Hacks: Difference between revisions
From exmediawiki
C.heck (Talk | contribs) (Created page with "=networkscans= ''ping target.com'' list ip + macadresses in network ''arp -a'' for ping 256 last ip in your network ''nmap -sP 192.168.1.0/24'' ''nma…")
C.heck (Talk | contribs)
(One intermediate revision by the same user not shown)
Zeile 1: | Zeile 1: | ||
=networkscans= | =networkscans= | ||
− | ''ping target.com'' | + | ''$ ping target.com'' |
− | |||
− | |||
− | for ping 256 last ip in your network | + | '''list ip + macadresses in network''' |
+ | ''$ arp -a'' | ||
+ | |||
+ | |||
+ | '''for ping 256 last ip in your network''' | ||
''nmap -sP 192.168.1.0/24'' | ''nmap -sP 192.168.1.0/24'' | ||
''nmap -T4 -F 192.168.2.0/24'' | ''nmap -T4 -F 192.168.2.0/24'' | ||
− | |||
− | |||
− | + | '''list ip-adresses''' | |
− | + | ''$ netstat -r'' | |
− | '' | ||
− | mein computername | + | |
− | ''host `uname -n`'' | + | '''hostname / computername ?''' |
+ | ''$ nslookup 192.168.2.119'' | ||
+ | ''$ dig -x 192.168.2.119'' | ||
+ | |||
+ | |||
+ | '''mein computername''' | ||
+ | ''$ host `uname -n`'' | ||
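Review bot: The new heading '''list ip-adresses''' sits over ''$ netstat -r'', which prints the routing table rather than a list of addresses; rename the heading (for example "show routing table") or put a command under it that actually lists addresses. The "$ " prompt is added to the ping, arp, netstat, nslookup, dig and host lines but not to the two unchanged nmap lines, so the section ends up mixing both styles. "macadresses" and "ip-adresses" are misspelled, and "mein computername" is the only German heading in an otherwise English list.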
Zeile 25: | Zeile 30: | ||
==wireshark== | ==wireshark== | ||
− | + | '''passwordsniff''' | |
''http.request.method == "POST"'' | ''http.request.method == "POST"'' | ||
− | + | ||
+ | '''Um zu ermitteln, ob ein User im Netz unverschlüsselte E-Mail-Kommunikation betreibt, reicht ein einfacher Capture-Filter:''' | ||
''tcp port 110 or tcp port 25 or tcp port 143'' | ''tcp port 110 or tcp port 25 or tcp port 143'' | ||
− | + | see also: http://www.thegeekstuff.com/2012/07/wireshark-filter/ | |
+ | |||
− | + | '''displays all TCP resets''' | |
''tcp.flags.reset==1'' | ''tcp.flags.reset==1'' | ||
− | + | ||
+ | '''displays all HTTP GET requests''' | ||
''http.request'' | ''http.request'' | ||
− | + | ||
+ | '''displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID''' | ||
''tcp contains traffic'' | ''tcp contains traffic'' | ||
− | + | ||
+ | '''Sets a filter for any packet with 10.0.0.1, as either the source or dest''' | ||
''ip.addr == 10.0.0.1'' | ''ip.addr == 10.0.0.1'' | ||
− | + | ||
+ | '''sets a conversation filter between the two defined IP addresses''' | ||
''ip.addr==10.0.0.1 && ip.addr==10.0.0.2'' | ''ip.addr==10.0.0.1 && ip.addr==10.0.0.2'' | ||
Match destination: ''ip.dst == x.x.x.x'' | Match destination: ''ip.dst == x.x.x.x'' | ||
Match source: ''ip.src == x.x.x.x'' | Match source: ''ip.src == x.x.x.x'' | ||
− | Match either: ''ip.addr == x.x.x.x | + | Match either: ''ip.addr == x.x.x.x'' |
− | '' | + | |
---- | ---- | ||
− | ''ping target.com'' | + | ''$ ping target.com'' |
− | ''arp -a'' | + | ''$ arp -a'' |
− | + | ||
+ | '''In the list returned by the arp command, search for the IP address you found with the ping command. Once you have the MAC address – say, "AA:BB:CC:DD:EE:FF" – type in the filter box:''' | ||
''eth.addr == AA:BB:CC:DD:EE:FF'' | ''eth.addr == AA:BB:CC:DD:EE:FF'' | ||
− | + | ||
+ | '''Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:''' | ||
ip.addr == 192.168.0.1 and (http or ftp or messenger or pop) | ip.addr == 192.168.0.1 and (http or ftp or messenger or pop) | ||
− | + | ||
− | + | '''This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.''' | |
+ | |||
+ | |||
+ | '''You can capture all such traffic that runs over your network with a specific address or from multiple clients:''' | ||
ip.addr == 192.168.0 and (http or ftp or messenger or pop) | ip.addr == 192.168.0 and (http or ftp or messenger or pop) | ||
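Review bot: The unchanged last line, ip.addr == 192.168.0 and (http or ftp or messenger or pop), compares ip.addr with an incomplete IPv4 address, while the heading added just above it promises traffic "from multiple clients"; a subnet match such as ip.addr == 192.168.0.0/24 would do what the heading says. The new heading "displays all HTTP GET requests" is narrower than its filter, since http.request matches every request method; either reword the heading or use http.request.method == "GET". The two long ip.addr filters are also the only filters in this hunk left without the '' markup.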
Zeile 79: | Zeile 95: | ||
''dns'' --- Show only the traffic for the dns protocol | ''dns'' --- Show only the traffic for the dns protocol | ||
− | + | ||
+ | '''Show all http traffic where the url contains the word "string."''' | ||
''http.request.uri contains string'' | ''http.request.uri contains string'' | ||
[[Category:Hacking]] | [[Category:Hacking]] |
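Review bot: The added heading is bold on its own line, while the unchanged dns entry directly above it uses the ''filter'' --- description form, so this entry breaks the layout of the list it joins; writing it as ''http.request.uri contains string'' --- Show all http traffic where the url contains the word "string" would keep the list uniform. The full stop inside the quotes ("string.") also does not match the filter, which searches for string without it.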
Latest revision as of 18 October 2020, 15:02
networkscans
$ ping target.com
list IP + MAC addresses in network
$ arp -a
ping all 256 addresses in the last octet of your network
nmap -sP 192.168.1.0/24
nmap -T4 -F 192.168.2.0/24
list IP addresses
$ netstat -r
hostname / computername ?
$ nslookup 192.168.2.119
$ dig -x 192.168.2.119
my computer name
$ host `uname -n`
wireshark
passwordsniff
http.request.method == "POST"
To determine whether a user on the network is using unencrypted e-mail communication, a simple capture filter is enough:
tcp port 110 or tcp port 25 or tcp port 143
see also: http://www.thegeekstuff.com/2012/07/wireshark-filter/
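A way to summarise what that capture filter catches, as an added example that is not part of the original page: it reads per-packet fields exported by tshark and lists which client talked to which server on the plain-text mail ports. The function names, the file name mail.pcap and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise clients using the plain-text mail ports 25/110/143.
# Input: tab-separated ip.src, ip.dst, tcp.dstport, e.g. exported with
#   tshark -r mail.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport
# (mail.pcap is a placeholder name for a capture taken with the filter above).

# Constructed sample rows; 203.0.113.x are documentation addresses.
sample_fields() {
    printf '%s\t%s\t%s\n' \
        192.168.2.119 203.0.113.10 110 \
        203.0.113.10 192.168.2.119 51514 \
        192.168.2.119 203.0.113.10 110 \
        192.168.2.120 203.0.113.25 25 \
        192.168.2.119 203.0.113.10 993 \
        192.168.2.121 203.0.113.10 143
}

# Prints "client protocol server packets", one line per conversation.
# Only packets *to* a mail port are counted, so the first column is always
# the client; server replies (mail port as source) and port 993 are ignored.
cleartext_mail_clients() {
    awk -F '\t' '
        BEGIN { proto[25] = "SMTP"; proto[110] = "POP3"; proto[143] = "IMAP" }
        ($3 in proto) { n[$1 " " proto[$3] " " $2]++ }
        END { for (k in n) print k, n[k] }
    ' | sort
}

sample_fields | cleartext_mail_clients
```

A hit on these ports is a reason to look at the stream, not proof of clear text: SMTP, POP3 and IMAP sessions on 25, 110 and 143 can be upgraded with STARTTLS/STLS after connecting.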
displays all TCP resets
tcp.flags.reset==1
displays all HTTP GET requests
http.request
displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID
tcp contains traffic
Sets a filter for any packet with 10.0.0.1 as either the source or the destination
ip.addr == 10.0.0.1
sets a conversation filter between the two defined IP addresses
ip.addr==10.0.0.1 && ip.addr==10.0.0.2
Match destination: ip.dst == x.x.x.x
Match source: ip.src == x.x.x.x
Match either: ip.addr == x.x.x.x
$ ping target.com
$ arp -a
In the list returned by the arp command, search for the IP address you found with the ping command. Once you have the MAC address – say, "AA:BB:CC:DD:EE:FF" – type in the filter box:
eth.addr == AA:BB:CC:DD:EE:FF
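The ping, arp and filter steps above as a small script, an added example that is not part of the original page: it looks up one IP in `arp -a` output and prints the matching eth.addr filter. The function names and the sample ARP table are constructed, and the parser assumes the Unix-style `name (ip) at mac ...` layout (Linux net-tools, macOS, BSD).

```shell
#!/bin/sh
# Added example: turn an `arp -a` entry into a Wireshark display filter.

# Constructed sample of `arp -a` output (Linux and macOS style lines).
sample_arp_table() {
cat <<'EOF'
router.lan (192.168.2.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.2.119) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.2.120) at <incomplete> on eth0
? (192.168.2.11) at 0:1c:b3:9:85:15 on en0 ifscope [ethernet]
EOF
}

# mac_for_ip IP: read `arp -a` output on stdin, print the MAC for exactly
# that IP as AA:BB:CC:DD:EE:FF. Fails for unknown or unresolved entries.
mac_for_ip() {
    awk -v ip="($1)" '
        $2 == ip {                      # exact match: .11 must not hit .119
            n = split($4, o, ":")
            if (n != 6) exit            # e.g. <incomplete>
            mac = ""
            for (i = 1; i <= 6; i++) {
                if (o[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) exit
                if (length(o[i]) == 1) o[i] = "0" o[i]  # macOS drops leading zeros
                mac = mac (i > 1 ? ":" : "") toupper(o[i])
            }
            print mac; ok = 1; exit
        }
        END { exit (ok ? 0 : 1) }
    '
}

# eth_filter_for_ip IP: same input, prints the display filter for that host.
eth_filter_for_ip() {
    mac=$(mac_for_ip "$1") || return 1
    printf 'eth.addr == %s\n' "$mac"
}

# On a live system: arp -a | eth_filter_for_ip 192.168.2.119
sample_arp_table | eth_filter_for_ip 192.168.2.119
```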
Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:
ip.addr == 192.168.0.1 and (http or ftp or messenger or pop)
This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.
You can capture all such traffic that runs over your network with a specific address or from multiple clients:
ip.addr == 192.168.0.0/24 and (http or ftp or messenger or pop)
ip.addr==192.168.0.1 --- Show all traffic from and to 192.168.0.1
tcp.port==80 --- Show all the traffic with 80 as a source or destination port
ip.src==192.168.0.1 and ip.dst==10.100.1.1 --- Show all the traffic that starts from 192.168.0.1 and has as target 10.100.1.1
ftp --- Show only the traffic for the ftp protocol
http --- Show only the traffic for the http protocol
dns --- Show only the traffic for the dns protocol
Show all http traffic where the url contains the word "string."
http.request.uri contains string