🔬 Tshark, ARP, WiFi

Lab 1

🔬 Getting Started: Tshark

  • Tshark usage

tshark -v
TShark (Wireshark) 2.6.1 (Git v2.6.1 packaged as 2.6.1-0ubuntu2~16.04.0)

📌 The running TShark version is 2.6.1

tshark -D
  • Lists all network interfaces available for capture

  • Sniff some traffic on eth0

tshark -i eth0

📌 The student user does not have permission to capture on the eth0 interface

  • Display the packet list of the .pcap file

tshark -r HTTP_traffic.pcap
  • Count the output lines to find the total number of packets in the .pcap file

tshark -r HTTP_traffic.pcap | wc -l
	30418 # lines in the file
  • Read first 100 packets from the .pcap file

tshark -r HTTP_traffic.pcap -c 100
  • List the Protocol Hierarchy Statistics from the .pcap file

tshark -r HTTP_traffic.pcap -z io,phs -q

Lab 2

🔬 Filtering Basics: HTTP

  • Tshark usage and filtering

Filtering

  • Show the HTTP traffic from a .pcap file

tshark -r HTTP_traffic.pcap -Y 'http'
tshark -r HTTP_traffic.pcap -Y 'http' | more
  • Show only the IP packets sent from IP address 192.168.252.128 to IP address 52.32.74.91

tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && ip.dst==52.32.74.91"
  • Print only packets containing GET requests

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"
  • Print only packets with frame time, source IP and URL for all GET requests

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri
  • Print packets containing a string

tshark -r HTTP_traffic.pcap -Y "http contains password"

📌 4 HTTP packets contain the password string

  • Check the destination IP for GET requests sent to www.nytimes.com

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET && http.host==www.nytimes.com" -Tfields -e ip.dst

📌 170.149.159.130 is the destination IP of www.nytimes.com

  • Check the session ID used by 192.168.252.128 for amazon.in

tshark -r HTTP_traffic.pcap -Y "ip contains amazon.in && ip.src==192.168.252.128" -Tfields -e ip.src -e http.cookie

📌 278-7381968-4337153 is the session ID

  • Find the OS type on the machine with IP 192.168.252.128

tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && http" -Tfields -e http.user_agent
  • Use the User-Agent string to find the specific distribution

Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0

📌 The OS is Linux x86_64 (rv:31.0), per user-agents.net


Lab 3 - ARP Poisoning

🔬 INE Platform Lab

  • ARP poisoning attack against a telnet server

    • the client machine authenticates with the telnet server every 30 seconds

  • Find the telnet login credentials

  • Tools: arpspoof & Wireshark

  • Monitor the traffic on the eth1 interface of the Kali Attacker machine.

ip -br -c a
	eth1  UP  10.100.13.140/24

Enumeration

nmap 10.100.13.0/24
Nmap scan report for 10.100.13.1
    22/tcp   open  ssh
    3389/tcp open  ms-wbt-server
# ^^ Gateway machine, do not attack

Nmap scan report for 10.100.13.36
    22/tcp open  ssh
    23/tcp open  telnet
# ^^ Telnet server machine

Nmap scan report for 10.100.13.140
    3389/tcp open  ms-wbt-server
    5910/tcp open  cm
# ^^ Client machine

ARP Poisoning Attack

  • To see traffic of other machines, configure Kali Attacker VM to forward IP packets

echo 1 > /proc/sys/net/ipv4/ip_forward
  • Start the ARP poisoning attack with the arpspoof tool

arpspoof -i eth1 -t 10.100.13.37 -r 10.100.13.36
# -t = target (the client, 10.100.13.37)
# -r = poison both directions; the positional argument 10.100.13.36 is the host (the telnet server)
  • Open Wireshark and start capturing traffic on eth1

    • Apply the telnet display filter

  • Follow the TCP stream and find the telnet credentials

    • Stop the capture and the arpspoof tool

📌 Telnet credentials are admin:MyS3cr3tP455

telnet 10.100.13.36
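The detection counterpart to this lab, as an added example that is not part of the course material: a Python script that reads the tab-separated output of a tshark ARP field extraction and reports every IP announced by more than one MAC, then the MAC that answers for several of them. The sample lines are constructed inline and capture.pcap is a placeholder name.

```python
"""Added example (not from the lab): spot ARP poisoning in a capture by finding
IP addresses that are announced by more than one MAC.

Input lines are assumed to come from this tshark field extraction, run beforehand:
  tshark -r capture.pcap -Y arp -T fields \
         -e frame.time_epoch -e arp.src.proto_ipv4 -e arp.src.hw_mac
"""
from collections import Counter, defaultdict

# Constructed sample output (tab-separated, as tshark -T fields prints it).
# Hosts 10.100.13.36 and .37 are first announced by their own MACs and later
# by one other MAC that answers for both, which is what a poisoner looks like.
SAMPLE = """\
1.0\t10.100.13.1\t00:0c:29:11:11:11
2.0\t10.100.13.36\t00:0c:29:36:36:36
3.0\t10.100.13.37\t00:0c:29:37:37:37
4.0\t10.100.13.36\t00:0c:29:aa:bb:cc
5.0\t10.100.13.37\t00:0c:29:aa:bb:cc
"""

def ip_to_macs(lines):
    """Map each sender IP to the set of sender MACs seen announcing it."""
    mapping = defaultdict(set)
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not parts[1] or not parts[2]:
            continue                      # skip frames without an IPv4 sender
        _ts, ip, mac = parts
        mapping[ip].add(mac.lower())
    return mapping

def find_conflicts(lines):
    """Return {ip: sorted MAC list} for every IP claimed by two or more MACs."""
    return {ip: sorted(macs)
            for ip, macs in ip_to_macs(lines).items() if len(macs) > 1}

def suspect_macs(conflicts):
    """MACs involved in conflicts for more than one IP: a host that answers for
    several addresses at once is the usual sign of a man-in-the-middle."""
    hits = Counter(mac for macs in conflicts.values() for mac in macs)
    return sorted(mac for mac, n in hits.items() if n > 1)

if __name__ == "__main__":
    conflicts = find_conflicts(SAMPLE.splitlines())
    for ip, macs in conflicts.items():
        print(f"{ip} claimed by {', '.join(macs)}")
    print("suspect MACs:", suspect_macs(conflicts))
```

A single conflict can also be a legitimate NIC replacement or DHCP reuse, so the per-IP list is the alert and the multi-IP MAC is the escalation.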

Lab 4 - WiFi Traffic Analysis

🔬 WiFi Security: Traffic Analysis I

  • WiFi basic traffic analysis with Wireshark

  • Find the name of the open SSID in the packet dump, using the following filter

    • Beacon frame = 0x0008

    • Wlan tag 48 = RSN-IE (Robust Security Network Information Element)

(wlan.fc.type_subtype == 0x0008) && (!(wlan.wfa.ie.wpa.version == 1)) &&
!(wlan.tag.number == 48)
Reveal Flag - The name of the Open SSID is: 🚩

SecurityTube_Open

  • Find the channel on which Home_Network operates

wlan contains Home_Network
Reveal Flag - Home_Network operates on channel: 🚩

6

  • Find which security mechanism the LazyArtists SSID uses

wlan contains LazyArtists
Reveal Flag - LazyArtists configured security is: 🚩

WPA2-PSK

  • Check whether WPS is enabled on the Amazon Wood SSID

(wlan.ssid contains "Amazon") && (wlan.fc.type_subtype == 0x0008)

📌 WPS is enabled

  • Count the packets of the device with MAC e8:de:27:16:87:18

    • wlan.ta = transmitter address

    • wlan.ra = receiver address

(wlan.ta == e8:de:27:16:87:18) || (wlan.ra == e8:de:27:16:87:18)
Reveal Flag - Total packets number is: 🚩

5701

  • Find the MAC address that exchanges data with the SecurityTube_Open SSID

    • SecurityTube_Open is hosted on BSSID e8:de:27:16:87:18

(wlan.bssid == e8:de:27:16:87:18) && (wlan.fc.type_subtype == 0x0020)
Reveal Flag - The MAC address is: 🚩

5c:51:88:31:a0:3b

  • Find the TSF timestamp of the Association Response sent from the SecurityTube_Open access point to a station

((wlan.bssid == e8:de:27:16:87:18) && (wlan.addr==5c:51:88:31:a0:3b)) &&
(wlan.fc.type_subtype == 0x0001)
Reveal Flag - The TSF timestamp is: 🚩

115152625


Lab 5 - WiFi Traffic Filtering

🔬 Filtering Advanced: WiFi

  • Tshark usage and filtering

  • Show only WiFi traffic

tshark -r WiFi_traffic.pcap -Y "wlan"
  • Show only the deauthentication packets

    • Every management frame in WiFi can be classified under a type and subtype

    • wlan.fc.type_subtype == 0x000c matches deauthentication frames, which an AP sends to drop a station

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c"
  • Show only the WPA handshake packets

    • EAPoL (Extensible Authentication Protocol over LAN) carries the WPA 4-way handshake

tshark -r WiFi_traffic.pcap -Y "eapol"
  • Show only SSID and BSSID values of all beacon frames

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid
  • Check the BSSID of LazyArtists SSID

tshark -r WiFi_traffic.pcap -Y "wlan.ssid==LazyArtists" -Tfields -e wlan.bssid

📌 LazyArtists BSSID is fc:b0:c4:91:71:e0.

  • Show the channel on which Home_Network operates

tshark -r WiFi_traffic.pcap -Y "wlan.ssid==Home_Network" -Tfields -e wlan_radio.channel

📌 Home_Network operating channel is 6.

  • Show the two devices that received the deauth messages

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra

📌 The MAC addresses of the two devices are 6c:19:8f:5f:81:74 and bc:ae:c5:c3:5e:01.
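The same deauth field extraction turned into burst detection, as an added example that is not part of the lab: a few deauths spread over minutes are normal AP housekeeping, while many to one client within a second is a forced disconnect worth alerting on. Sample lines are constructed inline from the BSSID and receiver MACs found above; the 1-second window and threshold of 10 are assumed tuning values.

```python
"""Added example (not from the lab): flag deauthentication bursts from tshark output.

Input lines are assumed to come from this extraction, run beforehand:
  tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype == 0x000c" -T fields \
         -e frame.time_epoch -e wlan.ta -e wlan.ra -e wlan.fixed.reason_code
"""
from collections import Counter, defaultdict

AP = "fc:b0:c4:91:71:e0"          # LazyArtists BSSID from the capture
STA_A = "6c:19:8f:5f:81:74"       # the two deauth receivers seen in the lab
STA_B = "bc:ae:c5:c3:5e:01"

def _line(ts, ta, ra, reason):
    return f"{ts:.6f}\t{ta}\t{ra}\t{reason}"

# Constructed sample: two deauths 30 s apart to STA_A (reason 3, station leaving),
# then 15 deauths inside one second to STA_B (reason 7, class 3 frame from a
# non-associated station, the code most deauth tools fill in).
SAMPLE_LINES = [_line(100.0, AP, STA_A, 3), _line(130.0, AP, STA_A, 3)]
SAMPLE_LINES += [_line(200.0 + i * 0.05, AP, STA_B, 7) for i in range(15)]

def parse(lines):
    """Yield (timestamp, transmitter, receiver, reason), skipping malformed lines."""
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue
        try:
            yield float(parts[0]), parts[1].lower(), parts[2].lower(), int(parts[3] or 0)
        except ValueError:
            continue

def deauth_bursts(lines, window=1.0, threshold=10):
    """Return [(ta, ra, count, bucket_start)] for every (ta, ra) pair that sent at
    least `threshold` deauths inside a single `window`-second bucket."""
    buckets = defaultdict(Counter)
    for ts, ta, ra, _reason in parse(lines):
        buckets[(ta, ra)][int(ts // window)] += 1
    bursts = []
    for (ta, ra), counts in buckets.items():
        bucket, n = counts.most_common(1)[0]
        if n >= threshold:
            bursts.append((ta, ra, n, bucket * window))
    return sorted(bursts)

if __name__ == "__main__":
    for ta, ra, n, start in deauth_bursts(SAMPLE_LINES):
        print(f"{n} deauths from {ta} to {ra} starting at t={start:.0f}s")
```

Because the transmitter address in a deauth frame is unauthenticated, a burst that appears to come from the AP's own BSSID is still suspicious; correlate with wlan_radio signal strength or a second sensor before blaming the AP.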

  • Check vendor and model of the device with MAC 5c:51:88:31:a0:3b

tshark -r WiFi_traffic.pcap -Y "wlan.ta==5c:51:88:31:a0:3b && http" -Tfields -e http.user_agent

📌 The device is a Motorola MotoG3.

