
snort_capture.txt

Cctt, "Covert Channel Tunneling Tool" - as the name suggests
#
# Cctt - Covert Channel Tunneling Tool v0.1.7
# 09/06/2003
#
# This Snort capture was taken while a CCTT client requested a shell from
# a CCTT server (HTTP POST mode). See the doc/confs/http_post2 files.
#

06/09-23:35:15.004247 127.0.0.1:1094 -> 127.0.0.1:7222
TCP TTL:60 TOS:0x0 ID:1644 IpLen:20 DgmLen:60 DF
******S* Seq: 0xE651E531  Ack: 0x0  Win: 0x7960  TcpLen: 40
TCP Options (5) => MSS: 3884 SackOK TS: 1041097 0 NOP WS: 0
0x0000: 00 00 08 00 45 00 00 3C 06 6C 40 00 3C 06 3A 4E  ....E..<.l@.<.:N
0x0010: 7F 00 00 01 7F 00 00 01 04 46 1C 36 E6 51 E5 31  .........F.6.Q.1
0x0020: 00 00 00 00 A0 02 79 60 F8 53 00 00 02 04 0F 2C  ......y`.S.....,
0x0030: 04 02 08 0A 00 0F E2 C9 00 00 00 00 01 03 03 00  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.004321 127.0.0.1:7222 -> 127.0.0.1:1094
TCP TTL:60 TOS:0x0 ID:1645 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xE5DD3F5E  Ack: 0xE651E532  Win: 0x7960  TcpLen: 40
TCP Options (5) => MSS: 3884 SackOK TS: 1041097 1041097 NOP WS: 0
0x0000: 00 00 08 00 45 00 00 3C 06 6D 40 00 3C 06 3A 4D  ....E..<.m@.<.:M
0x0010: 7F 00 00 01 7F 00 00 01 1C 36 04 46 E5 DD 3F 5E  .........6.F..?^
0x0020: E6 51 E5 32 A0 12 79 60 F0 2D 00 00 02 04 0F 2C  .Q.2..y`.-.....,
0x0030: 04 02 08 0A 00 0F E2 C9 00 0F E2 C9 01 03 03 00  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.004350 127.0.0.1:1094 -> 127.0.0.1:7222
TCP TTL:60 TOS:0x0 ID:1646 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE651E532  Ack: 0xE5DD3F5F  Win: 0x7960  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1041097 1041097
0x0000: 00 00 08 00 45 00 00 34 06 6E 40 00 3C 06 3A 54  ....E..4.n@.<.:T
0x0010: 7F 00 00 01 7F 00 00 01 04 46 1C 36 E6 51 E5 32  .........F.6.Q.2
0x0020: E5 DD 3F 5F 80 10 79 60 28 6B 00 00 01 01 08 0A  ..?_..y`(k......
0x0030: 00 0F E2 C9 00 0F E2 C9                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.020163 127.0.0.1:1094 -> 127.0.0.1:7222
TCP TTL:60 TOS:0x0 ID:1647 IpLen:20 DgmLen:455 DF
***AP*** Seq: 0xE651E532  Ack: 0xE5DD3F5F  Win: 0x7960  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1041099 1041097
0x0000: 00 00 08 00 45 00 01 C7 06 6F 40 00 3C 06 38 C0  ....E....o@.<.8.
0x0010: 7F 00 00 01 7F 00 00 01 04 46 1C 36 E6 51 E5 32  .........F.6.Q.2
0x0020: E5 DD 3F 5F 80 18 79 60 5C 93 00 00 01 01 08 0A  ..?_..y`\.......
0x0030: 00 0F E2 CB 00 0F E2 C9 50 4F 53 54 20 2F 73 65  ........POST /se
0x0040: 72 76 6C 65 74 2F 75 70 6C 6F 61 64 5F 64 61 74  rvlet/upload_dat
0x0050: 61 20 48 54 54 50 2F 31 2E 30 0A 48 6F 73 74 3A  a HTTP/1.0.Host:
0x0060: 20 63 63 74 74 2E 65 6E 74 72 65 65 6C 69 62 72   cctt.entreelibr
0x0070: 65 2E 63 6F 6D 0A 43 6F 6E 74 65 6E 74 2D 4C 65  e.com.Content-Le
0x0080: 6E 67 74 68 3A 20 32 39 36 0A 43 6F 6E 74 65 6E  ngth: 296.Conten
0x0090: 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D  t-Type: text/htm
0x00A0: 6C 0A 0A 49 20 61 6D 20 61 20 43 43 54 54 20 63  l..I am a CCTT c
0x00B0: 6C 69 65 6E 74 20 61 6E 64 20 49 20 61 6D 20 73  lient and I am s
0x00C0: 65 6E 64 69 6E 67 20 61 72 62 69 74 72 61 72 79  ending arbitrary
0x00D0: 20 64 61 74 41 73 69 6D 73 69 6D 31 33 32 35 30   datAsimsim13250
0x00E0: 33 36 49 66 20 79 6F 75 20 6C 6F 6F 6B 20 6F 6E  36If you look on
0x00F0: 20 77 68 61 74 27 73 20 70 72 65 76 69 6F 75 73   what's previous
0x0100: 2C 20 79 6F 75 27 6C 6C 20 6D 61 79 20 68 61 76  , you'll may hav
0x0110: 65 20 61 20 6C 6F 6F 6B 20 6F 6E 20 77 68 61 74  e a look on what
0x0120: 20 49 20 72 65 61 6C 6C 79 20 73 65 6E 64 65 64   I really sended
0x0130: 2E 0A 42 75 74 20 72 65 6D 65 6D 62 65 72 2C 20  ..But remember, 
0x0140: 74 68 65 73 65 20 61 72 62 69 74 72 61 72 79 20  these arbitrary 
0x0150: 64 61 74 61 73 20 63 6F 75 6C 64 20 68 61 76 65  datas could have
0x0160: 20 62 65 65 6E 20 65 6E 63 6F 64 65 64 20 61 6E   been encoded an
0x0170: 64 20 74 68 61 74 20 74 68 65 73 65 20 74 6F 70  d that these top
0x0180: 0A 61 6E 64 20 62 6F 74 74 6F 6D 20 70 61 64 64  .and bottom padd
0x0190: 69 6E 67 20 63 6F 75 6C 64 20 68 61 76 65 20 62  ing could have b
0x01A0: 65 65 6E 20 74 6F 70 20 61 6E 64 20 62 6F 74 74  een top and bott
0x01B0: 6F 6D 20 6F 66 20 61 6E 20 69 6D 61 67 65 20 66  om of an image f
0x01C0: 6F 72 20 65 78 61 6D 70 6C 65 20                 or example 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.020234 127.0.0.1:7222 -> 127.0.0.1:1094
TCP TTL:60 TOS:0x0 ID:1648 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE5DD3F5F  Ack: 0xE651E6C5  Win: 0x77CD  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1041099 1041099
0x0000: 00 00 08 00 45 00 00 34 06 70 40 00 3C 06 3A 52  ....E..4.p@.<.:R
0x0010: 7F 00 00 01 7F 00 00 01 1C 36 04 46 E5 DD 3F 5F  .........6.F..?_
0x0020: E6 51 E6 C5 80 10 77 CD 28 67 00 00 01 01 08 0A  .Q....w.(g......
0x0030: 00 0F E2 CB 00 0F E2 CB                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.451336 127.0.0.1:7222 -> 127.0.0.1:1094
TCP TTL:60 TOS:0x0 ID:1649 IpLen:20 DgmLen:944 DF
***AP*** Seq: 0xE5DD3F5F  Ack: 0xE651E6C5  Win: 0x7960  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1041142 1041099
0x0000: 00 00 08 00 45 00 03 B0 06 71 40 00 3C 06 36 D5  ....E....q@.<.6.
0x0010: 7F 00 00 01 7F 00 00 01 1C 36 04 46 E5 DD 3F 5F  .........6.F..?_
0x0020: E6 51 E6 C5 80 18 79 60 FB 53 00 00 01 01 08 0A  .Q....y`.S......
0x0030: 00 0F E2 F6 00 0F E2 CB 48 54 54 50 2F 31 2E 30  ........HTTP/1.0
0x0040: 20 32 30 30 20 4F 4B 0A 44 61 74 65 3A 20 4D 6F   200 OK.Date: Mo
0x0050: 6E 2C 20 39 20 4A 75 6E 65 20 32 30 30 33 20 31  n, 9 June 2003 1
0x0060: 32 3A 32 32 3A 32 38 20 47 4D 54 0A 53 65 72 76  2:22:28 GMT.Serv
0x0070: 65 72 3A 20 43 43 54 54 2D 30 2E 31 2E 37 0A 43  er: CCTT-0.1.7.C
0x0080: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 37  ontent-Length: 7
0x0090: 37 36 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A  76.Content-Type:
0x00A0: 20 74 65 78 74 2F 68 74 6D 6C 0A 0A 3C 68 74 6D   text/html..<htm
0x00B0: 6C 3E 0A 0A 3C 68 65 61 64 3E 0A 20 20 3C 74 69  l>..<head>.  <ti
0x00C0: 74 6C 65 3E 43 43 54 54 20 2D 20 43 6F 76 65 72  tle>CCTT - Cover
0x00D0: 74 20 43 68 61 6E 6E 65 6C 20 54 75 6E 6E 65 6C  t Channel Tunnel
0x00E0: 69 6E 67 20 54 6F 6F 6C 3C 2F 74 69 74 6C 65 3E  ing Tool</title>
0x00F0: 0A 3C 2F 68 65 61 64 3E 0A 0A 3C 62 6F 64 79 3E  .</head>..<body>
0x0100: 0A 0A 3C 21 2D 2D 20 46 69 72 73 74 20 50 61 72  ..<!-- First Par
0x0110: 74 20 2F 2F 2D 2D 3E 0A 3C 63 65 6E 74 65 72 3E  t //-->.<center>
0x0120: 54 68 69 73 20 69 73 20 61 6E 20 65 72 72 6F 72  This is an error
0x0130: 20 70 61 67 65 20 67 65 6E 65 72 61 74 65 64 20   page generated 
0x0140: 62 79 20 61 20 43 43 54 54 20 73 65 72 76 65 72  by a CCTT server
0x0150: 20 69 6E 20 48 54 54 50 20 6D 6F 64 65 2E 3C 2F   in HTTP mode.</
0x0160: 63 65 6E 74 65 72 3E 0A 3C 62 72 3E 0A 54 68 69  center>.<br>.Thi
0x0170: 73 20 65 72 72 6F 72 20 70 61 67 65 20 69 73 20  s error page is 
0x0180: 67 65 6E 65 72 61 74 65 64 20 69 66 20 74 68 65  generated if the
0x0190: 20 63 6C 69 65 6E 74 20 64 6F 65 73 6E 27 74 20   client doesn't 
0x01A0: 73 65 6E 64 20 74 68 65 20 67 6F 6F 64 20 55 52  send the good UR
0x01B0: 49 20 6E 6F 72 20 64 6F 65 73 6E 27 74 20 73 65  I nor doesn't se
0x01C0: 6E 64 20 61 75 74 68 6F 72 69 7A 65 64 20 63 72  nd authorized cr
0x01D0: 65 64 65 6E 74 69 61 6C 73 20 61 6E 64 20 69 73  edentials and is
0x01E0: 20 62 75 69 6C 64 65 64 20 6F 6E 20 74 68 72 65   builded on thre
0x01F0: 65 20 64 69 73 74 69 6E 63 74 20 70 61 72 74 73  e distinct parts
0x0200: 2E 20 54 68 65 20 66 69 72 73 74 20 70 61 72 74  . The first part
0x0210: 20 69 73 20 61 64 64 65 64 20 61 74 20 74 68 65   is added at the
0x0220: 20 74 6F 70 20 6F 66 20 61 72 62 69 74 72 61 72   top of arbitrar
0x0230: 79 20 64 61 74 61 73 2E 20 54 68 65 20 73 65 63  y datas. The sec
0x0240: 6F 6E 64 20 70 61 72 74 20 49 53 20 74 68 65 20  ond part IS the 
0x0250: 61 72 62 69 74 72 61 72 79 20 64 61 74 61 20 61  arbitrary data a
0x0260: 6E 64 20 74 68 65 20 74 68 69 72 64 20 70 61 72  nd the third par
0x0270: 74 20 69 73 20 61 64 64 65 64 20 61 74 20 74 68  t is added at th
0x0280: 65 20 62 6F 74 74 6F 6D 20 6F 66 20 61 72 62 69  e bottom of arbi
0x0290: 74 72 61 72 79 20 64 61 74 61 73 2E 3C 62 72 3E  trary datas.<br>
0x02A0: 0A 3C 62 72 3E 0A 3C 21 2D 2D 20 42 65 67 69 6E  .<br>.<!-- Begin
0x02B0: 20 53 65 63 6F 6E 64 20 50 61 72 74 20 2F 2F 2D   Second Part //-
0x02C0: 2D 3E 20 3C 21 2D 2D 62 61 73 68 3A 20 6E 6F 20  -> <!--bash: no 
0x02D0: 6A 6F 62 20 63 6F 6E 74 72 6F 6C 20 69 6E 20 74  job control in t
0x02E0: 68 69 73 20 73 68 65 6C 6C 0A 20 2F 2F 2D 2D 3E  his shell. //-->
0x02F0: 20 3C 21 2D 2D 20 45 6E 64 20 53 65 63 6F 6E 64   <!-- End Second
0x0300: 20 50 61 72 74 20 2F 2F 2D 2D 3E 0A 0A 3C 21 2D   Part //-->..<!-
0x0310: 2D 20 42 65 67 69 6E 20 54 68 69 72 64 20 50 61  - Begin Third Pa
0x0320: 72 74 20 2F 2F 2D 2D 3E 0A 3C 62 72 3E 0A 4E 6F  rt //-->.<br>.No
0x0330: 74 65 20 74 68 61 74 20 79 6F 75 20 63 6F 75 6C  te that you coul
0x0340: 64 20 68 61 76 65 20 75 73 65 64 20 74 68 65 73  d have used thes
0x0350: 65 20 74 6F 70 20 61 6E 64 20 62 6F 74 74 6F 6D  e top and bottom
0x0360: 20 70 61 72 74 73 20 74 6F 20 65 6D 62 65 65 64   parts to embeed
0x0370: 20 64 61 74 61 20 69 6E 74 6F 20 61 6E 20 69 6D   data into an im
0x0380: 61 67 65 2E 2E 2E 3C 62 72 3E 0A 3C 21 2D 2D 20  age...<br>.<!-- 
0x0390: 45 6E 64 20 54 68 69 72 64 20 50 61 72 74 20 2F  End Third Part /
0x03A0: 2F 2D 2D 3E 0A 3C 2F 62 6F 64 79 3E 0A 3C 2F 68  /-->.</body>.</h
0x03B0: 74 6D 6C 3E                                      tml>
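What the six packets above show: after the handshake the client sends a single HTTP POST whose body is ordinary-looking filler with the tunnelled bytes sandwiched in the middle, and the server answers 200 OK with an "error page" whose second part, hidden in an HTML comment, carries the shell's first output line ("bash: no job control in this shell"). The example below, added for this page and not code from the CCTT distribution, carves both directions out of that exchange: it parses Snort's hex dump back to bytes, skips the link/IP/TCP headers (this capture was taken on lo and each dump starts with a 4-byte link header before the 0x45 IP byte), checks Content-Length against the body, and strips the padding. The dump excerpt and both HTTP messages are transcribed from the capture; the request's padding strings are assumptions, since the doc/confs/http_post2 files that define them are not on this page, so the exact boundary between padding and data in the request ("dat|Asimsim…|If you") is a guess, while the reply marks its second part explicitly.

```python
"""Carve the tunnelled bytes out of the CCTT HTTP-mode exchange captured above.
Added example for this page, not code from the CCTT distribution. The dump
excerpt and both HTTP messages are transcribed from the capture; the request's
padding strings are ASSUMED (they come from doc/confs/http_post2, not shown)."""
import re

DUMP_LINE = re.compile(r"^0x([0-9A-Fa-f]{4}): (.{0,48})")  # offset, then 16 hex bytes

# First seven dump lines of the client's POST packet, transcribed from the capture.
POST_DUMP_EXCERPT = r"""
0x0000: 00 00 08 00 45 00 01 C7 06 6F 40 00 3C 06 38 C0  ....E....o@.<.8.
0x0010: 7F 00 00 01 7F 00 00 01 04 46 1C 36 E6 51 E5 32  .........F.6.Q.2
0x0020: E5 DD 3F 5F 80 18 79 60 5C 93 00 00 01 01 08 0A  ..?_..y`\.......
0x0030: 00 0F E2 CB 00 0F E2 C9 50 4F 53 54 20 2F 73 65  ........POST /se
0x0040: 72 76 6C 65 74 2F 75 70 6C 6F 61 64 5F 64 61 74  rvlet/upload_dat
0x0050: 61 20 48 54 54 50 2F 31 2E 30 0A 48 6F 73 74 3A  a HTTP/1.0.Host:
0x0060: 20 63 63 74 74 2E 65 6E 74 72 65 65 6C 69 62 72   cctt.entreelibr
"""

def snort_dump_to_bytes(dump: str) -> bytes:
    """Turn Snort '0xNNNN: hh hh ...  ascii' lines back into raw frame bytes."""
    chunks = {}
    for line in dump.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:  # the ASCII column lies beyond the 48 captured characters
            chunks[int(m.group(1), 16)] = bytes.fromhex(m.group(2))
    return b"".join(chunks[off] for off in sorted(chunks))

def tcp_payload(frame: bytes, link_hdr: int = 4) -> bytes:
    """Skip link, IP and TCP headers. In this loopback capture the dump starts
    with a 4-byte link header; IHL and TCP data offset are read from the packet."""
    ip = frame[link_hdr:]
    tcp = ip[(ip[0] & 0x0F) * 4:]
    return tcp[(tcp[12] >> 4) * 4:]

def split_http(msg: bytes):
    """Return (headers, body). CCTT 0.1.7 ends header lines with a bare LF, so
    accept LF LF as well as CRLF CRLF; the body must match Content-Length."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in msg else b"\n\n"
    head, _, body = msg.partition(sep)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(b":") for ln in head.splitlines()[1:])}
    clen = int(headers.get(b"content-length", len(body)))
    if clen != len(body):  # truncated or badly reassembled message
        raise ValueError(f"Content-Length {clen} != body length {len(body)}")
    return headers, body

def carve(body: bytes, top: bytes, bottom: bytes) -> bytes:
    """CCTT frames the tunnelled bytes as top padding + data + bottom padding.
    With the real padding strings from the config you can demand an exact
    prefix/suffix; here top/bottom are used as markers."""
    start = body.find(top)
    if start < 0:
        raise ValueError("top padding/marker not found")
    end = body.find(bottom, start + len(top))
    if end < 0:
        raise ValueError("bottom padding/marker not found")
    return body[start + len(top):end]

CLIENT_POST = (  # transcribed from the DgmLen:455 packet above
    b"POST /servlet/upload_data HTTP/1.0\nHost: cctt.entreelibre.com\n"
    b"Content-Length: 296\nContent-Type: text/html\n\n"
    b"I am a CCTT client and I am sending arbitrary datAsimsim1325036"
    b"If you look on what's previous, you'll may have a look on what I really "
    b"sended.\nBut remember, these arbitrary datas could have been encoded and "
    b"that these top\nand bottom padding could have been top and bottom of an "
    b"image for example "
)
# ASSUMED split of the request: top padding ends at "dat", bottom starts at "If you".
REQ_TOP, REQ_BOTTOM = (b"I am a CCTT client and I am sending arbitrary dat",
                       b"If you look on what's previous")

SERVER_REPLY = (  # transcribed from the DgmLen:944 packet above
    b"HTTP/1.0 200 OK\nDate: Mon, 9 June 2003 12:22:28 GMT\nServer: CCTT-0.1.7\n"
    b"Content-Length: 776\nContent-Type: text/html\n\n"
    b"<html>\n\n<head>\n  <title>CCTT - Covert Channel Tunneling Tool</title>\n"
    b"</head>\n\n<body>\n\n<!-- First Part //-->\n<center>This is an error page "
    b"generated by a CCTT server in HTTP mode.</center>\n<br>\nThis error page is "
    b"generated if the client doesn't send the good URI nor doesn't send "
    b"authorized credentials and is builded on three distinct parts. The first "
    b"part is added at the top of arbitrary datas. The second part IS the "
    b"arbitrary data and the third part is added at the bottom of arbitrary "
    b"datas.<br>\n<br>\n<!-- Begin Second Part //--> <!--bash: no job control in "
    b"this shell\n //--> <!-- End Second Part //-->\n\n<!-- Begin Third Part //-->\n"
    b"<br>\nNote that you could have used these top and bottom parts to embeed "
    b"data into an image...<br>\n<!-- End Third Part //-->\n</body>\n</html>"
)
# The reply marks its second part explicitly with HTML comments.
REPLY_TOP, REPLY_BOTTOM = (b"<!-- Begin Second Part //--> <!--",
                           b" //--> <!-- End Second Part //-->")

def recover_session(client_msg: bytes, server_msg: bytes) -> dict:
    """Both directions of the tunnel from one CCTT request/response pair."""
    return {"client_to_server": carve(split_http(client_msg)[1], REQ_TOP, REQ_BOTTOM),
            "server_to_client": carve(split_http(server_msg)[1], REPLY_TOP, REPLY_BOTTOM)}

if __name__ == "__main__":
    print(tcp_payload(snort_dump_to_bytes(POST_DUMP_EXCERPT)))
    print(recover_session(CLIENT_POST, SERVER_REPLY))
```

Two practical points follow from this. First, the padding is what makes the channel covert and also what makes it carvable: once you hold the http_post2 configuration (or have seen one exchange), a content match on the fixed top/bottom text identifies every later message of the same tunnel, and the Content-Length check above catches reassembly gaps before you trust what you carved. Second, the bottom padding in this very capture warns that the filler "could have been top and bottom of an image"; the marker approach still works then, but only on the decoded body, so an IDS must see the whole reassembled HTTP message, not a single packet.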
