- Practical content and process
- The technical definition of a network sniffer
- Hazards and the role of network sniffer
- Network sniffing tools and classification
- Ethernet
- Unix-platform network sniffer software
- Tcpdump sniffer software
- Network sniffing detection
- Precautions network sniffer
- Practice: Tcpdump
- Network protocol analysis technology principle
- Wireshark
- Practice: Wireshark
- Forensic analysis practice: decoding network scanning
- Offense and defense against the practice
- Learning problems encountered and solutions
- Practice summary
- Reference material
Practical content and process
The technical definition of a network sniffer
Sniffer (Sniff) is a technique used by hackers eavesdropping, which uses a destination computer network interface for intercepted data packets to other computer user account password to listen for the data stream or contained private information.
Hazards and the role of network sniffer
harm:
- Passively, silently sniff data, theft of confidential information;
- Sniffing the underlying network protocol information, to launch further attacks to gather information;
- Man in the middle attack for the attacker to provide help;
- Concealed, difficult to detect.
Value:
- Network administrators can identify potential problems in the network and address them;
- Network intrusion detection system provides the basis of the underlying data sources, capture raw network packet transmission, it found evidence of the invasion by the detection system;
- Development of network applications programmer can be used for the actual capture and analyze network packet transmission. The application development, and the analysis.
Network sniffing tools and classification
| ? Classification according to the link-layer network monitor | Classified according to the form of realization |
|---|---|
| Ethernet, Wi-Fi | Sniffer software, hardware sniffer |
Ethernet
Ethernet is a computer local area network technology. The IEEE 802.3 standard Ethernet IEEE organization developed technical standard, which defines the connection includes a physical layer, a medium access layer, and an electronic signal protocol. Ethernet is the most popular LAN technology, replacing the other LAN technology such as Token Ring, FDDI, and ARCNET.
Unix-platform network sniffer software
(. 1) capture libpcap development libraries
on Unix-based platforms is libpcap kernel mode BPF packet capture library developers to provide a standard application.
(2) tcpdump sniffer software
tcpdump is the oldest and most versatile sniffer program. It provides a command line, using filters BFP supports syntax selective packet sniffing on the network, and then protocol TCP / IP protocol stack analysis, and to each row of a content packet capture results presented sniffer .
(. 3) software sniffer wireshark
wireshark sniffer is based on best software graphical interface Unix-current internet.
Tcpdump sniffer software
TCPDump may be transmitted in the packet network is completely intercepted from the analysis provided. It supports filtering for the network layer, protocol, host, network, or port, and provide and, or, not logic statements and other information to help you get rid of useless.
Network sniffing detection
- On the same host, you can check whether the network card running in promiscuous mode to monitor the ongoing discovery of sniffer;
- Based on the different characteristics of the hybrid mode and the operating system protocol stack, sniffer to detect other hosts on the network.
Precautions network sniffer
- Using secure network topology switched network as far as possible, and by providing the other technical means VLAN in the switch, the network segment reasonable, as far as possible so that the network packet is only forwarded to the destination host;
- Instead of the dynamic or static ARP mechanism with MAC- port mapping table;
- Attention focus location point data transmission network security, such as gateways, routers, switches and the like;
- Avoid the use of password transmission network protocol or sensitive information, and the use of encryption and security enhanced network protocol instead.
Practice: Tcpdump
Use Tcpdump access on this machine www.tianya.cn website sniffing process, answer the question: How many Web browser will access the server? What their IP address?
Open the terminal, enter the following command:
sudo tcpdump -nn '(tcp[tcpflags] & tcp-syn !=0 and tcp[tcpflags] & tcp-ack!=0) and (host 192.168.1.12)'
Where 192.168.1.12is the IP address of the machine, said command fetch SYN and ACK packet is not 0, the detailed information about the meaning of the two references.
After entering the command, browser access www.tianya.cn , the terminal has the following output:
clear access to the Web server are:
| IP | position |
|---|---|
| 124.225.65.154 | Haikou City, Hainan Telecom |
| 124.225.214.206 | Haikou City, Hainan Telecom |
| 106.120.159.126 | Beijing Telecom |
| 124.225.135.230 | Sanya City, Hainan Telecom |
| 103.79.25.53 | Haidian District, Beijing BGP multi-line |
| 218.77.130.200 | Haikou City, Hainan Telecom |
| 124.225.214.214 | Haikou City, Hainan Telecom |
Network protocol analysis technology principle
- First, the raw data obtained in the sniffer binary data link layer packet transmission, in most cases is Ethernet data frame;
- Ethernet data frame structure analysis, the structure of positioning the frame header fields, the header type field is determined according to the network layer protocol type, in most cases the IP protocol, network layer and extracts content data included in the frame;
- Further analysis of the IP packet, if the bit slice set points, IP fragment reassembly is performed according to Protocol IP protocol header fields, determining the type of transport layer protocol, TCP or the UDP is often the case, and extracts the IP packet the transport layer data content;
- The port continues to determine the specific destination TCP or UDP application layer protocols such as http, ftp, telnet and so protocol data packet, and the TCP or UDP packet recombinant splicing to give the application layer protocol-specific interactive application content;
- Integrating the data recovery based on the corresponding application layer protocol, to get the actual data transmission.
Wireshark
Wireshark (formerly Ethereal) is a network packet analysis software. Network packet analysis function of the software is network packet capture and show as much as possible the most detailed packet data network. Wireshark WinPCAP use as an interface for data exchange messages directly with the card. In the past, network packet analysis software is very expensive or specialized software belonging to profit with. Ethereal has changed all that. GNUGPL coverage under the General Public License, users can get the software and its source code is free of cost and for its own source code modification and customization rights. Ethereal is one of the most extensive worldwide network packet analysis software.
Practice: Wireshark
Wireshark software for use telnet to log on the local BBS sniffing and protocol analysis, replied:
- What IP address and port BBS server you are logged each a?
- telnet protocol is how to pass the username you entered the server login and password?
- How to use Wireshark packet sniffer analysis, and obtain your login name and login password?
Open Wireshark, open the capture.
Open a terminal, enter the following command to access Fudan BBS:
telnet bbs.fudan.edu.cn
Ethereal Results:
From the above, the server IP is 202.120.225.9, port 23
Telnet uses clear text transmission of user name and password.
In the terminal, use the "guest" user login BBS.
Enter the filter rules Wireshark telnet, may be used to view all data packets of the protocol, as shown below, can be found sequentially "guest" user name string (single character transmission) just logged in the Data items:
the character data screenshot omitted.
Forensic analysis practice: decoding network scanning
Pcap download package provided by the teacher, using the Wireshark open, open the Statistics - Conversations
can be seen, attack aircraft IP: 172.31.4.178, network scanning target IP: 172.31.4.188
Open kali experimental environment, snort installation tool, the above-described intrusion detection pcap packet:
sudo apt-get install snort
Giving all permissions:
sudo chmod 777 /etc/snort/snort.conf
After entering the pcap packet directory, execute:
sudo snort -A console -q -u snort -c /etc/snort/snort.conf -r listen.pcap
Thus, attack aircraft using nmap to scan the target network.
The following analysis of the scanning process:
First screened ARP packet, the next figure no other additional data packets between No. 5,6,7,8 packet, so you can know this is to use namp -sPthe probe active hosts.
Next screening tcp.port == 57738 and tcp.flags.syn == 1 and tcp.flags.ack == 0, represents tcp tcp port 57738 to send a request but no response. The basic scanning encompasses all protocols and services on the drone, so speculation is the namp -Ooperating system installed on the scanning drone.
Below, and from the third scanning package is substantially 12W, generally scanned ports 6W. Because nmapdefault can only scan 1000 ports, so you can guess the third scan with the command should be nmap -sSmanually specified number of ports.
Screening tcp.port == 23(telnet to port 23) filter file data. Drone attack aircraft was found to be four times the scanning process. Easy to see in the first, second and third scans are only established connection is ended, but the emergence of a telnet connection when the fourth scan; If you use the command tcp.port == 22(ssh port 22) is also seen first, second and third it is to establish a connection, the fourth appeared ssh connections, so guess the fourth time nmapscans using the command nmap -sVto detect the drone of open network services.
Determine the port: screening tcp.flags.syn == 1 and tcp.flags.ack == 1, you can get:
the port are:21、22、23、25、53、80、139、445、3306、5432、8009、8180
Determine the operating system:
first install p0f:
sudo apt-get install p0f
Use the following command to detect:
sudo p0f -r listen.pcap
Seen from the chart, the system is Linux 2.6.x
Offense and defense against the practice
kali attack machine IP: 192.168.237.128
drone IP: 192.168.119.128
drone surveillance: sudo tcpdump -i eth0 -w dump.pcap
Attacker: sudo nmap -sP 192.168.119.128
drone View Log: sudo tcpdump -r dump.pcap
the above figure "who-has" field content expressed drones detected a host active.
Learning problems encountered and solutions
Q: System can not Telnet
A: By brew install telnetmounting
Q: As the network reasons, Homebrew package management tools can not be installed properly
A: change the source installation: Homebrew domestic-step installation
Q: telnet access Fudan BBS garbled
A: Chinese encoding selected terminal sets
Q: blog Garden uploaded images sometimes does not display
A: Figure bed may be a problem with the server, consider replacing the view of the bed: https://sm.ms
Practice summary
The practical content is a certain difficulty, networks need a lot of computer expertise, it would be difficult to understand the meaning of each step.