20199103 2019-2020-2 "Network Attack and Defense Practice": Week 5 Assignment

1. Practice content

Network security attributes and attack modes

Network security attributes

  • Confidentiality: information cannot be read or used by unauthorized parties.
  • Integrity: information cannot be altered without authorization.
  • Availability: authorized users can access the resource when they need it.
  • Authenticity: a party cannot simply impersonate another.
  • Non-repudiation: a communicating party cannot deny having sent a message.

Network attack mode

  • Interception: obtaining the information exchanged between two parties; violates confidentiality.

  • Interruption: the communication cannot continue; violates availability.

  • Tampering: modifying the information; violates integrity.

  • Forgery: faking an identity; violates authenticity.

  • Man-in-the-middle attack: suppose A and B are communicating; C intercepts the traffic between them, claims to be B toward A, and claims to be A toward B.

Network protocol stack defects

  • Network interface layer: Ethernet is the most commonly used protocol. Ethernet performs no verification of MAC addresses, and the MAC address of a physical network card can be changed in software.
  • Internet layer: the most important protocols are the well-known IPv4, ICMP and ARP. IPv4's biggest weakness is that it does not verify the authenticity of the source address; like a letter in the post, the sender can write any return address. ARP maps IP addresses to MAC addresses but does not verify the mapping: if I say I am xx.xx.xx.xx, others believe me even though I may be lying. ICMP can be abused for attacks such as flooding.
  • Transport layer: as everyone knows, this is mainly TCP and UDP. An established TCP session is vulnerable to forgery and spoofing attacks, such as the TCP RST attack practised below. UDP is a simple stateless transport protocol with less attack surface; the common attack against it is UDP flooding.
  • Application layer: application-layer protocols are varied and mostly transmit in cleartext, so they are exposed to eavesdropping, spoofing and man-in-the-middle attacks (?).

Raw packet forgery

With full knowledge of a protocol, we do not have to let the protocol stack build packets for us; we can construct a fake packet ourselves directly. Besides writing our own code, the powerful netwox tool can construct arbitrary TCP, UDP and IP packets.


IP source address spoofing

Principle

  • As mentioned above, IP does not authenticate the source address, so an attacker can forge its source IP address when sending data to someone else.
  • Normally the attacker cannot receive the response packets, because the attacker does not actually own the forged IP. There are special cases: if the forged IP is on the same LAN as the attacker, ARP spoofing or redirection can be used to obtain them.
  • Without access to the response packets there is still a blind attack: 1. First attack the host to be impersonated so that it stops responding. 2. Send a SYN packet to the target host with that host's IP as the source, and guess the SEQ (sequence number) of the target host's SYN/ACK reply. 3. Then send forged ACK packets with the ACK value set to that sequence number plus one; many ACK packets can be sent to raise the chance of a hit. 4. Once the connection is established, send messages to the target host while impersonating the silenced host.

Precautions

  • Use random sequence numbers so that others cannot guess them.
  • Encrypt the transmitted packets.
  • Avoid trust mechanisms based on IP addresses.
  • Packet filtering.

ARP spoofing

Principle

  • How ARP works will not be repeated here.
  • As said before, ARP does not verify authenticity: whatever it is told, it believes.
  • If A wants to know which MAC address belongs to IP address B, A broadcasts a request. Normally only B replies, but the attacker C replies that B's IP address is at C's MAC address (which it is not), and keeps sending such replies. A then updates its ARP cache to map that IP to C's MAC address and will not ask again next time.

Precautions

  • Statically bind the important IP-to-MAC mappings.
  • Use appropriate preventive tools.
  • Encrypt data to reduce the damage.
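The symptom of the spoofing described above is one IP address suddenly answering from a second MAC address, which is what ARP-watching tools look for. The following is an added example, not code from the original post: a small monitor that learns the first MAC seen per IP from ARP replies, flags any later reply that disagrees, and optionally honours a static IP-to-MAC table (the "static binding" precaution). All replies and addresses are constructed samples.

```python
"""ARP cache poisoning detector (added example, not from the original post).

Remembers the first MAC address seen for each IP in ARP replies and raises an
alert when a later reply claims that IP with a different MAC. An optional static
IP-to-MAC table models the "static binding" precaution: entries in it always win
over anything learned from the wire. All addresses below are constructed samples.
"""

# Constructed sample ARP replies as (sender IP, sender MAC). The third and
# fourth entries are a second MAC repeatedly claiming the gateway's IP.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway, legitimate
    ("192.168.1.10", "aa:aa:aa:aa:aa:10"),  # a host, legitimate
    ("192.168.1.1", "bb:bb:bb:bb:bb:99"),   # spoofed reply for the gateway IP
    ("192.168.1.1", "bb:bb:bb:bb:bb:99"),   # spoofers resend to keep the cache poisoned
]


class ArpMonitor:
    def __init__(self, static_bindings=None):
        # Trusted IP -> MAC entries (normalized to lower case).
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.learned = {}
        self.alerts = []

    def observe(self, ip, mac):
        """Feed one ARP reply; returns an alert string or None."""
        mac = mac.lower()
        expected = self.static.get(ip) or self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac      # first sighting of this IP: learn it
            return None
        if expected != mac:
            alert = f"ARP conflict for {ip}: expected {expected}, reply claims {mac}"
            self.alerts.append(alert)
            return alert
        return None


def scan(replies, static_bindings=None):
    """Run the monitor over a list of replies and return the alerts raised."""
    mon = ArpMonitor(static_bindings)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES):
        print(line)
```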

ICMP redirection techniques

Principle

  • How ICMP works will not be repeated here.
  • Combined with IP source address spoofing, the attacker poses as the gateway and tells the victim that a designated new IP is its new gateway.
  • With IP forwarding turned on at the new IP, the man-in-the-middle attack can begin.
  • Note: because the path through the middleman is certainly not optimal, the new IP, when forwarding, may itself send a redirect packet that points the victim back to the real gateway, undoing the change.

Prevention

  • Set up a firewall and check that ICMP redirect messages actually come from the local router.

TCP RST attack

Principle

  • The TCP header has a reset (RST) bit; once it is set to 1, the host receiving the packet immediately closes the TCP session.
  • If the attacker learns the two parties' IP addresses, port numbers and sequence numbers, it can impersonate either IP and send a reset to the other party, directly interrupting the communication.
  • netwox can carry out this attack.
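The reason the attacker needs the sequence number, and the reason current stacks resist guessed resets, is the receive-side check on an incoming RST. The following is an added example, not code from the original post: a model of one TCP endpoint applying the RST rule of RFC 5961 section 3.2 (exact match closes, in-window gets a challenge ACK, anything else is dropped) next to the older "any in-window RST closes" rule, so the two can be compared on the same constructed sequence numbers.

```python
"""RST acceptance rules at a TCP receiver (added example, not from the original post).

Models one endpoint's receive side with the RFC 5961 section 3.2 rule: a RST is
honoured only when its sequence number equals RCV.NXT; an in-window RST triggers
a challenge ACK instead of closing; everything else is dropped. The legacy rule
(any in-window RST closes the session) is kept for comparison. All connection
numbers below are constructed.
"""
MOD = 2 ** 32


class TcpEndpoint:
    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt = rcv_nxt % MOD   # next sequence number expected from the peer
        self.rcv_wnd = rcv_wnd         # size of our receive window
        self.state = "ESTABLISHED"
        self.challenge_acks = 0

    def _in_window(self, seq):
        # Modular arithmetic so the check survives sequence-number wrap-around.
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def on_rst(self, seq):
        """RFC 5961 handling of an incoming segment with the RST bit set."""
        if seq == self.rcv_nxt:
            self.state = "CLOSED"
            return "reset"
        if self._in_window(seq):
            self.challenge_acks += 1   # a genuine peer replies with the exact seq
            return "challenge-ack"
        return "dropped"

    def on_rst_legacy(self, seq):
        """Pre-RFC-5961 behaviour: any in-window RST tears the session down."""
        if self._in_window(seq):
            self.state = "CLOSED"
            return "reset"
        return "dropped"


def accepted_resets(rcv_nxt, rcv_wnd, seqs):
    """Count how many of the given RST sequence numbers close the session under
    the modern and the legacy rule; returns (modern, legacy)."""
    modern = sum(TcpEndpoint(rcv_nxt, rcv_wnd).on_rst(s) == "reset" for s in seqs)
    legacy = sum(TcpEndpoint(rcv_nxt, rcv_wnd).on_rst_legacy(s) == "reset" for s in seqs)
    return modern, legacy
```

A burst of challenge ACKs on a connection is itself a useful detection signal, since a legitimate peer rarely sends in-window but inexact resets.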

TCP session hijacking attacks

Principle

  • Some network services perform application-layer authentication after the TCP session is established, but generally do not authenticate again afterwards.
  • Session hijacking is currently usually combined with ARP spoofing.
  • After target host A starts communicating with server B, attacking host C poses as A and begins sending messages to B.
  • However, A continues to send messages to B as well, and since the ACK values no longer match, this generates an ACK storm.

Prevention

  • Statically bind the IP-MAC mapping table to prevent ARP spoofing.
  • Check and filter ICMP redirect messages.

TCP SYN Flood Denial of Service Attack

Principle

  • Send a large number of SYN packets from many fake addresses to the host, consuming the host's half-open connection queue.
  • The host replies SYN/ACK to each and waits for a response, but most of the fake addresses are inactive and do not even answer with RST, so the host keeps retransmitting SYN/ACK and the half-open connections pile up in the backlog queue until it is full.

Precautions

  • SYN cookies: avoid allocating resources before the handshake has completed.
  • Firewall address state monitoring: the monitoring program watches each IP; when an IP does not reply for a long time, the firewall replies with an RST on its behalf (as a proxy) and puts that IP on a "blacklist".
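How a SYN cookie avoids that resource allocation: the server encodes the connection into the ISN of its SYN/ACK and recovers it from the client's final ACK, so SYNs from dead addresses leave nothing behind in the backlog queue. The following is an added example, not code from the original post or from Linux; the 32-bit layout (5 bits time counter, 3 bits MSS index, 24 bits keyed hash) is an assumption for illustration, and the key, addresses and ports are constructed.

```python
"""SYN cookie generation and validation (added example, not from the original post).

A SYN-cookie server keeps no half-open state: the ISN it sends in SYN/ACK encodes
the connection, and the client's final ACK (ISN + 1) is checked to recover it.
Layout used here (an assumption, not Linux's exact layout): 5 bits of a slowly
incrementing time counter, 3 bits of MSS index, 24 bits of keyed hash.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"          # a real stack uses a random per-boot key
MSS_TABLE = [536, 1024, 1220, 1440, 1460]    # encodable MSS values (index fits in 3 bits)


def _tag24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, counter):
    """ISN to send in SYN/ACK; nothing is stored for this half-open connection."""
    counter &= 0x1F
    # Largest table entry not above the client's MSS (fall back to the smallest).
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= client_mss], default=0)
    return (counter << 27) | (mss_idx << 24) | _tag24(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now_counter):
    """Validate the handshake's final ACK. Returns the recovered MSS, or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the client ACKs our ISN + 1
    counter = cookie >> 27
    if (now_counter - counter) & 0x1F > 1:     # stale cookie (older than one tick)
        return None
    if (cookie & 0xFFFFFF) != _tag24(src_ip, src_port, dst_ip, dst_port, counter):
        return None                            # forged value or mismatched 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    isn = make_cookie("10.0.0.5", 40000, "10.0.0.1", 23, 1460, counter=7)
    print("SYN/ACK ISN:", isn, "-> recovered MSS:",
          check_cookie("10.0.0.5", 40000, "10.0.0.1", 23, isn + 1, 7))
```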

Detection, prevention and reinforcement

  • Network interface layer: the main defence is detecting sniffing. Listening points on the LAN can be detected, the network structure can be optimized, and critical gateways and routers should be well protected.
  • Internet layer: various detection and filtering techniques can be employed to detect and prevent spoofing attacks that may occur in the network.
  • Transport layer: encrypted transmission and security controls can be implemented.
  • Application layer: encryption, digital signatures, etc.

Network security protocol

  • Network interface layer: the most common ones are the WiFi and Bluetooth transport protocols, which implement authentication, encryption and so on.
  • Internet layer: the most important protocol today is the IPsec protocol suite, which provides a complex specification and also applies to IPv6.
  • Transport layer: the main transport-layer security protocol is TLS, which has two security features: 1. it uses symmetric-key encryption algorithms; 2. it uses a hash function to compute an integrity checksum for reliable messaging.
  • Application layer: application-layer security protocols are characterized by different mechanisms for different needs, such as e-mail and HTTP security.

2. Practice

Complete the TCP/IP protocol stack attack experiments, including ARP cache poisoning, ICMP redirection, SYN flood, TCP RST and TCP session hijacking attacks.

ARP cache poisoning attacks

  • First of all, the experiment needs hunt and netwox, so: sudo apt-get install netwox and apt-get install hunt.

  • First, find out the target machine's MAC.

  • Then I run netwox 33 -b MAC(A) -g IP(spoofed) -h MAC(A) -i IP(A); here MAC(A) is the target's MAC and IP(spoofed) is the IP you want to impersonate.

  • Then I look at arp -a on the target. The screenshot shows arp -a twice: the first time is before the spoofing, the second time shows 192.168.154.130 successfully impersonated. Before this attack, if you do not know the machine's MAC you need to check it; I forgot to take a screenshot of that step.

icmp redirect attack

  • According to the textbook example, netwox 86 -f "host IP1" -g IP2 -i IP3 (gateway) means: sniff packets whose source or destination IP is IP1, then send ICMP redirect messages in the name of source address IP3, telling the host to use IP2 as its default route.

  • First, check the target's routing table.

  • Then run the command.

  • After visiting some page, open the routing table again.

  • You can see the change: 192.168.254.128 appears in the routing table.

SYN Flood attacks

  • The command is netwox 76 -i IP -p port, where IP is the address to attack and port is the port. Telnet uses port 23, so I attacked port 23.

  • I do not know why, but when I attacked the seed machine and then telnetted from xp to 192.168.254.131 (seed), nothing happened and it could still connect, perhaps because seed's processing power is strong? So I changed the target to metasploitable and connected from seed to metasploitable, and it succeeded.

  • First, test that seed can make a telnet connection to metasploitable.

  • It can; then attack metasploitable.

  • After that, telnet from seed to metasploitable: no reaction for quite a while.

  • I went out to eat dumplings and came back before it had reacted.

  • Success.

TCP RST attack

  • netwox 78 -i <target IP> achieves the goal. As before, first establish a telnet connection, then attack.

  • The connection was closed before I had even entered the account name...

  • Success.

TCP session hijacking

  • This experiment has a very troublesome problem: hunt does not detect a connection, although the telnet connection between my two target machines has been established.

  • Online information says this is because I did not turn on IP forwarding.

  • You can see that it is turned on.

  • Other information says ARP spoofing must be achieved first; I carried out spoofing on both target machines, but the result is still as follows.

  • It keeps showing that no connections are available, and I do not know what is going on, so this is put on hold; I will update again once I find a solution.

3. Difficulties encountered

  • Problem 1: the TCP SYN flood attack on seed was ineffective, even though Wireshark confirmed that SYN packets were sent.
  • Solution to problem 1: change the target to metasploitable.

4. Practice summary

Overall, this practice assignment was simpler than the previous ones, and I did not encounter much trouble. However, the problem of hunt not catching the connection is still unresolved.

Origin: www.cnblogs.com/maomutang/p/12592705.html