Hacks: Unterschied zwischen den Versionen
Aus exmediawiki
C.heck (Diskussion | Beiträge) |
C.heck (Diskussion | Beiträge) |
||
| Zeile 74: | Zeile 74: | ||
'''Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:''' | '''Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:''' | ||
ip.addr == 192.168.0.1 and (http or ftp or messenger or pop) | ip.addr == 192.168.0.1 and (http or ftp or messenger or pop) | ||
| + | |||
'''This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.''' | '''This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.''' | ||
| Zeile 93: | Zeile 94: | ||
''dns'' --- Show only the traffic for the dns protocol | ''dns'' --- Show only the traffic for the dns protocol | ||
| + | |||
'''Show all http traffic where the url contains the word "string."''' | '''Show all http traffic where the url contains the word "string."''' | ||
Aktuelle Version vom 18. Oktober 2020, 16:02 Uhr
networkscans
$ ping target.com
list ip + macadresses in network
$ arp -a
for ping 256 last ip in your network
nmap -sP 192.168.1.0/24 nmap -T4 -F 192.168.2.0/24
list ip-adresses
$ netstat -r
hostname / computername ?
$ nslookup 192.168.2.119 $ dig -x 192.168.2.119
mein computername $ host `uname -n`
wireshark
passwordsniff
http.request.method == "POST"
Um zu ermitteln, ob ein User im Netz unverschlüsselte E-Mail-Kommunikation betreibt, reicht ein einfacher Capture-Filter:
tcp port 110 or tcp port 25 or tcp port 143
see also: http://www.thegeekstuff.com/2012/07/wireshark-filter/
displays all TCP resets
tcp.flags.reset==1
displays all HTTP GET requests
http.request
displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID
tcp contains traffic
Sets a filter for any packet with 10.0.0.1, as either the source or dest
ip.addr == 10.0.0.1
sets a conversation filter between the two defined IP addresses
ip.addr==10.0.0.1 && ip.addr==10.0.0.2
Match destination: ip.dst == x.x.x.x Match source: ip.src == x.x.x.x Match either: ip.addr == x.x.x.x
$ ping target.com $ arp -a
In the list returned by the arp command, search for the IP address you found with the ping command. Once you have the MAC address – say, "AA:BB:CC:DD:EE:FF" – type in the filter box:
eth.addr == AA:BB:CC:DD:EE:FF
Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:
ip.addr == 192.168.0.1 and (http or ftp or messenger or pop)
This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.
You can capture all such traffic that runs over your network with a specific address or from multiple clients:
ip.addr == 192.168.0 and (http or ftp or messenger or pop)
ip.addr==192.168.0.1 --- Show all traffic from and to 192.168.0.1
tcp.port==80 --- Show all the traffic with 80 as a source or destination port
ip.src==192.168.0.1 and ip.dst==10.100.1.1 --- Show all the traffic that starts from 192.168.0.1 and has as target 10.100.1.1
ftp --- Show only the traffic for the ftp protocol
http --- Show only the traffic for the http protocol
dns --- Show only the traffic for the dns protocol
Show all http traffic where the url contains the word "string."
http.request.uri contains string