TShark - TryHackMe

This is a brief write-up of the TShark room on tryhackme.com.

TShark



TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, and either print a decoded form of those packets to standard output or write the packets to a file.

Reading a PCAP file



TShark displays and numbers the packets. You can also count them with wc -l.

$ tshark -r dns.cap
    1   0.000000 192.168.170.8 → 192.168.170.20 DNS 70 Standard query 0x1032 TXT google.com
    2   0.000530 192.168.170.20 → 192.168.170.8 DNS 98 Standard query response 0x1032 TXT google.com TXT
    3   4.005222 192.168.170.8 → 192.168.170.20 DNS 70 Standard query 0xf76f MX google.com
    4   4.837355 192.168.170.20 → 192.168.170.8 DNS 298 Standard query response 0xf76f MX google.com MX 40 smtp4.google.com MX 10 smtp5.google.com MX 10 smtp6.google.com MX 10 smtp1.google.com MX 10 smtp2.google.com MX 40 smtp3.google.com A 216.239.37.26 A 64.233.167.25 A 66.102.9.25 A 216.239.57.25 A 216.239.37.25 A 216.239.57.26
    5  12.817185 192.168.170.8 → 192.168.170.20 DNS 70 Standard query 0x49a1 LOC google.com
    6  12.956209 192.168.170.20 → 192.168.170.8 DNS 70 Standard query response 0x49a1 LOC google.com
    7  20.824827 192.168.170.8 → 192.168.170.20 DNS 85 Standard query 0x9bbb PTR 104.9.192.66.in-addr.arpa
    8  20.825333 192.168.170.20 → 192.168.170.8 DNS 129 Standard query response 0x9bbb PTR 104.9.192.66.in-addr.arpa PTR 66-192-9-104.gen.twtelecom.net
    9  92.189905 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x75c0 A www.netbsd.org
   10  92.238816 192.168.170.20 → 192.168.170.8 DNS 90 Standard query response 0x75c0 A www.netbsd.org A 204.152.190.12
   11 108.965135 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0xf0d4 AAAA www.netbsd.org
   12 109.202803 192.168.170.20 → 192.168.170.8 DNS 102 Standard query response 0xf0d4 AAAA www.netbsd.org AAAA 2001:4f8:4:7:2e0:81ff:fe52:9a6b
   13 169.027394 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x7f39 AAAA www.netbsd.org
   14 169.027781 192.168.170.20 → 192.168.170.8 DNS 102 Standard query response 0x7f39 AAAA www.netbsd.org AAAA 2001:4f8:4:7:2e0:81ff:fe52:9a6b
   15 178.239844 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x8db3 AAAA www.google.com
   16 178.256382 192.168.170.20 → 192.168.170.8 DNS 94 Standard query response 0x8db3 AAAA www.google.com CNAME www.l.google.com
   17 187.853816 192.168.170.8 → 192.168.170.20 DNS 76 Standard query 0xdca2 AAAA www.l.google.com
   18 187.870481 192.168.170.20 → 192.168.170.8 DNS 76 Standard query response 0xdca2 AAAA www.l.google.com
   19 228.708302 192.168.170.8 → 192.168.170.20 DNS 75 Standard query 0xbc1f AAAA www.example.com
   20 228.941445 192.168.170.20 → 192.168.170.8 DNS 75 Standard query response 0xbc1f AAAA www.example.com
   21 240.323938 192.168.170.8 → 192.168.170.20 DNS 79 Standard query 0x266d AAAA www.example.notginh
   22 240.536930 192.168.170.20 → 192.168.170.8 DNS 79 Standard query response 0x266d No such name AAAA www.example.notginh
   23 271.164734 192.168.170.8 → 192.168.170.20 DNS 71 Standard query 0xfee3 ANY www.isc.org
   24 271.237338 192.168.170.20 → 192.168.170.8 DNS 115 Standard query response 0xfee3 ANY www.isc.org AAAA 2001:4f8:0:2::d A 204.152.184.88
   25 271.241158 192.168.170.8 → 192.168.170.20 DNS 82 Standard query 0x5a53 PTR 1.0.0.127.in-addr.arpa
   26 271.241746 192.168.170.20 → 192.168.170.8 DNS 105 Standard query response 0x5a53 PTR 1.0.0.127.in-addr.arpa PTR localhost
   27 271.244120 192.168.170.8 → 192.168.170.20 DNS 67 Standard query 0x208a NS isc.org
   28 271.259884 192.168.170.56 → 217.13.4.24  DNS 129 Standard query 0x326e SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.utelsystems.local
   29 271.262407 192.168.170.20 → 192.168.170.8 DNS 166 Standard query response 0x208a NS isc.org NS ns-ext.nrt1.isc.org NS ns-ext.sth1.isc.org NS ns-ext.isc.org NS ns-ext.lga1.isc.org
   30 271.279695  217.13.4.24 → 192.168.170.56 DNS 129 Standard query response 0x326e No such name SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.utelsystems.local
   31 271.280350 192.168.170.56 → 217.13.4.24  DNS 98 Standard query 0xf161 SRV _ldap._tcp.dc._msdcs.utelsystems.local
   32 271.297651  217.13.4.24 → 192.168.170.56 DNS 98 Standard query response 0xf161 No such name SRV _ldap._tcp.dc._msdcs.utelsystems.local
   33 271.298194 192.168.170.56 → 217.13.4.24  DNS 140 Standard query 0x8361 SRV _ldap._tcp.05b5292b-34b8-4fb7-85a3-8beef5fd2069.domains._msdcs.utelsystems.local
   34 271.317878  217.13.4.24 → 192.168.170.56 DNS 140 Standard query response 0x8361 No such name SRV _ldap._tcp.05b5292b-34b8-4fb7-85a3-8beef5fd2069.domains._msdcs.utelsystems.local
   35 271.419659 192.168.170.56 → 217.13.4.24  DNS 83 Standard query 0xd060 A GRIMM.utelsystems.local
   36 271.436583  217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0xd060 No such name A GRIMM.utelsystems.local
   37 278.861300 192.168.170.56 → 217.13.4.24  DNS 83 Standard query 0x7663 A GRIMM.utelsystems.local
   38 278.879313  217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0x7663 No such name A GRIMM.utelsystems.local
$ tshark -r dns.cap | wc -l
38


TShark supports "display filters" in the same way Wireshark does. Here we filter the DNS packets by query type (dns.qry.type 1 is an A record).

$ tshark -r dns.cap -Y "dns.qry.type == 1"
   9  92.189905 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x75c0 A www.netbsd.org
   10  92.238816 192.168.170.20 → 192.168.170.8 DNS 90 Standard query response 0x75c0 A www.netbsd.org A 204.152.190.12
   35 271.419659 192.168.170.56 → 217.13.4.24  DNS 83 Standard query 0xd060 A GRIMM.utelsystems.local
   36 271.436583  217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0xd060 No such name A GRIMM.utelsystems.local
   37 278.861300 192.168.170.56 → 217.13.4.24  DNS 83 Standard query 0x7663 A GRIMM.utelsystems.local
   38 278.879313  217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0x7663 No such name A GRIMM.utelsystems.local


You can also select individual fields from the packet structure. Here we extract only the DNS query name field.

$ tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
www.netbsd.org
www.netbsd.org
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local


DNS Exfiltration



Let's take a look at the provided pcap.

$ tshark -r pcap | wc -l
125


There are 125 packets.

$ tshark -r pcap -Y "dns.flags.response == 0" | wc -l
56
$ tshark -r pcap -T fields -e dns.qry.name | uniq | wc -l
56


There are 56 unique DNS queries.

Now, looking at some of the packets, we notice the odd 0xbeef transaction ID. On the DNS server side it could be used to identify the 'special' queries.

$ tshark -r pcap | head -n2
    1   0.000000  192.168.1.8 → 192.168.1.200 DNS 74 Standard query 0xbeef A M.m4lwhere.org
    2   0.019731 192.168.1.200 → 192.168.1.8  DNS 90 Standard query response 0xbeef A M.m4lwhere.org A 52.207.163.69


The one thing that varies across the 125 packets is the subdomain! That is what can be used to exfiltrate data. Let's extract it:

$ tshark -r pcap -Y "dns.flags.response == 0" -T fields -e "dns.qry.name" | sed "s/.m4lwhere.org//g" | tr -d "\n"
MZWGCZ33OMYHE4SZL5RDA6L2L5EV65RTL5TDC3BTOJSUIXZXNA2HI7IK


To automagically decode the filtered data, we hand it to Ciphey:

$ python3 -m ciphey -t "MZWGCZ33OMYHE4SZL5RDA6L2L5EV65RTL5TDC3BTOJSUIXZXNA2HI7IK"
Result 'flag{th1s_is_t0ugh_with0u7_tsh4rk!}' (y/N): y
Checker: passed with regex re.compile('(?i)(htb|thm|flag|ctf)\\{.*\\}', re.IGNORECASE)
Format used:
  base32
  utf8
Final result: "flag{s0rrY_b0yz_I_v3_f1l3reD_7h4t}"
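As an added example (not part of the TryHackMe room or this write-up), the extraction and decoding steps above combined into a small Python detector: it parses constructed tshark field output (two fields, dns.id and dns.qry.name, assumed tab-separated as tshark prints them), groups queries by parent domain, and flags any parent whose queries all share one transaction ID and whose concatenated subdomain labels base32-decode to text. The sample lines are rebuilt from the base32 string extracted above plus a few benign lookups, not from a real capture.

```python
import base64
from collections import defaultdict

# Constructed sample, not a real capture: the lines that
#   tshark -r pcap -Y "dns.flags.response == 0" -T fields -e dns.id -e dns.qry.name
# would print, rebuilt from the base32 string extracted above (one character per
# query, all with transaction id 0xbeef) plus a few benign lookups mixed in.
EXFIL = "MZWGCZ33OMYHE4SZL5RDA6L2L5EV65RTL5TDC3BTOJSUIXZXNA2HI7IK"
SAMPLE_LINES = [f"0xbeef\t{c}.m4lwhere.org" for c in EXFIL]
SAMPLE_LINES[10:10] = ["0x75c0\twww.netbsd.org", "0xf0d4\twww.netbsd.org"]
SAMPLE_LINES.append("0x8db3\twww.google.com")


def parse_queries(lines):
    """Turn tab-separated tshark field output into (txid, name) tuples."""
    queries = []
    for line in lines:
        txid, name = line.rstrip("\n").split("\t")
        queries.append((int(txid, 16), name.lower()))  # accepts 0xbeef or 0x0000beef
    return queries


def group_by_parent(queries, depth=2):
    """Group queries by parent domain (last `depth` labels), keeping capture order."""
    groups = defaultdict(list)
    for txid, name in queries:
        labels = name.split(".")
        groups[".".join(labels[-depth:])].append((txid, ".".join(labels[:-depth])))
    return groups


def find_exfil(queries, min_queries=16):
    """Report parent domains whose subdomains look like a covert channel: many
    queries, all with one transaction id, whose joined labels are base32 text."""
    findings = {}
    for parent, items in group_by_parent(queries).items():
        txids = {txid for txid, _ in items}
        payload = "".join(sub for _, sub in items)
        if len(items) < min_queries or len(txids) != 1:
            continue
        try:
            padded = payload.upper() + "=" * (-len(payload) % 8)
            decoded = base64.b32decode(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base32, or not text: no finding for this parent
        findings[parent] = (txids.pop(), decoded.strip())
    return findings
```

Run against real tshark output by piping it into parse_queries line by line; the same-transaction-ID check is what separates this traffic from a normal resolver, which randomises the ID per query.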
