20199118 2019-2020-2 "Network Attack and Defense Practice" Week 5 Assignment

1. Knowledge organization and summary

In this week's course we studied Chapter 4, TCP/IP network protocol attacks. The important points are:

① Network protocol attacks and basic concepts

Network security has five basic security attributes: confidentiality, integrity, availability, authenticity and non-repudiation. Every attack and every defense revolves around these five attributes.

From the attacker's point of view, attacks usually take one of the following modes:

  • Interception: a passive attack mode based on sniffing and eavesdropping techniques; the attacker obtains the content of the communication between the two parties on the network.
  • Interruption: an active attack mode based on denial-of-service techniques; the attacker makes normal network communication and sessions impossible.
  • Forgery: an active attack mode based on spoofing; the attacker impersonates one of the communicating parties to deceive the other for malicious purposes.
  • Tampering: an active attack mode based on man-in-the-middle techniques, including tampering with packet data and other information; the attacker modifies the communication in transit so that one or both parties receive false messages.

Security defects of the network protocol stack:

  • Network interface layer: Ethernet is the most commonly used protocol. It performs no verification of MAC addresses, and the MAC address of a physical network card can be changed with software.
  • Internet layer: the most important protocols are the well-known IPv4, ICMP and ARP. The biggest weakness of IPv4 is that it does not verify the authenticity of the source IPv4 address; ICMP can be abused for attacks such as flooding; ARP maps IP addresses to MAC addresses but performs no verification of the mappings it receives.
  • Transport layer: mainly TCP and UDP. An established TCP session is very vulnerable to forgery and spoofing attacks, for example the TCP RST attack practised below. UDP is a simple, stateless transport protocol and is attacked less; the common case is the UDP flood attack.
  • Application layer: application-layer protocols are varied and mostly transmit in clear text, so they carry a risk of eavesdropping, spoofing and man-in-the-middle attacks.

② Network layer protocol attacks and countermeasures

IP source address spoofing attack

  • Principle: routers forward packets using only the destination address and do not verify the authenticity of the source address.
  • Attack steps:
  • Launch a denial-of-service attack on the trusted host
  • Sample and predict the target host's TCP initial sequence number (ISN)
  • Send a SYN packet to the target host with the source address forged as the trusted host's IP
  • The target host sends its SYN/ACK packet to the trusted host, which has already been taken out of service
  • Again posing as the trusted host, send an ACK packet to the target host to establish the connection.
  • Scenario: denial-of-service attacks, network scanning (nmap -D)
  • Tools: Netwox, Wireshark, nmap
  • Precautions:
    use randomized initial sequence numbers
    use a secure network-layer transport protocol
    avoid trust policies based on IP addresses
    implement packet filtering on routers and gateways
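An added example (not from the original page) of the first precaution, randomized initial sequence numbers: with the old sequential scheme, sampling two ISNs gives the step and therefore the next ISN; with the RFC 6528 scheme (ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret)) the per-connection offset depends on the remote address, so an ISN sampled from the attacker's own connection says nothing about the ISN the target will give a connection that appears to come from the trusted host. The target and attacker addresses are the lab addresses from the practice section; the trusted host, ports and secret are constructed.

```python
import hashlib
import hmac
import socket
import struct

MASK32 = 0xFFFFFFFF


def sequential_isn_prediction(sample_a, sample_b):
    """Old sequential ISN scheme: two sampled ISNs reveal the fixed step, so the ISN
    the target hands to the next connection is sample_b + step, whoever opens it."""
    step = (sample_b - sample_a) & MASK32
    return (sample_b + step) & MASK32


def rfc6528_isn(secret, local, remote, ticks):
    """RFC 6528: ISN = M + F(local_ip, local_port, remote_ip, remote_port, key).
    `ticks` stands in for M, the 32-bit 4-microsecond clock; F is a keyed hash, so
    the offset depends on which remote host the connection comes from."""
    four_tuple = struct.pack("!4sH4sH", socket.inet_aton(local[0]), local[1],
                             socket.inet_aton(remote[0]), remote[1])
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    return (ticks + int.from_bytes(digest[:4], "big")) & MASK32


def isn_prediction_error(secret, target, sampled_from, spoofed_as, ticks, elapsed):
    """The sampling step of the attack above, run against an RFC 6528 target: read one
    ISN from a connection opened from `sampled_from`, then guess the ISN the target
    will use `elapsed` ticks later for a connection appearing to come from `spoofed_as`.
    Returns the distance between guess and real value (0 means the guess was exact)."""
    sample = rfc6528_isn(secret, target, sampled_from, ticks)
    guess = (sample + elapsed) & MASK32
    real = rfc6528_isn(secret, target, spoofed_as, ticks + elapsed)
    return (real - guess) & MASK32


# Lab addresses from the page (target .128, attacker .129); the trusted host, the
# ports and the secret key are constructed for this example.
SECRET = b"per-boot random key"
TARGET = ("192.168.237.128", 23)
ATTACKER = ("192.168.237.129", 40001)
TRUSTED = ("192.168.237.10", 40001)

if __name__ == "__main__":
    print("sequential scheme, next ISN:", sequential_isn_prediction(1000, 65000))
    print("rfc6528, own tuple, error:", isn_prediction_error(SECRET, TARGET, ATTACKER, ATTACKER, 5000, 250))
    print("rfc6528, trusted host tuple, error:", isn_prediction_error(SECRET, TARGET, ATTACKER, TRUSTED, 5000, 250))
```

The error for the attacker's own 4-tuple is always 0 (the clock advances as expected), while the error for the trusted host's 4-tuple is the unknown difference between two keyed-hash offsets.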

ARP spoofing attack

  • Definition: ARP spoofing, also called ARP poisoning, is an attack technique in which the attacker sends forged ARP messages on a wired or wireless Ethernet, spoofing the MAC address that corresponds to a particular IP address, in order to achieve a malicious purpose.
  • Principle: ARP was designed on the assumption that all users inside the LAN are trusted, but there may be an attacker inside the LAN, or an external attacker or malicious code that has penetrated into the LAN. This makes it very easy to inject forged IP-to-MAC address mappings into a host's ARP cache.
  • Attack steps (refer to the figure together with the text):
  • Source node A wants to send data packets to destination node B, so the ARP protocol broadcasts an ARP request on the LAN segment asking for the MAC address mapped to node B's IP address.
    Attack node C claims that the destination IP address maps to its own MAC address and keeps sending ARP reply packets to the source node.
  • Because attack node C sends reply packets continuously, the source node is forced to update its ARP cache with the mapping in C's reply.
  • When source node A sends packets to node B again, it transmits them directly to C's MAC address; attack node C then passes them on to B, impersonating B.
  • If the target of the ARP spoofing is the gateway node, every packet that the nodes of the LAN send through the gateway passes through the attack node first, where it can be sniffed, monitored and maliciously modified.
  • Scenario: switched networks, building man-in-the-middle attacks, malicious code.
  • Tools: Arpspoof in DSniff, arpison, Ettercap, Netwox.
  • Precautions:
    statically bind the IP-to-MAC address mappings of key hosts
    use ARP protection tools
    divide the network topology into virtual subnet segments
    use encrypted transmission
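An added example (not from the original page) of the first two precautions: a small arpwatch-style monitor that parses ARP frames, keeps a static IP-to-MAC binding for the gateway, learns first-seen bindings for other hosts, and raises alerts when a reply claims a bound IP address with a different MAC address, which is exactly the traffic that the attack steps above produce. The frame builder, the addresses and the two sample replies are constructed for the example.

```python
import struct

ARP_REPLY = 2
_mac = lambda s: bytes.fromhex(s.replace(":", ""))        # "aa:bb:cc:dd:ee:ff" -> 6 bytes
_ip = lambda s: bytes(int(o) for o in s.split("."))       # "192.168.1.1" -> 4 bytes
_hexmac = lambda b: ":".join(f"{x:02x}" for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP frame; used here only to construct sample traffic."""
    eth = _mac(target_mac) + _mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)     # htype, ptype, hlen, plen, opcode
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)


def parse_arp_frame(frame):
    """Return (eth_src_mac, opcode, sender_mac, sender_ip), or None if not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return _hexmac(frame[6:12]), op, _hexmac(frame[22:28]), ".".join(map(str, frame[28:32]))


class ArpWatch:
    """arpwatch-style monitor: static IP-MAC bindings for key hosts (the static
    binding precaution above) plus first-seen bindings learned for everything else."""

    def __init__(self, static_bindings):
        self.static, self.learned = dict(static_bindings), {}

    def observe(self, frame):
        parsed = parse_arp_frame(frame)
        if parsed is None:
            return []
        eth_src, _op, mac, ip = parsed
        alerts = []
        if eth_src != mac:
            alerts.append(f"frame source {eth_src} differs from ARP sender {mac}")
        if ip in self.static and self.static[ip] != mac:
            alerts.append(f"static binding violated: {ip} claimed by {mac}")
        if ip in self.learned and self.learned[ip] != mac:
            alerts.append(f"mapping changed: {ip} {self.learned[ip]} -> {mac}")
        self.learned.setdefault(ip, mac)   # the first mapping seen stays the reference
        return alerts


def run_sample():
    """Constructed LAN: the real gateway replies first, then a third host claims its IP."""
    gw_ip, gw_mac, victim_mac, rogue_mac = "192.168.1.1", "00:0c:29:aa:aa:01", "00:0c:29:bb:bb:02", "00:0c:29:cc:cc:03"
    watch = ArpWatch({gw_ip: gw_mac})
    legit = build_arp_frame(ARP_REPLY, gw_mac, gw_ip, victim_mac, "192.168.1.20")
    spoofed = build_arp_frame(ARP_REPLY, rogue_mac, gw_ip, victim_mac, "192.168.1.20")
    return watch.observe(legit), watch.observe(spoofed)
```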

ICMP route redirect attack

  • Definition: the attacker masquerades as a router and sends forged ICMP route control packets so that the target host selects a routing path dictated by the attacker; the technique is used for sniffing or spoofing attacks. ICMP messages fall into two classes: error reports (destination unreachable, datagram time exceeded, parameter problem) and control messages (request/reply and notification messages).
  • Principle: an ICMP redirect packet changes the host routing table. The attacker, disguised as a router, sends a redirect to the target host so that the target's data packets are sent to the attacking machine, which can then monitor them.
  • Attack steps:
  • The attack node uses IP source address spoofing to pose as the gateway and sends an ICMP redirect packet to the attacked node, specifying the attack node's IP address as the new router.
  • When the attacked node receives the packet it checks the constraint conditions; since the packet does not violate them it is accepted, and the attacked node selects the attack node as its new router.
  • The attack node can enable routing forwarding and act as an intermediary, sniffing and listening to the entire communication of the attacked node, with an effect similar to an ARP spoofing attack.
  • During forwarding, because of the design of the ICMP redirect mechanism, the attack node's own protocol stack may send an ICMP redirect message to the attacked node designating the original router as the new gateway, which would restore the spoofed routing path to its original state.
  • Tools: Netwox
  • Precautions:
  • Filter some ICMP packets according to their type
  • Set up firewall filtering rules
  • Check whether an ICMP redirect message really comes from the local router
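
The three precautions above, as an added example that is not from the original page: it parses an ICMP redirect, applies the receiving host's checks from RFC 1122 (sender must be the current gateway, new gateway must be on the local subnet, the quoted datagram must be one this host sent), and shows that a redirect whose source address is forged as the gateway still passes every check, which is why the safer setting is not to accept redirects at all (the kernel knob net.ipv4.conf.all.accept_redirects, modelled here by accept_redirects=False). The addresses are the lab addresses from Practice 2 below; 203.0.113.5 stands in for the pinged destination, and the packet builder and policy class are constructed for this example.

```python
import ipaddress
import struct
_IPV4 = "!BBHHHBBH4s4s"   # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
_packed = lambda ip: ipaddress.ip_address(ip).packed


def build_redirect(src_ip, new_gateway, orig_src, orig_dst):
    """ICMP type 5 code 1 (redirect for host) inside IPv4, quoting the header of the
    datagram being redirected. Sample traffic only, so checksums are left as 0."""
    quoted = struct.pack(_IPV4, 0x45, 0, 20, 0, 0, 64, 6, 0, _packed(orig_src), _packed(orig_dst))
    icmp = struct.pack("!BBH4s", 5, 1, 0, _packed(new_gateway)) + quoted + bytes(8)
    outer = struct.pack(_IPV4, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, _packed(src_ip), _packed(orig_src))
    return outer + icmp


def parse_redirect(pkt):
    """Return (sender, new_gateway, quoted_src, quoted_dst), or None if not a redirect."""
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] != 1 or icmp[0] != 5:          # protocol must be ICMP, ICMP type must be 5
        return None
    # the quoted IP header starts at icmp[8]; its source/destination sit 12 and 16 bytes in
    return tuple(str(ipaddress.ip_address(b)) for b in (pkt[12:16], icmp[4:8], icmp[20:24], icmp[24:28]))


class HostRedirectPolicy:
    """The receiving host's checks (RFC 1122 3.2.2.2) plus an accept_redirects switch
    that mirrors the kernel knob net.ipv4.conf.all.accept_redirects."""

    def __init__(self, my_ip, prefix_len, gateway, accept_redirects=True):
        self.iface = ipaddress.ip_interface(f"{my_ip}/{prefix_len}")
        self.gateway, self.accept_redirects, self.routes = gateway, accept_redirects, {}

    def evaluate(self, pkt):
        parsed = parse_redirect(pkt)
        if parsed is None:
            return "ignored: not an ICMP redirect"
        sender, new_gw, quoted_src, quoted_dst = parsed
        if not self.accept_redirects:
            return "rejected: accept_redirects is off"
        if sender != self.gateway:                       # defeated by a forged source address
            return f"rejected: sender {sender} is not the current gateway"
        if ipaddress.ip_address(new_gw) not in self.iface.network:
            return f"rejected: new gateway {new_gw} is not on the local subnet"
        if quoted_src != str(self.iface.ip):             # defeated by quoting a sniffed packet
            return "rejected: quoted datagram was not sent by this host"
        self.routes[quoted_dst] = new_gw
        return f"accepted: {quoted_dst} now routed via {new_gw}"


def run_sample():
    forged = build_redirect("192.168.237.8", "192.168.237.129", "192.168.237.128", "203.0.113.5")
    lenient = HostRedirectPolicy("192.168.237.128", 24, "192.168.237.8")
    strict = HostRedirectPolicy("192.168.237.128", 24, "192.168.237.8", accept_redirects=False)
    return lenient.evaluate(forged), strict.evaluate(forged)
```
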

③ Transport layer protocol attacks and countermeasures

TCP RST attack

  • Definition: the TCP RST attack, also called the forged TCP reset packet attack, is a technique for interfering with a TCP connection by forging its traffic.
  • Principle: the TCP header contains a reset flag; when a host receives a packet with this flag set to 1 it immediately closes the TCP session. A TCP reset packet therefore closes a TCP session directly.
  • Attack steps:
  • The attacking host C monitors the TCP connection between the communicating parties A and B by sniffing.
  • After obtaining the source and destination IP addresses, the ports and the sequence number, it can combine IP source address spoofing to disguise itself as one communicating party and send a TCP reset packet to the other party.
  • Provided the port numbers are consistent and the sequence number falls within the TCP window, normal communication between the two parties is interrupted, which achieves a denial of service.
  • Tools: Netwox

TCP session hijacking attack

  • Principle: TCP session hijacking takes over an already established TCP session between two communicating parties, faking the identity of one party in order to continue communicating with the other. The core of the attack is the way TCP validates the session between the communicating parties.
  • Attack steps:
  • The victim host connects to the telnet server and establishes a session after authentication.
  • The telnet server sends a response packet to the victim containing the server's current sequence number (SVR_SEQ) and the next sequence number it expects from the client (SVR_ACK).
  • The attacker carries out an ARP spoofing man-in-the-middle attack and sniffs the communication between the victim and the telnet server, then forges the victim's IP address and identity and sends packets to the telnet server claiming to be the victim.
  • The sequence number of the packets the attacker sends must satisfy the condition SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WND.
    The victim keeps trying to continue the session with the telnet server, but because its sequence and ACK values no longer match the server's, an ACK storm appears between the two.
  • Precautions:
  • Disable source routing on the host
  • Use static IP and IP-MAC mapping tables to avoid ARP spoofing
  • Check and filter ICMP redirect messages
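
The window condition that both the TCP RST attack and session hijacking rely on, as an added example that is not from the original page: in_window is the receiver's acceptance test with 32-bit wraparound, rst_decision contrasts the classic RFC 793 behaviour with the RFC 5961 challenge-ACK mitigation used by modern stacks, and expected_blind_guesses shows why "anywhere in the window" is so much cheaper than an exact match for someone who has not sniffed the sequence number. The server state (expected client sequence number 145, taken from the netwox command in Practice 5, and a constructed receive window of 5840) is an assumption.

```python
MASK32 = 0xFFFFFFFF


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo 2^32.
    This is the hijack condition quoted above, SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WND,
    with the upper bound exclusive as in the RFCs."""
    return (seq - rcv_nxt) & MASK32 < rcv_wnd


def rst_decision(seq, rcv_nxt, rcv_wnd, rfc5961=True):
    """What the receiver does with a segment carrying the RST flag.
    Classic RFC 793: any in-window sequence number tears the connection down.
    RFC 5961: only seq == rcv_nxt resets; other in-window values earn a challenge ACK,
    which the real peer answers with a correctly numbered RST and a forger cannot."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if not rfc5961 or seq == rcv_nxt:
        return "reset"
    return "challenge-ack"


def data_decision(seq, rcv_nxt, rcv_wnd):
    """A data segment injected into the session is accepted on the same window test."""
    return "accept" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def expected_blind_guesses(rcv_wnd, exact_match):
    """Guesses needed to sweep the whole 32-bit sequence space (the worst case for an
    off-path forger): 2^32 / window when any in-window value is accepted, 2^32 when an
    exact match is required. Sniffing, as in the attacks above, skips this entirely."""
    return 2**32 if exact_match else (2**32 + rcv_wnd - 1) // rcv_wnd


def run_sample():
    """Server state: next expected client byte 145 (the seq number in the netwox
    command of Practice 5), receive window 5840 (constructed)."""
    svr_ack, svr_wnd = 145, 5840
    return {
        "rst exact, rfc5961": rst_decision(145, svr_ack, svr_wnd),
        "rst in-window, rfc793": rst_decision(2000, svr_ack, svr_wnd, rfc5961=False),
        "rst in-window, rfc5961": rst_decision(2000, svr_ack, svr_wnd),
        "rst outside window": rst_decision(70000, svr_ack, svr_wnd),
        "data in-window": data_decision(2000, svr_ack, svr_wnd),
        "data across the wraparound": data_decision(10, 0xFFFFFFF0, svr_wnd),
        "guesses, 64 KiB window": expected_blind_guesses(65535, False),
        "guesses, exact match": expected_blind_guesses(65535, True),
    }
```
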

TCP SYN Flood denial-of-service attack

  • Principle: exploiting the defect in the TCP three-way handshake, the attacker sends a large number of SYN connection requests with forged source addresses to the target host, consuming the target host's connection queue resources so that it can no longer serve properly.
  • Attack steps:
  • In a TCP SYN Flood attack, the attacker sends a large number of TCP SYN packets with forged source addresses to the victim host.
  • The victim host allocates the necessary resources, returns a SYN/ACK packet to the source address and waits for the ACK packet from that source.
  • If the forged source address belongs to an active host, that host returns an RST packet and the connection is dropped directly; but most forged source addresses are inactive and never return an ACK packet, so the victim host keeps resending SYN+ACK. When the half-open connection queue fills up, the server rejects new connections.
  • Precautions:
  • SYN cookie technology (no resources are allocated until the connection is fully established).
  • Firewall address state monitoring technology (the state of TCP connections to the target server is divided into NEW, GOOD and BAD).
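
The SYN cookie precaution worked through, as an added example that is not from the original page: the ISN returned in the SYN/ACK is built from a time slot, an MSS index and a keyed hash of the 4-tuple, so the server keeps no half-open state; a spoofed SYN flood against the page's target (192.168.237.128, port 23) then leaves the backlog at zero, while a real client whose ACK carries cookie + 1 within the allowed age completes the handshake and a stale ACK is dropped. The secret, the client addresses, the 5/3/24-bit layout and the small MSS table are constructed for this example.

```python
import hashlib
import hmac
import socket
import struct
MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values the 3-bit field of the cookie can encode


def _mac24(secret, four_tuple, t):
    """24-bit keyed hash over (client_ip, client_port, server_ip, server_port, time slot)."""
    data = struct.pack("!4sH4sHB", socket.inet_aton(four_tuple[0]), four_tuple[1],
                       socket.inet_aton(four_tuple[2]), four_tuple[3], t)
    return int.from_bytes(hmac.new(secret, data, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, four_tuple, mss, counter):
    """ISN for the SYN/ACK: 5-bit time slot | 3-bit MSS index | 24-bit MAC. Everything
    the server needs later is inside the number, so no half-open entry is stored."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t = counter & 0x1F
    return (t << 27) | (mss_idx << 24) | _mac24(secret, four_tuple, t)


def check_syn_cookie(secret, four_tuple, ack_num, counter, max_age=3):
    """Validate the final ACK: ack_num - 1 must be a cookie issued for this 4-tuple
    within the last max_age slots. Returns the encoded MSS, or None to drop it."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = cookie >> 27
    if (counter - t) & 0x1F > max_age or cookie & 0xFFFFFF != _mac24(secret, four_tuple, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


class SynCookieListener:
    """Server side with SYN cookies on; half_open is the backlog a classic server fills
    during a flood, and with cookies it stays at 0 however many SYNs arrive."""

    def __init__(self, secret):
        self.secret, self.half_open, self.established = secret, 0, []

    def on_syn(self, four_tuple, mss, counter):
        return make_syn_cookie(self.secret, four_tuple, mss, counter)   # reply, keep no state

    def on_ack(self, four_tuple, ack_num, counter):
        mss = check_syn_cookie(self.secret, four_tuple, ack_num, counter)
        if mss is not None:
            self.established.append((four_tuple, mss))
        return mss is not None


def run_sample():
    srv = SynCookieListener(b"secret rotated with the time slot")
    for n in range(10000):   # constructed spoofed sources that never finish the handshake
        srv.on_syn((f"10.{(n >> 8) & 255}.{n & 255}.1", 40000 + n % 1000, "192.168.237.128", 23), 1460, 7)
    real = ("192.168.237.10", 51515, "192.168.237.128", 23)   # constructed legitimate client
    cookie = srv.on_syn(real, 1460, 7)
    return srv.half_open, srv.on_ack(real, cookie + 1, 8), srv.on_ack(real, cookie + 1, 12), len(srv.established)
```
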

UDP Flood denial-of-service attack

  • Principle: sending a large number of UDP packets to the target host and network causes a heavy computational load on the target host or network congestion, putting the target host and network into an unusable state; this is a denial-of-service attack.
  • Precautions:
  • Disable or filter monitoring and response services.
  • Disable or filter other UDP services.

2. Practice

Practice 1: attack experiments on the key protocols of the TCP/IP protocol stack, ARP cache poisoning attack

  • The experiment needs hunt and netwox, so run the commands sudo apt-get install netwox and apt-get install hunt.
  • Kali-Linux attack machine: IP address 192.168.237.129, MAC address 00:0c:29:53:22:46
  • MetaSploitable2-Linux target: IP address 172.16.8.128, MAC address 00:0c:29:62:83:9c
    (the former is the MAC address of the Kali-Linux attack machine, the latter is the IP address of the MetaSploitable2-Linux target.)
  • On Kali execute the instruction netwox 33 -b 00:0c:29:62:83:9c -g 172.16.8.130 -h 00:0c:29:62:83:9c -i 172.16.8.128, where the MAC address is the MAC address of the MetaSploitable2-Linux target, the first IP address is the forged one, and the second IP address is the real IP address of Kali-Linux.
  • Use the command arp -a to view the ARP cache table on target A.

Practice 2: attack experiments on the key protocols of the TCP/IP protocol stack, ICMP redirect technique

  • Kali-Linux attack machine IP address: 192.168.237.129
  • SEED target IP address: 192.168.237.128
  • Target gateway IP address: 192.168.237.8
  • On the Kali attack machine enter the command netwox 86 -f "host 192.168.237.128" -g 192.168.237.129 -i 192.168.237.8
  • While pinging, we found that the packets to Baidu had been redirected to 192.168.237.8.

Practice 3: attack experiments on the key protocols of the TCP/IP protocol stack, SYN Flood attack

  • Use netwox tool 76 on the Kali attack machine to launch a SYN Flood attack against port 23 of the SEED Ubuntu target: netwox 76 -i 192.168.237.128 -p 23
  • The attack machine sends a large number of SYN connection requests from forged IP addresses to the target; these forged connection requests carry no MAC address, so the true identity of the attacker cannot be traced.

Practice 4: attack experiments on the key protocols of the TCP/IP protocol stack, TCP RST attack

  • Use netwox tool 78 on the Kali attack machine to launch a TCP RST attack against the SEED Ubuntu target: netwox 78 -i 192.168.237.128

Practice 5: attack experiments on the key protocols of the TCP/IP protocol stack, TCP session hijacking attack

  • SEED Ubuntu IP address: 192.168.237.128; MetaSploitable target IP address: 192.168.31.25
  • First, on the SEED Ubuntu attack machine we use telnet 192.168.31.25 to log in to the MetaSploitable target.
  • Open Wireshark on Kali and set the filter tcp.port == 23, then type ls on SEED Ubuntu; looking back at Wireshark on Kali, we find the packets carrying l and s.

  • Then we can forge the next packet to be sent: the Next Seq Num becomes the ACK of the next packet and the ACK becomes the next Seq. After obtaining this information, the attack machine uses netwox to forge a TCP packet from SEED Ubuntu to MetaSploitable. After it is sent successfully, the original SEED Ubuntu loses its connection while MetaSploitable treats Kali as the visitor, which achieves the session hijacking.

netwox 40 --ip4-dontfrag --ip4-offsetfrag 0 --ip4-ttl 64 --ip4-protocol 6 --ip4-src 192.168.237.128 --ip4-dst 192.168.31.25 --tcp-src 39458 --tcp-dst 23 --tcp-seqnum 145 --tcp-acknum 1406 --tcp-ack --tcp-psh --tcp-window 64 --tcp-data "6368656e6a69616e7975616e"

  • The 40 at the front is netwox tool 40; enter the SEED Ubuntu address after ip4-src and the MetaSploitable address after ip4-dst; tcp-src is the source port number (this changes); tcp-seqnum and tcp-acknum take the values explained above; tcp-data is the hexadecimal form of the data you want to send, here the hex of helloworld. The same value can be observed in Wireshark when it is transmitted.

3. Problems encountered in the study and their solutions

  • Problem ①: an error occurred while executing netwox 33 -b 00:0c:29:62:83:9c -g 172.16.8.130 -h 00:0c:29:62:83:9c -i 172.16.8.128 on Kali.
  • Solution to problem ①: re-examined the command syntax and proofread the IP and MAC addresses.

4. Learning perceptions and thoughts

  • Deepened my understanding of network attack and defense technology in both theory and practice, and improved my ability to use TCP/IP network protocol attacks.
  • Cultivated my practical learning ability; I have developed a great interest in the practical application of network attack and defense.

Reference material


Origin www.cnblogs.com/dkycjy/p/12599572.html