Open-Source Security Tools – On the Importance of Website Certificates – Wireshark

This article covers a RyanCTF challenge designed by Ryan.Chen.

Objective

Perhaps websites without credentials are dangerous! Just use wireshark to eavesdrop on other people’s things… There seems to be a flag between their conversations, try to find it.

Tools Used

Wireshark
Author: the Wireshark development team
Download: https://www.wireshark.org/download.html
Description: a free, open-source network packet analyzer that captures network packets and displays their contents in as much detail as possible.

Target File

Through various means you have obtained the target's conversation packet capture, "flag.pcapng" (click to download).

Walkthrough

Step 1. Open flag.pcapng in Wireshark and take a rough look at the overview. Then, following experience with this kind of challenge, first exclude the less relevant protocols.

Figure (1) Enter the filter: not arp and not dhcpv6 and not ssdp and not dns and not browse

Step 2. Looking at the filtered result, the remaining entries are dominated by HTTP and TCP, so I used Conversations for further filtering and found that most of the TCP ports are 80 and 443.

Figure (2) The Conversations window shows that most packets are on port 80 and 443

Step 3. Although the clues now point toward HTTP, since we are already in Conversations, first look at the contents of a few of the largest conversations. Unsurprisingly, nothing was found there.

Figure (3) Sort and find the largest TCP conversations
Figure (4) After a while of looking, no flag or related clue is found among them

Step 4. Go back to the HTTP packets. There are HTTP POST packets; because the challenge hint is about conversation content, skip the login-related packets and open a packet whose request path is /wp/wp-comments-post.php. The request contains a comment field, and after URL-decoding its content it reads like a chat conversation, which matches the hint. That means the next clue, or the flag, is in the /wp/wp-comments-post.php packets!

Figure (5) Open one POST packet to /wp/wp-comments-post.php and decode the Comment field to reveal chat content!

Step 5. After checking every POST packet to /wp/wp-comments-post.php, the flag is found in the last one. (Tip: a display filter or Ctrl+F Find speeds this up; here the author used Find.)

Figure (6) The last POST packet to /wp/wp-comments-post.php; after decoding its Comment field the flag is found!

Step 6. Enter the flag to complete the challenge and collect the points.
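As an added example, not code from the original post or from RyanCTF, the following Python script does what Steps 4 and 5 do by hand in Wireshark: it selects cleartext HTTP POSTs to /wp/wp-comments-post.php, URL-decodes the comment field, and searches the decoded text. The raw requests, the host example.test and the FLAG{...} pattern are constructed here; the post does not give the challenge's real flag format.

```python
import re
from urllib.parse import parse_qs
# Constructed flag format; the post does not state RyanCTF's real one.
FLAG_PATTERN = re.compile(r"FLAG\{[^}]*\}")

def build_post(path, body, host="example.test"):
    """Build a minimal cleartext HTTP/1.1 form POST (constructed sample data)."""
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

# Constructed traffic: an unrelated GET, a login POST (skipped, as in Step 4)
# and two WordPress comment POSTs with URL-encoded bodies.
SAMPLE_REQUESTS = [
    "GET /wp/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
    build_post("/wp/wp-login.php", "log=alice&pwd=not-a-real-password"),
    build_post("/wp/wp-comments-post.php",
               "comment=Hi%2C+did+you+get+my+message%3F&author=alice"),
    build_post("/wp/wp-comments-post.php",
               "comment=Yes.+The+secret+is+FLAG%7Bconstructed%7D&author=bob"),
]

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def extract_comments(requests, path="/wp/wp-comments-post.php"):
    """URL-decoded 'comment' fields of form POSTs to `path`: the same selection as
    the Wireshark filter http.request.method == "POST" && http.request.uri contains
    "wp-comments-post.php", then a decode of the body, readable because it is plain HTTP."""
    comments = []
    for raw in requests:
        method, req_path, headers, body = parse_request(raw)
        ctype = headers.get("content-type", "")
        if method != "POST" or req_path != path or "x-www-form-urlencoded" not in ctype:
            continue
        comments.extend(parse_qs(body, keep_blank_values=True).get("comment", []))
    return comments

def find_flag(comments):
    """First flag-looking string in the decoded comments, or None."""
    return next((m.group(0) for m in map(FLAG_PATTERN.search, comments) if m), None)
```

The same selection and decoding would apply to a real capture exported from Wireshark; everything in the comment field is visible to anyone on the path because the site serves the form over HTTP rather than HTTPS.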

Disclaimer

Using this tool to attack a target without the prior consent of both parties is illegal. Please comply with local laws and regulations. The developers and the author accept no liability for this tool and are not responsible for any misuse or damage.

Co-authors

This article was co-written by 吳同 and Ryan.Chen.
