20199111 2019-2020-2 "Network Attack and Defense Practice" Week 3 Assignment


1. Practice content

Network information-gathering methods

  • Network footprinting: gather information to grasp key facts about the target
    • Web search and mining
    • IP and DNS queries
    • Network topology reconnaissance
  • Network scanning: probe the target network to find as many targets as possible, determine their types and whether security vulnerabilities are present, and so support choosing the attack target and a suitable channel
    • Host scan
    • Port scan
    • System type probing
    • Vulnerability scanning
  • Network enumeration: targeted probing of the weaknesses found, to locate the real entry point
    • Banner grabbing
    • Network service enumeration

2. Practice process

2.1 Network footprinting
2.1.1 Web information search and mining

Look up student ID information: search for "filetype:xls student number site:edu.cn"

2.1.2 DNS and IP lookup

Before the experiment I briefly reviewed the relationship between DNS and IP (the computer networking course from sophomore year is almost forgotten).
DNS (Domain Name System) maps domain names to IP addresses, so that people no longer have to remember the hard-to-recall numeric IP address to identify a machine.
A complete domain name consists of two or more parts separated by dots; it has a first-level domain and a second-level domain.
First-level domain: the parent domain, also called the top-level domain. It is divided into generic top-level domains and geographic top-level domains.
Generic top-level domains end in .com, .net, .org, .biz or .info, and are generally managed by companies abroad.
Geographic top-level domains end in a country code such as .cn (China) or .uk (United Kingdom), and are generally managed by the country or region.
Second-level domain: subdomain.parent-domain
For example: http://www.example.com:80/dir/page.html
http://: protocol
www.example.com: second-level domain
example.com: parent domain
80: port number
Relationship between IP and DNS:
(1) The domain name is relative to the web site; the IP address is relative to the network.
What happens when you enter a domain name in the browser: enter the domain name ---- the domain name server (DNS) resolves it to an IP address ---- the IP address is accessed ---- the access completes ---- the content is returned.
(2) On the Internet, one IP address corresponds to one computer.
One computer can provide many services, so one IP address can correspond to many domain names; that is, there can be many sites on one computer.

Use nslookup to view the mapping between Baidu's domain name and its IP address.
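As an added illustration of the breakdown above (example code written for this page, not from the original post), the following Python splits a URL into the components the text lists, defaults the port from the protocol, classifies the top-level domain using only the generic and geographic lists given above, and groups a constructed set of domain-to-IP records by address to show that one IP can carry many domain names. The TLD lists, the default-port table and the domain/IP records are assumptions limited to what the text mentions; the records use documentation addresses, not real lookups.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Top-level domain lists exactly as the write-up gives them (assumed to be the
# only ones this example needs to know about).
GENERIC_TLDS = {"com", "net", "org", "biz", "info"}
GEOGRAPHIC_TLDS = {"cn", "uk"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def decompose_url(url):
    """Split a URL into protocol, host, parent domain, subdomain, TLD kind, port and path."""
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("no host in %r" % url)
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError("a complete domain name has at least two dot-separated parts")
    tld = labels[-1]
    if tld in GENERIC_TLDS:
        kind = "generic"
    elif tld in GEOGRAPHIC_TLDS:
        kind = "geographic"
    else:
        kind = "other"
    # An explicit port wins; otherwise the protocol implies it (80 for http).
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return {
        "protocol": parts.scheme,
        "host": host,
        "parent_domain": ".".join(labels[-2:]),
        "subdomain": ".".join(labels[:-2]) or None,
        "tld": tld,
        "tld_kind": kind,
        "port": port,
        "path": parts.path or "/",
    }


# Constructed domain -> IP records (RFC 5737 documentation addresses, not real lookups).
CONSTRUCTED_RECORDS = [
    ("www.example.com", "192.0.2.10"),
    ("blog.example.com", "192.0.2.10"),
    ("shop.example.cn", "192.0.2.10"),
    ("mail.example.net", "192.0.2.25"),
]


def group_domains_by_ip(records):
    """One IP address can serve many domain names; show which names share a machine."""
    by_ip = defaultdict(list)
    for domain, ip in records:
        by_ip[ip].append(domain)
    return {ip: sorted(names) for ip, names in by_ip.items()}


if __name__ == "__main__":
    for key, value in decompose_url("http://www.example.com:80/dir/page.html").items():
        print("%-14s %s" % (key + ":", value))
    for ip, names in group_domains_by_ip(CONSTRUCTED_RECORDS).items():
        print(ip, "->", ", ".join(names))
```

Running the block prints the component table for the page's example URL and shows 192.0.2.10 carrying three names, which is the many-domains-on-one-machine case described in point (2).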

2.1.3 Network topology reconnaissance

Route-tracing tools: tracert is the client program on the Windows platform and traceroute on Unix-like platforms. Run the tracert command followed by the target to see the routing path.

2.1.4 Hands-on

1. DNS and IP lookup

I chose baidu.com to practice on.

(1) Go to the Tencent Cloud domain name lookup and query the DNS registrar and contact information

Registrar: MarkMonitor, Inc.
Contact: +1.2083895770

(2) Look up the IP address using the nslookup operation from 2.1.2

(3) Enter the IP address into ZoomEye to query its specific location


The IP geolocation result is Beijing, Xicheng District, Wenjin Street.

2. Getting a friend's address
During a prolonged direct conversation, a point-to-point TCP or UDP connection is established; use the netstat command or the Skynet firewall to get the friend's address.

2.2 Network Scanning

Scan type                           | Purpose                                                                                                              | Analogy
Host scan                           | Identify the active hosts in a network segment                                                                       | Pick the target
Port scan                           | Find the network services open on a host                                                                             | Look for an entrance
OS / network service identification | Identify the type of operating system and network services, to select matching exploit code and penetration tools    | Look for cracking tools
Vulnerability scan                  | Identify the security vulnerabilities present in the host / network services, to use as the channel for breaking in  | Look further for loopholes

2.2.1 nmap scan
nmap is a network scanning tool used to discover the open network connections on networked computers: it determines which services are running on which ports and infers which operating system the computer is running. It has three basic functions: first, detecting whether a group of hosts is online; second, scanning a host's ports and sniffing the network services it provides; third, inferring the operating system the host is using. Nmap can be used on a LAN of only two nodes and scales up to networks of more than 500 nodes. Nmap also lets users customize the scanning technique. Typically a simple ICMP ping operation meets general needs; it can also probe UDP or TCP ports in depth, up to identifying the host's operating system; all probe results can be recorded in logs in various formats for further analysis.

nmap option          | Function                                              | Data sent                   | Response from a live host                         | Response from a down host
nmap -sP             | Combined ICMP / SYN / ACK / UDP ping, nmap's default  |                             |                                                   |
nmap -PE             | ICMP Echo host scan                                   | ICMP Echo Request packet    | ICMP Echo Reply packet                            | No response
nmap -PS[portlist]   | TCP SYN host scan                                     | Packet with the SYN flag    | Packet with SYN/ACK flags or packet with RST flag | No response
nmap -PA[portlist]   | TCP ACK host scan                                     | Packet with the ACK flag    | Packet with the RST flag                          | No response
nmap -PU[portlist]   | UDP host scan                                         | UDP packet                  | ICMP Port Unreachable packet                      | No response
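The table above describes the probes a host scan sends; the defender's counterpart is noticing those probes in firewall logs. The following Python is an added example (not from the post) that parses iptables-style kernel log lines, which are constructed here, and raises an alert when one source sends SYN-only packets to many distinct ports on one host (a port scan) or ICMP echo requests to many hosts (a ping sweep) within a time window. The thresholds, the window length and the sample lines are assumed values; the target's own SYN/ACK reply is included to show that it must not be counted as a probe.

```python
from collections import defaultdict
from datetime import datetime


def parse_line(line):
    """Split a syslog-style iptables line into (timestamp, key=value fields, bare flag tokens)."""
    head, sep, body = line.partition("kernel: ")
    if not sep:
        return None
    try:
        ts = datetime.strptime(head[:15], "%b %d %H:%M:%S")  # syslog timestamps carry no year
    except ValueError:
        return None
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)  # SYN, ACK, RST ... appear as bare tokens
    return ts, fields, flags


def max_distinct_in_window(events, window_seconds):
    """Largest number of distinct values seen within any window of the given length."""
    events = sorted(events)
    counts, best, start = defaultdict(int), 0, 0
    for ts, value in events:
        counts[value] += 1
        while (ts - events[start][0]).total_seconds() > window_seconds:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_scans(lines, port_threshold=10, host_threshold=5, window_seconds=60):
    """Flag SYN port scans (many ports on one host) and ping sweeps (many hosts) per source."""
    syn_probes = defaultdict(list)   # (src, dst) -> [(ts, destination port)]
    echo_probes = defaultdict(list)  # src -> [(ts, destination host)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f, flags = parsed
        proto = f.get("PROTO")
        # A probe is SYN without ACK; the target's SYN/ACK reply must not count.
        if proto == "TCP" and "SYN" in flags and "ACK" not in flags and "DPT" in f:
            syn_probes[(f["SRC"], f["DST"])].append((ts, int(f["DPT"])))
        elif proto == "ICMP" and f.get("TYPE") == "8":  # ICMP echo request
            echo_probes[f["SRC"]].append((ts, f["DST"]))
    alerts = []
    for (src, dst), events in syn_probes.items():
        n = max_distinct_in_window(events, window_seconds)
        if n >= port_threshold:
            alerts.append({"type": "port_scan", "src": src, "dst": dst, "count": n})
    for src, events in echo_probes.items():
        n = max_distinct_in_window(events, window_seconds)
        if n >= host_threshold:
            alerts.append({"type": "ping_sweep", "src": src, "dst": None, "count": n})
    return alerts


def constructed_sample_lines():
    """Constructed log lines, not a real capture: a 12-port SYN scan, a 6-host ping sweep,
    the target's SYN/ACK reply, and a benign client repeatedly opening port 80."""
    fmt = "Mar  3 10:{m:02d}:{s:02d} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO={proto} {rest}"
    lines = []
    for i, port in enumerate(range(21, 33)):
        lines.append(fmt.format(m=1, s=i, src="192.168.6.5", dst="192.168.6.9", proto="TCP",
                                rest=f"SPT=4{i:04d} DPT={port} WINDOW=1024 SYN URGP=0"))
    lines.append(fmt.format(m=1, s=0, src="192.168.6.9", dst="192.168.6.5", proto="TCP",
                            rest="SPT=22 DPT=40000 WINDOW=29200 SYN ACK URGP=0"))
    for i in range(1, 7):
        lines.append(fmt.format(m=0, s=30 + i, src="192.168.6.5", dst=f"192.168.6.{i}", proto="ICMP",
                                rest="TYPE=8 CODE=0 ID=1234"))
    for i in range(5):
        lines.append(fmt.format(m=2, s=i, src="192.168.6.7", dst="192.168.6.9", proto="TCP",
                                rest=f"SPT=5{i:04d} DPT=80 WINDOW=64240 SYN URGP=0"))
    return lines


if __name__ == "__main__":
    for alert in detect_scans(constructed_sample_lines()):
        print(alert)
```

The sliding window matters: counting distinct ports over a whole day would flag any busy client, while counting within a short window separates a burst of probes from normal traffic. The benign client in the sample hits one port repeatedly and is never flagged.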

Check whether the target machine is up: nmap -sP 192.168.6.0/24

View the target machine's open TCP ports: nmap -sT 192.168.6.5

View the target machine's open UDP ports: nmap -sU 192.168.6.5

Identify the target machine's operating system: nmap -O 192.168.6.5

Probe the target machine's network services: nmap -sV 192.168.6.5
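nmap can save the results of the commands above in its grepable output format (-oG), which is line-oriented and easy to post-process. As an added example (not from the post), the following Python parses a constructed -oG excerpt covering a host-scan result and a port/OS-scan result, and reports each host's status, open ports, guessed OS, and which open ports fall on an assumed watchlist of services worth reviewing. The sample text, the host addresses and the watchlist are constructed for the example.

```python
import re

# Constructed excerpt in nmap's grepable (-oG) format, not a real scan result.
# Fields on a "Host:" line are tab-separated; each port entry is
# port/state/proto/owner/service/rpc-info/version/.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.6.1 ()\tStatus: Up\n"
    "Host: 192.168.6.5 ()\tStatus: Up\n"
    "Host: 192.168.6.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, "
    "445/open/tcp//microsoft-ds//Samba smbd 3.X - 4.X/, "
    "80/closed/tcp//http///, 53/open|filtered/udp//domain///"
    "\tIgnored State: filtered (996)\tOS: Linux 3.2 - 4.9\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_nmap_grepable(text):
    """Parse -oG text into {ip: {"hostname", "status", "ports": [...], "os"}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(
            ip, {"hostname": hostname or None, "status": None, "ports": [], "os": None})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.strip().split("/")
                    if len(parts) < 7:
                        continue  # malformed entry, skip rather than crash
                    entry["ports"].append({
                        "port": int(parts[0]), "state": parts[1], "proto": parts[2],
                        "service": parts[4] or None, "version": parts[6] or None,
                    })
            elif key == "OS":
                entry["os"] = value
    return hosts


def open_ports(hosts, ip):
    """Only ports nmap reports as definitely open; 'open|filtered' UDP guesses are excluded."""
    return [p for p in hosts.get(ip, {"ports": []})["ports"] if p["state"] == "open"]


# Assumed watchlist: services a reviewer wants called out when exposed.
WATCHLIST = {22: "ssh", 445: "smb", 3389: "rdp"}


def exposure_summary(hosts, watchlist=WATCHLIST):
    """List (ip, port, label, version) for open ports on the watchlist."""
    findings = []
    for ip in sorted(hosts):
        for p in open_ports(hosts, ip):
            if p["port"] in watchlist:
                findings.append((ip, p["port"], watchlist[p["port"]], p["version"]))
    return findings


if __name__ == "__main__":
    hosts = parse_nmap_grepable(SAMPLE_GREPABLE)
    for ip, entry in sorted(hosts.items()):
        print(ip, entry["status"], entry["os"], [p["port"] for p in open_ports(hosts, ip)])
    for finding in exposure_summary(hosts):
        print("watchlist hit:", finding)
```

The parser keeps the service version string because that is what a vulnerability scanner such as the one used in the next section matches against; a port number alone says little about risk.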

2.2.2 Nessus scan

Using the Nessus tool on the Windows attacker machine, enter https://localhost:8834 in the browser

Click Policies - Add to add a scan policy, then go back to the site, click Scans - Add to add a scan, and start scanning

Then a waiting period of up to seven minutes, and finally the scan finished

The scan report shows 24 open ports on the target machine

Four high-risk vulnerabilities were found, on port 22 and port 445

2.2.3 Search for your own footprints on the Internet via search engines, and confirm whether you have a privacy or information disclosure problem

Because there are too many people with the same name, it is hard to get my private information directly through a search engine unless a student number or other constraint is added. The many namesakes online make me "invisible", ha ha ha

3. Problems encountered in the study and their solutions

  • Problem: during the nmap scan the target machine was always shown as down, and it could not be pinged either
  • Solution: checked the target machine's IP and found that its original IP setting had changed; with the new IP, ping and the subsequent operations worked

4. Practice summary

Through this chapter's hands-on work on network attacks I experienced how some attack tools operate, which lays the groundwork for later learning. Continuously discovering and solving problems during the process gradually builds up my ability and has also broadened my networking knowledge. The principles behind some tools are still somewhat vague; I will gradually understand and master them in later study.

Reference material


Origin www.cnblogs.com/yumiao9111/p/12505367.html