🔬Tshark, ARP, WiFi
Tshark usage
📌 Running Tshark version is 2.6.1
These are all supported network interfaces for monitoring
Sniff some traffic on eth0
📌 The student user does not have permission to capture on the eth0 interface
Display the packet list of the .pcap file
Count the number of lines in the .pcap file listing to find the total number of packets
Read the first 100 packets from the .pcap file
List the Protocol Hierarchy Statistics from the .pcap file
Tshark usage and filtering
Show the HTTP traffic from a .pcap file
Show only the IP packets sent from IP address 192.168.252.128 to IP address 52.32.74.91
Print only packets containing GET requests
Print only packets with frame time, source IP and URL for all GET requests
Print packets containing a string
📌 4 HTTP packets contain the password string
Check the destination IP for GET requests sent to www.nytimes.com
📌 170.149.159.130 is the destination IP of www.nytimes.com
Check the session ID used by 192.168.252.128 for amazon.in
📌 278-7381968-4337153 is the session ID
Find the OS type on the machine with IP 192.168.252.128
Use the User-Agent string to find the specific distribution
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
📌 The OS is Linux x86_64; rv:31.0 - user-agents.net
🔬 INE Platform Lab
ARP Poisoning attack against a telnet server: the client machine authenticates with the telnet server every 30 sec. Find the telnet login credentials.
Tools: arpspoof & Wireshark
Monitor the traffic on the eth1 interface of the Kali Attacker machine.
To see traffic of other machines, configure Kali Attacker VM to forward IP packets
Start the ARP poisoning attack with the arpspoof tool
Open Wireshark and start capturing eth1 traffic
Apply the telnet filter
Follow the TCP stream and find the telnet credentials
Stop the capture and the arpspoof tool
📌 Telnet credentials are admin:MyS3cr3tP455
🔬 WiFi Security: Traffic Analysis I
WiFi basic traffic analysis with Wireshark
Find the name of the Open SSID in the packet dump, using the filter: Beacon frame = 0x0008; Wlan tag 48 = RSN-IE (Robust Security Network Information Element)
Find the channel Home_Network is operating on
Find which security mechanism the LazyArtists SSID uses
Check the WPS setup for the Amazon Wood SSID
📌 WPS is enabled
Count the packets of the device with MAC e8:de:27:16:87:18
wlan.ta = transmitter address (frames sent by the device)
wlan.ra = receiver address (frames received by the device)
Find a specific MAC address which exchanges data with the SecurityTube_Open SSID
SecurityTube_Open is hosted on BSSID e8:de:27:16:87:18
Find the TSF timestamp of the Association Response sent from the SecurityTube_Open access point to a station
Tshark usage and filtering
Show only WiFi traffic
Show only the deauthentication packets
Every management frame in WiFi can be classified under a type and subtype
wlan.fc.type_subtype == 0x000c - deauthentication frames, which the AP sends
Show only the WPA handshake packets
EAPoL (Extensible Authentication Protocol over LAN) is used for the WPA handshake
Show only SSID and BSSID values of all beacon frames
Check the BSSID of the LazyArtists SSID
📌 LazyArtists BSSID is fc:b0:c4:91:71:e0.
Show the channel on which Home_Network operates
📌 Home_Network operating channel is 6.
Show the two devices that received the deauth messages
📌 The MAC addresses of the two devices are 6c:19:8f:5f:81:74 and bc:ae:c5:c3:5e:01.
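To work the beacon SSID/BSSID, deauth-receiver and per-MAC checks above over a whole dump instead of clicking through Wireshark, here is an added Python example (not from the INE lab or the tshark project) that summarises tshark -T fields output. The sample lines are constructed, with wlan.fc.type_subtype assumed to be printed in the 0x-prefixed hex form used in the filters above.

```python
from collections import Counter, defaultdict

# 802.11 management subtypes as they appear in wlan.fc.type_subtype
BEACON = 0x0008   # beacon frame (carries the SSID and BSSID)
DEAUTH = 0x000c   # deauthentication frame

# Constructed sample of tshark "-T fields -E separator=/t" output, NOT from the lab pcap.
# Columns: wlan.fc.type_subtype, wlan.ta, wlan.ra, wlan.bssid, wlan.ssid
SAMPLE = "\n".join([
    "0x0008\tfc:b0:c4:91:71:e0\tff:ff:ff:ff:ff:ff\tfc:b0:c4:91:71:e0\tLazyArtists",
    "0x0008\te8:de:27:16:87:18\tff:ff:ff:ff:ff:ff\te8:de:27:16:87:18\tSecurityTube_Open",
    "0x000c\te8:de:27:16:87:18\t6c:19:8f:5f:81:74\te8:de:27:16:87:18\t",
    "0x000c\te8:de:27:16:87:18\tbc:ae:c5:c3:5e:01\te8:de:27:16:87:18\t",
    "0x0028\t6c:19:8f:5f:81:74\te8:de:27:16:87:18\te8:de:27:16:87:18\t",  # QoS Data
])

def parse_fields(text):
    """Turn tab-separated tshark field lines into dicts; subtype is parsed as hex."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        subtype, ta, ra, bssid, ssid = (line.split("\t") + [""] * 5)[:5]
        records.append({"subtype": int(subtype, 16), "ta": ta, "ra": ra,
                        "bssid": bssid, "ssid": ssid})
    return records

def beacon_ssids(records):
    """Map each advertised SSID to the sorted list of BSSIDs beaconing it."""
    seen = defaultdict(set)
    for r in records:
        if r["subtype"] == BEACON and r["ssid"]:
            seen[r["ssid"]].add(r["bssid"])
    return {ssid: sorted(b) for ssid, b in sorted(seen.items())}

def deauth_receivers(records):
    """Stations addressed by deauthentication frames, with a count for each."""
    return dict(Counter(r["ra"] for r in records if r["subtype"] == DEAUTH))

def frames_by_mac(records, mac):
    """Count frames a MAC transmitted (wlan.ta) and received (wlan.ra)."""
    mac = mac.lower()
    return {"transmitted": sum(r["ta"] == mac for r in records),
            "received": sum(r["ra"] == mac for r in records)}

if __name__ == "__main__":
    recs = parse_fields(SAMPLE)
    print(beacon_ssids(recs))
    print(deauth_receivers(recs))
    print(frames_by_mac(recs, "e8:de:27:16:87:18"))
```

To use it on a real dump, run tshark -r capture.pcap -T fields -E separator=/t -e wlan.fc.type_subtype -e wlan.ta -e wlan.ra -e wlan.bssid -e wlan.ssid and pass the output to parse_fields.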
Check vendor and model of the device with MAC 5c:51:88:31:a0:3b
📌 The device is a Motorola MotoG3.