Discover and cheat: teaching you a simple way to find the hacker's nest

Source: Internet
Author: User

Network security is a comprehensive and complex undertaking, and no security measure can guarantee protection. Therefore, for important organizations, once the network is attacked it is necessary to track the attack, trace the attackers and bring them to justice.

Tracking a network attack means finding the source of the event. This has two parts: finding the IP address, MAC address or authenticated host name, and determining the identity of the attacker. During or after an attack, network attackers inevitably leave clues, such as logon records and file permission changes; correctly handling this virtual evidence is the biggest challenge in tracking network attacks.

Another issue to consider when tracking network attacks is that an IP address is a logical address rather than a physical one, and it is easily forged. Most network attackers use IP address spoofing, so the apparent source of the attack is wrong, and discovering attackers based on IP addresses alone is difficult. Therefore, methods are needed to detect the attacker's spoofing and find the real IP address of the attack source.

★Netstat command: real-time viewer

Use the netstat command to obtain the IP addresses of all network users currently connected to the host being examined. Common network operating systems such as Windows, Unix, and Linux all provide the "netstat" command.

The disadvantage of the "netstat" command is that it shows only current connections. If the attacker has no open connection at the moment "netstat" is run, no trace of the attacker will be found. Therefore, you can use the system scheduler to run "netstat" at fixed intervals and redirect its output (netstat > textfile) so that the data from each check is written to a text file, which can later be used to track network attacks.
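The scheduled "netstat > textfile" idea from above, as an added example that is not part of the original article: one function appends a timestamped `netstat -an` run to a file (to be invoked from cron or Task Scheduler), and one parses the saved output into the set of peer IP addresses, skipping listening sockets. The netstat output shown is constructed for the example, and the Linux/Windows column handling is an assumption about those two layouts.

```python
import ipaddress
import re
import subprocess
import time

# Constructed sample of `netstat -an` output (Linux column layout); not a real capture.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.23:40112     TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.7:51300       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Proto, optional Recv-Q/Send-Q (absent in Windows output), local, foreign, optional state.
_ROW = re.compile(r"^(tcp6?|udp6?)\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)(?:\s+(\S+))?", re.I)


def remote_hosts(netstat_text: str, established_only: bool = False) -> set:
    """Return the set of peer IP addresses found in saved netstat output."""
    hosts = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue                          # banner/header lines
        _proto, _local, foreign, state = m.groups()
        host, _, port = foreign.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue                          # hostname or unparsable field
        if port == "*" or ip.is_unspecified:
            continue                          # listening socket: no peer yet
        if established_only and state != "ESTABLISHED":
            continue
        hosts.add(str(ip))
    return hosts


def snapshot(path: str) -> str:
    """Append one timestamped `netstat -an` run to `path` (e.g. every 10 minutes from cron)."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"=== {stamp} ===\n{out}\n")   # one dated section per scheduled run
    return stamp
```

The dated sections in the snapshot file can later be fed to `remote_hosts` one at a time to see which peers were connected at each check.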

★Log data: the most detailed attack records

System log data provides detailed user logon information and is the most direct and effective evidence when tracking network attacks. However, the log data on some systems is incomplete, and network attackers often delete records of their activity from the system logs. Therefore, remedial measures must be taken to ensure the integrity of log data.

Unix and Linux logs

Unix and Linux log files record various activities in detail, such as the user name, IP address, port number, logon and logout times of each logon ID, the last logon time of each ID, the logon terminal, the commands executed, and account information for the user ID. This information, in particular the ttyname (terminal number) and source address, is the most important data for tracking network attacks.

Most web attackers delete records of their activity from the logs, and UDP- and X Windows-based activities are often not logged at all, making tracing difficult. To address this, you can run a wrapper tool on the system that records user service requests and all activities; it is not easily detected by network attackers, and so effectively prevents them from clearing their activity records.

Windows NT and Windows 2000 logs

Windows NT and Windows 2000 have three types of logs: system, security, and application. Security-related data is contained in the security log, which records information about logged-on users. What the security log records is determined by the audit configuration, so the audit policy must be configured according to the security requirements in order to obtain the data needed to secure the system.

However, Windows NT and Windows 2000 security logs have a major defect: they do not record the source of an event, so the attacker's source address cannot be tracked from the security log alone. To work around this, install a third-party tool that records audit data in full.

Firewall logs

As the "bastion host" of the network, a firewall is much less likely to be compromised by network attackers, so its log data is harder to modify. Firewall logs therefore provide the best source-address information about the attack source.

This does not mean, however, that a firewall cannot be cracked; its logs may also be deleted or modified. Attackers can also launch DoS attacks against the firewall, paralyzing it or at least slowing it down so that it cannot respond to events in time, thereby undermining the integrity of the firewall log. Therefore, before relying on firewall logs, run a dedicated tool to check their integrity so that incomplete data does not lead the trace astray.

★Raw data packets: a relatively reliable analysis method

Because the host itself may have been compromised, the information obtained from its system logs is sometimes unreliable. Therefore, capturing and analyzing raw data packets is another important and more reliable method for determining the attack source.

Packet header data analysis

Table 1 lists the IP header of a raw packet. The first row of the table is the most useful. The last 8 hex digits of the first row represent the source address; in this example they are 0xd2, 0x1d, 0x84, and 0x96, corresponding to the IP address 210.45.132.150. By analyzing the header data of raw packets you can obtain a more reliable IP address for the network attacker, because this data will not be deleted or modified. However, the method is not perfect: if attackers encrypt their packets, analysis of the captured packets will be useless.

Table 1 IP address header data

0x0000 45c0 c823 0000 d306 6002 2c06 d30d 8496
0x0010 22ab b365 c234 0000 0000 4066 dd1d 8818
0x0020 7034 ecf8 0000 5b88 7708 b901 4a88 de34
0x0030 9812 a5c6 0011 8386 9618 0000 a123 6907
0x0040 55c5 0023 3401 0000 5505 b1c5 0000 0000
0x0050 0000 0000 0000 0000

Capture Data Packets

It is difficult to capture packets in a switched network environment, mainly because a hub and a switch are fundamentally different in how they forward data. A hub uses broadcast transmission: it does not set up connections but sends each packet to every port except the one it arrived on, so any machine connected to the hub can capture packets through it. A switch supports end-to-end connections: when a packet arrives, the switch sets up a temporary path for it, and the packet travels over that path to the destination port only. Therefore, capturing packets in a switched environment is not easy. To obtain packets in a switched environment, use one of the following methods:

(1) Configure a "spanning port" (port mirroring) on the switch so that it behaves like a hub: packets sent through this port are no longer switched to the target host alone but are broadcast to all machines connected to the port. Set up a packet capture host to capture packets through the spanning port. However, only one port on a switch can be set as the spanning port at a time, so packets from multiple hosts cannot be captured simultaneously.

(2) Install a hub between switches, or between a router and a switch. Packets passing through the hub can then be captured by the capture host.

When capturing packets to obtain the attacker's source address, two issues need attention. First, make sure the capture host has enough storage space, because if network throughput is high the hard disk fills up quickly. Second, when analyzing the packets, write a small program to do the analysis automatically, since manually analyzing that much data is impossible.
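The "small program for automatic analysis" suggested above, applied to the header analysis described under Table 1, as an added example that is not part of the original article: it reads a hex dump in the same offset-plus-words layout as Table 1, decodes the IPv4 header fields (source address at bytes 12-15, destination at 16-19) and verifies the RFC 791 header checksum. The dump it parses is a constructed sample, not the packet from Table 1, built so that the checksum is valid and the source address is 210.45.132.150.

```python
import struct

# Constructed sample in the same layout as Table 1 (offset, then eight 16-bit
# words per line). Not a real capture: built so the IPv4 header checksum is
# valid and the source address is 210.45.132.150.
SAMPLE_DUMP = """
0x0000 4500 003c 1c46 4000 4006 0709 d22d 8496
0x0010 c0a8 0001 04d2 0050 0000 0000 0000 0000
"""

def dump_to_bytes(dump: str) -> bytes:
    """Convert an offset-prefixed hex dump to raw bytes, dropping the offset column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        if fields and fields[0].lower().startswith("0x"):
            fields = fields[1:]
        for word in fields:
            if len(word) != 4:
                raise ValueError(f"bad hex word: {word!r}")
            out += bytes.fromhex(word)       # raises ValueError on non-hex input
    return bytes(out)

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words (checksum field must be zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(dump: str) -> dict:
    """Parse the IPv4 header at offset 0 of a hex dump and verify its checksum."""
    raw = dump_to_bytes(dump)
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4                # header length in bytes (20..60)
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    _, _, total_len, _, _, ttl, proto, csum = struct.unpack("!BBHHHBBH", raw[:12])
    zeroed = raw[:10] + b"\x00\x00" + raw[12:ihl]   # header with checksum field cleared
    return {
        "header_len": ihl, "total_length": total_len, "ttl": ttl, "protocol": proto,
        "src": ".".join(str(b) for b in raw[12:16]),  # bytes 12-15: source address
        "dst": ".".join(str(b) for b in raw[16:20]),  # bytes 16-19: destination address
        # checksum_ok means the header was captured intact, not that the source is genuine
        "checksum_ok": ipv4_checksum(zeroed) == csum,
    }
```

A failed checksum flags a damaged or altered capture; a passing one still says nothing about whether the sender spoofed the source address, which is the separate problem discussed at the start of the article.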

★Search engines: unexpected surprises

Using a search engine to obtain a network attacker's source address has no theoretical basis, but it often yields unexpected results that come as a pleasant surprise in the tracing work. Hackers often have their own virtual communities on the Internet where they discuss attack techniques and methods and show off their results, so information about the attack source, or even their identity, is often exposed.

Using search engines to track network attackers' IP addresses means using a good search engine (such as Sohu's) to search web pages with the attacked host's domain name, IP address, or host name as keywords, and checking whether there are posts about attacks on the machines those keywords represent. Although network attackers generally use fake source addresses when posting, many are careless and use their real source addresses, so this method can often turn up traces of network attackers by chance.

Because the authenticity of a source address on the network cannot be guaranteed, using a source address without further analysis may implicate innocent users. However, search engines are very useful when combined with the other methods.
