“Wireshark is a popular network sniffer that provides a GUI to decode many protocols and to filter traffic. tcpdump is really useful, especially when you have no GUI (over a remote shell, for instance); it shares the capture-filter syntax with Wireshark.”
Basic
3 Sections "Packet List | Packet Details | Packet Bytes"
Packet List pane: every captured packet with its number, time, source, destination, protocol, length and a one-line info summary.
Right-click a packet for options; for an HTTP GET request, Follow > HTTP Stream shows the request and its response together as one conversation.
Packet Details pane: the decoded fields of the selected packet, one expandable section per protocol layer.
Right-click a field here for the same Follow options and for Apply as Filter / Prepare as Filter, which turns that field and value into a display filter.
Packet Bytes pane: the raw bytes of the selected packet as transmitted, shown in hexadecimal with the ASCII rendering alongside; selecting a field in the details pane highlights its bytes here.
Toolbar (left to right)
1st (Blue Fin) - Start capturing packets
2nd (Red Square) - Stop capturing
3rd (Green Fin) - Restart the current capture
4th (Settings) - Capture Options
5th (File Explorer) - Open a capture file
6th (File) - Save this capture file
7th (File Cross) - Close this capture file
8th (File Reload) - Reload this file
9th (Lens) - Find a packet (useful when the packet list is long)
10th (Left Arrow) - Go to the previous packet
11th (Right Arrow) - Go to the next packet
12th (Right Arrow with Lines) - Go to a packet by its number
13th (Up Arrow) - Go to the first packet
14th (Down Arrow) - Go to the last packet
15th (Lines Down) - Automatically scroll to the last packet during a live capture
16th (Colored Lines) - Colorize the packet list using the coloring rules
17th (Lens +) - Enlarge the main window text
18th (Lens -) - Shrink the main window text
19th (Lens =) - Return the main window text to its normal size
20th (Link Shrink) - Resize packet list columns to fit content
Modes " https://medium.com/@debookee/promiscuous-vs-monitoring-mode-d603601f5fa "
Promiscuous Mode - Wired + Wireless "Promiscuous mode makes the NIC hand every frame it receives up to the OS, including frames not addressed to our MAC address, instead of dropping them. Capturing other people's traffic without authorization can be illegal; only do it with permission."
eth0 - Switch - AP: on a switched network, promiscuous mode does not by itself show everything crossing the switch. The switch only sends your port the frames meant for you plus broadcast, multicast and unknown-unicast frames; to see other hosts' unicast traffic you need a SPAN/mirror port, a network tap, or an active technique such as MAC flooding or ARP poisoning (see Collection Methods). On Wi-Fi, promiscuous mode only covers the network you are associated with; to capture all 802.11 frames in the air (management frames, other networks) the adapter must support monitor mode.
Non-Promiscuous Mode - Wired + Wireless “Only captures frames addressed to our MAC address (plus broadcast and multicast).”
Expression “The Expression… button to the right of the display filter bar opens a dialog listing every dissector field and operator, for building more advanced filters. E.g.: http.request.method == "POST" (string comparison is case-sensitive and HTTP methods are uppercase, so "post" would match nothing).”
Wireshark Overview "The first screen when opening Wireshark is the start page, where we pick the interface(s) to capture on and can type a capture filter to narrow down the traffic we capture. Along with the quick per-packet summary, Wireshark color-codes packets using coloring rules keyed on protocol and on conditions (by default TCP is light purple, UDP light blue and problem TCP segments black with red text, for example) so that anomalies and protocols can be spotted quickly. The colors indicate a category, not a danger level. "
Live Packet Captures: On the start page the capture filter bar sits above the interface list; the bookmark icon at its left lists the saved filters and opens Manage Capture Filters, where you can view and edit them. A capture filter only reduces the number of packets written to the capture (it is applied before dissection and cannot be changed during a capture), which keeps large captures manageable.
Once you have chosen a capture filter (or none), start capturing on an interface by double-clicking it, or by right-clicking it and choosing Start Capture.
Collection Methods "Network Taps | MAC Floods | ARP Poisoning"
Before going into detail about how to analyze each protocol in a PCAP we need to understand the ways to gather a PCAP file.
Network Taps
Network taps are physical implants placed on a cable. They are used by Threat Hunting/DFIR teams and by red teams on an engagement to sniff and capture packets passively, without adding traffic of their own.
There are two primary means of tapping a wire. The first is hardware that pierces the cable and reads the signal as it passes, such as a vampire tap.
The other is an inline network tap, planted between (“inline” with) two network devices; it replicates frames as they pass through it. A common example is the Throwing Star LAN Tap.
MAC Floods
MAC flooding is a tactic commonly used by red teams to sniff packets actively. It stresses the switch by filling its CAM table with bogus source MAC addresses. Once the table is full the switch can no longer learn new addresses and, to keep the network alive, falls back to flooding unknown-unicast frames out of every port, so a sniffer on any port sees them. Port security (a limit on learned MACs per port) defeats it, and the burst of bogus MACs is easy to spot in a capture.
Note: This technique should be used with extreme caution and with explicit prior consent.
ARP Poisoning
ARP poisoning is another technique red teams use to sniff packets actively. By sending forged ARP replies you make hosts map the gateway's (or another host's) IP address to your MAC, which redirects their traffic through the machine you are monitoring from. It does not stress network equipment the way MAC flooding does, but it is still visible in a capture (one IP claimed by several MACs, which Wireshark's ARP expert info reports as a duplicate IP address) and should be used with caution and only if passive options like network taps are unavailable.
Filtering Captures “Capture Filter | Display Filter”
Filtering Operators (display filter syntax; the destination field is ip.dst, ip.dest is not a valid field)
and or &&: Logical AND - all conditions must match
or or ||: Logical OR - at least one condition must match
xor or ^^: Logical XOR - exactly one of the two conditions must match, not both
not or !: Negation - inverts a condition, e.g. !(ip.addr == 192.168.1.1); this is not the same as "not equal"
eq or ==: Equal, e.g. ip.dst == 192.168.1.1
ne or !=: Not equal, e.g. ip.dst != 192.168.1.1 (in Wireshark versions before 3.6, ip.addr != x could still match a packet whose other ip.addr value differs; !(ip.addr == x) is the safe form)
contains / matches: substring search in a field, literal (http.user_agent contains "curl") or regular expression (http.request.uri matches "(?i)login")
[n] / [i:j]: slice operator - selects bytes of a field, e.g. eth.src[0:3] == 00:50:56 matches the vendor prefix
Capture Filter: applied while capturing, before dissection, using BPF (libpcap/tcpdump) syntax such as host 192.168.1.1 and tcp port 80, or not arp. Packets that do not match are never written to the capture, so it saves disk and CPU but cannot be undone afterwards, and it cannot be changed without restarting the capture.
Display Filter: applied after capture (live or from a file) using Wireshark's own field syntax, such as http.request or ip.dst == 192.168.1.1 && tcp.port == 443. It only hides packets from the list, so it can be changed at any time without losing data. The two syntaxes are not interchangeable.
SYN flood lab (victim: Windows 10)
Initialize Wireshark: Wireshark main window > double-click the available network adapter (here, Ethernet) and leave the Wireshark window running.
Go back to Wireshark on the victim machine (Windows 10): hping3 on the attacker floods the victim with bulk SYN packets. The capture fills with SYN packets arriving far faster than the victim can answer them with SYN/ACKs; a large enough volume exhausts the victim's half-open connection resources and can leave the machine unresponsive. The display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 isolates the bare SYNs so their rate and sources can be checked.
Packet Dissection “Common Protocols | Packet Details”
Common Protocols in OSI Layers "How Wireshark uses OSI layers to break down packets and how to use these layers for analysis."
Layer | Role | Examples
Application | End user layer | HTTP, FTP, IRC, SSH, DNS
Presentation | Syntax layer | SSL, SSH, IMAP, FTP, MPEG, JPEG
Session | Synch & send to port | APIs, Sockets, WinSock
Transport | End-to-end connections | TCP, UDP
Network | Packets | IP, ICMP, IPSec, IGMP
Data Link | Frames | Ethernet, PPP, Switch, Bridge
Physical | Physical structure | Coax, Fiber, Wireless, Hubs, Repeaters
Packet Details "Double-click a packet in the list to open its details in a separate window (or read them in the details pane). The numbering below is the order of the sections in that pane, which is not the same as OSI layer numbers."
Frame (1st section) – capture metadata for this frame: arrival time, captured and on-the-wire length, interface, and the protocols found in it. It is not physical-layer data.
Ethernet (2nd section) – source and destination MAC addresses and the ethertype; Data Link layer of the OSI model.
Internet Protocol (3rd section) – source and destination IPv4 addresses, TTL and the next-protocol number; Network layer of the OSI model.
Protocol (4th section) – the transport protocol (TCP/UDP) with source and destination ports, and for TCP the sequence/acknowledgment numbers and flags; Transport layer of the OSI model.
Protocol Errors – still part of the transport section: Wireshark notes here (as expert info) TCP segments that had to be reassembled, retransmissions and out-of-order segments.
Application Protocol (5th section) – details of the application protocol being used such as HTTP, FTP, SMB, etc.; Application layer of the OSI model.
Application Data – an extension of that 5th section that shows the application-specific payload.
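The layers described above, as an added example (not code from the original notes): a small Python script that writes a classic pcap file from constructed frames, reads it back and dissects each frame into the same Frame / Ethernet / IP / TCP / data sections Wireshark's details pane shows. The frames, MAC and IP addresses are placeholders built inline; nothing here was captured, and the function names are my own choices.

```python
"""Write a minimal classic-pcap file from constructed frames, read it back and dissect
each frame into the layers Wireshark's details pane shows (Frame / Ethernet / IP / TCP /
data). Added example, not code from the original notes; the frames are built inline
(nothing was captured) and all addresses are placeholders."""
import struct

LINKTYPE_ETHERNET = 1
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

def pcap_bytes(frames, first_ts=1700000000):
    """Classic libpcap layout: 24-byte global header, then a 16-byte record header
    (ts_sec, ts_usec, captured length, original length) before every frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame) records; only little-endian microsecond pcap is handled."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def dissect(frame, ts=0.0):
    """One dict per layer, in the order of Wireshark's packet details pane.
    'frame' is capture metadata (time, length), not OSI layer 1 information."""
    layers = {"frame": {"time": ts, "length": len(frame)}}
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    layers["ethernet"] = {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}
    if ethertype != 0x0800:                       # only IPv4 is dissected here
        return layers
    vihl, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    ihl = (vihl & 0x0F) * 4
    layers["ip"] = {"src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)), "ttl": ttl, "proto": proto}
    if proto != 6:                                # only TCP is dissected here
        return layers
    off = 14 + ihl
    sport, dport, seq, ack, doff_flags = struct.unpack_from("!HHIIH", frame, off)
    layers["tcp"] = {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack,
                     "flags": [name for name, bit in TCP_FLAGS if doff_flags & bit]}
    payload = frame[off + (doff_flags >> 12) * 4: 14 + total_len]
    if payload:
        layers["data"] = payload                  # application data, e.g. an HTTP request
    return layers

def dissect_pcap(data):
    return [dissect(frame, ts) for ts, frame in read_pcap(data)]

def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed checksums (fine for dissection, not for sending)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_ip, dst_ip) + tcp
    return dst_mac + src_mac + b"\x08\x00" + ipv4

# Constructed three-packet exchange: a handshake plus a cleartext HTTP GET.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")
CLIENT_IP, SERVER_IP = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
SYN, ACK, PSH = 0x02, 0x10, 0x08
SAMPLE_PCAP = pcap_bytes([
    tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, SYN, seq=1000),
    tcp_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 40000, SYN | ACK, seq=5000, ack=1001),
    tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, PSH | ACK, seq=1001, ack=5001,
              payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
])

if __name__ == "__main__":
    for packet in dissect_pcap(SAMPLE_PCAP):
        print(packet)
```

Writing SAMPLE_PCAP to a file (open("sample.pcap", "wb").write(SAMPLE_PCAP)) gives a capture Wireshark opens directly, so the dict printed for each frame can be compared section by section with the details pane. Checksums are left at zero on purpose; Wireshark does not validate them by default, and the same shortcut is why captures of locally generated traffic often show "incorrect" checksums when checksum offload is on.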
Protocol Analysis “ARP | ICMP | TCP | DNS | HTTP | HTTPS”
ARP Traffic “Address Resolution Protocol is a Layer 2 protocol that maps IP addresses to MAC addresses.”
To identify packets "Request (1) | Reply (2)": ARP is one of the simpler protocols to analyze; all you need is to identify whether a packet is a request (who has X.X.X.X? tell Y.Y.Y.Y) or a reply (X.X.X.X is at MAC) and who sent it. arp.opcode == 1 and arp.opcode == 2 filter for each.
The message header contains one of two operation codes: Request (1) or Reply (2). Replies nobody asked for, or one IP answered by several different MACs, are the signs of ARP poisoning.
ICMP Traffic "Internet Control Message Protocol carries diagnostics and error reports between nodes on a network. It is most commonly seen with utilities like ping and traceroute. "
Packet Analysis "Type: 8 - Request | Type: 0 - Reply": type 8 is an echo request and type 0 an echo reply; other common types are 3 (destination unreachable) and 11 (time exceeded, which traceroute relies on). Types or codes that are altered or do not fit the traffic (an echo with a non-zero code, for example) are typically a sign of suspicious activity.
More details within the packet that are useful "Timestamp | Data": the data field of an ordinary ping is a fixed filler pattern of predictable size, so unusual content or large payloads can indicate ICMP tunnelling.
The timestamp is useful for identifying when the ping was sent and, in some cases, for spotting suspicious activity (pings at very regular intervals, for example).
TCP Traffic "Transmission Control Protocol handles the delivery of packets, including sequencing and error recovery. TCP packets typically need to be read as a whole conversation to tell a story, rather than one by one in the details pane. "
Example: an Nmap SYN scan of ports 80 and 443. A SYN answered with SYN/ACK means the port is open; a SYN answered with RST/ACK means it is closed (this is what the scan's RST/ACK reply tells us); a SYN with no answer at all is reported as filtered.
TCP gives useful insight into a network when analyzing, but it can also be hard to analyze because of the sheer number of packets it sends. This is where other tools like RSA NetWitness and NetworkMiner help to filter out and further analyze the captures.
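The ARP, ICMP and TCP reading rules above, plus the SYN flood lab, as one added example (not code from the original notes): Python that decodes the three header formats from raw bytes and applies the checks an analyst would make, namely one IP claimed by several MACs in ARP replies, echo packets with odd codes or oversized payloads, SYN probes paired with SYN/ACK or RST/ACK answers, and SYN counts per target. All packets and addresses are constructed inline, nothing was captured, and the 64-byte payload and 100-SYN thresholds are assumptions to tune per network.

```python
"""Classify ARP, ICMP and TCP headers the way an analyst reads them in Wireshark,
and apply two detections: ARP poisoning (one IP claimed by several MACs) and
SYN-scan / SYN-flood patterns. Added example, not code from the original notes;
every packet is constructed inline and all addresses are placeholders."""
import struct
from collections import Counter, defaultdict

ARP_OPCODES = {1: "request", 2: "reply"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request", 11: "time exceeded"}
SYN, RST, ACK = 0x02, 0x04, 0x10

def arp_packet(op, smac, sip, tmac, tip):
    """28-byte ARP body (Ethernet/IPv4) that follows ethertype 0x0806."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, smac, sip, tmac, tip)

def parse_arp(pkt):
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack_from("!HHBBH6s4s6s4s", pkt, 0)
    return {"op": ARP_OPCODES.get(op, f"unknown({op})"),
            "sender_mac": smac.hex(":"), "sender_ip": ".".join(map(str, sip)),
            "target_mac": tmac.hex(":"), "target_ip": ".".join(map(str, tip))}

def arp_conflicts(arp_pkts):
    """IPs claimed by more than one MAC in replies, the classic ARP-poisoning sign
    (Wireshark's ARP expert info reports the same condition as a duplicate IP address)."""
    claims = defaultdict(set)
    for p in map(parse_arp, arp_pkts):
        if p["op"] == "reply":
            claims[p["sender_ip"]].add(p["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def parse_icmp(pkt):
    """Type 8 = echo request, type 0 = echo reply; id/seq are what ping uses to pair them."""
    typ, code, _, ident, seq = struct.unpack_from("!BBHHH", pkt, 0)
    return {"type": typ, "code": code, "name": ICMP_TYPES.get(typ, f"type {typ}"),
            "id": ident, "seq": seq, "data": pkt[8:]}

def icmp_suspicious(pkt, max_echo_payload=64):
    """Heuristics (assumptions, not Wireshark rules): echo with a non-zero code is
    malformed, and an oversized echo payload is a common ICMP-tunnelling sign."""
    p, reasons = parse_icmp(pkt), []
    if p["type"] in (0, 8) and p["code"] != 0:
        reasons.append("echo with non-zero code")
    if p["type"] in (0, 8) and len(p["data"]) > max_echo_payload:
        reasons.append(f"echo payload {len(p['data'])} bytes")
    return reasons

def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header with zeroed checksum (fine for offline analysis)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

def tcp_flags(hdr):
    return struct.unpack_from("!H", hdr, 12)[0] & 0x1FF

def scan_results(packets):
    """packets: (src_ip, dst_ip, tcp_header) in capture order. Pair each SYN with the
    target's answer: SYN/ACK = open, RST/ACK = closed, no answer = filtered/dropped."""
    probes = {}
    for src, dst, hdr in packets:
        sport, dport = struct.unpack_from("!HH", hdr, 0)
        f = tcp_flags(hdr)
        if f == SYN:
            probes[(src, sport, dst, dport)] = "filtered"
        elif (dst, dport, src, sport) in probes:
            if f & RST:
                probes[(dst, dport, src, sport)] = "closed"
            elif f & (SYN | ACK) == SYN | ACK:
                probes[(dst, dport, src, sport)] = "open"
    return {(dst, dport): state for (_, _, dst, dport), state in probes.items()}

def syn_flood_targets(packets, threshold=100):
    """(dst_ip, dst_port) pairs receiving more bare SYNs than threshold (assumed; tune per
    network). A flood is many SYNs at one port, unlike a scan's one SYN per port."""
    syns = Counter((dst, struct.unpack_from("!HH", hdr, 0)[1])
                   for _, dst, hdr in packets if tcp_flags(hdr) == SYN)
    return {target: n for target, n in syns.items() if n > threshold}

# Constructed sample traffic (nothing here was captured).
GATEWAY_IP, VICTIM_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 5])
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = (bytes.fromhex(h) for h in ("0a0000000001", "0a0000000005", "0a00000000ff"))
SAMPLE_ARP = [
    arp_packet(1, VICTIM_MAC, VICTIM_IP, bytes(6), GATEWAY_IP),      # who has 10.0.0.1?
    arp_packet(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # legitimate reply
    arp_packet(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # spoofed reply
]
SAMPLE_ICMP = [struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + bytes(range(56)),   # ordinary ping
               struct.pack("!BBHHH", 8, 0, 0, 0x1234, 2) + b"A" * 1400]        # oversized
SCANNER, TARGET = "10.0.0.5", "10.0.0.80"
SAMPLE_SCAN = [
    (SCANNER, TARGET, tcp_header(40001, 80, SYN, seq=1)),
    (TARGET, SCANNER, tcp_header(80, 40001, SYN | ACK, seq=99, ack=2)),
    (SCANNER, TARGET, tcp_header(40002, 443, SYN, seq=1)),
    (TARGET, SCANNER, tcp_header(443, 40002, RST | ACK, ack=2)),
    (SCANNER, TARGET, tcp_header(40003, 8080, SYN, seq=1)),          # never answered
]
SAMPLE_FLOOD = [("10.0.0.%d" % (i % 250 + 1), TARGET, tcp_header(1024 + i, 80, SYN)) for i in range(500)]

if __name__ == "__main__":
    print(arp_conflicts(SAMPLE_ARP), scan_results(SAMPLE_SCAN), syn_flood_targets(SAMPLE_FLOOD))
```

The scan pairing keys on the full 4-tuple (scanner address and port, target address and port) so that answers are matched to the probe that caused them rather than to any SYN for the same port; the flood counter deliberately ignores answers, because during a flood the SYN/ACKs are what the victim cannot keep up with.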
DNS Traffic "Domain Name System protocol is used to resolve names to IP addresses. Each query should be answered by the expected resolver with a matching transaction ID; a response with no matching query, queries going to an unexpected server, an unusual volume of queries, or odd names and record types (very long subdomains, heavy TXT use) should be looked at further and considered suspicious. "
HTTP Traffic "Hypertext Transfer Protocol is the cleartext protocol of the world wide web; it sends GET and POST requests to a web server in order to receive things like webpages. We can identify some very important information like the host, user-agent, requested URI, the response status, and any credentials or cookies sent in the clear. "
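The Follow > HTTP Stream view and the fields listed above, as an added example (not code from the original notes): Python that rebuilds a request from its TCP segments (out of order, with a retransmission and an overlap, the cases Wireshark's reassembly handles) and then extracts method, URI, Host, User-Agent, status and body. The login request, the redirect response, the host name and the sequence numbers are all constructed placeholders.

```python
"""Rebuild an HTTP exchange from its TCP segments and extract what an analyst looks
at first: method, URI, Host, User-Agent, status and body. Added example, not code from
the original notes; the segments are constructed inline and the names are placeholders."""

def reassemble(segments):
    """segments: (seq, payload) in capture order, possibly out of order, duplicated or
    overlapping; this is what Wireshark's Follow TCP Stream does before showing text.
    A gap in sequence numbers is joined silently here (Wireshark would flag it as
    'Previous segment not captured')."""
    stream, expected = b"", None
    for seq, payload in sorted(segments):
        end = seq + len(payload)
        if expected is not None and end <= expected:
            continue                                  # pure retransmission, already have it
        if expected is not None and seq < expected:
            payload = payload[expected - seq:]        # partial overlap: keep the unseen tail
        stream += payload
        expected = end
    return stream

def _headers(lines):
    out = {}
    for line in lines:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def parse_http_request(stream):
    head, _, body = stream.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers = _headers(header_lines)
    return {"method": method, "uri": uri, "version": version,
            "host": headers.get("host"), "user_agent": headers.get("user-agent"),
            "headers": headers, "body": body}

def parse_http_response(stream):
    head, _, body = stream.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    version, status, reason = status_line.split(" ", 2)
    return {"version": version, "status": int(status), "reason": reason,
            "headers": _headers(header_lines), "body": body}

# Constructed exchange: a cleartext login POST and the server's redirect.
REQUEST = (b"POST /login HTTP/1.1\r\nHost: intranet.example.test\r\n"
           b"User-Agent: python-requests/2.31\r\nContent-Length: 31\r\n\r\n"
           b"username=alice&password=hunter2")
RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: /home\r\n"
            b"Set-Cookie: session=abc123; HttpOnly\r\nContent-Length: 0\r\n\r\n")
# Client segments as they might appear in a capture: out of order, with a retransmission
# of the first one and an overlapping copy straddling the second.
SEGMENTS = [(1090, REQUEST[90:]), (1000, REQUEST[:40]), (1040, REQUEST[40:90]),
            (1000, REQUEST[:40]), (1030, REQUEST[30:100])]

if __name__ == "__main__":
    print(parse_http_request(reassemble(SEGMENTS)))
    print(parse_http_response(RESPONSE))
```

The body of the reassembled request is exactly the credential pair an attacker on the path (or anyone with the capture) would read, which is the point of the http.request.method == "POST" filter mentioned earlier: POST bodies are where forms, tokens and passwords travel when a site is not using HTTPS.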
HTTPS Traffic “Hypertext Transfer Protocol Secure is HTTP inside a TLS session, so the capture shows only the TLS handshake (client hello with the server name, server certificate) and encrypted application records; the request and response themselves are not readable. To analyze the HTTP inside it, Wireshark needs key material: either the server's RSA private key (only works for RSA key exchange, not for the ephemeral Diffie-Hellman ciphers modern TLS uses) or the per-session secrets written by the client when the SSLKEYLOGFILE environment variable is set (browsers and curl support it), loaded under Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename.”
tcpdump: the command-line counterpart. It uses the same BPF syntax as Wireshark capture filters, and a capture written with its -w option opens directly in Wireshark for display filtering and dissection.