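Capturing the login request

Wholeton (惠尔顿) web login: analysing the exchange with a Wireshark capture

The capture shows that the HTTP POST carries the username, password and other key information.

Method 1

Requires the netcat command.

Take the complete HTTP POST data from the capture and save it as auth.http

Login test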

root@localhost:~# /bin/cat /root/auth.http | /bin/nc 10.100.100.3 80
HTTP/1.1 200 OK
Server: nginx/1.19.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
Date: Tue, 22 Jun 2021 02:44:41 GMT
Set-Cookie: fms_session=eyJpdiI6IktIODZ4eVNOU1g3SzhUR2tDRURTc2c9PSIsInZhbHVlIjoieFN3UFljenFHTVc4NVA3emJ5d0pwZjZkWFJiMWUrTFdDMzhaUFRZNVlwQmRHNGkxd2NhUmJZOVVXZnVNS2hJaDBHd2grVnJOQjd5Umk3SXZyWjdLaWc9PSIsIm1hYyI6ImU0ZDlkNzY5YmQyMmJjOGRmM2E4YmMxZDA0ZGU3MWYzNmJhNzAzMjkzZTY5YjE2YjJjNjI5YmM5MWFmMGQ2YzYifQ%3D%3D; path=/; HttpOnly
X-Frame-Options: SAMEORIGIN

a3
{"status":"1", "msg":"success" , "redirect":"/deny-message?type=18&user=XXXXXXXXXXXXXXXX&cause=XXXXXXXXXXXXXXXXXXXXX","user_name":%XXXXXXXXXXXXXXXXXXXX"}
0

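Testing network connectivity

DNS or ICMP cannot be used to test the real state of network connectivity;
the Wholeton internet behavior management gateway intercepts TCP/UDP traffic.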

root@localhost:~# curl -vvv baidu.com
* Rebuilt URL to: baidu.com/
* Trying 220.181.38.148...
* Connected to baidu.com (220.181.38.148) port 80 (#0)
> GET / HTTP/1.1
> Host: baidu.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 22 Jun 2021 02:44:22 GMT
< Server: Apache
< Last-Modified: Tue, 12 Jan 2010 13:48:00 GMT
< ETag: "51-47cf7e6ee8400"
< Accept-Ranges: bytes
< Content-Length: 81
< Cache-Control: max-age=86400
< Expires: Wed, 23 Jun 2021 02:44:22 GMT
< Connection: Keep-Alive
< Content-Type: text/html
<
<html>
<meta http-equiv="refresh" content="0;url=http://www.baidu.com/">
</html>
* Connection #0 to host baidu.com left intact
root@localhost:~#

Start at boot

root@localhost:~# cat /lib/systemd/system/network_login.service
[Unit]
Description=network_login
After=network.target

[Service]
Type=idle
User=root
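# systemd does not run ExecStart through a shell, so the pipe and redirect need an explicit sh -c
ExecStart=/bin/sh -c '/bin/cat /root/auth.http | /bin/nc 10.100.100.3 80 >> /tmp/auth.log'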

[Install]
WantedBy=multi-user.target
root@localhost:~#
root@localhost:~# systemctl enable network_login.service
root@localhost:~#

Periodic login to keep the heartbeat

root@localhost:~# cat /etc/crontab
*/5 * * * * root /bin/cat /root/auth.http | /bin/nc 10.100.100.3 80
root@localhost:~#

Every N minutes, this keeps a heartbeat connection with the internet behavior management gateway.
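
The cron entry above discards the gateway's reply, and auth.http holds the username and password in cleartext. The script below is an added example, not part of the original post: it replays the same saved request, refuses to run if auth.http is accessible to group or other, and checks the reply for the "status":"1" seen in the login test. The function names are hypothetical, and treating any other status value as a failed login is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the file path and portal address are the ones used in the commands above.
AUTH_FILE=${AUTH_FILE:-/root/auth.http}
PORTAL=${PORTAL:-10.100.100.3}

# auth.http holds the username and password in cleartext, so succeed only
# when it is a regular file with no group/other permission bits set.
auth_file_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Read a raw HTTP response on stdin. Succeed only for a 200 status line and a
# body containing "status":"1", as in the sample reply shown earlier.
# Assumption: any other status value means the login was rejected.
# Chunk-size lines ("a3", "0") are skipped naturally; empty input fails.
login_succeeded() {
    tr -d '\r' | awk '
        NR == 1 && $2 != "200"       { bad = 1 }
        body && /"status" *: *"1"/   { ok = 1 }
        !body && $0 == ""            { body = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# Replay the saved request and report whether the portal accepted it.
# Returns 2 without sending anything if the credential file is exposed.
portal_login() {
    if ! auth_file_private "$AUTH_FILE"; then
        echo "refusing: $AUTH_FILE missing or accessible to group/other" >&2
        return 2
    fi
    nc -w 5 "$PORTAL" 80 < "$AUTH_FILE" | login_succeeded
}

# Perform the login only when called as: sh portal_login.sh run
if [ "${1:-}" = "run" ]; then
    if portal_login; then echo "$(date) login ok"; else echo "$(date) login FAILED"; fi
fi
```
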

Verification

reboot

Method 2

When neither curl nor netcat is available

# Authenticate
wget --post-data "param[UserName]=XXX&param[UserPswd]=XXX&uri=id=&url=&user=&mac=&force=0" "http://10.100.100.3/user-login-auth?id=&url=&user=&mac=" -O /dev/null

# Test
wget http://www.baidu.com/

Perfect!!!