20199127 2019-2020-2 "Network Attack and Defense Practice" Week 4 Assignment

This assignment belongs to the course "Network Attack and Defense Practice".
The assignment is the fourth one: network sniffers and protocol analyzers.
My goal in this course is to learn network attack and defense technologies and to master the related skills.
This assignment helped me reach that goal in particular by teaching me network sniffing techniques and how to analyze the information transmitted on the network.
References: TCP/IP Illustrated, Volume 1: The Protocols; WireShark Tutorial - Hacker Discovery (5) - (nmap) Scanning Probe; Wireshark display filter tips; Snort Manual

Network sniffer and protocol analyzer

1. Practice content

Chapter 4 covers network sniffers and network protocol analyzers; the two are used together to analyze intercepted data. The material can be organized into the following sections.

Network sniffing:

1. Basic introduction to network sniffers

A network sniffer uses the computer's network interface to intercept data packets whose destination address is another computer, in order to monitor the private information carried in the data stream. The tool that implements this technique is called a network sniffer. It captures the binary packets passing by, and these are usually decoded with network protocol analysis techniques.

Network sniffing is a penetration technique that attackers use frequently, usually from a host they control after gaining access to the internal network. It sniffs data transmitted over the network silently and passively, so detecting and preventing it is quite difficult. The basic detection and prevention methods are: 1. Sniffer detection: check whether the network card is running in promiscuous mode; the way promiscuous mode is judged differs by operating system and protocol stack. 2. Sniffer precautions: use a secure network topology (a switched network), use static ARP instead of dynamic ARP, avoid transmitting plaintext, and protect the nodes in the network (routers, switches, etc.).

2. Principle and implementation

Principle:

Ethernet is a shared communication channel that transmits data in units of frames; each Ethernet frame carries the source MAC address and the destination MAC address. When a station needs to send data, the TCP/IP protocol stack packages it, the data link layer assembles the frame header and trailer, and the frame is transmitted onto the shared medium. In normal mode the NIC driver only accepts data frames whose destination MAC address matches its own MAC address. In promiscuous mode, however, the card receives all data frames that arrive over the shared medium it is connected to.

Network sniffer implementation:

1. Sniffing in a shared network: with a hub, any host connected to the hub can sniff all network traffic on the entire hub.

2. Sniffing in a switched network: the switch forwards data according to a MAC address mapping table. There are generally three ways to sniff: ① MAC address flooding: the attacker sends a large number of packets with fictitious MAC and IP addresses to the switch so that its mapping table overflows and cannot be processed, and the switch falls back to working like a hub. ② MAC spoofing: commonly used to break through LAN access control based on MAC addresses. ③ ARP spoofing: exploits weaknesses of the protocol when translating between IP addresses and MAC addresses to achieve the same effect as MAC spoofing.

3. Unix sniffers: switched and non-switched (unswitched) networks differ at the data link layer. In a non-switched network, Ethernet packets pass through every device on the network, and each device only looks at the packets whose destination address is its own. A device set to promiscuous mode, however, can easily see all packets regardless of their destination. Most packet capture programs, e.g. tcpdump, set the device they listen on to promiscuous mode by default.

4. Windows network sniffing: Windows does not provide a sniffing and capture interface, but there is a kernel-mode virtual device driver, NPF, which can filter packets. Using WinPcap to generate packets is more flexible and feature-rich than using raw sockets: raw sockets have certain limitations, the lowest-layer protocol of a packet they can construct is IP, so protocols below the IP layer such as link-layer packets cannot be built, whereas WinPcap can construct packets at the data link layer.

Network protocol analysis technology

Principle of network protocol analysis: the binary-format packets transmitted on the network are parsed in order to recover the information of each network protocol layer and the content being transferred.

Specific process of network protocol analysis: obtain the raw binary data link layer packets by sniffing, analyze the Ethernet frame structure, analyze the IP packet, determine the specific application layer protocol, and integrate the recovered data to obtain the data actually transferred. Commonly used tools include Wireshark.

2. Practice

Assignment one: tcpdump practice
Task: use tcpdump to sniff the process of visiting www.tianya.cn from this machine. When accessing the web page, how many web servers does the browser access, and what are their IP addresses?

Use tcpdump to sniff. In principle, a web visit consists of a TCP three-way handshake, an HTTP request packet, an HTTP response packet, and the TCP four-way close. So the number of web servers the browser accesses equals the number of TCP three-way handshakes; capture the packets in which both SYN and ACK are set by entering the following command:

tcpdump -nn 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0 and (host 192.168.200.64) and (port 80)'

Here the IP address is the local host address and port 80 is the web browsing port. Without the port condition, traffic on port 443 is also captured; port 443 is the other web browsing port, mainly used for the HTTPS service, which provides HTTP over an encrypted, secure transport.

The main IP addresses are as follows:

221.182.218.229
221.182.218.244
72.21.202.25
99.86.113.26
99.86.113.16
221.182.218.238

The IP addresses differ on each visit. Use nslookup to verify the correctness of the tcpdump result: from the source code of the Tianya home page the relevant domain names can be found, such as passport.tian.cn and static.tianya.cn, and comparing the two results gives more confidence in the correctness.
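As an added example that is not part of the original post, the Ethernet -> IPv4 -> TCP decoding described in the protocol analysis section, applied to a constructed frame; the SYN+ACK check mirrors the tcp[tcpflags] condition in the tcpdump filter above. The frame bytes and addresses are made up for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5

# Constructed sample (not a real capture): Ethernet II frame carrying an IPv4/TCP
# SYN+ACK from 192.168.200.3:80 to 192.168.200.64:50000. Checksums are left 0.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"            # dst MAC, src MAC, EtherType IPv4
    "4500" "0028" "0000" "4000" "40" "06" "0000"   # IPv4: ver/IHL, len 40, id, DF, TTL 64, proto 6
    "c0a8c803" "c0a8c840"                          # src 192.168.200.3, dst 192.168.200.64
    "0050" "c350" "00000001" "00000002"            # TCP: sport 80, dport 50000, seq, ack
    "50" "12" "ffff" "0000" "0000"                 # data offset 5, flags SYN|ACK, win, csum, urg
)

def parse_frame(frame: bytes) -> dict:
    """Decode the link, network and transport headers of one raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                      # ARP and other EtherTypes are left undecoded
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4           # IP header length in bytes, options included
    info.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)),
                ttl=ttl, proto=proto, total_len=total_len)
    if proto != 6 or len(ip) < ihl + 14:
        return info                      # only TCP is decoded further
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
    info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack,
                tcp_hdr_len=(off >> 4) * 4,
                flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)])
    return info

def is_handshake_reply(info: dict) -> bool:
    """Same test as the tcpdump filter: SYN and ACK both set (handshake step 2)."""
    return {"SYN", "ACK"} <= set(info.get("flags", []))

if __name__ == "__main__":
    decoded = parse_frame(SAMPLE_FRAME)
    print(decoded)
    print("SYN+ACK:", is_handshake_reply(decoded))
```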

Assignment two: Wireshark practice
Task: use Wireshark to sniff and analyze the protocol while logging in to a BBS with telnet from this machine.
  1. What are the IP address and port of the BBS server?

  2. How does the telnet protocol transmit the user name and login password you enter to the server?

  3. How do you use the Wireshark packet sniffer to analyze the traffic and obtain the user name and login password?
    1. Enable the Telnet client on the local physical machine, as it is off by default in Windows 10: Control Panel -> Programs -> Turn Windows features on or off -> check Telnet Client. The figure is as follows; then open Wireshark and capture packets.

    2. With Wireshark open, enter telnet bbs.fudan.edu.cn in the terminal to enter the Fudan University BBS (I was looking for another school's, but Fudan's still looks good). The IP address is 202.120.225.9 and the port is 23; log in as guest.

    3. In the filter, enter ip.src == 202.120.225.9 to select the telnet protocol packets; by following the TCP stream we can see the account name and password (the Telnet protocol transmits the user name and password in plaintext). See below.

Assignment three: forensic analysis practice
Task: analyze the artifacts of five different types of port scan against a honeypot host.
What is the IP address of the attacking host?
What is the destination IP address of the network scan?

Which scanning tool was used to launch these port scans? How did you determine this?

From the log file you analyzed, which scanning method did the attacker use, what were the destination ports of the scan, and how does it work?

Which ports on the honeypot were found to be open?

What is the operating system of the attacking host?

(1) Use Wireshark to analyze the tcpdump binary-format log file. In the conversation statistics, the two IP addresses 172.31.4.178 and 172.31.4.188 communicate most closely; from the content of the responses, the attacker's IP address for the port scan is 172.31.4.178 and the destination IP address is 172.31.4.188.

(2) Detect the scan with Snort. ① To use Snort I first had to solve its installation: enter the command sudo apt-get install snort; the Snort installation failed.

② I did not take a screenshot of the error and do not remember it; in any case apt-get update did not work either, and I do not remember what error it reported. I did not mean to skip it, but this period was too annoying and consumed too much time. The repository source needed updating and DNS resolution needed modifying. These two steps have to be done first, and both should be done with vim; vim failed to save the edits.

③ Error E212: Can't open file for writing. I could not find a link to resolve it; students with the same problem should search on their own. After resolving this step, the update still failed. After much frustration I added the step sudo apt-get dist-upgrade to update, and it was finally resolved. (In fact I had also tried some other methods before, and do not know whether they helped. Also, I see that other students did not encounter so many problems; perhaps this is just my fate.)

④ (To be honest, I did not take screenshots of this process, and I really do not know whether each step solved the problem.)

3. Filter for ARP in Wireshark. The first nmap scan is determined by the MAC address: before each scan nmap detects whether the target IP is alive. In the figure the destination is Broadcast and the requests have the form "Who has 172.31.4.188? Tell 172.31.4.178". ARP scanning probes the target segment: if there are no particular filter rules on the segment, the IP addresses and MAC addresses of the live machines can be obtained from the response messages, and from these the topology. For example, 172.31.4.178 sends an ARP request to the specified network; if the IP does not exist there is no response, and since it does exist, all the responses can be seen. There are no ARP packets between the attacker's first and second nmap scans. The first nmap scan detects whether the target IP is alive: nmap -sP 172.31.4.188

4. The second scan did not take long, shorter than the third, so it should not scan all ports. It sends specially designed TCP/UDP/ICMP packets to the target machine at the same time, in accordance with the principle of nmap -O: nmap's internal fingerprint database (the nmap-os-db file) contains more than 2600 known systems, the packets returned by the target are compared with the fingerprint samples in the library to find a matching system, and if there is no match the possible systems are listed with probabilities. I guess the second scan is active operating system detection, i.e. an nmap -O scan.

5. The third scan contains about 130,000 packets and scans about 60,000 ports, so it is presumably a TCP SYN scan, i.e. half-open scanning, nmap -sS, which uses half-open connections instead of completing the TCP connection. The attacker sends a SYN request packet; if the port is open, the target host responds with a SYN/ACK packet and the attacker then sends an RST packet. If the port is not open, the target host directly returns an RST packet and the session ends.

6. Fourth scan: filter on tcp.port==80. Port 80 is the Hypertext Transfer Protocol (HTTP) port used for World Wide Web (WWW) services. The fourth scan establishes HTTP connections, so I guess it is an nmap -sV scan, which determines the type and version of the network application services bound to the open ports on the target host. Network service detection works mainly by sending specially crafted packets to the target host and, based on the fingerprint information contained in each network service's implementation of its application-layer protocol and the fingerprints in the returned packets, identifying the network services on the open ports.

7. By filtering on tcp.flags.syn == 1 and tcp.flags.ack == 1, the open ports are determined to be 21, 22, 23, 25, 53, 80, 139, 445, 3306, 5432, 8009, 8180.

8. Using p0f -r listen.pcap, the operating system is found to be Linux 2.6.X. p0f listens to the packets sent and received on the network card and reads the remote machine's operating system and service version information from the packets.
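As an added example that is not from the original post, the half-open scan behaviour described in step 5 and the open-port filter from step 7, run as detection logic over constructed packet summaries. The packet list is a made-up reconstruction modelled on the honeypot capture, not data from the real pcap, and the probed port set is an assumption.

```python
from collections import defaultdict

# Constructed sample modelled on the honeypot capture above (not the real pcap).
# Packet summary: (src_ip, src_port, dst_ip, dst_port, flags). "S" is the prober's
# bare SYN, "SA" the SYN/ACK from a listening port, "RA" the RST from a closed
# port, and "R" the prober tearing the half-open connection down instead of "A".
ATTACKER, TARGET = "172.31.4.178", "172.31.4.188"
PROBED = [21, 22, 23, 25, 53, 80, 81, 82, 83, 84, 85, 443]   # assumed probe set
LISTENING = {21, 22, 23, 25, 53, 80}                         # assumed open ports

def build_sample():
    pkts = []
    for i, port in enumerate(PROBED):
        sport = 40000 + i
        pkts.append((ATTACKER, sport, TARGET, port, "S"))
        if port in LISTENING:
            pkts.append((TARGET, port, ATTACKER, sport, "SA"))
            pkts.append((ATTACKER, sport, TARGET, port, "R"))  # half-open: RST, not ACK
        else:
            pkts.append((TARGET, port, ATTACKER, sport, "RA"))
    return pkts

def open_ports(pkts, host):
    """Ports on `host` that answered SYN/ACK: the tcp.flags.syn==1 and
    tcp.flags.ack==1 Wireshark filter, restricted to one source address."""
    return sorted({sp for s, sp, _d, _dp, f in pkts if s == host and f == "SA"})

def syn_scan_sources(pkts, min_ports=10):
    """Sources that send bare SYNs to many distinct (host, port) pairs and then
    RST the half-open connections rather than completing them with an ACK."""
    syns, acks, rsts = defaultdict(set), defaultdict(set), defaultdict(set)
    for s, _sp, d, dp, f in pkts:
        bucket = {"S": syns, "A": acks, "R": rsts}.get(f)
        if bucket is not None:
            bucket[s].add((d, dp))
    return {s: len(p) for s, p in syns.items()
            if len(p) >= min_ports and not (acks[s] & p) and rsts[s] & p}

if __name__ == "__main__":
    sample = build_sample()
    print("open ports on", TARGET, ":", open_ports(sample, TARGET))
    print("SYN-scan sources:", syn_scan_sources(sample))
```

A full-connect scan would answer the SYN/ACK with "A" instead of "R" and is deliberately not flagged by syn_scan_sources, so it needs a separate rule.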

Task four: attack and defense practice
Task: the attacker scans with nmap, the defender sniffs with tcpdump and analyzes with Wireshark, then analyzes the purpose of the attacker's scan and the nmap command used each time.

With the metasploitable-linux target machine as the attacker, IP address 192.168.200.125, two scans were run: the first nmap -sP, the second nmap -O.

With Kali as the defender, IP address 192.168.200.64, tcpdump intercepts the communication between the attacking machine and the target host, 192.168.200.3 and 192.168.200.125. Analyzing the figure, the attack information can be obtained and matches what was verified.

3. Problems encountered in the study and their solutions

Problem one: Kali could not access the network, and the network card still did not work after resetting it.

Solution: I found that I had previously shut down several VMware services and set them to start manually, then forgot about it; starting the services and restarting the virtual machine solved it.

Problem two: the problems encountered in the forensic analysis practice have already been described in detail in task three.

4. Practice summary

1. Practice more, and take the time to figure out why while doing the experiments.

2. Ask when you don't know; communicate with classmates promptly when you encounter problems.

3. Learning a new technology is really a bit difficult.

Origin www.cnblogs.com/xiaoyangJ/p/12571909.html