NSPA3: Network Security Packet Analysis Notes

Note

Wireshark colors

  • Light blue: UDP
  • Gray: connection setup (SYN) or teardown (FIN)
  • Red: abrupt disconnection
  • Blue-purple: encrypted packets
  • Green: plaintext transmission
  • Black:
  • Black background, red text: ignore these; a packet was dropped, errored, or a retransmission was requested (fault control)
  • Black background, green text: network target unreachable; the IP address is wrong or the remote port number is closed (a firewall may be what sends this reply)

Showing Country, City, AS Number and AS Organization for packets

  1. Edit -> Preferences -> Name Resolution -> MaxMind database
  2. Google -> GeoIP free download -> MaxMind database
  3. Three archives -> C:\directory\ (place them in a directory that everyone can access)

Ignoring traffic by AS Number

  • Google: 15169
  • Chunghwa Telecom Data Communication Branch: 3462
  • Microsoft: 8068, 8070, 8075

Display Filter

Capture Filter

Filtering the internal network: ignore internal packets

Quickly adding a country column

Quickly adding a company column

Key Points of HTTP Communication

  • HTTP uses TCP/80 for default communication
  • HTTP/HTTPS default ports
  • 80/443 are used by default, but they can be changed to other ports
  • Traffic on TCP/80 must look and behave like HTTP; if it does not match HTTP behaviour it is anomalous communication, and the same applies to TCP/443

HTTP and HTTPS client principles

  • Before an HTTP or HTTPS service is used, DNS query/reply packets are usually generated
  • In the following cases there may be no DNS packets:
  • DNS cache (3~5 sec)
  • The IP address is used directly
  • The hosts file in the etc directory has been modified
  • Malicious behaviour -> worm infection, vulnerability scanning
  • Chrome: QUIC over UDP 443
  • One query, one reply (Query/Reply)
  • 1Q2R, 1QnR (DNS spoofing)
  • 1Q with no R
  • R with no Q (DNS spoofing)
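The query/reply patterns above can be checked mechanically once a capture has been decoded. The following is an added example written for these notes, not code from the original post: it runs over a constructed list of decoded packets (a hypothetical format, not tshark's own output), groups DNS packets by transaction id to flag 1QnR, R-without-Q and Q-without-R, and lists web connections whose destination IP never appeared in a DNS answer. A connection without DNS is only a hint, since the list above gives legitimate causes (cache, direct IP, hosts file).

```python
from collections import defaultdict

# Constructed sample of decoded packets (not a real capture). Each DNS record
# carries the transaction id and the qr flag (0 = query, 1 = reply); each TCP
# record is a new connection (SYN) to a web port.
PACKETS = [
    {"proto": "dns", "id": 0x1001, "qr": 0, "name": "example.com", "answers": []},
    {"proto": "dns", "id": 0x1001, "qr": 1, "name": "example.com", "answers": ["93.184.216.34"]},
    {"proto": "tcp", "dst": "93.184.216.34", "dport": 443},  # normal: reply, then connect
    {"proto": "dns", "id": 0x1002, "qr": 0, "name": "bank.example", "answers": []},
    {"proto": "dns", "id": 0x1002, "qr": 1, "name": "bank.example", "answers": ["203.0.113.9"]},
    {"proto": "dns", "id": 0x1002, "qr": 1, "name": "bank.example", "answers": ["198.51.100.7"]},  # 1Q2R
    {"proto": "dns", "id": 0x1003, "qr": 1, "name": "login.example", "answers": ["198.51.100.8"]},  # R, no Q
    {"proto": "dns", "id": 0x1004, "qr": 0, "name": "cdn.example", "answers": []},  # Q, no R
    {"proto": "tcp", "dst": "192.0.2.55", "dport": 80},  # connection to an IP never resolved
]


def dns_anomalies(packets):
    """Group DNS packets by transaction id and classify the Q/R pattern."""
    queries, replies = defaultdict(int), defaultdict(int)
    for p in packets:
        if p["proto"] != "dns":
            continue
        (replies if p["qr"] else queries)[p["id"]] += 1
    result = {"1QnR": [], "no_query": [], "no_reply": []}
    for tid in sorted(set(queries) | set(replies)):
        q, r = queries[tid], replies[tid]
        if q == 0:
            result["no_query"].append(tid)  # a reply nobody asked for: spoofing indicator
        elif r == 0:
            result["no_reply"].append(tid)  # unanswered query
        elif r > q:
            result["1QnR"].append(tid)  # several replies to one query: spoofing indicator
    return result


def connections_without_dns(packets, ports=(80, 443)):
    """Web connections whose destination IP never appeared in a DNS reply."""
    resolved = {ip for p in packets if p["proto"] == "dns" and p["qr"] for ip in p["answers"]}
    return [p["dst"] for p in packets
            if p["proto"] == "tcp" and p["dport"] in ports and p["dst"] not in resolved]


if __name__ == "__main__":
    print(dns_anomalies(PACKETS))
    print(connections_without_dns(PACKETS))
```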

Checking DNS and network connections: 1

Exclude Taiwan

HTTP Methods (query commands)

  • Sent by the browser
  • GET: access the Web resource files
  • POST: send user data back to the Web server
  • Others: ask whether you are there, whether it works, whether it is allowed
  • HEAD: ask for access to Web resource files
  • OPTIONS: ask to check the parameters of applications
  • TRACE: ask to check loops of applications
  • Attack-capable methods
  • CONNECT: dynamically switch to a tunnel through a proxy
  • PUT: upload a file to store on the server (WebDAV)
  • DELETE: erase a file from the server (WebDAV)

HTTP Response Status Code

  • 1xx: General Host Information
  • 2xx: Execute Command Successfully
  • 200 OK
  • 206 Partial Content
  • 3xx: Resource Redirection
  • 301 Moved Permanently
  • 302 Relocate URL
  • 304 Not Modified (Local Cache)
  • 4xx: Client Error
  • 400 Bad Request
  • 401 Unauthorized (Access Denied)
  • 403 Forbidden
  • 404 File not found
  • 5xx: Server Error

netstat

Malware practice site

dump md5 file

Source and Target (not examined)

  • Referer: most requests carry a referring source
  • Host should equal the site name
  • User-Agent

SMTP Commands

  • HELO
  • EHLO

Stateful communication

  • Stateful (has context)
  • SMTP
  • POP3
  • Telnet
  • FTP
  • IMAP


NTUT CSIE | Biomedical Informatics Lab | github.com/stwater20 | sectools.tw

ryan.chen
