Tcpdump


Reading a pcap with tcpdump

tcpdump -n -r p.pcap
-n  do not resolve names: print raw IP addresses and port numbers instead of hostnames and service names (faster, and no DNS lookups leak out while you analyse a capture)
-r  read packets from a file instead of capturing from an interface

┌──(root㉿kali)-[~/桌面/6565]
└─# tcpdump -n -r p.pcap
08:51:25.048049 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, options [nop,nop,TS val 25539315 ecr 71431652], length 0
08:51:25.048072 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, options [nop,nop,TS val 25539315 ecr 71431652], length 0
08:51:25.048078 IP 172.16.40.10.81 > 208.68.234.99.33313: Flags [R], seq 1876488394, win 0, length 0
08:51:25.048197 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, options [nop,nop,TS val 25539315 ecr 71431652], length 0
08:51:25.048202 IP 172.16.40.10.81 > 208.68.234.99.33313: Flags [R], seq 1876488394, win 0, length 0

tcpdump -n -r p.pcap | awk '{print $5}'

Print only the destination column. With -n every line has the shape "time IP src > dst: Flags ...", so field 5 is the destination address and port, with a trailing colon.

└─# tcpdump -n -r p.pcap | awk '{print $5}'
208.68.234.99.33313:
208.68.234.99.33313:
172.16.40.10.81:
172.16.40.10.81:
208.68.234.99.33313:
172.16.40.10.81:
208.68.234.99.33313:

 

└─# tcpdump -n -r p.pcap | awk '{print $5}' | sort | uniq -c

sort     sort the lines (uniq only collapses adjacent duplicates, so the input must be sorted first)
uniq -c  collapse duplicate lines and prefix each with the number of times it occurred

tcpdump -n -r p.pcap | awk '{print $5}' | sort | uniq -c | more    page through the result one screen at a time

└─# tcpdump -n -r p.pcap | awk '{print $5}' | sort | uniq -c | more
reading from file p.pcap, link-type EN10MB (Ethernet), snapshot length 65535
   20164 172.16.40.10.81:
      14 208.68.234.99.32768:
      14 208.68.234.99.32769:
       6 208.68.234.99.32770:

 

208.68.234.99 is the client: it opens a fresh connection for each attempt, walking through source ports 32768, 32769, 32770 and so on, which is why every client port shows up with only a handful of packets.

172.16.40.10 port 81 is the server: 20164 of the captured packets were addressed to it. Note that this is a packet count, not a request count. One HTTP request spans several packets (SYN, ACK, data, reset or FIN), so the number of actual requests is considerably lower.
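As an added example that is not part of the original post, the same field-5 counting run on a few constructed tcpdump lines, plus two extensions the post does not show: ranking by count with sort -rn, counting by destination port alone, and counting by host pair with both ports stripped. The input lines are constructed here to mimic the tcpdump -n -r p.pcap output above (same addresses, made-up flags and sequence numbers); it assumes a POSIX shell with awk, sort and uniq.

```shell
#!/bin/sh
# Added example, not from the original post. PKTS is a constructed
# stand-in for "tcpdump -n -r p.pcap" output using the post's addresses.
PKTS='08:51:25.048049 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, length 0
08:51:25.048072 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, length 0
08:51:25.048078 IP 172.16.40.10.81 > 208.68.234.99.33313: Flags [R], seq 1876488394, win 0, length 0
08:51:25.048197 IP 208.68.234.99.32768 > 172.16.40.10.81: Flags [S], seq 1, win 14600, length 0
08:51:25.048202 IP 172.16.40.10.81 > 208.68.234.99.32768: Flags [R], seq 1876488394, win 0, length 0
08:51:25.048310 IP 208.68.234.99.32769 > 172.16.40.10.81: Flags [S], seq 1, win 14600, length 0'

# The post's pipeline, with a final "sort -rn" so the busiest destination
# comes first instead of the lexically smallest one. Field 5 is the
# "addr.port:" destination column.
top_dst() {
    awk '{print $5}' | sort | uniq -c | sort -rn
}

# Packets per destination PORT only. The port is everything after the
# last dot, so strip the trailing colon and then everything up to the
# last dot (the greedy .* takes care of the IPv4 dots).
dst_ports() {
    awk '{ f = $5; sub(/:$/, "", f); sub(/.*\./, "", f); print f }' \
        | sort | uniq -c | sort -rn
}

# Packets per (source host -> destination host) pair, both ports dropped,
# which answers "who is talking to whom" regardless of ephemeral ports.
host_pairs() {
    awk '{
        s = $3; d = $5; sub(/:$/, "", d)
        sub(/\.[0-9]+$/, "", s); sub(/\.[0-9]+$/, "", d)
        print s " -> " d
    }' | sort | uniq -c | sort -rn
}

printf '%s\n' "$PKTS" | top_dst
printf '%s\n' "$PKTS" | dst_ports
printf '%s\n' "$PKTS" | host_pairs
```

On the constructed input the server's port 81 is the top destination with 4 packets, and the client-to-server pair outnumbers the reverse direction 4 to 2; on the real p.pcap the same functions reproduce the 20164 figure from the post.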

 

Adding a filter expression

└─# tcpdump -n dst host 172.16.40.10 -r p.pcap

Show only packets whose destination is 172.16.40.10. The server's replies (the [R] resets in the earlier output) disappear because their destination is 208.68.234.99. The filter is an ordinary BPF expression, the same syntax used for live capture. On Linux the -r option may follow the expression as shown here, but the portable form is to put all options before the expression.

┌──(root㉿kali)-[~/桌面/6565]
└─# tcpdump -n dst host 172.16.40.10 -r p.pcap
08:51:25.048049 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, options [nop,nop,TS val 25539315 ecr 71431652], length 0
08:51:25.048072 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, options [nop,nop,TS val 25539315 ecr 71431652], length 0
08:51:25.048197 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, options [nop,nop,TS val 25539315 ecr 71431652], length 0

Filtering by port

└─# tcpdump -n port 81 -r p.pcap

port 81 matches either source or destination port 81, so both directions of the conversation are kept; use dst port 81 or src port 81 to keep only one direction.

┌──(root㉿kali)-[~/桌面/6565]
└─# tcpdump -n port 81 -r p.pcap
08:51:25.048049 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, options [nop,nop,TS val 25539315 ecr 71431652], length 0
08:51:25.048072 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, options [nop,nop,TS val 25539315 ecr 71431652], length 0
08:51:25.048078 IP 172.16.40.10.81 > 208.68.234.99.33313: Flags [R], seq 1876488394, win 0, length 0
08:51:25.048197 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 577, win 124, options [nop,nop,TS val 25539315 ecr 71431652], length 0
08:51:25.048202 IP 172.16.40.10.81 > 208.68.234.99.33313: Flags [R], seq 1876488394, win 0, length 0

 

Showing packet contents

└─# tcpdump -n -A -r p.pcap

-A prints each packet's payload as ASCII, with non-printable bytes shown as dots. That is enough to read plaintext protocols such as HTTP straight from the capture.

┌──(root㉿kali)-[~/桌面/6565]
└─# tcpdump -n -A -r p.pcap  | more
reading from file p.pcap, link-type EN10MB (Ethernet), snapshot length 65535
08:51:20.800917 IP 208.68.234.99.60509 > 172.16.40.10.81: Flags [S], seq 1855084074, win 14600, options [mss 1460,sackOK,TS val 25538253 ecr 0,nop,wscale 7], length 0
E..<..@.9....D.c..(
.].Qn.V*......9..w.........
.^.Q..>....E...s.......
.....A..GET //admin HTTP/1.1
Host: admin.megacorpone.com:81
User-Agent: Teh Forest Lobster
Authorization: Basic YWRtaW46TWVnYUNvcnA=
tcpdump: Unable to write output: Broken pipe

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>

The -A output shows the same kind of Authorization: Basic ... request header over and over: the client is sending HTTP Basic credentials in the clear to port 81, and the server keeps answering 401.

grep can pull out just the lines that contain Authorization:. Keep in mind that grep sees one printed line at a time, so a header that happens to straddle two TCP segments will not match; for a complete view of one conversation, reassemble the stream (for example Wireshark's Follow TCP Stream) rather than grepping packet by packet.

┌──(root㉿kali)-[~/桌面/6565]
└─# tcpdump -n -A -r p.pcap  | grep Authorization
.A......HTTP/1.1 401 Authorization Required
<title>401 Authorization Required</title>
<h1>Authorization Required</h1>
Authorization: Basic YWRtaW46bmFub3RlY2hub2xvZ3kx
Authorization: Basic YWRtaW46bmFub3RlY2hub2xvZ3kx
Authorization: Basic YWRtaW46bmFub3RlY2hub2xvZ3kx

That pattern also matches the server's 401 responses (Authorization Required). Adding the colon keeps only the request header:

┌──(root㉿kali)-[~/桌面/6565]
└─# tcpdump -n -A -r p.pcap  | grep Authorization:
Authorization: Basic YWRtaW46ZnVuZGluZzE=
Authorization: Basic YWRtaW46ZnVuZGluZzE=
Authorization: Basic YWRtaW46ZnVuZGluZzE=
Authorization: Basic YWRtaW46bmFub3Byb2JlMQ==
Authorization: Basic YWRtaW46bmFub3Byb2JlMQ==
Authorization: Basic YWRtaW46bmFub3Byb2JlMQ==
Authorization: Basic YWRtaW46bmFub3RlY2hub2xvZ3kx
Authorization: Basic YWRtaW46bmFub3RlY2hub2xvZ3kx
Authorization: Basic YWRtaW46bmFub3RlY2hub2xvZ3kx

 

grep -E ^Authorization

^ anchors the pattern to the start of a line, so only lines that begin with Authorization match; the server's status lines start with the packet's binary prefix and are skipped. -E selects extended regular expressions, which is not actually needed for ^ alone (basic grep understands it too), but does no harm.

┌──(root㉿kali)-[~/桌面/6565]
└─# tcpdump -n -A -r p.pcap  | grep -E ^Authorization
Authorization: Basic YWRtaW46ZnVuZGluZzE=
Authorization: Basic YWRtaW46ZnVuZGluZzE=
Authorization: Basic YWRtaW46ZnVuZGluZzE=
Authorization: Basic YWRtaW46bmFub3Byb2JlMQ==
Authorization: Basic YWRtaW46bmFub3Byb2JlMQ==
Authorization: Basic YWRtaW46bmFub3Byb2JlMQ==
Authorization: Basic YWRtaW46bmFub3RlY2hub2xvZ3kx
Authorization: Basic YWRtaW46bmFub3RlY2hub2xvZ3kx
Authorization: Basic YWRtaW46bmFub3RlY2hub2xvZ3kx

 

Add sort and uniq to collapse the repeated headers (retransmissions and repeated attempts with the same guess) into one line per distinct credential:

└─# tcpdump -n -A -r p.pcap | grep -E ^Authorization | sort | uniq

┌──(root㉿kali)-[~/桌面/6565]
└─# tcpdump -n -A -r p.pcap  | grep -E ^Authorization | sort | uniq
Authorization: Basic YWRtaW46ZXRoaWNz
Authorization: Basic YWRtaW46ZXRoaWNzZXM=
Authorization: Basic YWRtaW46ZXZlbnRz
Authorization: Basic YWRtaW46ZXZlbnRzZXM=
Authorization: Basic YWRtaW46ZXZlcnl0aGluZ3M=
Authorization: Basic YWRtaW46ZXZlcnl0aGluZw==
Authorization: Basic YWRtaW46ZXZlcnlvbmU=
Authorization: Basic YWRtaW46ZXZlcnlvbmVz

 

Then use awk to pull out just the base64 token, which is field 3 (after "Authorization:" and "Basic"):

└─# tcpdump -n -A -r p.pcap | grep -E ^Authorization | sort | uniq | awk '{print $3}'

┌──(root㉿kali)-[~/桌面/6565]
└─# tcpdump -n -A -r p.pcap  | grep -E ^Authorization | sort | uniq | awk '{print $3}'
YWRtaW46ZXRoaWNz
YWRtaW46ZXRoaWNzZXM=
YWRtaW46ZXZlbnRz
YWRtaW46ZXZlbnRzZXM=
YWRtaW46ZXZlcnl0aGluZ3M=
YWRtaW46ZXZlcnl0aGluZw==
YWRtaW46ZXZlcnlvbmU=
YWRtaW46ZXZlcnlvbmVz

That yields every base64-encoded credential in the capture. Base64 is an encoding, not encryption: anyone holding the capture can reverse it, which is why Basic authentication is only acceptable over TLS.

Paste the list into https://gchq.github.io/CyberChef to decode it.

Apply From Base64 directly.

The decoded values run together into one string. From Base64 strips non-alphabet characters, including the newlines between the tokens, and decodes the whole input as a single stream, so a separator has to be put back.

Follow it with Find / Replace: search for admin: and replace it with \nadmin:, so each credential starts on its own line. Alternatively, put a Fork operation in front of From Base64 so that each input line is decoded on its own.

What comes out is the password list used for the brute-force attempt against /admin: every decoded value is admin: followed by a dictionary word. To tell whether any guess succeeded, look at the server's responses rather than the requests: a successful Basic login is answered with a 200 instead of the 401 Authorization Required seen above.
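The extraction pipeline (grep -E ^Authorization | sort | uniq | awk) and the decoding step above, done end to end in the shell instead of CyberChef, as an added example that is not part of the original post. The input is a constructed fragment in the shape of tcpdump -n -A output: it reuses the post's addresses and three of its tokens, adds a retransmitted duplicate, includes the server's 401 lines that a bare grep Authorization would also match, and adds one constructed 200 OK response (there is none in the post's visible output) to show how a successful guess would stand out. It assumes GNU coreutils base64 -d, as on Kali.

```shell
#!/bin/sh
# Added example, not from the original post. DUMP is a constructed
# stand-in for "tcpdump -n -A -r p.pcap" output: the post's addresses
# and tokens, a duplicated header (retransmission), the server's 401
# lines, and one made-up 200 OK to show what a successful guess looks like.
# Assumes GNU coreutils (base64 -d), as on Kali.
DUMP='08:51:20.800917 IP 208.68.234.99.60509 > 172.16.40.10.81: Flags [P.], seq 1:118, ack 1, win 115, length 117
E..<..@.9....D.c..(.....A..GET //admin HTTP/1.1
Host: admin.megacorpone.com:81
Authorization: Basic YWRtaW46ZXRoaWNz

08:51:20.801205 IP 172.16.40.10.81 > 208.68.234.99.60509: Flags [P.], seq 1:401, ack 118, win 114, length 400
.A......HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="Restricted"
<title>401 Authorization Required</title>
<h1>Authorization Required</h1>
08:51:20.811500 IP 208.68.234.99.60510 > 172.16.40.10.81: Flags [P.], seq 1:126, ack 1, win 115, length 125
E..<..@.9....D.c..(.....A..GET //admin HTTP/1.1
Host: admin.megacorpone.com:81
Authorization: Basic YWRtaW46ZXZlcnl0aGluZw==

08:51:20.811900 IP 208.68.234.99.60510 > 172.16.40.10.81: Flags [P.], seq 1:126, ack 1, win 115, length 125
E..<..@.9....D.c..(.....A..GET //admin HTTP/1.1
Host: admin.megacorpone.com:81
Authorization: Basic YWRtaW46ZXZlcnl0aGluZw==

08:51:20.812300 IP 172.16.40.10.81 > 208.68.234.99.60510: Flags [P.], seq 1:401, ack 126, win 114, length 400
.A......HTTP/1.1 401 Authorization Required
<title>401 Authorization Required</title>
08:51:20.820000 IP 208.68.234.99.60511 > 172.16.40.10.81: Flags [P.], seq 1:122, ack 1, win 115, length 121
E..<..@.9....D.c..(.....A..GET //admin HTTP/1.1
Host: admin.megacorpone.com:81
Authorization: Basic YWRtaW46TWVnYUNvcnA=

08:51:20.820400 IP 172.16.40.10.81 > 208.68.234.99.60511: Flags [P.], seq 1:180, ack 122, win 114, length 179
.A......HTTP/1.1 200 OK
Content-Type: text/html
'

# The post's pipeline. ^ keeps only lines that START with the request
# header, so ".A......HTTP/1.1 401 Authorization Required" and the HTML
# lines are skipped. tr drops a CR in case the CRLF survives in the
# output; LC_ALL=C makes the sort order byte-wise and reproducible.
auth_tokens() {
    grep -E '^Authorization: Basic ' | tr -d '\r' | awk '{print $3}' | LC_ALL=C sort | uniq
}

# Decode one token per line. Feeding the whole list to a single decoder
# (what From Base64 does once the newlines are stripped) glues every
# plaintext into one string; decoding line by line keeps them apart.
decode_each() {
    while IFS= read -r tok; do
        [ -n "$tok" ] || continue
        if dec=$(printf '%s\n' "$tok" | base64 -d 2>/dev/null); then
            printf '%s\n' "$dec"
        else
            printf 'skipping invalid base64: %s\n' "$tok" >&2
        fi
    done
}

# user<TAB>password, split on the FIRST colon only: passwords may
# themselves contain colons, user names may not.
creds() {
    auth_tokens | decode_each | awk -F: '{ user = $1; sub(/^[^:]*:/, ""); print user "\t" $0 }'
}

# Tally response status lines. In -A output the status line is glued to
# the packet's leading bytes, so it is not at line start: match it
# anywhere and cut out just "HTTP/1.x NNN" with -o instead of using ^.
status_counts() {
    grep -oE 'HTTP/1\.[01] [0-9]{3}' | sort | uniq -c | sort -rn
}

printf '%s' "$DUMP" | creds
printf '%s' "$DUMP" | status_counts
```

Run it as-is to see the three distinct credentials one per line and the 401/200 tally; replace the two printf lines with tcpdump -n -A -r p.pcap | creds and tcpdump -n -A -r p.pcap | status_counts to run against the real capture. A single 200 among thousands of 401s is the quickest sign that one of the guesses worked, and because the tokens are sorted the matching credential is found by pairing the request that preceded it in the stream.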
