote>
<ul>
<li>获取管理员输入的用户名、密码和用户等级</li>
<li>将明文密码转换为md5值</li>
<li>判断输入的账户是否已经存在以及是否为空</li>
<li>如果没有问题将其存入passwd.txt的末尾</li>
</ul>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">adduser</span><span class="params">(self)</span>:</span></span><br><span class="line"> print(<span class="string">'开始添加'</span>)</span><br><span class="line"> name = self.lineEdit_4.text()</span><br><span class="line"> passwd = self.lineEdit_6.text()</span><br><span class="line"> md5 = hashlib.md5()</span><br><span class="line"> md5.update(passwd.encode(<span class="string">"utf-8"</span>))</span><br><span class="line"> passwd = md5.hexdigest()</span><br><span class="line"> group = self.comboBox.currentText()</span><br><span class="line"> self.name = name</span><br><span class="line"> <span class="keyword">if</span> self.euxit():</span><br><span class="line"> <span class="keyword">if</span> name == <span class="string">''</span> <span class="keyword">or</span> passwd == <span class="string">''</span>:</span><br><span class="line"> QMessageBox.warning(self,</span><br><span class="line"> <span class="string">"警告"</span>,</span><br><span class="line"> <span class="string">"账号和密码不能为空"</span>,</span><br><span class="line"> QMessageBox.Yes)</span><br><span class="line"> self.lineEdit.setFocus()</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> cur_path = os.getcwd()</span><br><span class="line"> filename = cur_path + <span class="string">'/etc/passwd.txt'</span></span><br><span class="line"> fi = open(filename, <span class="string">'r+'</span>)</span><br><span class="line"> str = name + <span class="string">':'</span> + passwd + <span class="string">':'</span> + group + <span class="string">'\n'</span></span><br><span class="line"> print(<span class="string">'成功增加用户'</span> + str + <span class="string">'\n'</span>)</span><br><span class="line"> fi.seek(<span class="number">0</span>, <span class="number">2</span>)</span><br><span class="line"> fi.write(str)</span><br><span class="line"> fi.close()</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> QMessageBox.warning(self,</span><br><span class="line"> <span class="string">"警告"</span>,</span><br><span class="line"> <span class="string">"用户已存在"</span>,</span><br><span class="line"> QMessageBox.Yes)</span><br><span class="line"> self.lineEdit.setFocus()</span><br></pre></td></tr></table></figure>
<h4 id="查询已有用户的实现"><a href="#查询已有用户的实现" class="headerlink" title="查询已有用户的实现"></a>查询已有用户的实现</h4><blockquote>
<p>从passwd.txt中逐行读出</p>
</blockquote>
<p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/existUser.PNG" alt="login"></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">readuser</span><span class="params">(self)</span>:</span></span><br><span class="line"> print(<span class="string">'readuser'</span>)</span><br><span class="line"> cur_path = os.getcwd()</span><br><span class="line"> filename = cur_path + <span class="string">'/etc/passwd.txt'</span></span><br><span class="line"> fo = open(filename)</span><br><span class="line"> arrayofLines = fo.readlines()</span><br><span class="line"> names = <span class="string">''</span></span><br><span class="line"> <span class="keyword">for</span> line <span class="keyword">in</span> arrayofLines:</span><br><span class="line"> line = line.strip()</span><br><span class="line"> listFromLine = line.split(<span class="string">':'</span>)</span><br><span class="line"> names = names + listFromLine[<span class="number">0</span>] + <span class="string">'\n'</span></span><br><span class="line"> self.textEdit.setPlaceholderText(names)</span><br></pre></td></tr></table></figure>
<h4 id="删除用户的实现"><a href="#删除用户的实现" class="headerlink" title="删除用户的实现"></a>删除用户的实现</h4><blockquote>
<p>从passwd.txt中逐行读出用户名并与待删除用户比较如果相同则删除该行</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">rmuser</span><span class="params">(self)</span>:</span></span><br><span class="line"> print(<span class="number">1</span>)</span><br><span class="line"> cur_path = os.getcwd()</span><br><span class="line"> filename = cur_path + <span class="string">'/etc/passwd.txt'</span></span><br><span class="line"> rmName = self.lineEdit.text()</span><br><span class="line"> <span class="keyword">with</span> open(filename, <span class="string">'r'</span>,encoding=<span class="string">"utf-8"</span>) <span class="keyword">as</span> r:</span><br><span class="line"> lines = r.readlines()</span><br><span class="line"> lenl = len(lines)</span><br><span class="line"> <span class="keyword">with</span> open(filename, <span class="string">'w'</span>,encoding=<span class="string">"utf-8"</span>) <span class="keyword">as</span> w:</span><br><span class="line"> <span class="keyword">for</span> line <span class="keyword">in</span> lines:</span><br><span class="line"> l = line.strip()</span><br><span class="line"> listFromLine = l.split(<span class="string">':'</span>)</span><br><span class="line"> <span class="keyword">if</span> rmName == listFromLine[<span class="number">0</span>]:</span><br><span class="line"> print(<span class="string">'删除用户'</span> + rmName)</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">if</span> line == <span class="string">'\n'</span>:</span><br><span class="line"> print(<span class="string">'find换行'</span>)</span><br><span class="line"> line = <span class="string">''</span></span><br><span class="line"> w.write(line)</span><br></pre></td></tr></table></figure>
<hr>
<h3 id="3-普通用户功能实现"><a href="#3-普通用户功能实现" class="headerlink" title="3. 普通用户功能实现"></a>3. 普通用户功能实现</h3><p><strong>普通用户可以完成对合法权限文件的读取、增加内容(上写下读)以及创建文件的操作</strong></p>
<p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/normal.PNG" alt="login"></p>
<h4 id="读取文件内容"><a href="#读取文件内容" class="headerlink" title="读取文件内容"></a>读取文件内容</h4><blockquote>
<p>双击文件名<br>获取选中文件和当前用户的完整性级别<br>如果用户的级别低于文件,则读取文件内容</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">readfile</span><span class="params">(self)</span>:</span></span><br><span class="line"> dict = self.getGrade()</span><br><span class="line"> fgrade = str(dict[self.file_path])</span><br><span class="line"> ugrade = self.lineEdit_2.text()</span><br><span class="line"> <span class="keyword">if</span> ugrade &gt;= fgrade:</span><br><span class="line"> print(ugrade+ <span class="string">' 正在读取 '</span>+fgrade)</span><br><span class="line"> filename = self.file_path</span><br><span class="line"> print(filename)</span><br><span class="line"> fr = open(filename)</span><br><span class="line"> lines = <span class="string">''</span></span><br><span class="line"> arrayofLines = fr.readlines()</span><br><span class="line"> <span class="keyword">for</span> line <span class="keyword">in</span> arrayofLines:</span><br><span class="line"> lines += line</span><br><span class="line"> self.textEdit.setText(lines)</span><br><span class="line"> print(<span class="string">'读取成功\n'</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> QMessageBox.warning(self,</span><br><span class="line"> <span class="string">"警告"</span>,</span><br><span class="line"> <span class="string">"您的用户等级太高"</span>,</span><br><span class="line"> QMessageBox.Yes)</span><br><span class="line"> self.lineEdit.setFocus()</span><br></pre></td></tr></table></figure>
<h4 id="增加文件内容"><a href="#增加文件内容" class="headerlink" title="增加文件内容"></a>增加文件内容</h4><blockquote>
<p>双击文件名<br>获取选中文件和当前用户的完整性级别<br>如果用户的级别高于文件,则写入文件内容</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">writefile</span><span class="params">(self)</span>:</span></span><br><span class="line"> dict = self.getGrade()</span><br><span class="line"> fgrade = dict[self.file_path]</span><br><span class="line"> ugrade = self.lineEdit_2.text()</span><br><span class="line"> print(ugrade + <span class="string">' 正在写入 '</span> + fgrade)</span><br><span class="line"> <span class="keyword">if</span> ugrade &lt;= fgrade:</span><br><span class="line"> filename = self.file_path</span><br><span class="line"> str = self.textEdit.toPlainText()</span><br><span class="line"> print(str)</span><br><span class="line"> fo = open(filename, <span class="string">'r+'</span>)</span><br><span class="line"> fo.seek(<span class="number">0</span>, <span class="number">2</span>)</span><br><span class="line"> fo.write(str)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> QMessageBox.warning(self,</span><br><span class="line"> <span class="string">"警告"</span>,</span><br><span class="line"> <span class="string">"您的用户等级太低"</span>,</span><br><span class="line"> QMessageBox.Yes)</span><br><span class="line"> self.lineEdit.setFocus()</span><br></pre></td></tr></table></figure>
<h4 id="创建文件"><a href="#创建文件" class="headerlink" title="创建文件"></a>创建文件</h4><blockquote>
<p>获取当前用户名和输入的文件名<br>在当前路径下创建名为用户名的文件<br>并对新创建的文件与用户等级建立字典新文件路径为key用户等级为value<br>这个字典方便读写时判断等级高低</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">touchfile</span><span class="params">(self)</span>:</span></span><br><span class="line"> urName = self.lineEdit.text()</span><br><span class="line"> filename = self.lineEdit_4.text()</span><br><span class="line"> cur_path = os.getcwd()</span><br><span class="line"> new_path = os.path.join(cur_path + <span class="string">'/file'</span>, urName)</span><br><span class="line"> print(urName)</span><br><span class="line"> <span class="keyword">if</span> os.path.exists(new_path) == <span class="literal">False</span>:</span><br><span class="line"> os.mkdir(new_path)</span><br><span class="line"> os.chdir(new_path)</span><br><span class="line"> fr = open(filename, <span class="string">'w'</span>)</span><br><span class="line"> key = (new_path + <span class="string">'/'</span> + filename).replace(<span class="string">'\\'</span>, <span class="string">'/'</span>)</span><br><span class="line"> fr.close()</span><br><span class="line"> os.chdir(cur_path)</span><br><span class="line"> fa = open(<span class="string">'./etc/ac.txt'</span>, <span class="string">'r'</span>)</span><br><span class="line"> a = fa.read()</span><br><span class="line"> <span class="keyword">if</span> a == <span class="string">''</span>:</span><br><span class="line"> dict = &#123;&#125;</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> dict = eval(a)</span><br><span class="line"> dict[key] = self.lineEdit_2.text()</span><br><span class="line"> fr = open(<span class="string">'./etc/ac.txt'</span>, <span class="string">'w'</span>)</span><br><span class="line"> fr.write(str(dict))</span><br><span class="line"> fr.close()</span><br><span class="line"> fa.close()</span><br></pre></td></tr></table></figure>
<hr>
<h2 id="五、心得体会:"><a href="#五、心得体会:" class="headerlink" title="五、心得体会:"></a>五、心得体会:</h2><h2 id="六、改进部分:"><a href="#六、改进部分:" class="headerlink" title="六、改进部分:"></a>六、改进部分:</h2>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</div>
</article>
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
<div class="post-block">
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/03/16/wwifi半双工侧信道攻击学习笔记/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="name" content="Cool-Y">
<meta itemprop="description" content>
<meta itemprop="image" content="/images/avatar.gif">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="混元霹雳手">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">
<a class="post-title-link" href="/2019/03/16/wwifi半双工侧信道攻击学习笔记/" itemprop="url">wifi半双工侧信道攻击学习笔记</a></h1>
<div class="post-meta">
<span class="post-time">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-03-16T15:35:27+08:00">
2019-03-16
</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h1 id="TCP侧信道分析及利用的学习报告"><a href="#TCP侧信道分析及利用的学习报告" class="headerlink" title="TCP侧信道分析及利用的学习报告"></a>TCP侧信道分析及利用的学习报告</h1><h2 id="背景知识"><a href="#背景知识" class="headerlink" title="背景知识"></a>背景知识</h2><h3 id="测信道"><a href="#测信道" class="headerlink" title="测信道"></a>测信道</h3><p><strong>香农信息论</strong></p>
<p><img src="./1.png" alt="信息熵"></p>
<p><strong>什么是信息?</strong> 用来减少随机不确定的东西</p>
<p><strong>什么是加密?</strong> 类似于加噪声,增加随机不确定性</p>
<blockquote>
<p>“从密码分析者来看,一个保密系统几乎就是一个通信系统。待传的消息是统计事件,加密所用的密钥按概率选出,加密结果为密报,这是分析者可以利用的,类似于受扰信号。”</p>
</blockquote>
<p><strong>侧信道随之出现</strong> 越过加密算法增加的随机不定性,从其他的渠道获取数据标签,确定信息内容。</p>
<ol>
<li>早期:采集加密电子设备在运行过程中的时间消耗、功率消耗或者电磁辐射消耗等边缘信息的差异性</li>
<li>而随着研究的深入逐渐从加密设备延伸到计算机内部CPU、内存等之间的信息传递</li>
<li>并在Web应用交互信息传递越来越频繁时延伸到了网络加密数据流的破解方面</li>
</ol>
<p><strong>侧信道攻击的流程</strong> 第一个就是侧信道泄露的截取,第二个是信息的恢复。</p>
<hr>
<h3 id="网络攻击"><a href="#网络攻击" class="headerlink" title="网络攻击"></a>网络攻击</h3><ol>
<li>中间人攻击<blockquote>
<p>“指攻击者与通讯的两端分别创建独立的联系,并交换其所收到的数据,使通讯的两端认为他们正在通过一个私密的连接与对方直接对话,但事实上整个会话都被攻击者完全控制。”</p>
</blockquote>
</li>
</ol>
<p><img src="./2-Man_in_the_middle_attack.svg.png" alt></p>
<ul>
<li>公共wifi、路由器劫持</li>
<li>一般使用加密来防御</li>
<li>加密的代价:维护密钥证书、影响功能(运营商无法做缓存)</li>
</ul>
<ol start="2">
<li>非中间人攻击/偏离路径攻击/off-path attack<blockquote>
<p>通信线路之外,攻击者看不到双方的消息,没办法截获和发送通信包。智能伪造成一方给另一方发消息。</p>
</blockquote>
</li>
</ol>
<ul>
<li>攻击成功需要:消息合法+最先到达</li>
<li>防御措施challenge-response/询问-应答机制<br>双方在通信前交换一个随机数,这个随机数在每次的通信中都要被附带,而中间人看不见这个随机数,因此伪造的消息被认为不合法。</li>
<li>攻击者如何得到这个随机数:侧信道</li>
</ul>
<hr>
<h3 id="TCP三次握手"><a href="#TCP三次握手" class="headerlink" title="TCP三次握手"></a>TCP三次握手</h3><p><img src="./3-Connection_TCP.png" alt></p>
<blockquote>
<ol>
<li>客户端通过向服务器端发送一个SYN来创建一个主动打开作为三路握手的一部分。客户端把这段连接的序号设定为<em>随机数A</em></li>
<li>服务器端应当为一个合法的SYN回送一个SYN/ACK。ACK的确认码应为A+1SYN/ACK包本身又有一个<em>随机产生的序号B</em></li>
<li>最后客户端再发送一个ACK。当服务端收到这个ACK的时候就完成了三路握手并进入了连接创建状态。此时包的序号被设定为收到的确认号A+1而响应号则为B+1。</li>
</ol>
</blockquote>
<p>通过三次握手,确定对方不是非中间人</p>
<p><strong><em>TCP序列号的问题</em></strong></p>
<table>
<thead>
<tr>
<th style="text-align:center">1985</th>
<th style="text-align:center">1995</th>
<th style="text-align:center">2001</th>
<th style="text-align:center">2004</th>
<th style="text-align:center">2007</th>
<th style="text-align:center">2012</th>
<th style="text-align:center">2012</th>
<th style="text-align:center">2016</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:center">Morris</td>
<td style="text-align:center">Mitnik</td>
<td style="text-align:center">Zalewsky</td>
<td style="text-align:center">Waston</td>
<td style="text-align:center">kLM</td>
<td style="text-align:center">Herzberg</td>
<td style="text-align:center">作者</td>
<td style="text-align:center">作者</td>
</tr>
<tr>
<td style="text-align:center">初始序列可预测</td>
<td style="text-align:center">真实利用</td>
<td style="text-align:center">漏洞仍在</td>
<td style="text-align:center">BGP DoS</td>
<td style="text-align:center">Windows攻击</td>
<td style="text-align:center">Puppet-assisted</td>
<td style="text-align:center">Malware-assisted</td>
<td style="text-align:center">off-path attack</td>
</tr>
</tbody>
</table>
<ol>
<li>90年代时发现并不随机1995年伪造客户端连接微软大楼的服务器</li>
<li>2007年在windows场景下用IDID侧信道猜出序列号只针对Windows花费几小时</li>
</ol>
<hr>
<h2 id="Malware-assisted"><a href="#Malware-assisted" class="headerlink" title="Malware-assisted"></a>Malware-assisted</h2><p><strong>攻击模型:</strong><br>给受害者安装一个无特权的应用程序仅能网络连接这个程序跟非中间人的攻击者里应外合劫持手机上所有的TCP连接。<br><img src="./5-攻击模型.PNG" alt></p>
<p><strong>如何劫持TCP</strong></p>
<ol>
<li><p>需要的信息Facebook的连接IP地址和端口号由此可以知道TCP连接的序列号利用序列号伪装成Facebook给手机发消息。<br>使用netstat命令获取<br><img src="./4-netstat获取信息.jpg" alt></p>
</li>
<li><p>任务由于TCP的序列号通常连续所以要精确猜到它的下一个序列号。</p>
</li>
<li>如何验证序列号正确:通过某种侧信道,这个恶意软件在后台可以提供反馈。</li>
</ol>
<h3 id="变种一:防火墙"><a href="#变种一:防火墙" class="headerlink" title="变种一:防火墙"></a>变种一:防火墙</h3><p><strong>攻击过程:</strong> TCP三次握手之后产生A和B将来传输的包序列号必须跟A和B很接近否则防火墙会丢弃这个包。因此只有猜对了序列号包才能到达手机端。到达手机端后后台的恶意软件可以帮助我们判断手机是否接受了这个数据包。</p>
<p><strong>具体侧信道方案:</strong> CPU资源使用率噪音很大——&gt;TCP计数器后台软件运行制造噪音——&gt;低噪音计数器:包被丢掉时,一个相应的错误计数器。</p>
<p><strong>解决方法:</strong> 关闭防火墙检查序列号的功能</p>
<h3 id="变种二:无防火墙"><a href="#变种二:无防火墙" class="headerlink" title="变种二:无防火墙"></a>变种二:无防火墙</h3><p>具体侧信道方案跟TCP业务逻辑有关的计数器——收到的TCP包序列号小于期望时增加大于时不变。二分查找搜索正确的序列号。<br>影响范围Android、Linux、MacOS、FreeBSD</p>
<hr>
<h2 id="Pure-off-path-无恶意软件协助"><a href="#Pure-off-path-无恶意软件协助" class="headerlink" title="Pure off-path:无恶意软件协助"></a>Pure off-path:无恶意软件协助</h2><blockquote>
<p>不植入恶意软件劫持任意两台机器的TCP连接首先确定是否建立TCP连接然后推测其序列号A和B。</p>
</blockquote>
<h3 id="Global-Rate-Limit"><a href="#Global-Rate-Limit" class="headerlink" title="Global Rate Limit"></a>Global Rate Limit</h3><blockquote>
<p>USENIX 2016 : Off-Path TCP Exploits: Global Rate Limit Considered Dangerous</p>
</blockquote>
<p><strong>侧信道:</strong> 所有的侧信道本质上就是攻击者和受害者之间共享着某些资源如之前的全局TCP计数器。这里使用的侧信道是 <strong><em>服务器上</em></strong> 的共享资源,<strong><em>限速器</em></strong>RFC 5961限制某一种包的发送速率默认100p/s</p>
<p><strong>如何利用共享限速器:</strong><br>先判断是否建立了连接。然后伪造TCP包需要猜测源端口如果猜测正确服务器会返回一个challenge攻击者不断触发一共可以收到99个还有一个发给了客户端如果猜测错误则一共可以收到100个challenge。</p>
<p><img src="./6-GRL-R.png" alt></p>
<p><img src="./7-GRL-L.png" alt></p>
<p><strong>评估:</strong> 是否建立了连接:&lt;10s ; Seq30s ACK:&lt;10s</p>
<p><strong>解决方案:</strong> 1. 加噪音100变成150、2002. 限速器做成局部的</p>
<hr>
<h3 id="Unfixable-WiFi-timing"><a href="#Unfixable-WiFi-timing" class="headerlink" title="Unfixable WiFi timing"></a>Unfixable WiFi timing</h3><blockquote>
<p>USENIX 2018 : Off-Path TCP Exploit: How Wireless Routers<br>Can Jeopardize Your Secrets<br>之前的漏洞无论是计数器还是限速器都属于软件,很好更正,但这篇文章的漏洞利用无法修复。</p>
</blockquote>
<p><strong>TCP收包的原理</strong> 通常TCP收包要看这个包是否匹配了当前的某一个连接。如果连接匹配上了就会去看这个包的序列号如果序列号不对会触发一个回复说明这个序列号存在问题如果序列号正确但反向序列号不对也会丢包。当连接匹配、序列号和反向序列号正确时就会返回一个数据包。<br><img src="./8-收包原理.jpg" alt></p>
<p><strong>侧信道:</strong> 攻击者伪装成服务器给客户端发包,正确的序列号会有<strong><em>回复</em></strong>,错误则没有。但回复时发送给服务器的,有没有回复攻击者并不知道。那么如何去判断有没有回复,利用无线网络的 <strong><em>半双工</em></strong> 传输。<br>让有回包和没有回包的时间差异放大。</p>
<p><strong>判断流程:</strong> 客户端和路由器之间wifi通信。攻击者依次发送三个数据包第一个包用来测试正常的RTT。第2个包是伪装成服务器发送的如果第2个包猜对了客户端会向服务器返回数据包这会导致占用更长时间的wifi信道从而会使第3个包的RTT更长。<br><img src="./8-noTrigger.PNG" alt></p>
<p><img src="./8-trigger.PNG" alt></p>
<p><strong>评估:</strong> 在本地环境下如果发送40个包就有20ms的RTT差别。</p>
<p><strong>攻击应用:</strong><br><strong>1. 攻击模型:</strong> 受害者访问了我们的钓鱼网站这时javascript傀儡会在后台执行主动建立到攻击者的连接规避NAT或防火墙造成的不可抵达问题这时攻击者就可以从外网测试RTT。</p>
<blockquote>
<p>与理想情况的不同客户端通常在NAT或防火墙之后操作系统不一定严格遵守TCP收包的原则</p>
</blockquote>
<pre><code>Attacker -------wire----------|
Router ---------wireless-------Victim (client)
Server -------wire----------|
</code></pre><p><strong>2. 攻击目标:</strong> 推断出客户端和服务器是否建立了连接合计连接中交换的字节数或强制中断连接注入恶意payload到连接不失一般性的关注web缓存投毒。前两个不需要傀儡初始化连接第三个不一定需要但攻击者控制了时序能够简化攻击。</p>
<p><strong>3. 攻击过程:</strong> 假设傀儡已经建立了连接攻击者可以劫持并替换任何不加密的网站如武汉大学并在浏览器缓存。这是因为当浏览器请求相同的ip地址时会复用之前的TCP连接。这意味着恶意网站中的傀儡可以通过重复HTML元素来建立到目标域名的单个持久连接。然后路径外攻击者可以进行侧信道攻击以推断目标连接中使用的端口号和序列号然后注入虚假的http响应并要求浏览器不重新检查对象的新鲜度从而达到持续性的缓存投毒。</p>
<p><strong>4. 细节:</strong></p>
<ul>
<li><strong>连接(四元组)推断:</strong> 每一轮使用30个重复包测试一个端口如果端口号正确就会发现RTT大幅增加。如果还要完成 <strong><em>web缓存投毒</em></strong> ,还需要傀儡初始化连接来协助,根据系统不同,有不同的端口选择算法可以优化:<strong><em>windows&amp;macOS</em></strong> 使用全局和顺序端口分配策略为其TCP连接选择短暂的端口号这意味着攻击者可以在观察到与恶意Web服务器的初始连接后推断出要使用的下一个端口号这完全消除了对端口号推断的需要。<strong><em>NAT</em></strong> 端口保留,不需要关心外部端口被转换成不可预知的内部端口。<strong><em>来自同一域名的多个IP地址</em></strong>,这意味着攻击者需要付出更大的代价来推断端口号。</li>
<li><strong>序列号推断:</strong> 通过利用时序侧信道来判断是否存在相应的响应,从而将窗口序列号与窗外序列号区分开来。一旦我们得到一个 <strong><em>窗口内序列号</em></strong>,通过进行二分搜索进一步将序列号空间缩小到单个值 <strong><em>RCV.NXT</em></strong>。如果还要使用傀儡建立的连接发起web缓存投毒可以进一步优化<strong><em>增大接收窗口的大小</em></strong>可以减少猜测的迭代次数通常可以放大到500000(之前是65535)而且根据RFC793,窗口放大之后就永远不会缩小。<br><img src="./9-序列号推断.PNG" alt></li>
<li><p><strong>TCP劫持</strong> 通过劫持傀儡初始化的连接可以简化web缓存投毒的过程。三个os在ACK验证上都不符合规范所以各自处理情况也不同——<strong><em>windows</em></strong>客户端必须持续发送请求以防止ACK接收窗口仅为一个字节这要求攻击者必须能准确预期下一个序列号并解决大量流量带来的噪声。<br>因此作者设计了一种新策略该策略利用处理重叠数据的TCP行为和处理损坏的HTTP响应的浏览器行为——在Windows主机上缓冲的攻击者注入数据可能会破坏来自服务器的真实HTTP响应。 <strong><em>1注入</em></strong>傀儡不断从服务器上请求脚本而攻击者发送2^23/|wnd|个欺骗性数据包这些包的窗口序列号与RCV.NXT加上偏移量相匹配其中|wnd|为ack接收窗口大小第i个数据包的ACK号为i*|wnd|payload为</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">websocket.send(|wnd|*i)</span><br></pre></td></tr></table></figure>
<p> 因此这些数据包中包含有效ACK号的一个包将被缓冲并破坏真实的HTTP响应头。浏览器执行注入的脚本时它将通过websocket发送猜测的ACK号提供有效的窗口内ACK号。<br><img src="./9-http注入.PNG" alt><br><strong><em>2利用</em></strong>由于客户端已经接受了额外的欺骗payload推进了其预期的序列号因此客户端和服务器实际上已经被去同步。攻击者现在可以简单地发送欺骗性响应知道预期的序列号和有效的ACK号。如果我们只想执行一次性注入只需用恶意脚本替换第一步中的payload就足够了。<br>此外针对Windows的注入步骤存在更加通用的替代策略不依赖于浏览器行为。 具体来说由于HTTP响应的前几个字节是可预先确定的即HTTP不破坏真实的响应而是覆盖标题和正文以形成合法但恶意的响应。 在这种情况下,浏览器将完全忘记注入的存在。 这表明一旦序列号泄露就存在各种方法来有效地将数据注入浏览器而不用进行基于时间信道的慢得多的ACK号推断。</p>
</li>
</ul>
<hr>
<h2 id="Discussion"><a href="#Discussion" class="headerlink" title="Discussion"></a>Discussion</h2><p>时序侧信道来自无线网络的半双工性质。由于无线协议中固有的冲突和回退它被进一步放大。正如我们的测试路由器所证实的那样现代无线路由器都支持CSMA / CA和RTS / CTS因为它是802.11标准的一部分,并且该原则不太可能很快改变。<br>虽然作者只讨论威胁模型其中来自受害客户端的连接是针对性的但攻击实际上也适用于源自通过同一无线路由器连接的其他客户端的连接。这是因为所有这些客户端例如在相同NAT之后共享了相同的冲突域并因此遭受相同的定时信道。通过探测数据包在任何客户端上触发的响应将有效地延迟探测后查询。在这种情况下受害者连接通过傀儡打开只是为远程攻击者提供了测量碰撞的机会。<br>此外我们可以扩展威胁模型以考虑无线连接的服务器例如物联网设备。已经证明通过公共IP地址和开放端口可以访问数百万个物联网设备。在这种情况下可以针对此类IoT设备上的连接启动完全偏离路径的攻击。例如计算在连接上交换的字节终止与另一主机的连接在正在进行的telnet连接上注入恶意命令。</p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</div>
</article>
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
<div class="post-block">
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/03/16/小米固件工具mkxqimage/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="name" content="Cool-Y">
<meta itemprop="description" content>
<meta itemprop="image" content="/images/avatar.gif">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="混元霹雳手">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">
<a class="post-title-link" href="/2019/03/16/小米固件工具mkxqimage/" itemprop="url">小米固件工具mkxqimage</a></h1>
<div class="post-meta">
<span class="post-time">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-03-16T14:57:56+08:00">
2019-03-16
</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h1 id="小米固件工具mkxqimage"><a href="#小米固件工具mkxqimage" class="headerlink" title="小米固件工具mkxqimage"></a>小米固件工具mkxqimage</h1><p>小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Usage:</span><br><span class="line">mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]]</span><br><span class="line"> [-x file]</span><br><span class="line"> [-I]</span><br></pre></td></tr></table></figure></p>
<h2 id="固件解包"><a href="#固件解包" class="headerlink" title="固件解包"></a>固件解包</h2><p>固件工具mkxqimage完成对固件的解包在解包前先检查Checksum是否正确然后利用RSA公钥/usr/share/xiaoqiang/public.pem检查RSA签名这两个步骤通过后根据[0x0C]的固件类型,以及[0x10]、[0x14]、[0x18]和[0x1C]的4个偏移量拆分固件。</p>
<h2 id="固件打包"><a href="#固件打包" class="headerlink" title="固件打包"></a>固件打包</h2><p>小米官方在打包固件时用RSA私钥计算出固件的RSA签名小米路由器下载固件后用RSA公钥来验证RSA签名有效地防止固件被篡改。</p>
<h2 id="固件格式"><a href="#固件格式" class="headerlink" title="固件格式"></a><a href="http://www.iptvfans.cn/wiki/index.php/%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8%E5%9B%BA%E4%BB%B6%E5%88%86%E6%9E%90" target="_blank" rel="noopener">固件格式</a></h2><p>路由固件的格式,基本是基于 openwrt 的 trx 这个简单的二进制文件格式<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">48 44 52 30 63 D4 11 03 FE 3D 1A FD 05 00 02 00</span><br><span class="line">20 00 00 00 20 00 FE 00 00 00 00 00 00 00 00 00</span><br><span class="line">FF 04 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5</span><br></pre></td></tr></table></figure></p>
<p>第14字节ASCII字符串“HDR0”作为固件的标识<br>第58字节4字节整型数0x0311D464表示固件的大小51500132字节<br>第9~12字节固件的检查和<br>第1314字节0x0005表示固件中包含哪些部分<br>第1516字节0x0002表示固件格式版本号<br>第1720字节0x00000020表示固件第一部分在整个固件中的偏移量0.4.85固件的第一部分是brcm4709_nor.bin也就是Flash中除0xfe0000-0xff0000的board_data外的全镜像<br>第2124字节0x00FE0020表示固件第二部分在整个固件中的偏移量0.4.85固件的第二部分是root.ext4.lzma也就是硬盘中128M固件的压缩包<br>第33字节开始是固件的正式内容开始。</p>
<h2 id="小米开启ssh工具包"><a href="#小米开启ssh工具包" class="headerlink" title="小米开启ssh工具包"></a>小米开启ssh工具包</h2><p>使用mkxqimage解包<br>(现在会提示秘钥不存在)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">error fopen public key</span><br><span class="line">Image verify failed, not formal image</span><br></pre></td></tr></table></figure></p>
<p>如果能解包应该可以得到脚本文件upsetting.sh</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">nvram set ssh_en=1</span><br><span class="line">nvram set flag_init_root_pwd=1</span><br><span class="line">nvram commit</span><br></pre></td></tr></table></figure>
<p>执行脚本文件upsetting.sh后将ssh_en设置为1同时设置了flag_init_root_pwd项。当正式启动时/usr/sbin/boot_check脚本检测到flag_init_root_pwd=1时自动修改root用户密码具体脚本为<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">flg_init_pwd=`nvram get flag_init_root_pwd`</span><br><span class="line">if [ &quot;$flg_init_pwd&quot; = &quot;1&quot; ]; then</span><br><span class="line"> init_pwd=`mkxqimage -I`</span><br><span class="line"> (echo $init_pwd; sleep 1; echo $init_pwd) | passwd root</span><br><span class="line"> nvram unset flag_init_root_pwd</span><br><span class="line"> nvram commit</span><br><span class="line">fi</span><br></pre></td></tr></table></figure></p>
<p>初始密码是mkxqimage -I的结果实际是根据路由器的序列号计算得到。路由器的序列号印在底盖上12位数字561000088888</p>
<p>初始密码计算算法为:</p>
<p><code>substr(md5(SN+&quot;A2E371B0-B34B-48A5-8C40-A7133F3B5D88&quot;), 0, 8)</code></p>
<p><strong><em>A2E371B0-B34B-48A5-8C40-A7133F3B5D88</em></strong> 为分析mkxqimage得到的salt</p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</div>
</article>
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
<div class="post-block">
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/03/16/hello-world/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="name" content="Cool-Y">
<meta itemprop="description" content>
<meta itemprop="image" content="/images/avatar.gif">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="混元霹雳手">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">
<a class="post-title-link" href="/2019/03/16/hello-world/" itemprop="url">Hello World</a></h1>
<div class="post-meta">
<span class="post-time">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-03-16T14:53:10+08:00">
2019-03-16
</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>你好!我是混元霹雳手</p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</div>
</article>
</section>
</div>
</div>
<div class="sidebar-toggle">
<div class="sidebar-toggle-line-wrap">
<span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
</div>
</div>
<aside id="sidebar" class="sidebar">
<div class="sidebar-inner">
<section class="site-overview-wrap sidebar-panel sidebar-panel-active">
<div class="site-overview">
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
<p class="site-author-name" itemprop="name">Cool-Y</p>
<p class="site-description motion-element" itemprop="description"></p>
</div>
<nav class="site-state motion-element">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">5</span>
<span class="site-state-item-name">日志</span>
</a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/index.html">
<span class="site-state-item-count">4</span>
<span class="site-state-item-name">标签</span>
</a>
</div>
</nav>
</div>
</section>
</div>
</aside>
</div>
</main>
<footer id="footer" class="footer">
<div class="footer-inner">
<div class="copyright">&copy; <span itemprop="copyrightYear">2019</span>
<span class="with-love">
<i class="fa fa-user"></i>
</span>
<span class="author" itemprop="copyrightHolder">Cool-Y</span>
</div>
<div class="powered-by"><a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
<span class="post-meta-divider">|</span>
<div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Muse</a> v5.1.4</div>
</div>
</footer>
<div class="back-to-top">
<i class="fa fa-arrow-up"></i>
</div>
</div>
<script type="text/javascript">
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
</script>
<script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
<script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
<script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
<script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
<script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
<!-- LOCAL: You can save these files to your site and update links -->
<link rel="stylesheet" href="https://aimingoo.github.io/gitmint/style/default.css">
<script src="https://aimingoo.github.io/gitmint/dist/gitmint.browser.js"></script>
<!-- END LOCAL -->
</body>
</html>
Reference in New Issue Copy Permalink