20222820 2022-2023-2 The third assignment of "Network Offense and Defense Practice"

Practice 3 Network sniffing and protocol analysis


1. Experimental requirements

2. Problems encountered in learning and their solutions

3. Learning thoughts and experiences


1. Experimental requirements

(1) Hands-on practice with tcpdump

Use the tcpdump open source software to sniff the process of accessing the www.tianya.cn website on this machine and answer the question: When you visit the homepage of the www.tianya.cn website, how many web servers will the browser access? What are their IP addresses?

First switch the Kali virtual machine's network adapter to bridged mode, so the VM gets its own address on the physical LAN and tcpdump sees real traffic to the outside world.

Query the local IP address (ip addr or ifconfig); in this run it was 192.168.16.128.

Capture with the following command (the screenshot of the output is not reproduced here).

sudo tcpdump -n src 192.168.16.128 and tcp port 80 and "tcp[13]&18=2"

How the filter works: -n suppresses reverse DNS lookups so raw IP addresses are printed; src 192.168.16.128 keeps only packets sent by this machine; tcp[13] is the TCP flags byte, &18 masks the SYN (2) and ACK (16) bits, and =2 keeps packets with SYN set and ACK clear, i.e. the first segment of every connection the browser opens. Each distinct destination address in the output is therefore one web server, and counting them answers the question.

Open the browser and visit www.tianya.cn.

The capture shows the servers the page pulls content from. One caveat: most sites now redirect HTTP to HTTPS, so a filter restricted to port 80 misses the TLS connections; include port 443 as well (tcp port 80 or tcp port 443) if the page loads over HTTPS.

(2) Hands-on practice with Wireshark

Use the Wireshark open source software to sniff and analyze protocols when logging into the BBS via TELNET on this machine.

Enter the command to connect to the BBS server (luit -encoding GBK converts the server's GBK output to the terminal's locale so the Chinese interface renders correctly):

sudo luit -encoding GBK telnet bbs.fudan.edu.cn

Log in with the guest account.

In Wireshark, filter on tcp.port == 23 (or simply telnet). The BBS server's IP is 202.120.225.9 and the service port is 23.

Telnet transmits the username and password in clear text. Each keystroke travels in its own TCP segment and is echoed back by the server, so right-clicking any packet of the session and choosing Follow > TCP Stream reconstructs the whole login, credentials included. This is why telnet should not be used for anything that needs a password; SSH carries the same interactive session over an encrypted channel.
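Why the session is so easy to recover, as an added example (this is not code from the original report): a short Python script that takes the client-to-server telnet payloads, drops the IAC option negotiation that Wireshark labels as telnet command packets, and joins the remaining keystrokes into the lines the user typed. Even when the server suppresses echo for the password, the client's own segments still carry it. The payloads below are constructed, with the account name guest and a made-up password; they are not taken from the bbs.fudan.edu.cn capture.

```python
"""Reassemble what a telnet client typed from its raw TCP payloads (RFC 854).

Added example, not part of the original lab report. Telnet sends each
keystroke as its own segment, interleaved with IAC option negotiation;
stripping the negotiation bytes and joining the rest yields the clear-text
login, which is what Wireshark's Follow TCP Stream shows.
"""

IAC, SE, SB = 0xFF, 0xF0, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_options(payload: bytes) -> bytes:
    """Remove IAC command sequences from one segment, keeping only user data."""
    out = bytearray()
    i, n = 0, len(payload)
    while i < n:
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                                  # truncated IAC at segment end
        cmd = payload[i + 1]
        if cmd == IAC:                             # IAC IAC = escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):        # 3-byte option negotiation
            i += 3
        elif cmd == SB:                            # subnegotiation runs until IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                                      # 2-byte command (NOP, GA, AYT, ...)
            i += 2
    return bytes(out)


def reassemble_client_input(segments) -> list:
    """Join client->server payloads and split into typed lines.

    Telnet ends a line with CR LF or CR NUL; both are normalised to LF.
    """
    data = b"".join(strip_telnet_options(s) for s in segments)
    text = data.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return [line.decode("ascii", "replace") for line in text.split(b"\n") if line]


# Constructed client->server segments (not from a real capture): option
# negotiation first, then the login name and a made-up password, one key per segment.
CLIENT_SEGMENTS = [
    b"\xff\xfd\x01",                      # IAC DO ECHO
    b"\xff\xfb\x18",                      # IAC WILL TERMINAL-TYPE
    b"\xff\xfa\x18\x00XTERM\xff\xf0",     # IAC SB TERMINAL-TYPE IS "XTERM" IAC SE
    b"g", b"u", b"e", b"s", b"t", b"\r\n",
    b"s", b"3", b"c", b"r", b"e", b"t", b"\r\x00",
]

if __name__ == "__main__":
    for line in reassemble_client_input(CLIENT_SEGMENTS):
        print(line)
```

To use it on a real capture, export the client-to-server side of the stream from Wireshark (Follow TCP Stream, select the one direction, save as raw) and feed the segment payloads to reassemble_client_input; the negotiation bytes are stripped in the same way.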

(3) Forensic analysis practice, decoding network scanner (listen.cap)

What is the IP address of the attacking host?

What is the target IP address for network scanning?

Which scanning tool was used to initiate these port scans in this case? How did you determine that?

In the log file you analyzed, what scanning method did the attacker use, which target ports were scanned, and how does that method work?

Which ports were found to be open on the honeypot host?

What is the operating system of the attacking host?

Use Wireshark to open listen.pcap (if File > Open does not accept it, drag the file onto the Wireshark window). The IP addresses of the target machine and the attacking host can be read from the packet list (screenshot not reproduced here).

Install snort. Run sudo vim /etc/apt/sources.list and replace the existing source line with the Kali mirror rather than adding a second line next to it (see section 2 for what happens otherwise). Then:

sudo apt-get update
wget archive.kali.org/archive-key.asc    # download the Kali archive signing key
sudo apt-key add archive-key.asc         # install the key so apt trusts the mirror
sudo apt-get update
sudo apt-get install snort
sudo chmod 777 /etc/snort/snort.conf     # grant permissions on snort.conf
snort -A console -q -u snort -c /etc/snort/snort.conf -r ~/listen.pcap

The last command prints alerts to the console (-A console), suppresses the banner and statistics (-q), runs as the snort user (-u snort), loads the configuration and rule set (-c) and reads packets from the capture file instead of an interface (-r). A caveat on the chmod: 777 makes the configuration world-writable, so any local user could change what snort alerts on; snort only needs to read the file, so mode 644 (or leaving it root-owned and running snort with sudo) is enough.

Once snort runs, its alerts identify the scanner as nmap: the rule messages that fire match nmap's characteristic probes. The IP address of the attacking host is 172.31.4.178 and the IP address of the target (honeypot) machine is 172.31.4.188.

Filter on arp and find the ARP request asking who has 172.31.4.188; the reply gives the MAC address of the target host. nmap uses ARP for host discovery when the target is on the same Ethernet segment, which is why this appears before any IP-level probe.

Filter on icmp: there are two pairs of ICMP echo request and echo reply packets between the attacker and the target. This is host discovery (a ping sweep), and the replies show the attacker determined that the target was up before port scanning it.

Filter on tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.src == 172.31.4.188 to list the SYN/ACK segments the target sent back; the source port of each one is an open port. A SYN/ACK is only ever an answer to a SYN, so it is also worth checking what the attacker did next: if it sent SYNs to many ports and answered each SYN/ACK with RST instead of completing the handshake, the scan was a TCP SYN (half-open) scan. A closed port answers the SYN with RST/ACK, and no answer at all usually means a firewall dropped the probe.

To fingerprint the operating system of the attacking host, install the p0f tool and run it over the capture file:

sudo p0f -r listen.pcap

p0f is passive: it compares the TCP/IP header characteristics of the SYN packets it sees (TTL, window size, option order) against its signature database and reports a match per host. The entry for 172.31.4.178 reports Linux 2.6.x, so the attacking host runs a Linux 2.6 kernel.

2. Problems encountered in learning and their solutions

It took a long time to install snort because the new source was added but the old source was not replaced. The installation succeeded after reinstalling twice.

3. Learning thoughts and experiences

Through this practice, I learned how to use snort, wireshark and other tools to analyze data packets, and experienced the fun of network attack and defense.

reference

https://blog.csdn.net/weixin_43729943/article/details/104221462

Origin: blog.csdn.net/weixin_44226607/article/details/129653327