20199102 2019-2020-2 "Network Attack and Defense Practice" Week 5 Assignment

1. The experiment is finished, but the blog post is not yet written; this is a placeholder for now.
2. The final version of this assignment will try to use a single tool, so as not to burden everyone with extra installs.
3. For the principles of ARP and TCP/UDP and the meaning of their fields, I recommend "TCP/IP Illustrated, Volume 1".
4. I tried many methods for this assignment; the workable, unworkable and still-unfinished ones will all be listed at the end.

0 Overall structure

This assignment belongs to the course: Network Attack and Defense Practice
Where this assignment is required: Week 5, TCP/IP network protocol attacks
My goal in this course: learn network attack and defense technologies and master the related capabilities
How this assignment helps me reach that goal: learn attacks on the TCP/IP layer protocols
Text of the assignment: parts 2, 3 and 4 below
Other references: see the last part of the body

1. Practice content

1.1 Overview of TCP/IP protocol stack attacks

  • Network security attributes and attack modes
    • Network security attributes: confidentiality, integrity, availability, authenticity and non-repudiation
    • Basic network attack modes: interception, interruption, tampering and forgery. Interception is a passive attack whose aim is to obtain the contents of the communication between the two parties, violating confidentiality. Interruption aims to break normal network communication so that it cannot continue, destroying availability. Forgery means faking the identity of one communicating party in order to deceive the other for malicious purposes. Tampering means modifying the content of the communication in transit.
  • Security flaws in the TCP/IP protocol stack and attack techniques
    • Network interface layer (data link layer): commonly used protocols include ARP/RARP and PPP, which handle IP-to-MAC address translation and point-to-point transmission respectively. The corresponding attacks are MAC address spoofing and sniffing/eavesdropping.

    • Internet layer (network layer): commonly used protocols include IP, ICMP and BGP. IP forwards packets on address alone and has no authentication mechanism, so the source IP address is never verified. ICMP can be used to manipulate the routing path, and it can also be used for flooding attacks and the Smurf attack.

    • Transport layer: TCP and UDP. The communicating parties are authenticated only by IP address, port and SEQ/ACK numbers, so an established connection is very vulnerable to forgery and spoofing attacks. In addition, the TCP three-way handshake makes the SYN flooding attack possible.

    • Application layer: HTTP, FTP, POP3/SMTP, DNS, SMB and others were designed without security considerations and transmit in clear text.

1.2 Network layer protocol attacks

  • IP source address spoofing
    • First, attack the trusted host so that it loses the ability to respond.
    • Sample the target server's initial sequence number (ISN) by probing it, so that when the server returns its SYN/ACK the reply can be set to ISN + 1.
    • Send a SYN packet whose source address is forged as the trusted host's IP.
    • Impersonating the trusted host, send an ACK packet whose acknowledgement number is the predicted ISN + 1.
    • The connection is established, and the attacker communicates with the host while posing as the trusted host.
    • Scenarios: network scanning, denial of service attacks and defeating trust-based authentication mechanisms.
    • Forging packets with netwox: netwox 41 -j 128 -k 1 -l 192.168.200.3 -m 192.168.200.5 -o 8
    • Forging the source IP address with nmap: nmap -sS -p 8080 192.168.200.3 -D 192.168.200.5 scans .3 while using .5 as a decoy source address.
    • Prevention measures: randomize the initial sequence number, use IPsec instead of plain IP, avoid trust policies based on IP addresses, and filter spoofed IP source addresses on routers and gateways.
  • ARP spoofing
    • How ARP works: when a host at the data link layer wants to reach another host, if it already knows the other side's MAC address it builds a MAC frame directly and sends it; if it only knows the IP address and not the MAC address, it requests the MAC address through the ARP protocol.
    • Specific process: when the MAC address is missing, the host broadcasts an ARP request to the whole network; each host that receives it checks whether the requested IP matches its own, and the one that matches sends back an ARP reply. (Some books note that, whether or not the IP matches, a host receiving the request updates its cache with the requester's IP and MAC.)
    • Attack process: when node A sends an ARP request for node B, every host on the network receives the same request. B returns IP(B)/MAC(B), but the attacking machine C returns IP(B)/MAC(C), while the other machines do not respond. C keeps returning the wrong reply, so A's IP-MAC mapping table ends up holding the wrong value. When A wants to send data to B, it is sent to C instead. If C impersonates both A and B at the same time, this constitutes a man-in-the-middle attack.
    • Scenarios: sniffing information as a man in the middle, spreading viruses, etc.
    • ARP spoofing with netwox: netwox 33 -b MAC(A) -g IP(B) -h MAC(A) -i IP(A). The key is -g IP(B), which makes the target host save the wrong mapping.
    • ARP attack prevention: statically bind the important IP-to-MAC mappings in the host's own table.
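The wrong IP-to-MAC binding that C plants in A's table is also what a defender can watch for on the wire. As an added example that is not part of the original post, the following Python parses Ethernet/ARP frames and alerts when an IP's MAC changes or when the ARP sender MAC does not match the frame's source MAC; the addresses are constructed for the test, and arp_frame exists only to build that test input.

```python
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac(s):   # "00:11:22:33:44:55" -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))

def ip(s):    # "192.168.200.5" -> 4 bytes
    return bytes(int(x) for x in s.split("."))

def arp_frame(eth_src, sha, spa, tha, tpa, op=ARP_REPLY):
    """Build an Ethernet/ARP frame from string fields (used here only to construct test input)."""
    return (ETH.pack(mac(tha), mac(eth_src), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa)))

class ArpWatch:
    """Learns the IP->MAC mapping from ARP traffic and flags the inconsistencies a spoof leaves behind."""
    def __init__(self):
        self.table = {}   # IP string -> MAC string first seen for it

    def inspect(self, frame):
        """Return a list of alert strings for one frame (empty if nothing is suspicious)."""
        _, eth_src, ethertype = ETH.unpack_from(frame)
        if ethertype != ETHERTYPE_ARP:
            return []
        _, _, _, _, _, sha, spa, _, _ = ARP.unpack_from(frame, ETH.size)
        eth_src, sha, spa = eth_src.hex(":"), sha.hex(":"), ".".join(map(str, spa))
        alerts = []
        if sha != eth_src:   # the ARP payload claims a MAC the frame was not actually sent from
            alerts.append(f"{spa}: ARP sender {sha} != frame source {eth_src}")
        known = self.table.setdefault(spa, sha)
        if known != sha:     # the binding for this IP flipped: the symptom of the attack in the text
            alerts.append(f"{spa}: MAC changed {known} -> {sha} (possible ARP spoofing)")
        return alerts

def demo():
    """Replay the text's scenario with constructed addresses: B answers for IP(B), then C claims IP(B)."""
    mac_a, mac_b, mac_c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    ip_a, ip_b = "192.168.200.4", "192.168.200.5"
    watch = ArpWatch()
    legit = watch.inspect(arp_frame(mac_b, mac_b, ip_b, mac_a, ip_a))
    spoof = watch.inspect(arp_frame(mac_c, mac_c, ip_b, mac_a, ip_a))
    return legit, spoof
```

A static binding, as the prevention item says, stops the table from flipping in the first place; this watcher is the detection counterpart for hosts where that is not practical.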
  • ICMP route redirect attack
    • Principle of the redirect mechanism: the ICMP redirect is a routing-control message that updates the host's routing table to improve the network's transmission efficiency.
    • Redirect attack process: using IP source address spoofing, the attacker poses as the gateway and sends an ICMP redirect message to the attacked node. After the node checks and accepts the message, the attacker becomes a bridge between the victim and the real gateway. During forwarding, genuine redirect packets are also sent according to the redirect principle.
    • Redirect attack with netwox: netwox 86 -f "host <target IP>" -g <attacker IP> -i <gateway IP>
    • Precautions: configure the firewall to filter certain types of ICMP packets, and check that an ICMP redirect packet actually comes from the router.
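The prevention items for IP source address spoofing (filtering spoofed sources at routers and gateways) and for ICMP redirects (checking that a redirect really comes from the router) can both be expressed as per-packet rules. As an added example that is not part of the original post, the following Python parses IPv4/ICMP packets and applies a BCP 38 style ingress filter plus a secure-redirects policy (the rule behind Linux's net.ipv4.conf.all.secure_redirects, which accepts a redirect only if it names a gateway the host already knows); the addresses, gateway list and packets are constructed for the test, and build_packet/redirect_payload exist only to create that input.

```python
import struct
from ipaddress import ip_address, ip_network

ICMP, ICMP_REDIRECT = 1, 5

def build_packet(src, dst, proto, payload):
    """Construct a minimal IPv4 packet (test input only, not a capture; header checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

def redirect_payload(new_gw):
    """ICMP redirect (type 5, code 1 = host) naming new_gw, followed by a dummy 28-byte original datagram."""
    return struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ip_address(new_gw).packed) + bytes(28)

def ingress_verdict(packet, arrived_on_lan, lan_nets):
    """BCP 38 style filter at the gateway: LAN-side packets must carry a LAN source, WAN-side packets must not."""
    src = ip_address(packet[12:16])
    is_lan_src = any(src in net for net in lan_nets)
    if arrived_on_lan != is_lan_src:
        return f"drop: source {src} is not plausible for this interface (spoofed?)"
    return "pass"

def redirect_verdict(packet, known_gateways):
    """Secure-redirects policy: accept only a redirect that both comes from and points to a known gateway."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP:
        return "ignore: not ICMP"
    typ, code, _, gw = struct.unpack_from("!BBH4s", packet, ihl)
    if typ != ICMP_REDIRECT:
        return "ignore: not a redirect"
    src, new_gw = str(ip_address(packet[12:16])), str(ip_address(gw))
    if src not in known_gateways:       # not even claiming to be the router: plain filter rule
        return f"drop: redirect claims to come from {src}, not a known gateway"
    if new_gw not in known_gateways:    # source is spoofed as the router, but it points at an unknown box
        return f"drop: redirect points at {new_gw}, not a known gateway"
    return f"accept: route via {new_gw}"

def demo():
    """Constructed scenario: LAN 192.168.200.0/24, real gateways .1 and .2, attacker .5 posing as the gateway."""
    lan, gws = [ip_network("192.168.200.0/24")], {"192.168.200.1", "192.168.200.2"}
    inbound = build_packet("192.168.200.5", "192.168.200.3", 6, b"")   # LAN source arriving on the WAN side
    genuine = build_packet("192.168.200.1", "192.168.200.3", ICMP, redirect_payload("192.168.200.2"))
    spoofed = build_packet("192.168.200.1", "192.168.200.3", ICMP, redirect_payload("192.168.200.5"))
    return (ingress_verdict(inbound, False, lan),
            redirect_verdict(genuine, gws), redirect_verdict(spoofed, gws))
```

Note that the source-address check alone does not catch the attack in the text, because the attacker spoofs the gateway's address; it is the check on the new gateway that rejects it, and simply disabling redirect acceptance on the host is the stricter option.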

1.3 Transport Layer Attack

  • TCP RST attack

    • Principle of the TCP RST attack: the TCP header has a reset (RST) bit which signals that the session is being aborted. By supplying reasonable seq and ack fields, an attacker can close the connection.

    • Attack diagram:

    • Attack with netwox: netwox 78 -i <target IP>

  • TCP session hijacking attack

    • Principle of TCP session hijacking: after the target machine has established a TCP session, the attacker hijacks it, avoiding the need to authenticate. Put simply, it is a blind attack shifted to a later point in time.

    • TCP session hijacking process: the target machine connects to the server, and the server returns the corresponding packets to it; the attacking machine sniffs the sequence numbers from those packets and then sends packets to the server while impersonating the target. At the same time, the attacker impersonates the server and sends an RST to the target machine, so that the target's own communication does not interfere.

    • TCP session hijacking defensive measures: random initial sequence numbers, optimized network design, next-generation Internet protocols, disabling source routing on hosts, static IP-MAC mapping tables, and filtering ICMP redirect packets and the like. Using IPsec is a common way to defend against TCP attacks.
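The RST attack and the session hijacking above both depend on the receiver accepting a segment whose sequence number merely looks reasonable. As an added example that is not part of the original post, the following Python models the receiver-side check a TCP stack applies to an incoming RST, contrasting the classic RFC 793 in-window rule with the RFC 5961 challenge-ACK mitigation; the connection state values are constructed. It does not help against a hijacker who has sniffed the exact sequence number, which is why the text also lists IPsec.

```python
MOD = 1 << 32   # TCP sequence numbers are 32-bit and wrap around

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in the receive window [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def rst_action_rfc793(seq, rcv_nxt, rcv_wnd):
    """Classic rule: any RST whose sequence number falls inside the window tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"

def rst_action_rfc5961(seq, rcv_nxt, rcv_wnd):
    """Mitigated rule: only an RST with SEG.SEQ == RCV.NXT resets immediately; an in-window but
    inexact RST is answered with a challenge ACK, which only the genuine peer can see and respond to."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    return "reset" if seq == rcv_nxt else "challenge-ack"

def resetting_sequence_numbers(rule, rcv_nxt, rcv_wnd):
    """Count how many sequence numbers in and around the window make `rule` reset the connection,
    i.e. how many 'reasonable' seq values a forged RST could carry under that rule."""
    margin = 16
    return sum(1 for seq in range(rcv_nxt - margin, rcv_nxt + rcv_wnd + margin)
               if rule(seq % MOD, rcv_nxt, rcv_wnd) == "reset")

def demo():
    """Constructed connection state: RCV.NXT = 1,000,000 and a 65,535-byte receive window."""
    rcv_nxt, rcv_wnd = 1_000_000, 65_535
    return {
        "rfc793 resetting values": resetting_sequence_numbers(rst_action_rfc793, rcv_nxt, rcv_wnd),
        "rfc5961 resetting values": resetting_sequence_numbers(rst_action_rfc5961, rcv_nxt, rcv_wnd),
        "in-window guess under rfc5961": rst_action_rfc5961(rcv_nxt + 1234, rcv_nxt, rcv_wnd),
    }
```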

  • TCP SYN Flood Denial of Service Attack

2. Practice

Do not post only screenshots; describe the experiment in detail.

3. The problems and solutions encountered in the study

  • Question 1: XXXXXX
  • Problem 1 Solution: XXXXXX
  • Question 2: XXXXXX
  • Problem 2 Solution: XXXXXX - ...

4. Practice summary

xxx xxx

Reference material

Origin www.cnblogs.com/sunmoyi/p/12596204.html