Homework

Wang yuan can

January 14, 2020

@ Rain Man Network Security

operation

Job starts

1. Job Summary

Browser page rendering the whole story
Common penetration testing tool

2. Job Analysis

Anything from 2.1 to enter the URL of the page loads in the process have taken place?

　　Open your browser and enter URLthe browser to display some content that matches your entered URLs, in fact, we enter the time in the browser URLwhen the browser will start could match the intelligence URL, the browser from history , bookmarks and other places, to find the string you have entered the corresponding possible URL, and then gives smart tips.

　　In to lose URLafter we press the Enterbutton, the browser will initiate the request, if URLthe domain name rather than IPaddress, the domain name resolution

IP Address is a digital identification address on the network site, in order to facilitate memory, instead of using the domain IP address identifies site addresses, DNS domain name is the IP conversion address

　　DNS by following these steps:

We have a local hard disk under hosts( windowslower path C:\Windows\System32\drivers\etc) file, the role of some of the popular web site domain name corresponding IPto establish an association "database" address. In general, the system automatically from the first hostsfind the corresponding file IPaddress, if any, directly use hoststhe files inside IPaddress, and then directly confirm port
If the previous step is not found, the browser will call the parser, and become DNSa client server, the domain name to be resolved in DNSthe request packet to UDPthe User Datagram way distributed to local DNSserver
If the local DNSserver looks up the domain name corresponding to the IPaddress, then the corresponding IPaddress in the reply message is returned
If the previous step does not find that the local DNSserver does not know the queried domain name IPaddress, as the host to the local DNSquery server is recursive queries, so in this case, the local DNSserver will be at DNSthe customer's identity to other root DNScontinues to send a query request message server . Local DNSserver to the root DNSis iterative query query server, and when to find the appropriate domain name of IPthe address, it will put the results back to the original query request initiated by the browser

Recursive query: In this mode DNS the received client request to the server, the query must return an accurate result to the client. If the DNS server is not stored locally queried DNS information, then the server (for the client) asks other servers, and return the results back to the client.

Iterative query: In this mode the DNS receiving server to the client request, if the DNS server is not stored locally queried DNS information, DNS the server will provide additional able to resolve queries to the client DNS server address, so the client again this DNS server submit requests , followed by cycle until you return query results so far.
After the above steps, the browser has received input domain name IPaddress, you can be the next step.

The browser to get IPthe address, but also to confirm the default port is 80port, a server may offer different services that are distinguished by port, you can specify the port number
To give the browser IPthe address and port confirmed, the target server initiates the HTTPrequest, HTTPthe request by TCPtransmitting a connection (if HTTPSit is necessary to establish an SSL connection, is again TCPconnected, the following discussion is based HTTP), as follows

The browser will generate the target server HTTPrequest packet, the request packet typically contains the request method, request URI, protocol version, request content header fields, etc., HTTPafter preparing the request, HTTPa request message from the application layer spread to the transport layer is divided into segment, and it will reach the target server initiates a TCPconnection, beginning TCPthree-way handshake, the process as shown:

Popular can be understood as:

A call to the initiative B: Hey, can you hear me (SYN = 1, seq = x), then A B began to wait for the answer (SYN-SENT state), then A does not know B can not hear

After the hearing, then A, B, A can confirm that it can hear, but it also confirm that A can not hear his own voice, then B said: I can hear your voice (ACK = 1, ack = x +1), you can hear my voice right (SYN = 1, seq = y), and B start waiting for recovery of a (SYN-RECD state)

After hearing the words B of A, A can confirm two things, one B can hear it speak, and that it can be heard talking B, A can have any time to talk and listen to the (ESTABLISHED state). But at this time of waiting in B, A does not know can not hear, so in this case need to reply A B said: I can hear your voice (ACK = 1, ack = y + 1), a pleasant start chat it ~ (seq = x + 1), B after hearing these words can always talk to and listen to the (ESTABLISHED state)

After two people can balabalabala ....

HTTPRequest message request is directly attached to the third handshake message

Interspersed with small supplement knowledge, why is the three-way handshake, instead of twice or four times?

There is a view that three-way handshake is based on the TCP reliability of the protocol ( Reliability ) requirements, it is confirmed that the minimum number of twin can send and receive, and can not confirm twice, four times redundant. But no reliable full sense, regardless of shaking hands many times can only indicate shook hands to be reliable, no guarantee that has been a reliable time after the data transmission, because the channel is unreliable, of course, three-way handshake can at least show that it had reliable, this is a two-way handshake can not be completed, and four or more times just to improve the credibility of the handshake "it used to be reliable," this conclusion. So this is just a handshake to ensure a reliable basic needs, TCP reliability protocol (note the distinction integrity integrity ) is more of a checksum, retransmission timer expires, confirmation mechanism
"Computer network" a book has talked about this problem, the explanation given is: three-way handshake is to prevent the failure of the connection request packet is received by the server segment, resulting in an error. Specific examples of the following:
clienta connection request issued segment is not lost, but in some network nodes the residence time, resulting in delayed to a later time before reaching the connection release server. This in itself is already a failure of the segment. But serverafter the failure of the receipt of this connection request segment, it is mistaken for clienta new connection request is issued again. So it is to clientsend a confirmation message segment agreed to establish a connection.
Do not assume that a "three-way handshake", as long as servera confirmation, a new connection is established. However, due to now clientnot issued request to establish a connection, and therefore will not ignore serverrecognized, nor to serverthe data transmission. The serverthought that the new connection has been established, and has been waiting for clientincoming data. In this way, servermany resources are wasted.
A "three-way handshake" approach can prevent this phenomenon. For example, that sort of situation, clientnot to serverconfirm a confirmation. serverBecause not receive confirmation, we know that clientdoes not require a connection

After the connection is established, begin data transmission, although the browser know the target server IPand port, but the data can not always go flying? HTTPRequest packet from the network layer segments will spread the transport layer, the network layer is encapsulated into IPthe packet, the network layer specifies how to reach the target server via a path (a so-called transmission line), and transmits the data packets to each other.

Encapsulated network layer IPpacket is further transmitted to the data link layer level --- and are again encapsulated MACdata frame structure, since IPthe communication between the address is dependent on MACthe address (fixed address card belongs), it MACdata frame structure will be after ARPthe protocol analysis MACaddresses (not necessarily the target server's MACaddress, because in fact the two sides of the communication within the same local area network (LAN) is very small, usually after routing transit).

Data link layer MACdata frame re-transmission downwardly, will reach the physical layer, here to note the physical layer consideration is how to transfer data on the bit stream transmission medium connected to various computer, rather than to specific transmission medium . Physical layer needs to ensure that the original data may be transmitted over a variety of physical media, which defines the mechanical characteristics of transmission media, electrical characteristics, functional characteristics, process characteristics:

Common twisted pair transmission media, cable, fiber optic cable, wireless channels, etc., the task is to make the physical layer of the data can be can be transmitted on the transmission media

By MACthe addresses match, the physical layer data reaches the destination server via the transmission medium, a physical layer receives the data link layer data bit stream is then sent to the server to upload the data link layer MACwill be encapsulated data frame reverse operation, is reduced to IPthe packet after the upload to the network layer, the network layer is also reduced to an inverse operation of the package HTTPrequest packet segment (divided in short short), which are then transmitted to transport layer segments up at the transport layer according to the original sequence number reassembled into a complete HTTPrequest packet, again uploaded to the application layer, the application layer HTTPprotocol will start to process the request

This processing may be returned directly static resource, it may go through PHP, JAVAlike language processing, other processing is complete, it returns a HTTPresponse, it generates a HTTPresponse packet, the HTTPrequest packet-like structure, then the response packet will "walk" when the road request packets to arrive browser

The browser receives HTTPthe response, then it is possible to release the TCPconnection, it is also possible to re-use the TCPconnection to send a new request (persistent connections), here to learn about TCPthe release of the connection, unlike TCPthe connection establishment of three-way handshake, TCPthe release of connections is four times waving, the client and server can initiate a shutdown request, there are both turned off to initiate the request, client a in FIG initiate shutdown request:

The same wave of popular explanation:

A to B to pass the file has been passed over, he said to B: I want to pass a file has been passed over, I want to prepare off the assembly line (seq = u, FIN = 1). A B then waits for a reply (FIN-WAIT-1 state)

B after seeing the message A, A reply said: I know, but I still have to file your (ACK = 1, ack = u + 1, seq = v). B into the file transfer and so he finished state (CLOSE-WAIT state).
A B After receiving the reply, not down, then continue to wait for the completion of file transfer B (FIN-WAIT-2 state)

A few minutes later, the B file transfer over, this time he said to A: My file transfer over, I have to off the assembly line (seq = w, FIN = 1, ACK = 1, ack = u + 1), then B waiting for a reply to confirm that a really is down (LAST-ACK state)

A reply is received after B of A will to say: Well, then you are offline right (ACK = 1, seq = u + 1, ack = w + 1). A case will wait for some time (2MSL, TIME-WAIT state), B directly after receipt of the offline (CLOSE state), then after 2MSL to time, also offline A (CLOSE state)

为什么服务器B在接到A的断开请求时不立即同意断开？
当服务器B收到断开连接的请求时，服务器可能仍然有数据未发送完毕，所以服务器先发送确认信号，等所有数据发送完毕后再同意断开

为什么是四次挥手，而不是像建立连接一样的三次
因为TCP连接是全双工模式，服务器B收到A的断开请求时，仅仅表明A没有东西传给服务器B了，但此时服务器B可能向A的传输还没结束，所以服务器B要先给A一个确认收到A的断开请求的ACK报文，然后继续向A把信息传完，等传完之后服务器B再向A发送断开请求的报文段，等A收到并回复ACK报文后再释放连接。
也就是说对于A来说他要发送请求给B并等待B确认，对于B来说也要发送请求给A并等待A确认，两者都经过这两个过程才能完全释放TCP连接，而非单方面的释放。
建立连接只需要建立，没有数据的影响，而释放连接还要考虑数据是否传输完，所以建立连接的时候B确认收到A的建立请求与B发送建立请求这一步可以合成一步成为TCP建立连接的第二次握手，而释放连接时却必须分开。

最后一次握手后A为什么要等2MSL？
首先解释一下MSL，MSL是指最长报文段寿命，RFC793建议为两分钟，但实际上可据实际情况而定，也就是说一个报文段最久可存在的时间是MSL

这是为了保证A发送的最后一个ACK报文能够到达服务器B，如果这个ACK报文丢失了，服务器B没有收到，B会超时重传第三次握手的FIN+ACK报文给A，这个时候处于等待的A就可以收到这个重传的FIN+ACK报文，并再次发送ACK报文给服务器B，并且重新启动2MSL计时器，最终结果是A和B都正常进入CLOSE状态。如果A发完ACK报文后就直接释放了A-->B的连接，那么A就收不到B重传的FIN+ACK报文，也不能重新发送ACK`报文，那么B就无法按正常步骤释放B-->A的连接

防止“已失效的连接请求报文”出现在下一个新的连接中，因为一个报文段的寿命是MSL，所以A在发送完最后一个ACK报文段之后，再经过时间2MSL，本连接持续的时间内所产生的所有报文段都将在网络中消失，这样这些旧的报文段便不会出现在下一个新的连接中

浏览器之后会检查HTTP的响应状态，主要通过响应码来判断

1xx: 表示通知信息的，比如请求收到了或正在处理
2xx：表示成功，操作被成功接收并处理
3xx：表示重定向，一般完成请求还必须采取进一步的行动
4xx：表示客户端的差错
5xx：表示服务器的差错

如果响应可缓存，浏览器将把响应存入缓存

浏览器根据HTTP报头信息解码响应，决定如何处理这些响应，并展现响应，以响应为一个HTML为例

浏览器开始自上而下，自左而右的加载HTML文档，最开始会遇到<!DOCTYPE>声明，然后根据<!DOCTYPE>声明浏览器就知道该用哪种规范来解析这个文档

再继续边加载边解析，边生成DOM树，加载过程中遇到外部CSS文件，浏览器便会另外发出一个请求，来获取CSS文件（过程和上面说的一样），获取CSS后会生成CSS Rule树。DOM树和CSS Rule树生成Render树，页面可以开始边加载边渲染了

渲染树和DOM树的关系：那些不可见的DOM元素（如<head>…</head>，display=none的元素）不会被插入渲染树中；还有像一些节点是绝对定位或浮动，这些节点会在文本流之外，因此他们会在渲染树和DOM树的不同位置，渲染树标识出真实的位置，并用一个占位结构标识出他们原来的位置，而DOM树上是他们原来的位置

渲染包含"布局"（layout）和"绘制"（paint）这两个步骤，所谓"布局"是指给出每个DOM节点在浏览器窗口中的准确位置，"绘制"是指遍历Render树将布局好的DOM节点绘制在屏幕上。

浏览器继续加载渲染，如果遇到＜script＞标签，浏览器会立即执行（暂不考虑defer及async属性），此时会出现页面阻塞，不仅要等待文档中JS文件下载加载完毕，还要等待JS解析执行完毕，才可以恢复HTML文档的加载解析。
- 这是浏览器为了防止出现JS修改DOM树，需要重新构建DOM树的情况，DOM树改变浏览器需要回过头来重新渲染这部分代码，所以浏览器希望通过阻塞其他内容的下载和呈现，来避免出现更多的不必要的Reflow（称为回流或者重排）
- 如果<script>放在的<head>中，则<body>标签无法被加载，那么页面自然就无法渲染了,因此这将导致在该JS代码完全执行完之前，页面都是一片空白，用户体验非常不好，一般我看到长时间的空白页面，我都非常想直接关闭它。因此会推荐将所有<script>标签尽可能放到<body>标签的底部，以尽量减少对整个页面下载的影响，此时虽然还会存在一个脚本阻塞另一个脚本的问题，但是用户体验比上面的好很多，因为用户看到了大部分内容，而不是空白
- defer属性相当于告诉浏览器立即下载，延迟执行。它使得加载后续文档元素的过程将和JS文件的加载并行进行（异步），但是JS文件的执行要在整个页面解析完成之后，DOMContentLoaded事件触发之前完成，执行顺序为出现的先后顺序。（高程中指出现实中不一定会按照顺序执行，也不一定会在DOMContentLoaded事件触发之前完成，因此最好只包含一个延迟脚本，这可能是与浏览器的实现有关，具体什么情况下会出现我还不知道？？？）
- async属性相当于告诉浏览器立即下载执行，并且页面的加载渲染不需要等待该脚本加载和执行，它们两者会异步进行。标记为async的脚本不会按照它们出现的先后顺序执行，而是谁先下载完了谁就先执行，它们一定会在页面的load事件触发之前执行，但可能会在DOMContentLoaded事件触发之前或之后执行。基于前面所说的一点原因，异步脚本最好不要修改DOM，如果由多个异步脚本，它们之间最好没有依赖关系
浏览器继续加载渲染，如果遇到图片资源，浏览器也会另外发出一个请求，来获取图片资源，这是异步请求，所以不会等到图片下载完，而是继续渲染后面的HTML文档。
等到服务器返回图片文件，如果先前并没有为这个图片设定宽高，那么由于图片占用了一定面积，影响了后面段落的排布，浏览器会进行Reflow
然后然后终于和＜/html＞碰面了，此次的页面加载渲染过程完成，浏览器也是很累了，然后会立即触发DOMContentLoaded事件，该事件是在形成完整的DOM树之后就会触发，而不会理会图像、JS文件、CSS文件或其他资源是否已经下载完毕
当页面完全加载后，也就是所有图像、JS文件、CSS文件等外部资源都加载完成后会触发load事件
用户在页面上进行交互时，可能会导致页面进行Repaint或Reflow
- Repaint：如果只是改变了某个元素的背景颜色，文字颜色等，不影响元素周围或内部布局的属性，将只会引起浏览器的Repaint，重绘某一部分
- Reflow：如果某个部分发生了的变化影响了布局，那浏览器就需要倒回去重新渲染，每次Reflow必然会导致Repaint

2.2 整理收集渗透测试常用工具（信息收集，抓改包，webshell，注入，编解码，代理，扫描，漏洞利用）
需要做：给出相应类型工具无后门版下载地址
介绍：简单介绍该工具如何使用，或者给出官方手册或者互联网上比较好的教程文章
拓展：动手用一下这些工具

2.2.1 信息收集类

nmap

　　下载地址：https://nmap.org/download.html

　　在kali虚拟机中自带nmap，可通过nmap指令利用nmap

　　如，启动nmap：

>nmap

　　如，启动zenmap

>zenmap

　　nmap常用参数解析表

参数	说明
-sT	TCP扫描，这种方式会在目标主机的日志中记录大批连接请求和错误信息
-sS	半开扫描，很少有系统能够把它记入系统日志。但需要root权限
-sF -sN	秘密FIN数据包扫描、XmasTree、Null扫描模式
-sP	Ping扫描，Nmap在扫描端口时，默认都会使用ping扫描，只有主机存活，Nmap才会继续扫描
-sU	UDP扫描，
-sA	高级扫描方法，通常用来穿过防火墙的规则集
-sV	探测端口服务版本
-P0	扫描之前不用ping命令，防火墙禁止ping的时候，可以使用此选项进行扫描
-v	显示扫描结果
-h	帮助文档
-p	指定扫描的端口范围
-O	启动远程操作系统检测
-A	全面系统检测、启动脚本检测、扫描等
-oN/-oX/-oG	将报告写入文件，分别是正常、XML \grepable三种模式
-T4	针对TCP端口禁止动态扫描延迟超过10ms
-iL	读取主机列表