20199134 2019-2020-2 "Network Attack and Defense Practice" Week 4 Assignment

1. Practice content

1.1 Network sniffer

1.1.1 Definition

A network sniffer uses the computer's network interface to intercept data packets addressed to other computers, in order to monitor the information carried in the data stream. Because the captured packets are binary data, sniffing is normally combined with network protocol analysis to make them readable.

1.1.2 Principle

Ethernet and Wi-Fi are currently the most popular link-layer protocols for wired and wireless LANs; Ethernet serves as the example here. A deployed Ethernet LAN is either shared or switched. A shared network is built around a hub, which repeats every frame to every port, so a host whose interface is in promiscuous mode sees all traffic on the segment. A switched network is built around a switch, which forwards each frame only to the port that owns its destination MAC address, so a sniffer on another port sees only broadcast traffic unless it uses one of the techniques below.

1.1.3 Sniffing techniques in a switched network

1) MAC address flooding: the attacker floods the switch with frames carrying random source MAC addresses until its MAC-to-port table overflows; the switch then forwards frames for unknown addresses to every port and behaves like a hub.
2) MAC address spoofing: the attacker sends frames with the victim's MAC as source, so the switch learns that MAC on the attacker's port and forwards the victim's traffic there.
3) ARP spoofing: the attacker sends forged ARP replies that bind the victim's or the gateway's IP address to the attacker's MAC, so the other hosts send their traffic to the attacker first.

1.1.4 Tools

On UNIX-like platforms the most commonly used are the libpcap capture library and the tools built on it, tcpdump and Ethereal (since renamed Wireshark). Windows has corresponding ports of these, plus commercial tools such as Sniffer Pro.

1.1.5 Countermeasures

1) A secure network topology: segment the network sensibly so that a packet is forwarded only towards its target host. The finer the segmentation, the less information a sniffer can collect.
2) Static ARP or MAC-to-port tables instead of dynamic learning: setting static ARP entries for important hosts or the gateway, and static MAC-to-port mappings on the switch, prevents sniffing by MAC address spoofing or ARP spoofing.
3) Avoid protocols that transmit passwords or sensitive information in cleartext; use strong, secure alternatives (for example SSH instead of Telnet).
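The ARP spoofing technique from 1.1.3 and the static-table countermeasure from point 2, as an added example that is not code from the original post: it builds the forged ARP reply an attacker would send, parses ARP frames field by field, and flags any reply whose IP-to-MAC claim contradicts a static table (or a binding seen earlier in the same capture). Every address below is constructed for the demo.

```python
"""Forged ARP reply beside the check that a static ARP/MAC table makes possible.
Added example, not code from the original post; all addresses are constructed."""
import struct

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
GATEWAY_IP, GATEWAY_MAC = "192.168.6.1", "00:11:22:33:44:01"   # constructed
VICTIM_IP, VICTIM_MAC = "192.168.6.8", "00:11:22:33:44:08"     # constructed
ATTACKER_MAC = "de:ad:be:ef:00:01"                               # constructed


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826 layout, 42 bytes).
    A request goes to the Ethernet broadcast address; a reply goes straight to the target."""
    eth = mac_bytes(eth_dst or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype Ethernet, ptype IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame into its fields; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"op": op,
            "sender_mac": mac_str(body[0:6]), "sender_ip": ".".join(map(str, body[6:10])),
            "target_mac": mac_str(body[10:16]), "target_ip": ".".join(map(str, body[16:20]))}


def detect_arp_spoof(frames, static_table):
    """Return (ip, expected_mac, claimed_mac) for every ARP reply whose sender binding
    contradicts the static table, or a binding learned earlier in this capture."""
    bindings = dict(static_table)
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = bindings.setdefault(ip, mac)     # first claim wins unless the table says otherwise
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts


def sample_capture():
    """Constructed traffic: the victim asks who has the gateway IP, the gateway answers, then the
    attacker sends an unsolicited reply claiming the gateway's IP with its own MAC."""
    return [
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP, eth_dst=BROADCAST),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # the spoofed reply
    ]


if __name__ == "__main__":
    for alert in detect_arp_spoof(sample_capture(), {GATEWAY_IP: GATEWAY_MAC}):
        print("ARP spoof: %s expected %s, reply claims %s" % alert)
```

With the static entry for the gateway the forged reply is caught immediately; without it the detector still catches it because the genuine reply arrived first, which is exactly the race an attacker wins by flooding replies before the real host answers, and the reason the static table is the stronger control.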

1.2 Protocol analysis

1.2.1 Principle

Protocol analysis parses the network protocols layer by layer from the bottom up: decode the link-layer frame, then the network-layer header, then the transport-layer header, reassembling fragmented IP datagrams and TCP sessions along the way, and finally parse the application-layer data at the top, while keeping the header fields of every layer for later analysis.
The decoding of a packet (shown as a figure in the original post) follows the same order: Ethernet frame -> IP header -> TCP/UDP header -> application data.

1.2.2 Implementations

Open-source software such as tcpdump, Wireshark and Snort contains source-code implementations of this decoding.

2. Practice

2.1 tcpdump

Use the open-source tool tcpdump to sniff this machine while it visits www.tianya.cn and answer: when you open the www.tianya.cn home page, how many web servers does the browser contact, and what are their IP addresses?

Run the command (192.168.6.8 is this machine's address):

tcpdump src 192.168.6.8 and tcp dst port 80

Two caveats: add -n if you do not want tcpdump to resolve names, since the lookups themselves generate DNS traffic while you capture; and the filter only matches plain HTTP on port 80, so a site served over HTTPS would need `or tcp dst port 443` as well.

From the output, the web servers contacted while visiting tianya.cn were:
223.119.248.10, China Mobile, Hong Kong
221.182.218.244, China Mobile, Haikou, Hainan
120.201.249.88, China Mobile, Dandong, Liaoning

2.2 Wireshark

Use Wireshark to sniff and analyse a Telnet login to a BBS. 1) What are the BBS server's IP address and port? 2) How does the Telnet protocol transmit the user name and password you type at login? 3) How do you use Wireshark's sniffing and analysis to obtain the user name and password?

(1) Open Wireshark, choose Capture -> Options on the menu bar, and select the WLAN adapter.

(2) Enable the Telnet client (off by default on Windows 10): Control Panel -> Turn Windows features on or off -> tick Telnet Client.

(3) In a terminal, enter: telnet bbs.fudan.edu.cn
(4) The capture shows the server IP address 202.120.225.9 and port 23; log in with the user name guest.


Telnet transmits the user name and password in cleartext. Because the client runs in character-at-a-time mode, each keystroke travels in its own TCP segment, so a single packet shows only one letter; Follow TCP Stream reassembles the client-to-server bytes in sequence order and shows the user name guest with a blank password.
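The layer-by-layer decoding described in 1.2.1 and the Follow TCP Stream step just above, as an added example that is not code from the original post. It peels Ethernet, IPv4 and TCP headers, reassembles each direction of a TCP stream by sequence number (dropping a retransmitted segment), strips Telnet option negotiation and recovers the typed login. The server 202.120.225.9:23 is the one from the capture above; the client address 192.168.6.8, port 51000, the placeholder MACs, the sequence numbers and the server prompts are constructed.

```python
"""Layer-by-layer decoding (Ethernet -> IPv4 -> TCP) and TCP stream reassembly, run on a
constructed Telnet login. Added example, not code from the original post."""
import struct
from collections import defaultdict

ETH_P_IP, IPPROTO_TCP, PSH_ACK = 0x0800, 6, 0x18
CLIENT, SERVER, CPORT, SPORT = "192.168.6.8", "202.120.225.9", 51000, 23   # client side constructed


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload, flags=PSH_ACK):
    """Ethernet II + IPv4 + option-less TCP carrying `payload`. MACs are placeholders and the
    TCP checksum is left zero; the IP checksum is real so the decoder can verify it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    src, dst = (bytes(map(int, a.split("."))) for a in (src_ip, dst_ip))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp


def decode(frame):
    """Peel one layer at a time, keeping the header fields each layer needs; None if not IPv4/TCP."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip_checksum(ip[:ihl]) != 0 or ip[9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack, doff_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": tcp[(doff_byte >> 4) * 4:]}


def reassemble(frames):
    """Group segments by (src, sport, dst, dport), order them by sequence number and drop
    retransmitted bytes: what Wireshark's Follow TCP Stream does for each direction."""
    segs = defaultdict(list)
    for frame in frames:
        pkt = decode(frame)
        if pkt and pkt["payload"]:
            segs[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])].append((pkt["seq"], pkt["payload"]))
    streams = {}
    for key, parts in segs.items():
        data, nxt = b"", None
        for seq, payload in sorted(parts):
            if nxt is not None and seq < nxt:        # overlap / retransmission: keep only new bytes
                payload, seq = payload[nxt - seq:], nxt
            data += payload                           # a gap (seq > nxt) is simply skipped here
            nxt = seq + len(payload)
        streams[key] = data
    return streams


def strip_iac(data):
    """Remove Telnet option negotiation (IAC DO/DONT/WILL/WONT <opt>) so only typed bytes remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data) and 0xFB <= data[i + 1] <= 0xFE:
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def extract_login(frames, server_ip, server_port=23):
    """(username, password) typed by the client: the first two CRLF-terminated lines sent to the server."""
    for (src, sport, dst, dport), data in reassemble(frames).items():
        if (dst, dport) == (server_ip, server_port):
            lines = strip_iac(data).split(b"\r\n")
            return lines[0].decode(), (lines[1].decode() if len(lines) > 1 else None)
    return None


def telnet_login_frames():
    """Constructed capture: login guest with an empty password, one segment per keystroke,
    one retransmitted 'e', the server's prompts, all delivered out of order."""
    frames, seq = [], 1000
    for chunk in (b"\xff\xfd\x01", b"g", b"u", b"e", b"s", b"t", b"\r\n", b"\r\n"):
        frames.append(build_tcp_frame(CLIENT, SERVER, CPORT, SPORT, seq, chunk))
        seq += len(chunk)
    frames.append(build_tcp_frame(CLIENT, SERVER, CPORT, SPORT, 1005, b"e"))          # retransmission
    frames.append(build_tcp_frame(SERVER, CLIENT, SPORT, CPORT, 5000, b"login: "))
    frames.append(build_tcp_frame(SERVER, CLIENT, SPORT, CPORT, 5007, b"Password: "))
    return frames[::-1]


if __name__ == "__main__":
    print(extract_login(telnet_login_frames(), SERVER))   # ('guest', '')
```

Looking at any single client frame in this capture shows a one-byte payload, which is why the user name is invisible until the stream is reassembled; the same reassembly is what lets the sniffer read an SSH banner but nothing of the encrypted session that follows it.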

2.3 Decoding a network scan

The goal is to analyse the artefacts of five different types of port scan against a honeypot host. Note that the port-scan traffic in this case was not captured "in the wild" but deliberately constructed; the sole purpose of this entry-level challenge is to provide a study and training opportunity.

The network intrusion detector Snort captured the traffic of each scan and stored it as a binary log file in tcpdump format. Each group picks two of the five scan logs at random, analyses both files, answers the questions below and writes a detailed analysis report. Through this challenge you learn the packet-capture technique and how to analyse network packets with the decoding tools tcpdump or Wireshark.

1. What is the IP address of the attacking host?

2. What is the IP address of the scan target?

3. Which port-scanning tool was used to launch the scan in this case? How did you determine that?

4. In the log file you analysed, which scanning method did the attacker use, which ports were scanned, and how does that method work?

5. Which ports were found open on the honeypot?

6. Bonus question: what is the attacking host's operating system?

(1) Download listen.pcap shared on the class cloud drive and open it in Wireshark.

Menu bar: Statistics -> Conversations -> IPv4 tab.

Only two hosts exchange a large number of packets in both directions: 172.31.4.178 and 172.31.4.188.

So 172.31.4.178 is the attacker and 172.31.4.188 is the scanned target.
(2) Besides looking at the pcap in Wireshark, run it through Snort; the alerts show that the port scan was launched with nmap.

sudo apt-get install snort
sudo chmod 777 /etc/snort/snort.conf
copy listen.pcap into /home/kali
sudo snort -A console -q -u snort -c /etc/snort/snort.conf -r /home/kali/listen.pcap

(The chmod 777 is not needed: snort is started with sudo and only has to read the file, and a world-writable configuration lets any local user change the rules it loads; 644 is sufficient.)

The Snort output shows a scan launched with nmap.

(3) Filter on arp in Wireshark


The ARP request/reply exchange shows the attacking host first discovering the target with an ARP host scan: on a local segment nmap -sP 172.31.4.188 (spelled -sn in current nmap) uses ARP requests rather than ICMP.


Filtering on icmp shows echo request/reply pairs, i.e. an ICMP ping scan: nmap -sP 172.31.4.188.

Filtering on tcp shows a large number of SYN packets from the attacker to many ports of the target with no completed handshake, i.e. a TCP SYN (half-open) scan: nmap -sS 172.31.4.188.
(4) Which ports on the honeypot are open

tcp.flags.syn == 1 and tcp.flags.ack == 1

(Add `and ip.src == 172.31.4.188` to keep only the target's SYN/ACK replies; a closed port answers RST/ACK instead and a filtered port does not answer at all.)

The SYN/ACK replies show that ports 21, 22, 23, 25, 53, 80, 139, 445, 3306, 3632, 5432, 8009 and 8180 are open.

(5) What is the attacking host's operating system?

Running p0f over the capture passively fingerprints the attacker from the characteristics of its TCP SYN packets; it identifies the attacking host's operating system as Linux 2.6.
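The three Wireshark steps above (conversation statistics, recognising the SYN scan, reading open ports off the SYN/ACK replies) as detection logic over already-decoded packet records, i.e. (src, dst, sport, dport, tcp_flags) tuples as Wireshark displays them. This is an added example, not code from the original post. The records are constructed to mimic the 172.31.4.178 -> 172.31.4.188 traffic with the open-port set found above; the probed range and the filtered port 9999 are assumptions added to show the closed and filtered states as well.

```python
"""Conversation statistics, SYN-scan recognition and open-port listing over decoded packet
records. Added example, not code from the original post; the traffic is constructed."""
from collections import Counter, defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
ATTACKER, TARGET = "172.31.4.178", "172.31.4.188"
OPEN_PORTS = [21, 22, 23, 25, 53, 80, 139, 445, 3306, 3632, 5432, 8009, 8180]   # from the capture
PROBED_PORTS = sorted(set(range(1, 1025)) | set(OPEN_PORTS) | {9999})           # assumed; 9999 filtered


def make_syn_scan(scanner, target, ports, open_ports, filtered=(), sport=36000):
    """Constructed nmap -sS exchange. Open port: SYN -> SYN/ACK -> RST from the scanner (half-open,
    the handshake is never completed). Closed: SYN -> RST/ACK. Filtered: SYN, no answer.
    nmap typically reuses a single source port for the whole scan."""
    recs = []
    for p in ports:
        recs.append((scanner, target, sport, p, SYN))
        if p in filtered:
            continue
        if p in open_ports:
            recs.append((target, scanner, p, sport, SYN | ACK))
            recs.append((scanner, target, sport, p, RST))
        else:
            recs.append((target, scanner, p, sport, RST | ACK))
    return recs


def conversations(recs):
    """Statistics -> Conversations -> IPv4: packets per unordered host pair."""
    counts = Counter()
    for src, dst, *_ in recs:
        counts[tuple(sorted((src, dst)))] += 1
    return counts


def classify_scan(recs, min_ports=20):
    """Per (src, dst): distinct ports hit with a bare SYN, and whether the source ever completed
    a handshake (a bare ACK). Many ports and no completed handshake = SYN (half-open) scan;
    many ports with completed handshakes = connect scan."""
    syn_ports, completed = defaultdict(set), defaultdict(bool)
    for src, dst, sport, dport, flags in recs:
        if flags == SYN:
            syn_ports[(src, dst)].add(dport)
        elif flags == ACK:
            completed[(src, dst)] = True
    verdicts = {}
    for pair, ports in syn_ports.items():
        if len(ports) >= min_ports:
            verdicts[pair] = "connect scan" if completed[pair] else "SYN scan"
    return verdicts


def port_states(recs, scanner, target):
    """open = target answered SYN/ACK; closed = target answered RST/ACK; filtered = no answer.
    This is the tcp.flags.syn==1 and tcp.flags.ack==1 filter restricted to the target's replies."""
    probed = {dport for s, d, _, dport, f in recs if (s, d) == (scanner, target) and f == SYN}
    replies = {}
    for s, d, sport, dport, flags in recs:
        if (s, d) != (target, scanner):
            continue
        if flags == SYN | ACK:
            replies[sport] = "open"
        elif flags == RST | ACK:
            replies.setdefault(sport, "closed")
    return {p: replies.get(p, "filtered") for p in sorted(probed)}


def open_ports(recs, scanner, target):
    return sorted(p for p, state in port_states(recs, scanner, target).items() if state == "open")


SAMPLE_RECORDS = make_syn_scan(ATTACKER, TARGET, PROBED_PORTS, OPEN_PORTS, filtered={9999})

if __name__ == "__main__":
    print(conversations(SAMPLE_RECORDS).most_common(1))
    print(classify_scan(SAMPLE_RECORDS))
    print(open_ports(SAMPLE_RECORDS, ATTACKER, TARGET))
```

The distinction classify_scan draws is the one that separates -sS from -sT in a capture: a connect scan leaves completed three-way handshakes (and therefore log entries on the target's services), a SYN scan leaves only SYNs, the target's SYN/ACK or RST/ACK, and the scanner's tear-down RST.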

3. Problems encountered and their solutions

  • Problem 1: the snort installation fails
  • Solution to problem 1: update the source list with sudo apt-get update
  • Problem 2: updating the source list with sudo apt-get update also fails
  • Solution to problem 2: I looked up many solutions to the error, but none of them worked; after a long time, once the honeypot and target machines had been started successfully, the update went through.

4. Practice summary

In this practice I ran into some strange pitfalls that were really hard to solve; spending half a day on problems I could not solve was quite a test of my patience.

Origin www.cnblogs.com/zzxb/p/12559988.html