Shulou(Shulou.com)06/02 Report--

The "network bag grabbing tool" that must be used by "hackers"

In previous articles, we talked about network communication principles, network protocol ports, vulnerability scanning and other network-related knowledge. many netizens said that they had written well after reading these articles, but they still felt that they could not make a deep understanding after reading them. Today, I will teach you a tool. With this tool, you can verify the network knowledge you have learned before. " What kind of tool is this? In fact, I believe many of you have heard of it or used it, and this tool is also a necessary tool for hackers or workers engaged in network engineering. It is the "network packet grabbing tool".

Today we will introduce in detail the purpose of capturing packets on the Internet. What are the commonly used network bag catchers? The usage and skills of network package grabbing tools!

First, what is the purpose of network packet capture?

Official definition: packet capture is to intercept, retransmit, edit, transfer and other operations sent and received. It is also used to check network security. Grab packets are also often used for data interception and so on.

For white hat hackers, the purpose of packet capture is to analyze network messages, locate network interface problems, analyze application data interfaces, learn network protocols, and use packet capture tools to analyze network data intuitively.

For black hat hackers, the purpose of grabbing packets is even clearer, that is, in order to find loopholes, hackers first intercept data by grasping packets and extract valuable data such as account passwords and application information in data packets. After intercepting these data, you can edit them again, change the value information inside, and then save it back. For example, after the news was exposed, the Shanghai police cracked a major network theft case. In just half a day, hackers illegally realized that the amount was as high as 10 million. Why can hackers illegally withdraw so much money in such a short time? It turned out that the hacker found a loophole in a financial APP system and illegally modified the data information transmitted by the APP to the background in the form of network packet grabbing. For example, the hacker recharged 1 yuan and used the packet capture to change 1 yuan to 1000 or higher data to the server. In fact, he only recharged 1 yuan, and the data transmitted to the server was maliciously modified.

Here we still need to remind the children that the purpose of our study must be to master this technology, to better serve life, to create positive value for society, and not to go forward on the road of crime.

Second, what are the commonly used network bag catchers?

1 、 Wireshark

Wireshark has its own version in Windows, mac and linux, which is one of the most popular graphical package grabbing software. it is a must for hackers, network administrators and security workers.

Network administrators use Wireshark to detect network problems, network security engineers use Wireshark to check information security-related problems, developers use Wireshark to debug new communication protocols, and ordinary users use Wireshark to learn about network protocols.

2 、 tcpdump

Tcpdump can capture all layers of data, the function is very powerful, tcpdump Linux as a network server, especially as a router and gateway, data collection and analysis is indispensable. TcpDump is one of the powerful network data acquisition and analysis tools in Linux. Tcpdump is defined in simple words: dump the traffic on a network, a packet analysis tool that intercepts packets on the network according to the definition of the user. As a classic necessary tool for system administrators on the Internet, tcpdump, with its powerful functions and flexible interception strategy, has become one of the necessary tools for every senior system administrator to analyze the network and troubleshoot problems.

3 、 httpwatch

HttpWatch is a powerful web data analysis tool. Integrated in the Internet Explorer toolbar. Including page summary. Cookies management. Cache management. The message header is sent / accepted. Character query. POST data and directory management functions. Report output. HttpWatch is software that collects and displays deep information. It can display the log information of web page request and response at the same time without proxy server or some complex network monitoring tools. You can even display the exchange of information between the browser cache and IE. Integrated in the Internet Explorer toolbar.

4 、 Burpsuite

At present, Web security penetration is a necessary tool, without one, the function is very powerful. Burp Suite is an integrated platform for attacking web applications. It contains a number of tools and many interfaces are designed for these tools to facilitate faster attacks on applications. All tools share a powerful and extensible framework for processing and displaying HTTP messages, persistence, authentication, agents, logs, and alerts

5 、 Fiddler

At present, the most commonly used web message penetration tool, very powerful, can be the most local agent, message playback and so on. Fiddler is a http protocol debugging agent that can record and check all http communications between your computer and the Internet, set breakpoints, and view all "in and out" Fiddler data (cookie,html,js,css and other files, which allow you to modify the meaning). Fiddler is simpler than other web debuggers because it not only exposes http communications but also provides a user-friendly format.

6 、 Charles

Charles supports requests to capture http and https protocols, but does not support socket. The usage is basically the same as that of fiddler. It is also a commonly used tool for grabbing bags.

Third, the use methods and skills of network packet grabbing tools.

As there are many commonly used package grabbing tools, the method of use is also very similar. Here I only introduce the use of the most commonly used Wireshark network packet grabbing tools.

Tool, which is the tool with the most comprehensive functions and the largest number of users. Wireshark is a network packet analysis software. The function of network packet analysis software is to intercept network packets and show the most detailed network packet data as much as possible. Wireshark uses WinPCAP as the interface to exchange data messages directly with the network card.

The Wireshark infrastructure is as follows:

The official download site of Wireshark:

Wireshark is open source software and can be used across platforms.

The specific usage is as follows:

1. Introduction of the interface window

1.1WireShark is mainly divided into these interfaces.

1) Display Filter (display filter) for filtering

2) Packet List Pane (packet list), showing captured packets, active and destination addresses, and port numbers. Different colors represent

3) Packet Details Pane (packet details) to display the fields in the packet

4) Dissector Pane (hex data)

5) Miscellanous (address bar, miscellaneous)

1.2 the functions of common buttons from left to right are as follows:

1) list the available interfaces.

2) some options to be set when grabbing the bag. The result of the last setting is usually retained.

3) start a new bag grab.

4) stop grabbing the bag.

5) continue to grab the bag.

6) Open the file to grab the package. You can open the file saved by the previous grab package. You can open not only files saved by wireshark software, but also files saved by tcpdump with the-w parameter.

7) Save the file. Save the results of this capture or analysis.

8) close the open file. When the file is closed, it switches to the initial interface.

9) reload the grab package file.

2. Click the network interface to get the message

After clicking on the interface name, you can see the message received in real time. Wireshark captures every message sent and received by the system. If the crawling interface is wireless and the option is mixed mode, you will also see other messages on the network.

Each line of the upper panel corresponds to a network message, which by default displays the message receiving time (relative to the time to start crawling), source and destination IP addresses, protocol and message-related information. Click on a line to see more information in the two windows below. The "+" icon displays the details of each layer in the message. The bottom window lists the contents of the message in both hexadecimal and ASCII codes.

When you need to stop grabbing messages, click the stop button in the upper left corner.

Color identification:

At this point, we have seen that the message is displayed in green, blue and black. Wireshark makes the messages of all kinds of traffic clear at a glance through color. For example, the default green is TCP messages, dark blue is DNS, light blue is UDP, and black identifies problematic TCP messages-such as out-of-order messages.

Sample message:

For example, if you have installed Wireshark at home, but there are no messages of interest to observe in the home LAN environment, you can go to Wireshark wiki to download the message sample file.

It's pretty easy to open a crawl file, just click Open on the main interface and browse the file. You can also save your own package file in Wireshark and open it later.

Filter messages:

If you are trying to analyze a problem, such as a message sent by a program while making a phone call, you can shut down all other applications that use the network to reduce traffic. However, there may still be a large number of messages to be filtered, and a Wireshark filter is used.

The most basic way is to type in the filter bar at the top of the window and click Apply (or press enter). For example, type "dns" and you will see only the DNS message. When typed, Wireshark helps to automatically complete the filter criteria.

You can also click the Analyze menu and select Display Filters to create a new filter condition.

Another interesting thing is that you can right-click the message and select Follow TCP Stream.

You will see all the sessions between the server and the target side.

After closing the window, you will find that the filter condition is automatically referenced-Wireshark displays the messages that make up the session.

Check the message:

After selecting a message, you can dig deeper into its contents.

You can also create filter criteria here-- just right-click the details and use the Apply as Filter submenu to create filter criteria based on that detail.

3. Use Wireshark to observe basic network protocols.

Wireshark and the corresponding OSI seven-layer model

TCP message: TCP/IP establishes a connection through a three-way handshake. Three kinds of messages in this process are: SYN,SYN/ACK,ACK. This is not in the presentation process as I have talked about in my previous article, and then use the package grab tool to explain the following process.

First open wireshark, open the browser to enter a URL, then enter http filter in wireshark, then select the record of GET / tankxiao HTTP/1.1, right-click and then click "Follow TCP Stream". The purpose of this is to get the data packet related to the browser opening the website, and you will get the following figure

In the figure, you can see that wireshark intercepts three packets of a three-way handshake. The fourth package is HTTP's, which indicates that HTTP does use TCP to establish a connection.

First handshake packet

The client sends a TCP with the flag bit SYN and the serial number 0, which represents the client request to establish a connection. The figure below is as follows

The packet of the second handshake

The server sends back an acknowledgement packet with the flag bit SYN,ACK. Set the confirmation number (Acknowledgement Number) to the customer's I S N plus 1. That is, 0-1-1, as shown below

Packet of the third handshake

The client sends an acknowledgement packet (ACK) again with the SYN flag bit 0 and the ACK flag bit 1. And send the serial number field + 1 of the server to ACK and send it to the other side in the determined field. And write + 1 of ISN in the data segment, as shown below:

In this way, through the TCP three-way handshake, the connection was established.

ARP & ICMP:

Open Wireshark to grab the bag. Open the Windows console window and use the ping command line tool to view the connection to the neighboring machines.

After stopping grabbing the package, the Wireshark is shown in the following figure. ARP and ICMP messages are relatively difficult to read, so create filter conditions that display only ARP or ICMP.

ARP message:

The address resolution protocol, ARP (Address Resolution Protocol), is based on the learned one. Its function is to request ARP to all hosts on the network, receive the return message, determine the physical address of the target, store the IP address and hardware address in the local ARP cache, and query the ARP cache directly when the next request.

The initial ARP request from PC determines the MAC address of IP address 192.168.1.1 and receives an ARP reply from neighboring systems. After the ARP request, you will see the ICMP message.

ICMP message:

Network Control message Protocol (Internet Control Message Protocol,ICMP) is used to send control messages in the network and provide feedback on various problems that may occur in the communication environment. Through this information, managers can diagnose the problems and then take appropriate measures to solve them.

PC sends an echo request and receives an echo reply as shown in the figure above. The ping message is mark into Type 8, and the reply message mark is Type 0.

If you ping the same system multiple times and delete ARP cache on PC, a new ARP request will be generated after using the following ARP command.

HTTP:

HTTP protocol is the most widely used basic protocol at present, which benefits from the fact that many applications are based on WEB, which is easy to implement and easy to deploy, and can be used by browsers without additional clients. This process begins by requesting the server to transfer network files.

A GET command is included in the message visible from the figure above. When HTTP sends the initial GET command, TCP continues the data transfer process, and in the following link process, HTTP requests data from the server and uses TCP to transmit the data back to the client. Before transmitting the data, the server informs the client that the request is valid by sending a HTTP OK message. If the server does not have permission to send the target to the client, it will return 403 Forbidden. If the server cannot find the target requested by the client, it returns 404.

If there is no more data, the connection can be terminated, similar to the SYN and ACK messages of the TCP three-way handshake signal, where FIN and ACK messages are sent. When the server ends transmitting data, it sends a FIN/ACK to the client, which indicates the end of the connection. Next, the client returns the ACK message and adds 1 to the sequence number in the FIN/ACK. This terminates the communication from the server. To end this process, the client must re-initiate the process to the server. The FIN/ACK process must be initiated and confirmed on both the client and the server side.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.