Network Monitoring (Sniffing) Technology on Linux Systems - Vulnerability Warning - the Black Bar Safety Net

ID MYHACK58:62200611048
Type myhack58
Reporter Anonymous
Modified 2006-08-12T00:00:00


Preface: while information is travelling across a network, a tool can put a network interface into monitor (promiscuous) mode so that it intercepts or captures the traffic passing by, and the captured traffic can then be used to mount an attack. Network monitoring can be carried out from any position in the network, and attackers most commonly use a sniffer to pick up user passwords. For example, once someone has taken over a host and wants to extend that result to the whole LAN the host sits on, sniffing is usually the shortcut they choose. I have often seen beginners on security forums assume that once they have taken one host, getting into the rest of its intranet should be trivial. It is not: moving from a compromised host to the other machines on the internal network is far from easy, because besides the passwords for those machines you also need a share with a known absolute path, and that path must be writable. At that point, running a sniffer on the host you already control pays off handsomely. It is tedious work, though, and requires patience and persistence. The topics covered include:

1) intercepting data frames
2) analyzing and classifying the intercepted frames
3) detecting and preventing DoS attacks
4) detecting IP spoofing (fraudulent use of IP addresses) and the attacks based on it
5) applications of network monitoring in network detection
6) preliminary filtering of spam

Research significance:

1) Networks in our country are developing quickly, and the corresponding problems appear with them; network management and its applications naturally become more and more important. Monitoring technology is the foundation of network management and its applications, so its significance is obvious. Looking at the current tools, Linux has snort, tcpdump, sniffit and so on, and Windows has NetXRay, Sniffer and others, almost all of them foreign software. As China's networks develop, monitoring systems will be needed, so research into monitoring technology is already a current requirement.

2) Why choose Linux as the environment? After China's entry into the WTO, crackdowns on piracy and the protection of licensed software will be greatly strengthened, and the ubiquity of pirated Windows will become a thing of the past. Faced with this, most companies have only two choices: pay Microsoft a lot of money for licensed software, or switch to the free OS Linux. Important sectors such as state organs and government departments in particular will not want to hand control of their office systems to a foreign company. The Beijing municipal government's office systems have already moved to Red Flag Linux, and the Linux interface has improved and become friendlier and easier to use, so we have reason to believe that Linux will have a lot to offer in our country. That is another reason to study network monitoring on Linux.

Network monitoring technology on Linux has two main points:

1) How to intercept the data frames on the network as completely as possible. Information may be in transit on the Ethernet at any moment, and the volume of traffic varies greatly with the size of the network, so the capture must not only keep each frame intact but also minimize the number of frames that are missed.

2) Filtering and analyzing the intercepted frames. A monitor must obviously be able to "listen" with understanding: the raw frames have to be decoded into data we can use before the monitoring counts as successful.

Network monitoring principles

Ethernet works by sending each data packet to all the hosts connected together on the segment. The frame header carries the address of the host that should receive the packet, and normally only the host whose address matches the destination address in the packet accepts it. A host operating in monitor mode, however, accepts every packet regardless of its destination physical address. Many LANs have a dozen or even hundreds of hosts joined by one cable or one hub. Seen from the higher protocol layers, or from the user's point of view, when two hosts on the same network communicate, the source host sends a packet addressed to the destination host directly to it, and when a host communicates with one outside the network, the source host sends a packet carrying the destination IP address to the gateway. But the upper layers of the protocol stack cannot send the packet by themselves: it must travel down from the IP layer of TCP/IP to the network interface, that is, to the data link layer. The network interface does not understand IP addresses. At the network interface an Ethernet frame header is added in front of the IP packet handed down from the IP layer. That header contains two fields that identify the source host and the destination host uniquely to the network interface: their physical (MAC) addresses, each 48 bits long. These 48-bit addresses correspond to the IP addresses; in other words, an IP address maps to one physical address. A gateway host is connected to several networks, so it has several IP addresses, one on each network, and a frame destined for a host outside the network carries the gateway's physical address.

Once the Ethernet frame has been filled in with physical addresses it leaves the network interface, that is, the network card, and is transmitted onto the physical line. If the LAN is built from thick or thin coaxial cable, the digital signal on the cable reaches every host on the line. If a hub is used, the signal arrives at the hub and is repeated from the hub onto every line attached to it, so the signal travelling on the physical line still reaches every host attached to the hub. When the signal arrives at a host's network interface, the interface in its normal state reads in the frame and checks it: if the physical address the frame carries is its own, or is the broadcast address, it hands the frame to the IP layer software. Every frame arriving at the interface goes through this check. When the host operates in monitor mode, however, all frames are handed to the upper-layer protocol software for processing.

When the hosts connected to the same cable or hub are logically divided into several subnets, a host in listening mode will also receive the packets sent to hosts that are not in its own subnet (different mask, IP range and gateway): everything transmitted on the same physical channel can be received.
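The two steps described above, the NIC's destination-address check and the decoding of the Ethernet, IP and TCP headers once a frame has been accepted, are shown below in C as an added example; it is not code from the original article. The frame it works on is constructed inline (an FTP "USER" command from 192.168.1.10 to 192.168.1.20, with zero checksums) and is not a real capture; the MAC and IP addresses and the function names are my own choices. The flow record it produces (addresses, ports, protocol) is the key a listener later uses to group the packets of one TCP session, as the section on analysis further down describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define ETHERTYPE_IPV4 0x0800

/* One decoded packet, enough to group it with the rest of its session. */
struct flow {
    uint32_t src_ip, dst_ip;    /* host byte order */
    uint16_t src_port, dst_port;
    uint8_t  proto;             /* 6 = TCP, 17 = UDP */
    const uint8_t *payload;     /* points into the frame buffer */
    size_t payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* The check a NIC in normal mode makes: keep the frame only if the destination
 * MAC is our own or the broadcast address. In promiscuous mode everything passes. */
int nic_would_accept(const uint8_t *frame, size_t len, const uint8_t own_mac[6], int promisc)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (len < ETH_HLEN) return 0;
    if (promisc) return 1;
    return memcmp(frame, own_mac, 6) == 0 || memcmp(frame, bcast, 6) == 0;
}

/* Decode Ethernet -> IPv4 -> TCP/UDP into a flow record. Every step checks the
 * remaining length, so a truncated or malformed frame returns -1 instead of
 * being read past its end. Returns 0 on success. */
int parse_frame(const uint8_t *frame, size_t len, struct flow *f)
{
    size_t off = ETH_HLEN, ihl, l4hdr, ip_end;
    if (len < ETH_HLEN + 20) return -1;
    if (rd16(frame + 12) != ETHERTYPE_IPV4) return -1;    /* ARP, IPv6, ... not handled */
    if ((frame[off] >> 4) != 4) return -1;
    ihl = (size_t)(frame[off] & 0x0f) * 4;
    ip_end = off + rd16(frame + off + 2);                  /* end of the IP total length */
    if (ihl < 20 || ip_end < off + ihl || ip_end > len) return -1;  /* IP claims more than was captured */
    f->proto  = frame[off + 9];
    f->src_ip = rd32(frame + off + 12);
    f->dst_ip = rd32(frame + off + 16);
    off += ihl;
    if (f->proto == 6) {                                   /* TCP: data offset in 32-bit words */
        if (off + 20 > ip_end) return -1;
        l4hdr = (size_t)(frame[off + 12] >> 4) * 4;
        if (l4hdr < 20) return -1;
    } else if (f->proto == 17) {                           /* UDP: fixed 8-byte header */
        l4hdr = 8;
    } else {
        return -1;
    }
    if (off + l4hdr > ip_end) return -1;
    f->src_port = rd16(frame + off);
    f->dst_port = rd16(frame + off + 2);
    f->payload = frame + off + l4hdr;
    f->payload_len = ip_end - (off + l4hdr);
    return 0;
}

/* Constructed sample (not a real capture): TCP 192.168.1.10:1025 -> 192.168.1.20:21
 * carrying an FTP "USER" command in cleartext. Checksums are left zero; the parser
 * does not verify them. Returns the frame length, or 0 if the buffer is too small. */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t dst_mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    static const uint8_t src_mac[6] = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    static const char payload[] = "USER alice\r\n";
    size_t plen = sizeof payload - 1, ip_len = 20 + 20 + plen;
    uint8_t *ip = buf + ETH_HLEN, *tcp = ip + 20;
    if (cap < ETH_HLEN + ip_len) return 0;
    memset(buf, 0, ETH_HLEN + ip_len);
    memcpy(buf, dst_mac, 6);
    memcpy(buf + 6, src_mac, 6);
    buf[12] = 0x08; buf[13] = 0x00;                        /* EtherType IPv4 */
    ip[0] = 0x45;                                          /* version 4, IHL 5 */
    ip[2] = (uint8_t)(ip_len >> 8); ip[3] = (uint8_t)ip_len;
    ip[8] = 64; ip[9] = 6;                                 /* TTL, protocol TCP */
    ip[12] = 192; ip[13] = 168; ip[14] = 1; ip[15] = 10;   /* source IP */
    ip[16] = 192; ip[17] = 168; ip[18] = 1; ip[19] = 20;   /* destination IP */
    tcp[0] = 0x04; tcp[1] = 0x01;                          /* source port 1025 */
    tcp[2] = 0x00; tcp[3] = 0x15;                          /* destination port 21 */
    tcp[12] = 0x50; tcp[13] = 0x18;                        /* data offset 5, PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return ETH_HLEN + ip_len;
}

int main(void)
{
    uint8_t frame[128], my_mac[6] = {0x00, 0x00, 0x5e, 0x00, 0x53, 0x01};  /* a third host's MAC */
    struct flow f;
    size_t n = build_sample_frame(frame, sizeof frame);
    printf("normal mode accepts: %d, promiscuous mode accepts: %d\n",
           nic_would_accept(frame, n, my_mac, 0), nic_would_accept(frame, n, my_mac, 1));
    if (parse_frame(frame, n, &f) == 0)
        printf("proto %u port %u -> %u payload: %.*s", f.proto, f.src_port, f.dst_port,
               (int)f.payload_len, (const char *)f.payload);
    return 0;
}
```

The same frame is dropped by a third host's NIC in normal mode and accepted in promiscuous mode, which is exactly the difference the section describes. The length checks in parse_frame are where real sniffers go wrong: a capture that truncates frames (a short snaplen) or an IP header whose total length exceeds the bytes actually captured must be rejected, not decoded.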

On UNIX systems, a user with superuser privileges who wants to put a host under their control into monitor mode only needs to send an I/O control command (ioctl) to the network interface, and the host is switched into monitor mode. On Windows 9x, by contrast, the same thing is achieved by simply running a monitoring tool, whether or not the user has any privileges.

Network monitoring tends to save a large amount of information (much of it junk), and the collected information needs a lot of sorting out, so the listening machine becomes very slow in responding to requests from other users. The listening program also consumes a lot of processor time while it runs; if the contents of packets are analyzed in detail at capture time, many packets will not be received in time and will be lost. So listeners very often store the captured packets in a file for later analysis. Analyzing the captured packets is a headache, because network traffic is very complicated: while two hosts are exchanging packets continuously, the capture inevitably also contains packets from other hosts' conversations. Grouping the packets of one TCP session together is fairly easy for a listener; if you want to sort out the details of what the user did, you need a great deal of analysis based on the protocol the packets carry. With so many protocols in use on the Internet, the listener has its work cut out.

The protocols used on networks today were designed early on, and many implementations rest on a very friendly foundation in which both communicating parties fully trust each other. In a typical network environment user information, passwords included, is transmitted in cleartext, so obtaining user information by network monitoring is not hard: anyone with a basic grasp of the TCP/IP protocols can easily pick up the information they want. Some time ago the Chinese-American China-babble proposed extending monitoring from the LAN to the WAN, but the idea was soon dismissed; had it been realized, I think the network would have fallen into chaos. In fact some user information can already be monitored and intercepted on wide area networks today, just not conspicuously, and on the scale of the whole Internet it is all the more insignificant.