Writing capture filters
If you repost this, please send me some suggestions before doing so. Thank you.
Baidu turns up nothing on this subject, so here is some material to feed its rather feeble search.
Reading http://www.n-cg.net/CaptureFilters.htm
Capture filters are written in tcpdump (BPF) syntax.
Host filtering:

| Syntax | Description |
|---|---|
| host host | host is either an IP address or a host name |
| src host host | Capture all packets where host is the source |
| dst host host | Capture all packets where host is the destination |

Examples:

| Filter | Description |
|---|---|
| host 10.10.10.10 | Capture all packets to and from 10.10.10.10 |
| src host 10.10.10.10 | Capture all packets where 10.10.10.10 is the source |
| dst host 10.10.10.10 | Capture all packets where 10.10.10.10 is the destination |
Port filtering:

| Syntax | Description |
|---|---|
| port port | Capture all packets where port is either the source or the destination port |
| src port port | Capture all packets where port is the source port |
| dst port port | Capture all packets where port is the destination port |

Examples:

| Filter | Description |
|---|---|
| port 80 | Capture all packets where 80 is either the source or the destination port |
| src port 80 | Capture all packets where 80 is the source port |
| dst port 80 | Capture all packets where 80 is the destination port |
Network filtering:

| Syntax | Description |
|---|---|
| net net | Capture all packets to/from net |
| src net net | Capture all packets where net is the source |
| dst net net | Capture all packets where net is the destination |

Examples:

| Filter | Description |
|---|---|
| net 192.168 | Capture all packets on the 192.168.0.0 network (tcpdump reads a two-octet net as 192.168.0.0/16; write net 192.168.1.0/24 or net 192.168.1.0 mask 255.255.255.0 for a smaller range) |
| src net 192.168 | Capture all packets where the 192.168.0.0 network is the source |
| dst net 192.168 | Capture all packets where the 192.168.0.0 network is the destination |
----------The content above is fairly intuitive and presents no real difficulty. If anything is unclear, a Baidu search will do; the material is all similar. What follows cannot currently be found on Baidu, so it is where I focus my analysis.
Ethernet based filtering:

| Syntax | Description |
|---|---|
| ether proto \protocol | Capture all frames whose EtherType is the named protocol; the backslash is required because the names are also keywords of the filter language |

Examples:

| Filter | Description |
|---|---|
| ether proto \ip or just ip | Capture all IP packets |
| ether proto \arp or just arp | Capture all Address Resolution Protocol packets |
| ether proto \rarp or just rarp | Capture all Reverse ARP packets |

The names here are network-layer protocols: IP, IPX, X.25, ARP, RARP, ICMP and so on (the full list of layer-3 protocols is on Wikipedia: http://zh.wikipedia.org/wiki/Category:%E7%BD%91%E7%BB%9C%E5%B1%82%E5%8D%8F%E8%AE%AE). Note that ICMP is not an ether proto value: it is carried inside IP and is selected with ip proto \icmp (or simply icmp).
I tried it: ip, ipx, arp and rarp work; the others do not. Type them in lowercase. On a shell command line the backslash in the long form must itself be quoted, e.g. tcpdump 'ether proto \ip'; the short forms ip, arp and rarp need no escaping.
IP based filtering:

| Syntax | Description |
|---|---|
| ip proto \protocol | Capture all IP packets whose protocol field (ip[9]) is the named protocol |

Examples:

| Filter | Description |
|---|---|
| ip proto \tcp or just tcp | Capture all TCP segments (packets) |
| ip proto \udp or just udp | Capture all UDP packets |
| ip proto \icmp or just icmp | Capture all ICMP packets |

The three in the examples are the ones in common use.
You can combine primitive expressions using the following:
NOT: ! or not
AND: && or and
OR: || or or

Examples:

| Filter | Description |
|---|---|
| host 10.10.10.10 && !net 192.168 | Capture all packets to/from 10.10.10.10 that are not to/from 192.168.0.0/16 |
| host 10.10.10.10 && port 80 | Capture all packets to/from 10.10.10.10 whose source or destination port is 80 |
---------------The hard part
Byte offset notation
Byte offset notation is the most powerful rule but also the hardest to understand. Once you grasp it you can capture any kind of packet: this kind of rule can test any value in any packet. In short, very powerful, not very readable. Settle down and chew on this bone.
The syntax is: proto[offset in bytes from the start of that protocol's header : number of bytes to check]
In other words: protocol[starting position in the header, counting from byte 0 : how many bytes from that position]. The offset is relative to the start of the named header (ip[...] counts from the IP header, tcp[...] from the TCP header), not from the start of the frame.
Examples:

| Filter | Description |
|---|---|
| ip[8] | Go to byte 8 of the IP header and check one byte (the TTL field) |
| tcp[0:2] | Go to the start of the TCP header and check 2 bytes (the source port) |
Now that we know how to find a value within a packet, we have to do something with the value like compare it to another value. Tcpdump provides the usual comparison operators (>, <, >=, <=, =, !=).
Examples:

| Filter | Description |
|---|---|
| ip[8] = 1 | Capture all IP packets where the TTL is 1 |
| tcp[0:2] = 80 | Capture all TCP segments (packets) where 80 is the source port. This is equivalent to the filter src port 80 |
Tips to help you with byte offset notation:
1. Remember that the headers start with byte zero.
2. Always keep a layout of the headers of interest handy when designing filters with byte offset notation (for example ip, udp, tcp and icmp); analyse the structure first, then write the rule.
3. If you don't specify the number of bytes to check, one byte is checked. You can specify 1, 2 or 4 bytes (one ASCII letter or digit is one byte; a Chinese character is two bytes in GBK and three in UTF-8). A 3-byte slice is not accepted, so a 3-letter keyword has to be padded to 4 bytes.
4. One thing I would add: the offset cannot be arbitrarily large; in my tests 700 did not work. A BPF load that reaches past the captured bytes does not raise an error, it simply makes the filter reject that packet, so a large offset quietly matches nothing on short packets.
Reading only the theory is genuinely hard to follow, so let's try it hands-on. I had just captured some SSDP packets, which almost any NIC will pick up. We'll capture IP packets with TTL 1 as in the example above: ip[8] = 1.
Click "Time to live: 1" and the bytes pane jumps straight to the 01. The grey region is the IP header; counting confirms the position is 8 (counting from 0). Ahead of the IP header sit the layer-2 destination MAC, source MAC and the EtherType (the layer-3 protocol number).
Another example:
tcp[0:2] = 80, i.e. 0x0050
I captured HTTP packets, located the TCP layer first and then the source port 80 (port 80 is normally HTTP). In the figure above, 00 50 is the position of tcp[0:2]; in the TCP header layout this position is the source port.
With these two examples you should have a better grasp of byte offset rules.
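To make the offset rules concrete, here is an added example (my code, not code from this post or from n-cg.net) that builds constructed Ethernet/IPv4/TCP frames and evaluates proto[offset:width] loads the way BPF does: the offset is relative to the named header, only 1, 2 or 4 byte widths are accepted, and a read past the end of the packet rejects it instead of erroring. It also checks the fragmentation, SYN, TCP-options and GET filters that appear later on this page, including the options-safe form of the GET check. Only the standard library is used; no libpcap is involved, so it runs offline.

```python
"""Toy evaluator for tcpdump/BPF byte-offset loads such as ip[8] or tcp[0:2],
run over hand-built Ethernet/IPv4/TCP frames.  Added example; not code from
this post or from n-cg.net.  Every packet here is constructed test data."""
import struct

ETH_LEN = 14  # Ethernet II header: dst MAC (6), src MAC (6), EtherType (2)


def build_frame(ttl=64, sport=12345, dport=80, flags=0x18, payload=b"",
                tcp_options=b"", more_fragments=False, frag_offset=0):
    """Construct Ethernet + IPv4 + TCP bytes (checksums left at zero)."""
    tcp_options += b"\x00" * (-len(tcp_options) % 4)   # pad options to 32-bit words
    data_offset_words = (20 + len(tcp_options)) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                          data_offset_words << 4, flags, 65535, 0, 0)
    tcp = tcp_hdr + tcp_options + payload
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1fff)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                         flags_frag, ttl, 6, 0,
                         bytes([192, 168, 1, 10]), bytes([10, 10, 10, 10]))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"       # EtherType 0x0800 = IPv4
    return eth + ip_hdr + tcp


def header_start(frame, proto):
    """Offset of the named header inside the frame, or None if absent.
    This is what makes tcp[0] mean 'first byte of the TCP header' rather
    than 'first byte of the frame'."""
    if proto == "ether":
        return 0
    if frame[12:14] != b"\x08\x00":
        return None
    if proto == "ip":
        return ETH_LEN
    ihl_bytes = (frame[ETH_LEN] & 0x0f) * 4            # ip[0] & 0x0f, in 32-bit words
    wanted = {"tcp": 6, "udp": 17, "icmp": 1}.get(proto)
    if wanted is None or frame[ETH_LEN + 9] != wanted:  # ip[9]
        return None
    return ETH_LEN + ihl_bytes


def load(frame, proto, offset, width=1):
    """Evaluate proto[offset:width].  Returns the big-endian integer, or None
    when the read runs past the end of the packet: BPF aborts the load and
    the whole filter then rejects that packet, with no error."""
    if width not in (1, 2, 4):
        raise ValueError("tcpdump slices may only be 1, 2 or 4 bytes wide")
    start = header_start(frame, proto)
    if start is None:
        return None
    lo, hi = start + offset, start + offset + width
    if hi > len(frame):
        return None
    return int.from_bytes(frame[lo:hi], "big")


# The filters used on this page, written as checks against load().
def ttl_is_one(frame):                 # ip[8] = 1
    return load(frame, "ip", 8) == 1


def src_port_is_80(frame):             # tcp[0:2] = 80
    return load(frame, "tcp", 0, 2) == 80


def is_fragment(frame):                # ip[6:2] & 0x2000 = 0x2000 or ip[6:2] & 0x1fff != 0
    v = load(frame, "ip", 6, 2)
    return v is not None and (v & 0x2000 == 0x2000 or v & 0x1fff != 0)


def syn_set(frame):                    # tcp[13] & 0x02 = 2
    v = load(frame, "tcp", 13)
    return v is not None and v & 0x02 == 2


def has_tcp_options(frame):            # tcp[12] & 0xf0 > 0x50
    v = load(frame, "tcp", 12)
    return v is not None and v & 0xf0 > 0x50


def payload_starts_with_get(frame):
    """tcp[20:4] = 0x47455420 as written on the page: byte 20 is only the
    start of the payload when the TCP header carries no options."""
    return load(frame, "tcp", 20, 4) == 0x47455420


def payload_starts_with_get_any_header(frame):
    """Options-safe form tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420: the data
    offset nibble, times 4, locates the payload whatever the header length."""
    doff = load(frame, "tcp", 12)
    return doff is not None and load(frame, "tcp", (doff & 0xf0) >> 2, 4) == 0x47455420


# Constructed sample packets: a bare request with TTL 1 from port 80, and the
# same request on a connection using NOP,NOP,Timestamp options (12 bytes).
PLAIN = build_frame(ttl=1, sport=80, payload=b"GET / HTTP/1.1\r\n")
WITH_OPTS = build_frame(payload=b"GET / HTTP/1.1\r\n",
                        tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)

if __name__ == "__main__":
    print(ttl_is_one(PLAIN), src_port_is_80(PLAIN))                      # True True
    print(payload_starts_with_get(WITH_OPTS),                              # False
          payload_starts_with_get_any_header(WITH_OPTS))                   # True
    print(load(PLAIN, "tcp", 700))                                         # None
```

The two GET checks are the point of the exercise: on WITH_OPTS the fixed offset 20 lands on the option bytes and the page's filter misses the request, while the data-offset form finds it. The None returned for tcp[700] is the behaviour behind tip 4 above.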
One more example: http[0:3]=="GET"
This captures HTTP GET requests. As shown in the figure below, the hex encoding of GET is found by typing GET in UltraEdit and pressing Ctrl+H to switch to hex view: 47 45 54.
Note that http[0:3] == "GET" is Wireshark display filter syntax (it slices the dissected HTTP payload). The capture filter language has no http keyword and does not allow a 3-byte slice, which is why the capture version later in this post compares 4 bytes: tcp[20:4] = 0x47455420 ("GET ").
Getting a little excited? We are getting closer to the goal. I want to filter out the packets that carry the username and password. I guess those packets contain strings like username= and password=, so go straight for the target packets and drop the irrelevant ones.
Take the login form of a site that transmits in plaintext (not HTTPS) as an example, as shown below:
It submits a username, a password and a captcha. The parameters are as follows:
If you capture the request with Burp Suite:
The parameter values in the figure above differ from one another; don't worry about that, the input was typed at random. What matters is the field names, such as j_username.
Set the rule as follows:
(http contains "username") and (http[0:4]=="POST")
That is: POST requests that contain "username". This locks onto the target directly, with no extra packets cluttering the view. (This too is a display filter: both http contains and http[0:4] operate on the dissected HTTP layer.)
The official site has a set of common filters that looks quite practical; I have reproduced it here.
http://www.n-cg.net/CaptureFilters.htm
Building a Basic Filter Set
This section will assist you with building your basic filter set.
The basic filter set should include filters to capture packets on well known service ports.
The table below should get you started.
| Filter Name | Filter String |
|---|---|
| HTTP_80 | port 80 |
| DNS_53 | port 53 |
| SMTP_25 | port 25 |
| FTP_CMD_21 | port 21 |
| TELNET_23 | port 23 |
| POP3_110 | port 110 |
| SNMP_161_162 | port 161 or port 162 |
| IMAP_143 | port 143 |
| NNTP_119 | port 119 |
| LDAP_389 | port 389 |
| NCP_524 | port 524 |
| Netbios_SMB_137_138_139 | port 137 or port 138 or port 139 |
| Host based filtering | host <ip address or hostname> |
| Port based filtering | port <port number> |
| IP Fragmentation | ip[6:2] & 0x2000 = 0x2000 or ip[6:2] & 0x1fff != 0x0000 |
| IP_All | ip |
| TCP_All | tcp |
| UDP_All | udp |
| ARP_Ether | arp |
| ICMP_ALL | icmp |
| ICMP_ping | icmp[0] = 0 or icmp[0] = 8 |
| ICMP_noPing | icmp[0] != 0 and icmp[0] != 8 |
| IGMP | ip[9] = 2 |
| EGP | ip[9] = 8 |
| Multicast | net 224.0.0 |
| Multicast (another variation) | ip multicast |
| Multicast (link layer) | ether multicast |

Note that net 224.0.0 only covers 224.0.0.0/24 (the local-control block); the whole IPv4 multicast range is 224.0.0.0/4, which is what ip multicast tests. The IP Fragmentation entry matches either the More Fragments flag (bit 0x2000) or a non-zero fragment offset (the low 13 bits), so it catches every fragment including the last one.
You can use the common packet offsets table as a shortcut to help build other filters.
Header Offset Shortcuts
| Field | Length (bits) | tcpdump Filter |
|---|---|---|
| IP Header Length | 4 | ip[0] & 0x0f (in 32-bit words; multiply by 4 for bytes) |
| IP Packet Length | 16 | ip[2:2] |
| IP TTL | 8 | ip[8] |
| IP Protocol | 8 | ip[9] |
| IP Address Source | 32 | ip[12:4] |
| IP Address Destination | 32 | ip[16:4] |
| IP Fragmentation | flags = 3, offset = 13 | ip[6:2] & 0x2000 = 0x2000 or ip[6:2] & 0x1fff != 0x0000 |
| TCP Source Port | 16 | tcp[0:2] |
| TCP Destination Port | 16 | tcp[2:2] |
| TCP Header Length | 4 | tcp[12] & 0xf0 (the high nibble, in 32-bit words; (tcp[12] & 0xf0) >> 2 gives the length in bytes) |
| TCP Flags | 8 | tcp[13] |
| TCP Window Size | 16 | tcp[14:2] |
| ICMP Type | 8 | icmp[0] |
| ICMP Code | 8 | icmp[1] |
(After the introduction above, most of this table should now make sense; the remaining parts are explained below.)
Advanced Filters:
There are a few hard points here too; persevere. Once you understand this step you can match any bit of the IP or TCP header. This is the essence of filtering: the ordinary rules above are all its descendants and could all be written from this principle. It is the grandfather of all rules, and very powerful.
SMTP
SMTP Commands - HELO, MAIL, RCPT, DATA, RSET, SEND, SOML, SAML, VRFY, EXPN, NOOP, QUIT and TURN:
port 25 and (tcp[12] & 0xf0 > 0x50 or tcp[20:4] = 0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4] = 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 or tcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659 or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] = 0x51554954 or tcp[20:4] = 0x5455524E)
Let me break that example down: port 25 captures packets on port 25, i.e. SMTP; tcp[12] & 0xf0 matches the high 4 bits of byte 12, where tcp[12] is byte 12 of the TCP header (counting from zero) and & 0xf0 masks off everything but the high 4 bits.
  0100 0101   suppose this is the value of tcp[12]
& 1111 0000   our mask, 0xf0
  0100 0000   only the top 4 bits survive, i.e. 0x40
To match the low four bits instead, use tcp[12] & 0x0f: if tcp[12] is 0100 0101 the result is 0101, i.e. 0x05.
tcp[20:4] = 0x48454C4F means that the 4 bytes starting at TCP byte 20 equal "HELO" (0x48 0x45 0x4C 0x4F are the ASCII codes of H, E, L, O).
MAIL, RCPT, DATA and the rest work the same way. In summary the rule means: port 25 and (the high nibble of byte 12 is greater than 0x50, i.e. the TCP header is longer than 20 bytes so the command would not sit at byte 20, or the 4 bytes from TCP byte 20 are HELO, MAIL, RCPT, DATA, RSET, SEND, SOML, SAML, VRFY, EXPN, NOOP, QUIT or TURN).
The official doc also shows how to match one specific bit, e.g. tcp[13] & 0x02 = 2 (the SYN flag in the TCP flags byte).
Once the principle above is understood, none of this is difficult.
Below are 2 more examples from the official site; analyze them patiently. These 3 examples go in the capture filter, not the display filter.
SMTP Reply/response codes - 214, 220, 221, 250, 251, 354, 421, 450, 451, 452, 500, 501, 502, 503, 504, 550, 551, 552, 553 and 554:
port 25 and (tcp[12] & 0xf0 > 0x50 or tcp[20:4] = 0x32323120 or tcp[20:4] = 0x32323420 or tcp[20:4] = 0x32353020 or tcp[20:4] = 0x32353120 or tcp[20:4] = 0x33353420 or tcp[20:4] = 0x34323120 or tcp[20:4] = 0x34353020 or tcp[20:4] = 0x34353120 or tcp[20:4] = 0x34353220 or tcp[20:4] = 0x35303020 or tcp[20:4] = 0x35303120 or tcp[20:4] = 0x35303220 or tcp[20:4] = 0x35303320 or tcp[20:4] = 0x35303420 or tcp[20:4] = 0x35353020 or tcp[20:4] = 0x35353120 or tcp[20:4] = 0x35353220 or tcp[20:4] = 0x35353320 or tcp[20:4] = 0x35353420)
Check the constants before relying on this one: the second literal, 0x32323420, decodes to "224 " rather than "214 " (0x32313420), and there is no term for "220 " (0x32323020). As written the filter therefore misses the 214 help reply and the 220 greeting while matching a code SMTP does not define.
SMTP Commands and reply (combination of the two above with tcp options, syn, fin, or reset flag set)
port 25 and (tcp[12] & 0xf0 > 0x50 or tcp[13] & 0x07 != 0 or tcp[20:4] = 0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4] = 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 or tcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659 or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] = 0x51554954 or tcp[20:4] = 0x5455524E or tcp[20:4] = 0x32323120 or tcp[20:4] = 0x32323420 or tcp[20:4] = 0x32353020 or tcp[20:4] = 0x32353120 or tcp[20:4] = 0x33353420 or tcp[20:4] = 0x34323120 or tcp[20:4] = 0x34353020 or tcp[20:4] = 0x34353120 or tcp[20:4] = 0x34353220 or tcp[20:4] = 0x35303020 or tcp[20:4] = 0x35303120 or tcp[20:4] = 0x35303220 or tcp[20:4] = 0x35303320 or tcp[20:4] = 0x35303420 or tcp[20:4] = 0x35353020 or tcp[20:4] = 0x35353120 or tcp[20:4] = 0x35353220 or tcp[20:4] = 0x35353320 or tcp[20:4] = 0x35353420)
NOTE: These SMTP filters will also capture any packets to/from port 25 with tcp options.
If you want to see how to build these filters, please refer to payload filtering.
Now I want to write a rule that captures plaintext usernames and passwords; these normally travel in HTTP GET and POST packets.
GET: tcp[20:4] = 0x47455420. This compares 4 bytes; the rule failed validation with 3 bytes (only 1, 2 or 4 are allowed), so a trailing space is appended: "GET ".
or
POST: tcp[20:4] = 0x504F5354
i.e. tcp[20:4] = 0x47455420 or tcp[20:4] = 0x504F5354
Adding a source address on the internal network narrows the capture further:
(src net 192.168) and (tcp[20:4] = 0x47455420 or tcp[20:4] = 0x504F5354)
Two caveats. Offset 20 assumes a TCP header without options; a request on a connection that negotiated timestamps or SACK has a longer header, and the method then starts at byte (tcp[12] & 0xf0) >> 2, so the robust form is tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420 (and likewise for POST). And the comparison only sees the first 4 payload bytes, so it selects the segment carrying the request line, not necessarily the one carrying the form body if the client sends them separately.
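The SMTP filters above and this GET/POST rule are the same pattern: a 4-byte ASCII prefix turned into a hex literal and compared at the start of the TCP payload. This added example (my code, not from this post or from n-cg.net) generates such filters from a keyword list, optionally in the options-safe form, and decodes the literals of a pasted filter back to text so a long rule can be audited against the list it claims to implement. It uses only the standard library and does not compile the filter; feed its output to tcpdump or Wireshark to use it.

```python
"""Generate and audit payload-prefix capture filters of the kind shown above
(port 25 and (tcp[12] & 0xf0 > 0x50 or tcp[20:4] = 0x48454C4F or ...)).
Added example; not code from this post or from n-cg.net."""
import re


def word_to_hex(word):
    """Encode a keyword of up to 4 ASCII bytes as the literal tcpdump compares
    against, e.g. 'HELO' -> '0x48454C4F'.  Shorter words are padded with a
    trailing space, exactly as the page pads 'GET' to 'GET ', because a slice
    may only be 1, 2 or 4 bytes wide."""
    if not 1 <= len(word) <= 4:
        raise ValueError("keyword must be 1..4 bytes: %r" % word)
    return "0x" + word.encode("ascii").ljust(4, b" ").hex().upper()


def hex_to_word(literal):
    """Inverse of word_to_hex, e.g. '0x32323420' -> '224 '."""
    return bytes.fromhex(literal[2:]).decode("ascii")


def audit_filter(expr):
    """Decode every 4-byte literal in a filter string, in order, so a long
    pasted rule can be checked against the list it claims to implement."""
    return [hex_to_word(m) for m in re.findall(r"0x[0-9A-Fa-f]{8}", expr)]


def payload_prefix_filter(port, words, options_aware=False):
    """Build 'port N and (...)' matching TCP segments whose first payload
    bytes are any of `words`.

    options_aware=False reproduces the page's style: the payload is assumed
    to start at TCP byte 20, and 'tcp[12] & 0xf0 > 0x50' is OR'd in so that
    segments carrying TCP options are captured wholesale rather than missed.
    options_aware=True computes the data offset from byte 12 instead, so the
    comparison lands on the payload whatever the header length."""
    slot = "tcp[((tcp[12]&0xf0)>>2):4]" if options_aware else "tcp[20:4]"
    terms = ["%s = %s" % (slot, word_to_hex(w)) for w in words]
    if not options_aware:
        terms.insert(0, "tcp[12] & 0xf0 > 0x50")
    return "port %d and (%s)" % (port, " or ".join(terms))


SMTP_COMMANDS = ["HELO", "MAIL", "RCPT", "DATA", "RSET", "SEND", "SOML",
                 "SAML", "VRFY", "EXPN", "NOOP", "QUIT", "TURN"]
SMTP_REPLIES = ["214", "220", "221", "250", "251", "354", "421", "450", "451",
                "452", "500", "501", "502", "503", "504", "550", "551", "552",
                "553", "554"]

if __name__ == "__main__":
    print(payload_prefix_filter(25, SMTP_COMMANDS))
    print(payload_prefix_filter(25, SMTP_REPLIES))
    print(payload_prefix_filter(80, ["GET", "POST"], options_aware=True))
    # Auditing two terms of the page's reply-code filter exposes the "224 ".
    print(audit_filter("tcp[20:4] = 0x32323120 or tcp[20:4] = 0x32323420"))
```

Running audit_filter over the reply-code filter from the site is how the 214/220/224 mix-up is spotted without reading hex by eye; generating the filter from SMTP_REPLIES produces the corrected constants.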
Here are some more HTTP filter rules, pasted directly from the web. These work at the application layer and can only be written as display filters.
HTTP filtering:
Examples:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
// GET packets containing a given header field
http.request.method == "GET" && http contains "Host: "
http.request.method == "GET" && http contains "User-Agent: "
// POST packets containing a given header field
http.request.method == "POST" && http contains "Host: "
http.request.method == "POST" && http contains "User-Agent: "
// Response packets containing a given header field
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
Rules for capturing plaintext password fields
Common username and password field names, extracted from Cain. This is a fishing expedition and depends on luck; it does not hit every time.
Username:
username
user
name
NAME
Login
login
id
ID
key
Password:
password
Password
PASS
pass
pwd
PWD
key
pw
The password is transmitted as text, so http.accept contains "text".
The rule is written as follows:
(http contains "user" or http contains "name" or http contains "NAME" or http contains "Login" or http contains "login" or http contains "id" or http contains "ID" or http contains "mail" or http contains "key" or http contains "password" or http contains "Password" or http contains "PASS" or http contains "pass" or http contains "pwd" or http contains "PWD" or http contains "pw") and (http.accept contains "text")
Two things to keep in mind when using it. http.accept is the client's Accept header, i.e. what it is willing to receive in the response; nearly every browser request carries one containing "text", so that clause barely narrows anything, and very short needles such as "id" and "name" match almost any HTTP packet. A tighter discriminator for form logins is http.request.method == "POST" && http.content_type contains "x-www-form-urlencoded", combined with the more specific needles ("user", "pass", "pwd", "login").