http://www.icst.pku.edu.cn/InfoSecCourse

About This Presentation

Title:

http://www.icst.pku.edu.cn/InfoSecCourse

Description:

Title: PowerPoint Presentation Last modified by: panaimin Created Date: 1/1/1601 12:00:00 AM Document presentation format: Other titles – PowerPoint PPT presentation

Number of Views:31

Avg rating:3.0/5.0

Slides: 70

Provided by: securitycn

Category:

more less

Transcript and Presenter's Notes

Title: http://www.icst.pku.edu.cn/InfoSecCourse

1
??????????? (?)

???,??????????
http//www.icst.pku.edu.cn/InfoSecCourse

2
? ?

??
IP??
????
Web??
????
????

?????,TCP/IP???????????
3
? ?

DNS????
DNS nslookup
Ping traceroute
????
???????????
??????
????????????

4
????????

???????????
????
???TCP connect()??
TCP SYN??(??????, half open)
TCP Fin??(????,stealth)
TCP ftp proxy??(bounce attack)
?IP????SYN/FIN??(????????)
UDP recvfrom??
UDP ICMP???????
Reverse-ident??

5
??????

??????(IDS)
???
??????????,???????
?????

6
??????????

??????????????????????????(???)???????
????
???????????
DNS???OS??
TCP/IP???
??????????????????????,?????????????,?????????????
OS??

7
????????

IDS
????????,??????????
???
?????????IP??????
?????
?????????????

8
????

IP??
?????IP??????
????
?????email??????
Web??
?????????????
?????
DNS??
??????

9
IP??

IP?????
?????IP??,?????
?IP????????
?????
IP?????
??IP???????????
??IP????????????
??????TCP????
IP???????
IP?????????????????

10
IP?????????

????????????IP??
??
???????
?????
???????
?Linux???
?ifconfig

11
?????IP??

??IP?,IP????????IP??
?Unix/Linux???,???socket?????,????root??
?Windows???,????Winsock
????winpcap
???libnet??IP?
????
?Linux???,????raw socket,????IP???????,??????

12
?????IP??????

sockfd socket(AF_INET, SOCK_RAW, 255)
setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, on,
sizeof(on))
struct ip ip
struct tcphdr tcp
struct pseudohdr pseudoheader
ip-gtip_src.s_addr xxx
// ??IP?TCP??????,??????
pseudoheader.saddr.s_addr ip-gtip_src.s_addr
tcp-gtcheck tcpchksum((u_short
)pseudoheader, 12sizeof(struct
tcphdr)) //?????
sendto(sockfd, buf, len, 0, (const sockaddr
)addr, sizeof(struct sockaddr_in))

13
IP??????

?????

H????????

??????H
H?A????????
???????

14
????IP??

????,????
?????????????IP??
?????????
????,?????????
????????????????
????
????
???????????
????,????????IP??
????,????????IP??
?????????
????????????

15
??????

?????????
????????,???
????,??????
??????
?????
???????????
?????????????
????smtp??????
???????????
??????????
????????????????
????????

16
?????????????

??????????????????,?????????????

??????XX,??XXX????
?(?)?????
??????,?????????
17
?????????????

??????
??(Name)??,????From?Reply-To???,???????????
??????,????From???
????,????Reply-To???,????
???????

18
?????????

????,????

19
????????smtp???

????smtp????25??,??????,?????
Helo(or EHLO)
Mail from
Rcpt to
Data
Quit

20
??????????
21
???????

????????
Smtp???????????,???????????????????????
?????????????????????
???????????????,????DNS??
??????????smtp?????
???????????????????????
????,?????????
???

22
Web??

Web??????????,????Internet??,???????
??Internet????,???????????Web??
Web????(DNS??)??????,?????
??????????Web?????
Web?????
????,????
????
Web?????
???????
??URL
??Web??

23
???????

?????????????????,??????????,???????????,?????????
??
??,??ABC??,?abc.net???abc.com
???????????,?????????????????,??
????????????????,????????,??????????????(?????cook
ie),????????????,??????????????,????????????cooki
e,????????????????????,?????????????????
???????????,??????????

24
??URL

??HTTP???Web?????????????,?????????????,???????,??
?????URL??
URL???????????????,??lta hrefwww.hackersitegt
Welcom to Hollywood-Movie site.lt/agt
??????????
???????????
?url????script???,????
???????
??Web???,????
????http??
?????????????
??????????

25
Web????

HTTP???????(???),Web???????
Cookie
?url????
?????????????
Web?????????,???????????ID

26
??Web??

???????
????URL??????
????????URL??
??URL
????????????
??SSL
Web????
?????????
??????ID
Web???????,????????????Web??

27
??????

???????,??????
IP??????
??????????????
????????,?????????,???????,????Internet???????????
????
???????
??,??????
?????????????????
????????????????????
?????Internet???????,???????????????????????

28
??(??)??

??????,??????????
??????????????????
????,??????????
?????????????

29
TCP????(session hijacking)

?????
??????????,????????
??????????????????,????????????,?????????
??
Sniffer???????????
???????????????
???????
????,???????????????????????????????????
????,?????????,????????????????,????????,????,????
?????????????,?????????????

30
???????
???B
31
???????

TCP??
??????TCP??(???TCP??)
??????,??????4???
???????????IP??SN ltgt ??IP??SN
?TCP???????
??????????SN(?????)
???????????????
TCP???,?????SYN???,????ack??,???????????????
??,??????????TCP?????

32
??TCP??????

????ACK??,??????
???(SEG_SEQ)???????????????
???(SEG_ACK)???????????????????
????(CLT)????(SVR)??????,????????
SVR_SEQ ????????????????
SVR_ACK ????????????????(???????????????1)
SVR_WIND ????????
CLT_SEQ ???????????????
CLT_ACK ???????????????
CLT_WIND ???????
??
CLT_ACK lt SVR_SEQ lt CLT_ACK CLT_WIND
SVR_ACK lt CLT_SEQ lt SVR_ACK SVR_WIND
??????????,??????
??,?????,??????ACK?(????????)

33
??TCP??????(?)

????
SVR_SEQ CLT_ACK
CLT_SEQ SVR_ACK
?????
SVR_SEQ ! CLT_ACK
CLT_SEQ ! SVR_ACK
??TCP?????????????
???????SEG_SEQ CLT_SEQSEG_ACK
CLT_ACK????????,??CLT_SEQ ! SVR_ACK
??,?????(???)?????SEG_SEQ SVR_ACKSEG_ACK
SVR_SEQ???????????
???????????????,????????????????,????????

34
TCP ACK Storm

????????????????????,???????????ACK,??????????????
???,???????ACK?,??ACK????,??ACK???
?????ACK???,?????
????????,???????????
?????????????ACK??,????????,????????ACK,?????ACK??
,??,??????
??????????????,?????ACK??

35
??????????(?)

????????????
????????????????,?????????RST?,????????TCP????????
?SYN?,?????????SYN???
??????????,???????,???????SYN/ACK???,??????????,??
??????ACK?
??,??????????????TCP ESTABLISHED??,???????????????
,??????????????
??,?????????????????????,??????

36
??????????(?)

????????
?????????
??,???????????????,??????????????????
?????????????
???????????
?????????????,???????????

37
??????????(??)??

??????Blind spoofing
???????SYN?
????????ISN
???????,???????
????????????????
????????
??
?????????RST?
????????????????

38
????????????

????
????????,?????????????,???????????
???????ISN(?????)??
???nmap,??????????
????????
???????????,??????,???????????????
?????
?????????,?????????,??????
???????
ACK??,????
????
?????????,???????,???????????

39
Kill a connection
A
B
???

???????RST??B,????A?IP??
??A?B???????,??A?B????,??????????RST?,???????,????
?,?RST??????,??????
???????FIN??B,????A?IP??
???,???????B????FIN?
???,A????

40
????????(1)
A
???
B

????A-gtB?TCP Packet ID (from_IP.port-to_IP.port)
IP_A.PortA-IP_B.PortB SEQ (hex) 5C8223EA
ACK (hex) C34A67F6 FLAGS -AP--- Window
7C00,???1

B?????,B-gtATCP Packet ID (from_IP.port-to_IP.port
) IP_B.PortB-IP_A.PortA SEQ (hex) C34A67F6
ACK (hex) 5C8223EB FLAGS -AP--- Window
2238,???1

A?????,A-gtBTCP Packet ID (from_IP.port-to_IP.port
) IP_A.PortA-IP_B.PortB SEQ (hex) 5C8223EB
ACK (hex) C34A67F7 FLAGS -A---- Window
7C00,???0

41
????????(2)
A
???
B

?????A??????B,???????????????TCP Packet ID
(from_IP.port-to_IP.port) IP_A.PortA-IP_B.PortB
SEQ (hex) 5C8223EB ACK (hex) C34A67F6
FLAGS -AP--- Window 7C00,???10(?????)

B?????,B-gtATCP Packet ID (from_IP.port-to_IP.port
) IP_B.PortB-IP_A.PortA SEQ (hex) C34A67F7
ACK (hex) 5C8223F5 FLAGS -AP--- Window
2238,????(??20)

??,A????????SEQ/ACK???TCP Packet ID
(from_IP.port-to_IP.port) IP_A.PortA-IP_B.PortB
SEQ (hex) 5C8223EB ACK (hex) C34A67F7
FLAGS -A---- Window 7C00??????

42
????????(3)
A
???
B

??????????,????B????(?A???)TCP Packet ID
(from_IP.port-to_IP.port) IP_A.PortA-IP_B.PortB
SEQ (hex) 5C8223F5 ACK (hex) C34A680B
FLAGS -AP--- Window 7C00,????(??37)

B?????,B-gtATCP Packet ID (from_IP.port-to_IP.port
) IP_B.PortB-IP_A.PortA SEQ (hex) C34A680B
ACK (hex) 5C82241A FLAGS -AP--- Window
2238,????

43
?????????

????
Simple Active Attack Against TCP,
http//www.insecure.org/stf/iphijack.txt
A short overview of IP spoofing PART I,
http//staff.washington.edu/dittrich/papers/IP-spo
of-1.txt
A short overview of IP spoofing PART II ,
http//staff.washington.edu/dittrich/papers/IP-spo
of-2.txt
Hackers Beware,????????????,???????

44
?????????

?????????????
Juggernaut
????TCP???????sniffer??
Hunt
???Juggernaut??
TTY Watcher
????,??????????
IP Watcher
?????????

45
Hunt????

?????????,????Linux???
????
??????????
????(reset a session)
????
?????,???????
????????
??????
??reset
Arp??????
??MAC??
???????sniffer

46
Hunt???
l/w/r) list/watch/reset connections u) host
up tests a) arp/simple hijack (avoids ack
storm if arp used) s) simple hijack d)
daemons rst/arp/sniff/mac o) options x)
exit -gt
47
?hunt????
48
?hunt???????
49
Hunt????????ACK??
50
????????

???????,?????????
TCP????
?????
???????????????IP??
??
ACK????????

51
????(Denial of Service)

?????????????
???????????(availability)
DoS???????????
??DoS
???????????????????????????
??????????,???????
????,??DoS???????????
DoS???
???,????????,???? DOS
????????
??????????
??????

52
DoS???

???????????
??1996?9?,??ISP(Public Access Networks)??????????
???,????6000???1000?????Internet??
????
?????????????????
???????
2000?2?,???????Web?????DDoS???

53
DoS???

????,??????
?????????
????
????
????,?????????
??????????????,?????????????
????????DoS
??,???????,??????????NT???,?????????
???????,???

54
DoS?????

???????
????
??????????????
??????????(????Internet????),??????????????
??????,????????????,????????CPU????????,??
????????,?????????,??Ping of Death
??(??)????,????????????
???????
?????DoS??,???????????????,???????????????
???????,??????????????
????,????????????,???????????????????????,???????
?

55
DoS?????

???Internet????
??????
????,???TCP??,SYN Flood,?
??????????,?????
Ping of Death, IP????
???DoS(DDoS)??
????smurf??

56
?????DoS??

Ping of Death
?????(????IP?????)
Land
??????TCP SYN?,??????????,??????????,????DoS??
SYN Flood
??????SYN?
UDP Flood
Teardrop
IP??????
Smurf
???????ICMP Echo?,??????

57
Ping of Death

??????ping?,?ICMP Echo?,????????????????????,????
???
???????????????
????
????ping??,?????ping???
????
???
????????ping?

58
Teardrop

????IP?????????,??????,????????????,???memcpy????
?????
??????Linux/Windows NT/95,97???
????
??????,????IP????????
????
??????,???????????
???
??http//www.attrition.org/security/denial/w/tear
drop.dos.html

59
SYN Flood

????TCP????????,???????TCP??,?????????????TCP????
????????????????????,??,??????????????,???????,???
????????????
?????????????
????
????????,??,?IP????????,????????????IP??,??,??????
???????????
??,????????,??????,??,????????SYN?????????????????
????
?????Internet??????TCP?????,???????????
?????????,??????????,?????

60
SYN Flood(?)

????
?????????????SYN?,?????????
SYN???????????,???????
????
????
????????????????????????????
????,???????DoS????
???
Linux?Solaris????????SYN cookie??????SYN
Flood???????????????????,????????????

61
??SYN Flood?????
62
Smurf

??????????????ICMP Echo????????????????ICMP
Echo??,???????IP???????,??,????????????????Echo??,
??????????ICMP Echo-Reply?????,?????????????????
?????????????????
??fraggle,??UDP?,???udpsmurf
??,7???(echo),???????????,?????,??,??ICM???????
????
???????????????,???????
????????????,???????????,?????????????

63
Smurf?????
64
Smurf??