一、抓包的简单用法
tcpdump -i eth0 -s 0 -w 1.cap #旧版本默认只抓每个包的前68个字节(新版本默认262144字节,见下文"capture size"输出); -s 0表示不限大小,抓取完整数据包
tcpdump -r 1.cap #读取文件
tcpdump -A -r 1.cap #以ASCII码显示详细信息
tcpdump -X -r 1.cap #以16进制显示详细信息
二、抓取某个tcp端口的包
#抓取24端口
[root@db2 ~]# tcpdump -i eth0 tcp port 24
#另一台主机连接24端口
root@kali:~# nc -nv 10.0.0.52 24
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connection refused.
#tcpdump输出: 24端口未开放,db2以RST([R.])拒绝连接;未加-n时端口24被解析显示为服务名lmtp
14:24:12.962940 IP 10.0.0.146.35784 > db2.lmtp: Flags [S], seq 744522922, win 64240, options [mss 1460,sackOK,TS val 3033720939 ecr 0,nop,wscale 7], length 0
14:24:12.962984 IP db2.lmtp > 10.0.0.146.35784: Flags [R.], seq 0, ack 744522923, win 0, length 0
三、抓取远程控制传输的字段
#①执行抓包命令写入到333.cap文件中去,最后一步ctrl +c
[root@db2 ~]# tcpdump -i eth0 port 333 -w 333.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C10 packets captured
#②打开另一个窗口,在333端口侦听,并把bash交给连入的连接(明文,无任何加密)
[root@db2 ~]# nc -lp 333 -c bash
#③另一个主机进行连接,输入ls 、pwd命令
root@kali:~# nc -nv 10.0.0.52 333
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.52:333.
ls
333.cap
a.cap
txt.txt
pwd
/root
#④读取333.cap进行分析: 明文传输的命令和回显在抓包文件中可直接看到
[root@db2 ~]# tcpdump -A -r 333.cap
reading from file 333.cap, link-type EN10MB (Ethernet)
15:13:45.863433 IP 10.0.0.146.47488 > db2.texar: Flags [S], seq 468531016, win 64240, options [mss 1460,sackOK,TS val 3036693811 ecr 0,nop,wscale 7], length 0
E..<..@.@..?
...
..4...M..7H........0..........
..E3........
15:13:45.863466 IP db2.texar > 10.0.0.146.47488: Flags [S.], seq 1645785936, ack 468531017, win 28960, options [mss 1460,sackOK,TS val 19770654 ecr 3036693811,nop,wscale 7], length 0
E..<..@.@.%.
..4
....M..b..P..7I..q ...........
.-....E3....
15:13:45.863863 IP 10.0.0.146.47488 > db2.texar: Flags [.], ack 1, win 502, options [nop,nop,TS val 3036693811 ecr 19770654], length 0
E..4..@.@..F
...
..4...M..7Ib..Q...........
..E3.-..
15:13:47.608481 IP 10.0.0.146.47488 > db2.texar: Flags [P.], seq 1:4, ack 1, win 502, options [nop,nop,TS val 3036695556 ecr 19770654], length 3
E..7..@.@..B
...
..4...M..7Ib..Q...........
..L..-..ls #10.0.0.146远程控制10.0.0.52主机命令
15:13:47.608517 IP db2.texar > 10.0.0.146.47488: Flags [.], ack 4, win 227, options [nop,nop,TS val 19772400 ecr 3036695556], length 0
E..4.N@.@...
..4
....M..b..Q..7L...........
.-....L.
15:13:47.612503 IP db2.texar > 10.0.0.146.47488: Flags [P.], seq 1:23, ack 4, win 227, options [nop,nop,TS val 19772404 ecr 3036695556], length 22
E..J.O@.@...
..4
....M..b..Q..7L...........
.-....L.333.cap #结果显示
a.cap
txt.txt
15:13:47.613122 IP 10.0.0.146.47488 > db2.texar: Flags [.], ack 23, win 502, options [nop,nop,TS val 3036695560 ecr 19772404], length 0
E..4..@.@..D
...
..4...M..7Lb..g.....P.....
..L..-..
15:13:48.809833 IP 10.0.0.146.47488 > db2.texar: Flags [P.], seq 4:8, ack 23, win 502, options [nop,nop,TS val 3036696757 ecr 19772404], length 4
E..8..@.@..?
...
..4...M..7Lb..g...........
..P..-..pwd #远程控制命令显示
15:13:48.810145 IP db2.texar > 10.0.0.146.47488: Flags [P.], seq 23:29, ack 8, win 227, options [nop,nop,TS val 19773601 ecr 3036696757], length 6
E..:.P@.@...
..4
....M..b..g..7P...........
.-....P./root
15:13:48.810532 IP 10.0.0.146.47488 > db2.texar: Flags [.], ack 29, win 502, options [nop,nop,TS val 3036696758 ecr 19773601], length 0
E..4..@.@..B
...
..4...M..7Pb..m....|......
..P..-..
四、抓取ssl加密传输的内容
#①开启抓包命令
[root@db2 ~]# tcpdump -i eth0 port 555 -w ssl.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C19 packets captured
19 packets received by filter
0 packets dropped by kernel
#②开启555端口进行侦听(--ssl使用临时生成的自签名证书)
[root@db2 ~]# ncat -c bash -vnl 555 --ssl
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 034B B026 0A8C F68C D6C1 9FDF CD0E D8A9 E97B 3807
Ncat: Listening on :::555
Ncat: Listening on 0.0.0.0:555
Ncat: Connection from 10.0.0.146.
Ncat: Connection from 10.0.0.146:56654.
#③控制端使用ssl加密连接(注意下方"Certificate verification failed"提示:证书未通过校验,ncat仍继续建立了连接)
root@kali:~# ncat -nv 10.0.0.52 555 --ssl
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Subject: CN=localhost
Ncat: Issuer: CN=localhost
Ncat: SHA-1 fingerprint: 034B B026 0A8C F68C D6C1 9FDF CD0E D8A9 E97B 3807
Ncat: Certificate verification failed (EE certificate key too weak).
Ncat: SSL connection to 10.0.0.52:555.
Ncat: SHA-1 fingerprint: 034B B026 0A8C F68C D6C1 9FDF CD0E D8A9 E97B 3807
ls
ssl.cap
pwd
/root
#④读取ssl.cap内容: 除TLS握手部分仍为明文(如客户端发送的服务器名10.0.0.52、服务端返回的localhost证书)外,之后的应用数据全部是加密后的内容,ls、pwd等命令已无法看到
[root@db2 ~]# tcpdump -A -r ssl.cap
reading from file ssl.cap, link-type EN10MB (Ethernet)
15:29:01.864556 IP 10.0.0.146.56654 > db2.dsf: Flags [S], seq 2467083936, win 64240, options [mss 1460,sackOK,TS val 3037609806 ecr 0,nop,wscale 7], length 0
E..<H.@.@..
...
..4.N.+.......................
..?N........
15:29:01.864590 IP db2.dsf > 10.0.0.146.56654: Flags [S.], seq 2910096944, ack 2467083937, win 28960, options [mss 1460,sackOK,TS val 20686656 ecr 3037609806,nop,wscale 7], length 0
E..<..@.@.%.
..4
....+.N.t.0......q ...........
.;.@..?N....
15:29:01.864864 IP 10.0.0.146.56654 > db2.dsf: Flags [.], ack 1, win 502, options [nop,nop,TS val 3037609807 ecr 20686656], length 0
E..4H.@.@...
...
..4.N.+.....t.1....^Z.....
..?O.;.@
15:29:01.865435 IP 10.0.0.146.56654 > db2.dsf: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 3037609808 ecr 20686656], length 517
E..9H.@.@...
...
..4.N.+.....t.1...........
..?P.;.@................c..........."wF.wJ....c..z* .P.`.......z..b.5k. ..e.-c..b .H.........,.0...................].a.W.S.$.(.k.j.s.w.....
...9.8...........Q.=...5...+./.............\.`.V.R.#.'.g.@.r.v..... ...3.2.....E.D.......P.<.../...A.............. 10.0.0.52.........
...
...........#.............*.(........... .
...........................+........-.....3.&.$... ..:....M......M....`...b ...?<.A...v......................................................................................................................
15:29:01.865449 IP db2.dsf > 10.0.0.146.56654: Flags [.], ack 518, win 235, options [nop,nop,TS val 20686657 ecr 3037609808], length 0
E..4)q@.@...
..4
....+.N.t.1...............
.;.A..?P
15:29:01.865895 IP db2.dsf > 10.0.0.146.56654: Flags [P.], seq 1:605, ack 518, win 235, options [nop,nop,TS val 20686657 ecr 3037609808], length 604
E...)r@.@..0
..4
....+.N.t.1.........H.....
.;.A..?P....5...1..aC.,7.!....M.....0..oJ.J...@.E....... ......#................
0...0..o.........B.0.. *.H........0.1.0...U... localhost0...211005072858Z..221005072858Z0.1.0...U... localhost0..0.. *.H............0.......kU......lP.....N}...%v|;.;.....h..:.......4.vF..S....U.<.a...'o..t..|W.L.T.hw......j....hH.o.FI]B.S..~B..ZZ.PHd...v..."...<.8........e0c0...U....0.. localhost0K. `.H...B...>.<Automatically generated by Ncat. See https://nmap.org/ncat/.0.. *.H....................3`@.5j...a.q.@......| ...Q..zK.QVc3y...~.Mu..........B.......7.C}...C......wl!.Y...mC.....N.F.^.....>./uK..)..H..:_kv>.e.........
15:29:01.866200 IP 10.0.0.146.56654 > db2.dsf: Flags [.], ack 605, win 501, options [nop,nop,TS val 3037609809 ecr 20686657], length 0
E..4H.@.@...
...
..4.N.+.....t......Y......
..?Q.;.A
15:29:01.869955 IP 10.0.0.146.56654 > db2.dsf: Flags [P.], seq 518:708, ack 605, win 501, options [nop,nop,TS val 3037609812 ecr 20686657], length 190
E...H.@.@..P
...
..4.N.+.....t.............
..?T.;.A.............._..X.g.J.....d..G.r......2..@$r.%.,uXZj..;{...G..W...c9.Kv._4Q..ae`.....f....,........H...._...&m.o.+._...wS3....ax.Ug..e{Z_...........(J..V{........cdzJ.....s....Q.MH....C.W.&
15:29:01.870770 IP db2.dsf > 10.0.0.146.56654: Flags [P.], seq 605:847, ack 708, win 243, options [nop,nop,TS val 20686662 ecr 3037609812], length 242
E..&)s@.@...
..4
....+.N.t.....d...........
.;.F..?T............,....XF"J.p0%.:...L.[.&....S...<..A..........:+...=......r....qR.;+.....K...4....Y.k..B...Y.C.N.V.&.` ..LG..g.<.+|....e...
.j..1t.W.......>.1...I....tu.lS(.i......J.. ..z.U=8..| ...........(*>}..x..b......l.da.}.=..=...,.&....z..1
15:29:01.871106 IP 10.0.0.146.56654 > db2.dsf: Flags [.], ack 847, win 501, options [nop,nop,TS val 3037609813 ecr 20686662], length 0
E..4H.@.@..
...
..4.N.+...d.t......X>.....
..?U.;.F
15:29:03.625935 IP 10.0.0.146.56654 > db2.dsf: Flags [P.], seq 708:740, ack 847, win 501, options [nop,nop,TS val 3037611568 ecr 20686662], length 32
E..TH.@.@...
...
..4.N.+...d.t.............
..F0.;.F.....J..V{...,.YZ2......>.N....A
15:29:03.629285 IP db2.dsf > 10.0.0.146.56654: Flags [P.], seq 847:884, ack 740, win 243, options [nop,nop,TS val 20688420 ecr 3037611568], length 37
E..Y)t@.@..e
..4
....+.N.t.................
.;.$..F0.... *>}..x. .@.........0....H....s..
15:29:03.629917 IP 10.0.0.146.56654 > db2.dsf: Flags [.], ack 884, win 501, options [nop,nop,TS val 3037611572 ecr 20688420], length 0
E..4H.@.@...
...
..4.N.+.....t......J<.....
..F4.;.$
15:29:05.252144 IP 10.0.0.146.56654 > db2.dsf: Flags [P.], seq 740:773, ack 884, win 501, options [nop,nop,TS val 3037613194 ecr 20688420], length 33
E..UH.@.@...
...
..4.N.+.....t......yv.....
..L..;.$.....J..V{.....-Sa...[..f.*...#..
15:29:05.252614 IP db2.dsf > 10.0.0.146.56654: Flags [P.], seq 884:919, ack 773, win 243, options [nop,nop,TS val 20690044 ecr 3037613194], length 35
E..W)u@.@..f
..4
....+.N.t.................
.;.|..L......*>}..x.!..@...r..a...D.>.\pos.
15:29:05.253071 IP 10.0.0.146.56654 > db2.dsf: Flags [.], ack 919, win 501, options [nop,nop,TS val 3037613195 ecr 20690044], length 0
E..4H.@.@..
...
..4.N.+.....t......=I.....
..L..;.|
15:29:06.578974 IP 10.0.0.146.56654 > db2.dsf: Flags [F.], seq 773, ack 919, win 501, options [nop,nop,TS val 3037614521 ecr 20690044], length 0
E..4H.@.@...
...
..4.N.+.....t......8......
..Q..;.|
15:29:06.579130 IP db2.dsf > 10.0.0.146.56654: Flags [P.], seq 919:950, ack 774, win 243, options [nop,nop,TS val 20691370 ecr 3037614521], length 31
E..S)v@.@..i
..4
....+.N.t.................
.;....Q......*>}..x."..$.mv...)......q.
15:29:06.579425 IP 10.0.0.146.56654 > db2.dsf: Flags [R], seq 2467084710, win 0, length 0
E..(..@.@.&.
...
..4.N.+........P...n.........
五、tcpdump高级筛选
按源地址(输出第3列,含端口)排序并去重
tcpdump -n -r http.cap|awk '{print $3}' |sort -u
只显示源IP为145.254.160.237的数据包
tcpdump -n src host 145.254.160.237 -r http.cap
只显示目标IP为145.254.160.237的数据包
tcpdump -n dst host 145.254.160.237 -r http.cap
显示源或目标端口为53的数据包(-X同时以16进制和ASCII显示内容)
tcpdump -n port 53 -r http.cap
tcpdump -nX port 53 -r http.cap
显示TCP头偏移13(从0起算)的标志位字节等于24(即PSH+ACK,0x18)的数据包
tcpdump -A -n 'tcp[13] = 24' -r http.cap