Traffic forensics: extracting files from packet captures


    A PCAP file is a recording of the data that actually crossed the wire (images, video, executables and so on), stored in the PCAP format. When you go back over an offline capture, you will regularly need to turn the byte stream inside the PCAP back into the original artefacts: images, video, e-mail attachments.
    In practice, the most common reason to carve files out of traffic is to recover an executable that was downloaded or dropped over the network, so that it can be hashed, identified and analysed. The sections below walk through the same task with five tools; all of them are run against the public sample capture evidence01.pcap.
    1. tcpxtract
    Install:
    apt-get install tcpxtract
    http://www.rpmfind.net/linux/rpm2html/search.php?query=tcpxtract # RPM packages for other distributions
    Help:
    root@kali:~# tcpxtract -h
    Usage: tcpxtract [OPTIONS] [[-d <DEVICE>] [-f <FILE>]]
    Valid options include:
    --file, -f <FILE> to specify an input capture file instead of a device
    --device, -d <DEVICE> to specify an input device (i.e. eth0)
    --config, -c <FILE> use FILE as the config file
    --output, -o <DIRECTORY> dump files to DIRECTORY instead of current directory
    --version, -v display the version number of this program
    --help, -h display this lovely screen
    Download the sample capture:
    wget http://forensicscontest.com/contest01/evidence01.pcap
    Carve the files it contains (they are written to the current directory unless -o is given, so run this from an empty work directory):
    tcpxtract -f evidence01.pcap
    List the recovered files:
    ls
    Open one of them:
    leafpad 00000042.html
    2. NetworkMiner
    Install NetworkMiner:
    Download it from http://sourceforge.net/projects/networkminer/files/latest/download (on Linux it runs under Mono).
    Open the PCAP file in NetworkMiner.
    View the extracted files: NetworkMiner reassembles the sessions itself and lists every carved file, with its source host and the directory it was written to, in the Files tab.
    3. Wireshark: recovering files
    Help:
    root@kali:~# wireshark -h
    Wireshark 2.6.6 (Git v2.6.6 packaged as 2.6.6-1)
    Interactively dump and analyze network traffic.
    See https://www.wireshark.org for more information.
    Usage: wireshark [options] ... [ <infile> ]
    Capture interface:
    -i <interface> name or idx of interface (def: first non-loopback)
    -f <capture filter> packet filter in libpcap filter syntax
    -s <snaplen> packet snapshot length (def: appropriate maximum)
    -p don't capture in promiscuous mode
    -k start capturing immediately (def: do nothing)
    -S update packet display when new packets are captured
    -l turn on automatic scrolling while -S is in use
    -I capture in monitor mode, if available
    -B <buffer size> size of kernel buffer (def: 2MB)
    -y <link type> link layer type (def: first appropriate)
    --time-stamp-type <type> timestamp method for interface
    -D print list of interfaces and exit
    -L print list of link-layer types of iface and exit
    --list-time-stamp-types print list of timestamp types for iface and exit
    Capture stop conditions:
    -c <packet count> stop after n packets (def: infinite)
    -a <autostop cond.> ... duration:NUM - stop after NUM seconds
                            filesize:NUM - stop this file after NUM KB
                            files:NUM - stop after NUM files
    Capture output:
    -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                             filesize:NUM - switch to next file after NUM KB
                             files:NUM - ringbuffer: replace after NUM files
    Input file:
    -r <infile> set the filename to read from (no pipes or stdin!)
    Processing:
    -R <read filter> packet filter in Wireshark display filter syntax
    -n disable all name resolutions (def: all enabled)
    -N <name resolve flags> enable specific name resolution(s): "mnNtdv"
    -d <layer_type>==<selector>,<decode_as_protocol> ...
       "Decode As", see the man page for details
       Example: tcp.port==8888,http
    --enable-protocol <proto_name> enable disp of proto_name
    --disable-protocol <proto_name> disable disp of proto_name
    --enable-heuristic <short_name> enable disp of heuristic protocol
    --disable-heuristic <short_name> disable disp of heuristic protocol
    User interface:
    -C <config profile> start with specified configuration profile
    -Y <display filter> start with the given display filter
    -g <packet number> go to specified packet number after "-r"
    -J <jump filter> jump to the first packet matching the (display) filter
    -j search backwards for a matching packet after "-J"
    -m <font> set the font name used for most text
    -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
    -u s|hms output format of seconds (def: s: seconds)
    -X <key>:<value> eXtension options, see man page for details
    -z <statistics> show various statistics, see man page for details
    Output:
    -w <outfile|-> set the output filename (or '-' for stdout)
    Miscellaneous:
    -h display this help and exit
    -v display version info and exit
    -P <key>:<path> persconf:path - personal configuration files
                    persdata:path - personal data files
    -o <name>:<value> ... override preference or recent setting
    -K <keytab> keytab file to use for kerberos decryption
    --display=DISPLAY X display to use
    --fullscreen start Wireshark in full screen
    Open the pcap file:
    wireshark evidence01.pcap
    Recover the files:
    File -> Export Objects -> HTTP, then "Save All" into an empty directory. Wireshark reassembles each TCP stream first and cuts the objects out of the decoded HTTP responses, so files that span many packets come out intact; objects carried over other protocols (SMB, TFTP, IMF/e-mail) have their own entries in the same Export Objects menu.
    Identify the PE executables among the saved objects (the file utility reports them as "PE32 executable ..."):
    file * | grep PE
    4. foremost
    Installed by default on Kali 2.0.
    Help:
    root@kali:~# foremost -h
    foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus.
    $ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t <type>] [-s <blocks>] [-k <size>]
    [-b <size>] [-c <file>] [-o <dir>] [-i <file>]
    -V - display copyright information and exit
    -t - specify file type. (-t jpeg,pdf ...)
    -d - turn on indirect block detection (for UNIX file-systems)
    -i - specify input file (default is stdin)
    -a - Write all headers, perform no error detection (corrupted files)
    -w - Only write the audit file, do not write any detected files to the disk
    -o - set output directory (defaults to output)
    -c - set configuration file to use (defaults to foremost.conf)
    -q - enables quick mode. Search are performed on 512 byte boundaries.
    -Q - enables quiet mode. Suppress output messages.
    -v - verbose mode. Logs all messages to screen
    # carve files; results land in ./output, with output/audit.txt listing what was found and at which offset
    foremost -v -i evidence01.pcap
    Caveat: foremost is a disk-image carver. It treats the pcap as one flat byte string and knows nothing about packets, so it only recovers cleanly those objects that fit inside a single packet payload. Anything larger comes out with the pcap record headers and Ethernet/IP/TCP headers of the following packets embedded in it, and will usually fail to open or to match a known hash. For multi-packet transfers, export from a reassembled stream instead (Wireshark's Export Objects, or Follow TCP Stream saved as raw data) and keep foremost for quick triage of small files.
    5. Chaosreader
    # download chaosreader
    wget https://github.com/brendangregg/Chaosreader/archive/master.zip
    mv master.zip chaosreader.zip
    unzip chaosreader.zip
    Recover the files (chaosreader is a single Perl script; run it against the pcap from this directory, and it reassembles every session and writes the transferred files next to an index.html of all sessions):
    root@kali:~# cd Chaosreader-master
    root@kali:~/Chaosreader-master# ls
    chaosreader older_versions README.md
    Identify the PE executables among the recovered files:
    file * | grep PE
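The five tools above all do one of two things: signature carving over raw bytes (foremost) or TCP stream reassembly followed by protocol-aware extraction (Wireshark's Export Objects, Chaosreader, NetworkMiner). As an added example, which is not code from the original post or from any of those tools, the Python script below does both in miniature so the difference can be seen on a capture small enough to read: it parses a classic pcap, reassembles the TCP stream by sequence number (dropping a retransmitted segment and putting an out-of-order one back in place), cuts the HTTP response body out by Content-Length as Export Objects > HTTP does, and runs the `file * | grep PE` check in code by following the DOS "MZ" stub's e_lfanew to the "PE\0\0" signature. The capture is constructed inline and is an assumption throughout: a skeleton PE (a bare MZ/PE header, not a real executable) served from 203.0.113.10:80 to 10.0.0.5:51000 in three 100-byte segments. Reassembly followed by HTTP export yields a blob that passes the PE check; magic-byte carving over the raw pcap bytes, which is what `foremost -i evidence01.pcap` does, yields a blob whose e_lfanew points into the next packet's headers and fails it.

```python
import re
import struct
from collections import defaultdict

# Constructed sample traffic (not from any real capture): a skeleton PE image, i.e. a DOS "MZ"
# stub whose e_lfanew (offset 0x3C) points at "PE\0\0" at 0x80, served as an HTTP response body.
FAKE_PE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
           + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x90" * 40)
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(FAKE_PE)) + FAKE_PE

def ip_tcp_frame(src, dst, sport, dport, seq, payload):  # Ethernet/IPv4/TCP, checksums left zero
    eth = b"\x00\x0c\x29\x00\x00\x02" + b"\x00\x0c\x29\x00\x00\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):  # classic libpcap: 24-byte global header (Ethernet) + 16-byte record headers
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out

def sample_pcap():  # response cut into 100-byte segments, stored out of order, one retransmitted
    segs = [HTTP_RESPONSE[i:i + 100] for i in range(0, len(HTTP_RESPONSE), 100)]
    resp = [ip_tcp_frame("203.0.113.10", "10.0.0.5", 80, 51000, 1000 + 100 * n, s)
            for n, s in enumerate(segs)]  # server -> client, ISN 1000 (assumed values)
    return build_pcap([resp[0], resp[2], resp[1], resp[1]])

def read_pcap(data):  # yield raw frames from a classic pcap (either byte order, us or ns stamps)
    end = "<" if struct.unpack("<I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def decode_tcp(frame):  # -> ((src, sport, dst, dport), seq, payload) for IPv4/TCP, else None
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]  # honours IP options and padding
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return (src, sport, dst, dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble_streams(pcap_bytes):
    """Order each flow's segments by sequence number; drop retransmits and overlaps."""
    segs = defaultdict(dict)
    for flow, seq, payload in filter(None, map(decode_tcp, read_pcap(pcap_bytes))):
        if payload:
            segs[flow].setdefault(seq, payload)  # same seq seen twice: keep the first copy
    streams = {}
    for flow, by_seq in segs.items():
        buf, nxt = b"", None
        for seq in sorted(by_seq):
            data, end = by_seq[seq], seq + len(by_seq[seq])
            if nxt is not None and seq < nxt:  # partial overlap: keep only the new bytes
                data = data[nxt - seq:]
            buf += data  # a lost segment would be joined silently; real tools flag the gap
            nxt = end if nxt is None else max(nxt, end)
        streams[flow] = buf
    return streams

def export_http_objects(stream):
    """Wireshark-style "Export Objects > HTTP": cut each response body by Content-Length."""
    objects, pos = [], 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        hdr_end = stream.find(b"\r\n\r\n", start) if start >= 0 else -1
        if hdr_end < 0:
            return objects
        headers = stream[start:hdr_end].decode("latin-1").split("\r\n")
        length = next((int(h.split(":", 1)[1]) for h in headers
                       if h.lower().startswith("content-length:")), None)
        body = stream[hdr_end + 4:] if length is None else stream[hdr_end + 4:hdr_end + 4 + length]
        objects.append(body)
        pos = hdr_end + 4 + len(body)

def carve_by_magic(blob, size):  # foremost-style signature carving: slice from every "MZ", no reassembly
    return [blob[m.start():m.start() + size] for m in re.finditer(b"MZ", blob)]

def is_pe(blob):
    """The `file * | grep PE` check in miniature: MZ stub whose e_lfanew lands on "PE\\0\\0"."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def carve_demo():
    """Reassembled HTTP export yields a valid PE; carving the raw pcap bytes does not."""
    pcap = sample_pcap()
    stream = next(iter(reassemble_streams(pcap).values()))
    exported, raw = export_http_objects(stream), carve_by_magic(pcap, len(FAKE_PE))
    return {"exported": exported, "exported_pe": [is_pe(b) for b in exported],
            "raw_carved": raw, "raw_pe": [is_pe(b) for b in raw]}
```

Call carve_demo() to run the whole pipeline; to point it at a real file, replace sample_pcap() with the bytes of evidence01.pcap (classic pcap only; pcapng has a different container format). The reassembler deliberately keeps the first copy of a retransmitted segment and joins gaps silently, which is the simplest correct choice for carving but is exactly the decision a tool like Wireshark surfaces as "TCP Previous segment not captured"; when a carved executable does not hash as expected, check that note before blaming the carver.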
    Reference
    http://blog.sina.com.cn/s/blog_e8e60bc00102vfd9.html
    Original article: https://www.cnblogs.com/micr067/p/12519775.html