20199310 2019-2020-2 "Network Attack and Defense Practice" Week 4 Assignment

Course: https://edu.cnblogs.com/campus/besti/19attackdefense
Assignment requirements: https://edu.cnblogs.com/campus/besti/19attackdefense/homework/10518
Course goal: study the corresponding chapter of the textbook "Network Attack and Defense Technology and Practice" and complete the homework
Which aspects of this assignment helped me reach the goal: learning the techniques related to network sniffing and protocol analysis

Assignment text:

1 Knowledge summary

1.1 Network sniffing

Network sniffing: an eavesdropping technique used by attackers. The attacker uses a computer's network interface to intercept datagrams destined for other computers, in order to listen on the data stream for user accounts, passwords or other private information. After a sniffer captures packets it only has raw binary data; network protocol analysis is then applied to recover the contents of each layer of the TCP/IP protocol stack and the application-layer information that was actually transmitted.
Ethernet: a wired network protocol standard (802.3) developed by the Institute of Electrical and Electronics Engineers. It uses a shared communication channel with carrier sense multiple access / collision detection (CSMA/CD) to avoid conflicts on the shared path. A station transmits its data by broadcasting it onto the channel, so every computer on the shared medium can receive the frames sent to another computer. Ethernet data is transmitted in units of frames; each network interface has a 48-bit MAC address, and the frame header carries the source MAC address and the destination MAC address before the frame is placed on the shared medium. The NIC driver normally accepts only frames whose destination MAC address matches its own; it then raises an interrupt, the operating system's interrupt handler calls the driver to copy the received data into the protocol stack, the stack unpacks it layer by layer, and the unpacked data is delivered to the application.
Promiscuous mode: the NIC accepts all data frames on the shared communication medium regardless of destination MAC address, which is what makes sniffing Ethernet traffic possible.
Ethernet deployment: shared networks (a hub repeats every received frame to all of its interfaces) and switched networks (a switch looks up the destination MAC address of each received frame in its mapping table and forwards the frame only to the designated port; if no entry exists it forwards to all ports and the NIC with that MAC address answers, which avoids network broadcast storms).
MAC address flooding attack: the attacker sends a large number of packets with fictitious MAC and IP addresses to the switch, causing the switch's MAC-address-to-port mapping table to overflow; the switch can no longer handle the table and starts working in a manner similar to a hub.
MAC spoofing: the attacker makes the switch believe that the attacker's MAC address is the MAC address of the target host. The attacker's NIC forges the MAC address of the host it wants to listen on, so that the source MAC address of its packets is the spoofed address, and sends such packets out through the switch.


2 Experimental content

2.1 Network sniffing

Network sniffing: a passive, non-intrusive attack method with high stealth.

  • UNIX-platform network sniffing techniques:
    BPF in kernel mode and the libpcap capture library in user mode
  • Windows-platform network sniffing techniques:
    the NPF module, compatible with BPF, and the WinPcap capture library, whose interface is compatible with the standard libpcap interface

Sniffer software: software with the ability to perform network sniffing.

  • UNIX-platform sniffers:
    libpcap capture development library: provides packet capture under UNIX/Linux as a system-independent, user-level network packet capture interface; libpcap works on most UNIX-like platforms.
    tcpdump sniffer: a command-line sniffer that supports selective sniffing of network packets using BPF filter syntax, then parses the captured packets through the TCP/IP protocol stack and presents the results either one line per packet or as full packet content.
    wireshark sniffer: currently the best graphical sniffer on UNIX-based platforms; a Windows version also exists.

  • Other sniffing software: the open-source network intrusion detection system Snort, dsniff, sniffit, linux_sniffer

  • Windows-platform sniffers: NPF / WinPcap / windump; wireshark has a Windows version; others include Buttsniffer, NetMon and Network Associates Sniffer

tcpdump reference: on the kali machine, run tcpdump src 192.168.200.103 and tcp dst port 80 to sniff the Windows target whose IP address is 192.168.200.103; then log on to the Windows target and open www.baidu.com in the browser. Because the target's browser version is too old, a page error occurs; when asked whether to correct the error, click No.

Sniffing result on the attack machine: the target establishes an HTTP session on port 80 with the destination IP address.

Detecting network sniffing:
1. Check whether the network card is operating in promiscuous mode.
2. Use the different characteristics of operating systems and protocol stacks in promiscuous mode to check how the destination host handles the destination MAC address.
3. Check whether the first eight bits of the destination MAC address are 0xff.
4. Check whether the response time of the target host is abnormal.
Sniffer recognition tool: AntiSniff.
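The first detection method above (is the card in promiscuous mode?) can be checked locally on a Linux host. The following script is an added example, not part of the original post or of any of the tools it names: it decodes the interface flag word that the Linux kernel exposes in /sys/class/net/<iface>/flags, where the IFF_PROMISC bit (0x100, from <linux/if.h>) is set while a sniffer such as tcpdump or Wireshark holds the interface in promiscuous mode. The flag constants are the standard Linux values; the path is assumed to be the default sysfs mount.

```python
import os

# Interface flag bits from <linux/if.h> (standard Linux values, assumed unchanged).
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = [
    (IFF_UP, "UP"), (IFF_BROADCAST, "BROADCAST"), (IFF_LOOPBACK, "LOOPBACK"),
    (IFF_RUNNING, "RUNNING"), (IFF_PROMISC, "PROMISC"), (IFF_MULTICAST, "MULTICAST"),
]


def decode_iface_flags(raw: str) -> dict:
    """Turn the hex string read from /sys/class/net/<iface>/flags (e.g. '0x1103') into named flags."""
    value = int(raw.strip(), 16)
    names = [name for bit, name in FLAG_NAMES if value & bit]
    return {"value": value, "flags": names, "promisc": bool(value & IFF_PROMISC)}


def scan_interfaces(sys_net: str = "/sys/class/net") -> dict:
    """Return {iface: decoded flags} for every interface under sys_net; empty on non-Linux hosts."""
    report = {}
    if not os.path.isdir(sys_net):
        return report
    for iface in sorted(os.listdir(sys_net)):
        path = os.path.join(sys_net, iface, "flags")
        try:
            with open(path) as fh:
                report[iface] = decode_iface_flags(fh.read())
        except OSError:
            continue  # entries without a readable flags file are skipped
    return report


def promiscuous_interfaces(sys_net: str = "/sys/class/net") -> list:
    """Names of the interfaces currently in promiscuous mode."""
    return [name for name, info in scan_interfaces(sys_net).items() if info["promisc"]]


if __name__ == "__main__":
    for name, info in scan_interfaces().items():
        marker = "  <-- sniffer may be attached" if info["promisc"] else ""
        print(f"{name:10s} 0x{info['value']:x} {','.join(info['flags'])}{marker}")
```

This only answers the question for the host it runs on; a sniffer on another machine in the same broadcast domain has to be found with the network-side tests listed as methods 2 to 4, which is what AntiSniff automates.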

Hands-on: tcpdump
Use the open-source tcpdump software on this machine to sniff the process of accessing the website www.tianya.cn, and answer the question: when you visit the www.tianya.cn home page, how many Web servers does the browser access? What are their IP addresses?
Sniffing traffic for the local IP address:

Accessing the site in the browser, four Web servers appear, with IP addresses 124.225.65.154, 200.130.77.218, 124.225.135.230 and 124.225.214.206,
of which 124.225.65.154 is the IP address corresponding to www.tianya.cn.


2.2 Network protocol analysis technology

Network protocol analysis: the technique of parsing the binary-format packets transmitted on the network to recover the information of each network protocol layer and the content being transmitted; it is similar to the process of decompressing the packets.

A typical network protocol analysis process:
1) Take the raw data from the network sniffer, i.e. the binary data-link-layer packets as transmitted;
2) Analyse the data frame structure, locate the fields of the frame header, determine the network-layer protocol from the Type field of the header (0x0800 for the IP protocol), and extract the network-layer data carried in the frame;
3) Further analyse the IP packet: reassemble fragments according to the fragment bits, and determine the transport-layer protocol type from the Protocol field of the IP header;
4) Determine the specific application-layer protocol from the TCP or UDP port;
5) Reassemble the data according to the application-layer protocol to obtain the actual transmitted data.
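The five steps above, carried out by hand on a constructed frame. This is an added example and not code from the original post or from tcpdump/Wireshark: parse_frame walks an Ethernet frame bottom-up using only the standard library, build_tcp_frame assembles a constructed sample (an HTTP request between the addresses used in the tcpdump exercise above, with checksums left at zero), and the APP_PORTS table is an assumed port-to-protocol guess for step 5.

```python
import struct

# Standard IANA values for the header fields the parser examines.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
# Step 5 needs a port -> application protocol guess; well-known ports only (assumed table).
APP_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_tcp_flags(bits: int) -> list:
    return [name for bit, name in TCP_FLAG_BITS if bits & bit]


def parse_frame(frame: bytes) -> dict:
    """Steps 1-5: Ethernet header -> EtherType -> IPv4 header -> TCP/UDP -> application payload."""
    # Step 1/2: the 14-byte Ethernet header; the EtherType names the network-layer protocol.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        out["network"] = "ARP" if ethertype == ETHERTYPE_ARP else "other"
        return out
    # Step 3: IPv4 header; IHL (low nibble of the first byte) is the header length in 32-bit words.
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fragmented = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0
    out.update({"network": "IPv4", "src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip),
                "ttl": ttl, "ip_proto": proto, "fragmented": fragmented})
    if fragmented:
        return out  # fragments must be reassembled before the transport header is meaningful
    segment = ip[ihl:total_len]
    # Step 4: transport header; the port pair identifies the application protocol.
    if proto == IPPROTO_TCP:
        sport, dport, _seq, _ack, off_flags, _win = struct.unpack("!HHIIHH", segment[:16])
        data_offset = (off_flags >> 12) * 4
        out.update({"transport": "TCP", "src_port": sport, "dst_port": dport,
                    "tcp_flags": decode_tcp_flags(off_flags & 0x1FF),
                    "payload": segment[data_offset:]})
    elif proto == IPPROTO_UDP:
        sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
        out.update({"transport": "UDP", "src_port": sport, "dst_port": dport,
                    "payload": segment[8:length]})
    else:
        return out
    # Step 5: application layer, guessed from the well-known port; text protocols are decoded.
    out["app_proto"] = APP_PORTS.get(dport) or APP_PORTS.get(sport) or "unknown"
    if out["app_proto"] in ("HTTP", "Telnet"):
        out["payload_text"] = out["payload"].decode("ascii", errors="replace")
    return out


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flag_bits, payload=b""):
    """Constructed test frame (checksums left zero: fine for parsing, not a frame to transmit)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flag_bits, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split("."))) + tcp
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_IPV4) + ip)


# Constructed sample: the HTTP request from the tcpdump exercise above (PSH|ACK = 0x18).
SAMPLE = build_tcp_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                         "192.168.200.103", "124.225.65.154", 51234, 80, 0x18,
                         b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE).items():
        print(f"{key:13s} {value!r}")
```

Wireshark's dissectors do the same walk, only with a dissector per protocol instead of one function; the point to notice is step 3: once a packet is fragmented, nothing above the IP layer can be trusted until the fragments are reassembled, which is why the parser stops there.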

Hands-on: Wireshark
Task: use the open-source Wireshark software to sniff and analyse a telnet login to a local BBS, answer the following questions and show the operations:
1) What are the IP address and port of the BBS server you logged in to?
Register a user on the Shuimu community (newsmth):

Connect to the community forum with telnet bbs.newsmth.net while capturing the packets with wireshark.

In wireshark, open View > Filter Toolbar from the menu bar, and type telnet in the Protocol search box to filter out the TELNET packets.

IP address: 120.92.212.76, port: 23

2) How does the telnet protocol transmit the user name and login password you entered to the server?
From the captured packets, the user name and login password are sent from the local host to the server character by character in plaintext, and the server returns a confirmation message for each.

3) How do you use Wireshark packet sniffing and analysis to obtain your user name and login password?
Because of the BBS's character restrictions on the user name and login password the capture is complex, so only the user name portion (louhao123) is shown here:
3. Practice assignments

Forensic analysis practice: decoding a network scan

Download listen.pcap from the class cloud share, open this binary log file in wireshark for analysis, and use Conversations under the Statistics menu, selecting IPv4, to obtain the following figure:

Only 172.31.4.178 and 172.31.4.188 exchange a large number of packets in both directions, so they can initially be identified as the attacking host IP and the target host IP.

Then filter on TCP packets and look at the session contents: all request packets are initiated by 172.31.4.178 and all response packets are sent by 172.31.4.188, so 172.31.4.178 is the attacking host and 172.31.4.188 is the target host being scanned.
1. What is the IP address of the attacking host?
The IP address of the attacking host is 172.31.4.178

2. What is the IP address of the target of the network scan?
The IP address of the network scan target is 172.31.4.188

3. Which scanning tool was used to initiate these port scans in this case? How did you determine this?
Parsing the wireshark pcap file with the snort tool shows that the port scan was carried out with the nmap tool

It can also be viewed in a web page via websnort


4. In the log file you analysed, which scanning method does the attacker use, what are the destination ports of the scan, and how does it work?
Because this is a simulation, the scanner and the target are on the same network segment, so nmap can use the ARP protocol to probe the target: ARP request packets can be broadcast directly in the broadcast domain, and if an ARP reply is received the host is active, which also yields the MAC address of the target host.

Since we have determined that these scans are initiated by nmap, and nmap always first performs a ping scan and probes port 80 of the target host to determine whether it is active before initiating the port scan:
searching with the filter icmp locates the ICMP packets corresponding to the ping scan; two ping scans were carried out.

There is a large number of SYN request packets sent from port 57738 of the attack machine to the target host, i.e. a TCP SYN scan. Its purpose is to find which ports on the target host are active: if a port is active, the target host replies with a SYN|ACK packet and the attack machine immediately sends a RST packet to close the connection; if the port is inactive, the target replies with a RST|ACK packet. The command may have been nmap -sS -p XXX 172.31.4.188 (with XXX the port range).


5. Which ports were found open on the honeypot?
The filter tcp.flags.syn == 1 and tcp.flags.ack == 1 selects the SYN|ACK packets, i.e. the target host's replies for active ports. Ports 21, 22, 23, 25, 53, 80, 139, 445, 3306, 3632, 5432, 8009 and 8180 are active.
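The reasoning used for questions 1 to 5 above (who sends the SYNs, which replies are SYN|ACK, whether the scanner tears down with RST instead of completing the handshake) can be written down as a small analysis over already-parsed packet records. The block below is an added example, not code from the original post or from Wireshark/snort; the capture it analyses is constructed in the shape of listen.pcap, using the two hosts and the source port 57738 named above but a shortened, made-up port list, and the Pkt record holds only the fields that Wireshark's summary line shows.

```python
from collections import Counter
from typing import NamedTuple


class Pkt(NamedTuple):
    """One parsed packet: only the fields the analysis needs."""
    src: str
    dst: str
    proto: str                        # "TCP" or "ICMP"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flag names
    icmp_type: int = -1               # 8 = echo request, 0 = echo reply


def tcp(src, dst, sport, dport, *flags):
    return Pkt(src, dst, "TCP", sport, dport, frozenset(flags))


def icmp(src, dst, icmp_type):
    return Pkt(src, dst, "ICMP", icmp_type=icmp_type)


def conversations(pkts):
    """Statistics > Conversations > IPv4: packet count per unordered host pair."""
    counts = Counter()
    for p in pkts:
        counts[tuple(sorted((p.src, p.dst)))] += 1
    return counts


def identify_roles(pkts):
    """Questions 1/2: the host that sends the SYN (request) packets is the scanner, its peer the target."""
    syn_senders = Counter(p.src for p in pkts if p.proto == "TCP" and p.flags == frozenset({"SYN"}))
    scanner = syn_senders.most_common(1)[0][0]
    targets = Counter(p.dst for p in pkts if p.src == scanner and p.proto == "TCP")
    return scanner, targets.most_common(1)[0][0]


def port_states(pkts, scanner, target):
    """Question 5: SYN|ACK from the target means open, RST|ACK means closed."""
    states = {}
    for p in pkts:
        if p.proto != "TCP" or p.src != target or p.dst != scanner:
            continue
        if p.flags == frozenset({"SYN", "ACK"}):
            states[p.sport] = "open"
        elif p.flags == frozenset({"RST", "ACK"}):
            states.setdefault(p.sport, "closed")
    return states


def classify_scan(pkts, scanner, target):
    """Question 4: half-open (SYN) scan vs full connect scan, from how the scanner answers SYN|ACK."""
    sent = [p for p in pkts if p.proto == "TCP" and p.src == scanner and p.dst == target]
    syn_ports = {p.dport for p in sent if p.flags == frozenset({"SYN"})}
    open_ports = {port for port, st in port_states(pkts, scanner, target).items() if st == "open"}
    ack_ports = {p.dport for p in sent if p.flags == frozenset({"ACK"})}
    rst_ports = {p.dport for p in sent if "RST" in p.flags}
    src_ports = {p.sport for p in sent if p.flags == frozenset({"SYN"})}
    if not syn_ports:
        return "no TCP scan"
    if open_ports and open_ports <= rst_ports and not (open_ports & ack_ports):
        kind = "TCP SYN (half-open) scan, nmap -sS style"
    elif open_ports & ack_ports:
        kind = "TCP connect scan, full handshake"
    else:
        kind = "TCP scan of undetermined type"
    return f"{kind}: {len(syn_ports)} ports probed from {len(src_ports)} source port(s)"


def ping_sweep(pkts, scanner):
    """Question 4 (host discovery): ICMP echo requests sent by the scanner."""
    return [p.dst for p in pkts if p.proto == "ICMP" and p.src == scanner and p.icmp_type == 8]


# Constructed capture in the shape of listen.pcap (hosts from the exercise; port list shortened).
ATTACKER, TARGET, SRC_PORT = "172.31.4.178", "172.31.4.188", 57738
OPEN, CLOSED = [21, 22, 23, 25, 80], [81, 443, 8080]
CAPTURE = [icmp(ATTACKER, TARGET, 8), icmp(TARGET, ATTACKER, 0)]
for port in OPEN + CLOSED:
    CAPTURE.append(tcp(ATTACKER, TARGET, SRC_PORT, port, "SYN"))
    if port in OPEN:
        CAPTURE.append(tcp(TARGET, ATTACKER, port, SRC_PORT, "SYN", "ACK"))
        CAPTURE.append(tcp(ATTACKER, TARGET, SRC_PORT, port, "RST"))   # torn down, handshake never completed
    else:
        CAPTURE.append(tcp(TARGET, ATTACKER, port, SRC_PORT, "RST", "ACK"))


def analyse(pkts=CAPTURE):
    scanner, target = identify_roles(pkts)
    states = port_states(pkts, scanner, target)
    return {"scanner": scanner, "target": target,
            "open_ports": sorted(p for p, s in states.items() if s == "open"),
            "closed_ports": sorted(p for p, s in states.items() if s == "closed"),
            "scan_type": classify_scan(pkts, scanner, target),
            "ping_sweep_targets": ping_sweep(pkts, scanner)}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:18s} {value}")
```

The distinguishing signal for the half-open scan is in classify_scan: every port that answered SYN|ACK is followed by a bare RST from the scanner and never by an ACK, which is exactly the pattern described for nmap -sS above; a connect scan would show the ACK completing the handshake.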



6. Bonus question: what is the operating system of the attacking host?
Running p0f /home/kali/listen.pcap identifies the operating system of the attacking host as Linux 2.6.x


Attack and defense confrontation practice

The attacker performs an nmap scan (with a specific purpose); the defender sniffs with tcpdump and analyses with Wireshark, determining the scan target and the nmap command used by the attacker for each scan.
Since the defender needs Wireshark for analysis, a copy of the kali machine was made: one kali machine, 192.168.200.7, acts as the scanner and the other, 192.168.200.6, as the detector.
Performing a ping sweep: ICMP packets are detected and analysed with Wireshark; the command is presumed to be ping:


Packets 4 and 5 are ARP request packets broadcast in the broadcast domain; both tcpdump and Wireshark captured them.

Scanning the TCP ports of the target machine: it is not clear whether this is due to kali's port settings, but all 1000 TCP ports scanned are closed.

tcpdump captures the TCP RST packets; analysing the capture with Wireshark shows a large number of [RST, ACK] packets, indicating that the ports are not active. The scan command is presumably nmap -sS 192.168.200.6.


Scanning the UDP ports of the target machine: tcpdump detects a large number of UDP packets to the target, and in Wireshark a large number of UDP packets of length 60 can be seen, i.e. the probe nmap -sU 192.168.200.6

4. Problems encountered in learning and their solutions

  • Problem 1: could not find a suitable BBS to log in to with telnet
    Solution to problem 1: referred to this blog post on BBS sites that offer telnet access
  • Problem 2: when using the snort tool to parse the wireshark pcap file, several errors occurred while installing snort
    Solution to problem 2: at first I looked for an installation tutorial, but the source-code installation procedure is very complex and, because the current environment lacks many dependencies, installation often failed; later, following the Snort installation tutorial, it can be installed directly with sudo apt-get install snort and sudo pip install websnort, which saves many steps.
  • Problem 3: analysing the nmap scan for the forensic analysis practice assignment
    Solution to problem 3: referred to this material on network sniffing and protocol analysis

5. Learning experience and reflection

This week's learning content covered the techniques related to network sniffing and protocol analysis: for network sniffing, mainly the use of the tcpdump and snort software, and for protocol analysis, mainly analysing different packets with wireshark and then inferring network scanning and connection behaviour from them. As far as protocol analysis is concerned, I feel my grasp is not deep or comprehensive enough and needs to be improved.

Source: www.cnblogs.com/louhao-20199310/p/12534299.html