20199123 2019-2020-2 "Network Attack and Defense Practice" Week 3 Homework

0 Overall structure

Course this work belongs to: "Network Attack and Defense Practice"
Where the requirements are: "Network Attack and Defense Practice", week 3 homework
My goal in this course: to learn network attack and defense techniques
How this homework helps me reach that goal: complete the first phase of an attack, information gathering against the target machine (the "drone")
Text of the homework: the text below
Other references: see the end of the text

1. Practice content

This chapter covers information gathering. The attacker gathers network information about the drone before attacking it, and the defender gathers information in order to resist the attacker. There are many methods of network information gathering; this chapter describes in detail three commonly used categories of techniques: network footprinting, network scanning, and network enumeration.

1.1 Network Footprinting

1.1.1 Network Footprinting Overview

Network footprinting refers to the attacker's planned, step-by-step collection of information about a target organization or individual, in order to understand the target's network environment and information security posture and build a complete profile of the target. By carefully analysing this profile, the attacker can identify the weak points the target may have, which guides further attacks.

  • Network footprinting techniques

    The most popular and common techniques include the following:

    (1) Web information search and mining: leveraging the power of Web search to mine the large amount of public or accidentally leaked information about the target organization and its people, which may yield information of critical importance for further attacks;

    (2) DNS and IP queries: through some open Internet information services, the mapping between the target organization's domain names, IP addresses and geographic location can be found, together with registration details, and the DNS service can be used to obtain information about the organization's internal systems;

    (3) Network topology reconnaissance: after identifying a potential target network, the attacker tries to determine the network's topology and the access paths that may exist into it through network topology reconnaissance.

1.1.2 Web Information Search and Mining

Web information search and mining based on search engines is the most popular network information-gathering technique, and it has been given a special name: "Google Hacking".

  • Basic Search and Mining Skills

  • Advanced Search and Mining Skills

    1. Google advanced search

    2. Example 1: find as many domain name servers as possible for Peking University's pku.edu.cn site

    3. Example 2: try to find out student ID numbers

  • Programming Google Search

  • Meta Search Engine

  • Web Information Search and Mining precautions

1.1.3 DNS and IP infrastructure management

DNS and IP are the two sets of infrastructure that the Internet relies on to operate. They play the role that addresses and phone numbers play in the real world, and are the key information organizations and individuals need in order to contact each other on the network. For this reason DNS and IP information usually has to be published openly on the Internet and maintained in public databases that anyone can query.

  • DNS and IP infrastructure management

    DNS and IP infrastructure is managed by a hierarchy of responsible bodies. As shown below, at the top of this hierarchy is the Internet Corporation for Assigned Names and Numbers (ICANN), a coordinating body with broad representation from the Internet business, technical, academic and user communities. ICANN coordinates the assignment of the Internet's basic identifiers, including DNS domain names, IP addresses, and network protocol parameters and port numbers, and is also responsible for the stable operation of the DNS root server system. Guaranteeing the global uniqueness of these identifiers and maintaining the mappings among them is a key premise for the normal operation of the Internet.

  • WHOIS lookup of DNS registration information

    Using the WHOIS service maintained by ICANN (query at http://www.internic.net/whois.html), the lookup result for baidu.com is as follows:

  • DNS service: mapping from domain name to IP

    Use the nslookup tool built into Windows to query the IP address mapping of baidu.com.

    PS: nslookup reported "DNS request timed out" during this operation; for the solution to this problem see section 3, Problems encountered in the study and solutions.


  • IP WHOIS query

    The address given in the book (http://ws.arin.net/whois/) can no longer be reached, so https://search.arin.net/rdap/ was used instead; querying 162.105.1.1 shows that the IP segment belongs to APNIC's jurisdiction.

  • From the DNS and IP to real-world location

  • DNS and IP query security precautions

1.1.4 Network Topology reconnaissance

After the attacker has established the target organization's position on the network through Web information search and mining and DNS and IP queries, the next footprinting goal is to learn the topology of the target network as fully as possible. The attacker's main technical means of network topology reconnaissance is route tracing. The route-tracing tool is the tracert program on the Windows platform and traceroute on UNIX-like operating systems.

The following is a screenshot of tracert, the route-tracing tool built into Windows:

1.2 Network Scanning

The basic purpose of network scanning is to probe the target network to find as many connected targets as possible, and then to probe further for their types, existing security vulnerabilities and other information, which supports choosing the right targets and attack channels for further attacks. Network scanning techniques include host scanning, port scanning, operating system and network service identification, and vulnerability scanning.

  • Host scanning: also called ping scanning, it is the basic step in probing the target network topology.

    • Host scanning using the ICMP protocol: the ping program uses ICMP Echo Request packets to probe whether a host is alive and reachable;

    • Host scanning using the TCP protocol: includes TCP ACK ping scans and TCP SYN ping scans;

    • Host scanning using the UDP protocol: a UDP host scan must target a closed destination port in order to detect liveness, because when a packet with randomly generated content is sent to an open UDP port, many UDP network services will not send any reply at all.

    • Host scanning tools: on UNIX-like platforms there are nmap, fping, hping and others; the most powerful and popular network scanner is nmap, which covers host scanning, port scanning, operating system and network service type probing, and more.

    • Host scanning precautions

  • Port scanning: after host scanning has determined which hosts are active, port scanning is the technique for probing which TCP/UDP ports on the active hosts are open (that is, have a network service in the listening state).

    • TCP Connect scan: its advantage is simplicity, and it does not require privileged user rights on the scanning host; its drawback is that the target host records a large number of connection error messages, so it is easily noticed by the system administrator, and attackers generally do not use it;

    • TCP SYN scan: an improvement on the Connect scan, a "half-open connection" scan, which requires privileged user rights;

    • UDP port scan: the technique for discovering open UDP ports and the network services listening on them.

    • The commonly used port scanning tool is nmap; the figure shows the network scanner nmap performing a port scan.

  • System type probing
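As a defender-side illustration of the point made about Connect scans above, the following added example (not code from the original post) parses constructed iptables-style log lines and flags a source that touches many distinct ports on one host within a short window; the log format, threshold and addresses are assumptions.

```python
"""Flag a port scan in firewall-style logs (added example, not from the post).
A TCP connect scan completes one connection per probed port, so the target logs
one record per port; many distinct ports from one source in a short window is
the signature a defender looks for."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed iptables-like log lines, not captured from the lab environment.
# 10.0.0.9 probes 12 ports within 12 seconds; 10.0.0.5 is ordinary web traffic.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 139, 143, 443, 445]
SAMPLE_LOG = "\n".join(
    f"2020-03-17T10:00:{i:02d} DROP src=10.0.0.9 dst=192.168.200.125 proto=TCP dpt={p}"
    for i, p in enumerate(SCAN_PORTS)
) + "\n" + "\n".join(
    f"2020-03-17T10:0{i}:00 ACCEPT src=10.0.0.5 dst=192.168.200.125 proto=TCP dpt=80"
    for i in range(5)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dpt=(?P<dpt>\d+)$")

def parse_line(line):
    # Returns (timestamp, src, dst, dport), or None for a line in another format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])

def detect_scans(log_text, window_seconds=60, min_ports=10):
    """Return {(src, dst): most distinct ports seen in one window} for every
    pair whose distinct destination ports within window_seconds reach min_ports."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport = rec
            events[(src, dst)].append((ts, dport))
    hits = {}
    window = timedelta(seconds=window_seconds)
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window start forward
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[key] = max(hits.get(key, 0), len(ports))
    return hits
```

A SYN scan never completes the handshake, so it does not leave these connection records; it shows up instead in packet-level logs or IDS alerts, which is why the text above calls the Connect scan the easiest one to detect.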

1.3 Network enumeration

The key difference between network enumeration and network scanning lies in the pertinence and focus of the information the attacker collects: network scanning searches a wide range of the network for target hosts or services that are available for attack, whereas network enumeration, having already chosen a target, collects the specific information needed to launch the actual attack.

2. Practice

2.1 Hands-on: DNS and IP queries

  • Task 1: query the DNS registrant and contact information of a domain name, the corresponding IP address, the registrant and contact information of that IP address, and the country, city and specific location where the IP address is located.

1. Enter the URL https://www.internic.net/whois.html and query the registrant of baidu.com

2. Enter the URL https://domains.markmonitor.com/whois/ and look up the registrant's contact information

3. Use nslookup to see the IP address corresponding to baidu.com

4. Use Webmaster Tools (站长工具) to query the country and city where baidu.com is located

  • Task 2: try to obtain the IP address of a friend on a BBS, forum, QQ or MSN, and query the friend's specific geographic location

    1. Open the local machine's Task Manager -> Resource Monitor -> Network

    2. Open WeChat and send a message to a friend; the friend's IP address then appears under Network

    3. Look up the location of that IP


2.2 Hands-on: nmap

  • Task: use the open-source tool nmap to scan the drone in the lab environment, answer the following questions and give the commands used: (1) Is the drone's IP address active? (2) Which TCP and UDP ports does the drone have open? (3) Which operating system, and which version, is installed on the drone? (4) Which network services are installed on the drone?

    (1) Use nmap -sP 192.168.200.0/25 to scan the segment for the list of active hosts

    (2) Use nmap -sS 192.168.200.125 to scan the drone's open TCP ports

    (3) Use nmap -sU 192.168.200.124 to scan the drone's open UDP ports

    (4) Use nmap -O 192.168.200.125 to scan the operating system installed on the drone: Linux 2.6.X

    (5) Use nmap -sV 192.168.200.125 to view the network services installed on the drone
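To turn the scans above into the four answers, the following added example (not code from the original post or from the nmap project) parses nmap's grepable output, which is produced by adding -oG <file> to the commands; the sample output is constructed, and its ports, versions and OS guess are assumptions rather than the drone's real results.

```python
"""Turn nmap grepable (-oG) output into the answers for the four task questions.
Added example; not code from the original post or from the nmap project."""
import re

# Constructed -oG output: the ports, versions and OS guess are made up and
# say nothing about the real drone in the lab. Fields are tab-separated.
SAMPLE_OG = "\n".join([
    "# Nmap 7.80 scan initiated (constructed sample)",
    "Host: 192.168.200.125 ()\tStatus: Up",
    "\t".join([
        "Host: 192.168.200.125 ()",
        "Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, "
        "53/open/udp//domain//ISC BIND 9.4.2/, 139/filtered/tcp//netbios-ssn///",
        "Ignored State: closed (996)",
        "OS: Linux 2.6.9 - 2.6.33",
    ]),
])

# One port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Return {ip: {"up": bool, "ports": [(port, state, proto, service, version)], "os": str|None}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        host = hosts.setdefault(ip, {"up": False, "ports": [], "os": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":          # question 1: is the host active?
                host["up"] = value == "Up"
            elif key == "Ports":         # questions 2 and 4: ports and services
                host["up"] = True        # a port list is only printed for live hosts
                for port, state, proto, service, version in PORT_RE.findall(value):
                    host["ports"].append((int(port), state, proto, service, version.strip()))
            elif key == "OS":            # question 3: operating system guess from -O
                host["os"] = value
    return hosts

def open_ports(host, proto):
    """Sorted open port numbers for proto 'tcp' or 'udp'."""
    return sorted(p for p, state, pr, _, _ in host["ports"] if pr == proto and state == "open")

def services(host):
    """{port: (service, version)} for the open ports."""
    return {p: (svc, ver) for p, state, _, svc, ver in host["ports"] if state == "open"}
```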

2.3 Hands-on: Nessus

  • Task: use the open-source tool Nessus to scan the drone in the lab environment and report the network services and security vulnerabilities present on the drone.

    1. Open the Nessus that comes with WinXPAttacker from its program list and go to https://localhost:8834

    2. Click Policies -> Add to add a policy

    3. Click Scans -> Add to add a scan of the drone

    4. Wait about 10 minutes for the scan to finish

    5. View the scan report; it shows that the Linux drone has 24 open ports

3. Problems encountered in the study and solutions

1. When using the local machine's nslookup (native Windows) to query baidu.com, a "DNS request timed out" error occurred. After searching online I found that this means the DNS server the machine is connected to failed to resolve the name, i.e. the DNS server the machine was using was not working, so I gave the machine a different DNS address (following a blog on modifying the DNS address) and then used nslookup to query the IP information of baidu.com.

2. Installing Nessus in various ways kept going wrong. I really went to great lengths... I can't believe that installing the native Windows version of Nessus on my own machine failed (the network speed was not up to it...); installing it inside the Kali virtual machine also failed because of the speed... (I followed those online blogs, the offline plugin download and so on, and tried all sorts of methods...); then I tried the lab's remote computer, but the lab VM turned out to have a bug and got stuck rebooting over and over...; then I tried my antique desktop at home, whose configuration turned out to be higher than my laptop's (???? no wonder my father kept fussing over this "baby"; it turns out it is the better machine), so in order to do this practice I installed the environment on the desktop at home... and used the Nessus that comes with WinXPAttacker to finish it... Practice is really hard... either the network speed was not up to it or the hardware was not... but in the end this experiment was completed.

4. Practice summary

Network attack and defense experiments depend on hardware, network and other favourable factors... this experiment was really frustrating; I tried many methods of installing Nessus and finally completed the study with the Nessus that comes with WinXPAttacker, but all the tossing about also taught me a lot. Attack and defense really needs all kinds of knowledge, and patience...

Reference material

Origin: www.cnblogs.com/Jody9123/p/12513689.html