Ncat과 tcpdump 숙련도를 올릴 필요가 있다.
Ncat (netcat 향상버전, SSL지원, 접속IP 화이트리스트 지원, 암호화로 IDS 탐지 회피 가능)
Ncat was written for the Nmap project9 as a much-improved reimplementation of the original Netcat program.
2.2.1 - Exercises
1. Use Ncat to create an encrypted reverse shell from your Windows system to your
Kali machine
2. Create an encrypted bind shell on your Windows VM. Try to connect to it from
Kali without encryption. Does it still work?
3. Make an unencrypted Ncat bind shell on your Windows system. Connect to the
shell using Netcat. Does it work?
Wireshark (패킷스니핑)
이건 ㅈ밥이라 딱히 정리할게 없음.
netcat과 ncat의 SSL 비교정도해보자.
2.3.5 - Exercises
1. Use Wireshark to capture the network activity of Netcat connecting to port 110
(POP3) and attempting a login.
2. Read and understand the output. Where is the session three-way handshake?
Where is the session closed?
3. Follow the TCP stream to read the login attempt.
4. Use the display filter to only see the port 110 traffic
5. Re-run the capture, this time using the capture filter to only collect port 110
tcpdump (cli기반 네트워크 캡쳐)
#tcpdump -r [파일명].pcap
-r: read
-n: don't convert address
-X: hex포멧으로 보기
-A: Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
src host [호스트 주소]: 출발지 기반 필터
dst host [호스트 주소]: 목적지 기반 필터
port [포트번호]: 포트기반 필터
#tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
#tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
#tcpdump -n port 81 -r password_cracking_filtered.pcap
The output is a bit overwhelming at first, so let’s try to get a better understanding of the
IP addresses and ports involved by using awk and sort.
#tcpdump -n -r ~~.pcap | awk -F " " '{print $3}' | sort -u | head
sort -u: unique(정렬하고 중복제거)
awk -F: field-separator(필드 구분자 설정), awk는 패턴 스캔 처리 언어임
Advanced Header Filtering
We would like to filter out and display only the data packets in the dump which have the PSH and ACK flags turned on. As can be seen in the following diagram, the TCP flags are defined in the 14th byte of the TCP header.
CEUAPRSF
00011000 = 24 in decimal
Our command would look similar to the following – specifying that the 14th byte in the
packets displayed should have ACK or PSH flags set:
root@kali:~# tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap
2.4.3 - Exercises
1. Use tcpdump to recreate the wireshark exercise of capturing traffic on port 110.
2. Use the -X flag to view the content of the packet. If data is truncated, investigate
how the -s flag might help.
'OSCP > OSCP Course PDF' 카테고리의 다른 글
| 4. Active Information Scanning - 1 (0) | 2020.02.19 |
|---|---|
| 3. Passive Information Gathering (0) | 2020.02.19 |
| 2. Essential tool - Netcat, rdesktop (0) | 2020.02.17 |
| 1.Bash (0) | 2020.02.16 |
| 1. Find와 Service (0) | 2020.02.16 |