20199329 2019-2020-2 "Network Attack and Defense Practice" Week 5 Assignment


I. Introduction


II. Knowledge Summary

1. Network protocol attacks and basic concepts

When learning network security and information security, the first thing to keep in mind is the five security attributes: confidentiality, integrity, availability, authenticity and non-repudiation. Every attack or defense revolves around these five attributes. From the attacker's side, the usual attack modes are:

  • Interception: a passive attack mode based on sniffing and eavesdropping, which obtains the content of the communication between the two parties on the network.
  • Interruption: an active attack mode based on denial-of-service techniques, which makes network communication and sessions impossible.
  • Forgery: an active attack mode based on deception, in which the attacker impersonates one of the communicating parties in order to deceive the other for malicious purposes.
  • Tampering: an active attack mode based on man-in-the-middle techniques, in which packet data and other information content are modified in transit so that one or both parties receive falsified messages.

An attack also needs a security flaw to exploit. The TCP/IP protocol stack has the following security flaws and corresponding attack techniques:

  • Network interface layer: on Ethernet, a network interface in promiscuous mode can directly intercept and sniff packets, and because the source MAC address is never authenticated, MAC address spoofing is possible.
  • Internet layer: IP forwards based only on the destination address and never checks whether the source IP address is genuine, i.e. there is no IP address authentication, so it is vulnerable to IP spoofing. Other issues include source routing abuse, IP fragmentation attacks, ARP spoofing, ICMP redirects and Smurf attacks.
  • Transport layer: once a TCP session has been established it is very vulnerable to forgery and spoofing; an attacker can send a TCP RST to interrupt the session. The design flaw in the TCP three-way handshake also makes SYN flood attacks possible.
  • Application layer: popular application-layer protocols such as HTTP, FTP, POP3/SMTP and DNS lack security in their design.

2. Network layer protocol attacks and preventive measures

2.1 IP source address spoofing attack

Principle: routers forward packets based only on the destination address and do not verify that the source address is genuine.
Scenarios: denial-of-service attacks, network scanning (nmap -D).
Tools: Netwox, Wireshark, nmap.
The attack proceeds as follows:

  • Launch a denial-of-service attack against the trusted host.
  • Sample the target host's TCP initial sequence numbers (ISN) and predict the next one.
  • Send a SYN packet to the target host with the source address forged as the trusted host's IP.
  • The target host's SYN/ACK goes to the trusted host, which has already been paralyzed.
  • Again impersonating the trusted host, send an ACK packet to the target host to establish the connection.

Preventive measures are as follows:
  • Use randomized initial sequence numbers
  • Use network-layer or transport-layer security protocols
  • Avoid trust policies based on IP addresses
  • Implement packet filtering on routers and gateways

2.2 ARP spoofing attack

Definition: ARP spoofing, also called ARP poisoning, is an attack technique in which the attacker sends forged ARP messages over a wired or wireless Ethernet to fake the MAC address corresponding to a particular IP address, for a malicious purpose.
Principle: the ARP protocol was designed on the assumption that all users inside the LAN are trusted, but there may be an attacker inside the LAN, or an external attacker or malicious code that has penetrated it. This makes it very easy to inject forged IP-to-MAC mappings into the ARP cache.
Scenarios: switched networks, constructing man-in-the-middle attacks, malicious code.
Tools: Arpspoof in DSniff, Arpoison, Ettercap, Netwox.
Attack steps are as follows:

  • Source node A wants to send a packet to destination node B, so via ARP it broadcasts an ARP request on the LAN segment asking for the MAC address mapped to node B's IP address.
  • Attacking node C claims that the destination IP address maps to its own MAC address and keeps sending ARP reply packets to the source node.
  • Because node C continuously sends replies, the source node is forced to update its ARP cache with the mapping from C's reply.
  • When source node A sends packets to node B again, they go directly to C's MAC address; C thus receives them and, by impersonating B, completes the spoofing.
  • If the target of the ARP spoofing is the gateway node, every packet sent through the gateway by every node in the LAN passes first through the attacking node, where it can be sniffed, monitored and maliciously modified.

Preventive measures are as follows:
  • Statically bind the IP-to-MAC mappings of key hosts
  • Use appropriate ARP protection tools
  • Divide the network topology into virtual subnets
  • Encrypt transmissions
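The first two preventive measures (static bindings, ARP protection tools) amount to watching ARP replies for mappings that contradict what is known. The following monitor is an added example, not code from the original post: it parses raw Ethernet+ARP frames and raises an alert when a reply contradicts a static binding or changes an IP's previously seen MAC. The sample frames are constructed in memory from the lab's addresses (SEED Ubuntu, MetaSploitable, Kali) and are never transmitted.

```python
import struct

# Wire formats for ARP over Ethernet (RFC 826).
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an in-memory Ethernet+ARP frame. Used here only to construct
    sample traffic for the monitor; nothing is transmitted."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


class ArpMonitor:
    """Tracks the IP->MAC claims carried by ARP replies and reports a claim that
    contradicts a static binding or an earlier claim for the same IP."""

    def __init__(self, static_bindings=None):
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.learned = {}     # IP -> MAC seen in the most recent reply
        self.alerts = []

    def feed(self, frame):
        """Inspect one raw frame; return an alert string or None."""
        if len(frame) < ETH_HDR.size + ARP_PKT.size:
            return None
        _dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
        if etype != ETHERTYPE_ARP:
            return None
        htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return None
        sender_mac, sender_ip = mac_str(sha), ip_str(spa)
        # The ARP sender hardware address should match the frame's own source MAC.
        if sha != eth_src:
            return self._alert(f"{sender_ip}: ARP sender {sender_mac} differs from frame source {mac_str(eth_src)}")
        if op != ARP_REPLY:
            return None
        expected = self.static.get(sender_ip)
        if expected and expected != sender_mac:
            return self._alert(f"{sender_ip}: reply claims {sender_mac}, static binding says {expected}")
        previous = self.learned.get(sender_ip)
        self.learned[sender_ip] = sender_mac
        if previous and previous != sender_mac:
            return self._alert(f"{sender_ip}: mapping changed {previous} -> {sender_mac}")
        return None

    def _alert(self, message):
        self.alerts.append(message)
        return message


def run_demo():
    """Replay constructed frames modelled on the lab hosts: MetaSploitable answers
    SEED Ubuntu's request, then a forged reply claims the same IP with Kali's MAC."""
    seed_ip, meta_ip = "192.168.200.5", "192.168.200.125"
    seed_mac, meta_mac, kali_mac = "00:0c:29:95:bc:25", "00:0c:29:b4:e5:9b", "00:0c:29:e6:86:47"
    frames = [
        build_arp_frame(ARP_REQUEST, seed_mac, seed_ip, "00:00:00:00:00:00", meta_ip),
        build_arp_frame(ARP_REPLY, meta_mac, meta_ip, seed_mac, seed_ip),   # genuine reply
        build_arp_frame(ARP_REPLY, kali_mac, meta_ip, seed_mac, seed_ip),   # poisoned reply
    ]
    monitor = ArpMonitor(static_bindings={meta_ip: meta_mac})
    for frame in frames:
        monitor.feed(frame)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

With a static binding configured, the poisoned reply is caught immediately; without one, the monitor still reports the mapping change for 192.168.200.125, which is the signal tools such as arpwatch rely on.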

2.3 ICMP route redirect attack

Definition: the attacker impersonates a router and sends forged ICMP routing control packets so that the target host chooses the routing path dictated by the attacker; a technique used for sniffing or spoofing. ICMP messages are of two types: error reports (destination unreachable, datagram time exceeded, parameter problem) and control messages (request/reply and notification).
Principle: ICMP redirect packets are used to change a host's routing table. The attacker, disguised as a router, sends a redirect to the target host so that the target's packets are sent to the attacking machine, which strengthens the attacker's ability to monitor them.
Tools: Netwox
The attack proceeds as follows:

  • The attacking node uses IP source address spoofing, posing as the gateway IP address, to send an ICMP redirect packet to the attacked node, specifying the attacking node's IP address as the new router.
  • On receiving the packet, the attacked node checks it against the protocol's constraints; since the packet violates none of them, it is accepted and the attacking node is selected as the new router.
  • The attacking node can then turn on route forwarding and act as an intermediary, sniffing and listening to all of the attacked node's communication, an effect similar to ARP spoofing.
  • During forwarding, according to the design of the ICMP redirect routing mechanism, the attacking node's own protocol stack may send an ICMP redirect message to the attacked node designating the original router as the new gateway, which would restore the spoofed routing path to its original state.

Preventive measures are as follows:
  • Filter certain ICMP packets according to type
  • Configure firewall filtering
  • Check whether ICMP redirect messages actually come from the local router
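The third preventive measure is the check a receiving host performs before honouring a redirect: the message must be well-formed, come from the current gateway, name an on-link new gateway, and quote a datagram this host actually sent. The following validator is an added example, not code from the original post; the packets are constructed in memory from the lab's addresses (203.0.113.10 is a documentation address standing in for the external destination). It also shows why the check alone is not enough: a redirect whose source is spoofed as the gateway, which is the first attack step above, passes every structural test, so the effective host-side defence is to ignore redirects entirely (on Linux, net.ipv4.conf.all.accept_redirects=0) and to filter ICMP type 5 at the firewall.

```python
import ipaddress
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
ICMP_HDR = struct.Struct("!BBH4s")          # type, code, checksum, gateway address (type 5 only)
ICMP_REDIRECT, PROTO_ICMP = 5, 1
QUOTED_LEN = 28                             # inner IP header + first 8 bytes of its payload


def inet_checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build an IPv4 packet in memory (sample input only; nothing is sent)."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 0, 0, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_redirect(src, dst, new_gateway, quoted_datagram, code=1):
    """ICMP type 5 (redirect for host) quoting the datagram that triggered it."""
    body = ICMP_HDR.pack(ICMP_REDIRECT, code, 0, ipaddress.IPv4Address(new_gateway).packed)
    body += quoted_datagram[:QUOTED_LEN]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4(src, dst, PROTO_ICMP, body)


class RedirectPolicy:
    """Decides whether a host should honour a received ICMP redirect."""

    def __init__(self, my_ip, gateway, network, accept_redirects=True):
        self.my_ip = ipaddress.IPv4Address(my_ip)
        self.gateway = ipaddress.IPv4Address(gateway)
        self.network = ipaddress.IPv4Network(network)
        self.accept_redirects = accept_redirects

    def evaluate(self, packet):
        """Return (accept, reason) for one received IPv4 packet."""
        if len(packet) < IPV4_HDR.size + ICMP_HDR.size + QUOTED_LEN:
            return False, "truncated"
        vihl, _, total_len, _, _, _, proto, _, src, _ = IPV4_HDR.unpack_from(packet, 0)
        if vihl >> 4 != 4 or proto != PROTO_ICMP:
            return False, "not ICMP"
        icmp = packet[(vihl & 0x0F) * 4:total_len]
        itype, _code, _csum, gw = ICMP_HDR.unpack_from(icmp, 0)
        if itype != ICMP_REDIRECT:
            return False, "not a redirect"
        if inet_checksum(icmp) != 0:        # a correct checksum makes the sum come out to zero
            return False, "bad ICMP checksum"
        sender, new_gw = ipaddress.IPv4Address(src), ipaddress.IPv4Address(gw)
        quoted = icmp[ICMP_HDR.size:]
        quoted_src = ipaddress.IPv4Address(quoted[12:16])
        quoted_dst = ipaddress.IPv4Address(quoted[16:20])
        if not self.accept_redirects:
            return False, f"policy: redirect from {sender} to {new_gw} for {quoted_dst} ignored"
        if sender != self.gateway:
            return False, f"sender {sender} is not the current gateway"
        if new_gw not in self.network:
            return False, f"new gateway {new_gw} is off-link"
        if quoted_src != self.my_ip:
            return False, "quoted datagram was not sent by this host"
        return True, f"route for {quoted_dst} changed to {new_gw}"


def run_demo():
    """Constructed scenario modelled on the lab: SEED Ubuntu (192.168.200.5) uses
    gateway 192.168.200.1; a redirect spoofed from the gateway names 192.168.200.2
    (Kali) as the new router for traffic to 203.0.113.10."""
    original = build_ipv4("192.168.200.5", "203.0.113.10", PROTO_ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01")
    spoofed = build_redirect("192.168.200.1", "192.168.200.5", "192.168.200.2", original)
    honest_src = build_redirect("192.168.200.2", "192.168.200.5", "192.168.200.2", original)
    permissive = RedirectPolicy("192.168.200.5", "192.168.200.1", "192.168.200.0/24")
    hardened = RedirectPolicy("192.168.200.5", "192.168.200.1", "192.168.200.0/24", accept_redirects=False)
    return {
        "spoofed_source/permissive": permissive.evaluate(spoofed),
        "true_source/permissive": permissive.evaluate(honest_src),
        "spoofed_source/hardened": hardened.evaluate(spoofed),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(case, verdict)
```

The "true source" case is rejected by the gateway check, the spoofed one is accepted under the permissive policy, and only the hardened policy rejects both; logging the rejected redirect's claimed sender and new gateway gives the defender the evidence of the attempt.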

3. Transport layer protocol attacks and preventive measures

3.1 TCP RST attack

Definition: a TCP RST attack, also called a forged TCP reset packet attack, is a technique for interfering with a TCP connection by forging traffic.
Principle: the TCP header has a RESET flag; when it is set to 1, the host receiving the packet immediately tears down the TCP session. A TCP reset packet directly closes a TCP session.
Tools: Netwox
The attack proceeds as follows:

  • Attacking host C monitors the TCP connection between communicating parties A and B by sniffing.
  • After obtaining the source and destination IP addresses, the ports and the sequence number, it can combine these with IP source address spoofing to impersonate one communicating party and send a TCP reset packet to the other.
  • Provided the port numbers match and the sequence number falls within the receive window, the normal communication between the two parties is interrupted, achieving a denial of service.

3.2 TCP session hijacking attack

Principle: TCP session hijacking takes over an already established TCP session between two communicating parties and impersonates one of them to continue communicating with the other. The core of the attack is how TCP validates the identity of a communicating party within a session.
Attack steps are as follows:

  • The victim host connects to the telnet server and establishes a session after authentication.
  • The telnet server sends a response packet to the victim containing the server's current sequence number (SVR_SEQ) and the next sequence number it expects from the client (SVR_ACK).
  • The attacker carries out an ARP spoofing man-in-the-middle attack and sniffs the content of the communication between the victim and the telnet server, then forges the victim's IP address and identity and sends packets to the telnet server claiming to be the victim.
  • The sequence number of the packet the attacker sends must satisfy: SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WND.
  • The victim continues the session with the telnet server, but because the sequence and ACK values of the two sides no longer match, an ACK storm appears.

Preventive measures are as follows:
  • Disable source routing on hosts
  • Use static IP and IP-MAC mapping tables to avoid ARP spoofing
  • Filter ICMP redirect messages
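The window condition above (SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WND) is the same acceptance test every TCP receiver applies to incoming segments, which is also why the RST in 3.1 must carry an in-window sequence number. The following model is an added example, not code from the original post: it implements the RFC 793 receive test with wraparound-safe comparisons, then replays a constructed exchange using the lab's numbers (client seq 94, ack 1369) in which one in-window segment forged with the client's addressing is accepted by the server. After that, the server's next ACK is ahead of what the client has sent and the client's next genuine segment falls outside the server's window: both sides keep answering with ACKs, which is the ACK storm, and the duplicate ACKs and retransmissions seen in Wireshark are its visible trace.

```python
MOD = 1 << 32


def seq_lt(a, b):
    """a < b in 32-bit sequence-number arithmetic (wraparound-safe)."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF


def seq_le(a, b):
    return a == b or seq_lt(a, b)


def segment_acceptable(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 receive test: does the segment overlap [rcv_nxt, rcv_nxt + rcv_wnd)?
    This is the SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WND condition, using
    modulo-2^32 comparisons so it still works when sequence numbers wrap."""
    if rcv_wnd == 0:
        return seg_len == 0 and seg_seq == rcv_nxt
    wnd_end = (rcv_nxt + rcv_wnd) % MOD
    first_ok = seq_le(rcv_nxt, seg_seq) and seq_lt(seg_seq, wnd_end)
    if seg_len == 0:
        return first_ok
    last = (seg_seq + seg_len - 1) % MOD
    last_ok = seq_le(rcv_nxt, last) and seq_lt(last, wnd_end)
    return first_ok or last_ok


class Endpoint:
    """Minimal model of one side of an established TCP connection."""

    def __init__(self, snd_nxt, rcv_nxt, rcv_wnd=64):
        self.snd_nxt = snd_nxt     # next sequence number we will send
        self.rcv_nxt = rcv_nxt     # next sequence number we expect from the peer
        self.rcv_wnd = rcv_wnd

    def send(self, data):
        seg = {"seq": self.snd_nxt, "ack": self.rcv_nxt, "data": data}
        self.snd_nxt = (self.snd_nxt + len(data)) % MOD
        return seg

    def receive(self, seg):
        """Apply the RFC 793 checks and report what this side does with the segment."""
        if seq_lt(self.snd_nxt, seg["ack"]):
            return "ACK for data never sent: segment dropped, ACK re-sent"
        if seg["seq"] == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + len(seg["data"])) % MOD
            return "accepted"
        if segment_acceptable(seg["seq"], len(seg["data"]), self.rcv_nxt, self.rcv_wnd):
            return "in window but out of order: buffered"
        return "outside window: dropped, duplicate ACK sent"


def simulate_injection():
    """Constructed exchange: two genuine segments, one forged segment carrying the
    client's addressing and an in-window sequence number, then the client's next
    genuine segment. Reply texts are constructed, not captured."""
    client = Endpoint(snd_nxt=94, rcv_nxt=1369)
    server = Endpoint(snd_nxt=1369, rcv_nxt=94)
    results = []
    results.append(server.receive(client.send(b"ll\r\n")))          # genuine command
    results.append(client.receive(server.send(b"total 0\r\n")))     # genuine reply
    forged = {"seq": server.rcv_nxt, "ack": client.rcv_nxt, "data": b"helloworld"}
    results.append(server.receive(forged))                          # passes the window test
    results.append(client.receive(server.send(b"reply")))           # ack is now ahead of client's snd_nxt
    results.append(server.receive(client.send(b"exit\r\n")))        # genuine segment is now stale
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(simulate_injection(), 1):
        print(step, outcome)
```

The model makes the defensive point concrete: the only thing the attacker needs beyond addresses and ports is a sequence number inside a 64-byte window, which sniffing provides, so the listed countermeasures target the sniffing prerequisite (ARP spoofing, ICMP redirects) rather than the window test itself, and an encrypted, authenticated transport is what actually removes the weakness.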

3.3 TCP SYN flood denial-of-service attack

Principle: exploiting the defect in the TCP three-way handshake, the attacker sends a large number of SYN connection requests with forged source addresses to the target host, exhausting the target host's connection queue resources so that it can no longer provide service normally.
Attack steps are as follows:

  • In a TCP SYN flood, the attacker sends a large number of TCP SYN packets with forged source addresses to the victim host.
  • The victim host allocates the necessary resources, returns a SYN/ACK packet to the source address, and waits for the ACK packet from that source.
  • If a forged source address belongs to an active host, that host returns a RST packet and the connection is torn down directly; but most forged source addresses are inactive and never return an ACK, so the victim host keeps retransmitting SYN+ACK, and once the half-open connection queue is full the server rejects new connections.

Preventive measures are as follows:
  • SYN cookie technology (no resources are allocated before the connection is fully established).
  • Firewall address-state monitoring technology (the state of TCP connections to the target server is classified as NEW, GOOD or BAD).
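The SYN cookie measure works by encoding everything the server would otherwise have to remember into the SYN/ACK's initial sequence number, so the half-open queue that the flood fills no longer exists. The following is an added example, not code from the original post or any real stack: a simplified cookie (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash over the 4-tuple and counter) plus two listener models fed the same constructed flood, one keeping a per-SYN half-open entry and one keeping no state until the third packet proves the cookie. The secret key is a constant for the demo; a real stack derives it from per-boot random data.

```python
import hashlib
import hmac
import struct

# Assumption: a real stack uses per-boot random secrets; a constant is used here for the demo.
SECRET = b"constructed-demo-secret"
MSS_TABLE = [536, 1300, 1440, 1460]   # 3-bit index encodes the peer's MSS, since no state is kept


def _mac24(saddr, daddr, sport, dport, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, counter):
    """Server ISN layout: 5 bits time counter | 3 bits MSS index | 24 bits MAC."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x1F) << 27) | (idx << 24) | _mac24(saddr, daddr, sport, dport, counter)


def check_cookie(cookie, saddr, daddr, sport, dport, counter, max_age=4):
    """Validate a cookie that came back as (ACK - 1); return the encoded MSS or None."""
    age = (counter - (cookie >> 27)) & 0x1F
    if age > max_age:
        return None                       # too old: replayed or stale
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, counter - age):
        return None                       # not issued by us for this 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


class NaiveListener:
    """Allocates a half-open entry per SYN, so a flood fills the backlog."""

    def __init__(self, backlog=256):
        self.backlog, self.half_open, self.established = backlog, {}, set()
        self.next_isn = 1000

    def on_syn(self, saddr, daddr, sport, dport, mss, counter):
        key = (saddr, sport)
        if key not in self.half_open and len(self.half_open) >= self.backlog:
            return None                   # queue full: SYN dropped
        self.half_open[key] = self.next_isn
        self.next_isn += 1
        return self.half_open[key]        # sequence number of the SYN/ACK

    def on_ack(self, saddr, daddr, sport, dport, ack, counter):
        key = (saddr, sport)
        isn = self.half_open.get(key)
        if isn is None or ack != isn + 1:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


class CookieListener:
    """Keeps no state until the third handshake packet proves the cookie."""

    def __init__(self):
        self.established = set()

    def on_syn(self, saddr, daddr, sport, dport, mss, counter):
        return make_cookie(saddr, daddr, sport, dport, mss, counter)

    def on_ack(self, saddr, daddr, sport, dport, ack, counter):
        mss = check_cookie((ack - 1) & 0xFFFFFFFF, saddr, daddr, sport, dport, counter)
        if mss is None:
            return False
        self.established.add((saddr, sport, mss))
        return True


def run_flood(listener, spoofed=1000, counter=100):
    """Constructed flood: SYNs from forged 10.0.0.0/8 sources that never ACK, then one
    genuine client (192.168.200.5 -> 192.168.200.125:23, the lab's telnet server)."""
    server = bytes([192, 168, 200, 125])
    for i in range(spoofed):
        fake = struct.pack("!I", 0x0A000000 + i)
        listener.on_syn(fake, server, 40000 + (i % 20000), 23, 1460, counter)
    client = bytes([192, 168, 200, 5])
    isn = listener.on_syn(client, server, 45640, 23, 1460, counter)
    if isn is None:
        return "client SYN dropped: backlog full"
    ok = listener.on_ack(client, server, 45640, 23, (isn + 1) & 0xFFFFFFFF, counter + 1)
    return "client connected" if ok else "client ACK rejected"


if __name__ == "__main__":
    print("naive  :", run_flood(NaiveListener(backlog=256)))
    print("cookies:", run_flood(CookieListener()))
```

The cost of the stateless design is visible in the cookie layout: TCP options other than a coarse MSS are lost, which is why real stacks enable cookies only once the backlog is under pressure.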

3.4 UDP flood denial-of-service attack

Principle: sending a large number of UDP packets to the target host and network places a significant computational load on the target host or congests the network, rendering the target host and network unusable; a denial-of-service attack.

Preventive measures are as follows:

  • Disable and filter monitoring and response services.
  • Disable or filter other UDP services.

III. Experimental Content

Task one: ARP cache poisoning attack

The following experiments use Kali as the attacking machine and MetaSploitable and SEED Ubuntu as the normal communicating machines. First make sure that the three machines are on the same subnet. The IP and MAC addresses of the three machines are:
Kali 192.168.200.2 00:0c:29:e6:86:47
MetaSploitable 192.168.200.125 00:0c:29:b4:e5:9b
SEED Ubuntu 192.168.200.5 00:0c:29:95:bc:25

  1. Ping MetaSploitable from SEED Ubuntu to populate the ARP cache, then view the cache with arp -a. As shown below, the MAC address corresponding to MetaSploitable's IP address can be seen.
  2. On Kali execute netwox 80 -e 00:0c:29:e6:86:47 -i 192.168.200.125. Here 80 is the netwox tool number, the first argument is the MAC address of the Kali attacking machine and the second is MetaSploitable's IP address; once the command runs, this mapping is broadcast on the LAN.
  3. Verification: on Kali we should now be able to capture the packets exchanged between SEED Ubuntu and MetaSploitable with Wireshark. As shown below:

Task two: ICMP redirect attack

  1. View the routing table on SEED Ubuntu.
  2. On Kali enter the command netwox 86 -f "host 192.168.200.5" -g 192.168.200.2 -i 192.168.200.1
  3. Open Wireshark on SEED Ubuntu to view the traffic, then ping baidu.com on it; we find that the packets to Baidu have been redirected to 192.168.200.2.

Task three: SYN flood attack

  1. From SEED Ubuntu log in to MetaSploitable with telnet 192.168.200.125, entering the username and password.
  2. In Kali use netwox tool number 76 to launch a SYN flood against port 23: netwox 76 -i 192.168.200.125 -p 23.
  3. Opening Wireshark, we can see the SYN attack sending a large number of forged connection requests to the target IP; these forged connection requests carry no MAC address, so the attacker's true identity cannot be traced.
  4. We also find that the service can no longer be accessed from SEED Ubuntu.

Task four: TCP RST attack

  1. From SEED Ubuntu log in to MetaSploitable with telnet 192.168.200.125, entering the username and password.
  2. In Kali use netwox tool 78 to perform a TCP RST attack on MetaSploitable: netwox 78 -i 192.168.200.125.
  3. Similarly, we find that the connection can no longer be accessed from SEED Ubuntu.

Task five: TCP session hijacking attack

  1. From SEED Ubuntu log in to MetaSploitable with telnet 192.168.200.125, entering the username and password.
  2. Open Wireshark on Kali and set the filter tcp.port == 23. Enter any command on SEED Ubuntu (here ll), then go back to Wireshark on Kali and find the corresponding packet.
  3. Note the following values: source port, destination port, Next Seq Num and ACK.
  4. On Kali use the command netwox 40 --ip4-dontfrag --ip4-offsetfrag 0 --ip4-ttl 64 --ip4-protocol 6 --ip4-src 192.168.200.5 --ip4-dst 192.168.200.125 --tcp-src 45640 --tcp-dst 23 --tcp-seqnum 94 --tcp-acknum 1369 --tcp-ack --tcp-psh --tcp-window 64 --tcp-data "68656C6C6F776F726C64"
  5. TCP Dup ACK and TCP Retransmission appear in Wireshark, indicating that the hijack succeeded.

IV. Problems Encountered and Solutions

  • Putting MetaSploitable onto the bridged network could not be achieved; later I found the problem was that the IP had to be set manually. The solution is simply to make sure the three machines are on the same subnet, without needing to change to the bridged network.
  • I had questions about finding the Seq and ACK information for the TCP session hijacking attack; after reading other students' blogs I found the right information.

V. Learning Experience and Reflections

This week mainly studied techniques related to network protocol attacks and used software such as Wireshark to analyze different packets. I feel I understand the tools, but only have a smattering of the principles, which need further digestion and absorption; I cannot be a pure tool user. In particular, this chapter has an especially large principles part, and I feel that in many places where I referred to classmates' blogs I have not yet completely understood it.


March 30, 2020

Origin www.cnblogs.com/Zxf313806994/p/12599030.html