MISC: HTTP traffic analysis technology.

Misc stands for miscellaneous. Information hiding, also called information camouflage, hides sensitive information by reducing some redundancy of the carrier (spatial redundancy, data redundancy and so on) for a particular purpose.
Information hiding breaks out of the thinking of traditional cryptography and looks at information security from a new angle. Compared with traditional encryption, information hiding is more covert. The two techniques can be combined: the secret information is first encrypted and preprocessed and only then hidden, which gives better confidentiality and imperceptibility.


Table of contents:

MISC: HTTP traffic analysis technology.

What is traffic analysis:

HTTP protocol three-way handshake:

Basic usage of Wireshark:

(1) Packet filtering: 

(2) Packet search:

(3) Packet restoration:

(4) Data extraction:

Practical case:

(1) A company's intranet network has been infiltrated by hackers. Please analyze the traffic and give the scanner used by the hackers.

(2) A company's intranet network has been infiltrated by hackers. Please analyze the traffic, and the login background scanned by the hacker is

(3) A company's intranet network has been infiltrated by hackers. Please analyze the traffic to find out what account and password the hacker used to log in to the web background

(4) A company's intranet network has been infiltrated by hackers. Please analyze the traffic to get the name and content of the webshell file uploaded by the hacker, and submit the content of the webshell.

(5) A company's intranet network has been infiltrated by hackers, please analyze the traffic, what is the flag that the hacker found in robots.txt.

(6) A company's intranet network has been infiltrated by hackers. Please analyze the traffic and find out what the database password was found by the hackers.

(7) A company's intranet network has been infiltrated by hackers, please analyze the traffic, and what is the hash_code that the hacker found in the database.

(8) A company's intranet network has been infiltrated by hackers. Please analyze the traffic. What is the password obtained by hackers who cracked the account [email protected]?

(9) The internal network of a company has been infiltrated by hackers. Please analyze the traffic, the web server attacked by hackers, what is the network card configuration, and submit the internal network ip of the network card.

(10) A company's intranet network has been infiltrated by hackers, please analyze the traffic, what account the hacker used to log in to the mail system 

(11) The internal network of a company has been infiltrated by hackers, please analyze the traffic, and what is the IP of the VPN obtained by the hackers.

(12) Common techniques in Wireshark.


What is traffic analysis:

In CTF you are usually given capture files with the pcapng or pcap suffix. Different captures carry different protocols; the common ones are HTTP and TCP, although many protocols come up in CTF. We need to analyze such files, extract the data and finally find our answer, the flag.


HTTP protocol three-way handshake:

Simple understanding (three-way handshake): it is the process of establishing a connection. When the client initiates a connection to the server: ask whether the server agrees to connect (SYN packet),
agree to connect (SYN+ACK packet), establish the connection (ACK packet).
First handshake: to establish the connection, the client sends a SYN packet (syn=j) to the server, enters the SYN_SEND (connection requested) state and waits for the server's confirmation.

Second handshake: the server receives the SYN packet and must acknowledge the client's SYN (ack=j+1); at the same time it sends a SYN packet of its own (syn=k),
i.e. the SYN+ACK packet. The server now enters the SYN_RECV state.

Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgement packet ACK (ack=k+1) to the server. Once this packet is sent, client and
server enter the ESTABLISHED state (TCP connection succeeded) and the three-way handshake is complete. After the three-way handshake, client and server start transferring data.
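The sequence/acknowledgement relationship described above (syn=j, ack=j+1, syn=k, ack=k+1) is easy to get wrong when reading a capture by hand. The following is an added example, not code from the original notes: it checks a constructed list of three segments against exactly those rules and reports the state reached. The Segment layout and the sample addresses are assumptions of the example.

```python
# Added example (not from the original post): a minimal checker for the TCP
# three-way handshake. It walks a constructed list of segments and verifies
# the syn=j / ack=j+1 / syn=k / ack=k+1 relationship plus the direction of
# each packet, recording the state transitions as it goes.
from dataclasses import dataclass

@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str  # "S" = SYN, "SA" = SYN+ACK, "A" = ACK

def check_handshake(segments):
    """Return (ok, states): states is the list of states reached in order,
    ok is True only if the first three segments form a valid handshake."""
    states = []
    if len(segments) < 3:
        return False, states
    syn, synack, ack = segments[:3]
    # 1st: client -> server, SYN carrying seq=j
    if syn.flags != "S":
        return False, states
    client, server, j = syn.src, syn.dst, syn.seq
    states.append("SYN_SENT")          # the notes call this state SYN_SEND
    # 2nd: server -> client, SYN+ACK with ack=j+1 and its own seq=k
    if not (synack.flags == "SA" and synack.src == server and synack.dst == client
            and synack.ack == j + 1):
        return False, states
    k = synack.seq
    states.append("SYN_RECV")
    # 3rd: client -> server, ACK with ack=k+1 (and seq=j+1, since the SYN used one number)
    if not (ack.flags == "A" and ack.src == client and ack.dst == server
            and ack.ack == k + 1 and ack.seq == j + 1):
        return False, states
    states.append("ESTABLISHED")
    return True, states

# Constructed sample handshake (addresses and sequence numbers chosen for the example)
GOOD = [
    Segment("192.168.1.10", "10.0.0.5", seq=1000, ack=0, flags="S"),
    Segment("10.0.0.5", "192.168.1.10", seq=5000, ack=1001, flags="SA"),
    Segment("192.168.1.10", "10.0.0.5", seq=1001, ack=5001, flags="A"),
]
# Constructed broken handshake: the server acknowledges j instead of j+1
BAD = [GOOD[0], Segment("10.0.0.5", "192.168.1.10", seq=5000, ack=1000, flags="SA"), GOOD[2]]

if __name__ == "__main__":
    print(check_handshake(GOOD))   # (True, ['SYN_SENT', 'SYN_RECV', 'ESTABLISHED'])
    print(check_handshake(BAD))    # (False, ['SYN_SENT'])
```

When reading a real capture, the same three checks map onto the Seq and Ack columns Wireshark shows with relative sequence numbers enabled, where j and k both appear as 0 and the acknowledgements as 1.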


Basic usage of Wireshark:

Basic use of Wireshark falls into four parts: packet filtering, packet search, packet restoration and data extraction.

(1) Packet filtering: 

Packet filtering is Wireshark's core feature: you may need to filter out a particular protocol such as HTTP or Telnet, or filter on IP addresses, ports and so on. Multiple rules can be joined with && and ||.
#IP filtering:
ip.src == address         #source IP filter
ip.dst == address         #destination IP filter
ip.addr == address        #IP filter (source or destination)
#MAC address filtering:
eth.dst == A0:00:00:04:C5:84         #destination MAC filter
eth.addr == 20:89:84:32:73:c5        #MAC filter (source or destination)
#Port filtering:
tcp.dstport == 80        #TCP packets whose destination port is 80
tcp.srcport == 80        #TCP packets whose source port is 80
udp.srcport == 80        #UDP packets whose source port is 80
#Protocol filtering:
tcp         #packets whose protocol is TCP
udp         #packets whose protocol is UDP
arp/icmp/http/ftp/dns/ip     #packets whose protocol is arp/icmp/http/ftp/dns/ip
                         #prefix a protocol with ! or not to exclude it: not arp or !arp
#Packet length filtering:

udp.length == 20     #UDP packets of length 20; this length is the fixed 8-byte UDP header plus the data carried below it

tcp.len >= 20     #TCP packets whose payload length is 20 or more; this counts only the data carried below the TCP header, not the TCP header itself

ip.len == 20    #IP packets of length 20; everything apart from the fixed 14-byte Ethernet header counts, i.e. from the IP header to the end of the packet

frame.len == 20     #whole frames of length 20; the entire packet from the Ethernet header to the end
#HTTP request filtering:
GET: http.request.method=="GET"  #HTTP requests whose method is GET

POST: http.request.method=="POST"    #HTTP requests whose method is POST

URI: http.request.uri=="/img/1.gif"    #HTTP requests whose URI is /img/1.gif

http contains "FLAG"   #HTTP packets whose content contains FLAG (the request or response carries that specific string); contains is case-sensitive, so a lower-case flag needs its own filter
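The four length fields above (frame.len, ip.len, tcp.len, udp.length) each start at a different header, which is the usual source of confusion when a length filter matches nothing. The following is an added example, not code from the original notes: it constructs an Ethernet/IPv4/TCP frame and an Ethernet/IPv4/UDP frame, wraps them in a classic little-endian pcap file in memory, parses that file back and computes the same four values a Wireshark filter would see. The MAC addresses are the ones used in the filters above; the IP addresses, ports and payloads are constructed for the example, and checksums are left as zero since nothing here verifies them.

```python
# Added example (not from the original post): build constructed frames, write a
# classic libpcap file in memory, parse it and derive frame.len / ip.len /
# tcp.len / udp.length exactly as the length filters above define them.
import struct

def ipv4_header(proto, payload_len, src="192.168.1.10", dst="10.0.0.5"):
    """20-byte IPv4 header with no options; total length = 20 + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def tcp_segment(payload, sport=40000, dport=80):
    """20-byte TCP header (data offset 5 words, PSH+ACK) followed by the payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def udp_datagram(payload, sport=40000, dport=53):
    """8-byte UDP header whose length field already includes itself."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# dst MAC, src MAC (both from the filters above), EtherType 0x0800 = IPv4
ETH = bytes.fromhex("a0000004c584") + bytes.fromhex("20898432 73c5".replace(" ", "")) + b"\x08\x00"

def build_pcap(frames):
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), then one
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Return one dict per record holding the filter-field lengths found in it."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled in this example")
    off, results = 24, []
    while off < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        rec = {"frame.len": len(frame)}            # whole frame, Ethernet header included
        if frame[12:14] == b"\x08\x00":            # IPv4 follows the 14-byte Ethernet header
            ihl = (frame[14] & 0x0F) * 4
            rec["ip.len"] = struct.unpack("!H", frame[16:18])[0]   # IP header to end
            proto = frame[23]
            l4 = frame[14 + ihl:14 + rec["ip.len"]]
            if proto == 6:                         # TCP: payload only
                data_offset = (l4[12] >> 4) * 4
                rec["tcp.len"] = len(l4) - data_offset
            elif proto == 17:                      # UDP: header (8) + payload
                rec["udp.length"] = struct.unpack("!H", l4[4:6])[0]
        results.append(rec)
    return results

def sample_records():
    """Constructed capture: one HTTP GET over TCP and one 12-byte UDP datagram."""
    http = b"GET /img/1.gif HTTP/1.1\r\nHost: x\r\n\r\n"   # 36 bytes
    tcp = tcp_segment(http)
    dns = udp_datagram(b"\x00" * 12)
    frames = [ETH + ipv4_header(6, len(tcp)) + tcp,
              ETH + ipv4_header(17, len(dns)) + dns]
    return parse_pcap(build_pcap(frames))

if __name__ == "__main__":
    for rec in sample_records():
        print(rec)
```

For the TCP frame the numbers come out as frame.len 90 = 14 + ip.len 76 = 14 + 20 + 20 + tcp.len 36; for the UDP frame udp.length 20 = 8 + 12, so a filter like udp.length == 20 matches it while frame.len == 20 does not.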


(2) Packet search:

In the Wireshark window press Ctrl+F, or click the magnifying-glass icon, to search by keyword.

Wireshark's search supports regular expressions, strings, hexadecimal values and other modes; usually you search directly in string mode.


(3) Packet restoration:

Wireshark has a Follow Stream feature that gathers the HTTP or TCP traffic of one conversation together and restores it to the original data. To use it, select the packet you want to restore, right-click it and choose Follow --> TCP Stream / UDP Stream / SSL Stream / HTTP Stream.


(4) Data extraction:

Wireshark can extract the content of files transferred (uploaded/downloaded) over HTTP, as follows:
select the HTTP file-transfer packet, find the Data or Line-based text data: text/html layer in the packet details,
right-click it and choose Export Packet Bytes.
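Follow Stream and Export Packet Bytes do two jobs that are worth understanding separately: putting the TCP segments of one direction back in sequence order (dropping retransmissions and noticing gaps), and then cutting the HTTP body out of the reassembled bytes. The following is an added example, not code from the original notes, that does both on a constructed HTTP response delivered as out-of-order segments with one retransmission; the segment layout and the sample response are assumptions of the example.

```python
# Added example (not from the original post): reassemble one direction of a
# TCP stream from constructed, out-of-order segments (what Follow TCP Stream
# does for you) and then cut the HTTP response body out of it, which is the
# equivalent of Export Packet Bytes on the Data layer.
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def reassemble(segments):
    """Order segments by sequence number, drop retransmitted bytes and record
    gaps. Returns (data, gaps) with each gap as (expected_seq, seq_actually_seen)."""
    ordered = sorted(segments, key=lambda s: s.seq)
    data, gaps, nxt = bytearray(), [], None
    for seg in ordered:
        if nxt is None:
            nxt = seg.seq
        if seg.seq + len(seg.payload) <= nxt:
            continue                          # full retransmission, already have it
        if seg.seq > nxt:
            gaps.append((nxt, seg.seq))       # bytes missing from the capture
            nxt = seg.seq
        data += seg.payload[nxt - seg.seq:]   # skip any overlapping prefix
        nxt = seg.seq + len(seg.payload)
    return bytes(data), gaps

def extract_http_body(stream):
    """Split the first HTTP response in the stream into (status line, headers, body),
    honouring Content-Length when present so trailing bytes are not mistaken for the file."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    body = rest[:int(headers["content-length"])] if "content-length" in headers else rest
    return lines[0].decode(), headers, body

# Constructed response (a robots.txt, as in the practical cases) split into
# three segments, delivered out of order, with the middle one retransmitted.
BODY = b"User-agent: *\nDisallow: /admin/\n# flag{constructed_example}\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY)
SEGMENTS = [
    Segment(1040, RESPONSE[40:70]),
    Segment(1000, RESPONSE[:40]),
    Segment(1070, RESPONSE[70:]),
    Segment(1040, RESPONSE[40:70]),   # duplicate of the second segment
]

def follow_stream(segments=SEGMENTS):
    """Reassemble and parse; returns (status, headers, body, gaps)."""
    stream, gaps = reassemble(segments)
    status, headers, body = extract_http_body(stream)
    return status, headers, body, gaps

if __name__ == "__main__":
    status, headers, body, gaps = follow_stream()
    print(status, headers, gaps)
    print(body.decode())
```

The gaps list is the part Wireshark shows as "TCP Previous segment not captured": if it is non-empty, an exported file will be truncated or corrupted, which is worth knowing before spending time on a broken image.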

Practical case:

(1) A company's intranet network has been infiltrated by hackers. Please analyze the traffic and give the scanner used by the hackers.

Approach:

Common web scanners include Awvs, Netsparker, Appscan, Webinspect, Rsas (NSFOCUS Aurora), Nessus,
WebReaver, Sqlmap and so on. To identify which scanner the attacker used, filter on the scanner's fingerprint in Wireshark.
//Reference for common scanner fingerprints: https://www.77169.net/html/259708.html

You can filter with http contains "scanner fingerprint", or search the packet bytes directly.


(2) A company's intranet network has been infiltrated by hackers. Please analyze the traffic and get the login background scanned by the hacker (relative path is enough)

Approach:
If the hacker scanned the backend, they will certainly try a large number of usernames and passwords, and those attempts are sent with POST.

http.request.method =="POST"


(3) A company's intranet network has been infiltrated by hackers. Please analyze the traffic to find out what account and password the hacker used to log in to the web background, in the form: username / password

Approach:
From question (2) we know the backend login page is /admin/login.php?rec=login and that there is a 302 redirect, so we can determine
the account and password the hacker logged in with. But there are several 302 redirects, each with different credentials.

Here we refine the filter to pin down the hacker's IP address:

http.request.method =="POST" && http contains "rec=login" && ip.src == 192.168.94.59

Then sort by time; the last one is the account and password the hacker used:

admin/admin!@#pass123
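The filter in question (3) combines three kinds of condition (a dissected field compared with ==, a protocol searched with contains, and a source IP) joined with &&. The following is an added example, not code from the original notes: a small evaluator for the subset of Wireshark display-filter syntax used on this page (field == value, field contains "text", !, &&, || and parentheses), run over constructed HTTP request records and then applied exactly as the walkthrough does: filter, sort by time, take the last hit. The record layout, the sample traffic and the credentials in it are assumptions of the example; Wireshark's real filter language is much richer.

```python
# Added example (not from the original post): evaluate a subset of Wireshark
# display-filter syntax over constructed packet records, then apply the
# filter from question (3) and take the last match in time order.
import re

TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||!|==|contains|"[^"]*"|[^\s()!&|="]+)')

def tokenize(expr):
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad filter near %r" % expr[pos:])
        toks.append(m.group(1))
        pos = m.end()
    return toks

class Parser:
    """Recursive descent; ! binds tightest, then &&, then ||."""
    def __init__(self, toks):
        self.toks, self.i = toks, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "||":
            self.take()
            left = ("or", left, self.and_expr())
        return left
    def and_expr(self):
        left = self.unary()
        while self.peek() == "&&":
            self.take()
            left = ("and", left, self.unary())
        return left
    def unary(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        name = self.take()
        if self.peek() in ("==", "contains"):
            return (self.take(), name, self.take().strip('"'))
        return ("proto", name)                 # bare protocol name such as tcp or http

def evaluate(node, rec):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], rec) or evaluate(node[2], rec)
    if kind == "and":
        return evaluate(node[1], rec) and evaluate(node[2], rec)
    if kind == "not":
        return not evaluate(node[1], rec)
    if kind == "proto":
        return node[1] in rec["protocols"]
    _, name, value = node
    if name in rec["protocols"]:               # http contains "x": search the raw payload
        hay = rec["payload"]
    elif name in rec["fields"]:
        hay = rec["fields"][name]
    else:
        return False                           # field not present in this packet
    if kind == "==":
        return hay == value
    return value.encode() in hay if isinstance(hay, bytes) else value in hay  # case-sensitive

def apply_filter(expr, records):
    parser = Parser(tokenize(expr))
    tree = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError("unexpected token %r" % parser.peek())
    return [r for r in records if evaluate(tree, r)]

def http_req(t, src, method, uri, body=""):
    # Constructed record: capture time, protocol set, dissected fields, raw bytes
    return {"time": t, "protocols": {"ip", "tcp", "http"},
            "fields": {"ip.src": src, "http.request.method": method, "http.request.uri": uri},
            "payload": ("%s %s HTTP/1.1\r\n\r\n%s" % (method, uri, body)).encode()}

# Constructed capture: two hosts trying the backend login plus one unrelated GET
RECORDS = [
    http_req(1.0, "192.168.94.59", "POST", "/admin/login.php?rec=login", "user=admin&pass=try1"),
    http_req(1.5, "192.168.94.12", "POST", "/admin/login.php?rec=login", "user=admin&pass=other"),
    http_req(2.5, "192.168.94.59", "GET", "/index.php"),
    http_req(3.0, "192.168.94.59", "POST", "/admin/login.php?rec=login", "user=admin&pass=try3"),
]
FILTER = 'http.request.method == "POST" && http contains "rec=login" && ip.src == 192.168.94.59'

def last_login_attempt(records=RECORDS, expr=FILTER):
    """Apply the filter, sort by time and return the body of the last matching POST."""
    hits = sorted(apply_filter(expr, records), key=lambda r: r["time"])
    return hits[-1]["payload"].split(b"\r\n\r\n", 1)[1].decode() if hits else None
```

Taking the last POST in time order only identifies the successful login if the attacker stopped after succeeding; in a real capture, confirm it by checking that the response to that request is the 302 redirect the walkthrough mentions and that the following requests from the same IP carry the session.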

(4) A company's intranet network has been infiltrated by hackers. Please analyze the traffic to get the name and content of the webshell file uploaded by the hacker, and submit the content of the webshell.

Approach: generally a webshell is a one-line trojan, so search for it directly:

http contains "<?php @eval"


(5) A company's intranet network has been infiltrated by hackers, please analyze the traffic, what is the flag that the hacker found in robots.txt.

Approach: search for robots.txt directly, then follow the stream.


(6) A company's intranet network has been infiltrated by hackers. Please analyze the traffic and find out what the database password was found by the hackers.

Approach:
Finding the database password involves three keywords: mysql, database and password. Query with these keywords.

http contains "database"

But that still leaves too much data, so filter further with the status code. The hacker was able to obtain the MySQL database password, which means
the server returned the requested file normally, i.e. status code 200.

http contains "database" && http.response.code==200

Only one packet is left; just follow the stream.


(7) A company's intranet network has been infiltrated by hackers, please analyze the traffic, and what is the hash_code that the hacker found in the database.

Approach:
From the previous question we know the database host is 10.3.3.101, so first look at what data involves this IP:

$dbhost ="10.3.3.101"

Here open webtwo.pcap and search directly:

ip.src==10.3.3.101

At the same time search for hash_code.


(8) A company's intranet network has been infiltrated by hackers. Please analyze the traffic. What is the password obtained by hackers who cracked the account [email protected]?

Approach:
In the capture webtwo.pcap, search the packet details and the password can be found.


(9) The internal network of a company has been infiltrated by hackers. Please analyze the traffic, the web server attacked by hackers, what is the network card configuration, and submit the internal network ip of the network card.

Approach:
Go back to the capture webone.pcap. This question asks about the NIC configuration, and a NIC is usually named eth0, so
query with this keyword:

tcp contains "eth0"

Follow the TCP stream and the NIC configuration shows up.


(10) A company's intranet network has been infiltrated by hackers, please analyze the traffic, what account the hacker used to log in to the mail system (Form: username/password)

Approach:
This question needs the two captures mailtwo.pcap and mailtwo1.pcap looked at together. First open mailtwo.pcap;
in the third packet there is a login_name=wenwenni field, together with action=logout.

Continue reading downward: the next mail-system packet is No. 28, and then the login page appears again in packet No. 35.


(11) The internal network of a company has been infiltrated by hackers, please analyze the traffic, and what is the IP of the VPN obtained by the hackers.

Approach:
Under Statistics --> IPv4 Statistics --> All Addresses, find the IP that appears the most times.


(12) Common techniques in Wireshark.

1. Take the capture, load it in Wireshark and export the HTTP traffic (if there is HTTP, the challenge is usually about HTTP traffic).

Export: File ==> Export Objects ==> HTTP

On the command line change to the exported directory and run (this carves out the files):

foremost *


Link to study notes: 5-Traffic Analysis Technology_哔哩哔哩_bilibili

Origin blog.csdn.net/weixin_54977781/article/details/130672946