Advanced Penetration Testing Techniques - OT Range (2)


Posted by nathan2009729 on 2023-04-27

Next comes OT packet analysis. The first tool to learn is tcpdump:

Usage of tcpdump @ 暉獲無度的步烙閣 :: Xuite Blog

┌──(root㉿kali)-[~]
└─# ssh kevin@172.16.110.230
kevin@172.16.110.230's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 04 Apr 2023 09:34:07 AM UTC

  System load:  0.0                Processes:             161
  Usage of /:   12.0% of 61.51GB   Users logged in:       1
  Memory usage: 22%                IPv4 address for eth0: 172.16.110.230
  Swap usage:   0%


43 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun Mar 19 04:07:01 2023 from 172.16.253.15
kevin@BWA-OT:~$ sudo -i
sudo: unable to resolve host BWA-OT.CPENT.LOCALNET: Temporary failure in name resolution
[sudo] password for kevin:
Sorry, try again.
[sudo] password for kevin:
root@BWA-OT:~#

Collect packets with tcpdump. Two things to notice in the session below: the first run, with the filter `tcp and (not port 22) and (net 172.16.110.0/24)`, ended with 0 packets because nothing matching the filter crossed the interface while it ran, and `tcpdump vv` (missing the leading dash) fails because tcpdump treats `vv` as a filter expression; `-vv` is the option.

root@BWA-OT:~# tcpdump 'tcp and (not port 22) and (net 172.16.110.0/24)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@BWA-OT:~# tcpdump vv -w test1812.cap
tcpdump: can't parse filter expression: syntax error
root@BWA-OT:~# tcpdump -vv -w test1812.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C6893 packets captured
6895 packets received by filter
0 packets dropped by kernel
root@BWA-OT:~# ls
Downloads  rootflag.txt  snap  test1812.cap  xampp-linux-x64-8.0.14-1-installer.run

Copy the captured packets to the attacking machine for analysis:

root@BWA-OT:~# scp /root/test1812.cap kali@192.168.200.7:/home/kali/test1812.cap
The authenticity of host '192.168.200.7 (192.168.200.7)' can't be established.
ECDSA key fingerprint is SHA256:Qrsxh/VOOuYPH6Lk5h3T8TuOEEs544mmxniMPJ4wflc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.200.7' (ECDSA) to the list of known hosts.
kali@192.168.200.7's password:
test1812.cap                                                                 100%  766KB 366.2KB/s   00:02

Check where the file landed:

┌──(root㉿kali)-[~]
└─# cd /home/kali/

┌──(root㉿kali)-[/home/kali]
└─# ls
cve-2017-16995.c  Documents   linpeas.sh  LPT_day3  Pictures  target_machine  Videos
cyberlab.ovpn     Downloads   LPT_day1    LPT_day4  PT_day3   Templates       vulnOSv2
Desktop           LinEnum.sh  LPT_day2    Music     Public    test1812.cap

Solution approach:

The challenge mentions 192.168.110.230 and 172.25.100.105, so compromise those two hosts first, then use the tcpdump on them to collect traffic. `tcpdump -vv -w test.cap` captures everything; when it is done, send test.cap to Kali or to your own machine and analyze it in Wireshark (scp ~/test.cap kali@VPNIP:/home/xxx/test.cap). The analysis shows a source port of 502, the Modbus/TCP port (see the figure under Challenge 36). Then capture a second time restricted to that port, `tcpdump -vv -w test2.cap tcp port 502` (options go before the filter expression), and analyze the new cap file in Wireshark.

tcpdump together with Wireshark

Viewing tcpdump capture results with Wireshark - mozillazg's Blog

sudo tcpdump -i eth0 -w dump.pcap

But the course environment could not do this; the only option was to start the simulator program and then capture the packets with Wireshark.

The commands below use the Windows build of tcpdump as the example:

C:\Users\natha\OneDrive\桌面\tcpdump_trial_license>tcpdump.exe -D

********************************************************************
**                                                                **
**              Tcpdump v4.9.2 (September 03, 2017)               **
**                   http://www.tcpdump.org                       **
**                                                                **
** Tcpdump for Windows is built with Microolap Packet Sniffer SDK **
**              Microolap EtherSensor product family              **
**               >>> build 5072.01 June 10, 2019 <<<              **
**                                                                **
**        Copyright(c) 1997 - 2019 Microolap Technologies         **
**       http://microolap.com/products/network/ethersensor        **
**         http://microolap.com/products/network/tcpdump          **
**                                                                **
**                  XP/2003/Vista/2008/Win7/Win8                  **
**                 Win2012/Win10/Win2016/Win2019                  **
**               (UEFI and Secure Boot compatible)                **
**                                                                **
**                       Trial license.                           **
**                                                                **
********************************************************************

1.\Device\{6D27C162-812A-488B-9C93-E99FDE8FCE2A} (WAN Miniport (Network Monitor))
2.\Device\{C0652407-AF6F-4D5D-B8C6-6A1C5D800BD0} (Intel(R) PRO/1000 MT Desktop Adapter)

`-D` lists the available network interfaces; here there are interfaces 1 and 2. Next, capture on interface 2 (`-i 2`) with the filter `tcp port 502` and write the result to test4.pcap.

C:\Users\natha\OneDrive\桌面\tcpdump_trial_license>tcpdump.exe -i 2 -w test4.pcap tcp port 502

********************************************************************
**                                                                **
**              Tcpdump v4.9.2 (September 03, 2017)               **
**                   http://www.tcpdump.org                       **
**                                                                **
** Tcpdump for Windows is built with Microolap Packet Sniffer SDK **
**              Microolap EtherSensor product family              **
**               >>> build 5072.01 June 10, 2019 <<<              **
**                                                                **
**        Copyright(c) 1997 - 2019 Microolap Technologies         **
**       http://microolap.com/products/network/ethersensor        **
**         http://microolap.com/products/network/tcpdump          **
**                                                                **
**                  XP/2003/Vista/2008/Win7/Win8                  **
**                 Win2012/Win10/Win2016/Win2019                  **
**               (UEFI and Secure Boot compatible)                **
**                                                                **
**                       Trial license.                           **
**                                                                **
********************************************************************

tcpdump.exe: listening on \Device\{C0652407-AF6F-4D5D-B8C6-6A1C5D800BD0}, link-type EN10MB (Ethernet), capture size 262144 bytes
762 packets captured
1231 packets received by filter
0 packets dropped by kernel

The results:

Below is the simulator (server side) screen; the red circles mark what to click:

In Wireshark, click the red-circled button to start capturing:

Below is the simulator (client side) screen:

Another page on the client side:

In Wireshark's display-filter bar, type:

ip.addr == 172.16.110.0/24 and not tcp.port == 3389 and tcp.port == 502

-> this leaves only the Modbus/TCP packets (the `tcp.port == 502` clause already excludes the RDP traffic on 3389, so that part is redundant; the filter `mbtcp` selects frames Wireshark has dissected as Modbus/TCP directly, and `mbtcp.trans_id == 209` picks out a single transaction)

Query is the request the client sends to the server (destination port 502); Response is what the server sends back (source port 502).

In the actual scenario, assume the TCP client (the Modbus master that sends the queries) is at 172.16.110.138 (shown as 192.168.18.173 in the images below) and the server is at 172.16.110.131 (1.34.94.173).

Challenge 31: (50 Points)

What is the MAC address of the vendor (6 digits only) for the MAC address that makes the ModBus Query? Ans: C5830A (highlighted in blue below)

The vendor part is the first three bytes (the OUI) of the source MAC of the query frame. Make sure you are looking at a Query, not a Response, or you will read the server's MAC instead.

Challenge 32: (50 Points)

In the ModBus traffic, what is the length of the value of the register at Transaction_Identifier: 209? Ans: 3 (the answer is fixed)

The query's Length field is 6 and the response's is 5. The MBAP Length field counts the Unit Identifier plus the PDU, so for example a Read Holding Registers request is 1 + 1 + 2 + 2 = 6 bytes and a one-register response is 1 + 1 + 1 + 2 = 5.

Challenge 33: (50 Points)

What is the value of the register 211 Trans: 1 in the ModBus response?

Ans: 0

Find the spot shown in the figure below. (This challenge could not be reproduced, so I am not sure.)

Challenge 34: (50 Points)

What is the register 0 value (UNIT16) in the Trans: 228 in hex?

UINT16 in Wireshark's Modbus dissector means one 16-bit unsigned register value (every Modbus register is 16 bits wide), not "the 16th group": read the value Wireshark shows for Register 0 in the response of transaction 228 and write it in hex.

Challenge 35: (50 Points)

What is the destination MAC address of all of the ModBus responses? (use hex, but do not put the colons) Ans: FFFFFFFFFFFF

Just read the red-circled field in the figure below. (A broadcast destination MAC on unicast TCP responses is a property of how this lab's traffic is generated; on a real network the frame would carry the unicast MAC of the client or of the next-hop router.)

Challenge 36: (50 Points)

What is the protocol identifier of the Modbus/TCP response for Trans: 238?

Ans: 0 (the MBAP Protocol Identifier is 0 for every Modbus/TCP frame, so this holds for any transaction, not just 238)
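As an added, self-contained example (not course material and not the author's code): the script below constructs the two frames of one Modbus/TCP Read Holding Registers transaction, serialises them in the pcap format that `tcpdump -w` produces, and then parses Ethernet, IPv4, TCP and the MBAP header back out, which is what Wireshark does behind the `tcp.port == 502` / `mbtcp` display filter used above. It covers both the capture-and-filter workflow and the fields the challenges ask for: query vs response decided by port, source OUI, destination MAC, Transaction and Protocol Identifier, MBAP Length (6 for the query, 5 for a one-register response) and the UINT16 register values in hex. The MAC and IP addresses, ports, transaction number and register value are constructed sample data; the client OUI is set to the page's Challenge 31 answer only so the output lines up with the challenge.

```python
import socket
import struct

# Constructed sample endpoints (assumptions, not lab data); the client OUI is set to the
# page's Challenge 31 answer, C5830A, only so the output lines up with the challenge.
CLIENT_MAC = bytes.fromhex("c5830a112233")
SERVER_MAC = bytes.fromhex("001122334455")
CLIENT_IP, SERVER_IP = "172.16.110.138", "172.16.110.131"
CLIENT_PORT, MODBUS_PORT = 49152, 502
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet

def ip_checksum(hdr):
    """One's-complement sum of 16-bit words; the checksum field itself must be zero."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + TCP (PSH/ACK, no options, TCP checksum left 0) + payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload

def mbap(tid, unit, pdu):
    """MBAP header: Transaction Id, Protocol Id (always 0), Length (= unit id + PDU), Unit Id."""
    return struct.pack("!HHHB", tid, 0, 1 + len(pdu), unit) + pdu

def read_holding_registers_query(tid, unit, start, count):
    return mbap(tid, unit, struct.pack("!BHH", 0x03, start, count))     # Length = 6

def read_holding_registers_response(tid, unit, values):
    data = b"".join(struct.pack("!H", v) for v in values)               # one UINT16 per register
    return mbap(tid, unit, struct.pack("!BB", 0x03, len(data)) + data)  # Length = 3 + 2*n

def pcap_bytes(frames):
    """Serialise frames as a classic pcap file, the format `tcpdump -w` writes."""
    recs = [struct.pack("<IIII", 1680000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return PCAP_GLOBAL + b"".join(recs)

def parse_pcap(data):
    """Yield the frames of a little-endian pcap file."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_frame(frame):
    """Return the fields the challenges ask about, or None if the frame is not Modbus/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]
    if MODBUS_PORT not in (sport, dport) or len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack("!HHHB", payload[:7])
    pdu = payload[7:7 + length - 1]                     # Length covers unit id + PDU
    info = {
        "direction": "query" if dport == MODBUS_PORT else "response",
        "src_oui": src_mac[:3].hex().upper(),           # vendor part of the MAC (Challenge 31)
        "src_mac": src_mac.hex().upper(), "dst_mac": dst_mac.hex().upper(),
        "src": (socket.inet_ntoa(frame[26:30]), sport),
        "dst": (socket.inet_ntoa(frame[30:34]), dport),
        "transaction_id": tid, "protocol_id": pid, "length": length,
        "unit_id": unit, "function_code": pdu[0],
    }
    if info["direction"] == "query" and pdu[0] == 0x03:
        info["start"], info["count"] = struct.unpack("!HH", pdu[1:5])
    elif info["direction"] == "response" and pdu[0] == 0x03:
        regs = struct.unpack("!%dH" % (pdu[1] // 2), pdu[2:2 + pdu[1]])
        info["registers"] = {i: "0x%04x" % v for i, v in enumerate(regs)}  # UINT16 values in hex
    return info

def build_sample_capture():
    """Transaction 209: the client reads holding register 0 of unit 1; the server answers 0x1234."""
    query = read_holding_registers_query(209, 1, 0, 1)
    response = read_holding_registers_response(209, 1, [0x1234])
    return pcap_bytes([
        build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, CLIENT_PORT, MODBUS_PORT, query),
        build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, MODBUS_PORT, CLIENT_PORT, response),
    ])

def modbus_records(pcap):
    """Equivalent of the `tcp.port == 502` display filter, with the MBAP fields decoded."""
    return [rec for rec in map(parse_frame, parse_pcap(pcap)) if rec]

if __name__ == "__main__":
    capture = build_sample_capture()
    with open("modbus_sample.pcap", "wb") as f:      # open in Wireshark with display filter: mbtcp
        f.write(capture)
    print(*modbus_records(capture), sep="\n")
```

Running it writes modbus_sample.pcap; open that file in Wireshark with the display filter `mbtcp` and compare the decoded Transaction Identifier, Protocol Identifier, Length and Register 0 with what `modbus_records()` prints. The TCP checksum is left at zero in the constructed frames, which Wireshark does not validate by default, so the frames still dissect cleanly.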

Reference

Viewing tcpdump capture results with Wireshark - mozillazg's Blog

Wireshark packet capture and tcpdump packet capture

Windows: cyclic packet capture with windump - Alibaba Cloud Developer Community

TCP Dump Tutorial









