20199103 2019-2020-2 "Network Attack and Defense Practice" Week 4 Assignment


1. Practice content

Network sniffing

Definition:

Network sniffing is an eavesdropping technique: the attacker uses a host's network interface to capture the packets passing over the link. Because the captured data has not yet been processed by the protocol stack, sniffing is normally combined with protocol analysis to make sense of it. Sniffing techniques can be classified by link-layer protocol; the main link layers are Ethernet and Wi-Fi, the difference being that a wireless sniffer must also decode the wireless transmission protocol (802.11 frames) rather than Ethernet frames.

Working principle:

  • Ethernet: in its original shared-medium (hub) form, Ethernet transmits frames on a shared channel, so a frame sent by one station reaches every station on the segment, as if broadcast. A computer therefore physically receives frames that are not addressed to it. Normally the network card compares the destination MAC address of each frame with its own and discards frames that do not match, but when the card is put into promiscuous mode it passes every frame seen on the medium up to the host, which is what a sniffer relies on.
  • Switch: a switch learns a MAC-address-to-port mapping table (CAM table) from the source addresses of the frames it sees and forwards each frame only to the port where the destination MAC lives, so two hosts on the same switch do not see each other's packets by default. The usual ways around this are:
    • MAC flooding: send large numbers of frames with forged source MAC addresses so that the switch's CAM table overflows; many switches then fall back to flooding every frame out of every port, behaving like a hub.
    • MAC spoofing: keep sending frames whose source MAC is that of the target host, so the switch updates its table and wrongly associates the target's MAC with the attacker's port, delivering the target's traffic to the attacker.
    • ARP spoofing: exploit the lack of authentication in IP-to-MAC resolution (ARP) to get the same effect at the network layer, by sending ARP replies that map the victim's IP address to the attacker's MAC address.

Network protocol analysis

Definition:

Analysing the binary data of captured packets to determine which protocols they use and what the packets contain.

Principle:

First sniff the link-layer frames, then decode them layer by layer: determine the network-layer protocol carried in the frame, then the transport-layer protocol, then the application-layer protocol, until the transmitted data has been fully parsed.
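The layer-by-layer decoding described above, as an added example that is not part of the original post. Two frames are constructed by hand for the demonstration: an ARP request and a TCP SYN to port 23, using the assignment's IP addresses with made-up MAC addresses and zeroed checksums. Each function decodes one layer and hands the remaining bytes to the next.

```python
"""Layer-by-layer decoding of raw frames: Ethernet -> ARP / IPv4 -> TCP.

Added example, not part of the original post. The two sample frames are
constructed for the demonstration: an ARP request and a TCP SYN to port 23,
using the assignment's IP addresses and made-up MAC addresses (checksums
are left as zero since nothing here verifies them).
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 upwards

# Constructed frame 1: "Who has 172.31.4.188? Tell 172.31.4.178"
SAMPLE_ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "000c29aabbcc" "0806"            # Ethernet: broadcast dst, src, ARP
    "0001" "0800" "06" "04" "0001"                  # htype, ptype, hlen, plen, op=request
    "000c29aabbcc" "ac1f04b2"                       # sender MAC, sender IP 172.31.4.178
    "000000000000" "ac1f04bc")                      # target MAC (unknown), target IP

# Constructed frame 2: TCP SYN from 172.31.4.178:49152 to 172.31.4.188:23
SAMPLE_TCP_SYN = bytes.fromhex(
    "000c29ddeeff" "000c29aabbcc" "0800"            # Ethernet: dst, src, IPv4
    "4500" "0028" "0001" "0000" "40" "06" "0000"    # IPv4: ver/IHL, len 40, id, frag, TTL, TCP, csum
    "ac1f04b2" "ac1f04bc"                           # src 172.31.4.178, dst 172.31.4.188
    "c000" "0017" "00000001" "00000000"             # TCP: sport 49152, dport 23, seq, ack
    "5002" "ffff" "0000" "0000")                    # offset 5, flags SYN, window, csum, urg


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def decode_ethernet(frame):
    """Link layer: 6-byte dst, 6-byte src, 2-byte EtherType, then payload."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": etype, "payload": frame[14:]}


def decode_arp(data):
    """ARP over Ethernet/IPv4: opcode 1 = request (who-has), 2 = reply (is-at)."""
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", data[:8])
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", data[8:28])
    return {"op": "request" if op == 1 else "reply",
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def decode_ipv4(data):
    """Network layer: IHL gives the header length in 32-bit words and the
    protocol field says which transport-layer decoder gets the payload."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src_ip": ip_str(src), "dst_ip": ip_str(dst), "proto": proto,
            "payload": data[ihl:total_len]}


def decode_tcp(data):
    """Transport layer: the data offset gives the header length; the flag bits
    (SYN, SYN/ACK, RST ...) are what later scan analysis is built on."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    hdr_len = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    names = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": names, "payload": data[hdr_len:]}


def decode_frame(frame):
    """Walk the layers from the link layer upwards, returning what was recognised."""
    eth = decode_ethernet(frame)
    out = {"eth": eth}
    if eth["ethertype"] == ETHERTYPE_ARP:
        out["arp"] = decode_arp(eth["payload"])
    elif eth["ethertype"] == ETHERTYPE_IPV4:
        ip = decode_ipv4(eth["payload"])
        out["ip"] = ip
        if ip["proto"] == PROTO_TCP:
            out["tcp"] = decode_tcp(ip["payload"])
    return out


if __name__ == "__main__":
    for frame in (SAMPLE_ARP_REQUEST, SAMPLE_TCP_SYN):
        print(decode_frame(frame))
```

The same three decoders are all that is needed to follow the ARP and SYN/SYN-ACK/RST patterns discussed in the forensic part below; an application-layer decoder (telnet, HTTP) would be the next layer handed `tcp["payload"]`.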


2. Practice

Use tcpdump on this machine to sniff the process of visiting www.tianya.cn and answer: when the www.tianya.cn home page is opened, how many web servers does the browser contact, and what are their IP addresses?

  • I used tcpdump with a src filter to capture all packets sent by the host. The destination addresses contacted were 180.101.212.39, 192.168.254.2, 220.181.107.131, 180.101.49.11 and 124.225.65.154. (Note that 192.168.254.2 is a private RFC 1918 address, so it is the virtual machine's gateway or DNS resolver rather than a Tianya web server; the other four are the public servers contacted for the page.)

Use Wireshark to sniff and analyse a telnet login to a local BBS, and answer: (1) what are the IP address and port of the BBS server; (2) how are the telnet login name and password transferred to the server; (3) analyse the packets and recover the login password.

  • First enable the telnet client on Windows.
  • Then download Wireshark, start it and begin capturing.
  • Log in to the Fudan BBS with telnet.
  • From the capture, the BBS server's IP is 202.120.225.9 and the port is 23.
  • Then choose Follow TCP Stream and select the client-to-server direction; the user name and password I typed can be read directly, because telnet transmits them unencrypted, in clear text.
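What "Follow TCP Stream" does by hand, as an added example that is not part of the original post: the client side of a telnet session is mostly one keystroke per TCP segment, interleaved with IAC option negotiations, so recovering the typed login means joining the segments, stripping the negotiations and replaying the keystrokes (including backspaces). The segments, user name and password below are constructed; the real credentials from the capture are not on this page.

```python
"""Recovering a telnet login from the client side of a captured TCP stream.

Added example, not part of the original post. The segments below are
constructed: a few IAC option negotiations of the kind a telnet client
sends at connect time, followed by keystrokes sent one byte per segment
(as telnet clients in character mode do), each line ended with CR LF.
The user name and password are made up.
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
BACKSPACE, DEL = 0x08, 0x7F

# Constructed client-to-server payloads, in capture order.
CLIENT_SEGMENTS = [
    bytes([IAC, DO, 0x03]),                                        # DO SUPPRESS-GO-AHEAD
    bytes([IAC, WILL, 0x18]),                                      # WILL TERMINAL-TYPE
    bytes([IAC, SB, 0x18, 0x00]) + b"VT100" + bytes([IAC, SE]),    # TERMINAL-TYPE IS VT100
    b"g", b"u", b"e", b"s", b"s", bytes([BACKSPACE]), b"t", b"\r\n",  # typo, then corrected
    b"s", b"3", b"c", b"r", b"e", b"t", b"\r\n",
]


def strip_telnet_options(data):
    """Drop IAC command sequences and keep only user data.
    IAC IAC is an escaped literal 0xFF byte; IAC WILL/WONT/DO/DONT <opt> is a
    3-byte negotiation; IAC SB ... IAC SE is a subnegotiation of any length."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # truncated command at end of stream
            break
        cmd = data[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                           # other 2-byte commands (NOP, AYT, ...)
            i += 2
    return bytes(out)


def reconstruct_lines(segments):
    """Join the segments first (a negotiation may straddle two segments),
    strip options, then replay keystrokes: backspace deletes, CR LF ends a line."""
    raw = strip_telnet_options(b"".join(segments))
    raw = raw.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")  # both telnet EOL forms
    lines, line = [], bytearray()
    for b in raw:
        if b in (BACKSPACE, DEL):
            if line:
                line.pop()
        elif b == 0x0A:
            lines.append(line.decode("ascii", "replace"))
            line = bytearray()
        else:
            line.append(b)
    if line:
        lines.append(line.decode("ascii", "replace"))
    return lines


def extract_login(segments):
    """On a BBS login prompt the first two lines typed after connecting are the
    user name and password; returns (None, None) if they are not both present."""
    lines = reconstruct_lines(segments)
    return (lines[0], lines[1]) if len(lines) >= 2 else (None, None)


if __name__ == "__main__":
    user, password = extract_login(CLIENT_SEGMENTS)
    print(f"user={user!r} password={password!r}")
```

The server side of the stream would show the echoed user name but not the password (the server turns echo off for it), which is why the client-to-server direction is the one to follow.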

Practical assignments

Forensic analysis practice

  • Open the capture file provided by the teacher in Wireshark.

  • Picking any packet from the port scan shows that the attacker's IP is 172.31.4.178 and the scan target's IP is 172.31.4.188.

  • From the Snort alerts it can be seen that the attacks were launched with nmap.

  • With the help of classmates I learned that before every scan nmap first uses ARP to determine the target's MAC address, so I filtered for ARP packets first. There are four "Who has 172.31.4.188? Tell 172.31.4.178" requests, which mark the starting points of the four scans: No. 5, No. 7, No. 2071 and No. 133220.

  • Looking at the frame numbers, after No. 5 and No. 6 there is immediately another ARP request (No. 7). So the first scan only determined whether the host was alive and did nothing else before the next scan began. The command used was probably nmap -sP (a ping sweep; in current nmap the option is spelled -sn, with -sP kept as an alias).

  • The second and third scans are both half-open TCP SYN scans, but they differ in size: the second runs only from No. 9 to No. 2070, while the third runs from No. 2073 to No. 133219, a far larger number of packets. So the second scan did not scan all ports. The two figures below show a port being probed in the second and third scans; in both, the SYN, SYN/ACK, RST pattern of a half-open TCP SYN scan is visible.

  • Because the third scan is so large, it was probably nmap -sS with a port range given via -p, i.e. a TCP SYN scan of all ports or a specified range.

  • The fourth scan is different from the earlier ones. In those, every port was probed with a half-open scan and the connection was torn down as soon as the probe was answered. This time a full connection is established. Port 23 is shown below as an example.

  • Ignoring the three scans before No. 133220, the fourth scan again first does a half-open probe and ends the connection as soon as it has confirmed the port is open. Then it sends another SYN, but this time, after receiving the SYN/ACK, it does not reply with RST; it replies with ACK to complete the handshake, and then a telnet session follows.

  • Similarly, on port 22 an SSH connection can be seen being established at the end.

  • From last week's study we know that a network service scan identifies services by the differences in how application-layer protocols are implemented (the banners and responses to probes). So the last scan should be nmap -sV, a service/version scan.

  • The big remaining question was what the second scan was, since it probed only part of the ports. With the help of classmates I concluded that it was an operating system scan: nmap distinguishes operating systems by differences in their TCP/IP stack implementations, the probes are not a sequential sweep of all ports but a selected set of ports taken from a table, so my guess is nmap -O.

  • Applying the filter tcp.flags.ack == 1 and tcp.flags.syn == 1 shows the SYN/ACK replies, i.e. the ports found open, sorted by port. Because the column was sorted as text rather than numerically, 139 appears before 21. The open ports are 21, 22, 23, 25, 53, 80, 139, 445, 3306, 5432, 8009 and 8180.
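The reasoning in the bullets above, turned into code as an added example that is not part of the original post: ARP requests from attacker to target delimit the scans, a SYN/ACK from the target marks a port as open (sorted numerically, so 21 comes before 139), and the attacker's reaction to that SYN/ACK (RST versus ACK) separates a half-open -sS probe from a full connect used by -sT or -sV. The packet records are constructed to mimic the shapes in the capture; the attacker and target addresses are the assignment's, the frame numbers and ports in the sample are made up.

```python
"""Classifying nmap scan phases from a list of packet records.

Added example, not part of the original post. The packet records below are
constructed to mimic the capture: an ARP "who has" marks the start of each
scan, followed by per-port TCP exchanges. Attacker/target addresses are the
ones from the assignment; the frame numbers and ports are made up.
"""
ATTACKER, TARGET = "172.31.4.178", "172.31.4.188"


def arp_req(no, src, dst):
    return {"no": no, "proto": "arp", "op": "request", "src": src, "dst": dst}


def tcp(no, src, dst, sport, dport, *flags):
    return {"no": no, "proto": "tcp", "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": set(flags)}


# Constructed sample capture: two scans, separated by a second ARP request.
PACKETS = [
    arp_req(5, ATTACKER, TARGET),
    tcp(9, ATTACKER, TARGET, 40000, 23, "SYN"),
    tcp(10, TARGET, ATTACKER, 23, 40000, "SYN", "ACK"),
    tcp(11, ATTACKER, TARGET, 40000, 23, "RST"),          # half-open: tear down
    tcp(12, ATTACKER, TARGET, 40001, 81, "SYN"),
    tcp(13, TARGET, ATTACKER, 81, 40001, "RST", "ACK"),   # closed port
    tcp(14, ATTACKER, TARGET, 40002, 9999, "SYN"),        # no reply at all
    arp_req(40, ATTACKER, TARGET),
    tcp(42, ATTACKER, TARGET, 50000, 22, "SYN"),
    tcp(43, TARGET, ATTACKER, 22, 50000, "SYN", "ACK"),
    tcp(44, ATTACKER, TARGET, 50000, 22, "ACK"),          # full handshake
    tcp(45, TARGET, ATTACKER, 22, 50000, "PSH", "ACK"),   # service banner
    tcp(46, ATTACKER, TARGET, 50001, 139, "SYN"),
    tcp(47, TARGET, ATTACKER, 139, 50001, "SYN", "ACK"),
    tcp(48, ATTACKER, TARGET, 50001, 139, "ACK"),
]


def split_scans(packets, attacker, target):
    """Use each ARP request from attacker to target as the start of a new scan."""
    starts = [p["no"] for p in packets if p["proto"] == "arp" and p["op"] == "request"
              and p["src"] == attacker and p["dst"] == target]
    bounds = list(zip(starts, starts[1:] + [float("inf")]))
    return [[p for p in packets if lo <= p["no"] < hi] for lo, hi in bounds]


def open_ports(packets, target):
    """A port is open if the target answered with SYN/ACK; sorted numerically."""
    return sorted({p["sport"] for p in packets if p["proto"] == "tcp"
                   and p["src"] == target and {"SYN", "ACK"} <= p["flags"]})


def classify_probe(packets, attacker, target, port):
    """Decide how one port was probed from the attacker's reaction to SYN/ACK:
    RST -> half-open (-sS); ACK -> full connect (-sT, or -sV grabbing a banner)."""
    saw_synack = False
    for p in packets:
        if p["proto"] != "tcp":
            continue
        from_target = p["src"] == target and p["sport"] == port
        from_attacker = p["src"] == attacker and p["dport"] == port
        if from_target and {"SYN", "ACK"} <= p["flags"]:
            saw_synack = True
        elif from_target and "RST" in p["flags"]:
            return "closed"
        elif from_attacker and saw_synack:
            if "RST" in p["flags"]:
                return "open/half-open"
            if "ACK" in p["flags"] and "SYN" not in p["flags"]:
                return "open/full-connect"
    return "open/no-reaction" if saw_synack else "no-response"


def guess_scan_type(scan, attacker, target):
    """Heuristic label for one scan phase, following the reasoning in the post."""
    probed = sorted({p["dport"] for p in scan
                     if p["proto"] == "tcp" and p["src"] == attacker})
    if not probed:
        return "host discovery only (-sP / -sn)"
    kinds = {classify_probe(scan, attacker, target, port) for port in probed}
    if "open/full-connect" in kinds:
        return "connect or service scan (-sT / -sV)"
    if "open/half-open" in kinds:
        return "TCP SYN half-open scan (-sS, possibly with -O)"
    return "SYN probes, no open ports seen"


if __name__ == "__main__":
    for i, scan in enumerate(split_scans(PACKETS, ATTACKER, TARGET), 1):
        print(f"scan {i}: frames {scan[0]['no']}-{scan[-1]['no']}, "
              f"open ports {open_ports(scan, TARGET)}, "
              f"type: {guess_scan_type(scan, ATTACKER, TARGET)}")
```

Telling -sS with -O apart from plain -sS, and -sT from -sV, still needs the extra evidence used in the post (the number of ports probed, and whether application data follows the handshake); the flag pattern alone cannot separate them.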

Attack and defence practice: the attacker scans with nmap; the defender sniffs the traffic, analyses it in Wireshark, and works out the purpose of the nmap scan and the command used.

  • First I tried attacking Kali from Windows XP; on Kali I captured the traffic with tcpdump.

  • There is something very odd in this scan: every scanned port shows as closed, presumably because Kali has no services listening or has protections in place. Nevertheless, it can be seen that the attacker used both TCP and UDP scans. The UDP scan is recognisable from the ICMP port unreachable replies, so the command used was nmap -sU. For the TCP scan, however, I cannot tell whether it was nmap -sT or nmap -sS: because the target never answered with SYN/ACK (every port was closed and replied RST/ACK), I cannot see whether the attacker would have answered a SYN/ACK with ACK to complete the connection or with RST to tear it down, which, according to the book, is the only difference between the two on the wire.


3. Problems encountered and solutions

  • Problem 1: Chinese characters are displayed as garbage in Kali. This problem existed before and I could live with it, but this week Wireshark's text was garbled too, so I had to solve it.
  • Solution to problem 1: see the references.

4. Summary

This assignment was different from the previous ones. Before, the work could be completed even without understanding the principles, but this time the hands-on part was fine while the analysis behind the practical work required a thorough grasp of the principles of the scan commands covered earlier.


Reference material


Origin: www.cnblogs.com/maomutang/p/12547482.html