
🔬 Tshark, ARP, WiFi

Lab 1

🔬 Getting Started: Tshark

  • Tshark usage

tshark -v
TShark (Wireshark) 2.6.1 (Git v2.6.1 packaged as 2.6.1-0ubuntu2~16.04.0)

📌 Running Tshark version is 2.6.1

  • List all network interfaces available for capturing

tshark -D
  • Sniff some traffic on eth0

tshark -i eth0

📌 The student user doesn't have permission to capture on the eth0 interface

  • Display the packet list of the .pcap file

tshark -r HTTP_traffic.pcap
  • Count the lines of that output to find the total number of packets

  • Read only the first 100 packets from the .pcap file

  • List the Protocol Hierarchy Statistics from the .pcap file

tshark -r HTTP_traffic.pcap -z io,phs -q

Lab 2

🔬 Filtering Basics: HTTP

  • Tshark usage and filtering

Filtering

  • Show the HTTP traffic from a .pcap file

tshark -r HTTP_traffic.pcap -Y 'http'
  • Show only the IP packets sent from IP address 192.168.252.128 to IP address 52.32.74.91

tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && ip.dst==52.32.74.91"
  • Print only packets containing GET requests

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"
  • Print only packets with frame time, source IP and URL for all GET requests

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri
  • Print packets containing a string

tshark -r HTTP_traffic.pcap -Y "http contains password"

📌 4 HTTP packets contain the password string

  • Check the destination IP for GET requests sent to www.nytimes.com

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET && http.host==www.nytimes.com" -Tfields -e ip.dst

📌 170.149.159.130 is the destination IP of www.nytimes.com

  • Check the session ID used by 192.168.252.128 for amazon.in

tshark -r HTTP_traffic.pcap -Y "ip contains amazon.in && ip.src==192.168.252.128" -Tfields -e ip.src -e http.cookie

📌 278-7381968-4337153 is the session ID

  • Find the OS type on the machine with IP 192.168.252.128

tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && http" -Tfields -e http.user_agent
  • Use the User-Agent string to find the specific distribution

Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0

📌 The OS is Linux x86_64; rv:31.0 (checked against user-agents.net)
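The filters above answer one question each; once a few fields are exported with -Tfields, the same questions can be answered over the whole capture in one pass. The script below is an added example, not code from the original notes. It assumes the fields were exported in this order with tshark's default tab separator (a variant of the lab's commands, using the http.request filter):

tshark -r HTTP_traffic.pcap -Y "http.request" -Tfields -e frame.time -e ip.src -e ip.dst -e http.host -e http.request.method -e http.request.full_uri -e http.user_agent

SAMPLE_OUTPUT is constructed to look like that export; its hosts, addresses and times are made up. The credential check is the post-processing form of the lab's `http contains password` filter: a password in a plain-HTTP URL is readable by anyone on the path.

```python
"""Post-process `tshark -Tfields` output from the HTTP filtering lab.

Added example (not part of the original notes). Field order and the
tab separator are assumptions; SAMPLE_OUTPUT is constructed data.
"""
from collections import Counter
import re

SAMPLE_OUTPUT = """\
Jan  1, 2024 10:00:01.000000000 UTC\t192.168.252.128\t203.0.113.10\twww.example.com\tGET\thttp://www.example.com/\tMozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Jan  1, 2024 10:00:02.000000000 UTC\t192.168.252.128\t203.0.113.10\twww.example.com\tGET\thttp://www.example.com/login?user=bob&password=hunter2\tMozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Jan  1, 2024 10:00:03.000000000 UTC\t192.168.252.128\t203.0.113.20\tshop.example.net\tPOST\thttp://shop.example.net/cart\tMozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Jan  1, 2024 10:00:04.000000000 UTC\t192.168.252.128\t203.0.113.20\tshop.example.net\tGET\thttp://shop.example.net/search?q=router\tMozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
"""

# Order of the -e fields in the assumed export command
FIELDS = ["frame_time", "ip_src", "ip_dst", "host", "method", "uri", "user_agent"]

def parse_fields_output(text):
    """Split tab-separated tshark output into dicts keyed by field name.
    tshark leaves absent fields blank, so short rows are padded."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def get_requests(rows):
    return [r for r in rows if r["method"] == "GET"]

def destinations_for_host(rows, host):
    """The ip.dst values seen for GET requests to a given http.host."""
    return sorted({r["ip_dst"] for r in get_requests(rows) if r["host"] == host})

# Query-string keys that usually carry a credential
CREDENTIAL_KEYS = re.compile(r"(?i)(pass(word|wd)?|pwd|secret|token)=")

def cleartext_credential_requests(rows):
    """Requests whose URL carries a credential-looking parameter over plain HTTP."""
    return [r for r in rows if CREDENTIAL_KEYS.search(r["uri"])]

def os_from_user_agent(ua):
    """Return the platform token (the first parenthesised part) of a UA string."""
    m = re.search(r"\(([^)]*)\)", ua)
    return m.group(1) if m else ""

def summarize(text):
    """One-pass report over the exported rows."""
    rows = parse_fields_output(text)
    return {
        "requests": len(rows),
        "get_requests": len(get_requests(rows)),
        "hosts": Counter(r["host"] for r in rows),
        "cleartext_credentials": [r["uri"] for r in cleartext_credential_requests(rows)],
        "platforms": sorted({os_from_user_agent(r["user_agent"]) for r in rows}),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

To run it against a real export, pipe the tshark command above into a file and pass the file's contents to summarize(); the field list in FIELDS must match the -e order exactly.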


Lab 3 - ARP Poisoning

🔬 INE Platform Lab

  • ARP poisoning attack against a telnet server

    • The client machine authenticates with the telnet server every 30 seconds

  • Find the telnet login credentials

  • Tools: arpspoof & Wireshark

  • Monitor the traffic on eth1 interface of the Kali Attacker machine.

Enumeration

nmap 10.100.13.0/24

ARP Poisoning Attack

  • To see the traffic of other machines, configure the Kali attacker VM to forward IP packets

  • Open Wireshark and start capturing traffic on eth1

    • Apply the telnet filter

  • Follow the TCP stream and find the telnet credentials

    • Stop the capture and the arpspoof tool

📌 Telnet credentials are admin:MyS3cr3tP455
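The attack works because the client's ARP table is rewritten by unsolicited replies, so the defender's view is the mirror image: watch ARP replies and alert when an IP address starts answering from a different MAC. The script below is an added example, not part of the lab. It parses raw Ethernet/ARP frames (the bytes Wireshark would show) and keeps an arpwatch-style IP-to-MAC table. SAMPLE_FRAMES is constructed for this example; the MACs are made up and the 10.100.13.x addresses only borrow the lab's subnet.

```python
"""Detect ARP poisoning from ARP replies in a capture.

Added example, not from the original lab. Frames in SAMPLE_FRAMES are
constructed here; MAC addresses are invented.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return a dict for an Ethernet-encapsulated IPv4 ARP packet, else None.
    Layout: 14-byte Ethernet header, then 28 bytes of ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    body = frame[22:42]
    return {
        "op": oper,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble a constructed ARP frame for the sample capture below."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda ip: bytes(int(o) for o in ip.split("."))
    eth = to_mac(target_mac) + to_mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += to_mac(sender_mac) + to_ip(sender_ip) + to_mac(target_mac) + to_ip(target_ip)
    return eth + arp

class ArpMonitor:
    """Remember which MAC first answered for each IP; report when it changes."""
    def __init__(self):
        self.table = {}      # ip -> mac first seen in a reply
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            alert = f"{ip} moved from {known} to {mac}: possible ARP poisoning"
            self.alerts.append(alert)
            return alert
        return None

# Constructed sample: gateway and client answer normally, then a third MAC
# claims the gateway's IP, which is what poisoning looks like on the wire.
GATEWAY_MAC = "00:11:22:33:44:01"
CLIENT_MAC = "00:11:22:33:44:02"
ROGUE_MAC = "00:11:22:33:44:99"
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, GATEWAY_MAC, "10.100.13.1", CLIENT_MAC, "10.100.13.50"),
    build_arp(ARP_REPLY, CLIENT_MAC, "10.100.13.50", GATEWAY_MAC, "10.100.13.1"),
    build_arp(ARP_REPLY, ROGUE_MAC, "10.100.13.1", CLIENT_MAC, "10.100.13.50"),
]

def scan(frames):
    """Feed every frame to a fresh monitor and return the alerts raised."""
    mon = ArpMonitor()
    for f in frames:
        mon.observe(f)
    return mon.alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_FRAMES):
        print(a)
```

A real deployment would seed the table from a known-good inventory (or DHCP leases) rather than trusting the first reply seen, since the first reply may itself be the spoofed one.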


Lab 4 - WiFi Traffic Analysis

🔬 WiFi Security: Traffic Analysis I

  • WiFi basic traffic analysis with Wireshark

  • Find the name of the open SSID in the packet dump, using these filters

    • Beacon frame: wlan.fc.type_subtype = 0x0008

    • WLAN tag number 48 = RSN IE (Robust Security Network Information Element); an open network's beacons carry no RSN IE

📌 The name of the open SSID is SecurityTube_Open

  • Find the channel on which Home_Network is operating

📌 Home_Network operates on channel 6

  • Find which security mechanism the LazyArtists SSID uses

📌 LazyArtists configured security is WPA2-PSK

  • Check the WPS setup for the Amazon Wood SSID

📌 WPS is enabled

  • Count the packets of the device with MAC e8:de:27:16:87:18

    • wlan.ta = transmitter address (packets sent by the device)

    • wlan.ra = receiver address (packets sent to the device)

📌 The total number of packets is 5701

  • Find a specific MAC address that exchanges data with the SecurityTube_Open SSID

    • SecurityTube_Open is hosted on BSSID e8:de:27:16:87:18

📌 The MAC address is 5c:51:88:31:a0:3b

  • Find TSF timestamp of the Association Response sent from the SecurityTube_Open access point to a station

📌 The TSF timestamp is 115152625


Lab 5 - WiFi Traffic Filtering

🔬 Filtering Advanced: WiFi

  • Tshark usage and filtering

  • Show only WiFi traffic

tshark -r WiFi_traffic.pcap -Y "wlan" | more
  • Show only the deauthentication packets

    • Every management frame in WiFi can be classified by a type and a subtype, carried in the frame control field

    • wlan.fc.type_subtype == 0x000c matches deauthentication frames (sent by the AP)

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c"
  • Show only the WPA handshake packets

    • EAPOL (Extensible Authentication Protocol over LAN) carries the WPA 4-way handshake

tshark -r WiFi_traffic.pcap -Y "eapol"
  • Show only SSID and BSSID values of all beacon frames

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid
  • Check the BSSID of LazyArtists SSID

tshark -r WiFi_traffic.pcap -Y "wlan.ssid==LazyArtists" -Tfields -e wlan.bssid

📌 LazyArtists BSSID is fc:b0:c4:91:71:e0.

  • Show the channel on which Home_Network operates

tshark -r WiFi_traffic.pcap -Y "wlan.ssid==Home_Network" -Tfields -e wlan_radio.channel

📌 Home_Network operating channel is 6.

  • Show the two devices that received the deauth messages

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra

📌 The MAC addresses of the two devices are 6c:19:8f:5f:81:74 and bc:ae:c5:c3:5e:01.

  • Check vendor and model of the device with MAC 5c:51:88:31:a0:3b

tshark -r WiFi_traffic.pcap -Y "wlan.ta==5c:51:88:31:a0:3b && http" -Tfields -e http.user_agent

📌 The device is a Motorola MotoG3.
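The filters in Lab 4 and Lab 5 all key off the same few header fields, so it is worth seeing where they come from in the raw frame. The parser below is an added example, not code from the lab or from Wireshark. It decodes the frame control byte into the value Wireshark exposes as wlan.fc.type_subtype (type << 4 | subtype, so a beacon is 0x08 and a deauthentication is 0x0c), reads wlan.ra / wlan.ta / the BSSID, and for beacons extracts the SSID (tag 0), whether an RSN IE (tag 48) is present, and whether a WPS vendor IE (tag 221 with OUI 00:50:f2 type 4) is present. The frames in SAMPLE_FRAMES are constructed here: the SSIDs and MACs reuse the lab's values, but the bytes are not from the lab pcap, and any radiotap header is assumed to have been stripped already.

```python
"""Minimal 802.11 management-frame parser (added example, not from the lab).

SAMPLE_FRAMES are constructed; SSIDs/MACs reuse the lab's values only as
labels. A radiotap header, if present, is assumed already stripped.
"""
import struct

NAMES = {0x01: "Association Response", 0x08: "Beacon", 0x0C: "Deauthentication", 0x20: "Data"}
TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
WPS_OUI_TYPE = bytes.fromhex("0050f204")   # Microsoft OUI 00:50:f2, type 4 = WPS
PRIVACY_BIT = 0x0010                       # capability info bit set for WEP/WPA/WPA2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ies(body):
    """Walk the tagged parameters: [id][len][data] repeated."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) < length:             # truncated element: stop rather than guess
            break
        ies.append((tag, data))
        i += 2 + length
    return ies

def parse_frame(frame):
    """Decode a raw 802.11 MAC frame into the fields the labs filter on."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 header")
    fc0 = frame[0]                         # bits 0-1 version, 2-3 type, 4-7 subtype
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    ts = (ftype << 4) | subtype            # same composite value as wlan.fc.type_subtype
    info = {"type_subtype": ts, "name": NAMES.get(ts, f"type {ftype} subtype {subtype}"),
            "ra": mac_str(frame[4:10]), "ta": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    if ts == 0x08:                         # beacon: timestamp, interval, capability, then IEs
        body = frame[24:]
        if len(body) < 12:
            raise ValueError("beacon body too short")
        timestamp, interval, cap = struct.unpack("<QHH", body[:12])
        ies = parse_ies(body[12:])
        has_rsn = any(t == TAG_RSN for t, _ in ies)
        info.update({
            "timestamp": timestamp,
            "ssid": next((d.decode("utf-8", "replace") for t, d in ies if t == TAG_SSID), ""),
            "security": "WPA2 (RSN)" if has_rsn else ("WEP/WPA (privacy bit)" if cap & PRIVACY_BIT else "Open"),
            "wps": any(t == TAG_VENDOR and d.startswith(WPS_OUI_TYPE) for t, d in ies),
        })
    return info

def build_mgmt(subtype, ra, ta, bssid, body=b""):
    """Constructed management frame: FC, duration, addr1..3, sequence control, body."""
    hdr = bytes([subtype << 4, 0x00, 0x00, 0x00])    # type 0 (management), version 0
    for m in (ra, ta, bssid):
        hdr += bytes.fromhex(m.replace(":", ""))
    return hdr + b"\x00\x00" + body

def beacon_body(ssid, rsn=False, wps=False, privacy=False):
    """Constructed beacon body: fixed fields then SSID / RSN / WPS elements."""
    fixed = struct.pack("<QHH", 1000000, 100, 0x0411 if privacy else 0x0401)
    ies = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    if rsn:                                # RSN v1, CCMP group+pairwise, AKM PSK, no capabilities
        rsn_data = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        ies += bytes([TAG_RSN, len(rsn_data)]) + rsn_data
    if wps:                                # WPS IE carrying only a Version attribute
        wps_data = WPS_OUI_TYPE + bytes.fromhex("104a000110")
        ies += bytes([TAG_VENDOR, len(wps_data)]) + wps_data
    return fixed + ies

BROADCAST, STA = "ff:ff:ff:ff:ff:ff", "5c:51:88:31:a0:3b"
AP_OPEN, AP_WPA2 = "e8:de:27:16:87:18", "fc:b0:c4:91:71:e0"
SAMPLE_FRAMES = [
    build_mgmt(8, BROADCAST, AP_OPEN, AP_OPEN, beacon_body("SecurityTube_Open")),
    build_mgmt(8, BROADCAST, AP_WPA2, AP_WPA2, beacon_body("LazyArtists", rsn=True, wps=True, privacy=True)),
    build_mgmt(12, STA, AP_OPEN, AP_OPEN, b"\x03\x00"),                  # deauth, reason code 3
    build_mgmt(1, STA, AP_OPEN, AP_OPEN, b"\x01\x04\x00\x00\x01\xc0"),   # association response, AID 1
]

def count_frames_for(frames, mac):
    """Same question as the filter wlan.ta == mac || wlan.ra == mac."""
    return sum(1 for p in map(parse_frame, frames) if mac in (p["ra"], p["ta"]))

def open_ssids(frames):
    """SSIDs advertised by beacons with neither an RSN IE nor the privacy bit."""
    return [p["ssid"] for p in map(parse_frame, frames) if p["type_subtype"] == 0x08 and p["security"] == "Open"]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame(f))
```

The "security" label is deliberately coarse: a beacon with the privacy bit but no RSN IE may be WEP or WPA1 (the latter announces itself in a vendor IE with OUI 00:50:f2 type 1), and telling those apart needs the same tagged-parameter walk shown here.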

