TCP/IP Protocol and Modbus Summary


Source: https://www.cnblogs.com/maybe2030/p/4781555.html#_label6

The TCP/IP (Transmission Control Protocol / Internet Protocol) suite is the most basic protocol of the Internet and the foundation of the global internetwork; it consists of the IP protocol at the network layer and the TCP protocol at the transport layer. Put simply: TCP is responsible for discovering transmission problems; whenever one occurs it signals for retransmission until all data has been delivered safely and correctly to its destination, while IP assigns an address to every device connected to the Internet.

The IP layer receives packets from the lower layer (the network interface layer, e.g. an Ethernet device driver) and passes them up to the higher layer, TCP or UDP; conversely, the IP layer passes packets received from the TCP or UDP layer down to the lower layer. IP packets are unreliable, because IP does nothing to confirm whether packets were delivered in order or whether they were corrupted. An IP packet carries the address of the host that sent it (source address) and of the host that should receive it (destination address).

TCP is a connection-oriented communication protocol: a connection is established with a three-way handshake and torn down when communication finishes. Because TCP is connection-oriented, it can only be used for end-to-end communication. TCP provides a reliable data-stream service, achieving reliability with "positive acknowledgment with retransmission". TCP also uses a "sliding window" mechanism for flow control; the window actually represents receive capacity and is used to limit the sender's transmission rate.

TCP three-way handshake and four-way teardown:

Note: seq: "sequence", sequence number; ack: "acknowledge", acknowledgment number; SYN: "synchronize", synchronization request flag; ACK: "acknowledge", acknowledgment flag; FIN: "finish", end flag.

 

  TCP connection establishment: the client first sends a connection request segment. The server accepts the connection, replies with an ACK segment (carrying its own SYN as well) and allocates resources for this connection. When the client receives that ACK it also sends an ACK segment to the server and allocates resources, and the TCP connection is established.

  TCP connection teardown: suppose the client initiates the disconnect by sending a FIN segment. When the server receives the FIN, its meaning is "I, the client, have no more data to send to you"; but if you, the server, still have data that is not fully sent, there is no hurry to close the socket and you may keep sending. So the server first sends an ACK, "telling the client: I received your request, but I am not ready yet, please keep waiting for my message". The client now enters the FIN_WAIT state and keeps waiting for the server's FIN. Once the server is sure its data has all been sent, it sends a FIN to the client, "telling the client: all right, my data is all sent, I am ready to close the connection". When the client receives the FIN, "it knows it can close the connection, but it still does not trust the network and fears the server may not learn that it should close, so it sends an ACK and enters the TIME_WAIT state; if the server does not receive the ACK it can retransmit". When the server receives the ACK, "it knows the connection can be torn down". If the client has waited 2MSL and still received nothing, that proves the server closed normally, so the client can close its side as well. And that is how the TCP connection is closed.

 

 

Author: sunset journey
Link: https://juejin.cn/post/6844903796707950600
Source: 稀土掘金 (Juejin)

Packet analysis

No.  Time      Source          Destination     Protocol  Length  Info
3 0.000278 192.168.137.28 192.168.1.102 TCP 58 49155 → 5000 [SYN] Seq=0 Win=8196 Len=0 MSS=1460
4 0.000408 192.168.1.102 192.168.137.28 TCP 58 5000 → 49155 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
5 0.000794 192.168.137.28 192.168.1.102 TCP 54 49155 → 5000 [ACK] Seq=1 Ack=1 Win=8196 Len=0

Packet 3: the client's connection request to the server

SYN flag set, from client to server. Seq = 0 (in reality the initial Seq should be a random number, since a random value is better for secrecy; the 0 here is a coincidence). MSS = Maximum Segment Size, the maximum amount of data each segment can carry, negotiated when the TCP connection is established.

Packet 4: the server's reply to the client after receiving the request

SYN flag and ACK flag set, from server to client. Seq = 0. Here Ack is 1: it actually acknowledges packet 3's Seq. If packet 3 has Seq = n, then packet 4's acknowledgment number is

    if len == 0:
        Ack = n + 1
    else:
        Ack = n + len

Packet 4 is both the acknowledgment of packet 3 and a connection request in its own right, so it also carries an MSS option.

Packet 5: the client's reply to the server's packet 4

Ack = 1: the packet the client sends to the server has Ack = 1 because packet 4's Seq = 0.

If packet 4 has Seq = n, then packet 5's acknowledgment number is

    if len == 0:
        Ack = n + 1
    else:
        Ack = n + len

Packet 5 carries only the ACK flag, without a SYN flag; that is, it is a pure acknowledgment, not a connection request.
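The Seq/Ack bookkeeping above, worked through in code as an added example (it is not part of the Juejin post). It generalizes the "len == 0 → n+1" rule to the one TCP actually uses: a SYN or FIN flag occupies one sequence number even though it carries no data, so the zero-length handshake segments are acknowledged with Seq+1, a data segment with Seq+len, and a pure ACK with no payload advances nothing. The `Segment` class and helper functions are my own; the addresses and numbers are the ones from frames 3, 4 and 5 in the capture above.

```python
"""Sequence/acknowledgment arithmetic for the TCP three-way handshake and the
four-way close, checked against the three captured segments quoted above.

Added example, not code from the original post. Rule implemented: the next
acknowledgment number equals the segment's Seq plus its payload length plus
one for each of SYN and FIN (flags that consume a sequence number).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: Optional[int]   # None for the first SYN, which has no valid ACK yet
    flags: frozenset     # subset of {"SYN", "ACK", "FIN"}
    length: int = 0      # payload bytes


def expected_ack(seg: Segment) -> int:
    """Acknowledgment number the receiver of `seg` must send back.

    A bare SYN (len 0) is answered with Seq+1, matching the page's
    'if len == 0: Ack = n + 1' for the handshake packets; a pure ACK with
    no payload and no SYN/FIN consumes nothing.
    """
    consumed = seg.length + ("SYN" in seg.flags) + ("FIN" in seg.flags)
    return seg.seq + consumed


def check_ack(prev: Segment, reply: Segment) -> bool:
    """True if `reply` acknowledges exactly what `prev` consumed."""
    return reply.ack == expected_ack(prev)


def classify(seg: Segment) -> str:
    if "SYN" in seg.flags and "ACK" not in seg.flags:
        return "connection request"
    if "SYN" in seg.flags:
        return "connection request + acknowledgment"
    if "FIN" in seg.flags:
        return "close request"
    return "pure acknowledgment"


# Constructed from the capture quoted on the page (frames 3, 4, 5).
CLIENT, SERVER = "192.168.137.28", "192.168.1.102"
HANDSHAKE = [
    Segment(CLIENT, SERVER, seq=0, ack=None, flags=frozenset({"SYN"})),
    Segment(SERVER, CLIENT, seq=0, ack=1, flags=frozenset({"SYN", "ACK"})),
    Segment(CLIENT, SERVER, seq=1, ack=1, flags=frozenset({"ACK"})),
]


def validate_handshake(segs):
    """Return (ok, explanation) for a SYN / SYN-ACK / ACK triple."""
    syn, synack, ack = segs
    problems = []
    if not check_ack(syn, synack):
        problems.append(f"SYN-ACK ack {synack.ack} != {expected_ack(syn)}")
    if not check_ack(synack, ack):
        problems.append(f"ACK ack {ack.ack} != {expected_ack(synack)}")
    if ack.seq != expected_ack(syn):   # client's Seq has moved past its SYN
        problems.append(f"client Seq {ack.seq} != {expected_ack(syn)}")
    return (not problems, "; ".join(problems) or "handshake consistent")


def teardown_acks(client_fin_seq: int, server_fin_seq: int):
    """The two acknowledgments of the four-way close: FIN -> ACK -> FIN -> ACK."""
    first = expected_ack(Segment(CLIENT, SERVER, client_fin_seq, 0, frozenset({"FIN"})))
    second = expected_ack(Segment(SERVER, CLIENT, server_fin_seq, 0, frozenset({"FIN"})))
    return first, second


if __name__ == "__main__":
    for n, s in zip((3, 4, 5), HANDSHAKE):
        print(n, classify(s), "- peer must acknowledge with", expected_ack(s))
    print(validate_handshake(HANDSHAKE))
    print("teardown acks for FIN seqs 100/300:", teardown_acks(100, 300))
```

Feeding the three frames through `validate_handshake` confirms the Ack=1 values in frames 4 and 5; passing a `Segment` with `length=100` shows the data-carrying case (Ack = Seq + 100), where a SYN/FIN segment would add one more.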

 

pcap/cap file format - Zhihu (zhihu.com)

https://zhuanlan.zhihu.com/p/394946101

 

Pcap Header

File header: each pcap file has exactly one, occupying 24 bytes in total and containing 7 fields.

  1. Magic (4B): marks the start of the file and is used to identify the file and its byte order. The value is either 0xa1b2c3d4 or 0xd4c3b2a1: 0xa1b2c3d4 means big-endian, read byte by byte in the order written, while 0xd4c3b2a1 means little-endian and the bytes of the following fields must be swapped. Most computers today are little-endian.
  • Big-endian: the low addresses of memory hold the high-order part of the value and the high addresses hold the low-order part; reading memory from low to high address, you meet the high-order part first, similar to treating the data as a string. Little-endian is the reverse.
  • For 0x12345678, in big-endian the byte at the lowest address is 0x12; in little-endian it is 0x78. Note that each of these is one byte.

 

  2. Major (2B): major version of the file, usually 0x0200
  3. Minor (2B): minor version of the file, usually 0x0400
  4. ThisZone (4B): local standard time offset; all zeros if GMT is used, usually all zeros
  5. SigFigs (4B): accuracy of the timestamps, usually all zeros
  6. SnapLen (4B): maximum storage length, i.e. the maximum length of a captured packet; set it to 65535 to capture every packet in full
  7. LinkType (4B): link type. Parsing a packet starts by checking its LinkType, so this value matters. Usually 1, the LinkType commonly used for Ethernet
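A parser for the 24-byte global header described above, plus the 16-byte record header that precedes each packet, as an added example (not code from the Zhihu article). It decides the byte order from the magic number: 0xa1b2c3d4 read in file order means big-endian, and the byte-reversed 0xd4c3b2a1 means little-endian (the 0x0200 / 0x0400 version bytes listed above are the little-endian encoding of version 2.4). The nanosecond-resolution magic values are a known extension of the format; the sample file bytes are constructed here, not captured.

```python
"""Parse the pcap global header and per-packet record headers, honouring the
byte order announced by the magic number.

Added example, not from the cited article. The sample file is constructed
in build_sample(); nothing here was captured from a network.
"""
import struct

MAGIC = 0xA1B2C3D4          # file written in the same order we read it (big-endian)
MAGIC_SWAPPED = 0xD4C3B2A1  # bytes appear reversed -> file is little-endian
MAGIC_NS = 0xA1B23C4D       # nanosecond-timestamp variant, and its swapped form
MAGIC_NS_SWAPPED = 0x4D3CB2A1
LINKTYPE_ETHERNET = 1


def detect_endianness(magic_bytes: bytes):
    """Return (struct byte-order prefix, nanosecond_timestamps) for the file."""
    value = struct.unpack(">I", magic_bytes)[0]   # read the 4 bytes as written
    if value in (MAGIC, MAGIC_NS):
        return ">", value == MAGIC_NS
    if value in (MAGIC_SWAPPED, MAGIC_NS_SWAPPED):
        return "<", value == MAGIC_NS_SWAPPED
    raise ValueError(f"not a pcap file: magic {value:#010x}")


def parse_global_header(data: bytes) -> dict:
    """Decode the 7 fields of the 24-byte file header."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    order, ns = detect_endianness(data[:4])
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    return {"byte_order": "little" if order == "<" else "big", "nanosecond": ns,
            "major": major, "minor": minor, "thiszone": thiszone,
            "sigfigs": sigfigs, "snaplen": snaplen, "linktype": linktype}


def iter_records(data: bytes):
    """Yield (ts_sec, ts_frac, incl_len, orig_len, packet_bytes) per record.

    incl_len is the number of bytes stored; orig_len the length on the wire.
    A record claiming more than snaplen or more than remains in the file is
    rejected rather than silently truncated.
    """
    order, _ = detect_endianness(data[:4])
    header = parse_global_header(data)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if incl_len > header["snaplen"]:
            raise ValueError(f"record incl_len {incl_len} exceeds snaplen {header['snaplen']}")
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        yield ts_sec, ts_frac, incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def build_sample(little_endian: bool = True) -> bytes:
    """Constructed pcap: version 2.4, Ethernet, one 60-byte frame stored as 14 bytes."""
    order = "<" if little_endian else ">"
    global_header = struct.pack(order + "IHHiIII", MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frame = bytes.fromhex("ffffffffffff" "001122334455" "0800")   # constructed Ethernet header
    record_header = struct.pack(order + "IIII", 1_700_000_000, 278, len(frame), 60)
    return global_header + record_header + frame


if __name__ == "__main__":
    sample = build_sample()
    print(parse_global_header(sample))
    for rec in iter_records(sample):
        print("record:", rec[:4], rec[4].hex())
```

`build_sample(False)` writes the same header big-endian; `parse_global_header` reports `byte_order` accordingly, which is the check to run before trusting any multi-byte field in the file.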
 

Modbus Summary

Source: Modbus Summary - iluzhiyong - 博客園 (cnblogs.com)

1. Concepts
① Coil and Register
  The two data types defined in Modbus. A Coil is a bit variable; a Register is an integer (Word, i.e. 16-bit) variable.
② Slave/Master versus Server/Client
  Different names for the same kinds of device in different fields.
  Slave: industrial automation term; responds to requests;
  Master: industrial automation term; sends requests;
  Server: IT term; responds to requests;
  Client: IT term; sends requests;
  In Modbus, Slave and Server mean the same thing, as do Master and Client.

2. Modbus data model
  In Modbus, data falls into two broad classes, Coils and Registers; each class is further divided by access mode into two kinds (read-only and read/write).
  The four Modbus data types:
  Discrete Inputs      bit variable      read-only
  Coils                bit variable      read/write
  Input Registers      16-bit integer    read-only
  Holding Registers    16-bit integer    read/write
  Usually the Slave defines four tables to implement the four data types.

 

3. Modbus address range mapping

Device address   Modbus address   Description         Function   R/W
1~10000          address-1        Coils (Output)      0          R/W
10001~20000      address-10001    Discrete Inputs     01         R
30001~40000      address-30001    Input Registers     04         R
40001~50000      address-40001    Holding Registers   03         R/W

4. Modbus variable addresses
Mapped address   Function Code    Address type              R/W   Description
0xxxx            01,05,15         Coil                      R/W   -
1xxxx            02               Discrete input            R     -
2xxxx            03,04,06,16      Floating-point register   R/W   Two consecutive 16-bit registers hold one floating-point number (IEEE 754)
3xxxx            04               Input register            R     Each register holds one 16-bit unsigned integer (0~65535)
4xxxx            03,06,16         Holding register          R/W   -
5xxxx            03,04,06,16      ASCII characters          R/W   Each register holds two ASCII characters

 

Source: Which function codes does the MODBUS protocol have, and what do they do? _百度知道 (baidu.com)

Which function codes does the MODBUS protocol have, and what do they do?

01 READ COIL STATUS          Read coil registers
02 READ INPUT STATUS         Read input status registers
03 READ HOLDING REGISTER     Read holding registers
04 READ INPUT REGISTER       Read input registers
05 WRITE SINGLE COIL         Write a single coil register
06 WRITE SINGLE REGISTER     Write a single holding register
15 WRITE MULTIPLE COIL       Write multiple coil registers
16 WRITE MULTIPLE REGISTER   Write multiple holding registers
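The data model, the address-range table and the function-code list above, worked into a small Modbus/TCP frame builder and parser as an added example (not code from the cnblogs or Baidu sources). It maps the 1-based device addresses (1, 10001, 30001, 40001) to the 0-based PDU addresses that go on the wire, wraps a PDU in the 7-byte MBAP header, decodes exception responses (function code with bit 0x80 set), and flags the write functions 05/06/15/16, which is the first thing a defender monitoring a control network wants from a parser. All frames are constructed; the function names and the `WRITE_FUNCTIONS` set are my own labels.

```python
"""Build and decode Modbus/TCP frames (MBAP header + PDU) for the function
codes listed above, and map table addresses such as 40001 to PDU addresses.

Added example, not from the cited pages. Frames are constructed, not captured.
MBAP header: transaction id (2), protocol id (2, always 0), length (2, counts
the unit id plus the PDU), unit id (1). All fields are big-endian.
"""
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}     # requests that change device state

# Table bases from the page's address-range table, highest first.
TABLES = [(40001, "Holding Registers"), (30001, "Input Registers"),
          (10001, "Discrete Inputs"), (1, "Coils")]


def table_to_pdu_address(device_address: int):
    """40001 -> ('Holding Registers', 0); 10005 -> ('Discrete Inputs', 4)."""
    for base, name in TABLES:
        if device_address >= base:
            return name, device_address - base
    raise ValueError("device address must be >= 1")


def build_request(transaction_id: int, unit_id: int, function: int,
                  start: int, count_or_value: int) -> bytes:
    """Request ADU for functions 01-06, whose PDU is fc + start + quantity/value."""
    if function not in (1, 2, 3, 4, 5, 6):
        raise ValueError("only the fixed-length request functions are built here")
    pdu = struct.pack(">BHH", function, start, count_or_value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(frame: bytes, request: bool = True) -> dict:
    """Decode MBAP + function code; for requests also the start/quantity fields."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    if length != len(frame) - 6:          # MBAP length covers unit id + PDU
        raise ValueError(f"MBAP length {length} != {len(frame) - 6}")
    fc = frame[7]
    function = fc & 0x7F
    info = {"transaction_id": tid, "unit_id": unit, "function": function,
            "name": FUNCTION_NAMES.get(function, "unknown"),
            "exception": bool(fc & 0x80), "is_write": function in WRITE_FUNCTIONS}
    if info["exception"]:
        if len(frame) < 9:
            raise ValueError("exception response without exception code")
        info["exception_code"] = frame[8]
    elif request and function in FUNCTION_NAMES and len(frame) >= 12:
        info["start"], info["quantity_or_value"] = struct.unpack(">HH", frame[8:12])
    return info


def decode_read_registers_response(frame: bytes):
    """Function 03/04 response: byte count followed by big-endian 16-bit words."""
    info = parse_adu(frame, request=False)
    if info["exception"] or info["function"] not in (3, 4):
        raise ValueError("not a register read response")
    byte_count = frame[8]
    words = frame[9:9 + byte_count]
    if len(words) != byte_count or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", words))


if __name__ == "__main__":
    _, addr = table_to_pdu_address(40001)
    req = build_request(1, 0x11, 3, addr, 2)          # read 2 holding registers
    print(req.hex(), parse_adu(req))
    resp = bytes.fromhex("000100000007110304000a0014")  # constructed reply: 10, 20
    print(decode_read_registers_response(resp))
    print(parse_adu(bytes.fromhex("000100000003118302")))  # exception 02
```

On a monitoring feed, `parse_adu(frame)["is_write"]` together with the unit id and start address is enough to list which hosts issue writes to which coils and registers; the MBAP length check rejects frames whose declared length and actual size disagree instead of decoding past the buffer.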

 

https://www.dragos.com/blog/industry-news/threat-analytics-and-activity-groups/

Threat Analytics and Activity Groups

Computer and network defense has typically focused on ‘indicators of compromise’ (IOCs) to drive investigations and response. Anomaly detection and modeling (e.g., machine learning approaches) are also increasingly used for alerting purposes, but due to the lack of context of adversary activity, they are of limited utility in tracking threats or informing investigations – thus, they will not be discussed in-depth here. Returning to IOCs, while they have value, the name indicates that such value is generally backward-looking: an IOC is indicative of a compromise by a known and observed threat vector. As a result, an IOC-based approach to defense has limited value in forward-leaning, hunting-oriented defense, and is of almost no value whatsoever in catching ‘new’, not previously observed intrusions.

Note: indicators of compromise (IOCs) serve as forensic evidence of potential intrusions on a host system or network.

Note: anomaly detection is of limited use in tracking threats.

The majority of IOCs captured after an observed intrusion are target specific – they are unique or limited to that specific event. An adversary will either change or utilize different technical items, with corresponding different IOCs, for any future or different intrusions. Furthermore, IOCs are, by definition, unitary or ‘atomic’ in nature; they refer to a single observable piece of information: an IP address, a domain name, or a file hash value. While these have value, on their own, IOCs only capture one very specific aspect of any activity and must be combined with other data points to yield ‘information’, let alone intelligence. Thus, an IOC-dependent approach will find itself in perpetual data refinement to identify follow-on details from the single alerting point, so as to gain knowledge or understanding of an event.


Transitioning from defense by IOCs, a threat behavioral analytic approach attempts to leverage commonalities in adversary behaviors to create more complex threat identification methods by incorporating multiple data points into a single, robust analytic. An analytic is designed to target an adversary behavior, especially one that is an operational requirement (e.g., nearly all intrusions will require some form of command and control) and not trivially changed. For example, a specific command and control domain can be changed, but the method of communication (especially if a custom protocol or implementation is employed) is not so easily shifted.


In developing an analytic, the resulting detection methodology should not focus on a specific implementation of a behavior, but rather seek to cover multiple implementations of the behavior type. Threat analytics focus on adversary tactics, techniques, and procedures (TTPs) and behaviors – also referred to as ‘tradecraft’ – instead of static and atomic data points. Threat analytics can, therefore, be forward-looking and flexible. For the former, an analyst may not identify a specific instantiation of command and control but he or she can identify general command and control behaviors to track and alert on. With respect to the latter, flexibility comes from the ability to capture mutations in specific examples of behaviors over time. A critical advantage to this approach is providing alerting criteria with context. Even in those cases where a general threat analytic fires, the analyst has the advantage of knowing the corresponding alert relates to an instantiation of a type of malicious activity, aligning to a portion of the relevant attack path or kill chain, yielding context and nuance to the investigation’s start. This contrasts with an IOC approach, where a single IOC detection – for example, a hash value – must then be manually oriented by the analyst to determine its relevance, use, and associated activity.

When focusing on adversary behaviors, an alternative means of tracking and identifying adversaries themselves emerges that is complementary with an analytics-based approach for threat identification. Specifically, the Diamond Model of Intrusion Analysis identifies threats not by ‘who’ they are, but rather ‘how’ they operate. This transition may seem trivial at first, but this transition represents a dramatic difference from typical threat attribution techniques, which seek to group observed data points (IOCs) as part of an identified, labeled object associated with some publicly-recognized and known entity. For example, “advanced persistent threat FOZZYBEAR is associated with the country Ruritania” provides attribution for FOZZYBEAR activity to an entity, but lacks any definitive connection to how FOZZYBEAR operates or what it looks like to a defender in practice outside of the atomic data points which were collected under the FOZZYBEAR banner.

Contrary to the FOZZYBEAR example, the concept of activity groups, derived via the Diamond Model, focuses on behaviors and actions displayed by an entity. Specific observables include: an adversary’s methods of operation, infrastructure used to execute actions, and what targets they focus on (either specific targets or more general verticals, such as industry type). The goal, as defined by the Diamond Model of Intrusion Analysis, is to delineate an adversary as defined by their observed actions, capabilities, and demonstrated – not implied or assumed – intentions. These attributes then combine to create a construct around which defensive plans can be built. Ultimately, the desired end-state is to empower network defenders by providing a model of adversary activity that documents and forecasts likely adversary actions based upon observed behavioral and targeting traits.

Returning to the topic of analytics, threat behavioral analytics are an obvious extension of defining an activity group; behaviors, targets, and infrastructure of a malicious actor are documented and identified. Based upon this information, an analyst can define identifying or alerting criteria corresponding to the attributes classified within the Diamond Model representation of that activity group. However, at this stage, an important decision-point is reached with respect to the construction of analytics:

  1. Building threat analytics tuned to specific threat activity group behavior
  2. Designing a threat analytic to capture a general malicious TTP

The former is likely to be more accurate and focused, but at the cost of breadth and the ability to capture alterations of the underlying tactic. The latter is, in general, more sustainable and actionable, as analytics need not be redefined or recreated for each permutation of the technique, but at the potential cost of initial fidelity and detail when analyzing a triggered analytic.

To expound upon the latter point, if we were to define a threat analytic based around known adversary behavior – for example, taking a human machine interface (HMI) screenshot and exfiltrating this from the ICS environment for system reconnaissance, a DYMALLOY observed behavior1 – we can construct this in such a fashion as to abstract the precise method as to how this screenshot is created (likely tuned to a specific type of malware or other technique), and instead focus on simply that a screenshot was generated and moved out of the ICS environment. In the former case, where the specifics of how are taken into consideration, we have likely generated a high-confidence DYMALLOY threat analytic. But in the latter case, we have instead produced an all-encompassing threat behavior analytic that will identify any observation of screenshot migration out of the ICS network. This is more robust in detecting the general technique – but at the cost of losing some level of context as to who might be responsible for the action.

This point becomes most salient when framing threat analytics within the broader context of response planning and investigation playbooks. If we are to chain our analytics with specific response plans (such as investigation playbooks, which will be covered in a future Dragos blog post), such plans can become more refined and specific in action and detail the closer they are to a specific activity group. In this case, narrower analytics are beneficial. For more general threat analytics, response plans must, by necessity, be more broadly focused and prescribe less detailed, more general response actions. Additionally, while a specific threat-focused analytic can lead an analyst to hypothesize likely next-step actions by the specific adversary for investigation and pursuit, the more general threat behavior analytic leaves a much larger field of possibilities open.

Building a threat-focused defensive mindset around both of these approaches – specific threats and generalized threat behaviors – becomes the ideal end-state for an intelligence-driven network defensive posture. In this manner, complementary defensive approaches are built:

  • General threat behavior analytics are designed to catch categories of malicious activity based upon adversary dependencies and ‘required actions’ for intrusion events.
  • Where appropriate, implement specific instantiations of general behavior analytics tuned to precise adversary actions

The goal of the above ‘tiered’ alerts is to catch the general type of malicious activity, and where sufficient information exists, create higher confidence analytics tuned to a specific implementation of that behavior. The latter enables a more precise response to ‘known threat actors’, while the former ensures that variations of the technique or behavior are observed.

Returning to the earlier example of screenshot exfiltration from an ICS environment, our general threat behavior analytic will consist of the following data points:

  1. Image file identified in network traffic FROM the ICS environment.
  2. Image file metadata matches characteristics of a system screenshot.

The above will capture any permutation of the screenshot exfiltration technique, at least depending upon how condition 2 is defined. While categorizing a general behavior, the analyst receiving a notification that such activity has occurred is then left with the task of identifying further specifics of how this traffic was generated and what the adversary’s next steps would be.

From the above general analytic, we can derive a specific, activity group-focused variation:

  1. General threat behavior analytic for screenshot exfiltration identified.
  2. Additional observable data points captured indicative of DYMALLOY activity – e.g., command and control techniques identified in network traffic; or malware variants associated with the group identified in host data.

This approach takes the existing, generalized behavior and utilizes additional data to refine it to a notification of activity correlated with a known activity group. The benefit of this approach is that the analyst now has a (potentially) more limited, narrower scope set of questions to answer: assuming the DYMALLOY detections are correct, the screenshot activity identified can be correlated with other observations to initiate a more focused investigation. Based upon other elements of the DYMALLOY activity group definition – tools, targets, and infrastructure – the analyst can focus on most-likely actions leading to the observed activity and produce more specific hypotheses to initiate the investigation.

Examining another activity group tracked by Dragos, ELECTRUM – the group responsible for CRASHOVERRIDE – utilizes ‘living off the land’ techniques to accomplish network pivoting and further intrusion in observed events. Many of the behaviors exhibited by ELECTRUM for follow-on network compromise can be captured by the general threat analytics below:

  1. New use of PSExec between network endpoints.
  2. A single host executing PSExec on multiple network endpoints.
  3. A single host attempting to connect to many hosts via ‘net use’ commands.

The above abstracts some details, but provides a general conception of capturing intrusion pivoting via ‘living off the land’ methods. This would capture ELECTRUM uses, as well as other malicious (or suspicious) activity with the same behaviors. When triggered, the analyst is alerted to the suspect activity and can begin an investigation, but as with the screenshot example above, this initial investigation is hampered due to the initial large numbers of follow-on questions to scope and investigate. While still useful, the general behavior requires additional work
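The three general ‘living off the land’ analytics listed above, together with the tiering idea from the screenshot example (a general hit is promoted to an activity-group-specific alert only when additional group-associated observables are present on the same host), implemented over constructed event records as an added example. This is not Dragos code: the `Event` records, the PSExec baseline, the thresholds and the placeholder group observables are all constructed for illustration.

```python
"""General behavior analytics for PSExec / 'net use' pivoting, plus tiered
enrichment with activity-group-specific observables.

Added example, not from the Dragos post. Every event, baseline entry and
observable below is constructed; the group label is a placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # constructed epoch seconds
    src: str      # host that initiated the action
    dst: str      # host acted upon
    tool: str     # "psexec" or "net use"


# Constructed events: one admin host doing routine work, one host fanning out.
EVENTS = [
    Event(100, "admin01", "fs01", "psexec"),
    Event(200, "eng05", "hmi01", "psexec"),
    Event(205, "eng05", "hmi02", "psexec"),
    Event(210, "eng05", "plc-gw", "psexec"),
    Event(300, "eng05", "hmi01", "net use"),
    Event(301, "eng05", "hmi02", "net use"),
    Event(302, "eng05", "hist01", "net use"),
    Event(303, "eng05", "eng02", "net use"),
]
# (src, dst) PSExec pairs seen during a learning period; constructed.
BASELINE_PSEXEC = {("admin01", "fs01")}


def new_psexec_pairs(events, baseline):
    """Analytic 1: PSExec between a pair of endpoints not in the baseline."""
    return sorted({(e.src, e.dst) for e in events
                   if e.tool == "psexec" and (e.src, e.dst) not in baseline})


def fan_out(events, tool, threshold):
    """Analytics 2 and 3: one source using `tool` against >= threshold distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if e.tool == tool:
            targets[e.src].add(e.dst)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


def general_alerts(events, baseline, psexec_threshold=3, netuse_threshold=3):
    """Run the three general analytics; each alert carries its supporting data."""
    alerts = []
    for pair in new_psexec_pairs(events, baseline):
        alerts.append({"analytic": "new_psexec_pair", "src": pair[0], "evidence": [pair]})
    for src, hosts in fan_out(events, "psexec", psexec_threshold).items():
        alerts.append({"analytic": "psexec_fan_out", "src": src, "evidence": hosts})
    for src, hosts in fan_out(events, "net use", netuse_threshold).items():
        alerts.append({"analytic": "net_use_fan_out", "src": src, "evidence": hosts})
    return alerts


def enrich(alerts, host_observables, group):
    """Tiering: tag an alert with `group` only when the same host also shows an
    observable from that group's definition; otherwise it stays 'general'."""
    out = []
    for a in alerts:
        extra = host_observables.get(a["src"], set())
        out.append({**a, "tier": group if extra else "general",
                    "supporting_observables": sorted(extra)})
    return out


# Placeholder: per-host observables tied to a tracked group's definition
# (e.g. a malware family listed for the group). Constructed labels only.
GROUP_OBSERVABLES = {"eng05": {"<group-associated-malware-family>"}}


def run(events=EVENTS):
    return enrich(general_alerts(events, BASELINE_PSEXEC), GROUP_OBSERVABLES, "<activity-group>")


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With an empty `host_observables` mapping every alert stays at the general tier, which is the ‘larger field of possibilities’ the text describes; the group-tagged tier only appears once the extra observables are present, and the alert keeps the evidence for both tiers so the analyst can see what the promotion rested on.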

However, when sufficient detail is captured on preceding and likely follow-on activity through an understanding of the behaviors, infrastructure, and targets or intentions of a specific entity, such as ELECTRUM, the analyst is presented with a much narrower list of high-confidence next steps to investigate. In this case, if the behavioral analytic above is further enriched by observables specific to ELECTRUM (specific malware identified with the group, or examples of how ‘net use’ or PSExec are actually employed), the analyst now has a concrete path to follow for subsequent investigation.

One potential misconception that might emerge from the previous discussion is that threat analytics, when not enriched with specific activity group information, can be cumbersome or difficult for defenders to utilize. While specific behavioral patterns will obviously yield to specific follow-on response actions due to their refinement, the network defender must take the more generalized threat behavior analytics in the context of the typical alert, signature, or IOC that forms the starting point for most security incidents at present. In these cases, the analyst is presented with nothing more than a single data point – this packet header, that IP address, this MD5 hash sum – as the start for an investigation. The number of potential hypotheses for further exploration from a single alerting point such as this are vast, disadvantaging the responding analyst.

Meanwhile, a general threat behavior analytic – while by definition ‘general’ – is both more specific than alerting off of an IOC and more general in that it captures adversary actions rather than atomic (and replaceable) portions of those actions. For the former, analytics are more specific in that the combination of data points ensures that, due to a greater corpus of initial information, the analyst will have higher confidence that the detected behavior is ‘bad’ or worth investigating, compared to alerting on one-off uses of software (such as PSExec), which may very well be legitimate. In the latter case, the analytics are also more ‘general’ in that, instead of being founded on a single, immutable piece of information (such as an IP address), these take a totality of actions (with their attendant behavioral permutations) into consideration and track a less-easily altered technique.

Transitioning from atomic, fleeting, and backward-looking IOCs as the foundation of security response and visibility is vital in transitioning network defense – not just ICS defense – into a more responsive, flexible, and active position. By identifying threat behaviors and designing behavioral analytics to capture these, analysts can begin shifting detection and response solidly to the defender’s advantage, while further refinement to track specific activity groups through instantiations of more general analytics can increase accuracy, confidence, and efficacy in specific response instances. Above all, developing an understanding of network security events through a behavioral perspective rather than a single observation point (atomic IOC view) ensures analysts are better positioned to understand and respond to malicious events as they are identified.

 

 

 

 

 

 

