HHS - Lesson 7 - Attack Analysis
LESSON 7
ATTACK ANALYSIS
LESSON 7 – ATTACK ANALYSIS
“License for Use” Information
The following lessons and workbooks are open and publicly available under the following
terms and conditions of ISECOM:
All works in the Hacker Highschool project are provided for non-commercial use with
elementary school students, junior high school students, and high school students whether in a
public institution, private institution, or a part of home-schooling. These materials may not be
reproduced for sale in any form. The provision of any class, course, training, or camp with
these materials for which a fee is charged is expressly forbidden without a license including
college classes, university classes, trade-school classes, summer or computer camps, and
similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at
www.hackerhighschool.org/license .
The HHS Project is a learning tool and as with any learning tool, the instruction is the influence
of the instructor and not the tool. ISECOM cannot accept responsibility for how any
information herein is applied or abused.
The HHS Project is an open community effort and if you find value in this project, we do ask
you support us through the purchase of a license, a donation, or sponsorship.
All works copyright ISECOM, 2004.
Table of Contents
“License for Use” Information.................................................................................................................2
Contributors...............................................................................................................................................4
7.0 Introduction.........................................................................................................................................5
7.1 Netstat and Host Application Firewalls............................................................................................6
7.1.1 Netstat...........................................................................................................................................6
7.1.2 Firewalls.........................................................................................................................................7
7.1.3 Exercises........................................................................................................................................8
7.2 Packet Sniffers.....................................................................................................................................9
7.2.1 Sniffing...........................................................................................................................................9
7.2.2 Decoding Network Traffic........................................................................................................11
7.2.3 Sniffing Other Computers.........................................................................................................12
7.2.4 Intrusion Detection Systems.....................................................................................................13
7.2.5 Exercises......................................................................................................................................13
7.3 Honeypots and Honeynets.............................................................................................................14
7.3.1 Types of Honeypots...................................................................................................................14
7.3.2 Building a Honeypot.................................................................................................................15
7.3.3 Exercises......................................................................................................................................15
Further Reading.......................................................................................................................................17
Glossary....................................................................................................................................................18
Contributors
Pete Herzog, ISECOM
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM
7.0 Introduction
There are a lot of programs on your computer that will want to open up network connections.
Some of these programs have valid reasons for connecting (your web browser won't work
nearly as well without a network connection), while others have been written by people with
motives ranging from questionable to criminal. If you want to protect your computer, you'll
have to learn how to detect network access and identify its source and intent. Not every
attempt at network access is an attack, but if you don't know how to tell friend from foe, you
might as well just leave your door open.
7.1 Netstat and Host Application Firewalls
To be able to identify an attack, you have to know what applications and processes normally
run on your computer. Just looking at a graphical interface, whether in Windows or Linux,
won't let you see what's going on underneath the surface. Netstat and a firewall can be used
to help you identify which programs should be allowed to connect with the network.
7.1.1 Netstat
(netstat is also discussed in section 5.2.3) The netstat command will display the status of the
network. Netstat can give you information about what ports are open and the IP addresses
that are accessing them, what protocols those ports are using, the state of the port, and
information about the process or program using the port.
At a command prompt enter:
netstat -aon (for Windows) or
netstat -apn (for Linux)
and netstat will produce a display similar to this:
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:1134 0.0.0.0:0 LISTENING 3400
TCP 0.0.0.0:1243 0.0.0.0:0 LISTENING 3400
TCP 0.0.0.0:1252 0.0.0.0:0 LISTENING 2740
TCP 257.35.7.128:1243 64.257.167.99:80 ESTABLISHED 3400
TCP 257.35.7.128:1258 63.147.257.37:6667 ESTABLISHED 3838
TCP 127.0.0.1:1542 0.0.0.0:0 LISTENING 1516
TCP 127.0.0.1:1133 127.0.0.1:1134 ESTABLISHED 3400
TCP 127.0.0.1:1134 127.0.0.1:1133 ESTABLISHED 3400
TCP 127.0.0.1:1251 127.0.0.1:1252 ESTABLISHED 2740
TCP 127.0.0.1:1252 127.0.0.1:1251 ESTABLISHED 2740
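As an added example (not part of the lesson), the listing above parsed in Python and grouped by PID the way you would before matching each PID against the process list: ports listening on every interface, connections to other hosts, and loopback-only traffic. It assumes the Windows netstat -aon column layout shown above; the Linux netstat -apn output has a different last column and would need its own parser.

```python
from collections import defaultdict

# Sample netstat -aon output, copied from the lesson's listing above. The
# 257.x.x.x addresses are the lesson's own placeholders, not routable hosts.
NETSTAT_OUTPUT = """\
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:1134 0.0.0.0:0 LISTENING 3400
TCP 0.0.0.0:1243 0.0.0.0:0 LISTENING 3400
TCP 0.0.0.0:1252 0.0.0.0:0 LISTENING 2740
TCP 257.35.7.128:1243 64.257.167.99:80 ESTABLISHED 3400
TCP 257.35.7.128:1258 63.147.257.37:6667 ESTABLISHED 3838
TCP 127.0.0.1:1542 0.0.0.0:0 LISTENING 1516
TCP 127.0.0.1:1133 127.0.0.1:1134 ESTABLISHED 3400
TCP 127.0.0.1:1134 127.0.0.1:1133 ESTABLISHED 3400
TCP 127.0.0.1:1251 127.0.0.1:1252 ESTABLISHED 2740
TCP 127.0.0.1:1252 127.0.0.1:1251 ESTABLISHED 2740
"""

def parse_netstat(text):
    """Turn raw netstat -aon text into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "UDP" and len(parts) == 4:   # Windows prints no State for UDP
            parts.insert(3, "")
        proto, local, foreign, state, pid = parts[:5]
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows

def triage(rows):
    """Group sockets by PID into what a defender checks first: ports listening on
    every interface (0.0.0.0) and established connections to other hosts."""
    by_pid = defaultdict(lambda: {"exposed_ports": [], "remote_peers": [], "loopback_only": 0})
    for r in rows:
        lhost, _, lport = r["local"].rpartition(":")    # '0.0.0.0:1134' -> host, port
        fhost, _, fport = r["foreign"].rpartition(":")
        entry = by_pid[r["pid"]]
        if r["state"] == "LISTENING" or r["proto"] == "UDP":   # bound socket waiting for input
            if lhost == "0.0.0.0":            # reachable from the network, not just this host
                entry["exposed_ports"].append(int(lport))
        elif fhost.startswith("127."):        # both ends on this machine, e.g. a local proxy
            entry["loopback_only"] += 1
        else:                                 # the lines to match against Task Manager first
            entry["remote_peers"].append((fhost, int(fport)))
    return dict(by_pid)
```

In the lesson's listing this singles out PID 3838, whose only socket is an outbound connection to port 6667 (IRC), and PID 3400, which both listens on two network-facing ports and talks to a remote web server.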
Now, you need to match the numbers in the PID column with the names of the processes that are
running. In Windows, you should bring up the Windows Task Manager, by pressing