2020-12-06 00:31:08 +00:00
# Wireshark tricks
2020-07-15 15:43:14 +00:00
2020-12-23 10:58:38 +00:00
## Improve your Wireshark skills
### Tutorials
The following tutorials are amazing to learn some cool basic tricks:
* [https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/ ](https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/ )
* [https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/ ](https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/ )
* [https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/ ](https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/ )
* [https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/ ](https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/ )
2021-08-19 22:50:46 +00:00
### Analysed Information
2021-08-19 11:24:25 +00:00
#### Expert Information
Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analised** :
#### Resolved Addresses
Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, mac to manufacturer...
This is interesting to know what is implicated in the communication.
#### Protocol Hierarchy
Under _**Statistics --> Protocol Hierarchy**_ you can find the **protocols** **involved** in the communication and data about them.
#### Conversations
Under _**Statistics --> Conversations**_ you can find a **summary of the conversations** in the communication and data about them.
#### **Endpoints**
Under _**Statistics --> Endpoints**_ you can find a **summary of the endpoints** in the communication and data about each of them.
2021-08-19 22:50:46 +00:00
#### DNS info
Under _**Statistics --> DNS**_ you can find statistics about the DNS request captured.
2021-08-19 11:24:25 +00:00
#### I/O Graph
Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication.**
2020-12-23 10:58:38 +00:00
### Filters
Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/ ](https://www.wireshark.org/docs/dfref/ )
Other interesting filters:
* `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic + TCP SYN
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic + TCP SYN + DNS requests
### Search
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_
You can add new layers to the main information bar _\(No., Time, Source...\)_ pressing _right bottom_ and _Edit Column_
Practice: [https://www.malware-traffic-analysis.net/ ](https://www.malware-traffic-analysis.net/ )
## Identifying Domains
You can add a column that show the Host HTTP header:
2021-05-28 17:40:28 +00:00
2020-12-23 10:58:38 +00:00
And a column that add the Server name from an initiating HTTPS connection \(**ssl.handshake.type == 1**\):
2021-05-28 17:40:28 +00:00
2020-12-23 10:59:42 +00:00
## Identifying local hostnames
### From DHCP
In current Wireshark instead of `bootp` you need to search for `DHCP`
2021-05-28 17:40:28 +00:00
2020-12-23 10:59:42 +00:00
### From NBNS
2021-05-28 17:40:28 +00:00
2020-12-23 10:58:38 +00:00
2020-12-23 10:59:42 +00:00
2020-07-15 15:43:14 +00:00
## Decrypting TLS
### Decrypting https traffic with server private key
_edit> preference> protocol> ssl> _
2021-05-28 17:40:28 +00:00
2020-07-15 15:43:14 +00:00
Press _Edit_ and add all the data of the server and the private key \(_IP, Port, Protocol, Key file and password_\)
### Decrypting https traffic with symmetric session keys
It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. More in: [https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/ ](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/ )
To detect this search inside the environment for to variable `SSLKEYLOGFILE`
A file of shared keys will looks like this:
2021-05-28 17:40:28 +00:00
2020-07-15 15:43:14 +00:00
To import this in wireshark go to _edit>preference>protocol>ssl>_ and import it in \(Pre\)-Master-Secret log filename:
2021-05-28 17:40:28 +00:00
2020-07-15 15:43:14 +00:00
2020-12-06 00:32:17 +00:00
## ADB communication
Extract an APK from an ADB communication where the APK was sent:
```python
from scapy.all import *
pcap = rdpcap("final2.pcapng")
def rm_data(data):
splitted = data.split(b"DATA")
if len(splitted) == 1:
return data
else:
return splitted[0]+splitted[1][4:]
all_bytes = b""
for pkt in pcap:
if Raw in pkt:
a = pkt[Raw]
if b"WRTE" == bytes(a)[:4]:
all_bytes += rm_data(bytes(a)[24:])
else:
all_bytes += rm_data(bytes(a))
print(all_bytes)
f = open('all_bytes.data', 'w+b')
f.write(all_bytes)
f.close()
```
2020-07-15 15:43:14 +00:00
