20199319 2019-2020-2 "Network Attack and Defense Practice" Week 3 assignment

This assignment belongs to the course https://edu.cnblogs.com/campus/besti/19attackdefense
The assignment requirement is at https://edu.cnblogs.com/campus/besti/19attackdefense/homework/10471
My goal in this course: learn and master the knowledge of network attack and defense, and complete the related practice
Aspects in which this assignment helped me reach that goal: gained a preliminary understanding of the basics of network attack and defense technology and used some of the tools

1. Knowledge summary

1. Content of network information gathering

  • For the attacker: starting from the target's domain name, gather specific information on the target for the attack.
  • For the defender: trace the intruder's identity, network location, attack target and the attack methods used.

2. Methods of gathering network information: network footprinting, network scanning, network enumeration

3. Network footprinting: the attacker plans step by step and gathers information about the target, learning its network environment and information security posture, in order to obtain a complete profile of the target. When little is known about the target, social engineering can be used directly. The technical means are as follows:

  • Web search and mining: use Web search to dig out information the target has published or accidentally leaked. World Wide Web, Google search engine (Google Hacking).
    • Web site mirroring tools: wget, Teleport Pro, Offline Explorer
    • Meta search engine: integrates multiple single search engines into one aggregated search engine.
  • IP and DNS queries: use public Internet information services to find the mapping between the target organization's domain names, IP addresses and geographic location, together with registration details; the DNS service can also be used to learn about hosts inside the organization.
    • WHOIS lookup of domain registration information: whois baidu.com
    • WHOIS query tools: SamSpade, SuperScan
    • Authoritative answer: mapping information given by the authoritative DNS server.
    • On the client, the nslookup or dig program can query the mapping of a specific domain name to IP addresses.
    • After starting nslookup, run "ls -d DOMAIN_NAME"; if the DNS server is misconfigured (zone transfers allowed), a large number of internal hostname-to-IP mappings can be obtained from the zone transfer.
  • Network topology reconnaissance: after finding potential target networks, the investigator tries to determine the network topology and the access paths that may exist into the network.
    • Traceroute tools: traceroute, tracert
    • Command: tracert + URL
    • Principle: UDP packets are sent to the target host with the TTL starting at 1 and incremented for each probe; every routing device on the path decrements the TTL by 1 when forwarding, and once it reaches 0 the packet is dropped and the router returns an ICMP Time Exceeded message. The destination port is usually set to an unlikely value, so the target host itself replies with an ICMP Destination Unreachable message indicating that the port is unreachable. By listening for all of these ICMP packets, traceroute obtains the IP address of every router on the path from the source to the target host.
    • Defense: deploy an intrusion detection system or intrusion prevention system.

4. Network scanning: probe the target network, find as many connected targets as possible, then probe further for their types, existing security vulnerabilities and other information, providing support for choosing the right targets and channels for further attacks. The types are as follows:

  • Host scan: find the active hosts in a network segment.
    • ping sweep (ping + IP address): uses ICMP Echo Request packets.
    • TCP-based: TCP ACK Ping, for segments protected by packet filtering; SYN Ping, using the TCP three-way handshake.
    • UDP Ping: a closed destination port must be chosen; relies on ICMP packets.
    • Tools: nmap, fping, hping; SuperScan, PingSweep
    • Defense: 360 Safeguard, Rising Personal Firewall
  • Port scan: find the network services open on a host. Port 80, HTTP; port 443, HTTPS; port 53, DNS. Two kinds of probing are needed: TCP port scan and UDP port scan.
  • Others:
    • FIN scan: sends a FIN packet to the target port; an open port drops the packet, a closed port returns RST.
    • ACK scan: probes ports on internal hosts; can pass through firewalls.
    • NULL scan: all flags set to 0.
    • Xmas scan: FIN / URG / PUSH set to 1.
    • TCP window scan: whether the port is open is determined from the TCP window size in the returned RST packet.
  • System type probe: identify the host operating system type and the types of open network services, in order to choose different configurations of attack code and carry out penetration attacks.
    • Active OS detection: nmap -O; active network service probing: nmap -sV
    • Stack fingerprinting: analyze fingerprint information in packets to determine which operating system the target host is running.
  • Vulnerability scan: identify security vulnerabilities in hosts / network services as the channel for a break-in.
    • Nessus: detects security vulnerabilities that allow a remote attacker to gain access to a system or steal information, misconfigurations, weak and default passwords, and denial-of-service vulnerabilities in the TCP/IP protocol stack.

5. Network enumeration: more targeted exploration of the identified services for known weaknesses, to find the key data that really allow an attack entry point, and the attack process that may be required.

  • Network service banner grabbing: limited to network services using plaintext transport protocols
    • telnet + host + port number; netcat: nc -v + host + port number
  • Network service enumeration
    • FTP: cleartext, allows anonymous login, port 21
    • RPC: installed and open by default, ports 111/32771; rpcinfo -p + address; nmap -sS -sR + address
    • SMTP: two special commands of the mail protocol: VRFY, which verifies whether a user name is legitimate; EXPN, which shows the actual delivery addresses of aliases and mailing lists.
    • Windows platform network service enumeration:
      (1) net view /domain: list the domains and workgroups on a Windows network
      net view /domain:DOMAIN_NAME: list the computers in the specified domain
      (2) nltest /dclist:DOMAIN_NAME: list the domain controllers of the domain
      (3) nbtstat -A + address: view the host's NetBIOS name table

2. Practice

Task 1

Choose one DNS domain name from google.com, g.cn, baidu.com, sina.com.cn and query it to obtain the following information:

  • DNS registrant and contact information
  • The IP address corresponding to the domain name
  • Registrant and contact information of the IP address
  • Country, city and specific location of the IP address host

Querying baidu.com at InterNIC shows the DNS registrant and other related information.

Query the IP addresses corresponding to the domain name on Windows and Linux -> [nslookup baidu.com]

Query the IP address registrant and contact information, and the country, city and specific location of the IP address, in Kali -> [whois baidu.com] (as root user).
Since two addresses were found, 220.181.38.148 and 39.156.69.79, both addresses were queried.



Task 2

Try to obtain the IP address of a friend on BBS, forums, QQ or MSN, and query that address to find your friend's specific location.
Open Wireshark, select the local network card, and start capturing. Use the computer to call a QQ friend; after the call ends, stop the capture, enter the filter [oicq], and view the results to obtain the friend's IP address, then look up the location of that IP address. The captured packets also show my own QQ number.

Task 3: nmap

Use the open-source software nmap to scan the target machine in the environment, answer the following questions and give the commands used.

  • Is the target's IP address active?
  • Which TCP and UDP ports are open on the target?
  • Which operating system, and which version, is installed on the target?
  • Which services are installed on the target?

nmap host-discovery options:

  Option   | Function description                                      | Data sent                | Host up                                          | Host down
  nmap -sP | Combination of ICMP / SYN / ACK / UDP Ping, nmap default  |                          |                                                  |
  nmap -PE | ICMP Echo host scan                                       | ICMP Echo Request packet | ICMP Echo Reply packet                           | No response
  nmap -PS | TCP SYN host scan                                         | Packet with SYN flag     | Packet with SYN/ACK flag or packet with RST flag | No response
  nmap -PA | TCP ACK host scan                                         | Packet with ACK flag     | Packet with RST flag                             | No response
  nmap -PU | UDP host scan                                             | UDP packet               | ICMP Port Unreachable packet                     | No response

nmap port-scan options:

  Option   | Function description
  nmap -sT | TCP connect() scan
  nmap -sS | TCP SYN scan
  nmap -sF | FIN port scan
  nmap -sN | NULL port scan
  nmap -sA | ACK port scan
  nmap -sX | Xmas tree port scan
  nmap -sU | UDP port scan
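As an added example (not part of the original post), the following Python script decodes the TCP flag combinations that the SYN, ACK, FIN, NULL and Xmas scans above rely on, predicts the open-port and closed-port replies per RFC 793, and runs that classifier over constructed log lines to flag a source probing many ports on 192.168.200.2; the log line format and the source addresses 192.168.200.3/.4 are assumptions.

```python
# Added example (not the post's own code): classify TCP probes by the scan
# types listed above (SYN, ACK, FIN, NULL, Xmas) from their flag bits, predict
# the reply an open vs. a closed port gives per RFC 793, and run the classifier
# over constructed log lines to spot a port scan against 192.168.200.2.
from collections import defaultdict

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# flag set -> (scan name, reply from an open port, reply from a closed port)
SCAN_TYPES = {
    frozenset(["SYN"]): ("SYN scan (nmap -sS)", "SYN/ACK", "RST"),
    frozenset(["ACK"]): ("ACK scan (nmap -sA)", "RST", "RST"),
    frozenset(["FIN"]): ("FIN scan (nmap -sF)", "no response", "RST"),
    frozenset(): ("NULL scan (nmap -sN)", "no response", "RST"),
    frozenset(["FIN", "PSH", "URG"]): ("Xmas scan (nmap -sX)", "no response", "RST"),
}

def flag_set(flags):
    """Decode a TCP flags byte into the set of flag names that are set."""
    return frozenset(name for name, bit in FLAG_BITS.items() if flags & bit)

def classify_probe(flags):
    """Return (scan name, open-port reply, closed-port reply) for a probe's flags,
    or None when the combination is ordinary traffic (e.g. a PSH/ACK data segment)."""
    return SCAN_TYPES.get(flag_set(flags))

def detect_scans(log_lines, port_threshold=5):
    """Group probes by (source, destination, scan type); a source that sends the same
    probe to at least port_threshold distinct ports is reported as scanning.
    Line format (assumed, not a real capture format): '<src> <dst> <dport> <flags-hex>'."""
    seen = defaultdict(set)
    for line in log_lines:
        src, dst, dport, flags = line.split()
        kind = classify_probe(int(flags, 16))
        if kind is not None:
            seen[(src, dst, kind[0])].add(int(dport))
    return {key: len(ports) for key, ports in seen.items() if len(ports) >= port_threshold}

# Constructed sample: 192.168.200.3 Xmas-scans six ports on 192.168.200.2 (FIN|PSH|URG = 0x29),
# while 192.168.200.4 just makes an ordinary connection and sends data.
SAMPLE_LOG = [f"192.168.200.3 192.168.200.2 {p} 0x29" for p in (21, 22, 23, 25, 80, 111)] + [
    "192.168.200.4 192.168.200.2 80 0x02",  # a single SYN: normal connection attempt
    "192.168.200.4 192.168.200.2 80 0x18",  # PSH/ACK data segment, not a probe
]

if __name__ == "__main__":
    for (src, dst, scan), count in detect_scans(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {scan} against {count} ports")
```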

In Kali, run [nmap -sP 192.168.200.2]; the result shows "Host is up", indicating that the target is active. You can also use ping 192.168.200.2 to check.

Use [nmap -sS 192.168.200.2] (TCP SYN scan) to view the open TCP ports.

Use [nmap -sU 192.168.200.2] (UDP port scan) to view the open UDP ports.

Use [nmap -O -sV 192.168.200.2] to scan for the operating system type and network services; it found that the system has FTP, RPC and other services open, as well as the possible operating system and versions.

Task 4: Nessus

Use the open-source software Nessus to scan the target machine in the environment, answer the following questions and give the commands used.

  • Which ports are open on the target?
  • What security vulnerabilities exist in the network services on the target's various ports?
  • How do you think the target environment could be compromised in order to obtain system access?

Use Nessus in the WinXPAttacker virtual machine (Start - All Programs - scan tools); when the browser warns that the connection is unsafe, add an exception. Username: administrator, password: mima1234.

First add a scan policy: Policies -> Add, leaving the options at their defaults.

Then add a scan: Scans -> Add, and start scanning.

The scan results are as follows:

Task 5

Search for your own footprint online via search engines and confirm whether your own privacy and information have leaked.
Searching my name in the browser finds the blog of 20199319 Fan Xiaonan published on the cnblogs blog garden, as shown below:

Continuing, I also found my high school's official website, as shown below:

The link opens that year's list of college entrance examination results, in which my college admission can be found, as shown below:

To sum up: when using the network, we need to protect personal information, for example by setting a nickname on the network and avoiding real personal information.

3. Problems encountered in the study and their solutions

  • 1. When running nslookup and whois in Kali, the request timed out.
    It still did not work after trying as root; a restart fixed it, restarting is the universal solution.
  • 2. The offline download kept stalling, and none of my attempts to install Nessus in Kali succeeded.
    The reason is perhaps the network speed, because the download took too much time; in the end I chose the Nessus that comes with WinXP to complete this practice and will try again later.
  • 3. Of the environment built last week, the other virtual machines were fine, but the win2kserver virtual machine could not ping, which was frustrating!
    I checked that the IP address and local connection configuration were correct; with no other option I reinstalled it. I do not know whether there is any other good solution for this case...

4. Summary

Sensitive or private information should not be released arbitrarily, and when private information has to be provided, choose a trusted site. Pay attention to computer security software, check the system's security often, and patch vulnerabilities in time. Strengthen the security configuration of network services, avoid default or weak passwords, and turn off unnecessary network services.


Source: www.cnblogs.com/fanxiaonan/p/12506087.html