So far we have seen the many ways of using Tshark. For example:
Tshark: Follow TCP Stream in CLI mode via tshark statistics, GeoIP geolocation via Column format/proto.colinfo, SMB/CIFS - NetBIOS event analysis, remote packet capture, Column format using %Cus and tcp.stream, frame/frame.protocols filtering, COUNT, SUM, MIN, MAX and AVG statistics, XML/RSS filters and statistics, HTTP filters, network troubleshooting, SMTP mail analysis, detecting file deletions on our network, filters and statistics, and so on.
This time we will look at a way of extracting very specific information: PNG / JPG / GIF images, and correlating them with other HTTP information. Something basic to kick off this new "season" of articles.
Basic extraction: first step.
We could run tshark with a basic HTTP filter (the output below is an excerpt):
tshark -r2015-10-28-traffic-analysis-exercise.pcap -Y'http'
5555 171.770016 172.16.124.217 -> www.mortgagejaw.com HTTP 413 GET /wp-content/uploads/2012/10/nature_graphics-300x250.jpg HTTP/1.1
5589 171.880612 www.mortgagejaw.com -> 172.16.124.217 HTTP 1380 HTTP/1.1 200 OK (JPEG JFIF image)
5593 171.915865 172.16.124.217 -> pagead46.l.doubleclick.net HTTP 370 GET /pagead/show_ads.js HTTP/1.1
5597 171.968920 www.mortgagejaw.com -> 172.16.124.217 HTTP 1039 HTTP/1.1 200 OK (application/javascript)
5688 172.034720 172.16.124.217 -> www.mortgagejaw.com HTTP 407 GET /wp-content/themes/FREEmium/img/search_submit.png HTTP/1.1
5689 172.044679 172.16.124.217 -> www.mortgagejaw.com HTTP 409 GET /wp-content/themes/FREEmium/img/content_main_bg.png HTTP/1.1
5708 172.110960 pagead46.l.doubleclick.net -> 172.16.124.217 HTTP 530 HTTP/1.1 200 OK (text/javascript)
5718 172.177910 172.16.124.217 -> pagead46.l.doubleclick.net HTTP 398 GET /pagead/js/r20151020/r20151006/show_ads_impl.js HTTP/1.1
5722 172.187818 www.mortgagejaw.com -> 172.16.124.217 HTTP 668 HTTP/1.1 200 OK (JPEG JFIF image)
5725 172.188898 172.16.124.217 -> www.mortgagejaw.com HTTP 404 GET /wp-content/themes/FREEmium/img/background.png HTTP/1.1
5736 172.199990 www.mortgagejaw.com -> 172.16.124.217 HTTP 1059 HTTP/1.1 200 OK (JPEG JFIF image)
5743 172.201611 www.mortgagejaw.com -> 172.16.124.217 HTTP 1217 HTTP/1.1 200 OK (JPEG JFIF image)
5745 172.209545 172.16.124.217 -> www.mortgagejaw.com HTTP 397 GET /wp-content/themes/FREEmium/img/rss.png HTTP/1.1
5746 172.209778 172.16.124.217 -> www.mortgagejaw.com HTTP 398 GET /wp-content/themes/FREEmium/img/date.png HTTP/1.1
5752 172.215326 www.mortgagejaw.com -> 172.16.124.217 HTTP 810 HTTP/1.1 200 OK (JPEG JFIF image)
5755 172.216091 172.16.124.217 -> www.mortgagejaw.com HTTP 407 GET /wp-content/themes/FREEmium/img/menu_selected.gif HTTP/1.1
5759 172.290471 www.mortgagejaw.com -> 172.16.124.217 HTTP 765 HTTP/1.1 200 OK (PNG)
5761 172.304076 www.mortgagejaw.com -> 172.16.124.217 HTTP 489 HTTP/1.1 200 OK (PNG)
5766 172.308370 172.16.124.217 -> www.mortgagejaw.com HTTP 406 GET /wp-content/themes/FREEmium/img/search_input.gif HTTP/1.1
5770 172.312570 172.16.124.217 -> www.mortgagejaw.com HTTP 403 GET /wp-content/themes/FREEmium/img/highlight.gif HTTP/1.1
We can see traces of PNG and JPG images in the output, for example, but little more. Let's refine it with filters and extraction techniques we have already seen. For the PNGs we want to know which software was used to create them, the compression method, the URL they appear at, and so on.
tshark -r2015-10-28-traffic-analysis-exercise.pcap -Y'png' -o gui.column.format:'"IPOrigen","%Cus:ip.src", "IPDest", "%Cus:ip.dst", "png1","%Cus:png.text.keyword", "png2","%Cus:png.text.string", "png3", "%Cus:png.ihdr.compression_method", "http","%Cus:http.request.uri"'
we get the following (columns: IPOrigen, IPDest, png1, png2, png3, http; empty columns are left blank):
204.79.197.200  172.16.124.217  Software,Creation Time  Adobe Fireworks CS6,06/23/15  Deflate
204.79.197.200  172.16.124.217                          Deflate
204.79.197.200  172.16.124.217                          Deflate
187.17.111.99   172.16.124.217  Software  Adobe ImageReady  Deflate
187.17.111.99   172.16.124.217                          Deflate
187.17.111.99   172.16.124.217  Software  Adobe ImageReady  Deflate
187.17.111.99   172.16.124.217  Software  Adobe ImageReady  Deflate
204.79.197.200  172.16.124.217  Software  Paint.NET v3.5.10  Deflate
66.33.210.104   172.16.124.217  Software  Adobe ImageReady  Deflate
66.33.210.104   172.16.124.217  Software  Adobe ImageReady  Deflate
66.33.210.104   172.16.124.217  Software  Adobe ImageReady  Deflate
66.33.210.104   172.16.124.217  Software  Adobe ImageReady  Deflate
66.33.210.104   172.16.124.217  Software  Adobe ImageReady  Deflate
66.33.210.104   172.16.124.217  Software  Adobe ImageReady  Deflate
Information is missing: http.request.uri never shows up. The reason is that the 'png' display filter only matches the response packets that carry the PNG body, while the request URI lives in the client's request packet, which that filter drops. Let's refine it a bit more:
Refining the extraction to pull the information out correctly.
Now we try the following filter (still working on PNG image files):
http.content_type=="image/png" || http.request.full_uri contains "png"
tshark -r2015-10-28-traffic-analysis-exercise.pcap -Y'http.content_type=="image/png" || http.request.full_uri contains "png"' -Tfields -eframe.number -ehttp.request.full_uri -epng.text.string -epng.text.keyword
We get the following (tab-separated fields: frame number, full request URI, png.text.string, png.text.keyword; empty fields are left blank):
310   http://www.bing.com/s/a/hpc14.png
337   http://www.bing.com/sa/simg/sw_mg_l_4d_orange.png
341         Adobe Fireworks CS6,06/23/15  Software,Creation Time
385
1632  http://www.bing.com/rms/CarouselSprite/ic/c6fc9ef6/f62ecece.png?bu=rms+answers+Homepage+CarouselOpen%2cCarouselClose
1679
3531  http://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/images/label-sale.png
3757  http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-social-facebook.png
3759        Adobe ImageReady  Software
3762  http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-social-twitter.png
3888  http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-redes-sociais.png
3977  http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-social-instagram.png
4196
4262  http://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/fashiontemplate/pt002/skin/frontend/default/pagayo-theme-002/images/search-icon-bg.png
4263  http://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/skin/frontend/default/pagayo-theme-002/images/bg-main.png
4318  http://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/fashiontemplate/pt002/skin/frontend/default/pagayo-theme-002/images/shadow-footer.png
4363  http://www.benditabonita.com/skin/frontend/base/default/css/magestore/bannerslider/image/slide2//jquery-slider-theme.png
4563        Adobe ImageReady  Software
4821  http://www.benditabonita.com/media/favicon/default/favico1.png
4824        Adobe ImageReady  Software
5288  http://www.bing.com/fd/s/as_spell_underline.png
5291        Paint.NET v3.5.10  Software
5688  http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/search_submit.png
5689  http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/content_main_bg.png
5725  http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/background.png
5745  http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/rss.png
5746  http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/date.png
5759        Adobe ImageReady  Software
5761        Adobe ImageReady  Software
5829        Adobe ImageReady  Software
5831  http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/sidebar_right.png
5832        Adobe ImageReady  Software
5836        Adobe ImageReady  Software
6041        Adobe ImageReady  Software
Fine, now we have the information, but it is mixed up and we cannot tell which image characteristics belong to which URL/image.png.
To pull the information out the way we need it, we add a field for the TCP stream, so that each line can be related to the stream, that is, to the TCP segments belonging to the same connection, which Wireshark identifies with a stream number:
tshark -r2015-10-28-traffic-analysis-exercise.pcap -Y'http.content_type=="image/png" || http.request.full_uri contains "png"' -Tfields -etcp.stream -eframe.number -eip.src -eip.dst -ehttp.request.full_uri -epng.text.string -epng.text.keyword
and we get (fields: tcp.stream, frame number, ip.src, ip.dst, full request URI, png.text.string, png.text.keyword):
9   310   172.16.124.217  204.79.197.200  http://www.bing.com/s/a/hpc14.png
10  337   172.16.124.217  204.79.197.200  http://www.bing.com/sa/simg/sw_mg_l_4d_orange.png
9   341   204.79.197.200  172.16.124.217        Adobe Fireworks CS6,06/23/15  Software,Creation Time
10  385   204.79.197.200  172.16.124.217
11  1632  172.16.124.217  204.79.197.200  http://www.bing.com/rms/CarouselSprite/ic/c6fc9ef6/f62ecece.png?bu=rms+answers+Homepage+CarouselOpen%2cCarouselClose
11  1679  204.79.197.200  172.16.124.217
28  3531  172.16.124.217  187.17.111.99   http://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/images/label-sale.png
29  3757  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-social-facebook.png
28  3759  187.17.111.99   172.16.124.217        Adobe ImageReady  Software
28  3762  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-social-twitter.png
27  3888  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-redes-sociais.png
31  3977  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-social-instagram.png
31  4196  187.17.111.99   172.16.124.217
31  4262  172.16.124.217  187.17.111.99   http://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/fashiontemplate/pt002/skin/frontend/default/pagayo-theme-002/images/search-icon-bg.png
23  4263  172.16.124.217  187.17.111.99   http://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/skin/frontend/default/pagayo-theme-002/images/bg-main.png
32  4318  172.16.124.217  187.17.111.99   http://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/fashiontemplate/pt002/skin/frontend/default/pagayo-theme-002/images/shadow-footer.png
33  4363  172.16.124.217  187.17.111.99   http://www.benditabonita.com/skin/frontend/base/default/css/magestore/bannerslider/image/slide2//jquery-slider-theme.png
27  4563  187.17.111.99   172.16.124.217        Adobe ImageReady  Software
27  4821  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/favicon/default/favico1.png
27  4824  187.17.111.99   172.16.124.217        Adobe ImageReady  Software
42  5288  172.16.124.217  204.79.197.200  http://www.bing.com/fd/s/as_spell_underline.png
42  5291  204.79.197.200  172.16.124.217        Paint.NET v3.5.10  Software
53  5688  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/search_submit.png
52  5689  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/content_main_bg.png
54  5725  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/background.png
57  5745  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/rss.png
55  5746  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/date.png
53  5759  66.33.210.104   172.16.124.217        Adobe ImageReady  Software
52  5761  66.33.210.104   172.16.124.217        Adobe ImageReady  Software
54  5829  66.33.210.104   172.16.124.217        Adobe ImageReady  Software
54  5831  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/themes/FREEmium/img/sidebar_right.png
55  5832  66.33.210.104   172.16.124.217        Adobe ImageReady  Software
57  5836  66.33.210.104   172.16.124.217        Adobe ImageReady  Software
54  6041  66.33.210.104   172.16.124.217        Adobe ImageReady  Software
The two lines in bold (here the first and the third; frame 3757 in between belongs to stream 29) are on the same stream, 28:
28  3531  172.16.124.217  187.17.111.99   http://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/images/label-sale.png
29  3757  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-social-facebook.png
28  3759  187.17.111.99   172.16.124.217        Adobe ImageReady  Software
and we have the information we needed: the URL of the image file together with the creating software and any other information we could pull out of each image. One caveat: with HTTP keep-alive a single TCP stream carries several request/response pairs (frame 3762, the next request, is also on stream 28), so within a stream a response belongs to the oldest request that has not yet been answered, not simply to any request with the same stream number. When exact pairing matters, the http.request_in field on a response gives the frame number of its request as matched by Wireshark itself.
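The pairing described above can be automated. The following Python script is an added example, not code from the original article: it reads the tab-separated output of the tshark -T fields command above (the rows embedded in it are a constructed subset of the frames listed above, plus one constructed orphan response on a hypothetical stream 60), queues requests per tcp.stream and pairs each response with the oldest unanswered request on that stream, which is the HTTP/1.1 keep-alive rule. Multi-valued fields such as png.text.keyword arrive joined by tshark's aggregator character (comma by default; -E aggregator='|' is safer when values themselves contain commas), and the parser splits them accordingly.

```python
"""Pair HTTP requests with their responses per TCP stream.

Input is the tab-separated output of:
  tshark -r capture.pcap -Y '...' -T fields -e tcp.stream -e frame.number \
         -e ip.src -e ip.dst -e http.request.full_uri \
         -e png.text.string -e png.text.keyword
"""
from collections import defaultdict, deque

FIELDS = ("tcp.stream", "frame.number", "ip.src", "ip.dst",
          "http.request.full_uri", "png.text.string", "png.text.keyword")

# Constructed sample: a subset of the frames listed in the article (streams 9,
# 10, 28, 29 and 42) plus one made-up response on stream 60 whose request is
# not in the data, so that the orphan path is exercised.
SAMPLE = (
    "9\t310\t172.16.124.217\t204.79.197.200\thttp://www.bing.com/s/a/hpc14.png\t\t\n"
    "10\t337\t172.16.124.217\t204.79.197.200\thttp://www.bing.com/sa/simg/sw_mg_l_4d_orange.png\t\t\n"
    "9\t341\t204.79.197.200\t172.16.124.217\t\tAdobe Fireworks CS6,06/23/15\tSoftware,Creation Time\n"
    "10\t385\t204.79.197.200\t172.16.124.217\t\t\t\n"
    "28\t3531\t172.16.124.217\t187.17.111.99\thttp://www.benditabonita.com/skin/frontend/default/pagayo-theme-002/images/label-sale.png\t\t\n"
    "29\t3757\t172.16.124.217\t187.17.111.99\thttp://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-social-facebook.png\t\t\n"
    "28\t3759\t187.17.111.99\t172.16.124.217\t\tAdobe ImageReady\tSoftware\n"
    "28\t3762\t172.16.124.217\t187.17.111.99\thttp://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-social-twitter.png\t\t\n"
    "42\t5288\t172.16.124.217\t204.79.197.200\thttp://www.bing.com/fd/s/as_spell_underline.png\t\t\n"
    "42\t5291\t204.79.197.200\t172.16.124.217\t\tPaint.NET v3.5.10\tSoftware\n"
    "60\t7000\t66.33.210.104\t172.16.124.217\t\tAdobe ImageReady\tSoftware\n"
)


def parse_fields(text, aggregator=","):
    """Turn -T fields lines into dicts; split multi-valued PNG text fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(FIELDS) - len(cols))   # tolerate trimmed trailing tabs
        row = dict(zip(FIELDS, cols))
        row["tcp.stream"] = int(row["tcp.stream"])
        row["frame.number"] = int(row["frame.number"])
        keys = row["png.text.keyword"].split(aggregator) if row["png.text.keyword"] else []
        vals = row["png.text.string"].split(aggregator) if row["png.text.string"] else []
        row["text"] = dict(zip(keys, vals))   # e.g. {"Software": "Adobe ImageReady"}
        rows.append(row)
    return rows


def correlate(rows):
    """FIFO per stream: a response answers the oldest unanswered request.

    Returns (pairs, orphans, unanswered). Rows with a request URI are
    requests (that is what the display filter matched on); the rest are
    responses. Orphans are responses whose request was not captured or did
    not match the filter; unanswered are requests still waiting."""
    pending = defaultdict(deque)
    pairs, orphans = [], []
    for row in sorted(rows, key=lambda r: r["frame.number"]):
        queue = pending[row["tcp.stream"]]
        if row["http.request.full_uri"]:
            queue.append(row)
        elif queue:
            pairs.append((queue.popleft(), row))
        else:
            orphans.append(row)
    unanswered = sorted((r for q in pending.values() for r in q),
                        key=lambda r: r["frame.number"])
    return pairs, orphans, unanswered


def report(text):
    """Compact summary: (req_frame, resp_frame, uri, metadata) per pair."""
    pairs, orphans, unanswered = correlate(parse_fields(text))
    return ([(q["frame.number"], a["frame.number"], q["http.request.full_uri"], a["text"])
             for q, a in pairs],
            [o["frame.number"] for o in orphans],
            [(u["frame.number"], u["http.request.full_uri"]) for u in unanswered])


if __name__ == "__main__":
    pairs, orphans, unanswered = report(SAMPLE)
    for req, resp, uri, meta in pairs:
        print("request %5d -> response %5d  %s  %s" % (req, resp, uri, meta or "-"))
    print("orphan responses:", orphans)
    print("unanswered requests:", unanswered)
```

On the sample this pairs 310/341 (Fireworks, with the Creation Time split out as a second keyword), 337/385 (a PNG with no text chunks), 3531/3759 (ImageReady) and 5288/5291 (Paint.NET), leaves 3757 and 3762 unanswered, and flags 7000 as an orphan. To feed it a real capture, pipe the tshark command from the article into it with the same field order.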
We check it by doing a follow TCP stream in CLI mode:
tshark -r2015-10-28-traffic-analysis-exercise.pcap -qz follow,tcp,ascii,28
and focus on this part of the output:
GET /skin/frontend/default/pagayo-theme-002/images/label-sale.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://www.benditabonita.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.benditabonita.com
Connection: Keep-Alive
Cookie: frontend=i4hdjnisej2d955mfm66277lc5

1369
HTTP/1.1 200 OK
Date: Wed, 28 Oct 2015 17:54:41 GMT
Content-Type: image/png
Content-Length: 4347
Connection: keep-alive
Server: Apache
Last-Modified: Fri, 20 Sep 2013 01:50:21 GMT
ETag: "200ff41-10fb-4e6c6e4abed3e"
Accept-Ranges: bytes
X-Cache-Status: BYPASS
.PNG
.
IHDR...I...;.....7.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp: xmpMM:InstanceID="xmp.iid:98A39AEF2FD311E2BD6BD99F8EBF86FB" xmpMM:DocumentID="xmp.did:98A39AF02FD311E2BD6BD99F8EBF86FB"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:98A39AED2FD311E2BD6BD99F8EBF86FB" stRe@@.Qv.#g;<C.s$-F.Z...9..=Ev/......+.A.../]...%....}0.,.5.......9q.........KZ...,...J...)o.-w.~g...ef........3.93g.7.o=...O|...
and further to the right in the line marked in red (the iTXt XML:com.adobe.xmp chunk carrying the XMP packet) we get even more information, such as:
CreatorTool="Adobe Photoshop CS5 Macintosh"
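What the png dissector reports as png.text.keyword / png.text.string, and what the follow-stream dump shows inside the iTXt XML:com.adobe.xmp chunk as CreatorTool, can also be read straight from the PNG bytes, for instance from an object saved with tshark --export-objects http,<dir> (a newer tshark option) or carved out of a stream. The following Python script is an added example and not part of the original article: it builds a constructed 1x1 PNG carrying a tEXt Software chunk and an XMP packet in an iTXt chunk (no real image from the capture), then walks the chunks, verifies every length and CRC so a truncated or tampered object is reported rather than silently misparsed, and returns the text metadata including the XMP CreatorTool. The key 'xmp:CreatorTool' is a name chosen here, not a PNG keyword or a Wireshark field.

```python
"""Walk PNG chunks and pull out the text metadata tshark's png dissector shows."""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, data):
    """Serialize one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(software, creator_tool):
    """Constructed 1x1 greyscale PNG (not a real file from the capture) with a
    tEXt Software chunk and an XMP packet in an iTXt chunk, mimicking what the
    article found inside label-sale.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey, deflate
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><rdf:Description '
           'xmp:CreatorTool="%s"/></rdf:RDF></x:xmpmeta>' % creator_tool).encode("utf-8")
    # iTXt layout: keyword NUL, compression flag, compression method,
    # language tag NUL, translated keyword NUL, text
    itxt = b"XML:com.adobe.xmp\x00" + b"\x00\x00" + b"\x00" + b"\x00" + xmp
    idat = zlib.compress(b"\x00\x80")  # filter type 0 followed by one grey pixel
    return (PNG_SIG
            + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", b"Software\x00" + software.encode("latin-1"))
            + chunk(b"iTXt", itxt)
            + chunk(b"IDAT", idat)
            + chunk(b"IEND", b""))


def iter_chunks(data):
    """Yield (type, body) per chunk, checking lengths, CRCs and the final
    IEND so a truncated or tampered object raises instead of misparsing."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    seen_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r at offset %d" % (ctype, pos))
        yield ctype, body
        pos = end
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        raise ValueError("missing IEND: file truncated")


# CreatorTool as an XMP attribute (CreatorTool="...") or as an element (<xmp:CreatorTool>...</...>)
_CREATOR = re.compile(r'CreatorTool(?:="([^"]*)"|>([^<]*)<)')


def png_text_metadata(data):
    """Return {keyword: text} from tEXt, zTXt and iTXt chunks. When an XMP
    packet names a CreatorTool it is also reported under the synthetic key
    'xmp:CreatorTool' (a name chosen for this example)."""
    meta = {}
    for ctype, body in iter_chunks(data):
        if ctype == b"tEXt":
            key, _, val = body.partition(b"\x00")
            meta[key.decode("latin-1")] = val.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")   # rest[0] is the method (0 = deflate)
            meta[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":
            key, _, rest = body.partition(b"\x00")
            compressed = rest[0] != 0                 # rest[1] is the compression method
            _lang, _, rest = rest[2:].partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if compressed:
                text = zlib.decompress(text)
            text = text.decode("utf-8", "replace")
            meta[key.decode("latin-1")] = text
            m = _CREATOR.search(text)
            if m:
                meta["xmp:CreatorTool"] = m.group(1) or m.group(2)
    return meta


if __name__ == "__main__":
    sample = build_sample_png("Adobe ImageReady", "Adobe Photoshop CS5 Macintosh")
    for k, v in sorted(png_text_metadata(sample).items()):
        print("%-20s %s" % (k, v[:60]))
```

Run against a real exported object, the same function returns the Software keyword that tshark showed as png.text.string and the CreatorTool that only appeared in the follow-stream dump. The CRC check matters in forensics: a reassembly gap or a deliberately corrupted chunk raises a ValueError rather than yielding metadata from the wrong bytes.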
For JPG/JPEG image files we could do something similar:
tshark -r2015-10-28-traffic-analysis-exercise.pcap -Y'http.content_type=="image/jpeg" || http.request.full_uri contains "jpg"' -Tfields -etcp.stream -eframe.number -eip.src -eip.dst -ehttp.request.full_uri -eimage-jfif.comment -eimage-jfif.identifier
and we would get something like (fields: tcp.stream, frame number, ip.src, ip.dst, full request URI, image-jfif.comment, image-jfif.identifier):
24  2882  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/bannerslider/0/0/005.jpg
27  3323  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/catalog/product/cache/1/small_image/210x/9df78eab33525d08d6e5fb8d27136e95/b/o/bolsas_carteiro_azul.jpg
29  3500  187.17.111.99   172.16.124.217        JFIF
29  3528  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/catalog/product/cache/1/small_image/210x/9df78eab33525d08d6e5fb8d27136e95/f/r/franja_marrom.jpg
28  3529  187.17.111.99   172.16.124.217        CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90  JFIF
23  3574  187.17.111.99   172.16.124.217        JFIF
23  3578  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/catalog/product/cache/1/small_image/210x/9df78eab33525d08d6e5fb8d27136e95/s/h/shortinho_ombr_frente_1.jpg
27  3624  187.17.111.99   172.16.124.217        CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90  JFIF
27  3637  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/catalog/product/cache/1/small_image/210x/9df78eab33525d08d6e5fb8d27136e95/d/s/dsc_3670_copy_crop.jpg
29  3751  187.17.111.99   172.16.124.217        CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90  JFIF
23  3792  187.17.111.99   172.16.124.217        CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90  JFIF
27  3849  187.17.111.99   172.16.124.217        CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90  JFIF
32  3978  172.16.124.217  187.17.111.99   http://www.benditabonita.com/media/wysiwyg/pagayo/pt002/icon-site-seguro.jpg
32  4297  187.17.111.99   172.16.124.217        JFIF,Exif,http://ns.adobe.com/xap/1.0/,ICC_PROFILE
42  5152  204.79.197.200  172.16.124.217        JFIF
52  5520  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/uploads/2012/10/red_baseball-300x250.jpg
54  5551  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/uploads/2013/04/small_house_2.jpg
57  5552  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/uploads/2012/11/lottery_winner-300x250.jpg
55  5554  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/uploads/2012/10/swirly_swirls_of_swirlness-300x250.jpg
56  5555  172.16.124.217  66.33.210.104   http://www.mortgagejaw.com/wp-content/uploads/2012/10/nature_graphics-300x250.jpg
52  5589  66.33.210.104   172.16.124.217        JFIF
54  5722  66.33.210.104   172.16.124.217        CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 80
The information that can be extracted from a .pcap for PNG, JPG and GIF images is, however, far more than what is shown here.
===============================================
That's all for today. Next week, a somewhat more technical and advanced article.
Thank the gods you're back... As always, a very good article.