【实验目的和要求】
1、从客户端、服务端分析DHCP协议的安全漏洞;
2、研究ARP协议的工作原理;
3、分析ARP欺骗的工作原理,并通过构造ARP欺骗报文实现交换环境下的网络嗅探实现;
4、木马数据(网络传输数据)分析;
5、分析Wifi安全问题。
【实验步骤】
- 回答DHCP.PDF文档问题。
(1)Are DHCP messages sent over UDP or TCP?
UDP
(2)Draw a timing datagram illustrating the sequence of the first four-packet Discover/Offer/Request/ACK DHCP exchange between the client and server. For each packet, indicated the source and destination port numbers. Are the port numbers the same as in the example given in this lab assignment?
Discover/Offer/Request/ACK
服务机端口:68;客户机端口:67
(3)What is the link-layer (e.g., Ethernet) address of your host? 
(4)What values in the DHCP discover message differentiate this message from the DHCP request message?
TYPE DHCP首部字段中有个选项字段可以看出
(5)What is the value of the Transaction-ID in each of the first four (Discover/Offer/Request/ACK) DHCP messages? What are the values of the Transaction-ID in the second set (Request/ACK) set of DHCP messages? What is the purpose of the Transaction-ID field? 
ID是用于确认是哪条请求,被机器标识。
(6)A host uses DHCP to obtain an IP address, among other things. But a host’s IP address is not confirmed until the end of the four-message exchange! If the IP address is not set until the end of the four-message exchange, then what values are used in the IP datagrams in the four-message exchange? For each of the four DHCP messages (Discover/Offer/Request/ACK DHCP), indicate the source and destination IP addresses that are carried in the encapsulating IP datagram.
如果在发出Discover遇到了就分配的话 多个请求来的话 那么很快就会把DHCP的可用地址用完的,
以上即为这四种情况的源地址目的地址的变化。
在该题目中,DHCP OFFER阶段就提供了主机的ip地址。
(7) What is the IP address of your DHCP server?
10.33.0.1
(8) What IP address is the DHCP server offering to your host in the DHCP Offer message? Indicate which DHCP message contains the offered DHCP address.
DHCP OFFER发送的IP是10.33.122.124,offer消息就包含了DHCP的地址
(9)In the example screenshot in this assignment, there is no relay agent between the host and the DHCP server. What values in the trace indicate the absence of a relay agent? Is there a relay agent in your experiment? If so what is the IP address of the agent?
中继代理IP地址为0.0.0.0,表示没有使用DHCP中继。在我的实验中使用中继代理。
(10)In the example screenshots in this assignment, the host requests the offered IP address in the DHCP Request message. What happens in your own experiment?
(11)Explain the purpose of the lease time. How long is the lease time in your experiment?
租约时间是DHCP服务器分配IP的时间量给客户的地址,如果时间到期,就需要重新申请或者续期,如果没有重新租赁的话,DHCP服务器即自动关闭与其的服务提供。在我的实验中,我的租约时间是一个小时。
(12)What is the purpose of the DHCP release message? Does the DHCP server issue an acknowledgment of receipt of the client’s DHCP request? What would happen if the client’s DHCP release message is lost?
release message:释放租用的IP地址。如果如果来自客户端的DHCP Release消息丢失,则DHCP服务器必须等待该IP地址的租用期结束,直到它可以将其重新用于另一个客户。
2、熟悉wireshark的应用。
3、在现有的交换网络中,若接入一个假冒的DHCP服务器,分析存在的问题。
4、打开学校主页www.guet.edu.cn
进入命令行(开始-运行-输入cmd.exe),利用ipconfig/all 查看本机TCP/IP配置;利用arp –a 查看本机的arp缓存,记录网关的IP和MAC间对应关系如下:
然后用 arp –d 删除ARP记录。
从主机A上向主机B发PING检测报文,观察此时是否能捕获ARP报文,如果能,记录并分析ARP报文各字段的含义:
| 实验项 | ARP包字段名称 | 值 |
| 1 | Source MAC | c0:e3:fb:19:9e:98 |
| 2 | Source IP | 10.33.0.1 |
| 3 | Target MAC | 28:7f:cf:a3:3e:f5 |
| 4 | Target IP | 10.33.122.124 |
通过arp - a 查看ARP表的更新情况,记录此时能否看到B对应的MAC地址:
5、ARP欺骗之前的网络嗅探
5.1 A主机上外网(目标网站明文传输,输入任意的帐号和口令),B运行sinffer(选定只抓源为A的数据),B是否能看到A和外网的通信(A刚输入的帐户和口令)?为什么?
可以,因为网站使用的是明文传输。
5.2 为了捕获A到外网的数据,B实施ARP欺骗攻击,B将冒充该子网的什么实体?利用scapy构造arp欺骗报文,实施只针对A的ARP欺骗攻击,再次重复5.1操作,结果如何? (能捕获到A的数据吗?)你构造了什么样的ARP报文达到ARP攻击的目的?填入下表。构造ARP请求报文以达到欺骗的目的。
答:B将冒充该子网的网关。
| 实验项 | ARP包字段名称 | 值 |
| 1 | Source MAC | 00-0C-29-B5-54-41 |
| 2 | Source IP | 192.168.237.128 |
| 3 | Target MAC | 00-50-56-F3-0F-1C |
| 4 | Target IP | 192.168.237.129 |
6、写出以上实现ARP欺骗的Python脚本
(1)首先查看被欺骗主机的IP和网关,查看此时的arp表
(2)主机和目标主机互ping,可以ping通
(3)运行arpspoof
4)查看目标主机此时的arp表
(5)观察目标主机,已ping不通百度
停止欺骗,可以ping通百度
(6)wireshark抓包
7、查阅资料,描述ARP欺骗的防范方法。
8、完成木马数据流分析,从ratinfected.pcap中还原其传输的被攻击者桌面(截图保存)。
(1)对数据流进行筛选
(2)追踪流
(3)修改“显示和保存数据为”-——原始数据
另存为
(3)用winhex打开
把所以我们将“FF D8 FF E0…”前面的数据都删除掉,保存后即可打开图片。
扫一扫
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
