Objective:
I tested the port-multiplexing Serv-U sniffer that Phantom Mix modified from Flashsky's code; it could not be used on a Win2003 server. I don't know the specific reason, or whether it is a matter of knowing how to operate it; in any case, I did not succeed.
So I built an environment myself to try it. The sniffer program is self-written and uses a raw socket for sniffing; ARP-based sniffing would require installing WinPcap, which I think is impossible with low privileges.
Experimental environment:
Windows 2003 Server + Ocean 2006 + Serv-U 5.2
The server cannot use cmd.exe directly, but commands can be uploaded and executed through the Wscript.Shell component.
Experiment steps:
1. Use Wscript.Shell to run an NC reverse connection (bounce) to get a shell.
2. Use the self-written tool to sniff (I only sniff ports 21 and 9001; 21 is FTP, 9001 is the bounce port).
/*------------------------------------------------------
 * file: snifferftp.c
 * effect: used for sniffing experiments from a webshell, based on raw sockets
 * code: huai_huai
 * page: http://hhuai.cn
 * date: 2006.1.12
 *-----------------------------------------------------*/
#include <windows.h>   /* BYTE */

/* IP header definition (fields kept as byte arrays, so values are big-endian
   on the wire and must be assembled before use) */
typedef struct _IPHDR
{
    BYTE Ver_len;        // version 4 bits, header length 4 bits; header length is in units of 32-bit words
    BYTE type;           // type of service, 8 bits
    BYTE length[2];      // total length, 16 bits: total length of the packet in bytes;
                         // a packet longer than 65,536 bytes is treated as damaged
    BYTE id[2];          // identification, 16 bits, identifies the fragments of one datagram
    BYTE flag_offset[2]; // flags 3 bits, fragment offset 13 bits
    BYTE time;           // time to live, 8 bits
    BYTE protocol;       // protocol, 8 bits
    BYTE crc_val[2];     // header checksum, 16 bits
    BYTE src_addr[4];    // source address, 32 bits
    BYTE tar_addr[4];    // destination address, 32 bits
    BYTE options[4];     // options and padding, 32 bits (only present when header length > 5 words)
} ip_header;

/* TCP header definition */
typedef struct _TCPHDR
{
    BYTE source_port[2];          // sending end port number, 16 bits
    BYTE dest_port[2];            // receiving end port number, 16 bits
    BYTE sequence_no[4];          // sequence number, 32 bits: position of this segment's data within the whole data stream
    BYTE ack_no[4];               // acknowledgment number, 32 bits: tells the sender which data the receiving end has received
    unsigned char offset_reser_con; // data offset 4 bits, reserved 4 bits (the 6 reserved bits continue into th_flag)
    unsigned char th_flag;        // control bits (URG, ACK, PSH, RST, SYN, FIN) in the low 6 bits
    BYTE window[2];               // window, 16 bits
    BYTE checksum[2];             // checksum, 16 bits
    BYTE urgen_pointer[2];        // urgent pointer, 16 bits
    BYTE options[4];              // options and padding, 32 bits (only present when data offset > 5 words)
} tcp_header;
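The struct layout above is only useful once the packed fields are decoded and the length fields are checked against the captured buffer, which is what any capture analyzer or IDS does before looking at a payload. The following is an added example, not the author's code: a bounds-checked decoder for the fixed IPv4 and TCP headers that splits the Ver_len, flag_offset and data-offset fields and rejects truncated or inconsistent packets. The sample packet is constructed for the example (a SYN from a client port to port 21, no options, zero checksums).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of the fixed IPv4 and TCP headers (options are skipped, not parsed). */
typedef struct {
    unsigned ip_hdr_len, total_len, frag_offset, protocol;
    unsigned src_port, dst_port, tcp_hdr_len, flags, payload_len;
} pkt_info;

/* Decode an IPv4/TCP packet from buf[0..len). Returns 0 on success, -1 if the
   buffer is too short, is not IPv4/TCP, or its length fields disagree with it. */
int parse_ipv4_tcp(const uint8_t *buf, size_t len, pkt_info *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;       /* version nibble must be 4 */
    unsigned ihl = (buf[0] & 0x0F) * 4;                  /* IHL is in 32-bit words */
    unsigned total = (buf[2] << 8) | buf[3];             /* total length in bytes */
    if (ihl < 20 || total < ihl + 20 || total > len) return -1;
    if (buf[9] != 6) return -1;                          /* protocol 6 = TCP */
    const uint8_t *tcp = buf + ihl;
    unsigned doff = (tcp[12] >> 4) * 4;                  /* data offset, 32-bit words */
    if (doff < 20 || ihl + doff > total) return -1;      /* TCP header runs past packet */
    out->ip_hdr_len  = ihl;
    out->total_len   = total;
    out->frag_offset = ((buf[6] & 0x1F) << 8) | buf[7];  /* low 13 bits of flag_offset */
    out->protocol    = buf[9];
    out->src_port    = (tcp[0] << 8) | tcp[1];
    out->dst_port    = (tcp[2] << 8) | tcp[3];
    out->tcp_hdr_len = doff;
    out->flags       = tcp[13] & 0x3F;                   /* URG ACK PSH RST SYN FIN */
    out->payload_len = total - ihl - doff;
    return 0;
}

/* Constructed sample (not a real capture): 40-byte IPv4/TCP SYN,
   192.168.1.10:40000 -> 192.168.1.20:21, no options, no payload, checksums left zero. */
static const uint8_t sample_syn[40] = {
    0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xC0,0xA8,0x01,0x0A, 0xC0,0xA8,0x01,0x14,
    0x9C,0x40,0x00,0x15, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xFF,0xFF, 0x00,0x00,0x00,0x00
};

int main(void)
{
    pkt_info p;
    if (parse_ipv4_tcp(sample_syn, sizeof sample_syn, &p) != 0) { puts("malformed"); return 1; }
    printf("TCP %u -> %u, flags 0x%02x, ip hdr %u, tcp hdr %u, payload %u bytes\n",
           p.src_port, p.dst_port, p.flags, p.ip_hdr_len, p.tcp_hdr_len, p.payload_len);
    return 0;
}
```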
4. Experimental summary:
It can indeed sniff some information. On a native WinXP SP2 it can sniff the FTP password, but when run on the Win2003 server it can only sniff the user name; from the webshell it can also sniff the user name and some operations, such as the user directory.
Our webshell privileges can be very low; being able to use Wscript.Shell is enough.
There are many details that need careful research; I very much hope the forum masters can give a hint. (Source: Evil Octal Information Security Team; Author: bad)