2022-04-28 23:27:22 +00:00
# Wireshark tricks
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
## Wireshark tricks
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
* **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >
2022-05-01 13:25:53 +00:00
## Improve your Wireshark skills
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
### Tutorials
2020-12-23 10:58:38 +00:00
The following tutorials are amazing to learn some cool basic tricks:
* [https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/ ](https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/ )
* [https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/ ](https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/ )
* [https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/ ](https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/ )
* [https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/ ](https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/ )
2022-05-01 13:25:53 +00:00
### Analysed Information
2021-08-19 11:24:25 +00:00
2022-04-28 23:27:22 +00:00
**Expert Information**
2021-08-19 11:24:25 +00:00
2021-10-18 11:21:18 +00:00
Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analised** :
2021-08-19 11:24:25 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 570 ) . png > )
2021-08-19 11:24:25 +00:00
2022-04-28 23:27:22 +00:00
**Resolved Addresses**
2021-08-19 11:24:25 +00:00
2021-10-18 11:21:18 +00:00
Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, mac to manufacturer...\
2021-08-19 11:24:25 +00:00
This is interesting to know what is implicated in the communication.
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 571 ) . png > )
2021-08-19 11:24:25 +00:00
2022-04-28 23:27:22 +00:00
**Protocol Hierarchy**
2021-08-19 11:24:25 +00:00
2021-10-18 11:21:18 +00:00
Under _**Statistics --> Protocol Hierarchy**_ you can find the **protocols** **involved** in the communication and data about them.
2021-08-19 11:24:25 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 572 ) . png > )
2021-08-19 11:24:25 +00:00
2022-04-28 23:27:22 +00:00
**Conversations**
2021-08-19 11:24:25 +00:00
2021-11-30 16:46:07 +00:00
Under _**Statistics --> Conversations**_ you can find a **summary of the conversations** in the communication and data about them.
2021-08-19 11:24:25 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 573 ) . png > )
2021-08-19 11:24:25 +00:00
2022-04-28 23:27:22 +00:00
**Endpoints**
2021-08-19 11:24:25 +00:00
2021-11-30 16:46:07 +00:00
Under _**Statistics --> Endpoints**_ you can find a **summary of the endpoints** in the communication and data about each of them.
2021-08-19 11:24:25 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 575 ) . png > )
2021-08-19 11:24:25 +00:00
2022-04-28 23:27:22 +00:00
**DNS info**
2021-08-19 22:50:46 +00:00
2021-11-30 16:46:07 +00:00
Under _**Statistics --> DNS**_ you can find statistics about the DNS request captured.
2021-08-19 22:50:46 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 577 ) . png > )
2021-08-19 22:50:46 +00:00
2022-04-28 23:27:22 +00:00
**I/O Graph**
2021-08-19 11:24:25 +00:00
2021-11-30 16:46:07 +00:00
Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication.**
2021-08-19 11:24:25 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 574 ) . png > )
2021-08-19 11:24:25 +00:00
2022-05-01 13:25:53 +00:00
### Filters
2020-12-23 10:58:38 +00:00
2021-10-18 11:21:18 +00:00
Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/ ](https://www.wireshark.org/docs/dfref/ )\
2020-12-23 10:58:38 +00:00
Other interesting filters:
2022-04-05 22:24:52 +00:00
* `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)`
2020-12-23 10:58:38 +00:00
* HTTP and initial HTTPS traffic
2022-04-05 22:24:52 +00:00
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)`
2020-12-23 10:58:38 +00:00
* HTTP and initial HTTPS traffic + TCP SYN
2022-04-05 22:24:52 +00:00
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
2020-12-23 10:58:38 +00:00
* HTTP and initial HTTPS traffic + TCP SYN + DNS requests
2022-05-01 13:25:53 +00:00
### Search
2020-12-23 10:58:38 +00:00
2021-10-18 11:21:18 +00:00
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_ \
2022-04-06 08:57:29 +00:00
\_\_You can add new layers to the main information bar _(No., Time, Source...)_ pressing _right bottom_ and _Edit Column_
2020-12-23 10:58:38 +00:00
2021-10-18 11:21:18 +00:00
Practice: [https://www.malware-traffic-analysis.net/ ](https://www.malware-traffic-analysis.net )
2020-12-23 10:58:38 +00:00
2022-05-01 13:25:53 +00:00
## Identifying Domains
2020-12-23 10:58:38 +00:00
You can add a column that show the Host HTTP header:
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 403 ) . png > )
2020-12-23 10:58:38 +00:00
2021-10-18 11:21:18 +00:00
And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**):
2020-12-23 10:58:38 +00:00
2022-09-09 11:57:02 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 408 ) ( 1 ) . png > )
2020-12-23 10:59:42 +00:00
2022-05-01 13:25:53 +00:00
## Identifying local hostnames
2020-12-23 10:59:42 +00:00
2022-05-01 13:25:53 +00:00
### From DHCP
2020-12-23 10:59:42 +00:00
In current Wireshark instead of `bootp` you need to search for `DHCP`
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 404 ) . png > )
2020-12-23 10:59:42 +00:00
2022-05-01 13:25:53 +00:00
### From NBNS
2020-12-23 10:59:42 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 405 ) . png > )
2020-12-23 10:58:38 +00:00
2022-05-01 13:25:53 +00:00
## Decrypting TLS
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Decrypting https traffic with server private key
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
_edit>preference>protocol>ssl>_
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 98 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Press _Edit_ and add all the data of the server and the private key (_IP, Port, Protocol, Key file and password_)
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Decrypting https traffic with symmetric session keys
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. More in: [https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/ ](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/ )\
2020-07-15 15:43:14 +00:00
To detect this search inside the environment for to variable `SSLKEYLOGFILE`
A file of shared keys will looks like this:
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 99 ) . png > )
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
To import this in wireshark go to _edit>preference>protocol>ssl>_ and import it in (Pre)-Master-Secret log filename:
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . . / . gitbook / assets / image ( 100 ) . png > )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## ADB communication
2020-12-06 00:32:17 +00:00
Extract an APK from an ADB communication where the APK was sent:
```python
from scapy.all import *
pcap = rdpcap("final2.pcapng")
def rm_data(data):
splitted = data.split(b"DATA")
if len(splitted) == 1:
return data
else:
return splitted[0]+splitted[1][4:]
all_bytes = b""
for pkt in pcap:
if Raw in pkt:
a = pkt[Raw]
if b"WRTE" == bytes(a)[:4]:
all_bytes += rm_data(bytes(a)[24:])
else:
all_bytes += rm_data(bytes(a))
print(all_bytes)
f = open('all_bytes.data', 'w+b')
f.write(all_bytes)
f.close()
```
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
* **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >