LESSON 7 ATTACK ANALYSIS part II

Source: Internet  Published under: Capital structure optimization of listed companies  Editor: 程序博客网  Time: 2024/06/05 18:30

You, however, won't need to work out all the rules on your own. You can take advantage of the firewall's ability to set these filters itself. After you first install a firewall, you will be hit with a flurry of warnings and requests for access, and you will have to determine whether or not a program will be allowed to access the network. (The firewall may also give you the option to let the firewall determine what rights programs have to access the network, but then you wouldn't learn anything, would you?) This process is going to be similar to the one that we used to identify the programs listed by netstat. A program named iexplorer.exe is obviously Microsoft's Internet Explorer and, if you use it as your web browser, then the firewall must allow it to access the Internet. But a program named cbox.exe could be anything. You've got no choice but to go to your preferred web search engine and check it out. (Of course, before you can do this, you've got to tell the firewall to allow your web browser to access the Internet.)

The firewall program should also give you the option to allow access to a program repeatedly, or just once. Some programs – like your web browser – should be allowed to access the network anytime, but for other programs – such as the ones that automatically check for program updates – you can learn a lot about how your computer works by having the firewall ask for permission every time that the program requests access.

Firewalls are available as stand-alone programs (including a number of free versions for both Windows and Linux) or they are often bundled with anti-virus software. Additionally, Windows XP comes with a built-in firewall, but, as is the case with Windows Internet Explorer, it will be targeted by people looking for exploits – flaws in other firewalls may never be found, but flaws in a Microsoft firewall will be found and they will be exploited.

You don't need to understand all of the rules yourself; you can simply let the firewall filter the data. After you first install a firewall, you will receive many warnings and requests that need you to decide whether a program may connect to the network. (The firewall can also make that judgement itself, but then you wouldn't learn anything, would you?) This process is similar to the one we used earlier to identify programs. iexplorer.exe is obviously Microsoft's browser; if you set it as your main browser, the firewall has to allow it to connect to the network. But we don't know what kind of program cbox.exe is, so your only option is to look up information about it with your web browser. (Of course, you first have to let the web browser through the firewall so that it can get online.)

The firewall will ask you repeatedly whether a program may connect to the network, or possibly only once. Some programs (your browser) should be allowed to connect at all times, but for other programs (such as automatic checks for program updates) you can learn a lot about your computer each time the firewall raises a request.

A firewall can be used as a stand-alone program (there are many free versions for Windows and Linux) or bundled inside anti-virus software. In addition, Windows XP comes with its own firewall, but, like the web browser that comes with Windows, it is more likely to be attacked: flaws in other firewalls may never be found, but flaws in the Microsoft firewall will be found and exploited.

Exercises:
Open up a command prompt on your computer and enter:
netstat -aon (for Windows) or
netstat -apn (for Linux)
Match the PID numbers with program names and try to determine which programs on your computer are accessing the network. (This is something that you can try at home, also.)

Exercises

Open a command prompt on your computer and type:

netstat -aon (Windows) or

netstat -apn (Linux)

Look up the PID number for each program name and find out which programs on your computer are accessing the network. (You can do this at home.)
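The PID-matching step of this exercise, done in Python rather than by hand, as an added example that is not part of the lesson. The `netstat -aon` listing and the PID-to-name table (the kind of mapping `tasklist` gives you) are constructed; every PID, address and name is made up, with cbox.exe standing in for the unidentified program from the text.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -aon` output in the Windows column layout.
# PIDs, addresses and program names are made up for this example.
NETSTAT_AON = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    192.168.1.10:1041      198.51.100.80:80       ESTABLISHED     2212
  TCP    192.168.1.10:1042      198.51.100.80:80       ESTABLISHED     2212
  TCP    192.168.1.10:1055      203.0.113.7:6667       ESTABLISHED     3108
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name table (what `tasklist` reports); KNOWN_PROGRAMS are the ones already identified.
TASKLIST = {836: "svchost.exe", 2212: "iexplorer.exe", 3108: "cbox.exe", 4: "System"}
KNOWN_PROGRAMS = {"iexplorer.exe", "svchost.exe", "System"}

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) for every socket row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows

def connections_by_program(rows, pid_table):
    """Map program names to the remote endpoints they talk to; listening
    sockets have no peer yet, so they are returned as a second mapping."""
    talking, listening = defaultdict(set), defaultdict(set)
    for proto, local, foreign, state, pid in rows:
        name = pid_table.get(pid, f"<unknown pid {pid}>")
        if state == "LISTENING" or foreign in ("*:*", "0.0.0.0:0"):
            listening[name].add(f"{proto} {local}")
        else:
            talking[name].add(f"{proto} {foreign}")
    return dict(talking), dict(listening)

def unknown_programs(by_program, known=KNOWN_PROGRAMS):
    """Names with network activity that you have not yet identified."""
    return sorted(name for name in by_program if name not in known)

if __name__ == "__main__":
    talking, listening = connections_by_program(parse_netstat(NETSTAT_AON), TASKLIST)
    print("look these up:", unknown_programs(talking))
```

The remaining step is the one the lesson describes: search the web for each name that comes back as unknown.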

 

7.2 Packet Sniffers
Netstat will tell you what programs are connected to the network, but it won't show you what data these programs are sending. A packet sniffer, however, gives you the means to record and study the actual data that the programs are sending through the network.

7.2.1 Sniffing
A packet sniffer will record the network traffic on your computer, allowing you to look at the data. Tcpdump (and its Windows port, windump) may be considered the archetypical packet sniffers, but we're going to use Ethereal for our examples, because its graphical interface is simpler, and it allows you to more quickly record and view a basic capture file. If you don't already have Ethereal, it can be downloaded from www.ethereal.com. Note to Windows users: To use Ethereal on a Windows based system, you must first download and install the WinPcap packet capture driver. WinPcap is available on the Ethereal download page or you can go to www.winpcap.polito.it to download it directly.

Shut down all other applications, then start Ethereal. In the menu click on View then Autoscroll in Live Capture. Next, click on Capture, then Start to go to the Capture Options screen. On the Capture Options screen, make sure that the box marked “Capture packets in promiscuous mode” is not checked, that the three check boxes under “Name Resolution” are checked, and that the box marked “Update list of packets in real time” is checked.

7.2 Sniffers

The netstat command lets you see which programs are connected to the network, but it does not show the data those programs are transmitting. A sniffer can record and analyze the actual data these programs send over the network.

7.2.1 Sniffing

A packet sniffer records the network traffic on your computer and lets you look at the data. Tcpdump (when it has a Windows interface it is called windump (this translation is awkward; I can't even stand reading it myself)) is recognized as the archetypal packet sniffer, but we use Ethereal as our example because its graphical interface is simple and lets you record and browse a basic capture file more quickly. If you don't have Ethereal, you can download it from www.ethereal.com. Windows users take note: installing Ethereal on a Windows system requires you to first download and install the WinPcap packet capture driver. WinPcap can be downloaded from the Ethereal download page or from www.winpcap.polito.it.

Close all other applications and start Ethereal. Click View in the main menu; on the capture options screen, do not select “Capture packets in promiscuous mode”, select all three options under “Name Resolution”, and also select the “Update list of packets in real time” option. As shown in the figure below.

Now, click on the “OK” button.

In theory, nothing should happen now. You'll see a window for Ethereal which displays the number of packets that have been captured, and, behind this, you'll see the Ethereal screen which displays the data in those packets. You may see a small amount of traffic that is caused by the computers on the local network trying to keep track of each other (ARP, NBNS, ICMP) followed by DNS activity as Ethereal attempts to resolve names.

To see some activity, you're going to have to generate it. While Ethereal is running, open your web browser. Minimize everything other than the main Ethereal screen and your web browser, and arrange the Ethereal and web browser windows so that you can see both at the same time. Now go to a web search engine, such as www.google.com.

As the web page loads, you should see information about captured packets scrolling up through the Ethereal screen. Pick a search term and enter it into the search bar. Click on some of the web pages that are brought up by the search and watch what happens in Ethereal as you do.

Note: If Ethereal reports no network activity at all, you may have the wrong network interface chosen. Go to the Interface drop-down list in the Capture Options screen and choose a different network interface.

Now, click the OK button.

In theory, everything should be working now. You will see an Ethereal window displaying the captured packets and, behind it, a screen displaying the data inside those packets. You will see a small amount of traffic generated by the local network; this is because Ethereal uses DNS lookups to contact servers on the network in order to resolve names (ARP, NBNS, ICMP).

To see network traffic, you need to open some programs. While Ethereal is running, open your browser. Minimize the other programs, leaving only the Ethereal screen and the web browser, and arrange the two windows so that you can watch both at the same time. Now connect to a search engine, such as www.google.com.
As the web page opens, you should see the captured information scrolling on the Ethereal screen. Search for something in the search engine, open the pages the search brings up, and watch what happens in Ethereal.

Note: If Ethereal reports no network activity, you may have connected the wrong network interface. Open the interface drop-down list on the Capture Options screen and select a different network interface.
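What Ethereal's Protocol column is doing behind the GUI when it labels the frames described above (ARP, NBNS and ICMP first, then DNS, then the web traffic): it reads the Ethernet type field, the IPv4 protocol field and the transport ports. This is an added example, not code from the lesson or from Ethereal; the capture is constructed with struct-packed frames (placeholder MAC addresses, zero checksums), and the port-to-name table is a deliberately small stand-in for Ethereal's dissectors.

```python
import struct

ETH_ARP, ETH_IPV4, IP_ICMP, IP_TCP, IP_UDP = 0x0806, 0x0800, 1, 6, 17
PORT_LABELS = {(IP_UDP, 53): "DNS", (IP_UDP, 137): "NBNS", (IP_TCP, 80): "HTTP"}

def frame(ethertype, payload):
    # Ethernet II header: placeholder destination and source MACs, then the ethertype
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header: no options, TTL 64, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp_syn(sport, dport):
    # 20-byte TCP header carrying only the SYN flag
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)

def classify(raw):
    """Return the protocol label a sniffer would show for one raw frame."""
    if len(raw) < 14:
        return "short frame"
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != ETH_IPV4:
        return "ARP" if ethertype == ETH_ARP else f"ethertype 0x{ethertype:04x}"
    ihl = (raw[14] & 0x0F) * 4    # IPv4 header length in bytes
    proto = raw[14 + 9]           # IPv4 protocol field
    if proto == IP_ICMP:
        return "ICMP"
    l4 = raw[14 + ihl:]           # TCP and UDP both start with source and destination port
    if proto not in (IP_TCP, IP_UDP) or len(l4) < 4:
        return f"ip proto {proto}"
    sport, dport = struct.unpack("!HH", l4[:4])
    for port in (dport, sport):   # a well-known port names the application protocol
        if (proto, port) in PORT_LABELS:
            return PORT_LABELS[(proto, port)]
    return "TCP" if proto == IP_TCP else "UDP"

# Constructed capture, in the order the lesson says the traffic appears
CAPTURE = [
    frame(ETH_ARP, struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes(20)),
    frame(ETH_IPV4, ipv4("192.168.1.10", "192.168.1.255", IP_UDP, udp(137, 137, bytes(50)))),
    frame(ETH_IPV4, ipv4("192.168.1.10", "192.168.1.1", IP_ICMP, bytes.fromhex("0800000000010001"))),
    frame(ETH_IPV4, ipv4("192.168.1.10", "192.168.1.1", IP_UDP, udp(1025, 53, bytes(30)))),
    frame(ETH_IPV4, ipv4("192.168.1.10", "198.51.100.80", IP_TCP, tcp_syn(1041, 80))),
]
```

Running `[classify(f) for f in CAPTURE]` reproduces the sequence the text describes; a real capture file differs only in that the bytes come from the driver instead of being packed by hand.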
