20199323 2019-2020-2 "Network Attack and Defense Practice" Week 4 Assignment


1. Practice content

Network sniffing is an eavesdropping technique commonly used by attackers: the attacker's network interface captures packets whose destination is another host, in order to read account names, passwords or other private information carried in the data stream. The tool that implements network sniffing is a network sniffer.
Classification of sniffing techniques: by the link-layer network being monitored, sniffers are divided into Ethernet and Wi-Fi sniffers. A wireless sniffer supports monitoring Wi-Fi. The only difference between a wireless sniffer and a wired one is that the wireless sniffer can read and analyze frames that follow wireless transmission protocols such as IEEE 802.11.

By implementation, sniffers are divided into software sniffers and hardware sniffers. A hardware sniffer captures and analyzes network data with dedicated hardware; its advantages are speed and complete capture with no dropped packets. Some intrusion detection systems, firewalls and similar appliances are also built on hardware sniffers.

Sniffing on a switched network:
- MAC address flooding: the attacker sends the switch a large number of frames with fabricated source MAC (and IP) addresses, so that the switch's "MAC address to port" mapping table overflows and can no longer be maintained; the switch then enters fail-open mode and floods every frame out of all ports, where the attacker can capture it.
- MAC spoofing: the attacker impersonates the network card of the host to be monitored by forging the source MAC address of its frames to be that host's MAC address and sending them through the switch, so that the switch keeps updating its "MAC address to port" table to map the victim's MAC to the attacker's port.
- ARP spoofing: the attacker exploits the lack of authentication in the protocol that maps IP addresses to MAC addresses, sending forged ARP replies so that victims bind the target's IP address to the attacker's MAC address, which achieves MAC address spoofing at the IP layer.
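The ARP spoofing described in the last list item, as an added example that is not part of the original write-up: it builds raw Ethernet/ARP frames (the same builder produces both the legitimate gateway reply and the attacker's forged one) and runs a small detector that learns IP-to-MAC bindings from ARP replies and alerts when a binding changes or the Ethernet source does not match the ARP sender address. The MAC addresses, the gateway address 192.168.200.1 and the victim address 192.168.200.4 are assumptions for the sample; nothing here is sent on a real network.

```python
# Added example (not from the original post): forged ARP reply construction and
# a first-seen-wins IP->MAC watcher that flags the binding change a spoofer causes.
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6


def mac_str(b): return b.hex(":")
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))


def build_arp(oper, sha, spa, tha, tpa, eth_dst=None):
    """Ethernet frame carrying an Ethernet/IPv4 ARP packet.

    A spoofer calls this with spa = the gateway's IP and sha = its own MAC, addressed to the victim,
    so the victim's ARP cache now points the gateway IP at the attacker.
    """
    eth = ETH_HDR.pack(eth_dst or mac_bytes(tha), mac_bytes(sha), ETHERTYPE_ARP)
    return eth + ARP_PKT.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa),
                              mac_bytes(tha), ip_bytes(tpa))


def parse_arp(frame):
    dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                                 # only Ethernet/IPv4 ARP is handled
    return {"eth_src": mac_str(src), "oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatcher:
    """Learns IP->MAC from ARP replies; alerts on a changed binding or an inconsistent frame."""

    def __init__(self):
        self.table, self.alerts = {}, []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REPLY:
            return                                  # requests do not assert a binding
        if arp["eth_src"] != arp["sha"]:
            self.alerts.append(f"{arp['spa']}: Ethernet source {arp['eth_src']} != ARP sender {arp['sha']}")
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]     # first binding seen is trusted
        elif known != arp["sha"]:
            self.alerts.append(f"{arp['spa']} moved from {known} to {arp['sha']}")


def sample_run():
    """Constructed exchange: victim asks for the gateway, gateway answers, then the attacker answers too."""
    gw_mac, victim_mac, attacker_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99"
    gw_ip, victim_ip = "192.168.200.1", "192.168.200.4"
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip, eth_dst=BROADCAST),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),        # legitimate reply
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),  # forged reply (spoof)
    ]
    watcher = ArpWatcher()
    for frame in frames:
        watcher.observe(frame)
    return watcher
```

First-seen-wins is the simplest policy and is what a tool such as arpwatch also reports on: it cannot tell which of two claimants is genuine, only that the binding changed, which is the signal an operator investigates.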

On UNIX-class platforms, network sniffing is implemented mainly through the BPF (Berkeley Packet Filter) kernel-mode module together with the libpcap user-mode packet capture library.
Network sniffer implementation on the Windows platform:
Windows does not provide a standard network sniffing interface, so a driver or network component must be added. The most common one is NPF, which is compatible with the BPF module of UNIX platforms: it filters packets in kernel mode and passes the matching packets intact to the user-mode module. WinPcap plays the same role on Windows as libpcap does on UNIX.
Software tools:
UNIX platform: libpcap, tcpdump, Wireshark
Windows platform: WinDump (the Windows port of tcpdump), Wireshark

Principle of a network protocol analyzer: it parses the captured data layer by layer from the bottom protocol upward, reassembling fragmented IP datagrams and TCP sessions along the way; at each layer it has to extract and keep the packet header fields, and at the top it recovers the application-layer data content.
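The layer-by-layer parsing the paragraph describes, as an added example that is not part of the original write-up: Ethernet, then IPv4 (with header checksum verification and fragment reassembly), then TCP, keeping each layer's header fields and handing the application-layer payload up. The sample traffic is constructed in the code; the client address 192.168.200.4, the server address 124.225.65.154 and the www.tianya.cn host name are taken from the tcpdump exercise below, while the MAC addresses, IP identification value and port numbers are assumptions.

```python
# Added example (not from the original post): a minimal Ethernet -> IPv4 -> TCP parser
# with IPv4 fragment reassembly, fed with frames constructed inside this file.
import struct
import ipaddress

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")    # fixed 20-byte TCP header
ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header whose checksum field is valid it returns 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ethernet(frame: bytes):
    dst, src, etype = ETH_HDR.unpack_from(frame)
    return {"dst": dst.hex(":"), "src": src.hex(":"), "type": etype}, frame[ETH_HDR.size:]


def parse_ipv4(data: bytes):
    vihl, _tos, total, ident, ffo, ttl, proto, _csum, s, d = IP_HDR.unpack_from(data)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total > len(data):
        raise ValueError("malformed IPv4 header")
    if ip_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = {"src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
           "id": ident, "ttl": ttl, "proto": proto,
           "mf": bool(ffo & 0x2000), "frag_off": (ffo & 0x1FFF) * 8}
    return hdr, data[ihl:total]                     # options (if any) are skipped via ihl


class FragmentReassembler:
    """Collects fragments per (src, dst, id, proto); returns the full payload once no holes remain."""
    def __init__(self):
        self.pending = {}

    def feed(self, ip: dict, payload: bytes):
        if not ip["mf"] and ip["frag_off"] == 0:
            return payload                          # not fragmented at all
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        state = self.pending.setdefault(key, {"parts": {}, "end": None})
        state["parts"][ip["frag_off"]] = payload     # a retransmitted duplicate simply overwrites
        if not ip["mf"]:
            state["end"] = ip["frag_off"] + len(payload)
        if state["end"] is None:
            return None                             # last fragment not seen yet
        buf, covered = bytearray(state["end"]), 0
        for off in sorted(state["parts"]):
            if off > covered:
                return None                         # hole before this fragment
            part = state["parts"][off]
            buf[off:off + len(part)] = part
            covered = max(covered, off + len(part))
        if covered < state["end"]:
            return None
        del self.pending[key]
        return bytes(buf)


def parse_tcp(seg: bytes):
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = TCP_HDR.unpack_from(seg)
    doff = (off_res >> 4) * 4                       # data offset also covers TCP options
    names = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
    hdr = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
           "flags": {n for i, n in enumerate(names) if flags & (1 << i)}}
    return hdr, seg[doff:]


def parse_frames(frames):
    """Walk each frame up the stack and return one record per reassembled TCP segment."""
    reasm, records = FragmentReassembler(), []
    for frame in frames:
        eth, rest = parse_ethernet(frame)
        if eth["type"] != ETHERTYPE_IPV4:
            continue
        ip, payload = parse_ipv4(rest)
        datagram = reasm.feed(ip, payload)
        if datagram is None or ip["proto"] != PROTO_TCP:
            continue
        tcp, app = parse_tcp(datagram)
        records.append({"eth": eth, "ip": ip, "tcp": tcp, "payload": app})
    return records


def build_frame(src_ip, dst_ip, ident, frag_off, mf, payload, ttl=64):
    """Builder used only to fabricate sample input (MACs and id are assumed values)."""
    ffo = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = IP_HDR.pack(0x45, 0, 20 + len(payload), ident, ffo, ttl, PROTO_TCP, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the checksum
    eth = ETH_HDR.pack(b"\x00\x0c\x29\x00\x00\x02", b"\x00\x0c\x29\x00\x00\x01", ETHERTYPE_IPV4)
    return eth + hdr + payload


def sample_records():
    """One HTTP request split into two IP fragments, delivered out of order."""
    http = b"GET / HTTP/1.1\r\nHost: www.tianya.cn\r\n\r\n"
    seg = TCP_HDR.pack(50000, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0) + http   # flags PSH|ACK
    first, second = seg[:24], seg[24:]              # non-final fragment data must be a multiple of 8
    frames = [build_frame("192.168.200.4", "124.225.65.154", 0x1234, 24, False, second),
              build_frame("192.168.200.4", "124.225.65.154", 0x1234, 0, True, first)]
    return parse_frames(frames)
```

The reassembler deliberately accepts the second fragment before the first and only releases the datagram when the byte range from 0 to the end of the last fragment is covered without holes; a real analyzer additionally needs a timeout for fragment sets that never complete, which is omitted here.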

2. Practice

tcpdump

Use the open-source tool tcpdump to sniff the process of this machine visiting the site www.tianya.cn, and answer: when you open the www.tianya.cn home page, how many web servers does the browser access? What are their IP addresses?
Opened a terminal in the Kali virtual machine, entered tcpdump src 192.168.200.4 and tcp dst port 80, and then opened www.tianya.cn in the browser.

Several IP addresses appear repeatedly: 124.225.65.154, 124.225.135.230, 218.77.130.200 and 106.120.159.126. Entering nslookup www.tianya.cn shows that its IP is 124.225.65.154.

Wireshark:

Use the open-source tool Wireshark to sniff and analyze a telnet login to a local BBS, answer the following questions and describe the steps:
(1) What are the IP address and port of the BBS server you logged in to?
(2) How does the telnet protocol transmit the username and password you enter to the server?
(3) How can Wireshark packet sniffing and analysis be used to obtain your username and login password?
Open the Control Panel, click Programs, open "Turn Windows features on or off", and select Telnet Client:

Opened Wireshark and started a telnet to Douban, but it did not connect; on checking, Douban does not have port 23 open. So I changed the site to bbs.newsmth.net.


As the figure shows, the IP of this machine is 192.168.2.228, the BBS server's IP is 120.92.212.76, and the port number is 23.
Logged in using the guest account.

Viewed the traffic in Wireshark.


These are the first two characters of the account; the account is too long to capture in full in one screenshot. The following is the password:


From the screenshots, the telnet protocol analysis shows that the username and password are transmitted to the server in plaintext, one character at a time, so an attacker sniffing the session can reassemble them.

Forensic analysis practice: decoding a network scan

1. What is the IP address of the attacking host?

The figure shows that the traffic is between 172.31.4.178 and 172.31.4.188. Since 172.31.4.178 sends the first packets, it is the attacking host, and 172.31.4.188 answers its TCP packets with ACK replies.
2. What is the destination IP address of the network scan? 172.31.4.188
3. Which scanning tool launched these port scans in this case? How did you determine that?

nmap

Used the snort tool to analyze the listen.pcap file:

The alerts show that the scan was generated by nmap.
4. From the log file you analyzed, which scanning method did the attacker use, what were the target ports, and how does it work?
These scans were launched by nmap. Before starting a port scan, nmap first determines whether the target host is up, by an ICMP ping and by probing port 80. Filtering on icmp in Wireshark shows the corresponding ICMP ping scan.


As the figure shows, packets 9, 10 and 13 together make up exactly one TCP SYN scan probe; the target port being scanned is
Principle of TCP SYN scanning: the local host sends a SYN segment to the target host. If the target answers with a segment that has SYN = 1 and ACK = 1, the port is open (listening); the scanner then sends RST to the target to abort the handshake instead of completing the connection, which is why it is called half-open scanning. If the target answers with RST, the port is closed, and the scanner sends nothing further. A port that never answers is recorded as filtered.
5. Which ports are open on the honeypot?
By the TCP SYN scan principle, applying the filter tcp.flags.syn == 1 and tcp.flags.ack == 1 in Wireshark shows the SYN|ACK packets, and from them the open ports are 21, 22, 23, 25, 53, 80, 139, 445, 3306, 3632, 5432, 8009 and 8180.
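The classification used in questions 4 and 5, as an added example that is not part of the original write-up: it reduces TCP segments to flow records and applies the same rules as the Wireshark filters above (SYN-only probes out, SYN|ACK back means open, RST back means closed, no answer means filtered), and it tells a half-open SYN scan from a connect() scan by whether the scanner ever completes the handshake. The flow records are constructed here: the scanner 172.31.4.178, the target 172.31.4.188 and the open ports mirror the write-up, but the closed ports, the filtered port, the third host 172.31.4.10 and the source port numbers are assumptions, and the record set is not the real listen.pcap.

```python
# Added example (not from the original post): port-scan classification over
# constructed flow records, following the SYN / SYN|ACK / RST rules given in the text.
from collections import defaultdict


def tcp(src, dst, sport, dport, *flags):
    """Constructed flow record: one TCP segment reduced to the fields the analysis needs."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": set(flags)}


def analyze_scan(records, min_ports=5):
    """Group SYN probes by (scanner, target) and classify each probed port by the target's answer.

    SYN|ACK from the target -> open   (Wireshark: tcp.flags.syn == 1 and tcp.flags.ack == 1)
    RST from the target     -> closed
    no answer               -> filtered
    A bare ACK from the scanner completing the handshake indicates a connect() scan rather
    than a half-open SYN scan. Pairs with fewer than min_ports probes are ordinary clients.
    """
    probed = defaultdict(dict)       # (scanner, target) -> {port: state}
    completed = defaultdict(set)     # (scanner, target) -> ports where the 3rd handshake step was seen
    for r in records:
        f, fwd, rev = r["flags"], (r["src"], r["dst"]), (r["dst"], r["src"])
        if f == {"SYN"}:
            probed[fwd].setdefault(r["dport"], "filtered")          # no answer seen yet
        elif {"SYN", "ACK"} <= f and r["sport"] in probed.get(rev, {}):
            probed[rev][r["sport"]] = "open"                         # target answers from the probed port
        elif "RST" in f and r["sport"] in probed.get(rev, {}):
            probed[rev][r["sport"]] = "closed"                       # RST|ACK from the target
        elif f == {"ACK"} and r["dport"] in probed.get(fwd, {}):
            completed[fwd].add(r["dport"])                           # scanner finished the handshake
    findings = []
    for (scanner, target), ports in probed.items():
        if len(ports) < min_ports:
            continue
        method = "TCP connect" if completed[scanner, target] else "TCP SYN (half-open)"
        findings.append({
            "scanner": scanner, "target": target, "method": method, "probes": len(ports),
            "open": sorted(p for p, s in ports.items() if s == "open"),
            "closed": sorted(p for p, s in ports.items() if s == "closed"),
            "filtered": sorted(p for p, s in ports.items() if s == "filtered"),
        })
    return findings


def sample_findings():
    """Constructed half-open scan plus one ordinary client connection that must not be reported."""
    A, T, C = "172.31.4.178", "172.31.4.188", "172.31.4.10"
    open_ports = [21, 22, 23, 25, 53, 80, 139, 445, 3306]         # as in the write-up
    closed_ports, filtered_ports = [1433, 8080], [135]            # assumed for the sample
    recs = []
    for i, p in enumerate(open_ports + closed_ports + filtered_ports):
        sport = 40000 + i
        recs.append(tcp(A, T, sport, p, "SYN"))
        if p in open_ports:
            recs.append(tcp(T, A, p, sport, "SYN", "ACK"))
            recs.append(tcp(A, T, sport, p, "RST"))                 # scanner tears down: half-open
        elif p in closed_ports:
            recs.append(tcp(T, A, p, sport, "RST", "ACK"))
    recs += [tcp(C, T, 51000, 80, "SYN"), tcp(T, C, 80, 51000, "SYN", "ACK"),
             tcp(C, T, 51000, 80, "ACK")]                           # legitimate full handshake
    return analyze_scan(recs)
```

The scanner's own RST after a SYN|ACK is deliberately ignored: it travels in the scanner-to-target direction, so it never matches the reverse-direction lookup, and a port already marked open stays open. Feeding real captures means producing the same records from parsed TCP headers and, for a SYN scan, expecting exactly the SYN, SYN|ACK, RST triple the write-up identifies as packets 9, 10 and 13.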

6. Bonus question: what is the operating system of the attacking host?
The operating system can be guessed from the TTL value of the packets it sends. Typical initial TTL values:

  • 32 = Windows 95/98

  • 64 = Linux series

  • 128 = Windows XP/2000/NT/ME

  • 255 = UNIX series

    The TTL is 64, so the attacker is running Linux. (The TTL seen in a capture is the initial value minus the number of hops traversed, so a value slightly below one of these should be rounded up to the nearest initial value; here both hosts are on the same subnet, so 64 is the initial value. This is only a heuristic, since the TTL can be changed by the sender.)

3. Problems encountered in the study and their solutions

  • Question 1: I did not know how to determine which scanning tool was used to launch these port scans.

  • Question 1 solution: consulted my classmate Sun Qilong.

  • Question 2: When installing snort a new problem appeared; it could not be installed, and the Linux system showed the following problems:

  • Question 2 solution: searched the Internet for a long time and found a solution to a similar problem:
    https://blog.csdn.net/weixin_43729943/article/details/104221462

4. Practice summary

Analyzing these problems required combining the knowledge learned; many of them deepen the content of the textbook. Some I could not figure out and wasted a lot of time on.


Origin www.cnblogs.com/w741741/p/12555567.html