🔬 Tshark, ARP, WiFi
Lab 1
Tshark usage
📌 Running Tshark version is 2.6.1
These are all supported network interfaces for monitoring
Sniff some traffic on eth0
📌 The student user doesn't have permission to capture on the eth0 interface
Display the packet list of the .pcap file
Count the number of lines of the .pcap file to find the total number of packets
Read the first 100 packets from the .pcap file
List the Protocol Hierarchy Statistics from the .pcap file
Lab 2
Tshark usage and filtering
Filtering
Show the HTTP traffic from a .pcap file
Show only the IP packets sent from IP address 192.168.252.128 to IP address 52.32.74.91
Print only packets containing GET requests
Print only packets with frame time, source IP and URL for all GET requests
Print packets containing a string
📌 4 HTTP packets contain the password string
Check the destination IP for GET requests sent to www.nytimes.com
📌 170.149.159.130 is the destination IP of www.nytimes.com
Check the session ID used by 192.168.252.128 for amazon.in
📌 278-7381968-4337153 is the session ID
Find the OS type on the machine with IP 192.168.252.128
Use the User_agent string to find the specific distribution
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
📌 The OS is Linux x86_64; rv:31.0
- user-agents.net
Lab 3 - ARP Poisoning
🔬 INE Platform Lab
ARP Poisoning attack on a telnet server
The client machine authenticates with the telnet server every 30 sec
Find the telnet login credentials
Tools: arpspoof & Wireshark
Monitor the traffic on the eth1 interface of the Kali Attacker machine.
Enumeration
ARP Poisoning Attack
To see traffic of other machines, configure Kali Attacker VM to forward IP packets
Start the ARP poisoning attack with the arpspoof tool
Open Wireshark and start capturing eth1 traffic
Apply the telnet filter
Follow the TCP stream and find the telnet credentials
Stop the capture and the arpspoof tool
📌 Telnet credentials are admin:MyS3cr3tP455
Lab 4 - WiFi Traffic Analysis
🔬 WiFi Security: Traffic Analysis I
WiFi basic traffic analysis with Wireshark
Find the name of the Open SSID in the packet dump, using the filter
Beacon frame = 0x0008
Wlan tag 48 = RSN-IE (Robust Security Network Information Element)
Find the channel on which Home_Network is operating
Find which security mechanism the LazyArtists SSID has
Check the WPS setup for the Amazon Wood SSID
📌 WPS is enabled
Count the packets of the device with MAC e8:de:27:16:87:18
wlan.ta = transmitted
wlan.ra = received
Find a specific MAC address which exchanges data with the SecurityTube_Open SSID
SecurityTube_Open is hosted on BSSID e8:de:27:16:87:18
Find the TSF timestamp of the Association Response sent from the SecurityTube_Open access point to a station
Lab 5 - WiFi Traffic Filtering
Tshark usage and filtering
Show only WiFi traffic
Show only the deauthentication packets
Every management frame in WiFi can be classified under a type and subtype
wlan.fc.type_subtype == 0x000c - AP sends deauthentication frames
Show only the WPA handshake packets
EAPoL (Extensible Authentication Protocol over LAN) is used for the WPA handshake
Show only SSID and BSSID values of all beacon frames
Check the BSSID of the LazyArtists SSID
📌 LazyArtists BSSID is fc:b0:c4:91:71:e0.
Show the channel on which Home_Network operates
📌 Home_Network operating channel is 6.
Show the two devices that received the deauth messages
📌 The MAC addresses of the two devices are 6c:19:8f:5f:81:74 and bc:ae:c5:c3:5e:01.
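Going one step beyond the task above, as an added example that is not part of the original lab notes: counting deauthentication frames per receiver address and flagging receivers at or above a threshold, which is how a defender would spot a deauth burst in a capture. The display filter and the wlan.ta / wlan.ra fields are the ones used in this lab; the function names, the threshold and the sample MAC addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original lab notes).
# Function names and sample MAC addresses are constructed for illustration.

# Print "transmitter<TAB>receiver" for every deauthentication frame in a capture.
deauth_fields() {
    tshark -r "$1" -Y 'wlan.fc.type_subtype == 0x000c' \
        -T fields -e wlan.ta -e wlan.ra
}

# Read ta<TAB>ra lines on stdin; print "<count> <receiver>", highest count first.
# Lines with an empty receiver field are skipped.
deauth_receivers() {
    awk -F'\t' 'NF >= 2 && $2 != "" { n[$2]++ }
                END { for (m in n) print n[m], m }' | sort -k1,1nr -k2,2
}

# Print only receivers that got at least $1 deauth frames. The threshold is an
# assumption to tune per network; a burst at one client or at broadcast stands out.
deauth_flagged() {
    deauth_receivers | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample of deauth_fields output: one AP, two clients, broadcast,
# and one line with a blank receiver field.
sample_deauth() {
    printf '%s\t%s\n' \
        02:00:00:00:00:aa 02:00:00:00:00:01 \
        02:00:00:00:00:aa ff:ff:ff:ff:ff:ff \
        02:00:00:00:00:aa 02:00:00:00:00:01 \
        02:00:00:00:00:aa 02:00:00:00:00:02 \
        02:00:00:00:00:aa '' \
        02:00:00:00:00:aa ff:ff:ff:ff:ff:ff \
        02:00:00:00:00:aa 02:00:00:00:00:01
}

# With a readable capture as $1, analyse it; otherwise run on the constructed sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    deauth_fields "$1" | deauth_receivers
else
    sample_deauth | deauth_receivers
fi
```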
Check vendor and model of the device with MAC 5c:51:88:31:a0:3b
📌 The device is a Motorola MotoG3.