配置yum源以及telnet
cd /etc/yum.repos.d/
rm -rf ./*
vim /etc/yum.repos.d/a.repo
a.repo
[a]
name=a
baseurl=http://172.17.15.200/Centos1511
gpgcheck=0
enabled=1
:wq
sudo yum install -y telnet-server xinetd
sudo vi /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no # ← 改这里!
}
sudo systemctl restart xinetd
useradd hxl17
passwd hxl17
完成代码 telnet.py
# sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
from scapy.all import *
import random
# --- Endpoints of this hand-rolled Telnet client --------------------------------
# Both addresses are lab VMs (the shell notes above set the server side up).
# The script never opens a socket: every segment is assembled and sent with
# scapy, and the server's replies are read back with sr1()/sniff().
local_ip = "192.168.17.128"
target_ip = "192.168.17.129"
# Source port comes from the user. int() raises ValueError on non-numeric
# input and nothing enforces the 1024-65535 range the prompt advertises.
local_port = int(input("input a number between 1024 - 65535:"))
target_port = 23
# IP header reused by every outgoing segment.
ip = IP(src=local_ip, dst=target_ip)
# --- Three-way handshake ------------------------------------------------------------
# Fixed, predictable initial sequence number. sr1() is given no timeout, so a
# missing SYN-ACK blocks the script indefinitely. NOTE(review): the commented-out
# iptables rule at the top of the file is presumably needed because the kernel
# owns no socket on local_port and would otherwise answer the SYN-ACK with a
# RST — confirm on the host in use.
seq = 10
syn_ack = sr1(ip/TCP(sport=local_port, dport=target_port, seq=seq, flags="S"))
send(ip/TCP(sport=local_port, dport=target_port, seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq + 1, flags="A"))
# From here on `seq` is our next sequence number and `ack` the next byte expected
# from the server; both are advanced by hand after every payload.
seq = syn_ack[TCP].ack
ack = syn_ack[TCP].seq + 1
# --- Telnet option negotiation ---------------------------------------------------------
# 0xff 0xfd = IAC DO, 0xff 0xfb = IAC WILL (byte values as defined in zhuabao.py
# below). One segment offers/requests a batch of options, e.g. 0x18 terminal
# type, 0x1f window size, 0x20 terminal speed, 0x27 new environment.
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="PA")/Raw(load=b'\xff\xfd&\xff\xfb&\xff\xfd\x03\xff\xfb\x18\xff\xfb\x1f\xff\xfb \xff\xfb!\xff\xfb"\xff\xfb\'\xff\xfd\x05\xff\xfb#'))
# Capture filter used for every reply below: the first TCP packet on the wire
# longer than 40 bytes, presumably meant as "a segment that carries payload".
# NOTE(review): BPF `len` counts the whole frame including the link-layer
# header, so on Ethernet a bare 54-byte ACK matches as well — confirm. The
# filter is also not restricted to target_ip/port 23, a reply that arrives
# before sniff() is listening is missed, and on timeout `response` is empty,
# so the `response[0]` accesses below raise IndexError.
filter_str = (
"tcp and len > 40"
)
response = sniff(
filter=filter_str,
count=1,
timeout=20
)
# Advance our seq by the payload just sent; ack the server's payload.
seq += len(b'\xff\xfd&\xff\xfb&\xff\xfd\x03\xff\xfb\x18\xff\xfb\x1f\xff\xfb \xff\xfb!\xff\xfb"\xff\xfb\'\xff\xfd\x05\xff\xfb#')
ack = response[0][TCP].seq + len(response[0][Raw].load)
# Pure ACK for the server's segment.
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="A"))
response = sniff(
filter=filter_str,
count=1,
timeout=20
)
ack = response[0][TCP].seq + len(response[0][Raw].load)
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="A"))
# Presumably IAC SB ... IAC SE subnegotiations (0xfa/0xf0 are not defined on
# this page): the bytes carry a window size for option 0x1f (0x004d x 0x001c),
# the speed "38400,38400", the X display "kali:0.0", a DISPLAY environment
# variable and the terminal type "XTERM-256COLOR" — i.e. the fingerprint of one
# particular client, which the server can log.
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="PA")/Raw(load=b"\xff\xfa\x1f\x00M\x00\x1c\xff\xf0\xff\xfa \x0038400,38400\xff\xf0\xff\xfa#\x00kali:0.0\xff\xf0\xff\xfa'\x00\x00DISPLAY\x01kali:0.0\xff\xf0\xff\xfa\x18\x00XTERM-256COLOR\xff\xf0"))
seq += len(b"\xff\xfa\x1f\x00M\x00\x1c\xff\xf0\xff\xfa \x0038400,38400\xff\xf0\xff\xfa#\x00kali:0.0\xff\xf0\xff\xfa'\x00\x00DISPLAY\x01kali:0.0\xff\xf0\xff\xfa\x18\x00XTERM-256COLOR\xff\xf0")
response = sniff(
filter=filter_str,
count=1,
timeout=20
)
ack = response[0][TCP].seq + len(response[0][Raw].load)
# 0xff 0xfc 0x01 = IAC WONT option 1 (ECHO).
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="PA")/Raw(load=b'\xff\xfc\x01'))
seq += len(b'\xff\xfc\x01')
response = sniff(
filter=filter_str,
count=1,
timeout=20
)
ack = response[0][TCP].seq + len(response[0][Raw].load)
# 0xff 0xfd 0x01 = IAC DO ECHO. The seq advance on the next line uses a
# different literal of the same length (3), so the arithmetic is right but
# brittle to edit.
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="PA")/Raw(load=b'\xff\xfd\x01'))
seq += len(b'\xff\xfc\x01')
response = sniff(
filter=filter_str,
count=1,
timeout=20
)
ack = response[0][TCP].seq + len(response[0][Raw].load)
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="A"))
# --- Login ---------------------------------------------------------------------------
# Credentials are hard-coded and cross the wire in the clear, as all Telnet
# traffic does; zhuabao.py below shows them as they pass. sr1() returns a single
# Packet, and scapy's Packet[0] is the outermost layer (the packet itself), so
# response[0][TCP] works for both sr1() and sniff() results. Presumably this
# is the login name and the later "hxl17" the password — the script never
# reads the prompts to check which it is answering.
response = sr1(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="PA")/Raw(load=b'hxl\r\x00'))
seq += len(b"hxl\r\x00")
ack = response[0][TCP].seq + len(response[0][Raw].load)
# Leftover debugging output (len(response) is the packet's byte length).
print(len(response))
print(len(response[0][Raw].load))
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="A"))
response = sniff(
filter=filter_str,
count=1,
timeout=20
)
ack = response[0][TCP].seq + len(response[0][Raw].load)
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="A"))
response = sr1(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="PA")/Raw(load=b'hxl17\r\x00'))
seq += len(b'hxl17\r\x00')
ack = response[0][TCP].seq + len(response[0][Raw].load)
# sr1() on a bare ACK waits (without timeout) for the server's next segment.
response = sr1(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="A"))
# Logged in at this point!
ack = response[0][TCP].seq + len(response[0][Raw].load)
# Run one command over the session and print only the first reply segment;
# output that spans several segments is not collected.
response = sr1(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="PA")/Raw(load=b'cat test.txt\r\n'))
seq += len(b"cat test.txt\r\n")
ack = response[0][TCP].seq + len(response[0][Raw].load)
print(response[0][Raw].load)
# Final ACK. No FIN or RST is ever sent, so the server-side session presumably
# stays open until it times out on its own.
send(ip/TCP(sport=local_port, dport=target_port, seq=seq, ack=ack, flags="A"))
监测代码 zhuabao.py
from scapy.all import *
import datetime
# 配置抓包参数
# Capture parameters: the two lab hosts and the Telnet port they talk on.
telnet_port = 23                       # Telnet's well-known port
src_ip = "192.168.17.128"              # this host
dst_ip = "192.168.17.129"              # target host
output_pcap = "telnet_full_flow.pcap"  # written by save_captured_packets() on exit
# Packets matched by packet_handler(); this list is what ends up in output_pcap.
captured_packets = []
# -------------------------- 关键修复:补充所有Telnet控制码定义 --------------------------
# Telnet command bytes (RFC 854), consumed by parse_telnet_negotiation().
IAC = bytes([0xFF])   # "Interpret As Command": introduces every command
DO = bytes([0xFD])    # ask the peer to enable an option
DONT = bytes([0xFE])  # ask the peer to disable / refuse an option
WILL = bytes([0xFB])  # offer to enable an option
WONT = bytes([0xFC])  # refuse to enable an option
# Option codes of interest for this capture.
TERMINAL_TYPE = bytes([0x18])   # Terminal Type
TERMINAL_SPEED = bytes([0x20])  # Terminal Speed
X_DISPLAY_LOC = bytes([0x23])   # X Display Location
NEW_ENVIRON = bytes([0x27])     # New Environment Option
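def packet_handler(pkt):
    """sniff() callback: keep, dump and decode one Telnet packet between the lab hosts.

    Packets that are not IP/TCP, or not exchanged between src_ip and dst_ip on
    telnet_port, are ignored. A matching packet is appended to the module-level
    captured_packets (sniff() runs with store=0, so this list is the only copy
    kept for the pcap written at exit), dumped with pkt.show(), summarised
    (TCP flags, seq/ack) and its payload is either handed to
    parse_telnet_negotiation() or printed as text.

    Everything is printed verbatim: Telnet carries logins, passwords and
    command output in the clear, so the console log and the pcap hold whatever
    was typed during the session.

    Args:
        pkt: a scapy packet as delivered by sniff().

    Returns:
        None. Errors while decoding a packet are reported and swallowed so one
        malformed packet does not stop the capture.
    """
    try:
        if IP not in pkt or TCP not in pkt:
            return
        ip_src = pkt[IP].src
        ip_dst = pkt[IP].dst
        tcp_sport = pkt[TCP].sport
        tcp_dport = pkt[TCP].dport
        # Only the lab hosts' Telnet flow, in either direction.
        to_server = ip_src == src_ip and ip_dst == dst_ip and tcp_dport == telnet_port
        from_server = ip_src == dst_ip and ip_dst == src_ip and tcp_sport == telnet_port
        if not (to_server or from_server):
            return
        captured_packets.append(pkt)
        time_str = datetime.datetime.now().strftime("%H:%M:%S.%f")[:-3]
        print("=" * 100)
        print(f"[{time_str}] 捕获Telnet数据包:{ip_src}:{tcp_sport} → {ip_dst}:{tcp_dport}")
        print("-" * 100)
        # 1. Full layer dump (Ethernet + IP + TCP + Raw).
        print("【完整包体内容】")
        pkt.show()
        print("-" * 100)
        # 2. TCP flags and sequence numbers.
        flag_str, flag_desc = _describe_tcp_flags(pkt[TCP].flags)
        print(f"【TCP标志位】: {flag_str} → {', '.join(flag_desc) if flag_desc else '无特殊标志'}")
        print(f"【TCP关键字段】: 序号(seq)={pkt[TCP].seq}, 确认号(ack)={pkt[TCP].ack}")
        print("-" * 100)
        # 3. Telnet payload, if any.
        if Raw in pkt:
            _print_telnet_payload(pkt[Raw].load)
        else:
            print("【Telnet数据解析】: 无Raw负载(仅TCP控制包)")
        print("=" * 100 + "\n")
    except Exception as e:
        # Deliberately broad: a decoding problem must never abort sniff().
        print(f"【解析警告】: 数据包解析出错(不影响抓包)→ {str(e)}")
        print("=" * 100 + "\n")


def _describe_tcp_flags(flags):
    """Return (letter string, descriptions) for the FIN/SYN/RST/PSH/ACK bits of *flags*.

    *flags* may be an int or scapy's FlagValue; only `&` with an int is used.
    """
    letters = ""
    descriptions = []
    for bit, letter, text in (
        (0x01, "F", "FIN(关闭连接)"),
        (0x02, "S", "SYN(发起连接)"),
        (0x04, "R", "RST(重置连接)"),
        (0x08, "P", "PUSH(推送数据)"),
        (0x10, "A", "ACK(确认接收)"),
    ):
        if flags & bit:
            letters += letter
            descriptions.append(text)
    return letters, descriptions


def _print_telnet_payload(raw_data):
    """Print *raw_data* as option negotiation, ASCII text or (fallback) hex."""
    print("【Telnet数据解析】")
    # Heuristic: any 0xff byte is taken as IAC, i.e. option negotiation; a
    # binary payload that merely contains 0xff lands in this branch too.
    if b'\xff' in raw_data:
        print(" 类型: Telnet选项协商")
        print(f" 十六进制数据: {raw_data.hex()}")
        parse_telnet_negotiation(raw_data)
        return
    try:
        plain_text = raw_data.decode("ascii")
    except UnicodeDecodeError:
        # Was a bare `except:`, which also swallowed KeyboardInterrupt.
        print(" 类型: 非ASCII数据")
        print(f" 十六进制: {raw_data.hex()}")
    else:
        print(" 类型: 明文数据")
        print(f" 内容: {repr(plain_text)}")  # repr() keeps CR/LF and IAC-free control chars visible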
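def parse_telnet_negotiation(data):
    """Print one line per Telnet command found in *data* (RFC 854 framing).

    Four framings are recognised and each is consumed as a unit so the bytes
    that follow are not mis-read as further commands:

      IAC IAC                        an escaped 0xff data byte
      IAC <0xf0-0xf9>                two-byte commands (NOP, GA, AYT, ...)
      IAC DO|DONT|WILL|WONT <opt>    three-byte option negotiation
      IAC SB <opt> ... IAC SE        subnegotiation, reported as a whole

    Unknown command or option codes are printed with their hex value rather
    than raising, so a malformed segment never aborts the capture. Escaped
    IAC IAC pairs inside subnegotiation parameters are printed as-is, not
    unescaped.

    Args:
        data: raw TCP payload bytes of one Telnet segment.

    Returns:
        None; output goes to stdout.
    """
    sb = b'\xfa'  # subnegotiation begin (RFC 854)
    se = b'\xf0'  # subnegotiation end
    cmd_map = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
    # Two-byte commands (RFC 854, "Telnet command structure").
    simple_cmd_map = {
        b'\xf1': "NOP",
        b'\xf2': "Data Mark",
        b'\xf3': "Break",
        b'\xf4': "Interrupt Process",
        b'\xf5': "Abort Output",
        b'\xf6': "Are You There",
        b'\xf7': "Erase Character",
        b'\xf8': "Erase Line",
        b'\xf9': "Go Ahead",
    }
    # Option codes. The module constants are the canonical keys for the four
    # options of interest; the duplicate literal keys for 0x20 and 0x27 are
    # gone. Two labels were corrected against the IANA option registry:
    # 0x1f is NAWS (RFC 1073; Terminal Location Number is 0x1c) and 0x26 is
    # the Encryption option (RFC 2946; TN3270 Regime is 0x1d).
    opt_map = {
        b'\x01': "Echo(回显)",
        b'\x03': "Suppress Go Ahead(禁止继续)",
        b'\x05': "Status(状态查询)",
        TERMINAL_TYPE: "Terminal Type(终端类型)",
        b'\x1f': "Negotiate About Window Size(窗口大小)",
        TERMINAL_SPEED: "Terminal Speed(终端速率)",
        b'\x21': "Remote Flow Control(远程流量控制)",
        b'\x22': "Linemode(行模式)",
        X_DISPLAY_LOC: "X Display Location(X显示位置)",
        b'\x25': "Authentication(认证)",
        b'\x26': "Encryption(加密)",
        NEW_ENVIRON: "New Environment Option(新环境选项)",
    }

    def opt_name(opt):
        return opt_map.get(opt, f"未知选项(0x{opt.hex()})")

    n = len(data)
    i = 0
    while i < n:
        if data[i:i + 1] != IAC or i + 1 >= n:
            i += 1  # ordinary data byte, or a lone trailing IAC
            continue
        cmd = data[i + 1:i + 2]
        if cmd == IAC:
            # IAC IAC is a literal 0xff data byte, not a command.
            i += 2
        elif cmd in cmd_map:
            opt = data[i + 2:i + 3]  # empty when the segment ends after the command
            if opt:
                print(f" → 协商指令: IAC(0xff) + {cmd_map[cmd]}(0x{cmd.hex()}) + {opt_name(opt)}(0x{opt.hex()})")
            else:
                print(f" → 协商指令被截断: IAC(0xff) + {cmd_map[cmd]}(0x{cmd.hex()})")
            i += 3
        elif cmd == sb:
            end = data.find(IAC + se, i + 2)
            if end < 0:
                end = n  # unterminated subnegotiation: report what is there
            opt = data[i + 2:i + 3]
            print(f" → 子协商: IAC(0xff) + SB(0xfa) + {opt_name(opt)}(0x{opt.hex()}) + 参数 {data[i + 3:end].hex()} + IAC SE")
            i = end + 2
        else:
            # Two-byte command, or an unknown code consumed as one.
            print(f" → 控制指令: IAC(0xff) + {simple_cmd_map.get(cmd, '未知指令')}(0x{cmd.hex()})")
            i += 2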
def save_captured_packets():
    """Write every packet collected by packet_handler() to output_pcap.

    Nothing is written when captured_packets is empty; in both cases a short
    end-of-capture summary is printed. The pcap holds the complete Telnet
    session, credentials included, so treat the file as sensitive.
    """
    if not captured_packets:
        print("\n=== 抓包结束 ===")
        print("未捕获到目标流量")
        return
    wrpcap(output_pcap, captured_packets)
    print("\n=== 抓包结束 ===")
    print(f"共捕获 {len(captured_packets)} 个数据包,文件已保存为: {output_pcap}")
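if __name__ == "__main__":
    print(f"=== 开始抓取 {src_ip} ↔ {dst_ip} 的Telnet流量(端口{telnet_port})===")
    print("特点:打印完整包体(.show())+ 解析Telnet协商/明文数据 + 容错不中断")
    print("按 Ctrl+C 停止抓包\n")
    # Kernel-side BPF filter: only the lab hosts' Telnet port reaches the
    # handler, so packet_handler()'s own address check is a second line of defence.
    bpf_filter = f"tcp and host {src_ip} and host {dst_ip} and port {telnet_port}"
    try:
        # Layer-2 capture (Ethernet header kept). store=0: scapy retains
        # nothing itself; packet_handler() keeps the matching packets.
        sniff(
            filter=bpf_filter,
            prn=packet_handler,
            store=0,
            count=0,  # no packet limit: run until interrupted
            iface=None,  # default interface; name one (e.g. "eth0") if nothing is captured
        )
    except KeyboardInterrupt:
        pass  # the capture is written in `finally`
    except Exception as e:
        print(f"\n抓包核心错误:{str(e)}")
    finally:
        # Always write the pcap. Recent scapy releases catch Ctrl+C inside
        # sniff() and return normally, in which case the KeyboardInterrupt
        # branch above never runs and the capture was previously lost —
        # confirm against the installed scapy version.
        save_captured_packets()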