Using Wireshark to analyze Linux SSH remote login delays

1. PuTTY remote login delay analysis

Problem description: When PuTTY on a Windows host is used to log in remotely to a Linux system such as Kali running in the background, there is a delay of about 10s every time after the password is entered. We now use Wireshark to capture the traffic and analyze it.

To illustrate the problem, I use the Ubuntu-based Metasploitable2 system here, which is convenient for analyzing it.

Step one: First find the IP address of Metasploitable2: 192.168.70.131. I have not changed the network connection mode of Metasploitable2; it uses NAT mode directly. The experiment host and the virtual machine can communicate with each other, so this does not affect the experiment.

Step two: Start the SSH service. In its default state the SSH service of Metasploitable2 is not running, so start it first for the remote connection, using the command: sudo /etc/init.d/ssh start

Step three: To capture the packets of the SSH service we first start a Wireshark capture. (On an isolated LAN with no other services communicating, SSH could be analyzed without a filter, but in reality we usually want to use a filter, so here we filter the captured data as well.) Note that we capture not on our local physical network card but on the VMware Network Adapter VMnet8 (this is tied to the NAT mode chosen earlier).

Step four: Open PuTTY, set up the remote connection and click OK. On the first connection a prompt appears because the SSH host key is not yet cached; choose to trust it and continue.

Enter the Metasploitable2 account and password. The connection to the metasploitable2 system succeeds, but there is a noticeable delay.

Now let's analyze the traffic captured during the connection: at the beginning we see very few packets, but once PuTTY connects successfully the number of packets rises rapidly.

Final step: filter and analyze the packets:

Now we need to analyze why there is a delay at the beginning. Since the connection uses the SSH service, I filter on the protocol being analyzed, SSH.

 

In the capture above I have marked the key negotiation part: from frame 25 to frame 36 the protocol completes key establishment and generates the session keys.

But between frame 36 and frame 39 the time jumps by roughly 10s, clearly far more than between the other frames. So where did the packets missing between 36 and 39 go? They do not use the SSL protocol, so what protocol do they use? Now we filter the frames between these two numbers.

Use the display filter: frame.number>35 && frame.number<40 (to make the effect obvious we keep the two preceding frames). The result is shown below:

Clearly the two frames between these numbers, 37 and 38, are a TCP packet and an ARP packet respectively. TCP is the connection protocol and ARP is the address resolution protocol. But we did not see the TCP three-way handshake, which shows that TCP did not establish its handshake and wasted about 5s; in addition, ARP address resolution also wasted about 5s. We see that no domain-name resolution took place; this is because NAT mode was chosen earlier, and in NAT mode the two network cards do not perform domain-name queries. If this were a remote SSL connection between two separate computers, a domain-name query would be performed.
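To make the gap-finding step above repeatable, here is an added example (not code from the original post) that computes the time between consecutive frames from a tab-separated export of frame number, relative time and protocol, the three columns produced by tshark -r capture.pcapng -T fields -e frame.number -e frame.time_relative -e _ws.col.Protocol. The sample rows are constructed to mirror the capture discussed above (key exchange ending at frame 36, a lone TCP and an ARP frame, SSH resuming at frame 39); they are not the real capture.

```python
"""Locate the slow stretch in an SSH login capture from a tshark field export."""
from dataclasses import dataclass

# Constructed sample (frame number, seconds since first frame, protocol column);
# it imitates the capture analysed above and is not real data.
SAMPLE_TSV = """\
25\t0.412\tSSHv2
26\t0.415\tSSHv2
30\t0.901\tSSHv2
36\t1.204\tSSHv2
37\t6.210\tTCP
38\t11.215\tARP
39\t11.312\tSSHv2
40\t11.320\tSSHv2
"""

@dataclass
class Frame:
    number: int
    time: float       # frame.time_relative, seconds since the first frame
    protocol: str     # Wireshark's Protocol column (_ws.col.Protocol)

def parse_frames(text):
    """Parse the tab-separated export into Frame records sorted by frame number."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        num, t, proto = line.split("\t")
        frames.append(Frame(int(num), float(t), proto))
    return sorted(frames, key=lambda f: f.number)

def largest_gaps(frames, top=3):
    """Return (prev_frame, next_frame, seconds, next_protocol), biggest gap first.
    The protocol of the frame that ends a long gap is the one to look at."""
    gaps = [(p.number, c.number, round(c.time - p.time, 3), c.protocol)
            for p, c in zip(frames, frames[1:])]
    return sorted(gaps, key=lambda g: g[2], reverse=True)[:top]

def window(frames, first, last):
    """Elapsed time from frame `first` to frame `last` and the protocols of the
    frames strictly between them: the programmatic twin of the display filter
    frame.number>35 && frame.number<40 used above."""
    by_num = {f.number: f for f in frames}
    between = [f.protocol for f in frames if first < f.number < last]
    return round(by_num[last].time - by_num[first].time, 3), between

if __name__ == "__main__":
    frames = parse_frames(SAMPLE_TSV)
    for prev, nxt, secs, proto in largest_gaps(frames):
        print(f"frame {prev} -> {nxt}: {secs:7.3f}s elapsed before {proto}")
    secs, protos = window(frames, 36, 39)
    print(f"frames 36..39: {secs}s, frames in between: {protos}")
```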

If we add the corresponding address-resolution entries to the routing table of the virtual network card, this lost time can be avoided. As for how to change the addresses in the routing table, I remember having written about that before.

What is the essence of the problem? It is the protocol: the protocol specifies the parameters used when connecting, so next let's look at the SSH protocol configuration.

Open the configuration file with gedit, using the command: gedit /etc/ssh/sshd_config

Here we make one change in the DNS-related section:

The default setting is: #UseDNS no. To change it we only need to remove the leading comment mark.

 

This reminds me of a technical book I read that is dedicated to Wireshark. The author wrote it in a very interesting way and managed to make a purely technical book not at all dry, and easy to understand as well, which is truly rare. Keep going; never abandon, never give up.

 


Origin www.cnblogs.com/xinxianquan/p/11324223.html