Understanding the first stage of an intrusion: network information-gathering techniques

Tags: ack, sessions, port number

1. Building TCP scans that run at wire speed

Everyone who has tried it knows that it is not easy to drive a network card to its full rate: getting about 60M of traffic out of a 100M card is about as good as it gets. Yet test equipment such as SmartBits can drive a link to its physical bandwidth during a test. The small tool described below shows that you can do the same:

First, some TCP basics. A TCP session is set up with a three-way handshake:

- A sends SYN to B, generating ISN-A (the base for the sequence numbers of A's packets). The ISN keeps the data received over a connection in order: its initial value is generated randomly when the connection is established and then increments. Each direction of the communication has its own ISN (ISN-A and ISN-B), and each side keeps track of its own packet order.

- B replies SYN/ACK to A, generating ISN-B (the base for the sequence numbers of B's packets), with AN = ISN-A + 1.

- A completes the handshake with SN = ISN-A + 1 and AN = ISN-B + 1.

The sequence number (SN) field of the TCP header carries, at the start of the conversation, the randomly chosen 32-bit ISN that the two sides negotiate.

When a host sends a SYN, it keeps the ISN and the expected AN in session memory and waits for the SYN/ACK. Only a reply whose numbers agree with the stored values is accepted, which guards against 'forged' packets. If the wait exceeds the timeout, the host retransmits the SYN several times until it gets a response or returns a timeout error. During a scan most connections get no response, yet every one must wait for the timeout before it ends; the more sessions are open at once, the more resources the computer consumes, memory in particular, so most scanning tools are slow.


Reverse SYN cookie technique: instead of a random ISN, the SYN carries an ISN computed with a one-way hash function over the source and destination IP addresses, the source and destination ports, and a seed that serves as the 'key' (160 bits of input in total; the seed is set by the scanning tool). Scanrand uses SHA-1 and truncates its 160-bit output to 32 bits. The sender therefore records nothing (no ISN or other state) and simply sends as fast as it can. When the target responds, the listener process takes the received packet's acknowledgement number minus 1, runs the packet's IP and port information together with the seed through the same hash, and so derives the ISN. If it matches the received value, the listener knows the packet answers a probe it sent itself and can read the destination IP and port from it.

Because sending does not wait for a response and occupies no memory, the scan's sending speed is limited only by the physical network card.

Return values of a Scanrand TCP scan:

- UP: open (SYN/ACK received)

- DOWN: closed (RST/ACK received)

- UN**: ICMP type 3 destination unreachable (RFC 792); the two digits are the ICMP code, e.g. UN01 host unreachable, UN03 port unreachable

- ICMP type 11, timeout (time exceeded)

In addition, because the Reverse SYN cookie technique decouples sending from receiving (there is no 'connection' to keep), the scanning tool can be split into two processes, one that only sends and one that only collects, which greatly raises scanning efficiency.
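As an added illustration (not Scanrand's code), the following Python reproduces the Reverse SYN cookie idea described above: the ISN is a SHA-1 of the addresses, ports and seed truncated to 32 bits, and a listener validates an inbound packet by recomputing that value from the packet's own header and comparing it with ack-1. The field layout, the 8-byte seed and the packet dictionaries are assumptions; it classifies constructed replies and sends nothing.

```python
import hashlib
import ipaddress
import struct

# TCP flag bits used below
SYN, RST, ACK = 0x02, 0x04, 0x10

def make_isn(src_ip, dst_ip, sport, dport, seed):
    """Stateless ISN for one probe: SHA-1 over src/dst IP, src/dst port and the
    secret seed, truncated to the first 32 bits, as the article describes for
    Scanrand.  Field order and the 8-byte seed are assumptions, not Scanrand's
    exact layout (the article only says the hashed input totals 160 bits)."""
    material = (ipaddress.ip_address(src_ip).packed
                + ipaddress.ip_address(dst_ip).packed
                + struct.pack("!HH", sport, dport)
                + seed)
    return struct.unpack("!I", hashlib.sha1(material).digest()[:4])[0]

def classify_reply(reply, seed):
    """reply is a constructed stand-in for the parsed TCP header of an inbound
    packet.  Recompute the ISN our probe to this src/dst pair would have carried
    (the reply's addresses and ports swapped) and compare it with ack-1; a
    mismatch means the packet does not answer one of our probes (forged, stale
    or unrelated), so it is dropped without any stored state."""
    expected = make_isn(reply["dst"], reply["src"], reply["dport"], reply["sport"], seed)
    if (reply["ack"] - 1) & 0xFFFFFFFF != expected:
        return None
    flags = reply["flags"]
    if flags & SYN and flags & ACK:
        state = "UP"      # port open: SYN/ACK
    elif flags & RST:
        state = "DOWN"    # port closed: RST/ACK
    else:
        state = "UNKNOWN"
    return (state, reply["src"], reply["sport"])

if __name__ == "__main__":
    seed = b"ex4mpl3!"   # constructed seed (assumption: 160 - 96 = 64 bits)
    isn = make_isn("10.0.0.5", "192.0.2.10", 40000, 80, seed)
    # constructed SYN/ACK from the target, acknowledging isn + 1
    reply = {"src": "192.0.2.10", "dst": "10.0.0.5", "sport": 80, "dport": 40000,
             "ack": (isn + 1) & 0xFFFFFFFF, "flags": SYN | ACK}
    print(classify_reply(reply, seed))   # ('UP', '192.0.2.10', 80)
```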

2. Probing and scanning techniques that evade IDS monitoring

The first step of an intrusion is the information-gathering stage: finding out where the target is vulnerable, commonly called 'casing'. It mainly covers these tasks:

- Determine the OS type and version of the target system

- Find the open service ports

- Obtain version information for the services on those ports

Principle: the real danger of a probing scan is that sending too many packets to the target exposes the attacker's presence. These packets often contain data that forms recognisable signatures, and some are deliberately malformed to provoke an identifiable error response. Many intrusion detection systems (IDS) look for these signatures as 'features' to identify attack scanning behaviour, especially in pure TCP scans.

The Xprobe2 tool mixes ICMP, TCP and UDP in many ways and sends no malformed packets, so its probing adds no 'noise' to the network and escapes many IDS checks. At the same time, IDS tend to produce large volumes of logs and false alarms, so a few seemingly incidental suspicious events, especially amid a flood of other events, easily slip past the security manager's eyes.

Probing the operating system type:

Example 1: ICMP ping is a common way to query connectivity on a network, but many 'fingerprint' details in it yield important information for a probe. Normally an ICMP Echo Request is sent and the target generally answers with an Echo Reply. When Xprobe2 sends the request, it sets the ICMP Code field to 123 (its own definition) instead of 0. Interestingly, targets running different operating systems respond differently: Microsoft Windows replies with code 0, while other operating systems typically reply with the same code value as the request.

Probing whether service ports are open:

Example 2: Normally a port probe sends connection requests directly to common ports or to all ports; such packets are dense and neatly ordered and are easily spotted by an IDS. To check whether a target port is open while evading IDS monitoring, Xprobe2 uses a 'third-party simulation' technique. Xprobe2 first sends a DNS query to the local DNS server and receives a proper reply. It then replays that reply packet towards the target as though it came from a DNS server: the source port is the DNS port (53) and the destination port is the target port to be probed, for example UDP 65500. The target receives a packet it never asked for and, having sent no request, responds normally, for example reporting that the port is not open; that reply is exactly what Xprobe2 needs, since it shows the port is closed. Because DNS packets do not attract an IDS's attention, the probing behaviour is masked.
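As an added example from the defender's side (not part of the original article or of Xprobe2), here is a small Python check that flags the two probe patterns from Example 1 and Example 2 in constructed traffic records: an ICMP Echo Request carrying a non-zero code, and a 'DNS reply' from port 53 that answers no query the monitor has seen. The record format and the addresses are assumptions.

```python
def detect_probes(packets):
    """packets: constructed, time-ordered list of parsed-packet dicts.
    Returns a list of (rule, src, dst, detail) alerts.
    Simplification (assumption): a DNS reply is matched to its query by
    (client ip, client port, server ip); resolvers that answer from another
    address would need a looser key."""
    outstanding = set()   # DNS queries seen and not yet answered
    alerts = []
    for p in packets:
        if p["proto"] == "icmp":
            # An Echo Request (type 8) normally carries code 0; the article
            # notes Xprobe2 sends code 123 to fingerprint the OS.
            if p["type"] == 8 and p["code"] != 0:
                alerts.append(("icmp-echo-nonzero-code", p["src"], p["dst"], p["code"]))
        elif p["proto"] == "udp":
            if p["dport"] == 53:
                outstanding.add((p["src"], p["sport"], p["dst"]))
            elif p["sport"] == 53:
                key = (p["dst"], p["dport"], p["src"])
                if key in outstanding:
                    outstanding.discard(key)
                else:
                    # A "reply" to a query nobody sent: a replayed DNS packet
                    # aimed at an arbitrary port, the third-party port probe.
                    alerts.append(("unsolicited-dns-reply", p["src"], p["dst"], p["dport"]))
    return alerts

# constructed sample traffic: one legitimate lookup, then the two probe patterns
SAMPLE = [
    {"proto": "udp", "src": "10.0.0.7", "sport": 54321, "dst": "10.0.0.2", "dport": 53},
    {"proto": "udp", "src": "10.0.0.2", "sport": 53, "dst": "10.0.0.7", "dport": 54321},
    {"proto": "icmp", "src": "10.0.0.9", "dst": "192.0.2.10", "type": 8, "code": 123},
    {"proto": "udp", "src": "10.0.0.9", "sport": 53, "dst": "192.0.2.10", "dport": 65500},
]

if __name__ == "__main__":
    for alert in detect_probes(SAMPLE):
        print(alert)
```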

Probing the service type on a service port:

This is unnecessary for common services, but it becomes necessary when network administrators apply many 'security' measures. 'Not open means secure' is a traditional security notion, so administrators run common network services on non-standard ports, leaving probes without a 'target' in the name of security.

A scanner needs to explore the details of the service on a port, and a network administrator needs to detect users installing 'services' on the network that the company does not allow.

Amap (www.thc.org) is a tool for probing port services. Its main principle is to determine the service type by opening multiple connections and grabbing the 'features' of the service on the port, much as telnetting to a port can prompt the service to reveal its type and version. When the service's 'features' are not obvious or have been modified, that approach no longer works. Amap then attempts to establish a connection to the target by simulating the initial requests of some queries or session setups, and determines the service type and version from the answers. For example, an SSL service needs a three-step handshake: 1. Client_hello; 2. Server_hello; 3. the server's certificate transfer to the client.

Naturally, the tool accumulates a large database of communications that mimic common applications.

Amap is also a good tool for network administrators: it can be used to find unauthorised services installed by users, especially services the company does not allow that hide by frequently changing their port numbers, such as peer-to-peer and VNC remote desktop.

3. Do not underestimate ARP

ARP is the protocol that matches IP addresses to MAC addresses and is the basis of TCP/IP communication. When a host wants to send data to a target, it first resolves the WWW name (application-layer address) to the target's IP address (network-layer address) via DNS, and then via ARP resolves the target IP address to a MAC address (data-link-layer address), which may be the gateway's rather than the real target computer's; only then can the data be sent. In the hub era everyone could hear everyone else's traffic, and MAC address broadcasting and updating was relatively simple. In the switch era the collision domain is 'gone' and two other people's communication can no longer be picked up at will, so ARP has seen new developments.

Proxy ARP: in the early days, when the target host and the source host were not on the same network segment, the ARP broadcast was cut off and discarded by the gateway device, so the target host could not hear it and of course could not answer. Hence a 'manager' in the network took charge of ARP requests for other segments, proxying them: the source host first sent to the manager, which then forwarded to the target. That is proxy ARP. Later, hosts were configured with a default gateway address: when a host finds that the target is not on its own network, it sends directly to the gateway device, so it only needs to request the gateway's MAC address. Although proxy ARP is now rarely used, someone who wants to listen to other people's communications can impersonate a gateway and act as the proxy for your traffic.

Query ARP (the ARP request): when a host is powered on and initialises its TCP/IP stack, it sends an ARP request for the IP address it is about to use, to see whether there is an address conflict on the network. If the request gets no response, the IP address can be used with confidence. Of course, TCP/IP also requires that a sender which does not know the target's MAC first sends a query ARP and waits for the target's reply; without the target's MAC there is no way to assemble the packet to send.

Gratuitous ARP (also called free ARP): because the forwarding database (FDB) in a network device (switch), which maps MAC addresses to ports, and the ARP cache in a host, which maps IP addresses to MAC addresses, are both learned dynamically and refreshed, an entry that sees no packets for a while 'ages out' and is deleted. To refresh these 'learned' tables a host sends an ARP reply directly. Because it is sent on the host's own initiative, and because the reply is addressed not to one address but broadcast to the whole network segment, it is called gratuitous (free) ARP. One scenario is that a host sends gratuitous ARP when it boots, to tell the network 'I am here' and to let the switch record its MAC on the corresponding port. Another is that some hosts and network devices, to keep their entries in other caches from aging out, send periodic refreshes, so that anyone wanting to send them data does not have to send an ARP request again because the address has aged out. Cisco network devices habitually send gratuitous ARP at regular intervals.

Since ARP is the tool by which MAC addresses are learned, gratuitous ARP is generally very common and security devices ignore its presence, which makes it a tool an attacker can use for eavesdropping.

Principle of the ARP poisoning attack: the attacker's goal is to become the ARP proxy for both sides of a communication, which is also known as a man-in-the-middle attack. Specifically, gratuitous ARP is used to rapidly refresh the ARP caches of the communicating hosts so that each side believes the MAC address corresponding to the other side's IP address is the middleman's. When they communicate, they then mistakenly send 'to the middleman', and the middleman relays the traffic to the other party.

If the man-in-the-middle impersonates the gateway, it can proxy the external communication of every host on the network segment; for this reason gateway devices always pay close attention to anyone on the network impersonating their IP address.
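As an added example (not from the original article), this Python monitor keeps an IP-to-MAC table in the style of arpwatch over constructed ARP frames and alerts when a gratuitous ARP changes a known mapping or when a unicast reply arrives that no request asked for, which is the footprint of the cache-refresh technique described above. The frame format and all addresses are assumptions.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def arp_monitor(frames):
    """frames: constructed, time-ordered list of parsed ARP dicts with keys
    op (1 request, 2 reply), sender_ip, sender_mac, target_ip, target_mac.
    Returns (ip->mac table, alerts).  Rules: a reply that changes a mapping
    already learned; a unicast reply that answers no tracked request
    (requests are tracked as (requester ip, wanted ip))."""
    table = {}
    pending = set()
    alerts = []
    for f in frames:
        if f["op"] == 1:
            # request (an address-conflict probe has sender_ip == target_ip)
            pending.add((f["sender_ip"], f["target_ip"]))
            continue
        ip, mac = f["sender_ip"], f["sender_mac"]
        # gratuitous: broadcast reply, or a reply about the sender's own address
        gratuitous = f["target_mac"] == BROADCAST or f["target_ip"] == ip
        if not gratuitous and (f["target_ip"], ip) not in pending:
            alerts.append(("unsolicited-reply", ip, mac, f["target_ip"]))
        pending.discard((f["target_ip"], ip))
        old = table.get(ip)
        if old is not None and old != mac:
            # a known IP now claims a different MAC: the classic poisoning sign
            alerts.append(("mapping-changed", ip, old, mac))
        table[ip] = mac
    return table, alerts

# constructed frames: the gateway 10.0.0.1 answers a request and refreshes
# itself, then another station announces the gateway's IP with its own MAC,
# and finally a host receives a reply it never asked for
FRAMES = [
    {"op": 1, "sender_ip": "10.0.0.5", "sender_mac": "02:00:00:00:00:05", "target_ip": "10.0.0.1", "target_mac": "00:00:00:00:00:00"},
    {"op": 2, "sender_ip": "10.0.0.1", "sender_mac": "02:00:00:00:00:01", "target_ip": "10.0.0.5", "target_mac": "02:00:00:00:00:05"},
    {"op": 2, "sender_ip": "10.0.0.1", "sender_mac": "02:00:00:00:00:01", "target_ip": "10.0.0.1", "target_mac": BROADCAST},
    {"op": 2, "sender_ip": "10.0.0.1", "sender_mac": "02:00:00:00:00:99", "target_ip": "10.0.0.1", "target_mac": BROADCAST},
    {"op": 2, "sender_ip": "10.0.0.9", "sender_mac": "02:00:00:00:00:09", "target_ip": "10.0.0.5", "target_mac": "02:00:00:00:00:05"},
]

if __name__ == "__main__":
    table, alerts = arp_monitor(FRAMES)
    for alert in alerts:
        print(alert)
```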

This article is from the 'Jack Zhai' blog; please keep this source: http://zhaisj.blog.51cto.com/219066/60946
