"Network attack and defense practice" 5.0

20199110 2019-2020-2 "Network Attack and Defense Practice", Week 4 assignment

1. Practice content

Chapter 4 covers network sniffers and protocol analyzers.

(1) Network sniffers

Network sniffing uses the computer's network interface to intercept packets destined for other computers, in order to monitor the data stream for user account passwords or other private information. The tools that implement network sniffing are called network sniffers. Network sniffing listens at the link layer; depending on how they are implemented, sniffers can be divided into software sniffers and hardware sniffers.

(I) Network sniffing software

  • UNIX-platform sniffing software (the libpcap packet capture library, the tcpdump sniffer, the Wireshark sniffer, the Snort open-source network intrusion detection system, dsniff, sniffit, linux_sniffer, etc.)

  • Windows-platform sniffing software (NPF, WinPcap, WinDump, Wireshark, SniffPro, Buttsniffer, NetMon, Network Associates Sniffer, etc.)

  • tcpdump is a common command-line network sniffer and analysis program that lets the user intercept and display specific TCP/IP packets from the network the host is located on.

(II) Defenses against network sniffing

  • Use a secure network topology

  • Replace the dynamic ARP mechanism with static ARP or a MAC-to-port mapping table

  • Pay attention to security measures at the central points through which the network's data passes

  • Use encryption and security-enhanced alternative network protocols

(2) Network protocol analyzers

Network protocol analysis refers to the technique of parsing the binary-format packets transmitted on the network in order to recover the information of each protocol layer and the content being transferred. Analysis of the TCP/IP protocol stack is fairly easy to implement, and the corresponding source code already exists in open-source sniffers (e.g. tcpdump, Wireshark, Snort). Other protocols such as ICMP, ARP and UDP are analyzed according to their own protocol formats.

The main steps of Snort's network protocol analysis are:

  • Parsing Ethernet frames (preprocessing -> unpacking -> parsing the upper-layer protocol)

  • Parsing IP packets (preprocessing -> unpacking -> parsing the upper-layer protocol packet)

  • Parsing TCP packets (preprocessing -> unpacking -> parsing)

Wireshark is an open-source network packet analysis tool whose main role is to capture network packets and analyze their protocols. Wireshark supports the UNIX, Windows and Mac OS platforms.

2. Practice

Task one

Use the open-source tool tcpdump on your machine to sniff the process of visiting the website www.tianya.cn, and answer the question: when you visit the home page of www.tianya.cn, how many Web servers does the browser access? What are their IP addresses?

Answer

Visit the home page of www.tianya.cn and use the command tcpdump src 本机IP and tcp dst port 80 (本机IP is the local IP, here 192.168.200.6) to query. The results are as follows:

From the figure (not all of the output is shown, due to limited space), we can see that the Web servers accessed by the browser are:

117.18.237.29
221.182.218.229
221.182.218.244
221.182.218.238
221.182.218.151
124.225.214.214
203.208.41.63

Querying with nslookup www.tianya.cn, its IP address is 221.182.218.229. As follows:

Task two

Use the open-source tool Wireshark to sniff and analyze the protocol while logging in to a BBS over telnet, answer the following questions and show the operation:

(1) What are the IP address and port of the BBS server you logged in to?

(2) How does the telnet protocol transmit the username and password you entered to the server?

(3) How do you use Wireshark packet sniffing and analysis to obtain your username and login password?

Answer

(1) First open Wireshark, then enter the command luit -encoding gbk telnet bbs.fudan.edu.cn in the terminal to log in to the BBS. The following interface appears:

(2) In Wireshark, by querying, we can see that the BBS server's IP is 202.120.225.9 and the port is 23.

(3) The Telnet protocol transmits the username and password in plaintext, so by following the TCP stream we can see our username guest. As follows:

(4) Selecting the conversation at the bottom from the local IP (192.168.200.6) to the Fudan BBS IP (202.120.225.9), we can find the username guest with a blank password. As follows:

Task three

Forensic analysis practice: decoding network scans

Case study challenge content: This case study challenge was prepared for security analysts who are just getting started. The goal of the analysis is five different types of port scans against a honeypot. It should be noted that the port scan traffic in this case was not captured in the "wild" but was deliberately constructed; the sole purpose of this entry-level case study challenge is to provide study and training opportunities.

The network intrusion detector Snort captured the traffic of each scan and stored it in tcpdump binary log files. In this challenge task, each group randomly selects two of the five scan log files, analyzes these two files, answers the questions, and writes a detailed experimental analysis. Through this challenge, you can learn to use packet capture techniques and to use the packet decoding tools tcpdump or Wireshark for network packet analysis.

Questions:

(1) What is the attacker's IP address?

(2) What is the destination IP address of the network scan?

(3) Which scanning tool was used to initiate these port scans in this case? How did you determine this?

(4) In the log file you analyzed, which scan method did the attacker use, what were the scanned destination ports, and how does it work?

(5) Which ports were found to be open on the honeypot?

(6) Bonus question: What is the attacking host's operating system?

Answer

(1) According to the question, we need to use snort for intrusion detection on the binary log file.

  • First, run sudo apt-get install snort to install snort;

  • Then, run sudo chmod 777 /etc/snort/snort.conf to give snort.conf read, write and execute permission;

  • Finally, run sudo snort -A console -q -u snort -c /etc/snort/snort.conf -r listen.pcap (-A turns on alert mode, -q suppresses the status report, -r reads packets from a .pcap format file) to query the results.

An example follows:

From the snort analysis, we can get the attacking host IP 172.31.4.178 and the destination IP of the network scan 172.31.4.188. At the same time, we also learn that the attack was in the form of an nmap scan.

(2) According to the question, use Wireshark to obtain the scan type and the destination ports (in the commands below, 靶机IP is the target machine's IP).

(I) Filter for ARP in Wireshark. For each host probe, nmap broadcasts ARP request packets in the broadcast domain, and this active-host detection is carried out before each scan. By filtering, we found no packets between the first and second scans, and determined that the first scan was active-host detection using nmap -sP 靶机IP. The results are as follows:

(II) Observe the packets at the end of the second scan. We found that the attacker machine sent many TCP and UDP packets with constructed flags to the ssh port in order to trigger different response packets. We therefore judged that these flows were triggered by nmap -O 靶机IP, i.e. remote host operating system detection. The results are as follows:

(III) Next, observe the third scan. The third scan has about 130,000 (13W) packets, and we estimate that more than sixty thousand ports were scanned. So it should be a scan of specified ports, using the command nmap -sS -p 1-65535 (-p specifies the port numbers to scan). The results are as follows:

(IV) Observe the last scan. The fourth scan took longer than the previous three, consistent with the experience gained earlier when learning information-gathering techniques. We can therefore assume that the last scan was network service detection with nmap -sV 靶机IP. Looking at port 8180 (http), we found that a common active probe is the half-open scan SYN->SYN,ACK->RST, whereas the fourth scan shows a handshake that establishes an HTTP connection; we therefore judged the scan to be nmap -sV 靶机IP. The results are as follows:

(3) Again parse the file in Wireshark.

(I) First identify the ports: filtering with tcp.flags.syn == 1 and tcp.flags.ack == 1, the open ports are: 21 22 23 25 53 80 139 445 3306 5432 8009 8180. The results are as follows:

(II) Then determine the operating system, using nmap -O -r listen.pcap to probe the operating system type; the operating system is basically determined to be Linux. The results are as follows:
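As an added example (not part of the original report), the following Python applies the same logic as the Wireshark filter above to constructed Ethernet/IPv4/TCP frames: ports that answer with SYN/ACK are open, and a source that sends bare SYNs to many ports on one host is flagged as a half-open scanner. The frames are built inline from constructed sample data; only the attacker/target addresses and the open-port list are taken from the report.

```python
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
    if frame[23] != 6:                                   # IPv4 protocol field: 6 = TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]               # byte 13 of TCP header = flags

def open_ports(frames, target):
    """Ports on `target` that replied SYN/ACK (Wireshark: tcp.flags.syn==1 and tcp.flags.ack==1)."""
    ports = set()
    for p in map(parse_tcp, frames):
        if p and p[0] == target and (p[4] & (SYN | ACK)) == (SYN | ACK):
            ports.add(p[2])
    return sorted(ports)

def syn_scanners(frames, threshold=10):
    """(src, dst) pairs where src sent bare SYNs to more than `threshold` ports: a half-open scan."""
    probed = defaultdict(set)
    for p in map(parse_tcp, frames):
        if p and (p[4] & (SYN | ACK)) == SYN:            # SYN set, ACK clear
            probed[(p[0], p[1])].add(p[3])
    return {pair: len(ports) for pair, ports in probed.items() if len(ports) > threshold}

def build_frame(src, dst, sport, dport, flags):
    """Build a minimal 54-byte Ethernet/IPv4/TCP frame (constructed sample, not a real capture)."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip(src), ip(dst))
    tcph = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + iph + tcph

# Constructed half-open scan; attacker/target addresses and open-port list reuse the report above.
ATTACKER, TARGET = "172.31.4.178", "172.31.4.188"
OPEN = {21, 22, 23, 25, 53, 80, 139, 445, 3306, 5432, 8009, 8180}
FRAMES = []
for port in list(range(20, 30)) + [53, 80, 139, 445, 3306, 5432, 8009, 8180]:
    FRAMES.append(build_frame(ATTACKER, TARGET, 40000 + port, port, SYN))
    reply = SYN | ACK if port in OPEN else RST | ACK      # closed ports answer RST/ACK
    FRAMES.append(build_frame(TARGET, ATTACKER, port, 40000 + port, reply))
```

Against a real capture, read each record's frame bytes from the pcap file and pass them to the same two functions; a closed port's RST/ACK is correctly ignored because its SYN bit is clear.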

Task four

Attack and defense practice

The attacker performs an nmap scan (with a specific purpose); the defender sniffs with tcpdump, analyzes the capture with Wireshark, and works out the scanned target and the nmap command the attacker used each time. Write a lab report.

Answer

The SEEDUbuntu machine with IP address 192.168.200.6 was chosen as the attacker machine; its scanning commands were nmap -sP 靶机IP, nmap -sS 靶机IP, nmap -sV 靶机IP and nmap -O 靶机IP (靶机IP is the target machine's IP). The operation example is as follows:

The Metasploitable machine with IP 192.168.200.125 was chosen as the target machine, with the sniffing command tcpdump -i eth0 -w dump.pcap. Using tcpdump -r dump.pcap, dump.pcap can be analyzed and viewed; because the Metasploitable command line cannot scroll further, no results are displayed. The operation example is as follows:

The above covers the operation of the four-part task; the detailed analysis of the scanned target and the type of scan command is covered in Task three.

3. The problems and solutions encountered in the study

  • Problem 1: Different tools are built on different virtual machines, and the tools themselves differ.

  • Solution to problem 1: Choose the right platform and tools according to the task and actual needs.

  • Problem 2: Different virtual machines have different characteristics and their own shortcomings.

  • Solution to problem 2: Based on the actual situation, select the virtual machine whose behaviour matches common expectations. For example, in this assignment Ubuntu was used instead of Kali to avoid garbled Chinese characters.

4. Practice summary

Sniffing and analysis help us obtain more information and a better understanding of the system being attacked, which makes it easier to attack the system. With the development of offensive and defensive techniques, sniffing and analysis tools are increasingly integrated into overall platforms. Because tools are integrated to varying degrees and can do different work, we need to choose the right tool to use.

When using sniffing and network analysis tools, we should follow the principle of being legitimate and reasonable, without overstepping. Reproducing or performing certain operations sometimes brings a sense of accomplishment, and at the same time drives us to do more and do the job better. While learning, we should keep accumulating experience and strive to do better; in the process of solving problems, we keep learning and growing.

Reference material

Origin www.cnblogs.com/y1150182239/p/12526591.html