Extracting files from FTP traffic with Wireshark

FTP also runs over TCP. Wireshark dissects this capture into three displayed protocols: TCP, FTP and FTP-DATA. Packets that carry FTP control messages are dissected as FTP; packets that only carry transferred file contents or command output are dissected as FTP-DATA.

Open the capture in Wireshark and apply the filter ftp-data

On the right-hand side you can see four files:

  • key.zip
  • pub.key
  • test.key
  • ____.pdf (the name is garbled)

Extract the files one by one.

key.zip

Follow the TCP stream and show the data as Raw

504b0304140000000000f7590949a29009868000000080000000070000006b65792e7478741205c9b3b40c16ee4f6691ad71f680cd3f3a5c98f10e3338feb4937a964ca10dd4c2ba97e24ae1d9e21fe9f5d3540320f147687e4d1ca09764d67d0fea5616558053adaec680c1d4120fa050e1682d05aa448fe5d80ccae5847eda6643ae1fde09b3a1339a3a9d55cc936da2760134269937cd7b724b705672516cd7fec4ea13504b01021400140000000000f7590949a290098680000000800000000700000000000000000020000000000000006b65792e747874504b0506000000000100010035000000a50000000000

Export it and change the extension to .zip

The file contents are garbled and need further decryption. The information so far is limited, so continue extracting the other files.

pub.key

Follow the corresponding TCP stream; in the UTF-8 view the public key is visible

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0UN0A+70iM0VCJ1ni0n/U1BRj
0u8yMWH4Qi+xTbjHgbE7wOukOaO+2PyQXiqIzZnf5jCkJuVDYjALGcKrZM4OCQBB
d85B/LTc36XZ7JVfX5kGy5tIR3tquuPIVKNdAsHlSqh9S7YSS39RdnSa5rOUyGhr
LzxwzzM9IO4e+QQ+CQIDAQAB
-----END PUBLIC KEY-----

Parse it with an online tool

test.key

Same steps as for pub.key; this gives the private key

-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQD0UN0A+70iM0VCJ1ni0n/U1BRj0u8yMWH4Qi+xTbjHgbE7wOuk
OaO+2PyQXiqIzZnf5jCkJuVDYjALGcKrZM4OCQBBd85B/LTc36XZ7JVfX5kGy5tI
R3tquuPIVKNdAsHlSqh9S7YSS39RdnSa5rOUyGhrLzxwzzM9IO4e+QQ+CQIDAQAB
AoGADiaw5mGubtCxbkeBOVYf+V/fXnjVSf76QbrzsD1kOooUjfV6sKR2C5Pd7S7H
H+1owENBBgEKvoBtb/cqA2tvU9vQ4l5TMBJcHv6LEcb9WPpnMxPV2GNjO+DTPGPy
Xnu1UZlZjwx+NaF5rESoSSVS2ZaaIixBs4RWRXk+lHEbTFECQQD6Rp6jMweRgPHO
pR3mgIK83zL+kzqYM5isIPv3DIC5JQN2kXqK73IDQCFVlfXnr9lAAVRzLDsAXLqv
le/o6yQLAkEA+edY+GERlLuD1t2k9Js0Dc7EwnLcxoFUE60ivj8Gf9jzLskGHxsv
0IV6J5OHwPh54kAxAnqCjSqNRAWGNzr+uwJBALYEjDUm1LdGrxXZ0jAkgHC6Z0zs
aK3uwHdXGcinqCp+t9EQpq3KzQF+L4AeKxRQONEq5m9I2LQ/vGocwrmD4dcCQQDb
rTyOinWz8upAFPKOe2hUwvA/pkzgyosoCMhDyI9kD0gmVlvlODbd7Jem9o8dWM97
zcXHUf41LbSkmN6U6m1FAkEAqmZbr35bPfkeoiikwNl6OVQytg12TZjw2vIbvfub
f9Rvti8Lh/tbrmhZroiz8/l3aAZmugI1NBcbeZR0gz8ggg==
-----END RSA PRIVATE KEY-----

Parse it with an online tool

Try decrypting with the hex contents of key.txt as the ciphertext

Open key.txt in 010 Editor to get its hex data

12 05 C9 B3 B4 0C 16 EE 4F 66 91 AD 71 F6 80 CD
3F 3A 5C 98 F1 0E 33 38 FE B4 93 7A 96 4C A1 0D
D4 C2 BA 97 E2 4A E1 D9 E2 1F E9 F5 D3 54 03 20
F1 47 68 7E 4D 1C A0 97 64 D6 7D 0F EA 56 16 55
80 53 AD AE C6 80 C1 D4 12 0F A0 50 E1 68 2D 05
AA 44 8F E5 D8 0C CA E5 84 7E DA 66 43 AE 1F DE
09 B3 A1 33 9A 3A 9D 55 CC 93 6D A2 76 01 34 26
99 37 CD 7B 72 4B 70 56 72 51 6C D7 FE C4 EA 13

# RSA parameters (n, e, d, p, q, dP, dQ, qInv as recovered from the private key above)
n = 171564439954497216675768413953835569169744870521923941237304224433236499730629920633302799836863759824245577710773498119568181026335038584320641144215097129520996051634323993425856922224234683255676795474474502157940113864934282828740227389849908591389963794217637935199351304931352200910561925740911401385481
e = 65537
d = 9937266186539991676476141711838500702936532470226334451329887482621507743373532183713283003200250733064318064453609394111430416039303087814229424347170432034113193190833030069901831137256791793745782217103476219351831386347398299123883138090715324312420650276465474501757462292263213648181367569336785128529
p = 13108010293446761340196632179613357635987885161740190449406207540374275902270524889036958918167981833207018535542419157628046922388279842487382660916913163
q = 13088518860888399246566644050502763674299741757769502566717048439252763374675791226334700471400894138975721568725124324655217397612193189858170783443648187
dP = 9533043847239772735367686643833429436869105550513796746723958527196226747179761474986169231375261579201765788173983006698896813430468012458246788337623511
dQ = 11505402621050409396138126001334577647380992762334269845561578353988612509194383822102661003057898764764809490429137927329402845361222663041170923816906053
qInv = 8924563590703900106842685814387665916541700812430476060674809923936560651318359405279262418182232089852584767661307777487338282244935435432054792625528962


hex_ciphertext = '''
12 05 C9 B3 B4 0C 16 EE 4F 66 91 AD 71 F6 80 CD
3F 3A 5C 98 F1 0E 33 38 FE B4 93 7A 96 4C A1 0D
D4 C2 BA 97 E2 4A E1 D9 E2 1F E9 F5 D3 54 03 20
F1 47 68 7E 4D 1C A0 97 64 D6 7D 0F EA 56 16 55
80 53 AD AE C6 80 C1 D4 12 0F A0 50 E1 68 2D 05
AA 44 8F E5 D8 0C CA E5 84 7E DA 66 43 AE 1F DE
09 B3 A1 33 9A 3A 9D 55 CC 93 6D A2 76 01 34 26
99 37 CD 7B 72 4B 70 56 72 51 6C D7 FE C4 EA 13
'''

# Strip the spaces and newlines
hex_ciphertext = hex_ciphertext.replace(" ", "").replace("\n", "")

# Convert the hex ciphertext to an integer
c = int(hex_ciphertext, 16)

# Decrypt with the RSA private key using the CRT parameters (Garner's recombination):
# m1 = c^dP mod p, m2 = c^dQ mod q, m = m2 + q * ((qInv * (m1 - m2)) mod p)
m1 = pow(c, dP, p)
m2 = pow(c, dQ, q)
h = (qInv * (m1 - m2)) % p
m = m2 + h * q

# Convert the plaintext to bytes and print it. The PKCS#1 v1.5 padding is not
# stripped here, so the output starts with unreadable bytes before the message;
# errors='ignore' only drops the ones that are not valid UTF-8.
plaintext_bytes = m.to_bytes((m.bit_length() + 7) // 8, byteorder='big')
print(f"明文: {plaintext_bytes.decode('utf-8', errors='ignore')}")

明文: R0Vׁv/{Is}wn}pKAJ9YTJ]|誴J_У?tդAQ+J6~n hi, boys and girls! flag is {haPPy_Use_0penSsI}
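The unreadable prefix in the output above is the PKCS#1 v1.5 padding block that the script leaves in place. The following is an added example, not the writeup's own script: it performs the same CRT recombination and then parses the padding off properly, so the message comes out clean. The key is a constructed toy key built from two Mersenne primes (far too small for real use); the writeup's own p, q, dP, dQ and qInv would slot in unchanged.

```python
import os

# Constructed toy key from two Mersenne primes (far too small for real use);
# the writeup's own p, q, dP, dQ and qInv slot in here unchanged.
p = 2**127 - 1
q = 2**107 - 1
n = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))
dP, dQ, qInv = d % (p - 1), d % (q - 1), pow(q, -1, p)
k = (n.bit_length() + 7) // 8  # modulus length in bytes (128 for the writeup's RSA-1024 key)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 type 2 block: 00 02 <at least 8 random non-zero bytes> 00 <msg>."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < k - 3 - len(msg):
        ps += os.urandom(1).replace(b"\x00", b"")  # filler bytes must be non-zero
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), e, n)


def crt_decrypt(c: int) -> bytes:
    """Same Garner/CRT recombination as the writeup; returns the still-padded block."""
    m1 = pow(c, dP, p)
    m2 = pow(c, dQ, q)
    h = (qInv * (m1 - m2)) % p
    m = m2 + h * q
    # Fixed width k keeps the leading 0x00 that m.bit_length() would silently drop.
    return m.to_bytes(k, "big")


def unpad(block: bytes) -> bytes:
    """Strip the padding; this is what turns the writeup's garbage prefix into clean text."""
    if len(block) != k or block[:2] != b"\x00\x02":
        raise ValueError("not a PKCS#1 v1.5 type 2 block")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # 2 header bytes + at least 8 filler bytes must precede the separator
        raise ValueError("padding string too short or separator missing")
    return block[sep + 1:]


def decrypt(c: int) -> bytes:
    return unpad(crt_decrypt(c))


if __name__ == "__main__":
    print(decrypt(encrypt(b"hi, boys and girls")))
```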

(Supplement) Extracting the PDF

The PDF is spread over several FTP-DATA packets; following the TCP stream from any of the PDF packets shows the complete PDF. Show it as Raw and export it.

The exported file is fine.

Tips

The overall procedure is:

  1. Filter on ftp-data
  2. Follow the TCP stream
  3. Show the data as Raw
  4. Save it with the matching file extension

Do not copy anything other than the raw data into a newly created file and then just change its extension.

For example, export the PDF's UTF-8 view from Wireshark

and compare it with the Raw export in 010 Editor:

Exporting as Raw preserves the original binary form of the data with no conversion or encoding. UTF-8 is a text encoding suited to plain-text data; if the data contains non-text content (binary data, encrypted data and so on), exporting it through a text encoding can misinterpret bytes or lose information.