Network Scanning Techniques. Liu Peng, Software Institute, School of Information Science and Technology, Peking University, Network and Information Security Laboratory. Contents: TCP/IP basics; network information gathering (target probing); network scanning; enumeration (obtaining valid account or resource names from a system); network sniffing (capturing packets on the network). Security layers: application security, system security, network security, security protocols, secure cryptographic algorithms. TCP/IP basics: network architecture; packet formats of the important protocols (IP, ICMP, TCP, UDP); TCP connections; some upper-layer protocols. Network architecture: OSI reference model; TCP/IP model; TCP/IP protocol stack; packet structure at each layer of the stack. (PowerPoint presentation)
TCP/IP basics
Packet formats of IP, ICMP, TCP and UDP; TCP connections
OSI reference model and TCP/IP model
TCP/IP protocol stack
IP
IP44515655350DFMF8
IP header: TTL 0-255; protocol field 1 = ICMP, 4 = IP (encapsulation), 6 = TCP, 17 = UDP; source and destination IP addresses, 4 bytes each
Private IP address ranges: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255
Address classes: A 1.0.0.0 - 127.255.255.255; B 128.0.0.0 - 191.255.255.255; C 192.0.0.0 - 223.255.255.255; D 224.0.0.0 - 239.255.255.255; E 240.0.0.0 - 247.255.255.255
IP0IP
0IP
321IP
127.xx.yy.zz(loopback)
ICMPInternet Control Message ProtocolIPICMPIPICMP
ICMPICMPIPIP1ICMPICMP
ICMP message types:
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
ICMPICMP31112ICMP45ICMP/0813141718
ICMP Echo0Echo Reply8Echo0ID1
ICMP Time Exceeded1101IPIP+IP8
ICMP Destination Unreachable301 23IPIP+IP8
TCP
TCPIPTCPTCP4206URGURG1ACK10TCPPSHPUSH
TCPRSTSYNSYN1ACK=0SYN=1ACK=1FINMSS(Maximum Segment Size)
UDP
TCP
TCPTCP/IPSYNFINTCPRST RSTRST RSTRST ACKRST SYN SYNSYN|ACK FIN
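The header formats and checksums described in this section, worked through as an added example (not code from the original slides): it constructs an IPv4/TCP SYN and an IPv4/ICMP Echo Request in memory, then parses the version/IHL, DF/MF bits, TTL, protocol field, TCP flags and ICMP identifier/sequence back out and verifies the RFC 1071 checksums. The addresses and port numbers are constructed sample values; nothing is sent on the network.

```python
"""Added example: parse IPv4 / ICMP / TCP / UDP headers from raw bytes and
verify their checksums. Sample packets are constructed inline; nothing is
sent or captured."""
import struct
from socket import inet_aton, inet_ntoa

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5
TCP_SYN, TCP_ACK, TCP_FIN = 0x02, 0x10, 0x01


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a buffer whose checksum is correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234, df=True):
    """20-byte IPv4 header without options, checksum filled in at offset 10."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000 if df else 0, ttl, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_tcp(src, dst, sport, dport, seq, flags, ack=0, win=8192, payload=b""):
    """20-byte TCP header; the checksum covers pseudo-header, header and data."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)
    pseudo = inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, PROTO_TCP, len(hdr) + len(payload))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + payload)) + hdr[18:] + payload


def build_icmp_echo(ident, seq, payload=b"", reply=False):
    """ICMP Echo Request (type 8) or Echo Reply (type 0) carrying id and sequence."""
    hdr = struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", checksum(hdr + payload)) + hdr[4:] + payload


def parse_ipv4(buf):
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0xF) * 4                      # header length is in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"ihl": ihl, "tos": tos, "total_length": total, "id": ident,
            "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000), "frag_offset": (ff & 0x1FFF) * 8,
            "ttl": ttl, "proto": proto, "src": inet_ntoa(src), "dst": inet_ntoa(dst),
            "checksum_ok": checksum(buf[:ihl]) == 0}


def parse_tcp(seg):
    sport, dport, seq, ack, off_flags, win, _, urg = struct.unpack("!HHIIHHHH", seg[:20])
    flags = off_flags & 0x3F                       # low six bits: URG ACK PSH RST SYN FIN
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win, "urg_ptr": urg,
            "data_offset": (off_flags >> 12) * 4,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]}


def parse_icmp(msg):
    typ, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    out = {"type": typ, "code": code, "checksum_ok": checksum(msg) == 0}
    if typ in (0, 8):                              # Echo Reply / Echo Request carry id + seq
        out.update({"id": ident, "seq": seq})
    return out


def parse_packet(buf):
    """Dispatch on the IP protocol field (1 = ICMP, 6 = TCP, 17 = UDP)."""
    ip = parse_ipv4(buf)
    l4 = buf[ip["ihl"]:ip["total_length"]]
    out = {"ip": ip}
    if ip["proto"] == PROTO_TCP:
        out["tcp"] = parse_tcp(l4)
        pseudo = inet_aton(ip["src"]) + inet_aton(ip["dst"]) + struct.pack("!BBH", 0, PROTO_TCP, len(l4))
        out["tcp"]["checksum_ok"] = checksum(pseudo + l4) == 0
    elif ip["proto"] == PROTO_ICMP:
        out["icmp"] = parse_icmp(l4)
    elif ip["proto"] == PROTO_UDP:
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        out["udp"] = {"sport": sport, "dport": dport, "length": length}
    return out


# Constructed samples: the SYN of a telnet connection and an ICMP Echo Request.
SYN_PKT = build_ipv4("192.168.102.155", "192.168.102.245", PROTO_TCP,
                     build_tcp("192.168.102.155", "192.168.102.245", 2300, 23, 0xBE09B2B6, TCP_SYN))
ECHO_PKT = build_ipv4("192.168.102.155", "192.168.102.245", PROTO_ICMP,
                      build_icmp_echo(0x1F2E, 1, b"abcdefgh"), ttl=128)

if __name__ == "__main__":
    for pkt in (SYN_PKT, ECHO_PKT):
        print(parse_packet(pkt))
```

The same parser accepts UDP datagrams and fragments (the MF bit and fragment offset are decoded), so it can be pointed at any raw IPv4 buffer, for instance the records of a capture file.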
Well-known ports:
DNS: 53/tcp,udp
FTP: 20,21/tcp
telnet: 23/tcp
HTTP: 80/tcp
NNTP: 119/tcp
SMTP: 25/tcp
POP3: 110/tcp
Full list: IANA port-numbers.txt
footprint
IPTCPUDPSNMP/
DNSXXXX
Web
HTML
()XX()(googleAltaVista)
whoisWhoisInternetIPClient/ServerClientServerUNIXwhoisWindowsWeb
Sam Spade
whois servers and clients:
http://www.networksolution.com
http://www.arin.net
Unix whois; fwhois by Chris Cappuccio
http://www.ipswitch.com
http://www.samspade.org
com, net, edu, org whois: http://www.ripe.net
IP whois: http://whois.apnic.net
http://whois.nic.mil
http://whois.nic.gov
www.allwhois.com
whoisIP
FROM1998AOL
DNSDNSDNSCPUNslookupnslookupDNSDNSUNIX/LINUXhost
DNS
DNS & nslookupnslookupDNSDNSDNSIPnswwwftpISP
nslookup commands:
server (select the DNS server to query)
set type=XXX (select the record type)
ls [domain name, or IP address] (list the domain)
DNS & nslookup(zone transfer)53TCPDNS53UDPDNSDNSDNSDNSMXWindows 2000DNSADSRVDNS
Ping and Traceroute. Ping: Packet InterNet Groper; sends ICMP Echo and waits for the ICMP Echo Reply. Traceroute: sends UDP packets with increasing TTL and relies on ICMP Time Exceeded replies from each hop; on Windows the command is tracert.
PingICMP EchoEcho Reply
PingPingactivepingtimeoutPing of deathping(>65535)
traceroute sends small UDP packets (38 bytes), starting with TTL 1; each router on the path answers with ICMP Time Exceeded. The destination port (starting at 33434) is chosen so that it is unlikely to be open, so the final host answers with ICMP Destination Unreachable.
traceroutetracerouteTraceroute
NIDS(Network Intrusion Detection System)NIDSSnortrotoroutortraceroute
TCP/IP
1980s: modem dialing of UNIX hosts (war dialers). SATAN: Security Administrator's Tool for Analyzing Networks, released April 1995, HTML interface under X (by Dan Farmer, author of COPS, and Wietse Venema, author of TCP_Wrapper). Nmap, by Fyodor.
ICMP
ICMP Echo Request (type 8) / Echo Reply (type 0). Sending an ICMP Echo Request and receiving the ICMP Echo Reply: Ping. ICMP Sweep (Ping Sweep). ICMP Echo Request to a broadcast address: UNIX/Linux hosts answer. Non-Echo ICMP: types 13/14, 15/16, 17/18.
ICMP IP IPICMP Parameter Problem ErrorHeader Length IP Options
IP IPICMP Destination Unreachable
PMTU: Fragmentation Needed and Don't Fragment Bit was Set
IPIPIPICMP Host UnreachableICMP Time Exceeded IP
ICMPICMP
(Open Scanning)TCP(Half-Open Scanning)TCP(Stealth Scanning)TCP
Scan types:
TCP connect()
Reverse-ident
TCP SYN (half-open)
IP ID header aka dumb scan
TCP FIN (stealth)
TCP XMAS (stealth)
TCP ftp proxy (bounce attack)
IP fragmentation
SYN/FIN
UDP ICMP port unreachable
UDP recvfrom
TCP connect()socketconnect()
Reverse-identIdent(RFC1413)TCPTCPTCP11380identdrootident
TCP SYNSYNRSTSYN|ACKRSTUNIXrootSYN
IP ID header aka dump AntirezBugtraq IPSYNIP
TCP FinFINRSTTCPSYNWindowsRST
TCP XMASTCP UNIX/Linux/BSDTCP/IP Windows
SYNFINTCP
TCP ftp proxyFTP bounce attackPORTftp server"425 Can't build data connection: Connection refused." Ftp(,)ftp server
UDP ICMPUDPUDPACKUDPUDPICMP Port UnreachUDPICMProotICMP Port UnreachSolarisrpcbind(UDP)32770
UDP recvfrom() & write()rootICMP Port UnreachLinuxUDPwrite()ICMPUDPrecvfrom()EAGAIN()ECONNREFUSED()
SYNFINUnixlinux/etc/inetd.confWindowsServicesIIS
(social engineering)telnethttpftpTCP/IPDNSOS
TelnetHttpFtp
ftp
OS detection by TCP/IP stack fingerprinting: Checkos, by Shok; Queso, by Savage; Nmap, by Fyodor
OSOS
FINTCPTCPACKTCP1TCPDF(Don't Fragment bit )IPDF
()ICMPICMPUDPICMPIP+8ICMPICMPTOSTCP(RFC793RFC1323)Query-Reply
()SYN flooding SYN 8
Nmap: nmap-os-fingerprints.txt
# TEST DESCRIPTION:
# Tseq is the TCP sequenceability test
# T1 is a SYN packet with a bunch of TCP options to open port
# T2 is a NULL packet w/options to open port
# T3 is a SYN|FIN|URG|PSH packet w/options to open port
# T4 is an ACK to open port w/options
# T5 is a SYN to closed port w/options
# T6 is an ACK to closed port w/options
# T7 is a FIN|PSH|URG to a closed port w/options
# PU is a UDP packet to a closed port
Nmap fingerprint fields
1. TSeq (TCP sequence number test):
class --- sequence class: C (constant sequence), 64K (increments of 64000), i800 (increments of 800), TD (time dependent), RI (random incremental), TR (true random)
val --- the sequence value (class C)
gcd --- greatest common divisor of the sequence increments (classes RI, TD)
SI --- nmap's sequence index (classes RI, TD)
2. TCP tests (T1-T7):
Resp --- whether a response was received, 'Y' or 'N'
DF --- Don't Fragment bit set, 'Y' or 'N'
W --- window size (tcp->th_win)
ACK --- S: ack == syn; S++: ack == syn + 1; O: other
Flags --- TCP flags: B Bogus (64, not a real TCP flag), U Urgent, A Acknowledgement, P Push, R Reset, S Synchronize, F Final (the bogus flag in a SYN: linux 2.0.35)
Ops --- TCP options: L End of List, N No Op, M MSS, E echoed MSS, W Window Scale, T Timestamp
3. UDP test (PU):
Resp --- 'Y' or 'N'
DF --- 'Y' or 'N'
TOS --- IP TOS of the reply
IPLEN --- IP total length
RIPTL --- total length of the returned IP header
RID --- returned "IP_ID"
RIPCK --- returned "IP_checksum": 0 (checksum is 0), E, F
UCK --- returned "IP_udp_checksum": 0 (checksum is 0), E, F
ULEN --- returned "IP_udp_len"
DAT --- returned data: E (echoed UDP data), F
Nmap
TCP/IPTTLDFTOSSiphonhttp://siphon.datanerds.net/ osprints.conf
Example: telnet from 192.168.102.155 to 192.168.102.245, the reply as logged by snort:
192.168.102.245:23 -> 192.168.102.155:2300 TCP TTL:255 TOS:0x0 ID:58955 DF
**S***A* Seq:0xD3B709A4 Ack:0xBE09B2B7 Win:0x2798
TCP Options => NOP NOP TS:9688775 9682347 NOP WS:0 MSS:1460
Looked up in osprints.conf, 192.168.102.245 is identified as Solaris 2.6-2.7
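Passive fingerprinting of the kind Siphon does, as an added example (not Siphon's code and not the real osprints.conf format): it parses the TTL, TOS, DF bit, window size and TCP options out of a snort-style record like the one above, normalises the observed TTL back to a likely initial TTL, and matches against a small signature table. The signature table is constructed for illustration; the Solaris entry uses the values shown in the captured packet, the second entry uses made-up values.

```python
"""Added example: passive OS fingerprinting from a snort-logged TCP record.
The signature table is constructed for illustration and is not the real
osprints.conf content or format."""
import re

# Constructed signatures: initial window, initial TTL, DF bit.
SIGNATURES = [
    {"os": "Solaris 2.6-2.7", "win": 0x2798, "ttl": 255, "df": True},
    {"os": "ExampleOS (constructed values)", "win": 0x7D78, "ttl": 64, "df": True},
]
INITIAL_TTLS = (32, 64, 128, 255)

HEADER_RE = re.compile(
    r"TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<id>\d+)(?P<df>\s+DF)?")
FLAGS_RE = re.compile(
    r"^(?P<flags>[*12A-Z]{8})\s+Seq:0x(?P<seq>[0-9A-Fa-f]+)\s+Ack:0x(?P<ack>[0-9A-Fa-f]+)"
    r"\s+Win:0x(?P<win>[0-9A-Fa-f]+)", re.M)


def parse_snort_tcp(text: str) -> dict:
    """Extract the fingerprint-relevant fields from a snort TCP log record."""
    h, f = HEADER_RE.search(text), FLAGS_RE.search(text)
    if not (h and f):
        raise ValueError("not a snort TCP record")
    fp = {"ttl": int(h["ttl"]), "tos": int(h["tos"], 16), "id": int(h["id"]),
          "df": h["df"] is not None, "win": int(f["win"], 16),
          # the flag string is positional in snort; we only need which letters are set
          "flags": {c for c in f["flags"] if c.isalpha()}}
    m = re.search(r"\bMSS:(\d+)", text)
    fp["mss"] = int(m[1]) if m else None
    m = re.search(r"\bWS:(\d+)", text)
    fp["ws"] = int(m[1]) if m else None
    m = re.search(r"\bTS:(\d+)\s+(\d+)", text)
    fp["ts"] = (int(m[1]), int(m[2])) if m else None
    return fp


def initial_ttl(observed: int) -> int:
    """Each router decrements TTL, so the smallest common initial value not
    below the observed one is the best guess for what the sender started with."""
    return next((t for t in INITIAL_TTLS if t >= observed), 255)


def match_os(fp: dict, signatures=SIGNATURES) -> list:
    """OS names whose initial window, DF bit and initial TTL match the record.
    The window is only characteristic on SYN / SYN|ACK, so other segments match nothing."""
    if "S" not in fp["flags"]:
        return []
    return [s["os"] for s in signatures
            if s["win"] == fp["win"] and s["df"] == fp["df"] and s["ttl"] == initial_ttl(fp["ttl"])]


# Constructed sample record (the values follow the capture shown on the slide).
SAMPLE = """\
192.168.102.245:23 -> 192.168.102.155:2300
TCP TTL:255 TOS:0x0 ID:58955 DF
**S***A* Seq:0xD3B709A4 Ack:0xBE09B2B7 Win:0x2798
TCP Options => NOP NOP TS:9688775 9682347 NOP WS:0 MSS:1460
"""

if __name__ == "__main__":
    fp = parse_snort_tcp(SAMPLE)
    print(fp)
    print(match_os(fp))
```

Because the TTL is normalised to an initial value, the same record seen a few hops away (TTL 252, say) still matches; a record with a different window or without the SYN flag does not.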
OSOS
IDS
nmapBy FyodornmapCThe Art of Port ScanningRemote OS detection via TCP/IP Stack FingerPrinting
Nmap
Nmap()
X-scan
SATANSAINTSSSStrobeX-Scan
ISS ()PingerPortscanSuperscan
(enumeration)
(banner)
Windows NT/2000Windows NTCIFS/SMB(Common Internet File System/Server Message Block)NetBIOSWindows 2000NTWindowsNTRK(NT Resource Kit)2000 ServerSupport\Tools
Windows NT/2000Windows NT/2000NetBIOSTCP139TCP139net use \\192.168.102.230\IPC$ "" /USER: "" Windows 2000SMB445
NT/2000 NetBIOSNT/2000nbtstatNetBIOS
NT/2000 NetBIOSnbtscannbtstat
NT/2000 NetBIOS net viewnet view
NT/2000 NetBIOS legionNATLegion
NT/2000 NetBIOS NAT
NT/2000 NetBIOS NTRKnltestrmtsharesrvchecksrvinfo netdomepdumpgetmacnetviewxenumdumpsec
NT/2000 NetBIOS 50%NATenumdumpsecRudnyisid2useruser2sidSID(Security Identifier)SIDWhat is a SID http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14781
NT/2000telnetnc()c:\telnet 192.168.102.155 80
NT/2000nc v 192.168.102.233 80
NT/2000WindowsNT/2000AdministratorHKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winregregdumpdumpsec
NT/2000TCPUDP1351392000445
NT/2000: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Control\LSA, value RestrictAnonymous (REG_DWORD): 1 on NT; 2 on 2000 (RestrictAnonymous=2)
NT/2000netcat
Unix/LinuxUnix/LinuxTCP/IPNetBIOSUnix/LinuxshowmountNFS(2049)NISfingerfinger79
Unix/LinuxrusersrwhoSMTPvrfyexpn
Unix/LinuxNT/2000telnetncrpcinfoportmapper111
Unix/Linux79
139
administrator1234
nc
nc
LibpcapWinPcap
(sniffer)
/(CSMA/CD, carrier sense multiple access with collision detection)CSMA/CD
MAC(48)ARPMACIPipconfig/ifconfigMACMAC()
sniffer
HUB
MAC-
UNIXAPIPacket socketBPF
WindowsWinPcap
Packet socket: the interface is set to promiscuous mode with ioctl(); the packet socket is created with
packet_socket = socket(PF_PACKET, int socket_type, int protocol);
(older interface: socket(PF_INET, SOCK_PACKET, protocol))
On UNIX/Linux the device is opened (socket/open) and configured with ioctl() / setsockopt().
BPF(Berkeley Packet Filter)BSDBPFNetwork TapKernel BufferUser bufferLibpcap()BPFLibpcapLibpcapBPFOS(BSD)
BPFlibpcap
libpcapAPIC1.10BPFProgramming with pcap http://www.tcpdump.org/pcap.htm
libpcap API:
char *pcap_lookupdev(char *errbuf);
pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf); returns a packet capture descriptor; snaplen is the number of bytes captured per packet
pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname); opens a savefile for dumping
pcap_t *pcap_open_offline(char *fname, char *ebuf); opens a savefile for reading
Libpcap: filters
int pcap_lookupnet(char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask); str is the filter expression
int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
Libpcap: capture loop
int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user); cnt packets are processed, pcap_handler is called for each; pcap_loop does not return on a read timeout
void pcap_dump(u_char *user, struct pcap_pkthdr *h, u_char *sp); writes a packet to the savefile opened by pcap_dump_open()
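The savefile that pcap_dump_open()/pcap_dump() write and pcap_open_offline() reads has a simple layout (24-byte global header, then a 16-byte record header per packet), and snaplen is visible in it as the cap on each record's captured length. As an added example (not libpcap code, and nothing here links against libpcap), here is a writer and reader for that format in pure Python, with constructed Ethernet frames as input; it also handles a file written in the other byte order, which the magic number reveals.

```python
"""Added example: the libpcap savefile format, written and read without libpcap.
Frames are constructed inline; no capture takes place."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond-timestamp variant of the format
DLT_EN10MB = 1               # Ethernet link type


def write_pcap(packets, snaplen=65535, linktype=DLT_EN10MB, byteorder="<"):
    """packets: iterable of (ts_sec, ts_usec, frame_bytes).
    Frames longer than snaplen are truncated in the file, which is exactly
    what the snaplen given to pcap_open_live() does to a capture."""
    out = bytearray(struct.pack(byteorder + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]
        out += struct.pack(byteorder + "IIII", ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data: bytes):
    """Return (global_header, records). The magic number tells the reader the
    writer's byte order and whether timestamps are micro- or nanoseconds."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    if struct.unpack("<I", data[:4])[0] in (PCAP_MAGIC, PCAP_MAGIC_NS):
        end = "<"
    elif struct.unpack(">I", data[:4])[0] in (PCAP_MAGIC, PCAP_MAGIC_NS):
        end = ">"
    else:
        raise ValueError("not a pcap savefile")
    magic, major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    ts_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    hdr = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "byteorder": end}
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if caplen > snaplen or off + caplen > len(data):
            raise ValueError("corrupt record at offset %d" % (off - 16))
        records.append({"ts": ts_sec + ts_frac / ts_div, "caplen": caplen,
                        "origlen": origlen, "data": data[off:off + caplen]})
        off += caplen
    return hdr, records


def sample_frame(n: int) -> bytes:
    """Constructed 74-byte frame: Ethernet header (ethertype 0x0800) plus filler."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    return eth + bytes([n]) * 60


SAMPLE = [(1000000000 + i, 1000 * i, sample_frame(i)) for i in range(3)]


def roundtrip(snaplen=65535, byteorder="<"):
    """Write the sample frames to an in-memory savefile and read them back."""
    return read_pcap(write_pcap(SAMPLE, snaplen=snaplen, byteorder=byteorder))


if __name__ == "__main__":
    hdr, recs = roundtrip(snaplen=40)
    print(hdr)
    for r in recs:
        print(r["ts"], r["caplen"], r["origlen"])
```

A reader that trusts caplen without bounding it by snaplen and by the remaining file length will read past the buffer on a damaged or crafted file; the check in the loop above is the one place where the format needs care.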
WindowsWindowssnifferWinPcaplibpcapWindows
WinPcapWinPcapNPF(Netgroup Packet Filter)packet.dllwin32WindowsPacket.dllPacket.dllWindows Wpcap.dllpacket.dllWpcap.dllpacket.dllWpcap.dll
WinPcapNPF
WindowsNDIS(Network Driver Interface Specification)NPF
WinPcaplibpcapUNIXlibpcapNPFhttp://winpcap.polito.it/
ARPGW1 BIP2 BarpA,GWIP3 AB4 BGWdsniffarpredirectAB
LibnetLibnetLibnet50C API()(IP)
Libnet call sequence:
libnet_init_packet();
libnet_open_raw_sock();
libnet_build_ip();
libnet_build_tcp();
libnet_do_checksum();
libnet_write_ip();
libnet_close_raw_sock();
libnet_destroy_packet();
SnifferSSHARPARP
DNSDNSLinuxMACLinux IPIPIPICMP ECHO()()Windows 9x/NTMAC0xff
()L0phtAntiSniff
WindowssnifferButtsnifferWindows NTNetMonNetXRayWinPcapWinDump(tcpdumpWindows)Analyzer
Windump
SnifferPro
UNIX/Linuxsnifferdsnifflinux_snifferSnorttcpdumpsniffit
tcpdump
References:
Computer Networks
Hackers Beware, 2002
Hacking Exposed
Remote OS detection via TCP/IP Stack FingerPrinting, http://www.insecure.org/nmap/nmap-fingerprinting-article.html
The Art of Port Scanning, http://www.insecure.org/nmap/nmap_doc.html
UNIX/Linux Programmer's Manual (web)
WinPcap, http://winpcap.polito.it/default.htm
Libnet, http://www.packetfactory.net/Projects/Libnet/
STAT, http://www.cs.ucsb.edu/~rsg/STAT
Snort, http://www.snort.org/
http://www.tucows.com/