겉바속촉

[Security] Practicing commands in Kali

겉바속촉 2021. 1. 19. 14:08
Let's practice in KALI LINUX.

Scapy practice on the Attacker machine

Launching the program

┌──(kali㉿kali)-[~]
└─$ scapy                                                                                                                                            130 ⨯
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
                                      
                     aSPY//YASa       
             apyyyyCY//////////YCa       |
            sY//////YSpcs  scpCY//Pp     | Welcome to Scapy
 ayp ayyyyyyySCP//Pp           syY//C    | Version 2.4.4
 AYAsAYYYYYYYY///Ps              cY//S   |
         pCCCCY//p          cSSps y//Y   | https://github.com/secdev/scapy
         SPPPP///a          pP///AC//Y   |
              A//A            cyP////C   | Have fun!
              p///Ac            sC///a   |
              P////YCpc           A//A   | We are in France, we say Skappee.
       scccccp///pSP///p          p//Y   | OK? Merci.
      sY/////////y  caa           S//P   |             -- Sebastien Chabal
       cayCyayP//Ya              pY/Ya   |
        sY/PsY////YCc          aC//Yp 
         sc  sccaCY//PCypaapyCP//YSs  
                  spCPY//////YPSps    
                       ccaacs         
                                       using IPython 7.19.0

List of supported protocols (the ls() output is long; only the first entries are shown here)

>>> ls()
AH         : AH
AKMSuite   : AKM suite
ARP        : ARP
ASN1P_INTEGER : None
ASN1P_OID  : None
ASN1P_PRIVSEQ : None
ASN1_Packet : None

Print the TCP header fields, their types and their default values

>>> ls(TCP)
sport      : ShortEnumField                      = (20)
dport      : ShortEnumField                      = (80)
seq        : IntField                            = (0)
ack        : IntField                            = (0)
dataofs    : BitField  (4 bits)                  = (None)
reserved   : BitField  (3 bits)                  = (0)
flags      : FlagsField  (9 bits)                = (<Flag 2 (S)>)
window     : ShortField                          = (8192)
chksum     : XShortField                         = (None)
urgptr     : ShortField                          = (0)
options    : TCPOptionsField                     = (b'')
>>> 

Display a TCP header with its current (default) values

>>> TCP().display()
###[ TCP ]### 
  sport= ftp_data
  dport= http
  seq= 0
  ack= 0
  dataofs= None
  reserved= 0
  flags= S
  window= 8192
  chksum= None
  urgptr= 0
  options= []

>>> 

List of available functions (truncated)

>>> lsc()
IPID_count          : Identify IP id values classes in a list of packets
arpcachepoison      : Poison target's cache with (your MAC,victim's IP) couple
arping              : Send ARP who-has requests to determine which hosts are up
arpleak             : Exploit ARP leak flaws, like NetBSD-SA2017-002.
bind_layers         : Bind 2 layers on some specific fields' values.
bridge_and_sniff    : Forward traffic between interfaces if1 and if2, sniff and return
chexdump            : Build a per byte hexadecimal representation
computeNIGroupAddr  : Compute the NI group Address. Can take a FQDN as input parameter
corrupt_bits        : 
corrupt_bytes       : 
defrag              : defrag(plist) -> ([not fragmented], [defragmented],
defragment          : defragment(plist) -> plist defragmented as much as possible 
dhcp_request        : Send a DHCP discover request and return the answer
dyndns_add          : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del          : Send a DNS delete message to a nameserver for "name"
etherleak           : Exploit Etherleak flaw
explore             : Function used to discover the Scapy layers and protocols.
fletcher16_checkbytes: Calculates the Fletcher-16 checkbytes returned as 2 byte binary-string.
fletcher16_checksum : Calculates Fletcher-16 checksum of the given buffer.
fragleak            : --
fragleak2           : --
fragment            : Fragment a big IP datagram

Display an IP header with its current (default) values

>>> IP().display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= hopopt
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\

>>> 

Trying it with a variable

>>> ip = IP()
>>> 
>>> ip.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= hopopt
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\

>>> 

Change the destination address in the IP header (note that once dst is set, scapy also fills in src from the routing table instead of 127.0.0.1)

>>> ip = IP()
>>> ip.dst = "192.168.111.130"
>>> ip.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= hopopt
  chksum= None
  src= 192.168.94.129
  dst= 192.168.111.130
  \options\

Sniffing

  • Sniffing = secretly reading data on the network
  • Spoofing = repeatedly injecting false information so that the target comes to trust it

Run scapy with sudo (as root); sniff() needs raw-socket privileges

┌──(kali㉿kali)-[~]
└─$ sudo scapy    
[sudo] password for kali: 
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
                                      
                     aSPY//YASa       
             apyyyyCY//////////YCa       |
            sY//////YSpcs  scpCY//Pp     | Welcome to Scapy
 ayp ayyyyyyySCP//Pp           syY//C    | Version 2.4.4
 AYAsAYYYYYYYY///Ps              cY//S   |
         pCCCCY//p          cSSps y//Y   | https://github.com/secdev/scapy
         SPPPP///a          pP///AC//Y   |
              A//A            cyP////C   | Have fun!
              p///Ac            sC///a   |
              P////YCpc           A//A   | Craft me if you can.
       scccccp///pSP///p          p//Y   |                   -- IPv6 layer
      sY/////////y  caa           S//P   |
       cayCyayP//Ya              pY/Ya
        sY/PsY////YCc          aC//Yp 
         sc  sccaCY//PCypaapyCP//YSs  
                  spCPY//////YPSps    
                       ccaacs         
                                       using IPython 7.19.0

zsh: suspended  sudo scapy

Run sniff(), visit another site in the browser, then stop it with Ctrl+C

Print the sniffing result

>>> sniff()
^C<Sniffed: TCP:2445 UDP:68 ICMP:0 Other:2>

To see the details you need to capture the result in a variable.

>>> sf = sniff()
^C>>> sf.display()
0000 Ether / IP / UDP / DNS Qry "b'www.daum.net.'" 
0001 Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https S
0002 Ether / IP / UDP / DNS Ans "b'www.g.daum.net.'" 
0003 Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 SA / Padding
0004 Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https A
0005 Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https PA / Raw
0006 Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 A / Padding
0007 Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 PA / Raw
0008 Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https A
0009 Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https PA / Raw
0010 Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 A / Padding
0011 Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https PA / Raw
0012 Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 A / Padding
0013 Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 PA / Raw
0014 Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 PA / Raw
0015 Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 PA / Raw

***The following lines are 0001, 0003 and 0004 from above***

These three segments are the TCP 3-way handshake

Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https S ⇐ connection request (my Kali Linux > daum.net, SYN)

Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 SA / Padding ⇐ connection accepted (daum.net > my Kali, SYN-ACK; "Padding" is the Ethernet minimum-frame padding scapy shows on short inbound frames)

Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https A ⇐ acknowledgement of the acceptance (my Kali > daum, ACK)
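The handshake above can be picked out mechanically. The following is an added example (not from the original post, and not scapy code; it needs only the Python standard library): a small state machine that reads one-line summaries in the format sf.display() prints and classifies each connection attempt as established (SYN, SYN-ACK and ACK all seen), half-open, or refused. The sample lines are 0000 to 0005 from the capture above, plus one constructed attempt to port 8443 that the server answers with RST-ACK, added to show the failure case.

```python
"""Classify TCP connection attempts from scapy-style summary lines (added example)."""
import re

# Matches the TCP part of the one-line summaries PacketList.display() prints.
SUMMARY_RE = re.compile(
    r"TCP (?P<src>[\d.]+):(?P<sport>\w+) > (?P<dst>[\d.]+):(?P<dport>\w+) (?P<flags>[A-Z]+)"
)

# Lines 0000-0005 from the capture above, plus one CONSTRUCTED attempt (port 8443)
# that the server answers with RST-ACK, to show the refused case.
SAMPLE_LINES = [
    "0000 Ether / IP / UDP / DNS Qry \"b'www.daum.net.'\" ",
    "0001 Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https S",
    "0002 Ether / IP / UDP / DNS Ans \"b'www.g.daum.net.'\" ",
    "0003 Ether / IP / TCP 211.231.99.17:https > 192.168.94.129:53328 SA / Padding",
    "0004 Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https A",
    "0005 Ether / IP / TCP 192.168.94.129:53328 > 211.231.99.17:https PA / Raw",
    "0006 Ether / IP / TCP 192.168.94.129:40000 > 211.231.99.17:8443 S",            # constructed
    "0007 Ether / IP / TCP 211.231.99.17:8443 > 192.168.94.129:40000 RA / Padding",  # constructed
]


def parse_summary(line):
    """Return src/sport/dst/dport/flags for a TCP summary line, or None for non-TCP lines."""
    m = SUMMARY_RE.search(line)
    return m.groupdict() if m else None


def track_handshakes(lines):
    """Replay the summaries in order and return {(client, cport, server, sport): state}.

    States: 'syn-sent' (only the SYN seen), 'syn-received' (SYN-ACK seen, final ACK
    missing), 'established' (full 3-way handshake), 'refused' (SYN answered by RST).
    """
    state = {}
    for line in lines:
        p = parse_summary(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # client -> server direction
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # server -> client direction
        flags = p["flags"]
        if flags == "S" and fwd not in state:
            state[fwd] = "syn-sent"                           # step 1: SYN
        elif flags == "SA" and state.get(rev) == "syn-sent":
            state[rev] = "syn-received"                       # step 2: SYN-ACK
        elif "R" in flags and state.get(rev) == "syn-sent":
            state[rev] = "refused"                            # port closed / filtered by RST
        elif "A" in flags and "S" not in flags and state.get(fwd) == "syn-received":
            state[fwd] = "established"                        # step 3: ACK (data may ride along)
    return state


if __name__ == "__main__":
    for conn, st in track_handshakes(SAMPLE_LINES).items():
        print("%s:%s -> %s:%s  %s" % (conn + (st,)))
```

Later "PA" segments on an established connection leave the state untouched, so the tracker only reports the outcome of the handshake itself, which is the piece the three lines above illustrate.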

 

 

 

 

Help

>>> help()
help> sniff

Specify the number of packets to capture

Here we only asked for 10.

>>> sf = sniff(count=10)
>>> sf.display()
0000 Ether / IP / UDP / DNS Qry "b'www.daum.net.'" 
0001 Ether / IP / UDP / DNS Ans "b'www.g.daum.net.'" 
0002 Ether / IP / TCP 192.168.94.129:40264 > 203.133.167.16:https S
0003 Ether / IP / TCP 203.133.167.16:https > 192.168.94.129:40264 SA / Padding
0004 Ether / IP / TCP 192.168.94.129:40264 > 203.133.167.16:https A
0005 Ether / IP / TCP 192.168.94.129:40264 > 203.133.167.16:https PA / Raw
0006 Ether / IP / TCP 203.133.167.16:https > 192.168.94.129:40264 A / Padding
0007 Ether / IP / TCP 203.133.167.16:https > 192.168.94.129:40264 PA / Raw
0008 Ether / IP / TCP 203.133.167.16:https > 192.168.94.129:40264 PA / Raw
0009 Ether / IP / TCP 203.133.167.16:https > 192.168.94.129:40264 PA / Raw

To look at one of the packets above in detail, for example the one at index 2 (line 0002, the SYN), run sf[2].show()

>>> sf[2].show()
###[ Ethernet ]### 
  dst= 00:50:56:ee:37:4a
  src= 00:0c:29:3d:e7:e0
  type= IPv4
###[ IP ]### 
     version= 4
     ihl= 5
     tos= 0x0
     len= 60
     id= 63862
     flags= DF
     frag= 0
     ttl= 64
     proto= tcp
     chksum= 0xaf85
     src= 192.168.94.129
     dst= 203.133.167.16
     \options\
###[ TCP ]### 
        sport= 40264
        dport= https
        seq= 3272259479
        ack= 0
        dataofs= 10
        reserved= 0
        flags= S
        window= 64240
        chksum= 0x91ee
        urgptr= 0
        options= [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (43726480, 0)), ('NOP', None), ('WScale', 7)]
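The fields that ls(TCP), IP().display() and sf[2].show() print above can be rebuilt by hand to see what the bits look like on the wire. The following is an added example (not from the original post, and not scapy code; it uses only Python's struct and socket modules): it serializes the IPv4 and TCP headers from the values of packet 0002, recomputes the checksums, and compares them with the capture. The IP checksum comes out as 0xaf85, exactly as shown. The captured TCP checksum 0x91ee, however, equals only the folded pseudo-header sum, which is what Linux leaves in the field when the NIC does TX checksum offload (an inference from the arithmetic, labelled as such in the code): packets sniffed on the sending host carry an unfinished TCP checksum, and Wireshark reports them as "incorrect" unless checksum validation is turned off. The complete checksum over this segment, as the example computes it, is 0x687e.

```python
"""Rebuild the IPv4/TCP headers of packet 0002 by hand (added example, stdlib only)."""
import socket
import struct

# Flag letters as scapy prints them in `flags=`, with their bit values in the TCP header.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of `data` (RFC 1071), folded but not complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """The value written into IP/TCP checksum fields: the complemented sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4(src: str, dst: str, payload_len: int, ident: int,
               ttl: int = 64, proto: int = 6, df: bool = True) -> bytes:
    """20-byte IPv4 header (version 4, ihl 5, no options) with the checksum filled in."""
    flags_frag = 0x4000 if df else 0                 # DF bit set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4(hdr: bytes) -> dict:
    """Decode the fields IP().display() shows; `valid` tells whether the checksum verifies."""
    (vihl, tos, length, ident, ff, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"version": vihl >> 4, "ihl": vihl & 0xF, "tos": tos, "len": length,
            "id": ident, "flags": "DF" if ff & 0x4000 else "", "frag": ff & 0x1FFF,
            "ttl": ttl, "proto": proto, "chksum": csum,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "valid": ones_complement_sum(hdr[:20]) == 0xFFFF}


def encode_tcp_options(options) -> bytes:
    """Serialize options given in the (name, value) form scapy prints, padded to 32 bits."""
    out = b""
    for name, value in options:
        if name == "MSS":
            out += struct.pack("!BBH", 2, 4, value)
        elif name == "SAckOK":
            out += b"\x04\x02"
        elif name == "Timestamp":
            out += struct.pack("!BBII", 8, 10, value[0], value[1])
        elif name == "NOP":
            out += b"\x01"
        elif name == "WScale":
            out += struct.pack("!BBB", 3, 3, value)
        else:
            raise ValueError("unsupported TCP option %r" % name)
    return out + b"\x00" * (-len(out) % 4)           # EOL padding to a 32-bit boundary


def tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum also covers: src, dst, zero, proto 6, length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp(src: str, dst: str, sport: int, dport: int, seq: int, ack: int = 0,
              flags: str = "S", window: int = 8192, options=()) -> bytes:
    """TCP header plus options with a complete checksum over pseudo-header + segment."""
    opts = encode_tcp_options(options)
    dataofs = (20 + len(opts)) // 4                  # header length in 32-bit words
    flag_bits = sum(TCP_FLAG_BITS[c] for c in flags)
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (dataofs << 12) | flag_bits, window, 0, 0) + opts
    csum = internet_checksum(tcp_pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def offload_partial_checksum(src: str, dst: str, tcp_len: int) -> int:
    """Folded pseudo-header sum only. Assumption (it matches the capture arithmetically):
    this is what Linux leaves in the TCP checksum field when the NIC does TX offload."""
    return ones_complement_sum(tcp_pseudo_header(src, dst, tcp_len))


def rebuild_captured_syn() -> dict:
    """Rebuild packet 0002 from the sf[2].show() values above and report derived fields."""
    src, dst = "192.168.94.129", "203.133.167.16"
    options = [("MSS", 1460), ("SAckOK", b""), ("Timestamp", (43726480, 0)),
               ("NOP", None), ("WScale", 7)]
    tcp = build_tcp(src, dst, 40264, 443, 3272259479, flags="S",   # dport https = 443
                    window=64240, options=options)
    ip = build_ipv4(src, dst, len(tcp), ident=63862)
    return {"ip": parse_ipv4(ip),
            "dataofs": tcp[12] >> 4,
            "tcp_chksum": struct.unpack("!H", tcp[16:18])[0],
            "offload_chksum": offload_partial_checksum(src, dst, len(tcp)),
            "wire": ip + tcp}


if __name__ == "__main__":
    r = rebuild_captured_syn()
    print("IP len=%d chksum=0x%04x valid=%s" % (r["ip"]["len"], r["ip"]["chksum"], r["ip"]["valid"]))
    print("TCP dataofs=%d complete chksum=0x%04x offload partial=0x%04x"
          % (r["dataofs"], r["tcp_chksum"], r["offload_chksum"]))
```

dataofs comes out as 10 because the 20 bytes of options (MSS 4, SAckOK 2, Timestamp 10, NOP 1, WScale 3) bring the header to 40 bytes, and the IP len of 60 is that plus the 20-byte IP header, matching the show() output. When you see a TCP checksum mismatch on your own outbound packets in scapy or Wireshark, check for offloading before suspecting corruption.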

 

 

Looking through it you will see the following line; the S means exactly this:

 flags= S ⇐ a segment with the SYN flag set