Homework
Wang Yuancan
January 14, 2020
@ Rain Man Network Security Operations
Homework begins
1. Homework Summary
- The whole story of browser page rendering
- Common penetration testing tools
2. Homework Analysis
2.1 What happens between typing a URL and the page finishing loading?
Open the browser and type a URL; the browser displays content that matches the URL you entered. In fact, while we are still typing the URL, the browser already starts matching it: it searches history, bookmarks and other places for URLs that may correspond to the string typed so far and offers smart suggestions.
After typing the URL we press Enter, and the browser initiates the request. If the URL contains a domain name rather than an IP address, the domain name has to be resolved.
An IP address is a numeric address that identifies a site on the network. To make addresses easier to remember, a domain name is used instead of the IP address to identify the site, and DNS is what converts a domain name into an IP address.
DNS resolution proceeds in these steps:
- The local hard disk has a hosts file (on Windows the path is C:\Windows\System32\drivers\etc), which acts as a small "database" associating some popular site domain names with their IP addresses. In general, the system first looks for the corresponding IP address in hosts; if it is there, that IP address from the hosts file is used directly and the next step is to confirm the port.
- If the previous step finds nothing, the browser calls the resolver and becomes a DNS client: the domain name to be resolved is placed in a DNS request packet and sent as a UDP datagram to the local DNS server.
- If the local DNS server finds the IP address corresponding to the domain name, it returns that IP address in a reply message.
- If the previous step finds nothing, i.e. the local DNS server does not know the IP address of the queried domain name: because the host's query to the local DNS server is a recursive query, in this case the local DNS server, now acting as a DNS client, continues by sending query request messages to a root DNS server. The local DNS server's queries to the root DNS server are iterative queries; when the IP address of the domain name is found, the result is returned to the browser that initiated the original query.
  Recursive query: in this mode, the DNS server that receives the client's request must return a definite result to the client. If the DNS server has no local record for the queried name, it asks other servers on the client's behalf and returns the result to the client.
  Iterative query: in this mode, if the DNS server that receives the client's request has no local record for the queried name, it gives the client the address of another DNS server that can resolve the query, and the client submits the request to that DNS server in turn, repeating the cycle until a query result is returned.
- After the steps above, the browser has the IP address of the domain name that was typed in and can proceed to the next step.
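As an added example (not part of the original homework), here is a small Python resolver that follows the order described in the steps above: it consults the hosts file first and only then sends an RFC 1035 A query to the local DNS server. The hosts entries, the `FAKE_ZONE` records and `fake_local_dns` are constructed stand-ins so that it runs offline; `resolve`, `build_query` and `parse_response` are my own names. It also checks that a reply's transaction id matches the query it sent, which is the check a real stub resolver uses to discard stray or spoofed replies.

```python
import secrets
import struct

# Constructed sample of a hosts file (on Windows the text's path is
# C:\Windows\System32\drivers\etc\hosts); the entries are invented.
HOSTS_SAMPLE = """
127.0.0.1       localhost
10.0.0.5        intranet.example   intranet   # an internal site
"""

# Constructed records for the stand-in local DNS server (no network is used).
FAKE_ZONE = {"www.example.com": "93.184.216.34"}


def lookup_hosts(hosts_text, name):
    """Step 1: the IP mapped to `name` in the hosts file, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()       # drop comments and blanks
        if len(fields) >= 2 and name.lower() in (h.lower() for h in fields[1:]):
            return fields[0]
    return None


def build_query(name, txid):
    """Step 2: an RFC 1035 query for an A record (sent over UDP in practice)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1: recursion
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)             # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) name inside a DNS message."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                    # two-byte compression pointer
            return off + 2
        off += length + 1


def parse_response(data, txid):
    """Step 3: (rcode, [IPv4 strings]) from the reply to our query."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if rid != txid or not flags & 0x8000:
        # Not an answer to the question we asked (stray or spoofed reply):
        # refuse it instead of caching whatever address it carries.
        raise ValueError("reply does not match our query")
    rcode = flags & 0x000F                           # 3 = NXDOMAIN, 2 = SERVFAIL, ...
    if rcode:
        return rcode, []
    off = 12
    for _ in range(qdcount):                         # skip the echoed question
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen                                 # other record types are skipped
    return rcode, addrs


def fake_local_dns(query):
    """Constructed local DNS server: answers from FAKE_ZONE or says NXDOMAIN."""
    txid = struct.unpack_from("!H", query, 0)[0]
    off, labels = 12, []
    while query[off]:
        labels.append(query[off + 1:off + 1 + query[off]].decode("ascii"))
        off += query[off] + 1
    question = query[12:off + 1 + 4]                 # qname + QTYPE + QCLASS
    ip = FAKE_ZONE.get(".".join(labels))
    if ip is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)   # pointer to offset 12
              + bytes(int(octet) for octet in ip.split(".")))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def resolve(name, hosts_text=HOSTS_SAMPLE, send=fake_local_dns):
    """hosts file first, then the local DNS server; returns (source, ip_or_None)."""
    ip = lookup_hosts(hosts_text, name)
    if ip is not None:
        return "hosts", ip
    txid = secrets.randbelow(0x10000)                # unpredictable id per query
    rcode, addrs = parse_response(send(build_query(name, txid)), txid)
    return "dns", (addrs[0] if addrs else None)
```

To talk to a real local DNS server, replace `send` with a function that sends the bytes with `sendto(query, (server, 53))` on a `SOCK_DGRAM` socket and returns `recv(512)`; the packet builder and parser stay the same.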
- The browser has the IP address, but it also has to confirm the port. The default is port 80; a server may offer different services distinguished by port, and a port number can be specified in the URL.
- With the IP address and port confirmed, the browser initiates an HTTP request to the target server. The HTTP request is transmitted over a TCP connection (for HTTPS an SSL connection has to be established as well, again on top of TCP; the discussion below is based on HTTP), as follows:
The browser generates an HTTP request packet for the target server. The request packet typically contains the request method, request URI, protocol version, header fields, request body and so on. After the HTTP request is prepared, the request message is passed from the application layer down to the transport layer, where it is divided into segments, and a TCP connection to the target server is initiated, beginning the TCP three-way handshake. The process is shown in the figure:
In plain terms:
A calls B on its own initiative: "Hey, can you hear me?" (SYN=1, seq=x). A then waits for B's answer (SYN-SENT state). At this point A does not know whether B can hear it.
After hearing A, B can confirm that it can hear A, but B still cannot confirm that A can hear B's own voice, so B says: "I can hear you (ACK=1, ack=x+1); can you hear me? (SYN=1, seq=y)", and B starts waiting for A's reply (SYN-RCVD state).
After hearing B, A can confirm two things: B can hear A speak, and A can hear B speak, so A can talk and listen at any time (ESTABLISHED state). But B is still waiting, not knowing whether A can hear it, so A needs to reply to B: "I can hear you (ACK=1, ack=y+1); let's start chatting (seq=x+1)". After hearing this, B too can talk and listen at any time (ESTABLISHED state).
After that the two of them can chat away...
The HTTP request message is carried directly in the third handshake segment.
A small piece of side knowledge: why a three-way handshake, rather than two or four?
One view is that the three-way handshake follows from the reliability requirement of the TCP protocol: three exchanges are the minimum needed to confirm that both sides can send and receive; two cannot confirm it, and four would be redundant. But there is no reliability in the full sense: however many times the handshake is performed, it can only show that the handshake itself was reliable; it cannot guarantee that the data transmission afterwards will be reliable, because the channel is unreliable. Of course, a three-way handshake at least shows that the channel has been reliable, which a two-way handshake cannot, while four or more exchanges merely raise the credibility of the conclusion "it used to be reliable". So the handshake only ensures the basic requirement for reliability; the reliability of the TCP protocol (note the distinction from integrity) rests more on checksums, retransmission timers and the acknowledgement mechanism.
The book "Computer Networks" also discusses this question. The explanation it gives is that the three-way handshake prevents a stale connection request segment from suddenly being delivered to the server and causing an error. A concrete example:
A connection request segment sent by the client is not lost, but lingers at some network node for a long time, so that it is delayed and only reaches the server at some point after the connection has been released. This segment is already stale. But when the server receives this stale connection request segment, it mistakes it for a new connection request sent again by the client, so it sends the client a confirmation segment agreeing to establish a connection.
Suppose there were no "three-way handshake", i.e. a new connection were established as soon as the server sends its confirmation. Since the client has not actually issued a request to establish a connection, it ignores the server's confirmation and sends no data to the server. The server, however, believes the new connection has been established and keeps waiting for data from the client. In this way, many of the server's resources are wasted.
The "three-way handshake" prevents this. In the situation just described, the client does not send a confirmation to the server; because the server receives no confirmation, it knows that the client does not want a connection.
Once the connection is established, data transmission begins. Although the browser knows the target server's IP address and port, the data cannot simply fly there on its own. The HTTP request segments are passed from the transport layer down to the network layer, where they are encapsulated into IP packets; the network layer specifies the path (the so-called route) by which the target server is reached and sends the packets to the other side.
The IP packet encapsulated by the network layer is passed further down to the data link layer, where it is encapsulated again into a MAC frame. Communication between IP addresses depends on MAC addresses (the fixed address belonging to the network card), so the MAC frame is built with the MAC address resolved by the ARP protocol (not necessarily the target server's MAC address, because the two communicating parties are actually very rarely in the same local area network (LAN); the traffic usually transits through routers).
The data link layer's MAC frame is passed down once more and reaches the physical layer. Note that what the physical layer deals with is how to transmit the bit stream over the transmission media that connect the computers, not the specific transmission medium. The physical layer has to ensure that raw data can be transmitted over a variety of physical media, and it defines the mechanical, electrical, functional and procedural characteristics of the transmission media:
Common transmission media are twisted pair, coaxial cable, fiber optic cable, wireless channels and so on; the task of the physical layer is to make the data transmittable over the transmission medium.
Through the matching MAC address, the physical-layer data reaches the target server via the transmission medium. The server's physical layer receives the bit stream and passes it up to the data link layer, which reverses the MAC frame encapsulation and restores the IP packet, then passes it up to the network layer, which likewise reverses its encapsulation to recover the HTTP request segments (the short pieces it was divided into). These are passed up to the transport layer, where the segments are reassembled according to their original sequence numbers into the complete HTTP request packet, which is passed up to the application layer, where the HTTP protocol begins processing the request.
This processing may return a static resource directly, or it may pass through PHP, Java or another language for processing. Once processing is complete, an HTTP response is returned: an HTTP response packet is generated, structured like the HTTP request packet, and the response packet then "walks" the same road the request packet took in order to reach the browser.
After the browser receives the HTTP response, the TCP connection may be released, or it may be reused to send new requests (persistent connections). Let's look at how a TCP connection is released. Unlike the three-way handshake that establishes a TCP connection, releasing a TCP connection is a "four-way wave". Either the client or the server can initiate the close request, and both may initiate it at the same time; in the figure, client A initiates the close:
The four-way wave in plain terms:
A has finished sending a file to B and says to B: "The file I wanted to send is done; I'm going offline" (seq=u, FIN=1). A then waits for B's reply (FIN-WAIT-1 state).
After seeing A's message, B replies: "Got it, but I still have a file to send you" (ACK=1, ack=u+1, seq=v). B enters a state of sending its file until it is finished (CLOSE-WAIT state).
After receiving B's reply, A does not go offline yet but keeps waiting for B to finish sending its file (FIN-WAIT-2 state).
A few minutes later, B's file transfer is done, and B says to A: "My file is done; I'm going offline too" (seq=w, FIN=1, ACK=1, ack=u+1). B then waits for A's reply to confirm that A really is offline (LAST-ACK state).
After receiving B's reply, A says to B: "OK, then go offline" (ACK=1, seq=u+1, ack=w+1). A then waits for a while (2MSL, TIME-WAIT state); B goes offline as soon as it receives this (CLOSED state), and after 2MSL has elapsed A goes offline as well (CLOSED state).
Why doesn't server B agree to disconnect immediately when it receives A's disconnect request?
When server B receives the request to disconnect, it may still have data that has not been fully sent, so the server first sends an acknowledgement and only agrees to disconnect after all of its data has been sent.
Why four waves, rather than three as when establishing the connection?
Because a TCP connection is full-duplex: when server B receives A's disconnect request, that only means A has nothing more to send to B, but B's transmission to A may not have finished yet. So B first sends A an ACK segment acknowledging A's disconnect request, then continues sending A the rest of its data; when that is done, B sends A its own disconnect request segment, and releases the connection only after A has received it and replied with an ACK segment.
In other words, A has to send a request to B and wait for B's confirmation, and B likewise has to send a request to A and wait for A's confirmation; only after both have gone through these two steps is the TCP connection fully released, rather than released by one side alone.
Establishing a connection involves only the establishment itself, with no data in flight, while releasing a connection must also consider whether data transmission is complete. So when establishing the connection, B's acknowledgement of A's request and B's own request can be merged into one step, the second handshake, whereas when releasing the connection they must be separate.
Why must A wait 2MSL after the last handshake?
First, MSL: MSL is the maximum segment lifetime. RFC 793 suggests two minutes, but in practice it can be set according to circumstances; in other words, MSL is the longest a segment can exist in the network.
The wait ensures that the last ACK segment A sends can reach server B. If that ACK segment is lost and B does not receive it, B times out and retransmits the FIN+ACK segment of the third wave to A; A, which is still waiting, can receive this retransmitted FIN+ACK segment, send an ACK segment to B again, and restart the 2MSL timer, so in the end both A and B enter the CLOSED state normally. If A released the A-->B connection right after sending its ACK segment, it could neither receive B's retransmitted FIN+ACK segment nor resend its ACK segment, and B could not release the B-->A connection in the normal way.
It also prevents "stale connection request segments" from appearing in the next new connection. Because a segment's lifetime is MSL, after A sends its last ACK segment and a further 2MSL passes, all segments generated during the lifetime of this connection will have disappeared from the network, so these old segments cannot appear in the next new connection.
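The three-way handshake and the four-way wave narrated above, modelled as an added Python example that is not from the original post. `Endpoint`, `Segment` and `run_lifecycle` are my own names, and the initial sequence numbers x=100 and y=300 are arbitrary. The state names and the seq/ack arithmetic follow the text's A/B dialogue, and the `lose_last_ack` switch replays the case discussed under 2MSL: A's final ACK is lost, B retransmits its FIN, and A can answer only because it is still in TIME-WAIT.

```python
from dataclasses import dataclass

@dataclass
class Segment:               # only the header fields the narration above uses
    seq: int
    ack: int = 0
    SYN: bool = False
    ACK: bool = False
    FIN: bool = False

class Endpoint:
    """One side of a TCP connection: its state plus two sequence counters."""

    def __init__(self, isn, state="CLOSED"):
        self.state = state
        self.snd_nxt = isn    # next seq number we will use (x for A, y for B)
        self.rcv_nxt = 0      # next seq number we expect from the peer

    def connect(self):
        """Handshake 1: 'hey, can you hear me?' (SYN=1, seq=x)."""
        assert self.state == "CLOSED"
        self.state = "SYN-SENT"
        return Segment(seq=self.snd_nxt, SYN=True)

    def close(self):
        """Wave 1 (from ESTABLISHED) or wave 3 (from CLOSE-WAIT): send our FIN.
        Real TCP also sets ACK on A's FIN; the text's (seq=u, FIN=1) omits it."""
        self.state = {"ESTABLISHED": "FIN-WAIT-1", "CLOSE-WAIT": "LAST-ACK"}[self.state]
        return Segment(seq=self.snd_nxt, ack=self.rcv_nxt, FIN=True, ACK=True)

    def timer_expired(self):
        """The 2MSL timer in TIME-WAIT ran out without a retransmitted FIN."""
        assert self.state == "TIME-WAIT"
        self.state = "CLOSED"

    def receive(self, seg):
        """Apply one incoming segment; return the reply to send, or None."""
        s = self.state
        acks_ours = seg.ACK and seg.ack == self.snd_nxt + 1   # acks our SYN or FIN
        reply = None
        if s == "LISTEN" and seg.SYN:                         # got handshake 1
            self.rcv_nxt, self.state = seg.seq + 1, "SYN-RCVD"
            reply = Segment(seq=self.snd_nxt, ack=self.rcv_nxt, SYN=True, ACK=True)
        elif s == "SYN-SENT" and seg.SYN and acks_ours:       # got handshake 2
            self.snd_nxt += 1                                 # our SYN used one number
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            reply = Segment(seq=self.snd_nxt, ack=self.rcv_nxt, ACK=True)
        elif s == "SYN-RCVD" and acks_ours:                   # got handshake 3
            self.snd_nxt, self.state = self.snd_nxt + 1, "ESTABLISHED"
        elif s == "ESTABLISHED" and seg.FIN:                  # got wave 1: peer is done
            self.rcv_nxt, self.state = seg.seq + 1, "CLOSE-WAIT"
            reply = Segment(seq=self.snd_nxt, ack=self.rcv_nxt, ACK=True)   # wave 2
        elif s == "FIN-WAIT-1" and acks_ours:                 # got wave 2
            self.snd_nxt, self.state = self.snd_nxt + 1, "FIN-WAIT-2"
        elif s == "FIN-WAIT-2" and seg.FIN:                   # got wave 3
            self.rcv_nxt, self.state = seg.seq + 1, "TIME-WAIT"   # 2MSL timer starts
            reply = Segment(seq=self.snd_nxt, ack=self.rcv_nxt, ACK=True)   # wave 4
        elif s == "TIME-WAIT" and seg.FIN:                    # wave 3 again: our ACK was lost
            reply = Segment(seq=self.snd_nxt, ack=self.rcv_nxt, ACK=True)   # re-ACK, restart 2MSL
        elif s == "LAST-ACK" and acks_ours:                   # got wave 4
            self.snd_nxt, self.state = self.snd_nxt + 1, "CLOSED"
        return reply                                          # anything else is ignored

def run_lifecycle(x=100, y=300, lose_last_ack=False):
    """Drive client A and server B through both phases; return (trace, A, B)."""
    a, b = Endpoint(x), Endpoint(y, state="LISTEN")
    trace = []

    def snap(label):
        trace.append((label, a.state, b.state))

    syn = a.connect()
    snap("1: A sends SYN")
    synack = b.receive(syn)
    snap("2: B sends SYN+ACK")
    ack = a.receive(synack)
    snap("3: A sends ACK (the HTTP request can ride on it)")
    b.receive(ack)
    snap("established")
    fin_a = a.close()
    snap("wave 1: A sends FIN")
    ack_b = b.receive(fin_a)
    a.receive(ack_b)
    snap("wave 2: B ACKs and keeps sending; A waits")
    fin_b = b.close()
    snap("wave 3: B sends FIN+ACK")
    ack_a = a.receive(fin_b)
    snap("wave 4: A ACKs and starts its 2MSL timer")
    if lose_last_ack:
        # B never saw wave 4, times out and retransmits wave 3; A is still in
        # TIME-WAIT, so it can answer again (and restarts its 2MSL timer).
        ack_a = a.receive(fin_b)
        snap("wave 3 retransmitted, A re-ACKs")
    b.receive(ack_a)
    snap("B closes")
    a.timer_expired()
    snap("2MSL elapsed, A closes")
    return trace, a, b
```

Calling `run_lifecycle()` and printing the trace shows the state pairs from the figures; with `lose_last_ack=True` the extra snapshot shows A answering the retransmitted FIN from TIME-WAIT, which is exactly what A could not do if it had closed right after sending its ACK.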
The browser then checks the status of the HTTP response, mainly by its status code:
1xx: informational, e.g. the request was received or is being processed
2xx: success; the operation was successfully received and processed
3xx: redirection; further action is generally required to complete the request
4xx: client error
5xx: server error
If the response is cacheable, the browser stores it in its cache.
The browser decodes the response according to the HTTP header information, decides how to handle it, and presents it. Taking an HTML response as an example:
The browser starts loading the HTML document top to bottom and left to right. It first encounters the <!DOCTYPE> declaration, which tells the browser which specification to use when parsing this document.
It then continues to parse as it loads, building the DOM tree as it goes. When it meets an external CSS file during loading, the browser issues a separate request to fetch the CSS file (the same process as described above); after fetching the CSS it builds the CSS Rule tree. The DOM tree and the CSS Rule tree together produce the Render tree, and the page can start rendering while it is still loading.
Relationship between the render tree and the DOM tree: invisible DOM elements (such as <head>…</head> and elements with display=none) are not inserted into the render tree. Some nodes are absolutely positioned or floated, which takes them out of the text flow, so they sit at different positions in the render tree and the DOM tree: the render tree marks their real position and uses a placeholder structure to mark where they originally were, while the DOM tree keeps them at their original position.
Rendering consists of the two steps "layout" and "paint". "Layout" means working out the exact position of each DOM node in the browser window; "paint" means traversing the Render tree and drawing the laid-out DOM nodes on the screen.
- The browser continues loading and rendering. If it meets a <script> tag, it executes it immediately (leaving the defer and async attributes aside for now). At this point the page blocks: it has to wait not only for the JS file in the document to finish downloading, but also for the JS to finish parsing and executing, before loading and parsing of the HTML document can resume.
- This is because the browser wants to avoid the situation where JS modifies the DOM tree and the DOM tree has to be rebuilt: when the DOM tree changes, the browser has to go back and re-render that part, so the browser would rather block the downloading and rendering of other content to avoid more unnecessary Reflow (called reflow or re-layout).
- If the <script> is placed in <head>, the <body> tag cannot be loaded and the page naturally cannot render, so the page stays completely blank until that JS code has finished executing. The user experience is very poor; generally when I see a page that stays blank for a long time I really want to close it. It is therefore recommended to put all <script> tags as close to the bottom of <body> as possible, to minimize the impact on downloading the whole page. One script still blocks the next, but the user experience is much better than above, because the user sees most of the content instead of a blank page.
  The defer attribute tells the browser to download immediately but delay execution. Loading of the subsequent document elements proceeds in parallel (asynchronously) with the download of the JS file, but the JS file executes after the whole page has been parsed and before the DOMContentLoaded event fires, in the order in which the scripts appear. (Professional JavaScript for Web Developers points out that in reality they do not necessarily execute in order, nor necessarily before the DOMContentLoaded event, so it is best to include only one deferred script. This probably depends on the browser implementation; under exactly which conditions it happens I do not know yet???)
  The async attribute tells the browser to download and execute immediately, and the page's loading and rendering do not wait for that script to load and execute; the two proceed asynchronously. Scripts marked async do not execute in the order they appear; whichever finishes downloading first executes first. They are guaranteed to execute before the page's load event fires, but may execute before or after the DOMContentLoaded event. For the reason given earlier, async scripts had better not modify the DOM, and if there are several async scripts they had better not depend on one another.
- The browser continues loading and rendering. If it meets an image resource, it issues a separate request to fetch the image. This request is asynchronous, so the browser does not wait for the image to download but continues rendering the rest of the HTML document.
- When the server returns the image file, if no width and height were set for the image beforehand, the image now occupies some area and affects the layout of the paragraphs after it, so the browser performs a Reflow.
- Then, at last, it meets </html>. This round of loading and rendering is complete (the browser is tired too), and the DOMContentLoaded event fires immediately. That event fires as soon as the complete DOM tree has been formed, without caring whether images, JS files, CSS files or other resources have finished downloading.
- When the page has fully loaded, i.e. all external resources such as images, JS files and CSS files have finished loading, the load event fires.
- When the user interacts with the page, that may cause the page to Repaint or Reflow.
  Repaint: if only properties such as an element's background colour or text colour change, properties that do not affect the layout around or inside the element, only a browser Repaint is triggered, redrawing that part.
  Reflow: if a change in some part affects the layout, the browser has to go back and re-render it; every Reflow necessarily causes a Repaint.
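The script scheduling rules above (a plain <script> blocks the parser; defer runs after parsing and before DOMContentLoaded, in document order; async runs whenever its download finishes, possibly after DOMContentLoaded but before load) condensed into an added toy simulation in Python. It is not from the original post or from any browser: `SAMPLE_PAGE`, `simulate` and the tick costs are constructed assumptions, namely that each token costs one tick to parse, that downloads run in the background, and that the parser only yields to a finished async script between tokens. Real browsers differ in detail, as the Professional JavaScript for Web Developers caveat above warns, but the emergent order shows why async scripts must not rely on the DOM or on one another.

```python
# Constructed page; each entry is a token the parser meets in document order:
#   ("html", label)                          markup, costs one tick to parse
#   ("script", name, mode, download, exec)   mode is "sync", "defer" or "async"
#   ("img", name, download)                  fetched in the background; only
#                                            the load event waits for it
SAMPLE_PAGE = [
    ("html", "<head>"),
    ("script", "analytics", "async", 5, 1),
    ("script", "app", "defer", 2, 1),
    ("script", "jquery", "sync", 3, 1),
    ("html", "<body>"),
    ("img", "hero", 20),
    ("html", "</html>"),
]


def simulate(page):
    """Return [(tick, event)] for one parse of `page` by the toy browser."""
    t, events = 0, []
    deferred, pending_async, images_ready = [], [], []

    def run_ready_async(wait_for_all=False):
        """Execute async scripts whose download is done, earliest first."""
        nonlocal t
        while pending_async:
            pending_async.sort()                     # (ready_tick, name, cost)
            ready, name, cost = pending_async[0]
            if ready > t and not wait_for_all:
                return                               # still downloading: keep parsing
            t = max(t, ready) + cost
            events.append((t, f"exec {name} (async)"))
            pending_async.pop(0)

    for token in page:
        t += 1                                       # parsing this token
        if token[0] == "html":
            events.append((t, f"parse {token[1]}"))
        elif token[0] == "img":
            images_ready.append(t + token[2])        # request sent, parsing goes on
        else:
            _, name, mode, download, cost = token
            if mode == "sync":                       # blocks parsing until fetched and run
                t += download + cost
                events.append((t, f"exec {name} (sync)"))
            elif mode == "defer":                    # fetch now, run after parsing
                deferred.append((t + download, name, cost))
            else:                                    # async: run when the fetch is done
                pending_async.append((t + download, name, cost))
        run_ready_async()                            # the parser yields between tokens

    for ready, name, cost in deferred:               # document order, before DCL
        t = max(t, ready) + cost
        events.append((t, f"exec {name} (defer)"))
    events.append((t, "DOMContentLoaded"))
    run_ready_async(wait_for_all=True)               # may run after DCL ...
    t = max([t] + images_ready)
    events.append((t, "load"))                       # ... but never after load
    return events


def event_order(events):
    """Event names only, in the order they happened."""
    return [name for _, name in events]
```

Running `simulate(SAMPLE_PAGE)` shows the sync jquery script stalling the parser for its whole download, the async analytics script slipping in right after it because its download completed during the stall, the deferred app script running only after </html> and just before DOMContentLoaded, and load waiting for the slow image.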
2.2 Collect and organize common penetration testing tools (information gathering, packet capture and modification, webshell, injection, encoding/decoding, proxy, scanning, exploitation)
Required: give download addresses for backdoor-free versions of each type of tool
Introduction: briefly explain how to use the tool, or give the official manual or a good tutorial article from the Internet
Extension: try the tools out by hand
2.2.1 Information gathering
- nmap
Download address: https://nmap.org/download.html
The Kali virtual machine ships with nmap; it is used through the nmap command.
For example, start nmap:
>nmap
For example, start zenmap:
>zenmap
Table of common nmap parameters
| Parameter | Description |
| --- | --- |
| -sT | TCP connect scan; this method leaves a large number of connection requests and error messages in the target host's logs |
| -sS | Half-open scan; very few systems record it in their logs, but it requires root privileges |
| -sF -sN | Stealthy FIN packet scan, Xmas Tree scan and Null scan modes |
| -sP | Ping scan; when scanning ports, Nmap uses a ping scan by default and only continues scanning if the host is alive |
| -sU | UDP scan |
| -sA | Advanced scan method, usually used to pass through firewall rule sets |
| -sV | Probe the service version on each port |
| -P0 | Do not ping before scanning; usable when a firewall blocks ping |
| -v | Show scan results (verbose) |
| -h | Help documentation |
| -p | Specify the port range to scan |
| -O | Enable remote operating system detection |
| -A | Comprehensive system detection, enables script detection, scanning, etc. |
| -oN/-oX/-oG | Write the report to a file, in normal, XML and grepable formats respectively |
| -T4 | For TCP ports, do not let the dynamic scan delay exceed 10 ms |
| -iL | Read the host list from a file |
- 御剑 (Yujian)
- Google Hacking (GitHack)
Download address: (GitHub) https://github.com/lijiejie/GitHack
- Maltego
Maltego in Kali Linux can be used
Official address: https://www.paterva.com/buy/maltego-clients/maltego-ce.php
- Whois
Download address: (52pojie) https://www.52pojie.cn/thread-864451-1-1.html
2.2.2 Vulnerability scanners
- AWVS
Download address: (52pojie) https://www.52pojie.cn/thread-1036610-1-1.html
- H3C WebScan
- Appscan
Download address: (52pojie) https://www.52pojie.cn/thread-992186-1-1.html
- NetSparker
Download address: (52pojie) https://www.52pojie.cn/thread-993030-1-1.html
- Nessus
Download address: (52pojie) https://www.52pojie.cn/forum.php?mod=viewthread&tid=702905&fromguid=hot
Or use the version built into Bai's virtual machine
2.2.3 Exploitation tools
- 中国菜刀 (China Chopper)
Download address: (official site) http://www.zhongguocaidao.net/
- Sqlmap
Download address: (GitHub) https://github.com/sqlmapproject/sqlmap
- 穿山甲 (Pangolin)
Download address: (52pojie) https://www.52pojie.cn/forum.php?mod=viewthread&tid=861759
- Struts2 ultimate exploitation tool
Download address: (52pojie) https://www.52pojie.cn/thread-888314-1-1.html
- Seay-van source code leak exploitation tool
Download address: http://www.vuln.cn/2225
- Antsword (中国蚁剑)
Download address: (GitHub) https://github.com/AntSwordProject/
Installation tutorial: https://www.fujieace.com/hacker/tools/antsword.html
Note that you need to download both antsword itself and a loader:
- Behinder (中国冰蝎)
Download address: (GitHub) https://github.com/rebeyond/Behinder
2.2.4 Integrated platforms
- Burpsuite v2.1.07
Download address: (52pojie) https://down.52pojie.cn/Tools/Network_Analyzer/Burp_Suite_Pro_v2.1.07_Loader_Keygen.zip
Note: the two files have to be moved into the /bin directory of JDK 8, and then the cracked Burpsuite is started with a command (the two files to move are shown in the figure below)
- Metasploit
Download address:
(Windows version, official site) https://windows.metasploit.com/metasploitframework-latest.msi
Kali Linux ships with msf; it can be started in a terminal with the msfconsole command
3. Reflections and summary
The process from resolving a URL to the browser finishing rendering the page is genuinely complex and covers most of the important material in computer networking. Such a small action accomplishes so much work that one cannot help but marvel at the power of technology. Today I also got to know a pile of tools on the penetration testing side; everything is still being accumulated.
4. References
Linux Kali probing and a first experience with nmap: https://www.cnblogs.com/wangyuyang1016/p/10905326.html
Network security tools collection: https://sect#ools.org
CTF toolkit: https://cloud.tencent.com/developer/article/1352450
Kali Linux Maltego intelligence gathering tool: https://www.cnblogs.com/zh2000/p/11199492.html
Computer networking basics: https://hit-alibaba.github.io/interview/basic/network/HTTP.html
How browsers work: https://www.html5rocks.com/en/tutorials/internals/howbrowserswork/
Burpsuite user guide: https://t0data.gitbooks.io/burpsuite/content/
What happens from typing a URL to the page finishing loading? https://segmentfault.com/a/1190000014620172