流量分析

wireshark

tshark

提取TCP流量的data字段:

tshark -r 1.pcapng -Y tcp -T fields -e tcp.segment_data > tcp.txt

过滤器

抓包过滤器

抓取源地址为192.168.1.1,目的端口为80的流量

1
src host 192.168.1.1 && dst port 80

抓取192.168.1.1和192.168.1.2的流量

1
host 192.168.1.1 || host 192.168.1.2

过滤mac地址:

1
2
3
ether host 00:88:ca:86:f8:0d
ether src host 00:88:ca:86:f8:0d
ether dst host 00:88:ca:86:f8:0d

过滤IP地址:

1
2
3
host 192.168.1.1
src host 192.168.1.1
dst host 192.168.1.1

过滤端口:

1
2
3
4
port 80
!port 80
dst port 80
src port 80

过滤协议:

1
2
arp
icmp

结合逻辑符号综合过滤

1
host 192.168.1.1 && port 8080

显示过滤器

过滤IP地址:

1
2
3
ip.addr == 192.168.1.1   过滤该地址的包
ip.src == 172.16.1.1 过滤源地址为该地址的包
ip.dst == 172.16.1.1 过滤目标地址为该地址的包

过滤端口:

1
2
3
tcp.port == 80 过滤tcp中端口号为80的包
tcp.flags.syn == 1 过滤syn请求为1的包
tcp.flags.ack == 1 过滤ack请求为1的包

结合逻辑符综合过滤:

1
ip.src == 192.168.1.1 and ip.dst == 172.16.1.1

USB流量

工具:knm

键盘流量

USB协议数据部分在Leftover Capture Data域中,数据长度为八个字节。其中键盘击键信息集中在第三个字节中。键位映射关系参考:《USB键盘协议中键码》中的HID Usage ID

步骤

  1. tshark命令提取cap data

    tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt

    tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt(去空行)

  2. 将数据还原成键位

    提取出来的数据可能会带冒号,也可能不带,但是一般的脚本都会按照有冒号的数据来识别。

    有冒号时提取数据的[6:8],无冒号时数据在[4:6]

    加冒号:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    f=open('usbdata.txt','r')
    fi=open('out.txt','w')
    while 1:
    a=f.readline().strip()
    if a:
    if len(a)==16:
    out=''
    for i in range(0,len(a),2):
    if i+2 != len(a):
    out+=a[i]+a[i+1]+":"
    else:
    out+=a[i]+a[i+1]
    fi.write(out)
    fi.write('\n')
    else:
    break
    fi.close()

    还原键位:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    normalKeys = {
    "04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
    "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
    "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
    "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
    "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
    "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
    "22":"5", "23":"6","24":"7","25":"8","26":"9",
    "27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
    "2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
    "32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
    "38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
    "3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
    "44":"<F11>","45":"<F12>"}
    shiftKeys = {
    "04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
    "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
    "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
    "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
    "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
    "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
    "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
    "28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
    "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
    "34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
    "3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
    "41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
    output = []
    keys = open('out.txt')
    for line in keys:
    try:
    if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
    continue
    if line[6:8] in normalKeys.keys():
    output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
    else:
    output += ['[unknown]']
    except:
    pass

    keys.close()

    flag=0
    print("".join(output))
    for i in range(len(output)):
    try:
    a=output.index('<DEL>')
    del output[a]
    del output[a-1]
    except:
    pass

    for i in range(len(output)):
    try:
    if output[i]=="<CAP>":
    flag+=1
    output.pop(i)
    if flag==2:
    flag=0
    if flag!=0:
    output[i]=output[i].upper()
    except:
    pass

    print ('output :' + "".join(output))

鼠标流量

USB协议鼠标数据部分在Leftover Capture Data域中,数据长度为四个字节

第一个字节代表按键,当取0x00时代表没有按键,为0x01时代表按左键,为0x02时代表按右键。

第二个字节可以看成是一个signed byte类型,其最高位为符号位,当这个值为正时,代表鼠标水平右移多少像素,为负时,代表水平左移多少像素。

第三个字节与第二字节类似,代表垂直上下移动的偏移。

步骤

  1. tshark命令提取cap data

    tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt

    tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt(去空行)

  2. 将鼠标数据还原鼠标移动轨迹

    提取出来的数据可能会带冒号,也可能不带,但是一般的脚本都会按照有冒号的数据来识别。

    有冒号时提取数据的[6:8],无冒号时数据在[4:6]

    加冒号:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    f=open('usbdata.txt','r')
    fi=open('out.txt','w')
    while 1:
    a=f.readline().strip()
    if a:
    if len(a)==8:
    out=''
    for i in range(0,len(a),2):
    if i+2 != len(a):
    out+=a[i]+a[i+1]+":"
    else:
    out+=a[i]+a[i+1]
    fi.write(out)
    fi.write('\n')
    else:
    break
    fi.close()
  3. 测试信息隐藏位置

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    nums = []
    keys = open('out.txt','r')
    f = open('xy.txt','w')
    posx = 0
    posy = 0
    for line in keys:
    if len(line) != 12 :
    continue
    x = int(line[3:5],16)
    y = int(line[6:8],16)
    if x > 127 :
    x -= 256
    if y > 127 :
    y -= 256
    posx += x
    posy += y
    btn_flag = int(line[0:2],16) # 1 for left , 2 for right , 0 for nothing
    if btn_flag == 2 : # 1 代表左键
    f.write(str(posx))
    f.write(' ')
    f.write(str(posy))
    f.write('\n')

    f.close()
  4. gnuplot将坐标转化成图像

    gnuplot

    gnuplot> plot "xy.txt"

TLS流量

解密:Wireshark首选项 - TLS - RSA keys list - Edit… - TLS Decrypt

NTLM

Net-NTLM-v2-Hash 格式:

[User name]::[Domain name]:[NTLM Server Challenge]:[NTLM Response]

其中 NTLM Response 由 NTProofStr+blob 两部分组成,即:

[User name]::[Domain name]:[NTLM Server Challenge]:[NTLM ProofStr]:[Blob]

爆破:

john hash.txt --wordlist=rockyou.txt

hashcat -m 5600 [HASH] rockyou.txt -o result.txt --force

Shadowsocks

参考:使用主动探测方法识别 Shadowsocks 服务

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/usr/bin/env python3
# encoding: utf-8

import os
import sys
import logging
import hashlib

from Crypto.Cipher import AES

logging.basicConfig(level=logging.INFO)

def EVP_BytesToKey(password, key_len, iv_len):
m = []
i = 0
while len(b''.join(m)) < (key_len + iv_len):
md5 = hashlib.md5()
data = password
if i > 0:
data = m[i - 1] + password
md5.update(data)
m.append(md5.digest())
i += 1
ms = b''.join(m)
key = ms[:key_len]
iv = ms[key_len:key_len + iv_len]

return key, iv

def decrypt(cipher,password):
key_len = int(256/8)
iv_len = 16
mode = AES.MODE_CFB

key, _ = EVP_BytesToKey(password, key_len, iv_len)
cipher = bytes.fromhex(cipher)
iv = cipher[:iv_len]
real_cipher = cipher[iv_len:]

obj = AES.new(key, mode, iv, segment_size=128)
plain = obj.decrypt(real_cipher)

return plain

def main():
# test http request
cipher = ''

with open('rockyou.txt','rb') as f:
lines = f.readlines()
for password in lines:
plain = decrypt(cipher,password.strip())
if b'HTTP' in plain:
print(password,plain)

if __name__ == "__main__":
main()