Network Scanning Techniques
DESCRIPTION
Network Scanning Techniques. Liu Peng, Network and Information Security Lab, Institute of Software, School of Information Science and Technology, Peking University. Contents: TCP/IP basics; network information gathering; target probing; network scanning; enumeration (obtaining valid account or resource names from a system); network sniffing (capturing packets on the network). Security layers: application security; system security; network security; security protocols; secure cryptographic algorithms. TCP/IP basics: network architecture; packet formats of the important protocols (IP, ICMP, TCP, UDP); TCP connections; some upper-layer protocols. Network architecture: OSI reference model; TCP/IP model; TCP/IP protocol stack; packet structure at each layer of the stack.
TRANSCRIPT
-
TCP/IP
-
TCP/IPIPICMPTCPUDPTCP
-
OSITCP/IP
-
TCP/IP
-
IP
-
IP44515655350DFMF8
-
IP0255101ICMP4IP6TCP17UDPIPIP44
-
IP address ranges. Private addresses: 10.0.0.0 - 10.255.255.255; 172.16.0.0 - 172.31.255.255; 192.168.0.0 - 192.168.255.255. Address classes: A 1.0.0.0 - 127.255.255.255; B 128.0.0.0 - 191.255.255.255; C 192.0.0.0 - 223.255.255.255; D 224.0.0.0 - 239.255.255.255; E 240.0.0.0 - 247.255.255.255.
-
IP0IP
0IP
321IP
127.xx.yy.zz(loopback)
-
ICMPInternet Control Message ProtocolIPICMPIPICMP
-
ICMPICMPIPIP1ICMPICMP
-
ICMP message types:
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
-
ICMPICMP31112ICMP45ICMP/0813141718
-
ICMP Echo0Echo Reply8Echo0ID1
-
ICMP Time Exceeded1101IPIP+IP8
-
ICMP Destination Unreachable301 23IPIP+IP8
-
TCP
-
TCPIPTCPTCP4206URGURG1ACK10TCPPSHPUSH
-
TCPRSTSYNSYN1ACK=0SYN=1ACK=1FINMSS(Maximum Segment Size)
-
UDP
-
TCP
-
TCPTCP/IPSYNFINTCPRST RSTRST RSTRST ACKRST SYN SYNSYN|ACK FIN
-
Well-known ports: DNS: 53/tcp,udp; FTP: 20,21/tcp; telnet: 23/tcp; HTTP: 80/tcp; NNTP: 119/tcp; SMTP: 25/tcp; POP3: 110/tcp. Full list: IANA port-numbers.txt.
-
footprint
-
IPTCPUDPSNMP/
-
DNSXXXX
-
Web
HTML
-
()XX()(googleAltaVista)
-
whoisWhoisInternetIPClient/ServerClientServerUNIXwhoisWindowsWeb
-
Sam Spade
-
whois: http://www.networksolution.com, http://www.arin.net; Unix whois, fwhois (Chris Cappuccio); http://www.ipswitch.com; http://www.samspade.org (com, net, edu, org whois); http://www.ripe.net (IP, Europe); http://whois.apnic.net (IP, Asia-Pacific); http://whois.nic.mil
-
whoishttp://whois.nic.gov www.allwhois.com whois
whoisIP
-
FROM1998AOL
-
DNSDNSDNSCPUNslookupnslookupDNSDNSUNIX/LINUXhost
-
DNS
-
DNS & nslookupnslookupDNSDNSDNSIPnswwwftpISP
-
nslookupserver, DNSset type=XXXls, [domain name, or IP address]
-
DNS & nslookup(zone transfer)53TCPDNS53UDPDNSDNSDNSDNSMXWindows 2000DNSADSRVDNS
-
PingTraceroutePing: Packet InterNet GroperICMP EchoICMP ReplyTracerouteUDPTTLICMP Time ExceededWindowstracert
-
PingICMP EchoEcho Reply
-
PingPingactivepingtimeoutPing of deathping(>65535)
-
tracerouteUDP(38)TTL1ICMP Time ExceededUDP(33434)ICMP Destination Unreachable
-
traceroutetracerouteTraceroute
-
NIDS(Network Intrusion Detection System)NIDSSnortrotoroutortraceroute
-
TCP/IP
-
80ModemUNIXwar dialerSATAN: Security Administrator's Tool for Analyzing Networks 19954(HTML)X(Dan FarmerCOPSWeitse VenemaTCP_Wrapper)NmapFyodor
-
ICMP
-
ICMP Echo Request (type 8) Echo Reply (type 0) ICMP Echo Request ICMP Echo Reply PingICMP SweepPing SweepICMP Echo Request Broadcast ICMP ICMPUNIX/Linux Non-Echo ICMP ICMP131415161718
-
ICMP IP IPICMP Parameter Problem ErrorHeader Length IP Options
IP IPICMP Destination Unreachable
-
PMTU, Fragmentation Needed and Dont Fragment Bit was Set
IPIPIPICMP Host UnreachableICMP Time Exceeded IP
-
ICMPICMP
-
(Open Scanning)TCP(Half-Open Scanning)TCP(Stealth Scanning)TCP
-
Scan types: TCP connect() scan; Reverse-ident scan; TCP SYN scan; IP ID header (aka dumb) scan; TCP FIN scan; TCP XMAS scan; TCP ftp proxy (bounce attack) scan; IP fragmented SYN/FIN scan; UDP ICMP scan; UDP recvfrom scan
-
TCP connect()socketconnect()
-
Reverse-identIdent(RFC1413)TCPTCPTCP11380identdrootident
-
TCP SYNSYNRSTSYN|ACKRSTUNIXrootSYN
-
IP ID header aka dump AntirezBugtraq IPSYNIP
-
TCP FinFINRSTTCPSYNWindowsRST
-
TCP XMASTCP UNIX/Linux/BSDTCP/IP Windows
-
SYNFINTCP
-
TCP ftp proxyFTP bounce attackPORTftp server"425 Can't build data connection: Connection refused." Ftp(,)ftp server
-
UDP ICMPUDPUDPACKUDPUDPICMP Port UnreachUDPICMProotICMP Port UnreachSolarisrpcbind(UDP)32770
-
UDP recvfrom() & write()rootICMP Port UnreachLinuxUDPwrite()ICMPUDPrecvfrom()EAGAIN()ECONNREFUSED()
-
SYNFINUnixlinux/etc/inetd.confWindowsServicesIIS
-
(social engineering)telnethttpftpTCP/IPDNSOS
-
TelnetHttpFtp
-
ftp
-
TCP/IPOSCheckos, by ShokQueso, by SavageNmap, by Fyodor
-
OSOS
-
FINTCPTCPACKTCP1TCPDF(Don't Fragment bit )IPDF
-
()ICMPICMPUDPICMPIP+8ICMPICMPTOSTCP(RFC793RFC1323)Query-Reply
-
()SYN flooding SYN 8
-
Nmap nmap-os-fingerprints.txt:
# TEST DESCRIPTION:
# Tseq is the TCP sequenceability test
# T1 is a SYN packet with a bunch of TCP options to open port
# T2 is a NULL packet w/options to open port
# T3 is a SYN|FIN|URG|PSH packet w/options to open port
# T4 is an ACK to open port w/options
# T5 is a SYN to closed port w/options
# T6 is an ACK to closed port w/options
# T7 is a FIN|PSH|URG to a closed port w/options
# PU is a UDP packet to a closed port
- Nmap()Fingerprint Linux kernel 2.2.13TSeq(Class=RI%gcd=
- Nmap()Fingerprint Windows 2000/XP/METSeq(Class=RI%gcd=
-
Nmap fingerprint fields, 1. TSeq: class --- sequence class: C constant sequence; 64K 64K sequence; i800 sequence incremented by 800; TD time dependant sequence; RI random incremental sequence; TR true random sequence. val --- for class C, the sequence value. gcd --- sequence gcd, for classes RI and TD. SI --- nmap sequence index, for classes RI and TD.
-
Nmap fingerprint fields, 2. TCP tests (T1-T7): Resp --- response received, 'Y' or 'N'. DF --- don't fragment bit, 'Y' or 'N'. W --- window size (tcp->th_win). ACK --- S: ack == syn; S++: ack == syn + 1; O: other. Flags --- TCP flags: B Bogus (64, not a real TCP flag); U Urgent; A Acknowledgement; P Push; R Reset; S Synchronize; F Final. (SYN tcp bogus 2.0.35 linux)
-
Nmap fingerprint fields, 2. TCP tests (T1-T7), continued: Ops --- TCP options: L End of List; N No Op; M MSS; E echoed MSS; W Window Scale; T Timestamp. 3. UDP test (PU): Resp --- response received, 'Y' or 'N'. DF --- 'Y' or 'N'. TOS --- IP type of service. IPLEN --- IP total length. RIPTL --- returned "IP" total length. RID --- returned "IP_ID".
-
Nmap fingerprint fields, 3. UDP test (PU), continued: RIPCK --- returned "IP_checksum": 0 if the checksum is 0, E if equal, F if not. UCK --- returned "IP_udp_checksum": 0 if the checksum is 0, E if equal, F if not. ULEN --- returned "IP_udp_len". DAT --- returned IP data: E if the UDP data is echoed, F if not.
-
Nmap
-
TCP/IPTTLDFTOSSiphonhttp://siphon.datanerds.net/ osprints.conf
-
telnet to 192.168.102.245 from 192.168.102.155, as seen by snort:
192.168.102.245:23 -> 192.168.102.155:2300 TCP TTL:255 TOS:0x0 ID:58955 DF
**S***A* Seq:0xD3B709A4 Ack:0xBE09B2B7 Win:0x2798
TCP Options => NOP NOP TS:9688775 9682347 NOP WS:0 MSS:1460
Matched against osprints.conf, 192.168.102.245 is Solaris 2.6-2.7
-
OSOS
-
IDS
-
nmapBy FyodornmapCThe Art of Port ScanningRemote OS detection via TCP/IP Stack FingerPrinting
-
Nmap
-
Nmap()
-
X-scan
-
SATANSAINTSSSStrobeX-Scan
ISS ()PingerPortscanSuperscan
-
(enumeration)
-
(banner)
-
Windows NT/2000Windows NTCIFS/SMB(Common Internet File System/Server Message Block)NetBIOSWindows 2000NTWindowsNTRK(NT Resource Kit)2000 ServerSupport\Tools
-
Windows NT/2000Windows NT/2000NetBIOSTCP139TCP139net use \\192.168.102.230\IPC$ "" /USER: "" Windows 2000SMB445
-
NT/2000 NetBIOSNT/2000nbtstatNetBIOS
-
NT/2000 NetBIOSnbtscannbtstat
-
NT/2000 NetBIOS net viewnet view
-
NT/2000 NetBIOS legionNATLegion
-
NT/2000 NetBIOS NAT
-
NT/2000 NetBIOS NTRKnltestrmtsharesrvchecksrvinfo netdomepdumpgetmacnetviewxenumdumpsec
-
NT/2000 NetBIOS 50%NATenumdumpsecRudnyisid2useruser2sidSID(Security Identifier)SIDWhat is a SID http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14781
-
NT/2000telnetnc()c:\telnet 192.168.102.155 80
-
NT/2000nc v 192.168.102.233 80
-
NT/2000WindowsNT/2000AdministratorHKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winregregdumpdumpsec
-
NT/2000TCPUDP1351392000445
-
NT/2000Hkey_Local_Machine\SYSTEM\CurrentControlSet\Control\LSARestrictAnonymousREG_DWORDNT1200022000||(RestrictAnonymous2)
-
NT/2000netcat
-
Unix/LinuxUnix/LinuxTCP/IPNetBIOSUnix/LinuxshowmountNFS(2049)NISfingerfinger79
-
Unix/LinuxrusersrwhoSMTPvrfyexpn
-
Unix/LinuxNT/2000telnetncrpcinfoportmapper111
-
Unix/Linux79
-
139
-
administrator1234
-
nc
-
nc
-
LibpcapWinPcap
-
(sniffer)
-
/(CSMA/CD, carrier sense multiple access with collision detection)CSMA/CD
-
MAC(48)ARPMACIPipconfig/ifconfigMACMAC()
-
sniffer
-
HUB
MAC-
-
UNIXAPIPacket socketBPF
WindowsWinPcap
-
Packet socket: the interface is put into promiscuous mode with ioctl(); a packet socket is created with packet_socket = socket(PF_PACKET, int socket_type, int protocol); or, on older kernels, socket(PF_INET, SOCK_PACKET, protocol). UNIX/Linux: socket (open), ioctl(), setsockopt()
-
BPF(Berkeley Packet Filter)BSDBPFNetwork TapKernel BufferUser bufferLibpcap()BPFLibpcapLibpcapBPFOS(BSD)
-
BPFlibpcap
-
libpcapAPIC1.10BPFProgramming with pcap http://www.tcpdump.org/pcap.htm
-
libpcap:
char *pcap_lookupdev(char *errbuf);
pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf); returns a packet capture descriptor; snaplen is the capture length
pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname); opens a savefile for dumping
pcap_t *pcap_open_offline(char *fname, char *ebuf); opens a savefile for reading
-
Libpcap: filter
int pcap_lookupnet(char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask); str is the filter expression
int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
-
Libpcap:
int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user); cnt is the packet count, pcap_handler the callback; pcap_loop reads until cnt packets
void pcap_dump(u_char *user, struct pcap_pkthdr *h, u_char *sp); writes to the savefile from pcap_dump_open()
-
WindowsWindowssnifferWinPcaplibpcapWindows
-
WinPcapWinPcapNPF(Netgroup Packet Filter)packet.dllwin32WindowsPacket.dllPacket.dllWindows Wpcap.dllpacket.dllWpcap.dllpacket.dllWpcap.dll
-
WinPcapNPF
-
WindowsNDIS(Network Driver Interface Specification)NPF
-
WinPcaplibpcapUNIXlibpcapNPFhttp://winpcap.polito.it/
-
ARPGW1 BIP2 BarpA,GWIP3 AB4 BGWdsniffarpredirectAB
-
LibnetLibnetLibnet50C API()(IP)
-
Libnet call sequence:
libnet_init_packet();
libnet_open_raw_sock();
libnet_build_ip();
libnet_build_tcp();
libnet_do_checksum();
libnet_write_ip();
libnet_close_raw_sock();
libnet_destroy_packet();
-
SnifferSSHARPARP
-
DNSDNSLinuxMACLinux IPIPIPICMP ECHO()()Windows 9x/NTMAC0xff
-
()L0phtAntiSniff
-
WindowssnifferButtsnifferWindows NTNetMonNetXRayWinPcapWinDump(tcpdumpWindows)Analyzer
-
Windump
-
SnifferPro
-
UNIX/Linuxsnifferdsnifflinux_snifferSnorttcpdumpsniffit
-
tcpdump
-
References:
Computer Networks
Hackers Beware, 2002
Hacking Exposed
Remote OS detection via TCP/IP Stack FingerPrinting, http://www.insecure.org/nmap/nmap-fingerprinting-article.html
The Art of Port Scanning, http://www.insecure.org/nmap/nmap_doc.html
UNIX/Linux Programmers Manual
WinPcap, http://winpcap.polito.it/default.htm
Libnet, http://www.packetfactory.net/Projects/Libnet/
STAT, http://www.cs.ucsb.edu/~rsg/STAT
Snort, http://www.snort.org/
http://www.tucows.com/