Wireshark

Network sniffer, inspect network traffic. The secret to using network sniffers such as wireshark is using capture and display filters to remove all information that you are not interested in.

(TO CONFIRM) Capture all traffic with DD-WRT – a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems.

Start Wireshark

Kali Linux

sudo wireshark

Mac OS X

sudo chgrp admin /dev/bpf*
sudo chmod g+rw /dev/bpf*
sudo chown <your username>:admin /dev/bpf*
ls -l /dev/bpf*

Promiscuous Mode

Network interface will send all packets to CPU for processing and not discard packets that are not addressed to this interface.

  • Click on Capture -> Options
  • Select Enable promiscuous mode on all interfaces

Capture Filters

Capture traffic matching the filters. Other traffic is discarded. Once the traffic is captured, we can select the traffic we want Wireshark to display to us using display filters.

Syntax

For predefined capture filters, click on Capture -> Capture filters.

[not] primitive [and|or [not] primitive ...]
DescriptionCapture Filter
No broadcast and no multicastnot broadcast and not multicast
No ARPnot arp
IPv4 onlyip
TCP onlytcp
UDP onlyudp
HTTP TCP port 80tcp port http
Capture traffic from or to hosthost x.x.x.x
Capture traffic on address rangenet x.x.x.0/24
Capture traffic from hostsrc host x.x.x.x
Capture traffic to hostdst host x.x.x.x
Capture traffic from port 80port 80
Capture Filters

Display Filters

For predefined display filters, click on Analyze -> Display filters.

DescriptionDisplay Filter
Match sourceip.src == x.x.x.x
Match destinationip.dst == x.x.x.x
Match either ip.addr == x.x.x.x
HTTP contains “GET”http2
http2.headers.method == “GET”
http2.headers.path == “/pub/css/styles.css”
http2.headers.set_cookie
http2.data.data && http2 contains username
Match porttcp.port == 80
Display Filters

Search within the Info column

Click on Edit > Find Packet.
Select "Packet details"
Uncheck "Case sensitive"
Select "String"
Type the string to search and click Search

Detect ARP Cache Poisoning Attacks

2 MAC addresses should not claim to have the same IP address in the Info column.

arp.duplicate-address-frame

Following TCP Streams

All packets after 10 are a bit difficult to comprehend, because they contain only fragmentary information. Most modern sniffers, Wireshark included, know how to reassemble a specific session, and display it in various formats.

In order to view a particular TCP stream and reassemble the session, we right-click a packet of interest, then select “Follow TCP Stream” from the context menu. The TCP Stream will open a new window.

HTTP/2 Decryption and Analysis in Wireshark

Traffic analysis and decryption
Chrome: Store SSL Keys / Developer tools
Curl: Store Keys / automation

URL="https://127.0.0.1:4433/"

SSLKEYLOGFILE=~/SSL_KEYS.txt curl -kia $URL
SSLKEYLOGFILE can be used with Wireshark to decrypt and view HTTP2 with SSL
Curl can be scripted to automate interaction with HTTP2 enabled web interfaces

# Storing SSL keys via Chrome (on windows)
# Chrome allows better interaction with HTTP2 enabled sites and also can be used to store SSL keys
# Keys can then be used with Wireshark
path_to_chrome/chrome -incognito --ssl-key-log-file="SSL_KEYS.txt" --new-window $URL


1- Start Wireshark and start capture
2- Open Chrome with ssl-key command
3- Look at SSL_KEYS.txt. Should contain keys.
4- Log into forms, generate some traffic.
5- In Wireshark, Edit/Preferences/Protocols/SSL, under Pre-master secret log file, choose SSL_KEYS.txt
Note that the Follow TCP Stream will still show encrypted traffic
6- Type display filter "http2"
Other userful filters:
http2
http2.headers.method == "GET"
http2.headers.path == "/pub/css/styles.css"
http2.headers.set_cookie
http2.data.data && http2 contains username

#---

# Store SSL keys with Firefox or Chrome, set env variable SSLKEYLOGFILE
export SSLKEYLOGFILE=/root/Downloads/sslkeylog.log

# Open Wireshark and start capture
# Start Firefox, it will log your TLS keys to this file (SSLKEYLOGFILE)

Suspicious Traffic

Attack types that can come from the network:
Malware, DOS/DDOS, Man-in-the-middle (MITM), Scanning, Brute-Force, Application

Normal Traffic:
- Known IP address
- Standard port numbers: Be sure of the applications that run over the network,
and verify that these are the only port numbers that you see.
- Normal TCP patterns, e.g. 3-way handshake
- Variable bandwidth
- Small amount of broadcasts
- Standard DNS query

Suspicious Traffic:
- Unknown IP address
- Unusual port numbers
- Unusual TCP patterns:
- E.g. Large amount of SYN packets that go to a single host or come from multiple sources
- E.g. Unusual flag combinations like RESET, FIN, URG and so on
- Fixed bandwidth (or normal for videos... check what it is)
- Huge amount of broadcasts, e.g. thousands of broadcasts per second
- Massive amount of DNS queries

NOTE on root user

Wireshark should never be run as root, create a separate user
It’s very unsecure running Wireshark as admin user as every possible Wireshark exploit will be running with the administrator account being able to compromise the whole system.

https://wiki.wireshark.org/CaptureSetup/CapturePrivileges

# Wireshark has implemented Privilege Separation which means that the Wireshark GUI
# (or the tshark CLI) can run as a normal user while the dumpcap capture utility
# runs as root. This can be achieved by installing dumpcap setuid root. The
# advantage of this solution is that while dumpcap is run as root the vast majority
# of Wireshark's code is run as a normal user (where it can do much less damage).

# In a terminal
sudo usermod -a -G wireshark wireshark

# Setting network privileges for dumpcap if your kernel and file system
# support file capabilities
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

# Setting network privileges for dumpcap if your kernel and file
# system don't support file capabilities
chown root /usr/bin/dumpcap
chmod u+s /usr/bin/dumpcap

# Limiting capture permission to only one group
1. Create user "wireshark" in group "wireshark".
adduser --home /wireshark wireshark
chgrp wireshark /usr/bin/dumpcap
chmod o-rx /usr/bin/dumpcap

# Ensure Wireshark works only from root and from a user in the "wireshark" group
Log as wireshark user