Implementation of SSH file transmission commands and libnids Port Scan attack detection

Source: Internet
Author: User

On Linux, scp is generally used to transfer files over SSH. If your working environment is Windows, you can use SecureCRT or an SSH login tool such as PuTTY for the transfer.
For Linux:

I. Use scp to transfer files

1. Download a file from the server

scp username@servername:/path/filename .

For example, scp username@192.168.0.10:/path/filename . copies the file (given by its absolute path) into the current directory.

2. Upload a local file to the server

scp /path/filename username@servername:/path

For example, scp /home/Wang/filename codinglog@192.168.0.10:/home/Wang/ uploads a file from the local /home/Wang/ directory to the /home/Wang/ directory on 192.168.0.10.

3. Download an entire directory from the server

scp -r username@servername:remote_dir local_dir/

For example: scp -r username@192.168.0.10:/home/Wang/lab_3 /home/Wang/

4. Upload a directory to the server

scp -r local_dir username@servername:remote_dir

For example, scp -r test codinglog@192.168.0.10:/var/www/ uploads the directory test under the current directory to the /var/www/ directory on the server.
For Windows:

II. Use the PuTTY tool set

1. psftp tool

a. Create a connection: open 192.168.0.1 and enter the user name and password when prompted.

b. Use lcd to change to the local directory you want to download into; for example, lcd D:\wwwroot enters the wwwroot directory on the local D: drive.

c. Start the transfer: put filename uploads a file, and get filename downloads a file.

Implementation of libnids Port Scan attack detection

1. On Linux, capture packets with tcpdump and save them as pcap files for analysis in Wireshark

tcpdump saves captured packets to a file with the -w option, e.g. -w xxx.cap. Some examples:

Capture everything on eth1: tcpdump -i eth1 -w /tmp/xxx.cap

Capture packets to or from host 192.168.1.123: tcpdump -i eth1 host 192.168.1.123 -w /tmp/xxx.cap

Capture port 80 traffic of 192.168.1.123: tcpdump -i eth1 host 192.168.1.123 and port 80 -w /tmp/xxx.cap

Capture ICMP packets of 192.168.1.123: tcpdump -i eth1 host 192.168.1.123 and icmp -w /tmp/xxx.cap

Capture traffic of 192.168.1.123 on ports other than 80, 25 and 110: tcpdump -i eth1 host 192.168.1.123 and ! port 80 and ! port 25 and ! port 110 -w /tmp/xxx.cap

Capture port 80 traffic on VLAN 1: tcpdump -i eth1 port 80 and vlan 1 -w /tmp/xxx.cap

Capture PPPoE session traffic: tcpdump -i eth1 pppoes -w /tmp/xxx.cap

Split the output into files of a given size with -C (the size is given in MB): -C 100 starts a new file every 100 MB, and -C 10000 opens an additional file once the current one exceeds 10000 MB.

Stop after a given number of packets with -c (e.g. -c 100).

Capture in the background so that closing the console does not affect the capture file: nohup tcpdump -i eth1 port 110 -w /tmp/xxx.cap &

You can open the captured file with Ethereal or Wireshark.

2. Linux NMAP scanning and sniffing tools

Nmap, or Network Mapper, is a network scanning and sniffing tool package for Linux. It has three basic functions: detecting whether a group of hosts is online, scanning host ports to discover the network services they provide, and inferring the operating system a host is running. Nmap can scan networks with as few as two nodes or more than 500 nodes, and it lets you customize the scan technique. A simple ICMP ping is usually enough for general requirements, but you can also probe UDP or TCP ports in depth, up to identifying the host's operating system; all results can be recorded in logs of various formats for further analysis.
Ping scan: print the hosts that respond to the scan without further testing (such as port scanning or operating system detection):

nmap -sP 192.168.1.0/24

Only list each host on the specified network and do not send any packets to the target host:

nmap -sL 192.168.1.0/24

TCP SYN ping: probe ports on the target host to tell whether it is up. You can specify a comma-separated port list (for example, -PS22,80):

nmap -PS 192.168.1.234

Use UDP ping to detect hosts:

nmap -PU 192.168.1.0/24

The most frequently used scan option is the SYN scan, also known as the half-open scan. It never opens a full TCP connection and runs very quickly:

nmap -sS 192.168.1.0/24

When the SYN scan is unavailable, the TCP connect() scan is the default TCP scan:

nmap -sT 192.168.1.0/24

A UDP scan uses the -sU option to send an empty (no data) UDP header to each target port:

nmap -sU 192.168.1.0/24

Determine which IP protocols the target machine supports (TCP, ICMP, IGMP, etc.):

nmap -sO 192.168.1.19

Detect the operating system of the target host:

nmap -O 192.168.1.19

nmap -A 192.168.1.19

In addition, the examples in the Nmap official document are as follows:

nmap -v scanme.nmap.org

This scans all reserved TCP ports on the host scanme.nmap.org. The -v option enables verbose mode.

nmap -sS -O scanme.nmap.org/24

Launches a stealth SYN scan against the 255 hosts on the "Class C" network where scanme resides, and at the same time tries to determine the operating system of each running host. Root privileges are required for SYN scanning and operating system detection.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Host enumeration and TCP scan of the first half of each of the 255 possible 8-bit subnets in the 198.116 Class B address space. This tests whether the systems are running sshd, DNS, imapd, or anything on port 4564. If these ports are open, version detection is used to determine which application is running.

nmap -v -iR 100000 -P0 -p 80

Randomly selects 100000 hosts and scans them for running web servers (port 80). Host enumeration is disabled with -P0: sending probes in the initial phase to determine whether a host is up is a waste of time when only one port of each host is going to be probed anyway.

nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

Scans 4096 IP addresses for web servers (without pinging) and saves the results in grepable and XML format.

host -l company.com | cut -d ' ' -f 4 | nmap -v -iL -

Finds the hosts in company.com by zone transfer and then feeds the IP addresses to nmap. The preceding commands are for GNU/Linux; other systems use different commands to perform a zone transfer.

Other options:

-p <port ranges> (only scan the specified ports)

Either a single port or a port range indicated by a hyphen (for example, 1-1023). When scanning both TCP and UDP ports, you can add T: or U: before the port numbers to specify the protocol. The protocol qualifier remains in effect until another one is specified. For example, the argument -p U:53,111,137,T:21-25,80 scans UDP ports 53, 111 and 137 and, at the same time, the listed TCP ports.

-F (fast (limited port) scan)
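The SYN scan and the connect() scan described above both begin every probe with a bare SYN, and a detector such as the one in libnids works by counting how many distinct ports one source hits in a short time. The following is an added example (written for this page, not code from the original page or from libnids) of that detection logic in Python over constructed packet records; the thresholds num_ports=10 and window_s=3.0 and the sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample (not a real capture): one record per TCP packet, reduced to
# (time_s, src, dst, dst_port, tcpdump-style flags: "S" = SYN only,
# "S." = SYN-ACK, "." = ACK). 192.168.1.50 probes 12 ports in ~0.1 s,
# the pattern an nmap -sS or -sT run against a host produces.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080]
SAMPLE_PACKETS = [(0.01 * i, "192.168.1.50", "192.168.1.19", p, "S")
                  for i, p in enumerate(SCAN_PORTS)]
SAMPLE_PACKETS += [
    (1.50, "192.168.1.60", "192.168.1.19", 443, "S"),   # ordinary client: one port,
    (1.51, "192.168.1.19", "192.168.1.60", 443, "S."),  # full three-way handshake
    (1.52, "192.168.1.60", "192.168.1.19", 443, "."),
    (40.0, "192.168.1.70", "192.168.1.19", 25, "S"),    # two ports, far apart in time
    (55.0, "192.168.1.70", "192.168.1.19", 110, "S"),
]


def detect_port_scans(packets, num_ports=10, window_s=3.0):
    """Return [(src, dst, sorted_ports)] for every source that sends bare SYNs
    to at least num_ports distinct ports of one destination within window_s.

    A half-open (-sS) scan and a connect() (-sT) scan both start each probe
    with a SYN carrying no ACK, so counting distinct ports hit by such SYNs
    catches either; a normal client touches only one or a few ports. The
    threshold/window idea follows libnids's scan detector, but the default
    values here are assumptions for this example, not libnids's own.
    """
    recent = defaultdict(list)   # (src, dst) -> [(time, port)] inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, dport, flags in sorted(packets):
        if flags != "S":         # SYN-ACK, ACK or data: not a new probe
            continue
        key = (src, dst)
        hits = [(t, p) for t, p in recent[key] if ts - t <= window_s]
        hits.append((ts, dport))
        recent[key] = hits
        ports = {p for _, p in hits}
        if len(ports) >= num_ports and key not in alerted:
            alerted.add(key)     # report each (src, dst) pair once
            alerts.append((src, dst, sorted(ports)))
    return alerts


if __name__ == "__main__":
    for src, dst, ports in detect_port_scans(SAMPLE_PACKETS):
        print(f"possible port scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

The alert fires as soon as the threshold is reached, so the reported port list contains the first num_ports ports seen, not every port the scan eventually touches.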


3. Network testing with tcpdump capture and tcpreplay playback

# A detailed explanation of the capture commands of both tools is beyond the scope here; we only briefly introduce the parameters we used:

shell> tcpdump -s0 -vv -e -i eth0 -nn port 67 -c 100 -w yfang.cap

# -e: print link-layer header information
# -vv: print verbose details
# -i eth0: listen on the eth0 NIC
# -nn: keep ports and protocols in numeric form in the output (no name resolution)
# -c 100: capture 100 packets that match the filter and stop; otherwise the capture continues indefinitely
# -s0: very important in this experiment. -s0 means the packets are not truncated but kept at their original size
# port 67: needs little explanation, since the DHCP protocol exchanges information between client and server on ports 67 and 68
# -w yfang.cap: tcpdump writes intercepted packets to standard output by default; -w forces the output into the file yfang.cap in pcap format, for later replay

# Next, replay this capture without any modification. Only two parameters are used here: -i eth0 needs no explanation, and -l 3 means the capture is sent three times in a row. In actual testing, sending it once is OK.
# tcpreplay -i eth0 -l 3 mycap

When an intranet machine in the lab was configured with a fixed IP address today, it could ping IP addresses but could not access the Internet. This is generally a DNS issue.

Edit the resolver configuration: sudo vim /etc/resolv.conf

Add a line of the form nameserver <IP address> (note that this must be the address of your DNS server, not an arbitrary address).
