CN110213761B - Multi-model pseudo AP detection method and detection device based on bidirectional SYN reflection - Google Patents


Info

Publication number: CN110213761B
Authority: CN (China)
Prior art keywords: syn, phishing, packet, network, network card
Legal status: Active
Application number: CN201910446169.2A
Other languages: Chinese (zh)
Other versions: CN110213761A
Inventors: 曲海鹏, 卢倩, 蒋若冰, 欧阳宇展, 王晓东
Current assignee: Ocean University of China
Original assignee: Ocean University of China
Events: application filed by Ocean University of China; priority to CN201910446169.2A; publication of CN110213761A; application granted; publication of CN110213761B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 24/00 Supervisory, monitoring or testing arrangements
    • H04W 24/06 Testing, supervising or monitoring using simulated traffic

Abstract

The invention discloses a multi-model pseudo AP detection method and detection device based on bidirectional SYN reflection. The detection method comprises the following steps: judging whether the AP detection set specified by a user contains two or more APs with the same SSID and, if so, treating those APs as target APs; connecting to the target APs with two network cards respectively, obtaining the allocated IP addresses, and executing bidirectional SYN reflection detection; and, after the bidirectional SYN reflection detection has been executed, judging from the received SYN-ACK packets whether a phishing AP attack exists among the target APs. The method can independently detect multi-model pseudo-AP attacks in a wireless local area network, covering both the serial phishing AP attack model and the parallel phishing AP attack model, and thereby serves the purposes of maintaining network security and protecting user privacy.

Description

Multi-model pseudo AP detection method and detection device based on bidirectional SYN reflection
Technical Field
The invention belongs to the technical field of communication safety, and particularly relates to a multi-model pseudo AP detection method and a multi-model pseudo AP detection device based on bidirectional SYN reflection.
Background
With the widespread use of Wireless Local Area Networks (WLANs), security issues have become more prominent and important. Before accessing a wireless network, it must first be determined whether the AP corresponding to that network is a suspicious AP. A suspicious AP may be a fake AP, such as a common phishing AP, which an attacker uses to lure wireless users into connecting while masquerading as a legitimate AP; the fake-AP phishing attack is one of the serious security threats in wireless networks.
A phishing AP is built by imitating a normal AP; the attacker then forces wireless clients to connect to it by launching a denial-of-service attack against the legitimate AP or by offering a stronger signal than the legitimate AP. Generally there are two wireless phishing AP attack models: the serial (tandem) phishing AP model and the parallel phishing AP attack model. The serial phishing AP attack is currently the dominant mode of attack. A serial phishing AP is equipped with two wireless network cards. One card disguises the phishing AP as the legitimate AP, broadcasts a signal, lures wireless users into connecting and thereby captures the users' sensitive information; the attacker generally configures the SSID, channel, encryption mode and other parameters of the phishing AP to match those of the legitimate AP. The other card poses as a legitimate user, connects to the corresponding legitimate AP and forwards the users' data to it. In this arrangement neither the wireless user nor the legitimate AP notices that the phishing AP exists. To build a parallel phishing AP, the attacker needs a mobile AP (such as a 4G router): the phishing AP no longer depends on the legitimate AP but relies on a mobile cellular network to give the victim Internet access, while at the same time broadcasting a wireless signal (such as a Wi-Fi signal) to entice the victim to connect. Under both attack models, once the victim is connected, all transmitted information is eavesdropped on by the phishing AP.
Various schemes have been proposed for detecting phishing APs. For example, patent CN201210548689.2 discloses a method for identifying and handling phishing APs in a wireless network, which judges whether an AP is legitimate according to the BSSID, SSID, channel, beacon interval, vendor and location information of neighbouring APs uploaded by each wireless AP. Patent CN201610173358 discloses a pseudo AP detection and blocking method, a wireless device and a router: the device broadcasts a Beacon message, receives the Beacon messages broadcast by surrounding access points, determines whether the SSID carried in a received Beacon message is the same as the SSID of its own access point, and checks whether the Beacon message carries an encryption field; when the encryption field is absent, the access point that sent the Beacon message is detected as a pseudo access point. Although these methods can identify a phishing AP, they provide no way to determine the type of phishing AP, so the prior art still faces technical obstacles in identifying the attack type.
SYN is the handshake signal used when TCP/IP establishes a connection. When a normal TCP connection is set up between a client and a server, the client first sends a SYN message, the server indicates that it has received this message by replying with SYN+ACK, and finally the client responds with an ACK message. In this way a reliable TCP connection is established between client and server and data can be transferred between them. The invention uses this SYN response mechanism to provide a bidirectional SYN reflection detection mechanism that identifies a pseudo AP and determines its attack model at the same time, and thus gives reliable support for eliminating the potential network safety hazard.
Disclosure of Invention
To address the defects of the prior art, the invention provides a multi-model pseudo AP detection method and detection device based on bidirectional SYN reflection, so as to identify phishing APs and determine the attack type.
In order to solve the technical problems, the invention adopts the technical scheme that:
a multi-model pseudo AP detection method based on bidirectional SYN reflection comprises the following steps:
judging whether the AP detection set specified by a user contains two or more APs with the same SSID and, if so, treating those APs as target APs;
connecting to the target APs with two network cards respectively, obtaining the allocated IP addresses, and executing bidirectional SYN reflection detection: the first network card executes forward SYN reflection detection and the second network card executes reverse SYN reflection detection;
and, after the bidirectional SYN reflection detection has been executed, judging from the received SYN-ACK packets whether a phishing AP attack exists among the target APs and which attack model it follows.
Further, executing bidirectional SYN reflection detection comprises: using the first network card to construct a SYN packet whose source IP address is that of the second network card, sending it to a server, and at the same time using the second network card to monitor whether the corresponding SYN-ACK packet is received, which completes forward SYN reflection detection;
and using the second network card to construct a SYN packet whose source IP address is that of the first network card, sending it to a server, and using the first network card to monitor whether the corresponding SYN-ACK packet is received, which completes reverse SYN reflection detection.
Further, forward SYN reflection detection comprises:
constructing a probe SYN packet with the first network card and sending it to a network server, wherein the layer-2 source MAC address of the SYN packet is the MAC address of the first network card, the layer-3 source IP address is the address obtained by the second network card, the destination address is a server on the network, the source port number is chosen at random, and the SYN flag is set to 1;
and starting the sniffing function of the second network card and continuously monitoring whether the expected SYN-ACK packet is received, where the expected SYN-ACK packet is a response packet carrying the correct IP address and the correct port number that arrives within a specified time.
Further, reverse SYN reflection detection comprises:
constructing a probe SYN packet with the second network card and sending it to a network server, wherein the layer-2 source MAC address of the SYN packet is the MAC address of the second network card, the layer-3 source IP address is the address obtained by the first network card, the destination address is a server on the network, the source port number is chosen at random, and the SYN flag is set to 1;
and starting the sniffing function of the first network card and continuously monitoring whether the expected SYN-ACK packet is received, where the expected SYN-ACK packet is a response packet carrying the correct IP address and the correct port number that arrives within a specified time.
Further, after bidirectional SYN reflection detection has been executed, whether a phishing AP attack exists among the target APs, and which attack model it follows, is judged according to the number of expected SYN-ACK packets received:
if both network cards receive the expected SYN-ACK packet (two SYN-ACK packets in total), the target AP is judged to be a legitimate AP; if only one network card receives the expected SYN-ACK packet (one SYN-ACK packet in total), a serial phishing AP is judged to exist among the target APs, and the AP to which the network card that received no SYN-ACK packet is connected is the phishing AP; and if neither network card receives the expected SYN-ACK packet (zero SYN-ACK packets), a parallel phishing AP is judged to exist among the target APs.
Furthermore, the Wi-Fi corresponding to the APs specified by the user is a detection range set by the user according to need, and may be all Wi-Fi of the entire wireless network or one or more specified Wi-Fi networks.
Further, the method also comprises: when a phishing AP attack is judged to exist, sending a warning to the client and to a network administrator indicating that the Wi-Fi is unsafe and/or prohibiting the user from accessing it, and/or sending the SSID and MAC address of the phishing AP to the network administrator.
Further, when a serial phishing AP attack is judged to exist, a serial phishing AP attack alarm is sent to the client and the network administrator; when a parallel phishing AP attack exists, a parallel phishing AP attack alarm is sent to the client and the network administrator. The alert information includes the SSID, the MAC address and the physical location of the phishing AP.
Further, the multi-model pseudo AP detection method based on bidirectional SYN reflection also comprises: after the phishing AP has been judged, giving its SSID and MAC address to the network administrator and locating the AP with the help of the phishing AP's signal strength.
The invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the detection method described above.
The invention also provides a computer program product comprising a program executable by a processor, the program carrying out the steps of the detection method when executed by the processor.
The invention also provides a device for detecting multi-model pseudo APs based on bidirectional SYN reflection, which comprises the following components:
a selection module, which screens whether the AP detection set specified by the user contains two or more APs with the same SSID and, if so, treats those APs as target APs;
a reflection module, which executes bidirectional SYN reflection detection, comprising constructing a SYN handshake packet to execute forward SYN reflection detection and constructing a SYN handshake packet to execute reverse SYN reflection detection;
and a judging module, which judges from the received SYN-ACK packets whether a phishing AP attack exists in the target network and which attack model it follows: if two expected SYN-ACK packets are received, the target AP is judged to be a legitimate AP; if only one expected SYN-ACK packet is received, a serial phishing AP attack is judged to exist among the target APs and the AP connected to the network card that received no SYN-ACK packet is the phishing AP; and if no expected SYN-ACK packet is received, a parallel phishing AP attack is judged to exist among the target APs.
Compared with the prior art, the invention has the following advantages:
the invention provides a multi-model pseudo AP detection method that achieves accurate detection of pseudo APs using bidirectional SYN reflection detection, independently detects multi-model pseudo AP attacks in a wireless local area network (covering both the serial phishing AP attack model and the parallel phishing AP attack model), and thereby maintains network security and protects user privacy.
In addition, the invention also provides a detection device for identifying pseudo APs, a computer-readable storage medium and a computer program product, which ensure that the method can be implemented and applied.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive labor.
Fig. 1 is a schematic flowchart of a multi-model pseudo AP detection method based on bidirectional SYN reflection according to embodiment 1 of the present invention.
Fig. 2 is a schematic structural diagram of a multi-model pseudo AP detection apparatus based on bidirectional SYN reflection according to embodiment 2 of the present invention.
Fig. 3 is a flowchart illustrating a computer program according to embodiment 3 of the present invention when executed.
Detailed Description
For the understanding of the present invention, the present invention will be further explained with reference to the drawings and the specific embodiments, and the embodiments are not to be construed as limiting the embodiments of the present invention.
Example 1
As shown in fig. 1, the multi-model pseudo AP detection method based on bidirectional SYN reflection includes:
Step S110: determine whether the AP detection set specified by the user contains two or more APs with the same SSID and, if so, treat those APs as target APs.
Specifically, it is judged whether the wireless network environment to be detected contains two or more APs with the same SSID. If not, there is no phishing risk in that environment and the user can safely access any AP; if so, a suspicious AP exists, accessing it would carry a phishing risk, and whether the user may access it must be confirmed by further judgment.
As an embodiment of the invention, the Wi-Fi corresponding to the APs specified by the user is a detection range set by the user according to need, and may be all Wi-Fi of the entire wireless network or one or more specified Wi-Fi networks. If the user is an administrator, the need may be to check whether the Wi-Fi of the entire network is secure; if the user is an ordinary wireless user, the need may only concern whether one or several particular Wi-Fi networks are safe (either in order to connect to them or purely for detection purposes).
Before a client (i.e. a user) accesses a given Wi-Fi network, it is first judged by the method above whether the AP (access point) corresponding to that Wi-Fi is a suspicious AP (i.e. a target AP). If so, the client is not allowed to access it, and the further judgment of the subsequent steps is needed to decide whether access is permitted; if not, the client is directly allowed to access the Wi-Fi. The client is a wireless mobile terminal that is to join the wireless local area network and may be any mobile terminal equipped with a wireless network card, such as a smartphone, a tablet computer or a portable notebook computer. Alternatively, the client may screen the APs corresponding to all Wi-Fi networks in the entire wireless local area network for pseudo APs.
As a variant of this embodiment, before step S110 the hotspots in the WLAN may be scanned, the scan results recorded and a Wi-Fi list generated, from which the user selects the APs to be detected. The device that scans the WLAN is a wireless mobile terminal that is to join the wireless local area network and may be a mobile terminal equipped with a wireless network card, such as a smartphone, a tablet computer or a portable notebook; a person skilled in the art may scan the wireless local area network under test with any device capable of collecting Wi-Fi information, as circumstances require. Since one area may be covered by several hotspots, the Wi-Fi list may include hotspots on several channels, and one Wi-Fi hotspot may also include several MAC addresses, for example the hotspot CMCC provided by the operator China Mobile, the hotspot Starbucks provided by a large chain store, or a personal hotspot.
The method scans the Wi-Fi signals in the current wireless local area network with the device that is to join the wireless network, extracts the relevant information and records the scan results, which include the Service Set Identifiers (SSIDs), Basic Service Set Identifiers (BSSIDs), channels and the like.
Step S102: connect to the target APs with two network cards respectively, obtain the allocated IP addresses and execute bidirectional SYN reflection detection: network card one executes forward SYN reflection detection and network card two executes reverse SYN reflection detection.
Specifically, to perform forward SYN reflection detection, network card one constructs a SYN packet whose source IP address is that of network card two and sends it to the server, while network card two monitors whether the corresponding SYN-ACK packet is received; this completes forward SYN reflection detection.
When constructing the SYN packet for forward SYN reflection detection, network card one builds a probe SYN packet and sends it to a network server. The layer-2 source MAC address of the SYN packet is the MAC address of network card one, the layer-3 source IP address is the address obtained by network card two, the destination address is a server on the network, the SYN (synchronize sequence number) flag is set to 1, the source port number is a random client port number in the range 10000-65535, and the destination IP address and destination port number in the SYN packet are chosen at random. The purpose of this randomization is to prevent an attacker from evading detection. The sniffing function of network card two is started before network card one sends the SYN packet, and network card two continuously monitors whether the expected SYN-ACK packet arrives. The expected SYN-ACK packet is a response packet that contains the correct IP address and the correct port number and is received within a specified time (i.e. its destination IP address and port number correspond to the SYN packet constructed above). During SYN reflection detection the network card sends the SYN packet through the gateway to an Internet server; once the server responds, it sends the SYN-ACK to the gateway, and because the gateway uses NAT it tries to forward the SYN-ACK packet to the recorded network card two, obtaining the MAC address corresponding to the IP of network card two by looking up its forwarding entry.
To perform reverse SYN reflection detection, network card two constructs a SYN packet whose source IP address is that of network card one and sends it to a server, while network card one monitors whether the corresponding SYN-ACK packet is received; this completes reverse SYN reflection detection.
When constructing the SYN packet for reverse SYN reflection detection, network card two builds a probe SYN packet and sends it to a network server. The layer-2 source MAC address of the SYN packet is the MAC address of network card two, the layer-3 source IP address is the address obtained by network card one, the destination address is a server on the network, the SYN (synchronize sequence number) flag is set to 1, the source port number is a random client port number in the range 10000-65535, and the destination IP address and destination port number in the SYN packet are chosen at random. This is likewise done to prevent an attacker from evading detection. The sniffing function of network card one is started and it continuously monitors whether the expected SYN-ACK packet is received, where the expected SYN-ACK packet is a response packet containing the correct IP address and the correct port number that arrives within the specified time.
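The probe and the "expected SYN-ACK" check described in this step, written out at header level as an added example (this is not code from the patent). All MAC and IP addresses are constructed, and the extra conditions on the SYN+ACK flags, the checksums and the acknowledgement number go beyond what the page specifies.

```python
import random
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_P_IP = 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class TcpFields:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used for both IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_tcp_frame(src_mac: str, dst_mac: str, f: TcpFields) -> bytes:
    """Ethernet + IPv4 + TCP header (no payload) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", f.src_port, f.dst_port, f.seq, f.ack,
                      5 << 4, f.flags, 65535, 0, 0)
    pseudo = _ip(f.src_ip) + _ip(f.dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), random.getrandbits(16),
                     0x4000, 64, 6, 0, _ip(f.src_ip), _ip(f.dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip + tcp


def build_syn_probe(sender_mac: str, ap_mac: str, reflected_ip: str, server_ip: str,
                    server_port: int, src_port: Optional[int] = None) -> Tuple[bytes, TcpFields]:
    """The page's probe: layer-2 source is the sending card's MAC, layer-3 source is the
    OTHER card's IP, SYN flag set, source port random in 10000-65535. Returns the frame
    and the fields the sniffer on the other card needs to recognise the reply."""
    if src_port is None:
        src_port = random.randint(10000, 65535)
    probe = TcpFields(reflected_ip, server_ip, src_port, server_port,
                      random.getrandbits(32), 0, TCP_SYN)
    return build_tcp_frame(sender_mac, ap_mac, probe), probe


def parse_tcp(frame: bytes) -> Optional[TcpFields]:
    """Minimal Ethernet/IPv4/TCP header parser for frames seen by the sniffer."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src_port, dst_port, seq, ack, _off, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
    return TcpFields(".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                     src_port, dst_port, seq, ack, flags)


def checksums_ok(frame: bytes) -> bool:
    """True when both the IPv4 and the TCP checksum of an Ethernet/IPv4/TCP frame verify."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(ip) - ihl)
    return _checksum(ip[:ihl]) == 0 and _checksum(pseudo + ip[ihl:]) == 0


def is_expected_syn_ack(frame: bytes, probe: TcpFields, sent_at: float,
                        seen_at: float, timeout: float = 3.0) -> bool:
    """The page's 'expected SYN-ACK': correct IP and port, received inside the time window.
    Requiring SYN+ACK flags, valid checksums and ack == seq+1 is added here as a sanity check."""
    if seen_at - sent_at > timeout:
        return False
    r = parse_tcp(frame)
    if r is None or not checksums_ok(frame) or (r.flags & (TCP_SYN | TCP_ACK)) != (TCP_SYN | TCP_ACK):
        return False
    return (r.src_ip == probe.dst_ip and r.src_port == probe.dst_port
            and r.dst_ip == probe.src_ip and r.dst_port == probe.src_port
            and r.ack == (probe.seq + 1) & 0xFFFFFFFF)
```

On a real detector the frame returned by build_syn_probe would be written to a raw socket on network card one while network card two's sniffer feeds every captured frame to is_expected_syn_ack.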
Step S103, after the bidirectional SYN reflection detection is executed, whether the phishing AP attack and the attack model exist in the target AP or not is judged according to the number of the received SYN-ACK packets.
Specifically, in a normal network configuration, bidirectional SYN-reflection detection is performed, and both network cards can receive a correct SYN-ACK packet. In the forward SYN reflection, the first network card constructs a SYN packet by using information such as the second network card IP and the like, and sends the SYN handshake packet to the network server, and when the SYN packet passes through the gateway, the NAT router extracts a source IP address (namely, the address of the second network card) in the SYN packet, allocates an idle public IP and a port number, and records corresponding information into a mapping table. After receiving the SYN packet sent by the gateway, the Internet server returns a response SYN-ACK packet to the gateway according to the IP address and the port number of the gateway. And after receiving the SYN-ACK packet, the gateway queries an NAT mapping table and translates the public IP address and the port number into a private IP address and a port number. Because the IP of network card two is recorded in the NAT mapping table, the SYN-ACK packet is forwarded to network card two. That is, the first network card performs forward SYN reflection, and the second network card receives the SYN-ACK packet. Similarly, when the second network card performs reverse SYN-reflection detection using information such as the first network card IP, the first network card may receive the expected SYN-ACK packet. In summary, when two target APs are legitimate APs, both network cards performing bi-directional SYN reflections receive the expected SYN-ACK packets, i.e., 2 SYN-ACK packets for the correct IP and port number.
Generally, in a public network and a private network, there is a gateway in each organization network, such as a home network, a company network, and an airport network, and hosts in a local area network surf the internet through a public IP address sharing one or a group of gateways, that is, NAT technology. Therefore, an AP in a normal network is connected to the same gateway, and the bi-directional SYN detection causes two network cards to receive the SYN-ACK frame.
In addition, in the serial phishing AP attack model, bidirectional SYN reflection detection is performed, and only one of the two network cards can receive the SYN-ACK frame. The serial phishing AP attack model refers to the situation that an attacker utilizes one wireless network card to release signals to entice a victim to connect, and the other wireless network card serves as a normal user and is connected with a legal AP. That is, the attacker connects the victim by using one wireless network card, and forwards the data of the victim to the legal AP by using the other network card, so as to provide internet service for the victim. In the tandem phishing AP attack model, the phishing AP is a man-in-the-middle with an attacker disposed between the legitimate AP and the victim, and the phishing AP and the legitimate AP are in a tandem structure.
In the serial phishing AP model, two network cards at a detection end are respectively connected with the phishing AP and the phishing AP, bidirectional SYN reflection detection is executed, and the network cards connected with the phishing AP cannot receive expected SYN-ACK packets. Since the phishing AP built by the attacker is like a gateway, the phishing AP forwards the traffic of the user of the internal network to the legal AP by using the IP which is distributed to the phishing AP network card by the legal AP. Suppose that the network card one is connected with the phishing AP and the network card two is connected with the legal AP. When forward SYN reflection detection is executed, the network card I constructs a SYN packet by using IP information of the network card II and sends the SYN packet to the phishing AP, the phishing AP records the IP of the network card II, replaces the source address of the IP packet with the IP address distributed to the phishing AP by the legal AP, then forwards the SYN packet to the legal AP, and forwards the SYN packet to the Internet through the gateway of the legal AP. After receiving the SYN packet, the Internet server sends the SYN-ACK packet to the gateway of the legal AP, and the gateway forwards the SYN-ACK packet to the legal AP according to the mapping item and finally delivers the SYN-ACK packet to the network card which serves as a normal user by the phishing AP. Because the SYN-ACK packet needs to be sent to the IP address of network card two in the NAT mapping table of the phishing AP, like the gateway, translates the destination IP address of the SYN-ACK packet into the IP of network card two and tries to send to network card two. And because the phishing AP and the network card II are in the same network, the SYN-ACK packet can be sent to a legal AP by the phishing AP and forwarded to the network card II. 
Therefore, in the tandem phishing AP attack model, network card one (connecting phishing AP) performs forward SYN reflection detection, and network card two can receive the expected SYN-ACK packet.
In the tandem phishing AP attack model, when reverse SYN reflection detection is performed, the network card (network card two) connected to the phishing AP cannot receive the expected SYN-ACK packet. When the network card II sends a SYN packet to the Internet server by using information such as IP (Internet protocol) of the network card I, the gateway checks whether the source IP address of the SYN packet is in the network segment, and if the source IP address belongs to the network segment, the gateway translates the SYN packet and sends the SYN packet to the Internet; if the source IP address of the SYN packet does not belong to the network segment, the gateway will discard the SYN packet for security reasons. In the tandem phishing AP attack model, the network segment released by the phishing AP is different from the network segment released by the legal AP. This indicates that after the network card two sends the SYN packet using the IP address of the network card one, the gateway of the legitimate AP will discard the SYN packet. Therefore, the network card will not receive the expected SYN-ACK packet. That is, in the tandem phishing AP attack model, when reverse SYN detection is performed, the network card cannot receive the SYN-ACK packet. To sum up, in the serial phishing AP attack model, bidirectional SYN reflection detection is performed, only the network card connected with a legitimate AP can receive an expected SYN-ACK packet, and the network card not receiving the SYN-ACK packet is connected with a phishing AP.
In addition, in the parallel phishing AP attack model, when bidirectional SYN reflection detection is executed, neither detection network card can receive a SYN-ACK packet. The parallel phishing AP attack model refers to an attacker connecting the victim, who is attached to the phishing AP, to the Internet through a gateway different from that of the legitimate AP. Attackers typically use a mobile cellular network (e.g. 3G/4G) as the access network of the phishing AP, whereas the access network of the legitimate AP is typically Ethernet. That is, the public IP address of the legitimate gateway differs from that of the gateway used by the attacker. After the two detection network cards are connected to the legitimate AP and the phishing AP respectively (network card one to the legitimate AP, network card two to the phishing AP) and bidirectional SYN reflection detection is executed, neither detection network card receives the SYN-ACK response. When forward SYN reflection detection is executed, network card one constructs a SYN packet using the IP address of network card two; the legitimate gateway translates the private address in the IP packet into its public IP address and sends the packet to the Internet server. The server's SYN-ACK is therefore returned to the legitimate gateway, but network card two is connected to the phishing AP, so the legitimate gateway cannot deliver the SYN-ACK response to network card two. Similarly, when reverse SYN reflection detection is executed, network card two constructs a SYN packet using the IP address of network card one; the phishing AP translates the private address in the IP packet into the phishing AP's public IP address and sends the packet to the Internet server.
The server's SYN-ACK is therefore returned to the phishing AP, but network card one is connected to the legitimate AP, so the phishing AP cannot deliver the SYN-ACK response to network card one. Hence, in the parallel phishing AP attack model, when bidirectional SYN reflection detection is performed, neither detection network card receives the expected SYN-ACK packet.
In summary, bidirectional SYN reflection detection determines whether a phishing AP attack exists in the network under test, and which attack model it follows, from whether the expected SYN-ACK packets are received and how many are received. After bidirectional SYN reflection detection is executed: if both network cards receive the expected SYN-ACK packet, so that two SYN-ACK packets are received, the target AP is judged to be a true (legitimate) AP and the user can connect normally; if only one network card receives the expected SYN-ACK packet, so that one SYN-ACK packet is received, a pseudo AP is judged to exist among the target APs in the form of a tandem phishing AP, and the AP connected to the network card that received no SYN-ACK packet is judged to be the phishing AP; and if neither network card receives the expected SYN-ACK, so that zero SYN-ACK packets are received, a parallel phishing AP is judged to exist among the target APs.
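The three outcomes above, as an added example that is not part of the patent: a small Python model in which a NAT gateway forwards a SYN only when its source IP lies in the gateway's own segment and delivers the server's SYN-ACK only onto its own LAN, run over constructed legitimate, tandem and parallel topologies. The sample addresses, the frame-relaying behaviour of the tandem phishing AP and the unfiltered cellular hotspot are assumptions, not statements from the patent.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Gateway:
    """One hop on a detection NIC's path to the Internet.
    nat=True: a NAT gateway as the description assumes it (forwards a SYN only if
    its source IP is in the gateway's own segment; hands the server's SYN-ACK to
    that private address on its own LAN). nat=False: a tandem phishing AP modelled
    as a transparent relay to `uplink` (assumption: frames pass through unchanged)."""
    name: str
    segment: IPv4Network
    public_ip: str
    nat: bool = True
    checks_source: bool = True      # an attacker-run hotspot need not filter (assumption)
    uplink: Optional["Gateway"] = None


@dataclass
class Nic:
    name: str
    ip: str
    attached_to: Gateway            # the AP this detection NIC associated with


def first_nat_hop(gw: Gateway) -> Gateway:
    """Walk past transparent relays to the gateway that actually performs NAT."""
    while not gw.nat:
        gw = gw.uplink
    return gw


def reflect(sender: Nic, spoofed: Nic, sniffer: Nic) -> bool:
    """One reflection: `sender` emits a SYN whose L3 source is `spoofed.ip`;
    `sniffer` watches for the SYN-ACK. Returns True iff it arrives."""
    hop = first_nat_hop(sender.attached_to)
    if hop.checks_source and ip_address(spoofed.ip) not in hop.segment:
        return False                # dropped by the gateway: foreign source address
    # The SYN left as hop.public_ip, so the server's SYN-ACK returns to `hop`,
    # which delivers it to spoofed.ip on its own LAN and nowhere else.
    return sniffer.ip == spoofed.ip and first_nat_hop(sniffer.attached_to) is hop


def bidirectional_syn_reflection(nic1: Nic, nic2: Nic) -> str:
    """Forward: NIC1 sends with NIC2's IP while NIC2 sniffs; reverse is the mirror.
    The verdict follows the description's count rule: 2 / 1 / 0 expected SYN-ACKs."""
    forward = reflect(sender=nic1, spoofed=nic2, sniffer=nic2)
    reverse = reflect(sender=nic2, spoofed=nic1, sniffer=nic1)
    if forward and reverse:
        return "legitimate"
    if not forward and not reverse:
        return "parallel"
    silent = nic2 if not forward else nic1      # the NIC that saw no SYN-ACK ...
    return f"tandem:{silent.name}"              # ... is the one on the phishing AP


# Constructed topologies (sample addresses, not from the patent)
def legit_gateway() -> Gateway:
    return Gateway("legit-gw", ip_network("192.168.1.0/24"), "198.51.100.1")


def topology_legitimate():
    gw = legit_gateway()
    return Nic("NIC1", "192.168.1.10", gw), Nic("NIC2", "192.168.1.11", gw)


def topology_tandem():
    gw = legit_gateway()        # evil twin runs its own DHCP segment, relays upstream
    twin = Gateway("evil-twin", ip_network("10.0.0.0/24"), "", nat=False, uplink=gw)
    return Nic("NIC1", "192.168.1.10", gw), Nic("NIC2", "10.0.0.5", twin)


def topology_parallel():
    gw = legit_gateway()        # evil twin backhauled over the attacker's cellular link
    cell = Gateway("evil-twin-cell", ip_network("10.0.0.0/24"), "203.0.113.7",
                   checks_source=False)
    return Nic("NIC1", "192.168.1.10", gw), Nic("NIC2", "10.0.0.5", cell)
```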
As an embodiment of the invention, after a phishing AP attack is judged to exist, a warning is sent to the client and to a network administrator to indicate that the Wi-Fi is unsafe, and/or the user is prevented from accessing it, and/or the SSID and MAC address of the phishing AP are sent to the network administrator.
As an embodiment of the invention, when a tandem phishing AP attack is judged to exist, a tandem AP attack alarm is sent to the client and to a network administrator; when a parallel phishing AP attack exists, a parallel phishing AP attack alarm is sent to the client and to the network administrator. The alarm information includes the SSID, the MAC address and the physical location of the phishing AP.
As an embodiment of the invention, after the phishing AP is identified, its SSID and MAC address are sent to a network administrator, and the AP is located with the help of the phishing AP's signal strength. Locating an AP by signal strength is not a design point of the present invention and can be implemented according to the prior art; it is not described further here.
Example 2
Referring to fig. 2, the present invention provides a device for detecting a multi-model pseudo AP based on bidirectional SYN reflection, comprising:
a selection module, which screens whether an AP detection set specified by a user contains two or more APs with the same SSID and, if so, designates those APs as target APs;
a reflection module, which executes bidirectional SYN reflection detection, including constructing a SYN handshake packet to execute forward SYN reflection detection and constructing a SYN handshake packet to execute reverse SYN reflection detection;
and a judging module, which judges from the SYN-ACK packets received whether a phishing AP attack exists in the target network and which attack model it follows: if two expected SYN-ACK packets are received, the target AP is judged to be a legitimate AP; if only one expected SYN-ACK packet is received, a serial phishing AP attack is judged to exist among the target APs and the AP connected to the network card that could not receive the SYN-ACK packet is judged to be the phishing AP; and if no expected SYN-ACK packet is received, a parallel phishing AP attack is judged to exist among the target APs.
For the implementation of the device, refer to embodiment 1; details are not repeated here.
Example 3
Referring to fig. 3, the present invention also provides a computer-readable storage medium having a computer program stored thereon which, when executed by a processor, implements the following steps:
First, through the selection module, the client selects the Wi-Fi to be accessed or the Wi-Fi to be detected, and the set of valid APs to be detected is generated. The valid APs to be detected are different APs that share the same SSID, i.e. the target APs (suspicious APs).
Then, bidirectional SYN reflection detection is executed through the reflection module. This step comprises three operations.
First, the two network cards are connected to the two suspicious APs respectively and obtain IP addresses.
Second, network card one performs forward SYN reflection detection, while network card two sniffs for a correct SYN-ACK packet arriving at network card two.
Third, network card two performs reverse SYN reflection detection, while network card one sniffs for a correct SYN-ACK packet arriving at network card one.
Finally, the judging module judges, from the SYN-ACK packets received by the two network cards, whether a phishing AP attack exists in the network and which type of attack it is. There are three scenarios. Scenario one: both network cards receive the expected SYN-ACK packet; the target AP is a true (legitimate) AP, no phishing AP attack is present, the network is safe and the user can connect normally. Scenario two: neither network card receives the expected SYN-ACK; a parallel phishing AP exists among the target APs and the network is unsafe. Scenario three: only one network card receives the expected SYN-ACK packet; the network is unsafe, a tandem phishing AP attack is present, and the AP connected to the network card that received no SYN-ACK packet is the phishing AP.
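The forward and reverse reflection steps above, as an added example that is not from the patent: Python code that builds the detection SYN (source IP of the other network card, random source port, SYN flag set) as raw IPv4/TCP bytes, and the acceptance test for the expected SYN-ACK. Writing the packet to a raw socket bound to one network card and capturing on the other are left to the operating system; the sample addresses, the timeout value and the added ack-number check are assumptions.

```python
import random
import struct
import time
from typing import Optional

SYN, SYN_ACK = 0x02, 0x12
PROBE_TIMEOUT = 3.0         # the description's "specified time"; the value is an assumption


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip4(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_tcp_packet(src_ip, dst_ip, sport, dport, seq, ack, flags) -> bytes:
    """IPv4 header + TCP header (no options/payload) with valid checksums. The L2
    frame (source MAC = the sending NIC) comes from the raw socket, not from here."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = ip4(src_ip) + ip4(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), random.getrandbits(16),
                     0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def make_probe(spoofed_src_ip: str, server_ip: str, server_port: int = 80) -> dict:
    """The detection SYN: L3 source is the OTHER network card's address, random
    ephemeral source port, SYN flag set. Records what the expected reply must match."""
    sport, seq = random.randint(49152, 65535), random.getrandbits(32)
    return {"src_ip": spoofed_src_ip, "server_ip": server_ip, "sport": sport,
            "dport": server_port, "seq": seq, "sent_at": time.monotonic(),
            "packet": build_tcp_packet(spoofed_src_ip, server_ip, sport, server_port, seq, 0, SYN)}


def parse_tcp(pkt: bytes) -> Optional[dict]:
    """Minimal IPv4/TCP parser for sniffed packets; None for anything else."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def is_expected_synack(probe: dict, pkt: bytes, now: Optional[float] = None) -> bool:
    """The description's acceptance rule: a SYN-ACK with the correct IP addresses
    and port numbers, seen within the time limit. The ack == seq+1 check is added
    so a stale or unrelated SYN-ACK on the same port is not counted."""
    now = time.monotonic() if now is None else now
    if now - probe["sent_at"] > PROBE_TIMEOUT:
        return False
    t = parse_tcp(pkt)
    return (t is not None
            and t["flags"] & 0x16 == SYN_ACK            # SYN and ACK set, RST clear
            and t["src"] == probe["server_ip"] and t["dst"] == probe["src_ip"]
            and t["sport"] == probe["dport"] and t["dport"] == probe["sport"]
            and t["ack"] == (probe["seq"] + 1) & 0xFFFFFFFF)
```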
The computer program of this embodiment may of course also execute each of the process steps of embodiment 1, which are not described again here.
As an embodiment of the present invention, a computer program product is further provided, which comprises a program executable by a processor; when the program is executed by the processor, the steps of embodiments 1 and 2 are implemented, which are not described again here.
The embodiments in this description may be referred to one another for the same or similar parts, and each embodiment is described with emphasis on its differences from the others. Moreover, the structure of the device embodiment is only schematic: the program modules described as separable components may or may not be physically separated, and in practice some or all of the modules may be selected as required to achieve the purpose of the solution of the embodiment.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software together with a necessary hardware platform, and may certainly also be implemented in hardware, but in many cases the former is the better embodiment. With this understanding, the technical solution of the present invention, in whole or in the part that contributes over the prior art, can be embodied as a software product stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disk, which includes instructions for causing a computer device (a personal computer, a server, a network device or the like) to execute the methods of the embodiments, or of parts of the embodiments, of the present invention.
It is to be understood that the above description is not intended to limit the present invention, which is not restricted to the above examples; those skilled in the art should understand that various changes, modifications, additions and substitutions can be made within the spirit and scope of the present invention.

Claims (7)

1. A multi-model pseudo AP detection method based on bidirectional SYN reflection, characterized by comprising the following steps:
judging whether an AP detection set specified by a user contains two or more APs with the same SSID, and if so, designating those APs as target APs;
connecting two network cards respectively to the target APs, acquiring the allocated IP addresses, and executing bidirectional SYN reflection detection: using the first network card to execute forward SYN reflection detection and the second network card to execute reverse SYN reflection detection;
after the bidirectional SYN reflection detection is executed, judging, according to the SYN-ACK packets received, whether a phishing AP attack exists in the target APs and which attack model it follows;
wherein, in the bidirectional SYN reflection detection, the first network card constructs a SYN packet whose source IP address is that of the second network card and sends it to a server, while the second network card monitors whether the corresponding SYN-ACK packet is received, thereby completing forward SYN reflection detection;
the second network card constructs a SYN packet whose source IP address is that of the first network card and sends it to the server, while the first network card monitors whether the corresponding SYN-ACK packet is received, thereby completing reverse SYN reflection detection; the forward SYN reflection detection step includes:
constructing a SYN packet for detection with the first network card and sending it to a network server, wherein the layer-2 source physical address of the SYN packet is the MAC address of the first network card, the layer-3 source IP address is the address obtained by the second network card, the destination address is a server on the network, the source port number of the SYN packet is randomly selected, and the SYN flag is set to 1;
starting the sniffing function of the second network card and continuously monitoring whether an expected SYN-ACK packet is received, wherein the expected SYN-ACK packet is a response packet containing the correct IP address and the correct port number that is received within a specified time; the reverse SYN reflection detection step includes:
constructing a SYN packet for detection with the second network card and sending it to a network server, wherein the layer-2 source physical address of the SYN packet is the MAC address of the second network card, the layer-3 source IP address is the address obtained by the first network card, the destination address is a server on the network, the source port number of the SYN packet is randomly selected, and the SYN flag is set to 1;
starting the sniffing function of the first network card and continuously monitoring whether an expected SYN-ACK packet is received, wherein the expected SYN-ACK packet is a response packet containing the correct IP address and the correct port number that is received within a specified time;
after the bidirectional SYN reflection detection is executed, judging, according to the number of SYN-ACK packets received, whether a phishing AP attack exists in the target APs and which attack model it follows; the attack models comprise a serial phishing AP attack model and a parallel phishing AP attack model, wherein the serial phishing AP is provided with two wireless network cards: one disguises the phishing AP as a legitimate AP, broadcasts signals and lures users into connecting so as to steal their sensitive information, and the other disguises the phishing AP as a legitimate user, connects to the corresponding legitimate AP and forwards the users' data to it, so that in the serial phishing AP attack model the phishing AP and the legitimate AP are arranged in series; and the parallel phishing AP attack model refers to an attacker connecting the victim, who is attached to the phishing AP, to the Internet through a gateway different from that of the legitimate AP;
if both network cards receive the expected SYN-ACK packet, so that the number of SYN-ACK packets is two, determining that the target AP is a legitimate AP; if only one network card receives the expected SYN-ACK packet, so that the number of SYN-ACK packets is one, determining that a serial phishing AP exists among the target APs and that the AP connected to the network card that received no SYN-ACK packet is the phishing AP; and if neither network card receives the expected SYN-ACK, so that the number of SYN-ACK packets is zero, determining that a parallel phishing AP exists among the target APs.
2. The multi-model pseudo AP detection method based on bidirectional SYN reflection according to claim 1, wherein the Wi-Fi corresponding to the APs specified by the user is a detection range specified by the user according to requirements, being either all Wi-Fi of the whole wireless network or one or more specified Wi-Fi networks.
3. The multi-model pseudo AP detection method based on bidirectional SYN reflection according to claim 2, further comprising: when a phishing AP attack is judged to exist, sending a warning to the client and to a network administrator to indicate that the Wi-Fi is unsafe, and/or preventing the user from accessing it, and/or sending the SSID and MAC address of the phishing AP to the network administrator.
4. The multi-model pseudo AP detection method based on bidirectional SYN reflection according to claim 1, characterized in that when a serial phishing AP attack is judged to exist, a serial AP attack alarm is sent to the client and to the network administrator; when a parallel phishing AP attack exists, a parallel phishing AP attack alarm is sent to the client and to the network administrator; and the alarm information includes the SSID, the MAC address and the physical location of the phishing AP.
5. The multi-model pseudo AP detection method based on bidirectional SYN reflection according to claim 1, further comprising: after the phishing AP is identified, providing its SSID and MAC address to a network administrator and locating the AP with the help of the phishing AP's signal strength.
6. A computer-readable storage medium on which a computer program is stored, which, when executed by a processor, carries out the steps of any one of claims 1 to 5.
7. A device for detecting multi-model pseudo APs based on bidirectional SYN reflection, characterized in that it implements the steps of any one of claims 1 to 5 and comprises:
a selection module, which screens whether an AP detection set specified by a user contains two or more APs with the same SSID and, if so, designates those APs as target APs;
a reflection module, which executes bidirectional SYN reflection detection, including constructing a SYN handshake packet to execute forward SYN reflection detection and constructing a SYN handshake packet to execute reverse SYN reflection detection;
and a judging module, which judges from the SYN-ACK packets received whether a phishing AP attack exists in the target network and which attack model it follows: if two expected SYN-ACK packets are received, the target AP is judged to be a legitimate AP; if only one expected SYN-ACK packet is received, a serial phishing AP attack is judged to exist among the target APs and the AP connected to the network card that could not receive the SYN-ACK packet is judged to be the phishing AP; and if no expected SYN-ACK packet is received, a parallel phishing AP attack is judged to exist among the target APs.
CN201910446169.2A 2019-05-27 2019-05-27 Multi-model pseudo AP detection method and detection device based on bidirectional SYN reflection Active CN110213761B (en)

Publications (2)

Publication Number Publication Date
CN110213761A CN110213761A (en) 2019-09-06
CN110213761B true CN110213761B (en) 2020-06-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Qu Haipeng, Lu Qian, Jiang Ruobing, Ouyang Yuzhan, Wang Xiaodong
Inventor before: Lu Qian, Qu Haipeng, Jiang Ruobing, Ouyang Yuzhan, Wang Xiaodong
GR01 Patent grant