wireshark
tshark
提取TCP流量的data字段:
tshark -r 1.pcapng -Y tcp -T fields -e tcp.segment_data > tcp.txt
过滤器
抓包过滤器
抓取源地址为192.168.1.1,目的端口为80的流量
1 | src host 192.168.1.1 && dst port 80 |
抓取192.168.1.1和192.168.1.2的流量
1 | host 192.168.1.1 || host 192.168.1.2 |
过滤mac地址:
1 | ether host 00:88:ca:86:f8:0d |
过滤IP地址:
1 | host 192.168.1.1 |
过滤端口:
1 | port 80 |
过滤协议:
1 | arp |
结合逻辑符号综合过滤
1 | host 192.168.1.1 && port 8080 |
显示过滤器
过滤IP地址:
1 | ip.addr == 192.168.1.1 过滤该地址的包 |
过滤端口:
1 | tcp.port == 80 过滤tcp中端口号为80的包 |
结合逻辑符综合过滤:
1 | ip.src == 192.168.1.1 and ip.dst == 172.16.1.1 |
常用
Nmap扫描出的靶机开放的端口
TCP协议的三次握手
第一次:发送 SYN 包
第二次:服务器收到SYN包 同时自己也发一个SYN包 即 SYN+ACK 包 此时服务器进入SYN_RECV状态
第三次:客户端收到服务器的包 向服务器发送确认包 ACK 完成三次握手
因此可以得知:SYN标志表示建立连接,ACK表示响应,查看开放端口,肯定会返回ACK标志,找
端口即为找ACK标志
wireshark:
ip.src == 192.168.204.133 && tcp.flags.syn == 1 && tcp.flags.ack == 1
tcpdump:
tcpdump -n -r 1.pcapng 'ip src 192.168.204.133 and tcp[13] =18' | awk '{print $3}' | sort -u
USB流量
工具:knm
键盘流量
USB协议数据部分在Leftover Capture Data域中,数据长度为八个字节。其中键盘击键信息集中在第三个字节中。键位映射关系参考:《USB键盘协议中键码》中的HID Usage ID。
步骤:
tshark命令提取cap data
tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txttshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt(去空行)将数据还原成键位
提取出来的数据可能会带冒号,也可能不带,但是一般的脚本都会按照有冒号的数据来识别。
有冒号时提取数据的
[6:8],无冒号时数据在[4:6]。加冒号:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
a=f.readline().strip()
if a:
if len(a)==16:
out=''
for i in range(0,len(a),2):
if i+2 != len(a):
out+=a[i]+a[i+1]+":"
else:
out+=a[i]+a[i+1]
fi.write(out)
fi.write('\n')
else:
break
fi.close()还原键位:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65normalKeys = {
"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
"09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
"0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
"13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
"18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
"1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
"22":"5", "23":"6","24":"7","25":"8","26":"9",
"27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
"2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
"32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
"38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
"3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
"44":"<F11>","45":"<F12>"}
shiftKeys = {
"04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
"09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
"0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
"13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
"18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
"1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
"22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
"28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
"2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
"34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
"3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
"41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('<DEL>')
del output[a]
del output[a-1]
except:
pass
for i in range(len(output)):
try:
if output[i]=="<CAP>":
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass
print ('output :' + "".join(output))
鼠标流量
USB协议鼠标数据部分在Leftover Capture Data域中,数据长度为四个字节。
第一个字节代表按键,当取0x00时代表没有按键,为0x01时代表按左键,为0x02时代表按右键。
第二个字节可以看成是一个signed byte类型,其最高位为符号位,当这个值为正时,代表鼠标水平右移多少像素,为负时,代表水平左移多少像素。
第三个字节与第二字节类似,代表垂直上下移动的偏移。
步骤:
tshark命令提取cap data
tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txttshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt(去空行)将鼠标数据还原鼠标移动轨迹
提取出来的数据可能会带冒号,也可能不带,但是一般的脚本都会按照有冒号的数据来识别。
有冒号时提取数据的
[6:8],无冒号时数据在[4:6]。加冒号:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
a=f.readline().strip()
if a:
if len(a)==8:
out=''
for i in range(0,len(a),2):
if i+2 != len(a):
out+=a[i]+a[i+1]+":"
else:
out+=a[i]+a[i+1]
fi.write(out)
fi.write('\n')
else:
break
fi.close()测试信息隐藏位置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24nums = []
keys = open('out.txt','r')
f = open('xy.txt','w')
posx = 0
posy = 0
for line in keys:
if len(line) != 12 :
continue
x = int(line[3:5],16)
y = int(line[6:8],16)
if x > 127 :
x -= 256
if y > 127 :
y -= 256
posx += x
posy += y
btn_flag = int(line[0:2],16) # 1 for left , 2 for right , 0 for nothing
if btn_flag == 2 : # 1 代表左键
f.write(str(posx))
f.write(' ')
f.write(str(posy))
f.write('\n')
f.close()gnuplot将坐标转化成图像
gnuplotgnuplot> plot "xy.txt"
TLS流量
解密:Wireshark首选项 - TLS - RSA keys list - Edit… - TLS Decrypt
NTLM
Net-NTLM-v2-Hash 格式:
[User name]::[Domain name]:[NTLM Server Challenge]:[NTLM Response]
其中 NTLM Response 由 NTProofStr+blob 两部分组成,即:
[User name]::[Domain name]:[NTLM Server Challenge]:[NTLM ProofStr]:[Blob]
爆破:
john hash.txt --wordlist=rockyou.txt
hashcat -m 5600 [HASH] rockyou.txt -o result.txt --force
Shadowsocks
1 | #!/usr/bin/env python3 |
