20199101 2019-2020-2 "Network Attack and Defense Practice", Week 5 Assignment

Network protocol attacks and their principles


0. Overall structure


This assignment belongs to the course: Network Attack and Defense Practice
The assignment's requirement: TCP/IP network protocol attacks
My goal in this course: to learn the techniques and principles of network attack and defense
The aspect of this assignment that helped me reach that goal: the principles and practice of TCP/IP network protocol attacks

1. Practice content


Chapter 5 is fairly long, but systematic and complete: it mainly covers attacks on network-layer and transport-layer protocols. The book explains the principle of each attack in detail, so I give the principles a bit more space here. I first sort out the theory under the following headings, then do the practice after class.

  • Network protocol attacks and basic concepts
  • Network layer protocol attacks and preventive measures
  • Transport layer protocol attacks and preventive measures

Network protocol attacks and basic concepts


The first thing to keep in mind when learning network and information security is the five security attributes: confidentiality, integrity, availability, authenticity and non-repudiation. Every attack and every defense revolves around these five attributes. Correspondingly, an attacker usually works in one of the following modes:

  • Interception: a passive attack mode based on sniffing and eavesdropping, which obtains the content of the traffic exchanged between two communicating parties.
  • Interruption: an active attack mode based on denial-of-service techniques, which makes network communication or a session impossible.
  • Forgery: an active attack mode based on spoofing, in which the attacker impersonates one of the communicating parties and deceives the other for a malicious purpose.
  • Tampering: an active attack mode based on man-in-the-middle techniques, including packet modification, in which the attacker alters traffic in flight so that one or both parties receive false information.

An attacker still needs a security flaw to exploit. The following briefly lists the security flaws of the TCP/IP protocol stack layer by layer, together with the corresponding attack techniques; the main ones are explained in detail in the next section.

  1. Network interface layer: with Ethernet, a network interface in promiscuous mode can intercept and sniff frames directly, and because the source MAC address is not authenticated, MAC address spoofing is possible.
  2. Internet layer: IP forwards packets based only on the destination address and never checks whether the source IP address is genuine, i.e. there is no IP address authentication, so it is vulnerable to IP spoofing. Other attacks at this layer include source-routing abuse, IP fragmentation attacks, ARP spoofing, ICMP redirection and Smurf attacks.
  3. Transport layer: once a TCP session has been established it is very vulnerable to forgery and spoofing; an attacker can tear down a session directly with a TCP RST attack. The design of the TCP three-way handshake also allows SYN flood attacks.
  4. Application layer: popular application protocols such as HTTP, FTP, POP3/SMTP and DNS lack security in their design.

Among the attack techniques against the protocol stack the most important, or at least the most common, is spoofing: the attacker forges specially crafted packets, sends them to the target host, and the target is attacked while processing them. Netwox is an open-source toolkit that can create arbitrary TCP/UDP/IP packets; it supports constructing and sending forged packets from the command line, so the process can be automated with scripts.


Network layer protocol attacks and preventive measures


1. IP source address spoofing attack


  • Principle: routers forward a packet using only its destination address; the source address is never verified.
  • Attack steps (refer to the figure below together with the text):
  • Launch a denial-of-service attack against the trusted host so that it cannot respond.
  • Sample the target host's TCP initial sequence numbers (ISNs) and predict the next one.
  • Send a SYN packet to the target host with the source address forged as the trusted host's IP.
  • The target host sends its SYN/ACK to the trusted host, which has been silenced and cannot reply.
  • Again posing as the trusted host, send the target an ACK packet carrying the guessed sequence number to complete the connection.
  • Application scenarios: denial-of-service attacks, network scanning (nmap -D decoy scans)
  • Tools: Netwox, Wireshark, nmap
  • Precautions:
  • Use randomized initial sequence numbers
  • Use a secure network-layer transport protocol
  • Avoid trust policies based on IP addresses
  • Implement packet filtering on routers and gateways

ip1.png


2. ARP spoofing attack


  • Definition: ARP spoofing, also called ARP poisoning, is an attack technique in which the attacker sends forged ARP messages over a wired or wireless Ethernet so that a chosen IP address is mapped to a MAC address the attacker controls.
  • Principle: ARP was designed on the assumption that every host on the LAN can be trusted, but there may be an attacker inside the LAN, or an outside attacker or malicious code that has already penetrated it. As a result, forged IP-to-MAC mappings are very easily injected into a host's ARP cache.
  • Attack steps (refer to the figure below together with the text):
  • Source node A wants to send packets to destination node B, so ARP broadcasts a request on the LAN segment asking for the MAC address mapped to B's IP address.
  • The attacking node C claims that B's IP address maps to its own MAC address and keeps sending ARP replies to the source node.
  • Because C sends these replies continuously, the source node is forced to update its ARP cache with the mapping in C's reply.
  • When A next sends a packet to B, it goes straight to C's MAC address; C then relays it to B while posing as B, completing the spoof.
  • If the spoofed node is the gateway, every packet that any node in the LAN sends through the gateway passes through the attacking node first and can be sniffed, monitored and maliciously modified.
  • Scenarios: switched networks, building man-in-the-middle attacks, malicious code.
  • Tools: Arpspoof from DSniff, arpoison, Ettercap, Netwox.
  • Precautions:
  • Statically bind the IP-to-MAC mappings of key hosts
  • Use suitable ARP defense tools
  • Segment the network topology with virtual subnets
  • Encrypt transmissions

arp1.png
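To make the frames concrete, here is an added Python example (not from the page, the book or netwox) that packs an ARP reply the way a forger does and runs a minimal arpwatch-style detector over a constructed sequence of frames: a genuine reply from MetaSploitable to SEED Ubuntu, followed by the mapping that netwox 80 -e <Kali MAC> -i <MetaSploitable IP> keeps advertising in the practice section below. The addresses are the lab addresses from that section; that netwox 80 emits reply-type (opcode 2) frames addressed to the victim is my assumption, and the static gateway binding in the test is a placeholder.

```python
import struct

ETH_TYPE_ARP = 0x0806
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II frame carrying an ARP packet. A forger simply puts its own MAC in
    sender_mac and the IP it wants to hijack in sender_ip; nothing authenticates either."""
    eth = mac_bytes(dst_mac or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        return None
    mac = lambda b: ":".join("%02x" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}


class ArpWatch:
    """Minimal arpwatch-style detector: remember the first MAC seen for each IP and flag any
    later frame whose sender fields claim a different MAC for that IP. Requests are watched
    too, because caches learn from both opcodes and a poisoner may use either."""

    def __init__(self, static=None):
        self.table = dict(static or {})   # static bindings (the page's first precaution) are pre-seeded
        self.alerts = []

    def observe(self, frame):
        p = parse_arp_frame(frame)
        if p is None or p["sender_ip"] == "0.0.0.0":        # ignore non-ARP frames and ARP probes
            return None
        known = self.table.get(p["sender_ip"])
        if known is None:
            self.table[p["sender_ip"]] = p["sender_mac"]
            return None
        if known != p["sender_mac"]:
            alert = (p["sender_ip"], known, p["sender_mac"])
            self.alerts.append(alert)
            return alert
        return None


# Lab addresses from the practice section; the frame sequence itself is constructed.
KALI, METASPLOITABLE, SEED = "00:0c:29:5d:8c:d9", "00:0c:29:8d:3c:c0", "00:0c:29:82:d2:95"


def poisoning_sequence():
    """A genuine reply from MetaSploitable to SEED, then (twice, since netwox 80 repeats it) the
    mapping `netwox 80 -e 00:0c:29:5d:8c:d9 -i 192.168.3.21` advertises: Kali's MAC for
    MetaSploitable's IP. Returns the detector's verdict per frame."""
    genuine = build_arp_frame(ARP_REPLY, METASPLOITABLE, "192.168.3.21", SEED, "192.168.3.20")
    forged = build_arp_frame(ARP_REPLY, KALI, "192.168.3.21", SEED, "192.168.3.20")
    watch = ArpWatch()
    return [watch.observe(f) for f in (genuine, forged, forged)]
```

The detector only works if it saw the genuine mapping first (or was seeded with a static binding), which is why the first precaution above, static bindings for key hosts such as the gateway, is what makes the alert reliable rather than a race against the attacker.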


3. ICMP route redirection attack


  • Definition: an attack technique in which the attacker poses as a router and sends forged ICMP routing-control messages so that the target host chooses a route dictated by the attacker, enabling sniffing or spoofing. ICMP messages fall into two classes: error-reporting messages (destination unreachable, time exceeded, parameter problem) and control messages (request/reply messages and notification messages).
  • Principle: use ICMP redirect messages to change the target host's routing table: disguised as the router, send the target a redirect so that its packets go to the attacking machine, which can then monitor them.
  • Attack steps:
  • Using IP source address spoofing, the attacking node poses as the gateway and sends an ICMP redirect message to the victim node, specifying the attacking node's IP address as the new router.
  • When the victim node receives the message it checks the constraints on redirects; since the forged message does not violate them, it is accepted and the attacking node is selected as the new router.
  • The attacking node can then turn on forwarding and act as a man in the middle, sniffing and monitoring all of the victim's communication, achieving an effect similar to ARP spoofing.
  • While forwarding, because of how the ICMP redirect mechanism is designed, the attacking node's own protocol stack may send an ICMP redirect to the victim naming the original gateway as the new router, which restores the victim's routing to its original state.
  • Tools: Netwox
  • Precautions:
  • Filter ICMP messages by type
  • Set up firewall filtering
  • Check that ICMP redirect messages come from the local router, and ignore those that do not
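An added Python example (not from the page or netwox) that packs the redirect netwox 86 -f "host <victim>" -g <attacker> -i <gateway> sends in the practice section, parses it back, and applies first the constraints a classic host stack checks (which the forged message passes, as the second step says) and then the page's last precaution, checking that the message really came from the local router, done here at the link layer against the router's known MAC. The external destination 203.0.113.10 and the router MAC 00:11:22:33:44:55 are constructed placeholders; the MAC check assumes the attacker did not also spoof the Ethernet source.

```python
import ipaddress
import struct

ICMP_REDIRECT, REDIRECT_HOST = 5, 1


def checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_icmp_redirect(spoofed_router, victim, new_gateway, orig_dst):
    """The forged message: IP source = the real gateway, ICMP type 5 code 1 (redirect for host),
    gateway field = the attacker, quoting the header of a datagram the victim sent to orig_dst
    plus 8 bytes of its payload (a dummy echo-request header, constructed for the example)."""
    quoted = ipv4_header(victim, orig_dst, 1, 8) + bytes([8, 0, 0, 0, 0, 0, 0, 0])
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(spoofed_router, victim, 1, len(icmp)) + icmp


def parse_redirect(pkt):
    """The fields a host looks at before deciding whether to honour a redirect."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if proto != 1:
        return None
    icmp = pkt[(ver_ihl & 0x0F) * 4:]
    typ, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT:
        return None
    q_dst = icmp[8 + 16:8 + 20]            # destination address of the quoted datagram
    ip = lambda b: str(ipaddress.IPv4Address(b))
    return {"from": ip(src), "to": ip(dst), "code": code, "gateway": ip(gw),
            "orig_dst": ip(q_dst), "checksum_ok": checksum(icmp) == 0}


def stack_accepts(info, my_ip, my_subnet, current_gateway):
    """Constraints a classic host stack applies. A spoofed redirect satisfies all of them,
    which is why the attack works."""
    if not info["checksum_ok"]:
        return False, "bad ICMP checksum"
    if info["from"] != current_gateway:
        return False, "not from the first-hop router currently in use"
    if ipaddress.ip_address(info["gateway"]) not in ipaddress.ip_network(my_subnet, strict=False):
        return False, "new gateway is not on the local link"
    if info["gateway"] == my_ip:
        return False, "new gateway is this host"
    return True, "route to %s changed to %s" % (info["orig_dst"], info["gateway"])


def hardened_accepts(info, src_mac, gateway_mac, my_ip, my_subnet, current_gateway,
                     accept_redirects=True):
    """The page's precautions: drop redirects outright (on Linux,
    net.ipv4.conf.all.accept_redirects=0), or at least require that the frame really came
    from the router, checked here by the Ethernet source against the router's known MAC."""
    if not accept_redirects:
        return False, "ICMP redirects disabled by policy"
    ok, why = stack_accepts(info, my_ip, my_subnet, current_gateway)
    if not ok:
        return ok, why
    if src_mac.lower() != gateway_mac.lower():
        return False, "IP source claims the router but the frame came from %s" % src_mac
    return True, why
```

The spoofed IP source is what defeats the naive "is it from my router" test; the link-layer check holds only until the attacker pairs the redirect with ARP poisoning, which is why disabling redirect acceptance altogether is the safer setting on hosts that do not need it.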

Transport layer protocol attacks and preventive measures


1. TCP RST attack


  • Definition: the TCP RST attack, also called the forged TCP reset packet attack, is a technique that interferes with TCP connections by forging reset segments.
  • Principle: the TCP header contains a reset (RST) flag; when a host receives a segment with this flag set to 1, it immediately tears down the TCP session. A TCP reset segment therefore closes a session outright.
  • Attack steps:
  • The attacking host C sniffs the TCP connection between the communicating parties A and B.
  • Having obtained the source and destination IP addresses and ports and the sequence number, C combines them with IP source address spoofing to pose as one party and sends a TCP reset segment to the other.
  • As long as the port numbers match and the sequence number falls within the receive window, the normal communication between the two parties is interrupted, achieving a denial of service.
  • Tools: Netwox

2. TCP session hijacking attack


  • Principle: TCP session hijacking takes over an already established TCP session between two parties and impersonates one of them to continue communicating with the other. The core of the attack is getting past TCP's check of the communicating party, which rests only on the sequence numbers.
  • Attack steps:
  • The victim host connects to a telnet server and, after authentication, establishes a session.
  • The telnet server sends response packets to the victim containing the server's current sequence number (SVR_SEQ) and the next sequence number it expects from the client (SVR_ACK).
  • The attacker carries out an ARP spoofing man-in-the-middle attack and, by sniffing, obtains the content of the communication between the victim and the telnet server; it then forges the victim's IP address and identity and sends packets to the telnet server claiming to be the victim.
  • The sequence number of a packet the attacker sends must satisfy SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WND.
  • The victim still holds a telnet session with the server, but because the sequence and ACK values on the two sides no longer match, an ACK storm arises between the victim and the telnet server.
  • Precautions:
  • Disable source routing on hosts
  • Use static IP addresses and a static IP-MAC mapping table to avoid ARP spoofing
  • Filter out ICMP redirect messages

hijk1.PNG
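The sequence-number condition above is what both the RST attack and the hijack depend on, so one added Python example (mine, not the page's or netwox's) covers both sections: it records what an attacker learns from a sniffed segment, forges the in-window RST that netwox 78 sends in the practice section, forges an in-window injection as the hijack does, verifies the TCP checksums over the pseudo-header, and shows the SEQ/ACK mismatch that produces the ACK storm. The ephemeral port 54321, the sequence numbers and the injected bytes are constructed.

```python
import ipaddress
import struct

TCP_RST, TCP_PSH, TCP_ACK = 0x04, 0x08, 0x10
MOD32 = 1 << 32


def checksum(data):
    """RFC 1071 one's-complement sum, which TCP computes over pseudo-header + segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_len))


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=0, payload=b""):
    """20-byte TCP header (no options) plus payload, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq % MOD32, ack % MOD32, 5 << 4, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_tcp(segment):
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", segment[:16])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "payload": segment[(off >> 4) * 4:]}


def tcp_checksum_ok(src_ip, dst_ip, segment):
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32 so
    it survives sequence-number wrap. The text writes the hijack condition with <= at both
    ends; the difference is a single sequence number."""
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


class SniffedConn:
    """What the attacker learns from one sniffed segment A -> B: 4-tuple, SEQ, ACK, window."""

    def __init__(self, a_ip, a_port, b_ip, b_port, seq, ack, window, payload_len=0):
        self.a_ip, self.a_port, self.b_ip, self.b_port = a_ip, a_port, b_ip, b_port
        self.b_rcv_nxt = (seq + payload_len) % MOD32   # next byte B expects from A (SVR_ACK)
        self.a_rcv_nxt = ack                            # next byte A expects from B
        self.a_window = window


def forge_rst_to_a(c):
    """TCP RST attack: pose as B and reset A. A honours the RST only if its SEQ lies in A's
    receive window, so SEQ is set to what A expects next from B."""
    return build_tcp_segment(c.b_ip, c.a_ip, c.b_port, c.a_port, c.a_rcv_nxt, 0, TCP_RST)


def forge_hijack_to_b(c, data):
    """Session hijack: pose as A and inject `data` into B with SEQ = SVR_ACK, exactly the byte
    B expects next, and ACK = what A currently expects from B."""
    return build_tcp_segment(c.a_ip, c.b_ip, c.a_port, c.b_port, c.b_rcv_nxt, c.a_rcv_nxt,
                             TCP_PSH | TCP_ACK, c.a_window, data)


def desync_after_hijack(c, injected_len):
    """Why an ACK storm follows: after the injection B's RCV.NXT has moved past the real A's
    SND.NXT, so A's next segment looks old to B and B's ACKs cover bytes A never sent.
    Returns (what B now expects, what A will send next, desynchronised?)."""
    b_expects = (c.b_rcv_nxt + injected_len) % MOD32
    a_sends = c.b_rcv_nxt
    return b_expects, a_sends, b_expects != a_sends
```

A segment whose checksum was computed with the wrong address pair, or whose SEQ lies outside the window, is silently dropped by the receiver; that is the whole reason the attacker needs the sniffed 4-tuple and sequence numbers rather than just the port.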


3. TCP SYN Flood denial-of-service attack


  • Principle: exploiting the flaw in the TCP three-way handshake, the attacker sends the target host a large number of SYN connection requests with forged source addresses, exhausting the target's connection-queue resources so that it can no longer provide normal service.
  • Attack steps:
  • The attacker sends a large number of TCP SYN segments with forged source addresses to the victim host.
  • The victim host allocates the resources needed for each connection, returns a SYN/ACK to the (forged) source address and waits for the source's ACK.
  • If a forged source address belongs to a live host, that host replies directly with a RST and the connection is dropped; but most forged source addresses are unused and never return an ACK, so the victim keeps retransmitting SYN/ACK. Once the half-open connection queue is full, the server rejects new connections.
  • Precautions:
  • SYN cookies (no resources are allocated until the final ACK of the handshake arrives).
  • Firewall address-state monitoring (connections to the protected server are tracked in NEW, GOOD and BAD states).
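As an added Python example (not from the page), the first precaution worked through: a listener with a fixed half-open backlog that a constructed flood of 200 forged SYNs fills after 128, beside a SYN-cookie listener modelled on the Bernstein/Linux scheme, where the SYN/ACK sequence number is a keyed hash of the 4-tuple plus a 5-bit time counter and a 3-bit MSS index, so the server stores nothing until a valid final ACK comes back. The four-entry MSS table is the one Linux uses; the keyed hash (HMAC-SHA256 here, SipHash in Linux), the keys and the lab addresses in the test are assumptions.

```python
import hashlib
import hmac

MOD32 = 1 << 32
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values a cookie can encode (index fits in 3 bits)
COOKIE_BITS = 24                      # low 24 bits: keyed hash + MSS index; above them: counter
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MAX_AGE = 1                           # cookie accepted for this many 64-second ticks


class BacklogServer:
    """Ordinary listener: every SYN costs a half-open entry until the ACK arrives, so a flood of
    SYNs from forged sources that never ACK fills the backlog and new clients are refused."""

    def __init__(self, backlog):
        self.backlog, self.half_open, self.refused = backlog, {}, 0

    def handle_syn(self, saddr, sport, server_isn):
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return None
        self.half_open[(saddr, sport)] = server_isn
        return server_isn


class SynCookieServer:
    """SYN-cookie listener: the server's ISN *is* the state and is reconstructed from the final
    ACK, so nothing is stored for half-open connections and a flood costs only CPU."""

    def __init__(self, key1, key2):
        self.k1, self.k2, self.established = key1, key2, {}

    @staticmethod
    def _counter(now):
        return (int(now) // 64) & 0x1F

    def _h(self, key, saddr, daddr, sport, dport, count):
        msg = "%s|%s|%d|%d|%d" % (saddr, daddr, sport, dport, count)
        return int.from_bytes(hmac.new(key, msg.encode(), hashlib.sha256).digest()[:4], "big")

    def make_cookie(self, saddr, daddr, sport, dport, client_isn, mss, now):
        count = self._counter(now)
        data = max(i for i, m in enumerate(MSS_TABLE) if m <= mss) if mss >= MSS_TABLE[0] else 0
        h1 = self._h(self.k1, saddr, daddr, sport, dport, 0)
        h2 = self._h(self.k2, saddr, daddr, sport, dport, count)
        return (h1 + client_isn + (count << COOKIE_BITS) + ((h2 + data) & COOKIE_MASK)) % MOD32

    def check_cookie(self, saddr, daddr, sport, dport, client_isn, cookie, now):
        """Return the MSS encoded in the cookie, or None if it is forged or too old."""
        h1 = self._h(self.k1, saddr, daddr, sport, dport, 0)
        v = (cookie - h1 - client_isn) % MOD32
        count = v >> COOKIE_BITS
        if (self._counter(now) - count) & 0x1F > MAX_AGE:
            return None
        h2 = self._h(self.k2, saddr, daddr, sport, dport, count)
        data = (v - (count << COOKIE_BITS) - h2) & COOKIE_MASK
        return MSS_TABLE[data] if data < len(MSS_TABLE) else None

    def handle_syn(self, saddr, daddr, sport, dport, client_isn, mss, now):
        """Answer with SYN/ACK whose seq is the cookie; allocate nothing."""
        return self.make_cookie(saddr, daddr, sport, dport, client_isn, mss, now)

    def handle_ack(self, saddr, daddr, sport, dport, seq, ack, now):
        """Third handshake segment carries seq = client_isn + 1 and ack = cookie + 1."""
        mss = self.check_cookie(saddr, daddr, sport, dport, (seq - 1) % MOD32, (ack - 1) % MOD32, now)
        if mss is not None:
            self.established[(saddr, sport)] = mss
        return mss
```

The price of the scheme is visible in the code: only what fits in the cookie survives (here just the MSS, so window scaling and SACK options are lost), and a cookie expires after two counter ticks, which is why real stacks enable cookies only once the backlog is actually under pressure.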

4. UDP Flood denial-of-service attack


  • Principle: sending a large number of UDP packets to the target host or network creates a heavy processing load on the target or congests the network, putting the host or network into an unusable state, i.e. a denial of service.
  • Precautions:
  • Disable or filter diagnostic and responder services (echo, chargen and the like).
  • Disable or filter other UDP services.

2. Practice process


Task: in the attack/defense lab environment, complete the TCP/IP protocol stack attack experiments, including ARP cache poisoning, ICMP redirection, SYN flood, TCP RST and TCP session hijacking attacks.


ARP cache poisoning attack


Solution
Three machines are needed. I chose Kali as the attacking machine and the other two as normal communicating machines (Linux MetaSploitable and SEED Ubuntu).
Note: the three machines must be in the same LAN; I set all three to bridged mode so they can reach the external network directly. Their IP and MAC addresses are given below (check with ifconfig).

Machine                IP address     MAC address
Kali Linux             192.168.3.19   00:0c:29:5d:8c:d9
Linux MetaSploitable   192.168.3.21   00:0c:29:8d:3c:c0
SEED Ubuntu            192.168.3.20   00:0c:29:82:d2:95

1. On SEED Ubuntu, ping MetaSploitable to populate the ARP cache, then view the cache with arp -a. As shown in the figure, MetaSploitable's IP address and the corresponding MAC address are listed.
arp2.png

2. On Kali execute netwox 80 -e 00:0c:29:5d:8c:d9 -i 192.168.3.21. To explain: 80 is the number of the netwox tool (tool 80 is recommended over 33, because 33 sends only once and the ARP cache easily reverts); the first argument is the MAC address of the attacking machine Kali, the second is MetaSploitable's IP address. Once executed, the command keeps broadcasting this mapping on the LAN. For more netwox commands see the netwox introductory tutorial. (Don't worry that there is no output: it is broadcasting continuously.)
arp3.png
arp4.png

3. At this point the attack is actually done; let's verify it (the verification nearly killed me). The goal is to verify that Kali can listen to the communication between SEED Ubuntu and MetaSploitable. Keep in mind: the ARP cache entries for each other on SEED Ubuntu and MetaSploitable must both have changed to Kali's MAC address; only then can the packets be captured, otherwise either the ping fails or the ARP cache reverts. Now Wireshark on Kali should capture the traffic between SEED Ubuntu and MetaSploitable, as shown below.
arp6.png
arp5.png
4. Finally, don't forget to run sudo arp -d 192.168.3.21 to delete the poisoned ARP cache entry (in fact, once you stop netwox and ping again, the entry should revert by itself).


ICMP redirect attack


Solution

The environment is the same as above and is not explained again. Here we change SEED Ubuntu's routing table; MetaSploitable can be left aside.

1. First open Wireshark on SEED Ubuntu to watch the traffic, and ping baidu.com in a terminal; because the VM is bridged, SEED Ubuntu reaches the external network directly.
icmp1.png

2. On Kali run netwox 86 -f "host 192.168.3.20" -g 192.168.3.19 -i 192.168.3.1, i.e. sniff packets from 192.168.3.20 (SEED Ubuntu) and, posing as 192.168.3.1 (the gateway), send ICMP redirect messages that name 192.168.3.19 (Kali) as its default route; then observe the packets in Wireshark.
icmp2.png

3. Watching the Wireshark capture and the ping process, we see that the packets to Baidu have been redirected to 192.168.3.19 (next hop 192.168.3.19).

icmp3.png

icmp5.png


SYN Flood attacks


Here SEED Ubuntu accesses the telnet service on the target MetaSploitable, the attacking machine Kali attacks the target's telnet port, and Wireshark is used to observe.
1. On SEED Ubuntu log in to MetaSploitable with telnet 192.168.3.21 and enter the username and password (MetaSploitable's login credentials).
syn4.png

2. On Kali use netwox tool 76 to SYN flood port 23 of the target: netwox 76 -i 192.168.3.21 -p 23.
syn3.png

3. Open Wireshark: the attacker sends the target a huge number of SYN connection requests from spoofed IP addresses; these bogus requests have no real MAC address behind them, so the attacker's true identity cannot be traced. On SEED Ubuntu we also find the service inaccessible. (At this point you should notice your host's fan spinning harder.)
syn2.png
syn5.png


TCP RST attack


Here again SEED Ubuntu accesses the telnet service on the target MetaSploitable, and the attacking machine Kali launches a TCP RST attack against the target.
1. On SEED Ubuntu log in to MetaSploitable with telnet 192.168.3.21 and enter the username and password (MetaSploitable's login credentials).
syn4.png

2. On Kali use netwox tool 78 to launch the TCP RST attack against the target: netwox 78 -i 192.168.3.21.
rst1.png

3. Back on the earlier SEED Ubuntu login screen, we find the connection has been forcibly closed. You can of course also view the packets sent in Wireshark.
rst2.png


TCP session hijacking attacks



3. Problems encountered during study and their solutions


  • Problem 1: garbled Chinese when logging in to the BBS
  • Solution to problem 1: at first I started from the system fonts; in the end I found that changing the encoding at login was all that was needed.
  • Problem 2: the forensic analysis practice requires a lot of knowledge and tools, and I wasted a lot of time here
  • Solution to problem 2: keep looking up the tools and their principles

4. Learning reflections and thoughts

  • This assignment already has certain professional requirements; my knowledge of computer networks is still relatively weak, so I need to keep studying.
  • Learning while doing the exercises is still quite painful.

Reference material


Origin: www.cnblogs.com/charlesxie/p/12595985.html