20199125 2019-2020-2 "Network Attack and Defense Practice" Week 5 Assignment

I. Overview

Course this assignment belongs to: Network Attack and Defense Practice
Assignment requirements: TCP/IP network protocol attacks
Gains: a clearer understanding of how the ARP, ICMP, TCP and UDP protocols are used in network attacks and how to defend against this kind of attack; learned about IPsec.

II. Knowledge points summarized this week

1. Comparison of the OSI seven-layer model and the TCP/IP four-layer model

2. TCP three-way handshake

(1) The client sends a TCP segment to the server, in which:

  • the SYN flag is set, meaning "request to establish a new connection";
  • the sequence number is Seq = x, the client's initial sequence number (chosen randomly; Wireshark displays relative sequence numbers, so the SYN is shown as 0);
  • the client then enters the SYN-SENT state.

(2) When the server receives the client's segment it leaves the LISTEN state and returns a segment in which:

  • the SYN and ACK flags are set, meaning "the client's sequence number Seq is valid, the server can correctly receive data from the client, and it agrees to open a new connection" (that is, it tells the client that the connection request was received);
  • the sequence number is Seq = y, the server's own initial sequence number;
  • the acknowledgement number is Ack = x + 1, the client's sequence number plus one; the server then enters the SYN-RCVD state.

(3) When the client receives the server's acknowledgement it knows that transmission from client to server works, leaves the SYN-SENT state, and returns the last segment of the handshake, in which:

  • the ACK flag is set, meaning "acknowledging the server's acknowledgement of the connection";
  • the sequence number is Seq = x + 1, the acknowledgement number the server sent back;
  • the acknowledgement number is Ack = y + 1, the server's sequence number plus one;
    the client then enters the ESTABLISHED state. Once the server receives this final ACK from the client it knows that transmission from server to client also works, leaves the SYN-RCVD state and enters the ESTABLISHED state.

3. The three basic attributes of network security

Confidentiality: data must not be disclosed to or used by unauthorized entities; usually ensured with encryption algorithms.
Availability: data and services are not destroyed and can be accessed normally whenever they are needed.
Integrity: data must not be modified without authorization; usually ensured with digital signatures and digest algorithms.

4. The basic models of network attacks

There are four models: interception, interruption, tampering and forgery.

ARP spoofing and ICMP redirect attacks can be either interception or interruption (if the attacking machine does not have IP forwarding enabled, they become interruption attacks).
SYN flood, UDP flood and other denial-of-service attacks are interruption attacks.

III. TCP/IP network protocol attack practice

1. ARP spoofing attack

The principle:
ARP maps IP addresses to the physical MAC addresses of network cards. ARP spoofing exploits the fact that hosts keep a dynamic IP-to-MAC cache and update it from ARP messages without any authentication: the attacker continuously sends other hosts forged ARP messages that pair the target's IP address with the attacker's own MAC address, so those hosts update their caches and map the target's IP to the attacker's MAC. Packets they subsequently send to the target's IP therefore arrive at the attacking machine. A man-in-the-middle attack built on ARP spoofing exploits this in both directions: assume hosts A and B are communicating normally; the attacker C sends B forged ARP messages using A's IP, so that B updates its cache and maps A's IP to C's MAC; likewise C spoofs B's IP towards A, so that A maps B's IP to C's MAC. A and B are now connected through C, and all traffic between them passes through C.
Practical operation:

  • Configuration: first enable IP forwarding on the attacking machine. Otherwise, once the ARP attack starts, the target (in this exercise a mobile phone) loses network access, which is the ARP disconnection attack. Setting ip_forward to 1 with echo 1 > /proc/sys/net/ipv4/ip_forward enables IP forwarding; a value set this way only lasts until the next reboot, after which it reverts to 0.
  • Use the arpspoof command: arpspoof -i [interface] -t [target ip] [LAN gateway ip]. This keeps sending forged ARP replies to the target, impersonating the gateway, so that the attacking machine sits between the target and the gateway (this poisons only the target's cache; to see the reverse direction as well, run a second arpspoof with the two addresses swapped).
  • In another terminal on the Ubuntu attacking machine, install driftnet and use it to monitor the target's traffic: driftnet -i [attacker interface] captures the images on the web pages the target browses (pages served over HTTPS cannot be captured).
  • In another terminal run ettercap: ettercap -Tq -i ens33 (-T starts text-mode sniffing, -q is quiet mode, i.e. the sniffed data stream is not displayed, -i selects the network interface). When the target then logs into a website that uses plain HTTP, the account and password transmitted in clear text are sniffed.
  • Packet analysis: the attacking VM impersonates the gateway toward the target by sending it ARP messages whose sender IP is the gateway's real IP and whose sender MAC is the attacker's own MAC.
  • Analysing the target's communication with the outside network: the attacking machine has inserted itself between the target and the gateway, so the target's traffic is sent to the attacker first, and the attacker then forwards it to the gateway.


    Precautions:
  • Set static IP-MAC mappings on the gateway and on the hosts
  • Arbitration-based ARP spoofing prevention model
    In this model an ARP firewall device is placed in series in front of the gateway; LAN user traffic passes through this device before entering the gateway, and data from the gateway passes through the firewall device before reaching the user. The corresponding schematic is shown in the figure.
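As an added example (not part of the original post), the following Python builds the kind of ARP reply that arpspoof sends in the exercise above (sender IP = gateway, sender MAC = attacker), parses it back, and runs a small passive detector that implements the static-binding precaution: an IP whose MAC suddenly changes is reported. The target's address 192.168.2.60 is the one used later in this post; the gateway and attacker addresses and all MACs are constructed values.

```python
import struct

ETH_P_ARP = 0x0806


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (opcode 2).
    A spoofed reply simply lies in the sender fields: it claims sender_ip lives at sender_mac."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # htype=Ethernet, ptype=IPv4, hlen, plen, op=reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatch:
    """Passive detector for the precaution above: static bindings are never overwritten,
    and any IP that is seen with a second MAC raises an alert."""

    def __init__(self, static_bindings=None):
        self.table = dict(static_bindings or {})
        self.static = set(self.table)
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None or a["op"] not in (1, 2):
            return None
        ip, mac = a["sender_ip"], a["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac          # first sighting: learn it, as a host's ARP cache would
            return None
        if known != mac:
            reason = "static binding violated" if ip in self.static else "mapping changed"
            alert = (ip, known, mac, reason)
            self.alerts.append(alert)     # the known entry is kept; only the alert is raised
            return alert
        return None


# Constructed lab values (assumptions, not from the original post): gateway 192.168.2.1,
# target 192.168.2.60, attacker 192.168.2.50; MACs are made-up locally administered addresses.
GATEWAY_IP, GATEWAY_MAC = "192.168.2.1", "02:00:00:00:00:01"
TARGET_IP, TARGET_MAC = "192.168.2.60", "02:00:00:00:00:60"
ATTACKER_MAC = "02:00:00:00:00:50"


def demo():
    """Replay one genuine gateway reply followed by the reply arpspoof sends, and return the alerts."""
    watch = ArpWatch(static_bindings={GATEWAY_IP: GATEWAY_MAC})
    genuine = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, TARGET_MAC, TARGET_IP)
    spoofed = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, TARGET_MAC, TARGET_IP)
    watch.observe(genuine)
    watch.observe(spoofed)
    return watch.alerts


if __name__ == "__main__":
    for ip, was, now, why in demo():
        print(f"ALERT {ip}: {was} -> {now} ({why})")
```

The detector only ever learns the first MAC it sees for an IP, which is exactly the weakness of a real ARP cache: without the static binding it would have trusted the attacker had the spoofed reply arrived first. That is why the precaution pairs detection with static entries on the hosts that matter.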

2. ICMP redirect attack

The principle:
Routers use ICMP redirect messages to give hosts routing information in real time; when a host receives an ICMP redirect, it updates its routing table according to the message. Because the necessary legitimacy checks are missing, an attacker who wants to modify a host's routing table can send that host ICMP redirect messages and make it change its routes as the attacker requires.
An ICMP redirect attack therefore uses ICMP redirect packets to change the target host's routing table: the attacker sends a redirect message to the target, posing as a router, so that the packets the target sends are forwarded to the attacker.
Practical operation:

  • The attacking machine again has to have IP forwarding enabled; otherwise the ICMP redirect attack takes the target offline and the attack is noticed. Enable it as described above.
  • Use netwox tool 86: netwox 86 -f "host [target ip]" -g [attacker ip] -i [router ip]. -f is the filter rule, -g the new gateway address, -i the original gateway address. The command makes the attacker send ICMP redirect messages to the target, modifying the target's routing table so that its gateway for the matched traffic becomes the attacker's IP address.
  • Whether the ICMP redirect attack or the ARP man-in-the-middle attack is used, the purpose is the same: to intercept the target host's traffic with other hosts. So the same command, ettercap -Tq -i ens33, can be used to sniff plaintext passwords in the forwarded traffic.
  • Analysing the Wireshark capture shows that the target's traffic to the outside network is first forwarded to the attacking machine, which then forwards it to the real router.

    Precautions:
    Filter by ICMP type: configure the firewall to filter ICMP redirect packets, and only pass those that come from the local router on for further processing.
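An added example, not from the original post: the redirect the attack relies on, built in pure Python with a valid checksum, together with the checks RFC 1122 (section 3.2.2.2) says a host must apply before acting on a redirect. The example also shows why those checks are not enough on a LAN: the forged message carries the router's IP as its source (the original gateway given with -i in the netwox command above) and names an on-link attacker as the new gateway, so it passes every check, which is what makes the filtering precaution necessary. The target 192.168.2.60 is the address used in this post; the router, attacker and remote addresses are constructed values.

```python
import ipaddress
import struct


def inet_checksum(data):
    """RFC 1071 ones-complement checksum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(src, dst, new_gateway, triggering_packet):
    """ICMP type 5, code 1 (redirect for host), RFC 792 layout: type, code, checksum,
    gateway address, then the IP header + 8 bytes of the packet being redirected."""
    body = ipaddress.ip_address(new_gateway).packed + triggering_packet[:28]
    icmp = struct.pack("!BBH", 5, 1, 0) + body
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def parse_redirect(packet):
    """Return the fields a host looks at, or None if the packet is not a well-formed ICMP redirect."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 36 or inet_checksum(icmp) != 0 or icmp[0] != 5:
        return None
    inner = icmp[8:]
    return {"from": str(ipaddress.ip_address(packet[12:16])),
            "code": icmp[1],
            "new_gateway": str(ipaddress.ip_address(icmp[4:8])),
            "destination": str(ipaddress.ip_address(inner[16:20]))}


def accept_redirect(packet, current_gateway, local_network):
    """The RFC 1122 checks a host must apply before changing its routing table."""
    r = parse_redirect(packet)
    net = ipaddress.ip_network(local_network)
    if r is None:
        return False, "not a valid ICMP redirect"
    if r["from"] != current_gateway:
        return False, "sender is not the current first-hop gateway"
    if ipaddress.ip_address(r["new_gateway"]) not in net:
        return False, "new gateway is not on the directly connected network"
    if ipaddress.ip_address(r["destination"]) in net:
        return False, "destination is directly connected, no gateway needed"
    return True, "accepted"


# Constructed lab values (assumptions, not from the original post): the target is 192.168.2.60 as in the
# post, the real router is 192.168.2.1, the attacker 192.168.2.50, the remote host a TEST-NET address.
ROUTER, TARGET, ATTACKER, REMOTE = "192.168.2.1", "192.168.2.60", "192.168.2.50", "203.0.113.5"
LAN = "192.168.2.0/24"


def netwox86_style_redirect():
    """The forged message the attack depends on: source IP = the real router, new gateway = the attacker."""
    triggering = ipv4_header(TARGET, REMOTE, 17, 8) + bytes(8)  # first 28 bytes of a packet TARGET sent to REMOTE
    return build_icmp_redirect(ROUTER, TARGET, ATTACKER, triggering)


def remote_redirect():
    """A redirect arriving from an address that is not the target's first-hop gateway."""
    triggering = ipv4_header(TARGET, REMOTE, 17, 8) + bytes(8)
    return build_icmp_redirect("198.51.100.7", TARGET, ATTACKER, triggering)


if __name__ == "__main__":
    print("forged in the router's name:", accept_redirect(netwox86_style_redirect(), ROUTER, LAN))
    print("from an off-link sender:    ", accept_redirect(remote_redirect(), ROUTER, LAN))
```

The checks stop a redirect from an off-link sender and a redirect pointing at an off-link gateway, but an attacker on the same LAN can satisfy all of them by spoofing the router's address, so on Linux the host-side equivalent of the firewall precaution is to refuse redirects altogether with net.ipv4.conf.all.accept_redirects = 0 (and net.ipv4.conf.all.send_redirects = 0 on machines that are not routers).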

3. TCP RST attack

The principle:
The TCP RST attack, also called the forged TCP reset packet attack, is a technique for disrupting a normal TCP connection with counterfeit segments. It uses the RST flag in the TCP header: in most segments this flag is 0, and when a host receives a segment with RST set to 1, it tears down the TCP connection. Assume hosts A and B are communicating normally over TCP and an attacker is monitoring the traffic between them. The attacker sends B a forged segment, appearing to come from A, with the RST flag set to 1; when B receives and checks it, it finds RST = 1 and closes its connection with A. The forged segment must match the connection's addresses and ports and carry a sequence number that B will accept, which is why the attack is paired with sniffing.
Practical operation:

  • Use netwox tool 78 to attack: netwox 78 -i [target ip] performs a TCP RST attack on the target and makes it drop all of its TCP connections.
  • After running the command, open Wireshark to capture and analyse, and have the target's browser visit any website. The browser cannot reach it and reports ERR_CONNECTION_RESET, i.e. the TCP connection was reset.
  • Notably, I had an SSH connection between the target and the attacking machine; after the TCP RST attack was carried out, the target's SSH connection with the attacking machine was dropped as well.
  • Analysing the Wireshark capture: during the TCP RST attack the target's access to the server is interrupted; as shown in the figure, the segment that appears to come from the server and interrupts the target's TCP connection has the RST flag set to 1.

    Precautions:
    Deploy a firewall that filters segments with RST = 1. Filtering every RST also breaks legitimate resets, so in practice the defence is the sequence-number validation of RFC 5961 (implemented by modern stacks, which reset only on a segment whose sequence number exactly matches the next expected one), and carrying sensitive sessions over IPsec so that a reset cannot be forged from sniffed headers.
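An added example, not from the original post, showing both halves of the attack above: the forged RST segment itself (a TCP header with only RST set, checksummed over the IPv4 pseudo-header) and the decision the receiving stack makes, under the original RFC 793 rule and under RFC 5961. The scenario (the target 192.168.2.60 holding an SSH session to 192.168.2.50, with a sniffed next expected sequence number close to the 32-bit wrap-around) is constructed.

```python
import ipaddress
import struct

MOD = 1 << 32


def inet_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq):
    """20-byte TCP header with only RST set, checksummed over the IPv4 pseudo-header:
    the segment a reset attack forges in the name of src_ip:sport."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x04, 0, 0, 0)
    pseudo = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(hdr)))
    return hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr)) + hdr[18:]


def tcp_flags(segment):
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    return [n for i, n in enumerate(names) if segment[13] & (1 << i)]


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, with 32-bit wrap-around."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def handle_rst(seq, rcv_nxt, rcv_wnd, rfc5961=True):
    """What the receiving stack does with a RST whose addresses and ports match an established connection.
    RFC 793: any in-window sequence number resets. RFC 5961: only SEG.SEQ == RCV.NXT resets;
    other in-window values get a challenge ACK, out-of-window ones are dropped."""
    if seq == rcv_nxt:
        return "reset"
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    return "challenge-ack" if rfc5961 else "reset"


def blind_rst_guesses(rcv_wnd, rfc5961=True):
    """Worst-case number of forged RSTs an attacker who cannot sniff (but knows addresses and ports)
    must send to cover the sequence space: one per window under RFC 793, one per value under RFC 5961."""
    return MOD if rfc5961 else -(-MOD // rcv_wnd)


# Constructed scenario (assumption, not from the original post): the target 192.168.2.60 has an SSH
# session to 192.168.2.50; the attacker has sniffed the target's next expected sequence number
# RCV_NXT and its receive window RCV_WND.
RCV_NXT, RCV_WND = 0xFFFFFFF0, 65535


def demo():
    sniffed = build_rst("192.168.2.50", "192.168.2.60", 22, 51234, RCV_NXT)
    return {
        "flags": tcp_flags(sniffed),
        "sniffed_seq": handle_rst(RCV_NXT, RCV_NXT, RCV_WND),
        "off_by_10_modern": handle_rst(RCV_NXT + 10, RCV_NXT, RCV_WND),
        "off_by_10_rfc793": handle_rst(RCV_NXT + 10, RCV_NXT, RCV_WND, rfc5961=False),
        "wrapped_seq": handle_rst((RCV_NXT + 100) % MOD, RCV_NXT, RCV_WND),  # past 2^32, still in window
        "far_away": handle_rst((RCV_NXT + RCV_WND) % MOD, RCV_NXT, RCV_WND),  # first value outside the window
        "blind_guesses_rfc793": blind_rst_guesses(RCV_WND, rfc5961=False),
        "blind_guesses_rfc5961": blind_rst_guesses(RCV_WND),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>22}: {v}")
```

With the sequence number sniffed, as netwox 78 does, the reset succeeds against either kind of stack; the RFC 5961 rule only changes the picture for an attacker who has to guess, which is why the sniffing step in the exercise is essential.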

4. TCP session hijacking

The principle:
A session is a communication between two hosts: when you Telnet to a host, that is a Telnet session; when you visit a website, that is an HTTP session. Session hijacking combines sniffing and spoofing techniques. In a normal session, an attacker joins as a third party and can insert malicious data into the normal packets, can eavesdrop on both parties, or can even take the place of one of the hosts and take over the conversation. By technique, session hijacking attacks can be divided into 1) man-in-the-middle (MITM) attacks and 2) injection attacks; by form they can be divided into 1) passive hijacking, where the attacker silently monitors the session data stream of both parties in the background to obtain sensitive data, and 2) active hijacking, where one of the two hosts is "kicked" offline and the attacker takes its place and takes over the conversation.
Practical operation:

  • I had wanted to use the hunt-1.5 tool for TCP session hijacking, but after installing hunt-1.5 I found that it did not recognise the network card and did not catch any network connections in the LAN; the attempt ended in failure and is still unresolved.
  • After running the command it showed no connections.

    Precautions:
  • Replace shared networks with switched networks;
  • Encrypt communications: use SSH in place of Telnet and SSL in place of HTTP, or use IPsec/VPN;
  • Monitor network traffic: if a large number of ACK packets appears on the network, a session hijacking attack may be under way;
  • Prevent ARP spoofing.

5. SYN flood attack

The principle:
The SYN flood attack exploits a defect in the TCP three-way handshake: the attacker sends the target host a large number of TCP SYN packets with forged source addresses. For each one, the target allocates the resources needed for the connection, returns a SYN+ACK to the source address and waits for the source's ACK. Because the source address is forged, the ACK never arrives; the victim keeps retransmitting the SYN+ACK, and the half-open connection accumulates in the port's half-open connection queue. Hosts do have a default retransmission timeout and retry count, but the half-open queue has a limited length, so if large numbers of TCP SYN packets are sent to the target continuously, the queue quickly fills up, the server rejects new connections, the port can no longer respond to connection requests from other machines, and in the end the victim's resources are exhausted.
Practical operation:

  • Use the Linux virtual machine as the attacker to launch a SYN flood against the Win7 target, whose IP address is 192.168.2.60;
  • Use netwox tool 76 to attack: netwox 76 -i "[target ip]" -p [port number]. Here I launched the SYN flood against port 23, the Telnet service.
  • At the same time, run Wireshark on the target to capture and analyse: a large number of SYN connection requests from forged IP addresses can be seen arriving at the target. These forged requests cannot be traced back to the attacker's real identity through their source addresses.
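An added example, not from the original post, that serves both the three-way handshake description in section II.2 and the SYN flood section here: a small model of a listening port whose half-open queue is filled by spoofed SYNs, using the Seq/Ack arithmetic from the handshake (SYN with Seq = x, SYN+ACK with Seq = y and Ack = x + 1, ACK with Seq = x + 1 and Ack = y + 1). Running it with different queue lengths and timeouts shows what the first precaution below (shorter timeout, longer half-open queue) actually buys. The target address, flood rate and client addresses are constructed values.

```python
import random
from collections import OrderedDict

MOD = 1 << 32


class TcpListener:
    """Model of one listening port: the half-open (SYN-RCVD) queue is the resource a SYN flood fills.
    Sequence/acknowledgement arithmetic follows the three-way handshake described in section II.2."""

    def __init__(self, backlog, syn_timeout, seed=1):
        self.backlog = backlog            # maximum half-open entries (the half-connection queue length)
        self.syn_timeout = syn_timeout    # seconds an unanswered SYN+ACK is kept before being given up
        self.half_open = OrderedDict()    # (src_ip, src_port) -> (our_isn_y, expected_client_seq, expiry)
        self.established = []
        self.dropped_syns = 0
        self.rng = random.Random(seed)    # deterministic initial sequence numbers for the demo

    def _reap(self, now):
        """Timed-out half-open entries are released, as the retransmission limit would do."""
        for key in [k for k, v in self.half_open.items() if v[2] <= now]:
            del self.half_open[key]

    def on_syn(self, src, x, now):
        """Step 1 -> 2: allocate state and answer SYN+ACK with Seq = y, Ack = x + 1 (None if the queue is full)."""
        self._reap(now)
        if src not in self.half_open and len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        y = self.rng.getrandbits(32)
        self.half_open[src] = (y, (x + 1) % MOD, now + self.syn_timeout)
        return {"flags": "SYN+ACK", "seq": y, "ack": (x + 1) % MOD}

    def on_ack(self, src, seq, ack, now):
        """Step 3: the client's ACK must carry Seq = x + 1 and Ack = y + 1 to reach ESTABLISHED."""
        self._reap(now)
        entry = self.half_open.get(src)
        if entry is None:
            return False
        y, expected_seq, _ = entry
        if seq != expected_seq or ack != (y + 1) % MOD:
            return False
        del self.half_open[src]
        self.established.append(src)
        return True


def client_handshake(server, src, now):
    """A legitimate client: SYN(x), then ACK(x + 1, y + 1) after reading the SYN+ACK."""
    x = random.Random(src[1]).getrandbits(32)
    synack = server.on_syn(src, x, now)
    if synack is None:
        return False
    return server.on_ack(src, synack["ack"], (synack["seq"] + 1) % MOD, now)


def syn_flood(server, count, now, rng):
    """Spoofed SYNs: the SYN+ACK goes to an address that never answers, so each entry stays until timeout."""
    for _ in range(count):
        src = ("10.%d.%d.%d" % tuple(rng.randrange(256) for _ in range(3)), rng.randrange(1024, 65536))
        server.on_syn(src, rng.getrandbits(32), now)


def run(backlog, syn_timeout, flood_rate, seconds=20):
    """Fraction of legitimate clients (one per second) that complete the handshake while the target
    receives flood_rate spoofed SYNs per second."""
    server = TcpListener(backlog, syn_timeout)
    rng = random.Random(7)
    ok = 0
    for t in range(seconds):
        syn_flood(server, flood_rate, t, rng)
        ok += client_handshake(server, ("192.168.2.10", 40000 + t), t + 0.5)
    return ok / seconds


if __name__ == "__main__":
    print("no flood:                        ", run(128, 3, 0))
    print("flood, small queue, long timeout:", run(128, 3, 200))
    print("flood, larger queue + short wait:", run(1024, 1, 200))
```

The numbers make the limit of that precaution visible as well: the queue only keeps up while flood_rate multiplied by syn_timeout stays below backlog, so an attacker who can send faster than the victim can expire entries wins regardless of tuning, which is why the later precautions move the defence to the router, the firewall and source-address checking.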

    Precautions:
  • Optimize the system configuration: shorten the timeout for half-open connections, increase the length of the half-open connection queue, and close unnecessary services;
  • Optimize the router configuration: configure filtering on the router's inner and outer interfaces;
  • Improve the infrastructure: add source IP address checking mechanisms;
  • Use a firewall: semi-transparent gateway technology in firewalls can effectively prevent SYN flooding attacks;
  • Proactive monitoring: monitor TCP/IP traffic, collect communication control information, analyse connection state, and identify attacks.

IV. Problems encountered

The hunt session hijacking tool could not listen for LAN connection information on the network card. Although other tools can intercept the target's plaintext passwords, tampering with or injecting into the session is still difficult to achieve.


Source: www.cnblogs.com/jackpan-blog/p/12589158.html