Aktionen

Hacks: Unterschied zwischen den Versionen

Aus exmediawiki

 
Zeile 74: Zeile 74:
 
'''Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:'''
 
'''Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:'''
 
  ip.addr == 192.168.0.1 and (http or ftp or messenger or pop)
 
  ip.addr == 192.168.0.1 and (http or ftp or messenger or pop)
 +
 
'''This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.'''
 
'''This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.'''
  
Zeile 93: Zeile 94:
  
 
  ''dns'' --- Show only the traffic for the dns protocol
 
  ''dns'' --- Show only the traffic for the dns protocol
 +
  
 
'''Show all http traffic where the url contains the word "string."'''
 
'''Show all http traffic where the url contains the word "string."'''

Aktuelle Version vom 18. Oktober 2020, 15:02 Uhr

networkscans

$ ping target.com


list ip + macadresses in network

$ arp -a


for ping 256 last ip in your network

nmap -sP 192.168.1.0/24 
nmap -T4 -F 192.168.2.0/24


list ip-adresses

$ netstat -r


hostname / computername ?

$ nslookup 192.168.2.119
$ dig -x 192.168.2.119


mein computername
$ host `uname -n`



wireshark

passwordsniff

http.request.method == "POST"


Um zu ermitteln, ob ein User im Netz unverschlüsselte E-Mail-Kommunikation betreibt, reicht ein einfacher Capture-Filter:

tcp port 110 or tcp port 25 or tcp port 143

see also: http://www.thegeekstuff.com/2012/07/wireshark-filter/


displays all TCP resets

tcp.flags.reset==1 


displays all HTTP GET requests

http.request 


displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID

tcp contains traffic 


Sets a filter for any packet with 10.0.0.1, as either the source or dest

ip.addr == 10.0.0.1 


sets a conversation filter between the two defined IP addresses

ip.addr==10.0.0.1  && ip.addr==10.0.0.2 
Match destination: ip.dst == x.x.x.x
Match source: ip.src == x.x.x.x
Match either: ip.addr == x.x.x.x

$ ping target.com
$ arp -a

In the list returned by the arp command, search for the IP address you found with the ping command. Once you have the MAC address – say, "AA:BB:CC:DD:EE:FF" – type in the filter box:

eth.addr == AA:BB:CC:DD:EE:FF


Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:

ip.addr == 192.168.0.1 and (http or ftp or messenger or pop)

This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.


You can capture all such traffic that runs over your network with a specific address or from multiple clients:

ip.addr == 192.168.0 and (http or ftp or messenger or pop)

ip.addr==192.168.0.1 --- Show all traffic from and to 192.168.0.1
tcp.port==80 --- Show all the traffic with 80 as a source or destination port
ip.src==192.168.0.1 and ip.dst==10.100.1.1 --- Show all the traffic that starts from 192.168.0.1 and has as target 10.100.1.1
ftp --- Show only the traffic for the ftp protocol
http --- Show only the traffic for the http protocol
dns --- Show only the traffic for the dns protocol


Show all http traffic where the url contains the word "string."

http.request.uri contains string