20199320 2019-2020-2 "Network Attack and Defense Practice" Week 6 Assignment


This assignment belongs to the course https://edu.cnblogs.com/campus/besti/19attackdefense
The assignment requirement is at https://edu.cnblogs.com/campus/besti/19attackdefense/homework/10589
My goal in this course is to master the knowledge and hands-on skills of network attack and defense
The part of this assignment that helped me reach that goal: mastering the security problems of the TCP/IP protocol stack, the most basic network-layer and transport-layer protocols, and the attack techniques aimed at them

I. Knowledge summary

1. Security models

  • PDR security model: a dynamic security model based on time. Its essence is the condition \(P_t > D_t + R_t\), where \(P_t\) is the time the protection mechanism holds off an intrusion, \(D_t\) is the time the detection mechanism needs to detect the intrusion, and \(R_t\) is the time the response mechanism needs to deal with it.
  • \(P^2DR\) security model: network security = a security policy developed from risk analysis (Policy) + enforcement of the security policy (Protection) + real-time detection (Detection) + real-time response (Response). The security policy is the core of the model.

2. Network security technologies and systems

2.1 Firewall technology overview

A firewall implements network access control at some level of the network protocol stack, inspecting and controlling the traffic that enters and leaves the network. By the layer of the protocol stack at which it works, firewall technology is divided into packet filtering (network layer), circuit-level gateways (transport layer) and application-layer proxies (application layer).

  • Functions: inspect and control the traffic entering and leaving the network; block fragile or insecure protocols and services; prevent leakage of internal network information; monitor and audit network access; and enforce the network security policy, integrating with other security mechanisms.
  • Shortcomings: a firewall cannot handle security threats that originate inside the network, attacks and virus spread between internal computers, unauthorized outbound connections, penetration attacks against open services and against client programs, or the covert communication channels used by trojans and botnets.

2.2 Firewall technologies and products

  • Packet filtering

    • Extends the routing function with packet filtering: it checks network-layer and transport-layer header information against a user-defined rule set that expresses the security policy, and decides whether each packet should be forwarded.
    • Advantages: simple, and does not affect network performance.
    • Shortcomings: limited functionality (each packet is inspected in isolation), and high demands on the administrator.
  • Stateful packet filtering (dynamic packet filtering)

    • Dynamic packet filtering still matches a static rule set as the security policy, but besides checking each packet on its own it tries to track the network connection each packet belongs to, and uses the connection state as an additional matching condition when deciding whether to allow or deny traffic. In other words, firewall rules are matched at the level of network connections.
    • Advantages: stronger security, a simpler rule set, and protection of the legitimacy of the data.
    • Shortcomings: high implementation complexity, a larger impact on network performance, and exposure to denial-of-service attacks.
  • Proxy technology

    • Application proxy: works at the application layer and provides good security.
    • Circuit-level proxy: works at the transport layer; while relaying it can check for various abnormal IP packets, hides internal network information as an application proxy does, and can also use user-level authentication to provide additional security.
    • NAT proxy: works at the network layer; it gives small office and home networks a way to make full use of limited IP address resources, and also provides some security protection.
  • Firewall products

    • Routers with integrated packet filtering, firewall software built on a general-purpose operating system, firewalls built on a secure operating system, and hardware firewall appliances.
  • Firewall deployment methods

    • Packet-filtering router: a router with packet filtering serves as the only point of connection between the internal and external networks; the administrator configures access control lists on the router to filter packets.
    • Dual-homed bastion host: an application proxy gateway running on a dual-homed bastion host replaces the packet-filtering router.
    • Screened host: combines a screening router with a bastion host, giving two layers of protection.
    • Screened subnet: uses two packet-filtering firewalls. The external firewall resists attacks from the external network and controls all access from the internal network to the DMZ; the internal firewall controls access from the DMZ to the internal network.

2.3 Linux open-source firewall: netfilter/iptables

  • How the netfilter/iptables open-source firewall works:

    In the netfilter/iptables firewall system, the netfilter component lives in Linux kernel space. It implements the basic firewall functions of static packet filtering and stateful packet inspection (dynamic packet filtering), and in addition provides a flexible and extensible framework that supports NAT (network address translation) and other extra features, with a multi-layer API for third-party extensions. With netfilter one can build a firewall, share Internet access through NAT, build a transparent proxy with NAT, build a QoS or policy router, and implement other security features. iptables is the firewall configuration tool that works in Linux user space; on the command line it lets the user configure and manage the various netfilter filtering rules.

  • netfilter/iptables architecture: four tables and five chains

    • The raw table exists only in the PREROUTING and OUTPUT chains. Because it has the highest priority, received packets can be handled there before connection tracking. A packet handled by a raw-table rule then skips the nat table and ip_conntrack processing, i.e. it receives neither address translation nor connection tracking.

    • The mangle table is mainly used to modify packets: the TOS (Type Of Service) and TTL (Time To Live) fields, and the packet mark, which is used to implement QoS (Quality of Service) and policy-based routing (PBR).

    • The nat table is mainly used for IP address translation.

    • The filter table is mainly used for packet filtering.

    • Priority: raw > mangle > nat > filter

  • iptables syntax

    iptables [-t table] command [match] [target]

    -t table: specifies the table the rule is configured in: filter, nat, mangle, raw, ... Without -t, the filter table is used by default.

    command: tells iptables what to do

    • -A (--append): append the rule to the end of the chain

      $ iptables -A INPUT -s 202.152.1.1 -j ACCEPT   # append a rule to INPUT: packets from 202.152.1.1 are accepted

    • -D (--delete): delete a rule from the chain, specified either by matching the rule or by its position number in the chain

    • -P (--policy): set the default target of the chain, i.e. every packet that matches no rule in the chain is handled by this default action

      $ iptables -P INPUT DROP   # set the default to DROP: packets matching no rule in INPUT are discarded

    • -N (--new-chain): create a new chain with the given name

    • -F (--flush): if a chain name is given, delete all rules in that chain; if none is given, delete all rules in all chains

      $ iptables -F FORWARD   # delete all rules in FORWARD

    • -L (--list): list all rules in the specified chain

      $ iptables -L FORWARD   # list all rules in FORWARD

    match: the rule's matching conditions; several matches in one rule are combined with AND

    • General matches:

      -i / -o: incoming / outgoing network interface
      -s / -d: source / destination address
      -p: protocol type
      -m: load a match extension, e.g. -m state for the network connection state

    • Protocol-specific matches:

      --sport / --dport: match the TCP/UDP source / destination port

    target: the action taken on a packet that satisfies the match conditions

    • ACCEPT: -j ACCEPT accepts the packet (lets it continue to its destination) and stops traversing the chain's rules
    • DROP: -j DROP blocks the packet by silently discarding it
    • REJECT: -j REJECT is similar to DROP, but does not leave dead sockets on the server and client; in addition it sends an error message back to the sender of the packet
    • RETURN: -j RETURN stops the matching packet's traversal of the chain containing the rule
  • netfilter/iptables packet filtering verdicts

    ACCEPT: let the packet continue through the network protocol stack

    DROP: silently discard the packet without notifying the sender

    QUEUE: hand the packet to user space through the nf_queue mechanism, for an application to process

    STOLEN: hold the packet until a particular condition is met, e.g. for reassembling IP fragments

    REPEAT: send the packet through the hook checkpoint again

    Note: ACCEPT and DROP are the most common.

    For example:

    # iptables -t filter -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT

    This static packet filtering rule checks routed (forwarded) packets: when the source IP belongs to the class C network 192.168.0.0/24 and the destination IP belongs to the class C network 192.168.1.0/24, the target action ACCEPT is executed.
    
  • netfilter/iptables packet state inspection

    NEW: a new connection, i.e. the first packet of a connection has been received, or packets have been seen in only one direction

    ESTABLISHED: a TCP connection that has completed the three-way handshake, or a connection in which two-way traffic has been seen

    RELATED: a connection related to an existing one, used for protocols such as FTP that negotiate a data port

    INVALID: an illegal state: the current exchange does not comply with the network protocol specification, giving an invalid connection

    For example:

    # allow NEW connections whose destination is the web server's IP to be forwarded through the firewall
    # iptables -t filter -A FORWARD -d [WEB_SERVER] -m state --state NEW -j ACCEPT
    # connections that are already established, and related connections, may pass through the firewall
    # iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    
  • netfilter/iptables NAT mechanism

    NAT is configured mainly through three default chains of the nat table: PREROUTING (for DNAT), POSTROUTING (for SNAT) and OUTPUT (for DNAT of locally generated packets).

    SNAT (changes the source address of a connection's packets)

    • IP masquerading

      # rewrite the source IP of packets sent by internal hosts to the firewall's external (eth0) address
      # (-i cannot be used in POSTROUTING; select internal hosts with -s if needed)
      # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    • SNAT

      SNAT must be done in the POSTROUTING chain, because the source address is changed only after routing and packet filtering have taken place.

      # change the source IP of every connection sent out through eth0 to 2.2.2.2
      # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 2.2.2.2

      # change the source IP of TCP connections sent out through eth0 to 2.2.2.2, with the source port taken from the range 1-1023
      # iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 2.2.2.2:1-1023

    DNAT (changes the destination address of a connection's packets)

    • Port forwarding, load balancing and transparent proxying all belong to DNAT

    • DNAT

      DNAT must be done in the PREROUTING chain

      # change the destination address of packets arriving on eth1 to 3.3.3.3
      # iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 3.3.3.3

      # change the destination address and port of web traffic to 4.4.4.4:8080
      # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 4.4.4.4:8080

      # redirect locally generated packets destined for 2.2.2.2 to the local loopback
      # iptables -t nat -A OUTPUT -d 2.2.2.2 -j DNAT --to 127.0.0.1

      # forward traffic arriving for port 8080 of the external IP 1.2.3.4 to port 80 of the internal host 192.168.1.1
      # iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 -j DNAT --to 192.168.1.1:80
      


II. Practice

1. Hands-on: firewall configuration

Configure iptables on Linux, or a personal firewall on Windows, to perform the following functions and test them:

(1) Filter ICMP packets so that the host does not accept ping packets;


  • Use iptables -L to view all rules on seed and confirm the default state:

    At this point, pinging seed (192.168.200.6) from kali (192.168.200.4) works with no problem.

  • Use the command iptables -A INPUT -p icmp -j DROP so that the host does not accept ICMP packets.

    -A INPUT: append the rule to the end of the INPUT chain;

    -p icmp: match the ICMP protocol;

    -j DROP: the matching packets are dropped.

    View the rules again:

  • Now ping seed from kali again; no reply is ever received:

    Wireshark shows that kali did send a large number of ICMP packets:

  • Afterwards, use iptables -F to clear all rules.


(2) Allow only a specific IP address to access a network service on the host (such as FTP, HTTP or SMB), while other IP addresses cannot access it.

  • Before the configuration, both kali and winXPattacker can access the host's FTP service.

  • Use the command iptables -P INPUT DROP to reject all inbound traffic.

  • Use the command iptables -A INPUT -p tcp -s 192.168.200.4 -j ACCEPT to allow only kali (192.168.200.4) to access the host. Check the rules:

  • After the configuration, accessing seed from kali and winXPattacker shows that only kali succeeds.

  • Enter iptables -F and iptables -P INPUT ACCEPT to restore the previous state.
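The same configuration as an iptables-restore file, added here as an example and not part of the original post: it fixes the rule order (policy first, then the state rule, then the per-host rule), narrows kali's access to the listed service ports instead of all TCP, and keeps the host's own outgoing connections working under the DROP policy. Assumed values: kali at 192.168.200.4 (from the post), services FTP (21), HTTP (80) and SMB (139/445); the script only prints the rule set.

```shell
#!/bin/sh
# Added example, not from the original post: the rule set for practice 1 written
# as an iptables-restore file, so the order (policy first, then state rule, then
# per-host service rules) is fixed instead of depending on typing order.
# Assumptions: the trusted client is kali at 192.168.200.4 (from the post); the
# services are FTP (21), HTTP (80) and SMB (139/445); nothing is loaded here.

# gen_ruleset ALLOWED_IP -> prints a filter-table rule set on stdout
gen_ruleset() {
    allowed="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host itself opened stay allowed;
# without this line a default DROP policy also breaks the host's own clients
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# requirement (1): the host does not accept ping
-A INPUT -p icmp --icmp-type echo-request -j DROP
# requirement (2): only ALLOWED_IP may open connections to the listed services;
# every other source falls through to the INPUT DROP policy
-A INPUT -p tcp -s $allowed -m multiport --dports 21,80,139,445 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# count_rules TEXT TARGET -> how many "-A INPUT ... -j TARGET" rules the set contains
count_rules() {
    printf '%s\n' "$1" | grep -c -- "^-A INPUT .* -j $2\$"
}

# Load with:    gen_ruleset 192.168.200.4 | sudo iptables-restore
# Restore with: iptables -F && iptables -P INPUT ACCEPT (as in the post)
```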

2. Hands-on: Snort

Use Snort to perform intrusion detection on the given pcap file (listen.pcap) and explain the attacks detected. Run Snort on the BT4 Linux attacker or the Windows attacker machine, perform intrusion detection on the given pcap file, and obtain the alert log.

  • Run snort -c /etc/snort/snort.conf -r /home/kali/Desktop/listen.pcap -K ascii to read the packets offline from the pcap file:

    TCP packets make up the majority.

  • Snort writes its log files to the default directory /var/log/snort. Run cd /var/log/snort and view the log with vim alert: this attack was launched with nmap. The attacker's IP address is 172.31.4.178 and the target's IP address is 172.31.4.188; the port numbers and other details are also visible.

3. Practice assignment

1. Analyze the firewall and IDS/IPS configuration rules of the Honeywall in the attack-defense virtual network environment, and report on how the Honeywall uses firewall and intrusion detection technology to meet its requirements for attack data capture and data control.

Analyze in detail the configuration rule files and startup items, including:

• the firewall (netfilter + IPTables): /etc/init.d/rc.firewall;

• the intrusion detection system (Snort): /etc/init.d/hflow-snort and /etc/snort/snort.conf;

• the intrusion prevention system (Snort_inline): /etc/init.d/hflow-snort_inline and /etc/snort_inline/snort_inline.conf.


(1) How do the scripts above implement the Honeywall's data capture and data control mechanisms?

Data capture:

The honeypot gateway captures data in three ways: firewall logs, network traffic and system activity.

Firewall log: the firewall logs all inbound and outbound connections of the honeynet. Everything the firewall logs is recorded in the file /var/log/messages. However, the data the firewall can record is limited, mainly header information such as the time of the attack, the source and destination IP addresses and the source and destination ports; it cannot record the intruder's keystrokes, packet payloads and the like.

IDS: the IDS can capture all network activity and record the payload of every packet. To make full use of its capture ability, the IDS obtains every packet in the honeynet environment. Snort captures all IP traffic and dumps it to a log file in tcpdump format for later analysis. The sniffer is bound to the external network interface eth0, so the records contain no data unrelated to the honeynet, only its traffic with the external network. As shown in the figure:

Data control:

The Honeywall's main data control methods are outbound connection limits based on IPTables, and the snort-inline intrusion prevention system.

The IPTables-based firewall script rc.firewall can limit the number of outbound TCP, UDP and ICMP connections or packets. The limit period can be seconds, minutes, hours or days, which is flexible, convenient and allows reasonable control. It can also modify the packets of outbound connections so that they never reach their destination, while letting the intruder believe the packets were sent normally.

The figure shows that hosts on the blacklist have all their packets discarded; hosts on the whitelist have their packets accepted; and honeypot hosts on the protection list are not allowed to be accessed externally.

Snort-inline is a Snort-based intrusion detection system that detects malicious traffic through modified Snort rules. It matches every outbound packet against attack signatures; when a known attack is found it generates an alert and, depending on the configuration, either drops the packet or modifies it so that the attack fails. All packets leaving the honeynet must pass through Snort_inline inspection, which is not limited to the traffic covered by the rule library; the packets must also be delivered to Snort_inline for inspection by other means, which is achieved with the IPTables QUEUE module.
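The two data-control mechanisms just described, outbound connection limits per protocol and hand-off to Snort_inline through QUEUE, shown as a FORWARD-chain rule set. This is an added illustration and not the Honeywall's own rc.firewall; it assumes a constructed honeynet 192.168.1.0/24, example hourly limits, that inbound traffic to the honeypots is simply accepted, and it only prints the rules.

```shell
#!/bin/sh
# Added example, not the Honeywall's own rc.firewall: a FORWARD-chain rule set
# showing the two data-control mechanisms described above, outbound connection
# limits per protocol and hand-off of the remaining traffic to snort_inline
# through the QUEUE target. Assumptions: 192.168.1.0/24 is a constructed
# honeynet; the hourly limits are example values; nothing is loaded here.

# gen_outbound_control HONEYNET TCP_PER_HOUR UDP_PER_HOUR ICMP_PER_HOUR
gen_outbound_control() {
    net="$1"; tcp="$2"; udp="$3"; icmp="$4"
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# inbound: attackers may reach the honeypots freely (assumed ACCEPT here)
-A FORWARD -d $net -j ACCEPT
# packets of already tracked connections keep flowing, inspected by snort_inline
-A FORWARD -m state --state ESTABLISHED,RELATED -j QUEUE
# outbound NEW connections from the honeypots are rate-limited per protocol;
# the limit module lets only the given number of new connections per hour pass,
# and what passes is still queued to snort_inline
-A FORWARD -s $net -p tcp -m state --state NEW -m limit --limit $tcp/hour --limit-burst $tcp -j QUEUE
-A FORWARD -s $net -p udp -m state --state NEW -m limit --limit $udp/hour --limit-burst $udp -j QUEUE
-A FORWARD -s $net -p icmp -m state --state NEW -m limit --limit $icmp/hour --limit-burst $icmp -j QUEUE
# connections over the limit are recorded (LOG goes to /var/log/messages) and
# dropped; this is the per-time-unit outbound limit described in the text
-A FORWARD -s $net -m state --state NEW -j LOG --log-prefix "OUTBOUND LIMIT "
-A FORWARD -s $net -m state --state NEW -j DROP
COMMIT
EOF
}

# limit_for TEXT PROTO -> the --limit value applied to PROTO in the rule set
limit_for() {
    printf '%s\n' "$1" | sed -n "s/^-A FORWARD .* -p $2 .* --limit \([^ ]*\) .*/\1/p"
}

# Usage: gen_outbound_control 192.168.1.0/24 15 20 50 | sudo iptables-restore
```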


(2) Obtain the actual IPTables rule list and the actual runtime parameters of Snort and Snort_inline.

  • Run iptables -t filter -L to view the rule list; -t specifies the rule table and -L lists it.

  • Run vim /etc/init.d/snortd. snortd is the Snort startup script; in it you can see the actual execution parameters, e.g. the default rule file snort.conf and the default monitored network interface eth0.

  • Run vim /etc/init.d/hw-snort_inline to see the corresponding startup script.


(3) After the Honeywall boots, how are the firewall, NIDS and NIPS started?

Enter chkconfig --list | grep <service> to query the current state of a service. As shown below, the NIDS is off in all seven runlevels, so it must be started manually. The firewall and NIPS are not all off, so they start with the system.


(4) Bonus: how are the Honeywall's Snort rules automatically upgraded?

Run vim /etc/honeywall.conf to open the Honeywall configuration file and check whether automatic updating of the Snort rules is enabled; by default it is not:

Oinkmaster can also be seen; it is the automatic update tool. Open the file with vim /etc/oinkmaster.conf and find the snort.conf reference, from which it can be concluded that Snort is upgraded automatically by the Oinkmaster tool.

III. Problems encountered and their solutions

  • Problem 1: when configuring the firewall to allow only the designated service access to the host, both machines could still access it successfully after the setup.

    Solution: because by default all inbound data was allowed, iptables -A INPUT -p tcp -s 192.168.200.4 -j ACCEPT only allows the specific host and does not prohibit the other machines. So first enter iptables -P INPUT DROP to reject all inbound data, and then the configuration works.

  • Problem 2: after running snort -c /etc/snort/snort.conf -r /home/kali/Desktop/listen.pcap, there was no alert file in the default directory /var/log/snort.

    Solution: append the parameter -K ascii to the snort command so that the logs are stored in ASCII, which solves it.

IV. Practice summary

This practice mainly consisted of configuring a firewall with iptables, using the Snort intrusion detection tool, analyzing script files, and gaining a general understanding of how the Honeywall uses firewall and intrusion detection technology to meet its attack data capture and control requirements. The practice was relatively simple; during it I found that the command parameters are easy to confuse, so they need to be memorized and used carefully.

V. References


Origin www.cnblogs.com/liangxu111/p/12664058.html