root@ury:~# IP=192.168.1.193
root@ury:~# LOG=/tmp/wa2.log
root@ury:~# > $LOG
root@ury:~#
root@ury:~# echo "=== COUNTERS BEFORE ==="
=== COUNTERS BEFORE ===
root@ury:~# nft list table inet PodkopTable 2>/dev/null | grep -E 'mark set 0x00100000 counter' | head -8
echo "=== ЗАПУСКАЮ TCPDUMP ==="
tcpdump -i br-lan -nn -tt -l "host $IP and not port 22" > $LOG 2>&1 &
TCPID=$!
echo ">>> ПОДГОТОВЬСЯ. ЧЕРЕЗ 10 СЕКУНД ОТПРАВЛЯЙ ТОЧКУ <<<"
sleep 1 iifname @interfaces ip daddr @podkop_subnets meta l4proto tcp meta mark set 0x00100000 counter packets 44666 bytes 25183812
0
echo ">>> ОТПРАВЛЯЙ ТОЧКУ СЕЙЧАС! У ТЕБЯ 40 СЕКУН iifname @interfaces ip daddr @podkop_subnets meta l4proto udp meta mark set 0x00100000 counter packets 27 bytes 11514
iifname @interfaces ip daddr 198.18.0.0/15 meta l4proto tcp meta mark set 0x00100000 counter packets 2831 bytes 486357
iifname @interfaces ip daddr 198.18.0.0/15 meta l4proto udp meta mark set 0x00100000 counter packets 5798 bytes 1993821
ip daddr @podkop_subnets meta l4proto tcp meta mark set 0x00100000 counter packets 0 bytes 0
ip daddr @podkop_subnets meta l4proto udp meta mark set 0x00100000 counter packets 0 bytes 0
ip daddr 198.18.0.0/15 meta l4proto tcp meta mark set 0x00100000 counter packets 37 bytes 3278
ip daddr 198.18.0.0/15 meta l4proto udp meta mark set 0x00100000 counter packets 0 bytes 0
root@ury:~#
root@ury:~# echo "=== ЗАПУСКАЮ TCPDUMP ==="
=== ЗАПУСКАЮ TCPDUMP ===
root@ury:~# tcpdump -i br-lan -nn -tt -l "host $IP and not port 22" > $LOG 2>&1 &
Д <<<root@ury:~# TCPID=$!
root@ury:~# not found
root@ury:~# echo ">>> ПОДГОТОВЬСЯ. ЧЕРЕЗ 10 СЕКУНД ОТПРАВЛЯЙ ТОЧКУ <<<"
>>> ПОДГОТОВЬСЯ. ЧЕРЕЗ 10 СЕКУНД ОТПРАВЛЯЙ ТОЧКУ <<<
root@ury:~# sleep 10
"
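# Second half of the capture script.
# Globals (read):  IP    - address of the monitored LAN host
#                  LOG   - tcpdump output file, started earlier in background
#                  TCPID - PID of that background tcpdump
# Outputs: summary sections on stdout (line count, nft counters, DNS traffic,
#          top destinations/ports, new TCP connections, FakeIP hits).
# NOTE: $LOG sits under /tmp and contains traffic metadata for the host;
#       tighten its permissions (or delete it) once the analysis is done.

# Capture window: the host is expected to generate traffic during these 40 s.
sleep 40

# Stop the capture and reap the job so the file is completely written before
# it is read. tcpdump may already have exited; neither step is an error then.
kill "$TCPID" 2>/dev/null
wait "$TCPID" 2>/dev/null || true

echo "=== captured: $(wc -l < "$LOG") ==="

echo "=== COUNTERS AFTER ==="
nft list table inet PodkopTable 2>/dev/null | grep -E 'mark set 0x00100000 counter' | head -8

# tcpdump -nn -tt lines look like: "<ts> IP <src>.<sport> > <dst>.<dport>: ...",
# so $3 is the source endpoint and $5 the destination endpoint (with ':').
# "ip ." anchors on the full address followed by the port separator; a bare
# prefix match would also accept 192.168.1.19x when IP is 192.168.1.19.

echo "=== DNS REQUESTS FROM HER (port 53) ==="
# Queries from the host to port 53 and the replies coming back to it.
# The previous substring filter '\.53' also matched timestamps and any
# address/port merely containing ".53" (e.g. .530, .5353).
awk -v ip="$IP" \
  '(index($3, ip ".") == 1 && $5 ~ /\.53:$/) || (index($5, ip ".") == 1 && $3 ~ /\.53$/)' \
  "$LOG" | head -20

echo "=== DEST IPs (TOP 20, OUTGOING from her phone) ==="
# Strip ".<port>:" from $5 so packets are grouped per destination address.
# The earlier /\.[0-9]+$/ never matched because $5 ends in ':', which left
# the port attached and split one host into one entry per port.
awk -v ip="$IP" 'index($3, ip ".") == 1 { sub(/\.[0-9]+:$/, "", $5); print $5 }' "$LOG" \
  | sort | uniq -c | sort -rn | head -20

echo "=== DEST PORTS ==="
# Last dot-separated field of $5 is the destination port; drop the ':' in awk
# instead of a separate sed pass.
awk -v ip="$IP" 'index($3, ip ".") == 1 { n = split($5, a, "."); sub(/:$/, "", a[n]); print a[n] }' "$LOG" \
  | sort | uniq -c | sort -rn | head -10

echo "=== TCP SYN (new connections) ==="
# Pure SYNs sent by the host ("Flags [S]" — SYN/ACK prints as "[S.]" and is
# excluded); each unique destination is one outbound connection attempt.
# Restricting to $3 avoids listing inbound SYNs aimed at the host itself.
awk -v ip="$IP" 'index($3, ip ".") == 1 && /Flags \[S\]/ { sub(/:$/, "", $5); print $5 }' "$LOG" \
  | sort -u | head -20

echo "=== 198.18.x (FakeIP — должны быть, если подкоп ловит DNS) ==="
# The nft rules cover 198.18.0.0/15, i.e. both 198.18.x and 198.19.x; the
# leading space anchors on an address field rather than an arbitrary substring.
grep -c ' 198\.1[89]\.' "$LOG"
grep ' 198\.1[89]\.' "$LOG" | head -5

echo "=== DONE ==="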
root@ury:~# echo ">>> ОТПРАВЛЯЙ ТОЧКУ СЕЙЧАС! У ТЕБЯ 40 СЕКУНД <<<"
>>> ОТПРАВЛЯЙ ТОЧКУ СЕЙЧАС! У ТЕБЯ 40 СЕКУНД <<<
root@ury:~# sleep 40
root@ury:~# kill $TCPID 2>/dev/null
root@ury:~# sleep 1
[1]+ Done tcpdump -i br-lan -nn -tt -l "host ${IP} and not port 22" 1>${LOG} 2>&1
root@ury:~#
root@ury:~# echo "=== captured: $(wc -l < $LOG) ==="
=== captured: 570 ===
root@ury:~#
root@ury:~# echo "=== COUNTERS AFTER ==="
=== COUNTERS AFTER ===
root@ury:~# nft list table inet PodkopTable 2>/dev/null | grep -E 'mark set 0x00100000 counter' | head -8
iifname @interfaces ip daddr @podkop_subnets meta l4proto tcp meta mark set 0x00100000 counter packets 44666 bytes 25183812
iifname @interfaces ip daddr @podkop_subnets meta l4proto udp meta mark set 0x00100000 counter packets 27 bytes 11514
iifname @interfaces ip daddr 198.18.0.0/15 meta l4proto tcp meta mark set 0x00100000 counter packets 2834 bytes 486513
iifname @interfaces ip daddr 198.18.0.0/15 meta l4proto udp meta mark set 0x00100000 counter packets 5798 bytes 1993821
ip daddr @podkop_subnets meta l4proto tcp meta mark set 0x00100000 counter packets 0 bytes 0
ip daddr @podkop_subnets meta l4proto udp meta mark set 0x00100000 counter packets 0 bytes 0
ip daddr 198.18.0.0/15 meta l4proto tcp meta mark set 0x00100000 counter packets 37 bytes 3278
ip daddr 198.18.0.0/15 meta l4proto udp meta mark set 0x00100000 counter packets 0 bytes 0
root@ury:~#
root@ury:~# echo "=== DNS REQUESTS FROM HER (port 53) ==="
=== DNS REQUESTS FROM HER (port 53) ===
root@ury:~# grep '\.53' $LOG | grep "$IP" | head -20
1777654216.828743 IP 192.168.1.193.50611 > 172.234.214.79.53: 7317 notify+ [b2&3=0x25c3] [39544a] [5791q] [5344n] [19165au] Type2170 (Class 20980)? <BAD PTR> [|domain]
1777654216.828872 IP 192.168.1.193.50611 > 172.234.214.79.53: 13473 inv_q% [b2&3=0xc16] [45202q] [9533a] [39990n] [58602au] [|domain]
1777654216.965831 IP 192.168.1.193.43062 > 172.234.71.86.53: 4773 inv_q% [b2&3=0xa79] [58352q] [47352a] [45566n] [47377au] [|domain]
1777654216.965831 IP 192.168.1.193.43062 > 172.234.71.86.53: 59775 op7+ [b2&3=0x3961] [5894a] [53781q] [44253n] [60249au] Type9422 (Class 60282)? . [|domain]
1777654216.967124 IP 192.168.1.193.53409 > 172.232.39.73.53: 13738 updateD+% [b2&3=0x55b3] [51734a] [1567q] [62500n] [62803au] Type38395 (Class 47559)? M-^WsM-^B^U7M-MM-9GM-^?cMM-wM->}M-^^^Oq^PeIsdbM-]$pM-8.<BAD PTR> [|domain]
1777654216.967341 IP 192.168.1.193.53409 > 172.232.39.73.53: 43873 updateD NXRRSet*|$ [24488q], [|domain]
1777654217.254355 IP 192.168.1.193.55280 > 193.123.34.218.53: 50176 [20453a] [264q] [44679n] [24238au] [|domain]
1777654217.765566 IP 192.168.1.193.39760 > 196.245.156.117.53: Flags [S], seq 2379492654, win 65535, options [mss 1460,sackOK,TS val 1128577787 ecr 0,nop,wscale 8], length 0
1777654217.982266 IP 192.168.1.193.53470 > 192.168.1.1.53: 11780+ AAAA? www.storagejsstrategiesfabulous.com. (53)
1777654217.983584 IP 192.168.1.1.53 > 192.168.1.193.53470: 11780* 0/0/0 (53)
1777654217.983708 IP 192.168.1.193.56562 > 192.168.1.1.53: 48480+ A? www.storagejsstrategiesfabulous.com. (53)
1777654218.139147 IP 192.168.1.1.53 > 192.168.1.193.56562: 48480 2/0/0 CNAME j.sni.global.fastly.net., A 146.75.118.132 (164)
1777654218.429231 IP 192.168.1.193.50611 > 172.234.214.79.53: 46890 updateM% [b2&3=0x64fe] [25088a] [3604q] [57375n] [32723au] [|domain]
1777654218.430667 IP 192.168.1.193.50611 > 172.234.214.79.53: 50258 op6 Resp12-|$ [26882q] [|domain]
1777654218.740603 IP 192.168.1.193.53123 > 159.203.154.81.53: 21843 op8+% [b2&3=0x4552] [29749a] [8255q] [20582n] [26971au] [|domain]
1777654218.774266 IP 192.168.1.193.39760 > 196.245.156.117.53: Flags [S], seq 2379492654, win 65535, options [mss 1460,sackOK,TS val 1128578797 ecr 0,nop,wscale 8], length 0
1777654218.940921 IP 192.168.1.193.53123 > 159.203.154.81.53: 21843 op8+% [b2&3=0x4552] [29749a] [8255q] [20582n] [26971au] [|domain]
1777654218.942076 IP 192.168.1.193.53123 > 159.203.154.81.53: 21843 op8+% [b2&3=0x4552] [29749a] [8255q] [20582n] [26971au] [|domain]
1777654219.053342 IP 192.168.1.193.34679 > 172.238.56.235.53: 37435 op3+% [b2&3=0x1bd0] [3302a] [48893q] [56325n] [31254au] [|domain]
1777654219.053502 IP 192.168.1.193.34679 > 172.238.56.235.53: 28003 inv_q [b2&3=0xcc2] [12517q] [11359a] [5984n] [35098au] [|domain]
root@ury:~#
root@ury:~# echo "=== DEST IPs (TOP 20, OUTGOING from her phone) ==="
=== DEST IPs (TOP 20, OUTGOING from her phone) ===
root@ury:~# awk -v ip="$IP" 'index($3,ip)==1 {sub(/\.[0-9]+$/,"",$5); print $5}' $LOG | sort | uniq -c | sort -rn | head
-20
19 5.45.215.17.443:
17 172.234.239.44.553:
14 47.245.134.147.443:
13 159.203.154.81.53:
12 74.208.165.202.443:
12 213.180.204.145.443:
11 205.237.92.178.53:
10 89.221.238.2.443:
10 88.208.225.58.53:
10 8.211.29.218.443:
10 45.79.182.252.179:
10 139.162.119.225.627:
9 80.240.24.234.443:
9 57.128.75.129.443:
9 212.71.250.185.553:
9 204.216.104.202.627:
9 172.233.97.49.53:
9 138.68.204.170.53:
8 79.142.76.177.443:
8 192.168.1.1.53:
root@ury:~#
root@ury:~# echo "=== DEST PORTS ==="
=== DEST PORTS ===
root@ury:~# awk -v ip="$IP" 'index($3,ip)==1 {n=split($5,a,"."); print a[n]}' $LOG | sed 's/:$//' | sort | uniq -c | sor
t -rn | head -10
203 443
118 53
31 80
29 553
19 627
18 554
11 179
6 721
5 3478
4 983
root@ury:~#
root@ury:~# echo "=== TCP SYN (new connections) ==="
=== TCP SYN (new connections) ===
root@ury:~# grep -E "$IP.*Flags \[S\]" $LOG | awk '{print $5}' | sed 's/.$//' | sort -u | head -20
104.248.104.158.623
129.212.194.18.553
129.212.213.206.443
139.162.180.243.443
139.162.231.166.80
139.177.180.177.443
142.44.135.26.443
146.190.2.129.80
152.42.146.249.443
159.223.247.41.53
165.227.255.156.443
167.172.8.4.443
170.64.245.135.554
172.104.188.244.443
172.233.81.181.443
172.234.141.140.895
172.234.186.226.80
172.234.239.44.553
172.235.191.175.443
172.236.207.31.554
root@ury:~#
root@ury:~# echo "=== 198.18.x (FakeIP — должны быть, если подкоп ловит DNS) ==="
=== 198.18.x (FakeIP — должны быть, если подкоп ловит DNS) ===
root@ury:~# grep -c '198\.18\.' $LOG
6
root@ury:~# grep '198\.18\.' $LOG | head -5
1777654223.080746 IP 198.18.0.72.443 > 192.168.1.193.55350: Flags [P.], seq 1062622204:1062622228, ack 56545665, win 1999, options [nop,nop,TS val 4283549189 ecr 3078200810], length 24
1777654223.126364 IP 192.168.1.193.55350 > 198.18.0.72.443: Flags [.], ack 24, win 333, options [nop,nop,TS val 3078270862 ecr 4283549189], length 0
1777654224.082153 IP 198.18.0.72.443 > 192.168.1.193.55350: Flags [P.], seq 24:48, ack 1, win 1999, options [nop,nop,TS val 4283550191 ecr 3078270862], length 24
1777654224.082377 IP 198.18.0.72.443 > 192.168.1.193.55350: Flags [F.], seq 48, ack 1, win 1999, options [nop,nop,TS val 4283550191 ecr 3078270862], length 0
1777654224.083036 IP 192.168.1.193.55350 > 198.18.0.72.443: Flags [.], ack 48, win 333, options [nop,nop,TS val 3078271819 ecr 4283550191], length 0
root@ury:~#
root@ury:~# echo "=== DONE ==="
=== DONE ===
root@ury:~#