TShark - TryHackMe
TShark
TShark is a network protocol analyzer. It lets you capture packet data from a live network or read packets from a previously saved capture file, and either print a decoded form of those packets to standard output or write the packets to a file.
Reading a PCAP File
TShark displays the packets and numbers them. You can also count them with wc -l.
$ tshark -r dns.cap
1 0.000000 192.168.170.8 → 192.168.170.20 DNS 70 Standard query 0x1032 TXT google.com
2 0.000530 192.168.170.20 → 192.168.170.8 DNS 98 Standard query response 0x1032 TXT google.com TXT
3 4.005222 192.168.170.8 → 192.168.170.20 DNS 70 Standard query 0xf76f MX google.com
4 4.837355 192.168.170.20 → 192.168.170.8 DNS 298 Standard query response 0xf76f MX google.com MX 40 smtp4.google.com MX 10 smtp5.google.com MX 10 smtp6.google.com MX 10 smtp1.google.com MX 10 smtp2.google.com MX 40 smtp3.google.com A 216.239.37.26 A 64.233.167.25 A 66.102.9.25 A 216.239.57.25 A 216.239.37.25 A 216.239.57.26
5 12.817185 192.168.170.8 → 192.168.170.20 DNS 70 Standard query 0x49a1 LOC google.com
6 12.956209 192.168.170.20 → 192.168.170.8 DNS 70 Standard query response 0x49a1 LOC google.com
7 20.824827 192.168.170.8 → 192.168.170.20 DNS 85 Standard query 0x9bbb PTR 104.9.192.66.in-addr.arpa
8 20.825333 192.168.170.20 → 192.168.170.8 DNS 129 Standard query response 0x9bbb PTR 104.9.192.66.in-addr.arpa PTR 66-192-9-104.gen.twtelecom.net
9 92.189905 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x75c0 A www.netbsd.org
10 92.238816 192.168.170.20 → 192.168.170.8 DNS 90 Standard query response 0x75c0 A www.netbsd.org A 204.152.190.12
11 108.965135 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0xf0d4 AAAA www.netbsd.org
12 109.202803 192.168.170.20 → 192.168.170.8 DNS 102 Standard query response 0xf0d4 AAAA www.netbsd.org AAAA 2001:4f8:4:7:2e0:81ff:fe52:9a6b
13 169.027394 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x7f39 AAAA www.netbsd.org
14 169.027781 192.168.170.20 → 192.168.170.8 DNS 102 Standard query response 0x7f39 AAAA www.netbsd.org AAAA 2001:4f8:4:7:2e0:81ff:fe52:9a6b
15 178.239844 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x8db3 AAAA www.google.com
16 178.256382 192.168.170.20 → 192.168.170.8 DNS 94 Standard query response 0x8db3 AAAA www.google.com CNAME www.l.google.com
17 187.853816 192.168.170.8 → 192.168.170.20 DNS 76 Standard query 0xdca2 AAAA www.l.google.com
18 187.870481 192.168.170.20 → 192.168.170.8 DNS 76 Standard query response 0xdca2 AAAA www.l.google.com
19 228.708302 192.168.170.8 → 192.168.170.20 DNS 75 Standard query 0xbc1f AAAA www.example.com
20 228.941445 192.168.170.20 → 192.168.170.8 DNS 75 Standard query response 0xbc1f AAAA www.example.com
21 240.323938 192.168.170.8 → 192.168.170.20 DNS 79 Standard query 0x266d AAAA www.example.notginh
22 240.536930 192.168.170.20 → 192.168.170.8 DNS 79 Standard query response 0x266d No such name AAAA www.example.notginh
23 271.164734 192.168.170.8 → 192.168.170.20 DNS 71 Standard query 0xfee3 ANY www.isc.org
24 271.237338 192.168.170.20 → 192.168.170.8 DNS 115 Standard query response 0xfee3 ANY www.isc.org AAAA 2001:4f8:0:2::d A 204.152.184.88
25 271.241158 192.168.170.8 → 192.168.170.20 DNS 82 Standard query 0x5a53 PTR 1.0.0.127.in-addr.arpa
26 271.241746 192.168.170.20 → 192.168.170.8 DNS 105 Standard query response 0x5a53 PTR 1.0.0.127.in-addr.arpa PTR localhost
27 271.244120 192.168.170.8 → 192.168.170.20 DNS 67 Standard query 0x208a NS isc.org
28 271.259884 192.168.170.56 → 217.13.4.24 DNS 129 Standard query 0x326e SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.utelsystems.local
29 271.262407 192.168.170.20 → 192.168.170.8 DNS 166 Standard query response 0x208a NS isc.org NS ns-ext.nrt1.isc.org NS ns-ext.sth1.isc.org NS ns-ext.isc.org NS ns-ext.lga1.isc.org
30 271.279695 217.13.4.24 → 192.168.170.56 DNS 129 Standard query response 0x326e No such name SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.utelsystems.local
31 271.280350 192.168.170.56 → 217.13.4.24 DNS 98 Standard query 0xf161 SRV _ldap._tcp.dc._msdcs.utelsystems.local
32 271.297651 217.13.4.24 → 192.168.170.56 DNS 98 Standard query response 0xf161 No such name SRV _ldap._tcp.dc._msdcs.utelsystems.local
33 271.298194 192.168.170.56 → 217.13.4.24 DNS 140 Standard query 0x8361 SRV _ldap._tcp.05b5292b-34b8-4fb7-85a3-8beef5fd2069.domains._msdcs.utelsystems.local
34 271.317878 217.13.4.24 → 192.168.170.56 DNS 140 Standard query response 0x8361 No such name SRV _ldap._tcp.05b5292b-34b8-4fb7-85a3-8beef5fd2069.domains._msdcs.utelsystems.local
35 271.419659 192.168.170.56 → 217.13.4.24 DNS 83 Standard query 0xd060 A GRIMM.utelsystems.local
36 271.436583 217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0xd060 No such name A GRIMM.utelsystems.local
37 278.861300 192.168.170.56 → 217.13.4.24 DNS 83 Standard query 0x7663 A GRIMM.utelsystems.local
38 278.879313 217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0x7663 No such name A GRIMM.utelsystems.local
$ tshark -r dns.cap | wc -l
38
TShark supports the same "display filters" as Wireshark. Here we filter for DNS queries of type 1 (A records); the matching responses are listed as well, because a DNS response repeats the question section.
$ tshark -r dns.cap -Y "dns.qry.type == 1"
9 92.189905 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x75c0 A www.netbsd.org
10 92.238816 192.168.170.20 → 192.168.170.8 DNS 90 Standard query response 0x75c0 A www.netbsd.org A 204.152.190.12
35 271.419659 192.168.170.56 → 217.13.4.24 DNS 83 Standard query 0xd060 A GRIMM.utelsystems.local
36 271.436583 217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0xd060 No such name A GRIMM.utelsystems.local
37 278.861300 192.168.170.56 → 217.13.4.24 DNS 83 Standard query 0x7663 A GRIMM.utelsystems.local
38 278.879313 217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0x7663 No such name A GRIMM.utelsystems.local
You can also select individual fields of the packet structure. Here we extract only the DNS query name field.
$ tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
www.netbsd.org
www.netbsd.org
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
DNS Exfiltration
Let's take a look at the provided pcap.
$ tshark -r pcap | wc -l
125
There are 125 packets.
$ tshark -r pcap -Y "dns.flags.response == 0" | wc -l
56
$ tshark -r pcap -T fields -e dns.qry.name | uniq | wc -l
56
There are 56 unique DNS queries.
Now, looking at some of the packets, you will notice the odd 0xbeef transaction ID. On the DNS server side it could be used to identify the 'special' queries. A well-behaved resolver picks a fresh, unpredictable transaction ID for every query, so one constant ID across many queries is itself a signal worth alerting on.
$ tshark -r pcap | head -n2
1 0.000000 192.168.1.8 → 192.168.1.200 DNS 74 Standard query 0xbeef A M.m4lwhere.org
2 0.019731 192.168.1.200 → 192.168.1.8 DNS 90 Standard query response 0xbeef A M.m4lwhere.org A 52.207.163.69
Across the 125 packets, the one thing that differs is the subdomain! It can be used to carry data out. Let's find out:
$ tshark -r pcap -Y "dns.flags.response == 0" -T fields -e "dns.qry.name" | sed "s/.m4lwhere.org//g" | tr -d "\n"
MZWGCZ33OMYHE4SZL5RDA6L2L5EV65RTL5TDC3BTOJSUIXZXNA2HI7IK
To decode the filtered data automatically, use Ciphey:
$ python3 -m ciphey -t "MZWGCZ33OMYHE4SZL5RDA6L2L5EV65RTL5TDC3BTOJSUIXZXNA2HI7IK"
Result 'flag{th1s_is_t0ugh_with0u7_tsh4rk!}' (y/N): y
Checker: passed with regex re.compile('(?i)(htb|thm|flag|ctf)\\{.*\\}', re.IGNORECASE)
Format used:
base32
utf8
Final result: "flag{s0rrY_b0yz_I_v3_f1l3reD_7h4t}"
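The field-extraction and decoding pipeline above, rewritten as a small detection script. This is an added example, not code from the original post or from TryHackMe: it reads tshark -T fields output (here a constructed sample that assumes the capture's pattern of a fixed 0xbeef ID and one base32 label per query), flags transaction IDs that are reused far more often than randomly chosen IDs would be, rebuilds the subdomain string for each flagged ID and decodes it as base32.

```python
import base64
import binascii
from collections import Counter

# Base32 string recovered on the page; used here only to build the constructed sample input.
PAYLOAD_B32 = "MZWGCZ33OMYHE4SZL5RDA6L2L5EV65RTL5TDC3BTOJSUIXZXNA2HI7IK"

# Constructed stand-in for the tab-separated output of
#   tshark -r pcap -Y "dns.flags.response == 0" -T fields -e dns.id -e dns.qry.name
# Assumes the capture's pattern (fixed 0xbeef ID, one payload label per query) plus ordinary lookups.
SAMPLE_FIELDS = "\n".join(
    ["0x75c0\twww.netbsd.org", "0xf0d4\twww.netbsd.org"]
    + [f"0xbeef\t{c}.m4lwhere.org" for c in PAYLOAD_B32]
    + ["0x8db3\twww.google.com"]
)

def parse_fields(text):
    """Turn tshark -T fields lines into (transaction id, query name) tuples."""
    return [tuple(line.split("\t", 1)) for line in text.splitlines() if "\t" in line]

def suspicious_txids(rows, min_reuse=10):
    """IDs reused far more often than random DNS IDs should be: a tag for 'special' queries."""
    counts = Counter(txid for txid, _ in rows)
    return {txid: n for txid, n in counts.items() if n >= min_reuse}

def infer_apex(rows, txid):
    """Most common registered domain (last two labels) among the queries tagged with txid."""
    apexes = Counter(".".join(name.split(".")[-2:]) for t, name in rows if t == txid)
    return apexes.most_common(1)[0][0]

def reassemble(rows, txid, apex):
    """Concatenate the subdomain part of each txid-tagged query under apex, in capture order."""
    suffix = "." + apex
    return "".join(name[:-len(suffix)] for t, name in rows if t == txid and name.endswith(suffix))

def try_base32(s):
    """Decode s as RFC 4648 base32, restoring stripped padding; None if it is not base32."""
    try:
        return base64.b32decode(s.upper() + "=" * (-len(s) % 8))
    except binascii.Error:
        return None

def decode_exfil(text):
    """Whole pipeline: {reused id: decoded bytes, or None when the string is not base32}."""
    rows = parse_fields(text)
    return {txid: try_base32(reassemble(rows, txid, infer_apex(rows, txid)))
            for txid in suspicious_txids(rows)}

if __name__ == "__main__":
    print(decode_exfil(SAMPLE_FIELDS))
```

On a real capture, pipe the tshark command from the comment into a file and pass its contents to decode_exfil; the reuse threshold is a tunable, and a hit only means the queries deserve a closer look.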
Reference
On this topic (TShark - TryHackMe), more material can be found in the original post: https://dev.to/hextrace/thm-tshark-4kji. The text may be freely shared or copied, but please keep this document's URL as the reference URL.