Cracking network Vanguard

Source: Internet
Author: User
Tags: normalizer, snmp

ADSL brings great convenience to Internet access. Many households have several computers, and by sharing one ADSL connection they can all go online without interfering with each other. Recently, however, several friends have told me that with a single machine connected everything works normally, but as soon as two machines are online neither can open web pages. According to reports, China Telecom has deployed a new piece of network hardware: Network Vanguard.

I looked up information about Network Vanguard online, but what I found only described what it does, not how it works. To solve the problem we must understand the mechanism behind the blocked sharing. There are two ways to share an ADSL connection: a proxy, or address translation (NAT). What is usually called the "routing" method is in fact NAT; routing and NAT do differ in principle, but we will not go into that here. Most ADSL modems today have a built-in NAT function, and using it is the cheapest and most convenient way to share the connection, so this article concentrates on that method.

To block more than one computer from accessing the Internet, the ISP must first detect that more than one machine sits behind the shared connection. As Figure 1 (NAT working principle) shows, after NAT translation the addresses of all Intranet computers are rewritten to 192.168.0.1, and the MAC address is replaced with that of the ADSL modem. In principle, therefore, capturing NAT-translated packets at the ADSL egress cannot reveal how many machines are online. So how is it detected?

I. Analyzing the cause

First I scanned the ADSL modem with SuperScan and found port 161 open; port 161 is the SNMP (Simple Network Management Protocol) service port. Could the number of hosts be discovered through SNMP? I then scanned the modem for vulnerabilities with X-Scan, which reported that the default password is in use. With it you can log on to the modem's management interface, but there is no option anywhere to turn off the SNMP service; it seems to be a backdoor that was left open. From this we can basically conclude that the number of hosts is found through SNMP. To confirm this further, I used an SNMP management tool, ActiveSNMP, to view the ADSL modem's connection state. Figure 2 shows that SNMP clearly reveals the number of hosts online at the same time.

II. Solution

The solution is to block the SNMP protocol. There are several possible approaches.

1. The modem has no option to disable SNMP. You can replace it with a modem that does allow the protocol to be disabled.

2. Export the modem's configuration to a file, change the default password with a binary editor, and load the file back into the modem. This is only an idea and has not been tried.

3. Buy an ADSL router such as the TP-LINK TL-R400 and place it as shown in Figure 3. The router performs a second NAT, so the ADSL modem sees only a single address and shared access works again. Disable SNMP on the router.

Network Vanguard must use several mechanisms to detect multiple users. With SNMP on the ADSL modem, the operator can read the users' connection information directly from the modem; with a proxy, it can identify users from the HTTP request headers and can even capture the IP addresses of the Intranet users. Most of the current discussion concerns transparent NAT, for example a broadband router with SNMP disabled: how does it determine that NAT is in use? Is it by capturing packets at the egress? I captured there and found no abnormal data, so I think Network Vanguard has no direct way of identifying NAT.

Note, however, that once packets are captured at the egress, the traffic of a single user and that of multiple users look quite different: the packets of a single user and the packets of several users behind one public IP have many distinguishing features. At the HTTP layer, for instance, multiple users may send requests to many different web sites within a short time, behavior that a single user very rarely shows. Network Vanguard could analyze the data in this way to determine whether there are multiple users.
All ISPs have now updated their equipment. Strictly speaking, China Telecom has several monitoring methods for dealing with sharing:

1. The access device. ADSL and China Telecom's access equipment are integrated, so the network management system for ADSL modems can read data from the modem. Of course, if the modem works in bridging mode and you set up your own network carefully, this system can do little.

2. A spoofing device. A machine bound to addresses in blocks such as 192.168.0.0/255.255.0.0 is placed next to the user's router; machines on the user's Intranet may accidentally send packets to this spoofed machine, which then learns the layout of the Intranet. The countermeasure is a strict firewall policy that prevents the Intranet from sending packets to non-routable addresses through the router.

3. Scanning the user's IP address reveals the router's software version and hence its manufacturer. Special packets sent to the router can also extract Intranet information; for example, a packet sent to the normal Intranet broadcast address can elicit a response from every machine on the Intranet, and from the responses the number of machines can be counted accurately. The remedy is a firewall: these scanning techniques are almost ancient hacker techniques, and a modern firewall should be able to handle them. The problem is that not many cheap routers have enough computing power to run a firewall.
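The two firewall countermeasures in points 2 and 3 (drop Intranet traffic to non-routable destinations, and drop broadcast probes and SNMP queries arriving from the WAN) can be written down as a small forwarding policy. The following is an added example and not code from the article or any router vendor; the LAN prefix, the WAN address and the verdict strings are assumptions chosen for illustration, and connection tracking is left out.

```python
import ipaddress

# Constructed example values (not from the article): the home LAN behind the
# router, the ranges that must never be reached through the WAN, and SNMP ports.
LAN = ipaddress.ip_network("192.168.1.0/24")
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "169.254.0.0/16", "127.0.0.0/8", "0.0.0.0/8",      # link-local, loopback, "this" net
    "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4",     # CGN, multicast, reserved
)]
SNMP_PORTS = {161, 162}


def egress_verdict(src: str, dst: str) -> str:
    """Decide whether a LAN-originated packet may leave through the WAN.

    Packets to other private ranges are dropped: a spoofing device on the
    WAN side that answers for 192.168.0.0/16 must never see Intranet traffic.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in LAN:
        return "DROP: source not on LAN"            # spoofed or misconfigured host
    if d in LAN:
        return "LOCAL: stays on the LAN segment"    # never reaches the router's WAN side
    if any(d in net for net in NON_ROUTABLE):
        return "DROP: non-routable destination"
    return "FORWARD"


def ingress_verdict(dst: str, proto: str, dport: int, wan_ip: str) -> str:
    """Decide what happens to a WAN-originated packet.

    Directed broadcasts and multicast aimed at the LAN, direct access to
    Intranet hosts, and SNMP queries to the router's own WAN address are
    dropped; everything else is left to connection tracking (PASS here).
    """
    d = ipaddress.ip_address(dst)
    if d == LAN.broadcast_address or d.is_multicast:
        return "DROP: broadcast/multicast probe"
    if d in LAN:
        return "DROP: direct access to Intranet host"   # only NAT replies may enter
    if d == ipaddress.ip_address(wan_ip) and proto == "udp" and dport in SNMP_PORTS:
        return "DROP: SNMP on WAN interface"
    return "PASS: subject to connection tracking"


if __name__ == "__main__":
    wan = "203.0.113.9"   # constructed public address of the router
    for src, dst in [("192.168.1.10", "198.51.100.1"),
                     ("192.168.1.10", "192.168.0.5"),
                     ("192.168.1.10", "192.168.1.20")]:
        print(f"egress  {src} -> {dst}: {egress_verdict(src, dst)}")
    for dst, proto, port in [("192.168.1.255", "udp", 137),
                             (wan, "udp", 161),
                             (wan, "tcp", 443)]:
        print(f"ingress -> {dst} {proto}/{port}: {ingress_verdict(dst, proto, port, wan)}")
```

The egress rule is the important one for point 2: a host that mistakenly believes 192.168.0.5 is local will have its packet dropped at the router instead of handed to the ISP's spoofing device.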

4. Passive fingerprint analysis. This is the mechanism of several popular systems (such as Jianbing and Xinfeng). By analyzing the design, or the defects, of the IP header and TCP header, a great deal can be learned. The IP ID is the most convenient: it lets the number of machines be counted directly. TTL, MSS (MTU), the receive window, and the ratio of receive window to MSS can also show whether a machine is using NAT. Going one step further, one can tell how many operating systems sit behind one IP and analyze for a proxy: besides changes in the application protocol version (for example HTTP 1.1 -> 1.0), proxy software uses some special TCP packets, for example PSH... The countermeasure is a firewall with a normalizer function that normalizes the packets it sends out. Unfortunately, cheap firewalls find it hard to normalize packets well even when they try.
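The IP ID counting mentioned above is the easiest part of passive fingerprinting to reproduce. The following is an added example, not code from the article or from any of the systems it names: it takes constructed capture records as seen at the NAT egress (timestamp, IP ID, TTL), links packets into per-host chains of sequentially increasing IP IDs with a common TTL, and counts the chains. The `max_gap` window and the sample TTL values are assumptions. The second sample shows the failure mode: hosts (or a normalizer) that randomize the IP ID leave only single-packet chains, so the count becomes inconclusive.

```python
from dataclasses import dataclass


# One captured packet as seen at the NAT egress. Only the fields the passive
# IP ID analysis needs are kept. All values below are constructed.
@dataclass
class Pkt:
    ts: float    # capture time, seconds
    ip_id: int   # IP identification field
    ttl: int     # TTL as observed after the router decremented it once


def chain_hosts(pkts, max_gap=64):
    """Group packets into per-host chains.

    A host with a sequential IP ID counter emits IDs that increase by small
    steps, and all of its packets share one TTL (initial TTL minus the same
    hop count). Each packet extends the chain whose last ID it follows most
    closely; if none matches, it starts a new chain, i.e. a new suspected host.
    """
    chains = []  # each: {"ttl": int, "last": int, "count": int}
    for p in sorted(pkts, key=lambda p: p.ts):
        best, best_delta = None, None
        for c in chains:
            if c["ttl"] != p.ttl:
                continue
            delta = (p.ip_id - c["last"]) % 65536      # the counter wraps at 16 bits
            if 0 < delta <= max_gap and (best is None or delta < best_delta):
                best, best_delta = c, delta
        if best is None:
            chains.append({"ttl": p.ttl, "last": p.ip_id, "count": 1})
        else:
            best["last"] = p.ip_id
            best["count"] += 1
    return chains


def estimate_hosts(pkts, min_chain=2):
    """Return (suspected host count, number of single-packet chains).

    Single-packet chains are not counted as hosts: they are either a host seen
    once or the symptom of randomized IP IDs, which defeat this method. A high
    second value therefore means "inconclusive" rather than "many hosts".
    """
    chains = chain_hosts(pkts)
    real = [c for c in chains if c["count"] >= min_chain]
    return len(real), len(chains) - len(real)


# Constructed capture: three hosts behind one public address. A and B run an
# OS with initial TTL 128, C one with initial TTL 64; one router hop each.
SAMPLE = [
    Pkt(0.0, 1000, 127), Pkt(0.1, 40000, 127), Pkt(0.2, 1001, 127),
    Pkt(0.3, 40003, 127), Pkt(0.4, 500, 63), Pkt(0.5, 1002, 127),
    Pkt(0.6, 501, 63), Pkt(0.7, 40004, 127), Pkt(0.8, 1005, 127),
]

# Constructed capture from a single host whose IP IDs are randomized (here a
# fixed stride far larger than max_gap stands in for random values).
RANDOMIZED = [Pkt(float(i), (i * 12345) % 65536, 63) for i in range(6)]

if __name__ == "__main__":
    print("sequential IDs:", estimate_hosts(SAMPLE))       # (3, 0)
    print("randomized IDs:", estimate_hosts(RANDOMIZED))   # (0, 6)
```

The per-host chains also carry the TTL, so the same pass yields the mix of initial TTLs (and hence operating systems) behind the address, which is the "how many operating systems" observation made in the text.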

5. Application-layer analysis, such as your browser version, the number of connections, and the number of Windows Update sessions.

6. Interference with user packets: injecting interference packets into the user's ongoing communication... The analysis is rather complex. My initial analysis is that this is an attack on normalizer systems; we have observed this behavior in information systems. The countermeasure is to configure the normalizer carefully so that it cannot be fooled, and packet injection is difficult.

7. Other new techniques?
