Theory of odor detection and anti-odor Detection

Theory of odor detection and anti-odor Detection

I. Basic knowledge of the stinker

1.1 What is a stinking detector?

Sniff is an English form of the stinker. It can be understood as a computer-installed eavesdropping device. It can be used to snoop a large amount of information on the computer's network. A simple explanation: A is a telephone eavesdropping device. A can be used to intercept the communication content of both parties, while a computer network Stinker can intercept the computer.ProgramData sent and received on the network.

However, the data directly transmitted by a computer is actually a large amount of binary data. Therefore, a network eavesdropping program must also use a specific network protocol to break down the smelly data, and the smelly detector must be able to identify the protocol that corresponds to the data segment, only in this way can we perform correct decoding.

Computer stinks have their unique advantages over telephone ***: many computer networks use "shared media ". That is to say, you do not have to interrupt his communication, configure special lines, and then install the stinking detector, you can directly Snoop computer network data in the same mask on almost any connected network. This method is called promiscuous mode ). Even so, this "sharing" technology has developed rapidly and has slowly switched to "exchange" technology. This technology will continue to be used for a long time and can be used to send and receive data with a specific purpose.

How the 1.2 Stinker works

1.2.1 how to snoop Network Information

As mentioned earlier, Ethernet data transmission is based on the "sharing" principle: All computers in the same region can receive the same data packet. This means that direct computer communication is transparent and visible.

For this reason, Ethernet cards all construct hardware filters, which will ignore all network information that is irrelevant to themselves. In fact, the information that does not match the MAC address is ignored.

The stinking program uses this feature to proactively disable the stinking detector, that is, setting the NIC "mixed mode" as mentioned earlier ". Therefore, the stinking program can receive network data throughout the Ethernet.

1.2.2 what is the MAC address of Ethernet

Mac: Media Access Control.

Because a large number of computers "share" data streams over Ethernet, a unified approach is required to differentiate the data streams transmitted to different computers. This problem does not occur to dial-up users, because the computer assumes that all data is initiated by you to the modem and then transmitted over the telephone line. However, when you send data to the Ethernet, you must find out which computer is the object of the data you send. Indeed, there are a large number of two-way communication programs. It seems that they only exchange information on two machines, but you must understand that Ethernet information is shared, other users actually receive the data you sent, but the data is ignored by the filter.

MAC addresses are composed of a group of six hexadecimal numbers, which exist in each Ethernet Card. The subsequent sections will show you how to view the MAC address of your computer.

If you are not familiar with the network structure, we recommend that you refer to the OSI 7-layer model. This will help you understand that the protocols used by Ethernet are TCP/IP, TCP/IP is also used in other network models (such as dial-up users, they are not in an Ethernet environment ). For example, many small-group computer users share files and prints, and install netbeui because it is not based on TCP/IP protocol, therefore, hackers from the Internet cannot learn about their devices.

Based on the raw Protocol, both transmission and receiving play a dominant role in Ethernet. You cannot directly send raw data to Ethernet. You must first do something so that Ethernet can understand what you mean. This is a bit similar to the mail method. You cannot directly deliver a letter. You must first install an envelope, write an address, paste a stamp, and transfer it over the Internet.

The following is a simple illustration to help you understand the principles of data transmission:

_________

/.........\

/.. Internet .\

+ ----- ++ ---- + ............ +

| Usera | ----- | route | ...... | userb |

+ ----- + ^ + ---- + ...... +

| \.........../

| \---------/

+ ------ +

| Stinker |

+ ------ +

Usera IP Address: 10.0.0.23

Userb IP Address: 192.168.100.54

Now we know that usera needs to communicate with userb on a computer. usera needs to create an IP packet for communications between 10.0.0.23 and 192.168.100.54.

This IP packet is transmitted over the network and must be able to penetrate the router. Therefore, usera must first submit this package to the router. Each router examines the destination IP address and then determines the transfer path.

What usera knows is the connection between the local and the route, and the IP address of userb. Usera does not know the network structure and routing trend.

Usera must tell the router about the packet to be sent. The Ethernet data transmission structure is like this:

+ -- +

| Target Mac |

+ -- +

| Source MAC |

+ -- +

| 08 00 |

+ -- + ----------- +

|

..

. IP package.

..

|

+ -- + ----- +

| CRC verification |

+ -- +

To understand this structure, the usera computer creates a packet and assumes that it consists of 100 bytes in length (let's assume that 20 bytes are IP information and 20 bytes are TCP information, there are also 60 bytes of transmitted data ). Now, send the package to the Ethernet, put 14 bytes before the MAC address of the destination, and set the source MAC address to a 0x0800 mark, it indicates the data structure after the TCP/IP stack. At the same time, four bytes are appended for CRC verification (CRC verification is used to check the correctness of the transmitted data ).

Send data to the network.

All computers in the network can find this data chip through the adapter, which also includes the routing adapter, smelly probe and some other machines. Generally, the adapter has a chip used for structure comparison. Check that the MAC address in the structure is different from its own MAC address. If not, the adapter discards the structure. This operation is done by hardware, so the entire process is imperceptible to programs in the computer.

When the router's Ethernet Adapter finds this structure, it reads network information, removes the first 14 bytes, and traces 4 bytes. Search for the 0x8000 flag, and then process the structure (it will deduce the next fastest route node based on the network conditions, so as to transmit data to the predetermined destination address as soon as possible ).

Imagine that only the routing machine can check this structure, and all other machines ignore this structure, the stinker will not be able to detect this structure in any way.

1.3.1 what is the MAC address format?

The MAC address of the Ethernet card is a set of 48-bit numbers, which are divided into two parts. The first 24 bits are used to represent the host of the Ethernet Card, the next 24 bits are serial numbers that are carried out by the host. This guarantees that the MAC addresses of no two NICs are the same (of course, it can be implemented through special methods ). If the same address appears, the problem will occur. All of this is very important. These 24 bits are called OUI (organizationally unique identifier ).

However, the actual length of Oui is only 22 bits, and there are two other bits used for other purposes: one bit is used to verify whether it is a broadcast or multicast address, another bit is used to allocate the local execution address (some networks allow the Administrator to assign the MAC address based on the specific situation ).

For example, your MAC address is expressed as 03 00 00 00 01 on the network. The binary representation of the value contained in the first byte is 00000011. We can see that the last two bits are set to true values. He specified a multicast mode to broadcast to all computers and used the "netbeui" protocol (generally, in the Windows computer network, file Sharing and transmission do not use the TCP/IP protocol )..

1.3.2 how do I get the MAC address of my computer?

Win9x

The program that comes with Win9x will tell you the answer: “winipcfg.exe"

Winnt

Run this command in the command line status: "ipconfig/all"

It will display your Mac NIC address. The following is an example:

Windows 2000 IP configuration

Host Name ......: bigball

Primary DNS suffix .......:

Node Type ......: Hybrid

IP routing enabled...: No

Wins proxy enabled...: No

Ethernet Adapter local connection:

Connection-specific DNS suffix .:

Description .....: Legend/D-link DFE-530TX PCI fast ETH

Ernet adapter (Rev B)

Physical address ......: 00-50-ba-25-5d-e8

DHCP enabled...

IP address ......: 192.168.10.254

Subnet Mask ......: 201710000128.0

Default Gateway...: 192.168.10.3

Ethernet Adapter sc1_1:

Description ......: Dec dc21140 PCI Fast Ethernet

Linux

Run "ifconfig ". The result is as follows:

Eth0 link encap: Ethernet hwaddr 08: 00: 17: 0a: 36: 3E

Inet ADDR: 192.0.00001 bcast: 192.0.2.255 mask: 255.255.255.0

Up broadcast running Multicast MTU: 1500 Metric: 1

RX packets: 1137249 errors: 0 dropped: 0 overruns: 0

TX packets: 994976 errors: 0 dropped: 0 overruns: 0

Interrupt: 5 base address: 0x300

Solaris

Run the "ARP" or "netstat-P" command.

1.3.3 how can I know that there are computers directly associated with my mac address?

For WinNT and Unix machines, you can directly view them using ARP-.

1.3.4 can I change my mac address?

Yes. To put it simply:

The first method is address spoofing because the MAC address is part of the packet structure. Therefore, when you send a packet to Ethernet, You can overwrite the Mac information from the source.

The second method is to allow many NICs to modify the internal MAC address within a certain period of time.

In the third method, you can re-install the eeprom to modify the MAC address. However, this method requires you to have a specific hardware device and an appropriate chip to modify, and this method will always change your MAC address.

Ii. Anti-odor Detection Technology

2.1 How can I check whether there is a smelly probe in the network?

Theoretically, the stinking program cannot be detected, because it is a passive receiving program that is passively triggered and only collects data packets, without sending any data, the smelly probing program can still be detected.

A stinking program will not send any data, but some data streams will be generated when it is installed on a computer in a normal LAN. For example, it can send a request to start DNS reverse lookup Based on the IP address.

The following is a simple detection method:

Ping Method

Many stinks. If you send a request to a machine with a program, it will respond.

Note:

1. It is suspected that the machine with the IP address 10.0.0.1 is installed with a stinking probe program, and its MAC address is determined as 00-40-05-a4-79-32.

2. Make sure that the machine is in the middle of the LAN.

3. Change the MAC address to 00-40-05-a4-79-33.

4. Ping the IP address using the ping command.

5. No one can view the sent data packet because the MAC address of each computer cannot be inconsistent with the MAC address in the packet. Therefore, the packet should be discarded.

6. If you see the response, it indicates that the MAC package has not been discarded. That is to say, there may be a stinking probe.

Now, this method has been widely promoted and publicized, and the new generation of hackers have learnedCodeMany computer operating systems (such as Windows) that have added virtual MAC address filters support Mac filters (many inspector checks only the first byte of Mac. In this way, MAC address FF-00-00-00-00-00 and FF-FF-FF-FF-FF-FF is no difference. (Broadcast address messages will be received by all computers ). This technology is usually used in Ethernet for switching models. When a vswitch finds an unknown MAC address, it performs operations similar to "Flood" and sends the package to each node.

2.2 local odor detection program

The program Detection Method of the local odor detector is relatively simple. You only need to check whether the NIC is in the mixed mode. in Linux, this method is easier to implement, but on Windows platform, there are no ready-made functions available for us to implement this function. Here are some tips:

# Include <winsock2.h>

# Define max_pack_len 65535

# Define max_hostname_lan 255

# Pragma comment (Lib, "ws2_32.lib ")

Int main ()

{

Socket sockraw, sock;

Wsadata;

Int ret = 0;

Struct sockaddr_in saddr, ADDR;

Char recvbuf [max_pack_len];

Char far name [max_hostname_lan];

Struct hostent far * phostent;

Char * Buf = (char *) malloc (128 );

Int setTimeout = 1000; // here we set a timeout of one second

Printf ("unsniffer for Win2k V1.0 \ Npower by bigball \ nhomepage: http: \// www.patching.net \/liumy \ nemail: liumy@patching.net \ noicq: 9388920 \ n \ nchecking your system, wait a moment please... \ n ");

Wsastartup (makeword (2, 2), & wsadata );

// Create a rawsocket

Sockraw = socket (af_inet, sock_raw, ipproto_ip );

Create another UDP

Sock = socket (af_inet, sock_dgram, ipproto_udp );

Memset (& saddr, 0, sizeof (saddr ));

Memset (& ADDR, 0, sizeof (ADDR ));

Saddr. sin_family = af_inet;

Saddr. sin_port = htons (5257 );

ADDR. sin_family = af_inet;

ADDR. sin_port = htons (5258 );

// Point the IP address to the Local Machine

ADDR. sin_addr.s_un.s_addr = inet_addr ("127.0.0.1 ");

Memset (recvbuf, 0, sizeof (recvbuf ));

Phostent = malloc (sizeof (struct hostent ));

Gethostname (name, max_hostname_lan );

Phostent = gethostbyname (name );

// Obtain your own IP Address

Memcpy (& saddr. sin_addr.s_un.s_addr, phostent-> h_addr_list [0], phostent-> h_length );

Free (phostent );

// Bind a local receiving port

BIND (sockraw, (struct sockaddr *) & saddr, sizeof (saddr ));

// An unopened port connecting to the Local Machine

Connect (sock, (struct sockaddr *) & ADDR, sizeof (ADDR ));

Buf = "1234567890! @ # $ % ^ &*";

// Set timeout

Setsockopt (sockraw, sol_socket, so_rcvtimeo, (char *) & setTimeout, sizeof (INT ));

// Send a packet to the virtual connection Port

Send (sock, Buf, strlen (BUF), 0 );

// Use sockraw to try to receive this packet

Ret = Recv (sockraw, recvbuf, sizeof (recvbuf), 0 );

If (ret = socket_error | ret = 0)

Printf ("No found any sniffer in your system! \ N ");

Else

{

// Chksum

If (BUF = "1234567890! @ # $ % ^ &*")

Printf ("Warning !!! Found sniffer !!! \ N ");

}

Closesocket (sock );

Closesocket (sockraw );

Free (phostent );

Free (BUF );

Wsacleanup ();

Return 0;

}