20199101 2019-2020-2 "Network Attack and Defense Practice", week 4 assignment

Network sniffer and protocol analyzer


1. Practice content


Chapter 4 covers two topics: network sniffers and network protocol analyzers. They are reviewed in the sections below. The two are usually used together to analyze intercepted data.

  • Network sniffing: basic introduction to network sniffer
  • Network sniffer: Principles and Implementation (Ethernet)
  • Network sniffers: Sniffer software
  • Network protocol analysis technology

Network sniffing: basic introduction to network sniffer


A network sniffer uses the computer's network interface to intercept packets whose destination is another computer and monitor the private information carried in the data stream. The tool that implements this is called a network sniffer. It captures raw binary packets, which are then normally decoded with network protocol analysis techniques. Sniffing is often used by attackers as an internal-network penetration technique, usually run on a compromised host after they have gained access to the internal network. Because it silently and passively reads data in transit, detecting and preventing sniffing is quite difficult. Some basic detection and prevention methods:

  • Detecting a sniffer: check whether a network card is running in promiscuous mode. The way promiscuous mode can be detected differs by operating system and protocol stack.
  • Preventing sniffing: use a secure network topology (switched networks), use static instead of dynamic ARP tables, avoid transmitting plaintext, and protect the key nodes of the network (routers, switches, etc.).

Ethernet (wired LAN) and WiFi (wireless LAN) are the most popular link-layer protocols and are the main targets of sniffing.

  • tcpdump supports Ethernet sniffing
  • kismet supports WiFi monitoring
  • Packets sniffed from the two kinds of LAN are cracked and analyzed in exactly the same way; the only difference is that a wireless sniffer can also read and analyze frames of the wireless transmission protocol.

Sniffers can be divided by how they are implemented into hardware sniffers and software sniffers:

  • Hardware sniffers capture and analyze network data through dedicated hardware and are also called protocol analyzers.
  • Software sniffers are ordinary application software running on various operating systems, implemented by programming the network card.

Network sniffer: Principles and Implementation (Ethernet)


This section covers how Ethernet works, sniffing on shared and switched networks, and finally how sniffing is implemented on Unix-like and Windows platforms.

  • How Ethernet works: Ethernet is a shared communication channel that transmits data in units of frames; each Ethernet frame carries the source and destination MAC addresses. When a station needs to send data, the TCP/IP stack packs it into a packet, the data link layer "assembles" the frame header and trailer, and the frame is sent onto the shared medium. In normal mode the NIC driver only accepts frames whose destination MAC address matches its own; in promiscuous mode the card accepts every frame on the shared medium it is connected to.

  • Sniffing on a shared network: any host connected to a hub can sniff all the traffic passing through that hub.

  • Sniffing on a switched network: the switch forwards data according to a MAC address mapping table. There are usually three ways to sniff:

    • MAC address flooding: the attacker sends packets containing a large number of fictitious MAC/IP address pairs to the switch, overflowing its mapping table so that it can no longer look addresses up and falls back to working like a hub.
    • MAC spoofing: commonly used to break through MAC-address-based access control on the LAN. The textbook is rather vague here; see MAC address spoofing.
    • ARP spoofing: exploits weaknesses in the protocol that maps between IP and MAC addresses to achieve MAC spoofing; see ARP spoofing and eavesdropping for details.
  • Unix-like sniffing technology: implemented with the libpcap capture library in user mode and BPF in kernel mode. BPF provides a raw data link layer interface for sending and receiving raw link-layer packets; with the card in promiscuous mode it receives every packet on the network. Kernel-mode BPF and user-mode libpcap together provide the packet sniffing and filtering mechanism and a standard interface for sniffer applications on Unix-like platforms; the standard file format for captured packets is pcap.

  • Windows sniffing technology: the Windows kernel does not provide a standard sniffing and packet capture interface. NPF is a kernel-mode virtual device driver that filters packets and passes them intact to user mode. WinPcap provides two user-mode interfaces: the standard capture module packet.dll and wpcap.dll.


Network sniffers: Sniffer software


Commonly used sniffer software is generally built on the standard BPF and libpcap interfaces; the most popular development library is libpcap, and the most popular sniffers are tcpdump, Ethereal and Wireshark (on Unix-like and Windows platforms).

  • libpcap capture library development: the basic steps are to open a network device, set the filter rule, capture data, and close the device. See the libpcap explanation for details. (Although many tools already integrate all of this so that it takes only a command or two, developing your own capture program with the library is still relevant and important.)
  • tcpdump: a general-purpose command-line sniffer and packet protocol analyzer. The filter "src 192.168.199.200 and tcp dst port 80" shows the HTTP traffic the source host sends outward; plain "tcpdump" monitors every packet on the first network interface.
  • Wireshark: an open-source packet analysis tool whose main role is to capture network packets and perform protocol analysis on them, presenting the result to the user in an easy-to-understand format with as much detail as possible.

Network protocol analysis technology


A network sniffer captures the raw binary content of packets as they were assembled on the wire; protocol analysis re-parses these packets according to the TCP/IP protocol stack, using the protocol specifications, and recovers the content of each protocol layer. The main protocol analysis tool today is Wireshark. A typical protocol analysis process consists of the following steps (figure below; a higher-resolution one would be better):

  • The sniffer obtains the raw binary data transmitted at the data link layer.
  • Analyze the frame structure to obtain the header fields, determine the network-layer protocol type from the frame header, and extract the network-layer data the frame contains.
  • Analyze the IP packet further to determine the transport-layer protocol type and extract the transport-layer data.
  • Determine the specific application-layer protocol from the TCP or UDP destination port, and obtain the application-layer interaction content.
  • Reassemble and restore the actual transmitted data according to the respective application-layer protocol.

tcp.jpg


2. Practice


tcpdump


Task: use tcpdump to sniff the process of visiting www.tianya.cn from this machine. When the web page is accessed, how many web servers does the browser contact, and what are their IP addresses?


Solution
Visit the Tianya home page and run the command
tcpdump -nn '(tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0) and (host 192.168.3.7)'
To explain the command: the local IP 192.168.3.7 is specified, and the filter is tcp-syn != 0 and tcp-ack != 0, i.e. capture the packets whose SYN and ACK flags are both set. tcpdump has many other filters, for example "tcpdump host tianya.cn" or "tcpdump src 192.168.3.7 and tcp dst port 80". See the tcpdump capture examples to learn more tcpdump commands.

tcpdump.png

From the figure, the web servers mainly accessed are:

221.182.218.238
221.182.218.244
221.182.218.151
39.156.66.179
124.225.214.214
52.94.234.174
54.240.131.213

Hands-on with Wireshark


Task: use Wireshark to sniff and analyze a telnet login to a local BBS.

  1. What are the IP address and port of the BBS server?
  2. How does the telnet protocol transmit the user name and password you enter to the server?
  3. How do you use Wireshark sniffing and analysis to obtain the user name and login password?

Solution
First, a pitfall I ran into: on my Kali attack machine Chinese text was garbled, so I followed "Kali Chinese garbled" to install Chinese fonts and so on. The terminal could then display Chinese, and I even switched the system to Chinese, but once inside the BBS it still looked like the ghostly mess in the figure below. After a long search I finally found a single command that solves it: luit -encoding gbk telnet bbs.fudan.edu.cn (which specifies the encoding).
bbs1.png

Now the actual work:
Using the Fudan University BBS as the example: first open Wireshark, then in a terminal enter luit -encoding gbk telnet bbs.fudan.edu.cn to enter the Fudan BBS forum. From the Wireshark capture we find that its IP address is 202.120.225.9 and its port is 23.
bbs2.png
bbs4.png

Telnet transmits the user name and password in cleartext, so by following the TCP stream we can see our user name, guest. Selecting the direction from our host to the Fudan BBS in the conversation below, the user name guest can be found and the password is blank.
bbs5.png
bbs6.png


Forensic analysis practice


Task: forensic analysis of five different types of port scans against a honeypot host.

  • What is the IP address of the attacking host?
  • What is the destination IP address of the network scan?
  • Which scanning tool was used to initiate these port scans? How did you determine this?
  • From the log file you analyzed, which scanning methods did the attacker use, which destination ports were scanned, and how does each method work?
  • Which ports on the honeypot were found to be open?
  • What operating system is the attacking host running?

Solution

What is the IP address of the attacking host? What is the destination IP address of the network scan? Which scanning tool was used to initiate these port scans?
  1. We can run the Snort intrusion detection system over the binary log file. First install it with sudo apt-get install snort, give snort.conf read, write and execute permissions with sudo chmod 777 /etc/snort/snort.conf, then run sudo snort -A console -q -u snort -c /etc/snort/snort.conf -r ~/listen.pcap; the results are shown below (see the detailed snort instructions; here -A selects the alert mode, -q suppresses the status report, and -r reads the packets from a pcap file).
  2. We can also analyze it with Wireshark (after importing the file, open Statistics > Conversations).
  3. From the two tools above we get the attacking host's IP, 172.31.4.178, and the scan target's IP, 172.31.4.188. Snort's output shows that nmap was used to initiate the scans.
    fenxi1.png
    fenxi2.png
Which scanning methods did the attacker use, and how do they work?
  1. First we filter for ARP in Wireshark, because nmap actively probes every host in the broadcast domain with arp request packets, and before each scan nmap actively probes the host. We found no other packets between the first and second scan, so we determine that the first is host discovery with nmap -sP.
    listen1.png
  2. Looking at the packets at the end of the second scan, we find that the attacker probed the ssh port over both TCP and UDP using many constructed flag combinations to trigger different response packets; it is not hard to confirm that this traffic was triggered by the nmap -O option. Remote OS detection works by sending specially constructed packets to the target host, collecting the subtle "fingerprint" in the response packets (which differ between operating systems' network stack implementations), and comparing it against the known OS fingerprint database (the nmap-os-fingerprints file).
    listen2.png
  3. Then look at the third scan: this round has about 130,000 packets, roughly sixty thousand ports by estimate, so it should be a scan of specified ports, nmap -sS -p 1-65535 (guessing a full port scan), where -p specifies the ports to scan.
    listen3.png
  4. Finally the last scan: the fourth scan took longer than the earlier ones, so we can guess that it is service detection with nmap -sV. Specifically, we find port 8180 (http). The common probing we saw earlier is the three-way handshake SYN -> SYN,ACK -> SYN/RST, but in the fourth scan an HTTP connection is actually established, showing that this scan is nmap -sV without doubt.
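As an added example (not from the original post), the following Python script shows how a defender could recognise the host-discovery phase described in step 1 from a capture: it parses ARP frames and counts, per sender, how many distinct IP addresses were asked for. The frames are constructed inline and the threshold of 16 is an assumption.

```python
import struct
from collections import defaultdict

def parse_arp(frame: bytes):
    """Return (opcode, sender_ip, target_ip) for an Ethernet ARP frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    # ARP body after the 14-byte Ethernet header: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
    _, _, _, _, op, _sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    dotted = lambda b: ".".join(str(x) for x in b)
    return op, dotted(spa), dotted(tpa)

def arp_sweep_sources(frames, threshold: int = 16) -> dict:
    """Senders whose ARP requests (opcode 1) asked for at least `threshold` distinct target IPs.
    The threshold is an assumption; tune it to the size of the broadcast domain."""
    targets = defaultdict(set)
    for f in frames:
        parsed = parse_arp(f)
        if parsed and parsed[0] == 1:
            targets[parsed[1]].add(parsed[2])
    return {ip: len(t) for ip, t in targets.items() if len(t) >= threshold}

def make_arp_request(sender_ip: str, target_ip: str) -> bytes:
    """Constructed 'who-has' ARP request frame (broadcast destination, zero MACs)."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                       bytes(6), ip4(sender_ip), bytes(6), ip4(target_ip))
    return b"\xff" * 6 + bytes(6) + b"\x08\x06" + body

# Constructed sample: 172.31.4.178 asks for every host in 172.31.4.0/24, as the sweep in step 1
# would; 172.31.4.188 makes one ordinary request and must not be flagged.
SAMPLE = [make_arp_request("172.31.4.178", f"172.31.4.{i}") for i in range(1, 255)]
SAMPLE.append(make_arp_request("172.31.4.188", "172.31.4.1"))

if __name__ == "__main__":
    print(arp_sweep_sources(SAMPLE))   # {'172.31.4.178': 254}
```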

listen4.png

listen5.png

Operating system and ports
  1. First identify the open ports: filtering with tcp.flags.syn == 1 and tcp.flags.ack == 1, the open ports are: 21 22 23 25 53 80 139 445 3306 5432 8009 8180
    listen6.png
  2. To determine the operating system, I first tried nmap -O -r listen.pcap for OS type detection, and then used p0f -r listen.pcap for probing (after installing it with apt-get install p0f), which gave the following result: Linux 2.6.X.
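As an added example (not from the original post), the following Python script walks the five-step protocol analysis process from section 1 over raw Ethernet frames, and then applies the same SYN+ACK test that the tcpdump filter and the Wireshark filter above use to list open ports. The frames are constructed inline, modelled on the honeypot addresses, with checksums left at zero.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
IP_PROTOS = {6: "TCP", 17: "UDP"}
APP_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 8180: "http-alt"}
SYN, RST, ACK = 0x02, 0x04, 0x10

def dissect(frame: bytes) -> dict:
    """Step through Ethernet -> IPv4 -> TCP -> application port, as the analysis steps describe."""
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])     # steps 1-2: frame header
    info = {"l2": ETHERTYPES.get(etype, hex(etype))}
    if etype != 0x0800:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                    # step 3: header length from IHL
    info["src"] = ".".join(str(b) for b in ip[12:16])
    info["dst"] = ".".join(str(b) for b in ip[16:20])
    info["l4"] = IP_PROTOS.get(ip[9], str(ip[9]))
    if ip[9] != 6:
        return info
    tcp = ip[ihl:]
    sport, dport, _seq, _ackn, off_flags = struct.unpack("!HHIIH", tcp[:14])  # step 4: TCP header
    flags = off_flags & 0x01FF
    info.update(sport=sport, dport=dport, syn=bool(flags & SYN), ack=bool(flags & ACK), rst=bool(flags & RST))
    info["app"] = APP_PORTS.get(dport) or APP_PORTS.get(sport, "unknown")    # step 5: app protocol by port
    info["payload"] = tcp[(off_flags >> 12) * 4:]
    return info

def open_ports(frames, target: str) -> set:
    """Ports on `target` that replied SYN+ACK (Wireshark: tcp.flags.syn == 1 and tcp.flags.ack == 1)."""
    return {p["sport"] for p in map(dissect, frames)
            if p.get("src") == target and p.get("syn") and p.get("ack")}

def make_tcp_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame for offline testing (checksums left zero)."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src), ip4(dst)) + tcp
    return bytes(12) + struct.pack("!H", 0x0800) + ip

# Constructed sample modelled on the honeypot case: scanner 172.31.4.178 probing 172.31.4.188.
SAMPLE = [
    make_tcp_frame("172.31.4.178", "172.31.4.188", 40000, 80, SYN),
    make_tcp_frame("172.31.4.188", "172.31.4.178", 80, 40000, SYN | ACK),      # 80 open
    make_tcp_frame("172.31.4.178", "172.31.4.188", 40001, 81, SYN),
    make_tcp_frame("172.31.4.188", "172.31.4.178", 81, 40001, RST | ACK),      # 81 closed
    make_tcp_frame("172.31.4.188", "172.31.4.178", 8180, 40002, SYN | ACK),    # 8180 open
    make_tcp_frame("172.31.4.178", "172.31.4.188", 40000, 80, ACK, b"GET / HTTP/1.0\r\n"),
]
```

Note that open_ports additionally requires the SYN+ACK to come from the honeypot; the flag filter alone would also list any SYN+ACK the scanner itself sent.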

p0f2.png

p0f1.png


Offense and defense practice


Task: the attacker scans with nmap; the defender sniffs with tcpdump, analyzes with Wireshark, and works out the attacker's scanning goals and which nmap command each scan used.


Note: the key points of this analysis were already completed in the practice above, and the nmap scanning options were described in detail in the previous assignment, so they are not repeated here.


3. Problems encountered and solutions


  • Problem 1: garbled Chinese when logging into the BBS.
  • Solution 1: I started from the system fonts, and found that only the encoding used at login needed to be changed.
  • Problem 2: the forensic analysis practice requires a lot of knowledge and tools, and a lot of time went into it.
  • Solution 2: keep looking up the tools and how they work.

4. Thoughts and reflections

  • The assignment is professional and quite demanding; my knowledge of computer networks is still fairly weak and I need to keep learning.
  • Learning while working through the problems is still rather painful.

Reference material


Origin www.cnblogs.com/charlesxie/p/12547850.html