CTF Misc(3) traffic analysis basics and principles

Preface

Traffic analysis is also a common topic in CTF competitions. Participants usually receive a data set of network data packets, which record the content and details of network communications. The contestant's task is to analyze these packets and identify useful information such as login credentials, encryption algorithms, vulnerability exploits, etc.

Tool installation

Wireshark is an open source network packet analysis tool used to capture, analyze and visualize network traffic. It's available on multiple platforms, including Windows, Mac and Linux, tool download address

https://www.wireshark.org/download.html

Just install it by default

Tool introduction

View the list of captured packets

Demo traffic package:

https://anonfiles.com/laS2l3v2zd/Alpha_1_pcapng

Visit the website to download

This is the file format of the traffic package

.pcapng

After installing wireshark, double-click to open this file

The top column is the taskbar, the bottom is the search box, and the bottom is the detailed information of the data packet and the data of the data packet.

Common filter commands and syntax

Protocol filter:

tcp：显示所有TCP协议的数据包
udp：显示所有UDP协议的数据包
http：显示所有HTTP协议的数据包
dns：显示所有DNS协议的数据包
icmp：显示所有ICMP协议的数据包

Enter http in the search box to see all http traffic. The same applies to others.

IP address filtering:

ip.addr == 192.168.0.1：显示与指定IP地址相关的所有数据包
src host 192.168.0.1：显示源IP地址为指定地址的数据包
dst host 192.168.0.1：显示目标IP地址为指定地址的数据包

Here we filter the data packets related to 192.168.1.25ip

After filtering, it is all about the packet traffic of this IP.

Port filtering:

tcp.port ==  80：显示使用指定TCP端口的数据包
udp.port == 53：显示使用指定UDP端口的数据包
port 80：显示源或目标端口为指定端口的数据包

Filter tcp port 80 traffic

Logical Operators:

and：使用AND逻辑运算符连接多个条件，例如 tcp and ip.addr == 192.168.0.1
or：使用OR逻辑运算符连接多个条件，例如 tcp or udp
not：使用NOT逻辑运算符排除满足条件的数据包，例如 not tcp

Filter tcp traffic and traffic packets with ip address 192.168.1.5 tcp and ip.addr == 192.168.1.5

Comparison operators:

==：等于，例如 http.request.method == "POST"
!=：不等于，例如 ip.addr != 192.168.0.1
<、>：小于、大于，例如 tcp.len > 100

Filter http post request traffic package http.request.method == "POST"

Complex filtering:

使用括号 () 来组合多个条件，例如 (tcp and port 80) or (udp and port 53)
使用复合条件进行筛选，例如 (tcp.flags.syn == 1 or tcp.flags.ack == 1) and ip.addr == 192.168.0.1

HTTP traffic analysis

Demo traffic package:

https://anonfiles.com/laS2l3v2zd/Alpha_1_pcapng

Visit the website to download

Click on the protocol classification to see the traffic of all protocols in this traffic package.

There are udp traffic, ipv4 traffic, tcp traffic, and http traffic. We select http traffic data, right-click and select

You can see all http traffic in this traffic package

We randomly select a package and track its http traffic to view detailed data

Below, you can clearly see the SQL injection traffic

After that, he uploaded his own php one-sentence Trojan and connected to execute the command

Right click to track this traffic package

This one-sentence Trojan encrypts the execution content and uses base64 encoding. We copy the encrypted parameters and enter the website to decrypt.

https://base64.us/

He queried the files in the C:\phpStudy\WWW\ directory, and we can see the echo

Click Return in the lower right corner to continue tracking traffic packages

In the last one-sentence Trojan traffic, you can see that it exported a file called flag.zip

Since the file is not encrypted, we can also see the contents of flag.txt

The text in the flag.txt file is:

DPS

DNS traffic analysis

Question download address:

https://anonfiles.com/S5Fc91v3za/capture_pcap

Open the traffic package and you can see that it is all DNS traffic. Use the strings tool to find a lot of hexadecimal data.

Let's export these hexadecimal values

tshark -r capture.pcap -T fields -e dns.qry.name > a.txt

Use a text editor to remove the .pumpkincorp.com characters

Then use the uniq tool to remove duplicate strings

cat a.txt| uniq > b.txt

Convert hexadecimal to ascii code and you can find that this is an Excel file

https://gchq.github.io/CyberChef/

You can see the flag text

Keyboard traffic analysis

The most common USB keyboard traffic package is as shown below

The protocol is USB, and the keyboard data is stored in usbhid.data, where 0c corresponds to the i character

We extract the usbhid.data data in the traffic package, and then match it with the characters one by one. Here I developed a script that can directly extract and convert the USB keyboard traffic data.

https://github.com/baimao-box/KeyboardTraffic

Summarize

In this article, I just showed some basics of traffic analysis. If you want to become a big boss, you need to answer more questions.