This presentation is the property of its rightful owner.
Sponsored Links
1 / 69

网络与信息安全 网络安全 (四 ) PowerPoint PPT Presentation


  • 70 Views
  • Uploaded on
  • Presentation posted in: General

网络与信息安全 网络安全 (四 ). 内 容. 欺骗 IP 欺骗 邮件欺骗 Web 欺骗 会话劫持 拒绝服务. 你将会发现, TCP/IP 协议是多么脆弱、不安全. 复 习. DNS 收集信息 DNS & nslookup Ping & traceroute 端口扫描 暴露网络上潜在的脆弱性 操作系统辨识 为系统相关的攻击打好基础. 复习:关于端口扫描. 有助于加强系统的安全性 常用技术 基本的 TCP connect() 扫描 TCP SYN 扫描(半开连接扫描, half open) TCP Fin 扫描(秘密扫描, stealth)

Download Presentation

网络与信息安全 网络安全 (四 )

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


7024382

()


7024382

    • IP

    • Web

TCP/IP


7024382

  • DNS

    • DNS & nslookup

  • Ping & traceroute


7024382

    • TCP connect()

    • TCP SYN(, half open)

    • TCP Fin(stealth)

    • TCP ftp proxy(bounce attack)

    • IPSYN/FIN()

    • UDP recvfrom

    • UDP ICMP

    • Reverse-ident


7024382

  • (IDS)


7024382

  • ()

    • DNSOS

    • TCP/IP

      • OS


7024382

  • IDS

    • IP


7024382

  • IP

    • IP

    • email

  • Web

    • DNS


7024382

IP

  • IP

    • IP

    • IP

  • IP

    • IP

    • IP

    • TCP

  • IP

    • IP


7024382

IP

  • IP

  • Linux

    • ifconfig


7024382

IP

  • IPIPIP

    • Unix/Linuxsocketroot

    • WindowsWinsock

      • winpcap

    • libnetIP

    • Linuxraw socketIP


7024382

IP

sockfd = socket(AF_INET, SOCK_RAW, 255);

setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on));

struct ip *ip;

struct tcphdr *tcp;

struct pseudohdr pseudoheader;

ip->ip_src.s_addr = xxx;

// IPTCP

pseudoheader.saddr.s_addr = ip->ip_src.s_addr;

tcp->check = tcpchksum((u_short *)&pseudoheader,12+sizeof(struct tcphdr));//

sendto(sockfd, buf, len, 0, (const sockaddr *)addr, sizeof(struct sockaddr_in));


7024382

A -> B

B -> A

A

H

B

IP

H

  • H

    • HA


7024382

IP

    • IP

      • IP

      • IP


7024382

    • smtp


7024382

XXXXX

()


7024382

    • (Name)FromReply-To

    • From

    • Reply-To


7024382


7024382

smtp

  • smtp25

    • Helo(or EHLO)

    • Mail from:

    • Rcpt to:

    • Data

    • Quit


7024382


7024382

    • Smtp

    • DNS

    • smtp


7024382

Web

  • WebInternet

    • InternetWeb

    • Web(DNS)

    • Web

  • Web

  • Web

    • URL

    • Web


7024382

    • ABCabc.netabc.com

      • (cookie)cookie


7024382

URL

  • HTTPWebURL

    • URL<a href=www.hackersite> Welcom to Hollywood-Movie site.</a>

    • urlscript

    • Web

    • http


7024382

Web

  • HTTP()Web

    • Cookie

    • url

  • WebID


7024382

Web

    • URL

    • URL

  • URL

    • SSL

  • Web

    • ID

  • WebWeb


7024382

    • IP

    • Internet

    • Internet


7024382

()


Tcp session hijacking

TCP(session hijacking)

    • Sniffer


7024382

1 A

2

4 A

3

A

H

B


7024382

  • TCP

    • TCP(TCP)

    • 4

    • IP:+SN <> IP:+SN

  • TCP

    • SN()

      • TCPSYNack

    • TCP


7024382

TCP

  • ACK

    • (SEG_SEQ)

    • (SEG_ACK)

  • (CLT)(SVR)

    • SVR_SEQ:

    • SVR_ACK: (1)

    • SVR_WIND:

    • CLT_SEQ:

    • CLT_ACK:

    • CLT_WIND:

    • CLT_ACK <= SVR_SEQ <= CLT_ACK + CLT_WIND

    • SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WIND

    • ACK()


7024382

TCP()

    • SVR_SEQ = CLT_ACK

    • CLT_SEQ = SVR_ACK

    • SVR_SEQ != CLT_ACK

    • CLT_SEQ != SVR_ACK

  • TCP

    • SEG_SEQ = CLT_SEQSEG_ACK = CLT_ACKCLT_SEQ != SVR_ACK

    • ()SEG_SEQ = SVR_ACKSEG_ACK = SVR_SEQ


Tcp ack storm

TCP ACK Storm

  • ACKACKACKACK

  • ACK

    • ACKACKACK

    • ACK


7024382

()

    • RSTTCPSYNSYN

    • SYN/ACKACK

    • TCP ESTABLISHED


7024382

()


7024382

()

  • Blind spoofing

  • SYN

  • ISN ()

    • RST


7024382

  • ISN()

    • nmap

    • ACK


Kill a connection

Kill a connection

  • RSTBAIP

    • ABABRSTRST

  • FINBAIP

    • BFIN

A

B


7024382

(1)

A

  • A->BTCP Packet ID (from_IP.port-to_IP.port): IP_A.PortA-IP_B.PortB SEQ (hex): 5C8223EA ACK (hex): C34A67F6 FLAGS: -AP--- Window: 7C001

B

BB->ATCP Packet ID (from_IP.port-to_IP.port): IP_B.PortB-IP_A.PortA SEQ (hex): C34A67F6 ACK (hex): 5C8223EB FLAGS: -AP--- Window: 22381

AA->BTCP Packet ID (from_IP.port-to_IP.port): IP_A.PortA-IP_B.PortB SEQ (hex): 5C8223EB ACK (hex): C34A67F7 FLAGS: -A---- Window: 7C000


7024382

(2)

A

  • ABTCP Packet ID (from_IP.port-to_IP.port): IP_A.PortA-IP_B.PortBSEQ (hex): 5C8223EB ACK (hex): C34A67F6 FLAGS: -AP--- Window: 7C0010()

B

BB->ATCP Packet ID (from_IP.port-to_IP.port): IP_B.PortB-IP_A.PortA SEQ (hex): C34A67F7 ACK (hex): 5C8223F5 FLAGS: -AP--- Window: 2238(20)

ASEQ/ACKTCP Packet ID (from_IP.port-to_IP.port): IP_A.PortA-IP_B.PortB SEQ (hex): 5C8223EB ACK (hex): C34A67F7 FLAGS: -A---- Window: 7C00


7024382

(3)

  • B(A)TCP Packet ID (from_IP.port-to_IP.port): IP_A.PortA-IP_B.PortB SEQ (hex): 5C8223F5 ACK (hex): C34A680B FLAGS: -AP--- Window: 7C00(37)

A

B

BB->ATCP Packet ID (from_IP.port-to_IP.port): IP_B.PortB-IP_A.PortASEQ (hex): C34A680B ACK (hex): 5C82241A FLAGS: -AP--- Window: 2238


7024382

    • Simple Active Attack Against TCP, http://www.insecure.org/stf/iphijack.txt

    • A short overview of IP spoofing: PART I, http://staff.washington.edu/dittrich/papers/IP-spoof-1.txt

    • A short overview of IP spoofing: PART II , http://staff.washington.edu/dittrich/papers/IP-spoof-2.txt

  • Hackers Beware


7024382

  • Juggernaut

    • TCPsniffer

  • Hunt

    • Juggernaut

  • TTY Watcher

  • IP Watcher


7024382

Hunt

  • Linux

    • (reset a session)

      • reset

      • Arp

      • MAC

      • sniffer


7024382

Hunt

l/w/r) list/watch/reset connections

u) host up tests

a) arp/simple hijack (avoids ack storm if arp used)

s) simple hijack

d) daemons rst/arp/sniff/mac

o) options

x) exit

->


7024382

hunt


7024382

hunt


Hunt ack

HuntACK


7024382

  • TCP

    • IP

    • ACK


Denial of service

(Denial of Service)

    • (availability)

    • DoS

  • DoS

    • DoS

  • DoS

    • : DOS


7024382

DoS

    • 19969ISP(Public Access Networks)60001000Internet

    • 20002WebDDoS


7024382

DoS

    • DoS

      • NT


7024382

DoS

      • (Internet)

    • CPU

    • Ping of Death

    • ()

    • DoS


7024382

DoS

  • Internet

    • TCPSYN Flood

    • Ping of Death, IP

  • DoS(DDoS)

    • smurf


7024382

DoS

  • Ping of Death

    • (IP)

  • Land

    • TCP SYNDoS

  • SYN Flood

    • SYN

  • UDP Flood

  • Teardrop

    • IP

  • Smurf

    • ICMP Echo


Ping of death

Ping of Death

  • pingICMP Echo

    • pingping

    • ping


Teardrop

Teardrop

  • IPmemcpy

  • Linux/Windows NT/9597

    • IP

  • http://www.attrition.org/security/denial/w/teardrop.dos.html


Syn flood

SYN Flood

  • TCPTCPTCP

    • IPIP

    • SYN

    • InternetTCP


Syn flood1

SYN Flood()

    • SYN

    • SYN

      • DoS

      • LinuxSolarisSYN cookieSYN Flood


Syn flood2

SYN Flood


Smurf

Smurf

  • ICMP EchoICMP EchoIPEchoICMP Echo-Reply

  • fraggleUDPudpsmurf

    • 7(echo)ICM


Smurf1

Smurf


Smurf2

Smurf

    • Smurf

      • SmurfICMP EchoICMP Echo-Reply

      • Internet

  • Smurf

    • ICMP Echo


Smurf3

Smurf

    • ICMP Echo Reply

    • DoS

    • IPsmurf

    • ICMP

  • log


7024382

(DDoS)


7024382

DoS

  • teardrop.csynflood.cDoS

    • IP

    • TargaDoS

    • TrinooDoS

    • TFN2KTargaDDoS

    • stacheldraht


7024382

DoS

    • DoS

      • IPDoS

    • DoSSYN Flooding


7024382

  • Hackers Beware

    ()

    • Simple Active Attack Against TCP

    • A short overview of IP spoofing: PART I

    • A short overview of IP spoofing: PART II

  • Web

    • http://www.washington.edu/People/dad/

    • DoShttp://www.attrition.org/security/denial/

    • DoShttp://www.itsecurity.it/dos_2.htm


  • Login