用Scapy python识别telnet协议
Mic*_*rog 5 python telnet scapy
我正在用 Scapy 读取 Pcap 文件。如何识别在这个 pcap 文件中是否有使用 Telnet 协议的数据包?
我看到只有当这些端口中的一个是 23 时,Scapy 才能将“telnet”写入 dport/sport,但是如果我使用另一个端口进行 Telnet,我如何通过 Scapy 识别这一点?
@TimRoberts 在评论中表示“Telnet 与其他 TCP 协议没有区别”。这在某种程度上是正确的,因为所有 TCP 数据包都使用相同的结构,这在多个互联网工程任务组 (IETF) 征求意见 (RFC) 文档中进行了概述:
这是 TCP 数据包的结构。
常见的应用协议如超文本传输协议(HTTP)、文件传输协议(FTP)、Telnet等都采用这种结构。
关于Telnet应用协议。正如您所知,telnet 协议的官方端口分配是端口 23。大多数供应商都遵守此端口标准,这就是为什么“只有其中 1 个端口为 23 时,Scapy 才能将 'telnet' 写入 dport/sport”。
这是使用端口 23 的 Telnet 会话的 TCP 层:
Layer TCP:
Source Port: 1254
Destination Port: 23
Stream index: 0
TCP Segment Len: 0
Sequence number: 0 (relative sequence number)
Sequence number (raw): 72603759
Next sequence number: 1 (relative sequence number)
Acknowledgment number: 0
Acknowledgment number (raw): 0
1010 .... = Header Length: 40 bytes (10)
Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
Expert Info (Chat/Sequence): Connection establish request (SYN): server port 23
Connection establish request (SYN): server port 23
Severity level: Chat
Group: Sequence
.... .... ...0 = Fin: Not set
TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7S\xc2\xb7
Window size value: 32120
Calculated window size: 32120
Checksum: 0x5d40 [unverified]
Checksum Status: Unverified
Urgent pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
TCP Option - Maximum segment size: 1460 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
TCP Option - SACK permitted
TCP Option - Timestamps: TSval 1444389, TSecr 0
Timestamp value: 1444389
Timestamp echo reply: 0
TCP Option - No-Operation (NOP)
TCP Option - Window scale: 0 (multiply by 1)
Shift count: 0
Multiplier: 1
Timestamps
Time since first frame in this TCP stream: 0.000000000 seconds
Time since previous frame in this TCP stream: 0.000000000 seconds
Kind: SACK Permitted (4)
Kind: Time Stamp Option (8)
Kind: No-Operation (1)
Kind: Window Scale (3)
Length: 2
Length: 10
Length: 3
这是使用端口 3005 的 Telnet 会话的 TCP 层:
Layer TCP:
Source Port: 52187
Destination Port: 3005
Stream index: 0
TCP Segment Len: 0
Sequence number: 0 (relative sequence number)
Sequence number (raw): 1355255000
Next sequence number: 1 (relative sequence number)
Acknowledgment number: 0
Acknowledgment number (raw): 0
1011 .... = Header Length: 44 bytes (11)
Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
Expert Info (Chat/Sequence): Connection establish request (SYN): server port 3005
Connection establish request (SYN): server port 3005
Severity level: Chat
Group: Sequence
.... .... ...0 = Fin: Not set
TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7S\xc2\xb7
Window size value: 65535
Calculated window size: 65535
Checksum: 0x0afb [unverified]
Checksum Status: Unverified
Urgent pointer: 0
Options: (24 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), Timestamps, SACK permitted, End of Option List (EOL)
TCP Option - Maximum segment size: 1460 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
TCP Option - No-Operation (NOP)
TCP Option - Window scale: 6 (multiply by 64)
Shift count: 6
Multiplier: 64
TCP Option - Timestamps: TSval 3609205717, TSecr 0
Timestamp value: 3609205717
Timestamp echo reply: 0
TCP Option - SACK permitted
TCP Option - End of Option List (EOL)
Timestamps
Time since first frame in this TCP stream: 0.000000000 seconds
Time since previous frame in this TCP stream: 0.000000000 seconds
Kind: No-Operation (1)
Kind: Window Scale (3)
Kind: No-Operation (1)
Kind: No-Operation (1)
Kind: Time Stamp Option (8)
Kind: SACK Permitted (4)
Kind: End of Option List (0)
Length: 3
Length: 10
Length: 2
TCP Option - No-Operation (NOP)
TCP Option - No-Operation (NOP)
这是使用端口 21 的 FTP 会话的 TCP 层:
Layer TCP:
Source Port: 35974
Destination Port: 21
Stream index: 0
TCP Segment Len: 0
Sequence number: 0 (relative sequence number)
Sequence number (raw): 29473206
Next sequence number: 1 (relative sequence number)
Acknowledgment number: 0
Acknowledgment number (raw): 0
1010 .... = Header Length: 40 bytes (10)
Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
Expert Info (Chat/Sequence): Connection establish request (SYN): server port 21
Connection establish request (SYN): server port 21
Severity level: Chat
Group: Sequence
.... .... ...0 = Fin: Not set
TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7S\xc2\xb7
Window size value: 32648
Calculated window size: 32648
Checksum: 0x8fda [unverified]
Checksum Status: Unverified
Urgent pointer: 0
Options: (20 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - Maximum segment size: 1380 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1380
TCP Option - No-Operation (NOP)
TCP Option - Window scale: 0 (multiply by 1)
Shift count: 0
Multiplier: 1
TCP Option - Timestamps: TSval 1657560000, TSecr 0
Timestamp value: 1657560000
Timestamp echo reply: 0
Timestamps
Time since first frame in this TCP stream: 0.000000000 seconds
Time since previous frame in this TCP stream: 0.000000000 seconds
Kind: No-Operation (1)
Kind: Window Scale (3)
Kind: No-Operation (1)
Kind: No-Operation (1)
Kind: Time Stamp Option (8)
Length: 3
Length: 10
TCP Option - No-Operation (NOP)
TCP Option - No-Operation (NOP)
这是使用端口 22 的 SSH 会话的 TCP 层:
Layer TCP:
Source Port: 57732
Destination Port: 22
Stream index: 0
TCP Segment Len: 0
Sequence number: 0 (relative sequence number)
Sequence number (raw): 71043058
Next sequence number: 1 (relative sequence number)
Acknowledgment number: 0
Acknowledgment number (raw): 0
1011 .... = Header Length: 44 bytes (11)
Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
Expert Info (Chat/Sequence): Connection establish request (SYN): server port 22
Connection establish request (SYN): server port 22
Severity level: Chat
Group: Sequence
.... .... ...0 = Fin: Not set
TCP Flags: \xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7S\xc2\xb7
Window size value: 65535
Calculated window size: 65535
Checksum: 0xd079 [unverified]
Checksum Status: Unverified
Urgent pointer: 0
Options: (24 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), Timestamps, SACK permitted, End of Option List (EOL)
TCP Option - Maximum segment size: 1460 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
TCP Option - No-Operation (NOP)
TCP Option - Window scale: 6 (multiply by 64)
Shift count: 6
Multiplier: 64
TCP Option - Timestamps: TSval 1452973307, TSecr 0
Timestamp value: 1452973307
Timestamp echo reply: 0
TCP Option - SACK permitted
TCP Option - End of Option List (EOL)
Timestamps
Time since first frame in this TCP stream: 0.000000000 seconds
Time since previous frame in this TCP stream: 0.000000000 seconds
Kind: No-Operation (1)
Kind: Window Scale (3)
Kind: No-Operation (1)
Kind: No-Operation (1)
Kind: Time Stamp Option (8)
Kind: SACK Permitted (4)
Kind: End of Option List (0)
Length: 3
Length: 10
Length: 2
TCP Option - No-Operation (NOP)
TCP Option - No-Operation (NOP)
如前所述,这些 TCP 层几乎无法区分。因此,尝试单独使用 TCP 层将很难确定端口 23 以外的端口上的 Telnet 会话。因此,尝试使用 Scapy 来识别这些会话而不进行更深入的数据包分析将非常困难。
您可以分析 TCP 数据包的数据层,以确定连接是否是 Telnet 会话。这又需要大量的努力,除非您已经进行了一定程度的流量分析。
使用 Python 模块 pyshark 从数据层提取内容。
通过端口 23 的 Telnet 会话:
import pyshark
# the pcap is a Telnet session over port 23
capture = pyshark.FileCapture('telnet-raw.pcap')
for packet in capture:
if hasattr(packet, 'tcp'):
layers = packet.layers
# 0 1 2 3
# [<ETH Layer>, <IP Layer>, <TCP Layer>, <DATA Layer>]
if len(layers) > 3:
payload = packet.tcp.payload
有效负载输出为十六进制
truncated...
ff:fb:01:ff:fa:21:02:ff:f0:ff:fc:01
ff:fd:01:ff:fe:01
ff:fa:22:03:05:80:00:11:80:00:12:80:00:ff:f0
0d:0a:4f:70:65:6e:42:53:44:2f:69:33:38:36:20:28:6f:6f:66:29:20:28:74:74:79:70:31:29:0d:0a:0d:0a
6c:6f:67:69:6e:3a:20
ff:fc:22:ff:fd:01
truncated...
输出中的第 4 个和第 5 个十六进制字符串对于破译可能发生的 TCP 连接类型非常重要。
import binascii
hex_data = '0d:0a:4f:70:65:6e:42:53:44:2f:69:33:38:36:20:28:6f:6f:66:29:20:28:74:74:79:70:31:29:0d:0a:0d:0a6c:6f:67:69:6e:3a:20 '
hex_string = ' '.join(hex_data.split('0d:0a')).replace(':', '')
hex_list = hex_string.split()
for item in hex_list:
decoded_string = binascii.unhexlify(item)
print(decoded_string)
# output
b'OpenBSD/i386 (oof) (ttyp1)'
b'login: '
解码十六进制后,我们可以看到身份验证是通过端口 23 进行的。
通过端口 3005 的 Telnet 会话:
import pyshark
# the pcap is a Telnet session over port 3005
capture = pyshark.FileCapture('telnet-pcap-1.pcapng')
for packet in capture:
if hasattr(packet, 'tcp'):
layers = packet.layers
# 0 1 2 3
# [<ETH Layer>, <IP Layer>, <TCP Layer>, <DATA Layer>]
if len(layers) > 3:
payload = packet.tcp.payload
有效负载输出为十六进制
ff:fb:01:ff:fb:03:ff:fd:18:ff:fd:1f
ff:fd:01:ff:fd:03:ff:fb:18:ff:fb:1f:ff:fa:1f:00:97:00:2f:ff:f0
0d:0a:55:73:65:72:20:41:63:63:65:73:73:20:56:65:72:69:66:69:63:61:74:69:6f:6e:0d:0a:0d:0a:55:73:65:72:6e:61:6d:65:3a:20
ff:fa:18:01:ff:f0
ff:fa:18:00:58:54:45:52:4d:2d:32:35:36:43:4f:4c:4f:52:ff:f0
truncated...
输出中的第三个十六进制字符串对于破译可能发生的 TCP 连接类型非常重要。
import binascii
hex_data = '0d:0a:55:73:65:72:20:41:63:63:65:73:73:20:56:65:72:69:66:69:63:61:74:69:6f:6e:0d:0a:0d:0a:55:73:65:72:6e:61:6d:65:3a:20'
# removing line breaks from the hex string
hex_string = ' '.join(hex_data.split('0d:0a')).replace(':', '')
hex_list = hex_string.split()
for item in hex_list:
decoded_string = binascii.unhexlify(item)
print(decoded_string)
# output
b'User Access Verification'
b'Username: '
解码十六进制后,我们可以看到端口 3005 上正在发生某种类型的身份验证。需要进行额外的分析来确定此会话是 Telnet 会话还是其他会话。