20199117 2019-2020-2 "Network Attack and Defense Practice" Week 5 Assignment

1. Practice content

1.1 Overview of TCP/IP protocol stack attacks

1.1.1 Network security attributes and attack modes

  • Network security attributes: confidentiality, integrity, availability.
  • Basic model of network attacks
    In network communication an attacker can act in four basic modes. Passive threat: interception (against confidentiality). Active threats: interruption (against availability), tampering (against integrity), and forgery (against authenticity).

1.1.2 TCP/IP protocol stack security flaws and attack techniques

  • Each layer of the TCP/IP stack has design flaws that map to specific attack techniques; the network-layer ones (IP source address spoofing, ARP spoofing, ICMP route redirection) are covered in 1.2 and the transport-layer ones (TCP RST, TCP session hijacking, SYN flood, UDP flood) in 1.3.

1.2 Network-layer protocol attacks

1.2.1 IP source address spoofing

IP source address spoofing means that the attacker sends IP packets whose source address is forged, either to hide the sender's identity or to impersonate another host.

  • IP source address spoofing process

  • Principle: the IP protocol was designed to route a packet using only its destination address; nothing in IP verifies that the source address is genuine, so any host can put any address in that field.
  • Application scenarios: commonly used in denial-of-service attacks (the flood cannot be traced to its origin and cannot be blocked by source address) and also in network scanning.
  • Prevention measures
    (1) Use randomized initial sequence numbers, so that a spoofer who cannot see the reply cannot complete a TCP handshake.
    (2) Use network-layer or transport-layer security protocols (for example IPsec), which authenticate the peer cryptographically rather than by address.
    (3) Avoid trust policies based on IP addresses alone.
    (4) Implement packet filtering on routers and gateways: drop packets leaving a network whose source address does not belong to it, and packets entering from outside that claim an internal source.
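Prevention measure (4) is usually called ingress/egress filtering (BCP 38). The following is an added example, not code from the original post: a router-side source filter over a constructed topology in which 192.168.200.0/24 sits behind an "inside" interface and everything else arrives on "outside". The interface names, the prefix lists and the sample packets are assumptions for the example.

```python
import ipaddress

# Constructed topology for this example (not the original lab's configuration):
# a border router with an "inside" interface serving 192.168.200.0/24 and an
# "outside" interface facing the rest of the network.
INSIDE_PREFIXES = [ipaddress.ip_network("192.168.200.0/24")]

# Sources that must never arrive on the outside interface: private ranges,
# loopback and "this network", all of which are spoofing favourites.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def source_filter(iface: str, src: str) -> str:
    """Verdict for one packet, keyed only by ingress interface and source IP.

    Egress rule (inside -> out): a host behind the router may only use an
    inside address, so a spoofed external source is dropped at the first hop.
    Ingress rule (outside -> in): a packet from outside may not claim an inside
    or bogon source, so an outsider cannot impersonate 192.168.200.x.
    """
    addr = ipaddress.ip_address(src)
    inside = _in_any(addr, INSIDE_PREFIXES)
    if iface == "inside":
        return "forward" if inside else "drop"
    if iface == "outside":
        return "drop" if inside or _in_any(addr, BOGON_PREFIXES) else "forward"
    raise ValueError(f"unknown interface {iface!r}")


def filter_batch(packets):
    """Apply source_filter to (iface, src) pairs; returns (iface, src, verdict)."""
    return [(iface, src, source_filter(iface, src)) for iface, src in packets]


# Constructed sample traffic.
SAMPLE = [
    ("inside", "192.168.200.4"),   # Kali sending with its own address: forward
    ("inside", "8.8.8.8"),         # inside host spoofing an external source: drop
    ("outside", "203.0.113.7"),    # legitimate external source: forward
    ("outside", "192.168.200.5"),  # outsider impersonating SEEDUbuntu: drop
    ("outside", "10.1.2.3"),       # bogon source: drop
]

if __name__ == "__main__":
    for iface, src, verdict in filter_batch(SAMPLE):
        print(f"{iface:8} {src:16} {verdict}")
```

The filter does not need to know anything about the packet's transport layer; the whole decision is "does this source belong on this interface", which is exactly the check IP itself never makes.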

1.2.2 ARP spoofing

ARP spoofing is an attack technique in which the attacker sends forged ARP messages over a wired Ethernet or wireless LAN so that a chosen IP address becomes mapped to an attacker-controlled MAC address in the victims' ARP caches.

  • ARP spoofing process

  • Principle: the root cause is that ARP was designed on the assumption that every host on the LAN is trusted. ARP replies carry no authentication and are accepted even when unsolicited, so the protocol is being followed exactly as specified when an attacker inside the LAN, or an external attacker or malicious code that has penetrated it, poisons the cache of any host.
  • Application scenarios: switched networks (where plain sniffing no longer sees other hosts' traffic), building man-in-the-middle attacks, and traffic interception by malicious code.
  • Prevention measures
    (1) Statically bind the IP-to-MAC mappings of key hosts (gateway, servers).
    (2) Use appropriate ARP protection tools (ARP-watch programs on hosts, or dynamic ARP inspection on switches).
    (3) Use VLANs to segment the network topology, and encrypt data in transit so that intercepted traffic is useless.
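As an added example (not code from the original post), the following builds the unsolicited ARP reply that netwox tool 80 sends in the practice section and checks captured ARP replies against the static IP-to-MAC bindings of countermeasure (1). The binding table reuses the lab's address table; the two frames are constructed for the example.

```python
import struct


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply "sender_ip is-at sender_mac".
    An unsolicited reply like this is what netwox 80 sends periodically; the
    receiver updates its cache without ever having asked."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, hlen 6, plen 4, opcode 2 = reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return opcode and sender fields of an ARP-over-Ethernet frame, or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": ":".join(f"{b:02x}" for b in frame[22:28]),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
    }


# Static bindings taken from the lab's address table (countermeasure (1)).
STATIC_BINDINGS = {
    "192.168.200.4": "00:0c:29:9e:dc:dd",  # Kali
    "192.168.200.6": "00:0c:29:6e:32:02",  # MetaSploitable
    "192.168.200.3": "00:0c:29:70:6b:cf",  # WinXPattacker
}


def check_arp_frame(frame: bytes, bindings=STATIC_BINDINGS) -> str:
    """'ok' if the reply matches the binding, 'spoofed' if the sender claims an IP
    bound to another MAC, 'unknown' if the IP is not in the table, 'ignore' otherwise."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != 2:
        return "ignore"
    expected = bindings.get(arp["sender_ip"])
    if expected is None:
        return "unknown"
    return "ok" if expected == arp["sender_mac"] else "spoofed"


# Constructed frames: a genuine reply from MetaSploitable to WinXP, and the forged
# one Kali sends in the lab ("192.168.200.6 is-at 00:0c:29:9e:dc:dd").
GENUINE = build_arp_reply("00:0c:29:6e:32:02", "192.168.200.6", "00:0c:29:70:6b:cf", "192.168.200.3")
FORGED = build_arp_reply("00:0c:29:9e:dc:dd", "192.168.200.6", "00:0c:29:70:6b:cf", "192.168.200.3")

if __name__ == "__main__":
    for name, frame in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, parse_arp(frame), check_arp_frame(frame))
```

Nothing in the forged frame is malformed: it differs from the genuine one only in the MAC it advertises, which is why a parser alone cannot catch it and an out-of-band binding table is needed.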

1.2.3 ICMP route redirection attack

In an ICMP route redirection attack the attacker impersonates a router and sends forged ICMP redirect messages so that the victim host routes selected traffic through a path chosen by the attacker, which enables sniffing or spoofing of that traffic.

  • ICMP route redirection attack steps

  • Principle: ICMP redirect messages let a gateway tell a host about a better next hop, and the host acts on them by changing its routing table. By sending a redirect that appears to come from the victim's gateway and names the attacker's machine as the new gateway, the attacker becomes the victim's next hop for the target destination; the victim's datagrams are then sent to the attacker, who can monitor them and forward them on.
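As an added example (not code from the original post), the block below constructs the redirect that netwox 86 sends in the practice section and then applies the host-side acceptance rules to it, showing which check actually stops the attack. The destination 203.0.113.10 stands in for the ping target and the local prefix 192.168.200.0/24 is an assumption.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(router_ip: str, victim_ip: str, new_gateway: str, orig_dst: str) -> bytes:
    """ICMP type 5 code 1 ("redirect datagram for the host"), as netwox 86 sends it:
    the packet claims to come from router_ip and tells victim_ip to reach orig_dst
    via new_gateway.  A redirect must quote the IP header plus 8 bytes of the
    datagram that supposedly triggered it; here an echo request is quoted."""
    quoted = ipv4_header(victim_ip, orig_dst, 1, 8) + bytes([8, 0, 0, 0, 0, 0, 0, 0])
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address(new_gateway).packed) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router_ip, victim_ip, 1, len(icmp)) + icmp


def parse_icmp_redirect(pkt: bytes):
    """Return the redirect's fields, or None if it is not a well-formed redirect."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 28 or icmp[0] != 5 or inet_checksum(icmp) != 0:
        return None
    return {
        "src": str(ipaddress.ip_address(pkt[12:16])),
        "code": icmp[1],
        "new_gateway": str(ipaddress.ip_address(icmp[4:8])),
        "orig_dst": str(ipaddress.ip_address(icmp[24:28])),  # dst field of the quoted header
    }


def should_accept_redirect(redirect, current_gateway: str, local_net: str, secure: bool = True) -> bool:
    """Host-side acceptance policy.  RFC 1122 requires that the redirect come from
    the current first-hop gateway and that the new gateway be on-link; the lab
    attack passes both because the source is spoofed.  The 'secure' rule mirrors
    Linux net.ipv4.conf.*.secure_redirects: the new gateway must already be a
    known gateway, which is what blocks the attack short of disabling redirects."""
    if redirect is None or redirect["src"] != current_gateway:
        return False
    if ipaddress.ip_address(redirect["new_gateway"]) not in ipaddress.ip_network(local_net):
        return False
    if secure and redirect["new_gateway"] != current_gateway:
        return False
    return True


# Constructed attack packet: Kali (192.168.200.4) impersonates the real gateway
# 192.168.200.1 and redirects SEEDUbuntu's traffic for 203.0.113.10 to itself.
ATTACK = build_icmp_redirect("192.168.200.1", "192.168.200.5", "192.168.200.4", "203.0.113.10")

if __name__ == "__main__":
    r = parse_icmp_redirect(ATTACK)
    print(r)
    print("accepted with RFC 1122 checks only:", should_accept_redirect(r, "192.168.200.1", "192.168.200.0/24", secure=False))
    print("accepted with secure_redirects:   ", should_accept_redirect(r, "192.168.200.1", "192.168.200.0/24", secure=True))
```

The point the example makes is that the standard sanity checks do not help here: the source is the real gateway (spoofed) and the new gateway is on the local subnet (it is the attacker), so either redirects must be disabled or only already-known gateways may be named.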

1.3 Transport-layer attacks

1.3.1 TCP RST attack

A TCP RST attack is a technique that forges reset segments in order to interfere with an established TCP connection.

  • TCP RST attack diagram

  • Principle: the TCP header carries a reset (RST) flag. In the vast majority of segments it is 0; when a host receives a segment with RST set whose sequence number is acceptable for the connection, it tears the connection down immediately and no longer sends or receives data on it. An attacker who can sniff the connection learns the exact sequence numbers and can forge an acceptable RST at once; an off-path attacker has to guess them.
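As an added example (not code from the original post), the following models the receiver's decision for an incoming RST under the classic RFC 793 rule and under RFC 5961, and compares the on-path attacker who has sniffed the sequence number with an off-path attacker who must guess it. The connection state values (682 and a 64-byte window) are constructed, taken from the numbers that appear later in the lab.

```python
MASK = 0xFFFFFFFF


def in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32."""
    return ((seg_seq - rcv_nxt) & MASK) < rcv_wnd


def rst_action(seg_seq: int, rcv_nxt: int, rcv_wnd: int, rfc5961: bool = True) -> str:
    """How a receiver handles an incoming RST with sequence number seg_seq.

    Classic behaviour (RFC 793): any RST inside the receive window tears the
    connection down.  RFC 5961 tightens this: only SEG.SEQ == RCV.NXT resets;
    an in-window but inexact RST provokes a "challenge ACK" instead, and an
    out-of-window RST is silently dropped.
    """
    if not in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "drop"
    if not rfc5961 or seg_seq == rcv_nxt:
        return "reset"
    return "challenge-ack"


def simulate_blind_rst(rcv_nxt: int, rcv_wnd: int, rfc5961: bool = True,
                       max_sends: int = 100_000):
    """Off-path attacker who cannot sniff the connection: step the guessed SEQ
    by the window size so every window is probed once.  Returns how many RSTs
    were sent before the receiver reset, or None if max_sends was exhausted."""
    seq, sends = 0, 0
    while sends < max_sends:
        sends += 1
        if rst_action(seq, rcv_nxt, rcv_wnd, rfc5961) == "reset":
            return sends
        seq = (seq + rcv_wnd) & MASK
    return None


if __name__ == "__main__":
    # Constructed connection state using the seq/ack values seen in the lab.
    rcv_nxt, rcv_wnd = 682, 64
    print("on-path RST with sniffed seq:", rst_action(682, rcv_nxt, rcv_wnd))
    print("blind RST, RFC 793 receiver: ", simulate_blind_rst(rcv_nxt, rcv_wnd, rfc5961=False))
    print("blind RST, RFC 5961 receiver:", simulate_blind_rst(rcv_nxt, rcv_wnd, rfc5961=True))
```

With a realistic 64 KB receive window a blind attacker against an RFC 793 receiver needs on the order of 2^32 / 2^16 = 65536 forged segments, which is feasible; against an RFC 5961 receiver the window-stepping strategy never produces an exact match, which is why the lab's on-path sniffing approach is the reliable one.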

1.3.2 TCP session hijacking

  • Principle: the goal of TCP session hijacking is to take over a TCP session already established between two parties, impersonate one of them (usually the client) and carry on one-way communication with the other party. The server accepts any segment that has the right addresses, ports and sequence/acknowledgement numbers, so an attacker who can sniff those values can inject data as if it came from the client.

  • TCP session hijacking process

  • Prevention measures
    (1) Disable source routing on hosts.
    (2) Statically bind the IP-to-MAC mapping table to prevent ARP spoofing.
    (3) Reject and filter ICMP redirect messages.

1.3.3 TCP SYN flood denial-of-service attack

A TCP SYN flood exploits a weakness of the TCP three-way handshake: the attacker sends a large number of SYN connection requests with forged source addresses. The target allocates a half-open connection entry for each one and waits for a final ACK that never arrives, so its connection queue fills up and it can no longer serve normal users.

  • Prevention: SYN cookie technology (the server encodes the connection state in its initial sequence number instead of storing it) and firewall address-state monitoring.
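As an added example (not code from the original post), here is a simplified SYN cookie scheme in the style of the classic Bernstein design, not the exact layout Linux uses: the server's initial sequence number is a keyed hash of the connection tuple plus a coarse time counter and an MSS index, and the final ACK is validated by recomputing it, so no half-open entry is ever stored. The secret key, the MSS table and the addresses are constructed for the example.

```python
import hashlib
import struct

SECRET = b"example-syn-cookie-secret"   # constructed; a real server uses a random, rotated key
MSS_TABLE = [536, 1300, 1440, 1460]     # the MSS values that fit in the 2-bit index


def _hash24(src: str, dst: str, sport: int, dport: int, count: int) -> int:
    """Keyed hash of the connection tuple and the time counter, truncated to 24 bits."""
    msg = struct.pack("!HHI", sport, dport, count) + src.encode() + b"|" + dst.encode() + SECRET
    return int.from_bytes(hashlib.sha256(msg).digest()[:3], "big")


def make_cookie(src: str, dst: str, sport: int, dport: int, mss: int, now: int) -> int:
    """Server ISN for the SYN/ACK.  Layout: 24-bit hash | 3-bit time counter | 2-bit MSS index."""
    count = (now // 64) & 0x7                       # counter advances every 64 seconds
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (_hash24(src, dst, sport, dport, count) << 5) | (count << 2) | idx


def check_cookie(src: str, dst: str, sport: int, dport: int, ack: int, now: int):
    """Validate the handshake's third packet.  Returns the MSS to use for the new
    connection, or None if the cookie is forged or stale.  Nothing was stored
    between the SYN and this ACK, so a flood of SYNs costs the server no memory."""
    cookie = (ack - 1) & 0xFFFFFFFF
    idx, count = cookie & 0x3, (cookie >> 2) & 0x7
    if ((now // 64) - count) & 0x7 > 1:             # only the current and previous counter
        return None
    if (cookie >> 5) != _hash24(src, dst, sport, dport, count):
        return None
    return MSS_TABLE[idx]


def handshake(client: str, server: str, sport: int, dport: int, mss: int, now: int):
    """Full exchange: client SYN -> server SYN/ACK (seq = cookie) -> client ACK (ack = cookie + 1)."""
    cookie = make_cookie(client, server, sport, dport, mss, now)
    return check_cookie(client, server, sport, dport, (cookie + 1) & 0xFFFFFFFF, now)


def half_open_entries(n_syns: int, backlog: int, syn_cookies: bool) -> int:
    """Queue entries held after n_syns spoofed SYNs whose ACKs never arrive."""
    return 0 if syn_cookies else min(n_syns, backlog)


if __name__ == "__main__":
    # Constructed: MetaSploitable (192.168.200.6) connecting to FTP on WinXP (192.168.200.3).
    print("negotiated MSS:", handshake("192.168.200.6", "192.168.200.3", 40000, 21, 1460, 1_000_000))
    print("queue without cookies:", half_open_entries(10_000, 256, False))
    print("queue with cookies:   ", half_open_entries(10_000, 256, True))
```

A spoofed SYN never produces a valid third packet because the attacker does not receive the SYN/ACK and therefore never learns the cookie, while a genuine client's ACK is accepted within two counter periods and can still recover its MSS from the low bits.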

1.3.4 UDP flood denial-of-service attack

  • Principle: the attacker sends a large number of UDP packets to the target host and its network, causing heavy processing load on the host and congestion on the network, until host and network become unusable, i.e. denial of service.

  • Prevention: disable or filter listening-and-response services (such as echo and chargen), and disable or filter other unneeded UDP services.

1.4 TCP/IP protocol stack attack prevention measures

  • Monitoring, prevention and security hardening
  • Network security protocols (IPsec, TLS, SSH and the like)
  • Next-generation Internet protocol (IPv6)

2. Practice

Practical assignment

In the lab environment, complete the TCP/IP protocol stack attack experiments, covering ARP cache poisoning, ICMP redirection, SYN flood, TCP RST and (bonus) TCP session hijacking.

  • IP / MAC addresses

    Host                              IP address       MAC address
    Kali Linux (attacker)             192.168.200.4    00:0c:29:9e:dc:dd
    MetaSploitable Linux (target A)   192.168.200.6    00:0c:29:6e:32:02
    WinXPattacker (target B)          192.168.200.3    00:0c:29:70:6b:cf

ARP cache poisoning attack

  • On WinXPattacker, ping MetaSploitable, then run arp -a to view the ARP cache; the figure shows MetaSploitable's IP address with its genuine MAC address.

  • On Kali run netwox 80 -e 00:0c:29:9e:dc:dd -i 192.168.200.6, i.e. netwox tool 80 with -e set to Kali's MAC address and -i to MetaSploitable's IP address. It periodically sends ARP replies telling WinXPattacker that MetaSploitable's MAC address is Kali's MAC address, 00:0c:29:9e:dc:dd.

  • In the figure, MetaSploitable's entry now shows the same MAC address as Kali, so the spoofing succeeded.

  • After the attack is stopped, pinging again restores the correct MAC address.

ICMP redirect attack

  • IP address / gateway IP address

    Host                      Address
    Kali Linux (attacker)     IP: 192.168.200.4
    SEEDUbuntu (target)       IP: 192.168.200.5
    SEEDUbuntu (target)       Gateway IP: 192.168.200.1
  • On SEEDUbuntu run route; the target's routing table shows the gateway 192.168.200.1.

  • On Kali run netwox 86 -f "host 192.168.200.5" -g 192.168.200.4 -i 192.168.200.1, where -f is a filter for the target SEEDUbuntu, -g is the new gateway (the attacker, Kali) and -i is the address the redirect claims to come from (SEEDUbuntu's real gateway). Whenever netwox sniffs an IP packet whose source or destination is 192.168.200.5, it sends that source an ICMP redirect packet spoofed from 192.168.200.1, telling it to use 192.168.200.4 as its route.

  • On SEEDUbuntu run ping baidu.com; the figure shows the target receiving the ICMP redirect packets.

SYN flood attack

  • IP addresses

    Host                            IP address
    Kali Linux (attacker)           192.168.200.4
    WinXPattacker (target)          192.168.200.3
    MetaSploitable Linux (target)   192.168.200.6
  • On MetaSploitable run ftp 192.168.200.3 to open an FTP connection from MetaSploitable to WinXP.

  • On Kali run netwox 76 -i 192.168.200.3 -p 21, i.e. netwox tool 76 (SYN flood) against the target, with -p 21 because FTP listens on port 21.

  • On MetaSploitable run ftp 192.168.200.3 again; as the figure shows, the connection no longer goes through, so the SYN flood succeeded.

TCP RST attack

  • IP addresses

    Host                            IP address
    Kali Linux (attacker)           192.168.200.4
    WinXPattacker (target)          192.168.200.3
    MetaSploitable Linux (target)   192.168.200.6
  • On WinXP run telnet 192.168.200.6; a telnet connection is established between the two targets.

  • On Kali run netwox 78 -i 192.168.200.6; netwox tool 78 sniffs the connection and answers every TCP packet to or from that address with a forged RST.

  • Back in the WinXP window, as the figure shows, the telnet server has disconnected.

TCP session hijacking attack

  • IP addresses

    Host                            IP address
    Kali Linux (attacker)           192.168.200.4
    SEEDUbuntu (target)             192.168.200.5
    MetaSploitable Linux (target)   192.168.200.6
  • On SEEDUbuntu run telnet 192.168.200.6; the connection is established.

  • On Kali open Wireshark, sniff on eth0 and filter on telnet. Type ls in the SEEDUbuntu telnet session; the corresponding packets appear in Wireshark.

  • With the telnet filter applied, select the last packet and expand the Transmission Control Protocol section to read the source port, sequence number and acknowledgement number.

  • On Kali run netwox 40 --ip4-ttl 64 --ip4-protocol 6 --ip4-src 192.168.200.5 --ip4-dst 192.168.200.6 --tcp-src 58806 --tcp-dst 23 --tcp-seqnum 124 --tcp-acknum 682 --tcp-ack --tcp-psh --tcp-window 64 --tcp-data 6869 (the port, sequence and acknowledgement values come from the packet just inspected; 6869 is the hex encoding of "hi"). This forges a TCP segment from the SEEDUbuntu client to the MetaSploitable server.

  • In Wireshark, TCP Dup ACK messages now appear: the server accepted the forged segment and the real client's sequence numbers are out of step, which indicates that the hijacking succeeded.
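As an added example (not code from the original post), the block below builds exactly the segment that the netwox 40 command above injects, with a spoofed source and both checksums computed the way a receiver verifies them, and uses the same builder for the RST that tool 78 sends in the TCP RST experiment. It also illustrates section 1.2.1: nothing in the IP or TCP header authenticates the source. The packets are constructed from the lab's values.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                      flags, window: int, data: bytes = b"", ttl: int = 64) -> bytes:
    """IPv4 + TCP segment with an arbitrary (spoofed) source.  The only values
    the receiver checks beyond the checksums are the 4-tuple and seq/ack, which
    is why sniffing them is all the hijack needs."""
    s, d = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    fl = sum(FLAGS[f] for f in flags)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, fl, window, 0, 0) + data
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))   # TCP checksum covers a pseudo-header
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def decode(pkt: bytes) -> dict:
    """Parse the segment back and verify both checksums, as the receiving host does."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    s, d = ip[12:16], ip[16:20]
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    sport, dport, seq, ack, off, fl, win = struct.unpack("!HHIIBBH", tcp[:16])
    return {
        "src": str(ipaddress.ip_address(s)), "dst": str(ipaddress.ip_address(d)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": sorted(name for name, bit in FLAGS.items() if fl & bit),
        "window": win, "data": tcp[(off >> 4) * 4:],
        "ip_csum_ok": inet_checksum(ip) == 0,
        "tcp_csum_ok": inet_checksum(pseudo + tcp) == 0,
    }


# The segment the lab injects: SEEDUbuntu -> MetaSploitable telnet, seq 124 / ack 682
# as read from Wireshark, payload 0x6869 = "hi".
HIJACK = build_tcp_segment("192.168.200.5", "192.168.200.6", 58806, 23, 124, 682,
                           ("PSH", "ACK"), 64, bytes.fromhex("6869"))
# The same builder produces the reset netwox 78 sends once it has sniffed the live seq/ack.
RESET = build_tcp_segment("192.168.200.5", "192.168.200.6", 58806, 23, 124, 682,
                          ("RST", "ACK"), 0)

if __name__ == "__main__":
    for name, pkt in (("hijack", HIJACK), ("reset", RESET)):
        print(name, pkt.hex())
        print("   ", decode(pkt))
```

Sending either packet requires a raw socket and root, which is what netwox does on the page; the example stops at the wire format so it can be checked offline.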

3. Problems encountered and solutions

  • Question one: I could not access the various virtual machines, and the various network cards behaved strangely!!!
  • Solution: changed the network configuration several times, searched Baidu for methods and swapped virtual machines; that is why the targets and the attacker machine are not the same throughout the experiments above.
  • Question two:

  • Solution: do not enter a space before the IP address

4. Practice summary

In this network attack and defense practice I learned more knowledge and once again honed my patience, but it did not cost me any weight!


Origin www.cnblogs.com/qyh-/p/12600459.html