LESSON 7 ATTACK ANALYSIS part I

Table of Contents
7.0 Introduction
7.1 Netstat and Host Application Firewalls
7.1.1 Netstat
7.1.2 Firewalls
7.1.3 Exercises
7.2 Packet Sniffers
7.2.1 Sniffing
7.2.2 Decoding Network Traffic
7.2.3 Sniffing Other Computers
7.2.4 Intrusion Detection Systems
7.2.5 Exercises
7.3 Honeypots and Honeynets
7.3.1 Types of Honeypots
7.3.2 Building a Honeypot
7.3.3 Exercises
Further Reading
Glossary

7.0 Introduction
There are a lot of programs on your computer that will want to open up network connections.
Some of these programs have valid reasons for connecting (your web browser won't work
nearly as well without access to a network connection as it will with one), others have been
written by people with motives ranging from questionable to criminal. If you want to protect
your computer, you'll have to learn how to detect network access, and identify the source
and intent. Not every attempt at network access is an attack, but if you don't know how to
identify friend from foe, you might as well just leave your door open.

7.1 Netstat and Host Application Firewalls
To be able to identify an attack, you have to know what applications and processes normally
run on your computer. Just looking at a graphical interface, whether in Windows or Linux,
won't let you see what's going on underneath the surface. Netstat and a firewall can be used
to help you identify which programs should be allowed to connect with the network.

7.1.1 Netstat
(netstat is also discussed in section 5.2.3) The netstat command will display the status of the
network. Netstat can give you information about what ports are open and the IP addresses
that are accessing them, what protocols those ports are using, the state of the port, and
information about the process or program using the port.
At a command prompt enter:
netstat -aon (for Windows) or
netstat -apn (for Linux)
and netstat will produce a display similar to this:

Now, you need to match the numbers in the PID column with the names of the processes that are
running. In Windows, bring up the Windows Task Manager by pressing CTL+ALT+DEL. (If it
doesn't show a PID column, click on View, then Select Columns, then select PID.) In Linux, go
to a command prompt and enter ps auxf to display the process status.
In the case of our example results listed above, we find that PID 3400 belongs to our web
browser and PID 2740 belongs to our email client, both of which we have knowingly
executed, and both of which have valid reasons for establishing connections to the Internet.
However, PID 3838 belongs to a program named 6r1n.exe, and PID 1516 belongs to a
program named buscanv.exe, neither of which we are familiar with.
However, just because you don't recognize the name of a program, that doesn't mean that it
doesn't have a reason to be running on your system. The next step in this process is for us to go
to an Internet search engine and try to discover what these two programs do.
In our search, we discover that buscanv.exe is required by our virus scanner and should be
running. However, 6r1n.exe could be a trojan. Looking again at the display from netstat, we
can see that the port associated with the 6r1n.exe program is 6667, an IRC port commonly
used by trojans for remote access. At this point, we begin researching methods for removing
the trojan.
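The PID-matching and lookup steps above, as an added example that is not part of the original lesson: a Python script that parses a constructed netstat -aon listing, joins the PIDs against a constructed process table (what you would read off Task Manager or ps auxf), and reports every connection that belongs to a program not yet on your known-good list or that talks to a watched remote port such as 6667. The PIDs and program names are the ones the lesson uses; the addresses, the process table, the known-good list and the extra IRC ports are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netstat -aon` output in Windows layout; not real captured data.
# PIDs follow the lesson text: 3400 browser, 2740 mail client, 3838 6r1n.exe, 1516 buscanv.exe.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1516
  TCP    192.168.1.5:1054       203.0.113.10:80        ESTABLISHED     3400
  TCP    192.168.1.5:1061       203.0.113.22:110       ESTABLISHED     2740
  TCP    192.168.1.5:1078       198.51.100.7:6667      ESTABLISHED     3838
  UDP    0.0.0.0:500            *:*                                    1516
"""

# Constructed PID -> image name table, as read off Task Manager or `ps auxf` (assumption).
PROCESS_TABLE = {3400: "firefox.exe", 2740: "thunderbird.exe",
                 3838: "6r1n.exe", 1516: "buscanv.exe"}

# Remote ports worth a second look when an unfamiliar program talks to them.
# 6667 is the IRC port named in the lesson; the rest are other common IRC ports (assumption).
WATCH_PORTS = {6666, 6667, 6668, 6669}

@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int

# One netstat row: proto, local, remote, optional state (blank for UDP), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text: str) -> list:
    """Turn netstat -aon text into Conn records, skipping headers and blank lines."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns

def remote_port(addr: str):
    """Port number of 'host:port', or None when netstat prints '*:*'."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None

def triage(conns, procs, known_good, watch_ports=WATCH_PORTS):
    """Return (pid, name, proto, remote, reason) for every connection that needs review."""
    findings = []
    for c in conns:
        name = procs.get(c.pid, "<no process with this PID>")
        port = remote_port(c.remote)
        reasons = []
        if name not in known_good:
            reasons.append("program not on the known-good list")
        if port in watch_ports:
            reasons.append(f"remote port {port} is on the watch list")
        if reasons:
            findings.append((c.pid, name, c.proto, c.remote, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    # First pass: only the two programs we launched ourselves count as known good.
    first = triage(conns, PROCESS_TABLE, {"firefox.exe", "thunderbird.exe"})
    # After looking buscanv.exe up and confirming it belongs to the virus scanner:
    second = triage(conns, PROCESS_TABLE, {"firefox.exe", "thunderbird.exe", "buscanv.exe"})
    for label, findings in (("before research", first), ("after research", second)):
        print(f"--- {label}: {len(findings)} connection(s) to review")
        for f in findings:
            print("  PID %d %s %s -> %s (%s)" % f)
```

Run it as a script and it prints two triage passes: before the search-engine lookup both unfamiliar programs are listed, afterwards only 6r1n.exe remains, flagged both for being unknown and for its 6667 connection. The known-good set is deliberately something you maintain by hand; the script tells you what to look up, it does not decide for you.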

 


7.1.2 Firewalls
Now, you could sit at your computer and run netstat over and over and over and over,
keeping a constant vigil on the data moving in and out of your computer, or you could use a
firewall program to do it for you.
A firewall monitors network traffic on your computer and uses a number of rules or filters to
determine whether or not a program should be allowed to access the network. A firewall can
filter data according to IP addresses and domain names, ports and protocols, or even
transmitted data. This means that you can do things such as:

       block or allow all data coming from a specific IP address
       block or allow all data coming from a specific domain
       close or open specific ports
       block or allow specific protocols
       block or allow packets which contain specific data strings. 

You can also combine these filters to allow for careful control of the data that is allowed
through the network. For example, you could:

      allow data from www.ibiblio.com through ports 20 or 21 only
      allow data from www.google.com that uses the UDP protocol
      allow data from www.yahoo.com only through port 80 and only if the packets contain
      the text string “I will not waste bandwidth”.
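The combined filters listed above, as an added example that is not part of the original lesson: a small first-match packet filter in Python with a rule for each of the three combinations (ibiblio on ports 20 or 21, google over UDP, yahoo on port 80 only when the payload carries the given string) and a deny-by-default fallback. The Packet and Rule classes, the idea that the sender's address has already been resolved to a host name, and the documentation-range IP addresses in the samples are assumptions; the domains, ports and text string are the lesson's.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set

@dataclass
class Packet:
    src_ip: str        # sender address
    src_host: str      # host name the sender resolved to (assumption: lookup already done)
    dst_port: int      # port on our machine
    proto: str         # "TCP" or "UDP"
    payload: bytes = b""

@dataclass
class Rule:
    action: str                                   # "allow" or "block"
    src_net: Optional[str] = None                 # single IP or CIDR range
    src_domain: Optional[str] = None              # exact host name or parent domain
    ports: Set[int] = field(default_factory=set)  # empty means any port
    proto: Optional[str] = None                   # None means any protocol
    payload_contains: Optional[bytes] = None      # None means payload not inspected

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.src_net is not None and \
                ip_address(pkt.src_ip) not in ip_network(self.src_net, strict=False):
            return False
        if self.src_domain is not None and not (
                pkt.src_host == self.src_domain
                or pkt.src_host.endswith("." + self.src_domain)):
            return False
        if self.ports and pkt.dst_port not in self.ports:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.payload_contains is not None and self.payload_contains not in pkt.payload:
            return False
        return True

def decide(rules, pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; traffic no rule covers gets the default (deny by default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# The three combined filters from the lesson, plus a block rule for a constructed address range.
RULES = [
    Rule("allow", src_domain="www.ibiblio.com", ports={20, 21}),
    Rule("allow", src_domain="www.google.com", proto="UDP"),
    Rule("allow", src_domain="www.yahoo.com", ports={80},
         payload_contains=b"I will not waste bandwidth"),
    Rule("block", src_net="203.0.113.0/24"),  # constructed range, not a real host's network
]

if __name__ == "__main__":
    # Constructed packets; the IPs come from documentation ranges, not the real sites.
    samples = [
        Packet("192.0.2.10", "www.ibiblio.com", 21, "TCP"),
        Packet("192.0.2.10", "www.ibiblio.com", 80, "TCP"),
        Packet("192.0.2.20", "www.google.com", 53, "UDP"),
        Packet("192.0.2.20", "www.google.com", 443, "TCP"),
        Packet("192.0.2.30", "www.yahoo.com", 80, "TCP", b"GET / ... I will not waste bandwidth"),
        Packet("192.0.2.30", "www.yahoo.com", 80, "TCP", b"GET / HTTP/1.0"),
        Packet("203.0.113.9", "unknown.example", 22, "TCP"),
    ]
    for p in samples:
        print(f"{p.src_host:18} {p.proto} port {p.dst_port:<4} -> {decide(RULES, p)}")
```

Rule order matters, as it does in real packet filters: the block rule for the constructed range only fires if no earlier allow matched, and anything not covered by any rule falls through to the default. Keeping that default at "block" is what makes the allow rules meaningful; pass default="allow" and the same rule set quietly lets everything else through.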

 
