An Explanation of Sniffers, Hackers and Network Management

Source: Internet
Author: User

This article is about sniffers, hackers and network management. The Hacker Ethic that Steven Levy set out in his history of hacker culture holds that access to computers should be unrestricted; that all information should be free; that centralized control of computing should be broken down; that art and beauty can be created on a computer; and that computers can make life better.

Introduction: About Hackers


The Hacker Ethic, as Steven Levy recorded it in his well-known history of hackers, holds that access to computers should be unrestricted, that all information should be free, that centralized control of computing should be broken down, that art and beauty can be created on a computer, and that computers can make life better.

Hacker culture carries a spirit of freedom and of resistance to tradition, authority and centralization.

In everyday usage the public takes "hacker" to mean someone who breaks into computer systems, a usage that genuinely skilled hackers find depressing. Maximum Security defines hackers and intruders as follows:

A "hacker" is a person with a strong interest in the inner workings of any computer operating system. Hackers are mostly programmers with advanced knowledge of operating systems and programming languages who know the vulnerabilities in a system and why they exist. They constantly pursue deeper knowledge, publish what they find and share it with others, and never attempt to destroy data.

An "intruder" is a person who breaks into a remote system, or even undermines its integrity, with malicious intent. Intruders use the access they have illegally obtained to destroy important data, deny service to legitimate users, or otherwise cause trouble for their own ends. Intruders are easy to recognize because they are malicious.

The concept of the hacker in this sense originated with the computer enthusiasts of the MIT laboratories. They were energetic, keen to solve problems, thought independently, and stayed within the law.

Technology itself is not at fault; the fault lies with people. Network security analysis can be used by real hackers to strengthen security and make network management easier, and it can equally be used by intruders to pry into others' privacy, tamper with data at will, and commit fraud online.

Here we discuss the use of network sniffers both in hacking, in that broad sense, and in network management.

I. How a Sniffer Attack Works

A sniffer can be hardware or software and is used to receive the data transmitted over a network. The network may run a variety of protocols, including Ethernet, TCP/IP and IPX, or several of them together. A sniffer is installed to put a network interface (here an Ethernet adapter) into promiscuous mode and intercept what passes over the network.

A sniffer is different from a keystroke logger (key capture program). A keystroke logger records the key values typed at a terminal, whereas a sniffer captures actual network packets. It does so at the network interface, by setting the Ethernet card to promiscuous mode.

Ethernet

Ethernet was invented at Xerox's Palo Alto Research Center (PARC). The following describes how information is transmitted over a network, Ethernet in this case.

Data travels over the network in small units called frames. A frame is made of several parts, each with its own function. For example, the first 12 bytes of an Ethernet frame hold the destination and source hardware addresses (six bytes each); they tell the network where the data came from and where it is going. A two-byte type field follows (0x0800 for IP, as the dumps in section II show), and the remaining bytes carry the actual payload: TCP/IP headers, IPX headers and user data.

The frame is assembled by a piece of software called the network driver and put onto the cable by the network adapter. At the receiving end the process runs in reverse: the receiver's Ethernet card captures the frame, notifies the operating system that it has arrived, and the frame is stored. It is during this transmission and reception that a sniffer creates the security problem.

Every station on a LAN has a hardware (MAC) address that uniquely identifies it on that network, much as an IP address identifies a host on the Internet. On a shared-medium Ethernet (a hub or a coaxial segment), a packet sent by one station physically reaches every station on the LAN.

Normally every machine on the network can "hear" the passing traffic but does not act on frames that are not addressed to it; in other words, workstation A does not capture data meant for workstation B, it simply ignores it. If a workstation's network interface is put into promiscuous mode, however, it captures every packet and frame on the segment.

A sniffer is hardware or software that "listens" to (rather than ignores) everything sent over the network. In that sense every machine and every router is, or at least can be made into, a sniffer. The captured data is stored on disk for later examination. One caveat for modern networks: on a switched Ethernet the switch forwards a unicast frame only to the port where it learned the destination MAC, so a sniffer on another port sees broadcasts, multicasts and flooded frames but not the unicast traffic between two other hosts, unless it is given a mirror (SPAN) port or redirects that traffic to itself, for instance by ARP spoofing or by flooding the switch's MAC table.

A sniffer can be, and usually is, a combination of software and hardware. The software can be an ordinary network analyzer with strong debugging features, or a purpose-built sniffer.

A sniffer must be attached to the network segment it is to monitor; within that segment it can be placed anywhere.
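What "setting the card to promiscuous mode" means in practice, as an added example that is not code from the article: on Linux a sniffer opens a raw AF_PACKET socket and asks the kernel, through PACKET_ADD_MEMBERSHIP with PACKET_MR_PROMISC (the same request libpcap makes), to stop discarding frames addressed to other stations. The kernel then shows PROMISC in the interface's flag list and logs the transition, which gives the network manager two ways to check for a sniffer. The numeric constants are copied from the Linux headers named in the comments; the `ip link` and kernel-log text fed to the checks is a constructed sample, and the live capture path needs root or CAP_NET_RAW.

```python
"""How a sniffer gets 'everything on the wire' on Linux, and how a defender
spots it.  Added example for this article, not the author's code; the
capture path is Linux-only and needs root or CAP_NET_RAW."""
import re
import socket
import struct

ETH_P_ALL = 0x0003          # <linux/if_ether.h>: deliver every frame regardless of protocol
SOL_PACKET = 263            # <linux/socket.h>
PACKET_ADD_MEMBERSHIP = 1   # <linux/if_packet.h>
PACKET_MR_PROMISC = 1
PACKET_OTHERHOST = 3        # sll_pkttype: the frame was addressed to some other station


def promisc_mreq(ifindex: int) -> bytes:
    """struct packet_mreq { int mr_ifindex; unsigned short mr_type, mr_alen;
    unsigned char mr_address[8]; } with mr_type = PACKET_MR_PROMISC (16 bytes)."""
    return struct.pack("iHH8s", ifindex, PACKET_MR_PROMISC, 0, b"\x00" * 8)


def open_sniffer(ifname: str) -> socket.socket:
    """Raw AF_PACKET socket bound to ifname, then the request that makes the NIC
    promiscuous.  The kernel logs 'device <ifname> entered promiscuous mode'
    when it takes effect and drops the request again when the socket closes."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP,
                 promisc_mreq(socket.if_nametoindex(ifname)))
    return s


def capture(ifname: str, count: int):
    """Yield (pkttype, raw_frame); pkttype == PACKET_OTHERHOST marks frames the
    interface would have ignored without promiscuous mode."""
    s = open_sniffer(ifname)
    try:
        for _ in range(count):
            raw, (_, _, pkttype, _, _) = s.recvfrom(65535)
            yield pkttype, raw
    finally:
        s.close()


# Defender's checks: `ip link show` lists PROMISC among the flags while any
# socket holds the interface promiscuous, and the kernel logs each transition.
IP_LINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)[^<]*<(?P<flags>[^>]*)>")
KMSG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_interfaces(ip_link_output: str):
    """Interface names carrying the PROMISC flag in `ip link show` output."""
    found = []
    for line in ip_link_output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def promisc_transitions(kernel_log: str):
    """(interface, 'entered'|'left') pairs from dmesg / kern.log text."""
    return KMSG_RE.findall(kernel_log)


# Constructed sample output (not captured from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:ab:15:d6:de brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:90:ab:c0:68:00 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_KMSG = """\
[  812.403117] device eth0 entered promiscuous mode
[  990.771260] device eth0 left promiscuous mode
[ 1203.118904] device eth0 entered promiscuous mode
"""

if __name__ == "__main__":
    print("PROMISC now:", promisc_interfaces(SAMPLE_IP_LINK))
    print("transitions:", promisc_transitions(SAMPLE_KMSG))
    import sys  # live capture as root: python3 sniff.py eth0
    if len(sys.argv) > 1:
        for pkttype, raw in capture(sys.argv[1], 10):
            print("foreign" if pkttype == PACKET_OTHERHOST else "ours", raw[:14].hex(" "))
```

Both checks are local and point-in-time: a capture tool started with promiscuous mode disabled (tcpdump -p, for instance) never raises the flag, and an attacker with root can suppress the log line, so they catch careless sniffers rather than careful ones. Port mirroring on the switch shows up on neither.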

Sniffers are a serious risk because:

They can capture passwords;

They can intercept confidential or proprietary information;

They can be used as a springboard to attack neighbouring networks or to obtain higher-level access.

II. Using a Sniffer to Obtain Information

The following is a capture produced by the sniffer tool EtherPeek on Windows. Let us analyze the data (to avoid unnecessary trouble, the data has been modified).

1. Anonymous FTP packet analysis

Flags: 0x00
Status: 0x00
Packet Length: 74
Timestamp: 19:11:21.743000 01/18/2000

Raw Packet Data:
  ....h.RT......E.   00 90 ab c0 68 00 52 54 ab 15 d6 de 08 00 45 00   [0-15]
  .8..@. .)R.i(1..   00 38 10 09 40 00 20 06 29 52 a2 69 28 31 ca c8   [16-31]
  .......f.....?P.   8c 02 04 b3 00 15 00 66 c3 aa 00 04 f0 3f 50 18   [32-47]
  ".+T..USER anony   22 0a 2b 54 00 00 55 53 45 52 20 61 6e 6f 6e 79   [48-63]
  mous......         6d 6f 75 73 0d 0a 00 00 00 00                     [64-73]

That is not easy to read. EtherPeek's decode of the same packet follows:

Flags: 0x00
Status: 0x00
Packet Length: 74
Timestamp: 19:11:21.743000 01/18/2000

Ethernet Header
  Destination: 00:90:ab:c0:68:00 [0-5]
  Source: 52:54:ab:15:d6:de [6-11]
  Protocol Type: 08-00 IP [12-13]

IP Header - Internet Protocol Datagram
  Version: 4 [14 Mask 0xf0]
  Header Length: 5 [14 Mask 0xf]
  Precedence: 0 [15 Mask 0xe0]
  Type of Service: %000 [15 Mask 0x1c]
  Unused: %00 [15 Mask 0x3]
  Total Length: 56 [16-17]
  Identifier: 4105 [18-19]
  Fragmentation Flags: %010 Do Not Fragment [20 Mask 0xe0]
  Fragment Offset: 0 [20-21 Mask 0x1fff]
  Time To Live: 32 [22]
  IP Type: 0x06 TCP [23]
  Header Checksum: 0x2952 [24-25]
  Source IP Address: 162.105.40.49 [26-29]
  Dest. IP Address: 202.200.140.2 [30-33]
  No Internet Datagram Options

TCP - Transmission Control Protocol
  Source Port: 1203 [34-35]
  Destination Port: 21 FTP Control - File Transfer Protocol [36-37]
  Sequence Number: 6734762 [38-41]
  Ack Number: 323647 [42-45]
  Offset: 5 [46 Mask 0xf0]
  Reserved: %000000 [46-47 Mask 0xfc0]
  Code: %011000 [47 Mask 0x3f]
    Ack is valid
    Push Request
  Window: 8714 [48-49]
  Checksum: 0x2b54 [50-51]
  Urgent Pointer: 0 [52-53]
  No TCP Options

FTP Control - File Transfer Protocol
  FTP Command: 0x55534552 (USER) User Name [54-57]
  User Name: 20 [58]
  Extra bytes (Padding):
    anonymous..   61 6e 6f 6e 79 6d 6f 75 73 0d 0a   [59-69]

Frame Check Sequence: 0x00000000

So the user name is being transmitted, and the user name is anonymous. Everything the FTP client sends on the port 21 control connection, USER and PASS included, travels in cleartext, which is why anyone with a sniffer on the path can read it.

There is another packet with the same source and destination addresses:

Flags: 0x00
Status: 0x00
Packet Length: 71
Timestamp: 19:11:32.149000 01/18/2000

Raw Packet Data:
  ....h.RT......E.   00 90 ab c0 68 00 52 54 ab 15 d6 de 08 00 45 00   [0-15]
  .5..@. .'U.i(1..   00 35 12 09 40 00 20 06 27 55 a2 69 28 31 ca c8   [16-31]
  .......f......P.   8c 02 04 b3 00 15 00 66 c3 ba 00 04 f0 87 50 18   [32-47]
  !.|...pas guest    21 c2 7c 00 00 00 70 61 73 20 67 75 65 73 74      [48-63]
  @.....             40 0d 0a 00 00 00                                  [64-70]

(The last two lines of this dump are damaged in the source: they hold 15 and 6 bytes where a 71-byte frame needs 16 and 7, so the TCP checksum at bytes 50-51 and the first bytes of the FTP command cannot be read from it reliably.)

What is this? It is the same connection (same addresses and ports) about ten seconds later. The sequence number has advanced by exactly the 16 bytes of "USER anonymous\r\n" (6734762 + 16 = 6734778), and the payload ends in 67 75 65 73 74 40 0d 0a, "guest@\r\n": this is the FTP PASS command carrying the password, guest@ being the conventional password offered for anonymous logins. EtherPeek's decode, which the source reproduces only as far as the TCP header, follows:

Flags: 0x00
Status: 0x00
Packet Length: 71
Timestamp: 19:11:32.149000 01/18/2000

Ethernet Header
  Destination: 00:90:ab:c0:68:00 [0-5]
  Source: 52:54:ab:15:d6:de [6-11]
  Protocol Type: 08-00 IP [12-13]

IP Header - Internet Protocol Datagram
  Version: 4 [14 Mask 0xf0]
  Header Length: 5 [14 Mask 0xf]
  Precedence: 0 [15 Mask 0xe0]
  Type of Service: %000 [15 Mask 0x1c]
  Unused: %00 [15 Mask 0x3]
  Total Length: 53 [16-17]
  Identifier: 4617 [18-19]
  Fragmentation Flags: %010 Do Not Fragment [20 Mask 0xe0]
  Fragment Offset: 0 [20-21 Mask 0x1fff]
  Time To Live: 32 [22]
  IP Type: 0x06 TCP [23]
  Header Checksum: 0x2755 [24-25]
  Source IP Address: 162.105.40.49 [26-29]
  Dest. IP Address: 202.200.140.2 [30-33]
  No Internet Datagram Options

TCP - Transmission Control Protocol
  Source Port: 1203 [34-35]
  Destination Port: 21 FTP Control - File Transfer Protocol [36-37]
  Sequence Number: 6734778 [38-41]
  Ack Number: 323719 [42-45]
  Offset: 5 [46 Mask 0xf0]
  Reserved: %000
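The two dumps above can be decoded without EtherPeek, and doing it by hand is the clearest way to see the frame layout described in section I and the cleartext credentials the sniffer is after in section II. The following added example (not the article's code and not EtherPeek's) parses the first frame exactly as printed on the page, byte for byte, through the Ethernet, IPv4 and TCP headers, verifies both checksums, and then pairs the USER and PASS commands on the control connection. The second frame is constructed here from the page's decoded values (ID 4617, sequence 6734778, ack 323719, window 8642) and the payload "PASS guest@\r\n", because the page's raw dump of it lost bytes in reproduction; its checksums are computed by the builder, not copied from the page.

```python
"""Decode the frames from the EtherPeek dump by hand: Ethernet -> IPv4 -> TCP
-> FTP, verify the checksums, and recover the cleartext login.
Added example for this article; it is not EtherPeek's or the author's code."""
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

# Frame 1, copied byte for byte from the page's raw dump (74 bytes, "USER anonymous").
USER_FRAME = bytes.fromhex(
    "00 90 ab c0 68 00 52 54 ab 15 d6 de 08 00 45 00 "
    "00 38 10 09 40 00 20 06 29 52 a2 69 28 31 ca c8 "
    "8c 02 04 b3 00 15 00 66 c3 aa 00 04 f0 3f 50 18 "
    "22 0a 2b 54 00 00 55 53 45 52 20 61 6e 6f 6e 79 "
    "6d 6f 75 73 0d 0a 00 00 00 00"
)


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones' complement sum of 16-bit words.
    Run over a header with its checksum field in place, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(raw: bytes):
    """Return the header fields EtherPeek shows, or None if the frame is not TCP over IPv4.
    Byte offsets match the [n-m] markers in the page's decode."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETH_P_IP:
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, flags_frag, ttl, proto, ip_csum = struct.unpack("!HHHBBH", ip[2:12])
    if proto != IPPROTO_TCP:
        return None
    seg = ip[ihl:total_len]            # drops Ethernet padding / FCS after the datagram
    sport, dport, seq, ack, off_flags, win, tcp_csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))  # TCP pseudo-header
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "ip_id": ip_id, "dont_fragment": bool(flags_frag & 0x4000), "ttl": ttl,
        "ip_checksum": ip_csum, "ip_checksum_ok": rfc1071_checksum(ip[:ihl]) == 0,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
        "window": win, "tcp_checksum": tcp_csum,
        "tcp_checksum_ok": rfc1071_checksum(pseudo + seg) == 0,
        "payload": seg[(off_flags >> 12) * 4:],
    }


def build_tcp_frame(template: bytes, ip_id: int, seq: int, ack: int,
                    window: int, payload: bytes) -> bytes:
    """New frame on the same connection as `template` (same MACs, IPs, ports, TTL, DF
    and PSH/ACK), with fresh lengths, ID, numbers and checksums.  Assumes 20-byte headers."""
    eth = template[:14]
    ip = bytearray(template[14:34])
    tcp = bytearray(template[34:54])
    struct.pack_into("!HH", ip, 2, 40 + len(payload), ip_id)
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, rfc1071_checksum(bytes(ip)))
    struct.pack_into("!II", tcp, 4, seq, ack)
    struct.pack_into("!HH", tcp, 14, window, 0)
    seg = bytes(tcp) + payload
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    struct.pack_into("!H", tcp, 16, rfc1071_checksum(pseudo + seg))
    return eth + bytes(ip) + bytes(tcp) + payload


# Frame 2 is constructed (the page's raw dump of it is incomplete) from the decoded values.
PASS_FRAME = build_tcp_frame(USER_FRAME, ip_id=4617, seq=6734778, ack=323719,
                             window=8642, payload=b"PASS guest@\r\n")


def extract_ftp_logins(frames):
    """Pair each USER with the PASS that follows it on the same client->server connection."""
    pending, logins = {}, []
    for raw in frames:
        pkt = parse_frame(raw)
        if pkt is None or pkt["dst_port"] != 21 or not pkt["payload"]:
            continue
        conn = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"])
        for line in pkt["payload"].decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                pending[conn] = arg
            elif verb.upper() == "PASS" and conn in pending:
                logins.append((pkt["src_ip"], pkt["dst_ip"], pending.pop(conn), arg))
    return logins


if __name__ == "__main__":
    for frame in (USER_FRAME, PASS_FRAME):
        p = parse_frame(frame)
        print(f"{p['src_ip']}:{p['src_port']} -> {p['dst_ip']}:{p['dst_port']} "
              f"seq={p['seq']} ack={p['ack']} {'/'.join(p['flags'])} "
              f"ip_csum_ok={p['ip_checksum_ok']} tcp_csum_ok={p['tcp_checksum_ok']} "
              f"payload={p['payload']!r}")
    print(extract_ftp_logins([USER_FRAME, PASS_FRAME]))
```

The checksum check is worth keeping in any decoder fed by a sniffer: the IP header checksum 0x2952 and the TCP checksum 0x2b54 printed by EtherPeek both verify against the bytes on the page, which shows the "modified" data was modified consistently, and a frame that fails the check is either corrupt or has been altered after capture. The USER/PASS pairing keys on client address, client port and server address so that interleaved logins from several clients are not mixed up.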
