{"id":16,"date":"2017-05-22T09:09:25","date_gmt":"2017-05-22T00:09:25","guid":{"rendered":"http:\/\/ps2.ddns.net\/press\/?p=11"},"modified":"2021-04-09T10:26:50","modified_gmt":"2021-04-09T01:26:50","slug":"pkt_monitor","status":"publish","type":"post","link":"https:\/\/rfsec.ddns.net\/db\/?p=16","title":{"rendered":"LAN\u306e\u30d1\u30b1\u30c3\u30c8\u76e3\u8996"},"content":{"rendered":"\n

WannaCry\u306f\u3001LAN\u306e\u4e2d\u3067\u306fsmb(445\/TCP)\u3067\u611f\u67d3\u3059\u308b\u3068\u3044\u3046\u3053\u3068\u306a\u306e\u3067\u3001\u7c21\u6613\u306a\u76e3\u8996\u306e\u30c4\u30fc\u30eb\u3092\u4f5c\u3063\u3066\u307f\u307e\u3057\u305f\u3002
\u30df\u30e9\u30fc\u3057\u305f\u30bb\u30b0\u30e1\u30f3\u30c8\u306e\u30d1\u30b1\u30c3\u30c8\u3092tcpdump\u3067\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u3001PHP\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u3067\u89b3\u6e2c\u3057\u305f\u30d1\u30b1\u30c3\u30c8\u306e\u6570\u3092\u53ef\u8996\u5316\u3057\u307e\u3059\u3002
\u4f7f\u3044\u65b9\u306f\u3001\u6b21\u306e\u3088\u3046\u306a\u611f\u3058\u3001\u3001\u3001<\/p>\n\n\n\n

#tcpdump -ntttti eth0 port 445 | visualize.php<\/p>\n\n\n\n

visualize.php \u306f\u3001\u5b9a\u671f\u7684\u306bhtml\u30d5\u30a1\u30a4\u30eb\u3092\u751f\u6210\u307e\u3059
\u5229\u7528\u8005\u306f\u30d6\u30e9\u30a6\u30b6\u3067html\u30d5\u30a1\u30a4\u30eb\u3092\u95b2\u89a7\u3057\u307e\u3059\u3002
html\u30d5\u30a1\u30a4\u30eb\u306f (\u4f8b\u3048\u307010\u79d2\u6bce\u306b)\u81ea\u8eab\u3092refresh\u3057\u307e\u3059\u3002<\/p>\n\n\n\n

\u8868\u793a\u3055\u308c\u308b\u3001\u753b\u50cf\u306e\uff11\u30de\u30b9\u306f\u3001\u30ce\u30fc\u30c9\uff08PC\u3084\u30b5\u30fc\u30d0\uff09\u9593\u306e\u30d1\u30b1\u30c3\u30c8\u6570\u3092\u8272\u3067\u8868\u73fe\u3057\u3066\u3044\u307e\u3059\u3002
\u901a\u4fe1\u304c\u307e\u3063\u305f\u304f\u89b3\u6e2c\u3055\u308c\u306a\u3044\u5834\u5408\u306f\u6fc3\u3044\u9752\u8272\u3067\u89b3\u6e2c\u3055\u308c\u305f\u30d1\u30b1\u30c3\u30c8\u6570\u304c\u591a\u3044\u3068\u9ec4\u8272\uff5e\u8d64\u306b\u5909\u5316\u3057\u307e\u3059\u3002
\u307e\u305f\u3001\u30de\u30b9\u306e\u4e2d\u306e\uff11\u6587\u5b57\u306f\u3001\u89b3\u6e2c\u3057\u305f\u30d1\u30b1\u30c3\u30c8\u306e\u6570\u306b\u5fdc\u3058\u3066\u30010-9,A-Z…..\u3068\u8868\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n
#!\/usr\/bin\/php\n<?php\n\/*\n        Usage:\n        tcpdump -nttttr xxxxx.pcap port 445 | .\/p445.php\n*\/\n\n$MIN_TH = 5;\n$fp=fopen(\"php:\/\/stdin\",\"r\");\nfor($i=1;$i<255;$i++){\n        for($j=1;$j<255;$j++){\n                $buf[$i][$j]=0;\n        }\n}\n$n=0;$prev_min=0;\nwhile($in=fgets($fp)){\n        $t=explode(\" \",$in);\n        $date=$t[0].\" \".$t[1];\n        $tmp =explode(\":\",$t[1]);       \/\/ hh:mm:ss.xxxxx\n        $min =$tmp[1];                  \/\/ min\n        if(isset($t[3])){\n                $s=explode(\".\",$t[3]);\n                if(isset($s[3])) {\n                        $ip1=$s[3];\n                        $d=explode(\".\",$t[5]);\n                        $ip2=$d[3];\n\/\/                      echo \"$ip1,$ip2\\n\";\n                        $buf[$ip1][$ip2]++;\n                }\n        }\n\n        $n++;\n        if(($n % 2000)==0 || ($min - $prev_min) > $MIN_TH) {\n                MkHTML($buf,$date);\n                $prev_min = $min;\n        }\n}\n\nfclose($fp);\nMkHTML($buf,$date);\necho \"Finished!!!\\n\";\n\n\nfunction MkHTML($buf,$date){\n\n        $date=\"<H3>$date<\/H3>\";\n        $header=\"<!DOCTYPE HTML><HTML><HEAD><meta http-equiv=\\\"refresh\\\" content=\\\"10\\\"><\/HEAD><BODY>\";\n        $msg=\"<H3>$date<\/H3>\\n<TABLE>\\n\";\n        for($i=1;$i<255;$i++){\n                $sum=0;\n                for($j=1;$j<255;$j++){\n                        $sum+=$buf[$j][$i];\n                }\n                $iSum[$i]=$sum;\n\/\/              echo \"$i,$iSum[$i]\\n\";\n        }\n\n        for($i=1;$i<255;$i++){\n                $tmp=\"<TR><TD>$i<\/TD>\";$sum=0;\n                for($j=1;$j<255;$j++){\n                        $var=$buf[$i][$j];\n                        $pt=\".\";\n                        if($var<63) {\n                                if($var<10) {\n                                        $pt=$var;\n                                } else {\n                                        $pt=chr(ord('A')+$var-10);\n                                }\n                        }\n                        $sum+=$var;\n                        $var=20*log($var+1);\n                        $color=set_color($var);\n                        if($iSum[$j]!=0) $tmp.= \"<TD BGCOLOR=$color>10.8.0.$j\\\">$pt<\/TD>\";\n\n                }\n                if($sum !=0 ) {\n                        $msg.=$tmp;\n                        $msg.=\"<\/TR>\\n\";\n                }\n        }\n\n        $msg.=\"<\/TABLE>\\n<H3>$date<\/H3><\/BODY><\/HTML>\\n\";\n        $fw=fopen(\"\/var\/www\/html\/cross.html\",\"w\");\n        fputs($fw,$header);\n        fputs($fw,$msg);\n        fclose($fw);\n}\n\n\nfunction set_color($x){\n   if ($x<64) {\n       $r=0; $g= $x*4 ; $b=255;\n   } else {\n       if ($x<128){\n           $r=4*( $x -64 );$g=255;$b=255-$r;\n       } else {\n           if ($x<192){\n               $b=4*( $x - 128 );$r=255;$g=255-$b;\n           } else {\n               $r=255;$g=0;$b=255-4*( $x -192);\n           }\n       }\n   }\n   return \"#\".sprintf(\"%02x%02x%02x\",$r,$g,$b);\n}\n?><\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
WannaCry\u306f\u3001LAN\u306e\u4e2d\u3067\u306fsmb(445\/TCP)\u3067\u611f\u67d3\u3059\u308b\u3068\u3044\u3046\u3053\u3068\u306a\u306e\u3067\u3001\u7c21\u6613\u306a\u76e3\u8996\u306e\u30c4\u30fc\u30eb\u3092\u4f5c\u3063\u3066\u307f\u307e\u3057\u305f\u3002\u30df\u30e9\u30fc\u3057\u305f\u30bb\u30b0\u30e1\u30f3\u30c8\u306e\u30d1\u30b1\u30c3\u30c8\u3092tcpdump\u3067\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u3001PHP\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u3067\u89b3\u6e2c\u3057\u305f\u30d1\u30b1\u30c3\u30c8 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8,3],"tags":[],"class_list":["post-16","post","type-post","status-publish","format-standard","hentry","category-security","category-network"],"featured_image_src":null,"author_info":{"display_name":"mars","author_link":"https:\/\/rfsec.ddns.net\/db\/?author=1"},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/posts\/16","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16"}],"version-history":[{"count":1,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/posts\/16\/revisions"}],"predecessor-version":[{"id":57,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/posts\/16\/revisions\/57"}],"wp:attachment":[{"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}