Tags: traffic analysis, DNS traffic, pyshark
0x00. Challenge
Attachment path: https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
Attachment name: 202312_QQ_packet1.zip
Xiao Zhang found that one of the company's servers had been compromised. A packet capture was taken on the server; please analyze the traffic and recover the flag hidden in the trojan's communication. Submit the flag in the format everflag{}.
0x01. WP1
1. Filtering the traffic turned up nothing abnormal in the HTTP requests, but there was a large number of DNS queries, so DNS exfiltration was the initial suspicion.
2. Decoding the queried domain names yields sensitive information.
3. A suspected Base64-encoded string was found in the preceding request:
Base64 decode: whoami
4. Analyzing the shorter packets (hex-decode, then Base64-decode) yields the first part of the flag:
5a6d78685a3373784d7a49354e445a6a5a6d526b4e4445355a6a6869
ZmxhZ3sxMzI5NDZjZmRkNDE5Zjhi
flag{132946cfdd419f8b
5. The second part of the flag is found in a later request (two layers of Base64):
WldOb2J5QWlNekE0WldZM1pXVTRaVFkwTlRkaE5YMGlJRDRnWm14aFp6SXVkSGgw
ZWNobyAiMzA4ZWY3ZWU4ZTY0NTdhNX0iID4gZmxhZzIudHh0
echo "308ef7ee8e6457a5}" > flag2.txt
The final flag is flag{132946cfdd419f8b308ef7ee8e6457a5}
0x02. WP2
Use Python with pyshark to automate the parsing.
exp.py:
```python
# -*- coding: utf-8 -*-
import pyshark
import base64

strTsharkPath = "C:\\Program Files\\Wireshark"
strCapPath = ".\\pcapngs\\dns.pcapng"
# Only DNS packets sent by the compromised host are of interest
cap = pyshark.FileCapture(strCapPath, display_filter="dns && ip.src==192.168.158.1", tshark_path=strTsharkPath)

# Protocol structure analysis: dump the layers and field names of one packet
print("协议结构分析开始...")
i = 0
for layer in cap[1].layers:
    print("第", i + 1, "层:", layer.layer_name)
    print(layer.field_names)
    i += 1
print("协议结构分析完成。")
# End of protocol structure analysis
print("=" * 16)

print("DNS数据分析开始...")
strProtocal = ""
intIndex = 0
strCMD = ""
strResponse = ""        # hex chunks of one command's output, accumulated across queries
strResonseDecode = ""
intTime = ""
for pkt in cap:
    strProtocal = pkt.layers[1].get_field_value("proto")   # IP protocol number (17 = UDP)
    intIndex = pkt.layers[2].get_field_value("Stream")     # UDP stream index
    try:
        strQryName = pkt.layers[3].get_field_value("qry_name")
        if strQryName == "bnh0.com":
            # Marker query: the output of the current command is complete.
            # Query labels carry hex(base64(output)); decode as GB2312 (Chinese Windows console)
            strResonseDecode = base64.b64decode(bytes.fromhex(strResponse)).decode("gb2312")
            if len(strResonseDecode) != 0:
                print("回显内容:\n", strResonseDecode)
                print("=" * 16)
                strResponse = ""
        else:
            # Data query: strip the ".com" suffix and append the hex chunk
            strResponse = strResponse + strQryName.replace(".com", "")
        if pkt.layers[3].get_field_value("TXT") != None:
            # Commands arrive in TXT records, Base64-encoded twice
            strCMD = pkt.layers[3].get_field_value("TXT")
            strCMD = base64.b64decode(base64.b64decode(strCMD)).decode("utf-8")
            print("Protocal:", strProtocal)
            print("Index:", intIndex)
            print("CMD:", strCMD)
    except Exception:
        # Packets without a query name, or with an odd-length hex chunk, are skipped
        pass

# Flush any output chunks that were never terminated by the marker query
if strResponse:
    strResonseDecode = base64.b64decode(bytes.fromhex(strResponse)).decode("gb2312")
    print("回显内容:\n", strResonseDecode)
    print("=" * 16)
```
The output is as follows:
协议结构分析开始...
第 1 层: eth
['dst', 'dst_resolved', 'dst_oui', 'dst_oui_resolved', 'addr', 'addr_resolved', 'addr_oui', 'addr_oui_resolved', 'dst_lg', 'lg', 'dst_ig', 'ig', 'src', 'src_resolved', 'src_oui', 'src_oui_resolved', 'src_lg', 'src_ig', 'type']
第 2 层: ip
['version', 'hdr_len', 'dsfield', 'dsfield_dscp', 'dsfield_ecn', 'len', 'id', 'flags', 'flags_rb', 'flags_df', 'flags_mf', 'frag_offset', 'ttl', 'proto', 'checksum', 'checksum_status', 'src', 'addr', 'src_host', 'host', 'dst', 'dst_host']
第 3 层: udp
['srcport', 'dstport', 'port', 'length', 'checksum', 'checksum_status', 'stream', '', 'time_relative', 'time_delta', 'payload']
第 4 层: dns
['id', 'flags', 'flags_response', 'flags_opcode', 'flags_authoritative', 'flags_truncated', 'flags_recdesired', 'flags_recavail', 'flags_z', 'flags_authenticated', 'flags_checkdisable', 'flags_rcode', 'count_queries', 'count_answers', 'count_auth_rr', 'count_add_rr', '', 'qry_name', 'qry_name_len', 'count_labels', 'qry_type', 'qry_class', 'response_to', 'time']
协议结构分析完成。
================
DNS数据分析开始...
Protocal: 17
Index: 60
CMD: whoami
回显内容:
 admin-pc\admin
================
Protocal: 17
Index: 62
CMD: dir
回显内容:
 驱动器 C 中的卷是 Windows
 卷的序列号是 CC6A-60AD

 C:\Users\Admin\Desktop\aa 的目录

2021/07/18 21:37 <DIR> .
2021/07/18 21:37 <DIR> ..
2021/07/17 23:43 21 flag.txt
2021/07/18 21:34 4,644 shell.py
2 个文件 4,665 字节
2 个目录 32,699,531,264 可用字节
================
Protocal: 17
Index: 80
CMD: tasklist
回显内容:映像名称 PID 会话名 会话# 内存使用
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 24 K
System 4 Services 0 244 K
smss.exe 268 Services 0 136 K
csrss.exe 412 Services 0 1,836 K
wininit.exe 464 Services 0 292 K
csrss.exe 472 Console 1 14,056 K
winlogon.exe 528 Console 1 2,360 K
services.exe 564 Services 0 5,924 K
lsass.exe 580 Services 0 6,624 K
lsm.exe 588 Services 0 2,124 K
svchost.exe 680 Services 0 4,848 K
vm3dservice.exe 748 Services 0 1,240 K
svchost.exe 788 Services 0 6,112 K
svchost.exe 876 Services 0 11,520 K
svchost.exe 912 Services 0 7,176 K
svchost.exe 936 Services 0 11,632 K
svchost.exe 964 Services 0 25,100 K
svchost.exe 456 Services 0 4,060 K
svchost.exe 1036 Services 0 14,868 K
spoolsv.exe 1152 Services 0 4,064 K
svchost.exe 1200 Services 0 12,412 K
Everything.exe 1356 Services 0 1,536 K
svchost.exe 1400 Services 0 5,192 K
VGAuthService.exe 1460 Services 0 1,852 K
vmtoolsd.exe 1560 Services 0 8,952 K
WmiPrvSE.exe 1952 Services 0 14,500 K
msdtc.exe 1432 Services 0 1,312 K
taskhost.exe 2216 Console 1 7,848 K
dwm.exe 2296 Console 1 3,836 K
explorer.exe 2364 Console 1 62,052 K
vm3dservice.exe 2580 Console 1 652 K
vmtoolsd.exe 2588 Console 1 21,832 K
QQPYUserCenter.exe 2604 Console 1 14,324 K
VCDDaemon.exe 2700 Console 1 1,288 K
Everything.exe 2804 Console 1 20,524 K
SearchIndexer.exe 2996 Services 0 20,968 K
wmpnetwk.exe 1300 Services 0 7,664 K
svchost.exe 1828 Services 0 21,564 K
taskhost.exe 3440 Console 1 11,072 K
svchost.exe 2932 Services 0 3,660 K
QQPYUserCenter.exe 3660 Console 1 120 K
chrome.exe 484 Console 1 138,316 K
chrome.exe 3688 Console 1 5,488 K
chrome.exe 4980 Console 1 176,080 K
chrome.exe 5112 Console 1 35,812 K
chrome.exe 3216 Console 1 15,732 K
chrome.exe 1996 Console 1 56,464 K
chrome.exe 2548 Console 1 75,912 K
chrome.exe 2728 Console 1 119,332 K
chrome.exe 1060 Console 1 132,592 K
chrome.exe 1136 Console 1 101,928 K
chrome.exe 4256 Console 1 45,536 K
chrome.exe 1276 Console 1 86,652 K
chrome.exe 4332 Console 1 36,380 K
chrome.exe 3480 Console 1 100,268 K
sublime_text.exe 4184 Console 1 64,256 K
plugin_host-3.3.exe 5072 Console 1 17,120 K
plugin_host-3.8.exe 812 Console 1 26,336 K
ConEmu64.exe 3704 Console 1 35,292 K
ConEmuC64.exe 4108 Console 1 5,940 K
conhost.exe 2560 Console 1 4,368 K
cmd.exe 2500 Console 1 8,928 K
Wireshark.exe 1848 Console 1 151,448 K
dumpcap.exe 2408 Console 1 8,152 K
conhost.exe 4064 Console 1 3,700 K
py.exe 4376 Console 1 5,008 K
python.exe 1376 Console 1 15,544 K
cmd.exe 4008 Console 1 4,108 K
tasklist.exe 1592 Console 1 7,632 K
================
Protocal: 17
Index: 336
CMD: type flag.txt
回显内容:flag{132946cfdd419f8b
================
Protocal: 17
Index: 341
CMD: echo "308ef7ee8e6457a5}" > flag2.txt
Protocal: 17
Index: 370
CMD: whoami
回显内容:
 admin-pc\admin
================
Protocal: 17
Index: 372
CMD: dir
回显内容:
 驱动器 C 中的卷是 Windows
 卷的序列号是 CC6A-60AD

 C:\Users\Admin\Desktop\aa 的目录

2021/07/18 21:38 <DIR> .
2021/07/18 21:38 <DIR> ..
2021/07/17 23:43 21 flag.txt
2021/07/18 21:38 22 flag2.txt
2021/07/18 21:34 4,644 shell.py
3 个文件 4,687 字节
2 个目录 32,694,652,928 可用字节
================
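As an added, self-contained example (not part of the original write-up and not the author's exp.py), the decoder below reimplements the same reassembly logic offline, without pyshark. It consumes the (query name, TXT data) pairs that the script above extracts from each packet, decodes the double-Base64 TXT commands, joins the hex labels of the data queries until the bnh0.com marker query, and Base64/GB2312-decodes the result, which is the chain WP1 steps 3 to 5 perform by hand. It also adds a simple hunting heuristic that shortlists query names whose labels are long and purely hexadecimal. The marker domain, the ".com" suffix and the two encoded values come from the write-up; the 63-byte label splitting, the query name used on TXT records, the whoami and dir samples, and all function names are assumptions or constructed test data. It goes beyond the page's single chunk by handling payloads that span several DNS labels.

```python
import base64
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# From the write-up: marker query that ends one command's output, and the suffix
# appended to every data query. MAX_LABEL is the RFC 1035 label limit (assumption:
# the implant splits longer hex payloads across labels; the page shows one label).
END_MARKER = "bnh0.com"
C2_SUFFIX = ".com"
MAX_LABEL = 63


def decode_command(txt: str) -> str:
    """Tasking arrives in a TXT record as base64(base64(command))."""
    return base64.b64decode(base64.b64decode(txt)).decode("utf-8")


def decode_output(labels: Iterable[str], encoding: str = "gb2312") -> str:
    """Command output travels as hex(base64(output)) spread over query labels.
    GB2312 matches the Chinese Windows console seen in the capture."""
    hexdata = "".join(labels)
    return base64.b64decode(bytes.fromhex(hexdata)).decode(encoding, errors="replace")


def is_hex_exfil_name(qry_name: str, min_len: int = 32) -> bool:
    """Hunting heuristic: everything before the TLD is long and purely hexadecimal.
    Expect false positives (CDN/telemetry hostnames); use it to shortlist, not to alert."""
    payload = "".join(qry_name.split(".")[:-1])
    if len(payload) < min_len or len(payload) % 2:
        return False
    return all(c in "0123456789abcdefABCDEF" for c in payload)


@dataclass
class Session:
    command: Optional[str]   # None if output was seen without a preceding TXT command
    output: str


def reassemble(records: Iterable[Tuple[str, Optional[str]]]) -> List[Session]:
    """records: (qry_name, txt) pairs in capture order; txt is None for plain queries.
    Mirrors the write-up's script: a TXT record starts a command, data queries
    accumulate hex chunks, the marker query (or end of capture) closes the session."""
    sessions: List[Session] = []
    pending: Optional[str] = None
    labels: List[str] = []

    def flush() -> None:
        nonlocal pending, labels
        if pending is not None or labels:
            sessions.append(Session(pending, decode_output(labels) if labels else ""))
        pending, labels = None, []

    for qry_name, txt in records:
        if txt is not None:                 # new command: close whatever was pending
            flush()
            pending = decode_command(txt)
        elif qry_name == END_MARKER:        # output of the current command is complete
            flush()
        elif qry_name.endswith(C2_SUFFIX):  # data query: drop suffix and label dots
            labels.append(qry_name[:-len(C2_SUFFIX)].replace(".", ""))
    flush()                                 # capture may end before the marker
    return sessions


# --- constructed sample traffic (not from the capture) -------------------------
def _encode_command(cmd: str) -> str:
    return base64.b64encode(base64.b64encode(cmd.encode("utf-8"))).decode("ascii")


def _encode_output(text: str, encoding: str = "gb2312") -> str:
    hexdata = base64.b64encode(text.encode(encoding)).hex()
    parts = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
    return ".".join(parts) + C2_SUFFIX


# Query name on TXT records is assumed to be the marker; the reassembler ignores it.
SAMPLE_RECORDS: List[Tuple[str, Optional[str]]] = [
    # TXT value taken from the write-up (step 5); echo with redirection has no output
    (END_MARKER, "WldOb2J5QWlNekE0WldZM1pXVTRaVFkwTlRkaE5YMGlJRDRnWm14aFp6SXVkSGgw"),
    (END_MARKER, None),
    # constructed whoami round trip
    (END_MARKER, _encode_command("whoami")),
    (_encode_output("admin-pc\\admin"), None),
    (END_MARKER, None),
    # constructed dir output long enough to span two DNS labels
    (END_MARKER, _encode_command("dir")),
    (_encode_output("驱动器 C 中的卷是 Windows"), None),
    (END_MARKER, None),
    # data query taken from the write-up (step 4)
    (END_MARKER, _encode_command("type flag.txt")),
    ("5a6d78685a3373784d7a49354e445a6a5a6d526b4e4445355a6a6869" + C2_SUFFIX, None),
    (END_MARKER, None),
]

if __name__ == "__main__":
    for s in reassemble(SAMPLE_RECORDS):
        print("CMD:", s.command)
        print("OUTPUT:", s.output or "<none>")
```

To run it against the real capture, replace SAMPLE_RECORDS with the pairs the script above reads via get_field_value("qry_name") and get_field_value("TXT"), keeping capture order. The final flush plays the same role as the trailing block in exp.py: a capture cut off before the marker query still yields the partial output instead of losing it.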