
雪峰磁针石: Linux automation

oychw.cublog.cn


Anti-Hacker Tool Kit, 3rd Edition, §16 Sniffers, Part 1: tcpdump

磁针石

Contact: QQ: 37391319; Gmail and GTalk: xurongzhong@gmail.com

§16 Sniffers

In a LAN, a switch knows which MAC address is attached to which port, whereas a hub simply broadcasts every frame to all ports. Switches have a management port from which all traffic can be monitored.

 

§16.1 Sniffer overview

Sniffers work at a low level, in the kernel or as OS-level applications, generally at the Data Link layer. Using SSH, SSL or VPNs protects against eavesdropping.

§16.2 BUTTSNIFFER

Download: http://packetstormsecurity.nl/sniffers/buttsniffer/

Most Windows systems flag it as a virus, and it has not been updated for a long time, so it is not covered here.

§16.3 TCPDUMP / WINDUMP

Tcpdump download: http://www.tcpdump.org

WinDump download: http://winpcap.org/windump/

BUTTSniffer is mainly used as a plugin for eavesdropping on a system. Tcpdump is mainly used for network monitoring, traffic analysis and packet capture.

Installation

Both require the pcap library. Developed by Lawrence Berkeley National Laboratory, it provides an OS-level interface and functions for packet filtering and for restoring IP packets to their raw data.

On Unix, installation requires the libpcap library. Libpcap is a system-independent interface to the kernel-level packet filter. If it is not present, it can be downloaded from http://www.tcpdump.org. Linux has a built-in "packet" protocol that works with libpcap; BSD and other Unix systems use BPF (Berkeley Packet Filtering).

 

Implementation

Tcpdump generally requires root privileges. On Windows, WinDump tries to load the WinPcap DLL if it is not already running. Loading it requires Administrator privileges, but once it is loaded, any user can use WinDump.

Type qualifiers: host, net, and port

# tcpdump host 192.168.1.100 and port 80

Direction qualifiers: src (source) and dst (destination):

# tcpdump src host 192.168.1.100 and dst port 80

 

# tcpdump \(src or dst host 192.168.1.100\) and \(src or dst port 80\)

For SLIP, PPP and similar links, tcpdump uses the qualifiers inbound and outbound.

Protocol qualifiers: tcp, udp and icmp; ip, ip6, arp, and ether

# tcpdump src host 192.168.1.100 and udp dst port 53

# tcpdump arp net 192.168.1

 

The general syntax is: [protocol qualifier] [directional qualifier] <type qualifier> <value>

 

Other qualifiers:

Table 16-1: Qualifiers

gateway
    Displays only packets that use router1 as a gateway. The value used with gateway must be a hostname, as the expression needs to resolve the hostname to an IP (using /etc/hosts or DNS) as well as an Ethernet address (using /etc/ethers).
    Example: tcpdump gateway router1
    (To use straight IP and MAC addresses, use "tcpdump ether host <mac_of_gateway> and not ip host <ip_of_gateway>", which is equivalent to using the gateway filter but with addresses instead of hostnames.)

broadcast, multicast
    broadcast displays only packets that are broadcast packets (in this case, packets with a destination of 192.168.1.0 or 192.168.1.255). multicast displays only IP multicast packets.
    Example: tcpdump ip broadcast net 192.168.1

proto
    This useful qualifier allows you to specify subprotocols of a particular protocol, even if tcpdump doesn't have a built-in keyword for it. Protocol names must be escaped using backslashes to keep tcpdump from interpreting them as keywords, but you can also use protocol numbers here. Some popular IP subprotocol numbers are 1 (ICMP), 6 (TCP), and 17 (UDP).
    Example: tcpdump ip proto 17
    (The expression "ip host 192.168.1.100 and tcp port 80" could be written "ether proto \\ip and host 192.168.1.100 and ip proto \\tcp and port 80". Notice how the protocol modifier in each case gets expanded to <protocol> proto <subprotocol>.)

mask
    This qualifier can specify a subnet mask for net type qualifiers. It is rarely used, because you can specify the netmask in the value for the net type qualifier.
    Example: tcpdump net 192.168.1.0 mask 255.255.255.0
    (Or alternatively tcpdump net 192.168.1.0/24)

len, greater, less
    Packets can be filtered on their size. The greater and less qualifiers are simply shorthand for length expressions that use the len keyword. Both examples show only packets that are 80 bytes or larger.
    Examples: tcpdump greater 80 and tcpdump 'len >= 80' (the quotes keep the shell from treating >= as a redirection)

Packet content expressions
    For advanced users. You can match packets based on their contents. Take a protocol name (such as ether, ip, or tcp), followed by the byte offset and size of the desired header value in brackets, followed by a Boolean operator and another expression. Note that most expressions need to be enclosed in quotation marks because the shell you're using will probably try to interpret them before tcpdump does.
    Example: tcpdump 'udp[4:2] = 24'
    Referencing Appendix A, you'll notice that byte 4 of a UDP header refers to the "length" of the packet. You'll also notice that the "length" value is 16 bits or 2 bytes long. Therefore, the above expression looks at the value in the two bytes 4 and 5 (the "length"), and matches only packets with a value of 24.

 

 

Values: the values for the qualifiers depend on the qualifier used. In general, the value will be either a symbolic name or a corresponding number:

  • host-type qualifiers have values of hostnames or numeric addresses. (Whether they're IP addresses, MAC addresses, or other addresses depends on the protocol qualifier preceding them.)
  • port-type qualifiers use symbolic names (from /etc/services) for ports or the port numbers themselves.
  • net-type qualifiers use network addresses and network masks written either with only the network octets (such as 192.168), with a network followed by the number of network bytes (192.168.0.0/16), or with a network followed by a netmask (192.168.0.0 mask 255.255.0.0).
  • proto-type qualifiers use symbolic names (ip, tcp, udp) or protocol numbers defined in /etc/protocols.

 

Note: Because Windows has no /etc directory, WinDump uses hosts and services files that are installed in the Windows root directory (for example, C:\Windows\System32\Drivers\Etc).

 

 

Table 16-2: tcpdump options

-a
    Resolves IP addresses to hostnames.

-c <num>
    Sniffs until <num> packets have been received, then exits.

-C <file_size>
    If you're using -w to write captured packets to a file, you can use -C to limit the size of that file. For example, tcpdump -w capture.dat -C 20 would write the first 20 million bytes of data to capture.dat, the next 20 million bytes to capture.dat.2, and so on.

-d, -dd, -ddd
    Takes the filter you specify on the command line and, instead of sniffing, outputs the packet matching code for that filter in compiled assembly code, a C program fragment, or a decimal representation, respectively. Used mainly for debugging and rarely useful to beginner and intermediate users.

-e
    Displays the link-level header. For example, if you're on an Ethernet network, you can display the Ethernet headers of your packets. Useful if you're interested in the lower-level networking details of a particular part of traffic (such as determining the MAC address of another machine).

-E <algo:secret>
    Attempts to decrypt sniffed IPsec packets using the encryption algorithm algo and the ESP secret secret. This works only if tcpdump is compiled with cryptography and is not recommended in production environments, as providing an ESP secret on the command line is usually a bad idea.

-F <file>
    Reads your filter expression from a file instead of the command line.

-i <interface>
    Listens on a particular interface. With Unix, you can use ifconfig to see the available network interfaces. With Windows, you can use windump -D to find the interface number that corresponds to the network interface in which you're interested.

-l
    Has tcpdump's standard output use line buffering so that you can page through the output. Without this option, output redirection will keep any output from being written until tcpdump exits.

-n
    Does not resolve IP addresses to hostnames.

-N
    Suppresses printing of the FQDN (fully qualified domain name) of the host; only the hostname is printed.

-O
    Suppresses the packet matching code optimizer. You can use this if it appears that the packet filter you feed to tcpdump is missing packets or includes packets that should be filtered out.

-p
    Tells tcpdump not to put the network interface in promiscuous mode. Useful if you're interested in sniffing only local traffic (that is, traffic to and from the machine you're using).

-q
    Tells tcpdump not to print as much packet header information. You lose a lot of the nitty-gritty details, but you still see the timestamp and hosts involved.

-r <file>
    Tcpdump can write its output to a binary file (see -w). This tells tcpdump to read that file and display its output. Since tcpdump captures the raw data based on the packet filter you specify on the command line, you can use -r to reread the packet capture data and apply output formatting flags after the fact (-n, -l, -e, and -X) to display the output in a variety of ways.

-s <bytes>
    Specifies how many bytes per packet tcpdump should try to "snarf." The default is 68. Making this value too high can cause tcpdump to miss packets.

-S
    Tells tcpdump to print absolute TCP sequence numbers. The default is to use relative sequence numbers so that you can see by how many bytes the sequence number changes between packets over the time of a TCP connection. Using absolute numbers means that you'll have to do the math yourself.

-t, -tt, -ttt
    Tells tcpdump not to print a timestamp at all, to print an unformatted timestamp (the number of seconds since the epoch, January 1, 1970), or to print the change in time (in microseconds) between output lines, respectively.

-T <type>
    Tcpdump can natively interpret some other IP protocols and display appropriately formatted output for them, such as DHCP, DNS, NBT, and ARP. This tells tcpdump to interpret the selected packets as a particular protocol type, such as RPC or SNMP.

-v, -vv, -vvv
    Controls tcpdump's level of verbosity. The more vs you have, the more information you'll get and the more interpretation tcpdump will do.

-w <file>
    Doesn't translate the packet capture data into human-readable format; writes it to a binary file called <file> instead. Useful if you've captured data and want to use tcpdump or another tool such as Ethereal to view it later in different ways (see -r). Since it isn't translating the data to a human-readable format, it makes tcpdump more efficient and less likely to miss packets. Useful on a system with an extremely large volume of traffic.

-x
    Displays the packet in hex. Sit down with the output of this command and a TCP/IP book if you want to learn more about TCP headers and things of that nature. This is an advanced feature that can help you spot packets that might have data hidden in the IP options or other packet mangling.

-X
    Similar to the hex option, but it also displays the contents of the packet in ASCII, letting us see any clear-text character data contained within the packet. This is where you might be able to sniff usernames, passwords, and other interesting information floating around the Net.

 

 

An FTP session:

22:43:06.164036 IP 10.0.1.2.54941 > jungle.metalab.unc.edu.ftp: S
   1853600587:1853600587(0) win 65535 <mss 1460,nop,wscale
   0,nop,nop,timestamp 230590940 0>
22:43:06.250777 IP jungle.metalab.unc.edu.ftp > 10.0.1.2.54941: S
   1338644912:1338644912(0) ack 1853600588 win 5792 <mss 1460,nop,
   nop,timestamp 670180642 230590940,nop,wscale 0>
22:43:06.250876 IP 10.0.1.2.54941 > jungle.metalab.unc.edu.ftp: .
   ack 1 win 65535 <nop,nop,timestamp 230590940 670180642>
22:43:06.342226 IP jungle.metalab.unc.edu.ftp > 10.0.1.2.54941: P
   1:38(37) ack 1 win 5792 <nop,nop,timestamp 670180652 230590940>
22:43:06.344117 IP 10.0.1.2.54941 > jungle.metalab.unc.edu.ftp: P
   1:17(16) ack 38 win 65535 <nop,nop,timestamp 230590941 670180652>
22:43:06.429535 IP jungle.metalab.unc.edu.ftp > 10.0.1.2.54941: .
 ack 17 win 5792 <nop,nop,timestamp 670180660 230590941>
22:43:06.430443 IP jungle.metalab.unc.edu.ftp > 10.0.1.2.54941: P
 38:114(76) ack 17 win 5792 <nop,nop,timestamp 670180660 230590941>

 

S indicates SYN. The initial sequence number is a random 32-bit value (0 to 4294967295); afterwards tcpdump prints relative values. The three-way handshake (mss 1460,nop,nop,sackOK) can be recognised by its two SYN packets.
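The following is an added example, not code from the book or the blog: it parses tcpdump's one-line summaries of the FTP session above (joining the wrapped continuation lines), recognises the SYN, SYN/ACK, ACK triple of the three-way handshake, and recovers the absolute sequence and acknowledgement numbers that tcpdump's default relative numbering hides (the arithmetic the -S option would otherwise leave to you). The sample is a constructed copy of the first five records of that session, and all function names are ours.

```python
"""Parse tcpdump TCP summaries, find the handshake, undo relative numbering."""
import re

# Constructed sample: the first five records of the FTP session above.
SAMPLE_SESSION = """\
22:43:06.164036 IP 10.0.1.2.54941 > jungle.metalab.unc.edu.ftp: S
   1853600587:1853600587(0) win 65535 <mss 1460,nop,wscale
   0,nop,nop,timestamp 230590940 0>
22:43:06.250777 IP jungle.metalab.unc.edu.ftp > 10.0.1.2.54941: S
   1338644912:1338644912(0) ack 1853600588 win 5792 <mss 1460,nop,
   nop,timestamp 670180642 230590940,nop,wscale 0>
22:43:06.250876 IP 10.0.1.2.54941 > jungle.metalab.unc.edu.ftp: .
   ack 1 win 65535 <nop,nop,timestamp 230590940 670180642>
22:43:06.342226 IP jungle.metalab.unc.edu.ftp > 10.0.1.2.54941: P
   1:38(37) ack 1 win 5792 <nop,nop,timestamp 670180652 230590940>
22:43:06.344117 IP 10.0.1.2.54941 > jungle.metalab.unc.edu.ftp: P
   1:17(16) ack 38 win 65535 <nop,nop,timestamp 230590941 670180652>
"""

# One record: timestamp, endpoints, flags, optional seq range, optional ack, window.
RECORD = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SPFR.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


def join_continuations(text):
    """tcpdump wraps long records; an indented line belongs to the record above it."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.strip())
    return records


def parse_session(text):
    """Return one dict per record with numeric fields converted (None if absent)."""
    parsed = []
    for rec in join_continuations(text):
        m = RECORD.match(rec)
        if not m:
            raise ValueError("unrecognised record: " + rec)
        d = m.groupdict()
        for key in ("seq", "end", "len", "ack", "win"):
            d[key] = int(d[key]) if d[key] is not None else None
        parsed.append(d)
    return parsed


def find_handshake(records):
    """Locate SYN, SYN/ACK (ack = client ISN + 1), ACK (printed relative: ack 1).
    Returns (client, server, client_isn, server_isn) or None."""
    for i in range(len(records) - 2):
        syn, synack, ack = records[i:i + 3]
        if (syn["flags"] == "S" and syn["ack"] is None
                and synack["flags"] == "S" and synack["src"] == syn["dst"]
                and synack["ack"] == syn["seq"] + 1
                and ack["flags"] == "." and ack["src"] == syn["src"] and ack["ack"] == 1):
            return syn["src"], syn["dst"], syn["seq"], synack["seq"]
    return None


def to_absolute(records):
    """Convert the relative seq/ack numbers after the handshake back to absolute
    ones: add the sender's ISN to seq and the receiver's ISN to ack."""
    handshake = find_handshake(records)
    if handshake is None:
        raise ValueError("no three-way handshake at the start of the session")
    client, server, client_isn, server_isn = handshake
    isn = {client: client_isn, server: server_isn}
    result = []
    for r in records[3:]:
        seq = None if r["seq"] is None else r["seq"] + isn[r["src"]]
        ack = None if r["ack"] is None else r["ack"] + isn[r["dst"]]
        result.append((r["src"], seq, ack))
    return result


if __name__ == "__main__":
    recs = parse_session(SAMPLE_SESSION)
    print("handshake:", find_handshake(recs))
    for src, seq, ack in to_absolute(recs):
        print(f"{src}: seq {seq} ack {ack}")
```

The SYN/ACK's acknowledgement number (client ISN plus one) is what ties the two halves of the handshake together; once both ISNs are known, every later relative number in the output is just an offset from them.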

The -X option shows the full contents of each packet (# tcpdump -X port 21). In the dump below, USER.root is the username and PASS.rss123 is the password, both sent in clear text.

# tcpdump -X port 21
tcpdump: listening on eth2
08:19:09.172874 10.50.44.88.32926 > 10.50.44.89.ftp: S 1394470701:1394470701(0) win 5840 <mss 1460,sackOK,timestamp 953706136 0,nop,wscale 0> (DF)
0x0000   4500 003c 89b5 4000 4006 43f2 0a32 2c58        E..<..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef2d 0000 0000        .2,Y....S..-....
0x0020   a002 16d0 61b3 0000 0204 05b4 0402 080a        ....a...........
0x0030   38d8 6698 0000 0000 0103 0300                  8.f.........
08:19:09.173003 10.50.44.89.ftp > 10.50.44.88.32926: S 381393638:381393638(0) ack 1394470702 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)
0x0000   4500 0034 0000 4000 4006 cdaf 0a32 2c59        E..4..@.@....2,Y
0x0010   0a32 2c58 0015 809e 16bb 9ae6 531d ef2e        .2,X........S...
0x0020   8012 16d0 7682 0000 0204 05b4 0101 0402        ....v...........
0x0030   0103 0300                                      ....
08:19:09.173126 10.50.44.88.32926 > 10.50.44.89.ftp: . ack 1 win 5840 (DF)
0x0000   4500 0028 89b6 4000 4006 4405 0a32 2c58        E..(..@.@.D..2,X
0x0010   0a32 2c59 809e 0015 531d ef2e 16bb 9ae7        .2,Y....S.......
0x0020   5010 16d0 b74d 0000 0000 0000 0000             P....M........
08:19:09.198970 10.50.44.89.ftp > 10.50.44.88.32926: P 1:35(34) ack 1 win 5840 (DF)
0x0000   4500 004a 71c9 4000 4006 5bd0 0a32 2c59        E..Jq.@.@.[..2,Y
0x0010   0a32 2c58 0015 809e 16bb 9ae7 531d ef2e        .2,X........S...
0x0020   5018 16d0 fb3a 0000 3232 3020 5765 6c63        P....:..220.Welc
0x0030   6f6d 6520 746f 2062 6c61 6820 4654 5020        ome.to.blah.FTP.
0x0040   7365 7276 6963 652e 0d0a                       service...
08:19:09.199113 10.50.44.88.32926 > 10.50.44.89.ftp: . ack 35 win 5840 (DF) [tos 0x10]
0x0000   4510 0028 89b7 4000 4006 43f4 0a32 2c58        E..(..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef2e 16bb 9b09        .2,Y....S.......
0x0020   5010 16d0 b72b 0000 0000 0000 0000             P....+........
08:19:21.557350 10.50.44.88.32926 > 10.50.44.89.ftp: P 1:12(11) ack 35 win 5840 (DF) [tos 0x10]
0x0000   4510 0033 89b8 4000 4006 43e8 0a32 2c58        E..3..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef2e 16bb 9b09        .2,Y....S.......
0x0020   5018 16d0 0e84 0000 5553 4552 2072 6f6f        P.......USER.roo
0x0030   740d 0a                                        t..
08:19:21.557363 10.50.44.89.ftp > 10.50.44.88.32926: . ack 12 win 5840 (DF)
0x0000   4500 0028 71ca 4000 4006 5bf1 0a32 2c59        E..(q.@.@.[..2,Y
0x0010   0a32 2c58 0015 809e 16bb 9b09 531d ef39        .2,X........S..9
0x0020   5010 16d0 b720 0000                            P.......
08:19:21.557534 10.50.44.89.ftp > 10.50.44.88.32926: P 35:69(34) ack 12 win 5840 (DF)
0x0000   4500 004a 71cb 4000 4006 5bce 0a32 2c59        E..Jq.@.@.[..2,Y
0x0010   0a32 2c58 0015 809e 16bb 9b09 531d ef39        .2,X........S..9
0x0020   5018 16d0 6fd5 0000 3333 3120 506c 6561        P...o...331.Plea
0x0030   7365 2073 7065 6369 6679 2074 6865 2070        se.specify.the.p
0x0040   6173 7377 6f72 642e 0d0a                       assword...
08:19:21.557728 10.50.44.88.32926 > 10.50.44.89.ftp: . ack 69 win 5840 (DF) [tos 0x10]
0x0000   4510 0028 89b9 4000 4006 43f2 0a32 2c58        E..(..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef39 16bb 9b2b        .2,Y....S..9...+
0x0020   5010 16d0 b6fe 0000 0000 0000 0000             P.............
08:19:24.264494 10.50.44.88.32926 > 10.50.44.89.ftp: P 12:25(13) ack 69 win 5840 (DF) [tos 0x10]
0x0000   4510 0035 89ba 4000 4006 43e4 0a32 2c58        E..5..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef39 16bb 9b2b        .2,Y....S..9...+
0x0020   5018 16d0 1130 0000 5041 5353 2072 7373        P....0..PASS.rss
0x0030   3132 330d 0a                                   123..
08:19:24.267934 10.50.44.89.ftp > 10.50.44.88.32926: P 69:102(33) ack 25 win 5840 (DF)
0x0000   4500 0049 71cc 4000 4006 5bce 0a32 2c59        E..Iq.@.@.[..2,Y
0x0010   0a32 2c58 0015 809e 16bb 9b2b 531d ef46        .2,X.......+S..F
0x0020   5018 16d0 5294 0000 3233 3020 4c6f 6769        P...R...230.Logi
0x0030   6e20 7375 6363 6573 7366 756c 2e20 4861        n.successful..Ha
0x0040   7665 2066 756e 2e0d 0a                         ve.fun...
08:19:24.268121 10.50.44.88.32926 > 10.50.44.89.ftp: . ack 102 win 5840 (DF) [tos 0x10]
0x0000   4510 0028 89bb 4000 4006 43f0 0a32 2c58        E..(..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef46 16bb 9b4c        .2,Y....S..F...L
0x0020   5010 16d0 b6d0 0000 0000 0000 0000             P.............
08:19:24.268132 10.50.44.88.32926 > 10.50.44.89.ftp: P 25:31(6) ack 102 win 5840 (DF) [tos 0x10]
0x0000   4510 002e 89bc 4000 4006 43e9 0a32 2c58        E.....@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef46 16bb 9b4c        .2,Y....S..F...L
0x0020   5018 16d0 030b 0000 5359 5354 0d0a             P.......SYST..
08:19:24.268313 10.50.44.89.ftp > 10.50.44.88.32926: P 102:121(19) ack 31 win 5840 (DF)
0x0000   4500 003b 71cd 4000 4006 5bdb 0a32 2c59        E..;q.@.@.[..2,Y
0x0010   0a32 2c58 0015 809e 16bb 9b4c 531d ef4c        .2,X.......LS..L
0x0020   5018 16d0 4f5f 0000 3231 3520 554e 4958        P...O_..215.UNIX
0x0030   2054 7970 653a 204c 380d 0a                    .Type:.L8..
08:19:24.307471 10.50.44.88.32926 > 10.50.44.89.ftp: . ack 121 win 5840 (DF) [tos 0x10]
0x0000   4510 0028 89bd 4000 4006 43ee 0a32 2c58        E..(..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef4c 16bb 9b5f        .2,Y....S..L..._
0x0020   5010 16d0 b6b7 0000 0000 0000 0000             P.............

 

Capture UDP packets that carry 0 or 1 bytes of payload. Following the UDP header format, start at byte 4 (offsets count from 0, so this is really the 5th byte) and take 2 bytes: the UDP length field (header plus payload, so 8 means an empty payload and 9 a single byte).

# tcpdump 'udp[4:2]=8 or udp[4:2]=9'

Show packets with the SYN flag set (bit 1 of the flags byte at TCP offset 13):

# tcpdump 'tcp[13] & 2 = 2 and host 192.168.1.100'
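The added example below is not code from the book or the blog; it decodes a `tcpdump -X` dump by hand and applies the same byte-offset tests that the packet-content expressions in Table 16-1 and the two filters above express: `tcp[13] & 2 = 2` (SYN flag), `udp[4:2]` (UDP length) and the data-offset nibble that locates the TCP payload. The sample is a constructed copy of four packets from the `tcpdump -X port 21` capture above (SYN, server banner, USER, PASS), plus a constructed UDP datagram; the helper names are ours. From a defender's side, the last function turns the capture into a finding: FTP credentials crossing the wire in clear text, with the password redacted in the report.

```python
"""Decode a tcpdump -X dump and apply tcpdump-style proto[offset:size] tests.

Added example, not from the book or the blog. Sample packets are a constructed
copy of the `tcpdump -X port 21` output above; helper names are ours."""
import re
import struct

# Constructed sample. This old tcpdump -X format starts at the IP header.
SAMPLE_CAPTURE = """\
08:19:09.172874 10.50.44.88.32926 > 10.50.44.89.ftp: S 1394470701:1394470701(0) win 5840
0x0000   4500 003c 89b5 4000 4006 43f2 0a32 2c58        E..<..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef2d 0000 0000        .2,Y....S..-....
0x0020   a002 16d0 61b3 0000 0204 05b4 0402 080a        ....a...........
0x0030   38d8 6698 0000 0000 0103 0300                  8.f.........
08:19:09.198970 10.50.44.89.ftp > 10.50.44.88.32926: P 1:35(34) ack 1 win 5840
0x0000   4500 004a 71c9 4000 4006 5bd0 0a32 2c59        E..Jq.@.@.[..2,Y
0x0010   0a32 2c58 0015 809e 16bb 9ae7 531d ef2e        .2,X........S...
0x0020   5018 16d0 fb3a 0000 3232 3020 5765 6c63        P....:..220.Welc
0x0030   6f6d 6520 746f 2062 6c61 6820 4654 5020        ome.to.blah.FTP.
0x0040   7365 7276 6963 652e 0d0a                       service...
08:19:21.557350 10.50.44.88.32926 > 10.50.44.89.ftp: P 1:12(11) ack 35 win 5840
0x0000   4510 0033 89b8 4000 4006 43e8 0a32 2c58        E..3..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef2e 16bb 9b09        .2,Y....S.......
0x0020   5018 16d0 0e84 0000 5553 4552 2072 6f6f        P.......USER.roo
0x0030   740d 0a                                        t..
08:19:24.264494 10.50.44.88.32926 > 10.50.44.89.ftp: P 12:25(13) ack 69 win 5840
0x0000   4510 0035 89ba 4000 4006 43e4 0a32 2c58        E..5..@.@.C..2,X
0x0010   0a32 2c59 809e 0015 531d ef39 16bb 9b2b        .2,Y....S..9...+
0x0020   5018 16d0 1130 0000 5041 5353 2072 7373        P....0..PASS.rss
0x0030   3132 330d 0a                                   123..
"""

# Hex line: offset, then 2- or 4-digit hex groups separated by single spaces.
# The ASCII column sits after a wider gap and is therefore not captured.
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{2}){1,2}(?: (?:[0-9a-f]{2}){1,2})*)")


def parse_capture(text):
    """A summary line starts a packet; the 0x.... lines after it carry its bytes."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if m:
            if not packets:
                raise ValueError("hex line before any summary line")
            packets[-1]["raw"] += bytes.fromhex(m.group(1).replace(" ", ""))
        else:
            packets.append({"summary": line.strip(), "raw": b""})
    return packets


def field(segment, offset, size=1):
    """tcpdump's proto[offset:size] primitive: big-endian integer at offset."""
    return int.from_bytes(segment[offset:offset + size], "big")


def decode_ipv4(raw):
    """Header fields plus the layer-4 segment (IHL words * 4 up to total length)."""
    if field(raw, 0) >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total_len = (field(raw, 0) & 0x0F) * 4, field(raw, 2, 2)
    return {"src": ".".join(str(b) for b in raw[12:16]),
            "dst": ".".join(str(b) for b in raw[16:20]),
            "proto": field(raw, 9), "l4": raw[ihl:total_len]}


def is_syn(tcp):
    """Same test as the filter 'tcp[13] & 2 = 2' (byte 13 holds the TCP flags)."""
    return field(tcp, 13) & 0x02 == 0x02


def tcp_ports(tcp):
    return field(tcp, 0, 2), field(tcp, 2, 2)


def tcp_payload(tcp):
    """Skip the header using the data-offset nibble (tcp[12] >> 4, in 32-bit words)."""
    return tcp[(field(tcp, 12) >> 4) * 4:]


def udp_payload_len(udp):
    """'udp[4:2]' is the UDP length including the 8-byte header, so the filter
    'udp[4:2]=8 or udp[4:2]=9' selects datagrams with 0 or 1 payload bytes."""
    return field(udp, 4, 2) - 8


def find_cleartext_ftp_auth(packets):
    """Report USER/PASS commands sent in the clear to port 21; redact the password."""
    findings = []
    for pkt in packets:
        ip = decode_ipv4(pkt["raw"])
        if ip["proto"] != 6:          # TCP only
            continue
        if tcp_ports(ip["l4"])[1] != 21:
            continue                  # ignore server-to-client replies
        line = tcp_payload(ip["l4"]).decode("ascii", "replace").rstrip("\r\n")
        cmd, _, arg = line.partition(" ")
        if cmd == "USER":
            findings.append((ip["src"], ip["dst"], "USER", arg))
        elif cmd == "PASS":
            findings.append((ip["src"], ip["dst"], "PASS", "<redacted>"))
    return findings


# Constructed UDP datagram: 8-byte header (length field 9) plus a 1-byte payload.
SAMPLE_UDP = struct.pack("!HHHH", 40000, 53, 9, 0) + b"A"

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for p in pkts:
        ip = decode_ipv4(p["raw"])
        print(ip["src"], "->", ip["dst"], "SYN" if is_syn(ip["l4"]) else "", tcp_payload(ip["l4"]))
    print(find_cleartext_ftp_auth(pkts), "udp payload bytes:", udp_payload_len(SAMPLE_UDP))
```

The same offsets drive both the decoder and tcpdump's filter language, which is why a mistake of one byte in a content expression silently matches the wrong field; checking the expression against a decoded packet like this is the quickest way to confirm it before running it on live traffic.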

Common options:

tcpdump [-nn] [-i interface] [-w output file] [-c count] [-Ae] [-qX] [-r file] [filter expression]

Options:

-nn: show IP addresses and port numbers directly, rather than host names and service names
-i: the network interface to listen on, for example eth0, lo, ppp0
-w: write the captured packet data to a file; followed by the file name
-c: the number of packets to capture; without it, tcpdump keeps listening until the user presses Ctrl-C
-A: show packet contents as ASCII, commonly used to capture WWW page data
-e: show data-link layer (OSI layer 2) MAC frame data
-q: print only brief packet information, so each line is more concise
-X: list packet contents in both hexadecimal and ASCII, which is very useful for examining packet contents
-r: read packet data from the file that follows; the file must already exist and must have been produced by -w

 

While tcpdump is running, /var/log/messages will contain a message such as "entered promiscuous mode".

 

An example used by Gaccia (options must precede the filter expression, since tcpdump treats everything after the first non-option as part of the expression): tcpdump -v -x -a -s 8024 src 10.56.14.166 or dst 10.56.14.166

Published: 2008-05-15, modified: 2008-05-15 08:57, viewed 4824 times, 0 comments

