流影---开源网络流量分析平台(五)(成果展示)

目录

前沿

攻击过程


前沿

前四章我们已经成功安装了流影的各个功能,那么接下来我们就看看这个开源工具的实力,本实验将进行多个攻击手段(ip扫描,端口扫描,sql注入)攻击靶机,来看看流影的态感效果

攻击过程

首先本实验ens33网卡作为web控制配置,ens34作为靶机的受体,我们把探针部署在ens34网卡上并启动

css 复制代码
[root@localhost ~]# lyprobe -T "%IN_SRC_MAC %OUT_DST_MAC %IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %SRC_TOS %IN_PKTS %IN_BYTES %SRV_TYPE %SRV_NAME %SRV_VERS %DEV_TYPE %DEV_NAME %DEV_VEND %DEV_VERS %OS_TYPE %OS_NAME %OS_VERS %MID_TYPE %MID_NAME %MID_VERS %THREAT_TYPE %THREAT_NAME %THREAT_VERS %SRV_TIME %DEV_TIME %OS_TIME %MID_TIME %THREAT_TIME" -n 127.0.0.1:9995 -e 0 -w 32768 -G -i ens34  #这里作为输入命令


03/Apr/2025 01:05:16 [nprobe.c:2374] Welcome to lyprobe v.1.0.0 ($Revision: 2212 $) for x86_64-unknown-linux-gnu 
03/Apr/2025 01:05:16 [plugin.c:145] Loading plugins from ./plugins ...... Not Found.
03/Apr/2025 01:05:16 [plugin.c:150] Loading plugins from /bin/plugins ...... Loaded.
03/Apr/2025 01:05:16 [servicePlugin.c:766] No pattern found in ./fp-patterns
03/Apr/2025 01:05:16 [servicePlugin.c:763] Load pattern in /bin/plugins/fp-patterns
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 44 protocol patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 15 device patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 16 os patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 25 midware patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 16 threat patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:792] >>Loaded 116 patterns totally.
03/Apr/2025 01:05:16 [plugin.c:585] 1 plugin(s) enabled
03/Apr/2025 01:05:16 [nprobe.c:3564] Capturing packets from interface ens34

同时打开/etc/rc.local文件,确定有以下内容

Delphi 复制代码
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local
modprobe  pf_ring
lyprobe -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %DNS_REQ_DOMAIN %DNS_REQ_TYPE %HTTP_URL %HTTP_REQ_METHOD %HTTP_HOST %HTTP_MIME %HTTP_RET_CODE %SRV_TYPE %SRV_NAME %SRV_VERS %DEV_TYPE %DEV_NAME %DEV_VEND %DEV_VERS %OS_TYPE %OS_NAME %OS_VERS %MID_TYPE %MID_NAME %MID_VERS %THREAT_TYPE %THREAT_NAME %THREAT_VERS %ICMP_DATA %ICMP_SEQ_NUM %ICMP_PAYLOAD_LEN %SRV_TIME %DEV_TIME %OS_TIME %MID_TIME %THREAT_TIME" -i ens34 -n 172.20.10.4:9995 -G -e 0 -w 32768 -k 1 -K /data/cap/3
/Agent/bin/nfcapd -w -D -l /data/flow/3 -p 9995
~                                                    

然后查看进程

Delphi 复制代码
[root@localhost ~]# ps aux |grep lyprobe   #查看lyprobe探针是否启动
root       1299  0.0  0.2 303584  9912 ?        Ssl  4月02   0:13 lyprobe -T %IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %DNS_REQ_DOMAIN %DNS_REQ_TYPE %HTTP_URL %HTTP_REQ_METHOD %HTTP_HOST %HTTP_MIME %HTTP_RET_CODE %SRV_TYPE %SRV_NAME %SRV_VERS %DEV_TYPE %DEV_NAME %DEV_VEND %DEV_VERS %OS_TYPE %OS_NAME %OS_VERS %MID_TYPE %MID_NAME %MID_VERS %THREAT_TYPE %THREAT_NAME %THREAT_VERS %ICMP_DATA %ICMP_SEQ_NUM %ICMP_PAYLOAD_LEN %SRV_TIME %DEV_TIME %OS_TIME %MID_TIME %THREAT_TIME -i ens34 -n 172.20.10.4:9995 -G -e 0 -w 32768 -k 1 -K /data/cap/3
root      10292  0.1  0.1 303584  7200 ?        Ssl  01:05   0:00 lyprobe -T %IN_SRC_MAC %OUT_DST_MAC %IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %SRC_TOS %IN_PKTS %IN_BYTES %SRV_TYPE %SRV_NAME %SRV_VERS %DEV_TYPE %DEV_NAME %DEV_VEND %DEV_VERS %OS_TYPE %OS_NAME %OS_VERS %MID_TYPE %MID_NAME %MID_VERS %THREAT_TYPE %THREAT_NAME %THREAT_VERS %SRV_TIME %DEV_TIME %OS_TIME %MID_TIME %THREAT_TIME -n 127.0.0.1:9995 -e 0 -w 32768 -G -i ens34
root      10300  0.0  0.0 112828   980 pts/2    S+   01:08   0:00 grep --color=auto lyprobe


[root@localhost ~]# ps aux |grep nfcapd    #查看nfcapd分析工具是否启动
root       1317  0.0  0.1  21348  4164 ?        S    4月02   0:00 /Agent/bin/nfcapd -w -D -l /data/flow/3 -p 9995
root      10388  0.0  0.0 112828   980 pts/2    S+   01:10   0:00 grep --color=auto nfcapd

然后浏览器输入http://ip地址:18080/ui,

点击配置> 规则,对各种规则进行设置(ip设置为0.0.0.0,流量如果小的话,阈值可以设置低点,要不然效果不明显,)关于规则具体的参数建议都设置小点(如果用的是流量包回放),不会的看官方文档:流影: 系统配置

然后导入流量包,我这里使用的是tcpreplay回放工具,可以先安装

Delphi 复制代码
# 安装tcpreplay回放工具
sudo yum install epel-release
sudo yum install tcpreplay


# 然后导入流量包(流量包在我前面的文章中有)
[root@localhost ~]# cd pcap_file
[root@localhost pcap_file]# ls
dnstun_cobalt_strike.pcap  ip_scan.pcap        mining_monerohash.pcap  sql_inject.pcap
icmptun_ptunnel_ssh.pcap   mining_common.pcap  port_scan.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 dnstun_cobalt_strike.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 ip_scan.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 mining_monerohash.pcap
[root@localhost pcap_file]# tcpreplay -i ens34sql_inject.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 icmptun_ptunnel_ssh.pcap 
[root@localhost pcap_file]# tcpreplay -i ens34 mining_common.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 port_scan.pcap

查看

相关推荐
写代码的小王吧1 小时前
【安全】Web渗透测试(全流程)_渗透测试学习流程图
linux·前端·网络·学习·安全·网络安全·ssh
zkmall2 小时前
HikariCP 源码核心设计解析与 ZKmall开源商城场景调优实践
spring boot·开源
FIT2CLOUD飞致云2 小时前
全面支持MCP协议,开启便捷连接之旅,MaxKB知识库问答系统v1.10.3 LTS版本发布
人工智能·开源
GalaxyPokemon2 小时前
Muduo网络库实现 [七] - Connection模块
linux·服务器·网络
sniper_fandc4 小时前
网络编程—Socket套接字(TCP)
网络·tcp/ip·javaee
the_nov4 小时前
19.TCP相关实验
linux·服务器·网络·c++·tcp/ip
林中伊人4 小时前
家庭路由器wifi设置LAN2LAN和LAN2WAN
网络·路由器
XYN615 小时前
【嵌入式学习3】基于python的tcp客户端、服务器
服务器·开发语言·网络·笔记·python·学习·tcp/ip
the_nov5 小时前
20.IP协议
linux·服务器·网络·c++·tcp/ip
奋斗者1号5 小时前
嵌入式AI开源生态指南:从框架到应用的全面解析
人工智能·开源