2021HCNA security 网络安全配置.docx

《2021HCNA security 网络安全配置.docx》由会员分享，可在线阅读，更多相关《2021HCNA security 网络安全配置.docx（135页珍藏版）》请在课桌文档上搜索。

1、HCNAsecurity网络安全1课程简介2USG模拟器使用环境准备权限192.168.0.1默认地址adminAdmin123默认密码更改之后密码：abc-1234(abc-12345)清空配置删除除拓扑以外的文件夹Driveresetsaved-configuration清空酉己置双桥接实验手册砥羊共享CE6800交换机3OSI模型OSI模型：OPensysteminterconnection开放式系统互联（七层）一层：物理层：物理线缆二层：数据链路层：mac地址三层：网络层：IP地址四层：传输层：端口号（TCPUDP）五层：会话层八层：表小层局层七层：应用层注意：OSi目前已经被淘汰。目

2、前tcp/ip已经取代OSi模型。数据包结构二层MACifeiit数据链路层三层IP地址+四层4OCP、UDP端匚网络层OSI模型七层厂APDU应用层7提供应用程序间通信PPDU表示层G处理数据格式、数据加密等SPDU会话层S建立、维护和管理会话厂SegMe八七传输层4建立主机端到端连接Packet网络层3寻址和路由选择FrFe数据链路层Z提供介质访问、链路管埋等1Bit物理层1比特流传输上三层Y下四层4TCP/IP模型OSITCP/IP和C)SI的对应关系TCP/IPipv4报文：version版本：4ipv4IHL(header):ipv4包头长度(变化)ToS(dDSCP差分服务代码点)

3、：服务质量将流量进行分类，然后针对特定类的数据包实现优先转发totallength:总长度总长度-头部长度=高层数据标识、标记、分片偏移用来对数据包进行分片和重组identification标识位：标记属于同一片报文的idflags标记：标记最后一片报文，告知下一个路由器同一个包分片结束fragmentoffset偏移位：用来确保重组的顺序TTL(timetolive):生存周期现在用来记录传输的跳数防止三层路由环路报文通过三层设备时才会减一protocol协议字段：标识上层协议IlCMP6TCP17UDPheaderchecksum头部校验：校验ipv4报头在传输的时候是否损坏options

4、选项位：对于ipv4报文的高级功能（如松散源路由等）进行定义可有可无Padding填充位：在OPtionS不足32bit时，使用Padding填充Oo5各层协议之间的关系例如：数据链路层为三层的网络层服务。二层type:0x0800ip二层type:0x0806arpFrame452:641bytesonwire(5128bits),641bytescaptured(5128bits)EthernetII,Src:60:67:20:77:15:22(60:67:20:77:15:22),Dst:bc:dl:77:09:14:15Destination:be:dl:77:09:14:15(be:

5、dl:77:09:14:15)Type: p C0x0800)Source:60:67:20:77:15:22(60:67:20:77:15:22)InternetProtocol,Src:192.168.1.104(192.168.1.104),Dst:42.236.9.90(42.236TransmissioncontrolProtocol,SrcPort:59335(59335),DstPort:http(80),Se，例如:三层protocol:6tcp三层protocol:17udp三层protocol:1icmpFrame452:641bytesonwire(S128bits),6

6、41bytescapured(5128bits)EthernetII.Src:60:67:20:77:15:22(60:67:20:77:15:22),Dst:bc:dl:77:09:14:15(bc:dl:77:1internetProtocol.Src:192.168.1.104(192.168.1.104),Dst:42.236.9.90(42.236.9.90)version:4Headerlength:20bytesDifferentiatedServicesField:000(DSCP000:Default;ECN:0x00)TotalLength:627Identificatio

7、n:0x6953(26963)Flags:002(Don,tFragment)Fragmentoffset:0PrOtoC01 :- TCP (6,Timefo1ivc12898dbcorrectSource:192.1B8.1.104(192.168.1.104)Destination:42,236.9.90(42.236.9.90)TransmissionControlProtocol.SrcPort:59335(59335),DstPort:http(80).Seq:1.Ack:HypertextTransferProtocol例如：四层：端口：80http21ftp23telnetFr

8、ame452:641bytesonwire(5128bits),641bytescaptured(5128bits)EthernetII,Src:60:67:20:77:15:22(60:67:20:77:15:22),Dst:be:dl:77:09:1internetProtocol,Src:192.168.1.104(192.168.1.104),Dst:42.236.9.90(42TransmissionControlProtocol,SrcPort:59335(59335),DstPort:http(80)SOIlrrancrt:S933S5933”Destinationport:ht

9、tp(80)1.srreamne:4jsequencenumber:1(relativesequencenumber)Nextsequencenumber:S88(relativesequencenumber)Acknowledgementnumber:1(relativeacknumber)Headerlength:20bytes-Flags:018(PSH,ACK)windowsize:66048(scaled)checksum:O4O3cvalidationdisabled-SEOACKanalysis!IHypertextTransferProtocolI二层：type-三层：prot

10、ocol四层：端口高层应用层6各个层次的攻击手段TCP/IP协议栈常见安全风险7kali踩点扫描篇工具：nmapZenm叩nmap-sP192.168.6.1-120对6.1-6.120使用Ping命令进行扫描3-5s即可完成zenmap:图形界面nmapZenm叩是nm叩的GUI版本，由nm叩官方提供，通常随着nmap安装包一起发布。Zenm叩是用PythOn语言编写的，能够在Winde)Ws、Linux、UNIX、MacOS等不同系统上运行。开发ZenmaP的目的主要是为nm叩提供更加简单的操作方式。配置:扫描intense:强烈的认真的细致的scan:扫描comprehensive:综合

11、的完整的Zenmap扫描ia(El(P)MK（三）口称:11192.168.6.100-120I俞令：、nmjp-T4-A-v192.168.6.100-120主机Hl作系烧，主机 U 192.168.6.1NmaP出柘扑主机第18扫描nmap-T4-A-v192.168.6.100-120Nmapscanreportfor192.168.6.11620个地址大概需要扫描5分钟a:EUP-T4A-v192.1686100120主帆修符掇作累睡，主机U192.168.6.100D1911616.105U192.168.6,109D292.1必&IMV191168101。192.168.6.103

12、V191168.6.110。192.1686KMV192.168.6.107U192.1686108U192.168.6.102192.168.6.113192.1686IM192.1686115NnMP出王机拓扑王机峭8BWEMPT4Av192.1限&100420Mvapscanreportfor192.168.6.11HostisupdsACMdrtssiee：oc；29：FD：n：csvnrc)Runnlno;MicrosoftWindowsXP05C，E；rpe:/o:iBlcro$oft：windowxp：sp2cpe/o：nlcrosoft:windowsxp：:$p3OSdtlU

13、;MicrosoftWln70nrHg;IernCrdMrylcrlntOlFC:Wlndo4,Hndow$XP；CP：cpo：“EICrsoft:SruloWcpe：/o：elcrosofrwindowsXPl192.1686116192.16S112Mo.tscritr,ult:Iclock-skew：11ca11:2$.d*vlton:e5.*dian:2Ibsxt:MetBIOSnane：xiAOGE-xNetBIOSustr：,NetBIOSHAC：66：0c：29：fd：U：c5(Vare)IHanes：IXIAOGEXPIXIAOGEXPIef二，.9二WORKGROUP。“I$

14、rtb-o$-di$overy：Flags：Flags：Flags：Flags：IOS：NlfXlOWSXP(MlndOWS268LANManager)I_OSCPE：pe。：QKrogof；windowsxp：一)(onpuxernxe：XIaogeTPMetBIOScomputernw：IAOG-XPxOWorkarouo：wRKGWJUPMB()工II(T)El)MK（三）白林19246l0420融令nmU-A-V1921686.100-120EKinterneannn*nt主机U19216a6.1O0口1921616105V1921686109P19Z168GIMU192168.6.1

15、01P1921他6103U19l6a6.110P1921686104P1921616107口19216S6108U19l681021921686113.19Z16861HI1921686115|主机ft19216861161921686112王机叫IS以mvpcnetts-ssnhttpsmrmo11-dvr*we*rthw11Mvre-uthgwtcsefvervnchttpVnCmvpcmtrpcrmfpcmsrpcm&rpcowe唯*MroohWhdowRKMcfoflWndomnebtos-ssnVftidows7UtthMte7601ServicePk1IrkmoftCMXtroup

16、:WORKGROUVTwrrAuChcnhcjnonDaemon110(U/VNC.SOAP)VM*reAuthentKdbonDaemonLO(UsesVNCSOAP)MiCMOnTenrtnjiServiceVNCServerEnterprBeEdftnnhttpd4S4r41964reoluVo:48Q2S0VNCpoet5900fRMVNCEfWpme(PrOtoC0411MtroioftWndOMWRPCMiCWonWhwRPCMcroftWhdowsRPCMmHj,：Qulckscan,出后Fl2，CrnaPT4-FwvMvbMdu.ccm王6SMfTAtt 主机U 19216&6

17、.10OU19Z16&101P19Z8A102。19216a&104U1921H6105，192166,106U19Z16k107P19Z16&1M口19Z168l6l109NmP出口住机抵升主机VlfB封nmapT4-FMducomStartingNroP7.09(https:/nrap.org)at21-1-219:44ESTmapSnreportforwww.bald.on1113.2M.211.112)HostKup(.024$Uty哂.OHvffl O139/tcr O8(Vtc OI351cr*vtBa-biniwr O445t修 O136/lcp O491520 O491S3tc

18、 O9ISV O9iS5t O沏如用 O491STy&OWy翌1世1661050r341)三阳166112w3IMGl2第*W228IHlai12G66G66AmaIiiMaI6666666666666666666“%w8姐w8e8eMM36868M838u筮爸央生第誉8M筮爸W爸筮弘笠B02928原等Rgier*,比3r.Eoix,tMdCmr(2M!3)三RattVilnul*122/3013)利用报文：pingarp请求tcpsynnetbios8 kaliIinux攻击之断网：(原理arp欺骗)攻击机kali6.50受害者Win76.116arpspoof-ieth-t192.168.

19、6.116192.168.6.1-i网卡-t目标IP网关防御：后面再讲9 arp协议原理简介:(AddressResolutionProtocol),地址解析协议l通过目的IP地址，请求对方MAC地址的过程。PCl- 31.5Ml-PC231.6M2二层MlM2?三层31.5-31.6-a显示arp缓存arparp过程：cmdarparp-d*清空arp缓存表arp报文种类： PClPC2arp请求包：request广播注意：目标mac为全F,该报文属于广播，交换机见到目标mac为全F的报文会群发（泛洪）。dynamic动态缓存 PC1M1arp-S静态绑定例如：arp-S192.168.6.

20、20lc-87-2c-61-ff-25arp欺骗注意使用arp的响应报文！总结：arp协议太傻，谁给的响应它都相信！10arp攻击与防御攻击原理：利用arp傻傻的一根筋思维！别人说啥都信！原理：利用虚假的arprelay报文毒化PC或者网关的arp缓存表,arpreply报文会直接覆盖自己当前的arp表,后来的arpreply优先！即两头哄骗技术！：1 月 16dIbW分网百度网关IP6.1mac:ASW1=IeKali攻击机受害者Win7IP:6.50mac:BIP:6.80mac:Ckali攻击机：arpspoof-t192.168.6.1192.1686.80欺骗6.1声称自己就是6.8

21、0（将6.80的mac伪装成B,通过arprelay报文发送给61）arpspoof-t192.168.6.80192.168.6.1欺骗6.80声称自己就是6.1（将6.1的mac伪装成B,通过arprelay报文发送给6.80）开启kali的路由转发能：echo1procsysnet/ipv4ip_forwardCtrl+shift+tIinUX里面切换窗口攻击时通不攻击时也通用户网不中断！查看用户隐私、限速、篡改用户报文、欺骗钓鱼！文件S(E)视EB(Y)KH(G)HI获(0向加】tt(三)电话(P无线)工具用助但)显示过渡88_显示过滤器安圆).tcpSTtramPqO作为过滤器应用准

22、备过滤H对话过渡H启用的势议一SCTP追踪流Frame133:6bytesonwire(48EthernetIIrSrc:HUaWeiTe_8d:4b:解码为但)f新款入Lu牌件0H27TelnetData60TclnctDataCtrt+Shlft+Ctrl+Shift+LITCP流IIetransmissionc=29=fma.95)Retransmission：56CPRetranSmIssiOQ6TelnetData.本信息InternetProtocolVersion4,Src:192.168.6.254fDst:192.168.6.8TransaissionControlProto

23、colzSrcPort:23,DstPort:64595,Seq:Telnet1.en:6防御:dhcpsnooping+ip源防护+DAIarp限速360安全卫士开启局域网防护dhcpsnooping:dhcpsnoopingenable全局dhcpsnoopingenablevlan1intxxdhcpsnoopingenable或者vlanxxdhcpsnoopingenintxxxdhcpsnoopingtrusteddisplaydhcpsnoopinguser-bindarp报文限速功能：执彳亍命令arpspeed-limitsource-macmaximummaximum,配置根

24、据任意源MAC地址进行ARP报文限速的限速值。执彳亍命令arpspeed-limitsource-ipmaximummaximum,酉己置根据任意源IP地址进行ARP报文限速的限速值。执行命令arpanti-attackrate-limitenable,使能ARP报文限速功能。缺省情况下，未使能ARP报文限速功能（可选）执行命令arpanti-attackrate-limitalarmenable,使能ARP报文限速丢弃告警功能。DAl动态arp检测:intXXXarpanti-attackcheckuser-bindenablearpanti-attackcheckuser-bindalar

25、menable,使能动态ARP检测丢弃报文告警功能（可选）arpanti-attackcheckuser-bindalarmthresholdthreshold,配置动态ARP检测丢弃报文告警阈值。（默认是100）方法A:不启用dhcp-snooping,使用USer-bindstatic静态建立ip-mac-接口检查表项（这种方法适用于企业静态给用户配置ip地址的情况）192.168.31.1interface EthernetC，0/2user-bindstaticip-ddress192.168.31.7mac-address0021-cccf-1d28interfaceEthernet

26、002ipsourcecheckuser-bindenableEthernet00/1192.168.31.7全局user-bindstaticip-address192.168.31.7mac-address0021-cccf-ld28interfaceEthernet002interfaceEthernet002ipsourcecheckuser-bindenable即可接在e002口的PC只能是31.7mac是ld28才可以通过e002若ip和mac不匹配则报文将被直接丢弃方法B:192.168.31.1dhcp serverEthernet 0/0/0Ethernet0)1dhcpsn

27、oopingEthernet0)2Ethernet0)1192.168.31.7Quidwaydisdhcpsnoopinguser-bindallbind-table:FlagsrO-outervlan,I-innervlan,P-mapvlanifnamevsi0IP-vlanmac-addressip-addresstpleaseEth0021/0021-cccf-ld28192.168.31.251D2008.01.01-14:50Dynamicbinditemcount:1Dynamicbinditemtotalcount:1Quidway11dhcp协议原理DHCP(Dynamic

28、HostConfigurationProtocol)动态主机配置协议，给用户自动分配ip地址、网关、DNS等参数。可以提供DHCP功能的设备：路由器、家用路由器(小米、tp-link等)、防火墙、三层交换机、服务器用户上网满足参数：IP地址、网关、DNS等。配置：路由器：dhcpenable启用dhcp功能inte000ipadd192.168.31.124dhcpselectglobal配置dhcp选择从全局分配地址ippoolqq创建地址池qqgateway-list192.168.31.1网关network192.168.31.0mask255.255.255.0ip和掩码dns-lis

29、t114.114.114.114192.168.31.1DNSdisippoolnameaaused查看dhcp的分配记录KItGbootpExp”(it.CWrApplyNo.TimeSourceDtinMionProceedtofc711.8400000.0.0.0255.255.255.255DHCPDHCPDiscover-ransact811.8710192.168.31.1192.168.31.251DHCPDHCPOfferTranSaetiOn1013.8370000.0.0.0255.255.255.255DHCPDHCPRequest-Transaction1113.852

30、000192.168.31.1192.168.31.251DHCPDHCPACK-TranSaCtfonlFrame11:342bytesonwire(2736bits).342bytescaptured(2736bits)EthernetIIvSrc:HUaWeiTJ67:22:de(54:89:98:67:22:de)tDst:HuaweiTe.f3:52:ee(54:89:98:f3:52:ee)InternetProtocol,Src:192.168.31.1(192.16.31.1),Dst:192.168.31.251(192.168.31.251)userDatagramProt

31、ocol,SrcPort:btps(67),DstPort:bootpc(68)BtstrapProtocol第一个报文:dhcpdiscover源地址：0.000目标地址：255.255.255.255广播用户请求地址的时候,将自己的mac地址封装在dhcp的报文里面，服务器基于不同的mac地址来区分不同的计算机，进而分配不同的ip地址。12dhcp冒充攻击接入交换机：dhcpenabledhcpsnoopingenablevlan1dhcpsnoopingenablei11tgiO/O/1将上联设置为信任接口(默认所有的接口都是非信任口)dhcpsnoopingtrusted13dhcp耗

32、尽攻击dhcpserverkali攻击机电害者kali攻击机伪装各种dhcp请求报文将dhcp地址池耗尽，使得受害者无法获取ip地址win7虚机里面运行ensp,使用路由器搭建dhcp服务,kali通过云彩桥接到交换机进行dhcp耗尽攻击.kali执行攻击指令:pig.pyethrootgkali:-# pig.py eth(- INFOJ using interface eth DBG Thread - (Sniffer) READYThread 1 - (Sender) READY DHCP.Discover DHCP_Discover DHCP_DiscoverDHCP Offer ee

33、：ee：fc：ad：39：c8 OHCPlReqUeSt 192.168.6.173DHCP DiscoverDHCP DHCP DHCP DHCP DHCP DHCPOffer G6：ed:fc：ad:39：c8Request 192.168.6.172 DiscoverOffer ee：ed:fc:ad:39:c8Request 192.168.6.171DiscoverDHCP_Offer ( OHCP.Request ： DHCP Offer I OHCP二ReqUeSt ： DHCPZDlscoverI OHCP Offer_(0O:eG:fc:ad:39:c8 192.168.6.

34、17 be:dl:77:69:14:15 192.168.6.1160:cG:fc:ad:39:c8.IP:192.168.6.173for.,IP:192.168.6.172for,.0,IP:192.168.6,171for.8.IP：192.168.6.17fore.e.IP:192.168.6.116forMAC-de:ad：ei:5d:6f:flMAC=(de：ad:00:13；c5:6fMAC=de:ad:Il:5b:b2:a6MAC-de:ad:21:37:6b:bcMAC(ff:ff0.0.0.0 IP: 192168.6169 for MAC=Ide:ad:27:63:52:

35、Cfl路由器dhcp服务搭建：ippoolaagateway-list192.168.6.254network192.168.6.0mask255.255.255.0dns-list114.114.114.1148.8.8.8interfaceGigabitEthernetO/O/Oipaddress192.168.6.254255.255.255.0dhcpselectglobal查看指令：disippoolnameaauseddis ip pool Pool-name Pool-No Lease Doma i n -name DNS-serverO DNS-serverl NBNS-Ser

36、verO Netbios-type Position Gateway-O MaskVPN instancenameaausedaaO1 DaysOHoursOMinutes114.114.114.1148881.ocalStatus192.168.6.254255.255.255.0StartEndTotalUsedIdle(Expired)ConflictDisable192.168.6.1192.168.6.25425362191(16)OONetworksection:IndexIPMACLeaseStatus175192.168.6.176dead-2729-6636190Used17

37、6192.168.6.177dead-0flc-cc89190Used178192.168.6.179dead-1438-8376191Used179192.168.6.180dead-133c-84a3192Used180192.168.6.181dead-1515-5cf3192Used181192.168.6.182dead-1f3e-a6de193Used182192.168.6.183dead-1831-0d75193Used183192.168.6.184dead-191c-60e0193Used184192.168.6.185dead-092f-b2b7194Used187192

38、.168.6.188dead-0408-c03b196Used188192.168.6.189dead-2110-7839197Used189192.168.6.190dead-126f-75c2197Used1Qn1Q2IWaAlQlHoaH-11R14-71ft1QaFIqqK防御：dhcpSnOOPing端口dhcp请求限速（个数）14DHCPDOS攻击:攻击工具:yersiniaWVVW.yersinia,netyersinia是一款底层协议入侵工具，它能伪装多种协议的报文并实施欺骗和攻击。例如：夺取生成树StP的根角色，生成虚拟CdP(Cisco发现协议)邻居。在一个hsrp冗余型网

39、络环境中伪装成一个活动的路由器、制造假dhcp报文反馈，耗尽dhcp地址池等等。具体可以虚拟的报文如下： SpanningTreeProtocol(STP) CiscoDiscoveryProtocol(CDP) DynamicTrunkingProtocol(DTP) DynamicHostConfigurationProtocol(DHCP) HotStandbyRouterProtocol(HSRP) IEEE802.1Q IEEE802.1X Inter-SwitchLinkProtocol(ISL) VLANTrunkingProtocol(VTP)启动工具：yersinia-G死?怨11363336.0210241363乂 6.02107913S335 6.O21O9O136336 6.02114513H7.0aiM136338 6.02122113S9S9.0a2M136 MO 6.0212910.0.0