20,199,324 2019-2020-2 "network attack and defense practice" work week 4

Others 2020-03-24 13:13:51 views: null

Job Description

Text of the job

1. Practice content (knowledge summary)

Network sniffer

  • It is defined : a network sniffer eavesdropping techniques used by hackers using a computer network interface to intercept data packets destined for other computers, user account password to listen for the data stream or contained private information.
  • Network sniffer : Tools for network sniffing technology called network sniffer. Sniffer captured data packet is binary data after packet processing , and therefore often combined with network protocol analysis technology to resolve sniff network data, so as to restore the contents of each layer of the network protocol TCP / IP protocol stack and the application layer information event sent.
  • Principle and Implementation of Network Sniffer
    • Ethernet works: Ethernet uses CSMA / CD technology, the use of a broadcast mechanism, all workstations connected to the network can see the data transfer over the network. A network card host is a hardware device receiving the transmitted data. Card send and receive data packets to complete the work. For incoming data card has four modes:
      • Broadcast mode: in this mode the card is able to receive the broadcast data network.
      • Multicast mode: in this mode the card can receive the multicast data.
      • Direct Mode: only matching destination MAC address. The card can receive the data.
      • Promiscuous mode: No matter what the destination MAC address is the network card can receive all the monitored data .
    • Network monitoring principle:
      • Properties using Ethernet NIC set in promiscuous mode state tool, once the card is set to this mode, it can receive information via each of its packets.
    • Shared Network sniffing: a hub connected to the hub Renyiyitai host can sniff all network traffic on the entire hub.
    • Interactive Network sniffing: transmitting data by MAC address mapping table. There are usually three ways sniffing:
      • MAC address flooding attacks
      • MAC spoofing
      • ARP spoofing
  • Network sniffer software
    • UNIX-platform network sniffer software
      • libpcap packet capture library development: on UNIX-platform development library of standards-based packet capture kernel mode BPF provided to the application.
      • tcpdump sniffer software: the oldest and most versatile sniffer program. It is generic command packet network sniffer and analysis program, allowing the user to be able to intercept and display specific TCP / IP packets from the network host is located. The key take advantage of BPF filter rule also use tcpdump-depth analysis of network data packets and lies.
      • wireshark sniffer software: it is the current UNIX-based platform best sniffer software graphical interface. Network packets may be captured, and a detailed protocol analysis.
    • There are versions of the corresponding transplant on UNIX-like platforms on Windows platforms, in addition to snifferPro and so on.

Network Protocol Analysis

  • Is defined : a network protocol analyzer is further resolved to capture packets appreciated network sniffer necessary technical means, refers to data in binary format packet transmitted on the network is parsed to recover the information and network protocol layers art method transferring content .
  • Principle : a network protocol analyzer layer by layer from the bottom up parsing required network protocol, simultaneously recombinant IP packet fragments and TCP sessions, need to parse all of the header field information stored on the network layer, and application layer data of the highest level, and provided to the user to understand the full range of network packet information.
  • Unpack the data packet illustrated process:
  • Technology : has a corresponding source to achieve such Tcpdump, Wireshark and Snort in open source software.

2. practice

Hands: tcpdump

Tcpdump to sniff the use of open source software for accessing the website www.tianya.cn process on this machine. Answer the question: when you visit www.tianya.cn Home, the browser how many Web server access? What are their IP address?

  • Www.tianya.cn site on the first visit kail
  • In the run command terminal sudo tcpdump src 192.168.200.3 and tcp dst port 80, wherein srcand dstdetermining transmission direction key indicating ip packet source address 192.168.200.3, indicates that only 80 captures the TCP protocol packet port.
  • Successfully get the browser to access the IP address of the Web server 124.225.135.230, 124.225.65.154 , 124.225.214.205, 124.225.65.155.
  • By nslookup tianya.cnviewing www.tianya.cn corresponding IP address of the command.
  • View relevant information can also be found with the command tcpdump host tianya.cn, tcpdump -nn '(tcp[tcpflags] & tcp-syn !=0 and tcp[tcpflags] & tcp-ack!=0) and (host 192.168.0.11)'or the like. The latter -nnspecifies converting each of the monitored packet into the domain IP, port name from the display after conversion to the application port number, (tcp[tcpflags] & tcp-syn !=0 and tcp[tcpflags] & tcp-ack!=0)simultaneously with the gripping of SYN and ACK packets.

Hands: Wireshark

Task: Use Wireshark open source software to telnet to log on the local BBS sniffing and protocol analysis. Answer questions given operation:

  1. What IP address and port BBS server you are logged each a?
  2. telnet protocol is how to pass the username you entered the server login and password?
  3. How to use Wireshark packet sniffer analysis, and to obtain a user name and login password?
  • Choose to telnet on the host, will first open telnet
  • Open wireshark
  • With bbs.fudan.edu.cn, for example, at the command line input telnet bbs.fudan.edu.cninto the Forum
  • It found that BBS server logged IP is 202.120.225.9then input newregister
  • And then re-enter:
  • Telnet directly input wireshark filter, the filter can show packets related telnet, which can be seen by looking at wireshark port number 23 which
  • When can be found here passes the user name and password, a character is a character transfer.





  • You can see the transfer password is transmitted in the clear, it is easy to obtain, it is transmitted in the clear telnet seen very unsafe.







  • It can also be seen username and password by tracking TCP stream
  • telnet protocol is how to pass the username you entered the server login and password?
    • Telnet is a simple remote terminal protocol, Telnet service is built on the basis of tcp
    • Driving data to the end user through the process of the operating system kernel of a terminal keyboard input, driven by the terminal then processes the data to the client process Telnet, Telnet client processes the received TCP data transmission, established by the TCP client and server TCP connection through the TCP connection data is sent to the server, the server TCP layer of the received data to the corresponding application layer Telnet server process.

Practice work - forensic analysis practice: decoding network scanning

Analysis of the artefacts to five different types of port scan a honeypot host. Snort network intrusion detector to capture and store traffic for each scan tcpdump binary format network log file.
problem:

  1. What is the IP address of the attacking host?
  2. What destination IP address of the network scanning is?
  3. The case which uses a scan tool to initiate these port scan? How did you determine?
  4. You log file analyzed, the attacker uses a scanning method which, what is the destination port scanning, and describe how it works.
  5. Found on the honeypot which ports are open?
  6. What operating system attacks the host is?
  • Open downloaded listen.pcap, select statistics menu bar -> Sessions, and then click IPv4, you can see 172.31.4.178and 172.31.4.188there are plenty of two-way data packets between networks, it can be initially identified the two are attacking host IP and network scanning target host IP.
  • See session data packet contents, found in all request packets (e.g., TCP SYN packet) from 172.31.4.178 is initiated, all of the response data packet (e.g., SYN / ACK packet) are sent from 172.31.4.188.
  • IP address of the attacking host is: 172.31.4.187
  • Destination IP address of the network scan are: 172.31.4.188
  • Use snort binary log files intrusion detection.
sudo apt-get update
sudo apt-get install snort  // 安装snort
sudo chmod 777 /etc/snort/snort.conf // 给予snort.conf可读可写可执行权限
snort -A console -q -u snort -c /etc/snort/snort.conf -r ~/listen.pcap // -A开启报警模式,-q不显示状态报告,,-u为初始化后改变snort的UID,-c为使用后面的配置文件,进入IDS模式,-r从pcap格式的文件中读取数据包

  • It can be found in this attack is initiated using nmap.

  • Before initiating nmap port scan to determine the target host is always the first and the probe is active for 80 ports by Ping Scan (host scanning). Searching through the filter icmp, may be positioned corresponding to the protocol ICMP Ping scanning, scanning for Double Ping, instructions may benmap -sP 172.31.4.188

  • Search through the filter tcp

  • We can see a set of numbers 9,10,13 is half-open scanning, using incomplete three-way handshake tcp connection to the target host tentative No. 57738 Port attacking host sends a SYN packet to the target ip port number 3306, No. 3306 target ip port open, returns a TCP SYN & ACK packet, then send a RST packet attack the host to establish a connection stop. This is typical of a scan half-open (TCP SYN scan), red and blue frame in the following also similar, respectively, to monitor the target host port 23, port 80 and port 139 is open.

  • Look at the green box, the attacking host port on the target machine sends the SYN packet number 955, the port returns a TCP RST & ACK packet, indicating that the port is closed.

  • Above half scan instruction may be open nmap -sS 172.31.4.188

  • You can see the image above number 135477,135478,135479 is a full TCP three-way handshake, speculated that it was first opened scanning (TCP connect scan), the handshake to establish tentative target host port connection through a full TCP three times, and returns an ACK packet 8009 described the port is open. Scan instruction may benmap -sT -p 8009 172.31.4.188

  • Through the filter tcp.flags.syn == 1 and tcp.flags.ack == 1can filter out SYN | ACK packet, which is the target host port active feedback attacking host. View the drone of open ports are:21 22 23 25 53 80 139 445 3306 3632 5432 8009 8180

Practice work - offensive and defensive combat practice

Nmap scanning by the attacker (up specifically purposes), with defender tcpdump sniffer, with Wireshark analysis, and analysis of the scanned object and the attacker nmap command each use.

  • windowsXP for the attacking side, IP address 192.168.200.2, kali for the defensive side, IP address 192.168.200.3.

3. The problems and solutions encountered in the study

  • Question 1:
  • Problem 1 Solution: Unresolved

4. practice summary

5. References

Guess you like

Origin www.cnblogs.com/yangdd/p/12551702.html
Recommended
Ranking
Empire cms smart tag calls four first-level recommended articles, starting from the fourth article
Linux environment installation and configuration Elasticsearch7.17
Big Data processing architecture and Lambda Kappa architecture
Explore the top of the AI large model platform - Wenxin Qianfan
Beijing car PK10 lucky airship Guanya size and value of the odd and even tips
W3B x Sui Hacker House|In-depth understanding of Sui and Move language
Know almost Ko Chan: Chinese what any decent open source software products? (Finishing from my original answer)
Comprehensively improve AD domain security authentication | Zhuyun IDaaS
Android Update Engine Analysis (24) What happened when making the downgrade package?
Spark Architecture and Operating Mechanism (1) - System Architecture
Daily
More
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)

Code World

© 2018 codetd.com