Preface
Traffic analysis is also a common topic in CTF competitions. Participants usually receive a capture file of network packets, which records the content and details of the network communications. The contestant's task is to analyze these packets and identify useful information such as login credentials, encryption algorithms, exploit attempts, and so on.
Tool installation
Wireshark is an open source network packet analysis tool used to capture, analyze and visualize network traffic. It is available on multiple platforms, including Windows, macOS and Linux. Download it from
https://www.wireshark.org/download.html
and install it with the default options.
Tool introduction
View the list of captured packets
Demo traffic package:
https://anonfiles.com/laS2l3v2zd/Alpha_1_pcapng
Visit the website to download
The capture is a .pcapng file. After installing Wireshark, double-click the file to open it.
At the top is the menu and toolbar, below it is the display filter box, and beneath that are the packet list, the packet details pane and the raw packet bytes.
Common filter commands and syntax
Protocol filter:
tcp: show all TCP packets
udp: show all UDP packets
http: show all HTTP packets
dns: show all DNS packets
icmp: show all ICMP packets
Enter http in the display filter box to see only HTTP traffic. The other protocol names work the same way.
IP address filtering:
ip.addr == 192.168.0.1: show all packets to or from the given IP address
src host 192.168.0.1: show packets whose source IP is the given address
dst host 192.168.0.1: show packets whose destination IP is the given address
Note that src host / dst host are capture-filter (BPF) syntax; in the display filter box the equivalents are ip.src == 192.168.0.1 and ip.dst == 192.168.0.1.
Here we filter the packets related to the IP address 192.168.1.25.
After filtering, only the traffic of this IP remains.
Port filtering:
tcp.port == 80: show packets using the given TCP port
udp.port == 53: show packets using the given UDP port
port 80: show packets whose source or destination port is the given port (capture-filter syntax; in a display filter tcp.port == 80 already matches both directions)
Filter TCP port 80 traffic
Logical Operators:
and: joins several conditions with AND, e.g. tcp and ip.addr == 192.168.0.1
or: joins several conditions with OR, e.g. tcp or udp
not: excludes packets that match a condition, e.g. not tcp
Filter TCP traffic to or from 192.168.1.5: tcp and ip.addr == 192.168.1.5
Comparison operators:
==: equals, e.g. http.request.method == "POST"
!=: not equal, e.g. ip.addr != 192.168.0.1
<, >: less than, greater than, e.g. tcp.len > 100
Be careful with ip.addr != 192.168.0.1: ip.addr matches either the source or the destination, so this still shows packets where only one side is 192.168.0.1. To exclude that host entirely use !(ip.addr == 192.168.0.1).
Filter HTTP POST requests: http.request.method == "POST"
Complex filtering:
Use parentheses () to combine multiple conditions, e.g. (tcp and port 80) or (udp and port 53) in capture-filter syntax, or (tcp.port == 80) or (udp.port == 53) as a display filter
Use compound conditions for filtering, e.g. (tcp.flags.syn == 1 or tcp.flags.ack == 1) and ip.addr == 192.168.0.1
HTTP traffic analysis
Demo traffic package:
https://anonfiles.com/laS2l3v2zd/Alpha_1_pcapng
Visit the website to download
Open the Protocol Hierarchy to see the traffic of every protocol in this capture.
There is UDP, IPv4, TCP and HTTP traffic. We select the HTTP row, right-click it and apply it as a filter.
You can now see all HTTP traffic in this capture.
We pick any packet and follow its HTTP stream to view the full exchange.
In the stream below you can clearly see the SQL injection traffic.
After that, the attacker uploaded a PHP one-line webshell ("one-sentence Trojan") and connected to it to execute commands.
Right-click the packet and follow this stream.
This webshell base64-encodes the command it executes (base64 is an encoding, not encryption). We copy the encoded parameter and decode it on the website below.
https://base64.us/
The attacker listed the files in the C:\phpStudy\WWW\ directory, and we can see the output echoed back.
Click Back in the lower right corner to continue following the streams.
In the last webshell stream you can see that a file called flag.zip was exported.
Since the archive is not encrypted, we can also read the contents of flag.txt.
The text in the flag.txt file is:
DPS
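Decoding the webshell's base64 parameter can also be done offline instead of pasting it into a website. The following is an added example and not part of the original write-up; it parses one POST request as it appears in Wireshark's Follow Stream view and base64-decodes every form field that decodes cleanly. The request text, the parameter name cmd and the host address are constructed for the example and are not from the Alpha_1 capture.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample: one HTTP POST request copied from a Follow Stream view.
# The cmd value is base64 for "dir C:\phpStudy\WWW\"; token is an ordinary value.
SAMPLE_STREAM = (
    "POST /upload/shell.php HTTP/1.1\r\n"
    "Host: 192.168.1.25\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
    "cmd=ZGlyIEM6XHBocFN0dWR5XFdXV1w=&token=abc123"
)


def split_request(raw: str):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def try_base64(value: str):
    """Return the decoded text if value is valid base64 for printable text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def decode_post_params(raw_request: str):
    """Map every form field of a POST body to its base64-decoded text (None if not base64)."""
    request_line, headers, body = split_request(raw_request)
    if not request_line.startswith("POST "):
        return {}
    # parse_qs also undoes URL encoding, so a %2B in the body becomes the '+'
    # that base64 needs before we try to decode it.
    params = parse_qs(body, keep_blank_values=True)
    decoded = {}
    for name, values in params.items():
        for value in values:
            decoded[name] = try_base64(value)
    return decoded


if __name__ == "__main__":
    for name, text in decode_post_params(SAMPLE_STREAM).items():
        print(f"{name}: {text!r}")
```

When a webshell wraps the command in a second layer (for example base64 inside a URL-encoded parameter, or a reversed string), run the same decoder on each field until the output reads as a shell command; the decoded text is what the attacker actually executed, and the response body in the same stream is its output.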
DNS traffic analysis
Question download address:
https://anonfiles.com/S5Fc91v3za/capture_pcap
Open the capture and you can see that it is all DNS traffic. Running the strings tool over it reveals a lot of hexadecimal data in the query names.
Let's export these hexadecimal values:
tshark -r capture.pcap -T fields -e dns.qry.name > a.txt
Use a text editor to remove the .pumpkincorp.com suffix from every line.
Then use uniq to drop the repeated query names (uniq only removes adjacent duplicate lines, so do not sort the file first or the chunk order is lost):
cat a.txt | uniq > b.txt
Convert the hexadecimal to ASCII (for example with the From Hex operation in CyberChef) and you will find that this is an Excel file.
https://gchq.github.io/CyberChef/
Open the recovered file and you can see the flag text.
Keyboard traffic analysis
A typical USB keyboard capture looks like the one shown below.
The protocol is USB, and the keyboard data is carried in the usbhid.data field. Each report is eight bytes: a modifier byte (Shift, Ctrl, Alt), a reserved byte and up to six key usage codes; a usage code of 0x0c corresponds to the character i.
We extract the usbhid.data values from the capture and then map them to characters one by one. I have written a script that extracts and converts USB keyboard traffic directly:
https://github.com/baimao-box/KeyboardTraffic
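As an added illustration of what such a decoder has to handle (this is my own example, not the KeyboardTraffic script linked above), the block below turns a list of usbhid.data values into typed text. It reads the Shift bit from the modifier byte, applies Backspace, and only emits a key when it is newly pressed, so the repeated reports a held key generates are not typed twice. The sample reports are constructed for the example; the key table is the standard USB HID Keyboard/Keypad usage page for a US layout.

```python
from typing import Iterable

# HID usage ID -> (unshifted, shifted) character, US layout. Letters start at
# 0x04 (a) and digits at 0x1e (1); the others are listed explicitly.
KEYMAP = {
    0x28: ("\n", "\n"), 0x2b: ("\t", "\t"), 0x2c: (" ", " "),
    0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1e + i] = (plain, shifted)

BACKSPACE = 0x2a
SHIFT_MASK = 0x22  # left shift (0x02) | right shift (0x20) in the modifier byte

# Constructed sample: the reports a user produces when typing "flag{dps}" and
# Enter, with one typo corrected by Backspace and one key held long enough to
# auto-repeat. All-zero reports are key releases.
SAMPLE_REPORTS = [
    "0000090000000000", "0000000000000000",  # f
    "00000f0000000000", "0000000000000000",  # l
    "0000040000000000", "0000000000000000",  # a
    "00000a0000000000", "0000000000000000",  # g
    "02002f0000000000", "0000000000000000",  # Shift + [  ->  {
    "0000070000000000", "0000000000000000",  # d
    "0000130000000000", "0000130000000000",  # p pressed, then the same report repeated (key held)
    "0000000000000000",
    "00001b0000000000", "0000000000000000",  # x (typo)
    "00002a0000000000", "0000000000000000",  # Backspace removes the x
    "0000160000000000", "0000000000000000",  # s
    "0200300000000000", "0000000000000000",  # Shift + ]  ->  }
    "0000280000000000", "0000000000000000",  # Enter
]


def parse_report(line: str) -> bytes:
    """Accept both '00000c0000000000' and the older '00:00:0c:00:00:00:00:00' form."""
    return bytes.fromhex(line.strip().replace(":", ""))


def decode_keystrokes(reports: Iterable[str]) -> str:
    """Reconstruct the typed text from a sequence of usbhid.data values."""
    typed = []
    previously_down = set()
    for line in reports:
        report = parse_report(line)
        if len(report) < 3:
            continue  # not a keyboard report
        shift = bool(report[0] & SHIFT_MASK)
        keys = [code for code in report[2:8] if code]
        for code in keys:
            if code in previously_down:
                continue  # still held from the last report: auto-repeat, not a new press
            if code == BACKSPACE:
                if typed:
                    typed.pop()
            elif code in KEYMAP:
                typed.append(KEYMAP[code][1 if shift else 0])
            else:
                typed.append(f"[0x{code:02x}]")  # unmapped usage, keep it visible
        previously_down = set(keys)
    return "".join(typed)


if __name__ == "__main__":
    print(repr(decode_keystrokes(SAMPLE_REPORTS)))
```

To feed it a real capture, export the field the same way as in the DNS section, for example `tshark -r keyboard.pcapng -T fields -e usbhid.data > data.txt` (the file name is an assumption), and pass `open("data.txt").read().splitlines()` to decode_keystrokes; blank lines from non-keyboard USB packets are skipped by the length check.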
Summary
In this article I have only covered the basics of traffic analysis. If you want to become really good at it, you need to work through many more challenges.