20199118 "Network Attack and Defense Practice" Week 4 Assignment

1. Knowledge review and summary

In Chapter 4 of the course we studied network sniffing and protocol analysis. The key points are:

① Basic introduction to network sniffing

Network sniffing uses a computer's network interface to intercept packets addressed to other computers, in order to monitor the data stream and the private information it carries. Tools that implement network sniffing are called network sniffers. Sniffing is a technique attackers frequently use after penetrating a network, usually once they have gained access to a host on the internal network. Because the intercepted packets are binary data, sniffing is normally combined with network protocol analysis to decode what was captured. Sniffing is passive and silent, so detecting and preventing it is quite difficult. The basic detection and prevention measures are:

  • Detecting a network sniffer: check whether the network interface card is running in promiscuous mode. The way promiscuous mode can be detected differs by operating system and protocol stack.

  • Sniffer prevention: use a secure network topology (a switched network), replace dynamic ARP with static ARP entries, avoid transmitting plaintext, and protect the key nodes of the network (routers, switches, etc.).

② Principles and implementation of network sniffing

How Ethernet works: Ethernet is a shared communication channel that transmits data in units of frames; each Ethernet frame carries the source MAC address and the destination MAC address. When a station needs to send data, the TCP/IP protocol stack builds the packet, the data link layer "assembles" it with a frame header and trailer, and the frame is transmitted onto the shared medium. In normal mode the NIC driver accepts only frames whose destination MAC address matches its own MAC address. In promiscuous mode, however, the card receives every frame that passes over the shared medium it is connected to.

  • Sniffing on a shared network: any host connected to a hub can sniff all the network traffic passing through that hub.

  • Sniffing on a switched network: the switch forwards data according to its MAC address mapping table. There are generally three ways to sniff:
    (1) MAC address flooding attack: send the switch a large number of packets containing fictitious MAC and IP address mappings so that its mapping table overflows; the switch can no longer process them and behaves like a hub.
    (2) MAC spoofing: commonly used to break through LAN access control based on MAC addresses.
    (3) ARP spoofing: exploits weaknesses in the protocol that maps IP addresses to MAC addresses, combined with MAC spoofing. For a detailed treatment of ARP spoofing, eavesdropping and its implementation, see the reference material.

  • Unix-like sniffing technology: implemented through the kernel-mode BPF filter and the user-mode libpcap capture library. BPF is the original data link layer interface; it provides the link layer with functions to send and receive raw packets. If the card is in promiscuous mode, it receives all packets on the network. Kernel-mode BPF provides the packet sniffing and filtering mechanism, and libpcap provides a standard interface for network sniffer applications on Unix-like platforms; pcap is the standard format for captured network packets.

  • Windows network sniffing technology: the Windows operating system kernel does not provide a standard network sniffing and packet capture interface. NPF is a kernel-mode virtual device driver that filters packets and passes them intact to the user-mode module. WinPcap provides two user-mode interfaces: the standard packet capture module packet.dll, and wpcap.dll.

③ Network sniffing software

Commonly used network sniffing software is generally based on the standard BPF and libpcap interfaces. The most popular are the libpcap development library and the sniffer programs tcpdump, Ethereal and Wireshark (available on both Unix-like and Windows platforms).

  • libpcap packet capture library development: the basic libpcap development steps are to open a network device, set the filter rule, capture data, and close the network device.
  • tcpdump: tcpdump is a general-purpose command-line network sniffer and packet protocol analyser. The filter src 192.168.199.200 and tcp dst port 80 shows the outbound HTTP traffic from that source host. Running tcpdump without arguments monitors all packets flowing on the first network interface.
  • Wireshark: an open source packet analysis tool whose main role is to capture network packets, perform protocol analysis on them, and present them to the user in a format that is easier to understand, displaying as much detail as possible.

④ Network protocol analysis technology

The packets intercepted by a network sniffer are binary message content in the format in which they were assembled. To extract the information they contain according to the protocol specifications, the packets are reparsed following the TCP/IP protocol stack and the contents of each protocol layer are restored. The most widely used network protocol analysis tool at present is Wireshark. A typical network protocol analysis procedure consists of the following steps:

  • Obtain the raw binary data of the data link layer frame captured by the sniffer.
  • Analyse the frame structure to obtain the frame header fields; determine the network layer protocol type from the frame header field and extract the network layer data it contains.
  • Analyse the IP packet further to determine the transport layer protocol type, and extract the transport layer data.
  • Determine the specific application layer protocol from the TCP or UDP destination port, and obtain the application layer protocol's interaction content.
  • Integrate and recover the actual transmitted data according to the respective application layer protocol.

2. Practice

Practice one: use the open source tool tcpdump to sniff the process of accessing www.tianya.cn on the local network, and answer the question:
When you access the www.tianya.com home page, how many web servers does the browser access? What are their IP addresses?

  • Change the Kali Linux virtual machine's network mode to bridged mode so that it can connect to the network.

  • Check the local IP address: it is 192.168.31.149. Open a terminal in the Kali Linux virtual machine and enter sudo tcpdump -n src 192.168.31.149 and tcp port 80 and "tcp[13] & 18 = 2"

  • Open the Tianya Forum URL in a browser.

  • Analyse the monitored results.

  • The main Web servers accessed are observed to be:
    99.86.84.76
    99.86.84.220
    99.86.84.65
    124.225.214.206
    99.86.84.97
    124.225.65.154
    202.108.23.152

Practice two: use the open source tool Wireshark to sniff and analyse a TELNET login to a local BBS, answer the following questions and give the steps:
What are the IP address and port of the BBS server you logged in to?
How does the TELNET protocol pass the username and password you entered to the login server?
How do you use Wireshark to analyse the sniffed packets and obtain your username and login password?

  • Open Wireshark locally and start capturing.

  • Open a Kali Linux terminal and enter luit -encoding gbk telnet bbs.fudan.edu.cn (luit specifies the character encoding) to access the Fudan BBS server; its IP address is found to be 202.120.225.9.

  • In Wireshark, the traffic is found on port 23; by following the TCP stream, the username guest is found.
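
As an added example (not part of the original write-up), the following Python decoder carries out the four protocol analysis steps from ④ on a constructed Ethernet/IPv4/TCP frame, applies the same SYN-only test as the tcpdump filter "tcp[13] & 18 = 2" from Practice one, and extracts the plaintext Telnet payload of the kind Practice two reads off the TCP stream. All addresses and the payload are made up; the port-to-protocol table is a minimal assumption.

```python
"""Added example: layered decoding of one frame (steps ④.1-4) plus the tcp[13] test."""
import struct

# Constructed sample: Ethernet II -> IPv4 -> TCP to port 23 with only SYN set,
# followed by a made-up Telnet payload. IPs are from the documentation range.
SAMPLE_FRAME = (
    bytes.fromhex("00112233445566778899aabb0800")              # dst MAC, src MAC, EtherType IPv4
    + bytes.fromhex("4500002f0001000040060000c000020ac0000217")  # IPv4 header, 20 bytes
    + bytes.fromhex("c350001700000001000000005002000000000000")  # TCP header, 20 bytes
    + b"guest\r\n"                                             # application data
)

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def decode_frame(frame: bytes) -> dict:
    """Walk the frame down the stack and return one field per layer."""
    # Step 1: raw link-layer frame. Step 2: parse the Ethernet header; the
    # EtherType field tells us which network-layer protocol follows.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    # Step 3: IPv4 header; IHL gives its length, the protocol field selects
    # the transport layer, total length bounds the packet.
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError(f"unsupported IP protocol {ip[9]}")
    tcp = ip[ihl:total_len]
    # Step 4: TCP header; data offset gives its length, the flags byte is tcp[13],
    # and the destination port identifies the application-layer protocol.
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": src_port, "dst_port": dst_port,
        "app_proto": {23: "telnet", 80: "http"}.get(dst_port, "unknown"),  # assumed table
        "tcp_flags": tcp[13],
        "payload": tcp[data_off:],   # step 5 would reassemble this across the whole stream
    }

def is_syn_only(flags: int) -> bool:
    """Same predicate as the tcpdump filter "tcp[13] & 18 = 2": 18 = SYN|ACK (0x12),
    so the test keeps packets with SYN set and ACK clear, i.e. new outgoing connections."""
    return flags & 0x12 == 0x02
```

Because Telnet carries the login as plain text, the payload field is readable as soon as the frame is decoded, which is what following the TCP stream in Wireshark shows.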

Practice three: forensic analysis practice: decoding a network scan
1. What is the IP address of the attacking host?
2. What is the IP address of the target of the network scan?
3. Which scanning tool was used to initiate this port scan? How did you determine this?
4. In the log file you analysed, what scanning method did the attacker use, which destination ports were scanned, and how does it work?
5. Which ports on the honeypot host were found to be open?
6. What operating system is the attacking host running?

  • Download the listen.pcap file from the course's cloud resource library and open it in Wireshark; the attacking host's IP is found to be 172.31.4.178 and the target IP of the network scan is 172.31.4.188.

  • Install snort, give snort.conf read-write permission, and run snort over the capture:
    sudo su
    cd 'Desktop'
    sudo apt-get install snort
    sudo chmod 777 /etc/snort/snort.conf
    sudo snort -A console -q -u snort -c /etc/snort/snort.conf -r listen.pcap

  • From snort's output it can be seen that the scan was initiated with nmap.

  • nmap sends a broadcast ARP request for each host it probes in the broadcast domain, so filter for ARP in Wireshark. Going by the sequence numbers at the front of the capture, four "Who has 172.31.4.188? Tell 172.31.4.178" requests are found, from which it is determined that there were four scans.
  • Using p0f -r listen.pcap to detect the operating system, the attacking system is found to be Linux 2.6.X.
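
Added example (not from the original write-up): the counting that the ARP step above does by eye in Wireshark, written as a small Python detector over constructed ARP request frames that reuse the write-up's addresses 172.31.4.178 and 172.31.4.188; the MAC addresses, the gateway host 172.31.4.1 and the thresholds are assumptions.

```python
"""Added example: count ARP who-has requests per sender, as the Wireshark ARP step does."""
import struct
from collections import Counter

def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))

def arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request frame (opcode 1) for the constructed capture."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + b"\x08\x06"                  # dst broadcast, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)         # Ethernet/IPv4, hlen 6, plen 4, request
    arp += mac + ip_bytes(sender_ip) + b"\x00" * 6 + ip_bytes(target_ip)
    return eth + arp

def parse_arp_request(frame: bytes):
    """Return (sender_ip, target_ip) for a who-has frame, None for anything else."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    arp = frame[14:]
    if struct.unpack("!H", arp[6:8])[0] != 1:               # opcode 1 = request
        return None
    return ".".join(map(str, arp[14:18])), ".".join(map(str, arp[24:28]))

def arp_scan_report(frames, repeat_threshold=3, sweep_threshold=3) -> dict:
    """Flag a sender that re-probes one target repeat_threshold times (several scans of one
    host, the pattern in the write-up) or probes sweep_threshold distinct targets (a host sweep).
    Hosts also re-ARP when a cache entry expires, so tune the thresholds to the network."""
    pairs = Counter(p for p in map(parse_arp_request, frames) if p)
    targets = {}
    for sender, target in pairs:
        targets.setdefault(sender, set()).add(target)
    return {
        "repeat_probes": {pair: n for pair, n in pairs.items() if n >= repeat_threshold},
        "sweeps": {s: len(t) for s, t in targets.items() if len(t) >= sweep_threshold},
    }

# Constructed capture reusing the write-up's addresses: the attacker 172.31.4.178 ARPs the
# honeypot 172.31.4.188 once per nmap run (four runs), while a normal host resolves its gateway.
SAMPLE_CAPTURE = [arp_request("02:00:00:00:00:aa", "172.31.4.178", "172.31.4.188") for _ in range(4)]
SAMPLE_CAPTURE.append(arp_request("02:00:00:00:00:bb", "172.31.4.10", "172.31.4.1"))
```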

Practice four: attack and defence practice: the attacker scans with nmap, the defender sniffs with tcpdump and analyses with Wireshark, then analyses the purpose of the nmap scan and the commands used.

  • The attacking machine is Kali at 192.168.2237.129 and the target machine is Metasploitable2 at 172.16.8.128.

  • Run tcpdump -i eth0 -w listen.pcap on Metasploitable2 to monitor.

  • Scan the target from the Kali host with nmap, using -sP, -sV, -sS and -O.
  • View and analyse the capture with tcpdump -r listen.pcap.

3. Problems encountered in the study and their solutions

  • Problem ①: garbled characters when visiting the Fudan BBS.

  • Solution to problem ①: after looking it up, use the command luit -encoding gbk telnet bbs.fudan.edu.cn (which specifies the encoding), following "Solving the problem of garbled Chinese in Kali Linux".

  • Problem ②: when using apt-get the following appears:
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package
  • Solution to problem ②: through the all-knowing Baidu, found that the APT package index needs to be updated first (apt-get update).

4. Learning perceptions and reflections

  • Deepened my understanding of network attack and defence technology in both theory and practice, and improved my ability to use network sniffing.
  • Developed my practical skills and a strong interest in the practical application of network attack and defence.

Origin www.cnblogs.com/dkycjy/p/12553905.html